MyEID Minidriver version 2.2.4 release note
-------------------------------------------
Date: 8.4.2020

Installation
------------
- On Windows 7, 8, 8.1 and 10, the driver can be installed automatically from Windows Update.
- If you cannot use Windows Update, install using Device Manager:
  1. Ensure that Smart Card Plug & Play is enabled. If it is not enabled by group policy, you can enable it locally by setting the value EnableScPnP (REG_DWORD) in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScPnP to 1.
  2. Locate "Unknown Smart Card" (or Aventra MyEID Smart Card if you are updating) under Smart Cards in Device Manager.
  3. Select "Update driver" from the right mouse button context menu.
  4. Select "Browse my computer for driver software", and locate the folder containing the inf and dll files.

Prerequisites for use
-----------------------
- On Windows XP: Microsoft Base Smart Card Crypto Provider must be installed. It can be downloaded from here: http://www.microsoft.com/en-us/download/details.aspx?id=4670
- A PC/SC compatible smart card reader and a MyEID smart card that is initialized with PINs and a PKCS#15 file structure. Initialization can be done with, for example, MyEID Minidriver Utility, which is available on Aventra's web site (http://www.aventra.fi/MyClient)

Supported functionality
-----------------------
- supports Windows Smart Card Minidriver Specification up to version 7.0
- supports RSA keys up to 4096 bits and ECC keys up to 521 bits
- tested operating systems: Windows 10, Windows 8/8.1, Windows 7, Windows 2012 Server, Windows 2008 server including R2 (x86 and x64 versions of all the listed OS's are supported)
- possible usages: Smart card logon, certificate enrollment from Microsoft CA, VPN logon, logon through remote desktop, S/MIME e-mail signing and encrypting.

Updating from previous version
------------------------------
- On Windows 7 and newer: use the "driver folder" distribution to update the driver.
  Extract the zip file to a folder on your hard disk.
  Locate "Aventra MyEID Smart Card" in Device Manager.
  Click "Update Driver Software..." and "Browse my computer for driver software".
  Locate "myeiddrv.inf" in the extracted folder.
  Reboot if instructed by the operating system.
- Alternatively: you can follow the steps below to uninstall the previous version and use the EXE installer to install the new version.
- On Windows XP or Vista:
  Reboot WITHOUT a smart card inserted to release the old DLL.
  Run MyEID_MiniDriver.exe and follow the instructions of the installation wizard.
  Check that myeiddrv.dll in C:\Windows\System32 folder has been updated.

Uninstallation
--------------
- Insert a MyEID card, go to Device Manager and locate the card in the device tree under smart cards. Open the popup menu with the right mouse button and select "uninstall". Check the "Delete driver files" checkbox.

Changes from 2.2.2 (5.3.2020)
- improved debug logging
- workaround: some applications called CardSignData with aiHashAlg CALG_SHA1 and passed a hash already encapsulated in a DigestInfo DER structure. This caused an error. By the spec, in this case the caller should pass only a hash, and the driver or card should provide the DigestInfo:
  "If the aiHashAlg member is nonzero, it specifies the hash algorithm’s object identifier (OID) that is encoded in the PKCS padding. This padding is added to the hashed data to which the pbData parameter pointed. The card itself can add this padding, or the minidriver can request this padding to be added by using the PFN_CSP_PAD_DATA function."
  The minidriver now detects if the data already contains the DigestInfo structure and doesn't try to encapsulate the data again.
- Fixed: CardChangeAuthenticatorEx could accept a response when another function was called after CardGetChallenge(ex), when using eight byte challenges.
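The DigestInfo detection described in the 2.2.2 workaround above, as an added example (not Aventra's code; the function names are hypothetical, and only the SHA-1 case from the note is covered). It accepts either a bare 20-byte hash or a hash already wrapped in the standard SHA-1 DigestInfo DER prefix, and rejects anything else instead of signing it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SHA1_LEN 20

/* DER prefix of a PKCS#1 v1.5 DigestInfo for SHA-1 (RFC 8017, section 9.2):
   SEQUENCE { SEQUENCE { OID 1.3.14.3.2.26, NULL }, OCTET STRING (20 bytes) } */
static const uint8_t SHA1_DI_PREFIX[] = {
    0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
    0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
};
#define SHA1_DI_LEN (sizeof(SHA1_DI_PREFIX) + SHA1_LEN)   /* 35 bytes */

/* Hypothetical helper: returns 1 only if buf is exactly one SHA-1
   DigestInfo. The exact-length check means a bare 20-byte hash can
   never be mistaken for a wrapped one. */
int is_sha1_digestinfo(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len != SHA1_DI_LEN)
        return 0;
    return memcmp(buf, SHA1_DI_PREFIX, sizeof(SHA1_DI_PREFIX)) == 0;
}

/* Hypothetical helper: normalises caller input to a DigestInfo in out
   (capacity out_cap). Returns bytes written, or 0 on error. */
size_t sha1_to_digestinfo(const uint8_t *in, size_t in_len,
                          uint8_t *out, size_t out_cap)
{
    if (in == NULL || out == NULL || out_cap < SHA1_DI_LEN)
        return 0;
    if (is_sha1_digestinfo(in, in_len)) {      /* already wrapped: copy as is */
        memcpy(out, in, SHA1_DI_LEN);
        return SHA1_DI_LEN;
    }
    if (in_len != SHA1_LEN)                    /* neither form: refuse */
        return 0;
    memcpy(out, SHA1_DI_PREFIX, sizeof(SHA1_DI_PREFIX));
    memcpy(out + sizeof(SHA1_DI_PREFIX), in, SHA1_LEN);
    return SHA1_DI_LEN;
}
```
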

Changes from 2.2.0 (29.8.2019)
- fixed a memory management problem which could crash the driver at CardDeleteContext when unloading, in some special situations.

Changes from 2.1.3 (8.2.2019)
- 4096 bit RSA support
- the cache counter in the cardcf file is automatically increased if the card is updated outside of the minidriver architecture. The minidriver uses MyEID's internal cache counter to check whether the card has been updated since cardcf was last updated. This feature requires card initialization using MyEID Minidriver Utility 1.3.6 or newer. The utility sets minidriver file system version 2 to enable the auto cache counter feature.
- resolved a compatibility issue with cards personalized using OpenSC. The minidriver couldn't correctly handle long key and certificate PKCS#15 IDs assigned by OpenSC.

Changes from 2.1.2 (8.11.2018)
- CardChangeAuthenticator now supports changing the Admin PIN. (In earlier versions, this was possible only using CardChangeAuthenticatorEx.)
- C/R challenge length can be chosen and stored on the card as a global setting for all C/R pins. Allowed values are 8 or 16 bytes, 16 being the default setting. The setting is stored in a PKCS#15 data object. MyEID Minidriver Utility supports setting this value since version 1.3.5.

Changes from 2.1.1 (3.1.2018)
- improved handling of userConsent. In older versions the cache policy of the signature PIN was always set to PinCacheAlwaysPrompt. Now PinCacheAlwaysPrompt is set only if there are associated PKCS#15 objects with userConsent=1 set.

Changes from 2.0.9 (13.9.2017)
- CardGetProperty(CP_CARD_PIN_INFO): for MyEID cards version 4.0.0 and older, sets dwChangePermission = 0 for admin pins. The card used to allow changing the admin PIN only using admin state, and CardChangeAuthenticatorEx did not work correctly. Since 2.1.1, the minidriver allows changing the admin PIN only if the card is MyEID 4.0.1 or newer.
- returns more accurate buffer size in CardGetContainerInfo.
  The minidriver used to return a buffer size that can hold keys up to 8K even when the actual key data was shorter. Some applications might use the buffer size to determine key length, so now the exact length in bytes needed is returned.

Changes from 2.0.8 (6.4.2017)
- Bugfix: With some keyUsage combinations, CardGetContainerInfo could return a keySpec value intended for RSA keys for an EC key container, when mapping keyUsage bits to CNG/CSP's keySpec parameter.
- Doesn't require LABEL to be present in commonObjectAttributes anymore.
- Fixed handling of userConsent.
- a new registry value "PinChallengeLength" to select the length of the C/R PIN challenge and response in bytes. Valid values are 8 and 16, default=16.

Changes from 2.0.7
- passed certification for Windows 10 x64
- published in Windows Update
------------------------------
Changes from 2.0.6
- added support for changing administrator key
------------------------------
Changes from 2.0.5
- bug fix: 521 bit ECC keys were not correctly mapped to certificates. Surprisingly this was not found in CMCK test!
------------------------------
Changes from 2.0.3
- fix to the logic of automatic memory cleanup when unloading the minidriver DLL.
  * Minidriver expected the CARD_DATA structure to stay in the same memory location while tracking contexts, and this caused serious problems when calling the minidriver using Interop from .NET framework, which moved the CARD_DATA around in the CLR heap between calls.
- more improvements to cache
------------------------------
Changes from 2.0.2 (10.5.2016)
- fixed: cache did not work as expected in specific situations. This fix makes the minidriver significantly faster.
------------------------------
Changes from 2.0.1 (28.10.2015)
- fixed: minidriver crashed if there was a 4096 bit RSA certificate installed in the trusted certs file
------------------------------
Changes from 1.2.3 (22.4.2013)
- new features of MyEID 4 series cards are now supported:
  * ECC support up to 256 bit keys
  * CardConstructDHAgreement, CardDeriveKey, CardDestroyDHAgreement (ECDH)
- Minidriver specification v7 functionality has been added
------------------------------
Changes from 1.2.2 (20.2.2013)
- INF file has been updated for 100% Windows 8 compatibility.
- added MyEID version check to CardDeauthenticateEx
- fixed a bug in CardChangeAuthenticatorEx (unblocking did not work in specific conditions)
------------------------------
Changes from 1.2.0 (1.11.2012)
- passes CMCK test on Windows 8 (required minor changes to CardCreateContainer, related to handling dwKeySize)
- PIN change from Windows UI now works also with MyEID cards with version < 3.5
- fixed a bug affecting card unblock in interface v6, using CardChangeAuthenticatorEx
------------------
Changes from 1.1.6 (4.6.2012)
- supports new functionality in MyEID 3.5
- fixed a memory allocation problem in CardCreateContainer(.. , CREATE_CONTAINER_KEY_IMPORT, .. ) which could have caused a crash in rare circumstances.
- fully passes CMCK test up to interface version 6.

Changes from 1.1.5
------------------
- improved mapping between the card's PKCS#15 structure and minidriver's virtual file system.
------------------
Changes from 1.1.3
- treats files kxc## and ksc## as normal data files if they do not contain DER encoded X.509 certificate data
- fixed a bug in ASN.1 Bit String handling. In some situations the old versions interpreted bit string flags incorrectly.
- PUKs are shown in the PIN list (CardGetProperty(CP_CARD_LIST_PINS))
- user pins are now correctly associated with key containers.
  CardGetContainerProperty(CCP_PIN_IDENTIFIER) and CardGetProperty(CP_CARD_PIN_INFO) now return correct information. In the previous version only PIN 1 could be used.
  Note: pins are container specific, so you need to create AT_KEYEXCHANGE and AT_SIGNATURE keys in separate containers if you want them under different pins. If you are using a card that is personalised outside the minidriver environment, they are automatically listed in separate containers.
------------------
Changes from 1.1.1
- added support for CALG_SSL3_SHAMD5 hash type
- fixed incorrect behaviour when CardSignData was called with no hash algorithm specified, with the CARD_PADDING_INFO_PRESENT flag
- minor reliability improvements
------------------
Changes from 1.0.5
- extensive testing has been done to improve reliability and to prevent possible security vulnerabilities. Input data validation has been improved significantly.
- The minidriver specification version 5 is now fully implemented except challenge/response functionality
- version 6 of the specification is supported
- the driver and the installer are now signed with Aventra's code signing certificate
------------------
Changes from 1.0.4
- Remote desktop crashed sometimes while shutting down and unloading myeiddrv.dll. The problem was related to static objects in the C++ STL and DLL unload order. A workaround was found, which ensures that the objects which caused problems are not instantiated at all.
------------------
Changes from 1.0.3
- Installation wizard
- adding multiple certificates by web enroll works correctly
------------------
Changes from 1.0.2
- bugfix: Generated container GUIDs were not unique on cards that had several keys and certificates that were not loaded with the minidriver. Unique container GUIDs are now generated correctly for each container on cards that do not contain a container map file.
-----------------
Changes from 1.0.0
- key size is now written correctly to Private Key Directory File
- minidriver creates and updates a "Container map file" on card, if necessary. In the previous version this file was maintained only in memory. It is required to keep this file on card when doing web enrollment with Windows 2008 domain's CA. Base CSP assigns a GUID to the created key container and it must remain the same between CardAcquireContext calls.