yubikey/pkcs11-tools.md
2024-08-14 23:31:47 +08:00


# PKCS#11 Tools
* OpenSC `pkcs11-tool`, `pkcs15-tool`, etc.
* GnuTLS p11tool
* p11-kit
# PKCS#11 Libraries
```
/Library/OpenSC/lib/opensc-pkcs11.so
/usr/local/lib/libykcs11.dylib
```
# `pkcs11-tool`
```shell
$ pkcs11-tool --module /Library/OpenSC/lib/opensc-pkcs11.so -I
Cryptoki version 3.0
Manufacturer OpenSC Project
Library OpenSC smartcard framework (ver 0.25)
Using slot 0 with a present token (0x0)
```
```shell
$ pkcs11-tool --module /usr/local/lib/libykcs11.dylib --show-info
Cryptoki version 2.40
Manufacturer Yubico (www.yubico.com)
Library PKCS#11 PIV Library (SP-800-73) (ver 2.31)
Using slot 0 with a present token (0x0)
```
List certificates:
```shell
$ pkcs11-tool --list-objects --type cert
```
Read certificate:
```shell
$ pkcs11-tool --read-object --id $CERT_ID --type cert --output-file cert.der
```
List public keys:
```shell
$ pkcs11-tool --list-objects --type pubkey
```
Read public key:
```shell
$ pkcs11-tool --read-object --id $PUBKEY_ID --type pubkey --output-file pubkey.der
```
List private keys:
```shell
$ pkcs11-tool --login --list-objects --type privkey
```
Sign a file (the raw `ECDSA` mechanism does no hashing, so `FILE` must already be a digest of the data):
```shell
$ pkcs11-tool --id $KEY_ID -s -m ECDSA --input-file FILE --output-file FILE.sig
```
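An added example, not part of the original notes: a converter from a raw `r||s` ECDSA signature to the ASN.1 DER `SEQUENCE` that OpenSSL verifies. It assumes `FILE.sig` was written in pkcs11-tool's default `rs` signature format (`--signature-format openssl` makes the tool emit DER directly); the function names and the script name in the comment are illustrative.

```python
"""Convert a raw r||s ECDSA signature into the DER form OpenSSL expects."""


def _der_len(n: int) -> bytes:
    # DER definite length: short form below 128, long form otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(raw: bytes) -> bytes:
    # INTEGER is signed and minimal: drop leading zeros, then add one 0x00
    # back if the top bit is set so the value is not read as negative.
    body = raw.lstrip(b"\x00") or b"\x00"
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def rs_to_der(sig: bytes, curve_bits: int) -> bytes:
    """Encode raw r||s as SEQUENCE { INTEGER r, INTEGER s }."""
    n = (curve_bits + 7) // 8          # 32 for P-256, 48 for P-384
    if len(sig) != 2 * n:
        # A length mismatch usually means the file is already DER
        # or was produced for a different curve.
        raise ValueError(f"expected {2 * n} bytes of r||s, got {len(sig)}")
    r, s = sig[:n], sig[n:]
    if not any(r) or not any(s):
        raise ValueError("r and s must be non-zero")
    content = _der_int(r) + _der_int(s)
    return b"\x30" + _der_len(len(content)) + content


if __name__ == "__main__":
    import sys
    # Hypothetical usage: python3 rs_to_der.py FILE.sig 384 > FILE.sig.der
    with open(sys.argv[1], "rb") as fh:
        sys.stdout.buffer.write(rs_to_der(fh.read(), int(sys.argv[2])))
```
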
# `p11tool`
```shell
$ p11tool --provider=/Library/OpenSC/lib/opensc-pkcs11.so --info
Object 0:
URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=3da*********;token=ha********;id=%01;object=PIV%20AUTH%20pubkey;type=public
Type: Public key (EC/ECDSA-SECP384R1)
Label: PIV AUTH pubkey
Flags: CKA_EXTRACTABLE;
ID: 01
...
```
<br>
# Reference
1. https://developers.yubico.com/yubico-piv-tool/YKCS11/Supported_applications/pkcs11tool.html
1. https://github.com/OpenSC/OpenSC/wiki/Using-pkcs11-tool-and-OpenSSL