
@frankmorgner released this Dec 29, 2019 · 465 commits to master since this release

General Improvements

  • fixed security problems
  • Support RSA-PSS signature mechanisms using RSA-RAW (#1435)
  • Added memory locking for secrets (#1491)
  • added support for terminal colors (#1534)
  • PC/SC driver: Fixed error handling in case of changing (#1537) or removing the card reader (#1615)
  • macOS installer
    • Add installer option to deselect tokend (#1607)
    • Make OpenSCToken available on 10.12+ and the default on 10.15+ (2017626)
  • Configuration
    • rename md_read_only to read_only and use it for PKCS#11 and Minidriver (#1467)
    • allow global use of ignore_private_certificate (#1623)
  • Build Environment
    • Bump openssl requirement to 0.9.8 (#1459)
    • Added support for fuzzing with AFL (#1580) and libFuzzer/OSS-Fuzz (#1697)
    • Added CI tests for simulating GIDS, OpenPGP, PIV, IsoApplet (#1568) and MyEID (#1677) and CAC (#1757)
    • Integrate clang-tidy with make check (#1673)
    • Added support for reproducible builds (#1839)

PKCS#11

  • Implement write protection (CKF_WRITE_PROTECTED) based on the card profile (#1467)
  • Added C_WrapKey and C_UnwrapKey implementations (#1393)
  • Handle CKA_ALWAYS_AUTHENTICATE when creating key objects. (#1539)
  • Truncate long PKCS#11 labels with ... (#1629)
  • Fixed recognition of a token when being unplugged and reinserted (#1875)

Minidriver

  • Register for CardOS5 cards (#1750)
  • Add support for RSA-PSS (263b945)

OpenSC tools

  • Harmonize the use of option -r/--reader (#1548)
  • goid-tool: GoID personalization with fingerprint
  • openpgp-tool
    • replace the options -L/--key-length with -t/--key-type (#1508)
    • added options -C/--card-info and -K/--key-info (#1508)
  • opensc-explorer
    • add command pin_info (#1487)
    • extend random to allow writing to a file (#1487)
  • opensc-minidriver-test.exe: Tests for Microsoft CryptoAPI (#1510)
  • opensc-notify: Autostart on Windows
  • pkcs11-register:
    • Auto-configuration of applications for use of OpenSC PKCS#11 (#1644)
    • Autostart on Windows, macOS and Linux (#1644)
  • opensc-tool: Show ATR also for cards not recognized by OpenSC (#1625)
  • pkcs11-spy:
    • parse CKM_AES_GCM
    • Add support for CKA_OTP_* and CKM_*_PSS values
    • parse EC Derive parameters (#1677)
  • pkcs11-tool
    • Support for signature verification via --verify (#1435)
    • Add object type secrkey for --type option (#1575)
    • Implement Secret Key write object (#1648)
    • Add GOSTR3410-2012 support (#1654)
    • Add support for testing CKM_RSA_PKCS_OAEP (#1600)
    • Add extractable option to key import (#1674)
    • list more key access flags when listing keys (#1653)
    • Add support for CKA_ALLOWED_MECHANISMS when creating new objects and listing keys (#1628)
  • pkcs15-crypt: Handle keys with user consent (#1529)

CAC1

New separate CAC1 driver using the old CAC specification (#1502).

CardOS

  • Add support for 4K RSA keys in CardOS 5 (#1776)
  • Fixed decryption with CardOS 5 (#1867)

Coolkey

  • Enable CoolKey driver to handle 2048-bit keys. (#1532)

EstEID

  • adds support for a minimalistic, small and fast card profile based on IAS-ECC issued since December 2018 (#1635)

GIDS

  • GIDS Decipher fix (#1881)
  • Allow RSA 4K support (#1891)

MICARDO

  • Remove long expired EstEID 1.0/1.1 card support (#1470)

MyEID

  • Add support for unwrapping a secret key with an RSA key or secret key (#1393)
  • Add support for wrapping a secret key with a secret key (#1393)
  • Support for MyEID 4K RSA (#1657)
  • Support for OsEID (#1677).

Gemalto GemSafe

OpenPGP

  • OpenPGP Card v3 ECC support (#1506)

Rutoken

  • Add Rutoken ECP SC (#1652)
  • Add Rutoken Lite (#1728)

SC-HSM

  • Add SmartCard-HSM 4K ATR (#1681)
  • Add missing secp384r1 curve parameter (#1696)

Starcos

  • Fixed decipher with 2.3 (#1496)
  • Added ATR for 2nd gen. eGK (#1668)
  • Added new ATR for 3.5 (#1882)
  • Detect and allow Globalplatform PIN encoding (#1882)

TCOS

  • Fix TCOS IDKey support (#1880)
  • add encryption certificate for IDKey (#1892)

Infocamere, Postecert, Cnipa

  • Removed profiles (#1584)

ACS ACOS5

  • Remove incomplete acos5 driver (#1622).
Pre-release

@frankmorgner released this Jan 3, 2020 · 479 commits to master since this release

Enabled extended APDU support for StarCOS 3x cards
Pre-release

@frankmorgner released this Jan 3, 2020 · 586 commits to master since this release

CI: retry pushing 10 times to nightly
Pre-release

@frankmorgner released this Oct 3, 2019 · 591 commits to master since this release

dir: Avoid insane allocations

Resolves:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17449

@frankmorgner released this Sep 13, 2018 · 1126 commits to master since this release

New in 0.19.0; 2018-09-13

General Improvements

  • fixed multiple security problems (out of bound writes/reads, #1447):
    • CVE-2018-16391
    • CVE-2018-16392
    • CVE-2018-16393
    • CVE-2018-16418
    • CVE-2018-16419
    • CVE-2018-16420
    • CVE-2018-16421
    • CVE-2018-16422
    • CVE-2018-16423
    • CVE-2018-16424
    • CVE-2018-16425
    • CVE-2018-16426
    • CVE-2018-16427
  • Improved documentation:
    • New manual page for opensc.conf(5)
    • Added several missing switches in manual pages and fixed formatting
  • Win32 installer:
    • automatically start SCardSvr
    • added newer OpenPGP ATRs
  • macOS installer: use HFS+ for backward compatibility
  • Remove outdated solaris files
  • PC/SC driver:
    • Workaround OMNIKEY 3x21 and 6121 Smart Card Readers wrongly identified as pinpad readers in macOS
  • Workaround cards returning short signatures without leading zeroes
  • bash completion
    • make location directory configurable
    • Use a new correct path by default
  • build: support for libressl-2.7+
  • Configuration
    • Distribute minimal opensc.conf
    • pkcs11_enable_InitToken made global configuration option
    • Modify behavior of OPENSC_DRIVER environment variable to restrict driver list instead of forcing one driver and skipping vital parts of configuration
    • Removed configuration options zero_ckaid_for_ca_certs, force_card_driver, reopen_debug_file, paranoid-memory
    • Generalized configuration option ignored_readers
  • If card initialization fails, continue card detection with other card drivers (#1251)
  • Fixed long term card operations on Windows 8 and later (#1043)
  • reader-pcsc: allow fixing the length of a PIN
  • fixed multithreading issue on Windows with OpenPACE OIDs

PKCS#11

  • fixed crash during C_WaitForSlotEvent (#1335)

Minidriver

  • Allow cancelling the PIN pad prompt before starting the reader transaction. Whether to start the transaction immediately or not is user-configurable for each application

OpenSC tools

  • opensc-notify
    • add Exit button to tray icon
    • Use better description (GenericName) and a generic application icon
    • Do not display in the application list
  • pkcs15-tool
    • added support for reading ECDSA ssh keys
  • p11test
    • Filter certificates other than CKC_X_509
  • openpgp-tool
    • allow calling -d multiple times
    • clarify usage text

sc-hsm

  • Implement RSA PSS
  • Add support for SmartCard-HSM 4K (V3.0)

CAC

  • Remove support for CAC1 cards
  • Ignore unknown tags in properties buffer
  • Use GET PROPERTIES to recognize buffer formats
  • Unbreak encoding last tag-len-value in the data objects
  • Support HID Alt tokens without CCC
    • They present certificates in OIDs of first AID and use other undocumented applets
    • Inspect the tokens through the ACA applet and GET ACR APDU

Coolkey

  • Unbreak Get Challenge functionality
  • Make uninitialized cards work as expected with ESC

OpenPGP

  • add serial number to card name
  • include detailed version into card name
  • define & set LCS (lifecycle support) as extended capability
  • extend manufacturer list in pkcs15-openpgp.c
  • correctly parse hist_bytes
  • Make deciphering with AUT-key possible for OpenPGP Card >v3.2 (fixes #1352)
  • Add supported algorithms for OpenPGP Card (Fixes #1432)

Starcos

  • added support for 2nd generation eGK (#1451)

CardOS

  • create PIN in MF (pkcs15init)

German ID card

  • fixed identifying unknown card as German ID card (#1360)

PIV

  • Context Specific Login Using Pin Pad Reader Fix
  • Better Handling of Reset using Discovery Object

@frankmorgner released this May 16, 2018 · 1370 commits to master since this release

General Improvements

  • PKCS#15
    • fixed parsing ECC parameters from TokenInfo (#1134)
    • Added PKCS#15 emulator for DIN 66291 profile
    • Cope with empty serial number in TokenInfo
  • Build Environment
    • Treat compiler warnings as errors (use --disable-strict to avoid)
    • macOS
      • optionally use CTK in package builder
      • fixed detection of OpenPACE package
      • macOS High Sierra: fixed dmg creation
      • fixed DNIe UI compatibility
  • Windows: Use Dedicated md/pkcs11 installation folders instead of installing to System32/SysWOW64
  • fixed (possible) memory leaks for PIV, JPKI, PKCS#11, Minidriver
  • fixed many issues reported via compiler warnings, coverity scan and clang's static analyzer
  • beautify printed ASN.1 data, add support for ASN.1 time types
  • SimpleTLV: Skip correctly two bytes after reading 2b size (#1231)
  • added support for keep_alive commands for cards with multiple applets to be enabled via opensc.conf
  • added support for bash completion for arguments that expect filenames
  • added keyword old for selecting card_drivers via opensc.conf
  • improved documentation manuals for OpenSC tools
  • use leave as default for disconnect_action for PC/SC readers

PKCS#11

  • Make OpenSC PKCS#11 Vendor Defined attributes, mechanisms etc unique

Minidriver

  • added CNS ATR (#1153)
  • Add multiple PINs support to minidriver
  • protect MD entry points with CriticalSection

Tokend

  • Configuration value for not propagating certificates that require user authentication (ignore_private_certificate)

CryptoTokenKit

OpenSC Tools

  • cardos-tool
    • List human-readable version for CardOS 5.3
  • pkcs11-tool
    • fixed overwriting digestinfo + hash for RSA-PKCS Signature
    • Enable support for RSA-PSS signatures in pkcs11-tool
    • Add support for RSA-OAEP
    • Fixed #1286
    • Add missing pkcs11-tool options to man page
    • allow mechanism to be specified in hexadecimal
    • fixed default module path on Windows to use opensc-pkcs11.dll
  • pkcs11-spy
    • Add support for RSA-OAEP
    • Add support for RSA-PSS
  • pkcs15init
    • Fix rutokenS FCP parsing (#1259)
  • egk-tool
    • Read data from German Health Care Card (Elektronische Gesundheitskarte, eGK)
  • opensc-asn1
    • Parse ASN.1 from files
  • opensc-tool/opensc-explorer
    • Allow extended APDUs

Authentic

  • Correctly handle APDUs with more than 256 bytes (#1205)

Coolkey

  • Copy labels from certificate objects to the keys

Common Access Card

  • Fixed infinite reading of certificate
  • Added support for Alt token card

MyEID

  • support for RAW RSA signature for 2048 bit keys

IAS/ECC

  • Support for new MinInt agent card

PIV

  • Get cardholder name from the first certificate if token label not specified
  • implemented keep alive command (#1256)
  • fixed signature creation with CKA_ALWAYS_AUTHENTICATE (i.e. PKCS#11 C_Login(CKU_CONTEXT_SPECIFIC))

CardOS

  • fixed card name for CardOS 5
  • added ATR "3b:d2:18:00:81:31:fe:58:c9:02:17"
  • Try forcing max_send_size for PSO:DEC

DNIe

  • DNIe: card also supports 1920 bits (#1247)

GIDS

  • Fix GIDS admin authentication

epass 3000

  • Add ECC support
  • Fix #1073
  • Fix #1115
  • Fix buffer underrun in decipher
  • Fix #1306

Starcos

  • added serial number for 3.4
  • fixed setting key reference for 3.4
  • added support for PIN status queries for 3.4

EstEID

  • ECDSA/ECDH token support
  • Fix crash when certificate read failed (#1176)
  • Cleanup expired EstEID card ATR-s
  • Fix reading EstEID certificates with T=0 (#1193)

OpenPGP

  • Added support for PIN logout and status
  • factory reset is possible if LCS is supported
  • Added support for OpenPGP card V3
  • fixed selecting Applet
  • implemented keep alive command
  • Retrieve OpenPGP applet version from OpenPGP applet on YubiKey token (#1262)

German ID card

  • fixed recognition of newer cards

SC-HSM

  • Don't block generic contactless ATR
  • changed default labels of GoID
  • added PIN commands for GoID 1.0

Starcos

  • Added Support for Starcos 3.4 and 3.5

MioCOS

  • disabled by default, use card_drivers = old; to enable; driver will be removed soon.

BlueZ PKCS#15 applet

  • disabled by default, use card_drivers = old; to enable; driver will be removed soon.
Pre-release

@frankmorgner released this May 4, 2018 · 1373 commits to master since this release

macOS: disable notifications only in PKCS#11 module

basically reverts
https://github.com/OpenSC/OpenSC/commit/c35eb1c9bc74e284723ffd726478720b69aed970
by applying a more selective fix for
https://github.com/OpenSC/OpenSC/issues/1174