Towards new release 0.19.0

[Jakuje]

With #1447 and many other features from recent months, it is time to prepare next release.

Below you'll find a draft for an update of the NEWS file. Let me know if I missed something or something can be worded better.

What is not covered in the news, but I would really like to see reviewed and merged is #1435 (RSA-PSS using RAW RSA), which will soon be demanded feature mostly for TSL1.3.

---

General Improvements

• fixed multiple security problems (out of bound writes/reads, Security issues identified by fuzzing #1447):
  • CVE-2018-16391
  • CVE-2018-16392
  • CVE-2018-16393
  • CVE-2018-16418
  • CVE-2018-16419
  • CVE-2018-16420
  • CVE-2018-16421
  • CVE-2018-16422
  • CVE-2018-16423
  • CVE-2018-16424
  • CVE-2018-16425
  • CVE-2018-16426
  • CVE-2018-16427
• Improved documentation:
  • New manual page for opensc.conf(5)
  • Added several missing switches in manual pages and fixed formatting
• Win32 installer:
  • automatically start SCardSvr
  • added newer OpenPGP ATRs
• macOS installer: use HFS+ for backward compatibility
• Remove outdated solaris files
• PC/SC driver:
  • Workaround OMNIKEY 3x21 and 6121 Smart Card Readers wrongly identified as pinpad readers in macOS
• Workaround cards returning short signatures without leading zeroes
• bash completion
  • make location directory configurable
  • Use a new correct path by default
• build: support for libressl-2.7+
• Configuration
  • Distribute minimal opensc.conf
  • pkcs11_enable_InitToken made global configuration option
  • Modify behavior of OPENSC_DRIVER environment variable to restrict driver list instead of forcing one driver and skipping vital parts of configuration
  • Removed configuration options zero_ckaid_for_ca_certs, force_card_driver, reopen_debug_file, paranoid-memory
  • Generalized configuration option ignored_readers
• If card initialization fails, continue card detection with other card drivers (If card initialization fails, return SC_ERROR_INVALID_CARD #1251)
• Fixed long term card operations on Windows 8 and later (opensc-explorer does not verify PIN on Windows 8.1 #1043)
• reader-pcsc: allow fixing the length of a PIN
• fixed multithreading issue on Window with OpenPACE OIDs

PKCS#11

• fixed crash during C_WaitForSlotEvent (Do not temporarily set SC_READER_REMOVED on all readers #1335)

Minidriver

• Allow cancelling the PIN pad prompt before starting the reader transaction. Whether to start the transaction immediately or not is user-configurable for each application

OpenSC tools

• opensc-notify
  • add Exit button to tray icon
  • User better description (GenericName) and a generic application icon
  • Do not display in the application list
• pkcs15-tool
  • added support for reading ECDSA ssh keys
• p11test
  • Filter certificates other than CKC_X_509
• opengpg-tool
  • allow calling -d multiple times
  • clarify usage text

sc-hsm

• Implement RSA PSS
• Add support for SmartCard-HSM 4K (V3.0)

CAC

• Remove support for CAC1 cards
• Ignore unknown tags in properties buffer
• Use GET PROPERTIES to recognize buffer formats
• Unbreak encoding last tag-len-value in the data objects
• Support HID Alt tokens without CCC
  • They present certificates in OIDs of first AID and use other undocumented applets
  • Inspect the tokens through the ACA applet and GET ACR APDU

Coolkey

• Unbreak Get Challenge functionality
• Make uninitialized cards working as expected with ESC

OpenPGP

• add serial number to card name
• include detailed version into card name
• define & set LCS (lifecycle support) as extended capability
• extend manufacturer list in pkcs15-openpgp.c
• correctly parse hist_bytes
• Make deciphering with AUT-key possible for OpenPGP Card >v3.2 (fixes OpenPGP Card 3.3: using slot 3 for email encryption #1352)
• Add supported algorithms for OpenPGP Card (Fixes pkcs15-init: key generation and import for OpenPGP Card with different algorithms #1432)

Starcos

• added support for 2nd generation eGK (eGK G2 egk-tool read error #1451)

CardOS

• create PIN in MF (pkcs15init)

German ID card

• fixed identifying unknown card as German ID card (Recent change in NPA driver wrongly matches Portuguese eID Card #1360)

PIV

• Context Specific Login Using Pin Pad Reader Fix
• Better Handling of Reset using Discovery Object

---

The list of changes and commits since last release so far:
0.18.0...master

[frankmorgner]

Thanks for the great starter 👍

I'd like to leave out some technical details and be more specific about the change in the minidriver. If you agree, I'll directly edit the problem description, OK?

[frankmorgner]

FYI, @OpenSC/core @OpenSC/maintainers

I'll test #1447 next week, but I think #1435 should wait until next release.

[Jakuje]

Sure. This was mostly copy paste from commit messages that I considered important, but I don't quite much anything know about the minidriver so feel free to use better wording by directly editing the issue.

[frankmorgner]

I've updated the description. @Jakuje , could you review the CAC/Coolkey description from a user perspective (NEWS will contain only user visible changes).

[Jakuje]

I fixed a typo and removed the reference to security issues as not covered. CAC/Coolkey sections look good to me.

[alonbl]

Hi,

I experience the following:

make[3]: Entering directory '/var/tmp/portage/dev-libs/opensc-0.19.0/work/opensc-0.19.0/doc/files'
sed -e 's|@pkgdatadir[@]|/usr/share/opensc|g' < pkcs15-profile.5.xml \
| xsltproc --nonet --path "./..:/usr/share/sgml/docbook/xsl-stylesheets/manpages" --xinclude -o pkcs15-profile.5 man.xsl pkcs15-profile.5.xml
Warn: meta author : no refentry/info/author                        pkcs15-profile
Note: meta author : see http:https://docbook.sf.net/el/author            pkcs15-profile
Warn: meta author : no author data, so inserted a fixme            pkcs15-profile
Note: Writing pkcs15-profile.5
sed \
        -e 's|@sysconfdir[@]|/etc|g' \
        -e 's|@docdir[@]|/usr/share/doc/opensc-0.19.0|g' \
        -e 's|@libdir[@]|/usr/lib64|g' \
        -e 's|@DYN_LIB_EXT[@]|.so|g' \
        -e 's|@DEFAULT_PCSC_PROVIDER[@]|libpcsclite.so.1|g' \
        -e 's|@PROFILE_DIR_DEFAULT[@]|/usr/share/opensc|g' \
        -e 's|@DEFAULT_SM_MODULE[@]||g' \
        < opensc.conf.5.xml.in > opensc.conf.5.xml
xsltproc --nonet --path "./..:/usr/share/sgml/docbook/xsl-stylesheets/manpages" --xinclude -o opensc.conf.5 man.xsl opensc.conf.5.xml
Warn: meta author : no refentry/info/author                        opensc.conf
Note: meta author : see http:https://docbook.sf.net/el/author            opensc.conf
Warn: meta author : no author data, so inserted a fixme            opensc.conf
Note: Writing opensc.conf.5
make[3]: *** No rule to make target 'files.xml', needed by 'files.html'.  Stop.
make[3]: Leaving directory '/var/tmp/portage/dev-libs/opensc-0.19.0/work/opensc-0.19.0/doc/files'
make[2]: *** [Makefile:441: all-recursive] Error 1
make[2]: Leaving directory '/var/tmp/portage/dev-libs/opensc-0.19.0/work/opensc-0.19.0/doc'
make[1]: *** [Makefile:562: all-recursive] Error 1

Configure:

./configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --disable-dependency-tracking --disable-silent-rules --docdir=/usr/share/doc/opensc-0.19.0 --htmldir=/usr/share/doc/opensc-0.19.0/html --libdir=/usr/lib64 --docdir=/usr/share/doc/opensc-0.19.0 --htmldir=$(docdir)/html --disable-static --disable-openpace --enable-doc --disable-openct --enable-readline --enable-zlib --disable-sm --enable-openssl --enable-pcsc --disable-openct --disable-ctapi

Regards,
Alon

[frankmorgner]

@alonbl should be fixed with 62a2847

[alonbl]

I do not see this is fixed. ``` Making all in files make[3]: Entering directory '/var/tmp/portage/dev-libs/opensc-0.19.0/work/opensc-0.19.0/doc/files' sed -e 's|@pkgdatadir[@]|/usr/share/opensc|g' < pkcs15-profile.5.xml \ | xsltproc --nonet --path "./..:/usr/share/sgml/docbook/xsl-stylesheets/manpages" --xinclude -o pkcs15-profile.5 man.xsl pkcs15-profile.5.xml Warn: meta author : no refentry/info/author pkcs15-profile Note: meta author : see http:https://docbook.sf.net/el/author pkcs15-profile Warn: meta author : no author data, so inserted a fixme pkcs15-profile Note: Writing pkcs15-profile.5 sed \ -e 's|@sysconfdir[@]|/etc|g' \ -e 's|@DocDir[@]|/usr/share/doc/opensc-0.19.0|g' \ -e 's|@libdir[@]|/usr/lib64|g' \ -e 's|@DYN_LIB_EXT[@]|.so|g' \ -e 's|@DEFAULT_PCSC_PROVIDER[@]|libpcsclite.so.1|g' \ -e 's|@PROFILE_DIR_DEFAULT[@]|/usr/share/opensc|g' \ -e 's|@DEFAULT_SM_MODULE[@]||g' \ < opensc.conf.5.xml.in > opensc.conf.5.xml xsltproc --nonet --path "./..:/usr/share/sgml/docbook/xsl-stylesheets/manpages" --xinclude -o opensc.conf.5 man.xsl opensc.conf.5.xml Warn: meta author : no refentry/info/author opensc.conf Note: meta author : see http:https://docbook.sf.net/el/author opensc.conf Warn: meta author : no author data, so inserted a fixme opensc.conf Note: Writing opensc.conf.5 make[3]: *** No rule to make target 'files.xml', needed by 'all-am'. Stop. ``` Please also check the libressl compatibility before release.

[frankmorgner]

I don't see this problem in CI nor on my machine... How are you building the package? Were you using https://github.com/OpenSC/Nightly/blob/2018-09-04_62a28473/opensc-0.19.0.tar.gz?raw=true?

Could you check on libressl?

[alonbl]

On Wed, Sep 5, 2018 at 9:27 AM Frank Morgner ***@***.***> wrote: I don't see this problem in CI nor on my machine... How are you building the package? Were you using https://github.com/OpenSC/Nightly/blob/2018-09-04_62a28473/opensc-0.19.0.tar.gz?raw=true?

yes + the patch. do you check also parallel build? although I get this with non parallel.

Could you check on libressl?

I have a very limited time to be qa. The CI should also check libressl.

[frankmorgner]

Please tell me how to reproduce this...

[alonbl]

As I wrote it is reproduced every time for me with a simple build I pasted the configure statement. Please try make -j5 and see if you can reproduce if it is related to parallel build, otherwise, I will have time on weekend to look into this and fix it.

[frankmorgner]

please check as fast as possible, because there are a number of security fixes with this release.

[dengert]

In response to #1448 (comment) I can get the same error when building separate source and build directories:

sed ...
	< ../../../src/doc/files/opensc.conf.5.xml.in > opensc.conf.5.xml
xsltproc --nonet --path "../../../src/doc/files/..:/usr/share/xml/docbook/stylesheet/nwalsh/manpages" --xinclude -o opensc.conf.5 man.xsl opensc.conf.5.xml
Warn: meta author : no refentry/info/author                        opensc.conf
Note: meta author : see http:https://docbook.sf.net/el/author            opensc.conf
Warn: meta author : no author data, so inserted a fixme            opensc.conf
Note: Writing opensc.conf.5
xsltproc --nonet --path "../../../src/doc/files/..:/usr/share/xml/docbook/stylesheet/nwalsh/html" --xinclude -o files.html html.xsl ../../../src/doc/files/files.xml
warning: failed to load external entity "../../../src/doc/files/opensc.conf.5.xml"
../../../src/doc/files/files.xml:8: element include: XInclude error : could not load ../../../src/doc/files/opensc.conf.5.xml, and no fallback was found
Makefile:639: recipe for target 'files.html' failed

But only if I specified --enable-doc It appears --disable-doc is the default.

The problem appears to be the above line is looking for ../../../src/doc/files/opensc.conf.5.xml but the
file is in the build directory.

Adding "./" to the path fixes it. Need to do a ./bootstrap.

diff --git a/doc/files/Makefile.am b/doc/files/Makefile.am
index d12091c..3960d9e 100644
--- a/doc/files/Makefile.am
+++ b/doc/files/Makefile.am
@@ -22,7 +22,7 @@ opensc.conf.5.xml opensc.conf.5: $(srcdir)/opensc.conf.5.xml.in
        $(XSLTPROC) --nonet --path "$(srcdir)/..:$(xslstylesheetsdir)/manpages" --xinclude -o $@ man.xsl opensc.conf.5.xml
 
 files.html: $(srcdir)/files.xml $(wildcard $(srcdir)/*.5.xml) opensc.conf.5.xml
-       $(XSLTPROC) --nonet --path "$(srcdir)/..:$(xslstylesheetsdir)/html" --xinclude -o $@ html.xsl $<
+       $(XSLTPROC) --nonet --path "./:$(srcdir)/..:$(xslstylesheetsdir)/html" --xinclude -o $@ html.xsl $<
 
 %.5: $(srcdir)/%.5.xml
        sed -e 's|@pkgdatadir[@]|$(pkgdatadir)|g' < $< \

Note: Writing opensc.conf.5
xsltproc --nonet --path "./:../../../src/doc/files/..:/usr/share/xml/docbook/stylesheet/nwalsh/html" --xinclude -o files.html html.xsl ../../../src/doc/files/files.xml
make[3]: Leaving directory '/afs/anl.gov/appl/OpenSC-dev/build/opensc-git-my/amd64_linux26-1.1/doc/files'

[frankmorgner]

Thanks, Doug! Building in a separate folder was the missing hint. It's fixed now.

[frankmorgner]

updated the description

[alonbl]

master build success. thanks!

[metsma]

Please merge this to 0.19.0 #1477

[Jakuje]

I updated the test results with my cards:

https://github.com/OpenSC/OpenSC/wiki/Smart-Card-Release-Testing

All of them work well. The only issues I noticed were the following:

• Muscle driver loaded before coolkey "steals" the detection. We already talked about this issue before and I was hoping the muscle driver will move on to the "old" and disabled drivers. Or is there a way to move coolkey up or muscle down in the list?
• The example line in default opensc.conf has missing semicolon (opensc.conf: Make the example syntax correct #1478)

[frankmorgner]

Unfortunately the muscle driver still seems to be used often... We've moved the MUSCLE driver up the detection list, because this applet always return 9000, no matter what AID was used for selection. This would make the muscle applet be detected as any other applet based card (58b6cc0).

I wonder why the muscle driver matches for a coolkey card. Did I miss some discussion?

[Jakuje]

It is most probably because coolkey is based on muscle applet so it behaves similarly in this way.
I hit this issue last time in #1377, where the coolkey applet was detected in CAC driver and after skipping that one, we ended up in sc-hsm or muscle. I am not sure if I was not debugging or reporting this issue earlier, but our QE hit this from time to time.

[frankmorgner]

I would have nothing against detecting coolkey first, but if the applet has the same bug, this means that muscle card will be mistakenly identified as coolkey cards. Unfortunately, this is only treating the symptoms; a real fix should be applied in the applets' implementations. Is there some maintainer of the coolkey applet who can help?

[Jakuje]

@dengert tried to analyze this in #1377 (comment) but there was no outcome since none of us is Java Card expert. Notably, this issue does not express when the card is plugged in the reader and only after that the card is accessed by the OpenSC. The issue happens only soon after hot-plug (wait for slot event and then start detection) or after reset (fast disconnect and connect from p11tests), which makes me think that it is problem of the platform itself, rather than problem of either of applets,

I can try to bring this to Bob, who might have some idea but even if we would fix it in the applet, there are many enrolled cards in the wild so we should really modify the card detection to request some content and not only the 90 00 from the card select.

Anyway, this is not a regression, since this was behaving the same also in previous releases. Is there still anything that needs to be done before release or when we can expect one, when the CVEs are already assigned?

[frankmorgner]

OK, done

[Jakuje]

Please, lets have also the home page of the wiki updated with the new release links and information. I can do it tomorrow, if nobody else will pick it up.

[frankmorgner]

done

[alonbl]

hi,
In future, if a file is missing in distribution, in this case p11test_common.h, please release z-stream for traball.
thanks!