root/trunk/etc/opensc.conf.in

Revision 3607, 10.7 KB (checked in by alonbl, 11 days ago)

Add PKCS#11 specification limitation note

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
1# Configuration file for OpenSC
2# Example configuration file
3
4# NOTE: All key-value pairs must be terminated by a semicolon.
5
6# Default values for any application
7# These can be overridden by an application
8# specific configuration block.
9app default {
10        # Amount of debug info to print
11        #
12        # A greater value means more debug info.
13        # Default: 0
14        #
15        debug = 0;
16
17        # The file to which debug output will be written
18        #
19        # A special value of 'stdout' is recognized.
20        # Default: stdout
21        #
22        # debug_file = /tmp/opensc-debug.log;
23        # debug_file = "C:\Documents and Settings\All Users\Documents\opensc-debug.log";
24
25        # The file to which errors will be written
26        #
27        # A special value of 'stderr' is recognized.
28        # Default: stderr
29        #
30        # error_file = /tmp/opensc-errors.log;
31        # error_file = "C:\Documents and Settings\All Users\Documents\opensc-errors.log";
32
33        # PKCS#15 initialization / personalization
34        # profiles directory for pkcs15-init.
35       
36        profile_dir = @pkgdatadir@;
37
38        # What reader drivers to load at start-up
39        #
40        # A special value of 'internal' will load all
41        # statically linked drivers. If an unknown (i.e. not
42        # internal) driver is supplied, a separate configuration
43        # block has to be written for the driver.
44        # Default: internal
45        # NOTE: if the "internal" keyword is used, it must be the
46        # last entry in the reader_drivers list
47        #
48        # reader_drivers = openct, pcsc, ctapi;
49
50        reader_driver ctapi {
51                # module /usr/local/towitoko/lib/libtowitoko.so {
52                        # CT-API ports:
53                        # 0..3          COM1..4
54                        # 4             Printer
55                        # 5             Modem
56                        # 6..7          LPT1..2
57                        # ports = 0;
58                # }
59        }
60
61        # Define parameters specific to your readers.
62        # The following section shows definitions for PC/SC readers,
63        # but the same set of variables are applicable to ctapi and
64        # openct readers, simply by using "reader_driver ctapi" and
65        # "reader_driver openct", respectively.
66        reader_driver pcsc {
67                # This sets the maximum send and receive sizes.
68                # Some reader drivers have limitations, so you need
69                # to set these values. For USB devices, check the
70                # reader's properties with lsusb -vv and look for dwMaxIFSD.
71                #
72                #max_send_size = 252;
73                #max_recv_size = 252;
74               
75                # Connect to reader in exclusive mode.
76                # Default: false
77                # connect_exclusive = true;
78                #
79                # Reset the card after disconnect.
80                # Default: true
81                # connect_reset = false;
82                #
83                # Reset the card after each transaction.
84                # Default: false
85                # transaction_reset = true;
86                #
87                # Enable pinpad if detected (PC/SC v2.0.2 Part 10)
88                # Default: false
89                # enable_pinpad = true;
90                #
91                # Use a specific PC/SC provider library.
92                # Default: @DEFAULT_PCSC_PROVIDER@
93                # provider_library = @DEFAULT_PCSC_PROVIDER@;
94        }
95
96        # options for openct support
97        reader_driver openct {
98                # Number of virtual readers to allocate. Default: 5
99                readers = 5;
100
101                # This sets the maximum send and receive sizes.
102                # Some reader drivers have limitations, so you need
103                # to set these values. For USB devices, check the
104                # reader's properties with lsusb -vv and look for dwMaxIFSD.
105                #
106                #max_send_size = 252;
107                #max_recv_size = 252;
108        };
109
110        # What card drivers to load at start-up
111        #
112        # A special value of 'internal' will load all
113        # statically linked drivers. If an unknown (i.e. not
114        # internal) driver is supplied, a separate configuration
115        # block has to be written for the driver.
116        # Default: internal
117        # NOTE: When the "internal" keyword is used, it must be the last entry
118        #
119        # card_drivers = customcos, internal;
120
121        # Card driver configuration blocks.
122
123        # For card drivers loaded from an external shared library/DLL,
124        # you need to specify the path name of the module
125        #
126        # card_driver customcos {
127                # The location of the driver library
128                # module = /usr/lib/opensc/drivers/card_customcos.so;
129        # }
130
131        # Force using specific card driver
132        #
133        # If this option is present, OpenSC will use the supplied
134        # driver with all inserted cards.
135        #
136        # Default: autodetect
137        #
138        # force_card_driver = customcos;
139
140        # In addition to the built-in list of known cards in the
141        # card driver, you can configure a new card for the driver
142        # using the card_atr block. The goal is to centralize
143        # everything related to a certain card to card_atr.
144        #
145        # The supported internal card driver names can be retrieved
146        # from the output of:
147        # $ opensc-tool --list-drivers
148
149        # Generic format: card_atr <hex encoded ATR (case-sensitive!)>
150
151        # New card entry for the flex card driver
152        # card_atr 3b:f0:0d:ca:fe {
153                # All parameters for the context are
154                # optional unless specified otherwise.
155
156                # Context: global, card driver
157                #
158                # ATR mask value
159                #
160                # The mask is logically AND'd with a
161                # card's ATR prior to comparison with the
162                # ATR reference value above. Using a mask
163                # allows identifying and configuring
164                # multiple ATRs as the same card model.
165                # atrmask = "ff:ff:ff:ff:ff";
166
167                # Context: card driver
168                #
169                # Specify used card driver (REQUIRED).
170                #
171                # When enabled, overrides all possible
172                # settings from the card driver's built-in
173                # card configuration list.
174                # driver = "flex";
175
176                # Set the card name for card drivers that allow it.
177                # name = "My CryptoFlex card";
178
179                # Card type as an integer value.
180                #
181                # Depending on card driver, this allows
182                # tuning the behaviour of the card driver
183                # for your card.
184                # type = "2002";
185
186                # Card flags as a hex value.
187                # Multiple values are OR'd together.
188                #
189                # Depending on card driver, this allows
190                # fine-tuning the capabilities in
191                # the card driver for your card.
192                #
193                # Optionally, some known parameters
194                # can be specified as strings:
195                #
196                # keygen - On-board key generation capability
197                # rng - On-board random number source
198                #
199                # flags = "keygen", "rng", "0x80000000";
200
201                #
202                # Context: PKCS#15 emulation layer
203                #
204                # When using PKCS#15 emulation, force
205                # the emulation driver for specific cards.
206                #
207                # Required for external drivers, but can
208                # be used with built-in drivers, too.
209                # pkcs15emu = "custom";
210
211                #
212                # Context: reader driver
213                #
214                # Force protocol selection for specific cards.
215                # Known parameters: t0, t1, raw
216                # force_protocol = "t0";
217        # }
218
219        # PIV cards need an entry similar to this one:
220        # card_atr 3B:7D:96:00:00:80:31:80:65:B0:83:11:00:AC:83:00:90:00 {
221                # name = "PIV-II";
222                # driver = "piv";
223        # }
224
225        # Estonian ID card and Micardo driver currently play together with T=0
226        # only. In theory only the 'cold' ATR should be specified, as T=0 will
227        # be the preferred protocol once you boot it up with T=0, but be
228        # paranoid.
229        card_atr 3b:6e:00:ff:45:73:74:45:49:44:20:76:65:72:20:31:2e:30 {
230                force_protocol = t0;
231        }
232        card_atr 3b:fe:94:00:ff:80:b1:fa:45:1f:03:45:73:74:45:49:44:20:76:65:72:20:31:2e:30:43 {
233                force_protocol = t0;
234        }
235
236        # D-Trust cards are also based on micardo and need T=0 for some reason
237        card_atr 3b:ff:94:00:ff:80:b1:fe:45:1f:03:00:68:d2:76:00:00:28:ff:05:1e:31:80:00:90:00:23 {
238                force_protocol = t0;
239        }
240        card_atr 3b:ff:11:00:ff:80:b1:fe:45:1f:03:00:68:d2:76:00:00:28:ff:05:1e:31:80:00:90:00:a6 {
241                force_protocol = t0;
242        }
243
244        # Below are the framework specific configuration blocks.
245
246        # PKCS #15
247        framework pkcs15 {
248                # Whether to use the cache files in the user's
249                # home directory.
250                #
251                # At the moment you have to 'teach' the card
252                # to the system by running the command: pkcs15-tool -L
253                #
254                # WARNING: Caching should not be used in setuid root
255                # applications (the cache files live in the user's home directory).
256                # Default: false
257                #
258                use_caching = true;
259                # Enable pkcs15 emulation.
260                # Default: yes
261                # enable_pkcs15_emulation = no;
262                # Prefer pkcs15 emulation code before
263                # the normal pkcs15 processing.
264                # Default: no
265                # try_emulation_first = yes;
266                # Enable builtin emulators.
267                # Default: yes
268                # enable_builtin_emulation = yes;
269                # list of the builtin pkcs15 emulators to test
270                builtin_emulators = esteid, openpgp, tcos, starcert, infocamere, postecert, actalis, atrust-acos, gemsafeGPK, gemsafeV1, tccardos, PIV-II, rutoken;
271
272                # additional settings per driver
273                #
274                # For pkcs15 emulators loaded from an external shared
275                # library/DLL, you need to specify the path name of the module
276                # and customize the card_atr example above correctly.
277                #
278                # emulate custom {
279                        # The location of the driver library
280                        # module = /usr/lib/opensc/drivers/p15emu_custom.so;
281                # }
282               
283                # workaround: use the RSA decrypt operation for signing
284                # some cardos cards need this, if initialized with certain
285                # versions of the Siemens software
286                # we have an auto detection, but it is not 100% reliable,
287                # so you can turn it off if it misbehaves.
288                # this option only affects cardos cards right now.
289                # Default: yes
290                # enable_sign_with_decrypt_workaround = yes;
291        }
292}
293
294# Parameters for the OpenSC PKCS11 module
295app opensc-pkcs11 {
296        pkcs11 {
297                # Maximum Number of virtual slots.
298                # If there are more slots than defined here,
299                # the remaining slots will be hidden from PKCS#11.
300                max_virtual_slots = 8;
301
302                # Maximum number of slots per smart card.
303                # If the card has fewer keys than defined here,
304                # the remaining number of slots will be empty.
305                num_slots = 4;
306
307                # (max_virtual_slots/num_slots) limits the number of readers
308                # that can be used on the system. Default is then 8/4=2 readers.
309
310                # Normally, the pkcs11 module will create
311                # the full number of slots defined above by
312                # num_slots. If there are fewer PINs/keys on
313                # the card, the remaining slots will be empty
314                # (and you will be able to create new objects
315                # within them).
316                #
317                # Set this option to true to hide these empty
318                # slots.
319                hide_empty_tokens = yes;
320
321                # By default, the OpenSC PKCS#11 module will lock your card
322                # once you authenticate to the card via C_Login.
323                # This is to prevent other users or other applications
324                # from connecting to the card and perform crypto operations
325                # (which may be possible because you have already authenticated
326                # with the card). Thus this setting is very secure.
327                #
328                # This behavior is a known violation of the PKCS#11 specification,
329                # and is forced by a limitation of the OpenSC framework.
330                #
331                # However now once one application has started using your
332                # card with C_Login, no other application can use it, until
333                # the first is done and calls C_Logout or C_Finalize.
334                # In the case of many PKCS#11 applications this does not happen
335                # until you exit the application.
336                #
337                # Thus it is impossible to use several smart card aware
338                # applications at the same time, e.g. you cannot run both
339                # Firefox and Thunderbird at the same time, if both are
340                # configured to use your smart card.
341                #
342                # Default: true
343                # lock_login = false;
344
345                # This option controls whether the pkcs11 module caches
346                # PINs presented via C_Login. Some cards
347                # may not work properly with OpenSC without it; for instance
348                # when you have two keys on your card that get
349                # stored in two different directories.
350                #
351                # In this case, you can turn on PIN caching by setting
352                # cache_pins = true
353                #
354                # Default: true
355                # cache_pins = false;
356
357                # Set this value to true if you want to allow off-card
358                # keypair generation (in software on your PC)
359                #
360                # Default: false
361                # soft_keygen_allowed = true;
362        }
363}
364
365app tokend {
366        # Score for OpenSC.tokend
367        framework tokend {
368                score = 10;
369        }
370}