OpenSC 0.27.1

Edit 2026-04-18: Replaced the MacOS release binary due to originally uploading wrongly signed one (see #3654).

New in 0.27.1; 2026-03-31

• Bugfix release to fix up infrastructure issues. There were no 0.27.0 artifacts published.

New in 0.27.0; 2026-03-30

Security

• CVE-2025-13763: Several uses of potentially uninitialized memory detected by fuzzers
• CVE-2025-49010: Possible write beyond buffer bounds during processing of GET RESPONSE APDU
• CVE-2025-66215: Possible write beyond buffer bounds in oberthur driver
• CVE-2025-66038: Possible read beyond buffer bounds when parsing historical bytes in PIV driver
• CVE-2025-66037: Possible buffer overrun while parsing SPKI
• More low-severity data handling issues when parsing profile configuration

General improvements

• Added support for PKCS#11 3.2 in tools and pkcs11-spy and p11test(#3510)
• Added support for Ed448, X448 mechanisms and improve support for
  Edwards and montgomery keys in general (#3090)
• Support CKA_PUBKEY_KEY_INFO PKCS#11 attribute (#3090)
• Various refactoring of autotools build system
• Remove obsolete tokend support (#3285)
• Run tests against different software PKCS#11 tokens kryoptic and NSS softokn (#3365)
• Removed internal caching for current EF/DF (#3403)
• Correctly detect OS-level FIPS mode in OpenSSL automatically (#3551)
  or through custom configuration file (#3525)
• Added support for Brainpool twisted curves to pkcs11-tool and SC-HSM (#3601)

PC/SC

• Handle case when smart card is removed and inserted between two subsequent calls to
  refresh_attributes() (#2803)

EsteID

• Add support for EstEID 2025 (#3392)
• Implement FinEID 4.0/4.1 support (#3505)
• Add Latvian IDEMIA Cosmo X card support (#3503)
• Check if PIN is locked and hint CKF_USER_PIN_TO_BE_CHANGED (#3490)
• Remove obsolete FinEID cards (#3522)
• Add Latvian Cosmo 8.2 card support (#3521)

D-Trust

• Prevent unncecessary pin prompts on pinpad readers (#3266)
• Support for D-Trust Card 5.1 & 5.4 (#3137)
• Implement PIN change and unblock in dtrust-tool (#3137)

Belpic

• Add supports for belpic applet version 1.8 (#3308)

OpenPGP

• Implement key derived PIN format (KDF-DO) as per OpenPGP card spec v3.3 (#3398)

IDPrime

• Implement 5110+ FIPS and 5110 CC (940) derive support (#3483)

Windows

• Update to Wix 6 (#3435)
• Fix C_WaitForSlotEvent() not working in Windows (#2919)
• remove pkcs11-register from autostart (#3354)

MacOS

• Installer images are now notarized (#3536)

pkcs11-tool

• Added support for ML-DSA, ML-KEM, SLH-DSA keys from PKCS#11 3.2 (#3510)
• Improve support for Edwards and montgomery keys and
  add derive key support for CKK_MONTGOMERY (#3090)
• Add support for ChaCha20 and Poly1305 (#3339)
• Add support for AES CTR in decrypt_data() and encrypt_data() (#3338)
• Add initial support for PKCS#11 URIs (#3289)
• Print more information about RSA keys (#3623)

New Contributors

• @GeorgePantelakis made their first contribution in #3254
• @tinyboxvk made their first contribution in #3260
• @dgalling made their first contribution in #3281
• @botovq made their first contribution in #3306
• @tpetazzoni made their first contribution in #3303
• @Mironenko made their first contribution in #3326
• @cdanger made their first contribution in #3324
• @D4ryus made their first contribution in #3386
• @vssldmtrv made their first contribution in #3415
• @hendrikdonner made their first contribution in #3405
• @antimeme made their first contribution in #3428
• @citypw made their first contribution in #3421
• @marcwillert made their first contribution in #3445
• @hardening made their first contribution in #3493
• @pavelkohout396 made their first contribution in #3546
• @daloic made their first contribution in #3587
• @gkapetanakis made their first contribution in #3625

Full Changelog: 0.26.0...0.27.1

OpenSC 0.27.0-rc2

Security

• Several uses of potentially uninitialized memory detected by fuzzers

General improvements

• Added support for PKCS#11 3.2 in tools and pkcs11-spy and p11test(#3510)
• Added support for Ed448, X448 mechanisms and improve support for
  Edwards and montgomery keys in general (#3090)
• Support CKA_PUBKEY_KEY_INFO PKCS#11 attribute (#3090)
• Various refactoring of autotools build system
• Remove obsolete tokend support (#3285)
• Run tests against different software PKCS#11 tokens kryoptic and NSS softokn (#3365)
• Removed internal caching for current EF/DF (#3403)
• Correctly detect OS-level FIPS mode in OpenSSL automatically (#3551)
  or through custom configuration file (#3525)

PC/SC

• Handle case when smart card is removed and inserted between two subsequent calls to
  refresh_attributes() (#2803)

EsteID

• Add support for EstEID 2025 (#3392)
• Implement FinEID 4.0/4.1 support (#3505)
• Add Latvian IDEMIA Cosmo X card support (#3503)
• Check if PIN is locked and hint CKF_USER_PIN_TO_BE_CHANGED (#3490)
• Remove obsolete FinEID cards (#3522)
• Add Latvian Cosmo 8.2 card support (#3521)

D-Trust

• Prevent unncecessary pin prompts on pinpad readers (#3266)
• Support for D-Trust Card 5.1 & 5.4 (#3137)
• Implement PIN change and unblock in dtrust-tool (#3137)

Belpic

• Add supports for belpic applet version 1.8 (#3308)

OpenPGP

• Implement key derived PIN format (KDF-DO) as per OpenPGP card spec v3.3 (#3398)

IDPrime

• Implement 5110+ FIPS and 5110 CC (940) derive support (#3483)

Windows

• Update to Wix 6 (#3435)
• Fix C_WaitForSlotEvent() not working in Windows (#2919)
• remove pkcs11-register from autostart (#3354)

MacOS

• Installer images are now notarized (#3536)

pkcs11-tool

• Added support for ML-DSA, ML-KEM, SLH-DSA keys from PKCS#11 3.2 (#3510)
• Improve support for Edwards and montgomery keys and
  add derive key support for CKK_MONTGOMERY (#3090)
• Add support for ChaCha20 and Poly1305 (#3339)
• Add support for AES CTR in decrypt_data() and encrypt_data() (#3338)
• Add initial support for PKCS#11 URIs (#3289)

OpenSC 0.27.0-rc1

Security

• Several uses of potentially uninitialized memory detected by fuzzers

General improvements

• Added support for PKCS#11 3.2 in tools and pkcs11-spy and p11test(#3510)
• Added support for Ed448, X448 mechanisms and improve support for
  Edwards and montgomery keys in general (#3090)
• Support CKA_PUBKEY_KEY_INFO PKCS#11 attribute (#3090)
• Various refactoring of autotools build system
• Remove obsolete tokend support (#3285)
• Run tests against different software PKCS#11 tokens kryoptic and NSS softokn (#3365)
• Removed internal caching for current EF/DF (#3403)
• Correctly detect OS-level FIPS mode in OpenSSL automatically (#3551)
  or through custom configuration file (#3525)

PC/SC

• Handle case when smart card is removed and inserted between two subsequent calls to
  refresh_attributes() (#2803)

EsteID

• Add support for EstEID 2025 (#3392)
• Implement FinEID 4.0/4.1 support (#3505)
• Add Latvian IDEMIA Cosmo X card support (#3503)
• Check if PIN is locked and hint CKF_USER_PIN_TO_BE_CHANGED (#3490)
• Remove obsolete FinEID cards (#3522)
• Add Latvian Cosmo 8.2 card support (#3521)

D-Trust

• Prevent unncecessary pin prompts on pinpad readers (#3266)
• Support for D-Trust Card 5.1 & 5.4 (#3137)
• Implement PIN change and unblock in dtrust-tool (#3137)

Belpic

• Add supports for belpic applet version 1.8 (#3308)

OpenPGP

• Implement key derived PIN format (KDF-DO) as per OpenPGP card spec v3.3 (#3398)

IDPrime

• Implement 5110+ FIPS and 5110 CC (940) derive support (#3483)

Windows

• Update to Wix 6 (#3435)
• Fix C_WaitForSlotEvent() not working in Windows (#2919)
• remove pkcs11-register from autostart (#3354)

MacOS

• Installer images are now notarized (#3536)

pkcs11-tool

• Added support for ML-DSA, ML-KEM, SLH-DSA keys from PKCS#11 3.2 (#3510)
• Improve support for Edwards and montgomery keys and
  add derive key support for CKK_MONTGOMERY (#3090)
• Add support for ChaCha20 and Poly1305 (#3339)
• Add support for AES CTR in decrypt_data() and encrypt_data() (#3338)
• Add initial support for PKCS#11 URIs (#3289)

OpenSC 0.26.1

New in 0.26.1; 2025-01-14

General improvements

• Align allocations of sc_mem_secure_alloc (#3281)
• Fix -O3 gcc optimization failure on amd64 and ppc64el (#3299)

pkcs11-spy

• Avoid crash while spying C_GetInterface() (#3275)

TCOS

• Fix reading certificate (#3296)

OpenSC 0.26.0

New in 0.26.0; 2024-11-13

Security

• CVE-2024-45615: Usage of uninitialized values in libopensc and pkcs15init (#3225)
• CVE-2024-45616: Uninitialized values after incorrect check or usage of APDU response values in libopensc (#3225)
• CVE-2024-45617: Uninitialized values after incorrect or missing checking return values of functions in libopensc (#3225)
• CVE-2024-45618: Uninitialized values after incorrect or missing checking return values of functions in pkcs15init (#3225)
• CVE-2024-45619: Incorrect handling length of buffers or files in libopensc (#3225)
• CVE-2024-45620: Incorrect handling of the length of buffers or files in pkcs15init (#3225)
• CVE-2024-8443: Heap buffer overflow in OpenPGP driver when generating key (#3219)

General improvements

• Fix reselection of DF after error in PKCS#15 layer (#3067)
• Unify OpenSSL logging throughout code (#2922)
• Extend the p11test to support kryoptic (#3141)
• Fix for error in PCSC reconnection (#3150)
• Fixed various issues reported by OSS-Fuzz and Coverity in drivers, PKCS#11 and PKCS#15 layer

PKCS#15

• Documentation for PKCS#15 profile files (#3132)

minidriver

• Support PinCacheAlwaysPrompt usable for PIV cards (#3167)

pkcs11-tool

• Show URI when listing token information (#3125) and objects (#3130)
• Do not limit size of objects to 5000 bytes (#3174)
• Add support for AES CMAC (#3184)
• Add support for AES GCM encryption (#3195)
• Add support for RSA OAEP encryption (#3175)
• Add support for HKDF (#3193)
• Implement better support for wrapping and unwrapping (#3198)
• Add support for EdDSA sign and verify (#2979)

pkcs15-crypt

• Fix PKCS#1 encoding function to correctly detect padding type (#3075)

piv-tool

• Fix RSA key generation (#3158)
• Avoid possible state change when matching unknown card (#3112)

sc-hsm-tool

• Cleanse buffer with plaintext key share (#3226)

pkcs11-register

• Fix pkcs11-register defaults on macOS and Windows (#3053)

IDPrime

• Fix identification of IDPrime 840 cards (#3146)
• Fix container mapping for IDPrime 940 cards (#3220)
• Reorder ATRs for matching cards (#3154)

OpenPGP

• Fix state tracking after erasing card (#3024)

Belpic

• Disable Applet V1.8 (#3109)

MICARDO

• Deactivate driver (#3152)

SmartCard-HSM

• Fix signing with secp521r1 signature (#3157)

eOI

• Set model via sc_card_ctl function (#3189)

Rutoken

• increase the minimum PIN size to support Rutoken ECP BIO (#3208)

JPKI

• Adjust parameters for public key in PKCS#15 emulator (#3182)

D-Trust

• Add support for ECDSA signatures and ECDH key agreement for D-Trust Signatures Cards 4.1/4.4 (#3240, #3248)

OpenSC 0.26.0-rc1

New in 0.26.0; 2024-09-11

Security

• CVE-2024-45615: Usage of uninitialized values in libopensc and pkcs15init (#3225)
• CVE-2024-45616: Uninitialized values after incorrect check or usage of APDU response values in libopensc (#3225)
• CVE-2024-45617: Uninitialized values after incorrect or missing checking return values of functions in libopensc (#3225)
• CVE-2024-45618: Uninitialized values after incorrect or missing checking return values of functions in pkcs15init (#3225)
• CVE-2024-45619: Incorrect handling length of buffers or files in libopensc (#3225)
• CVE-2024-45620: Incorrect handling of the length of buffers or files in pkcs15init (#3225)
• CVE-2024-8443: Heap buffer overflow in OpenPGP driver when generating key (#3219)

General improvements

• Fix reselection of DF after error in PKCS#15 layer (#3067)
• Unify OpenSSL logging throughout code (#2922)
• Extend the p11test to support kryoptic (#3141)
• Fix for error in PCSC reconnection (#3150)
• Fixed various issues reported by OSS-Fuzz and Coverity in drivers, PKCS#11 and PKCS#15 layer

PKCS#15

• Documentation for PKCS#15 profile files (#3132)

minidriver

• Support PinCacheAlwaysPrompt usable for PIV cards (#3167)

pkcs11-tool

• Show URI when listing token information (#3125) and objects (#3130)
• Do not limit size of objects to 5000 bytes (#3174)
• Add support for AES CMAC (#3184)
• Add support for Add support for AES GCM encryption (#3195)
• Add support for RSA OAEP encryption (#3175)
• Add support for HKDF (#3193)
• Implement better support for wrapping and unwrapping (#3198)
• Add support for EdDSA sign and verify (#2979)

pkcs15-crypt

• Fix PKCS#1 encoding function to correctly detect padding type (#3075)

piv-tool

• Fix RSA key generation (#3158)
• Avoid possible state change when matching unknown card (#3112)

sc-hsm-tool

• Cleanse buffer with plaintext key share (#3226)

pkcs11-register

• Fix pkcs11-register defaults on macOS and Windows (#3053)

IDPrime

• Fix identification of IDPrime 840 cards (#3146)
• Fix container mapping for IDPrime 940 cards (#3220)
• Reorder ATRs for matching cards (#3154)

OpenPGP

• Fix state tracking after erasing card (#3024)

Belpic

• Disable Applet V1.8 (#3109)

MICARDO

• Deactivate driver (#3152)

SmartCard-HSM

• Fix signing with secp521r1 signature (#3157)

eOI

• Set model via sc_card_ctl function (#3189)

Rutoken

• increase the minimum PIN size to support Rutoken ECP BIO (#3208)

JPKI

• Adjust parameters for public key in PKCS#15 emulator (#3182)

OpenSC 0.25.1

New in 0.25.1; 2024-04-05

General improvements

• Add missing file to dist tarball to build documentation (#3063)

minidriver

• Fix RSA decryption with PKCS#1 v1.5 padding (#3077)
• Fix crash when app is not set (#3084)

OpenSC 0.25.0

New in 0.25.0; 2024-03-06

Security

• CVE-2023-5992: Side-channel leaks while stripping encryption PKCS#1.5 padding in OpenSC (#2948)
• CVE-2024-1454: Potential use-after-free in AuthentIC driver during card enrollment in pkcs15init (#2962)

General improvements

• Update OpenSSL 1.1.1 to 3.0 in MacOS build (#2930)
• Remove support for old card drivers Akis, GPK, Incrypto34 and Westcos, disable Cyberflex driver (#2885)
• Fix 64b to 32b conversions (#2993)
• Improvements for the p11test (#2991)
• Fix reader initialization without SCardControl (#3007)
• Make RSA PKCS#1 v1.5 depadding constant-time (#2948)
• Add option for disabling PKCS#1 v1.5 depadding (type 01 and 02) on the card (#2975)
• Enable MSI signing via Signpath CI integration for Windows (#2799)
• Fixed various issues reported by OSS-Fuzz and Coverity in drivers, PKCS#11 and PKCS#15 layer

minidriver

• Fix wrong hash selection (#2932)

pkcs11-tool

• Simplify printing EC keys parameters (#2960)
• Add option to import GENERIC key (#2955)
• Add support for importing Ed25518/448 keys (#2985)

drust-tool

• Add tool for D-Trust cards (#3026, #3051)

IDPrime

• Support uncompressed certificates on IDPrime 940 (#2958)
• Enhance IDPrime logging (#3003)
• Add SafeNet 5110+ FIPS token support (#3048)

D-Trust Signature Cards

• Add support for RSA D-Trust Signature Card 4.1 and 4.4 (#2943)

EstEID

• Remove expired EstEID 3.* card support (#2950)

ePass2003

• Allow SW implementation with more SHA2 hashes and ECDSA (#3012)
• Fix EC key generation (#3045)

SmartCard-HSM

• Fix SELECT APDU command (#2978)

MyEID

• Update for PKCS#15 profile (#2965)

Rutoken

• Support for RSA 4096 key algorithm (#3011)

OpenPGP

• Fix decryption requiting Manage Security Environment for authentication key (#3042)

OpenSC 0.25.0-rc1

New in 0.25.0; 2024-02-XX

Security

• CVE-2023-5992: Side-channel leaks while stripping encryption PKCS#1.5 padding in OpenSC (#2948)
• CVE-2024-1454: Potential use-after-free in AuthentIC driver during card enrollment in pkcs15init (#2962)

General improvements

• Update OpenSSL 1.1.1 to 3.0 in MacOS build (#2930)
• Remove support for old card drivers Akis, GPK, Incrypto34 and Westcos, disable Cyberflex driver (#2885)
• Fix 64b to 32b conversions (#2993)
• Improvements for the p11test (#2991)
• Fix reader initialization without SCardControl (#3007)
• Make RSA PKCS#1 v1.5 depadding constant-time (#2948)
• Add option for disabling PKCS#1 v1.5 depadding (type 01 and 02) on the card (#2975)
• Enable MSI signing via Signpath CI integration for Windows (#2799)
• Fixed various issues reported by OSS-Fuzz and Coverity in drivers, PKCS#11 and PKCS#15 layer

minidriver

• Fix wrong hash selection (#2932)

pkcs11-tool

• Simplify printing EC keys parameters (#2960)
• Add option to import GENERIC key (#2955)
• Add support for importing Ed25518/448 keys (#2985)

IDPrime

• Support uncompressed certificates on IDPrime 940 (#2958)
• Enhance IDPrime logging (#3003)

D-Trust Signature Cards

• Add support for RSA D-Trust Signature Card 4.1 and 4.4 (#2943)

EstEID

• Remove expired EstEID 3.* card support (#2950)

ePass2003

• Allow SW implementation with more SHA2 hashes and ECDSA (#3012)

SmartCard-HSM

• Fix SELECT APDU command (#2978)

MyEID

• Update for PKCS#15 profile (#2965)

Rutoken

• Support for RSA 4096 key algorithm (#3011)

OpenSC 0.24.0

New in 0.24.0; 2023-12-13

Security

• CVE-2023-40660: Fix Potential PIN bypass (#2806, frankmorgner/OpenSCToken#50, #2807)
• CVE-2023-40661: Important dynamic analyzers reports
• CVE-2023-4535: Out-of-bounds read in MyEID driver handling encryption using symmetric keys (f1993dc)

General improvements

• Fix compatibility of EAC with OpenSSL 3.0 (#2674)
• Enable use_file_cache by default (#2501)
• Use custom libctx with OpenSSL >= 3.0 (#2712, #2715)
• Fix record-based files (#2604)
• Fix several race conditions (#2735)
• Run tests under Valgrind (#2756)
• Test signing of data bigger than 512 bytes (#2789)
• Update to OpenPACE 1.1.3 (#2796)
• Implement logout for some of the card drivers (#2807)
• Fix wrong popup position of opensc-notify (#2901)
• Fixed various issues reported by OSS-Fuzz and Coverity regarding card drivers, PKCS#11 and PKCS#15 init

PKCS#11

• Check card presence state in C_GetSessionInfo (#2740)
• Remove onepin-opensc-pkcs11 module (#2681)
• Do not use colons in the token info label (#2760)
• Present profile objects in all slots with the CKA_TOKEN attribute to resolve issues with NSS (#2928, #2924)
• Use secure memory for PUK (#2906)
• Don't logout to preserve concurrent access from different processes (#2907)
• Add more examples to manual page (#2936)
• Present profile objects in all virtual slots (#2928)
• Provide CKA_TOKEN attribute for profile objects (#2924)
• Improve --slot parameter documentation (#2951)

PKCS#15

• Honor cache offsets when writing file cache (#2858)
• Prevent needless amount of PIN prompts from pkcs15init layer (#2916)
• Propagate CKA_EXTRACTABLE and SC_PKCS15_PRKEY_ACCESS_SENSITIVE from and back to PKCS#11 (#2936)

Minidriver

• Fix for private keys that do not need a PIN (#2722)
• Unbreak decipher when the first null byte of PKCS#1.5 padding is missing (#2939)

pkcs11-tool

• Fix RSA key import with OpenSSL 3.0 (#2656)
• Add support for attribute filtering when listing objects (#2687)
• Add support for --private flag when writing certificates (#2768)
• Add support for non-AEAD ciphers to the test mode (#2780)
• Show CKA_SIGN attribute for secret keys (#2862)
• Do not attempt to read CKA_ALWAYS_AUTHENTICATE on secret keys (#2864, #2913)
• Show Sign/VerifyRecover attributes (#2888)
• Add option to import generic keys (#2955)

westcos-tool

• Generate 2k RSA keys by default (b53fc5c)

pkcs11-register

• Disable autostart on Linux by default (#2680)

IDPrime

• Add support for IDPrime MD 830, 930 and 940 (#2666)
• Add support for SafeNet eToken 5110 token (#2812)
• Process index even without keyrefmap and use correct label for second PIN (#2878)
• Add support for Gemalto IDPrime 940C (#2941)

EPass2003

• Change of PIN requires verification of the PIN (#2759)
• Fix incorrect CMAC computation for subkeys (#2759, issue #2734)
• Use true random number for mutual authentication for SM (#2766)
• Add verification of data coming from the token in the secure messaging mode (#2772)
• Avoid success when using unsupported digest and fix data length for RAW ECDSA signatures (#2845)

OpenPGP

• Fix select data command (#2753, issue #2752)
• Unbreak ed/curve25519 support (#2892)

eOI

• Add support for Slovenian eID card (eOI) (#2646)

Italian CNS

• Add support for IDEMIA (Oberthur) tokens (#2483)

PIV

• Add support for Swissbit iShield FIDO2 Authenticator (#2671)
• Implement PIV secure messaging (#2053)

SkeID

• Add support for Slovak eID cards (#2672)

isoApplet

• Support ECDSA with off-card hashing (#2642)

MyEID

• Fix WRAP operation when using T0 (#2695)
• Identify changes on the card and enable use_file_cache (#2798)
• Workaround for unwrapping using 2K RSA key (#2921)

SC-HSM

• Add support for opensc-tool --serial (#2675)
• Fix unwrapping of 4096 keys with handling reader limits (#2682)
• Indicate supported hashes and MGF1s (#2827)