P11NG CLI
The CLI tool p11ng-tool provides actions for querying, removing, and creating objects (keys) in an HSM slot, as well as for signing sample text with an existing wrapped key.
The tool is provided for troubleshooting purposes and the API is likely to change in future versions.
Run p11ng-tool from SIGNSERVER_HOME using the following command:
bin/p11ng-tool

Usage

p11ng-tool [options]

P11NG commands
 -action <arg>              Operation to perform. Any of: [listSlots, showInfo, listObjects, listKeyStoreEntries, generateKey, generateAndWrapKeyPair, unwrapAndSign, deleteKeyStoreEntryByAlias, deleteObjects, generateKeyPair, signPerformanceTest, unwrapPerformanceTest]
 -alias <arg>               Key alias
 -attributes_file <arg>     Path of file containing attributes to be used while generating key pair
 -libfile <arg>             Shared library path
 -method <arg>              Method to use, either pkcs11 (default) or provider
 -nocertificateobject       Don't create a certificate object when generating a key. Default is to generate a certificate object
 -object <arg>              Object ID (decimal)
 -pin <arg>                 User PIN
 -plaintext <arg>           text string to sign
 -privatekey <arg>          base64 encoded encrypted (wrapped) private key
 -publickey <arg>           base64 encoded public key
 -selfcert                  Generate a self-signed certificate for the new key-pair
 -selfsigneddn <arg>        Distinguished Name (DN) to use as issuer and subject DN in the self-signed certificate instead of the default one.
 -signaturealgorithm <arg>  For sign-/unwrapPerformanceTest: Signature algorithm to use (default: SHA256withRSA)
 -slot <arg>                Slot ID to operate on
 -threads <arg>             For sign-/unwrapPerformanceTest: Number of stresstest threads to run (default: 1)
 -timelimit <arg>           For sign-/unwrapPerformanceTest: Optional. Only run for the specified time (in milliseconds).
 -unwrapkey <arg>           Label of key to unwrap with
 -use_cache <arg>           For sign-/unwrapPerformanceTest: Whether key objects are fetched from cache instead of HSM token (default: true)
 -warmuptime <arg>          For sign-/unwrapPerformanceTest: Don't count number of signings and response times until after this time (in milliseconds). Default=0 (no warmup time).
 -wrapkey <arg>             Label of key to wrap with

Sample Usages
a) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action listSlots
b) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action showInfo
c) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action listObjects -slot 0 -pin foo123
d) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action generateKey -slot 0 -pin foo123 -alias wrapkey1
e) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action generateKeyPair -slot 0 -pin foo123 -alias myprivkey
f) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action generateKeyPair -slot 0 -pin foo123 -alias myprivkey -attributes_file /home/user/attribute_file.properties
g) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action deleteObjects -slot 0 -pin foo123 -object 4
h) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action deleteObjects -slot 0 -pin foo123 -object 4 -object 5
i) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action deleteKeyStoreEntryByAlias -slot 0 -alias mykey1
j) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action listKeyStoreEntries -slot 0 -pin foo123
k) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action generateAndWrapKeyPair -slot 0 -pin foo123 -wrapkey wrapkey1 -selfcert -alias wrappedprivkey
l) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action signPerformanceTest -slot 0 -pin foo123 -alias mykey1 -warmuptime 10000 -timelimit 100000 -threads 10
m) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action unwrapPerformanceTest -slot 0 -pin foo123 -wrapkey wrapkey1 -warmuptime 10000 -timelimit 100000 -threads 10