cryptoflex-tool(1) [centos man page]

CRYPTOFLEX-TOOL(1)						   OpenSC Tools 						CRYPTOFLEX-TOOL(1)

NAME
       cryptoflex-tool - utility for manipulating Schlumberger Cryptoflex data structures

SYNOPSIS
       cryptoflex-tool [OPTIONS]

DESCRIPTION
       cryptoflex-tool is used to manipulate PKCS data structures on Schlumberger Cryptoflex smart cards. Users can create, list and read PINs and keys stored on the smart card. User PIN authentication is performed for those operations that require it.

OPTIONS
       --app-df num, -a num
           Specifies the DF to operate in

       --create-key-files arg, -c arg
           Creates new RSA key files for arg keys

       --create-pin-files id, -P id
           Creates new PIN file for CHVid

       --exponent exp, -e exp
           Specifies the RSA exponent, exp, to use in key generation. The default value is 3.

       --generate-key, -g
           Generate a new RSA key pair

       --key-num num, -k num
           Specifies the key number to operate on. The default is key number 1.

       --list-keys, -l
           Lists all keys stored in a public key file

       --modulus-length length, -m length
           Specifies the modulus length to use in key generation. The default value is 1024.

       --prkey-file id, -p id
           Specifies the private key file id, id, to use

       --pubkey-file id, -u id
           Specifies the public key file id, id, to use

       --read-key
           Reads a public key from the card, allowing the user to extract and store or use the public key

       --reader num, -r num
           Forces cryptoflex-tool to use reader number num for operations. The default is to use reader number 0, the first reader in the system.

       --verbose, -v
           Causes cryptoflex-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

       --verify-pin, -V
           Verifies CHV1 before issuing commands

SEE ALSO
       pkcs15-tool(1)

opensc                                06/17/2014                                CRYPTOFLEX-TOOL(1)

Check Out this Related Man Page

SC-HSM-TOOL(1)							   OpenSC Tools 						    SC-HSM-TOOL(1)

NAME
       sc-hsm-tool - smart card utility for SmartCard-HSM

SYNOPSIS
       sc-hsm-tool [OPTIONS]

       The sc-hsm-tool utility can be used from the command line to perform extended maintenance tasks not available via PKCS#11 or other tools in the OpenSC package. It can be used to query the status of a SmartCard-HSM, initialize a device, generate and import Device Key Encryption Key (DKEK) shares and to wrap and unwrap keys.

OPTIONS
       --initialize, -X
           Initialize token, removing all existing keys, certificates and files.

           Use --so-pin to define SO-PIN for first initialization or to verify in subsequent initializations.

           Use --pin to define the initial user pin value.

           Use --pin-retry to define the maximum number of wrong user PIN presentations.

           Use with --dkek-shares to enable key wrap / unwrap.

       --create-dkek-share filename, -C filename
           Create a DKEK share encrypted under a user supplied password and saved to the file given as parameter.

           Use --password to provide a password for encryption rather than prompting for one.

       --import-dkek-share filename, -I filename
           Prompt for user password, read and decrypt DKEK share and import into SmartCard-HSM.

           Use --password to provide a password for decryption rather than prompting for one.

       --wrap-key filename, -W filename
           Wrap the key referenced in --key-reference and save it together with the key description and certificate to the given file.

           Use --pin to provide the user PIN on the command line.

       --unwrap-key filename, -U filename
           Read wrapped key, description and certificate from file and import into SmartCard-HSM under the key reference given in --key-reference.

           Determine the key reference using the output of pkcs15-tool -D.

           Use --pin to provide a user PIN on the command line.

           Use --force to remove any key, key description or certificate in the way.

       --dkek-shares number-of-shares, -s number-of-shares
           Define the number of DKEK shares to use for recreating the DKEK.

           This is an optional parameter. Using --initialize without --dkek-shares will disable the DKEK completely.

           Using --dkek-shares with 0 shares requests the SmartCard-HSM to generate a random DKEK. Keys wrapped with this DKEK can only be unwrapped in the same SmartCard-HSM.

           After using --initialize with one or more DKEK shares, the SmartCard-HSM will remain in the initialized state until all DKEK shares have been imported. During this phase no new keys can be generated or imported.

       --so-pin value
           Define SO-PIN for initialization.

       --pin value
           Define user PIN for initialization, wrap or unwrap operation.

       --pin-retry value
           Define number of PIN retries for user PIN during initialization. Default is 3.

       --password value
           Define password for DKEK share encryption.

       --force
           Force removal of existing key, description and certificate.

       --reader num, -r num
           Use the given reader number. The default is 0, the first reader in the system.

       --wait, -w
           Wait for a card to be inserted

       --verbose, -v
           Causes sc-hsm-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

EXAMPLES
       Create a DKEK share:

       sc-hsm-tool --create-dkek-share dkek-share-1.pbe

       Initialize SmartCard-HSM to use a single DKEK share:

       sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 --dkek-shares 1

       Import DKEK share:

       sc-hsm-tool --import-dkek-share dkek-share-1.pbe

       Wrap referenced key, description and certificate:

       sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1 --pin 648219

       Unwrap key into the same or a different SmartCard-HSM with the same DKEK:

       sc-hsm-tool --unwrap-key wrap-key.bin --key-reference 10 --pin 648219 --force

SEE ALSO
       opensc-tool(1)

opensc                                06/17/2014                                SC-HSM-TOOL(1)
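
Values given to --pin, --so-pin and --password become part of the process argument list and can end up in shell history and process listings. The following is an added example, not part of the OpenSC man page: it scans recorded command lines for sc-hsm-tool invocations that pass those values inline. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sc-hsm-tool invocations that carry secrets in argv.
# Input:  one command line per input line (e.g. shell history or
#         process-audit records; the source of the lines is an assumption).
# Output: "<line-number> <option>" for every secret option given inline.
find_inline_secrets() {
    awk '
    {
        is_tool = 0
        for (i = 1; i <= NF; i++) {
            # Match by basename so /usr/bin/sc-hsm-tool is recognised too.
            if ($i ~ /(^|\/)sc-hsm-tool$/) { is_tool = 1; continue }
            if (!is_tool) continue
            opt = $i
            sub(/=.*/, "", opt)   # accept --pin=VALUE as well as --pin VALUE
            # Exact comparison: --pin-retry is not a secret and must not match.
            if (opt != "--pin" && opt != "--so-pin" && opt != "--password") continue
            # A value is inline if attached with "=" or if the next word
            # exists and is not itself an option.
            if ($i ~ /=/ || (i < NF && $(i + 1) !~ /^-/)) print NR, opt
        }
    }'
}

# Constructed sample: lines 1-3 are commands from the EXAMPLES section,
# lines 4-6 are made-up variants used to exercise the matcher.
sample_cmdlines() {
    cat <<'EOF'
sc-hsm-tool --create-dkek-share dkek-share-1.pbe
sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 --dkek-shares 1
sc-hsm-tool --import-dkek-share dkek-share-1.pbe
/usr/bin/sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1 --pin=648219
sc-hsm-tool --initialize --pin-retry 3 --dkek-shares 1
pkcs15-tool -D
EOF
}

sample_cmdlines | find_inline_secrets
```

Any PIN or password reported this way should be treated as exposed and changed on the device.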