
Smart Key Attributes

Securosys Smart Key Attributes (SKA) enable multi-authorization and policy rules for private key usage.

Create Attestation Key

SKA requires an attestation key for signing attestation statements and timestamps. The attestation key in turn requires the Root Key Store to be initialized on the HSM. Once that is done, create the attestation key:

java -jar primus-tools.jar CreateAttestationKey <HSM connection and credentials> /
-keyname <keyname> [-keypassword <keypassword>] [-size <size>] [-curve <curve>] [-type <type>]

List SKA Access

java -jar primus-tools.jar ListEkaAccess <HSM connection and credentials> /
-keyname <keyname> [-keypassword <keypassword>]

Create SKA Key

java -jar primus-tools.jar CreateEkaKey <HSM connection and credentials> /
-keyname <keyname> [-keypassword <keypassword>] -type <type> [-size <size>] [-curve <curve>] [-flags <flags>] -authorizationkeys <k>,<k>,... -quorum <quorum> [-ekadelay <minutes>] [-ekalimit <minutes>] [-authorizationkeysblock <k>,<k>,...] [-quorumblock <quorum>] [-ekadelayblock <minutes>] [-ekalimitblock <minutes>] [-authorizationkeysunblock <k>,<k>,...] [-quorumunblock <quorum>] [-ekadelayunblock <minutes>] [-ekalimitunblock <minutes>] [-authorizationkeysmodify <k>,<k>,...] [-quorummodify <quorum>] [-ekadelaymodify <minutes>] [-ekalimitmodify <minutes>]
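
The -authorizationkeys/-quorum pair in the synopsis above repeats with the suffixes block, unblock and modify. The following bash pre-flight check is an added example, not part of the Securosys documentation or tooling: it validates each pair and prints the arguments that go after the HSM connection options of CreateEkaKey. The helper names, the `<suffix>:<k,k,...>:<quorum>` rule notation, the sample key names, and the rule that a quorum must lie between 1 and the number of distinct authorization keys are assumptions.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check of CreateEkaKey policy arguments (not Securosys code).
# Assumption: each rule needs 1 <= quorum <= number of distinct authorization keys.

# check_rule <suffix> <k,k,...> <quorum>: print the flag pair for one rule.
# suffix is "" (key usage), block, unblock or modify, as in the synopsis.
check_rule() {
  local suffix=$1 keys=$2 quorum=$3 count dups
  case $suffix in
    ''|block|unblock|modify) ;;
    *) echo "unknown rule suffix: $suffix" >&2; return 1 ;;
  esac
  case $keys in
    ''|,*|*,|*,,*) echo "authorizationkeys$suffix: empty key name" >&2; return 1 ;;
  esac
  case $quorum in
    ''|*[!0-9]*) echo "quorum$suffix: not a number: $quorum" >&2; return 1 ;;
  esac
  count=$(( $(printf '%s\n' "$keys" | tr ',' '\n' | wc -l) ))
  dups=$(printf '%s\n' "$keys" | tr ',' '\n' | sort | uniq -d)
  if [ -n "$dups" ]; then
    echo "authorizationkeys$suffix: duplicate key name" >&2; return 1
  fi
  if [ "$quorum" -lt 1 ] || [ "$quorum" -gt "$count" ]; then
    echo "quorum$suffix=$quorum is outside 1..$count" >&2; return 1
  fi
  printf '%s' "-authorizationkeys$suffix $keys -quorum$suffix $quorum"
}

# build_create_eka_args <keyname> <type> <k,k,...> <quorum> [<suffix>:<k,k,...>:<quorum> ...]
# Prints the arguments that follow the HSM connection options, or fails.
build_create_eka_args() {
  local out spec rest pair
  [ "$#" -ge 4 ] || { echo "usage: keyname type keys quorum [rule...]" >&2; return 1; }
  pair=$(check_rule "" "$3" "$4") || return 1
  out="-keyname $1 -type $2 $pair"
  shift 4
  for spec in "$@"; do
    rest=${spec#*:}
    pair=$(check_rule "${spec%%:*}" "${rest%%:*}" "${rest#*:}") || return 1
    out="$out $pair"
  done
  printf '%s\n' "$out"
}

# Constructed sample values; '<type>' stays a placeholder as in the synopsis.
build_create_eka_args demo-key '<type>' op1,op2,op3 2 block:sec1,sec2:1
```
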

Create Integrity Key

An integrity key is needed to sign the timestamps required when using SKA keys that are protected by timeouts or timelocks.

java -jar primus-tools.jar CreateIntegrityKey <HSM connection and credentials> /
-keyname <keyname> [-keypassword <keypassword>] /
-type <type> [-size <size>] [-curve <curve>] /
-flags [non]<flagname>[,[non]<flagname>,...] /
[-ckd] /
[-access <access>] /

Possible key flags: sensitive,extractable,modifiable,copyable,preload,token,indestructible,private,public,blocked,neverextractable,nopublickey,alwayssensitive,externalobject,local,trusted,wrapwithtrusted,unique,encrypt,decrypt,sign,verify,wrap,unwrap,derive,integrity,attestation,timestamp,verifyrecover,signrecover

Get Attestation of Key Attributes

java -jar primus-tools.jar GetAttestation <HSM connection and credentials> / 
-keyname <keyname> [-keypassword <keypassword>] -attestationkeyname <attestationkeyname> [-attestationkeypassword <attestationkeypassword>] [-ca <CA PEM file>] [-out <output file name base>]

Modify SKA Key

java -jar primus-tools.jar ModifyEka <HSM connection and credentials> /
-keyname <keyname> [-keypassword <keypassword>] -operationauthorizationkeys <k>,<k>,... -integritykey <integritykey> [-timestamp] [-modifydelay <modifydelay>] -authorizationkeys <k>,<k>,... -quorum <quorum> [-ekadelay <minutes>] [-ekalimit <minutes>] [-authorizationkeysblock <k>,<k>,...] [-quorumblock <quorum>] [-ekadelayblock <minutes>] [-ekalimitblock <minutes>] [-authorizationkeysunblock <k>,<k>,...] [-quorumunblock <quorum>] [-ekadelayunblock <minutes>] [-ekalimitunblock <minutes>] [-authorizationkeysmodify <k>,<k>,...] [-quorummodify <quorum>] [-ekadelaymodify <minutes>] [-ekalimitmodify <minutes>]

Set SKA Key Flag

java -jar primus-tools.jar SetKeyFlagEka <HSM connection and credentials> /
-keyname <keyname> [-keypassword <keypassword>] -algorithm <algorithm> -authorizationkeys <k>,<k>,... -integritykey <integritykey> -flag <flagname> [-value <flagvalue>] [-timestamp] [-ekadelay <ekadelay>]

Sign with SKA Key

java -jar primus-tools.jar SignEka <HSM connection and credentials> /
-keyname <keyname> [-keypassword <keypassword>] -algorithm <algorithm> [-message <message>] -authorizationkeys <k>,<k>,... -integritykey <integritykey> [-timestamp] [-signdelay <signdelay>]