Disable the Applet V1.8 ATR #3109
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The V1.8 applet has a few differences to the older applets. This causes the OpenSC PKCS#11 module to not be able to sign anything with the Belpic driver on this card. While the best solution is to implement the required changes to make this work correctly, for the time being it's better to not confuse users by claiming we support the card when in reality we don't.
Jakuje
approved these changes
Apr 11, 2024
yoe
referenced
this pull request
in Fedict/eid-mw
May 9, 2024
The OpenSC module claims it supports the Belgian eID card, but it only supports applet 1.7, not 1.8. The result is that users who have OpenSC installed may or may not successfully authenticate, depending on whether their browser prefers OpenSC over the eID software (or not). To avoid this situation, we can conflict with OpenSC. Users who need OpenSC for other things will hate us for that, but that can't be helped.
dangowrt
added a commit
to dangowrt/packages
that referenced
this pull request
Apr 26, 2025
New in 0.26.1; 2025-01-14
General improvements
Align allocations of sc_mem_secure_alloc (OpenSC/OpenSC#3281)
Fix -O3 gcc optimization failure on amd64 and ppc64el (OpenSC/OpenSC#3299)
pkcs11-spy
Avoid crash while spying C_GetInterface() (OpenSC/OpenSC#3275)
TCOS
Fix reading certificate (OpenSC/OpenSC#3296)
New in 0.26.0; 2024-11-13
Security
CVE-2024-45615: Usage of uninitialized values in libopensc and pkcs15init (OpenSC/OpenSC#3225)
CVE-2024-45616: Uninitialized values after incorrect check or usage of APDU response values in libopensc (OpenSC/OpenSC#3225)
CVE-2024-45617: Uninitialized values after incorrect or missing checking return values of functions in libopensc (OpenSC/OpenSC#3225)
CVE-2024-45618: Uninitialized values after incorrect or missing checking return values of functions in pkcs15init (OpenSC/OpenSC#3225)
CVE-2024-45619: Incorrect handling length of buffers or files in libopensc (OpenSC/OpenSC#3225)
CVE-2024-45620: Incorrect handling of the length of buffers or files in pkcs15init (OpenSC/OpenSC#3225)
CVE-2024-8443: Heap buffer overflow in OpenPGP driver when generating key (OpenSC/OpenSC#3219)
General improvements
Fix reselection of DF after error in PKCSOpenSC/OpenSC#15 layer (OpenSC/OpenSC#3067)
Unify OpenSSL logging throughout code (OpenSC/OpenSC#2922)
Extend the p11test to support kryoptic (OpenSC/OpenSC#3141)
Fix for error in PCSC reconnection (OpenSC/OpenSC#3150)
Fixed various issues reported by OSS-Fuzz and Coverity in drivers, PKCS#11 and PKCS#15 layer
PKCS#15
Documentation for PKCS#15 profile files (OpenSC/OpenSC#3132)
minidriver
Support PinCacheAlwaysPrompt usable for PIV cards (OpenSC/OpenSC#3167)
pkcs11-tool
Show URI when listing token information (OpenSC/OpenSC#3125) and objects (OpenSC/OpenSC#3130)
Do not limit size of objects to 5000 bytes (OpenSC/OpenSC#3174)
Add support for AES CMAC (OpenSC/OpenSC#3184)
Add support for AES GCM encryption (OpenSC/OpenSC#3195)
Add support for RSA OAEP encryption (OpenSC/OpenSC#3175)
Add support for HKDF (OpenSC/OpenSC#3193)
Implement better support for wrapping and unwrapping (OpenSC/OpenSC#3198)
Add support for EdDSA sign and verify (OpenSC/OpenSC#2979)
pkcs15-crypt
Fix PKCS#1 encoding function to correctly detect padding type (OpenSC/OpenSC#3075)
piv-tool
Fix RSA key generation (OpenSC/OpenSC#3158)
Avoid possible state change when matching unknown card (OpenSC/OpenSC#3112)
sc-hsm-tool
Cleanse buffer with plaintext key share (OpenSC/OpenSC#3226)
pkcs11-register
Fix pkcs11-register defaults on macOS and Windows (OpenSC/OpenSC#3053)
IDPrime
Fix identification of IDPrime 840 cards (OpenSC/OpenSC#3146)
Fix container mapping for IDPrime 940 cards (OpenSC/OpenSC#3220)
Reorder ATRs for matching cards (OpenSC/OpenSC#3154)
OpenPGP
Fix state tracking after erasing card (OpenSC/OpenSC#3024)
Belpic
Disable Applet V1.8 (OpenSC/OpenSC#3109)
MICARDO
Deactivate driver (OpenSC/OpenSC#3152)
SmartCard-HSM
Fix signing with secp521r1 signature (OpenSC/OpenSC#3157)
eOI
Set model via sc_card_ctl function (OpenSC/OpenSC#3189)
Rutoken
increase the minimum PIN size to support Rutoken ECP BIO (OpenSC/OpenSC#3208)
JPKI
Adjust parameters for public key in PKCS#15 emulator (OpenSC/OpenSC#3182)
D-Trust
Add support for ECDSA signatures and ECDH key agreement for D-Trust Signatures Cards 4.1/4.4 (OpenSC/OpenSC#3240, OpenSC/OpenSC#openwrt#3248)
Signed-off-by: Daniel Golle <[email protected]>
dangowrt
added a commit
to dangowrt/packages
that referenced
this pull request
Apr 26, 2025
New in 0.26.1; 2025-01-14
General improvements
Align allocations of sc_mem_secure_alloc (OpenSC/OpenSC#3281)
Fix -O3 gcc optimization failure on amd64 and ppc64el (OpenSC/OpenSC#3299)
pkcs11-spy
Avoid crash while spying C_GetInterface() (OpenSC/OpenSC#3275)
TCOS
Fix reading certificate (OpenSC/OpenSC#3296)
New in 0.26.0; 2024-11-13
Security
CVE-2024-45615: Usage of uninitialized values in libopensc and pkcs15init (OpenSC/OpenSC#3225)
CVE-2024-45616: Uninitialized values after incorrect check or usage of APDU response values in libopensc (OpenSC/OpenSC#3225)
CVE-2024-45617: Uninitialized values after incorrect or missing checking return values of functions in libopensc (OpenSC/OpenSC#3225)
CVE-2024-45618: Uninitialized values after incorrect or missing checking return values of functions in pkcs15init (OpenSC/OpenSC#3225)
CVE-2024-45619: Incorrect handling length of buffers or files in libopensc (OpenSC/OpenSC#3225)
CVE-2024-45620: Incorrect handling of the length of buffers or files in pkcs15init (OpenSC/OpenSC#3225)
CVE-2024-8443: Heap buffer overflow in OpenPGP driver when generating key (OpenSC/OpenSC#3219)
General improvements
Fix reselection of DF after error in PKCSOpenSC/OpenSC#15 layer (OpenSC/OpenSC#3067)
Unify OpenSSL logging throughout code (OpenSC/OpenSC#2922)
Extend the p11test to support kryoptic (OpenSC/OpenSC#3141)
Fix for error in PCSC reconnection (OpenSC/OpenSC#3150)
Fixed various issues reported by OSS-Fuzz and Coverity in drivers, PKCS#11 and PKCS#15 layer
PKCS#15
Documentation for PKCS#15 profile files (OpenSC/OpenSC#3132)
minidriver
Support PinCacheAlwaysPrompt usable for PIV cards (OpenSC/OpenSC#3167)
pkcs11-tool
Show URI when listing token information (OpenSC/OpenSC#3125) and objects (OpenSC/OpenSC#3130)
Do not limit size of objects to 5000 bytes (OpenSC/OpenSC#3174)
Add support for AES CMAC (OpenSC/OpenSC#3184)
Add support for AES GCM encryption (OpenSC/OpenSC#3195)
Add support for RSA OAEP encryption (OpenSC/OpenSC#3175)
Add support for HKDF (OpenSC/OpenSC#3193)
Implement better support for wrapping and unwrapping (OpenSC/OpenSC#3198)
Add support for EdDSA sign and verify (OpenSC/OpenSC#2979)
pkcs15-crypt
Fix PKCS#1 encoding function to correctly detect padding type (OpenSC/OpenSC#3075)
piv-tool
Fix RSA key generation (OpenSC/OpenSC#3158)
Avoid possible state change when matching unknown card (OpenSC/OpenSC#3112)
sc-hsm-tool
Cleanse buffer with plaintext key share (OpenSC/OpenSC#3226)
pkcs11-register
Fix pkcs11-register defaults on macOS and Windows (OpenSC/OpenSC#3053)
IDPrime
Fix identification of IDPrime 840 cards (OpenSC/OpenSC#3146)
Fix container mapping for IDPrime 940 cards (OpenSC/OpenSC#3220)
Reorder ATRs for matching cards (OpenSC/OpenSC#3154)
OpenPGP
Fix state tracking after erasing card (OpenSC/OpenSC#3024)
Belpic
Disable Applet V1.8 (OpenSC/OpenSC#3109)
MICARDO
Deactivate driver (OpenSC/OpenSC#3152)
SmartCard-HSM
Fix signing with secp521r1 signature (OpenSC/OpenSC#3157)
eOI
Set model via sc_card_ctl function (OpenSC/OpenSC#3189)
Rutoken
increase the minimum PIN size to support Rutoken ECP BIO (OpenSC/OpenSC#3208)
JPKI
Adjust parameters for public key in PKCS#15 emulator (OpenSC/OpenSC#3182)
D-Trust
Add support for ECDSA signatures and ECDH key agreement for D-Trust Signatures Cards 4.1/4.4 (OpenSC/OpenSC#3240, OpenSC/OpenSC#openwrt#3248)
Signed-off-by: Daniel Golle <[email protected]>
dangowrt
added a commit
to dangowrt/packages
that referenced
this pull request
Apr 26, 2025
New in 0.26.1; 2025-01-14
General improvements
Align allocations of sc_mem_secure_alloc (OpenSC/OpenSC#3281)
Fix -O3 gcc optimization failure on amd64 and ppc64el (OpenSC/OpenSC#3299)
pkcs11-spy
Avoid crash while spying C_GetInterface() (OpenSC/OpenSC#3275)
TCOS
Fix reading certificate (OpenSC/OpenSC#3296)
New in 0.26.0; 2024-11-13
Security
CVE-2024-45615: Usage of uninitialized values in libopensc and pkcs15init (OpenSC/OpenSC#3225)
CVE-2024-45616: Uninitialized values after incorrect check or usage of APDU response values in libopensc (OpenSC/OpenSC#3225)
CVE-2024-45617: Uninitialized values after incorrect or missing checking return values of functions in libopensc (OpenSC/OpenSC#3225)
CVE-2024-45618: Uninitialized values after incorrect or missing checking return values of functions in pkcs15init (OpenSC/OpenSC#3225)
CVE-2024-45619: Incorrect handling length of buffers or files in libopensc (OpenSC/OpenSC#3225)
CVE-2024-45620: Incorrect handling of the length of buffers or files in pkcs15init (OpenSC/OpenSC#3225)
CVE-2024-8443: Heap buffer overflow in OpenPGP driver when generating key (OpenSC/OpenSC#3219)
General improvements
Fix reselection of DF after error in PKCSOpenSC/OpenSC#15 layer (OpenSC/OpenSC#3067)
Unify OpenSSL logging throughout code (OpenSC/OpenSC#2922)
Extend the p11test to support kryoptic (OpenSC/OpenSC#3141)
Fix for error in PCSC reconnection (OpenSC/OpenSC#3150)
Fixed various issues reported by OSS-Fuzz and Coverity in drivers, PKCS#11 and PKCS#15 layer
PKCS#15
Documentation for PKCS#15 profile files (OpenSC/OpenSC#3132)
minidriver
Support PinCacheAlwaysPrompt usable for PIV cards (OpenSC/OpenSC#3167)
pkcs11-tool
Show URI when listing token information (OpenSC/OpenSC#3125) and objects (OpenSC/OpenSC#3130)
Do not limit size of objects to 5000 bytes (OpenSC/OpenSC#3174)
Add support for AES CMAC (OpenSC/OpenSC#3184)
Add support for AES GCM encryption (OpenSC/OpenSC#3195)
Add support for RSA OAEP encryption (OpenSC/OpenSC#3175)
Add support for HKDF (OpenSC/OpenSC#3193)
Implement better support for wrapping and unwrapping (OpenSC/OpenSC#3198)
Add support for EdDSA sign and verify (OpenSC/OpenSC#2979)
pkcs15-crypt
Fix PKCS#1 encoding function to correctly detect padding type (OpenSC/OpenSC#3075)
piv-tool
Fix RSA key generation (OpenSC/OpenSC#3158)
Avoid possible state change when matching unknown card (OpenSC/OpenSC#3112)
sc-hsm-tool
Cleanse buffer with plaintext key share (OpenSC/OpenSC#3226)
pkcs11-register
Fix pkcs11-register defaults on macOS and Windows (OpenSC/OpenSC#3053)
IDPrime
Fix identification of IDPrime 840 cards (OpenSC/OpenSC#3146)
Fix container mapping for IDPrime 940 cards (OpenSC/OpenSC#3220)
Reorder ATRs for matching cards (OpenSC/OpenSC#3154)
OpenPGP
Fix state tracking after erasing card (OpenSC/OpenSC#3024)
Belpic
Disable Applet V1.8 (OpenSC/OpenSC#3109)
MICARDO
Deactivate driver (OpenSC/OpenSC#3152)
SmartCard-HSM
Fix signing with secp521r1 signature (OpenSC/OpenSC#3157)
eOI
Set model via sc_card_ctl function (OpenSC/OpenSC#3189)
Rutoken
increase the minimum PIN size to support Rutoken ECP BIO (OpenSC/OpenSC#3208)
JPKI
Adjust parameters for public key in PKCS#15 emulator (OpenSC/OpenSC#3182)
D-Trust
Add support for ECDSA signatures and ECDH key agreement for D-Trust Signatures Cards 4.1/4.4 (OpenSC/OpenSC#3240, OpenSC/OpenSC#openwrt#3248)
Signed-off-by: Daniel Golle <[email protected]>
dangowrt
added a commit
to openwrt/packages
that referenced
this pull request
Apr 27, 2025
New in 0.26.1; 2025-01-14
General improvements
Align allocations of sc_mem_secure_alloc (OpenSC/OpenSC#3281)
Fix -O3 gcc optimization failure on amd64 and ppc64el (OpenSC/OpenSC#3299)
pkcs11-spy
Avoid crash while spying C_GetInterface() (OpenSC/OpenSC#3275)
TCOS
Fix reading certificate (OpenSC/OpenSC#3296)
New in 0.26.0; 2024-11-13
Security
CVE-2024-45615: Usage of uninitialized values in libopensc and pkcs15init (OpenSC/OpenSC#3225)
CVE-2024-45616: Uninitialized values after incorrect check or usage of APDU response values in libopensc (OpenSC/OpenSC#3225)
CVE-2024-45617: Uninitialized values after incorrect or missing checking return values of functions in libopensc (OpenSC/OpenSC#3225)
CVE-2024-45618: Uninitialized values after incorrect or missing checking return values of functions in pkcs15init (OpenSC/OpenSC#3225)
CVE-2024-45619: Incorrect handling length of buffers or files in libopensc (OpenSC/OpenSC#3225)
CVE-2024-45620: Incorrect handling of the length of buffers or files in pkcs15init (OpenSC/OpenSC#3225)
CVE-2024-8443: Heap buffer overflow in OpenPGP driver when generating key (OpenSC/OpenSC#3219)
General improvements
Fix reselection of DF after error in PKCSOpenSC/OpenSC#15 layer (OpenSC/OpenSC#3067)
Unify OpenSSL logging throughout code (OpenSC/OpenSC#2922)
Extend the p11test to support kryoptic (OpenSC/OpenSC#3141)
Fix for error in PCSC reconnection (OpenSC/OpenSC#3150)
Fixed various issues reported by OSS-Fuzz and Coverity in drivers, PKCS#11 and PKCS#15 layer
PKCS#15
Documentation for PKCS#15 profile files (OpenSC/OpenSC#3132)
minidriver
Support PinCacheAlwaysPrompt usable for PIV cards (OpenSC/OpenSC#3167)
pkcs11-tool
Show URI when listing token information (OpenSC/OpenSC#3125) and objects (OpenSC/OpenSC#3130)
Do not limit size of objects to 5000 bytes (OpenSC/OpenSC#3174)
Add support for AES CMAC (OpenSC/OpenSC#3184)
Add support for AES GCM encryption (OpenSC/OpenSC#3195)
Add support for RSA OAEP encryption (OpenSC/OpenSC#3175)
Add support for HKDF (OpenSC/OpenSC#3193)
Implement better support for wrapping and unwrapping (OpenSC/OpenSC#3198)
Add support for EdDSA sign and verify (OpenSC/OpenSC#2979)
pkcs15-crypt
Fix PKCS#1 encoding function to correctly detect padding type (OpenSC/OpenSC#3075)
piv-tool
Fix RSA key generation (OpenSC/OpenSC#3158)
Avoid possible state change when matching unknown card (OpenSC/OpenSC#3112)
sc-hsm-tool
Cleanse buffer with plaintext key share (OpenSC/OpenSC#3226)
pkcs11-register
Fix pkcs11-register defaults on macOS and Windows (OpenSC/OpenSC#3053)
IDPrime
Fix identification of IDPrime 840 cards (OpenSC/OpenSC#3146)
Fix container mapping for IDPrime 940 cards (OpenSC/OpenSC#3220)
Reorder ATRs for matching cards (OpenSC/OpenSC#3154)
OpenPGP
Fix state tracking after erasing card (OpenSC/OpenSC#3024)
Belpic
Disable Applet V1.8 (OpenSC/OpenSC#3109)
MICARDO
Deactivate driver (OpenSC/OpenSC#3152)
SmartCard-HSM
Fix signing with secp521r1 signature (OpenSC/OpenSC#3157)
eOI
Set model via sc_card_ctl function (OpenSC/OpenSC#3189)
Rutoken
increase the minimum PIN size to support Rutoken ECP BIO (OpenSC/OpenSC#3208)
JPKI
Adjust parameters for public key in PKCS#15 emulator (OpenSC/OpenSC#3182)
D-Trust
Add support for ECDSA signatures and ECDH key agreement for D-Trust Signatures Cards 4.1/4.4 (OpenSC/OpenSC#3240, OpenSC/OpenSC##3248)
Signed-off-by: Daniel Golle <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The V1.8 applet has a few differences to the older applets. This causes the OpenSC PKCS#11 module to not be able to sign anything with the Belpic driver on this card.
While the best solution is to implement the required changes to make this work correctly, for the time being it's better to not confuse users by claiming we support the card when in reality we don't.
Not tested, but trivial enough.
Checklist