-
Notifications
You must be signed in to change notification settings - Fork 126
/
NEWS
333 lines (288 loc) · 18 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
* Version 5.5.1 (released 2024-07-01)
* Bugfix: CLI - Don't use formatting that doesn't work on older Python versions.
Note: As the 5.5.0 installers bundle Python 3.12, this will be a source-only release.
* Version 5.5.0 (released 2024-06-26)
* Add Secure Channel support to smartcard sessions.
* Support extended APDUs in the "apdu" command (this is now the default).
* HSMAuth: Treat management key as a PIN/password instead of a key, adding new CLI
commands.
* PIV: Deprecate explicit passing of management key type when authenticating.
* CLI: Add "config nfc --restrict" command to set "NFC restricted mode".
* CLI: Display more information about PIN complexity and FIPS status for compatible
YubiKeys.
* CLI: Improved error messages for illegal values of PIV PIN and PUK.
* CLI: Drop error messages for old 3.x commands.
* CLI: Removal of --upload for YubiCloud credentials. Export to CSV and upload via web
instead.
* CLI: Add more detailed information to the CLI output for several commands.
* Version 5.4.0 (released 2024-03-27)
* Support for YubiKey Bio Multi-protocol Edition.
* CLI: Improve error messages for several failures.
* Attempt to send SIGHUP to yubikey-agent if it is blocking the connection.
* Bugfix: Allow "fido config" to work when no PIN is set on the YubiKey.
* Bugfix: MacOS - Fix race condition resulting in unneeded delay in fido commands over
USB.
* Bugfix: Linux - Fix error when listing OTP devices when no YubiKeys are attached.
* Bugfix: OpenPGP - Fix RSA key generation on YubiKey NEO.
* Version 5.3.0 (released 2024-01-31)
** FIDO: Add new CLI commands for PIN management and authenticator config
(force-change, set-min-length, toggle-always-uv, enable-ep-attestation).
** PIV: Improve handling of legacy "PUK blocked" flag.
** PIV: Improve handling of malformed certificates.
** PIV: Display key information in "piv info" output on supported devices.
** OTP: Fix some commands incorrectly showing errors when used over NFC/CCID.
** Add tab-completion for YubiKey serial numbers and NFC readers.
* Version 5.2.1 (released 2023-10-10)
** Add support for Python 3.12.
** OATH: detect and remove corrupted credentials.
** Bugfix: HSMAUTH: Fix order of CLI arguments.
* Version 5.2.0 (released 2023-08-21)
** PIV: Support for compressed certificates.
** OpenPGP: Use InvalidPinError for wrong PIN.
** Add YubiHSM Auth application support.
** Improved API documentation.
** Scripting: Add name attribute to device.
** Bugfix: PIV: don't throw InvalidPasswordError on malformed PEM private key.
* Version 5.1.1 (released 2023-04-27)
** Bugfix: PIV: string representation of SLOT caused infinite loop on Python <3.11.
** Bugfix: Fix errors in 'ykman config nfc' on YubiKeys without NFC capability.
** Bugfix: Fix error message shown when invalid modhex input length given for YubiOTP.
* Version 5.1.0 (released 2023-04-17)
** Add OpenPGP functionality to supported API.
** Add PIV key info command to CLI.
** PIV: Support signing prehashed data via API.
** Bugfix: Fix signing PIV certificates/CSRs with key that always requires PIN.
** Bugfix: Fix incorrect display name detection for certain keys over NFC.
* Version 5.0.1 (released 2023-01-17)
** Bugfix: Fix the interactive confirmation prompt for some CLI commands.
** Bugfix: OpenPGP Signature PIN policy values were swapped.
** Bugfix: FIDO: Handle discoverable credentials that are missing name or displayName.
** Add support for Python 3.11.
** Remove extra whitespace characters from CLI into command output.
* Version 5.0.0 (released 2022-10-19)
** Various cleanups and improvements to the API.
** Improvements to the handling of YubiKeys and connections.
** Command aliases for ykman 3.x (introduced in ykman 4.0) have now been dropped.
** Installers for ykman are now provided for Windows (amd64) and MacOS (universal2).
** Logging has been improved, and a new TRAFFIC level has been introduced.
** The codebase has been improved for scripting usage, either directly as a Python
module, or via the new "ykman script" command.
See doc/Scripting.adoc, doc/Library_Usage.adoc, and examples/ for more details.
** PIV: Add support for dotted-string OIDs when parsing RFC4514 strings.
** PIV: Drop support for signing certificates and CSRs with SHA-1.
** FIDO: Credential management commands have been improved to deal with ambiguity
in certain cases.
** OATH: Access Keys ("remembered" passwords) are now stored in the system keyring.
** OpenPGP: Commands have been added to manage PINs.
* Version 4.0.9 (released 2022-06-17)
** Dependency: Add support for python-fido2 1.x
** Fix: Drop stated support for Click 6 as features from 7 are being used.
* Version 4.0.8 (released 2022-01-31)
** Bugfix: Fix error message for invalid modhex when programing a YubiOTP credential.
** Bugfix: Fix issue with displaying a Steam credential when it is the only account.
** Bugfix: Prevent installation of files in site-packages root.
** Bugfix: Fix cleanup logic in PIV for protected management key.
** Add support for token identifier when programming slot-based HOTP.
** Add support for programming NDEF in text mode.
** Dependency: Add support for Cryptography <= 38.
* Version 4.0.7 (released 2021-09-08)
** Bugfix release: Fix broken naming for "YubiKey 4", and a small OATH issue with
touch Steam credentials.
* Version 4.0.6 (released 2021-09-08)
** Improve handling of YubiKey device reboots.
** More consistently mask PIN/password input in prompts.
** Support switching mode over CCID for YubiKey Edge.
** Run pkill from PATH instead of fixed location.
* Version 4.0.5 (released 2021-07-16)
** Bugfix: Fix PIV feature detection for some YubiKey NEO versions.
** Bugfix: Fix argument short form for --period when adding TOTP credentials.
** Bugfix: More strict validation for some arguments, resulting in better error messages.
** Bugfix: Correctly handle TOTP credentials using period != 30 AND touch_required.
** Bugfix: Fix prompting for access code in the otp settings command (now uses "-A -").
* Version 4.0.3 (released 2021-05-17)
** Add support for fido reset over NFC.
** Bugfix: The --touch argument to piv change-management-key was ignored.
** Bugfix: Don't prompt for password when importing PIV key/cert if file is invalid.
** Bugfix: Fix setting touch-eject/auto-eject for YubiKey 4 and NEO.
** Bugfix: Detect PKCS#12 format when outer sequence uses indefinite length.
** Dependency: Add support for Click 8.
* Version 4.0.2 (released 2021-04-12)
** Update device names.
** Add read_info output to the --diagnose command, and show exception types.
** Bugfix: Fix read_info for YubiKey Plus.
* Version 4.0.1 (released 2021-03-29)
** Add support for YK5-based FIPS YubiKeys.
** Bugfix: Fix OTP device enumeration on Win32.
* Version 4.0.0 (released 2021-03-02)
** Drop support for Python < 3.6.
** Drop reliance on libusb and libykpersonalize.
** Support the "fido" and "otp" subcommands over NFC (using the --reader flag)
** New "ykman --diagnose" command to aid in troubleshooting.
** New "ykman apdu" command for sending raw APDUs over the smart card interface.
** Restructuring of subcommands, with aliases for old versions (to be removed
in a future release).
** Major changes to the underlying "library" code:
*** New "yubikit" package added for custom development and advanced scripting.
*** Type hints added for a large part of the "public" API.
** OpenPGP: Add support for KDF enabled YubiKeys.
** Static password: Add support for FR, IT, UK and BEPO keyboard layouts.
* Version 3.1.2 (released 2021-01-21)
** Bugfix release: Fix dependency on python-fido2 version.
* Version 3.1.1 (released 2020-01-29)
** Add support for YubiKey 5C NFC
** OpenPGP: set-touch now performs compatibility checks before prompting for PIN
** OpenPGP: Improve error messages and documentation for set-touch
** PIV: read-object command no longer adds a trailing newline
** CLI: Hint at missing permissions when opening a device fails
** Linux: Improve error handling when pcscd is not running
** Windows: Improve how .DLL files are loaded, thanks to Marius Gabriel Mihai for reporting this!
** Bugfix: set-touch now accepts the cached-fixed option
** Bugfix: Fix crash in OtpController.prepare_upload_key() error parsing
** Bugfix: Fix crash in piv info command when a certificate slot contains an invalid certificate
** Library: PivController.read_certificate(slot) now wraps certificate parsing exceptions in new exception type `InvalidCertificate`
** Library: PivController.list_certificates() now returns `None` for slots containing invalid certificate, instead of raising an exception
* Version 3.1.0 (released 2019-08-20)
** Add support for YubiKey 5Ci
** OpenPGP: the info command now prints OpenPGP specification version as well
** OpenPGP: Update support for attestation to match OpenPGP v3.4
** PIV: Use UTC time for self-signed certificates
** OTP: Static password now supports the Norman keyboard layout
* Version 3.0.0 (released 2019-06-24)
** Add support for new YubiKey Preview and lightning form factor
** FIDO: Support for credential management
** OpenPGP: Support for OpenPGP attestation, cardholder certificates and cached touch policies
** OTP: Add flag for using numeric keypad when sending digits
* Version 2.1.1 (released 2019-05-28)
** OTP: Add initial support for uploading Yubico OTP credentials to YubiCloud
** Don't automatically select the U2F applet on YubiKey NEO, it might be blocked by the OS
** ChalResp: Always pad challenge correctly
** Bugfix: Don't crash with older versions of cryptography
** Bugfix: Password was always prompted in OATH command, even if sent as argument
* Version 2.1.0 (released 2019-03-11)
** Add --reader flag to ykman list, to list available smart card readers
** FIPS: Checking if a YubiKey FIPS is in FIPS mode is now opt-in, with the --check-fips flag
** PIV: Add commands for writing and reading arbitrary PIV objects
** PIV: Verify that the PIN must be between 6 - 8 characters long
** PIV: In import-certificate, make the verification that the certificate and private key matches opt-in, with the --verify flag
** PIV: The piv info command now shows the serial number of the certificates
** PIV: The piv info command now shows the full Distinguished Name (DN) of the certificate subject and issuer, if possible
** PIV: Malformed certificates are now handled better
** OpenPGP: The openpgp touch command now shows current touch policies
** The ykman usb/nfc config command now accepts openpgp as well as opgp as an argument
** Bugfix: Fix support for german (DE) keyboard layout for static passwords
* Version 2.0.0 (released 2019-01-09)
** Add support for Security Key NFC
** Add experimental support for external smart card reader. See --reader flag
** Add a minimal manpage
** Add examples in help texts
** PIV: update CHUID when importing a certificate
** PIV: Optionally validate that private key and certificate match when importing a certificate (on by default in CLI)
** PIV: Improve support for importing certificate chains and .PEM files with comments
** Breaking API changes:
*** Merge CCID status word constants into a single SW enum in ykman.driver_ccid
*** Throw custom exception types instead of raw APDUErrors from many methods of PivController
*** Write CLI prompts to standard error instead of standard output
*** Replace function `ykman.util.parse_certificate` with `parse_certificates` which returns a list
* Version 1.0.1 (released 2018-10-10)
** Support for YubiKey 5A
** OATH: Ignore extra parameters in URI parsing
** Bugfix: Never say that NFC is supported for YubiKeys without NFC
* Version 1.0.0 (released 2018-09-24)
** Add support for YubiKey 5 Series
** Config: Add flag to generate a random configuration lock
** OATH: Give a proper error message when a touch credential times out
** NDEF: Allow setting the NDEF prefix from the CLI
** FIDO: Block reset when multiple YubiKeys are connected
* Version 0.7.1 (released 2018-07-09)
** Support for YubiKey FIPS.
** OTP: Allow setting and removing access codes on the slots.
** Interfaces: set-lock-code now only accepts hexadecimal inputs.
** Bugfix: Don't fail to open the YubiKey when the serial is not visible.
* Version 0.7.0 (released 2018-05-07)
** Support for YubiKey Preview.
** Add command to configure enabled applications over USB and NFC. See ykman config -h.
** Add command for selecting which slot to use for NDEF. See ykman otp ndef -h.
* Version 0.6.1 (released 2018-04-16)
** Support for YubiKeys with FIDO2. See ykman fido -h
** Report the form factor for YubiKeys that support it.
** OTP: slot command is now called otp. See ykman otp -h for all changes.
** Static password: Add support for different keyboard layouts. See ykman otp static -h
** PIV: Signatures for CSRs are now correct.
** PIV: Commands on slots with PIN policy ALWAYS no longer fail if the YubiKey has a management key protected by PIN.
** Mode: The U2F mode is now called FIDO.
** Dependencies: libu2f-host is no longer used for FIDO communication over USB, instead the python library fido2 is used.
* Version 0.6.0 (released 2018-02-09)
** OpenPGP: Expose remaining PIN retries in info command and API.
** CCID: Only try YubiKey smart card readers by default.
** Handle NEO issues with challenge-response credentials better.
** Improve logging.
** Improve error handling when opening device over OTP.
** Bugfix: Fix adding OTP data through the interactive prompt.
* Version 0.5.0 (released 2017-12-15)
** API breaking changes:
*** OATH: New API more similar to yubioath-android
** CLI breaking changes:
*** OATH: Touch prompt now written to stderr instead of stdout
*** OATH: `-a|--algorithm` option to `list` command removed
*** OATH: Columns in `code` command are now dynamically spaced depending on contents
*** OATH: `delete` command now requires confirmation or `-f|--force` argument
*** OATH: IDs printed by `list` command now include TOTP period if not 30
*** Changed outputs:
**** INFO: "Device name" output changed to "Device type"
**** PIV: "Management key is stored on device" output changed to "Management key is stored on the YubiKey"
**** PIV: "All PIV data have been cleared from the device" output changed to "All PIV data have been cleared from your YubiKey"
**** PIV: "The current management key is stored on the device" prompt changed to "The current management key is stored on the YubiKey"
**** SLOT: "blank to use device serial" prompt changed to "blank to use YubiKey serial number"
**** SLOT: "Using device serial" output changed to "Using YubiKey device serial"
**** Lots of failure case outputs changed
** New features:
*** Support for multiple devices via new top-level option `-d|--device`
*** New top-level option `-l|--log-level` to enable logging
*** OATH: Support for remembering passwords locally.
*** OATH: New option `-s|--single` for `code` command
*** PIV: `set-pin-retries` command now warns that PIN and PUK will be reset to factory defaults, and prints those defaults after resetting
** API bug fixes:
*** OATH: `valid_from` and `valid_to` for `Code` are now absolute instead of relative to the credential period
*** OATH: `period` for non-TOTP `Code` is now `None`
* Version 0.4.6 (released 2017-10-17)
** Will now attempt to open device 3 times before failing
** OpenPGP: Don't say data is removed when not
** OpenPGP: Don't swallow APDU errors
** PIV: Block on-chip RSA key generation for firmware versions 4.2.0 to 4.3.4 (inclusive) since these chips are vulnerable to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361[CVE-2017-15631].
* Version 0.4.5 (released 2017-09-14)
** OATH: Don't print issuer if there is no issuer.
* Version 0.4.4 (released 2017-09-06)
** OATH: Fix yet another issue with backwards compatibility, for adding new credentials.
* Version 0.4.3 (released 2017-09-06)
** OATH: Fix issue with backwards compatibility, when used as a library.
* Version 0.4.2 (released 2017-09-05)
** OATH: Support 7 digit credentials.
** OATH: Support credentials with a period other than 30 seconds.
** OATH: The remove command is now called delete.
* Version 0.4.1 (released 2017-08-10)
** PIV: Dropped support for deriving a management key from PIN.
** PIV: Added support for generating a random management key and storing it on the device protected by the PIN.
** OpenPGP: The reset command now handles a device in terminated state.
** OATH: Credential filtering is now working properly on Python 2.
* Version 0.4.0 (released 2017-06-19)
** Added PIV support. The tool and library now supports most of the PIV functionality found on the YubiKey 4 and NEO. To list the available commands, run ykman piv -h.
** Mode command now supports adding and removing modes incrementally.
* Version 0.3.3 (released 2017-05-08)
** Bugfix: Fix issue with OATH credentials from Steam on YubiKey 4.
* Version 0.3.2 (released 2017-04-24)
** Allow access code input through an interactive prompt.
** Bugfix: Some versions of YubiKey NEO occasionally failed calculating challenge-response credentials with touch.
* Version 0.3.1 (released 2017-03-13)
** Allow programming of TOTP credentials in YubiKey Slots using the chalresp command.
** Add a calculate command (and library support) to perform a challenge-response operation. Can also be used to generate TOTP codes for credentials stored in a slot.
** OATH: Remove whitespace in secret keys provided by the user.
** OATH: Prompt the user to touch the YubiKey for HOTP touch credentials.
** Bugfix: The flag for showing hidden credentials was not working correctly for the oath code command.
* Version 0.3.0 (released 2017-01-23)
** OATH functionality added. The tool now exposes the OATH functionality found on the YubiKey 4 and NEO. To list the available commands, run ykman oath -h.
** Added support for randomly generated static passwords.
* Version 0.2.0 (released 2016-11-23)
** Removed all GUI code. This project is now only for the python library and CLI tool. The GUI will be re-released separately in a different project.
** Added command to update settings for YubiKey Slots.
* Version 0.1.0 (released 2016-07-07)
** Initial release for beta testing.