Show slot and token info: pkcs11-tool is a command line tool to test functions and perform operations of a PKCS#11 library in Linux. It always requires a local available working P11 module (.so in Linux or .DLL in Windows) and allows various cryptographic action. pkcs11tool is part of the OpenSC package.
PKCS#11 is a standard interface to create symmetric and asymmetric keys and perform cryptographic operations. It is mainly used to access smart card type of key media or Hardware Security Modules (HSM). Today the interface is implemented in many different applications to use hardware cryptography. PKCS#11 based on the PKCS#11 (Cryptoki) specifications. The complete specifications are available at oasis-open.org.
This post is part of #CryptoCorner my contribution to open source cryptography and secure hardware key storage to reduce risks from misunderstood and unsecure implemented key management.
You easily can view the version of a PKCS#11 library e.g the SoftHSM2 library. Replace the name and location of the .so library to your preferred PKCS#11 module:
$ pkcs11-tool --modul /usr/local/lib/softhsm/libsofthsm2.so --show-info -v Cryptoki version 2.40 Manufacturer SoftHSM Library Implementation of PKCS11 (ver 2.6) Using slot 0 with a present token (0x5ddb1f43)
To show a more detailed view on the slots and token use the options “-l -t” that also starts functional test on some cryptographic methods. You need to enter the “User PIN” of the slot to perform the tests.
$ pkcs11-tool --modul /usr/local/lib/softhsm/libsofthsm2.so -l -t Using slot 0 with a present token (0x5ddb1f43) Logging in to "label1". Please enter User PIN: C_SeedRandom() and C_GenerateRandom(): seems to be OK Digests: all 4 digest functions seem to work MD5: OK SHA-1: OK Signatures: not implemented Verify (currently only for RSA) testing key 0 () -- non-RSA, skipping Unwrap: not implemented Decryption (currently only for RSA) testing key 0 () -- non-RSA, skipping No errors
These are the location of some common PKCS#11 libraries you can use:
/usr/local/lib/softhsm/libsofthsm2.so /usr/local/lib/libykcs11.so /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
What are these libraries?
libsofthsm2.so – The PKCS#11 library of SoftHSM2 a popular software defines key store. You need to install or compile SoftHSM2 to get this library.
libykcs11.so – The Yubico PKCS#11 library for all YubiKey token with smart card PIV functionallity. Install and compile Yubico yubico-piv-tool.
opensc-pkcs11.so – The popular OpenSC PKCS#11 library supporting many smart cards and PKI token. Install or compile opensc to use this software interface.
- How to sign data with OpenSSL on an HSM
- First Steps with OpenSSL for signature and encryption
- Full working ECDSA signature with OpenSSL
- SoftHSM2: What crypto mechanisms and ciphers are supported?
- Simple start with Yubico PKCS#11 library
- Export a RSA / ECC public key with OpenSC pkcs11-tool
- SoftHSM2 view slot info and objects on a specific slot
- Generate RSA, ECC and AES keys with OpenSC pkcs11-tool
- Show slot and token info with OpenSC pkcs11-tool
- SoftHSM2 first steps to create slots
- Configuration of OpenSC pkcs11-tool
- S/MIME Zertifikat per OpenSSL erstellen
- EFS Schlüssel per OpenSSL erstellen