OpenSC 0.25.1

New in 0.25.1; 2024-04-05

General improvements

• Add missing file to dist tarball to build documentation (#3063)

minidriver

• Fix RSA decryption with PKCS#1 v1.5 padding (#3077)
• Fix crash when app is not set (#3084)

OpenSC 0.25.0

New in 0.25.0; 2024-03-06

Security

• CVE-2023-5992: Side-channel leaks while stripping encryption PKCS#1.5 padding in OpenSC (#2948)
• CVE-2024-1454: Potential use-after-free in AuthentIC driver during card enrollment in pkcs15init (#2962)

General improvements

• Update OpenSSL 1.1.1 to 3.0 in MacOS build (#2930)
• Remove support for old card drivers Akis, GPK, Incrypto34 and Westcos, disable Cyberflex driver (#2885)
• Fix 64b to 32b conversions (#2993)
• Improvements for the p11test (#2991)
• Fix reader initialization without SCardControl (#3007)
• Make RSA PKCS#1 v1.5 depadding constant-time (#2948)
• Add option for disabling PKCS#1 v1.5 depadding (type 01 and 02) on the card (#2975)
• Enable MSI signing via Signpath CI integration for Windows (#2799)
• Fixed various issues reported by OSS-Fuzz and Coverity in drivers, PKCS#11 and PKCS#15 layer

minidriver

• Fix wrong hash selection (#2932)

pkcs11-tool

• Simplify printing EC keys parameters (#2960)
• Add option to import GENERIC key (#2955)
• Add support for importing Ed25518/448 keys (#2985)

drust-tool

• Add tool for D-Trust cards (#3026, #3051)

IDPrime

• Support uncompressed certificates on IDPrime 940 (#2958)
• Enhance IDPrime logging (#3003)
• Add SafeNet 5110+ FIPS token support (#3048)

D-Trust Signature Cards

• Add support for RSA D-Trust Signature Card 4.1 and 4.4 (#2943)

EstEID

• Remove expired EstEID 3.* card support (#2950)

ePass2003

• Allow SW implementation with more SHA2 hashes and ECDSA (#3012)
• Fix EC key generation (#3045)

SmartCard-HSM

• Fix SELECT APDU command (#2978)

MyEID

• Update for PKCS#15 profile (#2965)

Rutoken

• Support for RSA 4096 key algorithm (#3011)

OpenPGP

• Fix decryption requiting Manage Security Environment for authentication key (#3042)

OpenSC 0.25.0-rc1

New in 0.25.0; 2024-02-XX

Security

• CVE-2023-5992: Side-channel leaks while stripping encryption PKCS#1.5 padding in OpenSC (#2948)
• CVE-2024-1454: Potential use-after-free in AuthentIC driver during card enrollment in pkcs15init (#2962)

General improvements

• Update OpenSSL 1.1.1 to 3.0 in MacOS build (#2930)
• Remove support for old card drivers Akis, GPK, Incrypto34 and Westcos, disable Cyberflex driver (#2885)
• Fix 64b to 32b conversions (#2993)
• Improvements for the p11test (#2991)
• Fix reader initialization without SCardControl (#3007)
• Make RSA PKCS#1 v1.5 depadding constant-time (#2948)
• Add option for disabling PKCS#1 v1.5 depadding (type 01 and 02) on the card (#2975)
• Enable MSI signing via Signpath CI integration for Windows (#2799)
• Fixed various issues reported by OSS-Fuzz and Coverity in drivers, PKCS#11 and PKCS#15 layer

minidriver

• Fix wrong hash selection (#2932)

pkcs11-tool

• Simplify printing EC keys parameters (#2960)
• Add option to import GENERIC key (#2955)
• Add support for importing Ed25518/448 keys (#2985)

IDPrime

• Support uncompressed certificates on IDPrime 940 (#2958)
• Enhance IDPrime logging (#3003)

D-Trust Signature Cards

• Add support for RSA D-Trust Signature Card 4.1 and 4.4 (#2943)

EstEID

• Remove expired EstEID 3.* card support (#2950)

ePass2003

• Allow SW implementation with more SHA2 hashes and ECDSA (#3012)

SmartCard-HSM

• Fix SELECT APDU command (#2978)

MyEID

• Update for PKCS#15 profile (#2965)

Rutoken

• Support for RSA 4096 key algorithm (#3011)

OpenSC 0.24.0

New in 0.24.0; 2023-12-13

Security

• CVE-2023-40660: Fix Potential PIN bypass (#2806, frankmorgner/OpenSCToken#50, #2807)
• CVE-2023-40661: Important dynamic analyzers reports
• CVE-2023-4535: Out-of-bounds read in MyEID driver handling encryption using symmetric keys (f1993dc)

General improvements

• Fix compatibility of EAC with OpenSSL 3.0 (#2674)
• Enable use_file_cache by default (#2501)
• Use custom libctx with OpenSSL >= 3.0 (#2712, #2715)
• Fix record-based files (#2604)
• Fix several race conditions (#2735)
• Run tests under Valgrind (#2756)
• Test signing of data bigger than 512 bytes (#2789)
• Update to OpenPACE 1.1.3 (#2796)
• Implement logout for some of the card drivers (#2807)
• Fix wrong popup position of opensc-notify (#2901)
• Fixed various issues reported by OSS-Fuzz and Coverity regarding card drivers, PKCS#11 and PKCS#15 init

PKCS#11

• Check card presence state in C_GetSessionInfo (#2740)
• Remove onepin-opensc-pkcs11 module (#2681)
• Do not use colons in the token info label (#2760)
• Present profile objects in all slots with the CKA_TOKEN attribute to resolve issues with NSS (#2928, #2924)
• Use secure memory for PUK (#2906)
• Don't logout to preserve concurrent access from different processes (#2907)
• Add more examples to manual page (#2936)
• Present profile objects in all virtual slots (#2928)
• Provide CKA_TOKEN attribute for profile objects (#2924)
• Improve --slot parameter documentation (#2951)

PKCS#15

• Honor cache offsets when writing file cache (#2858)
• Prevent needless amount of PIN prompts from pkcs15init layer (#2916)
• Propagate CKA_EXTRACTABLE and SC_PKCS15_PRKEY_ACCESS_SENSITIVE from and back to PKCS#11 (#2936)

Minidriver

• Fix for private keys that do not need a PIN (#2722)
• Unbreak decipher when the first null byte of PKCS#1.5 padding is missing (#2939)

pkcs11-tool

• Fix RSA key import with OpenSSL 3.0 (#2656)
• Add support for attribute filtering when listing objects (#2687)
• Add support for --private flag when writing certificates (#2768)
• Add support for non-AEAD ciphers to the test mode (#2780)
• Show CKA_SIGN attribute for secret keys (#2862)
• Do not attempt to read CKA_ALWAYS_AUTHENTICATE on secret keys (#2864, #2913)
• Show Sign/VerifyRecover attributes (#2888)
• Add option to import generic keys (#2955)

westcos-tool

• Generate 2k RSA keys by default (b53fc5c)

pkcs11-register

• Disable autostart on Linux by default (#2680)

IDPrime

• Add support for IDPrime MD 830, 930 and 940 (#2666)
• Add support for SafeNet eToken 5110 token (#2812)
• Process index even without keyrefmap and use correct label for second PIN (#2878)
• Add support for Gemalto IDPrime 940C (#2941)

EPass2003

• Change of PIN requires verification of the PIN (#2759)
• Fix incorrect CMAC computation for subkeys (#2759, issue #2734)
• Use true random number for mutual authentication for SM (#2766)
• Add verification of data coming from the token in the secure messaging mode (#2772)
• Avoid success when using unsupported digest and fix data length for RAW ECDSA signatures (#2845)

OpenPGP

• Fix select data command (#2753, issue #2752)
• Unbreak ed/curve25519 support (#2892)

eOI

• Add support for Slovenian eID card (eOI) (#2646)

Italian CNS

• Add support for IDEMIA (Oberthur) tokens (#2483)

PIV

• Add support for Swissbit iShield FIDO2 Authenticator (#2671)
• Implement PIV secure messaging (#2053)

SkeID

• Add support for Slovak eID cards (#2672)

isoApplet

• Support ECDSA with off-card hashing (#2642)

MyEID

• Fix WRAP operation when using T0 (#2695)
• Identify changes on the card and enable use_file_cache (#2798)
• Workaround for unwrapping using 2K RSA key (#2921)

SC-HSM

• Add support for opensc-tool --serial (#2675)
• Fix unwrapping of 4096 keys with handling reader limits (#2682)
• Indicate supported hashes and MGF1s (#2827)

0.24.0-rc2

For release notes, see #2873 and #2792 and NEWS file:

https://github.com/OpenSC/OpenSC/blob/master/NEWS

0.24.0-rc1

For release notes, see #2873 and #2792.

OpenSC 0.23.0

New in 0.23.0; 2022-11-29

General improvements

• Support signing of data with a length of more than 512 bytes (#2314)
• By default, disable support for old card drivers (#2391) and remove support for old drivers MioCOS and JCOP (#2374)
• Bump minimal required OpenSSL version to 1.1.1 and add support for OpenSSL 3.0 (#2438, #2506)
• Compatibility with LibreSSL (#2495, #2595)
• Remove support for DSA (#2503)
• Extend p11test to support symmetric keys (#2430)
• Notice detached reader on macOS (#2418)
• Support for OAEP padding (#2475, #2484)
• Fix for PSS salt length (#2478)
• Improve fuzzing by adding new tests (#2417, #2500, #2520, #2550, #2637)
• Fixed various issues reported by OSS-Fuzz and Coverity regarding card drivers, PKCS#11 and PKCS#15 init
• Fix issues with OpenPACE (#2472)
• Containers support for local testing
• Add support for encryption and decryption using symmetric keys (#2473, #2607)
• Stop building support for Gost algorithms with OpenSSL 3.0 as they require deprecated API (#2586)
• Fix detection of disconnected readers in PCSC (#2600)
• Add configuration option for on-disk caching of private data (#2588)
• Skip building empty binaries when dependencies are missing and remove needless linking (#2617)
• Define arm64 as a supported architecture in the Installer package (#2610)

PKCS#11

• Implement C_CreateObject for EC keys and fix signature verification for CKM_ECDSA_SHAx cards (#2420)

pkcs11-tool

• Add more elliptic curves (#2301)
• Add support for symmetric encrypt and decrypt, wrap and unwrap operations, and initialization vector (#2268)
• Fix consistent handling of secret key attributes (#2497)
• Add support for signing and verifying with HMAC (#2385)
• Add support for SHA3 (#2467)
• Make object selectable via label (#2570)
• Do not require an R/W session for some operations and add --session-rw option (#2579)
• Print more information: CKA_UNIQUE_ID attribute, SHA3 HMACs and serial number for certificates (#2644, #2643, #2641)
• Add new option --undestroyable to create keys with CKA_DESTROYABLE=FALSE (#2645)

sc-hsm-tool

• Add options for public key authentication (#2301)

Minidriver

• Fix reinit of the card (#2525)
• Add an entry for Italian CNS (e) (#2548)
• Fix detection of ECC mechanisms (#2523)
• Fix ATRs before adding them to the windows registry (#2628)

NQ-Applet

• Add support for the JCOP4 Cards with NQ-Applet (#2425)

ItaCNS

• Add support for ItaCMS v1.1 (key length 2048) (#2371)

Belpic

• Add support for applet v1.8 (#2455)

Starcos

• Add ATR for V3.4 (#2464)
• Add PKCS#15 emulator for 3.x cards with eSign app (#2544)

ePass2003

• Fix PKCS#15 initialization (#2403)
• Add support for FIPS (#2543)
• Fix matching with newer versions and tokens initialized with OpenSC (#2575)

MyEID

• Support logout operation (#2557)
• Support for symmetric encryption and decryption (#2473, #2607)

GIDS

• Fix decipher for TPM (#1881)

OpenPGP

• Get the list of supported algorithms from algorithm information on the card (#2287)
• Support for 3 certificates with OpenPGP 3+ (#2103)

nPA

• Fix card detection (#2463)

Rutoken

• Fix formatting rtecp cards (#2599)

PIV

• Add new PIVKey ATRs for current cards (#2602)

0.23.0-rc2

New in 0.23.0; 2022-11-09

General improvements

• Support signing of data with a length of more than 512 bytes (#2314)
• By default, disable support for old card drivers (#2391) and remove support for old drivers MioCOS and JCOP (#2374)
• Bump minimal required OpenSSL version to 1.1.1 and add support for OpenSSL 3.0 (#2438, #2506)
• Compatibility with LibreSSL (#2495, #2595)
• Remove support for DSA (#2503)
• Extend p11test to support symmetric keys (#2430)
• Notice detached reader on macOS (#2418)
• Support for OAEP padding (#2475, #2484)
• Fix for PSS salt length (#2478)
• Improve fuzzing by adding new tests (#2417, #2500, #2520, #2550)
• Fixed various issues reported by OSS-Fuzz and Coverity regarding card drivers, PKCS#11 and PKCS#15 init
• Fix issues with OpenPACE (#2472)
• Containers support for local testing
• Add support for encryption using symmetric keys (#2473)
• Stop building support for Gost algorithms with OpenSSL 3.0 as they require deprecated API (#2586)
• Fix detection of disconnected readers in PCSC (#2600)
• Add configuration option for on-disk caching of private data (#2588)
• Skip building empty binaries when dependencies are missing and remove needless linking (#2617)
• Define arm64 as a supported architecture in the Installer package (#2610)

PKCS#11

• Implement C_CreateObject for EC keys and fix signature verification for CKM_ECDSA_SHAx cards (#2420)

pkcs11-tool

• Add more elliptic curves (#2301)
• Add support for symmetric encrypt and decrypt, wrap and unwrap operations, and initialization vector (#2268)
• Fix consistent handling of secret key attributes (#2497)
• Add support for signing and verifying with HMAC (#2385)
• Add support for SHA3 (#2467)
• Make object selectable via label (#2570)
• Do not require an R/W session for some operations and add --session-rw option (#2579)

sc-hsm-tool

• Add options for public key authentication (#2301)

Minidriver

• Fix reinit of the card (#2525)
• Add an entry for Italian CNS (e) (#2548)
• Fix detection of ECC mechanisms (#2523)
• Fix ATRs before adding them to the windows registry (#2628)

NQ-Applet

• Add support for the JCOP4 Cards with NQ-Applet (#2425)

ItaCNS

• Add support for ItaCMS v1.1 (key length 2048) (#2371)

Belpic

• Add support for applet v1.8 (#2455)

Starcos

• Add ATR for V3.4 (#2464)
• Add PKCS#15 emulator for 3.x cards with eSign app (#2544)

ePass2003

• Fix PKCS#15 initialization (#2403)
• Add support for FIPS (#2543)
• Fix matching with newer versions and tokens initialized with OpenSC (#2575)

MyEID

• Support logout operation (#2557)

GIDS

• Fix decipher for TPM (#1881)

OpenPGP

• Get the list of supported algorithms from algorithm information on the card (#2287)

nPA

• Fix card detection (#2463)

Rutoken

• Fix formatting rtecp cards (#2599)

PIV

• Add new PIVKey ATRs for current cards (#2602)

0.23.0-rc1

New in 0.23.0; 2022-10-11

General improvements

• Support signing of data with a length of more than 512 bytes (#2314)
• By default, disable support for old card drivers (#2391) and remove support for old drivers MioCOS and JCOP (#2374)
• Bump minimal required OpenSSL version to 1.1.1 and add support for OpenSSL 3.0 (#2438, #2506)
• Compatibility with LibreSSL (#2495, #2595)
• Remove support for DSA (#2503)
• Extend p11test to support symmetric keys (#2430)
• Notice detached reader on macOS (#2418)
• Support for OAEP padding (#2475, #2484)
• Fix for PSS salt length (#2478)
• Improve fuzzing by adding new tests (#2417, #2500, #2520, #2550)
• Fixed various issues reported by OSS-Fuzz and Coverity regarding card drivers, PKCS#11 and PKCS#15 init
• Fix issues with OpenPACE (#2472)
• Containers support for local testing
• Add support for encryption using symmetric keys (#2473)
• Stop building support for Gost algorithms with OpenSSL 3.0 as they require deprecated API (#2586)
• Fix detection of disconnected readers in PCSC (#2600)
• Add configuration option for on-disk caching of private data (#2588)

PKCS#11

• Implement C_CreateObject for EC keys and fix signature verification for CKM_ECDSA_SHAx cards (#2420)

pkcs11-tool

• Add more elliptic curves (#2301)
• Add support for symmetric encrypt and decrypt, wrap and unwrap operations, and initialization vector (#2268)
• Fix consistent handling of secret key attributes (#2497)
• Add support for signing and verifying with HMAC (#2385)
• Add support for SHA3 (#2467)
• Make object selectable via label (#2570)
• Do not require an R/W session for some operations and add --session-rw option (#2579)

sc-hsm-tool

• Add options for public key authentication (#2301)

Minidriver

• Fix reinit of the card (#2525)
• Add an entry for Italian CNS (e) (#2548)
• Fix detection of ECC mechanisms (#2523)

NQ-Applet

• Add support for the JCOP4 Cards with NQ-Applet (#2425)

ItaCNS

• Add support for ItaCMS v1.1 (key length 2048) (#2371)

Belpic

• Add support for applet v1.8 (#2455)

Starcos

• Add ATR for V3.4 (#2464)
• Add PKCS#15 emulator for 3.x cards with eSign app (#2544)

ePass2003

• Fix PKCS#15 initialization (#2403)
• Add support for FIPS (#2543)
• Fix matching with newer versions and tokens initialized with OpenSC (#2575)

MyEID

• Support logout operation (#2557)

GIDS

• Fix decipher for TPM (#1881)

OpenPGP

• Get the list of supported algorithms from algorithm information on the card (#2287)

nPA

• Fix card detection (#2463)

Rutoken

• Fix formatting rtecp cards (#2599)

PIV

• Add new PIVKey ATRs for current cards (#2602)

OpenSC-0.22.0

General improvements

• Use standard paths for file cache on Linux (#2148) and OSX (#2214)
• Various issues of memory/buffer handling in legacy drivers mostly reported by oss-fuzz and coverity (tcos, oberthur, isoapplet, iasecc, westcos, gpk, flex, dnie, mcrd, authentic, belpic)
• Add threading test to pkcs11-tool (#2067)
• Add support to generate generic secret keys (#2140)
• opensc-explorer: Print information about LCS (Life cycle status byte) (#2195)
• Add support for Apple's arm64 (M1) binaries, removed TokenD. A seperate installer with TokenD (and without arm64 binaries) will be available (#2179).
• Support for gcc11 and its new strict aliasing rules (#2241, #2260)
• Initial support for building with OpenSSL 3.0 (#2343)
• pkcs15-tool: Write data objects in binary mode (#2324)
• Avoid limited size of log messages (#2352)

PKCS#11

• Support for ECDSA verification (#2211)
• Support for ECDSA with different SHA hashes (#2190)
• Prevent issues in p11-kit by not returning unexpected return codes (#2207)
• Add support for PKCS#11 3.0: The new interfaces, profile objects and functions (#2096, #2293)
• Standardize the version 2 on 2.20 in the code (#2096)
• Fix CKA_MODIFIABLE and CKA_EXTRACTABLE (#2176)
• Copy arguments of C_Initialize (#2350)

Minidriver

• Fix RSA-PSS signing (#2234)

OpenPGP

• Fix DO deletion (#2215)
• Add support for (X)EdDSA keys (#1960)

IDPrime

• Add support for applet version 3 and fix RSA-PSS mechanisms (#2205)
• Add support for applet version 4 (#2332)

MyEID

• New configuration option for opensc.conf to disable pkcs1_padding (#2193)
• Add support for ECDSA with different hashes (#2190)
• Enable more mechanisms (#2178)
• Fixed asking for a user pin when formatting a card (#1737)

IAS/ECC

• Added support for French CPx Healthcare cards (#2217)

CardOS

• Added ATR for new CardOS 5.4 version (#2296)