246 lines
8.0 KiB
XML
246 lines
8.0 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<refentry id="pkcs15-tool">
|
|
<refmeta>
|
|
<refentrytitle>pkcs15-tool</refentrytitle>
|
|
<manvolnum>1</manvolnum>
|
|
<refmiscinfo class="productname">OpenSC</refmiscinfo>
|
|
<refmiscinfo class="manual">OpenSC Tools</refmiscinfo>
|
|
<refmiscinfo class="source">opensc</refmiscinfo>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>pkcs15-tool</refname>
|
|
<refpurpose>utility for manipulating PKCS #15 data structures
|
|
on smart cards and similar security tokens</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<command>pkcs15-tool</command>
|
|
<arg choice="opt"><replaceable class="option">OPTIONS</replaceable></arg>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
<para>
|
|
The <command>pkcs15-tool</command> utility is used to manipulate
|
|
the PKCS #15 data structures on smart cards and similar security
|
|
tokens. Users can list and read PINs, keys and certificates stored
|
|
on the token. User PIN authentication is performed for those
|
|
operations that require it.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Options</title>
|
|
<para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>
|
|
<option>--aid</option> <replaceable>aid</replaceable>
|
|
</term>
|
|
<listitem><para>Specify in a hexadecimal form the AID of the on-card PKCS#15
|
|
application to be binded to.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--auth-id</option> <replaceable>pin</replaceable>,
|
|
<option>-a</option> <replaceable>pin</replaceable>
|
|
</term>
|
|
<listitem><para>Specifies the auth id of the PIN to use for the
|
|
operation. This is useful with the --change-pin operation.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--change-pin</option>
|
|
</term>
|
|
<listitem><para>Changes a PIN or PUK stored on the token. User authentication
|
|
is required for this operation.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--dump</option>,
|
|
<option>-D</option>
|
|
</term>
|
|
<listitem><para>Dump card objects.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--learn-card</option>,
|
|
<option>-L</option>
|
|
</term>
|
|
<listitem><para>Cache PKCS #15 token data to the local filesystem.
|
|
Subsequent operations are performed on the cached data where possible.
|
|
If the cache becomes out-of-sync with the token state (eg. new key is
|
|
generated and stored on the token), the cache should be updated or
|
|
operations may show stale results.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--list-applications</option>
|
|
</term>
|
|
<listitem><para>List the on-card PKCS#15 applications</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--list-certificates</option>,
|
|
<option>-c</option>
|
|
</term>
|
|
<listitem><para>Lists all certificates stored on the token.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--list-data-objects</option>,
|
|
<option>-C</option>
|
|
</term>
|
|
<listitem><para>Lists all data objects stored on the token.
|
|
For some cards the PKCS#15 attributes of the private data objects are
|
|
protected for reading and need the authentication with the User PIN.
|
|
In such a case the <option>--verify-pin</option> option has to be used.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--list-keys</option>,
|
|
<option>-k</option>
|
|
</term>
|
|
<listitem><para>Lists all private keys stored on the token. General
|
|
information about each private key is listed (eg. key name, id and
|
|
algorithm). Actual private key values are not displayed.
|
|
For some cards the PKCS#15 attributes of the private keys are protected for reading
|
|
and need the authentication with the User PIN.
|
|
In such a case the <option>--verify-pin</option> option has to be used.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--list-pins</option>
|
|
</term>
|
|
<listitem><para>Lists all PINs stored on the token. General information
|
|
about each PIN is listed (eg. PIN name). Actual PIN values are not shown.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--list-public-keys</option>
|
|
</term>
|
|
<listitem><para>Lists all public keys stored on the token, including
|
|
key name, id, algorithm and length information.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--no-cache</option>
|
|
</term>
|
|
<listitem><para>Disables token data caching.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--output</option> <replaceable>filename</replaceable>,
|
|
<option>-o</option> <replaceable>filename</replaceable>
|
|
</term>
|
|
<listitem><para>Specifies where key output should be written.
|
|
If <replaceable>filename</replaceable> already exists, it will be overwritten.
|
|
If this option is not given, keys will be printed to standard output.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--read-certificate</option> <replaceable>cert</replaceable>,
|
|
<option>-r</option> <replaceable>cert</replaceable>
|
|
</term>
|
|
<listitem><para>Reads the certificate with the given id.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--read-data-object</option> <replaceable>cert</replaceable>,
|
|
<option>-R</option> <replaceable>data</replaceable>
|
|
</term>
|
|
<listitem><para>Reads data object with OID, applicationName or label.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--read-public-key</option> <replaceable>id</replaceable>
|
|
</term>
|
|
<listitem><para>Reads the public key with id <replaceable>id</replaceable>,
|
|
allowing the user to extract and store or use the public key.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--read-ssh-key</option> <replaceable>id</replaceable>
|
|
</term>
|
|
<listitem><para>Reads the public key with id <replaceable>id</replaceable>,
|
|
writing the output in format suitable for
|
|
<filename>$HOME/.ssh/authorized_keys</filename>.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--reader</option> <replaceable>num</replaceable>
|
|
</term>
|
|
<listitem><para>Forces <command>pkcs15-tool</command> to use reader
|
|
number <replaceable>num</replaceable> for operations. The default is to use
|
|
reader number 0, the first reader in the system.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--unblock-pin</option>,
|
|
<option>-u</option>
|
|
</term>
|
|
<listitem><para>Unblocks a PIN stored on the token. Knowledge of the
|
|
Pin Unblock Key (PUK) is required for this operation.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--verbose</option>,
|
|
<option>-v</option>
|
|
</term>
|
|
<listitem><para>Causes <command>pkcs15-tool</command> to be more
|
|
verbose. Specify this flag several times to enable debug output
|
|
in the OpenSC library.</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>
|
|
<option>--verify-pin</option>
|
|
</term>
|
|
<listitem><para>Verify PIN after card binding and before issuing any command
|
|
(without 'auth-id' the first non-SO, non-Unblock PIN will be verified)</para></listitem>
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>See also</title>
|
|
<para>
|
|
<citerefentry>
|
|
<refentrytitle>pkcs15-init</refentrytitle>
|
|
<manvolnum>1</manvolnum>
|
|
</citerefentry>,
|
|
<citerefentry>
|
|
<refentrytitle>pkcs15-crypt</refentrytitle>
|
|
<manvolnum>1</manvolnum>
|
|
</citerefentry>
|
|
</para>
|
|
</refsect1>
|
|
|
|
</refentry>
|