Table of Contents
Table of Contents
opensc-config — a tool to get information about the installed version of OpenSC
opensc-config is a tool that is used to get various information about the installed version of OpenSC. It is particularly useful in determining compiler and linker flags necessary to build programs with the OpenSC libraries.
opensc-config accepts the following options:
--version
Print the installed version of OpenSC to standard output.
--libs
Print the linker flags that are needed to compile a program to use the OpenSC libraries.
--cflags
Print the compiler flags that are needed to compile a program to use the OpenSC libraries.
--prefix=PREFIX
If specified, use PREFIX instead of the installation
prefix that OpenSC was built with when computing the output
for the --cflags
and --libs
options. This option is also used for the exec
prefix if --exec-prefix was not specified. This option must be specified
before any --libs or --cflags options.
--exec-prefix=PREFIX
If specified, use PREFIX instead of the installation
exec prefix that OpenSC was built with when computing the output for
the --cflags
and --libs
options. This option must be specified before any
--libs or --cflags options.
opensc-tool — generic smart card utility
The opensc-tool utility can be used from the command line to perform miscellaneous smart card operations such as getting the card ATR or sending arbitrary APDU commands to a card.
--atr, -a
Print the Answer To Reset (ATR) of the card, output is in hex byte format
--serial
Print the card serial number (normally the ICCSN), output is in hex byte format
--send-apdu
apdu, -s
apduSends an arbitrary APDU to the card in the format AA:BB:CC:DD:EE:FF...
--list-files, -f
Recursively lists all files stored on card
--list-readers, -l
Lists all configured readers
--list-drivers, -D
Lists all installed card drivers
--list-rdrivers, -R
Lists all installed reader drivers
--reader
num, -r
numUse the given reader number. The default is 0, the first reader in the system.
--card-driver
driver, -c
driverUse the given card driver. The default is auto-detected.
--verbose, -v
Causes opensc-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.
opensc-explorer — generic interactive utility for accessing smart card and similar security token functions
The opensc-explorer utility can be used interactively to perform miscellaneous operations such as exploring the contents of or sending arbitrary APDU commands to a smart card or similar security token.
The following are the command-line options for opensc-explorer. There are additional interactive commands available once it is running.
--reader
num,
-r
num
Use the given reader number. The default is 0, the first reader in the system.
--card-driver
driver,
-c
driver
Use the given card driver. The default is auto-detected.
--verbose, -v
Causes opensc-explorer to be more verbose. Specify this flag several times to enable debug output in the opensc library.
The following commands are supported at the opensc-explorer interactive prompt.
ls
list all files in the current DF
cd
file-id
change to another DF specified by file-id
cat
print the contents of the currently selected EF
info
[file-id
]display attributes of a file specified by file-id
.
If file-id
is not supplied,
the attributes of the current file are printed.
create
file-id
size
create a new EF. file-id
specifies the
id number and size
is the size of the new file.
delete
file-id
remove the EF or DF specified by file-id
verify
key-type
key-id
[key
]present a PIN or key to the card. Where key-type
can be one of CHV, KEY or PRO. key-id
is a number representing the
key or PIN number. key
is the key or PIN to be verified in hex.
Example: verify CHV0 31:32:33:34:00:00:00:00
change CHV
id [old-pin] new-pin
change a PIN
Example: change CHV0 31:32:33:34:00:00:00:00 'secret'
put
file-id
[input
]copy a local file to the card. The local file is specified
by input
while the card file is specified by file-id
get
file-id
[output
]copy an EF to a local file. The local file is specified
by output
while the card file is specified by file-id
.
mkdir
file-id
size
create a DF. file-id
specifies the id number
and size
is the size of the new file.
pksign
create a public key signature. NOTE: This command is currently not implemented.
pkdecrypt
perform a public key decryption. NOTE: This command is currently not implemented.
erase
erase the card, if the card supports it.
quit
exit the program
pkcs11-tool — utility for managing and using PKCS #11 security tokens
The pkcs11-tool utility is used to manage the data objects on smart cards and similar PKCS #11 security tokens. Users can list and read PINs, keys and certificates stored on the token. User PIN authentication is performed for those operations that require it.
--login, -l
Authenticate to the token before performing other operations. This option is not needed if a PIN is provided on the command line.
--pin
pin
,
-p
pin
Use the given pin
for
token operations. WARNING: Be careful using this option
as other users may be able to read the command line from
the system or if it is embedded in a script.
This option will also set
the --login
option.
--so-pin
pin
Use the given pin
as the
Security Officer PIN for some token operations (token
initialization, user PIN initialization, etc). The same
warning as --pin
also applies here.
--init-token
Initializes a token: set the token label as
well as a Security Officer PIN (the label must be specified
using --label
).
--init-pin
Initializes the user PIN. This option
differs from --change-pin in that it sets the user PIN
for the first time. Once set, the user PIN can be changed
using --change-pin
.
--change-pin, -c
Change the user PIN on the token
--test, -t
Performs some tests on the token. This
option is most useful when used with either --login
or --pin
.
--show-info, -I
Displays general token information.
--list-slots, -L
Displays a list of available slots on the token.
--list-mechanisms, -M
Displays a list of mechanisms supported by the token.
--list-objects, -O
Displays a list of objects.
--sign, s
Sign some data.
--hash, -h
Hash some data.
--mechanism
mechanism
,
-m
mechanism
Use the specified mechanism
for token operations. See -M
for a list
of mechanisms supported by your token.
--keypairgen, -k
Generate a new key pair (public and private pair.)
--write-object
id
,
-w
id
Write a key or certificate object to the token.
--type
type
,
-y
type
Specify the type of object to operate on. Examples are cert, privkey and pubkey.
--id
id
,
-d
id
Specify the id of the object to operate on.
--label
name
,
-a
name
Specify the name of the object to operate on
(or the token label when --init-token
is used).
--slot
id
Specify the id of the slot to use.
--slot-id
name
Specify the name of the slot to use.
--set-id
id
,
-e
id
Set the CKA_ID of the object.
--attr-from
path
Extract information from path
(DER-encoded certificate file) and create the corresponding
attributes when writing an object to the token. Example: the
certificate subject name is used to create the CKA_SUBJECT
attribute.
--input-file
path
,
-i
path
Specify the path to a file for input.
--output-file
path
,
-o
path
Specify the path to a file for output.
--module
mod
Specify a PKCS#11 module (or library) to load.
--moz-cert
path
,
-z
path
Tests a Mozilla-like keypair generation
and certificate request. Specify the path
to the certificate file.
--verbose, -v
Causes pkcs11-tool to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.
pkcs15-crypt — perform crypto operations using pkcs15 smart card
The pkcs15-crypt utility can be used from the command line to perform cryptographic operations such as computing digital signatures or decrypting data, using keys stored on a PKCS #15 compliant smart card.
--sign, -s
Perform digital signature operation on
the data read from a file specified using the input
option. By default, the contents of the file are assumed to
be the result of an MD5 hash operation. Note that pkcs15-crypt
expects the data in binary representation, not ASCII.
The digital signature is stored, in binary representation,
in the file specified by the output
option. If
this option is not given, the signature is printed on standard
output, displaying non-printable characters using their hex notation
xNN (see also --raw
).
--pkcs1
By default, pkcs15-crypt
assumes that input data has been padded to the correct length
(i.e. when computing an RSA signature using a 1024 bit key,
the input must be padded to 128 bytes to match the modulus
length). When giving the --pkcs1
option,
however, pkcs15-crypt will perform the
required padding using the algorithm outlined in the
PKCS #1 standard version 1.5.
--sha-1
This option tells pkcs15-crypt that the input file is the result of an SHA1 hash operation, rather than an MD5 hash. Again, the data must be in binary representation.
--decipher, -c
Decrypt the contents of the file specified by
the --input
option. The result of the
decryption operation is written to the file specified by the
--output
option. If this option is not given,
the decrypted data is printed to standard output, displaying
non-printable characters using their hex notation xNN (see also
--raw
).
--key
id
,
-k
id
Selects the ID of the key to use.
--reader
N
,
-r
N
Selects the N
-th smart
card reader configured by the system. If unspecified,
pkcs15-crypt will use the first reader
found.
--input
file
,
-i
file
Specifies the input file to use.
--output
file
,
-o
file
Any output will be sent to the specified file.
--raw, -R
Outputs raw 8 bit data.
--pin
pin
,
-p
pin
When the cryptographic operation requires a PIN to access the key, pkcs15-crypt will prompt the user for the PIN on the terminal. Using this option allows you to specify the PIN on the command line.
Note that on most operating systems, the command line of a process can be displayed by any user using the ps(1) command. It is therefore a security risk to specify secret information such as PINs on the command line. If you specify '-' as PIN, it will be read from STDIN.
--verbose, -v
Causes pkcs15-crypt to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.
pkcs15-tool — utility for manipulating PKCS #15 data structures on smart cards and similar security tokens
The pkcs15-tool utility is used to manipulate the PKCS #15 data structures on smart cards and similar security tokens. Users can list and read PINs, keys and certificates stored on the token. User PIN authentication is performed for those operations that require it.
--learn-card, -L
Cache PKCS #15 token data to the local filesystem. Subsequent operations are performed on the cached data where possible. If the cache becomes out-of-sync with the token state (eg. new key is generated and stored on the token), the cache should be updated or operations may show stale results.
--read-certificate
cert
,
-r
cert
Reads the certificate with the given id.
--list-certificates, -c
Lists all certificates stored on the token.
--list-pins
Lists all PINs stored on the token. General information about each PIN is listed (eg. PIN name). Actual PIN values are not shown.
--change-pin
Changes a PIN stored on the token. User authentication is required for this operation.
--unblock-pin, -u
Unblocks a PIN stored on the token. Knowledge of the Pin Unblock Key (PUK) is required for this operation.
--list-keys, -k
Lists all private keys stored on the token. General information about each private key is listed (eg. key name, id and algorithm). Actual private key values are not displayed.
--list-public-keys
Lists all public keys stored on the token, including key name, id, algorithm and length information.
--read-public-key
id
Reads the public key with id id
,
allowing the user to extract and store or use the public key.
--read-ssh-key
id
Reads the public key with id id
,
writing the output in format suitable for $HOME/.ssh/authorized_keys.
--output
filename
,
-o
filename
Specifies where key output should be written.
If filename
already exists, it will be overwritten.
If this option is not given, keys will be printed to standard output.
--no-cache
Disables token data caching.
--pin-id
pin
,
-a
pin
Specifies the auth id of the PIN to use for the operation. This is useful with the --change-pin operation.
--reader
num
Forces pkcs15-tool to use reader
number num
for operations. The default is to use
reader number 0, the first reader in the system.
--verbose, -v
Causes pkcs15-tool to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.
pkcs15-init — smart card personalization utility
The pkcs15-init utility can be used to create a PKCS #15 structure on a smart card, and add key or certificate objects. Details of the structure that will be created are controlled via profiles.
The profile used by default is pkcs15. Alternative
profiles can be specified via the -p
switch.
pkcs15-init can be used to create a PKCS #15 structure on your smart card, create PINs, and install keys and certificates on the card. This process is also called personalization.
An OpenSC card can have one security officer PIN, and zero or more user PINs. PIN stands for Personal Identification Number, and is a secret code you need to present to the card before being allowed to perform certain operations, such as using one of the stored RSA keys to sign a document, or modifying the card itself.
Usually, PINs are a sequence of decimal digits, but some cards will accept arbitrary ASCII characters. Be aware however that using characters other than digits will make the card unusable with PIN pad readers, because those usually have keys for entering digits only.
The security officer (SO) PIN is special; it is used to protect meta data information on the card, such as the PKCS #15 structure itself. Setting the SO PIN is optional, because the worst that can usually happen is that someone finding your card can mess it up. To extract any of your secret keys stored on the card, an attacker will still need your user PIN, at least for the default OpenSC profiles. However, it is possible to create card profiles that will allow the security officer to override user PINs.
For each PIN, you can specify a PUK (also called unblock PIN). The PUK can be used to overwrite or unlock a PIN if too many incorrect values have been entered in a row.
This is the first step during card personalization, and will create the basic files on the card. To create the initial PKCS #15 structure, invoke the utility as
pkcs15-init --create-pkcs15
You will then be asked for several the security officer PIN and PUK. Simply pressing return at the SO PIN prompt will skip installation of an SO PIN.
If the card supports it, you can also request that the card is erased prior
to creating the PKCS #15 structure, by specifying the --erase-card
option.
Before installing any user objects such as private keys, you need at least one PIN to protect these objects. you can do this using
pkcs15-init --store-pin --id " nn
where nn is a PKCS #15 ID in hexadecimal notation. Common values are 01, 02, etc.
Entering the command above will ask you for the user's PIN and PUK. If you do not wish to install an unblock PIN, simply press return at the PUK prompt.
To set a label for this PIN object (which can be used by applications to display
a meaningful prompt to the user), use the --label
command line option.
pkcs15-init lets you generate a new key and store it on the card. You can do this using:
pkcs15-init --generate-key " keyspec " --auth-id " nn
where keyspec
describes the algorithm and length of the
key to be created, such as rsa/512
. This will create a 512 bit
RSA key. Currently, only RSA key generation is supported. Note that cards
usually support just a few different key lengths. Almost all cards will support
512 and 1024 bit keys, some will support 768 or 2048 as well.
nn
is the ID of a user PIN installed previously, e.g. 01.
In addition to storing the private portion of the key on the card, pkcs15-init will also store the the public portion of the key as a PKCS #15 public key object.
By default, pkcs15-init will try to use the card's on-board key generation facilities, if available. If the card does not support on-board key generation, pkcs15-init will fall back to software key generation.
You can use a private key generated by other means and download it to the card. For instance, to download a private key contained in a file named okir.pem, which is in PEM format, you would use
pkcs15-init --store-private-key okir.pem --id 45 --auth-id 01
If the key is protected by a pass phrase, pkcs15-init will prompt you for a pass phrase to unlock the key.
In addition to storing the private portion of the key on the card, pkcs15-init will also store the the public portion of the key as a PKCS #15 public key object.
Note the use of the --id
option. The current
pkcs15 profile defines two key templates, one for
authentication (key ID 45), and one for non-repudiation purposes (key ID 46).
Other key templates will probably be added in the future. Note that if you don't
specify a key ID, pkcs15-init will pick just the first key
template defined by the profile.
In addition to the PEM key file format, pkcs15-init also supports DER encoded keys, and PKCS #12 files. The latter is the file format used by Netscape Navigator (among others) when exporting certificates to a file. A PKCS #12 file usually contains the X.509 certificate corresponding to the private key. If that is the case, pkcs15-init will store the certificate instead of the public key portion.
You can also download individual public keys to the card using the
--store-public-key
option, which takes a filename as an
argument. This file is supposed to contain the public key. If you don't
specify a key file format using the --format
option,
pkcs15-init will assume PEM format. The only other
supported public key file format is DER.
Since the corresponding public keys are always downloaded automatically when generating a new key, or when downloading a private key, you will probably use this option only very rarely.
You can download certificates to the card using the
--store-certificate
option, which takes a filename as
an argument. This file is supposed to contain the DER encoded X.509
certificate.
Most browsers nowadays use PKCS #12 format files when you ask them to export your key and certificate to a file. pkcs15-init is capable of parsing these files, and storing their contents on the card in a single operation. This works just like storing a private key, except that you need to specify the file format:
pkcs15-init --store-private-key okir.p12 --format pkcs12 --auth-id 01
This will install the private key contained in the file okir.p12, and protect it with the PIN referenced by authentication ID 01. It will also store any X.509 certificates contained in the file, which is usually the user certificate that goes with the key, as well as the CA certificate.
--profile
name,
-p
nameTells pkcs15-init to load the specified general profile. Currently, the only application profile defined is pkcs15, but you can write your own profiles and specify them using this option.
The profile name can be combined with one or more profile
options, which slightly modify the profile's behavior.
For instance, the default OpenSC profile supports the
openpin
option, which installs a single PIN during
card initialization. This PIN is then used both as the SO PIN as
well as the user PIN for all keys stored on the card.
Profile name and options are separated by a +
character, as in pkcs15+onepin
.
--card-profile
name,
-c
nameTells pkcs15-init to load the specified card profile option. You will rarely need this option.
--create-pkcs15, -C
This tells pkcs15-init to create a PKCS #15 structure on the card, and initialize any PINs.
--erase-card, -E
This will erase the card prior to creating the PKCS #15 structure, if the card supports it. If the card does not support erasing, pkcs15-init will fail.
--generate-key
keyspec,
-G
keyspec
Tells the card to generate new key and store it on the card.
keyspec consists of an algorithm name
(currently, the only supported name is RSA
),
optionally followed by a slash and the length of the key in bits.
It is a good idea to specify the key ID along with this command,
using the id
option.
--store-private-key
filename,
-S
filename
Tells pkcs15-init to download the specified
private key to the card. This command will also create a public
key object containing the public key portion. By default, the
file is assumed to contain the key in PEM format. Alternative
formats can be specified using --format
.
It is a good idea to specify the key ID along with this command,
using the --id
option.
--store-public-key
filename,
-P
filename
Tells pkcs15-init to download the specified
public key to the card and create a public key object with the
key ID specified via the --id
. By default,
the file is assumed to contain the key in PEM format. Alternative
formats can be specified using --format
.
--store-certificate
filename,
-X
filename
Tells pkcs15-init to store the certificate given
in filename
on the card, creating a certificate
object with the ID specified via the --id
option.
The file is assumed to contain the DER encoded certificate.
--so-pin, --so-puk, --pin, --puk
These options can be used to specify PIN/PUK values on the command
line. Note that on most operation systems, any user can display
the command line of any process on the system using utilities such
as ps(1). Therefore, you should use these options
only on a secured system, or in an options file specified with
--options-file
.
--passphrase
When downloading a private key, this option can be used to specify
the pass phrase to unlock the private key. The same caveat applies
here as in the case of the --pin
options.
--options-file
filenameTells pkcs15-init to read additional options from filename. The file is supposed to contain one long option per line, without the leading dashes, for instance:
pin frank puk zappa
You can specify --options-file
several times.
--verbose, -v
Causes pkcs15-init to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.
pkcs15-profile — format of profile for pkcs15-init
The pkcs15-init utility for PKCS #15 smart card personalization is controlled via profiles. When starting, it will read two such profiles at the moment, a generic application profile, and a card specific profile. The generic profile must be specified on the command line, while the card-specific file is selected based on the type of card detected.
The generic application profile defines general information about the card layout, such as the path of the application DF, various PKCS #15 files within that directory, and the access conditions on these files. It also defines general information about PIN, key and certificate objects. Currently, there is only one such generic profile, pkcs15.profile.
The card specific profile contains additional information required during card intialization, such as location of PIN files, key references etc. Profiles currently reside in @pkgdatadir@
cardos-tool — displays information about Card OS-based security tokens or format them
The cardos-tool utility is used to display information about smart cards and similar security tokens based on Siemens Card/OS M4.
--info
, -i
Display information about the card or token.
--format
, -f
Format the card or token.
--reader
number, -r
numberSpecify the reader number number
to use.
The default is reader 0.
--card-driver
name, -c
driverUse the card driver specified by name
. The default
is to auto-detect the correct card driver.
--wait, -w
Causes cardos-info to wait for the token to be inserted into reader.
--verbose, -v
Causes cardos-info to be more verbose. Specify this flag several times to enable debug output in the opensc library.
cryptoflex-tool — utility for manipulating Schlumberger Cryptoflex data structures
cryptoflex-tool is used to manipulate PKCS data structures on Schlumberger Cryptoflex smart cards. Users can create, list and read PINs and keys stored on the smart card. User PIN authentication is performed for those operations that require it.
--verify-pin, -V
Verifies CHV1 before issuing commands
--list-keys, -l
Lists all keys stored in a public key file
--create-key-files
arg
,
-c
arg
Creates new RSA key files for arg
keys
--create-pin-files
id
,
-P
id
Creates new PIN file for CHVid
--generate-key, -g
Generate a new RSA key pair
--read-key
Reads a public key from the card, allowing the user to extract and store or use the public key
--key-num
num
,
-k
num
Specifies the key number to operate on. The default is key number 1.
--app-df
num
,
-a
num
Specifies the DF to operate in
--prkey-file
id
,
-p
id
Specifies the private key file id, id
,
to use
--pubkey-file
id
,
-u
id
Specifies the public key file id, id
,
to use
--exponent
exp
,
-e
exp
Specifies the RSA exponent, exp
,
to use in key generation. The default value is 3.
--modulus-length
length
,
-m
length
Specifies the modulus length
to use
in key generation. The default value is 1024.
--reader
num
,
-r
num
Forces cryptoflex-tool to use
reader number num
for operations. The default
is to use reader number 0, the first reader in the system.
--verbose, -v
Causes cryptoflex-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.
netkey-tool — administrative utility for Netkey E4 cards
The netkey-tool utility can be used from the command line to perform some smart card operations with NetKey E4 cards that cannot be done easily with other OpenSC-tools, such as changing local PINs, storing certificates into empty NetKey E4 cert-files or displaying the initial PUK-value.
--help
, -h
Displays a short help message.
--reader
number, -r
numberUse smart card in specified reader. Default is reader 0.
-v
Causes netkey-tool to be more verbose. This options may be specified multiple times to increase verbosity.
--pin
pin-value, -p
pin-valueSpecifies the current value of the global PIN.
--puk
pin-value, -u
pin-valueSpecifies the current value of the global PUK.
--pin0
pin-value, -0
pin-valueSpecifies the current value of the local PIN0 (aka local PIN).
--pin1
pin-value, -1
pin-valueSpecifies the current value of the local PIN1 (aka local PUK).
With the -p
, -u
, -0
or the -1
one of the cards pins may be specified. You may use plain ascii-strings (i.e. 123456) or a hex-string
(i.e. 31:32:33:34:35:36). A hex-string must consists of exacly n 2-digit hexnumbers separated by n-1 colons.
Otherwise it will be interpreted as an ascii string. For example :12:34: and 1:2:3:4 are both pins of
length 7, while 12:34 and 01:02:03:04 are pins of length 2 and 4.
When used without any options or commands, netkey-tool will display information about the smart cards pins and certificates. This will not change your card in any aspect (assumed there are no bugs in netkey-tool). In particular the tries-left counters of the pins are investigated without doing actual pin-verifications.
If you specify the global PIN via the --pin
option,
netkey-tool will also display the initial value of the cards
global PUK. If your global PUK was changed netkey-tool will still
diplay its initial value. There's no way to recover a lost global PUK once it was changed.
There's also no way to display the initial value of your global PUK without knowing the
current value of your global PIN.
For most of the commands that netkey-tool can execute, you have to specify one pin. One notable exeption is the nullpin command, but this command can only be executed once in the lifetime of a NetKey E4 card.
unblock
{ pin
| pin0
|
pin1
}This unblocks the specified pin. You must specify another pin to be able to do this and if you don't specify a correct one, netkey-tool will tell you which one is needed.
change
{ pin
| puk
|
pin0
| pin1
} new-pinThis changes the value of the specified pin to the given new value. You must specify either the current value of the pin or another pin to be able to do this and if you don't specify a correct one, netkey-tool will tell you which one is needed.
nullpin
initial-pinThis command can be executed only if the global PIN of your card is in nullpin-state. There's no way to return back to nullpin-state once you have changed your global PIN. You don't need a pin to execute the nullpin-command. After a succesfull nullpin-command netkey-tool will display your cards initial PUK-value.
cert
number filenameThis command will read one of your cards certificates (as specified by
number
) and save this certificate into file filename
in PEM-format. Certificates on a NetKey E4 card are readable without a pin, so you don't
have to specify one.
cert
filename numberThis command will read the first PEM-encoded certificate from file
filename
and store this into your smart cards certificate file
number
. Some of your smart cards certificate files might be readonly, so
this will not work with all values of number
. If a certificate file is
writable you must specify a pin in order to change it. If you try to use this command
without specifying a pin, netkey-tool will tell you which one is
needed.