OpenSC pkcs11-tool PKCS#11

Generate RSA, ECC and AES keys with OpenSC pkcs11-tool

How to generate RSA, ECC and AES keys: pkcs11-tool is a command line tool to test functions and perform crypto operations using a PKCS#11 library in Linux. It always requires a local available working P11 module (.so in Linux or .DLL in Windows) and allows various cryptographic action. pkcs11tool is part of the OpenSC package.

This post is part of #CryptoCorner my contribution to open source cryptography and secure hardware key storage to reduce risks from misunderstood and unsecure implemented key management.

PKCS#11 is a standard interface to create symmetric and asymmetric keys and perform cryptographic operations. It is mainly used to access smart card type of key media or Hardware Security Modules (HSM). Today the interface is implemented in many different applications to use hardware cryptography. PKCS#11 based on the PKCS#11 (Cryptoki) specifications. The complete specifications are available at oasis-open.org.

Generate a RSA key on a key media using PKCS#11

Please see my previous and related posts how to compile a PKCS#11 library and configure OpenSC to use this cryptographic module.

To generate a key I am using SoftHSM2 version 2.6.1 with Cryptoki 2.40 implementation of PKCS11 as the PKCS#11 module and generate the key using OpenSC pkcs11-tool

$ pkcs11-tool --modul /usr/local/lib/softhsm/libsofthsm2.so --login --login-type user --keypairgen --id 1 --key-type rsa:2048

Using slot 0 with a present token (0x57c8fc9e)
Logging in to "label2".
Please enter User PIN:
Key pair generated:
Private Key Object; RSA
  label:
  ID:         01
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:
  ID:         01
  Usage:      encrypt, verify, wrap

In this example I did not use the parameter „–slot 1234567890“ to specify a slot, so the key is generated on the first available slot. Better you select the slot when you create a key.

Generate different ECC keys on a key media (smart card, token, HSM, SoftHSM) using PKCS#11

To generate a SECP r1 ECC key pair use the following command. The key length 384 can be changed according to the available ciphers.

$ pkcs11-tool --modul /usr/local/lib/softhsm/libsofthsm2.so --login --login-type user --keypairgen --id 1 --key-type EC:secp384r1

Using slot 0 with a present token (0x1e8d7409)
Logging in to "mytoken1".
Please enter User PIN:
Key pair generated:
Private Key Object; EC
label:
ID: 01
Usage: decrypt, sign, unwrap, derive
Public Key Object; EC EC_POINT 384 bits
EC_POINT: 04610473ae22f61b9aafc7435deb2f85deba21b6a61b0e58a3f454141f11ea694d426888cc987fb245b397a3f8b9512c4bfc23139ea74a9c849615c6fc14e1c115ce93b980dc82c91641875623423ef7935ef096567e29aeed855dc1629d60b00fbfd4
EC_PARAMS: 06052b81040022
label:
ID: 01
Usage: encrypt, verify, wrap, derive

If you want to generate a Koblitz k1 curve use the following command. Again you can change the key length 256 depending on the module supported key lengths.

$ pkcs11-tool --modul /usr/local/lib/softhsm/libsofthsm2.so --login --login-type user --keypairgen --id 1 --key-type EC:prime256v1
Using slot 0 with a present token (0x1e8d7409)
Logging in to "mytoken1".
WARNING: user PIN count low
Please enter User PIN:
Key pair generated:
Private Key Object; EC
label:
ID: 01
Usage: decrypt, sign, unwrap, derive
Public Key Object; EC EC_POINT 256 bits
EC_POINT: 0441041bad6bccac75588be1bf35b7527041e35733346402bf4307b562d4595b84b4dbd8f3afdcfcf0179ffcf1ca54978c6bc8431a14ce7dda14f49eb26f950271694e
EC_PARAMS: 06082a8648ce3d030107
label:
ID: 01
Usage: encrypt, verify, wrap, derive

Generate an AES key on smart card or HSM using PKCS#11

The generation of a AES key is quite simple as well. In this example I choose a specific slot on the media using option „–slot XXXXXXXX“:

$ pkcs11-tool --modul /usr/local/lib/softhsm/libsofthsm2.so --slot 1221758082 --login --login-type user --keygen --id 256 --key-type aes:32
 
Logging in to "mytoken3".
Please enter User PIN:
Key generated:
Secret Key Object; AES length 32
warning: PKCS11 function C_GetAttributeValue(VALUE) failed: rv = CKR_ATTRIBUTE_SENSITIVE (0x11)
 
  label:
  ID:         0256
  Usage:      encrypt, decrypt, verify, wrap, unwrap
 
     --keygen                  Key generation
      --key-type <arg>          Specify the type and length of the key to create, for example rsa:1024 or EC:prime256v1 or GOSTR3410:A

In this example the „–id 256“ does not specify the AES-256 key length, it just defines an intern ID of the generated to you can use later to specify the key by ID. The AES key length is defined by aes:32 defining an AES length of 32 bytes equal to 32×8 bit = 256 bit. To generate a AES-128 bit key just use „–key-type aes-16“ or to create a AES-192 key use „–key-type aes:24“.

Where to find working PKCS#11 libraries?

The most common open source libraries are found here:

/usr/local/lib/softhsm/libsofthsm2.so
/usr/local/lib/libykcs11.so
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

libsofthsm2.so – The PKCS#11 library of SoftHSM2 a popular software defines key store. You need to install or compile SoftHSM2 to get this library.

libykcs11.so – The Yubico PKCS#11 library for all YubiKey token with smart card PIV functionallity. Install and compile Yubico yubico-piv-tool.

opensc-pkcs11.so – The popular OpenSC PKCS#11 library supporting many smart cards and PKI token. Install or compile opensc to use this software interface.

Related Posts

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.