# Configuration file for OpenSC # Example configuration file # NOTE: All key-value pairs must be terminated by a semicolon. # Default values for any application # These can be overridden by an application # specific configuration block. app default { # Amount of debug info to print # # A greater value means more debug info. # Default: 0 # debug = 0; # The file to which debug output will be written # # A special value of 'stdout' is recognized. # Default: stdout # # debug_file = /tmp/opensc-debug.log; # debug_file = "C:\Documents and Settings\All Users\Documents\opensc-debug.log"; # The file to which errors will be written # # A special value of 'stderr' is recognized. # Default: stderr # # error_file = /tmp/opensc-errors.log; # error_file = "C:\Documents and Settings\All Users\Documents\opensc-errors.log"; # PKCS#15 initialization / personalization # profiles directory for pkcs15-init. profile_dir = @pkgdatadir@; # What reader drivers to load at start-up # # A special value of 'internal' will load all # statically linked drivers. If an unknown (ie. not # internal) driver is supplied, a separate configuration # configuration block has to be written for the driver. # Default: internal # NOTE: if "internal" keyword is used, must be the # last entry in reader_drivers list # # reader_drivers = openct, pcsc, ctapi; reader_driver ctapi { # module /usr/local/towitoko/lib/libtowitoko.so { # CT-API ports: # 0..3 COM1..4 # 4 Printer # 5 Modem # 6..7 LPT1..2 # ports = 0; # } } # Define parameters specific to your readers. # The following section shows definitions for PC/SC readers, # but the same set of variables are applicable to ctapi and # openct readers, simply by using "reader_driver ctapi" and # "reader_driver openct", respectively. reader_driver pcsc { # This sets the maximum send and receive sizes. # Some reader drivers have limitations, so you need # to set these values. For usb devices check the # properties with lsusb -vv for dwMaxIFSD # #max_send_size = 252; #max_recv_size = 252; # Connect to reader in exclusive mode. # Default: false # connect_exclusive = true; # # Reset the card after disconnect. # Default: true # connect_reset = false; # # Reset the card after each transaction. # Default: false # transaction_reset = true; # # Enable pinpad if detected (PC/SC v2.0.2 Part 10) # Default: false # enable_pinpad = true; # # Use specific pcsc provider. # Default: @DEFAULT_PCSC_PROVIDER@ # provider_library = @DEFAULT_PCSC_PROVIDER@ } # options for openct support reader_driver openct { # virtual readers to allocate. default:5 readers = 5; # This sets the maximum send and receive sizes. # Some reader drivers have limitations, so you need # to set these values. For usb devices check the # properties with lsusb -vv for dwMaxIFSD # #max_send_size = 252; #max_recv_size = 252; }; # What card drivers to load at start-up # # A special value of 'internal' will load all # statically linked drivers. If an unknown (ie. not # internal) driver is supplied, a separate configuration # configuration block has to be written for the driver. # Default: internal # NOTE: When "internal" keyword is used, must be last entry # # card_drivers = customcos, internal; # Card driver configuration blocks. # For card drivers loaded from an external shared library/DLL, # you need to specify the path name of the module # # card_driver customcos { # The location of the driver library # module = /usr/lib/opensc/drivers/card_customcos.so; # } # Force using specific card driver # # If this option is present, OpenSC will use the supplied # driver with all inserted cards. # # Default: autodetect # # force_card_driver = customcos; # In addition to the built-in list of known cards in the # card driver, you can configure a new card for the driver # using the card_atr block. The goal is to centralize # everything related to a certain card to card_atr. # # The supported internal card driver names can be retrieved # from the output of: # $ opensc-tool --list-drivers # Generic format: card_atr # New card entry for the flex card driver # card_atr 3b:f0:0d:ca:fe { # All parameters for the context are # optional unless specified otherwise. # Context: global, card driver # # ATR mask value # # The mask is logically AND'd with an # card ATR prior to comparison with the # ATR reference value above. Using mask # allows identifying and configuring # multiple ATRs as the same card model. # atrmask = "ff:ff:ff:ff:ff"; # Context: card driver # # Specify used card driver (REQUIRED). # # When enabled, overrides all possible # settings from the card drivers built-in # card configuration list. # driver = "flex"; # Set card name for card drivers that allows it. # name = "My CryptoFlex card"; # Card type as an integer value. # # Depending on card driver, this allows # tuning the behaviour of the card driver # for your card. # type = "2002"; # Card flags as an hex value. # Multiple values are OR'd together. # # Depending on card driver, this allows # fine-tuning the capabilities in # the card driver for your card. # # Optionally, some known parameters # can be specified as strings: # # keygen - On-board key generation capability # rng - On-board random number source # # flags = "keygen", "rng", "0x80000000"; # # Context: PKCS#15 emulation layer # # When using PKCS#15 emulation, force # the emulation driver for specific cards. # # Required for external drivers, but can # be used with built-in drivers, too. # pkcs15emu = "custom"; # # Context: reader driver # # Force protocol selection for specific cards. # Known parameters: t0, t1, raw # force_protocol = "t0"; # } # PIV cards need an entry similar to this one: # card_atr 3B:7D:96:00:00:80:31:80:65:B0:83:11:00:AC:83:00:90:00 { # name = "PIV-II"; # driver = "piv"; # } # Estonian ID card and Micardo driver currently play together with T=0 # only. In theory only the 'cold' ATR should be specified, as T=0 will # be the preferred protocol once you boot it up with T=0, but be # paranoid. card_atr 3b:6e:00:ff:45:73:74:45:49:44:20:76:65:72:20:31:2e:30 { force_protocol = t0; } card_atr 3b:fe:94:00:ff:80:b1:fa:45:1f:03:45:73:74:45:49:44:20:76:65:72:20:31:2e:30:43 { force_protocol = t0; } # D-Trust cards are also based on micardo and need T=0 for some reason card_atr 3b:ff:94:00:ff:80:b1:fe:45:1f:03:00:68:d2:76:00:00:28:ff:05:1e:31:80:00:90:00:23 { force_protocol = t0; } card_atr 3b:ff:11:00:ff:80:b1:fe:45:1f:03:00:68:d2:76:00:00:28:ff:05:1e:31:80:00:90:00:a6 { force_protocol = t0; } # Below are the framework specific configuration blocks. # PKCS #15 framework pkcs15 { # Whether to use the cache files in the user's # home directory. # # At the moment you have to 'teach' the card # to the system by running command: pkcs15-tool -L # # WARNING: Caching shouldn't be used in setuid root # applications. # Default: false # use_caching = true; # Enable pkcs15 emulation. # Default: yes # enable_pkcs15_emulation = no; # Prefer pkcs15 emulation code before # the normal pkcs15 processing. # Default: no # try_emulation_first = yes; # Enable builtin emulators. # Default: yes # enable_builtin_emulation = yes; # list of the builtin pkcs15 emulators to test builtin_emulators = esteid, openpgp, tcos, starcert, infocamere, postecert, actalis, atrust-acos, gemsafeGPK, gemsafeV1, tccardos, PIV-II, rutoken; # additional settings per driver # # For pkcs15 emulators loaded from an external shared # library/DLL, you need to specify the path name of the module # and customize the card_atr example above correctly. # # emulate custom { # The location of the driver library # module = /usr/lib/opensc/drivers/p15emu_custom.so; # } } } # Parameters for the OpenSC PKCS11 module app opensc-pkcs11 { pkcs11 { # Maximum Number of virtual slots. # If there are more slots than defined here, # the remaining slots will be hidden from PKCS#11. max_virtual_slots = 8; # Maximum number of slots per smart card. # If the card has fewer keys than defined here, # the remaining number of slots will be empty. num_slots = 4; # Normally, the pkcs11 module will create # the full number of slots defined above by # num_slots. If there are fewer pins/keys on # the card, the remaining keys will be empty # (and you will be able to create new objects # within them). # # Set this option to true to hide these empty # slots. hide_empty_tokens = yes; # By default, the OpenSC PKCS#11 module will not lock # this card once you have authenticated to the card via # C_Login. This may add some risk as other users may connect # to the card and perform crypto operations (which may be # possible because you have already authenticated with the # card). You may consider changing it to true. # # However, if you do, this also means that no other # application that _you_ run can use the card until your # application has done a C_Logout or C_Finalize. In the case # of Netscape or Mozilla, this does not happen until you exit # the browser. # Default: false # lock_login = true; # Normally, the pkcs11 module will not cache PINs # presented via C_Login. However, some cards # may not work properly with OpenSC; for instance # when you have two keys on your card that get # stored in two different directories. # # In this case, you can turn on PIN caching by setting # cache_pins = true # # Default: true # cache_pins = false; # Set this value to false if you want to enforce on-card # keypair generation # # Default: true # soft_keygen_allowed = false; } } app tokend { # Score for OpenSC.tokend framework tokend { score = 10; } }