<?xml version="1.0" encoding="UTF-8"?>
<refentry id="pkcs11-tool">
	<refmeta>
		<refentrytitle>pkcs11-tool</refentrytitle>
		<manvolnum>1</manvolnum>
		<refmiscinfo class="productname">OpenSC</refmiscinfo>
		<refmiscinfo class="manual">OpenSC Tools</refmiscinfo>
		<refmiscinfo class="source">opensc</refmiscinfo>
	</refmeta>

	<refnamediv>
		<refname>pkcs11-tool</refname>
		<refpurpose>utility for managing and using PKCS #11 security tokens</refpurpose>
	</refnamediv>

	<refsynopsisdiv>
		<cmdsynopsis>
			<command>pkcs11-tool</command>
			<arg choice="opt"><replaceable class="option">OPTIONS</replaceable></arg>
		</cmdsynopsis>
	</refsynopsisdiv>

	<refsect1>
		<title>Description</title>
		<para>
			The <command>pkcs11-tool</command> utility is used to manage the
			data objects on smart cards and similar PKCS #11 security tokens.
			Users can list the PINs, keys and certificates stored on the token
			and read those objects (certificates, public keys and data objects)
			whose values the token exposes; a private key marked sensitive
			cannot be read out. User PIN authentication is performed for those
			operations that require it.
		</para>
	</refsect1>

	<refsect1>
		<title>Options</title>
		<para>
			<variablelist>
				<varlistentry>
					<term>
						<option>--attr-from</option> <replaceable>filename</replaceable>
					</term>
					<listitem><para>Extract information from <replaceable>filename</replaceable>
					(a DER-encoded certificate file) and create the corresponding
					attributes when writing an object to the token. For example, the
					certificate subject name is used to create the CKA_SUBJECT
					attribute.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--change-pin</option>,
						<option>-c</option>
					</term>
					<listitem><para>Change the user PIN on the token.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--unlock-pin</option>
					</term>
					<listitem><para>Unlock the User PIN. Without <option>--login</option>
					the unlock is performed in the already logged-in session; otherwise
					<option>--login-type</option> has to be 'context-specific'.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--hash</option>,
						<option>-h</option>
					</term>
					<listitem><para>Hash some data.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--hash-algorithm</option> <replaceable>mechanism</replaceable>
					</term>
					<listitem>
						<para>
						Specify the hash algorithm used with RSA-PKCS-PSS signatures or RSA-OAEP decryption.
						Allowed values are "SHA-1", "SHA256", "SHA384" and "SHA512"; some tokens may
						also allow "SHA224". The default is "SHA-1".
						</para>
						<para>
						Note that the input to RSA-PKCS-PSS must be exactly as long as the digest
						produced by the specified hash algorithm, because that mechanism signs an
						already-computed digest. E.g., for SHA256 the signature input must be
						exactly 32 bytes long (the combined mechanisms such as SHA256-RSA-PKCS-PSS
						hash the input themselves and have no such restriction). For RSA-OAEP, the
						plaintext input size mLen must be at most keyLen - 2 - 2*hashLen. For example,
						for an RSA 3072-bit key and SHA384, the longest plaintext that can be encrypted
						with RSA-OAEP is (with all sizes in bytes) 384 - 2 - 2*48 = 286 bytes.
						</para>
					</listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--id</option> <replaceable>id</replaceable>,
						<option>-d</option> <replaceable>id</replaceable>
					</term>
					<listitem><para>Specify the id (the CKA_ID attribute, given in
					hexadecimal) of the object to operate on.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--init-pin</option>
					</term>
					<listitem><para>Initializes the user PIN. This option
					differs from <option>--change-pin</option> in that it sets the user PIN
					for the first time and requires Security Officer authentication
					(see <option>--so-pin</option>). Once set, the user PIN can be changed
					using <option>--change-pin</option>.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--init-token</option>
					</term>
					<listitem><para>Initialize a token: set the token label as
					well as a Security Officer PIN (the label must be specified
					using <option>--label</option>).</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--input-file</option> <replaceable>filename</replaceable>,
						<option>-i</option> <replaceable>filename</replaceable>
					</term>
					<listitem><para>Specify the path to a file for input.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--keypairgen</option>,
						<option>-k</option>
					</term>
					<listitem><para>Generate a new key pair (public and private key).</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--keygen</option>
					</term>
					<listitem><para>Generate a new secret (symmetric) key.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--key-type</option> <replaceable>specification</replaceable>
					</term>
					<listitem><para>Specify the type and length of the key to create, for example rsa:2048 or EC:prime256v1.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--usage-sign</option>
					</term>
					<listitem><para>Set the 'sign' key usage flag (sets CKA_SIGN on the private key and CKA_VERIFY on the public key).</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--usage-decrypt</option>
					</term>
					<listitem><para>Set the 'decrypt' key usage flag (RSA only; sets CKA_DECRYPT on the private key and CKA_ENCRYPT on the public key).</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--usage-derive</option>
					</term>
					<listitem><para>Set the 'derive' key usage flag (EC only; sets CKA_DERIVE).</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--label</option> <replaceable>name</replaceable>,
						<option>-a</option> <replaceable>name</replaceable>
					</term>
					<listitem><para>Specify the name (CKA_LABEL) of the object to operate on
					(or the token label when <option>--init-token</option>
					is used).</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--list-mechanisms</option>,
						<option>-M</option>
					</term>
					<listitem><para>Display a list of mechanisms supported by the token.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--list-objects</option>,
						<option>-O</option>
					</term>
					<listitem><para>Display a list of objects, optionally restricted with
					<option>--type</option>, <option>--id</option> or <option>--label</option>.
					Objects marked private are only shown after a login.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--list-slots</option>,
						<option>-L</option>
					</term>
					<listitem><para>Display a list of available slots.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--list-token-slots</option>,
						<option>-T</option>
					</term>
					<listitem><para>List only the slots that have a token present.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--login</option>,
						<option>-l</option>
					</term>
					<listitem><para>Authenticate to the token before performing
					other operations. The PIN is prompted for unless it is supplied
					with <option>--pin</option>; this option is implied when a PIN is
					provided on the command line.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--login-type</option> <replaceable>type</replaceable>
					</term>
					<listitem><para>Specify the login type: 'so', 'user' or 'context-specific'
					(default: 'user').</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--mechanism</option> <replaceable>mechanism</replaceable>,
						<option>-m</option> <replaceable>mechanism</replaceable>
					</term>
					<listitem><para>Use the specified <replaceable>mechanism</replaceable>
					for token operations. See <option>-M</option> for a list
					of mechanisms supported by your token. The mechanism can also be specified
					numerically in hexadecimal, e.g., <replaceable>0x80001234</replaceable>,
					which is useful for vendor-defined mechanisms.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--mgf</option> <replaceable>function</replaceable>
					</term>
					<listitem><para>Use the specified Mask Generation
					Function (MGF) <replaceable>function</replaceable>
					for RSA-PKCS-PSS signatures or RSA-OAEP decryptions. Supported arguments are MGF1-SHA1
					to MGF1-SHA512, if supported by the driver.
					The default is derived from the hash selection (MGF1 with the same hash
					as <option>--hash-algorithm</option>).
					</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--module</option> <replaceable>mod</replaceable>
					</term>
					<listitem><para>Specify a PKCS#11 module (shared library) to
					load instead of the default OpenSC module.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--moz-cert</option> <replaceable>filename</replaceable>,
						<option>-z</option> <replaceable>filename</replaceable>
					</term>
					<listitem><para>Test a Mozilla-like key pair generation
					and certificate request. Specify the <replaceable>filename</replaceable>
					of the certificate file.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--output-file</option> <replaceable>filename</replaceable>,
						<option>-o</option> <replaceable>filename</replaceable>
					</term>
					<listitem><para>Specify the path to a file for output.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--pin</option> <replaceable>pin</replaceable>,
						<option>-p</option> <replaceable>pin</replaceable>
					</term>
					<listitem><para>Use the given <replaceable>pin</replaceable> for
					token operations. If set to
					env:<replaceable>VARIABLE</replaceable>, the value of the
					environment variable <replaceable>VARIABLE</replaceable> is
					used instead. WARNING: Be careful using this option,
					as other users may be able to read the command line from
					the system (for example from the process list), or the PIN may
					end up embedded in a script; the env: form keeps the PIN out of
					the command line.</para>
					<para>This option also implies
					the <option>--login</option> option.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--puk</option> <replaceable>puk</replaceable>
					</term>
					<listitem><para>Supply the User PUK on the command line (used by
					<option>--unlock-pin</option>). The same warning as for
					<option>--pin</option> applies.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--new-pin</option> <replaceable>pin</replaceable>
					</term>
					<listitem><para>Supply the new User PIN on the command line (used by
					<option>--change-pin</option> and <option>--unlock-pin</option>). The same
					warning as for <option>--pin</option> applies.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--sensitive</option>
					</term>
					<listitem><para>Set the CKA_SENSITIVE attribute on the created object
					(the key value cannot be read out of the token in plaintext).</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--set-id</option> <replaceable>id</replaceable>,
						<option>-e</option> <replaceable>id</replaceable>
					</term>
					<listitem><para>Change the CKA_ID of the selected object to
					<replaceable>id</replaceable>.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--show-info</option>,
						<option>-I</option>
					</term>
					<listitem><para>Display general token information.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--sign</option>,
						<option>-s</option>
					</term>
					<listitem><para>Sign some data (read from <option>--input-file</option>)
					with the selected private key and mechanism.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--decrypt</option>
					</term>
					<listitem><para>Decrypt some data with the selected private key and mechanism.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--derive</option>
					</term>
					<listitem><para>Derive a secret key using another key and some data
					(for example an ECDH shared secret from an EC private key on the token
					and a peer public key read from <option>--input-file</option>).</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--derive-pass-der</option>
					</term>
					<listitem><para>When deriving with ECDH, pass the peer public key to the
					token DER-encoded rather than as a raw EC point, for compatibility with
					some PKCS#11 implementations.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--salt-len</option> <replaceable>bytes</replaceable>
					</term>
					<listitem><para>Specify how many bytes of salt should
					be used in RSA-PSS signatures. Accepts two special values:
					"-1" means the salt length equals the digest length,
					"-2" means use the maximum permissible length.
					The default is the digest length (-1).</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--slot</option> <replaceable>id</replaceable>
					</term>
					<listitem><para>Specify the id of the slot to use.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--slot-description</option> <replaceable>description</replaceable>
					</term>
					<listitem><para>Specify the description of the slot to use.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--slot-index</option> <replaceable>index</replaceable>
					</term>
					<listitem><para>Specify the index of the slot to use (its position in
					the list printed by <option>--list-slots</option>, counting from 0).</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--token-label</option> <replaceable>label</replaceable>
					</term>
					<listitem><para>Specify the label of the token to use.
					The first slot that contains a token with this label
					will be used.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--so-pin</option> <replaceable>pin</replaceable>
					</term>
					<listitem><para>Use the given <replaceable>pin</replaceable> as the
					Security Officer PIN for some token operations (token
					initialization, user PIN initialization, etc). If set to
					env:<replaceable>VARIABLE</replaceable>, the value of the
					environment variable <replaceable>VARIABLE</replaceable> is
					used. The same warning as for <option>--pin</option> also
					applies here.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--test</option>,
						<option>-t</option>
					</term>
					<listitem><para>Perform some tests on the token. This
					option is most useful when used with either <option>--login</option>
					or <option>--pin</option>.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--test-hotplug</option>
					</term>
					<listitem><para>Test hotplug capabilities (C_GetSlotList +
					C_WaitForSlotEvent).</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--private</option>
					</term>
					<listitem><para>Set the CKA_PRIVATE attribute on the created object
					(the object is only visible after a login).</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--test-ec</option>
					</term>
					<listitem><para>Test EC operations (best used with the <option>--login</option>
					or <option>--pin</option> option).</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--test-fork</option>
					</term>
					<listitem><para>Test forking and calling C_Initialize() in the
					child.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--type</option> <replaceable>type</replaceable>,
						<option>-y</option> <replaceable>type</replaceable>
					</term>
					<listitem><para>Specify the type of object to operate on.
					Examples are <literal>cert</literal>, <literal>privkey</literal>,
					<literal>pubkey</literal> and <literal>data</literal>.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--verbose</option>, <option>-v</option>
					</term>
					<listitem><para>Cause <command>pkcs11-tool</command> to be
					more verbose.</para><para>NB! This does not affect the
					OpenSC debugging level! To set the OpenSC PKCS#11 module into debug
					mode, set the <varname>OPENSC_DEBUG</varname> environment variable to a
					non-zero number.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--read-object</option>,
						<option>-r</option>
					</term>
					<listitem><para>Get the object's CKA_VALUE attribute (use with
					<option>--type</option>, plus <option>--id</option> or <option>--label</option>
					to select the object). A private key marked sensitive cannot be read
					this way.</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--delete-object</option>,
						<option>-b</option>
					</term>
					<listitem><para>Delete an object (selected with <option>--type</option>
					plus <option>--id</option> or <option>--label</option>).</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--application-label</option> <replaceable>label</replaceable>
					</term>
					<listitem><para>Specify the application label of the data object (use with
					<option>--type</option> data).</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--application-id</option> <replaceable>id</replaceable>
					</term>
					<listitem><para>Specify the application ID of the data object (use with
					<option>--type</option> data).</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--issuer</option> <replaceable>data</replaceable>
					</term>
					<listitem><para>Specify the issuer (a DER-encoded name) in hexadecimal format (use with
					<option>--type</option> cert).</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--subject</option> <replaceable>data</replaceable>
					</term>
					<listitem><para>Specify the subject (a DER-encoded name) in hexadecimal format (use with
					<option>--type</option> cert/privkey/pubkey).</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--signature-format</option> <replaceable>format</replaceable>
					</term>
					<listitem><para>Format for ECDSA signatures: 'rs' (default; the raw
					concatenation of r and s as returned by the token), or 'sequence' and
					'openssl' (both a DER SEQUENCE of r and s, the form OpenSSL consumes).</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--write-object</option> <replaceable>filename</replaceable>,
						<option>-w</option> <replaceable>filename</replaceable>
					</term>
					<listitem><para>Write a key, certificate or data object to the token.
					<replaceable>filename</replaceable> points to the DER-encoded certificate or
					key file (or to the raw contents of a data object); the object type is given
					with <option>--type</option>.
					</para></listitem>
				</varlistentry>

				<varlistentry>
					<term>
						<option>--generate-random</option> <replaceable>num</replaceable>
					</term>
					<listitem><para>Get <replaceable>num</replaceable> bytes of random data
					from the token's random number generator.
					</para></listitem>
				</varlistentry>
			</variablelist>
		</para>
	</refsect1>

	<refsect1>
		<title>Examples</title>
		<para>
			To list all certificates on the smart card:
			<programlisting>pkcs11-tool --list-objects --type cert</programlisting>

			To read the certificate with ID <replaceable>KEY_ID</replaceable>
			in DER format from the smart card:
			<programlisting>pkcs11-tool --read-object --id KEY_ID --type cert --output-file cert.der</programlisting>

			To convert the certificate in DER format to PEM format, use the OpenSSL
			tools:
			<programlisting>openssl x509 -inform DER -in cert.der -outform PEM -out cert.pem</programlisting>

			To sign some data stored in file <replaceable>data</replaceable>
			using the private key with ID <replaceable>ID</replaceable> and
			using the RSA-PKCS mechanism (the token pads and signs the input as-is,
			so hash it first if a hashed signature is wanted; the user PIN is
			prompted for because of <option>--login</option>):
			<programlisting>pkcs11-tool --sign --login --id ID --mechanism RSA-PKCS --input-file data --output-file data.sig</programlisting>
		</para>
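		<para>
			As an added example (not part of OpenSC or of this man page), the following
			POSIX shell script turns the size rules given under
			<option>--hash-algorithm</option> into pre-flight checks and wires them into
			the signing workflow above: it generates an RSA signing key pair, signs a
			SHA-256 digest with RSA-PKCS-PSS while the PIN is taken from the environment
			rather than from the command line, and verifies the result off the token
			with OpenSSL. Everything named here is an assumption made for the example:
			the PKCS11_MODULE and PKCS11_PIN variables, CKA_ID 01 and the label
			sig-key, the file names, and the availability of OpenSSL's dgst and
			pkeyutl commands.
		</para>

```shell
#!/bin/sh
# Added example for this man page; it is not part of OpenSC. Assumed names:
# PKCS11_MODULE (path of the PKCS#11 library), PKCS11_PIN (user PIN, exported
# so that env: can read it), CKA_ID 01 and label "sig-key" for the key pair,
# and OpenSSL's dgst/pkeyutl for the off-token steps.

# Digest length in bytes for the names accepted by --hash-algorithm.
# Prints nothing and fails for an unknown name.
digest_len() {
    case "$1" in
        SHA-1|SHA1) echo 20 ;;
        SHA224)     echo 28 ;;
        SHA256)     echo 32 ;;
        SHA384)     echo 48 ;;
        SHA512)     echo 64 ;;
        *)          return 1 ;;
    esac
}

# Longest plaintext RSA-OAEP can encrypt: keyLen - 2 - 2*hashLen, in bytes.
# $1 = modulus size in bits, $2 = hash name; for 3072 and SHA384 this is 286.
oaep_max_plaintext() {
    hlen=$(digest_len "$2") || return 1
    echo $(( $1 / 8 - 2 - 2 * hlen ))
}

# RSA-PKCS-PSS signs an already computed digest, so the input file must be
# exactly digest_len bytes long (SHA256-RSA-PKCS-PSS would hash it itself).
# $1 = input file, $2 = hash name; succeeds only when the size matches.
check_pss_input() {
    hlen=$(digest_len "$2") || return 1
    size=$(( $(cat "$1" | wc -c) + 0 ))
    [ "$size" -eq "$hlen" ]
}

# Common options: module path and PIN come from the environment, so the PIN
# never shows up in the process list (the warning under --pin).
p11() {
    pkcs11-tool --module "$PKCS11_MODULE" --login --pin env:PKCS11_PIN "$@"
}

# Generate a 3072-bit RSA signing key pair with CKA_ID 01. The private key is
# marked sensitive and private: it cannot be read out and is not listed
# without a login.
generate_signing_key() {
    p11 --keypairgen --key-type rsa:3072 --id 01 --label sig-key \
        --usage-sign --sensitive --private
}

# Sign the SHA-256 digest in $1 with RSA-PKCS-PSS (MGF1-SHA256, salt length
# equal to the digest length) and write the signature to $2. Input of the
# wrong size is refused locally instead of being rejected by the token.
sign_pss_digest() {
    check_pss_input "$1" SHA256 || return 1
    p11 --sign --id 01 --mechanism RSA-PKCS-PSS --hash-algorithm SHA256 \
        --mgf MGF1-SHA256 --salt-len -1 --input-file "$1" --output-file "$2"
}

# Export the public key (DER) and verify the signature off the token with
# OpenSSL, using the same PSS parameters as the signing call.
verify_pss_digest() {
    p11 --read-object --type pubkey --id 01 --output-file pub.der || return 1
    openssl pkeyutl -verify -pubin -keyform DER -inkey pub.der \
        -in "$1" -sigfile "$2" -pkeyopt rsa_padding_mode:pss \
        -pkeyopt digest:sha256 -pkeyopt rsa_mgf1_md:sha256 \
        -pkeyopt rsa_pss_saltlen:digest
}

# End-to-end run over the file "data"; only executed when called with "run".
if [ "${1:-}" = run ]; then
    export PKCS11_PIN
    generate_signing_key
    openssl dgst -sha256 -binary -out data.sha256 data
    sign_pss_digest data.sha256 data.sig
    verify_pss_digest data.sha256 data.sig
fi
```

		<para>
			Only the helper functions run without a token; the workflow at the
			bottom runs when the script is invoked as <command>sh sign.sh run</command>
			with PKCS11_MODULE and PKCS11_PIN set. The digest is produced off the
			token on purpose: RSA-PKCS-PSS takes the 32-byte hash as its input, and
			the check_pss_input call catches the common mistake of feeding it the
			raw file instead.
		</para>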
	</refsect1>

	<refsect1>
		<title>Authors</title>
		<para><command>pkcs11-tool</command> was written by
		Olaf Kirch <email>okir@suse.de</email>.</para>
	</refsect1>
</refentry>