11.2. Usage
- Run the following command to check the tkstool version:
tkstool -V
This should return output similar to the following:
tkstool: Version 1.0
- Create a new software database.
tkstool -N -d .
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
Note: if the modutil utility has first been used to add the HSM slot and token to the secmod.db database, a hardware HSM can be used instead of the software database. If an HSM is used, the -h hsm_token option must be added to each of the following commands.
- List the contents of the local software key database.
tkstool -L -d .
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
Enter Password or Pin for "NSS Certificate DB":
tkstool: the specified token is empty
- Create a transport key named transport.
tkstool -T -d . -n transport
- When prompted, enter the database password, then type some noise to seed the random number generator.
- The session key shares and the corresponding KCVs are displayed. Write down both of them.
- Run the following command to regenerate the same transport key; this is normally used on a different set of databases that need to use the same transport key. When it runs, several session key shares and KCVs are generated. Write down all of this information.
tkstool -I -d . -n verify_transport
A response similar to the following appears:
Generating first symmetric key . . .
Generating second symmetric key . . .
Generating third symmetric key . . .
Extracting transport key from operational token . . .
transport key KCV: A428 53BA
Storing transport key on final specified token . . .
Naming transport key "transport" . . .
Successfully generated, stored, and named the transport key!
- List the contents of the key database again.
tkstool -L -d .
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
Enter Password or Pin for "NSS Certificate DB":
0 transport
- Use the transport key to generate and wrap a master key, and store the wrapped master key in a file named file.
tkstool -W -d . -n wrapped_master -t transport -o file
Enter Password or Pin for "NSS Certificate DB":
Retrieving the transport key (for wrapping) from the specified token . . .
Generating and storing the master key on the specified token . . .
Naming the master key "wrapped_master" . . .
Successfully generated, stored, and named the master key!
Using the transport key to wrap and store the master key . . .
Writing the wrapped data (and resident master key KCV) into the file called "file" . . .
wrapped data: 47C0 06DB 7D3F D9ED FE91 7E6F A7E5 91B9
master key KCV: CED9 4A7B
(computed KCV of the master key residing inside the wrapped data)
- List the contents of the software key database again.
tkstool -L -d .
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
Enter Password or Pin for "NSS Certificate DB":
0 wrapped_master
1 transport
Note: the order of the keys is not important; some systems may display the keys in a different order.
- Using the transport key, unwrap the master key stored in the file named file and store it on the token as unwrapped_master.
tkstool -U -d . -n unwrapped_master -t transport -i file
Enter Password or Pin for "NSS Certificate DB":
Retrieving the transport key from the specified token (for unwrapping) . . .
Reading in the wrapped data (and resident master key KCV) from the file called "file" . . .
wrapped data: 47C0 06DB 7D3F D9ED FE91 7E6F A7E5 91B9
master key KCV: CED9 4A7B
(pre-computed KCV of the master key residing inside the wrapped data)
Using the transport key to temporarily unwrap the master key to recompute its KCV value to check against its pre-computed KCV value . . .
master key KCV: CED9 4A7B
(computed KCV of the master key residing inside the wrapped data)
master key KCV: CED9 4A7B
(pre-computed KCV of the master key residing inside the wrapped data)
Using the transport key to unwrap and store the master key on the specified token . . .
Naming the master key "unwrapped_master" . . .
Successfully unwrapped, stored, and named the master key!
- List the contents of the key database to show all of the keys.
tkstool -L -d .
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
Enter Password or Pin for "NSS Certificate DB":
0 unwrapped_master
1 wrapped_master
2 transport
- Delete a key from the database.
tkstool -D -d . -n wrapped_master
Enter Password or Pin for "NSS Certificate DB":
tkstool: 1 key(s) called "wrapped_master" were deleted
- List the contents of the key database again to show all of the keys.
tkstool -L -d .
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
Enter Password or Pin for "NSS Certificate DB":
0 unwrapped_master
1 transport
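As an added illustration (not tkstool's own code, nor Red Hat's), the following Go program models the wrap-and-verify logic behind the -W and -U steps above: the master key is wrapped under the transport key and stored together with its pre-computed KCV, and on unwrap the KCV is recomputed from the recovered key and must match before the key is accepted, exactly the check the -U output shows. Assumptions: two-key 3DES keys (the 16-byte wrapped data on the page is consistent with that), 3DES-ECB wrapping, and a KCV defined as the first 4 bytes of encrypting an all-zero block; tkstool's exact algorithms are not stated on this page.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// key16 is a two-key 3DES key (K1||K2); the fixed size rules out key-length errors below.
type key16 [16]byte
// newTDES expands K1||K2 to K1||K2||K1 for crypto/des; a 24-byte key cannot cause KeySizeError.
func newTDES(k key16) cipher.Block {
	c, _ := des.NewTripleDESCipher(append(k[:], k[:8]...))
	return c
}

// kcv returns a key check value: the first 4 bytes of the 3DES-ECB encryption of an
// all-zero block. Assumption: the usual KCV convention; the page does not state tkstool's.
func kcv(k key16) []byte {
	out := make([]byte, 8)
	newTDES(k).Encrypt(out, make([]byte, 8))
	return out[:4]
}

// wrapMaster is the -W step: encrypt the master key under the transport key (3DES-ECB, two
// blocks) and return the wrapped data with the master key's own KCV, as written to "file".
func wrapMaster(transport, master key16) (data, masterKCV []byte) {
	tk := newTDES(transport)
	data = make([]byte, 16)
	tk.Encrypt(data[:8], master[:8])
	tk.Encrypt(data[8:], master[8:])
	return data, kcv(master)
}

// unwrapMaster is the -U step: decrypt, recompute the KCV of the recovered master key and
// refuse to store it unless that matches the pre-computed KCV read back from the file.
func unwrapMaster(transport key16, data, expectedKCV []byte) (key16, error) {
	var master key16
	if len(data) != 16 {
		return master, fmt.Errorf("wrapped data must be 16 bytes, got %d", len(data))
	}
	tk := newTDES(transport)
	tk.Decrypt(master[:8], data[:8])
	tk.Decrypt(master[8:], data[8:])
	if got := kcv(master); !bytes.Equal(got, expectedKCV) {
		return key16{}, fmt.Errorf("master key KCV mismatch: computed %X, expected %X", got, expectedKCV)
	}
	return master, nil
}
```

A tampered KCV, a wrong transport key or a truncated file all surface as an error from unwrapMaster, so the recovered key is never stored unchecked.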