P11SAK(1) openCryptoki P11SAK(1)

p11sak - generate and list token keys in an openCryptoki token repository.

p11sak command [ARGS] [OPTIONS]

p11sak --help|-h

p11sak can be used to generate and list the token keys in an openCryptoki
token repository. The utility provides a flexible key management tool in
openCryptoki to list and generate symmetric (DES, 3DES, AES) and
asymmetric (RSA, EC) keys. This tool is especially capable of a
well-defined listing of keys with their PKCS #11 attributes.

The p11sak tool can operate in two modes: when command generate-key is
specified, it operates in the mode to generate a token key in the
openCryptoki token repository. When command list-key is given, it lists
the keys specified in the arguments.

generate-key
Use the generate-key|gen-key|gen command and key argument to generate a
token key with the respective [ARGS] and [OPTIONS]. The --help|-h
option will show the arguments and options available.

list-key
Use the list-key|ls-key|ls command and key argument to list token keys
given the respective [ARGS] and [OPTIONS]. The --help|-h option will
show the arguments and options available.

Generating DES/3DES keys
p11sak generate-key|gen-key|gen des|3des --slot SLOTID --pin PIN
--label LABEL --attr [MRLSEDGVWUAXNT] --help | -h

Use the generate-key command with the des|3des key argument to generate
a DES or 3DES key. The --slot SLOTID and --pin PIN options are required
to set the token to SLOTID and the token PIN. The --label option allows
the user to set the LABEL attribute of the key and --attr
[MRLSEDGVWUAXNT] can be used to set the binary attributes of the key
(see below for detailed description of the attributes).

Generating AES keys
p11sak generate-key|gen-key|gen aes 128|192|256 --slot SLOTID --pin PIN
--label LABEL --attr [MRLSEDGVWUAXNT] --help | -h

Use the generate-key aes 128|192|256 command and key argument to
generate an AES key with 128, 192 or 256 bit length, respectively. The
--slot SLOTID and --pin PIN options are required to set the token to
SLOTID and the token PIN. The --label option allows the user to set the
LABEL attribute of the key and --attr [MRLSEDGVWUAXNT] can be used to
set the binary attributes of the key (see below for detailed description
of the attributes).

Generating RSA keys
p11sak generate-key|gen-key|gen rsa 1024|2048|4096 --slot SLOTID --pin
PIN --label LABEL --exponent EXP --attr [MRLSEDGVWUAXNT] --help | -h

Use the generate-key rsa 1024|2048|4096 command and key argument to
generate a 1024, 2048 or 4096 bit RSA key, respectively. The --slot
SLOTID and --pin PIN options are required to set the token to SLOTID
and the token PIN. The --label option allows the user to set the LABEL
attribute of the key and --attr [MRLSEDGVWUAXNT] can be used to set the
binary attributes of the key (see below for detailed description of the
attributes). Furthermore, the --exponent EXP option allows the user to
specify the exponent used for generating the RSA key. The default is
set to 65537 according to the PKCS #11 standard.

Generating EC keys
p11sak generate-key|gen-key|gen ec CURVE --slot SLOTID --pin PIN
--label LABEL --attr [MRLSEDGVWUAXNT] --help | -h

Use the generate-key ec CURVE command and key argument to generate an
EC key, where CURVE specifies the elliptic curve used to create the EC
key. The following arguments can be used for respective curves:
prime256v1 | prime192 | secp224 | secp384r1 | secp521r1 | secp265k1 |
brainpoolP160r1 | brainpoolP160t1 | brainpoolP192r1 | brainpoolP192t1 |
brainpoolP224r1 | brainpoolP224t1 | brainpoolP256r1 | brainpoolP256t1 |
brainpoolP320r1 | brainpoolP320t1 | brainpoolP384r1 | brainpoolP384t1 |
brainpoolP512r1 | brainpoolP512t1

Note: not all curves will be supported by all tokens and key generation
will fail when the specified CURVE is not supported. The --slot SLOTID
and --pin PIN options are required to set the token to SLOTID and the
token PIN. The --label option allows the user to set the LABEL
attribute of the key and --attr [MRLSEDGVWUAXNT] can be used to set the
binary attributes of the key (see below for detailed description of the
attributes).

Listing symmetric and asymmetric keys
p11sak list-key|ls-key|ls des|3des|aes|rsa|ec|public|private|secret
--slot SLOTID --pin PIN --long | -l --help | -h

Use the list-key | ls-key | ls command and key argument to list DES,
3DES, AES, RSA or EC keys, respectively. Public, private or secret keys
can also be listed irrespective of key type.

des | 3des | aes | rsa | ec | public | private | secret
selects the respective symmetric or asymmetric key to be generated or
listed. The public|private|secret argument can only be used with the
list-key command to list either public, private or secret keys.

128|192|256
the aes argument has to be followed by either 128, 192 or 256 to set
the respective key bit length of the AES key.

1024|2048|4096
the rsa argument has to be followed by either 1024, 2048 or 4096 to set
the respective key bit length of the RSA key.

prime256v1 | prime192 | secp224 | secp384r1 | secp521r1 | secp265k1 |
brainpoolP160r1 | brainpoolP160t1 | brainpoolP192r1 | brainpoolP192t1 |
brainpoolP224r1 | brainpoolP224t1 | brainpoolP256r1 | brainpoolP256t1 |
brainpoolP320r1 | brainpoolP320t1 | brainpoolP384r1 | brainpoolP384t1 |
brainpoolP512r1 | brainpoolP512t1
the ec argument has to be followed by one of these CURVE values to
select the EC curve used to generate the key.

--slot SLOTID
sets the token to SLOTID

--pin PIN
sets the token PIN to PIN

--label LABEL
sets the key label attribute to LABEL

--exponent EXP
sets the RSA exponent to EXP

--attr [M R L S E D G V W U A X N T]
sets the binary attributes of a key.

Note: not all binary attributes are applicable to all keys and will be
omitted if not applicable.

The attributes are set to FALSE by default and switched to TRUE when
the letter that is associated with the given binary attribute is
specified. The following letters are associated with the respective
CK_ATTRIBUTE:

· M - CKA_MODIFIABLE
· R - CKA_DERIVE
· L - CKA_LOCAL
· S - CKA_SENSITIVE
· E - CKA_ENCRYPT
· D - CKA_DECRYPT
· G - CKA_SIGN
· V - CKA_VERIFY
· W - CKA_WRAP
· U - CKA_UNWRAP
· A - CKA_ALWAYS_SENSITIVE
· X - CKA_EXTRACTABLE
· N - CKA_NEVER_EXTRACTABLE

CKA_TOKEN and CKA_PRIVATE are set by default to TRUE. For multiple
attributes, combine the letters in a string without white space, e.g.
'MLD'.
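
Because every binary attribute stays FALSE unless its letter is given, a key generated without S has CKA_SENSITIVE set to FALSE. The following is an added example, not part of p11sak or openCryptoki: it decodes an --attr string with the letter table above and applies a local policy before key generation. The function names and the policy (S required, X forbidden) are assumptions of this example; T appears in the --attr synopsis but is not described on this page, so it is rejected rather than mapped.

```shell
#!/bin/sh
# Added example: pre-flight check for a p11sak --attr string.
# Letter table copied from this page; helper names are hypothetical.

attr_name() {                      # one letter -> CK_ATTRIBUTE name
    case "$1" in
        M) echo CKA_MODIFIABLE ;;
        R) echo CKA_DERIVE ;;
        L) echo CKA_LOCAL ;;
        S) echo CKA_SENSITIVE ;;
        E) echo CKA_ENCRYPT ;;
        D) echo CKA_DECRYPT ;;
        G) echo CKA_SIGN ;;
        V) echo CKA_VERIFY ;;
        W) echo CKA_WRAP ;;
        U) echo CKA_UNWRAP ;;
        A) echo CKA_ALWAYS_SENSITIVE ;;
        X) echo CKA_EXTRACTABLE ;;
        N) echo CKA_NEVER_EXTRACTABLE ;;
        *) return 1 ;;             # includes T: not described on this page
    esac
}

decode_attrs() {                   # "MLD" -> names that would be set to TRUE
    rest=$1
    out=""
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}      # first character of $rest
        rest=${rest#?}             # remainder
        name=$(attr_name "$c") || {
            echo "letter not in the table on this page: $c" >&2
            return 1
        }
        out="${out:+$out }$name"
    done
    echo "$out"
}

check_attrs() {                    # assumed local policy, not a p11sak rule
    case "$1" in
        *X*) echo "CKA_EXTRACTABLE would be TRUE"; return 1 ;;
    esac
    case "$1" in
        *S*) ;;
        *) echo "CKA_SENSITIVE would stay FALSE"; return 1 ;;
    esac
    echo ok
}
```

A wrapper script can call `check_attrs "$ATTRS"` and only invoke `p11sak generate-key ... --attr "$ATTRS"` when it prints `ok`.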

--long | -l
prints the list-key output in long format. If omitted, the output is in
a short, tabular format.

--help | -h
prints help for the usage of p11sak and/or the respective command.

3.14.0 May 2020 P11SAK(1)