diff --git a/doc/files/files.html b/doc/files/files.html index 49ce0c4e..f536af6e 100644 --- a/doc/files/files.html +++ b/doc/files/files.html @@ -43,7 +43,7 @@ span.errortext { font-style: italic; } - -->

OpenSC Manual Pages: Section 5


Table of Contents

opensc.conf — configuration file for OpenSC
pkcs15-profile — format of profile for pkcs15-init

Name

opensc.conf — configuration file for OpenSC

Description

+ -->

OpenSC Manual Pages: Section 5


Table of Contents

opensc.conf — configuration file for OpenSC
pkcs15-profile — format of profile for pkcs15-init

Name

opensc.conf — configuration file for OpenSC

Description

OpenSC obtains configuration data from the following sources in the following order

  1. command-line options @@ -122,7 +122,7 @@ app application { westcos-tool: Configuration block for OpenSC tools

-

Configuration Options

+

Configuration Options

debug = num;

Amount of debug info to print (Default: @@ -153,6 +153,12 @@ app application { Software\OpenSC Project\OpenSC\ProfileDir is checked. +

+ disable_colors = bool; +

+ Disable colors of log messages (Default: + false if attached to a console, + true otherwise).

disable_popups = bool;

@@ -176,7 +182,7 @@ app application { default) will load all statically linked drivers.

If an unknown (i.e. not internal or old) driver is - supplied, a separate configuration configuration + supplied, a separate configuration block has to be written for the driver. A special value old will load all statically linked drivers that may be removed in @@ -227,6 +233,10 @@ app application { npa: See the section called “Configuration Options for German ID Card”

  • dnie: See the section called “Configuration Options for DNIe” +

  • + edo: See the section called “Configuration Options for Polish eID Card” +

  • + myeid: See the section called “Configuration Options for MyEID Card”

  • Any other value: Configuration block for an externally loaded card driver

  • @@ -332,7 +342,7 @@ app application { Parameters for the OpenSC PKCS11 module.

    For details see the section called “Configuration of PKCS#11”. -

    Configuration of Smart Card Reader Driver

    Configuration Options for all Reader Drivers

    +

    Configuration of Smart Card Reader Driver

    Configuration Options for all Reader Drivers

    max_send_size = num; max_recv_size = num;

    @@ -429,7 +439,27 @@ app application { readers = num;

    Virtual readers to allocate (Default: 2). -

    Configuration Options for German ID Card

    +

    Configuration Options for MyEID Card

    + disable_hw_pkcs1_padding = bool; +

    + The MyEID card can internally + encapsulate the data (hash code) + into a DigestInfo ASN.1 structure + according to the selected hash + algorithm (currently only for SHA1). + DigestInfo is padded to RSA key + modulus length according to PKCS#1 + v1.5, block type 01h. Size of the + DigestInfo must not exceed 40% + of the RSA key modulus length. If + this limit is unsatisfactory (for + example someone needs RSA 1024 + with SHA512), the user can disable + this feature. In this case, the + card driver will do everything + necessary before sending the data + (hash code) to the card. +

    Configuration Options for German ID Card

    can = value;
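Review bot: disable_hw_pkcs1_padding is the only entry in this block with no "(Default: ...)" at the end, while every other option on the page states one (disable_popups, read_only, use_pin_caching); add the default here. The closing sentence "the card driver will do everything necessary before sending the data (hash code) to the card" should also say what that is: with the option enabled, the DigestInfo encapsulation and the PKCS#1 v1.5 block type 01 padding described two sentences earlier are done on the host instead of inside the card, which is what a user choosing RSA 1024 with SHA512 needs to know. Finally, "according to the selected hash algorithm (currently only for SHA1)" and the 40% DigestInfo limit give two different reasons to set the option; state which hash algorithms the card-side encapsulation supports so the reader can tell whether their case is the size limit or the missing algorithm.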

    German ID card requires the CAN to @@ -478,6 +508,16 @@ app application { /usr/bin/pinentry). Only used if compiled with --enable-dnie-ui +

    Configuration Options for Polish eID Card

    + can = value; +

    + CAN (Card Access Number – 6 digit number + printed on the right bottom corner of the + front side of the document) is required + to establish connection with the card. + It might be overwritten by EDO_CAN + environment variable. Currently, it is not + possible to set it in any other way.

    Configuration based on ATR
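Review bot: the new can = value; entry for the Polish eID card contradicts itself in its last two sentences: it offers a configuration option, says the option "might be overwritten by EDO_CAN environment variable", and then says "it is not possible to set it in any other way". Spell out the precedence, for example "The CAN is taken from the EDO_CAN environment variable if that is set, otherwise from this option; the driver does not prompt for it." Whichever order is correct, EDO_CAN is a new environment variable introduced by this patch and should also be listed in the Environment section of this page alongside OPENSC_CONF, which the patch touches but does not extend.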

    atrmask = hexstring; @@ -554,10 +594,10 @@ app application { raw

    - md_read_only = bool; + read_only = bool;

    Mark card as read/only card in - Minidriver/BaseCSP interface + PKCS#11/Minidriver/BaseCSP interface (Default: false).
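Review bot: renaming md_read_only to read_only silently breaks existing opensc.conf files that still carry the old key, and the hunk says nothing about it. Either keep md_read_only as an accepted alias and say so, or add a sentence such as "md_read_only is no longer recognised; use read_only instead", so an administrator who relied on the card being marked read-only in the Minidriver/BaseCSP interface does not lose that setting unnoticed after an upgrade. The widened scope ("PKCS#11/Minidriver/BaseCSP interface") is itself a behaviour change for configurations that already set the option, and deserves a mention in the same sentence.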

    md_supports_X509_enrollment = bool; @@ -724,7 +764,7 @@ app application {

    Where to cache the card's files. The default values are:

    • - $XDG_CACHE_HOME/opensc/ (if defined) + $XDG_CACHE_HOME/opensc/ (If $XDG_CACHE_HOME is defined)

    • $HOME/.cache/opensc/ (Unix)

    • @@ -755,6 +795,26 @@ app application { CKA_ALWAYS_AUTHENTICATE may need to set this to get signatures to work with some cards (Default: false). +

      + It is recommended to enable also PIN caching using + use_pin_caching option for OpenSC + to be able to provide PIN for the card when needed. +

    + private_certificate = value; +

    + How to handle a PIN-protected certificate. Known + parameters: +

    • + protect: The certificate stays PIN-protected. +

    • + declassify: Allow + reading the certificate without + enforcing verification of the PIN. +

    • + ignore: Ignore PIN-protected certificates. +

    + (Default: ignore in Tokend, + protect otherwise).

    enable_pkcs15_emulation = bool;
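Review bot: the declassify value needs an explicit warning. "Allow reading the certificate without enforcing verification of the PIN" means OpenSC hands out an object that the card's PKCS#15 structure marks as private (the SC_PKCS15_CO_FLAG_PRIVATE flag named by the Tokend option this replaces) without the PIN that the personalisation intended to require; one sentence saying that this relaxes an access decision made on the card, and is not a convenience or performance setting, would keep it from being switched on by default in distribution configs. The recommendation just above, "It is recommended to enable also PIN caching using use_pin_caching option", should state the trade-off it implies, namely that the PIN is then held in the process for the lifetime of the session; it should also read "to also enable PIN caching".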

    @@ -777,7 +837,7 @@ app application { builtin_emulators = emulators;

    List of the builtin pkcs15 emulators to test - (Default: westcos, openpgp, + (Default: westcos, openpgp, starcert, tcos, esteid, itacns, PIV-II, cac, gemsafeGPK, gemsafeV1, actalis, atrust-acos, tccardos, entersafe, pteid, @@ -856,13 +916,6 @@ app application { Score for OpenSC.tokend (Default: 300). The tokend with the highest score shall be used. -

    - ignore_private_certificate = bool; -

    - Tokend ignore to read PIN protected certificate - that is set - SC_PKCS15_CO_FLAG_PRIVATE flag - (Default: true).

    Configuration of PKCS#11

    max_virtual_slots = num;
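Review bot: ignore_private_certificate = bool; is removed from the Tokend section with no replacement note, although its documented default (true) is exactly what the new private_certificate option reproduces with "ignore in Tokend". Add a line in the Tokend section pointing from the old key to private_certificate = ignore; so that a configuration still carrying ignore_private_certificate = false; is recognised as no longer effective rather than silently ignored, which for this option means certificates the user expected to see are not shown.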

    @@ -1022,7 +1075,7 @@ app application { For the module to simulate the opensc-onepin module behavior the following option create_slots_for_pins = "user"; -

    Environment

    +

    Environment

    OPENSC_CONF
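Review bot: this hunk only moves the Environment heading, yet the same patch introduces a new environment variable, EDO_CAN, inside the Polish eID Card section ("It might be overwritten by EDO_CAN environment variable"). List it here next to OPENSC_CONF with its meaning, the Card Access Number for the edo driver and its precedence over can = value; in the configuration file, otherwise the only place a user can discover it is a card-specific block they may never read.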

    Filename for a user defined configuration file @@ -1065,7 +1118,7 @@ app application {

    PIV configuration during initialization with piv-tool. -

    Files

    +

    Files

    /usr/etc/opensc.conf

    System-wide configuration file @@ -1073,7 +1126,7 @@ app application { /usr/share/doc/opensc/opensc.conf

    Extended example configuration file -


    Name

    pkcs15-profile — format of profile for pkcs15-init

    Description

    +


    Name

    pkcs15-profile — format of profile for pkcs15-init

    Description

    The pkcs15-init utility for PKCS #15 smart card personalization is controlled via profiles. When starting, it will read two such profiles at the moment, a generic application profile, and a card @@ -1089,10 +1142,10 @@ app application { The card specific profile contains additional information required during card initialization, such as location of PIN files, key references etc. Profiles currently reside in @pkgdatadir@ -

    Syntax

    +

    Syntax

    This section should contain information about the profile syntax. Will add this soonishly. -

    See also

    +

    See also

    pkcs15-init(1), pkcs15-crypt(1)
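Review bot: the Syntax section of pkcs15-profile still reads "This section should contain information about the profile syntax. Will add this soonishly." Since this patch regenerates the surrounding markup anyway, either fill the section in or replace the placeholder with a pointer to the profile files under @pkgdatadir@ mentioned just above; a shipped man page section that promises content is worse than none, and the @pkgdatadir@ token in the preceding paragraph also looks like an unexpanded build variable that should render as the real path.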

    diff --git a/doc/tools/tools.html b/doc/tools/tools.html index a0b0dac4..e370fde4 100644 --- a/doc/tools/tools.html +++ b/doc/tools/tools.html @@ -43,7 +43,7 @@ span.errortext { font-style: italic; } - -->

    OpenSC Manual Pages: Section 1


    Table of Contents

    cardos-tool — displays information about Card OS-based security tokens or format them + -->

    OpenSC Manual Pages: Section 1


    Table of Contents

    cardos-tool — displays information about Card OS-based security tokens or format them
    cryptoflex-tool — utility for manipulating Schlumberger Cryptoflex data structures
    dnie-tool — displays information about DNIe based security tokens
    egk-tool — displays information on the German electronic health card (elektronische Gesundheitskarte, eGK)
    eidenv — utility for accessing visible data from electronic identity cards
    gids-tool — smart card utility for GIDS cards
    iasecc-tool — displays information about IAS/ECC card @@ -57,14 +57,11 @@ span.errortext {
    opensc-tool — generic smart card utility
    piv-tool — smart card utility for HSPD-12 PIV cards
    pkcs11-tool — utility for managing and using PKCS #11 security tokens
    pkcs15-crypt — perform crypto operations using PKCS#15 smart cards
    pkcs15-init — smart card personalization utility
    pkcs15-tool — utility for manipulating PKCS #15 data structures on smart cards and similar security tokens
    sc-hsm-tool — smart card utility for SmartCard-HSM
    westcos-tool — utility for manipulating data structures on westcos smart cards

    Name

    cardos-tool — displays information about Card OS-based security tokens or format them -

    Synopsis

    cardos-tool [OPTIONS]

    Description

    +

    Synopsis

    cardos-tool [OPTIONS]

    Description

    The cardos-tool utility is used to display information about smart cards and similar security tokens based on Siemens Card/OS M4. -

    Options

    +

    Options

    - --card-driver name, - -c name

    Use the card driver specified by name. - The default is to auto-detect the correct card driver.

    --format, -f

    Format the card or token.
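Review bot: this hunk drops the "--card-driver name, -c name" entry from cardos-tool's options and changes nothing else on the page. If the option was removed from the tool, that is a user-visible change that belongs in the release notes; if cardos-tool still accepts -c, the entry should stay (the same wording survives verbatim in the opensc-explorer hunk later in this patch: "Use the given card driver. The default is to auto-detect the correct card driver."). Either way the reason for the removal should be stated somewhere a user can find it.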

    @@ -74,12 +71,12 @@ smart cards and similar security tokens based on Siemens Card/OS M4. --info, -i

    Display information about the card or token.

    - --reader num, - -r num + --reader arg, + -r arg

    - Specify the reader to use. By default, the first + Number of the reader to use. By default, the first reader with a present card is used. If - num is an ATR, the + arg is an ATR, the reader with a matching card will be chosen.

    --startkey arg, @@ -96,13 +93,13 @@ smart cards and similar security tokens based on Siemens Card/OS M4. -w

    Causes cardos-tool to wait for the token to be inserted into reader.

    -

    Authors

    cardos-tool was written by - Andreas Jellinghaus .


    Name

    cryptoflex-tool — utility for manipulating Schlumberger Cryptoflex data structures

    Synopsis

    cryptoflex-tool [OPTIONS]

    Description

    +

    Authors

    cardos-tool was written by + Andreas Jellinghaus .


    Name

    cryptoflex-tool — utility for manipulating Schlumberger Cryptoflex data structures

    Synopsis

    cryptoflex-tool [OPTIONS]

    Description

    cryptoflex-tool is used to manipulate PKCS data structures on Schlumberger Cryptoflex smart cards. Users can create, list and read PINs and keys stored on the smart card. User PIN authentication is performed for those operations that require it. -

    Options

    +

    Options

    --app-df num, -a num @@ -144,12 +141,12 @@ smart cards and similar security tokens based on Siemens Card/OS M4.

    Reads a public key from the card, allowing the user to extract and store or use the public key

    - --reader num, - -r num + --reader arg, + -r arg

    - Specify the reader to use. By default, the first + Number of the reader to use. By default, the first reader with a present card is used. If - num is an ATR, the + arg is an ATR, the reader with a matching card will be chosen.

    --verbose, @@ -164,12 +161,12 @@ smart cards and similar security tokens based on Siemens Card/OS M4. -w

    Causes cryptoflex-tool to wait for a card insertion.

    -

    See also

    +

    See also

    pkcs15-tool(1) -

    Authors

    cryptoflex-tool was written by - Juha Yrjölä .


    Name

    dnie-tool — displays information about DNIe based security tokens

    Synopsis

    dnie-tool [OPTIONS]

    Description

    +

    Authors

    cryptoflex-tool was written by + Juha Yrjölä .


    Name

    dnie-tool — displays information about DNIe based security tokens

    Synopsis

    dnie-tool [OPTIONS]

    Description

    The dnie-tool utility is used to display additional information about DNIe, the Spanish National eID card. -

    Options

    +

    Options

    --idesp, -i @@ -181,7 +178,7 @@ smart cards and similar security tokens based on Siemens Card/OS M4. --all, -a

    Displays every available information. - This command is equivalent to -d -i -s

    + This command is equivalent to -d -i -V -s

    --serial, -s

    Displays DNIe Serial Number @@ -192,23 +189,28 @@ smart cards and similar security tokens based on Siemens Card/OS M4. Displays software version for in-card DNIe OS

    --pin pin, -p pin -

    Specify the user pin pin to use. - If set to env:VARIABLE, the - value of the environment variable - VARIABLE is used. - The default is do not enter pin

    - --reader num, - -r num

    - Specify the reader to use. By default, the first + These options can be used to specify the PIN value + on the command line. If the value is set to + env:VARIABLE, the value + of the specified environment variable is used. By default, + the code is prompted on the command line if needed. +

    + Note that on most operation systems, any user can + display the command line of any process on the + system using utilities such as + ps(1). Therefore, you should prefer + passing the codes via an environment variable + on an unsecured system. +

    + --reader arg, + -r arg +

    + Number of the reader to use. By default, the first reader with a present card is used. If - num is an ATR, the + arg is an ATR, the reader with a matching card will be chosen.

    - --driver driver, - -c driver -

    Specify the card driver driver to use. - Default is use driver from configuration file, or auto-detect if absent

    --wait, -w

    Causes dnie-tool to wait for the token to be inserted into reader.
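Review bot: "on most operation systems" in the new --pin paragraph should read "operating systems". The advice that follows is also stronger than it should be: an environment variable is not hidden from other processes of the same user (it is readable through the process's environment by anything running under the same uid, and is inherited by every child the tool spawns), so "you should prefer passing the codes via an environment variable on an unsecured system" should be softened to say that env:VARIABLE merely keeps the PIN out of ps(1), and that omitting the option and letting the tool prompt, which the paragraph already documents as the default, is the safest choice. Separately, the same hunk removes the "--driver driver, -c driver" entry without comment; state whether the option was dropped from dnie-tool or is merely no longer documented.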

    @@ -217,11 +219,11 @@ smart cards and similar security tokens based on Siemens Card/OS M4.

    Causes dnie-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

    -

    Authors

    dnie-tool was written by +

    Authors

    dnie-tool was written by Juan Antonio Martinez .


    Name

    egk-tool — displays information on the German electronic health card (elektronische Gesundheitskarte, eGK) -

    Synopsis

    egk-tool [OPTIONS]

    Description

    +

    Synopsis

    egk-tool [OPTIONS]

    Description

    The egk-tool utility is used to display information stored on the German elektronic health card (elektronische Gesundheitskarte, eGK). -

    Options

    +

    Options

    --help, -h

    Print help and exit.

    @@ -230,10 +232,10 @@ to enable debug output in the opensc library.

    --reader arg, -r arg

    - Specify the reader to use. - Use -1 as arg - to automatically detect the reader to use. - By default, the first reader with a present card is used. + Number of the reader to use. By default, the first + reader with a present card is used. If + arg is an ATR, the + reader with a matching card will be chosen.
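Review bot: the replaced text documented "Use -1 as arg to automatically detect the reader to use", and the new text drops it. If egk-tool still accepts -r -1, keep that sentence next to the new ATR matching; if -1 is no longer special, fine, but then the identical hunk for npa-tool in this patch should be checked for the same thing, since both tools previously documented the -1 behaviour and both now lose it.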

    --verbose, -v @@ -241,7 +243,7 @@ to enable debug output in the opensc library.

    Causes egk-tool to be more verbose. Specify this flag several times to be more verbose.

    -

    Health Care Application (HCA)

    --pd

    +

    Health Care Application (HCA)

    --pd

    Show 'Persönliche Versicherungsdaten' (XML).

    --vd

    Show 'Allgemeine Versicherungsdaten' (XML). @@ -249,16 +251,16 @@ to enable debug output in the opensc library.

    Show 'Geschützte Versicherungsdaten' (XML).

    --vsd-status

    Show 'Versichertenstammdaten-Status'. -

    Authors

    egk-tool was written by +

    Authors

    egk-tool was written by Frank Morgner .


    Name

    eidenv — utility for accessing visible data from - electronic identity cards

    Synopsis

    eidenv [OPTIONS]

    Description

    + electronic identity cards

    Synopsis

    eidenv [OPTIONS]

    Description

    The eidenv utility is used for accessing data from electronic identity cards (like national eID cards) which might not be present in PKCS#15 objects but available in custom files on the card. The data can be printed on screen or used by other programs via environment variables. -

    Options

    +

    Options

    --exec prog, -x prog @@ -272,12 +274,12 @@ to enable debug output in the opensc library.

    Prints all data fields from the card, like validity period, document number etc.

    - --reader num, - -r num + --reader arg, + -r arg

    - Specify the reader to use. By default, the first + Number of the reader to use. By default, the first reader with a present card is used. If - num is an ATR, the + arg is an ATR, the reader with a matching card will be chosen.

    --stats, @@ -291,19 +293,32 @@ to enable debug output in the opensc library.

    --wait, -w

    Wait for a card to be inserted

    -

    Authors

    eidenv utility was written by - Stef Hoeben and Martin Paljak .


    Name

    gids-tool — smart card utility for GIDS cards

    Synopsis

    gids-tool [OPTIONS]

    +

    Authors

    eidenv utility was written by + Stef Hoeben and Martin Paljak .


    Name

    gids-tool — smart card utility for GIDS cards

    Synopsis

    gids-tool [OPTIONS]

    The gids-tool utility can be used from the command line to perform miscellaneous smart card operations on a GIDS smart card. -

    Options

    +

    Options

    -X, --initialize

    Initialize token.

    --admin-key argument

    Define the administrator key

    - --pin argument -

    Define user PIN.

    + --pin pin +

    + This option can be used to specify the PIN value + on the command line. If the value is set to + env:VARIABLE, the value + of the specified environment variable is used. By default, + the code is prompted on the command line if needed. +

    + Note that on most operation systems, any user can + display the command line of any process on the + system using utilities such as + ps(1). Therefore, you should prefer + passing the codes via an environment variable + on an unsecured system. +

    --serial-number argument

    Define serial number.
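Review bot: same wording issues as the identical --pin paragraph added for dnie-tool in this patch: "operation systems" should be "operating systems", and recommending the environment variable as the preferred channel overstates its protection, since the variable is readable by other processes of the same user and is inherited by child processes; say instead that env:VARIABLE keeps the PIN out of ps(1) and that the prompt (the documented default) is the safest option. This block is now copied into three man pages (dnie-tool, gids-tool, openpgp-tool); a single shared fragment in the source the pages are generated from would keep the three in step.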

    -U, @@ -318,9 +333,9 @@ to enable debug output in the opensc library.

    --reader argument, -r argument

    - Specify the reader to use. By default, the first + Number of the reader to use. By default, the first reader with a present card is used. If - num is an ATR, the + argument is an ATR, the reader with a matching card will be chosen.

    -w, @@ -330,19 +345,19 @@ to enable debug output in the opensc library.

    --verbose

    Verbose operation. Use several times to enable debug output.

    -

    See also

    +

    See also

    opensc-tool(1) -

    Authors

    gids-tool was written by +

    Authors

    gids-tool was written by Vincent Le Toux .


    Name

    iasecc-tool — displays information about IAS/ECC card -

    Synopsis

    iasecc-tool [OPTIONS]

    Description

    +

    Synopsis

    iasecc-tool [OPTIONS]

    Description

    The iasecc-tool utility is used to display information about IAS/ECC v1.0.1 smart cards. -

    Options

    +

    Options

    - --reader num, + --reader arg,

    - Specify the reader to use. By default, the first + Number of the reader to use. By default, the first reader with a present card is used. If - num is an ATR, the + arg is an ATR, the reader with a matching card will be chosen.

    --list-applications, @@ -360,44 +375,44 @@ to enable debug output in the opensc library.

    -w

    Causes iasecc-tool to wait for the token to be inserted into reader.

    -

    Authors

    iasecc-tool was written by - Viktor Tarasov .


    Name

    netkey-tool — administrative utility for Netkey E4 cards

    Synopsis

    netkey-tool [OPTIONS] [COMMAND]

    Description

    The netkey-tool utility can be used from the +

    Authors

    iasecc-tool was written by + Viktor Tarasov .


    Name

    netkey-tool — administrative utility for Netkey E4 cards

    Synopsis

    netkey-tool [OPTIONS] [COMMAND]

    Description

    The netkey-tool utility can be used from the command line to perform some smart card operations with NetKey E4 cards that cannot be done easily with other OpenSC-tools, such as changing local PINs, storing certificates into empty NetKey E4 cert-files or displaying - the initial PUK-value.

    Options

    + the initial PUK-value.

    Options

    --help, -h

    Displays a short help message.

    - --pin pin-value, - -p pin-value + --pin pin, + -p pin

    Specifies the current value of the global PIN.

    - --puk pin-value, - -u pin-value + --puk pin, + -u pin

    Specifies the current value of the global PUK.

    - --pin0 pin-value, - -0 pin-value + --pin0 pin, + -0 pin

    Specifies the current value of the local PIN0 (aka local PIN).

    - --pin1 pin-value, - -1 pin-value + --pin1 pin, + -1 pin

    Specifies the current value of the local PIN1 (aka local PUK).

    - --reader num, - -r num + --reader arg, + -r arg

    - Specify the reader to use. By default, the first + Number of the reader to use. By default, the first reader with a present card is used. If - num is an ATR, the + arg is an ATR, the reader with a matching card will be chosen.

    -v

    Causes netkey-tool to be more verbose. This options may be specified multiple times to increase verbosity.

    -

    PIN format

    With the -p, -u, -0 or the -1 +

    PIN format

    With the -p, -u, -0 or the -1 one of the cards pins may be specified. You may use plain ascii-strings (i.e. 123456) or a hex-string (i.e. 31:32:33:34:35:36). A hex-string must consist of exactly n 2-digit hexnumbers separated by n-1 colons. Otherwise it will be interpreted as an ascii string. For example :12:34: and 1:2:3:4 are both pins of - length 7, while 12:34 and 01:02:03:04 are pins of length 2 and 4.

    Commands

    When used without any options or commands, netkey-tool will + length 7, while 12:34 and 01:02:03:04 are pins of length 2 and 4.

    Commands

    When used without any options or commands, netkey-tool will display information about the smart cards pins and certificates. This will not change your card in any aspect (assumed there are no bugs in netkey-tool). In particular the tries-left counters of the pins are investigated without doing @@ -441,15 +456,15 @@ to enable debug output in the opensc library.

    This unblocks the specified pin. You must specify another pin to be able to do this and if you don't specify a correct one, netkey-tool will tell you which one is needed.

    -

    See also

    +

    See also

    opensc-explorer(1) -

    Authors

    netkey-tool was written by +

    Authors

    netkey-tool was written by Peter Koch .


    Name

    npa-tool — displays information on the German eID card (neuer Personalausweis, nPA). -

    Synopsis

    npa-tool [OPTIONS]

    Description

    +

    Synopsis

    npa-tool [OPTIONS]

    Description

    The npa-tool utility is used to display information stored on the German eID card (neuer Personalausweis, nPA), and to perform some write and verification operations. -

    Options

    +

    Options

    --help, -h

    Print help and exit.

    @@ -458,10 +473,10 @@ to enable debug output in the opensc library.

    --reader arg, -r arg

    - Specify the reader to use. - Use -1 as arg - to automatically detect the reader to use. - By default, the first reader with a present card is used. + Number of the reader to use. By default, the first + reader with a present card is used. If + arg is an ATR, the + reader with a matching card will be chosen.
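Review bot: as in the egk-tool hunk of this patch, the sentence "Use -1 as arg to automatically detect the reader to use" disappears from the npa-tool --reader entry. If npa-tool still treats -1 specially, keep that sentence alongside the new ATR matching text; if not, say so in the release notes, since scripts written against the old documentation pass -r -1.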

    --verbose, -v @@ -469,7 +484,7 @@ to enable debug output in the opensc library.

    Causes npa-tool to be more verbose. Specify this flag several times to be more verbose.

    -

    Password Authenticated Connection Establishment (PACE)

    +

    Password Authenticated Connection Establishment (PACE)

    --pin [STRING], -p [STRING]

    @@ -496,7 +511,7 @@ to enable debug output in the opensc library.

    and NEWPIN. You may want to clean your environment before enabling this. (default=off) -

    PIN management

    +

    PIN management

    --new-pin [STRING], -N [STRING]

    @@ -513,7 +528,7 @@ to enable debug output in the opensc library.

    Unblock PIN (uses PUK to activate three more retries). (default=off) -

    Terminal Authentication (TA) and Chip Authentication (CA)

    +

    Terminal Authentication (TA) and Chip Authentication (CA)

    --cv-certificate FILENAME, -C FILENAME

    @@ -557,17 +572,17 @@ to enable debug output in the opensc library.

    (default=off)

    --disable-ca-checks

    Disable passive authentication. (default=off) -

    Read and write data groups

    --read-dg1

    Read data group 1: Document Type.

    --read-dg2

    Read data group 2: Issuing State.

    --read-dg3

    Read data group 3: Date of Expiry.

    --read-dg4

    Read data group 4: Given Name(s).

    --read-dg5

    Read data group 5: Family Name.

    --read-dg6

    Read data group 6: Religious/Artistic Name.

    --read-dg7

    Read data group 7: Academic Title.

    --read-dg8

    Read data group 8: Date of Birth.

    --read-dg9

    Read data group 9: Place of Birth.

    --read-dg10

    Read data group 10: Nationality.

    --read-dg11

    Read data group 11: Sex.

    --read-dg12

    Read data group 12: Optional Data.

    --read-dg13

    Read data group 13: Birth Name.

    --read-dg14

    Read data group 14.

    --read-dg15

    Read data group 15.

    --read-dg16

    Read data group 16.

    --read-dg17

    Read data group 17: Normal Place of Residence.

    --read-dg18

    Read data group 18: Community ID.

    --read-dg19

    Read data group 19: Residence Permit I.

    --read-dg20

    Read data group 20: Residence Permit II.

    --read-dg21

    Read data group 21: Optional Data.

    +

    Read and write data groups

    --read-dg1

    Read data group 1: Document Type.

    --read-dg2

    Read data group 2: Issuing State.

    --read-dg3

    Read data group 3: Date of Expiry.

    --read-dg4

    Read data group 4: Given Name(s).

    --read-dg5

    Read data group 5: Family Name.

    --read-dg6

    Read data group 6: Religious/Artistic Name.

    --read-dg7

    Read data group 7: Academic Title.

    --read-dg8

    Read data group 8: Date of Birth.

    --read-dg9

    Read data group 9: Place of Birth.

    --read-dg10

    Read data group 10: Nationality.

    --read-dg11

    Read data group 11: Sex.

    --read-dg12

    Read data group 12: Optional Data.

    --read-dg13

    Read data group 13: Birth Name.

    --read-dg14

    Read data group 14.

    --read-dg15

    Read data group 15.

    --read-dg16

    Read data group 16.

    --read-dg17

    Read data group 17: Normal Place of Residence.

    --read-dg18

    Read data group 18: Community ID.

    --read-dg19

    Read data group 19: Residence Permit I.

    --read-dg20

    Read data group 20: Residence Permit II.

    --read-dg21

    Read data group 21: Optional Data.

    --write-dg17 HEX_STRING

    Write data group 17: Normal Place of Residence.

    --write-dg18 HEX_STRING

    Write data group 18: Community ID.

    --write-dg19 HEX_STRING

    Write data group 19: Residence Permit I.

    - --write-dg20 HEX_STRING

    Write data group 20: Residence Permit II.

    --write-dg21 HEX_STRING

    Write data group 21: Optional Data.

    Verification of validity, age and community ID

    --verify-validity YYYYMMDD

    + --write-dg20 HEX_STRING

    Write data group 20: Residence Permit II.

    --write-dg21 HEX_STRING

    Write data group 21: Optional Data.

    Verification of validity, age and community ID

    --verify-validity YYYYMMDD

    Verify chip's validity with a reference date.

    --older-than YYYYMMDD

    Verify age with a reference date.

    --verify-community HEX_STRING

    Verify community ID with a reference ID. -

    Special options, not always useful

    +

    Special options, not always useful

    --break, -b

    @@ -586,9 +601,9 @@ to enable debug output in the opensc library.

    Force compliance to BSI TR-03110 version 2.01. (default=off)

    --disable-all-checks

    Disable all checking of fly-by-data. (default=off) -

    Authors

    npa-tool was written by +

    Authors

    npa-tool was written by Frank Morgner .


    Name

    openpgp-tool — utility for accessing visible data OpenPGP smart cards - and compatible tokens

    Synopsis

    openpgp-tool [OPTIONS]

    Description

    + and compatible tokens

    Synopsis

    openpgp-tool [OPTIONS]

    Description

    The openpgp-tool utility is used for accessing data from the OpenPGP v1.1 and v2.0 smart cards and compatible tokens like e.g. GPF CryptoStick v1.x, @@ -596,8 +611,13 @@ to enable debug output in the opensc library.

    PKCS#15 objects but available in custom files on the card. The data can be printed on screen or used by other programs via environment variables. -

    Options

    +

    Options

    + --card-info, + -C +

    + Show card information. +

    --del-key arg

    Delete key indicated by arg. @@ -641,19 +661,37 @@ to enable debug output in the opensc library.

    Print help message on screen.

    - --key-length bitlength, - -L bitlength + --key-info, + -K

    - Specify the length of the key to be generated. - If not given, it defaults to 2048 bit. + Show information of keys on the card.

    - --pin string + --key-type keytype, + -t keytype

    - The PIN text to verify. If set to - env:VARIABLE, the value of - the environment variable - VARIABLE is used. + Specify the type of the key to be generated. + Supported values for keytype are + rsa for RSA with 2048 bits, + rsaLENGTH + for RSA with a bit length of LENGTH. + + If not given, it defaults to rsa2048.

    + --pin pin +

    + This option can be used to specify the PIN value + on the command line. If the value is set to + env:VARIABLE, the value + of the specified environment variable is used. By default, + the code is prompted on the command line if needed. +

    + Note that on most operation systems, any user can + display the command line of any process on the + system using utilities such as + ps(1). Therefore, you should prefer + passing the codes via an environment variable + on an unsecured system. +

    --pretty
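Review bot: "Supported values for keytype are rsa for RSA with 2048 bits, rsaLENGTH for RSA with a bit length of LENGTH" should say which lengths are accepted (any value, a minimum, an upper bound?), since a rejected value is the first thing a user will hit, and should state whether anything other than RSA is accepted at all, given the option is now called --key-type rather than --key-length. The new --pin paragraph repeats the "operation systems" typo and the overstated advice to prefer an environment variable from the dnie-tool and gids-tool hunks (the variable is readable by other processes of the same user and inherited by children; the prompt is the safest choice); fix all three together.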

    Print values in pretty format. @@ -662,13 +700,13 @@ to enable debug output in the opensc library.

    Print values in raw format, as they are stored on the card.

    - --reader num, - -r num + --reader arg, + -r arg

    - Specify the reader to use. By default, the first - reader with a present card is used. If - num is an ATR, the - reader with a matching card will be chosen. + Number of the reader to use. By default, the first + reader with a present card is used. If + arg is an ATR, the + reader with a matching card will be chosen.

    --user-info, -U @@ -694,26 +732,33 @@ to enable debug output in the opensc library.

    Wait for a card to be inserted.

    -

    Authors

    openpgp-tool utility was written by +

    Authors

    openpgp-tool utility was written by Peter Marschall .


    Name

    opensc-asn1 — parse ASN.1 data -

    Synopsis

    opensc-asn1 [OPTIONS] [FILES]

    Description

    +

    Synopsis

    opensc-asn1 [OPTIONS] [FILES]

    Description

    The opensc-asn1 utility is used to parse ASN.1 data. -

    Options

    +

    Options

    --help, -h

    Print help and exit.

    --version, -V

    Print version and exit.

    -

    Authors

    opensc-asn1 was written by +

    Authors

    opensc-asn1 was written by Frank Morgner .


    Name

    opensc-explorer — generic interactive utility for accessing smart card and similar security token functions -

    Synopsis

    opensc-explorer [OPTIONS] [SCRIPT]

    Description

    +

    Synopsis

    opensc-explorer [OPTIONS] [SCRIPT]

    Description

    The opensc-explorer utility can be - used interactively to perform miscellaneous operations + used to perform miscellaneous operations such as exploring the contents of or sending arbitrary APDU commands to a smart card or similar security token. -

    Options

    +

    + If a SCRIPT is given, + opensc-explorer runs in non-interactive mode, + reading the commands from SCRIPT, + one command per line. + If no script is given, opensc-explorer + runs in interactive mode, reading commands from standard input. +

    Options

    The following are the command-line options for opensc-explorer. There are additional interactive commands available once it is running. @@ -721,72 +766,129 @@ to enable debug output in the opensc library.

    --card-driver driver, -c driver

    - Use the given card driver. The default is - auto-detected. + Use the given card driver. + The default is to auto-detect the correct card driver. + The literal value ? lists + all available card drivers and terminates + opensc-explorer.

    --mf path, -m path

    - Select the file referenced by the given path on - startup. The default is the path to the standard master file, - 3F00. If path is empty (e.g. opensc-explorer - --mf ""), then no file is explicitly selected. -

    - --reader num, - -r num + Select the file referenced by the given path on startup. + The default is the path to the standard master file, + 3F00. If path + is empty (e.g. opensc-explorer --mf ""), + then no file is explicitly selected. +

    + --reader arg, + -r arg

    - Specify the reader to use. By default, the first + Number of the reader to use. By default, the first reader with a present card is used. If - num is an ATR, the + arg is an ATR, the reader with a matching card will be chosen.

    --verbose, -v

    - Causes opensc-explorer to be more - verbose. Specify this flag several times to enable - debug output in the opensc library. -

    + Cause opensc-explorer to be more + verbose. Specify this flag several times to enable + debug output in the opensc library. +

    --wait, -w -

    Wait for a card to be inserted

    -

    Commands

    - The following commands are supported at opensc-explorer's - interactive prompt or in script files passed via the command line parameter - SCRIPT. +

    + Wait for a card to be inserted. +

    +

    Commands

    + opensc-explorer supports commands with arguments + at its interactive prompt or in script files passed via the command line + parameter SCRIPT. +

    + Similar to a command shell like e.g. bash, + each input line is split into white-space separated words. + Of these words, the first one is used as the command, + while the remaining ones are treated as arguments to that command. +

    + The following commands are supported:

    + # + ... +

    + Treat line as a comment. + Ignore anything until the end of the line introduced by + #. +

    apdu - hex-data -

    Send a custom APDU command hex-data.

    + data... +

    + Send a custom APDU command to the card. + data is a series of + sequences of hexadecimal values and strings enclosed + in double quotes ("..."). +

    asn1 file-id -

    Parse and print the ASN.1 encoded content of the file specified by - file-id.

    + [rec-no] + [offs] +

    + Parse and print the ASN.1 encoded content of the working EF + specified by file-id. + If the optional parameter + rec-no is given and the file is + a record-oriented EF, parse and print only the record + indicated by this parameter. + If the optional parameter + offs is given, start parsing + and printing the file or record at the offset indicated + by the value given. + If this parameter is not given, the default offset is + 0. +

    cat [ file-id | sfi:short-id ] -

    Print the contents of the currently selected EF or the contents - of a file specified by file-id or the short file id + [rec-no] +

    + Print the contents of the working EF specified by + file-id or the short file id short-id. -

    + If the optional second parameter + rec-no is given, + only print the record indicated by this parameter. + If no argument is given, print the the contents + of the currently selected EF. +

    cd { .. | file-id | aid:DF-name }

    Change to another DF specified by the argument passed. If the argument given is .., then move up one level in the file system hierarchy. - If it is file-id, + If it is a file-id, which must be a DF directly beneath the current DF, then change to that DF. If it is an application identifier given as aid:DF-name, then jump to the MF of the application denoted by DF-name. -

    +

    change CHVpin-ref [ [old-pin] new-pin ] -

    Change a PIN, where pin-ref is the PIN reference.

    +

    + Change the PIN specified by pin-ref + from the value given by old-pin and + change its value to new-pin. +

    + old-pin and + new-pin can be + sequences of hexadecimal values, + strings enclosed in double quotes ("..."), + empty (""), or absent. + If absent, the values are read from the card reader's pin pad. +

    Examples:

    change CHV2 00:00:00:00:00:00 "foobar"

    Change PIN CHV2 @@ -802,89 +904,196 @@ to enable debug output in the opensc library.

    create file-id size -

    Create a new EF. file-id specifies the - id number and size is the size of the new file. -

    +

    + Create a new EF. + file-id specifies the numeric id, and + size the size of the EF to create. +

    debug [level] -

    Set OpenSC debug level to level.

    If level is omitted the current debug level will be shown.

    +

    + Set OpenSC debug level to level. +

    + If level is omitted, + show the current debug level. +

    delete file-id -

    Remove the EF or DF specified by file-id

    +

    + Remove the EF or DF specified by + file-id. +

    do_get hex-tag [output] -

    Copy the internal card's 'tagged' data into the local file.

    The local file is specified by output while the tag of - the card's data is specified by hex-tag. +

    + Copy the contents of the card's data object + (DO) + specified by hex-tag + to the local host computer's file named + output.

    - If output is omitted, the name of the output file will be - derived from hex-tag. + If output is not given, + the contents of hex-tag + will be displayed as hex-dump.

    do_put hex-tag - input -

    Update internal card's 'tagged' data.

    hex-tag is the tag of the card's data. - input is the filename of the source file or the literal data presented as - a sequence of hexadecimal values or " enclosed string. + data +

    + Change the contents of the card's data object + (DO) + specified by hex-tag + to data. +

    + data is either a + sequence of hexadecimal values or a string enclosed + in double quotes ("...").

    echo string... -

    Print the strings given.

    +

    + Print the strings given. +

    erase -

    Erase the card, if the card supports it.

    +

    + Erase the card, if the card supports it. +

    get file-id [output] -

    Copy an EF to a local file. The local file is specified - by output while the card file is specified by file-id. +

    + Copy an EF to a local file. + The local file is specified by + output + while the card file is specified by + file-id.

    - If output is omitted, the name of the output file will be - derived from the full card path to file-id. + If output is omitted, + the name of the output file will be derived from the + full card path to file-id. +

    + get_record + file-id + rec-no + [output] +

    + Copy a record of a record-oriented EF to a local file. + The local file is specified by + output + while the card file and the record are specified by + file-id and + rec-no, +

    + If output is omitted, + the name of the output file will be derived from the + full card path to file-id. + and the rec-no. +

    + help + [pattern] +

    + Display the list of available commands, their options + and parameters together with a short help text. + If pattern is given, + the commands shown are limited to those matching + pattern.

    info [file-id] -

    Display attributes of a file specified by file-id. +

    + Display attributes of a file specified by + file-id. If file-id is not supplied, - the attributes of the current file are printed.

    + the attributes of the current file are displayed. +

    ls [pattern...] -

    List files in the current DF. - If no pattern is given, then all files are listed. - If one ore more patterns are given, only files matching - at least one pattern are listed.

    +

    + List files in the current DF. + If no pattern is given, + then all files are listed. + If one ore more patterns are given, + only files matching at least one + pattern are listed. +

    find [ start-id [end-id] ] -

    Find all files in the current DF. - Files are found by selecting all file identifiers in the range from start-fid to end-fid (by default from 0000 to FFFF).

    +

    + Find all files in the current DF. + Files are found by selecting all file identifiers in the range + from start-fid + to end-fid. +

    + If not given, the default value for + start-fid is 0000, + while the default for end-fid is + FFFF. +

    find_tags [ start-tag [end-tag] ] -

    Find all tags of data objects in the current context. - Tags are found by using GET DATA in the range from start-tag to end-tag (by default from 0000 to FFFF).

    +

    + Find all tags of data objects in the current context. + Tags are found by using GET DATA in the range from + from start-tag + to end-tag. +

    + If not given, the default value for + start-tag is 0000, + while the default for end-tag is + FFFF. +

    mkdir file-id size -

    Create a DF. file-id specifies the id number - and size is the size of the new file.

    +

    + Create a DF. + file-id specifies the numeric id, + and size the size of the DF to create. +

    + pin_info + key-typekey-id +

    + Get information on a PIN or key from the card, where + key-type can be one of + CHV, KEY, + AUT or PRO. + key-id is a number + representing the key or PIN reference. +

    put file-id input -

    Copy a local file to the card. The local file is specified - by input while the card file is specified by file-id. -

    +

    + Copy a local file to the card. + The local file is specified by input + while the card file is specified by + file-id. +

    quit

    Exit the program.

    random count -

    Generate random sequence of count bytes.

    + [output-file] +

    + Generate count bytes + of random data. + If output-file is given, + write the data to the host computer's file denoted + by it, otherwise show the data as hex dump. +

    rm file-id -

    Remove the EF or DF specified by file-id

    +

    + Remove the EF or DF specified by + file-id. +

    unblock CHVpin-ref [ @@ -893,13 +1102,15 @@ to enable debug output in the opensc library.

    ]

    Unblock the PIN denoted by pin-ref - using the PUK puk, and set potentially + using the PUK puk, and potentially change its value to new-pin.

    - PUK and PIN values can be a sequence of hexadecimal values, - "-enclosed strings, empty (""), - or absent. - If they are absent, the values are read from the card reader's pin pad. + puk and + new-pin can be + sequences of hexadecimal values, + strings enclosed in double quotes ("..."), + empty (""), or absent. + If absent, the values are read from the card reader's pin pad.

    Examples:

    unblock CHV2 00:00:00:00:00:00 "foobar"

    @@ -928,39 +1139,55 @@ to enable debug output in the opensc library.

    file-id offs data -

    Binary update of the file specified by +

    + Binary update of the file specified by file-id with the literal data data starting from offset specified - by offs.

    data can be supplied as a sequencer - of the hex values or as a " enclosed string.

    + by offs. +

    + data can be supplied as a sequence + of hexadecimal values or as a string enclosed in double quotes + ("..."). +

    update_record file-id rec-nr rec-offs data -

    Update record specified by rec-nr of the file - specified by file-id with the literal data - data starting from offset specified by - rec-offs.

    data can be supplied as a sequence of the hex values or - as a " enclosed string.

    +

    + Update record specified by rec-nr + of the file specified by file-id + with the literal data data + starting from offset specified by + rec-offs. +

    + data can be supplied as a sequence + of hexadecimal values or as a string enclosed in double quotes + ("..."). +

    verify key-typekey-id [key] -

    Present a PIN or key to the card, where - key-type can be one of CHV, - KEY, AUT or PRO. - key-id is a number representing the key or PIN reference. - key is the key or PIN to be verified, formatted as a - colon-separated list of hex values or a " enclosed string. +

    + Present a PIN or key to the card, where + key-type can be one of + CHV, KEY, + AUT or PRO. + key-id is a number representing + the key or PIN reference. + key is the key or PIN to be verified, + formatted as a colon-separated sequence of hexadecimal values + or a string enclosed in double quotes ("...").

    - If key is omitted, the exact action depends on the - card reader's features: if the card readers supports PIN input via a pin pad, + If key is omitted, the exact action + depends on the card reader's features: + if the card readers supports PIN input via a pin pad, then the PIN will be verified using the card reader's pin pad. - If the card reader does not support PIN input, then the PIN will be asked - interactively. + If the card reader does not support PIN input, + then the PIN will be asked interactively.

    Examples: -

    verify CHV0 31:32:33:34:00:00:00:00

    +

    verify CHV2 31:32:33:34:00:00:00:00

    Verify CHV2 using the hex value 31:32:33:34:00:00:00:00

    verify CHV1 "secret"

    @@ -973,21 +1200,24 @@ to enable debug output in the opensc library.

    sm { open | close } -

    Calls the card's open or close Secure Messaging handler.

    -

    See also

    +

    + Call the card's open or + close Secure Messaging handler. +

    +

    See also

    opensc-tool(1) -

    Authors

    opensc-explorer was written by +

    Authors

    opensc-explorer was written by Juha Yrjölä .


    Name

    opensc-notify — monitor smart card events and send notifications -

    Synopsis

    opensc-notify [OPTIONS]

    Description

    +

    Synopsis

    opensc-notify [OPTIONS]

    Description

    The opensc-notify utility is used to monitor smart card events and send the appropriate notification. -

    Options

    +

    Options

    --help, -h

    Print help and exit.

    --version, -V

    Print version and exit.

    -

    Mode: customized

    +

    Mode: customized

    Send customized notifications.

    --title [STRING], @@ -999,7 +1229,7 @@ to enable debug output in the opensc library.

    -m [STRING]

    Specify the main text of the notification. -

    Mode: standard

    +

    Mode: standard

    Manually send standard notifications.

    --notify-card-inserted, @@ -1021,14 +1251,14 @@ to enable debug output in the opensc library.

    -B

    See notify_pin_bad in opensc.conf (default=off). -

    Authors

    opensc-notify was written by - Frank Morgner .


    Name

    opensc-tool — generic smart card utility

    Synopsis

    opensc-tool [OPTIONS]

    Description

    +

    Authors

    opensc-notify was written by + Frank Morgner .


    Name

    opensc-tool — generic smart card utility

    Synopsis

    opensc-tool [OPTIONS]

    Description

    The opensc-tool utility can be used from the command line to perform miscellaneous smart card operations such as getting the card ATR or sending arbitrary APDU commands to a card. -

    Options

    +

    Options

    - --version, + --version

    Print the OpenSC package release version.

    --atr, -a @@ -1036,8 +1266,12 @@ to enable debug output in the opensc library.

    Output is in hex byte format

    --card-driver driver, -c driver -

    Use the given card driver. - The default is auto-detected.

    +

    + Use the given card driver. + The default is to auto-detect the correct card driver. + The literal value ? lists + all available card drivers. +

    --list-algorithms,

    Lists algorithms supported by card

    --info, @@ -1060,13 +1294,13 @@ to enable debug output in the opensc library.

    Get configuration key, format: section:name:key

    --set-conf-entry conf, -S conf -

    Get configuration key, format: section:name:key:value

    - --reader num, - -r num +

    Set configuration key, format: section:name:key:value

    + --reader arg, + -r arg

    - Specify the reader to use. By default, the first + Number of the reader to use. By default, the first reader with a present card is used. If - num is an ATR, the + arg is an ATR, the reader with a matching card will be chosen.

    --reset [type], @@ -1087,16 +1321,16 @@ to enable debug output in the opensc library.

    --wait, -w

    Wait for a card to be inserted.

    -

    See also

    +

    See also

    opensc-explorer(1) -

    Authors

    opensc-tool was written by - Juha Yrjölä .


    Name

    piv-tool — smart card utility for HSPD-12 PIV cards

    Synopsis

    piv-tool [OPTIONS]

    +

    Authors

    opensc-tool was written by + Juha Yrjölä .


    Name

    piv-tool — smart card utility for HSPD-12 PIV cards

    Synopsis

    piv-tool [OPTIONS]

    The piv-tool utility can be used from the command line to perform miscellaneous smart card operations on a HSPD-12 PIV smart card as defined in NIST 800-73-3. It is intended for use with test cards only. It can be used to load objects, and generate key pairs, as well as send arbitrary APDU commands to a card after having authenticated to the card using the card key provided by the card vendor. -

    Options

    +

    Options

    --serial

    Print the card serial number derived from the CHUID object, @@ -1162,18 +1396,14 @@ to enable debug output in the opensc library.

    Sends an arbitrary APDU to the card in the format AA:BB:CC:DD:EE:FF.... This option may be repeated.

    - --reader num, - -r num + --reader arg, + -r arg

    - Specify the reader to use. By default, the first + Number of the reader to use. By default, the first reader with a present card is used. If - num is an ATR, the + arg is an ATR, the reader with a matching card will be chosen.

    - --card-driver driver, - -c driver -

    Use the given card driver. - The default is auto-detected.

    --wait, -w

    Wait for a card to be inserted

    @@ -1182,16 +1412,16 @@ to enable debug output in the opensc library.

    Causes piv-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

    -

    See also

    +

    See also

    opensc-tool(1) -

    Authors

    piv-tool was written by - Douglas E. Engert .


    Name

    pkcs11-tool — utility for managing and using PKCS #11 security tokens

    Synopsis

    pkcs11-tool [OPTIONS]

    Description

    +

    Authors

    piv-tool was written by + Douglas E. Engert .


    Name

    pkcs11-tool — utility for managing and using PKCS #11 security tokens

    Synopsis

    pkcs11-tool [OPTIONS]

    Description

    The pkcs11-tool utility is used to manage the data objects on smart cards and similar PKCS #11 security tokens. Users can list and read PINs, keys and certificates stored on the token. User PIN authentication is performed for those operations that require it. -

    Options

    +

    Options

    --attr-from filename

    Extract information from filename @@ -1211,9 +1441,9 @@ to enable debug output in the opensc library.

    Hash some data.

    --hash-algorithm mechanism

    - Specify hash algorithm used with RSA-PKCS-PSS signature or RSA-OAEP decryption. - Allowed values are "SHA-1", "SHA256", "SHA384", "SHA512", and some tokens may - also allow "SHA224". Default is "SHA-1". + Specify hash algorithm used with RSA-PKCS-PSS signature or RSA-OAEP decryption. + Allowed values are "SHA-1", "SHA256", "SHA384", "SHA512", and some tokens may + also allow "SHA224". Default is "SHA-1".

    Note that the input to RSA-PKCS-PSS has to be of the size equal to the specified hash algorithm. E.g., for SHA256 the signature input must @@ -1244,13 +1474,17 @@ to enable debug output in the opensc library.

    --keygen

    Generate a new key.

    --key-type specification -

    Specify the type and length of the key to create, for example rsa:1024 or EC:prime256v1.

    +

    Specify the type and length (bytes if symmetric) of the key to create, + for example RSA:1024, EC:prime256v1, GOSTR3410-2012-256:B, + DES:8, DES3:24, AES:16 or GENERIC:64.

    --usage-sign

    Specify 'sign' key usage flag (sets SIGN in privkey, sets VERIFY in pubkey).

    --usage-decrypt

    Specify 'decrypt' key usage flag (RSA only, set DECRYPT privkey, ENCRYPT in pubkey).

    --usage-derive

    Specify 'derive' key usage flag (EC only).

    + --usage-wrap +

    Specify 'wrap' key usage flag.

    --label name, -a name

    Specify the name of the object to operate on @@ -1268,6 +1502,8 @@ to enable debug output in the opensc library.

    --list-token-slots, -T

    List slots with tokens.

    + --list-interfaces +

    List interfaces of PKCS #11 3.0 library.

    --login, -l

    Authenticate to the token before performing @@ -1294,7 +1530,7 @@ to enable debug output in the opensc library.

    load.

    --moz-cert filename, -z filename -

    Test a Mozilla-like keypair generation +

    Test a Mozilla-like key pair generation and certificate request. Specify the filename to the certificate file.

    --output-file filename, @@ -1319,6 +1555,8 @@ to enable debug output in the opensc library.

    Supply new User PIN on the command line.

    --sensitive

    Set the CKA_SENSITIVE attribute (object cannot be revealed in plaintext).

    + --extractable +

    Set the CKA_EXTRACTABLE attribute (object can be extracted)

    --set-id id, -e id

    Set the CKA_ID of the object.

    @@ -1346,6 +1584,14 @@ to enable debug output in the opensc library.

    Specify the description of the slot to use.

    --slot-index index

    Specify the index of the slot to use.

    + --object-index index +

    Specify the index of the object to use.

    + --use-locking +

    Tell pkcs11 module it should use OS thread locking. +

    + --test-threads options +

    Test a pkcs11 module's thread implication. (See source code). +

    --token-label label

    Specify the label of token. Will be used the first slot, that has the inserted token with this @@ -1369,6 +1615,14 @@ to enable debug output in the opensc library.

    --private

    Set the CKA_PRIVATE attribute (object is only viewable after a login).

    + --always-auth +

    Set the CKA_ALWAYS_AUTHENTICATE attribute to a private key object. + If set, the user has to supply the PIN for each use (sign or decrypt) with the key.

    + --allowed-mechanisms mechanisms +

    Sets the CKA_ALLOWED_MECHANISMS attribute + to a key objects when importing an object or generating + a keys. The argument accepts comma-separated list of + algorithmsm, that can be used with the given key.

    --test-ec

    Test EC (best used with the --login or --pin option).

    @@ -1378,14 +1632,17 @@ to enable debug output in the opensc library.

    --type type, -y type

    Specify the type of object to operate on. - Examples are cert, privkey - and pubkey.

    + Valid value are cert, privkey, + pubkey, secrkey + and data.

    --verbose, -v

    Cause pkcs11-tool to be more verbose.

    NB! This does not affect OpenSC debugging level! To set OpenSC PKCS#11 module into debug mode, set the OPENSC_DEBUG environment variable to a non-zero number.

    + --verify, +

    Verify signature of some data.

    --read-object, -r

    Get object's CKA_VALUE attribute (use with @@ -1405,6 +1662,8 @@ to enable debug output in the opensc library.

    --subject data

    Specify the subject in hexadecimal format (use with --type cert/privkey/pubkey).

    + --signature-file filename +

    The path to the signature file for signature verification

    --signature-format format

    Format for ECDSA signature: 'rs' (default), 'sequence', 'openssl'.

    @@ -1412,17 +1671,21 @@ to enable debug output in the opensc library.

    -w filename

    Write a key or certificate object to the token. filename points to the DER-encoded certificate or key file. -

    +

    --generate-random num

    Get num bytes of random data. -

    -

    Examples

    +

    + --allow-sw +

    Allow using software mechanisms that do not have the CKF_HW flag set. + May be required when using software tokens and emulators. +

    +

    Examples

    To list all certificates on the smart card:

    pkcs11-tool --list-objects --type cert

    To read the certificate with ID KEY_ID in DER format from smart card: -

    pkcs11-tool --read-object  --id KEY_ID --type cert --outfile cert.der

    +

    pkcs11-tool --read-object --id KEY_ID --type cert --output-file cert.der

    To convert the certificate in DER format to PEM format, use OpenSSL tools: @@ -1432,13 +1695,13 @@ to enable debug output in the opensc library.

    using the private key with ID ID and using the RSA-PKCS mechanism:

    pkcs11-tool --sign --id ID --mechanism RSA-PKCS --input-file data --output-file data.sig

    -

    Authors

    pkcs11-tool was written by - Olaf Kirch .


    Name

    pkcs15-crypt — perform crypto operations using PKCS#15 smart cards

    Synopsis

    pkcs15-crypt [OPTIONS]

    Description

    +

    Authors

    pkcs11-tool was written by + Olaf Kirch .


    Name

    pkcs15-crypt — perform crypto operations using PKCS#15 smart cards

    Synopsis

    pkcs15-crypt [OPTIONS]

    Description

    The pkcs15-crypt utility can be used from the command line to perform cryptographic operations such as computing digital signatures or decrypting data, using keys stored on a PKCS#15 compliant smart card. -

    Options

    +

    Options

    --version,

    Print the OpenSC package release version.

    @@ -1488,12 +1751,12 @@ to enable debug output in the opensc library.

    --raw, -R

    Outputs raw 8 bit data.

    - --reader N, - -r N + --reader arg, + -r arg

    - Specify the reader to use. By default, the first + Number of the reader to use. By default, the first reader with a present card is used. If - num is an ATR, the + arg is an ATR, the reader with a matching card will be chosen.

    --md5 @@ -1535,18 +1798,18 @@ to enable debug output in the opensc library.

    Causes pkcs15-crypt to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.

    -

    See also

    +

    See also

    pkcs15-init(1), pkcs15-tool(1) -

    Authors

    pkcs15-crypt was written by - Juha Yrjölä .


    Name

    pkcs15-init — smart card personalization utility

    Synopsis

    pkcs15-init [OPTIONS]

    Description

    +

    Authors

    pkcs15-crypt was written by + Juha Yrjölä .


    Name

    pkcs15-init — smart card personalization utility

    Synopsis

    pkcs15-init [OPTIONS]

    Description

    The pkcs15-init utility can be used to create a PKCS #15 structure on a smart card, and add key or certificate objects. Details of the structure that will be created are controlled via profiles.

    The profile used by default is pkcs15. Alternative profiles can be specified via the -p switch. -

    PIN Usage

    +

    PIN Usage

    pkcs15-init can be used to create a PKCS #15 structure on your smart card, create PINs, and install keys and certificates on the card. This process is also called personalization. @@ -1578,7 +1841,7 @@ to enable debug output in the opensc library.

    are protected and cannot be parsed without authentication (usually with User PIN). This authentication need to be done immediately after the card binding. In such cases --verify-pin has to be used. -

    Modes of operation

    Initialization

    This is the first step during card personalization, and will create the +

    Modes of operation

    Initialization

    This is the first step during card personalization, and will create the basic files on the card. To create the initial PKCS #15 structure, invoke the utility as

    @@ -1588,7 +1851,7 @@ to enable debug output in the opensc library.

    If the card supports it, you should erase the contents of the card with pkcs15-init --erase-card before creating the PKCS#15 structure. -

    User PIN Installation

    +

    User PIN Installation

    Before installing any user objects such as private keys, you need at least one PIN to protect these objects. you can do this using

    @@ -1602,25 +1865,26 @@ to enable debug output in the opensc library.

    To set a label for this PIN object (which can be used by applications to display a meaningful prompt to the user), use the --label command line option. -

    Key generation

    +

    Key generation

    pkcs15-init lets you generate a new key and store it on the card. You can do this using:

    pkcs15-init --generate-key " keyspec " --auth-id " nn

    - where keyspec describes the algorithm and length of the - key to be created, such as rsa/512. This will create a 512 bit - RSA key. Currently, only RSA key generation is supported. Note that cards - usually support just a few different key lengths. Almost all cards will support - 512 and 1024 bit keys, some will support 768 or 2048 as well. + where keyspec describes the algorithm and the parameters + of the key to be created. For example, rsa:2048 generates a RSA key + with 2048-bit modulus. If you are generating an EC key, the curve designation must + be specified, for example ec:prime256v1. For symmetric key, + the length of key is specified in bytes, for example AES:32 + or DES3:24.

    nn is the ID of a user PIN installed previously, e.g. 01.

    In addition to storing the private portion of the key on the card, - pkcs15-init will also store the the public portion of the + pkcs15-init will also store the public portion of the key as a PKCS #15 public key object. -

    Private Key Upload

    +

    Private Key Upload

    You can use a private key generated by other means and upload it to the card. For instance, to upload a private key contained in a file named okir.pem, which is in PEM format, you would use @@ -1628,7 +1892,7 @@ to enable debug output in the opensc library.

    pkcs15-init --store-private-key okir.pem --id 45 --auth-id 01

    In addition to storing the private portion of the key on the card, - pkcs15-init will also store the the public portion of the + pkcs15-init will also store the public portion of the key as a PKCS #15 public key object.

    Note that usage of --id option in the pkcs15-init @@ -1644,7 +1908,7 @@ to enable debug output in the opensc library.

    a file. A PKCS #12 file usually contains the X.509 certificate corresponding to the private key. If that is the case, pkcs15-init will store the certificate instead of the public key portion. -

    Public Key Upload

    +

    Public Key Upload

    You can also upload individual public keys to the card using the --store-public-key option, which takes a filename as an argument. This file is supposed to contain the public key. If you don't @@ -1655,12 +1919,12 @@ to enable debug output in the opensc library.

    Since the corresponding public keys are always uploaded automatically when generating a new key, or when uploading a private key, you will probably use this option only very rarely. -

    Certificate Upload

    +

    Certificate Upload

    You can upload certificates to the card using the --store-certificate option, which takes a filename as an argument. This file is supposed to contain the PEM encoded X.509 certificate. -

    Uploading PKCS #12 bags

    +

    Uploading PKCS #12 bags

    Most browsers nowadays use PKCS #12 format files when you ask them to export your key and certificate to a file. pkcs15-init is capable of parsing these files, and storing their contents on the @@ -1674,16 +1938,16 @@ to enable debug output in the opensc library.

    and protect it with the PIN referenced by authentication ID 01. It will also store any X.509 certificates contained in the file, which is usually the user certificate that goes with the key, as well as the CA certificate. -

    Secret Key Upload

    +

    Secret Key Upload

    You can use a secret key generated by other means and upload it to the card. For instance, to upload an AES-secret key generated by the system random generator you would use

    - pkcs15-init --store-secret-key /dev/urandom --secret-key-algorithm aes/256 --auth-id 01 + pkcs15-init --store-secret-key /dev/urandom --secret-key-algorithm aes:256 --auth-id 01

    By default a random ID is generated for the secret key. You may specify an ID with the --id if needed. -

    Options

    +

    Options

    --version,

    Print the OpenSC package release version.

    @@ -1719,9 +1983,9 @@ to enable debug output in the opensc library.

    -G keyspec

    Tells the card to generate new key and store it on the card. - keyspec consists of an algorithm name - (currently, the only supported name is RSA), - optionally followed by a slash and the length of the key in bits. + keyspec consists of an algorithm name, + optionally followed by a colon ":", slash "/" or hyphen "-" and + the parameters of the key to be created. It is a good idea to specify the key ID along with this command, using the id option, otherwise an intrinsic ID will be calculated from the key material. Look the description of @@ -1730,36 +1994,23 @@ to enable debug output in the opensc library.

    For the multi-application cards the target PKCS#15 application can be specified by the hexadecimal AID value of the aid option.

    - --options-file filename + --pin pin, + --puk puk, + --so-pin sopin, + --so-puk sopuk

    - Tells pkcs15-init to read additional options - from filename. The file is supposed to - contain one long option per line, without the leading dashes, - for instance: -

    -pin		1234
    -puk		87654321
    -							

    + These options can be used to specify the PIN/PUK values + on the command line. If the value is set to + env:VARIABLE, the value + of the specified environment variable is used. By default, + the code is prompted on the command line if needed.

    - You can specify --options-file several times. -

    - --pin, - --puk - --so-pin, - --so-puk, -

    - These options can be used to specify PIN/PUK values - on the command line. If set to - env:VARIABLE, the value - of the environment variable - VARIABLE is used. Note - that on most operation systems, any user can + Note that on most operation systems, any user can display the command line of any process on the system using utilities such as - ps(1). Therefore, you should use - these options only on a secured system, or in an - options file specified with - --options-file. + ps(1). Therefore, you should prefer + passing the codes via an environment variable + on an unsecured system.

    --no-so-pin,

    @@ -1786,7 +2037,7 @@ puk 87654321 --secret-key-algorithm keyspec,

    keyspec describes the algorithm and length of the - key to be created or downloaded, such as aes/256. + key to be created or downloaded, such as aes:256. This will create a 256 bit AES key.

    --store-certificate filename, @@ -1907,12 +2158,12 @@ puk 87654321 card specific sanity check and possibly update procedure.

    - --reader num, - -r num + --reader arg, + -r arg

    - Specify the reader to use. By default, the first + Number of the reader to use. By default, the first reader with a present card is used. If - num is an ATR, the + arg is an ATR, the reader with a matching card will be chosen.

    --verbose, @@ -2007,6 +2258,13 @@ puk 87654321

    Private key stored as an extractable key

    + --user-consent arg +

    + Specify user-consent. arg is an integer value. + If > 0, the value specifies how many times the + object can be accessed before a new authentication is required. + If zero, the object does not require re-authentication. +

    --insecure

    Insecure mode: do not require a PIN for private key @@ -2020,25 +2278,25 @@ puk 87654321

    Display help message

    -

    See also

    +

    See also

    pkcs15-profile(5) -

    Authors

    pkcs15-init was written by +

    Authors

    pkcs15-init was written by Olaf Kirch .


    Name

    pkcs15-tool — utility for manipulating PKCS #15 data structures - on smart cards and similar security tokens

    Synopsis

    pkcs15-tool [OPTIONS]

    Description

    + on smart cards and similar security tokens

    Synopsis

    pkcs15-tool [OPTIONS]

    Description

    The pkcs15-tool utility is used to manipulate the PKCS #15 data structures on smart cards and similar security tokens. Users can list and read PINs, keys and certificates stored on the token. User PIN authentication is performed for those operations that require it. -

    Options

    +

    Options

    --version,

    Print the OpenSC package release version.

    --aid aid

    Specify in a hexadecimal form the AID of the on-card PKCS#15 application to bind to.

    - --auth-id pin, - -a pin + --auth-id id, + -a id

    Specifies the auth id of the PIN to use for the operation. This is useful with the --change-pin operation.

    --change-pin @@ -2109,8 +2367,7 @@ puk 87654321 the binary data directly. This does not affect the output that is written to the file specified by the --output option. Data written to a file will always be in raw binary.

    - --read-certificate cert, - -r cert + --read-certificate cert

    Reads the certificate with the given id.

    --read-data-object cert, -R data @@ -2137,11 +2394,11 @@ puk 87654321 --update, -U,

    Update the card with a security update

    - --reader num + --reader arg

    - Specify the reader to use. By default, the first + Number of the reader to use. By default, the first reader with a present card is used. If - num is an ATR, the + arg is an ATR, the reader with a matching card will be chosen.

    --unblock-pin, @@ -2153,11 +2410,24 @@ puk 87654321

    Causes pkcs15-tool to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.

    - --pin PIN -

    Specify PIN

    - --puk PUK -

    Specify Unblock PIN

    - --new-pin PIN + --pin pin, + --new-pin newpin + --puk puk +

    + These options can be used to specify the PIN/PUK values + on the command line. If the value is set to + env:VARIABLE, the value + of the specified environment variable is used. By default, + the code is prompted on the command line if needed. +

    + Note that on most operation systems, any user can + display the command line of any process on the + system using utilities such as + ps(1). Therefore, you should prefer + passing the codes via an environment variable + on an unsecured system. +

    + --new-pin pin

    Specify New PIN (when changing or unblocking)

    --verify-pin

    Verify PIN after card binding and before issuing any command @@ -2171,16 +2441,16 @@ puk 87654321 wait for a card insertion.

    --use-pinpad

    Do not prompt the user; if no PINs supplied, pinpad will be used.

    -

    See also

    +

    See also

    pkcs15-init(1), pkcs15-crypt(1) -

    Authors

    pkcs15-tool was written by - Juha Yrjölä .


    Name

    sc-hsm-tool — smart card utility for SmartCard-HSM

    Synopsis

    sc-hsm-tool [OPTIONS]

    +

    Authors

    pkcs15-tool was written by + Juha Yrjölä .


    Name

    sc-hsm-tool — smart card utility for SmartCard-HSM

    Synopsis

    sc-hsm-tool [OPTIONS]

    The sc-hsm-tool utility can be used from the command line to perform extended maintenance tasks not available via PKCS#11 or other tools in the OpenSC package. It can be used to query the status of a SmartCard-HSM, initialize a device, generate and import Device Key Encryption Key (DKEK) shares and to wrap and unwrap keys. -

    Options

    +

    Options

    --initialize, -X @@ -2209,19 +2479,28 @@ puk 87654321 same SmartCard-HSM.

    After using --initialize with one or more DKEK shares, the SmartCard-HSM will remain in the initialized state until all DKEK shares have been imported. During this phase no new keys can be generated or imported.

    - --so-pin value -

    Define SO-PIN for initialization. If set to - env:VARIABLE, the value of - the environment variable - VARIABLE is used.

    - --pin value -

    Define user PIN for initialization, wrap or - unwrap operation. If set to - env:VARIABLE, the value of - the environment variable - VARIABLE is used.

    + --pin pin, + --so-pin sopin, +

    + These options can be used to specify the PIN values + on the command line. If the value is set to + env:VARIABLE, the value + of the specified environment variable is used. By default, + the code is prompted on the command line if needed. +

    + Note that on most operation systems, any user can + display the command line of any process on the + system using utilities such as + ps(1). Therefore, you should prefer + passing the codes via an environment variable + on an unsecured system. +

    --pin-retry value

    Define number of PIN retries for user PIN during initialization. Default is 3.

    + --bio-server1 value +

    The hexadecimal AID of of the biometric server for template 1. Switches on the use of the user PIN as session PIN.

    + --bio-server2 value +

    The hexadecimal AID of of the biometric server for template 2. Switches on the use of the user PIN as session PIN.

    --password value

    Define password for DKEK share encryption. If set to env:VARIABLE, the value of @@ -2236,12 +2515,12 @@ puk 87654321 --label label, -l label

    Define the token label to be used in --initialize.

    - --reader num, - -r num + --reader arg, + -r arg

    - Specify the reader to use. By default, the first + Number of the reader to use. By default, the first reader with a present card is used. If - num is an ATR, the + arg is an ATR, the reader with a matching card will be chosen.

    --wait, @@ -2252,16 +2531,16 @@ puk 87654321

    Causes sc-hsm-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

    -

    Examples

    Create a DKEK share:

    sc-hsm-tool --create-dkek-share dkek-share-1.pbe

    Create a DKEK share with random password split up using a (3, 5) threshold scheme:

    sc-hsm-tool --create-dkek-share dkek-share-1.pbe --pwd-shares-threshold 3 --pwd-shares-total 5

    Initialize SmartCard-HSM to use a single DKEK share:

    sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 --dkek-shares 1 --label mytoken

    Import DKEK share:

    sc-hsm-tool --import-dkek-share dkek-share-1.pbe

    Import DKEK share using a password split up using a (3, 5) threshold scheme for encryption:

    sc-hsm-tool --import-dkek-share dkek-share-1.pbe --pwd-shares-total 3

    Wrap referenced key, description and certificate:

    sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1 --pin 648219

    Unwrap key into same or in different SmartCard-HSM with the same DKEK:

    sc-hsm-tool --unwrap-key wrap-key.bin --key-reference 10 --pin 648219 --force

    See also

    +

    Examples

    Create a DKEK share:

    sc-hsm-tool --create-dkek-share dkek-share-1.pbe

    Create a DKEK share with random password split up using a (3, 5) threshold scheme:

    sc-hsm-tool --create-dkek-share dkek-share-1.pbe --pwd-shares-threshold 3 --pwd-shares-total 5

    Initialize SmartCard-HSM to use a single DKEK share:

    sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 --dkek-shares 1 --label mytoken

    Import DKEK share:

    sc-hsm-tool --import-dkek-share dkek-share-1.pbe

    Import DKEK share using a password split up using a (3, 5) threshold scheme for encryption:

    sc-hsm-tool --import-dkek-share dkek-share-1.pbe --pwd-shares-total 3

    Wrap referenced key, description and certificate:

    sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1 --pin 648219

    Unwrap key into same or in different SmartCard-HSM with the same DKEK:

    sc-hsm-tool --unwrap-key wrap-key.bin --key-reference 10 --pin 648219 --force

    See also

    opensc-tool(1) -

    Authors

    sc-hsm-tool was written by +

    Authors

    sc-hsm-tool was written by Andreas Schwier .


    Name

    westcos-tool — utility for manipulating data structures - on westcos smart cards

    Synopsis

    westcos-tool [OPTIONS]

    Description

    + on westcos smart cards

    Synopsis

    westcos-tool [OPTIONS]

    Description

    The westcos-tool utility is used to manipulate the westcos data structures on 2 Ko smart cards / tokens. Users can create PINs, keys and certificates stored on the card / token. User PIN authentication is performed for those operations that require it. -

    Options

    +

    Options

    --change-pin, -n @@ -2300,30 +2579,35 @@ puk 87654321 --overwrite-key, -o

    Overwrite the key if there is already a key on the card.

    - --pin-value value, - -x value -

    Set value of PIN. If set to - env:VARIABLE, the value of - the environment variable - VARIABLE is used.

    - --puk-value value, - -y value -

    set value of PUK (or value of new PIN for change PIN - command see -n). If set to - env:VARIABLE, the value of - the environment variable - VARIABLE is used.

    + --pin-value pin, + -x pin + --puk-value puk, + -y puk +

    + These options can be used to specify the PIN/PUK values + on the command line. If the value is set to + env:VARIABLE, the value + of the specified environment variable is used. By default, + the code is prompted on the command line if needed. +

    + Note that on most operation systems, any user can + display the command line of any process on the + system using utilities such as + ps(1). Therefore, you should prefer + passing the codes via an environment variable + on an unsecured system. +

    --read-file filename, -j filename

    Read the file filename from the card. The file is written on disk with name filename. User authentication is required for this operation.

    - --reader num, - -r num + --reader arg, + -r arg

    - Specify the reader to use. By default, the first + Number of the reader to use. By default, the first reader with a present card is used. If - num is an ATR, the + arg is an ATR, the reader with a matching card will be chosen.

    --unblock-pin, @@ -2344,5 +2628,5 @@ puk 87654321 from disk to card. On the card the file is written in filename. User authentication is required for this operation.

    -

    Authors

    westcos-tool was written by +

    Authors

    westcos-tool was written by Francois Leblanc .
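Review bot: the rewritten keyspec sentence in the `-G keyspec` hunk no longer says which algorithm names are accepted or what "the parameters of the key to be created" are; the old text at least named RSA. Suggest naming the supported algorithms and giving one concrete keyspec per separator, for instance the `aes:256` form this same patch now uses under `--secret-key-algorithm`, so a reader can see the format. While in this entry, the unchanged "Look the description of" is missing "at".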
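Review bot: dropping the `--options-file` entry in the pkcs15-init options hunk is a user-visible change the text leaves unexplained; if the option is still accepted it should stay documented, and if it was removed the entry should say so rather than vanish. In the same hunk, "operation systems" should be "operating systems" (the identical typo is introduced again in the pkcs15-tool, sc-hsm-tool and westcos-tool PIN entries), and the new advice to "prefer passing the codes via an environment variable on an unsecured system" overstates what that buys: an environment variable hides the code from ps(1), but it remains readable by other processes of the same user and by root. Since the paragraph already states that the code is prompted for by default, suggest "prefer the prompt; if the code must be supplied non-interactively, use an environment variable rather than the command line".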
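Review bot: "Number of the reader to use" in the four `--reader arg` hunks (pkcs15-init, pkcs15-tool, sc-hsm-tool, westcos-tool) is contradicted by the sentence that follows it, which says arg may be an ATR. Suggest "Number or ATR of the reader to use", or keep the previous "Specify the reader to use" and let the ATR sentence qualify it.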
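Review bot: the new `--user-consent arg` entry in the pkcs15-init hunk should state the behaviour when the option is omitted (is zero the default?) and whether negative values are rejected, since "arg is an integer value" admits them while the text only defines zero and greater-than-zero. "Specify user-consent." as the opening sentence restates the option name; lead with what the value governs instead.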
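Review bot: removing `-r cert` from the pkcs15-tool `--read-certificate` entry without comment is a user-visible change; the entry (or the `--reader arg` entry of the same tool, which lists no short option) should say whether -r was dropped or now means something else. The neighbouring unchanged `--read-data-object cert, -R data` also names its argument inconsistently (cert versus data).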
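Review bot: `--new-pin` is documented twice in the pkcs15-tool PIN hunk, once inside the combined "--pin pin, --new-pin newpin --puk puk" entry and again as the separate "--new-pin pin" entry right below it, with different argument names. Keep one; the separate entry carries the useful "when changing or unblocking" detail. The combined entry is also missing the comma after "newpin", and its description says "PIN/PUK values" although it now covers the new PIN too.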
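Review bot: the merged sc-hsm-tool PIN entry loses scope information the old entries carried, namely that `--so-pin` is used for initialization and `--pin` for initialization, wrap and unwrap; please keep that per-option scope in the generic text. The option list has a stray trailing comma after "sopin", and both new `--bio-server1` and `--bio-server2` entries read "AID of of the biometric server"; a sentence on what using the user PIN as session PIN means for the caller would also help.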
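Review bot: the merged westcos-tool `--pin-value`/`--puk-value` entry drops the note that -y/--puk-value also supplies the new PIN for the change-PIN command (-n); that was the only place the double role was documented, so keep it. The option list is also missing the comma after "-x pin".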