6 hours ago
[center]![[Image: images?q=tbn:ANd9GcRUb-AdST-kL_o9w-b75WK...NSf8r6VQ&s]](https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRUb-AdST-kL_o9w-b75WKtyQhev-NSf8r6VQ&s)
[/center]
[center]=7Denmark Mastercard Debit Business by carders forum[/center]
[center]
Denmark Mastercard Debit Business by carders forum
pkcs11-tools is a toolkit containing a bunch of small utilities to perform key management tasks on cryptographic tokens implementing a PKCS#11 interface. It features a number of commands similar to the unix CLI utilities, such as ls , mv, rm, od, and more. It also has specific commands to generate keys, generate CSRs, import certificates and other files, in a fashion compatible with most implementations, including both IBM and Oracle JVMs. It is also able to interface with NSS libraries from mozilla.org.
Some features:
support for DES, 3DES, AES, HMAC, RSA, DSA, DH, Elliptic curves (NIST curves, Edwards curves)
generation of PKCS#10 (CSR) and self-signed certificates
import of certificates, public keys, data files
support for wrapping and unwrapping keys, for both symmetric and asymmetric keys
support for templates during key creation, public key import, key wrapping and key unwrapping
support for session key generation and direct wrapping under one or several keys, in a single command
support for key rewrapping (i.e. key unwrapping and key wrapping)
News
July 2023
Version 2.6 brings support for the AWS CloudHSM platform, library version 5.9. Limitations are:
Certificates are not supported by the platform, therefore any command handling certificates will fail
Changing attributes values is not supported by the platform; several commands rely on that capability to adjust CKA_ID accross objects. These commands may occasionally report an error when executed; key material is usually created.
For the same reason, p11mv and p11setattr will not operate on this platform.
The platform does not allow for duplicate CKA_ID attributes, which occasionally brings issues when generating key material. This will be adjusted in a later release.
p11od command will not work, due to the way CloudHSM handles attributes.
When using wrapped key files, CKA_SIGN_RECOVER and CKA_VERIFY_RECOVER are not supported, and should be commented out.
Wrap and unwrap templates are not supported by this platform. These should also be commented out in wrapped key files. AWS CloudHSM support is disabled by default; please refer to installation instructions for more details.
June 2023
Version 2.6, introduces support for JWK - JOSE Web Key output (RFC 7517) on the p11keygen, p11wrap, and p11rewrap commands. The JWK format is not supported for importing keys.
October 2021
Version 2.5, that brings support for CKA_ALLOWED_MECHANISMS, on many key management commands: p11keygen, p11wrap , p11unwrap, p11rewrap, p11od, p11ls. Note that the wrapped key grammar has changed; the grammar version number has been incremented to 2.2.
July 2021
Version 2.4, to support templates in many commands: p11keygen, p11importpubk, p11wrap, p11unwrap, p11od , p11ls. Keys created with a template can be wrapped, the template attributes will be carried. Note that the wrapped key grammar has changed, and the grammar version number has been incremented to 2.1.
April 2021
Version 2.3, that adds extra options to p11kcv, so that tokens not supporting NULL-length HMAC computation can be also supported.
March 2021
Version 2.2 is slightly changing the layout of p11slotinfo. Edwards Curve support enhanced. The toolkit is also adapted to be packaged as a FreeBSD port.
January 2021
Version 2.1 brings support for Edwards Curve.
December 2020
The toolkit has reached v2.0. It features several major changes:
it supports (and requires) OpenSSL v1.1.1+
signing commands (p11mkcert, p11req and masqreq) implement OpenSSL algorithm methods. This will enable supporting more algorithms in the future.
major overhaul of the wrapping/unwrapping system: it is now possible to perform double wrapping (aka envelope wrapping) with a single command, in a secure fashion
p11keygen can now generate a session key and wrap it under one or several wrapping keys
a new command, p11rewrap, allows to unwrap a key and immediately rewrap in under one or several wrapping keys, in a secure fashion.
Introduction
Ensure the prerequisites listed in the Install Document are installed before proceeding
To build the source code, simply execute (with appropriate privileges)
$ ./bootstrap.sh
$ ./configure
$ make install
To list the methods available on a PKCS#11 token, use p11slotinfo, that will return the list of available mechanisms, together with allowed APIs.
$ using PKCS11LIB at /opt/softhsm2-devel/lib/softhsm/libsofthsm2.so
PKCS#11 Library
---------------
Name : /opt/softhsm2-devel/lib/softhsm/libsofthsm2.so
Lib version : 2.6
API version : 2.40
Description : Implementation of PKCS11
Manufacturer: SoftHSM
PKCS#11 module slot list:
Slot index: 0
----------------
Description : SoftHSM slot ID 0x4fbfdc13
Token Label : token1
Manufacturer: SoftHSM project
Enter slot index: 0
Slot[0]
-------------
Slot Number : 1337973779
Description : SoftHSM slot ID 0x4fbfdc13
Manufacturer: SoftHSM project
Slot Flags : [ CKF_TOKEN_PRESENT ]
Token
-------------
Label : first token
Manufacturer: SoftHSM project
Token Flags : [ CKF_RNG CKF_LOGIN_REQUIRED CKF_USER_PIN_INITIALIZED CKF_RESTORE_KEY_NOT_NEEDED CKF_TOKEN_INITIALIZED ]
Mechanisms:
-----------
CKM_MD5 --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000210)
CKM_SHA_1 --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000220)
CKM_SHA224 --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000255)
CKM_SHA256 --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000250)
CKM_SHA384 --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000260)
CKM_SHA512 --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000270)
CKM_MD5_HMAC --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000211)
CKM_SHA_1_HMAC --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000221)
CKM_SHA224_HMAC --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000256)
CKM_SHA256_HMAC --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000251)
CKM_SHA384_HMAC --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000261)
CKM_SHA512_HMAC --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000271)
CKM_RSA_PKCS_KEY_PAIR_GEN --- --- --- --- --- --- --- --- gkp --- --- --- SW (00000000)
CKM_RSA_PKCS enc dec --- sig --- vfy --- --- --- wra unw --- SW (00000001)
...
To list the objects sitting on the token at slot with index 0, use p11ls. objects are listed together with their attributes;
$ p11ls -l /usr/local/opt/softhsm/lib/softhsm/libsofthsm2.so -s 0
Enter passphrase for token: ******
seck/des-double tok,prv,r/w,loc,enc,dec,sen,ase,nxt,des(128)
pubk/rsa tok,pub,r/w,loc,vfy,rsa(2048)
seck/des-simple tok,prv,r/w,loc,enc,dec,sen,ase,nxt,des(64)
seck/aes-wrapping tok,prv,r/w,imp,wra,unw,sen,NAS,WXT,aes
pubk/dh tok,pub,r/w,loc,enc,vre,wra,dh(2048)
pubk/rsa-wrapping tok,pub,r/w,loc,wra,rsa(2048)
prvk/rsa-disclosed tok,prv,r/w,loc,sig,NSE,NAS,XTR,WXT,rsa(2048)
prvk/rsa-wrapping tok,prv,r/w,loc,unw,sen,ase,nxt,rsa(2048)
seck/aes-128 tok,prv,r/w,loc,enc,dec,sen,ase,nxt,aes(128)
seck/aes-256 tok,prv,r/w,loc,wra,unw,sen,ase,nxt,aes(256)
prvk/rsa tok,prv,r/w,loc,sig,sen,ase,nxt,rsa(2048)
pubk/rsa-disclosed tok,pub,r/w,loc,vfy,rsa(2048)
prvk/dh tok,prv,r/w,loc,dec,sir,unw,sen,ase,nxt,dh(2048)
seck/des-triple tok,prv,r/w,loc,enc,dec,sen,ase,nxt,des(192)
prvk/dsa tok,prv,r/w,loc,dec,sig,sir,unw,sen,ase,nxt,dsa(2048)
pubk/dsa tok,pub,r/w,loc,enc,vfy,vre,wra,dsa(2048)
data/dsaparam tok,prv,
seck/hmac-256 tok,prv,r/w,loc,sig,vfy,sen,ase,nxt,generic
data/dhparam tok,prv,
To avoid specifying command line arguments, environment variables can be specified for the following items:
-----END CERTIFICATE REQUEST-----
Later, p11importcert can be used to import the certificate back to the keystore. Public keys can be imported using p11importpubk, and data files with p11importdata.
If you need to wrap or unwrap a key, you can use the command p11wrap:
$ p11wrap -w aes-wrapping -i rootca -a cbcpad >wrapped-key.wrap
key wrapping succeeded
The key can be unwrapped later, reusing the wrapped-key.wrap file created earlier:
$ p11unwrap -f wrapped-key.wrap
key unwrapping succeeded
Installation
The project can compile on many platforms, including Linux, AIX, Solaris. Using cross-compilers, it is also possible to compile for the Windows platform. Compilation under macOS requires brew. Please refer to docs/INSTALL.md for installation instructions.
Manual
Please refer to docs/MANUAL.md for instructions / how-to guide.
Contributing
If you wish to contribute to this project, please refer to the rules in docs/CONTRIBUTING.md.
Contributors:
Georg Lippold (Mastercard, https://www.mastercard.com) - JWK output, GitHub build & CodeQL integration
Author
Eric Devolder (Mastercard, https://www.mastercard.com)
Licensing terms
Except when specified differently in source files, the following license apply:
Copyright © 2018 Mastercard
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an " AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Download Link
[/center]
=7Download Link
[/center]
[center]=7Denmark Mastercard Debit Business by carders forum[/center]
[center]
Denmark Mastercard Debit Business by carders forum
pkcs11-tools is a toolkit containing a bunch of small utilities to perform key management tasks on cryptographic tokens implementing a PKCS#11 interface. It features a number of commands similar to the unix CLI utilities, such as ls , mv, rm, od, and more. It also has specific commands to generate keys, generate CSRs, import certificates and other files, in a fashion compatible with most implementations, including both IBM and Oracle JVMs. It is also able to interface with NSS libraries from mozilla.org.
Some features:
support for DES, 3DES, AES, HMAC, RSA, DSA, DH, Elliptic curves (NIST curves, Edwards curves)
generation of PKCS#10 (CSR) and self-signed certificates
import of certificates, public keys, data files
support for wrapping and unwrapping keys, for both symmetric and asymmetric keys
support for templates during key creation, public key import, key wrapping and key unwrapping
support for session key generation and direct wrapping under one or several keys, in a single command
support for key rewrapping (i.e. key unwrapping and key wrapping)
News
July 2023
Version 2.6 brings support for the AWS CloudHSM platform, library version 5.9. Limitations are:
Certificates are not supported by the platform, therefore any command handling certificates will fail
Changing attributes values is not supported by the platform; several commands rely on that capability to adjust CKA_ID accross objects. These commands may occasionally report an error when executed; key material is usually created.
For the same reason, p11mv and p11setattr will not operate on this platform.
The platform does not allow for duplicate CKA_ID attributes, which occasionally brings issues when generating key material. This will be adjusted in a later release.
p11od command will not work, due to the way CloudHSM handles attributes.
When using wrapped key files, CKA_SIGN_RECOVER and CKA_VERIFY_RECOVER are not supported, and should be commented out.
Wrap and unwrap templates are not supported by this platform. These should also be commented out in wrapped key files. AWS CloudHSM support is disabled by default; please refer to installation instructions for more details.
June 2023
Version 2.6, introduces support for JWK - JOSE Web Key output (RFC 7517) on the p11keygen, p11wrap, and p11rewrap commands. The JWK format is not supported for importing keys.
October 2021
Version 2.5, that brings support for CKA_ALLOWED_MECHANISMS, on many key management commands: p11keygen, p11wrap , p11unwrap, p11rewrap, p11od, p11ls. Note that the wrapped key grammar has changed; the grammar version number has been incremented to 2.2.
July 2021
Version 2.4, to support templates in many commands: p11keygen, p11importpubk, p11wrap, p11unwrap, p11od , p11ls. Keys created with a template can be wrapped, the template attributes will be carried. Note that the wrapped key grammar has changed, and the grammar version number has been incremented to 2.1.
April 2021
Version 2.3, that adds extra options to p11kcv, so that tokens not supporting NULL-length HMAC computation can be also supported.
March 2021
Version 2.2 is slightly changing the layout of p11slotinfo. Edwards Curve support enhanced. The toolkit is also adapted to be packaged as a FreeBSD port.
January 2021
Version 2.1 brings support for Edwards Curve.
December 2020
The toolkit has reached v2.0. It features several major changes:
it supports (and requires) OpenSSL v1.1.1+
signing commands (p11mkcert, p11req and masqreq) implement OpenSSL algorithm methods. This will enable supporting more algorithms in the future.
major overhaul of the wrapping/unwrapping system: it is now possible to perform double wrapping (aka envelope wrapping) with a single command, in a secure fashion
p11keygen can now generate a session key and wrap it under one or several wrapping keys
a new command, p11rewrap, allows to unwrap a key and immediately rewrap in under one or several wrapping keys, in a secure fashion.
Introduction
Ensure the prerequisites listed in the Install Document are installed before proceeding
To build the source code, simply execute (with appropriate privileges)
$ ./bootstrap.sh
$ ./configure
$ make install
To list the methods available on a PKCS#11 token, use p11slotinfo, that will return the list of available mechanisms, together with allowed APIs.
$ using PKCS11LIB at /opt/softhsm2-devel/lib/softhsm/libsofthsm2.so
PKCS#11 Library
---------------
Name : /opt/softhsm2-devel/lib/softhsm/libsofthsm2.so
Lib version : 2.6
API version : 2.40
Description : Implementation of PKCS11
Manufacturer: SoftHSM
PKCS#11 module slot list:
Slot index: 0
----------------
Description : SoftHSM slot ID 0x4fbfdc13
Token Label : token1
Manufacturer: SoftHSM project
Enter slot index: 0
Slot[0]
-------------
Slot Number : 1337973779
Description : SoftHSM slot ID 0x4fbfdc13
Manufacturer: SoftHSM project
Slot Flags : [ CKF_TOKEN_PRESENT ]
Token
-------------
Label : first token
Manufacturer: SoftHSM project
Token Flags : [ CKF_RNG CKF_LOGIN_REQUIRED CKF_USER_PIN_INITIALIZED CKF_RESTORE_KEY_NOT_NEEDED CKF_TOKEN_INITIALIZED ]
Mechanisms:
-----------
CKM_MD5 --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000210)
CKM_SHA_1 --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000220)
CKM_SHA224 --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000255)
CKM_SHA256 --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000250)
CKM_SHA384 --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000260)
CKM_SHA512 --- --- hsh --- --- --- --- --- --- --- --- --- SW (00000270)
CKM_MD5_HMAC --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000211)
CKM_SHA_1_HMAC --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000221)
CKM_SHA224_HMAC --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000256)
CKM_SHA256_HMAC --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000251)
CKM_SHA384_HMAC --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000261)
CKM_SHA512_HMAC --- --- --- sig --- vfy --- --- --- --- --- --- SW (00000271)
CKM_RSA_PKCS_KEY_PAIR_GEN --- --- --- --- --- --- --- --- gkp --- --- --- SW (00000000)
CKM_RSA_PKCS enc dec --- sig --- vfy --- --- --- wra unw --- SW (00000001)
...
To list the objects sitting on the token at slot with index 0, use p11ls. objects are listed together with their attributes;
$ p11ls -l /usr/local/opt/softhsm/lib/softhsm/libsofthsm2.so -s 0
Enter passphrase for token: ******
seck/des-double tok,prv,r/w,loc,enc,dec,sen,ase,nxt,des(128)
pubk/rsa tok,pub,r/w,loc,vfy,rsa(2048)
seck/des-simple tok,prv,r/w,loc,enc,dec,sen,ase,nxt,des(64)
seck/aes-wrapping tok,prv,r/w,imp,wra,unw,sen,NAS,WXT,aes
pubk/dh tok,pub,r/w,loc,enc,vre,wra,dh(2048)
pubk/rsa-wrapping tok,pub,r/w,loc,wra,rsa(2048)
prvk/rsa-disclosed tok,prv,r/w,loc,sig,NSE,NAS,XTR,WXT,rsa(2048)
prvk/rsa-wrapping tok,prv,r/w,loc,unw,sen,ase,nxt,rsa(2048)
seck/aes-128 tok,prv,r/w,loc,enc,dec,sen,ase,nxt,aes(128)
seck/aes-256 tok,prv,r/w,loc,wra,unw,sen,ase,nxt,aes(256)
prvk/rsa tok,prv,r/w,loc,sig,sen,ase,nxt,rsa(2048)
pubk/rsa-disclosed tok,pub,r/w,loc,vfy,rsa(2048)
prvk/dh tok,prv,r/w,loc,dec,sir,unw,sen,ase,nxt,dh(2048)
seck/des-triple tok,prv,r/w,loc,enc,dec,sen,ase,nxt,des(192)
prvk/dsa tok,prv,r/w,loc,dec,sig,sir,unw,sen,ase,nxt,dsa(2048)
pubk/dsa tok,pub,r/w,loc,enc,vfy,vre,wra,dsa(2048)
data/dsaparam tok,prv,
seck/hmac-256 tok,prv,r/w,loc,sig,vfy,sen,ase,nxt,generic
data/dhparam tok,prv,
To avoid specifying command line arguments, environment variables can be specified for the following items:
-----END CERTIFICATE REQUEST-----
Later, p11importcert can be used to import the certificate back to the keystore. Public keys can be imported using p11importpubk, and data files with p11importdata.
If you need to wrap or unwrap a key, you can use the command p11wrap:
$ p11wrap -w aes-wrapping -i rootca -a cbcpad >wrapped-key.wrap
key wrapping succeeded
The key can be unwrapped later, reusing the wrapped-key.wrap file created earlier:
$ p11unwrap -f wrapped-key.wrap
key unwrapping succeeded
Installation
The project can compile on many platforms, including Linux, AIX, Solaris. Using cross-compilers, it is also possible to compile for the Windows platform. Compilation under macOS requires brew. Please refer to docs/INSTALL.md for installation instructions.
Manual
Please refer to docs/MANUAL.md for instructions / how-to guide.
Contributing
If you wish to contribute to this project, please refer to the rules in docs/CONTRIBUTING.md.
Contributors:
Georg Lippold (Mastercard, https://www.mastercard.com) - JWK output, GitHub build & CodeQL integration
Author
Eric Devolder (Mastercard, https://www.mastercard.com)
Licensing terms
Except when specified differently in source files, the following license apply:
Copyright © 2018 Mastercard
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an " AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Download Link
[/center]
=7Download Link
[/center]
zerodark
