'\" t
.\"     Title: pkcs15-crypt
.\"    Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets vsnapshot
.\"      Date: 03/10/2024
.\"    Manual: OpenSC Tools
.\"    Source: opensc
.\"  Language: English
.\"
.TH "PKCS15\-CRYPT" "1" "03/10/2024" "opensc" "OpenSC Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
pkcs15-crypt \- perform crypto operations using PKCS#15 smart cards
.SH "SYNOPSIS"
.HP \w'\fBpkcs15\-crypt\fR\ 'u
\fBpkcs15\-crypt\fR [\fIOPTIONS\fR]
.SH "DESCRIPTION"
.PP
The
\fBpkcs15\-crypt\fR
utility can be used from the command line to perform cryptographic operations such as computing digital signatures or decrypting data, using keys stored on a PKCS#15 compliant smart card\&.
.SH "OPTIONS"
.PP
.PP
\fB\-\-version\fR,
.RS 4
Print the OpenSC package release version\&.
.RE
.PP
\fB\-\-aid\fR \fIaid\fR
.RS 4
Specify the AID of the on\-card PKCS#15 application to bind to\&. The
\fIaid\fR
must be in hexadecimal form\&.
.RE
.PP
\fB\-\-decipher\fR, \fB\-c\fR
.RS 4
Decrypt the contents of the file specified by the
\fB\-\-input\fR
option\&.
The result of the decryption operation is written to the file specified by the
\fB\-\-output\fR
option\&. If this option is not given, the decrypted data is printed to standard output, displaying non\-printable characters using their hex notation xNN (see also
\fB\-\-raw\fR)\&.
.RE
.PP
\fB\-\-input\fR \fIfile\fR, \fB\-i\fR \fIfile\fR
.RS 4
Specifies the input file to use\&. Defaults to stdin if not specified\&.
.RE
.PP
\fB\-\-key\fR \fIid\fR, \fB\-k\fR \fIid\fR
.RS 4
Selects the ID of the key to use\&.
.RE
.PP
\fB\-\-output\fR \fIfile\fR, \fB\-o\fR \fIfile\fR
.RS 4
Any output will be sent to the specified file\&. Defaults to stdout if not specified\&.
.RE
.PP
\fB\-\-pin\fR \fIpin\fR, \fB\-p\fR \fIpin\fR
.RS 4
When the cryptographic operation requires a PIN to access the key,
\fBpkcs15\-crypt\fR
will prompt the user for the PIN on the terminal\&. Using this option allows you to specify the PIN on the command line\&.
.sp
Note that on most operating systems, the command line of a process can be displayed by any user using the
ps(1)
command\&. It is therefore a security risk to specify secret information such as PINs on the command line\&. If you specify \*(Aq\-\*(Aq as PIN, it will be read from STDIN\&.
.RE
.PP
\fB\-\-pkcs1\fR
.RS 4
By default,
\fBpkcs15\-crypt\fR
assumes that input data has been padded to the correct length (i\&.e\&. when computing an RSA signature using a 1024 bit key, the input must be padded to 128 bytes to match the modulus length)\&. When giving the
\fB\-\-pkcs1\fR
option, however,
\fBpkcs15\-crypt\fR
will perform the required padding using the algorithm outlined in the PKCS #1 standard version 1\&.5\&.
.RE
.PP
\fB\-\-raw\fR, \fB\-R\fR
.RS 4
Outputs raw 8 bit data\&.
.RE
.PP
\fB\-\-reader\fR \fIarg\fR, \fB\-r\fR \fIarg\fR
.RS 4
Number of the reader to use\&. By default, the first reader with a present card is used\&. If
\fIarg\fR
is an ATR, the reader with a matching card will be chosen\&.
.RE
.PP
\fB\-\-md5\fR \fB\-\-sha\-1\fR \fB\-\-sha\-224\fR \fB\-\-sha\-256\fR \fB\-\-sha\-384\fR \fB\-\-sha\-512\fR
.RS 4
These options tell
\fBpkcs15\-crypt\fR
that the input file is the result of the specified hash operation\&. By default, an MD5 hash is expected\&. Again, the data must be in binary representation\&.
.RE
.PP
\fB\-\-sign\fR, \fB\-s\fR
.RS 4
Perform digital signature operation on the data read from a file specified using the
\fB\-\-input\fR
option\&. By default, the contents of the file are assumed to be the result of an MD5 hash operation\&. Note that
\fBpkcs15\-crypt\fR
expects the data in binary representation, not ASCII\&.
.sp
The digital signature is stored, in binary representation, in the file specified by the
\fB\-\-output\fR
option\&. If this option is not given, the signature is printed on standard output, displaying non\-printable characters using their hex notation
x\fINN\fR
(see also
\fB\-\-raw\fR)\&.
.RE
.PP
\fB\-\-signature\-format\fR, \fB\-\-f\fR
.RS 4
When signing with ECDSA key this option indicates to
\fBpkcs15\-crypt\fR
the signature output format\&. Possible values are \*(Aqrs\*(Aq(default) \-\- two concatenated integers (PKCS#11), \*(Aqsequence\*(Aq or \*(Aqopenssl\*(Aq \-\- DER encoded sequence of two integers (OpenSSL)\&.
.RE
.PP
\fB\-\-wait\fR, \fB\-w\fR
.RS 4
Causes
\fBpkcs15\-crypt\fR
to wait for a card insertion\&.
.RE
.PP
\fB\-\-verbose\fR, \fB\-v\fR
.RS 4
Causes
\fBpkcs15\-crypt\fR
to be more verbose\&. Specify this flag several times to enable debug output in the OpenSC library\&.
.RE
.SH "SEE ALSO"
.PP
\fBpkcs15-init\fR(1),
\fBpkcs15-tool\fR(1)
.SH "AUTHORS"
.PP
\fBpkcs15\-crypt\fR
was written by
Juha Yrjölä\&.
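The padded block that the --pkcs1 description refers to, built and checked in Python as an added example (not OpenSC code). It follows the EMSA-PKCS1-v1_5 layout from RFC 8017; the function names are this example's own, and treating this layout as what a given card expects when --pkcs1 is omitted is an assumption.

```python
import hashlib

# DER DigestInfo prefixes from RFC 8017, section 9.2; last byte = digest length.
DIGEST_INFO = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}


def emsa_pkcs1_v15(digest, hash_name, modulus_bits):
    """Return 00 01 FF..FF 00 DigestInfo||digest, exactly modulus-length bytes."""
    prefix = DIGEST_INFO.get(hash_name)
    if prefix is None or len(digest) != prefix[-1]:
        raise ValueError("unknown hash or wrong digest length")
    t = prefix + digest
    pad = (modulus_bits + 7) // 8 - len(t) - 3
    if pad < 8:  # RFC 8017 requires at least eight 0xFF padding bytes
        raise ValueError("modulus too short for this hash")
    return b"\x00\x01" + b"\xff" * pad + b"\x00" + t


def parse_emsa(em, modulus_bits):
    """Validate a padded block and return (hash_name, digest)."""
    if len(em) != (modulus_bits + 7) // 8 or em[:2] != b"\x00\x01":
        raise ValueError("wrong length or header")
    sep = em.find(b"\x00", 2)
    if sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        raise ValueError("bad padding string")
    t = em[sep + 1:]
    for name, prefix in DIGEST_INFO.items():
        if t.startswith(prefix) and len(t) == len(prefix) + prefix[-1]:
            return name, t[len(prefix):]
    raise ValueError("unknown DigestInfo")


if __name__ == "__main__":
    # Constructed sample input; 1024 bits matches the 128-byte case in the text.
    d = hashlib.sha256(b"constructed sample message").digest()
    block = emsa_pkcs1_v15(d, "sha256", 1024)
    print(len(block), parse_emsa(block, 1024)[0])
```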