Scroll to navigation

PIV-TOOL(1) OpenSC Tools PIV-TOOL(1)

NAME

piv-tool - smart card utility for HSPD-12 PIV cards

SYNOPSIS

piv-tool [OPTIONS]

The piv-tool utility can be used from the command line to perform miscellaneous smart card operations on a HSPD-12 PIV smart card as defined in NIST 800-73-3. It is intended for use with test cards only. It can be used to load objects, and generate key pairs, as well as send arbitrary APDU commands to a card after having authenticated to the card using the card key provided by the card vendor.

OPTIONS

--serial

Print the card serial number derived from the CHUID object, if any. Output is in hex byte format.

--name, -n

Print the name of the inserted card (driver)

--admin argument, -A argument

Authenticate to the card using a 2DES or 3DES key. The argument of the form


{A|M}:ref:alg

is required, were A uses "EXTERNAL AUTHENTICATION" and M uses "MUTUAL AUTHENTICATION". ref is normally 9B, and alg is 03 for 3DES. The key is provided by the card vendor, and the environment variable PIV_EXT_AUTH_KEY must point to a text file containing the key in the format: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

--genkey argument, -G argument

Generate a key pair on the card and output the public key. The argument of the form

ref:alg

is required, where ref is 9A, 9C, 9D or 9E and alg is 06, 07, 11 or 14 for RSA 1024, RSA 2048, ECC 256 or ECC 384 respectively.

--object ContainerID, -O ContainerID

Load an object onto the card. The ContainerID is as defined in NIST 800-73-n without leading 0x. Example: CHUID object is 3000

--cert ref, -C ref

Load a certificate onto the card. ref is 9A, 9C, 9D or 9E

--compresscert ref, -Z ref

Load a certificate that has been gzipped onto the card. ref is 9A, 9C, 9D or 9E

--out file, -o file

Output file for any operation that produces output.

--in file, -i file

Input file for any operation that requires an input file.

--key-slots-discovery file

Print properties of the key slots. Needs 'admin' authentication.

--send-apdu apdu, -s apdu

Sends an arbitrary APDU to the card in the format AA:BB:CC:DD:EE:FF.... This option may be repeated.

--reader num, -r num

Specify the reader to use. By default, the first reader with a present card is used. If num is an ATR, the reader with a matching card will be chosen.

--card-driver driver, -c driver

Use the given card driver. The default is auto-detected.

--wait, -w

Wait for a card to be inserted

--verbose, -v

Causes piv-tool to be more verbose. Specify this flag several times to enable debug output in the opensc library.

SEE ALSO

opensc-tool(1)

AUTHORS

piv-tool was written by Douglas E. Engert <deengert@gmail.com>.

12/15/2020 opensc