Release Notes

yubico-piv-tool NEWS — History of user-visible changes. -- outline --

  • Version 1.5.1 (unreleased)

  • Version 1.5.0 (released 2017-11-29)

    • API additions: Higher-level "util" API added to libykpiv.

    • Added ykpiv_attest(), ykpiv_get_pin_retries(), ykpiv_set_pin_retries()

    • Added functions for using existing PCSC card handle.

    • Support using custom memory allocator.

    • Documentation updates. make doxygen for HTML format.

    • Expanded automated tests for hardware devices, moved to make hwcheck.

    • OpenSSL 1.1 support

    • Moderate internal refactoring. Many small bugs fixed.

  • Version 1.4.4 (released 2017-10-17)

    • Documentation updates.

    • Add pin caching to work around disconnect problems.

    • Disable RSA key generation on YubiKey 4 before 4.3.5. See https://yubi.co/ysa201701/ for details.

  • Version 1.4.3 (released 2017-04-18)

    • Encode RSA x509 certificates correctly.

    • Documentation updates.

    • In ykcs11 return CKA_MODULUS correctly for private keys.

    • In ykcs11 fix for signature size approximation.

    • Fix PSS signatures in ykcs11.

    • Add a CLI flag --stdin-input to make batch execution easier.

  • Version 1.4.2 (released 2016-08-12)

    • Clarify license headers and clean up YKCS11 licensing. Now uses pkcs11.h from the Scute project.

    • Don’t install ykcs11-version.h.

    • No cflags in ykcs11.pc.

    • Unimplemented YKCS11 functions now return CKR_FUNCTION_FAILED.

  • Version 1.4.1 (released 2016-08-11)

    • Documentation updates

    • Add possibility to export certificates in SSH format.

    • Make certificate serial number random by default.

  • Version 1.4.0 (released 2016-05-03)

    • Add attest action When used on a slot with a generated key, outputs a signed x509 certificate for that slot showing that the key was generated in hardware. Available in firmware 4.3.0 and newer.

    • Add cached parameter for touch-policy With cached, the touch is valid for an additional 15s. Available in firmware 4.3.0 and newer.

    • Enforce a minimum PIN length of 6 characters.

    • Fix a bug with list-readers action where it fell through processing into write-object.

  • Version 1.3.1 (released 2016-04-19)

    • Fix a bug where unblock pin would instead change puk, introduced in 1.3.0.

    • Clarifications with help texts.

  • Version 1.3.0 (released 2016-02-19)

    • Fixed extraction of RSA modulus and exponent for pkcs11.

    • Implemented C_SetPIN for pkcs11.

    • Add generic write and read object actions for the tool. Supports hex/binary/base64 formats

    • Add ykpiv_change_pin(), ykpiv_change_puk() and ykpiv_unblock_pin()

    • Print CCC with status action.

    • Address bugs with pkcs11 on windows.

    • Add --valid-days and --serial to tool for selfsign-certificate action.

    • Ask for password for pkcs12 if none is given.

  • Version 1.2.2 (released 2015-12-08)

    • Fix old buffer overflow in change-pin functionality.

  • Version 1.2.1 (released 2015-12-08)

    • Fix issue with big certificates and status.

  • Version 1.2.0 (released 2015-12-07)

    • On OSX use @loader_path instead of @executable_path for ykcs11.

    • Add ykpiv_import_private_key to libykpiv.

    • Raise buffer sizes to support bigger objects.

    • Change behavior of action status, only list populated slots.

    • Add retired keys to ykcs11.

    • In ykcs11 support login with non null terminated pin.

    • Add a new action set-ccc to yubico-piv-tool to set the CCC.

  • Version 1.1.2 (released 2015-11-13)

    • Properly handle DER encoding in ECDSA signatures.

  • Version 1.1.1 (released 2015-11-11)

    • Make sure SCardContext is properly acquired and released.

  • Version 1.1.0 (released 2015-11-06)

    • Add support for new YubiKey 4.

    • Add ykcs11.

  • Version 1.0.3 (released 2015-10-01)

    • Correct wording on unblock-pin action.

    • Show pin retries correctly.

    • Use a bigger buffer for receiving data.

  • Version 1.0.2 (released 2015-09-04)

    • Query for different passwords/pins on stdin if they’re not supplied.

    • If a reader fails continue trying matching readers.

    • Authentication failed is supposed to be 0x63cX not 0x630X.

  • Version 1.0.1 (released 2015-07-10)

    • Project relicensed to 2-clause BSD license

    • Minor fixes found with clang scan-build

  • Version 1.0.0 (released 2015-06-23)

    • Add a test-decipher action.

    • Check that e is 0x10001 on importing rsa keys

    • Use PCSC transactions when sending and receiving data

  • Version 0.1.6 (released 2015-03-23)

    • Add a read-certificate action to the tool.

    • Add a status action to the tool.

    • Fix a library bug so NULL can be passed to ykpiv_verify()

    • Add a test-signature action to the tool.

  • Version 0.1.5 (released 2015-02-04)

    • Revert the check for parity and just set parity before the weak check.

  • Version 0.1.4 (released 2015-02-02)

    • Prompt for input if input is stdin.

    • Mark all bits of the signature as used is certs and requests.

    • Correct error for unblock-pin.

    • Fix hex decode to decode capital letters and return error.

    • Check parity of new management keys.

  • Version 0.1.3 (released 2014-12-18)

    • Add format DER for importing certificates.

    • Make sure diagnostic feedback ends up on stderr.

    • Add positive feedback for a couple of actions.

  • Version 0.1.2 (released 2014-11-14)

    • Fix an issue where shorter component of RSA keys where not packed correctly.

  • Version 0.1.1 (released 2014-11-10)

    • Correct broken CHUID that made windows work inconsistently.

    • Add support for compressed certificates.

    • Fix broken unblock-pin action.

    • Don’t try to accept to short keys for mgm key.

    • Only do applet authentication if needed.

    • Add --hash for selecting what hash to use for signatures.

    • Add hidden --sign command. Should probably not be used.

    • Fix for signature algorithm in selfsigned cert.

  • Version 0.1.0 (released 2014-08-25)

    • Break out functionality into a library.

    • More testing.

  • Version 0.0.3 (released 2014-05-26)

    • Add delete-certificate action.

    • Fix minor bugs.

  • Version 0.0.2 (released 2014-02-19)

    • Fix an offset bug with CHUID.

    • Do full mutual auth with the applet.

  • Version 0.0.1 (released 2014-02-11)

    • Initial release.