Crypt::HSM::Session - A PKCS11 session
version 0.016
$session->encrypt('aes-cbc', $key, $plaintext, $iv); $session->sign('sha256-hmac', $key, $data); $session->verify('sha256-rsa-pkcs', $key, $data, $signature); my $key = $session->generate_key($type, { token => 1, sensitive => 1 }); my @keys = $session->find_objects({ class => 'secret-key' }); my $attrs = $session->get_attributes($key, [ 'private', 'sensitive' ]);
This represents a session with a PKCS module such as an HSM. It does most of the cryptographic work of using a PKCS11 interface.
This module uses hundreds of constants from the PKCS11 standard as short stings. They're all lowercased, without prefix and with hyphens instead of underscores. So CKM_SHA256_RSA_PKCS becomes 'sha256-rsa-pkcs'. In KDF names, the <-kdf> part is eliminated.
CKM_SHA256_RSA_PKCS
'sha256-rsa-pkcs'
Various types of arguments are recurring its methods, these are:
This is an identifier that refers to resource inside the HSM, it has no meaning outside of it.
This is a mechanism for a cryptographic operation, e.g. 'aes-gcm', 'sha256-rsa-pkcs' or 'sha512-hmac'. The list of supported mechanisms can be retrieved using the mechanisms method on the Crypt::HSM object.
'aes-gcm'
'sha512-hmac'
mechanisms
Crypt::HSM
Cryptographic methods taking taking an argument will also take zero or more mechanism specific arguments after their generic arguments, for example an IV or nonce for a symmetric cipher that uses such, or a public key for a Diffie-Hellman derivation.
This is an hash of attributes. The key is the name of the attribute (e.g. 'class', 'sensitive'), the value depends on the key but is usually either an integer, a string or a bool.
'class'
'sensitive'
Copy an object, optionally adding/modifying the given attributes.
Create an object with the given $attribute hash.
$attribute
Decrypt $ciphertext with $mechanism and $key.
$ciphertext
$mechanism
$key
Derive a new key from $key, using mechanism and setting $attributes on it.
$attributes
This deletes the object with the identifier $object.
$object
Digest $input with $mechanism and $key.
$input
Encrypt $plaintext with $mechanism and $key.
$plaintext
Find all objects that satisfy the given $attributes.
Generate a new key for $mechanism with $attributes. Some relevant attributes are:
label
A label to your key, this helps with alter retreiving the key.
token
If true this will store the key on the token, if false it will create a session key.
sensitive
Sensitive keys cannot be revealed in plaintext, this is almost always desired for non-public keys.
extractable
This allows the key to be extractable, for example using wrapping.
wrap-with-trusted
If true a key can only be extracted with a trusted key
trusted
This marks the key as trusted, this usually requires logging in as security officer.
private
If true the key can't be used without logging in.
value-len
This sets the length of a key, this can be useful when creating a 'generic-secret-key-gen' in particular.
'generic-secret-key-gen'
Most of these have implementation-specific defaults.
This generates a key pair. The attributes for the public and private keys work similar to `generate_key`.
This generate $length bytes of randomness.
$length
This returns the value of the named attribute.
This returns a hash with the attributes that are asked for.
This returns information about the current session.
This initializes the PIN for this slot.
Log in the current session. $type should be either 'user' (most likely), 'so' (security officer, for elevated privileges), or 'context-dependent'. $pin is your password.
$type
'user'
'so'
'context-dependent'
$pin
Log the current session out.
This returns the size of $object.
Start a decryption with $mechanism and $key. This returns a Crypt::HSM::Decrypt object.
Start a digest with $mechanism. This returns a Crypt::HSM::Digest object.
Start an encryption with $mechanism and $key. This returns a Crypt::HSM::Encrypt object.
Start an signing with $mechanism and $key. This returns a Crypt::HSM::Sign object.
Start an verification with $mechanism and $key. This returns a Crypt::HSM::Verify object.
Returns the provider object for this session.
Mix additional seed material into the token’s random number generator.
This sets the $attributes on $object.
This changes the PIN from $old_pin to $new_pin.
$old_pin
$new_pin
This creates a signature over $input using $mechanism and $key.
Returns the slot identifier used for this session.
This unwraps the key wrapped in the bytearray $wrapped_key using mechanism and key $unwrap_key, setting $attributes on the new key.
$wrapped_key
mechanism
$unwrap_key
Verify that $signature matches $data, using $mechanism and $key.
$signature
$data
This wraps key $key using $mechanism and key $wrap_key.
$wrap_key
Leon Timmermans <leont@cpan.org>
This software is copyright (c) 2023 by Leon Timmermans.
This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.
To install Crypt::HSM, copy and paste the appropriate command in to your terminal.
cpanm
cpanm Crypt::HSM
CPAN shell
perl -MCPAN -e shell install Crypt::HSM
For more information on module installation, please visit the detailed CPAN module installation guide.