giomba
/
opensc
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added docbook XML source for tools manpages 

git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2443 c6295689-39f2-0310-b995-f0e70906c6a9
This commit is contained in:
bert 2005-07-20 00:43:38 +00:00
parent 9894a10d37
commit a355f9cdd7
11 changed files with 1541 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
doc/src/tools/cardos-info.xml Normal file
View File

@ -0,0 +1,64 @@
<?xml version="1.0" encoding="UTF-8"?>
<refentry id="cardos-info">
<refmeta>
<refentrytitle>cardos-info</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>opensc</refmiscinfo>
</refmeta>
<refnamediv>
<refname>cardos-info</refname>
<refpurpose>displays information about Card OS-based security tokens
</refpurpose>
</refnamediv>
<refsect1>
<title>Synopsis</title>
<para>
<command>cardos-info</command> [OPTIONS]
</para>
</refsect1>
<refsect1>
<title>Description</title>
<para>
The <command>cardos-info</command> utility is used to display information about
smart cards and similar security tokens based on Siemens Card/OS M4.
</para>
</refsect1>
<refsect1>
<title>Options</title>
<para>
<variablelist>
<varlistentry>
<term><option>--reader</option> number, <option>-r</option> number</term>
<listitem><para>Display information about the token in reader number <varname>number</varname>.
The default is reader 0.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--card-driver</option> name, <option>-c</option> driver</term>
<listitem><para>Use the card driver specified by <varname>name</varname>. The default
is to auto-detect the correct card driver.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--wait, -w</option></term>
<listitem><para>Causes <command>cardos-info</command> to wait for the token
to be inserted into reader.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--verbose, -v</option></term>
<listitem><para>Causes <command>cardos-info</command> to be more verbose. Specify this flag several times
to enable debug output in the opensc library.</para></listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1>
<title>See also</title>
<para>opensc(7)</para>
</refsect1>
</refentry>

134
doc/src/tools/cryptoflex-tool.xml Normal file
View File

@ -0,0 +1,134 @@
<?xml version="1.0" encoding="UTF-8"?>
<refentry id="cryptoflex-tool">
<refmeta>
<refentrytitle>cryptoflex-tool</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>opensc</refmiscinfo>
</refmeta>
<refnamediv>
<refname>cryptoflex-tool</refname>
<refpurpose>utility for manipulating Schlumberger Cryptoflex data structures</refpurpose>
</refnamediv>
<refsect1>
<title>Synopsis</title>
<para>
<command>cryptoflex-tool</command> [OPTIONS]
</para>
</refsect1>
<refsect1>
<title>Description</title>
<para>
<command>cryptoflex-tool</command> is used to manipulate PKCS
data structures on Schlumberger Cryptoflex smart cards. Users
can create, list and read PINs and keys stored on the smart card.
User PIN authentication is performed for those operations that require it.
</para>
</refsect1>
<refsect1>
<title>Options</title>
<para>
<variablelist>
<varlistentry>
<term><option>--verify-pin, -V</option></term>
<listitem><para>Verifies CHV1 before issuing commands</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--list-keys, -l</option></term>
<listitem><para>Lists all keys stored in a public key file</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--create-key-files</option> <varname>arg</varname>,
<option>-c</option> <varname>arg</varname></term>
<listitem><para>Creates new RSA key files for <varname>arg</varname> keys</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--create-pin-files</option> <varname>id</varname>,
<option>-P</option> <varname>id</varname></term>
<listitem><para>Creates new PIN file for CHV<varname>id</varname></para></listitem>
</varlistentry>
<varlistentry>
<term><option>--generate-key, -g</option></term>
<listitem><para>Generate a new RSA key pair</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--read-key</option></term>
<listitem><para>Reads a public key from the card, allowing the user to
extract and store or use the public key
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--key-num</option> <varname>num</varname>,
<option>-k</option> <varname>num</varname></term>
<listitem><para>Specifies the key number to operate on. The default is
key number 1.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--app-df</option> <varname>num</varname>,
<option>-a</option> <varname>num</varname></term>
<listitem><para>Specifies the DF to operate in</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--prkey-file</option> <varname>id</varname>,
<option>-p</option> <varname>id</varname></term>
<listitem><para>Specifies the private key file id, <varname>id</varname>,
to use</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--pubkey-file</option> <varname>id</varname>,
<option>-u</option> <varname>id</varname></term>
<listitem><para>Specifies the public key file id, <varname>id</varname>,
to use</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--exponent</option> <varname>exp</varname>,
<option>-e</option> <varname>exp</varname></term>
<listitem><para>Specifies the RSA exponent, <varname>exp</varname>,
to use in key generation. The default value is 3.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--modulus-length</option> <varname>length</varname>,
<option>-m</option> <varname>length</varname></term>
<listitem><para>Specifies the modulus <varname>length</varname> to use
in key generation. The default value is 1024.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--reader</option> <varname>num</varname>,
<option>-r</option> <varname>num</varname></term>
<listitem><para>Forces <command>cryptoflex-tool</command> to use
reader number <varname>num</varname> for operations. The default
is to use reader number 0, the first reader in the system.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--verbose, -v</option></term>
<listitem><para>Causes <command>cryptoflex-tool</command> to be more
verbose. Specify this flag several times to enable debug output in
the opensc library.</para></listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1>
<title>See also</title>
<para>opensc(7), pkcs15-tool(1)</para>
</refsect1>
</refentry>

77
doc/src/tools/opensc-config.xml Normal file
View File

@ -0,0 +1,77 @@
<?xml version="1.0" encoding="UTF-8"?>
<refentry id="opensc-config">
<refmeta>
<refentrytitle>opensc-config</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>opensc</refmiscinfo>
</refmeta>
<refnamediv>
<refname>opensc-config</refname>
<refpurpose>a tool to get information about the installed version of OpenSC</refpurpose>
</refnamediv>
<refsect1>
<title>Synopsis</title>
<para>
<command>opensc-config</command> [OPTIONS]
</para>
</refsect1>
<refsect1>
<title>Description</title>
<para>
<command>opensc-config</command> is a tool that is used to get various information
about the installed version of OpenSC. It is particularly useful in determining
compiler and linker flags necessary to build programs with the OpenSC libraries.
</para>
</refsect1>
<refsect1>
<title>Options</title>
<para>
<command>opensc-config</command> accepts the following options:
<variablelist>
<varlistentry>
<term><option>--version</option></term>
<listitem><para>Print the installed version of OpenSC to standard output.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--libs</option></term>
<listitem><para>Print the linker flags that are needed to compile a program
to use the OpenSC libraries.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--cflags</option></term>
<listitem><para>Print the compiler flags that are needed to compile a program
to use the OpenSC libraries.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--prefix=PREFIX</option></term>
<listitem><para>If specified, use PREFIX instead of the installation
prefix that OpenSC was built with when computing the output for the
--cflags and --libs options. This option is also used for the exec
prefix if --exec-prefix was not specified. This option must be specified
before any --libs or --cflags options.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--exec-prefix=PREFIX</option></term>
<listitem><para>If specified, use PREFIX instead of the installation
exec prefix that OpenSC was built with when computing the output for
the --cflags and --libs options. This option must be specified before any
--libs or --cflags options.</para></listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1>
<title>See also</title>
<para>opensc(7)</para>
</refsect1>
</refentry>

191
doc/src/tools/opensc-explorer.xml Normal file
View File

@ -0,0 +1,191 @@
<?xml version="1.0" encoding="UTF-8"?>
<refentry id="opensc-explorer">
<refmeta>
<refentrytitle>opensc-explorer</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>opensc</refmiscinfo>
</refmeta>
<refnamediv>
<refname>opensc-explorer</refname>
<refpurpose>
generic interactive utility for accessing smart card
and similar security token functions
</refpurpose>
</refnamediv>
<refsect1>
<title>Synopsis</title>
<para>
<command>opensc-explorer</command> [OPTIONS]
</para>
</refsect1>
<refsect1>
<title>Description</title>
<para>
The <command>opensc-explorer</command> utility can be
used interactively to perform miscellaneous operations
such as exploring the contents of or sending arbitrary
APDU commands to a smart card or similar security token.
</para>
</refsect1>
<refsect1>
<title>Options</title>
<para>
The following are the command-line options for
<command>opensc-explorer</command>. There are additional
interactive commands available once it is running.
<variablelist>
<varlistentry>
<term>
<option>--reader</option> num,
<option>-r</option> num
</term>
<listitem><para>
Use the given reader number. The default
is 0, the first reader in the system.
</para></listitem>
</varlistentry>
<varlistentry>
<term>
<option>--card-driver</option> driver,
<option>-c</option> driver
</term>
<listitem><para>
Use the given card driver. The default is
auto-detected.
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--verbose, -v</option></term>
<listitem><para>
Causes <command>opensc-explorer</command> to be more
verbose. Specify this flag several times to enable
debug output in the opensc library.
</para></listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1>
<title>Commands</title>
<para>
The following commands are supported at the <command>opensc-explorer</command>
interactive prompt.
<variablelist>
<varlistentry>
<term><option>ls</option></term>
<listitem><para>list all files in the current DF</para></listitem>
</varlistentry>
<varlistentry>
<term><option>cd</option> <varname>file-id</varname></term>
<listitem><para>change to another DF specified by <varname>file-id</varname></para></listitem>
</varlistentry>
<varlistentry>
<term><option>cat</option></term>
<listitem><para>print the contents of the currently selected EF</para></listitem>
</varlistentry>
<varlistentry>
<term><option>info</option> [<varname>file-id</varname>]</term>
<listitem><para>display attributes of a file specified by <varname>file-id</varname>.
If <varname>file-id</varname> is not supplied,
the attributes of the current file are printed.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>create</option> <varname>file-id</varname> <varname>size</varname></term>
<listitem><para>create a new EF. <varname>file-id</varname> specifies the
id number and <varname>size</varname> is the size of the new file.
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>delete</option> <varname>file-id</varname></term>
<listitem><para>remove the EF or DF specified by <varname>file-id</varname></para></listitem>
</varlistentry>
<varlistentry>
<term><option>verify</option> <varname>key-type</varname><varname>key-id</varname>
[<varname>key</varname>]</term>
<listitem><para>present a PIN or key to the card. Where <varname>key-type</varname>
can be one of CHV, KEY or PRO. <varname>key-id</varname> is a number representing the
key or PIN number. <varname>key</varname> is the key or PIN to be verified in hex.
</para>
<para>
Example: verify CHV0 31:32:33:34:00:00:00:00
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>change CHV</option><varname>id [old-pin] new-pin</varname></term>
<listitem><para>change a PIN</para>
<para>
Example: change CHV0 31:32:33:34:00:00:00:00 'secret'
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>put</option> <varname>file-id</varname> [<varname>input</varname>]</term>
<listitem><para>copy a local file to the card. The local file is specified
by <varname>input</varname> while the card file is specified by <varname>file-id</varname>
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>get</option> <varname>file-id</varname> [<varname>output</varname>]</term>
<listitem><para>copy an EF to a local file. The local file is specified
by <varname>output</varname> while the card file is specified by <varname>file-id</varname>.
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>mkdir</option> <varname>file-id</varname> <varname>size</varname></term>
<listitem><para>create a DF. <varname>file-id</varname> specifies the id number
and <varname>size</varname> is the size of the new file.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>pksign</option></term>
<listitem><para>create a public key signature. NOTE: This command is currently not implemented.
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>pkdecrypt</option></term>
<listitem><para>perform a public key decryption. NOTE: This command is currently not implemented.
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>erase</option></term>
<listitem><para>erase the card, if the card supports it.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>debug</option> [<varname>level</varname>]</term>
<listitem><para>get or set the debug level</para></listitem>
</varlistentry>
<varlistentry>
<term><option>quit</option></term>
<listitem><para>exit the program</para></listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1>
<title>See also</title>
<para>opensc(7), opensc-tool(1)</para>
</refsect1>
</refentry>

87
doc/src/tools/opensc-tool.xml Normal file
View File

@ -0,0 +1,87 @@
<?xml version="1.0" encoding="UTF-8"?>
<refentry id="opensc-tool">
<refmeta>
<refentrytitle>opensc-tool</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>opensc</refmiscinfo>
</refmeta>
<refnamediv>
<refname>opensc-tool</refname>
<refpurpose>generic smart card utility</refpurpose>
</refnamediv>
<refsect1>
<title>Synopsis</title>
<para>
<command>opensc-tool</command> [OPTIONS]
</para>
</refsect1>
<refsect1>
<title>Description</title>
<para>
The <command>opensc-tool</command> utility can be used from the command line to perform
miscellaneous smart card operations such as getting the card ATR or
sending arbitrary APDU commands to a card.
</para>
</refsect1>
<refsect1>
<title>Options</title>
<para>
<variablelist>
<varlistentry>
<term><option>--atr, -a</option></term>
<listitem><para>Print the Answer To Reset (ATR) of the card,
output is in hex byte format</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--serial</option></term>
<listitem><para>Print the card serial number (normally the ICCSN), output is in hex byte
format</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--send-apdu</option> apdu, <option>-s</option> apdu</term>
<listitem><para>Sends an arbitrary APDU to the card in the format AA:BB:CC:DD:EE:FF...</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--list-files, -f</option></term>
<listitem><para>Recursively lists all files stored on card</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--list-readers, -l</option></term>
<listitem><para>Lists all configured readers</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--list-drivers, -D</option></term>
<listitem><para>Lists all installed card drivers</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--list-rdrivers, -R</option></term>
<listitem><para>Lists all installed reader drivers</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--reader</option> num, <option>-r</option> num</term>
<listitem><para>Use the given reader number. The default is 0, the first reader
in the system.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--card-driver</option> driver, <option>-c</option> driver</term>
<listitem><para>Use the given card driver. The default is auto-detected.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--verbose, -v</option></term>
<listitem><para>Causes <command>opensc-tool</command> to be more verbose. Specify this flag several times
to enable debug output in the opensc library.</para></listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1>
<title>See also</title>
<para>opensc(7), opensc-explorer(1)</para>
</refsect1>
</refentry>

223
doc/src/tools/pkcs11-tool.xml Normal file
View File

@ -0,0 +1,223 @@
<?xml version="1.0" encoding="UTF-8"?>
<refentry id="pkcs11-tool">
<refmeta>
<refentrytitle>pkcs11-tool</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>opensc</refmiscinfo>
</refmeta>
<refnamediv>
<refname>pkcs11-tool</refname>
<refpurpose>utility for managing and using PKCS #11 security tokens</refpurpose>
</refnamediv>
<refsect1>
<title>Synopsis</title>
<para>
<command>pkcs11-tool</command> [OPTIONS]
</para>
</refsect1>
<refsect1>
<title>Description</title>
<para>
The <command>pkcs11-tool</command> utility is used to manage the
data objects on smart cards and similar PKCS #11 security tokens.
Users can list and read PINs, keys and certificates stored on the
token. User PIN authentication is performed for those operations
that require it.
</para>
</refsect1>
<refsect1>
<title>Options</title>
<para>
<variablelist>
<varlistentry>
<term><option>--login, -l</option></term>
<listitem><para>Authenticate to the token before performing
other operations. This option is not needed if a PIN is
provided on the command line.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--pin</option> <varname>pin</varname>,
<option>-p</option> <varname>pin</varname></term>
<listitem><para>Use the given <varname>pin</varname> for
token operations. WARNING: Be careful using this option
as other users may be able to read the command line from
the system or if it is embedded in a script.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--so-pin</option> <varname>pin</varname></term>
<listitem><para>Use the given <varname>pin</varname> as the
Security Officer PIN for some token operations (token
initialization, user PIN initialization, etc). The same
warning as --pin also applies here.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--init-token</option></term>
<listitem><para>Initializes a token: set the token label as
well as a Security Officer PIN (the label must be specified
using --label).</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--init-pin</option></term>
<listitem><para>Initializes the user PIN. This option
differs from --change-pin in that it sets the user PIN
for the first time. Once set, the user PIN can be changed
using --change-pin.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--change-pin, -c</option></term>
<listitem><para>Change the user PIN on the token</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--test, -t</option></term>
<listitem><para>Performs some tests on the token. This
option is most useful when used with either --login or
--pin.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--show-info, -I</option></term>
<listitem><para>Displays general token information.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--list-slots, -L</option></term>
<listitem><para>Displays a list of available slots on the token.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--list-mechanisms, -M</option></term>
<listitem><para>Displays a list of mechanisms supported by the token.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--list-objects, -O</option></term>
<listitem><para>Displays a list of objects.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--sign, s</option></term>
<listitem><para>Sign some data.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--hash, -h</option></term>
<listitem><para>Hash some data.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--mechanism</option> <varname>mechanism</varname>,
<option>-m</option> <varname>mechanism</varname></term>
<listitem><para>Use the specified <varname>mechanism</varname>
for token operations. See -M for a list of mechanisms supported
by your token.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--keypairgen, -k</option></term>
<listitem><para>Generate a new key pair (public and private pair.)</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--write-object</option> <varname>id</varname>,
<option>-w</option> <varname>id</varname></term>
<listitem><para>Write a key or certificate object to the token.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--type</option> <varname>type</varname>,
<option>-y</option> <varname>type</varname></term>
<listitem><para>Specify the type of object to operate on.
Examples are <emphasis>cert</emphasis>, <emphasis>privkey</emphasis>
and <emphasis>pubkey</emphasis>.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--id</option> <varname>id</varname>,
<option>-d</option> <varname>id</varname></term>
<listitem><para>Specify the id of the object to operate on.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--label</option> <varname>name</varname>,
<option>-a</option> <varname>name</varname></term>
<listitem><para>Specify the name of the object to operate on
(or the token label when --init-token is used).</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--slot</option> <varname>id</varname></term>
<listitem><para>Specify the id of the slot to use.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--slot-id</option> <varname>name</varname></term>
<listitem><para>Specify the name of the slot to use.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--set-id</option> <varname>id</varname>,
<option>-e</option> <varname>id</varname></term>
<listitem><para>Set the CKA_ID of the object.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--attr-from</option> <varname>path</varname></term>
<listitem><para>Extract information from <varname>path</varname>
(DER-encoded certificate file) and create the corresponding
attributes when writing an object to the token. Example: the
certificate subject name is used to create the CKA_SUBJECT
attribute.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--input-file</option> <varname>path</varname>,
<option>-i</option> <varname>path</varname></term>
<listitem><para>Specify the path to a file for input.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--output-file</option> <varname>path</varname>,
<option>-o</option> <varname>path</varname></term>
<listitem><para>Specify the path to a file for output.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--module</option> <varname>mod</varname></term>
<listitem><para>Specify a module to load.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--moz-cert</option> <varname>path</varname>,
<option>-z</option> <varname>path</varname></term>
<listitem><para>Tests a Mozilla-like keypair generation
and certificate request. Specify the <varname>path</varname>
to the certificate file.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--verbose, -v</option></term>
<listitem><para>Causes <command>pkcs11-tool</command> to be
more verbose. Specify this flag several times to enable debug
output in the OpenSC library.</para></listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1>
<title>See also</title>
<para>opensc(7)</para>
</refsect1>
</refentry>

141
doc/src/tools/pkcs15-crypt.xml Normal file
View File

@ -0,0 +1,141 @@
<?xml version="1.0" encoding="UTF-8"?>
<refentry id="pkcs15-crypt">
<refmeta>
<refentrytitle>pkcs15-crypt</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>opensc</refmiscinfo>
</refmeta>
<refnamediv>
<refname>pkcs15-crypt</refname>
<refpurpose>perform crypto operations using pkcs15 smart card</refpurpose>
</refnamediv>
<refsect1>
<title>Synopsis</title>
<para>
<command>pkcs15-crypt</command> [OPTIONS]
</para>
</refsect1>
<refsect1>
<title>Description</title>
<para>
The <command>pkcs15-crypt</command> utility can be used from the
command line to perform cryptographic operations such as computing
digital signatures or decrypting data, using keys stored on a PKCS
#15 compliant smart card.
</para>
</refsect1>
<refsect1>
<title>Options</title>
<para>
<variablelist>
<varlistentry>
<term><option>--sign, -s</option></term>
<listitem><para>Perform digital signature operation on
the data read from a file specified using the <option>input</option>
option. By default, the contents of the file are assumed to
be the result of an MD5 hash operation. Note that <command>pkcs15-crypt</command>
expects the data in binary representation, not ASCII.</para>
<para>The digital signature is stored, in binary representation,
in the file specified by the <option>output</option> option. If
this option is not given, the signature is printed on standard
output, displaying non-printable characters using their hex notation
xNN (see also <option>--raw</option>).</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--pkcs1</option></term>
<listitem><para>By default, <command>pkcs15-crypt</command>
assumes that input data has been padded to the correct length
(i.e. when computing an RSA signature using a 1024 bit key,
the input must be padded to 128 bytes to match the modulus
length). When giving the <option>--pkcs1</option> option,
however, <command>pkcs15-crypt</command> will perform the
required padding using the algorithm outlined in the
PKCS #1 standard version 1.5.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--sha-1</option></term>
<listitem><para>This option tells <command>pkcs15-crypt</command>
that the input file is the result of an SHA1 hash operation,
rather than an MD5 hash. Again, the data must be in binary
representation.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--decipher, -c</option></term>
<listitem><para>Decrypt the contents of the file specified by
the <option>--input</option> option. The result of the
decryption operation is written to the file specified by the
<option>--output</option> option. If this option is not given,
the decrypted data is printed to standard output, displaying
non-printable characters using their hex notation xNN (see also
<option>--raw</option>).</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--key</option> <varname>id</varname>,
<option>-k</option> <varname>id</varname></term>
<listitem><para>Selects the ID of the key to use.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--reader</option> <varname>N</varname>,
<option>-r</option> <varname>N</varname></term>
<listitem><para>Selects the <varname>N</varname>-th smart
card reader configured by the system. If unspecified,
<command>pkcs15-crypt</command> will use the first reader
found.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--input</option> <varname>file</varname>,
<option>-i</option> <varname>file</varname></term>
<listitem><para>Specifies the input file to use.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--output</option> <varname>file</varname>,
<option>-o</option> <varname>file</varname></term>
<listitem><para>Any output will be sent to the specified file.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--raw, -R</option></term>
<listitem><para>Outputs raw 8 bit data.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--pin</option> <varname>pin</varname>,
<option>-p</option> <varname>pin</varname></term>
<listitem><para>When the cryptographic operation requires a
PIN to access the key, <command>pkcs15-crypt</command> will
prompt the user for the PIN on the terminal. Using this option
allows you to specify the PIN on the command line.</para>
<para>Note that on most operating systems, the command line of
a process can be displayed by any user using the ps(1)
command. It is therefore a security risk to specify
secret information such as PINs on the command line.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--verbose, -v</option></term>
<listitem><para>Causes <command>pkcs15-crypt</command> to be more
verbose. Specify this flag several times to enable debug output
in the OpenSC library.</para></listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1>
<title>See also</title>
<para>pkcs15-init(1), pkcs15-tool(1)</para>
</refsect1>
</refentry>

407
doc/src/tools/pkcs15-init.xml Normal file
View File

@ -0,0 +1,407 @@
<?xml version="1.0" encoding="UTF-8"?>
<refentry id="">
<refmeta>
<refentrytitle>pkcs15-init</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>opensc</refmiscinfo>
</refmeta>
<refnamediv>
<refname>pkcs15-init</refname>
<refpurpose>smart card personalization utility</refpurpose>
</refnamediv>
<refsect1>
<title>Description</title>
<para>
The <command>pkcs15-init</command> utility can be used to create a PKCS #15
structure on a smart card, and add key or certificate objects. Details of the
structure that will be created are controlled via profiles.
</para>
<para>
The profile used by default is <command>pkcs15</command>. Alternative
profiles can be specified via the <option>-p</option> switch.
</para>
</refsect1>
<refsect1>
<title>PIN Usage</title>
<para>
<command>pkcs15-init</command> can be used to create a PKCS #15 structure on
your smart card, create PINs, and install keys and certificates on the card.
This process is also called <emphasis>personalization</emphasis>.
</para>
<para>
An OpenSC card can have one security officer PIN, and zero or more user PINs.
PIN stands for Personal Identification Number, and is a secret code you need
to present to the card before being allowed to perform certain operations,
such as using one of the stored RSA keys to sign a document, or modifying
the card itself.
</para>
<para>
Usually, PINs are a sequence of decimal digits, but some cards will accept
arbitrary ASCII characters. Be aware however that using characters other
than digits will make the card unusable with PIN pad readers, because those
usually have keys for entering digits only.
</para>
<para>
The security officer (SO) PIN is special; it is used to protect meta data
information on the card, such as the PKCS #15 structure itself. Setting
the SO PIN is optional, because the worst that can usually happen is that
someone finding your card can mess it up. To extract any of your secret
keys stored on the card, an attacker will still need your user PIN, at
least for the default OpenSC profiles. However, it is possible to create
card profiles that will allow the security officer to override user PINs.
</para>
<para>
For each PIN, you can specify a PUK (also called <emphasis>unblock PIN</emphasis>).
The PUK can be used to overwrite or unlock a PIN if too many incorrect values
have been entered in a row.
</para>
</refsect1>
<refsect1>
<title>Modes of operation</title>
<refsect2>
<title>Initialization</title>
<para>This is the first step during card personalization, and will create the
basic files on the card. To create the initial PKCS #15 structure, invoke the
utility as
</para>
<para>
<command>pkcs15-init --create-pkcs15</command></para>
<para>
You will then be asked for several the security officer PIN and PUK. Simply
pressing return at the SO PIN prompt will skip installation of an SO PIN.
</para>
<para>
If the card supports it, you can also request that the card is erased prior
to creating the PKCS #15 structure, by specifying the <option>--erase-card</option>
option.
</para>
</refsect2>
<refsect2>
<title>User PIN Installation</title>
<para>
Before installing any user objects such as private keys, you need at least one
PIN to protect these objects. you can do this using
</para>
<para>
<command>pkcs15-init --store-pin --id " nn</command>
</para>
<para>
where <emphasis>nn</emphasis> is a PKCS #15 ID in hexadecimal notation. Common
values are 01, 02, etc.
</para>
<para>
Entering the command above will ask you for the user's PIN and PUK. If you do
not wish to install an unblock PIN, simply press return at the PUK prompt.
</para>
<para>
To set a label for this PIN object (which can be used by applications to display
a meaningful prompt to the user), use the <option>--label</option> command line option.
</para>
</refsect2>
<refsect2>
<title>Key generation</title>
<para>
<command>pkcs15-init</command> lets you generate a new key and store it on the card.
You can do this using:
</para>
<para>
<command>pkcs15-init --generate-key " keyspec " --auth-id " nn</command>
</para>
<para>
where <option>keyspec</option> describes the algorithm and length of the
key to be created, such as <option>rsa/512</option>. This will create a 512 bit
RSA key. Currently, only RSA key generation is supported. Note that cards
usually support just a few different key lengths. Almost all cards will support
512 and 1024 bit keys, some will support 768 or 2048 as well.
</para>
<para>
<option>nn</option> is the ID of a user PIN installed previously, e.g. 01.
</para>
<para>
In addition to storing the private portion of the key on the card,
<command>pkcs15-init</command> will also store the the public portion of the
key as a PKCS #15 public key object.
</para>
<para>
By default, <command>pkcs15-init</command> will try to use the card's
on-board key generation facilities, if available. If the card does not
support on-board key generation, <command>pkcs15-init</command> will fall
back to software key generation.
</para>
</refsect2>
<refsect2>
<title>Private Key Download</title>
<para>
You can use a private key generated by other means and download it to the card.
For instance, to download a private key contained in a file named
<emphasis>okir.pem</emphasis>, which is in PEM format, you would use
</para>
<para>
<command>pkcs15-init --store-private-key okir.pem --id 45 --auth-id 01</command>
</para>
<para>
If the key is protected by a pass phrase, <command>pkcs15-init</command>
will prompt you for a pass phrase to unlock the key.
</para>
<para>
In addition to storing the private portion of the key on the card,
<command>pkcs15-init</command> will also store the the public portion of the
key as a PKCS #15 public key object.
</para>
<para>
Note the use of the <option>--id</option> option. The current
<command>pkcs15</command> profile defines two key templates, one for
authentication (key ID 45), and one for non-repudiation purposes (key ID 46).
Other key templates will probably be added in the future. Note that if you don't
specify a key ID, <command>pkcs15-init</command> will pick just the first key
template defined by the profile.
</para>
<para>
In addition to the PEM key file format, <command>pkcs15-init</command> also
supports DER encoded keys, and PKCS #12 files. The latter is the file format
used by Netscape Navigator (among others) when exporting certificates to
a file. A PKCS #12 file usually contains the X.509 certificate corresponding
to the private key. If that is the case, <command>pkcs15-init</command> will
store the certificate instead of the public key portion.
</para>
</refsect2>
<refsect2>
<title>Public Key Download</title>
<para>
You can also download individual public keys to the card using the
<option>--store-public-key</option> option, which takes a filename as an
argument. This file is supposed to contain the public key. If you don't
specify a key file format using the <option>--format</option> option,
<command>pkcs15-init</command> will assume PEM format. The only other
supported public key file format is DER.
</para>
<para>
Since the corresponding public keys are always downloaded automatically
when generating a new key, or when downloading a private key, you will
probably use this option only very rarely.
</para>
</refsect2>
<refsect2>
<title>Certificate Download</title>
<para>
You can download certificates to the card using the
<option>--store-certificate</option> option, which takes a filename as
an argument. This file is supposed to contain the DER encoded X.509
certificate.
</para>
</refsect2>
<refsect2>
<title>Downloading PKCS #12 bags</title>
<para>
Most browsers nowadays use PKCS #12 format files when you ask them to
export your key and certificate to a file. <command>pkcs15-init</command>
is capable of parsing these files, and storing their contents on the
card in a single operation. This works just like storing a private key,
except that you need to specify the file format:
</para>
<para>
<command>pkcs15-init --store-private-key okir.p12 --format pkcs12 --auth-id
01</command>
</para>
<para>
This will install the private key contained in the file <emphasis>okir.p12</emphasis>,
and protect it with the PIN referenced by authentication ID <emphasis>01</emphasis>.
It will also store any X.509 certificates contained in the file, which is
usually the user certificate that goes with the key, as well as the CA certificate.
</para>
</refsect2>
</refsect1>
<refsect1>
<title>Options</title>
<para>
<variablelist>
<varlistentry>
<term><option>--profile</option> <emphasis>name</emphasis>,
<option>-p</option> <emphasis>name</emphasis></term>
<listitem>
<para>
Tells <command>pkcs15-init</command> to load the specified general
profile. Currently, the only application profile defined is
<command>pkcs15</command>, but you can write your own profiles and
specify them using this option.
</para>
<para>
The profile name can be combined with one or more <emphasis>profile
options</emphasis>, which slightly modify the profile's behavior.
For instance, the default OpenSC profile supports the
<option>openpin</option> option, which installs a single PIN during
card initialization. This PIN is then used both as the SO PIN as
well as the user PIN for all keys stored on the card.
</para>
<para>
Profile name and options are separated by a <option>+</option>
character, as in <option>pkcs15+onepin</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--card-profile</option> <emphasis>name</emphasis>,
<option>-c</option> <emphasis>name</emphasis></term>
<listitem>
<para>
Tells <command>pkcs15-init</command> to load the specified card
profile option. You will rarely need this option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--create-pkcs15, -C</option></term>
<listitem>
<para>
This tells <command>pkcs15-init</command> to create a PKCS #15
structure on the card, and initialize any PINs.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--erase-card, -E</option></term>
<listitem>
<para>
This will erase the card prior to creating the PKCS #15 structure,
if the card supports it. If the card does not support erasing,
<command>pkcs15-init</command> will fail.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--generate-key</option> <emphasis>keyspec</emphasis>,
<option>-G</option> <emphasis>keyspec</emphasis></term>
<listitem>
<para>
Tells the card to generate new key and store it on the card.
<emphasis>keyspec</emphasis> consists of an algorithm name
(currently, the only supported name is <option>RSA</option>),
optionally followed by a slash and the length of the key in bits.
It is a good idea to specify the key ID along with this command,
using the <option>id</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--store-private-key</option> <emphasis>filename</emphasis>,
<option>-S</option> <emphasis>filename</emphasis></term>
<listitem>
<para>
Tells <command>pkcs15-init</command> to download the specified
private key to the card. This command will also create a public
key object containing the public key portion. By default, the
file is assumed to contain the key in PEM format. Alternative
formats can be specified using <option>--format</option>.
It is a good idea to specify the key ID along with this command,
using the <option>--id</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--store-public-key</option> <emphasis>filename</emphasis>,
<option>-P</option> <emphasis>filename</emphasis></term>
<listitem>
<para>
Tells <command>pkcs15-init</command> to download the specified
public key to the card and create a public key object with the
key ID specified via the <option>--id</option>. By default,
the file is assumed to contain the key in PEM format. Alternative
formats can be specified using <option>--format</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--store-certificate</option> <emphasis>filename</emphasis>,
<option>-X</option> <emphasis>filename</emphasis></term>
<listitem>
<para>
Tells <command>pkcs15-init</command> to store the certificate given
in <option>filename</option> on the card, creating a certificate
object with the ID specified via the <option>--id</option> option.
The file is assumed to contain the DER encoded certificate.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--so-pin, --so-puk, --pin, --puk</option></term>
<listitem>
<para>
These options can be used to specify PIN/PUK values on the command
line. Note that on most operation systems, any user can display
the command line of any process on the system using utilities such
as <command>ps(1)</command>. Therefore, you should use these options
only on a secured system, or in an options file specified with
<option>--options-file</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--passphrase</option></term>
<listitem>
<para>
When downloading a private key, this option can be used to specify
the pass phrase to unlock the private key. The same caveat applies
here as in the case of the <option>--pin</option> options.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--options-file</option> <emphasis>filename</emphasis></term>
<listitem>
<para>
Tells <command>pkcs15-init</command> to read additional options
from <emphasis>filename</emphasis>. The file is supposed to
contain one long option per line, without the leading dashes,
for instance:
<programlisting>
pin frank
puk zappa
</programlisting>
</para>
<para>
You can specify <option>--options-file</option> several times.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--verbose, -v</option></term>
<listitem>
<para>
Causes <command>pkcs15-init</command> to be more verbose. Specify this
flag several times to enable debug output in the OpenSC library.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1>
<title>See also</title>
<para>pkcs15-profile(5)</para>
</refsect1>
</refentry>

60
doc/src/tools/pkcs15-profile.xml.in Normal file
View File

@ -0,0 +1,60 @@
<?xml version="1.0" encoding="UTF-8"?>
<refentry id="">
<refmeta>
<refentrytitle>pkcs15-profile</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>opensc</refmiscinfo>
</refmeta>
<refnamediv>
<refname>pkcs15-profile</refname>
<refpurpose>format of profile for <command>pkcs15-init</command></refpurpose>
</refnamediv>
<refsect1>
<title>Synopsis</title>
<para>
<command></command>
</para>
</refsect1>
<refsect1>
<title>Description</title>
<para>
The <command>pkcs15-init</command> utility for PKCS #15 smart card
personalization is controlled via profiles. When starting, it will read two
such profiles at the moment, a generic application profile, and a card
specific profile. The generic profile must be specified on the command line,
while the card-specific file is selected based on the type of card detected.
</para>
<para>
The generic application profile defines general information about the card
layout, such as the path of the application DF, various PKCS #15 files within
that directory, and the access conditions on these files. It also defines
general information about PIN, key and certificate objects. Currently, there
is only one such generic profile, <command>pkcs15.profile</command>.
</para>
<para>
The card specific profile contains additional information required during
card intialization, such as location of PIN files, key references etc.
Profiles currently reside in <command>@pkgdata@</command>
</para>
</refsect1>
<refsect1>
<title>Syntax</title>
<para>
This section should contain information about the profile syntax. Will add
this soonishly.
</para>
</refsect1>
<refsect1>
<title>See also</title>
<para>
<command>pkcs15</command>(7), <command>pkcs15-init</command>(1),
<command>pkcs15-crypt</command>(1), <command>opensc</command>(7),
</para>
</refsect1>
</refentry>

131
doc/src/tools/pkcs15-tool.xml Normal file
View File

@ -0,0 +1,131 @@
<?xml version="1.0" encoding="UTF-8"?>
<refentry id="pkcs15-tool">
<refmeta>
<refentrytitle>pkcs15-tool</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>opensc</refmiscinfo>
</refmeta>
<refnamediv>
<refname>pkcs15-tool</refname>
<refpurpose>utility for manipulating PKCS #15 data structures
on smart cards and similar security tokens</refpurpose>
</refnamediv>
<refsect1>
<title>Synopsis</title>
<para>
<command>pkcs15-tool</command> [OPTIONS]
</para>
</refsect1>
<refsect1>
<title>Description</title>
<para>
The <command>pkcs15-tool</command> utility is used to manipulate
the PKCS #15 data structures on smart cards and similar security
tokens. Users can list and read PINs, keys and certificates stored
on the token. User PIN authentication is performed for those
operations that require it.
</para>
</refsect1>
<refsect1>
<title>Options</title>
<para>
<variablelist>
<varlistentry>
<term><option>--learn-card, -L</option></term>
<listitem><para>Cache PKCS #15 token data to the local filesystem.
Subsequent operations are performed on the cached data where possible.
If the cache becomes out-of-sync with the token state (eg. new key is
generated and stored on the token), the cache should be updated or
operations may show stale results.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--read-certificate</option> <varname>cert</varname>,
<option>-r</option> <varname>cert</varname></term>
<listitem><para>Reads the certificate with the given id.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--list-certificates, -c</option></term>
<listitem><para>Lists all certificates stored on the token.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--list-pins</option></term>
<listitem><para>Lists all PINs stored on the token. General information
about each PIN is listed (eg. PIN name). Actual PIN values are not shown.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--change-pin</option></term>
<listitem><para>Changes a PIN stored on the token. User authentication
is required for this operation.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--list-keys, -k</option></term>
<listitem><para>Lists all private keys stored on the token. General
information about each private key is listed (eg. key name, id and
algorithm). Actual private key values are not displayed.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--list-public-keys</option></term>
<listitem><para>Lists all public keys stored on the token, including
key name, id, algorithm and length information.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--read-public-key</option> <varname>id</varname></term>
<listitem><para>Reads the public key with id <varname>id</varname>,
allowing the user to extract and store or use the public key.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--output</option> <varname>filename</varname>,
<option>-o</option> <varname>filename</varname></term>
<listitem><para>Specifies where key output should be written.
If <varname>filename</varname> already exists, it will be overwritten.
If this option is not given, keys will be printed to standard output.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--no-cache</option></term>
<listitem><para>Disables token data caching.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--pin-id</option> <varname>pin</varname>,
<option>-a</option> <varname>pin</varname></term>
<listitem><para>Specifies the auth id of the PIN to use for the
operation. This is useful with the --change-pin operation.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--reader</option> <varname>num</varname></term>
<listitem><para>Forces <command>pkcs15-tool</command> to use reader
number <varname>num</varname> for operations. The default is to use
reader number 0, the first reader in the system.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--verbose, -v</option></term>
<listitem><para>Causes <command>pkcs15-tool</command> to be more
verbose. Specify this flag several times to enable debug output
in the OpenSC library.</para></listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1>
<title>See also</title>
<para>opensc(7), pkcs15-init(1), pkcs15-crypt(1)</para>
</refsect1>
</refentry>

26
doc/src/tools/tools.xml Normal file
View File

@ -0,0 +1,26 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>OpenSC tools</title>
<reference>
<referenceinfo>
<title>OpenSC</title>
</referenceinfo>
<xi:include href="opensc-config.xml"/>
<xi:include href="opensc-tool.xml"/>
<xi:include href="opensc-explorer.xml"/>
<xi:include href="pkcs11-tool.xml"/>
<xi:include href="pkcs15-crypt.xml"/>
<xi:include href="pkcs15-tool.xml"/>
<xi:include href="pkcs15-init.xml"/>
<xi:include href="pkcs15-profile.xml"/>
<xi:include href="cardos-info.xml"/>
<xi:include href="cryptoflex-tool.xml"/>
</reference>
</book>
<!-- TODO
opensc
-->