opkcs11-tool: managing and operating PKCS #11 security tokens in OCaml

opkcs11-tool

opkcs11-tool is a command-line program for administering and using PKCS#11 devices. It is similar to OpenSC's pkcs11-tool but offers a more complete feature set.

Examples of CLI capabilities:

  • Use newer cryptographic schemes:
    • use EC keys
    • support for PSS signature (CKM_RSA_PKCS_PSS)
    • support for OAEP encryption (CKM_RSA_PKCS_OAEP)
  • Manage object creation using template from the CLI:
    • specify key usages, label, id
  • Change attributes from the CLI
  • Search for objects using attributes from the CLI
  • ...

Authors

Quickstart - Linux

Download the sources using GIT:

git clone --recursive https://github.com/caml-pkcs11/opkcs11-tool

Dependencies for a Debian/Ubuntu machine:

sudo apt-get install autoconf make gcc ocaml-nox camlidl coccinelle camlp4

Building:

cd opkcs11-tool
./autogen.sh
./configure
make

Quickstart - Windows

opkcs11-tool can be compiled for 32- and 64-bit Windows. For documentation on how to build for Windows, check the dedicated page.

Documentation

More complete documentation will be provided at a later time. Please see below for a couple of examples.

Examples using SoftHSM (initialized)

Create a new signature-only RSA key-pair (requires a PIN):

./opkcs11-tool -module /usr/lib/softhsm/libsofthsm.so -l \
-keypairgen -keypairsize 1024 -mech rsa \
-priv-attributes "CKA_TOKEN=TRUE,CKA_SIGN=TRUE,CKA_SIGN_RECOVER=FALSE,CKA_DECRYPT=FALSE,CKA_UNWRAP=FALSE" \
-pub-attributes "CKA_PRIVATE=FALSE,CKA_VERIFY=TRUE,CKA_VERIFY_RECOVER=FALSE,CKA_ENCRYPT=FALSE,CKA_WRAP=FALSE" \
-label sign_key
>Using slot 0.
>Enter PIN:******
>C_GenerateKeyPair ret: cKR_OK
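The attribute templates above are plain comma-separated CKA_NAME=VALUE lists, which makes them easy to lint before a key is generated. The following Python script is an added example, not code from opkcs11-tool: it parses that syntax, derives the public-key template that mirrors a private-key template (reproducing the -pub-attributes string of the example above), and flags private-key templates that combine signing with decryption/unwrapping or leave CKA_SENSITIVE and CKA_EXTRACTABLE to token defaults. The usage-separation rules and the suggested protection values are the author's own assumptions, not behaviour of the tool or of any token.

```python
"""Audit opkcs11-tool style PKCS#11 attribute templates.

Added example, not part of opkcs11-tool: it parses the comma-separated
"CKA_NAME=VALUE" syntax that the README passes to -priv-attributes and
-pub-attributes, derives the matching public-key template, and flags
private-key templates that are not single-purpose. The usage-separation
rules are the author's own checks, not behaviour of the tool or a token.
"""

# Private-key usage flag -> public-key flag that should mirror it.
USAGE_PAIRS = {
    "CKA_SIGN": "CKA_VERIFY",
    "CKA_SIGN_RECOVER": "CKA_VERIFY_RECOVER",
    "CKA_DECRYPT": "CKA_ENCRYPT",
    "CKA_UNWRAP": "CKA_WRAP",
}

# PKCS#11 leaves the defaults of these private-key flags token-specific,
# so a template should set them explicitly (assumed desired values).
PROTECTION_FLAGS = {"CKA_SENSITIVE": "TRUE", "CKA_EXTRACTABLE": "FALSE"}

SIGNING_FLAGS = {"CKA_SIGN", "CKA_SIGN_RECOVER"}
DECRYPTING_FLAGS = {"CKA_DECRYPT", "CKA_UNWRAP"}


def parse_template(text):
    """Turn "CKA_TOKEN=TRUE,CKA_SIGN=TRUE" into {"CKA_TOKEN": True, ...}.

    TRUE/FALSE become Python booleans; any other value (e.g. a label)
    is kept as a string. Duplicate or malformed entries are rejected.
    """
    attrs = {}
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed attribute {item!r}: expected NAME=VALUE")
        name, value = (part.strip() for part in item.split("=", 1))
        if not name.startswith("CKA_"):
            raise ValueError(f"not a PKCS#11 attribute name: {name!r}")
        if name in attrs:
            raise ValueError(f"attribute {name} given twice")
        upper = value.upper()
        attrs[name] = (upper == "TRUE") if upper in ("TRUE", "FALSE") else value
    return attrs


def format_template(attrs):
    """Render a dict back into the CLI syntax, in insertion order."""
    def render(v):
        return "TRUE" if v is True else "FALSE" if v is False else str(v)
    return ",".join(f"{k}={render(v)}" for k, v in attrs.items())


def public_template_for(private_attrs):
    """Derive the public-key template mirroring a private-key template.

    Each private usage flag maps to its public counterpart; the public
    key is marked CKA_PRIVATE=FALSE so it can be read without a login.
    """
    pub = {"CKA_PRIVATE": False}
    for priv_flag, pub_flag in USAGE_PAIRS.items():
        if priv_flag in private_attrs:
            pub[pub_flag] = private_attrs[priv_flag]
    return pub


def check_private_template(attrs):
    """Return a list of findings (empty means the template looks sound)."""
    findings = []
    usages = {flag for flag in USAGE_PAIRS if attrs.get(flag) is True}
    if not usages:
        findings.append("no usage flag is TRUE: the key could not be used")
    # Key separation: one key should either sign or decrypt/unwrap, never
    # both, so an oracle on one operation cannot be reused against the other.
    signing, decrypting = usages & SIGNING_FLAGS, usages & DECRYPTING_FLAGS
    if signing and decrypting:
        findings.append("mixed usage: %s with %s; generate separate keys"
                        % ("/".join(sorted(signing)), "/".join(sorted(decrypting))))
    for flag, wanted in PROTECTION_FLAGS.items():
        if flag not in attrs:
            findings.append(f"{flag} not set explicitly (default is "
                            f"token-specific); set {flag}={wanted}")
    if attrs.get("CKA_PRIVATE") is False:
        findings.append("CKA_PRIVATE=FALSE on a private key: visible without login")
    return findings


if __name__ == "__main__":
    # Constructed input: the private template from the README example.
    readme_priv = ("CKA_TOKEN=TRUE,CKA_SIGN=TRUE,CKA_SIGN_RECOVER=FALSE,"
                   "CKA_DECRYPT=FALSE,CKA_UNWRAP=FALSE")
    attrs = parse_template(readme_priv)
    print("-pub-attributes", format_template(public_template_for(attrs)))
    for finding in check_private_template(attrs):
        print("finding:", finding)
```

Run it with python3 (saved under any name, e.g. template_audit.py): for the README's private template it prints the same -pub-attributes string the example uses and two findings, both about CKA_SENSITIVE and CKA_EXTRACTABLE being left to the token's defaults.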

Hash and sign (RSA_PSS) some data using the new key (requires a PIN):

./opkcs11-tool -module /usr/lib/softhsm/libsofthsm.so -l -label sign_key \
-s -mech CKM_SHA256_RSA_PKCS_PSS -in /etc/fstab -out /tmp/hash-and-sign-fstab
>Using slot 0.
>Enter PIN:******
>Signed data (in hex): '...'
>Writing data to /tmp/hash-and-sign-fstab

Verify the signed data:

./opkcs11-tool -module /usr/lib/softhsm/libsofthsm.so -label sign_key \
-v -mech CKM_SHA256_RSA_PKCS_PSS -in /etc/fstab -verify /tmp/hash-and-sign-fstab
>Verify operation returned : cKR_OK

Overwrite the stored signature with zeros and verify again; the check now fails:

dd if=/dev/zero of=/tmp/hash-and-sign-fstab bs=1 count=128
./opkcs11-tool -module /usr/lib/softhsm/libsofthsm.so -label sign_key \
-mech CKM_SHA256_RSA_PKCS_PSS -in /etc/fstab -verify /tmp/hash-and-sign-fstab
>Fatal error: exception Failure("cKR_SIGNATURE_INVALID")
