pkcscca - Man Page

configuration utility for the CCA token

Synopsis

Version Migration

pkcscca [-m v2objectsv3] [OPTIONS]

Key Migration

pkcscca [-m keys] [-s SLOTID] [-k aes|apka|asym|sym] [OPTIONS]

Old RSA Key Migration

pkcscca [-m oldrsakeys] [-s SLOTID] [OPTIONS]

Description

The pkcscca utility assists in administering the CCA token.

In version 2 of opencryptoki, CCA private token objects were encrypted in CCA hardware. In version 3 these objects are encrypted in software. The v2objectsv3 migration option migrates these v2 objects by decrypting them in CCA hardware using a secure key and then re-encrypting them in software using a software key. Afterwards, v2 objects can be accessed in version 3.

There may be situations where CCA master keys must be changed. All CCA secret and private keys are wrapped with a master key, so after a CCA master key is changed, keys wrapped with the old master key must be re-wrapped with the current master key before they can be used again. The keys migration option migrates these wrapped keys by unwrapping them with the old master key and wrapping them with the current master key.

Up to opencryptoki version 3.14.0, RSA keys were created using the RSA-CRT key token format (private key section X'08'). RSA-CRT keys are encrypted with the CCA ASYM master key and cannot be used with certain mechanisms, e.g. RSA-PSS or RSA-OAEP. Newer opencryptoki versions create RSA keys using the RSA-AESC key token format (private key section X'31'). Up to version 3.16.0, RSA public key objects also contained the full CCA secure key token, including the private key section (which is encrypted by the CCA master key). The oldrsakeys migration option migrates old RSA private key tokens to the new format, and also extracts only the public key section from RSA public key objects that contain a full CCA secure key token.

General Options

-d|--datastore directory

The directory where the CCA token information is kept. This directory is used to locate the private token objects to be migrated, e.g. /var/lib/opencryptoki/ccatok

-v|--verbose

Provide more detailed output

Version Migration

-m v2objectsv3

Migrates CCA private token objects from CCA encryption (used in v2) to software encryption (used in v3).

Key Migration

-m keys

Unwraps secret and private keys wrapped with the old CCA master key and re-wraps them with the current CCA master key.

-k aes|apka|asym|sym

Migrate only the keys wrapped with the selected CCA master key type.

-s|--slotid SLOTID

The PKCS#11 slot number of the CCA token.

Old RSA Key Migration

-m oldrsakeys

Converts old RSA keys (RSA-CRT) to the new format (RSA-AESC) and extracts only the public key section from public key objects that contain the full RSA key token.

-s|--slotid SLOTID

The PKCS#11 slot number of the CCA token.
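Every migration mode above rewrites the token objects under the datastore in place, so a practitioner will want a copy of that directory before running one. The following wrapper is an added example and is not part of pkcscca or opencryptoki: it validates the -k argument, snapshots the datastore, and then runs the migration. The command is taken from the assumed environment variable PKCSCCA (default pkcscca) and the directory from the assumed variable DATASTORE, so the wrapper can be pointed at a stub for a dry run; pkcscca itself prompts interactively for the token PINs, which the wrapper does not supply.

```shell
#!/bin/sh
# Added example (not opencryptoki code): snapshot the CCA token datastore,
# then run one of the pkcscca migrations documented on this page.
# Assumptions: PKCSCCA and DATASTORE are hypothetical variables introduced
# here; the datastore layout (TOK_OBJ/OBJ.IDX) is the one from the Files section.
set -u

DATASTORE="${DATASTORE:-/var/lib/opencryptoki/ccatok}"
PKCSCCA="${PKCSCCA:-pkcscca}"

# Only the four CCA master key types accepted by -k are valid.
valid_keytype() {
    case "$1" in
        aes|apka|asym|sym) return 0 ;;
        *) return 1 ;;
    esac
}

# Copy the datastore into a fresh sibling directory; print the copy's path.
backup_datastore() {
    if [ ! -d "$DATASTORE/TOK_OBJ" ]; then
        echo "no token objects under $DATASTORE" >&2
        return 1
    fi
    dest=$(mktemp -d "${DATASTORE}.bak.XXXXXX") || return 1
    cp -pR "$DATASTORE"/. "$dest"/ || return 1
    echo "$dest"
}

# Re-wrap keys of one master key type in one slot: migrate_keys SLOTID KEYTYPE
migrate_keys() {
    slot="$1"; keytype="$2"
    if ! valid_keytype "$keytype"; then
        echo "invalid -k value: $keytype (want aes|apka|asym|sym)" >&2
        return 2
    fi
    backup=$(backup_datastore) || return 1
    echo "datastore copied to $backup"
    "$PKCSCCA" -m keys -s "$slot" -k "$keytype" -d "$DATASTORE" -v
}

# Re-wrap keys of all four master key types; stop at the first failure.
migrate_all_keys() {
    for kt in aes apka asym sym; do
        migrate_keys "$1" "$kt" || return 1
    done
}

# Convert RSA-CRT private keys and trim public key objects: migrate_oldrsakeys SLOTID
migrate_oldrsakeys() {
    backup=$(backup_datastore) || return 1
    echo "datastore copied to $backup"
    "$PKCSCCA" -m oldrsakeys -s "$1" -d "$DATASTORE" -v
}
```

Run the key migration once per master key type that was changed (or migrate_all_keys after changing all of them), and run migrate_oldrsakeys once per slot; each run leaves a separate copy of the datastore, which can be moved back into place if the migration fails part way through.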

Files

/var/lib/opencryptoki/ccatok/TOK_OBJ/OBJ.IDX

contains the current list of public and private token objects for the CCA token.

See Also

README.cca_stdll (in system's doc directory)

Info

September 2014 3.24 openCryptoki