User Commands pktool(1)
NAME
pktool - manage PKCS#11 token object storage
SYNOPSIS
pktool delete {[objtype=public|private|both]
[label=label_name]} [token=token_spec]
pktool export [token=token_spec] outfile=file
pktool import [token=token_spec] infile=file
pktool help
pktool list [objtype=public|private|both] [label=label_name]
[token=token_spec]
pktool setpin [token=token_spec]
pktool tokens
DESCRIPTION
The pktool command allows users to manage PKCS#11 token
object stores, including the PKCS#11 software token (softtoken).
OPERANDS
The following operands are supported:
token=token_spec Specifies a PKCS#11 token other than
the default softtoken object store.
The token_spec has the format of:
token_name [:manuf_id [:serial_no]]
At a minimum, token_spec must contain
the token label name. If the token
label name contains trailing spaces,
specifying the trailing spaces is not
required, as a convenience to the user.
You can further qualify the specific
token by providing the token
manufacturer identifier, the token
serial number, or both, separated by
colons (:). If the serial number is
used without a manufacturer identifier,
the extra colon separator must be
included to indicate that the
manufacturer identifier is null, for
example, token=tokname::2005.
Literal colons in the token label
name, manufacturer identifier, or
serial number must be escaped by
preceding the colon with a backslash
(\). In those cases, you might also
need to protect the token specifier
from being parsed by the shell using
the current shell escape characters,
as in the following example using
double quotes (""):
token="Token\: Home::20\:05"
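The token_spec grammar described above, as an added example that is not pktool's own code: a small C parser and matcher for token_name[:manuf_id[:serial_no]] that handles backslash-escaped colons and the null-manufacturer "::" form. The function names and the 64-byte field limit are assumptions made here, and trimming trailing spaces from the manufacturer id and serial number goes beyond what the page states for the label.

```c
#include <string.h>
#define SPEC_FIELD_MAX 64

/* Parsed token_spec: token_name[:manuf_id[:serial_no]]. An empty manuf or
 * serial means "not specified", as in the "tokname::2005" form. */
struct token_spec {
    char label[SPEC_FIELD_MAX], manuf[SPEC_FIELD_MAX], serial[SPEC_FIELD_MAX];
};

/* Split spec on unescaped colons; "\:" yields a literal colon. Returns the
 * number of fields present (1..3), or 0 if the label is empty, a field is
 * too long, or more than two separators appear. */
int parse_token_spec(const char *spec, struct token_spec *out)
{
    char *fields[3] = { out->label, out->manuf, out->serial };
    int f = 0, n = 0;
    memset(out, 0, sizeof *out);
    for (const char *p = spec; *p != '\0'; p++) {
        if (*p == '\\' && p[1] == ':') {
            p++;                        /* escaped colon: keep it literally */
        } else if (*p == ':') {
            if (++f >= 3) return 0;     /* only label, manuf, serial allowed */
            n = 0;
            continue;
        }
        if (n >= SPEC_FIELD_MAX - 1) return 0;
        fields[f][n++] = *p;
    }
    return out->label[0] != '\0' ? f + 1 : 0;
}

/* Compare a spec field against a token value, ignoring trailing spaces in
 * either: the page promises that leniency for the label; extending it to the
 * manufacturer id and serial number (also space-padded by PKCS#11) is an
 * assumption. An unspecified (empty) spec field is a wildcard. */
static int field_matches(const char *want, const char *have)
{
    size_t wl = strlen(want), hl = strlen(have);
    while (wl > 0 && want[wl - 1] == ' ') wl--;
    while (hl > 0 && have[hl - 1] == ' ') hl--;
    return wl == 0 || (wl == hl && memcmp(want, have, wl) == 0);
}

/* Does the parsed spec select a token with these (possibly padded) values? */
int token_spec_matches(const struct token_spec *s, const char *label,
                       const char *manuf, const char *serial)
{
    return field_matches(s->label, label) && field_matches(s->manuf, manuf) &&
           field_matches(s->serial, serial);
}
```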
infile=file Specifies the input file path.
There is no default.
label=label_name Specifies a PKCS#11 object label.
objtype=object_type Specifies the type of object, where
object_type is one of the following:
both
Selects both public and private
objects for the current operation.
The user must successfully
authenticate to the selected
token to gain access to private
objects.
private
Selects private objects for the
current operation. The user
must successfully authenticate
to the selected token using the
correct passphrase to gain
access to private objects.
public
Selects public objects for the
current operation.
outfile=file Specifies the output file path.
There is no default.
SUBCOMMANDS
The following subcommands are supported:
delete
The format for the delete subcommand is as follows:
delete {[objtype=object_type] [label=label_name]} [token=token_spec]
Removes the object with the given label from the
selected token object store. If the object to be deleted
is private, the user is first required to successfully
authenticate with the correct token passphrase.
The objtype argument can be used to narrow the objects to
be deleted to only public or private ones, or both.
The label argument can be omitted to indicate that all
public or private objects are to be deleted.
At least one of objtype or label must be used to delete
objects.
export
The format for the export subcommand is as follows:
export [token=token_spec] outfile=file
Saves the contents of the selected token object store to
the given file. The file created contains a
PKCS#12-compliant list of elements, and can optionally be
passphrase-protected.
The export subcommand only supports passphrase-based
privacy and integrity. The same passphrase is used for
both privacy and integrity. If the user provides a
non-empty passphrase for the PKCS#12 export file, pktool
encrypts the contents of the file with this passphrase.
Successfully exporting the objects requires authenticating
correctly to the token object store by entering its
passphrase when prompted. The PKCS#12 file is created
with mode 0600.
help
The format for the help subcommand is as follows:
help
Displays usage and help information.
import
The format for the import subcommand is as follows:
import [token=token_spec] infile=file
Loads supported objects from the given file into the
selected token object store.
The file must be in the PKCS#12 standard format: Personal
Information Exchange Syntax Standard. See
http://www.rsasecurity.com. Supported objects that can be
imported are public keys, private keys, secret keys, and
certificates.
The file must contain one or more PKCS#12-compliant
elements, and can optionally be passphrase-encrypted. The
import subcommand only supports passphrase-based privacy
and integrity. The same passphrase is used for both
privacy and integrity. PKCS#12 files protected with
different privacy and integrity passphrases are not
supported.
Once the user provides the correct passphrase, if
needed, to the PKCS#12 import file, pktool decrypts the
contents of the file. The decrypted objects are then
stored into the token object store. Successfully importing
the objects requires authenticating correctly to the
token object store by entering its passphrase when
prompted.
list
The format for the list subcommand is as follows:
list [objtype=object_type] [label=label_name] [token=token_spec]
Lists PKCS#11 objects that exist in the selected token
object store.
If the objtype=public argument is given, which is the
default, only public objects are listed. When the
objtype=private argument is given, only private objects
are listed and the user is prompted to authenticate to
the token by entering the correct passphrase. To see
both types of objects, the objtype=both argument must be
used.
Only those objects with the given label are listed when
the label argument is used. The label argument can be
combined with objtype to further refine the list of
objects.
When an object is displayed, the user sees its label,
object size, object type and class, and any capability
flags it has enabled.
Additional object attributes are displayed, if available,
such as its identifier for private keys and their
corresponding certificates. Certificates can also
include their beginning and ending validity dates,
subject identifier, issuer, and serial number.
setpin
The format for the setpin subcommand is as follows:
setpin [token=token_spec]
Changes the passphrase used to authenticate a user to
the selected token object store. setpin prompts the user
for the old passphrase, if any. If the old passphrase
matches, pktool prompts for the new passphrase twice.
If the two entries of the new passphrases match, it
becomes the current passphrase for the token.
Passphrases can be any string of characters with lengths
between 1 and 256 with no nulls.
tokens
The format for the tokens subcommand is as follows:
tokens
Lists all visible PKCS#11 tokens.
EXAMPLES
Example 1: Setting and Changing the Passphrase
The following example sets and changes the passphrase for
the softtoken object store. In the first part of the
example, the passphrase for the softtoken object store is
set to fido. In the second part of the example, the
passphrase is changed from fido to hide&seek.
% pktool setpin
Create new passphrase: fido (passphrase is not echoed)
Re-enter new passphrase: fido (passphrase is not echoed)
% pktool setpin
Enter token passphrase: fido (passphrase is not echoed)
Create new passphrase: hide&seek (passphrase is not echoed)
Re-enter new passphrase: hide&seek (passphrase is not echoed)
%
Example 2: Importing Supported Objects
The following example imports a PKCS#12 file infile.p12 that
is encrypted with the passphrase sh!quiet into the softtoken
object store whose passphrase is hide&seek:
% pktool import infile=infile.p12
Enter token passphrase: hide&seek (passphrase is not echoed)
Enter import file passphrase: sh!quiet (passphrase is not echoed)
3 PKCS#12 elements imported
%
Example 3: Exporting Supported Objects
The following example exports the contents of the same
softtoken object store to an unencrypted PKCS#12 file
outfile.p12:
% pktool export outfile=outfile.p12
Enter token passphrase: hide&seek (passphrase is not echoed)
Create export file passphrase: (user presses return)
Re-enter export file passphrase: (user presses return again)
Writing object #1...
Writing object #2...
Writing object #3...
%
Example 4: Listing Objects
The following example lists the contents of softtoken object
store:
% pktool list objtype=both
1. "My DES3 key" (168-bit DES3 secret key)
(encrypt,decrypt,wrap,unwrap,sign,verify,extractable)
2. "Server-Cert" (1024-bit RSA private key)
Id: a8:bf:a8:ea:f2:2d:a5:03:89:58:b5:d5:9d:fc:33:a9:57:46:02:80
(decrypt,sign,sign-recover,unwrap,extractable)
3. "Server-Cert" (X.509 certificate)
Id: a8:bf:a8:ea:f2:2d:a5:03:89:58:b5:d5:9d:fc:33:a9:57:46:02:80
Subject: C = US, ST = California, O = Sun Microsystems, Inc., OU =
Solaris Group, CN = www.demo.sun.com
Issuer: O = Sun Microsystems, Inc., OU = Solaris Group,
CN = Test Root CA
Serial: 86:27 (34343)
%
Example 5: Deleting Objects
The following example deletes all objects with the label
Server-Cert shown in the previous example.
% pktool delete label="Server-Cert"
Enter token passphrase: hide&seek (passphrase is not echoed)
Warning: multiple objects "Server-Cert" found, deleting all
Continue with delete? yes
Object "Server-Cert" #1 successfully deleted
Object "Server-Cert" #2 successfully deleted
%
Example 6: Listing PKCS#11 Tokens
The following example lists available PKCS#11 tokens:
% pktool tokens
Token Label Manuf ID Serial No PIN State
Sun Metaslot Sun Microsystem user set
vca/0 Crypto Accel 2.0 SUNWvca 0003-BA0E-89F8 user set
vca/1 Crypto Accel 2.0 SUNWvca 0003-BA0E-99CA user set
Sun Software PKCS#11 softtoken Sun Microsystem user set
%
Example 7: Listing PKCS#11 Tokens and Setting the Initial Passphrase
The following example lists available PKCS#11 tokens, and
selects one to set the initial passphrase:
% pktool tokens
Token Label Manuf ID Serial No PIN State
Sun Metaslot Sun Microsystem user set
vca/0 Crypto Accel 2.0 SUNWvca 0003-BA0E-89F8 default
vca/1 Crypto Accel 2.0 SUNWvca 0003-BA0E-99CA default
Sun Software PKCS#11 softtoken Sun Microsystem user set
% pktool setpin token="vca/0 Crypto Accel 2.0"
Create new passphrase: realmX:sh!quiet (passphrase is not echoed)
Re-enter new passphrase: realmX:sh!quiet (passphrase is not echoed)
%
EXIT STATUS
The following exit values are returned:
0 Successful completion.
>0 An error occurred.
ERRORS
If any PKCS#12 elements in the import file are corrupted, or
cannot be decrypted or parsed successfully, the entire
contents of the file is rejected.
If any elements in the import file are not supported
softtoken object store objects, or duplicates of existing
objects, only those elements are omitted from the import.
The remaining items are imported as usual.
Some object attributes in the softtoken object store cannot
be preserved when those objects are exported to a PKCS#12
file. The attributes these objects acquire when they are
imported as PKCS#12 elements into a PKCS#11 token are
token-dependent. Similarly, objects that are imported into
the softtoken object store from other tokens by way of
PKCS#12 might not have identical object attributes.
FILES
${HOME}/.sunw/pkcs11_softtoken
The user's default token object store.
${SOFTTOKEN_DIR}/pkcs11_softtoken
The alternate software token object store.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWcsu |
|_____________________________|_____________________________|
| Interface Stability | Evolving |
|_____________________________|_____________________________|
SEE ALSO
attributes(5), pkcs11_softtoken(5)
RSA PKCS#11 v2.11 http://www.rsasecurity.com
RSA PKCS#12 v1.0 http://www.rsasecurity.com