| Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
| Name: libykcs11-2 | Distribution: SUSE Linux Enterprise 16 |
| Version: 2.6.1 | Vendor: openSUSE |
| Release: bp160.1.12 | Build date: Thu Sep 12 16:56:39 2024 |
| Group: System/Libraries | Build host: reproducible |
| Size: 174138 | Source RPM: yubico-piv-tool-2.6.1-bp160.1.12.src.rpm |
| Packager: https://bugs.opensuse.org | |
| Url: https://developers.yubico.com/ | |
| Summary: Yubikey NEO PKCS#11 applet library | |
This is a PKCS#11 module that allows to communicate with the PIV application running on a YubiKey
BSD-2-Clause
* Thu Sep 12 2024 Wolfgang Frisch <wolfgang.frisch@suse.com>
- update to 2.6.1:
* cmd: Fix performing bio verification
* ykcs11: Fix handling ED25519 and X25519 keys
* Mon Aug 26 2024 Wolfgang Frisch <wolfgang.frisch@suse.com>
- update to 2.6.0:
* cmd: Add support for biometric verification and match policy
* ykcs11: Add support for PKCS11 3.0
* ykpiv: cmd: ykcs11: Improve error traceability
* ykpiv: cmd: ykcs11: Fix minor bugs
* build: Make building with zlib optional
* Tue May 07 2024 Wolfgang Frisch <wolfgang.frisch@suse.com>
- update to 2.5.2:
* cmd: Fix signing selfsigned certificate for ED25519 key.
- update cmake-flags-upstream-issue-474.patch
* Wed Feb 14 2024 Wolfgang Frisch <wolfgang.frisch@suse.com>
- update to 2.5.1:
* ykpiv: cmd: ykcs11: Fix buffer size for key import.
- add cmake-flags-upstream-issue-474.patch:
proper fix for the cmake flags issue
- remove temporary-cmake-flags-fix.patch
* Wed Feb 07 2024 Wolfgang Frisch <wolfgang.frisch@suse.com>
- update to 2.5.0:
* ykpiv: cmd: ykcs11: Add support for RSA3072 and RSA4096 key types.
Available in firmware 5.7.0 and newer
* ykpiv: cmd: Add support for ED25519 and X25519 key types.
Available in firmware 5.7.0 and newer
* ykpiv: cmd: Add support for deleting keys.
Available in firmware 5.7.0 and newer
* ykpiv: cmd: Add support for moving keys between slots.
Available in firmware 5.7.0 and newer
- add temporary-cmake-flags-fix.patch
The included cmake modules are buggy. This patch should be removed once the
root cause is fixed in upstream.
* Sun Dec 17 2023 Dirk Müller <dmueller@suse.com>
- update to 2.4.2:
* ykpiv: Fix potential type casting bug.
* ykpiv: ykcs11: Fix building on certain architectures.
* ykpiv: cmd: Add support for compressing certificate upon
import
* ykcs11: Increase maximum number of slots to handle
overflow
* ykcs11: Add support for CKA_COPYABLE and CKA_DESTROYABLE
attributes
* Fri Mar 03 2023 Dirk Müller <dmueller@suse.com>
- update to 2.3.1:
* ykpiv: Add support for T=0 smartcards
* ykpiv: ykcs11: Minor code optimization
* ykpiv: ykcs11: Improve logging
* ykpiv: ykcs11: Improve error handling
* ykpiv: ykcs11: Fix minor bugs
* ykcs11: Add support for several PKCS11 Attributes
* ykcs11: Add support for CKM_ECDSA_SHA512 mechanism
* ykcs11: Fix incorrect value for public key attributes
CKA_PRIVATE, CKA_SENSITIVE, CKA_ALWAYS_SENSITIVE,
CKA_EXTRACTABLE and CKA_NEVER_EXTRACTABLE
* doc: Minor documentation improvement
* Sat Dec 03 2022 Dirk Müller <dmueller@suse.com>
- update to 2.3.0:
* ykpiv: Add support for AES management keys
* ykpiv: Better handling of connection reset
* ykpiv: Add support for T=0 protocol
* ykcs11: Support YubiKeys in NFC readers
* ykcs11: Support touch and PIN policies for imported private keys
* ykcs11: Support touch and PIN policy when generating keys
* ykcs11: Set length to -1 on function fail
* ykcs11: Ignore CKA_NAME_HASH_ALGORITHM and CKA_HASH_OF_SUBJECT_PUBLIC_KEY for certificates
* cmd: Support attestation in selfsign certificates
* build: Compile cleanly with openssl 1.1 and 3
- add keyring
* Mon Jan 31 2022 Dirk Müller <dmueller@suse.com>
- update to 2.2.1:
* ykpiv: Minor bug fixes
* ykcs11: Improved handling of object attributes
* ykcs11: Update flags for EC related mechanisms
* ykcs11: Minor bug fixes
* test: Improved testing
* doc: Improved documentation
* Sun Feb 28 2021 Dirk Müller <dmueller@suse.com>
- update to 2.2.0:
* ykpiv: Increased SO version
* ykpiv: Fixed minor memory leaks
* ykpiv: Improved error handling
* ykpiv: Improved handling of PCSC card validation
* ykcs11: Updated Cryptoki version
* ykcs11: Support for CKM_ECDH1_DERIVE mechanism info
* ykcs11: Support for destroying ECDH derived keys
* ykcs11: Improved handling of PIN after device re-connection
* ykcs11: Improved debug logging
* cmd: Improved parsing of certificate Distinguished Name to allow an escape character
* cmd: Warning to discourage generating RSA1024 keys
* build: Use of platform standard installation path when building yubico-piv-tool
* tests: Improved testing
* Replaced building with autotool with building with cmake
* Security update for YSA-2020-02
* ykpiv: Fixed potential memory leaks
* ykpiv: Use PIN-protected MGMT key if the device is configured that way
* ykpiv: Added attestation to CSR if requested
* ykpiv: Fixed compatibility with LibreSSL
* ykcs11: Improved handling of error codes
* ykcs11: Improved handling of examples in the PKCS11 specifications
* ykcs11: Added the possibility to have debug output as a runtime setting
* ykcs11: Added support to unblock PIN with PUK
* ykcs11: Make C_SetPIN backwards compatible while also allowing unblock PIN
* tests: Improved tests
- run tests
- add pthread-link.patch
* Sun Mar 01 2020 Marcus Rueckert <mrueckert@suse.de>
- Version 2.0.0
- ykpiv: Added ykpiv_get_metadata and ykpiv_util_parse_metadata
to read and parse private key metadata (supported from YK 5.3).
- ykpiv: Fixed PCSC transaction handling when re-selecting PIV
due to external card reset events.
- ykpiv: Improved error reporting.
- ykpiv: Correctly report YK5 devices, and NEO and YK5 over NFC.
- ykpiv: MGM KEY (SO PIN) is cached (in addition to PIN).
- ykpiv: Fixed resetting of cached serial / version when an
application re-uses ykpiv_state.
- ykpiv: ykpiv_get_pin_retries selects a different applet before
re-selecting PIV since just re-selecting PIV is a no-op on YK5.
- ykcs11: Shared library exports all PKCS11 functions per the
spec (For applications that don’t use C_GetFunctionList).
- ykcs11: Support for up to 16 simultaneous sessions, with
support for multi-threaded access (if requested when calling
C_Initialize).
- ykcs11: Support for resetting the PIV application via
C_initToken. Requires knowledge of the MGMT KEY (SO PIN) per
the PKCS11 spec.
- ykcs11: Support for public-key operations not supported by PIV
(C_Verify, C_Encrypt), implemented using OpenSSL.
- ykcs11: Support for attestations, exposed as session objects of
certificate class. Generated when opening the first session to
a slot.
- ykcs11: Support for forked processes on Linux and MacOS.
- ykcs11: Support for RSA signatures using PKCS or PSS padding
with optional digesting by the library. Raw signatures are also
supported.
- ykcs11: Support for ECDSA signatures with optional digesting by
the library. Raw signatures are also supported.
- ykcs11: Support for RSA encryption / decryption with PKCS or
OAEP padding.
- ykcs11: Makes use of key metadata when available (YK 5.3 and
above), providing access to keys even if certificates are not
present.
- ykcs11: Supports SHA1, SHA256, SHA384 and SHA512 digesting,
plus SHA224 digesting for ECDSA signatures and for the MGF1
digest in PSS / OAEP, implemented using OpenSSL.
- ykcs11: Supports C_Login with context-specific user type. This
allows use cases that require both SO PIN and normal PIN in the
same session.
* Mon Jun 03 2019 Karol Babioch <kbabioch@suse.de>
- Version 1.7.0 (released 2019-04-03)
* Add ykpiv_get_serial() to API.
* Add version and serial to status output.
* FASC-N fixes for CHUID.
* ykcs11: Fix ECDSA signatures.
* Make selfsigned X.509 extensions have correct extensions to match openssl.
* Security fixes.
* Documentation fixes.
* Try to clear memory that might contain secrets.
* Fri Sep 28 2018 Jan Engelhardt <jengelh@inai.de>
- Rename %soname to %sover to better reflect its use.
- Fix RPM groups.
* Thu Sep 27 2018 Karol Babioch <kbabioch@suse.com>
- Version 1.6.2 (released 2018-09-14)
- Compare reader names case insensitive
- Fix certificate and certificate request signatures with OpenSSL 1.1
* Tue Aug 28 2018 kbabioch@suse.com
- Version 1.6.1 (released 2018-08-17)
- Compilation warning fixes for OpenSSL 1.1 builds
- Fix length when encoding exactly 0xff bytes
- Check length of objects correctly before storing in buffer
- Check length of certificate correctly when storing
- Version 1.6.0 (released 2018-08-08)
- Security release to mitigate YSA-2018-03 (YSA-2018-03, CVE-2018-14779,
CVE-2018-14780, bsc#1104809, bsc#1104811)
- Allow building against LibreSSL
- Bugfixes in OpenSSL 1.1 code
- Fix compilation warnings
- Fix ykcs11 key generation to work with OpenSSL 1.1
- Ykcs11 compatibility fixes
- Make use of %license macro instead of %doc for COPYING
- Applied spec-cleaner
* Thu Nov 30 2017 t.gruner@katodev.de
- Version 1.5.0 (released 2017-11-29)
- API additions: Higher-level "util" API added to libykpiv.
- Added ykpiv_attest(), ykpiv_get_pin_retries(), ykpiv_set_pin_retries()
- Added functions for using existing PCSC card handle.
- Support using custom memory allocator.
- Documentation updates. make doxygen for HTML format.
- Expanded automated tests for hardware devices, moved to make hwcheck.
- OpenSSL 1.1 support
- Moderate internal refactoring. Many small bugs fixed.
* Wed Nov 15 2017 t.gruner@katodev.de
- Version 1.4.4 (released 2017-10-17)
- Documentation updates.
- Add pin caching to work around disconnect problems.
- Disable RSA key generation on YubiKey 4 before 4.3.5. See https://yubi.co/ysa201701/ for details.
* Mon May 29 2017 t.gruner@katodev.de
- Version 1.4.3 (released 2017-04-18)
- Encode RSA x509 certificates correctly.
- Documentation updates.
- In ykcs11 return CKA_MODULUS correctly for private keys.
- In ykcs11 fix for signature size approximation.
- Fix PSS signatures in ykcs11.
- Add a CLI flag --stdin-input to make batch execution easier.
* Wed Aug 17 2016 t.gruner@katodev.de
- Version 1.4.2 (released 2016-08-12)
- Clarify license headers and clean up YKCS11 licensing. Now uses pkcs11.h from the Scute project.
- Don’t install ykcs11-version.h.
- No cflags in ykcs11.pc.
- Unimplemented YKCS11 functions now return CKR_FUNCTION_FAILED.
- Version 1.4.1 (released 2016-08-11)
- Documentation updates
- Add possibility to export certificates in SSH format.
- Make certificate serial number random by default.
* Tue May 17 2016 t.gruner@katodev.de
- Version 1.4.0 (released 2016-05-03)
- Add attest action When used on a slot with a generated key,
outputs a signed x509 certificate for that slot showing that
the key was generated in hardware. Available in firmware 4.3.0 and newer.
- Add cached parameter for touch-policy With cached, the touch is valid
for an additional 15s. Available in firmware 4.3.0 and newer.
- Enforce a minimum PIN length of 6 characters.
- Fix a bug with list-readers action where it fell through processing into write-object.
* Mon Apr 25 2016 t.gruner@katodev.de
- Version 1.3.1 (released 2016-04-19)
- Fix a bug where unblock pin would instead change puk, introduced in 1.3.0.
- Clarifications with help texts.
- Version 1.3.0 (released 2016-02-19)
- Fixed extraction of RSA modulus and exponent for pkcs11.
- Implemented C_SetPIN for pkcs11.
- Add generic write and read object actions for the tool. Supports hex/binary/base64 formats
- Add ykpiv_change_pin(), ykpiv_change_puk() and ykpiv_unblock_pin()
- Print CCC with status action.
- Address bugs with pkcs11 on windows.
- Add --valid-days and --serial to tool for selfsign-certificate action.
- Ask for password for pkcs12 if none is given.
* Fri Dec 11 2015 t.gruner@katodev.de
- Version 1.2.2 (released 2015-12-08)
- Fix old buffer overflow in change-pin functionality.
- Version 1.2.1 (released 2015-12-08)
- Fix issue with big certificates and status.
- Version 1.2.0 (released 2015-12-07)
- On OSX use @loader_path instead of @executable_path for ykcs11.
- Add ykpiv_import_private_key to libykpiv.
- Raise buffer sizes to support bigger objects.
- Change behavior of action status, only list populated slots.
- Add retired keys to ykcs11.
- In ykcs11 support login with non null terminated pin.
- Add a new action set-ccc to yubico-piv-tool to set the CCC.
* Wed Nov 18 2015 t.gruner@katodev.de
- Version 1.1.2 (released 2015-11-13)
- Properly handle DER encoding in ECDSA signatures.
* Thu Nov 12 2015 t.gruner@katodev.de
- Version 1.1.1 (released 2015-11-11)
- Make sure SCardContext is properly acquired and released.
* Fri Nov 06 2015 t.gruner@katodev.de
- Version 1.1.0 (released 2015-11-06)
- Add support for new YubiKey 4.
- Add ykcs11.
* Tue Oct 13 2015 t.gruner@katodev.de
- Add dependencive in .spec file
* Thu Oct 01 2015 t.gruner@katodev.de
- Version 1.0.3 (released 2015-10-01)
- Correct wording on unblock-pin action.
- Show pin retries correctly.
- Use a bigger buffer for receiving data.
* Tue Sep 15 2015 t.gruner@katodev.de
- Version 1.0.2 (released 2015-09-04)
- Query for different passwords/pins on stdin if they’re not supplied.
- If a reader fails continue trying matching readers.
- Authentication failed is supposed to be 0x63cX not 0x630X.
* Sat Jul 11 2015 t.gruner@katodev.de
- Version 1.0.1 (released 2015-07-10)
- Project relicensed to 2-clause BSD license
- Minor fixes found with clang scan-build
* Wed Jul 08 2015 t.gruner@katodev.de
- Version 1.0.0 (released 2015-06-23)
- Add a test-decipher action.
- Check that e is 0x10001 on importing rsa keys
- Use PCSC transactions when sending and receiving data
* Mon Apr 27 2015 cdenicolo@suse.com
- license update: GPL-3.0+
COPYING files says package is under GPL-3.0+.
* Thu Mar 26 2015 t.gruner@katodev.de
- Version 0.1.6 (released 2015-03-23)
Add a read-certificate action to the tool.
Add a status action to the tool.
Fix a library bug so NULL can be passed to ykpiv_verify()
Add a test-signature action to the tool.
* Mon Feb 09 2015 t.gruner@katodev.de
- Version 0.1.5 (released 2015-02-04)
Revert the check for parity and just set parity before the weak check.
* Tue Feb 03 2015 t.gruner@katodev.de
- Version 0.1.4 (released 2015-02-02)
Prompt for input if input is stdin.
Mark all bits of the signature as used is certs and requests.
Correct error for unblock-pin.
Fix hex decode to decode capital letters and return error.
Check parity of new management keys.
* Fri Jan 23 2015 t.gruner@katodev.de
- Version 0.1.3 (released 2014-12-18)
Add format DER for importing certificates.
Make sure diagnostic feedback ends up on stderr.
Add positive feedback for a couple of actions.
- Version 0.1.2 (released 2014-11-14)
Fix an issue where shorter component of RSA keys where not packed correctly.
- Version 0.1.1 (released 2014-11-10)
Correct broken CHUID that made windows work inconsistently.
Add support for compressed certificates.
Fix broken unblock-pin action.
Don’t try to accept to short keys for mgm key.
Only do applet authentication if needed.
Add --hash for selecting what hash to use for signatures.
Add hidden --sign command. Should probably not be used.
Fix for signature algorithm in selfsigned cert.
- Version 0.1.0 (released 2014-08-25)
Break out functionality into a library.
More testing.
- Version 0.0.3 (released 2014-05-26)
Add delete-certificate action.
Fix minor bugs.
- Version 0.0.2 (released 2014-02-19)
Fix an offset bug with CHUID.
Do full mutual auth with the applet.
- Version 0.0.1 (released 2014-02-11)
Initial release.
/usr/lib64/libykcs11.so.2 /usr/lib64/libykcs11.so.2.6.1
Generated by rpm2html 1.8.1
Fabrice Bellet, Tue Sep 30 22:45:42 2025