diff --git a/.github/codespell_ignore_words.txt b/.github/codespell_ignore_words.txt index dbfce90..6e9f2b2 100644 --- a/.github/codespell_ignore_words.txt +++ b/.github/codespell_ignore_words.txt @@ -1,4 +1,9 @@ -Feitian -GOST +feitian signatur lokale +ist +alle +als +theses +widgits +gost diff --git a/.github/markdownlint-config.json b/.github/markdownlint-config.json index ade0d1b..5eefa55 100644 --- a/.github/markdownlint-config.json +++ b/.github/markdownlint-config.json @@ -3,5 +3,6 @@ "MD013": false, "MD041": false, "MD014": false, - "MD024": false + "MD024": false, + "MD010": false } \ No newline at end of file diff --git a/Aladdin-eToken-PRO.md b/Aladdin-eToken-PRO.md index cf2909e..9d2ebe0 100644 --- a/Aladdin-eToken-PRO.md +++ b/Aladdin-eToken-PRO.md @@ -108,7 +108,7 @@ If you are only interested in the middleware (and not the proprietary key manage 3. double-click on the following packages in this order so as to install them: * `etokenframework.pkg`: those are the shared libraries (that will go into `/Library/Frameworks/eToken.framework`) needed by all the other packages; -* `etokendriversleopard.pkg` (for Mac OS 10.5.x) or `etokendriverstiger.pkg` (for Mac OS 10.4.x): this is the middleware, that goes under `/usr/libexec/SmartCardServices/drivers/eTokenIfdh.bundle/` . It consists of an auxillary daemon that will be run by `pcscd` in order to perform the necessary USB I/O. +* `etokendriversleopard.pkg` (for Mac OS 10.5.x) or `etokendriverstiger.pkg` (for Mac OS 10.4.x): this is the middleware, that goes under `/usr/libexec/SmartCardServices/drivers/eTokenIfdh.bundle/` . It consists of an auxiliary daemon that will be run by `pcscd` in order to perform the necessary USB I/O. To test this setup, plug your token in, then open a terminal and type the following commands: diff --git a/Aventra-MyEID-PKI-card.md b/Aventra-MyEID-PKI-card.md index 5854f7a..778abbb 100644 --- a/Aventra-MyEID-PKI-card.md +++ b/Aventra-MyEID-PKI-card.md 
@@ -12,7 +12,7 @@ The cards can be personalized both visually and electrically by Aventra accordin MyEID is certified by Microsoft and supports Smart Card Plug and Play. -> MyEID version 4 has been released, adding support for Elliptic Curve Cryptography and many other new features. +> MyEID version 4 has been released, adding support for Elliptic Curve Cryptography and many other new features. ## Aventra MyEID PKI applet diff --git a/Card-personalization.md b/Card-personalization.md index ddc8144..3b2776f 100644 --- a/Card-personalization.md +++ b/Card-personalization.md @@ -327,18 +327,24 @@ These libraries can be loaded in OpenSSL so you can do a certificate request wit * Run `openssl` command * On the `openssl` command prompt, type - ```bash - engine dynamic -pre SO_PATH:engine_pkcs11 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD - ``` + + ```bash + engine dynamic -pre SO_PATH:engine_pkcs11 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD + ``` + to use the PKCS #11 engine + * Then type (on the openssl command prompt) - ```bash - req -engine pkcs11 -new -key -keyform engine -out - ``` - in which ID is the slot+ID in the following format: - ```bash - [slot_][-][id_], e.g. id_45 or slot_0-id_45 - ``` + + ```bash + req -engine pkcs11 -new -key -keyform engine -out + ``` + + in which ID is the slot+ID in the following format: + + ```bash + [slot_][-][id_], e.g. id_45 or slot_0-id_45 + ``` ### `pkcs11-tool` and Mozilla/Netscape diff --git a/Compiling-on-Cygwin.md b/Compiling-on-Cygwin.md index 93f6c58..00fc12e 100644 --- a/Compiling-on-Cygwin.md +++ b/Compiling-on-Cygwin.md 
@@ -4,6 +4,7 @@ If you want to use OpenSC with Cygwin OpenSSH utilities, such as `ssh-agent` or then OpenSC has to be compiled for Cygwin. To do this follow these steps: ## Prepare for a fresh Cygwin install + When building OpenSC we're going to be running the reconfiguration step of the OpenSC build process. One side effect is that this step may try to incorporate additional features that are detected in your current Cygwin installation, which can complicate the package dependencies. @@ -14,9 +15,9 @@ So these instructions are based on starting from a fresh Cygwin installation. Th 3. Temporarily unset `CYGWIN` environment variable while building and installing. Currently having `CYGWIN` set causes make install to fail in the `install-exec-hook` stage. -## Install Cygwin base +## Install Cygwin base -1. Go to https://cygwin.com/install.html. +1. Go to . 2. Run `setup-x86_64.exe` & save it for running later. 3. Install to `C:\cygwin64`. 4. Select `All Users`. diff --git a/Creating-applications-with-smart-card-support.md b/Creating-applications-with-smart-card-support.md index a547139..5c301ca 100644 --- a/Creating-applications-with-smart-card-support.md +++ b/Creating-applications-with-smart-card-support.md 
@@ -21,7 +21,7 @@ These tools and libraries help in talking to PKCS#11 modules or integrate PKCS#1 * [gp11](http://live.gnome.org/GnomeKeyring/Architecture) is a GObject based wrapper for PKCS#11, distributed with gnome-keyring. * [PaKChoiS](http://www.manyfish.co.uk/pakchois/) aims to provide a thin wrapper over the PKCS#11 interface. * [p11-kit](http://p11-glue.freedesktop.org/p11-kit.html) eases working with multiple PKCS#11 modules and includes support for [PKCS#11 URI scheme](http://tools.ietf.org/html/draft-pechanec-pkcs11uri-13). -* [pkcs11-provider] (https://github.com/latchset/pkcs11-provider) is an Openssl 3.x provider to access Hardware or Software Tokens using the PKCS#11 Cryptographic Token Interface. +* [pkcs11-provider](https://github.com/latchset/pkcs11-provider) is an Openssl 3.x provider to access Hardware or Software Tokens using the PKCS#11 Cryptographic Token Interface. ##### Python @@ -59,7 +59,7 @@ Mac OS X implements CDSA as the cryptography API for the Mac platform (in theory [OpenSSL](http://www.openssl.org/) has an easy way to integrate smart card support. The [libp11](https://github.com/OpenSC/libp11/wiki) has code to make using OpenSC PKCS#11 module with OpenSSL quite easy and includes example code for using SSL with client certificate authentication using a smart card too. -The use of engines in OpenSSL are deprecated fom the version 3. +The use of engines in OpenSSL are deprecated from the version 3. The engine_pkcs11 project has an OpenSSL engine implementation so you can change any code using OpenSSL to move the crypto operation from your CPU to your smart card with only a few small changes. It was merged into libp11 project. 
@@ -72,16 +72,16 @@ The [pkcs11-provider](https://github.com/latchset/pkcs11-provider) is an Openssl ### QCA -[QCA](http://api.kde.org/kdesupport-api/kdesupport-apidocs/qca/html/) (Qt Cryptographic Architecture) adds cryptography support into Qt applications. QCA has PKCS#11 support since v2.0. See "http://sites.google.com/site/alonbarlev/qca-pkcs11":http://sites.google.com/site/alonbarlev/qca-pkcs11 for more information. +[QCA](http://api.kde.org/kdesupport-api/kdesupport-apidocs/qca/html/) (Qt Cryptographic Architecture) adds cryptography support into Qt applications. QCA has PKCS#11 support since v2.0. ### GnuTLS -"GnuTLS":http://www.gnutls.org includes native PKCS#11 smart card support using the PKCS#11 URI scheme.. -See "http://www.gnutls.org/manual":http://www.gnutls.org/manual for more information. +[GnuTLS](http://www.gnutls.org) includes native PKCS#11 smart card support using the PKCS#11 URI scheme.. +See for more information. ### cryptlib -"cryptlib":http://www.cs.auckland.ac.nz/~pgut001/cryptlib/ is a library by Peter Gutmann and claims support for SSL and PKCS#11 modules. +[cryptlib](https://www.cs.auckland.ac.nz/~pgut001/cryptlib/) is a library by Peter Gutmann and claims support for SSL and PKCS#11 modules. ## Low level smart card access 
@@ -89,19 +89,19 @@ OpenSC is for cryptographic smart cards and the preferred method for accessing s ### PC/SC -PC/SC is a standard from "PC/SC Workgroup":http://www.pcscworkgroup.com/ but the "reference implementation" is still "Windows winscard.dll":http://msdn.microsoft.com/en-us/library/aa374731(VS.85).aspx#smart_card_functions. Linux uses the open source "pcsc-lite":http://pcsclite.alioth.debian.org/ package. And Mac OS X uses a fork of pcsc-lite included in the "SmartCardServices":http://smartcardservices.macosforge.org/ project. +PC/SC is a standard from [PC/SC Workgroup](https://pcscworkgroup.com/) but the "reference implementation" is still [Windows winscard.dll](http://msdn.microsoft.com/en-us/library/aa374731(VS.85).aspx#smart_card_functions). Linux uses the open source [pcsc-lite](https://pcsclite.apdu.fr/) package. And Mac OS X uses a fork of pcsc-lite included in the [SmartCardServices](http://smartcardservices.macosforge.org/) project. #### Tools and libraries * Python - * "pyscard":http://pyscard.sourceforge.net/ + * [pyscard](https://pyscard.sourceforge.io/) * Java - * See [[dedicated Java page|Using-smart-cards-with-Java-SE]] about javax.smartcardio in Java 1.6+ + * See [[dedicated Java page|Using-smart-cards-with-Java-SE]] about `javax.smartcardio` in Java 1.6+ ### CT-API -"CT-API":https://www.tuvit.de/de/aktuelles/downloads/card-terminal-application-programing-interface-fuer-chipkartenanwendungen/ is an API for accessing smart card readers that is mostly used in Germany. It is not suited for modern multi-user environments, is not portable and not always available. New projects should avoid using CT-API and use PC/SC instead. +CT-API is an API for accessing smart card readers that is mostly used in Germany. It is not suited for modern multi-user environments, is not portable and not always available. New projects should avoid using CT-API and use PC/SC instead. 
### OpenCT -"OpenCT":https://github.com/OpenSC/openct, like CT-API, is a Linux only API for accessing USB tokens (and smart card readers). Very few applications beside OpenSC can make use of OpenCT readers. New projects should try to avoid building against OpenCT and use PC/SC instead. +[OpenCT](https://github.com/OpenSC/openct), like CT-API, is a Linux only API for accessing USB tokens (and smart card readers). Very few applications beside OpenSC can make use of OpenCT readers. New projects should try to avoid building against OpenCT and use PC/SC instead. diff --git a/DNIe-(OpenDNIe).md b/DNIe-(OpenDNIe).md index 253122d..0c5cddf 100644 --- a/DNIe-(OpenDNIe).md +++ b/DNIe-(OpenDNIe).md @@ -17,7 +17,7 @@ From the public administration point of view the card has been procured by the M Resources: -* The [official home page](http://www.dnielectronico.es) for the Spanish DNIe +* The [official home page](http://www.dnielectronico.es) for the Spanish DNIe ## Card capabilities diff --git a/Estonian-eID-(EstEID).md b/Estonian-eID-(EstEID).md index 96d2e65..2975500 100644 --- a/Estonian-eID-(EstEID).md +++ b/Estonian-eID-(EstEID).md @@ -103,7 +103,7 @@ X.509 Certificate [Allkirjastamine] ## Supported algorithms -* Version 3.0 suports PKCS1 padding and SHA1, SHA-224 (not used as PKCS#11 does not support SHA-224 in v2.20) and SHA-256 hashes with 2048bit RSA keys +* Version 3.0 supports PKCS1 padding and SHA1, SHA-224 (not used as PKCS#11 does not support SHA-224 in v2.20) and SHA-256 hashes with 2048bit RSA keys ## Known issues and incompatibilities diff --git a/Eutron-CryptoIdentity-ITSEC-I-ITSEC-P.md b/Eutron-CryptoIdentity-ITSEC-I-ITSEC-P.md index a592b20..64ec70e 100644 --- a/Eutron-CryptoIdentity-ITSEC-I-ITSEC-P.md +++ b/Eutron-CryptoIdentity-ITSEC-I-ITSEC-P.md 
@@ -15,7 +15,7 @@ interface differs, the rest seems to be the same. One minor feature of the Siemens CardOS M4 is, that a RSA key cannot be used for both signing and decryption. OpenSC has implemented a workaround: software key generation and storing that key twice, once marked as decryption key and once marked as signing key. To enable this workaround -specifiy `--split-key` on the command line, when creating the key. +specify `--split-key` on the command line, when creating the key. Eutron has their own software for Windows. This software does not implement PKCS#15 and thus is not compatible with OpenSC. As long as the card has memory, you can initialize the card with both software diff --git a/Feitian-ePass2003.md b/Feitian-ePass2003.md index 3517949..db54101 100644 --- a/Feitian-ePass2003.md +++ b/Feitian-ePass2003.md @@ -60,8 +60,8 @@ Refer to issue [#1803](https://github.com/OpenSC/OpenSC/issues/1803); Links to the `Fix_Tool.tar.gz` archives: -* With x86 and x64: "Download fix_tool":http://download.ftsafe.com/files/ePass/Fix_Tool.tar.gz -* With armhf arch: "Download fix_tool":http://download.ftsafe.com/files/reader/SDK/Fix_Tool_20200604.zip +* With x86 and x64: [Download fix_tool](http://download.ftsafe.com/files/ePass/Fix_Tool.tar.gz) +* With armhf arch: [Download fix_tool](http://download.ftsafe.com/files/reader/SDK/Fix_Tool_20200604.zip) ## Thanks diff --git a/Feitian-ePass3000.md b/Feitian-ePass3000.md index 0799658..6a2789b 100644 --- a/Feitian-ePass3000.md +++ b/Feitian-ePass3000.md 
@@ -4,7 +4,7 @@ The driver of ePass3000 in OpenSC is called "entersafe". -Feitian has their own software for Windows, GNU/linux and MAC OSX. This software does not implement PKCS15 and thus is not compatible with OpenSC. Because Feitian's software reserves all storage, its data cannot be co-existed with OpenSC's in the USB token. In addition, there may be unexpected errors if both softwares exists in the operating system concurrently, since Feitian's software assumes there is one and only one software manipulates the token. +Feitian has their own software for Windows, GNU/linux and MAC OSX. This software does not implement PKCS15 and thus is not compatible with OpenSC. Because Feitian's software reserves all storage, its data cannot be co-existed with OpenSC's in the USB token. In addition, there may be unexpected errors if both software exists in the operating system concurrently, since Feitian's software assumes there is one and only one software manipulates the token. Token initialized with Feitian's private format can not be directly used by OpenSC. Unless it is totally erased by command: diff --git a/HBCI-homebanking.md b/HBCI-homebanking.md index 1d96bf4..97c39f1 100644 --- a/HBCI-homebanking.md +++ b/HBCI-homebanking.md @@ -1,4 +1,4 @@ -h1. HBCI homebanking +# HBCI homebanking HBCI is a standard that is used by many banks in Germany. Those banks offer either banking with PIN and TAN lists, or diff --git a/History-of-the-OpenSC-Project.md b/History-of-the-OpenSC-Project.md index af190e7..08dae45 100644 --- a/History-of-the-OpenSC-Project.md +++ b/History-of-the-OpenSC-Project.md @@ -37,7 +37,7 @@ to help the transition back from hal to `udev`. Engine_PKCS#11 ### OpenSC 0.11.12 -On 2009-12-18 OpenSC 0.11.12 was released with a fix for a +On 2009-12-18 OpenSC 0.11.12 was released with a fix for a regression in OpenSC 0.11.5 and later, that made some cards initialized with older versions of OpenSC no longer work with newer versions. 
diff --git a/IAS-ECC.md b/IAS-ECC.md index bacad9a..b31b7e4 100644 --- a/IAS-ECC.md +++ b/IAS-ECC.md @@ -47,7 +47,7 @@ Tested compatibility with the PKCS#11 and CSP from the other middlewares: ## To get the source code for SM -**Not active project, changes already integrated in standard OpenSC distribution** +**Not active project, changes already integrated in standard OpenSC distribution.** ```bash git clone https://github.com/viktorTarasov/OpenSC-SM.git diff --git a/Installing-OpenSC-PKCS#11-Module-in-Firefox,-Step-by-Step.md b/Installing-OpenSC-PKCS11-Module-in-Firefox,-Step-by-Step.md similarity index 92% rename from Installing-OpenSC-PKCS#11-Module-in-Firefox,-Step-by-Step.md rename to Installing-OpenSC-PKCS11-Module-in-Firefox,-Step-by-Step.md index da52bee..56e5f25 100644 --- a/Installing-OpenSC-PKCS#11-Module-in-Firefox,-Step-by-Step.md +++ b/Installing-OpenSC-PKCS11-Module-in-Firefox,-Step-by-Step.md @@ -1,7 +1,5 @@ # Installing OpenSC PKCS#11 Module in Firefox, Step by Step -This step by step description is can also be found in "Mozilla's knowledge base":https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11/Module_Installation. - 1. Start Mozilla Firefox. ![Start Firefox](https://github.com/n8felton/OpenSC/wiki/attachments/wiki/MozillaSteps/firefox_64.png "Start Firefox") diff --git a/Muscle-applet.md b/Muscle-applet.md index 3e7f30a..bd90809 100644 --- a/Muscle-applet.md +++ b/Muscle-applet.md 
@@ -46,7 +46,7 @@ MuscleApplet could be layered as follows: * APDU specification and implementation * Internal object layer and related machinery (ACL-s, Key objects, data objects) (also in CardEdge.java) * Object manager with helpers for dealing with objects, on same terms as they are exposed to the outside world -* Memory manager that deals with allocating and re-allocating the memory, which is grabbed as a huge block when the applet is initialized. This is to overcome the absence of garbage collection in older JavaCard-s +* Memory manager that deals with allocating and re-allocating the memory, which is grabbed as a huge block when the applet is initialized. This is to overcome the absence of garbage collection in older JavaCard-s. #### Memory manager @@ -68,7 +68,7 @@ In addition to data objects, MuscleApplet manages the following internal objects * PIN-s * And accompanying PUK-s - * MuscleApplet uses PIN0 as the "super PIN". The PIN is set to an initial value in source code, "Muscle00". + * MuscleApplet uses PIN0 as the "super PIN". The PIN is set to an initial value in source code, "Muscle00". * Key pairs * Can be generated on the card or imported. Plaintext exporting is also possible. * Keys diff --git a/OpenPGP-card.md b/OpenPGP-card.md index 735390d..0579afc 100644 --- a/OpenPGP-card.md +++ b/OpenPGP-card.md 
@@ -1,11 +1,11 @@ -h1. OpenPGP Card +# OpenPGP Card The OpenPGP Card is an ISO/IEC 7816-4/-8 compatible smart card implementation that is integrated with many GnuPG functions. Using this smart card, various cryptographic tasks (encryption, decryption, digital signing/verification, authentication etc.) can be performed. The cards come in various form factors ranging from the standard size ID-1, over ID-1 with cut-outs for ID-000 (i.e. SIM card size), which together with an USB card reader allows to build a do-it-yourself crypto stick, to the Nitrokey USB security key. -They implement the OpenPGP Card specification which evolved compatibly from "v1.0":http://g10code.com/docs/openpgp-card-1.0.pdf in 2003, via "v1.1":http://g10code.com/docs/openpgp-card-1.1.pdf in 2004, "v2.0":http://g10code.com/docs/openpgp-card-2.0.pdf which was released in 2009, to "v3.4.1":https://www.gnupg.org/ftp/specs/OpenPGP-smart-card-application-3.4.1.pdf in 2020. +They implement the OpenPGP Card specification which evolved compatibly from [v1.0](http://g10code.com/docs/openpgp-card-1.0.pdf) in 2003, via [v1.1](https://g10code.com/docs/openpgp-card-1.1.pdf) in 2004, [v2.0](http://g10code.com/docs/openpgp-card-2.0.pdf) which was released in 2009, to [v3.4.1](https://www.gnupg.org/ftp/specs/OpenPGP-smart-card-application-3.4.1.pdf) in 2020. Version 1.0 of the specification is mostly of theoretical interest, as most - if not all - cards adhere to version 3. 
@@ -14,6 +14,7 @@ All versions allow storing card holder details as well as generating and storing While the 1.x version only supported 1024-bit RSA keys and no certificates, version 2.0 allows for RSA keys up to 4096 bits (requires GnuPG 2.0.18+) and optionally an X.509 card holder certificate for the AUT key on the card. Version 3.0 introduced support for ECC. Other changes were: + * V1.1 brought 4 optional DOs for private use with different access conditions * V2.0 brought optional support for * card reset functionality (life cycle management) 
@@ -22,163 +23,207 @@ Other changes were: * other algorithms than RSA (not specified) * Removal of PW2 ("Encryption PIN") present in v1.1. In v2.0 only "Admin PIN" and "User PIN" are specified. Furthermore, v2.0 spec defines "user consent" capabilities for signature key. - -h2. Where/How to get one? +## Where/How to get one? OpenPGP Cards / Nitrokeys can be obtained from vendors like e.g. -* "Nitrokey":https://shop.nitrokey.com/ -* "Kernel concepts":http://shop.kernelconcepts.de -* or by becoming a fellow in the "Free Software Foundation Europe":http://fsfe.org which uses the OpenPGP Card specification on the "Fellowship Smart Cards":http://wiki.fsfe.org/FellowshipSmartCard it hands out to its fellows. +* [Nitrokey](https://shop.nitrokey.com/) +* [Kernel concepts](http://shop.kernelconcepts.de) +* or by becoming a fellow in the [Free Software Foundation Europe](https://fsfe.org/) which uses the OpenPGP Card specification on the [Fellowship Smart Cards](https://www.gnupg.org/howtos/card-howto/en/smartcard-howto-single.html) it hands out to its fellows. -h2. State of OpenSC support +## State of OpenSC support -OpenPGP Card "v1.0":http://www.g10code.de/docs/openpgp-card-1.0.pdf /"1.1":http://www.g10code.de/docs/openpgp-card-1.1.pdf is deprecated but should work since OpenSC 0.9.1. Starting with OpenSC 0.12.2, OpenSC supports reading the OpenPGP Card "v2.0":http://www.g10code.de/docs/openpgp-card-2.0.pdf too. Since OpenSC 0.13 full write support for OpenPGP Card 2 is supported. Support for OpenPGP Card 3 was introduced later. +OpenPGP Card [v1.0](http://www.g10code.de/docs/openpgp-card-1.0.pdf) /[1.1](http://www.g10code.de/docs/openpgp-card-1.1.pdf) is deprecated but should work since OpenSC 0.9.1. Starting with OpenSC 0.12.2, OpenSC supports reading the OpenPGP Card [v2.0](http://www.g10code.de/docs/openpgp-card-2.0.pdf) too. Since OpenSC 0.13 full write support for OpenPGP Card 2 is supported. Support for OpenPGP Card 3 was introduced later. -h2. 
Usage +## Usage To apply this usage to Gnuk, the patch above is needed. Basically, usage between general OpenPGP Card (for example Nitrokey) and Gnuk are the same, except some differences will be noted below. -h3. 1. Display user info +### Display user info -Use @openpgpg-tool@ +Use `openpgpg-tool`. -h3. 2. Read and write data object (DO) +### 2. Read and write data object (DO) -Use @opensc-explorer@. +Use `opensc-explorer`. For example, you want to change card holder name: -1. Run @opensc-explorer@ +1. Run `opensc-explorer` 2. Verify Admin PIN by this command -
verify CHV3 3132333435363738
-in which @CHV3@ means Admin PIN is to be verified (User PIN will be CHV1 or CHV2) and @3132333435363738@ is ASCII-decoded hex string of PIN code "12345678". + ```sh + verify CHV3 3132333435363738 + ``` + + in which @CHV3@ means Admin PIN is to be verified (User PIN will be CHV1 or CHV2) and @3132333435363738@ is ASCII-decoded hex string of PIN code "12345678". 3. Put data to 005B DO, the DO containing card holder name: -
do_put 005B "Quan"
+ + ```sh + do_put 005B "Quan" + ``` 4. Remove it afterwards: -
do_put 005B ""
+ + ```sh + do_put 005B "" + ``` 5. Or change user PIN to "654321": -
change CHV1 31:32:33:34:35:36 "654321"
-Where @31:32:33:34:35:36@ is hex string of ASCII-decoded old PIN “123456”. -Reading DO content is not as straightforward as writing, because the DOs are nested in each other. For example, to read 005B DO, you have to go through 0065 DO: -
OpenSC [3F00]> cd 0065
-OpenSC [3F00/0065]> cat 005B
-00000000: 51 75 61 6E Quan
-
+ ```sh + change CHV1 31:32:33:34:35:36 "654321" + ``` + + Where @31:32:33:34:35:36@ is hex string of ASCII-decoded old PIN “123456”. + + Reading DO content is not as straightforward as writing, because the DOs are nested in each other. For example, to read 005B DO, you have to go through 0065 DO: -**Note**: We cannot delete DO content with delete/rm command. Technical reason: The OpenSC framework doesn't pass the full path of file to OpenPGP driver, so the driver cannot identify the DO to be deleted. + ```sh + OpenSC [3F00]> cd 0065 + OpenSC [3F00/0065]> cat 005B + 00000000: 51 75 61 6E Quan + ``` -h3. 3. Generating keys + **Note**: We cannot delete DO content with `delete/rm<` command. Technical reason: The OpenSC framework doesn't pass the full path of file to OpenPGP driver, so the driver cannot identify the DO to be deleted. -h5. Key generation via @openpgp-tool@: +### Generating keys -
openpgp-tool --verify CHV3 --pin 12345678 --gen-key 3
+#### Key generation via `openpgp-tool`
+
+```sh
+openpgp-tool --verify CHV3 --pin 12345678 --gen-key 3
 openpgp-tool --verify CHV3 --pin 12345678 --gen-key 1 --key-len 1024
-
+``` -In which, @--genkey 3@ means that we're generating key with ID=3. The three keys in the have these IDs: Singing key: 1, Decryption key: 2, Authentication: 3. +In which, `--genkey 3` means that we're generating key with ID=3. The three keys in the have these IDs: Singing key: 1, Decryption key: 2, Authentication: 3. -@--key-length 1024@ means that the key is 1024-bit. We can specify bit length: 1024, 2048, 3072, 4096. +`--key-length 1024` means that the key is 1024-bit. We can specify bit length: 1024, 2048, 3072, 4096. If this option is absent, default key length 2048-bit is used. -+Gnuk:+ Gnuk only supports 2048-bit key, so don’t specify @--key-length@ option, you also have to delete old key before generating or import new one. -
openpgp-tool --verify CHV3 --pin 12345678 --del-key 3
++Gnuk:+ Gnuk only supports 2048-bit key, so don’t specify `--key-length` option, you also have to delete old key before generating or import new one. + +```sh +openpgp-tool --verify CHV3 --pin 12345678 --del-key 3 +``` -h5. Key generation via @pkcs15-init@: +#### Key generation via `pkcs15-init` -
pkcs15-init --delete-objects privkey,pubkey --id 3 --generate-key rsa/2048 --auth-id 3 --verify
-
+```sh +pkcs15-init --delete-objects privkey,pubkey --id 3 --generate-key rsa/2048 --auth-id 3 --verify +``` -There is limitation: @pkcs15-init@ requires new key length to be the same as existing key. To generate key with different key length, @openpgp-tool@ is recommended. +There is limitation: `pkcs15-init` requires new key length to be the same as existing key. To generate key with different key length, `openpgp-tool` is recommended. -@pkcs15-init@ also requires to explicitly remove existing key/object. That's why we have @--delete-objects privkey,pubkey --id 3@ in the command (though it has no effect to Nitrokey, which does not support deleting key, but support overwriting key). +`pkcs15-init` also requires to explicitly remove existing key/object. That's why we have `--delete-objects privkey,pubkey --id 3` in the command (though it has no effect to Nitrokey, which does not support deleting key, but support overwriting key). -h3. 4. Delete key (Gnuk) +### Delete key (Gnuk) Deleting key is supported by Gnuk only. Nitrokey does not. Example to delete 3rd (authentication) key: -bc. openpgp-tool --verify CHV3 --pin 12345678 --del-key 3 +```sh +openpgp-tool --verify CHV3 --pin 12345678 --del-key 3 +``` or -bc. pkcs15-init --delete-objects privkey,pubkey --id 3 +```sh +pkcs15-init --delete-objects privkey,pubkey --id 3 +``` If you want to delete key from Nitrokey, the only option is to erase card (all things will be deleted). -h3. 5. Erase card (Nitrokey) +### Erase card (Nitrokey) Erasing card is supported by Nitrokey (or general OpenPGP Card v2+) only. Gnuk does not support. -bc. openpgp-tool --erase +```sh +openpgp-tool --erase +``` or -bc. pkcs15-init --erase-card +```sh +pkcs15-init --erase-card +``` -h3. 6. Import key resp. certificate +### Import key resp. certificate -h5. Only certificate +#### Only certificate -bc. 
pkcs15-init --store-certificate mycert.pem --id 3 +```sh +pkcs15-init --store-certificate mycert.pem --id 3 +``` In which the PEM file is extracted from p12 using OpenSSL (key is stripped out): -bc. openssl pkcs12 -in myprivate.p12 -nokeys -out mycert.pem +```sh +openssl pkcs12 -in myprivate.p12 -nokeys -out mycert.pem +``` Note that the OpenPGP Card v2 contains only 1 certificate, so the ID to store is always 3. -h5. Only key: +#### Only key -bc. pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key mykey.pem --auth-id 3 --verify-pin --id 3 +```sh +pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key mykey.pem --auth-id 3 --verify-pin --id 3 +``` In which the PEM file is extracted from a p12 file using OpenSSL (certificate is stripped out): -bc. openssl pkcs12 -in myprivate.p12 -nocerts -out mykey.pem +```sh +openssl pkcs12 -in myprivate.p12 -nocerts -out mykey.pem +``` -h5. Pairs of key & certificate from P12 file: +#### Pairs of key & certificate from P12 file -bc. pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key myprivate.p12 --format pkcs12 --auth-id 3 --verify-pin +```sh +pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key myprivate.p12 --format pkcs12 --auth-id 3 --verify-pin +``` *Notes:* - * In current version, @pkcs15-init@ tool is pretty silent, so you may not recognize if the operation is successful or not. You should run @pkcs15-init@ in debug mode (set environment variable @OPENSC_DEBUG=3@). - * In p12 file, the @pkcs15-init@ detect X.509 certificates in hierarchy, in which only the first found certificate need to be imported. But @pkcs15-init@ then try to do with all, so the later imports will fail. You can see some error messages due to this failure, but it is OK because the main certificate has been imported successfully. - * The certificate can be used to encrypt email. 
But to make decryption work, the corresponding private key need to be import to “Decryption Key” (ID=2) as well (normally, it is imported to “Authentication Key”, which has the same ID=3 as certificate). -bc. pkcs15-init --delete-objects privkey,pubkey --id 2 --store-private-key mykey.pem --auth-id 3 --verify-pin --id 2 +* In current version, `pkcs15-init` tool is pretty silent, so you may not recognize if the operation is successful or not. You should run `pkcs15-init` in debug mode (set environment variable `OPENSC_DEBUG=3`). +* In p12 file, the `pkcs15-init` detect X.509 certificates in hierarchy, in which only the first found certificate need to be imported. But `pkcs15-init` then try to do with all, so the later imports will fail. You can see some error messages due to this failure, but it is OK because the main certificate has been imported successfully. +* The certificate can be used to encrypt email. But to make decryption work, the corresponding private key need to be import to “Decryption Key” (ID=2) as well (normally, it is imported to “Authentication Key”, which has the same ID=3 as certificate). -h3. 7. Delete certificate +```sh +pkcs15-init --delete-objects privkey,pubkey --id 2 --store-private-key mykey.pem --auth-id 3 --verify-pin --id 2 +``` -bc. pkcs15-init --delete-objects cert --id 3 +### Delete certificate -h2. OpenSC driver details +```sh +pkcs15-init --delete-objects cert --id 3 +``` + +## OpenSC driver details OpenPGP Cards only implement a small subset of the ISO/IEC 7816-4/-8 standard. Most importantly, they do not use a file system to store the application specific data. Instead the data stored for the application is accessible via Data Objects (DO) only. 
These DOs come in two variants: + * simple DOs that do not have a meaningful internal structure * complex DOs that have a well-known internal structure which is encoded according to ASN.1 BER rules In order to make OpenPGP Cards accessible for OpenSC's PKCS15 functions, the OpenPGP Card driver in OpenSC simulates a file system. -It does so by reading the well-known DOs on the card and converting them according to this logic: +It does so by reading the well-known DOs on the card and converting them according to this logic: + * simple DOs are treated as wEFs * complex DOs are treated as DFs with their elements as children. As complex DOs can also contain complex DOs as elements, this conversion is done recursively, leading to a multi-level hierarchy. This file-system is currently read-only, hence any operation writing to the card, i.e. personalization and key generation, needs to be done via GnuPG. - -h2. Examples +## Examples Here's an example of a card as seen via GnuPG: -
$ gpg --card-edit
+```sh
+$ gpg --card-edit
 Application ID ...: D2760001240101010001000004D50000
 Version ..........: 1.1
 Manufacturer .....: PPC Card Systems
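Review bot: The three bullets added under the certificate-import section carry grammar slips into the converted text ("the `pkcs15-init` detect X.509 certificates", "`pkcs15-init` then try to do with all", "the corresponding private key need to be import to"); since these lines are rewritten anyway, change them to "detects", "tries" and "needs to be imported to". The `pkcs15-init` command in the new `sh` fence also passes `--id 2` twice (once before `--store-private-key`, once at the end of the line); one occurrence is enough, and it is worth confirming which position was intended before the fence is committed.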
@@ -209,10 +254,12 @@ ssb>  1024R/DF3119A9  created: 2010-03-07  expires: never
                       card-no: 0001 000004D5
 ssb>  1024R/2764F212  created: 2010-03-07  expires: never
                       card-no: 0001 000004D5
-
+``` -In @opensc-explorer@ the very same card looks like -
$ opensc-explorer
+In `opensc-explorer` the very same card looks like
+
+```sh
+$ opensc-explorer
 OpenSC Explorer version 0.12.1-svn
 Using reader with a card: SCM SCR 335 [CCID Interface] (60600adc) 00 00
 OpenSC [3F00]> ls
@@ -239,15 +286,17 @@ FileID  Type  Size
 OpenSC [3F00/0065]> cat 005B
 00000000: 44 6F 65 3C 3C 4A 6F 68 Doe<
-
+``` + +## Tips -h2. Tips +### General -h3. General +* Minimum PIN length is 6 (you get a generic "Bad PIN" error if trying to use a shorter one) and Admin PIN must be at least 8 digits. +* OpenPGP v2.0 card can be erased with the following command (ATTENTION! ONLY USE IT ON A V2 CARD LIKE CRYPTOSTICK! WILL BRICK OTHERS!) - * Minimum PIN length is 6 (you get a generic "Bad PIN" error if trying to use a shorter one) and Admin PIN must be at least 8 digits. - * OpenPGP v2.0 card can be erased with the following command (ATTENTION! ONLY USE IT ON A V2 CARD LIKE CRYPTOSTICK! WILL BRICK OTHERS!) -
$ opensc-tool -s 00:20:00:81:08:40:40:40:40:40:40:40:40 \
+```sh
+$ opensc-tool -s 00:20:00:81:08:40:40:40:40:40:40:40:40 \
 -s 00:20:00:81:08:40:40:40:40:40:40:40:40 \
 -s 00:20:00:81:08:40:40:40:40:40:40:40:40 \
 -s 00:20:00:81:08:40:40:40:40:40:40:40:40 \
@@ -257,64 +306,82 @@ h3. General
 -s 00:20:00:83:08:40:40:40:40:40:40:40:40 \
 -s 00:e6:00:00 \
 -s 00:44:00:00
- 
+``` -h3. Mac OS X +### Mac OS X - * Use "http://www.gpgtools.org/":http://www.gpgtools.org/ to get GnuPG2 for Mac OS X - * Remove OpenSC.tokend from !/System/Library/Security/tokend when personalizing your token. scdaemon requires exclusive access which can not be shared with OpenSC.tokend, which is started when OpenPGP Card/token is inserted. - * kill scdaemon and re-insert your reader if you still see this: -
gpg: selecting openpgp failed: Card error
+* Use  to get GnuPG2 for Mac OS X
+* Remove OpenSC.tokend from `/System/Library/Security/tokend` when personalizing your token. `scdaemon` requires exclusive access which can not be shared with OpenSC.tokend, which is started when OpenPGP Card/token is inserted.
+* kill `scdaemon` and re-insert your reader if you still see this:
+
+```sh
+gpg: selecting openpgp failed: Card error
 gpg: OpenPGP card not available: Card error
-
+``` -h3. Linux (and Gnome) +### Linux (and Gnome) -h4. GnomeKeyring @gpg-agent@ confusion +#### GnomeKeyring @gpg-agent@ confusion -Under Gnome, @gnome-keyring@ sets up @GPG_AGENT_INFO@: -
$ env | grep GPG_AGENT
+Under Gnome, `gnome-keyring` sets up `GPG_AGENT_INFO`:
+
+```sh
+$ env | grep GPG_AGENT
 GPG_AGENT_INFO=/tmp/keyring-cKD5KN/gpg:0:1
-
-This agent is not capable of talking to smart cards (@--card-status@ & @--card-edit@): -
$ gpg2 --card-status
+```
+
+This agent is not capable of talking to smart cards (`--card-status` & `--card-edit`):
+
+```sh
+$ gpg2 --card-status
 gpg: selecting openpgp failed: Unsupported certificate
 gpg: OpenPGP card not available: Unsupported certificate
-
-Solution: use @gpg2@ from a console or unset @GPG_AGENT_INFO@ to use smart card related functions: -
$ GPG_AGENT_INFO= gpg2 --card-status
+```
+
+Solution: use `gpg2` from a console or unset `GPG_AGENT_INFO` to use smart card related functions:
+
+```sh
+$ GPG_AGENT_INFO= gpg2 --card-status
 scdaemon[11344]: enabled debug flags: command cardio
 Application ID ...: D2760001240102000005000005460000
 Version ..........: 2.0
 Manufacturer .....: ZeitControl
 ...
-
-Or permanently disable the @gnome-keyring@ agent: +``` -bc. $ gnome-session-properties +Or permanently disable the `gnome-keyring` agent: -And then uncheck _GPG Password Agent_, log out and log back in. +```sh +gnome-session-properties +``` -If there is no _GPG Password Agent_ entry in @gnome-session-properties@, you can put this line to _~/.bashrc_ file: +And then uncheck *GPG Password Agent*, log out and log back in. -bc. unset GPG_AGENT_INFO +If there is no *GPG Password Agent* entry in `gnome-session-properties`, you can put this line to *~/.bashrc* file: -h4. SSH agent failure +```sh +unset GPG_AGENT_INFO +``` + +#### SSH agent failure When using OpenSSH with support of a pkcs11 module, you may fail: -bc. $ ssh-add -s /usr/lib/opensc-pkcs11.so -Enter passphrase for PKCS#11: +```sh +$ ssh-add -s /usr/lib/opensc-pkcs11.so +Enter passphrase for PKCS#11: SSH_AGENT_FAILURE Could not add card: /usr/lib/opensc-pkcs11.so +``` -"Solution":https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/791747 +[Solution](https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/791747) -h4. @gpg2@ and multiple readers +#### @gpg2@ and multiple readers -@gpg2@ only works if the OpenPGP compatible card is in the first listed reader: +`gpg2` only works if the OpenPGP compatible card is in the first listed reader: -
$ opensc-tool -l
+```sh
+$ opensc-tool -l
 # Detected readers (pcsc)
 Nr.  Card  Features  Name
 0    No              Sitecom USB simcard reader MD-010 00 00
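Review bot: The Mac OS X bullet `* Use  to get GnuPG2 for Mac OS X` has lost the gpgtools link that the removed Textile line carried (`"http://www.gpgtools.org/":http://www.gpgtools.org/`); restore it as `[gpgtools](http://www.gpgtools.org/)`, or check whether an angle-bracket autolink was stripped on the way. Two headings in the same hunk still use Textile inline-code markup instead of backticks: `#### GnomeKeyring @gpg-agent@ confusion` and `#### @gpg2@ and multiple readers` should use backticks around `gpg-agent` and `gpg2`, as the body text below them already does.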
@@ -323,11 +390,12 @@ $ GPG_AGENT_INFO= gpg2 --card-status
 scdaemon[10980]: enabled debug flags: command cardio
 gpg: selecting openpgp failed: Card not present
 gpg: OpenPGP card not available: Card not present
-
+``` versus -
$ opensc-tool -l
+```sh
+$ opensc-tool -l
 # Detected readers (pcsc)
 Nr.  Card  Features  Name
 0    Yes             German Privacy Foundation Crypto Stick v1.2 00 00
@@ -338,24 +406,28 @@ Application ID ...: D2760001240102000005000005460000
 Version ..........: 2.0
 Manufacturer .....: ZeitControl
 ...
-
-Solution: remove other smart card readers. If all readers are USB, killing pcscd and inserting readers in the "right order" (Nitrokey first) helps. If this is not possible (for example, a reader integrated into the keyboard) editing the "CCID driver":http://pcsclite.alioth.debian.org/ccid.html Info.plist file and removing entries related to the "other" smart card readers can help. -Alternatively look up the name of the reader you are using and add it to _~/.gnupg/scdaemon.conf_ (or @--reader-port@ command line option if using GnuPG 1.X): -
 reader-port "German Privacy Foundation Crypto Stick v1.2 01 00"
+``` + +Solution: remove other smart card readers. If all readers are USB, killing pcscd and inserting readers in the "right order" (Nitrokey first) helps. If this is not possible (for example, a reader integrated into the keyboard) editing the CCID driver Info.plist file and removing entries related to the "other" smart card readers can help. +Alternatively look up the name of the reader you are using and add it to *~/.gnupg/scdaemon.conf* (or @--reader-port@ command line option if using GnuPG 1.X): + +```sh +reader-port "German Privacy Foundation Crypto Stick v1.2 01 00" +``` + After this a reader other than the first reader can be used. Be sure to change the configuration file if your reader setup changes (like more readers are added before the right one) as the numbering at the end of the name changes. -h4. No readers error +#### No readers error If there are no readers connected, @gpg2@ gives a "generic" error message: -
$ opensc-tool -l
+
+```sh
+$ opensc-tool -l
 No smart card readers found.
 $ GPG_AGENT_INFO= gpg2 --card-status
 scdaemon[11033]: enabled debug flags: command cardio
 gpg: selecting openpgp failed: Card error
 gpg: OpenPGP card not available: Card error
-
-This is just for your information. +``` -h2. Links - - * "http://web.monkeysphere.info/":http://web.monkeysphere.info/ +This is just for your information. diff --git a/OpenSC-Services.md b/OpenSC-Services.md index a27815a..bb34fcd 100644 --- a/OpenSC-Services.md +++ b/OpenSC-Services.md @@ -33,7 +33,7 @@ The mailing lists are hosted at the OpenSC project at SourceForge: [http://sourc ### MSIs and MacOS Apple Disk Image files -* + **Old builds are removed time to time.** ## Tarball releases diff --git a/Overview.md b/Overview.md index 72b775b..4298589 100644 --- a/Overview.md +++ b/Overview.md @@ -88,7 +88,7 @@ For blank cards OpenSC has code to initialize the card in PKCS#15 format. You can't change initialized cards at all, or only with the software that was used to initialize it. But you can use the card with OpenSC if OpenSC knows the format. So the format has either to be PKCS#15 (very few -softwares implement that standard, however), or maybe the format was published +software implement that standard, however), or maybe the format was published and OpenSC contains an emulation for that format. Check the list on [wiki page](Supported-hardware-(smart-cards-and-USB-tokens)) to see diff --git a/PuTTYcard.md b/PuTTYcard.md index 355163d..7a3d723 100644 --- a/PuTTYcard.md +++ b/PuTTYcard.md @@ -9,7 +9,7 @@ a "normal" Pageant. This only needed about 20 lines of codes within the source of pageant.exe and I was hoping that the PuTTY team would -include this into future PuTTY-packages. They did not :-( +include this into future PuTTY-packages. They did not. Therefore I merged the source code of PuTTYcard.dll with the source code of pageant.exe and released a smart card 
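Review bot: Three Textile leftovers and a dropped link in the last OpenPGP-card.md hunk: `(or @--reader-port@ command line option if using GnuPG 1.X)` and the unchanged context line `If there are no readers connected, @gpg2@ gives a "generic" error message:` still use `@...@` where the rest of the file now uses backticks, and the "Solution: remove other smart card readers." paragraph drops the CCID driver URL (`http://pcsclite.alioth.debian.org/ccid.html`) instead of converting it to a Markdown link. The `h2. Links` section with `http://web.monkeysphere.info/` is removed outright; if that is intentional, say so in the commit message, otherwise convert it like the other link lists. The same URL loss appears in OpenSC-Services.md, where `-* +` leaves an empty bullet under "MSIs and MacOS Apple Disk Image files", and the Overview.md change from "softwares implement" to "software implement" should read "software implements".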
@@ -23,8 +23,6 @@ my smart card enabled version of pageant.exe with a new card or a new card reader I will send you a free license. Just let me know. -## PuTTYcard - PuTTYcard is an extension to PuTTY, the free SSH-client from Simon Tatham. With this extension PuTTY can use RSA-keys from external devices, ie. smart cards, usb-tokens. @@ -64,7 +62,7 @@ your ppk-file should look like PuTTYcard,PuTTYiso7816.dll,,AA,BB,CCCC ``` - is the DF on your smart card that contains the RSA-key. +The `` is the DF on your smart card that contains the RSA-key. This must be specified as a 4,8,12 or 16digit hexadecimal number. Do NOT prefix the path with 3F00. AA is the key-reference of the private key, BB is the @@ -74,7 +72,7 @@ public key. This file must either contain the public key as two ASN1-encoded records or it must be a certificate file from which the public key will be extracted. -h3. How do I find the above mentions numbers? +## How do I find the above mentions numbers? One of the first actions of PuTTYcard is to change its working DF to the DF given by the @@ -253,7 +251,7 @@ certificates namely DF01:C100 and DF01:4371 so two other possible CCCC-values are C100 and 4371 On a Netkey card a private key may be protected by more than -one PIN. So instead of PIN-reference 81 (which references +one PIN. So instead of PIN-reference 81 (which references local PIN1) I may alternatively use PIN-reference 00 (which references global PIN0) diff --git a/Quick-Start-with-OpenSC.textile b/Quick-Start-with-OpenSC.md similarity index 65% rename from Quick-Start-with-OpenSC.textile rename to Quick-Start-with-OpenSC.md index a24c9cb..9cba5da 100644 --- a/Quick-Start-with-OpenSC.textile +++ b/Quick-Start-with-OpenSC.md 
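Review bot: `+The `` is the DF on your smart card that contains the RSA-key.` contains an empty code span, so the placeholder that was the first word of the removed line is now missing entirely; the sentence should name which field of `PuTTYcard,PuTTYiso7816.dll,,AA,BB,CCCC` it refers to. In the same file, `## How do I find the above mentions numbers?` keeps the "mentions" typo ("mentioned") while changing the level from h3 to `##`; check that this matches the other headings in the file. The `## PuTTYcard` heading is also removed without a replacement, which leaves the "PuTTYcard is an extension to PuTTY" paragraph under the preceding section.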
@@ -1,16 +1,16 @@ -h1. Quick Start with OpenSC +# Quick Start with OpenSC -If you haven't already, please first take a look at our [[Overview|Overview]] page, the [[Operating Systems|Recent-test-results-for-various-smart-cards]] page and the [[Compiling and Installing on Unix flavors]] page. +If you haven't already, please first take a look at our [[Overview|Overview]] page, the [[Operating Systems|Recent-test-results-for-various-smart-cards]] page and the [[Compiling and Installing on Unix flavors]] page. -h2. Before we start... +## Before we start -A word of warning: these experiments can destroy your card (e.g. if we have a bug. there is _NO WARRANTY_ on opensc of any kind). Also be sure to make notes of everything you do, especially the pin and puk and so-pin and so-puk you set, as it is not possible to erase some cards without these! +A word of warning: these experiments can destroy your card (e.g. if we have a bug. there is **NO WARRANTY** on opensc of any kind). Also be sure to make notes of everything you do, *especially*< the pin and puk and so-pin and so-puk you set, as it is not possible to erase some cards without these! -h2. Install the required middleware +## Install the required middleware Some older card readers (or standalone USB tokens) use a nonstandard wire format for communicating between the computer and the device. You will need to get the corresponding (often proprietary) software up and running first. For USB tokens see the respective page on this Wiki (e.g., [[Aladdin eToken PRO]], [SafeNet tokens](SafeNet-cards)). For card readers, you should get to the point where the LED turns on when you plug it into the USB socket. -h2. Install OpenSC +## Install OpenSC For Mac OS X, download and install SCA. 
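Review bot: Stray `<` in the warning paragraph: `*especially*< the pin and puk` will render the angle bracket literally; drop the `<`. Since the line is rewritten anyway, the parenthesis "(e.g. if we have a bug. there is **NO WARRANTY** on opensc of any kind)" would read better with a semicolon instead of the full stop after "bug".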
@@ -18,52 +18,69 @@ For Windows, visit the build project. For Linux, either use your distribution's package manager or see [[Compiling and Installing on Unix flavors]]. -h2. Test OpenSC +## Test OpenSC First check if your smart card reader is found: -
$ opensc-tool --list-readers
+
+```sh
+$ opensc-tool --list-readers
 Readers known about:
 Nr.    Driver     Name
 0      openct     Towitoko Chipdrive Micro
 1      openct     Aladdin eToken PRO
 2      openct     OpenCT reader (detached)
 3      openct     OpenCT reader (detached)
-4      openct     OpenCT reader (detached)
+4 openct OpenCT reader (detached) +``` You can see, openct claims five slots, but only two are used. This is done to support hotplugging, those slots can be filled later by additional readers you plugin via usb. Next test is to see if your card is found. Every card has a so called ATR ("Answer to reset"), a hex string used for identifying the card type. -
$ opensc-tool --reader 0 --atr
-3b:e2:00:ff:c1:10:31:fe:55:c8:02:9c
+ +```sh +$ opensc-tool --reader 0 --atr +3b:e2:00:ff:c1:10:31:fe:55:c8:02:9c +```sh Lets see if that card is supported by OpenSC. If so, we should know the name of the card: -
$ opensc-tool --reader 0 --name
-Cryptoflex 32K e-gate
+ +```sh +$ opensc-tool --reader 0 --name +Cryptoflex 32K e-gate +``` OpenSC has a small low level tool for exploring your smart card. This is useful if you have a new card and want to look at it, or check some details. -
$ opensc-explorer
-However opensc-explorer only works with known cards and even then: some cards don't have then required functionality, for example no "ls" command. +```sh +$ opensc-explorer +``` -h1. Quick start guide to initializing a blank card +However `opensc-explorer` only works with known cards and even then: some cards don't have then required functionality, for example no `ls` command. + +## Quick start guide to initializing a blank card The best way to use all features of OpenSC is to start with a blank card and initialize it with OpenSC. Make sure your vendor sold you a real blank card, many vendors also have pre-initialized cards, and those only work with the vendors software, but not or only limited with OpenSC. -Warning: before writing any data on the token please read the smartcard os specific wiki pages as some smartcards cannot be deleted once initialized. +**Warning:** before writing any data on the token please read the smartcard os specific wiki pages as some smartcards cannot be deleted once initialized. -You can add "-v" to all of these commands, to get a more verbose output. Adding "-v" more than once will enable debugging or increase the debugging level. +You can add `-v` to all of these commands, to get a more verbose output. Adding `-v` more than once will enable debugging or increase the debugging level. First you need to create the basic structure. At this step you are asked to enter a "security office" pin. Only with this pin you can alter the card, but that pin is not needed to use the keys. -
$ pkcs15-init --create-pkcs15
+
+```sh
+$ pkcs15-init --create-pkcs15
 New Security Officer PIN (Optional - press return for no PIN).
 Please enter Security Officer PIN: 
 Please type again to verify: 
 Unblock Code for New User PIN (Optional - press return for no PIN).
 Please enter User unblocking PIN (PUK): 
-Please type again to verify: 
+Please type again to verify: +``` Next step is to create a user and a pin. That pin is needed for using the keys we will create later. -
$ pkcs15-init --store-pin --auth-id 01 --label "Andreas Jellinghaus"
+
+```sh
+$ pkcs15-init --store-pin --auth-id 01 --label "Andreas Jellinghaus"
 New User PIN.
 Please enter User PIN: 
 Please type again to verify: 
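Review bot: The ATR block is closed with `+```sh` instead of a bare `+````, so the fence after `3b:e2:00:ff:c1:10:31:fe:55:c8:02:9c` opens a second code block; "Lets see if that card is supported by OpenSC" renders as code and the fence parity is flipped for the rest of the file. The converted reader table also collapses the column alignment on its last row: `+4 openct OpenCT reader (detached)` replaces `-4      openct     OpenCT reader (detached)`; keep the original spacing inside the fence so the columns line up. Two typos sit on rewritten lines: "Lets see" (Let's) and "some cards don't have then required functionality" (the required functionality).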
@@ -71,19 +88,25 @@ Unblock Code for New User PIN (Optional - press return for no PIN).
 Please enter User unblocking PIN (PUK): 
 Please type again to verify: 
 Security officer PIN required.
-Please enter Security officer PIN: 
+Please enter Security officer PIN: +``` Now create a key. Both pins are needed for this. -
$ pkcs15-init --generate-key rsa/1024 --auth-id 01
+
+```sh
+$ pkcs15-init --generate-key rsa/1024 --auth-id 01
 Security officer PIN required.
 Please enter Security officer PIN: 
 User PIN required.
 Please enter User PIN: 
 Security officer PIN required.
-Please enter Security officer PIN: 
+Please enter Security officer PIN: +``` You can list the keys on the token with -
$ pkcs15-tool --list-keys
+
+```sh
+$ pkcs15-tool --list-keys
 Private RSA Key [Private Key]
         Com. Flags  : 3
         Usage       : [0x4], sign
@@ -93,29 +116,40 @@ Private RSA Key [Private Key]
         Native      : yes
         Path        : 3F005015
         Auth ID     : 01
-        ID          : 45
+ ID : 45 +``` -h2. Testing using OpenSSL +## Testing using OpenSSL -If you followed thus far, your token is now fitted with a private RSA key that it generated itself and never divulged to anybody (not even the host computer). Assuming "engine_pkcs11":https://github.com/OpenSC/libp11 is installed, we can use this key and openssl to create a self signed certificate, still without divulging the key; the necessary cryptographic computations will occur on-token. +If you followed thus far, your token is now fitted with a private RSA key that it generated itself and never divulged to anybody (not even the host computer). Assuming [engine_pkcs11](https://github.com/OpenSC/libp11) is installed, we can use this key and openssl to create a self signed certificate, still without divulging the key; the necessary cryptographic computations will occur on-token. -Let's start the OpenSSL interactive shell and load the "engine_pkcs11":https://github.com/OpenSC/libp11 so that OpenSSL can ask the token to do the crypto (as opposed to doing it from your computer's CPU). - * Linux: open a terminal and type this (skipping the prompts): -
$ openssl
-OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so
+Let's start the OpenSSL interactive shell and load the [engine_pkcs11](https://github.com/OpenSC/libp11) so that OpenSSL can ask the token to do the crypto (as opposed to doing it from your computer's CPU). - * Mac OS X: open a terminal and type this (skipping the prompts): -
$ /Library/OpenSC/bin/openssl
-OpenSSL> engine dynamic -pre SO_PATH:/Library/OpenSC/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
+* **Linux**: open a terminal and type this (skipping the prompts): + +```sh +$ openssl +OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so +``` + +* **Mac OS X**: open a terminal and type this (skipping the prompts): + +```sh +$ /Library/OpenSC/bin/openssl +OpenSSL> engine dynamic -pre SO_PATH:/Library/OpenSC/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so +``` In both cases, OpenSSL should respond with something like -
(dynamic) Dynamic engine loading support
+
+```sh
+(dynamic) Dynamic engine loading support
 [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
 [Success]: ID:pkcs11
 [Success]: LIST_ADD:1
 [Success]: LOAD
 Loaded: (pkcs11) pkcs11 engine
-OpenSSL> 
+OpenSSL> +``` It is important to enter the whole long command in one single command line. I usually copy&paste the command, to make sure I don't mistype @@ -123,7 +157,8 @@ anything. Staying at the OpenSSL prompt, now type: -
OpenSSL> req -engine pkcs11 -new -key id_45 -keyform engine -x509 -out cert.pem -text
+```sh
+OpenSSL> req -engine pkcs11 -new -key id_45 -keyform engine -x509 -out cert.pem -text
 SmartCard PIN: 
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
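Review bot: `+ ID : 45` replaces `-        ID          : 45` and loses the indentation and padding that align it with the other fields of the `pkcs15-tool --list-keys` output (`Auth ID     : 01` directly above); keep the original whitespace inside the fence.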
@@ -144,16 +179,22 @@ Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:
-OpenSSL> 
+OpenSSL> +``` This creates a signed certificate as file `cert.pem` (again, without divulging the private key). You can verify that it is indeed self-signed (the private key is not required for this): exit OpenSSL and type -
$ openssl verify -CAfile cert.pem cert.pem
-cert.pem: OK
+ +```sh +$ openssl verify -CAfile cert.pem cert.pem +cert.pem: OK +``` If instead you remove the "-x509" flag in the `req` OpenSSL command, you get a certificate signing request. Send it to the CA, wait till you get it back, signed, and proceed. Now we can store the certificate side by side with the key on the token, as a piece of public (but read-only) data. It is important to save the certificate under the same ID as the key, so that applications wanting to use that certificate on your behalf can find the private key as well. You can get a list of all keys and their details (including the ID) with: -
$ pkcs15-tool --list-keys
+
+```sh
+$ pkcs15-tool --list-keys
 Private RSA Key [Private Key]
         Com. Flags  : 3
         Usage       : [0x4], sign
@@ -163,22 +204,21 @@ Private RSA Key [Private Key]
         Native      : yes
         Path        : 3F005015
         Auth ID     : 01
-        ID          : 45
+ ID : 45 +``` So lets store the certificate that we created: -
$ pkcs15-init --store-certificate cert.pem --auth-id 01 --id 45 --format pem 
+
+```sh
+$ pkcs15-init --store-certificate cert.pem --auth-id 01 --id 45 --format pem 
 Security officer PIN required.
-Please enter Security officer PIN: 
+Please enter Security officer PIN: +``` Now we are ready to go. If you want to add more certificates (e.g. the root certificate of the CA that signed your key, or some intermediate certificates in the chain to the root CA) simply put those into pem files, and add them to id 46, 47 and so on. You don't need the private key for these obviously. -h1. Now what? - -You probably want to make your token work with other applications than `pkcs15-init` and OpenSSL: see [[Application Support|Using-smart-cards-with-applications]]. - -If you want to login to your computer with your smart card or crypto token, please note that OpenSC 0.10 does not include the pam module and the openssl engine any more. We suggest you install "libp11":https://github.com/OpenSC/libp11 and one of "pam_p11":https://github.com/OpenSC/pam_p11 (a simple authentication module) or "pam_pkcs11":https://github.com/OpenSC/pam_pkcs11 (a full featured authentication module). +## Now what? -h1. Links +You probably want to make your token work with other applications than `pkcs15-init` and OpenSSL: see [Application Support](Using-smart-cards-with-applications). - * "Gooze Quickstarter Guide, smartcard initialization":http://www.gooze.eu/howto/smartcard-quickstarter-guide/smart-card-initialization - * "eToken PRO initial setup tutorial":http://daniel.benoy.name/?p=76 +If you want to login to your computer with your smart card or crypto token, please note that OpenSC 0.10 does not include the pam module and the openssl engine any more. We suggest you install [libp11](https://github.com/OpenSC/libp11) and one of [pam_p11](https://github.com/OpenSC/pam_p11) (a simple authentication module) or [pam_pkcs11](https://github.com/OpenSC/pam_pkcs11) (a full featured authentication module). diff --git a/Schlumberger-Axalto-Cyberflex.md b/Schlumberger-Axalto-Cyberflex.md index 46b6e31..9cae975 100644 --- a/Schlumberger-Axalto-Cyberflex.md +++ b/Schlumberger-Axalto-Cyberflex.md 
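Review bot: Same alignment loss as in the earlier `pkcs15-tool --list-keys` block: `+ ID : 45` should keep the `-        ID          : 45` spacing. The `h1. Links` section with the Gooze quickstarter and eToken PRO tutorial URLs is removed rather than converted; if the links are dead, note that in the commit message, otherwise convert them to Markdown list items as the rest of this hunk does.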
@@ -2,7 +2,7 @@ > Cryptoflex card are **deactivated**. For further usage, it is necessary to enable the card driver in `opensc.conf`. -Earlier versions of Cyberflex cards have the same or a very similiar filesystem interface like the Cryptoflex cards. +Earlier versions of Cyberflex cards have the same or a very similar filesystem interface like the Cryptoflex cards. Those cards work well with OpenSC. Newer versions however are pure JavaCards and will not work without a JavaApplet. diff --git a/Security-Considerations.md b/Security-Considerations.md index 1c64948..cffd59f 100644 --- a/Security-Considerations.md +++ b/Security-Considerations.md @@ -131,7 +131,7 @@ This means that your keys and sensitive data are safe against others (who know t However, depending on the smartcard os and the card profile anyone who knows the transport key and has access to your card can erase the card. -On itself, that may be a good thing if you lost your card, but there's another problem: If your card contains trusted certificates, and an adversary steals your card, puts another pkcs15 dir with other certs on the card and puts it back without you knowing, you may not find out until you put trust in those untrusted certs. +On itself, that may be a good thing if you lost your card, but there's another problem: If your card contains trusted certificates, and an adversary steals your card, puts another pkcs15 dir with other certs on the card and puts it back without you knowing, you may not find out until you put trust in those untrusted certs. Be very careful when using the card as a tamper-resistant storage - make them PIN-protected for example. (Note: this if often not the case: the trusted certificates are usually stored in the applications using them.) diff --git a/Serbian-EID.md b/Serbian-EID.md index 66a4d0f..2c47f7a 100644 --- a/Serbian-EID.md +++ b/Serbian-EID.md 
@@ -5,7 +5,7 @@ The Serbian EID is currently not supported by OpenSC. ## "Old" card -The EID is based on ApolloOS 2.43. Old patches for driver for thi card are in [vigsterkr/OpenSC](https://github.com/vigsterkr/OpenSC). +The EID is based on ApolloOS 2.43. Old patches for driver for this card are in [vigsterkr/OpenSC](https://github.com/vigsterkr/OpenSC). It supports reading EF from the card, reading the card's serial number and extract ID information (e.g. name, address, issue date etc.) from the card with `eidenvtool`. ## "New" card diff --git a/SmartCardHSM.md b/SmartCardHSM.md index 5450ba7..dc3ae18 100644 --- a/SmartCardHSM.md +++ b/SmartCardHSM.md @@ -560,13 +560,13 @@ asc@calzone:~/tmp$ sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1 --pin 6 Using reader with a card: SCM SCR 355 [CCID Interface] 00 00 asc@calzone:~/tmp$ ls -la wrap-key.bin -rw-rw-r-- 1 asc asc 1696 Jul 17 19:15 wrap-key.bin - +``` The resulting file contains a key description, the optional certificate and the key value encrypted under the DKEK. The key value and it's meta data is protected by a cryptographic checksum against modifications. Importing the key into the same or a different SmartCard-HSM with the same DKEK can be done using: -

+```sh
 asc@calzone:~/tmp$ sc-hsm-tool --unwrap-key wrap-key.bin --key-reference 10 --pin 648219
 Using reader with a card: SCM SCR 355 [CCID Interface] 00 00
 Wrapped key contains:
diff --git a/Software-compatibility.md b/Software-compatibility.md
index 02bfbf7..13eb8fa 100644
--- a/Software-compatibility.md
+++ b/Software-compatibility.md
@@ -28,7 +28,7 @@ But at least some software is compatible:
 
 Giesecke & Devrient ship the Starcos
 smart card and USB tokens based on that card. The software bundled with both is called StarSign. That software implements
-the PKCS#15 standard, too, so it should be fully compatible with OpenSC and vise versa. If there is any issue, please
+the PKCS#15 standard, too, so it should be fully compatible with OpenSC and vice versa. If there is any issue, please
 let us know (the last test was quite a while in the past).
 
 If you know other software implementing PKCS#15, please add a paragraph.
diff --git a/Supported-hardware-(smart-cards-and-USB-tokens).md b/Supported-hardware-(smart-cards-and-USB-tokens).md
index f109f44..e045513 100644
--- a/Supported-hardware-(smart-cards-and-USB-tokens).md
+++ b/Supported-hardware-(smart-cards-and-USB-tokens).md
@@ -1,102 +1,103 @@
-h1. Supported hardware (smart cards and USB tokens)
+# Supported hardware (smart cards and USB tokens)
 
-NB! Unless noted otherwise, OpenSC works only with contact interface! 
+NB! Unless noted otherwise, OpenSC works only with **contact interface**!
 
- * OpenSC targets only smart cards, so to know if your reader device is support, check the list of [[CardReaders|Smart-card-readers-(Linux-and-Mac-OS-X)]].
-  * Proprietary USB tokens will require a (possibly proprietary) USB level driver: PC/SC (preferred) or OpenCT (deprecated)
+* OpenSC targets only smart cards, so to know if your reader device is support, check the list of [CardReaders](Smart-card-readers-(Linux-and-Mac-OS-X)).
+* Proprietary USB tokens will require a (possibly proprietary) USB level driver: PC/SC (preferred) or OpenCT (deprecated)
 
-h2. National ID Cards
+## National ID Cards
 
 These are usually pre-initialized read-only cards.
 Supported eID cards:
- * [[IAS-ECC|IAS-ECC]]
- * [[UnitedStatesPIV|US-PIV]]
- * [[GermanEid|German-ID-Cards]]
- * [[ItalianCNS|Italian-CNS-and-CIE]]
- * [[ItalianEid|Italian-Infocamere]]
- * [[EstonianEid|Estonian-eID-(EstEID)]]
- * [[PortugueseEid|Portuguese-eID]]
- * [[US CAC|US-CAC]]
 
+* [IAS-ECC](IAS-ECC)
+* [UnitedStatesPIV](US-PIV)
+* [GermanEid](German-ID-Cards)
+* [ItalianCNS](Italian-CNS-and-CIE)
+* [ItalianEid](Italian-Infocamere)
+* [EstonianEid](Estonian-eID-(EstEID))
+* [PortugueseEid](Portuguese-eID)
+* [US CAC](US-CAC)
 
-h2. Generic smart cards
+## Generic smart cards
 
 Each entry on this list possibly represents a whole family of cards. See each page to find out which models are supported.
 Personalizable cards:
- * [[OpenPGP Card|OpenPGP-card]]
- * [[MyEID|Aventra-MyEID-PKI-card]]
- * [[WestCOS|WestCOS]]
- * [[SetCOS|Setcos-driver]]
- * [[Oberthur|Oberthur-AuthentIC-applet-v2.2]]
- * [[Cyberflex|Schlumberger-Axalto-Cyberflex]]
- * [[CardOS|Siemens-CardOS-M4]]
- * [[STARCOS|STARCOS-cards]]
- * [[ASEPCOS|Athena-ASEPCOS-ASEKey]]
- * [[SmartCardHsm|SmartCardHSM]]
- * [[Cryptoflex|Schlumberger-Axalto-Cryptoflex]]
- * [[FTCOSPK01C|Feitian-PKI-card]]
+
+* [OpenPGP Card](OpenPGP-card)
+* [MyEID](Aventra-MyEID-PKI-card)
+* [WestCOS](WestCOS)
+* [SetCOS](Setcos-driver)
+* [Oberthur](Oberthur-AuthentIC-applet-v2.2)
+* [Cyberflex](Schlumberger-Axalto-Cyberflex)
+* [CardOS](Siemens-CardOS-M4)
+* [STARCOS](STARCOS-cards)
+* [ASEPCOS](Athena-ASEPCOS-ASEKey)
+* [SmartCardHsm](SmartCardHSM)
+* [Cryptoflex](Schlumberger-Axalto-Cryptoflex)
+* [FTCOSPK01C](Feitian-PKI-card)
 
 Read-only cards:
- * [[Micardo|Micardo]]
- * [[AKIS|AKiS-cards]]
- * [[TCOS|TCOS-based-preformatted-cards]]
- * [[MTCOS|MaskTech-cards]]
+
+* [AKIS](AKiS-cards)
+* [TCOS](TCOS-based-preformatted-cards)
+* [MTCOS](MaskTech-cards)
 
 JavaCard applets:
- * [[MyEID|Aventra-MyEID-PKI-card]]
- * [[Oberthur|Oberthur-AuthentIC-applet-v2.2]]
- * [[MuscleApplet|Muscle-applet]]
- * [[SmartCardHsm|SmartCardHSM]]
- * [[Coolkey (RHCS)|Coolkey]]
 
-h2. USB Tokens
+* [MyEID](Aventra-MyEID-PKI-card)
+* [Oberthur](Oberthur-AuthentIC-applet-v2.2)
+* [MuscleApplet](Muscle-applet)
+* [SmartCardHsm](SmartCardHSM)
+* [Coolkey (RHCS)](Coolkey)
 
-Each entry on this list possibly represents a whole family of tokens. See each page to find out which models are supported. These devices are also known as cryto-sticks.
+## USB Tokens
 
- * [[Aktiv Co. Rutoken ECP|Aktiv-Co.-Rutoken-ECP]]
- * [[Aktiv Co. Rutoken S|Aktiv-Co.-Rutoken-S]]
- * [[Aladdin Etoken Pro|Aladdin-eToken-PRO]]
- * [[Athena ASEPCOS / ASEKey|Athena-ASEPCOS-ASEKey]]
- * [[CardContact SmartCardHsm|SmartCardHSM]]
- * [[Crypto Stick|OpenPGP-card]]
- * [[Feitian ePass2003|Feitian-ePass2003]]
- * [[Feitian ePass3000|Feitian-ePass3000]]
- * [[Feitian PKI token|Feitian-ePass-PKI-token]]
- * [[Nitrokey Pro, Start, Storage|OpenPGP-card]], [[HSM|SmartCardHSM]]
- * [[Rainbow iKey 3000|iKey-3000]]
- * [[Schlumberger / Axalto e-gate|Schlumberger-Axalto-Gemalto-e-gate]]
+Each entry on this list possibly represents a whole family of tokens. See each page to find out which models are supported. These devices are also known as cryto-sticks.
 
+* [Aktiv Co. Rutoken ECP](Aktiv-Co.-Rutoken-ECP)
+* [Aktiv Co. Rutoken S](Aktiv-Co.-Rutoken-S)
+* [Aladdin Etoken Pro](Aladdin-eToken-PRO)
+* [Athena ASEPCOS / ASEKey](Athena-ASEPCOS-ASEKey)
+* [CardContact SmartCardHsm](SmartCardHSM)
+* [Crypto Stick](OpenPGP-card)
+* [Feitian ePass2003](Feitian-ePass2003)
+* [Feitian ePass3000](Feitian-ePass3000)
+* [Feitian PKI token](Feitian-ePass-PKI-token)
+* [Nitrokey Pro, Start, Storage](OpenPGP-card), [HSM](SmartCardHSM)
+* [Schlumberger / Axalto e-gate](Schlumberger-Axalto-Gemalto-e-gate)
+* Rainbow iKey-3000
 
-Did not find your card from the supported card list? See [[FrequentlyAskedQuestions|Frequently-Asked-Questions]] for next steps.
+**Did not find your card from the supported card list?** See [FrequentlyAskedQuestions](Frequently-Asked-Questions) for next steps.
 
-h2. Unsupported hardware
+## Unsupported hardware
 
 Things that we have (some) code for but which are known to be incomplete, broken or largely useless.
 
 Unclear/unsupported eID cards:
- * [[Australia|Australian-national-ID-card]]
- * [[FinnishEid|Finnish-FINEID]]
- * [[TaiwanEid|Taiwan]]
- * [[SwedishEid|Swedish-ePosten-card]]
- * [[BelgianEid|Belgian-Belpic]]
- * [[GermanEGK|German-eHBA,-eGK]]
- * [[MyKAD|Malaysian-MyKAD]]
- * [[SpanishEid|Spanish-Ceres-DNIe]]
- * [[AustrianEid|Austrian-"Bürgerkarte"]]
- * [[ItalianPostecert|Italian-Postecert]]
- * [[SwedishBankID|Swedish-BankID]]
+
+* Australian national ID card
+* Finnish eID
+* Taiwan eID
+* Swedish eID
+* [Belgian eID](Belgian-Belpic)
+* [German EGK](German-eHBA,-eGK)
+* Malaysian MyKAD
+* [Spanish eID](Spanish-Ceres-DNIe)
+* [Austrian eID](Austrian-"Bürgerkarte")
+* Italian Postecert
+* [Swedish BankID](Swedish-BankID)
 
 Unsupported USB tokens:
- * [[RainbowIkeyFour|iKey-4000]]
- * [[CryptoIdentityItsec|Eutron-CryptoIdentity-ITSEC-I-ITSEC-P]]
 
+* Rainbow iKey-4000
+* [CryptoIdentityItsec](Eutron-CryptoIdentity-ITSEC-I-ITSEC-P)
 
 Unsupported smart cards:
- * [[IbmJcop|IbmJcop]]
- * [[EMV|EMV-(Europay,-Mastercard,-VISA)]]
- * [[Seccos|Seccos]]
- * [[Actalis|Italian-signature-card-Actalis]]
- * [[ACOS5|ACOS5]]
- * [[GemplusGpk|Gemplus-GPK-16k]]
-
 
+* IBM JCOP
+* [EMV](EMV-(Europay,-Mastercard,-VISA))
+* [Seccos](Seccos)
+* [Actalis](Italian-signature-card-Actalis)
+* [ACOS5](ACOS5)
+* [GemplusGpk](Gemplus-GPK-16k)
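Review bot: the Read-only cards list drops the Micardo entry entirely (the removed `* [[Micardo|Micardo]]` line has no replacement in the new list), and the Rainbow iKey 3000, Australian, Finnish, Taiwan, Swedish, MyKAD, Italian Postecert, IBM JCOP and Rainbow iKey-4000 entries lose their wiki-page targets and become plain text. A Textile-to-Markdown conversion should not change which pages are linked; either keep the targets (for example `* [Rainbow iKey 3000](iKey-3000)`) or say in the commit message that those pages were removed so reviewers can verify it. Also, the rewritten USB Tokens intro line still reads `cryto-sticks`; since that line is already being touched, fix it to `crypto-sticks`.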
diff --git a/TCOS-based-preformatted-cards.md b/TCOS-based-preformatted-cards.md
index 5050463..6a42a69 100644
--- a/TCOS-based-preformatted-cards.md
+++ b/TCOS-based-preformatted-cards.md
@@ -6,7 +6,7 @@ TeleSec (now part of Deutsche Telekom AG), Deutsche Post and DATEV are german co
 
 Since late 2006 TCOS 3.0 cards are available from TeleSec and a test card plus excellent doku reached the OpenSC team in december 2006. Besides 2048 bit keys TCOS 3.0 has some other new features. In december 2007 the TCOS 2.0 driver was extended such that it supports TCOS 3.0 cards as well. OpenSC 0.11.5 was the first version that had TCOS3 support.
 
-The 2048 bit NetKey card was named NetKey E4 V3. The signature key of this card can be used only with secure messaging. Since OpenSC does not have support for secure messaging the signature key will not be supported soon. 
+The 2048 bit NetKey card was named NetKey E4 V3. The signature key of this card can be used only with secure messaging. Since OpenSC does not have support for secure messaging the signature key will not be supported soon.
 
 If OpenSC would fully support TCOS, one could erase the preformatted card and initialize the card with a fresh PKCS#15 filesystem. This is not possible right now as OpenSC lacks support for initializing a PKCS#15 layout on an empty card with TCOS operation system.
 
@@ -73,7 +73,7 @@ There is one problem with many PKCS#11 or PKCS#15 smartcard-applications. They a
 
 If you have stored a certificate on your NetKey card, you most likely want to use this certificate (and not the readonly-one). Therefore the emulation will add the user-certificates first into its internal list.
 
-h3. Some remarks about the PINs of NetKey cards
+### Some remarks about the PINs of NetKey cards
 
 There are two global PINs on TCOS2 based NetKey-cards and some of the directories contain further PINs. TCOS3-based cards are slightly different but since `netkey-tool` does not support TCOS3-cards yet I will not explain the differences.
 
diff --git a/US-PIV.md b/US-PIV.md
index b2bc4c3..c30e7bf 100644
--- a/US-PIV.md
+++ b/US-PIV.md
@@ -32,7 +32,7 @@ There is also [arekinath/PivApplet](https://github.com/arekinath/PivApplet) - PI
 * OpenSC 0.12.1 bug fixes:
   * Fixed: Support to request the PIN before each Digital Signature Key operation.
   * Fixed: Key usage when using ECDSA with Thunderbird.
-  * (Although not PIV specific) a bug was introduced during the release cycle for 0.12.1 where the `pam_krb5` login or Kerberos `kinit` may fail. The circumvention is to set in the `opensc.conf` file `plug_and_play = false;` `C_GetSlotList` with `tokenpresent=1` would return the hotplug slot even if emply as the first slot.
+  * (Although not PIV specific) a bug was introduced during the release cycle for 0.12.1 where the `pam_krb5` login or Kerberos `kinit` may fail. The circumvention is to set in the `opensc.conf` file `plug_and_play = false;` `C_GetSlotList` with `tokenpresent=1` would return the hotplug slot even if empty as the first slot.
 * OpenSC 0.13.0:
   * ECDH with key derivation is now supported via PKCS#11 `C_Derive` using `CKM_ECDH1_COFACTOR_DERIVE` or `CKM_ECDH1_DERIVE`. The KDF must be `CKD_NULL`. See the `pkcs11-tool.c` for an example.
   * `CK_ALWAYS_AUTHENTICATE` is supported for the signing key. This requires the PIN to be entered before cypto opertation when using the signing certificate.
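Review bot: the spelling fix of `emply` to `empty` leaves `cypto opertation` in the `CK_ALWAYS_AUTHENTICATE` context line two lines below untouched; as this PR is a codespell cleanup, correct it in the same hunk to `before crypto operation when using the signing certificate`. The fixed line itself still runs two sentences together (`plug_and_play = false;` `C_GetSlotList` ...); a period after the closing backtick would make the workaround and the bug description read as separate statements.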
diff --git a/Using-pinpad-readers-with-CT-API.md b/Using-pinpad-readers-with-CT-API.md
index a944c84..ac846fd 100644
--- a/Using-pinpad-readers-with-CT-API.md
+++ b/Using-pinpad-readers-with-CT-API.md
@@ -5,7 +5,7 @@ On Win32 a pinpad reader usually supplies a PC/SC driver and a CT-API driver. Yo
 ## Configuring CT-API in `opensc.conf`
 
 To activate the CT-API driver you have to add the token `ctapi` to the `reader_drivers` attribute of the app default section (or whatever app you are using).
-Then the reader's parameters, that is the library and port number, have to be configured in the `reader_driver ctapi` secion.
+Then the reader's parameters, that is the library and port number, have to be configured in the `reader_driver ctapi` section.
 
 Use this as an example:
 
diff --git a/Using-smart-cards-with-Java-SE.md b/Using-smart-cards-with-Java-SE.md
index 5085a54..7061217 100644
--- a/Using-smart-cards-with-Java-SE.md
+++ b/Using-smart-cards-with-Java-SE.md
@@ -1,59 +1,61 @@
-h1. Using smart cards with Java SE
+# Using smart cards with Java SE
 
-
-h2. JNI wrappers
+## JNI wrappers
 
 Access to native PKCS#11 providers. Requires JNI and necessary host-side software.
- * OpenSC-Java "https://www.opensc-project.org/opensc-java/browser/trunk/pkcs11":https://www.opensc-project.org/opensc-java/browser/trunk/pkcs11
- * IAIK "http://jce.iaik.tugraz.at/sic/Products/Core-Crypto-Toolkits/PKCS-11-Wrapper":http://jce.iaik.tugraz.at/sic/Products/Core-Crypto-Toolkits/PKCS-11-Wrapper
- * Sun PKCS#11 in 1.5+ "http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html":http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html
-Access to PC/SC for Java versions before 1.6. Should not be used for new applications, use Java 1.6 and javax.smartcardio instead
- * jPCSC - "http://www.linuxnet.com/middle.html":http://www.linuxnet.com/middle.html
 
-h2. javax.smartcardio in 1.6+
+* [OpenSC-Java](https://github.com/OpenSC/OpenSC-Java)
+* [IAIK](https://jce.iaik.tugraz.at/products/core-crypto-toolkits/pkcs11-wrapper/)
+* Sun PKCS#11 in 1.5+
+* [jPCSC](https://github.com/klali/jpcsc)
+
+## javax.smartcardio in 1.6+
 
 List of "interesting" applications and libraries that make use of javax.smartcardio
- * Low level PC/SC bridge (replaces and obsoletes jPCSC) "http://java.sun.com/javase/6/docs/jre/api/security/smartcardio/spec/javax/smartcardio/package-summary.html":http://java.sun.com/javase/6/docs/jre/api/security/smartcardio/spec/javax/smartcardio/package-summary.html
- * PKCS#15 support (OpenSC-Java)
- * GPJ "http://sourceforge.net/projects/gpj/":http://sourceforge.net/projects/gpj/
- * scuba "http://scuba.sourceforge.net/":http://scuba.sourceforge.net/
- * OpenCard Framework "http://www.openscdp.org/ocf/":http://www.openscdp.org/ocf/
- * Smart Card Shell "http://www.openscdp.org/scsh3/index.html":http://www.openscdp.org/scsh3/index.html
- * wiki:OpenPGP GUI "http://sourceforge.net/projects/javaopenpgpcard/":http://sourceforge.net/projects/javaopenpgpcard/
- * Generic APDU sending GUI "http://sourceforge.net/projects/jsmartcard/":http://sourceforge.net/projects/jsmartcard/
- * NFC link for ACR122U "http://code.google.com/p/nfcip-java/":http://code.google.com/p/nfcip-java/
- * Serbian eID interface: "https://gitorious.org/freesteel/jfreesteel":https://gitorious.org/freesteel/jfreesteel
- * MOCCA - applet for digital signatures for several eID cards with direct APDU-s "http://mocca.egovlabs.gv.at/BKUOnline/":http://mocca.egovlabs.gv.at/BKUOnline/
-
-h3. Tips
-
- * On Mac OS X 10.6 and 10.7 run the JRE with _-d32_ to force it into 32bit mode, otherwise smart card events won't work or a crash happens:
- 
java(2885,0x104c77000) malloc: *** mmap(size=140454020517888) failed (error code=12)
+
+* Low level PC/SC bridge (replaces and obsoletes jPCSC) 
+* PKCS#15 support (OpenSC-Java)
+* [GPJ](https://sourceforge.net/projects/gpj/)
+* [scuba](https://scuba.sourceforge.net/)
+* [OpenCard Framework](https://www.openscdp.org/ocf/)
+* [Smart Card Shell](https://www.openscdp.org/scsh3/index.html)
+* [OpenPGP](https://sourceforge.net/projects/javaopenpgpcard/)
+* [Generic APDU sending GUI](https://sourceforge.net/projects/jsmartcard/)
+* [NFC link for ACR122U](https://code.google.com/archive/p/nfcip-java/)
+
+### Tips
+
+* On Mac OS X 10.6 and 10.7 run the JRE with _-d32_ to force it into 32bit mode, otherwise smart card events won't work or a crash happens:
+
+```sh
+java(2885,0x104c77000) malloc: *** mmap(size=140454020517888) failed (error code=12)
 *** error: can't allocate region
 *** set a breakpoint in malloc_error_break to debug
 Invalid memory access of location 0x0 rip=0x10c0d766e
 Segmentation fault: 11
-
- * Applets and out-of-browser windows: "http://my.opera.com/daniel/blog/2010/05/31/new-opera-with-ns4-javaplugin":http://my.opera.com/daniel/blog/2010/05/31/new-opera-with-ns4-javaplugin - * "card.disconnect()":http://docs.oracle.com/javase/6/docs/jre/api/security/smartcardio/spec/javax/smartcardio/Card.html#disconnect(boolean) has an "inverse logic bug":https://bugs.openjdk.java.net/show_bug.cgi?id=100151, _true_ leaves the card and _false_ resets the card. +``` + +* [card.disconnect()](https://docs.oracle.com/javase/6/docs/jre/api/security/smartcardio/spec/javax/smartcardio/Card.html#disconnect(boolean)) has an [inverse logic bug](https://bugs.openjdk.java.net/show_bug.cgi?id=100151), _true_ leaves the card and _false_ resets the card. -h2. JVM system properties (-D) +## JVM system properties (-D) - * pcsc-lite library location. If no PC/SC implementation is found by default (exception) path to the library location might be needed (on Debian for example) - * _sun.security.smartcardio.library_=_/usr/lib/libpcsclite.so_ - * Automatic GET RESPONSE issuing. Cards that behave in a certain way, might need to have the automatic GET RESPONSE issuing turned off (for example see "problem description":https://ridrix.wordpress.com/2009/07/12/design-error-in-javax-smartcardio/) - * _sun.security.smartcardio.t0GetResponse_=_false_ - * _sun.security.smartcardio.t1GetResponse_=_false_ +* pcsc-lite library location. If no PC/SC implementation is found by default (exception) path to the library location might be needed (on Debian for example) +* `sun.security.smartcardio.library` = `/usr/lib/libpcsclite.so` +* Automatic GET RESPONSE issuing. Cards that behave in a certain way, might need to have the automatic GET RESPONSE issuing turned off (for example see [problem description](https://ridrix.wordpress.com/2009/07/12/design-error-in-javax-smartcardio/) +* `sun.security.smartcardio.t0GetResponse` = `false` +* `sun.security.smartcardio.t1GetResponse` = `false` -h2. 
PKCS#15 in Java +## PKCS#15 in Java -Similar to the PKCS#15 generation/parsing software in OpenSC, but implemented in Java. Both use "Bouncy Castle":http://www.bouncycastle.org/java.html for actual ASN.1 encoding/decoding. Both use javax.smartcardio instead of the pcsc/openct/ctapi layer of OpenSC. - * in OpenSC-Java "https://www.opensc-project.org/opensc-java/browser/trunk/pkcs15":https://www.opensc-project.org/opensc-java/browser/trunk/pkcs15 - * In javacardsign "http://javacardsign.svn.sourceforge.net/viewvc/javacardsign/pkihostapi/src/net/sourceforge/javacardsign/iso7816_15/":http://javacardsign.svn.sourceforge.net/viewvc/javacardsign/pkihostapi/src/net/sourceforge/javacardsign/iso7816_15/ - * Alternative: use "Java ASN.1 compiler":http://sourceforge.net/projects/jac-asn1 instead. +Similar to the PKCS#15 generation/parsing software in OpenSC, but implemented in Java. Both use [Bouncy Castle](https://www.bouncycastle.org/java.html) for actual ASN.1 encoding/decoding. Both use javax.smartcardio instead of the pcsc/openct/ctapi layer of OpenSC. -h2. GlobalPlatform in Java +* in OpenSC-Java +* In javacardsign +* Alternative: use [Java ASN.1 compiler](https://sourceforge.net/projects/jac-asn1/) instead. + +## GlobalPlatform in Java GlobalPlatform deals with loading and managing JavaCard applets. There are currently two known implementations of GlobalPlatform specific functionality: - * GPJ (see above) uses javax.smartcardio and does not provide a GUI. Ideal for integrating purposes. - * jcManager "http://www.brokenmill.com/2010/03/java-secure-card-manager/":http://www.brokenmill.com/2010/03/java-secure-card-manager/ uses jPCSC (see above) and provides a rudimentary GUI. + +* GPJ (see above) uses javax.smartcardio and does not provide a GUI. Ideal for integrating purposes. +* jcManager uses jPCSC (see above) and provides a rudimentary GUI. diff --git a/Using-smart-cards-with-applications.md b/Using-smart-cards-with-applications.md index 70aa02a..fb237ac 100644 
--- a/Using-smart-cards-with-applications.md +++ b/Using-smart-cards-with-applications.md 
@@ -1,86 +1,78 @@ -h1. Using smart cards with applications +# Using smart cards with applications -This is an incomplete list of (mostly open source) end-user applications that are capable of working with smart cards initialized and/or supported by OpenSC, grouped by function. Software development libraries and helpers are listed on [[DeveloperInformation|Creating-applications-with-smart-card-support]] page. +This is an incomplete list of (mostly open source) **end-user applications** that are capable of working with smart cards initialized and/or supported by OpenSC, grouped by function. Software development libraries and helpers are listed on [DeveloperInformation](Creating-applications-with-smart-card-support) page. -h2. Connection authentication + encryption +## Connection authentication + encryption +### Web browsers / HTTPS -h3. Web browsers / HTTPS +* [Mozilla Firefox](https://www.mozilla.org/en-US/firefox/new/) - See [MozillaSteps](Installing-OpenSC-PKCS11-Module-in-Firefox,-Step-by-Step) for instructions +* [Safari](https://www.apple.com/safari/) (on Mac OS X) - requires [OpenSC Mac OS X installer] and works transparently - * "Mozilla Firefox":http://www.mozilla.com/en-US/firefox/firefox.html - See [[MozillaSteps|Installing-OpenSC-PKCS#11-Module-in-Firefox,-Step-by-Step]] for instructions - * "Safari":http://www.apple.com/safari/ (on Mac OS X) - requires [OpenSC Mac OS X installer] and works transparently +### SSH -h3. SSH +* See [SSH Secure Shell](SSH-Secure-Shell) for instructions on how to use OpenSSH or Putty - * See [[SSH Secure Shell]] for instructions on how to use OpenSSH or Putty +### VPN -h3. VPN +* [OpenConnect](https://www.infradead.org/openconnect/) (client for Cisco AnyConnect SSL VPN) supports PKCS#11 for client authentication. +* [OpenVPN](https://openvpn.net/) (SSL VPN) supports PKCS#11 for client authentication. 
[Documentation](https://openvpn.net/community-resources/how-to/#pkcs11) +* [strongSwan](https://www.strongswan.org/) (IPSec VPN) supports PKCS#11 modules for RSA keys so it can be used with OpenSC. [Documentation](https://docs.strongswan.org/docs/5.9/howtos/smartcards.html) and [installation instructions](https://docs.strongswan.org/docs/5.9/install/install.html). +* [Openswan](https://openswan.org/) 2.4.X includes code to link directly against libopensc, this has been deprecated with OpenSC versions from 0.12 onwards. - * "OpenConnect":http://www.infradead.org/openconnect/ (client for Cisco AnyConnect SSL VPN) supports PKCS#11 for client authentication. "HOWTO":http://www.gooze.eu/forums/support/howto-connect-to-cisco-anyconnect-vpn-using-openconnect-and-pki-token - * "OpenVPN":http://www.openvpn.net (SSL VPN) supports PKCS#11 for client authentication. "Documentation":http://openvpn.net/index.php/open-source/documentation/howto.html#pkcs11 - * "strongSwan":http://www.strongswan.org/ (IPSec VPN) supports PKCS#11 modules for RSA keys so it can be used with OpenSC. "Documentation":http://wiki.strongswan.org/projects/strongswan/wiki/SmartCards and "installation instructions":http://www.strongswan.org/docs/install.htm#chapter_3.3. StrongSwan has limitations in PKCS#11 slot ID length, see "this post":http://www.opensc-project.org/pipermail/opensc-devel/2010-April/013983.html on opensc-devel for more information. - * "Openswan":http://www.openswan.org/ 2.4.X includes code to link directly against libopensc, this has been deprecated with OpenSC versions from 0.12 onwards. "README.x509":http://www.openswan.org/docs/local/README.x509 has a chapter 8 about smart card support. Openswan 2.6.X seem to have PKCS#11 support but there is no visible documentation. +### Misc -h3. Misc +* [WiFi WPA authentication](Wireless-authentication) - * [[WiFi WPA authentication|Wireless-authentication]] +## Data signing + encryption -h2. 
Data signing + encryption +### E-mail / S/MIME +* [Thunderbird](https://www.thunderbird.net/en-US/) and derivates - see [MozillaSteps](Installing-OpenSC-PKCS11-Module-in-Firefox,-Step-by-Step) for instructions +* [Evolution](https://gitlab.gnome.org/GNOME/evolution/-/wikis/home) - see [Evolutio nSteps](Using-OpenSC-in-Evolution) for instructions -h3. E-mail / S/MIME +### Application specific document signing - * "Mozilla Thunderbird":http://www.mozillamessaging.com/en-US/thunderbird/ and derivates (like "Trustedbird":http://www.trustedbird.org/tb/Main_Page) - see [[MozillaSteps|Installing-OpenSC-PKCS#11-Module-in-Firefox,-Step-by-Step]] for instructions - * "Evolution":http://projects.gnome.org/evolution/index.shtml - see [[EvolutionSteps|Using-OpenSC-in-Evolution]] for instructions +* [OpenOffice](http://www.openoffice.org/) internal [digital signatures](https://wiki.openoffice.org/wiki/Digital_Signatures) +* Built-in support in OpenOffice.org +* [PDF](https://helpx.adobe.com/acrobat/kb/certificate-signatures.html) +* Sinadura - a multiplatform PDF signing application with PKCS#11 support. Mostly targeting Spanish speaking people. +* OpenSignature - a multiplatform PDF signing application with smart card support. Source code is available under GPL. Mostly targets Italian speaking people. +* jPdfSign - a commandline application written in Java which allows to add an invisible signature to PDF documents. The private key for signing the PDF document have to be stored in an password protected PKCS#12 file or in a PKCS#11 compatible hardware-tokens. +* Generic +* [Cryptonit](https://sourceforge.net/projects/cryptonit/) is a multiplatform open source (GPL) signing and (de)crypting software with PKCS#11 support that generates PKCS#7 containers. -h3. 
Application specific document signing +### Legally binding (non-repudiation) signature software - * "OpenOffice":http://www.openoffice.org/ internal "digital signatures":http://wiki.services.openoffice.org/wiki/Digital_Signatures - * Built-in support in OpenOffice.org "http://wiki.services.openoffice.org/wiki/How_to_use_digital_Signatures":http://wiki.services.openoffice.org/wiki/How_to_use_digital_Signatures - * "PDF":http://www.adobe.com/security/digsig.html - * "Sinadura":http://www.sinadura.net/inicio - a multiplatform PDF signing application with PKCS#11 support. Source code "available under GPL":http://floss.esle.eu/projects/sinadura/. Mostly targeting Spanish speaking people. - * "OpenSignature":http://opensignature.sourceforge.net/english.php - a multiplatform PDF signing application with smart card support. Source code is available under GPL. Mostly targets Italian speaking people. - * "jPdfSign":http://private.sit.fraunhofer.de/~stotz/software/jpdfsign - a commandline application written in Java which allows to add an invisible signature to PDF documents. The private key for signing the PDF document have to be stored in an password protected PKCS#12 file or in a PKCS#11 compatible hardware-tokens. - * Generic - * "Cryptonit":http://sourceforge.net/projects/cryptonit/ is a multiplatform open source (GPL) signing and (de)crypting software with PKCS#11 support that generates PKCS#7 containers. - -h3. Legally binding (non-repudiation) signature software - - * DigiDocClient3 (also known as qdigidoc) implements DigiDoc/BDOC format (a "XAdES":http://uri.etsi.org/01903/v1.1.1/ profile) and available as LGPL "source":https://id.eesti.ee/idtrac/browser/qdigidoc or [ftp://ftp.id.eesti.ee/pub/id/macosx/ multiplatform binary] from "https://id.eesti.ee/idtrac/wiki/ArendajaSissejuhatus.":https://id.eesti.ee/idtrac/wiki/ArendajaSissejuhatus. This obsoletes gdigidoc. 
- * DigiDoc is the official legally binding signature format used in Estonia (and Latvia and Lithuania) See "http://wpki.eu":http://wpki.eu for more information +* DigiDocClient3 (also known as qdigidoc) implements DigiDoc/BDOC format (a [XAdES](https://uri.etsi.org/01903/v1.1.1/) profile). This obsoletes gdigidoc. + * DigiDoc is the official legally binding signature format used in Estonia (and Latvia and Lithuania). * Companion utility, DigiDoc3Crypto provides encryption functionality. - * "j4sign (freesign)":http://j4sign.sourceforge.net/ is a multiplatform open source legal signature software with PKCS#11 support. Currently in Italian. +* [j4sign (freesign)](https://j4sign.sourceforge.io/) is a multiplatform open source legal signature software with PKCS#11 support. Currently in Italian. -h2. Local authentication / login +## Local authentication / login - * Linux/"PAM":http://www.kernel.org/pub/linux/libs/pam/ - * "pam_pkcs11":https://github.com/OpenSC/pam_pkcs11/wiki - feature-ritch PAM module, supporting LDAP, OCSP, X509 checks. - * "Tutorial on pam_pkcs11 and pam_krb5":https://blog.ryandlane.com/2008/10/21/seamless-smartcard-login-with-pam_pkcs11-and-pam_krb5-against-an-active-directory-domain-using-red-hat-enterprise-linux-5-part-1/ - * [[pam_p11|pam_p11-simple-RSA-authentication-with-PKCS#11-modules]] - a simple PAM module for RSA public key authentication. - * Mac OS X - * Possible, but complicated and fragile. Documentation available for "10.4":http://www.opensc-project.org/sca/wiki/LogonAuthenticate and [10.5+] +* Linux/[PAM](https://mirrors.edge.kernel.org/pub/linux/libs/pam/) + * [pam_pkcs11](https://github.com/OpenSC/pam_pkcs11) - feature-ritch PAM module, supporting LDAP, OCSP, X509 checks. -h2. Disk encryption +## Disk encryption - * "TrueCrypt":http://www.truecrypt.org/ can use PKCS#11 tokens as keyfile stores. NB! TrueCrypt does not use asymmetric keys generated on the card but stores symmetric keys as data files in the token! 
This requires write access to the token and keyfiles are extracted in plaintext on every use. - * "Linux disk encryption":http://wiki.tuxonice.net/EncryptedSwapAndRoot +* [TrueCrypt](https://truecrypt.sourceforge.net/) can use PKCS#11 tokens as keyfile stores. NB! TrueCrypt does not use asymmetric keys generated on the card but stores symmetric keys as data files in the token! This requires write access to the token and keyfiles are extracted in plaintext on every use. -h2. Miscellaneous applications +## Miscellaneous applications - * "GnuPG":http://www.gnupg.org/ can be configured to work with whatever smart card that provides a PKCS#11 library. See "gnupg-pkcs11":http://sites.google.com/site/alonbarlev/gnupg-pkcs11 for more information. Be aware - configuring and using this solution is not trivial. - * [[HBCI Home banking|HBCI-homebanking]] +* [GnuPG](https://www.gnupg.org/) can be configured to work with whatever smart card that provides a PKCS#11 library. See gnupg-pkcs11 for more information. Be aware - configuring and using this solution is not trivial. -h2. PKI/CA +## PKI/CA - * "EJBCA":http://ejbca.org is a complete open source J2EE implementation of CA and RA software. It supports PKCS#11 for CA key storage. Compatibility with issuing OpenSC created smart cards for end users has been tested. Using OpenSC cards to store CA keys are yet to be tested. - * "OpenCA":http://www.openca.org/openca/ is an open source CA offering PKI services. It includes code to use the command line tools of OpenSC in a scripted way, no PKCS#11 support. - * "XCA":http://xca.hohnstaedt.de/ is an open source CA GUI using OpenSSL and QT4. It supports PKCS#11 to manage and use keys and certificates on smart cards. - * "step-ca":https://smallstep.com/docs/step-ca is an open-source, online CA written in Go. It supports PKCS#11 for certificate signing operations on HSMs. +* [EJBCA](https://www.ejbca.org/) is a complete open source J2EE implementation of CA and RA software. 
It supports PKCS#11 for CA key storage. Compatibility with issuing OpenSC created smart cards for end users has been tested. Using OpenSC cards to store CA keys are yet to be tested. +* OpenCA is an open source CA offering PKI services. It includes code to use the command line tools of OpenSC in a scripted way, no PKCS#11 support. +* XCA is an open source CA GUI using OpenSSL and QT4. It supports PKCS#11 to manage and use keys and certificates on smart cards. +* [step-ca](https://smallstep.com/docs/step-ca/index.html) is an open-source, online CA written in Go. It supports PKCS#11 for certificate signing operations on HSMs. -h2. Work in progress +## Work in progress The following projects are working on adding PKCS#11 support into their software. People who feel comfortable working with source code can check out the latest snapshots. -h3. CA +### CA - * "gnoMint":http://gnomint.sourceforge.net is an X.509 Certification Authority management tool. Currently, it has two different interfaces: one for GTK/Gnome environments, and another one for command-line. Windows port soon (patch submitted). Import/Export to pkcs12 format. Will soon include some OpenSC support. +* [gnoMint](https://sourceforge.net/projects/gnomint/) is an X.509 Certification Authority management tool. Currently, it has two different interfaces: one for GTK/Gnome environments, and another one for command-line. Windows port soon (patch submitted). Import/Export to pkcs12 format. Will soon include some OpenSC support. diff --git a/_Footer.md b/_Footer.md index 4f64fc9..8786610 100644 --- a/_Footer.md +++ b/_Footer.md 
@@ -1,2 +1,2 @@ -**Warning**: Due to attempts to plant malicious links to our wiki, it is no longer open to anyone to edit. If -you want to contribute to this, wiki, please open a pull request here: https://github.com/OpenSC/Wiki +**Warning**: Due to attempts to plant malicious links to our wiki, it is no longer open to anyone to edit. +If you want to contribute to this, wiki, please open a pull request here: .
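Review bot: in the Using-smart-cards-with-Java-SE.md hunk, moving jPCSC into the JNI wrappers list drops the sentence that qualified it (`Access to PC/SC for Java versions before 1.6. Should not be used for new applications, use Java 1.6 and javax.smartcardio instead`), so the page now presents jPCSC as a current PKCS#11 wrapper; keep that caveat on the jPCSC bullet. The new `* Low level PC/SC bridge (replaces and obsoletes jPCSC) ` line carries trailing whitespace, which the rest of this PR is stripping and which markdownlint flags. The Serbian eID (jfreesteel) and MOCCA entries, the `Sun PKCS#11 in 1.5+` guide link, the OpenSC-Java and javacardsign PKCS#15 links and the jcManager link are removed without mention in the commit message; and the malloc crash output is fenced as `sh` although it is program output rather than shell input, so `text` would be the accurate fence tag.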
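Review bot: in the Using-smart-cards-with-applications.md hunk, the Evolution bullet introduces a broken link text `[Evolutio nSteps](Using-OpenSC-in-Evolution)`; it should read `[EvolutionSteps](Using-OpenSC-in-Evolution)`. The hunk also removes whole entries that point at other wiki pages rather than at dead external sites: `pam_p11` (`pam_p11-simple-RSA-authentication-with-PKCS#11-modules`), `HBCI Home banking` (`HBCI-homebanking`), the Mac OS X login sub-list and the `Linux disk encryption` entry; those look unrelated to a link cleanup and should either be kept or be called out in the commit message. Flattening `Built-in support in OpenOffice.org` and `Cryptonit` from sub-items to top-level bullets leaves `* Generic` as an empty heading-like bullet, and `feature-ritch` in the pam_pkcs11 bullet is copied over uncorrected (`feature-rich`).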
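Review bot: the rewrapped _Footer.md line loses its URL: `please open a pull request here: .` now ends in a bare period where `https://github.com/OpenSC/Wiki` stood before. Restore the link on the new line, and drop the stray comma in `this, wiki` while the line is being edited.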