P11NG CLI
The CLI tool p11ng-tool provides actions for querying, removing, and creating objects(keys) in an HSM slot in addition to signing sample text with existing wrapped key.
The tool is provided for troubleshooting purposes and the API is likely to change in future versions.
Run p11ng-tool from SIGNSERVER_HOME using the following command:
bin/p11ng-tool
CODE
Usage
p11ng-tool [options]
P11NG commands
-action <arg> Operation to perform. Any of: [listSlots,
showInfo, listObjects, listKeyStoreEntries,
generateKey, generateAndWrapKeyPair,
unwrapAndSign, deleteKeyStoreEntryByAlias,
deleteObjects, generateKeyPair,
signPerformanceTest, unwrapPerformanceTest]
-alias <arg> Key alias
-attributes_file <arg> Path of file containing attributes to be used
while generating key pair
-libfile <arg> Shared library path
-method <arg> Method to use, either pkcs11 (default) or
provider
-nocertificateobject Don't create a certificate object when
generating a key. Default is to generate a
certificate object
-object <arg> Object ID (decimal)
-pin <arg> User PIN
-plaintext <arg> text string to sign
-privatekey <arg> base64 encoded encrypted (wrapped) private
key
-publickey <arg> base64 encoded public key
-selfcert Generate a self-signed certificate for the
new key-pair
-selfsigneddn <arg> Distinguished Name (DN) to use as issuer and
subject DN in the self-signed certificate
instead of the default one.
-signaturealgorithm <arg> For sign-/unwrapPerformanceTest: Signature algorithm
to use (default: SHA256withRSA)
-slot <arg> Slot ID to operate on
-threads <arg> For sign-/unwrapPerformanceTest: Number of stresstest
threads to run (default: 1)
-timelimit <arg> For sign-/unwrapPerformanceTest: Optional. Only run
for the specified time (in milliseconds).
-unwrapkey <arg> Label of key to unwrap with
-use_cache <arg> For sign-/unwrapPerformanceTest: Whether key objects
are fetched from cache instead of HSM token
(default: true)
-warmuptime <arg> For sign-/unwrapPerformanceTest: Don't count number
of signings and response times until after
this time (in milliseconds). Default=0 (no
warmup time).
-wrapkey <arg> Label of key to wrap with
Sample usages:
a) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action
listSlots
b) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action
showInfo
c) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action
listObjects -slot 0 -pin foo123
d) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action
generateKey -slot 0 -pin foo123 -alias wrapkey1
e) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action
generateKeyPair -slot 0 -pin foo123 -alias myprivkey
f) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action
generateKeyPair -slot 0 -pin foo123 -alias myprivkey -attributes_file
/home/user/attribute_file.properties
g) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action
deleteObjects -slot 0 -pin foo123 -object 4
h) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action
deleteObjects -slot 0 -pin foo123 -object 4 -object 5
i) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action
deleteKeyStoreEntryByAlias -slot 0 -alias mykey1
j) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action
listKeyStoreEntries -slot 0 -pin foo123
k) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action
generateAndWrapKeyPair -slot 0 -pin foo123 -wrapkey wrapkey1 -selfcert
-alias wrappedprivkey
l) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action
signPerformanceTest -slot 0 -pin foo123 -alias mykey1 -warmuptime 10000
-timelimit 100000 -threads 10
m) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action
unwrapPerformanceTest -slot 0 -pin foo123 -wrapkey wrapkey1 -warmuptime
10000 -timelimit 100000 -threads 10
CODE