opkcs11-tool

This software is a computer program whose purpose is to offer CLI capabilities to administer and use PKCS#11 devices. It is similar to OpenSC's pkcs11-tool but offers a more complete feature set.

Example of CLI capabilities:

Use newer encryption schemes:
- use EC keys
- support for PSS signature (CKM_RSA_PKCS_PSS)
- support for OAEP encryption (CKM_RSA_PKCS_OAEP)
Manage object creation using template from the CLI:
- specify key usages, label, id
Change attributes from the CLI
Search for objects using attributes from the CLI
...

Authors

Ryad Benadjila (mailto:ryadbenadjila@gmail.com)
Thomas Calderon (mailto:calderon.thomas@gmail.com)

Quickstart - Linux

Download the sources using GIT:

git clone --recursive https://github.com/caml-pkcs11/opkcs11-tool

Dependencies for a Debian/Ubuntu machine:

sudo apt-get install autoconf make gcc ocaml-nox camlidl coccinelle camlp4

Building:

cd opkcs11-tool
./autogen.sh
./configure
make

Quickstart - Windows

It is possible to compile opkcs11-tool for Windows 32/64. Documentation on how to build for Windows, check the dedicated page.

Documentation

A more complete documentation will be provided at a later time. Please see below for a couple of examples.

Examples using SoftHSM (initialized)

Create a new signature-only RSA key-pair (requires a PIN):

./opkcs11-tool -module /usr/lib/softhsm/libsofthsm.so -l \
-keypairgen -keypairsize 1024 -mech rsa \
-priv-attributes "CKA_TOKEN=TRUE,CKA_SIGN=TRUE,CKA_SIGN_RECOVER=FALSE,CKA_DECRYPT=FALSE,CKA_UNWRAP=FALSE"\
-pub-attributes "CKA_PRIVATE=FALSE,CKA_VERIFY=TRUE,CKA_VERIFY_RECOVER=FALSE,CKA_ENCRYPT=FALSE,CKA_WRAP=FALSE"\
-label sign_key
>Using slot 0.
>Enter PIN:******
>C_GenerateKeyPair ret: cKR_OK

Hash and sign (RSA_PSS) some data using the new key (requires a PIN):

./opkcs11-tool -module /usr/lib/softhsm/libsofthsm.so -l -label sign_key \
-s -mech CKM_SHA256_RSA_PKCS -in /etc/fstab -out /tmp/hash-and-sign-fstab
>Using slot 0.
>Enter PIN:******
>Signed data (in hex): '...'
>Writing data to /tmp/hash-and-sign-fstab

Verify the signed data:

./opkcs11-tool -module /usr/lib/softhsm/libsofthsm.so -label sign_key \
-v -mech CKM_SHA256_RSA_PKCS_PSS -in /etc/fstab -verify /tmp/hash-and-sign-fstab
>Verify operation returned : cKR_OK

dd if=/dev/zero of=/tmp/hash-and-sign-fstab bs=1 count=128
./opkcs11-tool -module /usr/lib/softhsm/libsofthsm.so -label sign_key \
-mech CKM_SHA256_RSA_PKCS_PSS -in /etc/fstab -verify /tmp/hash-and-sign-fstab
>Fatal error: exception Failure("cKR_SIGNATURE_INVALID")

Name	Name	Last commit message	Last commit date
Latest commit calderonth Merge pull request #3 from caml-pkcs11/rbe/fix_release Nov 22, 2021 73da2d7 · Nov 22, 2021 History 49 Commits
caml-crush @ 7462012	caml-crush @ 7462012	Update submodule dir	May 25, 2020
m4	m4	configure: Initial autoconf support	Feb 19, 2015
x509	x509	Fix the release with the new version of OCaml that deprecates mutable…	Aug 26, 2021
.gitmodules	.gitmodules	Update submodule to new URL	Dec 12, 2017
.travis.yml	.travis.yml	Add travis and Docker files for tests.	May 25, 2020
Dockerfile.debian	Dockerfile.debian	Add travis and Docker files for tests.	May 25, 2020
Dockerfile.ubuntu-trusty	Dockerfile.ubuntu-trusty	Add travis and Docker files for tests.	May 25, 2020
ISSUES.md	ISSUES.md	Initial beta release.	Feb 4, 2015
LICENSE.txt	LICENSE.txt	license: Switch to MIT license.	Jun 12, 2015
Makefile.Unix.in	Makefile.Unix.in	Fix the release with the new version of OCaml that deprecates mutable…	Aug 26, 2021
Makefile.Win32.VS	Makefile.Win32.VS	Fix the release with the new version of OCaml that deprecates mutable…	Aug 26, 2021
Makefile.Win32.in	Makefile.Win32.in	Fix the release with the new version of OCaml that deprecates mutable…	Aug 26, 2021
README.md	README.md	Add travis status in README.	May 25, 2020
WIN32.md	WIN32.md	doc: Add documentation for 64 bits build	Feb 26, 2015
autoclean.sh	autoclean.sh	win32: Support for compiling using Cygwin/MinGW	Feb 25, 2015
autogen.sh	autogen.sh	win32: Support for compiling using Cygwin/MinGW	Feb 25, 2015
config.guess	config.guess	configure: Initial autoconf support	Feb 19, 2015
configure.ac	configure.ac	Fix the release with the new version of OCaml that deprecates mutable…	Aug 26, 2021
ecc_helper.ml	ecc_helper.ml	configure: Initial autoconf support	Feb 19, 2015
opkcs11_tool.ml	opkcs11_tool.ml	Fix the release with the new version of OCaml that deprecates mutable…	Aug 26, 2021
p11_common.ml	p11_common.ml	Fix the release with the new version of OCaml that deprecates mutable…	Aug 26, 2021
p11_crypto.ml	p11_crypto.ml	Display mech number when unknown.	Apr 21, 2015
p11_infos.ml	p11_infos.ml	feature: Add support DSA key pair generation	Feb 17, 2015
p11_objects.ml	p11_objects.ml	Remove deprecated ECDSA symbol	Apr 21, 2015
p11_templates.ml	p11_templates.ml	feature: Add support DSA key pair generation	Feb 17, 2015
ssl.ml	ssl.ml	Fix the release with the new version of OCaml that deprecates mutable…	Aug 26, 2021
ssl.mli	ssl.mli	Initial beta release.	Feb 4, 2015
ssl_stubs.c	ssl_stubs.c	Initial beta release.	Feb 4, 2015

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

opkcs11-tool

Authors

Quickstart - Linux

Quickstart - Windows

Documentation

Examples using SoftHSM (initialized)

About

Releases

Packages

Contributors 3

Languages

License

caml-pkcs11/opkcs11-tool

Folders and files

Latest commit

History

Repository files navigation

opkcs11-tool

Authors

Quickstart - Linux

Quickstart - Windows

Documentation

Examples using SoftHSM (initialized)

About

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Contributors 3

Languages

Packages