forked from OpenSC/OpenSC
-
Notifications
You must be signed in to change notification settings - Fork 1
/
NEWS
1190 lines (1149 loc) · 47.2 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
NEWS for OpenSC -- History of user visible changes
# New in 0.22.0; 2021-08-10
## General improvements
* Use standard paths for file cache on Linux (#2148) and OSX (#2214)
* Various issues of memory/buffer handling in legacy drivers mostly reported by oss-fuzz and coverity (tcos, oberthur, isoapplet, iasecc, westcos, gpk, flex, dnie, mcrd, authentic, belpic)
* Add threading test to `pkcs11-tool` (#2067)
* Add support to generate generic secret keys (#2140)
* `opensc-explorer`: Print information about LCS (Life cycle status byte) (#2195)
* Add support for Apple's arm64 (M1) binaries, removed TokenD. A separate installer with TokenD (and without arm64 binaries) will be available (#2179).
* Support for gcc11 and its new strict aliasing rules (#2241, #2260)
* Initial support for building with OpenSSL 3.0 (#2343)
* pkcs15-tool: Write data objects in binary mode (#2324)
* Avoid limited size of log messages (#2352)
## PKCS#11
* Support for ECDSA verification (#2211)
* Support for ECDSA with different SHA hashes (#2190)
* Prevent issues in p11-kit by not returning unexpected return codes (#2207)
* Add support for PKCS#11 3.0: The new interfaces, profile objects and functions (#2096, #2293)
* Standardize the version 2 on 2.20 in the code (#2096)
* Fix CKA_MODIFIABLE and CKA_EXTRACTABLE (#2176)
* Copy arguments of C_Initialize (#2350)
## Minidriver
* Fix RSA-PSS signing (#2234)
## OpenPGP
* Fix DO deletion (#2215)
* Add support for (X)EdDSA keys (#1960)
## IDPrime
* Add support for applet version 3 and fix RSA-PSS mechanisms (#2205)
* Add support for applet version 4 (#2332)
## MyEID
* New configuration option for opensc.conf to disable pkcs1_padding (#2193)
* Add support for ECDSA with different hashes (#2190)
* Enable more mechanisms (#2178)
* Fixed asking for a user pin when formatting a card (#1737)
## IAS/ECC
* Added support for French CPx Healthcare cards (#2217)
## CardOS
* Added ATR for new CardOS 5.4 version (#2296)
# New in 0.21.0; 2020-11-24
## General Improvements
* fixed security problems
* CVE-2020-26570 (6903aebfddc466d966c7b865fae34572bf3ed23e)
* CVE-2020-26571
* CVE-2020-26572 (9d294de90d1cc66956389856e60b6944b27b4817)
* Bump minimal required OpenSSL version to 1.0.1 (#1658)
* Implement basic unit tests for asn1 library, compression and simpletlv parser (#1830)
* Allow generating code coverage
* Improve fuzzing by providing corpus from real cards (#1830)
* Implement support for OAEP encryption
* New separate debug level for PIN commands (d06f23e8)
* Fix handling of card/reader insertion/removal events in pcscd
* Many bugfixes reported by oss-fuzz, coverity and lgtm.com
* Fixes of removed readers handling (#1970)
* Fix Firefox crash because of invalid pcsc context (#2077)
## PKCS#11
* Return CKR_TOKEN_NOT_RECOGNIZED for not recognized cards (#2030)
* Propagate ignore_user_content to PKCS#11 layer not to confuse applications (#2040)
## Minidriver
* Fix check of ATR length (2-to 33 characters inclusive) (#2146)
## MacOS
* Add installer signing for PR and master
* Avoid app bundle relocations after installation
* Move OpenSC to MacOS Utilities folder (#2063)
## OpenSC tools
### pkcs11-tool
* Make SHA256 default for OAEP encryption
* pkcs11-tool: allow using SW tokens (#2113)
### opensc-explorer
* `asn1` accepts offsets and decode records (#2090)
* `cat` accepts records (#2090)
## OpenPGP
* Add new ec curves supported by GNUK (#1853)
* First steps supporting OpenPGP 3.4
* Add support for EC key import (#1821)
## Rutoken
* Add ATR for Rutoken ECP SC NFC (#2122)
## CardOS
* Improve detection of various CardOS 5 configurations (#1987)
## DNIe
* Add new DNIe CA structure for the secure channel (#2109)
## ePass2003
* Improve ECC support (#1859)
* Fixed erase sequence (#2097)
## IAS-ECC (#2070):
* Fixed support for Idemia Cosmo cards with AWP middleware interoperability (previously broken).
* Added support for Idemia Cosmo v8 cards.
* PIN padding settings are now used from PKCS#15 info when available.
* Added PIN-pad support for PIN unblock.
## IDPrime
* New driver for Gemalto IDPrime (only some types) (#1772)
## eDo
* New driver with initial support for Polish eID card (e-dowód, eDO) (#2023)
## MCRD
* Remove unused and broken RSA EstEID support (#2095)
## TCOS
* Add missing encryption certificates (#2083)
## PIV
* Add ATR of DOD Yubikey (#2115)
* fixed PIV global pin bug (#2142)
## CAC1
* Support changing PIN with CAC Alt tokens (#2129)
# New in 0.20.0; 2019-12-29
## General Improvements
* fixed security problems
* CVE-2019-6502 (#1586)
* CVE-2019-15946 (a3fc769)
* CVE-2019-15945 (412a614)
* CVE-2019-19480 (6ce6152284c47ba9b1d4fe8ff9d2e6a3f5ee02c7)
* CVE-2019-19481 (b75c002cfb1fd61cd20ec938ff4937d7b1a94278)
* CVE-2019-19479 (c3f23b836e5a1766c36617fe1da30d22f7b63de2)
* Support RSA-PSS signature mechanisms using RSA-RAW (#1435)
* Added memory locking for secrets (#1491)
* added support for terminal colors (#1534)
* PC/SC driver: Fixed error handling in case of changing (#1537) or removing the card reader (#1615)
* macOS installer
* Add installer option to deselect tokend (#1607)
* Make OpenSCToken available on 10.12+ and the default on 10.15+ (2017626ed237dbdd4683a4b9410fc610618200c5)
* Configuration
* rename `md_read_only` to `read_only` and use it for PKCS#11 and Minidriver (#1467)
* allow global use of ignore_private_certificate (#1623)
* Build Environment
* Bump openssl requirement to 0.9.8 (##1459)
* Added support for fuzzing with AFL (#1580) and libFuzzer/OSS-Fuzz (#1697)
* Added CI tests for simulating GIDS, OpenPGP, PIV, IsoApplet (#1568) and MyEID (#1677) and CAC (#1757)
* Integrate clang-tidy with `make check` (#1673)
* Added support for reproducible builds (#1839)
## PKCS#11
* Implement write protection (CKF_WRITE_PROTECTED) based on the card profile (#1467)
* Added C_WrapKey and C_UnwrapKey implementations (#1393)
* Handle CKA_ALWAYS_AUTHENTICATE when creating key objects. (#1539)
* Truncate long PKCS#11 labels with ... (#1629)
* Fixed recognition of a token when being unplugged and reinserted (#1875)
## Minidriver
* Register for CardOS5 cards (#1750)
* Add support for RSA-PSS (263b945)
## OpenSC tools
* Harmonize the use of option `-r`/`--reader` (#1548)
* `goid-tool`: GoID personalization with fingerprint
* `openpgp-tool`
* replace the options `-L`/` --key-length` with `-t`/`--key-type` (#1508)
* added options `-C`/`--card-info` and `-K`/`--key-info` (#1508)
* `opensc-explorer`
* add command `pin_info` (#1487)
* extend `random` to allow writing to a file (#1487)
* `opensc-minidriver-test.exe`: Tests for Microsoft CryptoAPI (#1510)
* `opensc-notify`: Autostart on Windows
* `pkcs11-register`:
* Auto-configuration of applications for use of OpenSC PKCS#11 (#1644)
* Autostart on Windows, macOS and Linux (#1644)
* `opensc-tool`: Show ATR also for cards not recognized by OpenSC (#1625)
* `pkcs11-spy`:
* parse CKM_AES_GCM
* Add support for CKA_OTP_* and CKM_*_PSS values
* parse EC Derive parameters (#1677)
* `pkcs11-tool`
* Support for signature verification via `--verify` (#1435)
* Add object type `secrkey` for `--type` option (#1575)
* Implement Secret Key write object (#1648)
* Add GOSTR3410-2012 support (#1654)
* Add support for testing CKM_RSA_PKCS_OAEP (#1600)
* Add extractable option to key import (#1674)
* list more key access flags when listing keys (#1653)
* Add support for `CKA_ALLOWED_MECHANISMS` when creating new objects and listing keys (#1628)
* `pkcs15-crypt`: * Handle keys with user consent (#1529)
## CAC1
New separate CAC1 driver using the old CAC specification (#1502)
## CardOS
* Add support for 4K RSA keys in CardOS 5 (#1776)
* Fixed decryption with CardOS 5 (#1867)
## Coolkey
* Enable CoolKey driver to handle 2048-bit keys. (#1532)
## EstEID
* adds support for a minimalistic, small and fast card profile based on IAS-ECC issued since December 2018 (#1635)
## GIDS
* GIDS Decipher fix (#1881)
* Allow RSA 4K support (#1891)
## MICARDO
* Remove long expired EstEID 1.0/1.1 card support (#1470)
## MyEID
* Add support for unwrapping a secret key with an RSA key or secret key (#1393)
* Add support for wrapping a secret key with a secret key (#1393)
* Support for MyEID 4K RSA (#1657)
* Support for OsEID (#1677).
## Gemalto GemSafe
* add new PTeID ATRs (#1683)
* Add support for 4K RSA keys (#1863, #1872)
## OpenPGP
* OpenPGP Card v3 ECC support (#1506)
## Rutoken
* Add Rutoken ECP SC (#1652)
* Add Rutoken Lite (#1728)
## SC-HSM
* Add SmartCard-HSM 4K ATR (#1681)
* Add missing secp384r1 curve parameter (#1696)
## Starcos
* Fixed decipher with 2.3 (#1496)
* Added ATR for 2nd gen. eGK (#1668)
* Added new ATR for 3.5 (#1882)
* Detect and allow Globalplatform PIN encoding (#1882)
## TCOS
* Fix TCOS IDKey support (#1880)
* add encryption certificate for IDKey (#1892)
## Infocamere, Postecert, Cnipa
* Removed profiles (#1584)
## ACS ACOS5
* Remove incomplete acos5 driver (#1622).
# New in 0.19.0; 2018-09-13
## General Improvements
* fixed multiple security problems (out of bound writes/reads, #1447):
* CVE-2018-16391
* CVE-2018-16392
* CVE-2018-16393
* CVE-2018-16418
* CVE-2018-16419
* CVE-2018-16420
* CVE-2018-16421
* CVE-2018-16422
* CVE-2018-16423
* CVE-2018-16424
* CVE-2018-16425
* CVE-2018-16426
* CVE-2018-16427
* Improved documentation:
* New manual page for opensc.conf(5)
* Added several missing switches in manual pages and fixed formatting
* Win32 installer:
* automatically start SCardSvr
* added newer OpenPGP ATRs
* macOS installer: use HFS+ for backward compatibility
* Remove outdated solaris files
* PC/SC driver:
* Workaround OMNIKEY 3x21 and 6121 Smart Card Readers wrongly identified as pinpad readers in macOS
* Workaround cards returning short signatures without leading zeroes
* bash completion
* make location directory configurable
* Use a new correct path by default
* build: support for libressl-2.7+
* Configuration
* Distribute minimal opensc.conf
* `pkcs11_enable_InitToken made` global configuration option
* Modify behavior of `OPENSC_DRIVER` environment variable to restrict driver list instead of forcing one driver and skipping vital parts of configuration
* Removed configuration options `zero_ckaid_for_ca_certs`, `force_card_driver`, `reopen_debug_file`, `paranoid-memory`
* Generalized configuration option `ignored_readers`
* If card initialization fails, continue card detection with other card drivers (#1251)
* Fixed long term card operations on Windows 8 and later (#1043)
* reader-pcsc: allow fixing the length of a PIN
* fixed multithreading issue on Window with OpenPACE OIDs
## PKCS#11
* fixed crash during `C_WaitForSlotEvent` (#1335)
## Minidriver
* Allow cancelling the PIN pad prompt before starting the reader transaction. Whether to start the transaction immediately or not is user-configurable for each application
## OpenSC tools
* `opensc-notify`
* add Exit button to tray icon
* User better description (GenericName) and a generic application icon
* Do not display in the application list
* `pkcs15-tool`
* added support for reading ECDSA ssh keys
* `p11test`
* Filter certificates other than `CKC_X_509`
* `opengpg-tool`
* allow calling -d multiple times
* clarify usage text
## sc-hsm
* Implement RSA PSS
* Add support for SmartCard-HSM 4K (V3.0)
## CAC
* Remove support for CAC1 cards
* Ignore unknown tags in properties buffer
* Use GET PROPERTIES to recognize buffer formats
* Unbreak encoding last tag-len-value in the data objects
* Support HID Alt tokens without CCC
* They present certificates in OIDs of first AID and use other undocumented applets
* Inspect the tokens through the ACA applet and GET ACR APDU
## Coolkey
* Unbreak Get Challenge functionality
* Make uninitialized cards working as expected with ESC
## OpenPGP
* add serial number to card name
* include detailed version into card name
* define & set LCS (lifecycle support) as extended capability
* extend manufacturer list in pkcs15-openpgp.c
* correctly parse hist_bytes
* Make deciphering with AUT-key possible for OpenPGP Card >v3.2 (fixes #1352)
* Add supported algorithms for OpenPGP Card (Fixes #1432)
## Starcos
* added support for 2nd generation eGK (#1451)
## CardOS
* create PIN in MF (`pkcs15init`)
## German ID card
* fixed identifying unknown card as German ID card (#1360)
## PIV
* Context Specific Login Using Pin Pad Reader Fix
* Better Handling of Reset using Discovery Object
# New in 0.18.0; 2018-05-16
## General Improvements
* PKCS#15
* fixed parsing ECC parameters from TokenInfo (#1134)
* Added PKCS#15 emulator for DIN 66291 profile
* Cope with empty serial number in TokenInfo
* Build Environment
* Treat compiler warnings as errors (use `--disable-strict` to avoid)
* MacOS
* optionally use CTK in package builder
* fixed detection of OpenPACE package
* macOS High Sierra: fixed dmg creation
* fixed DNIe UI compatibility
* Windows: Use Dedicated md/pkcs11 installation folders instead of installing to System32/SysWOW64
* fixed (possible) memory leaks for PIV, JPKI, PKCS#11, Minidriver
* fixed many issues reported via compiler warnings, coverity scan and clang's static analyzer
* beautify printed ASN.1 data, add support for ASN.1 time types
* SimpleTLV: Skip correctly two bytes after reading 2b size (#1231)
* added support for `keep_alive` commands for cards with multiple applets to be enabled via `opensc.conf`
* added support for bash completion for arguments that expect filenames
* added keyword `old` for selecting `card_drivers` via `opensc.conf`
* improved documentation manuals for OpenSC tools
* use `leave` as default for `disconnect_action` for PC/SC readers
## PKCS#11
* Make OpenSC PKCS#11 Vendor Defined attributes, mechanisms etc unique
## Minidriver
* added CNS ATR (#1153)
* Add multiple PINs support to minidriver
* protect MD entry points with `CriticalSection`
## Tokend
* Configuration value for not propagating certificates that require user authentication (`ignore_private_certificate`)
## CryptoTokenKit
* Added support for PIN pad
* fixed codesigning of opensc tools
* Added complete support for system integration with https://github.com/frankmorgner/OpenSCToken
## OpenSC Tools
* `cardos-tool`
* List human-readable version for CardOS 5.3
* `pkcs11-tool`
* fixed overwriting digestinfo + hash for RSA-PKCS Signature
* Enable support for RSA-PSS signatures in pkcs11-tool
* Add support for RSA-OAEP
* Fixed #1286
* Add missing pkcs11-tool options to man page
* allow mechanism to be specified in hexadecimal
* fixed default module path on Windows to use opensc-pkcs11.dll
* `pkcs11-spy`
* Add support for RSA-OAEP
* Add support for RSA-PSS
* `pkcs15init`
* Fix rutokenS FCP parsing (#1259)
* `egk-tool`
* Read data from German Health Care Card (Elektronische Gesundheitskarte, eGK)
* `opensc-asn1`
* Parse ASN.1 from files
* `opensc-tool`/`opensc-explorer`
* Allow extended APDUs
## Authentic
* Correctly handle APDUs with more than 256 bytes (#1205)
## Coolkey
* Copy labels from certificate objects to the keys
## Common Access Card
* Fixed infinite reading of certificate
* Added support for Alt token card
## MyEID
* support for RAW RSA signature for 2048 bit keys
## IAS/ECC
* Support for new MinInt agent card
## PIV
* Get cardholder name from the first certificate if token label not specified
* implemented keep alive command (#1256)
* fixed signature creation with `CKA_ALWAYS_AUTHENTICATE` (i.e. PKCS#11 `C_Login(CKU_CONTEXT_SPECIFIC)`)
## CardOS
* fixed card name for CardOS 5
* added ATR `"3b:d2:18:00:81:31:fe:58:c9:02:17"`
* Try forcing `max_send_size` for PSO:DEC
## DNIe
* DNIe: card also supports 1920 bits (#1247)
## GIDS
* Fix GIDS admin authentication
## epass 3000
* Add ECC support
* Fix #1073
* Fix #1115
* Fix buffer underrun in decipher
* Fix #1306
## Starcos
* added serial number for 3.4
* fixed setting key reference for 3.4
* added support for PIN status queries for 3.4
## EstEID
* ECDSA/ECDH token support
* Fix crash when certificate read failed (#1176)
* Cleanup expired EstEID card ATR-s
* Fix reading EstEID certificates with T=0 (#1193)
## OpenPGP
* Added support for PIN logout and status
* factory reset is possible if LCS is supported
* Added support for OpenPGP card V3
* fixed selecting Applet
* implemented keep alive command
* Retrieve OpenPGP applet version from OpenPGP applet on YubiKey token (#1262)
## German ID card
* fixed recognition of newer cards
## SC-HSM
* Don't block generic contactless ATR
* changed default labels of GoID
* added PIN commands for GoID 1.0
## Starcos
* Added Support for Starcos 3.4 and 3.5
## MioCOS
* disabled by default, use `card_drivers = old;` to enable; driver will be removed soon.
## BlueZ PKCS#15 applet
* disabled by default, use `card_drivers = old;` to enable; driver will be removed soon.
# New in 0.17.0; 2017-07-18
## Support for new Cards
* CAC (Common Access Card)
* GoID (SC-HSM with built-in PIN pad and fingerprint sensor)
* Coolkey
* JPKI (Japanese Individual Number Card)
* nPA (German ID card, eSign Application)
## General Improvements
* PKCS#15
* Implemented file caching based on card's contact-less UID
* Cache EF.ODF and EF.TokenInfo
* File caching is done transparently when the user sets the config option.
* `opensc.conf`
* Added `disable_popups` for disabling internal UI
* All Windows specific reader configuration is handled by the pcsc driver (cardmod driver was removed)
* Build Environment
* Allow setting `PKG_CONFIG_PATH` for macOS build
* Added compatibility with Visual Studio 2015
* Allow building against LibreSSL
* Allow building against OpenSSL 1.1.0
* Allow building against WiX 3.11
* Allow building minidriver with MinGW
* Include OpenPACE library by default
* Removed `BUILD_ON`/`BUILD_FOR` variable
* Simplified installer on macOS and Windows
* Added support for PIN commands via PC/SC escape commands
* Added support for card reader access via CryptoTokenKit
* Added support for PIN entry on card for verification/unblock/change
* Recognize T=0 limitation of sending 255 bytes
* Force T=1 for contactless cards
* Allow setting driver via `OPENSC_DRIVER` environment variable
* Fixed many bugs
* Fixed many compiler warnings
* Fixed possible issues (memory corruptions, memory leaks, double free, ...)
* Internal refactoring and cleanup
## PKCS#11
* Move PIN type label front of description
* `C_GetTokenInfo` read the login status from the card if possible
* Don't use ':' in the token name (#849)
* Install `opensc-pkcs11.pc` for usage with `pkg-config`
* Don't shrink the number of slots (#629)
* Add session handle uniqueness check to PKCS#11 `C_OpenSession()`
* Activate functionality of `C_WaitForSlot()` for pcsc-lite >= 1.8.22
## Minidriver
* Support PIN unblocking in minidriver via PUK as response
* Added support for Session PIN
## Tokend
* Allow usage of readers PIN pad by entering an empty PIN
## OpenSC Tools
* Fixed Bash completion (#782)
* `opensc-tool`
* Added `--reset` option
* `opensc-explorer`
* Show tag 0x82 for unknown files
* `pkcs15-tool`
* Fixed `--read-ssh-key` crash (#788)
* Added `--clear-cache`
* Fixed locking the card on Windows (#868)
* Add `--list-info` option
* Make `--list-...` messages consistent
* Add `--short` option
* `--read-data-object`: Do not print data to terminal when output file is given
* Reword `--no-prompt` to `--use-pinpad`, old option still available as alias
* Added `--test-session-pin` option
* `pkcs15-init`
* Fix using PINPAD to verify PIN (#856)
* Fixed locking the card on Windows (#868)
* Added `--secret-key-algorithm` option
* Print more detailed secret key information
* `pkcs11-tool`
* Added `keygen` for secret key generation
* Better handling of PIN (re-) validation
* Fixed --id for `C_GenerateKey`, DES and DES3 keygen mechanism (#857)
* Added `--derive-pass-der` option
* Added `--generate-random` option
* Add GOSTR3410 key pair generation
* `npa-tool` (new)
* Allows read/write access to EAC tokens
* Allows PIN management for EAC tokens
* `gids-tool`
* Fixed entering SN via command line
* `sc-hsm-tool`
* Added `--print-dkek-share` (hidden from the user)
* Fixed locking the card on Windows (#868)
## CardOS
* Better support for CardOS 5.3
## DNIe
* Fixed interaction with DNIe UI
* Added support for DNIe 3.0
## ePass2003
* Add new ATR for entersafe PKI card
* Solved Incorrect PIN raise wrong CKR error
## GemsafeV1
* PTeid: add objects (SOD, TRACe, CA) and fix flags
* PTeid: Support PIN max tries and tries left report
* PTeid: Properly report cards with 2048b keys.
## MyEID
* Fix to ECDH implementation (#756)
* Added support for symmetric keys
## OpenPGP
* Improve handling of OpenPGP card PIN change and unblock commands
## PIV
* Some workarounds for PIV-alike cards (e.g. Yubikey)
* Change driver's short name to 'PIV-II'
* Use certificate's keyUsage to set PKCS#11 key attributes
## SC-HSM
* Use PKCS#15 file cache
* Prevent unnecessary applet selection and state resets
* Added support for session pin
* Fixed forcing a card driver via opensc.conf
## STARCOS
* Read the maximum transcive sice from the card's ATR (#765)
New in 0.16.0; 2016-05-15
* build
link OpenSSL in static
option: enable PKCS11 thread locking
* configuration
use one configuration file for all systems
* tools:
package revision as version
** pkcs11-tool
keygen mechanism in pkcs11 tools
write GOST public key
fix CKA_SENSITIVE attribute of public keys
** opensc-explorer:
added command find_tags
allow ASN.1 decoding if the file seems incomplete
** pkcs15-tool:
handle record-based files when doing file caching
option to prine raw data
** sc-hsm-tool:
status info support for SmartCard-HSM V2.0
** doc: some missing options are documented, added documentation
for gid tool
* minidriver:
support for ECC
Windows x509 enrollment
first implementation of CardDeleteContainer
MD logs controlled by register and environment variable
* reader-pcsc
fixed unreleased locks with pcsc-lite
honour PC/SC pt 10 dwMaxAPDUDataSize
added call back for getting vendor/product id
restrict access to card handles after fork
SCardGetAttrib is used to initialize reader's metadata
by default only short APDUs supported
* pkcs11
no slot reserved for hot plug
no more slot created 'per-applications'
atomic operation (TODO: expand)
export all C_* symbols
metadata initialized from package info
fix registering pkcs11 mechanisms multiple times
sloppy initialization for C_GetSlotInfo
* pkcs15
cache of on-card files extended to application paths
configuration option to enable/disable application
make file cache dir configurable
in key info data type introduced 'auxiliary data' -- container
for the non-pkc15 data.
* OpenPGP
support for Gnuk -- USB cryptographic token for GNU Privacy Guard
build without OpenSSL
implemented 'erase card'
additional manufacturers
* MyEID
support for 521 bit ECC keys
ATRs for the new cards
* sc-hsm
read/write support in minidriver
* rtecp
delete keys
* GemSafeV1
support for European Patent Office smart card
sign with SHA256
* Gids
first support for Gids smart card
* dnie
* Feitian PKI card
new ATRs
* IsoApplet
(fixes)
* starcos
initial support for STARCOS 3.4 (German D-Trust cards)
* macosx
install tokend to /Library/Security/ instead /System/Library/Security/
fixed locking issue in pcsc reader
* PIV
allow using of cards where default application in not PIV
support for the Yubikey NEO
* italian-CNS
italian-cns reg file for minidriver
New in 0.15.0; 2015-05-11
* new card drivers
AzeDIT 3.5
IsoApplet
MaskTech
* libopensc
allow extended length APDUs
accept no output for 'SELECT' MF and 'SELECT' DF_NAME APDUs
fixed sc_driver_version check
adjusted send/receive size according to card capabilities
in iso7816 make SELECT agnosting to sc_path_t's aid
* asn1
support multi-bytes tags
* pkcs15
reviewed support and tool functions for public key
public certs and pubkeys with an auth_id are treated as private
* pkcs11
introduced default PKCS#11 provider
fetched real value of CKA_LOCAL for pubkey
removed inconsistent attributes
C_Digest issues
no check if buffer too small before update
* added support for Travis CI
* updated support of EC in libopensc, pkcs15 and pkcs11
* fixed number of warnings, resource leaks, overity-scan issues
* macosx
target minimum OSX version to 10.7
update the minimal building instructions.
locate and target the latest SDK to build against.
locate the best newest SDK present on the computer.
* build
disable Secure Messaging if OpenSSL is not used
* tools
util_get_pin helper function
* PIV
Add AES support for PIV General Authenticate
fixed invalid bit when writing PIV certificate object with gzipped certificate
fixed bad caching behavior of PIV PKCS15 emulator
* ePass2003
fixed failure due to re-authenticate of secure messaging when card is accessed
by multiple PKCS11 sessions
* MyEID
EC support for MyEID-v4 card
* openpgp
extended options for openpgp-tool
* asepcos
fixed puk handling
* sc-hsm
support for Koblitz curves secp192k1 and secp256k1 (Bitcoin)
improved error detection and reporting in sc-hsm-tool
fixed Lc byte in VERIFY PIN block for PC/SC PIN PAD reader
fix certificate delete bug
* IAS/ECC
fixed PKCS#11 compliance issues
support for Morpho IAS Agent Card
* cardos
overwrite content of deleted private key
* win32
setup improuvement
look & feel
custom actions with card registration
minidriver impouvement
fixed errors and warnings returned by Microsoft quality tool
pin-pad support
New in 0.14.0; 2014-05-31
* new card driver DNIe
* extended existing drivers by support of
Swedish eID card (gemsafeV1)
EstEID 3.5 (mcrd)
* bogus javacard driver removed
* build
return to the standard use of 'autoconf'
CI specific bootstrap script: git commit stamp for the built packages
windows friendly compile settings
fixed a ton of compiler warnings
fence against using EVP_sha256 mech
debian packaging templates
compile without OpenSSL and without SM
enable compiler warnings by default
win32
add 'VarFileInfo' block to version-info
include to MSI package 'openpgp-tool.exe'
'version-info' resource for each target
* macOSX
"graphical uninstaller" to distribution DMG
update package building to modern tools
new tool and SDK paths for OS X 10.8
improved opensc-installer from distribution
osx: target 10.9 (a free upgrade to anyone using 10.6+) from now on
build 'fat' binaries i386
* common
added getpass implementation for non windows
* libopensc
allow for the pin to be entered on the keypad during issuing
introduce 'encoded-content' to the sc_file data
general usage method to allocate generalized time
* minidriver
implemented 'CardChangeAuthenticator', 'CardGetChallenge' and 'CardUnblockPin'
improved management of GUID
use reader pin pad if available and allowed
configuration options for
compose GUID
refuse create container mechanism
add registers file for feitian cards
fixed
return code in 'CardGetContainerInfo'
returned 'tries-left' for blocked card
length of stripped data in RSADecrypt
* pkcs#11
bind non-recognized card, generic 'init-token' procedure
fixed
CKA_VALUE of 'public-key' object
fix ASN1 encoding issues
PIN-NOT-INITIALIZED for the non-user PINs
buffers overflow
segfault due to the undefined 'application-file'
* pkcs15
'direct' public key in PuKDF encoding
implement SPKI public key encoding
include and maintain minidriver framework data: cmap-record, md-flags, GUID, ..
fixed
encoding of 'SubjectPublicKeyInfo'
DER encoding of 'issuer' and 'subject'
PIN validation in 'pkcs15-verify'
public key algorithm
ECC public key encoding
ECC ecpointQ
* pkcs15init
introduce 'max-unblocks' PIN init parameter
keep cert. blob in cert-info data
file 'content' and 'prop-attrs' in the card profile
in profile more AC operations are parsed
fixed
NULL pointer dereference error
NULL 'store-key' handle
ignore if no TokenInfo file to update
set EC pubkey parameters from init data
* reader-pcsc
fixed
implicit pin modification
pin checking when implicitly given
verify/modify pinpad commands
* SM
common SM 'increase-sequence-counter' procedure
move SM APDU procedures to dedicated source file
move SM common crypto procedures to the dedicated library
* doc
documentation for --list-token-slots
* default driver
do not send possibly arbitrary APDU-s to an unknown card.
by default 'default' card driver is disabled
* sc-hsm
Added support for
persistent EC public keys generated from certificate signing requests
token label to be set via C_InitToken or sc-hsm-tool
unblock PIN using C_InitPIN()
initialize EC key params
fixed
bug that prevents a newly generated 2048 key to show up at the PKCS#11 interface
bug when changing SO-PIN with opensc-explorer sc-hsm-tool
memory checking and removed warning
problem deleting CA certificates sc-hsm
public key format returned when generating ECC keys
sc-hsm-tool
better error handling for non-SmartCard-HSM cards
support for DKEK password sharing scheme
threshold scheme parameters to manpage
crash on Windows when --wrap-key frees memory allocated in opensc.dll
* ias
simplify the compute signature operation
* PIV
use SPKI encoding for public key data
extract public key from cert if no object on card
fix
segfault and valgrind issue
gen_key to expect the proper PIV Key references
* CardOS
build for Windows
use information from AlgorithmInfo
supported CardOS V5.0
* epass2003
key generation allows stricter privkey/pubkey ACLs
list_files implemented
properly disable padding
allow exponents other than 65537
* myeid
fixed file-id in myeid.profile
* entersafe
fix a bug when writing public key
* EstEID
match card only based on presence of application.
* pteid
do not call the iso7816 driver get_response operation
* myeid
support of EC key is broken
New in 0.13.0; 2012-12-04
* New card driver ePass2003.
* OpenPGP card:
greatly improved card driver and PKCS#15 emulation;
implemented write (pkcs15init) mode;
greatly enhanced documentation and tools.
* ECDSA keys supported in 'read' and 'write' modes by
internal PKCS#15 library, PKCS#11 and tools.
* Minidriver in 'write' mode.
* SM: secure messaging in GlobalPlatform-SP01 and CW14890 specifications;
supported by ePass2003, IAS/ECC and AuthentIC cards;
"ACL" and "APDU" modes to trigger secure messaging session;
'local' version of the external secure messaging module.
* PKCS#15: support of 'secret-key' PKCS#15 objects
support of 'authentication-object' PKCS#15 objects
support of 'algReference' common key PKCS#15 attribute
support of 'algReference' common key PKCS#15 attribute
support of 'subjectName' common public key PKCS#15 attribute
* PKCS#11: removed 'onepin' version of pkcs#11 module
configuration options to expose slots for PINs and present on-card applications.
support GOSTR3410 generate key mechanism
* Support of PACE reader.
* Remove libltdl reference.
* ECDSA supported by MyEID card
* New card driver for the SmartCard-HSM, a light-weight hardware security module
* New useful commands in 'opensc-explorer' tool: 'find', 'put-data', ...
* fixed SIGV issue due to the unsupported public key format
* fixes for the number of documentation issues
New in 0.12.2; 2011-07-15
* Builds are now silent by default when OpenSC is built from source on Unix.
* Using --wait with command line tools works with 64bit Linux again.
* Greatly improved OpenPGP card support, including OpenPGP 2.0 cards
like the one found in German Privacy Foundation CryptoStick.
* Fixed support for FINeID cards issued after 01.03.2011 with 2048bit keys.
* #256: Fixed support for TCOS cards (broken since 0.12.0).
* Added support for IDKey-cards to TCOS3 driver.
* #361: Improved PC/SC driver to fetch the maximum PIN sizes from the open
source CCID driver. This fixes the issue for Linux/OSX with recent driver.
* WindowsInstaller now installs only static DLL-s (PKCS#11, minidriver) to
system folder.
* Fix FINeID cards for organizations.
* Several smaller bugs and compiler warnings fixed.
New in 0.12.1; 2011-05-17
* New card driver: IAS/ECC 1.0.1
* rutoken-tool has been deprecated and removed.
* eidenv and piv-tool utilities now have manual pages.
* pkcs11-tool now requires the use of --module parameter.
* All tools can now use an ATR as an argument to --reader, to skip to the
card with given ATR.
* opensc-tool -l with -v now shows information about the inserted cards.
* Creating files have an enforced upper size limit, 64K
* Support for multiple PKCS#15 applications with different AID-s.
PKCS#15 applications can be listed with pkcs15-tool --list-applications.
Binding to a specific AID with PKCS#15 tools can be done with --aid.
* Hex strings (like card ATR or APDU-s) can now be separated by space, in
addition to colons.
* Pinpad readers known to be bogus are now ignored by OpenSC. At the moment
only "HP USB Smart Card Keyboard" is disabled.
* Windows installer is now distributed as a statically built MSI, for both
x86 and x64.
* Numerous compiler warnings, unused code and internal bugs have been
eliminated.
New in 0.12.0; 2010-12-22
* OpenSC uses a single reader driver, specified at compile time.
* New card driver: Italian eID (CNS) by Emanuele Pucciarelli.
* New card driver: Portuguese eID by João Poupino.
* New card driver: westcos by François Leblanc.
* pkcs11-tool can use a slot based on ID, label or index in the slot list.
* PIN flags are updated from supported cards when C_GetTokenInfo is called.
* Support for CardOS 4.4 cards added.
* Feature to exclude readers from OpenSC PKCS#11 via "ignored_readers"
configuration file entry.
* #229: Support semi-automatic fixes to cards personalized with older and
broken OpenSC versions.
* Software keys removed from pkcs15-init and the PKCS#11 module. OpenSC
can either generate keys on card or import plaintext keys to the card, but
will never generate plaintext key material in software by itself.
All traces of a software token (PKCS#15 Section 7) shall be removed.
* Updates to PC/SC driver to build with pcsc-lite >= 1.6.2
* Build script for a binary Mac OS X installer for 10.5 and 10.6 systems.
Binary installer includes OpenSC.tokend for platform integration.
10.6 installer includes engine_pkcs11.
* Modify Rutoken S binary interfaces by Aktiv Co.
* Support GOST R 34.10-2001 and GOST R 34.11-94 by Aktiv Co.
* CardOS driver now emulates sign on rsa keys with sign+decrypt usage
with padding and decrypt(). This is compatible with old cards and
card initialized by Siemens software. Removed "--split-key" option,
as it is no longer needed.
* Improved debugging support: debug level 3 will show everything
except of ASN1 and card matching debugging (usually not needed).
* Massive changes to libopensc. This library is now internal, only
used by opensc-pkcs11.so and command line tools. Header files are
no longer installed, library should not be used by other applications.
Please use generic PKCS#11 interface instead.
* #include file statements cleaned up: first include "config.h", then
system headers, then additional libraries, then headers in opensc
(but from other directories), then header files from same directory.
Fix path to reference headers, remove src/include/ directory.
* Various source code fixes and improvements.
* OpenSC now depends on xsltproc utility and docbook-xsl to build docs and man
* Remove iconv dependency. EstEID driver now uses the commonName from the
certificate for card label.
* Possibility to change the default behavior for card resets via
opensc.conf.
New in 0.11.12; 2009-12-18; Andreas Jellinghaus
* Document integer problem in OpenSC and implement workaround
* Improve entersafe profile to support private data objects
New in 0.11.9; 2009-07-29; Andreas Jellinghaus
* New rutoken_ecp driver by Aktiv Co. / Aleksey Samsonov
* Allow more keys/certificates/files etc. with entersafe tokens
* Updates pkcs11.h from scute fixing warnings
* Small fixes in rutoken driver
* Major update for piv driver with increased compatibility
New in 0.11.8; 2009-05-07; Andreas Jellinghaus
* Fix security problem in pkcs11-tool gen_keypair (PublicExponent 1)
* fix compiling without openssl.
* updated and improve entersafe driver. FTCOS/PK-01C cards are supported
now, compatible with cards written by Feitian's software on windows.
New in 0.11.7; 2009-02-26; Andreas Jellinghaus
* hide_empty_slots now on by default? small logic change?
* pinpad supported fixed for Mac OS X.
* ruToken driver was updated.
* openct virtual readers reduced to 2 by default.
* link with iconv on Mac OS X for i18n support.
* Security issue: Fix private data support.
* Enable lock_login by default.
* Disable allow_soft_keygen by default.
New in 0.11.6; 2008-08-27; Andreas Jellinghaus
* Improved security fix: don't match for "OpenSC" in the card label.
* New support for Feitian ePass3000 by Weitao Sun.
* GemSafeV1 improved to handle key_ref other than 3 by Douglas E. Engert
New in 0.11.5; 2008-07-31; Andreas Jellinghaus
* Apply security fix for cardos driver and extend pkcs15-tool to
test cards for the security vulnerability and update them.
* Build system rewritten (NOTICE: configure options was modified).
The build system can produce outputs for *NIX, cygwin and native
windows (using mingw).
* ruToken now supported.
* Allow specifying application name for data objects.
* Basic reader hotplug support.
* PC/SC library is dynamic linked no longer compile time dependency.
* PKCS#11 provider is now installed at LIBDIR/pkcs11
* PKCS#11 - Number of virtual slots moved into configuration.
* PKCS#11 - Fix fork() compliance.
* make sign_with_decrypt hack configurable for Siemens cards.
New in 0.11.4; 2007-09-10; Andreas Jellinghaus
* Drop AC_LIB_LINKFLAGS for libltdl and aclocal/lib* files.
* New configure option to disable building nsplugin.
* Support Siemens CardOS initialized cards (signing with decryption)
* Add Siemens CardOS M4.2B support (experimental, don't have such a card)
* Support for AKIS cards added (partial so far) by Gürer Özen.
* add aclocal/libassuan.m4 back so developers don't need assuan installed.
New in 0.11.3; 2007-07-11; Andreas Jellinghaus
* added regression test for raw rsa (crypt0007).
* regression suite can now use installed binaries with --installed.
* update wiki export script (add images, fix links).
* look for ncurses and termcap in configure (in combination with readline).
* make lots of internal functions and variables static.
* fix 0 vs NULL in many places. fix ansi c style (void).
* avoid variable names used also as glibc function (random etc.).
* new code for deleting objects.
* special hack for firefox.
* support for Athena APCOS cards added.
* piv driver now supports bigger rsa keys too.
New in 0.11.2; 2007-05-04; Andreas Jellinghaus
* enabled pin caching by default (needed by regression suite and other apps).
disable this for highest security (but that breaks some applications).
* use max_send_size 255 / max_recv_size 256 bytes by default.
reduce this for some readers (e.g. scm) with t=0 cards.
* increase pin buffer size to allow longer pin codes.
* Windows Make.rules.mak improved to work with and w/o openssl and zlib
* Added --read-ssk-key option to pkcs15-tool (prints public key in ssh format)
* use pkg-config for finding openct, add --enable/disable-openct option
* use strlcpy function
* use new pkcs11.h from scute with an open source license
* add support for sha2 to pkcs15-crypt
* add piv-tool for managing piv cards
* add muscle driver (still work in progress)
* improved oberthur driver
* add support for pcsc v2 part10 (reader drivers with pinpad support)
* convert source files to utf-8
New in 0.11.1; 2006-05-30; Andreas Jellinghaus