'\" t
.\"     Title: npa-tool
.\"    Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets vsnapshot
.\"      Date: 04/05/2024
.\"    Manual: OpenSC Tools
.\"    Source: opensc
.\"  Language: English
.\"
.TH "NPA\-TOOL" "1" "04/05/2024" "opensc" "OpenSC Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
npa-tool \- displays information on the German eID card (neuer Personalausweis, nPA)\&.
.SH "SYNOPSIS"
.HP \w'\fBnpa\-tool\fR\ 'u
\fBnpa\-tool\fR [\fIOPTIONS\fR]
.SH "DESCRIPTION"
.PP
The
\fBnpa\-tool\fR
utility is used to display information stored on the German eID card (neuer Personalausweis, nPA), and to perform some write and verification operations\&.
.PP
Extended Access Control version 2 is performed according to ICAO Doc 9303 or BSI TR\-03110 so that other identity cards and machine readable travel documents (MRTDs) may be read as well\&.
.SH "OPTIONS"
.PP
\fB\-\-help\fR, \fB\-h\fR
.RS 4
Print help and exit\&.
.RE
.PP
\fB\-\-version\fR, \fB\-V\fR
.RS 4
Print version and exit\&.
.RE
.PP
\fB\-\-reader\fR \fIarg\fR, \fB\-r\fR \fIarg\fR
.RS 4
Number of the reader to use\&.
By default, the first reader with a present card is used\&. If
\fIarg\fR
is an ATR, the reader with a matching card will be chosen\&.
.RE
.PP
\fB\-\-verbose\fR, \fB\-v\fR
.RS 4
Causes
\fBnpa\-tool\fR
to be more verbose\&. Specify this flag several times to be more verbose\&.
.RE
.SS "Password Authenticated Connection Establishment (PACE)"
.PP
\fB\-\-pin\fR [\fISTRING\fR], \fB\-p\fR [\fISTRING\fR]
.RS 4
Run PACE with (transport) eID\-PIN\&.
.RE
.PP
\fB\-\-puk\fR [\fISTRING\fR], \fB\-u\fR [\fISTRING\fR]
.RS 4
Run PACE with PUK\&.
.RE
.PP
\fB\-\-can\fR [\fISTRING\fR], \fB\-c\fR [\fISTRING\fR]
.RS 4
Run PACE with Card Access Number (CAN)\&.
.RE
.PP
\fB\-\-mrz\fR [\fISTRING\fR], \fB\-m\fR [\fISTRING\fR]
.RS 4
Run PACE with Machine Readable Zone (MRZ)\&. Enter the MRZ without newlines\&.
.RE
.PP
\fB\-\-env\fR
.RS 4
Specify whether to use environment variables
\fBPIN\fR, \fBPUK\fR, \fBCAN\fR, \fBMRZ\fR, and \fBNEWPIN\fR\&. You may want to clean your environment before enabling this\&. (default=off)
.RE
.SS "PIN management"
.PP
\fB\-\-new\-pin\fR [\fISTRING\fR], \fB\-N\fR [\fISTRING\fR]
.RS 4
Install a new PIN\&.
.RE
.PP
\fB\-\-resume\fR, \fB\-R\fR
.RS 4
Resume eID\-PIN (uses CAN to activate last retry)\&. (default=off)
.RE
.PP
\fB\-\-unblock\fR, \fB\-U\fR
.RS 4
Unblock PIN (uses PUK to activate three more retries)\&. (default=off)
.RE
.SS "Terminal Authentication (TA) and Chip Authentication (CA)"
.PP
\fB\-\-cv\-certificate\fR \fIFILENAME\fR, \fB\-C\fR \fIFILENAME\fR
.RS 4
Specify Card Verifiable (CV) certificate to create a certificate chain\&. The option can be given multiple times, in which case the order is important\&.
.RE
.PP
\fB\-\-cert\-desc\fR \fIHEX_STRING\fR
.RS 4
Certificate description to show for Terminal Authentication\&.
.RE
.PP
\fB\-\-chat\fR \fIHEX_STRING\fR
.RS 4
Specify the Card Holder Authorization Template (CHAT) to use\&. If not given, it defaults to the terminal\*(Aqs CHAT\&.
Use 7F4C0E060904007F000703010203530103 to trigger EAC on the CAT\-C (Komfortleser)\&.
.RE
.PP
\fB\-\-auxiliary\-data\fR \fIHEX_STRING\fR, \fB\-A\fR \fIHEX_STRING\fR
.RS 4
Specify the terminal\*(Aqs auxiliary data\&. If not given, the default is determined by verification of validity, age and community ID\&.
.RE
.PP
\fB\-\-private\-key\fR \fIFILENAME\fR, \fB\-P\fR \fIFILENAME\fR
.RS 4
Specify the terminal\*(Aqs private key\&.
.RE
.PP
\fB\-\-cvc\-dir\fR \fIDIRECTORY\fR
.RS 4
Specify where to look for the certificate of the Country Verifying Certification Authority (CVCA)\&. If not given, it defaults to /home/fm/\&.local/etc/eac/cvc\&.
.RE
.PP
\fB\-\-x509\-dir\fR \fIDIRECTORY\fR
.RS 4
Specify where to look for the X\&.509 certificate\&. If not given, it defaults to /home/fm/\&.local/etc/eac/x509\&.
.RE
.PP
\fB\-\-disable\-ta\-checks\fR
.RS 4
Disable checking the validity period of CV certificates\&. (default=off)
.RE
.PP
\fB\-\-disable\-ca\-checks\fR
.RS 4
Disable passive authentication\&. (default=off)
.RE
.SS "Read and write data groups"
.PP
\fB\-\-read\-dg1\fR
.RS 4
Read data group 1: Document Type\&.
.RE
.PP
\fB\-\-read\-dg2\fR
.RS 4
Read data group 2: Issuing State\&.
.RE
.PP
\fB\-\-read\-dg3\fR
.RS 4
Read data group 3: Date of Expiry\&.
.RE
.PP
\fB\-\-read\-dg4\fR
.RS 4
Read data group 4: Given Name(s)\&.
.RE
.PP
\fB\-\-read\-dg5\fR
.RS 4
Read data group 5: Family Name\&.
.RE
.PP
\fB\-\-read\-dg6\fR
.RS 4
Read data group 6: Religious/Artistic Name\&.
.RE
.PP
\fB\-\-read\-dg7\fR
.RS 4
Read data group 7: Academic Title\&.
.RE
.PP
\fB\-\-read\-dg8\fR
.RS 4
Read data group 8: Date of Birth\&.
.RE
.PP
\fB\-\-read\-dg9\fR
.RS 4
Read data group 9: Place of Birth\&.
.RE
.PP
\fB\-\-read\-dg10\fR
.RS 4
Read data group 10: Nationality\&.
.RE
.PP
\fB\-\-read\-dg11\fR
.RS 4
Read data group 11: Sex\&.
.RE
.PP
\fB\-\-read\-dg12\fR
.RS 4
Read data group 12: Optional Data\&.
.RE
.PP
\fB\-\-read\-dg13\fR
.RS 4
Read data group 13: Birth Name\&.
.RE
.PP
\fB\-\-read\-dg14\fR
.RS 4
Read data group 14\&.
.RE
.PP
\fB\-\-read\-dg15\fR
.RS 4
Read data group 15\&.
.RE
.PP
\fB\-\-read\-dg16\fR
.RS 4
Read data group 16\&.
.RE
.PP
\fB\-\-read\-dg17\fR
.RS 4
Read data group 17: Normal Place of Residence\&.
.RE
.PP
\fB\-\-read\-dg18\fR
.RS 4
Read data group 18: Community ID\&.
.RE
.PP
\fB\-\-read\-dg19\fR
.RS 4
Read data group 19: Residence Permit I\&.
.RE
.PP
\fB\-\-read\-dg20\fR
.RS 4
Read data group 20: Residence Permit II\&.
.RE
.PP
\fB\-\-read\-dg21\fR
.RS 4
Read data group 21: Optional Data\&.
.RE
.PP
\fB\-\-write\-dg17\fR \fIHEX_STRING\fR
.RS 4
Write data group 17: Normal Place of Residence\&.
.RE
.PP
\fB\-\-write\-dg18\fR \fIHEX_STRING\fR
.RS 4
Write data group 18: Community ID\&.
.RE
.PP
\fB\-\-write\-dg19\fR \fIHEX_STRING\fR
.RS 4
Write data group 19: Residence Permit I\&.
.RE
.PP
\fB\-\-write\-dg20\fR \fIHEX_STRING\fR
.RS 4
Write data group 20: Residence Permit II\&.
.RE
.PP
\fB\-\-write\-dg21\fR \fIHEX_STRING\fR
.RS 4
Write data group 21: Optional Data\&.
.RE
.SS "Verification of validity, age and community ID"
.PP
\fB\-\-verify\-validity\fR \fIYYYYMMDD\fR
.RS 4
Verify chip\*(Aqs validity with a reference date\&.
.RE
.PP
\fB\-\-older\-than\fR \fIYYYYMMDD\fR
.RS 4
Verify age with a reference date\&.
.RE
.PP
\fB\-\-verify\-community\fR \fIHEX_STRING\fR
.RS 4
Verify community ID with a reference ID\&.
.RE
.SS "Special options, not always useful"
.PP
\fB\-\-break\fR, \fB\-b\fR
.RS 4
Brute force PIN, CAN or PUK\&. Use together with options
\fB\-p\fR, \fB\-a\fR, or \fB\-u\fR\&. (default=off)
.RE
.PP
\fB\-\-translate\fR \fIFILENAME\fR, \fB\-t\fR \fIFILENAME\fR
.RS 4
Specify the file with APDUs of HEX_STRINGs to send through the secure channel\&. (default=`stdin\*(Aq)
.RE
.PP
\fB\-\-tr\-03110v201\fR
.RS 4
Force compliance to BSI TR\-03110 version 2\&.01\&. (default=off)
.RE
.PP
\fB\-\-disable\-all\-checks\fR
.RS 4
Disable all checking of fly\-by\-data\&.
(default=off)
.RE
.SH "AUTHORS"
.PP
\fBnpa\-tool\fR
was written by Frank Morgner \&.
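.PP
The CHAT passed with \fB\-\-chat\fR decides which data groups and special functions (age verification, community ID verification, PIN management) the terminal asks the card for, so it is worth decoding before use\&. The following Python decoder is an added example and is not part of OpenSC or npa\-tool\&. It parses the TLV layout BSI TR\-03110 Part 3 defines for a CHAT (tag 7F4C wrapping an OID and a discretionary-data block), decodes the CHAT value quoted above for the CAT\-C, and also decodes a constructed Authentication Terminal CHAT\&. The OID and bit assignments are this example\*(Aqs reading of TR\-03110 Part 3, not something the man page states\&.

```python
"""Decode a Card Holder Authorization Template (CHAT) like the hex string given
to npa-tool --chat.

Added example, not part of OpenSC or npa-tool.  BER/TLV layout per
BSI TR-03110 Part 3 (this example's reading of the specification):

    7F4C len
      06 len  object identifier naming the terminal type
      53 len  discretionary data: role bits plus requested access rights
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Terminal-type OIDs (id-roles = bsi-de 3 1 2), as this example reads TR-03110.
TERMINAL_TYPES = {
    "0.4.0.127.0.7.3.1.2.1": "Inspection System (id-IS)",
    "0.4.0.127.0.7.3.1.2.2": "Authentication Terminal (id-AT)",
    "0.4.0.127.0.7.3.1.2.3": "Signature Terminal (id-ST)",
}

# The top two bits of the discretionary data encode the holder's role.
ROLES = {0b11: "CVCA", 0b10: "DV (official domestic)",
         0b01: "DV (non-official/foreign)", 0b00: "Terminal"}

# Signature Terminal: one byte of rights (bits 5..2 are RFU).
ST_RIGHTS = {1: "Generate electronic signature",
             0: "Generate qualified electronic signature"}

# Authentication Terminal: five bytes of rights, bit 0 = LSB of the last byte.
AT_RIGHTS = {0: "Age Verification", 1: "Community ID Verification",
             2: "Restricted Identification", 3: "Privileged Terminal",
             4: "CAN allowed", 5: "PIN Management",
             6: "Install Certificate", 7: "Install Qualified Certificate"}
AT_RIGHTS.update({8 + i: f"Read DG{i + 1}" for i in range(21)})    # bits 8..28
AT_RIGHTS.update({33 + i: f"Write DG{21 - i}" for i in range(5)})  # bits 33..37

SAMPLE_CHAT = "7F4C0E060904007F000703010203530103"          # value from the man page
# Constructed AT CHAT: age + community ID verification and read access to DG1.
AT_CHAT = "7F4C12060904007F00070301020253050000000103"


def read_tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:                 # multi-byte tag such as 7F4C
        while True:
            tag = (tag << 8) | buf[pos]
            pos += 1
            if buf[pos - 1] & 0x80 == 0:
                break
    length = buf[pos]
    pos += 1
    if length & 0x80:                      # long form: 0x8n then n length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV")
    return tag, value, pos + length


def decode_oid(raw: bytes) -> str:
    """Decode a BER object identifier value into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:                      # base-128, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if b & 0x80 == 0:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


@dataclass
class Chat:
    oid: str
    terminal_type: str
    role: str
    rights: list[str] = field(default_factory=list)


def decode_chat(hex_string: str) -> Chat:
    """Parse a CHAT hex string into its terminal type, role and rights."""
    buf = bytes.fromhex(hex_string)
    tag, body, end = read_tlv(buf)
    if tag != 0x7F4C or end != len(buf):
        raise ValueError("not a single CHAT (tag 7F4C)")
    oid_tag, oid_raw, pos = read_tlv(body)
    dd_tag, dd, pos = read_tlv(body, pos)
    if oid_tag != 0x06 or dd_tag != 0x53 or pos != len(body):
        raise ValueError("unexpected CHAT structure")
    oid = decode_oid(oid_raw)
    bits = int.from_bytes(dd, "big")
    nbits = 8 * len(dd)
    role = ROLES[bits >> (nbits - 2)]
    names = ST_RIGHTS if oid.endswith(".2.3") else AT_RIGHTS if oid.endswith(".2.2") else {}
    rights = [names.get(i, f"bit {i}") for i in range(nbits - 2) if bits >> i & 1]
    return Chat(oid, TERMINAL_TYPES.get(oid, "unknown"), role, rights)


if __name__ == "__main__":
    for label, value in (("man page CAT-C CHAT", SAMPLE_CHAT), ("constructed AT CHAT", AT_CHAT)):
        print(label, decode_chat(value))
```

Run it before handing a CHAT to \fB\-\-chat\fR: the printed rights list is the set of data groups and functions the card will be asked to authorize, which should match what the CV certificate chain given with \fB\-\-cv\-certificate\fR actually permits\&.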