Release Notes

Fixup release: Remove minimum version for sqlalchemy dependency which was set too high.

yhsm-yubikey-ksm: Add --proxy/--proxies argument for logging proxies requests.

yhsm-validation-server: Support OATH TOTP.

yhsm-init-oath-token: Handle keys with length != 20.

yhsm-yubikey-ksm: Allow passing soft-HSM keys via stdin by passing "-" as device argument.

yhsm-yubikey-ksm: Allow passing --db-url via environment variable.

Moved utils, yubikey-ksm and validation-server to be included when installing using pip.

Use entry_point scripts generated by setuptools.

Moved man pages to man/ directory.

Bugfix: Fix AEAD generation on Windows by writing in binary mode.

Bugfix: Support AEADs generated on Windows using pyhsm ⇐ 1.1.1.

Bugfix: Avoid installing unit test package.

Bugfix: yhsm-import-keys: Fix --aes-key argument used when importing without a YubiHSM.

Fixup release.

Restructured the repository and build process.

Use Semantic Versioning (semver.org).

Added support for a "soft" HSM in yhsm-yubikey-ksm, yhsm-import-keys and yhsm-generate-keys.

Documentation is now in asciidoc format.

yhsm-yubikey-ksm: Fix bug when the same public ID occured for multiple keyhandles.

yhsm-db-import, yhsm-db-export: Fix syntax error.

yhsm-yubikey-ksm: Fix syntax error.

yhsm-yubikey-ksm: Add --daemon.

yhsm-yubikey-ksm: Add --db-url to specify SQL database path to AEAD store.

yhsm-db-import, yhsm-db-export: New tools to do database import/export.

Documentation cleanup.

yhsm-daemon: Use JSON messages instead of Python pickling. (as suggested by Rogdham)

yhsm-daemon: Support listening to non-loopback interfaces.

yhsm-daemon: Forward exceptions to the client.

yhsm-daemon: Handle device unavailable, and attempt to recover.

Fix failing test.

Support URLs in device field, for more info see: http://pyserial.sourceforge.net/pyserial_api.html#serial.serial_for_url

Added yhsm-daemon.

yhsm-decrypt-aead: For yubikey-csv output, fix prefix field. Before the prefix was set to the AEAD nonce which is only correct for old style AEAD files. Now it uses the AEAD filename for the prefix field.

yhsm-decrypt-aead: Improve diagnostic messages. Errors and warnings are now printed to standard error. The count of number of failed and processsed AEADs should now be accurate.

Fix so that yhsm-yubikey-ksm can work with the older format.

When doing OTP verification, if a nonce is written to the AEAD file use that for decryption, not public id.

yhsm-import-keys: add --random-nonce for using hsm generated nonce.

yhsm-generate-keys: add --random-nonce for using hsm generated nonce.

yhsm-import-keys: Support soft HSM AEAD generation.

yhsm-import-keys: Ignore lines starting with #.

yhsm-import-keys: Block all-zero (ccc…c) keys.

yhsm-decrypt-keys: Support generating AEADs.

yhsm-decrypt-keys: Ignores non-modhex files in AEAD directory trees.

yhsm-generate-keys: Bugfix that caused AEAD generation to fail.

yhsm-generate-keys: Bugfix that caused wrong nonce to be used.

yhsm-generate-keys: Prevent generating all-zero (ccc…c) keys.

Added this NEWS file, based on debian/changelog in the Debian package.

Enable IPv6 --addr for network servers.

Verifies communication with YubiHSM on initialization.

Match firmware 1.0.4. Firmware adds flag YSM_USER_NONCE to address security problem for some usages where AEADs could be decrypted by an attacker capable of generating new AEADs.

New file format for stored AEADs (code loading AEADs is backwards

compatible), including key handle and nonce.

AES CCM implementation compatible with YubiHSM in software, for

transparency and to enable willfull decryption of AEADs.

Tools to generate YubiKey secrets into AEADs as well as decrypt

them to enable provisioning YubiKeys with the secrets.

First public release.