------------------------------------------------------------------- Fri Mar 3 21:51:36 UTC 2023 - Dirk Müller - update to 2.3.1: * ykpiv: Add support for T=0 smartcards * ykpiv: ykcs11: Minor code optimization * ykpiv: ykcs11: Improve logging * ykpiv: ykcs11: Improve error handling * ykpiv: ykcs11: Fix minor bugs * ykcs11: Add support for several PKCS11 Attributes * ykcs11: Add support for CKM_ECDSA_SHA512 mechanism * ykcs11: Fix incorrect value for public key attributes CKA_PRIVATE, CKA_SENSITIVE, CKA_ALWAYS_SENSITIVE, CKA_EXTRACTABLE and CKA_NEVER_EXTRACTABLE * doc: Minor documentation improvement ------------------------------------------------------------------- Sat Dec 3 17:05:31 UTC 2022 - Dirk Müller - update to 2.3.0: * ykpiv: Add support for AES management keys * ykpiv: Better handling of connection reset * ykpiv: Add support for T=0 protocol * ykcs11: Support YubiKeys in NFC readers * ykcs11: Support touch and PIN policies for imported private keys * ykcs11: Support touch and PIN policy when generating keys * ykcs11: Set length to -1 on function fail * ykcs11: Ignore CKA_NAME_HASH_ALGORITHM and CKA_HASH_OF_SUBJECT_PUBLIC_KEY for certificates * cmd: Support attestation in selfsign certificates * build: Compile cleanly with openssl 1.1 and 3 - add keyring ------------------------------------------------------------------- Mon Jan 31 20:31:47 UTC 2022 - Dirk Müller - update to 2.2.1: * ykpiv: Minor bug fixes * ykcs11: Improved handling of object attributes * ykcs11: Update flags for EC related mechanisms * ykcs11: Minor bug fixes * test: Improved testing * doc: Improved documentation ------------------------------------------------------------------- Sun Feb 28 18:33:22 UTC 2021 - Dirk Müller - update to 2.2.0: * ykpiv: Increased SO version * ykpiv: Fixed minor memory leaks * ykpiv: Improved error handling * ykpiv: Improved handling of PCSC card validation * ykcs11: Updated Cryptoki version * ykcs11: Support for CKM_ECDH1_DERIVE mechanism info * ykcs11: Support for destroying ECDH derived keys * ykcs11: Improved handling of PIN after device re-connection * ykcs11: Improved debug logging * cmd: Improved parsing of certificate Distinguished Name to allow an escape character * cmd: Warning to discourage generating RSA1024 keys * build: Use of platform standard installation path when building yubico-piv-tool * tests: Improved testing * Replaced building with autotool with building with cmake * Security update for YSA-2020-02 * ykpiv: Fixed potential memory leaks * ykpiv: Use PIN-protected MGMT key if the device is configured that way * ykpiv: Added attestation to CSR if requested * ykpiv: Fixed compatibility with LibreSSL * ykcs11: Improved handling of error codes * ykcs11: Improved handling of examples in the PKCS11 specifications * ykcs11: Added the possibility to have debug output as a runtime setting * ykcs11: Added support to unblock PIN with PUK * ykcs11: Make C_SetPIN backwards compatible while also allowing unblock PIN * tests: Improved tests - run tests - add pthread-link.patch ------------------------------------------------------------------- Sun Mar 1 00:11:08 UTC 2020 - Marcus Rueckert - Version 2.0.0 - ykpiv: Added ykpiv_get_metadata and ykpiv_util_parse_metadata to read and parse private key metadata (supported from YK 5.3). - ykpiv: Fixed PCSC transaction handling when re-selecting PIV due to external card reset events. - ykpiv: Improved error reporting. - ykpiv: Correctly report YK5 devices, and NEO and YK5 over NFC. - ykpiv: MGM KEY (SO PIN) is cached (in addition to PIN). - ykpiv: Fixed resetting of cached serial / version when an application re-uses ykpiv_state. - ykpiv: ykpiv_get_pin_retries selects a different applet before re-selecting PIV since just re-selecting PIV is a no-op on YK5. - ykcs11: Shared library exports all PKCS11 functions per the spec (For applications that don’t use C_GetFunctionList). - ykcs11: Support for up to 16 simultaneous sessions, with support for multi-threaded access (if requested when calling C_Initialize). - ykcs11: Support for resetting the PIV application via C_initToken. Requires knowledge of the MGMT KEY (SO PIN) per the PKCS11 spec. - ykcs11: Support for public-key operations not supported by PIV (C_Verify, C_Encrypt), implemented using OpenSSL. - ykcs11: Support for attestations, exposed as session objects of certificate class. Generated when opening the first session to a slot. - ykcs11: Support for forked processes on Linux and MacOS. - ykcs11: Support for RSA signatures using PKCS or PSS padding with optional digesting by the library. Raw signatures are also supported. - ykcs11: Support for ECDSA signatures with optional digesting by the library. Raw signatures are also supported. - ykcs11: Support for RSA encryption / decryption with PKCS or OAEP padding. - ykcs11: Makes use of key metadata when available (YK 5.3 and above), providing access to keys even if certificates are not present. - ykcs11: Supports SHA1, SHA256, SHA384 and SHA512 digesting, plus SHA224 digesting for ECDSA signatures and for the MGF1 digest in PSS / OAEP, implemented using OpenSSL. - ykcs11: Supports C_Login with context-specific user type. This allows use cases that require both SO PIN and normal PIN in the same session. ------------------------------------------------------------------- Mon Jun 3 08:22:20 UTC 2019 - Karol Babioch - Version 1.7.0 (released 2019-04-03) * Add ykpiv_get_serial() to API. * Add version and serial to status output. * FASC-N fixes for CHUID. * ykcs11: Fix ECDSA signatures. * Make selfsigned X.509 extensions have correct extensions to match openssl. * Security fixes. * Documentation fixes. * Try to clear memory that might contain secrets. ------------------------------------------------------------------- Fri Sep 28 09:10:38 UTC 2018 - Jan Engelhardt - Rename %soname to %sover to better reflect its use. - Fix RPM groups. ------------------------------------------------------------------- Thu Sep 27 11:58:29 UTC 2018 - Karol Babioch - Version 1.6.2 (released 2018-09-14) - Compare reader names case insensitive - Fix certificate and certificate request signatures with OpenSSL 1.1 ------------------------------------------------------------------- Tue Aug 28 09:37:34 UTC 2018 - kbabioch@suse.com - Version 1.6.1 (released 2018-08-17) - Compilation warning fixes for OpenSSL 1.1 builds - Fix length when encoding exactly 0xff bytes - Check length of objects correctly before storing in buffer - Check length of certificate correctly when storing - Version 1.6.0 (released 2018-08-08) - Security release to mitigate YSA-2018-03 (YSA-2018-03, CVE-2018-14779, CVE-2018-14780, bsc#1104809, bsc#1104811) - Allow building against LibreSSL - Bugfixes in OpenSSL 1.1 code - Fix compilation warnings - Fix ykcs11 key generation to work with OpenSSL 1.1 - Ykcs11 compatibility fixes - Make use of %license macro instead of %doc for COPYING - Applied spec-cleaner ------------------------------------------------------------------- Thu Nov 30 15:14:13 UTC 2017 - t.gruner@katodev.de - Version 1.5.0 (released 2017-11-29) - API additions: Higher-level "util" API added to libykpiv. - Added ykpiv_attest(), ykpiv_get_pin_retries(), ykpiv_set_pin_retries() - Added functions for using existing PCSC card handle. - Support using custom memory allocator. - Documentation updates. make doxygen for HTML format. - Expanded automated tests for hardware devices, moved to make hwcheck. - OpenSSL 1.1 support - Moderate internal refactoring. Many small bugs fixed. ------------------------------------------------------------------- Wed Nov 15 19:19:15 UTC 2017 - t.gruner@katodev.de - Version 1.4.4 (released 2017-10-17) - Documentation updates. - Add pin caching to work around disconnect problems. - Disable RSA key generation on YubiKey 4 before 4.3.5. See https://yubi.co/ysa201701/ for details. ------------------------------------------------------------------- Mon May 29 14:46:53 UTC 2017 - t.gruner@katodev.de - Version 1.4.3 (released 2017-04-18) - Encode RSA x509 certificates correctly. - Documentation updates. - In ykcs11 return CKA_MODULUS correctly for private keys. - In ykcs11 fix for signature size approximation. - Fix PSS signatures in ykcs11. - Add a CLI flag --stdin-input to make batch execution easier. ------------------------------------------------------------------- Wed Aug 17 14:03:58 UTC 2016 - t.gruner@katodev.de - Version 1.4.2 (released 2016-08-12) - Clarify license headers and clean up YKCS11 licensing. Now uses pkcs11.h from the Scute project. - Don’t install ykcs11-version.h. - No cflags in ykcs11.pc. - Unimplemented YKCS11 functions now return CKR_FUNCTION_FAILED. - Version 1.4.1 (released 2016-08-11) - Documentation updates - Add possibility to export certificates in SSH format. - Make certificate serial number random by default. ------------------------------------------------------------------- Tue May 17 14:55:42 UTC 2016 - t.gruner@katodev.de - Version 1.4.0 (released 2016-05-03) - Add attest action When used on a slot with a generated key, outputs a signed x509 certificate for that slot showing that the key was generated in hardware. Available in firmware 4.3.0 and newer. - Add cached parameter for touch-policy With cached, the touch is valid for an additional 15s. Available in firmware 4.3.0 and newer. - Enforce a minimum PIN length of 6 characters. - Fix a bug with list-readers action where it fell through processing into write-object. ------------------------------------------------------------------- Mon Apr 25 20:04:14 UTC 2016 - t.gruner@katodev.de - Version 1.3.1 (released 2016-04-19) - Fix a bug where unblock pin would instead change puk, introduced in 1.3.0. - Clarifications with help texts. - Version 1.3.0 (released 2016-02-19) - Fixed extraction of RSA modulus and exponent for pkcs11. - Implemented C_SetPIN for pkcs11. - Add generic write and read object actions for the tool. Supports hex/binary/base64 formats - Add ykpiv_change_pin(), ykpiv_change_puk() and ykpiv_unblock_pin() - Print CCC with status action. - Address bugs with pkcs11 on windows. - Add --valid-days and --serial to tool for selfsign-certificate action. - Ask for password for pkcs12 if none is given. ------------------------------------------------------------------- Fri Dec 11 08:12:48 UTC 2015 - t.gruner@katodev.de - Version 1.2.2 (released 2015-12-08) - Fix old buffer overflow in change-pin functionality. - Version 1.2.1 (released 2015-12-08) -Fix issue with big certificates and status. - Version 1.2.0 (released 2015-12-07) - On OSX use @loader_path instead of @executable_path for ykcs11. - Add ykpiv_import_private_key to libykpiv. - Raise buffer sizes to support bigger objects. - Change behavior of action status, only list populated slots. - Add retired keys to ykcs11. - In ykcs11 support login with non null terminated pin. - Add a new action set-ccc to yubico-piv-tool to set the CCC. ------------------------------------------------------------------- Wed Nov 18 20:57:56 UTC 2015 - t.gruner@katodev.de - Version 1.1.2 (released 2015-11-13) - Properly handle DER encoding in ECDSA signatures. ------------------------------------------------------------------- Thu Nov 12 14:30:09 UTC 2015 - t.gruner@katodev.de - Version 1.1.1 (released 2015-11-11) - Make sure SCardContext is properly acquired and released. ------------------------------------------------------------------- Fri Nov 6 21:05:07 UTC 2015 - t.gruner@katodev.de - Version 1.1.0 (released 2015-11-06) - Add support for new YubiKey 4. - Add ykcs11. ------------------------------------------------------------------- Tue Oct 13 07:47:50 UTC 2015 - t.gruner@katodev.de - Add dependencive in .spec file ------------------------------------------------------------------- Thu Oct 1 21:18:34 UTC 2015 - t.gruner@katodev.de - Version 1.0.3 (released 2015-10-01) - Correct wording on unblock-pin action. - Show pin retries correctly. - Use a bigger buffer for receiving data. ------------------------------------------------------------------- Tue Sep 15 13:32:27 UTC 2015 - t.gruner@katodev.de - Version 1.0.2 (released 2015-09-04) - Query for different passwords/pins on stdin if they’re not supplied. - If a reader fails continue trying matching readers. - Authentication failed is supposed to be 0x63cX not 0x630X. ------------------------------------------------------------------- Sat Jul 11 14:49:43 UTC 2015 - t.gruner@katodev.de - Version 1.0.1 (released 2015-07-10) - Project relicensed to 2-clause BSD license - Minor fixes found with clang scan-build ------------------------------------------------------------------- Wed Jul 8 21:14:24 UTC 2015 - t.gruner@katodev.de - Version 1.0.0 (released 2015-06-23) - Add a test-decipher action. - Check that e is 0x10001 on importing rsa keys - Use PCSC transactions when sending and receiving data ------------------------------------------------------------------- Mon Apr 27 16:22:36 UTC 2015 - cdenicolo@suse.com - license update: GPL-3.0+ COPYING files says package is under GPL-3.0+. ------------------------------------------------------------------- Thu Mar 26 12:47:38 UTC 2015 - t.gruner@katodev.de - Version 0.1.6 (released 2015-03-23) Add a read-certificate action to the tool. Add a status action to the tool. Fix a library bug so NULL can be passed to ykpiv_verify() Add a test-signature action to the tool. ------------------------------------------------------------------- Mon Feb 9 14:54:37 UTC 2015 - t.gruner@katodev.de - Version 0.1.5 (released 2015-02-04) Revert the check for parity and just set parity before the weak check. ------------------------------------------------------------------- Tue Feb 3 13:43:10 UTC 2015 - t.gruner@katodev.de - Version 0.1.4 (released 2015-02-02) Prompt for input if input is stdin. Mark all bits of the signature as used is certs and requests. Correct error for unblock-pin. Fix hex decode to decode capital letters and return error. Check parity of new management keys. ------------------------------------------------------------------- Fri Jan 23 07:47:58 UTC 2015 - t.gruner@katodev.de - Version 0.1.3 (released 2014-12-18) Add format DER for importing certificates. Make sure diagnostic feedback ends up on stderr. Add positive feedback for a couple of actions. - Version 0.1.2 (released 2014-11-14) Fix an issue where shorter component of RSA keys where not packed correctly. - Version 0.1.1 (released 2014-11-10) Correct broken CHUID that made windows work inconsistently. Add support for compressed certificates. Fix broken unblock-pin action. Don’t try to accept to short keys for mgm key. Only do applet authentication if needed. Add --hash for selecting what hash to use for signatures. Add hidden --sign command. Should probably not be used. Fix for signature algorithm in selfsigned cert. - Version 0.1.0 (released 2014-08-25) Break out functionality into a library. More testing. - Version 0.0.3 (released 2014-05-26) Add delete-certificate action. Fix minor bugs. - Version 0.0.2 (released 2014-02-19) Fix an offset bug with CHUID. Do full mutual auth with the applet. - Version 0.0.1 (released 2014-02-11) Initial release.