OpenSC 0.27.1

Edit 2026-04-18: Replaced the MacOS release binary due to originally uploading wrongly signed one (see #3654).

New in 0.27.1; 2026-03-31

• Bugfix release to fix up infrastructure issues. There were no 0.27.0 artifacts published.

New in 0.27.0; 2026-03-30

Security

• CVE-2025-13763: Several uses of potentially uninitialized memory detected by fuzzers
• CVE-2025-49010: Possible write beyond buffer bounds during processing of GET RESPONSE APDU
• CVE-2025-66215: Possible write beyond buffer bounds in oberthur driver
• CVE-2025-66038: Possible read beyond buffer bounds when parsing historical bytes in PIV driver
• CVE-2025-66037: Possible buffer overrun while parsing SPKI
• More low-severity data handling issues when parsing profile configuration

General improvements

• Added support for PKCS#11 3.2 in tools and pkcs11-spy and p11test(#3510)
• Added support for Ed448, X448 mechanisms and improve support for
  Edwards and montgomery keys in general (#3090)
• Support CKA_PUBKEY_KEY_INFO PKCS#11 attribute (#3090)
• Various refactoring of autotools build system
• Remove obsolete tokend support (#3285)
• Run tests against different software PKCS#11 tokens kryoptic and NSS softokn (#3365)
• Removed internal caching for current EF/DF (#3403)
• Correctly detect OS-level FIPS mode in OpenSSL automatically (#3551)
  or through custom configuration file (#3525)
• Added support for Brainpool twisted curves to pkcs11-tool and SC-HSM (#3601)

PC/SC

• Handle case when smart card is removed and inserted between two subsequent calls to
  refresh_attributes() (#2803)

EsteID

• Add support for EstEID 2025 (#3392)
• Implement FinEID 4.0/4.1 support (#3505)
• Add Latvian IDEMIA Cosmo X card support (#3503)
• Check if PIN is locked and hint CKF_USER_PIN_TO_BE_CHANGED (#3490)
• Remove obsolete FinEID cards (#3522)
• Add Latvian Cosmo 8.2 card support (#3521)

D-Trust

• Prevent unncecessary pin prompts on pinpad readers (#3266)
• Support for D-Trust Card 5.1 & 5.4 (#3137)
• Implement PIN change and unblock in dtrust-tool (#3137)

Belpic

• Add supports for belpic applet version 1.8 (#3308)

OpenPGP

• Implement key derived PIN format (KDF-DO) as per OpenPGP card spec v3.3 (#3398)

IDPrime

• Implement 5110+ FIPS and 5110 CC (940) derive support (#3483)

Windows

• Update to Wix 6 (#3435)
• Fix C_WaitForSlotEvent() not working in Windows (#2919)
• remove pkcs11-register from autostart (#3354)

MacOS

• Installer images are now notarized (#3536)

pkcs11-tool

• Added support for ML-DSA, ML-KEM, SLH-DSA keys from PKCS#11 3.2 (#3510)
• Improve support for Edwards and montgomery keys and
  add derive key support for CKK_MONTGOMERY (#3090)
• Add support for ChaCha20 and Poly1305 (#3339)
• Add support for AES CTR in decrypt_data() and encrypt_data() (#3338)
• Add initial support for PKCS#11 URIs (#3289)
• Print more information about RSA keys (#3623)

New Contributors

• @GeorgePantelakis made their first contribution in #3254
• @tinyboxvk made their first contribution in #3260
• @dgalling made their first contribution in #3281
• @botovq made their first contribution in #3306
• @tpetazzoni made their first contribution in #3303
• @Mironenko made their first contribution in #3326
• @cdanger made their first contribution in #3324
• @D4ryus made their first contribution in #3386
• @vssldmtrv made their first contribution in #3415
• @hendrikdonner made their first contribution in #3405
• @antimeme made their first contribution in #3428
• @citypw made their first contribution in #3421
• @marcwillert made their first contribution in #3445
• @hardening made their first contribution in #3493
• @pavelkohout396 made their first contribution in #3546
• @daloic made their first contribution in #3587
• @gkapetanakis made their first contribution in #3625

Full Changelog: 0.26.0...0.27.1