Skip to content

Releases: OpenSC/OpenSC

OpenSC 0.26.1

14 Jan 15:51
Compare
Choose a tag to compare

New in 0.26.1; 2025-01-14

General improvements

  • Align allocations of sc_mem_secure_alloc (#3281)
  • Fix -O3 gcc optimization failure on amd64 and ppc64el (#3299)

pkcs11-spy

  • Avoid crash while spying C_GetInterface() (#3275)

TCOS

  • Fix reading certificate (#3296)

OpenSC 0.26.0

13 Nov 09:50
Compare
Choose a tag to compare

New in 0.26.0; 2024-11-13

Security

  • CVE-2024-45615: Usage of uninitialized values in libopensc and pkcs15init (#3225)
  • CVE-2024-45616: Uninitialized values after incorrect check or usage of APDU response values in libopensc (#3225)
  • CVE-2024-45617: Uninitialized values after incorrect or missing checking return values of functions in libopensc (#3225)
  • CVE-2024-45618: Uninitialized values after incorrect or missing checking return values of functions in pkcs15init (#3225)
  • CVE-2024-45619: Incorrect handling length of buffers or files in libopensc (#3225)
  • CVE-2024-45620: Incorrect handling of the length of buffers or files in pkcs15init (#3225)
  • CVE-2024-8443: Heap buffer overflow in OpenPGP driver when generating key (#3219)

General improvements

  • Fix reselection of DF after error in PKCS#15 layer (#3067)
  • Unify OpenSSL logging throughout code (#2922)
  • Extend the p11test to support kryoptic (#3141)
  • Fix for error in PCSC reconnection (#3150)
  • Fixed various issues reported by OSS-Fuzz and Coverity in drivers, PKCS#11 and PKCS#15 layer

PKCS#15

  • Documentation for PKCS#15 profile files (#3132)

minidriver

  • Support PinCacheAlwaysPrompt usable for PIV cards (#3167)

pkcs11-tool

  • Show URI when listing token information (#3125) and objects (#3130)
  • Do not limit size of objects to 5000 bytes (#3174)
  • Add support for AES CMAC (#3184)
  • Add support for AES GCM encryption (#3195)
  • Add support for RSA OAEP encryption (#3175)
  • Add support for HKDF (#3193)
  • Implement better support for wrapping and unwrapping (#3198)
  • Add support for EdDSA sign and verify (#2979)

pkcs15-crypt

  • Fix PKCS#1 encoding function to correctly detect padding type (#3075)

piv-tool

  • Fix RSA key generation (#3158)
  • Avoid possible state change when matching unknown card (#3112)

sc-hsm-tool

  • Cleanse buffer with plaintext key share (#3226)

pkcs11-register

  • Fix pkcs11-register defaults on macOS and Windows (#3053)

IDPrime

  • Fix identification of IDPrime 840 cards (#3146)
  • Fix container mapping for IDPrime 940 cards (#3220)
  • Reorder ATRs for matching cards (#3154)

OpenPGP

  • Fix state tracking after erasing card (#3024)

Belpic

  • Disable Applet V1.8 (#3109)

MICARDO

  • Deactivate driver (#3152)

SmartCard-HSM

  • Fix signing with secp521r1 signature (#3157)

eOI

  • Set model via sc_card_ctl function (#3189)

Rutoken

  • increase the minimum PIN size to support Rutoken ECP BIO (#3208)

JPKI

  • Adjust parameters for public key in PKCS#15 emulator (#3182)

D-Trust

  • Add support for ECDSA signatures and ECDH key agreement for D-Trust Signatures Cards 4.1/4.4 (#3240, #3248)

OpenSC 0.26.0-rc1

11 Sep 14:52
Compare
Choose a tag to compare
OpenSC 0.26.0-rc1 Pre-release
Pre-release

New in 0.26.0; 2024-09-11

Security

  • CVE-2024-45615: Usage of uninitialized values in libopensc and pkcs15init (#3225)
  • CVE-2024-45616: Uninitialized values after incorrect check or usage of APDU response values in libopensc (#3225)
  • CVE-2024-45617: Uninitialized values after incorrect or missing checking return values of functions in libopensc (#3225)
  • CVE-2024-45618: Uninitialized values after incorrect or missing checking return values of functions in pkcs15init (#3225)
  • CVE-2024-45619: Incorrect handling length of buffers or files in libopensc (#3225)
  • CVE-2024-45620: Incorrect handling of the length of buffers or files in pkcs15init (#3225)
  • CVE-2024-8443: Heap buffer overflow in OpenPGP driver when generating key (#3219)

General improvements

  • Fix reselection of DF after error in PKCS#15 layer (#3067)
  • Unify OpenSSL logging throughout code (#2922)
  • Extend the p11test to support kryoptic (#3141)
  • Fix for error in PCSC reconnection (#3150)
  • Fixed various issues reported by OSS-Fuzz and Coverity in drivers, PKCS#11 and PKCS#15 layer

PKCS#15

  • Documentation for PKCS#15 profile files (#3132)

minidriver

  • Support PinCacheAlwaysPrompt usable for PIV cards (#3167)

pkcs11-tool

  • Show URI when listing token information (#3125) and objects (#3130)
  • Do not limit size of objects to 5000 bytes (#3174)
  • Add support for AES CMAC (#3184)
  • Add support for Add support for AES GCM encryption (#3195)
  • Add support for RSA OAEP encryption (#3175)
  • Add support for HKDF (#3193)
  • Implement better support for wrapping and unwrapping (#3198)
  • Add support for EdDSA sign and verify (#2979)

pkcs15-crypt

  • Fix PKCS#1 encoding function to correctly detect padding type (#3075)

piv-tool

  • Fix RSA key generation (#3158)
  • Avoid possible state change when matching unknown card (#3112)

sc-hsm-tool

  • Cleanse buffer with plaintext key share (#3226)

pkcs11-register

  • Fix pkcs11-register defaults on macOS and Windows (#3053)

IDPrime

  • Fix identification of IDPrime 840 cards (#3146)
  • Fix container mapping for IDPrime 940 cards (#3220)
  • Reorder ATRs for matching cards (#3154)

OpenPGP

  • Fix state tracking after erasing card (#3024)

Belpic

  • Disable Applet V1.8 (#3109)

MICARDO

  • Deactivate driver (#3152)

SmartCard-HSM

  • Fix signing with secp521r1 signature (#3157)

eOI

  • Set model via sc_card_ctl function (#3189)

Rutoken

  • increase the minimum PIN size to support Rutoken ECP BIO (#3208)

JPKI

  • Adjust parameters for public key in PKCS#15 emulator (#3182)

OpenSC 0.25.1

05 Apr 11:53
Compare
Choose a tag to compare

New in 0.25.1; 2024-04-05

General improvements

  • Add missing file to dist tarball to build documentation (#3063)

minidriver

  • Fix RSA decryption with PKCS#1 v1.5 padding (#3077)
  • Fix crash when app is not set (#3084)

OpenSC 0.25.0

06 Mar 09:27
Compare
Choose a tag to compare

New in 0.25.0; 2024-03-06

Security

  • CVE-2023-5992: Side-channel leaks while stripping encryption PKCS#1.5 padding in OpenSC (#2948)
  • CVE-2024-1454: Potential use-after-free in AuthentIC driver during card enrollment in pkcs15init (#2962)

General improvements

  • Update OpenSSL 1.1.1 to 3.0 in MacOS build (#2930)
  • Remove support for old card drivers Akis, GPK, Incrypto34 and Westcos, disable Cyberflex driver (#2885)
  • Fix 64b to 32b conversions (#2993)
  • Improvements for the p11test (#2991)
  • Fix reader initialization without SCardControl (#3007)
  • Make RSA PKCS#1 v1.5 depadding constant-time (#2948)
  • Add option for disabling PKCS#1 v1.5 depadding (type 01 and 02) on the card (#2975)
  • Enable MSI signing via Signpath CI integration for Windows (#2799)
  • Fixed various issues reported by OSS-Fuzz and Coverity in drivers, PKCS#11 and PKCS#15 layer

minidriver

  • Fix wrong hash selection (#2932)

pkcs11-tool

  • Simplify printing EC keys parameters (#2960)
  • Add option to import GENERIC key (#2955)
  • Add support for importing Ed25518/448 keys (#2985)

drust-tool

IDPrime

  • Support uncompressed certificates on IDPrime 940 (#2958)
  • Enhance IDPrime logging (#3003)
  • Add SafeNet 5110+ FIPS token support (#3048)

D-Trust Signature Cards

  • Add support for RSA D-Trust Signature Card 4.1 and 4.4 (#2943)

EstEID

  • Remove expired EstEID 3.* card support (#2950)

ePass2003

  • Allow SW implementation with more SHA2 hashes and ECDSA (#3012)
  • Fix EC key generation (#3045)

SmartCard-HSM

  • Fix SELECT APDU command (#2978)

MyEID

  • Update for PKCS#15 profile (#2965)

Rutoken

  • Support for RSA 4096 key algorithm (#3011)

OpenPGP

  • Fix decryption requiting Manage Security Environment for authentication key (#3042)

OpenSC 0.25.0-rc1

19 Feb 09:21
Compare
Choose a tag to compare
OpenSC 0.25.0-rc1 Pre-release
Pre-release

New in 0.25.0; 2024-02-XX

Security

  • CVE-2023-5992: Side-channel leaks while stripping encryption PKCS#1.5 padding in OpenSC (#2948)
  • CVE-2024-1454: Potential use-after-free in AuthentIC driver during card enrollment in pkcs15init (#2962)

General improvements

  • Update OpenSSL 1.1.1 to 3.0 in MacOS build (#2930)
  • Remove support for old card drivers Akis, GPK, Incrypto34 and Westcos, disable Cyberflex driver (#2885)
  • Fix 64b to 32b conversions (#2993)
  • Improvements for the p11test (#2991)
  • Fix reader initialization without SCardControl (#3007)
  • Make RSA PKCS#1 v1.5 depadding constant-time (#2948)
  • Add option for disabling PKCS#1 v1.5 depadding (type 01 and 02) on the card (#2975)
  • Enable MSI signing via Signpath CI integration for Windows (#2799)
  • Fixed various issues reported by OSS-Fuzz and Coverity in drivers, PKCS#11 and PKCS#15 layer

minidriver

  • Fix wrong hash selection (#2932)

pkcs11-tool

  • Simplify printing EC keys parameters (#2960)
  • Add option to import GENERIC key (#2955)
  • Add support for importing Ed25518/448 keys (#2985)

IDPrime

  • Support uncompressed certificates on IDPrime 940 (#2958)
  • Enhance IDPrime logging (#3003)

D-Trust Signature Cards

  • Add support for RSA D-Trust Signature Card 4.1 and 4.4 (#2943)

EstEID

  • Remove expired EstEID 3.* card support (#2950)

ePass2003

  • Allow SW implementation with more SHA2 hashes and ECDSA (#3012)

SmartCard-HSM

  • Fix SELECT APDU command (#2978)

MyEID

  • Update for PKCS#15 profile (#2965)

Rutoken

  • Support for RSA 4096 key algorithm (#3011)

OpenSC 0.24.0

13 Dec 11:08
Compare
Choose a tag to compare

New in 0.24.0; 2023-12-13

Security

General improvements

  • Fix compatibility of EAC with OpenSSL 3.0 (#2674)
  • Enable use_file_cache by default (#2501)
  • Use custom libctx with OpenSSL >= 3.0 (#2712, #2715)
  • Fix record-based files (#2604)
  • Fix several race conditions (#2735)
  • Run tests under Valgrind (#2756)
  • Test signing of data bigger than 512 bytes (#2789)
  • Update to OpenPACE 1.1.3 (#2796)
  • Implement logout for some of the card drivers (#2807)
  • Fix wrong popup position of opensc-notify (#2901)
  • Fixed various issues reported by OSS-Fuzz and Coverity regarding card drivers, PKCS#11 and PKCS#15 init

PKCS#11

  • Check card presence state in C_GetSessionInfo (#2740)
  • Remove onepin-opensc-pkcs11 module (#2681)
  • Do not use colons in the token info label (#2760)
  • Present profile objects in all slots with the CKA_TOKEN attribute to resolve issues with NSS (#2928, #2924)
  • Use secure memory for PUK (#2906)
  • Don't logout to preserve concurrent access from different processes (#2907)
  • Add more examples to manual page (#2936)
  • Present profile objects in all virtual slots (#2928)
  • Provide CKA_TOKEN attribute for profile objects (#2924)
  • Improve --slot parameter documentation (#2951)

PKCS#15

  • Honor cache offsets when writing file cache (#2858)
  • Prevent needless amount of PIN prompts from pkcs15init layer (#2916)
  • Propagate CKA_EXTRACTABLE and SC_PKCS15_PRKEY_ACCESS_SENSITIVE from and back to PKCS#11 (#2936)

Minidriver

  • Fix for private keys that do not need a PIN (#2722)
  • Unbreak decipher when the first null byte of PKCS#1.5 padding is missing (#2939)

pkcs11-tool

  • Fix RSA key import with OpenSSL 3.0 (#2656)
  • Add support for attribute filtering when listing objects (#2687)
  • Add support for --private flag when writing certificates (#2768)
  • Add support for non-AEAD ciphers to the test mode (#2780)
  • Show CKA_SIGN attribute for secret keys (#2862)
  • Do not attempt to read CKA_ALWAYS_AUTHENTICATE on secret keys (#2864, #2913)
  • Show Sign/VerifyRecover attributes (#2888)
  • Add option to import generic keys (#2955)

westcos-tool

  • Generate 2k RSA keys by default (b53fc5c)

pkcs11-register

  • Disable autostart on Linux by default (#2680)

IDPrime

  • Add support for IDPrime MD 830, 930 and 940 (#2666)
  • Add support for SafeNet eToken 5110 token (#2812)
  • Process index even without keyrefmap and use correct label for second PIN (#2878)
  • Add support for Gemalto IDPrime 940C (#2941)

EPass2003

  • Change of PIN requires verification of the PIN (#2759)
  • Fix incorrect CMAC computation for subkeys (#2759, issue #2734)
  • Use true random number for mutual authentication for SM (#2766)
  • Add verification of data coming from the token in the secure messaging mode (#2772)
  • Avoid success when using unsupported digest and fix data length for RAW ECDSA signatures (#2845)

OpenPGP

  • Fix select data command (#2753, issue #2752)
  • Unbreak ed/curve25519 support (#2892)

eOI

  • Add support for Slovenian eID card (eOI) (#2646)

Italian CNS

  • Add support for IDEMIA (Oberthur) tokens (#2483)

PIV

  • Add support for Swissbit iShield FIDO2 Authenticator (#2671)
  • Implement PIV secure messaging (#2053)

SkeID

  • Add support for Slovak eID cards (#2672)

isoApplet

  • Support ECDSA with off-card hashing (#2642)

MyEID

  • Fix WRAP operation when using T0 (#2695)
  • Identify changes on the card and enable use_file_cache (#2798)
  • Workaround for unwrapping using 2K RSA key (#2921)

SC-HSM

  • Add support for opensc-tool --serial (#2675)
  • Fix unwrapping of 4096 keys with handling reader limits (#2682)
  • Indicate supported hashes and MGF1s (#2827)

0.24.0-rc2

20 Nov 15:15
Compare
Choose a tag to compare
0.24.0-rc2 Pre-release
Pre-release

For release notes, see #2873 and #2792 and NEWS file:

https://github.com/OpenSC/OpenSC/blob/master/NEWS

0.24.0-rc1

25 Sep 09:29
Compare
Choose a tag to compare
0.24.0-rc1 Pre-release
Pre-release

For release notes, see #2873 and #2792.

OpenSC 0.23.0

29 Nov 10:22
Compare
Choose a tag to compare

New in 0.23.0; 2022-11-29

General improvements

  • Support signing of data with a length of more than 512 bytes (#2314)
  • By default, disable support for old card drivers (#2391) and remove support for old drivers MioCOS and JCOP (#2374)
  • Bump minimal required OpenSSL version to 1.1.1 and add support for OpenSSL 3.0 (#2438, #2506)
  • Compatibility with LibreSSL (#2495, #2595)
  • Remove support for DSA (#2503)
  • Extend p11test to support symmetric keys (#2430)
  • Notice detached reader on macOS (#2418)
  • Support for OAEP padding (#2475, #2484)
  • Fix for PSS salt length (#2478)
  • Improve fuzzing by adding new tests (#2417, #2500, #2520, #2550, #2637)
  • Fixed various issues reported by OSS-Fuzz and Coverity regarding card drivers, PKCS#11 and PKCS#15 init
  • Fix issues with OpenPACE (#2472)
  • Containers support for local testing
  • Add support for encryption and decryption using symmetric keys (#2473, #2607)
  • Stop building support for Gost algorithms with OpenSSL 3.0 as they require deprecated API (#2586)
  • Fix detection of disconnected readers in PCSC (#2600)
  • Add configuration option for on-disk caching of private data (#2588)
  • Skip building empty binaries when dependencies are missing and remove needless linking (#2617)
  • Define arm64 as a supported architecture in the Installer package (#2610)

PKCS#11

  • Implement C_CreateObject for EC keys and fix signature verification for CKM_ECDSA_SHAx cards (#2420)

pkcs11-tool

  • Add more elliptic curves (#2301)
  • Add support for symmetric encrypt and decrypt, wrap and unwrap operations, and initialization vector (#2268)
  • Fix consistent handling of secret key attributes (#2497)
  • Add support for signing and verifying with HMAC (#2385)
  • Add support for SHA3 (#2467)
  • Make object selectable via label (#2570)
  • Do not require an R/W session for some operations and add --session-rw option (#2579)
  • Print more information: CKA_UNIQUE_ID attribute, SHA3 HMACs and serial number for certificates (#2644, #2643, #2641)
  • Add new option --undestroyable to create keys with CKA_DESTROYABLE=FALSE (#2645)

sc-hsm-tool

  • Add options for public key authentication (#2301)

Minidriver

  • Fix reinit of the card (#2525)
  • Add an entry for Italian CNS (e) (#2548)
  • Fix detection of ECC mechanisms (#2523)
  • Fix ATRs before adding them to the windows registry (#2628)

NQ-Applet

  • Add support for the JCOP4 Cards with NQ-Applet (#2425)

ItaCNS

  • Add support for ItaCMS v1.1 (key length 2048) (#2371)

Belpic

  • Add support for applet v1.8 (#2455)

Starcos

  • Add ATR for V3.4 (#2464)
  • Add PKCS#15 emulator for 3.x cards with eSign app (#2544)

ePass2003

  • Fix PKCS#15 initialization (#2403)
  • Add support for FIPS (#2543)
  • Fix matching with newer versions and tokens initialized with OpenSC (#2575)

MyEID

  • Support logout operation (#2557)
  • Support for symmetric encryption and decryption (#2473, #2607)

GIDS

  • Fix decipher for TPM (#1881)

OpenPGP

  • Get the list of supported algorithms from algorithm information on the card (#2287)
  • Support for 3 certificates with OpenPGP 3+ (#2103)

nPA

  • Fix card detection (#2463)

Rutoken

  • Fix formatting rtecp cards (#2599)

PIV

  • Add new PIVKey ATRs for current cards (#2602)