Release 2.3.5


What’s New

Added support for ECC (Elliptic Curve Cryptography) certificates: ECC provides strong encryption with smaller key sizes, delivering improved performance and security efficiency. (refs PB-118805)

The default padding for RSA digital signatures has reverted to PKCS#1 v1.5: Starting with version 2.3.2, RSASSA-PSS was introduced as the default RSA signature padding. However, some older smart cards and USB tokens do not support RSASSA-PSS. To maintain compatibility with these devices and to avoid the need for additional configurations, PKCS#1 v1.5 has been restored as the default RSA signature padding. (refs PB-121339)

Users who wish to use RSASSA-PSS can enable it by creating or modifying the following registry value (REG_SZ):

HKEY_CURRENT_USER\SOFTWARE\OneSpan\OneSpan Personal Certificate Client\Cryptography
RsaPadding = PSS

Alternatively, this can be configured by executing the following:

reg add "HKCU\SOFTWARE\OneSpan\OneSpan Personal Certificate Client\Cryptography" /v RsaPadding /t REG_SZ /d PSS

Bug Fixes

The following issues were resolved in this release:

  • Fixed a concurrency issue. (refs PB-121626)

  • Improved certificate filtering for digital signing. PCC requires that certificates used for signing contain a KeyUsage extension explicitly permitting digital signing, including the nonRepudiation (contentCommitment) flag. For more information, see Personal Certificate Client Prerequisites. (refs PB-118805)

    This policy aligns certificate selection with common document signing compliance profiles (for example, PAdES / AdES) and helps prevent users from inadvertently signing documents with certificates not intended for this purpose.

    In previous versions, it was also possible to sign using certificates that did not contain a KeyUsage extension at all. As of version 2.3.5, such certificates are excluded by default.

    If you need to allow certificates without a KeyUsage extension, this behavior can be overridden by setting the following registry value (REG_SZ):

    HKEY_CURRENT_USER\SOFTWARE\OneSpan\OneSpan Personal Certificate Client\Cryptography\AllowNoKeyUsageCertificates = 1

    Alternatively, the registry value can be added by executing:

    reg add "HKCU\SOFTWARE\OneSpan\OneSpan Personal Certificate Client\Cryptography" /v AllowNoKeyUsageCertificates /t REG_SZ /d 1
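To check a workstation against the settings and the KeyUsage rule described in these notes, the following read-only PowerShell audit can be used. It is an added example, not OneSpan code, and it assumes the signing certificates are in the current user's Personal store (`Cert:\CurrentUser\My`); the `Get-PccSetting` helper name is hypothetical.

```powershell
# Added example: read-only audit of the PCC registry values and KeyUsage flags.
$key = 'HKCU:\SOFTWARE\OneSpan\OneSpan Personal Certificate Client\Cryptography'

function Get-PccSetting([string]$Name) {
    # Returns $null when the key or value is absent, meaning the default applies.
    (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
}

$padding   = Get-PccSetting 'RsaPadding'
$allowNoKu = Get-PccSetting 'AllowNoKeyUsageCertificates'

# Effective configuration as documented for release 2.3.5.
[pscustomobject]@{
    RsaPadding                  = if ($padding) { $padding } else { 'not set (PKCS#1 v1.5 default)' }
    AllowNoKeyUsageCertificates = if ($allowNoKu) { $allowNoKu } else { 'not set (no-KeyUsage certificates excluded)' }
} | Format-List

$kuType = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
$flags  = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

# Assumption: signing certificates are in the current user's Personal store.
Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    # A certificate carries at most one KeyUsage extension (OID 2.5.29.15).
    $ku = $_.Extensions | Where-Object { $_ -is $kuType } | Select-Object -First 1
    [pscustomobject]@{
        Subject          = $_.Subject
        NotAfter         = $_.NotAfter
        KeyAlgorithm     = $_.PublicKey.Oid.FriendlyName   # for example RSA or ECC
        HasKeyUsage      = [bool]$ku
        DigitalSignature = ($ku -and $ku.KeyUsages.HasFlag($flags::DigitalSignature))
        NonRepudiation   = ($ku -and $ku.KeyUsages.HasFlag($flags::NonRepudiation))
    }
} | Format-Table -AutoSize
```

Both registry values live under HKEY_CURRENT_USER, so run the audit as the affected user. Rows with `HasKeyUsage` false are the certificates that 2.3.5 excludes unless `AllowNoKeyUsageCertificates` is set.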