yubico-piv-tool NEWS -- History of user-visible changes. -*- outline -*-

* Version 2.2.0 (released 2021-01-20)

** ykpiv: Increased SO version
** ykpiv: Fixed minor memory leaks
** ykpiv: Improved error handling
** ykpiv: Improved handling of PCSC card validation
** ykcs11: Updated Cryptoki version
** ykcs11: Support for CKM_ECDH1_DERIVE mechanism info
** ykcs11: Support for destroying ECDH derived keys
** ykcs11: Improved handling of PIN after device re-connection
** ykcs11: Improved debug logging
** cmd: Improved parsing of certificate Distinguished Name to allow an escape character
** cmd: Warning to discourage generating RSA1024 keys
** build: Use of platform standard installation path when building yubico-piv-tool
** tests: Improved testing

* Version 2.1.1 (released 2020-07-20)

** Fixed missing dependency when building debian package

* Version 2.1.0 (released 2020-07-08)

** Replaced the autotools-based build with cmake
** Security update for https://www.yubico.com/support/security-advisories/ysa-2020-02/[YSA-2020-02]
** ykpiv: Fixed potential memory leaks
** ykpiv: Use PIN-protected MGMT key if the device is configured that way
** ykpiv: Added attestation to CSR if requested
** ykpiv: Fixed compatibility with LibreSSL
** ykcs11: Improved handling of error codes
** ykcs11: Improved handling of examples in the PKCS11 specifications
** ykcs11: Added the possibility to have debug output as a runtime setting
** ykcs11: Added support to unblock PIN with PUK
** ykcs11: Make C_SetPIN backwards compatible while also allowing unblock PIN
** tests: Improved tests

* Version 2.0.0 (released 2020-01-29)

** ykpiv: Added ykpiv_get_metadata and ykpiv_util_parse_metadata to read and parse private key metadata (supported from YK 5.3).

** ykpiv: Fixed PCSC transaction handling when re-selecting PIV due to external card reset events.

** ykpiv: Improved error reporting.

** ykpiv: Correctly report YK5 devices, and NEO and YK5 over NFC.

** ykpiv: MGM KEY (SO PIN) is cached (in addition to PIN).

** ykpiv: Fixed resetting of cached serial / version when an application re-uses ykpiv_state.

** ykpiv: ykpiv_get_pin_retries selects a different applet before re-selecting PIV since just re-selecting PIV is a no-op on YK5.

** ykcs11: Shared library exports all PKCS11 functions per the spec (for applications that don't use C_GetFunctionList).

** ykcs11: Support for up to 16 simultaneous sessions, with support for multi-threaded access (if requested when calling C_Initialize).

** ykcs11: Support for resetting the PIV application via C_InitToken. Requires knowledge of the MGMT KEY (SO PIN) per the PKCS11 spec.

** ykcs11: Support for public-key operations not supported by PIV (C_Verify, C_Encrypt), implemented using OpenSSL.

** ykcs11: Support for attestations, exposed as session objects of certificate class. Generated when opening the first session to a slot.

** ykcs11: Support for forked processes on Linux and MacOS.

** ykcs11: Support for RSA signatures using PKCS or PSS padding with optional digesting by the library. Raw signatures are also supported.

** ykcs11: Support for ECDSA signatures with optional digesting by the library. Raw signatures are also supported.

** ykcs11: Support for RSA encryption / decryption with PKCS or OAEP padding.

** ykcs11: Makes use of key metadata when available (YK 5.3 and above), providing access to keys even if certificates are not present.

** ykcs11: Supports SHA1, SHA256, SHA384 and SHA512 digesting, plus SHA224 digesting for ECDSA signatures and for the MGF1 digest in PSS / OAEP, implemented using OpenSSL.

** ykcs11: Supports C_Login with context-specific user type. This allows use cases that require both SO PIN and normal PIN in the same session.

* Version 1.7.0 (released 2019-04-03)

** Add ykpiv_get_serial() to API.

** Add version and serial to status output.

** FASC-N fixes for CHUID.

** ykcs11: Fix ECDSA signatures.

** Make self-signed X.509 certificates carry the correct extensions, matching OpenSSL.

** Security fixes.

** Documentation fixes.

** Try to clear memory that might contain secrets.

* Version 1.6.2 (released 2018-09-14)

** Compare reader names case-insensitively.

** Fix certificate and certificate request signatures with OpenSSL 1.1.

* Version 1.6.1 (released 2018-08-17)

** Compilation warning fixes for OpenSSL 1.1 builds.

** Fix length when encoding exactly 0xff bytes.

** Check length of objects correctly before storing in buffer.

** Check length of certificate correctly when storing.

* Version 1.6.0 (released 2018-08-08)

** Security release to mitigate https://www.yubico.com/support/security-advisories/ysa-2018-03/[YSA-2018-03].

** Allow building against LibreSSL.

** Bugfixes in OpenSSL 1.1 code.

** Fix compilation warnings.

** Fix ykcs11 key generation to work with OpenSSL 1.1.

** Ykcs11 compatibility fixes.

* Version 1.5.0 (released 2017-11-29)

** API additions: Higher-level "util" API added to libykpiv.

** Added ykpiv_attest(), ykpiv_get_pin_retries(), ykpiv_set_pin_retries()

** Added functions for using an existing PCSC card handle.

** Support using a custom memory allocator.

** Documentation updates. 'make doxygen' for HTML format.

** Expanded automated tests for hardware devices, moved to 'make hwcheck'.

** OpenSSL 1.1 support

** Moderate internal refactoring. Many small bugs fixed.

* Version 1.4.4 (released 2017-10-17)

** Documentation updates.

** Add PIN caching to work around disconnect problems.

** Disable RSA key generation on YubiKey 4 before 4.3.5.
See https://yubi.co/ysa201701/ for details.

* Version 1.4.3 (released 2017-04-18)

** Encode RSA x509 certificates correctly.

** Documentation updates.

** In ykcs11 return CKA_MODULUS correctly for private keys.

** In ykcs11 fix for signature size approximation.

** Fix PSS signatures in ykcs11.

** Add a CLI flag --stdin-input to make batch execution easier.

* Version 1.4.2 (released 2016-08-12)

** Clarify license headers and clean up YKCS11 licensing.
Now uses pkcs11.h from the Scute project.

** Don't install ykcs11-version.h.

** No cflags in ykcs11.pc.

** Unimplemented YKCS11 functions now return CKR_FUNCTION_FAILED.

* Version 1.4.1 (released 2016-08-11)

** Documentation updates

** Add possibility to export certificates in SSH format.

** Make certificate serial number random by default.

* Version 1.4.0 (released 2016-05-03)

** Add attest action
When used on a slot with a generated key, outputs a signed x509 certificate for
that slot showing that the key was generated in hardware. Available in firmware
4.3.0 and newer.

** Add cached parameter for touch-policy
With cached, the touch is valid for an additional 15s. Available in firmware
4.3.0 and newer.

** Enforce a minimum PIN length of 6 characters.

** Fix a bug with the list-readers action where it fell through processing into
write-object.

* Version 1.3.1 (released 2016-04-19)

** Fix a bug where unblock-pin would instead change the PUK, introduced in 1.3.0.

** Clarifications in help texts.

* Version 1.3.0 (released 2016-02-19)

** Fixed extraction of RSA modulus and exponent for pkcs11.

** Implemented C_SetPIN for pkcs11.

** Add generic write and read object actions for the tool.
Supports hex/binary/base64 formats.

** Add ykpiv_change_pin(), ykpiv_change_puk() and ykpiv_unblock_pin()

** Print CCC with status action.

** Address bugs with pkcs11 on Windows.

** Add --valid-days and --serial to tool for selfsign-certificate action.

** Ask for password for pkcs12 if none is given.

* Version 1.2.2 (released 2015-12-08)

** Fix old buffer overflow in change-pin functionality.

* Version 1.2.1 (released 2015-12-08)

** Fix issue with big certificates and status.

* Version 1.2.0 (released 2015-12-07)

** On OSX use @loader_path instead of @executable_path for ykcs11.

** Add ykpiv_import_private_key to libykpiv.

** Raise buffer sizes to support bigger objects.

** Change behavior of action status: only list populated slots.

** Add retired keys to ykcs11.

** In ykcs11 support login with a non-null-terminated PIN.

** Add a new action set-ccc to yubico-piv-tool to set the CCC.

* Version 1.1.2 (released 2015-11-13)

** Properly handle DER encoding in ECDSA signatures.

* Version 1.1.1 (released 2015-11-11)

** Make sure SCardContext is properly acquired and released.

* Version 1.1.0 (released 2015-11-06)

** Add support for new YubiKey 4.

** Add ykcs11.

* Version 1.0.3 (released 2015-10-01)

** Correct wording on unblock-pin action.

** Show PIN retries correctly.

** Use a bigger buffer for receiving data.

* Version 1.0.2 (released 2015-09-04)

** Query for different passwords/PINs on stdin if they're not supplied.

** If a reader fails, continue trying other matching readers.

** Authentication failed is supposed to be 0x63cX not 0x630X.

* Version 1.0.1 (released 2015-07-10)

** Project relicensed to 2-clause BSD license

** Minor fixes found with clang scan-build

* Version 1.0.0 (released 2015-06-23)

** Add a test-decipher action.

** Check that e is 0x10001 on importing RSA keys

** Use PCSC transactions when sending and receiving data

* Version 0.1.6 (released 2015-03-23)

** Add a read-certificate action to the tool.

** Add a status action to the tool.

** Fix a library bug so NULL can be passed to ykpiv_verify()

** Add a test-signature action to the tool.

* Version 0.1.5 (released 2015-02-04)

** Revert the check for parity and just set parity before the weak check.

* Version 0.1.4 (released 2015-02-02)

** Prompt for input if input is stdin.

** Mark all bits of the signature as used in certs and requests.

** Correct error for unblock-pin.

** Fix hex decoding to accept capital letters and return an error on invalid input.

** Check parity of new management keys.

* Version 0.1.3 (released 2014-12-18)

** Add format DER for importing certificates.

** Make sure diagnostic feedback ends up on stderr.

** Add positive feedback for a couple of actions.

* Version 0.1.2 (released 2014-11-14)

** Fix an issue where shorter components of RSA keys were not packed correctly.

* Version 0.1.1 (released 2014-11-10)

** Correct broken CHUID that made Windows work inconsistently.

** Add support for compressed certificates.

** Fix broken unblock-pin action.

** Don't try to accept too-short keys for the mgm key.

** Only do applet authentication if needed.

** Add --hash for selecting what hash to use for signatures.

** Add hidden --sign command. Should probably not be used.

** Fix for signature algorithm in self-signed cert.

* Version 0.1.0 (released 2014-08-25)

** Break out functionality into a library.

** More testing.

* Version 0.0.3 (released 2014-05-26)

** Add delete-certificate action.

** Fix minor bugs.

* Version 0.0.2 (released 2014-02-19)

** Fix an offset bug with CHUID.

** Do full mutual auth with the applet.

* Version 0.0.1 (released 2014-02-11)

** Initial release.
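The management-key handling described by the 0.1.1, 0.1.4 and 0.1.5 entries above (reject too-short keys, then set DES odd parity before running the weak-key check), as an added example that is not yubico-piv-tool's own code: the weak/semi-weak key table is the one OpenSSL's DES_is_weak_key() compares against, and check_mgm_key is a constructed helper, not a libykpiv function.

```python
# Added example (not yubico-piv-tool code): management-key validation as described by the
# 0.1.1, 0.1.4 and 0.1.5 NEWS entries: reject short keys, fix DES odd parity on every byte,
# and only then run the weak-key check, so keys that become weak after parity are caught.

# DES weak and semi-weak keys as listed in OpenSSL's DES_is_weak_key(); all have odd parity,
# which is why a raw key must be parity-adjusted before it is compared against them.
_WEAK_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE", "1F1F1F1F0E0E0E0E", "E0E0E0E0F1F1F1F1",
    "01FE01FE01FE01FE", "FE01FE01FE01FE01", "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "01E001E001F101F1", "E001E001F101F101", "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "011F011F010E010E", "1F011F010E010E01", "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1",
)}

MGM_KEY_LEN = 24  # triple-length 3DES management key

def set_odd_parity(key: bytes) -> bytes:
    """Return key with the low bit of each byte set so that every byte has odd parity."""
    out = bytearray()
    for b in key:
        ones = bin(b >> 1).count("1")              # parity of the 7 key bits
        out.append((b & 0xFE) | (0 if ones % 2 else 1))
    return bytes(out)

def has_odd_parity(key: bytes) -> bool:
    return all(bin(b).count("1") % 2 == 1 for b in key)

def is_weak_3des(key: bytes) -> bool:
    """True if any 8-byte DES component of a 24-byte key is weak or semi-weak."""
    return any(key[i:i + 8] in _WEAK_KEYS for i in range(0, MGM_KEY_LEN, 8))

def check_mgm_key(hexkey: str) -> tuple:
    """Decode a hex management key; return (key, "") if acceptable, else (None, reason)."""
    try:
        key = bytes.fromhex(hexkey)                # accepts upper- and lower-case hex digits
    except ValueError:
        return None, "invalid hex"
    if len(key) != MGM_KEY_LEN:
        return None, "key must be %d bytes" % MGM_KEY_LEN
    key = set_odd_parity(key)                      # adjust first (0.1.5) ...
    if is_weak_3des(key):                          # ... then check the key DES will actually use
        return None, "weak DES component"
    return key, ""
```

A key such as 1E1E1E1E0F0F0F0F is not in the table as typed but becomes the weak key 1F1F1F1F0E0E0E0E once parity is set, which is exactly the case the 0.1.5 reordering catches.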