Путеводитель по Руководству Linux

  User  |  Syst  |  Libr  |  Device  |  Files  |  Other  |  Admin  |  Head  |



   p11tool    ( 1 )

инструмент GnuTLS PKCS #11 (GnuTLS PKCS #11 tool)

  Name  |  Synopsis  |  Description  |    Options    |  Examples  |  Exit  |  See also  |

Параметры (Options)

Tokens
       --list-tokens
              List all available tokens.

--list-token-urls List the URLs available tokens.

This is a more compact version of --list-tokens.

--list-mechanisms List all available mechanisms in a token.

--initialize Initializes a PKCS #11 token.

--initialize-pin Initializes/Resets a PKCS #11 token user PIN.

--initialize-so-pin Initializes/Resets a PKCS #11 token security officer PIN..

This initializes the security officer's PIN. When used non-interactively use the GNUTLS_NEW_SO_PIN environment variables to initialize SO's PIN.

--set-pin=string Specify the PIN to use on token operations.

Alternatively the GNUTLS_PIN environment variable may be used.

--set-so-pin=string Specify the Security Officer's PIN to use on token initialization.

Alternatively the GNUTLS_SO_PIN environment variable may be used.

Object listing --list-all List all available objects in a token.

All objects available in the token will be listed. That includes objects which are potentially unaccessible using this tool.

--list-all-certs List all available certificates in a token.

That option will also provide more information on the certificates, for example, expand the attached extensions in a trust token (like p11-kit-trust).

--list-certs List all certificates that have an associated private key.

That option will only display certificates which have a private key associated with them (share the same ID).

--list-all-privkeys List all available private keys in a token.

Lists all the private keys in a token that match the specified URL.

--list-privkeys This is an alias for the --list-all-privkeys option.

--list-keys This is an alias for the --list-all-privkeys option.

--list-all-trusted List all available certificates marked as trusted.

--export Export the object specified by the URL. This option must not appear in combination with any of the following options: export-stapled, export-chain, export-pubkey.

--export-stapled Export the certificate object specified by the URL. This option must not appear in combination with any of the following options: export, export-chain, export-pubkey.

Exports the certificate specified by the URL while including any attached extensions to it. Since attached extensions are a p11-kit extension, this option is only available on p11-kit registered trust modules.

--export-chain Export the certificate specified by the URL and its chain of trust. This option must not appear in combination with any of the following options: export-stapled, export, export-pubkey.

Exports the certificate specified by the URL and generates its chain of trust based on the stored certificates in the module.

--export-pubkey Export the public key for a private key. This option must not appear in combination with any of the following options: export-stapled, export, export-chain.

Exports the public key for the specified private key

--info List information on an available object in a token.

--trusted This is an alias for the --mark-trusted option.

--distrusted This is an alias for the --mark-distrusted option.

Key generation --generate-privkey=string Generate private-public key pair of given type.

Generates a private-public key pair in the specified token. Acceptable types are RSA, ECDSA, Ed25519, and DSA. Should be combined with --sec-param or --bits.

--generate-rsa Generate an RSA private-public key pair.

Generates an RSA private-public key pair on the specified token. Should be combined with --sec-param or --bits.

NOTE: THIS OPTION IS DEPRECATED

--generate-dsa Generate a DSA private-public key pair.

Generates a DSA private-public key pair on the specified token. Should be combined with --sec-param or --bits.

NOTE: THIS OPTION IS DEPRECATED

--generate-ecc Generate an ECDSA private-public key pair.

Generates an ECDSA private-public key pair on the specified token. Should be combined with --curve, --sec- param or --bits.

NOTE: THIS OPTION IS DEPRECATED

--bits=number Specify the number of bits for the key generate. This option takes an integer number as its argument.

For applications which have no key-size restrictions the --sec-param option is recommended, as the sec-param levels will adapt to the acceptable security levels with the new versions of gnutls.

--curve=string Specify the curve used for EC key generation.

Supported values are secp192r1, secp224r1, secp256r1, secp384r1 and secp521r1.

--sec-param=security parameter Specify the security level.

This is alternative to the bits option. Available options are [low, legacy, medium, high, ultra].

Writing objects --set-id=string Set the CKA_ID (in hex) for the specified by the URL object. This option must not appear in combination with any of the following options: write.

Modifies or sets the CKA_ID in the specified by the URL object. The ID should be specified in hexadecimal format without a '0x' prefix.

--set-label=string Set the CKA_LABEL for the specified by the URL object. This option must not appear in combination with any of the following options: write, set-id.

Modifies or sets the CKA_LABEL in the specified by the URL object

--write Writes the loaded objects to a PKCS #11 token.

It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of --load-privkey, --load-pubkey, --load- certificate option.

--delete Deletes the objects matching the given PKCS #11 URL.

--label=string Sets a label for the write operation.

--id=string Sets an ID for the write operation.

Sets the CKA_ID to be set by the write operation. The ID should be specified in hexadecimal format without a '0x' prefix.

--mark-wrap, --no-mark-wrap Marks the generated key to be a wrapping key. The no-mark-wrap form will disable the option.

Marks the generated key with the CKA_WRAP flag.

--mark-trusted, --no-mark-trusted Marks the object to be written as trusted. The no-mark-trusted form will disable the option. This option must not appear in combination with any of the following options: mark-distrusted.

Marks the object to be generated/written with the CKA_TRUST flag.

--mark-distrusted When retrieving objects, it requires the objects to be distrusted (blacklisted). This option must not appear in combination with any of the following options: mark- trusted.

Ensures that the objects retrieved have the CKA_X_TRUST flag. This is p11-kit trust module extension, thus this flag is only valid with p11-kit registered trust modules.

--mark-decrypt, --no-mark-decrypt Marks the object to be written for decryption. The no-mark-decrypt form will disable the option.

Marks the object to be generated/written with the CKA_DECRYPT flag set to true.

--mark-sign, --no-mark-sign Marks the object to be written for signature generation. The no-mark-sign form will disable the option.

Marks the object to be generated/written with the CKA_SIGN flag set to true.

--mark-ca, --no-mark-ca Marks the object to be written as a CA. The no-mark-ca form will disable the option.

Marks the object to be generated/written with the CKA_CERTIFICATE_CATEGORY as CA.

--mark-private, --no-mark-private Marks the object to be written as private. The no-mark-private form will disable the option.

Marks the object to be generated/written with the CKA_PRIVATE flag. The written object will require a PIN to be used.

--ca This is an alias for the --mark-ca option.

--private This is an alias for the --mark-private option.

--secret-key=string Provide a hex encoded secret key.

This secret key will be written to the module if --write is specified.

--load-privkey=file Private key file to use.

--load-pubkey=file Public key file to use.

--load-certificate=file Certificate file to use.

Other options -d number, --debug=number Enable debugging. This option takes an integer number as its argument. The value of number is constrained to being: in the range 0 through 9999

Specifies the debug level.

--outfile=string Output file.

--login, --no-login Force (user) login to token. The no-login form will disable the option.

--so-login, --no-so-login Force security officer login to token. The no-so-login form will disable the option.

Forces login to the token as security officer (admin).

--admin-login This is an alias for the --so-login option.

--test-sign Tests the signature operation of the provided object.

It can be used to test the correct operation of the signature operation. If both a private and a public key are available this operation will sign and verify the signed data.

--sign-params=string Sign with a specific signature algorithm.

This option can be combined with --test-sign, to sign with a specific signature algorithm variant. The only option supported is 'RSA-PSS', and should be specified in order to use RSA-PSS signature on RSA keys.

--hash=string Hash algorithm to use for signing.

This option can be combined with test-sign. Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512, SHA3-224, SHA3-256, SHA3-384, SHA3-512.

--generate-random=number Generate random data. This option takes an integer number as its argument.

Asks the token to generate a number of bytes of random bytes.

-8, --pkcs8 Use PKCS #8 format for private keys.

--inder, --no-inder Use DER/RAW format for input. The no-inder form will disable the option.

Use DER/RAW format for input certificates and private keys.

--inraw This is an alias for the --inder option.

--outder, --no-outder Use DER format for output certificates, private keys, and DH parameters. The no-outder form will disable the option.

The output will be in DER or RAW format.

--outraw This is an alias for the --outder option.

--provider=file Specify the PKCS #11 provider library.

This will override the default options in /etc/gnutls/pkcs11.conf

--provider-opts=string Specify parameters for the PKCS #11 provider library.

This is a PKCS#11 internal option used by few modules. Mainly for testing PKCS#11 modules.

NOTE: THIS OPTION IS DEPRECATED

--detailed-url, --no-detailed-url Print detailed URLs. The no-detailed-url form will disable the option.

--only-urls Print a compact listing using only the URLs.

--batch Disable all interaction with the tool.

In batch mode there will be no prompts, all parameters need to be specified on command line.

-h, --help Display usage information and exit.

-!, --more-help Pass the extended usage information through a pager.

-v [{v|c|n --version [{v|c|n}]}] Output version of program and exit. The default mode is `v', a simple version. The `c' mode will print copyright information and `n' will print the full copyright notice.