<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>OpenSC Manual Pages: Section 5</title><meta name="generator" content="DocBook XSL Stylesheets V1.79.1"><style type="text/css"><!--
|
|
body {
|
|
font-family: Verdana, Arial;
|
|
font-size: 0.9em;
|
|
}
|
|
|
|
.title {
|
|
font-size: 1.5em;
|
|
text-align: center;
|
|
}
|
|
|
|
.toc b {
|
|
font-size: 1.2em;
|
|
border-bottom: dashed 1px black;
|
|
}
|
|
|
|
a {
|
|
color: blue;
|
|
text-decoration: none;
|
|
}
|
|
|
|
a:visited {
|
|
color: blue;
|
|
text-decoration: none;
|
|
}
|
|
|
|
pre.programlisting {
|
|
font-size: 1.1em;
|
|
background-color: #EEEEEE ;
|
|
border: 1px solid #006600 ;
|
|
padding: 1em;
|
|
}
|
|
|
|
span.symbol {
|
|
font-weight: bold;
|
|
}
|
|
|
|
span.errorname {
|
|
font-weight: bold;
|
|
}
|
|
|
|
span.errortext {
|
|
font-style: italic;
|
|
}
|
|
|
|
--></style></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="book"><div class="titlepage"><div><div><h1 class="title"><a name="idm1"></a>OpenSC Manual Pages: Section 5</h1></div></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl class="toc"><dt><span class="refentrytitle"><a href="#opensc.conf">opensc.conf</a></span><span class="refpurpose"> — configuration file for OpenSC</span></dt><dt><span class="refentrytitle"><a href="#pkcs15-profile">pkcs15-profile</a></span><span class="refpurpose"> — format of profile for <span class="command"><strong>pkcs15-init</strong></span></span></dt></dl></div><div class="refentry"><a name="opensc.conf"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>opensc.conf — configuration file for OpenSC</p></div><div class="refsect1"><a name="idm13"></a><h2>Description</h2><p>
|
|
OpenSC obtains configuration data from the following sources in the following order
|
|
</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
|
|
command-line options
|
|
</p></li><li class="listitem"><p>
|
|
environment variables
|
|
</p></li><li class="listitem"><p>
|
|
Windows registry key in
|
|
<code class="literal">HKEY_CURRENT_USER</code> (if available)
|
|
</p></li><li class="listitem"><p>
|
|
Windows registry key in
|
|
<code class="literal">HKEY_LOCAL_MACHINE</code> (if available)
|
|
</p></li><li class="listitem"><p>
|
|
system-wide configuration file
|
|
(<code class="literal">/usr/etc/opensc.conf</code>)
|
|
</p></li></ol></div><p>
|
|
</p><p>
|
|
The configuration file, <code class="literal">opensc.conf</code>, is composed
|
|
of <em class="replaceable"><code>block</code></em>s, which, in general, have the
|
|
following format:
|
|
</p><pre class="programlisting">
|
|
<em class="replaceable"><code>key</code></em> [<em class="replaceable"><code>name</code></em>[, <em class="replaceable"><code>name</code></em>...]] {
|
|
<em class="replaceable"><code>block_contents</code></em>
|
|
}
|
|
</pre><p>
|
|
<em class="replaceable"><code>block_contents</code></em> is one or more
|
|
<em class="replaceable"><code>block_item</code></em>s where a
|
|
<em class="replaceable"><code>block_item</code></em> is one of
|
|
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
|
|
# <em class="replaceable"><code>comment string</code></em>
|
|
</p></li><li class="listitem"><p>
|
|
<em class="replaceable"><code>key</code></em> [<em class="replaceable"><code>name</code></em>[, <em class="replaceable"><code>name</code></em>...]] = <em class="replaceable"><code>value</code></em>[, <em class="replaceable"><code>value</code></em>...];
|
|
</p></li><li class="listitem"><p>
|
|
<em class="replaceable"><code>block</code></em>
|
|
</p></li></ul></div><p>
|
|
</p><p>
|
|
At the root level, <code class="literal">opensc.conf</code> should contain
|
|
one or more application specific configuration blocks:
|
|
</p><pre class="programlisting">
|
|
app <em class="replaceable"><code>application</code></em> {
|
|
<em class="replaceable"><code>block_contents</code></em>
|
|
}
|
|
</pre><p>
|
|
<em class="replaceable"><code>application</code></em>
|
|
specifies one of:
|
|
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
|
|
<code class="literal">default</code>: The fall-back configuration block for all applications
|
|
</p></li><li class="listitem"><p>
|
|
<code class="literal">opensc-pkcs11</code>: Configuration block for the PKCS#11 module (<code class="filename">opensc-pkcs11.so</code>)
|
|
</p></li><li class="listitem"><p>
|
|
<code class="literal">onepin-opensc-pkcs11</code>: Configuration block for the PKCS#11 one-PIN-module (<code class="filename">onepin-opensc-pkcs11.so</code>)
|
|
</p></li><li class="listitem"><p>
|
|
<code class="literal">cardmod</code>: Configuration block for Windows' minidriver (<code class="filename">opensc-minidriver.dll</code>)
|
|
</p></li><li class="listitem"><p>
|
|
<code class="literal">tokend</code>: Configuration block for macOS' tokend (<span class="application">OpenSC.tokend</span>)
|
|
</p></li><li class="listitem"><p>
|
|
<code class="literal">cardos-tool</code>,
|
|
<code class="literal">cryptoflex-tool</code>,
|
|
<code class="literal">dnie-tool</code>,
|
|
<code class="literal">egk-tool</code>,
|
|
<code class="literal">eidenv</code>,
|
|
<code class="literal">gids-tool</code>,
|
|
<code class="literal">iasecc-tool</code>,
|
|
<code class="literal">netkey-tool</code>,
|
|
<code class="literal">npa-tool</code>,
|
|
<code class="literal">openpgp-tool</code>,
|
|
<code class="literal">opensc-asn1</code>,
|
|
<code class="literal">opensc-explorer</code>,
|
|
<code class="literal">opensc-notify</code>,
|
|
<code class="literal">opensc-tool</code>,
|
|
<code class="literal">piv-tool</code>,
|
|
<code class="literal">pkcs11-tool</code>,
|
|
<code class="literal">pkcs15-crypt</code>,
|
|
<code class="literal">pkcs15-init</code>,
|
|
<code class="literal">pkcs15-tool</code>,
|
|
<code class="literal">sc-hsm-tool</code>,
|
|
<code class="literal">westcos-tool</code>:
|
|
Configuration block for OpenSC tools
|
|
</p></li></ul></div><p>
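The block grammar and the application blocks described above can be exercised with a small parser. The following is an added example written for this page, not OpenSC's own scconf parser: it implements only the documented syntax (comments, <code class="literal">key name... { ... }</code> blocks and <code class="literal">key = value;</code> items with comma-separated values) and then resolves a setting for one application with <code class="literal">app default</code> as the fall-back block. The sample configuration is constructed for the example, the "last occurrence wins" rule for repeated keys is an assumption, and the per-key fall-back in <code class="literal">setting()</code> is a simplification of how OpenSC searches its blocks.

```python
import re

# Constructed sample configuration; every setting used here is one this page documents.
SAMPLE_CONF = r'''
# system-wide opensc.conf (constructed example, not a shipped file)
app default {
    debug = 0;
    card_drivers = internal;
    reader_driver pcsc {
        enable_pinpad = true;
        disconnect_action = reset;
    }
}

app opensc-pkcs11 {
    # the PKCS#11 module gets a tighter driver whitelist than everything else
    card_drivers = openpgp, PIV-II;
    ignored_readers = "Virtual Reader", "Example Vendor # 2";
}
'''

# Tokens: a '#' comment to end of line, a double-quoted string, one of the
# punctuation characters of the grammar, or a bare word.
_TOKEN = re.compile(r'#[^\n]*|"(?:[^"\\]|\\.)*"|[{}=;,]|[^\s{}=;,"#]+')


def tokenize(text):
    """Split configuration text into tokens, dropping comments."""
    return [t for t in _TOKEN.findall(text) if not t.startswith('#')]


def _unquote(tok):
    return tok[1:-1].replace('\\"', '"') if tok.startswith('"') else tok


def parse(text):
    """Parse opensc.conf text into nested dicts.

    A block 'key name...' becomes an entry whose key is the header words joined
    by single spaces (e.g. 'app default', 'reader_driver pcsc'); an item becomes
    a string, or a list of strings when the value is a comma-separated list.
    A repeated key keeps the last occurrence (an assumption of this example).
    """
    toks = tokenize(text)
    pos = 0

    def need(what):
        if pos >= len(toks):
            raise ValueError(f'unexpected end of input, expected {what}')
        return toks[pos]

    def parse_block():
        nonlocal pos
        block = {}
        while pos < len(toks) and toks[pos] != '}':
            # header: key [name[, name...]] followed by '{' (block) or '=' (item)
            words = []
            while need("'{' or '='") not in ('{', '='):
                if toks[pos] in ('}', ';'):
                    raise ValueError(f'unexpected {toks[pos]!r} after {" ".join(words)!r}')
                if toks[pos] != ',':
                    words.append(_unquote(toks[pos]))
                pos += 1
            key = ' '.join(words)
            if toks[pos] == '{':
                pos += 1
                block[key] = parse_block()
                if need("'}'") != '}':
                    raise ValueError(f'unterminated block {key!r}')
                pos += 1
            else:  # '=' : collect value[, value...] up to ';'
                pos += 1
                values = []
                while need("';'") != ';':
                    if toks[pos] in ('{', '}', '='):
                        raise ValueError(f'bad value for {key!r}')
                    if toks[pos] != ',':
                        values.append(_unquote(toks[pos]))
                    pos += 1
                pos += 1
                block[key] = values if len(values) > 1 else (values[0] if values else '')
        return block

    conf = parse_block()
    if pos != len(toks):
        raise ValueError("unbalanced '}'")
    return conf


def setting(conf, app, *path):
    """Resolve a setting for application `app`.

    `path` names nested blocks and then the key, e.g.
    ('reader_driver pcsc', 'disconnect_action'). The application's own block is
    consulted first and 'app default' second; None if neither has the setting.
    """
    for block_name in (f'app {app}', 'app default'):
        node = conf.get(block_name)
        for step in path:
            node = node.get(step) if isinstance(node, dict) else None
        if node is not None:
            return node
    return None


if __name__ == '__main__':
    conf = parse(SAMPLE_CONF)
    for app in ('opensc-pkcs11', 'pkcs15-tool'):
        print(app, 'card_drivers =', setting(conf, app, 'card_drivers'),
              '| pcsc disconnect_action =',
              setting(conf, app, 'reader_driver pcsc', 'disconnect_action'))
```

Running it shows the two-level resolution at work: <code class="literal">opensc-pkcs11</code> gets its own driver whitelist while an unlisted tool such as <code class="literal">pkcs15-tool</code> receives everything from <code class="literal">app default</code>, including the nested <code class="literal">reader_driver pcsc</code> settings.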
|
|
</p></div><div class="refsect1"><a name="idm103"></a><h2>Configuration Options</h2><div class="variablelist"><dl class="variablelist"><dt><a name="debug"></a><span class="term">
|
|
<code class="option">debug = <em class="replaceable"><code>num</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Amount of debug info to print (Default:
|
|
<code class="literal">0</code>). A greater value means more
|
|
debug info.
|
|
</p><p>
|
|
The environment variable
|
|
<code class="envar">OPENSC_DEBUG</code> overrides this
|
|
setting.
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">debug_file = <em class="replaceable"><code>filename</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
The file to which debug output will be written
(Default: <code class="literal">stderr</code>). Special
values <code class="literal">stdout</code> and
<code class="literal">stderr</code> are recognized.
Higher debug levels include traces of the APDUs
exchanged with the card, so treat a debug file as
sensitive and do not write it to a location that
other users can read.
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">profile_dir = <em class="replaceable"><code>filename</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
PKCS#15 initialization/personalization profiles
|
|
directory for
|
|
<span class="citerefentry"><span class="refentrytitle">pkcs15-init</span>(1)</span>
|
|
(Default: <code class="literal">/usr/share/opensc</code>).
|
|
</p><p>
|
|
If this configuration value is not found on
|
|
Windows, the registry key
|
|
<code class="filename">Software\OpenSC
|
|
Project\OpenSC\ProfileDir</code> is
|
|
checked.
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">disable_popups = <em class="replaceable"><code>bool</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Disable pop-ups of built-in GUI (Default: <code class="literal">false</code>).
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">enable_default_driver = <em class="replaceable"><code>bool</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Enable default card driver (Default:
|
|
<code class="literal">false</code>). Default card driver is
|
|
explicitly enabled for
|
|
<span class="citerefentry"><span class="refentrytitle">opensc-explorer</span>(1)</span>
and
<span class="citerefentry"><span class="refentrytitle">opensc-tool</span>(1)</span>.
|
|
</p></dd><dt><a name="card_drivers"></a><span class="term">
|
|
<code class="option">card_drivers = <em class="replaceable"><code>name</code></em>... ;</code>
|
|
</span></dt><dd><p>
|
|
Whitelist of card drivers to load at start-up.
|
|
The special value <code class="literal">internal</code> (the
|
|
default) will load all statically linked drivers.
|
|
</p><p>
|
|
If a driver that is neither internal nor old is
listed, it is treated as an externally loaded driver
and a separate <code class="option">card_driver</code>
configuration block has to be written for it. The
special value <code class="literal">old</code> will
load all statically linked drivers that may be
removed in the future.
|
</p><p>
|
|
The list of supported card driver names can be
|
|
retrieved from the output of <span class="command"><strong>opensc-tool
|
|
--list-drivers</strong></span>.
|
|
</p><p>
|
|
The environment variable
|
|
<code class="envar">OPENSC_DRIVER</code> overrides this
|
|
setting.
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">ignored_readers = <em class="replaceable"><code>name</code></em>... ;</code>
|
|
</span></dt><dd><p>
|
|
List of readers to ignore (Default: empty). If any
of the comma separated strings listed is matched in
a reader name (case sensitive, partial matching
possible), the reader is ignored by OpenSC. Because
matching is partial, a short string such as a vendor
name ignores every reader whose name contains it.
Use <span class="command"><strong>opensc-tool --list-readers</strong></span>
to see the exact names of all currently connected
readers.
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">reader_driver <em class="replaceable"><code>name</code></em> {
|
|
<em class="replaceable"><code>block_contents</code></em>
|
|
}
|
|
</code>
|
|
</span></dt><dd><p>
|
|
Configuration of the smart card reader driver where <em class="replaceable"><code>name</code></em> is one of:
|
|
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
|
|
<code class="literal">ctapi</code>: See <a class="xref" href="#ctapi" title="Configuration of CT-API Readers">the section called “Configuration of CT-API Readers”</a>
|
|
</p></li><li class="listitem"><p>
|
|
<code class="literal">pcsc</code>: See <a class="xref" href="#pcsc" title="Configuration of PC/SC Readers">the section called “Configuration of PC/SC Readers”</a>
|
|
</p></li><li class="listitem"><p>
|
|
<code class="literal">openct</code>: See <a class="xref" href="#openct" title="Configuration of OpenCT Readers">the section called “Configuration of OpenCT Readers”</a>
|
|
</p></li><li class="listitem"><p>
|
|
<code class="literal">cryptotokenkit</code>: Configuration block for CryptoTokenKit readers
|
|
</p></li></ul></div><p>
|
|
</p><p>
|
|
See <a class="xref" href="#reader_driver" title="Configuration of Smart Card Reader Driver">the section called “Configuration of Smart Card Reader Driver”</a>.
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">card_driver <em class="replaceable"><code>name</code></em> {
|
|
<em class="replaceable"><code>block_contents</code></em>
|
|
}
|
|
</code>
|
|
</span></dt><dd><p>
|
|
Configuration of the card driver where <em class="replaceable"><code>name</code></em> is one of:
|
|
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
|
|
<code class="literal">npa</code>: See <a class="xref" href="#npa" title="Configuration Options for German ID Card">the section called “Configuration Options for German ID Card”</a>
|
|
</p></li><li class="listitem"><p>
|
|
<code class="literal">dnie</code>: See <a class="xref" href="#dnie" title="Configuration Options for DNIe">the section called “Configuration Options for DNIe”</a>
|
|
</p></li><li class="listitem"><p>
|
|
Any other value: Configuration block for an externally loaded card driver
|
|
</p></li></ul></div><p>
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">card_atr <em class="replaceable"><code>hexstring</code></em> {
|
|
<em class="replaceable"><code>block_contents</code></em>
|
|
}
|
|
</code>
|
|
</span></dt><dd><p>
|
|
In addition to the built-in list of known cards in
|
|
the card driver, you can configure a new card for
|
|
the driver using the <code class="option">card_atr</code>
|
|
block.
|
|
</p><p>
|
|
For details see <a class="xref" href="#card_atr" title="Configuration based on ATR">the section called “Configuration based on ATR”</a>.
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">secure_messaging <em class="replaceable"><code>name</code></em> {
|
|
<em class="replaceable"><code>block_contents</code></em>
|
|
}
|
|
</code>
|
|
</span></dt><dd><p>
|
|
Configuration options for the secure messaging profile <em class="replaceable"><code>name</code></em>:
|
|
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
|
|
<code class="option">module_name = <em class="replaceable"><code>filename</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Name of external SM module (Default: libsmm-local.so).
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">module_path = <em class="replaceable"><code>filename</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Directory with external SM module
|
|
(Default: /usr/lib).
|
|
</p><p>
|
|
If this configuration value is not
|
|
found on Windows, the registry key
|
|
<code class="filename">Software\OpenSC
|
|
Project\OpenSC\SmDir</code> is
|
|
checked.
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">module_data = <em class="replaceable"><code>value</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Specific data to tune the module initialization.
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">mode = <em class="replaceable"><code>value</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Secure messaging mode. Known parameters:
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
<code class="literal">transmit</code>:
In this mode the procedure that wraps an APDU in
secure messaging is called from OpenSC's general
APDU transmit procedure, so every APDU is protected
except the ones filtered out by the card-specific
procedure.
</p></li><li class="listitem"><p>
<code class="literal">acl</code>:
In this mode an APDU is protected by secure
messaging only if the ACLs of the command to be
executed require it.
</p></li></ul></div><p>
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">flags = <em class="replaceable"><code>value</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Secure messaging type specific flags.
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">kmc = <em class="replaceable"><code>hexstring</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Default KMC of the GlobalPlatform Card Manager for Oberthur Java cards. Like the keyset values below, this is key material: restrict read access to any configuration file that contains it.
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">ifd_serial = <em class="replaceable"><code>hexstring</code></em>;</code>
|
|
</span></dt><dd></dd><dt><span class="term">
|
|
<code class="option">keyset[_<em class="replaceable"><code>aid</code></em>]_<em class="replaceable"><code>num</code></em>_enc =
|
|
<em class="replaceable"><code>value</code></em>;</code>
|
|
<code class="option">keyset[_<em class="replaceable"><code>aid</code></em>]_<em class="replaceable"><code>num</code></em>_mac =
|
|
<em class="replaceable"><code>value</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Keyset values (encryption and MAC keys) from the
IAM profiles of the Gemalto IAS/ECC cards, with an
optional application identifier. These are card
authentication secrets, so a configuration file
that holds them should be readable only by the
users who need them.
|
|
</p></dd></dl></div></dd><dt><span class="term">
|
|
<code class="option">framework <em class="replaceable"><code>name</code></em> {
|
|
<em class="replaceable"><code>block_contents</code></em>
|
|
}
|
|
</code>
|
|
</span></dt><dd><p>
|
|
Internal configuration options where <em class="replaceable"><code>name</code></em> is one of:
|
|
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
|
|
<code class="literal">pkcs15</code>: See <a class="xref" href="#framework%20pkcs15" title="Configuration of PKCS#15 Framework">the section called “Configuration of PKCS#15 Framework”</a>
|
|
</p></li><li class="listitem"><p>
|
|
<code class="literal">tokend</code>: See <a class="xref" href="#framework%20tokend" title="Configuration of Tokend">the section called “Configuration of Tokend”</a>
|
|
</p></li></ul></div><p>
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">pkcs11 {
|
|
<em class="replaceable"><code>block_contents</code></em>
|
|
}
|
|
</code>
|
|
</span></dt><dd><p>
|
|
Parameters for the OpenSC PKCS11 module.
|
|
</p><p>
|
|
For details see <a class="xref" href="#pkcs11" title="Configuration of PKCS#11">the section called “Configuration of PKCS#11”</a>.
|
|
</p></dd></dl></div><div class="refsect2"><a name="reader_driver"></a><h3>Configuration of Smart Card Reader Driver</h3><div class="refsect3"><a name="idm330"></a><h4>Configuration Options for all Reader Drivers</h4><div class="variablelist"><dl class="variablelist"><dt><span class="term">
|
|
<code class="option">max_send_size = <em class="replaceable"><code>num</code></em>;</code>
|
|
<code class="option">max_recv_size = <em class="replaceable"><code>num</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Limit command and response sizes
(Default:
<code class="option">max_send_size</code>
= <code class="literal">255</code>,
<code class="option">max_recv_size</code>
= <code class="literal">256</code>). Some
readers don't report their
transceive capabilities correctly;
<code class="option">max_send_size</code> and
<code class="option">max_recv_size</code>
allow setting the limits manually,
for example to enable extended
length APDUs with a reader and a
card that both support them.
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">enable_escape = <em class="replaceable"><code>bool</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Detect reader capabilities with
escape commands (wrapped APDUs with
CLA=0xFF as defined by PC/SC pt. 3
and BSI TR-03119), e.g. for getting
the UID, escaped PIN commands and
the reader's firmware version
(Default: <code class="literal">false</code>).
|
|
</p></dd></dl></div></div><div class="refsect3"><a name="ctapi"></a><h4>Configuration of CT-API Readers</h4><div class="variablelist"><dl class="variablelist"><dt><span class="term">
|
|
<code class="option">module <em class="replaceable"><code>filename</code></em> {
|
|
ports = <em class="replaceable"><code>nums</code></em>;
|
|
}
|
|
</code>
|
|
</span></dt><dd><p>
|
|
Load the specified CT-API module with the specified number of ports.
|
|
</p></dd></dl></div></div><div class="refsect3"><a name="pcsc"></a><h4>Configuration of PC/SC Readers</h4><div class="variablelist"><dl class="variablelist"><dt><span class="term">
|
|
<code class="option">connect_exclusive = <em class="replaceable"><code>bool</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Connect to the reader in exclusive mode
(Default: <code class="literal">false</code>).
This option has no effect in Windows' minidriver.
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">disconnect_action = <em class="replaceable"><code>action</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
What to do when disconnecting from
a card (SCardDisconnect). Valid
values are
<code class="literal">leave</code>,
<code class="literal">reset</code>,
<code class="literal">unpower</code> (Default:
<code class="literal">leave</code>).
With <code class="literal">leave</code> the card is
not reset, so any security status established in
the session, such as a verified PIN, stays in
effect until the card is reset or powered down;
<code class="literal">reset</code> and
<code class="literal">unpower</code> clear it.
This option has no effect in Windows' minidriver.
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">transaction_end_action = <em class="replaceable"><code>action</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
What to do at the end of a
|
|
transaction (SCardEndTransaction).
|
|
Valid values
|
|
are <code class="literal">leave</code>,
|
|
<code class="literal">reset</code>,
|
|
<code class="literal">unpower</code> (Default:
|
|
<code class="literal">leave</code>).
|
|
This option has no effect in Windows' minidriver.
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">reconnect_action = <em class="replaceable"><code>action</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
What to do when reconnecting to a
card (SCardReconnect). Valid values
|
|
are <code class="literal">leave</code>,
|
|
<code class="literal">reset</code>,
|
|
<code class="literal">unpower</code> (Default:
|
|
<code class="literal">leave</code>).
|
|
This option has no effect in Windows' minidriver.
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">enable_pinpad = <em class="replaceable"><code>bool</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Enable pinpad if detected (PC/SC
|
|
v2.0.2 Part 10, Default:
|
|
<code class="literal">true</code>)
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">fixed_pinlength = <em class="replaceable"><code>num</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Some pinpad readers can only handle
|
|
one exact length of the PIN.
|
|
<code class="option">fixed_pinlength</code>
|
|
sets this value so that OpenSC
|
|
expands the padding to this length
|
|
(Default: <code class="literal">0</code>,
|
|
i.e. not fixed).
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">provider_library = <em class="replaceable"><code>filename</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Use specific PC/SC provider
|
|
(Default:
|
|
<code class="literal">libpcsclite.so.1</code>).
|
|
</p></dd></dl></div></div><div class="refsect3"><a name="openct"></a><h4>Configuration of OpenCT Readers</h4><div class="variablelist"><dl class="variablelist"><dt><span class="term">
|
|
<code class="option">readers = <em class="replaceable"><code>num</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Virtual readers to allocate (Default: <code class="literal">2</code>).
|
|
</p></dd></dl></div></div></div><div class="refsect2"><a name="npa"></a><h3>Configuration Options for German ID Card</h3><div class="variablelist"><dl class="variablelist"><dt><span class="term">
|
|
<code class="option">can = <em class="replaceable"><code>value</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
The German ID card requires the CAN to
be verified before the QES PIN. This,
however, is not part of the PKCS#15
profile of the card, so verifying the
QES PIN actually needs both values.
The CAN may be given here. If it is
not given here, it will be prompted
for on the command line or on the
reader (depending on the reader's
capabilities). The CAN is printed on
the card and serves to prove physical
access to it; a CAN stored in this
file should therefore be readable only
by the intended user.
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">st_dv_certificate = <em class="replaceable"><code>filename</code></em>;</code>
|
|
<code class="option">st_certificate = <em class="replaceable"><code>filename</code></em>;</code>
|
|
<code class="option">st_key = <em class="replaceable"><code>filename</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
QES is only possible with a Comfort
Reader (CAT-K), which holds a
cryptographic key to authenticate
itself as signature terminal (ST).
Normally the reader's own capability
to sign the data is used. During
development, however, you may specify
soft certificates and a key for an ST
here; <code class="option">st_key</code>
is then a private key on disk and
needs to be protected like one.
|
|
</p><p>
|
|
An example PKI can be found in the
|
|
example data for the
|
|
<a class="ulink" href="https://github.com/frankmorgner/vsmartcard/tree/master/virtualsmartcard/npa-example-data" target="_top">German
|
|
ID card emulator</a>
|
|
</p></dd></dl></div></div><div class="refsect2"><a name="dnie"></a><h3>Configuration Options for DNIe</h3><div class="variablelist"><dl class="variablelist"><dt><span class="term">
|
|
<code class="option">user_consent_enabled = <em class="replaceable"><code>bool</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Enable or disable the warning dialog
that asks the user for consent before
a signature operation is performed
with the DNIe. Only used if compiled
with
<code class="option">--enable-dnie-ui</code>
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">user_consent_app = <em class="replaceable"><code>filename</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Specify the pinentry application to
|
|
use if warning is configured to be
|
|
displayed using pinentry (Default:
|
|
<code class="literal">/usr/bin/pinentry</code>).
|
|
Only used if compiled with
|
|
<code class="option">--enable-dnie-ui</code>
|
|
</p></dd></dl></div></div><div class="refsect2"><a name="card_atr"></a><h3>Configuration based on ATR</h3><p>
|
|
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
|
|
<code class="option">atrmask = <em class="replaceable"><code>hexstring</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
The mask is logically AND'd with the
card's ATR prior to comparison with
the ATR reference value given as the
block's <em class="replaceable"><code>hexstring</code></em>.
Using this mask allows identifying
and configuring multiple ATRs as
the same card model. A mask that
zeroes many bytes matches
correspondingly more cards, so check
that unrelated cards do not pick up
the block's driver and flags.
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">driver = <em class="replaceable"><code>name</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
When set, selects this driver for
cards matching the block, overriding
all possible settings from the card
driver's built-in card configuration
list.
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">name = <em class="replaceable"><code>name</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Set the card name for card drivers
that allow it.
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">type = <em class="replaceable"><code>num</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Allows setting the exact type of
|
|
the card internally used by the
|
|
card driver. Allowed values can be
|
|
found in the source code of
|
|
<code class="filename">cards.h</code>.
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">flags = <em class="replaceable"><code>value</code></em>... ;</code>
|
|
</span></dt><dd><p>
|
|
Card flags as a hex value.
|
|
Multiple values are OR'd together.
|
|
Depending on card driver, this
|
|
allows fine-tuning the capabilities
|
|
in the card driver for your card.
|
|
</p><p>
|
|
Optionally, some known parameters
|
|
can be specified as strings:
|
|
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
|
|
<code class="literal">rng</code>:
|
|
On-board random number
|
|
source
|
|
</p></li><li class="listitem"><p>
|
|
<code class="literal">keep_alive</code>:
|
|
Request the card driver
|
|
to send a "keep alive"
|
|
command before each
|
|
transaction to make
|
|
sure that the required
|
|
applet is still
|
|
selected.
|
|
</p></li></ul></div><p>
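How a <code class="option">card_atr</code> block is matched against a card, what <code class="option">atrmask</code> changes, and what the matching block hands on (<code class="option">driver</code>, <code class="option">name</code>, <code class="option">flags</code>) can be shown directly. This is an added example written for this page, not OpenSC's matching code: the ATR and mask bytes are constructed, the block dictionaries mirror what a parser of this file would produce, and first-match-wins ordering is an assumption. The comparison masks both the card's ATR and the block's reference ATR, so it gives the same answer whether or not the reference in the block was written pre-masked, and it also counts how many bytes a mask ignores, which is the quick check for an over-broad block.

```python
def atr_bytes(hexstring):
    """Decode an ATR or mask written as colon-separated, space-separated or plain hex."""
    return bytes.fromhex(hexstring.replace(':', '').replace(' ', ''))


def atr_matches(card_atr, reference_atr, atrmask=None):
    """True if card_atr equals reference_atr in every byte the mask keeps.

    Without a mask the comparison is exact. ATR lengths must agree, and a
    mask that does not cover the whole ATR is treated here as a
    configuration error rather than a match.
    """
    atr, ref = atr_bytes(card_atr), atr_bytes(reference_atr)
    if len(atr) != len(ref):
        return False
    mask = atr_bytes(atrmask) if atrmask else b'\xff' * len(ref)
    if len(mask) != len(ref):
        raise ValueError('atrmask length does not match the ATR length')
    return all((a & m) == (r & m) for a, m, r in zip(atr, mask, ref))


def masked_bytes(atrmask):
    """Number of ATR bytes the mask does not compare in full.

    A large count means the block is written loosely enough that unrelated
    cards may pick up its driver and flags.
    """
    return sum(1 for m in atr_bytes(atrmask) if m != 0xFF)


# Constructed card_atr blocks, keyed the way a parser of this file would key
# them ('card_atr <hexstring>'). The ATR and mask bytes are invented.
CARD_ATR_BLOCKS = {
    # one block covering every revision of a card family: the two historical
    # bytes that carry the revision (offsets 8 and 9) are masked out
    'card_atr 3B:88:80:01:01:02:03:04:05:06:07:08:09': {
        'atrmask': 'FF:FF:FF:FF:FF:FF:FF:FF:00:00:FF:FF:FF',
        'driver': 'example-family',
        'name': 'Example family card',
        'flags': ['rng', 'keep_alive'],
    },
    # an exact match for a single card model, no mask
    'card_atr 3B:88:80:01:11:22:33:44:55:66:77:88:99': {
        'driver': 'example-single',
        'name': 'Example single card',
        'force_protocol': 't1',
    },
}


def select_card_atr_block(card_atr, blocks=CARD_ATR_BLOCKS):
    """Return (block header, settings) of the first matching block, or (None, None)."""
    for header, settings in blocks.items():
        reference = header.split(None, 1)[1]   # the hexstring after 'card_atr'
        if atr_matches(card_atr, reference, settings.get('atrmask')):
            return header, settings
    return None, None


if __name__ == '__main__':
    probes = (
        '3B:88:80:01:01:02:03:04:AA:BB:07:08:09',  # revision bytes differ: still the family
        '3B:88:80:01:11:22:33:44:55:66:77:88:99',  # exact single-card match
        '3B:88:80:01:01:02:03:04:05:06:07:08:0A',  # last byte differs: no block at all
    )
    for probe in probes:
        header, settings = select_card_atr_block(probe)
        print(probe, '->', settings['driver'] if settings else None)
    for header, settings in CARD_ATR_BLOCKS.items():
        if 'atrmask' in settings:
            print(header, 'ignores', masked_bytes(settings['atrmask']), 'byte(s)')
```

The first probe differs from the family block's reference only in the two masked-out bytes and is routed to <code class="literal">example-family</code> together with its <code class="literal">rng</code> and <code class="literal">keep_alive</code> flags; the third probe differs in an unmasked byte and matches nothing, which is the case where OpenSC falls back to the drivers' built-in lists.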
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">pkcs15emu = <em class="replaceable"><code>name</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
When using PKCS#15 emulation, force
|
|
the emulation driver for specific
|
|
cards. Required for external
|
|
drivers, but can be used with
|
|
built-in drivers, too.
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">force_protocol = <em class="replaceable"><code>value</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Force protocol selection for
|
|
specific cards. Known parameters:
|
|
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
|
|
<code class="literal">t0</code>
|
|
</p></li><li class="listitem"><p>
|
|
<code class="literal">t1</code>
|
|
</p></li><li class="listitem"><p>
|
|
<code class="literal">raw</code>
|
|
</p></li></ul></div><p>
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">md_read_only = <em class="replaceable"><code>bool</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Mark the card as a read-only card in the
Minidriver/BaseCSP interface
|
|
(Default: <code class="literal">false</code>).
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">md_supports_X509_enrollment = <em class="replaceable"><code>bool</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Indicate X509 enrollment support at
|
|
Minidriver/BaseCSP interface
|
|
(Default: <code class="literal">false</code>).
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">md_guid_as_id = <em class="replaceable"><code>bool</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Use the GUID generated for the key
|
|
as id in the PKCS#15 structure
|
|
(Default: <code class="literal">false</code>, i.e. auto generated)
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">md_guid_as_label = <em class="replaceable"><code>bool</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Use the GUID generated for the key
|
|
as label in the PKCS#15 structure
|
|
(Default: <code class="literal">false</code>,
|
|
i.e. no label set).
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">md_supports_container_key_gen = <em class="replaceable"><code>bool</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Card allows generating key pairs on the card (Default: <code class="literal">false</code>).
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">md_supports_container_key_import = <em class="replaceable"><code>bool</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Card allows importing private keys
|
|
(Default: <code class="literal">false</code>).
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">md_pinpad_dlg_title = <em class="replaceable"><code>value</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Window title of the PIN pad dialog
|
|
(Default: <code class="literal">"Windows
|
|
Security"</code>).
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">md_pinpad_dlg_icon = <em class="replaceable"><code>filename</code></em>;</code>
|
|
</span></dt><dd><p>
|
|
Filename of the icon for the PIN
|
|
pad dialog; use
|
|
<code class="literal">""</code> for no icon
|
|
(Default: Built-in smart card icon).
|
|
</p></dd><dt><span class="term">
|
|
<code class="option">md_pinpad_dlg_main = <em class="replaceable"><code>value</code></em>;</code>
</span></dt><dd><p>
Main instruction of the PIN pad dialog (Default: <code class="literal">"OpenSC Smart Card Provider"</code>).
</p></dd><dt><span class="term">
<code class="option">md_pinpad_dlg_content_user = <em class="replaceable"><code>value</code></em>;</code>
</span></dt><dd><p>
Content of the PIN pad dialog for role "user" (Default: <code class="literal">"Please enter your PIN on the PIN pad."</code>).
</p></dd><dt><span class="term">
<code class="option">md_pinpad_dlg_content_user_sign = <em class="replaceable"><code>value</code></em>;</code>
</span></dt><dd><p>
Content of the PIN pad dialog for role "user+signature" (Default: <code class="literal">"Please enter your digital signature PIN on the PIN pad."</code>).
</p></dd><dt><span class="term">
<code class="option">md_pinpad_dlg_content_admin = <em class="replaceable"><code>value</code></em>;</code>
</span></dt><dd><p>
Content of the PIN pad dialog for role "admin" (Default: <code class="literal">"Please enter your PIN to unblock the user PIN on the PIN pad."</code>).
</p></dd><dt><span class="term">
<code class="option">md_pinpad_dlg_expanded = <em class="replaceable"><code>value</code></em>;</code>
</span></dt><dd><p>
Expanded information of the PIN pad dialog (Default: <code class="literal">"This window will be closed automatically after the PIN has been submitted on the PIN pad (timeout typically after 30 seconds)."</code>).
</p></dd><dt><span class="term">
<code class="option">md_pinpad_dlg_enable_cancel = <em class="replaceable"><code>bool</code></em>;</code>
</span></dt><dd><p>
Allow the user to cancel the PIN pad dialog (Default: <code class="literal">false</code>).
If this value is set to <code class="literal">true</code>, the user needs to click "OK" to start the PIN verification on the PIN pad. The user can choose the default behavior by enabling or disabling the checkbox of the dialog. The setting is saved per full path (<em class="replaceable"><code>program_path</code></em>) of the program that uses OpenSC.
</p><p>
The registry key <code class="filename">HKCU\Software\OpenSC Project\OpenSC\md_pinpad_dlg_enable_cancel\<em class="replaceable"><code>program_path</code></em></code> overrides this setting with a <code class="literal">DWORD</code> set to either <code class="literal">1</code> (enabled) or <code class="literal">0</code> (disabled).
</p></dd><dt><span class="term">
<code class="option">md_pinpad_dlg_timeout = <em class="replaceable"><code>num</code></em>;</code>
</span></dt><dd><p>
Time in seconds for the progress bar of the PIN pad dialog to run down. <code class="literal">0</code> removes the progress bar (Default: <code class="literal">30</code>).
</p></dd><dt><span class="term">
<code class="option">notify_card_inserted = <em class="replaceable"><code>value</code></em>;</code>
<code class="option">notify_card_inserted_text = <em class="replaceable"><code>value</code></em>;</code>
</span></dt><dd><p>
Notification title and text when a card was inserted (Default: <code class="literal">"Smart card detected"</code>, ATR of the card).
</p></dd><dt><span class="term">
<code class="option">notify_card_removed = <em class="replaceable"><code>value</code></em>;</code>
<code class="option">notify_card_removed_text = <em class="replaceable"><code>value</code></em>;</code>
</span></dt><dd><p>
Notification title and text when a card was removed (Default: <code class="literal">"Smart card removed"</code>, name of the smart card reader).
</p></dd><dt><span class="term">
<code class="option">notify_pin_good = <em class="replaceable"><code>value</code></em>;</code>
<code class="option">notify_pin_good_text = <em class="replaceable"><code>value</code></em>;</code>
</span></dt><dd><p>
Notification title and text when the PIN was verified (Default: <code class="literal">"PIN verified"</code>, <code class="literal">"Smart card is unlocked"</code>).
</p></dd><dt><span class="term">
<code class="option">notify_pin_bad = <em class="replaceable"><code>value</code></em>;</code>
<code class="option">notify_pin_bad_text = <em class="replaceable"><code>value</code></em>;</code>
</span></dt><dd><p>
Notification title and text when the PIN was wrong (Default: <code class="literal">"PIN not verified"</code>, <code class="literal">"Smart card is locked"</code>).
</p></dd></dl></div><p>
</p></div><div class="refsect2"><a name="framework%20pkcs15"></a><h3>Configuration of PKCS#15 Framework</h3><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">use_file_caching = <em class="replaceable"><code>bool</code></em>;</code>
</span></dt><dd><p>
Whether to cache the card's files (e.g. certificates) on disk in <code class="option">file_cache_dir</code> (Default: <code class="literal">false</code>).
</p><p>
If caching is done by a system process, the cached files may end up in a location that is inaccessible from the user account. Use a globally readable and writable location if you wish to share the cached information. Note that the cached files may contain personal data such as name and mail address, and that a location every local user can write to also lets every local user replace what is cached there.
</p></dd><dt><span class="term">
<code class="option">file_cache_dir = <em class="replaceable"><code>filename</code></em>;</code>
</span></dt><dd><p>
Where to cache the card's files. The default values are:
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
<code class="filename"><code class="envar">$XDG_CACHE_HOME</code>/opensc/</code> (if defined)
</p></li><li class="listitem"><p>
<code class="filename"><code class="envar">$HOME</code>/.cache/opensc/</code> (Unix)
</p></li><li class="listitem"><p>
<code class="filename"><code class="envar">$USERPROFILE</code>\.eid-cache\</code> (Windows)
</p></li></ul></div><p>
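Resolving which of these defaults applies, and checking whether the resulting directory is readable by other users before <code class="option">use_file_caching</code> is switched on, as an added example in Python that is not OpenSC's own code. The precedence follows the list above; the permission check, the constructed environments and the decision to treat an empty <code class="envar">XDG_CACHE_HOME</code> as unset are this example's own.

```python
"""Resolve OpenSC's default file_cache_dir and check who can read it.

Added example; this is not OpenSC's own code.  default_cache_dir()
reproduces the precedence opensc.conf(5) documents for the default of
file_cache_dir: $XDG_CACHE_HOME/opensc/ when that variable is set (this
example treats an empty value as unset), otherwise $HOME/.cache/opensc/ on
Unix or %USERPROFILE%\\.eid-cache\\ on Windows.  cache_dir_exposure() is this
example's own check, not something OpenSC performs: the cache can hold
personal data read from the card, so a directory other users can read is
worth flagging before caching is enabled.
"""
import os
import stat
import tempfile


def default_cache_dir(env, windows=False):
    """Default file_cache_dir for an environment mapping such as os.environ."""
    xdg = env.get("XDG_CACHE_HOME")
    if xdg:
        return xdg.rstrip("/") + "/opensc"
    if windows:
        profile = env.get("USERPROFILE")
        if not profile:
            raise KeyError("USERPROFILE is not set")
        return profile.rstrip("\\") + "\\.eid-cache"
    home = env.get("HOME")
    if not home:
        raise KeyError("HOME is not set")
    return home.rstrip("/") + "/.cache/opensc"


def cache_dir_exposure(path):
    """Classify a cache directory as 'missing', 'private', 'group' or 'world'.

    'world' means any local user can list or read the cached card files.
    Only POSIX mode bits are inspected; on Windows the ACL would have to be
    checked instead.
    """
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return "missing"
    if mode & (stat.S_IROTH | stat.S_IXOTH):
        return "world"
    if mode & (stat.S_IRGRP | stat.S_IXGRP):
        return "group"
    return "private"


def demo():
    """Exercise both helpers on constructed environments and directories."""
    unix_env = {"HOME": "/home/alice"}                       # constructed
    xdg_env = {"HOME": "/home/alice",
               "XDG_CACHE_HOME": "/run/user/1000/cache"}     # constructed
    win_env = {"USERPROFILE": r"C:\Users\alice"}             # constructed
    results = {
        "unix": default_cache_dir(unix_env),
        "xdg": default_cache_dir(xdg_env),
        "windows": default_cache_dir(win_env, windows=True),
    }
    # Two scratch directories: one private, one readable by everyone.
    base = tempfile.mkdtemp()
    private, shared = os.path.join(base, "private"), os.path.join(base, "shared")
    os.mkdir(private)
    os.chmod(private, 0o700)          # chmod is not subject to the umask
    os.mkdir(shared)
    os.chmod(shared, 0o755)
    results["private"] = cache_dir_exposure(private)
    results["shared"] = cache_dir_exposure(shared)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run with no arguments it prints the three resolved default paths and the classification of the two scratch directories; pointing <code>cache_dir_exposure()</code> at the directory you intend to configure as <code class="option">file_cache_dir</code> tells you whether sharing it would expose the cached card data to other local users.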
</p></dd><dt><span class="term">
<code class="option">use_pin_caching = <em class="replaceable"><code>bool</code></em>;</code>
</span></dt><dd><p>
Use PIN caching (Default: <code class="literal">true</code>).
</p></dd><dt><span class="term">
<code class="option">pin_cache_counter = <em class="replaceable"><code>num</code></em>;</code>
</span></dt><dd><p>
How many times to use a PIN from the cache before re-authenticating it (Default: <code class="literal">10</code>).
</p></dd><dt><span class="term">
<code class="option">pin_cache_ignore_user_consent = <em class="replaceable"><code>bool</code></em>;</code>
</span></dt><dd><p>
Older PKCS#11 applications not supporting <code class="literal">CKA_ALWAYS_AUTHENTICATE</code> may need to set this to get signatures to work with some cards (Default: <code class="literal">false</code>). When enabled, the cached PIN is reused even for keys that require a fresh authentication before every use, so the per-operation consent those keys are meant to enforce is lost.
</p></dd><dt><span class="term">
<code class="option">enable_pkcs15_emulation = <em class="replaceable"><code>bool</code></em>;</code>
</span></dt><dd><p>
Enable PKCS#15 emulation (Default: <code class="literal">true</code>).
</p></dd><dt><span class="term">
<code class="option">try_emulation_first = <em class="replaceable"><code>bool</code></em>;</code>
</span></dt><dd><p>
Prefer the PKCS#15 emulation code over the normal PKCS#15 processing (Default: <code class="literal">false</code>). Some cards work in emulation-only mode and do not depend on this option.
</p></dd><dt><span class="term">
<code class="option">enable_builtin_emulation = <em class="replaceable"><code>bool</code></em>;</code>
</span></dt><dd><p>
Enable builtin emulators (Default: <code class="literal">true</code>).
</p></dd><dt><span class="term">
<code class="option">builtin_emulators = <em class="replaceable"><code>emulators</code></em>;</code>
</span></dt><dd><p>
List of the builtin PKCS#15 emulators to test (Default: <code class="literal">westcos, openpgp, starcert, tcos, esteid, itacns, PIV-II, cac, gemsafeGPK, gemsafeV1, actalis, atrust-acos, tccardos, entersafe, pteid, oberthur, sc-hsm, dnie, gids, iasecc, jpki, coolkey, din66291</code>).
</p></dd><dt><span class="term">
<code class="option">pkcs11_enable_InitToken = <em class="replaceable"><code>bool</code></em>;</code>
</span></dt><dd><p>
Enable initialization and card recognition (Default: <code class="literal">false</code>).
</p></dd><dt><span class="term">
<code class="option">emulate <em class="replaceable"><code>name</code></em> {
<em class="replaceable"><code>block_contents</code></em>
}
</code>
</span></dt><dd><p>
Configuration options for a PKCS#15 emulator where <em class="replaceable"><code>name</code></em> is a short name for an external card driver.
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">module = <em class="replaceable"><code>filename</code></em>;</code>
</span></dt><dd><p>
For PKCS#15 emulators loaded from an external shared library/DLL, you need to specify the path name of the module and customize the card_atr example above correctly.
</p></dd><dt><span class="term">
<code class="option">function = <em class="replaceable"><code>name</code></em>;</code>
</span></dt><dd><p>
Name of the init function of the emulator (Default: <code class="literal">sc_pkcs15_init_func_ex</code>).
</p></dd></dl></div></dd><dt><span class="term">
<code class="option">application <em class="replaceable"><code>hexstring</code></em> {
<em class="replaceable"><code>block_contents</code></em>
}
</code>
</span></dt><dd><p>
Configuration of the on-card application where <em class="replaceable"><code>hexstring</code></em> is the application identifier (AID).
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">type = <em class="replaceable"><code>name</code></em>;</code>
</span></dt><dd><p>
Type of application where <em class="replaceable"><code>name</code></em> is one of:
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
<code class="literal">generic</code>
</p></li><li class="listitem"><p>
<code class="literal">protected</code>
</p></li></ul></div><p>
</p><p>
Used to distinguish the common-access application from an application for which the authentication needed to perform some operation cannot be obtained with the common procedures (e.g. object creation protected by secure messaging). Used by the PKCS#11 module when it is configured to expose a restricted number of slots (e.g. only the User PIN slot, or the User and Sign PIN slots, ...).
</p></dd><dt><span class="term">
<code class="option">model = <em class="replaceable"><code>name</code></em>;</code>
</span></dt><dd></dd><dt><span class="term">
<code class="option">disable = <em class="replaceable"><code>bool</code></em>;</code>
</span></dt><dd><p>
Do not expose the application in the PKCS#15 framework (Default: <code class="literal">false</code>).
</p></dd></dl></div></dd></dl></div></div><div class="refsect2"><a name="framework%20tokend"></a><h3>Configuration of Tokend</h3><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">score = <em class="replaceable"><code>num</code></em>;</code>
</span></dt><dd><p>
Score for <span class="application">OpenSC.tokend</span> (Default: <code class="literal">300</code>). The tokend with the highest score is used.
</p></dd><dt><span class="term">
<code class="option">ignore_private_certificate = <em class="replaceable"><code>bool</code></em>;</code>
</span></dt><dd><p>
Whether Tokend skips reading PIN-protected certificates, i.e. those carrying the <code class="literal">SC_PKCS15_CO_FLAG_PRIVATE</code> flag (Default: <code class="literal">true</code>).
</p></dd></dl></div></div><div class="refsect2"><a name="pkcs11"></a><h3>Configuration of PKCS#11</h3><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">max_virtual_slots = <em class="replaceable"><code>num</code></em>;</code>
</span></dt><dd><p>
Maximum number of virtual slots (Default: <code class="literal">16</code>). If there are more slots than defined here, the remaining slots will be hidden from PKCS#11.
</p></dd><dt><span class="term">
<code class="option">slots_per_card = <em class="replaceable"><code>num</code></em>;</code>
</span></dt><dd><p>
Maximum number of slots per smart card (Default: <code class="literal">4</code>). If the card has fewer keys than defined here, the remaining slots will be empty.
</p></dd><dt><span class="term">
<code class="option">lock_login = <em class="replaceable"><code>bool</code></em>;</code>
</span></dt><dd><p>
By default, the OpenSC PKCS#11 module does not lock your card once you authenticate to it via <code class="literal">C_Login</code> (Default: <code class="literal">false</code>).
Other users or other applications are therefore not prevented from connecting to the card and performing crypto operations, which may succeed precisely because you have already authenticated with the card. This setting is not very secure.
</p><p>
Also, if your card is not locked, you may encounter problems due to limitations of the OpenSC framework, which is still not thoroughly tested in multi-threaded environments.
</p><p>
Your setup will be more secure if you choose to lock your card. Nevertheless this behavior is a known violation of the PKCS#11 specification. Once one application has started using your card with <code class="literal">C_Login</code>, no other application can use it until the first is done and calls <code class="literal">C_Logout</code> or <code class="literal">C_Finalize</code>. In the case of many PKCS#11 applications this does not happen until you exit the application.
</p><p>
Thus it is impossible to use several smart card aware applications at the same time, e.g. you cannot run both <span class="application">Firefox</span> and <span class="application">Thunderbird</span> at the same time if both are configured to use your smart card.
</p></dd><dt><span class="term">
<code class="option">atomic = <em class="replaceable"><code>bool</code></em>;</code>
</span></dt><dd><p>
By default, interacting with the OpenSC PKCS#11 module may change the state of the token, e.g. whether a user is logged in or not (Default: <code class="literal">false</code>).
</p><p>
Thus other users or other applications may change or use the state of the token unknowingly. Other applications may create signatures abusing an existing login, or they may log out unnoticed.
</p><p>
With this setting enabled the login state of the token is tracked and cached (including the PIN). Every transaction is preceded by restoring the login state, and after every transaction a logout is performed. This setting by default also enables <code class="option">lock_login</code> to deny other applications access during the atomic transactions.
</p><p>
Please note that any PIN pad should be disabled (see <code class="option">enable_pinpad</code>), because the user would otherwise have to enter the PIN for every transaction.
</p></dd><dt><span class="term">
<code class="option">init_sloppy = <em class="replaceable"><code>bool</code></em>;</code>
</span></dt><dd><p>
With this setting disabled, the OpenSC PKCS#11 module initializes the available slots when the application calls <code class="literal">C_GetSlotList</code>. With this setting enabled, the slots also get initialized when <code class="literal">C_GetSlotInfo</code> is called (Default: <code class="literal">true</code>).
</p><p>
This setting is a workaround for <span class="application">Java</span>, which does not call <code class="literal">C_GetSlotList</code> when configured with a static <code class="literal">slot</code> instead of <code class="literal">slotListIndex</code>.
</p></dd><dt><span class="term">
<code class="option">user_pin_unblock_style = <em class="replaceable"><code>mode</code></em>;</code>
</span></dt><dd><p>
User PIN unblock style, where <em class="replaceable"><code>mode</code></em> is one of:
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
<code class="literal">none</code> (Default): PIN unblock is not possible with the PKCS#11 API.
</p></li><li class="listitem"><p>
<code class="literal">set_pin_in_unlogged_session</code>: <code class="literal">C_SetPIN</code> in an unlogged session: the PUK is passed as the <code class="literal">OldPin</code> argument of the <code class="literal">C_SetPIN</code> call.
</p></li><li class="listitem"><p>
<code class="literal">set_pin_in_specific_context</code>: <code class="literal">C_SetPIN</code> in a session logged in as <code class="literal">CKU_CONTEXT_SPECIFIC</code>: the PUK is passed as the <code class="literal">OldPin</code> argument of the <code class="literal">C_SetPIN</code> call.
</p></li><li class="listitem"><p>
<code class="literal">init_pin_in_so_session</code>: <code class="literal">C_InitPIN</code> in a session logged in as <code class="literal">CKU_SO</code>: the user PIN 'UNBLOCK' is protected by the SO PIN (PUK == SO PIN).
</p></li></ul></div><p>
</p></dd><dt><span class="term">
<code class="option">create_puk_slot = <em class="replaceable"><code>bool</code></em>;</code>
</span></dt><dd><p>
Create a slot for unblocking the PIN with the PUK (Default: <code class="literal">false</code>). This way the PKCS#11 API can be used to log in with the PUK and change a PIN. May cause problems with some applications like <span class="application">Firefox</span> and <span class="application">Thunderbird</span>.
</p></dd><dt><span class="term">
<code class="option">create_slots_for_pins = <em class="replaceable"><code>mode</code></em>... ;</code>
</span></dt><dd><p>
Symbolic names of PINs for which slots are created, where <em class="replaceable"><code>mode</code></em> is a list of:
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
<code class="literal">all</code> (Default): all non-SO-PIN, non-unblocking PINs
</p></li><li class="listitem"><p>
<code class="literal">user</code>: the first global or first local PIN
</p></li><li class="listitem"><p>
<code class="literal">sign</code>: the second PIN (first local, second global or second local)
</p></li></ul></div><p>
</p><p>
A card can contain more than one PIN, or more than one on-card application each with its own PINs. Normally, to access all of them with the PKCS#11 API, a slot has to be created for each of them. Many slots can be annoying for some widely used applications, like <span class="application">Firefox</span>. This configuration parameter allows selecting the PIN(s) for which a PKCS#11 slot will be created.
</p><p>
Only initialised PINs that are neither SO PINs nor unblocking PINs are associated with a symbolic name.
</p><p>
For the module to simulate the behavior of the opensc-onepin module, use the following option:
<code class="option">create_slots_for_pins = "user";</code>
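The following is an added example in Python, not OpenSC's own code, that parses an opensc.conf fragment written in the <code class="option">app</code> / <code class="option">framework pkcs15</code> / <code class="option">pkcs11</code> block syntax used throughout this page and reports the settings the PKCS#15 and PKCS#11 sections above warn about: <code class="option">use_file_caching</code>, <code class="option">pin_cache_ignore_user_consent</code>, <code class="option">lock_login</code> (with <code class="option">atomic</code> implying it) and <code class="option">create_puk_slot</code>. The two sample configurations, the placeholder AID and the severity labels are constructed for the example; the parser covers only the syntax shown on this page, not every feature of OpenSC's configuration format.

```python
"""Parse opensc.conf-style blocks and flag the settings this page warns about.

Added example, not OpenSC's own code.  parse() handles the subset of the
opensc.conf syntax used on this page: `key = value;` assignments, comma-separated
lists, quoted strings, `#` comments, and nested blocks that may carry a name or
AID (`app default { framework pkcs15 {...} }`, `application <aid> {...}`).
audit() restates the page's warnings as checks; the severities are this example's.
"""
import re

_TOKEN = re.compile(r'#[^\n]*|"[^"]*"|[{};=,]|[^\s{};=,"#]+')


def tokenize(text):
    """Tokens of the config text; comments dropped, quoted strings kept whole."""
    return [t for t in _TOKEN.findall(text) if not t.startswith("#")]


def _unquote(tok):
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def parse(text):
    """`framework pkcs15 {...}` -> key 'framework pkcs15'; `x = a, b;` -> 'x': ['a', 'b']."""
    tokens, pos = tokenize(text), 0

    def block():
        nonlocal pos
        node = {}
        while pos < len(tokens) and tokens[pos] != "}":
            head = [_unquote(tokens[pos])]
            pos += 1
            if tokens[pos] == "=":                    # assignment
                pos += 1
                values = []
                while tokens[pos] != ";":
                    if tokens[pos] != ",":
                        values.append(_unquote(tokens[pos]))
                    pos += 1
                pos += 1                              # consume ';'
                node[head[0]] = values
            else:                                     # block, possibly named
                while tokens[pos] != "{":
                    head.append(_unquote(tokens[pos]))
                    pos += 1
                pos += 1                              # consume '{'
                node[" ".join(head)] = block()
                if pos >= len(tokens):
                    raise ValueError("unterminated block: " + " ".join(head))
                pos += 1                              # consume '}'
        return node

    try:
        tree = block()
    except IndexError:
        raise ValueError("unexpected end of input") from None
    if pos != len(tokens):
        raise ValueError("unbalanced '}'")
    return tree


def as_bool(values, default):
    """scconf accepts true/false, yes/no and 1/0 (the page itself writes 'no')."""
    return default if not values else values[0].lower() in ("true", "yes", "1")


def audit(tree):
    """(severity, message) pairs for the weak settings described on this page."""
    out = []
    p15 = tree.get("app default", {}).get("framework pkcs15", {})
    p11 = tree.get("app opensc-pkcs11", {}).get("pkcs11", {})
    if as_bool(p15.get("use_file_caching"), False):
        where = p15.get("file_cache_dir", ["the per-user default directory"])[0]
        out.append(("info", "card files (may include name/mail address) cached in " + where))
    if as_bool(p15.get("pin_cache_ignore_user_consent"), False):
        out.append(("high", "pin_cache_ignore_user_consent=true: cached PIN reused for keys needing per-use authentication"))
    atomic = as_bool(p11.get("atomic"), False)
    if not as_bool(p11.get("lock_login"), atomic):    # atomic implies lock_login
        out.append(("medium", "lock_login=false: other processes can use the card after your C_Login"))
    if atomic:
        out.append(("info", "atomic=true: PIN cached and replayed per transaction; disable any PIN pad"))
    if as_bool(p11.get("create_puk_slot"), False):
        out.append(("info", "create_puk_slot=true: PUK slot exposed; may break Firefox/Thunderbird"))
    return out


# Constructed sample configurations; the AID and the paths are placeholders.
WEAK_CONF = """
app default {
    framework pkcs15 {
        use_file_caching = true;
        file_cache_dir = "/var/tmp/opensc-cache";   # shared, world-readable
        pin_cache_ignore_user_consent = true;
        builtin_emulators = openpgp, PIV-II, sc-hsm;
        application 0102030405 { type = protected; disable = true; }
    }
}
app opensc-pkcs11 { pkcs11 { lock_login = false; create_puk_slot = true; } }
"""
HARDENED_CONF = """
app default { framework pkcs15 { use_file_caching = false; pin_cache_ignore_user_consent = no; } }
app opensc-pkcs11 { pkcs11 { lock_login = true; create_slots_for_pins = "user", "sign"; } }
"""
```

<code>audit(parse(WEAK_CONF))</code> yields one finding per weak setting in the order the checks run (file caching, ignored user consent, unlocked login, PUK slot), while <code>audit(parse(HARDENED_CONF))</code> returns an empty list; a malformed fragment such as an unterminated block raises <code>ValueError</code> instead of being silently accepted.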
</p></dd></dl></div></div></div><div class="refsect1"><a name="idm971"></a><h2>Environment</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="envar">OPENSC_CONF</code>
</span></dt><dd><p>
Filename of a user-defined configuration file.
</p><p>
If this environment variable is not found on Windows, the registry key <code class="filename">Software\OpenSC Project\OpenSC\ConfigFile</code> is checked.
</p></dd><dt><span class="term">
<code class="envar">OPENSC_DEBUG</code>
</span></dt><dd><p>
See <a class="xref" href="#debug"><code class="option">debug = <em class="replaceable"><code>num</code></em>;</code></a>
</p></dd><dt><span class="term">
<code class="envar">OPENSC_DRIVER</code>
</span></dt><dd><p>
See <a class="xref" href="#card_drivers"><code class="option">card_drivers = <em class="replaceable"><code>name</code></em>... ;</code></a>
</p></dd><dt><span class="term">
<code class="envar">CARDMOD_LOW_LEVEL_DEBUG</code>
</span></dt><dd><p>
Write minidriver debug information to <code class="filename">C:\tmp\md.log</code> if set to <code class="literal">1</code>.
</p><p>
If this environment variable is not found on Windows, the registry key <code class="filename">Software\OpenSC Project\OpenSC\MiniDriverDebug</code> is checked.
</p></dd><dt><span class="term">
<code class="envar">PIV_EXT_AUTH_KEY</code>, <code class="envar">PIV_9A_KEY</code>, <code class="envar">PIV_9C_KEY</code>, <code class="envar">PIV_9D_KEY</code>, <code class="envar">PIV_9E_KEY</code>
</span></dt><dd><p>
PIV configuration during initialization with <span class="application">piv-tool</span>.
</p></dd></dl></div></div><div class="refsect1"><a name="idm1012"></a><h2>Files</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="filename">/usr/etc/opensc.conf</code>
</span></dt><dd><p>
System-wide configuration file
</p></dd><dt><span class="term">
<code class="filename">/usr/share/doc/opensc/opensc.conf</code>
</span></dt><dd><p>
Extended example configuration file
</p></dd></dl></div></div></div><div class="refentry"><div class="refentry.separator"><hr></div><a name="pkcs15-profile"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pkcs15-profile — format of profile for <span class="command"><strong>pkcs15-init</strong></span></p></div><div class="refsect1"><a name="idm1036"></a><h2>Description</h2><p>
The <span class="command"><strong>pkcs15-init</strong></span> utility for PKCS #15 smart card personalization is controlled via profiles. When starting, it currently reads two such profiles: a generic application profile and a card-specific profile. The generic profile must be specified on the command line, while the card-specific file is selected based on the type of card detected.
</p><p>
The generic application profile defines general information about the card layout, such as the path of the application DF, the various PKCS #15 files within that directory, and the access conditions on these files. It also defines general information about PIN, key and certificate objects. Currently, there is only one such generic profile, <code class="filename">pkcs15.profile</code>.
</p><p>
The card-specific profile contains additional information required during card initialization, such as the location of PIN files, key references etc. Profiles currently reside in <code class="filename">@pkgdatadir@</code>.
</p></div><div class="refsect1"><a name="idm1044"></a><h2>Syntax</h2><p>
This section should contain information about the profile syntax. Will add this soonishly.
</p></div><div class="refsect1"><a name="idm1047"></a><h2>See also</h2><p>
<span class="citerefentry"><span class="refentrytitle">pkcs15-init</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">pkcs15-crypt</span>(1)</span>
</p></div></div></div></body></html>