# Configuration file for OpenSC
# Example configuration file

# NOTE: All key-value pairs must be terminated by a semicolon.

# Default values for any application
# These can be overridden by an application
# specific configuration block.
app default {
	# Amount of debug info to print
	#
	# A greater value means more debug info.
	# Default: 0
	#
	debug = 0;

	# The file to which debug output will be written
	#
	# A special value of 'stdout' is recognized.
	# Default: stdout
	#
	# debug_file = /tmp/opensc-debug.log;
	# debug_file = "C:\Documents and Settings\All Users\Documents\opensc-debug.log";

	# The file to which errors will be written
	#
	# A special value of 'stderr' is recognized.
	# Default: stderr
	#
	# error_file = /tmp/opensc-errors.log;
	# error_file = "C:\Documents and Settings\All Users\Documents\opensc-errors.log";

	# PKCS#15 initialization / personalization
	# profiles directory for pkcs15-init.
	# Default: /usr/share/opensc
	#
	# profile_dir = /usr/share/opensc;

	# What reader drivers to load at start-up
	#
	# A special value of 'internal' will load all
	# statically linked drivers. If an unknown (ie. not
	# internal) driver is supplied, a separate configuration
	# configuration block has to be written for the driver.
	# Default: internal
	# NOTE: if "internal" keyword is used, must be the
	# last entry in reader_drivers list
	#
	# reader_drivers = openct, pcsc, ctapi;

	reader_driver ctapi {
		# module /usr/local/towitoko/lib/libtowitoko.so {
			# CT-API ports:
			# 0..3		COM1..4
			# 4		Printer
			# 5		Modem
			# 6..7		LPT1..2
			# ports = 0;
		# }
	}

	# Define parameters specific to your readers.
	# The following section shows definitions for PC/SC readers,
	# but the same set of variables are applicable to ctapi and
	# openct readers, simply by using "reader_driver ctapi" and
	# "reader_driver openct", respectively.
	reader_driver pcsc {
		# This sets the maximum send and receive sizes.
		# Some reader drivers have limitations, so you need
		# to set these values. For usb devices check the
		# properties with lsusb -vv for dwMaxIFSD
		#
		# max_send_size = 252;
		# max_recv_size = 252;
		
		# Connect to reader in exclusive mode.
		# Default: false
		# connect_exclusive = true;
		#
		# Reset the card after disconnect.
		# Default: true
		# connect_reset = false;
		#
		# Reset the card after each transaction.
		# Default: false
		# transaction_reset = true;
		#
		# Enable pinpad if detected (PC/SC v2.0.2 Part 10)
		# Default: false
		# enable_pinpad = true;
		#
		# Use specific pcsc provider.
		# Default: /usr/lib/libpcsclite.so.1
		# provider_library = /usr/lib/libpcsclite.so.1
	}

	# Options for OpenCT support
	reader_driver openct {
		# Virtual readers to allocate.
		# Default: 2
		# readers = 5;

		# This sets the maximum send and receive sizes.
		# Some reader drivers have limitations, so you need
		# to set these values. For usb devices check the
		# properties with lsusb -vv for dwMaxIFSD
		#
		# max_send_size = 252;
		# max_recv_size = 252;
	};

	# What card drivers to load at start-up
	#
	# A special value of 'internal' will load all
	# statically linked drivers. If an unknown (ie. not
	# internal) driver is supplied, a separate configuration
	# configuration block has to be written for the driver.
	# Default: internal
	# NOTE: When "internal" keyword is used, must be last entry
	#
	# card_drivers = customcos, internal;

	# Card driver configuration blocks.

	# For card drivers loaded from an external shared library/DLL,
	# you need to specify the path name of the module
	#
	# card_driver customcos {
		# The location of the driver library
		# module = /usr/lib/opensc/drivers/card_customcos.so;
	# }

	# Force using specific card driver
	#
	# If this option is present, OpenSC will use the supplied
	# driver with all inserted cards.
	#
	# Default: autodetect
	#
	# force_card_driver = customcos;

	# In addition to the built-in list of known cards in the
	# card driver, you can configure a new card for the driver
	# using the card_atr block. The goal is to centralize
	# everything related to a certain card to card_atr.
	#
	# The supported internal card driver names can be retrieved
	# from the output of:
	# $ opensc-tool --list-drivers

	# Generic format: card_atr <hex encoded ATR (case-sensitive!)>

	# New card entry for the flex card driver
	# card_atr 3b:f0:0d:ca:fe {
		# All parameters for the context are
		# optional unless specified otherwise.

		# Context: global, card driver
		#
		# ATR mask value
		#
		# The mask is logically AND'd with an
		# card ATR prior to comparison with the
		# ATR reference value above. Using mask
		# allows identifying and configuring
		# multiple ATRs as the same card model.
		# atrmask = "ff:ff:ff:ff:ff";

		# Context: card driver
		#
		# Specify used card driver (REQUIRED).
		#
		# When enabled, overrides all possible
		# settings from the card drivers built-in
		# card configuration list.
		# driver = "flex";

		# Set card name for card drivers that allows it.
		# name = "My CryptoFlex card";

		# Card type as an integer value.
		#
		# Depending on card driver, this allows
		# tuning the behaviour of the card driver
		# for your card.
		# type = "2002";

		# Card flags as an hex value.
		# Multiple values are OR'd together.
		#
		# Depending on card driver, this allows
		# fine-tuning the capabilities in
		# the card driver for your card.
		#
		# Optionally, some known parameters
		# can be specified as strings:
		#
		# keygen - On-board key generation capability
		# rng - On-board random number source
		#
		# flags = "keygen", "rng", "0x80000000";

		#
		# Context: PKCS#15 emulation layer
		#
		# When using PKCS#15 emulation, force
		# the emulation driver for specific cards.
		#
		# Required for external drivers, but can
		# be used with built-in drivers, too.
		# pkcs15emu = "custom";

		#
		# Context: reader driver
		#
		# Force protocol selection for specific cards.
		# Known parameters: t0, t1, raw
		# force_protocol = "t0";
	# }

	# PIV cards need an entry similar to this one:
	# card_atr 3B:7D:96:00:00:80:31:80:65:B0:83:11:00:AC:83:00:90:00 {
		# name = "PIV-II";
	 	# driver = "piv";
	# }

	# Estonian ID card and Micardo driver currently play together with T=0
	# only. In theory only the 'cold' ATR should be specified, as T=0 will
	# be the preferred protocol once you boot it up with T=0, but be
	# paranoid.
	card_atr 3b:6e:00:ff:45:73:74:45:49:44:20:76:65:72:20:31:2e:30 {
		force_protocol = t0;
	}
	card_atr 3b:fe:94:00:ff:80:b1:fa:45:1f:03:45:73:74:45:49:44:20:76:65:72:20:31:2e:30:43 {
		force_protocol = t0;
	}

	# D-Trust cards are also based on micardo and need T=0 for some reason
	card_atr 3b:ff:94:00:ff:80:b1:fe:45:1f:03:00:68:d2:76:00:00:28:ff:05:1e:31:80:00:90:00:23 {
		force_protocol = t0;
	}
	card_atr 3b:ff:11:00:ff:80:b1:fe:45:1f:03:00:68:d2:76:00:00:28:ff:05:1e:31:80:00:90:00:a6 {
		force_protocol = t0;
	}

	# Below are the framework specific configuration blocks.

	# PKCS #15
	framework pkcs15 {
		# Whether to use the cache files in the user's
		# home directory.
		#
		# At the moment you have to 'teach' the card
		# to the system by running command: pkcs15-tool -L
		#
		# WARNING: Caching shouldn't be used in setuid root
		# applications.
		# Default: false
		use_caching = true;

		# Enable pkcs15 emulation.
		# Default: yes
		# enable_pkcs15_emulation = no;
		#
		# Prefer pkcs15 emulation code before
		# the normal pkcs15 processing.
		# Default: no
		# try_emulation_first = yes;
		
		# Enable builtin emulators.
		# Default: yes
		# enable_builtin_emulation = no;
		#
		# List of the builtin pkcs15 emulators to test
		# Default: esteid, openpgp, tcos, starcert, infocamere, postecert, actalis, atrust-acos, gemsafeGPK, gemsafeV1, tccardos, PIV-II;
		# builtin_emulators = openpgp;

		# additional settings per driver
		#
		# For pkcs15 emulators loaded from an external shared
		# library/DLL, you need to specify the path name of the module
		# and customize the card_atr example above correctly.
		#
		# emulate custom {
			# The location of the driver library
			# module = /usr/lib/opensc/drivers/p15emu_custom.so;
		# }
		
		# workaround: use rsa decrypt operation for signing
		# some cardos cards need this, if initializes with certain
		# versions of the siemens software
		# we have an auto detection, but it is not 100% reliable,
		# so you can turn it off, if it misbehaves.
		# this option only affects cardos cards right now.
		# Default: yes
		# enable_sign_with_decrypt_workaround = no;

		# workaround: fix keyReference and pinReference values
		# OpenSC 0.11.4 and older have a bug: integers were not
		# properly encoded in asn.1 structures. So far only
		# starcos cards were found to have a problem with this,
		# and only these two values were found to be filled with
		# the wrong value.
		#
		# Fortunatly those values (if present) need to be positive.
		# Thus we can check if these are available and negative,
		# and if so fix them by adding 256 to get the correct value.
		#
		# To be on the safe side, this workaround/fix can be turned
		# off.
		#
		# Default: yes
		# enable_fix_asn1_integers = no;
	}
}

# Parameters for the OpenSC PKCS11 module
app opensc-pkcs11 {
	pkcs11 {
		# Should the module support hotplug of readers as per PKCS#11 v2.20?
		# This affects slot changes and PC/SC PnP, as v2.11 applications
		# are not allowed to change the length of the slot list.
		# Default: true
		# plug_and_play = false;

		# Maximum Number of virtual slots.
		# If there are more slots than defined here,
		# the remaining slots will be hidden from PKCS#11.
		# Default: 16
		# max_virtual_slots = 32;

		# Maximum number of slots per smart card.
		# If the card has fewer keys than defined here,
		# the remaining number of slots will be empty.
		# Default: 4
		# slots_per_card = 2;

		# (max_virtual_slots/slots_per_card) limits the number of readers
		# that can be used on the system. Default is then 16/4=4 readers.

		# Normally, the pkcs11 module will create
		# the full number of slots defined above by
		# num_slots. If there are fewer pins/keys on
		# the card, the remaining keys will be empty
		# (and you will be able to create new objects
		# within them).
		# Default: true
		# hide_empty_tokens = false;

 		# By default, the OpenSC PKCS#11 module will lock your card
 		# once you authenticate to the card via C_Login.
 		# This is to prevent other users or other applications
 		# from connecting to the card and perform crypto operations
 		# (which may be possible because you have already authenticated
 		# with the card). Thus this setting is very secure.
		#
		# This behavior is a known violation of PKCS#11 specification,
		# and is forced due to limitation of the OpenSC framework.
 		#
 		# However now once one application has started using your
 		# card with C_Login, no other application can use it, until
 		# the first is done and calls C_Logout or C_Finalize.
 		# In the case of many PKCS#11 application this does not happen
		# until you exit the application.  
 		#
 		# Thus it is impossible to use several smart card aware
 		# applications at the same time, e.g. you cannot run both
 		# Firefox and Thunderbird at the same time, if both are
 		# configured to use your smart card.
 		#
		# Default: true
		# lock_login = false;

		# Normally, the pkcs11 module will not cache PINs
		# presented via C_Login. However, some cards
		# may not work properly with OpenSC; for instance
		# when you have two keys on your card that get
		# stored in two different directories.
		#
		# In this case, you can turn on PIN caching by setting
		# cache_pins = true
		#
		# Default: true
		# cache_pins = false;

		# Set this value to true if you want to allow off-card
		# keypair generation (in software on your pc)
		#
		# Default: false
		# soft_keygen_allowed = true;
	}
}

app tokend {
	# Score for OpenSC.tokend
	framework tokend {
		score = 10;
	}
}