* it into a zone file.
*
* usage:
- * pkcs11-keygen [-P] [-m module] [-s slot] -b keysize -l label [-p pin]
+ * pkcs11-keygen [-P] [-m module] [-s slot] [-e] -b keysize
+ * -l label [-i id] [-p pin]
*
*/
CK_ULONG modulusbits = 0;
CK_CHAR *label = NULL;
CK_OBJECT_HANDLE privatekey, publickey;
- CK_BYTE public_exponent[3];
+ CK_BYTE public_exponent[5];
+ CK_ULONG expsize = 3;
int error = 0;
int c, errflg = 0;
int hide = 1;
+ int idlen = 0;
+ unsigned long id = 0;
+ CK_BYTE idbuf[4];
CK_ULONG ulObjectCount;
/* Set search template */
CK_ATTRIBUTE search_template[] = {
{CKA_VERIFY, &truevalue, sizeof (truevalue)},
{CKA_TOKEN, &truevalue, sizeof (truevalue)},
{CKA_MODULUS_BITS, &modulusbits, sizeof (modulusbits)},
- {CKA_PUBLIC_EXPONENT, &public_exponent, sizeof (public_exponent)}
+ {CKA_PUBLIC_EXPONENT, &public_exponent, expsize},
+ {CKA_ID, &idbuf, idlen}
};
+ CK_ULONG publickey_attrcnt = 6;
CK_ATTRIBUTE privatekey_template[] = {
{CKA_LABEL, NULL_PTR, 0},
{CKA_SIGN, &truevalue, sizeof (truevalue)},
{CKA_TOKEN, &truevalue, sizeof (truevalue)},
{CKA_PRIVATE, &truevalue, sizeof (truevalue)},
{CKA_SENSITIVE, &truevalue, sizeof (truevalue)},
- {CKA_EXTRACTABLE, &falsevalue, sizeof (falsevalue)}
+ {CKA_EXTRACTABLE, &falsevalue, sizeof (falsevalue)},
+ {CKA_ID, &idbuf, idlen}
};
+ CK_ULONG privatekey_attrcnt = 7;
extern char *optarg;
extern int optopt;
- while ((c = getopt(argc, argv, ":Pm:s:b:i:l:p:")) != -1) {
+ while ((c = getopt(argc, argv, ":Pm:s:b:ei:l:p:")) != -1) {
switch (c) {
case 'P':
hide = 0;
case 's':
slot = atoi(optarg);
break;
+ case 'e':
+ expsize = 5;
+ break;
case 'b':
modulusbits = atoi(optarg);
break;
case 'l':
label = (CK_CHAR *)optarg;
break;
+ case 'i':
+ id = strtoul(optarg, NULL, 0);
+ idlen = 4;
+ break;
case 'p':
pin = (CK_UTF8CHAR *)optarg;
break;
}
if ((errflg) || (!modulusbits) || (!label)) {
fprintf(stderr,
- "usage: pkcs11-keygen [-P] [-m module] [-s slot] "
- "-b keysize -l label [-p pin]\n");
+ "usage: pkcs11-keygen "
+ "[-P] [-m module] [-s slot] [-e] -b keysize\n"
+ " "
+ "-l label [-i id] [-p pin]\n");
exit(2);
}
privatekey_template[0].pValue = label;
privatekey_template[0].ulValueLen = strlen((char *)label);
- /* Set public exponent to 65537 */
+ /* Set public exponent to F4 or F5 */
public_exponent[0] = 0x01;
public_exponent[1] = 0x00;
- public_exponent[2] = 0x01;
+ if (expsize == 3)
+ public_exponent[2] = 0x01;
+ else {
+ publickey_template[4].ulValueLen = expsize;
+ public_exponent[2] = 0x00;
+ public_exponent[3] = 0x00;
+ public_exponent[4] = 0x01;
+ }
/* Set up mechanism for generating key pair */
genmech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
genmech.pParameter = NULL_PTR;
genmech.ulParameterLen = 0;
+ if (idlen == 0) {
+ publickey_attrcnt--;
+ privatekey_attrcnt--;
+ } else if (id <= 0xffff) {
+ idlen = 2;
+ publickey_template[5].ulValueLen = idlen;
+ privatekey_template[6].ulValueLen = idlen;
+ idbuf[0] = id >> 8;
+ idbuf[1] = id & 0xff;
+ } else {
+ idbuf[0] = id >> 24;
+ idbuf[1] = (id >> 16) & 0xff;
+ idbuf[2] = (id >> 8) & 0xff;
+ idbuf[3] = id & 0xff;
+ }
+
/* Initialize the CRYPTOKI library */
rv = C_Initialize(NULL_PTR);
}
/* Generate Key pair for signing/verifying */
- rv = C_GenerateKeyPair(hSession, &genmech, publickey_template,
- (sizeof (publickey_template) /
- sizeof (CK_ATTRIBUTE)),
- privatekey_template,
- (sizeof (privatekey_template) /
- sizeof (CK_ATTRIBUTE)),
+ rv = C_GenerateKeyPair(hSession, &genmech,
+ publickey_template, publickey_attrcnt,
+ privatekey_template, privatekey_attrcnt,
&publickey, &privatekey);
if (rv != CKR_OK) {
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
- [<!ENTITY mdash "—">]>
+ [<!ENTITY mdash "—">]>
<!--
- Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
-
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: pkcs11-keygen.docbook,v 1.2 2009/10/05 12:07:08 fdupont Exp $ -->
+<!-- $Id: pkcs11-keygen.docbook,v 1.3 2009/10/05 12:23:11 fdupont Exp $ -->
<refentry id="man.pkcs11-keygen">
<refentryinfo>
<date>Sep 18, 2009</date>
<arg><option>-P</option></arg>
<arg><option>-m <replaceable class="parameter">module</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
+ <arg><option>-e</option></arg>
<arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
<arg choice="req">-l <replaceable class="parameter">label</replaceable></arg>
+ <arg><option>-i <replaceable class="parameter">id</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>-e</term>
+ <listitem>
+ <para>
+ Use a large exponent.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>-b <replaceable class="parameter">keysize</replaceable></term>
<listitem>
<listitem>
<para>
Create key objects with the given label.
+ This name must be unique.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-i <replaceable class="parameter">id</replaceable></term>
+ <listitem>
+ <para>
+ Create key objects with id. The id is either
+ an unsigned short 2 byte or an unsigned long 4 byte number.
</para>
</listitem>
</varlistentry>
</citerefentry>,
<citerefentry>
<refentrytitle>pkcs11-destroy</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>dnssec-keyfromlabel</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
</para>
</refsect1>
<refsect1>
<title>CAVEAT</title>
- <para>The public exponent is hard-wired to 65537.</para>
- <para>The command should optionally set the object ID too.</para>
+ <para>Some PKCS#11 providers crash with big public exponent.</para>
</refsect1>
<refsect1>
projects / thirdparty / bind9.git / commitdiff
