yubico-piv-tool NEWS -- History of user-visible changes. -*- outline -*-

* Version 1.6.1 (unreleased)

* Version 1.6.0 (released 2018-08-08)
** Security release to mitigate https://www.yubico.com/support/security-advisories/ysa-2018-03/[YSA-2018-03].

* Version 1.5.0 (released 2017-11-29)
** API additions: Higher-level "util" API added to libykpiv.
** Added ykpiv_attest(), ykpiv_get_pin_retries(), ykpiv_set_pin_retries()
** Added functions for using existing PCSC card handle.
** Support using custom memory allocator.
** Documentation updates. 'make doxygen' for HTML format.
** Expanded automated tests for hardware devices, moved to 'make hwcheck'.
** OpenSSL 1.1 support
** Moderate internal refactoring. Many small bugs fixed.

* Version 1.4.4 (released 2017-10-17)
** Documentation updates.
** Add pin caching to work around disconnect problems.
** Disable RSA key generation on YubiKey 4 before 4.3.5. See https://yubi.co/ysa201701/ for details.

* Version 1.4.3 (released 2017-04-18)
** Encode RSA x509 certificates correctly.
** Documentation updates.
** In ykcs11 return CKA_MODULUS correctly for private keys.
** In ykcs11 fix for signature size approximation.
** Fix PSS signatures in ykcs11.
** Add a CLI flag --stdin-input to make batch execution easier.

* Version 1.4.2 (released 2016-08-12)
** Clarify license headers and clean up YKCS11 licensing. Now uses pkcs11.h from the Scute project.
** Don't install ykcs11-version.h.
** No cflags in ykcs11.pc.
** Unimplemented YKCS11 functions now return CKR_FUNCTION_FAILED.

* Version 1.4.1 (released 2016-08-11)
** Documentation updates
** Add possibility to export certificates in SSH format.
** Make certificate serial number random by default.

* Version 1.4.0 (released 2016-05-03)
** Add attest action
When used on a slot with a generated key, outputs a signed x509 certificate
for that slot showing that the key was generated in hardware.
Available in firmware 4.3.0 and newer.
** Add cached parameter for touch-policy
With cached, the touch is valid for an additional 15s.
Available in firmware 4.3.0 and newer.
** Enforce a minimum PIN length of 6 characters.
** Fix a bug with list-readers action where it fell through processing into write-object.

* Version 1.3.1 (released 2016-04-19)
** Fix a bug where unblock pin would instead change puk, introduced in 1.3.0.
** Clarifications with help texts.

* Version 1.3.0 (released 2016-02-19)
** Fixed extraction of RSA modulus and exponent for pkcs11.
** Implemented C_SetPIN for pkcs11.
** Add generic write and read object actions for the tool. Supports hex/binary/base64 formats
** Add ykpiv_change_pin(), ykpiv_change_puk() and ykpiv_unblock_pin()
** Print CCC with status action.
** Address bugs with pkcs11 on windows.
** Add --valid-days and --serial to tool for selfsign-certificate action.
** Ask for password for pkcs12 if none is given.

* Version 1.2.2 (released 2015-12-08)
** Fix old buffer overflow in change-pin functionality.

* Version 1.2.1 (released 2015-12-08)
** Fix issue with big certificates and status.

* Version 1.2.0 (released 2015-12-07)
** On OSX use @loader_path instead of @executable_path for ykcs11.
** Add ykpiv_import_private_key to libykpiv.
** Raise buffer sizes to support bigger objects.
** Change behavior of action status, only list populated slots.
** Add retired keys to ykcs11.
** In ykcs11 support login with non null terminated pin.
** Add a new action set-ccc to yubico-piv-tool to set the CCC.

* Version 1.1.2 (released 2015-11-13)
** Properly handle DER encoding in ECDSA signatures.

* Version 1.1.1 (released 2015-11-11)
** Make sure SCardContext is properly acquired and released.

* Version 1.1.0 (released 2015-11-06)
** Add support for new YubiKey 4.
** Add ykcs11.

* Version 1.0.3 (released 2015-10-01)
** Correct wording on unblock-pin action.
** Show pin retries correctly.
** Use a bigger buffer for receiving data.

* Version 1.0.2 (released 2015-09-04)
** Query for different passwords/pins on stdin if they're not supplied.
** If a reader fails continue trying matching readers.
** Authentication failed is supposed to be 0x63cX not 0x630X.

* Version 1.0.1 (released 2015-07-10)
** Project relicensed to 2-clause BSD license
** Minor fixes found with clang scan-build

* Version 1.0.0 (released 2015-06-23)
** Add a test-decipher action.
** Check that e is 0x10001 on importing rsa keys
** Use PCSC transactions when sending and receiving data

* Version 0.1.6 (released 2015-03-23)
** Add a read-certificate action to the tool.
** Add a status action to the tool.
** Fix a library bug so NULL can be passed to ykpiv_verify()
** Add a test-signature action to the tool.

* Version 0.1.5 (released 2015-02-04)
** Revert the check for parity and just set parity before the weak check.

* Version 0.1.4 (released 2015-02-02)
** Prompt for input if input is stdin.
** Mark all bits of the signature as used in certs and requests.
** Correct error for unblock-pin.
** Fix hex decode to decode capital letters and return error.
** Check parity of new management keys.

* Version 0.1.3 (released 2014-12-18)
** Add format DER for importing certificates.
** Make sure diagnostic feedback ends up on stderr.
** Add positive feedback for a couple of actions.

* Version 0.1.2 (released 2014-11-14)
** Fix an issue where shorter component of RSA keys were not packed correctly.

* Version 0.1.1 (released 2014-11-10)
** Correct broken CHUID that made windows work inconsistently.
** Add support for compressed certificates.
** Fix broken unblock-pin action.
** Don't try to accept too short keys for mgm key.
** Only do applet authentication if needed.
** Add --hash for selecting what hash to use for signatures.
** Add hidden --sign command. Should probably not be used.
** Fix for signature algorithm in selfsigned cert.

* Version 0.1.0 (released 2014-08-25)
** Break out functionality into a library.
** More testing.

* Version 0.0.3 (released 2014-05-26)
** Add delete-certificate action.
** Fix minor bugs.

* Version 0.0.2 (released 2014-02-19)
** Fix an offset bug with CHUID.
** Do full mutual auth with the applet.

* Version 0.0.1 (released 2014-02-11)
** Initial release.