Release Notes

yubico-piv-tool NEWS — History of user-visible changes. -- outline --

  • Version 2.7.1 (released 2024-12-19)

    • ykpiv: Fix type casting issues affecting systems using Big-endian architecture

  • Version 2.7.0 (released 2024-12-19)

    • ykpiv: cmd: Add support for communication over a secure channel according to SCP11b specifications

    • ykpiv: cmd: Add support for device global reset

  • Version 2.6.1 (released 2024-09-12)

    • cmd: Fix performing bio verification

    • ykcs11: Fix handling ED25519 and X25519 keys

  • Version 2.6.0 (released 2024-08-21)

    • cmd: Add support for biometric verification and match policy

    • ykcs11: Add support for PKCS11 3.0

    • ykpiv: cmd: ykcs11: Improve error traceability

    • ykpiv: cmd: ykcs11: Fix minor bugs

    • build: Make building with zlib optional

  • Version 2.5.2 (released 2024-05-07)

    • cmd: Fix signing selfsigned certificate for ED25519 key.

  • Version 2.5.1 (released 2024-02-14)

    • ykpiv: cmd: ykcs11: Fix buffer size for key import.

  • Version 2.5.0 (released 2024-01-31)

    • ykpiv: cmd: ykcs11: Add support for RSA3072 and RSA4096 key types. Available in firmware 5.7.0 and newer

    • ykpiv: cmd: Add support for ED25519 and X25519 key types. Available in firmware 5.7.0 and newer

    • ykpiv: cmd: Add support for deleting keys. Available in firmware 5.7.0 and newer

    • ykpiv: cmd: Add support for moving keys between slots. Available in firmware 5.7.0 and newer

  • Version 2.4.2 (released 2023-12-07)

    • ykpiv: Fix potential type casting bug.

  • Version 2.4.1 (released 2023-12-05)

    • ykpiv: ykcs11: Fix building on certain architectures. Existing builds are not affected.

  • Version 2.4.0 (released 2023-11-30)

    • ykpiv: cmd: Add support for compressing certificate upon import

    • ykcs11: Increase maximum number of slots to handle overflow

    • ykcs11: Add support for CKA_COPYABLE and CKA_DESTROYABLE attributes

  • Version 2.3.1 (released 2023-02-07)

    • ykpiv: Add support for T=0 smartcards

    • ykpiv: ykcs11: Minor code optimization

    • ykpiv: ykcs11: Improve logging

    • ykpiv: ykcs11: Improve error handling

    • ykpiv: ykcs11: Fix minor bugs

    • ykcs11: Add support for several PKCS11 Attributes

    • ykcs11: Add support for CKM_ECDSA_SHA512 mechanism

    • ykcs11: Fix incorrect value for public key attributes CKA_PRIVATE, CKA_SENSITIVE, CKA_ALWAYS_SENSITIVE, CKA_EXTRACTABLE and CKA_NEVER_EXTRACTABLE

    • doc: Minor documentation improvement

  • Version 2.3.0 (released 2022-03-01)

    • ykpiv: Add support for AES management keys

    • ykpiv: Better handling of connection reset

    • ykpiv: Add support for T=0 protocol

    • ykcs11: Support YubiKeys in NFC readers

    • ykcs11: Support touch and PIN policies for imported private keys

    • ykcs11: Support touch and PIN policy when generating keys

    • ykcs11: Set length to -1 on function fail

    • ykcs11: Ignore CKA_NAME_HASH_ALGORITHM and CKA_HASH_OF_SUBJECT_PUBLIC_KEY for certificates

    • cmd: Support attestation in selfsign certificates

    • build: Compile cleanly with openssl 1.1 and 3

  • Version 2.2.1 (released 2021-09-07)

    • ykpiv: Minor bug fixes

    • ykcs11: Improved handling of object attributes

    • ykcs11: Update flags for EC related mechanisms

    • ykcs11: Minor bug fixes

    • test: Improved testing

    • doc: Improved documentation

  • Version 2.2.0 (released 2021-01-20)

    • ykpiv: Increased SO version

    • ykpiv: Fixed minor memory leaks

    • ykpiv: Improved error handling

    • ykpiv: Improved handling of PCSC card validation

    • ykcs11: Updated Cryptoki version

    • ykcs11: Support for CKM_ECDH1_DERIVE mechanism info

    • ykcs11: Support for destroying ECDH derived keys

    • ykcs11: Improved handling of PIN after device re-connection

    • ykcs11: Improved debug logging

    • cmd: Improved parsing of certificate Distinguished Name to allow an escape character

    • cmd: Warning to discourage generating RSA1024 keys

    • build: Use of platform standard installation path when building yubico-piv-tool

    • tests: Improved testing

  • Version 2.1.1 (released 2020-07-20)

    • Fixed missing dependency when building debian package

  • Version 2.1.0 (released 2020-07-08)

    • Replaced building with autotool with building with cmake

    • Security update for YSA-2020-02

    • ykpiv: Fixed potential memory leaks

    • ykpiv: Use PIN-protected MGMT key if the device is configured that way

    • ykpiv: Added attestation to CSR if requested

    • ykpiv: Fixed compatibility with LibreSSL

    • ykcs11: Improved handling of error codes

    • ykcs11: Improved handling of examples in the PKCS11 specifications

    • ykcs11: Added the possibility to have debug output as a runtime setting

    • ykcs11: Added support to unblock PIN with PUK

    • ykcs11: Make C_SetPIN backwards compatible while also allowing unblock PIN

    • tests: Improved tests

  • Version 2.0.0 (released 2020-01-29)

    • ykpiv: Added ykpiv_get_metadata and ykpiv_util_parse_metadata to read and parse private key metadata (supported from YK 5.3).

    • ykpiv: Fixed PCSC transaction handling when re-selecting PIV due to external card reset events.

    • ykpiv: Improved error reporting.

    • ykpiv: Correctly report YK5 devices, and NEO and YK5 over NFC.

    • ykpiv: MGM KEY (SO PIN) is cached (in addition to PIN).

    • ykpiv: Fixed resetting of cached serial / version when an application re-uses ykpiv_state.

    • ykpiv: ykpiv_get_pin_retries selects a different applet before re-selecting PIV since just re-selecting PIV is a no-op on YK5.

    • ykcs11: Shared library exports all PKCS11 functions per the spec (For applications that don’t use C_GetFunctionList).

    • ykcs11: Support for up to 16 simultaneous sessions, with support for multi-threaded access (if requested when calling C_Initialize).

    • ykcs11: Support for resetting the PIV application via C_initToken. Requires knowledge of the MGMT KEY (SO PIN) per the PKCS11 spec.

    • ykcs11: Support for public-key operations not supported by PIV (C_Verify, C_Encrypt), implemented using OpenSSL.

    • ykcs11: Support for attestations, exposed as session objects of certificate class. Generated when opening the first session to a slot.

    • ykcs11: Support for forked processes on Linux and MacOS.

    • ykcs11: Support for RSA signatures using PKCS or PSS padding with optional digesting by the library. Raw signatures are also supported.

    • ykcs11: Support for ECDSA signatures with optional digesting by the library. Raw signatures are also supported.

    • ykcs11: Support for RSA encryption / decryption with PKCS or OAEP padding.

    • ykcs11: Makes use of key metadata when available (YK 5.3 and above), providing access to keys even if certificates are not present.

    • ykcs11: Supports SHA1, SHA256, SHA384 and SHA512 digesting, plus SHA224 digesting for ECDSA signatures and for the MGF1 digest in PSS / OAEP, implemented using OpenSSL.

    • ykcs11: Supports C_Login with context-specific user type. This allows use cases that require both SO PIN and normal PIN in the same session.

  • Version 1.7.0 (released 2019-04-03)

    • Add ykpiv_get_serial() to API.

    • Add version and serial to status output.

    • FASC-N fixes for CHUID.

    • ykcs11: Fix ECDSA signatures.

    • Make selfsigned X.509 extensions have correct extensions to match openssl.

    • Security fixes.

    • Documentation fixes.

    • Try to clear memory that might contain secrets.

  • Version 1.6.2 (released 2018-09-14)

    • Compare reader names case insensitive.

    • Fix certificate and certificate request signatures with OpenSSL 1.1.

  • Version 1.6.1 (released 2018-08-17)

    • Compilation warning fixes for OpenSSL 1.1 builds.

    • Fix length when encoding exactly 0xff bytes.

    • Check length of objects correctly before storing in buffer.

    • Check length of certificate correctly when storing.

  • Version 1.6.0 (released 2018-08-08)

    • Security release to mitigate YSA-2018-03.

    • Allow builiding against LibreSSL.

    • Bugfixes in OpenSSL 1.1 code.

    • Fix compilation warnings.

    • Fix ykcs11 key generation to work with OpenSSL 1.1.

    • Ykcs11 compatibility fixes.

  • Version 1.5.0 (released 2017-11-29)

    • API additions: Higher-level "util" API added to libykpiv.

    • Added ykpiv_attest(), ykpiv_get_pin_retries(), ykpiv_set_pin_retries()

    • Added functions for using existing PCSC card handle.

    • Support using custom memory allocator.

    • Documentation updates. make doxygen for HTML format.

    • Expanded automated tests for hardware devices, moved to make hwcheck.

    • OpenSSL 1.1 support

    • Moderate internal refactoring. Many small bugs fixed.

  • Version 1.4.4 (released 2017-10-17)

    • Documentation updates.

    • Add pin caching to work around disconnect problems.

    • Disable RSA key generation on YubiKey 4 before 4.3.5. See https://yubi.co/ysa201701/ for details.

  • Version 1.4.3 (released 2017-04-18)

    • Encode RSA x509 certificates correctly.

    • Documentation updates.

    • In ykcs11 return CKA_MODULUS correctly for private keys.

    • In ykcs11 fix for signature size approximation.

    • Fix PSS signatures in ykcs11.

    • Add a CLI flag --stdin-input to make batch execution easier.

  • Version 1.4.2 (released 2016-08-12)

    • Clarify license headers and clean up YKCS11 licensing. Now uses pkcs11.h from the Scute project.

    • Don’t install ykcs11-version.h.

    • No cflags in ykcs11.pc.

    • Unimplemented YKCS11 functions now return CKR_FUNCTION_FAILED.

  • Version 1.4.1 (released 2016-08-11)

    • Documentation updates

    • Add possibility to export certificates in SSH format.

    • Make certificate serial number random by default.

  • Version 1.4.0 (released 2016-05-03)

    • Add attest action When used on a slot with a generated key, outputs a signed x509 certificate for that slot showing that the key was generated in hardware. Available in firmware 4.3.0 and newer.

    • Add cached parameter for touch-policy With cached, the touch is valid for an additional 15s. Available in firmware 4.3.0 and newer.

    • Enforce a minimum PIN length of 6 characters.

    • Fix a bug with list-readers action where it fell through processing into write-object.

  • Version 1.3.1 (released 2016-04-19)

    • Fix a bug where unblock pin would instead change puk, introduced in 1.3.0.

    • Clarifications with help texts.

  • Version 1.3.0 (released 2016-02-19)

    • Fixed extraction of RSA modulus and exponent for pkcs11.

    • Implemented C_SetPIN for pkcs11.

    • Add generic write and read object actions for the tool. Supports hex/binary/base64 formats

    • Add ykpiv_change_pin(), ykpiv_change_puk() and ykpiv_unblock_pin()

    • Print CCC with status action.

    • Address bugs with pkcs11 on windows.

    • Add --valid-days and --serial to tool for selfsign-certificate action.

    • Ask for password for pkcs12 if none is given.

  • Version 1.2.2 (released 2015-12-08)

    • Fix old buffer overflow in change-pin functionality.

  • Version 1.2.1 (released 2015-12-08)

    • Fix issue with big certificates and status.

  • Version 1.2.0 (released 2015-12-07)

    • On OSX use @loader_path instead of @executable_path for ykcs11.

    • Add ykpiv_import_private_key to libykpiv.

    • Raise buffer sizes to support bigger objects.

    • Change behavior of action status, only list populated slots.

    • Add retired keys to ykcs11.

    • In ykcs11 support login with non null terminated pin.

    • Add a new action set-ccc to yubico-piv-tool to set the CCC.

  • Version 1.1.2 (released 2015-11-13)

    • Properly handle DER encoding in ECDSA signatures.

  • Version 1.1.1 (released 2015-11-11)

    • Make sure SCardContext is properly acquired and released.

  • Version 1.1.0 (released 2015-11-06)

    • Add support for new YubiKey 4.

    • Add ykcs11.

  • Version 1.0.3 (released 2015-10-01)

    • Correct wording on unblock-pin action.

    • Show pin retries correctly.

    • Use a bigger buffer for receiving data.

  • Version 1.0.2 (released 2015-09-04)

    • Query for different passwords/pins on stdin if they’re not supplied.

    • If a reader fails continue trying matching readers.

    • Authentication failed is supposed to be 0x63cX not 0x630X.

  • Version 1.0.1 (released 2015-07-10)

    • Project relicensed to 2-clause BSD license

    • Minor fixes found with clang scan-build

  • Version 1.0.0 (released 2015-06-23)

    • Add a test-decipher action.

    • Check that e is 0x10001 on importing rsa keys

    • Use PCSC transactions when sending and receiving data

  • Version 0.1.6 (released 2015-03-23)

    • Add a read-certificate action to the tool.

    • Add a status action to the tool.

    • Fix a library bug so NULL can be passed to ykpiv_verify()

    • Add a test-signature action to the tool.

  • Version 0.1.5 (released 2015-02-04)

    • Revert the check for parity and just set parity before the weak check.

  • Version 0.1.4 (released 2015-02-02)

    • Prompt for input if input is stdin.

    • Mark all bits of the signature as used is certs and requests.

    • Correct error for unblock-pin.

    • Fix hex decode to decode capital letters and return error.

    • Check parity of new management keys.

  • Version 0.1.3 (released 2014-12-18)

    • Add format DER for importing certificates.

    • Make sure diagnostic feedback ends up on stderr.

    • Add positive feedback for a couple of actions.

  • Version 0.1.2 (released 2014-11-14)

    • Fix an issue where shorter component of RSA keys where not packed correctly.

  • Version 0.1.1 (released 2014-11-10)

    • Correct broken CHUID that made windows work inconsistently.

    • Add support for compressed certificates.

    • Fix broken unblock-pin action.

    • Don’t try to accept to short keys for mgm key.

    • Only do applet authentication if needed.

    • Add --hash for selecting what hash to use for signatures.

    • Add hidden --sign command. Should probably not be used.

    • Fix for signature algorithm in selfsigned cert.

  • Version 0.1.0 (released 2014-08-25)

    • Break out functionality into a library.

    • More testing.

  • Version 0.0.3 (released 2014-05-26)

    • Add delete-certificate action.

    • Fix minor bugs.

  • Version 0.0.2 (released 2014-02-19)

    • Fix an offset bug with CHUID.

    • Do full mutual auth with the applet.

  • Version 0.0.1 (released 2014-02-11)

    • Initial release.