added docbook XML source for tools manpages
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2443 c6295689-39f2-0310-b995-f0e70906c6a9
parent
9894a10d37
commit
a355f9cdd7
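--- /dev/null
+++ b/PATH_NOT_ON_PAGE/cardos-info.xml
@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry id="cardos-info">
+<refmeta>
+<refentrytitle>cardos-info</refentrytitle>
+<manvolnum>1</manvolnum>
+<refmiscinfo>opensc</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+<refname>cardos-info</refname>
+<refpurpose>displays information about Card OS-based security tokens
+</refpurpose>
+</refnamediv>
+
+<refsect1>
+<title>Synopsis</title>
+<para>
+<command>cardos-info</command> [OPTIONS]
+</para>
+</refsect1>
+
+<refsect1>
+<title>Description</title>
+<para>
+The <command>cardos-info</command> utility is used to display information about
+smart cards and similar security tokens based on Siemens Card/OS M4.
+</para>
+</refsect1>
+
+<refsect1>
+<title>Options</title>
+<para>
+<variablelist>
+<varlistentry>
+<term><option>--reader</option> number, <option>-r</option> number</term>
+<listitem><para>Display information about the token in reader number <varname>number</varname>.
+The default is reader 0.</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><option>--card-driver</option> name, <option>-c</option> driver</term>
+<listitem><para>Use the card driver specified by <varname>name</varname>. The default
+is to auto-detect the correct card driver.</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><option>--wait, -w</option></term>
+<listitem><para>Causes <command>cardos-info</command> to wait for the token
+to be inserted into reader.</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><option>--verbose, -v</option></term>
+<listitem><para>Causes <command>cardos-info</command> to be more verbose. Specify this flag several times
+to enable debug output in the opensc library.</para></listitem>
+</varlistentry>
+</variablelist>
+</para>
+</refsect1>
+
+<refsect1>
+<title>See also</title>
+<para>opensc(7)</para>
+</refsect1>
+
+</refentry>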
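--- /dev/null
+++ b/PATH_NOT_ON_PAGE/cryptoflex-tool.xml
@@ -0,0 +1,134 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry id="cryptoflex-tool">
+<refmeta>
+<refentrytitle>cryptoflex-tool</refentrytitle>
+<manvolnum>1</manvolnum>
+<refmiscinfo>opensc</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+<refname>cryptoflex-tool</refname>
+<refpurpose>utility for manipulating Schlumberger Cryptoflex data structures</refpurpose>
+</refnamediv>
+
+<refsect1>
+<title>Synopsis</title>
+<para>
+<command>cryptoflex-tool</command> [OPTIONS]
+</para>
+</refsect1>
+
+<refsect1>
+<title>Description</title>
+<para>
+<command>cryptoflex-tool</command> is used to manipulate PKCS
+data structures on Schlumberger Cryptoflex smart cards. Users
+can create, list and read PINs and keys stored on the smart card.
+User PIN authentication is performed for those operations that require it.
+</para>
+</refsect1>
+
+<refsect1>
+<title>Options</title>
+<para>
+<variablelist>
+<varlistentry>
+<term><option>--verify-pin, -V</option></term>
+<listitem><para>Verifies CHV1 before issuing commands</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--list-keys, -l</option></term>
+<listitem><para>Lists all keys stored in a public key file</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--create-key-files</option> <varname>arg</varname>,
+<option>-c</option> <varname>arg</varname></term>
+<listitem><para>Creates new RSA key files for <varname>arg</varname> keys</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--create-pin-files</option> <varname>id</varname>,
+<option>-P</option> <varname>id</varname></term>
+<listitem><para>Creates new PIN file for CHV<varname>id</varname></para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--generate-key, -g</option></term>
+<listitem><para>Generate a new RSA key pair</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--read-key</option></term>
+<listitem><para>Reads a public key from the card, allowing the user to
+extract and store or use the public key
+</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--key-num</option> <varname>num</varname>,
+<option>-k</option> <varname>num</varname></term>
+<listitem><para>Specifies the key number to operate on. The default is
+key number 1.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--app-df</option> <varname>num</varname>,
+<option>-a</option> <varname>num</varname></term>
+<listitem><para>Specifies the DF to operate in</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--prkey-file</option> <varname>id</varname>,
+<option>-p</option> <varname>id</varname></term>
+<listitem><para>Specifies the private key file id, <varname>id</varname>,
+to use</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--pubkey-file</option> <varname>id</varname>,
+<option>-u</option> <varname>id</varname></term>
+<listitem><para>Specifies the public key file id, <varname>id</varname>,
+to use</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--exponent</option> <varname>exp</varname>,
+<option>-e</option> <varname>exp</varname></term>
+<listitem><para>Specifies the RSA exponent, <varname>exp</varname>,
+to use in key generation. The default value is 3.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--modulus-length</option> <varname>length</varname>,
+<option>-m</option> <varname>length</varname></term>
+<listitem><para>Specifies the modulus <varname>length</varname> to use
+in key generation. The default value is 1024.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--reader</option> <varname>num</varname>,
+<option>-r</option> <varname>num</varname></term>
+<listitem><para>Forces <command>cryptoflex-tool</command> to use
+reader number <varname>num</varname> for operations. The default
+is to use reader number 0, the first reader in the system.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--verbose, -v</option></term>
+<listitem><para>Causes <command>cryptoflex-tool</command> to be more
+verbose. Specify this flag several times to enable debug output in
+the opensc library.</para></listitem>
+</varlistentry>
+
+</variablelist>
+</para>
+</refsect1>
+
+<refsect1>
+<title>See also</title>
+<para>opensc(7), pkcs15-tool(1)</para>
+</refsect1>
+
+</refentry>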
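--- /dev/null
+++ b/PATH_NOT_ON_PAGE/opensc-config.xml
@@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry id="opensc-config">
+<refmeta>
+<refentrytitle>opensc-config</refentrytitle>
+<manvolnum>1</manvolnum>
+<refmiscinfo>opensc</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+<refname>opensc-config</refname>
+<refpurpose>a tool to get information about the installed version of OpenSC</refpurpose>
+</refnamediv>
+
+<refsect1>
+<title>Synopsis</title>
+<para>
+<command>opensc-config</command> [OPTIONS]
+</para>
+</refsect1>
+
+<refsect1>
+<title>Description</title>
+<para>
+<command>opensc-config</command> is a tool that is used to get various information
+about the installed version of OpenSC. It is particularly useful in determining
+compiler and linker flags necessary to build programs with the OpenSC libraries.
+</para>
+</refsect1>
+
+<refsect1>
+<title>Options</title>
+<para>
+<command>opensc-config</command> accepts the following options:
+<variablelist>
+<varlistentry>
+<term><option>--version</option></term>
+<listitem><para>Print the installed version of OpenSC to standard output.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--libs</option></term>
+<listitem><para>Print the linker flags that are needed to compile a program
+to use the OpenSC libraries.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--cflags</option></term>
+<listitem><para>Print the compiler flags that are needed to compile a program
+to use the OpenSC libraries.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--prefix=PREFIX</option></term>
+<listitem><para>If specified, use PREFIX instead of the installation
+prefix that OpenSC was built with when computing the output for the
+--cflags and --libs options. This option is also used for the exec
+prefix if --exec-prefix was not specified. This option must be specified
+before any --libs or --cflags options.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--exec-prefix=PREFIX</option></term>
+<listitem><para>If specified, use PREFIX instead of the installation
+exec prefix that OpenSC was built with when computing the output for
+the --cflags and --libs options. This option must be specified before any
+--libs or --cflags options.</para></listitem>
+</varlistentry>
+</variablelist>
+</para>
+</refsect1>
+
+<refsect1>
+<title>See also</title>
+<para>opensc(7)</para>
+</refsect1>
+
+</refentry>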
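--- /dev/null
+++ b/PATH_NOT_ON_PAGE/opensc-explorer.xml
@@ -0,0 +1,191 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry id="opensc-explorer">
+<refmeta>
+<refentrytitle>opensc-explorer</refentrytitle>
+<manvolnum>1</manvolnum>
+<refmiscinfo>opensc</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+<refname>opensc-explorer</refname>
+<refpurpose>
+generic interactive utility for accessing smart card
+and similar security token functions
+</refpurpose>
+</refnamediv>
+
+<refsect1>
+<title>Synopsis</title>
+<para>
+<command>opensc-explorer</command> [OPTIONS]
+</para>
+</refsect1>
+
+<refsect1>
+<title>Description</title>
+<para>
+The <command>opensc-explorer</command> utility can be
+used interactively to perform miscellaneous operations
+such as exploring the contents of or sending arbitrary
+APDU commands to a smart card or similar security token.
+</para>
+</refsect1>
+
+<refsect1>
+<title>Options</title>
+<para>
+The following are the command-line options for
+<command>opensc-explorer</command>. There are additional
+interactive commands available once it is running.
+<variablelist>
+<varlistentry>
+<term>
+<option>--reader</option> num,
+<option>-r</option> num
+</term>
+<listitem><para>
+Use the given reader number. The default
+is 0, the first reader in the system.
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term>
+<option>--card-driver</option> driver,
+<option>-c</option> driver
+</term>
+<listitem><para>
+Use the given card driver. The default is
+auto-detected.
+</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><option>--verbose, -v</option></term>
+<listitem><para>
+Causes <command>opensc-explorer</command> to be more
+verbose. Specify this flag several times to enable
+debug output in the opensc library.
+</para></listitem>
+</varlistentry>
+</variablelist>
+</para>
+</refsect1>
+
+<refsect1>
+<title>Commands</title>
+<para>
+The following commands are supported at the <command>opensc-explorer</command>
+interactive prompt.
+<variablelist>
+<varlistentry>
+<term><option>ls</option></term>
+<listitem><para>list all files in the current DF</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>cd</option> <varname>file-id</varname></term>
+<listitem><para>change to another DF specified by <varname>file-id</varname></para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>cat</option></term>
+<listitem><para>print the contents of the currently selected EF</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>info</option> [<varname>file-id</varname>]</term>
+<listitem><para>display attributes of a file specified by <varname>file-id</varname>.
+If <varname>file-id</varname> is not supplied,
+the attributes of the current file are printed.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>create</option> <varname>file-id</varname> <varname>size</varname></term>
+<listitem><para>create a new EF. <varname>file-id</varname> specifies the
+id number and <varname>size</varname> is the size of the new file.
+</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>delete</option> <varname>file-id</varname></term>
+<listitem><para>remove the EF or DF specified by <varname>file-id</varname></para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>verify</option> <varname>key-type</varname><varname>key-id</varname>
+[<varname>key</varname>]</term>
+<listitem><para>present a PIN or key to the card. Where <varname>key-type</varname>
+can be one of CHV, KEY or PRO. <varname>key-id</varname> is a number representing the
+key or PIN number. <varname>key</varname> is the key or PIN to be verified in hex.
+</para>
+<para>
+Example: verify CHV0 31:32:33:34:00:00:00:00
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>change CHV</option><varname>id [old-pin] new-pin</varname></term>
+<listitem><para>change a PIN</para>
+<para>
+Example: change CHV0 31:32:33:34:00:00:00:00 'secret'
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>put</option> <varname>file-id</varname> [<varname>input</varname>]</term>
+<listitem><para>copy a local file to the card. The local file is specified
+by <varname>input</varname> while the card file is specified by <varname>file-id</varname>
+</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>get</option> <varname>file-id</varname> [<varname>output</varname>]</term>
+<listitem><para>copy an EF to a local file. The local file is specified
+by <varname>output</varname> while the card file is specified by <varname>file-id</varname>.
+</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>mkdir</option> <varname>file-id</varname> <varname>size</varname></term>
+<listitem><para>create a DF. <varname>file-id</varname> specifies the id number
+and <varname>size</varname> is the size of the new file.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>pksign</option></term>
+<listitem><para>create a public key signature. NOTE: This command is currently not implemented.
+</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>pkdecrypt</option></term>
+<listitem><para>perform a public key decryption. NOTE: This command is currently not implemented.
+</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>erase</option></term>
+<listitem><para>erase the card, if the card supports it.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>debug</option> [<varname>level</varname>]</term>
+<listitem><para>get or set the debug level</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>quit</option></term>
+<listitem><para>exit the program</para></listitem>
+</varlistentry>
+
+</variablelist>
+</para>
+</refsect1>
+
+<refsect1>
+<title>See also</title>
+<para>opensc(7), opensc-tool(1)</para>
+</refsect1>
+
+</refentry>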
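--- /dev/null
+++ b/PATH_NOT_ON_PAGE/opensc-tool.xml
@@ -0,0 +1,87 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry id="opensc-tool">
+<refmeta>
+<refentrytitle>opensc-tool</refentrytitle>
+<manvolnum>1</manvolnum>
+<refmiscinfo>opensc</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+<refname>opensc-tool</refname>
+<refpurpose>generic smart card utility</refpurpose>
+</refnamediv>
+
+<refsect1>
+<title>Synopsis</title>
+<para>
+<command>opensc-tool</command> [OPTIONS]
+</para>
+</refsect1>
+
+<refsect1>
+<title>Description</title>
+<para>
+The <command>opensc-tool</command> utility can be used from the command line to perform
+miscellaneous smart card operations such as getting the card ATR or
+sending arbitrary APDU commands to a card.
+</para>
+</refsect1>
+
+<refsect1>
+<title>Options</title>
+<para>
+<variablelist>
+<varlistentry>
+<term><option>--atr, -a</option></term>
+<listitem><para>Print the Answer To Reset (ATR) of the card,
+output is in hex byte format</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><option>--serial</option></term>
+<listitem><para>Print the card serial number (normally the ICCSN), output is in hex byte
+format</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><option>--send-apdu</option> apdu, <option>-s</option> apdu</term>
+<listitem><para>Sends an arbitrary APDU to the card in the format AA:BB:CC:DD:EE:FF...</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><option>--list-files, -f</option></term>
+<listitem><para>Recursively lists all files stored on card</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><option>--list-readers, -l</option></term>
+<listitem><para>Lists all configured readers</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><option>--list-drivers, -D</option></term>
+<listitem><para>Lists all installed card drivers</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><option>--list-rdrivers, -R</option></term>
+<listitem><para>Lists all installed reader drivers</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><option>--reader</option> num, <option>-r</option> num</term>
+<listitem><para>Use the given reader number. The default is 0, the first reader
+in the system.</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><option>--card-driver</option> driver, <option>-c</option> driver</term>
+<listitem><para>Use the given card driver. The default is auto-detected.</para></listitem>
+</varlistentry>
+<varlistentry>
+<term><option>--verbose, -v</option></term>
+<listitem><para>Causes <command>opensc-tool</command> to be more verbose. Specify this flag several times
+to enable debug output in the opensc library.</para></listitem>
+</varlistentry>
+</variablelist>
+</para>
+</refsect1>
+
+<refsect1>
+<title>See also</title>
+<para>opensc(7), opensc-explorer(1)</para>
+</refsect1>
+
+</refentry>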
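--- /dev/null
+++ b/PATH_NOT_ON_PAGE/pkcs11-tool.xml
@@ -0,0 +1,223 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry id="pkcs11-tool">
+<refmeta>
+<refentrytitle>pkcs11-tool</refentrytitle>
+<manvolnum>1</manvolnum>
+<refmiscinfo>opensc</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+<refname>pkcs11-tool</refname>
+<refpurpose>utility for managing and using PKCS #11 security tokens</refpurpose>
+</refnamediv>
+
+<refsect1>
+<title>Synopsis</title>
+<para>
+<command>pkcs11-tool</command> [OPTIONS]
+</para>
+</refsect1>
+
+<refsect1>
+<title>Description</title>
+<para>
+The <command>pkcs11-tool</command> utility is used to manage the
+data objects on smart cards and similar PKCS #11 security tokens.
+Users can list and read PINs, keys and certificates stored on the
+token. User PIN authentication is performed for those operations
+that require it.
+</para>
+</refsect1>
+
+<refsect1>
+<title>Options</title>
+<para>
+<variablelist>
+<varlistentry>
+<term><option>--login, -l</option></term>
+<listitem><para>Authenticate to the token before performing
+other operations. This option is not needed if a PIN is
+provided on the command line.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--pin</option> <varname>pin</varname>,
+<option>-p</option> <varname>pin</varname></term>
+<listitem><para>Use the given <varname>pin</varname> for
+token operations. WARNING: Be careful using this option
+as other users may be able to read the command line from
+the system or if it is embedded in a script.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--so-pin</option> <varname>pin</varname></term>
+<listitem><para>Use the given <varname>pin</varname> as the
+Security Officer PIN for some token operations (token
+initialization, user PIN initialization, etc). The same
+warning as --pin also applies here.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--init-token</option></term>
+<listitem><para>Initializes a token: set the token label as
+well as a Security Officer PIN (the label must be specified
+using --label).</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--init-pin</option></term>
+<listitem><para>Initializes the user PIN. This option
+differs from --change-pin in that it sets the user PIN
+for the first time. Once set, the user PIN can be changed
+using --change-pin.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--change-pin, -c</option></term>
+<listitem><para>Change the user PIN on the token</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--test, -t</option></term>
+<listitem><para>Performs some tests on the token. This
+option is most useful when used with either --login or
+--pin.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--show-info, -I</option></term>
+<listitem><para>Displays general token information.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--list-slots, -L</option></term>
+<listitem><para>Displays a list of available slots on the token.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--list-mechanisms, -M</option></term>
+<listitem><para>Displays a list of mechanisms supported by the token.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--list-objects, -O</option></term>
+<listitem><para>Displays a list of objects.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--sign, s</option></term>
+<listitem><para>Sign some data.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--hash, -h</option></term>
+<listitem><para>Hash some data.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--mechanism</option> <varname>mechanism</varname>,
+<option>-m</option> <varname>mechanism</varname></term>
+<listitem><para>Use the specified <varname>mechanism</varname>
+for token operations. See -M for a list of mechanisms supported
+by your token.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--keypairgen, -k</option></term>
+<listitem><para>Generate a new key pair (public and private pair.)</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--write-object</option> <varname>id</varname>,
+<option>-w</option> <varname>id</varname></term>
+<listitem><para>Write a key or certificate object to the token.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--type</option> <varname>type</varname>,
+<option>-y</option> <varname>type</varname></term>
+<listitem><para>Specify the type of object to operate on.
+Examples are <emphasis>cert</emphasis>, <emphasis>privkey</emphasis>
+and <emphasis>pubkey</emphasis>.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--id</option> <varname>id</varname>,
+<option>-d</option> <varname>id</varname></term>
+<listitem><para>Specify the id of the object to operate on.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--label</option> <varname>name</varname>,
+<option>-a</option> <varname>name</varname></term>
+<listitem><para>Specify the name of the object to operate on
+(or the token label when --init-token is used).</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--slot</option> <varname>id</varname></term>
+<listitem><para>Specify the id of the slot to use.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--slot-id</option> <varname>name</varname></term>
+<listitem><para>Specify the name of the slot to use.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--set-id</option> <varname>id</varname>,
+<option>-e</option> <varname>id</varname></term>
+<listitem><para>Set the CKA_ID of the object.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--attr-from</option> <varname>path</varname></term>
+<listitem><para>Extract information from <varname>path</varname>
+(DER-encoded certificate file) and create the corresponding
+attributes when writing an object to the token. Example: the
+certificate subject name is used to create the CKA_SUBJECT
+attribute.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--input-file</option> <varname>path</varname>,
+<option>-i</option> <varname>path</varname></term>
+<listitem><para>Specify the path to a file for input.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--output-file</option> <varname>path</varname>,
+<option>-o</option> <varname>path</varname></term>
+<listitem><para>Specify the path to a file for output.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--module</option> <varname>mod</varname></term>
+<listitem><para>Specify a module to load.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--moz-cert</option> <varname>path</varname>,
+<option>-z</option> <varname>path</varname></term>
+<listitem><para>Tests a Mozilla-like keypair generation
+and certificate request. Specify the <varname>path</varname>
+to the certificate file.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--verbose, -v</option></term>
+<listitem><para>Causes <command>pkcs11-tool</command> to be
+more verbose. Specify this flag several times to enable debug
+output in the OpenSC library.</para></listitem>
+</varlistentry>
+
+</variablelist>
+</para>
+</refsect1>
+
+<refsect1>
+<title>See also</title>
+<para>opensc(7)</para>
+</refsect1>
+
+</refentry>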
@ -0,0 +1,141 @@
<?xml version="1.0" encoding="UTF-8"?>
<refentry id="pkcs15-crypt">
<refmeta>
<refentrytitle>pkcs15-crypt</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>opensc</refmiscinfo>
</refmeta>
<refnamediv>
<refname>pkcs15-crypt</refname>
<refpurpose>perform crypto operations using pkcs15 smart card</refpurpose>
</refnamediv>
<refsect1>
<title>Synopsis</title>
<para>
<command>pkcs15-crypt</command> [OPTIONS]
</para>
</refsect1>
<refsect1>
<title>Description</title>
<para>
The <command>pkcs15-crypt</command> utility can be used from the
command line to perform cryptographic operations such as computing
digital signatures or decrypting data, using keys stored on a PKCS
#15 compliant smart card.
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Options</title>
|
||||
<para>
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><option>--sign, -s</option></term>
|
||||
<listitem><para>Perform digital signature operation on
|
||||
the data read from a file specified using the <option>input</option>
|
||||
option. By default, the contents of the file are assumed to
|
||||
be the result of an MD5 hash operation. Note that <command>pkcs15-crypt</command>
|
||||
expects the data in binary representation, not ASCII.</para>
|
||||
<para>The digital signature is stored, in binary representation,
|
||||
in the file specified by the <option>output</option> option. If
|
||||
this option is not given, the signature is printed on standard
|
||||
output, displaying non-printable characters using their hex notation
|
||||
xNN (see also <option>--raw</option>).</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--pkcs1</option></term>
|
||||
<listitem><para>By default, <command>pkcs15-crypt</command>
|
||||
assumes that input data has been padded to the correct length
|
||||
(i.e. when computing an RSA signature using a 1024 bit key,
|
||||
the input must be padded to 128 bytes to match the modulus
|
||||
length). When giving the <option>--pkcs1</option> option,
|
||||
however, <command>pkcs15-crypt</command> will perform the
|
||||
required padding using the algorithm outlined in the
|
||||
PKCS #1 standard version 1.5.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--sha-1</option></term>
|
||||
<listitem><para>This option tells <command>pkcs15-crypt</command>
|
||||
that the input file is the result of an SHA1 hash operation,
|
||||
rather than an MD5 hash. Again, the data must be in binary
|
||||
representation.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--decipher, -c</option></term>
|
||||
<listitem><para>Decrypt the contents of the file specified by
|
||||
the <option>--input</option> option. The result of the
|
||||
decryption operation is written to the file specified by the
|
||||
<option>--output</option> option. If this option is not given,
|
||||
the decrypted data is printed to standard output, displaying
|
||||
non-printable characters using their hex notation xNN (see also
|
||||
<option>--raw</option>).</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--key</option> <varname>id</varname>,
|
||||
<option>-k</option> <varname>id</varname></term>
|
||||
<listitem><para>Selects the ID of the key to use.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--reader</option> <varname>N</varname>,
|
||||
<option>-r</option> <varname>N</varname></term>
|
||||
<listitem><para>Selects the <varname>N</varname>-th smart
|
||||
card reader configured by the system. If unspecified,
|
||||
<command>pkcs15-crypt</command> will use the first reader
|
||||
found.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--input</option> <varname>file</varname>,
|
||||
<option>-i</option> <varname>file</varname></term>
|
||||
<listitem><para>Specifies the input file to use.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--output</option> <varname>file</varname>,
|
||||
<option>-o</option> <varname>file</varname></term>
|
||||
<listitem><para>Any output will be sent to the specified file.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--raw, -R</option></term>
|
||||
<listitem><para>Outputs raw 8 bit data.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--pin</option> <varname>pin</varname>,
|
||||
<option>-p</option> <varname>pin</varname></term>
|
||||
<listitem><para>When the cryptographic operation requires a
|
||||
PIN to access the key, <command>pkcs15-crypt</command> will
|
||||
prompt the user for the PIN on the terminal. Using this option
|
||||
allows you to specify the PIN on the command line.</para>
|
||||
<para>Note that on most operating systems, the command line of
|
||||
a process can be displayed by any user using the ps(1)
|
||||
command. It is therefore a security risk to specify
|
||||
secret information such as PINs on the command line.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--verbose, -v</option></term>
|
||||
<listitem><para>Causes <command>pkcs15-crypt</command> to be more
|
||||
verbose. Specify this flag several times to enable debug output
|
||||
in the OpenSC library.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
</variablelist>
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>See also</title>
|
||||
<para>pkcs15-init(1), pkcs15-tool(1)</para>
|
||||
</refsect1>
|
||||
|
||||
</refentry>
|
|
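Review bot: The `--sign` entry refers to the file options as `<option>input</option>` and `<option>output</option>` while the `--decipher` entry writes `<option>--input</option>` and `<option>--output</option>`; the dashes belong in both so the rendered text matches the option names documented further down. Both entries describe the escaped output as hex notation `xNN`, which reads like a lost backslash (`\xNN`) — worth confirming against what the tool actually prints before the page is installed. The `--pin` entry already carries the ps(1) caveat; it could add that the default (no `--pin`, interactive prompt) is the recommended way to supply the PIN, since the caveat otherwise only says what not to do. The See-also paragraph lists pkcs15-init(1) and pkcs15-tool(1) but not opensc(7), which the other pages in this commit reference.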
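--- a/pkcs15-init.xml
+++ b/pkcs15-init.xml
@@ -0,0 +1,407 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry id="">
+<refmeta>
+<refentrytitle>pkcs15-init</refentrytitle>
+<manvolnum>1</manvolnum>
+<refmiscinfo>opensc</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+<refname>pkcs15-init</refname>
+<refpurpose>smart card personalization utility</refpurpose>
+</refnamediv>
+
+<refsect1>
+<title>Description</title>
+<para>
+The <command>pkcs15-init</command> utility can be used to create a PKCS #15
+structure on a smart card, and add key or certificate objects. Details of the
+structure that will be created are controlled via profiles.
+</para>
+<para>
+The profile used by default is <command>pkcs15</command>. Alternative
+profiles can be specified via the <option>-p</option> switch.
+</para>
+</refsect1>
+
+<refsect1>
+<title>PIN Usage</title>
+<para>
+<command>pkcs15-init</command> can be used to create a PKCS #15 structure on
+your smart card, create PINs, and install keys and certificates on the card.
+This process is also called <emphasis>personalization</emphasis>.
+</para>
+<para>
+An OpenSC card can have one security officer PIN, and zero or more user PINs.
+PIN stands for Personal Identification Number, and is a secret code you need
+to present to the card before being allowed to perform certain operations,
+such as using one of the stored RSA keys to sign a document, or modifying
+the card itself.
+</para>
+<para>
+Usually, PINs are a sequence of decimal digits, but some cards will accept
+arbitrary ASCII characters. Be aware however that using characters other
+than digits will make the card unusable with PIN pad readers, because those
+usually have keys for entering digits only.
+</para>
+<para>
+The security officer (SO) PIN is special; it is used to protect meta data
+information on the card, such as the PKCS #15 structure itself. Setting
+the SO PIN is optional, because the worst that can usually happen is that
+someone finding your card can mess it up. To extract any of your secret
+keys stored on the card, an attacker will still need your user PIN, at
+least for the default OpenSC profiles. However, it is possible to create
+card profiles that will allow the security officer to override user PINs.
+</para>
+<para>
+For each PIN, you can specify a PUK (also called <emphasis>unblock PIN</emphasis>).
+The PUK can be used to overwrite or unlock a PIN if too many incorrect values
+have been entered in a row.
+</para>
+</refsect1>
+
+<refsect1>
+<title>Modes of operation</title>
+<refsect2>
+<title>Initialization</title>
+<para>This is the first step during card personalization, and will create the
+basic files on the card. To create the initial PKCS #15 structure, invoke the
+utility as
+</para>
+<para>
+<command>pkcs15-init --create-pkcs15</command></para>
+<para>
+You will then be asked for several the security officer PIN and PUK. Simply
+pressing return at the SO PIN prompt will skip installation of an SO PIN.
+</para>
+<para>
+If the card supports it, you can also request that the card is erased prior
+to creating the PKCS #15 structure, by specifying the <option>--erase-card</option>
+option.
+</para>
+</refsect2>
+
+<refsect2>
+<title>User PIN Installation</title>
+<para>
+Before installing any user objects such as private keys, you need at least one
+PIN to protect these objects. you can do this using
+</para>
+<para>
+<command>pkcs15-init --store-pin --id " nn</command>
+</para>
+<para>
+where <emphasis>nn</emphasis> is a PKCS #15 ID in hexadecimal notation. Common
+values are 01, 02, etc.
+</para>
+<para>
+Entering the command above will ask you for the user's PIN and PUK. If you do
+not wish to install an unblock PIN, simply press return at the PUK prompt.
+</para>
+<para>
+To set a label for this PIN object (which can be used by applications to display
+a meaningful prompt to the user), use the <option>--label</option> command line option.
+</para>
+</refsect2>
+
+<refsect2>
+<title>Key generation</title>
+<para>
+<command>pkcs15-init</command> lets you generate a new key and store it on the card.
+You can do this using:
+</para>
+<para>
+<command>pkcs15-init --generate-key " keyspec " --auth-id " nn</command>
+</para>
+<para>
+where <option>keyspec</option> describes the algorithm and length of the
+key to be created, such as <option>rsa/512</option>. This will create a 512 bit
+RSA key. Currently, only RSA key generation is supported. Note that cards
+usually support just a few different key lengths. Almost all cards will support
+512 and 1024 bit keys, some will support 768 or 2048 as well.
+</para>
+<para>
+<option>nn</option> is the ID of a user PIN installed previously, e.g. 01.
+</para>
+<para>
+In addition to storing the private portion of the key on the card,
+<command>pkcs15-init</command> will also store the the public portion of the
+key as a PKCS #15 public key object.
+</para>
+<para>
+By default, <command>pkcs15-init</command> will try to use the card's
+on-board key generation facilities, if available. If the card does not
+support on-board key generation, <command>pkcs15-init</command> will fall
+back to software key generation.
+</para>
+</refsect2>
+
+<refsect2>
+<title>Private Key Download</title>
+<para>
+You can use a private key generated by other means and download it to the card.
+For instance, to download a private key contained in a file named
+<emphasis>okir.pem</emphasis>, which is in PEM format, you would use
+</para>
+<para>
+<command>pkcs15-init --store-private-key okir.pem --id 45 --auth-id 01</command>
+</para>
+<para>
+If the key is protected by a pass phrase, <command>pkcs15-init</command>
+will prompt you for a pass phrase to unlock the key.
+</para>
+<para>
+In addition to storing the private portion of the key on the card,
+<command>pkcs15-init</command> will also store the the public portion of the
+key as a PKCS #15 public key object.
+</para>
+<para>
+Note the use of the <option>--id</option> option. The current
+<command>pkcs15</command> profile defines two key templates, one for
+authentication (key ID 45), and one for non-repudiation purposes (key ID 46).
+Other key templates will probably be added in the future. Note that if you don't
+specify a key ID, <command>pkcs15-init</command> will pick just the first key
+template defined by the profile.
+</para>
+<para>
+In addition to the PEM key file format, <command>pkcs15-init</command> also
+supports DER encoded keys, and PKCS #12 files. The latter is the file format
+used by Netscape Navigator (among others) when exporting certificates to
+a file. A PKCS #12 file usually contains the X.509 certificate corresponding
+to the private key. If that is the case, <command>pkcs15-init</command> will
+store the certificate instead of the public key portion.
+</para>
+</refsect2>
+
+<refsect2>
+<title>Public Key Download</title>
+<para>
+You can also download individual public keys to the card using the
+<option>--store-public-key</option> option, which takes a filename as an
+argument. This file is supposed to contain the public key. If you don't
+specify a key file format using the <option>--format</option> option,
+<command>pkcs15-init</command> will assume PEM format. The only other
+supported public key file format is DER.
+</para>
+<para>
+Since the corresponding public keys are always downloaded automatically
+when generating a new key, or when downloading a private key, you will
+probably use this option only very rarely.
+</para>
+</refsect2>
+
+<refsect2>
+<title>Certificate Download</title>
+<para>
+You can download certificates to the card using the
+<option>--store-certificate</option> option, which takes a filename as
+an argument. This file is supposed to contain the DER encoded X.509
+certificate.
+</para>
+</refsect2>
+
+<refsect2>
+<title>Downloading PKCS #12 bags</title>
+<para>
+Most browsers nowadays use PKCS #12 format files when you ask them to
+export your key and certificate to a file. <command>pkcs15-init</command>
+is capable of parsing these files, and storing their contents on the
+card in a single operation. This works just like storing a private key,
+except that you need to specify the file format:
+</para>
+<para>
+<command>pkcs15-init --store-private-key okir.p12 --format pkcs12 --auth-id
+01</command>
+</para>
+<para>
+This will install the private key contained in the file <emphasis>okir.p12</emphasis>,
+and protect it with the PIN referenced by authentication ID <emphasis>01</emphasis>.
+It will also store any X.509 certificates contained in the file, which is
+usually the user certificate that goes with the key, as well as the CA certificate.
+</para>
+</refsect2>
+</refsect1>
+
+<refsect1>
+<title>Options</title>
+<para>
+<variablelist>
+<varlistentry>
+<term><option>--profile</option> <emphasis>name</emphasis>,
+<option>-p</option> <emphasis>name</emphasis></term>
+<listitem>
+<para>
+Tells <command>pkcs15-init</command> to load the specified general
+profile. Currently, the only application profile defined is
+<command>pkcs15</command>, but you can write your own profiles and
+specify them using this option.
+</para>
+<para>
+The profile name can be combined with one or more <emphasis>profile
+options</emphasis>, which slightly modify the profile's behavior.
+For instance, the default OpenSC profile supports the
+<option>openpin</option> option, which installs a single PIN during
+card initialization. This PIN is then used both as the SO PIN as
+well as the user PIN for all keys stored on the card.
+</para>
+<para>
+Profile name and options are separated by a <option>+</option>
+character, as in <option>pkcs15+onepin</option>.
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--card-profile</option> <emphasis>name</emphasis>,
+<option>-c</option> <emphasis>name</emphasis></term>
+<listitem>
+<para>
+Tells <command>pkcs15-init</command> to load the specified card
+profile option. You will rarely need this option.
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--create-pkcs15, -C</option></term>
+<listitem>
+<para>
+This tells <command>pkcs15-init</command> to create a PKCS #15
+structure on the card, and initialize any PINs.
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--erase-card, -E</option></term>
+<listitem>
+<para>
+This will erase the card prior to creating the PKCS #15 structure,
+if the card supports it. If the card does not support erasing,
+<command>pkcs15-init</command> will fail.
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--generate-key</option> <emphasis>keyspec</emphasis>,
+<option>-G</option> <emphasis>keyspec</emphasis></term>
+<listitem>
+<para>
+Tells the card to generate new key and store it on the card.
+<emphasis>keyspec</emphasis> consists of an algorithm name
+(currently, the only supported name is <option>RSA</option>),
+optionally followed by a slash and the length of the key in bits.
+It is a good idea to specify the key ID along with this command,
+using the <option>id</option> option.
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--store-private-key</option> <emphasis>filename</emphasis>,
+<option>-S</option> <emphasis>filename</emphasis></term>
+<listitem>
+<para>
+Tells <command>pkcs15-init</command> to download the specified
+private key to the card. This command will also create a public
+key object containing the public key portion. By default, the
+file is assumed to contain the key in PEM format. Alternative
+formats can be specified using <option>--format</option>.
+It is a good idea to specify the key ID along with this command,
+using the <option>--id</option> option.
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--store-public-key</option> <emphasis>filename</emphasis>,
+<option>-P</option> <emphasis>filename</emphasis></term>
+<listitem>
+<para>
+Tells <command>pkcs15-init</command> to download the specified
+public key to the card and create a public key object with the
+key ID specified via the <option>--id</option>. By default,
+the file is assumed to contain the key in PEM format. Alternative
+formats can be specified using <option>--format</option>.
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--store-certificate</option> <emphasis>filename</emphasis>,
+<option>-X</option> <emphasis>filename</emphasis></term>
+<listitem>
+<para>
+Tells <command>pkcs15-init</command> to store the certificate given
+in <option>filename</option> on the card, creating a certificate
+object with the ID specified via the <option>--id</option> option.
+The file is assumed to contain the DER encoded certificate.
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--so-pin, --so-puk, --pin, --puk</option></term>
+<listitem>
+<para>
+These options can be used to specify PIN/PUK values on the command
+line. Note that on most operation systems, any user can display
+the command line of any process on the system using utilities such
+as <command>ps(1)</command>. Therefore, you should use these options
+only on a secured system, or in an options file specified with
+<option>--options-file</option>.
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--passphrase</option></term>
+<listitem>
+<para>
+When downloading a private key, this option can be used to specify
+the pass phrase to unlock the private key. The same caveat applies
+here as in the case of the <option>--pin</option> options.
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--options-file</option> <emphasis>filename</emphasis></term>
+<listitem>
+<para>
+Tells <command>pkcs15-init</command> to read additional options
+from <emphasis>filename</emphasis>. The file is supposed to
+contain one long option per line, without the leading dashes,
+for instance:
+<programlisting>
+pin frank
+puk zappa
+</programlisting>
+</para>
+<para>
+You can specify <option>--options-file</option> several times.
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--verbose, -v</option></term>
+<listitem>
+<para>
+Causes <command>pkcs15-init</command> to be more verbose. Specify this
+flag several times to enable debug output in the OpenSC library.
+</para>
+</listitem>
+</varlistentry>
+
+</variablelist>
+</para>
+</refsect1>
+
+<refsect1>
+<title>See also</title>
+<para>pkcs15-profile(5)</para>
+</refsect1>
+
+</refentry>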
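Review bot: `<refentry id="">` at the top of this file is an empty ID, which is not a valid DTD ID value, and pkcs15-profile.xml in this same commit has the same empty `id`, so once both are pulled into the book through XInclude the document carries two identical IDs and validation will fail; use `<refentry id="pkcs15-init">` here (and `id="pkcs15-profile"` there), matching the other pages. The two command examples in "User PIN Installation" and "Key generation" contain stray quotes — `pkcs15-init --store-pin --id " nn` and `pkcs15-init --generate-key " keyspec " --auth-id " nn` — which look like mangled markup; presumably the intended text is `pkcs15-init --store-pin --id nn` and `pkcs15-init --generate-key keyspec --auth-id nn` with the placeholders wrapped in `<emphasis>`. The `--profile` entry calls the profile option `openpin` in one paragraph and `pkcs15+onepin` in the next, so one of them is a typo. The `--options-file` entry is the page's own recommended alternative to putting PINs on the command line, so it should say that the file holds the PIN and PUK in clear text and must be readable only by its owner and removed after use; at present it only shows `pin frank` / `puk zappa` as an example. Smaller wording issues: "the the public portion" (twice), "several the security officer PIN", "most operation systems", and `<option>id</option>` in the `--generate-key` entry is missing its dashes.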
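--- a/pkcs15-profile.xml
+++ b/pkcs15-profile.xml
@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry id="">
+<refmeta>
+<refentrytitle>pkcs15-profile</refentrytitle>
+<manvolnum>5</manvolnum>
+<refmiscinfo>opensc</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+<refname>pkcs15-profile</refname>
+<refpurpose>format of profile for <command>pkcs15-init</command></refpurpose>
+</refnamediv>
+
+<refsect1>
+<title>Synopsis</title>
+<para>
+<command></command>
+</para>
+</refsect1>
+
+<refsect1>
+<title>Description</title>
+<para>
+The <command>pkcs15-init</command> utility for PKCS #15 smart card
+personalization is controlled via profiles. When starting, it will read two
+such profiles at the moment, a generic application profile, and a card
+specific profile. The generic profile must be specified on the command line,
+while the card-specific file is selected based on the type of card detected.
+</para>
+<para>
+The generic application profile defines general information about the card
+layout, such as the path of the application DF, various PKCS #15 files within
+that directory, and the access conditions on these files. It also defines
+general information about PIN, key and certificate objects. Currently, there
+is only one such generic profile, <command>pkcs15.profile</command>.
+</para>
+<para>
+The card specific profile contains additional information required during
+card intialization, such as location of PIN files, key references etc.
+Profiles currently reside in <command>@pkgdata@</command>
+</para>
+</refsect1>
+
+<refsect1>
+<title>Syntax</title>
+<para>
+This section should contain information about the profile syntax. Will add
+this soonishly.
+</para>
+</refsect1>
+
+<refsect1>
+<title>See also</title>
+<para>
+<command>pkcs15</command>(7), <command>pkcs15-init</command>(1),
+<command>pkcs15-crypt</command>(1), <command>opensc</command>(7),
+</para>
+</refsect1>
+
+</refentry>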
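Review bot: The Synopsis section holds an empty `<command></command>`, which renders as a blank section on a section-5 page; for a file-format page the synopsis should name what the page describes (the `pkcs15.profile` file mentioned in the Description, or the profile directory), or the section should be dropped. `<command>@pkgdata@</command>` relies on a build-time substitution that is not visible here — if this file is not run through the configure step, the literal `@pkgdata@` ends up in the installed page, so the build rule should be checked, and `<filename>` is the better element for a path than `<command>`. The "Syntax" section is a placeholder ("Will add this soonishly"), which is acceptable for a first import but leaves a reader of the installed page with no description of the format the page is named after. The See-also paragraph ends with a trailing comma, and "intialization" in the Description is misspelled.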
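--- a/pkcs15-tool.xml
+++ b/pkcs15-tool.xml
@@ -0,0 +1,131 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry id="pkcs15-tool">
+<refmeta>
+<refentrytitle>pkcs15-tool</refentrytitle>
+<manvolnum>1</manvolnum>
+<refmiscinfo>opensc</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+<refname>pkcs15-tool</refname>
+<refpurpose>utility for manipulating PKCS #15 data structures
+on smart cards and similar security tokens</refpurpose>
+</refnamediv>
+
+<refsect1>
+<title>Synopsis</title>
+<para>
+<command>pkcs15-tool</command> [OPTIONS]
+</para>
+</refsect1>
+
+<refsect1>
+<title>Description</title>
+<para>
+The <command>pkcs15-tool</command> utility is used to manipulate
+the PKCS #15 data structures on smart cards and similar security
+tokens. Users can list and read PINs, keys and certificates stored
+on the token. User PIN authentication is performed for those
+operations that require it.
+</para>
+</refsect1>
+
+<refsect1>
+<title>Options</title>
+<para>
+<variablelist>
+<varlistentry>
+<term><option>--learn-card, -L</option></term>
+<listitem><para>Cache PKCS #15 token data to the local filesystem.
+Subsequent operations are performed on the cached data where possible.
+If the cache becomes out-of-sync with the token state (eg. new key is
+generated and stored on the token), the cache should be updated or
+operations may show stale results.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--read-certificate</option> <varname>cert</varname>,
+<option>-r</option> <varname>cert</varname></term>
+<listitem><para>Reads the certificate with the given id.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--list-certificates, -c</option></term>
+<listitem><para>Lists all certificates stored on the token.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--list-pins</option></term>
+<listitem><para>Lists all PINs stored on the token. General information
+about each PIN is listed (eg. PIN name). Actual PIN values are not shown.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--change-pin</option></term>
+<listitem><para>Changes a PIN stored on the token. User authentication
+is required for this operation.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--list-keys, -k</option></term>
+<listitem><para>Lists all private keys stored on the token. General
+information about each private key is listed (eg. key name, id and
+algorithm). Actual private key values are not displayed.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--list-public-keys</option></term>
+<listitem><para>Lists all public keys stored on the token, including
+key name, id, algorithm and length information.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--read-public-key</option> <varname>id</varname></term>
+<listitem><para>Reads the public key with id <varname>id</varname>,
+allowing the user to extract and store or use the public key.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--output</option> <varname>filename</varname>,
+<option>-o</option> <varname>filename</varname></term>
+<listitem><para>Specifies where key output should be written.
+If <varname>filename</varname> already exists, it will be overwritten.
+If this option is not given, keys will be printed to standard output.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--no-cache</option></term>
+<listitem><para>Disables token data caching.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--pin-id</option> <varname>pin</varname>,
+<option>-a</option> <varname>pin</varname></term>
+<listitem><para>Specifies the auth id of the PIN to use for the
+operation. This is useful with the --change-pin operation.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--reader</option> <varname>num</varname></term>
+<listitem><para>Forces <command>pkcs15-tool</command> to use reader
+number <varname>num</varname> for operations. The default is to use
+reader number 0, the first reader in the system.</para></listitem>
+</varlistentry>
+
+<varlistentry>
+<term><option>--verbose, -v</option></term>
+<listitem><para>Causes <command>pkcs15-tool</command> to be more
+verbose. Specify this flag several times to enable debug output
+in the OpenSC library.</para></listitem>
+</varlistentry>
+
+</variablelist>
+</para>
+</refsect1>
+
+<refsect1>
+<title>See also</title>
+<para>opensc(7), pkcs15-init(1), pkcs15-crypt(1)</para>
+</refsect1>
+
+</refentry>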
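Review bot: `-r` is documented here as the short form of `--read-certificate`, whereas in pkcs15-crypt(1) and cardos-info(1) from this same commit `-r` selects the reader, and `--reader` on this page has no short form at all; the `--reader` entry should say so explicitly, e.g. `Unlike the other OpenSC tools, this option has no -r short form; -r reads a certificate here.`, so a user does not pass a certificate id where a reader number was meant. The `--pin-id` entry refers to `--change-pin` as plain text; wrap it as `<option>--change-pin</option>` like the other cross-references on the page. The `--output` entry says "key output" is written to the file (overwriting it) or to standard output, but the list above only offers `--read-public-key` and `--read-certificate` as read operations and `--learn-card` writes a cache to the local filesystem — if no private key material can ever be written by this tool, stating that in the `--output` and `--learn-card` entries would remove the ambiguity for readers checking what ends up on disk. "eg." should be "e.g." in the three entries that use it.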
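--- a/BOOK_FILE_PATH_NOT_SHOWN.xml
+++ b/BOOK_FILE_PATH_NOT_SHOWN.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.2//EN"
+"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+
+<book xmlns:xi="http://www.w3.org/2001/XInclude">
+<title>OpenSC tools</title>
+<reference>
+<referenceinfo>
+<title>OpenSC</title>
+</referenceinfo>
+<xi:include href="opensc-config.xml"/>
+<xi:include href="opensc-tool.xml"/>
+<xi:include href="opensc-explorer.xml"/>
+<xi:include href="pkcs11-tool.xml"/>
+<xi:include href="pkcs15-crypt.xml"/>
+<xi:include href="pkcs15-tool.xml"/>
+<xi:include href="pkcs15-init.xml"/>
+<xi:include href="pkcs15-profile.xml"/>
+<xi:include href="cardos-info.xml"/>
+<xi:include href="cryptoflex-tool.xml"/>
+</reference>
+</book>
+
+<!-- TODO
+opensc
+-->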
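Review bot: The DOCTYPE names the system identifier `http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd`, so whichever tool assembles this book should resolve the public identifier `-//OASIS//DTD DocBook V4.2//EN` through a local XML catalog and run with `--nonet` (xmllint/xsltproc) so a documentation build never fetches the DTD from the network; the build rule is not part of this commit, so that is a point to confirm rather than a defect in the file. The `xi:include` elements carry no `xi:fallback`, so a missing or misnamed target aborts XInclude processing — desirable for a docs build, but since not all of the referenced files are visible in this chunk (e.g. `cryptoflex-tool.xml`, `opensc-explorer.xml`), it is worth checking that every target exists before the book is wired into the build. The trailing `<!-- TODO opensc -->` after the root element is legal XML; if it tracks a missing opensc(7) page (the other pages reference `opensc(7)` in their See-also sections), a commented-out `<xi:include href="opensc.xml"/>` inside `<reference>` would make the intent clearer.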