Provided by: opencryptoki_3.25.0+dfsg-0ubuntu1_amd64 bug

NAME
       pkcscca - configuration utility for the CCA token


SYNOPSIS
   VERSION MIGRATION
       pkcscca [-m v2objectsv3] [OPTIONS]

   KEY MIGRATION
       pkcscca [-m keys] [-s SLOTID] [-k aes|apka|asym|sym] [OPTIONS]

   OLD RSA KEY MIGRATION
       pkcscca [-m oldrsakeys] [-s SLOTID] [OPTIONS]


DESCRIPTION
       The pkcscca utility assists in administering the CCA token.

       In  version  2  of  opencryptoki,  CCA private token objects were encrypted in CCA hardware. In version 3
       these objects are encrypted in software. The v2objectsv3 migration option migrates these  v2  objects  by
       decrypting  them  in  CCA  hardware  using  a  secure key and then re-encrypting them in software using a
       software key. Afterwards, v2 objects can be accessed in version 3.

       There may be situations where CCA master keys must be changed.  All  CCA  secret  and  private  keys  are
       wrapped  with  a master key. After a CCA master key is changed, keys wrapped with the old master key need
       to be re-wrapped with the current master key. The keys migration option migrates these  wrapped  keys  by
       unwrapping them with the old master key and wrapping them with the current master key.

       Up  to opencryptoki version 3.14.0, RSA keys were created using the RSA-CRT key token format (private key
       section X'08'). RSA-CRT keys are encrypted with the CCA ASYM master key, and can not be used for  certain
       mechanisms,  e.g.   RSA-PSS  or  RSA-OAEP. In newer opencryptoki versions, RSA keys are created using the
       RSA-AESC key token format (private key section X'31').  Up  to  version  3.16.0,  RSA  public  keys  also
       contained  full  CCA  secure key tokens, including the private key section (which is encrypted by the CCA
       master key). The oldrsakeys migration option migrates old RSA private key tokens to the new  format,  and
       also extracts the public key sections from RSA public key tokens containing a full CCA secure key token.


GENERAL OPTIONS
       -d|--datastore directory
                 the  directory  where  the CCA token information is kept. This directory will be used to locate
                 the private token objects to be migrated. i.e. /var/lib/opencryptoki/ccatok

       -v|--verbose
            Provide more detailed output


VERSION MIGRATION
       -m v2objectsv3
            Migrates CCA private token objects from CCA encryption (used in v2) to software encryption (used  in
            v3).


KEY MIGRATION
       -m keys
            Unwraps private keys with an old CCA master key and wraps them with a new CCA master key.

       -k aes|apka|asym|sym
            Migrate keys wrapped with the selected master key type.

       -s|--slotid SLOTID
            The PKCS slot number.


OLD RSA KEY MIGRATION
       -m oldrsakeys
            Converts  old  RSA  keys  (RSA-CRT) to the new format (RSA-AESC) and extracts the public key section
            only from key objects containing the full RSA key token.

       -s|--slotid SLOTID
            The PKCS slot number.


FILES
       /var/lib/opencryptoki/ccatok/TOK_OBJ/OBJ.IDX
              contains current list of public and private token objects for the CCA token.


SEE ALSO
       README.cca_stdll (in system's doc directory)

3.25.0                                           September 2014                                       PKCSCCA(1)