<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>OpenSC tools</title><meta name="generator" content="DocBook XSL Stylesheets V1.75.1"><style type="text/css"><!--
body {
font-family: Verdana, Arial;
font-size: 0.9em;
}
.title {
font-size: 1.5em;
text-align: center;
}
.toc b {
font-size: 1.2em;
border-bottom: dashed 1px black;
}
a {
color: blue;
text-decoration: none;
}
a:visited {
color: blue;
text-decoration: none;
}
pre.programlisting {
font-size: 1.1em;
background-color: #EEEEEE ;
border: 1px solid #006600 ;
padding: 1em;
}
span.symbol {
font-weight: bold;
}
span.errorname {
font-weight: bold;
}
span.errortext {
font-style: italic;
}
--></style></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="book" title="OpenSC tools"><div class="titlepage"><div><div><h1 class="title"><a name="id556267"></a>OpenSC tools</h1></div></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="reference"><a href="#id556279">I. OpenSC</a></span></dt></dl></div><div class="reference" title="OpenSC"><div class="titlepage"><div><div><h1 class="title"><a name="id556279"></a>OpenSC</h1></div></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="refentrytitle"><a href="#opensc-config">opensc-config</a></span><span class="refpurpose"> — a tool to get information about the installed version of OpenSC</span></dt><dt><span class="refentrytitle"><a href="#opensc-tool">opensc-tool</a></span><span class="refpurpose"> — generic smart card utility</span></dt><dt><span class="refentrytitle"><a href="#opensc-explorer">opensc-explorer</a></span><span class="refpurpose"> —
generic interactive utility for accessing smart card
and similar security token functions
</span></dt><dt><span class="refentrytitle"><a href="#pkcs11-tool">pkcs11-tool</a></span><span class="refpurpose"> — utility for managing and using PKCS #11 security tokens</span></dt><dt><span class="refentrytitle"><a href="#pkcs15-crypt">pkcs15-crypt</a></span><span class="refpurpose"> — perform crypto operations using pkcs15 smart card</span></dt><dt><span class="refentrytitle"><a href="#pkcs15-tool">pkcs15-tool</a></span><span class="refpurpose"> — utility for manipulating PKCS #15 data structures
on smart cards and similar security tokens</span></dt><dt><span class="refentrytitle"><a href="#">pkcs15-init</a></span><span class="refpurpose"> — smart card personalization utility</span></dt><dt><span class="refentrytitle"><a href="#">pkcs15-profile</a></span><span class="refpurpose"> — format of profile for <span class="command"><strong>pkcs15-init</strong></span></span></dt><dt><span class="refentrytitle"><a href="#cardos-tool">cardos-tool</a></span><span class="refpurpose"> — displays information about Card OS-based security tokens or format them
</span></dt><dt><span class="refentrytitle"><a href="#cryptoflex-tool">cryptoflex-tool</a></span><span class="refpurpose"> — utility for manipulating Schlumberger Cryptoflex data structures</span></dt><dt><span class="refentrytitle"><a href="#netkey-tool">netkey-tool</a></span><span class="refpurpose"> — administrative utility for Netkey E4 cards</span></dt><dt><span class="refentrytitle"><a href="#westcos-tool">westcos-tool</a></span><span class="refpurpose"> — utility for manipulating data structure
on westcos smart card and similar security tokens</span></dt></dl></div><div class="refentry" title="opensc-config"><a name="opensc-config"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>opensc-config — a tool to get information about the installed version of OpenSC</p></div><div class="refsect1" title="Synopsis"><a name="id523656"></a><h2>Synopsis</h2><p>
<span class="command"><strong>opensc-config</strong></span> [OPTIONS]
</p></div><div class="refsect1" title="Description"><a name="id523671"></a><h2>Description</h2><p>
<span class="command"><strong>opensc-config</strong></span> is a tool that is used to get various information
about the installed version of OpenSC. It is particularly useful in determining
compiler and linker flags necessary to build programs with the OpenSC libraries.
</p></div><div class="refsect1" title="Options"><a name="id523687"></a><h2>Options</h2><p>
<span class="command"><strong>opensc-config</strong></span> accepts the following options:
</p><div class="variablelist"><dl><dt><span class="term"><code class="option">--version</code></span></dt><dd><p>Print the installed version of OpenSC to standard output.</p></dd><dt><span class="term"><code class="option">--libs</code></span></dt><dd><p>Print the linker flags that are needed to compile a program
to use the OpenSC libraries.</p></dd><dt><span class="term"><code class="option">--cflags</code></span></dt><dd><p>Print the compiler flags that are needed to compile a program
to use the OpenSC libraries.</p></dd><dt><span class="term"><code class="option">--prefix=PREFIX</code></span></dt><dd><p>If specified, use PREFIX instead of the installation
prefix that OpenSC was built with when computing the output
for the <code class="option">--cflags</code>
and <code class="option">--libs</code> options. This option is also used for the exec
prefix if --exec-prefix was not specified. This option must be specified
before any --libs or --cflags options.</p></dd><dt><span class="term"><code class="option">--exec-prefix=PREFIX</code></span></dt><dd><p>If specified, use PREFIX instead of the installation
exec prefix that OpenSC was built with when computing the output for
the <code class="option">--cflags</code> and <code class="option">--libs</code>
options. This option must be specified before any
--libs or --cflags options.</p></dd></dl></div><p>
</p></div><div class="refsect1" title="See also"><a name="id523726"></a><h2>See also</h2><p>opensc(7)</p></div></div><div class="refentry" title="opensc-tool"><div class="refentry.separator"><hr></div><a name="opensc-tool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>opensc-tool — generic smart card utility</p></div><div class="refsect1" title="Synopsis"><a name="id523011"></a><h2>Synopsis</h2><p>
<span class="command"><strong>opensc-tool</strong></span> [OPTIONS]
</p></div><div class="refsect1" title="Description"><a name="id523026"></a><h2>Description</h2><p>
The <span class="command"><strong>opensc-tool</strong></span> utility can be used from the command line to perform
miscellaneous smart card operations such as getting the card ATR or
sending arbitrary APDU commands to a card.
</p></div><div class="refsect1" title="Options"><a name="id523042"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl><dt><span class="term"><code class="option">--atr, -a</code></span></dt><dd><p>Print the Answer To Reset (ATR) of the card,
output is in hex byte format</p></dd><dt><span class="term"><code class="option">--serial</code></span></dt><dd><p>Print the card serial number (normally the ICCSN), output is in hex byte
format</p></dd><dt><span class="term"><code class="option">--send-apdu</code> apdu, <code class="option">-s</code> apdu</span></dt><dd><p>Sends an arbitrary APDU to the card in the format AA:BB:CC:DD:EE:FF...</p></dd><dt><span class="term"><code class="option">--list-files, -f</code></span></dt><dd><p>Recursively lists all files stored on card</p></dd><dt><span class="term"><code class="option">--list-readers, -l</code></span></dt><dd><p>Lists all configured readers</p></dd><dt><span class="term"><code class="option">--list-drivers, -D</code></span></dt><dd><p>Lists all installed card drivers</p></dd><dt><span class="term"><code class="option">--list-rdrivers, -R</code></span></dt><dd><p>Lists all installed reader drivers</p></dd><dt><span class="term"><code class="option">--reader</code> num, <code class="option">-r</code> num</span></dt><dd><p>Use the given reader number. The default is 0, the first reader
in the system.</p></dd><dt><span class="term"><code class="option">--card-driver</code> driver, <code class="option">-c</code> driver</span></dt><dd><p>Use the given card driver. The default is auto-detected.</p></dd><dt><span class="term"><code class="option">--verbose, -v</code></span></dt><dd><p>Causes <span class="command"><strong>opensc-tool</strong></span> to be more verbose. Specify this flag several times
to enable debug output in the opensc library.</p></dd></dl></div><p>
</p></div><div class="refsect1" title="See also"><a name="id524123"></a><h2>See also</h2><p>opensc(7), opensc-explorer(1)</p></div></div><div class="refentry" title="opensc-explorer"><div class="refentry.separator"><hr></div><a name="opensc-explorer"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>opensc-explorer —
generic interactive utility for accessing smart card
and similar security token functions
</p></div><div class="refsect1" title="Synopsis"><a name="id523110"></a><h2>Synopsis</h2><p>
<span class="command"><strong>opensc-explorer</strong></span> [OPTIONS]
</p></div><div class="refsect1" title="Description"><a name="id523125"></a><h2>Description</h2><p>
The <span class="command"><strong>opensc-explorer</strong></span> utility can be
used interactively to perform miscellaneous operations
such as exploring the contents of or sending arbitrary
APDU commands to a smart card or similar security token.
</p></div><div class="refsect1" title="Options"><a name="id523142"></a><h2>Options</h2><p>
The following are the command-line options for
<span class="command"><strong>opensc-explorer</strong></span>. There are additional
interactive commands available once it is running.
</p><div class="variablelist"><dl><dt><span class="term">
<code class="option">--reader</code> num,
<code class="option">-r</code> num
</span></dt><dd><p>
Use the given reader number. The default
is 0, the first reader in the system.
</p></dd><dt><span class="term">
<code class="option">--card-driver</code> driver,
<code class="option">-c</code> driver
</span></dt><dd><p>
Use the given card driver. The default is
auto-detected.
</p></dd><dt><span class="term"><code class="option">--verbose, -v</code></span></dt><dd><p>
Causes <span class="command"><strong>opensc-explorer</strong></span> to be more
verbose. Specify this flag several times to enable
debug output in the opensc library.
</p></dd></dl></div><p>
</p></div><div class="refsect1" title="Commands"><a name="id523216"></a><h2>Commands</h2><p>
The following commands are supported at the <span class="command"><strong>opensc-explorer</strong></span>
interactive prompt.
</p><div class="variablelist"><dl><dt><span class="term"><code class="option">ls</code></span></dt><dd><p>list all files in the current DF</p></dd><dt><span class="term"><code class="option">cd</code> <code class="varname">file-id</code></span></dt><dd><p>change to another DF specified by <code class="varname">file-id</code></p></dd><dt><span class="term"><code class="option">cat</code></span></dt><dd><p>print the contents of the currently selected EF</p></dd><dt><span class="term"><code class="option">info</code> [<code class="varname">file-id</code>]</span></dt><dd><p>display attributes of a file specified by <code class="varname">file-id</code>.
If <code class="varname">file-id</code> is not supplied,
the attributes of the current file are printed.</p></dd><dt><span class="term"><code class="option">create</code> <code class="varname">file-id</code> <code class="varname">size</code></span></dt><dd><p>create a new EF. <code class="varname">file-id</code> specifies the
id number and <code class="varname">size</code> is the size of the new file.
</p></dd><dt><span class="term"><code class="option">delete</code> <code class="varname">file-id</code></span></dt><dd><p>remove the EF or DF specified by <code class="varname">file-id</code></p></dd><dt><span class="term"><code class="option">verify</code> <code class="varname">key-type</code><code class="varname">key-id</code>
[<code class="varname">key</code>]</span></dt><dd><p>present a PIN or key to the card. Where <code class="varname">key-type</code>
can be one of CHV, KEY or PRO. <code class="varname">key-id</code> is a number representing the
key or PIN number. <code class="varname">key</code> is the key or PIN to be verified in hex.
</p><p>
Example: verify CHV0 31:32:33:34:00:00:00:00
</p></dd><dt><span class="term"><code class="option">change CHV</code><code class="varname">id [old-pin] new-pin</code></span></dt><dd><p>change a PIN</p><p>
Example: change CHV0 31:32:33:34:00:00:00:00 'secret'
</p></dd><dt><span class="term"><code class="option">put</code> <code class="varname">file-id</code> [<code class="varname">input</code>]</span></dt><dd><p>copy a local file to the card. The local file is specified
by <code class="varname">input</code> while the card file is specified by <code class="varname">file-id</code>
</p></dd><dt><span class="term"><code class="option">get</code> <code class="varname">file-id</code> [<code class="varname">output</code>]</span></dt><dd><p>copy an EF to a local file. The local file is specified
by <code class="varname">output</code> while the card file is specified by <code class="varname">file-id</code>.
</p></dd><dt><span class="term"><code class="option">mkdir</code> <code class="varname">file-id</code> <code class="varname">size</code></span></dt><dd><p>create a DF. <code class="varname">file-id</code> specifies the id number
and <code class="varname">size</code> is the size of the new file.</p></dd><dt><span class="term"><code class="option">pksign</code></span></dt><dd><p>create a public key signature. NOTE: This command is currently not implemented.
</p></dd><dt><span class="term"><code class="option">pkdecrypt</code></span></dt><dd><p>perform a public key decryption. NOTE: This command is currently not implemented.
</p></dd><dt><span class="term"><code class="option">erase</code></span></dt><dd><p>erase the card, if the card supports it.</p></dd><dt><span class="term"><code class="option">quit</code></span></dt><dd><p>exit the program</p></dd></dl></div><p>
</p></div><div class="refsect1" title="See also"><a name="id565631"></a><h2>See also</h2><p>opensc(7), opensc-tool(1)</p></div></div><div class="refentry" title="pkcs11-tool"><div class="refentry.separator"><hr></div><a name="pkcs11-tool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pkcs11-tool — utility for managing and using PKCS #11 security tokens</p></div><div class="refsect1" title="Synopsis"><a name="id565359"></a><h2>Synopsis</h2><p>
<span class="command"><strong>pkcs11-tool</strong></span> [OPTIONS]
</p></div><div class="refsect1" title="Description"><a name="id565374"></a><h2>Description</h2><p>
The <span class="command"><strong>pkcs11-tool</strong></span> utility is used to manage the
data objects on smart cards and similar PKCS #11 security tokens.
Users can list and read PINs, keys and certificates stored on the
token. User PIN authentication is performed for those operations
that require it.
</p></div><div class="refsect1" title="Options"><a name="id565390"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl><dt><span class="term"><code class="option">--login, -l</code></span></dt><dd><p>Authenticate to the token before performing
other operations. This option is not needed if a PIN is
provided on the command line.</p></dd><dt><span class="term"><code class="option">--pin</code> <code class="varname">pin</code>,
<code class="option">-p</code> <code class="varname">pin</code></span></dt><dd><p>Use the given <code class="varname">pin</code> for
token operations. WARNING: Be careful using this option
as other users may be able to read the command line from
the system or if it is embedded in a script.</p><p>This option will also set
the <code class="option">--login</code> option.</p></dd><dt><span class="term"><code class="option">--so-pin</code> <code class="varname">pin</code></span></dt><dd><p>Use the given <code class="varname">pin</code> as the
Security Officer PIN for some token operations (token
initialization, user PIN initialization, etc). The same
warning as <code class="option">--pin</code> also applies here.</p></dd><dt><span class="term"><code class="option">--init-token</code></span></dt><dd><p>Initializes a token: set the token label as
well as a Security Officer PIN (the label must be specified
using <code class="option">--label</code>).</p></dd><dt><span class="term"><code class="option">--init-pin</code></span></dt><dd><p>Initializes the user PIN. This option
differs from --change-pin in that it sets the user PIN
for the first time. Once set, the user PIN can be changed
using <code class="option">--change-pin</code>.</p></dd><dt><span class="term"><code class="option">--change-pin, -c</code></span></dt><dd><p>Change the user PIN on the token</p></dd><dt><span class="term"><code class="option">--test, -t</code></span></dt><dd><p>Performs some tests on the token. This
option is most useful when used with either <code class="option">--login</code>
or <code class="option">--pin</code>.</p></dd><dt><span class="term"><code class="option">--show-info, -I</code></span></dt><dd><p>Displays general token information.</p></dd><dt><span class="term"><code class="option">--list-slots, -L</code></span></dt><dd><p>Displays a list of available slots on the token.</p></dd><dt><span class="term"><code class="option">--list-mechanisms, -M</code></span></dt><dd><p>Displays a list of mechanisms supported by the token.</p></dd><dt><span class="term"><code class="option">--list-objects, -O</code></span></dt><dd><p>Displays a list of objects.</p></dd><dt><span class="term"><code class="option">--sign, s</code></span></dt><dd><p>Sign some data.</p></dd><dt><span class="term"><code class="option">--hash, -h</code></span></dt><dd><p>Hash some data.</p></dd><dt><span class="term"><code class="option">--mechanism</code> <code class="varname">mechanism</code>,
<code class="option">-m</code> <code class="varname">mechanism</code></span></dt><dd><p>Use the specified <code class="varname">mechanism</code>
for token operations. See <code class="option">-M</code> for a list
of mechanisms supported by your token.</p></dd><dt><span class="term"><code class="option">--keypairgen, -k</code></span></dt><dd><p>Generate a new key pair (public and private pair.)</p></dd><dt><span class="term"><code class="option">--write-object</code> <code class="varname">id</code>,
<code class="option">-w</code> <code class="varname">id</code></span></dt><dd><p>Write a key or certificate object to the token.</p></dd><dt><span class="term"><code class="option">--type</code> <code class="varname">type</code>,
<code class="option">-y</code> <code class="varname">type</code></span></dt><dd><p>Specify the type of object to operate on.
Examples are <span class="emphasis"><em>cert</em></span>, <span class="emphasis"><em>privkey</em></span>
and <span class="emphasis"><em>pubkey</em></span>.</p></dd><dt><span class="term"><code class="option">--id</code> <code class="varname">id</code>,
<code class="option">-d</code> <code class="varname">id</code></span></dt><dd><p>Specify the id of the object to operate on.</p></dd><dt><span class="term"><code class="option">--label</code> <code class="varname">name</code>,
<code class="option">-a</code> <code class="varname">name</code></span></dt><dd><p>Specify the name of the object to operate on
(or the token label when <code class="option">--init-token</code>
is used).</p></dd><dt><span class="term"><code class="option">--slot</code> <code class="varname">id</code></span></dt><dd><p>Specify the id of the slot to use.</p></dd><dt><span class="term"><code class="option">--slot-id</code> <code class="varname">name</code></span></dt><dd><p>Specify the name of the slot to use.</p></dd><dt><span class="term"><code class="option">--set-id</code> <code class="varname">id</code>,
<code class="option">-e</code> <code class="varname">id</code></span></dt><dd><p>Set the CKA_ID of the object.</p></dd><dt><span class="term"><code class="option">--attr-from</code> <code class="varname">path</code></span></dt><dd><p>Extract information from <code class="varname">path</code>
(DER-encoded certificate file) and create the corresponding
attributes when writing an object to the token. Example: the
certificate subject name is used to create the CKA_SUBJECT
attribute.</p></dd><dt><span class="term"><code class="option">--input-file</code> <code class="varname">path</code>,
<code class="option">-i</code> <code class="varname">path</code></span></dt><dd><p>Specify the path to a file for input.</p></dd><dt><span class="term"><code class="option">--output-file</code> <code class="varname">path</code>,
<code class="option">-o</code> <code class="varname">path</code></span></dt><dd><p>Specify the path to a file for output.</p></dd><dt><span class="term"><code class="option">--module</code> <code class="varname">mod</code></span></dt><dd><p>Specify a PKCS#11 module (or library) to
load.</p></dd><dt><span class="term"><code class="option">--moz-cert</code> <code class="varname">path</code>,
<code class="option">-z</code> <code class="varname">path</code></span></dt><dd><p>Tests a Mozilla-like keypair generation
and certificate request. Specify the <code class="varname">path</code>
to the certificate file.</p></dd><dt><span class="term"><code class="option">--verbose, -v</code></span></dt><dd><p>Causes <span class="command"><strong>pkcs11-tool</strong></span> to be
more verbose. Specify this flag several times to enable debug
output in the OpenSC library.</p></dd></dl></div><p>
</p></div><div class="refsect1" title="See also"><a name="id566406"></a><h2>See also</h2><p>opensc(7)</p></div></div><div class="refentry" title="pkcs15-crypt"><div class="refentry.separator"><hr></div><a name="pkcs15-crypt"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pkcs15-crypt — perform crypto operations using pkcs15 smart card</p></div><div class="refsect1" title="Synopsis"><a name="id565805"></a><h2>Synopsis</h2><p>
<span class="command"><strong>pkcs15-crypt</strong></span> [OPTIONS]
</p></div><div class="refsect1" title="Description"><a name="id565820"></a><h2>Description</h2><p>
The <span class="command"><strong>pkcs15-crypt</strong></span> utility can be used from the
command line to perform cryptographic operations such as computing
digital signatures or decrypting data, using keys stored on a PKCS
#15 compliant smart card.
</p></div><div class="refsect1" title="Options"><a name="id565836"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl><dt><span class="term"><code class="option">--sign, -s</code></span></dt><dd><p>Perform digital signature operation on
the data read from a file specified using the <code class="option">input</code>
option. By default, the contents of the file are assumed to
be the result of an MD5 hash operation. Note that <span class="command"><strong>pkcs15-crypt</strong></span>
expects the data in binary representation, not ASCII.</p><p>The digital signature is stored, in binary representation,
in the file specified by the <code class="option">output</code> option. If
this option is not given, the signature is printed on standard
output, displaying non-printable characters using their hex notation
xNN (see also <code class="option">--raw</code>).</p></dd><dt><span class="term"><code class="option">--pkcs1</code></span></dt><dd><p>By default, <span class="command"><strong>pkcs15-crypt</strong></span>
assumes that input data has been padded to the correct length
(i.e. when computing an RSA signature using a 1024 bit key,
the input must be padded to 128 bytes to match the modulus
length). When giving the <code class="option">--pkcs1</code> option,
however, <span class="command"><strong>pkcs15-crypt</strong></span> will perform the
required padding using the algorithm outlined in the
PKCS #1 standard version 1.5.</p></dd><dt><span class="term"><code class="option">--sha-1</code></span></dt><dd><p>This option tells <span class="command"><strong>pkcs15-crypt</strong></span>
that the input file is the result of an SHA1 hash operation,
rather than an MD5 hash. Again, the data must be in binary
representation.</p></dd><dt><span class="term"><code class="option">--decipher, -c</code></span></dt><dd><p>Decrypt the contents of the file specified by
the <code class="option">--input</code> option. The result of the
decryption operation is written to the file specified by the
<code class="option">--output</code> option. If this option is not given,
the decrypted data is printed to standard output, displaying
non-printable characters using their hex notation xNN (see also
<code class="option">--raw</code>).</p></dd><dt><span class="term"><code class="option">--key</code> <code class="varname">id</code>,
<code class="option">-k</code> <code class="varname">id</code></span></dt><dd><p>Selects the ID of the key to use.</p></dd><dt><span class="term"><code class="option">--reader</code> <code class="varname">N</code>,
<code class="option">-r</code> <code class="varname">N</code></span></dt><dd><p>Selects the <code class="varname">N</code>-th smart
card reader configured by the system. If unspecified,
<span class="command"><strong>pkcs15-crypt</strong></span> will use the first reader
found.</p></dd><dt><span class="term"><code class="option">--input</code> <code class="varname">file</code>,
<code class="option">-i</code> <code class="varname">file</code></span></dt><dd><p>Specifies the input file to use.</p></dd><dt><span class="term"><code class="option">--output</code> <code class="varname">file</code>,
<code class="option">-o</code> <code class="varname">file</code></span></dt><dd><p>Any output will be sent to the specified file.</p></dd><dt><span class="term"><code class="option">--raw, -R</code></span></dt><dd><p>Outputs raw 8 bit data.</p></dd><dt><span class="term"><code class="option">--pin</code> <code class="varname">pin</code>,
<code class="option">-p</code> <code class="varname">pin</code></span></dt><dd><p>When the cryptographic operation requires a
PIN to access the key, <span class="command"><strong>pkcs15-crypt</strong></span> will
prompt the user for the PIN on the terminal. Using this option
allows you to specify the PIN on the command line.</p><p>Note that on most operating systems, the command line of
a process can be displayed by any user using the ps(1)
command. It is therefore a security risk to specify
secret information such as PINs on the command line.
If you specify '-' as PIN, it will be read from STDIN.</p></dd><dt><span class="term"><code class="option">--verbose, -v</code></span></dt><dd><p>Causes <span class="command"><strong>pkcs15-crypt</strong></span> to be more
verbose. Specify this flag several times to enable debug output
in the OpenSC library.</p></dd></dl></div><p>
</p></div><div class="refsect1" title="See also"><a name="id566510"></a><h2>See also</h2><p>pkcs15-init(1), pkcs15-tool(1)</p></div></div><div class="refentry" title="pkcs15-tool"><div class="refentry.separator"><hr></div><a name="pkcs15-tool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pkcs15-tool — utility for manipulating PKCS #15 data structures
on smart cards and similar security tokens</p></div><div class="refsect1" title="Synopsis"><a name="id566538"></a><h2>Synopsis</h2><p>
<span class="command"><strong>pkcs15-tool</strong></span> [OPTIONS]
</p></div><div class="refsect1" title="Description"><a name="id566553"></a><h2>Description</h2><p>
The <span class="command"><strong>pkcs15-tool</strong></span> utility is used to manipulate
the PKCS #15 data structures on smart cards and similar security
tokens. Users can list and read PINs, keys and certificates stored
on the token. User PIN authentication is performed for those
operations that require it.
</p></div><div class="refsect1" title="Options"><a name="id566570"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl><dt><span class="term"><code class="option">--learn-card, -L</code></span></dt><dd><p>Cache PKCS #15 token data to the local filesystem.
Subsequent operations are performed on the cached data where possible.
If the cache becomes out-of-sync with the token state (eg. new key is
generated and stored on the token), the cache should be updated or
operations may show stale results.</p></dd><dt><span class="term"><code class="option">--read-certificate</code> <code class="varname">cert</code>,
<code class="option">-r</code> <code class="varname">cert</code></span></dt><dd><p>Reads the certificate with the given id.</p></dd><dt><span class="term"><code class="option">--list-certificates, -c</code></span></dt><dd><p>Lists all certificates stored on the token.</p></dd><dt><span class="term"><code class="option">--list-pins</code></span></dt><dd><p>Lists all PINs stored on the token. General information
about each PIN is listed (eg. PIN name). Actual PIN values are not shown.</p></dd><dt><span class="term"><code class="option">--change-pin</code></span></dt><dd><p>Changes a PIN stored on the token. User authentication
is required for this operation.</p></dd><dt><span class="term"><code class="option">--unblock-pin, -u</code></span></dt><dd><p>Unblocks a PIN stored on the token. Knowledge of the Pin Unblock Key (PUK) is required for this operation.</p></dd><dt><span class="term"><code class="option">--list-keys, -k</code></span></dt><dd><p>Lists all private keys stored on the token. General
information about each private key is listed (eg. key name, id and
algorithm). Actual private key values are not displayed.</p></dd><dt><span class="term"><code class="option">--list-public-keys</code></span></dt><dd><p>Lists all public keys stored on the token, including
key name, id, algorithm and length information.</p></dd><dt><span class="term"><code class="option">--read-public-key</code> <code class="varname">id</code></span></dt><dd><p>Reads the public key with id <code class="varname">id</code>,
allowing the user to extract and store or use the public key.</p></dd><dt><span class="term"><code class="option">--read-ssh-key</code> <code class="varname">id</code></span></dt><dd><p>Reads the public key with id <code class="varname">id</code>,
writing the output in format suitable for $HOME/.ssh/authorized_keys.</p></dd><dt><span class="term"><code class="option">--output</code> <code class="varname">filename</code>,
<code class="option">-o</code> <code class="varname">filename</code></span></dt><dd><p>Specifies where key output should be written.
If <code class="varname">filename</code> already exists, it will be overwritten.
If this option is not given, keys will be printed to standard output.</p></dd><dt><span class="term"><code class="option">--no-cache</code></span></dt><dd><p>Disables token data caching.</p></dd><dt><span class="term"><code class="option">--pin-id</code> <code class="varname">pin</code>,
<code class="option">-a</code> <code class="varname">pin</code></span></dt><dd><p>Specifies the auth id of the PIN to use for the
operation. This is useful with the --change-pin operation.</p></dd><dt><span class="term"><code class="option">--reader</code> <code class="varname">num</code></span></dt><dd><p>Forces <span class="command"><strong>pkcs15-tool</strong></span> to use reader
number <code class="varname">num</code> for operations. The default is to use
reader number 0, the first reader in the system.</p></dd><dt><span class="term"><code class="option">--verbose, -v</code></span></dt><dd><p>Causes <span class="command"><strong>pkcs15-tool</strong></span> to be more
verbose. Specify this flag several times to enable debug output
in the OpenSC library.</p></dd></dl></div><p>
</p></div><div class="refsect1" title="See also"><a name="id566869"></a><h2>See also</h2><p>opensc(7), pkcs15-init(1), pkcs15-crypt(1)</p></div></div><div class="refentry" title="pkcs15-init"><div class="refentry.separator"><hr></div><a name=""></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pkcs15-init — smart card personalization utility</p></div><div class="refsect1" title="Description"><a name="id566897"></a><h2>Description</h2><p>
The <span class="command"><strong>pkcs15-init</strong></span> utility can be used to create a PKCS #15
structure on a smart card, and add key or certificate objects. Details of the
structure that will be created are controlled via profiles.
</p><p>
The profile used by default is <span class="command"><strong>pkcs15</strong></span>. Alternative
profiles can be specified via the <code class="option">-p</code> switch.
</p></div><div class="refsect1" title="PIN Usage"><a name="id566924"></a><h2>PIN Usage</h2><p>
<span class="command"><strong>pkcs15-init</strong></span> can be used to create a PKCS #15 structure on
your smart card, create PINs, and install keys and certificates on the card.
This process is also called <span class="emphasis"><em>personalization</em></span>.
</p><p>
An OpenSC card can have one security officer PIN, and zero or more user PINs.
PIN stands for Personal Identification Number, and is a secret code you need
to present to the card before being allowed to perform certain operations,
such as using one of the stored RSA keys to sign a document, or modifying
the card itself.
</p><p>
Usually, PINs are a sequence of decimal digits, but some cards will accept
arbitrary ASCII characters. Be aware however that using characters other
than digits will make the card unusable with PIN pad readers, because those
usually have keys for entering digits only.
</p><p>
The security officer (SO) PIN is special; it is used to protect meta data
information on the card, such as the PKCS #15 structure itself. Setting
the SO PIN is optional, because the worst that can usually happen is that
someone finding your card can mess it up. To extract any of your secret
keys stored on the card, an attacker will still need your user PIN, at
least for the default OpenSC profiles. However, it is possible to create
card profiles that will allow the security officer to override user PINs.
</p><p>
For each PIN, you can specify a PUK (also called <span class="emphasis"><em>unblock PIN</em></span>).
The PUK can be used to overwrite or unlock a PIN if too many incorrect values
have been entered in a row.
</p></div><div class="refsect1" title="Modes of operation"><a name="id566972"></a><h2>Modes of operation</h2><div class="refsect2" title="Initialization"><a name="id566978"></a><h3>Initialization</h3><p>This is the first step during card personalization, and will create the
basic files on the card. To create the initial PKCS #15 structure, invoke the
utility as
</p><p>
<span class="command"><strong>pkcs15-init --create-pkcs15</strong></span></p><p>
You will then be asked for several the security officer PIN and PUK. Simply
pressing return at the SO PIN prompt will skip installation of an SO PIN.
</p><p>
If the card supports it, you can also request that the card is erased prior
to creating the PKCS #15 structure, by specifying the <code class="option">--erase-card</code>
option.
</p></div><div class="refsect2" title="User PIN Installation"><a name="id567011"></a><h3>User PIN Installation</h3><p>
Before installing any user objects such as private keys, you need at least one
PIN to protect these objects. you can do this using
</p><p>
<span class="command"><strong>pkcs15-init --store-pin --id " nn</strong></span>
</p><p>
where <span class="emphasis"><em>nn</em></span> is a PKCS #15 ID in hexadecimal notation. Common
values are 01, 02, etc.
</p><p>
Entering the command above will ask you for the user's PIN and PUK. If you do
not wish to install an unblock PIN, simply press return at the PUK prompt.
</p><p>
To set a label for this PIN object (which can be used by applications to display
a meaningful prompt to the user), use the <code class="option">--label</code> command line option.
</p></div><div class="refsect2" title="Key generation"><a name="id567050"></a><h3>Key generation</h3><p>
<span class="command"><strong>pkcs15-init</strong></span> lets you generate a new key and store it on the card.
You can do this using:
</p><p>
<span class="command"><strong>pkcs15-init --generate-key " keyspec " --auth-id " nn</strong></span>
</p><p>
where <code class="option">keyspec</code> describes the algorithm and length of the
key to be created, such as <code class="option">rsa/512</code>. This will create a 512 bit
RSA key. Currently, only RSA key generation is supported. Note that cards
usually support just a few different key lengths. Almost all cards will support
512 and 1024 bit keys, some will support 768 or 2048 as well.
</p><p>
<code class="option">nn</code> is the ID of a user PIN installed previously, e.g. 01.
</p><p>
In addition to storing the private portion of the key on the card,
<span class="command"><strong>pkcs15-init</strong></span> will also store the the public portion of the
key as a PKCS #15 public key object.
</p><p>
By default, <span class="command"><strong>pkcs15-init</strong></span> will try to use the card's
on-board key generation facilities, if available. If the card does not
support on-board key generation, <span class="command"><strong>pkcs15-init</strong></span> will fall
back to software key generation.
</p></div><div class="refsect2" title="Private Key Download"><a name="id567113"></a><h3>Private Key Download</h3><p>
You can use a private key generated by other means and download it to the card.
For instance, to download a private key contained in a file named
<span class="emphasis"><em>okir.pem</em></span>, which is in PEM format, you would use
</p><p>
<span class="command"><strong>pkcs15-init --store-private-key okir.pem --id 45 --auth-id 01</strong></span>
</p><p>
If the key is protected by a pass phrase, <span class="command"><strong>pkcs15-init</strong></span>
will prompt you for a pass phrase to unlock the key.
</p><p>
In addition to storing the private portion of the key on the card,
<span class="command"><strong>pkcs15-init</strong></span> will also store the the public portion of the
key as a PKCS #15 public key object.
</p><p>
Note the use of the <code class="option">--id</code> option. The current
<span class="command"><strong>pkcs15</strong></span> profile defines two key templates, one for
authentication (key ID 45), and one for non-repudiation purposes (key ID 46).
Other key templates will probably be added in the future. Note that if you don't
specify a key ID, <span class="command"><strong>pkcs15-init</strong></span> will pick just the first key
template defined by the profile.
</p><p>
In addition to the PEM key file format, <span class="command"><strong>pkcs15-init</strong></span> also
supports DER encoded keys, and PKCS #12 files. The latter is the file format
used by Netscape Navigator (among others) when exporting certificates to
a file. A PKCS #12 file usually contains the X.509 certificate corresponding
to the private key. If that is the case, <span class="command"><strong>pkcs15-init</strong></span> will
store the certificate instead of the public key portion.
</p></div><div class="refsect2" title="Public Key Download"><a name="id567609"></a><h3>Public Key Download</h3><p>
You can also download individual public keys to the card using the
<code class="option">--store-public-key</code> option, which takes a filename as an
argument. This file is supposed to contain the public key. If you don't
specify a key file format using the <code class="option">--format</code> option,
<span class="command"><strong>pkcs15-init</strong></span> will assume PEM format. The only other
supported public key file format is DER.
</p><p>
Since the corresponding public keys are always downloaded automatically
when generating a new key, or when downloading a private key, you will
probably use this option only very rarely.
</p></div><div class="refsect2" title="Certificate Download"><a name="id567637"></a><h3>Certificate Download</h3><p>
You can download certificates to the card using the
<code class="option">--store-certificate</code> option, which takes a filename as
an argument. This file is supposed to contain the DER encoded X.509
certificate.
</p></div><div class="refsect2" title="Downloading PKCS #12 bags"><a name="id567651"></a><h3>Downloading PKCS #12 bags</h3><p>
Most browsers nowadays use PKCS #12 format files when you ask them to
export your key and certificate to a file. <span class="command"><strong>pkcs15-init</strong></span>
is capable of parsing these files, and storing their contents on the
card in a single operation. This works just like storing a private key,
except that you need to specify the file format:
</p><p>
<span class="command"><strong>pkcs15-init --store-private-key okir.p12 --format pkcs12 --auth-id
01</strong></span>
</p><p>
This will install the private key contained in the file <span class="emphasis"><em>okir.p12</em></span>,
and protect it with the PIN referenced by authentication ID <span class="emphasis"><em>01</em></span>.
It will also store any X.509 certificates contained in the file, which is
usually the user certificate that goes with the key, as well as the CA certificate.
</p></div></div><div class="refsect1" title="Options"><a name="id567688"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl><dt><span class="term"><code class="option">--profile</code> <span class="emphasis"><em>name</em></span>,
<code class="option">-p</code> <span class="emphasis"><em>name</em></span></span></dt><dd><p>
Tells <span class="command"><strong>pkcs15-init</strong></span> to load the specified general
profile. Currently, the only application profile defined is
<span class="command"><strong>pkcs15</strong></span>, but you can write your own profiles and
specify them using this option.
</p><p>
The profile name can be combined with one or more <span class="emphasis"><em>profile
options</em></span>, which slightly modify the profile's behavior.
For instance, the default OpenSC profile supports the
<code class="option">openpin</code> option, which installs a single PIN during
card initialization. This PIN is then used both as the SO PIN as
well as the user PIN for all keys stored on the card.
</p><p>
Profile name and options are separated by a <code class="option">+</code>
character, as in <code class="option">pkcs15+onepin</code>.
</p></dd><dt><span class="term"><code class="option">--card-profile</code> <span class="emphasis"><em>name</em></span>,
<code class="option">-c</code> <span class="emphasis"><em>name</em></span></span></dt><dd><p>
Tells <span class="command"><strong>pkcs15-init</strong></span> to load the specified card
profile option. You will rarely need this option.
</p></dd><dt><span class="term"><code class="option">--create-pkcs15, -C</code></span></dt><dd><p>
This tells <span class="command"><strong>pkcs15-init</strong></span> to create a PKCS #15
structure on the card, and initialize any PINs.
</p></dd><dt><span class="term"><code class="option">--erase-card, -E</code></span></dt><dd><p>
This will erase the card prior to creating the PKCS #15 structure,
if the card supports it. If the card does not support erasing,
<span class="command"><strong>pkcs15-init</strong></span> will fail.
</p></dd><dt><span class="term"><code class="option">--generate-key</code> <span class="emphasis"><em>keyspec</em></span>,
<code class="option">-G</code> <span class="emphasis"><em>keyspec</em></span></span></dt><dd><p>
Tells the card to generate new key and store it on the card.
<span class="emphasis"><em>keyspec</em></span> consists of an algorithm name
(currently, the only supported name is <code class="option">RSA</code>),
optionally followed by a slash and the length of the key in bits.
It is a good idea to specify the key ID along with this command,
using the <code class="option">id</code> option.
</p></dd><dt><span class="term"><code class="option">--store-private-key</code> <span class="emphasis"><em>filename</em></span>,
<code class="option">-S</code> <span class="emphasis"><em>filename</em></span></span></dt><dd><p>
Tells <span class="command"><strong>pkcs15-init</strong></span> to download the specified
private key to the card. This command will also create a public
key object containing the public key portion. By default, the
file is assumed to contain the key in PEM format. Alternative
formats can be specified using <code class="option">--format</code>.
It is a good idea to specify the key ID along with this command,
using the <code class="option">--id</code> option.
</p></dd><dt><span class="term"><code class="option">--store-public-key</code> <span class="emphasis"><em>filename</em></span>,
<code class="option">-P</code> <span class="emphasis"><em>filename</em></span></span></dt><dd><p>
Tells <span class="command"><strong>pkcs15-init</strong></span> to download the specified
public key to the card and create a public key object with the
key ID specified via the <code class="option">--id</code>. By default,
the file is assumed to contain the key in PEM format. Alternative
formats can be specified using <code class="option">--format</code>.
</p></dd><dt><span class="term"><code class="option">--store-certificate</code> <span class="emphasis"><em>filename</em></span>,
<code class="option">-X</code> <span class="emphasis"><em>filename</em></span></span></dt><dd><p>
Tells <span class="command"><strong>pkcs15-init</strong></span> to store the certificate given
in <code class="option">filename</code> on the card, creating a certificate
object with the ID specified via the <code class="option">--id</code> option.
The file is assumed to contain the DER encoded certificate.
</p></dd><dt><span class="term"><code class="option">--so-pin, --so-puk, --pin, --puk</code></span></dt><dd><p>
These options can be used to specify PIN/PUK values on the command
line. Note that on most operation systems, any user can display
the command line of any process on the system using utilities such
as <span class="command"><strong>ps(1)</strong></span>. Therefore, you should use these options
only on a secured system, or in an options file specified with
<code class="option">--options-file</code>.
</p></dd><dt><span class="term"><code class="option">--passphrase</code></span></dt><dd><p>
When downloading a private key, this option can be used to specify
the pass phrase to unlock the private key. The same caveat applies
here as in the case of the <code class="option">--pin</code> options.
</p></dd><dt><span class="term"><code class="option">--options-file</code> <span class="emphasis"><em>filename</em></span></span></dt><dd><p>
Tells <span class="command"><strong>pkcs15-init</strong></span> to read additional options
from <span class="emphasis"><em>filename</em></span>. The file is supposed to
contain one long option per line, without the leading dashes,
for instance:
</p><pre class="programlisting">
pin frank
puk zappa
</pre><p>
</p><p>
You can specify <code class="option">--options-file</code> several times.
</p></dd><dt><span class="term"><code class="option">--verbose, -v</code></span></dt><dd><p>
Causes <span class="command"><strong>pkcs15-init</strong></span> to be more verbose. Specify this
flag several times to enable debug output in the OpenSC library.
</p></dd></dl></div><p>
</p></div><div class="refsect1" title="See also"><a name="id568056"></a><h2>See also</h2><p>pkcs15-profile(5)</p></div></div><div class="refentry" title="pkcs15-profile"><div class="refentry.separator"><hr></div><a name=""></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pkcs15-profile — format of profile for <span class="command"><strong>pkcs15-init</strong></span></p></div><div class="refsect1" title="Synopsis"><a name="id523833"></a><h2>Synopsis</h2><p>
<span class="command"><strong></strong></span>
</p></div><div class="refsect1" title="Description"><a name="id524144"></a><h2>Description</h2><p>
The <span class="command"><strong>pkcs15-init</strong></span> utility for PKCS #15 smart card
personalization is controlled via profiles. When starting, it will read two
such profiles at the moment, a generic application profile, and a card
specific profile. The generic profile must be specified on the command line,
while the card-specific file is selected based on the type of card detected.
</p><p>
The generic application profile defines general information about the card
layout, such as the path of the application DF, various PKCS #15 files within
that directory, and the access conditions on these files. It also defines
general information about PIN, key and certificate objects. Currently, there
is only one such generic profile, <span class="command"><strong>pkcs15.profile</strong></span>.
</p><p>
The card specific profile contains additional information required during
card intialization, such as location of PIN files, key references etc.
Profiles currently reside in <span class="command"><strong>@pkgdatadir@</strong></span>
</p></div><div class="refsect1" title="Syntax"><a name="id524692"></a><h2>Syntax</h2><p>
This section should contain information about the profile syntax. Will add
this soonishly.
</p></div><div class="refsect1" title="See also"><a name="id524171"></a><h2>See also</h2><p>
<span class="command"><strong>pkcs15</strong></span>(7), <span class="command"><strong>pkcs15-init</strong></span>(1),
<span class="command"><strong>pkcs15-crypt</strong></span>(1), <span class="command"><strong>opensc</strong></span>(7),
</p></div></div><div class="refentry" title="cardos-tool"><div class="refentry.separator"><hr></div><a name="cardos-tool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>cardos-tool — displays information about Card OS-based security tokens or format them
</p></div><div class="refsect1" title="Synopsis"><a name="id567472"></a><h2>Synopsis</h2><p>
<span class="command"><strong>cardos-tool</strong></span> [OPTIONS]
</p></div><div class="refsect1" title="Description"><a name="id567487"></a><h2>Description</h2><p>
The <span class="command"><strong>cardos-tool</strong></span> utility is used to display information about
smart cards and similar security tokens based on Siemens Card/OS M4.
</p></div><div class="refsect1" title="Options"><a name="id567503"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl><dt><span class="term"><code class="option">--info</code>, <code class="option">-i</code></span></dt><dd><p>Display information about the card or token.</p></dd><dt><span class="term"><code class="option">--format</code>, <code class="option">-f</code></span></dt><dd><p>Format the card or token.</p></dd><dt><span class="term"><code class="option">--reader</code> number, <code class="option">-r</code> number</span></dt><dd><p>Specify the reader number <code class="varname">number</code> to use.
The default is reader 0.</p></dd><dt><span class="term"><code class="option">--card-driver</code> name, <code class="option">-c</code> driver</span></dt><dd><p>Use the card driver specified by <code class="varname">name</code>. The default
is to auto-detect the correct card driver.</p></dd><dt><span class="term"><code class="option">--wait, -w</code></span></dt><dd><p>Causes <span class="command"><strong>cardos-info</strong></span> to wait for the token
to be inserted into reader.</p></dd><dt><span class="term"><code class="option">--verbose, -v</code></span></dt><dd><p>Causes <span class="command"><strong>cardos-info</strong></span> to be more verbose. Specify this flag several times
to enable debug output in the opensc library.</p></dd></dl></div><p>
</p></div><div class="refsect1" title="See also"><a name="id567205"></a><h2>See also</h2><p>opensc(7)</p></div></div><div class="refentry" title="cryptoflex-tool"><div class="refentry.separator"><hr></div><a name="cryptoflex-tool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>cryptoflex-tool — utility for manipulating Schlumberger Cryptoflex data structures</p></div><div class="refsect1" title="Synopsis"><a name="id568084"></a><h2>Synopsis</h2><p>
<span class="command"><strong>cryptoflex-tool</strong></span> [OPTIONS]
</p></div><div class="refsect1" title="Description"><a name="id568099"></a><h2>Description</h2><p>
<span class="command"><strong>cryptoflex-tool</strong></span> is used to manipulate PKCS
data structures on Schlumberger Cryptoflex smart cards. Users
can create, list and read PINs and keys stored on the smart card.
User PIN authentication is performed for those operations that require it.
</p></div><div class="refsect1" title="Options"><a name="id568116"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl><dt><span class="term"><code class="option">--verify-pin, -V</code></span></dt><dd><p>Verifies CHV1 before issuing commands</p></dd><dt><span class="term"><code class="option">--list-keys, -l</code></span></dt><dd><p>Lists all keys stored in a public key file</p></dd><dt><span class="term"><code class="option">--create-key-files</code> <code class="varname">arg</code>,
<code class="option">-c</code> <code class="varname">arg</code></span></dt><dd><p>Creates new RSA key files for <code class="varname">arg</code> keys</p></dd><dt><span class="term"><code class="option">--create-pin-files</code> <code class="varname">id</code>,
<code class="option">-P</code> <code class="varname">id</code></span></dt><dd><p>Creates new PIN file for CHV<code class="varname">id</code></p></dd><dt><span class="term"><code class="option">--generate-key, -g</code></span></dt><dd><p>Generate a new RSA key pair</p></dd><dt><span class="term"><code class="option">--read-key</code></span></dt><dd><p>Reads a public key from the card, allowing the user to
extract and store or use the public key
</p></dd><dt><span class="term"><code class="option">--key-num</code> <code class="varname">num</code>,
<code class="option">-k</code> <code class="varname">num</code></span></dt><dd><p>Specifies the key number to operate on. The default is
key number 1.</p></dd><dt><span class="term"><code class="option">--app-df</code> <code class="varname">num</code>,
<code class="option">-a</code> <code class="varname">num</code></span></dt><dd><p>Specifies the DF to operate in</p></dd><dt><span class="term"><code class="option">--prkey-file</code> <code class="varname">id</code>,
<code class="option">-p</code> <code class="varname">id</code></span></dt><dd><p>Specifies the private key file id, <code class="varname">id</code>,
to use</p></dd><dt><span class="term"><code class="option">--pubkey-file</code> <code class="varname">id</code>,
<code class="option">-u</code> <code class="varname">id</code></span></dt><dd><p>Specifies the public key file id, <code class="varname">id</code>,
to use</p></dd><dt><span class="term"><code class="option">--exponent</code> <code class="varname">exp</code>,
<code class="option">-e</code> <code class="varname">exp</code></span></dt><dd><p>Specifies the RSA exponent, <code class="varname">exp</code>,
to use in key generation. The default value is 3.</p></dd><dt><span class="term"><code class="option">--modulus-length</code> <code class="varname">length</code>,
<code class="option">-m</code> <code class="varname">length</code></span></dt><dd><p>Specifies the modulus <code class="varname">length</code> to use
in key generation. The default value is 1024.</p></dd><dt><span class="term"><code class="option">--reader</code> <code class="varname">num</code>,
<code class="option">-r</code> <code class="varname">num</code></span></dt><dd><p>Forces <span class="command"><strong>cryptoflex-tool</strong></span> to use
reader number <code class="varname">num</code> for operations. The default
is to use reader number 0, the first reader in the system.</p></dd><dt><span class="term"><code class="option">--verbose, -v</code></span></dt><dd><p>Causes <span class="command"><strong>cryptoflex-tool</strong></span> to be more
verbose. Specify this flag several times to enable debug output in
the opensc library.</p></dd></dl></div><p>
</p></div><div class="refsect1" title="See also"><a name="id568396"></a><h2>See also</h2><p>opensc(7), pkcs15-tool(1)</p></div></div><div class="refentry" title="netkey-tool"><div class="refentry.separator"><hr></div><a name="netkey-tool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>netkey-tool — administrative utility for Netkey E4 cards</p></div><div class="refsect1" title="Synopsis"><a name="id568151"></a><h2>Synopsis</h2><p><span class="command"><strong>netkey-tool</strong></span> [OPTIONS] [COMMAND]</p></div><div class="refsect1" title="Description"><a name="id568165"></a><h2>Description</h2><p>The <span class="command"><strong>netkey-tool</strong></span> utility can be used from the
command line to perform some smart card operations with NetKey E4 cards
that cannot be done easily with other OpenSC-tools, such as changing local
PINs, storing certificates into empty NetKey E4 cert-files or displaying
the initial PUK-value.</p></div><div class="refsect1" title="Options"><a name="id568182"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl><dt><span class="term"><code class="option">--help</code>, <code class="option">-h</code></span></dt><dd><p>Displays a short help message.</p></dd><dt><span class="term"><code class="option">--reader</code> number, <code class="option">-r</code> number</span></dt><dd><p>Use smart card in specified reader. Default is reader 0.</p></dd><dt><span class="term"><code class="option">-v</code></span></dt><dd><p>Causes <span class="command"><strong>netkey-tool</strong></span> to be more verbose. This
options may be specified multiple times to increase verbosity.</p></dd><dt><span class="term"><code class="option">--pin</code> pin-value, <code class="option">-p</code> pin-value</span></dt><dd><p>Specifies the current value of the global PIN.</p></dd><dt><span class="term"><code class="option">--puk</code> pin-value, <code class="option">-u</code> pin-value</span></dt><dd><p>Specifies the current value of the global PUK.</p></dd><dt><span class="term"><code class="option">--pin0</code> pin-value, <code class="option">-0</code> pin-value</span></dt><dd><p>Specifies the current value of the local PIN0 (aka local PIN).</p></dd><dt><span class="term"><code class="option">--pin1</code> pin-value, <code class="option">-1</code> pin-value</span></dt><dd><p>Specifies the current value of the local PIN1 (aka local PUK).</p></dd></dl></div><p>
</p></div><div class="refsect1" title="PIN format"><a name="id568460"></a><h2>PIN format</h2><p>With the <code class="option">-p</code>, <code class="option">-u</code>, <code class="option">-0</code> or the <code class="option">-1</code>
one of the cards pins may be specified. You may use plain ascii-strings (i.e. 123456) or a hex-string
(i.e. 31:32:33:34:35:36). A hex-string must consists of exacly n 2-digit hexnumbers separated by n-1 colons.
Otherwise it will be interpreted as an ascii string. For example :12:34: and 1:2:3:4 are both pins of
length 7, while 12:34 and 01:02:03:04 are pins of length 2 and 4.</p></div><div class="refsect1" title="Commands"><a name="id568489"></a><h2>Commands</h2><p>When used without any options or commands, <span class="command"><strong>netkey-tool</strong></span> will
display information about the smart cards pins and certificates. This will not change
your card in any aspect (assumed there are no bugs in <span class="command"><strong>netkey-tool</strong></span>).
In particular the tries-left counters of the pins are investigated without doing
actual pin-verifications.</p><p>If you specify the global PIN via the <code class="option">--pin</code> option,
<span class="command"><strong>netkey-tool</strong></span> will also display the initial value of the cards
global PUK. If your global PUK was changed <span class="command"><strong>netkey-tool</strong></span> will still
diplay its initial value. There's no way to recover a lost global PUK once it was changed.
There's also no way to display the initial value of your global PUK without knowing the
current value of your global PIN. </p><p>For most of the commands that <span class="command"><strong>netkey-tool</strong></span> can execute, you have
to specify one pin. One notable exeption is the <span class="command"><strong>nullpin</strong></span> command, but
this command can only be executed once in the lifetime of a NetKey E4 card.</p><p>
</p><div class="variablelist"><dl><dt><span class="term"><code class="option">unblock</code> { <code class="option">pin</code> | <code class="option">pin0</code> |
<code class="option">pin1</code> }</span></dt><dd><p>This unblocks the specified pin. You must specify another pin
to be able to do this and if you don't specify a correct one,
<span class="command"><strong>netkey-tool</strong></span> will tell you which one is needed.</p></dd><dt><span class="term"><code class="option">change</code> { <code class="option">pin</code> | <code class="option">puk</code> |
<code class="option">pin0</code> | <code class="option">pin1</code> } new-pin</span></dt><dd><p>This changes the value of the specified pin to the given new value.
You must specify either the current value of the pin or another pin to be able to do
this and if you don't specify a correct one, <span class="command"><strong>netkey-tool</strong></span> will tell
you which one is needed.</p></dd><dt><span class="term"><code class="option">nullpin</code> initial-pin</span></dt><dd><p>This command can be executed only if the global PIN of your card is
in nullpin-state. There's no way to return back to nullpin-state once you have changed
your global PIN. You don't need a pin to execute the nullpin-command. After a succesfull
nullpin-command <span class="command"><strong>netkey-tool</strong></span> will display your cards initial
PUK-value.</p></dd><dt><span class="term"><code class="option">cert</code> number filename</span></dt><dd><p>This command will read one of your cards certificates (as specified by
<code class="option">number</code>) and save this certificate into file <code class="option">filename</code>
in PEM-format. Certificates on a NetKey E4 card are readable without a pin, so you don't
have to specify one.</p></dd><dt><span class="term"><code class="option">cert</code> filename number</span></dt><dd><p>This command will read the first PEM-encoded certificate from file
<code class="option">filename</code> and store this into your smart cards certificate file
<code class="option">number</code>. Some of your smart cards certificate files might be readonly, so
this will not work with all values of <code class="option">number</code>. If a certificate file is
writable you must specify a pin in order to change it. If you try to use this command
without specifying a pin, <span class="command"><strong>netkey-tool</strong></span> will tell you which one is
needed.</p></dd></dl></div><p>
</p></div><div class="refsect1" title="See also"><a name="id568873"></a><h2>See also</h2><p>opensc(7), opensc-explorer(1)</p></div><div class="refsect1" title="Authors"><a name="id568882"></a><h2>Authors</h2><p><span class="command"><strong>netkey-tool</strong></span> was written by
Peter Koch <code class="email"><<a class="email" href="mailto:pk_opensc@web.de">pk_opensc@web.de</a>></code>.</p></div></div><div class="refentry" title="westcos-tool"><div class="refentry.separator"><hr></div><a name="westcos-tool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>westcos-tool — utility for manipulating data structure
on westcos smart card and similar security tokens</p></div><div class="refsect1" title="Synopsis"><a name="id568577"></a><h2>Synopsis</h2><p>
<span class="command"><strong>westcos-tool</strong></span> [OPTIONS]
</p></div><div class="refsect1" title="Description"><a name="id568592"></a><h2>Description</h2><p>
The <span class="command"><strong>westcos-tool</strong></span> utility is used to manipulate
the westcos data structures on 2 Ko smart cards. Users can create PINs,
keys and certificates stored on the token. User PIN authentication is
performed for those operations that require it.
</p></div><div class="refsect1" title="Options"><a name="id568609"></a><h2>Options</h2><p>
</p><div class="variablelist"><dl><dt><span class="term"><code class="option">-G</code></span></dt><dd><p>Generate a private key on smart card. The smart card must be
not finalized and pin installed (ig. file for pin must be created, see option
-i). By default key length is 1536 bits. User authentication is required for
this operation. </p></dd><dt><span class="term"><code class="option">-L</code> <code class="varname">length</code></span></dt><dd><p>Change the length of private key, use with <code class="option">-G</code>.
</p></dd><dt><span class="term"><code class="option">-i</code></span></dt><dd><p>Install pin file in token, you must provide pin value
with <code class="option">-pin</code>.</p></dd><dt><span class="term"><code class="option">-pin</code> <code class="varname">value</code></span></dt><dd><p>set value of pin.</p></dd><dt><span class="term"><code class="option">-puk</code> <code class="varname">value</code></span></dt><dd><p>set value of puk (or value of new pin for change pin
command see <code class="option">-n</code>).</p></dd><dt><span class="term"><code class="option">-n</code></span></dt><dd><p>Changes a PIN stored on the token. User authentication
is required for this operation.</p></dd><dt><span class="term"><code class="option">-u</code></span></dt><dd><p>Unblocks a PIN stored on the token. Knowledge of the Pin
Unblock Key (PUK) is required for this operation.</p></dd><dt><span class="term"><code class="option">-cert</code> <code class="varname">file</code> </span></dt><dd><p>Write certificate <code class="varname">file</code> in pem format on the
card. User authentication is required for this operation.</p></dd><dt><span class="term"><code class="option">-F</code></span></dt><dd><p>Finalize the card, once finalize default key is invalidate so pin and puk
can'be changed anymore without user authentification. Warning, smart cards not finalized are
unsecure because pin can be changed without user authentification (knowledge of default key
is enougth).</p></dd><dt><span class="term"><code class="option">-r</code> <code class="varname">n</code></span></dt><dd><p>Forces <span class="command"><strong>westcos-tool</strong></span> to use reader
number <code class="varname">n</code> for operations.</p></dd><dt><span class="term"><code class="option">-gf</code> <code class="varname">path</code></span></dt><dd><p>Get the file <code class="varname">path</code> the file is written
on disk with <code class="varname">path</code> name. User authentication
is required for this operation.</p></dd><dt><span class="term"><code class="option">-pf</code> <code class="varname">path</code></span></dt><dd><p>Put the file with name <code class="varname">path</code> from disk
to card the file is written in <code class="varname">path</code>. User authentication
is required for this operation.</p></dd><dt><span class="term"><code class="option">-v</code></span></dt><dd><p>Causes <span class="command"><strong>westcos-tool</strong></span> to be more
verbose. Specify this flag several times to enable debug output
in the OpenSC library.</p></dd><dt><span class="term"><code class="option">-h</code></span></dt><dd><p>Print help message on screen.</p></dd></dl></div><p>
</p></div><div class="refsect1" title="See also"><a name="id569156"></a><h2>See also</h2><p>opensc(7)</p></div><div class="refsect1" title="Authors"><a name="id569165"></a><h2>Authors</h2><p><span class="command"><strong>westcos-tool</strong></span> was written by
Francois Leblanc <code class="email"><<a class="email" href="mailto:francois.leblanc@cev-sa.com">francois.leblanc@cev-sa.com</a>></code>.</p></div></div></div></div></body></html>
distrib
>
Fedora
>
13
>
x86_64
>
media
>
updates
>
by-pkgid
>
64d7525dee9596ae0eae9ecd4241861b
>
files
>
33
