forked from OpenSC/OpenSC
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathopensc.conf.win.in
646 lines (573 loc) · 21.2 KB
/
opensc.conf.win.in
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
# Configuration file for OpenSC
# Example configuration file
# NOTE: All key-value pairs must be terminated by a semicolon.
# Default values for any application
# These can be overridden by an application
# specific configuration block.
app default {
# Amount of debug info to print
#
# A greater value means more debug info.
# Default: 0
#
debug = 0;
# The file to which debug output will be written
#
# Special values 'stdout' and 'stderr' are recognized.
# Default: stderr
#
# debug_file = %TEMP%\opensc-debug.log
# Re-open debug file (used in WIN32)
#
# In Windows, file handles can not be shared between DLL-s,
# each DLL has a separate file handle table.
# For that reason reopen debug file before every debug message.
#
# Default: true
# reopen_debug_file = false;
# PKCS#15 initialization / personalization
# profiles directory for pkcs15-init.
# Default: obtained from windows registers
#
# profile_dir = "";
# Paranoid memory allocation.
#
# If set to 'true', then refuse to continue when locking of non-pageable
# memory fails. This can cause subtle failures but is more secure when
# you have a swap disk.
# Default: false
#
# paranoid_memory = false;
# Enable default card driver
# Default card driver is explicitely enabled for the 'opensc-explorer' and 'opensc-tool'.
#
# Default: false
# enable_default_driver = true;
# CT-API module configuration.
reader_driver ctapi {
# module @libdir@/libtowitoko.so {
# CT-API ports:
# 0..3 COM1..4
# 4 Printer
# 5 Modem
# 6..7 LPT1..2
# ports = 0;
# }
}
# The following section shows definitions for PC/SC readers.
reader_driver pcsc {
# Limit command and response sizes.
# Default: n/a
# max_send_size = 255;
# max_recv_size = 256;
#
# Connect to reader in exclusive mode?
# Default: false
# connect_exclusive = true;
#
# What to do when disconnecting from a card (SCardDisconnect)
# Valid values: leave, reset, unpower.
# Default: reset
# disconnect_action = unpower;
#
# What to do at the end of a transaction (SCardEndTransaction)
# Valid values: leave, reset, unpower.
# Default: leave
# transaction_end_action = reset;
#
# What to do when reconnection to a card (SCardReconnect)
# Valid values: leave, reset, unpower.
# Note that this affects only the internal reconnect (after a SCARD_W_RESET_CARD).
# A forced reset via sc_reset() always does a full powerup.
# Default: leave
# reconnect_action = reset;
#
# Enable pinpad if detected (PC/SC v2.0.2 Part 10)
# Default: true
# enable_pinpad = false;
#
# Use specific pcsc provider.
# Default: winscard.dll
# provider_library = winscard.dll
}
# Options for OpenCT support
reader_driver openct {
# Virtual readers to allocate.
# Default: 2
# readers = 5;
#
# Limit command and response sizes.
# Default: n/a
# max_send_size = 255;
# max_recv_size = 256;
};
# What card drivers to load at start-up
#
# A special value of 'internal' will load all
# statically linked drivers. If an unknown (ie. not
# internal) driver is supplied, a separate configuration
# configuration block has to be written for the driver.
# Default: internal
# NOTE: When "internal" keyword is used, must be last entry
#
# card_drivers = customcos, internal;
# Card driver configuration blocks.
# For card drivers loaded from an external shared library/DLL,
# you need to specify the path name of the module
#
# card_driver customcos {
# The location of the driver library
# module = @libdir@/card_customcos.so;
# }
# Force using specific card driver
#
# If this option is present, OpenSC will use the supplied
# driver with all inserted cards.
#
# Default: autodetect
#
# force_card_driver = customcos;
# In addition to the built-in list of known cards in the
# card driver, you can configure a new card for the driver
# using the card_atr block. The goal is to centralize
# everything related to a certain card to card_atr.
#
# The supported internal card driver names can be retrieved
# from the output of:
# $ opensc-tool --list-drivers
# Generic format: card_atr <hex encoded ATR (case-sensitive!)>
# New card entry for the flex card driver
# card_atr 3b:f0:0d:ca:fe {
# All parameters for the context are
# optional unless specified otherwise.
# Context: global, card driver
#
# ATR mask value
#
# The mask is logically AND'd with an
# card ATR prior to comparison with the
# ATR reference value above. Using mask
# allows identifying and configuring
# multiple ATRs as the same card model.
# atrmask = "ff:ff:ff:ff:ff";
# Context: card driver
#
# Specify used card driver (REQUIRED).
#
# When enabled, overrides all possible
# settings from the card drivers built-in
# card configuration list.
# driver = "flex";
# Set card name for card drivers that allows it.
# name = "My CryptoFlex card";
# Card type as an integer value.
#
# Depending on card driver, this allows
# tuning the behaviour of the card driver
# for your card.
# type = "2002";
# Card flags as an hex value.
# Multiple values are OR'd together.
#
# Depending on card driver, this allows
# fine-tuning the capabilities in
# the card driver for your card.
#
# Optionally, some known parameters
# can be specified as strings:
#
# rng - On-board random number source
#
# flags = "rng", "0x80000000";
#
# Context: PKCS#15 emulation layer
#
# When using PKCS#15 emulation, force
# the emulation driver for specific cards.
#
# Required for external drivers, but can
# be used with built-in drivers, too.
# pkcs15emu = "custom";
#
# Context: reader driver
#
# Force protocol selection for specific cards.
# Known parameters: t0, t1, raw
# force_protocol = "t0";
# }
# PIV cards need an entry similar to this one:
# card_atr 3B:7D:96:00:00:80:31:80:65:B0:83:11:00:AC:83:00:90:00 {
# name = "PIV-II";
# driver = "piv";
# }
# Estonian ID card and Micardo driver sometimes only play together with T=0
# In theory only the 'cold' ATR should be specified, as T=0 will
# be the preferred protocol once you boot it up with T=0, but be
# paranoid.
#
# Warm ATR v1
card_atr 3b:6e:00:ff:45:73:74:45:49:44:20:76:65:72:20:31:2e:30 {
force_protocol = t0;
}
# Cold ATR v1
card_atr 3b:fe:94:00:ff:80:b1:fa:45:1f:03:45:73:74:45:49:44:20:76:65:72:20:31:2e:30:43 {
force_protocol = t0;
}
# Warm ATR v2
card_atr 3b:5e:11:ff:45:73:74:45:49:44:20:76:65:72:20:31:2e:30 {
force_protocol = t0;
}
# Cold ATR v2
card_atr 3b:de:18:ff:c0:80:b1:fe:45:1f:03:45:73:74:45:49:44:20:76:65:72:20:31:2e:30:2b {
force_protocol = t0;
}
# Digi-ID cold ATR. The same card has the same warm ATR as "Cold ATR v1" above
# The card is claimed to only support T=0 but in fact (sometimes) works with T=1, even if not advertised in ATR.
card_atr 3b:6e:00:00:45:73:74:45:49:44:20:76:65:72:20:31:2e:30 {
force_protocol = t0;
}
# D-Trust cards are also based on micardo and need T=0 for some reason
card_atr 3b:ff:94:00:ff:80:b1:fe:45:1f:03:00:68:d2:76:00:00:28:ff:05:1e:31:80:00:90:00:23 {
force_protocol = t0;
}
card_atr 3b:ff:11:00:ff:80:b1:fe:45:1f:03:00:68:d2:76:00:00:28:ff:05:1e:31:80:00:90:00:a6 {
force_protocol = t0;
}
# Oberthur's AuthentIC v3.2.2
card_atr 3B:DD:18:00:81:31:FE:45:80:F9:A0:00:00:00:77:01:00:70:0A:90:00:8B {
type = 11100;
driver = "authentic";
name = "AuthentIC v3.1";
# Name of SM configuration sub-section
# secure_messaging = local_authentic;
}
# IAS/ECC cards
card_atr 3B:7F:96:00:00:00:31:B9:64:40:70:14:10:73:94:01:80:82:90:00 {
type = 25001;
driver = "iasecc";
name = "Gemalto MultiApp IAS/ECC v1.0.1";
secure_messaging = local_gemalto_iam;
# secure_messaging = local_adele;
md_read_only = false;
md_supports_X509_enrollment = true;
}
card_atr 3B:7F:96:00:00:00:31:B8:64:40:70:14:10:73:94:01:80:82:90:00 {
type = 25001;
driver = "iasecc";
name = "Gemalto MultiApp IAS/ECC v1.0.1";
secure_messaging = local_gemalto_iam;
md_read_only = false;
md_supports_X509_enrollment = true;
}
#card_atr 3B:DD:18:00:81:31:FE:45:80:F9:A0:00:00:00:77:01:08:00:07:90:00:FE {
# type = 25002;
# driver = "iasecc";
# name = "Oberthur IAS/ECC v1.0.1";
# # No 'admin' application for this card -- no secure messaging
#}
#card_atr 3B:7F:18:00:00:00:31:B8:64:50:23:EC:C1:73:94:01:80:82:90:00 {
# type = 25003;
# driver = "iasecc";
# name = "Morpho YpsID S3 IAS/ECC";
# # secure_messaging = local_morpho_YpsID_S3;
#}
card_atr 3B:DF:18:FF:81:91:FE:1F:C3:00:31:B8:64:0C:01:EC:C1:73:94:01:80:82:90:00:B3 {
type = 25004;
driver = "iasecc";
name = "Amos IAS/ECC v1.0.1";
md_read_only = false;
md_supports_X509_enrollment = true;
secure_messaging = local_amos;
}
card_atr 3B:DC:18:FF:81:91:FE:1F:C3:80:73:C8:21:13:66:01:0B:03:52:00:05:38 {
type = 25004;
driver = "iasecc";
name = "Amos IAS/ECC v1.0.1";
md_read_only = false;
md_supports_X509_enrollment = true;
secure_messaging = local_amos_eid;
}
secure_messaging local_authentic {
# name of external SM module
# module_name = smm-local.dll;
# directory with external SM module
# Default: defined by windows register
# module_path = "";
# specific data to tune the module initialization
# module_data = "Here can be your SM module init data";
# SM mode:
# 'transmit' -- in this mode the procedure to securize an APDU is called by the OpenSC general
# APDU transmit procedure.
# In this mode all APDUs, except the ones filtered by the card specific procedure,
# are securized.
# 'acl' -- in this mode APDU are securized only if needed by the ACLs of the command to be executed.
#
#mode = transmit;
# SM type specific flags
# flags = 0x78; # 0x78 -- level 3, channel 0
# Default KMC of the GP Card Manager for the Oberthur's Java cards
# kmc = "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00";
}
secure_messaging local_gemalto_iam {
module_name = smm-local.dll;
# module_path = "";
# module_data = "";
type = acl; # transmit, acl
ifd_serial = "11:22:33:44:55:66:77:88";
# Keyset values from IAM profiles of the Gemalto IAS/ECC cards
keyset_02_enc = "RW_PRIV_ENC_TEST";
keyset_02_mac = "RW_PRIV_MAC_TEST";
keyset_E828BD080FD2504543432D654944_01_enc = "RO_ENC_TEST_KEY_";
keyset_E828BD080FD2504543432D654944_01_mac = "RO_MAC_TEST_KEY_";
keyset_E828BD080FD2504543432D654944_03_enc = "RW_PUBL_ENC_TEST";
keyset_E828BD080FD2504543432D654944_03_mac = "RW_PUBL_MAC_TEST";
}
secure_messaging local_amos {
module_name = smm-local.dll;
# module_path = "";
# module_data = "";
mode = acl;
ifd_serial = "11:22:33:44:55:66:77:88";
keyset_02_enc = "ENCROECHANTILLON";
keyset_02_mac = "MACROECHANTILLON";
}
secure_messaging local_amos_eid {
module_name = smm-local.dll;
# module_path = "";
# module_data = "";
mode = acl;
ifd_serial = "11:22:33:44:55:66:77:88";
keyset_E828BD080FD2504543432D654944_03_enc = "RW_PUBL_ENC_TEST";
keyset_E828BD080FD2504543432D654944_03_mac = "RW_PUBL_MAC_TEST";
}
secure_messaging local_adele {
module_name = smm-local.dll;
# module_path = "";
# module_data = "";
type = acl; # transmit, acl
ifd_serial = "11:22:33:44:55:66:77:88";
# Keyset values from 'Adele' profiles of the IAS/ECC cards
keyset_01_enc = "EMENCECHANTILLON";
keyset_01_mac = "EMMACECHANTILLON";
keyset_02_enc = "AAENCECHANTILLON";
keyset_02_mac = "AAMACECHANTILLON";
keyset_E828BD080FD2500000040301_02_enc = "E2ENCECHANTILLON";
keyset_E828BD080FD2500000040301_02_mac = "E2MACECHANTILLON";
keyset_D2500000044164E86C650101_02_enc = "E1ENCECHANTILLON";
keyset_D2500000044164E86C650101_02_mac = "E1MACECHANTILLON";
keyset_D2500000044164E86C650101_03_enc = "SIENCECHANTILLON";
keyset_D2500000044164E86C650101_03_mac = "SIMACECHANTILLON";
}
# Below are the framework specific configuration blocks.
# PKCS #15
framework pkcs15 {
# Whether to use the cache files in the user's
# home directory.
#
# At the moment you have to 'teach' the card
# to the system by running command: pkcs15-tool -L
#
# WARNING: Caching shouldn't be used in setuid root
# applications.
# Default: false
# use_file_caching = true;
#
# Use PIN caching?
# Default: true
# use_pin_caching = false;
#
# How many times to use a PIN from cache before re-authenticating it?
# Default: 10
# pin_cache_counter = 3;
#
# Older PKCS#11 applications not supporting CKA_ALWAYS_AUTHENTICATE
# may need to set this to get signatures to work with some cards.
# Default: false
# pin_cache_ignore_user_consent = true;
#
# Enable pkcs15 emulation.
# Default: yes
# enable_pkcs15_emulation = no;
#
# Prefer pkcs15 emulation code before
# the normal pkcs15 processing.
# Some cards (like esteid and pteid) work in emu-only mode,
# and do not depend on this option.
#
# Default: no
# try_emulation_first = yes;
# Enable builtin emulators.
# Default: yes
# enable_builtin_emulation = no;
#
# List of the builtin pkcs15 emulators to test
# Default: esteid, openpgp, tcos, starcert, itacns, infocamere, postecert, actalis, atrust-acos, gemsafeGPK, gemsafeV1, tccardos, PIV-II;
# builtin_emulators = openpgp;
# additional settings per driver
#
# For pkcs15 emulators loaded from an external shared
# library/DLL, you need to specify the path name of the module
# and customize the card_atr example above correctly.
#
# emulate custom {
# The location of the driver library
# module = p15emu_custom.dll;
# }
# some additional application parameters:
# - type (generic, protected) used to distinguish the common access application
# and application for which authentication to perform some operation cannot be
# obtained with the common procedures (ex. object creation protected by secure messaging).
# Used by PKCS#11 module configurated to expose restricted number of slots.
# (for ex. configurated to expose only User PIN slot, User and Sign PINs slots, ...)
application E828BD080FD25047656E65726963 {
type = generic;
model = "ECC Generic PKI";
}
application E828BD080FD2500000040301 {
type = generic;
model = "Adèle Générique";
}
application E828BD080FD2504543432D654944 {
type = protected;
model = "ECC eID";
}
application E828BD080FD2500000040201 {
type = protected;
model = "Adèle Admin-2";
}
}
}
# Parameters for the OpenSC PKCS11 module
app opensc-pkcs11 {
pkcs11 {
# Should the module support hotplug of readers as per PKCS#11 v2.20?
# This affects slot changes and PC/SC PnP, as v2.11 applications
# are not allowed to change the length of the slot list.
# Default: true
# plug_and_play = false;
# Maximum Number of virtual slots.
# If there are more slots than defined here,
# the remaining slots will be hidden from PKCS#11.
# Default: 16
# max_virtual_slots = 32;
# Maximum number of slots per smart card.
# If the card has fewer keys than defined here,
# the remaining number of slots will be empty.
# Default: 4
# slots_per_card = 2;
# (max_virtual_slots/slots_per_card) limits the number of readers
# that can be used on the system. Default is then 16/4=4 readers.
# Normally, the pkcs11 module will create
# the full number of slots defined above by
# num_slots. If there are fewer pins/keys on
# the card, the remaining keys will be empty
# (and you will be able to create new objects
# within them).
# Default: true
# hide_empty_tokens = false;
# By default, the OpenSC PKCS#11 module will not lock your card
# once you authenticate to the card via C_Login.
#
# Thus the other users or other applications is not prevented
# from connecting to the card and perform crypto operations
# (which may be possible because you have already authenticated
# with the card). This setting is not very secure.
#
# Also, if your card is not locked, you can enconter problems
# due to limitation of the OpenSC framework, that still is not
# thoroughly tested in the multi threads environment.
#
# Your settings will be more secure if you choose to lock your
# card. Nevertheless this behavior is a known violation of PKCS#11
# specification. Now once one application has started using your
# card with C_Login, no other application can use it, until
# the first is done and calls C_Logout or C_Finalize. In the case
# of many PKCS#11 application this does not happen until you exit
# the application.
# Thus it is impossible to use several smart card aware applications
# at the same time, e.g. you cannot run both Firefox and Thunderbird at
# the same time, if both are configured to use your smart card.
#
# Default: false
# lock_login = true;
# User PIN unblock style
# none: PIN unblock is not possible with PKCS#11 API;
# set_pin_in_unlogged_session: C_SetPIN() in unlogged session:
# PUK is passed as the 'OldPin' argument of the C_SetPIN() call.
# set_pin_in_specific_context: C_SetPIN() in the CKU_SPECIFIC_CONTEXT logged session:
# PUK is passed as the 'OldPin' argument of the C_SetPIN() call.
# init_pin_in_so_session: C_InitPIN() in CKU_SO logged session:
# User PIN 'UNBLOCK' is protected by SOPIN. (PUK == SOPIN).
# # Actually this style works only for the PKCS15 contents without SOPIN.
# # For those with SOPIN, this mode will be usefull for the cards without
# # modes 00 and 01 of ISO command 'RESET RETRY COUNTER'. --vt
#
# Default: none
# user_pin_unblock_style = set_pin_in_unlogged_session;
# Create slot for unblocking PIN with PUK
# This way PKCS#11 API can be used to login with PUK and
# change a PIN.
# Warning: causes problems with some applications like
# firefox and thunderbird. Thus turned off by default
#
# Default: false
# create_puk_slot = true;
# Report as 'zero' the CKA_ID attribute of CA certificate
# For the unknown reason the middleware of the manufacturer of gemalto (axalto, gemplus)
# card reports as '0' the CKA_ID of CA cartificates.
# Maybe someone else will need it. (Would be nice to know who and what for -- VTA)
#
# Default: false
# zero_ckaid_for_ca_certs = true;
# List of readers to ignore
# If any of the strings listed below is matched (case sensitive) in a reader name,
# the reader is ignored by the PKCS#11 module.
#
# Default: empty
# ignored_readers = "CardMan 1021", "SPR 532";
# Symbolic names of PINs for which slots are created
# Card can contain more then one PINs or more then one on-card application with
# its own PINs. Normally, to access all of them with the PKCS#11 API a slot has to be
# created for all of them. Many slots could be ennoying for some of widely used application,
# like FireFox. This configuration parameter allows to select the PINs or on-card application
# for which PKCS#11 slot will be created.
# Actually recognised following symbolic names:
# 'user', 'sign', 'application', all
# Only PINs initialised, non-SoPIN, non-unblocking are associated with symbolic name.
# 'user' is identified as first global or first local PIN.
# 'sign' is identified as second PIN: first local, second global or second local.
# 'application' slot created for each on-card application,
# even if they use a common global PIN.
# 'all' slot created for all non-sopin, non-unblocking PINs,
# optionally for PUK (see option 'create_puk_slot')
#
# Default: all
# create_slots_for_pins = "user,sign";
# create_slots_for_pins = application;
# create_slots_for_pins = "application,sign";
}
}
# Used by OpenSC.tokend on Mac OS X only.
app tokend {
# The file to which debug log will be written
# Default: /tmp/opensc-tokend.log
#
# debug_file = /Library/Logs/OpenSC.tokend.log
framework tokend {
# Score for OpenSC.tokend
# The tokend with the highest score shall be used.
# Default: 300
#
# score = 10;
}
}
# XXX: remove cardmod pseudodriver
app cardmod {
# cardmod app name use special pcsc reader subset
# fix options for this reader driver here.
reader_driver cardmod {
# Enable pinpad if detected (PC/SC v2.0.2 Part 10)
# Default: true
# enable_pinpad = false;
}
}