xNightR00T File Manager

# Configuration file for OpenSC
# Example configuration file

# NOTE: All key-value pairs must be terminated by a semicolon.

# Default values for any application
# These can be overridden by an application
# specific configuration block.
app default {
	# Amount of debug info to print
	#
	# A greater value means more debug info.
	# Default: 0
	#
	debug = 0;

	# The file to which debug output will be written
	#
	# Special values 'stdout' and 'stderr' are recognized.
	# Default: stderr
	#
	# debug_file = /tmp/opensc-debug.log

	# Re-open debug file  (used in WIN32)
	#
	# In Windows, file handles can not be shared between DLL-s,
	#  each DLL has a separate file handle table.
	# For that reason reopen debug file before every debug message.
	#
	# Default: true
	# reopen_debug_file = false;

	# PKCS#15 initialization / personalization
	# profiles directory for pkcs15-init.
	# Default: /usr/share/opensc
	#
	# profile_dir = /usr/share/opensc;

	# Paranoid memory allocation.
	#
	# If set to 'true', then refuse to continue when locking of non-pageable
	# memory fails. This can cause subtle failures but is more secure when
	# you have a swap disk.
	# Default: false
	#
	# paranoid_memory = false;

	# CT-API module configuration.
	reader_driver ctapi {
		# module /usr/lib64/libtowitoko.so {
			# CT-API ports:
			# 0..3		COM1..4
			# 4		Printer
			# 5		Modem
			# 6..7		LPT1..2
			# ports = 0;
		# }
	}

	# The following section shows definitions for PC/SC readers.
	reader_driver pcsc {
		# Limit command and response sizes.
		# Default: n/a
		# max_send_size = 255;
		# max_recv_size = 256;
		#
		# Connect to reader in exclusive mode?
		# Default: false
		# connect_exclusive = true;
		#
		# What to do when disconnecting from a card (SCardDisconnect)
		# Valid values: leave, reset, unpower.
		# Default: reset
		# disconnect_action = unpower;
		#
		# What to do at the end of a transaction (SCardEndTransaction)
		# Valid values: leave, reset, unpower.
		# Default: leave
		# transaction_end_action = reset;
		#
		# What to do when reconnection to a card (SCardReconnect)
		# Valid values: leave, reset, unpower.
		# Note that this affects only the internal reconnect (after a SCARD_W_RESET_CARD).
		# A forced reset via sc_reset() always does a full powerup.
		# Default: leave
		# reconnect_action = reset;
		#
		# Enable pinpad if detected (PC/SC v2.0.2 Part 10)
		# Default: true
		# enable_pinpad = false;
		#
		# Use specific pcsc provider.
		# Default: libpcsclite.so.1
		# provider_library = libpcsclite.so.1
	}

	# Options for OpenCT support
	reader_driver openct {
		# Virtual readers to allocate.
		# Default: 2
		# readers = 5;
		#
		# Limit command and response sizes.
		# Default: n/a
		# max_send_size = 255;
		# max_recv_size = 256;
	};

	# What card drivers to load at start-up
	#
	# A special value of 'internal' will load all
	# statically linked drivers. If an unknown (ie. not
	# internal) driver is supplied, a separate configuration
	# configuration block has to be written for the driver.
	# Default: internal
	# NOTE: When "internal" keyword is used, must be last entry
	#
	# card_drivers = customcos, internal;

	# Card driver configuration blocks.

	# For card drivers loaded from an external shared library/DLL,
	# you need to specify the path name of the module
	#
	# card_driver customcos {
		# The location of the driver library
		# module = /usr/lib64/card_customcos.so;
	# }

	# Force using specific card driver
	#
	# If this option is present, OpenSC will use the supplied
	# driver with all inserted cards.
	#
	# Default: autodetect
	#
	# force_card_driver = customcos;

	# In addition to the built-in list of known cards in the
	# card driver, you can configure a new card for the driver
	# using the card_atr block. The goal is to centralize
	# everything related to a certain card to card_atr.
	#
	# The supported internal card driver names can be retrieved
	# from the output of:
	# $ opensc-tool --list-drivers

	# Generic format: card_atr <hex encoded ATR (case-sensitive!)>

	# New card entry for the flex card driver
	# card_atr 3b:f0:0d:ca:fe {
		# All parameters for the context are
		# optional unless specified otherwise.

		# Context: global, card driver
		#
		# ATR mask value
		#
		# The mask is logically AND'd with an
		# card ATR prior to comparison with the
		# ATR reference value above. Using mask
		# allows identifying and configuring
		# multiple ATRs as the same card model.
		# atrmask = "ff:ff:ff:ff:ff";

		# Context: card driver
		#
		# Specify used card driver (REQUIRED).
		#
		# When enabled, overrides all possible
		# settings from the card drivers built-in
		# card configuration list.
		# driver = "flex";

		# Set card name for card drivers that allows it.
		# name = "My CryptoFlex card";

		# Card type as an integer value.
		#
		# Depending on card driver, this allows
		# tuning the behaviour of the card driver
		# for your card.
		# type = "2002";

		# Card flags as an hex value.
		# Multiple values are OR'd together.
		#
		# Depending on card driver, this allows
		# fine-tuning the capabilities in
		# the card driver for your card.
		#
		# Optionally, some known parameters
		# can be specified as strings:
		#
		# rng - On-board random number source
		#
		# flags = "rng", "0x80000000";

		#
		# Context: PKCS#15 emulation layer
		#
		# When using PKCS#15 emulation, force
		# the emulation driver for specific cards.
		#
		# Required for external drivers, but can
		# be used with built-in drivers, too.
		# pkcs15emu = "custom";

		#
		# Context: reader driver
		#
		# Force protocol selection for specific cards.
		# Known parameters: t0, t1, raw
		# force_protocol = "t0";
	# }

	# PIV cards need an entry similar to this one:
	# card_atr 3B:7D:96:00:00:80:31:80:65:B0:83:11:00:AC:83:00:90:00 {
		# name = "PIV-II";
		# driver = "piv";
	# }

	# Estonian ID card and Micardo driver sometimes only play together with T=0
	# In theory only the 'cold' ATR should be specified, as T=0 will
	# be the preferred protocol once you boot it up with T=0, but be
	# paranoid.
	#
	# Warm ATR v1
	card_atr 3b:6e:00:ff:45:73:74:45:49:44:20:76:65:72:20:31:2e:30 {
		force_protocol = t0;
	}
	# Cold ATR v1
	card_atr 3b:fe:94:00:ff:80:b1:fa:45:1f:03:45:73:74:45:49:44:20:76:65:72:20:31:2e:30:43 {
		force_protocol = t0;
	}
	# Warm ATR v2
	card_atr 3b:5e:11:ff:45:73:74:45:49:44:20:76:65:72:20:31:2e:30 {
		force_protocol = t0;
	}
	# Cold ATR v2
	card_atr 3b:de:18:ff:c0:80:b1:fe:45:1f:03:45:73:74:45:49:44:20:76:65:72:20:31:2e:30:2b {
		force_protocol = t0;
	}
	# Digi-ID cold ATR. The same card has the same warm ATR as "Cold ATR v1" above
	# The card is claimed to only support T=0 but in fact (sometimes) works with T=1, even if not advertised in ATR.
	card_atr 3b:6e:00:00:45:73:74:45:49:44:20:76:65:72:20:31:2e:30 {
		force_protocol = t0;
	}
	# Cold ATR v3 dev1
	card_atr 3b:fe:18:00:00:80:31:fe:45:45:73:74:45:49:44:20:76:65:72:20:31:2e:30:a8 {
		force_protocol = t0;
	}
	# Warm ATR v3 dev1
	card_atr 3b:fe:18:00:00:80:31:fe:45:80:31:80:66:40:90:a4:56:1b:16:83:01:90:00:86 {
		force_protocol = t0;
	}
	# Warm ATR v3 dev2
	card_atr 3b:fe:18:00:00:80:31:fe:45:80:31:80:66:40:90:a4:16:2a:00:83:01:90:00:e1 {
		force_protocol = t0;
	}
	# Warm ATR v3 (18.01.2011)
	card_atr 3b:fe:18:00:00:80:31:fe:45:80:31:80:66:40:90:a4:16:2a:00:83:0f:90:00:ef {
		force_protocol = t0;
	}

	# D-Trust cards are also based on micardo and need T=0 for some reason
	card_atr 3b:ff:94:00:ff:80:b1:fe:45:1f:03:00:68:d2:76:00:00:28:ff:05:1e:31:80:00:90:00:23 {
		force_protocol = t0;
	}
	card_atr 3b:ff:11:00:ff:80:b1:fe:45:1f:03:00:68:d2:76:00:00:28:ff:05:1e:31:80:00:90:00:a6 {
		force_protocol = t0;
	}

	# Oberthur's AuthentIC v3.2.2
	card_atr 3B:DD:18:00:81:31:FE:45:80:F9:A0:00:00:00:77:01:00:70:0A:90:00:8B {
		type = 11100;
		driver = "authentic";
		name = "AuthentIC v3.1";

		# Name of SM configuration sub-section
		# secure_messaging = local_authentic;
	}

	# IAS/ECC cards
	card_atr 3B:7F:96:00:00:00:31:B9:64:40:70:14:10:73:94:01:80:82:90:00 {
                type = 25001;
                driver = "iasecc";
                name = "Gemalto MultiApp IAS/ECC v1.0.1";
                secure_messaging = local_gemalto_iam;
		# secure_messaging = local_adele;
		md_read_only = false;
		md_supports_X509_enrollment = true;
        }
	card_atr 3B:7F:96:00:00:00:31:B8:64:40:70:14:10:73:94:01:80:82:90:00 {
                type = 25001;
                driver = "iasecc";
                name = "Gemalto MultiApp IAS/ECC v1.0.1";
                secure_messaging = local_gemalto_iam;
		md_read_only = false;
		md_supports_X509_enrollment = true;
        }
        #card_atr 3B:DD:18:00:81:31:FE:45:80:F9:A0:00:00:00:77:01:08:00:07:90:00:FE {
        #        type = 25002;
        #        driver = "iasecc";
        #        name = "Oberthur IAS/ECC v1.0.1";
        #        # No 'admin' application for this card -- no secure messaging
        #}
        #card_atr 3B:7F:18:00:00:00:31:B8:64:50:23:EC:C1:73:94:01:80:82:90:00 {
        #        type = 25003;
        #        driver = "iasecc";
        #        name = "Morpho YpsID S3 IAS/ECC";
        #        # secure_messaging = local_morpho_YpsID_S3;
        #}
        card_atr 3B:DF:18:FF:81:91:FE:1F:C3:00:31:B8:64:0C:01:EC:C1:73:94:01:80:82:90:00:B3 {
                type = 25004;
                driver = "iasecc";
                name = "Amos IAS/ECC v1.0.1";
                md_read_only = false;
                md_supports_X509_enrollment = true;
                secure_messaging = local_amos;
        }
        card_atr 3B:DC:18:FF:81:91:FE:1F:C3:80:73:C8:21:13:66:01:0B:03:52:00:05:38 {
                type = 25004;
                driver = "iasecc";
                name = "Amos IAS/ECC v1.0.1";
                md_read_only = false;
                md_supports_X509_enrollment = true;
                secure_messaging = local_amos_eid;
        }

	secure_messaging local_authentic  {
		#path to ans name of external SM module
		#module_name = ;
		#module_path = /usr/lib64;

		# specific data to tune the module initialization
		#module_data = "Here can be your SM module init data";

		# SM mode:
		# 'transmit' -- in this mode the procedure to securize an APDU is called by the OpenSC general
                #               APDU transmit procedure.
		#		In this mode all APDUs, except the ones filtered by the card specific procedure,
                #               are securized.
                # 'acl' -- in this mode APDU are securized only if needed by the ACLs of the command to be executed.
                #
		#mode = transmit;

		# SM type specific flags
		# flags = 0x78;           # 0x78 -- level 3, channel 0

		# Default KMC of the GP Card Manager for the Oberthur's Java cards
		# kmc = "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00";
	}

        secure_messaging local_gemalto_iam  {
		module_name = ;
		module_path = /usr/lib64;
                #module_data = "";
                type = acl;             # transmit, acl

                ifd_serial = "11:22:33:44:55:66:77:88";

                # Keyset values from IAM profiles of the Gemalto IAS/ECC cards
                keyset_02_enc = "RW_PRIV_ENC_TEST";
                keyset_02_mac = "RW_PRIV_MAC_TEST";

                keyset_E828BD080FD2504543432D654944_01_enc = "RO_ENC_TEST_KEY_";
                keyset_E828BD080FD2504543432D654944_01_mac = "RO_MAC_TEST_KEY_";

                keyset_E828BD080FD2504543432D654944_03_enc = "RW_PUBL_ENC_TEST";
                keyset_E828BD080FD2504543432D654944_03_mac = "RW_PUBL_MAC_TEST";
        }

	secure_messaging local_amos  {
		module_name = ;
		module_path = /usr/lib64;
		mode = acl;
		ifd_serial = "11:22:33:44:55:66:77:88";
		keyset_02_enc = "ENCROECHANTILLON";
		keyset_02_mac = "MACROECHANTILLON";
	}

        secure_messaging local_amos_eid  {
		module_name = ;
		module_path = /usr/lib64;
                mode = acl;
                ifd_serial = "11:22:33:44:55:66:77:88";
                keyset_E828BD080FD2504543432D654944_03_enc = "RW_PUBL_ENC_TEST";
                keyset_E828BD080FD2504543432D654944_03_mac = "RW_PUBL_MAC_TEST";
        }

        secure_messaging local_adele  {
		module_name = ;
		module_path = /usr/lib64;
                #module_data = "";
                type = acl;             # transmit, acl

		ifd_serial = "11:22:33:44:55:66:77:88";

                # Keyset values from 'Adele' profiles of the IAS/ECC cards
                keyset_01_enc = "EMENCECHANTILLON";
                keyset_01_mac = "EMMACECHANTILLON";

                keyset_02_enc = "AAENCECHANTILLON";
                keyset_02_mac = "AAMACECHANTILLON";

                keyset_E828BD080FD2500000040301_02_enc = "E2ENCECHANTILLON";
                keyset_E828BD080FD2500000040301_02_mac = "E2MACECHANTILLON";

                keyset_D2500000044164E86C650101_02_enc = "E1ENCECHANTILLON";
                keyset_D2500000044164E86C650101_02_mac = "E1MACECHANTILLON";

                keyset_D2500000044164E86C650101_03_enc = "SIENCECHANTILLON";
                keyset_D2500000044164E86C650101_03_mac = "SIMACECHANTILLON";
        }

	# Below are the framework specific configuration blocks.

	# PKCS #15
	framework pkcs15 {
		# Whether to use the cache files in the user's
		# home directory.
		#
		# At the moment you have to 'teach' the card
		# to the system by running command: pkcs15-tool -L
		#
		# WARNING: Caching shouldn't be used in setuid root
		# applications.
		# Default: false
		# use_file_caching = true;
		#
		# Use PIN caching?
		# Default: true
		# use_pin_caching = false;
		#
		# How many times to use a PIN from cache before re-authenticating it?
		# Default: 10
		# pin_cache_counter = 3;
		#
		# Older PKCS#11 applications not supporting CKA_ALWAYS_AUTHENTICATE
		# may need to set this to get signatures to work with some cards.
		# Default: false
		# pin_cache_ignore_user_consent = true;
		#
		# Enable pkcs15 emulation.
		# Default: yes
		# enable_pkcs15_emulation = no;
		#
		# Prefer pkcs15 emulation code before
		# the normal pkcs15 processing.
		# Some cards (like esteid and pteid) work in emu-only mode,
		# and do not depend on this option.
		#
		# Default: no
		# try_emulation_first = yes;

		# Enable builtin emulators.
		# Default: yes
		# enable_builtin_emulation = no;
		#
		# List of the builtin pkcs15 emulators to test
		# Default: esteid, openpgp, tcos, starcert, itacns, infocamere, postecert, actalis, atrust-acos, gemsafeGPK, gemsafeV1, tccardos, PIV-II;
		# builtin_emulators = openpgp;

		# additional settings per driver
		#
		# For pkcs15 emulators loaded from an external shared
		# library/DLL, you need to specify the path name of the module
		# and customize the card_atr example above correctly.
		#
		# emulate custom {
			# The location of the driver library
			# module = /usr/lib64/p15emu_custom.so;
		# }

		# some additional application parameters:
		# - type (generic, protected) used to distinguish the common access application
		#   and application for which authentication to perform some operation cannot be
		#   obtained with the common procedures (ex. object creation protected by secure messaging).
		#   Used by PKCS#11 module configurated to expose restricted number of slots.
		#   (for ex. configurated to expose only User PIN slot, User and Sign PINs slots, ...)
                application E828BD080FD25047656E65726963 {
                        type = generic;
                        model = "ECC Generic PKI";
                }

                application E828BD080FD2500000040301 {
                        type = generic;
                        model = "Adèle Générique";
                }

                application E828BD080FD2504543432D654944 {
                        type = protected;
                        model = "ECC eID";
                }

                application E828BD080FD2500000040201 {
                        type = protected;
                        model = "Adèle Admin-2";
                }
	}
}

# Parameters for the OpenSC PKCS11 module
app opensc-pkcs11 {
	pkcs11 {
		# Should the module support hotplug of readers as per PKCS#11 v2.20?
		# This affects slot changes and PC/SC PnP, as v2.11 applications
		# are not allowed to change the length of the slot list.
		# Default: true
		# plug_and_play = false;

		# Maximum Number of virtual slots.
		# If there are more slots than defined here,
		# the remaining slots will be hidden from PKCS#11.
		# Default: 16
		# max_virtual_slots = 32;

		# Maximum number of slots per smart card.
		# If the card has fewer keys than defined here,
		# the remaining number of slots will be empty.
		# Default: 4
		# slots_per_card = 2;

		# (max_virtual_slots/slots_per_card) limits the number of readers
		# that can be used on the system. Default is then 16/4=4 readers.

		# Normally, the pkcs11 module will create
		# the full number of slots defined above by
		# num_slots. If there are fewer pins/keys on
		# the card, the remaining keys will be empty
		# (and you will be able to create new objects
		# within them).
		# Default: true
		# hide_empty_tokens = false;

		# By default, the OpenSC PKCS#11 module will not lock your card
		# once you authenticate to the card via C_Login.
		#
		# Thus the other users or other applications is not prevented
		# from connecting to the card and perform crypto operations
		# (which may be possible because you have already authenticated
		# with the card). This setting is not very secure.
		#
		# Also, if your card is not locked, you can enconter problems
		# due to limitation of the OpenSC framework, that still is not
		# thoroughly tested in the multi threads environment.
		#
		# Your settings will be more secure if you choose to lock your
		# card. Nevertheless this behavior is a known violation of PKCS#11
		# specification. Now once one application has started using your
		# card with C_Login, no other application can use it, until
		# the first is done and calls C_Logout or C_Finalize. In the case
		# of many PKCS#11 application this does not happen until you exit
		# the application.
		# Thus it is impossible to use several smart card aware applications
		# at the same time, e.g. you cannot run both Firefox and Thunderbird at
		# the same time, if both are configured to use your smart card.
		#
		# Default: false
		# lock_login = true;

		# User PIN unblock style
		#    none:  PIN unblock is not possible with PKCS#11 API;
		#    set_pin_in_unlogged_session:  C_SetPIN() in unlogged session:
		#       PUK is passed as the 'OldPin' argument of the C_SetPIN() call.
		#    set_pin_in_specific_context:  C_SetPIN() in the CKU_SPECIFIC_CONTEXT logged session:
		#       PUK is passed as the 'OldPin' argument of the C_SetPIN() call.
		#    init_pin_in_so_session:  C_InitPIN() in CKU_SO logged session:
		#       User PIN 'UNBLOCK' is protected by SOPIN. (PUK == SOPIN).
		#       # Actually this style works only for the PKCS15 contents without SOPIN.
		#       # For those with SOPIN, this mode will be usefull for the cards without
		#       #   modes 00 and 01 of ISO command 'RESET RETRY COUNTER'. --vt
		#
		# Default: none
		# user_pin_unblock_style = set_pin_in_unlogged_session;

		# Create slot for unblocking PIN with PUK
		# This way PKCS#11 API can be used to login with PUK and
		# change a PIN.
		# Warning: causes problems with some applications like
		# firefox and thunderbird. Thus turned off by default
		#
		# Default: false
		# create_puk_slot = true;

		# Report as 'zero' the CKA_ID attribute of CA certificate
		# For the unknown reason the middleware of the manufacturer of gemalto (axalto, gemplus)
		# card reports as '0' the CKA_ID of CA cartificates.
		# Maybe someone else will need it. (Would be nice to know who and what for -- VTA)
		#
		# Default: false
		# zero_ckaid_for_ca_certs = true;

		# List of readers to ignore
		# If any of the strings listed below is matched (case sensitive) in a reader name,
		# the reader is ignored by the PKCS#11 module.
		#
		# Default: empty
		# ignored_readers = "CardMan 1021", "SPR 532";

                # Symbolic names of PINs for which slots are created
                # Card can contain more then one PINs or more then one on-card application with
                #   its own PINs. Normally, to access all of them with the PKCS#11 API a slot has to be
                #   created for all of them. Many slots could be ennoying for some of widely used application,
                #   like FireFox. This configuration parameter allows to select the PINs or on-card application
                #   for which PKCS#11 slot will be created.
                # Actually recognised following symbolic names:
                #  'user', 'sign', 'application', all
                # Only PINs initialised, non-SoPIN, non-unblocking are associated with symbolic name.
                # 'user' is identified as first global or first local PIN.
                # 'sign' is identified as second PIN: first local, second global or second local.
                # 'application' slot created for each on-card application,
                #   even if they use a common global PIN.
                # 'all' slot created for all non-sopin, non-unblocking PINs,
                #   optionally for PUK (see option 'create_puk_slot')
                #
                # Default: all
                # create_slots_for_pins = "user,sign";
                # create_slots_for_pins = application;
                # create_slots_for_pins = "application,sign";
	}
}

# Used by OpenSC.tokend on Mac OS X only.
app tokend {
	# The file to which debug log will be written
	# Default: /tmp/opensc-tokend.log
	#
	# debug_file = /Library/Logs/OpenSC.tokend.log

	framework tokend {
		# Score for OpenSC.tokend
		# The tokend with the highest score shall be used.
		# Default: 300
		#
		# score = 10;
	}
}

# XXX: remove cardmod pseudodriver
app cardmod {
	# cardmod app name use special pcsc reader subset
	# fix options for this reader driver here.

	reader_driver cardmod {
		# Enable pinpad if detected (PC/SC v2.0.2 Part 10)
		# Default: true
		# enable_pinpad = false;
	}
}