Releases: OpenSC/OpenSC
Releases · OpenSC/OpenSC
OpenSC 0.26.1
OpenSC 0.26.0
New in 0.26.0; 2024-11-13
Security
- CVE-2024-45615: Usage of uninitialized values in libopensc and pkcs15init (#3225)
- CVE-2024-45616: Uninitialized values after incorrect check or usage of APDU response values in libopensc (#3225)
- CVE-2024-45617: Uninitialized values after incorrect or missing checking return values of functions in libopensc (#3225)
- CVE-2024-45618: Uninitialized values after incorrect or missing checking return values of functions in pkcs15init (#3225)
- CVE-2024-45619: Incorrect handling length of buffers or files in libopensc (#3225)
- CVE-2024-45620: Incorrect handling of the length of buffers or files in pkcs15init (#3225)
- CVE-2024-8443: Heap buffer overflow in OpenPGP driver when generating key (#3219)
General improvements
- Fix reselection of DF after error in PKCS#15 layer (#3067)
- Unify OpenSSL logging throughout code (#2922)
- Extend the p11test to support kryoptic (#3141)
- Fix for error in PCSC reconnection (#3150)
- Fixed various issues reported by OSS-Fuzz and Coverity in drivers, PKCS#11 and PKCS#15 layer
PKCS#15
- Documentation for PKCS#15 profile files (#3132)
minidriver
- Support PinCacheAlwaysPrompt usable for PIV cards (#3167)
pkcs11-tool
- Show URI when listing token information (#3125) and objects (#3130)
- Do not limit size of objects to 5000 bytes (#3174)
- Add support for AES CMAC (#3184)
- Add support for AES GCM encryption (#3195)
- Add support for RSA OAEP encryption (#3175)
- Add support for HKDF (#3193)
- Implement better support for wrapping and unwrapping (#3198)
- Add support for EdDSA sign and verify (#2979)
pkcs15-crypt
- Fix PKCS#1 encoding function to correctly detect padding type (#3075)
piv-tool
sc-hsm-tool
- Cleanse buffer with plaintext key share (#3226)
pkcs11-register
- Fix pkcs11-register defaults on macOS and Windows (#3053)
IDPrime
- Fix identification of IDPrime 840 cards (#3146)
- Fix container mapping for IDPrime 940 cards (#3220)
- Reorder ATRs for matching cards (#3154)
OpenPGP
- Fix state tracking after erasing card (#3024)
Belpic
- Disable Applet V1.8 (#3109)
MICARDO
- Deactivate driver (#3152)
SmartCard-HSM
- Fix signing with secp521r1 signature (#3157)
eOI
- Set model via
sc_card_ctl
function (#3189)
Rutoken
- increase the minimum PIN size to support Rutoken ECP BIO (#3208)
JPKI
- Adjust parameters for public key in PKCS#15 emulator (#3182)
D-Trust
OpenSC 0.26.0-rc1
New in 0.26.0; 2024-09-11
Security
- CVE-2024-45615: Usage of uninitialized values in libopensc and pkcs15init (#3225)
- CVE-2024-45616: Uninitialized values after incorrect check or usage of APDU response values in libopensc (#3225)
- CVE-2024-45617: Uninitialized values after incorrect or missing checking return values of functions in libopensc (#3225)
- CVE-2024-45618: Uninitialized values after incorrect or missing checking return values of functions in pkcs15init (#3225)
- CVE-2024-45619: Incorrect handling length of buffers or files in libopensc (#3225)
- CVE-2024-45620: Incorrect handling of the length of buffers or files in pkcs15init (#3225)
- CVE-2024-8443: Heap buffer overflow in OpenPGP driver when generating key (#3219)
General improvements
- Fix reselection of DF after error in PKCS#15 layer (#3067)
- Unify OpenSSL logging throughout code (#2922)
- Extend the p11test to support kryoptic (#3141)
- Fix for error in PCSC reconnection (#3150)
- Fixed various issues reported by OSS-Fuzz and Coverity in drivers, PKCS#11 and PKCS#15 layer
PKCS#15
- Documentation for PKCS#15 profile files (#3132)
minidriver
- Support PinCacheAlwaysPrompt usable for PIV cards (#3167)
pkcs11-tool
- Show URI when listing token information (#3125) and objects (#3130)
- Do not limit size of objects to 5000 bytes (#3174)
- Add support for AES CMAC (#3184)
- Add support for Add support for AES GCM encryption (#3195)
- Add support for RSA OAEP encryption (#3175)
- Add support for HKDF (#3193)
- Implement better support for wrapping and unwrapping (#3198)
- Add support for EdDSA sign and verify (#2979)
pkcs15-crypt
- Fix PKCS#1 encoding function to correctly detect padding type (#3075)
piv-tool
sc-hsm-tool
- Cleanse buffer with plaintext key share (#3226)
pkcs11-register
- Fix pkcs11-register defaults on macOS and Windows (#3053)
IDPrime
- Fix identification of IDPrime 840 cards (#3146)
- Fix container mapping for IDPrime 940 cards (#3220)
- Reorder ATRs for matching cards (#3154)
OpenPGP
- Fix state tracking after erasing card (#3024)
Belpic
- Disable Applet V1.8 (#3109)
MICARDO
- Deactivate driver (#3152)
SmartCard-HSM
- Fix signing with secp521r1 signature (#3157)
eOI
- Set model via
sc_card_ctl
function (#3189)
Rutoken
- increase the minimum PIN size to support Rutoken ECP BIO (#3208)
JPKI
- Adjust parameters for public key in PKCS#15 emulator (#3182)
OpenSC 0.25.1
OpenSC 0.25.0
New in 0.25.0; 2024-03-06
Security
- CVE-2023-5992: Side-channel leaks while stripping encryption PKCS#1.5 padding in OpenSC (#2948)
- CVE-2024-1454: Potential use-after-free in AuthentIC driver during card enrollment in pkcs15init (#2962)
General improvements
- Update OpenSSL 1.1.1 to 3.0 in MacOS build (#2930)
- Remove support for old card drivers Akis, GPK, Incrypto34 and Westcos, disable Cyberflex driver (#2885)
- Fix 64b to 32b conversions (#2993)
- Improvements for the p11test (#2991)
- Fix reader initialization without SCardControl (#3007)
- Make RSA PKCS#1 v1.5 depadding constant-time (#2948)
- Add option for disabling PKCS#1 v1.5 depadding (type 01 and 02) on the card (#2975)
- Enable MSI signing via Signpath CI integration for Windows (#2799)
- Fixed various issues reported by OSS-Fuzz and Coverity in drivers, PKCS#11 and PKCS#15 layer
minidriver
- Fix wrong hash selection (#2932)
pkcs11-tool
- Simplify printing EC keys parameters (#2960)
- Add option to import GENERIC key (#2955)
- Add support for importing Ed25518/448 keys (#2985)
drust-tool
IDPrime
- Support uncompressed certificates on IDPrime 940 (#2958)
- Enhance IDPrime logging (#3003)
- Add SafeNet 5110+ FIPS token support (#3048)
D-Trust Signature Cards
- Add support for RSA D-Trust Signature Card 4.1 and 4.4 (#2943)
EstEID
- Remove expired EstEID 3.* card support (#2950)
ePass2003
SmartCard-HSM
- Fix SELECT APDU command (#2978)
MyEID
- Update for PKCS#15 profile (#2965)
Rutoken
- Support for RSA 4096 key algorithm (#3011)
OpenPGP
- Fix decryption requiting Manage Security Environment for authentication key (#3042)
OpenSC 0.25.0-rc1
New in 0.25.0; 2024-02-XX
Security
- CVE-2023-5992: Side-channel leaks while stripping encryption PKCS#1.5 padding in OpenSC (#2948)
- CVE-2024-1454: Potential use-after-free in AuthentIC driver during card enrollment in pkcs15init (#2962)
General improvements
- Update OpenSSL 1.1.1 to 3.0 in MacOS build (#2930)
- Remove support for old card drivers Akis, GPK, Incrypto34 and Westcos, disable Cyberflex driver (#2885)
- Fix 64b to 32b conversions (#2993)
- Improvements for the p11test (#2991)
- Fix reader initialization without SCardControl (#3007)
- Make RSA PKCS#1 v1.5 depadding constant-time (#2948)
- Add option for disabling PKCS#1 v1.5 depadding (type 01 and 02) on the card (#2975)
- Enable MSI signing via Signpath CI integration for Windows (#2799)
- Fixed various issues reported by OSS-Fuzz and Coverity in drivers, PKCS#11 and PKCS#15 layer
minidriver
- Fix wrong hash selection (#2932)
pkcs11-tool
- Simplify printing EC keys parameters (#2960)
- Add option to import GENERIC key (#2955)
- Add support for importing Ed25518/448 keys (#2985)
IDPrime
D-Trust Signature Cards
- Add support for RSA D-Trust Signature Card 4.1 and 4.4 (#2943)
EstEID
- Remove expired EstEID 3.* card support (#2950)
ePass2003
- Allow SW implementation with more SHA2 hashes and ECDSA (#3012)
SmartCard-HSM
- Fix SELECT APDU command (#2978)
MyEID
- Update for PKCS#15 profile (#2965)
Rutoken
- Support for RSA 4096 key algorithm (#3011)
OpenSC 0.24.0
New in 0.24.0; 2023-12-13
Security
- CVE-2023-40660: Fix Potential PIN bypass (#2806, frankmorgner/OpenSCToken#50, #2807)
- CVE-2023-40661: Important dynamic analyzers reports
- CVE-2023-4535: Out-of-bounds read in MyEID driver handling encryption using symmetric keys (f1993dc)
General improvements
- Fix compatibility of EAC with OpenSSL 3.0 (#2674)
- Enable
use_file_cache
by default (#2501) - Use custom libctx with OpenSSL >= 3.0 (#2712, #2715)
- Fix record-based files (#2604)
- Fix several race conditions (#2735)
- Run tests under Valgrind (#2756)
- Test signing of data bigger than 512 bytes (#2789)
- Update to OpenPACE 1.1.3 (#2796)
- Implement logout for some of the card drivers (#2807)
- Fix wrong popup position of opensc-notify (#2901)
- Fixed various issues reported by OSS-Fuzz and Coverity regarding card drivers, PKCS#11 and PKCS#15 init
PKCS#11
- Check card presence state in
C_GetSessionInfo
(#2740) - Remove
onepin-opensc-pkcs11
module (#2681) - Do not use colons in the token info label (#2760)
- Present profile objects in all slots with the CKA_TOKEN attribute to resolve issues with NSS (#2928, #2924)
- Use secure memory for PUK (#2906)
- Don't logout to preserve concurrent access from different processes (#2907)
- Add more examples to manual page (#2936)
- Present profile objects in all virtual slots (#2928)
- Provide CKA_TOKEN attribute for profile objects (#2924)
- Improve --slot parameter documentation (#2951)
PKCS#15
- Honor cache offsets when writing file cache (#2858)
- Prevent needless amount of PIN prompts from pkcs15init layer (#2916)
- Propagate CKA_EXTRACTABLE and SC_PKCS15_PRKEY_ACCESS_SENSITIVE from and back to PKCS#11 (#2936)
Minidriver
- Fix for private keys that do not need a PIN (#2722)
- Unbreak decipher when the first null byte of PKCS#1.5 padding is missing (#2939)
pkcs11-tool
- Fix RSA key import with OpenSSL 3.0 (#2656)
- Add support for attribute filtering when listing objects (#2687)
- Add support for
--private
flag when writing certificates (#2768) - Add support for non-AEAD ciphers to the test mode (#2780)
- Show CKA_SIGN attribute for secret keys (#2862)
- Do not attempt to read CKA_ALWAYS_AUTHENTICATE on secret keys (#2864, #2913)
- Show Sign/VerifyRecover attributes (#2888)
- Add option to import generic keys (#2955)
westcos-tool
- Generate 2k RSA keys by default (b53fc5c)
pkcs11-register
- Disable autostart on Linux by default (#2680)
IDPrime
- Add support for IDPrime MD 830, 930 and 940 (#2666)
- Add support for SafeNet eToken 5110 token (#2812)
- Process index even without keyrefmap and use correct label for second PIN (#2878)
- Add support for Gemalto IDPrime 940C (#2941)
EPass2003
- Change of PIN requires verification of the PIN (#2759)
- Fix incorrect CMAC computation for subkeys (#2759, issue #2734)
- Use true random number for mutual authentication for SM (#2766)
- Add verification of data coming from the token in the secure messaging mode (#2772)
- Avoid success when using unsupported digest and fix data length for RAW ECDSA signatures (#2845)
OpenPGP
eOI
- Add support for Slovenian eID card (eOI) (#2646)
Italian CNS
- Add support for IDEMIA (Oberthur) tokens (#2483)
PIV
SkeID
- Add support for Slovak eID cards (#2672)
isoApplet
- Support ECDSA with off-card hashing (#2642)
MyEID
- Fix WRAP operation when using T0 (#2695)
- Identify changes on the card and enable
use_file_cache
(#2798) - Workaround for unwrapping using 2K RSA key (#2921)
SC-HSM
0.24.0-rc2
0.24.0-rc1
OpenSC 0.23.0
New in 0.23.0; 2022-11-29
General improvements
- Support signing of data with a length of more than 512 bytes (#2314)
- By default, disable support for old card drivers (#2391) and remove support for old drivers MioCOS and JCOP (#2374)
- Bump minimal required OpenSSL version to 1.1.1 and add support for OpenSSL 3.0 (#2438, #2506)
- Compatibility with LibreSSL (#2495, #2595)
- Remove support for DSA (#2503)
- Extend p11test to support symmetric keys (#2430)
- Notice detached reader on macOS (#2418)
- Support for OAEP padding (#2475, #2484)
- Fix for PSS salt length (#2478)
- Improve fuzzing by adding new tests (#2417, #2500, #2520, #2550, #2637)
- Fixed various issues reported by OSS-Fuzz and Coverity regarding card drivers, PKCS#11 and PKCS#15 init
- Fix issues with OpenPACE (#2472)
- Containers support for local testing
- Add support for encryption and decryption using symmetric keys (#2473, #2607)
- Stop building support for Gost algorithms with OpenSSL 3.0 as they require deprecated API (#2586)
- Fix detection of disconnected readers in PCSC (#2600)
- Add configuration option for on-disk caching of private data (#2588)
- Skip building empty binaries when dependencies are missing and remove needless linking (#2617)
- Define arm64 as a supported architecture in the Installer package (#2610)
PKCS#11
- Implement
C_CreateObject
for EC keys and fix signature verification forCKM_ECDSA_SHAx
cards (#2420)
pkcs11-tool
- Add more elliptic curves (#2301)
- Add support for symmetric encrypt and decrypt, wrap and unwrap operations, and initialization vector (#2268)
- Fix consistent handling of secret key attributes (#2497)
- Add support for signing and verifying with HMAC (#2385)
- Add support for SHA3 (#2467)
- Make object selectable via label (#2570)
- Do not require an R/W session for some operations and add
--session-rw
option (#2579) - Print more information: CKA_UNIQUE_ID attribute, SHA3 HMACs and serial number for certificates (#2644, #2643, #2641)
- Add new option --undestroyable to create keys with CKA_DESTROYABLE=FALSE (#2645)
sc-hsm-tool
- Add options for public key authentication (#2301)
Minidriver
- Fix reinit of the card (#2525)
- Add an entry for Italian CNS (e) (#2548)
- Fix detection of ECC mechanisms (#2523)
- Fix ATRs before adding them to the windows registry (#2628)
NQ-Applet
- Add support for the JCOP4 Cards with NQ-Applet (#2425)
ItaCNS
- Add support for ItaCMS v1.1 (key length 2048) (#2371)
Belpic
- Add support for applet v1.8 (#2455)
Starcos
ePass2003
- Fix PKCS#15 initialization (#2403)
- Add support for FIPS (#2543)
- Fix matching with newer versions and tokens initialized with OpenSC (#2575)
MyEID
GIDS
- Fix decipher for TPM (#1881)
OpenPGP
- Get the list of supported algorithms from algorithm information on the card (#2287)
- Support for 3 certificates with OpenPGP 3+ (#2103)
nPA
- Fix card detection (#2463)
Rutoken
- Fix formatting rtecp cards (#2599)
PIV
- Add new PIVKey ATRs for current cards (#2602)