1PKCS15-TOOL(1)                   OpenSC Tools                   PKCS15-TOOL(1)
2
3
4

NAME

6       pkcs15-tool - utility for manipulating PKCS #15 data structures on
7       smart cards and similar security tokens
8

SYNOPSIS

10       pkcs15-tool [OPTIONS]
11

DESCRIPTION

13       The pkcs15-tool utility is used to manipulate the PKCS #15 data
14       structures on smart cards and similar security tokens. Users can list
15       and read PINs, keys and certificates stored on the token. User PIN
16       authentication is performed for those operations that require it.
17

OPTIONS

19       --version
20           Print the OpenSC package release version.
21
22       --aid aid
23           Specify in a hexadecimal form the AID of the on-card PKCS#15
24           application to bind to.
25
26       --auth-id id, -a id
27           Specifies the auth id of the PIN to use for the operation. This is
28           useful with the --change-pin operation.
29
30       --change-pin
31           Changes a PIN or PUK stored on the token. User authentication is
32           required for this operation.
33
34       --dump, -D
35           List all card objects.
36
37       --list-info
38           List card objects.
39
40       --list-applications
41           List the on-card PKCS#15 applications.
42
43       --list-certificates, -c
44           List all certificates stored on the token.
45
46       --list-data-objects, -C
47           List all data objects stored on the token. For some cards the
48           PKCS#15 attributes of the private data objects are protected for
49           reading and need the authentication with the User PIN. In such a
50           case the --verify-pin option has to be used.
51
52       --list-keys, -k
53           List all private keys stored on the token. General information
54           about each private key is listed (eg. key name, id and algorithm).
55           Actual private key values are not displayed. For some cards the
56           PKCS#15 attributes of the private keys are protected for reading
57           and need the authentication with the User PIN. In such a case the
58           --verify-pin option has to be used.
59
60       --list-secret-keys
61           List all secret (symmetric) keys stored on the token. General
62           information about each secret key is listed (eg. key name, id and
63           algorithm). Actual secret key values are not displayed. For some
64           cards the PKCS#15 attributes of the private keys are protected for
65           reading and need the authentication with the User PIN. In such a
66           case the --verify-pin option has to be used.
67
68       --list-pins
69           List all PINs stored on the token. General information about each
70           PIN is listed (eg. PIN name). Actual PIN values are not shown.
71
72       --list-public-keys
73           List all public keys stored on the token, including key name, id,
74           algorithm and length information.
75
76       --short, -s
77           Output lists in compact format.
78
79       --no-cache
80           Disables token data caching.
81
82       --clear-cache
83           Removes the user's cache directory. On Windows, this option
84           additionally removes the system's caching directory (requires
85           administrator privileges).
86
87       --output filename, -o filename
88           Specifies where key output should be written. If filename already
89           exists, it will be overwritten. If this option is not given, keys
90           will be printed to standard output.
91
92       --raw
93           Changes how --read-data-object prints the content to standard
94           output. By default, when --raw is not given, it will print the
95           content in hex notation. If --raw is set, it will print the binary
96           data directly. This does not affect the output that is written to
97           the file specified by the --output option. Data written to a file
98           will always be in raw binary.
99
100       --read-certificate cert
101           Reads the certificate with the given id.
102
103       --read-data-object data, -R data
104           Reads data object with OID, applicationName or label. The content
105           is printed to standard output in hex notation, unless the --raw
106           option is given. If an output file is given with the --output
107           option, the content is additionally written to the file. Output to
108           the file is always written in raw binary mode, the --raw only
109           affects standard output behavior.
110
111       --read-public-key id
112           Reads the public key with id id, allowing the user to extract and
113           store or use the public key.
114
115       --read-ssh-key id
116           Reads the public key with id id, writing the output in format
117           suitable for $HOME/.ssh/authorized_keys.
118
119           The key label, if any will be shown in the 'Comment' field.
120
121           --rfc4716
122               When used in conjunction with option --read-ssh-key the output
123               format of the public key follows rfc4716.
124
125           The default output format is a single line (openssh).
126
127       --test-update, -T
128           Test if the card needs a security update
129
130       --update, -U
131           Update the card with a security update
132
133       --reader arg
134           Number of the reader to use. By default, the first reader with a
135           present card is used. If arg is an ATR, the reader with a matching
136           card will be chosen.
137
138       --unblock-pin, -u
139           Unblocks a PIN stored on the token. Knowledge of the Pin Unblock
140           Key (PUK) is required for this operation.
141
142       --verbose, -v
143           Causes pkcs15-tool to be more verbose. Specify this flag several
144           times to enable debug output in the OpenSC library.
145
146       --pin pin, --new-pin newpin, --puk puk
147           These options can be used to specify the PIN/PUK values on the
148           command line. If the value is set to env:VARIABLE, the value of the
149           specified environment variable is used. By default, the code is
150           prompted on the command line if needed.
151
152           Note that on most operation systems, any user can display the
153           command line of any process on the system using utilities such as
154           ps(1). Therefore, you should prefer passing the codes via an
155           environment variable on an unsecured system.
156
157       --new-pin pin
158           Specify New PIN (when changing or unblocking)
159
160       --verify-pin
161           Verify PIN after card binding and before issuing any command
162           (without 'auth-id' the first non-SO, non-Unblock PIN will be
163           verified)
164
165       --test-session-pin
166           Equivalent to --verify-pin with additional session PIN generation
167
168       --wait, -w
169           Causes pkcs15-tool to wait for a card insertion.
170
171       --use-pinpad
172           Do not prompt the user; if no PINs supplied, pinpad will be used.
173

SEE ALSO

175       pkcs15-init(1), pkcs15-crypt(1)
176

AUTHORS

178       pkcs15-tool was written by Juha Yrjölä <juha.yrjola@iki.fi>.
179
180
181
182opensc                            08/08/2023                    PKCS15-TOOL(1)
Impressum