@c Copyright (C) 2002 Free Software Foundation, Inc.
@c This is part of the GnuPG manual.
@c For copying conditions, see the file gnupg.texi.

@include defs.inc

@node Invoking SCDAEMON
@chapter Invoking the SCDAEMON
@cindex SCDAEMON command options
@cindex command options
@cindex options, SCDAEMON command

@manpage scdaemon.1
@ifset manverb
.B scdaemon
\- Smartcard daemon for the GnuPG system
@end ifset

@mansect synopsis
@ifset manverb
.B scdaemon
.RB [ \-\-homedir
.IR dir ]
.RB [ \-\-options
.IR file ]
.RI [ options ]
.B \-\-server
.br
.B scdaemon
.RB [ \-\-homedir
.IR dir ]
.RB [ \-\-options
.IR file ]
.RI [ options ]
.B \-\-daemon
.RI [ command_line ]
@end ifset

@mansect description
The @command{scdaemon} is a daemon to manage smartcards. It is usually
invoked by @command{gpg-agent} and in general not used directly.

@manpause
@xref{Option Index}, for an index to @command{scdaemon}'s commands and
options.
@mancont

@menu
* Scdaemon Commands:: List of all commands.
* Scdaemon Options:: List of all options.
* Card applications:: Description of card applications.
* Scdaemon Configuration:: Configuration files.
* Scdaemon Examples:: Some usage examples.
* Scdaemon Protocol:: The protocol the daemon uses.
@end menu

@mansect commands
@node Scdaemon Commands
@section Commands

Commands are not distinguished from options except for the fact that
only one command is allowed.

@table @gnupgtabopt
@item --version
@opindex version
Print the program version and licensing information. Note that you cannot
abbreviate this command.

@item --help, -h
@opindex help
Print a usage message summarizing the most useful command-line options.
Note that you cannot abbreviate this command.

@item --dump-options
@opindex dump-options
Print a list of all available options and commands. Note that you cannot
abbreviate this command.

@item --server
@opindex server
Run in server mode and wait for commands on the @code{stdin}. The
default mode is to create a socket and listen for commands there.

@item --multi-server
@opindex multi-server
Run in server mode and wait for commands on the @code{stdin} as well as
on an additional Unix Domain socket. The server command @code{GETINFO}
may be used to get the name of that extra socket.

@item --daemon
@opindex daemon
Run the program in the background. This option is required to prevent
it from accidentally running in the background.
@end table

@mansect options
@node Scdaemon Options
@section Option Summary

@table @gnupgtabopt

@item --options @var{file}
@opindex options
Reads configuration from @var{file} instead of from the default
per-user configuration file. The default configuration file is named
@file{scdaemon.conf} and expected in the @file{.gnupg} directory directly
below the home directory of the user.

@include opt-homedir.texi

@item -v
@item --verbose
@opindex v
@opindex verbose
Outputs additional information while running.
You can increase the verbosity by giving several
verbose commands to @command{gpgsm}, such as @samp{-vv}.

@item --debug-level @var{level}
@opindex debug-level
Select the debug level for investigating problems. @var{level} may be
a numeric value or a keyword:

@table @code
@item none
No debugging at all. A value of less than 1 may be used instead of
the keyword.
@item basic
Some basic debug messages. A value between 1 and 2 may be used
instead of the keyword.
@item advanced
More verbose debug messages. A value between 3 and 5 may be used
instead of the keyword.
@item expert
Even more detailed messages. A value between 6 and 8 may be used
instead of the keyword.
@item guru
All of the debug messages you can get. A value greater than 8 may be
used instead of the keyword. The creation of hash tracing files is
only enabled if the keyword is used.
@end table

How these messages are mapped to the actual debugging flags is not
specified and may change with newer releases of this program. They are
however carefully selected to best aid in debugging.

@quotation Note
All debugging options are subject to change and thus should not be used
by any application program. As the name says, they are only used as
helpers to debug problems.
@end quotation

@item --debug @var{flags}
@opindex debug
This option is only useful for debugging and the behavior may change at
any time without notice. FLAGS are bit encoded and may be given in
usual C-Syntax. The currently defined bits are:

@table @code
@item 0 (1)
command I/O
@item 1 (2)
values of big number integers
@item 2 (4)
low level crypto operations
@item 5 (32)
memory allocation
@item 6 (64)
caching
@item 7 (128)
show memory statistics
@item 9 (512)
write hashed data to files named @code{dbgmd-000*}
@item 10 (1024)
trace Assuan protocol.
See also option @option{--debug-assuan-log-cats}.
@item 11 (2048)
trace APDU I/O to the card. This may reveal sensitive data.
@item 12 (4096)
trace some card reader related function calls.
@end table

@item --debug-all
@opindex debug-all
Same as @code{--debug=0xffffffff}

@item --debug-wait @var{n}
@opindex debug-wait
When running in server mode, wait @var{n} seconds before entering the
actual processing loop and print the pid. This gives time to attach a
debugger.

@item --debug-ccid-driver
@opindex debug-ccid-driver
Enable debug output from the included CCID driver for smartcards.
Using this option twice will also enable some tracing of the T=1
protocol. Note that this option may reveal sensitive data.

@item --debug-disable-ticker
@opindex debug-disable-ticker
This option disables all ticker functions like checking for card
insertions.

@item --debug-allow-core-dump
@opindex debug-allow-core-dump
For security reasons we won't create a core dump when the process
aborts. For debugging purposes it is sometimes better to allow core
dumps. This option enables it and also changes the working directory to
@file{/tmp} when running in @option{--server} mode.

@item --debug-log-tid
@opindex debug-log-tid
This option appends a thread ID to the PID in the log output.

@item --debug-assuan-log-cats @var{cats}
@opindex debug-assuan-log-cats
@efindex ASSUAN_DEBUG
Changes the active Libassuan logging categories to @var{cats}. The
value for @var{cats} is an unsigned integer given in usual C-Syntax.
A value of 0 switches to a default category. If this option is not
used the categories are taken from the environment variable
@code{ASSUAN_DEBUG}. Note that this option has only an effect if the
Assuan debug flag has also been enabled with the option @option{--debug}.
For a list of categories see the Libassuan manual.

@item --no-detach
@opindex no-detach
Don't detach the process from the console. This is mainly useful for
debugging.

@item --log-file @var{file}
@opindex log-file
Append all logging output to @var{file}. This is very helpful in
seeing what the agent actually does. Use @file{socket://} to log to a
socket.

@item --pcsc-driver @var{library}
@opindex pcsc-driver
Use @var{library} to access the smartcard reader. The current default
is @file{libpcsclite.so}. Instead of using this option you might also
want to install a symbolic link to the default file name
(e.g. from @file{libpcsclite.so.1}).

@item --ctapi-driver @var{library}
@opindex ctapi-driver
Use @var{library} to access the smartcard reader. The current default
is @file{libtowitoko.so}. Note that the use of this interface is
deprecated; it may be removed in future releases.

@item --disable-ccid
@opindex disable-ccid
Disable the integrated support for CCID compliant readers. This
allows falling back to one of the other drivers even if the internal
CCID driver can handle the reader. Note that CCID support is only
available if libusb was available at build time.

@item --reader-port @var{number_or_string}
@opindex reader-port
This option may be used to specify the port of the card terminal. A
value of 0 refers to the first serial device; add 32768 to access USB
devices. The default is 32768 (first USB device). PC/SC or CCID
readers might need a string here; run the program in verbose mode to get
a list of available readers. The default is then the first reader
found.

To get a list of available CCID readers you may use this command:
@cartouche
@smallexample
echo scd getinfo reader_list \
| gpg-connect-agent --decode | awk '/^D/ @{print $2@}'
@end smallexample
@end cartouche

@item --card-timeout @var{n}
@opindex card-timeout
If @var{n} is not 0 and no client is actively using the card, the card
will be powered down after @var{n} seconds. Powering down the card
avoids a potential risk of damaging a card when used with certain
cheap readers. This also allows applications that are not aware of
Scdaemon to access the card. The disadvantage of using a card timeout
is that accessing the card takes longer and that the user needs to
enter the PIN again after the next power up.

Note that with the current version of Scdaemon the card is powered
down immediately at the next timer tick for any value of @var{n} other
than 0.

@item --enable-pinpad-varlen
@opindex enable-pinpad-varlen
Please specify this option when the card reader supports variable
length input for pinpad (default is no). For known readers (listed in
ccid-driver.c and apdu.c), this option is not needed. Note that if
your card reader doesn't support variable length input but you want
to use it, you need to specify your pinpad request on your card.

@item --disable-pinpad
@opindex disable-pinpad
Even if a card reader features a pinpad, do not try to use it.

@item --deny-admin
@opindex deny-admin
@opindex allow-admin
This option disables the use of admin class commands for card
applications where this is supported. Currently we support it for the
OpenPGP card. This option is useful to inhibit accidental access to
admin class commands which could ultimately lock the card through wrong
PIN numbers. Note that GnuPG versions older than 2.0.11 featured an
@option{--allow-admin} option which was required to use such admin
commands. This option has no more effect today because the default is
now to allow admin commands.

@item --disable-application @var{name}
@opindex disable-application
This option disables the use of the card application named
@var{name}. This is mainly useful for debugging or if an application
with lower priority should be used by default.

@end table

All the long options may also be given in the configuration file after
stripping off the two leading dashes.

@mansect card applications
@node Card applications
@section Description of card applications

@command{scdaemon} supports the card applications as described below.

@menu
* OpenPGP Card:: The OpenPGP card application
* NKS Card:: The Telesec NetKey card application
* DINSIG Card:: The DINSIG card application
* PKCS#15 Card:: The PKCS#15 card application
* Geldkarte Card:: The Geldkarte application
* SmartCard-HSM:: The SmartCard-HSM application
* Undefined Card:: The Undefined stub application
@end menu

@node OpenPGP Card
@subsection The OpenPGP card application ``openpgp''

This application is currently only used by @command{gpg} but may in
future also be useful with @command{gpgsm}. Version 1 and version 2 of
the card are supported.

@noindent
The specifications for these cards are available at@*
@uref{http://g10code.com/docs/openpgp-card-1.0.pdf} and@*
@uref{http://g10code.com/docs/openpgp-card-2.0.pdf}.

@node NKS Card
@subsection The Telesec NetKey card ``nks''

This is the main application of the Telesec cards as available in
Germany. It is a superset of the German DINSIG card. The card is
used by @command{gpgsm}.

@node DINSIG Card
@subsection The DINSIG card application ``dinsig''

This is an application as described in the German draft standard
@emph{DIN V 66291-1}. It is intended to be used by cards supporting
the German signature law and its bylaws (SigG and SigV).

@node PKCS#15 Card
@subsection The PKCS#15 card application ``p15''

This is a common framework for smart card applications. It is used by
@command{gpgsm}.

@node Geldkarte Card
@subsection The Geldkarte card application ``geldkarte''

This is a simple application to display information of a German
Geldkarte. The Geldkarte is a small amount debit card application which
comes with almost all German banking cards.

@node SmartCard-HSM
@subsection The SmartCard-HSM card application ``sc-hsm''

This application adds read-only support for keys and certificates
stored on a @uref{http://www.smartcard-hsm.com, SmartCard-HSM}.

To generate keys and store certificates you may use
@uref{https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM, OpenSC} or
the tools from @uref{http://www.openscdp.org, OpenSCDP}.

The SmartCard-HSM card requires a card reader that supports Extended
Length APDUs.

@node Undefined Card
@subsection The Undefined card application ``undefined''

This is a stub application to allow the use of the APDU command even
if no supported application is found on the card. This application is
not used automatically but must be explicitly requested using the
SERIALNO command.

@c *******************************************
@c ***************            ****************
@c ***************   FILES    ****************
@c ***************            ****************
@c *******************************************
@mansect files
@node Scdaemon Configuration
@section Configuration files

There are a few configuration files to control certain aspects of
@command{scdaemon}'s operation. Unless noted, they are expected in the
current home directory (@pxref{option --homedir}).

@table @file

@item scdaemon.conf
@cindex scdaemon.conf
This is the standard configuration file read by @command{scdaemon} on
startup. It may contain any valid long option; the leading two dashes
may not be entered and the option may not be abbreviated. This default
name may be changed on the command line (@pxref{option --options}).

@item scd-event
@cindex scd-event
If this file is present and executable, it will be called on every card
reader's status change. An example of this script is provided with the
distribution.

@item reader_@var{n}.status
This file is created by @command{scdaemon} to let other applications know
about reader status changes. Its use is now deprecated in favor of
@file{scd-event}.

@end table

@c
@c Examples
@c
@mansect examples
@node Scdaemon Examples
@section Examples

@c man begin EXAMPLES

@example
$ scdaemon --server -v
@end example

@c man end

@c
@c Assuan Protocol
@c
@manpause
@node Scdaemon Protocol
@section Scdaemon's Assuan Protocol

The SC-Daemon should be started by the system to provide access to
external tokens. Using Smartcards on a multi-user system does not
make much sense except for system services, but in this case no
regular user accounts are hosted on the machine.

A client connects to the SC-Daemon by connecting to the socket named
@file{@value{LOCALRUNDIR}/scdaemon/socket}; configuration information
is read from @var{@value{SYSCONFDIR}/scdaemon.conf}.

Each connection acts as one session; SC-Daemon takes care of
synchronizing access to a token between sessions.

@menu
* Scdaemon SERIALNO:: Return the serial number.
* Scdaemon LEARN:: Read all useful information from the card.
* Scdaemon READCERT:: Return a certificate.
* Scdaemon READKEY:: Return a public key.
* Scdaemon PKSIGN:: Signing data with a Smartcard.
* Scdaemon PKDECRYPT:: Decrypting data with a Smartcard.
* Scdaemon GETATTR:: Read an attribute's value.
* Scdaemon SETATTR:: Update an attribute's value.
* Scdaemon WRITEKEY:: Write a key to a card.
* Scdaemon GENKEY:: Generate a new key on-card.
* Scdaemon RANDOM:: Return random bytes generated on-card.
* Scdaemon PASSWD:: Change PINs.
* Scdaemon CHECKPIN:: Perform a VERIFY operation.
* Scdaemon RESTART:: Restart connection
* Scdaemon APDU:: Send a verbatim APDU to the card
@end menu

@node Scdaemon SERIALNO
@subsection Return the serial number

This command should be used to check for the presence of a card. It is
special in that it can be used to reset the card. Most other commands
will return an error when a card change has been detected and the use of
this function is therefore required.

Background: We want to keep the client clear of handling card changes
between operations; i.e. the client can assume that all operations are
done on the same card unless it calls this function.

@example
SERIALNO
@end example

Return the serial number of the card using a status response like:

@example
S SERIALNO D27600000000000000000000
@end example

The serial number is the hex encoded value identified by
the @code{0x5A} tag in the GDO file (FID=0x2F02).

@node Scdaemon LEARN
@subsection Read all useful information from the card

@example
LEARN [--force]
@end example

Learn all useful information of the currently inserted card. When
used without the @option{--force} option, the command might do an INQUIRE
like this:

@example
INQUIRE KNOWNCARDP <hexstring_with_serialNumber>
@end example

The client should just send an @code{END} if the processing should go on
or a @code{CANCEL} to force the function to terminate with a cancel
error message. The response of this command is a list of status lines
formatted as this:

@example
S KEYPAIRINFO @var{hexstring_with_keygrip} @var{hexstring_with_id}
@end example

If there is no certificate yet stored on the card a single "X" is
returned in @var{hexstring_with_keygrip}.
|
|
|
|
|
|
|
|
@node Scdaemon READCERT
@subsection Return a certificate

@example
READCERT @var{hexified_certid}|@var{keyid}
@end example

This function is used to read a certificate identified by
@var{hexified_certid} from the card. With OpenPGP cards the keyid
@code{OpenPGP.3} may be used to read the certificate of version 2 cards.

@node Scdaemon READKEY
@subsection Return a public key

@example
READKEY @var{hexified_certid}
@end example

Return the public key for the given cert or key ID as a standard
S-expression.

@node Scdaemon PKSIGN
@subsection Signing data with a Smartcard

To sign some data the caller should use the command

@example
SETDATA @var{hexstring}
@end example

to tell @command{scdaemon} about the data to be signed. The data must be given in
hex notation. The actual signing is done using the command

@example
PKSIGN @var{keyid}
@end example

where @var{keyid} is the hexified ID of the key to be used. The key id
may have been retrieved using the command @code{LEARN}. If a hash
algorithm other than SHA-1 is used, that algorithm may be given like:

@example
PKSIGN --hash=@var{algoname} @var{keyid}
@end example

where @var{algoname} is one of @code{sha1}, @code{rmd160} or @code{md5}.

@node Scdaemon PKDECRYPT
@subsection Decrypting data with a Smartcard

To decrypt some data the caller should use the command

@example
SETDATA @var{hexstring}
@end example

to tell @command{scdaemon} about the data to be decrypted. The data
must be given in hex notation. The actual decryption is then done
using the command

@example
PKDECRYPT @var{keyid}
@end example

where @var{keyid} is the hexified ID of the key to be used.

If the card is aware of the padding format a status line with padding
information is sent before the plaintext data. The key for this
status line is @code{PADDING} with the only defined value being 0 and
meaning padding has been removed.
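
The exchanges described in the SERIALNO, LEARN, PKSIGN and PKDECRYPT
sections, as an added example that is not part of the GnuPG sources: a
small Python client that sends the commands and interprets the
@code{S}, @code{D} and @code{INQUIRE} lines it gets back. It runs
against @code{FakeScdaemon}, a constructed stand-in for
@command{scdaemon} that answers with the line formats shown above, so
the keygrip, the key id @code{OPENPGP.1}, the error codes and the toy
"signature" are assumptions of the example and not values from a real
card; the percent escaping of @code{D} lines follows the Assuan
convention.

```python
import re

# Added example (not GnuPG code): the client side of SERIALNO, LEARN,
# SETDATA/PKSIGN and PKDECRYPT.  FakeScdaemon is a constructed stand-in that
# answers in the line formats the manual shows; its keygrip, key id,
# error codes and toy "signature" are constructed values.

def assuan_escape(data: bytes) -> str:
    # Assuan D lines percent-escape at least '%', CR and LF.
    return "".join(f"%{b:02X}" if b in (0x25, 0x0D, 0x0A) else chr(b)
                   for b in data)

def assuan_unescape(text: str) -> bytes:
    return re.sub(rb"%([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), text.encode("latin-1"))

class FakeScdaemon:
    SERIAL = "D27600000000000000000000"   # serial number from the manual's example
    KEYGRIP = "A" * 40                     # constructed keygrip

    def __init__(self):
        self.data, self.inquiring, self.sent = b"", False, []

    def send(self, line: str) -> list:
        self.sent.append(line)
        cmd, _, arg = line.partition(" ")
        if self.inquiring:                 # client answers INQUIRE KNOWNCARDP
            self.inquiring = False
            if cmd == "END":
                return [f"S KEYPAIRINFO {self.KEYGRIP} OPENPGP.1", "OK"]
            return ["ERR 99 Cancelled"]    # constructed error code
        if cmd == "SERIALNO":
            return [f"S SERIALNO {self.SERIAL}", "OK"]
        if cmd == "LEARN":
            self.inquiring = True
            return [f"INQUIRE KNOWNCARDP {self.SERIAL}"]
        if cmd == "SETDATA":
            self.data = bytes.fromhex(arg)
            return ["OK"]
        if cmd == "PKSIGN":                # toy signature: bitwise NOT of the data
            return ["D " + assuan_escape(bytes(b ^ 0xFF for b in self.data)), "OK"]
        if cmd == "PKDECRYPT":             # plaintext with bytes that need escaping
            return ["S PADDING 0", "D " + assuan_escape(b"secret%\r\n"), "OK"]
        return ["ERR 1 Unknown command"]   # constructed error code

class Client:
    """Sends one command and consumes S/D/INQUIRE lines until OK or ERR."""
    def __init__(self, server):
        self.server = server

    def call(self, command: str, on_inquire=None):
        status, data = {}, bytearray()
        queue = list(self.server.send(command))
        while queue:
            line = queue.pop(0)
            if line == "OK" or line.startswith("OK "):
                return status, bytes(data)
            if line.startswith("ERR "):
                raise RuntimeError(line)
            parts = line.split(" ", 2)
            arg = parts[2] if len(parts) > 2 else ""
            if parts[0] == "S":
                status.setdefault(parts[1], []).append(arg)
            elif parts[0] == "D":
                data += assuan_unescape(line[2:])
            elif parts[0] == "INQUIRE":    # END continues, CANCEL aborts
                reply = on_inquire(parts[1], arg) if on_inquire else "CANCEL"
                queue.extend(self.server.send(reply))
        raise RuntimeError("connection closed before OK/ERR")

def check_card(client) -> str:
    """SERIALNO: the command that also clears a pending card-change error."""
    return client.call("SERIALNO")[0]["SERIALNO"][0]

def learn_card(client, known_serials):
    """LEARN without --force: END on KNOWNCARDP to read the card, CANCEL if its
    serial number is already known.  Returns None when cancelled."""
    cancelled = []
    def on_inquire(keyword, arg):
        if keyword == "KNOWNCARDP" and arg in known_serials:
            cancelled.append(arg)
            return "CANCEL"
        return "END"
    try:
        status, _ = client.call("LEARN", on_inquire)
    except RuntimeError:
        if cancelled:
            return None
        raise
    keys = []
    for entry in status.get("KEYPAIRINFO", []):
        grip, _, keyid = entry.partition(" ")
        keys.append((None if grip == "X" else grip, keyid))  # "X": no certificate yet
    return keys

def sign(client, keyid: str, digest: bytes, hash_algo: str = "sha1") -> bytes:
    client.call("SETDATA " + digest.hex().upper())
    return client.call(f"PKSIGN --hash={hash_algo} {keyid}")[1]

def decrypt(client, keyid: str, ciphertext: bytes):
    client.call("SETDATA " + ciphertext.hex().upper())
    status, plaintext = client.call(f"PKDECRYPT {keyid}")
    return plaintext, status.get("PADDING", [None])[0] == "0"
```

Against a real daemon the same @code{call} loop would read lines from
the socket instead of a list; the points to notice are that the
@code{INQUIRE KNOWNCARDP} of LEARN has to be answered before any further
line arrives, that a @code{D} line only becomes raw data after
unescaping, and that @code{SETDATA} must precede every PKSIGN or
PKDECRYPT.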

@node Scdaemon GETATTR
@subsection Read an attribute's value

TO BE WRITTEN.

@node Scdaemon SETATTR
@subsection Update an attribute's value

TO BE WRITTEN.

@node Scdaemon WRITEKEY
@subsection Write a key to a card

@example
WRITEKEY [--force] @var{keyid}
@end example

This command is used to store a secret key on a smartcard. The
allowed keyids depend on the currently selected smartcard
application. The actual keydata is requested using the inquiry
@code{KEYDATA} and needs to be provided without any protection. With
@option{--force} set an existing key under this @var{keyid} will get
overwritten. The key data is expected to be the usual canonically
encoded S-expression.

A PIN will be requested in most cases. This however depends on the
actual card application.

@node Scdaemon GENKEY
@subsection Generate a new key on-card

TO BE WRITTEN.

@node Scdaemon RANDOM
@subsection Return random bytes generated on-card

TO BE WRITTEN.

@node Scdaemon PASSWD
@subsection Change PINs

@example
PASSWD [--reset] [--nullpin] @var{chvno}
@end example

Change the PIN or reset the retry counter of the card holder
verification vector number @var{chvno}. The option @option{--nullpin}
is used to initialize the PIN of TCOS cards (6 byte NullPIN only).

@node Scdaemon CHECKPIN
@subsection Perform a VERIFY operation

@example
CHECKPIN @var{idstr}
@end example

Perform a VERIFY operation without doing anything else. This may be
used to initialize the PIN cache prior to long lasting
operations. Its use is highly application dependent:

@table @strong
@item OpenPGP

Perform a simple verify operation for CHV1 and CHV2, so that further
operations won't ask for CHV2 and it is possible to do a cheap check on
the PIN: If there is something wrong with the PIN entry system, only the
regular CHV will get blocked and not the dangerous CHV3. @var{idstr} is
the usual card's serial number in hex notation; an optional fingerprint
part will get ignored.

There is however a special mode if @var{idstr} is suffixed with the
literal string @code{[CHV3]}: In this case the Admin PIN is checked if
and only if the retry counter is still at 3.

@end table

@node Scdaemon RESTART
@subsection Perform a RESTART operation

@example
RESTART
@end example

Restart the current connection; this is a kind of warm reset. It
deletes the context used by this connection but does not actually
reset the card.

This is used by gpg-agent to reuse a primary pipe connection and
may be used by clients to recover from a conflict in the serial
command; i.e. to select another application.

@node Scdaemon APDU
@subsection Send a verbatim APDU to the card

@example
APDU [--atr] [--more] [--exlen[=@var{n}]] [@var{hexstring}]
@end example

Send an APDU to the current reader. This command bypasses the high
level functions and sends the data directly to the card.
@var{hexstring} is expected to be a proper APDU. If @var{hexstring} is
not given no commands are sent to the card; however the command will
implicitly check whether the card is ready for use.

Using the option @code{--atr} returns the ATR of the card as a status
message before any data like this:

@example
S CARD-ATR 3BFA1300FF813180450031C173C00100009000B1
@end example

Using the option @code{--more} handles the card status word MORE_DATA
(61xx) and concatenates all responses to one block.

Using the option @code{--exlen} the returned APDU may use extended
length up to @var{n} bytes. If @var{n} is not given a default value is used
(currently 4096).
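
As an added example, not GnuPG code, here is what a client can do with
the @code{--atr} and @code{--more} output of this command:
@code{parse_atr} decodes the @code{CARD-ATR} status line shown above
according to ISO 7816-3 (TS, T0, the TA/TB/TC/TD interface bytes, the
historical bytes and the TCK checksum), and @code{transmit_more}
reproduces the @code{--more} behaviour by chaining GET RESPONSE while
the card answers with a 61xx status word. @code{ChunkingCard} is a
constructed card model so that the example runs offline; the status
words it returns for misuse are assumptions of the example.

```python
# Added example (not GnuPG code): decoding the CARD-ATR status line and
# following 61xx "more data" status words the way APDU --more does.
# ChunkingCard is a constructed card that hands its answer out in pieces.

GET_RESPONSE = bytes.fromhex("00C00000")   # CLA INS P1 P2 of GET RESPONSE

def parse_atr(atr: bytes) -> dict:
    """Structure-check an ISO 7816-3 ATR; return protocols, historical bytes, TCK state."""
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("not an ISO 7816-3 ATR")
    hist_len = atr[1] & 0x0F
    protocols, td, i = set(), atr[1], 2
    while True:                            # bits 4..7 of T0/TDi announce TA/TB/TC/TD
        y = td >> 4
        i += bin(y & 0x7).count("1")       # skip TA, TB, TC if present
        if not y & 0x8:
            break
        if i >= len(atr):
            raise ValueError("ATR truncated inside interface bytes")
        td = atr[i]
        i += 1
        protocols.add(td & 0x0F)           # low nibble of each TD names a protocol
    historical = atr[i:i + hist_len]
    i += hist_len
    tck_present = bool(protocols - {0})    # TCK is omitted only when just T=0 is offered
    expected = i + (1 if tck_present else 0)
    if len(atr) != expected:
        raise ValueError(f"ATR length {len(atr)} does not match its structure ({expected})")
    tck_ok = True
    if tck_present:                        # XOR of T0..TCK must be zero
        x = 0
        for b in atr[1:]:
            x ^= b
        tck_ok = (x == 0)
    return {"protocols": protocols or {0}, "historical": bytes(historical), "tck_ok": tck_ok}

def parse_atr_status(line: str) -> dict:
    """Decode the 'S CARD-ATR <hex>' status line returned for APDU --atr."""
    prefix = "S CARD-ATR "
    if not line.startswith(prefix):
        raise ValueError("not a CARD-ATR status line")
    return parse_atr(bytes.fromhex(line[len(prefix):]))

class ChunkingCard:
    """Constructed card: the first command returns the first chunk with SW1=0x61
    and SW2=length of the next chunk; each GET RESPONSE returns the next one."""
    def __init__(self, payload: bytes, chunk: int = 4):
        self.chunks = [payload[i:i + chunk] for i in range(0, len(payload), chunk)]
        self.started = False

    def transmit(self, apdu: bytes) -> bytes:
        if self.started and apdu[:4] != GET_RESPONSE:
            return b"\x6D\x00"             # assumed: instruction not supported mid-chain
        if not self.chunks:
            return b"\x6A\x88"             # assumed: nothing left to return
        self.started = True
        body = self.chunks.pop(0)
        if self.chunks:
            return body + bytes([0x61, len(self.chunks[0])])
        return body + b"\x90\x00"

def transmit_more(card, apdu: bytes):
    """Equivalent of APDU --more: chain GET RESPONSE while SW1 == 0x61 and
    return (concatenated data, final status word)."""
    data = bytearray()
    resp = card.transmit(apdu)
    for _ in range(1024):                  # bound the loop against a misbehaving card
        if len(resp) < 2:
            raise ValueError("response shorter than a status word")
        body, sw1, sw2 = resp[:-2], resp[-2], resp[-1]
        data += body
        if sw1 != 0x61:
            return bytes(data), (sw1 << 8) | sw2
        resp = card.transmit(GET_RESPONSE + bytes([sw2]))
    raise RuntimeError("too many MORE_DATA continuations")
```

For the ATR in the manual's example the parser reports T=1 as the only
offered protocol, ten historical bytes and a valid TCK; a truncated or
padded ATR is rejected by the length check rather than silently
misread.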

@mansect see also
@ifset isman
@command{gpg-agent}(1),
@command{gpgsm}(1),
@command{gpg2}(1)
@end ifset

@include see-also-note.texi