From 47ee3a3978eef843d74b616a99d2eae4e16258e7 Mon Sep 17 00:00:00 2001
From: Frank Morgner Table of Contents opensc.conf — configuration file for OpenSC
+ OpenSC obtains configuration data from the following sources in the following order
+
+ command-line options
+
+ environment variables
+
+ Windows registry (if available)
+
+ system-wide configuration file
+ (
+
+ The configuration file,
+
+ #
+
+
+
+ At the root level,
+
+
+
+
+
+
+
+
+ Amount of debug info to print (Default:
+
+ The environment variable
+
+ The file to which debug output will be written
+ (Default:
+ PKCS#15 initialization/personalization profiles
+ directory for
+ pkcs15-init(1).
+
+ (Default:
+ If this configuration value is not found on
+ Windows, the registry key
+
+ Disable pop-ups of built-in GUI (Default:
+ Enable default card driver (Default:
+
+ Whitelist of card drivers to load at start-up.
+ The special value
+ If an unknown (i.e. not internal or old) driver is
+ supplied, a separate configuration configuration
+ block has to be written for the driver. A special
+ value
+ The list of supported card driver names can be
+ retrieved from the output of opensc-tool
+ --list-drivers.
+
+ The environment variable
+
+ List of readers to ignore (Default: empty). If any
+ of the comma separated strings listed is matched in
+ a reader name (case sensitive, partial matching
+ possible), the reader is ignored by OpenSC. Use
+ opensc-tool --list-readers to
+ see all currently connected readers.
+
+ Configuration of the smart card reader driver where
+
+
+
+
+
+ See the section called “Configuration of Smart Card Reader Driver”.
+
+ Configuration of the card driver where
+
+
+ Any other value: Configuration block for an externally loaded card driver
+
+
+ In addition to the built-in list of known cards in
+ the card driver, you can configure a new card for
+ the driver using the
+ For details see the section called “Configuration based on ATR”.
+
+ Configuration options for the secure messaging profile
+ Name of external SM module (Default: libsmm-local.so).
+
+ Directory with external SM module
+ (Default: /home/fm/.local/lib).
+
+ If this configuration value is not
+ found on Windows, the registry key
+
+ Specific data to tune the module initialization.
+
+ Secure messaging mode. Known parameters:
+
+
+
+
+ Secure messaging type specific flags.
+
+ Default KMC of the GP Card Manager for the Oberthur's Java cards.
+
+ Keyset values from IAM profiles of
+ the Gemalto IAS/ECC cards with an
+ optional application identifier
+
+ Internal configuration options where
+
+
+
+ Parameters for the OpenSC PKCS11 module.
+
+ For details see the section called “Configuration of PKCS#11”.
+
+ Limit command and response sizes
+ (Default:
+
+ Detect reader capabilities with
+ escape commands (wrapped APDUs with
+ CLA=0xFF as defined by PC/SC pt. 3
+ and BSI TR-03119, e.g. for getting
+ the UID, escaped PIN commands and
+ the reader's firmware version,
+ Default:
+ Load the specified CT-API module with the specified number of ports.
+
+ Connect to reader in exclusive mode
+ (Default:
+ What to do when disconnecting from
+ a card (SCardDisconnect). Valid
+ values are
+
+ What to do at the end of a
+ transaction (SCardEndTransaction).
+ Valid values
+ are
+ What to do when reconnection to a
+ card (SCardReconnect). Valid values
+ are
+ Enable pinpad if detected (PC/SC
+ v2.0.2 Part 10, Default:
+
+ Some pinpad readers can only handle
+ one exact length of the PIN.
+
+ Use specific PC/SC provider
+ (Default:
+
+ German ID card requires the CAN to
+ be verified before QES PIN. This,
+ however, is not part of the PKCS#15
+ profile of the card. So for
+ verifying the QES PIN we actually
+ need both. The CAN may be given
+ here. If the CAN is not given here,
+ it will be prompted on the command
+ line or on the reader (depending on
+ the reader's capabilities).
+
+ QES is only possible with a Comfort
+ Reader (CAT-K), which holds a
+ cryptographic key to authenticate
+ itself as signature terminal (ST).
+ We usually will use the reader's
+ capability to sign the data.
+ However, during developement you
+ may specify soft certificates and
+ keys for a ST.
+
+ An example PKI can be found in the
+ example data for the
+ German
+ ID card emulator
+
+ Configure the warning message when
+ performing a signature operation
+ with the DNIe. Only used if
+ compiled with
+
+ Specify the pinentry application to
+ use if warning is configured to be
+ displayed using pinentry (Default:
+
+
+ The mask is logically AND'd with an
+ card ATR prior to comparison with
+ the ATR reference value above.
+ Using this mask allows identifying
+ and configuring multiple ATRs as
+ the same card model.
+
+ When enabled, overrides all
+ possible settings from the card
+ drivers built-in card configuration
+ list.
+
+ Set card name for card drivers that
+ allows it.
+
+ Allows setting the exact type of
+ the card internally used by the
+ card driver. Allowed values can be
+ found in the source code of
+
+ Card flags as an hex value.
+ Multiple values are OR'd together.
+ Depending on card driver, this
+ allows fine-tuning the capabilities
+ in the card driver for your card.
+
+ Optionally, some known parameters
+ can be specified as strings:
+
+
+
+
+ When using PKCS#15 emulation, force
+ the emulation driver for specific
+ cards. Required for external
+ drivers, but can be used with
+ built-in drivers, too.
+
+ Force protocol selection for
+ specific cards. Known parameters:
+
+
+
+
+
+ Mark card as read/only card in
+ Minidriver/BaseCSP interface
+ (Default:
+ Indicate X509 enrollment support at
+ Minidriver/BaseCSP interface
+ (Default:
+ Use the GUID generated for the key
+ as id in the PKCS#15 structure
+ (Default:
+ Use the GUID generated for the key
+ as label in the PKCS#15 structure
+ (Default:
+ Card allows generating key pairs on the card (Default:
+ Card allows importing private keys
+ (Default:
+ Window title of the PIN pad dialog
+ (Default:
+ Filename of the icon for the PIN
+ pad dialog; use
+
+ Main instruction of the PIN pad
+ dialog (Default:
+ Content of the PIN pad dialog for
+ role "user" (Default:
+
+ Content of the PIN pad dialog for
+ role "user+signature" (Default:
+
+ Content of the PIN pad dialog for
+ role "user+signature" (Default:
+
+ Content of the PIN pad dialog for
+ role "admin" (Default:
+
+ Content of the PIN pad dialog after
+ pressing "Cancel", when the reader
+ doesn't respond to SCardCancel
+
+ Expanded information of the PIN pad
+ dialog (Default:
+ Expanded information of the PIN pad
+ dialog after pressing "Cancel",
+ when the reader doesn't respond to
+ SCardCancel (Default:
+
+ Allow the user to cancel the PIN
+ pad dialog (Default:
+
+ Time in seconds for the progress
+ bar of the PIN pad dialog to tick.
+
+ Notification title and text when
+ card was inserted (Default:
+
+ Notification title and text when
+ card was removed (Default:
+
+ Notification title and text when
+ PIN was verified (Default:
+
+ Notification title and text when
+ PIN was wrong (Default:
+
+
+ Whether to cache the card's files (e.g.
+ certificates) on disk in
+
+ If caching is done by a system process, the
+ cached files may be placed inaccessible from
+ the user account. Use a globally readable and
+ writable location if you wish to share the
+ cached information. Note that the cached files
+ may contain personal data such as name and mail
+ address.
+
+ Where to cache the card's files. The default values are:
+
+
+
+
+ If caching is done by a system process, the
+ cached files may be placed inaccessible from
+ a user account. Use a globally readable and
+ writable location if you wish to share the
+ cached information. Note that the cached files
+ may contain personal data such as name and mail
+ address.
+
+ Use PIN caching (Default:
+ How many times to use a PIN from cache before
+ re-authenticating it (Default:
+
+ Older PKCS#11 applications not supporting
+
+ Enable pkcs15 emulation (Default:
+
+ Prefer pkcs15 emulation code before the normal
+ pkcs15 processing (Default:
+
+ Enable builtin emulators (Default:
+
+ List of the builtin pkcs15 emulators to test
+ (Default:
+ Enable initialization and card recognition
+ (Default:
+ Configuration options for a PKCS#15 emulator
+ where
+ For pkcs15 emulators loaded from an
+ external shared library/DLL, you need to
+ specify the path name of the module and
+ customize the card_atr example above
+ correctly.
+
+ Get the init function name of the
+ emulator (Default:
+
+ Configuration of the on-card-application where
+
+ Type of application where
+
+
+
+
+ Used to distinguish the common access
+ application and application for which
+ authentication to perform some
+ operation cannot be obtained with the
+ common procedures (ex. object creation
+ protected by secure messaging). Used
+ by PKCS#11 module configured to expose
+ restricted number of slots. (for ex.
+ configured to expose only User PIN
+ slot, User and Sign PINs slots, ...)
+
+ Do not expose application in PKCS#15
+ framework (Default:
+
+ Score for OpenSC.tokend
+ (Default:
+ Tokend ignore to read PIN protected certificate
+ that is set
+
+ Maximum Number of virtual slots (Default:
+
+ Maximum number of slots per smart card (Default:
+
+ By default, the OpenSC PKCS#11 module will not lock
+ your card once you authenticate to the card via
+
+ Also, if your card is not locked, you can enconter
+ problems due to limitation of the OpenSC framework,
+ that still is not thoroughly tested in the multi
+ threads environment.
+
+ Your settings will be more secure if you choose to
+ lock your card. Nevertheless this behavior is a
+ known violation of PKCS#11 specification. Now once
+ one application has started using your card with
+
+ Thus it is impossible to use several smart card
+ aware applications at the same time, e.g. you
+ cannot run both Firefox
+ and Thunderbird at the
+ same time, if both are configured to use your smart
+ card.
+
+ By default, interacting with the OpenSC PKCS#11
+ module may change the state of the token, e.g.
+ whether a user is logged in or not (Default:
+
+ Thus other users or other applications may change
+ or use the state of the token unknowingly. Other
+ applications may create signatures abusing an
+ existing login or they may logout unnoticed.
+
+ With this setting enabled the login state of the
+ token is tracked and cached (including the PIN).
+ Every transaction is preceded by restoring the
+ login state. After every transaction a logout is
+ performed. This setting by default also enables
+
+ Please note that any PIN-pad should be disabled
+ (see
+ With this setting disabled, the OpenSC PKCS#11
+ module will initialize the slots available when the
+ application calls
+ This setting is a workaround for
+ Java which does not call
+
+ User PIN unblock style
+
+
+
+
+
+ Create slot for unblocking PIN with PUK (Default:
+
+ Symbolic names of PINs for which slots are created
+ where
+
+
+
+
+ Card can contain more then one PINs or more then
+ one on-card application with its own PINs.
+ Normally, to access all of them with the PKCS#11
+ API a slot has to be created for all of them. Many
+ slots could be annoying for some of widely used
+ application, like FireFox. This configuration
+ parameter allows to select the PIN(s) for which
+ PKCS#11 slot will be created.
+
+ Only PINs initialised, non-SO-PIN, non-unblocking
+ are associated with symbolic name.
+
+ For the module to simulate the opensc-onepin module
+ behavior the following option
+
+ Filename for a user defined configuration file
+
+ If this environment variable is not found on
+ Windows, the registry key
+
+ See
+
+ See
+
+ Write minidriver debug information to
+
+ If this environment variable is not found on
+ Windows, the registry key
+
+ PIV configuration during initialization with
+ piv-tool.
+ pkcs15-profile — format of profile for pkcs15-init
+ The pkcs15-init utility for PKCS #15 smart card
+ personalization is controlled via profiles. When starting, it will read two
+ such profiles at the moment, a generic application profile, and a card
+ specific profile. The generic profile must be specified on the command line,
+ while the card-specific file is selected based on the type of card detected.
+
+ The generic application profile defines general information about the card
+ layout, such as the path of the application DF, various PKCS #15 files within
+ that directory, and the access conditions on these files. It also defines
+ general information about PIN, key and certificate objects. Currently, there
+ is only one such generic profile,
+ The card specific profile contains additional information required during
+ card initialization, such as location of PIN files, key references etc.
+ Profiles currently reside in Table of Contents opensc.conf — configuration file for OpenSC
+ OpenSC obtains configuration data from the following sources in the following order
+
+ command-line options
+
+ environment variables
+
+ Windows registry (if available)
+
+ system-wide configuration file
+ (
+
+ The configuration file,
+
+ #
+
+
+
+ At the root level,
+
+
+
+
+
+
+
+
+ Amount of debug info to print (Default:
+
+ The environment variable
+
+ The file to which debug output will be written
+ (Default:
+ PKCS#15 initialization/personalization profiles
+ directory for
+ pkcs15-init(1).
+
+ (Default:
+ If this configuration value is not found on
+ Windows, the registry key
+
+ Disable pop-ups of built-in GUI (Default:
+ Enable default card driver (Default:
+
+ Whitelist of card drivers to load at start-up.
+ The special value
+ If an unknown (i.e. not internal or old) driver is
+ supplied, a separate configuration configuration
+ block has to be written for the driver. A special
+ value
+ The list of supported card driver names can be
+ retrieved from the output of opensc-tool
+ --list-drivers.
+
+ The environment variable
+
+ List of readers to ignore (Default: empty). If any
+ of the comma separated strings listed is matched in
+ a reader name (case sensitive, partial matching
+ possible), the reader is ignored by OpenSC. Use
+ opensc-tool --list-readers to
+ see all currently connected readers.
+
+ Configuration of the card reader driver where
+
+
+
+
+
+ For details see the section called “
+ Configuration of the card driver where
+
+
+ Any other value: Configuration block for an externally loaded card driver
+
+
+ In addition to the built-in list of known cards in
+ the card driver, you can configure a new card for
+ the driver using the
+ For details see the section called “
+ Configuration options for the secure messaging profile
+ Name of external SM module (Default: libsmm-local.so).
+
+ Directory with external SM module
+ (Default: /home/fm/.local/lib).
+
+ If this configuration value is not
+ found on Windows, the registry key
+
+ Specific data to tune the module initialization.
+
+ Secure messaging mode. Known parameters:
+
+
+
+
+ Secure messaging type specific flags.
+
+ Default KMC of the GP Card Manager for the Oberthur's Java cards.
+
+ Keyset values from IAM profiles of
+ the Gemalto IAS/ECC cards with an
+ optional application identifier
+
+ Internal configuration options where
+
+
+
+ Parameters for the OpenSC PKCS11 module.
+
+ For details see the section called “
+ Limit command and response sizes
+ (Default:
+
+ Detect reader capabilities with
+ escape commands (wrapped APDUs with
+ CLA=0xFF as defined by PC/SC pt. 3
+ and BSI TR-03119, e.g. for getting
+ the UID, escaped PIN commands and
+ the reader's firmware version,
+ Default:
+ Load the specified CT-API module with the specified number of ports.
+
+ Connect to reader in exclusive mode
+ (Default:
+ What to do when disconnecting from
+ a card (SCardDisconnect). Valid
+ values are
+
+ What to do at the end of a
+ transaction (SCardEndTransaction).
+ Valid values
+ are
+ What to do when reconnection to a
+ card (SCardReconnect). Valid values
+ are
+ Enable pinpad if detected (PC/SC
+ v2.0.2 Part 10, Default:
+
+ Some pinpad readers can only handle
+ one exact length of the PIN.
+
+ Use specific PC/SC provider
+ (Default:
+
+ German ID card requires the CAN to
+ be verified before QES PIN. This,
+ however, is not part of the PKCS#15
+ profile of the card. So for
+ verifying the QES PIN we actually
+ need both. The CAN may be given
+ here. If the CAN is not given here,
+ it will be prompted on the command
+ line or on the reader (depending on
+ the reader's capabilities).
+
+ QES is only possible with a Comfort
+ Reader (CAT-K), which holds a
+ cryptographic key to authenticate
+ itself as signature terminal (ST).
+ We usually will use the reader's
+ capability to sign the data.
+ However, during developement you
+ may specify soft certificates and
+ keys for a ST.
+
+ An example PKI can be found in the
+ example data for the
+ German
+ ID card emulator
+
+ Configure the warning message when
+ performing a signature operation
+ with the DNIe. Only used if
+ compiled with
+
+ Specify the pinentry application to
+ use if warning is configured to be
+ displayed using pinentry (Default:
+
+
+ Configuration options specified by the card's ATR:
+
+ The mask is logically AND'd with an
+ card ATR prior to comparison with
+ the ATR reference value above.
+ Using this mask allows identifying
+ and configuring multiple ATRs as
+ the same card model.
+
+ When enabled, overrides all
+ possible settings from the card
+ drivers built-in card configuration
+ list.
+
+ Set card name for card drivers that
+ allows it.
+
+ Allows setting the exact type of
+ the card internally used by the
+ card driver. Allowed values can be
+ found in the source code of
+
+ Card flags as an hex value.
+ Multiple values are OR'd together.
+ Depending on card driver, this
+ allows fine-tuning the capabilities
+ in the card driver for your card.
+
+ Optionally, some known parameters
+ can be specified as strings:
+
+
+
+
+ When using PKCS#15 emulation, force
+ the emulation driver for specific
+ cards. Required for external
+ drivers, but can be used with
+ built-in drivers, too.
+
+ Force protocol selection for
+ specific cards. Known parameters:
+
+
+
+
+
+ Mark card as read/only card in
+ Minidriver/BaseCSP interface
+ (Default:
+ Indicate X509 enrollment support at
+ Minidriver/BaseCSP interface
+ (Default:
+ Use the GUID generated for the key
+ as id in the PKCS#15 structure
+ (Default:
+ Use the GUID generated for the key
+ as label in the PKCS#15 structure
+ (Default:
+ Card allows generating key pairs on the card (Default:
+ Card allows importing private keys
+ (Default:
+ Window title of the PIN pad dialog
+ (Default:
+ Filename of the icon for the PIN
+ pad dialog; use
+
+ Main instruction of the PIN pad
+ dialog (Default:
+ Content of the PIN pad dialog for
+ role "user" (Default:
+
+ Content of the PIN pad dialog for
+ role "user+signature" (Default:
+
+ Content of the PIN pad dialog for
+ role "user+signature" (Default:
+
+ Content of the PIN pad dialog for
+ role "admin" (Default:
+
+ Content of the PIN pad dialog after
+ pressing "Cancel", when the reader
+ doesn't respond to SCardCancel
+
+ Expanded information of the PIN pad
+ dialog (Default:
+ Expanded information of the PIN pad
+ dialog after pressing "Cancel",
+ when the reader doesn't respond to
+ SCardCancel (Default:
+
+ Allow the user to cancel the PIN
+ pad dialog (Default:
+
+ Time in seconds for the progress
+ bar of the PIN pad dialog to tick.
+
+ Notification title and text when
+ card was inserted (Default:
+
+ Notification title and text when
+ card was removed (Default:
+
+ Notification title and text when
+ PIN was verified (Default:
+
+ Notification title and text when
+ PIN was wrong (Default:
+
+
+ Whether to cache the card's files (e.g.
+ certificates) on disk in
+
+ If caching is done by a system process, the
+ cached files may be placed inaccessible from
+ the user account. Use a globally readable and
+ writable location if you wish to share the
+ cached information. Note that the cached files
+ may contain personal data such as name and mail
+ address.
+
+ Where to cache the card's files. The default values are:
+
+
+
+
+ If caching is done by a system process, the
+ cached files may be placed inaccessible from
+ a user account. Use a globally readable and
+ writable location if you wish to share the
+ cached information. Note that the cached files
+ may contain personal data such as name and mail
+ address.
+
+ Use PIN caching (Default:
+ How many times to use a PIN from cache before
+ re-authenticating it (Default:
+
+ Older PKCS#11 applications not supporting
+
+ Enable pkcs15 emulation (Default:
+
+ Prefer pkcs15 emulation code before the normal
+ pkcs15 processing (Default:
+
+ Enable builtin emulators (Default:
+
+ List of the builtin pkcs15 emulators to test
+ (Default:
+ Enable initialization and card recognition in
+ PKCS#11 layer (Default:
+
+ Configuration options for a PKCS#15 emulator
+ where
+ For pkcs15 emulators loaded from an
+ external shared library/DLL, you need to
+ specify the path name of the module and
+ customize the card_atr example above
+ correctly.
+
+ Get the init function name of the
+ emulator (Default:
+
+ Configuration of the on-card-application where
+
+ Type of application where
+
+
+
+
+ Used to distinguish the common access
+ application and application for which
+ authentication to perform some
+ operation cannot be obtained with the
+ common procedures (ex. object creation
+ protected by secure messaging). Used
+ by PKCS#11 module configured to expose
+ restricted number of slots. (for ex.
+ configured to expose only User PIN
+ slot, User and Sign PINs slots, ...)
+
+ Do not expose application in PKCS#15
+ framework (Default:
+
+ Score for OpenSC.tokend
+ (Default:
+ Tokend ignore to read PIN protected certificate
+ that is set
+
+ Maximum Number of virtual slots (Default:
+
+ Maximum number of slots per smart card (Default:
+
+ By default, the OpenSC PKCS#11 module will not lock
+ your card once you authenticate to the card via
+
+ Also, if your card is not locked, you can enconter
+ problems due to limitation of the OpenSC framework,
+ that still is not thoroughly tested in the multi
+ threads environment.
+
+ Your settings will be more secure if you choose to
+ lock your card. Nevertheless this behavior is a
+ known violation of PKCS#11 specification. Now once
+ one application has started using your card with
+
+ Thus it is impossible to use several smart card
+ aware applications at the same time, e.g. you
+ cannot run both Firefox
+ and Thunderbird at the
+ same time, if both are configured to use your smart
+ card.
+
+ By default, interacting with the OpenSC PKCS#11
+ module may change the state of the token, e.g.
+ whether a user is logged in or not (Default:
+
+ Thus other users or other applications may change
+ or use the state of the token unknowingly. Other
+ applications may create signatures abusing an
+ existing login or they may logout unnoticed.
+
+ With this setting enabled the login state of the
+ token is tracked and cached (including the PIN).
+ Every transaction is preceded by restoring the
+ login state. After every transaction a logout is
+ performed. This setting by default also enables
+
+ Please note that any PIN-pad should be disabled
+ (see
+ With this setting disabled, the OpenSC PKCS#11
+ module will initialize the slots available when the
+ application calls
+ This setting is a workaround for
+ Java which does not call
+
+ User PIN unblock style
+
+
+
+
+
+ Create slot for unblocking PIN with PUK (Default:
+
+ Symbolic names of PINs for which slots are created
+ where
+
+
+
+
+ Card can contain more then one PINs or more then
+ one on-card application with its own PINs.
+ Normally, to access all of them with the PKCS#11
+ API a slot has to be created for all of them. Many
+ slots could be ennoying for some of widely used
+ application, like FireFox. This configuration
+ parameter allows to select the PIN(s) for which
+ PKCS#11 slot will be created.
+
+ Only PINs initialised, non-SO-PIN, non-unblocking
+ are associated with symbolic name.
+
+ For the module to simulate the opensc-onepin module
+ behavior the following option
+
+ Filename for a user defined configuration file
+
+ If this environment variable is not found on
+ Windows, the registry key
+
+ Write minidriver debug information to
+
+ If this environment variable is not found on
+ Windows, the registry key
+
+ PIV configuration during initialization with
+ piv-tool.
+ pkcs15-profile — format of profile for pkcs15-init
+ The pkcs15-init utility for PKCS #15 smart card
+ personalization is controlled via profiles. When starting, it will read two
+ such profiles at the moment, a generic application profile, and a card
+ specific profile. The generic profile must be specified on the command line,
+ while the card-specific file is selected based on the type of card detected.
+
+ The generic application profile defines general information about the card
+ layout, such as the path of the application DF, various PKCS #15 files within
+ that directory, and the access conditions on these files. It also defines
+ general information about PIN, key and certificate objects. Currently, there
+ is only one such generic profile, pkcs15.profile.
+
+ The card specific profile contains additional information required during
+ card initialization, such as location of PIN files, key references etc.
+ Profiles currently reside in @pkgdatadir@
+ Table of Contents Table of Contents Table of Contents cardos-tool — displays information about Card OS-based security tokens or format them
-
The cardos-tool utility is used to display information about
smart cards and similar security tokens based on Siemens Card/OS M4.
-
Use the card driver specified by Format the card or token. Print help message on screen. Display information about the card or token.
Specify the reader to use. By default, the first
reader with a present card is used. If
Specify startkey for format. Change Startkey with given APDU command. Causes cardos-tool to be more verbose.
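Review bot: The added opensc.conf text in this hunk is pasted twice, once from "OpenSC obtains configuration data from the following sources" through "Profiles currently reside in" and again from the second "OpenSC obtains configuration data" through "Profiles currently reside in @pkgdatadir@", and the two copies have already drifted (the first says "Configuration of the smart card reader driver", the second "Configuration of the card reader driver"; the first spells "annoying", the second "ennoying"; only the second names pkcs15.profile and the @pkgdatadir@ placeholder), so keep a single copy, the second one with "annoying" restored. In the same text, the default "Directory with external SM module (Default: /home/fm/.local/lib)" is a developer's home directory baked into generated documentation; because this directory is where a secure-messaging shared object gets loaded from, the documented default should be the build-time placeholder in the same @...@ form as @pkgdatadir@ rather than a path under one user account that other users cannot vouch for. Smaller points: "supplied, a separate configuration configuration" repeats the word, "developement" should read "development", and the PIN pad dialog entry for role "user+signature" is listed twice. The hunk also arrives without its @@ header, so the file and line range it applies to cannot be checked from what is posted.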
@@ -84,13 +96,13 @@ smart cards and similar security tokens based on Siemens Card/OS M4.
Causes cardos-tool to wait for the token
to be inserted into reader.
- cryptoflex-tool — utility for manipulating Schlumberger Cryptoflex data structures cryptoflex-tool — utility for manipulating Schlumberger Cryptoflex data structures
cryptoflex-tool is used to manipulate PKCS
data structures on Schlumberger Cryptoflex smart cards. Users
can create, list and read PINs and keys stored on the smart card.
User PIN authentication is performed for those operations that require it.
- dnie-tool — displays information about DNIe based security tokens
The dnie-tool utility is used to display additional information about DNIe, the Spanish National eID card.
-
Specify the reader to use. By default, the first
reader with a present card is used. If
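Review bot: Removing the line "dnie-tool — displays information about DNIe based security tokens" leaves the dnie-tool section, whose body "The dnie-tool utility is used to display additional information about DNIe, the Spanish National eID card." stays as context, without a title, and the cryptoflex-tool line removed just above had its title doubled and needed de-duplicating rather than dropping. Please add back one copy of each title as a "+" line, or say where in the series they are re-added.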
@@ -205,16 +217,48 @@ smart cards and similar security tokens based on Siemens Card/OS M4.
Causes dnie-tool to be more verbose.
Specify this flag several times
to enable debug output in the opensc library.
- eidenv — utility for accessing visible data from
- electronic identity cards egk-tool — displays information on the German electronic health card (elektronische Gesundheitskarte, eGK)
+
+ The egk-tool utility is used to display information stored on the German elektronic health card (elektronische Gesundheitskarte, eGK).
+
+ Print help and exit. Print version and exit.
+ Specify the reader to use.
+ Use
+ Causes egk-tool to be more verbose.
+ Specify this flag several times to be more verbose.
+
+ eidenv — utility for accessing visible data from
+ electronic identity cards
The eidenv utility is used for
accessing data from electronic identity cards (like
national eID cards) which might not be present in
PKCS#15 objects but available in custom files on the
card. The data can be printed on screen or used by
other programs via environment variables.
-
Wait for a card to be inserted
- gids-tool — smart card utility for GIDS cards
The gids-tool utility can be used from the command line to perform
miscellaneous smart card operations on a GIDS smart card.
-
Verbose operation. Use several times to
enable debug output.
- netkey-tool — administrative utility for Netkey E4 cards The netkey-tool utility can be used from the
- command line to perform some smart card operations with NetKey E4 cards
- that cannot be done easily with other OpenSC-tools, such as changing local
- PINs, storing certificates into empty NetKey E4 cert-files or displaying
- the initial PUK-value.
- Displays a short help message. Specifies the current value of the global PIN. Specifies the current value of the global PUK. Specifies the current value of the local PIN0 (aka local PIN). Specifies the current value of the local PIN1 (aka local PUK).
- Specify the reader to use. By default, the first
- reader with a present card is used. If
- Causes netkey-tool to be more verbose. This
- options may be specified multiple times to increase verbosity.
- With the When used without any options or commands, netkey-tool will
- display information about the smart cards pins and certificates. This will not change
- your card in any aspect (assumed there are no bugs in netkey-tool).
- In particular the tries-left counters of the pins are investigated without doing
- actual pin-verifications. If you specify the global PIN via the For most of the commands that netkey-tool can execute, you have
- to specify one pin. One notable exception is the nullpin command, but
- this command can only be executed once in the lifetime of a NetKey E4 card.
- This command will read one of your cards certificates (as specified by
- This command will read the first PEM-encoded certificate from file
- This changes the value of the specified pin to the given new value.
- You must specify either the current value of the pin or another pin to be able to do
- this and if you don't specify a correct one, netkey-tool will tell
- you which one is needed. This command can be executed only if the global PIN of your card is
- in nullpin-state. There's no way to return back to nullpin-state once you have changed
- your global PIN. You don't need a pin to execute the nullpin-command. After a successful
- nullpin-command netkey-tool will display your cards initial
- PUK-value. This unblocks the specified pin. You must specify another pin
- to be able to do this and if you don't specify a correct one,
- netkey-tool will tell you which one is needed.
- iasecc-tool — displays information about IAS/ECC card
+
The iasecc-tool utility is used to display information about IAS/ECC v1.0.1 smart cards.
-
Specify the reader to use. By default, the first
reader with a present card is used. If
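Review bot: "German elektronic health card" in the added egk-tool description should read "electronic" (the parenthesised "elektronische Gesundheitskarte" is correct as German), and the two added verbosity lines say the same thing twice ("Causes egk-tool to be more verbose." followed by "Specify this flag several times to be more verbose."); the other tools in this file use "Specify this flag several times to enable debug output in the opensc library", which is the wording to match. Separately, the line "iasecc-tool — displays information about IAS/ECC card" is removed with only a blank "+" line in its place, so that section loses its title, and the whole netkey-tool section removed here (from "netkey-tool — administrative utility for Netkey E4 cards" down to "netkey-tool will tell you which one is needed.") needs a matching addition elsewhere in the patch; only a partial context copy of it is visible later, so please confirm the nullpin and unblock command descriptions survive the move.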
@@ -397,91 +360,12 @@ to enable debug output in the opensc library.
Causes iasecc-tool to wait for the token
to be inserted into reader.
- openpgp-tool — utility for accessing visible data OpenPGP smart cards
- and compatible tokens
- The openpgp-tool utility is used for
- accessing data from the OpenPGP v1.1 and v2.0 smart cards
- and compatible tokens like e.g. GPF CryptoStick v1.x,
- which might not be present in
- PKCS#15 objects but available in custom files on the
- card. The data can be printed on screen or used by
- other programs via environment variables.
-
-
- Execute the given program with data in environment variables.
-
- Print help message on screen.
-
- Print values in raw format, as they are stored on the card.
-
- Print values in pretty format.
-
- Show card holder information.
-
- Specify the reader to use. By default, the first
- reader with a present card is used. If
-
- Verify PIN (CHV1, CHV2 or CHV3).
-
- The PIN text to verify. If set to
- env:
- Generate key. Specify key ID (1, 2 or 3) to generate.
-
- Length (default 2048 bit) of the key to be generated.
-
- Print the version of the utility and exit.
-
- Verbose operation. Use several times to enable debug output.
-
- Wait for a card to be inserted.
-
- netkey-tool — administrative utility for Netkey E4 cards The netkey-tool utility can be used from the
command line to perform some smart card operations with NetKey E4 cards
that cannot be done easily with other OpenSC-tools, such as changing local
PINs, storing certificates into empty NetKey E4 cert-files or displaying
- the initial PUK-value.
Specifies the current value of the local PIN1 (aka local PUK).
Specify the reader to use. By default, the first
reader with a present card is used. If
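Review bot: two sentences are cut in half by this hunk. The removed line 'netkey-tool — administrative utility for Netkey E4 cards The netkey-tool utility can be used from the' carries both the netkey-tool heading and the subject of the sentence that continues in the unchanged context line 'command line to perform some smart card operations with NetKey E4 cards', and dropping 'the initial PUK-value.' leaves 'storing certificates into empty NetKey E4 cert-files or displaying' without its object. Unless a later hunk re-adds both fragments, the netkey-tool description no longer reads as a sentence; the openpgp-tool block removed at the top of this hunk does reappear as '+' lines in the hunk at @@ -551,15, so that one is only a move.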
@@ -509,11 +393,11 @@ to enable debug output in the opensc library.
Causes netkey-tool to be more verbose. This
options may be specified multiple times to increase verbosity.
- With the When used without any options or commands, netkey-tool will
+ length 7, while 12:34 and 01:02:03:04 are pins of length 2 and 4. When used without any options or commands, netkey-tool will
display information about the smart cards pins and certificates. This will not change
your card in any aspect (assumed there are no bugs in netkey-tool).
In particular the tries-left counters of the pins are investigated without doing
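Review bot: the replacement line starts mid-sentence ('length 7, while 12:34 and 01:02:03:04 are pins of length 2 and 4.'); the first half of that sentence, the one that must say which notation yields 'length 7', is neither in this hunk nor in the removed line ('With the When used without any options or commands'), so please check the rewritten paragraph in full rather than only this line. Since the paragraph is being rewritten anyway, 'smart cards pins' in the following context line would read better as 'smart card's PINs'.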
@@ -539,8 +423,9 @@ to enable debug output in the opensc library.
writable you must specify a pin in order to change it. If you try to use this command
without specifying a pin, netkey-tool will tell you which one is
needed. This changes the value of the specified pin to the given new value.
You must specify either the current value of the pin or another pin to be able to do
this and if you don't specify a correct one, netkey-tool will tell
@@ -551,15 +436,159 @@ to enable debug output in the opensc library.
your global PIN. You don't need a pin to execute the nullpin-command. After a successful
nullpin-command netkey-tool will display your cards initial
PUK-value. This unblocks the specified pin. You must specify another pin
to be able to do this and if you don't specify a correct one,
netkey-tool will tell you which one is needed.
- openpgp-tool — utility for accessing visible data OpenPGP smart cards
- and compatible tokens npa-tool — displays information on the German eID card (neuer Personalausweis, nPA).
+
+ The npa-tool utility is used to display information
+ stored on the German eID card (neuer Personalausweis, nPA),
+ and to perform some write and verification operations.
+
+ Print help and exit. Print version and exit.
+ Specify the reader to use.
+ Use
+ Causes npa-tool to be more verbose.
+ Specify this flag several times to be more verbose.
+
+
+ Run PACE with (transport) eID-PIN.
+
+ Run PACE with PUK.
+
+ Run PACE with Card Access Number (CAN).
+
+ Run PACE with Machine Readable Zone (MRZ).
+ Enter the MRZ without newlines.
+
+ Specify whether to use environment variables
+ Install a new PIN.
+
+ Resume eID-PIN (uses CAN to activate last retry).
+ (default=off)
+
+ Unblock PIN (uses PUK to activate three more retries).
+ (default=off)
+
+ Specify Card Verifiable (CV) certificate
+ to create a certificate chain.
+ The option can be given multiple times, in which case the
+ order is important.
+
+ Certificate description to show for Terminal Authentication.
+
+ Specify the Card Holder Authorization Template
+ (CHAT) to use.
+ If not given, it defaults to the terminal's CHAT.
+ Use
+ Specify the terminal's auxiliary data.
+ If not given, the default is determined by verification
+ of validity, age and community ID.
+
+ Specify the terminal's private key.
+
+ Specify where to look for the certificate of the
+ Country Verifying Certification Authority
+ (CVCA).
+ If not given, it defaults to
+
+ Specify where to look for the X.509 certificate.
+ If not given, it defaults to
+
+ Disable checking the validity period of CV certificates.
+ (default=off)
+
+ Disable passive authentication. (default=off)
+ Read data group 1: Document Type. Read data group 2: Issuing State. Read data group 3: Date of Expiry. Read data group 4: Given Name(s). Read data group 5: Family Name. Read data group 6: Religious/Artistic Name. Read data group 7: Academic Title. Read data group 8: Date of Birth. Read data group 9: Place of Birth. Read data group 10: Nationality. Read data group 11: Sex. Read data group 12: Optional Data. Read data group 13: Birth Name. Read data group 14. Read data group 15. Read data group 16. Read data group 17: Normal Place of Residence. Read data group 18: Community ID. Read data group 19: Residence Permit I. Read data group 20: Residence Permit II. Read data group 21: Optional Data. Write data group 17: Normal Place of Residence. Write data group 18: Community ID. Write data group 19: Residence Permit I. Write data group 20: Residence Permit II. Write data group 21: Optional Data.
+ Verify chip's validity with a reference date.
+
+ Verify age with a reference date.
+
+ Verify community ID with a reference ID.
+
+ Brute force PIN, CAN or PUK.
+ Use together with options
+ Specify the file with APDUs of HEX_STRINGs to send
+ through the secure channel.
+ (default=`stdin')
+
+ Force compliance to BSI TR-03110 version 2.01. (default=off)
+
+ Disable all checking of fly-by-data. (default=off)
+ openpgp-tool — utility for accessing visible data OpenPGP smart cards
+ and compatible tokens
The openpgp-tool utility is used for
accessing data from the OpenPGP v1.1 and v2.0 smart cards
and compatible tokens like e.g. GPF CryptoStick v1.x,
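Review bot: in the new npa-tool section the data-group options are run together on one line ('Read data group 1: Document Type. Read data group 2: Issuing State. ... Write data group 21: Optional Data.') while every other option gets its own entry; split them one per entry, and give data groups 14, 15 and 16 a description like the others ('Read data group 14.' says nothing about what is read). Several entries also stop mid-sentence ('Specify whether to use environment variables', 'Use together with options', 'If not given, it defaults to', 'Use'), 'Print help and exit. Print version and exit.' merges two options into one line, 'Specify the reader to use.' lacks the default-reader sentence the other tools carry ('By default, the first reader with a present card is used.'), and '(default=`stdin')' mixes a backtick with a straight quote where the rest of the page uses matching quotes.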
@@ -567,30 +596,141 @@ to enable debug output in the opensc library.
PKCS#15 objects but available in custom files on the
card. The data can be printed on screen or used by
other programs via environment variables.
-
+ Delete key indicated by
+ Dump private data object (DO)
+ indicated by
+ Erase (i.e. reset) the card.
+
- Execute the given program with data in environment variables.
+ Execute the given program with data in environment variables.
+
+ Generate key with the ID given as
- Print help message on screen.
+ Print help message on screen.
- Print values in raw format, as they are stored on the card.
+ Specify the length of the key to be generated.
+ If not given, it defaults to 2048 bit.
+
+ The PIN text to verify. If set to
+ env:
- Print values in pretty format.
+ Print values in pretty format.
+
+ Print values in raw format, as they are stored on the card.
+
+ Specify the reader to use. By default, the first
+ reader with a present card is used. If
+
- Show card holder information.
+ Show card holder information.
+
+ Verify PIN (CHV1, CHV2 or CHV3).
+
+ Print the version of the utility and exit.
+
+ Verbose operation. Use several times to enable debug output.
+
+ Wait for a card to be inserted.
+
+ opensc-explorer —
+ generic interactive utility for accessing smart card
+ and similar security token functions
+
+ The opensc-explorer utility can be
+ used interactively to perform miscellaneous operations
+ such as exploring the contents of or sending arbitrary
+ APDU commands to a smart card or similar security token.
+
+ The following are the command-line options for
+ opensc-explorer. There are additional
+ interactive commands available once it is running.
+
+ Use the given card driver. The default is
+ auto-detected.
+
+ Select the file referenced by the given path on
+ startup. The default is the path to the standard master file,
+ 3F00. If
- Verify PIN (CHV1, CHV2 or CHV3).
- Wait for a card to be inserted
+
+ The following commands are supported at opensc-explorer's
+ interactive prompt or in script files passed via the command line parameter
+ Send a custom APDU command Parse and print the ASN.1 encoded content of the file specified by
+ Print the contents of the currently selected EF or the contents
+ of a file specified by
- The PIN text to verify. If set to
- env: Change a PIN, where
+ Examples:
+
+ Change PIN
+ Set PIN
+ Change PIN
Create a new EF. Set OpenSC debug level to If Remove the EF or DF specified by Copy the internal card's 'tagged' data into the local file. The local file is specified by
+ If Update internal card's 'tagged' data. Print the Erase the card, if the card supports it. Copy an EF to a local file. The local file is specified
+ by
+ If Display attributes of a file specified by List files in the current DF.
+ If no Find all files in the current DF.
+ Files are found by selecting all file identifiers in the range from Find all tags of data objects in the current context.
+ Tags are found by using GET DATA in the range from Create a DF. Copy a local file to the card. The local file is specified
+ by Exit the program. Generate random sequence of Remove the EF or DF specified by
- Generate key. Specify key ID (1, 2 or 3) to generate.
+ Unblock the PIN denoted by
+ PUK and PIN values can be a sequence of hexadecimal values,
+
+ Examples:
+
+ Unblock PIN
+ Unblock PIN
+ Set new value of PIN
+ Unblock PIN
+ Set PIN
+ Unblock PIN
- Length (default 2048 bit) of the key to be generated.
+ update_binary
+ Binary update of the file specified by
+ Update record specified by Present a PIN or key to the card, where
+
+ If
+ Examples:
+
+ Verify
+ Verify
+ Verify
Calls the card's
+ opensc-notify — monitor smart card events and send notifications
+
+ The opensc-notify utility is used to
+ monitor smart card events and send the appropriate notification.
+
+ Print help and exit. Print version and exit.
+
+ Send customized notifications.
+
- Print the version of the utility and exit.
+ Specify the title of the notification.
- Verbose operation. Use several times to enable debug output.
+ Specify the main text of the notification.
+ opensc-tool — generic smart card utility
The opensc-tool utility can be used from the command line to perform
miscellaneous smart card operations such as getting the card ATR or
sending arbitrary APDU commands to a card.
-
Print the OpenSC package release version.
Resets the card in reader.
- The default reset type is Sends an arbitrary APDU to the card in the format
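Review bot: the last removed line deletes both 'The default reset type is' and 'Sends an arbitrary APDU to the card in the format' with no '+' replacement in this hunk, so the opensc-tool entry 'Resets the card in reader.' loses its default and the send-APDU option loses its whole description; please confirm a later hunk restores them. In the re-added openpgp-tool entries 'Delete key indicated by', 'Dump private data object (DO) indicated by' and 'Generate key with the ID given as' end without naming the argument, and in the relocated opensc-explorer block several interactive commands are collapsed onto one line ('Send a custom APDU command Parse and print the ASN.1 encoded content of the file specified by', 'Create a new EF. Set OpenSC debug level to If Remove the EF or DF specified by ...') while 'update_binary' is the only command whose name survives as its own line; one command per entry, each with its name, would keep the block consistent. The opensc-notify entry 'Print help and exit. Print version and exit.' has the same two-options-on-one-line problem.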
@@ -701,236 +1087,16 @@ to enable debug output in the opensc library.
Wait for a card to be inserted.
- opensc-explorer —
- generic interactive utility for accessing smart card
- and similar security token functions
-
- The opensc-explorer utility can be
- used interactively to perform miscellaneous operations
- such as exploring the contents of or sending arbitrary
- APDU commands to a smart card or similar security token.
-
- The following are the command-line options for
- opensc-explorer. There are additional
- interactive commands available once it is running.
-
- Use the given card driver. The default is
- auto-detected.
-
- Select the file referenced by the given path on
- startup. The default is the path to the standard master file,
- 3F00. If
- Specify the reader to use. By default, the first
- reader with a present card is used. If
-
- Causes opensc-explorer to be more
- verbose. Specify this flag several times to enable
- debug output in the opensc library.
- Wait for a card to be inserted
-
- The following commands are supported at opensc-explorer's
- interactive prompt or in script files passed via the command line parameter
- Send a custom APDU command Parse and print the ASN.1 encoded content of the file specified by
- Print the contents of the currently selected EF or the contents
- of a file specified by
- Change to another DF specified by the argument passed.
- If the argument given is Change a PIN, where
- Examples:
-
- Change PIN
- Set PIN
- Change PIN
- Create a new EF. Set OpenSC debug level to If Remove the EF or DF specified by Copy the internal card's 'tagged' data into the local file. The local file is specified by
- If Update internal card's 'tagged' data. Print the Erase the card, if the card supports it. Copy an EF to a local file. The local file is specified
- by
- If Display attributes of a file specified by List files in the current DF.
- If no Find all files in the current DF.
- Files are found by selecting all file identifiers in the range from Find all tags of data objects in the current context.
- Tags are found by using GET DATA in the range from Create a DF. Copy a local file to the card. The local file is specified
- by Exit the program. Generate random sequence of Remove the EF or DF specified by
- Unblock the PIN denoted by
- PUK and PIN values can be a sequence of hexadecimal values,
-
- Examples:
-
- Unblock PIN
- Unblock PIN
- Set new value of PIN
- Unblock PIN
- Set PIN
- Unblock PIN
- Binary update of the file specified by
- Update record specified by Present a PIN or key to the card, where
-
- If
- Examples:
-
- Verify
- Verify
- Verify
- Calls the card's
- piv-tool — smart card utility for HSPD-12 PIV cards
The piv-tool utility can be used from the command line to perform
miscellaneous smart card operations on a HSPD-12 PIV smart card as defined in NIST 800-73-3.
It is intended for use with test cards only. It can be used to load objects, and generate
key pairs, as well as send arbitrary APDU commands to a card after having authenticated
to the card using the card key provided by the card vendor.
-
Print the card serial number derived from the CHUID object,
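Review bot: the piv-tool heading ('piv-tool — smart card utility for HSPD-12 PIV cards') is deleted and nothing re-adds it, so 'The piv-tool utility can be used from the command line to perform' now starts the section without a title. The opensc-explorer block removed here is re-added ahead of opensc-notify in the hunk at @@ -567,30, so that is a move, but three pieces of the old block have no '+' counterpart in the relocated copy: the reader option ('Specify the reader to use. By default, the first reader with a present card is used.'), the verbose option ('Causes opensc-explorer to be more verbose. Specify this flag several times to enable debug output in the opensc library.') and the 'cd' entry ('Change to another DF specified by the argument passed. If the argument given is'); please confirm they were not dropped in the move.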
@@ -1016,16 +1182,16 @@ to enable debug output in the opensc library.
Causes piv-tool to be more verbose.
Specify this flag several times to enable debug output in the opensc
library.
- pkcs11-tool — utility for managing and using PKCS #11 security tokens pkcs11-tool — utility for managing and using PKCS #11 security tokens
The pkcs11-tool utility is used to manage the
data objects on smart cards and similar PKCS #11 security tokens.
Users can list and read PINs, keys and certificates stored on the
token. User PIN authentication is performed for those operations
that require it.
-
Extract information from
Get
-
To list all certificates on the smart card:
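Review bot: the removed line carries the pkcs11-tool heading twice ('pkcs11-tool — utility for managing and using PKCS #11 security tokens pkcs11-tool — utility for managing and using PKCS #11 security tokens'), so the intent is presumably to fix the duplication, but deleting the whole line with no '+' replacement removes the heading altogether and 'The pkcs11-tool utility is used to manage the' becomes the first line of the section; keep one copy.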
@@ -1266,13 +1432,13 @@ to enable debug output in the opensc library.
using the private key with ID
- pkcs15-crypt — perform crypto operations using PKCS#15 smart cards pkcs15-crypt — perform crypto operations using PKCS#15 smart cards
The pkcs15-crypt utility can be used from the
command line to perform cryptographic operations such as computing
digital signatures or decrypting data, using keys stored on a PKCS#15
compliant smart card.
-
Print the OpenSC package release version.
Causes pkcs15-crypt to be more
verbose. Specify this flag several times to enable debug output
in the OpenSC library.
- pkcs15-init — smart card personalization utility
The pkcs15-init utility can be used to create a PKCS #15
structure on a smart card, and add key or certificate objects. Details of the
structure that will be created are controlled via profiles.
The profile used by default is pkcs15. Alternative
profiles can be specified via the
pkcs15-init can be used to create a PKCS #15 structure on
your smart card, create PINs, and install keys and certificates on the card.
This process is also called
are protected and cannot be parsed without authentication (usually with User PIN).
This authentication need to be done immediately after the card binding.
In such cases This is the first step during card personalization, and will create the
basic files on the card. To create the initial PKCS #15 structure, invoke the
utility as
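Review bot: same pattern as for pkcs11-tool: the duplicated pkcs15-crypt heading line ('pkcs15-crypt — perform crypto operations using PKCS#15 smart cards pkcs15-crypt — ...') and the pkcs15-init heading ('pkcs15-init — smart card personalization utility') are deleted with no '+' line keeping a single copy, so both descriptions lose their titles. Since the pkcs15-init text is being touched, the context lines 'This authentication need to be done immediately after the card binding.' and 'In such cases This is the first step during card personalization' are worth fixing in the same change ('needs to be done'; the sentence 'In such cases' is cut off and runs into 'This is the first step').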
@@ -1422,7 +1588,7 @@ to enable debug output in the opensc library.
If the card supports it, you should erase the contents of the card with
pkcs15-init --erase-card before creating the PKCS#15 structure.
-
Before installing any user objects such as private keys, you need at least one
PIN to protect these objects. you can do this using
@@ -1436,7 +1602,7 @@ to enable debug output in the opensc library.
To set a label for this PIN object (which can be used by applications to display
a meaningful prompt to the user), use the
pkcs15-init lets you generate a new key and store it on the card.
You can do this using:
@@ -1454,7 +1620,7 @@ to enable debug output in the opensc library.
In addition to storing the private portion of the key on the card,
pkcs15-init will also store the the public portion of the
key as a PKCS #15 public key object.
-
You can use a private key generated by other means and upload it to the card.
For instance, to upload a private key contained in a file named
a file. A PKCS #12 file usually contains the X.509 certificate corresponding
to the private key. If that is the case, pkcs15-init will
store the certificate instead of the public key portion.
-
You can also upload individual public keys to the card using the
Since the corresponding public keys are always uploaded automatically
when generating a new key, or when uploading a private key, you will
probably use this option only very rarely.
-
You can upload certificates to the card using the
Most browsers nowadays use PKCS #12 format files when you ask them to
export your key and certificate to a file. pkcs15-init
is capable of parsing these files, and storing their contents on the
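Review bot: whitespace-only hunk; the context line 'pkcs15-init will also store the the public portion of the' has a doubled 'the' that could be corrected while this paragraph is being reflowed.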
@@ -1508,7 +1674,7 @@ to enable debug output in the opensc library.
and protect it with the PIN referenced by authentication ID
You can use a secret key generated by other means and upload it to the card.
For instance, to upload an AES-secret key generated by the system random generator
you would use
@@ -1517,7 +1683,7 @@ to enable debug output in the opensc library.
By default a random ID is generated for the secret key. You may specify an ID
with the
Print the OpenSC package release version.
Display help message
- pkcs15-tool — utility for manipulating PKCS #15 data structures
- on smart cards and similar security tokens
The pkcs15-tool utility is used to manipulate
the PKCS #15 data structures on smart cards and similar security
tokens. Users can list and read PINs, keys and certificates stored
on the token. User PIN authentication is performed for those
operations that require it.
- sc-hsm-tool — smart card utility for SmartCard-HSM
The sc-hsm-tool utility can be used from the command line to perform
extended maintenance tasks not available via PKCS#11 or other tools in the OpenSC package.
It can be used to query the status of a SmartCard-HSM, initialize a device, generate and import
Device Key Encryption Key (DKEK) shares and to wrap and unwrap keys.
-
Causes sc-hsm-tool to be more verbose.
Specify this flag several times to enable debug output in the opensc
library.
- Create a DKEK share: sc-hsm-tool --create-dkek-share dkek-share-1.pbe Create a DKEK share with random password split up using a (3, 5) threshold scheme: sc-hsm-tool --create-dkek-share dkek-share-1.pbe --pwd-shares-threshold 3 --pwd-shares-total 5 Initialize SmartCard-HSM to use a single DKEK share: sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 --dkek-shares 1 --label mytoken Import DKEK share: sc-hsm-tool --import-dkek-share dkek-share-1.pbe Import DKEK share using a password split up using a (3, 5) threshold scheme for encryption: sc-hsm-tool --import-dkek-share dkek-share-1.pbe --pwd-shares-total 3 Wrap referenced key, description and certificate: sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1 --pin 648219 Unwrap key into same or in different SmartCard-HSM with the same DKEK: sc-hsm-tool --unwrap-key wrap-key.bin --key-reference 10 --pin 648219 --force Create a DKEK share: sc-hsm-tool --create-dkek-share dkek-share-1.pbe Create a DKEK share with random password split up using a (3, 5) threshold scheme: sc-hsm-tool --create-dkek-share dkek-share-1.pbe --pwd-shares-threshold 3 --pwd-shares-total 5 Initialize SmartCard-HSM to use a single DKEK share: sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 --dkek-shares 1 --label mytoken Import DKEK share: sc-hsm-tool --import-dkek-share dkek-share-1.pbe Import DKEK share using a password split up using a (3, 5) threshold scheme for encryption: sc-hsm-tool --import-dkek-share dkek-share-1.pbe --pwd-shares-total 3 Wrap referenced key, description and certificate: sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1 --pin 648219 Unwrap key into same or in different SmartCard-HSM with the same DKEK: sc-hsm-tool --unwrap-key wrap-key.bin --key-reference 10 --pin 648219 --force westcos-tool — utility for manipulating data structures
- on westcos smart cards
The westcos-tool utility is used to manipulate
the westcos data structures on 2 Ko smart cards / tokens. Users can create PINs,
keys and certificates stored on the card / token. User PIN authentication is
performed for those operations that require it.
-
Unblocks a PIN stored on the card. Knowledge of the
PIN Unblock Key (PUK) is required for this operation. Causes westcos-tool to be more
verbose. Specify this flag several times to enable debug output
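Review bot: the hunk header declares seven old and seven new lines ('@@ -1517,7 +1683,7 @@') but the body runs to about thirty lines, so the patch as posted will not apply and needs to be regenerated. Within it, the pkcs15-tool, sc-hsm-tool and westcos-tool headings are deleted without a '+' line keeping them, and the removed westcos-tool line also bundles the complete sc-hsm-tool example list twice ('Create a DKEK share: sc-hsm-tool --create-dkek-share dkek-share-1.pbe ... --force' repeated); the duplication is the likely target, but removing the line wholesale also removes the only copy of the examples, so check that they survive once in the new text.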
@@ -2177,27 +2344,5 @@ puk 87654321
from disk to card.
On the card the file is written in
- Table of Contents pkcs15-profile — format of profile for pkcs15-init
- The pkcs15-init utility for PKCS #15 smart card
- personalization is controlled via profiles. When starting, it will read two
- such profiles at the moment, a generic application profile, and a card
- specific profile. The generic profile must be specified on the command line,
- while the card-specific file is selected based on the type of card detected.
-
- The generic application profile defines general information about the card
- layout, such as the path of the application DF, various PKCS #15 files within
- that directory, and the access conditions on these files. It also defines
- general information about PIN, key and certificate objects. Currently, there
- is only one such generic profile, pkcs15.profile.
-
- The card specific profile contains additional information required during
- card initialization, such as location of PIN files, key references etc.
- Profiles currently reside in @pkgdatadir@
- Name
Description
/home/fm/.local/etc/opensc.conf
)
+ opensc.conf
, is composed
+ of block
s, which, in general, have the
+ following format:
+
+
key
[, name
...] {
+ block_contents
+}
+ block_contents
is one or more
+ block_item
s where a
+ block_item
is one of
+ comment string
+ key
[, name
...] = value
;
+ block
+ opensc.conf
should contain
+ one or more application specific configuration blocks:
+
+app
application
{
+ block_contents
+}
+ application
+ specifies one of:
+ default
: The fall-back configuration block for all applications
+ opensc-pkcs11
: Configuration block for the PKCS#11 module (opensc-pkcs11.so
)
+ onepin-opensc-pkcs11
: Configuration block for the PKCS#11 one-PIN-module (onepin-opensc-pkcs11.so
)
+ cardmod
: Configuration block for Windows' minidriver (opensc-minidriver.dll
)
+ tokend
: Configuration block for macOS' tokend (OpenSC.tokend)
+ cardos-tool
,
+ cryptoflex-tool
,
+ dnie-tool
,
+ egk-tool
,
+ eidenv
,
+ gids-tool
,
+ iasecc-tool
,
+ netkey-tool
,
+ npa-tool
,
+ openpgp-tool
,
+ opensc-asn1
,
+ opensc-explorer
,
+ opensc-notify
,
+ opensc-tool
,
+ piv-tool
,
+ pkcs11-tool
,
+ pkcs15-crypt
,
+ pkcs15-init
,
+ pkcs15-tool
,
+ sc-hsm-tool
,
+ westcos-tool
:
+ Configuration block for OpenSC tools
+ Configuration Options
debug =
+ num
;0
). A greater value means more
+ debug info.
+ OPENSC_DEBUG
overwrites this
+ setting.
+ debug_file =
+ filename
;stderr
). Special
+ values stdout
and
+ stderr
are recognized.
+ profile_dir =
+ filename
;/home/fm/.local/share/opensc
).
+ HKLM\Software\OpenSC
+ Project\OpenSC\ProfileDir
is
+ checked.
+ disable_popups =
+ bool
;false
).
+ enable_default_driver =
+ bool
;false
). Default card driver is
+ explicitly enabled for
+ opensc-explorer(1).
+
+ and
+ opensc-tool(1).
+
+ card_drivers =
+ name
... ;internal
(the
+ default) will load all statically linked drivers.
+ old
will load all
+ statically linked drivers that may be removed in
+ the future.
+ OPENSC_DRIVER
overwrites this
+ setting.
+ ignored_readers =
+ name
... ;reader_driver
+ name
{
+ block_contents
+ }
+ name
is one of:
+ ctapi
: See the section called “Configuration of CT-API Readers”
+ pcsc
: See the section called “Configuration of PC/SC Readers”
+ openct
: See the section called “Configuration of OpenCT Readers”
+ cryptotokenkit
: Configuration block for CryptoTokenKit readers
+ card_driver
+ name
{
+ block_contents
+ }
+ name
is one of:
+ npa
: See the section called “Configuration Options for German ID Card”
+ dnie
: See the section called “Configuration Options for DNIe”
+ card_atr
+ hexstring
{
+ block_contents
+ }
+ card_atr
+ block.
+ secure_messaging
+ name
{
+ block_contents
+ }
+ name
:
+ module_name =
+ filename
;module_path =
+ filename
;HKLM\Software\OpenSC
+ Project\OpenSC\SmDir
is
+ checked.
+ module_data =
+ value
;mode =
+ value
;transmit
:
+ In this mode the
+ procedure to securize
+ an APDU is called by
+ the OpenSC general APDU
+ transmit procedure. In
+ this mode all APDUs,
+ except the ones
+ filtered by the card
+ specific procedure, are
+ securized.
+ acl
:
+ In this mode APDU are
+ securized only if
+ needed by the ACLs of
+ the command to be
+ executed.
+ flags =
+ value
;kmc =
+ hexstring
;ifd_serial =
+ hexstring
;keyset[_
+ aid
]_num
_enc =
+ value
;keyset[_
+ aid
]_num
_mac =
+ value
;framework
+ name
{
+ block_contents
+ }
+ name
is one of:
+ pkcs15
: See the section called “Configuration of PKCS#15 Framework”
+ tokend
: See the section called “Configuration of Tokend”
+ pkcs11 {
+
+ block_contents
+ }
+ Configuration of Smart Card Reader Driver
Configuration Options for all Reader Drivers
max_send_size =
+ num
;max_recv_size =
+ num
;max_send_size
+ = 255
,
+ max_recv_size
+ = 256
) . Some
+ Readers don't propagate their
+ transceive capabilities correctly.
+ max_send_size and max_recv_size
+ allow setting the limits manually,
+ for example to enable extended
+ length capabilities.
+ enable_escape
+ bool
;false
)
+ Configuration of CT-API Readers
module
+ filename
{
+ ports = nums
;
+ }
+ Configuration of PC/SC Readers
connect_exclusive =
+ bool
;false
)?
+ This option has no effect in Windows' minidriver.
+ disconnect_action =
+ action
;leave
,
+ reset
,
+ unpower
(Default:
+ leave
).
+ This option has no effect in Windows' minidriver.
+ transaction_end_action =
+ action
;leave
,
+ reset
,
+ unpower
(Default:
+ leave
).
+ This option has no effect in Windows' minidriver.
+ reconnect_action =
+ action
;leave
,
+ reset
,
+ unpower
(Default:
+ leave
).
+ This option has no effect in Windows' minidriver.
+ enable_pinpad =
+ bool
;true
)
+ fixed_pinlength =
+ num
;fixed_pinlength
+ sets this value so that OpenSC
+ expands the padding to this length
+ (Default: 0
,
+ i.e. not fixed).
+ provider_library =
+ filename
;libpcsclite.so.1
).
+ Configuration Options for German ID Card
can =
+ value
;st_dv_certificate =
+ filename
;st_certificate =
+ filename
;st_key =
+ filename
;Configuration Options for DNIe
user_consent_enabled =
+ bool
;--enable-dnie-ui
+ user_consent_app =
+ filename
;/usr/bin/pinentry
).
+ Only used if compiled with
+ --enable-dnie-ui
+ Configuration based on ATR
atrmask =
+ hexstring
;driver =
+ name
;name =
+ name
;type =
+ num
;cards.h
.
+ flags =
+ value
... ;rng
:
+ On-board random number
+ source
+ keep_alive
:
+ Request the card driver
+ to send a "keep alive"
+ command before each
+ transaction to make
+ sure that the required
+ applet is still
+ selected.
+ pkcs15emu =
+ name
;force_protocol =
+ value
;t0
+ t1
+ raw
+ md_read_only =
+ bool
;false
).
+ md_supports_X509_enrollment =
+ bool
;false
).
+ md_guid_as_id =
+ bool
;false
, i.e. auto generated)
+ md_guid_as_label =
+ bool
;false
,
+ i.e. no label set).
+ md_supports_container_key_gen =
+ bool
;false
).
+ md_supports_container_key_import =
+ bool
;false
).
+ md_pinpad_dlg_title =
+ value
;"Windows
+ Security"
).
+ md_pinpad_dlg_icon =
+ filename
;""
for no icon
+ (Default: Built-in smart card icon).
+ md_pinpad_dlg_main =
+ value
;"OpenSC
+ Smart Card Provider"
).
+ md_pinpad_dlg_content_user =
+ value
;"Please verify your
+ fingerprint or PIN on the
+ card."
).
+ md_pinpad_dlg_content_user_sign =
+ value
;"Please verify your
+ fingerprint or PIN for the
+ digital signature PIN on the
+ card."
).
+ md_pinpad_dlg_content_user_sign =
+ name
;"Please verify your
+ fingerprint or PIN for the
+ digital signature PIN on the
+ card."
).
+ md_pinpad_dlg_content_admin =
+ value
;"Please enter your PIN to
+ unblock the user PIN on the
+ PINPAD."
)
+ md_pinpad_dlg_content_cancel =
+ value
;md_pinpad_dlg_expanded =
+ value
;"This
+ window will be closed
+ automatically after the PIN has
+ been submitted on the PINPAD
+ (timeout typically after 30
+ seconds)."
)
+ md_pinpad_dlg_expanded_cancel =
+ value
;"Some readers only support
+ canceling the operation on the
+ PIN pad. Press Cancel or remove
+ the card."
).
+ md_pinpad_dlg_enable_cancel =
+ bool
;false
)
+ md_pinpad_dlg_timeout =
+ num
;0
removes the
+ progress bar (Default:
+ 30
).
+ notify_card_inserted =
+ value
;notify_card_inserted_text =
+ value
;"Smart card
+ detected"
, ATR of
+ the card).
+ notify_card_removed =
+ value
;notify_card_removed_text =
+ value
;"Smart card
+ removed"
, name of
+ smart card reader).
+ notify_pin_good =
+ value
;notify_pin_good_text =
+ value
;"PIN verified"
,
+ "Smart card is
+ unlocked"
).
+ notify_pin_bad =
+ value
;notify_pin_bad_text =
+ value
;"PIN not
+ verified"
,
+ "Smart card is
+ locked"
).
+ Configuration of PKCS#15 Framework
use_file_caching =
+ bool
;file_cache_dir
(Default:
+ false
).
+ file_cache_dir =
+ filename
;
(Unix)
+ HOME
/.eid/cache/
(Windows)
+ USERPROFILE
\.eid-cache\use_pin_caching =
+ bool
;true
)?
+ pin_cache_counter =
+ num
;10
)?
+ pin_cache_ignore_user_consent =
+ bool
;CKA_ALWAYS_AUTHENTICATE
may
+ need to set this to get signatures to work with
+ some cards (Default: false
).
+ enable_pkcs15_emulation =
+ bool
;true
).
+ try_emulation_first =
+ bool
;no
). Some cards work in
+ emu-only mode, and do not depend on this
+ option.
+ enable_builtin_emulation =
+ bool
;true
).
+ builtin_emulators =
+ emulators
;esteid, openpgp, tcos,
+ starcert, itacns, infocamere, postecert,
+ actalis, atrust-acos, gemsafeGPK,
+ gemsafeV1, tccardos, PIV-II
)
+ pkcs11_enable_InitToken =
+ bool
;false
).
+ emulate
+ name
{
+ block_contents
+ }
+ name
is a
+ short name for an external card driver.
+ module =
+ filename
;function =
+ name
;sc_pkcs15_init_func_ex
)
+ application
+ hexstring
{
+ block_contents
+ }
+ hexstring
is the
+ application identifier (AID).
+ type =
+ name
;name
is one
+ of:
+ generic
+ protected
+ model =
+ name
;disable =
+ bool
;false
)
+ Configuration of Tokend
score =
+ num
;300
). The tokend with
+ the highest score shall be used.
+ ignore_private_certificate =
+ bool
;SC_PKCS15_CO_FLAG_PRIVATE
flag
+ (Default: true
).
+ Configuration of PKCS#11
max_virtual_slots =
+ num
;16
). If there are more slots
+ than defined here, the remaining slots will be
+ hidden from PKCS#11.
+ slots_per_card =
+ num
;4
). If the card has fewer keys
+ than defined here, the remaining number of slots
+ will be empty.
+ lock_login =
+ bool
;C_Login
(Default:
+ false
).
+
+ Thus the other users or other applications is not
+ prevented from connecting to the card and perform
+ crypto operations (which may be possible because
+ you have already authenticated with the card). This
+ setting is not very secure.
+ C_Login
, no other application
+ can use it, until the first is done and calls
+ C_Logout
or
+ C_Finalize
. In the case of many
+ PKCS#11 application this does not happen until you
+ exit the application.
+ atomic =
+ bool
;false
).
+ lock_login
to disable access for
+ other applications during the atomic transactions.
+ enable_pinpad
), because the
+ user would have to input his PIN for every
+ transaction.
+ init_sloppy =
+ bool
;C_GetSlotList
.
+ With this setting enabled, the slots will also get
+ initialized when C_GetSlotInfo
+ is called (Default: true
).
+ C_GetSlotList
when configured
+ with a static slot
instead of
+ slotListIndex
.
+ user_pin_unblock_style =
+ mode
;mode
+ is one of:
+ none
(Default): PIN
+ unblock is not possible with PKCS#11 API
+ set_pin_in_unlogged_session
:
+ C_SetPIN
in unlogged
+ session: PUK is passed as the
+ OldPin
argument of the
+ C_SetPIN
call.
+ set_pin_in_specific_context
:
+ C_SetPIN
in the
+ CKU_SPECIFIC_CONTEXT
+ logged session: PUK is passed as the
+ OldPin
argument of the
+ C_SetPIN
call.
+ init_pin_in_so_session
:
+ C_InitPIN
in
+ CKU_SO
logged session:
+ User PIN 'UNBLOCK' is protected by SOPIN.
+ (PUK == SOPIN).
+ create_puk_slot =
+ bool
;false
). This way PKCS#11 API can
+ be used to login with PUK and change a PIN. May
+ cause problems with some applications like
+ Firefox and
+ Thunderbird.
+ create_slots_for_pins =
+ mode
... ;mode
is a list of:
+ all
(Default): All
+ non-SO-PIN, non-unblocking PINs
+ user
: The first
+ global or first local PIN
+ sign
: The second PIN
+ (first local, second global or second
+ local)
+ create_slots_for_pins = "user";
+ Environment
OPENSC_CONF
+ HKLM\Software\OpenSC
+ Project\OpenSC\ConfigFile
is
+ checked.
+ OPENSC_DEBUG
+ debug =
+
+ num
;OPENSC_DRIVER
+ card_drivers =
+
+ name
... ;CARDMOD_LOW_LEVEL_DEBUG
+ C:\tmp\md.log
, if set to
+ 1
.
+ HKLM\Software\OpenSC
+ Project\OpenSC\MiniDriverDebug
is
+ checked.
+ PIV_EXT_AUTH_KEY
,
+ PIV_9A_KEY
,
+ PIV_9C_KEY
,
+ PIV_9D_KEY
,
+ PIV_9E_KEY
+ Name
Description
pkcs15.profile
.
+ @pkgdatadir@
+ Name
Description
/home/fm/.local/etc/opensc.conf
)
+ opensc.conf
, is composed
+ of block
s, which, in general, have the
+ following format:
+
+
key
[, name
...] {
+ block_contents
+}
+ block_contents
is one or more
+ block_item
s where a
+ block_item
is one of
+ comment string
+ key
[, name
...] = value
;
+ block
+ opensc.conf
should contain
+ one or more application specific configuration blocks:
+
+app
application
{
+ block_contents
+}
+ application
+ specifies one of:
+ default
: The fall-back configuration block for all applications
+ opensc-pkcs11
: Configuration block for the PKCS#11 module (opensc-pkcs11.so
)
+ onepin-opensc-pkcs11
: Configuration block for the PKCS#11 one-PIN-module (onepin-opensc-pkcs11.so
)
+ cardmod
: Configuration block for Windows' minidriver (opensc-minidriver.dll
)
+ tokend
: Configuration block for macOS' tokend (OpenSC.tokend)
+ cardos-tool
,
+ cryptoflex-tool
,
+ dnie-tool
,
+ egk-tool
,
+ eidenv
,
+ gids-tool
,
+ iasecc-tool
,
+ netkey-tool
,
+ npa-tool
,
+ openpgp-tool
,
+ opensc-asn1
,
+ opensc-explorer
,
+ opensc-notify
,
+ opensc-tool
,
+ piv-tool
,
+ pkcs11-tool
,
+ pkcs15-crypt
,
+ pkcs15-init
,
+ pkcs15-tool
,
+ sc-hsm-tool
,
+ westcos-tool
:
+ Configuration block for OpenSC tools
+ Configuration Options
debug =
+ num
;0
). A greater value means more
+ debug info.
+ OPENSC_DEBUG
overwrites this
+ setting.
+ debug_file =
+ filename
;stderr
). Special
+ values stdout
and
+ stderr
are recognized.
+ profile_dir =
+ filename
;/home/fm/.local/share/opensc
).
+ HKLM\Software\OpenSC
+ Project\OpenSC\ProfileDir
is
+ checked.
+ disable_popups =
+ bool
;false
).
+ enable_default_driver =
+ bool
;false
). Default card driver is
+ explicitly enabled for
+ opensc-explorer(1).
+
+ and
+ opensc-tool(1).
+
+ card_drivers =
+ name
... ;internal
(the
+ default) will load all statically linked drivers.
+ old
will load all
+ statically linked drivers that may be removed in
+ the future.
+ OPENSC_DRIVER
overwrites this
+ setting.
+ ignored_readers =
+ name
... ;reader_driver
+ name
{
+ block_contents
+ }
+ name
is one of:
+ ctapi
: See the section called “Special Configuration Option for CT-API Readers”
+ pcsc
: See the section called “Special Configuration Option for CT-API Readers”
+ openct
: See the section called “Special Configuration Option for OpenCT Readers”
+ cryptotokenkit
: Configuration block for macOS' CryptoTokenKit readers
+ reader_driver
Configuration Block”.
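Review bot: the `pcsc` entry in the reader_driver name list points at the wrong section: `+ pcsc` / `: See the section called “Special Configuration Option for CT-API Readers”` repeats the target of the `ctapi` entry, while the PC/SC options (connect_exclusive, disconnect_action, transaction_end_action, reconnect_action, enable_pinpad, fixed_pinlength, provider_library) are documented further down under the added heading `Special Configuration Options for PC/SC Readers`. Point the `pcsc` cross-reference at that section.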
+ card_driver
+ name
{
+ block_contents
+ }
+ name
is one of:
+ npa
: See the section called “Special Configuration Options for German ID Card”
+ dnie
: See the section called “Special Configuration Options for DNIe”
+ card_atr
+ hexstring
{
+ block_contents
+ }
+ card_atr
+ block.
+ card_atr
Configuration Block”.
+ secure_messaging
+ name
{
+ block_contents
+ }
+ name
:
+ module_name =
+ filename
;module_path =
+ filename
;HKLM\Software\OpenSC
+ Project\OpenSC\SmDir
is
+ checked.
+ module_data =
+ value
;mode =
+ value
;transmit
:
+ In this mode the
+ procedure to securize
+ an APDU is called by
+ the OpenSC general APDU
+ transmit procedure. In
+ this mode all APDUs,
+ except the ones
+ filtered by the card
+ specific procedure, are
+ securized.
+ acl
:
+ In this mode APDU are
+ securized only if
+ needed by the ACLs of
+ the command to be
+ executed.
+ flags =
+ value
;kmc =
+ hexstring
;ifd_serial =
+ hexstring
;keyset[_
+ aid
]_num
_enc =
+ value
;keyset[_
+ aid
]_num
_mac =
+ value
;framework
+ name
{
+ block_contents
+ }
+ name
is one of:
+ pkcs15
: See the section called “framework pkcs15
Configuration Block”
+ tokend
: See the section called “framework tokend
Configuration Block”
+ pkcs11 {
+
+ block_contents
+ }
+ pkcs11
Configuration Block”.
+ reader_driver
Configuration BlockConfiguration Options for all Reader Drivers
max_send_size =
+ num
;max_recv_size =
+ num
;max_send_size
+ = 255
,
+ max_recv_size
+ = 256
) . Some
+ Readers don't propagate their
+ transceive capabilities correctly.
+ max_send_size and max_recv_size
+ allow setting the limits manually,
+ for example to enable extended
+ length capabilities.
+ enable_escape
+ bool
;false
)
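Review bot: `+ enable_escape` is missing the `=` that the sibling options in this block use (`max_send_size =`, `max_recv_size =`), so the rendered entry will not match the other options; it should read `enable_escape = bool`. In the same block the default text `) . Some` for max_send_size/max_recv_size has a stray space before the period and capitalises "Readers" mid-sentence.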
+ Special Configuration Option for CT-API Readers
module
+ filename
{
+ ports = nums
;
+ }
+ Special Configuration Options for PC/SC Readers
connect_exclusive =
+ bool
;false
)?
+ This option has no effect in Windows' minidriver.
+ disconnect_action =
+ action
;leave
,
+ reset
,
+ unpower
(Default:
+ leave
).
+ This option has no effect in Windows' minidriver.
+ transaction_end_action =
+ action
;leave
,
+ reset
,
+ unpower
(Default:
+ leave
).
+ This option has no effect in Windows' minidriver.
+ reconnect_action =
+ action
;leave
,
+ reset
,
+ unpower
(Default:
+ leave
).
+ This option has no effect in Windows' minidriver.
+ enable_pinpad =
+ bool
;true
)
+ fixed_pinlength =
+ num
;fixed_pinlength
+ sets this value so that OpenSC
+ expands the padding to this length
+ (Default: 0
,
+ i.e. not fixed).
+ provider_library =
+ filename
;libpcsclite.so.1
).
+ Special Configuration Options for German ID Card
can =
+ value
;st_dv_certificate =
+ filename
;st_certificate =
+ filename
;st_key =
+ filename
;Special Configuration Options for DNIe
user_consent_enabled =
+ bool
;--enable-dnie-ui
+ user_consent_app =
+ filename
;/usr/bin/pinentry
).
+ Only used if compiled with
+ --enable-dnie-ui
+ card_atr
Configuration Blockatrmask =
+ hexstring
;driver =
+ name
;name =
+ name
;type =
+ num
;cards.h
.
+ flags =
+ value
... ;rng
:
+ On-board random number
+ source
+ keep_alive
:
+ Request the card driver
+ to send a "keep alive"
+ command before each
+ transaction to make
+ sure that the required
+ applet is still
+ selected.
+ pkcs15emu =
+ name
;force_protocol =
+ value
;t0
+ t1
+ raw
+ md_read_only =
+ bool
;false
).
+ md_supports_X509_enrollment =
+ bool
;false
).
+ md_guid_as_id =
+ bool
;false
, i.e. auto generated)
+ md_guid_as_label =
+ bool
;false
,
+ i.e. no label set).
+ md_supports_container_key_gen =
+ bool
;false
).
+ md_supports_container_key_import =
+ bool
;false
).
+ md_pinpad_dlg_title =
+ value
;"Windows
+ Security"
).
+ md_pinpad_dlg_icon =
+ filename
;""
for no icon
+ (Default: Built-in smart card icon).
+ md_pinpad_dlg_main =
+ value
;"OpenSC
+ Smart Card Provider"
).
+ md_pinpad_dlg_content_user =
+ value
;"Please verify your
+ fingerprint or PIN on the
+ card."
).
+ md_pinpad_dlg_content_user_sign =
+ value
;"Please verify your
+ fingerprint or PIN for the
+ digital signature PIN on the
+ card."
).
+ md_pinpad_dlg_content_user_sign =
+ name
;"Please verify your
+ fingerprint or PIN for the
+ digital signature PIN on the
+ card."
).
+ md_pinpad_dlg_content_admin =
+ value
;"Please enter your PIN to
+ unblock the user PIN on the
+ PINPAD."
)
+ md_pinpad_dlg_content_cancel =
+ value
;md_pinpad_dlg_expanded =
+ value
;"This
+ window will be closed
+ automatically after the PIN has
+ been submitted on the PINPAD
+ (timeout typically after 30
+ seconds)."
)
+ md_pinpad_dlg_expanded_cancel =
+ value
;"Some readers only support
+ canceling the operation on the
+ PIN pad. Press Cancel or remove
+ the card."
).
+ md_pinpad_dlg_enable_cancel =
+ bool
;false
)
+ md_pinpad_dlg_timeout =
+ num
;0
removes the
+ progress bar (Default:
+ 30
).
+ notify_card_inserted =
+ value
;notify_card_inserted_text =
+ value
;"Smart card
+ detected"
, ATR of
+ the card).
+ notify_card_removed =
+ value
;notify_card_removed_text =
+ value
;"Smart card
+ removed"
, name of
+ smart card reader).
+ notify_pin_good =
+ value
;notify_pin_good_text =
+ value
;"PIN verified"
,
+ "Smart card is
+ unlocked"
).
+ notify_pin_bad =
+ value
;notify_pin_bad_text =
+ value
;"PIN not
+ verified"
,
+ "Smart card is
+ locked"
).
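Review bot: `+ md_pinpad_dlg_content_user_sign =` is listed twice in the card_atr block with the same default text ("Please verify your fingerprint or PIN for the digital signature PIN on the card."); the second copy is typed `name` where the first, like every other md_pinpad_dlg_* text option, is typed `value`. Drop the duplicate entry.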
+ framework pkcs15
Configuration Blockuse_file_caching =
+ bool
;file_cache_dir
(Default:
+ false
).
+ file_cache_dir =
+ filename
;
(Unix)
+ HOME
/.eid/cache/
(Windows)
+ USERPROFILE
\.eid-cache\use_pin_caching =
+ bool
;true
)?
+ pin_cache_counter =
+ num
;10
)?
+ pin_cache_ignore_user_consent =
+ bool
;CKA_ALWAYS_AUTHENTICATE
may
+ need to set this to get signatures to work with
+ some cards (Default: false
).
+ enable_pkcs15_emulation =
+ bool
;true
).
+ try_emulation_first =
+ bool
;no
). Some cards work in
+ emu-only mode, and do not depend on this
+ option.
+ enable_builtin_emulation =
+ bool
;true
).
+ builtin_emulators =
+ emulators
;esteid, openpgp, tcos,
+ starcert, itacns, infocamere, postecert,
+ actalis, atrust-acos, gemsafeGPK,
+ gemsafeV1, tccardos, PIV-II
)
+ pkcs11_enable_InitToken =
+ bool
;false
).
+ emulate
+ name
{
+ block_contents
+ }
+ name
is a
+ short name for an external card driver.
+ module =
+ filename
;function =
+ name
;sc_pkcs15_init_func_ex
)
+ application
+ hexstring
{
+ block_contents
+ }
+ hexstring
is the
+ application identifier (AID).
+ type =
+ name
;name
is one
+ of:
+ generic
+ protected
+ model =
+ name
;disable =
+ bool
;false
)
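Review bot: the default for `+ try_emulation_first =` is written as `no` while every other `bool` in the framework pkcs15 block (use_file_caching, use_pin_caching, enable_pkcs15_emulation, enable_builtin_emulation, pkcs11_enable_InitToken) gives `true` or `false`; use `false` here so the default matches the declared type.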
+ framework tokend
Configuration Blockscore =
+ num
;300
). The tokend with
+ the highest score shall be used.
+ ignore_private_certificate =
+ bool
;SC_PKCS15_CO_FLAG_PRIVATE
flag
+ (Default: true
).
+ pkcs11
Configuration Blockmax_virtual_slots =
+ num
;16
). If there are more slots
+ than defined here, the remaining slots will be
+ hidden from PKCS#11.
+ slots_per_card =
+ num
;4
). If the card has fewer keys
+ than defined here, the remaining number of slots
+ will be empty.
+ lock_login =
+ bool
;C_Login
(Default:
+ false
).
+
+ Thus the other users or other applications is not
+ prevented from connecting to the card and perform
+ crypto operations (which may be possible because
+ you have already authenticated with the card). This
+ setting is not very secure.
+ C_Login
, no other application
+ can use it, until the first is done and calls
+ C_Logout
or
+ C_Finalize
. In the case of many
+ PKCS#11 application this does not happen until you
+ exit the application.
+ atomic =
+ bool
;false
).
+ lock_login
to disable access for
+ other applications during the atomic transactions.
+ enable_pinpad
), because the
+ user would have to input his PIN for every
+ transaction.
+ init_sloppy =
+ bool
;C_GetSlotList
.
+ With this setting enabled, the slots will also get
+ initialized when C_GetSlotInfo
+ is called (Default: true
).
+ C_GetSlotList
when configured
+ with a static slot
instead of
+ slotListIndex
.
+ user_pin_unblock_style =
+ mode
;mode
+ is one of:
+ none
(Default): PIN
+ unblock is not possible with PKCS#11 API
+ set_pin_in_unlogged_session
:
+ C_SetPIN
in unlogged
+ session: PUK is passed as the
+ OldPin
argument of the
+ C_SetPIN
call.
+ set_pin_in_specific_context
:
+ C_SetPIN
in the
+ CKU_SPECIFIC_CONTEXT
+ logged session: PUK is passed as the
+ OldPin
argument of the
+ C_SetPIN
call.
+ init_pin_in_so_session
:
+ C_InitPIN
in
+ CKU_SO
logged session:
+ User PIN 'UNBLOCK' is protected by SOPIN.
+ (PUK == SOPIN).
+ create_puk_slot =
+ bool
;false
). This way PKCS#11 API can
+ be used to login with PUK and change a PIN. May
+ cause problems with some applications like
+ Firefox and
+ Thunderbird.
+ create_slots_for_pins =
+ mode
... ;mode
is a list of:
+ all
(Default): All
+ non-SO-PIN, non-unblocking PINs
+ user
: The first
+ global or first local PIN
+ sign
: The second PIN
+ (first local, second global or second
+ local)
+ create_slots_for_pins = "user";
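Review bot: grammar in the added lock_login description: `+ Thus the other users or other applications is not` / `+ prevented from connecting to the card and perform` should read "other users or applications are not prevented from connecting to the card and performing crypto operations", and `+ PKCS#11 application this does not happen` should be "PKCS#11 applications". This is the paragraph that explains why the default is called "not very secure", so it should read cleanly.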
+ Environment
OPENSC_CONF
+ HKLM\Software\OpenSC
+ Project\OpenSC\ConfigFile
is
+ checked.
+ CARDMOD_LOW_LEVEL_DEBUG
+ C:\tmp\md.log
, if set to
+ 1
.
+ HKLM\Software\OpenSC
+ Project\OpenSC\MiniDriverDebug
is
+ checked.
+ PIV_EXT_AUTH_KEY
,
+ PIV_9A_KEY
,
+ PIV_9C_KEY
,
+ PIV_9D_KEY
,
+ PIV_9E_KEY
+ Name
Description
Name
Synopsis
cardos-tool
[OPTIONS
]Synopsis
cardos-tool
[OPTIONS
]Description
Options
--card-driver
name
,
-c
name
name
.
@@ -65,17 +68,26 @@ smart cards and similar security tokens based on Siemens Card/OS M4.
--format
,
-f
--help
,
+ -h
+ --info
,
-i
--reader
number
,
- -r
number
+ --reader
num
,
+ -r
num
num
is an ATR, the
reader with a matching card will be chosen.
--startkey
arg
,
+ -s
arg
+ --change-startkey
arg
,
+ -S
arg
+ --verbose
,
-v
-w
Name
Synopsis
cryptoflex-tool
[OPTIONS
]Name
Synopsis
cryptoflex-tool
[OPTIONS
]Description
Name
Synopsis
dnie-tool
[OPTIONS
]Description
Options
--idesp
,
-i
@@ -185,8 +197,8 @@ smart cards and similar security tokens based on Siemens Card/OS M4.
value of the environment variable
VARIABLE
is used.
The default is do not enter pin--reader
number
,
- -r
number
+ --reader
num
,
+ -r
num
Name
Synopsis
eidenv
[OPTIONS
]Name
Synopsis
egk-tool
[OPTIONS
]Description
Options
--help
,
+ -h
--version
,
+ -V
--reader
arg
,
+ -r
arg
+ -1
as arg
+ to automatically detect the reader to use.
+ By default, the first reader with a present card is used.
+ --verbose
,
+ -v
+ Name
Synopsis
eidenv
[OPTIONS
]Description
Options
--exec
prog
,
-x
prog
@@ -247,11 +291,11 @@ to enable debug output in the opensc library.--wait
,
-w
Name
Synopsis
gids-tool
[OPTIONS
]Options
-X
,
--initialize
@@ -286,96 +330,15 @@ to enable debug output in the opensc library.--verbose
Name
Synopsis
netkey-tool
[OPTIONS
] [COMMAND
]Description
Options
--help
,
- -h
- --pin
pin-value
,
- -p
pin-value
- --puk
pin-value
,
- -u
pin-value
- --pin0
pin-value
,
- -0
pin-value
- --pin1
pin-value
,
- -1
pin-value
- --reader
number
,
- -r
number
- num
is an ATR, the
- reader with a matching card will be chosen.
- -v
- PIN format
-p
, -u
, -0
or the -1
- one of the cards pins may be specified. You may use plain ascii-strings (i.e. 123456) or a hex-string
- (i.e. 31:32:33:34:35:36). A hex-string must consist of exactly n 2-digit hexnumbers separated by n-1 colons.
- Otherwise it will be interpreted as an ascii string. For example :12:34: and 1:2:3:4 are both pins of
- length 7, while 12:34 and 01:02:03:04 are pins of length 2 and 4.Commands
--pin
option,
- netkey-tool will also display the initial value of the cards
- global PUK. If your global PUK was changed netkey-tool will still
- display its initial value. There's no way to recover a lost global PUK once it was changed.
- There's also no way to display the initial value of your global PUK without knowing the
- current value of your global PIN. number
filename
- number
) and save this certificate into file filename
- in PEM-format. Certificates on a NetKey E4 card are readable without a pin, so you don't
- have to specify one.filename
number
- filename
and store this into your smart cards certificate file
- number
. Some of your smart cards certificate files might be readonly, so
- this will not work with all values of number
. If a certificate file is
- writable you must specify a pin in order to change it. If you try to use this command
- without specifying a pin, netkey-tool will tell you which one is
- needed.pin
| puk
|
- pin0
| pin1
} new-pin
- initial-pin
- pin
| pin0
| pin1
}
- Name
Synopsis
iasecc-tool
[OPTIONS
]Description
Options
--reader
number
,
+ --reader
num
,
-w
Name
Synopsis
openpgp-tool
[OPTIONS
]Description
Options
--exec
prog
,
- -x
prog
- --help
,
- -h
- --raw
- --pretty
- --user-info
,
- -U
- --reader
num
,
- -r
num
- num
is an ATR, the
- reader with a matching card will be chosen.
- --verify
pintype
- --pin
string
- VARIABLE
, the value of
- the environment variable
- VARIABLE
is used.
- --gen-key
ID
,
- -G
ID
- --key-length
bitlength
,
- -L
bitlength
- --version
,
- -V
- --verbose
,
- -v
- --wait
,
- -w
- Name
Synopsis
netkey-tool
[OPTIONS
] [COMMAND
]Description
Options
--help
,
-h
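Review bot: this hunk (`@@ -286,96 +330,15 @@`) removes a second copy of the netkey-tool, iasecc-tool and openpgp-tool descriptions, including the security-relevant warning `- display its initial value. There's no way to recover a lost global PUK once it was changed.` and the note that certificates on a NetKey E4 card are readable without a PIN. The retained netkey-tool section in `@@ -498,8 +382,8 @@` shows only the `--reader`, PIN format and Commands lines as context, so please confirm the global PUK warning and the certificate note still exist in the kept copy rather than being dropped along with the duplicate.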
@@ -498,8 +382,8 @@ to enable debug output in the opensc library.--pin1
pin-value
,
-1
pin-value
--reader
number
,
- -r
number
+ --reader
num
,
+ -r
num
-v
PIN format
-p
, -u
, -0
or the -1
one of the cards pins may be specified. You may use plain ascii-strings (i.e. 123456) or a hex-string
(i.e. 31:32:33:34:35:36). A hex-string must consist of exactly n 2-digit hexnumbers separated by n-1 colons.
Otherwise it will be interpreted as an ascii string. For example :12:34: and 1:2:3:4 are both pins of
- length 7, while 12:34 and 01:02:03:04 are pins of length 2 and 4.Commands
Commands
pin
| puk
|
- pin0
| pin1
} new-pin
+ change
+ { pin | puk | pin0 | pin1 }
+ new-pin
pin
| pin0
| pin1
}
+ unblock
+ { pin | pin0 | pin1 }
Name
Synopsis
openpgp-tool
[OPTIONS
]Name
Synopsis
npa-tool
[OPTIONS
]Description
Options
--help
,
+ -h
--version
,
+ -V
--reader
arg
,
+ -r
arg
+ -1
as arg
+ to automatically detect the reader to use.
+ By default, the first reader with a present card is used.
+ --verbose
,
+ -v
+ Password Authenticated Connection Establishment (PACE)
--pin
[STRING
],
+ -p
[STRING
]
+ --puk
[STRING
],
+ -u
[STRING
]
+ --can
[STRING
],
+ -c
[STRING
]
+ --mrz
[STRING
],
+ -m
[STRING
]
+ --env
PIN
,
+ PUK
, CAN
, MRZ
,
+ and NEWPIN
.
+ You may want to clean your environment before enabling this.
+ (default=off)
+ PIN management
--new-pin
[STRING
],
+ -N
[STRING
]
+ --resume
,
+ -R
+ --unblock
,
+ -U
+ Terminal Authentication (TA) and Chip Authentication (CA)
--cv-certificate
FILENAME
,
+ -C
FILENAME
+ --cert-desc
HEX_STRING
--chat
HEX_STRING
7F4C0E060904007F000703010203530103
+ to trigger EAC on the CAT-C (Komfortleser).
+ --auxiliary-data
HEX_STRING
,
+ -A
HEX_STRING
+ --private-key
FILENAME
,
+ -P
FILENAME
+ --cvc-dir
DIRECTORY
/home/fm/.local/etc/eac/cvc
.
+ --x509-dir
DIRECTORY
/home/fm/.local/etc/eac/x509
.
+ --disable-ta-checks
--disable-ca-checks
Read and write data groups
--read-dg1
--read-dg2
--read-dg3
--read-dg4
--read-dg5
--read-dg6
--read-dg7
--read-dg8
--read-dg9
--read-dg10
--read-dg11
--read-dg12
--read-dg13
--read-dg14
--read-dg15
--read-dg16
--read-dg17
--read-dg18
--read-dg19
--read-dg20
--read-dg21
--write-dg17
HEX_STRING
--write-dg18
HEX_STRING
--write-dg19
HEX_STRING
--write-dg20
HEX_STRING
--write-dg21
HEX_STRING
Verification of validity, age and community ID
--verify-validity
YYYYMMDD
--older-than
YYYYMMDD
--verify-community
HEX_STRING
Special options, not always useful
--break
,
+ -b
+ -p
,
+ -a
, or -u
.
+ (default=off)
+ --translate
FILENAME
,
+ -t
FILENAME
+ --tr-03110v201
--disable-all-checks
Name
Synopsis
openpgp-tool
[OPTIONS
]Description
Options
--del-key
arg
+ arg
.
+ arg
can be 1
,
+ 2
, 3
, or
+ all
.
+ --do
arg
,
+ -d
arg
+ arg
.
+ arg
can be in the form
+ x
,
+ 10
x
, or
+ 010
x
+ to access DO 010
x
,
+ where x
is 1
,
+ 2
, 3
, or
+ 4
.
+ --erase
,
+ -E
+ --exec
prog
,
-x
prog
--gen-key
arg
,
+ -G
arg
+ arg
.
+ arg
can be one of 1
,
+ 2
, or 3
.
--help
,
-h
--raw
+ --key-length
bitlength
,
+ -L
bitlength
--pin
string
+ VARIABLE
, the value of
+ the environment variable
+ VARIABLE
is used.
--pretty
--raw
+ --reader
num
,
+ -r
num
+ num
is an ATR, the
+ reader with a matching card will be chosen.
--user-info
,
-U
--verify
pintype
+ --version
,
+ -V
+ --verbose
,
+ -v
+ --wait
,
+ -w
+ Name
Synopsis
opensc-explorer
[OPTIONS
] [SCRIPT
]Description
Options
--card-driver
driver
,
+ -c
driver
+ --mf
path
,
+ -m
path
+ path
is empty (e.g. opensc-explorer
+ --mf ""), then no file is explicitly selected.
--reader
num
,
-r
num
@@ -600,48 +740,293 @@ to enable debug output in the opensc library.num
is an ATR, the
reader with a matching card will be chosen.
--verify
pintype
+ --verbose
, -v
--pin
string
+ Causes opensc-explorer to be more
+ verbose. Specify this flag several times to enable
+ debug output in the opensc library.
+ --wait
, -w
+ Commands
SCRIPT
.
+ hex-data
+ hex-data
.file-id
+ file-id
.file-id
| sfi:
short-id
]
+ file-id
or the short file id
+ short-id
.
+ ..
| file-id
| aid:
DF-name
}
VARIABLE
, the value of
- the environment variable
- VARIABLE
is used.
+ Change to another DF specified by the argument passed.
+ If the argument given is ..
,
+ then move up one level in the file system hierarchy.
+ If it is file-id
,
+ which must be a DF directly
+ beneath the current DF, then change to that DF.
+ If it is an application identifier given as
+ aid:
DF-name
,
+ then jump to the MF of the application denoted by
+ DF-name
.
+ CHV
pin-ref
+ [
+ [old-pin
]
+ new-pin
+ ]
+ pin-ref
is the PIN reference.change CHV2 00:00:00:00:00:00 "foobar"
CHV2
+ to the new value foobar
,
+ giving the old value 00:00:00:00:00:00
.
+ change CHV2 "foobar"
CHV2
+ to the new value foobar
.
+ change CHV2
CHV2
using the card reader's pinpad.
+ --gen-key
ID
,
- -G
ID
+ create
+ file-id
+ size
+ file-id
specifies the
+ id number and size
is the size of the new file.
+ level
]
+ level
.level
is omitted the current debug level will be shown.file-id
+ file-id
hex-tag
+ [output
]
+ output
while the tag of
+ the card's data is specified by hex-tag
.
+ output
is omitted, the name of the output file will be
+ derived from hex-tag
.
+ hex-tag
+ input
+ hex-tag
is the tag of the card's data.
+ input
is the filename of the source file or the literal data presented as
+ a sequence of hexadecimal values or "
enclosed string.
+ string
...
+ string
s given.file-id
+ [output
]
+ output
while the card file is specified by file-id
.
+ output
is omitted, the name of the output file will be
+ derived from the full card path to file-id
.
+ file-id
]
+ file-id
.
+ If file-id
is not supplied,
+ the attributes of the current file are printed.pattern
...]
+ pattern
is given, then all files are listed.
+ If one ore more pattern
s are given, only files matching
+ at least one pattern
are listed.start-id
+ [end-id
]
+ ]
+ start-fid
to end-fid
(by default from 0000 to FFFF).start-tag
+ [end-tag
]
+ ]
+ start-tag
to end-tag
(by default from 0000 to FFFF).file-id
+ size
+ file-id
specifies the id number
+ and size
is the size of the new file.file-id
+ input
+ input
while the card file is specified by file-id
.
+ count
+ count
bytes.file-id
+ file-id
CHV
pin-ref
+ [
+ puk
+ [new-pin
]
+ ]
pin-ref
+ using the PUK puk
, and set potentially
+ change its value to new-pin
.
+ "
-enclosed strings, empty (""
),
+ or absent.
+ If they are absent, the values are read from the card reader's pin pad.
+ unblock CHV2 00:00:00:00:00:00 "foobar"
CHV2
using PUK
+ 00:00:00:00:00:00
+ and set it to the new value foobar
.
+ unblock CHV2 00:00:00:00:00:00 ""
CHV2
using PUK
+ 00:00:00:00:00:00
keeping the old value.
+ unblock CHV2 "" "foobar"
CHV2
+ to foobar
.
+ unblock CHV2 00:00:00:00:00:00
CHV2
using PUK
+ 00:00:00:00:00:00
.
+ The new PIN value is prompted by pinpad.
+ unblock CHV2 ""
CHV2
.
+ The new PIN value is prompted by pinpad.
+ unblock CHV2
CHV2
.
+ The unblock code and new PIN value are prompted by pinpad.
+ --key-length
bitlength
,
- -L
bitlength
- file-id
+ offs
+ data
+ file-id
with the literal data
+ data
starting from offset specified
+ by offs
.data
can be supplied as a sequencer
+ of the hex values or as a "
enclosed string. file-id
+ rec-nr
+ rec-offs
+ data
+ rec-nr
of the file
+ specified by file-id
with the literal data
+ data
starting from offset specified by
+ rec-offs
.data
can be supplied as a sequence of the hex values or
+ as a "
enclosed string. key-type
key-id
+ [key
]
+ key-type
can be one of CHV
,
+ KEY
, AUT
or PRO
.
+ key-id
is a number representing the key or PIN reference.
+ key
is the key or PIN to be verified, formatted as a
+ colon-separated list of hex values or a "
enclosed string.
+ key
is omitted, the exact action depends on the
+ card reader's features: if the card readers supports PIN input via a pin pad,
+ then the PIN will be verified using the card reader's pin pad.
+ If the card reader does not support PIN input, then the PIN will be asked
+ interactively.
+ verify CHV0 31:32:33:34:00:00:00:00
CHV2
using the hex value
+ 31:32:33:34:00:00:00:00
+ verify CHV1 "secret"
CHV1
+ using the string value secret
.
+ verify KEY2
KEY2
,
+ get the value from the card reader's pin pad.
+ open
| close
}
+ open
or close
Secure Messaging handler.Name
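Review bot: typos and one wrong example in the added opensc-explorer command descriptions: `+ If one ore more pattern` should be "one or more"; `can be supplied as a sequencer` (in the update-binary description) should be "a sequence"; and "using the PUK puk, and set potentially change its value to new-pin" (in the unblock description) should be "and optionally change its value to new-pin". The example `+ verify CHV0 31:32:33:34:00:00:00:00` is described as verifying `CHV2`; either the command or its description should say CHV0. The range synopsis written with `start-id` / `[end-id` is described with `start-fid` to `end-fid`; pick one spelling.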
Synopsis
opensc-notify
[OPTIONS
]Description
Options
--help
,
+ -h
--version
,
- -V
+ -V
Mode: customized
--title
[STRING
],
+ -t
[STRING
]
--verbose
,
- -v
+ --message
[STRING
],
+ -m
[STRING
]
Name
Synopsis
opensc-tool
[OPTIONS
]Description
Options
--version
,
num
is an ATR, the
reader with a matching card will be chosen.
--reset
[=type
],
+ --reset
[type
],
cold
, but warm reset is also possible.cold
,
+ but warm
reset is also possible.--send-apdu
apdu
,
-s
apdu
--wait
,
-w
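Review bot: changing the opensc-tool synopsis from `--reset` / `[=type` / `],` to `--reset` / `[type` / `],` alters the documented syntax for an optional argument: with getopt_long an optional argument has to be attached as `--reset=warm`, and `--reset warm` would leave `warm` as a stray positional. If the option still takes its argument optionally, keep the `=` form; if the parser was changed as well, say so in the commit message.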
Name
Synopsis
opensc-explorer
[OPTIONS
] [SCRIPT
]Description
Options
--card-driver
driver
,
- -c
driver
- --mf
path
,
- -m
path
- path
is empty (e.g. opensc-explorer
- --mf ""), then no file is explicitly selected.
- --reader
num
,
- -r
num
- num
is an ATR, the
- reader with a matching card will be chosen.
- --verbose
, -v
- --wait
, -w
- Commands
SCRIPT
.
- hex-data
- hex-data
.file-id
- file-id
.file-id
| sfi:short-id
]
- file-id
or the short file id
- short-id
.
- file-id
| aid:DF-name
}
- ..
, then move up one level in the
- file system hierarchy.
- If it is file-id
, which must be a DF directly
- beneath the current DF, then change to that DF.
- If it is an application identifier given as
- aid:
DF-name
,
- then jump to the MF of the application denoted by
- DF-name
.
- pin-ref
[[old-pin
] new-pin
]
- pin-ref
is the PIN reference.change CHV2 00:00:00:00:00:00 "foobar"
CHV2
- to the new value foobar
,
- giving the old value 00:00:00:00:00:00
.
- change CHV2 "foobar"
CHV2
- to the new value foobar
.
- change CHV2
CHV2
using the card reader's pinpad.
- file-id
size
- file-id
specifies the
- id number and size
is the size of the new file.
- level
]
- level
.level
is omitted the current debug level will be shown.file-id
- file-id
hex-tag
[output
]
- output
while the tag of
- the card's data is specified by hex-tag
.
- output
is omitted, the name of the output file will be
- derived from hex-tag
.
- hex-tag
input
- hex-tag
is the tag of the card's data.
- input
is the filename of the source file or the literal data presented as
- a sequence of hexadecimal values or "
enclosed string.
- string
...
- string
s given.file-id
[output
]
- output
while the card file is specified by file-id
.
- output
is omitted, the name of the output file will be
- derived from the full card path to file-id
.
- file-id
]
- file-id
.
- If file-id
is not supplied,
- the attributes of the current file are printed.pattern
...]
- pattern
is given, then all files are listed.
- If one ore more pattern
s are given, only files matching
- at least one pattern
are listed.start-id
[end-id
]]
- start-fid
to end-fid
(by default from 0000 to FFFF).start-tag
[end-tag
]]
- start-tag
to end-tag
(by default from 0000 to FFFF).file-id
size
- file-id
specifies the id number
- and size
is the size of the new file.file-id
input
- input
while the card file is specified by file-id
.
- count
- count
bytes.file-id
- file-id
pin-ref
[puk
[new pin
]]
- pin-ref
- using the PUK puk
, and set potentially
- change its value to new pin
.
- "
-enclosed strings, empty (""
),
- or absent.
- If they are absent, the values are read from the card reader's pin pad.
- unblock CHV2 00:00:00:00:00:00 "foobar"
CHV2
using PUK
- 00:00:00:00:00:00
- and set it to the new value foobar
.
- unblock CHV2 00:00:00:00:00:00 ""
CHV2
using PUK
- 00:00:00:00:00:00
keeping the old value.
- unblock CHV2 "" "foobar"
CHV2
- to foobar
.
- unblock CHV2 00:00:00:00:00:00
CHV2
using PUK
- 00:00:00:00:00:00
.
- The new PIN value is prompted by pinpad.
- unblock CHV2 ""
CHV2
.
- The new PIN value is prompted by pinpad.
- unblock CHV2
CHV2
.
- The unblock code and new PIN value are prompted by pinpad.
- file-id
offs
data
- file-id
with the literal data
- data
starting from offset specified
- by offs
.data
can be supplied as a sequencer
- of the hex values or as a "
enclosed string. file-id
rec-nr
rec-offs
data
- rec-nr
of the file
- specified by file-id
with the literal data
- data
starting from offset specified by
- rec-offs
.data
can be supplied as a sequence of the hex values or
- as a "
enclosed string. key-type
key-id
[key
]
- key-type
can be one of CHV
,
- KEY
, AUT
or PRO
.
- key-id
is a number representing the key or PIN reference.
- key
is the key or PIN to be verified, formatted as a
- colon-separated list of hex values or a "
enclosed string.
- key
is omitted, the exact action depends on the
- card reader's features: if the card readers supports PIN input via a pin pad,
- then the PIN will be verified using the card reader's pin pad.
- If the card reader does not support PIN input, then the PIN will be asked
- interactively.
- verify CHV0 31:32:33:34:00:00:00:00
CHV2
using the hex value
- 31:32:33:34:00:00:00:00
- verify CHV1 "secret"
CHV1
- using the string value secret
.
- verify KEY2
KEY2
,
- get the value from the card reader's pin pad.
- [open]
|[close]
- open
or close
Secure Messaging handler.Name
Synopsis
piv-tool
[OPTIONS
]Options
--serial
Name
Synopsis
pkcs11-tool
[OPTIONS
]Name
Synopsis
pkcs11-tool
[OPTIONS
]Description
Options
--attr-from
filename
filename
@@ -1250,7 +1416,7 @@ to enable debug output in the opensc library.--generate-random
num
num
bytes of random data.
Examples
pkcs11-tool --list-objects --type cert
ID
and
using the RSA-PKCS mechanism:
pkcs11-tool --sign --id ID --mechanism RSA-PKCS --input-file data --output-file data.sig
Name
Synopsis
pkcs15-crypt
[OPTIONS
]Name
Synopsis
pkcs15-crypt
[OPTIONS
]Description
Options
--version
,
Name
Synopsis
pkcs15-init
[OPTIONS
]Description
-p
switch.
- PIN Usage
personalization
.
@@ -1412,7 +1578,7 @@ to enable debug output in the opensc library.--verify-pin
has to be used.
- Modes of operation
Modes of operation
Initialization
User PIN Installation
--label
command line option.
- Key generation
Private Key Upload
okir.pem
, which is in PEM format, you would use
@@ -1478,7 +1644,7 @@ to enable debug output in the opensc library.Public Key Upload
--store-public-key
option, which takes a filename as an
argument. This file is supposed to contain the public key. If you don't
@@ -1489,12 +1655,12 @@ to enable debug output in the opensc library.Certificate Upload
--store-certificate
option, which takes a filename as
an argument. This file is supposed to contain the PEM encoded X.509
certificate.
- Uploading PKCS #12 bags
01
.
It will also store any X.509 certificates contained in the file, which is
usually the user certificate that goes with the key, as well as the CA certificate.
- Secret Key Upload
--id
if needed.
- Options
--version
,
Name
Synopsis
pkcs15-tool
[OPTIONS
]Synopsis
pkcs15-tool
[OPTIONS
]Description
Name
Synopsis
sc-hsm-tool
[OPTIONS
]Options
--initialize
,
-X
@@ -2086,16 +2252,16 @@ puk 87654321
Examples
Examples
Name
Synopsis
westcos-tool
[OPTIONS
]Synopsis
westcos-tool
[OPTIONS
]Description
Options
--change-pin
,
-n
@@ -2164,6 +2330,7 @@ puk 87654321
-u
--verbose
-v
filename
.
User authentication is required for this operation.Name
Description