yubico-piv-tool NEWS -- History of user-visible changes.        -*- outline -*-

* Version 2.2.1 (released 2021-09-07)

** ykpiv: Minor bug fixes
** ykcs11: Improved handling of object attributes
** ykcs11: Update flags for EC related mechanisms
** ykcs11: Minor bug fixes
** test: Improved testing
** doc: Improved documentation

* Version 2.2.0 (released 2021-01-20)

** ykpiv: Increased SO version
** ykpiv: Fixed minor memory leaks
** ykpiv: Improved error handling
** ykpiv: Improved handling of PCSC card validation
** ykcs11: Updated Cryptoki version
** ykcs11: Support for CKM_ECDH1_DERIVE mechanism info
** ykcs11: Support for destroying ECDH derived keys
** ykcs11: Improved handling of PIN after device re-connection
** ykcs11: Improved debug logging
** cmd: Improved parsing of certificate Distinguished Name to allow an escape character
** cmd: Warning to discourage generating RSA1024 keys
** build: Use of platform standard installation path when building yubico-piv-tool
** tests: Improved testing

* Version 2.1.1 (released 2020-07-20)

** Fixed missing dependency when building debian package

* Version 2.1.0 (released 2020-07-08)

** Replaced building with autotool with building with cmake
** Security update for https://www.yubico.com/support/security-advisories/ysa-2020-02/[YSA-2020-02]
** ykpiv: Fixed potential memory leaks
** ykpiv: Use PIN-protected MGMT key if the device is configured that way
** ykpiv: Added attestation to CSR if requested
** ykpiv: Fixed compatibility with LibreSSL
** ykcs11: Improved handling of error codes
** ykcs11: Improved handling of examples in the PKCS11 specifications
** ykcs11: Added the possibility to have debug output as a runtime setting
** ykcs11: Added support to unblock PIN with PUK
** ykcs11: Make C_SetPIN backwards compatible while also allowing unblock PIN
** tests: Improved tests

* Version 2.0.0 (released 2020-01-29)

** ykpiv: Added ykpiv_get_metadata and ykpiv_util_parse_metadata to read and parse private key metadata (supported from YK 5.3).

** ykpiv: Fixed PCSC transaction handling when re-selecting PIV due to external card reset events.

** ykpiv: Improved error reporting.

** ykpiv: Correctly report YK5 devices, and NEO and YK5 over NFC.

** ykpiv: MGM KEY (SO PIN) is cached (in addition to PIN).

** ykpiv: Fixed resetting of cached serial / version when an application re-uses ykpiv_state.

** ykpiv: ykpiv_get_pin_retries selects a different applet before re-selecting PIV since just re-selecting PIV is a no-op on YK5.

** ykcs11: Shared library exports all PKCS11 functions per the spec (For applications that don't use C_GetFunctionList).

** ykcs11: Support for up to 16 simultaneous sessions, with support for multi-threaded access (if requested when calling C_Initialize).

** ykcs11: Support for resetting the PIV application via C_initToken. Requires knowledge of the MGMT KEY (SO PIN) per the PKCS11 spec.

** ykcs11: Support for public-key operations not supported by PIV (C_Verify, C_Encrypt), implemented using OpenSSL.

** ykcs11: Support for attestations, exposed as session objects of certificate class. Generated when opening the first session to a slot.

** ykcs11: Support for forked processes on Linux and MacOS.

** ykcs11: Support for RSA signatures using PKCS or PSS padding with optional digesting by the library. Raw signatures are also supported.

** ykcs11: Support for ECDSA signatures with optional digesting by the library. Raw signatures are also supported.

** ykcs11: Support for RSA encryption / decryption with PKCS or OAEP padding.

** ykcs11: Makes use of key metadata when available (YK 5.3 and above), providing access to keys even if certificates are not present.

** ykcs11: Supports SHA1, SHA256, SHA384 and SHA512 digesting, plus SHA224 digesting for ECDSA signatures and for the MGF1 digest in PSS / OAEP, implemented using OpenSSL.

** ykcs11: Supports C_Login with context-specific user type. This allows use cases that require both SO PIN and normal PIN in the same session.

* Version 1.7.0 (released 2019-04-03)

** Add ykpiv_get_serial() to API.

** Add version and serial to status output.

** FASC-N fixes for CHUID.

** ykcs11: Fix ECDSA signatures.

** Make selfsigned X.509 extensions have correct extensions to match openssl.

** Security fixes.

** Documentation fixes.

** Try to clear memory that might contain secrets.

* Version 1.6.2 (released 2018-09-14)

** Compare reader names case insensitive.

** Fix certificate and certificate request signatures with OpenSSL 1.1.

* Version 1.6.1 (released 2018-08-17)

** Compilation warning fixes for OpenSSL 1.1 builds.

** Fix length when encoding exactly 0xff bytes.

** Check length of objects correctly before storing in buffer.

** Check length of certificate correctly when storing.

* Version 1.6.0 (released 2018-08-08)

** Security release to mitigate https://www.yubico.com/support/security-advisories/ysa-2018-03/[YSA-2018-03].

** Allow builiding against LibreSSL.

** Bugfixes in OpenSSL 1.1 code.

** Fix compilation warnings.

** Fix ykcs11 key generation to work with OpenSSL 1.1.

** Ykcs11 compatibility fixes.

* Version 1.5.0 (released 2017-11-29)

** API additions: Higher-level "util" API added to libykpiv.

** Added ykpiv_attest(), ykpiv_get_pin_retries(), ykpiv_set_pin_retries()

** Added functions for using existing PCSC card handle.

** Support using custom memory allocator.

** Documentation updates.  'make doxygen' for HTML format.

** Expanded automated tests for hardware devices, moved to 'make hwcheck'.

** OpenSSL 1.1 support

** Moderate internal refactoring.  Many small bugs fixed.

* Version 1.4.4 (released 2017-10-17)

** Documentation updates.

** Add pin caching to work around disconnect problems.

** Disable RSA key generation on YubiKey 4 before 4.3.5.
See https://yubi.co/ysa201701/ for details.

* Version 1.4.3 (released 2017-04-18)

** Encode RSA x509 certificates correctly.

** Documentation updates.

** In ykcs11 return CKA_MODULUS correctly for private keys.

** In ykcs11 fix for signature size approximation.

** Fix PSS signatures in ykcs11.

** Add a CLI flag --stdin-input to make batch execution easier.

* Version 1.4.2 (released 2016-08-12)

** Clarify license headers and clean up YKCS11 licensing.
Now uses pkcs11.h from the Scute project.

** Don't install ykcs11-version.h.

** No cflags in ykcs11.pc.

** Unimplemented YKCS11 functions now return CKR_FUNCTION_FAILED.

* Version 1.4.1 (released 2016-08-11)

** Documentation updates

** Add possibility to export certificates in SSH format.

** Make certificate serial number random by default.

* Version 1.4.0 (released 2016-05-03)

** Add attest action
When used on a slot with a generated key, outputs a signed x509 certificate for
that slot showing that the key was generated in hardware. Available in firmware
4.3.0 and newer.

** Add cached parameter for touch-policy
With cached, the touch is valid for an additional 15s. Available in firmware
4.3.0 and newer.

** Enforce a minimum PIN length of 6 characters.

** Fix a bug with list-readers action where it fell through processing into
write-object.

* Version 1.3.1 (released 2016-04-19)

** Fix a bug where unblock pin would instead change puk, introduced in 1.3.0.

** Clarifications with help texts.

* Version 1.3.0 (released 2016-02-19)

** Fixed extraction of RSA modulus and exponent for pkcs11.

** Implemented C_SetPIN for pkcs11.

** Add generic write and read object actions for the tool.
Supports hex/binary/base64 formats

** Add ykpiv_change_pin(), ykpiv_change_puk() and ykpiv_unblock_pin()

** Print CCC with status action.

** Address bugs with pkcs11 on windows.

** Add --valid-days and --serial to tool for selfsign-certificate action.

** Ask for password for pkcs12 if none is given.

* Version 1.2.2 (released 2015-12-08)

** Fix old buffer overflow in change-pin functionality.

* Version 1.2.1 (released 2015-12-08)

** Fix issue with big certificates and status.

* Version 1.2.0 (released 2015-12-07)

** On OSX use @loader_path instead of @executable_path for ykcs11.

** Add ykpiv_import_private_key to libykpiv.

** Raise buffer sizes to support bigger objects.

** Change behavior of action status, only list populated slots.

** Add retired keys to ykcs11.

** In ykcs11 support login with non null terminated pin.

** Add a new action set-ccc to yubico-piv-tool to set the CCC.

* Version 1.1.2 (released 2015-11-13)

** Properly handle DER encoding in ECDSA signatures.

* Version 1.1.1 (released 2015-11-11)

** Make sure SCardContext is properly acquired and released.

* Version 1.1.0 (released 2015-11-06)

** Add support for new YubiKey 4.

** Add ykcs11.

* Version 1.0.3 (released 2015-10-01)

** Correct wording on unblock-pin action.

** Show pin retries correctly.

** Use a bigger buffer for receiving data.

* Version 1.0.2 (released 2015-09-04)

** Query for different passwords/pins on stdin if they're not supplied.

** If a reader fails continue trying matching readers.

** Authentication failed is supposed to be 0x63cX not 0x630X.

* Version 1.0.1 (released 2015-07-10)

** Project relicensed to 2-clause BSD license

** Minor fixes found with clang scan-build

* Version 1.0.0 (released 2015-06-23)

** Add a test-decipher action.

** Check that e is 0x10001 on importing rsa keys

** Use PCSC transactions when sending and receiving data

* Version 0.1.6 (released 2015-03-23)

** Add a read-certificate action to the tool.

** Add a status action to the tool.

** Fix a library bug so NULL can be passed to ykpiv_verify()

** Add a test-signature action to the tool.

* Version 0.1.5 (released 2015-02-04)

** Revert the check for parity and just set parity before the weak check.

* Version 0.1.4 (released 2015-02-02)

** Prompt for input if input is stdin.

** Mark all bits of the signature as used is certs and requests.

** Correct error for unblock-pin.

** Fix hex decode to decode capital letters and return error.

** Check parity of new management keys.

* Version 0.1.3 (released 2014-12-18)

** Add format DER for importing certificates.

** Make sure diagnostic feedback ends up on stderr.

** Add positive feedback for a couple of actions.

* Version 0.1.2 (released 2014-11-14)

** Fix an issue where shorter component of RSA keys where not packed correctly.

* Version 0.1.1 (released 2014-11-10)

** Correct broken CHUID that made windows work inconsistently.

** Add support for compressed certificates.

** Fix broken unblock-pin action.

** Don't try to accept to short keys for mgm key.

** Only do applet authentication if needed.

** Add --hash for selecting what hash to use for signatures.

** Add hidden --sign command. Should probably not be used.

** Fix for signature algorithm in selfsigned cert.

* Version 0.1.0 (released 2014-08-25)

** Break out functionality into a library.

** More testing.

* Version 0.0.3 (released 2014-05-26)

** Add delete-certificate action.

** Fix minor bugs.

* Version 0.0.2 (released 2014-02-19)

** Fix an offset bug with CHUID.

** Do full mutual auth with the applet.

* Version 0.0.1 (released 2014-02-11)

** Initial release.
