piv-tool(1) [debian man page]

PIV-TOOL(1)							   OpenSC tools 						       PIV-TOOL(1)

NAME
       piv-tool - smart card utility for HSPD-12 PIV cards

SYNOPSIS
       piv-tool [OPTIONS]

DESCRIPTION
       The piv-tool utility can be used from the command line to perform miscellaneous smart card operations on an HSPD-12 PIV smart card as defined in NIST 800-73-3. It is intended for use with test cards only. It can be used to load objects and generate key pairs, as well as send arbitrary APDU commands to a card after having authenticated to the card using the card key provided by the card vendor.

OPTIONS
       --serial
           Print the derived card serial number from the CHUID object, if any. Output is in hex byte format.

       --name, -n
           Print the name of the inserted card (driver).

       --admin argument, -A argument
           Authenticate to the card using a 2DES or 3DES key. An argument {A|M}:{ref}:{alg} is required, where A uses "EXTERNAL AUTHENTICATION" and M uses "MUTUAL AUTHENTICATION". ref is normally 9B, and alg is 03 for 3DES. The key is provided by the card vendor, and the environment variable PIV_EXT_AUTH_KEY must point to a text file with the key in the format:
           XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

       --genkey argument, -G argument
           Generate a key pair on the card and output the public key. An argument {ref}:{alg} is required, where ref is 9A, 9C, 9D or 9E and alg is 06, 07, 11 or 14 for RSA 1024, RSA 2048, ECC 256 or ECC 384.

       --object ContainerID, -O ContainerID
           Load an object onto the card. The ContainerID is defined in NIST 800-73-n without leading 0x. Example: CHUID object is 3000.

       --cert ref, -s ref
           Load a certificate onto the card. ref is 9A, 9C, 9D or 9E.

       --compresscert ref, -Z ref
           Load a certificate that has been gzipped onto the card. ref is 9A, 9C, 9D or 9E.

       --out file, -o file
           Output file for any operation that produces output.

       --in file, -i file
           Input file for any operation that requires an input file.

       --key-slots-discovery file
           Print properties of the key slots. Needs 'admin' authentication.

       --send-apdu apdu, -s apdu
           Sends an arbitrary APDU to the card in the format AA:BB:CC:DD:EE:FF... This option may be repeated.

       --reader, -r num
           Use the given reader number. The default is 0, the first reader in the system.

       --card-driver driver, -c driver
           Use the given card driver. The default is auto-detected.

       --wait, -w
           Wait for a card to be inserted.

       --verbose, -v
           Causes piv-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

SEE ALSO
       opensc-tool(1)

opensc                                06/03/2012                                PIV-TOOL(1)
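
The --admin option reads the card key from a plaintext file named by PIV_EXT_AUTH_KEY, so the file's permissions and format are worth checking before piv-tool runs. The script below is an added example, not part of the OpenSC man page or code; the function names are hypothetical, and the two-hex-digit pattern for ref and alg is an assumption based on the documented values 9B and 03.

```shell
#!/bin/sh
# Added example (not from OpenSC): pre-flight checks for `piv-tool --admin`.
# Function names are hypothetical; formats are taken from the option text.

# Key file: regular file, no group/other access, first line holding
# 24 colon-separated hex bytes (the XX:XX:... format shown above).
check_key_file() {
    f=$1
    [ -f "$f" ] || { echo "key file missing: $f" >&2; return 1; }
    perms=$(ls -ld -- "$f" | cut -c5-10)      # group+other permission bits
    [ "$perms" = "------" ] ||
        { echo "key file open to group/other: $f" >&2; return 2; }
    head -n 1 < "$f" | tr -d ' \r\n' |
        grep -Eq '^([0-9A-Fa-f]{2}:){23}[0-9A-Fa-f]{2}$' ||
        { echo "key is not 24 hex bytes in XX:XX:... form" >&2; return 3; }
}

# --admin takes {A|M}:{ref}:{alg}. Assumption: ref and alg are two hex
# digits each, as in the documented 9B and 03.
check_admin_arg() {
    printf '%s\n' "$1" | grep -Eq '^[AM]:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}$'
}

# --genkey takes {ref}:{alg}: ref 9A|9C|9D|9E, alg 06|07|11|14.
check_genkey_arg() {
    printf '%s\n' "$1" | grep -Eq '^9[ACDE]:(06|07|11|14)$'
}

# Refuse to start piv-tool unless the argument and key file pass.
piv_admin() {
    admin=$1; shift
    check_admin_arg "$admin" || { echo "bad --admin argument" >&2; return 64; }
    check_key_file "${PIV_EXT_AUTH_KEY:-}" || return $?
    piv-tool --admin "$admin" "$@"
}
```

Create the key file under `umask 077` so it is never readable by other accounts, even briefly.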

PKCS15-TOOL(1)							   OpenSC Tools 						    PKCS15-TOOL(1)

NAME
       pkcs15-tool - utility for manipulating PKCS #15 data structures on smart cards and similar security tokens

SYNOPSIS
       pkcs15-tool [OPTIONS]

DESCRIPTION
       The pkcs15-tool utility is used to manipulate the PKCS #15 data structures on smart cards and similar security tokens. Users can list and read PINs, keys and certificates stored on the token. User PIN authentication is performed for those operations that require it.

OPTIONS
       --aid aid
           Specify in hexadecimal form the AID of the on-card PKCS#15 application to bind to.

       --auth-id pin, -a pin
           Specifies the auth id of the PIN to use for the operation. This is useful with the --change-pin operation.

       --change-pin
           Changes a PIN or PUK stored on the token. User authentication is required for this operation.

       --dump, -D
           Dump card objects.

       --learn-card, -L
           Cache PKCS #15 token data to the local filesystem. Subsequent operations are performed on the cached data where possible. If the cache becomes out-of-sync with the token state (e.g. a new key is generated and stored on the token), the cache should be updated or operations may show stale results.

       --list-applications
           List the on-card PKCS#15 applications.

       --list-certificates, -c
           Lists all certificates stored on the token.

       --list-data-objects, -C
           Lists all data objects stored on the token. For some cards the PKCS#15 attributes of the private data objects are protected for reading and need authentication with the User PIN. In such a case the --verify-pin option has to be used.

       --list-keys, -k
           Lists all private keys stored on the token. General information about each private key is listed (e.g. key name, id and algorithm). Actual private key values are not displayed. For some cards the PKCS#15 attributes of the private keys are protected for reading and need authentication with the User PIN. In such a case the --verify-pin option has to be used.

       --list-pins
           Lists all PINs stored on the token. General information about each PIN is listed (e.g. PIN name). Actual PIN values are not shown.

       --list-public-keys
           Lists all public keys stored on the token, including key name, id, algorithm and length information.

       --no-cache
           Disables token data caching.

       --output filename, -o filename
           Specifies where key output should be written. If filename already exists, it will be overwritten. If this option is not given, keys will be printed to standard output.

       --read-certificate cert, -r cert
           Reads the certificate with the given id.

       --read-data-object cert, -R data
           Reads data object with OID, applicationName or label.

       --read-public-key id
           Reads the public key with id id, allowing the user to extract and store or use the public key.

       --read-ssh-key id
           Reads the public key with id id, writing the output in a format suitable for $HOME/.ssh/authorized_keys.

       --reader num
           Forces pkcs15-tool to use reader number num for operations. The default is to use reader number 0, the first reader in the system.

       --unblock-pin, -u
           Unblocks a PIN stored on the token. Knowledge of the PIN Unblock Key (PUK) is required for this operation.

       --verbose, -v
           Causes pkcs15-tool to be more verbose. Specify this flag several times to enable debug output in the OpenSC library.

       --verify-pin
           Verify PIN after card binding and before issuing any command (without 'auth-id' the first non-SO, non-Unblock PIN will be verified).

SEE ALSO
       pkcs15-init(1), pkcs15-crypt(1)

opensc                                06/17/2014                                PKCS15-TOOL(1)