Whenever you need to work with SoftHSM2 there is a need to view all your configured slots and the objects saved on these slots. As softhsm2-util is not very well documented I decided to support the cryptographic community by offering working usage examples of the main tool of SoftHSM2. This post will show how to view all SoftHSM slots and examine all objects on a specific SoftHSM slots. This working examples are based on version 2.6.1 and can be downloaded from OpenDNSSEC website.
List all SoftHSM2 slots
After installation of SoftHSM2 and once you created a few slots you can check your slot configuration with softhsm2-util and its option “–show-slots”
$ softhsm2-util --show-slots Available slots: Slot 1472789662 Slot info: Description: SoftHSM slot ID 0x57c8fc9e Manufacturer ID: SoftHSM project Hardware version: 2.6 Firmware version: 2.6 Token present: yes Token info: Manufacturer ID: SoftHSM project Model: SoftHSM v2 Hardware version: 2.6 Firmware version: 2.6 Serial number: 8db107a857c8fc9e Initialized: yes User PIN init.: yes Label: label2 Slot 1574641475 Slot info: Description: SoftHSM slot ID 0x5ddb1f43 Manufacturer ID: SoftHSM project Hardware version: 2.6 Firmware version: 2.6 Token present: yes Token info: Manufacturer ID: SoftHSM project Model: SoftHSM v2 Hardware version: 2.6 Firmware version: 2.6 Serial number: 3963656edddb1f43 Initialized: yes User PIN init.: yes Label: label1 Slot 2 Slot info: Description: SoftHSM slot ID 0x2 Manufacturer ID: SoftHSM project Hardware version: 2.6 Firmware version: 2.6 Token present: yes Token info: Manufacturer ID: SoftHSM project Model: SoftHSM v2 Hardware version: 2.6 Firmware version: 2.6 Serial number: Initialized: no User PIN init.: no Label:
In this demo installation you see two initalized slots (Slot 1472789662 and Slot 1574641475) which may or may not hold keys already. You always will see at least one present token which is not initialized. After initializing two slots (0 and 1) this will be “Slot 2”. You can not use slot 2 unless you initialize it.
Examine all objects on a SoftHSM2 slot
The examination of the object on a SoftHSM2 slot is not possible with softhsm2-util, but you can use OpenSC pkcs11-tool to do so.
$ pkcs11-tool --modul /usr/local/lib/softhsm/libsofthsm2.so -l -O --slot 1574641475 Logging in to "label1". Please enter User PIN: Private Key Object; EC label: ID: 01 Usage: decrypt, sign, unwrap, derive Public Key Object; EC EC_POINT 384 bits EC_POINT: 04610436344cfd3f0c9216bc823fe243b8363736bd6b00c4109b2bcb276850e46fea3e3e93b45a533061b66f3a8999498cc20fbee58e650dcdd1cac745343b79d3eefd581d568a18f9230de61e23732b17e1e11bd4b9ba1ae6daae854139518309d350 EC_PARAMS: 06052b81040022 label: ID: 01 Usage: encrypt, verify, wrap, derive Read PubKey (RSA slot)
In this example there are two key objects on the SoftHSM2 slot 1574641475. The first object with is 01 doesn’t have a label, but theID 01. It is the private key of a 384-bit ECC key. Unluckily I can not identify which ECC curve it is, but as I recently created the key I know it is a SECP384r1 key.
The second object is the public key corresponding to the private key above. Again this object does not have a label but it has an ID of 01. This same ID 01 possible as keys are always referred by their key type (private or public) first before referring their ID.
For the public key it is possible to export this object, the private key can not be exported using the tool. For SoftHSM2 this is not an big deal, as you easily can backup the SoftHSM2 database or storage files.
I will show some examples how to export the generated public key in another related post.
Related Posts
- How to sign data with OpenSSL on an HSM
- First Steps with OpenSSL for signature and encryption
- Full working ECDSA signature with OpenSSL
- SoftHSM2: What crypto mechanisms and ciphers are supported?
- Simple start with Yubico PKCS#11 library
- Export a RSA / ECC public key with OpenSC pkcs11-tool
- SoftHSM2 view slot info and objects on a specific slot
- Generate RSA, ECC and AES keys with OpenSC pkcs11-tool
- Show slot and token info with OpenSC pkcs11-tool
- SoftHSM2 first steps to create slots
- Configuration of OpenSC pkcs11-tool
- S/MIME Zertifikat per OpenSSL erstellen
- EFS Schlüssel per OpenSSL erstellen
Hi,
Thanks for the website.
Please provide me steps to configure SoftHSM2 with java keytool.
using that we need to provide signed certificates without viewing the CA certs/keys.
Hi,
Sorry, this is not on my todo list.
BR, Andreas