diff --git a/doc/tools/cardos-tool.1.xml b/doc/tools/cardos-tool.1.xml index 03356625..890e128e 100644 --- a/doc/tools/cardos-tool.1.xml +++ b/doc/tools/cardos-tool.1.xml @@ -34,33 +34,50 @@ smart cards and similar security tokens based on Siemens Card/OS M4. - , + + , + + Display information about the card or token. - , + + , + + Format the card or token. - number, number - Specify the reader number number to use. + + number, + number + + Specify the reader number number to use. The default is reader 0. - name, driver - Use the card driver specified by name. The default - is to auto-detect the correct card driver. + + name, + name + Use the card driver specified by name. + The default is to auto-detect the correct card driver. - + + , + + Causes cardos-tool to wait for the token to be inserted into reader. - - Causes cardos-tool to be more verbose. Specify this flag several times -to enable debug output in the opensc library. + + , + + + Causes cardos-tool to be more verbose. + Specify this flag several times to enable debug output in the opensc library. diff --git a/doc/tools/cryptoflex-tool.1.xml b/doc/tools/cryptoflex-tool.1.xml index 505cfc5e..17c055fb 100644 --- a/doc/tools/cryptoflex-tool.1.xml +++ b/doc/tools/cryptoflex-tool.1.xml 
@@ -35,90 +35,122 @@ - + + , + + Verifies CHV1 before issuing commands - + + , + + Lists all keys stored in a public key file - arg, - arg - Creates new RSA key files for arg keys + + arg, + arg + + Creates new RSA key files for arg keys - id, - id - Creates new PIN file for CHVid + + id, + id + + Creates new PIN file for CHVid - + + , + + Generate a new RSA key pair - + + + Reads a public key from the card, allowing the user to extract and store or use the public key - num, - num + + num, + num + Specifies the key number to operate on. The default is key number 1. - num, - num + + num, + num + Specifies the DF to operate in - id, - id - Specifies the private key file id, id, + + id, + id + + Specifies the private key file id, id, to use - id, - id - Specifies the public key file id, id, + + id, + id + + Specifies the public key file id, id, to use - exp, - exp - Specifies the RSA exponent, exp, + + exp, + exp + + Specifies the RSA exponent, exp, to use in key generation. The default value is 3. - length, - length - Specifies the modulus length to use + + length, + length + + Specifies the modulus length to use in key generation. The default value is 1024. - num, - num + + num, + num + Forces cryptoflex-tool to use - reader number num for operations. The default + reader number num for operations. The default is to use reader number 0, the first reader in the system. - + + , + + Causes cryptoflex-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library. diff --git a/doc/tools/eidenv.1.xml b/doc/tools/eidenv.1.xml index 4cdf28bc..7b569290 100644 --- a/doc/tools/eidenv.1.xml +++ b/doc/tools/eidenv.1.xml 
@@ -38,43 +38,64 @@ - num + + num, + num + Use the given reader. The default is the first reader with a card. - + + , + + Wait for a card to be inserted - + + , + + Print help message on screen. - + + , + + Prints the version of the utility and exits. - + + , + + Prints all data fields from the card, like validity period, document number etc. - + + , + + Prints key usage statistics (only for Estonian ID card). - prog + + prog, + prog + Executes the given program with data in environment variables. diff --git a/doc/tools/netkey-tool.1.xml b/doc/tools/netkey-tool.1.xml index 3cc29593..9d111d38 100644 --- a/doc/tools/netkey-tool.1.xml +++ b/doc/tools/netkey-tool.1.xml @@ -35,32 +35,52 @@ - , + + , + + Displays a short help message. - number, number + + number, + number + Use smart card in specified reader. Default is reader 0. - + + + Causes netkey-tool to be more verbose. This options may be specified multiple times to increase verbosity. - pin-value, pin-value + + pin-value, + pin-value + Specifies the current value of the global PIN. - pin-value, pin-value + + pin-value, + pin-value + Specifies the current value of the global PUK. - pin-value, pin-value + + pin-value, + pin-value + Specifies the current value of the local PIN0 (aka local PIN). - pin-value, pin-value + + pin-value, + pin-value + Specifies the current value of the local PIN1 (aka local PUK). 
@@ -98,22 +118,27 @@ - { | | - } + + unblock { pin | pin0 | pin1 } + This unblocks the specified pin. You must specify another pin to be able to do this and if you don't specify a correct one, netkey-tool will tell you which one is needed. - { | | - | } new-pin + + change { pin | puk | + pin0 | pin1 } new-pin + This changes the value of the specified pin to the given new value. You must specify either the current value of the pin or another pin to be able to do this and if you don't specify a correct one, netkey-tool will tell you which one is needed. - initial-pin + + nullpin initial-pin + This command can be executed only if the global PIN of your card is in nullpin-state. There's no way to return back to nullpin-state once you have changed your global PIN. You don't need a pin to execute the nullpin-command. After a succesfull @@ -121,18 +146,22 @@ PUK-value. - number filename + + cert number filename + This command will read one of your cards certificates (as specified by - ) and save this certificate into file + number) and save this certificate into file filename in PEM-format. Certificates on a NetKey E4 card are readable without a pin, so you don't have to specify one. - filename number + + cert filename number + This command will read the first PEM-encoded certificate from file - and store this into your smart cards certificate file - . Some of your smart cards certificate files might be readonly, so - this will not work with all values of . If a certificate file is + filename and store this into your smart cards certificate file + number. Some of your smart cards certificate files might be readonly, so + this will not work with all values of number. If a certificate file is writable you must specify a pin in order to change it. If you try to use this command without specifying a pin, netkey-tool will tell you which one is needed. diff --git a/doc/tools/opensc-explorer.1.xml b/doc/tools/opensc-explorer.1.xml index 425f8b90..9ffa1f34 100644 
--- a/doc/tools/opensc-explorer.1.xml +++ b/doc/tools/opensc-explorer.1.xml @@ -42,8 +42,8 @@ - num, - num + num, + num Use the given reader number. The default @@ -52,8 +52,8 @@ - driver, - driver + driver, + driver Use the given card driver. The default is @@ -62,22 +62,26 @@ - path, - path + path, + path Select the file referenced by the given path on startup. The default is the path to the standard master file, - 3F00. If path is empty (e.g. opensc-explorer + 3F00. If path is empty (e.g. opensc-explorer --mf ""), then no file is explicitly selected. - + + , + Wait for a card to be inserted - + + , + Causes opensc-explorer to be more verbose. Specify this flag several times to enable 
@@ -95,57 +99,74 @@ interactive prompt. - + + ls + list all files in the current DF - file-id - change to another DF specified by file-id + + cd file-id + + change to another DF specified by file-id - [file-id] - sfi:sfi-id + + cat [file-id] + + + cat sfi:sfi-id + print the contents of the currently selected EF or the contents of a file - specified by file-id - or sfi-id. + specified by file-id + or sfi-id. - [file-id] - display attributes of a file specified by file-id. - If file-id is not supplied, + + info [file-id] + + display attributes of a file specified by file-id. + If file-id is not supplied, the attributes of the current file are printed. - file-id size - create a new EF. file-id specifies the - id number and size is the size of the new file. + + create file-id size + + create a new EF. file-id specifies the + id number and size is the size of the new file. - file-id - remove the EF or DF specified by file-id + + delete file-id + + remove the EF or DF specified by file-id - file-id - remove the EF or DF specified by file-id + + rm file-id + + remove the EF or DF specified by file-id - key-typekey-id - [key] - present a PIN or key to the card. Where key-type - can be one of CHV, KEY or PRO. key-id is a number representing the - key or PIN reference. key is the key or PIN to be verified in hex. + + verify key-typekey-id [key] + + present a PIN or key to the card. Where key-type + can be one of CHV, KEY or PRO. key-id is a number representing the + key or PIN reference. key is the key or PIN to be verified in hex. - If key is omitted, PIN will be verified with PIN-Pad. + If key is omitted, PIN will be verified with PIN-Pad. Example: verify CHV0 31:32:33:34:00:00:00:00 @@ -154,9 +175,10 @@ - id - [[old-pin] new-pin] - change a PIN, where id is the PIN reference + + change CHVid [[old-pin] new-pin] + + change a PIN, where id is the PIN reference Examples: 
@@ -173,117 +195,141 @@ - file-id input + + put file-id input + copy a local file to the card. The local file is specified - by input while the card file is specified by file-id. + by input while the card file is specified by file-id. - file-id [output] + + get file-id [output] + copy an EF to a local file. The local file is specified - by output while the card file is specified by file-id. + by output while the card file is specified by file-id. - If output is ommited, the name of the output file will be - derivated from the full card path to file-id. + If output is ommited, the name of the output file will be + derivated from the full card path to file-id. - hex-tag input + + do_put hex-tag input + update internal card's 'tagged' data. - hex-tag is the tag of the card's data. - input is the filename of the source file or the literal data presented as + hex-tag is the tag of the card's data. + input is the filename of the source file or the literal data presented as a sequence of hexadecimal values or '"' enclosed string. - hex-tag [output] + + do_get hex-tag [output] + copy the internal card's 'tagged' data into the local file. - The local file is specified by output while the tag of - the card's data is specified by hex-tag. + The local file is specified by output while the tag of + the card's data is specified by hex-tag. - If output is ommited, the name of the output file will be - derivated from hex-tag. + If output is ommited, the name of the output file will be + derivated from hex-tag. - file-id size - create a DF. file-id specifies the id number - and size is the size of the new file. + + mkdir file-id size + + create a DF. file-id specifies the id number + and size is the size of the new file. - + + erase + erase the card, if the card supports it. - count + + random count + - generate random sequence of count bytes. + generate random sequence of count bytes. 
- file-id rec_nr - rec_offs data + + update_record file-id rec-nr rec-offs data + - update record specified by rec_nr of the file - specified by file-id with the literal data - data starting from offset specified by - rec_offs. - data can be supplied as a sequence of the hex values or + update record specified by rec-nr of the file + specified by file-id with the literal data + data starting from offset specified by + rec-offs. + data can be supplied as a sequence of the hex values or as a '"' encolsed string. - file-id offs - data + + update_binary file-id offs data + - binary update of the file specified by file-id with the literal data - data starting from offset specified by offs. - data can be supplied as a sequence of the hex values or + binary update of the file specified by file-id with the literal data + data starting from offset specified by offs. + data can be supplied as a sequence of the hex values or as a '"' encolsed string. - [level] + + debug [level] + - set OpenSC debug level to level. - If level is ommited the current debug level will be shown. + set OpenSC debug level to level. + If level is ommited the current debug level will be shown. - hex_data + + apdu hex-data + - send a custom APDU command hex_data. + send a custom APDU command hex-data. - file-id + + asn1 file-id + parse and print the ASN1 encoded content of the file specified by - file-id. + file-id. - + + quit + exit the program. diff --git a/doc/tools/opensc-tool.1.xml b/doc/tools/opensc-tool.1.xml index 5c2c8d11..6892cd3e 100644 --- a/doc/tools/opensc-tool.1.xml +++ b/doc/tools/opensc-tool.1.xml 
@@ -34,55 +34,90 @@ - + + , + + Print information about OpenSC, such as version and enabled components - + + , + + Print the Answer To Reset (ATR) of the card, output is in hex byte format - + + , + + Print the name of the inserted card (driver) - + + + Print the card serial number (normally the ICCSN), output is in hex byte format - apdu, apdu + + apdu, + apdu + Sends an arbitrary APDU to the card in the format AA:BB:CC:DD:EE:FF... - + + , + + Recursively lists all files stored on card - + + , + + Lists all configured readers - + + , + + Lists all installed card drivers - num, num + + num, + num + Use the given reader number. The default is 0, the first reader in the system. - driver, driver + + driver, + driver + Use the given card driver. The default is auto-detected. - + + , + + Wait for a card to be inserted - + + , + + Causes opensc-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library. diff --git a/doc/tools/piv-tool.1.xml b/doc/tools/piv-tool.1.xml index a2f85eae..3250f06e 100644 --- a/doc/tools/piv-tool.1.xml +++ b/doc/tools/piv-tool.1.xml @@ -35,16 +35,24 @@ - + + + Print the derived card serial number from the CHUID object if any. output is in hex byte format. - + + , + + Print the name of the inserted card (driver) - argument, argument + + argument, + argument + Authenticate to the card using a 2DES or 3DES key. An argument {A|M}:{ref}:{alg} is required, were A uses "EXTERNAL AUTHENTICATION" and M uses "MUTUAL AUTHENTICATION". ref is normally 9B, and alg is 03 for 
@@ -54,69 +62,104 @@ - argument, argument + + argument, + argument + Generate a key pair on the card and output the public key. An argument {ref}:{alg} is required, where ref is 9A, 9C, 9D or 9E and alg is 06, 07, 11 or 14 for RSA 1024, RSA 2048, ECC 256 or ECC 384. - ContainerID, ContainerID + + ContainerID, + ContainerID + Load an object on to the card. The ContainerID is defined in NIST 800-73-n without leading 0x. Example: CHUID object is 3000 - ref, ref + + ref, + ref + Load a certificate on to the card. ref is 9A, 9C, 9D or 9E - ref, ref + + ref, + ref + Load a certificate that has been gziped on to the card. ref is 9A, 9C, 9D or 9E - file, file + + file, + file + Output file for any operation that produces output. - file, file + + file, + file + Input file for any operation that requires an input file. - file + + file + Print properties of the key slots. Needs 'admin' authentication. - apdu, apdu + + apdu, + apdu + Sends an arbitrary APDU to the card in the format AA:BB:CC:DD:EE:FF... This option may be repeated. - num + + num, + num + Use the given reader number. The default is 0, the first reader in the system. - driver, driver + + driver, + driver + Use the given card driver. The default is auto-detected. - + + , + + Wait for a card to be inserted - + + , + + Causes piv-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library. diff --git a/doc/tools/pkcs11-tool.1.xml b/doc/tools/pkcs11-tool.1.xml index d071d614..529329fc 100644 --- a/doc/tools/pkcs11-tool.1.xml +++ b/doc/tools/pkcs11-tool.1.xml @@ -36,16 +36,21 @@ - + + , + + Authenticate to the token before performing other operations. This option is not needed if a PIN is provided on the command line. - pin, - pin - Use the given pin for + + pin, + pin + + Use the given pin for token operations. WARNING: Be careful using this option as other users may be able to read the command line from the system or if it is embedded in a script. 
@@ -54,22 +59,28 @@ - pin - Use the given pin as the + + pin + + Use the given pin as the Security Officer PIN for some token operations (token initialization, user PIN initialization, etc). The same warning as also applies here. - + + + Initializes a token: set the token label as well as a Security Officer PIN (the label must be specified using ). - + + + Initializes the user PIN. This option differs from --change-pin in that it sets the user PIN for the first time. Once set, the user PIN can be changed 
@@ -77,120 +88,169 @@ - + + , + + Change the user PIN on the token - + + , + + Performs some tests on the token. This option is most useful when used with either or . - + + , + + Displays general token information. - + + , + + Displays a list of available slots on the token. - + + , + + Displays a list of mechanisms supported by the token. - + + , + + Displays a list of objects. - + + , + + Sign some data. - + + , + + Hash some data. - mechanism, - mechanism - Use the specified mechanism + + mechanism, + mechanism + + Use the specified mechanism for token operations. See for a list of mechanisms supported by your token. - + + , + + Generate a new key pair (public and private pair.) - id, - path + + id, + path + Write a key or certificate object to the token. - path points to the DER-encoded certificate or key file. + path points to the DER-encoded certificate or key file. - type, - type + + type, + type + Specify the type of object to operate on. Examples are cert, privkey and pubkey. - id, - id + + id, + id + Specify the id of the object to operate on. - name, - name + + name, + name + Specify the name of the object to operate on (or the token label when is used). - id + + id + Specify the id of the slot to use. - description + + description + Specify the description of the slot to use. - index + + index + Specify the index of the slot to use. - label + + label + Specify the label of token. Will be used the first slot, that has the inserted token with this label. - id, - id + + id, + id + Set the CKA_ID of the object. - path - Extract information from path + + path + + Extract information from path (DER-encoded certificate file) and create the corresponding attributes when writing an object to the token. Example: the certificate subject name is used to create the CKA_SUBJECT 
@@ -198,33 +258,43 @@ - path, - path + + path, + path + Specify the path to a file for input. - path, - path + + path, + path + Specify the path to a file for output. - mod + + mod + Specify a PKCS#11 module (or library) to load. - path, - path + + path, + path + Tests a Mozilla-like keypair generation - and certificate request. Specify the path + and certificate request. Specify the path to the certificate file. - + + , + Causes pkcs11-tool to be more verbose.NB! This does not affect OpenSC debugging level! To set OpenSC PKCS#11 module into debug diff --git a/doc/tools/pkcs15-crypt.1.xml b/doc/tools/pkcs15-crypt.1.xml index 4ff79c73..dbdce718 100644 --- a/doc/tools/pkcs15-crypt.1.xml +++ b/doc/tools/pkcs15-crypt.1.xml @@ -35,21 +35,26 @@ - + + , + + Perform digital signature operation on - the data read from a file specified using the + the data read from a file specified using the option. By default, the contents of the file are assumed to be the result of an MD5 hash operation. Note that pkcs15-crypt expects the data in binary representation, not ASCII. The digital signature is stored, in binary representation, - in the file specified by the option. If + in the file specified by the option. If this option is not given, the signature is printed on standard output, displaying non-printable characters using their hex notation xNN (see also ). - + + + By default, pkcs15-crypt assumes that input data has been padded to the correct length (i.e. when computing an RSA signature using a 1024 bit key, @@ -61,7 +66,9 @@ - + + + This option tells pkcs15-crypt that the input file is the result of an SHA1 hash operation, rather than an MD5 hash. Again, the data must be in binary @@ -69,7 +76,10 @@ - + + , + + Decrypt the contents of the file specified by the option. The result of the decryption operation is written to the file specified by the 
@@ -80,40 +90,53 @@ - id, - id + + id, + id + Selects the ID of the key to use. - N, - N - Selects the N-th smart + + N, + N + + Selects the N-th smart card reader configured by the system. If unspecified, pkcs15-crypt will use the first reader found. - file, - file + + file, + file + Specifies the input file to use. - file, - file + + file, + file + Any output will be sent to the specified file. - + + , + + Outputs raw 8 bit data. - pin, - pin + + pin, + pin + When the cryptographic operation requires a PIN to access the key, pkcs15-crypt will prompt the user for the PIN on the terminal. Using this option @@ -126,13 +149,18 @@ - aid + + aid + Specify in a hexadecimal form the AID of the on-card PKCS#15 application to be binded to. - + + , + + Causes pkcs15-crypt to be more verbose. Specify this flag several times to enable debug output in the OpenSC library. diff --git a/doc/tools/pkcs15-init.1.xml b/doc/tools/pkcs15-init.1.xml index 6e945b64..4d8e433c 100644 --- a/doc/tools/pkcs15-init.1.xml +++ b/doc/tools/pkcs15-init.1.xml @@ -46,7 +46,7 @@ pkcs15-init can be used to create a PKCS #15 structure on your smart card, create PINs, and install keys and certificates on the card. - This process is also called personalization. + This process is also called personalization. An OpenSC card can have one security officer PIN, and zero or more user PINs. @@ -71,7 +71,7 @@ card profiles that will allow the security officer to override user PINs. - For each PIN, you can specify a PUK (also called unblock PIN). + For each PIN, you can specify a PUK (also called unblock PIN). The PUK can be used to overwrite or unlock a PIN if too many incorrect values have been entered in a row. @@ -113,7 +113,7 @@ pkcs15-init --store-pin --id " nn - where nn is a PKCS #15 ID in hexadecimal notation. Common + where nn is a PKCS #15 ID in hexadecimal notation. Common values are 01, 02, etc. 
@@ -136,14 +136,15 @@ pkcs15-init --generate-key " keyspec " --auth-id " nn - where describes the algorithm and length of the - key to be created, such as . This will create a 512 bit + where keyspec describes the algorithm and length of the + key to be created, such as rsa/512. This will create a 512 bit RSA key. Currently, only RSA key generation is supported. Note that cards usually support just a few different key lengths. Almost all cards will support 512 and 1024 bit keys, some will support 768 or 2048 as well. - is the ID of a user PIN installed previously, e.g. 01. + nn is the ID of a user PIN installed previously, + e.g. 01. In addition to storing the private portion of the key on the card, @@ -157,7 +158,7 @@ You can use a private key generated by other means and download it to the card. For instance, to download a private key contained in a file named - okir.pem, which is in PEM format, you would use + okir.pem, which is in PEM format, you would use pkcs15-init --store-private-key okir.pem --id 45 --auth-id 01 @@ -170,7 +171,7 @@ Note the use of the option. The current pkcs15 profile defines two key templates, one for - authentication (key ID 45), and one for non-repudiation purposes (key ID 46). + authentication (key ID 45), and one for non-repudiation purposes (key ID 46). Other key templates will probably be added in the future. Note that if you don't specify a key ID, pkcs15-init will pick just the first key template defined by the profile. @@ -226,8 +227,8 @@ 01 - This will install the private key contained in the file okir.p12, - and protect it with the PIN referenced by authentication ID 01. + This will install the private key contained in the file okir.p12, + and protect it with the PIN referenced by authentication ID 01. It will also store any X.509 certificates contained in the file, which is usually the user certificate that goes with the key, as well as the CA certificate. 
@@ -239,33 +240,37 @@ - name, - name + + name, + name + Tells pkcs15-init to load the specified general profile. Currently, the only application profile defined is - pkcs15, but you can write your own profiles and + pkcs15, but you can write your own profiles and specify them using this option. - The profile name can be combined with one or more profile - options, which slightly modify the profile's behavior. + The profile name can be combined with one or more profile + options, which slightly modify the profile's behavior. For instance, the default OpenSC profile supports the option, which installs a single PIN during card initialization. This PIN is then used both as the SO PIN as well as the user PIN for all keys stored on the card. - Profile name and options are separated by a - character, as in . + Profile name and options are separated by a + + character, as in pkcs15+onepin. - name, - name + + name, + name + Tells pkcs15-init to load the specified card @@ -275,7 +280,10 @@ - + + , + + This tells pkcs15-init to create a PKCS #15 @@ -285,7 +293,10 @@ - + + , + + This will erase the card prior to creating the PKCS #15 structure, @@ -296,12 +307,14 @@ - keyspec, - keyspec + + keyspec, + keyspec + Tells the card to generate new key and store it on the card. - keyspec consists of an algorithm name + keyspec consists of an algorithm name (currently, the only supported name is ), optionally followed by a slash and the length of the key in bits. It is a good idea to specify the key ID along with this command, @@ -316,8 +329,10 @@ - filename, - filename + + filename, + filename + Tells pkcs15-init to download the specified @@ -337,7 +352,9 @@ - filename + + filename + Tells pkcs15-init to download the specified @@ -350,8 +367,10 @@ - filename, - filename + + filename, + filename + Tells pkcs15-init to store the certificate given @@ -369,8 +388,10 @@ - filename, - filename + + filename, + filename + Tells pkcs15-init to update the certificate 
@@ -385,8 +406,10 @@ - , - + + , + + Tells pkcs15-init to not ask for the transport @@ -396,7 +419,12 @@ - + + , + , + , + + These options can be used to specify PIN/PUK values on the command @@ -410,11 +438,13 @@ - filename + + filename + Tells pkcs15-init to read additional options - from filename. The file is supposed to + from filename. The file is supposed to contain one long option per line, without the leading dashes, for instance: @@ -429,7 +459,10 @@ - + + , + + Causes pkcs15-init to be more verbose. Specify this diff --git a/doc/tools/pkcs15-tool.1.xml b/doc/tools/pkcs15-tool.1.xml index 7de1e869..c928eee5 100644 --- a/doc/tools/pkcs15-tool.1.xml +++ b/doc/tools/pkcs15-tool.1.xml @@ -37,7 +37,10 @@ - + + , + + Cache PKCS #15 token data to the local filesystem. Subsequent operations are performed on the cached data where possible. If the cache becomes out-of-sync with the token state (eg. new key is @@ -46,36 +49,50 @@ - + + + List the on-card PKCS#15 applications - cert, - cert + + cert, + cert + Reads the certificate with the given id. - + + , + + Lists all certificates stored on the token. - cert, - data + + cert, + data + Reads data object with OID, applicationName or label. - + + + Verify PIN after card binding and before issuing any command (without 'auth-id' the first non-SO, non-Unblock PIN will be verified) - + + , + + Lists all data objects stored on the token. For some cards the PKCS#15 attributes of the private data objects are protected for reading and need the authentication with the User PIN. 
@@ -84,30 +101,43 @@ - + + + Lists all PINs stored on the token. General information about each PIN is listed (eg. PIN name). Actual PIN values are not shown. - + + , + + Dump card objects. - + + + Changes a PIN or PUK stored on the token. User authentication is required for this operation. - + + , + + Unblocks a PIN stored on the token. Knowledge of the Pin Unblock Key (PUK) is required for this operation. - + + , + + Lists all private keys stored on the token. General information about each private key is listed (eg. key name, id and algorithm). Actual private key values are not displayed. @@ -117,58 +147,78 @@ - + + + Lists all public keys stored on the token, including key name, id, algorithm and length information. - id - Reads the public key with id id, + + id + + Reads the public key with id id, allowing the user to extract and store or use the public key. - id - Reads the public key with id id, - writing the output in format suitable for $HOME/.ssh/authorized_keys. + + id + + Reads the public key with id id, + writing the output in format suitable for + $HOME/.ssh/authorized_keys. - filename, - filename + + filename, + filename + Specifies where key output should be written. - If filename already exists, it will be overwritten. + If filename already exists, it will be overwritten. If this option is not given, keys will be printed to standard output. - + + + Disables token data caching. - pin, - pin + + pin, + pin + Specifies the auth id of the PIN to use for the operation. This is useful with the --change-pin operation. - aid + + aid + Specify in a hexadecimal form the AID of the on-card PKCS#15 application to be binded to. - num + + num + Forces pkcs15-tool to use reader - number num for operations. The default is to use + number num for operations. The default is to use reader number 0, the first reader in the system. - + + , + + Causes pkcs15-tool to be more verbose. Specify this flag several times to enable debug output in the OpenSC library. 
diff --git a/doc/tools/westcos-tool.1.xml b/doc/tools/westcos-tool.1.xml index 07d4935c..92a5da19 100644 --- a/doc/tools/westcos-tool.1.xml +++ b/doc/tools/westcos-tool.1.xml @@ -36,19 +36,28 @@ - num + + num, + num + Use the given reader. The default is the first reader with a card. - + + , + + Wait for a card to be inserted - + + , + + Generate a private key on smart card. The smart card must be not finalized and a PIN must be installed (ie. file for PIN must be created, see option -i). By default key length is 1536 bits. User authentication is required for @@ -56,65 +65,80 @@ - + + , + + Overwrite the key if there is already a key on card. - length, - length + length, + length Change the length of private key, use with . - + + , + + Install PIN file in token, you must provide PIN value with . - value, - value + value, + value set value of PIN. - value, - value + value, + value set value of PUK (or value of new PIN for change PIN command see ). - + + , + + Changes a PIN stored on the token. User authentication is required for this operation. - + + , + + Unblocks a PIN stored on the token. Knowledge of the PIN Unblock Key (PUK) is required for this operation. - file, - file + file, + file Write certificate file in PEM format to the card. User authentication is required for this operation. - + + , + + Finalize the card. Once finalized the default key is invalidated so PIN and PUK can't be changed anymore without user authentication. Warning, un-finalized are insecure because PIN can be changed without user authentication (knowledge of default key @@ -123,8 +147,8 @@ - path, - path + path, + path Get the file path the file is written on disk with path name. User authentication @@ -133,8 +157,8 @@ - path, - path + path, + path Put the file with name path from disk to card the file is written in path. User authentication 
@@ -142,12 +166,17 @@ - + + , + + Print help message on screen. - + + + Causes westcos-tool to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.
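Review bot: "This options may be specified multiple times" in the verbose entry of hunk @@ -35,32 of doc/tools/netkey-tool.1.xml is a grammar slip in a paragraph this hunk already reworks; change it to "This option may be specified multiple times to increase verbosity."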
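Review bot: the nullpin paragraph in hunk @@ -98,22 of doc/tools/netkey-tool.1.xml still reads "After a succesfull"; since the hunk rewrites this entry's synopsis, correct the spelling to "successful" in the same change.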
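Review bot: the rewritten lines in hunk @@ -121,18 of doc/tools/netkey-tool.1.xml keep the missing possessive: "read one of your cards certificates", "store this into your smart cards certificate file" and "Some of your smart cards certificate files". Change each to "card's", and "in PEM-format" to "in PEM format" while these lines are being touched.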
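Review bot: the new synopsis "verify key-typekey-id [key]" in hunk @@ -95,57 of doc/tools/opensc-explorer.1.xml runs the two placeholders together with nothing telling the reader that this is deliberate; the example "verify CHV0 31:32:33:34:00:00:00:00" shows the intent (CHV immediately followed by the reference), so either state in the description that key-type and key-id are written as one token without a space, or render the synopsis the way the change entry does ("change CHVid [[old-pin] new-pin]"). Also "Where key-type can be one of CHV, KEY or PRO." is a sentence fragment; join it to the preceding sentence.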
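Review bot: the rewritten "+" lines in hunk @@ -173,117 of doc/tools/opensc-explorer.1.xml re-emit three spelling errors instead of fixing them: "If output is ommited, the name of the output file will be / derivated from the full card path" (repeated for do_get) and "as a '"' encolsed string" (update_record and update_binary). Correct to "omitted", "derived" and "enclosed". Separately, the placeholders are renamed from rec_nr, rec_offs and hex_data to rec-nr, rec-offs and hex-data; confirm that the built-in usage text of opensc-explorer uses the same names, otherwise the manual page and the interactive help will disagree.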
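Review bot: two spelling slips sit in lines adjacent to the rewritten synopses in doc/tools/piv-tool.1.xml: hunk @@ -35,16 has "is required, were A uses "EXTERNAL AUTHENTICATION"" (should be "where"), and hunk @@ -54,69 has "Load a certificate that has been gziped" (should be "gzipped"). Since both hunks already touch these entries, fix them here.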
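Review bot: the token-label entry in hunk @@ -77,120 of doc/tools/pkcs11-tool.1.xml keeps "Specify the label of token. Will be used the first slot, that has the inserted token with this label.", which is hard to parse; suggest "Specify the label of the token. The first slot that holds a token with this label will be used." In the same hunk, "Generate a new key pair (public and private pair.)" should put the full stop outside the parenthesis.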
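Review bot: "Tells the card to generate new key and store it on the card." in hunk @@ -296,12 of doc/tools/pkcs15-init.1.xml is missing an article and repeats "card"; since the hunk rewrites the surrounding synopsis, change it to "Tells the card to generate a new key and store it on-card."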
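Review bot: "the on-card PKCS#15 application to be binded to" appears in hunk @@ -126,13 of doc/tools/pkcs15-crypt.1.xml and again in hunk @@ -117,58 of doc/tools/pkcs15-tool.1.xml; "binded" is not a word, so change both to "Specify, in hexadecimal form, the AID of the on-card PKCS#15 application to bind to." In the pkcs15-tool hunk, "writing the output in format suitable for $HOME/.ssh/authorized_keys" also needs "in a format".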
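Review bot: the security warning in hunk @@ -56,65 of doc/tools/westcos-tool.1.xml lacks its subject: "Warning, un-finalized are insecure because PIN can be changed without user authentication (knowledge of default key"; it should read "Warning: un-finalized cards are insecure, because the PIN can be changed without user authentication". As this sentence is the reason a user finalizes the card, it must be unambiguous. In the same file, hunk @@ -36,19 has "The smart card must be not finalized"; change to "must not be finalized".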