Released by frankmorgner on Sep 13, 2018

New in 0.19.0; 2018-09-13

General Improvements

  • fixed multiple security problems (out-of-bounds writes/reads, #1447):
    • CVE-2018-16391
    • CVE-2018-16392
    • CVE-2018-16393
    • CVE-2018-16418
    • CVE-2018-16419
    • CVE-2018-16420
    • CVE-2018-16421
    • CVE-2018-16422
    • CVE-2018-16423
    • CVE-2018-16424
    • CVE-2018-16425
    • CVE-2018-16426
    • CVE-2018-16427
  • Improved documentation:
    • New manual page for opensc.conf(5)
    • Added several missing switches in manual pages and fixed formatting
  • Win32 installer:
    • automatically start SCardSvr
    • added newer OpenPGP ATRs
  • macOS installer: use HFS+ for backward compatibility
  • Removed outdated Solaris files
  • PC/SC driver:
    • Work around OMNIKEY 3x21 and 6121 smart card readers being wrongly identified as pinpad readers on macOS
  • Work around cards returning short signatures (leading zero bytes stripped)
  • bash completion
    • make the installation directory configurable
    • use a new, correct path by default
  • build: support for libressl-2.7+
  • Configuration
    • Distribute minimal opensc.conf
    • pkcs11_enable_InitToken made global configuration option
    • Changed the OPENSC_DRIVER environment variable to restrict the driver list instead of forcing a single driver (which skipped vital parts of the configuration)
    • Removed configuration options zero_ckaid_for_ca_certs, force_card_driver, reopen_debug_file, paranoid-memory
    • Generalized configuration option ignored_readers
  • If card initialization fails, continue card detection with other card drivers (#1251)
  • Fixed long term card operations on Windows 8 and later (#1043)
  • reader-pcsc: allow fixing the length of a PIN
  • fixed multithreading issue on Windows with OpenPACE OIDs

PKCS#11

  • fixed crash during C_WaitForSlotEvent (#1335)

Minidriver

  • Allow cancelling the PIN pad prompt before starting the reader transaction. Whether to start the transaction immediately or not is user-configurable for each application

OpenSC tools

  • opensc-notify
    • add Exit button to tray icon
    • Use a better description (GenericName) and a generic application icon
    • Do not display in the application list
  • pkcs15-tool
    • added support for reading ECDSA ssh keys
  • p11test
    • Filter certificates other than CKC_X_509
  • openpgp-tool
    • allow calling -d multiple times
    • clarify usage text

sc-hsm

  • Implement RSA PSS
  • Add support for SmartCard-HSM 4K (V3.0)

CAC

  • Remove support for CAC1 cards
  • Ignore unknown tags in properties buffer
  • Use GET PROPERTIES to recognize buffer formats
  • Unbreak encoding last tag-len-value in the data objects
  • Support HID Alt tokens without CCC
    • They present certificates as OIDs of the first AID and use other undocumented applets
    • Inspect the tokens through the ACA applet and GET ACR APDU

Coolkey

  • Unbreak Get Challenge functionality
  • Make uninitialized cards work as expected with ESC

OpenPGP

  • add serial number to card name
  • include detailed version into card name
  • define & set LCS (lifecycle support) as extended capability
  • extend manufacturer list in pkcs15-openpgp.c
  • correctly parse hist_bytes
  • Make deciphering with AUT-key possible for OpenPGP Card >v3.2 (fixes #1352)
  • Add supported algorithms for OpenPGP Card (Fixes #1432)

Starcos

  • added support for 2nd generation eGK (#1451)

CardOS

  • create PIN in MF (pkcs15init)

German ID card

  • fixed identifying unknown card as German ID card (#1360)

PIV

  • Context Specific Login Using Pin Pad Reader Fix
  • Better Handling of Reset using Discovery Object

Released by frankmorgner on May 16, 2018

General Improvements

  • PKCS#15
    • fixed parsing ECC parameters from TokenInfo (#1134)
    • Added PKCS#15 emulator for DIN 66291 profile
    • Cope with empty serial number in TokenInfo
  • Build Environment
    • Treat compiler warnings as errors (use --disable-strict to avoid)
    • macOS
      • optionally use CTK in package builder
      • fixed detection of OpenPACE package
      • macOS High Sierra: fixed dmg creation
      • fixed DNIe UI compatibility
  • Windows: Use Dedicated md/pkcs11 installation folders instead of installing to System32/SysWOW64
  • fixed (possible) memory leaks for PIV, JPKI, PKCS#11, Minidriver
  • fixed many issues reported via compiler warnings, coverity scan and clang's static analyzer
  • beautify printed ASN.1 data, add support for ASN.1 time types
  • SimpleTLV: correctly skip the two bytes after reading a 2-byte size (#1231)
  • added support for keep_alive commands for cards with multiple applets to be enabled via opensc.conf
  • added support for bash completion for arguments that expect filenames
  • added keyword old for selecting card_drivers via opensc.conf
  • improved documentation manuals for OpenSC tools
  • use leave as default for disconnect_action for PC/SC readers
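The out-of-bounds read/write fixes listed under 0.19.0 (#1447 and its CVEs) and the SimpleTLV length-skipping fix (#1231) above are both about decoding card-supplied TLV data without trusting its length fields. The bounds-checked SimpleTLV reader below is an added example written for this page, not OpenSC's own code. It assumes the SimpleTLV layout used by GSC-IS/CAC data objects (1-byte tag, 1-byte length, with 0xFF escaping to a 2-byte little-endian length); the struct, function names and sample buffers are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One decoded SimpleTLV element; value points into the caller's buffer. */
struct stlv {
    uint8_t tag;
    size_t len;
    const uint8_t *value;
};

/*
 * Decode the element starting at *pos in buf[0..buflen).
 * Assumed layout: tag (1 byte), length (1 byte); a length byte of 0xFF means
 * the real length follows as 2 bytes, little-endian.
 * Every read is checked against the bytes actually remaining, so a crafted
 * length can never move the cursor or the value pointer past the buffer.
 * Returns 0 and advances *pos on success; -1 on malformed or truncated input,
 * leaving *pos and *out untouched.
 */
int stlv_read(const uint8_t *buf, size_t buflen, size_t *pos, struct stlv *out)
{
    size_t p, len;
    uint8_t tag;

    if (buf == NULL || pos == NULL || out == NULL || *pos > buflen)
        return -1;
    p = *pos;
    if (buflen - p < 2)            /* need tag + first length byte */
        return -1;
    tag = buf[p++];
    len = buf[p++];
    if (len == 0xFF) {
        if (buflen - p < 2)        /* extended length needs two more bytes */
            return -1;
        len = (size_t)buf[p] | ((size_t)buf[p + 1] << 8);
        p += 2;                    /* consume the 2-byte length: the skip #1231 fixed */
    }
    if (len > buflen - p)          /* value must fit in what remains */
        return -1;
    out->tag = tag;
    out->len = len;
    out->value = buf + p;
    *pos = p + len;
    return 0;
}

/* Number of elements in a well-formed buffer, or -1 if any element is malformed. */
int stlv_count(const uint8_t *buf, size_t buflen)
{
    size_t pos = 0;
    int n = 0;
    struct stlv e;

    while (pos < buflen) {
        if (stlv_read(buf, buflen, &pos, &e) != 0)
            return -1;
        n++;
    }
    return n;
}

/* Length of the first element carrying tag, or -1 if absent or the buffer is malformed. */
long stlv_value_len(const uint8_t *buf, size_t buflen, uint8_t tag)
{
    size_t pos = 0;
    struct stlv e;

    while (pos < buflen) {
        if (stlv_read(buf, buflen, &pos, &e) != 0)
            return -1;
        if (e.tag == tag)
            return (long)e.len;
    }
    return -1;
}

/* Constructed sample buffers (not from any real card). */
const uint8_t STLV_OK[] = {
    0x01, 0x02, 0xAA, 0xBB,                   /* tag 1, len 2 */
    0x02, 0xFF, 0x03, 0x00, 0x11, 0x22, 0x33  /* tag 2, extended len 3 */
};
const size_t STLV_OK_LEN = sizeof STLV_OK;
/* Extended length of zero followed by a second element: decodes as two
 * elements only if the two length bytes are actually skipped. */
const uint8_t STLV_ZERO_EXT[] = { 0x02, 0xFF, 0x00, 0x00, 0x07, 0x01, 0x99 };
const size_t STLV_ZERO_EXT_LEN = sizeof STLV_ZERO_EXT;
/* Length field claims 5 bytes but only 1 remains. */
const uint8_t STLV_OVERRUN[] = { 0x01, 0x05, 0xAA };
const size_t STLV_OVERRUN_LEN = sizeof STLV_OVERRUN;
/* Extended-length escape cut off after one length byte. */
const uint8_t STLV_TRUNC_EXT[] = { 0x01, 0xFF, 0x03 };
const size_t STLV_TRUNC_EXT_LEN = sizeof STLV_TRUNC_EXT;

int main(void)
{
    printf("ok buffer: %d elements, tag 2 carries %ld bytes\n",
           stlv_count(STLV_OK, STLV_OK_LEN), stlv_value_len(STLV_OK, STLV_OK_LEN, 0x02));
    printf("overrun: %d, truncated extended length: %d\n",
           stlv_count(STLV_OVERRUN, STLV_OVERRUN_LEN),
           stlv_count(STLV_TRUNC_EXT, STLV_TRUNC_EXT_LEN));
    return 0;
}
```

The two rejected buffers are the shapes that turn into out-of-bounds reads when a parser trusts the length byte: a declared length larger than the remaining data, and an extended-length escape with the buffer ending before both length bytes are present. Every check compares against the bytes remaining, never against the declared length alone.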

PKCS#11

  • Make OpenSC PKCS#11 Vendor Defined attributes, mechanisms etc unique

Minidriver

  • added CNS ATR (#1153)
  • Add multiple PINs support to minidriver
  • protect MD entry points with CriticalSection

Tokend

  • Configuration value for not propagating certificates that require user authentication (ignore_private_certificate)

CryptoTokenKit

OpenSC Tools

  • cardos-tool
    • List human-readable version for CardOS 5.3
  • pkcs11-tool
    • fixed overwriting digestinfo + hash for RSA-PKCS Signature
    • Enable support for RSA-PSS signatures in pkcs11-tool
    • Add support for RSA-OAEP
    • Fixed #1286
    • Add missing pkcs11-tool options to man page
    • allow mechanism to be specified in hexadecimal
    • fixed default module path on Windows to use opensc-pkcs11.dll
  • pkcs11-spy
    • Add support for RSA-OAEP
    • Add support for RSA-PSS
  • pkcs15init
    • Fix rutokenS FCP parsing (#1259)
  • egk-tool
    • Read data from German Health Care Card (Elektronische Gesundheitskarte, eGK)
  • opensc-asn1
    • Parse ASN.1 from files
  • opensc-tool/opensc-explorer
    • Allow extended APDUs

Authentic

  • Correctly handle APDUs with more than 256 bytes (#1205)
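Handling commands longer than a short APDU can carry (the Authentic fix above, and the extended-APDU option for opensc-tool/opensc-explorer) comes down to choosing correctly between the short and extended ISO/IEC 7816-4 encodings of Lc and Le. The encoder below is an added example written for this page, not OpenSC's own APDU code; the struct, function names and sample commands are constructed for illustration. It refuses to produce an extended APDU when the caller says the transport cannot carry one, which is the situation behind the T=0 255-byte limitation noted in the 0.17.0 section further down.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Command APDU fields (ISO/IEC 7816-4). */
struct apdu {
    uint8_t cla, ins, p1, p2;
    const uint8_t *data;   /* command data, or NULL */
    size_t lc;             /* data length; 0 = no data field */
    size_t le;             /* expected response length; 0 = none expected */
};

#define APDU_SHORT_MAX_LC   255u
#define APDU_SHORT_MAX_LE   256u
#define APDU_EXT_MAX_LC     65535u
#define APDU_EXT_MAX_LE     65536u

/* 1 if the command cannot be expressed as a short APDU. */
int apdu_needs_extended(const struct apdu *a)
{
    return a->lc > APDU_SHORT_MAX_LC || a->le > APDU_SHORT_MAX_LE;
}

/*
 * Encode a into out[0..outlen).  Short form: Lc and Le are one byte each,
 * Le 256 written as 0x00.  Extended form: Lc is 0x00 plus a 2-byte big-endian
 * count; Le is 2 bytes, preceded by 0x00 only when there is no Lc field;
 * Le 65536 is written as 0x0000.
 * Returns the encoded length, or -1 when the command cannot be sent as is:
 * a length beyond the format limit, an extended APDU on a transport that
 * cannot carry one (allow_extended == 0, the T=0 case), or out too small.
 * The caller must then chain or split the command rather than truncate it.
 */
int apdu_encode(const struct apdu *a, int allow_extended, uint8_t *out, size_t outlen)
{
    size_t n = 0;
    int ext;

    if (a == NULL || out == NULL)
        return -1;
    if (a->lc > APDU_EXT_MAX_LC || a->le > APDU_EXT_MAX_LE)
        return -1;
    if (a->lc > 0 && a->data == NULL)
        return -1;
    ext = apdu_needs_extended(a);
    if (ext && !allow_extended)
        return -1;
    if (outlen < 4)
        return -1;
    out[n++] = a->cla; out[n++] = a->ins; out[n++] = a->p1; out[n++] = a->p2;

    if (a->lc > 0) {
        if (ext) {
            if (outlen - n < 3 + a->lc) return -1;
            out[n++] = 0x00;
            out[n++] = (uint8_t)(a->lc >> 8);
            out[n++] = (uint8_t)(a->lc & 0xFF);
        } else {
            if (outlen - n < 1 + a->lc) return -1;
            out[n++] = (uint8_t)a->lc;
        }
        memcpy(out + n, a->data, a->lc);
        n += a->lc;
    }
    if (a->le > 0) {
        if (ext) {
            if (outlen - n < (a->lc > 0 ? 2u : 3u)) return -1;
            if (a->lc == 0)
                out[n++] = 0x00;                       /* marks extended Le without Lc */
            out[n++] = (uint8_t)((a->le >> 8) & 0xFF); /* 65536 -> 0x00 0x00 */
            out[n++] = (uint8_t)(a->le & 0xFF);
        } else {
            if (outlen - n < 1) return -1;
            out[n++] = (uint8_t)(a->le & 0xFF);        /* 256 -> 0x00 */
        }
    }
    return (int)n;
}

/* Constructed sample commands; each returns the encoded length or -1. */
static uint8_t scratch[1024];

int sample_select_mf(void)                  /* SELECT by FID, 2 data bytes, no Le: 7 bytes */
{
    static const uint8_t fid[] = { 0x3F, 0x00 };
    struct apdu a = { 0x00, 0xA4, 0x00, 0x0C, fid, sizeof fid, 0 };
    return apdu_encode(&a, 0, scratch, sizeof scratch);
}

int sample_get_response_256(void)           /* Le=256 in short form must be 0x00 */
{
    struct apdu a = { 0x00, 0xC0, 0x00, 0x00, NULL, 0, 256 };
    int n = apdu_encode(&a, 0, scratch, sizeof scratch);
    return (n == 5 && scratch[4] == 0x00) ? n : -1;
}

int sample_put_data_300(int allow_extended) /* 300 data bytes: 307 bytes, or -1 on T=0 */
{
    static uint8_t blob[300];
    struct apdu a = { 0x00, 0xDB, 0x3F, 0xFF, blob, sizeof blob, 0 };
    return apdu_encode(&a, allow_extended, scratch, sizeof scratch);
}

int sample_extended_le_max(void)            /* no Lc, Le=65536: 00 00 00 after the header */
{
    struct apdu a = { 0x00, 0xCB, 0x3F, 0xFF, NULL, 0, 65536 };
    int n = apdu_encode(&a, 1, scratch, sizeof scratch);
    return (n == 7 && scratch[4] == 0 && scratch[5] == 0 && scratch[6] == 0) ? n : -1;
}

int main(void)
{
    printf("select: %d, get response: %d, put data ext: %d, put data T=0: %d, Le max: %d\n",
           sample_select_mf(), sample_get_response_256(),
           sample_put_data_300(1), sample_put_data_300(0), sample_extended_le_max());
    return 0;
}
```

The -1 from sample_put_data_300(0) is the point of the example: a 300-byte payload on a short-APDU-only transport has to be chained by the caller, not silently clipped to 255 bytes.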

Coolkey

  • Copy labels from certificate objects to the keys

Common Access Card

  • Fixed infinite reading of certificate
  • Added support for Alt token card

MyEID

  • support for RAW RSA signature for 2048 bit keys

IAS/ECC

  • Support for new MinInt agent card

PIV

  • Get cardholder name from the first certificate if token label not specified
  • implemented keep alive command (#1256)
  • fixed signature creation with CKA_ALWAYS_AUTHENTICATE (i.e. PKCS#11 C_Login(CKU_CONTEXT_SPECIFIC))

CardOS

  • fixed card name for CardOS 5
  • added ATR "3b:d2:18:00:81:31:fe:58:c9:02:17"
  • Try forcing max_send_size for PSO:DEC

DNIe

  • DNIe: card also supports 1920 bits (#1247)

GIDS

  • Fix GIDS admin authentication

epass 3000

  • Add ECC support
  • Fix #1073
  • Fix #1115
  • Fix buffer underrun in decipher
  • Fix #1306

Starcos

  • added serial number for 3.4
  • fixed setting key reference for 3.4
  • added support for PIN status queries for 3.4

EstEID

  • ECDSA/ECDH token support
  • Fix crash when certificate read failed (#1176)
  • Clean up expired EstEID card ATRs
  • Fix reading EstEID certificates with T=0 (#1193)

OpenPGP

  • Added support for PIN logout and status
  • factory reset is possible if LCS is supported
  • Added support for OpenPGP card V3
  • fixed selecting Applet
  • implemented keep alive command
  • Retrieve OpenPGP applet version from OpenPGP applet on YubiKey token (#1262)

German ID card

  • fixed recognition of newer cards

SC-HSM

  • Don't block generic contactless ATR
  • changed default labels of GoID
  • added PIN commands for GoID 1.0

Starcos

  • Added Support for Starcos 3.4 and 3.5

MioCOS

  • disabled by default; enable with card_drivers = old; in opensc.conf; the driver will be removed soon.

BlueZ PKCS#15 applet

  • disabled by default; enable with card_drivers = old; in opensc.conf; the driver will be removed soon.

Pre-release, released by frankmorgner on May 4, 2018

macOS: disable notifications only in PKCS#11 module

basically reverts
https://github.com/OpenSC/OpenSC/commit/c35eb1c9bc74e284723ffd726478720b69aed970
by applying a more selective fix for
https://github.com/OpenSC/OpenSC/issues/1174

Released by frankmorgner on Jul 19, 2017

New in 0.17.0; 2017-07-18

Support for new Cards

  • CAC (Common Access Card)
  • GoID (SC-HSM with built-in PIN pad and fingerprint sensor)
  • Coolkey
  • JPKI (Japanese Individual Number Card)
  • nPA (German ID card, eSign Application)

General Improvements

  • PKCS#15
    • Implemented file caching based on the card's contactless UID
    • Cache EF.ODF and EF.TokenInfo
    • File caching is done transparently when the user sets the config option.
  • opensc.conf
    • Added disable_popups for disabling internal UI
    • All Windows specific reader configuration is handled by the pcsc driver (cardmod driver was removed)
  • Build Environment
    • Allow setting PKG_CONFIG_PATH for macOS build
    • Added compatibility with Visual Studio 2015
    • Allow building against LibreSSL
    • Allow building against OpenSSL 1.1.0
    • Allow building against WiX 3.11
    • Allow building minidriver with MinGW
    • Include OpenPACE library by default
    • Removed BUILD_ON/BUILD_FOR variable
  • Simplified installer on macOS and Windows
  • Added support for PIN commands via PC/SC escape commands
  • Added support for card reader access via CryptoTokenKit
  • Added support for PIN entry on card for verification/unblock/change
  • Recognize T=0 limitation of sending 255 bytes
  • Force T=1 for contactless cards
  • Allow setting driver via OPENSC_DRIVER environment variable
  • Fixed many bugs
  • Fixed many compiler warnings
  • Fixed possible issues (memory corruptions, memory leaks, double free, ...)
  • Internal refactoring and cleanup

PKCS#11

  • Move PIN type label in front of description
  • C_GetTokenInfo read the login status from the card if possible
  • Don't use ':' in the token name (#849)
  • Install opensc-pkcs11.pc for usage with pkg-config
  • Don't shrink the number of slots (#629)
  • Add session handle uniqueness check to PKCS#11 C_OpenSession()
  • Activate functionality of C_WaitForSlotEvent() for pcsc-lite >= 1.8.22

Minidriver

  • Support PIN unblocking in minidriver via PUK as response
  • Added support for Session PIN

Tokend

  • Allow usage of the reader's PIN pad by entering an empty PIN

OpenSC Tools

  • Fixed Bash completion (#782)
  • opensc-tool
    • Added --reset option
  • opensc-explorer
    • Show tag 0x82 for unknown files
  • pkcs15-tool
    • Fixed --read-ssh-key crash (#788)
    • Added --clear-cache
    • Fixed locking the card on Windows (#868)
    • Add --list-info option
    • Make --list-... messages consistent
    • Add --short option
    • --read-data-object: Do not print data to terminal when output file is given
    • Reword --no-prompt to --use-pinpad, old option still available as alias
    • Added --test-session-pin option
  • pkcs15-init
    • Fix using PINPAD to verify PIN (#856)
    • Fixed locking the card on Windows (#868)
    • Added --secret-key-algorithm option
    • Print more detailed secret key information
  • pkcs11-tool
    • Added keygen for secret key generation
    • Better handling of PIN (re-) validation
    • Fixed --id for C_GenerateKey, DES and DES3 keygen mechanism (#857)
    • Added --derive-pass-der option
    • Added --generate-random option
    • Add GOSTR3410 keypair generation
  • npa-tool (new)
    • Allows read/write access to EAC tokens
    • Allows PIN management for EAC tokens
  • gids-tool
    • Fixed entering SN via command line
  • sc-hsm-tool
    • Added --print-dkek-share (hidden from the user)
    • Fixed locking the card on Windows (#868)

CardOS

  • Better support for CardOS 5.3

DNIe

  • Fixed interaction with DNIe UI
  • Added support for DNIe 3.0

ePass2003

  • Add new ATR for entersafe PKI card
  • Fixed an incorrect PIN raising the wrong CKR error

GemsafeV1

  • PTeid: add objects (SOD, TRACe, CA) and fix flags
  • PTeid: Support PIN max tries and tries left report
  • PTeid: Properly report cards with 2048b keys.

MyEID

  • Fix to ECDH implementation (#756)
  • Added support for symmetric keys

OpenPGP

  • Improve handling of OpenPGP card PIN change and unblock commands

PIV

  • Some workarounds for PIV-alike cards (e.g. Yubikey)
  • Change driver's short name to 'PIV-II'
  • Use certificate's keyUsage to set PKCS#11 key attributes

SC-HSM

  • Use PKCS#15 file cache
  • Prevent unnecessary applet selection and state resets
  • Added support for session pin
  • Fixed forcing a card driver via opensc.conf

STARCOS

  • Read the maximum transceive size from the card's ATR (#765)

Pre-release, released by frankmorgner on Jul 6, 2017

Simplify differences between CardOS 5 versions and unbreak 5.3 signatures (#1080)

* Simplify CardOS 5.0 support (removing explicit 5.3 marker since the behavior should be the same)

* Restore RSA_PKCS signatures functionality

Closes https://github.com/OpenSC/OpenSC/pull/1079