1PKCS15-TOOL(1)                   OpenSC Tools                   PKCS15-TOOL(1)
2
3
4

NAME

6       pkcs15-tool - utility for manipulating PKCS #15 data structures on
7       smart cards and similar security tokens
8

SYNOPSIS

10       pkcs15-tool [OPTIONS]
11

DESCRIPTION

13       The pkcs15-tool utility is used to manipulate the PKCS #15 data
14       structures on smart cards and similar security tokens. Users can list
15       and read PINs, keys and certificates stored on the token. User PIN
16       authentication is performed for those operations that require it.
17

OPTIONS

19       --version,
20           Print the OpenSC package release version.
21
22       --aid aid
23           Specify in a hexadecimal form the AID of the on-card PKCS#15
24           application to bind to.
25
26       --auth-id id, -a id
27           Specifies the auth id of the PIN to use for the operation. This is
28           useful with the --change-pin operation.
29
30       --change-pin
31           Changes a PIN or PUK stored on the token. User authentication is
32           required for this operation.
33
34       --dump, -D
35           List all card objects.
36
37       --list-info
38           List card objects.
39
40       --list-applications
41           List the on-card PKCS#15 applications.
42
43       --list-certificates, -c
44           List all certificates stored on the token.
45
46       --list-data-objects, -C
47           List all data objects stored on the token. For some cards the
48           PKCS#15 attributes of the private data objects are protected for
49           reading and need the authentication with the User PIN. In such a
50           case the --verify-pin option has to be used.
51
52       --list-keys, -k
53           List all private keys stored on the token. General information
54           about each private key is listed (eg. key name, id and algorithm).
55           Actual private key values are not displayed. For some cards the
56           PKCS#15 attributes of the private keys are protected for reading
57           and need the authentication with the User PIN. In such a case the
58           --verify-pin option has to be used.
59
60       --list-secret-keys
61           List all secret (symmetric) keys stored on the token. General
62           information about each secret key is listed (eg. key name, id and
63           algorithm). Actual secret key values are not displayed. For some
64           cards the PKCS#15 attributes of the private keys are protected for
65           reading and need the authentication with the User PIN. In such a
66           case the --verify-pin option has to be used.
67
68       --list-pins
69           List all PINs stored on the token. General information about each
70           PIN is listed (eg. PIN name). Actual PIN values are not shown.
71
72       --list-public-keys
73           List all public keys stored on the token, including key name, id,
74           algorithm and length information.
75
76       --short -s
77           Output lists in compact format.
78
79       --no-cache
80           Disables token data caching.
81
82       --clear-cache
83           Removes the user's cache directory. On Windows, this option
84           additionally removes the system's caching directory (requires
85           administrator privileges).
86
87       --clear-cache
88           Removes the user's cache directory. On Windows, this option
89           additionally removes the system's caching directory (requires
90           administrator privileges).
91
92       --output filename, -o filename
93           Specifies where key output should be written. If filename already
94           exists, it will be overwritten. If this option is not given, keys
95           will be printed to standard output.
96
97       --raw
98           Changes how --read-data-object prints the content to standard
99           output. By default, when --raw is not given, it will print the
100           content in hex notation. If --raw is set, it will print the binary
101           data directly. This does not affect the output that is written to
102           the file specified by the --output option. Data written to a file
103           will always be in raw binary.
104
105       --read-certificate cert
106           Reads the certificate with the given id.
107
108       --read-data-object cert, -R data
109           Reads data object with OID, applicationName or label. The content
110           is printed to standard output in hex notation, unless the --raw
111           option is given. If an output file is given with the --output
112           option, the content is additionally written to the file. Output to
113           the file is always written in raw binary mode, the --raw only
114           affects standard output behavior.
115
116       --read-public-key id
117           Reads the public key with id id, allowing the user to extract and
118           store or use the public key.
119
120       --read-ssh-key id
121           Reads the public key with id id, writing the output in format
122           suitable for $HOME/.ssh/authorized_keys.
123
124           The key label, if any will be shown in the 'Comment' field.
125
126           --rfc4716
127               When used in conjunction with option --read-ssh-key the output
128               format of the public key follows rfc4716.
129
130           The default output format is a single line (openssh).
131
132       --test-update, -T,
133           Test if the card needs a security update
134
135       --update, -U,
136           Update the card with a security update
137
138       --reader arg
139           Number of the reader to use. By default, the first reader with a
140           present card is used. If arg is an ATR, the reader with a matching
141           card will be chosen.
142
143       --unblock-pin, -u
144           Unblocks a PIN stored on the token. Knowledge of the Pin Unblock
145           Key (PUK) is required for this operation.
146
147       --verbose, -v
148           Causes pkcs15-tool to be more verbose. Specify this flag several
149           times to enable debug output in the OpenSC library.
150
151       --pin pin, --new-pin newpin --puk puk
152           These options can be used to specify the PIN/PUK values on the
153           command line. If the value is set to env:VARIABLE, the value of the
154           specified environment variable is used. By default, the code is
155           prompted on the command line if needed.
156
157           Note that on most operation systems, any user can display the
158           command line of any process on the system using utilities such as
159           ps(1). Therefore, you should prefer passing the codes via an
160           environment variable on an unsecured system.
161
162       --new-pin pin
163           Specify New PIN (when changing or unblocking)
164
165       --verify-pin
166           Verify PIN after card binding and before issuing any command
167           (without 'auth-id' the first non-SO, non-Unblock PIN will be
168           verified)
169
170       --test-session-pin
171           Equivalent to --verify-pin with additional session PIN generation
172
173       --wait, -w
174           Causes pkcs15-tool to wait for a card insertion.
175
176       --use-pinpad
177           Do not prompt the user; if no PINs supplied, pinpad will be used.
178

SEE ALSO

180       pkcs15-init(1), pkcs15-crypt(1)
181

AUTHORS

183       pkcs15-tool was written by Juha Yrjölä <juha.yrjola@iki.fi>.
184
185
186
187opensc                            05/02/2022                    PKCS15-TOOL(1)
Impressum