source-git / opencryptoki

Clone
Source Code
GIT

Files

  1.   8aa27dc2edbd225ad179b0db77a7f01cbfdeff9a
  2.   man
  3.   man1
  4.   p11sak.1.in
Blob Blame History Raw 
.TH P11SAK 1 "May 2020" "@PACKAGE_VERSION@" "openCryptoki"
.SH NAME
p11sak \- generate and list token keys in an openCryptoki token repository.
.
.
.SH SYNOPSIS
.B p11sak
.I command
.RI [ ARGS ]
.RB [ OPTIONS ]
.
.PP
.B p11sak
.BR \-\-help | \-h
.br

.SH DESCRIPTION
.B p11sak can be used to generate, list and delete the token keys in an openCryptoki token repository.
The utility provides a flexible key management tool in openCryptoki to list and generate symmetric (DES; 3DES, AES) and asymetric (RSA, EC) keys.
This tool is especially capable of a well defined listing of keys with their PKCS #11 attributes.
.
.
.
.SH COMMANDS
The \fBp11sak\fP tool can operate in three modes: when command
.I generate-key
is specified, it operates in the mode to generate a token key in the openCryptoki token repository.
If command
.I list-key
is given, it lists the keys specified in the arguments.
If command
.I remove-key
is given, it removes the keys specified in the arguments.
.
.PP
.SS "generate-key"
.PP
Use the
.B generate-key|gen-key|gen
command and key argument to generate a token key with the respective
.RI [ ARGS ]
and
.RB [ OPTIONS ].
The
.BR \-\-help | \-h
option will show the arguments and options available.
.
.PP
.SS "list-key"
.PP
Use the
.B list-key|ls-key|ls
command and key argument to list token keys given the respective
.RI [ ARGS ]
and
.RB [ OPTIONS ].
The
.BR \-\-help | \-h
option will show the arguments and options available.
.
.PP
.SS "list-key"
.PP
Use the
.B remove-key|rm-key|rm
command and key argument to delete token keys given the respective
.RI [ ARGS ]
and
.RB [ OPTIONS ].
The
.BR \-\-help | \-h
option will show the arguments and options available.
.
.PP
.SS "Generating DES/3DES keys"
.
.B p11sak
.BR generate-key | gen-key | gen
.BR des | 3des
.B \-\-slot
.IR SLOTID
.B \-\-pin
.IR PIN
.B \-\-label
.IR LABEL
.B \-\-attr
.IR [M R L S E D G V W U A X N T]
.B \-\-help | \-h
.PP
Use the
.B generate-key
command with the
.B des|3des
key argument to generate a DES or 3DES key. The
.B \-\-slot
.IR SLOTID
and
.B \-\-pin
.IR PIN
options are required to set the token to
.IR SLOTID
and the token PIN. The
.B \-\-label
option allows the user to set the
.IR LABEL
attribute of the key and
.B \-\-attr
.IR [M R L S E D G V W U A X N T]
can be used to set the binary attributes of the key (see below for detailed description of the attributes).
.
.PP
.SS "Generating AES keys"
.
.B p11sak
.BR generate-key | gen-key | gen
.BR aes
.BR 128 | 192 | 256
.B \-\-slot
.IR SLOTID
.B \-\-pin
.IR PIN
.B \-\-label
.IR LABEL
.B \-\-attr
.IR [M R L S E D G V W U A X N T]
.B \-\-help | \-h
.PP
Use the
.B generate-key
.B aes
.B 128|192|256
command and key argument to generate a AES key with 128, 192 or 256 bit length, respectively. The
.B \-\-slot
.IR SLOTID
and
.B \-\-pin
.IR PIN
options are required to set the token to
.IR SLOTID
and the token PIN. The
.B \-\-label
option allows the user to set the
.IR LABEL
attribute of the key and
.B \-\-attr
.IR [M R L S E D G V W U A X N T]
can be used to set the binary attributes of the key (see below for detailed description of the attributes).
.
.PP
.SS "Generating RSA keys"
.
.B p11sak
.BR generate-key | gen-key | gen
.BR rsa
.BR 1024 | 2048 | 4096
.B \-\-slot
.IR SLOTID
.B \-\-pin
.IR PIN
.B \-\-label
.IR LABEL
.B \-\-exponent
.IR EXP
.B \-\-attr
.IR [M R L S E D G V W U A X N T]
.B \-\-help | \-h
.PP
Use the
.B generate-key
.B rsa
.B 1024|2048|4096
command and key argument to generate a 1024, 2048 or 4096 bit RSA key, respectively. The
.B \-\-slot
.IR SLOTID
and
.B \-\-pin
.IR PIN
options are required to set the token to
.IR SLOTID
and the token PIN. The
.B \-\-label
option allows the user to set the
.IR LABEL
attribute of the key and
.B \-\-attr
.IR [M R L S E D G V W U A X N T]
can be used to set the binary attributes of the key (see below for detailed description of the attributes). Furthermore, the
.B \-\-exponent
.IR EXP
options allows the user to specify the exponent used for generating the RSA key. The default is set to 65537 according to the PKCS #11 standard.
.
.PP
.SS "Generating EC keys"
.
.B p11sak
.BR generate-key | gen-key | gen
.BR ec
.BR CURVE
.B \-\-slot
.IR SLOTID
.B \-\-pin
.IR PIN
.B \-\-label
.IR LABEL
.B \-\-attr
.IR [M R L S E D G V W U A X N T]
.B \-\-help | \-h
.PP
Use the
.B generate-key
.B ec
.B CURVE
command and key argument to generate an EC key, where
.I CURVE
specifies the eliptic curve used to create the EC key. The following arguments can be used for respective curves:
.B prime256v1 | prime192 | secp224 | secp384r1 | secp521r1 | secp265k1 | brainpoolP160r1 | brainpoolP160t1
.B | brainpoolP192r1 | brainpoolP192t1 | brainpoolP224r1 | brainpoolP224t1 | brainpoolP256r1 | brainpoolP256t1
.B | brainpoolP320r1 | brainpoolP320t1 | brainpoolP384r1 | brainpoolP384t1 | brainpoolP512r1 | brainpoolP512t1
.PP
.B Note:
not all curves will be supported by all tokens and key generation will fail when the specified
.I CURVE
is not supported. The
.B \-\-slot
.IR SLOTID
and
.B \-\-pin
.IR PIN
options are required to set the token to
.IR SLOTID
and the token PIN. The
.B \-\-label
option allows the user to set the
.IR LABEL
attribute of the key and
.B \-\-attr
.IR [M R L S E D G V W U A X N T]
can be used to set the binary attributes of the key (see below for detailed description of the attributes).
.
.PP
.SS "Listing symmetric and asymmetric keys"
.
.B p11sak
.BR list-key | ls-key | ls
.BR des | 3des | aes | rsa | ec | public | private | secret
.B \-\-slot
.IR SLOTID
.B \-\-pin
.IR PIN
.B \-\-long | \-l
.B \-\-help | \-h
.PP
Use the
.B list-key | ls-key | ls
command and key argument to list DES, 3DES, AES, RSA or EC keys, respectively. Public, private or secret keys can also be listed irrespective of key type.
.
.PP
.SS "Deleting symmetric and asymmetric keys"
.
.B p11sak
.BR remove-key | rm-key | rm
.BR des | 3des | aes | rsa | ec
.B \-\-slot
.IR SLOTID
.B \-\-pin
.IR PIN
.B \-\-label
.IR LABEL
.B \-\-force | \-f
.B \-\-help | \-h
.PP
Use the
.B remove-key | rm-key | rm
command and key argument to delete DES, 3DES, AES, RSA or EC keys, respectively. All specified cipher keys will be promted to be deleted unless 
a specific key with the 
.B \-\-label
.IR LABEL
argument is selected. The user will be promted to confirm the deletion of the key. To suppress the promt, use the 
.B \-\-force | \-f
option.
.
.PP
.
.
.
.SH ARGS
.
.SS "des | 3des | aes | rsa | ec | public | private | secret"

selects the respective symmetric or asymetric key to be generated or listed. The
.B public|private|secret
argument can only be used with the
.B list-key
command to list either public, private or secret keys.
.PP
.
.
.
.SS "128|192|256"
the
.B aes
argument has to be followed by either 128, 192 or 256 to set the respective key bit length of the AES key.
.PP
.
.
.
.SS "1024|2048|4096"
the
.B rsa
argument has to be followed by either 1024, 2048 or 4096 to set the respective key bit length of the RSA key.
.PP
.
.
.
.SS "prime256v1 | prime192 | secp224 | secp384r1 | secp521r1 | secp265k1 | brainpoolP160r1 | brainpoolP160t1 | brainpoolP192r1 | brainpoolP192t1 | brainpoolP224r1 | brainpoolP224t1 | brainpoolP256r1 | brainpoolP256t1 | brainpoolP320r1 | brainpoolP320t1 | brainpoolP384r1 | brainpoolP384t1 | brainpoolP512r1 | brainpoolP512t1"
the
.B ec
argument has to be followed by either of these
.I CURVE
to select the EC curve used to generate the key.
.PP
.
.

.SH OPTIONS

.SS "\-\-slot SLOTID"
sets the token to
.IR SLOTID
.PP
.
.
.
.SS "\-\-pin PIN"
sets the token PIN to
.IR PIN
.PP
.
.
.
.SS "\-\-label LABEL"
sets the key label attribute to
.IR LABEL
.PP
.
.
.
.SS "\-\-exponent EXP"
sets the RSA exponent to
.IR EXP
.PP
.
.
.
.SS "\-\-attr [M R L S E D G V W U A X N T]"
sets the binary attributes of a key.
.PP
.B Note:
not all binary attributes are applicable to all keys and will be omitted if not applicable.
.PP
The attributes are set to
.B FALSE
by default and switched to
.B TRUE
when the letter that is associated with the given binary attribute is specified. The following letters are associated with the respective
.B CK_ATTRIBUTE:
.IP "\(bu" 2
.B M
- CKA_MODIFIABLE
.IP "\(bu" 2
.B R
- CKA_DERIVE
.IP "\(bu" 2
.B L
- CKA_LOCAL
.IP "\(bu" 2
.B S
- CKA_SENSITIVE
.IP "\(bu" 2
.B E
- CKA_ENCRYPT
.IP "\(bu" 2
.B D
- CKA_DECRYPT
.IP "\(bu" 2
.B G
- CKA_SIGN
.IP "\(bu" 2
.B V
- CKA_VERIFY
.IP "\(bu" 2
.B W
- CKA_WRAP
.IP "\(bu" 2
.B U
- CKA_UNWRAP
.IP "\(bu" 2
.B A
- CKA_ALWAYS_SENSITIVE
.IP "\(bu" 2
.B X
- CKA_EXTRACTABLE
.IP "\(bu" 2
.B N
- CKA_NEVER_EXTRACTABLE
.PP
CKA_TOKEN and CKA_PRIVATE are set by default to
.B TRUE.
For multiple attributes, combine the letters in a string without white space, e. g. 'MLD'.
.PP
.
.
.
.SS "\-\-long | \-l"
prints the
.B list-key
output in long format. If omitted, the output is in a short, tabular format.
.PP
.
.
.
.SS "\-\-force | \-f"
to be used with the 
.B remove-key
command to suppress the promt whether the user wants to delete the specified keys.
.PP
.
.
.
.SS "\-\-help | \-h"
prints help for the usage of
.B p11sak
and/or the respective command.
.PP

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation