--help, -h
Print help and exit.
--version, -V
Print version and exit.
--reader arg, -r arg
Number of the reader to use. By default, the first reader
with a present card is used. If arg is an ATR, the reader with a
matching card will be chosen.
--verbose, -v
Causes npa-tool to be more verbose. Specify this
flag several times to be more verbose.
--pin [STRING], -p [STRING]
Run PACE with (transport) eID-PIN.
--puk [STRING], -u [STRING]
Run PACE with PUK.
--can [STRING], -c [STRING]
Run PACE with Card Access Number (CAN).
--mrz [STRING], -m [STRING]
Run PACE with Machine Readable Zone (MRZ). Enter the MRZ
without newlines.
--env
Specify whether to use environment variables PIN,
PUK, CAN, MRZ, and NEWPIN. You may want to clean
your environment before enabling this. (default=off)
--new-pin [STRING], -N [STRING]
Install a new PIN.
--resume, -R
Resume eID-PIN (uses CAN to activate last retry).
(default=off)
--unblock, -U
Unblock PIN (uses PUK to activate three more retries).
(default=off)
--cv-certificate FILENAME, -C
FILENAME
Specify Card Verifiable (CV) certificate to create a
certificate chain. The option can be given multiple times, in which case the
order is important.
--cert-desc HEX_STRING
Certificate description to show for Terminal
Authentication.
--chat HEX_STRING
Specify the Card Holder Authorization Template (CHAT) to
use. If not given, it defaults to the terminal's CHAT. Use
7F4C0E060904007F000703010203530103 to trigger EAC on the CAT-C
(Komfortleser).
--auxiliary-data HEX_STRING, -A
HEX_STRING
Specify the terminal's auxiliary data. If not given, the
default is determined by verification of validity, age and community ID.
--private-key FILENAME, -P
FILENAME
Specify the terminal's private key.
--cvc-dir DIRECTORY
Specify where to look for the certificate of the Country
Verifying Certification Authority (CVCA). If not given, it defaults to
/home/fm/.local/etc/eac/cvc.
--x509-dir DIRECTORY
Specify where to look for the X.509 certificate. If not
given, it defaults to /home/fm/.local/etc/eac/x509.
--disable-ta-checks
Disable checking the validity period of CV certificates.
(default=off)
--disable-ca-checks
Disable passive authentication. (default=off)
--read-dg1
Read data group 1: Document Type.
--read-dg2
Read data group 2: Issuing State.
--read-dg3
Read data group 3: Date of Expiry.
--read-dg4
Read data group 4: Given Name(s).
--read-dg5
Read data group 5: Family Name.
--read-dg6
Read data group 6: Religious/Artistic Name.
--read-dg7
Read data group 7: Academic Title.
--read-dg8
Read data group 8: Date of Birth.
--read-dg9
Read data group 9: Place of Birth.
--read-dg10
Read data group 10: Nationality.
--read-dg11
Read data group 11: Sex.
--read-dg12
Read data group 12: Optional Data.
--read-dg13
Read data group 13: Birth Name.
--read-dg14
Read data group 14.
--read-dg15
Read data group 15.
--read-dg16
Read data group 16.
--read-dg17
Read data group 17: Normal Place of Residence.
--read-dg18
Read data group 18: Community ID.
--read-dg19
Read data group 19: Residence Permit I.
--read-dg20
Read data group 20: Residence Permit II.
--read-dg21
Read data group 21: Optional Data.
--write-dg17 HEX_STRING
Write data group 17: Normal Place of Residence.
--write-dg18 HEX_STRING
Write data group 18: Community ID.
--write-dg19 HEX_STRING
Write data group 19: Residence Permit I.
--write-dg20 HEX_STRING
Write data group 20: Residence Permit II.
--write-dg21 HEX_STRING
Write data group 21: Optional Data.
--verify-validity YYYYMMDD
Verify chip's validity with a reference date.
--older-than YYYYMMDD
Verify age with a reference date.
--verify-community HEX_STRING
Verify community ID with a reference ID.
--break, -b
Brute force PIN, CAN or PUK. Use together with options
-p, -a, or -u. (default=off)
--translate FILENAME, -t FILENAME
Specify the file with APDUs of HEX_STRINGs to send
through the secure channel. (default=`stdin')
--tr-03110v201
Force compliance to BSI TR-03110 version 2.01.
(default=off)
--disable-all-checks
Disable all checking of fly-by-data. (default=off)