{"id":15048923,"url":"https://github.com/mastercard/pkcs11-tools","last_synced_at":"2025-04-06T04:09:40.061Z","repository":{"id":41450012,"uuid":"160555428","full_name":"Mastercard/pkcs11-tools","owner":"Mastercard","description":"A set of tools to manage objects on PKCS#11 cryptographic tokens. Compatible with many PKCS#11 library, including major HSM brands, NSS and softoken.","archived":false,"fork":false,"pushed_at":"2024-06-05T13:28:04.000Z","size":2084,"stargazers_count":175,"open_issues_count":1,"forks_count":36,"subscribers_count":17,"default_branch":"master","last_synced_at":"2025-04-06T04:09:29.178Z","etag":null,"topics":["aix","bsd","c-language","certificate","keymanagment","linux","macos","nss","oaep","pkcs","pkcs11","rfc3394","rfc5649","solaris","windows","x509"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Mastercard.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"docs/CONTRIBUTING.md","funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-12-05T17:38:24.000Z","updated_at":"2025-03-29T11:35:25.000Z","dependencies_parsed_at":"2024-01-30T11:29:29.743Z","dependency_job_id":"a12aa92c-4d45-4bbe-90e4-1e211e796cb3","html_url":"https://github.com/Mastercard/pkcs11-tools","commit_stats":{"total_commits":175,"total_committers":5,"mean_commits":35.0,"dds":0.1885714285714286,"last_synced_commit":"b7e04f45ab81f39a3f9219061a2e0342d8251023"},"previous_names":[],"tags_count":23,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mastercard%2Fpkcs11-tools","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mastercard%2Fpkcs11-tools/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mastercard%2Fpkcs11-tools/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mastercard%2Fpkcs11-tools/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Mastercard","download_url":"https://codeload.github.com/Mastercard/pkcs11-tools/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247430869,"owners_count":20937874,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aix","bsd","c-language","certificate","keymanagment","linux","macos","nss","oaep","pkcs","pkcs11","rfc3394","rfc5649","solaris","windows","x509"],"created_at":"2024-09-24T21:17:11.201Z","updated_at":"2025-04-06T04:09:40.031Z","avatar_url":"https://github.com/Mastercard.png","language":"C","readme":"# PKCS\\#11 tools\n\npkcs11-tools is a toolkit containing a bunch of small utilities to perform key management tasks on cryptographic tokens\nimplementing a PKCS\\#11 interface. It features a number of commands similar to the unix CLI utilities, such as `ls`\n, `mv`, `rm`, `od`, and `more`. It also has specific commands to generate keys, generate CSRs, import certificates and\nother files, in a fashion compatible with most implementations, including both IBM and Oracle JVMs. It is also able to\ninterface with NSS libraries from [mozilla.org](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS).\n\nSome features:\n\n- support for DES, 3DES, AES, HMAC, RSA, DSA, DH, Elliptic curves (NIST curves, Edwards curves)\n- generation of PKCS\\#10 (CSR) and self-signed certificates\n- import of certificates, public keys, data files\n- support for wrapping and unwrapping keys, for both symmetric and asymmetric keys\n- support for templates during key creation, public key import, key wrapping and key unwrapping\n- support for session key generation and direct wrapping under one or several keys, in a single command\n- support for key rewrapping (i.e. key unwrapping and key wrapping)\n\n## News\n### July 2023\nVersion 2.6 brings support for the AWS CloudHSM platform, library version 5.9.\nLimitations are:\n - Certificates are not supported by the platform, therefore any command handling certificates will fail\n - Changing attributes values is not supported by the platform; several commands rely on that capability to adjust `CKA_ID` accross objects. These commands may occasionally report an error when executed; key material is usually created.\n - For the same reason, `p11mv` and `p11setattr` will not operate on this platform.\n - The platform does not allow for duplicate `CKA_ID` attributes, which occasionally brings issues when generating key material. This will be adjusted in a later release.\n - `p11od` command will not work, due to the way CloudHSM handles attributes.\n - When using wrapped key files, `CKA_SIGN_RECOVER` and `CKA_VERIFY_RECOVER` are not supported, and should be commented out.\n - Wrap and unwrap templates are not supported by this platform. These should also be commented out in wrapped key files.\nAWS CloudHSM support is disabled by default; please refer to [installation instructions](docs/INSTALL.md) for more details.\n\n### June 2023\nVersion 2.6, introduces support for JWK - JOSE Web Key output (RFC 7517) on the `p11keygen`, `p11wrap`, and `p11rewrap`\ncommands. The JWK format is not supported for importing keys.\n\n### October 2021\n\nVersion 2.5, that brings support for `CKA_ALLOWED_MECHANISMS`, on many key management commands: `p11keygen`, `p11wrap`\n, `p11unwrap`, `p11rewrap`, `p11od`, `p11ls`. Note that the wrapped key grammar has changed; the grammar version number\nhas been incremented to `2.2`.\n\n### July 2021\n\nVersion 2.4, to support templates in many commands: `p11keygen`, `p11importpubk`, `p11wrap`, `p11unwrap`, `p11od`\n, `p11ls`. Keys created with a template can be wrapped, the template attributes will be carried. Note that the wrapped\nkey grammar has changed, and the grammar version number has been incremented to `2.1`.\n\n### April 2021\n\nVersion 2.3, that adds extra options to p11kcv, so that tokens not supporting NULL-length HMAC computation can be also\nsupported.\n\n### March 2021\n\nVersion 2.2 is slightly changing the layout of `p11slotinfo`. Edwards Curve support enhanced. The toolkit is also\nadapted to be packaged as a [FreeBSD port](https://www.freshports.org/security/pkcs11-tools/).\n\n### January 2021\n\nVersion 2.1 brings support for Edwards Curve.\n\n### December 2020\n\nThe toolkit has reached v2.0. It features several major changes:\n\n- it supports (and requires) OpenSSL v1.1.1+\n- signing commands (`p11mkcert`, `p11req` and `masqreq`) implement OpenSSL algorithm methods. This will enable\n supporting more algorithms in the future.\n- major overhaul of the wrapping/unwrapping system: it is now possible to perform double wrapping (aka envelope\n wrapping) with a single command, in a secure fashion\n- `p11keygen` can now generate a session key and wrap it under one or several wrapping keys\n- a new command, `p11rewrap`, allows to unwrap a key and immediately rewrap in under one or several wrapping keys, in a\n secure fashion.\n\n## Introduction\n\nEnsure the prerequisites listed in the [Install Document](https://github.com/Mastercard/pkcs11-tools/blob/master/docs/INSTALL.md) are installed before proceeding\n\nTo build the source code, simply execute (with appropriate privileges)\n\n```bash\n$ ./bootstrap.sh\n$ ./configure\n$ make install\n```\n\nTo list the methods available on a PKCS#11 token, use `p11slotinfo`, that will return the list of available mechanisms,\ntogether with allowed APIs.\n\n```bash\n$ using PKCS11LIB at /opt/softhsm2-devel/lib/softhsm/libsofthsm2.so\nPKCS#11 Library\n---------------\nName : /opt/softhsm2-devel/lib/softhsm/libsofthsm2.so\nLib version : 2.6\nAPI version : 2.40\nDescription : Implementation of PKCS11\nManufacturer: SoftHSM\n\nPKCS#11 module slot list:\nSlot index: 0\n----------------\nDescription : SoftHSM slot ID 0x4fbfdc13\nToken Label : token1\nManufacturer: SoftHSM project\n\n\nEnter slot index: 0\n\nSlot[0]\n-------------\nSlot Number : 1337973779\nDescription : SoftHSM slot ID 0x4fbfdc13\nManufacturer: SoftHSM project\nSlot Flags : [ CKF_TOKEN_PRESENT ]\n\nToken\n-------------\nLabel : first token\nManufacturer: SoftHSM project\n\nToken Flags : [ CKF_RNG CKF_LOGIN_REQUIRED CKF_USER_PIN_INITIALIZED CKF_RESTORE_KEY_NOT_NEEDED CKF_TOKEN_INITIALIZED ]\n\nMechanisms:\n-----------\nCKM_MD5 --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000210)\nCKM_SHA_1 --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000220)\nCKM_SHA224 --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000255)\nCKM_SHA256 --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000250)\nCKM_SHA384 --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000260)\nCKM_SHA512 --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000270)\nCKM_MD5_HMAC --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000211)\nCKM_SHA_1_HMAC --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000221)\nCKM_SHA224_HMAC --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000256)\nCKM_SHA256_HMAC --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000251)\nCKM_SHA384_HMAC --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000261)\nCKM_SHA512_HMAC --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000271)\nCKM_RSA_PKCS_KEY_PAIR_GEN --- --- --- --- --- --- --- --- gkp --- --- --- SW (00000000)\nCKM_RSA_PKCS enc dec --- sig --- vfy --- --- --- wra unw --- SW (00000001)\n...\n```\n\nTo list the objects sitting on the token at slot with index 0, use `p11ls`. objects are listed together with their\nattributes;\n\n```bash\n$ p11ls -l /usr/local/opt/softhsm/lib/softhsm/libsofthsm2.so -s 0\n\nEnter passphrase for token: ******\n\nseck/des-double tok,prv,r/w,loc,enc,dec,sen,ase,nxt,des(128)\npubk/rsa tok,pub,r/w,loc,vfy,rsa(2048)\nseck/des-simple tok,prv,r/w,loc,enc,dec,sen,ase,nxt,des(64)\nseck/aes-wrapping tok,prv,r/w,imp,wra,unw,sen,NAS,WXT,aes\npubk/dh tok,pub,r/w,loc,enc,vre,wra,dh(2048)\npubk/rsa-wrapping tok,pub,r/w,loc,wra,rsa(2048)\nprvk/rsa-disclosed tok,prv,r/w,loc,sig,NSE,NAS,XTR,WXT,rsa(2048)\nprvk/rsa-wrapping tok,prv,r/w,loc,unw,sen,ase,nxt,rsa(2048)\nseck/aes-128 tok,prv,r/w,loc,enc,dec,sen,ase,nxt,aes(128)\nseck/aes-256 tok,prv,r/w,loc,wra,unw,sen,ase,nxt,aes(256)\nprvk/rsa tok,prv,r/w,loc,sig,sen,ase,nxt,rsa(2048)\npubk/rsa-disclosed tok,pub,r/w,loc,vfy,rsa(2048)\nprvk/dh tok,prv,r/w,loc,dec,sir,unw,sen,ase,nxt,dh(2048)\nseck/des-triple tok,prv,r/w,loc,enc,dec,sen,ase,nxt,des(192)\nprvk/dsa tok,prv,r/w,loc,dec,sig,sir,unw,sen,ase,nxt,dsa(2048)\npubk/dsa tok,pub,r/w,loc,enc,vfy,vre,wra,dsa(2048)\ndata/dsaparam tok,prv,\nseck/hmac-256 tok,prv,r/w,loc,sig,vfy,sen,ase,nxt,generic\ndata/dhparam tok,prv,\n```\n\nTo avoid specifying command line arguments, environment variables can be specified for the following items:\n\n|optional arg|description |environment variable|\n|------------|-----------------------------------|--------------------|\n| `-l` |path to library |`PKCS11LIB` |\n| `-m` |path to NSS keystore (for NSS only)|`PKCS11NSSDIR` |\n| `-s` |slot index number |`PKCS11SLOT` |\n| `-t` |token name |`PKCS11TOKEN` |\n| `-p` |token password |`PKCS11PASSWORD` |\n\nTo extract the value of a non-sensitive object, use `p11cat`:\n\n```bash\n$ p11cat pubk/rsa\n-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2zd+HKrd1u7TBMfvlpO2\n1eT8uoY+aLw6/yT9treLk67czyA6XQ8NMtspacgxLXbC0XbaObGJDOswFN2o+zjA\nhgKkBY6mEZKO3dzmqtQupQvxybyrj0pg0e+YoZe34rIjVvCdJ9T48etvCyrDZata\nXYMw9pT2JvlJQG2ddPVjR83tGNayGYWmz5L0JwDLlb0NwJTJItIaabseIKHqQOzN\ntSgeLsOmy08aqSq87WKEAilXrxcv8mWl/gbu18Chu4z7KJ76dWHnJfXzIMJCNNxf\nHjhvKZx6bFMEi/gI9gCkUekO+6clrEjSxWzgnC8IDZCLGAvNBZ0pKBW9yEuayPiX\nrQIDAQAB\n-----END PUBLIC KEY-----\n```\n\nTo see an object's value, use `p11more`:\n\n```bash\n$ p11more cert/rootca\nCertificate:\n\tData:\n\t\tVersion: 3 (0x2)\n\t\tSerial Number: 2933735351 (0xaedd3fb7)\n\tSignature Algorithm: sha256WithRSAEncryption\n\t\tIssuer: C=BE, O=Dummy CA Inc., CN=Dummy Root CA G1\n\t\tValidity\n\t\t\tNot Before: Sep 28 08:10:48 2018 GMT\n\t\t\tNot After : Sep 28 08:10:48 2028 GMT\n\t\tSubject: C=BE, O=Dummy CA Inc., CN=Dummy Root CA G1\n\t\tSubject Public Key Info:\n\t\t\tPublic Key Algorithm: rsaEncryption\n\t\t\t\tPublic-Key: (2048 bit)\n\t\t\t\tModulus:\n\t\t\t\t\t00:a9:a6:a5:99:d0:3e:0e:00:c1:f7:df:9f:9c:92:\n\t\t\t\t\t40:ac:67:d3:77:e0:d5:6d:eb:a0:5c:29:12:ad:57:\n\t\t\t\t\ta3:23:9a:27:03:cb:dc:62:43:c3:04:a8:e8:a3:ab:\n...\n```\n\nMoreover, `p11od`can be used to extract all attribute values from an object:\n\n```bash\n$ p11od pubk/dh\npubk/dh:\n CKA_CLASS:\n 0000 02 00 00 00 00 00 00 00 CKO_PUBLIC_KEY\n CKA_TOKEN:\n 0000 01 CK_TRUE\n CKA_PRIVATE:\n 0000 00 CK_FALSE\n CKA_LABEL:\n 0000 64 68 dh\n CKA_VALUE:\n 0000 7e cc a1 d2 c2 e7 90 b9 fa 68 fc ae 49 46 2e 0f ~........h..IF..\n 0010 62 1e 2c 69 2e 94 f2 eb 46 63 d7 fd 57 1f 5d 02 b.,i....Fc..W.].\n 0020 30 f4 3b 48 44 0c eb d7 7e 83 d5 26 7c 7a a3 f5 0.;HD...~..\u0026|z..\n...\n```\n\nGenerating a key is easy: just use `p11keygen` with the proper arguments.\n\n```bash\n$ p11keygen -k ec -q prime256v1 -i my-ec-key sign=true verify=true\nGenerating, please wait...\nkey generation succeeded\n```\n\nLikewise, `p11req` is used to generate a CSR.\n\n```bash\n$ p11req -i my-ec-key -d '/CN=my.site.org/O=My organization/C=BE' -e 'DNS:another-url-for-my.site.org' -v\nCertificate Request:\n\tData:\n\t\tVersion: 0 (0x0)\n\t\tSubject: C=BE, O=My organization, CN=my.site.org\n\t\tSubject Public Key Info:\n\t\t\tPublic Key Algorithm: id-ecPublicKey\n\t\t\t\tPublic-Key: (256 bit)\n\t\t\t\tpub:\n\t\t\t\t\t04:3f:56:11:f8:38:c7:f0:c1:87:a4:75:1a:ca:2e:\n\t\t\t\t\t46:38:9e:6a:79:3a:3e:a5:90:54:48:be:81:18:c6:\n\t\t\t\t\tf3:1c:92:8b:72:35:cd:e3:32:8c:40:a4:d4:e7:33:\n\t\t\t\t\t50:13:34:4a:87:e0:8c:17:77:39:ed:ef:de:d3:1a:\n\t\t\t\t\t26:b3:11:87:13\n\t\t\t\tASN1 OID: prime256v1\n\t\t\t\tNIST CURVE: P-256\n\t\tAttributes:\n\t\tRequested Extensions:\n\t\t\tX509v3 Subject Alternative Name:\n\t\t\t\tDNS:another-url-for-my.site.org\n\tSignature Algorithm: ecdsa-with-SHA256\n\t\t 30:45:02:21:00:e8:b7:c0:49:bc:77:8d:94:29:18:66:8f:9d:\n\t\t 6a:62:cd:f0:84:46:89:73:93:11:d8:67:98:95:12:1c:53:f7:\n\t\t 5f:02:20:4a:b6:98:fd:66:be:7c:7f:d1:02:07:d0:5b:dc:8b:\n\t\t fd:3f:89:f0:ed:03:ec:2e:a4:1c:72:a2:21:22:9f:a5:7d\n-----BEGIN CERTIFICATE REQUEST-----\nMIIBMTCB2AIBADA9MQswCQYDVQQGEwJCRTEYMBYGA1UECgwPTXkgb3JnYW5pemF0\naW9uMRQwEgYDVQQDDAtteS5zaXRlLm9yZzBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABD9WEfg4x/DBh6R1GsouRjieank6PqWQVEi+gRjG8xySi3I1zeMyjECk1Ocz\nUBM0SofgjBd3Oe3v3tMaJrMRhxOgOTA3BgkqhkiG9w0BCQ4xKjAoMCYGA1UdEQQf\nMB2CG2Fub3RoZXItdXJsLWZvci1teS5zaXRlLm9yZzAKBggqhkjOPQQDAgNIADBF\nAiEA6LfASbx3jZQpGGaPnWpizfCERolzkxHYZ5iVEhxT918CIEq2mP1mvnx/0QIH\n0Fvci/0/ifDtA+wupBxyoiEin6V9\n-----END CERTIFICATE REQUEST-----\n```\n\nLater, `p11importcert` can be used to import the certificate back to the keystore. Public keys can be imported\nusing `p11importpubk`, and data files with `p11importdata`.\n\nIf you need to wrap or unwrap a key, you can use the command `p11wrap`:\n\n```bash\n$ p11wrap -w aes-wrapping -i rootca -a cbcpad \u003ewrapped-key.wrap\nkey wrapping succeeded\n```\n\nThe key can be unwrapped later, reusing the `wrapped-key.wrap` file created earlier:\n\n```bash\n$ p11unwrap -f wrapped-key.wrap\nkey unwrapping succeeded\n```\n\n## Installation\n\nThe project can compile on many platforms, including Linux, AIX, Solaris. Using cross-compilers, it is also possible to\ncompile for the Windows platform. Compilation under macOS requires [brew](https://brew.sh/). Please refer\nto [docs/INSTALL.md](docs/INSTALL.md) for installation instructions.\n\n## Manual\n\nPlease refer to [docs/MANUAL.md](docs/MANUAL.md) for instructions / how-to guide.\n\n## Contributing\n\nIf you wish to contribute to this project, please refer to the rules in [docs/CONTRIBUTING.md](docs/CONTRIBUTING.md).\n\nContributors:\n - Georg Lippold (Mastercard, https://www.mastercard.com) - JWK output, GitHub build \u0026 CodeQL integration\n\n## Author\n\nEric Devolder (Mastercard, https://www.mastercard.com)\n\n## Licensing terms\n\nExcept when specified differently in source files, the following license apply:\n\n---------------\nCopyright (c) 2018 Mastercard\n\nLicensed under the Apache License, Version 2.0 (the \"License\"); you may not use this file except in compliance with the\nLicense. You may obtain a copy of the License at\n\nhttp://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software distributed under the License is distributed on an \"\nAS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific\nlanguage governing permissions and limitations under the License.\n\n-----\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmastercard%2Fpkcs11-tools","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmastercard%2Fpkcs11-tools","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmastercard%2Fpkcs11-tools/lists"}