Towards new release 0.21.0

[Jakuje]

There have been talks about new release for quite some time as there have been many quite important fixes in master since 0.20.0.

I would like to kick off some testing and summarizing of changelog to get a new version out of door soon. Feel free to edit the following draft, add what I missed or propose missing issues/PRs. Let me know if there is something else where I can help towards the next release.

---

General Improvements

• Bump minimal required OpenSSL version to 1.0.1 (Bump Openssl and clean up openssl requirements up to 1.0.1 #1658)
• Implement basic unit tests for asn1 library, compression and simpletlv parser (Introduce unit tests and address more oss-fuzz issues (mostly ASN1 parser) #1830)
• Allow generating code coverage
• Improve fuzzing by providing corpus from real cards (Introduce unit tests and address more oss-fuzz issues (mostly ASN1 parser) #1830)
• Implement support for OAEP encryption
• New separate debug level for PIN commands (d06f23e)
• Fix handling of card/reader insertion/removal events in pcscd
• Many bugfixes reported by oss-fuzz, coverity and lgtm.com
• Fixes of removed readers handling (Improved Handling of PKCS11 Slots (2) #1970)
• Fix Firefox crash because of invalid pcsc context (Fix for context handle management in PCSC reader driver #2077)

PKCS #11

• Return CKR_TOKEN_NOT_RECOGNIZED for not recognized cards (CKR_TOKEN_NOT_PRESENT returned for unsupported token #2030)
• Propagate ignore_user_content to PKCS#11 layer not to confuse applications (pkcs11: If user consent is ignored through configuration, do not pres… #2040)

MacOS

• Add installer signing for PR and master
• Move OpenSC to MacOS Utilities folder (Move to macOS Utilities folder #2063)

pkcs11-tool

• Make SHA256 default for OAEP encryption

opensc-explorer

• asn1 accepts offsets and decode records (Explorer records #2090)
• cat accepts records (Explorer records #2090)

OpenPGP

• Add new ec curves supported by GNUK (openpgp: add nistp256 and secp251k1 curves for gnuk devices #1853)
• First steps supporting OpenPGP 3.4
• Add support for EC key import (openpgp: Fixes for importing ECC keys #1821)

CardOS

• Improve detection of various CardOS 5 configurations (Various CardOS 5.3 Fixes #1987)

ePass2003

• Improve ECC support (Bug fixed #1859)
• Fixed erase sequence (epass2003: Fix erase sequence. #2097)

IDPrime

• New driver for Gemalto IDPrime (only some types) (Add support for Gemalto IDPrime smart cards #1772)

eDo

• New driver with initial support for Polish eID card (e-dowód, eDO) (Initial support for Polish eID card (e-dowód, eDO) #2023)

MCRD

• Remove unused and broken RSA EstEID support (Remove unused and broken RSA EstEID support #2095)

TCOS

• Add missing encryption certificates (tcos: add missing encryption certificates #2083)

IAS-ECC (#2070):

• Fixed support for Idemia Cosmo cards with AWP middleware interoperability (previously broken).
• Added support for Idemia Cosmo v8 cards.
• PIN padding settings are now used from PKCS Fix #15 info when available.
• Added PIN-pad support for PIN unblock.

[frankmorgner]

Thanks for the initial work! Unfortunately, we are still having #1999 and #1934 which are blocking us from a new release...

[Jakuje]

I would like to see the first one fixed, but we did not hear from anyone able to reproduce the issue for months. I saw some crashes with Firefox myself (with 0.20.0), but I never got any usable backtrace. Since 0.20.0 there were several fixes. Since I switched to locally built opensc master, I never saw the crash regardless what I did.

For OSX installation process, I do not think I can help much with the OSX issue.

[dengert]

With #1999 the fear I have is someone else will build and release a modified version of OpenSC as it appears @open-eid has done, and Firefox will block all versions of OpenSC "onepin-opensc-pkcs11.dll" because the modified version fails.

Could we in addition to distributing a "onepin-opensc-pkcs11.dll" can we distribute
a "official-onepin-opensc-pkcs11.dll" which is not built by default, but only built for our "official" Windows distribution. There would be a warning in the source to not build or distribute this DLL as it name reserved for OpenSC distribution only. (It would be the same as the "onepin-opensc-pkcs11.dll" in except for the name.)

GNU LESSER GENERAL PUBLIC LICENSE Version 2.1, February 1999, says:
"Also, if the library is
modified by someone else and passed on, the recipients should know
that what they have is not the original version, so that the original
author's reputation will not be affected by problems that might be
introduced by others."

We need to protect our "original author's reputation".

[metsma]

We distributed official opensc binary and codesigned. And when we change something then we alter version numbers to identify binaries from official release.

[frankmorgner]

I absolutely believe in your true intents, no need for finger pointing. Did you try to investigate the problem with your users? Unfortunately, we didn't get any revealing information in #1999 or #2032...

[metsma]

We did some testing with #2032 and will release to wider audience.
Let's see any crash reports will appear to Firefox Bugzilla.
They should be with version 0.20.1.4 dll-s.

[Wandtket]

Could you provide ARM/ARM64 builds for Windows in your release downloads? The 32bit emulation on Windows 10 ARM isn't quite up to par yet.

[frankmorgner]

@wandtke if you manage to integrate this into the CI/build scripts and volunteer for testing, then we're good to go. Otherwise, I don't think I'll have the time to look at this right now.

[frankmorgner]

@Jakuje, could you have a look at https://oss-fuzz.com/testcase-detail/6578720056541184 ?

[Wandtket]

@frankmorgner I was attempting to compile it myself following the instructions from the wiki using nmake, however, it kept giving me fatal errors. I would be happy to test it though.

[Jakuje]

@Jakuje, could you have a look at https://oss-fuzz.com/testcase-detail/6578720056541184 ?

This should be handled by #2086 -- I would like to go through the rest of them next week, if containers will work for me.

[jmastr]

Could you create a release candidate? We want to roll out an update internally and need an official build for doing that.

[aussetg]

Hope it will be in time for Fedora 33 :)

[frankmorgner]

We'll release a RC in the next few days.

Unfortunately, we did not yet find a solution for (automatically) generating a suitable installer for macOS, so this will not be available for now.

[jmastr]

@frankmorgner What is the problem? Is there a ticket? Can I help?

[frankmorgner]

I don't have (and want to get) a paid developer account from apple for signing packages and allowing the notification of the app. Preferably, I'd like to integrate signing credentials from someone (else) associated with the project into CI to automate this task...

[jmastr]

Which one do you need and what is your PGP key ID?

[frankmorgner]

Hi @jmastr , thanks for your help, please contact me via [email protected], thanks

[frankmorgner]

The release candidate is available here: https://github.com/OpenSC/OpenSC/releases/tag/0.21.0-rc1

[dengert]

@frankmorgner, Tested several PIV devices against Master (2 commits ahead of 0.21.0-rc1) with pkcs11-tool.
all worked as expected.

Are you going to add a Test Results for 0.21.0-rc-1 to https://github.com/OpenSC/OpenSC/wiki/Smart-Card-Release-Testing ?

If you do can you add PIV full_moon for PKCS11 and

| PIV-II | NIST PIV Demo cards, |
| | IDEMIA Id-One PIV 2.4.1 (No SM, i.e. backward compatibility) |
| | YubiKey 4, Yubikey 5 NFC (USB and NFC) |

PivApplet (JCardSim) is tested via travis-c so it could be added too.

[misterzed88]

I did a quick test of IAS-ECC with Cosmo v8 cards on Linux, and it seems to be working fine.

But I miss the following from the change list.

IAS-ECC:

• Fixed support for Idemia Cosmo cards with AWP middleware interoperability (previously broken).
• Added support for Idemia Cosmo v8 cards.
• PIN padding settings are now used from PKCS Fix #15 info when available.
• Added PIN-pad support for PIN unblock.

[Jakuje]

I did a quick test of IAS-ECC with Cosmo v8 cards on Linux, and it seems to be working fine.

But I miss the following from the change list.

Thanks. Added to the description. If you would happen to have at least pull request IDs so we can link them from the release notes, it would be great.

[misterzed88]

Thanks. Added to the description. If you would happen to have at least pull request IDs so we can link them from the release notes, it would be great.

The main pull request for the listed changes was #2070. If you want to link to it, I assume its should be linked directly from the IAS-ECC header (above the list bullets).

The IAS-ECC changes also required supporting changes in other code, in the following pull requests. I'm not sure where- or if these need to be mentioned:
#2072, #2075, #2076, #2080

[Jakuje]

Tested my bunch of cards on Linux:

• CAC Alt token (HID)
• IDPrime with os version 1: Error in C_GenerateRandom from pkcs11-tool --test, otherwise good
• coolkey applet on 534e SafeNet Java card
• PIV test card 16
• CAC card with PIV endpoint
• CAC card using cac1 driver
• CardOS 5.3

I ran just the tests using pkcs11-tool and p11test, nothing more fancy. I will update the wiki soon. From my side, we are fine.

[jmastr]

What about the MacOS package? @frankmorgner Anything else you need from me there?

[frankmorgner]

working on it... https://github.com/OpenSC/OpenSC/tree/macinst

[henning-schild]

The current "master" branch contains several useful fixes, some distros already start backporting.

Nobody cares which number you give it "release early, release often". The more we pile up the more issues we cause downstream and do not get reports about it ... One can not fix all known issues with the next release ...

[Silvanoc]

Next Debian Stable release is approaching and it would be nice to have 0.21.0 ready on time to get it integrated. What is blocking the release?

[frankmorgner]

Counter question: Has someone tested RC2?

[Silvanoc]

I understand that what is blocking the release is feedback, right? I didn't know, therefore I hadn't test it until now.

Now I have tested it. I can confirm that the test pkcs11-tool --login --test runs successfully.

Set-up:

• Debian Testing
• OpenSC 0.21.0-rc2 (compiled from GIT tag: 0.21.0-rc2)
• CardOS 5.3

Should I run some other tests?

[popovec]

Hi, I just tested:

• Debian stable
• OpenSC 0.21.0-rc2 (compiled from GIT tag: 0.21.0-rc2)
• MyEID 4.0.1

pkcs11-tool --login --test runs successfully

ECDSA (NIST256 curve)

• pkcs15-crypt OK
• pkcs11-tool OK

---

OsEID card - lot of tests with pkcs11-tool, pkcs15-init, pkcs15-tool, pkcs15-crypt.. tested:

• card init/erase OK
• RSA: key generate, key upload, sign/decrypt OK
• pkcs11-tool --login --test OK
• ECC: key generate, key upload, ECDSA, ECDH OK

[jmue]

I tested:

• Windows 10 1909
• OpenSC-0.21.0-rc2_win64.msi
• CardOS 5.3

pkcs11-tool --login --test runs successfully as well

[jmue]

I also tested:

• Ubuntu 20.04 LTS & Debian 11 (Testing)
• OpenSC 0.21.0-rc2 (builded .deb from GIT tag: 0.21.0-rc2)
• CardOS 5.3

pkcs11-tool --login --test runs successfully as well
login on corporate site (chrome) succeeded

[Silvanoc]

Thanks @frankmorgner for the release! 🎉

[Silvanoc]

Now let's trigger the integration on the different distros! I've taken care of Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975651

[henning-schild]

Gentoo already has a security issue for that, maybe no need to create a bump request ...

https://bugs.gentoo.org/746821

[Silvanoc]

Debian packaging for unstable (sid) already available!

Now it means it got into the Debian promotion process, getting into "testing" (Bullseye) the upcoming days if certain requirements are fulfilled and with high probability getting into the candidate list for the upcoming "stable" release (Bullseye will get promoted from testing into stable).