Release Notes

  • Version 1.2.2 (unreleased)

  • Version 1.2.1 (released 2016-11-03)

    • Fixup release: Remove minimum version for sqlalchemy dependency which was set too high.

    • yhsm-yubikey-ksm: Add --proxy/--proxies argument for logging proxies requests.

  • Version 1.2.0 (released 2016-11-02)

    • yhsm-validation-server: Support OATH TOTP.

    • yhsm-init-oath-token: Handle keys with length != 20.

    • yhsm-yubikey-ksm: Allow passing soft-HSM keys via stdin by passing "-" as device argument.

    • yhsm-yubikey-ksm: Allow passing --db-url via environment variable.

    • Moved utils, yubikey-ksm and validation-server to be included when installing using pip.

    • Use entry_point scripts generated by setuptools.

    • Moved man pages to man/ directory.

    • Bugfix: Fix AEAD generation on Windows by writing in binary mode.

    • Bugfix: Support AEADs generated on Windows using pyhsm ⇐ 1.1.1.

    • Bugfix: Avoid installing unit test package.

    • Bugfix: yhsm-import-keys: Fix --aes-key argument used when importing without a YubiHSM.

  • Version 1.1.1 (released 2016-01-08)

    • Fixup release.

  • Version 1.1.0 (released 2016-01-08)

    • Restructured the repository and build process.

    • Use Semantic Versioning (semver.org).

    • Added support for a "soft" HSM in yhsm-yubikey-ksm, yhsm-import-keys and yhsm-generate-keys.

  • Version 1.0.4l (released 2015-08-24)

    • Documentation is now in asciidoc format.

    • yhsm-yubikey-ksm: Fix bug when the same public ID occured for multiple keyhandles.

  • Version 1.0.4k (released 2014-09-18)

    • yhsm-db-import, yhsm-db-export: Fix syntax error.

  • Version 1.0.4j (released 2014-09-16)

    • yhsm-yubikey-ksm: Fix syntax error.

  • Version 1.0.4i (released 2014-09-16)

    • yhsm-yubikey-ksm: Add --daemon.

    • yhsm-yubikey-ksm: Add --db-url to specify SQL database path to AEAD store.

    • yhsm-db-import, yhsm-db-export: New tools to do database import/export.

    • Documentation cleanup.

  • Version 1.0.4h (released 2014-01-09)

    • yhsm-daemon: Use JSON messages instead of Python pickling. (as suggested by Rogdham)

  • Version 1.0.4g (released 2013-05-06)

    • yhsm-daemon: Support listening to non-loopback interfaces.

    • yhsm-daemon: Forward exceptions to the client.

    • yhsm-daemon: Handle device unavailable, and attempt to recover.

  • Version 1.0.4f (released 2013-04-12)

  • Version 1.0.4e (released 2013-04-06)

    • yhsm-decrypt-aead: For yubikey-csv output, fix prefix field. Before the prefix was set to the AEAD nonce which is only correct for old style AEAD files. Now it uses the AEAD filename for the prefix field.

    • yhsm-decrypt-aead: Improve diagnostic messages. Errors and warnings are now printed to standard error. The count of number of failed and processsed AEADs should now be accurate.

  • Version 1.0.4d (released 2013-03-18)

    • Fix so that yhsm-yubikey-ksm can work with the older format.

  • Version 1.0.4c (released 2013-03-18)

    • When doing OTP verification, if a nonce is written to the AEAD file use that for decryption, not public id.

    • yhsm-import-keys: add --random-nonce for using hsm generated nonce.

    • yhsm-generate-keys: add --random-nonce for using hsm generated nonce.

  • Version 1.0.4b (released 2013-02-11)

    • yhsm-import-keys: Support soft HSM AEAD generation.

    • yhsm-import-keys: Ignore lines starting with #.

    • yhsm-import-keys: Block all-zero (ccc…c) keys.

    • yhsm-decrypt-keys: Support generating AEADs.

    • yhsm-decrypt-keys: Ignores non-modhex files in AEAD directory trees.

    • yhsm-generate-keys: Bugfix that caused AEAD generation to fail.

    • yhsm-generate-keys: Bugfix that caused wrong nonce to be used.

    • yhsm-generate-keys: Prevent generating all-zero (ccc…c) keys.

    • Added this NEWS file, based on debian/changelog in the Debian package.

  • Version 1.0.4a (released 2012-06-26)

    • Enable IPv6 --addr for network servers.

    • Verifies communication with YubiHSM on initialization.

  • Version 1.0.4 (released 2012-06-21)

    • Match firmware 1.0.4. Firmware adds flag YSM_USER_NONCE to address security problem for some usages where AEADs could be decrypted by an attacker capable of generating new AEADs.

    • New file format for stored AEADs (code loading AEADs is backwards

    • compatible), including key handle and nonce.

    • AES CCM implementation compatible with YubiHSM in software, for

    • transparency and to enable willfull decryption of AEADs.

    • Tools to generate YubiKey secrets into AEADs as well as decrypt

    • them to enable provisioning YubiKeys with the secrets.

  • Version 1.0.3c (released 2012-01-05)

    • First public release.