forked from Yubico/yubico-piv-tool
-
Notifications
You must be signed in to change notification settings - Fork 0
/
NEWS
427 lines (242 loc) · 12.6 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
yubico-piv-tool NEWS -- History of user-visible changes. -*- outline -*-
* Version 2.5.1 (released 2024-02-14)
** ykpiv: cmd: ykcs11: Fix buffer size for key import.
* Version 2.5.0 (released 2024-01-31)
** ykpiv: cmd: ykcs11: Various changes and improvements.
* Version 2.4.2 (released 2023-12-07)
** ykpiv: Fix potential type casting bug.
* Version 2.4.1 (released 2023-12-05)
** ykpiv: ykcs11: Fix building on certain architectures. Existing builds are not affected.
* Version 2.4.0 (released 2023-11-30)
** ykpiv: cmd: Add support for compressing certificate upon import
** ykcs11: Increase maximum number of slots to handle overflow
** ykcs11: Add support for CKA_COPYABLE and CKA_DESTROYABLE attributes
* Version 2.3.1 (released 2023-02-07)
** ykpiv: Add support for T=0 smartcards
** ykpiv: ykcs11: Minor code optimization
** ykpiv: ykcs11: Improve logging
** ykpiv: ykcs11: Improve error handling
** ykpiv: ykcs11: Fix minor bugs
** ykcs11: Add support for several PKCS11 Attributes
** ykcs11: Add support for CKM_ECDSA_SHA512 mechanism
** ykcs11: Fix incorrect value for public key attributes CKA_PRIVATE, CKA_SENSITIVE, CKA_ALWAYS_SENSITIVE, CKA_EXTRACTABLE and CKA_NEVER_EXTRACTABLE
** doc: Minor documentation improvement
* Version 2.3.0 (released 2022-03-01)
** ykpiv: Add support for AES management keys
** ykpiv: Better handling of connection reset
** ykpiv: Add support for T=0 protocol
** ykcs11: Support YubiKeys in NFC readers
** ykcs11: Support touch and PIN policies for imported private keys
** ykcs11: Support touch and PIN policy when generating keys
** ykcs11: Set length to -1 on function fail
** ykcs11: Ignore CKA_NAME_HASH_ALGORITHM and CKA_HASH_OF_SUBJECT_PUBLIC_KEY for certificates
** cmd: Support attestation in selfsign certificates
** build: Compile cleanly with openssl 1.1 and 3
* Version 2.2.1 (released 2021-09-07)
** ykpiv: Minor bug fixes
** ykcs11: Improved handling of object attributes
** ykcs11: Update flags for EC related mechanisms
** ykcs11: Minor bug fixes
** test: Improved testing
** doc: Improved documentation
* Version 2.2.0 (released 2021-01-20)
** ykpiv: Increased SO version
** ykpiv: Fixed minor memory leaks
** ykpiv: Improved error handling
** ykpiv: Improved handling of PCSC card validation
** ykcs11: Updated Cryptoki version
** ykcs11: Support for CKM_ECDH1_DERIVE mechanism info
** ykcs11: Support for destroying ECDH derived keys
** ykcs11: Improved handling of PIN after device re-connection
** ykcs11: Improved debug logging
** cmd: Improved parsing of certificate Distinguished Name to allow an escape character
** cmd: Warning to discourage generating RSA1024 keys
** build: Use of platform standard installation path when building yubico-piv-tool
** tests: Improved testing
* Version 2.1.1 (released 2020-07-20)
** Fixed missing dependency when building debian package
* Version 2.1.0 (released 2020-07-08)
** Replaced building with autotool with building with cmake
** Security update for https://www.yubico.com/support/security-advisories/ysa-2020-02/[YSA-2020-02]
** ykpiv: Fixed potential memory leaks
** ykpiv: Use PIN-protected MGMT key if the device is configured that way
** ykpiv: Added attestation to CSR if requested
** ykpiv: Fixed compatibility with LibreSSL
** ykcs11: Improved handling of error codes
** ykcs11: Improved handling of examples in the PKCS11 specifications
** ykcs11: Added the possibility to have debug output as a runtime setting
** ykcs11: Added support to unblock PIN with PUK
** ykcs11: Make C_SetPIN backwards compatible while also allowing unblock PIN
** tests: Improved tests
* Version 2.0.0 (released 2020-01-29)
** ykpiv: Added ykpiv_get_metadata and ykpiv_util_parse_metadata to read and parse private key metadata (supported from YK 5.3).
** ykpiv: Fixed PCSC transaction handling when re-selecting PIV due to external card reset events.
** ykpiv: Improved error reporting.
** ykpiv: Correctly report YK5 devices, and NEO and YK5 over NFC.
** ykpiv: MGM KEY (SO PIN) is cached (in addition to PIN).
** ykpiv: Fixed resetting of cached serial / version when an application re-uses ykpiv_state.
** ykpiv: ykpiv_get_pin_retries selects a different applet before re-selecting PIV since just re-selecting PIV is a no-op on YK5.
** ykcs11: Shared library exports all PKCS11 functions per the spec (For applications that don't use C_GetFunctionList).
** ykcs11: Support for up to 16 simultaneous sessions, with support for multi-threaded access (if requested when calling C_Initialize).
** ykcs11: Support for resetting the PIV application via C_initToken. Requires knowledge of the MGMT KEY (SO PIN) per the PKCS11 spec.
** ykcs11: Support for public-key operations not supported by PIV (C_Verify, C_Encrypt), implemented using OpenSSL.
** ykcs11: Support for attestations, exposed as session objects of certificate class. Generated when opening the first session to a slot.
** ykcs11: Support for forked processes on Linux and MacOS.
** ykcs11: Support for RSA signatures using PKCS or PSS padding with optional digesting by the library. Raw signatures are also supported.
** ykcs11: Support for ECDSA signatures with optional digesting by the library. Raw signatures are also supported.
** ykcs11: Support for RSA encryption / decryption with PKCS or OAEP padding.
** ykcs11: Makes use of key metadata when available (YK 5.3 and above), providing access to keys even if certificates are not present.
** ykcs11: Supports SHA1, SHA256, SHA384 and SHA512 digesting, plus SHA224 digesting for ECDSA signatures and for the MGF1 digest in PSS / OAEP, implemented using OpenSSL.
** ykcs11: Supports C_Login with context-specific user type. This allows use cases that require both SO PIN and normal PIN in the same session.
* Version 1.7.0 (released 2019-04-03)
** Add ykpiv_get_serial() to API.
** Add version and serial to status output.
** FASC-N fixes for CHUID.
** ykcs11: Fix ECDSA signatures.
** Make selfsigned X.509 extensions have correct extensions to match openssl.
** Security fixes.
** Documentation fixes.
** Try to clear memory that might contain secrets.
* Version 1.6.2 (released 2018-09-14)
** Compare reader names case insensitive.
** Fix certificate and certificate request signatures with OpenSSL 1.1.
* Version 1.6.1 (released 2018-08-17)
** Compilation warning fixes for OpenSSL 1.1 builds.
** Fix length when encoding exactly 0xff bytes.
** Check length of objects correctly before storing in buffer.
** Check length of certificate correctly when storing.
* Version 1.6.0 (released 2018-08-08)
** Security release to mitigate https://www.yubico.com/support/security-advisories/ysa-2018-03/[YSA-2018-03].
** Allow builiding against LibreSSL.
** Bugfixes in OpenSSL 1.1 code.
** Fix compilation warnings.
** Fix ykcs11 key generation to work with OpenSSL 1.1.
** Ykcs11 compatibility fixes.
* Version 1.5.0 (released 2017-11-29)
** API additions: Higher-level "util" API added to libykpiv.
** Added ykpiv_attest(), ykpiv_get_pin_retries(), ykpiv_set_pin_retries()
** Added functions for using existing PCSC card handle.
** Support using custom memory allocator.
** Documentation updates. 'make doxygen' for HTML format.
** Expanded automated tests for hardware devices, moved to 'make hwcheck'.
** OpenSSL 1.1 support
** Moderate internal refactoring. Many small bugs fixed.
* Version 1.4.4 (released 2017-10-17)
** Documentation updates.
** Add pin caching to work around disconnect problems.
** Disable RSA key generation on YubiKey 4 before 4.3.5.
See https://yubi.co/ysa201701/ for details.
* Version 1.4.3 (released 2017-04-18)
** Encode RSA x509 certificates correctly.
** Documentation updates.
** In ykcs11 return CKA_MODULUS correctly for private keys.
** In ykcs11 fix for signature size approximation.
** Fix PSS signatures in ykcs11.
** Add a CLI flag --stdin-input to make batch execution easier.
* Version 1.4.2 (released 2016-08-12)
** Clarify license headers and clean up YKCS11 licensing.
Now uses pkcs11.h from the Scute project.
** Don't install ykcs11-version.h.
** No cflags in ykcs11.pc.
** Unimplemented YKCS11 functions now return CKR_FUNCTION_FAILED.
* Version 1.4.1 (released 2016-08-11)
** Documentation updates
** Add possibility to export certificates in SSH format.
** Make certificate serial number random by default.
* Version 1.4.0 (released 2016-05-03)
** Add attest action
When used on a slot with a generated key, outputs a signed x509 certificate for
that slot showing that the key was generated in hardware. Available in firmware
4.3.0 and newer.
** Add cached parameter for touch-policy
With cached, the touch is valid for an additional 15s. Available in firmware
4.3.0 and newer.
** Enforce a minimum PIN length of 6 characters.
** Fix a bug with list-readers action where it fell through processing into
write-object.
* Version 1.3.1 (released 2016-04-19)
** Fix a bug where unblock pin would instead change puk, introduced in 1.3.0.
** Clarifications with help texts.
* Version 1.3.0 (released 2016-02-19)
** Fixed extraction of RSA modulus and exponent for pkcs11.
** Implemented C_SetPIN for pkcs11.
** Add generic write and read object actions for the tool.
Supports hex/binary/base64 formats
** Add ykpiv_change_pin(), ykpiv_change_puk() and ykpiv_unblock_pin()
** Print CCC with status action.
** Address bugs with pkcs11 on windows.
** Add --valid-days and --serial to tool for selfsign-certificate action.
** Ask for password for pkcs12 if none is given.
* Version 1.2.2 (released 2015-12-08)
** Fix old buffer overflow in change-pin functionality.
* Version 1.2.1 (released 2015-12-08)
** Fix issue with big certificates and status.
* Version 1.2.0 (released 2015-12-07)
** On OSX use @loader_path instead of @executable_path for ykcs11.
** Add ykpiv_import_private_key to libykpiv.
** Raise buffer sizes to support bigger objects.
** Change behavior of action status, only list populated slots.
** Add retired keys to ykcs11.
** In ykcs11 support login with non null terminated pin.
** Add a new action set-ccc to yubico-piv-tool to set the CCC.
* Version 1.1.2 (released 2015-11-13)
** Properly handle DER encoding in ECDSA signatures.
* Version 1.1.1 (released 2015-11-11)
** Make sure SCardContext is properly acquired and released.
* Version 1.1.0 (released 2015-11-06)
** Add support for new YubiKey 4.
** Add ykcs11.
* Version 1.0.3 (released 2015-10-01)
** Correct wording on unblock-pin action.
** Show pin retries correctly.
** Use a bigger buffer for receiving data.
* Version 1.0.2 (released 2015-09-04)
** Query for different passwords/pins on stdin if they're not supplied.
** If a reader fails continue trying matching readers.
** Authentication failed is supposed to be 0x63cX not 0x630X.
* Version 1.0.1 (released 2015-07-10)
** Project relicensed to 2-clause BSD license
** Minor fixes found with clang scan-build
* Version 1.0.0 (released 2015-06-23)
** Add a test-decipher action.
** Check that e is 0x10001 on importing rsa keys
** Use PCSC transactions when sending and receiving data
* Version 0.1.6 (released 2015-03-23)
** Add a read-certificate action to the tool.
** Add a status action to the tool.
** Fix a library bug so NULL can be passed to ykpiv_verify()
** Add a test-signature action to the tool.
* Version 0.1.5 (released 2015-02-04)
** Revert the check for parity and just set parity before the weak check.
* Version 0.1.4 (released 2015-02-02)
** Prompt for input if input is stdin.
** Mark all bits of the signature as used is certs and requests.
** Correct error for unblock-pin.
** Fix hex decode to decode capital letters and return error.
** Check parity of new management keys.
* Version 0.1.3 (released 2014-12-18)
** Add format DER for importing certificates.
** Make sure diagnostic feedback ends up on stderr.
** Add positive feedback for a couple of actions.
* Version 0.1.2 (released 2014-11-14)
** Fix an issue where shorter component of RSA keys where not packed correctly.
* Version 0.1.1 (released 2014-11-10)
** Correct broken CHUID that made windows work inconsistently.
** Add support for compressed certificates.
** Fix broken unblock-pin action.
** Don't try to accept to short keys for mgm key.
** Only do applet authentication if needed.
** Add --hash for selecting what hash to use for signatures.
** Add hidden --sign command. Should probably not be used.
** Fix for signature algorithm in selfsigned cert.
* Version 0.1.0 (released 2014-08-25)
** Break out functionality into a library.
** More testing.
* Version 0.0.3 (released 2014-05-26)
** Add delete-certificate action.
** Fix minor bugs.
* Version 0.0.2 (released 2014-02-19)
** Fix an offset bug with CHUID.
** Do full mutual auth with the applet.
* Version 0.0.1 (released 2014-02-11)
** Initial release.