diff --git a/doc/tools/pkcs11-tool.1.xml b/doc/tools/pkcs11-tool.1.xml index 576999daac..3218e1e90d 100644 --- a/doc/tools/pkcs11-tool.1.xml +++ b/doc/tools/pkcs11-tool.1.xml @@ -707,6 +707,9 @@ Examples + Perform a basic functionality test of the card: + pkcs11-tool --test --login + To list all certificates on the smart card: pkcs11-tool --list-objects --type cert @@ -727,6 +730,16 @@ Generate new extractable RSA Key pair: pkcs11-tool --login --keypairgen --key-type RSA:2048 --extractable + Generate an elliptic curve key pair with OpenSSL and import it to the card as $ID: + openssl genpkey -out EC_private.der -outform DER \ + -algorithm EC -pkeyopt ec_paramgen_curve:P-521 +pkcs11-tool --write-object EC_private.der --id "$ID" \ + --type privkey --label "EC private key" -p "$PIN" +openssl pkey -in EC_private.der -out EC_public.der \ + -pubout -inform DER -outform DER +pkcs11-tool --write-object EC_public.der --id "$ID" \ + --type pubkey --label "EC public key" -p $PIN + List private keys: pkcs11-tool --login --list-objects --type privkey @@ -737,12 +750,21 @@ The same is also possible by piping the data from stdin rather than specifying a input file: dd if=data bs=128 count=1 | pkcs11-tool --sign --id ID --mechanism RSA-PKCS --pin=$PIN > data.sig + Verify the signed data: +pkcs11-tool --id ID --verify -m RSA-PKCS --input-file data --signature-file data.sig + To encrypt file using the AES key with ID 85 and using mechanism AES-CBC with padding: pkcs11-tool --login --encrypt --id 85 -m AES-CBC-PAD \ --iv "00000000000000000000000000000000" \ -i file.txt -o encrypted_file.data + Decipher the encrypted file: +pkcs11-tool --login --decrypt --id 85 -m AES-CBC-PAD \ + --iv "00000000000000000000000000000000" \ +--i encrypted_file.data -o decrypted.txt + + Use the key with ID 75 using mechanism AES-CBC-PAD, with initialization vector "00000000000000000000000000000000" to wrap the key with ID 76 into output file exported_aes.key
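Review bot: In the EC import example (hunk @@ -727,6 +730,16), the last pkcs11-tool line passes `-p $PIN` unquoted, while the private-key import two commands earlier uses `-p "$PIN"`. Quote it the same way so a PIN containing whitespace or glob characters is not split or expanded by the shell. The example also leaves the unencrypted private key in EC_private.der on disk after the import, so consider adding a sentence telling the reader to delete that file once the key is on the card.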
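Review bot: In the new decrypt example (hunk @@ -737,12 +750,21), the final added line reads `--i encrypted_file.data -o decrypted.txt`, but the encrypt example directly above it uses `-i file.txt`. The doubled dash looks like a typo; the line should probably read `-i encrypted_file.data -o decrypted.txt` so that the documented command matches the short option used in the encrypt step.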