From c947cc7c2b517f1ac71efca9ad82e1578fd8baa7d861b82fe05cb090a6c9dcb0 Mon Sep 17 00:00:00 2001 From: Torsten Gruner Date: Mon, 26 Aug 2024 08:50:42 +0000 Subject: [PATCH] - update to 2.6.0: * cmd: Add support for biometric verification and match policy * ykcs11: Add support for PKCS11 3.0 * ykpiv: cmd: ykcs11: Improve error traceability * ykpiv: cmd: ykcs11: Fix minor bugs * build: Make building with zlib optional OBS-URL: https://build.opensuse.org/package/show/security/yubico-piv-tool?expand=0&rev=47 --- .gitattributes | 23 ++ .gitignore | 1 + cmake-flags-upstream-issue-474.patch | 63 ++++ pthread-link.patch | 23 ++ yubico-piv-tool-2.5.2.tar.gz | 3 + yubico-piv-tool-2.5.2.tar.gz.sig | Bin 0 -> 566 bytes yubico-piv-tool-2.6.0.tar.gz | 3 + yubico-piv-tool-2.6.0.tar.gz.sig | Bin 0 -> 566 bytes yubico-piv-tool.changes | 435 +++++++++++++++++++++++++++ yubico-piv-tool.keyring | 204 +++++++++++++ yubico-piv-tool.spec | 127 ++++++++ 11 files changed, 882 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 cmake-flags-upstream-issue-474.patch create mode 100644 pthread-link.patch create mode 100644 yubico-piv-tool-2.5.2.tar.gz create mode 100644 yubico-piv-tool-2.5.2.tar.gz.sig create mode 100644 yubico-piv-tool-2.6.0.tar.gz create mode 100644 yubico-piv-tool-2.6.0.tar.gz.sig create mode 100644 yubico-piv-tool.changes create mode 100644 yubico-piv-tool.keyring create mode 100644 yubico-piv-tool.spec diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/cmake-flags-upstream-issue-474.patch b/cmake-flags-upstream-issue-474.patch new file mode 100644 index 0000000..134b6ee --- /dev/null +++ b/cmake-flags-upstream-issue-474.patch @@ -0,0 +1,63 @@ +commit a3b81d574ac20a1f17eea245da6096f59416b8f7 +Author: Wolfgang Frisch +Date: Thu Feb 15 10:23:03 2024 +0100 + + cmake: fix semicolons in CFLAGS of custom modules + + Both `openssl.cmake` and `pcscd.cmake` use FindPkgConfig to retrieve the + required CFLAGS and LDFLAGS. However FindPkgConfig returns lists [1], + which are stored as semicolon-separated strings in CMake. This breaks + the build when there's more than one flag in any of those variables. + + Fixes https://github.com/Yubico/yubico-piv-tool/issues/474 + +Index: yubico-piv-tool-2.5.2/CMakeLists.txt +=================================================================== +--- yubico-piv-tool-2.5.2.orig/CMakeLists.txt ++++ yubico-piv-tool-2.5.2/CMakeLists.txt +@@ -25,7 +25,7 @@ + # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +-cmake_minimum_required (VERSION 3.5) ++cmake_minimum_required (VERSION 3.12) + # policy CMP0025 is to get AppleClang identifier rather than Clang for both + # this matters since the apple compiler accepts different flags. + cmake_policy(SET CMP0025 NEW) +Index: yubico-piv-tool-2.5.2/cmake/openssl.cmake +=================================================================== +--- yubico-piv-tool-2.5.2.orig/cmake/openssl.cmake ++++ yubico-piv-tool-2.5.2/cmake/openssl.cmake +@@ -84,8 +84,9 @@ macro (find_libcrypto) + endif(WIN32 OR OPENSSL_STATIC_LINK) + + message(" OpenSSL version: ${OPENSSL_VERSION}") +- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${LIBCRYPTO_CFLAGS}") +- set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${LIBCRYPTO_CFLAGS}") ++ list(JOIN LIBCRYPTO_CFLAGS " " LIBCRYPTO_CFLAGS_STRING) ++ set(CMAKE_C_FLAGS "${LIBCRYPTO_CFLAGS_STRING} ${CMAKE_C_FLAGS}") ++ set(CMAKE_CXX_FLAGS "${LIBCRYPTO_CFLAGS_STRING} ${CMAKE_CXX_FLAGS}") + link_directories(${LIBCRYPTO_LIBRARY_DIRS}) + include_directories(${LIBCRYPTO_INCLUDE_DIRS}) + +Index: yubico-piv-tool-2.5.2/cmake/pcscd.cmake +=================================================================== +--- yubico-piv-tool-2.5.2.orig/cmake/pcscd.cmake ++++ yubico-piv-tool-2.5.2/cmake/pcscd.cmake +@@ -75,7 +75,7 @@ macro (find_pcscd) + set(ENV{PKG_CONFIG_PATH} "${PCSCLITE_PKG_PATH}:$ENV{PKG_CONFIG_PATH}") + pkg_check_modules(PCSC REQUIRED libpcsclite) + if(PCSC_FOUND) +- set(PCSC_LIBRARIES ${PCSC_LDFLAGS}) ++ list(JOIN PCSC_LDFLAGS " " PCSC_LIBRARIES) + if(VERBOSE_CMAKE) + message("PCSC_FOUND: ${PCSC_FOUND}") + message("PCSC_LIBRARY_DIRS: ${PCSC_LIBRARY_DIRS}") +@@ -124,4 +124,5 @@ macro (find_pcscd) + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${PCSC_CFLAGS}") + link_directories(${PCSC_LIBRARY_DIRS}) + +-endmacro() +\ No newline at end of file ++endmacro() ++ diff --git a/pthread-link.patch b/pthread-link.patch new file mode 100644 index 0000000..c1e8474 --- /dev/null +++ b/pthread-link.patch @@ -0,0 +1,23 @@ +Index: yubico-piv-tool-2.5.0/ykcs11/CMakeLists.txt +=================================================================== +--- yubico-piv-tool-2.5.0.orig/ykcs11/CMakeLists.txt ++++ yubico-piv-tool-2.5.0/ykcs11/CMakeLists.txt +@@ -60,6 +60,9 @@ if(${ENABLE_HARDWARE_TESTS}) + set(HW_TESTS 1) + endif(${ENABLE_HARDWARE_TESTS}) + ++set(THREADS_PREFER_PTHREAD_FLAG ON) ++find_package(Threads REQUIRED) ++ + # static library + if(BUILD_STATIC_LIB) + add_library(ykcs11 STATIC ${SOURCE}) +@@ -73,7 +76,7 @@ endif(BUILD_STATIC_LIB) + + # dynamic library + add_library(ykcs11_shared SHARED ${SOURCE}) +-target_link_libraries(ykcs11_shared ${LIBCRYPTO_LDFLAGS} ykpiv_shared) ++target_link_libraries(ykcs11_shared ${LIBCRYPTO_LDFLAGS} ykpiv_shared Threads::Threads) + set_target_properties(ykcs11_shared PROPERTIES SOVERSION ${SO_VERSION} VERSION ${VERSION}) + if (${CMAKE_SYSTEM_NAME} MATCHES "Darwin") + set_target_properties(ykcs11_shared PROPERTIES INSTALL_RPATH "${YKPIV_INSTALL_LIB_DIR}") diff --git a/yubico-piv-tool-2.5.2.tar.gz b/yubico-piv-tool-2.5.2.tar.gz new file mode 100644 index 0000000..7e38e31 --- /dev/null +++ b/yubico-piv-tool-2.5.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:918e76bad99463dc0a858a4771ec674a579fad284d99d90c57fb9cf44fb059b8 +size 1324642 diff --git a/yubico-piv-tool-2.5.2.tar.gz.sig b/yubico-piv-tool-2.5.2.tar.gz.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..0b78a1b53623801d105c54bc2cea11c99b316fdc58fb746d2d3288ba9b7d066d GIT binary patch literal 566 zcmV-60?GY}0y6{v0SEvc79j+v&K7wT?&31JBYRX3%EXo~1INq-0%keOOaKZA5D?15 zmM#Ow%zHKu|8^(!T=(KOove*AEKj&6)6bwWP9a<;iZi5Qlp6wqF5#FnBNI9Y%BD|A(^sL2_~ehT?Vm;whqxU~ApI!v}kLF9t{TS|i>DE3gDA|v|S1F{makgQXr_aAhumu>F4 z#P-~>aT7-iG16pSg(%W``_Yz*V2k$E32TIxO@9)+A2zRnv+-X-oJLMvB;RaNUUcUx z4qmIP&knNAniYG~SdR%vFl7_5bdSk}^Xwbm#w%9KWPG+Ib(9rQw@89Y&hcB&?2lW= z@=&(sT$g8}G~&4EUWx(bRl&@IOnc|RCA8O)W<$lcC(0J9UgP|v4$9|i!Vcm{oF#>4 zxQsr@FnR0TxljHA)xsE0jjO*?x5_76!sZDom>CQCS9SWUSrKRhZYkUMTOA|TDT`_42md6j!5eEE`W8M(n_@vz z2!PG+aeP=x8So6M-m%H8mV+$G%VpJS&oL#n86#+Vng$Yr`Br$JHs0qk*r_f3ovz2JD^&)6qU0=!IAl)}4MD<^JG4I7ArXVWUu#Q{K4YPvd^ zxw3vkC1wz7B2lqPHwRZKv7=?yD>6?*uV9L>iCTy3I8UXmAWJRozh5isz{AudIX}}Z zFsljv5C~dmm$jSi%+KwcBR`lJ!IjLVlZzVyoaH6KbM>H|-w7oQA<%8_hllT>G5_MZ z2?&9!z|GER&Dk&^S$HoHnB5wRXm;uJ;xBY~qYiInmf)fPl9l zC>i@KcFE8ibx};zU_i0XDC!GVNx6Qd&=6F#^$nxi?&C{-oLHdEgG-Zf$1rUT`IG9I z)u3-=!NSY~NCcf8mE|NC^~@+b*aid_8D+*D@1%#-m^i3tn}^U4>q^h?xr;Fowk$St zLf-E$QL7}8pu-I55@hJ|8*zdLiE}lv_OaAM8N$r@NVwA%wY1Ay-$HGU+-#K2B!vbH zIn-*|-EcpJS@VtTcJkJ_C4PTdpIb9$Dwy-pxTIA{KmEmEQh}81Pq3TO5Fiq^b*y;5 z7q>`2;pa1{> literal 0 HcmV?d00001 diff --git a/yubico-piv-tool.changes b/yubico-piv-tool.changes new file mode 100644 index 0000000..2385da3 --- /dev/null +++ b/yubico-piv-tool.changes @@ -0,0 +1,435 @@ +------------------------------------------------------------------- +Mon Aug 26 08:11:45 UTC 2024 - Wolfgang Frisch + +- update to 2.6.0: + * cmd: Add support for biometric verification and match policy + * ykcs11: Add support for PKCS11 3.0 + * ykpiv: cmd: ykcs11: Improve error traceability + * ykpiv: cmd: ykcs11: Fix minor bugs + * build: Make building with zlib optional + +------------------------------------------------------------------- +Tue May 7 09:05:14 UTC 2024 - Wolfgang Frisch + +- update to 2.5.2: + * cmd: Fix signing selfsigned certificate for ED25519 key. +- update cmake-flags-upstream-issue-474.patch + +------------------------------------------------------------------- +Wed Feb 14 09:05:14 UTC 2024 - Wolfgang Frisch + +- update to 2.5.1: + * ykpiv: cmd: ykcs11: Fix buffer size for key import. +- add cmake-flags-upstream-issue-474.patch: + proper fix for the cmake flags issue +- remove temporary-cmake-flags-fix.patch + +------------------------------------------------------------------- +Wed Feb 7 12:32:15 UTC 2024 - Wolfgang Frisch + +- update to 2.5.0: + * ykpiv: cmd: ykcs11: Add support for RSA3072 and RSA4096 key types. + Available in firmware 5.7.0 and newer + * ykpiv: cmd: Add support for ED25519 and X25519 key types. + Available in firmware 5.7.0 and newer + * ykpiv: cmd: Add support for deleting keys. + Available in firmware 5.7.0 and newer + * ykpiv: cmd: Add support for moving keys between slots. + Available in firmware 5.7.0 and newer +- add temporary-cmake-flags-fix.patch + The included cmake modules are buggy. This patch should be removed once the + root cause is fixed in upstream. + +------------------------------------------------------------------- +Sun Dec 17 15:01:35 UTC 2023 - Dirk Müller + +- update to 2.4.2: + * ykpiv: Fix potential type casting bug. + * ykpiv: ykcs11: Fix building on certain architectures. + * ykpiv: cmd: Add support for compressing certificate upon + import + * ykcs11: Increase maximum number of slots to handle + overflow + * ykcs11: Add support for CKA_COPYABLE and CKA_DESTROYABLE + attributes + +------------------------------------------------------------------- +Fri Mar 3 21:51:36 UTC 2023 - Dirk Müller + +- update to 2.3.1: + * ykpiv: Add support for T=0 smartcards + * ykpiv: ykcs11: Minor code optimization + * ykpiv: ykcs11: Improve logging + * ykpiv: ykcs11: Improve error handling + * ykpiv: ykcs11: Fix minor bugs + * ykcs11: Add support for several PKCS11 Attributes + * ykcs11: Add support for CKM_ECDSA_SHA512 mechanism + * ykcs11: Fix incorrect value for public key attributes + CKA_PRIVATE, CKA_SENSITIVE, CKA_ALWAYS_SENSITIVE, + CKA_EXTRACTABLE and CKA_NEVER_EXTRACTABLE + * doc: Minor documentation improvement + +------------------------------------------------------------------- +Sat Dec 3 17:05:31 UTC 2022 - Dirk Müller + +- update to 2.3.0: + * ykpiv: Add support for AES management keys + * ykpiv: Better handling of connection reset + * ykpiv: Add support for T=0 protocol + * ykcs11: Support YubiKeys in NFC readers + * ykcs11: Support touch and PIN policies for imported private keys + * ykcs11: Support touch and PIN policy when generating keys + * ykcs11: Set length to -1 on function fail + * ykcs11: Ignore CKA_NAME_HASH_ALGORITHM and CKA_HASH_OF_SUBJECT_PUBLIC_KEY for certificates + * cmd: Support attestation in selfsign certificates + * build: Compile cleanly with openssl 1.1 and 3 +- add keyring + +------------------------------------------------------------------- +Mon Jan 31 20:31:47 UTC 2022 - Dirk Müller + +- update to 2.2.1: + * ykpiv: Minor bug fixes + * ykcs11: Improved handling of object attributes + * ykcs11: Update flags for EC related mechanisms + * ykcs11: Minor bug fixes + * test: Improved testing + * doc: Improved documentation + +------------------------------------------------------------------- +Sun Feb 28 18:33:22 UTC 2021 - Dirk Müller + +- update to 2.2.0: + * ykpiv: Increased SO version + * ykpiv: Fixed minor memory leaks + * ykpiv: Improved error handling + * ykpiv: Improved handling of PCSC card validation + * ykcs11: Updated Cryptoki version + * ykcs11: Support for CKM_ECDH1_DERIVE mechanism info + * ykcs11: Support for destroying ECDH derived keys + * ykcs11: Improved handling of PIN after device re-connection + * ykcs11: Improved debug logging + * cmd: Improved parsing of certificate Distinguished Name to allow an escape character + * cmd: Warning to discourage generating RSA1024 keys + * build: Use of platform standard installation path when building yubico-piv-tool + * tests: Improved testing + * Replaced building with autotool with building with cmake + * Security update for YSA-2020-02 + * ykpiv: Fixed potential memory leaks + * ykpiv: Use PIN-protected MGMT key if the device is configured that way + * ykpiv: Added attestation to CSR if requested + * ykpiv: Fixed compatibility with LibreSSL + * ykcs11: Improved handling of error codes + * ykcs11: Improved handling of examples in the PKCS11 specifications + * ykcs11: Added the possibility to have debug output as a runtime setting + * ykcs11: Added support to unblock PIN with PUK + * ykcs11: Make C_SetPIN backwards compatible while also allowing unblock PIN + * tests: Improved tests +- run tests +- add pthread-link.patch + +------------------------------------------------------------------- +Sun Mar 1 00:11:08 UTC 2020 - Marcus Rueckert + +- Version 2.0.0 + - ykpiv: Added ykpiv_get_metadata and ykpiv_util_parse_metadata + to read and parse private key metadata (supported from YK 5.3). + - ykpiv: Fixed PCSC transaction handling when re-selecting PIV + due to external card reset events. + - ykpiv: Improved error reporting. + - ykpiv: Correctly report YK5 devices, and NEO and YK5 over NFC. + - ykpiv: MGM KEY (SO PIN) is cached (in addition to PIN). + - ykpiv: Fixed resetting of cached serial / version when an + application re-uses ykpiv_state. + - ykpiv: ykpiv_get_pin_retries selects a different applet before + re-selecting PIV since just re-selecting PIV is a no-op on YK5. + - ykcs11: Shared library exports all PKCS11 functions per the + spec (For applications that don’t use C_GetFunctionList). + - ykcs11: Support for up to 16 simultaneous sessions, with + support for multi-threaded access (if requested when calling + C_Initialize). + - ykcs11: Support for resetting the PIV application via + C_initToken. Requires knowledge of the MGMT KEY (SO PIN) per + the PKCS11 spec. + - ykcs11: Support for public-key operations not supported by PIV + (C_Verify, C_Encrypt), implemented using OpenSSL. + - ykcs11: Support for attestations, exposed as session objects of + certificate class. Generated when opening the first session to + a slot. + - ykcs11: Support for forked processes on Linux and MacOS. + - ykcs11: Support for RSA signatures using PKCS or PSS padding + with optional digesting by the library. Raw signatures are also + supported. + - ykcs11: Support for ECDSA signatures with optional digesting by + the library. Raw signatures are also supported. + - ykcs11: Support for RSA encryption / decryption with PKCS or + OAEP padding. + - ykcs11: Makes use of key metadata when available (YK 5.3 and + above), providing access to keys even if certificates are not + present. + - ykcs11: Supports SHA1, SHA256, SHA384 and SHA512 digesting, + plus SHA224 digesting for ECDSA signatures and for the MGF1 + digest in PSS / OAEP, implemented using OpenSSL. + - ykcs11: Supports C_Login with context-specific user type. This + allows use cases that require both SO PIN and normal PIN in the + same session. + +------------------------------------------------------------------- +Mon Jun 3 08:22:20 UTC 2019 - Karol Babioch + +- Version 1.7.0 (released 2019-04-03) + * Add ykpiv_get_serial() to API. + * Add version and serial to status output. + * FASC-N fixes for CHUID. + * ykcs11: Fix ECDSA signatures. + * Make selfsigned X.509 extensions have correct extensions to match openssl. + * Security fixes. + * Documentation fixes. + * Try to clear memory that might contain secrets. + +------------------------------------------------------------------- +Fri Sep 28 09:10:38 UTC 2018 - Jan Engelhardt + +- Rename %soname to %sover to better reflect its use. +- Fix RPM groups. + +------------------------------------------------------------------- +Thu Sep 27 11:58:29 UTC 2018 - Karol Babioch + +- Version 1.6.2 (released 2018-09-14) + - Compare reader names case insensitive + - Fix certificate and certificate request signatures with OpenSSL 1.1 + +------------------------------------------------------------------- +Tue Aug 28 09:37:34 UTC 2018 - kbabioch@suse.com + +- Version 1.6.1 (released 2018-08-17) + - Compilation warning fixes for OpenSSL 1.1 builds + - Fix length when encoding exactly 0xff bytes + - Check length of objects correctly before storing in buffer + - Check length of certificate correctly when storing +- Version 1.6.0 (released 2018-08-08) + - Security release to mitigate YSA-2018-03 (YSA-2018-03, CVE-2018-14779, + CVE-2018-14780, bsc#1104809, bsc#1104811) + - Allow building against LibreSSL + - Bugfixes in OpenSSL 1.1 code + - Fix compilation warnings + - Fix ykcs11 key generation to work with OpenSSL 1.1 + - Ykcs11 compatibility fixes +- Make use of %license macro instead of %doc for COPYING +- Applied spec-cleaner + +------------------------------------------------------------------- +Thu Nov 30 15:14:13 UTC 2017 - t.gruner@katodev.de + +- Version 1.5.0 (released 2017-11-29) + - API additions: Higher-level "util" API added to libykpiv. + - Added ykpiv_attest(), ykpiv_get_pin_retries(), ykpiv_set_pin_retries() + - Added functions for using existing PCSC card handle. + - Support using custom memory allocator. + - Documentation updates. make doxygen for HTML format. + - Expanded automated tests for hardware devices, moved to make hwcheck. + - OpenSSL 1.1 support + - Moderate internal refactoring. Many small bugs fixed. + +------------------------------------------------------------------- +Wed Nov 15 19:19:15 UTC 2017 - t.gruner@katodev.de + +- Version 1.4.4 (released 2017-10-17) + - Documentation updates. + - Add pin caching to work around disconnect problems. + - Disable RSA key generation on YubiKey 4 before 4.3.5. See https://yubi.co/ysa201701/ for details. + +------------------------------------------------------------------- +Mon May 29 14:46:53 UTC 2017 - t.gruner@katodev.de + +- Version 1.4.3 (released 2017-04-18) + - Encode RSA x509 certificates correctly. + - Documentation updates. + - In ykcs11 return CKA_MODULUS correctly for private keys. + - In ykcs11 fix for signature size approximation. + - Fix PSS signatures in ykcs11. + - Add a CLI flag --stdin-input to make batch execution easier. + +------------------------------------------------------------------- +Wed Aug 17 14:03:58 UTC 2016 - t.gruner@katodev.de + +- Version 1.4.2 (released 2016-08-12) + - Clarify license headers and clean up YKCS11 licensing. Now uses pkcs11.h from the Scute project. + - Don’t install ykcs11-version.h. + - No cflags in ykcs11.pc. + - Unimplemented YKCS11 functions now return CKR_FUNCTION_FAILED. + +- Version 1.4.1 (released 2016-08-11) + - Documentation updates + - Add possibility to export certificates in SSH format. + - Make certificate serial number random by default. + +------------------------------------------------------------------- +Tue May 17 14:55:42 UTC 2016 - t.gruner@katodev.de + +- Version 1.4.0 (released 2016-05-03) + - Add attest action When used on a slot with a generated key, + outputs a signed x509 certificate for that slot showing that + the key was generated in hardware. Available in firmware 4.3.0 and newer. + - Add cached parameter for touch-policy With cached, the touch is valid + for an additional 15s. Available in firmware 4.3.0 and newer. + - Enforce a minimum PIN length of 6 characters. + - Fix a bug with list-readers action where it fell through processing into write-object. + +------------------------------------------------------------------- +Mon Apr 25 20:04:14 UTC 2016 - t.gruner@katodev.de + +- Version 1.3.1 (released 2016-04-19) + - Fix a bug where unblock pin would instead change puk, introduced in 1.3.0. + - Clarifications with help texts. + +- Version 1.3.0 (released 2016-02-19) + - Fixed extraction of RSA modulus and exponent for pkcs11. + - Implemented C_SetPIN for pkcs11. + - Add generic write and read object actions for the tool. Supports hex/binary/base64 formats + - Add ykpiv_change_pin(), ykpiv_change_puk() and ykpiv_unblock_pin() + - Print CCC with status action. + - Address bugs with pkcs11 on windows. + - Add --valid-days and --serial to tool for selfsign-certificate action. + - Ask for password for pkcs12 if none is given. + +------------------------------------------------------------------- +Fri Dec 11 08:12:48 UTC 2015 - t.gruner@katodev.de + +- Version 1.2.2 (released 2015-12-08) + - Fix old buffer overflow in change-pin functionality. + +- Version 1.2.1 (released 2015-12-08) + -Fix issue with big certificates and status. + +- Version 1.2.0 (released 2015-12-07) + - On OSX use @loader_path instead of @executable_path for ykcs11. + - Add ykpiv_import_private_key to libykpiv. + - Raise buffer sizes to support bigger objects. + - Change behavior of action status, only list populated slots. + - Add retired keys to ykcs11. + - In ykcs11 support login with non null terminated pin. + - Add a new action set-ccc to yubico-piv-tool to set the CCC. + +------------------------------------------------------------------- +Wed Nov 18 20:57:56 UTC 2015 - t.gruner@katodev.de + +- Version 1.1.2 (released 2015-11-13) + - Properly handle DER encoding in ECDSA signatures. + +------------------------------------------------------------------- +Thu Nov 12 14:30:09 UTC 2015 - t.gruner@katodev.de + +- Version 1.1.1 (released 2015-11-11) + - Make sure SCardContext is properly acquired and released. + +------------------------------------------------------------------- +Fri Nov 6 21:05:07 UTC 2015 - t.gruner@katodev.de + +- Version 1.1.0 (released 2015-11-06) + - Add support for new YubiKey 4. + - Add ykcs11. + +------------------------------------------------------------------- +Tue Oct 13 07:47:50 UTC 2015 - t.gruner@katodev.de + +- Add dependencive in .spec file + +------------------------------------------------------------------- +Thu Oct 1 21:18:34 UTC 2015 - t.gruner@katodev.de + +- Version 1.0.3 (released 2015-10-01) + - Correct wording on unblock-pin action. + - Show pin retries correctly. + - Use a bigger buffer for receiving data. + +------------------------------------------------------------------- +Tue Sep 15 13:32:27 UTC 2015 - t.gruner@katodev.de + +- Version 1.0.2 (released 2015-09-04) + - Query for different passwords/pins on stdin if they’re not supplied. + - If a reader fails continue trying matching readers. + - Authentication failed is supposed to be 0x63cX not 0x630X. + +------------------------------------------------------------------- +Sat Jul 11 14:49:43 UTC 2015 - t.gruner@katodev.de + +- Version 1.0.1 (released 2015-07-10) + - Project relicensed to 2-clause BSD license + - Minor fixes found with clang scan-build + +------------------------------------------------------------------- +Wed Jul 8 21:14:24 UTC 2015 - t.gruner@katodev.de + +- Version 1.0.0 (released 2015-06-23) + - Add a test-decipher action. + - Check that e is 0x10001 on importing rsa keys + - Use PCSC transactions when sending and receiving data + +------------------------------------------------------------------- +Mon Apr 27 16:22:36 UTC 2015 - cdenicolo@suse.com + +- license update: GPL-3.0+ + COPYING files says package is under GPL-3.0+. + +------------------------------------------------------------------- +Thu Mar 26 12:47:38 UTC 2015 - t.gruner@katodev.de + +- Version 0.1.6 (released 2015-03-23) + Add a read-certificate action to the tool. + Add a status action to the tool. + Fix a library bug so NULL can be passed to ykpiv_verify() + Add a test-signature action to the tool. + +------------------------------------------------------------------- +Mon Feb 9 14:54:37 UTC 2015 - t.gruner@katodev.de + +- Version 0.1.5 (released 2015-02-04) + Revert the check for parity and just set parity before the weak check. + +------------------------------------------------------------------- +Tue Feb 3 13:43:10 UTC 2015 - t.gruner@katodev.de + +- Version 0.1.4 (released 2015-02-02) + Prompt for input if input is stdin. + Mark all bits of the signature as used is certs and requests. + Correct error for unblock-pin. + Fix hex decode to decode capital letters and return error. + Check parity of new management keys. + +------------------------------------------------------------------- +Fri Jan 23 07:47:58 UTC 2015 - t.gruner@katodev.de + +- Version 0.1.3 (released 2014-12-18) + Add format DER for importing certificates. + Make sure diagnostic feedback ends up on stderr. + Add positive feedback for a couple of actions. + +- Version 0.1.2 (released 2014-11-14) + Fix an issue where shorter component of RSA keys where not packed correctly. + +- Version 0.1.1 (released 2014-11-10) + Correct broken CHUID that made windows work inconsistently. + Add support for compressed certificates. + Fix broken unblock-pin action. + Don’t try to accept to short keys for mgm key. + Only do applet authentication if needed. + Add --hash for selecting what hash to use for signatures. + Add hidden --sign command. Should probably not be used. + Fix for signature algorithm in selfsigned cert. + +- Version 0.1.0 (released 2014-08-25) + Break out functionality into a library. + More testing. + +- Version 0.0.3 (released 2014-05-26) + Add delete-certificate action. + Fix minor bugs. + +- Version 0.0.2 (released 2014-02-19) + Fix an offset bug with CHUID. + Do full mutual auth with the applet. + +- Version 0.0.1 (released 2014-02-11) + Initial release. diff --git a/yubico-piv-tool.keyring b/yubico-piv-tool.keyring new file mode 100644 index 0000000..af580b8 --- /dev/null +++ b/yubico-piv-tool.keyring @@ -0,0 +1,204 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFt0NG0BEAC0oU+vBj0VLB1LSmoqYO26esNXEC2nrMYthsbe/XkFLUJGlLi4 +LoN8RDGZHUd4XMA2Ru3jG5t5M9olPOx8GeWpwOtVWOQEbi5UzSE7qGtVDI2duYm8 +6rNfviwKsJ39yIJMXRqyzytxMN2GXK9oCuxhLVUpdTjAbVOq9Ojiza99dvpny7DH +6j9R+Chs/CufYDODABmCVwUxcz0C/g4VqymbZKv/2bq/llSE+qaNIyEUDD/6Qoz7 +4+GDgBEafj3izQiLSW8Ho8Db9jgmwPYLNdJR7MWHQwloQgTCsg6zjZPX9dzCPPzV +AY038RbH53+6C5ZqarnPg5DznIp9LCW6rx8EH1qyvgXHSqi3rQflJoLPSzjPPGfN +GQLWtYCIThOWCkAQqF/QZ4ldcTbPIO3bQvNjM6li+T2FYzZ5jzT2A11AjwaVfC59 +49pQ0TB2JxMyxIrN+9i403ES06vq2LXtDyqOoUx2ADlC3eIMsTGiK6iKkDW+nFoZ +gSXtCRynAywhemwZIfXSxhv3xlfTiuvvevZ/2Kdiw5OhWv3LTs6Yu7thN/FqM79S +0tNMdtdHDFHLZ1AvTzStjYkfb/6TgJ+CqhqDQBU2B32h5xQcUYE7XSHZi3GDSnsz +xa1rpQRc6oGOsHvtmo7Geffz46B96kDIjG8NkvPL6x3WpAD7EGijlp6AdQARAQAB +tCZBdmVlbiBJc21haWwgPGF2ZWVuLmlzbWFpbEB5dWJpY28uY29tPokCVAQTAQgA +PgIbAQULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBB1zCLAFX1rvNpRKjyepwk2V +iOoPBQJiyevoBQkJNur7AAoJECepwk2ViOoPBgkP/A3GZsNYjaWER/yIwh91Jwpu +8dzKuOKHHcX0KuERmXTfwLyLChfzYKulXm8xaofXEbI+vuZ0frCydoRGwUWGOsAP +O80WIdzs2LINEpHxaR/UbaT3I86Umk+NKNFBSh1K7Kq/EylkN3qPT5hGiAepyWof +ZzBuY35JohaFId0ryYgSR5dVgjXlgpOPY8g8xOT8w+3Si2xTCPhQYHTjdM3eFObJ +ygVmB4ycitwtaAasLizBvMkTl+GV4YaVmtogRHUl2slBWaYIbYedaNzO3u4hQ7Lx +eXJnnyjIARbtgOBhEwmYd83MrpTETRjnvh0FiJWcr1b7zz8ChgqJVdNtGyuzHbLY +Vfzov2HFmWEsssUaBnffmOl1k2M0ZxgXhLq5xbcVbmpKY+xsNH4cETn3gjRhGZ1T +U44BJT/w/3XY5QusL/m7/UT/PcqZ6DdNqOflB9ohQzzwWyRfcMdRMZCg8m3frfna +oYv954htuW2d6iFK4tc+2uxHP6KEe2JmyUhnudbQQ5sKDGcBdFzQOD2bDqjoKfXk +KNfmvEdJ9H2Gzd7DZvd0CYfzVVErfZbOqXISI7sSwTWT/q55LXgT80Cf1G0t/RUa +6+2iAoVliE3xCJqyt/6J6ELNDBx1KlZyzXVJ9Xjznq8r1dvyHnNRVsZNCUBffvN+ +l7Iv7p6MInHCzjzdnS36uQINBGFpjqwBEADomiJgkIPAnOz1zptmOP94smcCFmwf +/YgWuvXDlYqAktV1qeYyDT3n2HZ0gaBpXOftUdgd1QIhLGkglJfZvRbVbwc1J5oi +Wdhlvt48+BsakUiRvznqE3XjEwiRn8nOU8zwiCf9YjiRMBHXe4vXMlt/5XSl5CtD +YcOe1oPiuz7bru5JRcvVqk+jfMdFmNEd1Geijmz4ZULV1Bg8u34abgbmASHp+UAc +EijDwBR/08NLDhvmoQehLmaomUxRKHKHxZ5vnK0CA/cGbfm2JE/EzVy0ZYgV+ryw +EORFehapCDaWGncIsMOjLm+2BSu3LNz2hQGXYhp2Rz5jtTl7DIj0rjPPzmYjNHZt +Fq6tYMEIv8E9Urc169vJeQLNYzF8fFhfYn+DLisqfoi3ZqQsR4XqpLUTHr0Q2/f3 +RYrIUv42xlSsWNP5C3jW7RB/Lot+m4vRLfQlkkea6hfWbE676RFJso+wE/LdJBVc +ydHi+eLC3R/KXn5TpPnlSoesVpBG22yFppuu64S8zehAiaCmyiWsn4uX7Aj6JIzR +ee0ShuIPoT+fYZpqlSJIJq6VFaLtTvzANIUZl/3uHHnBsWLnweQYoVEGSTN4gUso +wygDPbao92Y8/IXTYnvMZ2MMerDtLcNJlFsN9C8CCdQI9s4DRuggmuhjfylKADTl +Ot8qJPHKaEYWowARAQABiQI8BBgBCAAmAhsgFiEEHXMIsAVfWu82lEqPJ6nCTZWI +6g8FAmNhJGYFCQPYyTQACgkQJ6nCTZWI6g8Q8BAAk2yYpPyQFzayg1k5DSXpmBDI +pKHlFHjXEcflp05AxFmlXzYOXUC9TgiVoQ6EmVxo1Lvc61Xj9FTE958ZBXoYC0e0 +igwCbeu1vEaM+ZG6ruETDJFVQZgIaK/xK4137teZ/S3vN1iWuLMergfN1ig0hoh4 +6fsDEw6Jb9vNCefbrfvjqxIGNZupoOzFZYgJG60M3pCKlbShtZoPGIzHvk8g8BRn +1jplIKIGEQzA1bi7+M+0eAR843YnFh7UWIMH1MiO0jN8X+C/JZPj1AxpxJRC5iOd +7cR8XhLSypHBGNgWHnl41jxY4Yf4GjPziM1MUSrxivhSEMz65hxLXOYZpQkBZBtN +3FhUQXjEKWe5r7cU7BATCosij5rbZSCfPyX7D2MqKE56JVaeR3ZQjliNCnTujVHd +NrR8VRMpJpv20AEXX6ueDdHpruBSh7hE62965VFUt48pYLmg+WEhFKWy6COkcj7w +5YyDhNwr5XEOvVN+NealkzfCkYa0KvbSonapNMP3mna17MsdpXnycVjLo2ZSx7ri +xkBAor1oHjhc/eixDp/D2KE/UxsD2qBECHndsa7tnJCjaJ1xRkuQ6c5sGZnP9Yxh +WJcBYphXg8hV5Lm0lcxLAvRl42GDBKFtLN4g3JAA8UGAejdaAtXu/oyBwplrClwj +y29S8wF1LHU4fjJQeEW5Ag0EYWmORwEQALBu6fR1fvMF2FJn9atg12ZbxfE+vCie +tZitECt/Y2IBbh1K43O0LCfH55b1g52Zh6ePUGQ4xJO4m6iZmuVxMOiFvr6+hxdO +tO+VWXoJ1e7d++rtAhzHEpJPsRPQjWM5fhrG/NU3yuKe1W0G1mLZ3LdSVUhj0oLN +dVZnh8Sgla/xvSrzFcwPUxAoy0Hycu70JpSNmucivmiWelsXAW8+++Xy2YwAvL01 +UUFiUkCVOJMIGI+vsrZQWtzMyklOYLLqI7XYPtQQrGo8G4fjfkRN0i3mndQGo2eY +lrjVH7E0AAUmTl9Z0JEMgx6N2JPvKVV8YaiPl+3yYTvNUi9eJyTSYISTRncmahaO +1gtAjeTYFCh264dXcjLD4g2yQQONE9Aj7jdX3L/qpHKiCJXtwTdlIYjM3gZW8mbi +IG7gFzPVS2h7MK6/GwLyIgZ1k42EZ8qAMVUr9RN2uU4gRxjr12YiuLhk7SwOxji0 +Tklydji9IlHpW9vPjM/xbYqJc8hm+TLGAgGx69eLrXLiKaVECtV0f5gVTuSygnjq +vvfZQ91ucuv2tWCXtHQYLFzn1QXuYIOmAAgFnWsoqm5T3tvgAQvC0SbTFi1jNxtx +tvV8TV1s1zGUOLHjZwpDevoOcvk1pvbpAr/CUQcKpvAafqr4Gl+Y60eMR2otYUSw +8gxv8wxEsK4ZABEBAAGJBHIEGAEIACYCGwIWIQQdcwiwBV9a7zaUSo8nqcJNlYjq +DwUCY2EkYAUJA9jJmQJAwXQgBBkBCgAdFiEEqM4WeRTu4jK5I3tUEMrEli4Dx8wF +AmFpjkcACgkQEMrEli4Dx8y3Pg//UGxB5ABE7dn3/DMj7vqqDWvBvmJTw4Oj2FiI +yt8mSBT/TkNRheRljhn0K5h6Dow+Khyc8EzKRpf/XaW3E6ucAPXkhvO/eL+NTXVu +u2Hwnik+LE0xG88q1Dvhnt6zt82UoesHgfxp5d+VdVl8IRIrSopwlfMF1Aee/+aB +HSQw5gusr43gKnP88OsEB7YB6P6aL67ZXtExgnV65fl1R+cAiFHCNlGrJGGRQl0Q +OY0PtWJSqSBtYy38QnMfjxH6V//JcvBGs/akYKo3saLHfeknnyeR17YlZO42F14d +nDPbVLspmeFFki2srODz2dqP70akvxarC66mXQIcYAIR3KcbEvTLJ2L+4fmqkmy/ +9/jfmGK0ikVWc8S04AB6GyqJ/tS+eO+bmBqdbJsJ3ZLMtMPineXXgaVAlDg/1hAF +jizMdwfaTpa4Spglce6sYv19vdt21dgEYerdAmH2Wmx6W+3gY4pAKExrKRRGLwki +A6iDX/xXk836By25opnAHs2NrZcKFEAunx7PICbWOjhz/xNWVWv7oVRI6BJPtGnJ +YL6pE0TXE1AOByBVCy3YQW3dH58wP0xM0SSbSuVb/eRGnrEozqjjFLZd4t6Z96l0 +pJXgoob3jCiEaGV9a/LAcWWwgkyXukwWJU3GUe8xX3LN161AVezV8ZYDDDrwxJr8 +dTTuDLAJECepwk2ViOoP90QP/39mKJXcCpGhLSePFOrfzXSk8V1m9iNSGm6ecLIi +uuNqDRGzzPYEI5FA0Lbd0ZkfaOtx7Lj1d66KN3xD/VgEUsqeDz9HSjWyRgwYVcjz +vCT/vLWeaokq4Kc6bX8u+8JRBqLHi6c1i99hF4nIEITUZESoDdDP4sErRaY0tHLB +d4RK57khScWxPYXHthpLn40Lh8q1+6IHHM0iBCbx/cTZfH2Beh7/s8/njlKSh6ro +dhjT/Cy5Nzbh9lrgTrxqOGAyF+pT9XpbwrSoKQNp4IKXd7Zj1kp9mn/QjXtLxiA8 +iVfDX2yj6F4u7Pa0wqvULz4V/tgw9aJKK+zFKOhHdkEzLxe403bRRJSUf2etXuxk +1PR4EM8o9FOQ4gNiHs+p2VI9l9DhoYHK/YHJxYqtnnF7YXfeyDUwF25cE+oOu3SU +i/yED2xOwhC7+DAUqoGkleWh+mT0kLLw95Py5Cxwbr2moRD8+vJQ/Rniylax17iK +ci/bSO1f23SXsL0ezdiqWHaVq97MKDmv6GP7P8yjWrToe7Z+0tSbqZ/JVSjokU1X ++nQRs7kqqo8728boN8tMzjFrd50Iqc0x9tR4FW2dPWGK5jeLrUvOAl71NYltLI5W +qgqcCxSWnm544fnpTicKW/qR3QR2gATDRL0+jMmgDjK461Y0YJLq0GQ3d/NKYxaq +lBYIuQENBFt0Rs4BCAC2ypGR7OUEkNx/uBjfGXj14p9yB4KVf70fkf4kHPWPHgj/ +0te6/on04gUK//1PeWkrU49jDzqjHfZGz7rAhesJIRRQg8DDzCkb6e9UbyVZqO2X +GXhFhYt9daxJbMV/Fx8Dk3JZnN1mP00pusyCVrGIUH/hbIf5uJD/nRajTRuu3AZX +j9J0GO1nltk9Vw4JW3a3DEuIezxq0iv2h8UG0YbmirGMcdOg5CORed4r5Ip7ZGWz +423MqjKthc9zqk/b6vLSJTq8a1l7dFEBclFSke+6ut22wMpFwD+nxi21odw+wgbt +DjGELLKR/qDcgm3C6gZMEIj3pWhjNh4fZHmLDJJ9ABEBAAGJAjwEGAEIACYCGyAW +IQQdcwiwBV9a7zaUSo8nqcJNlYjqDwUCYsntyQUJCTbadAAKCRAnqcJNlYjqD9jK +EACvViwGhn58TcwcBmCFr92UIB7SJwo9HJZzz+mQURuknCneaIRp3yY5XmoK0lmB +/4+lES3hw2V8QxpCjNOiXx45vaKoHePMIxZcIRzB/+MscHQE9X0JLeXGauPXQSWE +maOBtmFERVMwqFP8F2Vc7m3JGxiB7SLNu6IEZ0Wls2YJU4Y6wFr1/ke2Dt96hEW5 +ICBge+AYNZqDR9KbdjxZ4vrVm24YyurH88+4i6ccMzIjOoY8vvLCNkDFCHyxUcup +aFF7J/zIozzERikPG3nfglb4XQIGdAJAii/YdP2tAvjYkAEOwJ7tgD5bVxi7kaiA +/Z8Q4SZiBU2xrDbUv+Sk4pwh4RshDEgcrIUmuHE8qnlX4JNvy5RmkDTqqWIKRsOJ +qMbzHMAjWBzBs0Boo839rq0qw85kPCgVG8R0xTyHFeewrUuGha155ClavbUBMy/W +pbyGWqr/7530q0o7LvmhDDuQVC++D8MTFGIQBh6pLwZ/TnzS4OOdshPLPAoiinV3 +dIkzyxm4sGgwK37tycPJdbQfhTca9zHUhekevblwOF/OPr6L0vUOzFTel4B2gBmu +3cPH1qCLcLEyLTGGDfrKcvWtFmFsSMR2hsJt/o1hF8Wrq/g1hh7dGmuo44ZWh81B +im0kMq7NMVRYz9GrQ8HmCAAi825hSsbMyKpVA3fgP0HcR7kBDQRbdEaNAQgAqBap +TmJjnBe9R2wt8syEwna9FQB8XXu2XzjPVANyAatcqchA0za46LFaf4iSwuoNDOaz +i9luCfiTQjr9ZuEVtKB7qluGJbTtt5EoOEVuKAwWQmK4tLGo6MiOAASZxq6JDopy +FU6wnIMpCkA4adfCruaerY77br/J2ZS1aHfZuS7DNqA/HNvT/JOoQ+Y43FzN5au/ +aWOYa7EOZJ8oE1mmSWT8UouKSrAswZc6gBO7lkP+Ug5iuWE0cOOuC7GVn+rl5Rdz +JNZkftSwheEy57nRimbJIrvK7ZCbK4isar2nxTwiYDCnDpqz+w/m/D00pbVxNo8U +qLkhnwpr+KQnHg+yEQARAQABiQNyBBgBCAAmAhsCFiEEHXMIsAVfWu82lEqPJ6nC +TZWI6g8FAmLJ7cYFCQk22rUBQMB0IAQZAQoAHRYhBNCO0njlUp2DKgOXoMrBdLic +j8OlBQJbdEaNAAoJEMrBdLicj8Ol/TMH/3XFZRAKJoDcRx6Jvt8NK3KOVl9wkV7X +Hq+ZX2Jd3yDmVxWNz45gJncMbYF6QSEbPiNp54HyP2dtu+d9ovvPo3aP7o2c8DeS +x3K9vxbN69C5y5JO8jODj0SSZGSLePk3OGNKacpDm0asn6e/gLAFbMudYEySWTFu +XWyMDKe3WSm/AZNiUiV1HIlHxBxeNYGD1V4+e8uSzI7vtOnyWPjR4pdL0Z2yT68i +apfdolbBOYdJ1tfXcSxCtjAELlHeWixn5Okj/yCcbzKF8Wv0YKPfzbQ4iORCvgTv +6oiEXk+RGMtk8i/p2v8Duzu2dh2GLsrWZD+sevWgxkNGKwXuIpS8nYMJECepwk2V +iOoPV0cP/AkqV944sK5WCD1Yrm7i+U+EqnkFshjDWmIy/RDLDfCbTXh2sLk7k7A3 +ULJ+G7Tk1y9MzH18GSLBiQboYqHSmciaZilgGvWuRhP4lLfoHESA0oAYWrlx/C5c +3bCWXqenF9DkZhOPCKnVZ1dHlYDkk2swRlLbGxbyPNk4ne6nDmwMeuv8pPls9s/d +tX+2KQZNFr6voXTgrx6EwM8TMhEyRdmNdQ1gvfdAigT8l9mpMmzxKMslWPfqS5Ld +cF4JpAAOfbkyk68blnirkPkJnnrFxWgsfCQNrYFchXEzwKFTBMAbAwsx5ouVrMk5 +weQ2y7Z720Z15GasLligsseCYUogJ9qWhrbh/DCbLXJaXyloeCujuKYy+J0q34I+ +XHFQNjS2mYdq40M1ViSKKMVDAOEhFIMLHKgn0uGB+a9C9kcf5LUxFyF82/VNSGaN +/en09pJFkDIM5B9qTVxJbEhPX3ZjhV9NuNN/fqef3XAbGm2OHUfEQKuzTUZESDVz +Ee/+551uE3BSPHWWF0agcJp8Ez742GA9wysNrWPQN6FgBiouydpVDSyzCcC7EgE+ +HpZji9gPa1oiHb69R1hhSoYHUMPkhMid/uEWVbv4bzgmSuZQYQd3mSzXkAwGTPH2 +yoJGZlSQHLZ8k5cNadNUy+ED9pacdyYwPzMLikscKhBYdaTW+tOOuQENBFt0NtoB +CADXgqAQlChK8VMHg0L3U6FDPyWGtiYzWpOL33TgE4jh6enEcD4QyI4wHf24crgf +RV8GomFb4/enolI0rzsZt0DBGezNATTMN0eORibkhpFt+aOnC/lr79iC3Az/SrvO +Vbc32hBILIw6gqO3z8XViBxzVniXA7ulR1Fy/Bjh9lV16Y6ynOlBD/OwBg/XC+mn +leKqG1L1E70ejSer8WiJqHQ5I2u88NBgrmD3vvY9ZPRNfcHu6EB3bE3LITMFVM1V +MB4jNH63H7NnUK/UZqty1q7U2jnASD2LJgEscAXioRhepD4W5L3mGibEaZdg7sY5 +1+eTzRHFniy24qBaQgkf5hBXABEBAAGJAjwEGAEIACYCGwwWIQQdcwiwBV9a7zaU +So8nqcJNlYjqDwUCYsntwgUJCTbqaAAKCRAnqcJNlYjqD90gD/9yksvphfQDIZHI +LOEcPqV4HzIZpuGj6lgE6fPPD8ENQUZdgBJmbVJBtEP5wztrdL7Y9/ZLh+xuzHCo +JpoBz0dqiYqktUVQBvPP4KZ9j7JueWxRJsf7Ffre139oS88lvRzXRATWYWobvE1Z +M9pMfp0apZHAKeCEy1ZckEJgn4rYX1qkXlBoFzgqcMYbKpPPWiQC54yvHB+3C2uc +Gau74VnzEMFMfnr9M5WxkjKdnCfP1t+meUdtov5zEoQLNMRWXM53f1PJFlXIL3vh +wxXmJw0ZkjpE/pBA1A+sB1rYv/pWCW3aPi9l36IY3bXoyeahT/CwxQGDzBz9s9dg +guj8olWXo1HKEEbekpWPUiVVLFtSDDlcWqwxThan61fWYIak3W3oNbBw9fqEIUlE +F5IvkWEN64r6k0TfUqzW7i8+B+dNGe9WE3frGP6cTXITPFxpbJj4ou2/NbIFS+U3 +JU//7k1Wa+Qx73/C2eDxMgppR8PjMFz6RnDH3S1NkGT25z6E8PcaMo69XW+X1GqF +7mCokfJGntmlb9xhlUEUEuZz0O8MyjAEugLLP5DHlfvGK6jERZaJ/za3jTedUYuc +qBN09JEUIlzUF8SPDFLYPYisg8vtNJmRBd7KP/z/unhem51+QRJBtlYHYDyCDc7Y +4SDB0MtL8MzmK/kXuiiD0S9ARMwHL7kCDQRbdTd3ARAAuKPbjBFXv5rnvV6uXGfj +Gf73Av3YPcR1eWES15Whnc9DzvKnSQr9KFlv4LqEOlNFK3xNGZZ8KJ7Noio7EHv7 +W4lpB6o1JK4JZJXzldrncg6u1PY0QWZxLjALdcWCUF2uIjKGyIIId7a9/QnTiXvb +WL9EAYWo2P61uC6qAG0TVRMWSebonYX0PBM7Osr4V7Jw+3dqeZ/uLpFq3vtxAQHL +efSqDZejaqVX481oEMfUDyLSgBFkApW6773LYN3XXowqX3XGVRnn1VS8CqtFqQuT +Unt+XT2XxcgPnZXH4+IjjQEiTJaP+tIRf+tgTw6qNzYtV/oMUQoTHVJMiAN1nyOs ++gU7dcL1XOiFjEDbvyyOzdFEs19gd0mLoQNb7tQ9AsLMlZf9H4B/AWBT7iIUY8hF +S/MYwiwrXyblfQPhcWxGpGxTFcy1CGquBy60krq03KlwQAd3tuGMdZld9AxIF/A8 +nAEP9AqzvX9/MkMKEKmYqVuEPnRzVXWuLo/kpKbhlriUIJRP4qnr6e3fNC1qDSy0 +Bcag0lScZJ+wrK+yJhK8HK3ZuvuZGzjPWbhrI4yAc0JWJredE8SbQpxGERq9E12u +vB6LPZ95FRZwHb1FiiF/qujKnvGwb9Lykqda9UZXMPu/KLTjpzXHzP6o2mzRyeHb +JMQCrFKGFK4Rpm3O6KVEjdsAEQEAAYkEcgQYAQgAJgIbAhYhBB1zCLAFX1rvNpRK +jyepwk2ViOoPBQJg70FGBQkHWz1FAkDBdCAEGQEKAB0WIQRw1xRfLzXEdFUBgpob +IVePxGhr/gUCW3U3dwAKCRAbIVePxGhr/rGUD/9O+uq0Vbx3tbszbPZUs5++2xd6 +3QXR9aTP0ixoxTu5eOc29KdkH4IZWb+tCZVPabLLompxq0RchJnxstOiZPG2w23k +hxrsG6ddgdFEJA6nCksSYbZazK1lMKyfSiOsy9DTebHNSHJw/+m9VToadPLdpxX+ +eh7Lh37W0haaypbcg81n3xy1UyK7T9OdVK6WVU1KEWpDOivYvOGKQ+SZwGf1e5PN +odmHZ7HUh7p4ueXxTiXVWhjqUHxMshA7lA3yRBpTdgbi7V238uvP1MqvDGi1RHvB +xzeMBZLxG+Jo7YNieujhXzjQUxrLg4JRlB1r2WU3JZ4YVmt5FOmTHkiNPOZ+zZ1O +pXNtyfNGoNKh6RVlW5JraWeQJTEgBu6JprbFD5/tBOJo5DoTSGoqJUh9cwe1Omwp +dO/ZCP6se7EeCo9JahYqtfOFb2ZotSynPxsWeeklmHnmVlQHo/npczIjwyJ5WNYw +rctGYtn1xFOUQ0mKIDOUxeOUd+U3FYKMAVV97uFP071GYsAi1Fq9kK2SXJR2XP2U +4Xqs9BnS6/FLj0upIrQYf1EW6DGbCRT0vE8hitTA1SVCyDImBeWU/mEnS0d4eoj5 ++6RfjUOD7B9Ne6QdmbWHqh75KJ280V9tpM6ZPFyU7p4if8fLuj4OzoZnzkjDLrxr +pbK7VnLgpMDcrp1ImQkQJ6nCTZWI6g+c8g//UaG05Mf4JsHdEXB10GMh+WevzFlG +8VsE0aKLAV7Z3NdDwo0rjH6U1I2zVD4ON81YZ9LkucggYTsvPfuBmCq6l34XWj2u +QGOirgJ1IiDx5wv/xiYOr4gXu8poGV71iGNdNHM4K6leKlRzpm0QXKBkzrrMxG2j +W4QMHtPW4QBHGyELAWpo46iVBSTSSyB7/bPMY4SWZ+RClLs14/2+/08yZXn8hVUN +qT9QZaLzMQsNJjK23J7o9iWIs3iUOQQ6k/P/8lxikZUQSKley4rVm2zv7LLu56KG +Jhl+QKNtNhCdQcowIHVbPIBshT9v8f6I5nV0fexhbDSQnj142EmiNxkYXrHqu+0m +ScBU7vMonSTsALceC5oQPVJM7KbePpdrlWxEkw2bM47L9xyk+j10hlIZN2JG3qgl +4SHlfredosUvvuZhIasasqOV3OXmqwp2aDR5g/uQXnFUcfeHwSDxt1no44d8xbkI ++R8TO3VGDN9IwpBCiu9HkRz5Sb3J9L0zcfBQoUqP1HRaccaCukELpOx4MMhBVNZu +yrDFDTucoP+dVPRjCST/qdChHKll3dWzcQi1eCj4XzJ60jCPmT4ktVN8vlppeb+o +nrtjiyvKesKl7axipTfyNpioUUKeWm7sk+bAzja0wNgPmHgHFn4mouchuC1Le5sR +eRFIb5Qgl/utTz+5Ag0EW3U4kgEQALmVbqZ1ETE2BbFFsFioPeK3p7k3UBX0ZT/n +IczPJe4bEGAHYf4ItxHgIXjBTj+QfXVHlQVObj3twj21YgKKATR8b9M2gP3pPkLf +eVOX0VYjY8skBqkoSm9dxKmep8vFyEhloYfAsEhcyyG4f71nn0io71V5QiOU3sic +EUfjiQsErdB59e+PPpVUcjp4yO1dcrnIKZno3Ag/cuCAVR4kPb8sVgIcdqeHzkJ0 +2NLDOfEDIYLMYjLQK4dD/dROG9yq5M9hxaQs8LqXe/Os83UDzyir8HJehsfmAUoU +GQYfiPC1NPknj5A07UW2HFkU2cVAUuLomAgAtS/qVEMJemeLPRT1FrKN4IXHCVP7 +u12+5XSEWHqPEOoFy67h9HUA+SdRNmbgHUxXHFFkiGZaL8HK/qT7OwT/PsdY+kqB +7laySxxUTOq4A0hupb5pXsgZ+/Wkrcdov9r9FP9Pb5T8Elo+jHyxXHBGgzfdC9Vm +ioT2ZG38d54RV7rGbOSRc93OWO+1TMTpmlcibYHBKq85UPPXxufWfJgEtYtELo6S +Z/Mm1e9fcCOY6laKUQgBgbc29dFYpOLNm+XSR0vJNbXglI3FVuscOf+pPlyqIRT8 +KpQ52XvcsAbfPISPNW9De1vNrnqEKjTWjKKDER28H3ak4SMk4R25CrPKkHjD9hlL +Bt7zOK1fABEBAAGJAjwEGAEIACYCGyAWIQQdcwiwBV9a7zaUSo8nqcJNlYjqDwUC +YO9BSQUJB1s8KgAKCRAnqcJNlYjqDwNpD/9kchmspmi38JMl4QdDtgiagDTx3qYQ +LcB+8yLH2s/XhgoinGhaeyxQ8bAIPn9U66Zru2Fk/5TjBub6CYEOIsnQqR6f4FPz +9bOdPS4+3L5IB1KbynUUyRX6iPKvq378ABJHy4VubKeuSLFTDWLYaZDqmgKhsjJE +GQYXYSn5oFPgqZ7S4MrC9/ezclIcCotitNf6qZD0+AyxiKqtRVJv61YM34f5vBky +facsrGdE+dg8qR4ckAISZWLKu2KbDoCcG2KS5P8oq/f0fYT+E/kAHwoVKtyZfw9b +9EmGEH++QmsloCybaLTMEOF1Gj1Xu7pdQGS1ERt+pHU8fI3Wa81flM/DKUc/VH++ +pQSulcySUh8Mtl1cwZ6C0GSDy0D42FGWun1Q33gdDYBFhMVxySWL51BXgfHKiuX9 +ZFz6QaE6+Hom0SR5Mcr+xehFeLLDMd1aGOm4JhhMh/AbWXelMdO8nv0Tny6U28FY +EJdvc1vNCCw1nmw9xzU+15CE4o28Afyx1HLuSTRhlVa0xzKyoo7G1w7xfYKdSo+r +kdfdCmHcq0jYhTyJWJwTtffqQS4dxkt+mWpOY+X+5JiBM7WQFMrwnlO72QnnDPj2 +rlgJ/w6peHvxPUPNJFVRfmmub8Cmq4BTTbUKwwLOEU9ghBLnXnre51ltZPF12c10 +W+dOfr3N9/d1zQ== +=kpxO +-----END PGP PUBLIC KEY BLOCK----- diff --git a/yubico-piv-tool.spec b/yubico-piv-tool.spec new file mode 100644 index 0000000..7b5c090 --- /dev/null +++ b/yubico-piv-tool.spec @@ -0,0 +1,127 @@ +# +# spec file for package yubico-piv-tool +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%define sover 2 +Name: yubico-piv-tool +Version: 2.6.0 +Release: 0 +Summary: Yubico YubiKey NEO CCID Manager +License: BSD-2-Clause +Group: Productivity/Networking/Security +URL: https://developers.yubico.com/ +Source0: https://developers.yubico.com/yubico-piv-tool/Releases/%{name}-%{version}.tar.gz +Source1: https://developers.yubico.com/yubico-piv-tool/Releases/%{name}-%{version}.tar.gz.sig +Source3: yubico-piv-tool.keyring +Patch1: pthread-link.patch +# https://github.com/Yubico/yubico-piv-tool/issues/474 +Patch2: cmake-flags-upstream-issue-474.patch +BuildRequires: c++_compiler +BuildRequires: check-devel +BuildRequires: cmake +BuildRequires: gengetopt +BuildRequires: help2man +BuildRequires: libboost_thread-devel +BuildRequires: pcsc-lite-devel +BuildRequires: pkgconfig +BuildRequires: valgrind +BuildRequires: pkgconfig(openssl) +Requires: libykcs11-%{sover} = %{version} +Requires: libykpiv%{sover} = %{version} + +%description +This is a command line tool to interact with the PIV applet on a YubiKey NEO. +Among other functions it supports, generating keys on device, importing keys +and certificates and creating certificate requests. + +%package -n libykpiv%{sover} +Summary: Yubikey NEO PIV applet library +Group: System/Libraries +Requires: pcsc-ccid + +%description -n libykpiv%{sover} +This is a low-level library to interact the PIV applet on a YubiKey NEO + +%package -n libykcs11-%{sover} +Summary: Yubikey NEO PKCS#11 applet library +Group: System/Libraries +Requires: pcsc-ccid + +%description -n libykcs11-%{sover} +This is a PKCS#11 module that allows to communicate with the PIV application running on a YubiKey + +%package -n libykpiv-devel +Summary: Development files for the Yubikey NEO PIV applet library +Group: Development/Libraries/C and C++ +Requires: libykpiv%{sover} = %{version} + +%description -n libykpiv-devel +This package contains the header file needed to develop applications that use +Yubikey NEO PIV applet library. + +%package -n libykcs11-devel +Summary: Development files for the Yubikey NEO PKCS#11 applet library +Group: Development/Libraries/C and C++ +Requires: libykcs11-%{sover} = %{version} + +%description -n libykcs11-devel +This package contains the header file needed to develop applications that use +Yubikey NEO PKCS#11 applet library. + +%prep +%setup -q +%autopatch -p1 + +%build +%cmake -DBUILD_STATIC_LIB=OFF +%cmake_build + +%check +cd build +make test + +%install +%cmake_install + +%post -n libykpiv%{sover} -p /sbin/ldconfig +%postun -n libykpiv%{sover} -p /sbin/ldconfig +%post -n libykcs11-%{sover} -p /sbin/ldconfig +%postun -n libykcs11-%{sover} -p /sbin/ldconfig + +%files +%license COPYING +%doc NEWS README +%{_bindir}/%{name} +%{_mandir}/man1/* + +%files -n libykpiv%{sover} +%{_libdir}/libykpiv.so.%{sover}* + +%files -n libykcs11-%{sover} +%{_libdir}/libykcs11.so.%{sover}* + +%files -n libykpiv-devel +%dir %{_includedir}/ykpiv/ +%{_includedir}/ykpiv/* +%{_libdir}/libykpiv.so +%{_libdir}/pkgconfig/ykpiv.pc + +%files -n libykcs11-devel +%{_libdir}/libykcs11.so +%{_libdir}/pkgconfig/ykcs11.pc + +%changelog