SC-HSM-TOOL(1) OpenSC Tools SC-HSM-TOOL(1)

sc-hsm-tool - smart card utility for SmartCard-HSM

sc-hsm-tool [OPTIONS]

The sc-hsm-tool utility can be used from the command line to perform extended maintenance tasks not available via PKCS#11 or other tools in the OpenSC package. It can be used to query the status of a SmartCard-HSM, initialize a device, generate and import Device Key Encryption Key (DKEK) shares and to wrap and unwrap keys.

--initialize, -X

Initialize token, removing all existing keys, certificates and files.

Use --so-pin to define SO-PIN for first initialization or to verify in subsequent initializations.

Use --pin to define the initial user pin value.

Use --pin-retry to define the maximum number of wrong user PIN presentations.

Use with --dkek-shares to enable key wrap / unwrap.

Use with --label to define a token label

Use with --public-key-auth and --required-pub-keys to require public key authentication for login

--create-dkek-share filename, -C filename

Create a DKEK share encrypted under a password and save it to the file given as parameter.

Use --password to provide a password for encryption rather than prompting for one.

Use --pwd-shares-threshold and --pwd-shares-total to randomly generate a password and split is using a (t, n) threshold scheme.

--import-dkek-share filename, -I filename

Prompt for user password, read and decrypt DKEK share and import into SmartCard-HSM.

Use --password to provide a password for decryption rather than prompting for one.

Use --pwd-shares-total to specify the number of shares that should be entered to reconstruct the password.

--wrap-key filename, -W filename

Wrap the key referenced in --key-reference and save with it together with the key description and certificate to the given file.

Use --pin to provide the user PIN on the command line.

--unwrap-key filename, -U filename

Read wrapped key, description and certificate from file and import into SmartCard-HSM under the key reference given in --key-reference.

Determine the key reference using the output of pkcs15-tool -D.

Use --pin to provide a user PIN on the command line.

Use --force to remove any key, key description or certificate in the way.

--dkek-shares number-of-shares, -s number-of-shares

Define the number of DKEK shares to use for recreating the DKEK.

This is an optional parameter. Using --initialize without --dkek-shares will disable the DKEK completely.

Using --dkek-shares with 0 shares requests the SmartCard-HSM to generate a random DKEK. Keys wrapped with this DKEK can only be unwrapped in the same SmartCard-HSM.

After using --initialize with one or more DKEK shares, the SmartCard-HSM will remain in the initialized state until all DKEK shares have been imported. During this phase no new keys can be generated or imported.

--pin pin, --so-pin sopin,

These options can be used to specify the PIN values on the command line. If the value is set to env:VARIABLE, the value of the specified environment variable is used. By default, the code is prompted on the command line if needed.

Note that on most operation systems, any user can display the command line of any process on the system using utilities such as ps(1). Therefore, you should prefer passing the codes via an environment variable on an unsecured system.

--pin-retry value

Define number of PIN retries for user PIN during initialization. Default is 3.

--bio-server1 value

The hexadecimal AID of of the biometric server for template 1. Switches on the use of the user PIN as session PIN.

--bio-server2 value

The hexadecimal AID of of the biometric server for template 2. Switches on the use of the user PIN as session PIN.

--password value

Define password for DKEK share encryption. If set to env:VARIABLE, the value of the environment variable VARIABLE is used.

--pwd-shares-threshold value

Define threshold for number of password shares required for reconstruction.

--pwd-shares-total value

Define number of password shares.

--force

Force removal of existing key, description and certificate.

--label label, -l label

Define the token label to be used in --initialize.

--reader arg, -r arg

Number of the reader to use. By default, the first reader with a present card is used. If arg is an ATR, the reader with a matching card will be chosen.

--public-key-auth total-number-of-public-keys, -K total-number-of-public-keys

Define the total number of public keys to use for public key authentication when using --initialize. --public-key-auth is optional, but if it's present, it must be used with --required-pub-keys.

When the SmartCard-HSM is initialized with these options, it will require M-of-N public key authentication to be used, where --required-pub-keys sets the M and --public-key-auth sets the N. After the initialization, the user should use --register-public-key to register the N public keys before the SmartCard-HSM can be used.

--required-pub-keys required-number-of-public-keys, -n required-number-of-public-keys

Define the required number of public keys to use for public key authentication when using --initialize. This is the M in M-of-N public key authentication. See --public-key-auth for more information.

--register-public-key input-public-key-file, -g input-public-key-file

Register a public key to be used for M-of-N public key authentication. The file can be exported from a different SmartCard-HSM with --export-for-pub-key-auth. This can only be used when the SmartCard-HSM has been initialized with --public-key-auth and --required-pub-keys and fewer than N public keys have been registered. Use --public-key-auth-status to check the how many public keys have been registered.

--export-for-pub-key-auth output-public-key-file, -e output-public-key-file

Export a public key to be used for M-of-N public key authentication. This should be used with --key-reference to choose the key to export. The file should be registered on another SmartCard-HSM using --register-public-key.

--public-key-auth-status -S

Print the public key authentication status. This is only valid if the SmartCard-HSM was initialized to use M-of-N public key authentication.

--wait, -w

Wait for a card to be inserted

--verbose, -v

Causes sc-hsm-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

Create a DKEK share:

sc-hsm-tool --create-dkek-share dkek-share-1.pbe

Create a DKEK share with random password split up using a (3, 5) threshold scheme:

sc-hsm-tool --create-dkek-share dkek-share-1.pbe --pwd-shares-threshold 3 --pwd-shares-total 5

Initialize SmartCard-HSM to use a single DKEK share:

sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 --dkek-shares 1 --label mytoken

Import DKEK share:

sc-hsm-tool --import-dkek-share dkek-share-1.pbe

Import DKEK share using a password split up using a (3, 5) threshold scheme for encryption:

sc-hsm-tool --import-dkek-share dkek-share-1.pbe --pwd-shares-total 3

Wrap referenced key, description and certificate:

sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1 --pin 648219

Unwrap key into same or in different SmartCard-HSM with the same DKEK:

sc-hsm-tool --unwrap-key wrap-key.bin --key-reference 10 --pin 648219 --force

Initialize SmartCard-HSM to use M-of-N public key authentication with M=2 and N=5

sc-hsm-tool --initialize --required-pub-keys 2 --public-key-auth 5

Export a public key for M-of-N public key authentication to a file

sc-hsm-tool --key-reference 1 --export-for-pub-key-auth ./public_key1.asn1

Register a public key for M-of-N public key authentication from a file

sc-hsm-tool --register-public-key ./public_key1.asn1

opensc-tool(1)

sc-hsm-tool was written by Andreas Schwier <andreas.schwier@cardcontact.de>.

12/13/2023 opensc