yubico-piv-tool NEWS -- History of user-visible changes.        -*- outline -*-

* Version 2.2.0 (released 2021-01-20)

** ykpiv: Increased SO version
** ykpiv: Fixed minor memory leaks
** ykpiv: Improved error handling
** ykpiv: Improved handling of PCSC card validation
** ykcs11: Updated Cryptoki version
** ykcs11: Support for CKM_ECDH1_DERIVE mechanism info
** ykcs11: Support for destroying ECDH derived keys
** ykcs11: Improved handling of PIN after device re-connection
** ykcs11: Improved debug logging
** cmd: Improved parsing of certificate Distinguished Name to allow an escape character
** cmd: Warning to discourage generating RSA1024 keys
** build: Use of platform standard installation path when building yubico-piv-tool
** tests: Improved testing

* Version 2.1.1 (released 2020-07-20)

** Fixed missing dependency when building Debian package

* Version 2.1.0 (released 2020-07-08)

** Replaced the autotools build with cmake
** Security update for https://www.yubico.com/support/security-advisories/ysa-2020-02/[YSA-2020-02]
** ykpiv: Fixed potential memory leaks
** ykpiv: Use PIN-protected MGMT key if the device is configured that way
** ykpiv: Added attestation to CSR if requested
** ykpiv: Fixed compatibility with LibreSSL
** ykcs11: Improved handling of error codes
** ykcs11: Improved handling of examples in the PKCS11 specifications
** ykcs11: Added the possibility to have debug output as a runtime setting
** ykcs11: Added support to unblock PIN with PUK
** ykcs11: Make C_SetPIN backwards compatible while also allowing unblock PIN
** tests: Improved tests

* Version 2.0.0 (released 2020-01-29)

** ykpiv: Added ykpiv_get_metadata and ykpiv_util_parse_metadata to read and parse private key metadata (supported from YK 5.3).

** ykpiv: Fixed PCSC transaction handling when re-selecting PIV due to external card reset events.

** ykpiv: Improved error reporting.

** ykpiv: Correctly report YK5 devices, and NEO and YK5 over NFC.

** ykpiv: MGM KEY (SO PIN) is cached (in addition to PIN).

** ykpiv: Fixed resetting of cached serial / version when an application re-uses ykpiv_state.

** ykpiv: ykpiv_get_pin_retries selects a different applet before re-selecting PIV, since just re-selecting PIV is a no-op on YK5.

** ykcs11: Shared library exports all PKCS11 functions per the spec (for applications that don't use C_GetFunctionList).

** ykcs11: Support for up to 16 simultaneous sessions, with support for multi-threaded access (if requested when calling C_Initialize).

** ykcs11: Support for resetting the PIV application via C_InitToken. Requires knowledge of the MGMT KEY (SO PIN) per the PKCS11 spec.

** ykcs11: Support for public-key operations not supported by PIV (C_Verify, C_Encrypt), implemented using OpenSSL.

** ykcs11: Support for attestations, exposed as session objects of certificate class. Generated when opening the first session to a slot.

** ykcs11: Support for forked processes on Linux and macOS.

** ykcs11: Support for RSA signatures using PKCS or PSS padding with optional digesting by the library. Raw signatures are also supported.

** ykcs11: Support for ECDSA signatures with optional digesting by the library. Raw signatures are also supported.

** ykcs11: Support for RSA encryption / decryption with PKCS or OAEP padding.

** ykcs11: Makes use of key metadata when available (YK 5.3 and above), providing access to keys even if certificates are not present.

** ykcs11: Supports SHA1, SHA256, SHA384 and SHA512 digesting, plus SHA224 digesting for ECDSA signatures and for the MGF1 digest in PSS / OAEP, implemented using OpenSSL.

** ykcs11: Supports C_Login with context-specific user type. This allows use cases that require both SO PIN and normal PIN in the same session.
* Version 1.7.0 (released 2019-04-03)

** Add ykpiv_get_serial() to API.

** Add version and serial to status output.

** FASC-N fixes for CHUID.

** ykcs11: Fix ECDSA signatures.

** Make self-signed X.509 certificates have the correct extensions to match openssl.

** Security fixes.

** Documentation fixes.

** Try to clear memory that might contain secrets.

* Version 1.6.2 (released 2018-09-14)

** Compare reader names case-insensitively.

** Fix certificate and certificate request signatures with OpenSSL 1.1.

* Version 1.6.1 (released 2018-08-17)

** Compilation warning fixes for OpenSSL 1.1 builds.

** Fix length when encoding exactly 0xff bytes.

** Check length of objects correctly before storing in buffer.

** Check length of certificate correctly when storing.

* Version 1.6.0 (released 2018-08-08)

** Security release to mitigate https://www.yubico.com/support/security-advisories/ysa-2018-03/[YSA-2018-03].

** Allow building against LibreSSL.

** Bugfixes in OpenSSL 1.1 code.

** Fix compilation warnings.

** Fix ykcs11 key generation to work with OpenSSL 1.1.

** Ykcs11 compatibility fixes.

* Version 1.5.0 (released 2017-11-29)

** API additions: Higher-level "util" API added to libykpiv.

** Added ykpiv_attest(), ykpiv_get_pin_retries(), ykpiv_set_pin_retries()

** Added functions for using existing PCSC card handle.

** Support using custom memory allocator.

** Documentation updates.  'make doxygen' for HTML format.

** Expanded automated tests for hardware devices, moved to 'make hwcheck'.

** OpenSSL 1.1 support

** Moderate internal refactoring.  Many small bugs fixed.
* Version 1.4.4 (released 2017-10-17)

** Documentation updates.

** Add PIN caching to work around disconnect problems.

** Disable RSA key generation on YubiKey 4 before 4.3.5.
See https://yubi.co/ysa201701/ for details.

* Version 1.4.3 (released 2017-04-18)

** Encode RSA x509 certificates correctly.

** Documentation updates.

** In ykcs11 return CKA_MODULUS correctly for private keys.

** In ykcs11 fix for signature size approximation.

** Fix PSS signatures in ykcs11.

** Add a CLI flag --stdin-input to make batch execution easier.

* Version 1.4.2 (released 2016-08-12)

** Clarify license headers and clean up YKCS11 licensing.
Now uses pkcs11.h from the Scute project.

** Don't install ykcs11-version.h.

** No cflags in ykcs11.pc.

** Unimplemented YKCS11 functions now return CKR_FUNCTION_FAILED.

* Version 1.4.1 (released 2016-08-11)

** Documentation updates

** Add possibility to export certificates in SSH format.

** Make certificate serial number random by default.

* Version 1.4.0 (released 2016-05-03)

** Add attest action
When used on a slot with a generated key, outputs a signed x509 certificate for
that slot showing that the key was generated in hardware. Available in firmware
4.3.0 and newer.

** Add cached parameter for touch-policy
With cached, the touch is valid for an additional 15s. Available in firmware
4.3.0 and newer.

** Enforce a minimum PIN length of 6 characters.

** Fix a bug with the list-readers action where it fell through processing into
write-object.

* Version 1.3.1 (released 2016-04-19)

** Fix a bug where unblock-pin would instead change the PUK, introduced in 1.3.0.

** Clarifications with help texts.

* Version 1.3.0 (released 2016-02-19)

** Fixed extraction of RSA modulus and exponent for pkcs11.

** Implemented C_SetPIN for pkcs11.

** Add generic write and read object actions for the tool.
Supports hex/binary/base64 formats.

** Add ykpiv_change_pin(), ykpiv_change_puk() and ykpiv_unblock_pin()

** Print CCC with status action.

** Address bugs with pkcs11 on Windows.

** Add --valid-days and --serial to tool for selfsign-certificate action.

** Ask for password for pkcs12 if none is given.

* Version 1.2.2 (released 2015-12-08)

** Fix old buffer overflow in change-pin functionality.

* Version 1.2.1 (released 2015-12-08)

** Fix issue with big certificates and status.

* Version 1.2.0 (released 2015-12-07)

** On OSX use @loader_path instead of @executable_path for ykcs11.

** Add ykpiv_import_private_key to libykpiv.

** Raise buffer sizes to support bigger objects.

** Change behavior of action status, only list populated slots.

** Add retired keys to ykcs11.

** In ykcs11 support login with a non-null-terminated PIN.

** Add a new action set-ccc to yubico-piv-tool to set the CCC.

* Version 1.1.2 (released 2015-11-13)

** Properly handle DER encoding in ECDSA signatures.

* Version 1.1.1 (released 2015-11-11)

** Make sure SCardContext is properly acquired and released.

* Version 1.1.0 (released 2015-11-06)

** Add support for new YubiKey 4.

** Add ykcs11.

* Version 1.0.3 (released 2015-10-01)

** Correct wording on unblock-pin action.

** Show PIN retries correctly.

** Use a bigger buffer for receiving data.

* Version 1.0.2 (released 2015-09-04)

** Query for different passwords/PINs on stdin if they're not supplied.

** If a reader fails, continue trying matching readers.

** Authentication failed is supposed to be 0x63cX, not 0x630X.

* Version 1.0.1 (released 2015-07-10)

** Project relicensed to 2-clause BSD license

** Minor fixes found with clang scan-build

* Version 1.0.0 (released 2015-06-23)

** Add a test-decipher action.

** Check that e is 0x10001 on importing RSA keys

** Use PCSC transactions when sending and receiving data

* Version 0.1.6 (released 2015-03-23)

** Add a read-certificate action to the tool.

** Add a status action to the tool.

** Fix a library bug so NULL can be passed to ykpiv_verify()

** Add a test-signature action to the tool.

* Version 0.1.5 (released 2015-02-04)

** Revert the check for parity and just set parity before the weak check.

* Version 0.1.4 (released 2015-02-02)

** Prompt for input if input is stdin.

** Mark all bits of the signature as used in certs and requests.

** Correct error for unblock-pin.

** Fix hex decode to decode capital letters and return error.

** Check parity of new management keys.
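
As an added example (not code from yubico-piv-tool), the parity-then-weak-key order that the 0.1.4 and 0.1.5 entries above describe, assuming a 24-byte 3DES management key and the standard DES weak/semi-weak key table: parity bits are normalised first, so a key supplied without parity bits set is still rejected if it is weak.

```c
/* Added example, not yubico-piv-tool code: set DES parity on a 24-byte
 * 3DES PIV management key, then reject weak/semi-weak keys (0.1.4/0.1.5). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DES_KEY_LEN 8
#define MGM_KEY_LEN 24

/* Standard DES weak (4) and semi-weak (12) keys, written with odd parity. */
static const uint8_t WEAK_KEYS[16][DES_KEY_LEN] = {
    {0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01},
    {0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE},
    {0x1F,0x1F,0x1F,0x1F,0x0E,0x0E,0x0E,0x0E},
    {0xE0,0xE0,0xE0,0xE0,0xF1,0xF1,0xF1,0xF1},
    {0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE},
    {0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01},
    {0x1F,0xE0,0x1F,0xE0,0x0E,0xF1,0x0E,0xF1},
    {0xE0,0x1F,0xE0,0x1F,0xF1,0x0E,0xF1,0x0E},
    {0x01,0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1},
    {0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1,0x01},
    {0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E,0xFE},
    {0xFE,0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E},
    {0x01,0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E},
    {0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E,0x01},
    {0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE},
    {0xFE,0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1},
};

/* Force odd parity on every byte: DES uses the low bit as the parity bit. */
void des_set_odd_parity(uint8_t *key, size_t len) {
    for (size_t i = 0; i < len; i++) {
        uint8_t b = key[i] & 0xFE, ones = 0;
        for (int bit = 1; bit < 8; bit++) ones += (b >> bit) & 1;
        key[i] = b | ((ones & 1) ? 0 : 1);   /* make the total bit count odd */
    }
}

/* Returns 1 if any 8-byte third of the key is weak after parity is set,
 * so a key given without parity bits is still caught (the 0.1.5 fix). */
int mgm_key_is_weak(const uint8_t key[MGM_KEY_LEN]) {
    uint8_t norm[MGM_KEY_LEN];
    memcpy(norm, key, MGM_KEY_LEN);
    des_set_odd_parity(norm, MGM_KEY_LEN);
    for (size_t k = 0; k < MGM_KEY_LEN; k += DES_KEY_LEN)
        for (size_t w = 0; w < 16; w++)
            if (memcmp(norm + k, WEAK_KEYS[w], DES_KEY_LEN) == 0) return 1;
    return 0;
}
```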

* Version 0.1.3 (released 2014-12-18)

** Add format DER for importing certificates.

** Make sure diagnostic feedback ends up on stderr.

** Add positive feedback for a couple of actions.

* Version 0.1.2 (released 2014-11-14)

** Fix an issue where shorter components of RSA keys were not packed correctly.

* Version 0.1.1 (released 2014-11-10)

** Correct broken CHUID that made Windows work inconsistently.

** Add support for compressed certificates.

** Fix broken unblock-pin action.

** Don't try to accept too-short keys for the management key.

** Only do applet authentication if needed.

** Add --hash for selecting what hash to use for signatures.

** Add hidden --sign command. Should probably not be used.

** Fix for signature algorithm in self-signed cert.

* Version 0.1.0 (released 2014-08-25)

** Break out functionality into a library.

** More testing.

* Version 0.0.3 (released 2014-05-26)

** Add delete-certificate action.

** Fix minor bugs.

* Version 0.0.2 (released 2014-02-19)

** Fix an offset bug with CHUID.

** Do full mutual auth with the applet.

* Version 0.0.1 (released 2014-02-11)

** Initial release.
