cmu getpkc
Retrieve a Public Key Confirmation from the HSM.
NOTE This operation works with non-extractable keys only, and supports both RSA and ECC keypair types.
Syntax
cmu getpkc [{-handle=<handle#> | -ouid=<OUID#>}] [-outputfile=<filename>] [-verify]
| Argument(s) | Description |
|---|---|
| -authdata=<value> | Specifies authorization data for the operation. |
| -handle=<handle#> | The handle to the corresponding private key for the PKC. This method of selection applies to Luna HSMs only. On a Luna Cloud HSM service slot, use -ouid. |
| -ouid=<OUID#> | The Object Unified Identifier (OUID) to the corresponding private key for the PKC. This method of selection |
| -outputfile=<filename> | The name of the file that receives the PKC. |
| -verify | Verify the PKC against the certificate that signed it. Set to True or False (or 1 or 0); the default is False. |
If you run the command with no parameters, you are prompted for the mandatory ones.
Common CMU Options
Some options are commonly available to all cmu commands. They are described below.
| Argument(s) | Description |
|---|---|
| -ecdsasigpadalways | Specifies that you wish to pad ecdsa signature R and S values with a leading 0. |
| -ecdsasigpadnever | Specifies that you do not wish to pad ecdsa signature R and S values. |
| -password=<password> or -pin=<password> | The password for the role accessing the current slot with the current command. If this is not specified, it is prompted. |
| -slot=<slot#> | The slot to be acted upon, by the current command. If this is not specified, it is prompted. |
| -so | Specifies that you wish to perform the command as Partition Security Officer for that slot. If a role is not specified, the Crypto Officer role is used by default. |
Example
cmu getpkc -handle=5
NOTE To generate a Key Attestation programmatically, without using CMU, the PKCS#11 calls you need are:
[LUNA-36984 from Martin G. in Discuss-HSM]
CA_GetTokenCertificates (see CA_GetTokenCertificates in Luna Extensions to PKCS#11) and
C_GetAttributeValue for the attribute CKA_PKC (CKA_PKC_ECC for ECC keys).
The first call fetches the relevant certificates (the MIC and HOC; see cryptoki_v2.h) from the HSM. These certificate types are described in detail under Verifying HSM Authenticity or Key Attestation; together they form the chain for the PKC certificate stored in the key's attribute.
The response generated by cmu getpkc is a PKCS#7 bundle containing the three certificates, a full chain for the relevant private key.
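The -verify option only checks the PKC against the certificate that signed it. What an attestation consumer actually needs is the check in the following POSIX shell script, which is an added example and not part of the Luna documentation or of cmu: unpack the PKCS#7 bundle written by cmu getpkc -outputfile=pkc.p7b with OpenSSL, locate the PKC, verify that it chains to a trust anchor you supply, and confirm that it certifies the public key you intend to use. It assumes the bundle is a DER PKCS#7 certificate-only file holding the PKC plus its issuing certificates, that the trust root is provided by you (for a production check, the vendor root described under Verifying HSM Authenticity; never a certificate taken from the bundle itself), and that the expected public key is available as a PEM file. The build_fixture function creates a constructed three-level chain so the script can be exercised offline; its certificates merely stand in for the HSM's output and attest nothing.

```shell
#!/bin/sh
# Added example, not part of the Luna documentation or the cmu tool.
# Checks a PKC bundle (DER PKCS#7: PKC + HOC + MIC) produced by
#   cmu getpkc -outputfile=pkc.p7b
# against a caller-supplied trust root and a caller-supplied public key.
set -e

# pubkey_fp <pem-public-key> : SHA-256 over the DER SubjectPublicKeyInfo,
# so keys are compared by content rather than by PEM text.
pubkey_fp() {
  openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256
}

# Worker; runs inside a scratch directory created by verify_pkc.
verify_pkc_in() {
  w=$1; p7=$2; root=$3; expected=$4
  # 1. Unpack the bundle; -print_certs emits every certificate as PEM.
  openssl pkcs7 -inform DER -in "$p7" -print_certs -out "$w/all.pem" >/dev/null 2>&1 \
    || { echo "not a DER PKCS#7 certificate bundle: $p7" >&2; return 1; }
  # 2. Split into one file per certificate (the subject=/issuer= lines are dropped).
  awk -v d="$w" '/-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert-" n ".pem" }
                 f { print > f }
                 /-----END CERTIFICATE-----/ { close(f); f = "" }' "$w/all.pem"
  # 3. The PKC is the certificate that issues nothing else in the bundle;
  #    find it by subject/issuer matching instead of assuming a position.
  leaf=""
  for c in "$w"/cert-*.pem; do
    s=$(openssl x509 -in "$c" -noout -subject_hash)
    issues=0
    for o in "$w"/cert-*.pem; do
      [ "$o" = "$c" ] && continue
      [ "$(openssl x509 -in "$o" -noout -issuer_hash)" = "$s" ] && issues=1
    done
    [ "$issues" -eq 0 ] && leaf=$c
  done
  [ -n "$leaf" ] || { echo "no leaf certificate found in bundle" >&2; return 1; }
  # 4. Build the chain PKC -> HOC -> MIC -> root. Only $root is trusted; the
  #    bundle's own certificates are offered as untrusted intermediates.
  openssl verify -CAfile "$root" -untrusted "$w/all.pem" "$leaf" >/dev/null 2>&1 \
    || { echo "PKC does not chain to the supplied root" >&2; return 1; }
  # 5. Bind the attestation to the key actually in use: compare public keys.
  got=$(openssl x509 -in "$leaf" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$got" = "$(pubkey_fp "$expected")" ] \
    || { echo "PKC certifies a different public key than expected" >&2; return 1; }
  return 0
}

# verify_pkc <pkc.p7b> <root.pem> <expected-pub.pem>
# Exit status 0 only if the PKC chains to root AND certifies the expected key.
verify_pkc() {
  w=$(mktemp -d)
  verify_pkc_in "$w" "$1" "$2" "$3" && rc=0 || rc=$?
  rm -rf "$w"
  return $rc
}

# build_fixture <dir> : CONSTRUCTED stand-in for HSM output, for offline
# testing only. Makes test root -> "HOC" -> "PKC" over fresh P-256 keys, plus
# an unrelated self-signed root, and bundles the chain as DER PKCS#7.
build_fixture() {
  d=$1
  {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
    for n in root hoc pkc other; do
      openssl ecparam -name prime256v1 -genkey -noout -out "$d/$n.key"
      openssl req -new -key "$d/$n.key" -subj "/CN=Test $n" -out "$d/$n.csr"
      openssl pkey -in "$d/$n.key" -pubout -out "$d/$n.pub"
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 -extfile "$d/ca.ext" -out "$d/root.pem"
    openssl x509 -req -in "$d/other.csr" -signkey "$d/other.key" -days 2 -extfile "$d/ca.ext" -out "$d/other.pem"
    openssl x509 -req -in "$d/hoc.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/hoc.pem"
    openssl x509 -req -in "$d/pkc.csr" -CA "$d/hoc.pem" -CAkey "$d/hoc.key" -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/pkc.pem"
    openssl crl2pkcs7 -nocrl -certfile "$d/pkc.pem" -certfile "$d/hoc.pem" -certfile "$d/root.pem" -outform DER -out "$d/pkc.p7b"
  } >/dev/null 2>&1
}

# Stand-alone use: sh check_pkc.sh pkc.p7b vendor-root.pem expected-pub.pem
if [ "$#" -eq 3 ]; then
  verify_pkc "$1" "$2" "$3" || exit 1
  echo "PKC OK: key is certified under the supplied root"
fi
```

The leaf is located by issuer matching rather than by position in the bundle, the root is never taken from the bundle, and the public-key comparison is what ties the attestation to the key a relying party is actually handed; a valid chain over some other key proves nothing about yours.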