Esigner Windows 6 4 ReleaseNotes CC PDF
eSigner 6.4 for Windows
Release Notes
These release notes provide details about eSigner 6.4.0 for Windows.
What’s New?
This section describes all the differences between this release (6.4.0) of eSigner for Windows and the previous
release (6.2.0).
New Features
■ New parameters for local.conf for controlling HTML page rendering width.
■ Dynamic hash mechanism support. This feature allows eSigner to use the best available hash mechanism.
Corrected Problems
■ OpenSSL has been updated to version 1.0.2h.
■ Improved HTML data support for wide table rendering.
■ Propagation issues for user certificates on V1 cards for some use cases.
■ Propagation issues for root and intermediate certificates on V3 cards for some use cases.
■ The Windows 7 limitation on the total size of certificates allowed in a card for the SCardWriteCache function
used by Microsoft has been increased from 5000 to 10000 bytes.
What’s Gone?
Operating Systems
■ Microsoft Vista support has been removed.
What’s in?
This section provides a full list of hardware, operating systems, peripherals and software that are
supported by Gemalto for use with this current release of eSigner for Windows.
Gemalto strongly recommends that any supported OS should have the latest SP versions.
eSigner 6.4      W7   W8    W8    W8.1  W8.1  Server   Server   Server  Server   W10  W10
                      32b   64b   32b   64b   2008 SP2 2008 R2  2012    2012 R2  32b  64b
                      dtop  dtop  dtop  dtop  64b      64b      64b     64b
IE 7             N    N     N     N     N     N        S        N       N        N    N
IE 8             V    N     N     N     N     S        S        N       N        N    N
IE 9             S    N     N     N     N     S        S        N       N        N    N
IE 10            S    V     V     N     N     N        S        S       N        N    N
IE 11            S    N     N     V     V     N        S        N       S        V    V
FF 45 ESR        V    V     S     V     S     S        S        S       S        V    V
FF 48 latest     V    S     V     S     V     S        S        S       S        V    V
Supported Readers
This release of eSigner supports all the readers that are supported by the version of Classic Client
middleware that is installed in the same bundle. For a list of readers therefore, please refer to the Classic
Client documentation.
In particular, eSigner supports Gemalto’s CT700 and CT710 PIN pad readers, regardless of whether the
PIN pad’s firewall option is set or not.
Supported Middleware
eSigner comes in a “bundle” with the corresponding version of the Classic Client middleware:
■ Classic Client 6.3.11
If your computer already has an older version of eSigner and/or Classic Client, you must uninstall these
manually before installing the eSigner Bundle (Start > Control Panel > Programs and Features).
Note: .doc and .xls are not supported for Java technology in the IdenTrust version.
What’s History?
This section describes the corrected problems and enhancements in each previous version.
Corrected Problems
■ A bug that could lead eSigner to generate an invalid PKCS#7 for certain peculiar key modulus values has
been corrected. A separate note with more details was communicated to issuers. This eSigner release is the
official fix for this bug; it will be installed for end users facing this particular issue with previous eSigner releases.
■ In DDA mode, when selecting a certificate, the GUI did not highlight the selected entry in the certificate list.
The selected entry is now highlighted.
■ The names of two variables in the config.reg file were corrected as follows:
– GUI.ConfigIHMFile was renamed GUI.ConfigIHMDir.
– CustomLogo.Strech was renamed CustomLogo.Stretch.
Corrections
■ In embed mode, when a window is too small for consistent usage, it now appears as a pop-up window of
usable size, as intended.
■ Sometimes a window appeared prompting the user to choose a certificate from a list instead of the correct
choice being made transparently by eSigner. This no longer happens.
■ In some cases in embed mode, Firefox incorrectly interpreted the size of the eSigner window. This is now
corrected.
■ A blank window would occasionally appear. This is no longer the case.
■ The diagnostic tool in Classic Client now displays information for eSigner.
■ Sometimes eSigner would unexpectedly close if the user entered the wrong PIN in non-embed mode. This
is now corrected.
■ Sometimes in the IdenTrust version using Java technology, the main window would be truncated. This is
now corrected.
■ The following bug found during IdenTrust testing in ISPI mode (ActiveX) has been corrected: when
performing a signature, the user entered the PIN code, but then nothing happened!
■ The following bug found during IdenTrust testing in ISIL mode (Java) has been corrected: a signature was
performed when the user clicked on the View Certificates icon.
■ When using eSigner with Firefox, Google Chrome and Safari (Mac) browsers, eSigner would open in a new
pop-up window instead of being in embed mode. This no longer happens.
■ In Internet Explorer, it is now possible to embed eSigner.
Documentation
This release included an Installation and User Guide. Unlike previous releases, this document
covered both the Corporate version and the IdenTrust version.
Enhancements
Some enhancements were made regarding the way eSigner displays.
The default values for the config.reg file have been changed to
height = 350
Note: eSigner 4.0 has been designed for backward compatibility with eSigner 3.0. Any parameters that
were supported in previous versions but are no longer supported in 4.0 will either be ignored or a
message will be displayed.
Features
From this version onwards, the XML digital signature (XML-DSig) export format is not supported.
The following features were removed in eSigner 4.0.6
■ OCSP
■ Time stamping
Corrected Problems
The following problems were corrected in this release:
■ It is now possible to perform signatures involving the SHA-1 hash
algorithm (performed outside the card) with V1 cards in applications
that access the PKCS#11 library through Oracle's Java runtime.
Ref: 395616.
Browsers
■ Added Mozilla Firefox 38 ESR
■ Removed Mozilla Firefox 31 ESR
e-mail Applications
■ Added Mozilla Thunderbird 38
■ Removed Mozilla Thunderbird 31
■ Added Microsoft Outlook 2016
■ Removed Microsoft Outlook 2003 SP1
Other Applications
■ Added Adobe Acrobat Reader 2015 - for document signature
■ Added Citrix Metaframe Xenapp 6.5 on Microsoft Server 2008 R2 (with
Fat and Thin Clients)
■ Removed Entrust Authority 7.1 for certificate enrollment and renewal (not
Entrust Certified)
■ Removed Intercede MyID for certificate issuance and management
(revocation, renewal etc.)
■ Removed Microsoft Office 2003 (up to SP1)
■ Added Microsoft Office 2016
■ Removed Microsoft SharePoint 2010 web server
■ Removed Terminal Services with Windows Server 2003 R2 SP2 – 32-bit
and 64-bit versions (supported for Fat and Thin clients)
■ Removed Windows BitLocker Drive Encryption (Windows 7)
Features
■ PKCS#11 auto registration in Firefox
This feature is no longer supported as the support by Mozilla is not
consistent from one version of Firefox to another.
Browsers
■ Internet Explorer - support added for version 11
Other Applications
■ Adobe Acrobat Reader - support removed for version 10
■ IAS Minidriver only: The minidriver, SCU and IAS API have been
modified to improve the internal handling of transactions. This corrects
several different problems that arose when switching from local to
remote desktop protocol (and vice-versa) smart card logons: Ref
318700.
– When in minidriver mode, the SCU internal transactions are
deactivated - leaving the Base CSP to manage them and thus
avoid memory sharing problems when switching sessions.
– By changing the order in which PC/SC transactions are processed, with
regard to the internal semaphore of the IAS API – this avoids deadlock
when one application accesses the card via P11/CSP and another via
the minidriver.
– The detection of session changes has been improved to avoid freezing
LSASS and also allow log activation.
■ There was a scenario where a new card was inserted in the reader and
the “Init PIN” dialog box forced the user to change the PIN from the
default - as it should. The problem was that when the card was removed
and re-inserted, the same “Init PIN” dialog box forced the user to change
the PIN again. This problem only occurred for cards whose maxLength
parameter (an optional parameter) was not set in the AOD file.
Ref#318863
■ When using “qualified signature” keys to perform SSL authentication to a
web site, the user should be asked to enter the PIN for each session.
Unfortunately when closing and restarting the browser, the user was not
reprompted to enter the PIN.
Browsers
■ Mozilla Firefox - support removed for versions 20-21
■ Mozilla Firefox - support added for version 26
■ Google Chrome - support removed for versions 26-27
■ Google Chrome - support added for version 31
e-mail Applications
■ Mozilla Thunderbird - support removed for versions 16-17
■ Mozilla Thunderbird - support added for version 24
Improvements in Classic Client 6.3 Patch 2 – 001 (since 6.3 Patch 1 – 001)
Supported Smart Cards
The following card is now supported by Classic Client:
■ Optelio/Desineo D72 FXR1
Corrected Problems
The following problems have been corrected in this version:
■ Improvements have been made to PKCS#11 attribute management. This
fixes a problem where an “out of memory” error was returned.
■ The visual C++ runtime libraries installed with Classic Client have been
updated to improve the stability of Classic Client when it is installed on a
server.
■ A problem has been fixed with the C_InitToken function so that the
management of spaces in the label has been improved. This avoids
problems for storing the label EF.
Operating Systems
■ Windows 7 SP1 – 32-bit and 64-bit added
■ Windows Server 2012 64-bit added
Browsers
■ Mozilla Firefox - support removed for versions 12-18
■ Mozilla Firefox - support added for versions 20 and 21
■ Google Chrome - support removed for versions 19-24
■ Google Chrome - support added for versions 26 and 27
e-mail Applications
■ Mozilla Thunderbird - support removed for versions 12-15
Other Applications
■ Adobe Acrobat Reader - support removed for versions 8 and 9
■ Adobe Acrobat Reader - support added for version 11
Operating Systems
■ Windows 8 (32-bit and 64-bit) added
Browsers
■ Google Chrome - support added for versions 20 and 21
■ Internet Explorer - support added for version 10
Other Applications
■ Adobe Acrobat Reader - support added for version 10
■ Microsoft SharePoint 2010 web server - support added
Corrected Problems
The following problems were corrected in this version:
■ The issue of the inability to import the same certificate into Mozilla
Firefox after deleting the certificate is fixed.
■ Registration Tool works properly after Smart Card Logon on a 64-bit
computer.
■ Classic Client Toolbox works properly when a certificate is imported
from the Trusted Root CA in the Internet Explorer Store.
■ Smart Card Logon works properly in Windows XP 64-bit.
■ You can now change the Administrator PIN if BIO PIN is available.
■ Certificates are now recognized when performing Smart Card
Unlock in Windows 7 – 64-bit.
Improvements in Classic Client 6.2 Patch 3 – 001 (since 6.2 Patch 2 – 001)
Corrected Problems
■ There was a problem when Classic Client needed to prompt for the User
PIN when requested by the java applet embedded in a secure web site.
The “Enter PIN” dialog box would freeze. (Ref 148449)
■ This patch corrects some problems concerning the detection of card
reader insertion and removal by the registration tool. (Ref 148458)
Supported Applications
In this version, support for some old versions was removed and support for
some new versions was added. The changes are as follows:
Browsers
■ Mozilla Firefox - support added for versions 14 and 15.
Mail
■ Mozilla Thunderbird - support added for versions 14 and 15.
Improvements in Classic Client 6.2 Patch 2 – 001 (since 6.2 Patch 1 – 001)
Corrected Problems
The following problems have been corrected in this version:
■ The ATR for the “Other Optelio Card (Santander MPCOS)” has been
corrected.
■ A shortcut name has been corrected (“secutity” to “security”).
■ When the user automatically registers Classic Client as a security module
in Firefox, Firefox displays a warning to say “A script from “file://” is
requesting enhanced abilities that are UNSAFE and could be used to
compromise your machine or data”. This is normal, but could alarm the
user. Consequently, a note has been added to the HTML page that
displays during the registration, telling the user that a security warning
may display but it is safe to authorize the installation.
■ A problem existed when using a PIN pad reader when the PIN policy file
was corrupted. This has been corrected so that now, if the PIN policy file
is corrupted, the PIN pad reader uses a default PIN policy.
Supported Applications
In this version, support for some old versions was removed and support for
some new versions was added. The changes are as follows:
Browsers
■ Mozilla Firefox - support added for version 13.
Mail
■ Mozilla Thunderbird - support added for version 13.
Supported Applications
In this version, support for some old versions was removed and support for
some new versions was added. The changes were as follows:
Browsers
■ Mozilla Firefox - support removed for 7.0; added for 12.0.
■ Google Chrome - support removed for 15; added for 19.
Mail
■ Mozilla Thunderbird - support removed for 7.0; added for 12.0.
Enhancements
In Classic Client 6.1 – 005 a feature was added whereby the registration tool
calls the Microsoft Base CSP if Classic Client’s CSP does not recognize the
card. The Base CSP then chooses the correct minidriver for the card
according to its ATR. This feature is mandatory, for example, for people who
have a .NET solution. However, if a card uses its own CSP, it is recognized
neither by Classic Client’s CSP nor by the Microsoft Base CSP, so the
Registration Tool was calling the Microsoft Base CSP to no effect. To avoid this,
an enhancement has been made whereby the registration tool only calls the
Base CSP if the card has an associated minidriver.
Corrected Problems
■ This release corrects a problem where removing a reader was causing
Registration Tool to take up to 90% of CPU.
■ In certain cases, Classic Client had problems detecting card events
(multiple removals and insertions). This release corrects these
problems.
■ Under certain rare conditions, not all of the card data were read. This is
corrected by improving the parsing of the PKCS#15 data structure.
■ In the Toolbox splash screen, the “Show this window at startup” check
box was unresponsive. This release corrects this problem.
■ The reboot message at the end of the installation process in the French
version of Classic Client is now displayed correctly.
■ It is now possible to go into Hibernate mode in Windows when using Classic
Client.
■ Fast User Switching feature is now supported.
Supported Applications
In this version, support for some old versions was removed and support for
some new versions was added. The changes were as follows:
Browsers
■ Mozilla Firefox - support removed for 3.5, 3.6 and 4.0; added for 7.0.
■ Google Chrome - support removed for 13; added for 15.
Mail
■ Mozilla Thunderbird - support removed for 2.0, 3.0 and 3.1; added for 7.0.
Other Applications
■ Microsoft Identity Lifecycle Manager (ILM) 2007 - support removed
New Feature
The setup has been modified such that if you are installing Classic Client and
Firefox is already installed on the computer, you are given the option of
registering Classic Client as a Gemalto Cryptographic Security Module at the
same time as the installation (so that it is recognized by Firefox). You must
reboot the computer to perform this registration.
Corrected Problems
■ Enrollment with IAS ECC card (ref #111755)
After enrolling a certificate on an IAS ECC card, there was a problem when
refreshing the toolbox: The certificate or some of its keys appeared twice.
■ Internet Explorer 9 - SSL client authentication (PIN window is to the center
screen) (ref #111759)
When using IE9 to perform an SSL to a web site, the PIN prompt appeared
in the top left of the screen instead of in the center of the IE window.
■ IE8 IE9 - SSL authentication with Protected mode on (ref #111761)
When Protected mode was enabled for IE 8 or 9 but the web site was not
added in the trusted sites list, it was impossible to connect to this site
using SSL with a card.
■ IAS ECC card: PIN Request on card insertion with a PIN pad reader (ref
#112109)
If the card was removed during a signature scenario, each time the card
was re-inserted the PIN was requested on the PIN pad.
Applications Supported
■ Added Google Chrome 9.0
■ Added Firefox 3.6
■ Removed Firefox 3.0
■ Added Microsoft Outlook 2010
■ Removed Microsoft Outlook Express
■ Added Mozilla Thunderbird 3.0 and 3.1
■ Added Microsoft Office 2010
Cards Supported
■ Added MultiApp ID Dual Citizen EAC 80K CC (with IAS Classic
Applet V3) / IDClassic 3340 (then called Classic TPC DM) (with
Classic Applet V3)
■ Added MultiApp ID Dual Citizen EAC 144K CC (with IAS Classic Applet V3)
■ Added MultiApp ID Citizen BioPIN
■ Added TOP DL V2 – dual (contact and contactless) card.
■ Removed Classic MDE TPC IM (Classic MDE Applet)
■ Removed TOP DM GX4 – MPH51 – dual (contact and contactless)
card with Classic MDE Applet
New Features
■ Fingerprint authentication supported. The smart card must have the MoC
(Match on Card) algorithm loaded inside it.
■ Global bioPIN supported (global PIN that can be PIN or fingerprints).
■ Registration Tool calls the Microsoft Base CSP if Classic Client’s CSP does not
recognize the card.
Pre-Requisite
■ .NET Framework version 2.0 or later must be installed
Corrections
■ PIN Try Counter displays when entering an incorrect PIN during a
Change PIN operation with the registration tool.
■ When entering a PIN in the Enter PIN window, the masking characters
appear correctly. This was not previously the case when the window was
called from a Java applet.
■ For cards that support virtual slots, it is now possible to choose a
slot when enrolling a certificate (all the available slots are visible).
Applications supported
■ Added Firefox 3.6
■ Gemalto’s eSigner 4.0.7 for Windows
Enhancements
Corrections
■ A correction was made that concerns cards containing the Classic Applet
V1 only. After an incorrect IdenTrust PIN entry, the number of remaining
PIN tries is now returned by Classic Client.
■ The following bug was corrected: It is now possible to perform smart card
login and smart card unlock computer operations in Windows Vista and
Windows 7 with a PIN of more than 8 characters.
■ A correction was made that concerns cards containing the Classic Applet
V2 or Classic Applet V3 only. If you call a PKCS#11 function when no
card is inserted in the reader, Classic Client now returns the correct error
code.
Applications supported
■ Added Windows BitLocker Drive Encryption (Windows 7 only)
New Features:
■ The PIN pad reader now supports the minimum PIN length as defined in
the PIN management policy
Cards Supported
Support for the following cards has been added:
New Features: Note that they are available only for cards that contain the IAS ECC applet.
■ A PKCS#15 plug-in has been added to the toolbox. This enables you to
navigate through the PKCS#15 structure of the IAS ECC applet.
■ An Identity Management plug-in has been added to the toolbox. This
enables you to display and modify the identity data in the IAS ECC
applet.
■ The User Setup plug-in has been modified so that an Administrator can
include the PKCS#15 and Identity Management plug-ins and the IAS ECC
token in a User Setup.
■ An IAS API has been added. This provides entry points to enable you to
navigate through the PKCS#15 structure of the IAS ECC applet.
Applications Supported
■ Added Firefox 3.5
Corrected Problems
The following issues have been resolved in this release.
■ Some localization problems have been solved in the Japanese version (Ref
495)
■ When selecting a PKCS#12 file in the toolbox, all the certificates in that
file are automatically selected. This makes importing PKCS#12 files
easier.
■ The CSP is now able to sign data that has been hashed using SHA-256
(Ref 477 and 489)
■ A problem with the C_UnwrapKey function has been fixed – it no longer
creates an extra “ghost” key
■ An object management problem has been fixed – it is no longer necessary
to read the card before creating an object
■ Command data objects for key set management are only updated in the card
when an operation is performed on a key set (set as default; create; destroy)
or by a PIN management operation (change and unblock).
Note: This is the default behavior, but it can be modified by configuring the
TransientRules registry key. Please refer to the Classic Client Integration
Guide for more information on how to do this.
Corrected Problems
■ A problem concerning the display of the PIN prompt when using PIN pad
readers has been corrected. With certain applications (eSigner in
particular), this window was hidden, but this patch ensures it is displayed
in front of all other open windows.
■ GPK cards under Vista can now be used with a reasonable level of
performance.
■ For IdenTrust cards, sometimes PIN messages would relate to the
wrong PIN (IdenTrust instead of User or vice-versa). This has now
been corrected.
■ PIN Pad readers only: After changing a PIN, you need to log on to the
card again with the User PIN. Previously, if the User PIN was entered
incorrectly, a message displayed to say that the PIN had not been
changed, when in fact it had. This message has now been changed so
that it says that the PIN has been successfully changed.
Applications Supported
Support for the following applications has been added:
Browsers
■ Internet Explorer 8
■ Mozilla Firefox 3.0
e-Mail
■ Mozilla Thunderbird 2.0
■ Microsoft Outlook 2003 SP1 and 2007
Other Applications
■ Office 2007
■ Adobe Acrobat 9
■ Adobe Acrobat Reader 8 and 9
■ Citrix Metaframe Xenapp 5.0 (on Microsoft Server 2008)
Cards Supported
Support for the following cards has been added:
■ Optelio D38-D72 R6 with Classic applet v2
■ Optelio Contactless D72 R2 with Classic applet v1
■ MultiApp Easy 72K Type B (with Classic Applet V2)
■ MultiApp Combi 72K Type B (with Classic Applet V2)
Corrected Problems
■ Bug fix in First PIN Change management
Corrected Problems
■ Bug fix in reader selection in User Setup Plugin
Improvements in Classic Client 5.1.4 – 002 (since Classic Client RC Edition 5.1.0 – 003)
Enhancements
■ Support of Virtual Slot through CSP
■ Support of Citrix
■ Support of PKCS#11 find object with some non-standard parameters.
Corrected Problems
■ Correction of C_InitToken side effects
Cards Supported
■ GPK support available in option with User Setup
Enhancements
■ New branding
■ Documentation update
Cards Supported
■ Support of Classic MDE applet
Enhancements
■ Enhanced robustness regarding semaphore management
■ Enhanced robustness regarding abnormal termination of the calling
application
■ Possibility to import PKCS#12 certificates not protected by password
■ Changed import mechanism to be compliant with any type of string
encoding in certificates.
■ When the type of a certificate is unknown, it is considered to be an
exchange certificate
■ Stability improvement during the enrollment phase
■ Full Office compatibility for multi languages in container names
■ Possibility to perform common criteria signature through CSP.
Corrected Problems
■ Added “critical section” of code to avoid a lock on multiple signatures in
a single thread
■ Correction of display error on a Chinese certificate when imported with
Certificate tool or CSP
■ Correction regarding import from IE store
■ Corrected display of Chinese characters for certificate name in Certificate
Tool, and in Registration Tool
■ Corrected issue of importing certificate with Chinese name in Certificate Tool.
What’s Up?
This section provides a list of the known issues at the time of this current release and also of
the limitations of the product.
Known Issues
When uninstalling 64-bit versions (both CORP and IS), a message may appear saying
“NXPlugIn.dll cannot be unregistered”. Just click OK – the uninstallation will complete
successfully.
For Identrust installations, the “Identrust.Version” parameter must always be specified.
If a smart card is expired and has never been initialized, eSigner first displays an error
stating that the certificate is not valid rather than that the smart card is not initialized.
In browsing mode, when a user is loading a multi-page document from the hard drive, a
refresh issue can occur on the first rendering of the first page.
The Print button is not disabled when signing a document not supported by the eSigner
internal viewer such as a Word or .pdf file. #Ref193718
If a web page uses target="_new" to open a signature result in an external window, the
window is treated as a pop-up and is blocked by default in most modern browsers.
#Ref189595
When installing eSigner on a Terminal server running Windows 2008 R2, the
MSIEmbeddedChainer function is not supported:
http://msdn.microsoft.com/en-us/library/windows/desktop/bb736316(v=vs.85).aspx
Therefore, it is not possible to install the eSigner bundle. eSigner must be installed
separately from Classic Client.
When the eSigner banner is customized with a logo (integration customization), the logo
appears correctly, but the hyperlink to the given URL does not work. This behavior is the
same for both modes: embedded and pop-up. Ref#176970.
If the multi-page display feature is deactivated (LargeData.MultiPageDisplay = 0), or the
value of Text.Plain.MaxGridSize is increased from the default of 360,000 characters the
eSigner window may have difficulty in managing the data.
The Save button always appears and is enabled, even if the
CFG_GUI_SHOWSAVEBUTTON parameter is set to 0 (meaning hide Save button). Refs
#152920 and #159801
When the Sign.Save.Button parameter is set to 2 in the local.conf file (meaning hide the
Save After Signature button) the button is masked by a white square or rectangle. This
happens in both modes (embedded and pop-up) Ref #125688.
The eSigner window is grayed out after cancelling a Save Signature File process. The user
has to reload the page. Ref #125559.
When trying to sign an external data source, if Internet Explorer returns the error page
404 (page not found), eSigner signs this error page.
When verifying a signature, you cannot navigate around the eSigner window using the
keyboard only.
In Internet Explorer, the response sent by eSigner to the web server is sometimes missing
the “content-type” field.
When using the Print button in eSigner, some extra blank pages may be printed at the
end of the document.
For the IdenTrust version, in Java technology, the menu is not displayed.
When choosing the DDA shortcuts to perform an operation, you should not be able to
perform another operation until the first is completed. Unfortunately, you can.
When the CFG_GUI_SHOWSIGNBUTTON is set to 0, the Sign button appears disabled,
as it should. However, the Sign option in the Post menu does not appear dimmed, giving
the impression that it can be used to make a signature. However the signature can still not
be performed with the DDA shortcuts.
CustomLogo.Url should not be specified in the local.conf file. The parameter
CFG_GUI_CUSTOM_BMP_URL should be used instead.
The following parameters have not been implemented:
CFG_GUI_BUTTON_BMP
CFG_GUI_BUTTON_BMP_URL
In practice, the button mode can only be used with text but not with a picture in the button.
When changing the Admin PIN via the toolbox, using a CT700 PIN pad reader, the reader
display asks the user to enter the User PIN instead of asking for the Admin PIN. Entering
the User PIN would of course be regarded as an invalid attempt as far as the Admin PIN
is concerned, and there is a risk that the user could accidentally block the Admin PIN.
(Ref #175897)
When installing a User Setup, a dialog box offers the possibility to perform a customized
installation, but at present there are no customizable options, so the installation is exactly
the same as the typical one. (Ref #175946)
When the user is forced to change the User PIN when inserting the smart card for the first
time, a dialog box should display to enable the user to do this. The Reg Tool should do
this, but does not. The Classic Client Toolbox may perform the operation, but naturally
there is no guarantee that it will be running. (Ref #176094)
User setup only: In cases where a User PIN Policy and an Administrator PIN policy have
been defined, Classic Client checks that the new PIN obeys the rules defined in the
Administrator PIN policy when unblocking a PIN. It should be the User PIN policy that is
used. A workaround is to make sure that the Administrator PIN policy and User PIN policy
are identical (Ref #4585).
For cards with the Classic Applet V3, it is not possible to sign documents in Microsoft
Word 2003 and Excel 2003 spreadsheets because the “Digital Signature” window is
blank. This is not an issue for the 2007 and 2010 versions of Word and Excel. (Ref: Issue
#4505)
When locking the computer, please make sure that no PIN windows are open on the
desktop; otherwise it may not be possible to unlock the computer using the smart
card/token.
It is mandatory not to overload any Java card (such as any IDClassic 3XX or 3XXX card).
Use Classic Client Toolbox to check for free key containers and free memory space
before adding keys and certificates on the card.
When the Toolbox calculates the amount of free memory in the smart card, it does not
take read-only certificates into account.
The Splash Screen “display timeout” feature used in user setups is ignored. (Ref 120).
If you remove and reinsert your card too quickly, you may find that when you attempt to
unlock your system that the following message appears “Your credentials could not be
verified”. In this case, remove the card and allow a short pause before reinserting the
card. You should then be able to unlock your system as normal.
For some specific card personalizations, Classic Client 6.x behaves differently than
GemSafe™ Libraries 4.x.
Firefox does not systematically refresh the certificate display when removing/ inserting
cards. (Ref 344)
As Firefox uses static management of PKCS#11 slots, moving cards between readers can
lead to problems. If this occurs, it is recommended to close Firefox and re-open it. (Also
Ref 344)
It is recommended not to perform a reader hot-plug on a Citrix Client.
Normally, performing an SCardDisconnect operation should free a mutex called
CTXMTXSmartCard, so that it can be accessed by other threads. However,
this does not always work.
In a Citrix environment, it is strongly recommended not to disconnect the Citrix session.
Instead you should log off. If disconnected, a Citrix session must be re-opened on the
same PC to recover its specific smart card environment.
CITRIX: 2 sessions opened from the same terminal not supported - Smart Card Logon (Ref 354)
CITRIX: 2 sessions opened from the same terminal not supported - Normal Logon (Ref 355)
If you perform a smart card logon with the Classic Applet V1, and then perform a smart
card logon with the Classic Applet V2, the second log on will fail. This is also true for
Classic Applet V2 followed by Classic Applet V1. (Ref 253)
Under Vista, using the Toolbox, it is impossible to export a certificate to the IE store.
Gemalto recommends that you close Internet Explorer after each certificate enrollment on
Citrix.
If Classic Client is used with several readers and several cards at the same time, it can
become overloaded if you perform too many card movements, for example, swapping
cards from one reader to another, or even withdrawing and reinserting cards in the same
reader. When overloaded in this way, it is possible that Classic Client will confuse one
card with another.
Problem enrolling certificates with IE under Vista when using virtual slots. (Ref 470)
When signing a document in Adobe Acrobat Reader 9, Adobe prompts you to select
SHA-256. However, when using the CSP security module, the signature is performed using the
SHA-1 algorithm. This means the signature cannot be successfully verified as the hash
algorithm is wrong. This does not apply to later versions of Adobe Reader as you are not
prompted to choose an algorithm. (Ref 483)
With IAS ECC cards only, the Card Properties plug-in does not display the amount of free
memory for the private portion and public portion of the key. It also does not provide the
“Advanced” view of the card. (Ref 486)
Citrix Metaframe Xenapp 5.0 is very slow when disconnecting: (Ref 490)
o A Winlogon temporary session appears to freeze (but in fact it just takes
more than one minute to disconnect).
o When two sessions are open simultaneously, changing from one session to
the other can take over one minute.
o When two sessions are open simultaneously, changing from one session to
the other can cause a “network error” or a “Wshell error”.
When more than one session is open in Citrix Metaframe Presentation Server 4.5, the
sessions' mutexes get mixed up. This can cause a deadlock and block at least one of the
sessions. (Ref 491)
There can be installation problems when installing Classic Client on a PC that already has
Classic Client installed - it depends on the version and specifics of the version that is
already installed. Gemalto recommends therefore that you uninstall the old version of
Classic Client before installing the new one. (Ref 492).
If you try to update a certificate through the Personal Data plug-in, the update fails. (Ref
493).
For the Administrator version or a user setup which includes the IAS ECC applet and an
(IAS) Classic Applet (V1, V2 or V3): It is possible after opening a new session that the first
SSL authentication may not work. (Ref 537)
Solution for User Setups: Make sure that the setup includes only the tokens that are
needed and in the case of IAS ECC tokens, that the setup includes the IAS ECC token
only.
General Solution: After opening the session, perform another operation (such as opening
the Toolbox, or signing an email) before attempting the SSL authentication.
Localization Issues
There are still some localization issues for non-English versions of the product.
In Windows Server 2008 64-bit version there is a sentence in the PIN administration tool
that appears in English (Ref 282)
In Windows Server 2008 64-bit version there is a sentence in the PIN dialog box that
appears in English (Ref 283)
Unicode characters of a specific language are correctly displayed only on an OS version
of the same language (for example, Simplified Chinese characters are correctly displayed
only on Simplified Chinese Windows).
Product Limitations
For some use cases in HTML mode displaying wide tables, eSigner can support up to
1000 displayed rows. This applies, for example, to a full table of BACS payments containing
approximately 1000 payments.
Sometimes in multi-page mode, if the data is too large, the signature cannot be verified.
The Pkcs11.ForcePin parameter is valid only for V2/V3 cards and even then it depends
on how the cards have been personalized. Ref#179286
msiexec.exe must NOT be run with the /forcerestart parameter; otherwise the computer
restarts after the installation of the bundle, which means that Classic Client and eSigner are
not installed at all. Ref#183165.
In multi-page mode, if a single line of data is larger than the Text.Plain.MaxGridSize
parameter, the data cannot be broken into multi-pages and eSigner returns an error to say
the file is too large. You should make sure that no single line exceeds the MaxGridSize.
As indicated earlier, when going to multi-page display, eSigner always displays in pop-up
mode, regardless of the window size parameter values. Ref #176970.
Text in documents to be signed must be limited to those in the ASCII range of 33-126.
The following table is a reminder of the ASCII values in this range. Ref #179657.
Internet Explorer 10 provides two interfaces: Desktop and Metro. The Metro interface of IE
10 is not supported, because it does not support plug-ins. On the Metro interface, the web
page calling eSigner appears with an empty frame instead of the eSigner window.
Internet Explorer 10 is supported by the 32-bit version of eSigner only (not the 64-bit
version of eSigner).
The 32-bit version of the eSigner bundle cannot be executed on a 64-bit operating
system, such as Windows 8. Similarly, a 64-bit version of the eSigner bundle cannot be
executed on a 32-bit operating system. Such attempts are refused.
Note: The 32-bit version of eSigner can be installed on a 64-bit operating system by
executing the 64-bit version of the eSigner bundle (which installs both the 32-bit and 64-
bit versions of eSigner). In such a case, the 32-bit version of eSigner can run on IE 10,
even when IE 10 is configured in Enhanced Protected Mode (thus behaving like a 64-bit
version of IE).
Only regular versions of Firefox are supported, not the nightly build versions.
The PIN Pad Reader ref: P/N HWP113026B is not compliant with eSigner 4.X regarding
the Change PIN at first use feature. This is a known PIN Pad reader HWP113026B
limitation. Up-to-date supplied Gemalto PIN Pad readers do not present this issue.
When calling eSigner to sign a file, you must specify the mime-type for each type of file
that you want to be able to sign. If you do not, the browse function (when selecting a file to
sign) will not work correctly. The extension of the file you are opening must correspond to
the type of file specified in the mime type.
In Internet Explorer, when starting eSigner in “Button” mode, the button size must be
given - otherwise the button will be displayed as a single pixel. eSigner 3 had the same
limitation.
In certain cases where the eSigner call made by the server is incorrect, the error message
that should be sent to the server may not be sent or may not be exactly as expected or
may not display correctly – depending on the browser. These issues should not occur in a
normal call to eSigner by a correct live web site complying with the eSigner call
specifications. These problems could affect web developers when developing new calls.
There is no counter-signature process implemented; when calling eSigner with a
mime_type text/signature, eSigner does not propose an additional signature on top of the
input signature.
Third-party browsers (for example Internet Explorer and Firefox) must be installed on the
PC before eSigner.
Note: Gemalto therefore recommends that if you want to install a new version of a browser,
you should uninstall eSigner, then install the browser, then reinstall eSigner.
■ Windows Smart Card Logon with PIN pad readers (CT700 and CT710)
is not supported for the V1/V2/V3/IAS smart cards.
■ The MS Edge browser is not supported by default because the CSP cannot
load certificates for it, so it is not possible to perform SSL authentication.
It is possible to configure Classic Client to use the minidriver instead of
the CSP to propagate certificates so that Edge can be used for SSL
authentication.
Note: This solution is supported only for V2 and V3 cards. Edge is not supported at all for V1
and IAS cards.
Under the RegTool key, located as shown below, create a REG_DWORD value called
ForceMinidriver and set it to 1 in order to force the Registration Tool to load certificates using
the minidriver instead of the CSP.
Set this value to 0 to revert to the default behavior (loading certificates using the CSP,
which makes them unusable under Edge).
The RegTool key is located in:
o 32-bit machines: "HKEY_LOCAL_MACHINE\SOFTWARE\Gemplus\Cryptography\RegTool"
o 64-bit machines: "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Gemplus\
Cryptography\RegTool"
The ForceMinidriver value is created directly under that key.
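The following PowerShell script is an added example, not part of these release notes or of Gemalto's tooling. It applies the ForceMinidriver setting described above, choosing the 32-bit or Wow6432Node path according to the OS bitness and recording the previous value so the change can be reverted with -Value 0. It assumes the key paths quoted above; creating the RegTool key when it is absent is an assumption (the notes do not state whether the key exists on a fresh install). Run it from an elevated prompt, and remember that the minidriver path is supported only for V2 and V3 cards.

```powershell
# Added example (not Gemalto's code): set the RegTool ForceMinidriver value
# described in the eSigner 6.4 release notes. Run elevated.
param(
    [ValidateSet(0, 1)]
    [int]$Value = 1   # 1 = load certificates via the minidriver, 0 = default (CSP)
)

# Pick the key path the notes give for the machine's bitness.
# Per the notes, 64-bit machines use the Wow6432Node path.
$keyPath = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\Gemplus\Cryptography\RegTool'
} else {
    'HKLM:\SOFTWARE\Gemplus\Cryptography\RegTool'
}

# Assumption: the notes do not say whether RegTool exists on a fresh install,
# so create it if it is missing rather than failing.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Record the previous value so the change can be reverted later.
$previous = (Get-ItemProperty -Path $keyPath -Name ForceMinidriver `
    -ErrorAction SilentlyContinue).ForceMinidriver
$shown = if ($null -eq $previous) { '<absent>' } else { $previous }
Write-Host "ForceMinidriver before: $shown"

# Create or overwrite the REG_DWORD value.
New-ItemProperty -Path $keyPath -Name ForceMinidriver -PropertyType DWord `
    -Value $Value -Force | Out-Null

$current = (Get-ItemProperty -Path $keyPath -Name ForceMinidriver).ForceMinidriver
Write-Host "ForceMinidriver after:  $current  ($keyPath)"
```

Usage: `.\Set-ForceMinidriver.ps1` (sets 1) or `.\Set-ForceMinidriver.ps1 -Value 0` to revert. The same setting is what the later note on SHA-256 with Microsoft applications refers to, so the script serves that case as well.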
Browsers now use TLS (the successor of SSL). TLS v1.2 uses SHA-256 for the client
authentication signature, as SHA-1 is deprecated. This means that if the browser and server
negotiate TLS v1.2 for authentication, it is not possible to perform the signature with V1 and
V2 cards, which do not support SHA-256.
After entering an incorrect PIN, Mozilla Firefox does not display an "incorrect PIN" error
message or indicate how many attempts remain. It appears to the user as if Firefox is
re-prompting for the PIN for no apparent reason. This is true even after the PIN has been
blocked. This is a limitation of Mozilla Firefox and not of the middleware itself. (Ref
#5711).
IMPORTANT: If a computer is using Citrix Client (ICA) or Terminal Services, Classic Client
must not be installed on both the Client and the Server.
It is not possible to use the Covadis Auriga Reader-Scanner with the Gem PC Twin reader
due to hardware limitations. Auriga uses the same PC/SC channel to perform both fingerprint
scanning and smart card transactions.
For cards having two virtual slots, only the first slot is identified and used at smart card
logon. This is because the current minidriver specification has no way to identify and select
between the two virtual slots.
It is impossible to import a “sign only” certificate through Firefox. This is a limitation of Firefox,
NOT Classic Client.
Firefox imports “sign-only” certificates into a “sign and exchange” key container. This is an
issue for CC certified applications, as the certificate must be imported into a “sign-only” key
pair.
Under Vista, only the first slot can be used to perform a smart card logon.
Impossible to import p7 and .cert certificates files in the card if the card does not contain the
corresponding RSA key pair (Ref 122)
To use EFS (Encrypting File System) on Windows Vista, you must use a non-self-signed
certificate and perform the EFS operation with no card inserted in the reader. Wait until EFS
prompts you before inserting the card.
It is not possible to perform SHA-256 operations using Microsoft applications (CertEnroll,
Outlook, and so on) when CSP is used to load certificates. This is due to the fact that
Microsoft applications require the use of a KSP (key storage provider) to use certain
cryptographic algorithms such as SHA-256. It is possible to perform SHA-256 operations
when the minidriver is used to load certificates but only with V3 and IAS cards. To use the
minidriver, create a ForceMinidriver REG_DWORD value under the Regtool key as described
earlier in this section on page 30.
The operations Verify PIN, Change PIN and Unblock PIN cannot be performed in the secure
desktop of Windows for cards that impose secure messaging for these operations. This is true
for Windows Vista, 7, 8, 8.1 and 10.
When registering Classic Client as a Cryptographic Security Module (CSM) in Firefox, it is
only registered for the current user account. If another user logs on to the computer, Classic
Client will need to be registered manually. This can be done either as described in the Classic
Client User Guide or by using the registration utility (Start > All programs > Gemalto > Classic
Client > Cryptographic Security Module registration).
If you uninstall Classic Client, it is not automatically unregistered as a CSM in Firefox. This is
not necessarily important, but if you really want to unregister Classic Client in Firefox, do so
manually before uninstalling Classic Client (Start > All programs > Gemalto > Classic Client >
Cryptographic Security Module unregistration).
For certain versions of Microsoft Outlook it is not possible to sign a mail in Microsoft Outlook
using a qualified signature in a card with the IAS XL / IAS ECC applet. This is because
Outlook performs the hash instead of allowing the card to perform the hash as required.
When using Adobe Reader, users can perform login and logout in the Security Settings
window. After performing a login, if users remove and re-insert the card, they still see the
card status as "logged in". At this point, if users press the Logout button, logging out fails.
This is an Adobe Reader issue due to the way it obtains the card status: the card status is
updated only while the Security Settings window is open. If the Security Settings window
is closed, Adobe Reader is unable to know the status of the card.
An improper certificate name is displayed after importing the certificate using Firefox.
When users import a certificate file that does not have a friendly name, Mozilla Firefox
generates a new random string as the name of the certificate. As a result, a not-so-friendly
certificate name is displayed in the Classic Client Toolbox.
Users are unable to perform SSL Authentication using Internet Explorer 11 in Windows 8.1 if
using the Metro interface with “Enhanced Protected Mode” activated (not to be confused with
standard Protected Mode).
Google Chrome does not support Certificate Enrollment, so users are unable to perform
certificate enrollment using Google Chrome.
PKCS #11 security registration is not supported in Firefox 15 and later. This limitation is due
to the removal of a JavaScript privilege module in Firefox 15 for security reasons.
Observations
Buttons for multi-page navigation (previous, first, next, last page) are never disabled.
Using them has no effect when they are irrelevant.
If a user edits the local.conf file manually, the file's permissions can be changed, and
eSigner might stop working because of the modified access rights.
If previous versions of eSigner and/or Classic Client are already present on the PC, you
must uninstall these before running the eSigner bundle. Ref #182
If the multi-page display feature is activated (LargeData.MultiPageDisplay = 1), and the
user clicks Print, only the current page is printed – not the whole document. Ref #183214
If the eSigner bundle is run from an administrator account, including the case where an
administrator performs a silent installation for a user, the bundle appears in the Control
Panel > Programs and Features, as it should. However it appears only when an
administrator account logs on to the machine – not when a standard user logs on. This
means eSigner and Classic Client cannot be uninstalled by uninstalling the bundle when a
standard user is logged on. Ref#183163.
Note: There is no problem if eSigner is installed from a standard user account that
temporarily has administrator rights.
This section describes the documentation that is provided with eSigner 6 and where to find it:
eSigner 6 Documentation