Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Towards new release 0.20.0 #1782

Open
frankmorgner opened this issue Sep 5, 2019 · 6 comments

Comments

@frankmorgner
Copy link
Member

commented Sep 5, 2019

There are no critical issues left and the new functionality has been integrated. I think it's time to prepare and publish the next major release, @OpenSC/core, @OpenSC/maintainers.

This release renames the configuration option md_read_only to read_only. In openpgp-tool the options -L/ --key-length have been replaced with -t/--key-type. Please review your opensc.conf` and your shell scripts. Release candidate is available on Github.

The general functionality has been verified to some extent in the CI environment, where we're using simulations of PIV, OpenPGP, GIDS, IsoApplet, MyEID and CAC for testing. Refer to the wiki page on how to systematically test your card. OpenSC is now part of the OSS-Fuzz family, which has already led to the fix of some security issues (see below).

Here is the complete list of changes, that would also appear in the release notes and NEWS file (please let me know if I'm missing something):


General Improvements

  • fixed security problems
  • Support RSA-PSS signature mechanisms using RSA-RAW (#1435)
  • Added memory locking for secrets (#1491)
  • added support for terminal colors (#1534)
  • PC/SC driver: Fixed error handling in case of changing (#1537) or removing the card reader (#1615)
  • macOS installer: Add installer option to deselect tokend (#1607)
  • Configuration
    • rename md_read_only to read_only and use it for PKCS#11 and Minidriver (#1467)
    • allow global use of ignore_private_certificate (#1623)
  • Build Environment
    • Bump openssl requirement to 0.9.8 (##1459)
    • Added support for fuzzing with AFL (#1580) and libFuzzer/OSS-Fuzz (#1697)
    • Added CI tests for simulating GIDS, OpenPGP, PIV, IsoApplet (#1568) and MyEID (#1677) and CAC (#1757)
    • Integrate clang-tidy with make check (#1673)

PKCS#11

  • Implement write protection (CKF_WRITE_PROTECTED) based on the card profile (#1467)
  • Added C_WrapKey and C_UnwrapKey implementations (#1393)
  • Handle CKA_ALWAYS_AUTHENTICATE when creating key objects. (#1539)
  • Truncate long PKCS#11 labels with ... (#1629)

Minidriver

  • Register for CardOS5 cards (#1750)
  • Add support for RSA-PSS (263b945)

OpenSC tools

  • Harmonize the use of option -r/--reader (#1548)

  • goid-tool: GoID personalization with fingerprint

  • openpgp-tool

    • replace the options -L/ --key-length with -t/--key-type (#1508)
    • added options -C/--card-info and -K/--key-info (#1508)
  • opensc-explorer

    • add command pin_info (#1487)
    • extend random to allow writing to a file (#1487)
  • opensc-minidriver-test.exe: Tests for Microsoft CryptoAPI (#1510)

  • opensc-notify: Autostart on Windows

  • pkcs11-register:

    • Auto-configuration of applications for use of OpenSC PKCS#11 (#1644)
    • Autostart on Windows, macOS and Linux (#1644)
  • opensc-tool: Show ATR also for cards not recognized by OpenSC (#1625)

  • pkcs11-spy:

    • parse CKM_AES_GCM
    • Add support for CKA_OTP_* and CKM_*_PSS values
    • parse EC Derive parameters (#1677)
  • pkcs11-tool

    • Support for signature verification via --verify (#1435)
    • Add object type secrkey for --type option (#1575)
    • Implement Secret Key write object (#1648)
    • Add GOSTR3410-2012 support (#1654)
    • Add support for testing CKM_RSA_PKCS_OAEP (#1600)
    • Add extractable option to key import (#1674)
    • list more key access flags when listing keys (#1653)
    • Add support for CKA_ALLOWED_MECHANISMS when creating new objects and listing keys (#1628)
  • pkcs15-crypt: * Handle keys with user consent (#1529)

CAC1

New separate CAC1 driver using the old CAC specification (#1502).

CardOS

  • Add support for 4K RSA keys in CardOS 5 (#1776)

Coolkey

  • Enable CoolKey driver to handle 2048-bit keys. (#1532)

EstEID

  • adds support for a minimalistic, small and fast card profile based on IAS-ECC issued since December 2018 (#1635)

MICARDO

  • Remove long expired EstEID 1.0/1.1 card support (#1470)

MyEID

  • Add support for unwrapping a secret key with an RSA key or secret key (#1393)
  • Add support for wrapping a secret key with a secret key (#1393)
  • Support for MyEID 4K RSA (#1657)
  • Support for OsEID (#1677).

Gemalto GemSafe

  • add new PTeID ATRs (#1683)

OpenPGP

  • OpenPGP Card v3 ECC support (#1506)

Rutoken

  • Add Rutoken ECP SC (#1652)
  • Add Rutoken Lite (#1728)

SC-HSM

  • Add SmartCard-HSM 4K ATR (#1681)
  • Add missing secp384r1 curve parameter (#1696)

Starcos

  • Fixed decipher with 2.3 (#1496)
  • Added ATR for 2nd gen. eGK (#1668)

Infocamere, Postecert, Cnipa

  • Removed profiles (#1584)

ACS ACOS5

  • Remove incomplete acos5 driver (#1622).
@Jakuje

This comment has been minimized.

Copy link
Contributor

commented Sep 13, 2019

I re-read all the commits since the last release and I would suggest to mention also the following highlights that look like missed from the original list:

For MyEID, I would mention also a support for OsEID cards that was added to the driver (#1677).

For opensc-tool

  • avoiding of unnecessary connects to the card in case the actions do not require it (#1762)
  • show ATR also for cards not recognized by any OpenSC driver (#1625)

For pkcs11-spy, parse the EC Derive parameters (#1677).

For pkcs11-tool:

  • list more key access flags when listing keys (#1653).
  • Add support for CKA_ALLOWED_MECHANISMS when creating new objects and listing keys (#1628)

Remove incomplete acos5 driver (#1622).

minidriver:

  • Add support for RSA-PSS (263b945)

coolkey: Improved card matching to avoid mismatches with similar muscle driver (#1500).

New separate CAC1 driver using the old CAC specification (#1502).

Additionally, I would like to ask for the status fo #1772, which adds support for IDPrime cards and in-card RSA-OAEP as an counterpart to RSA-PSS already in.

@plaes

This comment has been minimized.

Copy link
Contributor

commented Sep 16, 2019

EstEID section should mention something like this: "Added support for Estonian ID cards (supplied by IDEMIA) that have been issued since January 2019."

It's a big win, because we only had closed source blob that had some issues...

@frankmorgner

This comment has been minimized.

Copy link
Member Author

commented Sep 16, 2019

Thanks for the comments, @Jakuje @plaes !

I've edited and extended the NEWS as requested.

I'd like to avoid mentioning #1500 and #1762 because I think they are technical improvements, invisible to the user.

I'd like to postpone #1772 for the next release, because that are quite a lot of changes that did not yet get the attention they deserve.

@Jakuje

This comment has been minimized.

Copy link
Contributor

commented Sep 16, 2019

Thank you for clarification.

@frankmorgner

This comment has been minimized.

Copy link
Member Author

commented Oct 3, 2019

You can find the updated release candidate here

@frankmorgner

This comment has been minimized.

Copy link
Member Author

commented Oct 19, 2019

Since macOS Catalina, TokenDs are disabled by default, that's why I had to update the installer to also distribute OpenSCToken... (installed by default on 10.15, available as alternative to OpenSC.tokend on 10.12-10.14, disabled on 10.11 and before). The installation of PKCS#11 module and tools are unaffected.

You can find the updated release candidate here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.