# Configuration file for OpenSC # Example configuration file # NOTE: All key-value pairs must be terminated by a semicolon. # Default values for any application # These can be overridden by an application # specific configuration block. app default { # Amount of debug info to print # # A greater value means more debug info. # Default: 0 # #debug = 3; # The file to which debug output will be written # # Special values 'stdout' and 'stderr' are recognized. # Default: stderr # # debug_file = /tmp/opensc-debug.log # PKCS#15 initialization / personalization # profiles directory for pkcs15-init. # Default: /usr/share/opensc # # profile_dir = /usr/share/opensc; # Disable pop-ups of built-in GUI # # Default: false # disable_popups = true; # Enable default card driver # Default card driver is explicitly enabled for the 'opensc-explorer' and 'opensc-tool'. # # Default: false # enable_default_driver = true; # List of readers to ignore # If any of the strings listed below is matched in a reader name (case # sensitive, partial matching possible), the reader is ignored by OpenSC. # Use `opensc-tool --list-readers` to see all currently connected readers. # # Default: empty # ignored_readers = "CardMan 1021", "SPR 532"; # CT-API module configuration. reader_driver ctapi { # module /usr/lib/libtowitoko.so { # CT-API ports: # 0..3 COM1..4 # 4 Printer # 5 Modem # 6..7 LPT1..2 # ports = 0; # } } # The following section shows definitions for PC/SC readers. reader_driver pcsc { # Limit command and response sizes. Some Readers don't propagate their # transceive capabilities correctly. max_send_size and max_recv_size # allow setting the limits manually, for example to enable extended # length capabilities. # Default: max_send_size = 255, max_recv_size = 256; # max_send_size = 65535; # max_recv_size = 65536; # # Connect to reader in exclusive mode? # Default: false # connect_exclusive = true; # # What to do when disconnecting from a card (SCardDisconnect) # Valid values: leave, reset, unpower. # Default: leave # disconnect_action = reset; # # What to do at the end of a transaction (SCardEndTransaction) # Valid values: leave, reset, unpower. # Default: leave # transaction_end_action = reset; # # What to do when reconnection to a card (SCardReconnect) # Valid values: leave, reset, unpower. # Note that this affects only the internal reconnect (after a SCARD_W_RESET_CARD). # A forced reset via sc_reset() always does a full powerup. # Default: leave # reconnect_action = reset; # # Enable pinpad if detected (PC/SC v2.0.2 Part 10) # Default: true # enable_pinpad = false; # # Some pinpad readers can only handle one exact length of the PIN. # fixed_pinlength sets this value so that OpenSC expands the padding to # this length. # Default: 0 (i.e. not fixed) # fixed_pinlength = 6; # # Detect reader capabilities with escape commands (wrapped APDUs with # CLA=0xFF as defined by PC/SC pt. 3 and BSI TR-03119, e.g. for getting # the UID, escaped PIN commands and the reader's firmware version) # Default: false # enable_escape = true; # # Use specific pcsc provider. # Default: libpcsclite.so.1 # provider_library = libpcsclite.so.1 } # Options for OpenCT support reader_driver openct { # Virtual readers to allocate. # Default: 2 # readers = 5; # # Limit command and response sizes. # Default: n/a # max_send_size = 255; # max_recv_size = 256; } # Options for CryptoTokenKit support reader_driver cryptotokenkit { # Limit command and response sizes. Some Readers don't propagate their # transceive capabilities correctly. max_send_size and max_recv_size # allow setting the limits manually, for example to enable extended # length capabilities. # Default: autodetect # max_send_size = 65535; # max_recv_size = 65536; } # Allowlist of card drivers to load at start-up # # The supported internal card driver names can be retrieved # from the output of: # $ opensc-tool --list-drivers # # A special value of 'old' will load all # statically linked drivers that may be removed in the future. # # A special value of 'internal' will load all # statically linked drivers. If an unknown (i.e. not # internal) driver is supplied, a separate configuration # configuration block has to be written for the driver. # Default: internal # NOTE: When "internal" keyword is used, must be last entry # #card_drivers = old, internal; # Card driver configuration blocks. # For card drivers loaded from an external shared library/DLL, # you need to specify the path name of the module # # card_driver customcos { # The location of the driver library # module = /usr/lib/libcard_customcos.so; # } card_driver npa { # German ID card requires the CAN to be verified before QES PIN. This, # however, is not part of the PKCS#15 profile of the card. So for # verifying the QES PIN we actually need both. The CAN may be given # here. If the CAN is not given here, it will be prompted on the # command line or on the reader (depending on the reader's # capabilities). # #can = 222222; # QES is only possible with a Comfort Reader (CAT-K), which holds a # cryptographic key to authenticate itself as signature terminal (ST). # We usually will use the reader's capability to sign the data. # However, during development you may specify soft certificates and # keys for a ST below. # The following example EAC PKI can be found in vicc's example data: # https://github.com/frankmorgner/vsmartcard/tree/master/virtualsmartcard/npa-example-data # #st_dv_certificate = ZZSTDVCA00001.cvcert; #st_certificate = ZZSTTERM00001.cvcert; #st_key = ZZSTTERM00001.pkcs8; } # Configuration block for DNIe # # Card DNIe has an option to show an extra warning before # issuing a signature. card_driver dnie { # Disable / enable warning message when performing a # signature operation with the DNIe. # Only used if compiled with --enable-dnie-ui # user_consent_enabled = yes; # Specify the pinentry application to use if warning # is configured to be displayed using pinentry. # Default: /usr/bin/pinentry # Only used if compiled with --enable-dnie-ui # user_consent_app = "/usr/bin/pinentry"; } card_driver edo { # CAN is required to establish connection # with the card. It might be overridden by # EDO_CAN environment variable. Currently, # it is not possible to set it in any other way. # #can = 123456; } # In addition to the built-in list of known cards in the # card driver, you can configure a new card for the driver # using the card_atr block. The goal is to centralize # everything related to a certain card to card_atr. # # The supported internal card driver names can be retrieved # from the output of: # $ opensc-tool --list-drivers # Generic format: card_atr # New card entry for the flex card driver # card_atr 3b:f0:0d:ca:fe { # All parameters for the context are # optional unless specified otherwise. # Context: global, card driver # # ATR mask value # # The mask is logically AND'd with an # card ATR prior to comparison with the # ATR reference value above. Using mask # allows identifying and configuring # multiple ATRs as the same card model. # atrmask = "ff:ff:ff:ff:ff"; # Context: card driver # # Specify used card driver (REQUIRED). # # When enabled, overrides all possible # settings from the card drivers built-in # card configuration list. # driver = "flex"; # Set card name for card drivers that allows it. # name = "My CryptoFlex card"; # Card type as an integer value. # # Depending on card driver, this allows # tuning the behaviour of the card driver # for your card. # type = "2002"; # Card flags as an hex value. # Multiple values are OR'd together. # # Depending on card driver, this allows # fine-tuning the capabilities in # the card driver for your card. # # Optionally, some known parameters # can be specified as strings: # # rng - On-board random number source # keep_alive - Request the card driver to send a "keep alive" command before each transaction to make sure that the required applet is still selected. # # flags = "rng", "keep_alive", "0x80000000"; # # Context: PKCS#15 emulation layer # # When using PKCS#15 emulation, force # the emulation driver for specific cards. # # Required for external drivers, but can # be used with built-in drivers, too. # pkcs15emu = "custom"; # # Context: reader driver # # Force protocol selection for specific cards. # Known parameters: t0, t1, raw # force_protocol = "t0"; # Context: minidriver # # read_only: Mark card as read/only card in Minidriver/BaseCSP interface (Default: false) # md_supports_X509_enrollment: Indicate X509 enrollment support at Minidriver/BaseCSP interface (Default: false) # md_guid_as_id: Use the GUID generated for the key as id in the PKCS#15 structure (Default: false, i.e. auto generated) # md_guid_as_label: Use the GUID generated for the key as label in the PKCS#15 structure (Default: false, i.e. no label set) # md_supports_container_key_gen: Card allows generating key pairs on the card (Default: false) # md_supports_container_key_import: Card allows importing private keys (Default: false) # # Window title of the PIN pad dialog # Default: "Windows Security" # md_pinpad_dlg_title = "Title"; # # Filename of the icon for the PIN pad dialog; use "" for no icon # Default: Built-in smart card icon # md_pinpad_dlg_icon = ""; # # Main instruction of the PIN pad dialog # Default: "OpenSC Smart Card Provider" # md_pinpad_dlg_main = "Main"; # # Content of the PIN pad dialog for role "user" # Default: "Please verify your fingerprint or PIN on the card." # md_pinpad_dlg_content_user = "Content User"; # # Content of the PIN pad dialog for role "user+signature" # Default: "Please verify your fingerprint or PIN for the digital signature PIN on the card." # md_pinpad_dlg_content_user_sign = "Content User+Sign"; # # Content of the PIN pad dialog for role "admin" # Default: "Please enter your PIN to unblock the user PIN on the PINPAD." # md_pinpad_dlg_content_admin = "Content Admin"; # # Expanded information of the PIN pad dialog # Default: "This window will be closed automatically after the PIN has been submitted on the PINPAD (timeout typically after 30 seconds)." # md_pinpad_dlg_expanded = "Expanded Information"; # # Allow the user to cancel the PIN pad dialog by not immediately requesting the PIN on the PIN pad # Default: false # md_pinpad_dlg_enable_cancel = true; # # Content of the verification of the PIN pad dialog # Default: "Automatically request PIN immediately on PIN-Pad" # md_pinpad_dlg_verification = "Verification"; # # Time in seconds for the progress bar of the PIN pad dialog to tick. "0" removes the progress bar. # Default: 30 # md_pinpad_dlg_timeout = 0; # Notification title and text when card was inserted # Default: "Smart card detected" # notify_card_inserted = "inserted title"; # Default: ATR of the card # notify_card_inserted_text = "inserted text"; # # Notification title and text when card was removed # Default: "Smart card removed" # notify_card_removed = "card removed"; # Default: Name of smart card reader # notify_card_removed_text = "removed text"; # # Notification title and text when PIN was verified # Default: "PIN verified" # notify_pin_good = "good PIN"; # Default: "Smart card is unlocked" # notify_pin_good_text = "good text"; # # Notification title and text when PIN was wrong # Default: "PIN not verified" # notify_pin_bad = "bad PIN"; # Default: "Smart card is locked" # notify_pin_bad_text = "bad text"; # } # Yubikey is known to have the PIV applet and the OpenPGP applet. OpenSC # can handle both to access keys and certificates, but only one at a time. card_atr 3b:f8:13:00:00:81:31:fe:15:59:75:62:69:6b:65:79:34:d4 { name = "Yubikey 4"; # Select the PKI applet to use ("PIV-II" or "openpgp") driver = "PIV-II"; # Recover from other applications accessing a different applet flags = "keep_alive"; } card_atr 3b:fc:13:00:00:81:31:fe:15:59:75:62:69:6b:65:79:4e:45:4f:72:33:e1 { name = "Yubikey Neo"; # Select the PKI applet to use ("PIV-II" or "openpgp") driver = "PIV-II"; # Recover from other applications accessing a different applet flags = "keep_alive"; } card_atr 3b:8c:80:01:59:75:62:69:6b:65:79:4e:45:4f:72:33:58 { atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:FF:00:00"; name = "Yubikey Neo"; # Select the PKI applet to use ("PIV-II" or "openpgp") driver = "PIV-II"; # Recover from other applications accessing a different applet flags = "keep_alive"; } # Oberthur's AuthentIC v3.2.2 card_atr 3B:DD:18:00:81:31:FE:45:80:F9:A0:00:00:00:77:01:00:70:0A:90:00:8B { type = 11100; driver = "authentic"; name = "AuthentIC v3.1"; # Name of SM configuration sub-section # secure_messaging = local_authentic; } # IAS/ECC cards card_atr 3B:7F:96:00:00:00:31:B9:64:40:70:14:10:73:94:01:80:82:90:00 { type = 25001; driver = "iasecc"; name = "Gemalto MultiApp IAS/ECC v1.0.1"; secure_messaging = local_gemalto_iam; # secure_messaging = local_adele; read_only = false; md_supports_X509_enrollment = true; } card_atr 3B:7F:96:00:00:00:31:B8:64:40:70:14:10:73:94:01:80:82:90:00 { type = 25001; driver = "iasecc"; name = "Gemalto MultiApp IAS/ECC v1.0.1"; secure_messaging = local_gemalto_iam; read_only = false; md_supports_X509_enrollment = true; } #card_atr 3B:DD:18:00:81:31:FE:45:80:F9:A0:00:00:00:77:01:08:00:07:90:00:FE { # type = 25002; # driver = "iasecc"; # name = "Oberthur IAS/ECC v1.0.1"; # # No 'admin' application for this card -- no secure messaging #} #card_atr 3B:7F:18:00:00:00:31:B8:64:50:23:EC:C1:73:94:01:80:82:90:00 { # type = 25003; # driver = "iasecc"; # name = "Morpho YpsID S3 IAS/ECC"; # # secure_messaging = local_morpho_YpsID_S3; #} #card_atr 3B:DF:96:00:80:31:FE:45:00:31:B8:64:04:1F:EC:C1:73:94:01:80:82:90:00:EC { # type = 25005; # driver = "iasecc"; # name = "Morpho MI IAS/ECC v1.0.1"; # read_only = false; # md_supports_X509_enrollment = true; # secure_messaging = local_morpho_mi; #} card_atr 3B:DF:18:FF:81:91:FE:1F:C3:00:31:B8:64:0C:01:EC:C1:73:94:01:80:82:90:00:B3 { type = 25004; driver = "iasecc"; name = "Amos IAS/ECC v1.0.1"; read_only = false; md_supports_X509_enrollment = true; secure_messaging = local_amos; } card_atr 3B:DC:18:FF:81:91:FE:1F:C3:80:73:C8:21:13:66:01:0B:03:52:00:05:38 { type = 25004; driver = "iasecc"; name = "Amos IAS/ECC v1.0.1"; read_only = false; md_supports_X509_enrollment = true; secure_messaging = local_amos_eid; } # SmartCard-HSM with contact-based interface or USB-Stick card_atr 3B:FE:18:00:00:81:31:FE:45:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:FA { driver = "sc-hsm"; read_only = false; md_supports_X509_enrollment = true; md_supports_container_key_gen = true; md_guid_as_label = true; } # SmartCard-HSM with contact-less interface card_atr 3B:8E:80:01:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:18 { driver = "sc-hsm"; read_only = false; md_supports_X509_enrollment = true; md_supports_container_key_gen = true; md_guid_as_label = true; } # SmartCard-HSM 4k with contact-based interface or USB-Stick card_atr 3b:de:18:ff:81:91:fe:1f:c3:80:31:81:54:48:53:4d:31:73:80:21:40:81:07:1c { driver = "sc-hsm"; read_only = false; md_supports_X509_enrollment = true; md_supports_container_key_gen = true; md_guid_as_label = true; } # SmartCard-HSM with fingerprint sensor and PIN pad card_atr 3B:80:80:01:01 { force_protocol = "t1"; read_only = true; md_supports_X509_enrollment = true; md_supports_container_key_gen = true; md_guid_as_label = true; md_pinpad_dlg_main = "Fingerabdruck oder PIN eingeben"; md_pinpad_dlg_content_user = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN auf der Karte."; md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte."; md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein."; md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen."; md_pinpad_dlg_timeout = 30; notify_card_inserted = "GoID erkannt"; notify_card_inserted_text = ""; notify_card_removed = "GoID entfernt"; notify_pin_good = "Fingerabdruck bzw. PIN verifiziert"; notify_pin_good_text = "GoID ist entsperrt"; notify_pin_bad = "Fingerabdruck bzw. PIN nicht verifiziert"; notify_pin_bad_text = "GoID ist gesperrt"; } # GoID with fingerprint sensor and PIN pad card_atr 3B:84:80:01:47:6f:49:44:00 { atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00"; driver = "sc-hsm"; force_protocol = "t1"; read_only = true; md_supports_X509_enrollment = true; md_supports_container_key_gen = true; md_guid_as_label = true; md_pinpad_dlg_main = "Fingerabdruck oder PIN eingeben"; md_pinpad_dlg_content_user = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN auf der Karte."; md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte."; md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein."; md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen."; md_pinpad_dlg_timeout = 30; notify_card_inserted = "GoID erkannt"; notify_card_inserted_text = ""; notify_card_removed = "GoID entfernt"; notify_pin_good = "Fingerabdruck bzw. PIN verifiziert"; notify_pin_good_text = "GoID ist entsperrt"; notify_pin_bad = "Fingerabdruck bzw. PIN nicht verifiziert"; notify_pin_bad_text = "GoID ist gesperrt"; } # GoID with fingerprint sensor and PIN pad card_atr 3B:85:80:01:47:6f:49:44:00:00 { atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00"; driver = "sc-hsm"; force_protocol = "t1"; read_only = true; md_supports_X509_enrollment = true; md_supports_container_key_gen = true; md_guid_as_label = true; md_pinpad_dlg_main = "Fingerabdruck oder PIN eingeben"; md_pinpad_dlg_content_user = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN auf der Karte."; md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte."; md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein."; md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen."; md_pinpad_dlg_timeout = 30; notify_card_inserted = "GoID erkannt"; notify_card_inserted_text = ""; notify_card_removed = "GoID entfernt"; notify_pin_good = "Fingerabdruck bzw. PIN verifiziert"; notify_pin_good_text = "GoID ist entsperrt"; notify_pin_bad = "Fingerabdruck bzw. PIN nicht verifiziert"; notify_pin_bad_text = "GoID ist gesperrt"; } # GoID with fingerprint sensor and PIN pad card_atr 3B:86:80:01:47:6f:49:44:00:00:00 { atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00"; driver = "sc-hsm"; force_protocol = "t1"; read_only = true; md_supports_X509_enrollment = true; md_supports_container_key_gen = true; md_guid_as_label = true; md_pinpad_dlg_main = "Fingerabdruck oder PIN eingeben"; md_pinpad_dlg_content_user = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN auf der Karte."; md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte."; md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein."; md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen."; md_pinpad_dlg_timeout = 30; notify_card_inserted = "GoID erkannt"; notify_card_inserted_text = ""; notify_card_removed = "GoID entfernt"; notify_pin_good = "Fingerabdruck bzw. PIN verifiziert"; notify_pin_good_text = "GoID ist entsperrt"; notify_pin_bad = "Fingerabdruck bzw. PIN nicht verifiziert"; notify_pin_bad_text = "GoID ist gesperrt"; } # GoID with fingerprint sensor and PIN pad card_atr 3B:87:80:01:47:6f:49:44:00:00:00:00 { atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00"; driver = "sc-hsm"; force_protocol = "t1"; read_only = true; md_supports_X509_enrollment = true; md_supports_container_key_gen = true; md_guid_as_label = true; md_pinpad_dlg_main = "Fingerabdruck oder PIN eingeben"; md_pinpad_dlg_content_user = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN auf der Karte."; md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte."; md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein."; md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen."; md_pinpad_dlg_timeout = 30; notify_card_inserted = "GoID erkannt"; notify_card_inserted_text = ""; notify_card_removed = "GoID entfernt"; notify_pin_good = "Fingerabdruck bzw. PIN verifiziert"; notify_pin_good_text = "GoID ist entsperrt"; notify_pin_bad = "Fingerabdruck bzw. PIN nicht verifiziert"; notify_pin_bad_text = "GoID ist gesperrt"; } # GoID with fingerprint sensor and PIN pad card_atr 3B:88:80:01:47:6f:49:44:00:00:00:00:00 { atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00"; driver = "sc-hsm"; force_protocol = "t1"; read_only = true; md_supports_X509_enrollment = true; md_supports_container_key_gen = true; md_guid_as_label = true; md_pinpad_dlg_main = "Fingerabdruck oder PIN eingeben"; md_pinpad_dlg_content_user = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN auf der Karte."; md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte."; md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein."; md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen."; md_pinpad_dlg_timeout = 30; notify_card_inserted = "GoID erkannt"; notify_card_inserted_text = ""; notify_card_removed = "GoID entfernt"; notify_pin_good = "Fingerabdruck bzw. PIN verifiziert"; notify_pin_good_text = "GoID ist entsperrt"; notify_pin_bad = "Fingerabdruck bzw. PIN nicht verifiziert"; notify_pin_bad_text = "GoID ist gesperrt"; } # GoID with fingerprint sensor and PIN pad card_atr 3B:89:80:01:47:6f:49:44:00:00:00:00:00:00 { atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00:00"; driver = "sc-hsm"; force_protocol = "t1"; read_only = true; md_supports_X509_enrollment = true; md_supports_container_key_gen = true; md_guid_as_label = true; md_pinpad_dlg_main = "Fingerabdruck oder PIN eingeben"; md_pinpad_dlg_content_user = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN auf der Karte."; md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte."; md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein."; md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen."; md_pinpad_dlg_timeout = 30; notify_card_inserted = "GoID erkannt"; notify_card_inserted_text = ""; notify_card_removed = "GoID entfernt"; notify_pin_good = "Fingerabdruck bzw. PIN verifiziert"; notify_pin_good_text = "GoID ist entsperrt"; notify_pin_bad = "Fingerabdruck bzw. PIN nicht verifiziert"; notify_pin_bad_text = "GoID ist gesperrt"; } # GoID with fingerprint sensor and PIN pad card_atr 3B:8A:80:01:47:6f:49:44:00:00:00:00:00:00:00 { atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00:00:00"; driver = "sc-hsm"; force_protocol = "t1"; read_only = true; md_supports_X509_enrollment = true; md_supports_container_key_gen = true; md_guid_as_label = true; md_pinpad_dlg_main = "Fingerabdruck oder PIN eingeben"; md_pinpad_dlg_content_user = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN auf der Karte."; md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte."; md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein."; md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen."; md_pinpad_dlg_timeout = 30; notify_card_inserted = "GoID erkannt"; notify_card_inserted_text = ""; notify_card_removed = "GoID entfernt"; notify_pin_good = "Fingerabdruck bzw. PIN verifiziert"; notify_pin_good_text = "GoID ist entsperrt"; notify_pin_bad = "Fingerabdruck bzw. PIN nicht verifiziert"; notify_pin_bad_text = "GoID ist gesperrt"; } # GoID with fingerprint sensor and PIN pad card_atr 3B:8B:80:01:47:6f:49:44:00:00:00:00:00:00:00:00 { atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00:00:00:00"; driver = "sc-hsm"; force_protocol = "t1"; read_only = true; md_supports_X509_enrollment = true; md_supports_container_key_gen = true; md_guid_as_label = true; md_pinpad_dlg_main = "Fingerabdruck oder PIN eingeben"; md_pinpad_dlg_content_user = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN auf der Karte."; md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte."; md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein."; md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen."; md_pinpad_dlg_timeout = 30; notify_card_inserted = "GoID erkannt"; notify_card_inserted_text = ""; notify_card_removed = "GoID entfernt"; notify_pin_good = "Fingerabdruck bzw. PIN verifiziert"; notify_pin_good_text = "GoID ist entsperrt"; notify_pin_bad = "Fingerabdruck bzw. PIN nicht verifiziert"; notify_pin_bad_text = "GoID ist gesperrt"; } # GoID with fingerprint sensor and PIN pad card_atr 3B:8C:80:01:47:6f:49:44:00:00:00:00:00:00:00:00:00 { atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00:00:00:00:00"; driver = "sc-hsm"; force_protocol = "t1"; read_only = true; md_supports_X509_enrollment = true; md_supports_container_key_gen = true; md_guid_as_label = true; md_pinpad_dlg_main = "Fingerabdruck oder PIN eingeben"; md_pinpad_dlg_content_user = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN auf der Karte."; md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte."; md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein."; md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen."; md_pinpad_dlg_timeout = 30; notify_card_inserted = "GoID erkannt"; notify_card_inserted_text = ""; notify_card_removed = "GoID entfernt"; notify_pin_good = "Fingerabdruck bzw. PIN verifiziert"; notify_pin_good_text = "GoID ist entsperrt"; notify_pin_bad = "Fingerabdruck bzw. PIN nicht verifiziert"; notify_pin_bad_text = "GoID ist gesperrt"; } # GoID with fingerprint sensor and PIN pad card_atr 3B:8D:80:01:47:6f:49:44:00:00:00:00:00:00:00:00:00:00 { atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00:00:00:00:00:00"; driver = "sc-hsm"; force_protocol = "t1"; read_only = true; md_supports_X509_enrollment = true; md_supports_container_key_gen = true; md_guid_as_label = true; md_pinpad_dlg_main = "Fingerabdruck oder PIN eingeben"; md_pinpad_dlg_content_user = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN auf der Karte."; md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte."; md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein."; md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen."; md_pinpad_dlg_timeout = 30; notify_card_inserted = "GoID erkannt"; notify_card_inserted_text = ""; notify_card_removed = "GoID entfernt"; notify_pin_good = "Fingerabdruck bzw. PIN verifiziert"; notify_pin_good_text = "GoID ist entsperrt"; notify_pin_bad = "Fingerabdruck bzw. PIN nicht verifiziert"; notify_pin_bad_text = "GoID ist gesperrt"; } # GoID with fingerprint sensor and PIN pad card_atr 3B:8E:80:01:47:6f:49:44:00:00:00:00:00:00:00:00:00:00:00 { atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00:00:00:00:00:00:00"; driver = "sc-hsm"; force_protocol = "t1"; read_only = true; md_supports_X509_enrollment = true; md_supports_container_key_gen = true; md_guid_as_label = true; md_pinpad_dlg_main = "Fingerabdruck oder PIN eingeben"; md_pinpad_dlg_content_user = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN auf der Karte."; md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte."; md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein."; md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen."; md_pinpad_dlg_timeout = 30; notify_card_inserted = "GoID erkannt"; notify_card_inserted_text = ""; notify_card_removed = "GoID entfernt"; notify_pin_good = "Fingerabdruck bzw. PIN verifiziert"; notify_pin_good_text = "GoID ist entsperrt"; notify_pin_bad = "Fingerabdruck bzw. PIN nicht verifiziert"; notify_pin_bad_text = "GoID ist gesperrt"; } # GoID with fingerprint sensor and PIN pad card_atr 3B:8F:80:01:47:6f:49:44:00:00:00:00:00:00:00:00:00:00:00:00 { atrmask = "FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00:00:00:00:00:00:00:00"; driver = "sc-hsm"; force_protocol = "t1"; read_only = true; md_supports_X509_enrollment = true; md_supports_container_key_gen = true; md_guid_as_label = true; md_pinpad_dlg_main = "Fingerabdruck oder PIN eingeben"; md_pinpad_dlg_content_user = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN auf der Karte."; md_pinpad_dlg_content_user_sign = "Bitte verifizieren Sie Ihren Fingarabdruck oder Ihre PIN für die digitale Signatur auf der Karte."; md_pinpad_dlg_content_admin = "Bitte geben Sie Ihre PIN zum Entsperren der Nutzer-PIN auf dem PIN-Pad ein."; md_pinpad_dlg_expanded = "Dieses Fenster wird automatisch geschlossen, wenn die PIN oder der Fingerabdruck verifiziert wurde (Timeout nach 30 Sekunden). Nutzen Sie das PIN-Pad, um die Eingabe abzubrechen."; md_pinpad_dlg_timeout = 30; notify_card_inserted = "GoID erkannt"; notify_card_inserted_text = ""; notify_card_removed = "GoID entfernt"; notify_pin_good = "Fingerabdruck bzw. PIN verifiziert"; notify_pin_good_text = "GoID ist entsperrt"; notify_pin_bad = "Fingerabdruck bzw. PIN nicht verifiziert"; notify_pin_bad_text = "GoID ist gesperrt"; } secure_messaging local_authentic { # name of external SM module # module_name = libsmm-local.so; # directory with external SM module # Default: /usr/lib # module_path = /usr/lib; # specific data to tune the module initialization # module_data = "Here can be your SM module init data"; # SM mode: # 'transmit' -- in this mode the procedure to securize an APDU is called by the OpenSC general # APDU transmit procedure. # In this mode all APDUs, except the ones filtered by the card specific procedure, # are securized. # 'acl' -- in this mode APDU are securized only if needed by the ACLs of the command to be executed. # #mode = transmit; # SM type specific flags # flags = 0x78; # 0x78 -- level 3, channel 0 # Default KMC of the GP Card Manager for the Oberthur's Java cards # kmc = "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"; } secure_messaging local_gemalto_iam { module_name = libsmm-local.so; # module_path = /usr/lib; # module_data = ""; type = acl; # transmit, acl ifd_serial = "11:22:33:44:55:66:77:88"; # Keyset values from IAM profiles of the Gemalto IAS/ECC cards keyset_02_enc = "RW_PRIV_ENC_TEST"; keyset_02_mac = "RW_PRIV_MAC_TEST"; keyset_E828BD080FD2504543432D654944_01_enc = "RO_ENC_TEST_KEY_"; keyset_E828BD080FD2504543432D654944_01_mac = "RO_MAC_TEST_KEY_"; keyset_E828BD080FD2504543432D654944_03_enc = "RW_PUBL_ENC_TEST"; keyset_E828BD080FD2504543432D654944_03_mac = "RW_PUBL_MAC_TEST"; } secure_messaging local_amos { module_name = libsmm-local.so; # module_path = /usr/lib; # module_data = ""; mode = acl; ifd_serial = "11:22:33:44:55:66:77:88"; keyset_02_enc = "ENCROECHANTILLON"; keyset_02_mac = "MACROECHANTILLON"; } secure_messaging local_amos_eid { module_name = libsmm-local.so; # module_path = /usr/lib; # module_data = ""; mode = acl; ifd_serial = "11:22:33:44:55:66:77:88"; keyset_E828BD080FD2504543432D654944_03_enc = "RW_PUBL_ENC_TEST"; keyset_E828BD080FD2504543432D654944_03_mac = "RW_PUBL_MAC_TEST"; } secure_messaging local_adele { module_name = libsmm-local.so; # module_path = /usr/lib; # module_data = ""; type = acl; # transmit, acl ifd_serial = "11:22:33:44:55:66:77:88"; # Keyset values from 'Adele' profiles of the IAS/ECC cards keyset_01_enc = "EMENCECHANTILLON"; keyset_01_mac = "EMMACECHANTILLON"; keyset_02_enc = "AAENCECHANTILLON"; keyset_02_mac = "AAMACECHANTILLON"; keyset_E828BD080FD2500000040301_02_enc = "E2ENCECHANTILLON"; keyset_E828BD080FD2500000040301_02_mac = "E2MACECHANTILLON"; keyset_D2500000044164E86C650101_02_enc = "E1ENCECHANTILLON"; keyset_D2500000044164E86C650101_02_mac = "E1MACECHANTILLON"; keyset_D2500000044164E86C650101_03_enc = "SIENCECHANTILLON"; keyset_D2500000044164E86C650101_03_mac = "SIMACECHANTILLON"; } # Below are the framework specific configuration blocks. # PKCS #15 framework pkcs15 { # Whether to use the cache files in the user's # home directory. # # Note: If caching is done by a system process, caching may be placed # inaccessible from the user account. Use a global caching directory if # you wish to share the cached information. # # Default: no # use_file_caching = public; # # set a path for caching # so you do not use the env variables and for pam_pkcs11 # (with certificate check) where $HOME is not set # Default: path in user home # file_cache_dir = /var/lib/opensc/cache # Use PIN caching? # Default: true # use_pin_caching = false; # # How many times to use a PIN from cache before re-authenticating it? # Default: 10 # pin_cache_counter = 3; # # Older PKCS#11 applications not supporting CKA_ALWAYS_AUTHENTICATE # may need to set this to get signatures to work with some cards. # Default: false # It is recommended to enable also use_pin_caching to allow OpenSC # to pass the pin to the card when needed. # pin_cache_ignore_user_consent = true; # How to handle a PIN-protected certificate # Valid values: protect, declassify, ignore. # Default: ignore in tokend, protect otherwise # private_certificate = declassify; # Enable pkcs15 emulation. # Default: yes # enable_pkcs15_emulation = no; # # Prefer pkcs15 emulation code before # the normal pkcs15 processing. # Some cards (like esteid and pteid) work in emu-only mode, # and do not depend on this option. # # Default: no # try_emulation_first = yes; # Enable builtin emulators. # Default: yes # enable_builtin_emulation = no; # # List of the builtin pkcs15 emulators to test # Special value of 'internal' will try all not disabled builtin pkcs15 emulators. # Special value of 'old' will try all disabled pkcs15 emulators. # Default: internal; # builtin_emulators = old, internal; # additional settings per driver # # For pkcs15 emulators loaded from an external shared # library/DLL, you need to specify the path name of the module # and customize the card_atr example above correctly. # # emulate custom { # The location of the driver library # module = /usr/lib/libp15emu_custom.so; # } # Enable initialization and card recognition in PKCS#11 layer. # Default: no # pkcs11_enable_InitToken = yes; # some additional application parameters: # - type (generic, protected) used to distinguish the common access application # and application for which authentication to perform some operation cannot be # obtained with the common procedures (ex. object creation protected by secure messaging). # Used by PKCS#11 module configured to expose restricted number of slots. # (for ex. configured to expose only User PIN slot, User and Sign PINs slots, ...) # # - disable: do not expose application in PKCS15 framework # default 'false' application E828BD080FD25047656E65726963 { type = generic; model = "ECC Generic PKI"; # disable = true } application E828BD080FD2500000040301 { type = generic; model = "Adèle Générique"; } application E828BD080FD2504543432D654944 { type = protected; model = "ECC eID"; } application E828BD080FD2500000040201 { type = protected; model = "Adèle Admin-2"; } } } # Parameters for the OpenSC PKCS11 module app opensc-pkcs11 { pkcs11 { # Maximum Number of virtual slots. # If there are more slots than defined here, # the remaining slots will be hidden from PKCS#11. # Default: 16 # max_virtual_slots = 32; # Maximum number of slots per smart card. # If the card has fewer keys than defined here, # the remaining number of slots will be empty. # Default: 4 # slots_per_card = 2; # (max_virtual_slots/slots_per_card) limits the number of readers # that can be used on the system. Default is then 16/4=4 readers. # By default, the OpenSC PKCS#11 module will not lock your card # once you authenticate to the card via C_Login. # # Thus the other users or other applications is not prevented # from connecting to the card and perform crypto operations # (which may be possible because you have already authenticated # with the card). This setting is not very secure. # # Also, if your card is not locked, you can enconter problems # due to limitation of the OpenSC framework, that still is not # thoroughly tested in the multi threads environment. # # Your settings will be more secure if you choose to lock your # card. Nevertheless this behavior is a known violation of PKCS#11 # specification. Now once one application has started using your # card with C_Login, no other application can use it, until # the first is done and calls C_Logout or C_Finalize. In the case # of many PKCS#11 application this does not happen until you exit # the application. # Thus it is impossible to use several smart card aware applications # at the same time, e.g. you cannot run both Firefox and Thunderbird at # the same time, if both are configured to use your smart card. # # Default: false # lock_login = true; # By default, interacting with the OpenSC PKCS#11 module may change the # state of the token, e.g. whether a user is logged in or not. # # Thus other users or other applications may change or use the state of # the token unknowingly. Other applications may create signatures # abusing an existing login or they may logout unnoticed. # # With this setting enabled the login state of the token is tracked and # cached (including the PIN). Every transaction is preceded by # restoring the login state. After every transaction a logout is # performed. This setting by default also enables `lock_login` (see # above) to disable access for other applications during the atomic # transactions. # # Please note that any PIN-pad should be disabled (see `enable_pinpad` # above), because the user would have to input his PIN for every # transaction. # # Default: false # atomic = true; # With this setting disabled, the OpenSC PKCS#11 module will initialize # the slots available when the application calls `C_GetSlotList`. With # this setting enabled, the slots will also get initialized when # C_GetSlotInfo is called. # # This setting is a workaround for Java which does not call # `C_GetSlotList` when configured with a static `slot` instead of # `slotListIndex`. # # Default: true # init_sloppy = false; # User PIN unblock style # none: PIN unblock is not possible with PKCS#11 API; # set_pin_in_unlogged_session: C_SetPIN() in unlogged session: # PUK is passed as the 'OldPin' argument of the C_SetPIN() call. # set_pin_in_specific_context: C_SetPIN() in the CKU_SPECIFIC_CONTEXT logged session: # PUK is passed as the 'OldPin' argument of the C_SetPIN() call. # init_pin_in_so_session: C_InitPIN() in CKU_SO logged session: # User PIN 'UNBLOCK' is protected by SOPIN. (PUK == SOPIN). # # Actually this style works only for the PKCS15 contents without SOPIN. # # For those with SOPIN, this mode will be useful for the cards without # # modes 00 and 01 of ISO command 'RESET RETRY COUNTER'. --vt # # Default: none # user_pin_unblock_style = set_pin_in_unlogged_session; # Create slot for unblocking PIN with PUK # This way PKCS#11 API can be used to login with PUK and # change a PIN. # Warning: causes problems with some applications like # firefox and thunderbird. Thus turned off by default # # Default: false # create_puk_slot = true; # Symbolic names of PINs for which slots are created # Card can contain more then one PINs or more then one on-card application with # its own PINs. Normally, to access all of them with the PKCS#11 API a slot has to be # created for all of them. Many slots could be ennoying for some of widely used application, # like FireFox. This configuration parameter allows one to select the PIN(s) # for which PKCS#11 slot will be created. # Actually recognised following symbolic names: # 'user', 'sign', 'all' # Only PINs initialised, non-SoPIN, non-unblocking are associated with symbolic name. # 'user' is identified as first global or first local PIN. # 'sign' is identified as second PIN: first local, second global or second local. # 'all' slot created for all non-sopin, non-unblocking PINs, # optionally for PUK (see option 'create_puk_slot') # # Default: all # create_slots_for_pins = "user,sign"; # create_slots_for_pins = "sign"; # # For the module to simulate the opensc-onepin module behavior the following option # must be set: # create_slots_for_pins = "user" } } app onepin-opensc-pkcs11 { pkcs11 { slots_per_card = 1; } } # Used by OpenSC.tokend on Mac OS X only app tokend { # The file to which debug log will be written # Default: /tmp/opensc-tokend.log # # debug_file = /Library/Logs/OpenSC.tokend.log framework tokend { # Score for OpenSC.tokend # The tokend with the highest score shall be used. # Default: 300 # # score = 10; # Tokend ignore to read PIN protected certificate that is set SC_PKCS15_CO_FLAG_PRIVATE flag. # Default: true # # ignore_private_certificate = false; } } # Used by OpenSC minidriver on Windows only app cardmod { }