Generating an attestation bundle
An attestation bundle can be generated for a key as follows.
$ nfkmattest bundle [OPTIONS] APPNAME IDENTThe set of certificates and relevant data fields is returned in a JSON-formatted file key_APPNAME_IDENT.att.
An alternative output file path can be specified with the option --output PATH.
If the HSM warrant is stored in a non-default directory, its path can be specified with the option --warrants DIR.
If no HSM warrant is found, see Getting missing warrant.
Bundle details
The possible bundle fields are outlined below.
| Field | Presence | Description |
|---|---|---|
pubkeydata |
Always |
Public key material in nCore format (including any domain parameters) |
kcmsg |
Always |
The key generation certificate body |
kcsig |
Always |
The signature on the key generation certificate under KML |
modstatemsg |
Always |
A module state certificate |
modstatesig |
Always |
The signature on the module state certificate under KLF2. |
warrant |
Always |
The D3S encoding of the generating HSM’s warrant. |
root |
Always |
The name of the warranting root used in this certificate. This will always be KWARN-1 for nShield HSMs. |
knsopub |
Persistent keys |
KNSO public key |
hkre |
Recoverable keys |
Hash of KRE |
hkra |
Recoverable keys |
Hash of KRA |
hkfips |
Persistent keys in FIPS worlds |
Hash of KFIPS |
hkmc |
Persistent keys |
Hash of KMC |
hkm |
Persistent keys |
Hash of KM |
CertKMaKMCbKNSO |
Persistent keys in non-FIPS worlds |
Signature on world binding cert |
CertKMaKMCaKFIPSbKNSO |
Persistent keys in FIPS worlds |
Signature on world binding cert |
CertKREaKRAbKNSO |
Recoverable keys |
Signature on world binding cert |
ciphersuite |
Persistent keys |
Ciphersuite name for security world from the NFKM_CipherSuite enumeration (e.g. DLf3072s256mAEScSP800131Ar1) |