diff --git a/doc/tools/Makefile.am b/doc/tools/Makefile.am index 83a36199..17e4fbf1 100644 --- a/doc/tools/Makefile.am +++ b/doc/tools/Makefile.am @@ -2,8 +2,7 @@ MAINTAINERCLEANFILES = $(srcdir)/Makefile.in EXTRA_DIST = completion-template -# TODO XXX Uncomment after fixing issue #1267 -#TESTS = test-manpage.sh +TESTS = test-manpage.sh dist_noinst_DATA = $(wildcard $(srcdir)/*.xml) if ENABLE_DOC diff --git a/doc/tools/cardos-tool.1.xml b/doc/tools/cardos-tool.1.xml index 553934b1..9f384c89 100644 --- a/doc/tools/cardos-tool.1.xml +++ b/doc/tools/cardos-tool.1.xml @@ -59,8 +59,14 @@ smart cards and similar security tokens based on Siemens Card/OS M4. number, number - Specify the reader number number to use. - The default is reader 0. + + + Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. + + diff --git a/doc/tools/cryptoflex-tool.1.xml b/doc/tools/cryptoflex-tool.1.xml index 1364e449..78428c61 100644 --- a/doc/tools/cryptoflex-tool.1.xml +++ b/doc/tools/cryptoflex-tool.1.xml @@ -134,9 +134,14 @@ num, num - Forces cryptoflex-tool to use - reader number num for operations. The default - is to use reader number 0, the first reader in the system. + + + Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. + + diff --git a/doc/tools/dnie-tool.1.xml b/doc/tools/dnie-tool.1.xml index dd79c0ef..59f68b1d 100644 --- a/doc/tools/dnie-tool.1.xml +++ b/doc/tools/dnie-tool.1.xml @@ -86,8 +86,14 @@ number, number - Specify the reader number to use. - The default is reader 0. + + + Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. + + diff --git a/doc/tools/eidenv.1.xml b/doc/tools/eidenv.1.xml index 2f729729..75f2d0a7 100644 --- a/doc/tools/eidenv.1.xml 
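Review bot: The Makefile.am hunk re-enables `TESTS = test-manpage.sh` and deletes the `# TODO XXX Uncomment after fixing issue #1267` marker, but nothing in this diff touches test-manpage.sh or otherwise shows what resolved #1267, so the commit message should state what fixed it (presumably the manpage additions in the later hunks bring the XML back in sync with what the script checks, but that is inferred, not visible). The new `TESTS` line sits above the `if ENABLE_DOC` context line, so the test now runs unconditionally; if test-manpage.sh needs the doc toolchain, it should be moved inside that conditional so `make check` does not fail on builds configured without docs, e.g. `if ENABLE_DOC` / `TESTS = test-manpage.sh` / `endif` (the conditional's body is outside the hunk, so confirm against the full file). The diff lines here are collapsed onto one physical line, so exact line placement is read from the `-`/`+` markers.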
+++ b/doc/tools/eidenv.1.xml @@ -69,9 +69,14 @@ num, num - - Use the given reader. The default is the first reader with a card. - + + + Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. + + diff --git a/doc/tools/gids-tool.1.xml b/doc/tools/gids-tool.1.xml index 13a76b4b..7f4c076b 100644 --- a/doc/tools/gids-tool.1.xml +++ b/doc/tools/gids-tool.1.xml @@ -82,8 +82,14 @@ argument, argument - Uses reader number - argument. + + + Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. + + diff --git a/doc/tools/iasecc-tool.1.xml b/doc/tools/iasecc-tool.1.xml index ba0ac0ab..59ee1b1d 100644 --- a/doc/tools/iasecc-tool.1.xml +++ b/doc/tools/iasecc-tool.1.xml @@ -36,8 +36,14 @@ number, - Specify the reader number number to use. - The default is reader 0. + + + Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. + + diff --git a/doc/tools/netkey-tool.1.xml b/doc/tools/netkey-tool.1.xml index 56393240..d5b5304b 100644 --- a/doc/tools/netkey-tool.1.xml +++ b/doc/tools/netkey-tool.1.xml @@ -74,7 +74,14 @@ number, number - Use smart card in specified reader. Default is reader 0. + + + Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. + + diff --git a/doc/tools/openpgp-tool.1.xml b/doc/tools/openpgp-tool.1.xml index b51225a2..380cac6b 100644 --- a/doc/tools/openpgp-tool.1.xml +++ b/doc/tools/openpgp-tool.1.xml 
@@ -91,9 +91,14 @@ num, num - - Use the given reader. The default is the first reader with a card. - + + + Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. + + diff --git a/doc/tools/opensc-explorer.1.xml b/doc/tools/opensc-explorer.1.xml index 85ab0857..25459726 100644 --- a/doc/tools/opensc-explorer.1.xml +++ b/doc/tools/opensc-explorer.1.xml @@ -68,10 +68,14 @@ num, num - - Use the given reader number. The default - is 0, the first reader in the system. - + + + Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. + + diff --git a/doc/tools/opensc-tool.1.xml b/doc/tools/opensc-tool.1.xml index 00abd45a..4f7cf220 100644 --- a/doc/tools/opensc-tool.1.xml +++ b/doc/tools/opensc-tool.1.xml @@ -115,8 +115,14 @@ num, num - Use the given reader number. - The default is 0, the first reader in the system. + + + Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. + + diff --git a/doc/tools/piv-tool.1.xml b/doc/tools/piv-tool.1.xml index 034c1e18..397d0ac8 100644 --- a/doc/tools/piv-tool.1.xml +++ b/doc/tools/piv-tool.1.xml @@ -154,8 +154,14 @@ num, num - Use the given reader number. The default is - 0, the first reader in the system. + + + Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. + + diff --git a/doc/tools/pkcs15-crypt.1.xml b/doc/tools/pkcs15-crypt.1.xml index 2126f06f..f3dcf64b 100644 --- a/doc/tools/pkcs15-crypt.1.xml +++ b/doc/tools/pkcs15-crypt.1.xml 
@@ -132,10 +132,14 @@ N, N - Selects the N-th smart - card reader configured by the system. If unspecified, - pkcs15-crypt will use the first reader - found. + + + Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. + + diff --git a/doc/tools/pkcs15-init.1.xml b/doc/tools/pkcs15-init.1.xml index ae7dbd7d..0234de0c 100644 --- a/doc/tools/pkcs15-init.1.xml +++ b/doc/tools/pkcs15-init.1.xml @@ -170,11 +170,11 @@ Note that usage of option in the pkcs15-init - commands to generate or to import a new key is deprecated. - Better practice is to let the middleware to derive the identifier from the key material. - (SHA1(modulus) for RSA, SHA1(pub) for DSA, ...). - This allows easily set up relation between 'related' objects - (private/public keys and certificates). + commands to generate or to import a new key is deprecated. + Better practice is to let the middleware to derive the identifier from the key material. + (SHA1(modulus) for RSA, SHA1(pub) for DSA, ...). + This allows easily set up relation between 'related' objects + (private/public keys and certificates). In addition to the PEM key file format, pkcs15-init also @@ -255,12 +255,12 @@ Options - - - , - - Print the OpenSC package release version. - + + + , + + Print the OpenSC package release version. + name, @@ -287,6 +287,17 @@ + + + SERIAL + + + + Specify the serial number of the card. + + + + , @@ -301,6 +312,18 @@ + + + AID + + + + This will erase the application with the application identifier + AID. + + + + keyspec, @@ -334,8 +357,8 @@ contain one long option per line, without the leading dashes, for instance: -pin frank -puk zappa + pin 1234 + puk 87654321 @@ -369,6 +392,17 @@ puk zappa + + + , + + + + Do not install a SO PIN, and do not prompt for it. + + + + name, 
@@ -419,13 +453,25 @@ puk zappa Tells pkcs15-init to store the certificate given in on the card, creating a certificate object with the ID specified via the option. - Without supplied ID an intrinsic ID will be calculated from the - certificate's public key. Look the description of the 'pkcs15-id-style' - attribute in the 'pkcs15.profile' for the details - about the algorithm used to calculate intrinsic ID. + Without supplied ID an intrinsic ID will be calculated from the + certificate's public key. Look the description of the 'pkcs15-id-style' + attribute in the 'pkcs15.profile' for the details + about the algorithm used to calculate intrinsic ID. The file is assumed to contain the PEM encoded certificate. - For the multi-application cards the target application can be specified - by the hexadecimal AID value of the option. + For the multi-application cards the target application can be specified + by the hexadecimal AID value of the option. + + + + + + + , + + + + + Store a new PIN/PUK on the card. @@ -459,11 +505,11 @@ puk zappa formats can be specified using . It is a good idea to specify the key ID along with this command, using the option, otherwise an intrinsic ID - will be calculated from the key material. Look the description of - the 'pkcs15-id-style' attribute in the 'pkcs15.profile' for the details - about the algorithm used to calculate intrinsic ID. - For the multi-application cards the target PKCS#15 application can be - specified by the hexadecimal AID value of the option. + will be calculated from the key material. Look the description of + the 'pkcs15-id-style' attribute in the 'pkcs15.profile' for the details + about the algorithm used to calculate intrinsic ID. + For the multi-application cards the target PKCS#15 application can be + specified by the hexadecimal AID value of the option. 
@@ -478,6 +524,8 @@ puk zappa secret key to the card. The file is assumed to contain the raw key. They key type should be specified with option. + + You may additionally specify the key ID along with this command, using the option, otherwise a random ID is generated. For the multi-application cards the target PKCS#15 application can be @@ -486,6 +534,18 @@ puk zappa + + + filename, + filename + + + + Store a data object. + + + + filename, @@ -495,11 +555,62 @@ puk zappa Tells pkcs15-init to update the certificate object with the ID specified via the option - with the certificate in . + with the certificate in filename. The file is assumed to contain a PEM encoded certificate. Pay extra attention when updating mail decryption certificates, as - missing certificates can render e-mail messages unreadable! + missing certificates can render e-mail messages unreadable! + + + + + + + arg, + arg + + + + Tells pkcs15-init to delete the + specified object. arg + is comma-separated list containing any of + privkey, pubkey, + secrkey, cert, + chain or data. + + + When data is specified, an + - must also be + specified, in the other cases an + must also be specified + + + When chain is specified, the + certificate chain starting with the cert with + specified ID will be deleted, until there's a CA + certificate that certifies another cert on the card + + + + + + + arg, + arg + + + + Tells pkcs15-init to change the + specified attribute. arg + is either privkey, + pubkey, secrkey, + cert or data. + You also have to specify the + of the object. + For now, you can only change the , e.g: + + pkcs15-init -A cert --id 45 -a 1 --label Jim + @@ -517,6 +628,35 @@ puk zappa + + + , + + + + + Tells pkcs15-init to perform a + card specific sanity check and possibly update + procedure. + + + + + + + num, + num + + + + Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. + + + + , 
@@ -536,7 +676,7 @@ puk zappa Causes pkcs15-init to - wait for a card insertion. + wait for a card insertion. @@ -546,6 +686,227 @@ puk zappa Do not prompt the user; if no PINs supplied, pinpad will be used. + + + ID + + + + Specify ID of PUK to use/create + + + + + + + LABEL + + + + Specify label of PUK + + + + + + + LABEL + + + + Specify public key label (use with ) + + + + + + + LABEL + + + + Specify user cert label (use with ) + + + + + + + arg + + + + Specify application name of data object (use with ) + + + + + + + AID + + + + Specify AID of the on-card PKCS#15 application to be binded to (in hexadecimal form) + + + + + + + filename + filename, + + + + Output public portion of generated key to file + + + + + + + PASSPHRASE + + + + Specify passphrase for unlocking secret key + + + + + + + + + + + Mark certificate as a CA certificate + + + + + + + arg + arg, + + + + Specifies the X.509 key usage. + arg is comma-separated + list containing any of + digitalSignature, + nonRepudiation, + keyEncipherment, + dataEncipherment, + keyAgreement, + keyCertSign, + cRLSign. Abbreviated names are + allowed if unique (e.g. + dataEnc). + + + The alias sign is equivalent to + digitalSignature,keyCertSign,cRLSign + + + The alias decrypt is equivalent to + keyEncipherment,dataEncipherment + + + + + + + + , + + + + Finish initialization phase of the smart card + + + + + + + + + + + Update 'lastUpdate' attribute of tokenInfo + + + + + + + + + + + When storing PKCS#12 ignore CA certificates + + + + + + + + + + + Store or update existing certificate + + + + + + + + + + + Private key stored as an extractable key + + + + + + + + + + + Insecure mode: do not require a PIN for private key + + + + + + + GUID + + + + For a new key specify GUID for a MD container + + + + + + + + , + + + + Display help message + + + + diff --git a/doc/tools/pkcs15-tool.1.xml b/doc/tools/pkcs15-tool.1.xml index 78fe0b1e..a13eab83 100644 --- a/doc/tools/pkcs15-tool.1.xml +++ b/doc/tools/pkcs15-tool.1.xml 
@@ -280,9 +280,14 @@ num - Forces pkcs15-tool to use reader - number num for operations. The default is to use - reader number 0, the first reader in the system. + + + Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. + + diff --git a/doc/tools/sc-hsm-tool.1.xml b/doc/tools/sc-hsm-tool.1.xml index d560540a..ba296bdb 100644 --- a/doc/tools/sc-hsm-tool.1.xml +++ b/doc/tools/sc-hsm-tool.1.xml @@ -204,8 +204,14 @@ num, num - Use the given reader number. The default is - 0, the first reader in the system. + + + Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. + + diff --git a/doc/tools/tools.html b/doc/tools/tools.html index 2bcfba6d..882eff0e 100644 --- a/doc/tools/tools.html +++ b/doc/tools/tools.html @@ -43,7 +43,7 @@ span.errortext { font-style: italic; } - -->

OpenSC Manuals


OpenSC tools


Table of Contents

cardos-tool — displays information about Card OS-based security tokens or format them + -->

OpenSC Manuals


OpenSC tools


Table of Contents

cardos-tool — displays information about Card OS-based security tokens or format them
cryptoflex-tool — utility for manipulating Schlumberger Cryptoflex data structures
dnie-tool — displays information about DNIe based security tokens
eidenv — utility for accessing visible data from electronic identity cards
gids-tool — smart card utility for GIDS cards
netkey-tool — administrative utility for Netkey E4 cards
iasecc-tool — displays information about IAS/ECC card
openpgp-tool — utility for accessing visible data OpenPGP smart cards @@ -70,8 +70,12 @@ smart cards and similar security tokens based on Siemens Card/OS M4.

Display information about the card or token.

--reader number, -r number -

Specify the reader number number to use. - The default is reader 0.

+

+ Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. +

--verbose, -v

Causes cardos-tool to be more verbose. @@ -80,12 +84,12 @@ smart cards and similar security tokens based on Siemens Card/OS M4. -w

Causes cardos-tool to wait for the token to be inserted into reader.

-


Name

cryptoflex-tool — utility for manipulating Schlumberger Cryptoflex data structures

Synopsis

cryptoflex-tool [OPTIONS]

Description

+


Name

cryptoflex-tool — utility for manipulating Schlumberger Cryptoflex data structures

Synopsis

cryptoflex-tool [OPTIONS]

Description

cryptoflex-tool is used to manipulate PKCS data structures on Schlumberger Cryptoflex smart cards. Users can create, list and read PINs and keys stored on the smart card. User PIN authentication is performed for those operations that require it. -

Options

+

Options

--app-df num, -a num @@ -122,15 +126,19 @@ smart cards and similar security tokens based on Siemens Card/OS M4. -u id

Specifies the public key file id, id, to use

- --read-key + --read-key, + -R

Reads a public key from the card, allowing the user to extract and store or use the public key

--reader num, -r num -

Forces cryptoflex-tool to use - reader number num for operations. The default - is to use reader number 0, the first reader in the system.

+

+ Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. +

--verbose, -v

Causes cryptoflex-tool to be more @@ -138,12 +146,16 @@ smart cards and similar security tokens based on Siemens Card/OS M4. the opensc library.

--verify-pin, -V -

Verifies CHV1 before issuing commands

-

See also

+

Verifies CHV1 before issuing commands

+ --wait, + -w +

Causes cryptoflex-tool to + wait for a card insertion.

+

See also

pkcs15-tool(1) -


Name

dnie-tool — displays information about DNIe based security tokens

Synopsis

dnie-tool [OPTIONS]

Description

+


Name

dnie-tool — displays information about DNIe based security tokens

Synopsis

dnie-tool [OPTIONS]

Description

The dnie-tool utility is used to display additional information about DNIe, the Spanish National eID card. -

Options

+

Options

--idesp, -i @@ -173,8 +185,12 @@ smart cards and similar security tokens based on Siemens Card/OS M4. The default is do not enter pin

--reader number, -r number -

Specify the reader number to use. - The default is reader 0.

+

+ Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. +

--driver driver, -c driver

Specify the card driver driver to use. @@ -187,16 +203,16 @@ smart cards and similar security tokens based on Siemens Card/OS M4.

Causes dnie-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

-

See also

opensc(7)

Authors

dnie-tool was written by +

See also

opensc(7)

Authors

dnie-tool was written by Juan Antonio Martinez .


Name

eidenv — utility for accessing visible data from - electronic identity cards

Synopsis

eidenv [OPTIONS]

Description

+ electronic identity cards

Synopsis

eidenv [OPTIONS]

Description

The eidenv utility is used for accessing data from electronic identity cards (like national eID cards) which might not be present in PKCS#15 objects but available in custom files on the card. The data can be printed on screen or used by other programs via environment variables. -

Options

+

Options

--exec prog, -x prog @@ -213,8 +229,11 @@ to enable debug output in the opensc library.

--reader num, -r num

- Use the given reader. The default is the first reader with a card. -

+ Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. +

--stats, -t

Prints key usage statistics @@ -226,11 +245,11 @@ to enable debug output in the opensc library.

--wait, -w

Wait for a card to be inserted

-

Authors

eidenv utility was written by - Stef Hoeben and Martin Paljak .


Name

gids-tool — smart card utility for GIDS cards

Synopsis

gids-tool [OPTIONS]

+

Authors

eidenv utility was written by + Stef Hoeben and Martin Paljak .


Name

gids-tool — smart card utility for GIDS cards

Synopsis

gids-tool [OPTIONS]

The gids-tool utility can be used from the command line to perform miscellaneous smart card operations on a GIDS smart card. -

Options

+

Options

-X, --initialize @@ -252,8 +271,12 @@ to enable debug output in the opensc library.

Define the new administrator key.

--reader argument, -r argument -

Uses reader number - argument.

+

+ Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. +

-w, --wait

Wait for a card to be inserted.

@@ -261,13 +284,13 @@ to enable debug output in the opensc library.

--verbose

Verbose operation. Use several times to enable debug output.

-

See also

+

See also

opensc-tool(1) -


Name

netkey-tool — administrative utility for Netkey E4 cards

Synopsis

netkey-tool [OPTIONS] [COMMAND]

Description

The netkey-tool utility can be used from the +


Name

netkey-tool — administrative utility for Netkey E4 cards

Synopsis

netkey-tool [OPTIONS] [COMMAND]

Description

The netkey-tool utility can be used from the command line to perform some smart card operations with NetKey E4 cards that cannot be done easily with other OpenSC-tools, such as changing local PINs, storing certificates into empty NetKey E4 cert-files or displaying - the initial PUK-value.

Options

+ the initial PUK-value.

Options

--help, -h @@ -286,15 +309,20 @@ to enable debug output in the opensc library.

Specifies the current value of the local PIN1 (aka local PUK).

--reader number, -r number -

Use smart card in specified reader. Default is reader 0.

+

+ Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. +

-v

Causes netkey-tool to be more verbose. This options may be specified multiple times to increase verbosity.

-

PIN format

With the -p, -u, -0 or the -1 +

PIN format

With the -p, -u, -0 or the -1 one of the cards pins may be specified. You may use plain ascii-strings (i.e. 123456) or a hex-string (i.e. 31:32:33:34:35:36). A hex-string must consist of exactly n 2-digit hexnumbers separated by n-1 colons. Otherwise it will be interpreted as an ascii string. For example :12:34: and 1:2:3:4 are both pins of - length 7, while 12:34 and 01:02:03:04 are pins of length 2 and 4.

Commands

When used without any options or commands, netkey-tool will + length 7, while 12:34 and 01:02:03:04 are pins of length 2 and 4.

Commands

When used without any options or commands, netkey-tool will display information about the smart cards pins and certificates. This will not change your card in any aspect (assumed there are no bugs in netkey-tool). In particular the tries-left counters of the pins are investigated without doing @@ -336,17 +364,21 @@ to enable debug output in the opensc library.

This unblocks the specified pin. You must specify another pin to be able to do this and if you don't specify a correct one, netkey-tool will tell you which one is needed.

-

See also

+

See also

opensc-explorer(1) -

Authors

netkey-tool was written by +

Authors

netkey-tool was written by Peter Koch .


Name

iasecc-tool — displays information about IAS/ECC card -

Synopsis

iasecc-tool [OPTIONS]

Description

+

Synopsis

iasecc-tool [OPTIONS]

Description

The iasecc-tool utility is used to display information about IAS/ECC v1.0.1 smart cards. -

Options

+

Options

--reader number, -

Specify the reader number number to use. - The default is reader 0.

+

+ Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. +

--list-applications,

Get list of the on-card applications.

--aid hex-aid, @@ -363,7 +395,7 @@ to enable debug output in the opensc library.

Causes iasecc-tool to wait for the token to be inserted into reader.


Name

openpgp-tool — utility for accessing visible data OpenPGP smart cards - and compatible tokens

Synopsis

openpgp-tool [OPTIONS]

Description

+ and compatible tokens

Synopsis

openpgp-tool [OPTIONS]

Description

The openpgp-tool utility is used for accessing data from the OpenPGP v1.1 and v2.0 smart cards and compatible tokens like e.g. GPF CryptoStick v1.x, @@ -371,7 +403,7 @@ to enable debug output in the opensc library.

PKCS#15 objects but available in custom files on the card. The data can be printed on screen or used by other programs via environment variables. -

Options

+

Options

--exec prog, -x prog @@ -399,8 +431,11 @@ to enable debug output in the opensc library.

--reader num, -r num

- Use the given reader. The default is the first reader with a card. -

+ Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. +

--verify pintype

Verify PIN (CHV1, CHV2 or CHV3). @@ -437,12 +472,12 @@ to enable debug output in the opensc library.

Wait for a card to be inserted.

-

Authors

openpgp-tool utility was written by - Peter Marschall .


Name

netkey-tool — administrative utility for Netkey E4 cards

Synopsis

netkey-tool [OPTIONS] [COMMAND]

Description

The netkey-tool utility can be used from the +

Authors

openpgp-tool utility was written by + Peter Marschall .


Name

netkey-tool — administrative utility for Netkey E4 cards

Synopsis

netkey-tool [OPTIONS] [COMMAND]

Description

The netkey-tool utility can be used from the command line to perform some smart card operations with NetKey E4 cards that cannot be done easily with other OpenSC-tools, such as changing local PINs, storing certificates into empty NetKey E4 cert-files or displaying - the initial PUK-value.

Options

+ the initial PUK-value.

Options

--help, -h @@ -461,15 +496,20 @@ to enable debug output in the opensc library.

Specifies the current value of the local PIN1 (aka local PUK).

--reader number, -r number -

Use smart card in specified reader. Default is reader 0.

+

+ Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. +

-v

Causes netkey-tool to be more verbose. This options may be specified multiple times to increase verbosity.

-

PIN format

With the -p, -u, -0 or the -1 +

PIN format

With the -p, -u, -0 or the -1 one of the cards pins may be specified. You may use plain ascii-strings (i.e. 123456) or a hex-string (i.e. 31:32:33:34:35:36). A hex-string must consist of exactly n 2-digit hexnumbers separated by n-1 colons. Otherwise it will be interpreted as an ascii string. For example :12:34: and 1:2:3:4 are both pins of - length 7, while 12:34 and 01:02:03:04 are pins of length 2 and 4.

Commands

When used without any options or commands, netkey-tool will + length 7, while 12:34 and 01:02:03:04 are pins of length 2 and 4.

Commands

When used without any options or commands, netkey-tool will display information about the smart cards pins and certificates. This will not change your card in any aspect (assumed there are no bugs in netkey-tool). In particular the tries-left counters of the pins are investigated without doing @@ -511,11 +551,11 @@ to enable debug output in the opensc library.

This unblocks the specified pin. You must specify another pin to be able to do this and if you don't specify a correct one, netkey-tool will tell you which one is needed.

-

See also

+

See also

opensc-explorer(1) -

Authors

netkey-tool was written by +

Authors

netkey-tool was written by Peter Koch .


Name

openpgp-tool — utility for accessing visible data OpenPGP smart cards - and compatible tokens

Synopsis

openpgp-tool [OPTIONS]

Description

+ and compatible tokens

Synopsis

openpgp-tool [OPTIONS]

Description

The openpgp-tool utility is used for accessing data from the OpenPGP v1.1 and v2.0 smart cards and compatible tokens like e.g. GPF CryptoStick v1.x, @@ -523,7 +563,7 @@ to enable debug output in the opensc library.

PKCS#15 objects but available in custom files on the card. The data can be printed on screen or used by other programs via environment variables. -

Options

+

Options

--exec prog, -x prog @@ -551,8 +591,11 @@ to enable debug output in the opensc library.

--reader num, -r num

- Use the given reader. The default is the first reader with a card. -

+ Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. +

--verify pintype

Verify PIN (CHV1, CHV2 or CHV3). @@ -589,12 +632,12 @@ to enable debug output in the opensc library.

Wait for a card to be inserted.

-

Authors

openpgp-tool utility was written by - Peter Marschall .


Name

opensc-tool — generic smart card utility

Synopsis

opensc-tool [OPTIONS]

Description

+

Authors

openpgp-tool utility was written by + Peter Marschall .


Name

opensc-tool — generic smart card utility

Synopsis

opensc-tool [OPTIONS]

Description

The opensc-tool utility can be used from the command line to perform miscellaneous smart card operations such as getting the card ATR or sending arbitrary APDU commands to a card. -

Options

+

Options

--version,

Print the OpenSC package release version.

@@ -606,6 +649,8 @@ to enable debug output in the opensc library.

-c driver

Use the given card driver. The default is auto-detected.

+ --list-algorithms, +

Lists algorithms supported by card

--info, -i

Print information about OpenSC, such as version and enabled components.

@@ -621,10 +666,20 @@ to enable debug output in the opensc library.

--name, -n

Print the name of the inserted card (driver).

+ --get-conf-entry conf, + -G conf +

Get configuration key, format: section:name:key

+ --set-conf-entry conf, + -S conf +

Get configuration key, format: section:name:key:value

--reader num, -r num -

Use the given reader number. - The default is 0, the first reader in the system.

+

+ Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. +

--reset[=type],

Resets the card in reader. The default reset type is cold, but warm reset is also possible.

@@ -642,17 +697,17 @@ to enable debug output in the opensc library.

--wait, -w

Wait for a card to be inserted.

-

See also

+

See also

opensc-explorer(1)


Name

opensc-explorer — generic interactive utility for accessing smart card and similar security token functions -

Synopsis

opensc-explorer [OPTIONS] [SCRIPT]

Description

+

Synopsis

opensc-explorer [OPTIONS] [SCRIPT]

Description

The opensc-explorer utility can be used interactively to perform miscellaneous operations such as exploring the contents of or sending arbitrary APDU commands to a smart card or similar security token. -

Options

+

Options

The following are the command-line options for opensc-explorer. There are additional interactive commands available once it is running. @@ -674,9 +729,11 @@ to enable debug output in the opensc library.

--reader num, -r num

- Use the given reader number. The default - is 0, the first reader in the system. -

+ Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. +

--verbose, -v

Causes opensc-explorer to be more @@ -685,7 +742,7 @@ to enable debug output in the opensc library.

--wait, -w

Wait for a card to be inserted

-

Commands

+

Commands

The following commands are supported at opensc-explorer's interactive prompt or in script files passed via the command line parameter SCRIPT. @@ -859,15 +916,15 @@ to enable debug output in the opensc library.

sm [open]|[close]

Calls the card's open or close Secure Messaging handler.

-

See also

+

See also

opensc-tool(1) -


Name

piv-tool — smart card utility for HSPD-12 PIV cards

Synopsis

piv-tool [OPTIONS]

+


Name

piv-tool — smart card utility for HSPD-12 PIV cards

Synopsis

piv-tool [OPTIONS]

The piv-tool utility can be used from the command line to perform miscellaneous smart card operations on a HSPD-12 PIV smart card as defined in NIST 800-73-3. It is intended for use with test cards only. It can be used to load objects, and generate key pairs, as well as send arbitrary APDU commands to a card after having authenticated to the card using the card key provided by the card vendor. -

Options

+

Options

--serial

Print the card serial number derived from the CHUID object, @@ -906,7 +963,7 @@ to enable debug output in the opensc library.

without leading 0x. Example: CHUID object is 3000

--cert ref, - -s ref + -C ref

Load a certificate onto the card. ref is 9A, 9C, 9D or @@ -935,8 +992,12 @@ to enable debug output in the opensc library.

This option may be repeated.

--reader num, -r num -

Use the given reader number. The default is - 0, the first reader in the system.

+

+ Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. +

--card-driver driver, -c driver

Use the given card driver. @@ -949,15 +1010,15 @@ to enable debug output in the opensc library.

Causes piv-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

-

See also

+

See also

opensc-tool(1) -


Name

pkcs11-tool — utility for managing and using PKCS #11 security tokens

Synopsis

pkcs11-tool [OPTIONS]

Description

+


Name

pkcs11-tool — utility for managing and using PKCS #11 security tokens

Synopsis

pkcs11-tool [OPTIONS]

Description

The pkcs11-tool utility is used to manage the data objects on smart cards and similar PKCS #11 security tokens. Users can list and read PINs, keys and certificates stored on the token. User PIN authentication is performed for those operations that require it. -

Options

+

Options

--attr-from filename

Extract information from filename @@ -1182,7 +1243,7 @@ to enable debug output in the opensc library.

--generate-random num

Get num bytes of random data.

-

Examples

+

Examples

To list all certificates on the smart card:

pkcs11-tool --list-objects --type cert

@@ -1198,12 +1259,12 @@ to enable debug output in the opensc library.

using the private key with ID ID and using the RSA-PKCS mechanism:

pkcs11-tool --sign --id ID --mechanism RSA-PKCS --input-file data --output-file data.sig

-


Name

pkcs15-crypt — perform crypto operations using PKCS#15 smart cards

Synopsis

pkcs15-crypt [OPTIONS]

Description

+


Name

pkcs15-crypt — perform crypto operations using PKCS#15 smart cards

Synopsis

pkcs15-crypt [OPTIONS]

Description

The pkcs15-crypt utility can be used from the command line to perform cryptographic operations such as computing digital signatures or decrypting data, using keys stored on a PKCS#15 compliant smart card. -

Options

+

Options

--version,

Print the OpenSC package release version.

@@ -1255,14 +1316,21 @@ to enable debug output in the opensc library.

Outputs raw 8 bit data.

--reader N, -r N -

Selects the N-th smart - card reader configured by the system. If unspecified, - pkcs15-crypt will use the first reader - found.

+

+ Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. +

+ --md5 --sha-1 -

This option tells pkcs15-crypt - that the input file is the result of an SHA1 hash operation, - rather than an MD5 hash. Again, the data must be in binary + --sha-224 + --sha-256 + --sha-384 + --sha-512 +

These options tell pkcs15-crypt + that the input file is the result of the specified hash operation. + By default, an MD5 hash is expected. Again, the data must be in binary representation.

--sign, -s @@ -1284,22 +1352,26 @@ to enable debug output in the opensc library.

Possible values are 'rs'(default) -- two concatenated integers (PKCS#11), 'sequence' or 'openssl' -- DER encoded sequence of two integers (OpenSSL).

+ --wait, + -w +

Causes pkcs15-crypt to + wait for a card insertion.

--verbose, -v

Causes pkcs15-crypt to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.

-

See also

+

See also

pkcs15-init(1), pkcs15-tool(1) -


Name

pkcs15-init — smart card personalization utility

Synopsis

pkcs15-init [OPTIONS]

Description

+


Name

pkcs15-init — smart card personalization utility

Synopsis

pkcs15-init [OPTIONS]

Description

The pkcs15-init utility can be used to create a PKCS #15 structure on a smart card, and add key or certificate objects. Details of the structure that will be created are controlled via profiles.

The profile used by default is pkcs15. Alternative profiles can be specified via the -p switch. -

PIN Usage

+

PIN Usage

pkcs15-init can be used to create a PKCS #15 structure on your smart card, create PINs, and install keys and certificates on the card. This process is also called personalization. @@ -1331,7 +1403,7 @@ to enable debug output in the opensc library.

are protected and cannot be parsed without authentication (usually with User PIN). This authentication need to be done immediately after the card binding. In such cases --verify-pin has to be used. -

Modes of operation

Initialization

This is the first step during card personalization, and will create the +

Modes of operation

Initialization

This is the first step during card personalization, and will create the basic files on the card. To create the initial PKCS #15 structure, invoke the utility as

@@ -1341,7 +1413,7 @@ to enable debug output in the opensc library.

If the card supports it, you should erase the contents of the card with pkcs15-init --erase-card before creating the PKCS#15 structure. -

User PIN Installation

+

User PIN Installation

Before installing any user objects such as private keys, you need at least one PIN to protect these objects. you can do this using

@@ -1355,7 +1427,7 @@ to enable debug output in the opensc library.

To set a label for this PIN object (which can be used by applications to display a meaningful prompt to the user), use the --label command line option. -

Key generation

+

Key generation

pkcs15-init lets you generate a new key and store it on the card. You can do this using:

@@ -1373,7 +1445,7 @@ to enable debug output in the opensc library.

In addition to storing the private portion of the key on the card, pkcs15-init will also store the the public portion of the key as a PKCS #15 public key object. -

Private Key Upload

+

Private Key Upload

You can use a private key generated by other means and upload it to the card. For instance, to upload a private key contained in a file named okir.pem, which is in PEM format, you would use @@ -1385,11 +1457,11 @@ to enable debug output in the opensc library.

key as a PKCS #15 public key object.

Note that usage of --id option in the pkcs15-init - commands to generate or to import a new key is deprecated. - Better practice is to let the middleware to derive the identifier from the key material. - (SHA1(modulus) for RSA, SHA1(pub) for DSA, ...). - This allows easily set up relation between 'related' objects - (private/public keys and certificates). + commands to generate or to import a new key is deprecated. + Better practice is to let the middleware to derive the identifier from the key material. + (SHA1(modulus) for RSA, SHA1(pub) for DSA, ...). + This allows easily set up relation between 'related' objects + (private/public keys and certificates).

In addition to the PEM key file format, pkcs15-init also supports DER encoded keys, and PKCS #12 files. The latter is the file format @@ -1397,7 +1469,7 @@ to enable debug output in the opensc library.

a file. A PKCS #12 file usually contains the X.509 certificate corresponding to the private key. If that is the case, pkcs15-init will store the certificate instead of the public key portion. -

Public Key Upload

+

Public Key Upload

You can also upload individual public keys to the card using the --store-public-key option, which takes a filename as an argument. This file is supposed to contain the public key. If you don't @@ -1408,12 +1480,12 @@ to enable debug output in the opensc library.

Since the corresponding public keys are always uploaded automatically when generating a new key, or when uploading a private key, you will probably use this option only very rarely. -

Certificate Upload

+

Certificate Upload

You can upload certificates to the card using the --store-certificate option, which takes a filename as an argument. This file is supposed to contain the PEM encoded X.509 certificate. -

Uploading PKCS #12 bags

+

Uploading PKCS #12 bags

Most browsers nowadays use PKCS #12 format files when you ask them to export your key and certificate to a file. pkcs15-init is capable of parsing these files, and storing their contents on the @@ -1427,7 +1499,7 @@ to enable debug output in the opensc library.

and protect it with the PIN referenced by authentication ID 01. It will also store any X.509 certificates contained in the file, which is usually the user certificate that goes with the key, as well as the CA certificate. -

Secret Key Upload

+

Secret Key Upload

You can use a secret key generated by other means and upload it to the card. For instance, to upload an AES-secret key generated by the system random generator you would use @@ -1436,10 +1508,10 @@ to enable debug output in the opensc library.

By default a random ID is generated for the secret key. You may specify an ID with the --id if needed. -

Options

+

Options

- --version, -

Print the OpenSC package release version.

+ --version, +

Print the OpenSC package release version.

--card-profile name, -c name

@@ -1452,6 +1524,10 @@ to enable debug output in the opensc library.

This tells pkcs15-init to create a PKCS #15 structure on the card, and initialize any PINs.

+ --serial SERIAL +

+ Specify the serial number of the card. +

--erase-card, -E

@@ -1459,6 +1535,11 @@ to enable debug output in the opensc library.

if the card supports it. If the card does not support erasing, pkcs15-init will fail.

+ --erase-application AID +

+ This will erase the application with the application identifier + AID. +

--generate-key keyspec, -G keyspec

@@ -1468,11 +1549,11 @@ to enable debug output in the opensc library.

optionally followed by a slash and the length of the key in bits. It is a good idea to specify the key ID along with this command, using the id option, otherwise an intrinsic ID - will be calculated from the key material. Look the description of - the 'pkcs15-id-style' attribute in the 'pkcs15.profile' for the details - about the algorithm used to calculate intrinsic ID. - For the multi-application cards the target PKCS#15 application can be - specified by the hexadecimal AID value of the aid option. + will be calculated from the key material. Look the description of + the 'pkcs15-id-style' attribute in the 'pkcs15.profile' for the details + about the algorithm used to calculate intrinsic ID. + For the multi-application cards the target PKCS#15 application can be + specified by the hexadecimal AID value of the aid option.

--options-file filename

@@ -1480,10 +1561,10 @@ to enable debug output in the opensc library.

from filename. The file is supposed to contain one long option per line, without the leading dashes, for instance: -

-	pin		frank
-	puk		zappa
-

+

+								pin		1234
+								puk		87654321
+							

You can specify --options-file several times.

@@ -1505,6 +1586,10 @@ to enable debug output in the opensc library.

options file specified with --options-file.

+ --no-so-pin, +

+ Do not install a SO PIN, and do not prompt for it. +

--profile name, -p name

@@ -1535,13 +1620,18 @@ to enable debug output in the opensc library.

Tells pkcs15-init to store the certificate given in filename on the card, creating a certificate object with the ID specified via the --id option. - Without supplied ID an intrinsic ID will be calculated from the - certificate's public key. Look the description of the 'pkcs15-id-style' - attribute in the 'pkcs15.profile' for the details - about the algorithm used to calculate intrinsic ID. + Without supplied ID an intrinsic ID will be calculated from the + certificate's public key. Look the description of the 'pkcs15-id-style' + attribute in the 'pkcs15.profile' for the details + about the algorithm used to calculate intrinsic ID. The file is assumed to contain the PEM encoded certificate. - For the multi-application cards the target application can be specified - by the hexadecimal AID value of the aid option. + For the multi-application cards the target application can be specified + by the hexadecimal AID value of the aid option. +

+ --store-pin, + -P +

+ Store a new PIN/PUK on the card.

--store-public-key filename

@@ -1561,11 +1651,11 @@ to enable debug output in the opensc library.

formats can be specified using --format. It is a good idea to specify the key ID along with this command, using the --id option, otherwise an intrinsic ID - will be calculated from the key material. Look the description of - the 'pkcs15-id-style' attribute in the 'pkcs15.profile' for the details - about the algorithm used to calculate intrinsic ID. - For the multi-application cards the target PKCS#15 application can be - specified by the hexadecimal AID value of the aid option. + will be calculated from the key material. Look the description of + the 'pkcs15-id-style' attribute in the 'pkcs15.profile' for the details + about the algorithm used to calculate intrinsic ID. + For the multi-application cards the target PKCS#15 application can be + specified by the hexadecimal AID value of the aid option.

--store-secret-key filename,

@@ -1573,20 +1663,61 @@ to enable debug output in the opensc library.

secret key to the card. The file is assumed to contain the raw key. They key type should be specified with --secret-key-algorithm option. +

You may additionally specify the key ID along with this command, using the --id option, otherwise a random ID is generated. For the multi-application cards the target PKCS#15 application can be specified by the hexadecimal AID value of the aid option.

+ --store-data filename, + -W filename +

+ Store a data object. +

--update-certificate filename, -U filename

Tells pkcs15-init to update the certificate object with the ID specified via the --id option - with the certificate in filename. + with the certificate in filename. The file is assumed to contain a PEM encoded certificate.

Pay extra attention when updating mail decryption certificates, as - missing certificates can render e-mail messages unreadable! + missing certificates can render e-mail messages unreadable! +

+ --delete-objects arg, + -D arg +

+ Tells pkcs15-init to delete the + specified object. arg + is comma-separated list containing any of + privkey, pubkey, + secrkey, cert, + chain or data. +

+ When data is specified, an + ---application-id must also be + specified, in the other cases an + --id must also be specified +

+ When chain is specified, the + certificate chain starting with the cert with + specified ID will be deleted, until there's a CA + certificate that certifies another cert on the card +

+ --change-attributes arg, + -A arg +

+ Tells pkcs15-init to change the + specified attribute. arg + is either privkey, + pubkey, secrkey, + cert or data. + You also have to specify the --id + of the object. + For now, you can only change the --label, e.g: +

+								pkcs15-init -A cert --id 45 -a 1 --label Jim
+							

--use-default-transport-keys, -T @@ -1594,24 +1725,136 @@ to enable debug output in the opensc library.

Tells pkcs15-init to not ask for the transport keys and use default keys, as known by the card driver.

+ --sanity-check, + -T +

+ Tells pkcs15-init to perform a + card specific sanity check and possibly update + procedure. +

+ --reader num, + -r num +

+ Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. +

--verbose, -v

Causes pkcs15-init to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.

+ --wait, + -w +

Causes pkcs15-init to + wait for a card insertion.

--use-pinpad -

Do not prompt the user; if no PINs supplied, pinpad will be used.

-

See also

+

Do not prompt the user; if no PINs supplied, pinpad will be used.

+ --puk-id ID +

+ Specify ID of PUK to use/create +

+ --puk-label LABEL +

+ Specify label of PUK +

+ --public-key-label LABEL +

+ Specify public key label (use with --generate-key) +

+ --cert-label LABEL +

+ Specify user cert label (use with --store-private-key) +

+ --application-name arg +

+ Specify application name of data object (use with --store-data-object) +

+ --aid AID +

+ Specify AID of the on-card PKCS#15 application to be binded to (in hexadecimal form) +

+ --output-file filename + -o filename, +

+ Output public portion of generated key to file +

+ --passphrase PASSPHRASE +

+ Specify passphrase for unlocking secret key +

+ --authority +

+ Mark certificate as a CA certificate +

+ --key-usage arg + -u arg, +

+ Specifies the X.509 key usage. + arg is comma-separated + list containing any of + digitalSignature, + nonRepudiation, + keyEncipherment, + dataEncipherment, + keyAgreement, + keyCertSign, + cRLSign. Abbreviated names are + allowed if unique (e.g. + dataEnc). +

+ The alias sign is equivalent to + digitalSignature,keyCertSign,cRLSign +

+ The alias decrypt is equivalent to + keyEncipherment,dataEncipherment +

+ --finalize + -F, +

+ Finish initialization phase of the smart card +

+ --update-last-update +

+ Update 'lastUpdate' attribute of tokenInfo +

+ --ignore-ca-certificates +

+ When storing PKCS#12 ignore CA certificates +

+ --update-existing +

+ Store or update existing certificate +

+ --extractable +

+ Private key stored as an extractable key +

+ --insecure +

+ Insecure mode: do not require a PIN for private key +

+ --md-container-guid GUID +

+ For a new key specify GUID for a MD container +

+ --help + -h, +

+ Display help message +

+

See also

pkcs15-profile(5)


Name

pkcs15-tool — utility for manipulating PKCS #15 data structures - on smart cards and similar security tokens

Synopsis

pkcs15-tool [OPTIONS]

Description

+ on smart cards and similar security tokens

Synopsis

pkcs15-tool [OPTIONS]

Description

The pkcs15-tool utility is used to manipulate the PKCS #15 data structures on smart cards and similar security tokens. Users can list and read PINs, keys and certificates stored on the token. User PIN authentication is performed for those operations that require it. -

Options

+

Options

--version,

Print the OpenSC package release version.

@@ -1628,8 +1871,10 @@ to enable debug output in the opensc library.

--dump, -D

List all card objects.

+ --list-info +

List card objects.

--list-applications -

List the on-card PKCS#15 applications

+

List the on-card PKCS#15 applications.

--list-certificates, -c

List all certificates stored on the token.

@@ -1647,6 +1892,13 @@ to enable debug output in the opensc library.

algorithm). Actual private key values are not displayed. For some cards the PKCS#15 attributes of the private keys are protected for reading and need the authentication with the User PIN. + In such a case the --verify-pin option has to be used.

+ --list-secret-keys +

List all secret (symmetric) keys stored on the token. General + information about each secret key is listed (eg. key name, id and + algorithm). Actual secret key values are not displayed. + For some cards the PKCS#15 attributes of the private keys are protected for reading + and need the authentication with the User PIN. In such a case the --verify-pin option has to be used.

--list-pins

List all PINs stored on the token. General information @@ -1703,10 +1955,19 @@ to enable debug output in the opensc library.

--rfc4716

When used in conjunction with option --read-ssh-key the output format of the public key follows rfc4716.

The default output format is a single line (openssh).

+ --test-update, + -T, +

Test if the card needs a security update

+ --update, + -U, +

Update the card with a security update

--reader num -

Forces pkcs15-tool to use reader - number num for operations. The default is to use - reader number 0, the first reader in the system.

+

+ Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. +

--unblock-pin, -u

Unblocks a PIN stored on the token. Knowledge of the @@ -1716,20 +1977,33 @@ to enable debug output in the opensc library.

Causes pkcs15-tool to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.

+ --pin PIN +

Specify PIN

+ --puk PUK +

Specify Unblock PIN

+ --new-pin PIN +

Specify New PIN (when changing or unblocking)

--verify-pin

Verify PIN after card binding and before issuing any command (without 'auth-id' the first non-SO, non-Unblock PIN will be verified)

+ --test-session-pin +

Equivalent to --verify-pin + with additional session PIN generation

+ --wait, + -w +

Causes pkcs15-tool to + wait for a card insertion.

--use-pinpad

Do not prompt the user; if no PINs supplied, pinpad will be used.

-

See also

+

See also

pkcs15-init(1), pkcs15-crypt(1) -


Name

sc-hsm-tool — smart card utility for SmartCard-HSM

Synopsis

sc-hsm-tool [OPTIONS]

+


Name

sc-hsm-tool — smart card utility for SmartCard-HSM

Synopsis

sc-hsm-tool [OPTIONS]

The sc-hsm-tool utility can be used from the command line to perform extended maintenance tasks not available via PKCS#11 or other tools in the OpenSC package. It can be used to query the status of a SmartCard-HSM, initialize a device, generate and import Device Key Encryption Key (DKEK) shares and to wrap and unwrap keys. -

Options

+

Options

--initialize, -X @@ -1787,8 +2061,12 @@ to enable debug output in the opensc library.

Define the token label to be used in --initialize.

--reader num, -r num -

Use the given reader number. The default is - 0, the first reader in the system.

+

+ Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. +

--wait, -w

Wait for a card to be inserted

@@ -1797,15 +2075,15 @@ to enable debug output in the opensc library.

Causes sc-hsm-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

-

Examples

Create a DKEK share:

sc-hsm-tool --create-dkek-share dkek-share-1.pbe

Create a DKEK share with random password split up using a (3, 5) threshold scheme:

sc-hsm-tool --create-dkek-share dkek-share-1.pbe --pwd-shares-threshold 3 --pwd-shares-total 5

Initialize SmartCard-HSM to use a single DKEK share:

sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 --dkek-shares 1 --label mytoken

Import DKEK share:

sc-hsm-tool --import-dkek-share dkek-share-1.pbe

Import DKEK share using a password split up using a (3, 5) threshold scheme for encryption:

sc-hsm-tool --import-dkek-share dkek-share-1.pbe --pwd-shares-total 3

Wrap referenced key, description and certificate:

sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1 --pin 648219

Unwrap key into same or in different SmartCard-HSM with the same DKEK:

sc-hsm-tool --unwrap-key wrap-key.bin --key-reference 10 --pin 648219 --force

See also

+

Examples

Create a DKEK share:

sc-hsm-tool --create-dkek-share dkek-share-1.pbe

Create a DKEK share with random password split up using a (3, 5) threshold scheme:

sc-hsm-tool --create-dkek-share dkek-share-1.pbe --pwd-shares-threshold 3 --pwd-shares-total 5

Initialize SmartCard-HSM to use a single DKEK share:

sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 --dkek-shares 1 --label mytoken

Import DKEK share:

sc-hsm-tool --import-dkek-share dkek-share-1.pbe

Import DKEK share using a password split up using a (3, 5) threshold scheme for encryption:

sc-hsm-tool --import-dkek-share dkek-share-1.pbe --pwd-shares-total 3

Wrap referenced key, description and certificate:

sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1 --pin 648219

Unwrap key into same or in different SmartCard-HSM with the same DKEK:

sc-hsm-tool --unwrap-key wrap-key.bin --key-reference 10 --pin 648219 --force

See also

opensc-tool(1)


Name

westcos-tool — utility for manipulating data structures - on westcos smart cards

Synopsis

westcos-tool [OPTIONS]

Description

+ on westcos smart cards

Synopsis

westcos-tool [OPTIONS]

Description

The westcos-tool utility is used to manipulate the westcos data structures on 2 Ko smart cards / tokens. Users can create PINs, keys and certificates stored on the card / token. User PIN authentication is performed for those operations that require it. -

Options

+

Options

--change-pin, -n @@ -1865,8 +2143,11 @@ to enable debug output in the opensc library.

--reader num, -r num

- Use the given reader. The default is the first reader with a card. -

+ Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. +

--unblock-pin, -u

Unblocks a PIN stored on the card. Knowledge of the @@ -1884,8 +2165,8 @@ to enable debug output in the opensc library.

from disk to card. On the card the file is written in filename. User authentication is required for this operation.

-

Authors

westcos-tool was written by - Francois Leblanc .

OpenSC file formats


Table of Contents

pkcs15-profile — format of profile for pkcs15-init

Name

pkcs15-profile — format of profile for pkcs15-init

Description

+

Authors

westcos-tool was written by + Francois Leblanc .

OpenSC file formats


Table of Contents

pkcs15-profile — format of profile for pkcs15-init

Name

pkcs15-profile — format of profile for pkcs15-init

Description

The pkcs15-init utility for PKCS #15 smart card personalization is controlled via profiles. When starting, it will read two such profiles at the moment, a generic application profile, and a card @@ -1901,10 +2182,10 @@ to enable debug output in the opensc library.

The card specific profile contains additional information required during card initialization, such as location of PIN files, key references etc. Profiles currently reside in @pkgdatadir@ -

Syntax

+

Syntax

This section should contain information about the profile syntax. Will add this soonishly. -

See also

+

See also

pkcs15-init(1), pkcs15-crypt(1)

diff --git a/doc/tools/westcos-tool.1.xml b/doc/tools/westcos-tool.1.xml index d0a4cd47..f671d8ce 100644 --- a/doc/tools/westcos-tool.1.xml +++ b/doc/tools/westcos-tool.1.xml @@ -151,9 +151,14 @@ num, num - - Use the given reader. The default is the first reader with a card. - + + + Specify the reader to use. By default, the first + reader with a present card is used. If + num is an ATR, the + reader with a matching card will be chosen. + +
diff --git a/src/tools/pkcs15-init.c b/src/tools/pkcs15-init.c
index 06919747..1ce79f45 100644
--- a/src/tools/pkcs15-init.c
+++ b/src/tools/pkcs15-init.c
@@ -2574,7 +2574,7 @@ parse_objects(const char *list, unsigned int action)
 }
 }
 if (del_flags[n].name == NULL) {
- fprintf(stderr, "Unknown argument for --delete_objects: %.*s\n", len, list);
+ fprintf(stderr, "Unknown argument for --delete-objects: %.*s\n", len, list);
 exit(0);
 }
 list += len;
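Review bot: The corrected message is immediately followed by `exit(0);`, so an unrecognised `--delete-objects` value still terminates pkcs15-init with a success status; a script that checks the exit code will believe the requested private keys or certificates were removed from the card when nothing was deleted. The message fix is right, but the exit status should signal failure, e.g. `exit(1);`, matching what the man page text in this same commit implies for a rejected argument. parse_objects begins before this hunk, so I cannot see whether it is expected to return an error code to its caller instead of exiting; if it is, returning that code would be preferable to any `exit()` here.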