Towards new release 0.20.0

[frankmorgner]

There are no critical issues left and the new functionality has been integrated. I think it's time to prepare and publish the next major release, @OpenSC/core, @OpenSC/maintainers.

This release renames the configuration option md_read_only to read_only. In openpgp-tool the options -L/ --key-length have been replaced with -t/--key-type. Please review your opensc.conf` and your shell scripts. Release candidate is available on Github.

The general functionality has been verified to some extent in the CI environment, where we're using simulations of PIV, OpenPGP, GIDS, IsoApplet, MyEID and CAC for testing. Refer to the wiki page on how to systematically test your card. OpenSC is now part of the OSS-Fuzz family, which has already led to the fix of some security issues (see below).

Here is the complete list of changes, that would also appear in the release notes and NEWS file (please let me know if I'm missing something):

---

General Improvements

• fixed security problems
  • CVE-2019-6502 (Memory leak #1586)
  • CVE-2019-15946 (a3fc769)
  • CVE-2019-15945 (412a614)
  • CVE-2019-19480 (6ce6152)
  • CVE-2019-19481 (b75c002)
  • CVE-2019-19479 (c3f23b8)
• Support RSA-PSS signature mechanisms using RSA-RAW (Support RSA-PSS signature mechanisms using RSA-RAW #1435)
• Added memory locking for secrets (Added memory locking for secrets #1491)
• added support for terminal colors (added support for colors #1534)
• PC/SC driver: Fixed error handling in case of changing (Update reader-pcsc.c #1537) or removing the card reader (Handle reader going missing #1615)
• macOS installer
  • Add installer option to deselect tokend (Add installer option to deselect tokend #1607)
  • Make OpenSCToken available on 10.12+ and the default on 10.15+ (2017626)
• Configuration
  • rename md_read_only to read_only and use it for PKCS#11 and Minidriver (Implement write protection in PKCS#11 #1467)
  • allow global use of ignore_private_certificate (opensc.conf: allow global use of ignore_private_certificate #1623)
• Build Environment
  • Bump openssl requirement to 0.9.8 (#Bump openssl requirements to 0.9.8 #1459)
  • Added support for fuzzing with AFL (Add a Minimal Fuzzing test #1580) and libFuzzer/OSS-Fuzz (Added fuzzing with libFuzzer #1697)
  • Added CI tests for simulating GIDS, OpenPGP, PIV, IsoApplet (Simulate and test Open Source Java Card Applets #1568) and MyEID (Unbreak derive for sc-hsm and myeid cards #1677) and CAC (Implement OpenSC CI without HW cards #1757)
  • Integrate clang-tidy with make check ( CI: integrate clang-tidy #1673)
  • Added support for reproducible builds (Generate consistent docbook id's #1839)

PKCS#11

• Implement write protection (CKF_WRITE_PROTECTED) based on the card profile (Implement write protection in PKCS#11 #1467)
• Added C_WrapKey and C_UnwrapKey implementations (C_WrapKey and C_UnwrapKey implementations #1393)
• Handle CKA_ALWAYS_AUTHENTICATE when creating key objects. (Implemented handling of CKA_ALWAYS_AUTHENTICATE when creating key objects. #1539)
• Truncate long PKCS#11 labels with ... (Handle long PKCS#11 labels #1629)
• Fixed recognition of a token when being unplugged and reinserted (Yubikey reinsertion #1875)

Minidriver

• Register for CardOS5 cards (md: added missing cardos5 ATRs #1750)
• Add support for RSA-PSS (263b945)

OpenSC tools

• Harmonize the use of option -r/--reader (tools: harmonize card initialization #1548)

• goid-tool: GoID personalization with fingerprint

• openpgp-tool

  • replace the options -L/ --key-length with -t/--key-type (openpgp-tool extensions #1508)
  • added options -C/--card-info and -K/--key-info (openpgp-tool extensions #1508)

• opensc-explorer

  • add command pin_info (opensc-explorer addons & fixes #1487)
  • extend random to allow writing to a file (opensc-explorer addons & fixes #1487)

• opensc-minidriver-test.exe: Tests for Microsoft CryptoAPI (Minidriver: Add support for PSS #1510)

• opensc-notify: Autostart on Windows

• pkcs11-register:

  • Auto-configuration of applications for use of OpenSC PKCS#11 (Auto-configuration of OpenSC PKCS#11 #1644)
  • Autostart on Windows, macOS and Linux (Auto-configuration of OpenSC PKCS#11 #1644)

• opensc-tool: Show ATR also for cards not recognized by OpenSC (opensc-tool: do not use card driver to read ATR #1625)

• pkcs11-spy:

  • parse CKM_AES_GCM
  • Add support for CKA_OTP_* and CKM_*_PSS values
  • parse EC Derive parameters (Unbreak derive for sc-hsm and myeid cards #1677)

• pkcs11-tool

  • Support for signature verification via --verify (Support RSA-PSS signature mechanisms using RSA-RAW #1435)
  • Add object type secrkey for --type option (Add object type "secrkey" to help of --type switch in pkcs11-tool #1575)
  • Implement Secret Key write object (Implement Secret Key write object #1648)
  • Add GOSTR3410-2012 support (Add GOSTR3410-2012 support #1654)
  • Add support for testing CKM_RSA_PKCS_OAEP (Trustonic pkcs11 #1600)
  • Add extractable option to key import (pkcs11-tool: Add extractable option to key import #1674)
  • list more key access flags when listing keys (pkcs11-tool: Add keys access flags #1653)
  • Add support for CKA_ALLOWED_MECHANISMS when creating new objects and listing keys (Add support for CKA_ALLOWED_MECHANISMS in pkcs11-tool + some more tests #1628)

• pkcs15-crypt: * Handle keys with user consent (pkcs15-crypt - Handle keys with user_consent - Fixes #1292 #1529)

CAC1

New separate CAC1 driver using the old CAC specification (#1502).

CardOS

• Add support for 4K RSA keys in CardOS 5 (Add support for 4K RSA keys in CardOS 5 #1776)
• Fixed decryption with CardOS 5 (Fix CardOS RSA mechanism flags #1867)

Coolkey

• Enable CoolKey driver to handle 2048-bit keys. (Enable CoolKey driver to handle 2048-bit keys. #1532)

EstEID

• adds support for a minimalistic, small and fast card profile based on IAS-ECC issued since December 2018 (EstEID 2018+ driver #1635)

GIDS

• GIDS Decipher fix (GIDS Decipher fix for TPM #1881)
• Allow RSA 4K support (Update card-gids.c to support 3072 & 4096 RSA key sizes #1891)

MICARDO

• Remove long expired EstEID 1.0/1.1 card support (Remove long expired EstEID 1.0/1.1 card support #1470)

MyEID

• Add support for unwrapping a secret key with an RSA key or secret key (C_WrapKey and C_UnwrapKey implementations #1393)
• Add support for wrapping a secret key with a secret key (C_WrapKey and C_UnwrapKey implementations #1393)
• Support for MyEID 4K RSA (Support for MyEID 4K RSA and clean ups #1657)
• Support for OsEID (Unbreak derive for sc-hsm and myeid cards #1677).

Gemalto GemSafe

• add new PTeID ATRs (pteid: add new ATRs #1683)
• Add support for 4K RSA keys (Add support for 4K RSA keys in GemsafeV1 #1863, Fixing invalid signature with 3072 RSA bits in GemsafeV1 #1872)

OpenPGP

• OpenPGP Card v3 ECC support (OpenPGP Card v3 ECC support #1506)

Rutoken

• Add Rutoken ECP SC (Add Rutoken ECP SC #1652)
• Add Rutoken Lite (Rutoken Lite #1728)

SC-HSM

• Add SmartCard-HSM 4K ATR (SmartCard-HSM 4K not recognized by Minidriver #1681)
• Add missing secp384r1 curve parameter (sc-hsm: Add missing secp384r1 curve parameter #1696)

Starcos

• Fixed decipher with 2.3 (starcos: fixed decipher with 2.3 #1496)
• Added ATR for 2nd gen. eGK (Egk fixes #1668)
• Added new ATR for 3.5 (Starcos3x pin format #1882)
• Detect and allow Globalplatform PIN encoding (Starcos3x pin format #1882)

TCOS

• Fix TCOS IDKey support (Fix TCOS IDKey support #1880)
• add encryption certificate for IDKey (tcos: add encryption certificate for IDKey #1892)

Infocamere, Postecert, Cnipa

• Removed profiles (Remove postecert and infocamere support because no longer issued #1584)

ACS ACOS5

• Remove incomplete acos5 driver (acos5: removed incomplete driver #1622).

[Jakuje]

I re-read all the commits since the last release and I would suggest to mention also the following highlights that look like missed from the original list:

For MyEID, I would mention also a support for OsEID cards that was added to the driver (#1677).

For opensc-tool

• avoiding of unnecessary connects to the card in case the actions do not require it (opensc-tool: do not connect card if not neccesary, fix util.c errors #1762)
• show ATR also for cards not recognized by any OpenSC driver (opensc-tool: do not use card driver to read ATR #1625)

For pkcs11-spy, parse the EC Derive parameters (#1677).

For pkcs11-tool:

• list more key access flags when listing keys (pkcs11-tool: Add keys access flags #1653).
• Add support for CKA_ALLOWED_MECHANISMS when creating new objects and listing keys (Add support for CKA_ALLOWED_MECHANISMS in pkcs11-tool + some more tests #1628)

Remove incomplete acos5 driver (#1622).

minidriver:

• Add support for RSA-PSS (263b945)

coolkey: Improved card matching to avoid mismatches with similar muscle driver (#1500).

New separate CAC1 driver using the old CAC specification (#1502).

Additionally, I would like to ask for the status fo #1772, which adds support for IDPrime cards and in-card RSA-OAEP as an counterpart to RSA-PSS already in.

[plaes]

EstEID section should mention something like this: "Added support for Estonian ID cards (supplied by IDEMIA) that have been issued since January 2019."

It's a big win, because we only had closed source blob that had some issues...

[frankmorgner]

Thanks for the comments, @Jakuje @plaes !

I've edited and extended the NEWS as requested.

I'd like to avoid mentioning #1500 and #1762 because I think they are technical improvements, invisible to the user.

I'd like to postpone #1772 for the next release, because that are quite a lot of changes that did not yet get the attention they deserve.

[Jakuje]

Thank you for clarification.

[frankmorgner]

You can find the updated release candidate here

[frankmorgner]

Since macOS Catalina, TokenDs are disabled by default, that's why I had to update the installer to also distribute OpenSCToken... (installed by default on 10.15, available as alternative to OpenSC.tokend on 10.12-10.14, disabled on 10.11 and before). The installation of PKCS#11 module and tools are unaffected.

You can find the updated release candidate here.

[Jakuje]

Seems like the oss-fuzz got silent for now. I would be for drawing a line here, do a rc, ask for testing and do the release. Is there anything else that we should get in?

[frankmorgner]

Updated CVEs and newly added fixes. Let's wait for the next report from OSS-Fuzz, which should finally allow a new release.

[Jakuje]

Thanks. I would probably like to see also #1877 (this was broken before, but current version can hang, which is not good. I would also like to see ack from the original reporter) and #1867 (this is broken since beginning, but it is frequently reported issue).

[metsma]

Can we get #1826 also in. It will improve parallel usage of cards

[frankmorgner]

For #1877, I'm waiting for feedback from @the-kernel. If positive, the PR is good to be merged.

I didn't see how #1826 is a bugfix for an error with parallel use, so I originally planned to postpone it...

[metsma]

We discovered after testing, that things got better. I can change the label?

[the-kernel]

@metsma Sorry I have been away and haven't had a chance to test, I'll get right on it, and let you know shortly. Thanks!

[the-kernel]

@metsma The fix in #1877 appears to resolve all the issues I had, thanks!

[frankmorgner]

I've merged the PRs as requested.

However, the coolkey issues in OSS-Fuzz keep popping up over and over again... Would it be OK to remove Coolkey from the default list of activate drivers to finally make a release, @Jakuje?

[Jakuje]

Even though they look like popping all over again, the latest one is a different issue than the previous ones (see the top commit in #1830). Some of the other issues look like running on some old revision. It looks like I am not getting email notification to all of the for some reason.

I would like to avoid dropping coolkey from default. Even though the customer base is not big, there were already several users reporting issues directly here so they are using it. So we can either wait few more days and address as much as possible (I believe the worst issues are already handled) or release it as it is now (and possibly count with some security/bugfix release in month or two).

Also in the previous comments I was asking about #1867 whether we can have it in release too as it is long-standing issue.

[dengert]

Can we #1881 into the 0.20.0 release? I can squash and clean up some debugging if needed

[frankmorgner]

The situation around #1881 is not very clear, see the PR for comments

[frankmorgner]

I've created a new release candidate...

[metsma]

RC4 tar.gz is missing test-pkcs11-tool-allowed-mechanisms.sh file

[Jakuje]

@metsma Thank you for reporting this. It should be fixed with #1889.

[dpward]

I've created a new release candidate...

@frankmorgner Could I kindly ask that we improve the versioning here? This is making things unnecessarily difficult for downstream consumption.

The repository has recently been tagged with "0.20.0-rc1", "0.20.0-rc2", "OpenSC-0.20.0-rc3", and now "0.20.0-rc34". Could we please delete then re-create the latter two tags in the repository to follow the regular pattern? Distribution packaging scripts often depend on this.

It also appears that the filenames for the Windows installers have contained the wrong rc version for the last three builds.

Edit: It seems this was opened as #1886, but was closed without being fixed.