yubihsm-shell 2.6.0
yubihsm-connector 3.0.5
yubihsm-setup 2.3.2
yubihsm-ksp 2.6.0
Repackaging of yubihsm-setup MSI installer
yubihsm-shell 2.6.0
yubihsm-connector 3.0.5
yubihsm-setup 2.3.2
yubihsm-ksp 2.6.0
Library: Shell: PKCS11: Add support for asymmetric wrap (Requires firmware version 2.4 and later)
PKCS11: Add support for PKCS11 3.0
Shell: Fix opening a session using credentials stored on a YubiKey
Build: Always compile with YubiHSM Auth enabled
Connector: Increase maximum message size the connector can handle
Connector: Fix compatibility with later Go versions
yubihsm-shell 2.4.2
yubihsm-connector 3.0.4
yubihsm-setup 2.3.1
yubihsm-ksp 2.3.3
Rebuild yubihsm-ksp with libyubihsm 2.4.2
yubihsm-shell 2.4.2
yubihsm-connector 3.0.4
yubihsm-setup 2.3.1
yubihsm-ksp 2.3.2
Rename yubihsm-shell installer file in the Windows release package. No binaries are effected.
yubihsm-shell 2.4.2
yubihsm-connector 3.0.4
yubihsm-setup 2.3.1
yubihsm-ksp 2.3.2
PKCS11: Add Symmetric key capabilities to searchable criteria
PKCS11: Add support for CKA_KEY_TYPE when searching for objects
PKCS11: Add support for CKA_MODIFIABLE and CKA_COPYABLE attributes for AES and Wrap keys
Test: Increase test coverage
yubihsm-shell 2.4.1
yubihsm-connector 3.0.4
yubihsm-setup 2.3.1
yubihsm-ksp 2.3.2
PKCS11: Security update for YSA-2023-01
PKCS11: Allow only a user with access to all the object’s domains to edit its attributes
PKCS11: Allow for the creation of an asymmetric key even if CKA_ID or CKA_LABEL attribute values for the private and public key are different.
PKCS11: Improve backup capabilities of objects whose attributes have been changed
PKCS11: Add support for CKA_ALLOWED_MECHANISMS
PKCS11: Fix CKA_SENSITIVE and CKA_PRIVATE return value for opaque objects
PKCS11: Add support for CKA_EXTRACTABLE for imported certificates
PKCS11: Fix regression that only allowed encryption with private keys
Library: PKCS11: Delay client side MAC check to avoid leaving unauthenticated sessions open
Shell: Fix handling of ED25519 keys
Build: Update release script for Centos7
Build: Fix paths in pkg-config template
Build: Set linker flags by platform
Test: Improve test coverage
yubihsm-shell 2.4.0
yubihsm-connector 3.0.4
yubihsm-setup 2.3.1
yubihsm-ksp 2.3.2
Library: Shell: PKCS11: Add support for symmetric encryption, AES-ECB and AES-CBC (Requires firmware version 2.3 and later)
Shell: Enable asymmetric authentication by default (Requires firmware version 2.3 and later)
Shell: Allow hex format when creating symmetric authentication key
Shell: Improve usage of the list command
Shell: Allow yubihsm-auth reader to be specified
Shell: Enable backend TLS support in the command line
PKCS11: Add support for modifying CKA_ID and CKA_LABEL attribute values
PKCS11: Improve handling of attributes
PKCS11: Improve debug output
PKCS11: Improve error handling
PKCS11: Change in firmware/hardware version representation. The version as reported by C_GetSlotInfo and C_GetTokenInfo will now show minor*10+patch, instead of minor*100+patch
Build: Dependency updates
Connector: Add changelog
Connector: Minor code improvements
yubihsm-shell 2.3.2
yubihsm-connector 3.0.3
yubihsm-setup 2.3.1
yubihsm-ksp 2.3.2
Shell: Remove limit on input file size
Shell: PKCS11: Minor improvements
Setup: Dependency update
Connector: Dependency update
yubihsm-shell 2.3.0b
yubihsm-connector 3.0.2
yubihsm-setup 2.2.0
yubihsm-ksp 2.3.2
Rebuild for MacOS with ARM architecture to fix dynamic linking issues
Rebuild for YubiHSM KSP to fix versioning
yubihsm-shell 2.3.0b
yubihsm-connector 3.0.2
yubihsm-setup 2.2.0
Rebuild for Linux with CMake < 3.14 to enable additional hardening flags
yubihsm-shell 2.3.0
yubihsm-connector 3.0.2
yubihsm-setup 2.2.0
yubihsm-ksp 2.2.1
Library: Security update for YSA-2021-04
Library: PKCS11: Shell: Fix minor bugs
Library: Improve backend loading on Windows
Library: Add support for ecdh primitives using bcrypt on Windows
Library: Shell Improve error handling
Library: PKCS11: Add more connection option
PKCS11: Add support for RSA encryption
Shell: Rename set-option to put-option and add support for get-option
YubiHSM Auth: No PSCS reader name filtering by default
Test: Improve testing
yubihsm-shell 2.2.0
yubihsm-connector 3.0.2
yubihsm-setup 2.2.0
yubihsm-ksp 2.2.1
Connector: Timeout functionality deprecated
KSP: Add support for EC keys
Setup: Add EC keys capabilities in ksp subcommand
yubihsm-shell 2.2.0
yubihsm-connector 3.0.1
yubihsm-setup 2.1.1
yubihsm-ksp 2.2.0
Connector: Security update for YSA-2021-02
Shell: Library: Add support for YubiHSM Auth
Library: Security update for YSA-2021-01
Library: Add FIPS-mode option
Library: Add support for rsa-pkcs1-decrypt algorithm
Library: shell: Add support for OTP AEAD rewrap
PKCS11: Add support for CKA_TRUSTED attribute
Connector: Improved compatibility with ESXi
Library: Fix memory leaks
Library: Security fixes
Shell: Improve parsing of command line arguments when using OAEP decryption
All: Move away from archaic offensive terms
Install: YubiHSM Shell has 32 and 64-bit MSI installers for Windows
PKCS11: Enable .Net to load yubihsm-pkcs11.dylib
Library: Add a session identifier for the backend
Library/KSP: Make the backend more thread-safe on Windows
Library/Shell: Build with Windows with Visual Studio 2019
Shell: Update build scripts to account for changes in newer MACOS
Shell: Honor the base64 format when returning a public key
Shell: Honor the PEM format when returning a certificate
Shell: Add support for special (national) characters
Test: Improve testing
Deployment Guides: Change in YubiHSM2 Windows Deployment Guide to set the YubiHSM connector service (yhconsrv) as a dependency for the ADCS service (certsvc) to prevent it from starting before the YubiHSM connector service and thus causing the ADCS service to fail. See YubiHSM2 Windows Deployment Guide.
Shell: Fix Wrapping and public key PEM formatting of ED25519 keys
Shell: Add filtering of non-printable characters to prevent terminal control characters embedded in a label from being used to compromise a user using a vulnerable terminal as in CVE-2019-9535. Reported by Julian Biehl <julianbiehl@yahoo.de> of the CISPA Helmholtz Center for Information Security.
Install: KSP installer installs both 32 and 64-bit versions on supported operating systems.
Shell: Allow reading the password from stdin
Shell: Stop the timer for keepalive functionality while reading the password string
Shell: Fail early if DEFAULT_CONNECTOR_URL is not set
Library: Update dependencies
Library: Fix 32-bit Windows builds with mingw32/gcc7
Library: PCSC is not automatically used on Windows
Library: Allow disabling link time optimization.
Library: Fixes and improvements to build, work and test on FreeBSD.
Library: Ensure closing the USB connection before destroying it
Connector: Drop gb dependency manager and move to Go modules and google/gousb. The minimum required version of golang is 1.11.x
Connector: Update dependencies
Shell: Add new commands in CLI mode
Shell: Add more command line options
Shell: No opening a session for commands that do not need one
Shell/yhwrap/pkcs11: Improved compatibility with Windows
Shell: Add support for installing to lib64 on Fedora
Shell: Only use LTO on clang > 7
Library: Improve handling of device memory
Library: Allow both USB and HTTP support to be compiled in static library
Library: Implement signing using sign-eddsa
Library: More informative error handling
Setup: Added support for configuring the YubiHSM 2 for use with EJBCA
Library: Fix issue with session creation if the authentication key ID is too high
Library: Fix a potential issue with memory operations
Library: Fix a potential issue with data left after previous transactions or connections
Shell: More efficient use of the keepalive function
Shell: More efficient handling of sessions when a connection is terminated
Tests: Make code examples compile
All: Drop unused files
Library: Better documentation of arguments
Library: Better handling of errors
Library: Rename object types, algorithms, capabilities, commands, command options and errors
Library: API improvements
Library: Add a feature to derive an authentication key from a password
Library: Add a feature to change an authentication key
Pkcs11: Added support for C_DeriveKey()
Shell: Change keepalive command to a toggle (on/off)
Tests: Add support for running tests using direct USB connection
Documentation: Drop documentation from the code base and moved the content to Yubico’s developers website (https://developers.yubico.com/YubiHSM2/)
All: Re-organization of file structure
Pkcs11: Fix a potential issue with RSA bit calculation in C_GetMechanismInfo()
Pkcs11: Fix a case where we return the wrong error from C_GetMechanismList()
Connector: Fix a race condition when the usb state was re-created.
Connector: Better error reporting in some failure cases.
Connector: Fix issues where the connector could hang on Windows.
Connector: Fix an issue where the connector would not reconnect on Windows.
Shell: Fix an issue with importing HMAC keys.
Pkcs11: Add a way for users to pass in options over the API to C_Initialize()
Shell: Handle return values from reset correctly on windows.
Connector: Return HTTP errors when operations fail.
Library: Handle HTTP errors correctly on windows.
Library: Fix printing of time in debug on windows.
Pkcs11: Fix a problem in C_FindObjects() where not all items would be returned
Library: Fix connect timeout on windows
Library: Fix debugging to file
Pkcs11: Fix an error case leaving the session in a broken state
Pkcs11: Start session IDs from 1, not 0
Setup: Fix broken debian package
Library/Pkcs11/Shell: Openssl 1.1 compatibility
Library: Mark internal symbols as hidden correctly
Pkcs11: Add option to set connect timeout
Pkcs11: Accept C_SetAttributeValue() for CKA_ID and CKA_LABEL if unchanged
Shell: Implement decrypt-ecdh in non-interactive mode
Connector: On Windows use internal USB libraries instead of libusb
Connector: Implement Host header allow listing (Use to prevent DNS rebinding attacks in applicable environments, e.g., if there is an absolute need to use a web browser on the host where the Yubihsm2 is installed to connect to untrusted web sites on the Internet. This is not a recommended practice.)
Shell: Fix hashing so signing from windows shell works
Pkcs11: Handle ecdsa with longer hash than key
Pkcs11: Correct error for trying to extract EC key
Pkcs11: Fix native locking on windows
Pkcs11: Correct linking on macos
Library: Fix logic in session re-use
Ksp: Handle passwords longer than 8 characters
Shell: Sorted output
Library: Mark all internal symbols as hidden
All: Provide deb packages on debian/ubuntu