cmu list
This function lists all objects (keys, certificates and other general data objects) on the HSM that match an optional set of search criteria and that are accessible given the authentication state of the HSM. Search criteria can include many of the object attributes that are available for searching via the PKCS #11 API. If no search criteria are defined, all accessible objects are returned. The content of the entries in the returned list is definable and can include the object handle and/or any combination of viewable object attributes. The default is to include the handle and the label (CKA_LABEL).
Syntax
cmu list [-display=<attributes>] [-class=<class>] [-keyType=<type>] [-certificateType=<type>] [-label=<label>] [-application=<attribute>] [-value=<value>] [-issuer=<issuer>] [-serialNumber=<SN>] [-subject=<subject>] [-id=<ID>] [-token=<0/1>] [-modulusBits=<length>] [-publicExponent=<value>] [-private=<0/1>] [-sensitive=<0/1>] [-alwaysSensitive=<0/1>] [-extractable=<0/1>] [-neverExtractable=<0/1>] [-local=<0/1>] [-encrypt=<0/1>] [-decrypt=<0/1>] [-sign=<0/1>] [-verify <0/1>] [-wrap <0/1>] [-unwrap <0/1>] [-derive=<0/1>] [-startDate=<YYYYMMDD>] [-endDate=<YYYYMMDD>] [-modifiable=<0/1>] [-password=<password>] [-ped=<PED_ID>] [-slot=<slot#>]
Argument(s) | Description |
---|---|
-alwaysSensitive =<0/1> | Show objects that match value True or False (or 1 or 0). |
-application =<attribute> | Specifies the application attribute that objects must match in order to be listed. |
-certificateType =<type> |
Specifies the type of certificate to list. It can only be set to x.509 if used. Valid values: x.509 |
-class=<class> |
Specifies the class of object to list. Valid values: data,certificate,public,private,secret |
-decrypt=<0/1> | Show objects that match value True or False (or 1 or 0). |
-derive=<0/1> | Show objects that match value True or False (or 1 or 0). |
-display =<attributes> |
Specifies the attributes to be displayed for each returned object in the list. Multiple attributes can also be specified by repeated use of the display option instead of using the comma-separated list. If this parameter is omitted, only the handle and the label are displayed. Valid values: index,handle,class,keyType,label,value |
-encrypt=<0/1> | Show objects that match value True or False (or 1 or 0). |
-endDate =<YYYYMMDD> |
This option specifies the end date that objects must match in order to be listed. |
-extractable=<0/1> | Show objects that match value True or False (or 1 or 0). |
-id=<ID> | Specifies the ID that objects must match in order to be listed. |
-issuer=<issuer> | Specifies the issuer that objects must match in order to be listed. |
-keyType=<type> |
Specifies the type of keys to list. Valid values: rsa,dsa,dh,des,2des,3des,rc2,rc4,rc5,cast3,cast5,generic |
-label=<label> | Specifies the label that objects must match in order to be listed. |
-local=<0/1> | Show objects that match value True or False (or 1 or 0). |
-modifiable=<0/1> | Show objects that match value True or False (or 1 or 0). |
-modulusBits =<length> | This option specifies the modulus size that RSA keys must match in order to be listed. |
-neverExtractable =<0/1> | Show objects that match value True or False (or 1 or 0). |
-private=<0/1> | Show objects that match value True or False (or 1 or 0). |
-publicExponent =<value> | This option specifies the public exponent value that RSA keys must match in order to be listed. It can only be set to 3, 17 or 65537. Only 65537 is allowed in FIPS mode. |
-sensitive <0/1> | Show objects that match value True or False (or 1 or 0). |
-serialNumber <SN> | Specifies the serial number that objects must match in order to be listed. |
-sign=<0/1> | Show objects that match value True or False (or 1 or 0). |
-startDate =<YYYYMMDD> | This option specifies the start date that objects must match in order to be listed. |
-subject <subject> | Specifies the subject that objects must match in order to be listed. |
-token=<0/1> |
Specifies whether permanent or temporary objects are to be listed. Valid values: 0(temporary objects),1(permanent objects) |
-unwrap=<0/1> | Show objects that match value True or False (or 1 or 0). |
-value=<value> | Specifies the value that objects must match in order to be listed. |
-verify=<0/1> | Show objects that match value True or False (or 1 or 0). |
-wrap=<0/1> | Show objects that match value True or False (or 1 or 0). |
Common | |
-password=<password> | The password for the role accessing the current slot, with the current command. If this is not specified, it is prompted. |
-ped=<PED_ID> | Specifies the PED ID for the registered Remote PED that will handle authentication for the current slot, with the current command. You must specify this parameter to use Remote PED authentication. |
-slot=<slot#> | The slot to be acted upon, by the current command. If this is not specified, it is prompted. |
Example
The following example displays the handle and label of each certificate that is accessible on the HSM:
cmu list -class=certificate
The following example displays the handles of all locally generated RSA private signing keys on the HSM:
cmu list -keyType=rsa -local=True -sign=True -display=handle
The following example displays the class, type and label of all signing keys on the HSM:
cmu list -display=class,keyType,label -sign=True