CSPid Support

  • Downloads
  • History
  • Knowledgebase
Description | Date | Notes
CSPid Admin Guide | 11/15/16 | Admin Guide for version 5.1.0
CSPid CAPI Guide | 2/08/17 | Admin Guide for the CSPid PKCS#11 Bridge for 5.1.0
CSPid User's Guide | 11/15/16 | User's Guide for version 5.1.0
CSPid 5.1.0 Release Notes | 11/15/16 | Release notes for version 5.1.0 (Windows)
CSPid Admin Guide | 5/22/14 | Admin Guide for version 4.0.0
CSPid User's Guide | 4/08/14 | User's Guide for version 4.0.0
CSPid 4.0.0 Release Notes | 4/08/14 | Release notes for version 4.0.0 (Windows)
CSPid User's Guide | 1/31/14 | User's Guide for version 3.1.0
Using CSPid with Citrix | 8/16/12 | Guidance on using CSPid 3.0 and below in a Citrix environment
CSPid VPAT | 5/29/09 | Section 508 VPAT for CSPid


Release 5.1.5

Package Enhancements:

  • #6703 Adding '--no-warnings' to the cspid_cli will suppress warning messages issued by the command.
  • #6707 Starting the system tray application with the '--login' option now properly calls the startup event to sync with CAPI.
  • #6710 C_GetFunctionList now returns the supported PKCS#11 API version rather than the CSPid library version.
  • #6721 On Windows, the CSPid DLL refuses to load for processes running as the SYSTEM user. This check can be disabled by setting the system-wide Windows environment variable CSPID_INT_ALLOW_SYSTEM_USER=1 and restarting.
  • #6722 On Windows, if permanent password caching is enabled and the system tray application cannot recover the password from the cache, the system tray application will prompt the user for their password and cache it.
  • #6723 On Windows, the cspid_cli '--initalize' command will now remove all CSPid-related objects from CAPI as part of the process.
  • #6725 When the feature is enabled on Windows, CSPid will push changes to CKA_LABEL values to the CAPI friendly name value. See #6728 for more information.
  • #6726 A log file is no longer created if logging is enabled but only critical items are being logged. Only 'info' level or above will trigger the generation of a separate log file.
  • #6727 In certain Windows environments it may be necessary to completely clear the user's personal CAPI store and re-add the CSPid objects each time the CSPid system tray starts. Set CSPID_INT_CLEAR_CAPI_ON_START=1 in the CSPid configuration file, or set "Remove and re-add CSPid objects to CAPI (Windows Only)" to yes, in the Bagala Editor's 'Internal Use' section.
  • #6728 On Windows, the ability to sync CKA_LABEL with the friendly name value in CAPI is now user configurable (if allowed by the installed CSPid configuration). A new tab appears in the Options dialog and includes a check box to enable/disable this feature. This option can be controlled globally for all users by setting CSPID_CAPI_SYNC_LABEL_FNAME=0 in the CSPid configuration file or by setting "Make Friendly Name match CKA_LABEL" to 'no' in the Bagala Editor's CAPI section. In the Bagala Editor the default is to allow the user to change the setting. To prevent the user from changing the value, change 'yes' in the "User Configurable" column to 'no'.
Release 5.1.4

Package Modifications:

  • #0000 On Windows, CSPid no longer writes its persistent random value to the INI file. This value is now written to the Windows registry. This reduces the number of updates to the INI file that require it to be copied to the local cache location.
  • #0000 On Windows, the system tray application no longer polls the PDU's last modified time to determine whether or not the PDU needs to be copied to the local cache location. Instead the PKCS#11 library will invoke the system tray application with the '--make-local' option when it stores the PDU.
  • #6663 The CSPid PDU file is no longer occasionally corrupted when the local cache copy of the PDU file is created. The expanded section of the PDU is now locked before writing when the PDU size increases.
Release 5.1.3

Package Modifications:

  • #0000 The CSPID_INT_PROTECTED_APPS value is actually used, allowing applications other than those in the default list (Acrobat, Microsoft Edge, and the Cisco VPN client) to be placed on the list of protected applications that should use the local cache.
Release 5.1.2

Bug Fixes:

  • #6652 On Windows cspid_cli no longer crashes when '--password' is used with the file:filename parameter format and the file does not exist.
  • #6662 cspid_cli's '--gen-jks' command works properly again.
  • #6663 The CSPid PDU file is no longer occasionally corrupted when the local cache copy of the PDU file is created.
Release 5.1.1

Bug Fixes:

  • #LS977 cspid_cli's --get-new-pin and --get-pin no longer hang when the output file exists and --yes-to-all is absent from the command line. The output file is now always overwritten, if present.
  • #6599 cspid_cli's --post command now outputs an informative error message if the address in the URL doesn't match the server's certificate.
  • #6600 Users can again successfully import .p12 or .pfx files using the Windows context menu and 'Open With CSPid'.
  • #6601 When using DAS-enabled CSPid with the PKCS#11 CAPI library, users can successfully set the 'Use for Decryption' option.
  • #6614 Properly creates the local PDU cache folder on startup, if it doesn't already exist.
  • #6631 The CSPid-CAPI documentation now includes the PKCS#11 Slot Label for the virtual device: ISC CAPI
  • #6647 When importing a PKCS#12 file using the cspid_cli's '--import' command with the '--label' option, the provided label value is, once again, appended to the friendly name that is either found in the PKCS#12 file or created by CSPid.
Release 5.0.0

Package Enhancements:

  • client-side key generation is supported for use with CCMS 4 and above
  • support has been added for Windows 10, Fiddler, and other .NET-based applications
  • added support for managed CRLs; on Windows, managed CRLs are installed into the Windows store
  • performance with Windows services using impersonation has been improved (requires password caching to be enabled and the password to be cached)
  • OCSP server configuration adds an option that causes CSPid to regard as "revoked" any certificate not explicitly validated by the server (e.g., with this option an "unknown" response is regarded as a validation failure)
  • additional key derivation options are now available when deriving symmetric keys from the user's PDU password
  • a fourth audit trail level, filtered debug, is now available that attempts to scrub sensitive information from the debug level
  • descriptions of the blacklist and whitelist options and functionality in both the administrator's guide and the Bagala Editor have been improved
  • the Bagala Editor text for the CCMS URL now supplies an example
  • keyboard shortcuts for common tasks have been added
  • the executables and MSI package are now signed using SHA-256
  • the type 2 Firefox add-on included with CSPid 5.0 has been digitally signed by Mozilla as required by Firefox version 43 and above
  • an RPM installation package is now available
  • due to customer demand, the combined CMU/CSPid package is again available
  • RSA 3072 and 4096 are now supported in the cspid_cli '--gen-p10-type' option
  • cspid_cli now supports per-session password caching on systems that do not include a system tray; use the CLI option '--cache' to cache the password and '--cache-quit' to clear the password and terminate caching
Operational Changes:
  • deleting a certificate in Advanced view no longer deletes the public and private keys associated with it
  • if CSPid Manager is configured to hide its system tray icon on startup, it offers a 'Hide' option rather than 'Exit'; to exit, the user must run 'cspid_ui --exit'
  • Renew now checks the validity of the user's certificates, including revocation checking, so that it can perform the renew operation if the user's certificate has been revoked
  • OCSP support has been renamed 'Windows Validation Client' and now supports revocation checking options of none, CRL, or OCSP on a per-host or per-issuer basis
  • The 'Renew my certificate' system tray option is now enabled if CCMS renewal is enabled
  • Register with applications (which is run whenever the CSPid Manager is started) now deletes all CSPid credentials from CAPI and then recreates them
  • most configuration strings are now trimmed of whitespace when CSPid reads them from the CSPid.xml file
  • CSPid falls into read-only mode if the calling process is running at a low integrity level; applications that should run in read-only mode may now be named explicitly in the configuration settings
  • when per-session password caching is enabled the CSPid library now attempts to eliminate unnecessary password prompts before CSPid Manager is started
  • 'cspid_cli --list' now outputs additional certificate information
  • improved handling of friendly name values in Microsoft CAPI: friendly names in PKCS#12 files are used as CKA_LABEL values during import, and CKA_LABEL values are used when exporting PKCS#12 files
  • on Windows, the program path in java_pkcs11.cfg has been changed to the System folder
  • on Linux, when installed in the default /opt/cspid location, cspid_cli and cspid_ui no longer require LD_LIBRARY_PATH to be set; the rpath value in the executables has been updated to include /opt/cspid
New Admin Features:
  • a new option is available to lock the user's PDU to a subset of the configuration options so that the PDU is only useable if the same or stronger settings are present at run time
  • the "Allow impersonation (Windows Only)" option in Bagala->General CSPid->Internal Use can be used to prevent services and other processes from impersonating the user and accessing their CSPid key store
  • the "Suppress CKR_USER_ALREADY_LOGGED_IN" option in Bagala->General CSPid->CSP can be used to specify applications for which CSPid should return CKR_OK instead of CKR_USER_ALREADY_LOGGED_IN
  • the "Assert CKF_PROTECTED_AUTHENTICATION_PATH" option in Bagala->General CSPid->CSP can be used to specify those applications for which CSPid should set the CKF_PROTECTED_AUTHENTICATION_PATH flag when C_GetTokenInfo is called and either per-session or permanent password caching is enabled
Bug Fixes:
  • corrected an issue where applications would stop working once the configured password timeout had expired.
  • the internal path validation module properly supports hierarchical PKIs with more than two levels
  • CSPid Manager no longer crashes when the CLI initializes the PDU
  • 'cspid_cli --cfg-update' now works when the current configuration is malformed
  • 'cspid_cli --ccms-retrieve' with '--debug' no longer returns a spurious invalid session handle error.
  • Internet Explorer and other applications should no longer crash when the Windows Validation Client is enabled
  • the JAWS screen reader now speaks the correct window titles for password prompts and CSPid Manager
  • Qt console output is now suppressed
Release 4.0.0

The following enhancements are included:

  • added support for centralized administration (with Bagala)
  • added ability to cache DAS responses and support for the new DAS Proxy API
  • improved Firefox integration
  • Windows port now uses CSP/KSP and no longer relies on any Microsoft smart card components (i.e., the smart card minidriver shim in the diagram below has been eliminated)
  • integrated certificate manager now sorts installed certificates into categories

 

Release 3.0.2 to Release 3.1.0

Changes:

  • CSPid Manager now provides an 'Export all' menu item that allows you to export your certificates as individual .der/.p12 files
  • the configuration file supports two new options to provide control over private key export attempts from Firefox and to optionally display a system tray popup message when that is not allowed (see CSPID_INT_PRIVATE_ATTRIBUTE_EXPORT and CSPID_INT_PRIVATE_ATTRIBUTE_ACCESS_MESSAGE in the .cfg file)
  • CSPid will now attempt to remove the CAPI private key link file in 'AppData\Roaming\Microsoft\SystemCertificates\My\Keys' when deleting credentials

Release 2.1 to Release 2.2.5

Improvements in cspid_cli:

  • '--import' command now supports a '--replace' option
  • added '--graphical-prompt' option: when necessary, user is prompted for additional input (and program no longer hangs with an invisible window when used with REGAPPSCM)
  • '--export' command (with '--exp-pin-cspid' and password caching enabled) no longer prompts for a password and exports the user's keys without error

Improvements in CSPid Manager:

  • the CKA_LABEL field is now editable
  • command line now supports '--exp-pin-cspid' and properly logs in when a command is executed but the user is not yet logged in (say for 'Register with Applications')

Other improvements:

  • double clicking system tray icon makes active the resulting dialog (main UI or password prompt)
  • new PWCACHE=1 option caches password for entire session (requires system tray app to be running): on first use CSPid prompts for password and then behaves as for PWCACHE=2 until user logs off or quits system tray app, at which point the cached password is cleared
Release 2.0 to Release 2.1

Enhancements:

  • #4489: added password timeout option to require password reentry after a period of inactivity
  • #4490: protects sensitive key and other material kept in memory; see CSPid User's Guide for details
  • #4511: added GUI command line option '--start-hidden' for use on operating systems that do not have a system tray

Corrected Defects:

  • #4443: '--export-all-keys' option now properly errors when unable to save a file
  • #4467: password prompt for PKCS#12 import now includes the name of the file the user is trying to import
  • #4476: '--showsuccess' message no longer appears after each successful PKCS#12 file import when using the '--import' GUI command line option
  • #4481: password creation dialog now informs the user when the entered passwords do not agree

Use of CSPid with certain versions of SA5CLI (#3333)
There appear to be compatibility issues between CSPid and SA5CLI versions 5.9.4 and 5.9.1, which we believe are due to bugs in those SecretAgent builds. If you encounter this problem, please request an SA5CLI update.

Clicking on "ISC CSPid" in the Firefox 2/Linux Security Devices dialog causes Firefox to crash with the error:
*** glibc detected *** free(): invalid pointer: 0x0a346c30 ***
This didn't happen with Firefox 1.5 and hasn't been noted on other platforms, so it is most likely a Firefox bug.