1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687
2688
2689
2690
2691
2692
2693
2694
2695
2696
2697
2698
2699
2700
2701
2702
2703
2704
2705
2706
2707
2708
2709
2710
2711
2712
2713
2714
2715
2716
2717
2718
2719
2720
2721
2722
2723
2724
2725
2726
2727
2728
2729
2730
2731
2732
2733
2734
2735
2736
2737
2738
2739
2740
2741
2742
2743
2744
2745
2746
2747
2748
2749
2750
2751
2752
2753
2754
2755
2756
2757
2758
2759
2760
2761
2762
2763
2764
2765
2766
2767
2768
2769
2770
2771
2772
2773
2774
2775
2776
2777
2778
2779
2780
2781
2782
2783
2784
2785
2786
2787
2788
2789
2790
2791
2792
2793
2794
2795
2796
2797
2798
|
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>OpenSC Manual Pages: Section 1</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><style type="text/css"><!--
body {
font-family: Verdana, Arial;
font-size: 0.9em;
}
.title {
font-size: 1.5em;
text-align: center;
}
.toc b {
font-size: 1.2em;
border-bottom: dashed 1px black;
}
a {
color: blue;
text-decoration: none;
}
a:visited {
color: blue;
text-decoration: none;
}
pre.programlisting {
font-size: 1.1em;
background-color: #EEEEEE ;
border: 1px solid #006600 ;
padding: 1em;
}
span.symbol {
font-weight: bold;
}
span.errorname {
font-weight: bold;
}
span.errortext {
font-style: italic;
}
--></style></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="book"><div class="titlepage"><div><div><h1 class="title"><a name="id-1"></a>OpenSC Manual Pages: Section 1</h1></div></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl class="toc"><dt><span class="refentrytitle"><a href="#cardos-tool">cardos-tool</a></span><span class="refpurpose"> — displays information about Card OS-based security tokens or format them
</span></dt><dt><span class="refentrytitle"><a href="#cryptoflex-tool">cryptoflex-tool</a></span><span class="refpurpose"> — utility for manipulating Schlumberger Cryptoflex data structures</span></dt><dt><span class="refentrytitle"><a href="#dnie-tool">dnie-tool</a></span><span class="refpurpose"> — displays information about DNIe based security tokens</span></dt><dt><span class="refentrytitle"><a href="#egk-tool">egk-tool</a></span><span class="refpurpose"> — displays information on the German electronic health card (elektronische Gesundheitskarte, <abbr class="abbrev">eGK</abbr>)
</span></dt><dt><span class="refentrytitle"><a href="#eidenv">eidenv</a></span><span class="refpurpose"> — utility for accessing visible data from
electronic identity cards</span></dt><dt><span class="refentrytitle"><a href="#gids-tool">gids-tool</a></span><span class="refpurpose"> — smart card utility for GIDS cards</span></dt><dt><span class="refentrytitle"><a href="#cardos-tool">iasecc-tool</a></span><span class="refpurpose"> — displays information about IAS/ECC card
</span></dt><dt><span class="refentrytitle"><a href="#netkey-tool">netkey-tool</a></span><span class="refpurpose"> — administrative utility for Netkey E4 cards</span></dt><dt><span class="refentrytitle"><a href="#npa-tool">npa-tool</a></span><span class="refpurpose"> — displays information on the German eID card (neuer Personalausweis, <abbr class="abbrev">nPA</abbr>).
</span></dt><dt><span class="refentrytitle"><a href="#openpgp-tool">openpgp-tool</a></span><span class="refpurpose"> — utility for accessing visible data OpenPGP smart cards
and compatible tokens</span></dt><dt><span class="refentrytitle"><a href="#opensc-asn1">opensc-asn1</a></span><span class="refpurpose"> — parse ASN.1 data
</span></dt><dt><span class="refentrytitle"><a href="#opensc-explorer">opensc-explorer</a></span><span class="refpurpose"> —
generic interactive utility for accessing smart card
and similar security token functions
</span></dt><dt><span class="refentrytitle"><a href="#opensc-notify">opensc-notify</a></span><span class="refpurpose"> — monitor smart card events and send notifications
</span></dt><dt><span class="refentrytitle"><a href="#opensc-tool">opensc-tool</a></span><span class="refpurpose"> — generic smart card utility</span></dt><dt><span class="refentrytitle"><a href="#piv-tool">piv-tool</a></span><span class="refpurpose"> — smart card utility for HSPD-12 PIV cards</span></dt><dt><span class="refentrytitle"><a href="#pkcs11-tool">pkcs11-tool</a></span><span class="refpurpose"> — utility for managing and using PKCS #11 security tokens</span></dt><dt><span class="refentrytitle"><a href="#pkcs15-crypt">pkcs15-crypt</a></span><span class="refpurpose"> — perform crypto operations using PKCS#15 smart cards</span></dt><dt><span class="refentrytitle"><a href="#pkcs15-init">pkcs15-init</a></span><span class="refpurpose"> — smart card personalization utility</span></dt><dt><span class="refentrytitle"><a href="#pkcs15-tool">pkcs15-tool</a></span><span class="refpurpose"> — utility for manipulating PKCS #15 data structures
on smart cards and similar security tokens</span></dt><dt><span class="refentrytitle"><a href="#sc-hsm-tool">sc-hsm-tool</a></span><span class="refpurpose"> — smart card utility for SmartCard-HSM</span></dt><dt><span class="refentrytitle"><a href="#westcos-tool">westcos-tool</a></span><span class="refpurpose"> — utility for manipulating data structures
on westcos smart cards</span></dt></dl></div><div class="refentry"><a name="cardos-tool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>cardos-tool — displays information about Card OS-based security tokens or format them
</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">cardos-tool</code> [<em class="replaceable"><code>OPTIONS</code></em>]</p></div></div><div class="refsect1"><a name="id-1.2.4"></a><h2>Description</h2><p>
The <span class="command"><strong>cardos-tool</strong></span> utility is used to display information about
smart cards and similar security tokens based on Siemens Card/OS M4.
</p></div><div class="refsect1"><a name="id-1.2.5"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--format</code>,
<code class="option">-f</code>
</span></dt><dd><p>Format the card or token.</p></dd><dt><span class="term">
<code class="option">--help</code>,
<code class="option">-h</code>
</span></dt><dd><p>Print help message on screen.</p></dd><dt><span class="term">
<code class="option">--info</code>,
<code class="option">-i</code>
</span></dt><dd><p>Display information about the card or token.</p></dd><dt><span class="term">
<code class="option">--reader</code> <em class="replaceable"><code>arg</code></em>,
<code class="option">-r</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>
Number of the reader to use. By default, the first
reader with a present card is used. If
<em class="replaceable"><code>arg</code></em> is an ATR, the
reader with a matching card will be chosen.
</p></dd><dt><span class="term">
<code class="option">--startkey</code> <em class="replaceable"><code>arg</code></em>,
<code class="option">-s</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>Specify startkey for format.</p></dd><dt><span class="term">
<code class="option">--change-startkey</code> <em class="replaceable"><code>arg</code></em>,
<code class="option">-S</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>Change Startkey with given APDU command.</p></dd><dt><span class="term">
<code class="option">--verbose</code>,
<code class="option">-v</code>
</span></dt><dd><p>Causes <span class="command"><strong>cardos-tool</strong></span> to be more verbose.
Specify this flag several times to enable debug output in the opensc library.</p></dd><dt><span class="term">
<code class="option">--wait</code>,
<code class="option">-w</code>
</span></dt><dd><p>Causes <span class="command"><strong>cardos-tool</strong></span> to wait for the token
to be inserted into reader.</p></dd></dl></div><p>
</p></div><div class="refsect1"><a name="id-1.2.6"></a><h2>Authors</h2><p><span class="command"><strong>cardos-tool</strong></span> was written by
Andreas Jellinghaus <code class="email"><<a class="email" href="mailto:aj@dungeon.inka.de">aj@dungeon.inka.de</a>></code>.</p></div></div><div class="refentry"><div class="refentry.separator"><hr></div><a name="cryptoflex-tool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>cryptoflex-tool — utility for manipulating Schlumberger Cryptoflex data structures</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">cryptoflex-tool</code> [<em class="replaceable"><code>OPTIONS</code></em>]</p></div></div><div class="refsect1"><a name="id-1.3.4"></a><h2>Description</h2><p>
<span class="command"><strong>cryptoflex-tool</strong></span> is used to manipulate PKCS
data structures on Schlumberger Cryptoflex smart cards. Users
can create, list and read PINs and keys stored on the smart card.
User PIN authentication is performed for those operations that require it.
</p></div><div class="refsect1"><a name="id-1.3.5"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--app-df</code> <em class="replaceable"><code>num</code></em>,
<code class="option">-a</code> <em class="replaceable"><code>num</code></em>
</span></dt><dd><p>Specifies the DF to operate in</p></dd><dt><span class="term">
<code class="option">--create-key-files</code> <em class="replaceable"><code>arg</code></em>,
<code class="option">-c</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>Creates new RSA key files for <em class="replaceable"><code>arg</code></em> keys</p></dd><dt><span class="term">
<code class="option">--create-pin-files</code> <em class="replaceable"><code>id</code></em>,
<code class="option">-P</code> <em class="replaceable"><code>id</code></em>
</span></dt><dd><p>Creates new PIN file for CHV<em class="replaceable"><code>id</code></em></p></dd><dt><span class="term">
<code class="option">--exponent</code> <em class="replaceable"><code>exp</code></em>,
<code class="option">-e</code> <em class="replaceable"><code>exp</code></em>
</span></dt><dd><p>Specifies the RSA exponent, <em class="replaceable"><code>exp</code></em>,
to use in key generation. The default value is 3.</p></dd><dt><span class="term">
<code class="option">--generate-key</code>,
<code class="option">-g</code>
</span></dt><dd><p>Generate a new RSA key pair</p></dd><dt><span class="term">
<code class="option">--key-num</code> <em class="replaceable"><code>num</code></em>,
<code class="option">-k</code> <em class="replaceable"><code>num</code></em>
</span></dt><dd><p>Specifies the key number to operate on. The default is
key number 1.</p></dd><dt><span class="term">
<code class="option">--list-keys</code>,
<code class="option">-l</code>
</span></dt><dd><p>Lists all keys stored in a public key file</p></dd><dt><span class="term">
<code class="option">--modulus-length</code> <em class="replaceable"><code>length</code></em>,
<code class="option">-m</code> <em class="replaceable"><code>length</code></em>
</span></dt><dd><p>Specifies the modulus <em class="replaceable"><code>length</code></em> to use
in key generation. The default value is 1024.</p></dd><dt><span class="term">
<code class="option">--prkey-file</code> <em class="replaceable"><code>id</code></em>,
<code class="option">-p</code> <em class="replaceable"><code>id</code></em>
</span></dt><dd><p>Specifies the private key file id, <em class="replaceable"><code>id</code></em>,
to use</p></dd><dt><span class="term">
<code class="option">--pubkey-file</code> <em class="replaceable"><code>id</code></em>,
<code class="option">-u</code> <em class="replaceable"><code>id</code></em>
</span></dt><dd><p>Specifies the public key file id, <em class="replaceable"><code>id</code></em>,
to use</p></dd><dt><span class="term">
<code class="option">--read-key</code>,
<code class="option">-R</code>
</span></dt><dd><p>Reads a public key from the card, allowing the user to
extract and store or use the public key
</p></dd><dt><span class="term">
<code class="option">--reader</code> <em class="replaceable"><code>arg</code></em>,
<code class="option">-r</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>
Number of the reader to use. By default, the first
reader with a present card is used. If
<em class="replaceable"><code>arg</code></em> is an ATR, the
reader with a matching card will be chosen.
</p></dd><dt><span class="term">
<code class="option">--verbose</code>,
<code class="option">-v</code>
</span></dt><dd><p>Causes <span class="command"><strong>cryptoflex-tool</strong></span> to be more
verbose. Specify this flag several times to enable debug output in
the opensc library.</p></dd><dt><span class="term">
<code class="option">--verify-pin</code>,
<code class="option">-V</code>
</span></dt><dd><p>Verifies CHV1 before issuing commands</p></dd><dt><span class="term">
<code class="option">--wait</code>,
<code class="option">-w</code>
</span></dt><dd><p>Causes <span class="command"><strong>cryptoflex-tool</strong></span> to
wait for a card insertion.</p></dd></dl></div><p>
</p></div><div class="refsect1"><a name="id-1.3.6"></a><h2>See also</h2><p>
<span class="citerefentry"><span class="refentrytitle">pkcs15-tool</span>(1)</span>
</p></div><div class="refsect1"><a name="id-1.3.7"></a><h2>Authors</h2><p><span class="command"><strong>cryptoflex-tool</strong></span> was written by
Juha Yrjölä <code class="email"><<a class="email" href="mailto:juha.yrjola@iki.fi">juha.yrjola@iki.fi</a>></code>.</p></div></div><div class="refentry"><div class="refentry.separator"><hr></div><a name="dnie-tool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>dnie-tool — displays information about DNIe based security tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">dnie-tool</code> [<em class="replaceable"><code>OPTIONS</code></em>]</p></div></div><div class="refsect1"><a name="id-1.4.4"></a><h2>Description</h2><p>
The <span class="command"><strong>dnie-tool</strong></span> utility is used to display additional information about DNIe, the Spanish National eID card.
</p></div><div class="refsect1"><a name="id-1.4.5"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--idesp</code>,
<code class="option">-i</code>
</span></dt><dd><p>Show the DNIe IDESP value.</p></dd><dt><span class="term">
<code class="option">--data</code>,
<code class="option">-d</code>
</span></dt><dd><p>Show DNIe personal information.
Reads and print DNIe number and User Name and SurName</p></dd><dt><span class="term">
<code class="option">--all</code>,
<code class="option">-a</code>
</span></dt><dd><p>Displays every available information.
This command is equivalent to -d -i -V -s</p></dd><dt><span class="term">
<code class="option">--serial</code>,
<code class="option">-s</code>
</span></dt><dd><p>Displays DNIe Serial Number
</p></dd><dt><span class="term">
<code class="option">--version</code>,
<code class="option">-V</code>
</span></dt><dd><p>Show DNIe sw version.
Displays software version for in-card DNIe OS</p></dd><dt><span class="term">
<code class="option">--pin</code> <em class="replaceable"><code>pin</code></em>,
<code class="option">-p</code> <em class="replaceable"><code>pin</code></em>
</span></dt><dd><p>
These options can be used to specify the PIN value
on the command line. If the value is set to
<code class="literal">env:</code><em class="replaceable"><code>VARIABLE</code></em>, the value
of the specified environment variable is used. By default,
the code is prompted on the command line if needed.
</p><p>
Note that on most operation systems, any user can
display the command line of any process on the
system using utilities such as
<span class="command"><strong>ps(1)</strong></span>. Therefore, you should prefer
passing the codes via an environment variable
on an unsecured system.
</p></dd><dt><span class="term">
<code class="option">--reader</code> <em class="replaceable"><code>arg</code></em>,
<code class="option">-r</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>
Number of the reader to use. By default, the first
reader with a present card is used. If
<em class="replaceable"><code>arg</code></em> is an ATR, the
reader with a matching card will be chosen.
</p></dd><dt><span class="term">
<code class="option">--wait</code>,
<code class="option">-w</code>
</span></dt><dd><p>Causes <span class="command"><strong>dnie-tool</strong></span> to wait for the token to be inserted into reader.</p></dd><dt><span class="term">
<code class="option">--verbose</code>,
<code class="option">-v</code>
</span></dt><dd><p>Causes <span class="command"><strong>dnie-tool</strong></span> to be more verbose.
Specify this flag several times
to enable debug output in the opensc library.</p></dd></dl></div><p>
</p></div><div class="refsect1"><a name="id-1.4.6"></a><h2>Authors</h2><p><span class="command"><strong>dnie-tool</strong></span> was written by
Juan Antonio Martinez <code class="email"><<a class="email" href="mailto:jonsito@terra.es">jonsito@terra.es</a>></code>.</p></div></div><div class="refentry"><div class="refentry.separator"><hr></div><a name="egk-tool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>egk-tool — displays information on the German electronic health card (elektronische Gesundheitskarte, <abbr class="abbrev">eGK</abbr>)
</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">egk-tool</code> [<em class="replaceable"><code>OPTIONS</code></em>]</p></div></div><div class="refsect1"><a name="id-1.5.4"></a><h2>Description</h2><p>
The <span class="command"><strong>egk-tool</strong></span> utility is used to display information stored on the German elektronic health card (elektronische Gesundheitskarte, <abbr class="abbrev">eGK</abbr>).
</p></div><div class="refsect1"><a name="id-1.5.5"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--help</code>,
<code class="option">-h</code></span></dt><dd><p>Print help and exit.</p></dd><dt><span class="term">
<code class="option">--version</code>,
<code class="option">-V</code></span></dt><dd><p>Print version and exit.</p></dd><dt><span class="term">
<code class="option">--reader</code> <em class="replaceable"><code>arg</code></em>,
<code class="option">-r</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>
Number of the reader to use. By default, the first
reader with a present card is used. If
<em class="replaceable"><code>arg</code></em> is an ATR, the
reader with a matching card will be chosen.
</p></dd><dt><span class="term">
<code class="option">--verbose</code>,
<code class="option">-v</code>
</span></dt><dd><p>
Causes <span class="command"><strong>egk-tool</strong></span> to be more verbose.
Specify this flag several times to be more verbose.
</p></dd></dl></div><p>
</p><div class="refsect2"><a name="id-1.5.5.3"></a><h3>'Gesundheitsanwendung', Health Care Application (<abbr class="abbrev">HCA</abbr>)</h3><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">--pd</code></span></dt><dd><p>
Show 'Persönliche Versichertendaten' (XML).
</p></dd><dt><span class="term"><code class="option">--vd</code></span></dt><dd><p>
Show 'Allgemeine Versichertendaten' (XML).
</p></dd><dt><span class="term"><code class="option">--gvd</code></span></dt><dd><p>
Show 'Geschützte Versichertendaten' (XML).
</p></dd><dt><span class="term"><code class="option">--vsd-status</code></span></dt><dd><p>
Show 'Versichertenstammdaten-Status'.
</p></dd></dl></div></div></div><div class="refsect1"><a name="id-1.5.6"></a><h2>Authors</h2><p><span class="command"><strong>egk-tool</strong></span> was written by
Frank Morgner <code class="email"><<a class="email" href="mailto:frankmorgner@gmail.com">frankmorgner@gmail.com</a>></code>.</p></div></div><div class="refentry"><div class="refentry.separator"><hr></div><a name="eidenv"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>eidenv — utility for accessing visible data from
electronic identity cards</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">eidenv</code> [<em class="replaceable"><code>OPTIONS</code></em>]</p></div></div><div class="refsect1"><a name="id-1.6.4"></a><h2>Description</h2><p>
The <span class="command"><strong>eidenv</strong></span> utility is used for
accessing data from electronic identity cards (like
national eID cards) which might not be present in
PKCS#15 objects but available in custom files on the
card. The data can be printed on screen or used by
other programs via environment variables.
</p></div><div class="refsect1"><a name="id-1.6.5"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--exec</code> <em class="replaceable"><code>prog</code></em>,
<code class="option">-x</code> <em class="replaceable"><code>prog</code></em>
</span></dt><dd><p>Executes the given program with
data in environment variables.</p></dd><dt><span class="term">
<code class="option">--help</code>,
<code class="option">-h</code>
</span></dt><dd><p>Print help message on screen.</p></dd><dt><span class="term">
<code class="option">--print</code>,
<code class="option">-p</code>
</span></dt><dd><p>Prints all data
fields from the card, like validity
period, document number etc.</p></dd><dt><span class="term">
<code class="option">--reader</code> <em class="replaceable"><code>arg</code></em>,
<code class="option">-r</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>
Number of the reader to use. By default, the first
reader with a present card is used. If
<em class="replaceable"><code>arg</code></em> is an ATR, the
reader with a matching card will be chosen.
</p></dd><dt><span class="term">
<code class="option">--stats</code>,
<code class="option">-t</code>
</span></dt><dd><p>Prints key usage statistics
(only for Estonian ID card).</p></dd><dt><span class="term">
<code class="option">--version</code>,
<code class="option">-v</code>
</span></dt><dd><p>Prints the version
of the utility and exits.</p></dd><dt><span class="term">
<code class="option">--wait</code>,
<code class="option">-w</code>
</span></dt><dd><p>Wait for a card to be inserted</p></dd></dl></div><p>
</p></div><div class="refsect1"><a name="id-1.6.6"></a><h2>Authors</h2><p><span class="command"><strong>eidenv</strong></span> utility was written by
Stef Hoeben and Martin Paljak <code class="email"><<a class="email" href="mailto:martin@martinpaljak.net">martin@martinpaljak.net</a>></code>.</p></div></div><div class="refentry"><div class="refentry.separator"><hr></div><a name="gids-tool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>gids-tool — smart card utility for GIDS cards</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">gids-tool</code> [<em class="replaceable"><code>OPTIONS</code></em>]</p></div></div><div class="refsect1"><a name="id-1.7.4"></a><p>
The <span class="command"><strong>gids-tool</strong></span> utility can be used from the command line to perform
miscellaneous smart card operations on a GIDS smart card.
</p></div><div class="refsect1"><a name="id-1.7.5"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">-X</code>,
<code class="option">--initialize</code>
</span></dt><dd><p>Initialize token.</p></dd><dt><span class="term">
<code class="option">--admin-key</code> <em class="replaceable"><code>argument</code></em>
</span></dt><dd><p>Define the administrator key</p></dd><dt><span class="term">
<code class="option">--pin</code> <em class="replaceable"><code>pin</code></em>
</span></dt><dd><p>
This option can be used to specify the PIN value
on the command line. If the value is set to
<code class="literal">env:</code><em class="replaceable"><code>VARIABLE</code></em>, the value
of the specified environment variable is used. By default,
the code is prompted on the command line if needed.
</p><p>
Note that on most operation systems, any user can
display the command line of any process on the
system using utilities such as
<span class="command"><strong>ps(1)</strong></span>. Therefore, you should prefer
passing the codes via an environment variable
on an unsecured system.
</p></dd><dt><span class="term">
<code class="option">--serial-number</code> <em class="replaceable"><code>argument</code></em>
</span></dt><dd><p>Define serial number.</p></dd><dt><span class="term">
<code class="option">-U</code>,
<code class="option">--unblock</code>
</span></dt><dd><p>Unblock the user PIN after an administrator
authentication.</p></dd><dt><span class="term">
<code class="option">-C</code>,
<code class="option">--change-admin-key</code>
</span></dt><dd><p>Change the administrator key.</p></dd><dt><span class="term">
<code class="option">--new-admin-key</code> <em class="replaceable"><code>argument</code></em>
</span></dt><dd><p>Define the new administrator key.</p></dd><dt><span class="term">
<code class="option">--reader</code> <em class="replaceable"><code>argument</code></em>,
<code class="option">-r</code> <em class="replaceable"><code>argument</code></em>
</span></dt><dd><p>
Number of the reader to use. By default, the first
reader with a present card is used. If
<em class="replaceable"><code>argument</code></em> is an ATR, the
reader with a matching card will be chosen.
</p></dd><dt><span class="term">
<code class="option">-w</code>,
<code class="option">--wait</code>
</span></dt><dd><p>Wait for a card to be inserted.</p></dd><dt><span class="term">
<code class="option">-v</code>,
<code class="option">--verbose</code>
</span></dt><dd><p>Verbose operation. Use several times to
enable debug output.</p></dd></dl></div><p>
</p></div><div class="refsect1"><a name="id-1.7.6"></a><h2>See also</h2><p>
<span class="citerefentry"><span class="refentrytitle">opensc-tool</span>(1)</span>
</p></div><div class="refsect1"><a name="id-1.7.7"></a><h2>Authors</h2><p><span class="command"><strong>gids-tool</strong></span> was written by
Vincent Le Toux <code class="email"><<a class="email" href="mailto:vincent.letoux@mysmartlogon.com">vincent.letoux@mysmartlogon.com</a>></code>.</p></div></div><div class="refentry"><div class="refentry.separator"><hr></div><a name="cardos-tool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>iasecc-tool — displays information about IAS/ECC card
</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">iasecc-tool</code> [<em class="replaceable"><code>OPTIONS</code></em>]</p></div></div><div class="refsect1"><a name="id-1.8.4"></a><h2>Description</h2><p>
The <span class="command"><strong>iasecc-tool</strong></span> utility is used to display information about IAS/ECC v1.0.1 smart cards.
</p></div><div class="refsect1"><a name="id-1.8.5"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--reader</code> <em class="replaceable"><code>arg</code></em>,
</span></dt><dd><p>
Number of the reader to use. By default, the first
reader with a present card is used. If
<em class="replaceable"><code>arg</code></em> is an ATR, the
reader with a matching card will be chosen.
</p></dd><dt><span class="term">
<code class="option">--list-applications</code>,
</span></dt><dd><p>Get list of the on-card applications.</p></dd><dt><span class="term">
<code class="option">--aid</code> <em class="replaceable"><code>hex-aid</code></em>,
</span></dt><dd><p>Select <em class="replaceable"><code>hex-aid</code></em> before processing.</p></dd><dt><span class="term">
<code class="option">--list-sdos</code> <em class="replaceable"><code>sdo-type</code></em>,
</span></dt><dd><p>List SDOs of the given <em class="replaceable"><code>sdo-type</code></em>,
present in default or selected application.</p></dd><dt><span class="term">
<code class="option">--verbose</code>,
<code class="option">-v</code>
</span></dt><dd><p>Causes <span class="command"><strong>cardos-tool</strong></span> to be more verbose.
Specify this flag several times to enable debug output in the opensc library.</p></dd><dt><span class="term">
<code class="option">--wait</code>,
<code class="option">-w</code>
</span></dt><dd><p>Causes <span class="command"><strong>iasecc-tool</strong></span> to wait for the token
to be inserted into reader.</p></dd></dl></div><p>
</p></div><div class="refsect1"><a name="id-1.8.6"></a><h2>Authors</h2><p><span class="command"><strong>iasecc-tool</strong></span> was written by
Viktor Tarasov <code class="email"><<a class="email" href="mailto:viktor.tarasov@gmail.com">viktor.tarasov@gmail.com</a>></code>.</p></div></div><div class="refentry"><div class="refentry.separator"><hr></div><a name="netkey-tool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>netkey-tool — administrative utility for Netkey E4 cards</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">netkey-tool</code> [<em class="replaceable"><code>OPTIONS</code></em>] [<em class="replaceable"><code>COMMAND</code></em>]</p></div></div><div class="refsect1"><a name="id-1.9.4"></a><h2>Description</h2><p>The <span class="command"><strong>netkey-tool</strong></span> utility can be used from the
command line to perform some smart card operations with NetKey E4 cards
that cannot be done easily with other OpenSC-tools, such as changing local
PINs, storing certificates into empty NetKey E4 cert-files or displaying
the initial PUK-value.</p></div><div class="refsect1"><a name="id-1.9.5"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--help</code>,
<code class="option">-h</code>
</span></dt><dd><p>Displays a short help message.</p></dd><dt><span class="term">
<code class="option">--pin</code> <em class="replaceable"><code>pin</code></em>,
<code class="option">-p</code> <em class="replaceable"><code>pin</code></em>
</span></dt><dd><p>Specifies the current value of the global PIN.</p></dd><dt><span class="term">
<code class="option">--puk</code> <em class="replaceable"><code>pin</code></em>,
<code class="option">-u</code> <em class="replaceable"><code>pin</code></em>
</span></dt><dd><p>Specifies the current value of the global PUK.</p></dd><dt><span class="term">
<code class="option">--pin0</code> <em class="replaceable"><code>pin</code></em>,
<code class="option">-0</code> <em class="replaceable"><code>pin</code></em>
</span></dt><dd><p>Specifies the current value of the local PIN0 (aka local PIN).</p></dd><dt><span class="term">
<code class="option">--pin1</code> <em class="replaceable"><code>pin</code></em>,
<code class="option">-1</code> <em class="replaceable"><code>pin</code></em>
</span></dt><dd><p>Specifies the current value of the local PIN1 (aka local PUK).</p></dd><dt><span class="term">
<code class="option">--reader</code> <em class="replaceable"><code>arg</code></em>,
<code class="option">-r</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>
Number of the reader to use. By default, the first
reader with a present card is used. If
<em class="replaceable"><code>arg</code></em> is an ATR, the
reader with a matching card will be chosen.
</p></dd><dt><span class="term">
<code class="option">-v</code>
</span></dt><dd><p>Causes <span class="command"><strong>netkey-tool</strong></span> to be more verbose. This
options may be specified multiple times to increase verbosity.</p></dd></dl></div><p>
</p></div><div class="refsect1"><a name="id-1.9.6"></a><h2>PIN format</h2><p>With the <code class="option">-p</code>, <code class="option">-u</code>, <code class="option">-0</code> or the <code class="option">-1</code>
one of the cards pins may be specified. You may use plain ascii-strings (i.e. 123456) or a hex-string
(i.e. 31:32:33:34:35:36). A hex-string must consist of exactly n 2-digit hexnumbers separated by n-1 colons.
Otherwise it will be interpreted as an ascii string. For example :12:34: and 1:2:3:4 are both pins of
length 7, while 12:34 and 01:02:03:04 are pins of length 2 and 4.</p></div><div class="refsect1"><a name="id-1.9.7"></a><h2>Commands</h2><p>When used without any options or commands, <span class="command"><strong>netkey-tool</strong></span> will
display information about the smart cards pins and certificates. This will not change
your card in any aspect (assumed there are no bugs in <span class="command"><strong>netkey-tool</strong></span>).
In particular the tries-left counters of the pins are investigated without doing
actual pin-verifications.</p><p>If you specify the global PIN via the <code class="option">--pin</code> option,
<span class="command"><strong>netkey-tool</strong></span> will also display the initial value of the cards
global PUK. If your global PUK was changed <span class="command"><strong>netkey-tool</strong></span> will still
display its initial value. There's no way to recover a lost global PUK once it was changed.
There's also no way to display the initial value of your global PUK without knowing the
current value of your global PIN. </p><p>For most of the commands that <span class="command"><strong>netkey-tool</strong></span> can execute, you have
to specify one pin. One notable exception is the <span class="command"><strong>nullpin</strong></span> command, but
this command can only be executed once in the lifetime of a NetKey E4 card.</p><p>
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<span class="command"><strong>cert</strong></span> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>filename</code></em>
</span></dt><dd><p>This command will read one of your cards certificates (as specified by
<em class="replaceable"><code>number</code></em>) and save this certificate into file <em class="replaceable"><code>filename</code></em>
in PEM-format. Certificates on a NetKey E4 card are readable without a pin, so you don't
have to specify one.</p></dd><dt><span class="term">
<span class="command"><strong>cert</strong></span> <em class="replaceable"><code>filename</code></em> <em class="replaceable"><code>number</code></em>
</span></dt><dd><p>This command will read the first PEM-encoded certificate from file
<em class="replaceable"><code>filename</code></em> and store this into your smart cards certificate file
<em class="replaceable"><code>number</code></em>. Some of your smart cards certificate files might be readonly, so
this will not work with all values of <em class="replaceable"><code>number</code></em>. If a certificate file is
writable you must specify a pin in order to change it. If you try to use this command
without specifying a pin, <span class="command"><strong>netkey-tool</strong></span> will tell you which one is
needed.</p></dd><dt><span class="term">
<span class="command"><strong>change</strong></span>
{ pin | puk | pin0 | pin1 }
<em class="replaceable"><code>new-pin</code></em>
</span></dt><dd><p>This changes the value of the specified pin to the given new value.
You must specify either the current value of the pin or another pin to be able to do
this and if you don't specify a correct one, <span class="command"><strong>netkey-tool</strong></span> will tell
you which one is needed.</p></dd><dt><span class="term">
<span class="command"><strong>nullpin</strong></span> <em class="replaceable"><code>initial-pin</code></em>
</span></dt><dd><p>This command can be executed only if the global PIN of your card is
in nullpin-state. There's no way to return back to nullpin-state once you have changed
your global PIN. You don't need a pin to execute the nullpin-command. After a successful
nullpin-command <span class="command"><strong>netkey-tool</strong></span> will display your cards initial
PUK-value.</p></dd><dt><span class="term">
<span class="command"><strong>unblock</strong></span>
{ pin | pin0 | pin1 }
</span></dt><dd><p>This unblocks the specified pin. You must specify another pin
to be able to do this and if you don't specify a correct one,
<span class="command"><strong>netkey-tool</strong></span> will tell you which one is needed.</p></dd></dl></div><p>
</p></div><div class="refsect1"><a name="id-1.9.8"></a><h2>See also</h2><p>
<span class="citerefentry"><span class="refentrytitle">opensc-explorer</span>(1)</span>
</p></div><div class="refsect1"><a name="id-1.9.9"></a><h2>Authors</h2><p><span class="command"><strong>netkey-tool</strong></span> was written by
Peter Koch <code class="email"><<a class="email" href="mailto:pk_opensc@web.de">pk_opensc@web.de</a>></code>.</p></div></div><div class="refentry"><div class="refentry.separator"><hr></div><a name="npa-tool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>npa-tool — displays information on the German eID card (neuer Personalausweis, <abbr class="abbrev">nPA</abbr>).
</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">npa-tool</code> [<em class="replaceable"><code>OPTIONS</code></em>]</p></div></div><div class="refsect1"><a name="id-1.10.4"></a><h2>Description</h2><p>
The <span class="command"><strong>npa-tool</strong></span> utility is used to display information
stored on the German eID card (neuer Personalausweis, <abbr class="abbrev">nPA</abbr>),
and to perform some write and verification operations.
</p><p>
Extended Access Control version 2 is performed according to ICAO Doc
9303 or BSI TR-03110 so that other identity cards and machine
readable travel documents (MRTDs) may be read as well.
</p></div><div class="refsect1"><a name="id-1.10.5"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--help</code>,
<code class="option">-h</code></span></dt><dd><p>Print help and exit.</p></dd><dt><span class="term">
<code class="option">--version</code>,
<code class="option">-V</code></span></dt><dd><p>Print version and exit.</p></dd><dt><span class="term">
<code class="option">--reader</code> <em class="replaceable"><code>arg</code></em>,
<code class="option">-r</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>
Number of the reader to use. By default, the first
reader with a present card is used. If
<em class="replaceable"><code>arg</code></em> is an ATR, the
reader with a matching card will be chosen.
</p></dd><dt><span class="term">
<code class="option">--verbose</code>,
<code class="option">-v</code>
</span></dt><dd><p>
Causes <span class="command"><strong>npa-tool</strong></span> to be more verbose.
Specify this flag several times to be more verbose.
</p></dd></dl></div><p>
</p><div class="refsect2"><a name="id-1.10.5.3"></a><h3>Password Authenticated Connection Establishment (<abbr class="abbrev">PACE</abbr>)</h3><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--pin</code> [<em class="replaceable"><code>STRING</code></em>],
<code class="option">-p</code> [<em class="replaceable"><code>STRING</code></em>]
</span></dt><dd><p>
Run <abbr class="abbrev">PACE</abbr> with (transport) eID-PIN.
</p></dd><dt><span class="term">
<code class="option">--puk</code> [<em class="replaceable"><code>STRING</code></em>],
<code class="option">-u</code> [<em class="replaceable"><code>STRING</code></em>]
</span></dt><dd><p>
Run <abbr class="abbrev">PACE</abbr> with PUK.
</p></dd><dt><span class="term">
<code class="option">--can</code> [<em class="replaceable"><code>STRING</code></em>],
<code class="option">-c</code> [<em class="replaceable"><code>STRING</code></em>]
</span></dt><dd><p>
Run <abbr class="abbrev">PACE</abbr> with Card Access Number (<abbr class="abbrev">CAN</abbr>).
</p></dd><dt><span class="term">
<code class="option">--mrz</code> [<em class="replaceable"><code>STRING</code></em>],
<code class="option">-m</code> [<em class="replaceable"><code>STRING</code></em>]
</span></dt><dd><p>
Run <abbr class="abbrev">PACE</abbr> with Machine Readable Zone (<abbr class="abbrev">MRZ</abbr>).
Enter the <abbr class="abbrev">MRZ</abbr> without newlines.
</p></dd><dt><span class="term"><code class="option">--env</code></span></dt><dd><p>
Specify whether to use environment variables <code class="envar">PIN</code>,
<code class="envar">PUK</code>, <code class="envar">CAN</code>, <code class="envar">MRZ</code>,
and <code class="envar">NEWPIN</code>.
You may want to clean your environment before enabling this.
(default=off)
</p></dd></dl></div></div><div class="refsect2"><a name="id-1.10.5.4"></a><h3>PIN management</h3><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--new-pin</code> [<em class="replaceable"><code>STRING</code></em>],
<code class="option">-N</code> [<em class="replaceable"><code>STRING</code></em>]
</span></dt><dd><p>
Install a new PIN.
</p></dd><dt><span class="term">
<code class="option">--resume</code>,
<code class="option">-R</code>
</span></dt><dd><p>
Resume eID-PIN (uses <abbr class="abbrev">CAN</abbr> to activate last retry).
(default=off)
</p></dd><dt><span class="term">
<code class="option">--unblock</code>,
<code class="option">-U</code>
</span></dt><dd><p>
Unblock PIN (uses PUK to activate three more retries).
(default=off)
</p></dd></dl></div></div><div class="refsect2"><a name="id-1.10.5.5"></a><h3>Terminal Authentication (<abbr class="abbrev">TA</abbr>) and Chip Authentication (<abbr class="abbrev">CA</abbr>)</h3><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--cv-certificate</code> <em class="replaceable"><code>FILENAME</code></em>,
<code class="option">-C</code> <em class="replaceable"><code>FILENAME</code></em>
</span></dt><dd><p>
Specify Card Verifiable (<abbr class="abbrev">CV</abbr>) certificate
to create a certificate chain.
The option can be given multiple times, in which case the
order is important.
</p></dd><dt><span class="term"><code class="option">--cert-desc</code> <em class="replaceable"><code>HEX_STRING</code></em></span></dt><dd><p>
Certificate description to show for Terminal Authentication.
</p></dd><dt><span class="term"><code class="option">--chat</code> <em class="replaceable"><code>HEX_STRING</code></em></span></dt><dd><p>
Specify the Card Holder Authorization Template
(<abbr class="abbrev">CHAT</abbr>) to use.
If not given, it defaults to the terminal's CHAT.
Use <code class="literal">7F4C0E060904007F000703010203530103</code>
to trigger EAC on the CAT-C (Komfortleser).
</p></dd><dt><span class="term">
<code class="option">--auxiliary-data</code> <em class="replaceable"><code>HEX_STRING</code></em>,
<code class="option">-A</code> <em class="replaceable"><code>HEX_STRING</code></em>
</span></dt><dd><p>
Specify the terminal's auxiliary data.
If not given, the default is determined by verification
of validity, age and community ID.
</p></dd><dt><span class="term">
<code class="option">--private-key</code> <em class="replaceable"><code>FILENAME</code></em>,
<code class="option">-P</code> <em class="replaceable"><code>FILENAME</code></em>
</span></dt><dd><p>
Specify the terminal's private key.
</p></dd><dt><span class="term"><code class="option">--cvc-dir</code> <em class="replaceable"><code>DIRECTORY</code></em></span></dt><dd><p>
Specify where to look for the certificate of the
Country Verifying Certification Authority
(<abbr class="abbrev">CVCA</abbr>).
If not given, it defaults to
<code class="filename">/home/fm/.local/etc/eac/cvc</code>.
</p></dd><dt><span class="term">
<code class="option">--x509-dir</code> <em class="replaceable"><code>DIRECTORY</code></em></span></dt><dd><p>
Specify where to look for the X.509 certificate.
If not given, it defaults to
<code class="filename">/home/fm/.local/etc/eac/x509</code>.
</p></dd><dt><span class="term"><code class="option">--disable-ta-checks</code></span></dt><dd><p>
Disable checking the validity period of CV certificates.
(default=off)
</p></dd><dt><span class="term"><code class="option">--disable-ca-checks</code></span></dt><dd><p>
Disable passive authentication. (default=off)
</p></dd></dl></div></div><div class="refsect2"><a name="id-1.10.5.6"></a><h3>Read and write data groups</h3><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">--read-dg1</code></span></dt><dd><p>Read data group 1: Document Type.</p></dd><dt><span class="term"><code class="option">--read-dg2</code></span></dt><dd><p>Read data group 2: Issuing State.</p></dd><dt><span class="term"><code class="option">--read-dg3</code></span></dt><dd><p>Read data group 3: Date of Expiry.</p></dd><dt><span class="term"><code class="option">--read-dg4</code></span></dt><dd><p>Read data group 4: Given Name(s).</p></dd><dt><span class="term"><code class="option">--read-dg5</code></span></dt><dd><p>Read data group 5: Family Name.</p></dd><dt><span class="term"><code class="option">--read-dg6</code></span></dt><dd><p>Read data group 6: Religious/Artistic Name.</p></dd><dt><span class="term"><code class="option">--read-dg7</code></span></dt><dd><p>Read data group 7: Academic Title.</p></dd><dt><span class="term"><code class="option">--read-dg8</code></span></dt><dd><p>Read data group 8: Date of Birth.</p></dd><dt><span class="term"><code class="option">--read-dg9</code></span></dt><dd><p>Read data group 9: Place of Birth.</p></dd><dt><span class="term"><code class="option">--read-dg10</code></span></dt><dd><p>Read data group 10: Nationality.</p></dd><dt><span class="term"><code class="option">--read-dg11</code></span></dt><dd><p>Read data group 11: Sex.</p></dd><dt><span class="term"><code class="option">--read-dg12</code></span></dt><dd><p>Read data group 12: Optional Data.</p></dd><dt><span class="term"><code class="option">--read-dg13</code></span></dt><dd><p>Read data group 13: Birth Name.</p></dd><dt><span class="term"><code class="option">--read-dg14</code></span></dt><dd><p>Read data group 14.</p></dd><dt><span class="term"><code class="option">--read-dg15</code></span></dt><dd><p>Read data group 15.</p></dd><dt><span class="term"><code class="option">--read-dg16</code></span></dt><dd><p>Read data group 16.</p></dd><dt><span class="term"><code class="option">--read-dg17</code></span></dt><dd><p>Read data group 17: Normal Place of Residence.</p></dd><dt><span class="term"><code class="option">--read-dg18</code></span></dt><dd><p>Read data group 18: Community ID.</p></dd><dt><span class="term"><code class="option">--read-dg19</code></span></dt><dd><p>Read data group 19: Residence Permit I.</p></dd><dt><span class="term"><code class="option">--read-dg20</code></span></dt><dd><p>Read data group 20: Residence Permit II.</p></dd><dt><span class="term"><code class="option">--read-dg21</code></span></dt><dd><p>Read data group 21: Optional Data.</p></dd><dt><span class="term">
<code class="option">--write-dg17</code> <em class="replaceable"><code>HEX_STRING</code></em></span></dt><dd><p>Write data group 17: Normal Place of Residence.</p></dd><dt><span class="term">
<code class="option">--write-dg18</code> <em class="replaceable"><code>HEX_STRING</code></em></span></dt><dd><p>Write data group 18: Community ID.</p></dd><dt><span class="term">
<code class="option">--write-dg19</code> <em class="replaceable"><code>HEX_STRING</code></em></span></dt><dd><p>Write data group 19: Residence Permit I.</p></dd><dt><span class="term">
<code class="option">--write-dg20</code> <em class="replaceable"><code>HEX_STRING</code></em></span></dt><dd><p>Write data group 20: Residence Permit II.</p></dd><dt><span class="term"><code class="option">--write-dg21</code> <em class="replaceable"><code>HEX_STRING</code></em></span></dt><dd><p>Write data group 21: Optional Data.</p></dd></dl></div></div><div class="refsect2"><a name="id-1.10.5.7"></a><h3>Verification of validity, age and community ID</h3><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">--verify-validity</code> <em class="replaceable"><code>YYYYMMDD</code></em></span></dt><dd><p>
Verify chip's validity with a reference date.
</p></dd><dt><span class="term"><code class="option">--older-than</code> <em class="replaceable"><code>YYYYMMDD</code></em></span></dt><dd><p>
Verify age with a reference date.
</p></dd><dt><span class="term"><code class="option">--verify-community</code> <em class="replaceable"><code>HEX_STRING</code></em></span></dt><dd><p>
Verify community ID with a reference ID.
</p></dd></dl></div></div><div class="refsect2"><a name="id-1.10.5.8"></a><h3>Special options, not always useful</h3><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--break</code>,
<code class="option">-b</code>
</span></dt><dd><p>
Brute force PIN, CAN or PUK.
Use together with options <code class="option">-p</code>,
<code class="option">-a</code>, or <code class="option">-u</code>.
(default=off)
</p></dd><dt><span class="term">
<code class="option">--translate</code> <em class="replaceable"><code>FILENAME</code></em>,
<code class="option">-t</code> <em class="replaceable"><code>FILENAME</code></em>
</span></dt><dd><p>
Specify the file with APDUs of HEX_STRINGs to send
through the secure channel.
(default=`stdin')
</p></dd><dt><span class="term"><code class="option">--tr-03110v201</code></span></dt><dd><p>
Force compliance to BSI TR-03110 version 2.01. (default=off)
</p></dd><dt><span class="term"><code class="option">--disable-all-checks</code></span></dt><dd><p>
Disable all checking of fly-by-data. (default=off)
</p></dd></dl></div></div></div><div class="refsect1"><a name="id-1.10.6"></a><h2>Authors</h2><p><span class="command"><strong>npa-tool</strong></span> was written by
Frank Morgner <code class="email"><<a class="email" href="mailto:frankmorgner@gmail.com">frankmorgner@gmail.com</a>></code>.</p></div></div><div class="refentry"><div class="refentry.separator"><hr></div><a name="openpgp-tool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>openpgp-tool — utility for accessing visible data OpenPGP smart cards
and compatible tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">openpgp-tool</code> [<em class="replaceable"><code>OPTIONS</code></em>]</p></div></div><div class="refsect1"><a name="id-1.11.4"></a><h2>Description</h2><p>
The <span class="command"><strong>openpgp-tool</strong></span> utility is used for
accessing data from the OpenPGP v1.1 and v2.0 smart cards
and compatible tokens like e.g. GPF CryptoStick v1.x,
which might not be present in
PKCS#15 objects but available in custom files on the
card. The data can be printed on screen or used by
other programs via environment variables.
</p></div><div class="refsect1"><a name="id-1.11.5"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--card-info</code>,
<code class="option">-C</code>
</span></dt><dd><p>
Show card information.
</p></dd><dt><span class="term">
<code class="option">--del-key</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>
Delete key indicated by <em class="replaceable"><code>arg</code></em>.
<em class="replaceable"><code>arg</code></em> can be <code class="literal">1</code>,
<code class="literal">2</code>, <code class="literal">3</code>, or
<code class="literal">all</code>.
</p></dd><dt><span class="term">
<code class="option">--do</code> <em class="replaceable"><code>arg</code></em>,
<code class="option">-d</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>
Dump private data object (<abbr class="abbrev">DO</abbr>)
indicated by <em class="replaceable"><code>arg</code></em>.
<em class="replaceable"><code>arg</code></em> can be in the form
<em class="replaceable"><code>x</code></em>,
<code class="literal">10</code><em class="replaceable"><code>x</code></em>, or
<code class="literal">010</code><em class="replaceable"><code>x</code></em>
to access <code class="literal">DO 010</code><em class="replaceable"><code>x</code></em>,
where <em class="replaceable"><code>x</code></em> is <code class="literal">1</code>,
<code class="literal">2</code>, <code class="literal">3</code>, or
<code class="literal">4</code>.
</p></dd><dt><span class="term">
<code class="option">--erase</code>,
<code class="option">-E</code>
</span></dt><dd><p>
Erase (i.e. reset) the card.
</p></dd><dt><span class="term">
<code class="option">--exec</code> <em class="replaceable"><code>prog</code></em>,
<code class="option">-x</code> <em class="replaceable"><code>prog</code></em>
</span></dt><dd><p>
Execute the given program with data in environment variables.
</p></dd><dt><span class="term">
<code class="option">--gen-key</code> <em class="replaceable"><code>arg</code></em>,
<code class="option">-G</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>
Generate key with the ID given as <em class="replaceable"><code>arg</code></em>.
<em class="replaceable"><code>arg</code></em> can be one of <code class="literal">1</code>,
<code class="literal">2</code>, or <code class="literal">3</code>.
</p></dd><dt><span class="term">
<code class="option">--help</code>,
<code class="option">-h</code>
</span></dt><dd><p>
Print help message on screen.
</p></dd><dt><span class="term">
<code class="option">--key-info</code>,
<code class="option">-K</code>
</span></dt><dd><p>
Show information of keys on the card.
</p></dd><dt><span class="term">
<code class="option">--key-type</code> <em class="replaceable"><code>keytype</code></em>,
<code class="option">-t</code> <em class="replaceable"><code>keytype</code></em>
</span></dt><dd><p>
Specify the type of the key to be generated.
Supported values for <em class="replaceable"><code>keytype</code></em> are
<code class="literal">rsa</code> for RSA with 2048 bits,
<code class="literal">rsa</code><em class="replaceable"><code>LENGTH</code></em>
for RSA with a bit length of <em class="replaceable"><code>LENGTH</code></em>.
If not given, it defaults to <code class="literal">rsa2048</code>.
</p></dd><dt><span class="term">
<code class="option">--pin</code> <em class="replaceable"><code>pin</code></em>
</span></dt><dd><p>
This option can be used to specify the PIN value
on the command line. If the value is set to
<code class="literal">env:</code><em class="replaceable"><code>VARIABLE</code></em>, the value
of the specified environment variable is used. By default,
the code is prompted on the command line if needed.
</p><p>
Note that on most operation systems, any user can
display the command line of any process on the
system using utilities such as
<span class="command"><strong>ps(1)</strong></span>. Therefore, you should prefer
passing the codes via an environment variable
on an unsecured system.
</p></dd><dt><span class="term">
<code class="option">--pretty</code>
</span></dt><dd><p>
Print values in pretty format.
</p></dd><dt><span class="term">
<code class="option">--raw</code>
</span></dt><dd><p>
Print values in raw format, as they are stored on the card.
</p></dd><dt><span class="term">
<code class="option">--reader</code> <em class="replaceable"><code>arg</code></em>,
<code class="option">-r</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>
Number of the reader to use. By default, the first
reader with a present card is used. If
<em class="replaceable"><code>arg</code></em> is an ATR, the
reader with a matching card will be chosen.
</p></dd><dt><span class="term">
<code class="option">--user-info</code>,
<code class="option">-U</code>
</span></dt><dd><p>
Show card holder information.
</p></dd><dt><span class="term">
<code class="option">--verify</code> <em class="replaceable"><code>pintype</code></em>
</span></dt><dd><p>
Verify PIN (CHV1, CHV2 or CHV3).
</p></dd><dt><span class="term">
<code class="option">--version</code>,
<code class="option">-V</code>
</span></dt><dd><p>
Print the version of the utility and exit.
</p></dd><dt><span class="term">
<code class="option">--verbose</code>,
<code class="option">-v</code>
</span></dt><dd><p>
Verbose operation. Use several times to enable debug output.
</p></dd><dt><span class="term">
<code class="option">--wait</code>,
<code class="option">-w</code>
</span></dt><dd><p>
Wait for a card to be inserted.
</p></dd></dl></div><p>
</p></div><div class="refsect1"><a name="id-1.11.6"></a><h2>Authors</h2><p><span class="command"><strong>openpgp-tool</strong></span> utility was written by
Peter Marschall <code class="email"><<a class="email" href="mailto:peter@adpm.de">peter@adpm.de</a>></code>.</p></div></div><div class="refentry"><div class="refentry.separator"><hr></div><a name="opensc-asn1"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>opensc-asn1 — parse ASN.1 data
</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">opensc-asn1</code> [<em class="replaceable"><code>OPTIONS</code></em>] [<em class="replaceable"><code>FILES</code></em>]</p></div></div><div class="refsect1"><a name="id-1.12.4"></a><h2>Description</h2><p>
The <span class="command"><strong>opensc-asn1</strong></span> utility is used to parse ASN.1 data.
</p></div><div class="refsect1"><a name="id-1.12.5"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--help</code>,
<code class="option">-h</code></span></dt><dd><p>Print help and exit.</p></dd><dt><span class="term">
<code class="option">--version</code>,
<code class="option">-V</code></span></dt><dd><p>Print version and exit.</p></dd></dl></div><p>
</p></div><div class="refsect1"><a name="id-1.12.6"></a><h2>Authors</h2><p><span class="command"><strong>opensc-asn1</strong></span> was written by
Frank Morgner <code class="email"><<a class="email" href="mailto:frankmorgner@gmail.com">frankmorgner@gmail.com</a>></code>.</p></div></div><div class="refentry"><div class="refentry.separator"><hr></div><a name="opensc-explorer"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>opensc-explorer —
generic interactive utility for accessing smart card
and similar security token functions
</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">opensc-explorer</code> [<em class="replaceable"><code>OPTIONS</code></em>] [<em class="replaceable"><code>SCRIPT</code></em>]</p></div></div><div class="refsect1"><a name="id-1.13.4"></a><h2>Description</h2><p>
The <span class="command"><strong>opensc-explorer</strong></span> utility can be
used to perform miscellaneous operations
such as exploring the contents of or sending arbitrary
APDU commands to a smart card or similar security token.
</p><p>
If a <em class="replaceable"><code>SCRIPT</code></em> is given,
<span class="command"><strong>opensc-explorer</strong></span> runs in non-interactive mode,
reading the commands from <em class="replaceable"><code>SCRIPT</code></em>,
one command per line.
If no script is given, <span class="command"><strong>opensc-explorer</strong></span>
runs in interactive mode, reading commands from standard input.
</p></div><div class="refsect1"><a name="id-1.13.5"></a><h2>Options</h2><p>
The following are the command-line options for
<span class="command"><strong>opensc-explorer</strong></span>. There are additional
interactive commands available once it is running.
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--card-driver</code> <em class="replaceable"><code>driver</code></em>,
<code class="option">-c</code> <em class="replaceable"><code>driver</code></em>
</span></dt><dd><p>
Use the given card driver.
The default is to auto-detect the correct card driver.
The literal value <code class="literal">?</code> lists
all available card drivers and terminates
<span class="command"><strong>opensc-explorer</strong></span>.
</p></dd><dt><span class="term">
<code class="option">--mf</code> <em class="replaceable"><code>path</code></em>,
<code class="option">-m</code> <em class="replaceable"><code>path</code></em>
</span></dt><dd><p>
Select the file referenced by the given path on startup.
The default is the path to the standard master file,
<code class="literal">3F00</code>. If <em class="replaceable"><code>path</code></em>
is empty (e.g. <span class="command"><strong>opensc-explorer --mf ""</strong></span>),
then no file is explicitly selected.
</p></dd><dt><span class="term">
<code class="option">--reader</code> <em class="replaceable"><code>arg</code></em>,
<code class="option">-r</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>
Number of the reader to use. By default, the first
reader with a present card is used. If
<em class="replaceable"><code>arg</code></em> is an ATR, the
reader with a matching card will be chosen.
</p></dd><dt><span class="term">
<code class="option">--verbose</code>, <code class="option">-v</code>
</span></dt><dd><p>
Cause <span class="command"><strong>opensc-explorer</strong></span> to be more
verbose. Specify this flag several times to enable
debug output in the opensc library.
</p></dd><dt><span class="term">
<code class="option">--wait</code>, <code class="option">-w</code>
</span></dt><dd><p>
Wait for a card to be inserted.
</p></dd></dl></div><p>
</p></div><div class="refsect1"><a name="id-1.13.6"></a><h2>Commands</h2><p>
<span class="command"><strong>opensc-explorer</strong></span> supports commands with arguments
at its interactive prompt or in script files passed via the command line
parameter <em class="replaceable"><code>SCRIPT</code></em>.
</p><p>
Similar to a command shell like e.g. <code class="code">bash</code>,
each input line is split into white-space separated words.
Of these words, the first one is used as the command,
while the remaining ones are treated as arguments to that command.
</p><p>
The following commands are supported:
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<span class="command"><strong>#</strong></span>
<em class="replaceable"><code></code></em>...
</span></dt><dd><p>
Treat line as a comment.
Ignore anything until the end of the line introduced by
<code class="literal">#</code>.
</p></dd><dt><span class="term">
<span class="command"><strong>apdu</strong></span>
<em class="replaceable"><code>data</code></em>...
</span></dt><dd><p>
Send a custom APDU command to the card.
<em class="replaceable"><code>data</code></em> is a series of
sequences of hexadecimal values and strings enclosed
in double quotes (<code class="literal">"..."</code>).
</p></dd><dt><span class="term">
<span class="command"><strong>asn1</strong></span>
<em class="replaceable"><code>file-id</code></em>
[<em class="replaceable"><code>rec-no</code></em>]
[<em class="replaceable"><code>offs</code></em>]
</span></dt><dd><p>
Parse and print the ASN.1 encoded content of the working EF
specified by <em class="replaceable"><code>file-id</code></em>.
If the optional parameter
<em class="replaceable"><code>rec-no</code></em> is given and the file is
a record-oriented EF, parse and print only the record
indicated by this parameter.
If the optional parameter
<em class="replaceable"><code>offs</code></em> is given, start parsing
and printing the file or record at the offset indicated
by the value given.
If this parameter is not given, the default offset is
<code class="literal">0</code>.
</p></dd><dt><span class="term">
<span class="command"><strong>cat</strong></span>
[ <em class="replaceable"><code>file-id</code></em> | <code class="literal">sfi:</code><em class="replaceable"><code>short-id</code></em> ]
[<em class="replaceable"><code>rec-no</code></em>]
</span></dt><dd><p>
Print the contents of the working EF specified by
<em class="replaceable"><code>file-id</code></em> or the short file id
<em class="replaceable"><code>short-id</code></em>.
If the optional second parameter
<em class="replaceable"><code>rec-no</code></em> is given,
only print the record indicated by this parameter.
If no argument is given, print the the contents
of the currently selected EF.
</p></dd><dt><span class="term">
<span class="command"><strong>cd</strong></span>
{ <code class="literal">..</code> | <em class="replaceable"><code>file-id</code></em> | <code class="literal">aid:</code><em class="replaceable"><code>DF-name</code></em> }
</span></dt><dd><p>
Change to another DF specified by the argument passed.
If the argument given is <code class="literal">..</code>,
then move up one level in the file system hierarchy.
If it is a <em class="replaceable"><code>file-id</code></em>,
which must be a DF directly
beneath the current DF, then change to that DF.
If it is an application identifier given as
<code class="literal">aid:</code><em class="replaceable"><code>DF-name</code></em>,
then jump to the MF of the application denoted by
<em class="replaceable"><code>DF-name</code></em>.
</p></dd><dt><span class="term">
<span class="command"><strong>change</strong></span>
<code class="literal">CHV</code><em class="replaceable"><code>pin-ref</code></em>
[
[<em class="replaceable"><code>old-pin</code></em>]
<em class="replaceable"><code>new-pin</code></em>
]
</span></dt><dd><p>
Change the PIN specified by <em class="replaceable"><code>pin-ref</code></em>
from the value given by <em class="replaceable"><code>old-pin</code></em> and
change its value to <em class="replaceable"><code>new-pin</code></em>.
</p><p>
<em class="replaceable"><code>old-pin</code></em> and
<em class="replaceable"><code>new-pin</code></em> can be
sequences of hexadecimal values,
strings enclosed in double quotes (<code class="literal">"..."</code>),
empty (<code class="literal">""</code>), or absent.
If absent, the values are read from the card reader's pin pad.
</p><p>
Examples:
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="code">change CHV2 00:00:00:00:00:00 "foobar"</code></span></dt><dd><p>
Change PIN <code class="literal">CHV2</code>
to the new value <code class="literal">foobar</code>,
giving the old value <code class="literal">00:00:00:00:00:00</code>.
</p></dd><dt><span class="term"><code class="code">change CHV2 "foobar"</code></span></dt><dd><p>
Set PIN <code class="literal">CHV2</code>
to the new value <code class="literal">foobar</code>.
</p></dd><dt><span class="term"><code class="code">change CHV2</code></span></dt><dd><p>
Change PIN <code class="literal">CHV2</code> using the card reader's pinpad.
</p></dd></dl></div><p>
</p></dd><dt><span class="term">
<span class="command"><strong>create</strong></span>
<em class="replaceable"><code>file-id</code></em>
<em class="replaceable"><code>size</code></em>
</span></dt><dd><p>
Create a new EF.
<em class="replaceable"><code>file-id</code></em> specifies the numeric id, and
<em class="replaceable"><code>size</code></em> the size of the EF to create.
</p></dd><dt><span class="term">
<span class="command"><strong>debug</strong></span>
[<em class="replaceable"><code>level</code></em>]
</span></dt><dd><p>
Set OpenSC debug level to <em class="replaceable"><code>level</code></em>.
</p><p>
If <em class="replaceable"><code>level</code></em> is omitted,
show the current debug level.
</p></dd><dt><span class="term">
<span class="command"><strong>delete</strong></span>
<em class="replaceable"><code>file-id</code></em>
</span></dt><dd><p>
Remove the EF or DF specified by
<em class="replaceable"><code>file-id</code></em>.
</p></dd><dt><span class="term">
<span class="command"><strong>do_get</strong></span>
<em class="replaceable"><code>hex-tag</code></em>
[<em class="replaceable"><code>output</code></em>]
</span></dt><dd><p>
Copy the contents of the card's data object
(<acronym class="acronym">DO</acronym>)
specified by <em class="replaceable"><code>hex-tag</code></em>
to the local host computer's file named
<em class="replaceable"><code>output</code></em>.
</p><p>
If <em class="replaceable"><code>output</code></em> is not given,
the contents of <em class="replaceable"><code>hex-tag</code></em>
will be displayed as hex-dump.
</p></dd><dt><span class="term">
<span class="command"><strong>do_put</strong></span>
<em class="replaceable"><code>hex-tag</code></em>
<em class="replaceable"><code>data</code></em>
</span></dt><dd><p>
Change the contents of the card's data object
(<acronym class="acronym">DO</acronym>)
specified by <em class="replaceable"><code>hex-tag</code></em>
to <em class="replaceable"><code>data</code></em>.
</p><p>
<em class="replaceable"><code>data</code></em> is either a
sequence of hexadecimal values or a string enclosed
in double quotes (<code class="literal">"..."</code>).
</p></dd><dt><span class="term">
<span class="command"><strong>echo</strong></span>
<em class="replaceable"><code>string</code></em>...
</span></dt><dd><p>
Print the <em class="replaceable"><code>string</code></em>s given.
</p></dd><dt><span class="term">
<span class="command"><strong>erase</strong></span>
</span></dt><dd><p>
Erase the card, if the card supports it.
</p></dd><dt><span class="term">
<span class="command"><strong>get</strong></span>
<em class="replaceable"><code>file-id</code></em>
[<em class="replaceable"><code>output</code></em>]
</span></dt><dd><p>
Copy an EF to a local file.
The local file is specified by
<em class="replaceable"><code>output</code></em>
while the card file is specified by
<em class="replaceable"><code>file-id</code></em>.
</p><p>
If <em class="replaceable"><code>output</code></em> is omitted,
the name of the output file will be derived from the
full card path to <em class="replaceable"><code>file-id</code></em>.
</p></dd><dt><span class="term">
<span class="command"><strong>get_record</strong></span>
<em class="replaceable"><code>file-id</code></em>
<em class="replaceable"><code>rec-no</code></em>
[<em class="replaceable"><code>output</code></em>]
</span></dt><dd><p>
Copy a record of a record-oriented EF to a local file.
The local file is specified by
<em class="replaceable"><code>output</code></em>
while the card file and the record are specified by
<em class="replaceable"><code>file-id</code></em> and
<em class="replaceable"><code>rec-no</code></em>,
</p><p>
If <em class="replaceable"><code>output</code></em> is omitted,
the name of the output file will be derived from the
full card path to <em class="replaceable"><code>file-id</code></em>.
and the <em class="replaceable"><code>rec-no</code></em>.
</p></dd><dt><span class="term">
<span class="command"><strong>help</strong></span>
[<em class="replaceable"><code>pattern</code></em>]
</span></dt><dd><p>
Display the list of available commands, their options
and parameters together with a short help text.
If <em class="replaceable"><code>pattern</code></em> is given,
the commands shown are limited to those matching
<em class="replaceable"><code>pattern</code></em>.
</p></dd><dt><span class="term">
<span class="command"><strong>info</strong></span>
[<em class="replaceable"><code>file-id</code></em>]
</span></dt><dd><p>
Display attributes of a file specified by
<em class="replaceable"><code>file-id</code></em>.
If <em class="replaceable"><code>file-id</code></em> is not supplied,
the attributes of the current file are displayed.
</p></dd><dt><span class="term">
<span class="command"><strong>ls</strong></span>
[<em class="replaceable"><code>pattern</code></em>...]
</span></dt><dd><p>
List files in the current DF.
If no <em class="replaceable"><code>pattern</code></em> is given,
then all files are listed.
If one or more <em class="replaceable"><code>pattern</code></em>s are given,
only files matching at least one
<em class="replaceable"><code>pattern</code></em> are listed.
</p></dd><dt><span class="term">
<span class="command"><strong>find</strong></span>
[
<em class="replaceable"><code>start-id</code></em>
[<em class="replaceable"><code>end-id</code></em>]
]
</span></dt><dd><p>
Find all files in the current DF.
Files are found by selecting all file identifiers in the range
from <em class="replaceable"><code>start-fid</code></em>
to <em class="replaceable"><code>end-fid</code></em>.
</p><p>
If not given, the default value for
<em class="replaceable"><code>start-fid</code></em> is <code class="literal">0000</code>,
while the default for <em class="replaceable"><code>end-fid</code></em> is
<code class="literal">FFFF</code>.
</p></dd><dt><span class="term">
<span class="command"><strong>find_tags</strong></span>
[
<em class="replaceable"><code>start-tag</code></em>
[<em class="replaceable"><code>end-tag</code></em>]
]
</span></dt><dd><p>
Find all tags of data objects in the current context.
Tags are found by using GET DATA in the range from
from <em class="replaceable"><code>start-tag</code></em>
to <em class="replaceable"><code>end-tag</code></em>.
</p><p>
If not given, the default value for
<em class="replaceable"><code>start-tag</code></em> is <code class="literal">0000</code>,
while the default for <em class="replaceable"><code>end-tag</code></em> is
<code class="literal">FFFF</code>.
</p></dd><dt><span class="term">
<span class="command"><strong>mkdir</strong></span>
<em class="replaceable"><code>file-id</code></em>
<em class="replaceable"><code>size</code></em>
</span></dt><dd><p>
Create a DF.
<em class="replaceable"><code>file-id</code></em> specifies the numeric id,
and <em class="replaceable"><code>size</code></em> the size of the DF to create.
</p></dd><dt><span class="term">
<span class="command"><strong>pin_info</strong></span>
<em class="replaceable"><code>key-type</code></em><em class="replaceable"><code>key-id</code></em>
</span></dt><dd><p>
Get information on a PIN or key from the card, where
<em class="replaceable"><code>key-type</code></em> can be one of
<code class="literal">CHV</code>, <code class="literal">KEY</code>,
<code class="literal">AUT</code> or <code class="literal">PRO</code>.
<em class="replaceable"><code>key-id</code></em> is a number
representing the key or PIN reference.
</p></dd><dt><span class="term">
<span class="command"><strong>put</strong></span>
<em class="replaceable"><code>file-id</code></em>
<em class="replaceable"><code>input</code></em>
</span></dt><dd><p>
Copy a local file to the card.
The local file is specified by <em class="replaceable"><code>input</code></em>
while the card file is specified by
<em class="replaceable"><code>file-id</code></em>.
</p></dd><dt><span class="term">
<span class="command"><strong>quit</strong></span>
</span></dt><dd><p>Exit the program.</p></dd><dt><span class="term">
<span class="command"><strong>random</strong></span>
<em class="replaceable"><code>count</code></em>
[<em class="replaceable"><code>output-file</code></em>]
</span></dt><dd><p>
Generate <em class="replaceable"><code>count</code></em> bytes
of random data.
If <em class="replaceable"><code>output-file</code></em> is given,
write the data to the host computer's file denoted
by it, otherwise show the data as hex dump.
</p></dd><dt><span class="term">
<span class="command"><strong>rm</strong></span>
<em class="replaceable"><code>file-id</code></em>
</span></dt><dd><p>
Remove the EF or DF specified by
<em class="replaceable"><code>file-id</code></em>.
</p></dd><dt><span class="term">
<span class="command"><strong>unblock</strong></span>
<code class="literal">CHV</code><em class="replaceable"><code>pin-ref</code></em>
[
<em class="replaceable"><code>puk</code></em>
[<em class="replaceable"><code>new-pin</code></em>]
]
</span></dt><dd><p>
Unblock the PIN denoted by <em class="replaceable"><code>pin-ref</code></em>
using the PUK <em class="replaceable"><code>puk</code></em>, and potentially
change its value to <em class="replaceable"><code>new-pin</code></em>.
</p><p>
<em class="replaceable"><code>puk</code></em> and
<em class="replaceable"><code>new-pin</code></em> can be
sequences of hexadecimal values,
strings enclosed in double quotes (<code class="literal">"..."</code>),
empty (<code class="literal">""</code>), or absent.
If absent, the values are read from the card reader's pin pad.
</p><p>
Examples:
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="code">unblock CHV2 00:00:00:00:00:00 "foobar"</code></span></dt><dd><p>
Unblock PIN <code class="literal">CHV2</code> using PUK
<code class="literal">00:00:00:00:00:00</code>
and set it to the new value <code class="literal">foobar</code>.
</p></dd><dt><span class="term"><code class="code">unblock CHV2 00:00:00:00:00:00 ""</code></span></dt><dd><p>
Unblock PIN <code class="literal">CHV2</code> using PUK
<code class="literal">00:00:00:00:00:00</code> keeping the old value.
</p></dd><dt><span class="term"><code class="code">unblock CHV2 "" "foobar"</code></span></dt><dd><p>
Set new value of PIN <code class="literal">CHV2</code>
to <code class="literal">foobar</code>.
</p></dd><dt><span class="term"><code class="code">unblock CHV2 00:00:00:00:00:00</code></span></dt><dd><p>
Unblock PIN <code class="literal">CHV2</code> using PUK
<code class="literal">00:00:00:00:00:00</code>.
The new PIN value is prompted by pinpad.
</p></dd><dt><span class="term"><code class="code">unblock CHV2 ""</code></span></dt><dd><p>
Set PIN <code class="literal">CHV2</code>.
The new PIN value is prompted by pinpad.
</p></dd><dt><span class="term"><code class="code">unblock CHV2</code></span></dt><dd><p>
Unblock PIN <code class="literal">CHV2</code>.
The unblock code and new PIN value are prompted by pinpad.
</p></dd></dl></div><p>
</p></dd><dt><span class="term">
<span class="command"><strong>update_binary</strong></span>
<em class="replaceable"><code>file-id</code></em>
<em class="replaceable"><code>offs</code></em>
<em class="replaceable"><code>data</code></em>
</span></dt><dd><p>
Binary update of the file specified by
<em class="replaceable"><code>file-id</code></em> with the literal data
<em class="replaceable"><code>data</code></em> starting from offset specified
by <em class="replaceable"><code>offs</code></em>.
</p><p>
<em class="replaceable"><code>data</code></em> can be supplied as a sequence
of hexadecimal values or as a string enclosed in double quotes
(<code class="literal">"..."</code>).
</p></dd><dt><span class="term">
<span class="command"><strong>update_record</strong></span>
<em class="replaceable"><code>file-id</code></em>
<em class="replaceable"><code>rec-nr</code></em>
<em class="replaceable"><code>rec-offs</code></em>
<em class="replaceable"><code>data</code></em>
</span></dt><dd><p>
Update record specified by <em class="replaceable"><code>rec-nr</code></em>
of the file specified by <em class="replaceable"><code>file-id</code></em>
with the literal data <em class="replaceable"><code>data</code></em>
starting from offset specified by
<em class="replaceable"><code>rec-offs</code></em>.
</p><p>
<em class="replaceable"><code>data</code></em> can be supplied as a sequence
of hexadecimal values or as a string enclosed in double quotes
(<code class="literal">"..."</code>).
</p></dd><dt><span class="term">
<span class="command"><strong>verify</strong></span>
<em class="replaceable"><code>key-type</code></em><em class="replaceable"><code>key-id</code></em>
[<em class="replaceable"><code>key</code></em>]
</span></dt><dd><p>
Present a PIN or key to the card, where
<em class="replaceable"><code>key-type</code></em> can be one of
<code class="literal">CHV</code>, <code class="literal">KEY</code>,
<code class="literal">AUT</code> or <code class="literal">PRO</code>.
<em class="replaceable"><code>key-id</code></em> is a number representing
the key or PIN reference.
<em class="replaceable"><code>key</code></em> is the key or PIN to be verified,
formatted as a colon-separated sequence of hexadecimal values
or a string enclosed in double quotes (<code class="literal">"..."</code>).
</p><p>
If <em class="replaceable"><code>key</code></em> is omitted, the exact action
depends on the card reader's features:
if the card readers supports PIN input via a pin pad,
then the PIN will be verified using the card reader's pin pad.
If the card reader does not support PIN input,
then the PIN will be asked interactively.
</p><p>
Examples:
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="code">verify CHV2 31:32:33:34:00:00:00:00</code></span></dt><dd><p>
Verify <code class="literal">CHV2</code> using the hex value
<code class="literal">31:32:33:34:00:00:00:00</code>
</p></dd><dt><span class="term"><code class="code">verify CHV1 "secret"</code></span></dt><dd><p>
Verify <code class="literal">CHV1</code>
using the string value <code class="literal">secret</code>.
</p></dd><dt><span class="term"><code class="code">verify KEY2</code></span></dt><dd><p>
Verify <code class="literal">KEY2</code>,
get the value from the card reader's pin pad.
</p></dd></dl></div><p>
</p></dd><dt><span class="term">
<span class="command"><strong>sm</strong></span>
{ <code class="literal">open</code> | <code class="literal">close</code> }
</span></dt><dd><p>
Call the card's <code class="literal">open</code> or
<code class="literal">close</code> Secure Messaging handler.
</p></dd></dl></div><p>
</p></div><div class="refsect1"><a name="id-1.13.7"></a><h2>See also</h2><p>
<span class="citerefentry"><span class="refentrytitle">opensc-tool</span>(1)</span>
</p></div><div class="refsect1"><a name="id-1.13.8"></a><h2>Authors</h2><p><span class="command"><strong>opensc-explorer</strong></span> was written by
Juha Yrjölä <code class="email"><<a class="email" href="mailto:juha.yrjola@iki.fi">juha.yrjola@iki.fi</a>></code>.</p></div></div><div class="refentry"><div class="refentry.separator"><hr></div><a name="opensc-notify"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>opensc-notify — monitor smart card events and send notifications
</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">opensc-notify</code> [<em class="replaceable"><code>OPTIONS</code></em>]</p></div></div><div class="refsect1"><a name="id-1.14.4"></a><h2>Description</h2><p>
The <span class="command"><strong>opensc-notify</strong></span> utility is used to
monitor smart card events and send the appropriate notification.
</p></div><div class="refsect1"><a name="id-1.14.5"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--help</code>,
<code class="option">-h</code></span></dt><dd><p>Print help and exit.</p></dd><dt><span class="term">
<code class="option">--version</code>,
<code class="option">-V</code></span></dt><dd><p>Print version and exit.</p></dd></dl></div><p>
</p><div class="refsect2"><a name="id-1.14.5.3"></a><h3>Mode: customized</h3><p>
Send customized notifications.
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--title</code> [<em class="replaceable"><code>STRING</code></em>],
<code class="option">-t</code> [<em class="replaceable"><code>STRING</code></em>]
</span></dt><dd><p>
Specify the title of the notification.
</p></dd><dt><span class="term">
<code class="option">--message</code> [<em class="replaceable"><code>STRING</code></em>],
<code class="option">-m</code> [<em class="replaceable"><code>STRING</code></em>]
</span></dt><dd><p>
Specify the main text of the notification.
</p></dd></dl></div></div><div class="refsect2"><a name="id-1.14.5.4"></a><h3>Mode: standard</h3><p>
Manually send standard notifications.
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--notify-card-inserted</code>,
<code class="option">-I</code></span></dt><dd><p>
See <em class="parameter"><code>notify_card_inserted</code></em>
in <code class="filename">opensc.conf</code> (default=off).
</p></dd><dt><span class="term">
<code class="option">--notify-card-removed</code>,
<code class="option">-R</code></span></dt><dd><p>
See <em class="parameter"><code>notify_card_removed</code></em>
in <code class="filename">opensc.conf</code> (default=off).
</p></dd><dt><span class="term">
<code class="option">--notify-pin-good</code>,
<code class="option">-G</code></span></dt><dd><p>
See <em class="parameter"><code>notify_pin_good</code></em>
in <code class="filename">opensc.conf</code> (default=off).
</p></dd><dt><span class="term">
<code class="option">--notify-pin-bad</code>,
<code class="option">-B</code></span></dt><dd><p>
See <em class="parameter"><code>notify_pin_bad</code></em>
in <code class="filename">opensc.conf</code> (default=off).
</p></dd></dl></div></div></div><div class="refsect1"><a name="id-1.14.6"></a><h2>Authors</h2><p><span class="command"><strong>opensc-notify</strong></span> was written by
Frank Morgner <code class="email"><<a class="email" href="mailto:frankmorgner@gmail.com">frankmorgner@gmail.com</a>></code>.</p></div></div><div class="refentry"><div class="refentry.separator"><hr></div><a name="opensc-tool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>opensc-tool — generic smart card utility</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">opensc-tool</code> [<em class="replaceable"><code>OPTIONS</code></em>]</p></div></div><div class="refsect1"><a name="id-1.15.4"></a><h2>Description</h2><p>
The <span class="command"><strong>opensc-tool</strong></span> utility can be used from the command line to perform
miscellaneous smart card operations such as getting the card ATR or
sending arbitrary APDU commands to a card.
</p></div><div class="refsect1"><a name="id-1.15.5"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--version</code>
</span></dt><dd><p>Print the OpenSC package release version.</p></dd><dt><span class="term">
<code class="option">--atr</code>,
<code class="option">-a</code>
</span></dt><dd><p>Print the Answer To Reset (ATR) of the card.
Output is in hex byte format</p></dd><dt><span class="term">
<code class="option">--card-driver</code> <em class="replaceable"><code>driver</code></em>,
<code class="option">-c</code> <em class="replaceable"><code>driver</code></em>
</span></dt><dd><p>
Use the given card driver.
The default is to auto-detect the correct card driver.
The literal value <code class="literal">?</code> lists
all available card drivers.
</p></dd><dt><span class="term">
<code class="option">--list-algorithms</code>,
</span></dt><dd><p>Lists algorithms supported by card</p></dd><dt><span class="term">
<code class="option">--info</code>,
<code class="option">-i</code>
</span></dt><dd><p>Print information about OpenSC, such as version and enabled components.</p></dd><dt><span class="term">
<code class="option">--list-drivers</code>,
<code class="option">-D</code>
</span></dt><dd><p>List all installed card drivers.</p></dd><dt><span class="term">
<code class="option">--list-files</code>,
<code class="option">-f</code>
</span></dt><dd><p>Recursively list all files stored on card.</p></dd><dt><span class="term">
<code class="option">--list-readers</code>,
<code class="option">-l</code>
</span></dt><dd><p>List all configured readers.</p></dd><dt><span class="term">
<code class="option">--name</code>,
<code class="option">-n</code>
</span></dt><dd><p>Print the name of the inserted card (driver).</p></dd><dt><span class="term">
<code class="option">--get-conf-entry</code> <em class="replaceable"><code>conf</code></em>,
<code class="option">-G</code> <em class="replaceable"><code>conf</code></em>
</span></dt><dd><p>Get configuration key, format: section:name:key</p></dd><dt><span class="term">
<code class="option">--set-conf-entry</code> <em class="replaceable"><code>conf</code></em>,
<code class="option">-S</code> <em class="replaceable"><code>conf</code></em>
</span></dt><dd><p>Set configuration key, format: section:name:key:value</p></dd><dt><span class="term">
<code class="option">--reader</code> <em class="replaceable"><code>arg</code></em>,
<code class="option">-r</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>
Number of the reader to use. By default, the first
reader with a present card is used. If
<em class="replaceable"><code>arg</code></em> is an ATR, the
reader with a matching card will be chosen.
</p></dd><dt><span class="term">
<code class="option">--reset</code> [<em class="replaceable"><code>type</code></em>],
</span></dt><dd><p>Resets the card in reader.
The default reset type is <code class="literal">cold</code>,
but <code class="literal">warm</code> reset is also possible.</p></dd><dt><span class="term">
<code class="option">--send-apdu</code> <em class="replaceable"><code>apdu</code></em>,
<code class="option">-s</code> <em class="replaceable"><code>apdu</code></em>
</span></dt><dd><p>
Sends an arbitrary APDU to the card in the format
<code class="code">AA:BB:CC:DD:EE:FF...</code>. Use this option
multiple times to send more than one APDU.
</p><p>
The built-in card drivers may send additional APDUs
for detection and initialization. To avoid this
behavior, you may additionally specify
<code class="option">--card-driver</code> <code class="literal">default</code>.
</p></dd><dt><span class="term">
<code class="option">--serial</code>
</span></dt><dd><p>Print the card serial number (normally the ICCSN).
Output is in hex byte format</p></dd><dt><span class="term">
<code class="option">--verbose</code>,
<code class="option">-v</code>
</span></dt><dd><p>Causes <span class="command"><strong>opensc-tool</strong></span> to be more verbose.
Specify this flag several times to enable debug output in the opensc library.</p></dd><dt><span class="term">
<code class="option">--wait</code>,
<code class="option">-w</code>
</span></dt><dd><p>Wait for a card to be inserted.</p></dd></dl></div><p>
</p></div><div class="refsect1"><a name="id-1.15.6"></a><h2>See also</h2><p>
<span class="citerefentry"><span class="refentrytitle">opensc-explorer</span>(1)</span>
</p></div><div class="refsect1"><a name="id-1.15.7"></a><h2>Authors</h2><p><span class="command"><strong>opensc-tool</strong></span> was written by
Juha Yrjölä <code class="email"><<a class="email" href="mailto:juha.yrjola@iki.fi">juha.yrjola@iki.fi</a>></code>.</p></div></div><div class="refentry"><div class="refentry.separator"><hr></div><a name="piv-tool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>piv-tool — smart card utility for HSPD-12 PIV cards</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">piv-tool</code> [<em class="replaceable"><code>OPTIONS</code></em>]</p></div></div><div class="refsect1"><a name="id-1.16.4"></a><p>
The <span class="command"><strong>piv-tool</strong></span> utility can be used from the command line to perform
miscellaneous smart card operations on a HSPD-12 PIV smart card as defined in NIST 800-73-3.
It is intended for use with test cards only. It can be used to load objects, and generate
key pairs, as well as send arbitrary APDU commands to a card after having authenticated
to the card using the card key provided by the card vendor.
</p></div><div class="refsect1"><a name="id-1.16.5"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--serial</code>
</span></dt><dd><p>Print the card serial number derived from the CHUID object,
if any. Output is in hex byte format.</p></dd><dt><span class="term">
<code class="option">--name</code>,
<code class="option">-n</code>
</span></dt><dd><p>Print the name of the inserted card (driver)</p></dd><dt><span class="term">
<code class="option">--admin</code> <em class="replaceable"><code>argument</code></em>,
<code class="option">-A</code> <em class="replaceable"><code>argument</code></em>
</span></dt><dd><p>Authenticate to the card using a 2DES, 3DES or AES key.
The <em class="replaceable"><code>argument</code></em> of the form
</p><pre class="synopsis"> {<code class="literal">A</code>|<code class="literal">M</code>}<code class="literal">:</code><em class="replaceable"><code>ref</code></em><code class="literal">:</code><em class="replaceable"><code>alg</code></em></pre><p>
is required, were <code class="literal">A</code> uses "EXTERNAL AUTHENTICATION"
and <code class="literal">M</code> uses "MUTUAL AUTHENTICATION".
<em class="replaceable"><code>ref</code></em> is normally <code class="literal">9B</code>,
and <em class="replaceable"><code>alg</code></em> is <code class="literal">03</code> for 3DES,
<code class="literal">01</code> for 2DES, <code class="literal">08</code> for AES-128,
<code class="literal">0A</code> for AES-192 or <code class="literal">0C</code> for AES-256.
The key is provided by the card vendor. The environment variable
<code class="varname">PIV_EXT_AUTH_KEY</code> must point to either a binary file
matching the length of the key or a text file containing
the key in the format:
<code class="code">XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX</code>
</p></dd><dt><span class="term">
<code class="option">--genkey</code> <em class="replaceable"><code>argument</code></em>,
<code class="option">-G</code> <em class="replaceable"><code>argument</code></em>
</span></dt><dd><p>Generate a key pair on the card and output the public key.
The <em class="replaceable"><code>argument</code></em> of the form
</p><pre class="synopsis"><em class="replaceable"><code>ref</code></em>:<em class="replaceable"><code>alg</code></em></pre><p>
is required, where <em class="replaceable"><code>ref</code></em> is <code class="literal">9A</code>,
<code class="literal">9C</code>, <code class="literal">9D</code> or <code class="literal">9E</code> and
<em class="replaceable"><code>alg</code></em> is <code class="literal">06</code>,
<code class="literal">07</code>, <code class="literal">11</code> or <code class="literal">14</code>
for RSA 1024, RSA 2048, ECC 256 or ECC 384 respectively. </p></dd><dt><span class="term">
<code class="option">--object</code> <em class="replaceable"><code>ContainerID</code></em>,
<code class="option">-O</code> <em class="replaceable"><code>ContainerID</code></em>
</span></dt><dd><p>Load an object onto the card.
The <em class="replaceable"><code>ContainerID</code></em> is as defined in NIST 800-73-n
without leading <code class="literal">0x</code>. Example: CHUID object is 3000
</p></dd><dt><span class="term">
<code class="option">--cert</code> <em class="replaceable"><code>ref</code></em>,
<code class="option">-C</code> <em class="replaceable"><code>ref</code></em>
</span></dt><dd><p>Load a certificate onto the card.
<em class="replaceable"><code>ref</code></em> is <code class="literal">9A</code>,
<code class="literal">9C</code>, <code class="literal">9D</code> or
<code class="literal">9E</code></p></dd><dt><span class="term">
<code class="option">--compresscert</code> <em class="replaceable"><code>ref</code></em>,
<code class="option">-Z</code> <em class="replaceable"><code>ref</code></em>
</span></dt><dd><p>Load a certificate that has been gzipped onto the card.
<em class="replaceable"><code>ref</code></em> is <code class="literal">9A</code>,
<code class="literal">9C</code>, <code class="literal">9D</code> or
<code class="literal">9E</code></p></dd><dt><span class="term">
<code class="option">--out</code> <em class="replaceable"><code>file</code></em>,
<code class="option">-o</code> <em class="replaceable"><code>file</code></em>
</span></dt><dd><p>Output file for any operation that produces output.
</p></dd><dt><span class="term">
<code class="option">--in</code> <em class="replaceable"><code>file</code></em>,
<code class="option">-i</code> <em class="replaceable"><code>file</code></em>
</span></dt><dd><p>Input file for any operation that requires an input file.
</p></dd><dt><span class="term">
<code class="option">--key-slots-discovery</code> <em class="replaceable"><code>file</code></em>
</span></dt><dd><p>Print properties of the key slots. Needs 'admin' authentication.
</p></dd><dt><span class="term">
<code class="option">--send-apdu</code> <em class="replaceable"><code>apdu</code></em>,
<code class="option">-s</code> <em class="replaceable"><code>apdu</code></em>
</span></dt><dd><p>Sends an arbitrary APDU to the card in the format
<code class="code">AA:BB:CC:DD:EE:FF...</code>.
This option may be repeated.</p></dd><dt><span class="term">
<code class="option">--reader</code> <em class="replaceable"><code>arg</code></em>,
<code class="option">-r</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>
Number of the reader to use. By default, the first
reader with a present card is used. If
<em class="replaceable"><code>arg</code></em> is an ATR, the
reader with a matching card will be chosen.
</p></dd><dt><span class="term">
<code class="option">--wait</code>,
<code class="option">-w</code>
</span></dt><dd><p>Wait for a card to be inserted</p></dd><dt><span class="term">
<code class="option">--verbose</code>,
<code class="option">-v</code>
</span></dt><dd><p>Causes <span class="command"><strong>piv-tool</strong></span> to be more verbose.
Specify this flag several times to enable debug output in the opensc
library.</p></dd></dl></div><p>
</p></div><div class="refsect1"><a name="id-1.16.6"></a><h2>See also</h2><p>
<span class="citerefentry"><span class="refentrytitle">opensc-tool</span>(1)</span>
</p></div><div class="refsect1"><a name="id-1.16.7"></a><h2>Authors</h2><p><span class="command"><strong>piv-tool</strong></span> was written by
Douglas E. Engert <code class="email"><<a class="email" href="mailto:deengert@gmail.com">deengert@gmail.com</a>></code>.</p></div></div><div class="refentry"><div class="refentry.separator"><hr></div><a name="pkcs11-tool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pkcs11-tool — utility for managing and using PKCS #11 security tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pkcs11-tool</code> [<em class="replaceable"><code>OPTIONS</code></em>]</p></div></div><div class="refsect1"><a name="id-1.17.4"></a><h2>Description</h2><p>
The <span class="command"><strong>pkcs11-tool</strong></span> utility is used to manage the
data objects on smart cards and similar PKCS #11 security tokens.
Users can list and read PINs, keys and certificates stored on the
token. User PIN authentication is performed for those operations
that require it.
</p></div><div class="refsect1"><a name="id-1.17.5"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--attr-from</code> <em class="replaceable"><code>filename</code></em>
</span></dt><dd><p>Extract information from <em class="replaceable"><code>filename</code></em>
(DER-encoded certificate file) and create the corresponding
attributes when writing an object to the token. Example: the
certificate subject name is used to create the CKA_SUBJECT
attribute.</p></dd><dt><span class="term">
<code class="option">--change-pin</code>,
<code class="option">-c</code>
</span></dt><dd><p>Change the user PIN on the token</p></dd><dt><span class="term">
<code class="option">--unlock-pin</code>
</span></dt><dd><p>Unlock User PIN (without <code class="option">--login</code>
unlock in logged in session; otherwise <code class="option">--login-type</code>
has to be 'context-specific').</p></dd><dt><span class="term">
<code class="option">--hash</code>,
<code class="option">-h</code>
</span></dt><dd><p>Hash some data.</p></dd><dt><span class="term">
<code class="option">--hash-algorithm</code> <em class="replaceable"><code>mechanism</code></em>
</span></dt><dd><p>
Specify hash algorithm used with RSA-PKCS-PSS signature or RSA-OAEP decryption.
Allowed values are "SHA-1", "SHA256", "SHA384", "SHA512", and some tokens may
also allow "SHA224". Default is "SHA-1".
</p><p>
Note that the input to RSA-PKCS-PSS has to be of the size equal to
the specified hash algorithm. E.g., for SHA256 the signature input must
be exactly 32 bytes long (for mechanisms SHA256-RSA-PKCS-PSS there is no
such restriction). For RSA-OAEP, the plaintext input size mLen must be
at most keyLen - 2 - 2*hashLen. For example, for RSA 3072-bit key and
SHA384, the longest plaintext to encrypt with RSA-OAEP is (with all
sizes in bytes): 384 - 2 - 2*48 = 286, aka 286 bytes.
</p></dd><dt><span class="term">
<code class="option">--id</code> <em class="replaceable"><code>id</code></em>,
<code class="option">-d</code> <em class="replaceable"><code>id</code></em>
</span></dt><dd><p>Specify the id of the object to operate on.</p></dd><dt><span class="term">
<code class="option">--init-pin</code>
</span></dt><dd><p>Initializes the user PIN. This option
differs from <code class="option">--change-pin</code> in that it sets the user PIN
for the first time. Once set, the user PIN can be changed
using <code class="option">--change-pin</code>.</p></dd><dt><span class="term">
<code class="option">--init-token</code>
</span></dt><dd><p>Initialize a token: set the token label as
well as a Security Officer PIN (the label must be specified
using <code class="option">--label</code>).</p></dd><dt><span class="term">
<code class="option">--input-file</code> <em class="replaceable"><code>filename</code></em>,
<code class="option">-i</code> <em class="replaceable"><code>filename</code></em>
</span></dt><dd><p>Specify the path to a file for input.</p></dd><dt><span class="term">
<code class="option">--keypairgen</code>,
<code class="option">-k</code>
</span></dt><dd><p>Generate a new key pair (public and private pair.)</p></dd><dt><span class="term">
<code class="option">--keygen</code>
</span></dt><dd><p>Generate a new key.</p></dd><dt><span class="term">
<code class="option">--key-type</code> <em class="replaceable"><code>specification</code></em>
</span></dt><dd><p>Specify the type and (not always compulsory) flavour (byte-wise symmetric key length, bit-wise asymmetric key length,
elliptic curve identifier, etc.) of the key to create, for example RSA:2048, EC:prime256v1, GOSTR3410-2012-256:B,
DES:8, DES3:24, AES:16, AES: or GENERIC:64. If the key type was incompletely specified, possible values are listed.</p></dd><dt><span class="term">
<code class="option">--usage-sign</code>
</span></dt><dd><p>Specify 'sign' key usage flag (sets SIGN in privkey, sets VERIFY in pubkey).</p></dd><dt><span class="term">
<code class="option">--usage-decrypt</code>
</span></dt><dd><p>Specify 'decrypt' key usage flag.</p><p>
For RSA keys, sets DECRYPT in privkey and ENCRYPT in pubkey. For secret
keys, sets both DECRYPT and ENCRYPT.
</p></dd><dt><span class="term">
<code class="option">--usage-derive</code>
</span></dt><dd><p>Specify 'derive' key usage flag (EC only).</p></dd><dt><span class="term">
<code class="option">--usage-wrap</code>
</span></dt><dd><p>Specify 'wrap' key usage flag.</p></dd><dt><span class="term">
<code class="option">--label</code> <em class="replaceable"><code>name</code></em>,
<code class="option">-a</code> <em class="replaceable"><code>name</code></em>
</span></dt><dd><p>Specify the name of the object to operate on
(or the token label when <code class="option">--init-token</code>
is used).</p></dd><dt><span class="term">
<code class="option">--list-mechanisms</code>,
<code class="option">-M</code>
</span></dt><dd><p>Display a list of mechanisms supported by the token.</p></dd><dt><span class="term">
<code class="option">--list-objects</code>,
<code class="option">-O</code>
</span></dt><dd><p>Display a list of objects.</p><p>The options <code class="option">--keytype</code>, <code class="option">--label</code>
, <code class="option">--id</code> or <code class="option">--application-id</code> can be
used to filter the listed objects.</p></dd><dt><span class="term">
<code class="option">--list-slots</code>,
<code class="option">-L</code>
</span></dt><dd><p>Display a list of available slots on the token.</p></dd><dt><span class="term">
<code class="option">--list-token-slots</code>,
<code class="option">-T</code>
</span></dt><dd><p>List slots with tokens.</p></dd><dt><span class="term">
<code class="option">--list-interfaces</code>
</span></dt><dd><p>List interfaces of PKCS #11 3.0 library.</p></dd><dt><span class="term">
<code class="option">--session-rw</code>,
</span></dt><dd><p>Forces to open the PKCS#11 session with CKF_RW_SESSION.</p></dd><dt><span class="term">
<code class="option">--login</code>,
<code class="option">-l</code>
</span></dt><dd><p>Authenticate to the token before performing
other operations. This option is not needed if a PIN is
provided on the command line.</p></dd><dt><span class="term">
<code class="option">--login-type</code>
</span></dt><dd><p>Specify login type ('so', 'user', 'context-specific';
default:'user').</p></dd><dt><span class="term">
<code class="option">--mechanism</code> <em class="replaceable"><code>mechanism</code></em>,
<code class="option">-m</code> <em class="replaceable"><code>mechanism</code></em>
</span></dt><dd><p>Use the specified <em class="replaceable"><code>mechanism</code></em>
for token operations. See <code class="option">-M</code> for a list
of mechanisms supported by your token. The mechanism can also be specified in
hexadecimal, e.g., <em class="replaceable"><code>0x80001234</code></em>.</p></dd><dt><span class="term">
<code class="option">--mgf</code> <em class="replaceable"><code>function</code></em>
</span></dt><dd><p>Use the specified Message Generation
Function (MGF) <em class="replaceable"><code>function</code></em>
for RSA-PKCS-PSS signatures or RSA-OAEP decryptions. Supported arguments are MGF1-SHA1
to MGF1-SHA512 if supported by the driver.
The default is based on the hash selection.
</p></dd><dt><span class="term">
<code class="option">--module</code> <em class="replaceable"><code>mod</code></em>
</span></dt><dd><p>Specify a PKCS#11 module (or library) to
load.</p></dd><dt><span class="term">
<code class="option">--moz-cert</code> <em class="replaceable"><code>filename</code></em>,
<code class="option">-z</code> <em class="replaceable"><code>filename</code></em>
</span></dt><dd><p>Test a Mozilla-like key pair generation
and certificate request. Specify the <em class="replaceable"><code>filename</code></em>
to the certificate file.</p></dd><dt><span class="term">
<code class="option">--output-file</code> <em class="replaceable"><code>filename</code></em>,
<code class="option">-o</code> <em class="replaceable"><code>filename</code></em>
</span></dt><dd><p>Specify the path to a file for output.</p></dd><dt><span class="term">
<code class="option">--pin</code> <em class="replaceable"><code>pin</code></em>,
<code class="option">-p</code> <em class="replaceable"><code>pin</code></em>
</span></dt><dd><p>Use the given <em class="replaceable"><code>pin</code></em> for
token operations. If set to
env:<em class="replaceable"><code>VARIABLE</code></em>, the value of the
environment variable <em class="replaceable"><code>VARIABLE</code></em> is
used. WARNING: Be careful using this option
as other users may be able to read the command line from
the system or if it is embedded in a script. If set to
env:<em class="replaceable"><code>VARIABLE</code></em>, the value of the
environment variable <em class="replaceable"><code>VARIABLE</code></em> is
used.</p><p>This option will also set
the <code class="option">--login</code> option.</p></dd><dt><span class="term">
<code class="option">--puk</code> <em class="replaceable"><code>puk</code></em>
</span></dt><dd><p>Supply User PUK on the command line.</p></dd><dt><span class="term">
<code class="option">--new-pin</code> <em class="replaceable"><code>pin</code></em>
</span></dt><dd><p>Supply new User PIN on the command line.</p></dd><dt><span class="term">
<code class="option">--sensitive</code>
</span></dt><dd><p>Set the CKA_SENSITIVE attribute (object cannot be revealed in plaintext).</p></dd><dt><span class="term">
<code class="option">--extractable</code>
</span></dt><dd><p>Set the CKA_EXTRACTABLE attribute (object can be extracted)</p></dd><dt><span class="term">
<code class="option">--undestroyable</code>
</span></dt><dd><p>Set the CKA_DESTROYABLE attribute to false (object cannot be destroyed)</p></dd><dt><span class="term">
<code class="option">--set-id</code> <em class="replaceable"><code>id</code></em>,
<code class="option">-e</code> <em class="replaceable"><code>id</code></em>
</span></dt><dd><p>Set the CKA_ID of the object.</p></dd><dt><span class="term">
<code class="option">--show-info</code>,
<code class="option">-I</code>
</span></dt><dd><p>Display general token information.</p></dd><dt><span class="term">
<code class="option">--sign</code>,
<code class="option">-s</code>
</span></dt><dd><p>Sign some data.</p></dd><dt><span class="term">
<code class="option">--decrypt</code>,
</span></dt><dd><p>Decrypt some data.</p></dd><dt><span class="term">
<code class="option">--encrypt</code>,
</span></dt><dd><p>Encrypt some data.</p></dd><dt><span class="term">
<code class="option">--unwrap</code>,
</span></dt><dd><p>Unwrap key.</p></dd><dt><span class="term">
<code class="option">--wrap</code>,
</span></dt><dd><p>Wrap key.</p></dd><dt><span class="term">
<code class="option">--derive</code>,
</span></dt><dd><p>Derive a secret key using another key and some data.</p></dd><dt><span class="term">
<code class="option">--derive-pass-der</code>,
</span></dt><dd><p>Derive ECDHpass DER encoded pubkey for compatibility with some PKCS#11 implementations</p></dd><dt><span class="term">
<code class="option">--salt-len</code> <em class="replaceable"><code>bytes</code></em>
</span></dt><dd><p>Specify how many bytes of salt should
be used in RSA-PSS signatures. Accepts two special values:
"-1" means salt length equals to digest length,
"-2" or "-3" means use maximum permissible length.
For verify operation "-2" means that the salt length is automatically recovered from signature.
The value "-2" for the verify operation is supported for opensc pkcs#11 module only.
Default is digest length (-1).</p></dd><dt><span class="term">
<code class="option">--slot</code> <em class="replaceable"><code>id</code></em>
</span></dt><dd><p>Specify the id of the slot to use (accepts HEX format with 0x.. prefix or decimal number).</p></dd><dt><span class="term">
<code class="option">--slot-description</code> <em class="replaceable"><code>description</code></em>
</span></dt><dd><p>Specify the description of the slot to use.</p></dd><dt><span class="term">
<code class="option">--slot-index</code> <em class="replaceable"><code>index</code></em>
</span></dt><dd><p>Specify the index of the slot to use.</p></dd><dt><span class="term">
<code class="option">--object-index</code> <em class="replaceable"><code>index</code></em>
</span></dt><dd><p>Specify the index of the object to use.</p></dd><dt><span class="term">
<code class="option">--use-locking</code>
</span></dt><dd><p>Tell pkcs11 module it should use OS thread locking.
</p></dd><dt><span class="term">
<code class="option">--test-threads</code> <em class="replaceable"><code>options</code></em>
</span></dt><dd><p>Test a pkcs11 module's thread implication. (See source code).
</p></dd><dt><span class="term">
<code class="option">--token-label</code> <em class="replaceable"><code>label</code></em>
</span></dt><dd><p>Specify the label of token.
Will be used the first slot, that has the inserted token with this
label.</p></dd><dt><span class="term">
<code class="option">--so-pin</code> <em class="replaceable"><code>pin</code></em>
</span></dt><dd><p>Use the given <em class="replaceable"><code>pin</code></em> as the
Security Officer PIN for some token operations (token
initialization, user PIN initialization, etc). If set to
env:<em class="replaceable"><code>VARIABLE</code></em>, the value of the
environment variable <em class="replaceable"><code>VARIABLE</code></em> is
used. The same warning as <code class="option">--pin</code> also
applies here.</p></dd><dt><span class="term">
<code class="option">--test</code>,
<code class="option">-t</code>
</span></dt><dd><p>Perform some tests on the token. This
option is most useful when used with either <code class="option">--login</code>
or <code class="option">--pin</code>.</p></dd><dt><span class="term">
<code class="option">--test-hotplug</code>
</span></dt><dd><p>Test hotplug capabilities (C_GetSlotList +
C_WaitForSlotEvent).</p></dd><dt><span class="term">
<code class="option">--private</code>
</span></dt><dd><p>Set the CKA_PRIVATE attribute (object is only
viewable after a login).</p></dd><dt><span class="term">
<code class="option">--always-auth</code>
</span></dt><dd><p>Set the CKA_ALWAYS_AUTHENTICATE attribute to a private key object.
If set, the user has to supply the PIN for each use (sign or decrypt) with the key.</p></dd><dt><span class="term">
<code class="option">--allowed-mechanisms</code> <em class="replaceable"><code>mechanisms</code></em>
</span></dt><dd><p>Sets the CKA_ALLOWED_MECHANISMS attribute
to a key objects when importing an object or generating
a keys. The argument accepts comma-separated list of
algorithmsm, that can be used with the given key.</p></dd><dt><span class="term">
<code class="option">--test-ec</code>
</span></dt><dd><p>Test EC (best used with the <code class="option">--login</code>
or <code class="option">--pin</code> option).</p></dd><dt><span class="term">
<code class="option">--test-fork</code>
</span></dt><dd><p>Test forking and calling C_Initialize() in the
child.</p></dd><dt><span class="term">
<code class="option">--type</code> <em class="replaceable"><code>type</code></em>,
<code class="option">-y</code> <em class="replaceable"><code>type</code></em>
</span></dt><dd><p>Specify the type of object to operate on.
Valid value are <code class="literal">cert</code>, <code class="literal">privkey</code>,
<code class="literal">pubkey</code>, <code class="literal">secrkey</code>
and <code class="literal">data</code>.</p></dd><dt><span class="term">
<code class="option">--verbose</code>, <code class="option">-v</code>
</span></dt><dd><p>Cause <span class="command"><strong>pkcs11-tool</strong></span> to be
more verbose.</p><p>NB! This does not affect
OpenSC debugging level! To set OpenSC PKCS#11 module into debug
mode, set the <code class="varname">OPENSC_DEBUG</code> environment variable to a
non-zero number.</p></dd><dt><span class="term">
<code class="option">--verify</code>,
</span></dt><dd><p>Verify signature of some data.</p></dd><dt><span class="term">
<code class="option">--read-object</code>,
<code class="option">-r</code>
</span></dt><dd><p>Get object's CKA_VALUE attribute (use with
<code class="option">--type</code>).</p></dd><dt><span class="term">
<code class="option">--delete-object</code>,
<code class="option">-b</code>
</span></dt><dd><p>Delete an object.</p></dd><dt><span class="term">
<code class="option">--application-label</code> <em class="replaceable"><code>label</code></em>
</span></dt><dd><p>Specify the application label of the data object (use with
<code class="option">--type</code> data).</p></dd><dt><span class="term">
<code class="option">--application-id</code> <em class="replaceable"><code>id</code></em>
</span></dt><dd><p>Specify the application ID of the data object (use with
<code class="option">--type</code> data).</p></dd><dt><span class="term">
<code class="option">--issuer</code> <em class="replaceable"><code>data</code></em>
</span></dt><dd><p>Specify the issuer in hexadecimal format (use with
<code class="option">--type</code> cert).</p></dd><dt><span class="term">
<code class="option">--subject</code> <em class="replaceable"><code>data</code></em>
</span></dt><dd><p>Specify the subject in hexadecimal format (use with
<code class="option">--type</code> cert/privkey/pubkey).</p></dd><dt><span class="term">
<code class="option">--signature-file</code> <em class="replaceable"><code>filename</code></em>
</span></dt><dd><p>The path to the signature file for signature verification</p></dd><dt><span class="term">
<code class="option">--signature-format</code> <em class="replaceable"><code>format</code></em>
</span></dt><dd><p>Format for ECDSA signature: 'rs' (default),
'sequence', 'openssl'.</p></dd><dt><span class="term">
<code class="option">--write-object</code> <em class="replaceable"><code>filename</code></em>,
<code class="option">-w</code> <em class="replaceable"><code>filename</code></em>
</span></dt><dd><p>Write a key or certificate object to the token.
<em class="replaceable"><code>filename</code></em> points to the DER-encoded certificate or key file.
</p></dd><dt><span class="term">
<code class="option">--generate-random</code> <em class="replaceable"><code>num</code></em>
</span></dt><dd><p>Get <em class="replaceable"><code>num</code></em> bytes of random data.
</p></dd><dt><span class="term">
<code class="option">--allow-sw</code>
</span></dt><dd><p>Allow using software mechanisms that do not have the CKF_HW flag set.
May be required when using software tokens and emulators.
</p></dd><dt><span class="term">
<code class="option">--iv</code> <em class="replaceable"><code>data</code></em>
</span></dt><dd><p>Initialization vector for symmetric ciphers.
The <em class="replaceable"><code>data</code></em> is hexadecimal number, i.e. "000013aa7bffa0".
</p></dd><dt><span class="term">
<code class="option">--mac-general-param</code> <em class="replaceable"><code>num</code></em>
</span></dt><dd><p>Sets the length of the MAC for the general-length MACing mechanisms
to <em class="replaceable"><code>num</code></em> bytes.
</p></dd><dt><span class="term">
<code class="option">--aad</code> <em class="replaceable"><code>data</code></em>
</span></dt><dd><p>Additional authenticated data for AEAD ciphers.
The <em class="replaceable"><code>data</code></em> is an hexadecimal number.
</p></dd><dt><span class="term">
<code class="option">--tag-bits-len</code> <em class="replaceable"><code>num</code></em>
</span></dt><dd><p>Sets the length of the tag for AEAD ciphers to
<em class="replaceable"><code>num</code></em> bits.
</p></dd><dt><span class="term">
<code class="option">--salt-file</code> <em class="replaceable"><code>filename</code></em>
</span></dt><dd><p>Specify the file containing the salt for HKDF (optional)</p></dd><dt><span class="term">
<code class="option">--info-file</code> <em class="replaceable"><code>filename</code></em>
</span></dt><dd><p>Specify the file containing the info for HKDF (optional)</p></dd></dl></div><p>
</p></div><div class="refsect1"><a name="id-1.17.6"></a><h2>Examples</h2><p>
Perform a basic functionality test of the card:
</p><pre class="programlisting">pkcs11-tool --test --login</pre><p>
List all certificates on the smart card:
</p><pre class="programlisting">pkcs11-tool --list-objects --type cert</pre><p>
Read the certificate with ID <code class="varname">CERT_ID</code>
in DER format from smart card and convert it to PEM via OpenSSL:
</p><pre class="programlisting">
pkcs11-tool --read-object --id $CERT_ID --type cert \
--output-file cert.der
openssl x509 -inform DER -in cert.der -outform PEM > cert.pem
</pre><p>
Write a certificate to token:
</p><pre class="programlisting">pkcs11-tool --login --write-object certificate.der --type cert</pre><p>
Generate new RSA Key pair:
</p><pre class="programlisting">pkcs11-tool --login --keypairgen --key-type RSA:2048</pre><p>
Generate new extractable RSA Key pair:
</p><pre class="programlisting">pkcs11-tool --login --keypairgen --key-type RSA:2048 --extractable</pre><p>
Generate an elliptic curve key pair with OpenSSL and import it to the card as <code class="varname">$ID</code>:
</p><pre class="programlisting">openssl genpkey -out EC_private.der -outform DER \
-algorithm EC -pkeyopt ec_paramgen_curve:P-521
pkcs11-tool --write-object EC_private.der --id "$ID" \
--type privkey --label "EC private key" -p "$PIN"
openssl pkey -in EC_private.der -out EC_public.der \
-pubout -inform DER -outform DER
pkcs11-tool --write-object EC_public.der --id "$ID" \
--type pubkey --label "EC public key" -p $PIN</pre><p>
List private keys:
</p><pre class="programlisting">pkcs11-tool --login --list-objects --type privkey</pre><p>
Sign some data stored in file <code class="filename">data</code>
using the private key with ID <code class="varname">ID</code> and
using the RSA-PKCS mechanism:
</p><pre class="programlisting">
pkcs11-tool --sign --id $ID --mechanism RSA-PKCS \
--input-file data --output-file data.sig
</pre><p>
The same is also possible by piping the data from stdin rather than specifying a input file:
</p><pre class="programlisting">
dd if=data bs=128 count=1 \
| pkcs11-tool --sign --id $ID --mechanism RSA-PKCS \
> data.sig
</pre><p>
Verify the signed data:
</p><pre class="programlisting">
pkcs11-tool --id ID --verify -m RSA-PKCS \
--input-file data --signature-file data.sig
</pre><p>
To encrypt file using the AES key with ID 85 and using mechanism AES-CBC with padding:
</p><pre class="programlisting">
pkcs11-tool --login --encrypt --id 85 -m AES-CBC-PAD \
--iv "00000000000000000000000000000000" \
-i file.txt -o encrypted_file.data
</pre><p>
Decipher the encrypted file:
</p><pre class="programlisting">
pkcs11-tool --login --decrypt --id 85 -m AES-CBC-PAD \
--iv "00000000000000000000000000000000" \
--i encrypted_file.data -o decrypted.txt
</pre><p>
Use the key with ID 75 using mechanism AES-CBC-PAD, with initialization vector
"00000000000000000000000000000000" to wrap the key with ID 76 into output file
<code class="filename">exported_aes.key</code>
</p><pre class="programlisting">
pkcs11-tool --login --wrap --id 75 --mechanism AES-CBC-PAD \
--iv "00000000000000000000000000000000" \
--application-id 76 \
--output-file exported_aes.key
</pre><p>
Use the key with ID 22 and mechanism RSA-PKCS to unwrap key from file
<code class="filename">aes_wrapped.key</code>. After a successful unwrap operation,
a new AES key is created on token. ID of this key is set to 90 and label of this
key is set to <code class="literal">unwrapped-key</code>
Note: for the MyEID card, the AES key size must be present in key
specification i.e. AES:16
</p><pre class="programlisting">
pkcs11-tool --login --unwrap --mechanism RSA-PKCS --id 22 \
-i aes_wrapped.key --key-type AES: \
--application-id 90 --applicatin-label unwrapped-key
</pre><p>
Use the SO-PIN to initialize or re-set the PIN:
</p><pre class="programlisting">
pkcs11-tool --login --login-type so --init-pin
</pre><p>
</p></div><div class="refsect1"><a name="id-1.17.7"></a><h2>Authors</h2><p><span class="command"><strong>pkcs11-tool</strong></span> was written by
Olaf Kirch <code class="email"><<a class="email" href="mailto:okir@suse.de">okir@suse.de</a>></code>.</p></div></div><div class="refentry"><div class="refentry.separator"><hr></div><a name="pkcs15-crypt"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pkcs15-crypt — perform crypto operations using PKCS#15 smart cards</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pkcs15-crypt</code> [<em class="replaceable"><code>OPTIONS</code></em>]</p></div></div><div class="refsect1"><a name="id-1.18.4"></a><h2>Description</h2><p>
The <span class="command"><strong>pkcs15-crypt</strong></span> utility can be used from the
command line to perform cryptographic operations such as computing
digital signatures or decrypting data, using keys stored on a PKCS#15
compliant smart card.
</p></div><div class="refsect1"><a name="id-1.18.5"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--version</code>,
</span></dt><dd><p>Print the OpenSC package release version.</p></dd><dt><span class="term">
<code class="option">--aid</code> <em class="replaceable"><code>aid</code></em>
</span></dt><dd><p>Specify the AID of the on-card PKCS#15 application
to bind to. The <em class="replaceable"><code>aid</code></em> must be in hexadecimal
form.</p></dd><dt><span class="term">
<code class="option">--decipher</code>,
<code class="option">-c</code>
</span></dt><dd><p>Decrypt the contents of the file specified by
the <code class="option">--input</code> option. The result of the
decryption operation is written to the file specified by the
<code class="option">--output</code> option. If this option is not given,
the decrypted data is printed to standard output, displaying
non-printable characters using their hex notation xNN (see also
<code class="option">--raw</code>).</p></dd><dt><span class="term">
<code class="option">--input</code> <em class="replaceable"><code>file</code></em>,
<code class="option">-i</code> <em class="replaceable"><code>file</code></em>
</span></dt><dd><p>Specifies the input file to use. Defaults to stdin if
not specified.</p></dd><dt><span class="term">
<code class="option">--key</code> <em class="replaceable"><code>id</code></em>,
<code class="option">-k</code> <em class="replaceable"><code>id</code></em>
</span></dt><dd><p>Selects the ID of the key to use.</p></dd><dt><span class="term">
<code class="option">--output</code> <em class="replaceable"><code>file</code></em>,
<code class="option">-o</code> <em class="replaceable"><code>file</code></em>
</span></dt><dd><p>Any output will be sent to the specified file. Defaults
to stdout if not specified.</p></dd><dt><span class="term">
<code class="option">--pin</code> <em class="replaceable"><code>pin</code></em>,
<code class="option">-p</code> <em class="replaceable"><code>pin</code></em>
</span></dt><dd><p>When the cryptographic operation requires a
PIN to access the key, <span class="command"><strong>pkcs15-crypt</strong></span> will
prompt the user for the PIN on the terminal. Using this option
allows you to specify the PIN on the command line.</p><p>Note that on most operating systems, the command line of
a process can be displayed by any user using the ps(1)
command. It is therefore a security risk to specify
secret information such as PINs on the command line.
If you specify '-' as PIN, it will be read from STDIN.</p></dd><dt><span class="term">
<code class="option">--pkcs1</code>
</span></dt><dd><p>By default, <span class="command"><strong>pkcs15-crypt</strong></span>
assumes that input data has been padded to the correct length
(i.e. when computing an RSA signature using a 1024 bit key,
the input must be padded to 128 bytes to match the modulus
length). When giving the <code class="option">--pkcs1</code> option,
however, <span class="command"><strong>pkcs15-crypt</strong></span> will perform the
required padding using the algorithm outlined in the
PKCS #1 standard version 1.5.</p></dd><dt><span class="term">
<code class="option">--raw</code>,
<code class="option">-R</code>
</span></dt><dd><p>Outputs raw 8 bit data.</p></dd><dt><span class="term">
<code class="option">--reader</code> <em class="replaceable"><code>arg</code></em>,
<code class="option">-r</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>
Number of the reader to use. By default, the first
reader with a present card is used. If
<em class="replaceable"><code>arg</code></em> is an ATR, the
reader with a matching card will be chosen.
</p></dd><dt><span class="term">
<code class="option">--md5</code>
<code class="option">--sha-1</code>
<code class="option">--sha-224</code>
<code class="option">--sha-256</code>
<code class="option">--sha-384</code>
<code class="option">--sha-512</code>
</span></dt><dd><p>These options tell <span class="command"><strong>pkcs15-crypt</strong></span>
that the input file is the result of the specified hash operation.
By default, an MD5 hash is expected. Again, the data must be in binary
representation.</p></dd><dt><span class="term">
<code class="option">--sign</code>,
<code class="option">-s</code>
</span></dt><dd><p>Perform digital signature operation on
the data read from a file specified using the <code class="option">--input</code>
option. By default, the contents of the file are assumed to
be the result of an MD5 hash operation.
Note that <span class="command"><strong>pkcs15-crypt</strong></span>
expects the data in binary representation, not ASCII.</p><p>The digital signature is stored, in binary representation,
in the file specified by the <code class="option">--output</code> option. If
this option is not given, the signature is printed on standard
output, displaying non-printable characters using their hex notation
<code class="literal">x</code><em class="replaceable"><code>NN</code></em>
(see also <code class="option">--raw</code>).</p></dd><dt><span class="term">
<code class="option">--signature-format</code>,
<code class="option">--f</code>
</span></dt><dd><p>When signing with ECDSA key this option indicates
to <span class="command"><strong>pkcs15-crypt</strong></span> the signature output format.
Possible values are 'rs'(default) -- two concatenated
integers (PKCS#11), 'sequence' or 'openssl' -- DER encoded sequence
of two integers (OpenSSL).</p></dd><dt><span class="term">
<code class="option">--wait</code>,
<code class="option">-w</code>
</span></dt><dd><p>Causes <span class="command"><strong>pkcs15-crypt</strong></span> to
wait for a card insertion.</p></dd><dt><span class="term">
<code class="option">--verbose</code>,
<code class="option">-v</code>
</span></dt><dd><p>Causes <span class="command"><strong>pkcs15-crypt</strong></span> to be more
verbose. Specify this flag several times to enable debug output
in the OpenSC library.</p></dd></dl></div><p>
</p></div><div class="refsect1"><a name="id-1.18.6"></a><h2>See also</h2><p>
<span class="citerefentry"><span class="refentrytitle">pkcs15-init</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">pkcs15-tool</span>(1)</span>
</p></div><div class="refsect1"><a name="id-1.18.7"></a><h2>Authors</h2><p><span class="command"><strong>pkcs15-crypt</strong></span> was written by
Juha Yrjölä <code class="email"><<a class="email" href="mailto:juha.yrjola@iki.fi">juha.yrjola@iki.fi</a>></code>.</p></div></div><div class="refentry"><div class="refentry.separator"><hr></div><a name="pkcs15-init"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pkcs15-init — smart card personalization utility</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pkcs15-init</code> [<em class="replaceable"><code>OPTIONS</code></em>]</p></div></div><div class="refsect1"><a name="id-1.19.5"></a><h2>Description</h2><p>
The <span class="command"><strong>pkcs15-init</strong></span> utility can be used to create a PKCS #15
structure on a smart card, and add key or certificate objects. Details of the
structure that will be created are controlled via profiles.
</p><p>
The profile used by default is <span class="command"><strong>pkcs15</strong></span>. Alternative
profiles can be specified via the <code class="option">-p</code> switch.
</p></div><div class="refsect1"><a name="id-1.19.6"></a><h2>PIN Usage</h2><p>
<span class="command"><strong>pkcs15-init</strong></span> can be used to create a PKCS #15 structure on
your smart card, create PINs, and install keys and certificates on the card.
This process is also called <em class="replaceable"><code>personalization</code></em>.
</p><p>
An OpenSC card can have one security officer PIN, and zero or more user PINs.
PIN stands for Personal Identification Number, and is a secret code you need
to present to the card before being allowed to perform certain operations,
such as using one of the stored RSA keys to sign a document, or modifying
the card itself.
</p><p>
Usually, PINs are a sequence of decimal digits, but some cards will accept
arbitrary ASCII characters. Be aware however that using characters other
than digits will make the card unusable with PIN pad readers, because those
usually have keys for entering digits only.
</p><p>
The security officer (SO) PIN is special; it is used to protect meta data
information on the card, such as the PKCS #15 structure itself. Setting
the SO PIN is optional, because the worst that can usually happen is that
someone finding your card can mess it up. To extract any of your secret
keys stored on the card, an attacker will still need your user PIN, at
least for the default OpenSC profiles. However, it is possible to create
card profiles that will allow the security officer to override user PINs.
</p><p>
For each PIN, you can specify a PUK (also called <em class="replaceable"><code>unblock PIN</code></em>).
The PUK can be used to overwrite or unlock a PIN if too many incorrect values
have been entered in a row.
</p><p>
For some cards that use the PKCS#15 emulation, the attributes of private objects
are protected and cannot be parsed without authentication (usually with User PIN).
This authentication need to be done immediately after the card binding.
In such cases <code class="option">--verify-pin</code> has to be used.
</p></div><div class="refsect1"><a name="id-1.19.7"></a><h2>Modes of operation</h2><div class="refsect2"><a name="id-1.19.7.2"></a><h3>Initialization</h3><p>This is the first step during card personalization, and will create the
basic files on the card. To create the initial PKCS #15 structure, invoke the
utility as
</p><p>
<span class="command"><strong>pkcs15-init --create-pkcs15</strong></span></p><p>
You will then be asked for the security officer PIN and PUK. Simply
pressing return at the SO PIN prompt will skip installation of an SO PIN.
</p><p>
If the card supports it, you should erase the contents of the card with
<span class="command"><strong>pkcs15-init --erase-card</strong></span> before creating the PKCS#15 structure.
</p></div><div class="refsect2"><a name="id-1.19.7.3"></a><h3>User PIN Installation</h3><p>
Before installing any user objects such as private keys, you need at least one
PIN to protect these objects. you can do this using
</p><p>
<span class="command"><strong>pkcs15-init --store-pin --id " nn</strong></span>
</p><p>
where <em class="replaceable"><code>nn</code></em> is a PKCS #15 ID in hexadecimal notation. Common
values are 01, 02, etc.
</p><p>
Entering the command above will ask you for the user's PIN and PUK. If you do
not wish to install an unblock PIN, simply press return at the PUK prompt.
</p><p>
To set a label for this PIN object (which can be used by applications to display
a meaningful prompt to the user), use the <code class="option">--label</code> command line option.
</p></div><div class="refsect2"><a name="id-1.19.7.4"></a><h3>Key generation</h3><p>
<span class="command"><strong>pkcs15-init</strong></span> lets you generate a new key and store it on the card.
You can do this using:
</p><p>
<span class="command"><strong>pkcs15-init --generate-key "keyspec" --auth-id "nn"</strong></span>
</p><p>
where <em class="replaceable"><code>keyspec</code></em> describes the algorithm and the parameters
of the key to be created. For example, <code class="literal">rsa:2048</code> generates a RSA key
with 2048-bit modulus. If you are generating an EC key, the curve designation must
be specified, for example <code class="literal">ec:prime256v1</code>. For symmetric key,
the length of key is specified in bytes, for example <code class="literal">AES:32</code>
or <code class="literal">DES3:24</code>.
</p><p>
<em class="replaceable"><code>nn</code></em> is the ID of a user PIN installed previously,
e.g. <code class="literal">01</code>.
</p><p>
In addition to storing the private portion of the key on the card,
<span class="command"><strong>pkcs15-init</strong></span> will also store the public portion of the
key as a PKCS #15 public key object.
</p></div><div class="refsect2"><a name="id-1.19.7.5"></a><h3>Private Key Upload</h3><p>
You can use a private key generated by other means and upload it to the card.
For instance, to upload a private key contained in a file named
<code class="filename">okir.pem</code>, which is in PEM format, you would use
</p><p>
<span class="command"><strong>pkcs15-init --store-private-key okir.pem --id 45 --auth-id 01</strong></span>
</p><p>
In addition to storing the private portion of the key on the card,
<span class="command"><strong>pkcs15-init</strong></span> will also store the public portion of the
key as a PKCS #15 public key object.
</p><p>
Note that usage of <code class="option">--id</code> option in the <span class="command"><strong>pkcs15-init</strong></span>
commands to generate or to import a new key is deprecated.
Better practice is to let the middleware to derive the identifier from the key material.
(SHA1(modulus) for RSA, ...).
This allows easily set up relation between 'related' objects
(private/public keys and certificates).
</p><p>
In addition to the PEM key file format, <span class="command"><strong>pkcs15-init</strong></span> also
supports DER encoded keys, and PKCS #12 files. The latter is the file format
used by Netscape Navigator (among others) when exporting certificates to
a file. A PKCS #12 file usually contains the X.509 certificate corresponding
to the private key. If that is the case, <span class="command"><strong>pkcs15-init</strong></span> will
store the certificate instead of the public key portion.
</p></div><div class="refsect2"><a name="id-1.19.7.6"></a><h3>Public Key Upload</h3><p>
You can also upload individual public keys to the card using the
<code class="option">--store-public-key</code> option, which takes a filename as an
argument. This file is supposed to contain the public key. If you don't
specify a key file format using the <code class="option">--format</code> option,
<span class="command"><strong>pkcs15-init</strong></span> will assume PEM format. The only other
supported public key file format is DER.
</p><p>
Since the corresponding public keys are always uploaded automatically
when generating a new key, or when uploading a private key, you will
probably use this option only very rarely.
</p></div><div class="refsect2"><a name="id-1.19.7.7"></a><h3>Certificate Upload</h3><p>
You can upload certificates to the card using the
<code class="option">--store-certificate</code> option, which takes a filename as
an argument. This file is supposed to contain the PEM encoded X.509
certificate.
</p></div><div class="refsect2"><a name="id-1.19.7.8"></a><h3>Uploading PKCS #12 bags</h3><p>
Most browsers nowadays use PKCS #12 format files when you ask them to
export your key and certificate to a file. <span class="command"><strong>pkcs15-init</strong></span>
is capable of parsing these files, and storing their contents on the
card in a single operation. This works just like storing a private key,
except that you need to specify the file format:
</p><p>
<span class="command"><strong>pkcs15-init --store-private-key okir.p12 --format pkcs12 --auth-id
01</strong></span>
</p><p>
This will install the private key contained in the file <code class="filename">okir.p12</code>,
and protect it with the PIN referenced by authentication ID <code class="literal">01</code>.
It will also store any X.509 certificates contained in the file, which is
usually the user certificate that goes with the key, as well as the CA certificate.
</p></div><div class="refsect2"><a name="id-1.19.7.9"></a><h3>Secret Key Upload</h3><p>
You can use a secret key generated by other means and upload it to the card.
For instance, to upload an AES-secret key generated by the system random generator
you would use
</p><p>
<span class="command"><strong>pkcs15-init --store-secret-key /dev/urandom --secret-key-algorithm aes:256 --auth-id 01</strong></span>
</p><p>
By default a random ID is generated for the secret key. You may specify an ID
with the <code class="option">--id</code> if needed.
</p></div></div><div class="refsect1"><a name="id-1.19.8"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--version</code>,
</span></dt><dd><p>Print the OpenSC package release version.</p></dd><dt><span class="term">
<code class="option">--card-profile</code> <em class="replaceable"><code>name</code></em>,
<code class="option">-c</code> <em class="replaceable"><code>name</code></em>
</span></dt><dd><p>
Tells <span class="command"><strong>pkcs15-init</strong></span> to load the specified card
profile option. You will rarely need this option.
</p></dd><dt><span class="term">
<code class="option">--create-pkcs15</code>,
<code class="option">-C</code>
</span></dt><dd><p>
This tells <span class="command"><strong>pkcs15-init</strong></span> to create a PKCS #15
structure on the card, and initialize any PINs.
</p></dd><dt><span class="term">
<code class="option">--serial</code> <em class="replaceable"><code>SERIAL</code></em>
</span></dt><dd><p>
Specify the serial number of the card.
</p></dd><dt><span class="term">
<code class="option">--erase-card</code>,
<code class="option">-E</code>
</span></dt><dd><p>
This will erase the card prior to creating the PKCS #15 structure,
if the card supports it. If the card does not support erasing,
<span class="command"><strong>pkcs15-init</strong></span> will fail.
</p></dd><dt><span class="term">
<code class="option">--erase-application</code> <em class="replaceable"><code>AID</code></em>
</span></dt><dd><p>
This will erase the application with the application identifier
<em class="replaceable"><code>AID</code></em>.
</p></dd><dt><span class="term">
<code class="option">--generate-key</code> <em class="replaceable"><code>keyspec</code></em>,
<code class="option">-G</code> <em class="replaceable"><code>keyspec</code></em>
</span></dt><dd><p>
Tells the card to generate new key and store it on the card.
<em class="replaceable"><code>keyspec</code></em> consists of an algorithm name,
optionally followed by a colon ":", slash "/" or hyphen "-" and
the parameters of the key to be created.
It is a good idea to specify the key ID along with this command,
using the <code class="option">id</code> option, otherwise an intrinsic ID
will be calculated from the key material. Look the description of
the 'pkcs15-id-style' attribute in the 'pkcs15.profile' for the details
about the algorithm used to calculate intrinsic ID.
For the multi-application cards the target PKCS#15 application can be
specified by the hexadecimal AID value of the <code class="option">aid</code> option.
</p></dd><dt><span class="term">
<code class="option">--pin</code> <em class="replaceable"><code>pin</code></em>,
<code class="option">--puk</code> <em class="replaceable"><code>puk</code></em>,
<code class="option">--so-pin</code> <em class="replaceable"><code>sopin</code></em>,
<code class="option">--so-puk</code> <em class="replaceable"><code>sopuk</code></em>
</span></dt><dd><p>
These options can be used to specify the PIN/PUK values
on the command line. If the value is set to
<code class="literal">env:</code><em class="replaceable"><code>VARIABLE</code></em>, the value
of the specified environment variable is used. By default,
the code is prompted on the command line if needed.
</p><p>
Note that on most operation systems, any user can
display the command line of any process on the
system using utilities such as
<span class="command"><strong>ps(1)</strong></span>. Therefore, you should prefer
passing the codes via an environment variable
on an unsecured system.
</p></dd><dt><span class="term">
<code class="option">--no-so-pin</code>,
</span></dt><dd><p>
Do not install a SO PIN, and do not prompt for it.
</p></dd><dt><span class="term">
<code class="option">--profile</code> <em class="replaceable"><code>name</code></em>,
<code class="option">-p</code> <em class="replaceable"><code>name</code></em>
</span></dt><dd><p>
Tells <span class="command"><strong>pkcs15-init</strong></span> to load the specified general
profile. Currently, the only application profile defined is
<code class="literal">pkcs15</code>, but you can write your own profiles and
specify them using this option.
</p><p>
The profile name can be combined with one or more profile
options, which slightly modify the profile's behavior.
For instance, the default OpenSC profile supports the
<code class="option">openpin</code> option, which installs a single PIN during
card initialization. This PIN is then used both as the SO PIN as
well as the user PIN for all keys stored on the card.
</p><p>
Profile name and options are separated by a <code class="literal">+</code>
character, as in <code class="literal">pkcs15+onepin</code>.
</p></dd><dt><span class="term">
<code class="option">--secret-key-algorithm</code> <em class="replaceable"><code>keyspec</code></em>,
</span></dt><dd><p>
<em class="replaceable"><code>keyspec</code></em> describes the algorithm and length of the
key to be created or downloaded, such as <code class="literal">aes:256</code>.
This will create a 256 bit AES key.
</p></dd><dt><span class="term">
<code class="option">--store-certificate</code> <em class="replaceable"><code>filename</code></em>,
<code class="option">-X</code> <em class="replaceable"><code>filename</code></em>
</span></dt><dd><p>
Tells <span class="command"><strong>pkcs15-init</strong></span> to store the certificate given
in <code class="option">filename</code> on the card, creating a certificate
object with the ID specified via the <code class="option">--id</code> option.
Without supplied ID an intrinsic ID will be calculated from the
certificate's public key. Look the description of the 'pkcs15-id-style'
attribute in the 'pkcs15.profile' for the details
about the algorithm used to calculate intrinsic ID.
The file is assumed to contain the PEM encoded certificate.
For the multi-application cards the target application can be specified
by the hexadecimal AID value of the <code class="option">aid</code> option.
</p></dd><dt><span class="term">
<code class="option">--store-pin</code>,
<code class="option">-P</code>
</span></dt><dd><p>
Store a new PIN/PUK on the card.
</p></dd><dt><span class="term">
<code class="option">--store-public-key</code> <em class="replaceable"><code>filename</code></em>
</span></dt><dd><p>
Tells <span class="command"><strong>pkcs15-init</strong></span> to download the specified
public key to the card and create a public key object with the
key ID specified via the <code class="option">--id</code>. By default,
the file is assumed to contain the key in PEM format. Alternative
formats can be specified using <code class="option">--format</code>.
</p></dd><dt><span class="term">
<code class="option">--store-private-key</code> <em class="replaceable"><code>filename</code></em>,
<code class="option">-S</code> <em class="replaceable"><code>filename</code></em>
</span></dt><dd><p>
Tells <span class="command"><strong>pkcs15-init</strong></span> to download the specified
private key to the card. This command will also create a public
key object containing the public key portion. By default, the
file is assumed to contain the key in PEM format. Alternative
formats can be specified using <code class="option">--format</code>.
It is a good idea to specify the key ID along with this command,
using the <code class="option">--id</code> option, otherwise an intrinsic ID
will be calculated from the key material. Look the description of
the 'pkcs15-id-style' attribute in the 'pkcs15.profile' for the details
about the algorithm used to calculate intrinsic ID.
For the multi-application cards the target PKCS#15 application can be
specified by the hexadecimal AID value of the <code class="option">aid</code> option.
</p></dd><dt><span class="term">
<code class="option">--store-secret-key</code> <em class="replaceable"><code>filename</code></em>,
</span></dt><dd><p>
Tells <span class="command"><strong>pkcs15-init</strong></span> to download the specified
secret key to the card. The file is assumed to contain the raw key.
They key type should be specified with <code class="option">--secret-key-algorithm</code>
option.
</p><p>
You may additionally specify the key ID along with this command,
using the <code class="option">--id</code> option, otherwise a random ID is generated.
For the multi-application cards the target PKCS#15 application can be
specified by the hexadecimal AID value of the <code class="option">aid</code> option.
</p></dd><dt><span class="term">
<code class="option">--store-data</code> <em class="replaceable"><code>filename</code></em>,
<code class="option">-W</code> <em class="replaceable"><code>filename</code></em>
</span></dt><dd><p>
Store a data object.
</p></dd><dt><span class="term">
<code class="option">--update-certificate</code> <em class="replaceable"><code>filename</code></em>,
<code class="option">-U</code> <em class="replaceable"><code>filename</code></em>
</span></dt><dd><p>
Tells <span class="command"><strong>pkcs15-init</strong></span> to update the certificate
object with the ID specified via the <code class="option">--id</code> option
with the certificate in <em class="replaceable"><code>filename</code></em>.
The file is assumed to contain a PEM encoded certificate.
</p><p>Pay extra attention when updating mail decryption certificates, as
missing certificates can render e-mail messages unreadable!
</p></dd><dt><span class="term">
<code class="option">--delete-objects</code> <em class="replaceable"><code>arg</code></em>,
<code class="option">-D</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>
Tells <span class="command"><strong>pkcs15-init</strong></span> to delete the
specified object. <em class="replaceable"><code>arg</code></em>
is comma-separated list containing any of
<code class="literal">privkey</code>, <code class="literal">pubkey</code>,
<code class="literal">secrkey</code>, <code class="literal">cert</code>,
<code class="literal">chain</code> or <code class="literal">data</code>.
</p><p>
When <code class="literal">data</code> is specified, an
-<code class="option">--application-id</code> must also be
specified, in the other cases an
<code class="option">--id</code> must also be specified
</p><p>
When <code class="literal">chain</code> is specified, the
certificate chain starting with the cert with
specified ID will be deleted, until there's a CA
certificate that certifies another cert on the card
</p></dd><dt><span class="term">
<code class="option">--change-attributes</code> <em class="replaceable"><code>arg</code></em>,
<code class="option">-A</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>
Tells <span class="command"><strong>pkcs15-init</strong></span> to change the
specified attribute. <em class="replaceable"><code>arg</code></em>
is either <code class="literal">privkey</code>,
<code class="literal">pubkey</code>, <code class="literal">secrkey</code>,
<code class="literal">cert</code> or <code class="literal">data</code>.
You also have to specify the <code class="option">--id</code>
of the object.
For now, you can only change the <code class="option">--label</code>, e.g:
</p><pre class="programlisting">
pkcs15-init -A cert --id 45 -a 1 --label Jim
</pre><p>
</p></dd><dt><span class="term">
<code class="option">--use-default-transport-keys</code>,
<code class="option">-T</code>
</span></dt><dd><p>
Tells <span class="command"><strong>pkcs15-init</strong></span> to not ask for the transport
keys and use default keys, as known by the card driver.
</p></dd><dt><span class="term">
<code class="option">--sanity-check</code>
</span></dt><dd><p>
Tells <span class="command"><strong>pkcs15-init</strong></span> to perform a
card specific sanity check and possibly update
procedure.
</p></dd><dt><span class="term">
<code class="option">--reader</code> <em class="replaceable"><code>arg</code></em>,
<code class="option">-r</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>
Number of the reader to use. By default, the first
reader with a present card is used. If
<em class="replaceable"><code>arg</code></em> is an ATR, the
reader with a matching card will be chosen.
</p></dd><dt><span class="term">
<code class="option">--verbose</code>,
<code class="option">-v</code>
</span></dt><dd><p>
Causes <span class="command"><strong>pkcs15-init</strong></span> to be more verbose. Specify this
flag several times to enable debug output in the OpenSC library.
</p></dd><dt><span class="term">
<code class="option">--wait</code>,
<code class="option">-w</code>
</span></dt><dd><p>Causes <span class="command"><strong>pkcs15-init</strong></span> to
wait for a card insertion.</p></dd><dt><span class="term">
<code class="option">--use-pinpad</code>
</span></dt><dd><p>Do not prompt the user; if no PINs supplied, pinpad will be used.</p></dd><dt><span class="term">
<code class="option">--auth-id</code> <em class="replaceable"><code>filename</code></em>,
<code class="option">-a</code> <em class="replaceable"><code>filename</code></em>
</span></dt><dd><p>
Specify ID of PIN to use/create
</p></dd><dt><span class="term">
<code class="option">--puk-id</code> <em class="replaceable"><code>ID</code></em>
</span></dt><dd><p>
Specify ID of PUK to use/create
</p></dd><dt><span class="term">
<code class="option">--label</code> <em class="replaceable"><code>LABEL</code></em>
</span></dt><dd><p>
Specify label for a PIN, key, certificate or data object when creating a new objects. When deleting objects, this can be used to delete object by label.
</p></dd><dt><span class="term">
<code class="option">--puk-label</code> <em class="replaceable"><code>LABEL</code></em>
</span></dt><dd><p>
Specify label of PUK
</p></dd><dt><span class="term">
<code class="option">--public-key-label</code> <em class="replaceable"><code>LABEL</code></em>
</span></dt><dd><p>
Specify public key label (use with <code class="option">--generate-key</code>)
</p></dd><dt><span class="term">
<code class="option">--cert-label</code> <em class="replaceable"><code>LABEL</code></em>
</span></dt><dd><p>
Specify user cert label (use with <code class="option">--store-private-key</code>)
</p></dd><dt><span class="term">
<code class="option">--application-name</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>
Specify application name of data object (use with <code class="option">--store-data-object</code>)
</p></dd><dt><span class="term">
<code class="option">--aid</code> <em class="replaceable"><code>AID</code></em>
</span></dt><dd><p>
Specify AID of the on-card PKCS#15 application to be binded to (in hexadecimal form)
</p></dd><dt><span class="term">
<code class="option">--output-file</code> <em class="replaceable"><code>filename</code></em>
<code class="option">-o</code> <em class="replaceable"><code>filename</code></em>,
</span></dt><dd><p>
Output public portion of generated key to file
</p></dd><dt><span class="term">
<code class="option">--passphrase</code> <em class="replaceable"><code>PASSPHRASE</code></em>
</span></dt><dd><p>
Specify passphrase for unlocking secret key
</p></dd><dt><span class="term">
<code class="option">--authority</code>
</span></dt><dd><p>
Mark certificate as a CA certificate
</p></dd><dt><span class="term">
<code class="option">--key-usage</code> <em class="replaceable"><code>arg</code></em>
<code class="option">-u</code> <em class="replaceable"><code>arg</code></em>,
</span></dt><dd><p>
Specifies the X.509 key usage.
<em class="replaceable"><code>arg</code></em> is comma-separated
list containing any of
<code class="literal">digitalSignature</code>,
<code class="literal">nonRepudiation</code>,
<code class="literal">keyEncipherment</code>,
<code class="literal">dataEncipherment</code>,
<code class="literal">keyAgreement</code>,
<code class="literal">keyCertSign</code>,
<code class="literal">cRLSign</code>. Abbreviated names are
allowed if unique (e.g.
<code class="literal">dataEnc</code>).
</p><p>
The alias <code class="literal">sign</code> is equivalent to
<code class="literal">digitalSignature,keyCertSign,cRLSign</code>
</p><p>
The alias <code class="literal">decrypt</code> is equivalent to
<code class="literal">keyEncipherment,dataEncipherment</code>
</p></dd><dt><span class="term">
<code class="option">--finalize</code>
<code class="option">-F</code>,
</span></dt><dd><p>
Finish initialization phase of the smart card
</p></dd><dt><span class="term">
<code class="option">--update-last-update</code>
</span></dt><dd><p>
Update 'lastUpdate' attribute of tokenInfo
</p></dd><dt><span class="term">
<code class="option">--ignore-ca-certificates</code>
</span></dt><dd><p>
When storing PKCS#12 ignore CA certificates
</p></dd><dt><span class="term">
<code class="option">--update-existing</code>
</span></dt><dd><p>
Store or update existing certificate
</p></dd><dt><span class="term">
<code class="option">--extractable</code>
</span></dt><dd><p>
Private key stored as an extractable key
</p></dd><dt><span class="term">
<code class="option">--user-consent</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>
Specify user-consent. <em class="replaceable"><code>arg</code></em> is an integer value.
If > 0, the value specifies how many times the
object can be accessed before a new authentication is required.
If zero, the object does not require re-authentication.
</p></dd><dt><span class="term">
<code class="option">--insecure</code>
</span></dt><dd><p>
Insecure mode: do not require a PIN for private key
</p></dd><dt><span class="term">
<code class="option">--md-container-guid</code> <em class="replaceable"><code>GUID</code></em>
</span></dt><dd><p>
For a new key specify GUID for a MD container
</p></dd><dt><span class="term">
<code class="option">--help</code>
<code class="option">-h</code>,
</span></dt><dd><p>
Display help message
</p></dd></dl></div><p>
</p></div><div class="refsect1"><a name="id-1.19.9"></a><h2>See also</h2><p>
<span class="citerefentry"><span class="refentrytitle">pkcs15-profile</span>(5)</span>
</p></div><div class="refsect1"><a name="id-1.19.10"></a><h2>Authors</h2><p><span class="command"><strong>pkcs15-init</strong></span> was written by
Olaf Kirch <code class="email"><<a class="email" href="mailto:okir@suse.de">okir@suse.de</a>></code>.</p></div></div><div class="refentry"><div class="refentry.separator"><hr></div><a name="pkcs15-tool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pkcs15-tool — utility for manipulating PKCS #15 data structures
on smart cards and similar security tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pkcs15-tool</code> [<em class="replaceable"><code>OPTIONS</code></em>]</p></div></div><div class="refsect1"><a name="id-1.20.4"></a><h2>Description</h2><p>
The <span class="command"><strong>pkcs15-tool</strong></span> utility is used to manipulate
the PKCS #15 data structures on smart cards and similar security
tokens. Users can list and read PINs, keys and certificates stored
on the token. User PIN authentication is performed for those
operations that require it.
</p></div><div class="refsect1"><a name="id-1.20.5"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--version</code>
</span></dt><dd><p>Print the OpenSC package release version.</p></dd><dt><span class="term">
<code class="option">--aid</code> <em class="replaceable"><code>aid</code></em>
</span></dt><dd><p>Specify in a hexadecimal form the AID of the on-card PKCS#15
application to bind to.</p></dd><dt><span class="term">
<code class="option">--auth-id</code> <em class="replaceable"><code>id</code></em>,
<code class="option">-a</code> <em class="replaceable"><code>id</code></em>
</span></dt><dd><p>Specifies the auth id of the PIN to use for the
operation. This is useful with the --change-pin operation.</p></dd><dt><span class="term">
<code class="option">--change-pin</code>
</span></dt><dd><p>Changes a PIN or PUK stored on the token. User authentication
is required for this operation.</p></dd><dt><span class="term">
<code class="option">--dump</code>,
<code class="option">-D</code>
</span></dt><dd><p>List all card objects.</p></dd><dt><span class="term">
<code class="option">--list-info</code>
</span></dt><dd><p>List card objects.</p></dd><dt><span class="term">
<code class="option">--list-applications</code>
</span></dt><dd><p>List the on-card PKCS#15 applications.</p></dd><dt><span class="term">
<code class="option">--list-certificates</code>,
<code class="option">-c</code>
</span></dt><dd><p>List all certificates stored on the token.</p></dd><dt><span class="term">
<code class="option">--list-data-objects</code>,
<code class="option">-C</code>
</span></dt><dd><p>List all data objects stored on the token.
For some cards the PKCS#15 attributes of the private data objects are
protected for reading and need the authentication with the User PIN.
In such a case the <code class="option">--verify-pin</code> option has to be used.
</p></dd><dt><span class="term">
<code class="option">--list-keys</code>,
<code class="option">-k</code>
</span></dt><dd><p>List all private keys stored on the token. General
information about each private key is listed (eg. key name, id and
algorithm). Actual private key values are not displayed.
For some cards the PKCS#15 attributes of the private keys are protected for reading
and need the authentication with the User PIN.
In such a case the <code class="option">--verify-pin</code> option has to be used.</p></dd><dt><span class="term">
<code class="option">--list-secret-keys</code>
</span></dt><dd><p>List all secret (symmetric) keys stored on the token. General
information about each secret key is listed (eg. key name, id and
algorithm). Actual secret key values are not displayed.
For some cards the PKCS#15 attributes of the private keys are protected for reading
and need the authentication with the User PIN.
In such a case the <code class="option">--verify-pin</code> option has to be used.</p></dd><dt><span class="term">
<code class="option">--list-pins</code>
</span></dt><dd><p>List all PINs stored on the token. General information
about each PIN is listed (eg. PIN name). Actual PIN values are not shown.</p></dd><dt><span class="term">
<code class="option">--list-public-keys</code>
</span></dt><dd><p>List all public keys stored on the token, including
key name, id, algorithm and length information.</p></dd><dt><span class="term">
<code class="option">--short</code>,
<code class="option">-s</code>
</span></dt><dd><p>Output lists in compact format.</p></dd><dt><span class="term">
<code class="option">--no-cache</code>
</span></dt><dd><p>Disables token data caching.</p></dd><dt><span class="term">
<code class="option">--clear-cache</code>
</span></dt><dd><p>Removes the user's cache directory. On
Windows, this option additionally removes the system's
caching directory (requires administrator
privileges).</p></dd><dt><span class="term">
<code class="option">--output</code> <em class="replaceable"><code>filename</code></em>,
<code class="option">-o</code> <em class="replaceable"><code>filename</code></em>
</span></dt><dd><p>Specifies where key output should be written.
If <em class="replaceable"><code>filename</code></em> already exists, it will be overwritten.
If this option is not given, keys will be printed to standard output.</p></dd><dt><span class="term">
<code class="option">--raw</code>
</span></dt><dd><p>Changes how <code class="option">--read-data-object</code> prints the content
to standard output. By default, when <code class="option">--raw</code> is not given, it will
print the content in hex notation. If <code class="option">--raw</code> is set, it will print
the binary data directly. This does not affect the output that is written to the
file specified by the <code class="option">--output</code> option. Data written to a file will
always be in raw binary.</p></dd><dt><span class="term">
<code class="option">--read-certificate</code> <em class="replaceable"><code>cert</code></em>
</span></dt><dd><p>Reads the certificate with the given id.</p></dd><dt><span class="term">
<code class="option">--read-data-object</code> <em class="replaceable"><code>data</code></em>,
<code class="option">-R</code> <em class="replaceable"><code>data</code></em>
</span></dt><dd><p>Reads data object with OID, applicationName or label.
The content is printed to standard output in hex notation, unless
the <code class="option">--raw</code> option is given.
If an output file is given with the <code class="option">--output</code> option,
the content is additionally written to the file.
Output to the file is always written in raw binary mode, the
<code class="option">--raw</code> only affects standard output behavior.</p></dd><dt><span class="term">
<code class="option">--read-public-key</code> <em class="replaceable"><code>id</code></em>
</span></dt><dd><p>Reads the public key with id <em class="replaceable"><code>id</code></em>,
allowing the user to extract and store or use the public key.</p></dd><dt><span class="term">
<code class="option">--read-ssh-key</code> <em class="replaceable"><code>id</code></em>
</span></dt><dd><p>Reads the public key with id <em class="replaceable"><code>id</code></em>,
writing the output in format suitable for
<code class="filename">$HOME/.ssh/authorized_keys</code>.</p><p>The key label, if any will be shown in the 'Comment' field.</p><dt><span class="term">
<code class="option">--rfc4716</code>
</span></dt><dd><p>When used in conjunction with option <code class="option">--read-ssh-key</code> the
output format of the public key follows rfc4716.</p></dd><p></p><p> The default output format is a single line (openssh).</p></dd><dt><span class="term">
<code class="option">--test-update</code>,
<code class="option">-T</code>
</span></dt><dd><p>Test if the card needs a security update</p></dd><dt><span class="term">
<code class="option">--update</code>,
<code class="option">-U</code>
</span></dt><dd><p>Update the card with a security update</p></dd><dt><span class="term">
<code class="option">--reader</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>
Number of the reader to use. By default, the first
reader with a present card is used. If
<em class="replaceable"><code>arg</code></em> is an ATR, the
reader with a matching card will be chosen.
</p></dd><dt><span class="term">
<code class="option">--unblock-pin</code>,
<code class="option">-u</code>
</span></dt><dd><p>Unblocks a PIN stored on the token. Knowledge of the
Pin Unblock Key (PUK) is required for this operation.</p></dd><dt><span class="term">
<code class="option">--verbose</code>,
<code class="option">-v</code>
</span></dt><dd><p>Causes <span class="command"><strong>pkcs15-tool</strong></span> to be more
verbose. Specify this flag several times to enable debug output
in the OpenSC library.</p></dd><dt><span class="term">
<code class="option">--pin</code> <em class="replaceable"><code>pin</code></em>,
<code class="option">--new-pin</code> <em class="replaceable"><code>newpin</code></em>,
<code class="option">--puk</code> <em class="replaceable"><code>puk</code></em>
</span></dt><dd><p>
These options can be used to specify the PIN/PUK values
on the command line. If the value is set to
<code class="literal">env:</code><em class="replaceable"><code>VARIABLE</code></em>, the value
of the specified environment variable is used. By default,
the code is prompted on the command line if needed.
</p><p>
Note that on most operation systems, any user can
display the command line of any process on the
system using utilities such as
<span class="command"><strong>ps(1)</strong></span>. Therefore, you should prefer
passing the codes via an environment variable
on an unsecured system.
</p></dd><dt><span class="term">
<code class="option">--new-pin</code> <em class="replaceable"><code>pin</code></em>
</span></dt><dd><p>Specify New PIN (when changing or unblocking)</p></dd><dt><span class="term">
<code class="option">--verify-pin</code>
</span></dt><dd><p>Verify PIN after card binding and before issuing any command
(without 'auth-id' the first non-SO, non-Unblock PIN will be verified)</p></dd><dt><span class="term">
<code class="option">--test-session-pin</code>
</span></dt><dd><p>Equivalent to <code class="option">--verify-pin</code>
with additional session PIN generation</p></dd><dt><span class="term">
<code class="option">--wait</code>,
<code class="option">-w</code>
</span></dt><dd><p>Causes <span class="command"><strong>pkcs15-tool</strong></span> to
wait for a card insertion.</p></dd><dt><span class="term">
<code class="option">--use-pinpad</code>
</span></dt><dd><p>Do not prompt the user; if no PINs supplied, pinpad will be used.</p></dd></dl></div><p>
</p></div><div class="refsect1"><a name="id-1.20.6"></a><h2>See also</h2><p>
<span class="citerefentry"><span class="refentrytitle">pkcs15-init</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">pkcs15-crypt</span>(1)</span>
</p></div><div class="refsect1"><a name="id-1.20.7"></a><h2>Authors</h2><p><span class="command"><strong>pkcs15-tool</strong></span> was written by
Juha Yrjölä <code class="email"><<a class="email" href="mailto:juha.yrjola@iki.fi">juha.yrjola@iki.fi</a>></code>.</p></div></div><div class="refentry"><div class="refentry.separator"><hr></div><a name="sc-hsm-tool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>sc-hsm-tool — smart card utility for SmartCard-HSM</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">sc-hsm-tool</code> [<em class="replaceable"><code>OPTIONS</code></em>]</p></div></div><div class="refsect1"><a name="id-1.21.4"></a><p>
The <span class="command"><strong>sc-hsm-tool</strong></span> utility can be used from the command line to perform
extended maintenance tasks not available via PKCS#11 or other tools in the OpenSC package.
It can be used to query the status of a SmartCard-HSM, initialize a device, generate and import
Device Key Encryption Key (DKEK) shares and to wrap and unwrap keys.
</p></div><div class="refsect1"><a name="id-1.21.5"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--initialize</code>,
<code class="option">-X</code>
</span></dt><dd><p>Initialize token, removing all existing keys, certificates and files.</p><p>Use <code class="option">--so-pin</code> to define SO-PIN for first initialization or to verify in subsequent
initializations.</p><p>Use <code class="option">--pin</code> to define the initial user pin value.</p><p>Use <code class="option">--pin-retry</code> to define the maximum number of wrong user PIN presentations.</p><p>Use with <code class="option">--dkek-shares</code> to enable key wrap / unwrap.</p><p>Use with <code class="option">--label</code> to define a token label</p><p>Use with <code class="option">--public-key-auth</code> and <code class="option">--required-pub-keys</code> to require public key authentication for login</p></dd><dt><span class="term">
<code class="option">--create-dkek-share</code> <em class="replaceable"><code>filename</code></em>,
<code class="option">-C</code> <em class="replaceable"><code>filename</code></em>
</span></dt><dd><p>Create a DKEK share encrypted under a password and save it to the file
given as parameter.</p><p>Use <code class="option">--password</code> to provide a password for encryption rather than prompting for one.</p><p>Use <code class="option">--pwd-shares-threshold</code> and <code class="option">--pwd-shares-total</code> to randomly generate a password and split is using a (t, n) threshold scheme.</p></dd><dt><span class="term">
<code class="option">--import-dkek-share</code> <em class="replaceable"><code>filename</code></em>,
<code class="option">-I</code> <em class="replaceable"><code>filename</code></em>
</span></dt><dd><p>Prompt for user password, read and decrypt DKEK share and import into SmartCard-HSM.</p><p>Use <code class="option">--password</code> to provide a password for decryption rather than prompting for one.</p><p>Use <code class="option">--pwd-shares-total</code> to specify the number of shares that should be entered to reconstruct the password.</p></dd><dt><span class="term">
<code class="option">--wrap-key</code> <em class="replaceable"><code>filename</code></em>,
<code class="option">-W</code> <em class="replaceable"><code>filename</code></em>
</span></dt><dd><p>Wrap the key referenced in <code class="option">--key-reference</code> and save with it together with the key description
and certificate to the given file.</p><p>Use <code class="option">--pin</code> to provide the user PIN on the command line.</p></dd><dt><span class="term">
<code class="option">--unwrap-key</code> <em class="replaceable"><code>filename</code></em>,
<code class="option">-U</code> <em class="replaceable"><code>filename</code></em>
</span></dt><dd><p>Read wrapped key, description and certificate from file and import into SmartCard-HSM
under the key reference given in <code class="option">--key-reference</code>.</p><p>Determine the key reference using the output of <span class="command"><strong>pkcs15-tool -D</strong></span>.</p><p>Use <code class="option">--pin</code> to provide a user PIN on the command line.</p><p>Use <code class="option">--force</code> to remove any key, key description or certificate in the way.</p></dd><dt><span class="term">
<code class="option">--dkek-shares</code> <em class="replaceable"><code>number-of-shares</code></em>,
<code class="option">-s</code> <em class="replaceable"><code>number-of-shares</code></em>
</span></dt><dd><p>Define the number of DKEK shares to use for recreating the DKEK.</p><p>This is an optional parameter. Using <code class="option">--initialize</code> without
<code class="option">--dkek-shares</code> will disable the DKEK completely.</p><p>Using <code class="option">--dkek-shares</code> with 0 shares requests the SmartCard-HSM to
generate a random DKEK. Keys wrapped with this DKEK can only be unwrapped in the
same SmartCard-HSM.</p><p>After using <code class="option">--initialize</code> with one or more DKEK shares, the
SmartCard-HSM will remain in the initialized state until all DKEK shares have
been imported. During this phase no new keys can be generated or imported.</p></dd><dt><span class="term">
<code class="option">--pin</code> <em class="replaceable"><code>pin</code></em>,
<code class="option">--so-pin</code> <em class="replaceable"><code>sopin</code></em>,
</span></dt><dd><p>
These options can be used to specify the PIN values
on the command line. If the value is set to
<code class="literal">env:</code><em class="replaceable"><code>VARIABLE</code></em>, the value
of the specified environment variable is used. By default,
the code is prompted on the command line if needed.
</p><p>
Note that on most operation systems, any user can
display the command line of any process on the
system using utilities such as
<span class="command"><strong>ps(1)</strong></span>. Therefore, you should prefer
passing the codes via an environment variable
on an unsecured system.
</p></dd><dt><span class="term">
<code class="option">--pin-retry</code> <em class="replaceable"><code>value</code></em>
</span></dt><dd><p>Define number of PIN retries for user PIN during initialization. Default is 3.</p></dd><dt><span class="term">
<code class="option">--bio-server1</code> <em class="replaceable"><code>value</code></em>
</span></dt><dd><p>The hexadecimal AID of of the biometric server for template 1. Switches on the use of the user PIN as session PIN.</p></dd><dt><span class="term">
<code class="option">--bio-server2</code> <em class="replaceable"><code>value</code></em>
</span></dt><dd><p>The hexadecimal AID of of the biometric server for template 2. Switches on the use of the user PIN as session PIN.</p></dd><dt><span class="term">
<code class="option">--password</code> <em class="replaceable"><code>value</code></em>
</span></dt><dd><p>Define password for DKEK share encryption. If set to
env:<em class="replaceable"><code>VARIABLE</code></em>, the value of
the environment variable
<em class="replaceable"><code>VARIABLE</code></em> is used.</p></dd><dt><span class="term">
<code class="option">--pwd-shares-threshold</code> <em class="replaceable"><code>value</code></em>
</span></dt><dd><p>Define threshold for number of password shares required for reconstruction.</p></dd><dt><span class="term">
<code class="option">--pwd-shares-total</code> <em class="replaceable"><code>value</code></em>
</span></dt><dd><p>Define number of password shares.</p></dd><dt><span class="term">
<code class="option">--force</code>
</span></dt><dd><p>Force removal of existing key, description and certificate.</p></dd><dt><span class="term">
<code class="option">--label</code> <em class="replaceable"><code>label</code></em>,
<code class="option">-l</code> <em class="replaceable"><code>label</code></em>
</span></dt><dd><p>Define the token label to be used in --initialize.</p></dd><dt><span class="term">
<code class="option">--reader</code> <em class="replaceable"><code>arg</code></em>,
<code class="option">-r</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>
Number of the reader to use. By default, the first
reader with a present card is used. If
<em class="replaceable"><code>arg</code></em> is an ATR, the
reader with a matching card will be chosen.
</p></dd><dt><span class="term">
<code class="option">--public-key-auth</code> <em class="replaceable"><code>total-number-of-public-keys</code></em>,
<code class="option">-K</code> <em class="replaceable"><code>total-number-of-public-keys</code></em>
</span></dt><dd><p>Define the total number of public keys to use for public key authentication when using <code class="option">--initialize</code>.
<code class="option">--public-key-auth</code> is optional, but if it's present, it must be used with <code class="option">--required-pub-keys</code>.
</p><p>When the SmartCard-HSM is initialized with these options, it will require M-of-N public key authentication to be used, where
<code class="option">--required-pub-keys</code> sets the M and <code class="option">--public-key-auth</code> sets the N. After the initialization,
the user should use <code class="option">--register-public-key</code> to register the N public keys before the SmartCard-HSM can be used.
</p></dd><dt><span class="term">
<code class="option">--required-pub-keys</code> <em class="replaceable"><code>required-number-of-public-keys</code></em>,
<code class="option">-n</code> <em class="replaceable"><code>required-number-of-public-keys</code></em>
</span></dt><dd><p>Define the required number of public keys to use for public key authentication when using <code class="option">--initialize</code>.
This is the M in M-of-N public key authentication. See <code class="option">--public-key-auth</code> for more information.
</p></dd><dt><span class="term">
<code class="option">--register-public-key</code> <em class="replaceable"><code>input-public-key-file</code></em>,
<code class="option">-g</code> <em class="replaceable"><code>input-public-key-file</code></em>
</span></dt><dd><p>Register a public key to be used for M-of-N public key authentication. The file can be exported from
a different SmartCard-HSM with <code class="option">--export-for-pub-key-auth</code>. This can only be used when the
SmartCard-HSM has been initialized with <code class="option">--public-key-auth</code> and <code class="option">--required-pub-keys</code>
and fewer than N public keys have been registered. Use <code class="option">--public-key-auth-status</code> to check the
how many public keys have been registered.
</p></dd><dt><span class="term">
<code class="option">--export-for-pub-key-auth</code> <em class="replaceable"><code>output-public-key-file</code></em>,
<code class="option">-e</code> <em class="replaceable"><code>output-public-key-file</code></em>
</span></dt><dd><p>Export a public key to be used for M-of-N public key authentication. This should be used with
<code class="option">--key-reference</code> to choose the key to export. The file should be registered on
another SmartCard-HSM using <code class="option">--register-public-key</code>.
</p></dd><dt><span class="term">
<code class="option">--public-key-auth-status</code>
<code class="option">-S</code>
</span></dt><dd><p>Print the public key authentication status. This is only valid if the SmartCard-HSM was initialized
to use M-of-N public key authentication.
</p></dd><dt><span class="term">
<code class="option">--wait</code>,
<code class="option">-w</code>
</span></dt><dd><p>Wait for a card to be inserted</p></dd><dt><span class="term">
<code class="option">--verbose</code>,
<code class="option">-v</code>
</span></dt><dd><p>Causes <span class="command"><strong>sc-hsm-tool</strong></span> to be more verbose.
Specify this flag several times to enable debug output in the opensc
library.</p></dd></dl></div><p>
</p></div><div class="refsect1"><a name="id-1.21.6"></a><h2>Examples</h2><p>Create a DKEK share:</p><p><span class="command"><strong>sc-hsm-tool --create-dkek-share dkek-share-1.pbe</strong></span></p><p>Create a DKEK share with random password split up using a (3, 5) threshold scheme:</p><p><span class="command"><strong>sc-hsm-tool --create-dkek-share dkek-share-1.pbe --pwd-shares-threshold 3 --pwd-shares-total 5</strong></span></p><p>Initialize SmartCard-HSM to use a single DKEK share:</p><p><span class="command"><strong>sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 --dkek-shares 1 --label mytoken</strong></span></p><p>Import DKEK share:</p><p><span class="command"><strong>sc-hsm-tool --import-dkek-share dkek-share-1.pbe</strong></span></p><p>Import DKEK share using a password split up using a (3, 5) threshold scheme for encryption:</p><p><span class="command"><strong>sc-hsm-tool --import-dkek-share dkek-share-1.pbe --pwd-shares-total 3</strong></span></p><p>Wrap referenced key, description and certificate:</p><p><span class="command"><strong>sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1 --pin 648219</strong></span></p><p>Unwrap key into same or in different SmartCard-HSM with the same DKEK:</p><p><span class="command"><strong>sc-hsm-tool --unwrap-key wrap-key.bin --key-reference 10 --pin 648219 --force</strong></span></p><p>Initialize SmartCard-HSM to use M-of-N public key authentication with M=2 and N=5</p><p><span class="command"><strong>sc-hsm-tool --initialize --required-pub-keys 2 --public-key-auth 5</strong></span></p><p>Export a public key for M-of-N public key authentication to a file</p><p><span class="command"><strong>sc-hsm-tool --key-reference 1 --export-for-pub-key-auth ./public_key1.asn1</strong></span></p><p>Register a public key for M-of-N public key authentication from a file</p><p><span class="command"><strong>sc-hsm-tool --register-public-key ./public_key1.asn1</strong></span></p></div><div class="refsect1"><a name="id-1.21.7"></a><h2>See also</h2><p>
<span class="citerefentry"><span class="refentrytitle">opensc-tool</span>(1)</span>
</p></div><div class="refsect1"><a name="id-1.21.8"></a><h2>Authors</h2><p><span class="command"><strong>sc-hsm-tool</strong></span> was written by
Andreas Schwier <code class="email"><<a class="email" href="mailto:andreas.schwier@cardcontact.de">andreas.schwier@cardcontact.de</a>></code>.</p></div></div><div class="refentry"><div class="refentry.separator"><hr></div><a name="westcos-tool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>westcos-tool — utility for manipulating data structures
on westcos smart cards</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">westcos-tool</code> [<em class="replaceable"><code>OPTIONS</code></em>]</p></div></div><div class="refsect1"><a name="id-1.22.4"></a><h2>Description</h2><p>
The <span class="command"><strong>westcos-tool</strong></span> utility is used to manipulate
the westcos data structures on 2 Ko smart cards / tokens. Users can create PINs,
keys and certificates stored on the card / token. User PIN authentication is
performed for those operations that require it.
</p></div><div class="refsect1"><a name="id-1.22.5"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
<code class="option">--change-pin</code>,
<code class="option">-n</code>
</span></dt><dd><p>Changes a PIN stored on the card.
User authentication is required for this operation.</p></dd><dt><span class="term">
<code class="option">--certificate</code> <em class="replaceable"><code>file</code></em>,
<code class="option">-t</code> <em class="replaceable"><code>file</code></em>
</span></dt><dd><p>Write certificate file <em class="replaceable"><code>file</code></em>
in PEM format to the card.
User authentication is required for this operation.</p></dd><dt><span class="term">
<code class="option">--finalize</code>,
<code class="option">-f</code>
</span></dt><dd><p>Finalize the card. Once finalized the default key is
invalidated, so PIN and PUK cannot be changed anymore without user
authentication.</p><p>Warning, un-finalized cards are insecure because the PIN can be
changed without user authentication (knowledge of default key
is enough).</p></dd><dt><span class="term">
<code class="option">--generate-key</code>,
<code class="option">-g</code>
</span></dt><dd><p>Generate a private key on the card. The card must not have
been finalized and a PIN must be installed (i.e. the file for the PIN must
have been created, see option <code class="option">-i</code>).
By default the key length is 2048 bits. User authentication is required for
this operation. </p></dd><dt><span class="term">
<code class="option">--help</code>,
<code class="option">-h</code>
</span></dt><dd><p>Print help message on screen.</p></dd><dt><span class="term">
<code class="option">--install-pin</code>,
<code class="option">-i</code>
</span></dt><dd><p>Install PIN file in on the card.
You must provide a PIN value with <code class="option">-x</code>.</p></dd><dt><span class="term">
<code class="option">--key-length</code> <em class="replaceable"><code>length</code></em>,
<code class="option">-l</code> <em class="replaceable"><code>length</code></em>
</span></dt><dd><p>Change the length of private key.
Use with <code class="option">-g</code>.</p></dd><dt><span class="term">
<code class="option">--overwrite-key</code>,
<code class="option">-o</code>
</span></dt><dd><p>Overwrite the key if there is already a key on the card.</p></dd><dt><span class="term">
<code class="option">--pin-value</code> <em class="replaceable"><code>pin</code></em>,
<code class="option">-x</code> <em class="replaceable"><code>pin</code></em>
<code class="option">--puk-value</code> <em class="replaceable"><code>puk</code></em>,
<code class="option">-y</code> <em class="replaceable"><code>puk</code></em>
</span></dt><dd><p>
These options can be used to specify the PIN/PUK values
on the command line. If the value is set to
<code class="literal">env:</code><em class="replaceable"><code>VARIABLE</code></em>, the value
of the specified environment variable is used. By default,
the code is prompted on the command line if needed.
</p><p>
Note that on most operation systems, any user can
display the command line of any process on the
system using utilities such as
<span class="command"><strong>ps(1)</strong></span>. Therefore, you should prefer
passing the codes via an environment variable
on an unsecured system.
</p></dd><dt><span class="term">
<code class="option">--read-file</code> <em class="replaceable"><code>filename</code></em>,
<code class="option">-j</code> <em class="replaceable"><code>filename</code></em>
</span></dt><dd><p>Read the file <em class="replaceable"><code>filename</code></em> from the card.
The file is written on disk with name <em class="replaceable"><code>filename</code></em>.
User authentication is required for this operation.</p></dd><dt><span class="term">
<code class="option">--reader</code> <em class="replaceable"><code>arg</code></em>,
<code class="option">-r</code> <em class="replaceable"><code>arg</code></em>
</span></dt><dd><p>
Number of the reader to use. By default, the first
reader with a present card is used. If
<em class="replaceable"><code>arg</code></em> is an ATR, the
reader with a matching card will be chosen.
</p></dd><dt><span class="term">
<code class="option">--unblock-pin</code>,
<code class="option">-u</code>
</span></dt><dd><p>Unblocks a PIN stored on the card. Knowledge of the
PIN Unblock Key (PUK) is required for this operation.</p></dd><dt><span class="term">
<code class="option">--verbose</code>
<code class="option">-v</code>
</span></dt><dd><p>Causes <span class="command"><strong>westcos-tool</strong></span> to be more
verbose. Specify this flag several times to enable debug output
in the OpenSC library.</p></dd><dt><span class="term">
<code class="option">--wait</code>,
<code class="option">-w</code>
</span></dt><dd><p>Wait for a card to be inserted.</p></dd><dt><span class="term">
<code class="option">--write-file</code> <em class="replaceable"><code>filename</code></em>,
<code class="option">-k</code> <em class="replaceable"><code>filename</code></em>
</span></dt><dd><p>Put the file with name <em class="replaceable"><code>filename</code></em>
from disk to card.
On the card the file is written in <em class="replaceable"><code>filename</code></em>.
User authentication is required for this operation.</p></dd></dl></div><p>
</p></div><div class="refsect1"><a name="id-1.22.6"></a><h2>Authors</h2><p><span class="command"><strong>westcos-tool</strong></span> was written by
Francois Leblanc <code class="email"><<a class="email" href="mailto:francois.leblanc@cev-sa.com">francois.leblanc@cev-sa.com</a>></code>.</p></div></div></div></body></html>
|
