OpenSC pkcs11-tool PKCS#11

Show slot and token info with OpenSC pkcs11-tool

pkcs11-tool is a command-line tool for testing the functions of a PKCS#11 library and performing operations with it on Linux. It always requires a working, locally available PKCS#11 module (.so on Linux or .DLL on Windows) and supports various cryptographic operations. pkcs11-tool is part of the OpenSC package.

PKCS#11 is a standard interface for creating symmetric and asymmetric keys and performing cryptographic operations. It is mainly used to access smart-card-type key media or Hardware Security Modules (HSMs). Today the interface is implemented in many different applications to use hardware cryptography. The interface is defined by the PKCS#11 (Cryptoki) specifications. The complete specifications are available at oasis-open.org.

This post is part of #CryptoCorner, my contribution to open source cryptography and secure hardware key storage, intended to reduce the risks from misunderstood and insecurely implemented key management.

You can easily view the version of a PKCS#11 library, e.g. the SoftHSM2 library. Replace the name and location of the .so library with those of your preferred PKCS#11 module:

$ pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so --show-info -v

Cryptoki version 2.40
Manufacturer     SoftHSM
Library          Implementation of PKCS11 (ver 2.6)
Using slot 0 with a present token (0x5ddb1f43)

To show a more detailed view of the slots and tokens, use the options “-l -t”, which also start functional tests of some cryptographic methods. You need to enter the “User PIN” of the slot to perform the tests.

$ pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l -t
 
Using slot 0 with a present token (0x5ddb1f43)
Logging in to "label1".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
Signatures: not implemented
Verify (currently only for RSA)
  testing key 0 () -- non-RSA, skipping
Unwrap: not implemented
Decryption (currently only for RSA)
  testing key 0 ()  -- non-RSA, skipping
No errors
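
The closing "No errors" line in the output above does not mean every function was exercised: signatures and unwrap were reported as not implemented, and the verify and decryption tests skipped the only key. The following added example (not part of the original post or of OpenSC) summarizes such output so that partial runs stand out; the function names are hypothetical and the sample input is the output shown above.

```sh
# Added example (not from the original post or OpenSC).
# Constructed input: the `-l -t` output shown above, copied verbatim.
sample_output() {
cat <<'EOF'
Using slot 0 with a present token (0x5ddb1f43)
Logging in to "label1".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
Signatures: not implemented
Verify (currently only for RSA)
  testing key 0 () -- non-RSA, skipping
Unwrap: not implemented
Decryption (currently only for RSA)
  testing key 0 ()  -- non-RSA, skipping
No errors
EOF
}

# Read test output on stdin and print one summary line:
#   ok=<n> skipped=<n> not_implemented=<n> verdict=<text>
summarize_p11_test() {
    awk '
        /not implemented/ { ni++; next }
        /skipping/        { skip++; next }
        /OK$/             { ok++; next }
        /^No errors/      { clean = 1 }
        END {
            verdict = clean ? "no-errors" : "errors-or-incomplete"
            if (clean && ni + skip > 0) verdict = "no-errors-but-partial"
            printf "ok=%d skipped=%d not_implemented=%d verdict=%s\n",
                   ok, skip, ni, verdict
        }'
}

# Succeeds only if the run ended with "No errors" and nothing was skipped.
p11_test_fully_exercised() {
    summarize_p11_test | grep -q 'verdict=no-errors$'
}

sample_output | summarize_p11_test
# → ok=3 skipped=2 not_implemented=2 verdict=no-errors-but-partial
```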

These are the locations of some common PKCS#11 libraries you can use:

/usr/local/lib/softhsm/libsofthsm2.so
/usr/local/lib/libykcs11.so
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

What are these libraries?

libsofthsm2.so – The PKCS#11 library of SoftHSM2, a popular software-defined key store. You need to install or compile SoftHSM2 to get this library.

libykcs11.so – The Yubico PKCS#11 library for all YubiKey tokens with smart card PIV functionality. Install and compile Yubico's yubico-piv-tool.

opensc-pkcs11.so – The popular OpenSC PKCS#11 library, supporting many smart cards and PKI tokens. Install or compile OpenSC to use this software interface.
