npa-tool - Man Page

displays information on the German eID card (neuer Personalausweis, nPA).

Synopsis

npa-tool [Options]

Description

The npa-tool utility is used to display information stored on the German eID card (neuer Personalausweis, nPA), and to perform some write and verification operations.

Extended Access Control version 2 is performed according to ICAO Doc 9303 or BSI TR-03110 so that other identity cards and machine readable travel documents (MRTDs) may be read as well.

Options

--help, -h: Print help and exit.
--version, -V: Print version and exit.
--reader arg, -r arg: Number of the reader to use. By default, the first reader with a present card is used. If arg is an ATR, the reader with a matching card will be chosen.
--verbose, -v: Causes npa-tool to be more verbose. Specify this flag several times to be more verbose.

Password Authenticated Connection Establishment (PACE)

--pin [STRING], -p [STRING]: Run PACE with (transport) eID-PIN.
--puk [STRING], -u [STRING]: Run PACE with PUK.
--can [STRING], -c [STRING]: Run PACE with Card Access Number (CAN).
--mrz [STRING], -m [STRING]: Run PACE with Machine Readable Zone (MRZ). Enter the MRZ without newlines.
--env: Specify whether to use environment variables PIN, PUK, CAN, MRZ, and NEWPIN. You may want to clean your environment before enabling this. (default=off)

PIN management

--new-pin [STRING], -N [STRING]: Install a new PIN.
--resume, -R: Resume eID-PIN (uses CAN to activate last retry). (default=off)
--unblock, -U: Unblock PIN (uses PUK to activate three more retries). (default=off)

Terminal Authentication (TA) and Chip Authentication (CA)

--cv-certificate FILENAME, -C FILENAME: Specify Card Verifiable (CV) certificate to create a certificate chain. The option can be given multiple times, in which case the order is important.
--cert-desc HEX_STRING: Certificate description to show for Terminal Authentication.
--chat HEX_STRING: Specify the Card Holder Authorization Template (CHAT) to use. If not given, it defaults to the terminal's CHAT. Use 7F4C0E060904007F000703010203530103 to trigger EAC on the CAT-C (Komfortleser).
--auxiliary-data HEX_STRING, -A HEX_STRING: Specify the terminal's auxiliary data. If not given, the default is determined by verification of validity, age and community ID.
--private-key FILENAME, -P FILENAME: Specify the terminal's private key.
--cvc-dir DIRECTORY: Specify where to look for the certificate of the Country Verifying Certification Authority (CVCA). If not given, it defaults to /home/fm/.local/etc/eac/cvc.
--x509-dir DIRECTORY: Specify where to look for the X.509 certificate. If not given, it defaults to /home/fm/.local/etc/eac/x509.
--disable-ta-checks: Disable checking the validity period of CV certificates. (default=off)
--disable-ca-checks: Disable passive authentication. (default=off)

Read and write data groups

--read-dg1: Read data group 1: Document Type.
--read-dg2: Read data group 2: Issuing State.
--read-dg3: Read data group 3: Date of Expiry.
--read-dg4: Read data group 4: Given Name(s).
--read-dg5: Read data group 5: Family Name.
--read-dg6: Read data group 6: Religious/Artistic Name.
--read-dg7: Read data group 7: Academic Title.
--read-dg8: Read data group 8: Date of Birth.
--read-dg9: Read data group 9: Place of Birth.
--read-dg10: Read data group 10: Nationality.
--read-dg11: Read data group 11: Sex.
--read-dg12: Read data group 12: Optional Data.
--read-dg13: Read data group 13: Birth Name.
--read-dg14: Read data group 14.
--read-dg15: Read data group 15.
--read-dg16: Read data group 16.
--read-dg17: Read data group 17: Normal Place of Residence.
--read-dg18: Read data group 18: Community ID.
--read-dg19: Read data group 19: Residence Permit I.
--read-dg20: Read data group 20: Residence Permit II.
--read-dg21: Read data group 21: Optional Data.
--write-dg17 HEX_STRING: Write data group 17: Normal Place of Residence.
--write-dg18 HEX_STRING: Write data group 18: Community ID.
--write-dg19 HEX_STRING: Write data group 19: Residence Permit I.
--write-dg20 HEX_STRING: Write data group 20: Residence Permit II.
--write-dg21 HEX_STRING: Write data group 21: Optional Data.

Verification of validity, age and community ID

--verify-validity YYYYMMDD: Verify chip's validity with a reference date.
--older-than YYYYMMDD: Verify age with a reference date.
--verify-community HEX_STRING: Verify community ID with a reference ID.

Special options, not always useful

--break, -b: Brute force PIN, CAN or PUK. Use together with options -p, -a, or -u. (default=off)
--translate FILENAME, -t FILENAME: Specify the file with APDUs of HEX_STRINGs to send through the secure channel. (default=`stdin')
--tr-03110v201: Force compliance to BSI TR-03110 version 2.01. (default=off)
--disable-all-checks: Disable all checking of fly-by-data. (default=off)

Authors

npa-tool was written by Frank Morgner <frankmorgner@gmail.com>.

Info

07/24/2025 OpenSC Tools