
eSigner 6.4 for Windows
Release Notes

Document Reference: D1411144A


May 5th 2017

Contents

What's New? (p. 3)
    New Features (p. 3)
    Corrected Problems (p. 3)
What's Gone? (p. 3)
    Operating Systems (p. 3)
What's in? (p. 4)
    Supported Operating Systems and Applications (p. 4)
    Supported Readers (p. 4)
    Supported Middleware (p. 4)
    Supported Smart Cards (p. 4)
    Supported Thin Clients (p. 5)
    Supported Document Types (p. 5)
    Compliant with the Following Standards (p. 5)
What's History? (p. 5)
What's Up? (p. 30)
    Known Issues (p. 30)
    Product Limitations (p. 34)
    Observations (p. 37)
Where's the Doc? (p. 38)



These release notes provide particular details about eSigner 6.4.0 for Windows.

What's New?
This section describes all the differences between this release, 6.4.0 for Windows, and the previous release, 6.2.0.

New Features
• New parameters in local.conf for controlling the HTML page rendering width.
• Dynamic hash mechanism support. This feature allows eSigner to use the best available hash mechanism.

Corrected Problems
• OpenSSL has been updated to version 1.0.2h.
• Improved HTML data support for wide table rendering.
• Propagation issues for user certificates on V1 cards in some use cases.
• Propagation issues for root and intermediate certificates on V3 cards in some use cases.
• The Windows 7 limit on the total size of certificates allowed in a card for the SCardWriteCache function used by Microsoft has been increased from 5000 to 10000 bytes.

What’s Gone?

Operating Systems
Microsoft Vista support has been removed.

What’s in?
This section provides a full list of hardware, operating systems, peripherals and software that are
supported by Gemalto for use with this current release of eSigner for Windows.

Supported Operating Systems and Applications


The following support matrix shows the versions that are supported when using Classic Client as the
middleware PKCS#11 module.

Gemalto strongly recommends that any supported OS should have the latest SP versions.

The version of msiexec must be 4.5 or later.


• V means the application has been validated for the OS. Gemalto recommends that you use this version.
• S means the application is supported for the OS but has not been validated.
• N means not supported for this release of eSigner.
• For Windows 7, there are no differences between the 32-bit and 64-bit OS.

eSigner 6.4 support matrix (columns: W7; W8 32-bit desktop; W8 64-bit desktop; W8.1 32-bit desktop; W8.1 64-bit desktop; Server 2008 SP2; Server 2008 R2 64-bit; Server 2012 64-bit; Server 2012 R2 64-bit; W10 32-bit; W10 64-bit)

Browser        W7   W8-32  W8-64  W8.1-32  W8.1-64  2008SP2  2008R2  2012  2012R2  W10-32  W10-64
IE 7           N    N      N      N        N        S        N       N     N       N       N
IE 8           V    N      N      N        N        S        S       N     N       N       N
IE 9           S    N      N      N        N        S        S       N     N       N       N
IE 10          S    V      V      N        N        N        S       S     N       N       N
IE 11          S    N      N      V        V        N        S       N     S       V       V
FF 45 ESR      V    V      S      V        S        S        S       S     S       V       V
FF 48 latest   V    S      V      S        V        S        S       S     S       V       V

Supported Readers
This release of eSigner supports all the readers that are supported by the version of Classic Client
middleware that is installed in the same bundle. For a list of readers therefore, please refer to the Classic
Client documentation.

In particular, eSigner supports Gemalto’s CT700 and CT710 PIN pad readers, regardless of whether the
PIN pad’s firewall option is set or not.

Supported Middleware
eSigner comes in a “bundle” with the corresponding version of the Classic Client middleware:
• Classic Client 6.3.11
If your computer already has an older version of eSigner and/or Classic Client, you must uninstall these
manually before installing the eSigner Bundle (Start > Control Panel > Programs and Features).

Supported Smart Cards


eSigner supports EZIO PKI and Classic TPC smart cards and all other cards that are supported by the
installed version of Classic Client.

Supported Thin Clients


The following configurations have been successfully tested and are supported:

Application   Operating System                 Browsers        Smart Card      Smart Card Reader       Thin Clients
eSigner 6.4   Windows 2012 Server using RDP    IE 10, IE 11    GSFv3, GSFv1    Twin CT30, CT700, CT710  HP T620

The following limitations have been discovered on these thin clients:

• With a Wyse thin client, the CT710 reader is not detected as a smart card reader. As a result, the CT710 cannot be used on a Wyse thin client.

Supported Document Types


Some types of documents can be signed by eSigner, but only .txt and .html files (with limitations for HTML) can be displayed inside the eSigner window.
The other document types, which are displayed outside the eSigner window by starting the computer's default application and can then be signed by eSigner, are:
• .pdf
• .doc
• .xls

Note: .doc and .xls are not supported for Java technology in the IdenTrust version.

Compliant with the Following Standards


eSigner is compliant with:
• IdenTrust 3.1 and 3.2.
• When using the IdenTrust version of eSigner with Java technology, Gemalto recommends that you use JRE 1.8, BUT you must respect the following conditions:
    – Install JRE 1.8 BEFORE installing eSigner (this is true for all JREs).
    – Install JRE 1.8 in a directory that is not one of the "Program Files" directories proposed by Java. The directory name must not contain any spaces.
    – For 64-bit versions of eSigner, the 32-bit and 64-bit versions of the JRE must be installed in separate directories below the root directory. For example, they could be c:\JAVAx64 and c:\JAVAx86.

What’s History?
This section describes the corrected problems and enhancements in each previous version.

Changes in eSigner 6.2.0 - 001 (since eSigner 6.1.0 - 001)


• When installing eSigner as a bundled installer, the installation used to fail with Error 1720. The problem was related to special permissions on the Windows default temporary folder: on some occasions it was not accessible by the installer, which caused this error.
• CFG_SIGN_UNSEEN=1 and CFG_GUI_BUTTON_MODE=0 can no longer be used together, as it should not be possible to force the display of data and hide it at the same time.
• Fixed an issue where the horizontal scrollbar did not appear when plain text was displayed with a line longer than the screen width.
• A misleading message used to be displayed when PKCS#11 returned unsupported error codes.

Changes in eSigner 6.1.0 - 001 (since eSigner 6.0.5 - 001)


• Updated installer that features component selection.
• Multi PKCS#11 support. eSigner can now be linked to several PKCS#11 libraries. This allows a transition from one smart card technology to a different one.
• See What You Sign (SWYS) terminal signature counter included in PKCS#7 signatures.
• SWYS bundle install fixed for the Vista platform.
• Fixed a problem where large HTML documents could be truncated when displayed via eSigner.
• The Jar ISIL build has been upgraded to match an up-to-date compiler (1.8.0_72).

Changes in eSigner 6.0.5 - 001 (since eSigner 5.2.3 - 001)


• eSigner now supports Windows 10.
• eSigner now supports the Gemalto SWYS reader.
• All resources such as images and the GUI layout are now signed to detect unauthorized modifications.
• The CFG_GUI_CUSTOM_BMP parameter is now supported. This HTML parameter allows the placing of a custom logo in the top right corner of eSigner windows.
• The CFG_GUI_BUTTON_BMP parameter is now supported. This HTML parameter can be used in button mode to replace the label with a custom image.
• HTML now displays correctly in single page mode.
• The numbering of the eSigner installation directory now matches the eSigner major version numbering.
• The error message "PKCS#11 Error - Web Site Not Trusted", which could be displayed when the user cancels a transaction, has been changed to "Operation terminated".
• Counter information used in OTP generation has been removed from the terminal signature.

Changes in eSigner 5.2.3 - 001 (since eSigner 5.2.2 - 001)


• It is now possible to sign data using the XMLDSIG format. The eSigner CFG_SIGNATURE_FORMAT attribute has been extended with a new parameter.
• A warning message can be displayed if a smart card is about to expire when signing a document.
• eSigner now supports the Ezio Armored Application.
• Windows 8 Metro has been removed from the compatibility matrix in order to simplify it. No configuration using Internet Explorer Metro is supported, as it is a plug-in-less browser.

Changes in eSigner 5.2.2 - 001 (since eSigner 5.1.2 - 001)


• Signed local configuration file. The local.conf file is now signed and cannot be modified by the end user.
• Support for IdenTrust 3.2a is specified in the local.conf configuration file.

Changes in eSigner 5.1.1 - 001 (since eSigner 5.0.3 - 001)


• Improved local.conf error management.

Changes in eSigner 5.0.3 - 001 (since eSigner 4.3.9 - 001)


• CustomLogo.File and CustomLogo.Transpcolor now work as described in the documentation.
• The CFG_GUI_SHOWSIGNBUTTON HTML parameter now works as described in the documentation.
• The error message dialog could not be closed when loading an inappropriate file in browsing mode. The error message has been changed to a classic Windows error dialog.

Changes in eSigner 4.3.9 - 001 (since eSigner 4.3.8 - 001)


This version of eSigner was NOT compliant with the IdenTrust IT-SIR-3.2a specification; it was compliant with IdenTrust IT-SIR-3.2. As a result, two optional HTML parameters were not supported for this version and should not be used:
• Policyid – a list of policy IDs for certificates that are allowed to be used for signing
• Postformvariable – flag to determine whether or not the plug-in should post the plug-in's calling parameters

Changes in eSigner 4.3.8 - 001 (since eSigner 4.3.5 - 004)


Enhancements
The following enhancements have been made in this release:
• The printing options have been improved to provide more flexibility. In multi-page mode, it is now possible to print the whole document, the first sheet of the current page, or a start page and the number of sheets to be printed.
Note: A "page" is a page of the document in eSigner. A "sheet" is a sheet of paper. A page may therefore be one or more sheets.

Changes in eSigner 4.3.5-004 since (eSigner 4.2.18-003)


New Features
The following features have been added to this release:
• Multi-page display: eSigner can be configured to display large data over multiple pages. This feature is activated by default (LargeData.MultiPageDisplay = 1). Text.Plain.MaxGridSize is set to 360,000 characters by default; this is the maximum character matrix that eSigner will allow to be displayed as a single WYSIWYS window. When data exceeds the Text.Plain.MaxGridSize value, eSigner splits it into multiple pages and always displays in pop-up mode. Scrolling buttons allow the end user to navigate across the generated pages. Also see "Known Issues".
• In IdenTrust mode, eSigner IS now compliant with IdenTrust IT-SIR-3.2a. As a result, two additional optional HTML parameters have been added to this release:
    – Policyid – a list of policy IDs for certificates that are allowed to be used for signing
    – Postformvariable – flag to determine whether or not the plug-in should post the plug-in's calling parameters
• Some changes have been made to the eSigner installation:
    – eSigner and Classic Client are installed together from a single "bundle" .msi file.
    – The possibility to change the installation directory has been removed.
Corrected Problems
• When signing a document displayed in Firefox using a PIN pad reader, the focus now remains on Firefox.
Other Changes
The name of the config.reg file has changed to local.conf.
Supported Operating Systems
• Support for the following was removed. For these OSs, customers should use eSigner 4.2.18:
    – Windows XP Home (SP2 and SP3) – (only 32-bit was supported)
    – Windows XP Pro (SP2 and SP3) – (only 32-bit was supported)
    – Windows Server 2003 R2 SP2 (only with Citrix Metaframe Presentation Server 4.5 or with Terminal Services)
    – Windows Vista SP1 (32-bit and 64-bit)

Changes in eSigner 4.2.18-003 since (eSigner 4.2.18-002)


Corrected Problems
• The About dialog box displayed the incorrect version of eSigner (4.2.17 instead of 4.2.18).
• The .dll properties have been synchronized with the .msi file.

Changes in eSigner 4.2.18-002 since (eSigner 4.2.18-001)


Supported Operating Systems
• Windows 8 (32-bit and 64-bit)
    – Windows 8 has two interfaces: Desktop and Metro. When Internet Explorer 10 is used with the Metro interface, it does not support plug-ins and consequently cannot be used with eSigner.
    – Only the 32-bit version of eSigner supports the Desktop interface of Windows 8. See Product Limitations.
    – The 64-bit version of eSigner can be neither used nor installed on Windows 8. However, this is not necessary, as the 32-bit version of eSigner can be used instead.
Supported Applications
• Firefox version 17 (only the 32-bit versions that are deployed to users as "Regular versions"; the "nightly build" versions are not supported).
• Internet Explorer 10 (only with the Desktop interface and only with the 32-bit version of eSigner).

Changes in eSigner 4.2.18-001 since (eSigner 4.2.17-004)


Corrected Problem
• With the previous version, Internet Explorer had problems on particular web pages in synchronizing different events, including page window construction and displaying eSigner in embed mode, resulting in eSigner not displaying in embed mode. It was necessary to refresh the page in Internet Explorer with the mouse or by pressing <F5> in order to make eSigner appear. This issue has been fixed in the identified cases, and eSigner now displays correctly in embed mode without the need to refresh.

Changes in eSigner 4.2.17-004 since (eSigner 4.2.17-002)


Enhancements
• It is now possible to install both the 32-bit and 64-bit versions of eSigner on the same computer.
Supported Applications
• Firefox: removed 3.6, 4.0, 8.x; added 11, 12, 13
• Internet Explorer: removed IE6; added 64-bit version of IE9

Changes in eSigner 4.2.17-002 since (eSigner 4.1.15-001)


Documentation
• The Supported Parameters Guide has been replaced by a more complete Integration Guide.
GUI Enhancements
• A button mode has been added.
• Data that displays in an external window can be accessed either by clicking the View Data button or by clicking the hyperlink to the file. These actions open the data in an external application. The ExternalDataView parameter in the config.reg file of eSigner determines whether the View Data button or a hyperlink is displayed.
• The "Save documents after signing" button can be configured so that it is not available. This is determined by the Sign.Save.Button parameter in the config.reg file (activated or not).
• If available, the "Save documents after signing" button can be activated or deactivated by clicking on it (it appears grayed if not active).
Enhancements
• The SHA-256 hash algorithm is now supported.
• The following parameters have been added to the config.reg file:
    – Sign.CheckCertificateChain - Forces bypass of certification chain verification (default is do not bypass verification).
    – Sign.Hash.Mechanism - Specifies the hash algorithm (SHA1 or SHA256) (default is SHA1).
    – Sign.Save.Button - Hides the "Save after signing" button (default is display the button).
• The following parameter has been removed from the config.reg file. The virtual PIN pad is now enabled or disabled by setting the Pin.Entrymode parameter. The default value is 1, meaning that the virtual PIN pad is displayed but the value can also be entered via the keyboard.
    – VirtualPinPad - Enables/disables the display of the virtual PIN pad.
Other Modifications
• Now, if the file is too big to be displayed by the application, the message "Data to be signed has exceeded the limit" appears and the Sign button is disabled.

Corrected Problems
• A bug that led to a potentially invalid PKCS#7 generated by eSigner in the case of peculiar key modulus values has been corrected. A separate note was communicated to issuers with more details. This eSigner release is the official fix for this bug. It will be installed for end users facing this particular issue with previous eSigner releases.
• In DDA mode, when selecting a certificate, the GUI did not highlight the selected entry in the list. It is now highlighted.
• The names of two variables in the config.reg file were corrected as follows:
    – GUI.ConfigIHMFile was renamed GUI.ConfigIHMDir.
    – CustomLogo.Strech was renamed CustomLogo.Stretch.

Changes in eSigner 4.1.15-001 since (eSigner 4.1.14-005)


Enhancement
• The limitation on the size of signed data that can be displayed (1000 lines and 500 characters (columns)) has been removed.

Changes in eSigner 4.1.14-005 since (eSigner 4.1.9-001)


Corrections
• Unix carriage returns are now ignored. Previously they prevented text from displaying correctly in some cases.
• In verification mode, text is displayed as in signature mode.
• Tab characters are now equivalent to a width of three spaces.
Enhancements
• This version supports 64-bit versions of Windows.

Changes in eSigner 4.1.9-001 since (eSigner 4.0.7-003)


OS supported
• Added Windows 7 SP1
Applications supported
• Added Internet Explorer 9 (32-bit versions of IE9 only)
• Added Firefox 4.0 (32-bit versions of FF4 only)
New Features
• Added Disability Discrimination Act (DDA) shortcuts, designed to make using the software easier for a disabled person.

Corrections
• In embed mode, when a window is too small for consistent usage, it now appears as a pop-up window of usable size, as intended.
• Sometimes a window appeared prompting the user to choose a certificate from a list instead of the correct choice being made transparently by eSigner. This no longer happens.
• In some cases in embed mode, Firefox incorrectly interpreted the size of the eSigner window. This is now corrected.
• A blank window would occasionally appear. This is no longer the case.
• The diagnostic tool in Classic Client now displays information for eSigner.
• Sometimes eSigner would unexpectedly close if the user entered the wrong PIN in non-embed mode. This is now corrected.
• Sometimes, in the IdenTrust version using Java technology, the main window would be truncated. This is now corrected.
• The following bug found during IdenTrust testing in ISPI mode (ActiveX) has been corrected: when performing a signature, the user entered the PIN code, but then nothing happened.
• The following bug found during IdenTrust testing in ISIL mode (Java) has been corrected: a signature was performed when the user clicked on the View Certificates icon.
• When using eSigner with the Firefox, Google Chrome and Safari (Mac) browsers, eSigner would open in a new pop-up window instead of being in embed mode. This no longer happens.
• In Internet Explorer, it is now possible to embed eSigner.
Documentation
• This release included an Installation and User Guide. Unlike previous releases, this document covered both the Corporate version and the IdenTrust version.
Enhancements
• Some enhancements were made regarding the way eSigner displays. The default values in the config.reg file have been changed to height = 350 and width = 390 pixels.

Corresponding hexadecimal values available in config.reg are:
"GUI.MinHeight"=dword:0000015E
"GUI.MinWidth"=dword:00000186
• If eSigner is called in embed mode with a size smaller than these values, eSigner will open in pop-up mode. This enhancement ensures that eSigner is opened at a size that guarantees full usability, with all buttons properly displayed.
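The minimum-size rule described above, written out as an added Python example: it is not eSigner code or a Gemalto tool. The only values it relies on are the two config.reg lines quoted in the notes; the parser, the function names and the sample sizes requested by a web page are assumptions made here to illustrate how a `dword:` value decodes and how the embed-to-pop-up fall-back would be decided.

```python
import re

# Constructed sample: the two config.reg value lines quoted in the release notes.
# A real .reg file also carries a key path header; it is omitted because the
# notes do not state it.
CONFIG_REG = '''
"GUI.MinHeight"=dword:0000015E
"GUI.MinWidth"=dword:00000186
'''

# .reg syntax for a REG_DWORD value: "Name"=dword:XXXXXXXX (8 hex digits, big-endian text form)
DWORD_LINE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_reg_dwords(text):
    """Return {value_name: int} for every dword line in a .reg fragment.

    Lines that are not dword values (key headers, strings, blanks) are skipped.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        match = DWORD_LINE.match(line)
        if match:
            values[match.group('name')] = int(match.group('hex'), 16)
    return values


def to_reg_dword(value):
    """Encode a non-negative integer as the .reg 'dword:XXXXXXXX' text form."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError('REG_DWORD must fit in 32 bits')
    return 'dword:%08X' % value


def choose_display_mode(requested_width, requested_height, config):
    """Decide 'embed' or 'popup' for a requested window size (hypothetical helper).

    Mirrors the rule in the notes: a requested size smaller than either minimum
    falls back to pop-up mode so that every button stays visible.
    """
    min_width = config['GUI.MinWidth']
    min_height = config['GUI.MinHeight']
    if requested_width < min_width or requested_height < min_height:
        return 'popup'
    return 'embed'


if __name__ == '__main__':
    cfg = parse_reg_dwords(CONFIG_REG)
    print(cfg)  # {'GUI.MinHeight': 350, 'GUI.MinWidth': 390}
    print(choose_display_mode(390, 350, cfg))  # embed
    print(choose_display_mode(300, 350, cfg))  # popup
```

The hex values decode to the decimal defaults the notes give (0x15E is 350, 0x186 is 390), so the parser doubles as a check that a deployed config.reg still carries the documented minimums.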

Changes in eSigner 4.0.7-003 since (eSigner 4.0.6)


The following corrections were made:
• The input MIME type value is no longer case-sensitive.
• The return code PKCS7_BASIC has been renamed PKCS7_basic for backward compatibility with eSigner 3.0.X.
• This release, when used with Classic Client 6.0 – patch 3, is able to display the remaining PIN tries counter after an incorrect IdenTrust PIN value is entered.

Changes in eSigner 4.0.6 since (eSigner 3.0)


• The GUI has been significantly modified, and its customization can be proposed as an optional service during integration in a project.
• A setup option is available to display a virtual scrambled PIN pad for PIN entry.
• PKCS#7 is the only supported signature format.
• eSigner is now compliant with IdenTrust 3.2 (IdenTrust package only).
OS supported
• Added Windows Vista SP2
• Added Windows Server 2008 SP2
• Added Windows 7
• Added Windows Server 2008 R2
• Removed Windows 2000 Professional with SP4 – 32-bit only
Applications supported
• Added Mozilla Firefox 3.6
• Removed Adobe Acrobat Reader 6 and 7 – for document signature
Middleware
• Removed GemSafe Libraries 4.2 SP3 and SP4
Parameters
• Some parameters that were supported in eSigner 3.0.6 and older versions are no longer supported in 4.0.6. Please refer to the eSigner Parameters Guide for full details of what is supported by eSigner 4.0.

Note: eSigner 4.0 has been designed for backward compatibility with eSigner 3.0. Any parameters that were supported in previous versions but are no longer supported in 4.0 will either be ignored or cause a message to be displayed.

Features
• From this version, the XML digital signature (XML-DSig) export format is not supported.
• The following features were removed in eSigner 4.0.6:
    – OCSP
    – Time stamping

Improvements in Classic Client 6.3.10 – 001 (since 6.3.9 – 004)


Enhancements
The following enhancements were made in this release:
■ The version of OpenSSL supported by Classic Client has been upgraded to
1.0.1t.

Corrected Problems
The following problems were corrected in this release:
■ It is now possible to perform signatures involving the SHA-1 hash
algorithm (performed outside the card) with V1 cards in applications
that access the PKCS#11 library through Oracle's Java runtime.
Ref: 395616.

Improvements in Classic Client 6.3.9 – 004 (since 6.3.8 – 004)


Enhancements
The following enhancements were made in this release:
■ All .dll and .exe files are now signed with a SHA-256 certificate.
■ The digital signature of all loadable modules is verified and only accepted if
signed by the official Gemalto certificate.
■ All internal dlls are loaded using the absolute path name in order to avoid
attacks.

Improvements in Classic Client 6.3.8 – 004 (since 6.3.7 – 001)


Supported OS and Applications
Operating Systems
■ Added Windows 8.1 Update and Windows 10
■ Removed Windows XP Home and Vista SP1

Browsers
■ Added Mozilla Firefox 38 ESR
■ Removed Mozilla Firefox 31 ESR

e-mail Applications
■ Added Mozilla Thunderbird 38
■ Removed Mozilla Thunderbird 31
■ Added Microsoft Outlook 2016
■ Removed Microsoft Outlook 2003 SP1

Other Applications
■ Added Adobe Acrobat Reader 2015 - for document signature
■ Added Citrix Metaframe Xenapp 6.5 on Microsoft Server 2008 R2 (with
Fat and Thin Clients)
■ Removed Entrust Authority 7.1 for certificate enrollment and renewal (not
Entrust Certified)
■ Removed Intercede MyID for certificate issuance and management
(revocation, renewal etc.)
■ Removed Microsoft Office 2003 (up to SP1)
■ Added Microsoft Office 2016
■ Removed Microsoft SharePoint 2010 web server
■ Removed Terminal Services with Windows Server 2003 R2 SP2 – 32-bit
and 64-bit versions. (Supported for Fat and Thin clients)
■ Removed Windows BitLocker Drive Encryption (Windows 7)

Improvements in Classic Client 6.3.7 – 001 (since 6.3.5 – 001)


Corrected Problems
This release corrected the following problems:
■ When performing a CSP signature with a V2 or V3 applet, a PIN
prompt was displayed even if the PIN code had previously been
passed through the CryptSetProvParam function.
■ All the .dll and .exe files have now been signed. In particular,
signing the registration tool prevents the “Unknown publisher”
message warning from appearing.
■ The toolbox has been further modified in order to prevent the “User
Access Control” message warning from appearing.

Features
■ PKCS#11 auto registration in Firefox
This feature is no longer supported as the support by Mozilla is not
consistent from one version of Firefox to another.

Improvements in Classic Client 6.3.5 – 001 (since 6.3.4 – 005)


Corrected Problems
This release corrects the following problems:
■ There was a problem concerning cards containing the Classic Applet V2
only. If the computer went into hibernate mode while the card was
connected, the card was destroyed when the computer came out of
hibernate mode.
■ A registry key has been added in order for Classic Client to recognize
Optelio Santander bis cards.
■ The toolbox has been signed in order to prevent the “User Access
Control” message warning from appearing.

Improvements in Classic Client 6.3.4 – 005 (since 6.3.4 – 004)


Corrected Problems
This release corrected a problem where the Toolbox was unable to be launched
by the Registration Tool when the Windows User was listed in the Local
Administrators group in Windows.

Improvements in Classic Client 6.3.4 – 004 (since 6.3.3 – 001)


New Features
■ Classic Client for Windows now supports Windows 8.1 and Windows
Server 2012 R2 64-bit.
■ For cards with the Classic Applet V3, PIN policies are now supported with
PIN pad readers (but limited to the minimum and maximum PIN lengths)

Supported OS and Applications


In this version, support for some old versions was removed and support for
some new versions was added. The changes are as follows:

Browsers
■ Internet Explorer - support added for version 11

Other Applications
■ Adobe Acrobat Reader - support removed for version 10

Improvements in Classic Client 6.3.3 – 001 (since 6.3 Patch 2 – 001)


Corrected Problems
The following problems have been corrected in this version:
■ V1 minidriver only (therefore only affects all cards that use the Classic
Applet V1): If logged in to the toolbox as an administrator, changing the
Admin PIN caused the default container to be destroyed.
■ V1 minidriver only: As a consequence of the first bug, if the default certificate
was absent, no certificates were loaded in the card. Now all the certificates
are loaded, and if only one is present it is defined as the default certificate.
■ IAS Minidriver only (therefore only affects all cards that use the IAS ECC
Applet): This modification corrects the problem where forcing the use of
the IAS minidriver did not load the certificates and display the First PIN
Change dialog box (which was what was supposed to happen).

■ IAS Minidriver only: The minidriver, SCU and IAS API have been
modified to improve the internal handling of transactions. This corrects
several different problems that arose when switching from local to
remote desktop protocol (and vice-versa) smart card logons: Ref
318700.
– When in minidriver mode, the SCU internal transactions are
deactivated - leaving the Base CSP to manage them and thus
avoid memory sharing problems when switching sessions.
– By changing the order in which PC/SC transactions are processed, with
regard to the internal semaphore of the IAS API – this avoids deadlock
when one application accesses the card via P11/CSP and another via
the minidriver.
– The detection of session changes has been improved to avoid freezing
LSASS and also allow log activation.
■ There was a scenario where a new card was inserted in the reader and
the “Init PIN” dialog box forced the user to change the PIN from the
default - as it should. The problem was that when the card was removed
and re-inserted, the same “Init PIN” dialog box forced the user to change
the PIN again. This problem only occurred for cards whose maxLength
parameter (an optional parameter) was not set in the AOD file.
Ref#318863
■ When using “qualified signature” keys to perform SSL authentication to a
web site, the user should be asked to enter the PIN for each session.
Unfortunately when closing and restarting the browser, the user was not
reprompted to enter the PIN.

Supported OS and Applications


In this version, support for some old versions was removed and support for
some new versions was added. The changes are as follows:

Browsers
■ Mozilla Firefox - support removed for versions 20-21
■ Mozilla Firefox - support added for version 26
■ Google Chrome - support removed for versions 26-27
■ Google Chrome - support added for version 31

e-mail Applications
■ Mozilla Thunderbird - support removed for versions 16-17
■ Mozilla Thunderbird - support added for version 24

Improvements in Classic Client 6.3 Patch 2 – 001 (since 6.3 Patch 1 – 001)
Supported Smart Cards
The following card is now supported by Classic Client:
■ Optelio/Desineo D72 FXR1

Corrected Problems
The following problems have been corrected in this version:
■ Improvements have been made to PKCS#11 attribute management. This
fixes a problem where an “out of memory” error was returned.
■ The visual C++ runtime libraries installed with Classic Client have been
updated to improve the stability of Classic Client when it is installed on a
server.
■ A problem has been fixed with the C_InitToken function so that the
management of spaces in the label has been improved. This avoids
problems for storing the label EF.

Supported OS and Applications


In this version, support for some old versions was removed and support for
some new versions was added. The changes are as follows:

Operating Systems
■ Windows 7 SP1 – 32-bit and 64-bit added
■ Windows Server 2012 64-bit added

Browsers
■ Mozilla Firefox - support removed for versions 12-18
■ Mozilla Firefox - support added for versions 20 and 21
■ Google Chrome - support removed for versions 19-24
■ Google Chrome - support added for versions 26 and 27

e-mail Applications
■ Mozilla Thunderbird - support removed for versions 12-15

Other Applications
■ Adobe Acrobat Reader - support removed for versions 8 and 9
■ Adobe Acrobat Reader - support added for version 11

Improvements in Classic Client 6.3 Patch 1 – 001 (since 6.3 – 003)


Corrected Problems
The following problems have been corrected in this version:
■ It is now possible to generate User Setups in Windows 7 and 8 using
the User Setup tool.
■ The stability of Classic Client has been improved for cases where it
performs cryptographic operations and search operations at the same
time.

Improvements in Classic Client 6.3 – 003 (since 6.2 Patch 3 – 001)


New Features
■ The Personal Data plug-in also supports the personal data defined for the
new eID Generic Identities.
■ The User Setup plug-in supports the Mini Driver option. This option can
be chosen instead of the Cryptographic Service Provider (CSP) option.
■ The Administration installation supports the Windows 64-bit operating
system.
Enhancements
■ Biometry support is available with the Administrator Package installation.

Supported OS and Applications


In this version, support for some old versions was removed and support for
some new versions was added. The changes are as follows:

Operating Systems
■ Windows 8 (32-bit and 64-bit) added

Browsers
■ Google Chrome - support added for versions 20 and 21
■ Internet Explorer - support added for version 10

Other Applications
■ Adobe Acrobat Reader - support added for version 10
■ Microsoft SharePoint 2010 web server - support added

Corrected Problems
The following problems were corrected in this version:
■ The same certificate can now be imported into Mozilla Firefox again
after it has been deleted; previously this failed.
■ Registration Tool works properly after Smart Card Logon on a 64-bit
computer.
■ Classic Client Toolbox works properly when a certificate is imported
from the Trusted Root CA in the Internet Explorer Store.
■ Smart Card Logon works properly in Windows XP 64-bit.
■ You can now change the Administrator PIN if BIO PIN is available.
■ Certificates are now recognized when performing Smart Card
Unlock in Windows 7 – 64-bit.

Improvements in Classic Client 6.2 Patch 3 – 001 (since 6.2 Patch 2 – 001)
Corrected Problems
■ There was a problem when Classic Client needed to prompt for the User
PIN when requested by the java applet embedded in a secure web site.
The “Enter PIN” dialog box would freeze. (Ref 148449)
■ This patch corrects some problems concerning the detection of card
reader insertion and removal by the registration tool. (Ref 148458)

Supported Applications
In this version, support for some old versions was removed and support for
some new versions was added. The changes are as follows:

Browsers
■ Mozilla Firefox - support added for versions 14 and 15.

Mail
■ Mozilla Thunderbird - support added for versions 14 and 15.

Improvements in Classic Client 6.2 Patch 2 – 001 (since 6.2 Patch 1 – 001)
Corrected Problems
The following problems have been corrected in this version:
■ The ATR for the “Other Optelio Card (Santander MPCOS)” has been
corrected.
■ A shortcut name has been corrected (“secutity” to “security”).
■ When the user automatically registers Classic Client as a security module
in Firefox, Firefox displays a warning to say “A script from “file://” is
requesting enhanced abilities that are UNSAFE and could be used to
compromise your machine or data”. This is normal, but could alarm the
user. Consequently, a note has been added to the HTML page that
displays during the registration, telling the user that a security warning
may display but it is safe to authorize the installation.
■ A problem existed when using a PIN pad reader when the PIN policy file
was corrupted. This has been corrected so that now, if the PIN policy file
is corrupted, the PIN pad reader uses a default PIN policy.

Supported Applications
In this version, support for some old versions was removed and support for
some new versions was added. The changes are as follows:

Browsers
■ Mozilla Firefox - support added for version 13.

Mail
■ Mozilla Thunderbird - support added for version 13.

Improvements in Classic Client 6.2 Patch 1 - 001 (since 6.2 – 005)


New ATRs
The following ATRs have been added:
■ Other Optelio Card (Santander MPCOS), see page 6.
■ MultiApp ID Dual Citizen EAC 80K CC / IDClassic 3340 (then called
Classic TPC DM) (with MPCOS Applet installed by default) - Contactless
Mode with Prox DU, see page 7.
Corrected Problems
The following problems have been corrected in this version:
■ An improvement has been made so that when Classic Client is used
remotely (Terminal Services or VMWare VDI for example), services.exe
no longer uses 100% of CPU (ref 141184).
■ Classic Client's shared memory service has been made more robust in
order to prevent it crashing when other applications using Classic Client's
PKCS#11 have stopped abnormally (ref 139797).
■ An enhancement has been made in order to improve the recognition of
X.509 v3 root certificates (ref 141093).
■ A bug has been fixed where no message was appearing after a remote
unblock PIN operation (regardless of whether the operation was
successful or not). The message now appears (141285).

Supported Applications
In this version, support for some old versions was removed and support for
some new versions was added. The changes were as follows:

Browsers
■ Mozilla Firefox - support removed for 7.0; added for 12.0.
■ Google Chrome - support removed for 15; added for 19.

Mail
■ Mozilla Thunderbird - support removed for 7.0; added for 12.0.

Improvements in Classic Client 6.2 - 005 (since 6.1 Patch 4 – 001)


New Features
■ Classic Client now checks IAS XL / IAS ECC cards to see if the User PIN
has been changed since first use. If it has not, Classic Client forces the
user to change the PIN. Note that this feature is only implemented for
those IAS XL /IAS ECC cards that have a particular profile. If you require
more information about this profile, please contact your Gemalto technical
consultant.
■ Match on Card client AID is now configurable via the registry key
"HKEY_LOCAL_MACHINE\SOFTWARE\Gemplus\Cryptography\Biometry\MOCAID\Client".
■ Supports virtual slots for BioPIN.
■ Fixes some problems from the previous version.
■ Removes legacy tokens from the User Setup plugin.
■ Adds the Biometric feature option in User Setup plugin.
■ Supports MultiApp v2.1 cards.

Supported Fingerprint Readers and Scanners


In this release support for the following fingerprint scanner has been added.
■ Covadis Auriga scanner

Enhancements
In Classic Client 6.1 – 005 a feature was added whereby the registration tool
calls the Microsoft Base CSP if Classic Client’s CSP does not recognize the
card. The Base CSP then chooses the correct minidriver for the card
according to its ATR. This feature is required for people who have a .Net
solution, for example. However, if a card uses its own CSP, it is recognized
neither by Classic Client’s CSP nor by the Microsoft Base CSP, so the
Registration Tool was calling the Microsoft Base CSP for nothing. To avoid
this, an enhancement has been made whereby the registration tool only calls
the Base CSP if the card has an associated minidriver.

Corrected Problems
■ This release corrects a problem where removing a reader was causing
Registration Tool to take up to 90% of CPU.
■ In certain cases, Classic Client had problems detecting card events
(multiple removals and insertions). This release corrects these
problems.
■ Under certain rare conditions, not all of the card data were read. This is
corrected by improving the parsing of the PKCS#15 data structure.
■ In the Toolbox splash screen, the “Show this window at startup” check
box was unresponsive. This release corrects this problem.
■ The reboot message at the end of the installation process in the French
version of Classic Client is now displayed correctly.
■ It is now possible to go into Hibernate mode in Windows when using Classic
Client.
■ Fast User Switching feature is now supported.
■ Some localization issues are fixed.

Supported Applications
In this version, support for some old versions was removed and support for
some new versions was added. The changes were as follows:

Browsers
■ Mozilla Firefox - support removed for 3.5, 3.6 and 4.0; added for 7.0.
■ Google Chrome - support removed for 13; added for 15.

Mail
■ Mozilla Thunderbird - support removed for 2.0, 3.0 and 3.1; added for 7.0.

Other Applications
■ Microsoft Identity Lifecycle Manager (ILM) 2007 - support removed

Improvements in Classic Client 6.1 Patch 4 - 001 (since Patch 3–001)


Corrected Problems
■ In certain cases, Classic Client has problems detecting card events
(multiple removals and insertions). This patch corrects these
problems.
■ Under certain rare conditions, not all of the card’s data are read. This is
corrected by improving the parsing of the PKCS#15 data structure.

Improvements in Classic Client 6.1 Patch 3 – 001 (since 6.1.0 – 005)


Patch 3 corrected certain problems. There are no changes regarding the
support of applications, OS, cards, and so on.

New Feature
The setup has been modified such that if you are installing Classic Client and
Firefox is already installed on the computer, you are given the option of
registering Classic Client as a Gemalto Cryptographic Security Module at the
same time as the installation (so that it is recognized by Firefox). You must
reboot the computer to perform this registration.

Corrected Problems
■ Enrollment with IAS ECC card (ref #111755)
After enrolling a certificate on an IAS ECC card, there was a problem when
refreshing the toolbox: The certificate or some of its keys appeared twice.
■ Internet Explorer 9 - SSL client authentication (PIN window is to the center
screen) (ref #111759)
When using IE9 to perform an SSL connection to a web site, the PIN prompt
appeared in the top left of the screen instead of in the center of the IE window.
■ IE8 IE9 - SSL authentication with Protected mode on (ref #111761)
When Protected mode was enabled for IE 8 or 9 but the web site was not
added in the trusted sites list, it was impossible to connect to this site
using SSL with a card.
■ IAS ECC card: PIN Request on card insertion with a PIN pad reader (ref
#112109)
If the card was removed during a signature scenario, each time the card
was re-inserted the PIN was requested on the PIN pad.

■ Limit the number of PIN presentations required to enroll a CC key
pair on a transparent reader (ref #112400)
On Classic v2/3 cards, when enrolling a CC certificate using Internet
Explorer, you were prompted to enter the PIN 4 times instead of 3 when
using CertEnroll (Vista/W7). Windows XP using XEnroll was OK.
■ With a PIN pad, if the PPC file is not signed, PIN minimum size is not set
to 8 for change/unblock commands. Transparent readers OK. (ref
#113077)
If you manually change a PIN policy file so that the minimum PIN length goes from 6 to 5
characters, a message appears to say that the PPC file is not signed so the most secure PIN
policy will be used (minimum PIN length of 8). This is correct behavior. This minimum length
applies to change and unblock PIN functions. The problem that has been fixed is that you
could change the PIN to a value of length 4 characters, whereas the minimum should be 8.
■ Intermittent error when trying to sign with IAS ECC cards (ref #115866)
For IAS ECC cards, there was an intermittent error when logging in twice
consecutively during a P11 session. If you do not logout between the two
logins, the second login failed with an invalid PIN message.
■ Key pairs duplicated on the card in certain scenarios (ref #115869)
The following were true for all the scenarios in question:
OS: Windows 7 ultimate 64 bits
Card: TopDL v2 (empty card)
Reader: PCTwin
The problem was that when you imported a certificate, removed the card
and then reinserted it, the key pair appeared twice.
■ It is now possible to import a PKCS#12 into a MultiApp ID IAS ECC 72K CC
Type 1 card (with IAS ECC Applet) (IAS ECC card with IAM profile)
in the Personal Data tool of the ECC Management module of the toolbox
(ref #115875).
■ Problem with IDClassic 3340 (then called Classic TPC DM) MPCOS
cards when running “Certutil -scinfo” under Windows 7 (ref #115965)
The command did not end successfully.
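
As an added example (not Gemalto code), the fail-secure behaviour the notes describe for PIN policy files, both in 6.2 Patch 2 (a corrupted PPC file on a PIN pad reader) and in ref #113077 (an unsigned or hand-edited PPC file): when the file cannot be trusted, the most restrictive default policy (minimum PIN length 8) governs change and unblock operations, so lowering the minimum by editing the file must not make a 4-character PIN acceptable. The JSON file layout, the HMAC-SHA256 signature and the signing key are constructed assumptions; the release notes do not describe the real PPC format.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional, Tuple

# Most restrictive policy, applied whenever the PPC file cannot be trusted.
# The minimum of 8 is the fallback value given in the release notes; the
# maximum is a constructed placeholder.
DEFAULT_POLICY_MIN = 8
DEFAULT_POLICY_MAX = 16


@dataclass(frozen=True)
class PinPolicy:
    min_length: int
    max_length: int
    source: str  # "signed-file" when taken from a valid PPC, "default" otherwise


def default_policy() -> PinPolicy:
    return PinPolicy(DEFAULT_POLICY_MIN, DEFAULT_POLICY_MAX, "default")


def ppc_signature(ppc_bytes: bytes, key: bytes) -> str:
    """Constructed signing scheme (assumption): HMAC-SHA256 over the raw file bytes."""
    return hmac.new(key, ppc_bytes, hashlib.sha256).hexdigest()


def load_policy(ppc_bytes: bytes, signature_hex: Optional[str], key: bytes) -> PinPolicy:
    """Return the policy to enforce. Any doubt about the file resolves to the default."""
    # 1. Unsigned file, or a signature that no longer matches (file edited after
    #    signing): do not trust the contents, fall back.
    if signature_hex is None or not hmac.compare_digest(
        ppc_signature(ppc_bytes, key), signature_hex
    ):
        return default_policy()
    # 2. Corrupted or incomplete file: fall back rather than guessing values.
    try:
        doc = json.loads(ppc_bytes.decode("utf-8"))
        min_len = int(doc["MinPinLength"])
        max_len = int(doc["MaxPinLength"])
    except (UnicodeDecodeError, ValueError, KeyError, TypeError):
        return default_policy()
    # 3. Nonsensical values in a correctly signed file: still fall back.
    if not 1 <= min_len <= max_len:
        return default_policy()
    return PinPolicy(min_len, max_len, "signed-file")


def check_new_pin(new_pin: str, policy: PinPolicy) -> Tuple[bool, str]:
    """Length check applied to the new PIN of a change or unblock operation."""
    if len(new_pin) < policy.min_length:
        return False, f"PIN too short: minimum is {policy.min_length} ({policy.source} policy)"
    if len(new_pin) > policy.max_length:
        return False, f"PIN too long: maximum is {policy.max_length} ({policy.source} policy)"
    return True, "PIN accepted"


def change_pin(new_pin: str, ppc_bytes: bytes, signature_hex: Optional[str],
               key: bytes) -> Tuple[bool, str]:
    """Change-PIN path: the policy is always derived from the file's trust state first."""
    return check_new_pin(new_pin, load_policy(ppc_bytes, signature_hex, key))


# --- Constructed sample data (not real Gemalto files or keys) ---
SIGNING_KEY = b"constructed-demo-signing-key"
SIGNED_PPC = json.dumps({"MinPinLength": 6, "MaxPinLength": 12}).encode()
SIGNED_PPC_SIG = ppc_signature(SIGNED_PPC, SIGNING_KEY)
# The ref #113077 scenario: the minimum was lowered from 6 to 5 by hand,
# so the original signature no longer matches the file content.
EDITED_PPC = json.dumps({"MinPinLength": 5, "MaxPinLength": 12}).encode()
# A corrupted file as a PIN pad reader might see it: not parseable at all.
CORRUPTED_PPC = b"MinPinLength=\x00\xff\x13garbage"


if __name__ == "__main__":
    for label, ppc, sig in [("signed", SIGNED_PPC, SIGNED_PPC_SIG),
                            ("edited", EDITED_PPC, SIGNED_PPC_SIG),
                            ("corrupted", CORRUPTED_PPC, None)]:
        pol = load_policy(ppc, sig, SIGNING_KEY)
        print(f"{label:9s} -> min {pol.min_length}, source {pol.source}; "
              f"change to '1234': {change_pin('1234', ppc, sig, SIGNING_KEY)[1]}")
```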

Improvements in Classic Client 6.1 – 005 (since 6.0.0 SP1 – 001)


OS supported
■ Removed Windows 2000 Professional SP4 – 32-bit only

Applications Supported
■ Added Google Chrome 9.0
■ Added Firefox 3.6
■ Removed Firefox 3.0
■ Added Microsoft Outlook 2010
■ Removed Microsoft Outlook Express
■ Added Mozilla Thunderbird 3.0 and 3.1
■ Added Microsoft Office 2010
■ Added Citrix Metaframe Xenapp 6.0 on Microsoft Server 2008 R2 (with Fat and Thin Clients)
■ Added the Gemalto application eSigner 4.1.9 for Windows.

Fingerprint Scanners Supported
■ Added DERMALOG ZF1 single finger scanner
■ Added UPEK TouchChip TCS1
■ Added Futronic FS80: single finger scanner

Cards Supported
■ Added MultiApp ID Dual Citizen EAC 80K CC (with IAS Classic
Applet V3) / IDClassic 3340 (then called Classic TPC DM) (with
Classic Applet V3)
■ Added MultiApp ID Dual Citizen EAC 144K CC (with IAS Classic Applet V3)
■ Added MultiApp ID Citizen BioPIN
■ Added TOP DL V2 – dual (contact and contactless) card.
■ Removed Classic MDE TPC IM (Classic MDE Applet)
■ Removed TOP DM GX4 – MPH51 – dual (contact and contactless)
card with Classic MDE Applet

New Features
■ Fingerprint authentication supported. The smart card must have the MoC
(Match on Card) algorithm loaded inside it.
■ Global bioPIN supported (global PIN that can be PIN or fingerprints).
■ Registration Tool calls the Microsoft Base CSP if Classic Client’s CSP does not
recognize the card.

Pre-Requisite
■ .NET Framework version 2.0 or later must be installed

Corrections
■ PIN Try Counter displays when entering an incorrect PIN during a
Change PIN operation with the registration tool.
■ When entering a PIN in the Enter PIN window, the masking characters
appear correctly. This was not previously the case when the window was
called from a Java applet.
■ For cards that support virtual slots, it is now possible to choose a
slot when enrolling a certificate (all the available slots are visible).

Improvements in Classic Client 6.0.0 SP1 – 001 (since 6.0.0 – 002)


OS supported
■ Added 64-bit versions of Windows

Applications supported
■ Added Firefox 3.6
■ Gemalto’s eSigner 4.0.7 for Windows

Enhancements
■ Improvements made in session management.
■ Improvements made in performance for cards with the Classic Applets V1,
V2 and V3.
■ The signature mechanism for the configuration file and PIN Policy file has
been modified to allow Core PC deployment. Core PC deployment
means that you can install Classic Client on a reference machine and
take an image of the environment. You can then deploy this image to any
computer with the same environment – thus avoiding the need to install
Classic Client on each individual machine.
■ The following modification concerns only cards containing the Classic
Applet V2 or Classic Applet V3. The mechanism for asking the user to
enter his or her PIN has been modified so that it seems more logical to the
end user.
■ Gemalto has added some registry keys to define the timeout values for
PIN pad readers.

Corrections
■ A correction was made that concerns cards containing the Classic Applet
V1 only. After an incorrect IdenTrust PIN entry, the number of remaining
PIN tries is now returned by Classic Client.
■ The following bug was corrected: It is now possible to perform smart card
login and smart card unlock computer operations in Windows Vista and
Windows 7 with a PIN of more than 8 characters.
■ A correction was made that concerns cards containing the Classic Applet
V2 or Classic Applet V3 only. If you call a PKCS#11 function when no
card is inserted in the reader, Classic Client now returns the correct error
code.

Improvements in Classic Client 6.0.0 – 002 (since 5.3.0)


OS supported
■ Added Windows 7
■ Added Windows Server 2008 R2

Applications supported
■ Added Windows BitLocker Drive Encryption (Windows 7 only)

Cards supported: added the following:
■ IDClassic IAS (then called IAS TPC) (with IAS ECC applet)

New Features:
■ The PIN pad reader now supports the minimum PIN length as defined in
the PIN management policy

Improvements in Classic Client 5.3.0 (since 5.2.0 Patch 2)


Readers Supported
■ Added Gemalto’s GCR 5500

Cards Supported
Support for the following cards has been added:
■ MultiApp ID IAS ECC 72K CC (with IAS ECC applet)
■ MultiApp ID Citizen 72K CC (with IAS Classic Applet V3)
■ MultiApp ID 72K (with IAS Classic Applet V2)
■ MultiApp ID 144K (with IAS Classic Applet V2)
■ MultiApp ID Combi 72K Type A (with IAS Classic Applet V2)

New Features: Note that they are available only for cards that contain the IAS ECC applet.
■ A PKCS#15 plug-in has been added to the toolbox. This enables you to
navigate through the PKCS#15 structure of the IAS ECC applet.
■ An Identity Management plug-in has been added to the toolbox. This
enables you to display and modify the identity data in the IAS ECC
applet.
■ The User Setup plug-in has been modified so that an Administrator can
include the PKCS#15 and Identity Management plug-ins and the IAS ECC
token in a User Setup.
■ An IAS API has been added. This provides entry points to enable you to
navigate through the PKCS#15 structure of the IAS ECC applet.

Improvements in Classic Client 5.2.0–004 Patch 2 (since 5.2.0 Patch 1)


OS Supported
■ Added Windows Vista SP2 (32-bit and 64-bit)
■ Added Windows Server 2008 SP1 and SP2 (32-bit and 64-bit)

Applications Supported
■ Added Firefox 3.5

Corrected Problems
The following issues have been resolved in this release.
■ Some localization problems have been solved in the Japanese version (Ref
495)
■ When selecting a PKCS#12 file in the toolbox, all the certificates in that
file are automatically selected. This makes importing PKCS#12 files
easier.
■ The CSP is now able to sign data that has been hashed using SHA-256
(Ref 477 and 489)
■ A problem with the C_UnwrapKey function has been fixed – it no longer
creates an extra “ghost” key
■ An object management problem has been fixed – it is no longer necessary
to read the card before creating an object

■ Command data objects for key set management are only updated in the card
when an operation is performed on a key set (set as default; create; destroy)
or by a PIN management operation (change and unblock).

Note: This is the default behavior, but it can be modified by configuring the
TransientRules registry key. Please refer to the Classic Client Integration
Guide for more information on how to do this.

Improvements in Classic Client 5.2.0 Patch 1 (since 5.2.0 – 004)


Readers Supported
■ Driver 4.0.7.5 for Gemalto’s IDBridge CT700 (formerly called PC Pinpad)
readers included.

Corrected Problems
■ A problem concerning the display of the PIN prompt when using PIN pad
readers has been corrected. With certain applications (eSigner in
particular), this window was hidden, but this patch ensures it is displayed
in front of all other open windows.
■ GPK cards under Vista can now be used with a reasonable level of
performance.
■ For IdenTrust cards, sometimes PIN messages would relate to the
wrong PIN (IdenTrust instead of User or vice-versa). This has now
been corrected.
■ PIN Pad readers only: After changing a PIN, you need to log on to the
card again with the User PIN. Previously, if the User PIN was entered
incorrectly, a message displayed to say that the PIN had not been
changed, when in fact it had. This message has now been changed so
that it says that the PIN has been successfully changed.

Improvements in Classic Client 5.2.0 – 004 (since 5.1.8 – 001)


OS Supported
■ Windows Server 2008 (32-bit and 64-bit versions) supported

Applications Supported
Support for the following applications has been added:

Browsers
■ Internet Explorer 8
■ Mozilla Firefox 3.0

e-Mail
■ Mozilla Thunderbird 2.0
■ Microsoft Outlook 2003 SP1 and 2007

Other Applications
■ Office 2007
■ Adobe Acrobat 9
■ Adobe Acrobat Reader 8 and 9
■ Citrix Metaframe Xenapp 5.0 (on Microsoft Server 2008)
Cards Supported
Support for the following cards has been added:
■ Optelio D38-D72 R6 with Classic applet v2
■ Optelio Contactless D72 R2 with Classic applet v1
■ MultiApp Easy 72K Type B (with Classic Applet V2)
■ MultiApp Combi 72K Type B (with Classic Applet V2)
■ TOP DM GX4 – MPH51 – dual (contact and contactless) card with Classic Applet V1.
■ TOP DM GX4 – MPH51 – dual (contact and contactless) card with
Classic MDE Applet

Corrected Problems
■ CSN now displays correctly when remotely unblocking user PIN (Ref 114)
■ Virtual Slots 2 and 3 now correctly refreshed in the Toolbox (Ref 127)
■ Certificates now correctly registered for all virtual slots by Registration
Tool, even for card insertions after the first.
■ SSL now works when using Firefox with a PIN pad and CC V2 card (Ref 334)
■ After resuming from standby, the padlock icon in the toolbox displays
correctly (sometimes the padlock was open, when in fact the card was
not logged into the toolbox). (Ref 337)
■ For certain cards with an IdenTrust mapping, the IdenTrust PIN prompt
displays correctly (previously the PIN field contained asterisks instead of
being empty). (Ref 339)
■ The “Toolbox: Certificates Plug-In / Card Movement test / Connection fails”
problem has been solved (when moving multi-slot cards from
one reader to another). (Ref 340)
■ Importing pkcs#12 certificates no longer freezes Classic Client (Ref 378)
■ C_InitToken no longer hangs (Ref 297) – This was only a problem for
customers personalizing cards themselves
■ Classic Client configuration file signature is now verified (Ref 382)
■ Certificates in Israeli no longer cause Classic Client to freeze (Ref 288)
■ Some Localization problems resolved (Ref 231)
■ Secure Pin Entry is now supported with Dell Smartcard keyboards (Ref 293)
■ PIN pad dialog box no longer displays in the background, so it is no longer
hidden. (Ref 276)
■ Toolbox: Export function now OK for multi-readers and multi-cards (Ref 342)
■ With Firefox, you can now import a certificate to the second virtual slot
■ Unlock now possible after a wrong card insertion (for example if when
trying to unblock a User PIN, the Administrator inserts the User’s card
instead of the Administrator card). (Ref 218)
■ Problems with UAC under Vista fixed. (Ref 278)
■ C_GetMechanismInfo(slot0, CKM_RSA_X_509) returns the correct
response message (i.e., whether or not the mechanism is supported)
(SL2 ref G-7KWECE) (Ref 379)
■ C_FindObjects() issue when trying to access the same objects twice in a
row now fixed (SL2 ref: G-7KQHYQ) (Ref 381)

Improvements in Classic Client 5.1.8 – 001 (since 5.1.7 – 001)


Enhancements
■ Enhancement of service management at Windows startup
■ Improvement of PKCS#11 slot management

Corrected Problems
■ Bug fix in First PIN Change management

Improvements in Classic Client 5.1.7 – 001 (since 5.1.6 – 001)


Enhancements
■ Localization update
■ Specific description for PIN policy

Improvements in Classic Client 5.1.6 – 001 (since 5.1.5 – 003)


Enhancements
■ Deactivated “selective suspend” function from readers configuration
■ Improvement of multi-slot management

Corrected Problems
■ Bug fix in reader selection in User Setup Plugin

Improvements in Classic Client 5.1.5 – 003 (since 5.1.5 – 002)


Enhancements
■ Backward compatibility with GemSafe Libraries 4.2 keyset management
■ Improvement of object handle management in token v1 and GPK

Improvements in Classic Client 5.1.5 – 002 (since 5.1.4 – 002)


Enhancements
■ The same certificate can be imported several times in the same card.
■ The option to export private key using Microsoft certificate
management environment is systematically disabled.

Improvements in Classic Client 5.1.4 – 002 (since Classic Client RC Edition 5.1.0 – 003)

Enhancements
■ Support of Virtual Slot through CSP
■ Support of Citrix
■ Support of PKCS#11 find object with some non-standard parameters.

Corrected Problems
■ Correction of C_InitToken side effects

Improvements in Classic Client RC Edition 5.1.0 – 003 (since GemSafe Standard Edition 5.1.x)

OS Supported
■ Support of Windows 64-bit operating systems

Cards Supported
■ GPK support available in option with User Setup

Enhancements
■ New branding
■ Documentation update

Improvements in GemSafe Standard Edition 5.1.x (since GemSafe Standard Edition 5.0.x)

OS Supported
■ Support of Windows Vista

Cards Supported
■ Support of Classic MDE applet

Enhancements
■ Enhanced robustness regarding semaphore management
■ Enhanced robustness regarding abnormal termination of the calling
application
■ Possibility to import pkcs#12 certificates not protected by password
■ Changed import mechanism to be compliant with any type of string
encoding in certificates.
■ When the type of a certificate is unknown, it is considered to be an
exchange certificate
■ Stability improvement during the enrollment phase
■ Full Office compatibility for multi languages in container names
■ Possibility to perform common criteria signature through CSP.

Corrected Problems
■ Added “critical section” of code to avoid a lock on multiple signatures in
a single thread
■ Correction of display error on a Chinese certificate when imported with
Certificate tool or CSP
■ Correction regarding import from IE store
■ Corrected display of Chinese characters for certificate name in Certificate
Tool, and in Registration Tool
■ Corrected issue of importing certificate with Chinese name in Certificate Tool.

What’s Up?

This section provides a list of the known issues at the time of this current release and also of
the limitations of the product.

Known Issues
 When uninstalling 64-bit versions (both CORP and IS), a message may appear saying
“NXPlugIn.dll cannot be unregistered”. Just click OK – the uninstallation will complete
successfully.
 For IdenTrust installations, the “Identrust.Version” parameter must always be specified.
 If a smart card has expired and has never been initialized, eSigner first displays an error
stating that the certificate is not valid, rather than that the smart card is not initialized.
 In browsing mode, when a user is loading a multi-page document from the hard drive, a
refresh issue can occur on the first rendering of the first page.
 The Print button is not disabled when signing a document not supported by the eSigner
internal viewer such as a Word or .pdf file. #Ref193718
 If a web page uses target="_new" to open a signature result in an external window,
this is considered a pop-up window and is blocked by default in most modern
browsers. #Ref189595
 When installing eSigner on a Terminal server running Windows 2008 R2, the
MSIEmbeddedChainer function is not supported:
http://msdn.microsoft.com/en-us/library/windows/desktop/bb736316(v=vs.85).aspx
Therefore, it is not possible to install the eSigner bundle. eSigner must be installed
separately from Classic Client.
 When the eSigner banner is customized with a logo (integration customization), the logo
appears correctly, but the hyperlink to the given URL does not work. This behavior is the
same for both modes: embedded and pop-up. Ref#176970.
 If the multi-page display feature is deactivated (LargeData.MultiPageDisplay = 0), or the
value of Text.Plain.MaxGridSize is increased from the default of 360,000 characters, the
eSigner window may have difficulty in managing the data.
 The Save button always appears and is enabled, even if the
CFG_GUI_SHOWSAVEBUTTON parameter is set to 0 (meaning hide Save button). Refs
#152920 and #159801
 When the Sign.Save.Button parameter is set to 2 in the local.conf file (meaning hide the
Save After Signature button) the button is masked by a white square or rectangle. This
happens in both modes (embedded and pop-up) Ref #125688.
 eSigner is grayed out after cancelling a Save Signature File process. The user has to reload
the page. Ref #125559.
 When trying to sign an external data source, if Internet Explorer returns the error page
404 (page not found), eSigner signs this error page.
 When verifying a signature, you cannot navigate around the eSigner window using the
keyboard only.
 In Internet Explorer, the response sent by eSigner to the web server is sometimes missing
the “content-type” field.

 When using the Print button in eSigner, some extra blank pages may be printed at the
end of the document.
 For the IdenTrust version, in Java technology, the menu is not displayed.
 When choosing the DDA shortcuts to perform an operation, you should not be able to
perform another operation until the first is completed. Unfortunately, you can.
 When the CFG_GUI_SHOWSIGNBUTTON is set to 0, the Sign button appears disabled,
as it should. However, the Sign option in the Post menu does not appear dimmed, giving
the impression that it can be used to make a signature. However the signature can still not
be performed with the DDA shortcuts.
 CustomLogo.Url should not be specified in the local.conf file. The parameter
CFG_GUI_CUSTOM_BMP_URL should be used instead.
 The following parameters have not been implemented:
 CFG_GUI_BUTTON_BMP
 CFG_GUI_BUTTON_BMP_URL
In practice, the button mode can only be used with text but not with a picture in the button.

There are certain issues independent of Classic Client that you
need to know in order to use Classic Client correctly, such as
Microsoft hotfixes. These are described in “Tips” on page 32.
The following Classic Client-related issues were known at the time
of writing this release note.
 When performing the forced PIN change on first use using the CT710 Pin Pad reader, the
“Enter PIN” prompt does not display on the reader (* are displayed instead). The problem
is display only - it does not prevent the User PIN change. Ref #66647.
 It is not possible to sign a mail in Thunderbird 38 using V1 and V2 cards and the
PKCS#11 security module. The problem does not occur in earlier versions of Thunderbird.
Ref #66017.
 Versions of Adobe Reader from 9.1 onwards do not work with the PKCS#11 security
module for V1 and V2 cards because Adobe Reader performs the signature using
SHA-256 and V1/V2 cards do not support it. Ref #66014
 If local security authority (LSA) is activated in Windows 8.1 it is not possible to perform a
smart card logon with IAS ECC cards. (Ref #191672).
 In Windows 8.1, the toolbox displays the version of Windows as 6.2.9200 (Windows 8)
whereas for Windows 8.1 it should be 6.3.9600. (Ref #191417)
 If Classic Client has been installed from an Administrator account it is not possible to
uninstall it from a User account even if the Administrator Password is provided when
requested by User Access Control (UAC). (Ref #190866)
 When changing the Admin PIN using a PIN pad reader, the Admin PIN policy is not
respected. (Ref #190882)
 For V1 cards personalized with the “Change PIN at first use” option, the first time that the
card is inserted in a reader, the user should be forced to change the IdenTrust PIN.
However the prompt message is never displayed. This is true for all readers. (Ref
#190637)
 The PDF icons in the Documentation window do not display correctly. (Ref #175894)

• When changing the Admin PIN via the toolbox, using a CT700 PIN pad reader, the reader display asks the user to enter the User PIN instead of asking for the Admin PIN. Entering the User PIN would of course be regarded as an invalid attempt as far as the Admin PIN is concerned, and there is a risk that the user could accidentally block the Admin PIN. (Ref #175897)
• When installing a User Setup, a dialog box offers the possibility to perform a customized installation, but at present there are no customizable options, so the installation is exactly the same as the typical one. (Ref #175946)
• When the user is forced to change the User PIN when inserting the smart card for the first time, a dialog box should be displayed to enable the user to do this. The Reg Tool should do this, but does not. The Classic Client Toolbox may perform the operation, but naturally there is no guarantee that it will be running. (Ref #176094)
• User setup only: In cases where a User PIN Policy and an Administrator PIN policy have been defined, Classic Client checks that the new PIN obeys the rules defined in the Administrator PIN policy when unblocking a PIN. It should be the User PIN policy that is used. A workaround is to make sure that the Administrator PIN policy and User PIN policy are identical. (Ref #4585)
• For cards with the Classic Applet V3, it is not possible to sign documents in Microsoft Word 2003 and Excel 2003 spreadsheets because the “Digital Signature” window is blank. This is not an issue for the 2007 and 2010 versions of Word and Excel. (Ref: Issue #4505)
• When locking the computer, please make sure that no PIN windows are open on the desktop, otherwise it may not be possible to unlock the computer using the smart card/token.
• It is mandatory not to overload any Java card (such as any IDClassic 3XX or 3XXX card). Use Classic Client Toolbox to check for free key containers and free memory space before adding keys and certificates to the card.
• When the Toolbox calculates the amount of free memory in the smart card, it does not take read-only certificates into account.
• The Splash Screen “display timeout” feature used in user setups is ignored. (Ref 120)
• If you remove and reinsert your card too quickly, you may find that when you attempt to unlock your system the following message appears: “Your credentials could not be verified”. In this case, remove the card and allow a short pause before reinserting it. You should then be able to unlock your system as normal.
• For some specific card personalizations, Classic Client 6.x behaves differently from GemSafe™ Libraries 4.x.
• Firefox does not systematically refresh the certificate display when removing/inserting cards. (Ref 344)
• As Firefox uses static management of PKCS#11 slots, moving cards between readers can lead to problems. If this occurs, it is recommended to close Firefox and re-open it. (Also Ref 344)
• It is recommended not to perform a reader hot-plug on a Citrix Client.
• Normally, performing a ScardDisconnect operation should free a “Mutex” called CTXMTXSmartCard, so that it can be accessed by other programming threads. However, this does not always work.
• In a Citrix environment, it is strongly recommended not to disconnect the Citrix session. Instead you should log off. If disconnected, a Citrix session must be re-opened on the same PC to recover its specific smart card environment.
• Citrix: two sessions opened from the same terminal are not supported (Smart Card Logon). (Ref 354)
• Citrix: two sessions opened from the same terminal are not supported (Normal Logon). (Ref 355)
• If you perform a smart card logon with the Classic Applet V1, and then perform a smart card logon with the Classic Applet V2, the second logon will fail. This is also true for Classic Applet V2 followed by Classic Applet V1. (Ref 253)
• Under Vista, using the Toolbox, it is impossible to export a certificate to the IE store.
• Gemalto recommends that you close Internet Explorer after each certificate enrollment on Citrix.
• If Classic Client is used with several readers and several cards at the same time, it can become overloaded if you perform too many card movements, for example, swapping cards from one reader to another, or even withdrawing and reinserting cards in the same reader. When overloaded in this way, it is possible that Classic Client will confuse one card with another.
• There is a problem enrolling certificates with IE under Vista when using virtual slots. (Ref 470)
• When signing a document in Adobe Acrobat Reader 9, Adobe prompts you to select SHA-256. However, when using the CSP security module, the signature is performed using the SHA-1 algorithm. This means the signature cannot be successfully verified as the hash algorithm is wrong. This does not apply to later versions of Adobe Reader as you are not prompted to choose an algorithm. (Ref 483)
• With IAS ECC cards only, the Card Properties plug-in does not display the amount of free memory for the private portion and public portion of the key. It also does not provide the “Advanced” view of the card. (Ref 486)
• Citrix Metaframe Xenapp 5.0 is very slow when disconnecting: (Ref 490)
o A Winlogon temporary session appears to freeze (but in fact it just takes more than one minute to disconnect).
o When two sessions are open simultaneously, changing from one session to the other can take over one minute.
o When two sessions are open simultaneously, changing from one session to the other can cause a “network error” or a “Wshell error”.
• When more than one session is open in Citrix Metaframe Presentation Server 4.5, the mutexes of the sessions mix together. This can cause deadlock and block at least one of the sessions. (Ref 491)
• There can be installation problems when installing Classic Client on a PC that already has Classic Client installed; it depends on the version and specifics of the version that is already installed. Gemalto therefore recommends that you uninstall the old version of Classic Client before installing the new one. (Ref 492)
• If you try to update a certificate through the Personal Data plug-in, the update fails. (Ref 493)
• For the Administrator version or a user setup which includes the IAS ECC applet and an (IAS) Classic Applet (V1, V2 or V3): it is possible after opening a new session that the first SSL authentication may not work. (Ref 537)
o Solution for User Setups: Make sure that the setup includes only the tokens that are needed and, in the case of IAS ECC tokens, that the setup includes the IAS ECC token only.
o General Solution: After opening the session, perform another operation (such as opening the Toolbox, or signing an email) before attempting the SSL authentication.
Localization Issues
• There are still some localization issues for non-English versions of the product.
• In the Windows Server 2008 64-bit version, there is a sentence in the PIN administration tool that appears in English. (Ref 282)
• In the Windows Server 2008 64-bit version, there is a sentence in the PIN dialog box that appears in English. (Ref 283)
• Unicode characters of a specific language are correctly displayed only on an OS version of the same language (for example, Simplified Chinese characters are correctly displayed only on Simplified Chinese Windows).

Product Limitations
• For some use cases in HTML mode displaying wide tables, eSigner can support up to 1000 rows displayed. This applies, for example, to a full table of BACS payments with approximately 1000 payments.
• Sometimes in multi-page mode, if the data is too large, the signature cannot be verified.
• The Pkcs11.ForcePin parameter is valid only for V2/V3 cards and even then it depends on how the cards have been personalized. (Ref #179286)
• msiexec.exe must NOT use the /forcerestart parameter, otherwise the computer will restart after the installation of the bundle, which means that Classic Client and eSigner will not be installed at all. (Ref #183165)
• In multi-page mode, if a single line of data is larger than the Text.Plain.MaxGridSize parameter, the data cannot be broken into multiple pages and eSigner returns an error to say the file is too large. You should make sure that no single line exceeds the MaxGridSize. As indicated earlier, when going to multi-page display, eSigner always displays in pop-up mode, regardless of the window size parameter values. (Ref #176970)
• Text in documents to be signed must be limited to characters in the ASCII range 33-126. The following table is a reminder of the ASCII values in this range. (Ref #179657)
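The two limitations above (no line longer than Text.Plain.MaxGridSize, and only ASCII 33-126 in the text) are both easy to violate silently when a server builds the document to be signed. The following PowerShell pre-flight check is an added example, not part of eSigner or of Gemalto's tooling; it reports every offending line and character so the server can reject the document before calling eSigner. The MaxGridSize value passed in (80 below) and the payment lines are constructed samples, not values from the product configuration.

```powershell
# Added example (not eSigner's own code): pre-flight check of a text document
# before handing it to eSigner in multi-page mode. Flags lines longer than the
# configured Text.Plain.MaxGridSize and characters outside ASCII 33-126.
# Assumption: the caller supplies $MaxGridSize from the deployed eSigner
# configuration; the value 80 used at the bottom is only a constructed sample.

function Test-ESignerText {
    param(
        [Parameter(Mandatory)][string]$Text,
        [Parameter(Mandatory)][int]$MaxGridSize
    )
    $issues = @()
    $lines = $Text -split "`r?`n"
    for ($i = 0; $i -lt $lines.Count; $i++) {
        $line   = $lines[$i]
        $lineNo = $i + 1

        # A single line longer than MaxGridSize cannot be paginated; eSigner
        # would answer "file too large" (Ref #176970 above).
        if ($line.Length -gt $MaxGridSize) {
            $issues += "line ${lineNo}: length $($line.Length) exceeds MaxGridSize $MaxGridSize"
        }

        # Every character must fall in the ASCII range 33-126 (Ref #179657 above).
        for ($j = 0; $j -lt $line.Length; $j++) {
            $code = [int][char]$line[$j]
            if ($code -lt 33 -or $code -gt 126) {
                $hex = '{0:X4}' -f $code
                $issues += "line ${lineNo}, column $($j + 1): character U+$hex is outside ASCII 33-126"
            }
        }
    }
    return $issues
}

# Constructed sample document: line 2 carries a euro sign (U+20AC), line 3 is
# 100 characters long, so both limitations are triggered.
$sample = "PAYMENT;REF001;100.00`n" +
          "PAYMENT;REF002;" + [char]0x20AC + "50.00`n" +
          ('X' * 100)

$problems = Test-ESignerText -Text $sample -MaxGridSize 80
if ($problems.Count -eq 0) { "Document is within eSigner limits" } else { $problems }
```

The check follows the release notes literally, so a space (ASCII 32) is reported as well; if your deployment accepts whitespace in signed text, widen the range in the character test accordingly.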
• Internet Explorer 10 provides two interfaces: Desktop and Metro. The Metro interface of IE 10 is not supported, because it does not support plug-ins. On the Metro interface, the web page calling eSigner appears with an empty frame instead of the eSigner window.
• Internet Explorer 10 is supported by the 32-bit version of eSigner only (not the 64-bit version of eSigner).
• The 32-bit version of the eSigner bundle cannot be executed on a 64-bit operating system, such as Windows 8. Similarly, a 64-bit version of the eSigner bundle cannot be executed on a 32-bit operating system. Such attempts are refused.
Note: The 32-bit version of eSigner can be installed on a 64-bit operating system by executing the 64-bit version of the eSigner bundle (which installs both the 32-bit and 64-bit versions of eSigner). In such a case, the 32-bit version of eSigner can run on IE 10, even when IE 10 is configured in Enhanced Protected Mode (thus behaving like a 64-bit version of IE).
• Only regular versions of Firefox are supported, not the nightly build versions.
• The PIN Pad Reader ref. P/N HWP113026B is not compliant with eSigner 4.X regarding the Change PIN at first use feature. This is a known limitation of the HWP113026B PIN Pad reader. Up-to-date supplied Gemalto PIN Pad readers do not present this issue.
• When calling eSigner to sign a file, you must specify the mime-type for each type of file that you want to be able to sign. If you do not, the browse function (when selecting a file to sign) will not work correctly. The extension of the file you are opening must correspond to the type of file specified in the mime type.
• In Internet Explorer, when starting eSigner in “Button” mode, the button size must be given, otherwise the button will be displayed as a single pixel. eSigner 3 had the same limitation.
• In certain cases where the eSigner call made by the server is incorrect, the error message that should be sent to the server may not be sent, may not be exactly as expected, or may not display correctly, depending on the browser. These issues should not occur in a normal call to eSigner by a correct live web site complying with the eSigner call specifications. These problems could affect web developers when developing new calls.
• There is no counter-signature process implemented; when calling eSigner with a mime_type text/signature, eSigner does not propose an additional signature on top of the input signature.
• Third party browsers, for example Internet Explorer and Firefox, must be installed on the PC before eSigner.
Note: Gemalto therefore recommends that if you want to install a new version of a browser, you should uninstall eSigner, then install the browser, then reinstall eSigner.

• Windows Smart Card Logon with PIN pad readers (CT700 and CT710) is not supported for the V1/V2/V3/IAS smart cards.
• The MS Edge browser is not supported by default because CSP cannot load certificates with it, and so it is not possible to display certificates or perform SSL authentication. It is possible to configure Classic Client to use the minidriver instead of CSP to propagate certificates so that Edge can be used for SSL authentication.

Note: This solution is supported only for V2 and V3 cards. Edge is not supported at all for V1 and IAS cards.

• The configuration is as follows:
• Under the Regtool key, located as shown below, create a REG_DWORD value called ForceMinidriver and set it to 1 in order to force the Registration Tool to load certificates using the minidriver instead of the CSP.
• This value can be set to 0 to revert to the default behavior (loading certificates using CSP, which makes them unusable under Edge).
• The Regtool key is located in:
o 32-bit machines: "HKEY_LOCAL_MACHINE\SOFTWARE\Gemplus\Cryptography\RegTool\ForceMinidriver"
o 64-bit machines: "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Gemplus\Cryptography\RegTool\ForceMinidriver"
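The same ForceMinidriver value is referred to again further down, as the way to get SHA-256 operations with V3 and IAS cards in Microsoft applications. The following PowerShell snippet is an added example of applying and checking that setting, written for this page; it is not Gemalto's tooling. It assumes an elevated 64-bit PowerShell host on 64-bit Windows (so that the Wow6432Node path is written without WOW64 redirection), and it creates the Regtool key if Classic Client has not yet written it.

```powershell
# Added example (not Gemalto's own code): set, revert and read back the
# ForceMinidriver REG_DWORD under the Regtool key described in these notes.
# Assumptions: run as Administrator from a 64-bit PowerShell host on 64-bit
# Windows; the Regtool key is created if it does not exist yet.

function Get-RegToolKeyPath {
    # On 64-bit Windows the 32-bit Classic Client settings live under Wow6432Node,
    # matching the two paths given in the release notes.
    if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\Wow6432Node\Gemplus\Cryptography\RegTool'
    } else {
        'HKLM:\SOFTWARE\Gemplus\Cryptography\RegTool'
    }
}

function Set-ForceMinidriver {
    param(
        # 1 = Registration Tool loads certificates through the minidriver
        #     (needed for Edge SSL authentication and for SHA-256 in Microsoft
        #     applications, V2/V3 resp. V3/IAS cards only per the notes);
        # 0 = default behaviour, certificates loaded through the CSP.
        [ValidateSet(0, 1)]
        [int]$Value = 1
    )
    $key = Get-RegToolKeyPath
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path $key -Name 'ForceMinidriver' -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

function Get-ForceMinidriver {
    # Returns 0 or 1, or $null when the value has never been set (which the
    # notes treat like 0: certificates are loaded through the CSP).
    $key = Get-RegToolKeyPath
    if (-not (Test-Path $key)) { return $null }
    (Get-ItemProperty -Path $key -Name 'ForceMinidriver' -ErrorAction SilentlyContinue).ForceMinidriver
}

Set-ForceMinidriver -Value 1
"ForceMinidriver under $(Get-RegToolKeyPath) is now: $(Get-ForceMinidriver)"
```

Run `Set-ForceMinidriver -Value 0` to go back to CSP loading. Because the value is a machine-wide HKLM setting, changing it affects every user of the PC, so it belongs in the same deployment tooling as the rest of the Classic Client configuration rather than in an ad-hoc change on one workstation.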
• Browsers now use TLS (the evolution of SSL). TLS v1.2 uses SHA-256 to perform signatures as SHA-1 is deprecated. This means that if the browser and server select TLS v1.2 for authentication, it will not be possible to perform a signature with V1 and V2 cards.
• After entering an incorrect PIN, Mozilla Firefox does not display an “incorrect PIN” error message or indicate how many attempts remain. It appears to the user as if Firefox is re-prompting for the PIN for no apparent reason. This is true even after the PIN has been blocked. This is a limitation of Mozilla Firefox and not of the middleware itself. (Ref #5711)
• IMPORTANT: If a computer is using Citrix Client (ICA) or Terminal Services, Classic Client must not be installed on both the Client and the Server.
• It is not possible to use the Covadis Auriga Reader-Scanner with the Gem PC Twin reader due to hardware limitations. Auriga uses the same PC/SC channel to perform both fingerprint scanning and smart card transactions.
• For cards having two virtual slots, only the first slot will be identified and used at smart card logon. This is because the current minidriver specification has no way to identify and select between the two virtual slots.
• It is impossible to import a “sign only” certificate through Firefox. This is a limitation of Firefox, NOT Classic Client.
• Firefox imports “sign-only” certificates into a “sign and exchange” key container. This is an issue for CC certified applications, as the certificate must be imported into a “sign-only” key pair.
• Under Vista, only the first slot can be used to perform a smart card logon.
• It is impossible to import p7 and .cert certificate files into the card if the card does not contain the corresponding RSA key pair. (Ref 122)
• To use EFS (encrypted file system) on Windows Vista, you must use a non-self-signed certificate and perform the EFS operation with no card inserted in the reader. Wait until EFS prompts you before inserting the card.
• It is not possible to perform SHA-256 operations using Microsoft applications (CertEnroll, Outlook, and so on) when CSP is used to load certificates. This is because Microsoft applications require the use of a KSP (key storage provider) to use certain cryptographic algorithms such as SHA-256. It is possible to perform SHA-256 operations when the minidriver is used to load certificates, but only with V3 and IAS cards. To use the minidriver, create a ForceMinidriver REG_DWORD value under the Regtool key as described earlier in this section on page 30.
• The operations Verify PIN, Change PIN and Unblock PIN cannot be performed in the secure desktop of Windows for cards that impose secure messaging for these operations. This is true for Windows Vista, 7, 8, 8.1 and 10.
• When registering Classic Client as a Cryptographic Security Module (CSM) in Firefox, it is only registered for the current user account. If another user logs on to the computer, Classic Client will need to be registered manually. This can be done either as described in the Classic Client User Guide or by using the registration utility (Start > All programs > Gemalto > Classic Client > Cryptographic Security Module registration).
• If you uninstall Classic Client, it is not automatically unregistered as a CSM in Firefox. This is not necessarily important, but if you really want to unregister Classic Client in Firefox, do so manually before uninstalling Classic Client (Start > All programs > Gemalto > Classic Client > Cryptographic Security Module unregistration).
• For certain versions of Microsoft Outlook it is not possible to sign a mail in Microsoft Outlook using a qualified signature in a card with the IAS XL / IAS ECC applet. This is because Outlook performs the hash instead of allowing the card to perform the hash as required.
• When using Adobe Reader, users can perform login and logout in the Security Settings window. After performing a login, if users remove and re-insert the card, they can still see that the card status is “logging in”. At this point, if users press the Logout button, logging out fails. This is an Adobe Reader issue due to its mechanism for getting the card status. The card status is updated only while the Security Settings window is open. If the Security Settings window is closed, Adobe Reader is unable to know the status of the card.
• An improper certificate name is displayed after importing the certificate using Firefox. When users import a certificate file that does not have a friendly name, Mozilla Firefox generates a new random string as the name of the certificate. As a result, a not-so-friendly certificate name is displayed in the Classic Client Toolbox.
• Users are unable to perform SSL Authentication using Internet Explorer 11 in Windows 8.1 if using the Metro interface with “Enhanced Protected Mode” activated (not to be confused with standard Protected Mode).
• Google Chrome does not support Certificate Enrollment, so users are unable to perform certificate enrollment using Google Chrome.
• PKCS #11 security registration is not supported in Firefox 15 and later. This limitation is due to the removal of a JavaScript privilege module in Firefox 15 for security reasons.

Observations
• Buttons for multi-page navigation (previous, first, next, last page) are never disabled. Using them has no effect when they are irrelevant.
• If a user changes the local.conf file manually, its permissions can be modified. eSigner might stop working because of modified access rights.
• If previous versions of eSigner and/or Classic Client are already present on the PC, you must uninstall these before running the eSigner bundle. (Ref #182)
• If the multi-page display feature is activated (LargeData.MultiPageDisplay = 1), and the user clicks Print, only the current page is printed, not the whole document. (Ref #183214)
• If the eSigner bundle is run from an administrator account, including the case where an administrator performs a silent installation for a user, the bundle appears in Control Panel > Programs and Features, as it should. However, it appears only when an administrator account logs on to the machine, not when a standard user logs on. This means eSigner and Classic Client cannot be uninstalled by uninstalling the bundle when a standard user is logged on. (Ref #183163)
Note: There is no problem if eSigner is installed from a standard user account that temporarily has administrator rights.

Where’s the Doc?

This section describes the documentation that is provided with eSigner 6 and where to find it:

eSigner 6 Documentation

eSigner Installation & User Guide
  Location: Provided alongside the eSigner installation package
  Description: Describes how to install eSigner 6 and perform certain end-user tasks.

Release Notes (this document)
  Location: Provided alongside the eSigner installation package
  Description: Describes the features and environments supported in eSigner 6.

EULA
  Location: Appears during installation when asked to accept terms and conditions; also installed in the default installation directory of the bundle
  Description: Describes the End User License Agreement – the terms and conditions of use for eSigner.