Worked examples

Below is an example generating a key, creating a bundle and verifying the bundle for a recoverable RSA key.

$ generatekey -b simple protect=token type=RSA ident=rsaexample
key generation parameters:
 operation    Operation to perform               generate
 application  Application                        simple
 protect      Protected by                       token
 slot         Slot to read cards from            0
 recovery     Key recovery                       yes
 verify       Verify security of key             yes
 type         Key type                           RSA
 size         Key size                           2048
 pubexp       Public exponent for RSA key (hex)
 ident        Key identifier                     rsaexample
 plainname    Key name
 nvram        Blob in NVRAM (needs ACS)          no

Loading `sampleocs':
 Module 1: 0 cards of 1 read
 Module 1 slot 0: `sampleocs' #1
 Module 1 slot 0:- passphrase supplied - reading card
Card reading complete.

Key successfully generated.
Path to key: /opt/nfast/kmdata/local/key_simple_rsaexample
$ nfkmattest bundle simple rsaexample
$ nfkmattest verify key_simple_rsaexample.att
{
  "path": "key_simple_rsaexample.att",
  "protection": "cardset",
  "recovery": true,
  "type": "RSAPublic",
  "permissions": [
    "sign",
    "decrypt",
    "unwrap"
  ],
  "k": {
    "type": "RSAPublic",
    "data": {
      "e": "AQAB",
      "n": "514JPs/SdZ7viCuXidF/IkI/13PLsu3GfKp8YgmQ5P5qK/mWRcMPeQ0ZO8SQK9BsoKf+/Shhxn081TxP3n8U4o7D94BxRfcpht02nk3mmQvDm0aNdzV9cBBec7Jk0ipegAgjQm+KfF8dbWtCbmvki7Eg2jcscCaT5qo9n0XhwXLYhmVG8CdqGrPYQR3CVstzjv+uTc+vofmii29S6D4uYG/z9kWDyym3XUKmvjwGAEt2kyZ7BVxeP+tahIkLnvglFJuYKIEF3I86+2UKem8hJa1tTxkXsWuGA0ShsXikV67uJmXMG0Ablx9HmmFdUQ5FL/Gs9ETEA1ZMjX2WEidx3w=="
    }
  }
}

Below is an example of the same process for a non-recoverable PKCS#11 ECDSA key. The key can be generated using the nShield PKCS#11 API but generatekey is used here for brevity.

$ generatekey -b pkcs11 protect=token type=ECDSA plainname=ecdsaexample
key generation parameters:
 operation    Operation to perform       generate
 application  Application                pkcs11
 protect      Protected by               token
 slot         Slot to read cards from    0
 recovery     Key recovery               no
 verify       Verify security of key     yes
 type         Key type                   ECDSA
 plainname    Key name                   ecdsaexample
 nvram        Blob in NVRAM (needs ACS)  no
 curve        Elliptic curve             NISTP256

Loading `sampleocs':
 Module 1: 0 cards of 1 read
 Module 1 slot 0: `sampleocs' #1
 Module 1 slot 0:- passphrase supplied - reading card
Card reading complete.

Key successfully generated.
Path to key: /opt/nfast/kmdata/local/key_pkcs11_uc3f8abff09207a68ead2a0176ba7aee425370eab1-04b5c0582d4371e4ac7e370723398e469441427c
$ nfkmattest bundle pkcs11 uc3f8abff09207a68ead2a0176ba7aee425370eab1-04b5c0582d4371e4ac7e370723398e469441427c -o key_pkcs11_ecdsaexample.att
$ nfkmattest verify key_pkcs11_ecdsaexample.att
{
  "path": "key_pkcs11_ecdsaexample.att",
  "protection": "cardset",
  "recovery": false,
  "type": "ECDSAPublic",
  "permissions": [
    "sign"
  ],
  "k": {
    "type": "ECDSAPublic",
    "data": {
      "curve": {
        "name": "NISTP256"
      },
      "Q": {
        "flags": [],
        "x": "EhCTAIWyYL38wdhHM8x60fKIp6rQ3wWp6hj9SWWiW+k=",
        "y": "r1YAfJjH50goy2Ja7u80y1UZwiv7LT84rRH+7p/2EVg="
      }
    }
  }
}