A tool to generate a keypair inside a PKCS#11 crypto token.

`pkcs11keypair` can be configured by setting environment variables, but applies its own defaults in case a variable is unset.
HSM_MODULE
: Path to the HSM module library to use (default `/usr/lib/softhsm/libsofthsm.so`)

HSM_SLOT_ID
: Slot ID to use (default `0`)

USER_PIN
: User PIN to log in to the token (default `0000`)

KEY_LABEL
: Label to use for the key (default `pkcs11keypair_label`)

KEY_ID
: ID to use for the key (default is a random value)

RSA_SIZE
: Bit size of the modulus in key generation (default `2048`, minimum `1024`)
Usage example with SoftHSM (requires libsofthsm and pkcs11-tool):

- Prepare the SoftHSM token and set configuration values.

  Create the SoftHSM configuration:

  ```
  % echo "0:${PWD}/softhsm.db" > softhsm.conf
  ```

  Set configuration variables:

  ```
  % export SOFTHSM_CONF=${PWD}/softhsm.conf
  % export HSM_MODULE=/usr/lib/softhsm/libsofthsm.so
  % export HSM_SLOT_ID=0
  % export TOKEN_LABEL=softhsm-token
  % export KEY_LABEL=some_key
  % export KEY_ID=12345
  ```

  Initialize the SoftHSM slot:

  ```
  % pkcs11-tool --module ${HSM_MODULE} --slot ${HSM_SLOT_ID} --login \
      --init-token --init-pin --label ${TOKEN_LABEL}
  ```

  (You will be prompted for the SO PIN and the User PIN. Don't mix them up.)
- Build and run `pkcs11keypair`:

  ```
  % go build pkcs11keypair.go
  % ./pkcs11keypair
  Using module /usr/lib/softhsm/libsofthsm.so, slot ID 0, user PIN 0000, key id '12345', key label 'some_key', rsa bit size 2048.
  Wanted slot id 0 and got slot id 0.
  HSM Info: Manufacturer ID SoftHSM Flags: 0 Library Description: Implementation of PKCS11 Library Version: {1 3}.
  Key pair generated: Public Key: 2 Private Key: 1
  ```

- Verify that the keypair has been generated:

  ```
  % pkcs11-tool --module ${HSM_MODULE} --login -O
  Using slot 0 with a present token (0x0)
  Public Key Object; RSA 2048 bits
    label:      some_key
    ID:         3132333435
    Usage:      encrypt, verify, wrap
  Private Key Object; RSA
    label:      some_key
    Usage:      decrypt, sign, unwrap
  ```