Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help 
P11SAK(1)			 openCryptoki			     P11SAK(1)

NAME
       p11sak  - generate and list token keys in an openCryptoki token reposi-
       tory.

SYNOPSIS
       p11sak command [ARGS] [OPTIONS]

       p11sak --help|-h

DESCRIPTION
       p11sak can be used to generate, list and	delete the token  keys	in  an
       openCryptoki  token  repository.	  The  utility provides	a flexible key
       management tool in openCryptoki to list and  generate  symmetric	 (DES;
       3DES, AES) and asymetric	(RSA, EC) keys.	 This tool is especially capa-
       ble of a	well defined listing of	keys with their	PKCS #11 attributes.

COMMANDS
       The  p11sak  tool can operate in	three modes: when command generate-key
       is specified, it	operates in the	mode to	generate a token  key  in  the
       openCryptoki  token repository.	If command list-key is given, it lists
       the keys	specified in the arguments.  If	command	remove-key  is	given,
       it removes the keys specified in	the arguments.

   generate-key
       Use the generate-key|gen-key|gen	command	and key	argument to generate a
       token  key with the respective [ARGS] and [OPTIONS].  The --help|-h op-
       tion will show the arguments and	options	available.

   list-key
       Use the list-key|ls-key|ls command and key argument to list token  keys
       given  the  respective [ARGS] and [OPTIONS].  The --help|-h option will
       show the	arguments and options available.

   remove-key
       Use the remove-key|rm-key|rm command and	key argument to	 delete	 token
       keys  given  the	respective [ARGS] and [OPTIONS].  The --help|-h	option
       will show the arguments and options available.

   Generating DES/3DES keys
       p11sak generate-key|gen-key|gen des|3des	--slot SLOTID --pin PIN	 --la-
       bel LABEL --attr	[PMRLSEDGVWUAXNT] --help | -h

       Use the generate-key command with the des|3des key argument to generate
       a DES or	3DES key. The --slot SLOTID and	--pin PIN options are required
       to set the token	to SLOTID and the token	PIN. The --label option	allows
       the  user  to  set  the	LABEL  attribute  of  the  key and --attr [PM-
       RLSEDGVWUAXNT] can be used to set the binary attributes of the key (see
       below for detailed description of the attributes).

   Generating AES keys
       p11sak generate-key|gen-key|gen aes 128|192|256 --slot SLOTID --pin PIN
       --label LABEL --attr [PMRLSEDGVWUAXNT] --help | -h

       Use the generate-key aes	128|192|256 command and	key argument to	gener-
       ate a AES key with 128, 192 or 256 bit length, respectively. The	--slot
       SLOTID and --pin	PIN options are	required to set	the  token  to	SLOTID
       and  the	token PIN. The --label option allows the user to set the LABEL
       attribute of the	key and	--attr [PMRLSEDGVWUAXNT] can be	 used  to  set
       the binary attributes of	the key	(see below for detailed	description of
       the attributes).

   Generating RSA keys
       p11sak  generate-key|gen-key|gen	rsa 1024|2048|4096 --slot SLOTID --pin
       PIN --label LABEL --exponent EXP	--attr [PMRLSEDGVWUAXNT] --help	| -h

       Use the generate-key rsa	1024|2048|4096 command	and  key  argument  to
       generate	 a  1024,  2048	 or 4096 bit RSA key, respectively. The	--slot
       SLOTID and --pin	PIN options are	required to set	the  token  to	SLOTID
       and  the	token PIN. The --label option allows the user to set the LABEL
       attribute of the	key and	--attr [PMRLSEDGVWUAXNT] can be	 used  to  set
       the binary attributes of	the key	(see below for detailed	description of
       the  attributes).  Furthermore,	the  --exponent	EXP options allows the
       user to specify the exponent used for generating	the RSA	key.  The  de-
       fault is	set to 65537 according to the PKCS #11 standard.

   Generating EC keys
       p11sak  generate-key|gen-key|gen	ec CURVE --slot	SLOTID --pin PIN --la-
       bel LABEL --attr	[PMRLSEDGVWUAXNT] --help | -h

       Use the generate-key ec CURVE command and key argument to  generate  an
       EC  key,	 where CURVE specifies the eliptic curve used to create	the EC
       key. The	 following  arguments  can  be	used  for  respective  curves:
       prime256v1  |  prime192 | secp224 | secp384r1 | secp521r1 | secp265k1 |
       brainpoolP160r1 | brainpoolP160t1 | brainpoolP192r1 | brainpoolP192t1 |
       brainpoolP224r1 | brainpoolP224t1 | brainpoolP256r1 | brainpoolP256t1 |
       brainpoolP320r1 | brainpoolP320t1 | brainpoolP384r1 | brainpoolP384t1 |
       brainpoolP512r1 | brainpoolP512t1 | curve25519 |	curve448 |  ed25519  |
       ed448

       Note: not all curves will be supported by all tokens and	key generation
       will  fail when the specified CURVE is not supported. The --slot	SLOTID
       and --pin PIN options are required to set the token to SLOTID  and  the
       token  PIN.  The	 --label  option  allows the user to set the LABEL at-
       tribute of the key and --attr [PMRLSEDGVWUAXNT] can be used to set  the
       binary attributes of the	key (see below for detailed description	of the
       attributes).

   Generating IBM Dilithium keys
       p11sak  generate-key|gen-key|gen	 ibm-dilithium	VERSION	 --slot	SLOTID
       --pin PIN --label LABEL --attr [MRLSEDGVWUAXNT] --help |	-h

       Use the generate-key ibm-dilithium VERSION command and key argument  to
       generate	 an  IBM Dilithium key,	where VERSION specifies	the version of
       the IBM Dilithium keypair. The following	arguments can be used for  re-
       spective	keys: r2_65

       The  --slot  SLOTID and --pin PIN options are required to set the token
       to SLOTID and the token PIN. The	--label	option allows the user to  set
       the  LABEL attribute of the key and --attr [MRLSEDGVWUAXNT] can be used
       to set the binary attributes of the key (see  below  for	 detailed  de-
       scription of the	attributes).

   Listing symmetric and asymmetric keys
       p11sak list-key|ls-key|ls des|3des|aes|rsa|ec|ibm-dilithium|public|pri-
       vate|secret|all	--slot	SLOTID	--pin  PIN  --label  LABEL --long | -l
       --help |	-h

       Use the list-key	| ls-key | ls command and key argument	to  list  DES,
       3DES,  AES,  RSA, EC, or	IBM Dilithium keys, respectively. Public, pri-
       vate, secret, or	all keys can also be listed irrespective of key	type.

   Deleting symmetric and asymmetric keys
       p11sak  remove-key|rm-key|rm  des|3des|aes|rsa|ec|ibm-dilithium	--slot
       SLOTID --pin PIN	--label	LABEL --force |	-f --help | -h

       Use  the	 remove-key  |	rm-key | rm command and	key argument to	delete
       DES, 3DES, AES, RSA, EC,	or IBM Dilithium keys, respectively. All spec-
       ified cipher keys will be prompted to be	deleted	unless a specific  key
       with  the  --label LABEL	argument is selected. The user will be promted
       to confirm the deletion of the key. To  suppress	 the  promt,  use  the
       --force | -f option.

ARGS
   des	|  3des	| aes |	rsa | ec | ibm-dilithium | public | private | secret |
       all
       selects the respective symmetric	or asymetric key to  be	 generated  or
       listed.	The  public|private|secret|all	argument can only be used with
       the list-key command to list either public,  private,  secret,  or  all
       keys.

   128|192|256
       the  aes	 argument  has to be followed by either	128, 192 or 256	to set
       the respective key bit length of	the AES	key.

   1024|2048|4096
       the rsa argument	has to be followed by either 1024, 2048	or 4096	to set
       the respective key bit length of	the RSA	key.

   prime256v1 |	prime192 | secp224 |  secp384r1	 |  secp521r1  |  secp265k1  |
       brainpoolP160r1 | brainpoolP160t1 | brainpoolP192r1 | brainpoolP192t1 |
       brainpoolP224r1 | brainpoolP224t1 | brainpoolP256r1 | brainpoolP256t1 |
       brainpoolP320r1 | brainpoolP320t1 | brainpoolP384r1 | brainpoolP384t1 |
       brainpoolP512r1	|  brainpoolP512t1 | curve25519	| curve448 | ed25519 |
       ed448
       the ec argument has to be followed by either of these CURVE  to	select
       the EC curve used to generate the key.

OPTIONS
   --slot SLOTID
       sets the	token to SLOTID

   --pin PIN
       sets the	token PIN to PIN

       Alternatively  the  PKCS11_USER_PIN environment variable	may be used to
       provide the token PIN.

   --force-pin-prompt
       enforce p11sak to prompt	for the	token PIN (regardless if it  has  been
       specified elsewhere)

   --label LABEL
       sets the	key label attribute to LABEL

   --exponent EXP
       sets the	RSA exponent to	EXP

   --attr [P M R L S E D G V W U A X N T]
       sets the	binary attributes of a key.

       Note:  not all binary attributes	are applicable to all keys and will be
       omitted if not applicable.

       The attributes are set to FALSE by default and switched	to  TRUE  when
       the letter that is associated with the given binary attribute is	speci-
       fied.  The  following letters are associated with the respective	CK_AT-
       TRIBUTE:

        P - CKA_PRIVATE

        M - CKA_MODIFIABLE

        R - CKA_DERIVE

        L - CKA_LOCAL

        S - CKA_SENSITIVE

        E - CKA_ENCRYPT

        D - CKA_DECRYPT

        G - CKA_SIGN

        V - CKA_VERIFY

        W - CKA_WRAP

        U - CKA_UNWRAP

        A - CKA_ALWAYS_SENSITIVE

        X - CKA_EXTRACTABLE

        N - CKA_NEVER_EXTRACTABLE

        * - if	in p11sak_defined_attrs.conf  additional  attributes  are  de-
	 fined.

       CKA_TOKEN and CKA_PRIVATE are set by default to TRUE.  For multiple at-
       tributes,  combine  the	letters	in a string without white space, e. g.
       'MlD'.  An uppercase letter  means  true,  while	 an  lowercase	letter
       equals	false.	  From	Example	 above:	 CKA_MODIFIABLE=true,  CKA_LO-
       CAL=false, CKA_DECRYPT=true

       For asymmetric keys a user can set different custom attributes for  the
       public  and  the	private	key.  The separator is the symbol ":". The de-
       fined attributes	in front of the	separator are set for the  public  key
       and  the	attributes defined after the separator are set for the private
       key. When the separator is not in the string, the defined attribute set
       is used for public and private key. To set a configuration for only the
       public key, the string has to end with the separator and	 respectively,
       to  use	a  configuration  for  the private key only, the string	has to
       start with the separator.

   --long | -l
       prints the list-key output in long format. If omitted, the output is in
       a short,	tabular	format.

   --force | -f
       to be used with the remove-key command to suppress  the	promt  whether
       the user	wants to delete	the specified keys.

   --help | -h
       prints help for the usage of p11sak and/or the respective command.

FILES
   /usr/local/etc/opencryptoki/p11sak_defined_attrs.conf
       In  the	output	config	file  a	user can define	additional attributes,
       which are not mentioned in the PKCS#11 standard.	A custom filepath  can
       be set with an environment variable.

ENVIRONMENT VARIABLES
   P11SAK_DEFAULT_CONF_FILE
       A  custom  path for p11sak_defined_attrs.conf can be set	with the envi-
       ronment variable	P11SAK_DEFAULT_CONF_FILE. If none is set  p11sak  will
       first look for the file in the user directory, followed by the standard
       installation path.

   PKCS11_USER_PIN
       The   token   PIN   can	be  specified  via  the	 environment  variable
       PKCS11_USER_PIN.	 If nothing is set and the option --pin	is not	speci-
       fied, p11sak will prompt	for the	token PIN interactively.

EXIT STATUS
       p11sak returns various error codes on fail:

   CKR_ARGUMENTS_BAD (0x00000007):
       The p11sak_defined_attrs.conf is	not found.

   CKR_DATA_INVALID (0x00000020):
       The p11sak_defined_attrs.conf cannot be parsed or syntax	is invalid.

   CKR_ATTRIBUTE_TYPE_INVALID (0x00000012):
       A given attribute type cannot be	set for	this key.

SEE ALSO
       p11sak_defined_attrs.conf(5)

3.19.0				   May 2020			     P11SAK(1)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=p11sak&sektion=1&manpath=FreeBSD+Ports+14.3.quarterly>

home | help