genDSAKeyPair
The genDSAKeyPair command in the key_mgmt_util tool generates a Digital Signing
Algorithm
Before you run any key_mgmt_util command, you must start key_mgmt_util and log in to the HSM as a crypto user (CU).
Tip
To find the attributes of a key that you have created, such as the type, length, label, and ID, use getAttribute. To find the keys for a particular user, use getKeyInfo. To find keys based on their attribute values, use findKey.
Syntax
genDSAKeyPair -h genDSAKeyPair -m<modulus length>-l<label>[-id<key ID>] [-min_srv<minimum number of servers>] [-m_value<0..8>] [-nex] [-sess] [-timeout<number of seconds>] [-u<user-ids>] [-attest]
Examples
These examples show how to use genDSAKeyPair to create a DSA key pair.
Example : Create a DSA key pair
This command creates a DSA key pair with a DSA label. The output shows that
the key handle of the public key is 19 and the handle of the private key is
21.
Command:genDSAKeyPair -m 2048 -l DSACfm3GenerateKeyPair: returned: 0x00 : HSM Return: SUCCESS Cfm3GenerateKeyPair: public key handle: 19 private key handle: 21 Cluster Error Status Node id 0 and err state 0x00000000 : HSM Return: SUCCESS
Example : Create a session-only DSA key pair
This command creates a DSA key pair that is valid only in the current session. The
command assigns a unique ID of DSA_temp_pair in addition to the required
(nonunique) label. You might want to create a key pair like this to sign and verify a
session-only token. The output shows that the key handle of the public key is
12 and the handle of the private key is 14.
Command:genDSAKeyPair -m 2048 -l DSA-temp -id DSA_temp_pair -sessCfm3GenerateKeyPair: returned: 0x00 : HSM Return: SUCCESS Cfm3GenerateKeyPair: public key handle: 12 private key handle: 14 Cluster Error Status Node id 0 and err state 0x00000000 : HSM Return: SUCCESS
To confirm that the key pair exists only in the session, use the -sess
parameter of findKey with a value of
1 (true).
Command:findKey -sess 1Total number of keys present 2 number of keys matched from start index 0::1 12, 14 Cluster Error Status Node id 0 and err state 0x00000000 : HSM Return: SUCCESS Cfm3FindKey returned: 0x00 : HSM Return: SUCCESS
Example : Create a shared, nonextractable DSA key pair
This command creates a DSA key pair. The private key is shared with three other users, and it cannot be exported from the HSM. Public keys can be used by any user and can always be extracted.
Command:genDSAKeyPair -m 2048 -l DSA -id DSA_shared_pair -nex -u 3,5,6Cfm3GenerateKeyPair: returned: 0x00 : HSM Return: SUCCESS Cfm3GenerateKeyPair: public key handle: 11 private key handle: 19 Cluster Error Status Node id 0 and err state 0x00000000 : HSM Return: SUCCESS
Example : Create a quorum-controlled key pair
This command creates a DSA key pair with the label DSA-mV2. The command
uses the -u parameter to share the private key with user 4 and 6. It uses the
-m_value parameter to require a quorum of at least two approvals for any
cryptographic operations that use the private key. The command also uses the
-attest parameter to verify the integrity of the firmware on which the key pair
is generated.
The output shows that the command generates a public key with key handle 12
and a private key with key handle 17, and that the attestation check on the
cluster firmware passed.
Command:genDSAKeyPair -m 2048 -l DSA-mV2 -m_value 2 -u 4,6 -attestCfm3GenerateKeyPair: returned: 0x00 : HSM Return: SUCCESS Cfm3GenerateKeyPair: public key handle: 12 private key handle: 17 Attestation Check : [PASS] Cluster Error Status Node id 1 and err state 0x00000000 : HSM Return: SUCCESS Node id 0 and err state 0x00000000 : HSM Return: SUCCESS
This command uses getKeyInfo on the
private key (key handle 17). The output confirms that the key is owned by the
current user (user 3) and that it is shared with users 4 and 6 (and no others). The output
also shows that quorum authentication is enabled and the quorum size is two.
Command:getKeyInfo -k 17Cfm3GetKey returned: 0x00 : HSM Return: SUCCESS Owned by user 3 also, shared to following 2 user(s): 4 6 2 Users need to approve to use/manage this key
Parameters
- -h
-
Displays help for the command.
Required: Yes
- -m
-
Specifies the length of the modulus in bits. The only valid value is
2048.Required: Yes
- -l
-
Specifies a user-defined label for the key pair. Type a string. The same label applies to both keys in the pair. The maximum size allowable for
labelis 127 characters.You can use any phrase that helps you to identify the key. Because the label does not have to be unique, you can use it to group and categorize keys.
Required: Yes
- -id
-
Specifies a user-defined identifier for the key pair. Type a string that is unique in the cluster. The default is an empty string. The ID that you specify applies to both keys in the pair.
Default: No ID value.
Required: No
- -min_srv
-
Specifies the minimum number of HSMs on which the key is synchronized before the value of the
-timeoutparameter expires. If the key is not synchronized to the specified number of servers in the time allotted, it is not created.AWS CloudHSM automatically synchronizes every key to every HSM in the cluster. To speed up your process, set the value of
min_srvto less than the number of HSMs in the cluster and set a low timeout value. Note, however, that some requests might not generate a key.Default: 1
Required: No
- -m_value
-
Specifies the number of users who must approve any cryptographic operation that uses the private key in the pair. Type a value from
0to8.This parameter establishes a quorum authentication requirement for the private key. The default value,
0, disables the quorum authentication feature for the key. When quorum authentication is enabled, the specified number of users must sign a token to approve cryptographic operations that use the private key, and operations that share or unshare the private key.To find the
m_valueof a key, use getKeyInfo.This parameter is valid only when the
-uparameter in the command shares the key pair with enough users to satisfy them_valuerequirement.Default: 0
Required: No
- -nex
-
Makes the private key nonextractable. The private key that is generated cannot be exported from the HSM. Public keys are always extractable.
Default: Both the public and private keys in the key pair are extractable.
Required: No
- -sess
-
Creates a key that exists only in the current session. The key cannot be recovered after the session ends.
Use this parameter when you need a key only briefly, such as a wrapping key that encrypts, and then quickly decrypts, another key. Do not use a session key to encrypt data that you might need to decrypt after the session ends.
To change a session key to a persistent (token) key, use setAttribute.
Default: The key is persistent.
Required: No
- -timeout
-
Specifies how long (in seconds) the command waits for a key to be synchronized to the number of HSMs specified by the
min_srvparameter.This parameter is valid only when the
min_srvparameter is also used in the command.Default: No timeout. The command waits indefinitely and returns only when the key is synchronized to the minimum number of servers.
Required: No
- -u
-
Shares the private key in the pair with the specified users. This parameter gives other HSM crypto users (CUs) permission to use the private key in cryptographic operations. Public keys can be used by any user without sharing.
Type a comma-separated list of HSM user IDs, such as -
u 5,6. Do not include the HSM user ID of the current user. To find HSM user IDs of CUs on the HSM, use listUsers. To share and unshare existing keys, use shareKey in the cloudhsm_mgmt_util.Default: Only the current user can use the private key.
Required: No
- -attest
Runs an integrity check that verifies that the firmware on which the cluster runs has not been tampered with.
Default: No attestation check.
Required: No
Related topics
