yubico-piv-tool NEWS -- History of user-visible changes.        -*- outline -*-

* Version 1.6.1 (released 2018-08-17)

** Compilation warning fixes for OpenSSL 1.1 builds.

** Fix length when encoding exactly 0xff bytes.

** Check length of objects correctly before storing in buffer.

** Check length of certificate correctly when storing.

* Version 1.6.0 (released 2018-08-08)

** Security release to mitigate https://www.yubico.com/support/security-advisories/ysa-2018-03/[YSA-2018-03].

** Allow builiding against LibreSSL.

** Bugfixes in OpenSSL 1.1 code.

** Fix compilation warnings.

** Fix ykcs11 key generation to work with OpenSSL 1.1.

** Ykcs11 compatibility fixes.

* Version 1.5.0 (released 2017-11-29)

** API additions: Higher-level "util" API added to libykpiv.

** Added ykpiv_attest(), ykpiv_get_pin_retries(), ykpiv_set_pin_retries()

** Added functions for using existing PCSC card handle.

** Support using custom memory allocator.

** Documentation updates.  'make doxygen' for HTML format.

** Expanded automated tests for hardware devices, moved to 'make hwcheck'.

** OpenSSL 1.1 support

** Moderate internal refactoring.  Many small bugs fixed.

* Version 1.4.4 (released 2017-10-17)

** Documentation updates.

** Add pin caching to work around disconnect problems.

** Disable RSA key generation on YubiKey 4 before 4.3.5.
See https://yubi.co/ysa201701/ for details.

* Version 1.4.3 (released 2017-04-18)

** Encode RSA x509 certificates correctly.

** Documentation updates.

** In ykcs11 return CKA_MODULUS correctly for private keys.

** In ykcs11 fix for signature size approximation.

** Fix PSS signatures in ykcs11.

** Add a CLI flag --stdin-input to make batch execution easier.

* Version 1.4.2 (released 2016-08-12)

** Clarify license headers and clean up YKCS11 licensing.
Now uses pkcs11.h from the Scute project.

** Don't install ykcs11-version.h.

** No cflags in ykcs11.pc.

** Unimplemented YKCS11 functions now return CKR_FUNCTION_FAILED.

* Version 1.4.1 (released 2016-08-11)

** Documentation updates

** Add possibility to export certificates in SSH format.

** Make certificate serial number random by default.

* Version 1.4.0 (released 2016-05-03)

** Add attest action
When used on a slot with a generated key, outputs a signed x509 certificate for
that slot showing that the key was generated in hardware. Available in firmware
4.3.0 and newer.

** Add cached parameter for touch-policy
With cached, the touch is valid for an additional 15s. Available in firmware
4.3.0 and newer.

** Enforce a minimum PIN length of 6 characters.

** Fix a bug with list-readers action where it fell through processing into
write-object.

* Version 1.3.1 (released 2016-04-19)

** Fix a bug where unblock pin would instead change puk, introduced in 1.3.0.

** Clarifications with help texts.

* Version 1.3.0 (released 2016-02-19)

** Fixed extraction of RSA modulus and exponent for pkcs11.

** Implemented C_SetPIN for pkcs11.

** Add generic write and read object actions for the tool.
Supports hex/binary/base64 formats

** Add ykpiv_change_pin(), ykpiv_change_puk() and ykpiv_unblock_pin()

** Print CCC with status action.

** Address bugs with pkcs11 on windows.

** Add --valid-days and --serial to tool for selfsign-certificate action.

** Ask for password for pkcs12 if none is given.

* Version 1.2.2 (released 2015-12-08)

** Fix old buffer overflow in change-pin functionality.

* Version 1.2.1 (released 2015-12-08)

** Fix issue with big certificates and status.

* Version 1.2.0 (released 2015-12-07)

** On OSX use @loader_path instead of @executable_path for ykcs11.

** Add ykpiv_import_private_key to libykpiv.

** Raise buffer sizes to support bigger objects.

** Change behavior of action status, only list populated slots.

** Add retired keys to ykcs11.

** In ykcs11 support login with non null terminated pin.

** Add a new action set-ccc to yubico-piv-tool to set the CCC.

* Version 1.1.2 (released 2015-11-13)

** Properly handle DER encoding in ECDSA signatures.

* Version 1.1.1 (released 2015-11-11)

** Make sure SCardContext is properly acquired and released.

* Version 1.1.0 (released 2015-11-06)

** Add support for new YubiKey 4.

** Add ykcs11.

* Version 1.0.3 (released 2015-10-01)

** Correct wording on unblock-pin action.

** Show pin retries correctly.

** Use a bigger buffer for receiving data.

* Version 1.0.2 (released 2015-09-04)

** Query for different passwords/pins on stdin if they're not supplied.

** If a reader fails continue trying matching readers.

** Authentication failed is supposed to be 0x63cX not 0x630X.

* Version 1.0.1 (released 2015-07-10)

** Project relicensed to 2-clause BSD license

** Minor fixes found with clang scan-build

* Version 1.0.0 (released 2015-06-23)

** Add a test-decipher action.

** Check that e is 0x10001 on importing rsa keys

** Use PCSC transactions when sending and receiving data

* Version 0.1.6 (released 2015-03-23)

** Add a read-certificate action to the tool.

** Add a status action to the tool.

** Fix a library bug so NULL can be passed to ykpiv_verify()

** Add a test-signature action to the tool.

* Version 0.1.5 (released 2015-02-04)

** Revert the check for parity and just set parity before the weak check.

* Version 0.1.4 (released 2015-02-02)

** Prompt for input if input is stdin.

** Mark all bits of the signature as used is certs and requests.

** Correct error for unblock-pin.

** Fix hex decode to decode capital letters and return error.

** Check parity of new management keys.

* Version 0.1.3 (released 2014-12-18)

** Add format DER for importing certificates.

** Make sure diagnostic feedback ends up on stderr.

** Add positive feedback for a couple of actions.

* Version 0.1.2 (released 2014-11-14)

** Fix an issue where shorter component of RSA keys where not packed correctly.

* Version 0.1.1 (released 2014-11-10)

** Correct broken CHUID that made windows work inconsistently.

** Add support for compressed certificates.

** Fix broken unblock-pin action.

** Don't try to accept to short keys for mgm key.

** Only do applet authentication if needed.

** Add --hash for selecting what hash to use for signatures.

** Add hidden --sign command. Should probably not be used.

** Fix for signature algorithm in selfsigned cert.

* Version 0.1.0 (released 2014-08-25)

** Break out functionality into a library.

** More testing.

* Version 0.0.3 (released 2014-05-26)

** Add delete-certificate action.

** Fix minor bugs.

* Version 0.0.2 (released 2014-02-19)

** Fix an offset bug with CHUID.

** Do full mutual auth with the applet.

* Version 0.0.1 (released 2014-02-11)

** Initial release.
