diff --git a/doc/tools/Makefile.am b/doc/tools/Makefile.am
index 83a36199..17e4fbf1 100644
--- a/doc/tools/Makefile.am
+++ b/doc/tools/Makefile.am
@@ -2,8 +2,7 @@ MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
EXTRA_DIST = completion-template
-# TODO XXX Uncomment after fixing issue #1267
-#TESTS = test-manpage.sh
+TESTS = test-manpage.sh
dist_noinst_DATA = $(wildcard $(srcdir)/*.xml)
if ENABLE_DOC
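Review bot: the removed TODO ties the disabled test to issue #1267, but nothing in the hunk records that the issue is resolved; if it is, reference the fix in the commit message (or keep a one-line comment above `TESTS = test-manpage.sh`) so the next person who sees test-manpage.sh fail under `make check` knows the original blocker was cleared rather than re-disabling the test.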
diff --git a/doc/tools/cardos-tool.1.xml b/doc/tools/cardos-tool.1.xml
index 553934b1..9f384c89 100644
--- a/doc/tools/cardos-tool.1.xml
+++ b/doc/tools/cardos-tool.1.xml
@@ -59,8 +59,14 @@ smart cards and similar security tokens based on Siemens Card/OS M4.
Table of Contents Table of Contents Table of Contents Table of Contents Display information about the card or token. Specify the reader number
+ Specify the reader to use. By default, the first
+ reader with a present card is used. If
+ Causes cardos-tool to be more verbose.
@@ -80,12 +84,12 @@ smart cards and similar security tokens based on Siemens Card/OS M4.
Causes cardos-tool to wait for the token
to be inserted into reader.
- cryptoflex-tool — utility for manipulating Schlumberger Cryptoflex data structures cryptoflex-tool — utility for manipulating Schlumberger Cryptoflex data structures
cryptoflex-tool is used to manipulate PKCS
data structures on Schlumberger Cryptoflex smart cards. Users
can create, list and read PINs and keys stored on the smart card.
User PIN authentication is performed for those operations that require it.
-
Specifies the public key file id, Reads a public key from the card, allowing the user to
extract and store or use the public key
Forces cryptoflex-tool to use
- reader number
+ Specify the reader to use. By default, the first
+ reader with a present card is used. If
+ Causes cryptoflex-tool to be more
@@ -138,12 +146,16 @@ smart cards and similar security tokens based on Siemens Card/OS M4.
the opensc library. Verifies CHV1 before issuing commands
-
+ Verifies CHV1 before issuing commands Causes cryptoflex-tool to
+ wait for a card insertion.
+ dnie-tool — displays information about DNIe based security tokens
The dnie-tool utility is used to display additional information about DNIe, the Spanish National eID card.
-
Specify the reader
+ Specify the reader to use. By default, the first
+ reader with a present card is used. If
+ Specify the card driver Causes dnie-tool to be more verbose.
Specify this flag several times
to enable debug output in the opensc library.
- eidenv — utility for accessing visible data from
- electronic identity cards
The eidenv utility is used for
accessing data from electronic identity cards (like
national eID cards) which might not be present in
PKCS#15 objects but available in custom files on the
card. The data can be printed on screen or used by
other programs via environment variables.
-
- Use the given reader. The default is the first reader with a card.
- Prints key usage statistics
@@ -226,11 +245,11 @@ to enable debug output in the opensc library.
Wait for a card to be inserted
- gids-tool — smart card utility for GIDS cards
The gids-tool utility can be used from the command line to perform
miscellaneous smart card operations on a GIDS smart card.
-
Define the new administrator key. Uses reader number
-
+ Specify the reader to use. By default, the first
+ reader with a present card is used. If
+ Wait for a card to be inserted.
Verbose operation. Use several times to
enable debug output.
- netkey-tool — administrative utility for Netkey E4 cards The netkey-tool utility can be used from the
command line to perform some smart card operations with NetKey E4 cards
that cannot be done easily with other OpenSC-tools, such as changing local
PINs, storing certificates into empty NetKey E4 cert-files or displaying
- the initial PUK-value.
Specifies the current value of the local PIN1 (aka local PUK). Use smart card in specified reader. Default is reader 0.
+ Specify the reader to use. By default, the first
+ reader with a present card is used. If
+ Causes netkey-tool to be more verbose. This
options may be specified multiple times to increase verbosity.
- With the When used without any options or commands, netkey-tool will
+ length 7, while 12:34 and 01:02:03:04 are pins of length 2 and 4. When used without any options or commands, netkey-tool will
display information about the smart cards pins and certificates. This will not change
your card in any aspect (assumed there are no bugs in netkey-tool).
In particular the tries-left counters of the pins are investigated without doing
@@ -336,17 +364,21 @@ to enable debug output in the opensc library.
This unblocks the specified pin. You must specify another pin
to be able to do this and if you don't specify a correct one,
netkey-tool will tell you which one is needed.
- iasecc-tool — displays information about IAS/ECC card
-
The iasecc-tool utility is used to display information about IAS/ECC v1.0.1 smart cards.
-
Specify the reader number
+ Specify the reader to use. By default, the first
+ reader with a present card is used. If
+ Get list of the on-card applications.
Causes iasecc-tool to wait for the token
to be inserted into reader.
openpgp-tool — utility for accessing visible data OpenPGP smart cards
- and compatible tokens
The openpgp-tool utility is used for
accessing data from the OpenPGP v1.1 and v2.0 smart cards
and compatible tokens like e.g. GPF CryptoStick v1.x,
@@ -371,7 +403,7 @@ to enable debug output in the opensc library.
PKCS#15 objects but available in custom files on the
card. The data can be printed on screen or used by
other programs via environment variables.
-
- Use the given reader. The default is the first reader with a card.
-
Verify PIN (CHV1, CHV2 or CHV3).
@@ -437,12 +472,12 @@ to enable debug output in the opensc library.
Wait for a card to be inserted.
- netkey-tool — administrative utility for Netkey E4 cards The netkey-tool utility can be used from the
command line to perform some smart card operations with NetKey E4 cards
that cannot be done easily with other OpenSC-tools, such as changing local
PINs, storing certificates into empty NetKey E4 cert-files or displaying
- the initial PUK-value.
Specifies the current value of the local PIN1 (aka local PUK). Use smart card in specified reader. Default is reader 0.
+ Specify the reader to use. By default, the first
+ reader with a present card is used. If
+ Causes netkey-tool to be more verbose. This
options may be specified multiple times to increase verbosity.
- With the When used without any options or commands, netkey-tool will
+ length 7, while 12:34 and 01:02:03:04 are pins of length 2 and 4. When used without any options or commands, netkey-tool will
display information about the smart cards pins and certificates. This will not change
your card in any aspect (assumed there are no bugs in netkey-tool).
In particular the tries-left counters of the pins are investigated without doing
@@ -511,11 +551,11 @@ to enable debug output in the opensc library.
This unblocks the specified pin. You must specify another pin
to be able to do this and if you don't specify a correct one,
netkey-tool will tell you which one is needed.
- openpgp-tool — utility for accessing visible data OpenPGP smart cards
- and compatible tokens
The openpgp-tool utility is used for
accessing data from the OpenPGP v1.1 and v2.0 smart cards
and compatible tokens like e.g. GPF CryptoStick v1.x,
@@ -523,7 +563,7 @@ to enable debug output in the opensc library.
PKCS#15 objects but available in custom files on the
card. The data can be printed on screen or used by
other programs via environment variables.
-
- Use the given reader. The default is the first reader with a card.
-
Verify PIN (CHV1, CHV2 or CHV3).
@@ -589,12 +632,12 @@ to enable debug output in the opensc library.
Wait for a card to be inserted.
- opensc-tool — generic smart card utility
The opensc-tool utility can be used from the command line to perform
miscellaneous smart card operations such as getting the card ATR or
sending arbitrary APDU commands to a card.
-
Print the OpenSC package release version.
Use the given card driver.
The default is auto-detected. Lists algorithms supported by card Print information about OpenSC, such as version and enabled components.
Print the name of the inserted card (driver). Get configuration key, format: section:name:key Get configuration key, format: section:name:key:value Use the given reader number.
- The default is
+ Specify the reader to use. By default, the first
+ reader with a present card is used. If
+ Resets the card in reader.
The default reset type is
Wait for a card to be inserted.
- opensc-explorer —
generic interactive utility for accessing smart card
and similar security token functions
-
The opensc-explorer utility can be
used interactively to perform miscellaneous operations
such as exploring the contents of or sending arbitrary
APDU commands to a smart card or similar security token.
-
The following are the command-line options for
opensc-explorer. There are additional
interactive commands available once it is running.
@@ -674,9 +729,11 @@ to enable debug output in the opensc library.
- Use the given reader number. The default
- is 0, the first reader in the system.
-
Causes opensc-explorer to be more
@@ -685,7 +742,7 @@ to enable debug output in the opensc library.
Wait for a card to be inserted
-
The following commands are supported at opensc-explorer's
interactive prompt or in script files passed via the command line parameter
Calls the card's
- piv-tool — smart card utility for HSPD-12 PIV cards
The piv-tool utility can be used from the command line to perform
miscellaneous smart card operations on a HSPD-12 PIV smart card as defined in NIST 800-73-3.
It is intended for use with test cards only. It can be used to load objects, and generate
key pairs, as well as send arbitrary APDU commands to a card after having authenticated
to the card using the card key provided by the card vendor.
-
Print the card serial number derived from the CHUID object,
@@ -906,7 +963,7 @@ to enable debug output in the opensc library.
without leading Load a certificate onto the card.
This option may be repeated. Use the given reader number. The default is
-
+ Specify the reader to use. By default, the first
+ reader with a present card is used. If
+ Use the given card driver.
@@ -949,15 +1010,15 @@ to enable debug output in the opensc library.
Causes piv-tool to be more verbose.
Specify this flag several times to enable debug output in the opensc
library.
- pkcs11-tool — utility for managing and using PKCS #11 security tokens pkcs11-tool — utility for managing and using PKCS #11 security tokens
The pkcs11-tool utility is used to manage the
data objects on smart cards and similar PKCS #11 security tokens.
Users can list and read PINs, keys and certificates stored on the
token. User PIN authentication is performed for those operations
that require it.
-
Extract information from
Get
-
To list all certificates on the smart card:
@@ -1198,12 +1259,12 @@ to enable debug output in the opensc library.
using the private key with ID
- pkcs15-crypt — perform crypto operations using PKCS#15 smart cards pkcs15-crypt — perform crypto operations using PKCS#15 smart cards
The pkcs15-crypt utility can be used from the
command line to perform cryptographic operations such as computing
digital signatures or decrypting data, using keys stored on a PKCS#15
compliant smart card.
-
Print the OpenSC package release version.
Outputs raw 8 bit data. Selects the
+ Specify the reader to use. By default, the first
+ reader with a present card is used. If
+ This option tells pkcs15-crypt
- that the input file is the result of an SHA1 hash operation,
- rather than an MD5 hash. Again, the data must be in binary
+ These options tell pkcs15-crypt
+ that the input file is the result of the specified hash operation.
+ By default, an MD5 hash is expected. Again, the data must be in binary
representation.
Possible values are 'rs'(default) -- two concatenated
integers (PKCS#11), 'sequence' or 'openssl' -- DER encoded sequence
of two integers (OpenSSL). Causes pkcs15-crypt to
+ wait for a card insertion. Causes pkcs15-crypt to be more
verbose. Specify this flag several times to enable debug output
in the OpenSC library.
- pkcs15-init — smart card personalization utility
The pkcs15-init utility can be used to create a PKCS #15
structure on a smart card, and add key or certificate objects. Details of the
structure that will be created are controlled via profiles.
The profile used by default is pkcs15. Alternative
profiles can be specified via the
pkcs15-init can be used to create a PKCS #15 structure on
your smart card, create PINs, and install keys and certificates on the card.
This process is also called
are protected and cannot be parsed without authentication (usually with User PIN).
This authentication need to be done immediately after the card binding.
In such cases This is the first step during card personalization, and will create the
basic files on the card. To create the initial PKCS #15 structure, invoke the
utility as
@@ -1341,7 +1413,7 @@ to enable debug output in the opensc library.
If the card supports it, you should erase the contents of the card with
pkcs15-init --erase-card before creating the PKCS#15 structure.
-
Before installing any user objects such as private keys, you need at least one
PIN to protect these objects. you can do this using
@@ -1355,7 +1427,7 @@ to enable debug output in the opensc library.
To set a label for this PIN object (which can be used by applications to display
a meaningful prompt to the user), use the
pkcs15-init lets you generate a new key and store it on the card.
You can do this using:
@@ -1373,7 +1445,7 @@ to enable debug output in the opensc library.
In addition to storing the private portion of the key on the card,
pkcs15-init will also store the the public portion of the
key as a PKCS #15 public key object.
-
You can use a private key generated by other means and upload it to the card.
For instance, to upload a private key contained in a file named
key as a PKCS #15 public key object.
Note that usage of
In addition to the PEM key file format, pkcs15-init also
supports DER encoded keys, and PKCS #12 files. The latter is the file format
@@ -1397,7 +1469,7 @@ to enable debug output in the opensc library.
a file. A PKCS #12 file usually contains the X.509 certificate corresponding
to the private key. If that is the case, pkcs15-init will
store the certificate instead of the public key portion.
-
You can also upload individual public keys to the card using the
Since the corresponding public keys are always uploaded automatically
when generating a new key, or when uploading a private key, you will
probably use this option only very rarely.
-
You can upload certificates to the card using the
Most browsers nowadays use PKCS #12 format files when you ask them to
export your key and certificate to a file. pkcs15-init
is capable of parsing these files, and storing their contents on the
@@ -1427,7 +1499,7 @@ to enable debug output in the opensc library.
and protect it with the PIN referenced by authentication ID
You can use a secret key generated by other means and upload it to the card.
For instance, to upload an AES-secret key generated by the system random generator
you would use
@@ -1436,10 +1508,10 @@ to enable debug output in the opensc library.
By default a random ID is generated for the secret key. You may specify an ID
with the
Print the OpenSC package release version. Print the OpenSC package release version.
@@ -1452,6 +1524,10 @@ to enable debug output in the opensc library.
This tells pkcs15-init to create a PKCS #15
structure on the card, and initialize any PINs.
+ Specify the serial number of the card.
+
@@ -1459,6 +1535,11 @@ to enable debug output in the opensc library.
if the card supports it. If the card does not support erasing,
pkcs15-init will fail.
+ This will erase the application with the application identifier
+
@@ -1468,11 +1549,11 @@ to enable debug output in the opensc library.
optionally followed by a slash and the length of the key in bits.
It is a good idea to specify the key ID along with this command,
using the
@@ -1480,10 +1561,10 @@ to enable debug output in the opensc library.
from
+
You can specify --reader
number
,
-r
number
- number
to use.
- The default is reader 0
.num
is an ATR, the
+ reader with a matching card will be chosen.
+ --verbose
,
-v
-w
Name
Synopsis
cryptoflex-tool
[OPTIONS
]Name
Synopsis
cryptoflex-tool
[OPTIONS
]Description
Options
--app-df
num
,
-a
num
@@ -122,15 +126,19 @@ smart cards and similar security tokens based on Siemens Card/OS M4.
-u
id
id
,
to use--read-key
+ --read-key
,
+ -R
--reader
num
,
-r
num
- num
for operations. The default
- is to use reader number 0, the first reader in the system.num
is an ATR, the
+ reader with a matching card will be chosen.
+ --verbose
,
-v
--verify-pin
,
-V
- See also
--wait
,
+ -w
+ Name
Synopsis
dnie-tool
[OPTIONS
]Description
Options
--idesp
,
-i
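Review bot: the `- See also` line is dropped from the cryptoflex-tool page with no replacement in the hunk, while the surrounding options (`--read-key`/`-R`, `--verify-pin`/`-V`, `--wait`/`-w`) are only being tidied; if the cross-reference section was removed on purpose, say so in the commit message, otherwise restore it, since it is the only pointer from this page to the related OpenSC tools.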
@@ -173,8 +185,12 @@ smart cards and similar security tokens based on Siemens Card/OS M4.
The default is do not enter pin--reader
number
,
-r
number
- number
to use.
- The default is reader 0.num
is an ATR, the
+ reader with a matching card will be chosen.
+ --driver
driver
,
-c
driver
driver
to use.
@@ -187,16 +203,16 @@ smart cards and similar security tokens based on Siemens Card/OS M4.
Name
Synopsis
eidenv
[OPTIONS
]Synopsis
eidenv
[OPTIONS
]Description
Options
--exec
prog
,
-x
prog
@@ -213,8 +229,11 @@ to enable debug output in the opensc library.--reader
num
,
-r
num
num
is an ATR, the
+ reader with a matching card will be chosen.
+ --stats
,
-t
--wait
,
-w
Name
Synopsis
gids-tool
[OPTIONS
]Options
-X
,
--initialize
@@ -252,8 +271,12 @@ to enable debug output in the opensc library.--reader
argument
,
-r
argument
- argument
.num
is an ATR, the
+ reader with a matching card will be chosen.
+ -w
,
--wait
--verbose
Name
Synopsis
netkey-tool
[OPTIONS
] [COMMAND
]Description
Options
--help
,
-h
@@ -286,15 +309,20 @@ to enable debug output in the opensc library.--reader
number
,
-r
number
- num
is an ATR, the
+ reader with a matching card will be chosen.
+ -v
PIN format
-p
, -u
, -0
or the -1
one of the cards pins may be specified. You may use plain ascii-strings (i.e. 123456) or a hex-string
(i.e. 31:32:33:34:35:36). A hex-string must consist of exactly n 2-digit hexnumbers separated by n-1 colons.
Otherwise it will be interpreted as an ascii string. For example :12:34: and 1:2:3:4 are both pins of
- length 7, while 12:34 and 01:02:03:04 are pins of length 2 and 4.Commands
Commands
Name
Synopsis
iasecc-tool
[OPTIONS
]Synopsis
iasecc-tool
[OPTIONS
]Description
Options
--reader
number
,
- number
to use.
- The default is reader 0
.num
is an ATR, the
+ reader with a matching card will be chosen.
+ --list-applications
,
--aid
hex-aid
,
@@ -363,7 +395,7 @@ to enable debug output in the opensc library.Name
Synopsis
openpgp-tool
[OPTIONS
]Synopsis
openpgp-tool
[OPTIONS
]Description
Options
--exec
prog
,
-x
prog
@@ -399,8 +431,11 @@ to enable debug output in the opensc library.--reader
num
,
-r
num
num
is an ATR, the
+ reader with a matching card will be chosen.
+ --verify
pintype
Name
Synopsis
netkey-tool
[OPTIONS
] [COMMAND
]Description
Options
--help
,
-h
@@ -461,15 +496,20 @@ to enable debug output in the opensc library.--reader
number
,
-r
number
- num
is an ATR, the
+ reader with a matching card will be chosen.
+ -v
PIN format
-p
, -u
, -0
or the -1
one of the cards pins may be specified. You may use plain ascii-strings (i.e. 123456) or a hex-string
(i.e. 31:32:33:34:35:36). A hex-string must consist of exactly n 2-digit hexnumbers separated by n-1 colons.
Otherwise it will be interpreted as an ascii string. For example :12:34: and 1:2:3:4 are both pins of
- length 7, while 12:34 and 01:02:03:04 are pins of length 2 and 4.Commands
Commands
Name
Synopsis
openpgp-tool
[OPTIONS
]Synopsis
openpgp-tool
[OPTIONS
]Description
Options
--exec
prog
,
-x
prog
@@ -551,8 +591,11 @@ to enable debug output in the opensc library.--reader
num
,
-r
num
num
is an ATR, the
+ reader with a matching card will be chosen.
+ --verify
pintype
Name
Synopsis
opensc-tool
[OPTIONS
]Description
Options
--version
,
-c
driver
--list-algorithms
,
+ --info
,
-i
--name
,
-n
--get-conf-entry
conf
,
+ -G
conf
+ --set-conf-entry
conf
,
+ -S
conf
+ --reader
num
,
-r
num
- 0
, the first reader in the system.num
is an ATR, the
+ reader with a matching card will be chosen.
+ --reset
[=type
],
cold
, but warm reset is also possible.--wait
,
-w
Name
Synopsis
opensc-explorer
[OPTIONS
] [SCRIPT
]Synopsis
opensc-explorer
[OPTIONS
] [SCRIPT
]Description
Options
--reader
num
,
-r
num
num
is an ATR, the
+ reader with a matching card will be chosen.
+ --verbose
, -v
--wait
, -w
Commands
SCRIPT
.
@@ -859,15 +916,15 @@ to enable debug output in the opensc library.[open]
|[close]
open
or close
Secure Messaging handler.Name
Synopsis
piv-tool
[OPTIONS
]Options
--serial
0x
. Example: CHUID object is 3000
--cert
ref
,
- -s
ref
+ -C
ref
ref
is 9A
,
9C
, 9D
or
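Review bot: the short form of `--cert` changes from `-s ref` to `-C ref` in this hunk with no note explaining why; confirm this matches the letter piv-tool actually accepts in its getopt table, because a documentation-only change here would either advertise an option that does not exist or silently break any script that still passes `-s` for the certificate reference.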
@@ -935,8 +992,12 @@ to enable debug output in the opensc library.--reader
num
,
-r
num
- 0
, the first reader in the system.num
is an ATR, the
+ reader with a matching card will be chosen.
+ --card-driver
driver
,
-c
driver
Name
Synopsis
pkcs11-tool
[OPTIONS
]Name
Synopsis
pkcs11-tool
[OPTIONS
]Description
Options
--attr-from
filename
filename
@@ -1182,7 +1243,7 @@ to enable debug output in the opensc library.--generate-random
num
num
bytes of random data.
Examples
pkcs11-tool --list-objects --type cert
ID
and
using the RSA-PKCS mechanism:
pkcs11-tool --sign --id ID --mechanism RSA-PKCS --input-file data --output-file data.sig
Name
Synopsis
pkcs15-crypt
[OPTIONS
]Name
Synopsis
pkcs15-crypt
[OPTIONS
]Description
Options
--version
,
--reader
N
,
-r
N
- N
-th smart
- card reader configured by the system. If unspecified,
- pkcs15-crypt will use the first reader
- found.num
is an ATR, the
+ reader with a matching card will be chosen.
+ --md5
--sha-1
- --sha-224
+ --sha-256
+ --sha-384
+ --sha-512
+ --sign
,
-s
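Review bot: `--sha-224` is removed from the pkcs15-crypt option list while `--sha-256`, `--sha-384` and `--sha-512` are added; check this against the tool's own option table before merging, since dropping a hash option from the manpage that the binary still accepts (or documenting ones it does not) leaves users guessing which digest lengths the card will sign. The accompanying text "By default, an MD5 hash is expected" should also make clear that the default only selects the expected input length, so that readers do not take it as a recommendation to sign MD5 digests.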
@@ -1284,22 +1352,26 @@ to enable debug output in the opensc library.--wait
,
+ -w
+ --verbose
,
-v
Name
Synopsis
pkcs15-init
[OPTIONS
]Description
-p
switch.
- PIN Usage
personalization
.
@@ -1331,7 +1403,7 @@ to enable debug output in the opensc library.--verify-pin
has to be used.
- Modes of operation
Modes of operation
Initialization
User PIN Installation
--label
command line option.
- Key generation
Private Key Upload
okir.pem
, which is in PEM format, you would use
@@ -1385,11 +1457,11 @@ to enable debug output in the opensc library.--id
option in the pkcs15-init
- commands to generate or to import a new key is deprecated.
- Better practice is to let the middleware to derive the identifier from the key material.
- (SHA1(modulus) for RSA, SHA1(pub) for DSA, ...).
- This allows easily set up relation between 'related' objects
- (private/public keys and certificates).
+ commands to generate or to import a new key is deprecated.
+ Better practice is to let the middleware to derive the identifier from the key material.
+ (SHA1(modulus) for RSA, SHA1(pub) for DSA, ...).
+ This allows easily set up relation between 'related' objects
+ (private/public keys and certificates).
Public Key Upload
--store-public-key
option, which takes a filename as an
argument. This file is supposed to contain the public key. If you don't
@@ -1408,12 +1480,12 @@ to enable debug output in the opensc library.Certificate Upload
--store-certificate
option, which takes a filename as
an argument. This file is supposed to contain the PEM encoded X.509
certificate.
- Uploading PKCS #12 bags
01
.
It will also store any X.509 certificates contained in the file, which is
usually the user certificate that goes with the key, as well as the CA certificate.
- Secret Key Upload
--id
if needed.
- Options
--version
,
- --version
,
+ --card-profile
name
,
-c
name
--serial
SERIAL
+ --erase-card
,
-E
--erase-application
AID
+ AID
.
+ --generate-key
keyspec
,
-G
keyspec
id
option, otherwise an intrinsic ID
- will be calculated from the key material. Look the description of
- the 'pkcs15-id-style' attribute in the 'pkcs15.profile' for the details
- about the algorithm used to calculate intrinsic ID.
- For the multi-application cards the target PKCS#15 application can be
- specified by the hexadecimal AID value of the aid
option.
+ will be calculated from the key material. Look the description of
+ the 'pkcs15-id-style' attribute in the 'pkcs15.profile' for the details
+ about the algorithm used to calculate intrinsic ID.
+ For the multi-application cards the target PKCS#15 application can be
+ specified by the hexadecimal AID value of the aid
option.
--options-file
filename
filename
. The file is supposed to
contain one long option per line, without the leading dashes,
for instance:
-
- pin frank
- puk zappa
-
+ pin 1234
+ puk 87654321
+
--options-file
several times.
options file specified with
--options-file
.
--no-so-pin
,
+ + Do not install a SO PIN, and do not prompt for it. +
--profile
name
,
-p
name
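Review bot: the new `--options-file` sample (`pin 1234`, `puk 87654321`) now looks like a real credential file rather than the obviously fake `pin frank` / `puk zappa`, and the description never says that the file holds the PIN and PUK in cleartext; add a sentence that the file should be readable only by the user running pkcs15-init and deleted after personalization, and consider keeping clearly placeholder values in the example so nobody copies them verbatim.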
@@ -1535,13 +1620,18 @@ to enable debug output in the opensc library.
Tells pkcs15-init to store the certificate given
in filename
on the card, creating a certificate
object with the ID specified via the --id
option.
- Without supplied ID an intrinsic ID will be calculated from the
- certificate's public key. Look the description of the 'pkcs15-id-style'
- attribute in the 'pkcs15.profile' for the details
- about the algorithm used to calculate intrinsic ID.
+ Without supplied ID an intrinsic ID will be calculated from the
+ certificate's public key. Look the description of the 'pkcs15-id-style'
+ attribute in the 'pkcs15.profile' for the details
+ about the algorithm used to calculate intrinsic ID.
The file is assumed to contain the PEM encoded certificate.
- For the multi-application cards the target application can be specified
- by the hexadecimal AID value of the aid
option.
+ For the multi-application cards the target application can be specified
+ by the hexadecimal AID value of the aid
option.
+
--store-pin
,
+ -P
+ + Store a new PIN/PUK on the card.
--store-public-key
filename
@@ -1561,11 +1651,11 @@ to enable debug output in the opensc library.
formats can be specified using --format
.
It is a good idea to specify the key ID along with this command,
using the --id
option, otherwise an intrinsic ID
- will be calculated from the key material. Look the description of
- the 'pkcs15-id-style' attribute in the 'pkcs15.profile' for the details
- about the algorithm used to calculate intrinsic ID.
- For the multi-application cards the target PKCS#15 application can be
- specified by the hexadecimal AID value of the aid
option.
+ will be calculated from the key material. Look the description of
+ the 'pkcs15-id-style' attribute in the 'pkcs15.profile' for the details
+ about the algorithm used to calculate intrinsic ID.
+ For the multi-application cards the target PKCS#15 application can be
+ specified by the hexadecimal AID value of the aid
option.
--store-secret-key
filename
,
@@ -1573,20 +1663,61 @@ to enable debug output in the opensc library.
secret key to the card. The file is assumed to contain the raw key.
They key type should be specified with --secret-key-algorithm
option.
+
You may additionally specify the key ID along with this command,
using the --id
option, otherwise a random ID is generated.
For the multi-application cards the target PKCS#15 application can be
specified by the hexadecimal AID value of the aid
option.
--store-data
filename
,
+ -W
filename
+ + Store a data object. +
--update-certificate
filename
,
-U
filename
Tells pkcs15-init to update the certificate
object with the ID specified via the --id
option
- with the certificate in filename
.
+ with the certificate in filename
.
The file is assumed to contain a PEM encoded certificate.
Pay extra attention when updating mail decryption certificates, as - missing certificates can render e-mail messages unreadable! + missing certificates can render e-mail messages unreadable! +
--delete-objects
arg
,
+ -D
arg
+
+ Tells pkcs15-init to delete the
+ specified object. arg
+ is comma-separated list containing any of
+ privkey
, pubkey
,
+ secrkey
, cert
,
+ chain
or data
.
+
+ When data
is specified, an
+ ---application-id
must also be
+ specified, in the other cases an
+ --id
must also be specified
+
+ When chain
is specified, the
+ certificate chain starting with the cert with
+ specified ID will be deleted, until there's a CA
+ certificate that certifies another cert on the card
+
--change-attributes
arg
,
+ -A
arg
+
+ Tells pkcs15-init to change the
+ specified attribute. arg
+ is either privkey
,
+ pubkey
, secrkey
,
+ cert
or data
.
+ You also have to specify the --id
+ of the object.
+ For now, you can only change the --label
, e.g:
+
+ pkcs15-init -A cert --id 45 -a 1 --label Jim +
--use-default-transport-keys
,
-T
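Review bot: in the `--delete-objects` text the option is spelled `---application-id` with three leading dashes; it should read `--application-id` to match the other long options on the page. Two smaller wording issues in the same hunk: "arg is comma-separated list" needs an article ("is a comma-separated list"), and the `chain` case would be clearer as "deleted up to, but not including, the first CA certificate that certifies another certificate on the card", since the current sentence leaves it open whether that CA certificate is removed too.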
@@ -1594,24 +1725,136 @@ to enable debug output in the opensc library.Tells pkcs15-init to not ask for the transport keys and use default keys, as known by the card driver.
--sanity-check
,
+ -T
+ + Tells pkcs15-init to perform a + card specific sanity check and possibly update + procedure. +
--reader
num
,
+ -r
num
+
+ Specify the reader to use. By default, the first
+ reader with a present card is used. If
+ num
is an ATR, the
+ reader with a matching card will be chosen.
+
--verbose
,
-v
Causes pkcs15-init to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.
--wait
,
+ -w
+ Causes pkcs15-init to + wait for a card insertion.
--use-pinpad
- Do not prompt the user; if no PINs supplied, pinpad will be used.
-
+
Do not prompt the user; if no PINs supplied, pinpad will be used.
--puk-id
ID
+ + Specify ID of PUK to use/create +
--puk-label
LABEL
+ + Specify label of PUK +
--public-key-label
LABEL
+
+ Specify public key label (use with --generate-key
)
+
--cert-label
LABEL
+
+ Specify user cert label (use with --store-private-key
)
+
--application-name
arg
+
+ Specify application name of data object (use with --store-data-object
)
+
--aid
AID
+ + Specify AID of the on-card PKCS#15 application to be binded to (in hexadecimal form) +
--output-file
filename
+ -o
filename
,
+ + Output public portion of generated key to file +
--passphrase
PASSPHRASE
+ + Specify passphrase for unlocking secret key +
--authority
+ + Mark certificate as a CA certificate +
--key-usage
arg
+ -u
arg
,
+
+ Specifies the X.509 key usage.
+ arg
is comma-separated
+ list containing any of
+ digitalSignature
,
+ nonRepudiation
,
+ keyEncipherment
,
+ dataEncipherment
,
+ keyAgreement
,
+ keyCertSign
,
+ cRLSign
. Abbreviated names are
+ allowed if unique (e.g.
+ dataEnc
).
+
+ The alias sign
is equivalent to
+ digitalSignature,keyCertSign,cRLSign
+
+ The alias decrypt
is equivalent to
+ keyEncipherment,dataEncipherment
+
--finalize
+ -F
,
+ + Finish initialization phase of the smart card +
--update-last-update
+ + Update 'lastUpdate' attribute of tokenInfo +
--ignore-ca-certificates
+ + When storing PKCS#12 ignore CA certificates +
--update-existing
+ + Store or update existing certificate +
--extractable
+ + Private key stored as an extractable key +
--insecure
+ + Insecure mode: do not require a PIN for private key +
--md-container-guid
GUID
+ + For a new key specify GUID for a MD container +
--help
+ -h
,
+ + Display help message +
+
pkcs15-tool — utility for manipulating PKCS #15 data structures - on smart cards and similar security tokens
pkcs15-tool
[OPTIONS
]
pkcs15-tool
[OPTIONS
]
The pkcs15-tool utility is used to manipulate the PKCS #15 data structures on smart cards and similar security tokens. Users can list and read PINs, keys and certificates stored on the token. User PIN authentication is performed for those operations that require it. -
--version
,
Print the OpenSC package release version.
--dump
,
-D
List all card objects.
--list-info
+ List card objects.
--list-applications
- List the on-card PKCS#15 applications
List the on-card PKCS#15 applications.
--list-certificates
,
-c
List all certificates stored on the token.
algorithm). Actual private key values are not displayed.
For some cards the PKCS#15 attributes of the private keys are protected for reading
and need the authentication with the User PIN.
+ In such a case the --verify-pin
option has to be used.
--list-secret-keys
+ List all secret (symmetric) keys stored on the token. General
+ information about each secret key is listed (eg. key name, id and
+ algorithm). Actual secret key values are not displayed.
+ For some cards the PKCS#15 attributes of the private keys are protected for reading
+ and need the authentication with the User PIN.
In such a case the --verify-pin
option has to be used.
--list-pins
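Review bot: the --list-secret-keys paragraph copies the private-key text too literally: it says "the PKCS#15 attributes of the private keys are protected for reading" although this option lists secret (symmetric) keys; change "private keys" to "secret keys" there. Also "eg." should be "e.g.", and --list-info ("List card objects.") next to --dump ("List all card objects.") does not tell the reader how the two differ; one sentence on what --list-info omits or adds would help.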
List all PINs stored on the token. General information @@ -1703,10 +1955,19 @@ to enable debug output in the opensc library.
--rfc4716
When used in conjunction with option --read-ssh-key
the
output format of the public key follows rfc4716.
The default output format is a single line (openssh).
--test-update
,
+ -T
,
+ Test if the card needs a security update
--update
,
+ -U
,
+ Update the card with a security update
--reader
num
- Forces pkcs15-tool to use reader
- number num
for operations. The default is to use
- reader number 0, the first reader in the system.
+ Specify the reader to use. By default, the first
+ reader with a present card is used. If
+ num
is an ATR, the
+ reader with a matching card will be chosen.
+
--unblock-pin
,
-u
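Review bot: the new --test-update/-T and --update/-U entries ("Test if the card needs a security update", "Update the card with a security update") do not say which card types support this or what the update changes, so a user cannot tell whether the option applies to their token; add the supported card family and say whether --update is irreversible. The --reader paragraph is fine, but since num can now be an ATR it would help to state the expected form of the ATR string.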
Unblocks a PIN stored on the token. Knowledge of the @@ -1716,20 +1977,33 @@ to enable debug output in the opensc library.
Causes pkcs15-tool to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.
--pin
PIN
+ Specify PIN
--puk
PUK
+ Specify Unblock PIN
--new-pin
PIN
+ Specify New PIN (when changing or unblocking)
--verify-pin
Verify PIN after card binding and before issuing any command (without 'auth-id' the first non-SO, non-Unblock PIN will be verified)
--test-session-pin
+ Equivalent to --verify-pin
+ with additional session PIN generation
--wait
,
+ -w
+ Causes pkcs15-tool to + wait for a card insertion.
--use-pinpad
Do not prompt the user; if no PINs supplied, pinpad will be used.
-
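Review bot: --pin, --puk and --new-pin are documented with single words ("Specify PIN", "Specify Unblock PIN"), which does not say which operations read them or what happens when they are omitted (the --use-pinpad entry implies a prompt or the pinpad is used otherwise); state that, and since these values are given on the command line it is worth noting that they are visible in the process list and shell history, so interactive entry or the pinpad is preferable.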
sc-hsm-tool — smart card utility for SmartCard-HSM
sc-hsm-tool
[OPTIONS
]
The sc-hsm-tool utility can be used from the command line to perform extended maintenance tasks not available via PKCS#11 or other tools in the OpenSC package. It can be used to query the status of a SmartCard-HSM, initialize a device, generate and import Device Key Encryption Key (DKEK) shares and to wrap and unwrap keys. -
--initialize
,
-X
@@ -1787,8 +2061,12 @@ to enable debug output in the opensc library.
Define the token label to be used in --initialize.
--reader
num
,
-r
num
- Use the given reader number. The default is
- 0
, the first reader in the system.
+ Specify the reader to use. By default, the first
+ reader with a present card is used. If
+ num
is an ATR, the
+ reader with a matching card will be chosen.
+
--wait
,
-w
Wait for a card to be inserted
Causes sc-hsm-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.
-
Create a DKEK share:
sc-hsm-tool --create-dkek-share dkek-share-1.pbe
Create a DKEK share with random password split up using a (3, 5) threshold scheme:
sc-hsm-tool --create-dkek-share dkek-share-1.pbe --pwd-shares-threshold 3 --pwd-shares-total 5
Initialize SmartCard-HSM to use a single DKEK share:
sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 --dkek-shares 1 --label mytoken
Import DKEK share:
sc-hsm-tool --import-dkek-share dkek-share-1.pbe
Import DKEK share using a password split up using a (3, 5) threshold scheme for encryption:
sc-hsm-tool --import-dkek-share dkek-share-1.pbe --pwd-shares-total 3
Wrap referenced key, description and certificate:
sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1 --pin 648219
Unwrap key into same or in different SmartCard-HSM with the same DKEK:
sc-hsm-tool --unwrap-key wrap-key.bin --key-reference 10 --pin 648219 --force
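Review bot: the "Import DKEK share ... (3, 5) threshold scheme" example passes --pwd-shares-total 3 while the matching create example used --pwd-shares-threshold 3 --pwd-shares-total 5, so the reader cannot tell whether 3 here means the threshold or the total; the sentence should explain what number is expected on import. In the --initialize example, --so-pin is a 16-digit hexadecimal string while --pin is 6 decimal digits; say which format each option expects. Finally, every example with --pin puts the PIN on the command line; if the tool prompts when the option is omitted, a remark to that effect would be useful.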
westcos-tool — utility for manipulating data structures - on westcos smart cards
westcos-tool
[OPTIONS
]
The westcos-tool utility is used to manipulate the westcos data structures on 2 Ko smart cards / tokens. Users can create PINs, keys and certificates stored on the card / token. User PIN authentication is performed for those operations that require it. -
--change-pin
,
-n
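Review bot: "2 Ko smart cards / tokens" uses the French abbreviation; in an English man page this should be "2 KB". Also "Users can create PINs, keys and certificates stored on the card / token" should read "Users can create PINs, keys and certificates on the card or token".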
@@ -1865,8 +2143,11 @@ to enable debug output in the opensc library.
--reader
num
,
-r
num
- Use the given reader. The default is the first reader with a card. -
num
is an ATR, the
+ reader with a matching card will be chosen.
+ --unblock-pin
,
-u
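Review bot: the westcos-tool --reader entry does not match the wording adopted for pkcs15-tool and sc-hsm-tool in this patch: the removed line "Use the given reader. The default is the first reader with a card." is replaced by text that starts mid-sentence at "num is an ATR, the reader with a matching card will be chosen", without the leading "Specify the reader to use. By default, the first reader with a present card is used. If" sentence. Use the same paragraph as the other tools so all three describe the ATR matching identically.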
Unblocks a PIN stored on the card. Knowledge of the @@ -1884,8 +2165,8 @@ to enable debug output in the opensc library.
from disk to card.
On the card the file is written in filename
.
User authentication is required for this operation.
-
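Review bot: "On the card the file is written in filename" should read "written to filename".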
pkcs15-profile — format of profile for pkcs15-init
The pkcs15-init utility for PKCS #15 smart card personalization is controlled via profiles. When starting, it will read two such profiles at the moment, a generic application profile, and a card @@ -1901,10 +2182,10 @@ to enable debug output in the opensc library.
The card specific profile contains additional information required during card initialization, such as location of PIN files, key references etc. Profiles currently reside in @pkgdatadir@ -