1
0
yubico-piv-tool/yubico-piv-tool.changes
Karol Babioch 7b7db64f0a Accepting request 707077 from home:kbabioch:branches:security
- Version 1.7.0 (released 2019-04-03)
  * Add ykpiv_get_serial() to API.
  * Add version and serial to status output.
  * FASC-N fixes for CHUID.
  * ykcs11: Fix ECDSA signatures.
  * Make selfsigned X.509 extensions have correct extensions to match openssl.
  * Security fixes.
  * Documentation fixes.
  * Try to clear memory that might contain secrets.

OBS-URL: https://build.opensuse.org/request/show/707077
OBS-URL: https://build.opensuse.org/package/show/security/yubico-piv-tool?expand=0&rev=28
2019-06-03 08:34:04 +00:00

260 lines
10 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

-------------------------------------------------------------------
Mon Jun 3 08:22:20 UTC 2019 - Karol Babioch <kbabioch@suse.de>
- Version 1.7.0 (released 2019-04-03)
* Add ykpiv_get_serial() to API.
* Add version and serial to status output.
* FASC-N fixes for CHUID.
* ykcs11: Fix ECDSA signatures.
* Make selfsigned X.509 extensions have correct extensions to match openssl.
* Security fixes.
* Documentation fixes.
* Try to clear memory that might contain secrets.
-------------------------------------------------------------------
Fri Sep 28 09:10:38 UTC 2018 - Jan Engelhardt <jengelh@inai.de>
- Rename %soname to %sover to better reflect its use.
- Fix RPM groups.
-------------------------------------------------------------------
Thu Sep 27 11:58:29 UTC 2018 - Karol Babioch <kbabioch@suse.com>
- Version 1.6.2 (released 2018-09-14)
- Compare reader names case insensitive
- Fix certificate and certificate request signatures with OpenSSL 1.1
-------------------------------------------------------------------
Tue Aug 28 09:37:34 UTC 2018 - kbabioch@suse.com
- Version 1.6.1 (released 2018-08-17)
- Compilation warning fixes for OpenSSL 1.1 builds
- Fix length when encoding exactly 0xff bytes
- Check length of objects correctly before storing in buffer
- Check length of certificate correctly when storing
- Version 1.6.0 (released 2018-08-08)
- Security release to mitigate YSA-2018-03 (YSA-2018-03, CVE-2018-14779,
CVE-2018-14780, bsc#1104809, bsc#1104811)
- Allow building against LibreSSL
- Bugfixes in OpenSSL 1.1 code
- Fix compilation warnings
- Fix ykcs11 key generation to work with OpenSSL 1.1
- Ykcs11 compatibility fixes
- Make use of %license macro instead of %doc for COPYING
- Applied spec-cleaner
-------------------------------------------------------------------
Thu Nov 30 15:14:13 UTC 2017 - t.gruner@katodev.de
- Version 1.5.0 (released 2017-11-29)
- API additions: Higher-level "util" API added to libykpiv.
- Added ykpiv_attest(), ykpiv_get_pin_retries(), ykpiv_set_pin_retries()
- Added functions for using existing PCSC card handle.
- Support using custom memory allocator.
- Documentation updates. make doxygen for HTML format.
- Expanded automated tests for hardware devices, moved to make hwcheck.
- OpenSSL 1.1 support
- Moderate internal refactoring. Many small bugs fixed.
-------------------------------------------------------------------
Wed Nov 15 19:19:15 UTC 2017 - t.gruner@katodev.de
- Version 1.4.4 (released 2017-10-17)
- Documentation updates.
- Add pin caching to work around disconnect problems.
- Disable RSA key generation on YubiKey 4 before 4.3.5. See https://yubi.co/ysa201701/ for details.
-------------------------------------------------------------------
Mon May 29 14:46:53 UTC 2017 - t.gruner@katodev.de
- Version 1.4.3 (released 2017-04-18)
- Encode RSA x509 certificates correctly.
- Documentation updates.
- In ykcs11 return CKA_MODULUS correctly for private keys.
- In ykcs11 fix for signature size approximation.
- Fix PSS signatures in ykcs11.
- Add a CLI flag --stdin-input to make batch execution easier.
-------------------------------------------------------------------
Wed Aug 17 14:03:58 UTC 2016 - t.gruner@katodev.de
- Version 1.4.2 (released 2016-08-12)
- Clarify license headers and clean up YKCS11 licensing. Now uses pkcs11.h from the Scute project.
- Dont install ykcs11-version.h.
- No cflags in ykcs11.pc.
- Unimplemented YKCS11 functions now return CKR_FUNCTION_FAILED.
- Version 1.4.1 (released 2016-08-11)
- Documentation updates
- Add possibility to export certificates in SSH format.
- Make certificate serial number random by default.
-------------------------------------------------------------------
Tue May 17 14:55:42 UTC 2016 - t.gruner@katodev.de
- Version 1.4.0 (released 2016-05-03)
- Add attest action When used on a slot with a generated key,
outputs a signed x509 certificate for that slot showing that
the key was generated in hardware. Available in firmware 4.3.0 and newer.
- Add cached parameter for touch-policy With cached, the touch is valid
for an additional 15s. Available in firmware 4.3.0 and newer.
- Enforce a minimum PIN length of 6 characters.
- Fix a bug with list-readers action where it fell through processing into write-object.
-------------------------------------------------------------------
Mon Apr 25 20:04:14 UTC 2016 - t.gruner@katodev.de
- Version 1.3.1 (released 2016-04-19)
- Fix a bug where unblock pin would instead change puk, introduced in 1.3.0.
- Clarifications with help texts.
- Version 1.3.0 (released 2016-02-19)
- Fixed extraction of RSA modulus and exponent for pkcs11.
- Implemented C_SetPIN for pkcs11.
- Add generic write and read object actions for the tool. Supports hex/binary/base64 formats
- Add ykpiv_change_pin(), ykpiv_change_puk() and ykpiv_unblock_pin()
- Print CCC with status action.
- Address bugs with pkcs11 on windows.
- Add --valid-days and --serial to tool for selfsign-certificate action.
- Ask for password for pkcs12 if none is given.
-------------------------------------------------------------------
Fri Dec 11 08:12:48 UTC 2015 - t.gruner@katodev.de
- Version 1.2.2 (released 2015-12-08)
- Fix old buffer overflow in change-pin functionality.
- Version 1.2.1 (released 2015-12-08)
-Fix issue with big certificates and status.
- Version 1.2.0 (released 2015-12-07)
- On OSX use @loader_path instead of @executable_path for ykcs11.
- Add ykpiv_import_private_key to libykpiv.
- Raise buffer sizes to support bigger objects.
- Change behavior of action status, only list populated slots.
- Add retired keys to ykcs11.
- In ykcs11 support login with non null terminated pin.
- Add a new action set-ccc to yubico-piv-tool to set the CCC.
-------------------------------------------------------------------
Wed Nov 18 20:57:56 UTC 2015 - t.gruner@katodev.de
- Version 1.1.2 (released 2015-11-13)
- Properly handle DER encoding in ECDSA signatures.
-------------------------------------------------------------------
Thu Nov 12 14:30:09 UTC 2015 - t.gruner@katodev.de
- Version 1.1.1 (released 2015-11-11)
- Make sure SCardContext is properly acquired and released.
-------------------------------------------------------------------
Fri Nov 6 21:05:07 UTC 2015 - t.gruner@katodev.de
- Version 1.1.0 (released 2015-11-06)
- Add support for new YubiKey 4.
- Add ykcs11.
-------------------------------------------------------------------
Tue Oct 13 07:47:50 UTC 2015 - t.gruner@katodev.de
- Add dependencive in .spec file
-------------------------------------------------------------------
Thu Oct 1 21:18:34 UTC 2015 - t.gruner@katodev.de
- Version 1.0.3 (released 2015-10-01)
- Correct wording on unblock-pin action.
- Show pin retries correctly.
- Use a bigger buffer for receiving data.
-------------------------------------------------------------------
Tue Sep 15 13:32:27 UTC 2015 - t.gruner@katodev.de
- Version 1.0.2 (released 2015-09-04)
- Query for different passwords/pins on stdin if theyre not supplied.
- If a reader fails continue trying matching readers.
- Authentication failed is supposed to be 0x63cX not 0x630X.
-------------------------------------------------------------------
Sat Jul 11 14:49:43 UTC 2015 - t.gruner@katodev.de
- Version 1.0.1 (released 2015-07-10)
- Project relicensed to 2-clause BSD license
- Minor fixes found with clang scan-build
-------------------------------------------------------------------
Wed Jul 8 21:14:24 UTC 2015 - t.gruner@katodev.de
- Version 1.0.0 (released 2015-06-23)
- Add a test-decipher action.
- Check that e is 0x10001 on importing rsa keys
- Use PCSC transactions when sending and receiving data
-------------------------------------------------------------------
Mon Apr 27 16:22:36 UTC 2015 - cdenicolo@suse.com
- license update: GPL-3.0+
COPYING files says package is under GPL-3.0+.
-------------------------------------------------------------------
Thu Mar 26 12:47:38 UTC 2015 - t.gruner@katodev.de
- Version 0.1.6 (released 2015-03-23)
Add a read-certificate action to the tool.
Add a status action to the tool.
Fix a library bug so NULL can be passed to ykpiv_verify()
Add a test-signature action to the tool.
-------------------------------------------------------------------
Mon Feb 9 14:54:37 UTC 2015 - t.gruner@katodev.de
- Version 0.1.5 (released 2015-02-04)
Revert the check for parity and just set parity before the weak check.
-------------------------------------------------------------------
Tue Feb 3 13:43:10 UTC 2015 - t.gruner@katodev.de
- Version 0.1.4 (released 2015-02-02)
Prompt for input if input is stdin.
Mark all bits of the signature as used is certs and requests.
Correct error for unblock-pin.
Fix hex decode to decode capital letters and return error.
Check parity of new management keys.
-------------------------------------------------------------------
Fri Jan 23 07:47:58 UTC 2015 - t.gruner@katodev.de
- Version 0.1.3 (released 2014-12-18)
Add format DER for importing certificates.
Make sure diagnostic feedback ends up on stderr.
Add positive feedback for a couple of actions.
- Version 0.1.2 (released 2014-11-14)
Fix an issue where shorter component of RSA keys where not packed correctly.
- Version 0.1.1 (released 2014-11-10)
Correct broken CHUID that made windows work inconsistently.
Add support for compressed certificates.
Fix broken unblock-pin action.
Dont try to accept to short keys for mgm key.
Only do applet authentication if needed.
Add --hash for selecting what hash to use for signatures.
Add hidden --sign command. Should probably not be used.
Fix for signature algorithm in selfsigned cert.
- Version 0.1.0 (released 2014-08-25)
Break out functionality into a library.
More testing.
- Version 0.0.3 (released 2014-05-26)
Add delete-certificate action.
Fix minor bugs.
- Version 0.0.2 (released 2014-02-19)
Fix an offset bug with CHUID.
Do full mutual auth with the applet.
- Version 0.0.1 (released 2014-02-11)
Initial release.