gen-key is a tool for generating RSA or ECDSA keys on an HSM using PKCS#11. After generating the key pair it attempts to extract and construct the public key and verifies a test message that was signed using the generated private key. Any action it takes should be thoroughly logged and documented.
When generating a key this tool takes the following steps:

1. Constructs templates for the private and public keys consisting of the appropriate PKCS#11 attributes.
2. Executes a PKCS#11 GenerateKeyPair operation with the constructed templates and either CKM_RSA_PKCS_KEY_PAIR_GEN or CKM_EC_KEY_PAIR_GEN.
3. Extracts the public key components from the returned public key object handle and constructs a Golang public key object from them.
4. Generates 4 bytes of random data from the HSM using a PKCS#11 GenerateRandom operation.
5. Signs the random data with the private key object handle using a PKCS#11 SignInit/Sign operation.
6. Verifies the returned signature of the random data with the constructed public key.
7. Marshals the public key into a PEM public key object and prints it to STDOUT.
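The following Go program is an added example, not gen-key's own code. It walks through steps 3 to 7 above for an EC key, with an in-process `softToken` standing in for the HSM so it runs offline: the token hands back only what a PKCS#11 module would (the CKA_EC_POINT attribute, random bytes, and a raw r||s CKM_ECDSA signature), and the rest of the code reconstructs the Go public key, checks the test signature and emits the PEM. It also includes a helper for the RSA case (CKA_MODULUS and CKA_PUBLIC_EXPONENT). The names `softToken`, `selfTestAndExport`, `ecPublicKeyFromPoint` and `rsaPublicKeyFromAttrs` are this example's own, and it assumes the message digest is computed in software before the raw ECDSA mechanism is invoked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
)

// softToken stands in for the HSM (constructed for this example): the private
// key never leaves it, and callers only see what PKCS#11 would return.
type softToken struct{ priv *ecdsa.PrivateKey }

// generateKeyPair mimics C_GenerateKeyPair with CKM_EC_KEY_PAIR_GEN and returns
// the CKA_EC_POINT attribute: a DER OCTET STRING wrapping 0x04 || X || Y.
func generateKeyPair(curve elliptic.Curve) (*softToken, []byte, error) {
	priv, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	point, err := asn1.Marshal(elliptic.Marshal(curve, priv.X, priv.Y))
	return &softToken{priv: priv}, point, err
}

// sign mimics C_SignInit/C_Sign with CKM_ECDSA: the input is a digest and the
// output is r || s, each zero-padded to the curve's byte length (no DER).
func (t *softToken) sign(digest []byte) ([]byte, error) {
	r, s, err := ecdsa.Sign(rand.Reader, t.priv, digest)
	if err != nil {
		return nil, err
	}
	size := (t.priv.Curve.Params().BitSize + 7) / 8
	sig := make([]byte, 2*size)
	r.FillBytes(sig[:size])
	s.FillBytes(sig[size:])
	return sig, nil
}

// ecPublicKeyFromPoint is step 3 for EC keys. It rejects trailing bytes after
// the OCTET STRING and any point that is not on the expected curve.
func ecPublicKeyFromPoint(curve elliptic.Curve, ckaECPoint []byte) (*ecdsa.PublicKey, error) {
	var raw []byte
	rest, err := asn1.Unmarshal(ckaECPoint, &raw)
	if err != nil {
		return nil, fmt.Errorf("CKA_EC_POINT is not a DER OCTET STRING: %w", err)
	}
	if len(rest) != 0 {
		return nil, errors.New("trailing bytes after CKA_EC_POINT")
	}
	x, y := elliptic.Unmarshal(curve, raw)
	if x == nil {
		return nil, errors.New("CKA_EC_POINT is not an uncompressed point on the curve")
	}
	return &ecdsa.PublicKey{Curve: curve, X: x, Y: y}, nil
}

// rsaPublicKeyFromAttrs is step 3 for RSA keys: CKA_MODULUS and
// CKA_PUBLIC_EXPONENT are big-endian unsigned integers. An even or tiny
// exponent is rejected outright.
func rsaPublicKeyFromAttrs(modulus, exponent []byte) (*rsa.PublicKey, error) {
	n := new(big.Int).SetBytes(modulus)
	e := new(big.Int).SetBytes(exponent)
	if n.Sign() <= 0 || !e.IsInt64() || e.Int64() < 3 || e.Bit(0) == 0 {
		return nil, errors.New("invalid RSA public key attributes")
	}
	return &rsa.PublicKey{N: n, E: int(e.Int64())}, nil
}

// verifyRawECDSA is step 6: split the PKCS#11 r||s signature and verify it
// against the public key that was reconstructed from the HSM's attributes.
func verifyRawECDSA(pub *ecdsa.PublicKey, digest, sig []byte) bool {
	size := (pub.Curve.Params().BitSize + 7) / 8
	if len(sig) != 2*size {
		return false
	}
	r := new(big.Int).SetBytes(sig[:size])
	s := new(big.Int).SetBytes(sig[size:])
	return ecdsa.Verify(pub, digest, r, s)
}

// selfTestAndExport runs steps 3 to 7 and returns the PEM that the tool
// would print to STDOUT. It fails closed if the signature does not verify.
func selfTestAndExport(t *softToken, curve elliptic.Curve, ckaECPoint []byte) (string, error) {
	pub, err := ecPublicKeyFromPoint(curve, ckaECPoint)
	if err != nil {
		return "", err
	}
	msg := make([]byte, 4) // step 4: 4 random bytes (here from the OS, not an HSM)
	if _, err := rand.Read(msg); err != nil {
		return "", err
	}
	digest := sha256.Sum256(msg) // assumption: digest computed in software
	sig, err := t.sign(digest[:])
	if err != nil {
		return "", err
	}
	if !verifyRawECDSA(pub, digest[:], sig) {
		return "", errors.New("test signature did not verify with the extracted public key")
	}
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

func main() {
	tok, point, err := generateKeyPair(elliptic.P256())
	if err != nil {
		panic(err)
	}
	out, err := selfTestAndExport(tok, elliptic.P256(), point)
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

The two checks worth keeping in a real tool are the ones that fail loudly: parsing CKA_EC_POINT against the curve you asked for (a module returning a point for a different curve, or extra bytes, is a configuration or firmware problem that should abort the ceremony), and refusing to print the PEM unless the HSM-produced signature verifies with the public key you reconstructed.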