Skip to content
/ opkcs11-tool Public

opkcs11-tool: managing and operating PKCS #11 security tokens in OCaml

License

View license
7 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

caml-pkcs11/opkcs11-tool

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

49 Commits
caml-crush @ 7462012
caml-crush @ 7462012
 
 
m4
m4
 
 
x509
x509
 
 
.gitmodules
.gitmodules
 
 
.travis.yml
.travis.yml
 
 
Dockerfile.debian
Dockerfile.debian
 
 
Dockerfile.ubuntu-trusty
Dockerfile.ubuntu-trusty
 
 
ISSUES.md
ISSUES.md
 
 
LICENSE.txt
LICENSE.txt
 
 
Makefile.Unix.in
Makefile.Unix.in
 
 
Makefile.Win32.VS
Makefile.Win32.VS
 
 
Makefile.Win32.in
Makefile.Win32.in
 
 
README.md
README.md
 
 
WIN32.md
WIN32.md
 
 
autoclean.sh
autoclean.sh
 
 
autogen.sh
autogen.sh
 
 
config.guess
config.guess
 
 
configure.ac
configure.ac
 
 
ecc_helper.ml
ecc_helper.ml
 
 
opkcs11_tool.ml
opkcs11_tool.ml
 
 
p11_common.ml
p11_common.ml
 
 
p11_crypto.ml
p11_crypto.ml
 
 
p11_infos.ml
p11_infos.ml
 
 
p11_objects.ml
p11_objects.ml
 
 
p11_templates.ml
p11_templates.ml
 
 
ssl.ml
ssl.ml
 
 
ssl.mli
ssl.mli
 
 
ssl_stubs.c
ssl_stubs.c
 
 

Repository files navigation

opkcs11-tool

Build Status

This software is a computer program whose purpose is to offer CLI capabilities to administer and use PKCS#11 devices. It is similar to OpenSC's pkcs11-tool but offers a more complete feature set.

Example of CLI capabilities:

  • Use newer encryption schemes:
    • use EC keys
    • support for PSS signature (CKM_RSA_PKCS_PSS)
    • support for OAEP encryption (CKM_RSA_PKCS_OAEP)
  • Manage object creation using template from the CLI:
    • specify key usages, label, id
  • Change attributes from the CLI
  • Search for objects using attributes from the CLI
  • ...

Authors

Quickstart - Linux

Download the sources using GIT:

git clone --recursive https://github.com/caml-pkcs11/opkcs11-tool

Dependencies for a Debian/Ubuntu machine:

sudo apt-get install autoconf make gcc ocaml-nox camlidl coccinelle camlp4

Building:

cd opkcs11-tool
./autogen.sh
./configure
make

Quickstart - Windows

It is possible to compile opkcs11-tool for Windows 32/64. Documentation on how to build for Windows, check the dedicated page.

Documentation

A more complete documentation will be provided at a later time. Please see below for a couple of examples.

Examples using SoftHSM (initialized)

Create a new signature-only RSA key-pair (requires a PIN):

./opkcs11-tool -module /usr/lib/softhsm/libsofthsm.so -l \
-keypairgen -keypairsize 1024 -mech rsa \
-priv-attributes "CKA_TOKEN=TRUE,CKA_SIGN=TRUE,CKA_SIGN_RECOVER=FALSE,CKA_DECRYPT=FALSE,CKA_UNWRAP=FALSE"\
-pub-attributes "CKA_PRIVATE=FALSE,CKA_VERIFY=TRUE,CKA_VERIFY_RECOVER=FALSE,CKA_ENCRYPT=FALSE,CKA_WRAP=FALSE"\
-label sign_key
>Using slot 0.
>Enter PIN:******
>C_GenerateKeyPair ret: cKR_OK

Hash and sign (RSA_PSS) some data using the new key (requires a PIN):

./opkcs11-tool -module /usr/lib/softhsm/libsofthsm.so -l -label sign_key \
-s -mech CKM_SHA256_RSA_PKCS -in /etc/fstab -out /tmp/hash-and-sign-fstab
>Using slot 0.
>Enter PIN:******
>Signed data (in hex): '...'
>Writing data to /tmp/hash-and-sign-fstab

Verify the signed data:

./opkcs11-tool -module /usr/lib/softhsm/libsofthsm.so -label sign_key \
-v -mech CKM_SHA256_RSA_PKCS_PSS -in /etc/fstab -verify /tmp/hash-and-sign-fstab
>Verify operation returned : cKR_OK

dd if=/dev/zero of=/tmp/hash-and-sign-fstab bs=1 count=128
./opkcs11-tool -module /usr/lib/softhsm/libsofthsm.so -label sign_key \
-mech CKM_SHA256_RSA_PKCS_PSS -in /etc/fstab -verify /tmp/hash-and-sign-fstab
>Fatal error: exception Failure("cKR_SIGNATURE_INVALID")

About

opkcs11-tool: managing and operating PKCS #11 security tokens in OCaml

Resources

Readme

License

View license
Activity
Custom properties

Stars

7 stars

Watchers

9 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages