npa-tool(1), OpenSC Tools (opensc)
npa-tool: displays information on the German eID card (neuer Personalausweis, nPA).
npa-tool OPTIONS
Description
The npa-tool utility is used to display information
stored on the German eID card (neuer Personalausweis, nPA),
and to perform some write and verification operations.
Options
,
Print help and exit.
,
Print version and exit.
arg,
arg
Number of the reader to use. By default, the first
reader with a present card is used. If
arg is an ATR, the
reader with a matching card will be chosen.
,
Causes npa-tool to be more verbose.
Specify this flag several times to be more verbose.
Password Authenticated Connection Establishment (PACE)
STRING,
STRING
Run PACE with (transport) eID-PIN.
STRING,
STRING
Run PACE with PUK.
STRING,
STRING
Run PACE with Card Access Number (CAN).
STRING,
STRING
Run PACE with Machine Readable Zone (MRZ).
Enter the MRZ without newlines.
Specify whether to use environment variables PIN,
PUK, CAN, MRZ,
and NEWPIN.
You may want to clean your environment before enabling this.
(default=off)
PIN management
STRING,
STRING
Install a new PIN.
,
Resume eID-PIN (uses CAN to activate last retry).
(default=off)
,
Unblock PIN (uses PUK to activate three more retries).
(default=off)
Terminal Authentication (TA) and Chip Authentication (CA)
FILENAME,
FILENAME
Specify Card Verifiable (CV) certificate
to create a certificate chain.
The option can be given multiple times, in which case the
order is important.
HEX_STRING
Certificate description to show for Terminal Authentication.
HEX_STRING
Specify the Card Holder Authorization Template
(CHAT) to use.
If not given, it defaults to the terminal's CHAT.
Use 7F4C0E060904007F000703010203530103
to trigger EAC on the CAT-C (Komfortleser).
HEX_STRING,
HEX_STRING
Specify the terminal's auxiliary data.
If not given, the default is determined by verification
of validity, age and community ID.
FILENAME,
FILENAME
Specify the terminal's private key.
DIRECTORY
Specify where to look for the certificate of the
Country Verifying Certification Authority
(CVCA).
If not given, it defaults to
/home/fm/.local/etc/eac/cvc.
DIRECTORY
Specify where to look for the X.509 certificate.
If not given, it defaults to
/home/fm/.local/etc/eac/x509.
Disable checking the validity period of CV certificates.
(default=off)
Disable passive authentication. (default=off)
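The CHAT value quoted above (7F4C0E060904007F000703010203530103) is a BER-TLV object. The following added example, which is not part of npa-tool or OpenSC, decodes such a value into its OID and discretionary data so the requested terminal role can be checked before the string is handed to the tool. The function names are hypothetical and the role names in ROLES are taken from BSI TR-03110 as an assumption of this example.

```python
CHAT_HEX = "7F4C0E060904007F000703010203530103"  # value quoted on the page
# Terminal roles under id-roles (names per BSI TR-03110; assumption of this example).
ROLES = {
    "0.4.0.127.0.7.3.1.2.1": "id-IS (inspection system)",
    "0.4.0.127.0.7.3.1.2.2": "id-AT (authentication terminal)",
    "0.4.0.127.0.7.3.1.2.3": "id-ST (signature terminal)",
}

def read_tlv(buf, pos):
    """Parse one short-form BER-TLV at buf[pos:]; return (tag, value, next_pos)."""
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:                 # multi-byte tag, e.g. 7F4C
        while True:
            tag = (tag << 8) | buf[pos]
            pos += 1
            if not tag & 0x80:             # last tag byte has bit 8 clear
                break
    length = buf[pos]
    pos += 1
    if length & 0x80 or pos + length > len(buf):
        raise ValueError("unsupported length form or truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(der):
    subs, val = [], 0
    for b in der:                          # base-128 subidentifiers
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(val)
            val = 0
    if not subs or der[-1] & 0x80:
        raise ValueError("malformed OID")
    head = [subs[0] // 40, subs[0] % 40] if subs[0] < 80 else [2, subs[0] - 80]
    return ".".join(map(str, head + subs[1:]))

def parse_chat(hex_string):
    """Decode a CHAT: 7F4C { 06 <role OID>, 53 <authorization bits> }."""
    raw = bytes.fromhex(hex_string)
    try:
        tag, body, end = read_tlv(raw, 0)
        t_oid, oid, pos = read_tlv(body, 0)
        t_auth, auth, pos = read_tlv(body, pos)
    except IndexError:
        raise ValueError("truncated CHAT") from None
    if (tag, t_oid, t_auth) != (0x7F4C, 0x06, 0x53) or end != len(raw) or pos != len(body):
        raise ValueError("expected 7F4C { 06 OID, 53 authorization }")
    name = decode_oid(oid)
    return {"oid": name, "role": ROLES.get(name, "unknown"), "authorization": auth.hex().upper()}
```

Malformed, truncated or trailing-garbage input raises ValueError instead of returning a partial result.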
Read and write data groups
Read data group 1: Document Type.
Read data group 2: Issuing State.
Read data group 3: Date of Expiry.
Read data group 4: Given Name(s).
Read data group 5: Family Name.
Read data group 6: Religious/Artistic Name.
Read data group 7: Academic Title.
Read data group 8: Date of Birth.
Read data group 9: Place of Birth.
Read data group 10: Nationality.
Read data group 11: Sex.
Read data group 12: Optional Data.
Read data group 13: Birth Name.
Read data group 14.
Read data group 15.
Read data group 16.
Read data group 17: Normal Place of Residence.
Read data group 18: Community ID.
Read data group 19: Residence Permit I.
Read data group 20: Residence Permit II.
Read data group 21: Optional Data.
HEX_STRING
Write data group 17: Normal Place of Residence.
HEX_STRING
Write data group 18: Community ID.
HEX_STRING
Write data group 19: Residence Permit I.
HEX_STRING
Write data group 20: Residence Permit II.
HEX_STRING
Write data group 21: Optional Data.
Verification of validity, age and community ID
YYYYMMDD
Verify chip's validity with a reference date.
YYYYMMDD
Verify age with a reference date.
HEX_STRING
Verify community ID with a reference ID.
Special options, not always useful
,
Brute force PIN, CAN or PUK.
Use together with options ,
, or .
(default=off)
FILENAME,
FILENAME
Specify the file with APDUs of HEX_STRINGs to send
through the secure channel.
(default=`stdin')
Force compliance to BSI TR-03110 version 2.01. (default=off)
Disable all checking of fly-by-data. (default=off)
Authors
npa-tool was written by
Frank Morgner frankmorgner@gmail.com.