How to generate RSA, ECC and AES keys: pkcs11-tool is a command line tool to test functions and perform cryptographic operations using a PKCS#11 library on Linux. It always requires a locally available, working PKCS#11 module (a .so on Linux or a .DLL on Windows) and supports various cryptographic actions. pkcs11-tool is part of the OpenSC package.
This post is part of #CryptoCorner, my contribution to open source cryptography and secure hardware key storage, intended to reduce the risks that come from misunderstood and insecurely implemented key management.
PKCS#11 is a standard interface to create symmetric and asymmetric keys and perform cryptographic operations. It is mainly used to access smart-card-type key media or Hardware Security Modules (HSMs). Today the interface is implemented in many different applications in order to use hardware cryptography. The interface is defined by the PKCS#11 (Cryptoki) specifications; the complete specifications are available at oasis-open.org.
Generate an RSA key on a key media using PKCS#11
Please see my previous and related posts on how to compile a PKCS#11 library and how to configure OpenSC to use this cryptographic module.
To generate a key I am using SoftHSM2 version 2.6.1, which implements Cryptoki 2.40, as the PKCS#11 module, and I generate the key using OpenSC pkcs11-tool:
$ pkcs11-tool --modul /usr/local/lib/softhsm/libsofthsm2.so --login --login-type user --keypairgen --id 1 --key-type rsa:2048
Using slot 0 with a present token (0x57c8fc9e)
Logging in to "label2".
Please enter User PIN:
Key pair generated:
Private Key Object; RSA
  label:
  ID:         01
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:
  ID:         01
  Usage:      encrypt, verify, wrap
In this example I did not use the parameter “--slot 1234567890” to specify a slot, so the key is generated on the first available slot. It is better to select the slot explicitly when you create a key, so the key does not end up on a token you did not intend.
Generate different ECC keys on a key media (smart card, token, HSM, SoftHSM) using PKCS#11
To generate a secp r1 ECC key pair (here secp384r1) use the following command. The key length 384 can be changed according to the curves the module supports.
$ pkcs11-tool --modul /usr/local/lib/softhsm/libsofthsm2.so --login --login-type user --keypairgen --id 1 --key-type EC:secp384r1
Using slot 0 with a present token (0x1e8d7409)
Logging in to "mytoken1".
Please enter User PIN:
Key pair generated:
Private Key Object; EC
  label:
  ID:         01
  Usage:      decrypt, sign, unwrap, derive
Public Key Object; EC  EC_POINT 384 bits
  EC_POINT:   04610473ae22f61b9aafc7435deb2f85deba21b6a61b0e58a3f454141f11ea694d426888cc987fb245b397a3f8b9512c4bfc23139ea74a9c849615c6fc14e1c115ce93b980dc82c91641875623423ef7935ef096567e29aeed855dc1629d60b00fbfd4
  EC_PARAMS:  06052b81040022
  label:
  ID:         01
  Usage:      encrypt, verify, wrap, derive
The following command generates a prime256v1 (secp256r1) key pair; to generate a Koblitz k1 curve, such as secp256k1, pass that curve name as the key type instead, provided the module supports it. Again you can change the key length 256 depending on the key lengths the module supports.
$ pkcs11-tool --modul /usr/local/lib/softhsm/libsofthsm2.so --login --login-type user --keypairgen --id 1 --key-type EC:prime256v1
Using slot 0 with a present token (0x1e8d7409)
Logging in to "mytoken1".
WARNING: user PIN count low
Please enter User PIN:
Key pair generated:
Private Key Object; EC
  label:
  ID:         01
  Usage:      decrypt, sign, unwrap, derive
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   0441041bad6bccac75588be1bf35b7527041e35733346402bf4307b562d4595b84b4dbd8f3afdcfcf0179ffcf1ca54978c6bc8431a14ce7dda14f49eb26f950271694e
  EC_PARAMS:  06082a8648ce3d030107
  label:
  ID:         01
  Usage:      encrypt, verify, wrap, derive
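The curve a token really used is visible only in the EC_PARAMS OID and the EC_POINT length of the output above. As an added example (not code from the original post), the following Python decodes those two attributes from a pkcs11-tool printout and checks that they agree; the two sample strings are the public key attributes printed above, and the small OID table is constructed for this example.

```python
import re

# Curve OIDs for the keys generated on this page plus the Koblitz curve it mentions (table constructed here)
CURVES = {
    "1.3.132.0.34": ("secp384r1", 384),
    "1.2.840.10045.3.1.7": ("prime256v1 (secp256r1)", 256),
    "1.3.132.0.10": ("secp256k1 (Koblitz)", 256),
}

# Public key attributes exactly as pkcs11-tool printed them in the two ECC runs above
P384_OUTPUT = "EC_POINT: 04610473ae22f61b9aafc7435deb2f85deba21b6a61b0e58a3f454141f11ea694d426888cc987fb245b397a3f8b9512c4bfc23139ea74a9c849615c6fc14e1c115ce93b980dc82c91641875623423ef7935ef096567e29aeed855dc1629d60b00fbfd4 EC_PARAMS: 06052b81040022"
P256_OUTPUT = "EC_POINT: 0441041bad6bccac75588be1bf35b7527041e35733346402bf4307b562d4595b84b4dbd8f3afdcfcf0179ffcf1ca54978c6bc8431a14ce7dda14f49eb26f950271694e EC_PARAMS: 06082a8648ce3d030107"

def decode_oid(der_hex):
    # Decode one DER OBJECT IDENTIFIER (tag 0x06, short-form length) into dotted notation
    der = bytes.fromhex(der_hex)
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("EC_PARAMS is not a single DER OID")
    body = der[2:]
    arcs = [body[0] // 40, body[0] % 40]   # the first byte packs the first two arcs
    value = 0
    for b in body[1:]:                      # remaining arcs are base-128, high bit means "continue"
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)

def ec_point_matches(point_hex, bits):
    # pkcs11-tool prints EC_POINT as a DER OCTET STRING wrapping the uncompressed point 04||X||Y
    der = bytes.fromhex(point_hex)
    if len(der) < 3 or der[0] != 0x04 or der[1] != len(der) - 2:
        return False
    inner = der[2:]
    coord = (bits + 7) // 8                 # one coordinate is the field size in bytes
    return inner[0] == 0x04 and len(inner) == 1 + 2 * coord

def describe_ec_key(tool_output):
    # Return (curve name, field bits, EC_POINT consistent with that curve?) for one key pair printout
    params = re.search(r"EC_PARAMS:\s*([0-9a-fA-F]+)", tool_output)
    point = re.search(r"EC_POINT:\s*([0-9a-fA-F]+)", tool_output)
    if not params or not point:
        raise ValueError("no EC_PARAMS/EC_POINT attribute found in output")
    oid = decode_oid(params.group(1))
    name, bits = CURVES.get(oid, ("unknown OID " + oid, 0))
    return name, bits, (bits > 0 and ec_point_matches(point.group(1), bits))
```

Running describe_ec_key on the second printout above reports prime256v1, which is how you notice that the key was not generated on a Koblitz curve.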
Generate an AES key on a smart card or HSM using PKCS#11
The generation of an AES key is quite simple as well. In this example I choose a specific slot on the media using the option “--slot XXXXXXXX”:
$ pkcs11-tool --modul /usr/local/lib/softhsm/libsofthsm2.so --slot 1221758082 --login --login-type user --keygen --id 256 --key-type aes:32
Logging in to "mytoken3".
Please enter User PIN:
Key generated:
Secret Key Object; AES length 32
warning: PKCS11 function C_GetAttributeValue(VALUE) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
  label:
  ID:         0256
  Usage:      encrypt, decrypt, verify, wrap, unwrap
The two relevant options from the pkcs11-tool help output:
  --keygen              Key generation
  --key-type <arg>      Specify the type and length of the key to create, for example rsa:1024 or EC:prime256v1 or GOSTR3410:A
In this example “--id 256” does not specify the AES-256 key length; it just defines an internal ID of the generated key that you can use later to select the key by ID (pkcs11-tool interprets the ID as a hex string, which is why the output shows ID: 0256). The AES key length is defined by aes:32, meaning a key of 32 bytes, i.e. 32×8 bits = 256 bits. To generate an AES-128 key just use “--key-type aes:16”, or to create an AES-192 key use “--key-type aes:24”. The CKR_ATTRIBUTE_SENSITIVE warning in the output above is expected: pkcs11-tool tried to read the key's VALUE attribute and the token refused because the secret key is marked sensitive, which is exactly what you want from a hardware key store.
Where to find working PKCS#11 libraries?
The most common open source libraries are found here:
/usr/local/lib/softhsm/libsofthsm2.so
/usr/local/lib/libykcs11.so
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
libsofthsm2.so – The PKCS#11 library of SoftHSM2, a popular software-defined key store. You need to install or compile SoftHSM2 to get this library.
libykcs11.so – The Yubico PKCS#11 library for all YubiKey tokens with smart card PIV functionality. Install or compile Yubico's yubico-piv-tool to get it.
opensc-pkcs11.so – The popular OpenSC PKCS#11 library supporting many smart cards and PKI tokens. Install or compile OpenSC to use this software interface.