docs: add example to initialize PIN with pkcs11-tool

doc/tools/pkcs11-tool.1.xml

@@ -148,7 +148,7 @@
  </term>
  <listitem><para>Specify the type and length (bytes if symmetric) of the key to create,
  for example RSA:1024, EC:prime256v1, GOSTR3410-2012-256:B,
- DES:8, DES3:24, AES:16 or GENERIC:64.</para></listitem>
+ DES:8, DES3:24, AES:16 or GENERIC:64. If the key type was incompletely specified, possible values are listed.</para></listitem>
  </varlistentry>
 
  <varlistentry>
@@ -734,6 +734,8 @@
  using the private key with ID <replaceable>ID</replaceable> and
  using the RSA-PKCS mechanism:
  <programlisting>pkcs11-tool --sign --id ID --mechanism RSA-PKCS --input-file data --output-file data.sig</programlisting>
+ The same is also possible by piping the data from stdin rather than specifying a input file:
+ <programlisting>dd if=data bs=128 count=1 | pkcs11-tool --sign --id ID --mechanism RSA-PKCS --pin=$PIN > data.sig</programlisting>
 
  To encrypt file using the AES key with ID 85 and using mechanism AES-CBC with padding:
  <programlisting>
@@ -761,6 +763,11 @@ pkcs11-tool --login --unwrap --mechanism RSA-PKCS --id 22 \
  -i aes_wrapped.key --key-type AES: \
  --application-id 90 --applicatin-label unwrapped-key
  </programlisting>
+
+ Use the SO-PIN to initialize or re-set the PIN:
+ <programlisting>
+pkcs11-tool --login --login-type so --init-pin
+ </programlisting>
  </para>
  </refsect1>
 

src/tools/pkcs11-tool.c

@@ -2870,11 +2870,10 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
  if (!find_mechanism(slot, CKF_GENERATE_KEY_PAIR, mtypes, mtypes_num, &opt_mechanism))
  util_fatal("Generate RSA mechanism not supported");
 
- if (size == NULL)
- util_fatal("Unknown key pair type %s, expecting RSA:<nbytes>", type);
  key_length = (unsigned long)atol(size);
- if (key_length != 0)
- modulusBits = key_length;
+ if (key_length == 0)
+ util_fatal("Unknown key pair type %s, expecting RSA:<nbytes>", type);
+ modulusBits = key_length;
 
  FILL_ATTR(publicKeyTemplate[n_pubkey_attr], CKA_MODULUS_BITS, &modulusBits, sizeof(modulusBits));
  n_pubkey_attr++;
@@ -2919,8 +2918,13 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
  if (!strcmp(ec_curve_infos[ii].oid, type + 3))
  break;
  }
- if (!ec_curve_infos[ii].name)
- util_fatal("Unknown EC key params '%s'", type + 3);
+ if (!ec_curve_infos[ii].name) {
+ fprintf(stderr, "EC key parameters may be specified by their canonic name or object identifier. Possible values are:\n");
+ for (ii = 0; ec_curve_infos[ii].name; ii++) {
+ fprintf(stderr, "%s (%s)\n", ec_curve_infos[ii].name, ec_curve_infos[ii].oid);
+ }
+ util_fatal("Unknown EC key parameter '%s'", type + 3);
+ }
 
  switch (ec_curve_infos[ii].mechanism) {
  case CKM_EC_EDWARDS_KEY_PAIR_GEN:
@@ -2992,9 +2996,6 @@ static int gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
  size_t mtypes_num = sizeof(mtypes)/sizeof(mtypes[0]);
  const char *p_param_set = type + strlen("GOSTR3410");
 
- if (p_param_set == NULL)
- util_fatal("Unknown key pair type %s, expecting GOSTR3410:<nbytes>", type);
-
  if (!strcmp(":A", p_param_set) || !strcmp("-2001:A", p_param_set)) {
  gost_key_type = CKK_GOSTR3410;
  mtypes[0] = CKM_GOSTR3410_KEY_PAIR_GEN;
@@ -3193,11 +3194,9 @@ gen_key(CK_SLOT_ID slot, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hSecretKey
  if (!find_mechanism(slot, CKF_GENERATE, mtypes, mtypes_num, &opt_mechanism))
  util_fatal("Generate Key mechanism not supported\n");
 
- if (size == NULL)
- util_fatal("Unknown key type %s, expecting AES:<nbytes>", type);
  key_length = (unsigned long)atol(size);
  if (key_length == 0)
- key_length = 32;
+ util_fatal("Unknown key type %s, expecting AES:<nbytes>", type);
 
  FILL_ATTR(keyTemplate[n_attr], CKA_KEY_TYPE, &key_type, sizeof(key_type));
  n_attr++;
@@ -3213,11 +3212,9 @@ gen_key(CK_SLOT_ID slot, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hSecretKey
  if (!find_mechanism(slot, CKF_GENERATE, mtypes, mtypes_num, &opt_mechanism))
  util_fatal("Generate Key mechanism not supported\n");
 
- if (size == NULL)
- util_fatal("Unknown key type %s, expecting DES:<nbytes>", type);
  key_length = (unsigned long)atol(size);
  if (key_length == 0)
- key_length = 8;
+ util_fatal("Unknown key type %s, expecting DES:<nbytes>", type);
 
  FILL_ATTR(keyTemplate[n_attr], CKA_KEY_TYPE, &key_type, sizeof(key_type));
  n_attr++;
@@ -3233,11 +3230,9 @@ gen_key(CK_SLOT_ID slot, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hSecretKey
  if (!find_mechanism(slot, CKF_GENERATE, mtypes, mtypes_num, &opt_mechanism))
  util_fatal("Generate Key mechanism not supported\n");
 
- if (size == NULL)
- util_fatal("Unknown key type %s, expecting DES3:<nbytes>", type);
  key_length = (unsigned long)atol(size);
  if (key_length == 0)
- key_length = 16;
+ util_fatal("Unknown key type %s, expecting DES3:<nbytes>", type);
 
  FILL_ATTR(keyTemplate[n_attr], CKA_KEY_TYPE, &key_type, sizeof(key_type));
  n_attr++;
@@ -3253,11 +3248,9 @@ gen_key(CK_SLOT_ID slot, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE *hSecretKey
  if (!find_mechanism(slot, CKF_GENERATE, mtypes, mtypes_num, &opt_mechanism))
  util_fatal("Generate Key mechanism not supported\n");
 
- if (size == NULL)
- util_fatal("Unknown key type %s, expecting GENERIC:<nbytes>", type);
  key_length = (unsigned long)atol(size);
  if (key_length == 0)
- key_length = 32;
+ util_fatal("Unknown key type %s, expecting GENERIC:<nbytes>", type);
 
  FILL_ATTR(keyTemplate[n_attr], CKA_KEY_TYPE, &key_type, sizeof(key_type));
  n_attr++;

tests/test-pkcs11-tool-allowed-mechanisms.sh

@@ -21,7 +21,7 @@ echo "======================================================="
 ID="05"
 MECHANISMS="RSA-PKCS,SHA1-RSA-PKCS,RSA-PKCS-PSS"
 # Generate key pair
-$PKCS11_TOOL --keypairgen --key-type="RSA:" --login --pin=$PIN \
+$PKCS11_TOOL --keypairgen --key-type="RSA:1024" --login --pin=$PIN \
  --module="$P11LIB" --label="test" --id="$ID" \
  --allowed-mechanisms="$MECHANISMS,SHA384-RSA-PKCS"
 assert $? "Failed to Generate RSA key pair"