1 @c Copyright (C) 2002 Free Software Foundation, Inc.
2 @c This is part of the GnuPG manual.
3 @c For copying conditions, see the file gnupg.texi.
7 @node Invoking SCDAEMON
8 @chapter Invoking the SCDAEMON
9 @cindex SCDAEMON command options
10 @cindex command options
11 @cindex options, SCDAEMON command
16 \- Smartcard daemon for the GnuPG system
41 The @command{scdaemon} is a daemon to manage smartcards. It is usually
42 invoked by @command{gpg-agent} and in general not used directly.
45 @xref{Option Index}, for an index to @command{scdaemon}'s commands and
50 * Scdaemon Commands:: List of all commands.
51 * Scdaemon Options:: List of all options.
52 * Card applications:: Description of card applications.
53 * Scdaemon Configuration:: Configuration files.
54 * Scdaemon Examples:: Some usage examples.
55 * Scdaemon Protocol:: The protocol the daemon uses.
60 @node Scdaemon Commands
63 Commands are not distinguished from options except for the fact that
64 only one command is allowed.
69 Print the program version and licensing information. Note that you cannot
70 abbreviate this command.
74 Print a usage message summarizing the most useful command-line options.
75 Note that you cannot abbreviate this command.
79 Print a list of all available options and commands. Note that you cannot
80 abbreviate this command.
84 Run in server mode and wait for commands on the @code{stdin}. The
85 default mode is to create a socket and listen for commands there.
89 Run in server mode and wait for commands on the @code{stdin} as well as
90 on an additional Unix Domain socket. The server command @code{GETINFO}
91 may be used to get the name of that extra socket.
95 Run the program in the background. This option is required to prevent
96 it from being accidentally running in the background.
103 @node Scdaemon Options
104 @section Option Summary
108 @item --options @var{file}
110 Reads configuration from @var{file} instead of from the default
111 per-user configuration file. The default configuration file is named
112 @file{scdaemon.conf} and expected in the @file{.gnupg} directory directly
113 below the home directory of the user.
115 @include opt-homedir.texi
122 Outputs additional information while running.
123 You can increase the verbosity by giving several
124 verbose commands to @command{gpgsm}, such as @samp{-vv}.
126 @item --debug-level @var{level}
128 Select the debug level for investigating problems. @var{level} may be
129 a numeric value or a keyword:
133 No debugging at all. A value of less than 1 may be used instead of
136 Some basic debug messages. A value between 1 and 2 may be used
137 instead of the keyword.
139 More verbose debug messages. A value between 3 and 5 may be used
140 instead of the keyword.
142 Even more detailed messages. A value between 6 and 8 may be used
143 instead of the keyword.
145 All of the debug messages you can get. A value greater than 8 may be
146 used instead of the keyword. The creation of hash tracing files is
147 only enabled if the keyword is used.
150 How these messages are mapped to the actual debugging flags is not
151 specified and may change with newer releases of this program. They are
152 however carefully selected to best aid in debugging.
155 All debugging options are subject to change and thus should not be used
156 by any application program. As the name says, they are only used as
157 helpers to debug problems.
161 @item --debug @var{flags}
163 Set debug flags. All flags are or-ed and @var{flags} may be given
164 in C syntax (e.g. 0x0042) or as a comma separated list of flag names.
165 To get a list of all supported flags the single word "help" can be
166 used. This option is only useful for debugging and the behavior may
167 change at any time without notice.
171 Same as @code{--debug=0xffffffff}
173 @item --debug-wait @var{n}
175 When running in server mode, wait @var{n} seconds before entering the
176 actual processing loop and print the pid. This gives time to attach a
179 @item --debug-ccid-driver
181 Enable debug output from the included CCID driver for smartcards.
182 Using this option twice will also enable some tracing of the T=1
183 protocol. Note that this option may reveal sensitive data.
185 @item --debug-disable-ticker
186 @opindex debug-disable-ticker
187 This option disables all ticker functions like checking for card
190 @item --debug-allow-core-dump
191 @opindex debug-allow-core-dump
192 For security reasons we won't create a core dump when the process
193 aborts. For debugging purposes it is sometimes better to allow core
194 dump. This option enables it and also changes the working directory to
195 @file{/tmp} when running in @option{--server} mode.
197 @item --debug-log-tid
198 @opindex debug-log-tid
199 This option appends a thread ID to the PID in the log output.
201 @item --debug-assuan-log-cats @var{cats}
202 @opindex debug-assuan-log-cats
203 @efindex ASSUAN_DEBUG
204 Changes the active Libassuan logging categories to @var{cats}. The
205 value for @var{cats} is an unsigned integer given in usual C-Syntax.
206 A value of 0 switches to a default category. If this option is not
207 used the categories are taken from the environment variable
208 @code{ASSUAN_DEBUG}. Note that this option has only an effect if the
209 Assuan debug flag has also been with the option @option{--debug}. For
210 a list of categories see the Libassuan manual.
214 Don't detach the process from the console. This is mainly useful for
217 @item --listen-backlog @var{n}
218 @opindex listen-backlog
219 Set the size of the queue for pending connections. The default is 64.
220 This option has an effect only if @option{--multi-server} is also
223 @item --log-file @var{file}
225 Append all logging output to @var{file}. This is very helpful in
226 seeing what the agent actually does. Use @file{socket://} to log to
231 Use shared mode to access the card via PC/SC. This is a somewhat
232 dangerous option because Scdaemon assumes exclusive access to the
233 card and for example caches certain information from the card. Use
234 this option only if you know what you are doing.
236 @item --pcsc-driver @var{library}
238 Use @var{library} to access the smartcard reader. The current default
239 on Unix is @file{libpcsclite.so} and on Windows @file{winscard.dll}.
240 Instead of using this option you might also want to install a symbolic
241 link to the default file name (e.g. from @file{libpcsclite.so.1}).
242 A Unicode file name may not be used on Windows.
244 @item --ctapi-driver @var{library}
245 @opindex ctapi-driver
246 Use @var{library} to access the smartcard reader. The current default
247 is @file{libtowitoko.so}. Note that the use of this interface is
248 deprecated; it may be removed in future releases.
251 @opindex disable-ccid
252 Disable the integrated support for CCID compliant readers. This
253 allows falling back to one of the other drivers even if the internal
254 CCID driver can handle the reader. Note, that CCID support is only
255 available if libusb was available at build time.
257 @item --reader-port @var{number_or_string}
259 This option may be used to specify the port of the card terminal. A
260 value of 0 refers to the first serial device; add 32768 to access USB
261 devices. The default is 32768 (first USB device). PC/SC or CCID
262 readers might need a string here; run the program in verbose mode to get
263 a list of available readers. The default is then the first reader
266 To get a list of available CCID readers you may use this command:
269 echo scd getinfo reader_list \
270 | gpg-connect-agent --decode | awk '/^D/ @{print $2@}'
274 @item --card-timeout @var{n}
275 @opindex card-timeout
276 This option is deprecated. In GnuPG 2.0, it used to be used for
277 DISCONNECT command to control timing issue. Since DISCONNECT command
278 works synchronously, it has no effect.
280 @item --enable-pinpad-varlen
281 @opindex enable-pinpad-varlen
282 Please specify this option when the card reader supports variable
283 length input for pinpad (default is no). For known readers (listed in
284 ccid-driver.c and apdu.c), this option is not needed. Note that if
285 your card reader doesn't supports variable length input but you want
286 to use it, you need to specify your pinpad request on your card.
289 @item --disable-pinpad
290 @opindex disable-pinpad
291 Even if a card reader features a pinpad, do not try to use it.
297 This option disables the use of admin class commands for card
298 applications where this is supported. Currently we support it for the
299 OpenPGP card. This option is useful to inhibit accidental access to
300 admin class command which could ultimately lock the card through wrong
301 PIN numbers. Note that GnuPG versions older than 2.0.11 featured an
302 @option{--allow-admin} option which was required to use such admin
303 commands. This option has no more effect today because the default is
304 now to allow admin commands.
306 @item --disable-application @var{name}
307 @opindex disable-application
308 This option disables the use of the card application named
309 @var{name}. This is mainly useful for debugging or if a application
310 with lower priority should be used by default.
312 @item --application-priority @var{namelist}
313 @opindex application-priority
314 This option allows to change the order in which applications of a card
315 a tried if no specific application was requested. @var{namelist} is a
316 space or comma delimited list of application names. Unknown names are
317 simply skipped. Applications not mentioned in the list are put in the
318 former order at the end of the new priority list.
320 To get the list of current active applications, use
323 gpg-connect-agent 'scd getinfo app_list' /bye
329 All the long options may also be given in the configuration file after
330 stripping off the two leading dashes.
333 @mansect card applications
334 @node Card applications
335 @section Description of card applications
337 @command{scdaemon} supports the card applications as described below.
340 * OpenPGP Card:: The OpenPGP card application
341 * NKS Card:: The Telesec NetKey card application
342 * DINSIG Card:: The DINSIG card application
343 * PKCS#15 Card:: The PKCS#15 card application
344 * Geldkarte Card:: The Geldkarte application
345 * SmartCard-HSM:: The SmartCard-HSM application
346 * Undefined Card:: The Undefined stub application
350 @subsection The OpenPGP card application ``openpgp''
352 This application is currently only used by @command{gpg} but may in
353 future also be useful with @command{gpgsm}. Version 1 and version 2 of
354 the card is supported.
357 The specifications for these cards are available at@*
358 @uref{http://g10code.com/docs/openpgp-card-1.0.pdf} and@*
359 @uref{http://g10code.com/docs/openpgp-card-2.0.pdf}.
362 @subsection The Telesec NetKey card ``nks''
364 This is the main application of the Telesec cards as available in
365 Germany. It is a superset of the German DINSIG card. The card is
366 used by @command{gpgsm}.
369 @subsection The DINSIG card application ``dinsig''
371 This is an application as described in the German draft standard
372 @emph{DIN V 66291-1}. It is intended to be used by cards supporting
373 the German signature law and its bylaws (SigG and SigV).
376 @subsection The PKCS#15 card application ``p15''
378 This is common framework for smart card applications. It is used by
382 @subsection The Geldkarte card application ``geldkarte''
384 This is a simple application to display information of a German
385 Geldkarte. The Geldkarte is a small amount debit card application which
386 comes with almost all German banking cards.
389 @subsection The SmartCard-HSM card application ``sc-hsm''
391 This application adds read-only support for keys and certificates
392 stored on a @uref{http://www.smartcard-hsm.com, SmartCard-HSM}.
394 To generate keys and store certificates you may use
395 @uref{https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM, OpenSC} or
396 the tools from @uref{http://www.openscdp.org, OpenSCDP}.
398 The SmartCard-HSM cards requires a card reader that supports Extended
402 @subsection The Undefined card application ``undefined''
404 This is a stub application to allow the use of the APDU command even
405 if no supported application is found on the card. This application is
406 not used automatically but must be explicitly requested using the
410 @c *******************************************
411 @c *************** ****************
412 @c *************** FILES ****************
413 @c *************** ****************
414 @c *******************************************
416 @node Scdaemon Configuration
417 @section Configuration files
419 There are a few configuration files to control certain aspects of
420 @command{scdaemons}'s operation. Unless noted, they are expected in the
421 current home directory (@pxref{option --homedir}).
426 @cindex scdaemon.conf
427 This is the standard configuration file read by @command{scdaemon} on
428 startup. It may contain any valid long option; the leading two dashes
429 may not be entered and the option may not be abbreviated. This default
430 name may be changed on the command line (@pxref{option --options}).
434 If this file is present and executable, it will be called on every card
435 reader's status change. An example of this script is provided with the
436 source code distribution. This option is deprecated in favor of the
437 @command{DEVINFO --watch}.
439 @item reader_@var{n}.status
440 This file is created by @command{scdaemon} to let other applications now
441 about reader status changes. Its use is now deprecated in favor of
451 @node Scdaemon Examples
454 @c man begin EXAMPLES
457 $ scdaemon --server -v
466 @node Scdaemon Protocol
467 @section Scdaemon's Assuan Protocol
469 The SC-Daemon should be started by the system to provide access to
470 external tokens. Using Smartcards on a multi-user system does not
471 make much sense except for system services, but in this case no
472 regular user accounts are hosted on the machine.
474 A client connects to the SC-Daemon by connecting to the socket named
475 @file{@value{LOCALRUNDIR}/scdaemon/socket}, configuration information
476 is read from @var{@value{SYSCONFDIR}/scdaemon.conf}
478 Each connection acts as one session, SC-Daemon takes care of
479 synchronizing access to a token between sessions.
482 * Scdaemon SERIALNO:: Return the serial number.
483 * Scdaemon LEARN:: Read all useful information from the card.
484 * Scdaemon READCERT:: Return a certificate.
485 * Scdaemon READKEY:: Return a public key.
486 * Scdaemon PKSIGN:: Signing data with a Smartcard.
487 * Scdaemon PKDECRYPT:: Decrypting data with a Smartcard.
488 * Scdaemon GETATTR:: Read an attribute's value.
489 * Scdaemon SETATTR:: Update an attribute's value.
490 * Scdaemon WRITEKEY:: Write a key to a card.
491 * Scdaemon GENKEY:: Generate a new key on-card.
492 * Scdaemon RANDOM:: Return random bytes generated on-card.
493 * Scdaemon PASSWD:: Change PINs.
494 * Scdaemon CHECKPIN:: Perform a VERIFY operation.
495 * Scdaemon RESTART:: Restart connection
496 * Scdaemon APDU:: Send a verbatim APDU to the card
499 @node Scdaemon SERIALNO
500 @subsection Return the serial number
502 This command should be used to check for the presence of a card. It is
503 special in that it can be used to reset the card. Most other commands
504 will return an error when a card change has been detected and the use of
505 this function is therefore required.
507 Background: We want to keep the client clear of handling card changes
508 between operations; i.e. the client can assume that all operations are
509 done on the same card unless he call this function.
515 Return the serial number of the card using a status response like:
518 S SERIALNO D27600000000000000000000
521 The serial number is the hex encoded value identified by
522 the @code{0x5A} tag in the GDO file (FIX=0x2F02).
527 @subsection Read all useful information from the card
533 Learn all useful information of the currently inserted card. When
534 used without the @option{--force} option, the command might do an INQUIRE
538 INQUIRE KNOWNCARDP <hexstring_with_serialNumber>
541 The client should just send an @code{END} if the processing should go on
542 or a @code{CANCEL} to force the function to terminate with a cancel
543 error message. The response of this command is a list of status lines
547 S KEYPAIRINFO @var{hexstring_with_keygrip} @var{hexstring_with_id}
550 If there is no certificate yet stored on the card a single "X" is
551 returned in @var{hexstring_with_keygrip}.
553 @node Scdaemon READCERT
554 @subsection Return a certificate
557 READCERT @var{hexified_certid}|@var{keyid}
560 This function is used to read a certificate identified by
561 @var{hexified_certid} from the card. With OpenPGP cards the keyid
562 @code{OpenPGP.3} may be used to read the certificate of version 2 cards.
565 @node Scdaemon READKEY
566 @subsection Return a public key
569 READKEY @var{hexified_certid}
572 Return the public key for the given cert or key ID as an standard
577 @node Scdaemon PKSIGN
578 @subsection Signing data with a Smartcard
580 To sign some data the caller should use the command
583 SETDATA @var{hexstring}
586 to tell @command{scdaemon} about the data to be signed. The data must be given in
587 hex notation. The actual signing is done using the command
593 where @var{keyid} is the hexified ID of the key to be used. The key id
594 may have been retrieved using the command @code{LEARN}. If another
595 hash algorithm than SHA-1 is used, that algorithm may be given like:
598 PKSIGN --hash=@var{algoname} @var{keyid}
601 With @var{algoname} are one of @code{sha1}, @code{rmd160} or @code{md5}.
604 @node Scdaemon PKDECRYPT
605 @subsection Decrypting data with a Smartcard
607 To decrypt some data the caller should use the command
610 SETDATA @var{hexstring}
613 to tell @command{scdaemon} about the data to be decrypted. The data
614 must be given in hex notation. The actual decryption is then done
618 PKDECRYPT @var{keyid}
621 where @var{keyid} is the hexified ID of the key to be used.
623 If the card is aware of the apdding format a status line with padding
624 information is send before the plaintext data. The key for this
625 status line is @code{PADDING} with the only defined value being 0 and
626 meaning padding has been removed.
628 @node Scdaemon GETATTR
629 @subsection Read an attribute's value
633 @node Scdaemon SETATTR
634 @subsection Update an attribute's value
638 @node Scdaemon WRITEKEY
639 @subsection Write a key to a card
642 WRITEKEY [--force] @var{keyid}
645 This command is used to store a secret key on a smartcard. The
646 allowed keyids depend on the currently selected smartcard
647 application. The actual keydata is requested using the inquiry
648 @code{KEYDATA} and need to be provided without any protection. With
649 @option{--force} set an existing key under this @var{keyid} will get
650 overwritten. The key data is expected to be the usual canonical encoded
653 A PIN will be requested in most cases. This however depends on the
654 actual card application.
657 @node Scdaemon GENKEY
658 @subsection Generate a new key on-card
662 @node Scdaemon RANDOM
663 @subsection Return random bytes generated on-card
668 @node Scdaemon PASSWD
669 @subsection Change PINs
672 PASSWD [--reset] [--nullpin] @var{chvno}
675 Change the PIN or reset the retry counter of the card holder
676 verification vector number @var{chvno}. The option @option{--nullpin}
677 is used to initialize the PIN of TCOS cards (6 byte NullPIN only).
680 @node Scdaemon CHECKPIN
681 @subsection Perform a VERIFY operation
687 Perform a VERIFY operation without doing anything else. This may be
688 used to initialize a the PIN cache earlier to long lasting
689 operations. Its use is highly application dependent:
694 Perform a simple verify operation for CHV1 and CHV2, so that further
695 operations won't ask for CHV2 and it is possible to do a cheap check on
696 the PIN: If there is something wrong with the PIN entry system, only the
697 regular CHV will get blocked and not the dangerous CHV3. @var{idstr} is
698 the usual card's serial number in hex notation; an optional fingerprint
699 part will get ignored.
701 There is however a special mode if @var{idstr} is suffixed with the
702 literal string @code{[CHV3]}: In this case the Admin PIN is checked if
703 and only if the retry counter is still at 3.
709 @node Scdaemon RESTART
710 @subsection Perform a RESTART operation
716 Restart the current connection; this is a kind of warm reset. It
717 deletes the context used by this connection but does not actually
720 This is used by gpg-agent to reuse a primary pipe connection and
721 may be used by clients to backup from a conflict in the serial
722 command; i.e. to select another application.
728 @subsection Send a verbatim APDU to the card
731 APDU [--atr] [--more] [--exlen[=@var{n}]] [@var{hexstring}]
735 Send an APDU to the current reader. This command bypasses the high
736 level functions and sends the data directly to the card.
737 @var{hexstring} is expected to be a proper APDU. If @var{hexstring} is
738 not given no commands are send to the card; However the command will
739 implicitly check whether the card is ready for use.
741 Using the option @code{--atr} returns the ATR of the card as a status
742 message before any data like this:
744 S CARD-ATR 3BFA1300FF813180450031C173C00100009000B1
747 Using the option @code{--more} handles the card status word MORE_DATA
748 (61xx) and concatenate all responses to one block.
750 Using the option @code{--exlen} the returned APDU may use extended
751 length up to N bytes. If N is not given a default value is used
758 @command{gpg-agent}(1),
762 @include see-also-note.texi