npa-tool - Man Page

Displays information stored on an ID card or ePassport.

Synopsis

npa-tool [Options]

Description

The npa-tool utility is used to display information stored on an ID card or on a passport and to perform some write and verification operations.

Extended Access Control version 2 is performed according to ICAO Doc 9303 or BSI TR-03110 so that an ICAO compliant machine readable travel document (MRTD) as well as EAC compliant ID cards, for example the German ID card (neuer Personalausweis, nPA), may be read.

Options

--help, -h

Print help and exit.

--version, -V

Print version and exit.

--reader arg, -r arg

Number of the reader to use. By default, the first reader with a present card is used. If arg is an ATR, the reader with a matching card will be chosen.

--verbose, -v

Causes npa-tool to be more verbose. Specify this flag several times to increase verbosity further.

Password Authenticated Connection Establishment (PACE)

--pin [STRING], -p [STRING]

Run PACE with (transport) eID-PIN.

--puk [STRING], -u [STRING]

Run PACE with PUK.

--can [STRING], -c [STRING]

Run PACE with Card Access Number (CAN).

--mrz [STRING], -m [STRING]

Run PACE with Machine Readable Zone (MRZ). Enter the MRZ without newlines.

--env

Specify whether to use environment variables PIN, PUK, CAN, MRZ, and NEWPIN. You may want to clean your environment before enabling this. (default=off)

PIN management

--new-pin [STRING], -N [STRING]

Install a new PIN.

--resume, -R

Resume eID-PIN (uses CAN to activate last retry). (default=off)

--unblock, -U

Unblock PIN (uses PUK to activate three more retries). (default=off)

Terminal Authentication (TA) and Chip Authentication (CA)

--cv-certificate FILENAME, -C FILENAME

Specify Card Verifiable (CV) certificate to create a certificate chain. The option can be given multiple times, in which case the order is important.

--cert-desc HEX_STRING

Certificate description to show for Terminal Authentication.

--chat HEX_STRING

Specify the Card Holder Authorization Template (CHAT) to use. If not given, it defaults to the terminal's CHAT. Use 7F4C0E060904007F000703010203530103 to trigger EAC on the CAT-C (Komfortleser).
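
To check what a --chat value asks for before it is sent to a card, the following added example (not part of npa-tool or OpenSC) decodes the hex string. It assumes the CHAT layout from BSI TR-03110, tag 7F4C wrapping a terminal-type OID (06) and discretionary data (53) whose top two bits give the role; all function and variable names are this example's own.

```python
# Added example. Assumed layout (BSI TR-03110): 7F4C { 06 OID, 53 authorization }.
TERMINAL_TYPES = {"0.4.0.127.0.7.3.1.2.1": "Inspection System (IS)",
                  "0.4.0.127.0.7.3.1.2.2": "Authentication Terminal (AT)",
                  "0.4.0.127.0.7.3.1.2.3": "Signature Terminal (ST)"}
ROLES = ("Terminal", "Document Verifier", "Document Verifier", "CVCA")  # by top 2 bits

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER-TLV object starting at pos."""
    try:
        start, first = pos, buf[pos]
        pos += 1
        if first & 0x1F == 0x1F:            # multi-byte tag, e.g. 7F4C
            while buf[pos] & 0x80:
                pos += 1
            pos += 1
        tag = int.from_bytes(buf[start:pos], "big")
        length = buf[pos]
        pos += 1
    except IndexError:
        raise ValueError("truncated TLV") from None
    if length & 0x80:
        raise ValueError("long-form length not expected in a CHAT")
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds input")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(der):
    """Decode DER OID content bytes (first arc 0 or 1, which covers bsi-de)."""
    arcs, value = [der[0] // 40, der[0] % 40], 0
    for b in der[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_chat(hex_string):
    raw = bytes.fromhex(hex_string)
    tag, body, end = read_tlv(raw, 0)
    if tag != 0x7F4C or end != len(raw):
        raise ValueError("expected exactly one 7F4C object")
    t_oid, oid, pos = read_tlv(body, 0)
    t_auth, auth, pos = read_tlv(body, pos)
    if (t_oid, t_auth) != (0x06, 0x53) or pos != len(body) or not oid or not auth:
        raise ValueError("CHAT must hold one OID and one discretionary data object")
    name = decode_oid(oid)
    bits = int.from_bytes(auth, "big") & ((1 << (8 * len(auth) - 2)) - 1)
    return {"oid": name, "terminal_type": TERMINAL_TYPES.get(name, "unknown"),
            "role": ROLES[auth[0] >> 6], "authorization_bits": bits}
```

Calling decode_chat on the value quoted above reports a Signature Terminal in the terminal role with authorization bits 0x03.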

--auxiliary-data HEX_STRING, -A HEX_STRING

Specify the terminal's auxiliary data. If not given, the default is determined by verification of validity, age and community ID.

--private-key FILENAME, -P FILENAME

Specify the terminal's private key.

--cvc-dir DIRECTORY

Specify where to look for the certificate of the Country Verifying Certification Authority (CVCA). If not given, it defaults to /home/fm/.local/etc/eac/cvc.

--x509-dir DIRECTORY

Specify where to look for the X.509 certificate. If not given, it defaults to /home/fm/.local/etc/eac/x509.

--disable-ta-checks

Disable checking the validity period of CV certificates. (default=off)

--disable-ca-checks

Disable passive authentication. (default=off)

Card application

--application app

Application to select on the card: use eID for the electronic identification application and eMRTD for the ePassport application. (default=eID)

Read and write data groups

--read-all-dgs

Read all available data groups.

--read-dg1

Read data group 1.

--read-dg2

Read data group 2.

--read-dg3

Read data group 3.

--read-dg4

Read data group 4.

--read-dg5

Read data group 5.

--read-dg6

Read data group 6.

--read-dg7

Read data group 7.

--read-dg8

Read data group 8.

--read-dg9

Read data group 9.

--read-dg10

Read data group 10.

--read-dg11

Read data group 11.

--read-dg12

Read data group 12.

--read-dg13

Read data group 13.

--read-dg14

Read data group 14.

--read-dg15

Read data group 15.

--read-dg16

Read data group 16.

--read-dg17

Read data group 17.

--read-dg18

Read data group 18.

--read-dg19

Read data group 19.

--read-dg20

Read data group 20.

--read-dg21

Read data group 21.

--write-dg17 HEX_STRING

Write data group 17.

--write-dg18 HEX_STRING

Write data group 18.

--write-dg19 HEX_STRING

Write data group 19.

--write-dg20 HEX_STRING

Write data group 20.

--write-dg21 HEX_STRING

Write data group 21.

Verification of validity, age and community ID

--verify-validity YYYYMMDD

Verify chip's validity with a reference date.

--older-than YYYYMMDD

Verify age with a reference date.

--verify-community HEX_STRING

Verify community ID with a reference ID.

Special options, not always useful

--break, -b

Brute force PIN, CAN or PUK. Use together with options -p, -c, or -u. (default=off)

--translate FILENAME, -t FILENAME

Specify a file of APDUs, given as HEX_STRINGs, to send through the secure channel. (default=stdin)

--tr-03110v201

Force compliance to BSI TR-03110 version 2.01. (default=off)

--disable-all-checks

Disable all checking of fly-by-data. (default=off)

Authors

npa-tool was written by Frank Morgner <frankmorgner@gmail.com>.

Info

03/31/2026 OpenSC Tools