Crescendo SDK
Crescendo CLI Tool

The Crescendo Command Line Interface (CLI) Tool is the easiest way to work with the Crescendo SDK. This tool provides a powerful interface for interacting with your Crescendo tokens directly from the command line.

To use the Crescendo CLI, open your terminal and navigate to the directory where CrescendoCLI.exe is located.

General Help

For a list of all commands and general usage, run:

CrescendoCLI.exe --help

Command-Specific Help

For help with a specific command, including details about parameters specific to that command, run:

CrescendoCLI.exe <command> --help

The response looks like this example:

Crescendo CLI Tool X.X.X.X
Usage: CrescendoCLI.exe piv-data-get (-p <pin> | -x <key>) [--ber-tlv-tag <tag>] [-v] [--log-level <level>] [-t <token>]
       [--help]
Available options:
  --ber-tlv-tag      (Default: 5FC105) String identification of the BER TLV tag of the generic container object from
                     which to read the data. For example, 5FC105, 5F-C1-0E, 5F C1 20.
  -p, --pin          (Group: Authenticate) PIN to be used for authentication. String "env" can be used to read an
                     Environment Variable "PIN" as a valid key.
  -x, --xauth-key    (Group: Authenticate) XAUTH key to be used for authentication. String "env" can be used to read an
                     Environment Variable "XAUTH" as a valid key.
  -v, --verbose      Enable verbose (debug) logging (shortcut for --log-level DEBUG).
  --log-level        (Default: INFO) Switch between different log levels. Valid options are "DEBUG", "INFO", "WARN",
                     "ERROR", "SILENT"
  -t, --token        (Default: 0) Specify the number of given token to work with, or the name of the reader that the
                     token is connected into. All available tokens can be displayed with "CrescendoCLI.exe token-info"
  --help             Display this help screen.
Usage EXAMPLE:
  CrescendoCLI.exe piv-data-get -p 123456 --ber-tlv-tag 5FC182 -v
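
The usage example above puts the PIN on the command line, where it shows up in process listings and command-line audit logs; the "env" form of -p keeps it out of the argument list. The following is an added example, not part of the Crescendo SDK documentation: a Python wrapper that calls piv-data-get with the PIN passed only in the child process's PIN environment variable. The function names, and the assumption that CrescendoCLI.exe is in the working directory or on PATH, are illustrative.

```python
import getpass
import os
import re
import subprocess

CLI = "CrescendoCLI.exe"  # assumption: in the working directory or on PATH


def normalize_tag(tag: str) -> str:
    """Accept the spellings the help text lists: 5FC105, 5F-C1-0E, 5F C1 20."""
    compact = re.sub(r"[\s\-]", "", tag).upper()
    if not re.fullmatch(r"(?:[0-9A-F]{2})+", compact):
        raise ValueError(f"not a hex BER-TLV tag: {tag!r}")
    return compact


def build_piv_data_get(pin: str, tag: str = "5FC105", token: str = "0"):
    """Return (argv, env) for piv-data-get; the PIN appears only in env."""
    if not pin or "\x00" in pin:
        raise ValueError("empty or malformed PIN")
    argv = [CLI, "piv-data-get", "-p", "env",
            "--ber-tlv-tag", normalize_tag(tag), "-t", token]
    env = dict(os.environ, PIN=pin)  # a copy: the parent's environment is unchanged
    return argv, env


def piv_data_get(pin: str, tag: str = "5FC105", token: str = "0"):
    """Run the CLI without a shell and return (exit code, stdout)."""
    argv, env = build_piv_data_get(pin, tag, token)
    done = subprocess.run(argv, env=env, capture_output=True, text=True)
    return done.returncode, done.stdout


if __name__ == "__main__":
    # getpass does not echo the PIN and keeps it out of shell history
    code, out = piv_data_get(getpass.getpass("Token PIN: "))
    print(out)
    raise SystemExit(code)
```

The same pattern applies to -x with the XAUTH environment variable.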

List of All Available Commands

| Command | Corresponding API Function | Description |
| --- | --- | --- |
| aca-props-get | ListACAProperties | List all available ACA applet properties and options from the token in JSON format. |
| pin-change | ChangePIN | Change the existing PIN to a newly specified one. |
| pin-verify | AuthenticateWithPIN | Verify the validity of the entered PIN. If no PIN is entered, then the command corresponds to a PIN VERIFY command to determine whether the PIN code has already been verified. |
| pin-reset-tries | ResetPINTries | Reset the Token PIN try counter with PUK. |
| pin-props-update | UpdatePINProperties | Update PIN properties, such as min/max length, various counters etc. |
| puk-put | PUKPut | Put a specified PUK to the token. |
| cache-read | ReadCacheFreshness | Return data stored under tag 0x44 in a specified Cache data object 5FC151 on tokens using applet V4. |
| logout | Logout | Log out of the ACA instance. |
| xauth-key-put | PutXAUTHKey | Store XAUTH key to the token. |
| xauth-key-delete | DeleteXAUTHKey | Delete existing XAUTH key from the token. |
| xauth | AuthenticateWithXAUTH | Perform External Authentication. Works for both static and dynamic XAUTH modes. |
| xauth-mode-change | ChangeXAUTHMode | Change the XAUTH challenge mode (static <-> dynamic). |
| xauth-get-challenge | GetChallenge | Get the XAUTH challenge from the token. |
| otp-props-get | ListOATHProperties | List all available OATH applet properties and options from the token in JSON format. |
| otp-slot-configure | ConfigureOATHSlot | Store OATH configuration and OATH key to the token to a specified OTP slot. Update the PSKC file, or create a new one if it does not yet exist. |
| otp-pass-configure | ConfigureStaticPassword | Configure static password on Crescendo Key V3. |
| ocra-slot-configure | ConfigureOCRASlot | Store OCRA configuration and OCRA key to the token to a specified OCRA slot. |
| otp-slot-delete | DeleteOATHSlot | Delete OATH configuration and corresponding OATH key from the token in specified OTP slot. Update the PSKC file. If no other KeyPackage tag is left in the PSKC file, the file will get deleted. |
| otp-generate | GenerateOTP | Generate OTP using key and configuration stored in specified OTP slot. |
| ocra-authenticate | OCRAAuthenticate | Perform an OCRA Challenge Response or Digital Signature operation with previously configured OCRA slot. |
| piv-props-get | ListPIVProperties | List all available Generic Container Objects and all PKI objects and their properties on a given token in JSON format. |
| piv-key-pair-gen | PIVGenerateKeyPair | Generate a pair of asymmetric keys using specified cryptographic mechanism. |
| piv-pki-put | PIVPutPKIData | Put PKI data (private key, certificate or both) to the token based on the user input. |
| piv-key-delete | PIVDeleteKey | Delete key object with specified Key Reference. |
| piv-data-put | PIVAddDataToDataObject | Store data under specified tag to a specified buffer (identified by BER TLV tag). The command reads content of the buffer and adds/rewrites only the specified tag. Other data in the buffer stay intact. |
| piv-data-get | PIVGetDataObjectContent | Return data stored in a given generic container object identified by the object’s BER TLV tag. |
| piv-data-delete | PIVDeleteDataFromDataObject | Delete data in a specified buffer (identified by BER TLV tag). The command reads the content of the buffer and deletes either data under the specified tag (other data in the buffer stay intact), or the entire content of the buffer. |
| piv-data-raw-crypto | PIVRawCryptoOperation | Take data from input file or input string and perform a raw cryptographic operation using a private key stored on the token at a given Key Reference. No padding to input data will be applied, meaning you are fully responsible for the proper length of the input data. |
| piv-data-sign | PIVSignData | Take data from input file or input string, create a hash of the data and send it to the token to get the hash signed back using private key stored at given Key Reference. |
| piv-data-acr | PIVChangeDataObjectACR | Change the ACR of given empty generic container object. The object must be completely empty. |
| piv-cert-get | PIVGetCertificate | Get certificate from specified buffer (identified by BER TLV tag). |
| piv-cert-delete | PIVDeleteCertificate | Remove a certificate from a specified buffer (identified by BER TLV tag). The command reads content of the buffer and removes the certificate. Then it adds a public key value derived from the certificate to make sure the ability to work with the private key is not lost. Other data in the buffer stay intact. |
| ski-key-get | GetSKITransportKey | SKI Part 1: Generate the SKI RSA3072 transport key (or just read it if it is already initialized). |
| ski-data-encrypt | EncryptKEKAndDataWithKEK | SKI Part 2: Generate a random Session KEK key. Then encrypt the Session KEK key with the RSA3k public transport key, and encrypt the input key from the user with the Session KEK. Store both results into a JSON format (in case of encrypted PIV key, the JSON would contain encrypted individual CRT components). |
| ski-key-put | SecureKeyInjection | SKI Part 3: Store the encrypted Session KEK to the token, and finally perform the PUT KEY operation with a key encrypted by the Session KEK, thus completing the SKI transfer. |
| fido-props-get | ListFIDOProperties | List all available FIDO applet properties and options from the token in JSON format. The command should be run with elevated privileges. The command will not work when using Crescendo Keys inserted in USB slots. |
| fido-pin-set | FIDOSetPIN | Set the PIN used for FIDO authentication using the FIDO2 standard communication. This command requires elevated privileges. |
| fido-pin-change | FIDOChangePIN | Change the PIN used for FIDO authentication using the FIDO2 standard communication. This command requires elevated privileges. |
| fido-token-reset | FIDOTokenReset | Reset all existing FIDO configuration and discoverable credentials stored on the token. |
| token-reset | ResetToken | Reset the specified token. |
| token-new | NewToken | Reset the token using only pin --pin, change the PIN to a specified value --new-pin and set default PIN properties. Then upload PUK to the card, and finally generate PIV personal data and upload them to the PIV data object 5FC102. |
| token-info | TokenOptions | General info about all connected tokens. |
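
The piv-data-raw-crypto entry above states that no padding is applied and the caller is responsible for the input length. The following is an added example, not part of the Crescendo SDK documentation: it prepares a full-length input block for the case of an RSA-2048 key and a PKCS#1 v1.5 signature over SHA-256 (RFC 8017 EMSA-PKCS1-v1_5). The key type, key size, padding scheme, function name and output file name are assumptions; the option used to pass the file is listed by "CrescendoCLI.exe piv-data-raw-crypto --help".

```python
import hashlib

# DER-encoded DigestInfo header for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15_sha256(message: bytes, key_bits: int = 2048) -> bytes:
    """Build 0x00 0x01 FF..FF 0x00 DigestInfo, exactly key_bits/8 bytes long."""
    if key_bits % 8:
        raise ValueError("key size must be a whole number of bytes")
    k = key_bits // 8
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    # RFC 8017 requires at least 8 bytes of 0xFF padding (k >= len(t) + 11)
    if k < len(t) + 11:
        raise ValueError("modulus too short for a SHA-256 DigestInfo")
    block = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    # A raw operation gets no padding from the tool, so the length must match
    assert len(block) == k
    return block


if __name__ == "__main__":
    # Constructed sample message; the file name is hypothetical
    em = emsa_pkcs1_v15_sha256(b"constructed sample message")
    with open("raw-input.bin", "wb") as fh:
        fh.write(em)
    print(len(em), "bytes written")
```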