Release Notes

Dependency: Add support for python-fido2 1.x

Fix: Drop stated support for Click 6 as features from 7 are being used.

Bugfix: Fix error message for invalid modhex when programing a YubiOTP credential.

Bugfix: Fix issue with displaying a Steam credential when it is the only account.

Bugfix: Prevent installation of files in site-packages root.

Bugfix: Fix cleanup logic in PIV for protected management key.

Add support for token identifier when programming slot-based HOTP.

Add support for programming NDEF in text mode.

Dependency: Add support for Cryptography ⇐ 38.

Bugfix release: Fix broken naming for "YubiKey 4", and a small OATH issue with touch Steam credentials.

Improve handling of YubiKey device reboots.

More consistently mask PIN/password input in prompts.

Support switching mode over CCID for YubiKey Edge.

Run pkill from PATH instead of fixed location.

Bugfix: Fix PIV feature detection for some YubiKey NEO versions.

Bugfix: Fix argument short form for --period when adding TOTP credentials.

Bugfix: More strict validation for some arguments, resulting in better error messages.

Bugfix: Correctly handle TOTP credentials using period != 30 AND touch_required.

Bugfix: Fix prompting for access code in the otp settings command (now uses "-A -").

Add support for fido reset over NFC.

Bugfix: The --touch argument to piv change-management-key was ignored.

Bugfix: Don’t prompt for password when importing PIV key/cert if file is invalid.

Bugfix: Fix setting touch-eject/auto-eject for YubiKey 4 and NEO.

Bugfix: Detect PKCS#12 format when outer sequence uses indefinite length.

Dependency: Add support for Click 8.

Update device names.

Add read_info output to the --diagnose command, and show exception types.

Bugfix: Fix read_info for YubiKey Plus.

Add support for YK5-based FIPS YubiKeys.

Bugfix: Fix OTP device enumeration on Win32.

Drop support for Python < 3.6.

Drop reliance on libusb and libykpersonalize.

Support the "fido" and "otp" subcommands over NFC (using the --reader flag)

New "ykman --diagnose" command to aid in troubleshooting.

New "ykman apdu" command for sending raw APDUs over the smart card interface.

Restructuring of subcommands, with aliases for old versions (to be removed in a future release).

Major changes to the underlying "library" code:

OpenPGP: Add support for KDF enabled YubiKeys.

Static password: Add support for FR, IT, UK and BEPO keyboard layouts.

Bugfix release: Fix dependency on python-fido2 version.

Add support for YubiKey 5C NFC

OpenPGP: set-touch now performs compatibility checks before prompting for PIN

OpenPGP: Improve error messages and documentation for set-touch

PIV: read-object command no longer adds a trailing newline

CLI: Hint at missing permissions when opening a device fails

Linux: Improve error handling when pcscd is not running

Windows: Improve how .DLL files are loaded, thanks to Marius Gabriel Mihai for reporting this!

Bugfix: set-touch now accepts the cached-fixed option

Bugfix: Fix crash in OtpController.prepare_upload_key() error parsing

Bugfix: Fix crash in piv info command when a certificate slot contains an invalid certificate

Library: PivController.read_certificate(slot) now wraps certificate parsing exceptions in new exception type InvalidCertificate

Library: PivController.list_certificates() now returns None for slots containing invalid certificate, instead of raising an exception

Add support for YubiKey 5Ci

OpenPGP: the info command now prints OpenPGP specification version as well

OpenPGP: Update support for attestation to match OpenPGP v3.4

PIV: Use UTC time for self-signed certificates

OTP: Static password now supports the Norman keyboard layout

Add support for new YubiKey Preview and lightning form factor

FIDO: Support for credential management

OpenPGP: Support for OpenPGP attestation, cardholder certificates and cached touch policies

OTP: Add flag for using numeric keypad when sending digits

OTP: Add initial support for uploading Yubico OTP credentials to YubiCloud

Don’t automatically select the U2F applet on YubiKey NEO, it might be blocked by the OS

ChalResp: Always pad challenge correctly

Bugfix: Don’t crash with older versions of cryptography

Bugfix: Password was always prompted in OATH command, even if sent as argument

Add --reader flag to ykman list, to list available smart card readers

FIPS: Checking if a YubiKey FIPS is in FIPS mode is now opt-in, with the --check-fips flag

PIV: Add commands for writing and reading arbitrary PIV objects

PIV: Verify that the PIN must be between 6 - 8 characters long

PIV: In import-certificate, make the verification that the certificate and private key matches opt-in, with the --verify flag

PIV: The piv info command now shows the serial number of the certificates

PIV: The piv info command now shows the full Distinguished Name (DN) of the certificate subject and issuer, if possible

PIV: Malformed certificates are now handled better

OpenPGP: The openpgp touch command now shows current touch policies

The ykman usb/nfc config command now accepts openpgp as well as opgp as an argument

Bugfix: Fix support for german (DE) keyboard layout for static passwords

Add support for Security Key NFC

Add experimental support for external smart card reader. See --reader flag

Add a minimal manpage

Add examples in help texts

PIV: update CHUID when importing a certificate

PIV: Optionally validate that private key and certificate match when importing a certificate (on by default in CLI)

PIV: Improve support for importing certificate chains and .PEM files with comments

Breaking API changes:

Support for YubiKey 5A

OATH: Ignore extra parameters in URI parsing

Bugfix: Never say that NFC is supported for YubiKeys without NFC

Add support for YubiKey 5 Series

Config: Add flag to generate a random configuration lock

OATH: Give a proper error message when a touch credential times out

NDEF: Allow setting the NDEF prefix from the CLI

FIDO: Block reset when multiple YubiKeys are connected

Support for YubiKey FIPS.

OTP: Allow setting and removing access codes on the slots.

Interfaces: set-lock-code now only accepts hexadecimal inputs.

Bugfix: Don’t fail to open the YubiKey when the serial is not visible.

Support for YubiKey Preview.

Add command to configure enabled applications over USB and NFC. See ykman config -h.

Add command for selecting which slot to use for NDEF. See ykman otp ndef -h.

Support for YubiKeys with FIDO2. See ykman fido -h

Report the form factor for YubiKeys that support it.

OTP: slot command is now called otp. See ykman otp -h for all changes.

Static password: Add support for different keyboard layouts. See ykman otp static -h

PIV: Signatures for CSRs are now correct.

PIV: Commands on slots with PIN policy ALWAYS no longer fail if the YubiKey has a management key protected by PIN.

Mode: The U2F mode is now called FIDO.

Dependencies: libu2f-host is no longer used for FIDO communication over USB, instead the python library fido2 is used.

OpenPGP: Expose remaining PIN retries in info command and API.

CCID: Only try YubiKey smart card readers by default.

Handle NEO issues with challenge-response credentials better.

Improve logging.

Improve error handling when opening device over OTP.

Bugfix: Fix adding OTP data through the interactive prompt.

API breaking changes:

CLI breaking changes:

New features:

API bug fixes:

Will now attempt to open device 3 times before failing

OpenPGP: Don’t say data is removed when not

OpenPGP: Don’t swallow APDU errors

PIV: Block on-chip RSA key generation for firmware versions 4.2.0 to 4.3.4 (inclusive) since these chips are vulnerable to CVE-2017-15631.

OATH: Don’t print issuer if there is no issuer.

OATH: Fix yet another issue with backwards compatibility, for adding new credentials.

OATH: Fix issue with backwards compatibility, when used as a library.

OATH: Support 7 digit credentials.

OATH: Support credentials with a period other than 30 seconds.

OATH: The remove command is now called delete.

PIV: Dropped support for deriving a management key from PIN.

PIV: Added support for generating a random management key and storing it on the device protected by the PIN.

OpenPGP: The reset command now handles a device in terminated state.

OATH: Credential filtering is now working properly on Python 2.

Added PIV support. The tool and library now supports most of the PIV functionality found on the YubiKey 4 and NEO. To list the available commands, run ykman piv -h.

Mode command now supports adding and removing modes incrementally.

Bugfix: Fix issue with OATH credentials from Steam on YubiKey 4.

Allow access code input through an interactive prompt.

Bugfix: Some versions of YubiKey NEO occasionally failed calculating challenge-response credentials with touch.

Allow programming of TOTP credentials in YubiKey Slots using the chalresp command.

Add a calculate command (and library support) to perform a challenge-response operation. Can also be used to generate TOTP codes for credentials stored in a slot.

OATH: Remove whitespace in secret keys provided by the user.

OATH: Prompt the user to touch the YubiKey for HOTP touch credentials.

Bugfix: The flag for showing hidden credentials was not working correctly for the oath code command.

OATH functionality added. The tool now exposes the OATH functionality found on the YubiKey 4 and NEO. To list the available commands, run ykman oath -h.

Added support for randomly generated static passwords.

Removed all GUI code. This project is now only for the python library and CLI tool. The GUI will be re-released separately in a different project.

Added command to update settings for YubiKey Slots.

Initial release for beta testing.