1191 lines
47 KiB
Raw Normal View History

NEWS for OpenSC -- History of user visible changes
2017-07-17 13:28:02 +00:00
2021-08-09 19:16:08 +00:00
# New in 0.22.0; 2021-08-10
2021-04-06 11:42:50 +00:00
## General improvements
* Use standard paths for file cache on Linux (#2148) and OSX (#2214)
* Various issues of memory/buffer handling in legacy drivers mostly reported by oss-fuzz and coverity (tcos, oberthur, isoapplet, iasecc, westcos, gpk, flex, dnie, mcrd, authentic, belpic)
* Add threading test to `pkcs11-tool` (#2067)
* Add support to generate generic secret keys (#2140)
* `opensc-explorer`: Print information about LCS (Life cycle status byte) (#2195)
* Add support for Apple's arm64 (M1) binaries, removed TokenD. A seperate installer with TokenD (and without arm64 binaries) will be available (#2179).
* Support for gcc11 and its new strict aliasing rules (#2241, #2260)
* Initial support for building with OpenSSL 3.0 (#2343)
* pkcs15-tool: Write data objects in binary mode (#2324)
2021-08-09 19:16:08 +00:00
* Avoid limited size of log messages (#2352)
2021-04-06 11:42:50 +00:00
## PKCS#11
* Support for ECDSA verification (#2211)
* Support for ECDSA with different SHA hashes (#2190)
* Prevent issues in p11-kit by not returning unexpected return codes (#2207)
* Add support for PKCS#11 3.0: The new interfaces, profile objects and functions (#2096, #2293)
2021-04-06 11:42:50 +00:00
* Standardize the version 2 on 2.20 in the code (#2096)
* Copy arguments of C_Initialize (#2350)
2021-04-06 11:42:50 +00:00
## Minidriver
* Fix RSA-PSS signing (#2234)
## OpenPGP
* Fix DO deletion (#2215)
* Add support for (X)EdDSA keys (#1960)
## IDPrime
* Add support for applet version 3 and fix RSA-PSS mechanisms (#2205)
* Add support for applet version 4 (#2332)
2021-04-06 11:42:50 +00:00
## MyEID
* New configuration option for opensc.conf to disable pkcs1_padding (#2193)
* Add support for ECDSA with different hashes (#2190)
* Enable more mechanisms (#2178)
* Fixed asking for a user pin when formatting a card (#1737)
* Added support for French CPx Healthcare cards (#2217)
2021-04-26 16:12:40 +00:00
## CardOS
* Added ATR for new CardOS 5.4 version (#2296)
2021-04-06 11:42:50 +00:00
2020-11-24 09:12:21 +00:00
# New in 0.21.0; 2020-11-24
2020-10-02 23:11:33 +00:00
## General Improvements
2020-11-12 10:14:17 +00:00
* fixed security problems
* CVE-2020-26570 (6903aebfddc466d966c7b865fae34572bf3ed23e)
* CVE-2020-26571
* CVE-2020-26572 (9d294de90d1cc66956389856e60b6944b27b4817)
2020-10-02 23:11:33 +00:00
* Bump minimal required OpenSSL version to 1.0.1 (#1658)
* Implement basic unit tests for asn1 library, compression and simpletlv parser (#1830)
* Allow generating code coverage
* Improve fuzzing by providing corpus from real cards (#1830)
* Implement support for OAEP encryption
* New separate debug level for PIN commands (d06f23e8)
* Fix handling of card/reader insertion/removal events in pcscd
* Many bugfixes reported by oss-fuzz, coverity and
* Fixes of removed readers handling (#1970)
* Fix Firefox crash because of invalid pcsc context (#2077)
## PKCS#11
* Return CKR_TOKEN_NOT_RECOGNIZED for not recognized cards (#2030)
* Propagate ignore_user_content to PKCS#11 layer not to confuse applications (#2040)
2020-11-10 22:25:07 +00:00
## Minidriver
* Fix check of ATR length (2-to 33 characters inclusive) (#2146)
2020-10-02 23:11:33 +00:00
## MacOS
* Add installer signing for PR and master
2020-11-10 22:25:07 +00:00
* Avoid app bundle relocations after installation
2020-10-02 23:11:33 +00:00
* Move OpenSC to MacOS Utilities folder (#2063)
## OpenSC tools
### pkcs11-tool
* Make SHA256 default for OAEP encryption
* pkcs11-tool: allow using SW tokens (#2113)
### opensc-explorer
* `asn1` accepts offsets and decode records (#2090)
* `cat` accepts records (#2090)
## OpenPGP
* Add new ec curves supported by GNUK (#1853)
* First steps supporting OpenPGP 3.4
* Add support for EC key import (#1821)
## Rutoken
* Add ATR for Rutoken ECP SC NFC (#2122)
## CardOS
* Improve detection of various CardOS 5 configurations (#1987)
## DNIe
* Add new DNIe CA structure for the secure channel (#2109)
## ePass2003
* Improve ECC support (#1859)
* Fixed erase sequence (#2097)
2020-11-10 22:25:07 +00:00
## IAS-ECC (#2070):
* Fixed support for Idemia Cosmo cards with AWP middleware interoperability (previously broken).
* Added support for Idemia Cosmo v8 cards.
* PIN padding settings are now used from PKCS#15 info when available.
* Added PIN-pad support for PIN unblock.
2020-10-02 23:11:33 +00:00
## IDPrime
* New driver for Gemalto IDPrime (only some types) (#1772)
## eDo
* New driver with initial support for Polish eID card (e-dowód, eDO) (#2023)
* Remove unused and broken RSA EstEID support (#2095)
* Add missing encryption certificates (#2083)
## PIV
* Add ATR of DOD Yubikey (#2115)
2020-11-10 22:25:07 +00:00
* fixed PIV global pin bug (#2142)
## CAC1
* Support changing PIN with CAC Alt tokens (#2129)
2020-10-02 23:11:33 +00:00
2019-12-29 12:39:01 +00:00
# New in 0.20.0; 2019-12-29
## General Improvements
* fixed security problems
* CVE-2019-6502 (#1586)
* CVE-2019-15946 (a3fc769)
* CVE-2019-15945 (412a614)
* CVE-2019-19480 (6ce6152284c47ba9b1d4fe8ff9d2e6a3f5ee02c7)
* CVE-2019-19481 (b75c002cfb1fd61cd20ec938ff4937d7b1a94278)
* CVE-2019-19479 (c3f23b836e5a1766c36617fe1da30d22f7b63de2)
* Support RSA-PSS signature mechanisms using RSA-RAW (#1435)
* Added memory locking for secrets (#1491)
* added support for terminal colors (#1534)
* PC/SC driver: Fixed error handling in case of changing (#1537) or removing the card reader (#1615)
* macOS installer
* Add installer option to deselect tokend (#1607)
* Make OpenSCToken available on 10.12+ and the default on 10.15+ (2017626ed237dbdd4683a4b9410fc610618200c5)
* Configuration
* rename `md_read_only` to `read_only` and use it for PKCS#11 and Minidriver (#1467)
* allow global use of ignore_private_certificate (#1623)
* Build Environment
* Bump openssl requirement to 0.9.8 (##1459)
* Added support for fuzzing with AFL (#1580) and libFuzzer/OSS-Fuzz (#1697)
* Added CI tests for simulating GIDS, OpenPGP, PIV, IsoApplet (#1568) and MyEID (#1677) and CAC (#1757)
* Integrate clang-tidy with `make check` (#1673)
* Added support for reproducible builds (#1839)
## PKCS#11
* Implement write protection (CKF_WRITE_PROTECTED) based on the card profile (#1467)
* Added C_WrapKey and C_UnwrapKey implementations (#1393)
* Handle CKA_ALWAYS_AUTHENTICATE when creating key objects. (#1539)
* Truncate long PKCS#11 labels with ... (#1629)
* Fixed recognition of a token when being unplugged and reinserted (#1875)
## Minidriver
* Register for CardOS5 cards (#1750)
* Add support for RSA-PSS (263b945)
## OpenSC tools
* Harmonize the use of option `-r`/`--reader` (#1548)
* `goid-tool`: GoID personalization with fingerprint
* `openpgp-tool`
* replace the options `-L`/` --key-length` with `-t`/`--key-type` (#1508)
* added options `-C`/`--card-info` and `-K`/`--key-info` (#1508)
* `opensc-explorer`
* add command `pin_info` (#1487)
* extend `random` to allow writing to a file (#1487)
* `opensc-minidriver-test.exe`: Tests for Microsoft CryptoAPI (#1510)
* `opensc-notify`: Autostart on Windows
* `pkcs11-register`:
* Auto-configuration of applications for use of OpenSC PKCS#11 (#1644)
* Autostart on Windows, macOS and Linux (#1644)
* `opensc-tool`: Show ATR also for cards not recognized by OpenSC (#1625)
* `pkcs11-spy`:
* parse CKM_AES_GCM
* Add support for CKA_OTP_* and CKM_*_PSS values
* parse EC Derive parameters (#1677)
* `pkcs11-tool`
* Support for signature verification via `--verify` (#1435)
* Add object type `secrkey` for `--type` option (#1575)
* Implement Secret Key write object (#1648)
* Add GOSTR3410-2012 support (#1654)
* Add support for testing CKM_RSA_PKCS_OAEP (#1600)
* Add extractable option to key import (#1674)
* list more key access flags when listing keys (#1653)
* Add support for `CKA_ALLOWED_MECHANISMS` when creating new objects and listing keys (#1628)
* `pkcs15-crypt`: * Handle keys with user consent (#1529)
## CAC1
New separate CAC1 driver using the old CAC specification (#1502)
## CardOS
* Add support for 4K RSA keys in CardOS 5 (#1776)
* Fixed decryption with CardOS 5 (#1867)
## Coolkey
* Enable CoolKey driver to handle 2048-bit keys. (#1532)
## EstEID
* adds support for a minimalistic, small and fast card profile based on IAS-ECC issued since December 2018 (#1635)
* GIDS Decipher fix (#1881)
* Allow RSA 4K support (#1891)
* Remove long expired EstEID 1.0/1.1 card support (#1470)
## MyEID
* Add support for unwrapping a secret key with an RSA key or secret key (#1393)
* Add support for wrapping a secret key with a secret key (#1393)
* Support for MyEID 4K RSA (#1657)
* Support for OsEID (#1677).
## Gemalto GemSafe
* add new PTeID ATRs (#1683)
* Add support for 4K RSA keys (#1863, #1872)
## OpenPGP
* OpenPGP Card v3 ECC support (#1506)
## Rutoken
* Add Rutoken ECP SC (#1652)
* Add Rutoken Lite (#1728)
* Add SmartCard-HSM 4K ATR (#1681)
* Add missing secp384r1 curve parameter (#1696)
## Starcos
* Fixed decipher with 2.3 (#1496)
* Added ATR for 2nd gen. eGK (#1668)
* Added new ATR for 3.5 (#1882)
* Detect and allow Globalplatform PIN encoding (#1882)
* Fix TCOS IDKey support (#1880)
* add encryption certificate for IDKey (#1892)
## Infocamere, Postecert, Cnipa
* Removed profiles (#1584)
* Remove incomplete acos5 driver (#1622).
2018-09-13 11:47:21 +00:00
# New in 0.19.0; 2018-09-13
2018-09-12 07:44:02 +00:00
## General Improvements
* fixed multiple security problems (out of bound writes/reads, #1447):
* CVE-2018-16391
* CVE-2018-16392
* CVE-2018-16393
* CVE-2018-16418
* CVE-2018-16419
* CVE-2018-16420
* CVE-2018-16421
* CVE-2018-16422
* CVE-2018-16423
* CVE-2018-16424
* CVE-2018-16425
* CVE-2018-16426
* CVE-2018-16427
* Improved documentation:
* New manual page for opensc.conf(5)
* Added several missing switches in manual pages and fixed formatting
* Win32 installer:
* automatically start SCardSvr
* added newer OpenPGP ATRs
* macOS installer: use HFS+ for backward compatibility
* Remove outdated solaris files
* PC/SC driver:
* Workaround OMNIKEY 3x21 and 6121 Smart Card Readers wrongly identified as pinpad readers in macOS
* Workaround cards returning short signatures without leading zeroes
* bash completion
* make location directory configurable
* Use a new correct path by default
* build: support for libressl-2.7+
* Configuration
* Distribute minimal opensc.conf
* `pkcs11_enable_InitToken made` global configuration option
* Modify behavior of `OPENSC_DRIVER` environment variable to restrict driver list instead of forcing one driver and skipping vital parts of configuration
* Removed configuration options `zero_ckaid_for_ca_certs`, `force_card_driver`, `reopen_debug_file`, `paranoid-memory`
* Generalized configuration option `ignored_readers`
* If card initialization fails, continue card detection with other card drivers (#1251)
* Fixed long term card operations on Windows 8 and later (#1043)
* reader-pcsc: allow fixing the length of a PIN
* fixed multithreading issue on Window with OpenPACE OIDs
## PKCS#11
* fixed crash during `C_WaitForSlotEvent` (#1335)
## Minidriver
* Allow cancelling the PIN pad prompt before starting the reader transaction. Whether to start the transaction immediately or not is user-configurable for each application
## OpenSC tools
* `opensc-notify`
* add Exit button to tray icon
* User better description (GenericName) and a generic application icon
* Do not display in the application list
* `pkcs15-tool`
* added support for reading ECDSA ssh keys
* `p11test`
* Filter certificates other than `CKC_X_509`
* `opengpg-tool`
* allow calling -d multiple times
* clarify usage text
## sc-hsm
* Implement RSA PSS
* Add support for SmartCard-HSM 4K (V3.0)
## CAC
* Remove support for CAC1 cards
* Ignore unknown tags in properties buffer
* Use GET PROPERTIES to recognize buffer formats
* Unbreak encoding last tag-len-value in the data objects
* Support HID Alt tokens without CCC
* They present certificates in OIDs of first AID and use other undocumented applets
* Inspect the tokens through the ACA applet and GET ACR APDU
## Coolkey
* Unbreak Get Challenge functionality
* Make uninitialized cards working as expected with ESC
## OpenPGP
* add serial number to card name
* include detailed version into card name
* define & set LCS (lifecycle support) as extended capability
* extend manufacturer list in pkcs15-openpgp.c
* correctly parse hist_bytes
* Make deciphering with AUT-key possible for OpenPGP Card >v3.2 (fixes #1352)
* Add supported algorithms for OpenPGP Card (Fixes #1432)
## Starcos
* added support for 2nd generation eGK (#1451)
## CardOS
* create PIN in MF (`pkcs15init`)
## German ID card
* fixed identifying unknown card as German ID card (#1360)
## PIV
* Context Specific Login Using Pin Pad Reader Fix
* Better Handling of Reset using Discovery Object
2018-05-16 11:23:16 +00:00
# New in 0.18.0; 2018-05-16
## General Improvements
* PKCS#15
* fixed parsing ECC parameters from TokenInfo (#1134)
* Added PKCS#15 emulator for DIN 66291 profile
* Cope with empty serial number in TokenInfo
* Build Environment
* Treat compiler warnings as errors (use `--disable-strict` to avoid)
* MacOS
* optionally use CTK in package builder
* fixed detection of OpenPACE package
* macOS High Sierra: fixed dmg creation
* fixed DNIe UI compatibility
* Windows: Use Dedicated md/pkcs11 installation folders instead of installing to System32/SysWOW64
* fixed (possible) memory leaks for PIV, JPKI, PKCS#11, Minidriver
* fixed many issues reported via compiler warnings, coverity scan and clang's static analyzer
* beautify printed ASN.1 data, add support for ASN.1 time types
* SimpleTLV: Skip correctly two bytes after reading 2b size (#1231)
* added support for `keep_alive` commands for cards with multiple applets to be enabled via `opensc.conf`
* added support for bash completion for arguments that expect filenames
* added keyword `old` for selecting `card_drivers` via `opensc.conf`
* improved documentation manuals for OpenSC tools
* use `leave` as default for `disconnect_action` for PC/SC readers
## PKCS#11
* Make OpenSC PKCS#11 Vendor Defined attributes, mechanisms etc unique
## Minidriver
* added CNS ATR (#1153)
* Add multiple PINs support to minidriver
* protect MD entry points with `CriticalSection`
## Tokend
* Configuration value for not propagating certificates that require user authentication (`ignore_private_certificate`)
## CryptoTokenKit
* Added support for PIN pad
* fixed codesigning of opensc tools
* Added complete support for system integration with
## OpenSC Tools
* `cardos-tool`
* List human-readable version for CardOS 5.3
* `pkcs11-tool`
* fixed overwriting digestinfo + hash for RSA-PKCS Signature
* Enable support for RSA-PSS signatures in pkcs11-tool
* Add support for RSA-OAEP
2018-09-12 07:44:02 +00:00
* Fixed #1286
2018-05-16 11:23:16 +00:00
* Add missing pkcs11-tool options to man page
* allow mechanism to be specified in hexadecimal
* fixed default module path on Windows to use opensc-pkcs11.dll
* `pkcs11-spy`
* Add support for RSA-OAEP
* Add support for RSA-PSS
* `pkcs15init`
* Fix rutokenS FCP parsing (#1259)
* `egk-tool`
* Read data from German Health Care Card (Elektronische Gesundheitskarte, eGK)
* `opensc-asn1`
* Parse ASN.1 from files
* `opensc-tool`/`opensc-explorer`
* Allow extended APDUs
## Authentic
* Correctly handle APDUs with more than 256 bytes (#1205)
## Coolkey
* Copy labels from certificate objects to the keys
## Common Access Card
* Fixed infinite reading of certificate
* Added support for Alt token card
## MyEID
* support for RAW RSA signature for 2048 bit keys
* Support for new MinInt agent card
## PIV
* Get cardholder name from the first certificate if token label not specified
* implemented keep alive command (#1256)
* fixed signature creation with `CKA_ALWAYS_AUTHENTICATE` (i.e. PKCS#11 `C_Login(CKU_CONTEXT_SPECIFIC)`)
## CardOS
* fixed card name for CardOS 5
* added ATR `"3b:d2:18:00:81:31:fe:58:c9:02:17"`
* Try forcing `max_send_size` for PSO:DEC
## DNIe
* DNIe: card also supports 1920 bits (#1247)
* Fix GIDS admin authentication
## epass 3000
* Add ECC support
* Fix #1073
* Fix #1115
* Fix buffer underrun in decipher
* Fix #1306
## Starcos
* added serial number for 3.4
* fixed setting key reference for 3.4
* added support for PIN status queries for 3.4
## EstEID
* ECDSA/ECDH token support
* Fix crash when certificate read failed (#1176)
* Cleanup expired EstEID card ATR-s
* Fix reading EstEID certificates with T=0 (#1193)
## OpenPGP
* Added support for PIN logout and status
* factory reset is possible if LCS is supported
* Added support for OpenPGP card V3
* fixed selecting Applet
* implemented keep alive command
* Retrieve OpenPGP applet version from OpenPGP applet on YubiKey token (#1262)
## German ID card
* fixed recognition of newer cards
* Don't block generic contactless ATR
* changed default labels of GoID
* added PIN commands for GoID 1.0
## Starcos
* Added Support for Starcos 3.4 and 3.5
## MioCOS
* disabled by default, use `card_drivers = old;` to enable; driver will be removed soon.
## BlueZ PKCS#15 applet
* disabled by default, use `card_drivers = old;` to enable; driver will be removed soon.
# New in 0.17.0; 2017-07-18
2017-07-17 13:28:02 +00:00
## Support for new Cards
* CAC (Common Access Card)
* GoID (SC-HSM with built-in PIN pad and fingerprint sensor)
* Coolkey
* JPKI (Japanese Individual Number Card)
* nPA (German ID card, eSign Application)
## General Improvements
* PKCS#15
* Implemented file caching based on card's contact-less UID
* Cache EF.ODF and EF.TokenInfo
* File caching is done transparently when the user sets the config option.
* `opensc.conf`
* Added `disable_popups` for disabling internal UI
* All Windows specific reader configuration is handled by the pcsc driver (cardmod driver was removed)
* Build Environment
* Allow setting `PKG_CONFIG_PATH` for macOS build
* Added compatibility with Visual Studio 2015
* Allow building against LibreSSL
* Allow building against OpenSSL 1.1.0
* Allow building against WiX 3.11
* Allow building minidriver with MinGW
* Include OpenPACE library by default
* Removed `BUILD_ON`/`BUILD_FOR` variable
* Simplified installer on macOS and Windows
* Added support for PIN commands via PC/SC escape commands
* Added support for card reader access via CryptoTokenKit
* Added support for PIN entry on card for verification/unblock/change
* Recognize T=0 limitation of sending 255 bytes
* Force T=1 for contactless cards
* Allow setting driver via `OPENSC_DRIVER` environment variable
* Fixed many bugs
* Fixed many compiler warnings
* Fixed possible issues (memory corruptions, memory leaks, double free, ...)
* Internal refactoring and cleanup
## PKCS#11
* Move PIN type label front of description
* `C_GetTokenInfo` read the login status from the card if possible
* Don't use ':' in the token name (#849)
* Install `opensc-pkcs11.pc` for usage with `pkg-config`
* Don't shrink the number of slots (#629)
* Add session handle uniqueness check to PKCS#11 `C_OpenSession()`
* Activate functionality of `C_WaitForSlot()` for pcsc-lite >= 1.8.22
## Minidriver
* Support PIN unblocking in minidriver via PUK as response
* Added support for Session PIN
## Tokend
* Allow usage of readers PIN pad by entering an empty PIN
## OpenSC Tools
* Fixed Bash completion (#782)
* `opensc-tool`
* Added `--reset` option
* `opensc-explorer`
* Show tag 0x82 for unknown files
* `pkcs15-tool`
* Fixed `--read-ssh-key` crash (#788)
* Added `--clear-cache`
* Fixed locking the card on Windows (#868)
* Add `--list-info` option
* Make `--list-...` messages consistent
* Add `--short` option
* `--read-data-object`: Do not print data to terminal when output file is given
* Reword `--no-prompt` to `--use-pinpad`, old option still available as alias
* Added `--test-session-pin` option
* `pkcs15-init`
* Fix using PINPAD to verify PIN (#856)
* Fixed locking the card on Windows (#868)
* Added `--secret-key-algorithm` option
* Print more detailed secret key information
* `pkcs11-tool`
* Added `keygen` for secret key generation
* Better handling of PIN (re-) validation
* Fixed --id for `C_GenerateKey`, DES and DES3 keygen mechanism (#857)
* Added `--derive-pass-der` option
* Added `--generate-random` option
* Add GOSTR3410 key pair generation
2017-07-17 13:28:02 +00:00
* `npa-tool` (new)
* Allows read/write access to EAC tokens
* Allows PIN management for EAC tokens
* `gids-tool`
* Fixed entering SN via command line
* `sc-hsm-tool`
* Added `--print-dkek-share` (hidden from the user)
* Fixed locking the card on Windows (#868)
## CardOS
* Better support for CardOS 5.3
## DNIe
* Fixed interaction with DNIe UI
* Added support for DNIe 3.0
## ePass2003
* Add new ATR for entersafe PKI card
* Solved Incorrect PIN raise wrong CKR error
## GemsafeV1
* PTeid: add objects (SOD, TRACe, CA) and fix flags
* PTeid: Support PIN max tries and tries left report
* PTeid: Properly report cards with 2048b keys.
## MyEID
* Fix to ECDH implementation (#756)
* Added support for symmetric keys
## OpenPGP
* Improve handling of OpenPGP card PIN change and unblock commands
## PIV
* Some workarounds for PIV-alike cards (e.g. Yubikey)
* Change driver's short name to 'PIV-II'
* Use certificate's keyUsage to set PKCS#11 key attributes
* Use PKCS#15 file cache
* Prevent unnecessary applet selection and state resets
* Added support for session pin
* Fixed forcing a card driver via opensc.conf
* Read the maximum transcive sice from the card's ATR (#765)
2016-05-16 09:53:59 +00:00
New in 0.16.0; 2016-05-15
* build
2016-05-16 09:53:59 +00:00
link OpenSSL in static
option: enable PKCS11 thread locking
* configuration
use one configuration file for all systems
* tools:
package revision as version
** pkcs11-tool
keygen mechanism in pkcs11 tools
write GOST public key
fix CKA_SENSITIVE attribute of public keys
** opensc-explorer:
added command find_tags
allow ASN.1 decoding if the file seems incomplete
** pkcs15-tool:
handle record-based files when doing file caching
option to prine raw data
** sc-hsm-tool:
status info support for SmartCard-HSM V2.0
2016-05-16 09:53:59 +00:00
** doc: some missing options are documented, added documentation
for gid tool
* minidriver:
support for ECC
Windows x509 enrollment
first implementation of CardDeleteContainer
2016-05-16 09:53:59 +00:00
MD logs controlled by register and environment variable
* reader-pcsc
fixed unreleased locks with pcsc-lite
honour PC/SC pt 10 dwMaxAPDUDataSize
added call back for getting vendor/product id
restrict access to card handles after fork
SCardGetAttrib is used to initialize reader's metadata
2016-05-16 09:53:59 +00:00
by default only short APDUs supported
* pkcs11
no slot reserved for hot plug
no more slot created 'per-applications'
atomic operation (TODO: expand)
export all C_* symbols
metadata initialized from package info
fix registering pkcs11 mechanisms multiple times
sloppy initialization for C_GetSlotInfo
* pkcs15
cache of on-card files extended to application paths
configuration option to enable/disable application
make file cache dir configurable
2016-05-16 09:53:59 +00:00
in key info data type introduced 'auxiliary data' -- container
for the non-pkc15 data.
* OpenPGP
support for Gnuk -- USB cryptographic token for GNU Privacy Guard
build without OpenSSL
implemented 'erase card'
additional manufacturers
support for 521 bit ECC keys
ATRs for the new cards
* sc-hsm
read/write support in minidriver
* rtecp
delete keys
* GemSafeV1
support for European Patent Office smart card
sign with SHA256
* Gids
first support for Gids smart card
* dnie
* Feitian PKI card
2018-09-12 07:44:02 +00:00
new ATRs
* IsoApplet
* starcos
initial support for STARCOS 3.4 (German D-Trust cards)
* macosx
install tokend to /Library/Security/ instead /System/Library/Security/
2016-05-16 09:53:59 +00:00
fixed locking issue in pcsc reader
allow using of cards where default application in not PIV
support for the Yubikey NEO
* italian-CNS
italian-cns reg file for minidriver
2016-05-16 09:53:59 +00:00
2015-05-16 19:31:47 +00:00
New in 0.15.0; 2015-05-11
* new card drivers
AzeDIT 3.5
* libopensc
allow extended length APDUs
accept no output for 'SELECT' MF and 'SELECT' DF_NAME APDUs
fixed sc_driver_version check
adjusted send/receive size according to card capabilities
2015-05-16 19:31:47 +00:00
in iso7816 make SELECT agnosting to sc_path_t's aid
* asn1
support multi-bytes tags
* pkcs15
reviewed support and tool functions for public key
public certs and pubkeys with an auth_id are treated as private
* pkcs11
introduced default PKCS#11 provider
fetched real value of CKA_LOCAL for pubkey
removed inconsistent attributes
C_Digest issues
no check if buffer too small before update
* added support for Travis CI
* updated support of EC in libopensc, pkcs15 and pkcs11
* fixed number of warnings, resource leaks, overity-scan issues
* macosx
target minimum OSX version to 10.7
update the minimal building instructions.
locate and target the latest SDK to build against.
locate the best newest SDK present on the computer.
* build
disable Secure Messaging if OpenSSL is not used
* tools
util_get_pin helper function
Add AES support for PIV General Authenticate
fixed invalid bit when writing PIV certificate object with gzipped certificate
fixed bad caching behavior of PIV PKCS15 emulator
* ePass2003
fixed failure due to re-authenticate of secure messaging when card is accessed
by multiple PKCS11 sessions
EC support for MyEID-v4 card
* openpgp
extended options for openpgp-tool
* asepcos
fixed puk handling
* sc-hsm
support for Koblitz curves secp192k1 and secp256k1 (Bitcoin)
improved error detection and reporting in sc-hsm-tool
fixed Lc byte in VERIFY PIN block for PC/SC PIN PAD reader
fix certificate delete bug
fixed PKCS#11 compliance issues
support for Morpho IAS Agent Card
* cardos
overwrite content of deleted private key
* win32
setup improuvement
look & feel
custom actions with card registration
minidriver impouvement
fixed errors and warnings returned by Microsoft quality tool
pin-pad support
New in 0.14.0; 2014-05-31
2014-05-16 14:51:01 +00:00
* new card driver DNIe
* extended existing drivers by support of
Swedish eID card (gemsafeV1)
EstEID 3.5 (mcrd)
* bogus javacard driver removed
* build
return to the standard use of 'autoconf'
CI specific bootstrap script: git commit stamp for the built packages
windows friendly compile settings
fixed a ton of compiler warnings
fence against using EVP_sha256 mech
debian packaging templates
compile without OpenSSL and without SM
enable compiler warnings by default
add 'VarFileInfo' block to version-info
include to MSI package 'openpgp-tool.exe'
'version-info' resource for each target
* macOSX
"graphical uninstaller" to distribution DMG
update package building to modern tools
new tool and SDK paths for OS X 10.8
improved opensc-installer from distribution
osx: target 10.9 (a free upgrade to anyone using 10.6+) from now on
2014-06-26 17:15:33 +00:00
build 'fat' binaries i386
2014-05-16 14:51:01 +00:00
* common
added getpass implementation for non windows
* libopensc
allow for the pin to be entered on the keypad during issuing
introduce 'encoded-content' to the sc_file data
general usage method to allocate generalized time
* minidriver
implemented 'CardChangeAuthenticator', 'CardGetChallenge' and 'CardUnblockPin'
improved management of GUID
use reader pin pad if available and allowed
configuration options for
compose GUID
refuse create container mechanism
add registers file for feitian cards
return code in 'CardGetContainerInfo'
returned 'tries-left' for blocked card
length of stripped data in RSADecrypt
* pkcs#11
bind non-recognized card, generic 'init-token' procedure
CKA_VALUE of 'public-key' object
fix ASN1 encoding issues
PIN-NOT-INITIALIZED for the non-user PINs
buffers overflow
segfault due to the undefined 'application-file'
* pkcs15
'direct' public key in PuKDF encoding
implement SPKI public key encoding
include and maintain minidriver framework data: cmap-record, md-flags, GUID, ..
encoding of 'SubjectPublicKeyInfo'
DER encoding of 'issuer' and 'subject'
PIN validation in 'pkcs15-verify'
public key algorithm
ECC public key encoding
ECC ecpointQ
* pkcs15init
2018-09-12 07:44:02 +00:00
introduce 'max-unblocks' PIN init parameter
2014-05-16 14:51:01 +00:00
keep cert. blob in cert-info data
file 'content' and 'prop-attrs' in the card profile
in profile more AC operations are parsed
NULL pointer dereference error
NULL 'store-key' handle
ignore if no TokenInfo file to update
set EC pubkey parameters from init data
* reader-pcsc
implicit pin modification
pin checking when implicitly given
verify/modify pinpad commands
* SM
common SM 'increase-sequence-counter' procedure
move SM APDU procedures to dedicated source file
move SM common crypto procedures to the dedicated library
* doc
documentation for --list-token-slots
* default driver
do not send possibly arbitrary APDU-s to an unknown card.
2018-09-12 07:44:02 +00:00
by default 'default' card driver is disabled
2014-05-16 14:51:01 +00:00
* sc-hsm
Added support for
persistent EC public keys generated from certificate signing requests
token label to be set via C_InitToken or sc-hsm-tool
unblock PIN using C_InitPIN()
initialize EC key params
bug that prevents a newly generated 2048 key to show up at the PKCS#11 interface
bug when changing SO-PIN with opensc-explorer sc-hsm-tool
memory checking and removed warning
problem deleting CA certificates sc-hsm
public key format returned when generating ECC keys
better error handling for non-SmartCard-HSM cards
support for DKEK password sharing scheme
threshold scheme parameters to manpage
crash on Windows when --wrap-key frees memory allocated in opensc.dll
* ias
simplify the compute signature operation
use SPKI encoding for public key data
extract public key from cert if no object on card
segfault and valgrind issue
gen_key to expect the proper PIV Key references
* CardOS
build for Windows
use information from AlgorithmInfo
supported CardOS V5.0
* epass2003
key generation allows stricter privkey/pubkey ACLs
list_files implemented
properly disable padding
allow exponents other than 65537
* myeid
fixed file-id in myeid.profile
* entersafe
2018-09-12 07:44:02 +00:00
fix a bug when writing public key
2014-05-16 14:51:01 +00:00
* EstEID
match card only based on presence of application.
* pteid
do not call the iso7816 driver get_response operation
* myeid
support of EC key is broken
2012-12-04 10:50:49 +00:00
New in 0.13.0; 2012-12-04
2012-08-05 17:10:06 +00:00
* New card driver ePass2003.
* OpenPGP card:
greatly improved card driver and PKCS#15 emulation;
implemented write (pkcs15init) mode;
greatly enhanced documentation and tools.
* ECDSA keys supported in 'read' and 'write' modes by
internal PKCS#15 library, PKCS#11 and tools.
* Minidriver in 'write' mode.
* SM: secure messaging in GlobalPlatform-SP01 and CW14890 specifications;
supported by ePass2003, IAS/ECC and AuthentIC cards;
"ACL" and "APDU" modes to trigger secure messaging session;
'local' version of the external secure messaging module.
* PKCS#15: support of 'secret-key' PKCS#15 objects
support of 'authentication-object' PKCS#15 objects
support of 'algReference' common key PKCS#15 attribute
support of 'algReference' common key PKCS#15 attribute
support of 'subjectName' common public key PKCS#15 attribute
* PKCS#11: removed 'onepin' version of pkcs#11 module
configuration options to expose slots for PINs and present on-card applications.
support GOSTR3410 generate key mechanism
* Support of PACE reader.
* Remove libltdl reference.
2012-12-04 10:50:49 +00:00
* ECDSA supported by MyEID card
* New card driver for the SmartCard-HSM, a light-weight hardware security module
2012-08-06 07:10:28 +00:00
* New useful commands in 'opensc-explorer' tool: 'find', 'put-data', ...
2012-12-04 10:50:49 +00:00
* fixed SIGV issue due to the unsupported public key format
2012-08-06 07:02:42 +00:00
* fixes for the number of documentation issues
2012-08-05 17:10:06 +00:00
2011-07-15 10:40:07 +00:00
New in 0.12.2; 2011-07-15
2011-06-30 10:26:09 +00:00
* Builds are now silent by default when OpenSC is built from source on Unix.
* Using --wait with command line tools works with 64bit Linux again.
* Greatly improved OpenPGP card support, including OpenPGP 2.0 cards
like the one found in German Privacy Foundation CryptoStick.
* Fixed support for FINeID cards issued after 01.03.2011 with 2048bit keys.
* #256: Fixed support for TCOS cards (broken since 0.12.0).
* Added support for IDKey-cards to TCOS3 driver.
* #361: Improved PC/SC driver to fetch the maximum PIN sizes from the open
source CCID driver. This fixes the issue for Linux/OSX with recent driver.
* WindowsInstaller now installs only static DLL-s (PKCS#11, minidriver) to
system folder.
2011-07-13 14:26:28 +00:00
* Fix FINeID cards for organizations.
* Several smaller bugs and compiler warnings fixed.
New in 0.12.1; 2011-05-17
* New card driver: IAS/ECC 1.0.1
* rutoken-tool has been deprecated and removed.
* eidenv and piv-tool utilities now have manual pages.
* pkcs11-tool now requires the use of --module parameter.
* All tools can now use an ATR as an argument to --reader, to skip to the
card with given ATR.
* opensc-tool -l with -v now shows information about the inserted cards.
* Creating files have an enforced upper size limit, 64K
* Support for multiple PKCS#15 applications with different AID-s.
PKCS#15 applications can be listed with pkcs15-tool --list-applications.
Binding to a specific AID with PKCS#15 tools can be done with --aid.
* Hex strings (like card ATR or APDU-s) can now be separated by space, in
addition to colons.
* Pinpad readers known to be bogus are now ignored by OpenSC. At the moment
only "HP USB Smart Card Keyboard" is disabled.
* Windows installer is now distributed as a statically built MSI, for both
x86 and x64.
* Numerous compiler warnings, unused code and internal bugs have been
New in 0.12.0; 2010-12-22
* OpenSC uses a single reader driver, specified at compile time.
* New card driver: Italian eID (CNS) by Emanuele Pucciarelli.
* New card driver: Portuguese eID by João Poupino.
* New card driver: westcos by François Leblanc.
* pkcs11-tool can use a slot based on ID, label or index in the slot list.
* PIN flags are updated from supported cards when C_GetTokenInfo is called.
* Support for CardOS 4.4 cards added.
2012-08-06 07:10:28 +00:00
* Feature to exclude readers from OpenSC PKCS#11 via "ignored_readers"
configuration file entry.
* #229: Support semi-automatic fixes to cards personalized with older and
broken OpenSC versions.
* Software keys removed from pkcs15-init and the PKCS#11 module. OpenSC
can either generate keys on card or import plaintext keys to the card, but
will never generate plaintext key material in software by itself.
All traces of a software token (PKCS#15 Section 7) shall be removed.
* Updates to PC/SC driver to build with pcsc-lite >= 1.6.2
* Build script for a binary Mac OS X installer for 10.5 and 10.6 systems.
Binary installer includes OpenSC.tokend for platform integration.
10.6 installer includes engine_pkcs11.
* Modify Rutoken S binary interfaces by Aktiv Co.
* Support GOST R 34.10-2001 and GOST R 34.11-94 by Aktiv Co.
* CardOS driver now emulates sign on rsa keys with sign+decrypt usage
with padding and decrypt(). This is compatible with old cards and
card initialized by Siemens software. Removed "--split-key" option,
as it is no longer needed.
* Improved debugging support: debug level 3 will show everything
except of ASN1 and card matching debugging (usually not needed).
* Massive changes to libopensc. This library is now internal, only
used by and command line tools. Header files are
no longer installed, library should not be used by other applications.
Please use generic PKCS#11 interface instead.
* #include file statements cleaned up: first include "config.h", then
system headers, then additional libraries, then headers in opensc
(but from other directories), then header files from same directory.
Fix path to reference headers, remove src/include/ directory.
* Various source code fixes and improvements.
* OpenSC now depends on xsltproc utility and docbook-xsl to build docs and man
* Remove iconv dependency. EstEID driver now uses the commonName from the
certificate for card label.
* Possibility to change the default behavior for card resets via
2018-09-12 07:44:02 +00:00
New in 0.11.12; 2009-12-18; Andreas Jellinghaus
* Document integer problem in OpenSC and implement workaround
* Improve entersafe profile to support private data objects
New in 0.11.9; 2009-07-29; Andreas Jellinghaus
* New rutoken_ecp driver by Aktiv Co. / Aleksey Samsonov
* Allow more keys/certificates/files etc. with entersafe tokens
* Updates pkcs11.h from scute fixing warnings
* Small fixes in rutoken driver
* Major update for piv driver with increased compatibility
New in 0.11.8; 2009-05-07; Andreas Jellinghaus
* Fix security problem in pkcs11-tool gen_keypair (PublicExponent 1)
* fix compiling without openssl.
* updated and improve entersafe driver. FTCOS/PK-01C cards are supported
2012-08-06 07:10:28 +00:00
now, compatible with cards written by Feitian's software on windows.
New in 0.11.7; 2009-02-26; Andreas Jellinghaus
* hide_empty_slots now on by default? small logic change?
* pinpad supported fixed for Mac OS X.
* ruToken driver was updated.
* openct virtual readers reduced to 2 by default.
* link with iconv on Mac OS X for i18n support.
* Security issue: Fix private data support.
* Enable lock_login by default.
* Disable allow_soft_keygen by default.
New in 0.11.6; 2008-08-27; Andreas Jellinghaus
* Improved security fix: don't match for "OpenSC" in the card label.
* New support for Feitian ePass3000 by Weitao Sun.
2018-09-12 07:44:02 +00:00
* GemSafeV1 improved to handle key_ref other than 3 by Douglas E. Engert
New in 0.11.5; 2008-07-31; Andreas Jellinghaus
* Apply security fix for cardos driver and extend pkcs15-tool to
test cards for the security vulnerability and update them.
2018-09-12 07:44:02 +00:00
* Build system rewritten (NOTICE: configure options was modified).
The build system can produce outputs for *NIX, cygwin and native
windows (using mingw).
* ruToken now supported.
* Allow specifying application name for data objects.
* Basic reader hotplug support.
* PC/SC library is dynamic linked no longer compile time dependency.
* PKCS#11 provider is now installed at LIBDIR/pkcs11
* PKCS#11 - Number of virtual slots moved into configuration.
* PKCS#11 - Fix fork() compliance.
2012-08-06 07:10:28 +00:00
* make sign_with_decrypt hack configurable for Siemens cards.
New in 0.11.4; 2007-09-10; Andreas Jellinghaus
* Drop AC_LIB_LINKFLAGS for libltdl and aclocal/lib* files.
* New configure option to disable building nsplugin.
* Support Siemens CardOS initialized cards (signing with decryption)
* Add Siemens CardOS M4.2B support (experimental, don't have such a card)
* Support for AKIS cards added (partial so far) by Gürer Özen.
* add aclocal/libassuan.m4 back so developers don't need assuan installed.
New in 0.11.3; 2007-07-11; Andreas Jellinghaus
* added regression test for raw rsa (crypt0007).
* regression suite can now use installed binaries with --installed.
* update wiki export script (add images, fix links).
* look for ncurses and termcap in configure (in combination with readline).
* make lots of internal functions and variables static.
* fix 0 vs NULL in many places. fix ansi c style (void).
* avoid variable names used also as glibc function (random etc.).
* new code for deleting objects.
* special hack for firefox.
2012-08-06 07:10:28 +00:00
* support for Athena APCOS cards added.
* piv driver now supports bigger rsa keys too.
New in 0.11.2; 2007-05-04; Andreas Jellinghaus
* enabled pin caching by default (needed by regression suite and other apps).
disable this for highest security (but that breaks some applications).
* use max_send_size 255 / max_recv_size 256 bytes by default.
reduce this for some readers (e.g. scm) with t=0 cards.
* increase pin buffer size to allow longer pin codes.
* Windows Make.rules.mak improved to work with and w/o openssl and zlib
* Added --read-ssk-key option to pkcs15-tool (prints public key in ssh format)
* use pkg-config for finding openct, add --enable/disable-openct option
* use strlcpy function
* use new pkcs11.h from scute with an open source license
* add support for sha2 to pkcs15-crypt
* add piv-tool for managing piv cards
* add muscle driver (still work in progress)
* improved oberthur driver
* add support for pcsc v2 part10 (reader drivers with pinpad support)
* convert source files to utf-8
New in 0.11.1; 2006-05-30; Andreas Jellinghaus
* Fix version variable in win32 build files
* Update for piv pkcs#15 emulation
* Improved TCOS driver for Uni Giesen Card
* Handle size_t printf with "%lu" and (unsigned long) cast
* Add support for d-trust cards / improve micardo 2.1 driver
New in 0.11.0; 2006-05-01; Andreas Jellinghaus
* compile fixes/improvements for windows
* document pkcs15-tool --unblock-pin option
* remove old and outdated documentation
* use "%lu" format for printf of size_t
* add piv driver and tool by Douglas E. Engert
2012-08-06 07:10:28 +00:00
* new threading code in pkcs11 module
* renamed "etoken" driver to "cardos", as it really is a generic
driver for Siemens CardOS M4, including but not limited to Aladdin eTokens.
2012-08-06 07:10:28 +00:00
* add code to manage unused space
* support for swedish nidel cards
New in 0.10.1; 2006-01-08; Andreas Jellinghaus
* use sc_print_path everywhere.
* silence many warnings.
* add incrypto34 driver by ST Incard, Giuseppe Amato
* improved TCOS driver by Peter Koch
* better PINPAD handling
* updated infocamere driver
* updated opensc.conf with new default values
* fix firefox problems (no real fix, only ugly workaround)
* add cardos M4.2 support
New in 0.10.0; 2005-10-31; Andreas Jellinghaus
* released rc2 without changes.
2012-08-06 07:10:28 +00:00
* Add more documentation, fix man page installation.
* New generic ATR/card matching code with
atrmask support, used by all card drivers.
* Much improved and unified ATR handling in
the configuration file.
* Support for the next generation FinEID cards
with ISO/IEC 7816-15 data layout.
* Preliminary code merge with the Belgian
Belpic EID project.
* Experimental multi-slot support for CT-API
and dynamic loading support for win32.
Thanks to Bernhard Froehlich <>
* Experimental Class 2 pinpad reader support
via TeleTrust compatible PC/SC interface.
* Fixed OpenSSL behaviour in the configure
* PKCS#15 emulation layer improvements and
a new driver for the Italian postecert
* New API documentation and generic documentation
structure renovation to base future work on.
Many thanks to Bert Vermeulen <>
* Spanish manual translation from opensc-ceres
project merged.
* Several memory leaks and other bugs fixed.
New in 0.9.6; 2005-04-25; Andreas Jellinghaus:
* undo user_content changes to retain compatibility with 0.9.4.
* add solaris/ files for easier installation on solaris.
* require automake 1.5
* free() fixes in some card drivers.
* fix autoconf configure code.
New in 0.9.5; 2005-01-11; Andreas Jellinghaus:
* Big rewrite of the autoconf code for openssl. This fixes bugs on Mac OS X
and we hope it doesn't break any other system. Feedback is very welcome.
* The flags object attribute changed to a bitfield.
* Many small bugfixes, including memory leaks.
2012-08-06 07:10:28 +00:00
* Changes to the etoken and gpk profiles to eliminate overlapping file ids.
* pinpad code by Martin Paljak
* add user_consent parameter to pkcs15emu add object/add prkey functions.
* estid provide user_consent parameter.
* add fflush to pkcs11-spy.c
* set version in, src/pkcs11/pkcs11-global.c,
win32/version.rc and src/include/winconfig.h
New in 0.9.4; 2004-10-31; Andreas Jellinghaus:
* Library version was broken in 0.9.3.
* Update library version to 1:0:0, as we are no longer
compatible with the 0:*:* line, I fear.
New in 0.9.3; 2004-10-31; Andreas Jellinghaus:
* Fix some LDFLAGS/LDADD issues for parallel build.
New in 0.9.2; 2004-07-24; Andreas Jellinghaus:
* This is an beta test version. Please be careful.
Do not use in production environments.
* Fix sslengine, link those dynamically with libcrypto
for openssl 0.9.7d and later.
* Fixed small bug in pkcs11-tool
* Link pkcs11-tool and pkcs15-crypt with -lcrypto
* New driver for estonian ID card.
* Bumped version number to opensc 0.9.2
* New card supported: Oberthur AuthentIC v5
* Pam_opensc's eid module now checks permissions,
and supports several certificates in
Thanks to Fritz Elfert <>
* Upgrade library version to 0.9, since incompatible changes
are very likely somewhere.
* Merged several pkcs15 profiles into one with different
New in 0.8.1; 2003-09-30; Olaf Kirch:
* Upgrade libopensc versioning, hasn't been
2012-08-06 07:10:28 +00:00
accidentally upgraded since 0.6.0 release
* MacOS X specific changes:
- Allow to compile without PC/SC support
- Bundle installation fixes
- OpenSSL engine linking fixed
- Renamed OpenSC PKCS#11.bundle to
- CT-API module loading support
* libopensc:
- Renamed sysdep_timestamp_t to sc_timestamp_t
- Renamed debug/error functions to sc_debug/sc_error
- Don't DER-en/decode the data in a pkcs15 object
- Portability fixes for the OpenCT reader driver
* libscconf: Fixed CRLF parsing for UNIX platforms
* Added PKCS#11 spy module by Mathias Brossard
* Other minor bug/build fixes and cleanups
New in 0.8.0; 2003-08-15; Juha Yrjölä:
* New and/or improved card drivers:
Aladdin eToken, MICARDO 2 and STARCOS