# Configuration file for OpenSC # Example configuration file # NOTE: All key-value pairs must be terminated by a semicolon. # Default values for any application # These can be overridden by an application # specific configuration block. app default { # Amount of debug info to print # # A greater value means more debug info. # Default: 0 # debug = 0; # The file to which debug output will be written # # Special values 'stdout' and 'stderr' are recognized. # Default: stderr # # debug_file = @DEBUG_FILE@ # Re-open debug file (used in WIN32) # # In Windows, file handles can not be shared between DLL-s, # each DLL has a separate file handle table. # For that reason reopen debug file before every debug message. # # Default: true # reopen_debug_file = false; # PKCS#15 initialization / personalization # profiles directory for pkcs15-init. # Default: @pkgdatadir@ # # profile_dir = @pkgdatadir@; # Paranoid memory allocation. # # If set to 'true', then refuse to continue when locking of non-pageable # memory fails. This can cause subtle failures but is more secure when # you have a swap disk. # Default: false # # paranoid_memory = false; # CT-API module configuration. reader_driver ctapi { # module @libdir@/libtowitoko.so { # CT-API ports: # 0..3 COM1..4 # 4 Printer # 5 Modem # 6..7 LPT1..2 # ports = 0; # } } # The following section shows definitions for PC/SC readers. reader_driver pcsc { # Limit command and response sizes. # Default: n/a # max_send_size = 255; # max_recv_size = 256; # # Connect to reader in exclusive mode? # Default: false # connect_exclusive = true; # # What to do when disconnecting from a card (SCardDisconnect) # Valid values: leave, reset, unpower. # Default: reset # disconnect_action = unpower; # # What to do at the end of a transaction (SCardEndTransaction) # Valid values: leave, reset, unpower. # Default: leave # transaction_end_action = reset; # # What to do when reconnection to a card (SCardReconnect) # Valid values: leave, reset, unpower. # Note that this affects only the internal reconnect (after a SCARD_W_RESET_CARD). # A forced reset via sc_reset() always does a full powerup. # Default: leave # reconnect_action = reset; # # Enable pinpad if detected (PC/SC v2.0.2 Part 10) # Default: true # enable_pinpad = false; # # Use specific pcsc provider. # Default: @DEFAULT_PCSC_PROVIDER@ # provider_library = @DEFAULT_PCSC_PROVIDER@ } # Options for OpenCT support reader_driver openct { # Virtual readers to allocate. # Default: 2 # readers = 5; # # Limit command and response sizes. # Default: n/a # max_send_size = 255; # max_recv_size = 256; }; # What card drivers to load at start-up # # A special value of 'internal' will load all # statically linked drivers. If an unknown (ie. not # internal) driver is supplied, a separate configuration # configuration block has to be written for the driver. # Default: internal # NOTE: When "internal" keyword is used, must be last entry # # card_drivers = customcos, internal; # Card driver configuration blocks. # For card drivers loaded from an external shared library/DLL, # you need to specify the path name of the module # # card_driver customcos { # The location of the driver library # module = @libdir@/card_customcos.so; # } # Force using specific card driver # # If this option is present, OpenSC will use the supplied # driver with all inserted cards. # # Default: autodetect # # force_card_driver = customcos; # In addition to the built-in list of known cards in the # card driver, you can configure a new card for the driver # using the card_atr block. The goal is to centralize # everything related to a certain card to card_atr. # # The supported internal card driver names can be retrieved # from the output of: # $ opensc-tool --list-drivers # Generic format: card_atr # New card entry for the flex card driver # card_atr 3b:f0:0d:ca:fe { # All parameters for the context are # optional unless specified otherwise. # Context: global, card driver # # ATR mask value # # The mask is logically AND'd with an # card ATR prior to comparison with the # ATR reference value above. Using mask # allows identifying and configuring # multiple ATRs as the same card model. # atrmask = "ff:ff:ff:ff:ff"; # Context: card driver # # Specify used card driver (REQUIRED). # # When enabled, overrides all possible # settings from the card drivers built-in # card configuration list. # driver = "flex"; # Set card name for card drivers that allows it. # name = "My CryptoFlex card"; # Card type as an integer value. # # Depending on card driver, this allows # tuning the behaviour of the card driver # for your card. # type = "2002"; # Card flags as an hex value. # Multiple values are OR'd together. # # Depending on card driver, this allows # fine-tuning the capabilities in # the card driver for your card. # # Optionally, some known parameters # can be specified as strings: # # rng - On-board random number source # # flags = "rng", "0x80000000"; # # Context: PKCS#15 emulation layer # # When using PKCS#15 emulation, force # the emulation driver for specific cards. # # Required for external drivers, but can # be used with built-in drivers, too. # pkcs15emu = "custom"; # # Context: reader driver # # Force protocol selection for specific cards. # Known parameters: t0, t1, raw # force_protocol = "t0"; # } # PIV cards need an entry similar to this one: # card_atr 3B:7D:96:00:00:80:31:80:65:B0:83:11:00:AC:83:00:90:00 { # name = "PIV-II"; # driver = "piv"; # } # Estonian ID card and Micardo driver sometimes only play together with T=0 # In theory only the 'cold' ATR should be specified, as T=0 will # be the preferred protocol once you boot it up with T=0, but be # paranoid. # # Warm ATR v1 card_atr 3b:6e:00:ff:45:73:74:45:49:44:20:76:65:72:20:31:2e:30 { force_protocol = t0; } # Cold ATR v1 card_atr 3b:fe:94:00:ff:80:b1:fa:45:1f:03:45:73:74:45:49:44:20:76:65:72:20:31:2e:30:43 { force_protocol = t0; } # Warm ATR v2 card_atr 3b:5e:11:ff:45:73:74:45:49:44:20:76:65:72:20:31:2e:30 { force_protocol = t0; } # Cold ATR v2 card_atr 3b:de:18:ff:c0:80:b1:fe:45:1f:03:45:73:74:45:49:44:20:76:65:72:20:31:2e:30:2b { force_protocol = t0; } # Digi-ID cold ATR. The same card has the same warm ATR as "Cold ATR v1" above # The card is claimed to only support T=0 but in fact (sometimes) works with T=1, even if not advertised in ATR. card_atr 3b:6e:00:00:45:73:74:45:49:44:20:76:65:72:20:31:2e:30 { force_protocol = t0; } # Cold ATR v3 dev1 card_atr 3b:fe:18:00:00:80:31:fe:45:45:73:74:45:49:44:20:76:65:72:20:31:2e:30:a8 { force_protocol = t0; } # Warm ATR v3 dev1 card_atr 3b:fe:18:00:00:80:31:fe:45:80:31:80:66:40:90:a4:56:1b:16:83:01:90:00:86 { force_protocol = t0; } # Warm ATR v3 dev2 card_atr 3b:fe:18:00:00:80:31:fe:45:80:31:80:66:40:90:a4:16:2a:00:83:01:90:00:e1 { force_protocol = t0; } # Warm ATR v3 (18.01.2011) card_atr 3b:fe:18:00:00:80:31:fe:45:80:31:80:66:40:90:a4:16:2a:00:83:0f:90:00:ef { force_protocol = t0; } # D-Trust cards are also based on micardo and need T=0 for some reason card_atr 3b:ff:94:00:ff:80:b1:fe:45:1f:03:00:68:d2:76:00:00:28:ff:05:1e:31:80:00:90:00:23 { force_protocol = t0; } card_atr 3b:ff:11:00:ff:80:b1:fe:45:1f:03:00:68:d2:76:00:00:28:ff:05:1e:31:80:00:90:00:a6 { force_protocol = t0; } # Oberthur's AuthentIC v3.2.2 card_atr 3B:DD:18:00:81:31:FE:45:80:F9:A0:00:00:00:77:01:00:70:0A:90:00:8B { type = 11100; driver = "authentic"; name = "AuthentIC v3.1"; # Name of SM configuration sub-section # secure_messaging = local_authentic; } # IAS/ECC cards card_atr 3B:7F:96:00:00:00:31:B9:64:40:70:14:10:73:94:01:80:82:90:00 { type = 25001; driver = "iasecc"; name = "Gemalto MultiApp IAS/ECC v1.0.1"; secure_messaging = local_gemalto_iam; # secure_messaging = local_adele; md_read_only = false; md_supports_X509_enrollment = true; } card_atr 3B:7F:96:00:00:00:31:B8:64:40:70:14:10:73:94:01:80:82:90:00 { type = 25001; driver = "iasecc"; name = "Gemalto MultiApp IAS/ECC v1.0.1"; secure_messaging = local_gemalto_iam; md_read_only = false; md_supports_X509_enrollment = true; } #card_atr 3B:DD:18:00:81:31:FE:45:80:F9:A0:00:00:00:77:01:08:00:07:90:00:FE { # type = 25002; # driver = "iasecc"; # name = "Oberthur IAS/ECC v1.0.1"; # # No 'admin' application for this card -- no secure messaging #} #card_atr 3B:7F:18:00:00:00:31:B8:64:50:23:EC:C1:73:94:01:80:82:90:00 { # type = 25003; # driver = "iasecc"; # name = "Morpho YpsID S3 IAS/ECC"; # # secure_messaging = local_morpho_YpsID_S3; #} card_atr 3B:DF:18:FF:81:91:FE:1F:C3:00:31:B8:64:0C:01:EC:C1:73:94:01:80:82:90:00:B3 { type = 25004; driver = "iasecc"; name = "Amos IAS/ECC v1.0.1"; md_read_only = false; md_supports_X509_enrollment = true; secure_messaging = local_amos; } card_atr 3B:DC:18:FF:81:91:FE:1F:C3:80:73:C8:21:13:66:01:0B:03:52:00:05:38 { type = 25004; driver = "iasecc"; name = "Amos IAS/ECC v1.0.1"; md_read_only = false; md_supports_X509_enrollment = true; secure_messaging = local_amos_eid; } secure_messaging local_authentic { #path to ans name of external SM module #module_name = @DEFAULT_SM_MODULE@; #module_path = @libdir@; # specific data to tune the module initialization #module_data = "Here can be your SM module init data"; # SM mode: # 'transmit' -- in this mode the procedure to securize an APDU is called by the OpenSC general # APDU transmit procedure. # In this mode all APDUs, except the ones filtered by the card specific procedure, # are securized. # 'acl' -- in this mode APDU are securized only if needed by the ACLs of the command to be executed. # #mode = transmit; # SM type specific flags # flags = 0x78; # 0x78 -- level 3, channel 0 # Default KMC of the GP Card Manager for the Oberthur's Java cards # kmc = "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"; } secure_messaging local_gemalto_iam { module_name = @DEFAULT_SM_MODULE@; module_path = @libdir@; #module_data = ""; type = acl; # transmit, acl ifd_serial = "11:22:33:44:55:66:77:88"; # Keyset values from IAM profiles of the Gemalto IAS/ECC cards keyset_02_enc = "RW_PRIV_ENC_TEST"; keyset_02_mac = "RW_PRIV_MAC_TEST"; keyset_E828BD080FD2504543432D654944_01_enc = "RO_ENC_TEST_KEY_"; keyset_E828BD080FD2504543432D654944_01_mac = "RO_MAC_TEST_KEY_"; keyset_E828BD080FD2504543432D654944_03_enc = "RW_PUBL_ENC_TEST"; keyset_E828BD080FD2504543432D654944_03_mac = "RW_PUBL_MAC_TEST"; } secure_messaging local_amos { module_name = @DEFAULT_SM_MODULE@; module_path = @libdir@; mode = acl; ifd_serial = "11:22:33:44:55:66:77:88"; keyset_02_enc = "ENCROECHANTILLON"; keyset_02_mac = "MACROECHANTILLON"; } secure_messaging local_amos_eid { module_name = @DEFAULT_SM_MODULE@; module_path = @libdir@; mode = acl; ifd_serial = "11:22:33:44:55:66:77:88"; keyset_E828BD080FD2504543432D654944_03_enc = "RW_PUBL_ENC_TEST"; keyset_E828BD080FD2504543432D654944_03_mac = "RW_PUBL_MAC_TEST"; } secure_messaging local_adele { module_name = @DEFAULT_SM_MODULE@; module_path = @libdir@; #module_data = ""; type = acl; # transmit, acl ifd_serial = "11:22:33:44:55:66:77:88"; # Keyset values from 'Adele' profiles of the IAS/ECC cards keyset_01_enc = "EMENCECHANTILLON"; keyset_01_mac = "EMMACECHANTILLON"; keyset_02_enc = "AAENCECHANTILLON"; keyset_02_mac = "AAMACECHANTILLON"; keyset_E828BD080FD2500000040301_02_enc = "E2ENCECHANTILLON"; keyset_E828BD080FD2500000040301_02_mac = "E2MACECHANTILLON"; keyset_D2500000044164E86C650101_02_enc = "E1ENCECHANTILLON"; keyset_D2500000044164E86C650101_02_mac = "E1MACECHANTILLON"; keyset_D2500000044164E86C650101_03_enc = "SIENCECHANTILLON"; keyset_D2500000044164E86C650101_03_mac = "SIMACECHANTILLON"; } # Below are the framework specific configuration blocks. # PKCS #15 framework pkcs15 { # Whether to use the cache files in the user's # home directory. # # At the moment you have to 'teach' the card # to the system by running command: pkcs15-tool -L # # WARNING: Caching shouldn't be used in setuid root # applications. # Default: false # use_file_caching = true; # # Use PIN caching? # Default: true # use_pin_caching = false; # # How many times to use a PIN from cache before re-authenticating it? # Default: 10 # pin_cache_counter = 3; # # Enable pkcs15 emulation. # Default: yes # enable_pkcs15_emulation = no; # # Prefer pkcs15 emulation code before # the normal pkcs15 processing. # Some cards (like esteid and pteid) work in emu-only mode, # and do not depend on this option. # # Default: no # try_emulation_first = yes; # Enable builtin emulators. # Default: yes # enable_builtin_emulation = no; # # List of the builtin pkcs15 emulators to test # Default: esteid, openpgp, tcos, starcert, itacns, infocamere, postecert, actalis, atrust-acos, gemsafeGPK, gemsafeV1, tccardos, PIV-II; # builtin_emulators = openpgp; # additional settings per driver # # For pkcs15 emulators loaded from an external shared # library/DLL, you need to specify the path name of the module # and customize the card_atr example above correctly. # # emulate custom { # The location of the driver library # module = @libdir@/p15emu_custom.so; # } # some additional application parameters: # - type (generic, protected) used to distinguish the common access application # and application for which authentication to perform some operation cannot be # obtained with the common procedures (ex. object creation protected by secure messaging). # Used by PKCS#11 module configurated to expose restricted number of slots. # (for ex. configurated to expose only User PIN slot, User and Sign PINs slots, ...) application E828BD080FD25047656E65726963 { type = generic; model = "ECC Generic PKI"; } application E828BD080FD2500000040301 { type = generic; model = "Adèle Générique"; } application E828BD080FD2504543432D654944 { type = protected; model = "ECC eID"; } application E828BD080FD2500000040201 { type = protected; model = "Adèle Admin-2"; } } } # Parameters for the OpenSC PKCS11 module app opensc-pkcs11 { pkcs11 { # Should the module support hotplug of readers as per PKCS#11 v2.20? # This affects slot changes and PC/SC PnP, as v2.11 applications # are not allowed to change the length of the slot list. # Default: true # plug_and_play = false; # Maximum Number of virtual slots. # If there are more slots than defined here, # the remaining slots will be hidden from PKCS#11. # Default: 16 # max_virtual_slots = 32; # Maximum number of slots per smart card. # If the card has fewer keys than defined here, # the remaining number of slots will be empty. # Default: 4 # slots_per_card = 2; # (max_virtual_slots/slots_per_card) limits the number of readers # that can be used on the system. Default is then 16/4=4 readers. # Normally, the pkcs11 module will create # the full number of slots defined above by # num_slots. If there are fewer pins/keys on # the card, the remaining keys will be empty # (and you will be able to create new objects # within them). # Default: true # hide_empty_tokens = false; # By default, the OpenSC PKCS#11 module will not lock your card # once you authenticate to the card via C_Login. # # Thus the other users or other applications is not prevented # from connecting to the card and perform crypto operations # (which may be possible because you have already authenticated # with the card). This setting is not very secure. # # Also, if your card is not locked, you can enconter problems # due to limitation of the OpenSC framework, that still is not # thoroughly tested in the multi threads environment. # # Your settings will be more secure if you choose to lock your # card. Nevertheless this behavior is a known violation of PKCS#11 # specification. Now once one application has started using your # card with C_Login, no other application can use it, until # the first is done and calls C_Logout or C_Finalize. In the case # of many PKCS#11 application this does not happen until you exit # the application. # Thus it is impossible to use several smart card aware applications # at the same time, e.g. you cannot run both Firefox and Thunderbird at # the same time, if both are configured to use your smart card. # # Default: false # lock_login = true; # User PIN unblock style # none: PIN unblock is not possible with PKCS#11 API; # set_pin_in_unlogged_session: C_SetPIN() in unlogged session: # PUK is passed as the 'OldPin' argument of the C_SetPIN() call. # set_pin_in_specific_context: C_SetPIN() in the CKU_SPECIFIC_CONTEXT logged session: # PUK is passed as the 'OldPin' argument of the C_SetPIN() call. # init_pin_in_so_session: C_InitPIN() in CKU_SO logged session: # User PIN 'UNBLOCK' is protected by SOPIN. (PUK == SOPIN). # # Actually this style works only for the PKCS15 contents without SOPIN. # # For those with SOPIN, this mode will be usefull for the cards without # # modes 00 and 01 of ISO command 'RESET RETRY COUNTER'. --vt # # Default: none # user_pin_unblock_style = set_pin_in_unlogged_session; # Create slot for unblocking PIN with PUK # This way PKCS#11 API can be used to login with PUK and # change a PIN. # Warning: causes problems with some applications like # firefox and thunderbird. Thus turned off by default # # Default: false # create_puk_slot = true; # Report as 'zero' the CKA_ID attribute of CA certificate # For the unknown reason the middleware of the manufacturer of gemalto (axalto, gemplus) # card reports as '0' the CKA_ID of CA cartificates. # Maybe someone else will need it. (Would be nice to know who and what for -- VTA) # # Default: false # zero_ckaid_for_ca_certs = true; # List of readers to ignore # If any of the strings listed below is matched (case sensitive) in a reader name, # the reader is ignored by the PKCS#11 module. # # Default: empty # ignored_readers = "CardMan 1021", "SPR 532"; # Symbolic names of PINs for which slots are created # Card can contain more then one PINs or more then one on-card application with # its own PINs. Normally, to access all of them with the PKCS#11 API a slot has to be # created for all of them. Many slots could be ennoying for some of widely used application, # like FireFox. This configuration parameter allows to select the PINs or on-card application # for which PKCS#11 slot will be created. # Actually recognised following symbolic names: # 'user', 'sign', 'application', all # Only PINs initialised, non-SoPIN, non-unblocking are associated with symbolic name. # 'user' is identified as first global or first local PIN. # 'sign' is identified as second PIN: first local, second global or second local. # 'application' slot created for each on-card application, # even if they use a common global PIN. # 'all' slot created for all non-sopin, non-unblocking PINs, # optionally for PUK (see option 'create_puk_slot') # # Default: all # create_slots_for_pins = "user,sign"; # create_slots_for_pins = application; # create_slots_for_pins = "application,sign"; } } # Used by OpenSC.tokend on Mac OS X only. app tokend { # The file to which debug log will be written # Default: /tmp/opensc-tokend.log # # debug_file = /Library/Logs/OpenSC.tokend.log framework tokend { # Score for OpenSC.tokend # The tokend with the highest score shall be used. # Default: 300 # # score = 10; } } # XXX: remove cardmod pseudodriver app cardmod { # cardmod app name use special pcsc reader subset # fix options for this reader driver here. reader_driver cardmod { # Enable pinpad if detected (PC/SC v2.0.2 Part 10) # Default: true # enable_pinpad = false; } }