lunar (1) npa-tool.1.gz

Provided by: opensc_0.23.0-0.1ubuntu1_amd64 bug

NAME

       npa-tool - displays information on the German eID card (neuer Personalausweis, nPA).

SYNOPSIS

       npa-tool [OPTIONS]

DESCRIPTION

       The npa-tool utility is used to display information stored on the German eID card (neuer
       Personalausweis, nPA), and to perform some write and verification operations.

       Extended Access Control version 2 is performed according to ICAO Doc 9303 or BSI TR-03110
       so that other identity cards and machine readable travel documents (MRTDs) may be read as
       well.

OPTIONS

       --help, -h
           Print help and exit.

       --version, -V
           Print version and exit.

       --reader arg, -r arg
           Number of the reader to use. By default, the first reader with a present card is used.
           If arg is an ATR, the reader with a matching card will be chosen.

       --verbose, -v
           Causes npa-tool to be more verbose. Specify this flag several times to be more
           verbose.

   Password Authenticated Connection Establishment (PACE)
       --pin [STRING], -p [STRING]
           Run PACE with (transport) eID-PIN.

       --puk [STRING], -u [STRING]
           Run PACE with PUK.

       --can [STRING], -c [STRING]
           Run PACE with Card Access Number (CAN).

       --mrz [STRING], -m [STRING]
           Run PACE with Machine Readable Zone (MRZ). Enter the MRZ without newlines.

       --env
           Specify whether to use environment variables PIN, PUK, CAN, MRZ, and NEWPIN. You may
           want to clean your environment before enabling this. (default=off)

   PIN management
       --new-pin [STRING], -N [STRING]
           Install a new PIN.

       --resume, -R
           Resume eID-PIN (uses CAN to activate last retry). (default=off)

       --unblock, -U
           Unblock PIN (uses PUK to activate three more retries). (default=off)

   Terminal Authentication (TA) and Chip Authentication (CA)
       --cv-certificate FILENAME, -C FILENAME
           Specify Card Verifiable (CV) certificate to create a certificate chain. The option can
           be given multiple times, in which case the order is important.

       --cert-desc HEX_STRING
           Certificate description to show for Terminal Authentication.

       --chat HEX_STRING
           Specify the Card Holder Authorization Template (CHAT) to use. If not given, it
           defaults to the terminal's CHAT. Use 7F4C0E060904007F000703010203530103 to trigger EAC
           on the CAT-C (Komfortleser).

       --auxiliary-data HEX_STRING, -A HEX_STRING
           Specify the terminal's auxiliary data. If not given, the default is determined by
           verification of validity, age and community ID.

       --private-key FILENAME, -P FILENAME
           Specify the terminal's private key.

       --cvc-dir DIRECTORY
           Specify where to look for the certificate of the Country Verifying Certification
           Authority (CVCA). If not given, it defaults to /home/fm/.local/etc/eac/cvc.

       --x509-dir DIRECTORY
           Specify where to look for the X.509 certificate. If not given, it defaults to
           /home/fm/.local/etc/eac/x509.

       --disable-ta-checks
           Disable checking the validity period of CV certificates. (default=off)

       --disable-ca-checks
           Disable passive authentication. (default=off)

   Read and write data groups
       --read-dg1
           Read data group 1: Document Type.

       --read-dg2
           Read data group 2: Issuing State.

       --read-dg3
           Read data group 3: Date of Expiry.

       --read-dg4
           Read data group 4: Given Name(s).

       --read-dg5
           Read data group 5: Family Name.

       --read-dg6
           Read data group 6: Religious/Artistic Name.

       --read-dg7
           Read data group 7: Academic Title.

       --read-dg8
           Read data group 8: Date of Birth.

       --read-dg9
           Read data group 9: Place of Birth.

       --read-dg10
           Read data group 10: Nationality.

       --read-dg11
           Read data group 11: Sex.

       --read-dg12
           Read data group 12: Optional Data.

       --read-dg13
           Read data group 13: Birth Name.

       --read-dg14
           Read data group 14.

       --read-dg15
           Read data group 15.

       --read-dg16
           Read data group 16.

       --read-dg17
           Read data group 17: Normal Place of Residence.

       --read-dg18
           Read data group 18: Community ID.

       --read-dg19
           Read data group 19: Residence Permit I.

       --read-dg20
           Read data group 20: Residence Permit II.

       --read-dg21
           Read data group 21: Optional Data.

       --write-dg17 HEX_STRING
           Write data group 17: Normal Place of Residence.

       --write-dg18 HEX_STRING
           Write data group 18: Community ID.

       --write-dg19 HEX_STRING
           Write data group 19: Residence Permit I.

       --write-dg20 HEX_STRING
           Write data group 20: Residence Permit II.

       --write-dg21 HEX_STRING
           Write data group 21: Optional Data.

   Verification of validity, age and community ID
       --verify-validity YYYYMMDD
           Verify chip's validity with a reference date.

       --older-than YYYYMMDD
           Verify age with a reference date.

       --verify-community HEX_STRING
           Verify community ID with a reference ID.

   Special options, not always useful
       --break, -b
           Brute force PIN, CAN or PUK. Use together with options -p, -a, or -u. (default=off)

       --translate FILENAME, -t FILENAME
           Specify the file with APDUs of HEX_STRINGs to send through the secure channel.
           (default=`stdin')

       --tr-03110v201
           Force compliance to BSI TR-03110 version 2.01. (default=off)

       --disable-all-checks
           Disable all checking of fly-by-data. (default=off)

AUTHORS

       npa-tool was written by Frank Morgner <frankmorgner@gmail.com>.