A command line tool for interacting with PKCS #11 tokens. The intended audience is developers writing PKCS #11 applications who need to inspect objects, import test keys, delete generated keys, etc. (We wrote this tool to help with our own development projects).
```sh
go get -u github.com/thales-e-security/p11tool
```

Run `p11tool --help` to see available commands. Run `p11tool <command> --help` for help on individual commands.
Supported functionality:
- Print the attributes of all objects on the token. Optionally restricted to objects with a given label.
- Print all the mechanisms supported by a token.
- Delete all objects from the token. Optionally retain objects with the specified label(s).
- Import a plaintext AES key.
- Calculate a checksum for an AES key.
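The AES key checksum listed above is conventionally the key check value (KCV): the first three bytes of the AES-ECB encryption of a single all-zero block, which is also how PKCS #11 defines `CKA_CHECK_VALUE` for AES keys. The following is an added stand-alone example, not p11tool's own code; it assumes p11tool uses this conventional definition, and the all-zero key is a constructed sample input. It is useful for confirming that a key imported into a token matches the key material you think you imported.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"fmt"
	"log"
)

// AESCheckValue returns the 3-byte key check value of an AES key: the first
// three bytes of the AES-ECB encryption of one all-zero 16-byte block. This is
// the conventional KCV and the PKCS #11 definition of CKA_CHECK_VALUE for AES.
func AESCheckValue(key []byte) ([]byte, error) {
	// aes.NewCipher rejects any key length other than 16, 24 or 32 bytes,
	// so a truncated or padded key is caught here rather than silently hashed.
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	var zero, out [aes.BlockSize]byte
	block.Encrypt(out[:], zero[:])
	return out[:3], nil
}

// CheckValueMatches compares a locally computed KCV with a value reported by a
// token (for example the CKA_CHECK_VALUE attribute printed for an imported key),
// so a mismatch between local and on-token key material is detected.
func CheckValueMatches(key, reported []byte) (bool, error) {
	kcv, err := AESCheckValue(key)
	if err != nil {
		return false, err
	}
	return bytes.Equal(kcv, reported), nil
}

func main() {
	// Constructed sample input: the all-zero AES-128 key (a test value only).
	key := make([]byte, 16)
	kcv, err := AESCheckValue(key)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("AES-128 KCV of the all-zero key: %s\n", hex.EncodeToString(kcv)) // 66e94b

	// A 15-byte value is not a valid AES key and must be rejected, not checksummed.
	if _, err := AESCheckValue(make([]byte, 15)); err != nil {
		fmt.Println("rejected invalid key length:", err)
	}
}
```

The expected value for the all-zero AES-128 key follows from the well-known result that AES-128 under a zero key maps the zero block to `66e94bd4ef8a2c3b884cfa59ca342b2e` (the GHASH subkey in GCM test case 1), so its KCV is `66e94b`.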
The token user PIN can be supplied as a command line argument or omitted, in which case it will be prompted for in the terminal.
CloudHSM produces a lot of noisy logs that make it impossible to read the outputs from p11tool. Here's how you can list the objects on a CloudHSM without seeing all the logs:
```sh
p11tool --lib /opt/cloudhsm/lib/libcloudhsm_pkcs11.so --pin <user>:<password> --token cavium list | grep -v "failed with error" | grep .
```
Contributions are very welcome. Either raise a pull request or open an issue to discuss a new feature. Here are some of the things we'd like to add or improve:
- Printing nested templates (i.e. `CKA_WRAP_TEMPLATE` and `CKA_UNWRAP_TEMPLATE`).
- Generating test keys (at least RSA and AES).
- Encryption, signing and verifying of test data using token keys.
- Reading of library path, token name and PIN from a config file.