What's new in OpenSC 0.25.1
Apr 9, 2024
- General improvements:
- Add missing file to dist tarball to build documentation (#3063)
- minidriver:
- Fix RSA decryption with PKCS#1 v1.5 padding (#3077)
- Fix crash when app is not set (#3084)
New in OpenSC 0.25.0 (Apr 9, 2024)
- Security:
- CVE-2023-5992: Side-channel leaks while stripping encryption PKCS#1.5 padding in OpenSC (#2948)
- CVE-2024-1454: Potential use-after-free in AuthentIC driver during card enrollment in pkcs15init (#2962)
- General improvements:
- Update OpenSSL 1.1.1 to 3.0 in MacOS build (#2930)
- Remove support for old card drivers Akis, GPK, Incrypto34 and Westcos, disable Cyberflex driver (#2885)
- Fix 64b to 32b conversions (#2993)
- Improvements for the p11test (#2991)
- Fix reader initialization without SCardControl (#3007)
- Make RSA PKCS#1 v1.5 depadding constant-time (#2948)
- Add option for disabling PKCS#1 v1.5 depadding (type 01 and 02) on the card (#2975)
- Enable MSI signing via Signpath CI integration for Windows (#2799)
- Fixed various issues reported by OSS-Fuzz and Coverity in drivers, PKCS#11 and PKCS#15 layer
- minidriver:
- Fix wrong hash selection (#2932)
- pkcs11-tool:
- Simplify printing EC keys parameters (#2960)
- Add option to import GENERIC key (#2955)
- Add support for importing Ed25518/448 keys (#2985)
- drust-tool:
- Add tool for D-Trust cards (#3026, #3051)
- IDPrime:
- Support uncompressed certificates on IDPrime 940 (#2958)
- Enhance IDPrime logging (#3003)
- Add SafeNet 5110+ FIPS token support (#3048)
- D-Trust Signature Cards:
- Add support for RSA D-Trust Signature Card 4.1 and 4.4 (#2943)
- EstEID:
- Remove expired EstEID 3.* card support (#2950)
- ePass2003:
- Allow SW implementation with more SHA2 hashes and ECDSA (#3012)
- Fix EC key generation (#3045)
- SmartCard-HSM:
- Fix SELECT APDU command (#2978)
- MyEID:
- Update for PKCS#15 profile (#2965)
- Rutoken:
- Support for RSA 4096 key algorithm (#3011)
- OpenPGP:
- Fix decryption requiting Manage Security Environment for authentication key (#3042)
New in OpenSC 0.25.0 RC 1 (Feb 19, 2024)
- Security:
- CVE-2023-5992: Side-channel leaks while stripping encryption PKCS#1.5 padding in OpenSC (#2948)
- CVE-2024-1454: Potential use-after-free in AuthentIC driver during card enrollment in pkcs15init (#2962)
- General improvements:
- Update OpenSSL 1.1.1 to 3.0 in MacOS build (#2930)
- Remove support for old card drivers Akis, GPK, Incrypto34 and Westcos, disable Cyberflex driver (#2885)
- Fix 64b to 32b conversions (#2993)
- Improvements for the p11test (#2991)
- Fix reader initialization without SCardControl (#3007)
- Make RSA PKCS#1 v1.5 depadding constant-time (#2948)
- Add option for disabling PKCS#1 v1.5 depadding (type 01 and 02) on the card (#2975)
- Enable MSI signing via Signpath CI integration for Windows (#2799)
- Fixed various issues reported by OSS-Fuzz and Coverity in drivers, PKCS#11 and PKCS#15 layer
- minidriver:
- Fix wrong hash selection (#2932)
- pkcs11-tool:
- Simplify printing EC keys parameters (#2960)
- Add option to import GENERIC key (#2955)
- Add support for importing Ed25518/448 keys (#2985)
- IDPrime:
- Support uncompressed certificates on IDPrime 940 (#2958)
- Enhance IDPrime logging (#3003)
- D-Trust Signature Cards:
- Add support for RSA D-Trust Signature Card 4.1 and 4.4 (#2943)
- EstEID:
- Remove expired EstEID 3.* card support (#2950)
- ePass2003:
- Allow SW implementation with more SHA2 hashes and ECDSA (#3012)
- SmartCard-HSM:
- Fix SELECT APDU command (#2978)
- MyEID:
- Update for PKCS#15 profile (#2965)
- Rutoken:
- Support for RSA 4096 key algorithm (#3011)
New in OpenSC 0.24.0 (Dec 13, 2023)
- Security:
- CVE-2023-40660: Fix Potential PIN bypass (#2806, frankmorgner/OpenSCToken#50, #2807)
- CVE-2023-40661: Important dynamic analyzers reports
- CVE-2023-4535: Out-of-bounds read in MyEID driver handling encryption using symmetric keys (f1993dc4)
- General improvements:
- Fix compatibility of EAC with OpenSSL 3.0 (#2674)
- Enable `use_file_cache` by default (#2501)
- Use custom libctx with OpenSSL >= 3.0 (#2712, #2715)
- Fix record-based files (#2604)
- Fix several race conditions (#2735)
- Run tests under Valgrind (#2756)
- Test signing of data bigger than 512 bytes (#2789)
- Update to OpenPACE 1.1.3 (#2796)
- Implement logout for some of the card drivers (#2807)
- Fix wrong popup position of opensc-notify (#2901)
- Fixed various issues reported by OSS-Fuzz and Coverity regarding card drivers, PKCS#11 and PKCS#15 init
- PKCS#11:
- Check card presence state in `C_GetSessionInfo` (#2740)
- Remove `onepin-opensc-pkcs11` module (#2681)
- Do not use colons in the token info label (#2760)
- Present profile objects in all slots with the CKA_TOKEN attribute to resolve issues with NSS (#2928, #2924)
- Use secure memory for PUK (#2906)
- Don't logout to preserve concurrent access from different processes (#2907)
- Add more examples to manual page (#2936)
- Present profile objects in all virtual slots (#2928)
- Provide CKA_TOKEN attribute for profile objects (#2924)
- Improve --slot parameter documentation (#2951)
- PKCS#15:
- Honor cache offsets when writing file cache (#2858)
- Prevent needless amount of PIN prompts from pkcs15init layer (#2916)
- Propagate CKA_EXTRACTABLE and SC_PKCS15_PRKEY_ACCESS_SENSITIVE from and back to PKCS#11 (#2936)
- Minidriver:
- Fix for private keys that do not need a PIN (#2722)
- Unbreak decipher when the first null byte of PKCS#1.5 padding is missing (#2939)
- pkcs11-tool:
- Fix RSA key import with OpenSSL 3.0 (#2656)
- Add support for attribute filtering when listing objects (#2687)
- Add support for `--private` flag when writing certificates (#2768)
- Add support for non-AEAD ciphers to the test mode (#2780)
- Show CKA_SIGN attribute for secret keys (#2862)
- Do not attempt to read CKA_ALWAYS_AUTHENTICATE on secret keys (#2864, #2913)
- Show Sign/VerifyRecover attributes (#2888)
- Add option to import generic keys (#2955)
- westcos-tool:
- Generate 2k RSA keys by default (b53fc5cd)
- pkcs11-register:
- Disable autostart on Linux by default (#2680)
- IDPrime:
- Add support for IDPrime MD 830, 930 and 940 (#2666)
- Add support for SafeNet eToken 5110 token (#2812)
- Process index even without keyrefmap and use correct label for second PIN (#2878)
- Add support for Gemalto IDPrime 940C (#2941)
- EPass2003:
- Change of PIN requires verification of the PIN (#2759)
- Fix incorrect CMAC computation for subkeys (#2759, issue #2734)
- Use true random number for mutual authentication for SM (#2766)
- Add verification of data coming from the token in the secure messaging mode (#2772)
- Avoid success when using unsupported digest and fix data length for RAW ECDSA signatures (#2845)
- OpenPGP:
- Fix select data command (#2753, issue #2752)
- Unbreak ed/curve25519 support (#2892)
- eOI:
- Add support for Slovenian eID card (eOI) (#2646)
- Italian CNS
- Add support for IDEMIA (Oberthur) tokens (#2483)
- PIV:
- Add support for Swissbit iShield FIDO2 Authenticator (#2671)
- Implement PIV secure messaging (#2053)
- SkeID:
- Add support for Slovak eID cards (#2672)
- isoApplet:
- Support ECDSA with off-card hashing (#2642)
- MyEID:
- Fix WRAP operation when using T0 (#2695)
- Identify changes on the card and enable `use_file_cache` (#2798)
- Workaround for unwrapping using 2K RSA key (#2921)
- SC-HSM:
- Add support for `opensc-tool --serial` (#2675)
- Fix unwrapping of 4096 keys with handling reader limits (#2682)
- Indicate supported hashes and MGF1s (#2827)
New in OpenSC 0.24.0 RC 2 (Nov 21, 2023)
- Security:
- CVE-2023-40660: Fix Potential PIN bypass (#2806, frankmorgner/OpenSCToken#50, #2807)
- CVE-2023-40661: Important dynamic analyzers reports
- CVE-2023-4535: Out-of-bounds read in MyEID driver handling encryption using symmetric keys (f1993dc4)
- General improvements:
- Fix compatibility of EAC with OpenSSL 3.0 (#2674)
- Enable `use_file_cache` by default (#2501)
- Use custom libctx with OpenSSL >= 3.0 (#2712, #2715)
- Fix record-based files (#2604)
- Fix several race conditions (#2735)
- Run tests under Valgrind (#2756)
- Test signing of data bigger than 512 bytes (#2789)
- Update to OpenPACE 1.1.3 (#2796)
- Implement logout for some of the card drivers (#2807)
- Fix wrong popup position of opensc-notify (#2901)
- Fixed various issues reported by OSS-Fuzz and Coverity regarding card drivers, PKCS#11 and PKCS#15 init
- PKCS#11:
- Check card presence state in `C_GetSessionInfo` (#2740)
- Remove `onepin-opensc-pkcs11` module (#2681)
- Do not use colons in the token info label (#2760)
- Present profile objects in all slots with the CKA_TOKEN attribute to resolve issues with NSS (#2928, #2924)
- Use secure memory for PUK (#2906)
- Don't logout to preserve concurrent access from different processes (#2907)
- Add more examples to manual page (#2936)
- Present profile objects in all virtual slots (#2928)
- Provide CKA_TOKEN attribute for profile objects (#2924)
- PKCS#15:
- Honor cache offsets when writing file cache (#2858)
- Prevent needless amount of PIN prompts from pkcs15init layer (#2916)
- Propagate CKA_EXTRACTABLE and SC_PKCS15_PRKEY_ACCESS_SENSITIVE from and back to PKCS#11 (#2936)
- Minidriver:
- Fix for private keys that do not need a PIN (#2722)
- Unbreak decipher when the first null byte of PKCS#1.5 padding is missing (#2939)
- ## pkcs11-tool:
- Fix RSA key import with OpenSSL 3.0 (#2656)
- Add support for attribute filtering when listing objects (#2687)
- Add support for `--private` flag when writing certificates (#2768)
- Add support for non-AEAD ciphers to the test mode (#2780)
- Show CKA_SIGN attribute for secret keys (#2862)
- Do not attempt to read CKA_ALWAYS_AUTHENTICATE on secret keys (#2864, #2913)
- Show Sign/VerifyRecover attributes (2888)
- westcos-tool:
- Generate 2k RSA keys by default (b53fc5cd)
- pkcs11-register
- Disable autostart on Linux by default (#2680)
- IDPrime:
- Add support for IDPrime MD 830, 930 and 940 (#2666)
- Add support for SafeNet eToken 5110 token (#2812)
- Process index even without keyrefmap and use correct label for second PIN (#2878)
- EPass2003:
- Change of PIN requires verification of the PIN (#2759)
- Fix incorrect CMAC computation for subkeys (#2759, issue #2734)
- Use true random number for mutual authentication for SM (#2766)
- Add verification of data coming from the token in the secure messaging mode (#2772)
- Avoid success when using unsupported digest and fix data length for RAW ECDSA signatures (#2845)
- OpenPGP:
- Fix select data command (#2753, issue #2752)
- Unbreak ed/curve25519 support (#2892)
- eOI:
- Add support for Slovenian eID card (eOI) (#2646)
- Italian CNS:
- Add support for IDEMIA (Oberthur) tokens (#2483)
- PIV:
- Add support for Swissbit iShield FIDO2 Authenticator (#2671)
- Implement PIV secure messaging (#2053)
- SkeID:
- Add support for Slovak eID cards (#2672)
- isoApplet:
- Support ECDSA with off-card hashing (#2642)
- MyEID:
- Fix WRAP operation when using T0 (#2695)
- Identify changes on the card and enable `use_file_cache` (#2798)
- Workaround for unwrapping using 2K RSA key (#2921)
- SC-HSM:
- Add support for `opensc-tool --serial` (#2675)
- Fix unwrapping of 4096 keys with handling reader limits (#2682)
- Indicate supported hashes and MGF1s (#2827)
New in OpenSC 0.23.0 RC 1 (Nov 9, 2022)
- General improvements:
- Support signing of data with a length of more than 512 bytes (#2314)
- By default, disable support for old card drivers (#2391) and remove support for old drivers MioCOS and JCOP (#2374)
- Bump minimal required OpenSSL version to 1.1.1 and add support for OpenSSL 3.0 (#2438, #2506)
- Compatibility with LibreSSL (#2495, #2595)
- Remove support for DSA (#2503)
- Extend p11test to support symmetric keys (#2430)
- Notice detached reader on macOS (#2418)
- Support for OAEP padding (#2475, #2484)
- Fix for PSS salt length (#2478)
- Improve fuzzing by adding new tests (#2417, #2500, #2520, #2550)
- Fixed various issues reported by OSS-Fuzz and Coverity regarding card drivers, PKCS#11 and PKCS#15 init
- Fix issues with OpenPACE (#2472)
- Containers support for local testing
- Add support for encryption using symmetric keys (#2473)
- Stop building support for Gost algorithms with OpenSSL 3.0 as they require deprecated API (#2586)
- Fix detection of disconnected readers in PCSC (#2600)
- Add configuration option for on-disk caching of private data (#2588)
- PKCS#11:
- Implement C_CreateObject for EC keys and fix signature verification for CKM_ECDSA_SHAx cards (#2420)
- pkcs11-tool:
- Add more elliptic curves (#2301)
- Add support for symmetric encrypt and decrypt, wrap and unwrap operations, and initialization vector (#2268)
- Fix consistent handling of secret key attributes (#2497)
- Add support for signing and verifying with HMAC (#2385)
- Add support for SHA3 (#2467)
- Make object selectable via label (#2570)
- Do not require an R/W session for some operations and add --session-rw option (#2579)
- sc-hsm-tool:
- Add options for public key authentication (#2301)
- Minidriver:
- Fix reinit of the card (#2525)
- Add an entry for Italian CNS (e) (#2548)
- Fix detection of ECC mechanisms (#2523)
- NQ-Applet:
- Add support for the JCOP4 Cards with NQ-Applet (#2425)
- ItaCNS:
- Add support for ItaCMS v1.1 (key length 2048) (#2371)
- Belpic:
- Add support for applet v1.8 (#2455)
- Starcos:
- Add ATR for V3.4 (#2464)
- Add PKCS#15 emulator for 3.x cards with eSign app (#2544)
- ePass2003:
- Fix PKCS#15 initialization (#2403)
- Add support for FIPS (#2543)
- Fix matching with newer versions and tokens initialized with OpenSC (#2575)
- MyEID:
- Support logout operation (#2557)
- GIDS:
- Fix decipher for TPM (#1881)
- OpenPGP:
- Get the list of supported algorithms from algorithm information on the card (#2287)
- nPA:
- Fix card detection (#2463)
- Rutoken:
- Fix formatting rtecp cards (#2599)
- PIV:
- Add new PIVKey ATRs for current cards (#2602)
New in OpenSC 0.22.0 (Oct 12, 2022)
- General improvements:
- Use standard paths for file cache on Linux (#2148) and OSX (#2214)
- Various issues of memory/buffer handling in legacy drivers mostly reported by oss-fuzz and coverity (tcos, oberthur, isoapplet, iasecc, westcos, gpk, flex, dnie, mcrd, authentic, belpic)
- Add threading test to pkcs11-tool (#2067)
- Add support to generate generic secret keys (#2140)
- opensc-explorer: Print information about LCS (Life cycle status byte) (#2195)
- Add support for Apple's arm64 (M1) binaries, removed TokenD. A seperate installer with TokenD (and without arm64 binaries) will be available (#2179).
- Support for gcc11 and its new strict aliasing rules (#2241, #2260)
- Initial support for building with OpenSSL 3.0 (#2343)
- pkcs15-tool: Write data objects in binary mode (#2324)
- Avoid limited size of log messages (#2352)
- PKCS#11:
- Support for ECDSA verification (#2211)
- Support for ECDSA with different SHA hashes (#2190)
- Prevent issues in p11-kit by not returning unexpected return codes (#2207)
- Add support for PKCS#11 3.0: The new interfaces, profile objects and functions (#2096, #2293)
- Standardize the version 2 on 2.20 in the code (#2096)
- Fix CKA_MODIFIABLE and CKA_EXTRACTABLE (#2176)
- Copy arguments of C_Initialize (#2350)
- Minidriver:
- Fix RSA-PSS signing (#2234)
- OpenPGP:
- Fix DO deletion (#2215)
- Add support for (X)EdDSA keys (#1960)
- IDPrime:
- Add support for applet version 3 and fix RSA-PSS mechanisms (#2205)
- Add support for applet version 4 (#2332)
- MyEID:
- New configuration option for opensc.conf to disable pkcs1_padding (#2193)
- Add support for ECDSA with different hashes (#2190)
- Enable more mechanisms (#2178)
- Fixed asking for a user pin when formatting a card (#1737)
- IAS/ECC:
- Added support for French CPx Healthcare cards (#2217)
- CardOS:
- Added ATR for new CardOS 5.4 version (#2296)
New in OpenSC 0.13.0 (Apr 3, 2013)
- New card driver ePass2003.
- OpenPGP card:
- greatly improved card driver and PKCS#15 emulation;
- implemented write (pkcs15init) mode;
- greatly enhanced documentation and tools.
- ECDSA keys supported in 'read' and 'write' modes by
- internal PKCS#15 library, PKCS#11 and tools.
- Minidriver in 'write' mode.
- SM: secure messaging in GlobalPlatform-SP01 and CW14890 specifications;
- supported by ePass2003, IAS/ECC and AuthentIC cards;
- "ACL" and "APDU" modes to trigger secure messaging session;
- 'local' version of the external secure messaging module.
- PKCS#15: support of 'secret-key' PKCS#15 objects
- support of 'authentication-object' PKCS#15 objects
- support of 'algReference' common key PKCS#15 attribute
- support of 'algReference' common key PKCS#15 attribute
- support of 'subjectName' common public key PKCS#15 attribute
- PKCS#11: removed 'onepin' version of pkcs#11 module
- configuration options to expose slots for PINs and present on-card applications.
- support GOSTR3410 generate key mechanism
- Support of PACE reader.
- Remove libltdl reference.
- ECDSA supported by MyEID card
- New card driver for the SmartCard-HSM, a light-weight hardware security module
- New useful commands in 'opensc-explorer' tool: 'find', 'put-data', ...
- fixed SIGV issue due to the unsupported public key format
- fixes for the number of documentation issues
New in OpenSC 0.12.2 (Jul 18, 2011)
- Builds are now silent by default when OpenSC is built from source on Unix.
- Using --wait with command line tools works with 64bit Linux again.
- Greatly improved OpenPGP card support, including OpenPGP 2.0 cards like the one found in German Privacy Foundation CryptoStick.
- Fixed support for FINeID cards issued after 01.03.2011 with 2048bit keys.
- #256: Fixed support for TCOS cards (broken since 0.12.0).
- Added support for IDKey-cards to TCOS3 driver.
- #361: Improved PC/SC driver to fetch the maximum PIN sizes from the open source CCID driver. This fixes the issue for Linux/OSX with recent driver.
- WindowsInstaller now installs only static DLL-s (PKCS#11, minidriver) to system folder.
- Fix FINeID cards for organizations.
- Several smaller bugs and compiler warnings fixed.
New in OpenSC 0.11.13 (Oct 28, 2010)
- Modify Rutoken S binary interfaces by Aktiv Co.
- Muscle driver fixed (acl reading issue)
- Many small fixes (e.g. mem leaks)
- Compiling with openssl 1.0.0-beta fixed