<?xml version="1.0" encoding="UTF-8"?>
<refentry id="pkcs15-tool">
<refmeta>
<refentrytitle>pkcs15-tool</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo class="productname">OpenSC</refmiscinfo>
<refmiscinfo class="manual">OpenSC Tools</refmiscinfo>
<refmiscinfo class="source">opensc</refmiscinfo>
</refmeta>
<refnamediv>
<refname>pkcs15-tool</refname>
<refpurpose>utility for manipulating PKCS #15 data structures
on smart cards and similar security tokens</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>pkcs15-tool</command>
<arg choice="opt"><replaceable class="option">OPTIONS</replaceable></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>
The <command>pkcs15-tool</command> utility is used to manipulate
the PKCS #15 data structures on smart cards and similar security
tokens. Users can list and read PINs, keys and certificates stored
on the token. User PIN authentication is performed for those
operations that require it.
</para>
</refsect1>
<refsect1>
<title>Options</title>
<para>
<variablelist>
<varlistentry>
<term>
<option>--version</option>
</term>
<listitem><para>Print the OpenSC package release version.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--aid</option> <replaceable>aid</replaceable>
</term>
<listitem><para>Specify, in hexadecimal form, the AID of the on-card PKCS#15
application to bind to.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--auth-id</option> <replaceable>pin</replaceable>,
<option>-a</option> <replaceable>pin</replaceable>
</term>
<listitem><para>Specifies the auth id of the PIN to use for the
operation. This is useful with the <option>--change-pin</option> operation.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--change-pin</option>
</term>
<listitem><para>Changes a PIN or PUK stored on the token. User authentication
is required for this operation.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--dump</option>,
<option>-D</option>
</term>
<listitem><para>List all card objects.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--list-info</option>
</term>
<listitem><para>List card objects.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--list-applications</option>
</term>
<listitem><para>List the on-card PKCS#15 applications.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--list-certificates</option>,
<option>-c</option>
</term>
<listitem><para>List all certificates stored on the token.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--list-data-objects</option>,
<option>-C</option>
</term>
<listitem><para>List all data objects stored on the token.
For some cards the PKCS#15 attributes of the private data objects are
protected against reading and require authentication with the User PIN.
In such a case the <option>--verify-pin</option> option has to be used.
</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--list-keys</option>,
<option>-k</option>
</term>
<listitem><para>List all private keys stored on the token. General
information about each private key is listed (e.g. key name, id and
algorithm). Actual private key values are not displayed.
For some cards the PKCS#15 attributes of the private keys are protected against reading
and require authentication with the User PIN.
In such a case the <option>--verify-pin</option> option has to be used.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--list-secret-keys</option>
</term>
<listitem><para>List all secret (symmetric) keys stored on the token. General
information about each secret key is listed (e.g. key name, id and
algorithm). Actual secret key values are not displayed.
For some cards the PKCS#15 attributes of the private keys are protected for reading
and need the authentication with the User PIN.
In such a case the <option>--verify-pin</option> option has to be used.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--list-pins</option>
</term>
<listitem><para>List all PINs stored on the token. General information
about each PIN is listed (e.g. PIN name). Actual PIN values are not shown.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--list-public-keys</option>
</term>
<listitem><para>List all public keys stored on the token, including
key name, id, algorithm and length information.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--short</option>,
<option>-s</option>
</term>
<listitem><para>Output lists in compact format.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--no-cache</option>
</term>
<listitem><para>Disables token data caching.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--clear-cache</option>
</term>
<listitem><para>Removes the user's cache directory. On
Windows, this option additionally removes the system's
caching directory (requires administrator
privileges).</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--clear-cache</option>
</term>
<listitem><para>Removes the user's cache directory. On
Windows, this option additionally removes the system's
caching directory (requires administrator
privileges).</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--output</option> <replaceable>filename</replaceable>,
<option>-o</option> <replaceable>filename</replaceable>
</term>
<listitem><para>Specifies where key output should be written.
If <replaceable>filename</replaceable> already exists, it will be overwritten.
If this option is not given, keys will be printed to standard output.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--raw</option>
</term>
<listitem><para>Changes how <option>--read-data-object</option> prints the content
to standard output. By default, when <option>--raw</option> is not given, it will
print the content in hex notation. If <option>--raw</option> is set, it will print
the binary data directly. This does not affect the output that is written to the
file specified by the <option>--output</option> option. Data written to a file will
always be in raw binary.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--read-certificate</option> <replaceable>cert</replaceable>,
<option>-r</option> <replaceable>cert</replaceable>
</term>
<listitem><para>Reads the certificate with the given id.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--read-data-object</option> <replaceable>data</replaceable>,
<option>-R</option> <replaceable>data</replaceable>
</term>
<listitem><para>Reads the data object with the given OID, applicationName or label.
The content is printed to standard output in hex notation, unless
the <option>--raw</option> option is given.
If an output file is given with the <option>--output</option> option,
the content is additionally written to the file.
Output to the file is always written in raw binary mode;
<option>--raw</option> only affects standard output behavior.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--read-public-key</option> <replaceable>id</replaceable>
</term>
<listitem><para>Reads the public key with id <replaceable>id</replaceable>,
allowing the user to extract and store or use the public key.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--read-ssh-key</option> <replaceable>id</replaceable>
</term>
<listitem><para>Reads the public key with id <replaceable>id</replaceable>,
writing the output in format suitable for
<filename>$HOME/.ssh/authorized_keys</filename>.</para>
<para>The key label, if any, will be shown in the 'Comment' field.</para>
<para>The default output format is a single line (openssh).</para>
</listitem>
</varlistentry>

<varlistentry>
<term>
<option>--rfc4716</option>
</term>
<listitem><para>When used in conjunction with option <option>--read-ssh-key</option> the
output format of the public key follows RFC 4716.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--test-update</option>,
<option>-T</option>
</term>
<listitem><para>Test if the card needs a security update.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--update</option>,
<option>-U</option>
</term>
<listitem><para>Update the card with a security update.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--reader</option> <replaceable>num</replaceable>
</term>
<listitem>
<para>
Specify the reader to use. By default, the first
reader with a present card is used. If
<replaceable>num</replaceable> is an ATR, the
reader with a matching card will be chosen.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>--unblock-pin</option>,
<option>-u</option>
</term>
<listitem><para>Unblocks a PIN stored on the token. Knowledge of the
PIN Unblock Key (PUK) is required for this operation.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--verbose</option>,
<option>-v</option>
</term>
<listitem><para>Causes <command>pkcs15-tool</command> to be more
verbose. Specify this flag several times to enable debug output
in the OpenSC library.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--pin</option> <replaceable>PIN</replaceable>
</term>
<listitem><para>Specify the PIN. A PIN passed on the command line may be visible to other users through the process list or shell history; prefer the interactive prompt or <option>--use-pinpad</option> where possible.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--puk</option> <replaceable>PUK</replaceable>
</term>
<listitem><para>Specify the unblock PIN (PUK).</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--new-pin</option> <replaceable>PIN</replaceable>
</term>
<listitem><para>Specify the new PIN (when changing or unblocking).</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--verify-pin</option>
</term>
<listitem><para>Verify the PIN after card binding and before issuing any command
(without <option>--auth-id</option>, the first non-SO, non-unblock PIN is verified).</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--test-session-pin</option>
</term>
<listitem><para>Equivalent to <option>--verify-pin</option>
with additional session PIN generation.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--wait</option>,
<option>-w</option>
</term>
<listitem><para>Causes <command>pkcs15-tool</command> to
wait for a card insertion.</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--use-pinpad</option>
</term>
<listitem><para>Do not prompt the user; if no PINs are supplied, the pinpad is used.</para></listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1>
<title>See also</title>
<para>
<citerefentry>
<refentrytitle>pkcs15-init</refentrytitle>
<manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pkcs15-crypt</refentrytitle>
<manvolnum>1</manvolnum>
</citerefentry>
</para>
</refsect1>
<refsect1>
<title>Authors</title>
<para><command>pkcs15-tool</command> was written by
Juha Yrjölä <email>juha.yrjola@iki.fi</email>.</para>
</refsect1>
</refentry>