# Configuration file for OpenSC
# Example configuration file
# NOTE: All key-value pairs must be terminated by a semicolon.
# Default values for any application
# These can be overridden by an application
# specific configuration block.
reader_drivers=pcsc;
app default {
# Amount of debug info to print
#
# A greater value means more debug info.
# Default: 0
#
debug = 0;
# The file to which debug output will be written
#
# Special values 'stdout' and 'stderr' are recognized.
# Default: stderr
#
# debug_file = /tmp/opensc-debug.log;
# debug_file = "C:\Documents and Settings\All Users\Documents\opensc-debug.log";
# PKCS#15 initialization / personalization
# profiles directory for pkcs15-init.
# Default: /usr/share/opensc
#
# profile_dir = /usr/share/opensc;
# CT-API module configuration.
reader_driver ctapi {
# module /usr/local/towitoko/lib/libtowitoko.so {
# CT-API ports:
# 0..3 COM1..4
# 4 Printer
# 5 Modem
# 6..7 LPT1..2
# ports = 0;
# }
}
# The following section shows definitions for PC/SC readers.
reader_driver pcsc {
# This sets the maximum send and receive sizes.
# Some reader drivers have limitations, so you need
# to set these values. For usb devices check the
# properties with lsusb -vv for dwMaxIFSD
#
# These values will be used for APDU communication
# and are used for maximum Lc/Le calculation
# (will not include CLA, INS, P1, P2 or SW1, SW2).
#
# Default: send: 255, recv: 256
# max_send_size = 255;
# max_recv_size = 256;
# Connect to reader in exclusive mode.
# Default: false
# connect_exclusive = true;
#
# Reset the card after disconnect.
# Default: true
# connect_reset = false;
#
# Reset the card after each transaction.
# Default: false
# transaction_reset = true;
#
# Enable pinpad if detected (PC/SC v2.0.2 Part 10)
# Default: true
# enable_pinpad = false;
#
# Use specific pcsc provider.
# Default: libpcsclite.so.1
# provider_library = libpcsclite.so.1
}
# Options for OpenCT support
reader_driver openct {
# Virtual readers to allocate.
# Default: 2
# readers = 5;
# This sets the maximum send and receive sizes.
# Some reader drivers have limitations, so you need
# to set these values. For usb devices check the
# properties with lsusb -vv for dwMaxIFSD
#
# max_send_size = 255;
# max_recv_size = 256;
};
# What card drivers to load at start-up
#
# A special value of 'internal' will load all
# statically linked drivers. If an unknown (ie. not
# internal) driver is supplied, a separate configuration
# configuration block has to be written for the driver.
# Default: internal
# NOTE: When "internal" keyword is used, must be last entry
#
# card_drivers = customcos, internal;
# Card driver configuration blocks.
# For card drivers loaded from an external shared library/DLL,
# you need to specify the path name of the module
#
# card_driver customcos {
# The location of the driver library
# module = /usr/lib/opensc/drivers/card_customcos.so;
# }
# Force using specific card driver
#
# If this option is present, OpenSC will use the supplied
# driver with all inserted cards.
#
# Default: autodetect
#
# force_card_driver = customcos;
# In addition to the built-in list of known cards in the
# card driver, you can configure a new card for the driver
# using the card_atr block. The goal is to centralize
# everything related to a certain card to card_atr.
#
# The supported internal card driver names can be retrieved
# from the output of:
# $ opensc-tool --list-drivers
# Generic format: card_atr <hex encoded ATR (case-sensitive!)>
# New card entry for the flex card driver
# card_atr 3b:f0:0d:ca:fe {
# All parameters for the context are
# optional unless specified otherwise.
# Context: global, card driver
#
# ATR mask value
#
# The mask is logically AND'd with an
# card ATR prior to comparison with the
# ATR reference value above. Using mask
# allows identifying and configuring
# multiple ATRs as the same card model.
# atrmask = "ff:ff:ff:ff:ff";
# Context: card driver
#
# Specify used card driver (REQUIRED).
#
# When enabled, overrides all possible
# settings from the card drivers built-in
# card configuration list.
# driver = "flex";
# Set card name for card drivers that allows it.
# name = "My CryptoFlex card";
# Card type as an integer value.
#
# Depending on card driver, this allows
# tuning the behaviour of the card driver
# for your card.
# type = "2002";
# Card flags as an hex value.
# Multiple values are OR'd together.
#
# Depending on card driver, this allows
# fine-tuning the capabilities in
# the card driver for your card.
#
# Optionally, some known parameters
# can be specified as strings:
#
# keygen - On-board key generation capability
# rng - On-board random number source
#
# flags = "keygen", "rng", "0x80000000";
#
# Context: PKCS#15 emulation layer
#
# When using PKCS#15 emulation, force
# the emulation driver for specific cards.
#
# Required for external drivers, but can
# be used with built-in drivers, too.
# pkcs15emu = "custom";
#
# Context: reader driver
#
# Force protocol selection for specific cards.
# Known parameters: t0, t1, raw
# force_protocol = "t0";
# }
# PIV cards need an entry similar to this one:
# card_atr 3B:7D:96:00:00:80:31:80:65:B0:83:11:00:AC:83:00:90:00 {
# name = "PIV-II";
# driver = "piv";
# }
# Estonian ID card and Micardo driver currently play together with T=0
# only. In theory only the 'cold' ATR should be specified, as T=0 will
# be the preferred protocol once you boot it up with T=0, but be
# paranoid.
card_atr 3b:6e:00:ff:45:73:74:45:49:44:20:76:65:72:20:31:2e:30 {
force_protocol = t0;
}
card_atr 3b:fe:94:00:ff:80:b1:fa:45:1f:03:45:73:74:45:49:44:20:76:65:72:20:31:2e:30:43 {
force_protocol = t0;
}
# D-Trust cards are also based on micardo and need T=0 for some reason
card_atr 3b:ff:94:00:ff:80:b1:fe:45:1f:03:00:68:d2:76:00:00:28:ff:05:1e:31:80:00:90:00:23 {
force_protocol = t0;
}
card_atr 3b:ff:11:00:ff:80:b1:fe:45:1f:03:00:68:d2:76:00:00:28:ff:05:1e:31:80:00:90:00:a6 {
force_protocol = t0;
}
# Below are the framework specific configuration blocks.
# PKCS #15
framework pkcs15 {
# Whether to use the cache files in the user's
# home directory.
#
# At the moment you have to 'teach' the card
# to the system by running command: pkcs15-tool -L
#
# WARNING: Caching shouldn't be used in setuid root
# applications.
# Default: false
# use_file_caching = true;
#
# Use PIN caching?
# Default: true
# use_pin_caching = false;
#
# How many times to use a PIN from cache before re-authenticating it?
# Default: 10
# pin_cache_counter = 3;
#
# Enable pkcs15 emulation.
# Default: yes
# enable_pkcs15_emulation = no;
#
# Prefer pkcs15 emulation code before
# the normal pkcs15 processing.
# Some cards (like esteid and pteid) work in emu-only mode,
# and do not depend on this option.
#
# Default: no
try_emulation_first = yes;
# Enable builtin emulators.
# Default: yes
# enable_builtin_emulation = no;
#
# List of the builtin pkcs15 emulators to test
# Default: esteid, openpgp, tcos, starcert, itacns, infocamere, postecert, actalis, atrust-acos, gemsafeGPK, gemsafeV1, tccardos, PIV-II;
# builtin_emulators = openpgp;
# additional settings per driver
#
# For pkcs15 emulators loaded from an external shared
# library/DLL, you need to specify the path name of the module
# and customize the card_atr example above correctly.
#
# emulate custom {
# The location of the driver library
# module = /usr/lib/opensc/drivers/p15emu_custom.so;
# }
# workaround: fix keyReference and pinReference values
# OpenSC 0.11.4 and older have a bug: integers were not
# properly encoded in asn.1 structures. So far only
# starcos cards were found to have a problem with this,
# and only these two values were found to be filled with
# the wrong value.
#
# Fortunatly those values (if present) need to be positive.
# Thus we can check if these are available and negative,
# and if so fix them by adding 256 to get the correct value.
#
# To be on the safe side, this workaround/fix can be turned
# off.
#
# Default: yes
# enable_fix_asn1_integers = no;
}
}
# Parameters for the OpenSC PKCS11 module
app opensc-pkcs11 {
pkcs11 {
# Should the module support hotplug of readers as per PKCS#11 v2.20?
# This affects slot changes and PC/SC PnP, as v2.11 applications
# are not allowed to change the length of the slot list.
# Default: true
# plug_and_play = false;
# Maximum Number of virtual slots.
# If there are more slots than defined here,
# the remaining slots will be hidden from PKCS#11.
# Default: 16
# max_virtual_slots = 32;
# Maximum number of slots per smart card.
# If the card has fewer keys than defined here,
# the remaining number of slots will be empty.
# Default: 4
# slots_per_card = 2;
# (max_virtual_slots/slots_per_card) limits the number of readers
# that can be used on the system. Default is then 16/4=4 readers.
# Normally, the pkcs11 module will create
# the full number of slots defined above by
# num_slots. If there are fewer pins/keys on
# the card, the remaining keys will be empty
# (and you will be able to create new objects
# within them).
# Default: true
# hide_empty_tokens = false;
# By default, the OpenSC PKCS#11 module will not lock your card
# once you authenticate to the card via C_Login.
#
# Thus the other users or other applications is not prevented
# from connecting to the card and perform crypto operations
# (which may be possible because you have already authenticated
# with the card). This setting is not very secure.
#
# Also, if your card is not locked, you can enconter problems
# due to limitation of the OpenSC framework, that still is not
# thoroughly tested in the multi threads environment.
#
# Your settings will be more secure if you choose to lock your
# card. Nevertheless this behavior is a known violation of PKCS#11
# specification. Now once one application has started using your
# card with C_Login, no other application can use it, until
# the first is done and calls C_Logout or C_Finalize. In the case
# of many PKCS#11 application this does not happen until you exit
# the application.
# Thus it is impossible to use several smart card aware applications
# at the same time, e.g. you cannot run both Firefox and Thunderbird at
# the same time, if both are configured to use your smart card.
#
# Default: false
lock_login = false;
# User PIN unblock style
# none: PIN unblock is not possible with PKCS#11 API;
# set_pin_in_unlogged_session: C_SetPIN() in unlogged session:
# PUK is passed as the 'OldPin' argument of the C_SetPIN() call.
# set_pin_in_specific_context: C_SetPIN() in the CKU_SPECIFIC_CONTEXT logged session:
# PUK is passed as the 'OldPin' argument of the C_SetPIN() call.
# init_pin_in_so_session: C_InitPIN() in CKU_SO logged session:
# User PIN 'UNBLOCK' is protected by SOPIN. (PUK == SOPIN).
# # Actually this style works only for the PKCS15 contents without SOPIN.
# # For those with SOPIN, this mode will be usefull for the cards without
# # modes 00 and 01 of ISO command 'RESET RETRY COUNTER'. --vt
#
# Default: none
# user_pin_unblock_style = set_pin_in_unlogged_session;
# Create slot for unblocking PIN with PUK
# This way PKCS#11 API can be used to login with PUK and
# change a PIN.
# Warning: causes problems with some applications like
# firefox and thunderbird. Thus turned off by default
#
# Default: false
# create_puk_slot = true;
# Report as 'zero' the CKA_ID attribute of CA certificate
# For the unknown reason the middleware of the manufacturer of gemalto (axalto, gemplus)
# card reports as '0' the CKA_ID of CA cartificates.
# Maybe someone else will need it. (Would be nice to know who and what for -- VTA)
#
# Default: false
# zero_ckaid_for_ca_certs = true;
# List of readers to ignore
# If any of the strings listed below is matched (case sensitive) in a reader name,
# the reader is ignored by the PKCS#11 module.
#
# Default: empty
# ignored_readers = "CardMan 1021", "SPR 532";
}
}
# Used by OpenSC.tokend on Mac OS X only.
app tokend {
# The file to which debug log will be written
# Default: /tmp/opensc-tokend.log
#
# debug_file = /Library/Logs/OpenSC.tokend.log
framework tokend {
# Score for OpenSC.tokend
# The tokend with the lowest score shall be used
# Default: 50
#
# score = 10;
}
}
app cardmod {
#allow only cardmodule pcsc reader for minidriver (mandatory)
# FIXME cardmod pcsc hack is now broken.
reader_driver cardmod {
# Enable pinpad if detected (PC/SC v2.0.2 Part 10)
# Default: true
# enable_pinpad = false;
}
} |