f704e4f23e
Option --use-locking has C_Initialize pass in parameters with the CKF_OS_LOCKING_OK to tell module to use threads. The default is it passes NULL which says threads are not needed. The following is not designed to be used by the general user. There are for debugging and test scripts and only compiled if the system has threads. Option --test-threads <arg> can be passed multiple times. Each one starts a thread. <arg> is a list of 2 byte commands seperated by ":". The thread will execute these. Current commands are: IN - C_Initialize(NULL) IL - C_Initialize with CKF_OS_LOCKING_OK Pn - Pause for n seconds GI - C_GetInfo SL - C_GetSlotList Tn - C_GetTokenInfo from slot_index n These are just enough calls to see if threads are working in the module. Output is written to stderr. Changes to be committed: modified: doc/tools/pkcs11-tool.1.xml modified: src/tools/Makefile.am modified: src/tools/pkcs11-tool.c
681 lines
21 KiB
XML
681 lines
21 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<refentry id="pkcs11-tool">
|
|
<refmeta>
|
|
<refentrytitle>pkcs11-tool</refentrytitle>
|
|
<manvolnum>1</manvolnum>
|
|
<refmiscinfo class="productname">OpenSC</refmiscinfo>
|
|
<refmiscinfo class="manual">OpenSC Tools</refmiscinfo>
|
|
<refmiscinfo class="source">opensc</refmiscinfo>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>pkcs11-tool</refname>
|
|
<refpurpose>utility for managing and using PKCS #11 security tokens</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<command>pkcs11-tool</command>
|
|
<arg choice="opt"><replaceable class="option">OPTIONS</replaceable></arg>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
<para>
|
|
The <command>pkcs11-tool</command> utility is used to manage the
|
|
data objects on smart cards and similar PKCS #11 security tokens.
|
|
Users can list and read PINs, keys and certificates stored on the
|
|
token. User PIN authentication is performed for those operations
|
|
that require it.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Options</title>
|
|
<para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>
|
|
<option>--attr-from</option> <replaceable>filename</replaceable>
|
|
</term>
|
|
<listitem><para>Extract information from <replaceable>filename</replaceable>
|
|
(DER-encoded certificate file) and create the corresponding
|
|
attributes when writing an object to the token. Example: the
|
|
certificate subject name is used to create the CKA_SUBJECT
|
|
attribute.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--change-pin</option>,
|
|
<option>-c</option>
|
|
</term>
|
|
<listitem><para>Change the user PIN on the token</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--unlock-pin</option>
|
|
</term>
|
|
<listitem><para>Unlock User PIN (without <option>--login</option>
|
|
unlock in logged in session; otherwise <option>--login-type</option>
|
|
has to be 'context-specific').</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--hash</option>,
|
|
<option>-h</option>
|
|
</term>
|
|
<listitem><para>Hash some data.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--hash-algorithm</option> <replaceable>mechanism</replaceable>
|
|
</term>
|
|
<listitem>
|
|
<para>
|
|
Specify hash algorithm used with RSA-PKCS-PSS signature or RSA-OAEP decryption.
|
|
Allowed values are "SHA-1", "SHA256", "SHA384", "SHA512", and some tokens may
|
|
also allow "SHA224". Default is "SHA-1".
|
|
</para>
|
|
<para>
|
|
Note that the input to RSA-PKCS-PSS has to be of the size equal to
|
|
the specified hash algorithm. E.g., for SHA256 the signature input must
|
|
be exactly 32 bytes long (for mechanisms SHA256-RSA-PKCS-PSS there is no
|
|
such restriction). For RSA-OAEP, the plaintext input size mLen must be
|
|
at most keyLen - 2 - 2*hashLen. For example, for RSA 3072-bit key and
|
|
SHA384, the longest plaintext to encrypt with RSA-OAEP is (with all
|
|
sizes in bytes): 384 - 2 - 2*48 = 286, aka 286 bytes.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--id</option> <replaceable>id</replaceable>,
|
|
<option>-d</option> <replaceable>id</replaceable>
|
|
</term>
|
|
<listitem><para>Specify the id of the object to operate on.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--init-pin</option>
|
|
</term>
|
|
<listitem><para>Initializes the user PIN. This option
|
|
differs from <option>--change-pin</option> in that it sets the user PIN
|
|
for the first time. Once set, the user PIN can be changed
|
|
using <option>--change-pin</option>.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--init-token</option>
|
|
</term>
|
|
<listitem><para>Initialize a token: set the token label as
|
|
well as a Security Officer PIN (the label must be specified
|
|
using <option>--label</option>).</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--input-file</option> <replaceable>filename</replaceable>,
|
|
<option>-i</option> <replaceable>filename</replaceable>
|
|
</term>
|
|
<listitem><para>Specify the path to a file for input.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--keypairgen</option>,
|
|
<option>-k</option>
|
|
</term>
|
|
<listitem><para>Generate a new key pair (public and private pair.)</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>
|
|
<option>--keygen</option>
|
|
</term>
|
|
<listitem><para>Generate a new key.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--key-type</option> <replaceable>specification</replaceable>
|
|
</term>
|
|
<listitem><para>Specify the type and length (bytes if symmetric) of the key to create,
|
|
for example RSA:1024, EC:prime256v1, GOSTR3410-2012-256:B,
|
|
DES:8, DES3:24, AES:16 or GENERIC:64.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--usage-sign</option>
|
|
</term>
|
|
<listitem><para>Specify 'sign' key usage flag (sets SIGN in privkey, sets VERIFY in pubkey).</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--usage-decrypt</option>
|
|
</term>
|
|
<listitem><para>Specify 'decrypt' key usage flag (RSA only, set DECRYPT privkey, ENCRYPT in pubkey).</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--usage-derive</option>
|
|
</term>
|
|
<listitem><para>Specify 'derive' key usage flag (EC only).</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--usage-wrap</option>
|
|
</term>
|
|
<listitem><para>Specify 'wrap' key usage flag.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--label</option> <replaceable>name</replaceable>,
|
|
<option>-a</option> <replaceable>name</replaceable>
|
|
</term>
|
|
<listitem><para>Specify the name of the object to operate on
|
|
(or the token label when <option>--init-token</option>
|
|
is used).</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--list-mechanisms</option>,
|
|
<option>-M</option>
|
|
</term>
|
|
<listitem><para>Display a list of mechanisms supported by the token.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--list-objects</option>,
|
|
<option>-O</option>
|
|
</term>
|
|
<listitem><para>Display a list of objects.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--list-slots</option>,
|
|
<option>-L</option>
|
|
</term>
|
|
<listitem><para>Display a list of available slots on the token.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--list-token-slots</option>,
|
|
<option>-T</option>
|
|
</term>
|
|
<listitem><para>List slots with tokens.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--list-interfaces</option>
|
|
</term>
|
|
<listitem><para>List interfaces of PKCS #11 3.0 library.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--login</option>,
|
|
<option>-l</option>
|
|
</term>
|
|
<listitem><para>Authenticate to the token before performing
|
|
other operations. This option is not needed if a PIN is
|
|
provided on the command line.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--login-type</option>
|
|
</term>
|
|
<listitem><para>Specify login type ('so', 'user', 'context-specific';
|
|
default:'user').</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--mechanism</option> <replaceable>mechanism</replaceable>,
|
|
<option>-m</option> <replaceable>mechanism</replaceable>
|
|
</term>
|
|
<listitem><para>Use the specified <replaceable>mechanism</replaceable>
|
|
for token operations. See <option>-M</option> for a list
|
|
of mechanisms supported by your token. The mechanism can also be specified in
|
|
hexadecimal, e.g., <replaceable>0x80001234</replaceable>.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--mgf</option> <replaceable>function</replaceable>
|
|
</term>
|
|
<listitem><para>Use the specified Message Generation
|
|
Function (MGF) <replaceable>function</replaceable>
|
|
for RSA-PKCS-PSS signatures or RSA-OAEP decryptions. Supported arguments are MGF1-SHA1
|
|
to MGF1-SHA512 if supported by the driver.
|
|
The default is based on the hash selection.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--module</option> <replaceable>mod</replaceable>
|
|
</term>
|
|
<listitem><para>Specify a PKCS#11 module (or library) to
|
|
load.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--moz-cert</option> <replaceable>filename</replaceable>,
|
|
<option>-z</option> <replaceable>filename</replaceable>
|
|
</term>
|
|
<listitem><para>Test a Mozilla-like key pair generation
|
|
and certificate request. Specify the <replaceable>filename</replaceable>
|
|
to the certificate file.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--output-file</option> <replaceable>filename</replaceable>,
|
|
<option>-o</option> <replaceable>filename</replaceable>
|
|
</term>
|
|
<listitem><para>Specify the path to a file for output.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--pin</option> <replaceable>pin</replaceable>,
|
|
<option>-p</option> <replaceable>pin</replaceable>
|
|
</term>
|
|
<listitem><para>Use the given <replaceable>pin</replaceable> for
|
|
token operations. If set to
|
|
env:<replaceable>VARIABLE</replaceable>, the value of the
|
|
environment variable <replaceable>VARIABLE</replaceable> is
|
|
used. WARNING: Be careful using this option
|
|
as other users may be able to read the command line from
|
|
the system or if it is embedded in a script. If set to
|
|
env:<replaceable>VARIABLE</replaceable>, the value of the
|
|
environment variable <replaceable>VARIABLE</replaceable> is
|
|
used.</para>
|
|
<para>This option will also set
|
|
the <option>--login</option> option.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--puk</option> <replaceable>puk</replaceable>
|
|
</term>
|
|
<listitem><para>Supply User PUK on the command line.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--new-pin</option> <replaceable>pin</replaceable>
|
|
</term>
|
|
<listitem><para>Supply new User PIN on the command line.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--sensitive</option>
|
|
</term>
|
|
<listitem><para>Set the CKA_SENSITIVE attribute (object cannot be revealed in plaintext).</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--extractable</option>
|
|
</term>
|
|
<listitem><para>Set the CKA_EXTRACTABLE attribute (object can be extracted)</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--set-id</option> <replaceable>id</replaceable>,
|
|
<option>-e</option> <replaceable>id</replaceable>
|
|
</term>
|
|
<listitem><para>Set the CKA_ID of the object.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--show-info</option>,
|
|
<option>-I</option>
|
|
</term>
|
|
<listitem><para>Display general token information.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--sign</option>,
|
|
<option>-s</option>
|
|
</term>
|
|
<listitem><para>Sign some data.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--decrypt</option>,
|
|
</term>
|
|
<listitem><para>Decrypt some data.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--derive</option>,
|
|
</term>
|
|
<listitem><para>Derive a secret key using another key and some data.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--derive-pass-der</option>,
|
|
</term>
|
|
<listitem><para>Derive ECDHpass DER encoded pubkey for compatibility with some PKCS#11 implementations</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--salt-len</option> <replaceable>bytes</replaceable>
|
|
</term>
|
|
<listitem><para>Specify how many bytes of salt should
|
|
be used in RSA-PSS signatures. Accepts two special values:
|
|
"-1" means salt length equals to digest length,
|
|
"-2" means use maximum permissible length.
|
|
Default is digest length (-1).</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--slot</option> <replaceable>id</replaceable>
|
|
</term>
|
|
<listitem><para>Specify the id of the slot to use.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--slot-description</option> <replaceable>description</replaceable>
|
|
</term>
|
|
<listitem><para>Specify the description of the slot to use.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--slot-index</option> <replaceable>index</replaceable>
|
|
</term>
|
|
<listitem><para>Specify the index of the slot to use.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--object-index</option> <replaceable>index</replaceable>
|
|
</term>
|
|
<listitem><para>Specify the index of the object to use.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--use-locking</option>
|
|
</term>
|
|
<listitem><para>Tell pkcs11 module it should use OS thread locking.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--test-threads</option> <replaceable>options</replaceable>
|
|
</term>
|
|
<listitem><para>Test a pkcs11 module's thread implication. (See source code).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--token-label</option> <replaceable>label</replaceable>
|
|
</term>
|
|
<listitem><para>Specify the label of token.
|
|
Will be used the first slot, that has the inserted token with this
|
|
label.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--so-pin</option> <replaceable>pin</replaceable>
|
|
</term>
|
|
<listitem><para>Use the given <replaceable>pin</replaceable> as the
|
|
Security Officer PIN for some token operations (token
|
|
initialization, user PIN initialization, etc). If set to
|
|
env:<replaceable>VARIABLE</replaceable>, the value of the
|
|
environment variable <replaceable>VARIABLE</replaceable> is
|
|
used. The same warning as <option>--pin</option> also
|
|
applies here.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--test</option>,
|
|
<option>-t</option>
|
|
</term>
|
|
<listitem><para>Perform some tests on the token. This
|
|
option is most useful when used with either <option>--login</option>
|
|
or <option>--pin</option>.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--test-hotplug</option>
|
|
</term>
|
|
<listitem><para>Test hotplug capabilities (C_GetSlotList +
|
|
C_WaitForSlotEvent).</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--private</option>
|
|
</term>
|
|
<listitem><para>Set the CKA_PRIVATE attribute (object is only
|
|
viewable after a login).</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--always-auth</option>
|
|
</term>
|
|
<listitem><para>Set the CKA_ALWAYS_AUTHENTICATE attribute to a private key object.
|
|
If set, the user has to supply the PIN for each use (sign or decrypt) with the key.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--allowed-mechanisms</option> <replaceable>mechanisms</replaceable>
|
|
</term>
|
|
<listitem><para>Sets the CKA_ALLOWED_MECHANISMS attribute
|
|
to a key objects when importing an object or generating
|
|
a keys. The argument accepts comma-separated list of
|
|
algorithmsm, that can be used with the given key.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--test-ec</option>
|
|
</term>
|
|
<listitem><para>Test EC (best used with the <option>--login</option>
|
|
or <option>--pin</option> option).</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--test-fork</option>
|
|
</term>
|
|
<listitem><para>Test forking and calling C_Initialize() in the
|
|
child.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--type</option> <replaceable>type</replaceable>,
|
|
<option>-y</option> <replaceable>type</replaceable>
|
|
</term>
|
|
<listitem><para>Specify the type of object to operate on.
|
|
Valid value are <literal>cert</literal>, <literal>privkey</literal>,
|
|
<literal>pubkey</literal>, <literal>secrkey</literal>
|
|
and <literal>data</literal>.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--verbose</option>, <option>-v</option>
|
|
</term>
|
|
<listitem><para>Cause <command>pkcs11-tool</command> to be
|
|
more verbose.</para><para>NB! This does not affect
|
|
OpenSC debugging level! To set OpenSC PKCS#11 module into debug
|
|
mode, set the <varname>OPENSC_DEBUG</varname> environment variable to a
|
|
non-zero number.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--verify</option>,
|
|
</term>
|
|
<listitem><para>Verify signature of some data.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--read-object</option>,
|
|
<option>-r</option>
|
|
</term>
|
|
<listitem><para>Get object's CKA_VALUE attribute (use with
|
|
<option>--type</option>).</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--delete-object</option>,
|
|
<option>-b</option>
|
|
</term>
|
|
<listitem><para>Delete an object.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--application-label</option> <replaceable>label</replaceable>
|
|
</term>
|
|
<listitem><para>Specify the application label of the data object (use with
|
|
<option>--type</option> data).</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--application-id</option> <replaceable>id</replaceable>
|
|
</term>
|
|
<listitem><para>Specify the application ID of the data object (use with
|
|
<option>--type</option> data).</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--issuer</option> <replaceable>data</replaceable>
|
|
</term>
|
|
<listitem><para>Specify the issuer in hexadecimal format (use with
|
|
<option>--type</option> cert).</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--subject</option> <replaceable>data</replaceable>
|
|
</term>
|
|
<listitem><para>Specify the subject in hexadecimal format (use with
|
|
<option>--type</option> cert/privkey/pubkey).</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--signature-file</option> <replaceable>filename</replaceable>
|
|
</term>
|
|
<listitem><para>The path to the signature file for signature verification</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--signature-format</option> <replaceable>format</replaceable>
|
|
</term>
|
|
<listitem><para>Format for ECDSA signature: 'rs' (default),
|
|
'sequence', 'openssl'.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--write-object</option> <replaceable>filename</replaceable>,
|
|
<option>-w</option> <replaceable>filename</replaceable>
|
|
</term>
|
|
<listitem><para>Write a key or certificate object to the token.
|
|
<replaceable>filename</replaceable> points to the DER-encoded certificate or key file.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--generate-random</option> <replaceable>num</replaceable>
|
|
</term>
|
|
<listitem><para>Get <replaceable>num</replaceable> bytes of random data.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--allow-sw</option>
|
|
</term>
|
|
<listitem><para>Allow using software mechanisms that do not have the CKF_HW flag set.
|
|
May be required when using software tokens and emulators.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Examples</title>
|
|
<para>
|
|
To list all certificates on the smart card:
|
|
<programlisting>pkcs11-tool --list-objects --type cert</programlisting>
|
|
|
|
To read the certificate with ID <replaceable>KEY_ID</replaceable>
|
|
in DER format from smart card:
|
|
<programlisting>pkcs11-tool --read-object --id KEY_ID --type cert --output-file cert.der</programlisting>
|
|
|
|
To convert the certificate in DER format to PEM format, use OpenSSL
|
|
tools:
|
|
<programlisting>openssl x509 -inform DER -in cert.der -outform PEM > cert.pem</programlisting>
|
|
|
|
To sign some data stored in file <replaceable>data</replaceable>
|
|
using the private key with ID <replaceable>ID</replaceable> and
|
|
using the RSA-PKCS mechanism:
|
|
<programlisting>pkcs11-tool --sign --id ID --mechanism RSA-PKCS --input-file data --output-file data.sig</programlisting>
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Authors</title>
|
|
<para><command>pkcs11-tool</command> was written by
|
|
Olaf Kirch <email>okir@suse.de</email>.</para>
|
|
</refsect1>
|
|
|
|
</refentry>
|