yubico-piv-tool NEWS -- History of user-visible changes. -*- outline -*-

* Version 1.6.1 (unreleased)

* Version 1.6.0 (released 2018-08-08)

** Security release to mitigate https://www.yubico.com/support/security-advisories/ysa-2018-03/[YSA-2018-03].

** Allow building against LibreSSL.

** Bugfixes in OpenSSL 1.1 code.

** Fix compilation warnings.

** Fix ykcs11 key generation to work with OpenSSL 1.1.

** Ykcs11 compatibility fixes.

* Version 1.5.0 (released 2017-11-29)

** API additions: Higher-level "util" API added to libykpiv.

** Added ykpiv_attest(), ykpiv_get_pin_retries(), ykpiv_set_pin_retries()

** Added functions for using existing PCSC card handle.

** Support using custom memory allocator.

** Documentation updates. 'make doxygen' for HTML format.

** Expanded automated tests for hardware devices, moved to 'make hwcheck'.

** OpenSSL 1.1 support

** Moderate internal refactoring. Many small bugs fixed.

* Version 1.4.4 (released 2017-10-17)

** Documentation updates.

** Add pin caching to work around disconnect problems.

** Disable RSA key generation on YubiKey 4 before 4.3.5.
See https://yubi.co/ysa201701/ for details.

* Version 1.4.3 (released 2017-04-18)

** Encode RSA x509 certificates correctly.

** Documentation updates.

** In ykcs11 return CKA_MODULUS correctly for private keys.

** In ykcs11 fix for signature size approximation.

** Fix PSS signatures in ykcs11.

** Add a CLI flag --stdin-input to make batch execution easier.

* Version 1.4.2 (released 2016-08-12)

** Clarify license headers and clean up YKCS11 licensing.
Now uses pkcs11.h from the Scute project.

** Don't install ykcs11-version.h.

** No cflags in ykcs11.pc.

** Unimplemented YKCS11 functions now return CKR_FUNCTION_FAILED.

* Version 1.4.1 (released 2016-08-11)

** Documentation updates

** Add possibility to export certificates in SSH format.

** Make certificate serial number random by default.

* Version 1.4.0 (released 2016-05-03)

** Add attest action
When used on a slot with a generated key, outputs a signed x509 certificate for
that slot showing that the key was generated in hardware. Available in firmware
4.3.0 and newer.

** Add cached parameter for touch-policy
With cached, the touch is valid for an additional 15s. Available in firmware
4.3.0 and newer.

** Enforce a minimum PIN length of 6 characters.

** Fix a bug with list-readers action where it fell through processing into
write-object.

* Version 1.3.1 (released 2016-04-19)

** Fix a bug where unblock pin would instead change puk, introduced in 1.3.0.

** Clarifications with help texts.

* Version 1.3.0 (released 2016-02-19)

** Fixed extraction of RSA modulus and exponent for pkcs11.

** Implemented C_SetPIN for pkcs11.

** Add generic write and read object actions for the tool.
Supports hex/binary/base64 formats

** Add ykpiv_change_pin(), ykpiv_change_puk() and ykpiv_unblock_pin()

** Print CCC with status action.

** Address bugs with pkcs11 on Windows.

** Add --valid-days and --serial to tool for selfsign-certificate action.

** Ask for password for pkcs12 if none is given.

* Version 1.2.2 (released 2015-12-08)

** Fix old buffer overflow in change-pin functionality.

* Version 1.2.1 (released 2015-12-08)

** Fix issue with big certificates and status.

* Version 1.2.0 (released 2015-12-07)

** On OSX use @loader_path instead of @executable_path for ykcs11.

** Add ykpiv_import_private_key to libykpiv.

** Raise buffer sizes to support bigger objects.

** Change behavior of action status, only list populated slots.

** Add retired keys to ykcs11.

** In ykcs11 support login with non null terminated pin.

** Add a new action set-ccc to yubico-piv-tool to set the CCC.

* Version 1.1.2 (released 2015-11-13)

** Properly handle DER encoding in ECDSA signatures.

* Version 1.1.1 (released 2015-11-11)

** Make sure SCardContext is properly acquired and released.

* Version 1.1.0 (released 2015-11-06)

** Add support for new YubiKey 4.

** Add ykcs11.

* Version 1.0.3 (released 2015-10-01)

** Correct wording on unblock-pin action.

** Show pin retries correctly.

** Use a bigger buffer for receiving data.

* Version 1.0.2 (released 2015-09-04)

** Query for different passwords/pins on stdin if they're not supplied.

** If a reader fails continue trying matching readers.

** Authentication failed is supposed to be 0x63cX not 0x630X.

* Version 1.0.1 (released 2015-07-10)

** Project relicensed to 2-clause BSD license

** Minor fixes found with clang scan-build

* Version 1.0.0 (released 2015-06-23)

** Add a test-decipher action.

** Check that e is 0x10001 on importing RSA keys

** Use PCSC transactions when sending and receiving data

* Version 0.1.6 (released 2015-03-23)

** Add a read-certificate action to the tool.

** Add a status action to the tool.

** Fix a library bug so NULL can be passed to ykpiv_verify()

** Add a test-signature action to the tool.

* Version 0.1.5 (released 2015-02-04)

** Revert the check for parity and just set parity before the weak check.

* Version 0.1.4 (released 2015-02-02)

** Prompt for input if input is stdin.

** Mark all bits of the signature as used in certs and requests.

** Correct error for unblock-pin.

** Fix hex decode to decode capital letters and return error.

** Check parity of new management keys.

* Version 0.1.3 (released 2014-12-18)

** Add format DER for importing certificates.

** Make sure diagnostic feedback ends up on stderr.

** Add positive feedback for a couple of actions.

* Version 0.1.2 (released 2014-11-14)

** Fix an issue where shorter components of RSA keys were not packed correctly.

* Version 0.1.1 (released 2014-11-10)

** Correct broken CHUID that made Windows work inconsistently.

** Add support for compressed certificates.

** Fix broken unblock-pin action.

** Don't try to accept too short keys for mgm key.

** Only do applet authentication if needed.

** Add --hash for selecting what hash to use for signatures.

** Add hidden --sign command. Should probably not be used.

** Fix for signature algorithm in selfsigned cert.

* Version 0.1.0 (released 2014-08-25)

** Break out functionality into a library.

** More testing.

* Version 0.0.3 (released 2014-05-26)

** Add delete-certificate action.

** Fix minor bugs.

* Version 0.0.2 (released 2014-02-19)

** Fix an offset bug with CHUID.

** Do full mutual auth with the applet.

* Version 0.0.1 (released 2014-02-11)

** Initial release.