Linux cli command npa-tool
NAME
npa-tool - displays information on the German eID card (neuer Personalausweis, nPA).
SYNOPSIS
npa-tool [OPTIONS]
DESCRIPTION
The npa-tool utility is used to display information stored on the German eID card (neuer Personalausweis, nPA), and to perform some write and verification operations.
Extended Access Control version 2 is performed according to ICAO Doc 9303 or BSI TR-03110 so that other identity cards and machine readable travel documents (MRTDs) may be read as well.
OPTIONS
--help, -h
Print help and exit.
--version, -V
Print version and exit.
--reader arg, -r arg
Number of the reader to use. By default, the first reader with a present card is used. If arg is an ATR, the reader with a matching card will be chosen.
--verbose, -v
Causes npa-tool to be more verbose. Specify this flag several times to be more verbose.
Password Authenticated Connection Establishment (PACE)
--pin [STRING], -p [STRING]
Run PACE with (transport) eID-PIN.
--puk [STRING], -u [STRING]
Run PACE with PUK.
--can [STRING], -c [STRING]
Run PACE with Card Access Number (CAN).
--mrz [STRING], -m [STRING]
Run PACE with Machine Readable Zone (MRZ). Enter the MRZ without newlines.
--env
Specify whether to use environment variables PIN, PUK, CAN, MRZ, and NEWPIN. You may want to clean your environment before enabling this. (default=off)
PIN management
--new-pin [STRING], -N [STRING]
Install a new PIN.
--resume, -R
Resume eID-PIN (uses CAN to activate last retry). (default=off)
--unblock, -U
Unblock PIN (uses PUK to activate three more retries). (default=off)
Terminal Authentication (TA) and Chip Authentication (CA)
--cv-certificate FILENAME, -C FILENAME
Specify Card Verifiable (CV) certificate to create a certificate chain. The option can be given multiple times, in which case the order is important.
--cert-desc HEX_STRING
Certificate description to show for Terminal Authentication.
--chat HEX_STRING
Specify the Card Holder Authorization Template (CHAT) to use. If not given, it defaults to the terminal's CHAT. Use 7F4C0E060904007F000703010203530103 to trigger EAC on the CAT-C (Komfortleser).
--auxiliary-data HEX_STRING, -A HEX_STRING
Specify the terminal's auxiliary data. If not given, the default is determined by verification of validity, age and community ID.
--private-key FILENAME, -P FILENAME
Specify the terminal's private key.
--cvc-dir DIRECTORY
Specify where to look for the certificate of the Country Verifying Certification Authority (CVCA). If not given, it defaults to /home/fm/.local/etc/eac/cvc.
--x509-dir DIRECTORY
Specify where to look for the X.509 certificate. If not given, it defaults to /home/fm/.local/etc/eac/x509.
--disable-ta-checks
Disable checking the validity period of CV certificates. (default=off)
--disable-ca-checks
Disable passive authentication. (default=off)
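Added example (not part of npa-tool or its manual): a Python check that decodes a CHAT HEX_STRING, such as the one given for --chat above, into its terminal-role OID and access-rights bytes before it is handed to the tool. The function names are hypothetical; the role names for the three OIDs follow BSI TR-03110.

```python
# Added example: decode a CHAT hex string before passing it to --chat.
ROLES = {  # terminal-role OIDs defined in BSI TR-03110
    "0.4.0.127.0.7.3.1.2.1": "Inspection System (id-IS)",
    "0.4.0.127.0.7.3.1.2.2": "Authentication Terminal (id-AT)",
    "0.4.0.127.0.7.3.1.2.3": "Signature Terminal (id-ST)",
}

def read_tlv(buf, pos):
    """Read one BER-TLV object at pos; return (tag, value, next_pos)."""
    start = pos
    if pos >= len(buf):
        raise ValueError("truncated tag")
    first = buf[pos]; pos += 1
    if first & 0x1F == 0x1F:              # multi-byte tag, e.g. 7F4C
        while True:
            if pos >= len(buf):
                raise ValueError("truncated tag")
            b = buf[pos]; pos += 1
            if not b & 0x80:
                break
    tag = bytes(buf[start:pos])
    if pos >= len(buf):
        raise ValueError("truncated length")
    length = buf[pos]; pos += 1
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    if pos + length > len(buf):
        raise ValueError("value exceeds buffer")
    return tag, bytes(buf[pos:pos + length]), pos + length

def decode_oid(der):
    """Turn DER OID content bytes into dotted notation."""
    subs, val = [], 0
    for b in der:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(val); val = 0
    if not subs or der[-1] & 0x80:
        raise ValueError("malformed OID")
    first = min(subs[0] // 40, 2)
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def parse_chat(hex_string):
    """Return role OID, role name and rights of a CHAT (tag 7F4C)."""
    raw = bytes.fromhex(hex_string)
    tag, body, end = read_tlv(raw, 0)
    if tag != b"\x7f\x4c" or end != len(raw):
        raise ValueError("not a single CHAT (tag 7F4C) object")
    t1, oid, pos = read_tlv(body, 0)
    t2, rights, pos = read_tlv(body, pos)
    if t1 != b"\x06" or t2 != b"\x53" or pos != len(body):
        raise ValueError("expected OID (06) then discretionary data (53)")
    dotted = decode_oid(oid)
    return {"oid": dotted, "role": ROLES.get(dotted, "unknown"), "rights": rights.hex()}
```

For the CHAT quoted under --chat, parse_chat reports the signature-terminal role with rights byte 03; a string that fails to parse raises ValueError.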
Read and write data groups
--read-dg1
Read data group 1: Document Type.
--read-dg2
Read data group 2: Issuing State.
--read-dg3
Read data group 3: Date of Expiry.
--read-dg4
Read data group 4: Given Name(s).
--read-dg5
Read data group 5: Family Name.
--read-dg6
Read data group 6: Religious/Artistic Name.
--read-dg7
Read data group 7: Academic Title.
--read-dg8
Read data group 8: Date of Birth.
--read-dg9
Read data group 9: Place of Birth.
--read-dg10
Read data group 10: Nationality.
--read-dg11
Read data group 11: Sex.
--read-dg12
Read data group 12: Optional Data.
--read-dg13
Read data group 13: Birth Name.
--read-dg14
Read data group 14.
--read-dg15
Read data group 15.
--read-dg16
Read data group 16.
--read-dg17
Read data group 17: Normal Place of Residence.
--read-dg18
Read data group 18: Community ID.
--read-dg19
Read data group 19: Residence Permit I.
--read-dg20
Read data group 20: Residence Permit II.
--read-dg21
Read data group 21: Optional Data.
--write-dg17 HEX_STRING
Write data group 17: Normal Place of Residence.
--write-dg18 HEX_STRING
Write data group 18: Community ID.
--write-dg19 HEX_STRING
Write data group 19: Residence Permit I.
--write-dg20 HEX_STRING
Write data group 20: Residence Permit II.
--write-dg21 HEX_STRING
Write data group 21: Optional Data.
Verification of validity, age and community ID
--verify-validity YYYYMMDD
Verify the chip's validity with a reference date.
--older-than YYYYMMDD
Verify age with a reference date.
--verify-community HEX_STRING
Verify community ID with a reference ID.
Special options, not always useful
--break, -b
Brute force PIN, CAN or PUK. Use together with options -p, -a, or -u. (default=off)
--translate FILENAME, -t FILENAME
Specify the file with APDUs of HEX_STRINGs to send through the secure channel. (default=stdin)
--tr-03110v201
Force compliance to BSI TR-03110 version 2.01. (default=off)
--disable-all-checks
Disable all checking of fly-by-data. (default=off)
AUTHORS
npa-tool was written by Frank Morgner <[email protected]>.