opensc/etc/opensc.conf.in

# Configuration file for OpenSC
# Example configuration file

# NOTE: All key-value pairs must be terminated by a semicolon.

# Default values for any application
# These can be overrided by an application
# specific configuration block.
app default {
	# Amount of debug info to print
	#
	# A greater value means more debug info.
	# Default: 0
	#
	debug = 0;

	# The file to which debug output will be written
	#
	# A special value of 'stdout' is recognized.
	# Default: stdout
	#
	# debug_file = /tmp/opensc-debug.log;

	# The file to which errors will be written
	#
	# A special value of 'stderr' is recognized.
	# Default: stderr
	#
	# error_file = /tmp/opensc-errors.log;

	# PKCS#15 initialization / personalization
	# profiles directory for pkcs15-init.
	
	profile_dir = PKGDATADIR;

	# What reader drivers to load at start-up
	#
	# A special value of 'internal' will load all
	# statically linked drivers. If an unknown (ie. not
	# internal) driver is supplied, a separate configuration
	# configuration block has to be written for the driver.
	# Default: internal
	# NOTE: if "internal" keyword is used, must be the
	# last entry in reader_drivers list
	#
	# reader_drivers = openct, pcsc, ctapi;

	reader_driver ctapi {
		# module /usr/local/towitoko/lib/libtowitoko.so {
			# CT-API ports:
			# 0..3		COM1..4
			# 4		Printer
			# 5		Modem
			# 6..7		LPT1..2
			# ports = 0;
		# }
	}

	# Define parameters specific to your readers.
	# The following section shows definitions for PC/SC readers,
	# but the same set of variables are applicatable to ctapi and
	# openct readers, simply by using "reader_driver ctapi" and
	# "reader_driver openct", respectively.
	reader_driver pcsc {
		# Whether to transform some APDU's from one case to another
		# Possible values:
		#            none:   Don't transform any APDU's
		#        case4as3:   For T=0, send a case 4 APDU as case 3,
		#                    (no Lc byte) the card will send back
		# 		     a 61xx SW, and we will follow up with a
		#                    GetResponse command
		#                    The SCM SCR111, Sun SCF, and e-gate readers
		#                    seem to require this.
		#        case1as2:   For T=0, send a case 1 APDU as case 2.
		#                    (append an Le byte of 0)
		#                    The Sun SCF and e-gate readers seem to
		#                    require this
		# case1as2_always:   for any T=0/1, send a case 1 APDU as
		#		     case 2.
		#                    The Sun SCF reader may require this
		# Default: none
		#
		apdu_masquerade = none;
		#
		# This sets the maximum send and receive sizes.
		# Some IFD handlers do not properly handle APDUs with
		# large lc or le bytes.
		#
		max_send_size = 252;
		max_recv_size = 252;
		#
		# Connect to reader in exclusive mode.
		# Default: false
		connect_exclusive = false;
		#
		# Reset the card after disconnect.
		# Default: true
		connect_reset = true;
		#
		# Reset the card after each transaction.
		# Default: false
		transcaction_reset = false;
		#
		# Enable pinpad if detected (PC/SC v2.0.2 Part 10)
		# Default: false
		enable_pinpad = false;
	}

	# What card drivers to load at start-up
	#
	# A special value of 'internal' will load all
	# statically linked drivers. If an unknown (ie. not
	# internal) driver is supplied, a separate configuration
	# configuration block has to be written for the driver.
	# Default: internal
	# NOTE: When "internal" keyword is used, must be last entry
	#
	# card_drivers = customcos, internal;

	# Card driver configuration blocks.

	# For card drivers loaded from an external shared library/DLL,
	# you need to specify the path name of the module
	#
	# card_driver customcos {
		# The location of the driver library
		# module = /usr/lib/opensc/drivers/card_customcos.so;
	# }

	# Force using specific card driver
	#
	# If this option is present, OpenSC will use the supplied
	# driver with all inserted cards.
	#
	# Default: autodetect
	#
	# force_card_driver = customcos;

	# In addition to the built-in list of known cards in the
	# card driver, you can configure a new card for the driver
	# using the card_atr block. The goal is to centralize
	# everything related to a certain card to card_atr.
	#
	# The supported internal card driver names are
	#  etoken           Aladdin eToken and other Siemens CardOS cards
	#  flex             Schlumberger Multiflex/Cryptoflex
	#  cyberflex        Schlumberger Cyberflex
	#  gpk              Gemplus GPK
	#  miocos           MioCOS 1.1
	#  mcrd             MICARDO 2.1
	#  setcos           Setec cards
	#  starcos          STARCOS SPK 2.3
	#  tcos             TCOS 2.0
	#  openpgp          OpenPGP card
	#  jcop             JCOP cards with BlueZ PKCS#15 applet
	#  oberthur         Oberthur AuthentIC.v2/CosmopolIC.v4
	#  belpic           Belpic cards
	#  emv              EMV compatible cards

	# Generic format: card_atr <hex encoded ATR (case-sensitive!)>

	# New card entry for the flex card driver
	# card_atr 3b:f0:0d:ca:fe {
		# All parameters for the context are
		# optional unless specified otherwise.

		# Context: global, card driver
		#
		# ATR mask value
		#
		# The mask is logically AND'd with an
		# card ATR prior to comparison with the
		# ATR reference value above. Using mask
		# allows identifying and configuring
		# multiple ATRs as the same card model.
		# atrmask = "ff:ff:ff:ff:ff";

		# Context: card driver
		#
		# Specify used card driver (REQUIRED).
		#
		# When enabled, overrides all possible
		# settings from the card drivers built-in
		# card configuration list.
		# driver = "flex";

		# Set card name for card drivers that allows it.
		# name = "My CryptoFlex card";

		# Card type as an integer value.
		#
		# Depending on card driver, this allows
		# tuning the behaviour of the card driver
		# for your card.
		# type = "2002";

		# Card flags as an hex value.
		# Multiple values are OR'd together.
		#
		# Depending on card driver, this allows
		# fine-tuning the capabilities in
		# the card driver for your card.
		#
		# Optionally, some known parameters
		# can be specified as strings:
		#
		# keygen - On-board key generation capability
		# rng - On-board random number source
		#
		# flags = "keygen", "rng", "0x80000000";

		#
		# Context: PKCS#15 emulation layer
		#
		# When using PKCS#15 emulation, force
		# the emulation driver for specific cards.
		#
		# Required for external drivers, but can
		# be used with built-in drivers, too.
		# pkcs15emu = "custom";

		#
		# Context: reader driver
		#
		# Force protocol selection for specific cards.
		# Known parameters: t0, t1, raw
		# force_protocol = "t0";
	# }

	# Estonian ID card and Micardo driver currently play together with T=0 only.
	# In theory only the 'cold' ATR should be specified, as T=0 will be the preferred
	# protocol once you boot it up with T=0, but be paranoid.
	card_atr 3b:6e:00:ff:45:73:74:45:49:44:20:76:65:72:20:31:2e:30 {
		force_protocol = t0;
	}
	card_atr 3b:fe:94:00:ff:80:b1:fa:45:1f:03:45:73:74:45:49:44:20:76:65:72:20:31:2e:30:43 {
		force_protocol = t0;
	}


	# Below are the framework specific configuration blocks.

	# PKCS #15
	framework pkcs15 {
		# Whether to use the cache files in the user's
		# home directory.
		#
		# At the moment you have to 'teach' the card
		# to the system by running command: pkcs15-tool -L
		#
		# WARNING: Caching shouldn't be used in setuid root
		# applications.
		# Default: false
		#
		use_caching = true;
		# Enable pkcs15 emulation.
		# Default: yes
		enable_pkcs15_emulation = yes;
		# Prefer pkcs15 emulation code before
		# the normal pkcs15 processing.
		# Default: no
		try_emulation_first = no;
		# Enable builtin emulators.
		# Default: yes
		enable_builtin_emulation = yes;
		# list of the builtin pkcs15 emulators to test
		builtin_emulators = esteid, openpgp, tcos, starcert, infocamere, postecert, actalis, atrust-acosi, gemsafe, tccardos;

		# additional settings per driver
		#
		# For pkcs15 emulators loaded from an external shared library/DLL,
		# you need to specify the path name of the module and customize
		# the card_atr example above correctly.
		#
		# emulate custom {
			# The location of the driver library
			# module = /usr/lib/opensc/drivers/p15emu_custom.so;
		# }
	}
}

# Parameters for the OpenSC PKCS11 module
app opensc-pkcs11 {
	pkcs11 {
		# Maxmimum number of slots per smart card.
		# If the card has fewer keys than defined here,
		# the remaining number of slots will be empty.
		#
		# Note that there is currently a compile time
		# maximum on the overall number of slots
		# the pkcs11 module is able to handle.
		num_slots = 4;

		# Normally, the pkcs11 module will create
		# the full number of slots defined above by
		# num_slots. If there are fewer pins/keys on
		# the card, the remaining keys will be empty
		# (and you will be able to create new objects
		# within them).
		#
		# Set this option to true to hide these empty
		# slots.
		hide_empty_tokens = yes;

		# By default, the OpenSC PKCS#11 module will
		# try to lock this card once you have authenticated
		# to the card via C_Login. This is done so that no
		# other user can connect to the card and perform
		# crypto operations (which may be possible because
		# you have already authenticated with the card).
		#
		# However, this also means that no other application
		# that _you_ run can use the card until your application
		# has done a C_Logout or C_Finalize. In the case of
		# Netscape or Mozilla, this does not happen until
		# you exit the browser.
		lock_login = true;

		# Normally, the pkcs11 module will not cache PINs
		# presented via C_Login. However, some cards
		# may not work properly with OpenSC; for instance
		# when you have two keys on your card that get
		# stored in two different directories.
		#
		# In this case, you can turn on PIN caching by setting
		# cache_pins = true
		#
		# Default: false
		cache_pins = false;

		# Set this value to false if you want to enfore on-card
		# keypair generation
		#
		# Default: true
		soft_keygen_allowed = true;
	}
}