summaryrefslogtreecommitdiffstats
path: root/doc/scdaemon.texi
blob: d8724ced8358813028148e40f4c52598a9486c90 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
@c Copyright (C) 2002 Free Software Foundation, Inc.
@c This is part of the GnuPG manual.
@c For copying conditions, see the file gnupg.texi.

@node Invoking SCDAEMON
@chapter Invoking the SCDAEMON
@cindex SCDAEMON command options
@cindex command options
@cindex options, SCDAEMON command

@manpage scdaemon.1
@ifset manverb
.B scdaemon
\- Smartcard daemon for the GnuPG system
@end ifset

@mansect synopsis
@ifset manverb
.B  scdaemon
.RB [ \-\-homedir
.IR dir ]
.RB [ \-\-options
.IR file ]
.RI [ options ]  
.B  \-\-server 
.br
.B  scdaemon
.RB [ \-\-homedir
.IR dir ]
.RB [ \-\-options
.IR file ]
.RI [ options ]  
.B  \-\-daemon 
.RI [ command_line ]
@end ifset


@mansect description
The @command{scdaemon} is a daemon to manage smartcards.  It is usually
invoked by @command{gpg-agent} and in general not used directly.

@manpause
@xref{Option Index}, for an index to @command{scdaemon}'s commands and
options.
@mancont

@menu
* Scdaemon Commands::      List of all commands.
* Scdaemon Options::       List of all options.
* Card applications::      Description of card applications.
* Scdaemon Configuration:: Configuration files.
* Scdaemon Examples::      Some usage examples.
* Scdaemon Protocol::      The protocol the daemon uses.
@end menu

@mansect commands

@node Scdaemon Commands
@section Commands

Commands are not distinguished from options except for the fact that
only one command is allowed.

@table @gnupgtabopt
@item --version
@opindex version
Print the program version and licensing information.  Not that you can
abbreviate this command.

@item --help, -h
@opindex help
Print a usage message summarizing the most usefule command-line options.
Not that you can abbreviate this command.

@item --dump-options
@opindex dump-options
Print a list of all available options and commands.  Not that you can
abbreviate this command.

@item --server
@opindex server
Run in server mode and wait for commands on the @code{stdin}.  This is
default mode is to create a socket and listen for commands there.

@item --multi-server
@opindex multi-server
Run in server mode and wait for commands on the @code{stdin} as well as
on an additional Unix Domain socket.  The server command @code{GETINFO}
may be used to get the name of that extra socket.

@item --daemon
@opindex daemon
Run the program in the background.  This option is required to prevent
it from being accidently running in the background.

@end table


@mansect options

@node Scdaemon Options
@section Option Summary

@table @gnupgtabopt

@item --options @var{file}
@opindex options
Reads configuration from @var{file} instead of from the default
per-user configuration file.  The default configuration file is named
@file{scdaemon.conf} and expected in the @file{.gnupg} directory directly
below the home directory of the user.

@include opt-homedir.texi


@item -v
@item --verbose
@opindex v
@opindex verbose
Outputs additional information while running.
You can increase the verbosity by giving several
verbose commands to @command{gpgsm}, such as @samp{-vv}.

@item --debug-level @var{level}
@opindex debug-level
Select the debug level for investigating problems. @var{level} may be
one of:

@table @code
@item none
no debugging at all.
@item basic  
some basic debug messages
@item advanced
more verbose debug messages
@item expert
even more detailed messages
@item guru
all of the debug messages you can get
@end table

How these messages are mapped to the actual debugging flags is not
specified and may change with newer releases of this program. They are
however carefully selected to best aid in debugging.

@quotation Note
All debugging options are subject to change and thus should not be used
by any application program.  As the name says, they are only used as
helpers to debug problems.
@end quotation


@item --debug @var{flags}
@opindex debug
This option is only useful for debugging and the behaviour may change at
any time without notice.  FLAGS are bit encoded and may be given in
usual C-Syntax. The currently defined bits are:

@table @code
@item 0  (1)
command I/O
@item 1  (2)  
values of big number integers 
@item 2  (4)
low level crypto operations
@item 5  (32)
memory allocation
@item 6  (64)
caching
@item 7  (128)
show memory statistics.
@item 9  (512)
write hashed data to files named @code{dbgmd-000*}
@item 10 (1024)
trace Assuan protocol
@item 11 (2048)
trace APDU I/O to the card.  This may reveal sensitive data.
@end table

@item --debug-all
@opindex debug-all
Same as @code{--debug=0xffffffff}

@item --debug-wait @var{n}
@opindex debug-wait
When running in server mode, wait @var{n} seconds before entering the
actual processing loop and print the pid.  This gives time to attach a
debugger.

@item --debug-ccid-driver
@opindex debug-wait
Enable debug output from the included CCID driver for smartcards.
Using this option twice will also enable some tracing of the T=1
protocol.  Note that this option may reveal sensitive data.

@item --debug-disable-ticker
@opindex debug-disable-ticker
This option disables all ticker functions like checking for card
insertions.

@item --debug-allow-core-dump
@opindex debug-allow-core-dump
For security reasons we won't create a core dump when the process
aborts.  For debugging purposes it is sometimes better to allow core
dump.  This options enables it and also changes the working directory to
@file{/tmp} when running in @option{--server} mode.


@item --no-detach
@opindex no-detach
Don't detach the process from the console.  This is mainly useful for
debugging.

@item --log-file @var{file}
@opindex log-file
Append all logging output to @var{file}.  This is very helpful in
seeing what the agent actually does.


@item --pcsc-driver @var{library}
@opindex pcsc-driver
Use @var{library} to access the smartcard reader.  The current default
is @file{libpcsclite.so}.  Instead of using this option you might also
want to install a symbolic link to the default file name
(e.g. from @file{libpcsclite.so.1}).

@item --ctapi-driver @var{library}
@opindex ctapi-driver
Use @var{library} to access the smartcard reader.  The current default
is @file{libtowitoko.so}.  Note that the use of this interface is
deprecated; it may be removed in future releases.

@item --disable-ccid 
@opindex disable-ccid
Disable the integrated support for CCID compliant readers.  This
allows to fall back to one of the other drivers even if the internal
CCID driver can handle the reader.  Note, that CCID support is only
available if libusb was available at build time.

@item --reader-port @var{number_or_string}
@opindex reader-port
This option may be used to specify the port of the card terminal.  A
value of 0 refers to the first serial device; add 32768 to access USB
devices.  The default is 32768 (first USB device).  PC/SC or CCID
readers might need a string here; run the program in verbose mode to get
a list of available readers.  The default is then the first reader
found.

To get a list of available CCID readers you may use this command:
@smallexample
echo scd getinfo reader_list | gpg-connect-agent --decode | awk '/^D/ @{print $2@}'
@end smallexample


@item --card-timeout @var{n}
@opindex card-timeout
If @var{n} is not 0 and no client is actively using the card, the card
will be powered down after @var{n} seconds.  Powering down the card
avoids a potential risk of damaging a card when used with certain
cheap readers.  This also allows non Scdaemon aware applications to
access the card.  The disadvantage of using a card timeout is that
accessing the card takes longer and that the user needs to enter the
PIN again after the next power up.

Note that with the current version of Scdaemon the card is powered
down immediatley at the next timer tick for any value of @var{n} other
than 0.


@item --disable-keypad
@opindex disable-keypad
Even if a card reader features a keypad, do not try to use it.


@item --allow-admin
@itemx --deny-admin
@opindex allow-admin
@opindex deny-admin
This enables the use of Admin class commands for card applications
where this is supported.  Currently we support it for the OpenPGP
card.  Deny is the default.  This commands is useful to inhibit
accidental access to admin class command which could ultimately lock
the card through wrong PIN numbers.

@item --disable-application @var{name}
@opindex disable-application
This option disables the use of the card application named
@var{name}.  This is mainly useful for debugging or if a application
with lower priority should be used by default.

@end table

All the long options may also be given in the configuration file after
stripping off the two leading dashes.


@mansect card applications
@node Card applications
@section Description of card applications

@command{scdaemon} supports the card applications as described below.

@menu
* OpenPGP Card::          The OpenPGP card application
* NKS Card::              The Telesec NetKey card application
* DINSIG Card::           The DINSIG card application
* PKCS#15 Card::          The PKCS#15 card application
@end menu

@node OpenPGP Card
@subsection The OpenPGP card application ``openpgp''

This application is currently only used by @command{gpg} but may in
future also be useful with @command{gpgsm}. 

The specification for such a card is available at
@uref{http://g10code.com/docs/openpgp-card-1.0.pdf}.

@node NKS Card
@subsection The Telesec NetKey card ``nks''

This is the main application of the Telesec cards as available in
Germany.  It is a superset of the German DINSIG card.  The card is
used by @command{gpgsm}.

@node DINSIG Card
@subsection The DINSIG card application ``dinsig''

This is an application as described in the German draft standard
@emph{DIN V 66291-1}.  It is intended to be used by cards supporting
the German signature law and its bylaws (SigG and SigV).

@node PKCS#15 Card
@subsection The PKCS#15 card application ``p15''

This is common fraqmework for smart card applications.  It is used by
@command{gpgsm}.


@c *******************************************
@c ***************            ****************
@c ***************   FILES    ****************
@c ***************            ****************
@c *******************************************
@mansect files
@node Scdaemon Configuration
@section Configuration files

There are a few configuration files to control certain aspects of
@command{scdaemons}'s operation. Unless noted, they are expected in the
current home directory (@pxref{option --homedir}).

@table @file

@item scdaemon.conf
@cindex scdaemon.conf
This is the standard configuration file read by @command{scdaemon} on
startup.  It may contain any valid long option; the leading two dashes
may not be entered and the option may not be abbreviated.  This default
name may be changed on the command line (@pxref{option --options}).

@item scd-event
@cindex scd-event
If this file is present and executable, it will be called on veyer card
reader's status changed. An example of this script is provided with the
distribution

@item reader_@var{n}.status
This file is created by @command{sdaemon} to let other applications now
about reader status changes.  Its use is now deprecated in favor of
@file{scd-event}.

@end table


@c 
@c  Examples
@c
@mansect examples
@node Scdaemon Examples
@section Examples

@c man begin EXAMPLES

@example
$ scdaemon --server -v
@end example

@c man end

@c 
@c  Assuan Protocol
@c
@manpause
@node Scdaemon Protocol
@section Scdaemon's Assuan Protocol

The SC-Daemon should be started by the system to provide access to
external tokens.  Using Smartcards on a multi-user system does not
make much sense expcet for system services, but in this case no
regular user accounts are hosted on the machine.

A client connects to the SC-Daemon by connecting to the socket named
@file{/var/run/scdaemon/socket}, configuration information is read from
@var{/etc/scdaemon.conf}

Each connection acts as one session, SC-Daemon takes care of
syncronizing access to a token between sessions.

@menu
* Scdaemon SERIALNO::     Return the serial number.
* Scdaemon LEARN::        Read all useful information from the card.
* Scdaemon READCERT::     Return a certificate.
* Scdaemon READKEY::      Return a public key.
* Scdaemon PKSIGN::       Signing data with a Smartcard.
* Scdaemon PKDECRYPT::    Decrypting data with a Smartcard.
* Scdaemon GETATTR::      Read an attribute's value.
* Scdaemon SETATTR::      Update an attribute's value.
* Scdaemon WRITEKEY::     Write a key to a card.
* Scdaemon GENKEY::       Generate a new key on-card.
* Scdaemon RANDOM::       Return random bytes generate on-card.
* Scdaemon PASSWD::       Change PINs.
* Scdaemon CHECKPIN::     Perform a VERIFY operation.
* Scdaemon RESTART::      Restart connection
* Scdaemon APDU::         Send a verbatim APDU to the card
@end menu

@node Scdaemon SERIALNO 
@subsection Return the serial number

This command should be used to check for the presence of a card.  It is
special in that it can be used to reset the card.  Most other commands
will return an error when a card change has been detected and the use of
this function is therefore required.

Background: We want to keep the client clear of handling card changes
between operations; i.e. the client can assume that all operations are
done on the same card unless he call this function.

@example
  SERIALNO
@end example

Return the serial number of the card using a status reponse like:

@example
  S SERIALNO D27600000000000000000000 0
@end example

The trailing 0 should be ignored for now, it is reserved for a future
extension.  The serial number is the hex encoded value identified by 
the @code{0x5A} tag in the GDO file (FIX=0x2F02).



@node Scdaemon LEARN
@subsection Read all useful information from the card

@example
  LEARN [--force]
@end example

Learn all useful information of the currently inserted card.  When
used without the force options, the command might do an INQUIRE
like this:

@example
      INQUIRE KNOWNCARDP <hexstring_with_serialNumber> <timestamp>
@end example

The client should just send an @code{END} if the processing should go on
or a @code{CANCEL} to force the function to terminate with a cancel
error message.  The response of this command is a list of status lines
formatted as this:

@example
     S KEYPAIRINFO @var{hexstring_with_keygrip} @var{hexstring_with_id}
@end example

If there is no certificate yet stored on the card a single "X" is
returned in @var{hexstring_with_keygrip}.

@node Scdaemon READCERT
@subsection Return a certificate

@example
 READCERT @var{hexified_certid}|@var{keyid}
@end example

This function is used to read a certificate identified by
@var{hexified_certid} from the card.  With OpenPGP cards the keyid
@code{OpenPGP.3} may be used to rad the certticate of version 2 cards.


@node Scdaemon READKEY
@subsection Return a public key

@example
READKEY @var{hexified_certid}
@end example

Return the public key for the given cert or key ID as an standard
S-Expression. 



@node Scdaemon PKSIGN
@subsection Signing data with a Smartcard

To sign some data the caller should use the command

@example
 SETDATA @var{hexstring}
@end example

to tell @command{scdaemon} about the data to be signed.  The data must be given in
hex notation.  The actual signing is done using the command

@example
  PKSIGN @var{keyid}
@end example

where @var{keyid} is the hexified ID of the key to be used.  The key id
may have been retrieved using the command @code{LEARN}.  If another
hash algorithm than SHA-1 is used, that algorithm may be given like:

@example
  PKSIGN --hash=@var{algoname} @var{keyid}
@end example

With @var{algoname} are one of @code{sha1}, @code{rmd160} or @code{md5}.


@node Scdaemon PKDECRYPT
@subsection Decrypting data with a Smartcard

To decrypt some data the caller should use the command

@example
 SETDATA @var{hexstring}
@end example

to tell @command{scdaemon} about the data to be decrypted.  The data
must be given in hex notation.  The actual decryption is then done
using the command

@example
  PKDECRYPT @var{keyid}
@end example

where @var{keyid} is the hexified ID of the key to be used.


@node Scdaemon GETATTR
@subsection Read an attribute's value.

TO BE WRITTEN.

@node Scdaemon SETATTR
@subsection Update an attribute's value.

TO BE WRITTEN.

@node Scdaemon WRITEKEY
@subsection Write a key to a card.

@example
  WRITEKEY [--force] @var{keyid}
@end example

This command is used to store a secret key on a a smartcard.  The
allowed keyids depend on the currently selected smartcard
application. The actual keydata is requested using the inquiry
@code{KEYDATA} and need to be provided without any protection.  With
@option{--force} set an existing key under this @var{keyid} will get
overwritten.  The key data is expected to be the usual canonical encoded
S-expression.

A PIN will be requested in most saes.  This however depends on the
actual card application.


@node Scdaemon GENKEY
@subsection Generate a new key on-card.

TO BE WRITTEN.

@node Scdaemon RANDOM
@subsection Return random bytes generate on-card.

TO BE WRITTEN.


@node Scdaemon PASSWD
@subsection Change PINs.

@example
   PASSWD [--reset] [--nullpin] @var{chvno}
@end example
  
Change the PIN or reset the retry counter of the card holder
verification vector number @var{chvno}.  The option @option{--nullpin}
is used to initialize the PIN of TCOS cards (6 byte NullPIN only).


@node Scdaemon CHECKPIN
@subsection Perform a VERIFY operation.

@example
  CHECKPIN @var{idstr}
@end example

Perform a VERIFY operation without doing anything else.  This may be
used to initialize a the PIN cache earlier to long lasting
operations.  Its use is highly application dependent:

@table @strong
@item OpenPGP

Perform a simple verify operation for CHV1 and CHV2, so that further
operations won't ask for CHV2 and it is possible to do a cheap check on
the PIN: If there is something wrong with the PIN entry system, only the
regular CHV will get blocked and not the dangerous CHV3.  @var{idstr} is
the usual card's serial number in hex notation; an optional fingerprint
part will get ignored.

There is however a special mode if @var{idstr} is suffixed with the
literal string @code{[CHV3]}: In this case the Admin PIN is checked if
and only if the retry counter is still at 3.

@end table



@node Scdaemon RESTART
@subsection Perform a RESTART operation.

@example
  RESTART
@end example

Restart the current connection; this is a kind of warm reset.  It
deletes the context used by this connection but does not actually
reset the card. 

This is used by gpg-agent to reuse a primary pipe connection and
may be used by clients to backup from a conflict in the serial
command; i.e. to select another application. 




@node Scdaemon APDU
@subsection Send a verbatim APDU to the card.

@example
  APDU [--atr] [--more] [@var{hexstring}]
@end example


Send an APDU to the current reader.  This command bypasses the high
level functions and sends the data directly to the card.
@var{hexstring} is expected to be a proper APDU.  If @var{hexstring} is
not given no commands are send to the card; However the command will
implicitly check whether the card is ready for use.

Using the option @code{--atr} returns the ATR of the card as a status
message before any data like this:
@example
     S CARD-ATR 3BFA1300FF813180450031C173C00100009000B1
@end example

Using the option @code{--more} handles the card status word MORE_DATA
(61xx) and concatenate all reponses to one block.



@mansect see also
@ifset isman
@command{gpg-agent}(1),
@command{gpgsm}(1), 
@command{gpg2}(1)
@end ifset
@include see-also-note.texi