The cryptsh program offers the ability to access a PKCS#11 implementation via an interactive program. The cryptsh is based on the guile Scheme interpreter, and all functions pertaining to the use of the PKCS#11 module are implemented as Scheme functions.

All functions return a pair of the Cryptoki return code and the output parameters relevant to the function. The latter are detailed in the descriptions of each function. The former is not mentioned when describing the return values of each function; only the cdr of the pair is outlined.

Currently the following functions return only the return code, which I consider a bug and will fix as soon as possible: C-Initialize.

The version structures returned by some functions are mapped into a pair.

The GetFunctionList function is not supported by the cryptsh, as it is called internally when the cryptsh is started.
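The return convention above in use, as an added example that is not part of cryptsh or gpkcs11: a checker that unwraps the (return-code . outputs) pair, tolerating the bare return code that C-Initialize currently gives, and a walk over the slots holding tokens. It assumes CKR_OK is 0 (as in pkcs11t.h), that the cdr of C-GetSlotList is the list of slot IDs, and that the cdr of C-GetTokenInfo is the element list in the order documented below.

```scheme
;; Added example; it is not part of cryptsh or gpkcs11.  It unwraps the
;; (return-code . outputs) pair that every cryptsh function returns and
;; uses it to list the tokens present.  CKR_OK is 0 in pkcs11t.h.
;; C-Initialize currently returns a bare return code instead of a pair
;; (see the note above), so both shapes are accepted.
(define CKR_OK 0)

(define (ck-check who result)
  (let ((rc (if (pair? result) (car result) result)))
    (if (not (= rc CKR_OK))
        (error "PKCS#11 call failed:" who rc))
    (if (pair? result) (cdr result) '())))

;; Strings in CK_TOKEN_INFO are blank padded, not NUL terminated, so
;; strip trailing blanks before comparing or printing them.
(define (unpad s)
  (let loop ((n (string-length s)))
    (if (and (> n 0) (char=? (string-ref s (- n 1)) #\space))
        (loop (- n 1))
        (substring s 0 n))))

;; Print slot ID, label and manufacturer of every slot holding a token and
;; return the number of such slots.  Assumes the cdr of C-GetSlotList is
;; the list of slot IDs and the cdr of C-GetTokenInfo is the element list
;; in the documented order (label first, manufacturerID second).
(define (list-tokens)
  (ck-check 'C-Initialize (C-Initialize))
  (let ((slots (ck-check 'C-GetSlotList (C-GetSlotList #t))))
    (for-each
     (lambda (slot)
       (let ((info (ck-check 'C-GetTokenInfo (C-GetTokenInfo slot))))
         (display slot) (display ": ")
         (display (unpad (car info))) (display " / ")
         (display (unpad (cadr info))) (newline)))
     slots)
    (ck-check 'C-Finalize (C-Finalize))
    (length slots)))
```

Because ck-check signals an error on the first failing call, C-Finalize is skipped when a token query fails; wrap the body in a handler if the module must always be finalized.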
- Function: C-Initialize
  Initialize the PKCS#11 module. Since the function pointers that are passed to the equivalent C function to set the threading methods are not available in Scheme, these cannot be set by this function.
- Function: C-Finalize
  Shut down the connection to the PKCS#11 module.
- Function: C-GetInfo
  Return information about the PKCS#11 module. The cdr of the return value holds the contents of a CK_INFO structure as a list: the version of the Cryptoki interface, the manufacturer ID padded with blanks to a length of 32 characters, the flags, the library description (also blank padded), and the library version.
- Function: C-GetSlotList tokenp
  Return the list of valid slot IDs. If tokenp is set to #t, only slots that contain tokens are returned; otherwise all slots are listed.
- Function: C-GetSlotInfo slot_int
  Return information about a slot as a list holding the elements of the CK_SLOT_INFO structure. The elements are as follows: slot description, manufacturerID, flags, hardware version, firmware version (for details see section 10.5 of the PKCS#11 standard document).
- Function: C-GetTokenInfo slot_int
  Return information about the token occupying the slot with the given slot ID. A list containing the elements of the CK_TOKEN_INFO structure is returned:
  - label: a string padded with blanks to a length of 32 characters
  - manufacturerID: a string padded with blanks to a length of 32 characters
  - model: a string padded with blanks to a length of 16 characters
  - serialNumber: a string padded with blanks to a length of 16 characters
  - flags: an integer formed by OR-ing the following values:
    CKF_RNG                  | token has its own random number generator
    CKF_WRITE_PROTECTED      | token is write-protected
    CKF_LOGIN_REQUIRED       | user must log in in order to use R/W functions
    CKF_USER_PIN_INITIALIZED | normal user's PIN is set
  - ulMaxSessionCount
  - ulSessionCount
  - ulMaxRwSessionCount
  - ulRwSessionCount
  - ulMaxPinLen
  - ulMinPinLen
  - ulTotalPublicMemory
  - ulFreePublicMemory
  - ulTotalPrivateMemory
  - ulFreePrivateMemory
  - hardwareVersion
  - firmwareVersion
  - utcTime: a string padded with blanks to a length of 16 characters
  More details on the semantics of each element are given in section 8.2 of the PKCS#11 standard document.
- Function: C-WaitForSlotEvent flags_ulong
  Wait for an event on a slot to occur. The function blocks further execution if the flags value is set to zero; if the value is 1, it continues execution even if no event occurred.
- Function: C-GetMechanismList slot_ulong
  Return a list of the mechanism identifiers as defined in pkcs11t.h.
- Function: C-GetMechanismInfo slot_ulong mech_type_ulong
  Return a list of the elements of the CK_MECHANISM_INFO structure: minimum key length, maximum key length, and flags. The flags value is a bit mask built from the following bits:

  Bit Flag              | Mask       | Meaning
  CKF_HW                | 0x00000001 | TRUE if the mechanism is performed by the device; FALSE if the mechanism is performed in software
  CKF_ENCRYPT           | 0x00000100 | TRUE if the mechanism can be used with C_EncryptInit
  CKF_DECRYPT           | 0x00000200 | TRUE if the mechanism can be used with C_DecryptInit
  CKF_DIGEST            | 0x00000400 | TRUE if the mechanism can be used with C_DigestInit
  CKF_SIGN              | 0x00000800 | TRUE if the mechanism can be used with C_SignInit
  CKF_SIGN_RECOVER      | 0x00001000 | TRUE if the mechanism can be used with C_SignRecoverInit
  CKF_VERIFY            | 0x00002000 | TRUE if the mechanism can be used with C_VerifyInit
  CKF_VERIFY_RECOVER    | 0x00004000 | TRUE if the mechanism can be used with C_VerifyRecoverInit
  CKF_GENERATE          | 0x00008000 | TRUE if the mechanism can be used with C_GenerateKey
  CKF_GENERATE_KEY_PAIR | 0x00010000 | TRUE if the mechanism can be used with C_GenerateKeyPair
  CKF_WRAP              | 0x00020000 | TRUE if the mechanism can be used with C_WrapKey
  CKF_UNWRAP            | 0x00040000 | TRUE if the mechanism can be used with C_UnwrapKey
  CKF_DERIVE            | 0x00080000 | TRUE if the mechanism can be used with C_DeriveKey
  CKF_EXTENSION         | 0x80000000 | TRUE if there is an extension to the flags; FALSE if there are no extensions. Must be FALSE for this version
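The flag words of both C-GetTokenInfo and C-GetMechanismInfo can be decoded with the following added example, which is not cryptsh's own code. It assumes CKR_OK is 0 and that C-GetMechanismList and C-GetMechanismInfo return the pairs described above; the mechanism masks are those of the table, while the token flag masks, which the C-GetTokenInfo description does not list, are the pkcs11t.h values.

```scheme
;; Added example; not part of cryptsh or gpkcs11.  Decodes the flag words
;; returned by C-GetTokenInfo and C-GetMechanismInfo and selects the
;; mechanisms a session may use for C-EncryptInit.  Mechanism masks are
;; those of the table above; token flag masks (not listed above) are the
;; pkcs11t.h values.
(define mechanism-flags
  '((CKF_HW . #x00000001)
    (CKF_ENCRYPT . #x00000100)     (CKF_DECRYPT . #x00000200)
    (CKF_DIGEST . #x00000400)      (CKF_SIGN . #x00000800)
    (CKF_SIGN_RECOVER . #x00001000) (CKF_VERIFY . #x00002000)
    (CKF_VERIFY_RECOVER . #x00004000) (CKF_GENERATE . #x00008000)
    (CKF_GENERATE_KEY_PAIR . #x00010000) (CKF_WRAP . #x00020000)
    (CKF_UNWRAP . #x00040000)      (CKF_DERIVE . #x00080000)
    (CKF_EXTENSION . #x80000000)))

(define token-flags
  '((CKF_RNG . #x1) (CKF_WRITE_PROTECTED . #x2)
    (CKF_LOGIN_REQUIRED . #x4) (CKF_USER_PIN_INITIALIZED . #x8)))

;; Symbolic names of all bits of FLAGS that TABLE knows about.
(define (flag-names table flags)
  (let loop ((t table) (acc '()))
    (cond ((null? t) (reverse acc))
          ((zero? (logand flags (cdar t))) (loop (cdr t) acc))
          (else (loop (cdr t) (cons (caar t) acc))))))

(define (flag-set? table name flags)
  (not (zero? (logand flags (cdr (assq name table))))))

;; Mechanisms of SLOT usable with C-EncryptInit and executed on the
;; device (CKF_HW), so the operation runs inside the token.  Assumes
;; CKR_OK is 0 and that the cdr of C-GetMechanismInfo is
;; (min-key-length max-key-length flags) as documented above.
(define (hardware-encrypt-mechanisms slot)
  (let ((res (C-GetMechanismList slot)))
    (if (not (zero? (car res)))
        (error "C-GetMechanismList failed:" (car res)))
    (let loop ((mechs (cdr res)) (acc '()))
      (if (null? mechs)
          (reverse acc)
          (let* ((info (C-GetMechanismInfo slot (car mechs)))
                 (flags (if (zero? (car info)) (caddr (cdr info)) 0)))
            (loop (cdr mechs)
                  (if (and (flag-set? mechanism-flags 'CKF_ENCRYPT flags)
                           (flag-set? mechanism-flags 'CKF_HW flags))
                      (cons (car mechs) acc)
                      acc)))))))
```

Since flags is the fifth element of CK_TOKEN_INFO, (flag-names token-flags (list-ref (cdr (C-GetTokenInfo slot)) 4)) names the token flags, for instance to confirm CKF_LOGIN_REQUIRED before relying on a token to protect private objects.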
- Function: C-InitToken slot_ulong pin_string label_string
  (Re-)Set the token with a new PIN and label. The strings may be any sequence of bytes, but this may lead to problems in other applications.
- Function: C-InitPin session_ulong pin_string
- Function: C-SetPin session_ulong oldpin_string newpin_string
- Function: C-OpenSession slot_ulong flags_ulong
  Returns the session handle.
- Function: C-CloseSession handle_ulong
- Function: C-CloseAllSessions slot_ulong
- Function: C-GetSessionInfo session_ulong
- Function: C-GetOperationState session_ulong null_data
- Function: C-SetOperationState session state enc_key auth_key
- Function: C-Login session_ulong user_ulong pin_string
- Function: C-Logout session_ulong
- Function: C-CreateObject session_ulong attribs_list
- Function: C-CopyObject session_ulong object_ulong template_list
- Function: C-DestroyObject session_ulong object_ulong
- Function: C-GetObjectSize session_ulong object_ulong
- Function: C-GetAttributeValue session_ulong object_ulong attr_list
  The attr_list must contain the list of attribute type IDs that the function shall look up. The function returns a pair of the error code and a list of two-element lists. Each of these tuples contains one attribute type ID and its corresponding value.
- Function: C-SetAttributeValue session_ulong object_ulong template_list
  The template_list must contain a list of two-element lists. Each of these tuples contains an attribute type ID and its value.
- Function: C-FindObjectsInit session_ulong attribs_list
- Function: C-FindObjects session_ulong
- Function: C-FindObjectsFinal session_ulong
- Function: C-EncryptInit session_ulong mechanism_list key_ulong
- Function: C-Encrypt session_ulong data_string null_data
- Function: C-EncryptUpdate session_ulong data_string null_data
- Function: C-EncryptFinal session_ulong null_data
- Function: C-DecryptInit session_ulong mechanism_list key_ulong
- Function: C-Decrypt session_ulong data_string null_data
- Function: C-DecryptUpdate session_ulong data_string null_data
- Function: C-DecryptFinal session_ulong null_data
- Function: C-DigestInit session_ulong mechanism_list
- Function: C-Digest session_ulong data_string null_data
- Function: C-DigestUpdate session_ulong data_string
- Function: C-DigestKey session_ulong key_ulong
- Function: C-DigestFinal session_ulong null_data
- Function: C-SignInit session_ulong mechanism_list key_ulong
- Function: C-Sign session_ulong data_string null_data
- Function: C-SignUpdate session_ulong data_string
- Function: C-SignFinal session_ulong null_data
- Function: C-SignRecoverInit session_ulong mechanism_list key_ulong
- Function: C-SignRecover session_ulong data_string null_data
- Function: C-VerifyInit session_ulong mechanism_list key_ulong
- Function: C-Verify session data_string signature_string
- Function: C-VerifyUpdate session_ulong part_string
- Function: C-VerifyFinal session_ulong signature_string
- Function: C-VerifyRecoverInit session_ulong mechanism_list key_ulong
- Function: C-VerifyRecover session_ulong signature_string null_data
- Function: C-DigestEncryptUpdate session part null_data
- Function: C-DecryptDigestUpdate session enc_part null_data
- Function: C-SignEncryptUpdate session part null_data
- Function: C-DecryptVerifyUpdate session enc_part null_data
- Function: C-GenerateKey session mechanism template
  Generate a new key. session is the handle of the session to be used, mechanism is a list of values in the order of definition given for the mechanism structure, and template is a list of pairs that give default values for attributes of the object to be created.
  The function returns a pair of the value returned by the PKCS#11 C function and the handle of the key that was created. If the return value is not CKR_OK (0), the handle of the key is set to 0.
- Function: C-GenerateKeyPair session mechanism public_template private_template
  Generate a new pair of private and public keys. session provides the handle of the session in which this pair is created, and mechanism states the mechanism to be used; for valid mechanisms please check the standard. public_template and private_template are lists of pairs that give default values for attributes of the public and private key respectively.
  The function returns a pair of the value returned by the PKCS#11 C function and a pair of the public and the private key.
- Function: C-WrapKey session mech_list wrapper wrappee null_data
- Function: C-UnwrapKey session mechanism unwrapper wrapped template
- Function: C-DeriveKey session mechanism base_key template
- Function: C-SeedRandom session_ulong seed_string
- Function: C-GenerateRandom session_ulong len_ulong
- Function: C-GetFunctionStatus session
- Function: C-CancelFunction session
These functions aid in handling certificates or require the use of an ASN.1 parser. They call code in the OpenSSL library more or less directly.
- Function: create-cert-req session key subject file
  Create a new certificate. The function PEM-encodes the data and writes it to a file; the filename is given as the last parameter.