The p11ex_cli is a command-line interface for interacting with PKCS#11 cryptographic tokens and modules. It provides a commands for managing slots, objects, and key generation on PKCS#11-compliant hardware security modules (HSMs).
Table of Contents
Installation
The CLI tool is part of the p11ex test applications. To build and run it:
cd test_apps/p11ex_cli
mix deps.get
mix compile
Configuration
Before using the CLI, you need to configure the PKCS#11 module and authentication credentials. This can be done through:
- Environment variables (recommended for automation)
- Command-line options (recommended for interactive use)
Required Configuration
- PKCS#11 Module: Path to the PKCS#11 library (.so or.dylib file)
- Token Label: Label of the token/slot to use
- PIN: Authentication PIN for the token
Global Options
These options are available for all commands:
| Option | Short | Type | Default | Description |
|---|---|---|---|---|
--verbose | -v | boolean | false | Output verbose information |
--module | -m | string | - | Path to PKCS#11 module file |
Token Authentication Options
Available for commands that require token access:
| Option | Short | Type | Default | Description |
|---|---|---|---|---|
--token-label | -l | string | - | Token label to use |
--pin-file | - | string | - | PIN file to use |
p11ex_cli either reads the Token PIN from a file or the environment variable P11EX_PIN
as shown below:
# from environment variable
env P11EX_PIN=1234 p11ex_cli list-objects --module /somewhere/libsofthsm2.so -l Token_0
# from file
echo -n 1234 > /ramdisk/.pin.txt
p11ex_cli list-objects --module /somewhere/libsofthsm2.so -l Token_0Be careful with PIN files: p11ex_cli uses the complete file content including newline characters
as the password.
Output Options
Available for commands that produce output:
| Option | Short | Type | Default | Description |
|---|---|---|---|---|
--output-format | -f | string | text | Output format (json, text) |
Using Environment Variables
For automation and scripts, use environment variables:
export P11EX_MODULE=/usr/lib/softhsm/libsofthsm2.so
export P11EX_PIN=1234
p11ex list-slots
p11ex list-objects -l MyToken seck
Using PIN Files
For enhanced security, store PINs in files:
echo "1234" > /secure/path/pin.txt
chmod 600 /secure/path/pin.txt
p11ex list-objects -m /usr/lib/softhsm/libsofthsm2.so \
-l MyToken \
--pin-file /secure/path/pin.txt \
seck
Commands
list-slots
Lists available PKCS#11 slots and their associated tokens.
Usage:
p11ex list-slots [OPTIONS]
Options:
--with-token/-t(boolean, default: true): List only slots that contain a token
Example Output:
Slot 0:
Description: SoftHSM slot 0
Manufacturer: SoftHSM project
Hardware Version: 2.0
Firmware Version: 2.0
Flags: [:removable_device, :hw_slot]
Token Info:
Label: MyToken
Manufacturer: SoftHSM project
Model: SoftHSM v2
Serial Number: 1234567890
Hardware Version: 2.0
Firmware Version: 2.0
Min. PIN Length: 4
Max. PIN Length: 256
Max. Session Count: 1
Session Count: 0
Max. R/W Session Count: 1
Session R/W Count: 0
Total Private Memory: 65536
Free Private Memory: 65536
Total Public Memory: 65536
Free Public Memory: 65536
UTC Time: 20240101120000Z
Flags: [:rng, :login_required, :user_pin_initialized]list-objects
Lists cryptographic objects (keys, certificates) stored in a token.
Usage:
p11ex list-objects [OPTIONS] <object_type>
Arguments:
object_type(required): Type of objects to listseck: Secret keysprvk: Private keyspubk: Public keys
Options:
- All global and token authentication options
--output-format/-f: Output format (json, text)
Example Usage:
# List all secret keys in text format
p11ex list-objects -m /usr/lib/softhsm/libsofthsm2.so -l MyToken -f text seck
# List all private keys in JSON format
p11ex list-objects -m /usr/lib/softhsm/libsofthsm2.so -l MyToken -f json prvk
Example Output (text format):
Object handle: 1234567890
:cka_class: :cko_secret_key
:cka_key_type: :ck_aes
:cka_label: "MyAESKey"
:cka_id: 48656C6C6F576F726C64
:cka_encrypt: true
:cka_decrypt: true
:cka_token: trueExample Output (JSON format):
{
"handle": 1234567890,
"attribs": [
{"attrib": ":cka_class", "value": ":cko_secret_key"},
{"attrib": ":cka_key_type", "value": ":ck_aes"},
{"attrib": ":cka_label", "value": "MyAESKey"},
{"attrib": ":cka_id", "value": "48656C6C6F576F726C64"},
{"attrib": ":cka_encrypt", "value": "true"},
{"attrib": ":cka_decrypt", "value": "true"},
{"attrib": ":cka_token", "value": "true"}
]
}key-gen-aes
Generates new AES key in the token.
Usage:
p11ex key-gen-aes [OPTIONS] <key_label> <key_length>
Arguments:
key_label(required): Label for the generated keykey_length(required): Key length in bits
Options:
- All global and token authentication options
--key-id: Key ID for the key (hex string, random if not provided)--encrypt: Allow key for encryption (default: true)--decrypt: Allow key for decryption (default: true)--sign: Allow key for signing (default: false)--verify: Allow key for verification (default: false)--wrap: Allow key for wrapping (default: false)--unwrap: Allow key for unwrapping (default: false)--derive: Allow key for deriving (default: false)--extract: Allow key for extracting (default: false)
Example Usage:
# Generate a 256-bit AES key for encryption/decryption
p11ex key-gen-aes -m /usr/lib/softhsm/libsofthsm2.so -l MyToken "MyAESKey" 256
# Generate a key with specific ID and signing capabilities
p11ex key-gen-aes -m /usr/lib/softhsm/libsofthsm2.so -l MyToken \
--key-id 48656C6C6F576F726C64 \
--sign --verify \
"MySigningKey" 256
Example Output:
Generated new key ID: 48656c6c6f576f726c64
Key generated. Object handle: 1234567890abcdefkey-wrap
Wraps (encrypts) a cryptographic key using another key (the wrapping key). The wrapped key is exported as encrypted bytes that can be stored externally or transferred to another token.
Usage:
p11ex key-wrap [OPTIONS] <mechanism> <wrapping_key_ref> <key_ref> <output_file>
Arguments:
mechanism(required): Wrapping mechanism to useckm_aes_key_wrap_pad: AES key wrapping with paddingckm_rsa_pkcs: RSA PKCS#1 v1.5 encryptionckm_rsa_pkcs_oaep: RSA PKCS#1 OAEP encryption
wrapping_key_ref(required): Reference to the wrapping key- Format:
label:name,id:hexstring, orhandle:number - The key must have
CKA_WRAPattribute set to true
- Format:
key_ref(required): Reference to the key to wrap- Format:
label:name,id:hexstring, orhandle:number - The key must have
CKA_EXTRACTABLEattribute set to true
- Format:
output_file(required): Path where wrapped key will be written
Options:
- All global and token authentication options
--output-format/-f: Output format for wrapped key (default: hex)binary: Raw binary formathex: Hexadecimal encoding (lowercase)base64: Base64 encoding
Example Usage:
# Wrap an AES key using another AES key, output as hex
p11ex key-wrap -m /usr/lib/softhsm/libsofthsm2.so -l MyToken \
ckm_aes_key_wrap_pad \
label:MyWrappingKey \
label:MyKeyToWrap \
wrapped_key.hex
# Wrap a private key using RSA public key, output as base64
p11ex key-wrap -m /usr/lib/softhsm/libsofthsm2.so -l MyToken \
--output-format base64 \
ckm_rsa_pkcs_oaep \
label:MyRSAPublicKey \
id:48656c6c6f \
wrapped_key.b64
Example Output:
Wrapped key written to: wrapped_key.hexNotes:
- The wrapping key must be marked with
CKA_WRAP=trueduring key generation - The key to wrap must be marked with
CKA_EXTRACTABLE=trueduring key generation - Supported key combinations depend on the token implementation
- Common use cases:
- Wrapping AES keys with AES keys
- Wrapping RSA/EC private keys with AES keys
- Wrapping AES/RSA keys with RSA public keys
key-unwrap
Unwraps (decrypts) a previously wrapped key and imports it into the token as a new key object.
Usage:
p11ex key-unwrap [OPTIONS] <mechanism> <unwrapping_key_ref> <input_file>
Arguments:
mechanism(required): Unwrapping mechanism (must match the mechanism used for wrapping)ckm_aes_key_wrap_pad: AES key unwrapping with paddingckm_rsa_pkcs: RSA PKCS#1 v1.5 decryptionckm_rsa_pkcs_oaep: RSA PKCS#1 OAEP decryption
unwrapping_key_ref(required): Reference to the unwrapping key- Format:
label:name,id:hexstring, orhandle:number - The key must have
CKA_UNWRAPattribute set to true
- Format:
input_file(required): Path to file containing wrapped key bytes
Options:
- All global and token authentication options
--input-format/-f: Input format for wrapped key (default: hex)binary: Raw binary formathex: Hexadecimal encodingbase64: Base64 encoding
--key-label(required): Label for the unwrapped key--key-id: Key ID for the unwrapped key (hex string, random if not provided)--key-type(required): Type of key being unwrappedaes: AES secret keyrsa: RSA keyec: Elliptic curve key
--key-class(required): Object class of key being unwrappedseck: Secret keyprvk: Private keypubk: Public key
--encrypt: Allow key for encryption (default: false)--decrypt: Allow key for decryption (default: false)--sign: Allow key for signing (default: false)--verify: Allow key for verification (default: false)--wrap: Allow key for wrapping (default: false)--unwrap: Allow key for unwrapping (default: false)--derive: Allow key for key derivation (default: false)--extract: Mark key as extractable (default: false)--token: Store key on token (persistent) (default: true)
Example Usage:
# Unwrap an AES key from hex file
p11ex key-unwrap -m /usr/lib/softhsm/libsofthsm2.so -l MyToken \
--key-label "ImportedAESKey" \
--key-type aes \
--key-class seck \
--encrypt --decrypt \
ckm_aes_key_wrap_pad \
label:MyWrappingKey \
wrapped_key.hex
# Unwrap an RSA private key from base64 file with specific attributes
p11ex key-unwrap -m /usr/lib/softhsm/libsofthsm2.so -l MyToken \
--input-format base64 \
--key-label "ImportedRSAKey" \
--key-id 48656c6c6f \
--key-type rsa \
--key-class prvk \
--sign --decrypt \
ckm_rsa_pkcs_oaep \
label:MyRSAPrivateKey \
wrapped_key.b64
Example Output:
Generated new key ID: a3f2c8d4e5b6f7a8
Key unwrapped successfully
Object handle: 1a2b3c4d5e6f7890Notes:
- The unwrapping key must be marked with
CKA_UNWRAP=trueduring key generation - The unwrapping mechanism must match the wrapping mechanism used
- You must specify the correct key type and class for the unwrapped key
- Key attributes (encrypt, decrypt, sign, etc.) can be set during unwrap
- The unwrapped key is a completely new key object with a new handle
kcv-gen
Generates a Key Check Value (KCV) for one or more secret keys. The KCV is computed by encrypting a block of zeros using AES-ECB mode with the key and taking the first 3 bytes of the result. This provides a quick fingerprint for verifying key integrity.
Usage:
p11ex kcv-gen [OPTIONS] <key_ref...>
Arguments:
key_ref(required, repeatable): Reference(s) to the key(s)- Format:
label:name,id:hexstring, orhandle:number - The key must be a secret key (
CKO_SECRET_KEY) - The key must have
CKA_ENCRYPTcapability set to true - Multiple keys can be specified for batch processing
- Format:
Options:
- All global and token authentication options
--output-format/-f: Output format (json, text)
Example Usage:
# Generate KCV for a single key by label
p11ex kcv-gen -m /usr/lib/softhsm/libsofthsm2.so -l MyToken \
label:MyAESKey
# Generate KCVs for multiple keys
p11ex kcv-gen -m /usr/lib/softhsm/libsofthsm2.so -l MyToken \
label:MyAESKey label:AnotherKey id:48656c6c6f
# Generate KCV with JSON output
p11ex kcv-gen -m /usr/lib/softhsm/libsofthsm2.so -l MyToken \
-f json label:MyAESKey
Example Output (text format):
Key reference: label:MyAESKey
Handle: 1234567890
KCV: 0x48656c
Key reference: label:AnotherKey
Handle: 9876543210
KCV: 0xa3f2c8Example Output (JSON format):
[
{
"ref": "label:MyAESKey",
"result": {
"handle": 1234567890,
"status": "ok",
"kcv": "0x48656c"
}
},
{
"ref": "label:AnotherKey",
"result": {
"handle": 9876543210,
"status": "ok",
"kcv": "0xa3f2c8"
}
}
]Notes:
- The KCV algorithm uses AES-ECB mode to encrypt a zero-filled block and takes the first 3 bytes
- KCVs provide a quick way to verify that a key was correctly loaded or transferred
- Only secret keys can be used for KCV generation
- The key must have encryption capability enabled
- Error status will be shown in the output if key lookup or encryption fails
bench-aes-encrypt-block
Benchmarks AES-CBC encryption performance across various block sizes using parallel sessions. This command is useful for performance testing and capacity planning of PKCS#11 tokens and HSMs.
Usage:
p11ex bench-aes-encrypt-block [OPTIONS] <key_ref>
Arguments:
key_ref(required): Reference to the secret key to use for encryption- Format:
label:name,id:hexstring, orhandle:number - The key must be a secret key (
CKO_SECRET_KEY) - The key must have
CKA_ENCRYPTcapability set to true
- Format:
Options:
- All global and token authentication options
--number-sessions(integer, default: 1): Number of parallel sessions to use for benchmarking--rounds(integer): Number of encryption rounds per block size (overrides config default)
Configuration:
The benchmark uses configuration from config.exs:
block_sizes: List of block sizes to test (default: [32, 256, 1024, 8192, 65536, 262144] bytes)rounds_per_block: Default number of rounds per block size (default: 10)
Example Usage:
# Single session benchmark with default settings
p11ex bench-aes-encrypt-block -m /usr/lib/softhsm/libsofthsm2.so -l MyToken \
label:MyAESKey
# Multi-session benchmark with 4 parallel sessions
p11ex bench-aes-encrypt-block -m /usr/lib/softhsm/libsofthsm2.so -l MyToken \
--number-sessions 4 \
label:MyAESKey
# Custom number of rounds per block size
p11ex bench-aes-encrypt-block -m /usr/lib/softhsm/libsofthsm2.so -l MyToken \
--rounds 20 \
label:MyAESKey
Example Output:
{
"measurements": [
{
"block_size_bytes": 32,
"status": "success",
"average_duration_ms": 0.234,
"rounds": 10
},
{
"block_size_bytes": 256,
"status": "success",
"average_duration_ms": 0.456,
"rounds": 10
},
{
"block_size_bytes": 1024,
"status": "success",
"average_duration_ms": 1.234,
"rounds": 10
},
{
"block_size_bytes": 8192,
"status": "success",
"average_duration_ms": 8.765,
"rounds": 10
},
{
"block_size_bytes": 65536,
"status": "success",
"average_duration_ms": 65.432,
"rounds": 10
},
{
"block_size_bytes": 262144,
"status": "success",
"average_duration_ms": 254.321,
"rounds": 10
}
],
"config": {
"key_ref": "label:MyAESKey",
"number_sessions": 1,
"iv": "0x48656c6c6f576f726c6431323456",
"block_sizes": [32, 256, 1024, 8192, 65536, 262144],
"rounds_per_block": 10
}
}Notes:
- The benchmark uses AES-CBC mode with a random IV generated at the start and reused for all measurements
- Each block size is encrypted multiple times (based on
roundsor configuration), and the average duration is reported - Parallel execution distributes the encryption workload across multiple sessions for better throughput testing
- Measurements include timing information in milliseconds for each block size
- If some measurements fail, the status will be "partial" or "error" with error details included
- The IV used for all encryptions is included in the output for reference
- This command is useful for:
- Performance testing of PKCS#11 tokens
- Capacity planning and throughput estimation
- Comparing encryption performance across different HSMs
- Stress testing with multiple parallel sessions
sign
Signs data with a private key using various signature mechanisms. Supports RSA PKCS#1 v1.5, RSA PSS, ECDSA, and EdDSA (PureEd25519 / PureEd448). The command takes a signature mechanism and a digest mechanism as separate arguments; the digest controls whether input is raw data (hashed by token or by the CLI), an already-computed hash, or (for EdDSA) the full message to sign.
Usage:
p11ex sign [OPTIONS] <mechanism> <digest> <key_ref> <input_file> <output_file>
Arguments:
mechanism(required): Signature mechanism- RSA PKCS#1 v1.5 (hash then sign):
rsa_pkcs— use with digestsha,sha224,sha256,sha384, orsha512; the token hashes the input and signs the DigestInfo. - RSA PKCS#1 v1.5 (pre-hashed input):
rsa_pkcs_sha1,rsa_pkcs_sha224,rsa_pkcs_sha256,rsa_pkcs_sha384,rsa_pkcs_sha512— use with digestnone; input file must contain the hash (e.g. SHA-256 digest). - RSA PSS (hash then sign):
rsa_pkcs_pss— use with digestsha,sha224,sha256,sha384, orsha512; the CLI hashes the input and the token signs with PSS. - RSA PSS (pre-hashed input):
rsa_pkcs_pss_sha,rsa_pkcs_pss_sha224,rsa_pkcs_pss_sha256,rsa_pkcs_pss_sha384,rsa_pkcs_pss_sha512— use with digestnone; input file must contain the hash. - ECDSA:
ecdsa_plain— use with digestnonefor pre-computed hash input, or with digestsha256,sha384, orsha512to have the CLI hash the input before signing. - EdDSA:
eddsaoreddsa_plain— use only with digestnone. The input file is the entire message the token signs (PureEd25519 or PureEd448, depending on the key). Do not usesha*digests; the CLI will reject them.
- RSA PKCS#1 v1.5 (hash then sign):
digest(required): Digest mechanismnone: Input is already a hash (for pre-hashed mechanisms orecdsa_plainwith raw hash), or the full message foreddsa/eddsa_plain.sha,sha224,sha256,sha384,sha512: Hash algorithm when mechanism hashes internally (e.g.rsa_pkcs+sha256) or when the CLI pre-hashes (e.g.rsa_pkcs_pss+sha256, orecdsa_plain+sha256). Not valid for EdDSA.
key_ref(required): Reference to the private key- Format:
label:name,id:hexstring, orhandle:number - The key must be a private key (
CKO_PRIVATE_KEY) withCKA_SIGNset to true.
- Format:
input_file(required): Path to input file (raw data or hash, depending on mechanism and digest).output_file(required): Path to output file for the signature.
Options:
- All global and token authentication options
--format/-f(string, default:bin): Output format for signaturebin: Raw binaryhex: Lowercase hexadecimalbase64: Base64 encoding
Mechanism and digest combinations:
- RSA PKCS#1 v1.5, token hashes:
rsa_pkcswith digestsha|sha224|sha256|sha384|sha512— pass raw data as input. - RSA PKCS#1 v1.5, pre-hashed:
rsa_pkcs_sha1|rsa_pkcs_sha224|…|rsa_pkcs_sha512with digestnone— pass hash bytes as input. - RSA PSS, CLI hashes:
rsa_pkcs_psswith digestsha|…|sha512— pass raw data as input. - RSA PSS, pre-hashed:
rsa_pkcs_pss_sha|…|rsa_pkcs_pss_sha512with digestnone— pass hash bytes as input. - ECDSA, pre-hashed:
ecdsa_plainwith digestnone— input file is the hash (e.g. 32 bytes for SHA-256). - ECDSA, CLI hashes:
ecdsa_plainwith digestsha256|sha384|sha512— pass raw data; CLI hashes it then signs. - EdDSA:
eddsaoreddsa_plainwith digestnone— input file is the full message (raw bytes); signature is raw (64 bytes for Ed25519, 114 bytes for Ed448).
Example Usage:
# Sign raw data with RSA PKCS#1 v1.5 SHA-256 (token hashes)
p11ex sign -m /usr/lib/softhsm/libsofthsm2.so -l MyToken \
rsa_pkcs sha256 \
label:MyRSAPrivateKey \
input_data.dat \
signature.bin
# Sign raw data with RSA PSS SHA-256 (CLI hashes, token signs PSS)
p11ex sign -m /usr/lib/softhsm/libsofthsm2.so -l MyToken \
-f hex \
rsa_pkcs_pss sha256 \
label:MyRSAPrivateKey \
input_data.dat \
signature.hex
# Sign pre-computed hash with RSA PKCS#1 v1.5 (digest none)
p11ex sign -m /usr/lib/softhsm/libsofthsm2.so -l MyToken \
rsa_pkcs_sha256 none \
label:MyRSAPrivateKey \
data_hash.dat \
signature.bin
# Sign pre-computed hash with ECDSA (digest none)
p11ex sign -m /usr/lib/softhsm/libsofthsm2.so -l MyToken \
ecdsa_plain none \
label:MyECPrivateKey \
hash.dat \
signature.bin
# Sign raw data with ECDSA (CLI hashes with SHA-256)
p11ex sign -m /usr/lib/softhsm/libsofthsm2.so -l MyToken \
ecdsa_plain sha256 \
label:MyECPrivateKey \
input_data.dat \
signature.hex
# Sign full message with Ed25519 (digest must be none)
p11ex sign -m /usr/lib/softhsm/libsofthsm2.so -l MyToken \
eddsa none \
label:MyEd25519PrivateKey \
input_data.dat \
signature.bin
# Sign a file and verify with OpenSSL
p11ex export-pubk id:02 > rsa-pubk.pem
dd if=/dev/urandom count=100 bs=1024 of=100kb.bin
p11ex sign rsa_pkcs sha256 id:02 100kb.bin sig.bin
openssl dgst -sha256 -verify rsa-pubk.pem -signature sig.bin 100kb.bin
Example Output:
Signature written to: signature.hexNotes:
- Output format: ECDSA signatures are written as ASN.1 DER: the token’s raw r||s value is converted to a SEQUENCE of two INTEGERs (r, s). RSA signatures are written as raw bytes (PKCS#1 v1.5 or PSS block) with no extra encoding. EdDSA signatures are raw r||s bytes from the token (no ASN.1).
- OpenSSL verification: These formats match what OpenSSL expects. Verify with
openssl dgst -<digest> -verify pubkey.pem -signature sig.bin datafile(use the same digest as when signing). For RSA PKCS#1 v1.5 and ECDSA this is sufficient; for RSA PSS useopenssl pkeyutl -verifywith the matching PSS and digest options. For EdDSA (PureEd25519 / PureEd448) useopenssl pkeyutl -verify -pubin -inkey pubkey.pem -sigfile sig.bin -in datafile -rawin. - For RSA PKCS#1 v1.5 with
rsa_pkcs+ digest, the token performs hashing and signs the DigestInfo; no pre-hashing is done by the CLI. - For RSA PSS and for ECDSA with a digest, the CLI hashes the input (using the given digest) and the token signs the hash.
- For EdDSA, the CLI never pre-hashes: the input file is passed to the token as the message to sign.
- The private key must have
CKA_SIGN=trueand key type must match the mechanism (RSA, EC, or EdDSA). - Input and output are file paths only; stdin/stdout are not supported.
export-pubk
Exports a public key from the token as a PEM-encoded SubjectPublicKeyInfo (SPKI), compatible with OpenSSL and other standard tools.
Usage:
p11ex export-pubk [OPTIONS] <key_ref>
Arguments:
key_ref(required): Reference to the public key- Format:
label:name,id:hexstring, orhandle:number - The key must be a public key (
CKO_PUBLIC_KEY)
- Format:
Options:
- All global and token authentication options
Supported Key Types:
- RSA public keys (
CKK_RSA) - EC public keys (
CKK_EC,CKK_ECDSAand EdDSA)
Output format:
- Output is always PEM. The key is encoded as SubjectPublicKeyInfo (SPKI): algorithm identifier plus key material.
- RSA: algorithm
rsaEncryption(1.2.840.113549.1.1.1), key is DER-encoded RSAPublicKey (modulus and public exponent). - EC: algorithm
id-ecPublicKey(1.2.840.10045.2.1) withnamedCurveparameters, key is the EC point as an OCTET STRING.
Example Usage:
# Export RSA public key to a file
p11ex export-pubk -m /usr/lib/softhsm/libsofthsm2.so -l MyToken \
label:MyRSAPublicKey > pubkey.pem
# Inspect with OpenSSL
p11ex export-pubk -m /usr/lib/softhsm/libsofthsm2.so -l MyToken \
label:MyRSAPublicKey | openssl rsa -pubin -text -noout
p11ex export-pubk -m /usr/lib/softhsm/libsofthsm2.so -l MyToken \
label:MyECPublicKey | openssl ec -pubin -text -noout
# Export then use for signature verification (see sign command)
p11ex export-pubk -m /usr/lib/softhsm/libsofthsm2.so -l MyToken label:MyKey > key.pem
openssl dgst -sha256 -verify key.pem -signature sig.bin datafile
Example Output:
# Command always writes PEM to stdout; redirect to file as needed
p11ex export-pubk -m /usr/lib/softhsm/libsofthsm2.so -l MyToken label:MyKey > key.pem
# PEM uses the standard PUBLIC KEY wrapper
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
-----END PUBLIC KEY-----Notes:
- Output is written to stdout only (redirect to a file as needed). There is no option to output DER or to write to a file directly.
- PEM uses the standard
-----BEGIN PUBLIC KEY-----/-----END PUBLIC KEY-----headers (SubjectPublicKeyInfo). - OpenSSL compatibility: The exported PEM is standard SPKI and can be used with OpenSSL for verification (
openssl dgst -verify,openssl pkeyutl -verify), inspection (openssl rsa -pubin -text -noout,openssl ec -pubin -text -noout), and with other tools (e.g. Pythoncryptography). - For RSA keys, both
CKA_MODULUSandCKA_PUBLIC_EXPONENTmust be readable; if either is inaccessible, the command fails. - For EC keys, both
CKA_EC_PARAMSandCKA_EC_POINTmust be readable; if either is inaccessible, the command fails. - Unsupported key types (e.g. DSA, DH) result in an error.
help
Shows help information for commands.
Usage:
p11ex help [subcommand]
Arguments:
subcommand(optional): Specific command to get help for
Examples:
# Show general usage
p11ex help
# Show help for specific command
p11ex help list-objects
p11ex help key-gen-aes