forked from OpenSC/OpenSC
-
Notifications
You must be signed in to change notification settings - Fork 6
/
NEWS
1390 lines (1341 loc) · 56.3 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
NEWS for OpenSC -- History of user visible changes
# New in 0.25.0; 2024-02-XX
## Security
* [CVE-2023-5992](https://github.com/OpenSC/OpenSC/wiki/CVE-2023-5992): Side-channel leaks while stripping encryption PKCS#1.5 padding in OpenSC (#2948)
* [CVE-2024-1454](https://github.com/OpenSC/OpenSC/wiki/CVE-2024-1454): Potential use-after-free in AuthentIC driver during card enrollment in pkcs15init (#2962)
## General improvements
* Update OpenSSL 1.1.1 to 3.0 in MacOS build (#2930)
* Remove support for old card drivers Akis, GPK, Incrypto34 and Westcos, disable Cyberflex driver (#2885)
* Fix 64b to 32b conversions (#2993)
* Improvements for the p11test (#2991)
* Fix reader initialization without SCardControl (#3007)
* Make RSA PKCS#1 v1.5 depadding constant-time (#2948)
* Add option for disabling PKCS#1 v1.5 depadding (type 01 and 02) on the card (#2975)
* Enable MSI signing via Signpath CI integration for Windows (#2799)
* Fixed various issues reported by OSS-Fuzz and Coverity in drivers, PKCS#11 and PKCS#15 layer
## minidriver
* Fix wrong hash selection (#2932)
## pkcs11-tool
* Simplify printing EC keys parameters (#2960)
* Add option to import GENERIC key (#2955)
* Add support for importing Ed25518/448 keys (#2985)
## IDPrime
* Support uncompressed certificates on IDPrime 940 (#2958)
* Enhance IDPrime logging (#3003)
## D-Trust Signature Cards
* Add support for RSA D-Trust Signature Card 4.1 and 4.4 (#2943)
## EstEID
* Remove expired EstEID 3.* card support (#2950)
## ePass2003
* Allow SW implementation with more SHA2 hashes and ECDSA (#3012)
## SmartCard-HSM
* Fix SELECT APDU command (#2978)
## MyEID
* Update for PKCS#15 profile (#2965)
## Rutoken
* Support for RSA 4096 key algorithm (#3011)
# New in 0.24.0; 2023-12-13
## Security
* CVE-2023-40660: Fix Potential PIN bypass (#2806, frankmorgner/OpenSCToken#50, #2807)
* CVE-2023-40661: Important dynamic analyzers reports
* CVE-2023-4535: Out-of-bounds read in MyEID driver handling encryption using symmetric keys (f1993dc4)
## General improvements
* Fix compatibility of EAC with OpenSSL 3.0 (#2674)
* Enable `use_file_cache` by default (#2501)
* Use custom libctx with OpenSSL >= 3.0 (#2712, #2715)
* Fix record-based files (#2604)
* Fix several race conditions (#2735)
* Run tests under Valgrind (#2756)
* Test signing of data bigger than 512 bytes (#2789)
* Update to OpenPACE 1.1.3 (#2796)
* Implement logout for some of the card drivers (#2807)
* Fix wrong popup position of opensc-notify (#2901)
* Fixed various issues reported by OSS-Fuzz and Coverity regarding card drivers, PKCS#11 and PKCS#15 init
## PKCS#11
* Check card presence state in `C_GetSessionInfo` (#2740)
* Remove `onepin-opensc-pkcs11` module (#2681)
* Do not use colons in the token info label (#2760)
* Present profile objects in all slots with the CKA_TOKEN attribute to resolve issues with NSS (#2928, #2924)
* Use secure memory for PUK (#2906)
* Don't logout to preserve concurrent access from different processes (#2907)
* Add more examples to manual page (#2936)
* Present profile objects in all virtual slots (#2928)
* Provide CKA_TOKEN attribute for profile objects (#2924)
* Improve --slot parameter documentation (#2951)
## PKCS#15
* Honor cache offsets when writing file cache (#2858)
* Prevent needless amount of PIN prompts from pkcs15init layer (#2916)
* Propagate CKA_EXTRACTABLE and SC_PKCS15_PRKEY_ACCESS_SENSITIVE from and back to PKCS#11 (#2936)
## Minidriver
* Fix for private keys that do not need a PIN (#2722)
* Unbreak decipher when the first null byte of PKCS#1.5 padding is missing (#2939)
## pkcs11-tool
* Fix RSA key import with OpenSSL 3.0 (#2656)
* Add support for attribute filtering when listing objects (#2687)
* Add support for `--private` flag when writing certificates (#2768)
* Add support for non-AEAD ciphers to the test mode (#2780)
* Show CKA_SIGN attribute for secret keys (#2862)
* Do not attempt to read CKA_ALWAYS_AUTHENTICATE on secret keys (#2864, #2913)
* Show Sign/VerifyRecover attributes (#2888)
* Add option to import generic keys (#2955)
## westcos-tool
* Generate 2k RSA keys by default (b53fc5cd)
## pkcs11-register
* Disable autostart on Linux by default (#2680)
## IDPrime
* Add support for IDPrime MD 830, 930 and 940 (#2666)
* Add support for SafeNet eToken 5110 token (#2812)
* Process index even without keyrefmap and use correct label for second PIN (#2878)
* Add support for Gemalto IDPrime 940C (#2941)
## EPass2003
* Change of PIN requires verification of the PIN (#2759)
* Fix incorrect CMAC computation for subkeys (#2759, issue #2734)
* Use true random number for mutual authentication for SM (#2766)
* Add verification of data coming from the token in the secure messaging mode (#2772)
* Avoid success when using unsupported digest and fix data length for RAW ECDSA signatures (#2845)
## OpenPGP
* Fix select data command (#2753, issue #2752)
* Unbreak ed/curve25519 support (#2892)
## eOI
* Add support for Slovenian eID card (eOI) (#2646)
## Italian CNS
* Add support for IDEMIA (Oberthur) tokens (#2483)
## PIV
* Add support for Swissbit iShield FIDO2 Authenticator (#2671)
* Implement PIV secure messaging (#2053)
## SkeID
* Add support for Slovak eID cards (#2672)
## isoApplet
* Support ECDSA with off-card hashing (#2642)
## MyEID
* Fix WRAP operation when using T0 (#2695)
* Identify changes on the card and enable `use_file_cache` (#2798)
* Workaround for unwrapping using 2K RSA key (#2921)
## SC-HSM
* Add support for `opensc-tool --serial` (#2675)
* Fix unwrapping of 4096 keys with handling reader limits (#2682)
* Indicate supported hashes and MGF1s (#2827)
# Addendum for 0.22.0; 2023-09-01
* fixed security problems
* CVE-2021-42778 Heap double free in sc_pkcs15_free_tokeninfo
* CVE-2021-42779 Heap use after free in sc_file_valid
* CVE-2021-42780 Use after return in insert_pin function
* CVE-2021-42781 Heap buffer overflow in pkcs15-oberthur.c
* CVE-2021-42782 Stack buffer overflow issues in various places
* CVE-2021-34193 is a duplicate CVE covering the 5 individual CVEs listed above
# New in 0.23.0; 2022-11-29
## General improvements
* Support signing of data with a length of more than 512 bytes (#2314)
* By default, disable support for old card drivers (#2391) and remove support for old drivers MioCOS and JCOP (#2374)
* Bump minimal required OpenSSL version to 1.1.1 and add support for OpenSSL 3.0 (#2438, #2506)
* Compatibility with LibreSSL (#2495, #2595)
* Remove support for DSA (#2503)
* Extend p11test to support symmetric keys (#2430)
* Notice detached reader on macOS (#2418)
* Support for OAEP padding (#2475, #2484)
* Fix for PSS salt length (#2478)
* Improve fuzzing by adding new tests (#2417, #2500, #2520, #2550, #2637)
* Fixed various issues reported by OSS-Fuzz and Coverity regarding card drivers, PKCS#11 and PKCS#15 init
* Fix issues with OpenPACE (#2472)
* Containers support for local testing
* Add support for encryption and decryption using symmetric keys (#2473, #2607)
* Stop building support for Gost algorithms with OpenSSL 3.0 as they require deprecated API (#2586)
* Fix detection of disconnected readers in PCSC (#2600)
* Add configuration option for on-disk caching of private data (#2588)
* Skip building empty binaries when dependencies are missing and remove needless linking (#2617)
* Define arm64 as a supported architecture in the Installer package (#2610)
## PKCS#11
* Implement `C_CreateObject` for EC keys and fix signature verification for `CKM_ECDSA_SHAx` cards (#2420)
## pkcs11-tool
* Add more elliptic curves (#2301)
* Add support for symmetric encrypt and decrypt, wrap and unwrap operations, and initialization vector (#2268)
* Fix consistent handling of secret key attributes (#2497)
* Add support for signing and verifying with HMAC (#2385)
* Add support for SHA3 (#2467)
* Make object selectable via label (#2570)
* Do not require an R/W session for some operations and add `--session-rw` option (#2579)
* Print more information: CKA_UNIQUE_ID attribute, SHA3 HMACs and serial number for certificates (#2644, #2643, #2641)
* Add new option --undestroyable to create keys with CKA_DESTROYABLE=FALSE (#2645)
## sc-hsm-tool
* Add options for public key authentication (#2301)
## Minidriver
* Fix reinit of the card (#2525)
* Add an entry for Italian CNS (e) (#2548)
* Fix detection of ECC mechanisms (#2523)
* Fix ATRs before adding them to the windows registry (#2628)
## NQ-Applet
* Add support for the JCOP4 Cards with NQ-Applet (#2425)
## ItaCNS
* Add support for ItaCMS v1.1 (key length 2048) (#2371)
## Belpic
* Add support for applet v1.8 (#2455)
## Starcos
* Add ATR for V3.4 (#2464)
* Add PKCS#15 emulator for 3.x cards with eSign app (#2544)
* Add (fix) support for eGK v 2.1 (#2871)
## ePass2003
* Fix PKCS#15 initialization (#2403)
* Add support for FIPS (#2543)
* Fix matching with newer versions and tokens initialized with OpenSC (#2575)
## MyEID
* Support logout operation (#2557)
* Support for symmetric encryption and decryption (#2473, #2607)
## GIDS
* Fix decipher for TPM (#1881)
## OpenPGP
* Get the list of supported algorithms from algorithm information on the card (#2287)
* Support for 3 certificates with OpenPGP 3+ (#2103)
## nPA
* Fix card detection (#2463)
## Rutoken
* Fix formatting rtecp cards (#2599)
## PIV
* Add new PIVKey ATRs for current cards (#2602)
# New in 0.22.0; 2021-08-10
## General improvements
* Use standard paths for file cache on Linux (#2148) and OSX (#2214)
* Various issues of memory/buffer handling in legacy drivers mostly reported by oss-fuzz and coverity (tcos, oberthur, isoapplet, iasecc, westcos, gpk, flex, dnie, mcrd, authentic, belpic)
* Add threading test to `pkcs11-tool` (#2067)
* Add support to generate generic secret keys (#2140)
* `opensc-explorer`: Print information about LCS (Life cycle status byte) (#2195)
* Add support for Apple's arm64 (M1) binaries, removed TokenD. A separate installer with TokenD (and without arm64 binaries) will be available (#2179).
* Support for gcc11 and its new strict aliasing rules (#2241, #2260)
* Initial support for building with OpenSSL 3.0 (#2343)
* pkcs15-tool: Write data objects in binary mode (#2324)
* Avoid limited size of log messages (#2352)
## PKCS#11
* Support for ECDSA verification (#2211)
* Support for ECDSA with different SHA hashes (#2190)
* Prevent issues in p11-kit by not returning unexpected return codes (#2207)
* Add support for PKCS#11 3.0: The new interfaces, profile objects and functions (#2096, #2293)
* Standardize the version 2 on 2.20 in the code (#2096)
* Fix CKA_MODIFIABLE and CKA_EXTRACTABLE (#2176)
* Copy arguments of C_Initialize (#2350)
## Minidriver
* Fix RSA-PSS signing (#2234)
## OpenPGP
* Fix DO deletion (#2215)
* Add support for (X)EdDSA keys (#1960)
## IDPrime
* Add support for applet version 3 and fix RSA-PSS mechanisms (#2205)
* Add support for applet version 4 (#2332)
## MyEID
* New configuration option for opensc.conf to disable pkcs1_padding (#2193)
* Add support for ECDSA with different hashes (#2190)
* Enable more mechanisms (#2178)
* Fixed asking for a user pin when formatting a card (#1737)
## IAS/ECC
* Added support for French CPx Healthcare cards (#2217)
## CardOS
* Added ATR for new CardOS 5.4 version (#2296)
# New in 0.21.0; 2020-11-24
## General Improvements
* fixed security problems
* CVE-2020-26570 (6903aebfddc466d966c7b865fae34572bf3ed23e)
* CVE-2020-26571
* CVE-2020-26572 (9d294de90d1cc66956389856e60b6944b27b4817)
* Bump minimal required OpenSSL version to 1.0.1 (#1658)
* Implement basic unit tests for asn1 library, compression and simpletlv parser (#1830)
* Allow generating code coverage
* Improve fuzzing by providing corpus from real cards (#1830)
* Implement support for OAEP encryption
* New separate debug level for PIN commands (d06f23e8)
* Fix handling of card/reader insertion/removal events in pcscd
* Many bugfixes reported by oss-fuzz, coverity and lgtm.com
* Fixes of removed readers handling (#1970)
* Fix Firefox crash because of invalid pcsc context (#2077)
## PKCS#11
* Return CKR_TOKEN_NOT_RECOGNIZED for not recognized cards (#2030)
* Propagate ignore_user_content to PKCS#11 layer not to confuse applications (#2040)
## Minidriver
* Fix check of ATR length (2-to 33 characters inclusive) (#2146)
## MacOS
* Add installer signing for PR and master
* Avoid app bundle relocations after installation
* Move OpenSC to MacOS Utilities folder (#2063)
## OpenSC tools
### pkcs11-tool
* Make SHA256 default for OAEP encryption
* pkcs11-tool: allow using SW tokens (#2113)
### opensc-explorer
* `asn1` accepts offsets and decode records (#2090)
* `cat` accepts records (#2090)
## OpenPGP
* Add new ec curves supported by GNUK (#1853)
* First steps supporting OpenPGP 3.4
* Add support for EC key import (#1821)
## Rutoken
* Add ATR for Rutoken ECP SC NFC (#2122)
## CardOS
* Improve detection of various CardOS 5 configurations (#1987)
## DNIe
* Add new DNIe CA structure for the secure channel (#2109)
## ePass2003
* Improve ECC support (#1859)
* Fixed erase sequence (#2097)
## IAS-ECC (#2070):
* Fixed support for Idemia Cosmo cards with AWP middleware interoperability (previously broken).
* Added support for Idemia Cosmo v8 cards.
* PIN padding settings are now used from PKCS#15 info when available.
* Added PIN-pad support for PIN unblock.
## IDPrime
* New driver for Gemalto IDPrime (only some types) (#1772)
## eDo
* New driver with initial support for Polish eID card (e-dowód, eDO) (#2023)
## MCRD
* Remove unused and broken RSA EstEID support (#2095)
## TCOS
* Add missing encryption certificates (#2083)
## PIV
* Add ATR of DOD Yubikey (#2115)
* fixed PIV global pin bug (#2142)
## CAC1
* Support changing PIN with CAC Alt tokens (#2129)
# New in 0.20.0; 2019-12-29
## General Improvements
* fixed security problems
* CVE-2019-6502 (#1586)
* CVE-2019-15946 (a3fc769)
* CVE-2019-15945 (412a614)
* CVE-2019-19480 (6ce6152284c47ba9b1d4fe8ff9d2e6a3f5ee02c7)
* CVE-2019-19481 (b75c002cfb1fd61cd20ec938ff4937d7b1a94278)
* CVE-2019-19479 (c3f23b836e5a1766c36617fe1da30d22f7b63de2)
* Support RSA-PSS signature mechanisms using RSA-RAW (#1435)
* Added memory locking for secrets (#1491)
* added support for terminal colors (#1534)
* PC/SC driver: Fixed error handling in case of changing (#1537) or removing the card reader (#1615)
* macOS installer
* Add installer option to deselect tokend (#1607)
* Make OpenSCToken available on 10.12+ and the default on 10.15+ (2017626ed237dbdd4683a4b9410fc610618200c5)
* Configuration
* rename `md_read_only` to `read_only` and use it for PKCS#11 and Minidriver (#1467)
* allow global use of ignore_private_certificate (#1623)
* Build Environment
* Bump openssl requirement to 0.9.8 (##1459)
* Added support for fuzzing with AFL (#1580) and libFuzzer/OSS-Fuzz (#1697)
* Added CI tests for simulating GIDS, OpenPGP, PIV, IsoApplet (#1568) and MyEID (#1677) and CAC (#1757)
* Integrate clang-tidy with `make check` (#1673)
* Added support for reproducible builds (#1839)
## PKCS#11
* Implement write protection (CKF_WRITE_PROTECTED) based on the card profile (#1467)
* Added C_WrapKey and C_UnwrapKey implementations (#1393)
* Handle CKA_ALWAYS_AUTHENTICATE when creating key objects. (#1539)
* Truncate long PKCS#11 labels with ... (#1629)
* Fixed recognition of a token when being unplugged and reinserted (#1875)
## Minidriver
* Register for CardOS5 cards (#1750)
* Add support for RSA-PSS (263b945)
## OpenSC tools
* Harmonize the use of option `-r`/`--reader` (#1548)
* `goid-tool`: GoID personalization with fingerprint
* `openpgp-tool`
* replace the options `-L`/` --key-length` with `-t`/`--key-type` (#1508)
* added options `-C`/`--card-info` and `-K`/`--key-info` (#1508)
* `opensc-explorer`
* add command `pin_info` (#1487)
* extend `random` to allow writing to a file (#1487)
* `opensc-minidriver-test.exe`: Tests for Microsoft CryptoAPI (#1510)
* `opensc-notify`: Autostart on Windows
* `pkcs11-register`:
* Auto-configuration of applications for use of OpenSC PKCS#11 (#1644)
* Autostart on Windows, macOS and Linux (#1644)
* `opensc-tool`: Show ATR also for cards not recognized by OpenSC (#1625)
* `pkcs11-spy`:
* parse CKM_AES_GCM
* Add support for CKA_OTP_* and CKM_*_PSS values
* parse EC Derive parameters (#1677)
* `pkcs11-tool`
* Support for signature verification via `--verify` (#1435)
* Add object type `secrkey` for `--type` option (#1575)
* Implement Secret Key write object (#1648)
* Add GOSTR3410-2012 support (#1654)
* Add support for testing CKM_RSA_PKCS_OAEP (#1600)
* Add extractable option to key import (#1674)
* list more key access flags when listing keys (#1653)
* Add support for `CKA_ALLOWED_MECHANISMS` when creating new objects and listing keys (#1628)
* `pkcs15-crypt`: * Handle keys with user consent (#1529)
## CAC1
New separate CAC1 driver using the old CAC specification (#1502)
## CardOS
* Add support for 4K RSA keys in CardOS 5 (#1776)
* Fixed decryption with CardOS 5 (#1867)
## Coolkey
* Enable CoolKey driver to handle 2048-bit keys. (#1532)
## EstEID
* adds support for a minimalistic, small and fast card profile based on IAS-ECC issued since December 2018 (#1635)
## GIDS
* GIDS Decipher fix (#1881)
* Allow RSA 4K support (#1891)
## MICARDO
* Remove long expired EstEID 1.0/1.1 card support (#1470)
## MyEID
* Add support for unwrapping a secret key with an RSA key or secret key (#1393)
* Add support for wrapping a secret key with a secret key (#1393)
* Support for MyEID 4K RSA (#1657)
* Support for OsEID (#1677).
## Gemalto GemSafe
* add new PTeID ATRs (#1683)
* Add support for 4K RSA keys (#1863, #1872)
## OpenPGP
* OpenPGP Card v3 ECC support (#1506)
## Rutoken
* Add Rutoken ECP SC (#1652)
* Add Rutoken Lite (#1728)
## SC-HSM
* Add SmartCard-HSM 4K ATR (#1681)
* Add missing secp384r1 curve parameter (#1696)
## Starcos
* Fixed decipher with 2.3 (#1496)
* Added ATR for 2nd gen. eGK (#1668)
* Added new ATR for 3.5 (#1882)
* Detect and allow Globalplatform PIN encoding (#1882)
## TCOS
* Fix TCOS IDKey support (#1880)
* add encryption certificate for IDKey (#1892)
## Infocamere, Postecert, Cnipa
* Removed profiles (#1584)
## ACS ACOS5
* Remove incomplete acos5 driver (#1622).
# New in 0.19.0; 2018-09-13
## General Improvements
* fixed multiple security problems (out of bound writes/reads, #1447):
* CVE-2018-16391
* CVE-2018-16392
* CVE-2018-16393
* CVE-2018-16418
* CVE-2018-16419
* CVE-2018-16420
* CVE-2018-16421
* CVE-2018-16422
* CVE-2018-16423
* CVE-2018-16424
* CVE-2018-16425
* CVE-2018-16426
* CVE-2018-16427
* Improved documentation:
* New manual page for opensc.conf(5)
* Added several missing switches in manual pages and fixed formatting
* Win32 installer:
* automatically start SCardSvr
* added newer OpenPGP ATRs
* macOS installer: use HFS+ for backward compatibility
* Remove outdated solaris files
* PC/SC driver:
* Workaround OMNIKEY 3x21 and 6121 Smart Card Readers wrongly identified as pinpad readers in macOS
* Workaround cards returning short signatures without leading zeroes
* bash completion
* make location directory configurable
* Use a new correct path by default
* build: support for libressl-2.7+
* Configuration
* Distribute minimal opensc.conf
* `pkcs11_enable_InitToken made` global configuration option
* Modify behavior of `OPENSC_DRIVER` environment variable to restrict driver list instead of forcing one driver and skipping vital parts of configuration
* Removed configuration options `zero_ckaid_for_ca_certs`, `force_card_driver`, `reopen_debug_file`, `paranoid-memory`
* Generalized configuration option `ignored_readers`
* If card initialization fails, continue card detection with other card drivers (#1251)
* Fixed long term card operations on Windows 8 and later (#1043)
* reader-pcsc: allow fixing the length of a PIN
* fixed multithreading issue on Window with OpenPACE OIDs
## PKCS#11
* fixed crash during `C_WaitForSlotEvent` (#1335)
## Minidriver
* Allow cancelling the PIN pad prompt before starting the reader transaction. Whether to start the transaction immediately or not is user-configurable for each application
## OpenSC tools
* `opensc-notify`
* add Exit button to tray icon
* User better description (GenericName) and a generic application icon
* Do not display in the application list
* `pkcs15-tool`
* added support for reading ECDSA ssh keys
* `p11test`
* Filter certificates other than `CKC_X_509`
* `openpgp-tool`
* allow calling -d multiple times
* clarify usage text
## sc-hsm
* Implement RSA PSS
* Add support for SmartCard-HSM 4K (V3.0)
## CAC
* Remove support for CAC1 cards
* Ignore unknown tags in properties buffer
* Use GET PROPERTIES to recognize buffer formats
* Unbreak encoding last tag-len-value in the data objects
* Support HID Alt tokens without CCC
* They present certificates in OIDs of first AID and use other undocumented applets
* Inspect the tokens through the ACA applet and GET ACR APDU
## Coolkey
* Unbreak Get Challenge functionality
* Make uninitialized cards working as expected with ESC
## OpenPGP
* add serial number to card name
* include detailed version into card name
* define & set LCS (lifecycle support) as extended capability
* extend manufacturer list in pkcs15-openpgp.c
* correctly parse hist_bytes
* Make deciphering with AUT-key possible for OpenPGP Card >v3.2 (fixes #1352)
* Add supported algorithms for OpenPGP Card (Fixes #1432)
## Starcos
* added support for 2nd generation eGK (#1451)
## CardOS
* create PIN in MF (`pkcs15init`)
## German ID card
* fixed identifying unknown card as German ID card (#1360)
## PIV
* Context Specific Login Using Pin Pad Reader Fix
* Better Handling of Reset using Discovery Object
# New in 0.18.0; 2018-05-16
## General Improvements
* PKCS#15
* fixed parsing ECC parameters from TokenInfo (#1134)
* Added PKCS#15 emulator for DIN 66291 profile
* Cope with empty serial number in TokenInfo
* Build Environment
* Treat compiler warnings as errors (use `--disable-strict` to avoid)
* MacOS
* optionally use CTK in package builder
* fixed detection of OpenPACE package
* macOS High Sierra: fixed dmg creation
* fixed DNIe UI compatibility
* Windows: Use Dedicated md/pkcs11 installation folders instead of installing to System32/SysWOW64
* fixed (possible) memory leaks for PIV, JPKI, PKCS#11, Minidriver
* fixed many issues reported via compiler warnings, coverity scan and clang's static analyzer
* beautify printed ASN.1 data, add support for ASN.1 time types
* SimpleTLV: Skip correctly two bytes after reading 2b size (#1231)
* added support for `keep_alive` commands for cards with multiple applets to be enabled via `opensc.conf`
* added support for bash completion for arguments that expect filenames
* added keyword `old` for selecting `card_drivers` via `opensc.conf`
* improved documentation manuals for OpenSC tools
* use `leave` as default for `disconnect_action` for PC/SC readers
## PKCS#11
* Make OpenSC PKCS#11 Vendor Defined attributes, mechanisms etc unique
## Minidriver
* added CNS ATR (#1153)
* Add multiple PINs support to minidriver
* protect MD entry points with `CriticalSection`
## Tokend
* Configuration value for not propagating certificates that require user authentication (`ignore_private_certificate`)
## CryptoTokenKit
* Added support for PIN pad
* fixed codesigning of opensc tools
* Added complete support for system integration with https://github.com/frankmorgner/OpenSCToken
## OpenSC Tools
* `cardos-tool`
* List human-readable version for CardOS 5.3
* `pkcs11-tool`
* fixed overwriting digestinfo + hash for RSA-PKCS Signature
* Enable support for RSA-PSS signatures in pkcs11-tool
* Add support for RSA-OAEP
* Fixed #1286
* Add missing pkcs11-tool options to man page
* allow mechanism to be specified in hexadecimal
* fixed default module path on Windows to use opensc-pkcs11.dll
* `pkcs11-spy`
* Add support for RSA-OAEP
* Add support for RSA-PSS
* `pkcs15init`
* Fix rutokenS FCP parsing (#1259)
* `egk-tool`
* Read data from German Health Care Card (Elektronische Gesundheitskarte, eGK)
* `opensc-asn1`
* Parse ASN.1 from files
* `opensc-tool`/`opensc-explorer`
* Allow extended APDUs
## Authentic
* Correctly handle APDUs with more than 256 bytes (#1205)
## Coolkey
* Copy labels from certificate objects to the keys
## Common Access Card
* Fixed infinite reading of certificate
* Added support for Alt token card
## MyEID
* support for RAW RSA signature for 2048 bit keys
## IAS/ECC
* Support for new MinInt agent card
## PIV
* Get cardholder name from the first certificate if token label not specified
* implemented keep alive command (#1256)
* fixed signature creation with `CKA_ALWAYS_AUTHENTICATE` (i.e. PKCS#11 `C_Login(CKU_CONTEXT_SPECIFIC)`)
## CardOS
* fixed card name for CardOS 5
* added ATR `"3b:d2:18:00:81:31:fe:58:c9:02:17"`
* Try forcing `max_send_size` for PSO:DEC
## DNIe
* DNIe: card also supports 1920 bits (#1247)
## GIDS
* Fix GIDS admin authentication
## epass 3000
* Add ECC support
* Fix #1073
* Fix #1115
* Fix buffer underrun in decipher
* Fix #1306
## Starcos
* added serial number for 3.4
* fixed setting key reference for 3.4
* added support for PIN status queries for 3.4
## EstEID
* ECDSA/ECDH token support
* Fix crash when certificate read failed (#1176)
* Cleanup expired EstEID card ATR-s
* Fix reading EstEID certificates with T=0 (#1193)
## OpenPGP
* Added support for PIN logout and status
* factory reset is possible if LCS is supported
* Added support for OpenPGP card V3
* fixed selecting Applet
* implemented keep alive command
* Retrieve OpenPGP applet version from OpenPGP applet on YubiKey token (#1262)
## German ID card
* fixed recognition of newer cards
## SC-HSM
* Don't block generic contactless ATR
* changed default labels of GoID
* added PIN commands for GoID 1.0
## Starcos
* Added Support for Starcos 3.4 and 3.5
## MioCOS
* disabled by default, use `card_drivers = old;` to enable; driver will be removed soon.
## BlueZ PKCS#15 applet
* disabled by default, use `card_drivers = old;` to enable; driver will be removed soon.
# New in 0.17.0; 2017-07-18
## Support for new Cards
* CAC (Common Access Card)
* GoID (SC-HSM with built-in PIN pad and fingerprint sensor)
* Coolkey
* JPKI (Japanese Individual Number Card)
* nPA (German ID card, eSign Application)
## General Improvements
* PKCS#15
* Implemented file caching based on card's contact-less UID
* Cache EF.ODF and EF.TokenInfo
* File caching is done transparently when the user sets the config option.
* `opensc.conf`
* Added `disable_popups` for disabling internal UI
* All Windows specific reader configuration is handled by the pcsc driver (cardmod driver was removed)
* Build Environment
* Allow setting `PKG_CONFIG_PATH` for macOS build
* Added compatibility with Visual Studio 2015
* Allow building against LibreSSL
* Allow building against OpenSSL 1.1.0
* Allow building against WiX 3.11
* Allow building minidriver with MinGW
* Include OpenPACE library by default
* Removed `BUILD_ON`/`BUILD_FOR` variable
* Simplified installer on macOS and Windows
* Added support for PIN commands via PC/SC escape commands
* Added support for card reader access via CryptoTokenKit
* Added support for PIN entry on card for verification/unblock/change
* Recognize T=0 limitation of sending 255 bytes
* Force T=1 for contactless cards
* Allow setting driver via `OPENSC_DRIVER` environment variable
* Fixed many bugs
* Fixed many compiler warnings
* Fixed possible issues (memory corruptions, memory leaks, double free, ...)
* Internal refactoring and cleanup
## PKCS#11
* Move PIN type label front of description
* `C_GetTokenInfo` read the login status from the card if possible
* Don't use ':' in the token name (#849)
* Install `opensc-pkcs11.pc` for usage with `pkg-config`
* Don't shrink the number of slots (#629)
* Add session handle uniqueness check to PKCS#11 `C_OpenSession()`
* Activate functionality of `C_WaitForSlot()` for pcsc-lite >= 1.8.22
## Minidriver
* Support PIN unblocking in minidriver via PUK as response
* Added support for Session PIN
## Tokend
* Allow usage of readers PIN pad by entering an empty PIN
## OpenSC Tools
* Fixed Bash completion (#782)
* `opensc-tool`
* Added `--reset` option
* `opensc-explorer`
* Show tag 0x82 for unknown files
* `pkcs15-tool`
* Fixed `--read-ssh-key` crash (#788)
* Added `--clear-cache`
* Fixed locking the card on Windows (#868)
* Add `--list-info` option
* Make `--list-...` messages consistent
* Add `--short` option
* `--read-data-object`: Do not print data to terminal when output file is given
* Reword `--no-prompt` to `--use-pinpad`, old option still available as alias
* Added `--test-session-pin` option
* `pkcs15-init`
* Fix using PINPAD to verify PIN (#856)
* Fixed locking the card on Windows (#868)
* Added `--secret-key-algorithm` option
* Print more detailed secret key information
* `pkcs11-tool`
* Added `keygen` for secret key generation
* Better handling of PIN (re-) validation
* Fixed --id for `C_GenerateKey`, DES and DES3 keygen mechanism (#857)
* Added `--derive-pass-der` option
* Added `--generate-random` option
* Add GOSTR3410 key pair generation
* `npa-tool` (new)
* Allows read/write access to EAC tokens
* Allows PIN management for EAC tokens
* `gids-tool`
* Fixed entering SN via command line
* `sc-hsm-tool`
* Added `--print-dkek-share` (hidden from the user)
* Fixed locking the card on Windows (#868)
## CardOS
* Better support for CardOS 5.3
## DNIe
* Fixed interaction with DNIe UI
* Added support for DNIe 3.0
## ePass2003
* Add new ATR for entersafe PKI card
* Solved Incorrect PIN raise wrong CKR error
## GemsafeV1
* PTeid: add objects (SOD, TRACe, CA) and fix flags
* PTeid: Support PIN max tries and tries left report
* PTeid: Properly report cards with 2048b keys.
## MyEID
* Fix to ECDH implementation (#756)
* Added support for symmetric keys
## OpenPGP
* Improve handling of OpenPGP card PIN change and unblock commands
## PIV
* Some workarounds for PIV-alike cards (e.g. Yubikey)
* Change driver's short name to 'PIV-II'
* Use certificate's keyUsage to set PKCS#11 key attributes
## SC-HSM
* Use PKCS#15 file cache
* Prevent unnecessary applet selection and state resets
* Added support for session pin
* Fixed forcing a card driver via opensc.conf
## STARCOS
* Read the maximum transcive sice from the card's ATR (#765)
New in 0.16.0; 2016-05-15
* build
link OpenSSL in static
option: enable PKCS11 thread locking
* configuration
use one configuration file for all systems
* tools:
package revision as version
** pkcs11-tool
keygen mechanism in pkcs11 tools
write GOST public key
fix CKA_SENSITIVE attribute of public keys
** opensc-explorer:
added command find_tags
allow ASN.1 decoding if the file seems incomplete
** pkcs15-tool:
handle record-based files when doing file caching
option to prine raw data
** sc-hsm-tool:
status info support for SmartCard-HSM V2.0
** doc: some missing options are documented, added documentation
for gid tool
* minidriver:
support for ECC
Windows x509 enrollment
first implementation of CardDeleteContainer
MD logs controlled by register and environment variable
* reader-pcsc
fixed unreleased locks with pcsc-lite
honour PC/SC pt 10 dwMaxAPDUDataSize
added call back for getting vendor/product id
restrict access to card handles after fork
SCardGetAttrib is used to initialize reader's metadata
by default only short APDUs supported
* pkcs11
no slot reserved for hot plug
no more slot created 'per-applications'
atomic operation (TODO: expand)
export all C_* symbols
metadata initialized from package info
fix registering pkcs11 mechanisms multiple times
sloppy initialization for C_GetSlotInfo
* pkcs15
cache of on-card files extended to application paths
configuration option to enable/disable application
make file cache dir configurable
in key info data type introduced 'auxiliary data' -- container
for the non-pkc15 data.
* OpenPGP
support for Gnuk -- USB cryptographic token for GNU Privacy Guard
build without OpenSSL
implemented 'erase card'
additional manufacturers
* MyEID
support for 521 bit ECC keys
ATRs for the new cards
* sc-hsm
read/write support in minidriver
* rtecp
delete keys
* GemSafeV1
support for European Patent Office smart card
sign with SHA256
* Gids
first support for Gids smart card
* dnie
* Feitian PKI card
new ATRs
* IsoApplet
(fixes)
* starcos
initial support for STARCOS 3.4 (German D-Trust cards)
* macosx
install tokend to /Library/Security/ instead /System/Library/Security/
fixed locking issue in pcsc reader
* PIV
allow using of cards where default application in not PIV
support for the Yubikey NEO
* italian-CNS
italian-cns reg file for minidriver
New in 0.15.0; 2015-05-11
* new card drivers
AzeDIT 3.5
IsoApplet
MaskTech
* libopensc
allow extended length APDUs
accept no output for 'SELECT' MF and 'SELECT' DF_NAME APDUs
fixed sc_driver_version check
adjusted send/receive size according to card capabilities
in iso7816 make SELECT agnosting to sc_path_t's aid
* asn1
support multi-bytes tags
* pkcs15
reviewed support and tool functions for public key
public certs and pubkeys with an auth_id are treated as private
* pkcs11
introduced default PKCS#11 provider
fetched real value of CKA_LOCAL for pubkey
removed inconsistent attributes
C_Digest issues
no check if buffer too small before update
* added support for Travis CI
* updated support of EC in libopensc, pkcs15 and pkcs11
* fixed number of warnings, resource leaks, overity-scan issues
* macosx
target minimum OSX version to 10.7
update the minimal building instructions.
locate and target the latest SDK to build against.
locate the best newest SDK present on the computer.
* build
disable Secure Messaging if OpenSSL is not used
* tools
util_get_pin helper function
* PIV
Add AES support for PIV General Authenticate
fixed invalid bit when writing PIV certificate object with gzipped certificate
fixed bad caching behavior of PIV PKCS15 emulator
* ePass2003
fixed failure due to re-authenticate of secure messaging when card is accessed
by multiple PKCS11 sessions
* MyEID
EC support for MyEID-v4 card
* openpgp
extended options for openpgp-tool
* asepcos
fixed puk handling
* sc-hsm
support for Koblitz curves secp192k1 and secp256k1 (Bitcoin)
improved error detection and reporting in sc-hsm-tool
fixed Lc byte in VERIFY PIN block for PC/SC PIN PAD reader
fix certificate delete bug
* IAS/ECC
fixed PKCS#11 compliance issues
support for Morpho IAS Agent Card
* cardos
overwrite content of deleted private key
* win32
setup improuvement
look & feel
custom actions with card registration
minidriver impouvement
fixed errors and warnings returned by Microsoft quality tool
pin-pad support
New in 0.14.0; 2014-05-31
* new card driver DNIe
* extended existing drivers by support of
Swedish eID card (gemsafeV1)
EstEID 3.5 (mcrd)
* bogus javacard driver removed
* build
return to the standard use of 'autoconf'
CI specific bootstrap script: git commit stamp for the built packages
windows friendly compile settings
fixed a ton of compiler warnings
fence against using EVP_sha256 mech
debian packaging templates
compile without OpenSSL and without SM
enable compiler warnings by default
win32
add 'VarFileInfo' block to version-info
include to MSI package 'openpgp-tool.exe'
'version-info' resource for each target
* macOSX
"graphical uninstaller" to distribution DMG
update package building to modern tools
new tool and SDK paths for OS X 10.8
improved opensc-installer from distribution
osx: target 10.9 (a free upgrade to anyone using 10.6+) from now on
build 'fat' binaries i386
* common
added getpass implementation for non windows
* libopensc
allow for the pin to be entered on the keypad during issuing
introduce 'encoded-content' to the sc_file data
general usage method to allocate generalized time
* minidriver
implemented 'CardChangeAuthenticator', 'CardGetChallenge' and 'CardUnblockPin'
improved management of GUID
use reader pin pad if available and allowed
configuration options for
compose GUID
refuse create container mechanism
add registers file for feitian cards
fixed
return code in 'CardGetContainerInfo'
returned 'tries-left' for blocked card
length of stripped data in RSADecrypt
* pkcs#11
bind non-recognized card, generic 'init-token' procedure
fixed
CKA_VALUE of 'public-key' object
fix ASN1 encoding issues
PIN-NOT-INITIALIZED for the non-user PINs
buffers overflow
segfault due to the undefined 'application-file'
* pkcs15
'direct' public key in PuKDF encoding
implement SPKI public key encoding
include and maintain minidriver framework data: cmap-record, md-flags, GUID, ..
fixed
encoding of 'SubjectPublicKeyInfo'
DER encoding of 'issuer' and 'subject'
PIN validation in 'pkcs15-verify'
public key algorithm
ECC public key encoding
ECC ecpointQ
* pkcs15init
introduce 'max-unblocks' PIN init parameter
keep cert. blob in cert-info data
file 'content' and 'prop-attrs' in the card profile
in profile more AC operations are parsed
fixed
NULL pointer dereference error
NULL 'store-key' handle
ignore if no TokenInfo file to update
set EC pubkey parameters from init data
* reader-pcsc
fixed
implicit pin modification
pin checking when implicitly given
verify/modify pinpad commands
* SM
common SM 'increase-sequence-counter' procedure
move SM APDU procedures to dedicated source file
move SM common crypto procedures to the dedicated library
* doc
documentation for --list-token-slots
* default driver
do not send possibly arbitrary APDU-s to an unknown card.
by default 'default' card driver is disabled
* sc-hsm
Added support for
persistent EC public keys generated from certificate signing requests
token label to be set via C_InitToken or sc-hsm-tool
unblock PIN using C_InitPIN()
initialize EC key params
fixed
bug that prevents a newly generated 2048 key to show up at the PKCS#11 interface
bug when changing SO-PIN with opensc-explorer sc-hsm-tool
memory checking and removed warning
problem deleting CA certificates sc-hsm
public key format returned when generating ECC keys
sc-hsm-tool
better error handling for non-SmartCard-HSM cards
support for DKEK password sharing scheme
threshold scheme parameters to manpage
crash on Windows when --wrap-key frees memory allocated in opensc.dll
* ias
simplify the compute signature operation
* PIV
use SPKI encoding for public key data
extract public key from cert if no object on card
fix
segfault and valgrind issue
gen_key to expect the proper PIV Key references
* CardOS
build for Windows
use information from AlgorithmInfo
supported CardOS V5.0
* epass2003
key generation allows stricter privkey/pubkey ACLs
list_files implemented
properly disable padding
allow exponents other than 65537
* myeid
fixed file-id in myeid.profile
* entersafe
fix a bug when writing public key
* EstEID
match card only based on presence of application.