2022-02-01 15:37:49 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jan 31 20:31:47 UTC 2022 - Dirk Müller <dmueller@suse.com>
|
|
|
|
|
|
|
|
|
|
- update to 2.2.1:
|
|
|
|
|
* ykpiv: Minor bug fixes
|
|
|
|
|
* ykcs11: Improved handling of object attributes
|
|
|
|
|
* ykcs11: Update flags for EC related mechanisms
|
|
|
|
|
* ykcs11: Minor bug fixes
|
|
|
|
|
* test: Improved testing
|
|
|
|
|
* doc: Improved documentation
|
|
|
|
|
|
2021-03-02 07:16:17 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sun Feb 28 18:33:22 UTC 2021 - Dirk Müller <dmueller@suse.com>
|
|
|
|
|
|
|
|
|
|
- update to 2.2.0:
|
|
|
|
|
* ykpiv: Increased SO version
|
|
|
|
|
* ykpiv: Fixed minor memory leaks
|
|
|
|
|
* ykpiv: Improved error handling
|
|
|
|
|
* ykpiv: Improved handling of PCSC card validation
|
|
|
|
|
* ykcs11: Updated Cryptoki version
|
|
|
|
|
* ykcs11: Support for CKM_ECDH1_DERIVE mechanism info
|
|
|
|
|
* ykcs11: Support for destroying ECDH derived keys
|
|
|
|
|
* ykcs11: Improved handling of PIN after device re-connection
|
|
|
|
|
* ykcs11: Improved debug logging
|
|
|
|
|
* cmd: Improved parsing of certificate Distinguished Name to allow an escape character
|
|
|
|
|
* cmd: Warning to discourage generating RSA1024 keys
|
|
|
|
|
* build: Use of platform standard installation path when building yubico-piv-tool
|
|
|
|
|
* tests: Improved testing
|
|
|
|
|
* Replaced building with autotool with building with cmake
|
|
|
|
|
* Security update for YSA-2020-02
|
|
|
|
|
* ykpiv: Fixed potential memory leaks
|
|
|
|
|
* ykpiv: Use PIN-protected MGMT key if the device is configured that way
|
|
|
|
|
* ykpiv: Added attestation to CSR if requested
|
|
|
|
|
* ykpiv: Fixed compatibility with LibreSSL
|
|
|
|
|
* ykcs11: Improved handling of error codes
|
|
|
|
|
* ykcs11: Improved handling of examples in the PKCS11 specifications
|
|
|
|
|
* ykcs11: Added the possibility to have debug output as a runtime setting
|
|
|
|
|
* ykcs11: Added support to unblock PIN with PUK
|
|
|
|
|
* ykcs11: Make C_SetPIN backwards compatible while also allowing unblock PIN
|
|
|
|
|
* tests: Improved tests
|
|
|
|
|
- run tests
|
|
|
|
|
- add pthread-link.patch
|
|
|
|
|
|
2020-03-01 01:15:48 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sun Mar 1 00:11:08 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>
|
|
|
|
|
|
|
|
|
|
- Version 2.0.0
|
|
|
|
|
- ykpiv: Added ykpiv_get_metadata and ykpiv_util_parse_metadata
|
|
|
|
|
to read and parse private key metadata (supported from YK 5.3).
|
|
|
|
|
- ykpiv: Fixed PCSC transaction handling when re-selecting PIV
|
|
|
|
|
due to external card reset events.
|
|
|
|
|
- ykpiv: Improved error reporting.
|
|
|
|
|
- ykpiv: Correctly report YK5 devices, and NEO and YK5 over NFC.
|
|
|
|
|
- ykpiv: MGM KEY (SO PIN) is cached (in addition to PIN).
|
|
|
|
|
- ykpiv: Fixed resetting of cached serial / version when an
|
|
|
|
|
application re-uses ykpiv_state.
|
|
|
|
|
- ykpiv: ykpiv_get_pin_retries selects a different applet before
|
|
|
|
|
re-selecting PIV since just re-selecting PIV is a no-op on YK5.
|
|
|
|
|
- ykcs11: Shared library exports all PKCS11 functions per the
|
|
|
|
|
spec (For applications that don’t use C_GetFunctionList).
|
|
|
|
|
- ykcs11: Support for up to 16 simultaneous sessions, with
|
|
|
|
|
support for multi-threaded access (if requested when calling
|
|
|
|
|
C_Initialize).
|
|
|
|
|
- ykcs11: Support for resetting the PIV application via
|
|
|
|
|
C_initToken. Requires knowledge of the MGMT KEY (SO PIN) per
|
|
|
|
|
the PKCS11 spec.
|
|
|
|
|
- ykcs11: Support for public-key operations not supported by PIV
|
|
|
|
|
(C_Verify, C_Encrypt), implemented using OpenSSL.
|
|
|
|
|
- ykcs11: Support for attestations, exposed as session objects of
|
|
|
|
|
certificate class. Generated when opening the first session to
|
|
|
|
|
a slot.
|
|
|
|
|
- ykcs11: Support for forked processes on Linux and MacOS.
|
|
|
|
|
- ykcs11: Support for RSA signatures using PKCS or PSS padding
|
|
|
|
|
with optional digesting by the library. Raw signatures are also
|
|
|
|
|
supported.
|
|
|
|
|
- ykcs11: Support for ECDSA signatures with optional digesting by
|
|
|
|
|
the library. Raw signatures are also supported.
|
|
|
|
|
- ykcs11: Support for RSA encryption / decryption with PKCS or
|
|
|
|
|
OAEP padding.
|
|
|
|
|
- ykcs11: Makes use of key metadata when available (YK 5.3 and
|
|
|
|
|
above), providing access to keys even if certificates are not
|
|
|
|
|
present.
|
|
|
|
|
- ykcs11: Supports SHA1, SHA256, SHA384 and SHA512 digesting,
|
|
|
|
|
plus SHA224 digesting for ECDSA signatures and for the MGF1
|
|
|
|
|
digest in PSS / OAEP, implemented using OpenSSL.
|
|
|
|
|
- ykcs11: Supports C_Login with context-specific user type. This
|
|
|
|
|
allows use cases that require both SO PIN and normal PIN in the
|
|
|
|
|
same session.
|
|
|
|
|
|
2019-06-03 10:34:04 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jun 3 08:22:20 UTC 2019 - Karol Babioch <kbabioch@suse.de>
|
|
|
|
|
|
|
|
|
|
- Version 1.7.0 (released 2019-04-03)
|
|
|
|
|
* Add ykpiv_get_serial() to API.
|
|
|
|
|
* Add version and serial to status output.
|
|
|
|
|
* FASC-N fixes for CHUID.
|
|
|
|
|
* ykcs11: Fix ECDSA signatures.
|
|
|
|
|
* Make selfsigned X.509 extensions have correct extensions to match openssl.
|
|
|
|
|
* Security fixes.
|
|
|
|
|
* Documentation fixes.
|
|
|
|
|
* Try to clear memory that might contain secrets.
|
|
|
|
|
|
2018-09-28 11:27:16 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Sep 28 09:10:38 UTC 2018 - Jan Engelhardt <jengelh@inai.de>
|
|
|
|
|
|
|
|
|
|
- Rename %soname to %sover to better reflect its use.
|
|
|
|
|
- Fix RPM groups.
|
|
|
|
|
|
2018-09-27 20:11:29 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Sep 27 11:58:29 UTC 2018 - Karol Babioch <kbabioch@suse.com>
|
|
|
|
|
|
|
|
|
|
- Version 1.6.2 (released 2018-09-14)
|
|
|
|
|
- Compare reader names case insensitive
|
|
|
|
|
- Fix certificate and certificate request signatures with OpenSSL 1.1
|
|
|
|
|
|
2018-08-28 15:31:16 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Aug 28 09:37:34 UTC 2018 - kbabioch@suse.com
|
|
|
|
|
|
|
|
|
|
- Version 1.6.1 (released 2018-08-17)
|
|
|
|
|
- Compilation warning fixes for OpenSSL 1.1 builds
|
|
|
|
|
- Fix length when encoding exactly 0xff bytes
|
|
|
|
|
- Check length of objects correctly before storing in buffer
|
|
|
|
|
- Check length of certificate correctly when storing
|
|
|
|
|
- Version 1.6.0 (released 2018-08-08)
|
|
|
|
|
- Security release to mitigate YSA-2018-03 (YSA-2018-03, CVE-2018-14779,
|
|
|
|
|
CVE-2018-14780, bsc#1104809, bsc#1104811)
|
|
|
|
|
- Allow building against LibreSSL
|
|
|
|
|
- Bugfixes in OpenSSL 1.1 code
|
|
|
|
|
- Fix compilation warnings
|
|
|
|
|
- Fix ykcs11 key generation to work with OpenSSL 1.1
|
|
|
|
|
- Ykcs11 compatibility fixes
|
|
|
|
|
- Make use of %license macro instead of %doc for COPYING
|
|
|
|
|
- Applied spec-cleaner
|
|
|
|
|
|
2017-12-01 12:46:22 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Nov 30 15:14:13 UTC 2017 - t.gruner@katodev.de
|
|
|
|
|
|
|
|
|
|
- Version 1.5.0 (released 2017-11-29)
|
|
|
|
|
- API additions: Higher-level "util" API added to libykpiv.
|
|
|
|
|
- Added ykpiv_attest(), ykpiv_get_pin_retries(), ykpiv_set_pin_retries()
|
|
|
|
|
- Added functions for using existing PCSC card handle.
|
|
|
|
|
- Support using custom memory allocator.
|
|
|
|
|
- Documentation updates. make doxygen for HTML format.
|
|
|
|
|
- Expanded automated tests for hardware devices, moved to make hwcheck.
|
|
|
|
|
- OpenSSL 1.1 support
|
|
|
|
|
- Moderate internal refactoring. Many small bugs fixed.
|
|
|
|
|
|
2017-11-22 07:12:40 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Nov 15 19:19:15 UTC 2017 - t.gruner@katodev.de
|
|
|
|
|
|
|
|
|
|
- Version 1.4.4 (released 2017-10-17)
|
|
|
|
|
- Documentation updates.
|
|
|
|
|
- Add pin caching to work around disconnect problems.
|
|
|
|
|
- Disable RSA key generation on YubiKey 4 before 4.3.5. See https://yubi.co/ysa201701/ for details.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon May 29 14:46:53 UTC 2017 - t.gruner@katodev.de
|
|
|
|
|
|
|
|
|
|
- Version 1.4.3 (released 2017-04-18)
|
|
|
|
|
- Encode RSA x509 certificates correctly.
|
|
|
|
|
- Documentation updates.
|
|
|
|
|
- In ykcs11 return CKA_MODULUS correctly for private keys.
|
|
|
|
|
- In ykcs11 fix for signature size approximation.
|
|
|
|
|
- Fix PSS signatures in ykcs11.
|
|
|
|
|
- Add a CLI flag --stdin-input to make batch execution easier.
|
|
|
|
|
|
2016-08-17 16:32:51 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Aug 17 14:03:58 UTC 2016 - t.gruner@katodev.de
|
|
|
|
|
|
|
|
|
|
- Version 1.4.2 (released 2016-08-12)
|
|
|
|
|
- Clarify license headers and clean up YKCS11 licensing. Now uses pkcs11.h from the Scute project.
|
|
|
|
|
- Don’t install ykcs11-version.h.
|
|
|
|
|
- No cflags in ykcs11.pc.
|
|
|
|
|
- Unimplemented YKCS11 functions now return CKR_FUNCTION_FAILED.
|
|
|
|
|
|
|
|
|
|
- Version 1.4.1 (released 2016-08-11)
|
|
|
|
|
- Documentation updates
|
|
|
|
|
- Add possibility to export certificates in SSH format.
|
|
|
|
|
- Make certificate serial number random by default.
|
|
|
|
|
|
2016-05-19 16:02:44 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue May 17 14:55:42 UTC 2016 - t.gruner@katodev.de
|
|
|
|
|
|
|
|
|
|
- Version 1.4.0 (released 2016-05-03)
|
|
|
|
|
- Add attest action When used on a slot with a generated key,
|
|
|
|
|
outputs a signed x509 certificate for that slot showing that
|
|
|
|
|
the key was generated in hardware. Available in firmware 4.3.0 and newer.
|
|
|
|
|
- Add cached parameter for touch-policy With cached, the touch is valid
|
|
|
|
|
for an additional 15s. Available in firmware 4.3.0 and newer.
|
|
|
|
|
- Enforce a minimum PIN length of 6 characters.
|
|
|
|
|
- Fix a bug with list-readers action where it fell through processing into write-object.
|
|
|
|
|
|
2016-04-25 22:56:22 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Apr 25 20:04:14 UTC 2016 - t.gruner@katodev.de
|
|
|
|
|
|
|
|
|
|
- Version 1.3.1 (released 2016-04-19)
|
|
|
|
|
- Fix a bug where unblock pin would instead change puk, introduced in 1.3.0.
|
|
|
|
|
- Clarifications with help texts.
|
|
|
|
|
|
|
|
|
|
- Version 1.3.0 (released 2016-02-19)
|
|
|
|
|
- Fixed extraction of RSA modulus and exponent for pkcs11.
|
|
|
|
|
- Implemented C_SetPIN for pkcs11.
|
|
|
|
|
- Add generic write and read object actions for the tool. Supports hex/binary/base64 formats
|
|
|
|
|
- Add ykpiv_change_pin(), ykpiv_change_puk() and ykpiv_unblock_pin()
|
|
|
|
|
- Print CCC with status action.
|
|
|
|
|
- Address bugs with pkcs11 on windows.
|
|
|
|
|
- Add --valid-days and --serial to tool for selfsign-certificate action.
|
|
|
|
|
- Ask for password for pkcs12 if none is given.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Dec 11 08:12:48 UTC 2015 - t.gruner@katodev.de
|
|
|
|
|
|
|
|
|
|
- Version 1.2.2 (released 2015-12-08)
|
|
|
|
|
- Fix old buffer overflow in change-pin functionality.
|
|
|
|
|
|
|
|
|
|
- Version 1.2.1 (released 2015-12-08)
|
|
|
|
|
-Fix issue with big certificates and status.
|
|
|
|
|
|
|
|
|
|
- Version 1.2.0 (released 2015-12-07)
|
|
|
|
|
- On OSX use @loader_path instead of @executable_path for ykcs11.
|
|
|
|
|
- Add ykpiv_import_private_key to libykpiv.
|
|
|
|
|
- Raise buffer sizes to support bigger objects.
|
|
|
|
|
- Change behavior of action status, only list populated slots.
|
|
|
|
|
- Add retired keys to ykcs11.
|
|
|
|
|
- In ykcs11 support login with non null terminated pin.
|
|
|
|
|
- Add a new action set-ccc to yubico-piv-tool to set the CCC.
|
|
|
|
|
|
2015-11-25 15:59:29 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Nov 18 20:57:56 UTC 2015 - t.gruner@katodev.de
|
|
|
|
|
|
|
|
|
|
- Version 1.1.2 (released 2015-11-13)
|
|
|
|
|
- Properly handle DER encoding in ECDSA signatures.
|
|
|
|
|
|
2015-11-13 11:39:28 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Nov 12 14:30:09 UTC 2015 - t.gruner@katodev.de
|
|
|
|
|
|
|
|
|
|
- Version 1.1.1 (released 2015-11-11)
|
|
|
|
|
- Make sure SCardContext is properly acquired and released.
|
|
|
|
|
|
2015-11-10 12:54:48 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Nov 6 21:05:07 UTC 2015 - t.gruner@katodev.de
|
|
|
|
|
|
|
|
|
|
- Version 1.1.0 (released 2015-11-06)
|
|
|
|
|
- Add support for new YubiKey 4.
|
|
|
|
|
- Add ykcs11.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Oct 13 07:47:50 UTC 2015 - t.gruner@katodev.de
|
|
|
|
|
|
|
|
|
|
- Add dependencive in .spec file
|
|
|
|
|
|
2015-10-02 11:42:06 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Oct 1 21:18:34 UTC 2015 - t.gruner@katodev.de
|
|
|
|
|
|
|
|
|
|
- Version 1.0.3 (released 2015-10-01)
|
|
|
|
|
- Correct wording on unblock-pin action.
|
|
|
|
|
- Show pin retries correctly.
|
|
|
|
|
- Use a bigger buffer for receiving data.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Sep 15 13:32:27 UTC 2015 - t.gruner@katodev.de
|
|
|
|
|
|
|
|
|
|
- Version 1.0.2 (released 2015-09-04)
|
|
|
|
|
- Query for different passwords/pins on stdin if they’re not supplied.
|
|
|
|
|
- If a reader fails continue trying matching readers.
|
|
|
|
|
- Authentication failed is supposed to be 0x63cX not 0x630X.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Jul 11 14:49:43 UTC 2015 - t.gruner@katodev.de
|
|
|
|
|
|
|
|
|
|
- Version 1.0.1 (released 2015-07-10)
|
|
|
|
|
- Project relicensed to 2-clause BSD license
|
|
|
|
|
- Minor fixes found with clang scan-build
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jul 8 21:14:24 UTC 2015 - t.gruner@katodev.de
|
|
|
|
|
|
|
|
|
|
- Version 1.0.0 (released 2015-06-23)
|
|
|
|
|
- Add a test-decipher action.
|
|
|
|
|
- Check that e is 0x10001 on importing rsa keys
|
|
|
|
|
- Use PCSC transactions when sending and receiving data
|
|
|
|
|
|
2015-04-28 09:31:20 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Apr 27 16:22:36 UTC 2015 - cdenicolo@suse.com
|
|
|
|
|
|
|
|
|
|
- license update: GPL-3.0+
|
|
|
|
|
COPYING files says package is under GPL-3.0+.
|
|
|
|
|
|
2015-03-29 12:44:25 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Mar 26 12:47:38 UTC 2015 - t.gruner@katodev.de
|
|
|
|
|
|
|
|
|
|
- Version 0.1.6 (released 2015-03-23)
|
|
|
|
|
Add a read-certificate action to the tool.
|
|
|
|
|
Add a status action to the tool.
|
|
|
|
|
Fix a library bug so NULL can be passed to ykpiv_verify()
|
|
|
|
|
Add a test-signature action to the tool.
|
|
|
|
|
|
2015-02-20 16:35:12 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Feb 9 14:54:37 UTC 2015 - t.gruner@katodev.de
|
|
|
|
|
|
|
|
|
|
- Version 0.1.5 (released 2015-02-04)
|
|
|
|
|
Revert the check for parity and just set parity before the weak check.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Feb 3 13:43:10 UTC 2015 - t.gruner@katodev.de
|
|
|
|
|
|
|
|
|
|
- Version 0.1.4 (released 2015-02-02)
|
|
|
|
|
Prompt for input if input is stdin.
|
|
|
|
|
Mark all bits of the signature as used is certs and requests.
|
|
|
|
|
Correct error for unblock-pin.
|
|
|
|
|
Fix hex decode to decode capital letters and return error.
|
|
|
|
|
Check parity of new management keys.
|
|
|
|
|
|
2015-01-31 00:48:35 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jan 23 07:47:58 UTC 2015 - t.gruner@katodev.de
|
|
|
|
|
|
|
|
|
|
- Version 0.1.3 (released 2014-12-18)
|
|
|
|
|
Add format DER for importing certificates.
|
|
|
|
|
Make sure diagnostic feedback ends up on stderr.
|
|
|
|
|
Add positive feedback for a couple of actions.
|
|
|
|
|
|
|
|
|
|
- Version 0.1.2 (released 2014-11-14)
|
|
|
|
|
Fix an issue where shorter component of RSA keys where not packed correctly.
|
|
|
|
|
|
|
|
|
|
- Version 0.1.1 (released 2014-11-10)
|
|
|
|
|
Correct broken CHUID that made windows work inconsistently.
|
|
|
|
|
Add support for compressed certificates.
|
|
|
|
|
Fix broken unblock-pin action.
|
|
|
|
|
Don’t try to accept to short keys for mgm key.
|
|
|
|
|
Only do applet authentication if needed.
|
|
|
|
|
Add --hash for selecting what hash to use for signatures.
|
|
|
|
|
Add hidden --sign command. Should probably not be used.
|
|
|
|
|
Fix for signature algorithm in selfsigned cert.
|
|
|
|
|
|
|
|
|
|
- Version 0.1.0 (released 2014-08-25)
|
|
|
|
|
Break out functionality into a library.
|
|
|
|
|
More testing.
|
|
|
|
|
|
|
|
|
|
- Version 0.0.3 (released 2014-05-26)
|
|
|
|
|
Add delete-certificate action.
|
|
|
|
|
Fix minor bugs.
|
|
|
|
|
|
|
|
|
|
- Version 0.0.2 (released 2014-02-19)
|
|
|
|
|
Fix an offset bug with CHUID.
|
|
|
|
|
Do full mutual auth with the applet.
|
|
|
|
|
|
|
|
|
|
- Version 0.0.1 (released 2014-02-11)
|
|
|
|
|
Initial release.
|