# Configuration file for OpenSC # Example configuration file # NOTE: All key-value pairs must be terminated by a semicolon. # Default values for any application # These can be overridden by an application # specific configuration block. app default { # Amount of debug info to print # # A greater value means more debug info. # Default: 0 # debug = 0; # The file to which debug output will be written # # A special value of 'stdout' is recognized. # Default: stdout # # debug_file = /tmp/opensc-debug.log; # debug_file = "C:\Documents and Settings\All Users\Documents\opensc-debug.log"; # The file to which errors will be written # # A special value of 'stderr' is recognized. # Default: stderr # # error_file = /tmp/opensc-errors.log; # error_file = "C:\Documents and Settings\All Users\Documents\opensc-errors.log"; # PKCS#15 initialization / personalization # profiles directory for pkcs15-init. # Default: /usr/share/opensc # # profile_dir = /usr/share/opensc; # What reader drivers to load at start-up # # A special value of 'internal' will load all # statically linked drivers. If an unknown (ie. not # internal) driver is supplied, a separate configuration # configuration block has to be written for the driver. # Default: internal # NOTE: if "internal" keyword is used, must be the # last entry in reader_drivers list # # reader_drivers = openct, pcsc, ctapi; reader_drivers = pcsc; reader_driver ctapi { # module /usr/local/towitoko/lib/libtowitoko.so { # CT-API ports: # 0..3 COM1..4 # 4 Printer # 5 Modem # 6..7 LPT1..2 # ports = 0; # } } # Define parameters specific to your readers. # The following section shows definitions for PC/SC readers, # but the same set of variables are applicable to ctapi and # openct readers, simply by using "reader_driver ctapi" and # "reader_driver openct", respectively. reader_driver pcsc { # This sets the maximum send and receive sizes. # Some reader drivers have limitations, so you need # to set these values. For usb devices check the # properties with lsusb -vv for dwMaxIFSD # max_send_size=252; max_recv_size=252; # Connect to reader in exclusive mode. # Default: false # connect_exclusive = true; # # Reset the card after disconnect. # Default: true # connect_reset = false; # # Reset the card after each transaction. # Default: false # transaction_reset = true; # # Enable pinpad if detected (PC/SC v2.0.2 Part 10) # Default: false # enable_pinpad = true; # # Use specific pcsc provider. # Default: /usr/lib/libpcsclite.so.1 # provider_library = /usr/lib/libpcsclite.so.1 } # Options for OpenCT support reader_driver openct { # Virtual readers to allocate. # Default: 2 # readers = 5; # This sets the maximum send and receive sizes. # Some reader drivers have limitations, so you need # to set these values. For usb devices check the # properties with lsusb -vv for dwMaxIFSD # max_send_size=252; max_recv_size=252; }; # What card drivers to load at start-up # # A special value of 'internal' will load all # statically linked drivers. If an unknown (ie. not # internal) driver is supplied, a separate configuration # configuration block has to be written for the driver. # Default: internal # NOTE: When "internal" keyword is used, must be last entry # # card_drivers = customcos, internal; card_drivers = ceres; card_driver ceres { #The location of the driver library module = /usr/lib/libopensc-ceres.so; } # Card driver configuration blocks. # For card drivers loaded from an external shared library/DLL, # you need to specify the path name of the module # # card_driver customcos { # The location of the driver library # module = /usr/lib/opensc/drivers/card_customcos.so; # } # Special configuration data for dnie card driver # card_driver dnie { # # Enable/Disable user consent on signing (default: enable) # user_consent_enabled = true; # # Program to be used for ask confirmation (default: pinentry) # user_consent_app = /usr/bin/pinentry; # } card_drivers = internal; # Force using specific card driver # # If this option is present, OpenSC will use the supplied # driver with all inserted cards. # # Default: autodetect # # force_card_driver = customcos; # In addition to the built-in list of known cards in the # card driver, you can configure a new card for the driver # using the card_atr block. The goal is to centralize # everything related to a certain card to card_atr. # # The supported internal card driver names can be retrieved # from the output of: # $ opensc-tool --list-drivers # Generic format: card_atr # New card entry for the flex card driver # card_atr 3b:f0:0d:ca:fe { # All parameters for the context are # optional unless specified otherwise. # Context: global, card driver # # ATR mask value # # The mask is logically AND'd with an # card ATR prior to comparison with the # ATR reference value above. Using mask # allows identifying and configuring # multiple ATRs as the same card model. # atrmask = "ff:ff:ff:ff:ff"; # Context: card driver # # Specify used card driver (REQUIRED). # # When enabled, overrides all possible # settings from the card drivers built-in # card configuration list. # driver = "flex"; # Set card name for card drivers that allows it. # name = "My CryptoFlex card"; # Card type as an integer value. # # Depending on card driver, this allows # tuning the behaviour of the card driver # for your card. # type = "2002"; # Card flags as an hex value. # Multiple values are OR'd together. # # Depending on card driver, this allows # fine-tuning the capabilities in # the card driver for your card. # # Optionally, some known parameters # can be specified as strings: # # keygen - On-board key generation capability # rng - On-board random number source # # flags = "keygen", "rng", "0x80000000"; # # Context: PKCS#15 emulation layer # # When using PKCS#15 emulation, force # the emulation driver for specific cards. # # Required for external drivers, but can # be used with built-in drivers, too. # pkcs15emu = "custom"; # # Context: reader driver # # Force protocol selection for specific cards. # Known parameters: t0, t1, raw # force_protocol = "t0"; # } # PIV cards need an entry similar to this one: # card_atr 3B:7D:96:00:00:80:31:80:65:B0:83:11:00:AC:83:00:90:00 { # name = "PIV-II"; # driver = "piv"; # } # Estonian ID card and Micardo driver currently play together with T=0 # only. In theory only the 'cold' ATR should be specified, as T=0 will # be the preferred protocol once you boot it up with T=0, but be # paranoid. card_atr 3b:6e:00:ff:45:73:74:45:49:44:20:76:65:72:20:31:2e:30 { force_protocol = t0; } card_atr 3b:fe:94:00:ff:80:b1:fa:45:1f:03:45:73:74:45:49:44:20:76:65:72:20:31:2e:30:43 { force_protocol = t0; } # D-Trust cards are also based on micardo and need T=0 for some reason card_atr 3b:ff:94:00:ff:80:b1:fe:45:1f:03:00:68:d2:76:00:00:28:ff:05:1e:31:80:00:90:00:23 { force_protocol = t0; } card_atr 3b:ff:11:00:ff:80:b1:fe:45:1f:03:00:68:d2:76:00:00:28:ff:05:1e:31:80:00:90:00:a6 { force_protocol = t0; } # Below are the framework specific configuration blocks. # PKCS #15 framework pkcs15 { # Whether to use the cache files in the user's # home directory. # # At the moment you have to 'teach' the card # to the system by running command: pkcs15-tool -L # # WARNING: Caching shouldn't be used in setuid root # applications. # Default: false use_caching = true; # Enable pkcs15 emulation. # Default: yes # enable_pkcs15_emulation = no; # # Prefer pkcs15 emulation code before # the normal pkcs15 processing. # Default: no # try_emulation_first = yes; # Enable builtin emulators. # Default: yes # enable_builtin_emulation = no; # # List of the builtin pkcs15 emulators to test # Default: esteid, openpgp, tcos, starcert, infocamere, postecert, actalis, atrust-acos, gemsafeGPK, gemsafeV1, tccardos, PIV-II; # builtin_emulators = openpgp; # additional settings per driver # # For pkcs15 emulators loaded from an external shared # library/DLL, you need to specify the path name of the module # and customize the card_atr example above correctly. # # emulate custom { # The location of the driver library # module = /usr/lib/opensc/drivers/p15emu_custom.so # } pkcs15init ceres { # The location of the driver library module = /usr/lib/libpkcs15init-ceres.so; } # workaround: use rsa decrypt operation for signing # some cardos cards need this, if initializes with certain # versions of the siemens software # we have an auto detection, but it is not 100% reliable, # so you can turn it off, if it misbehaves. # this option only affects cardos cards right now. # Default: yes # enable_sign_with_decrypt_workaround = no; # workaround: fix keyReference and pinReference values # OpenSC 0.11.4 and older have a bug: integers were not # properly encoded in asn.1 structures. So far only # starcos cards were found to have a problem with this, # and only these two values were found to be filled with # the wrong value. # # Fortunatly those values (if present) need to be positive. # Thus we can check if these are available and negative, # and if so fix them by adding 256 to get the correct value. # # To be on the safe side, this workaround/fix can be turned # off. # # Default: yes # enable_fix_asn1_integers = no; } } # Parameters for the OpenSC PKCS11 module app opensc-pkcs11 { pkcs11 { # Should the module support hotplug of readers as per PKCS#11 v2.20? # This affects slot changes and PC/SC PnP, as v2.11 applications # are not allowed to change the length of the slot list. # Default: true # plug_and_play = false; # Maximum Number of virtual slots. # If there are more slots than defined here, # the remaining slots will be hidden from PKCS#11. # Default: 16 # max_virtual_slots = 32; # Maximum number of slots per smart card. # If the card has fewer keys than defined here, # the remaining number of slots will be empty. # Default: 4 # slots_per_card = 2; # (max_virtual_slots/slots_per_card) limits the number of readers # that can be used on the system. Default is then 16/4=4 readers. # Normally, the pkcs11 module will create # the full number of slots defined above by # num_slots. If there are fewer pins/keys on # the card, the remaining keys will be empty # (and you will be able to create new objects # within them). # Default: true # hide_empty_tokens = false; # By default, the OpenSC PKCS#11 module will lock your card # once you authenticate to the card via C_Login. # This is to prevent other users or other applications # from connecting to the card and perform crypto operations # (which may be possible because you have already authenticated # with the card). Thus this setting is very secure. # # This behavior is a known violation of PKCS#11 specification, # and is forced due to limitation of the OpenSC framework. # # However now once one application has started using your # card with C_Login, no other application can use it, until # the first is done and calls C_Logout or C_Finalize. # In the case of many PKCS#11 application this does not happen # until you exit the application. # # Thus it is impossible to use several smart card aware # applications at the same time, e.g. you cannot run both # Firefox and Thunderbird at the same time, if both are # configured to use your smart card. # # Default: true # lock_login = false; # Normally, the pkcs11 module will not cache PINs # presented via C_Login. However, some cards # may not work properly with OpenSC; for instance # when you have two keys on your card that get # stored in two different directories. # # In this case, you can turn on PIN caching by setting # cache_pins = true # # Default: true # cache_pins = false; # Set this value to true if you want to allow off-card # keypair generation (in software on your pc) # # Default: false # soft_keygen_allowed = true; } } app tokend { # Score for OpenSC.tokend framework tokend { score = 10; } }