'\" t
.\" Title: dtrust-tool
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets vsnapshot
.\" Date: 03/31/2026
.\" Manual: OpenSC Tools
.\" Source: opensc
.\" Language: English
.\"
.TH "DTRUST\-TOOL" "1" "03/31/2026" "opensc" "OpenSC Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dtrust-tool \- displays information about D\-Trust signature cards and removes the transport protection
.SH "SYNOPSIS"
.HP \w'\fBdtrust\-tool\fR\ 'u
\fBdtrust\-tool\fR [\fIOPTIONS\fR]
.SH "DESCRIPTION"
.PP
The
\fBdtrust\-tool\fR
utility is used to display information about D\-Trust signature cards and to remove the initial transport protection\&.
.SH "OPTIONS"
.PP
\fB\-\-reader\fR \fIarg\fR, \fB\-r\fR \fIarg\fR
.RS 4
Number of the reader to use\&. By default, the first reader with a present card is used\&. If
\fIarg\fR
is an ATR, the reader with a matching card will be chosen\&.
.RE
.PP
\fB\-\-wait\fR, \fB\-w\fR
.RS 4
Causes
\fBdtrust\-tool\fR
to wait for the token to be inserted into the reader\&.
.RE
.PP
\fB\-\-verify\-can\fR
.RS 4
D\-Trust Card 5 comes with a Card Access Number (CAN) printed onto the card\&. The purpose of this number is to establish a secure communication channel between the card and the card reader\&. In normal operation
\fBdtrust\-tool\fR
automatically prompts for the CAN when necessary\&. Under certain circumstances
dtrust\-tool
cannot decide whether the CAN is necessary\&.
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
You may call
dtrust\-tool
with just this option to force a CAN verification, which saves the CAN into the cache if it proves correct\&. Once the CAN has been saved into the cache, you do not need to enter the CAN of this card again\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
If you enter the transport PIN incorrectly two times, the transport PIN is suspended\&. You need this parameter together with
\fB\-\-unlock\-transport\-protection\fR
to resume the suspended transport PIN for a last attempt\&. If this last attempt also fails, the transport PIN is blocked\&. You then need to unblock the transport PIN with
\fB\-\-unblock\-pin\fR\&.
.RE
.RE
.PP
\fB\-\-enter\-can\fR
.RS 4
There are several ways to provide a CAN\&. See the
dtrust
section in the
opensc\&.conf
manpage for details\&. With this parameter
\fBdtrust\-tool\fR
will prompt interactively for a CAN, bypassing all other sources\&. This is useful if you:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
enter the CAN for the first time and want it to be saved in the CAN cache
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
want to bypass the pin pad of the card reader\&. Bypassing the pin pad will save the CAN into the cache as well\&.
.RE
.sp
Once the CAN is cached, you do not need this parameter anymore\&.
.RE
.PP
\fB\-\-pin\-status\fR, \fB\-s\fR
.RS 4
Show the status of the various PINs\&. The Card Holder PIN is used for advanced signatures and decryption\&. It is only defined for signature cards, but not for sealing cards\&. The signature PIN is used for qualified signatures\&. It can only be used if it is unlocked by presenting the Transport PIN\&. Once the Transport PIN is used, it cannot be used again\&. The PUK is used to unlock a PIN that has been entered incorrectly several times\&.
.RE
.PP
\fB\-\-check\-transport\-protection\fR, \fB\-c\fR
.RS 4
In the delivery state the card is locked by a so\-called transport protection\&. This option checks whether the transport protection is still in force\&. The Signature PIN can only be used if the transport protection has been removed\&.
.sp
Initially the transport protection should be intact\&. If you receive a new card and the transport protection was already broken, don\*(Aqt use that card and contact the producer for further advice\&.
.sp
If you removed the transport protection, it is normal that
\fBdtrust\-tool\fR
reports the transport protection as broken\&. This is the normal operation state\&. It does not mean your card is broken\&.
.RE
.PP
\fB\-\-unlock\-transport\-protection\fR, \fB\-u\fR
.RS 4
This command removes the transport protection\&. It first prompts for the Transport PIN and then twice for the new value of the Signature PIN\&.
.RE
.PP
\fB\-\-change\-pin\fR
.RS 4
Change the specified PIN\&. The following PINs can be changed:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
For D\-Trust Card 4: PIN\&.CH, PIN\&.QES, PUK\&.CH
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
For D\-Trust Card 5: PIN\&.QES, PIN\&.AUT, PUK\&.CH
.RE
.sp
It is not recommended to change the PUK\&.
.sp
To change a PIN, you first have to enter the old PIN and then the new PIN value two times\&.
.RE
.PP
\fB\-\-change\-verify\fR
.RS 4
This option specifies the PIN to verify for changing the PIN specified with the
\fB\-\-change\-pin\fR
command\&. The only useful application of this option is to reset the cardholder PIN (PIN\&.CH) of D\-Trust 4\&.1 cards by providing the cardholder PUK (PUK\&.CH)\&. In all other cases, a PIN may only be changed by providing its current value\&.
.RE
.PP
\fB\-\-resume\-pin\fR
.RS 4
Resume a suspended PIN\&. This matters only for the PUK (PUK\&.CH) of D\-Trust 5 cards\&. After two unsuccessful attempts to verify the PUK, the PUK is suspended\&. To resume the suspended PUK you first have to input the CAN and then the value of the suspended PUK\&. If you enter the wrong PUK again, the PUK is finally blocked and cannot be recovered\&.
.sp
To resume a suspended transport PIN use
\fB\-\-unlock\-transport\-protection\fR
together with
\fB\-\-can\fR\&.
.RE
.PP
\fB\-\-unblock\-pin\fR
.RS 4
Reset the retry counter of a PIN to its default value\&. To unblock a PIN, you first have to provide the PUK\&. The following PINs can be unblocked:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
For D\-Trust Card 4: PIN\&.T, PIN\&.CH, PIN\&.QES
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
For D\-Trust Card 5: PIN\&.T, PIN\&.T\&.AUT, PIN\&.QES, PIN\&.AUT
.RE
.sp
It is impossible to unblock a blocked PUK\&.
.sp
Please keep in mind that the PUK may only be used a limited number of times (48 times for D\-Trust Card 4 and 5)\&.
.RE
.PP
\fB\-\-help\fR, \fB\-h\fR
.RS 4
Print help message on screen\&.
.RE
.PP
\fB\-\-verbose\fR, \fB\-v\fR
.RS 4
Causes
\fBdtrust\-tool\fR
to be more verbose\&. Specify this flag several times to enable debug output in the opensc library\&.
.RE
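.SH "EXAMPLES"
.PP
The suspend, resume, block and unblock rules described under \fB\-\-verify\-can\fR, \fB\-\-resume\-pin\fR and \fB\-\-unblock\-pin\fR can be read as a small state machine; the Python model below is an added illustration, not code from OpenSC or the card, and it does not talk to a reader\&. The class names and sample PIN values are constructed, and the comments mark two assumptions: a suspended secret refuses a try made without CAN verification, and only successful PUK uses count against the limit of 48\&. The model also applies the PUK suspension rule, which this page states for D\-Trust 5 cards, to every secret\&.
.nf

```python
from enum import Enum

PUK_USES = 48              # usage limit stated for D-Trust Card 4 and 5
TRIES_BEFORE_SUSPEND = 2   # two wrong entries suspend the secret

class State(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"  # one attempt left, only after CAN verification
    BLOCKED = "blocked"

class Secret:
    """A PIN or PUK with the suspend/block behaviour described above."""
    def __init__(self, value):
        self._value, self.wrong, self.state = value, 0, State.ACTIVE

    def verify(self, value, can_verified=False):
        if self.state is State.BLOCKED:
            return False
        if self.state is State.SUSPENDED and not can_verified:
            return False  # assumption: refused without using the last attempt
        if value == self._value:
            self.wrong, self.state = 0, State.ACTIVE
            return True
        if self.state is State.SUSPENDED:
            self.state = State.BLOCKED       # the last attempt failed
        else:
            self.wrong += 1
            if self.wrong >= TRIES_BEFORE_SUSPEND:
                self.state = State.SUSPENDED
        return False

class Card:
    def __init__(self, transport_pin, puk):
        self.pin_t, self.puk = Secret(transport_pin), Secret(puk)
        self.puk_uses_left = PUK_USES

    def unblock(self, pin, puk_value, can_verified=False):
        """Model of --unblock-pin; a blocked PUK cannot be unblocked."""
        if pin is self.puk or self.puk_uses_left == 0:
            return False
        if not self.puk.verify(puk_value, can_verified):
            return False
        self.puk_uses_left -= 1   # assumption: only successful uses count
        pin.wrong, pin.state = 0, State.ACTIVE
        return True

def demo():
    """Constructed values: wrong transport PIN four times, then PUK unblock."""
    card, seen = Card("12345", "87654321"), []
    for can in (False, False, False, True):  # the third try lacks the CAN
        card.pin_t.verify("00000", can_verified=can)
        seen.append(card.pin_t.state.value)
    card.unblock(card.pin_t, "87654321")
    seen.append(card.pin_t.state.value)
    return seen, card.puk_uses_left
```

.fi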
.SH "SEE ALSO"
.PP
\fBopensc.conf\fR(5)
.SH "AUTHORS"
.PP
\fBdtrust\-tool\fR
was written by Mario Haustein\&.