467
/* SERIALNO [APPTYPE]
469
Return the serial number of the card using a status reponse. This
470
function should be used to check for the presence of a card.
472
If APPTYPE is given, an application of that type is selected and an
473
error is returned if the application is not supported or available.
474
The default is to auto-select the application using a hardwired
475
preference system. Note, that a future extension to this function
476
may allow to specify a list and order of applications to try.
478
This function is special in that it can be used to reset the card.
479
Most other functions will return an error when a card change has
480
been detected and the use of this function is therefore required.
482
Background: We want to keep the client clear of handling card
483
changes between operations; i.e. the client can assume that all
484
operations are done on the same card unless he calls this function.
484
static const char hlp_serialno[] =
485
"SERIALNO [<apptype>]\n"
487
"Return the serial number of the card using a status reponse. This\n"
488
"function should be used to check for the presence of a card.\n"
490
"If APPTYPE is given, an application of that type is selected and an\n"
491
"error is returned if the application is not supported or available.\n"
492
"The default is to auto-select the application using a hardwired\n"
493
"preference system. Note, that a future extension to this function\n"
494
"may allow to specify a list and order of applications to try.\n"
496
"This function is special in that it can be used to reset the card.\n"
497
"Most other functions will return an error when a card change has\n"
498
"been detected and the use of this function is therefore required.\n"
500
"Background: We want to keep the client clear of handling card\n"
501
"changes between operations; i.e. the client can assume that all\n"
502
"operations are done on the same card unless he calls this function.";
487
504
cmd_serialno (assuan_context_t ctx, char *line)
489
506
ctrl_t ctrl = assuan_get_pointer (ctx);
524
/* LEARN [--force] [--keypairinfo]
526
Learn all useful information of the currently inserted card. When
527
used without the force options, the command might do an INQUIRE
530
INQUIRE KNOWNCARDP <hexstring_with_serialNumber> <timestamp>
532
The client should just send an "END" if the processing should go on
533
or a "CANCEL" to force the function to terminate with a Cancel
536
With the option --keypairinfo only KEYPARIINFO lstatus lines are
539
The response of this command is a list of status lines formatted as
544
This returns the type of the application, currently the strings:
546
P15 = PKCS-15 structure used
548
OPENPGP = OpenPGP card
551
are implemented. These strings are aliases for the AID
553
S KEYPAIRINFO <hexstring_with_keygrip> <hexstring_with_id>
555
If there is no certificate yet stored on the card a single "X" is
556
returned as the keygrip. In addition to the keypair info, information
557
about all certificates stored on the card is also returned:
559
S CERTINFO <certtype> <hexstring_with_id>
561
Where CERTTYPE is a number indicating the type of certificate:
563
100 := Regular X.509 cert
564
101 := Trusted X.509 cert
565
102 := Useful X.509 cert
566
110 := Root CA cert in a special format (e.g. DINSIG)
567
111 := Root CA cert as standard X509 cert.
569
For certain cards, more information will be returned:
571
S KEY-FPR <no> <hexstring>
573
For OpenPGP cards this returns the stored fingerprints of the
574
keys. This can be used check whether a key is available on the
575
card. NO may be 1, 2 or 3.
577
S CA-FPR <no> <hexstring>
579
Similar to above, these are the fingerprints of keys assumed to be
582
S DISP-NAME <name_of_card_holder>
584
The name of the card holder as stored on the card; percent
585
escaping takes place, spaces are encoded as '+'
589
The URL to be used for locating the entire public key.
591
Note, that this function may even be used on a locked card.
539
static const char hlp_learn[] =
540
"LEARN [--force] [--keypairinfo]\n"
542
"Learn all useful information of the currently inserted card. When\n"
543
"used without the force options, the command might do an INQUIRE\n"
546
" INQUIRE KNOWNCARDP <hexstring_with_serialNumber> <timestamp>\n"
548
"The client should just send an \"END\" if the processing should go on\n"
549
"or a \"CANCEL\" to force the function to terminate with a Cancel\n"
552
"With the option --keypairinfo only KEYPARIINFO lstatus lines are\n"
555
"The response of this command is a list of status lines formatted as\n"
558
" S APPTYPE <apptype>\n"
560
"This returns the type of the application, currently the strings:\n"
562
" P15 = PKCS-15 structure used\n"
563
" DINSIG = DIN SIG\n"
564
" OPENPGP = OpenPGP card\n"
565
" NKS = NetKey card\n"
567
"are implemented. These strings are aliases for the AID\n"
569
" S KEYPAIRINFO <hexstring_with_keygrip> <hexstring_with_id>\n"
571
"If there is no certificate yet stored on the card a single 'X' is\n"
572
"returned as the keygrip. In addition to the keypair info, information\n"
573
"about all certificates stored on the card is also returned:\n"
575
" S CERTINFO <certtype> <hexstring_with_id>\n"
577
"Where CERTTYPE is a number indicating the type of certificate:\n"
579
" 100 := Regular X.509 cert\n"
580
" 101 := Trusted X.509 cert\n"
581
" 102 := Useful X.509 cert\n"
582
" 110 := Root CA cert in a special format (e.g. DINSIG)\n"
583
" 111 := Root CA cert as standard X509 cert.\n"
585
"For certain cards, more information will be returned:\n"
587
" S KEY-FPR <no> <hexstring>\n"
589
"For OpenPGP cards this returns the stored fingerprints of the\n"
590
"keys. This can be used check whether a key is available on the\n"
591
"card. NO may be 1, 2 or 3.\n"
593
" S CA-FPR <no> <hexstring>\n"
595
"Similar to above, these are the fingerprints of keys assumed to be\n"
596
"ultimately trusted.\n"
598
" S DISP-NAME <name_of_card_holder>\n"
600
"The name of the card holder as stored on the card; percent\n"
601
"escaping takes place, spaces are encoded as '+'\n"
603
" S PUBKEY-URL <url>\n"
605
"The URL to be used for locating the entire public key.\n"
607
"Note, that this function may even be used on a locked card.";
594
609
cmd_learn (assuan_context_t ctx, char *line)
596
611
ctrl_t ctrl = assuan_get_pointer (ctx);
1045
This command is used to retrieve data from a smartcard. The
1046
allowed names depend on the currently selected smartcard
1047
application. NAME must be percent and '+' escaped. The value is
1048
returned through status message, see the LEARN command for details.
1050
However, the current implementation assumes that Name is not escaped;
1051
this works as long as noone uses arbitrary escaping.
1053
Note, that this function may even be used on a locked card.
1056
static const char hlp_getattr[] =
1059
"This command is used to retrieve data from a smartcard. The\n"
1060
"allowed names depend on the currently selected smartcard\n"
1061
"application. NAME must be percent and '+' escaped. The value is\n"
1062
"returned through status message, see the LEARN command for details.\n"
1064
"However, the current implementation assumes that Name is not escaped;\n"
1065
"this works as long as noone uses arbitrary escaping. \n"
1067
"Note, that this function may even be used on a locked card.";
1056
1069
cmd_getattr (assuan_context_t ctx, char *line)
1058
1071
ctrl_t ctrl = assuan_get_pointer (ctx);
1082
/* SETATTR <name> <value>
1084
This command is used to store data on a a smartcard. The allowed
1085
names and values are depend on the currently selected smartcard
1086
application. NAME and VALUE must be percent and '+' escaped.
1088
However, the current implementation assumes that NAME is not
1089
escaped; this works as long as noone uses arbitrary escaping.
1091
A PIN will be requested for most NAMEs. See the corresponding
1092
setattr function of the actually used application (app-*.c) for
1095
static const char hlp_setattr[] =
1096
"SETATTR <name> <value> \n"
1098
"This command is used to store data on a a smartcard. The allowed\n"
1099
"names and values are depend on the currently selected smartcard\n"
1100
"application. NAME and VALUE must be percent and '+' escaped.\n"
1102
"However, the current implementation assumes that NAME is not\n"
1103
"escaped; this works as long as noone uses arbitrary escaping.\n"
1105
"A PIN will be requested for most NAMEs. See the corresponding\n"
1106
"setattr function of the actually used application (app-*.c) for\n"
1095
1109
cmd_setattr (assuan_context_t ctx, char *orig_line)
1097
1111
ctrl_t ctrl = assuan_get_pointer (ctx);
1135
/* WRITECERT <hexified_certid>
1137
This command is used to store a certifciate on a smartcard. The
1138
allowed certids depend on the currently selected smartcard
1139
application. The actual certifciate is requested using the inquiry
1140
"CERTDATA" and needs to be provided in its raw (e.g. DER) form.
1142
In almost all cases a a PIN will be requested. See the related
1143
writecert function of the actually used application (app-*.c) for
1148
static const char hlp_writecert[] =
1149
"WRITECERT <hexified_certid>\n"
1151
"This command is used to store a certifciate on a smartcard. The\n"
1152
"allowed certids depend on the currently selected smartcard\n"
1153
"application. The actual certifciate is requested using the inquiry\n"
1154
"\"CERTDATA\" and needs to be provided in its raw (e.g. DER) form.\n"
1156
"In almost all cases a a PIN will be requested. See the related\n"
1157
"writecert function of the actually used application (app-*.c) for\n"
1146
1160
cmd_writecert (assuan_context_t ctx, char *line)
1148
1162
ctrl_t ctrl = assuan_get_pointer (ctx);
1197
/* WRITEKEY [--force] <keyid>
1199
This command is used to store a secret key on a a smartcard. The
1200
allowed keyids depend on the currently selected smartcard
1201
application. The actual keydata is requested using the inquiry
1202
"KEYDATA" and need to be provided without any protection. With
1203
--force set an existing key under this KEYID will get overwritten.
1204
The keydata is expected to be the usual canonical encoded
1207
A PIN will be requested for most NAMEs. See the corresponding
1208
writekey function of the actually used application (app-*.c) for
1210
static const char hlp_writekey[] =
1211
"WRITEKEY [--force] <keyid> \n"
1213
"This command is used to store a secret key on a a smartcard. The\n"
1214
"allowed keyids depend on the currently selected smartcard\n"
1215
"application. The actual keydata is requested using the inquiry\n"
1216
"\"KEYDATA\" and need to be provided without any protection. With\n"
1217
"--force set an existing key under this KEYID will get overwritten.\n"
1218
"The keydata is expected to be the usual canonical encoded\n"
1221
"A PIN will be requested for most NAMEs. See the corresponding\n"
1222
"writekey function of the actually used application (app-*.c) for\n"
1211
1225
cmd_writekey (assuan_context_t ctx, char *line)
1213
1227
ctrl_t ctrl = assuan_get_pointer (ctx);
1264
/* GENKEY [--force] [--timestamp=<isodate>] <no>
1266
Generate a key on-card identified by NO, which is application
1267
specific. Return values are application specific. For OpenPGP
1268
cards 2 status lines are returned:
1270
S KEY-FPR <hexstring>
1271
S KEY-CREATED-AT <seconds_since_epoch>
1272
S KEY-DATA [p|n] <hexdata>
1274
--force is required to overwrite an already existing key. The
1275
KEY-CREATED-AT is required for further processing because it is
1276
part of the hashed key material for the fingerprint.
1278
If --timestamp is given an OpenPGP key will be created using this
1279
value. The value needs to be in ISO Format; e.g.
1280
"--timestamp=20030316T120000" and after 1970-01-01 00:00:00.
1282
The public part of the key can also later be retrieved using the
1277
static const char hlp_genkey[] =
1278
"GENKEY [--force] [--timestamp=<isodate>] <no>\n"
1280
"Generate a key on-card identified by NO, which is application\n"
1281
"specific. Return values are application specific. For OpenPGP\n"
1282
"cards 2 status lines are returned:\n"
1284
" S KEY-FPR <hexstring>\n"
1285
" S KEY-CREATED-AT <seconds_since_epoch>\n"
1286
" S KEY-DATA [p|n] <hexdata>\n"
1288
"--force is required to overwrite an already existing key. The\n"
1289
"KEY-CREATED-AT is required for further processing because it is\n"
1290
"part of the hashed key material for the fingerprint.\n"
1292
"If --timestamp is given an OpenPGP key will be created using this\n"
1293
"value. The value needs to be in ISO Format; e.g.\n"
1294
"\"--timestamp=20030316T120000\" and after 1970-01-01 00:00:00.\n"
1296
"The public part of the key can also later be retrieved using the\n"
1287
1299
cmd_genkey (assuan_context_t ctx, char *line)
1289
1301
ctrl_t ctrl = assuan_get_pointer (ctx);
1381
/* PASSWD [--reset] [--nullpin] <chvno>
1383
Change the PIN or, if --reset is given, reset the retry counter of
1384
the card holder verfication vector CHVNO. The option --nullpin is
1385
used for TCOS cards to set the initial PIN. The format of CHVNO
1386
depends on the card application. */
1397
static const char hlp_passwd[] =
1398
"PASSWD [--reset] [--nullpin] <chvno>\n"
1400
"Change the PIN or, if --reset is given, reset the retry counter of\n"
1401
"the card holder verfication vector CHVNO. The option --nullpin is\n"
1402
"used for TCOS cards to set the initial PIN. The format of CHVNO\n"
1403
"depends on the card application.";
1388
1405
cmd_passwd (assuan_context_t ctx, char *line)
1390
1407
ctrl_t ctrl = assuan_get_pointer (ctx);
1433
Perform a VERIFY operation without doing anything else. This may
1434
be used to initialize a the PIN cache earlier to long lasting
1435
operations. Its use is highly application dependent.
1439
Perform a simple verify operation for CHV1 and CHV2, so that
1440
further operations won't ask for CHV2 and it is possible to do a
1441
cheap check on the PIN: If there is something wrong with the PIN
1442
entry system, only the regular CHV will get blocked and not the
1443
dangerous CHV3. IDSTR is the usual card's serial number in hex
1444
notation; an optional fingerprint part will get ignored. There
1445
is however a special mode if the IDSTR is sffixed with the
1446
literal string "[CHV3]": In this case the Admin PIN is checked
1447
if and only if the retry counter is still at 3.
1451
Any of the valid PIN Ids may be used. These are the strings:
1453
PW1.CH - Global password 1
1454
PW2.CH - Global password 2
1455
PW1.CH.SIG - SigG password 1
1456
PW2.CH.SIG - SigG password 2
1458
For a definitive list, see the implementation in app-nks.c.
1459
Note that we call a PW2.* PIN a "PUK" despite that since TCOS
1460
3.0 they are technically alternative PINs used to mutally
1448
static const char hlp_checkpin[] =
1449
"CHECKPIN <idstr>\n"
1451
"Perform a VERIFY operation without doing anything else. This may\n"
1452
"be used to initialize a the PIN cache earlier to long lasting\n"
1453
"operations. Its use is highly application dependent.\n"
1457
" Perform a simple verify operation for CHV1 and CHV2, so that\n"
1458
" further operations won't ask for CHV2 and it is possible to do a\n"
1459
" cheap check on the PIN: If there is something wrong with the PIN\n"
1460
" entry system, only the regular CHV will get blocked and not the\n"
1461
" dangerous CHV3. IDSTR is the usual card's serial number in hex\n"
1462
" notation; an optional fingerprint part will get ignored. There\n"
1463
" is however a special mode if the IDSTR is sffixed with the\n"
1464
" literal string \"[CHV3]\": In this case the Admin PIN is checked\n"
1465
" if and only if the retry counter is still at 3.\n"
1469
" Any of the valid PIN Ids may be used. These are the strings:\n"
1471
" PW1.CH - Global password 1\n"
1472
" PW2.CH - Global password 2\n"
1473
" PW1.CH.SIG - SigG password 1\n"
1474
" PW2.CH.SIG - SigG password 2\n"
1476
" For a definitive list, see the implementation in app-nks.c.\n"
1477
" Note that we call a PW2.* PIN a \"PUK\" despite that since TCOS\n"
1478
" 3.0 they are technically alternative PINs used to mutally\n"
1479
" unblock each other.";
1465
1481
cmd_checkpin (assuan_context_t ctx, char *line)
1467
1483
ctrl_t ctrl = assuan_get_pointer (ctx);
1571
Multi purpose command to return certain information.
1572
Supported values of WHAT are:
1574
version - Return the version of the program.
1575
pid - Return the process id of the server.
1577
socket_name - Return the name of the socket.
1579
status - Return the status of the current slot (in the future, may
1580
also return the status of all slots). The status is a list of
1581
one-character flags. The following flags are currently defined:
1582
'u' Usable card present. This is the normal state during operation.
1583
'r' Card removed. A reset is necessary.
1584
These flags are exclusive.
1586
reader_list - Return a list of detected card readers. Does
1587
currently only work with the internal CCID driver.
1589
deny_admin - Returns OK if admin commands are not allowed or
1590
GPG_ERR_GENERAL if admin commands are allowed.
1592
app_list - Return a list of supported applications. One
1593
application per line, fields delimited by colons,
1594
first field is the name.
1585
static const char hlp_getinfo[] =
1588
"Multi purpose command to return certain information. \n"
1589
"Supported values of WHAT are:\n"
1591
"version - Return the version of the program.\n"
1592
"pid - Return the process id of the server.\n"
1594
"socket_name - Return the name of the socket.\n"
1596
"status - Return the status of the current slot (in the future, may\n"
1597
"also return the status of all slots). The status is a list of\n"
1598
"one-character flags. The following flags are currently defined:\n"
1599
" 'u' Usable card present. This is the normal state during operation.\n"
1600
" 'r' Card removed. A reset is necessary.\n"
1601
"These flags are exclusive.\n"
1603
"reader_list - Return a list of detected card readers. Does\n"
1604
" currently only work with the internal CCID driver.\n"
1606
"deny_admin - Returns OK if admin commands are not allowed or\n"
1607
" GPG_ERR_GENERAL if admin commands are allowed.\n"
1609
"app_list - Return a list of supported applications. One\n"
1610
" application per line, fields delimited by colons,\n"
1611
" first field is the name.";
1598
1613
cmd_getinfo (assuan_context_t ctx, char *line)
1679
Restart the current connection; this is a kind of warm reset. It
1680
deletes the context used by this connection but does not send a
1681
RESET to the card. Thus the card itself won't get reset.
1683
This is used by gpg-agent to reuse a primary pipe connection and
1684
may be used by clients to backup from a conflict in the serial
1685
command; i.e. to select another application.
1692
static const char hlp_restart[] =
1695
"Restart the current connection; this is a kind of warm reset. It\n"
1696
"deletes the context used by this connection but does not send a\n"
1697
"RESET to the card. Thus the card itself won't get reset. \n"
1699
"This is used by gpg-agent to reuse a primary pipe connection and\n"
1700
"may be used by clients to backup from a conflict in the serial\n"
1701
"command; i.e. to select another application.";
1689
1703
cmd_restart (assuan_context_t ctx, char *line)
1691
1705
ctrl_t ctrl = assuan_get_pointer (ctx);
1727
/* APDU [--atr] [--more] [--exlen[=N]] [hexstring]
1729
Send an APDU to the current reader. This command bypasses the high
1730
level functions and sends the data directly to the card. HEXSTRING
1731
is expected to be a proper APDU. If HEXSTRING is not given no
1732
commands are set to the card but the command will implictly check
1733
whether the card is ready for use.
1735
Using the option "--atr" returns the ATR of the card as a status
1736
message before any data like this:
1737
S CARD-ATR 3BFA1300FF813180450031C173C00100009000B1
1739
Using the option --more handles the card status word MORE_DATA
1740
(61xx) and concatenates all reponses to one block.
1742
Using the option "--exlen" the returned APDU may use extended
1743
length up to N bytes. If N is not given a default value is used
1741
static const char hlp_apdu[] =
1742
"APDU [--atr] [--more] [--exlen[=N]] [hexstring]\n"
1744
"Send an APDU to the current reader. This command bypasses the high\n"
1745
"level functions and sends the data directly to the card. HEXSTRING\n"
1746
"is expected to be a proper APDU. If HEXSTRING is not given no\n"
1747
"commands are set to the card but the command will implictly check\n"
1748
"whether the card is ready for use. \n"
1750
"Using the option \"--atr\" returns the ATR of the card as a status\n"
1751
"message before any data like this:\n"
1752
" S CARD-ATR 3BFA1300FF813180450031C173C00100009000B1\n"
1754
"Using the option --more handles the card status word MORE_DATA\n"
1755
"(61xx) and concatenates all reponses to one block.\n"
1757
"Using the option \"--exlen\" the returned APDU may use extended\n"
1758
"length up to N bytes. If N is not given a default value is used\n"
1759
"(currently 4096).";
1747
1761
cmd_apdu (assuan_context_t ctx, char *line)
1749
1763
ctrl_t ctrl = assuan_get_pointer (ctx);
1844
1861
static struct {
1845
1862
const char *name;
1846
int (*handler)(assuan_context_t, char *line);
1863
assuan_handler_t handler;
1864
const char * const help;
1848
{ "SERIALNO", cmd_serialno },
1849
{ "LEARN", cmd_learn },
1850
{ "READCERT", cmd_readcert },
1851
{ "READKEY", cmd_readkey },
1852
{ "SETDATA", cmd_setdata },
1853
{ "PKSIGN", cmd_pksign },
1854
{ "PKAUTH", cmd_pkauth },
1855
{ "PKDECRYPT", cmd_pkdecrypt },
1866
{ "SERIALNO", cmd_serialno, hlp_serialno },
1867
{ "LEARN", cmd_learn, hlp_learn },
1868
{ "READCERT", cmd_readcert, hlp_readcert },
1869
{ "READKEY", cmd_readkey, hlp_readkey },
1870
{ "SETDATA", cmd_setdata, hlp_setdata },
1871
{ "PKSIGN", cmd_pksign, hlp_pksign },
1872
{ "PKAUTH", cmd_pkauth, hlp_pkauth },
1873
{ "PKDECRYPT", cmd_pkdecrypt,hlp_pkdecrypt },
1856
1874
{ "INPUT", NULL },
1857
1875
{ "OUTPUT", NULL },
1858
{ "GETATTR", cmd_getattr },
1859
{ "SETATTR", cmd_setattr },
1860
{ "WRITECERT", cmd_writecert },
1861
{ "WRITEKEY", cmd_writekey },
1862
{ "GENKEY", cmd_genkey },
1863
{ "RANDOM", cmd_random },
1864
{ "PASSWD", cmd_passwd },
1865
{ "CHECKPIN", cmd_checkpin },
1866
{ "LOCK", cmd_lock },
1867
{ "UNLOCK", cmd_unlock },
1868
{ "GETINFO", cmd_getinfo },
1869
{ "RESTART", cmd_restart },
1870
{ "DISCONNECT", cmd_disconnect },
1871
{ "APDU", cmd_apdu },
1872
{ "KILLSCD", cmd_killscd },
1876
{ "GETATTR", cmd_getattr, hlp_getattr },
1877
{ "SETATTR", cmd_setattr, hlp_setattr },
1878
{ "WRITECERT", cmd_writecert,hlp_writecert },
1879
{ "WRITEKEY", cmd_writekey, hlp_writekey },
1880
{ "GENKEY", cmd_genkey, hlp_genkey },
1881
{ "RANDOM", cmd_random, hlp_random },
1882
{ "PASSWD", cmd_passwd, hlp_passwd },
1883
{ "CHECKPIN", cmd_checkpin, hlp_checkpin },
1884
{ "LOCK", cmd_lock, hlp_lock },
1885
{ "UNLOCK", cmd_unlock, hlp_unlock },
1886
{ "GETINFO", cmd_getinfo, hlp_getinfo },
1887
{ "RESTART", cmd_restart, hlp_restart },
1888
{ "DISCONNECT", cmd_disconnect,hlp_disconnect },
1889
{ "APDU", cmd_apdu, hlp_apdu },
1890
{ "KILLSCD", cmd_killscd, hlp_killscd },
1877
1895
for (i=0; table[i].name; i++)
1879
rc = assuan_register_command (ctx, table[i].name, table[i].handler);
1897
rc = assuan_register_command (ctx, table[i].name, table[i].handler,