tct2
tct2 [[-S|--sign] | [-P|--pack] | [-E|--encrypt] | [--add-sig] | [--sign-and-pack] | [--print-sigs] | [--unpack-skycert] | [--unpack-sar-payload]] [--sigfile=<NAME> ] [-k|--key=<IDENT>] [[--is-machine] |[--machine-key=<HASH>]| [--machinekey-ident=<IDENT> ] [-T|--machine-type=<TYPE>]] [-m|--module=<MODULE> ] [-o|--outfile=<OUTFILE>] [--non-interactive] [--show-metadata] [-v|--verbose] [-q|--quiet] [[-i|--infile=]<INFILE>]
Trusted Code Tool: enables users to sign, pack, and encrypt file archives so that they can be loaded onto an SEE-Ready nShield HSM. tct2 uses keys that are protected by a Security World or an OCS and creates SAR files.
Examples of how tct2 can be used are provided in Example SEE machines.
Encrypted SEE machines are not supported for use with nShield Connect HSMs. When the SEEMachine binary is installed on the Connect itself for automated loading at boot, the SEE Confidentiality key is not available. However, when a client host loads a SEEMachine, it has access to the SEE Confidentiality key and can cause the binary to be decrypted. In this scenario, the Connect works fine with encrypted SEEMachine binaries.
Check the documentation supplied by the application vendor to see if you need to use tct2 to set up and use the application.
Option | Description
---|---
Program options (use exactly one) |
-S, --sign | Creates a signed SAR file
-E, --encrypt | Encrypts the packed SAR file
-P, --pack | Packs the file
--print-sigs | Displays the key hashes used to sign the SAR file
--add-sig | Creates a signature on the file
--sign-and-pack | Creates a signature on the file and packs it in one step
--unpack-sar-payload | Retrieves the payload of the SAR file
Packing and signing options |
--sigfile=<NAME> | File that contains the signature. This option can be repeated to specify multiple signatures.
Machine key specification options for signing operations |
--is-machine | Uses SEE machine signing mode (the file being signed is the SEE machine itself).
--machine-key=<HASH> | Key hash of the SEE machine for which this signature is good.
--machinekey-ident=<IDENT> | Retrieves the hash of key <IDENT> and uses it as the machine key.
-T, --machine-type=<TYPE> | SEE machine type.
Other options |
-i, --infile=<INFILE> | Name of the input file
--non-interactive | Sets non-interactive mode.
-o, --outfile=<OUTFILE> | Name of the output file
-q, --quiet | Decrease the verbosity level. Use repeatedly, for example as -qq
--show-metadata | Shows the image metadata before signing.
-v, --verbose | Increase the verbosity level. Use repeatedly, for example as -vv
Module selection |
-m, --module=<MODULE> | Specifies the module ID of the HSM to use.
Help options |
-h, --help | Displays help for tct2
-u, --usage | Displays a brief usage summary for tct2
-V, --version | Displays the version number of the Security World Software that deploys tct2
Sign with tct2
Use one of the following methods to create a signing key:
- During the KeySafe key-generation process, ensure you select the SEE Code Integrity option.
- When generating the key with the generatekey command-line utility, ensure you select the application type seeinteg.
Signing keys can be DSA or RSA. You can sign a file any number of times using different signing keys.
For information about key application types, see Key application type (APPNAME).
For information about generating keys, see Generating keys.
To create a signature, give a command of the form:
tct2 -S|--sign [-m|--module=<MODULE>] -k|--key=<IDENT> [--machine-key=<HASH> | --machinekey-ident=<IDENT> | --is-machine] -o|--outfile=<OUTFILE> [-i|--infile=]<INFILE>
Use --is-machine when the file being signed is the SEE machine itself. When signing a file that is to be used with a particular SEE machine, identify that machine's signing key with --machine-key=<HASH> or --machinekey-ident=<IDENT>; the signature is then good only for that machine.
If the signing key is protected by an OCS, tct2 prompts you for the passphrase for the inserted card.
Pack with tct2
All files must be packed even if you are not adding signatures. The packing operation must be performed once and only once. Your application vendor may have supplied a pre-packed SAR file.
Packing a file creates a new SAR file. The packed file contains:
- The original file
- Specified signatures, if any.
To pack a file and any signatures, give a command of the form:
tct2 -P|--pack -o|--outfile=<OUTFILE> [-i|--infile=]<INFILE> [sigfile...]
Signature files can also be passed with --sigfile=<NAME>, repeated once per signature.
Encrypt with tct2
Encrypted SEE machines are not currently supported for use with nShield Connects. When the SEEMachine binary is installed on the Connect itself for automated loading at boot, the SEE Confidentiality key is not available. However, when a client host loads a SEEMachine, it has access to the SEE Confidentiality key and can cause the binary to be decrypted. In this scenario, the Connect works fine with encrypted SEEMachine binaries.
Use one of the following methods to create an encryption key:
- During the KeySafe key-generation process, ensure you select the SEE Code Confidentiality option.
- When generating the key with the generatekey command-line utility, ensure you select the application type seeconf.
Encryption keys can be either Triple DES or AES keys. Encryption keys can be protected by the Security World or by a 1/N OCS.
For information about key application types, see Key application type (APPNAME).
For information about generating keys, see the User Guide.
A .sar file can be encrypted only once. The -E option encrypts the packed SAR file, so encrypt after packing and after all signatures have been added, as the final step.
To encrypt a .sar file, use the command:
tct2 -E|--encrypt -k|--key=<IDENT> [-m|--module=<MODULE>] -o|--outfile=<OUTFILE> [-i|--infile=]<INFILE>
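The three procedures above (sign, pack, encrypt) are normally run in that order as one build step. The following wrapper is an added example, not part of the nShield documentation or software: it drives tct2 through sign, pack, --print-sigs and encrypt, and refuses the two mistakes the text warns about (packing a file twice, encrypting something that is not the packed .sar). The key idents seeinteg_demo and seeconf_demo, the file names, module ID 1, and the machine-key hash argument are assumptions for illustration; the .sar name checks are an added guard and only catch the obvious case, since nothing in the file name tells you whether it has already been encrypted.

```shell
#!/bin/sh
# Added example (not from the nShield documentation): walk an SEE machine
# image through the tct2 steps sign -> pack -> print-sigs -> encrypt.
# Key idents, file names and module ID 1 are assumed for illustration.
set -eu

TCT2=${TCT2:-tct2}      # path to the tool; override if it is not on PATH
MODULE=${MODULE:-1}     # HSM module ID for the operations that use a key

# Step 1a: sign the SEE machine binary itself (--is-machine). The input is
# unchanged; the signature is written to $3. Call again with another
# seeinteg key to produce an additional signature for the same file.
sign_machine() {   # infile key-ident outfile
    "$TCT2" --sign --module="$MODULE" --key="$2" --is-machine \
            --outfile="$3" --infile="$1"
}

# Step 1b: sign a file that must only be good for one SEE machine, identified
# by the hash of the key that signed that machine (see print_sigs).
sign_for_machine() {   # infile key-ident machine-key-hash outfile
    "$TCT2" --sign --module="$MODULE" --key="$2" --machine-key="$3" \
            --outfile="$4" --infile="$1"
}

# Step 2: pack the original file plus zero or more signature files into one
# SAR file. Packing happens exactly once, so refuse input that is already
# named as a SAR file (added guard; it catches only the obvious mistake).
pack() {   # infile outfile [sigfile...]
    in=$1; out=$2; shift 2
    case $in in
        *.sar) echo "refusing to pack $in: it is already a .sar file" >&2; return 1 ;;
    esac
    "$TCT2" --pack --outfile="$out" --infile="$in" "$@"
}

# Step 3: show the key hashes that signed a SAR file. One of these hashes is
# what sign_for_machine takes as its machine-key-hash argument.
print_sigs() {   # sarfile
    "$TCT2" --print-sigs --infile="$1"
}

# Step 4: encrypt the packed SAR file with a seeconf key. Only the packed
# file is encrypted, and only once, so this is the final step.
encrypt() {   # sarfile key-ident outfile
    case $1 in
        *.sar) ;;
        *) echo "refusing to encrypt $1: encrypt the packed .sar file" >&2; return 1 ;;
    esac
    "$TCT2" --encrypt --module="$MODULE" --key="$2" \
            --outfile="$3" --infile="$1"
}

# Whole pipeline for one image; run with:  sh build-see.sh --demo
demo() {
    sign_machine seemachine.bin seeinteg_demo seemachine.sig
    pack seemachine.bin seemachine.sar seemachine.sig
    print_sigs seemachine.sar
    encrypt seemachine.sar seeconf_demo seemachine-enc.sar
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

If the seeinteg or seeconf key is OCS-protected, tct2 prompts for the card passphrase during sign_machine, sign_for_machine and encrypt, so run the script from a session with the card inserted; add --non-interactive to the tct2 calls only for keys that can be loaded without a prompt.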