P11NG CLI
The CLI tool p11ng-tool provides actions for querying, removing, and creating objects (keys) in an HSM slot, in addition to signing sample text with an existing wrapped key.
The tool is provided for troubleshooting purposes and the API is likely to change in future versions.
Run p11ng-tool from SIGNSERVER_HOME using the following command:
bin/p11ng-tool

Usage
p11ng-tool [options]

P11NG commands
 -action <arg>              Operation to perform. Any of: [listSlots, showInfo, listObjects,
                            listKeyStoreEntries, generateKey, generateAndWrapKeyPair,
                            unwrapAndSign, deleteKeyStoreEntryByAlias, deleteObjects,
                            generateKeyPair, signPerformanceTest, unwrapPerformanceTest]
 -alias <arg>               Key alias
 -attributes_file <arg>     Path of file containing attributes to be used while generating key pair
 -libfile <arg>             Shared library path
 -method <arg>              Method to use, either pkcs11 (default) or provider
 -nocertificateobject       Don't create a certificate object when generating a key.
                            Default is to generate a certificate object
 -object <arg>              Object ID (decimal)
 -pin <arg>                 User PIN
 -plaintext <arg>           text string to sign
 -privatekey <arg>          base64 encoded encrypted (wrapped) private key
 -publickey <arg>           base64 encoded public key
 -selfcert                  Generate a self-signed certificate for the new key-pair
 -selfsigneddn <arg>        Distinguished Name (DN) to use as issuer and subject DN in the
                            self-signed certificate instead of the default one.
 -signaturealgorithm <arg>  For sign-/unwrapPerformanceTest: Signature algorithm to use
                            (default: SHA256withRSA)
 -slot <arg>                Slot ID to operate on
 -threads <arg>             For sign-/unwrapPerformanceTest: Number of stresstest threads
                            to run (default: 1)
 -timelimit <arg>           For sign-/unwrapPerformanceTest: Optional. Only run for the
                            specified time (in milliseconds).
 -unwrapkey <arg>           Label of key to unwrap with
 -use_cache <arg>           For sign-/unwrapPerformanceTest: Whether key objects are fetched
                            from cache instead of HSM token (default: true)
 -warmuptime <arg>          For sign-/unwrapPerformanceTest: Don't count number of signings
                            and response times until after this time (in milliseconds).
                            Default=0 (no warmup time).
 -wrapkey <arg>             Label of key to wrap with

Sample usages:
a) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action listSlots
b) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action showInfo
c) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action listObjects -slot 0 -pin foo123
d) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action generateKey -slot 0 -pin foo123 -alias wrapkey1
e) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action generateKeyPair -slot 0 -pin foo123 -alias myprivkey
f) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action generateKeyPair -slot 0 -pin foo123 -alias myprivkey -attributes_file /home/user/attribute_file.properties
g) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action deleteObjects -slot 0 -pin foo123 -object 4
h) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action deleteObjects -slot 0 -pin foo123 -object 4 -object 5
i) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action deleteKeyStoreEntryByAlias -slot 0 -alias mykey1
j) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action listKeyStoreEntries -slot 0 -pin foo123
k) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action generateAndWrapKeyPair -slot 0 -pin foo123 -wrapkey wrapkey1 -selfcert -alias wrappedprivkey
l) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action signPerformanceTest -slot 0 -pin foo123 -alias mykey1 -warmuptime 10000 -timelimit 100000 -threads 10
m) p11ng-tool -libfile /opt/ETcpsdk/lib/linux-x86_64/libctsw.so -action unwrapPerformanceTest -slot 0 -pin foo123 -wrapkey wrapkey1 -warmuptime 10000 -timelimit 100000 -threads 10