"Fossies" - the Fresh Open Source Software Archive

Member "opensc-0.22.0/doc/tools/pkcs11-tool.1.xml" (10 Aug 2021, 21911 Bytes) of package /linux/privat/opensc-0.22.0.tar.gz:



<?xml version="1.0" encoding="UTF-8"?>
<refentry id="pkcs11-tool">
    <refmeta>
        <refentrytitle>pkcs11-tool</refentrytitle>
        <manvolnum>1</manvolnum>
        <refmiscinfo class="productname">OpenSC</refmiscinfo>
        <refmiscinfo class="manual">OpenSC Tools</refmiscinfo>
        <refmiscinfo class="source">opensc</refmiscinfo>
    </refmeta>

    <refnamediv>
        <refname>pkcs11-tool</refname>
        <refpurpose>utility for managing and using PKCS #11 security tokens</refpurpose>
    </refnamediv>

    <refsynopsisdiv>
        <cmdsynopsis>
            <command>pkcs11-tool</command>
            <arg choice="opt"><replaceable class="option">OPTIONS</replaceable></arg>
        </cmdsynopsis>
    </refsynopsisdiv>

    <refsect1>
        <title>Description</title>
        <para>
            The <command>pkcs11-tool</command> utility is used to manage the
            data objects on smart cards and similar PKCS #11 security tokens.
            Users can list and read PINs, keys and certificates stored on the
            token. User PIN authentication is performed for those operations
            that require it.
        </para>
    </refsect1>

    <refsect1>
        <title>Options</title>
        <para>
            <variablelist>
                <varlistentry>
                    <term>
                        <option>--attr-from</option> <replaceable>filename</replaceable>
                    </term>
                    <listitem><para>Extract information from <replaceable>filename</replaceable>
                    (DER-encoded certificate file) and create the corresponding
                    attributes when writing an object to the token. Example: the
                    certificate subject name is used to create the CKA_SUBJECT
                    attribute.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--change-pin</option>,
                        <option>-c</option>
                    </term>
                    <listitem><para>Change the user PIN on the token</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--unlock-pin</option>
                    </term>
                    <listitem><para>Unlock User PIN (without <option>--login</option>
                    unlock in logged in session; otherwise <option>--login-type</option>
                    has to be 'context-specific').</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--hash</option>,
                        <option>-h</option>
                    </term>
                    <listitem><para>Hash some data.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--hash-algorithm</option> <replaceable>mechanism</replaceable>
                    </term>
                    <listitem>
                        <para>
                            Specify hash algorithm used with RSA-PKCS-PSS signature or RSA-OAEP decryption.
                            Allowed values are "SHA-1", "SHA256", "SHA384", "SHA512", and some tokens may
                            also allow "SHA224". Default is "SHA-1".
                        </para>
                        <para>
                            Note that the input to RSA-PKCS-PSS must be exactly as long as the
                            digest of the specified hash algorithm. E.g., for SHA256 the signature input must
                            be exactly 32 bytes long (for mechanisms such as SHA256-RSA-PKCS-PSS there is no
                            such restriction). For RSA-OAEP, the plaintext input size mLen must be
                            at most keyLen - 2 - 2*hashLen. For example, for RSA 3072-bit key and
                            SHA384, the longest plaintext to encrypt with RSA-OAEP is (with all
                            sizes in bytes): 384 - 2 - 2*48 = 286, i.e. 286 bytes.
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--id</option> <replaceable>id</replaceable>,
                        <option>-d</option> <replaceable>id</replaceable>
                    </term>
                    <listitem><para>Specify the id of the object to operate on.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--init-pin</option>
                    </term>
                    <listitem><para>Initializes the user PIN. This option
                    differs from <option>--change-pin</option> in that it sets the user PIN
                    for the first time. Once set, the user PIN can be changed
                    using <option>--change-pin</option>.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--init-token</option>
                    </term>
                    <listitem><para>Initialize a token: set the token label as
                    well as a Security Officer PIN (the label must be specified
                    using <option>--label</option>).</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--input-file</option> <replaceable>filename</replaceable>,
                        <option>-i</option> <replaceable>filename</replaceable>
                    </term>
                    <listitem><para>Specify the path to a file for input.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--keypairgen</option>,
                        <option>-k</option>
                    </term>
                    <listitem><para>Generate a new key pair (public and private key).</para></listitem>
                </varlistentry>
                <varlistentry>
                    <term>
                        <option>--keygen</option>
                    </term>
                    <listitem><para>Generate a new key.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--key-type</option> <replaceable>specification</replaceable>
                    </term>
                    <listitem><para>Specify the type and length (bytes if symmetric) of the key to create,
                    for example RSA:1024, EC:prime256v1, GOSTR3410-2012-256:B,
                    DES:8, DES3:24, AES:16 or GENERIC:64.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--usage-sign</option>
                    </term>
                    <listitem><para>Specify 'sign' key usage flag (sets SIGN in privkey, sets VERIFY in pubkey).</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--usage-decrypt</option>
                    </term>
                    <listitem><para>Specify 'decrypt' key usage flag (RSA only, sets DECRYPT in privkey, sets ENCRYPT in pubkey).</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--usage-derive</option>
                    </term>
                    <listitem><para>Specify 'derive' key usage flag (EC only).</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--usage-wrap</option>
                    </term>
                    <listitem><para>Specify 'wrap' key usage flag.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--label</option> <replaceable>name</replaceable>,
                        <option>-a</option> <replaceable>name</replaceable>
                    </term>
                    <listitem><para>Specify the name of the object to operate on
                    (or the token label when <option>--init-token</option>
                    is used).</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--list-mechanisms</option>,
                        <option>-M</option>
                    </term>
                    <listitem><para>Display a list of mechanisms supported by the token.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--list-objects</option>,
                        <option>-O</option>
                    </term>
                    <listitem><para>Display a list of objects.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--list-slots</option>,
                        <option>-L</option>
                    </term>
                    <listitem><para>Display a list of available slots on the token.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--list-token-slots</option>,
                        <option>-T</option>
                    </term>
                    <listitem><para>List slots with tokens.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--list-interfaces</option>
                    </term>
                    <listitem><para>List interfaces of PKCS #11 3.0 library.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--login</option>,
                        <option>-l</option>
                    </term>
                    <listitem><para>Authenticate to the token before performing
                    other operations. This option is not needed if a PIN is
                    provided on the command line.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--login-type</option>
                    </term>
                    <listitem><para>Specify login type ('so', 'user', 'context-specific';
                    default: 'user').</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--mechanism</option> <replaceable>mechanism</replaceable>,
                        <option>-m</option> <replaceable>mechanism</replaceable>
                    </term>
                    <listitem><para>Use the specified <replaceable>mechanism</replaceable>
                    for token operations. See <option>-M</option> for a list
                    of mechanisms supported by your token. The mechanism can also be specified in
                    hexadecimal, e.g., <replaceable>0x80001234</replaceable>.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--mgf</option> <replaceable>function</replaceable>
                    </term>
                    <listitem><para>Use the specified Mask Generation
                    Function (MGF) <replaceable>function</replaceable>
                    for RSA-PKCS-PSS signatures or RSA-OAEP decryptions. Supported arguments are MGF1-SHA1
                    to MGF1-SHA512 if supported by the driver.
                    The default is based on the hash selection.
                    </para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--module</option> <replaceable>mod</replaceable>
                    </term>
                    <listitem><para>Specify a PKCS#11 module (or library) to
                    load.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--moz-cert</option> <replaceable>filename</replaceable>,
                        <option>-z</option> <replaceable>filename</replaceable>
                    </term>
                    <listitem><para>Test a Mozilla-like key pair generation
                    and certificate request. Specify the <replaceable>filename</replaceable>
                    to the certificate file.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--output-file</option> <replaceable>filename</replaceable>,
                        <option>-o</option> <replaceable>filename</replaceable>
                    </term>
                    <listitem><para>Specify the path to a file for output.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--pin</option> <replaceable>pin</replaceable>,
                        <option>-p</option> <replaceable>pin</replaceable>
                    </term>
                    <listitem><para>Use the given <replaceable>pin</replaceable> for
                    token operations. If set to
                    env:<replaceable>VARIABLE</replaceable>, the value of the
                    environment variable <replaceable>VARIABLE</replaceable> is
                    used.</para>
                    <para>WARNING: Be careful using this option,
                    as other users may be able to read the
                    command line from the system, and the PIN
                    is also exposed if it is embedded in a
                    script.</para>
                    <para>This option will also set
                    the <option>--login</option> option.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--puk</option> <replaceable>puk</replaceable>
                    </term>
                    <listitem><para>Supply User PUK on the command line.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--new-pin</option> <replaceable>pin</replaceable>
                    </term>
                    <listitem><para>Supply new User PIN on the command line.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--sensitive</option>
                    </term>
                    <listitem><para>Set the CKA_SENSITIVE attribute (object cannot be revealed in plaintext).</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--extractable</option>
                    </term>
                    <listitem><para>Set the CKA_EXTRACTABLE attribute (object can be extracted).</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--set-id</option> <replaceable>id</replaceable>,
                        <option>-e</option> <replaceable>id</replaceable>
                    </term>
                    <listitem><para>Set the CKA_ID of the object.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--show-info</option>,
                        <option>-I</option>
                    </term>
                    <listitem><para>Display general token information.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--sign</option>,
                        <option>-s</option>
                    </term>
                    <listitem><para>Sign some data.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--decrypt</option>
                    </term>
                    <listitem><para>Decrypt some data.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--derive</option>
                    </term>
                    <listitem><para>Derive a secret key using another key and some data.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--derive-pass-der</option>
                    </term>
                    <listitem><para>For ECDH derivation, pass the DER-encoded pubkey, for compatibility with some PKCS#11 implementations.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--salt-len</option> <replaceable>bytes</replaceable>
                    </term>
                    <listitem><para>Specify how many bytes of salt should
                    be used in RSA-PSS signatures. Accepts two special values:
                    "-1" means the salt length equals the digest length,
                    "-2" means use the maximum permissible length.
                    Default is digest length (-1).</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--slot</option> <replaceable>id</replaceable>
                    </term>
                    <listitem><para>Specify the id of the slot to use.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--slot-description</option> <replaceable>description</replaceable>
                    </term>
                    <listitem><para>Specify the description of the slot to use.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--slot-index</option> <replaceable>index</replaceable>
                    </term>
                    <listitem><para>Specify the index of the slot to use.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--object-index</option> <replaceable>index</replaceable>
                    </term>
                    <listitem><para>Specify the index of the object to use.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--use-locking</option>
                    </term>
                    <listitem><para>Tell pkcs11 module it should use OS thread locking.
                    </para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--test-threads</option> <replaceable>options</replaceable>
                    </term>
                    <listitem><para>Test a pkcs11 module's thread implication. (See source code).
                    </para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--token-label</option> <replaceable>label</replaceable>
                    </term>
                    <listitem><para>Specify the label of the token.
                    The first slot that has an inserted token with this
                    label will be used.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--so-pin</option> <replaceable>pin</replaceable>
                    </term>
                    <listitem><para>Use the given <replaceable>pin</replaceable> as the
                    Security Officer PIN for some token operations (token
                    initialization, user PIN initialization, etc). If set to
                    env:<replaceable>VARIABLE</replaceable>, the value of the
                    environment variable <replaceable>VARIABLE</replaceable> is
                    used. The same warning as <option>--pin</option> also
                    applies here.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--test</option>,
                        <option>-t</option>
                    </term>
                    <listitem><para>Perform some tests on the token. This
                    option is most useful when used with either <option>--login</option>
                    or <option>--pin</option>.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--test-hotplug</option>
                    </term>
                    <listitem><para>Test hotplug capabilities (C_GetSlotList +
                    C_WaitForSlotEvent).</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--private</option>
                    </term>
                    <listitem><para>Set the CKA_PRIVATE attribute (object is only
                    viewable after a login).</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--always-auth</option>
                    </term>
                    <listitem><para>Set the CKA_ALWAYS_AUTHENTICATE attribute to a private key object.
                    If set, the user has to supply the PIN for each use (sign or decrypt) with the key.</para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--allowed-mechanisms</option> <replaceable>mechanisms</replaceable>
                    </term>
                    <listitem><para>Sets the CKA_ALLOWED_MECHANISMS attribute
                    on a key object when importing an object or generating
                    a key. The argument accepts a comma-separated list of
                    algorithms that can be used with the given key.</para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--test-ec</option>
                    </term>
                    <listitem><para>Test EC (best used with the <option>--login</option>
                    or <option>--pin</option> option).</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--test-fork</option>
                    </term>
                    <listitem><para>Test forking and calling C_Initialize() in the
                    child.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--type</option> <replaceable>type</replaceable>,
                        <option>-y</option> <replaceable>type</replaceable>
                    </term>
                    <listitem><para>Specify the type of object to operate on.
                    Valid values are <literal>cert</literal>, <literal>privkey</literal>,
                    <literal>pubkey</literal>, <literal>secrkey</literal>
                    and <literal>data</literal>.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--verbose</option>, <option>-v</option>
                    </term>
                    <listitem><para>Cause <command>pkcs11-tool</command> to be
                    more verbose.</para><para>NB! This does not affect
                    OpenSC debugging level! To set OpenSC PKCS#11 module into debug
                    mode, set the <varname>OPENSC_DEBUG</varname> environment variable to a
                    non-zero number.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--verify</option>
                    </term>
                    <listitem><para>Verify signature of some data.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--read-object</option>,
                        <option>-r</option>
                    </term>
                    <listitem><para>Get object's CKA_VALUE attribute (use with
                    <option>--type</option>).</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--delete-object</option>,
                        <option>-b</option>
                    </term>
                    <listitem><para>Delete an object.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--application-label</option> <replaceable>label</replaceable>
                    </term>
                    <listitem><para>Specify the application label of the data object (use with
                    <option>--type</option> data).</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--application-id</option> <replaceable>id</replaceable>
                    </term>
                    <listitem><para>Specify the application ID of the data object (use with
                    <option>--type</option> data).</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--issuer</option> <replaceable>data</replaceable>
                    </term>
                    <listitem><para>Specify the issuer in hexadecimal format (use with
                    <option>--type</option> cert).</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--subject</option> <replaceable>data</replaceable>
                    </term>
                    <listitem><para>Specify the subject in hexadecimal format (use with
                    <option>--type</option> cert/privkey/pubkey).</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--signature-file</option> <replaceable>filename</replaceable>
                    </term>
                    <listitem><para>The path to the signature file for signature verification.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--signature-format</option> <replaceable>format</replaceable>
                    </term>
                    <listitem><para>Format for ECDSA signature: 'rs' (default),
                    'sequence', 'openssl'.</para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--write-object</option> <replaceable>filename</replaceable>,
                        <option>-w</option> <replaceable>filename</replaceable>
                    </term>
                    <listitem><para>Write a key or certificate object to the token.
                    <replaceable>filename</replaceable> points to the DER-encoded certificate or key file.
                    </para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--generate-random</option> <replaceable>num</replaceable>
                    </term>
                    <listitem><para>Get <replaceable>num</replaceable> bytes of random data.
                    </para></listitem>
                </varlistentry>

                <varlistentry>
                    <term>
                        <option>--allow-sw</option>
                    </term>
                    <listitem><para>Allow using software mechanisms that do not have the CKF_HW flag set.
                    May be required when using software tokens and emulators.
                    </para></listitem>
                </varlistentry>

            </variablelist>
        </para>
    </refsect1>

    <refsect1>
        <title>Examples</title>
        <para>
            To list all certificates on the smart card:
                <programlisting>pkcs11-tool --list-objects --type cert</programlisting>

            To read the certificate with ID <replaceable>KEY_ID</replaceable>
            in DER format from smart card:
                <programlisting>pkcs11-tool --read-object --id KEY_ID --type cert --output-file cert.der</programlisting>

            To convert the certificate in DER format to PEM format, use OpenSSL
            tools:
                <programlisting>openssl x509 -inform DER -in cert.der -outform PEM > cert.pem</programlisting>

            To sign some data stored in file <replaceable>data</replaceable>
            using the private key with ID <replaceable>ID</replaceable> and
            using the RSA-PKCS mechanism:
                <programlisting>pkcs11-tool --sign --id ID --mechanism RSA-PKCS --input-file data --output-file data.sig</programlisting>
        </para>
    </refsect1>

    <refsect1>
        <title>Authors</title>
        <para><command>pkcs11-tool</command> was written by
        Olaf Kirch <email>okir@suse.de</email>.</para>
    </refsect1>

</refentry>
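The size rules given under --hash-algorithm above (RSA-PKCS-PSS input must be exactly one digest long; RSA-OAEP plaintext is at most keyLen - 2 - 2*hashLen), written as a preflight check to run before a file is handed to pkcs11-tool. This is an added example, not part of the man page or of OpenSC; the function names, the key ID 01 and the TOKEN_PIN variable are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not OpenSC code): size preflight for the --hash-algorithm rules.

# Digest length in bytes for each --hash-algorithm value the man page lists.
hash_len() {
    case "$1" in
        SHA-1)  echo 20 ;;
        SHA224) echo 28 ;;
        SHA256) echo 32 ;;
        SHA384) echo 48 ;;
        SHA512) echo 64 ;;
        *) echo "unknown hash algorithm: $1" >&2; return 1 ;;
    esac
}

# Size of a regular file in bytes; fails if the file does not exist.
file_size() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    wc -c < "$1" | tr -d ' '
}

# oaep_max_plaintext KEY_BITS HASH
# Prints the longest RSA-OAEP plaintext in bytes: keyLen - 2 - 2*hashLen.
# Fails when the key is too small for the chosen hash (result would be negative).
oaep_max_plaintext() {
    _hlen=$(hash_len "$2") || return 1
    _klen=$(( ($1 + 7) / 8 ))
    _max=$(( _klen - 2 - 2 * _hlen ))
    if [ "$_max" -lt 0 ]; then
        echo "RSA-$1 is too small for RSA-OAEP with $2" >&2
        return 1
    fi
    echo "$_max"
}

# check_pss_input FILE HASH
# RSA-PKCS-PSS signs a digest computed by the caller, so FILE must be
# exactly hashLen bytes long.
check_pss_input() {
    _hlen=$(hash_len "$2") || return 1
    _size=$(file_size "$1") || return 1
    if [ "$_size" -ne "$_hlen" ]; then
        echo "RSA-PKCS-PSS with $2 needs $_hlen input bytes, got $_size" >&2
        return 1
    fi
}

# check_oaep_input FILE KEY_BITS HASH
# FILE must not be longer than the RSA-OAEP limit for this key and hash.
check_oaep_input() {
    _max=$(oaep_max_plaintext "$2" "$3") || return 1
    _size=$(file_size "$1") || return 1
    if [ "$_size" -gt "$_max" ]; then
        echo "RSA-OAEP ($2, RSA-$2 bits) takes at most $_max bytes, got $_size" >&2
        return 1
    fi
}

# pss_sign_command KEY_ID HASH DIGEST_FILE SIG_FILE
# Prints (does not run) the pkcs11-tool call once the preflight passes.
# TOKEN_PIN is an assumed variable name; env: keeps the PIN out of the
# process arguments, which the --pin warning says other users can read.
pss_sign_command() {
    check_pss_input "$3" "$2" || return 1
    printf 'pkcs11-tool --sign --id %s --mechanism RSA-PKCS-PSS --hash-algorithm %s --input-file %s --output-file %s --pin env:TOKEN_PIN\n' \
        "$1" "$2" "$3" "$4"
}

demo() {
    _dir=$(mktemp -d) || return 1
    # Constructed inputs: 32 zero bytes stand in for a SHA256 digest,
    # 300 zero bytes for an unhashed message.
    dd if=/dev/zero of="$_dir/digest.bin" bs=1 count=32 2>/dev/null
    dd if=/dev/zero of="$_dir/message.bin" bs=1 count=300 2>/dev/null

    pss_sign_command 01 SHA256 "$_dir/digest.bin" "$_dir/data.sig"
    pss_sign_command 01 SHA256 "$_dir/message.bin" "$_dir/data.sig" \
        || echo "rejected: message must be hashed first"
    check_oaep_input "$_dir/message.bin" 3072 SHA384 \
        || echo "rejected: too long for RSA-3072 with SHA384"
    echo "RSA-OAEP limit, RSA-3072 with SHA384: $(oaep_max_plaintext 3072 SHA384) bytes"
    rm -rf "$_dir"
}

demo
```
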