diff --git a/doc/tools/cardos-tool.1.xml b/doc/tools/cardos-tool.1.xml
index 9f384c89..62657110 100644
--- a/doc/tools/cardos-tool.1.xml
+++ b/doc/tools/cardos-tool.1.xml
@@ -88,4 +88,10 @@ smart cards and similar security tokens based on Siemens Card/OS M4.
+
+ change CHV2 00:00:00:00:00:00 "foobar"
change CHV2 "foobar"
change CHV2
change CHV2 00:00:00:00:00:00 "foobar"
change CHV2 "foobar"
change CHV2
unblock CHV2 00:00:00:00:00:00 "foobar"
unblock CHV2 00:00:00:00:00:00 ""
unblock CHV2 "" "foobar"
unblock CHV2 00:00:00:00:00:00
unblock CHV2 ""
unblock CHV2
unblock CHV2 00:00:00:00:00:00 "foobar"
unblock CHV2 00:00:00:00:00:00 ""
unblock CHV2 "" "foobar"
unblock CHV2 00:00:00:00:00:00
unblock CHV2 ""
unblock CHV2
verify CHV0 31:32:33:34:00:00:00:00
verify CHV1 "secret"
verify KEY2
verify CHV0 31:32:33:34:00:00:00:00
verify CHV1 "secret"
verify KEY2
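Review bot: the line added at +88 of cardos-tool.1.xml, `change CHV2 00:00:00:00:00:00 "foobar"`, is the same example that appears later on this page under opensc-explorer's `change` command, and nothing in this hunk's context (the cardos-tool description, "smart cards and similar security tokens based on Siemens Card/OS M4") introduces a `change` command or a CHV2 reference; please confirm the example belongs in this file, or move it to the opensc-explorer page where the `change pin-ref [[old-pin] new-pin]` synopsis explains it. The change, unblock and verify example groups that follow also appear twice each here; if that is the file content rather than a rendering artifact, drop the repeats.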
Table of Contents
-w
Causes cardos-tool to wait for the token to be inserted into reader.
-
cryptoflex-tool — utility for manipulating Schlumberger Cryptoflex data structures
cryptoflex-tool
[OPTIONS
]
cryptoflex-tool — utility for manipulating Schlumberger Cryptoflex data structures
cryptoflex-tool
[OPTIONS
]
cryptoflex-tool is used to manipulate PKCS data structures on Schlumberger Cryptoflex smart cards. Users can create, list and read PINs and keys stored on the smart card. User PIN authentication is performed for those operations that require it. -
dnie-tool — displays information about DNIe based security tokens
dnie-tool
[OPTIONS
]
The dnie-tool utility is used to display additional information about DNIe, the Spanish National eID card. -
eidenv — utility for accessing visible data from - electronic identity cards
eidenv
[OPTIONS
]
eidenv
[OPTIONS
]
The eidenv utility is used for accessing data from electronic identity cards (like national eID cards) which might not be present in PKCS#15 objects but available in custom files on the card. The data can be printed on screen or used by other programs via environment variables. -
--exec
prog
,
-x
prog
@@ -245,11 +247,11 @@ to enable debug output in the opensc library.
--wait
,
-w
Wait for a card to be inserted
-
gids-tool — smart card utility for GIDS cards
gids-tool
[OPTIONS
]
The gids-tool utility can be used from the command line to perform miscellaneous smart card operations on a GIDS smart card. -
-X
,
--initialize
@@ -284,13 +286,14 @@ to enable debug output in the opensc library.
--verbose
Verbose operation. Use several times to enable debug output.
-
netkey-tool — administrative utility for Netkey E4 cards
netkey-tool
[OPTIONS
] [COMMAND
]
The netkey-tool utility can be used from the command line to perform some smart card operations with NetKey E4 cards that cannot be done easily with other OpenSC-tools, such as changing local PINs, storing certificates into empty NetKey E4 cert-files or displaying - the initial PUK-value.
--help
,
-h
@@ -318,11 +321,11 @@ to enable debug output in the opensc library.
-v
Causes netkey-tool to be more verbose. This options may be specified multiple times to increase verbosity.
-
With the -p
, -u
, -0
or the -1
one of the cards pins may be specified. You may use plain ascii-strings (i.e. 123456) or a hex-string
(i.e. 31:32:33:34:35:36). A hex-string must consist of exactly n 2-digit hexnumbers separated by n-1 colons.
Otherwise it will be interpreted as an ascii string. For example :12:34: and 1:2:3:4 are both pins of
- length 7, while 12:34 and 01:02:03:04 are pins of length 2 and 4.
When used without any options or commands, netkey-tool will + length 7, while 12:34 and 01:02:03:04 are pins of length 2 and 4.
When used without any options or commands, netkey-tool will display information about the smart cards pins and certificates. This will not change your card in any aspect (assumed there are no bugs in netkey-tool). In particular the tries-left counters of the pins are investigated without doing @@ -364,13 +367,13 @@ to enable debug output in the opensc library.
This unblocks the specified pin. You must specify another pin to be able to do this and if you don't specify a correct one, netkey-tool will tell you which one is needed.
-
iasecc-tool — displays information about IAS/ECC card -
iasecc-tool
[OPTIONS
]
iasecc-tool
[OPTIONS
]
The iasecc-tool utility is used to display information about IAS/ECC v1.0.1 smart cards. -
--reader
number
,
@@ -394,8 +397,9 @@ to enable debug output in the opensc library.
-w
Causes iasecc-tool to wait for the token to be inserted into reader.
-
openpgp-tool — utility for accessing visible data OpenPGP smart cards - and compatible tokens
openpgp-tool
[OPTIONS
]
openpgp-tool — utility for accessing visible data OpenPGP smart cards + and compatible tokens
openpgp-tool
[OPTIONS
]
The openpgp-tool utility is used for accessing data from the OpenPGP v1.1 and v2.0 smart cards and compatible tokens like e.g. GPF CryptoStick v1.x, @@ -403,7 +407,7 @@ to enable debug output in the opensc library.
PKCS#15 objects but available in custom files on the card. The data can be printed on screen or used by other programs via environment variables. -
--exec
prog
,
-x
prog
@@ -472,12 +476,12 @@ to enable debug output in the opensc library.
Wait for a card to be inserted.
-
netkey-tool — administrative utility for Netkey E4 cards
netkey-tool
[OPTIONS
] [COMMAND
]
The netkey-tool utility can be used from the command line to perform some smart card operations with NetKey E4 cards that cannot be done easily with other OpenSC-tools, such as changing local PINs, storing certificates into empty NetKey E4 cert-files or displaying - the initial PUK-value.
--help
,
-h
@@ -505,11 +509,11 @@ to enable debug output in the opensc library.
-v
Causes netkey-tool to be more verbose. This options may be specified multiple times to increase verbosity.
-
With the -p
, -u
, -0
or the -1
one of the cards pins may be specified. You may use plain ascii-strings (i.e. 123456) or a hex-string
(i.e. 31:32:33:34:35:36). A hex-string must consist of exactly n 2-digit hexnumbers separated by n-1 colons.
Otherwise it will be interpreted as an ascii string. For example :12:34: and 1:2:3:4 are both pins of
- length 7, while 12:34 and 01:02:03:04 are pins of length 2 and 4.
When used without any options or commands, netkey-tool will + length 7, while 12:34 and 01:02:03:04 are pins of length 2 and 4.
When used without any options or commands, netkey-tool will display information about the smart cards pins and certificates. This will not change your card in any aspect (assumed there are no bugs in netkey-tool). In particular the tries-left counters of the pins are investigated without doing @@ -551,11 +555,11 @@ to enable debug output in the opensc library.
This unblocks the specified pin. You must specify another pin to be able to do this and if you don't specify a correct one, netkey-tool will tell you which one is needed.
-
openpgp-tool — utility for accessing visible data OpenPGP smart cards - and compatible tokens
openpgp-tool
[OPTIONS
]
openpgp-tool
[OPTIONS
]
The openpgp-tool utility is used for accessing data from the OpenPGP v1.1 and v2.0 smart cards and compatible tokens like e.g. GPF CryptoStick v1.x, @@ -563,7 +567,7 @@ to enable debug output in the opensc library.
PKCS#15 objects but available in custom files on the card. The data can be printed on screen or used by other programs via environment variables. -
--exec
prog
,
-x
prog
@@ -632,12 +636,12 @@ to enable debug output in the opensc library.
Wait for a card to be inserted.
-
opensc-tool — generic smart card utility
opensc-tool
[OPTIONS
]
The opensc-tool utility can be used from the command line to perform miscellaneous smart card operations such as getting the card ATR or sending arbitrary APDU commands to a card. -
--version
,
Print the OpenSC package release version.
--wait
,
-w
Wait for a card to be inserted.
-
opensc-explorer — generic interactive utility for accessing smart card and similar security token functions -
opensc-explorer
[OPTIONS
] [SCRIPT
]
opensc-explorer
[OPTIONS
] [SCRIPT
]
The opensc-explorer utility can be used interactively to perform miscellaneous operations such as exploring the contents of or sending arbitrary APDU commands to a smart card or similar security token. -
The following are the command-line options for opensc-explorer. There are additional interactive commands available once it is running. @@ -742,189 +747,190 @@ to enable debug output in the opensc library.
--wait
, -w
Wait for a card to be inserted
-
- The following commands are supported at opensc-explorer's
- interactive prompt or in script files passed via the command line parameter
- SCRIPT
.
-
hex-data
- Send a custom APDU command hex-data
.
file-id
- Parse and print the ASN.1 encoded content of the file specified by
- file-id
.
file-id
| sfi:short-id
]
- Print the contents of the currently selected EF or the contents
- of a file specified by file-id
or the short file id
- short-id
.
-
file-id
| aid:DF-name
}
-
- Change to another DF specified by the argument passed.
- If the argument given is ..
, then move up one level in the
- file system hierarchy.
- If it is file-id
, which must be a DF directly
- beneath the current DF, then change to that DF.
- If it is an application identifier given as
- aid:
DF-name
,
- then jump to the MF of the application denoted by
- DF-name
.
-
pin-ref
[[old-pin
] new-pin
]
- Change a PIN, where pin-ref
is the PIN reference.
- Examples: -
change CHV2 00:00:00:00:00:00 "foobar"
- Change PIN CHV2
- to the new value foobar
,
- giving the old value 00:00:00:00:00:00
.
-
change CHV2 "foobar"
- Set PIN CHV2
- to the new value foobar
.
-
change CHV2
- Change PIN CHV2
using the card reader's pinpad.
-
-
file-id
size
- Create a new EF. file-id
specifies the
- id number and size
is the size of the new file.
-
level
]
- Set OpenSC debug level to level
.
If level
is omitted the current debug level will be shown.
file-id
- Remove the EF or DF specified by file-id
hex-tag
[output
]
- Copy the internal card's 'tagged' data into the local file.
The local file is specified by output
while the tag of
- the card's data is specified by hex-tag
.
-
- If output
is omitted, the name of the output file will be
- derived from hex-tag
.
-
hex-tag
input
- Update internal card's 'tagged' data.
hex-tag
is the tag of the card's data.
- input
is the filename of the source file or the literal data presented as
- a sequence of hexadecimal values or "
enclosed string.
-
string
...
- Print the string
s given.
Erase the card, if the card supports it.
file-id
[output
]
- Copy an EF to a local file. The local file is specified
- by output
while the card file is specified by file-id
.
-
- If output
is omitted, the name of the output file will be
- derived from the full card path to file-id
.
-
file-id
]
- Display attributes of a file specified by file-id
.
- If file-id
is not supplied,
- the attributes of the current file are printed.
pattern
...]
- List files in the current DF.
- If no pattern
is given, then all files are listed.
- If one ore more pattern
s are given, only files matching
- at least one pattern
are listed.
start-id
[end-id
]]
- Find all files in the current DF.
- Files are found by selecting all file identifiers in the range from start-fid
to end-fid
(by default from 0000 to FFFF).
start-tag
[end-tag
]]
- Find all tags of data objects in the current context.
- Tags are found by using GET DATA in the range from start-tag
to end-tag
(by default from 0000 to FFFF).
file-id
size
- Create a DF. file-id
specifies the id number
- and size
is the size of the new file.
file-id
input
- Copy a local file to the card. The local file is specified
- by input
while the card file is specified by file-id
.
-
Exit the program.
count
- Generate random sequence of count
bytes.
file-id
- Remove the EF or DF specified by file-id
pin-ref
[puk
[new pin
]]
-
- Unblock the PIN denoted by pin-ref
- using the PUK puk
, and set potentially
- change its value to new pin
.
-
- PUK and PIN values can be a sequence of hexadecimal values,
- "
-enclosed strings, empty (""
),
- or absent.
- If they are absent, the values are read from the card reader's pin pad.
-
- Examples: -
unblock CHV2 00:00:00:00:00:00 "foobar"
- Unblock PIN CHV2
using PUK
- 00:00:00:00:00:00
- and set it to the new value foobar
.
-
unblock CHV2 00:00:00:00:00:00 ""
- Unblock PIN CHV2
using PUK
- 00:00:00:00:00:00
keeping the old value.
-
unblock CHV2 "" "foobar"
- Set new value of PIN CHV2
- to foobar
.
-
unblock CHV2 00:00:00:00:00:00
- Unblock PIN CHV2
using PUK
- 00:00:00:00:00:00
.
- The new PIN value is prompted by pinpad.
-
unblock CHV2 ""
- Set PIN CHV2
.
- The new PIN value is prompted by pinpad.
-
unblock CHV2
- Unblock PIN CHV2
.
- The unblock code and new PIN value are prompted by pinpad.
-
-
file-id
offs
data
- Binary update of the file specified by
- file-id
with the literal data
- data
starting from offset specified
- by offs
.
data
can be supplied as a sequencer
- of the hex values or as a "
enclosed string.
file-id
rec-nr
rec-offs
data
- Update record specified by rec-nr
of the file
- specified by file-id
with the literal data
- data
starting from offset specified by
- rec-offs
.
data
can be supplied as a sequence of the hex values or
- as a "
enclosed string.
key-type
key-id
[key
]
- Present a PIN or key to the card, where
- key-type
can be one of CHV
,
- KEY
, AUT
or PRO
.
- key-id
is a number representing the key or PIN reference.
- key
is the key or PIN to be verified, formatted as a
- colon-separated list of hex values or a "
enclosed string.
-
- If key
is omitted, the exact action depends on the
- card reader's features: if the card readers supports PIN input via a pin pad,
- then the PIN will be verified using the card reader's pin pad.
- If the card reader does not support PIN input, then the PIN will be asked
- interactively.
-
- Examples: -
verify CHV0 31:32:33:34:00:00:00:00
- Verify CHV2
using the hex value
- 31:32:33:34:00:00:00:00
-
verify CHV1 "secret"
- Verify CHV1
- using the string value secret
.
-
verify KEY2
- Verify KEY2
,
- get the value from the card reader's pin pad.
-
-
[open]
|[close]
- Calls the card's open
or close
Secure Messaging handler.
-
+ The following commands are supported at opensc-explorer's
+ interactive prompt or in script files passed via the command line parameter
+ SCRIPT
.
+
hex-data
+ Send a custom APDU command hex-data
.
file-id
+ Parse and print the ASN.1 encoded content of the file specified by
+ file-id
.
file-id
| sfi:short-id
]
+ Print the contents of the currently selected EF or the contents
+ of a file specified by file-id
or the short file id
+ short-id
.
+
file-id
| aid:DF-name
}
+
+ Change to another DF specified by the argument passed.
+ If the argument given is ..
, then move up one level in the
+ file system hierarchy.
+ If it is file-id
, which must be a DF directly
+ beneath the current DF, then change to that DF.
+ If it is an application identifier given as
+ aid:
DF-name
,
+ then jump to the MF of the application denoted by
+ DF-name
.
+
pin-ref
[[old-pin
] new-pin
]
+ Change a PIN, where pin-ref
is the PIN reference.
+ Examples: +
change CHV2 00:00:00:00:00:00 "foobar"
+ Change PIN CHV2
+ to the new value foobar
,
+ giving the old value 00:00:00:00:00:00
.
+
change CHV2 "foobar"
+ Set PIN CHV2
+ to the new value foobar
.
+
change CHV2
+ Change PIN CHV2
using the card reader's pinpad.
+
+
file-id
size
+ Create a new EF. file-id
specifies the
+ id number and size
is the size of the new file.
+
level
]
+ Set OpenSC debug level to level
.
If level
is omitted the current debug level will be shown.
file-id
+ Remove the EF or DF specified by file-id
hex-tag
[output
]
+ Copy the internal card's 'tagged' data into the local file.
The local file is specified by output
while the tag of
+ the card's data is specified by hex-tag
.
+
+ If output
is omitted, the name of the output file will be
+ derived from hex-tag
.
+
hex-tag
input
+ Update internal card's 'tagged' data.
hex-tag
is the tag of the card's data.
+ input
is the filename of the source file or the literal data presented as
+ a sequence of hexadecimal values or "
enclosed string.
+
string
...
+ Print the string
s given.
Erase the card, if the card supports it.
file-id
[output
]
+ Copy an EF to a local file. The local file is specified
+ by output
while the card file is specified by file-id
.
+
+ If output
is omitted, the name of the output file will be
+ derived from the full card path to file-id
.
+
file-id
]
+ Display attributes of a file specified by file-id
.
+ If file-id
is not supplied,
+ the attributes of the current file are printed.
pattern
...]
+ List files in the current DF.
+ If no pattern
is given, then all files are listed.
+ If one ore more pattern
s are given, only files matching
+ at least one pattern
are listed.
start-id
[end-id
]]
+ Find all files in the current DF.
+ Files are found by selecting all file identifiers in the range from start-fid
to end-fid
(by default from 0000 to FFFF).
start-tag
[end-tag
]]
+ Find all tags of data objects in the current context.
+ Tags are found by using GET DATA in the range from start-tag
to end-tag
(by default from 0000 to FFFF).
file-id
size
+ Create a DF. file-id
specifies the id number
+ and size
is the size of the new file.
file-id
input
+ Copy a local file to the card. The local file is specified
+ by input
while the card file is specified by file-id
.
+
Exit the program.
count
+ Generate random sequence of count
bytes.
file-id
+ Remove the EF or DF specified by file-id
pin-ref
[puk
[new pin
]]
+
+ Unblock the PIN denoted by pin-ref
+ using the PUK puk
, and set potentially
+ change its value to new pin
.
+
+ PUK and PIN values can be a sequence of hexadecimal values,
+ "
-enclosed strings, empty (""
),
+ or absent.
+ If they are absent, the values are read from the card reader's pin pad.
+
+ Examples: +
unblock CHV2 00:00:00:00:00:00 "foobar"
+ Unblock PIN CHV2
using PUK
+ 00:00:00:00:00:00
+ and set it to the new value foobar
.
+
unblock CHV2 00:00:00:00:00:00 ""
+ Unblock PIN CHV2
using PUK
+ 00:00:00:00:00:00
keeping the old value.
+
unblock CHV2 "" "foobar"
+ Set new value of PIN CHV2
+ to foobar
.
+
unblock CHV2 00:00:00:00:00:00
+ Unblock PIN CHV2
using PUK
+ 00:00:00:00:00:00
.
+ The new PIN value is prompted by pinpad.
+
unblock CHV2 ""
+ Set PIN CHV2
.
+ The new PIN value is prompted by pinpad.
+
unblock CHV2
+ Unblock PIN CHV2
.
+ The unblock code and new PIN value are prompted by pinpad.
+
+
file-id
offs
data
+ Binary update of the file specified by
+ file-id
with the literal data
+ data
starting from offset specified
+ by offs
.
data
can be supplied as a sequencer
+ of the hex values or as a "
enclosed string.
file-id
rec-nr
rec-offs
data
+ Update record specified by rec-nr
of the file
+ specified by file-id
with the literal data
+ data
starting from offset specified by
+ rec-offs
.
data
can be supplied as a sequence of the hex values or
+ as a "
enclosed string.
key-type
key-id
[key
]
+ Present a PIN or key to the card, where
+ key-type
can be one of CHV
,
+ KEY
, AUT
or PRO
.
+ key-id
is a number representing the key or PIN reference.
+ key
is the key or PIN to be verified, formatted as a
+ colon-separated list of hex values or a "
enclosed string.
+
+ If key
is omitted, the exact action depends on the
+ card reader's features: if the card readers supports PIN input via a pin pad,
+ then the PIN will be verified using the card reader's pin pad.
+ If the card reader does not support PIN input, then the PIN will be asked
+ interactively.
+
+ Examples: +
verify CHV0 31:32:33:34:00:00:00:00
+ Verify CHV2
using the hex value
+ 31:32:33:34:00:00:00:00
+
verify CHV1 "secret"
+ Verify CHV1
+ using the string value secret
.
+
verify KEY2
+ Verify KEY2
,
+ get the value from the card reader's pin pad.
+
+
[open]
|[close]
+ Calls the card's open
or close
Secure Messaging handler.
+
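Review bot: the -/+ pair from -742 to +747 re-indents the whole opensc-explorer command list without changing its wording, so the defects in the removed text come back verbatim in the added text; since every line is touched anyway, fix them in this change: in the `verify` examples, `verify CHV0 31:32:33:34:00:00:00:00` is described as "Verify CHV2 using the hex value", which should read CHV0; the `find` synopsis names its arguments `start-id` and `end-id` but the description says "from start-fid to end-fid"; "If one ore more pattern s are given" should be "one or more"; "can be supplied as a sequencer of the hex values" should be "a sequence of the hex values"; "and set potentially change its value to new pin" should be "and optionally change its value to new pin"; and "if the card readers supports PIN input via a pin pad" should be "if the card reader supports".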
piv-tool — smart card utility for HSPD-12 PIV cards
piv-tool
[OPTIONS
]
The piv-tool utility can be used from the command line to perform miscellaneous smart card operations on a HSPD-12 PIV smart card as defined in NIST 800-73-3. It is intended for use with test cards only. It can be used to load objects, and generate key pairs, as well as send arbitrary APDU commands to a card after having authenticated to the card using the card key provided by the card vendor. -
--serial
Print the card serial number derived from the CHUID object, @@ -1010,15 +1016,16 @@ to enable debug output in the opensc library.
Causes piv-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.
-
pkcs11-tool — utility for managing and using PKCS #11 security tokens
pkcs11-tool
[OPTIONS
]
pkcs11-tool — utility for managing and using PKCS #11 security tokens
pkcs11-tool
[OPTIONS
]
The pkcs11-tool utility is used to manage the data objects on smart cards and similar PKCS #11 security tokens. Users can list and read PINs, keys and certificates stored on the token. User PIN authentication is performed for those operations that require it. -
--attr-from
filename
Extract information from filename
@@ -1243,7 +1250,7 @@ to enable debug output in the opensc library.
--generate-random
num
Get num
bytes of random data.
-
To list all certificates on the smart card:
pkcs11-tool --list-objects --type cert
@@ -1259,12 +1266,13 @@ to enable debug output in the opensc library.
using the private key with ID ID
and
using the RSA-PKCS mechanism:
pkcs11-tool --sign --id ID --mechanism RSA-PKCS --input-file data --output-file data.sig
-
pkcs15-crypt — perform crypto operations using PKCS#15 smart cards
pkcs15-crypt
[OPTIONS
]
pkcs15-crypt — perform crypto operations using PKCS#15 smart cards
pkcs15-crypt
[OPTIONS
]
The pkcs15-crypt utility can be used from the command line to perform cryptographic operations such as computing digital signatures or decrypting data, using keys stored on a PKCS#15 compliant smart card. -
--version
,
Print the OpenSC package release version.
Causes pkcs15-crypt to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.
-
pkcs15-init — smart card personalization utility
pkcs15-init
[OPTIONS
]
The pkcs15-init utility can be used to create a PKCS #15 structure on a smart card, and add key or certificate objects. Details of the structure that will be created are controlled via profiles.
The profile used by default is pkcs15. Alternative
profiles can be specified via the -p
switch.
-
pkcs15-init can be used to create a PKCS #15 structure on
your smart card, create PINs, and install keys and certificates on the card.
This process is also called personalization
.
@@ -1403,7 +1412,7 @@ to enable debug output in the opensc library.
are protected and cannot be parsed without authentication (usually with User PIN).
This authentication need to be done immediately after the card binding.
In such cases --verify-pin
has to be used.
-
This is the first step during card personalization, and will create the basic files on the card. To create the initial PKCS #15 structure, invoke the utility as
@@ -1413,7 +1422,7 @@ to enable debug output in the opensc library.
If the card supports it, you should erase the contents of the card with pkcs15-init --erase-card before creating the PKCS#15 structure. -
Before installing any user objects such as private keys, you need at least one PIN to protect these objects. you can do this using
@@ -1427,7 +1436,7 @@ to enable debug output in the opensc library.
To set a label for this PIN object (which can be used by applications to display
a meaningful prompt to the user), use the --label
command line option.
-
pkcs15-init lets you generate a new key and store it on the card. You can do this using:
@@ -1445,7 +1454,7 @@ to enable debug output in the opensc library.
In addition to storing the private portion of the key on the card, pkcs15-init will also store the the public portion of the key as a PKCS #15 public key object. -
You can use a private key generated by other means and upload it to the card.
For instance, to upload a private key contained in a file named
okir.pem
, which is in PEM format, you would use
@@ -1469,7 +1478,7 @@ to enable debug output in the opensc library.
a file. A PKCS #12 file usually contains the X.509 certificate corresponding to the private key. If that is the case, pkcs15-init will store the certificate instead of the public key portion. -
You can also upload individual public keys to the card using the
--store-public-key
option, which takes a filename as an
argument. This file is supposed to contain the public key. If you don't
@@ -1480,12 +1489,12 @@ to enable debug output in the opensc library.
Since the corresponding public keys are always uploaded automatically when generating a new key, or when uploading a private key, you will probably use this option only very rarely. -
You can upload certificates to the card using the
--store-certificate
option, which takes a filename as
an argument. This file is supposed to contain the PEM encoded X.509
certificate.
-
Most browsers nowadays use PKCS #12 format files when you ask them to export your key and certificate to a file. pkcs15-init is capable of parsing these files, and storing their contents on the @@ -1499,7 +1508,7 @@ to enable debug output in the opensc library.
and protect it with the PIN referenced by authentication ID 01
.
It will also store any X.509 certificates contained in the file, which is
usually the user certificate that goes with the key, as well as the CA certificate.
-
You can use a secret key generated by other means and upload it to the card. For instance, to upload an AES-secret key generated by the system random generator you would use @@ -1508,7 +1517,7 @@ to enable debug output in the opensc library.
By default a random ID is generated for the secret key. You may specify an ID
with the --id
if needed.
-
--version
,
Print the OpenSC package release version.
contain one long option per line, without the leading dashes, for instance:
- pin 1234 - puk 87654321 +pin 1234 +puk 87654321
You can specify --options-file
several times.
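Review bot: the `--options-file` example changes from the indented ` pin 1234` / ` puk 87654321` to the unindented `pin 1234` / `puk 87654321`, which matches the sentence above it ("one long option per line, without the leading dashes") and is the form a user should paste into the file; the leading whitespace only shows in the rendered page if the example sits in a verbatim element, so check that the enclosing element preserves whitespace rather than normalising it, otherwise the change has no visible effect.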
@@ -1845,16 +1854,17 @@ to enable debug output in the opensc library.
Display help message
-
pkcs15-tool — utility for manipulating PKCS #15 data structures - on smart cards and similar security tokens
pkcs15-tool
[OPTIONS
]
pkcs15-tool — utility for manipulating PKCS #15 data structures + on smart cards and similar security tokens
pkcs15-tool
[OPTIONS
]
The pkcs15-tool utility is used to manipulate the PKCS #15 data structures on smart cards and similar security tokens. Users can list and read PINs, keys and certificates stored on the token. User PIN authentication is performed for those operations that require it. -
--version
,
Print the OpenSC package release version.
wait for a card insertion.
--use-pinpad
Do not prompt the user; if no PINs supplied, pinpad will be used.
-
sc-hsm-tool — smart card utility for SmartCard-HSM
sc-hsm-tool
[OPTIONS
]
The sc-hsm-tool utility can be used from the command line to perform extended maintenance tasks not available via PKCS#11 or other tools in the OpenSC package. It can be used to query the status of a SmartCard-HSM, initialize a device, generate and import Device Key Encryption Key (DKEK) shares and to wrap and unwrap keys. -
--initialize
,
-X
@@ -2075,15 +2086,16 @@ to enable debug output in the opensc library.
Causes sc-hsm-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.
-
Create a DKEK share:
sc-hsm-tool --create-dkek-share dkek-share-1.pbe
Create a DKEK share with random password split up using a (3, 5) threshold scheme:
sc-hsm-tool --create-dkek-share dkek-share-1.pbe --pwd-shares-threshold 3 --pwd-shares-total 5
Initialize SmartCard-HSM to use a single DKEK share:
sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 --dkek-shares 1 --label mytoken
Import DKEK share:
sc-hsm-tool --import-dkek-share dkek-share-1.pbe
Import DKEK share using a password split up using a (3, 5) threshold scheme for encryption:
sc-hsm-tool --import-dkek-share dkek-share-1.pbe --pwd-shares-total 3
Wrap referenced key, description and certificate:
sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1 --pin 648219
Unwrap key into same or in different SmartCard-HSM with the same DKEK:
sc-hsm-tool --unwrap-key wrap-key.bin --key-reference 10 --pin 648219 --force
Create a DKEK share:
sc-hsm-tool --create-dkek-share dkek-share-1.pbe
Create a DKEK share with random password split up using a (3, 5) threshold scheme:
sc-hsm-tool --create-dkek-share dkek-share-1.pbe --pwd-shares-threshold 3 --pwd-shares-total 5
Initialize SmartCard-HSM to use a single DKEK share:
sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 --dkek-shares 1 --label mytoken
Import DKEK share:
sc-hsm-tool --import-dkek-share dkek-share-1.pbe
Import DKEK share using a password split up using a (3, 5) threshold scheme for encryption:
sc-hsm-tool --import-dkek-share dkek-share-1.pbe --pwd-shares-total 3
Wrap referenced key, description and certificate:
sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1 --pin 648219
Unwrap key into same or in different SmartCard-HSM with the same DKEK:
sc-hsm-tool --unwrap-key wrap-key.bin --key-reference 10 --pin 648219 --force
westcos-tool — utility for manipulating data structures - on westcos smart cards
westcos-tool
[OPTIONS
]
westcos-tool — utility for manipulating data structures + on westcos smart cards
westcos-tool
[OPTIONS
]
The westcos-tool utility is used to manipulate the westcos data structures on 2 Ko smart cards / tokens. Users can create PINs, keys and certificates stored on the card / token. User PIN authentication is performed for those operations that require it. -
--change-pin
,
-n
@@ -2165,8 +2177,8 @@ to enable debug output in the opensc library.
from disk to card.
On the card the file is written in filename
.
User authentication is required for this operation.
-
pkcs15-profile — format of profile for pkcs15-init
The pkcs15-init utility for PKCS #15 smart card personalization is controlled via profiles. When starting, it will read two such profiles at the moment, a generic application profile, and a card @@ -2182,10 +2194,10 @@ to enable debug output in the opensc library.
The card specific profile contains additional information required during card initialization, such as location of PIN files, key references etc. Profiles currently reside in @pkgdatadir@ -