NEWS

* Version 5.5.1 (released 2024-07-01)
 * Bugfix: CLI - Don't use formatting that doesn't work on older Python versions.
   Note: As the 5.5.0 installers bundle Python 3.12, this will be a source-only release.

* Version 5.5.0 (released 2024-06-26)
 * Add Secure Channel support to smartcard sessions.
 * Support extended APDUs in the "apdu" command (this is now the default).
 * HSMAuth: Treat management key as a PIN/password instead of a key, adding new CLI
   commands.
 * PIV: Deprecate explicit passing of management key type when authenticating.
 * CLI: Add "config nfc --restrict" command to set "NFC restricted mode".
 * CLI: Display more information about PIN complexity and FIPS status for compatible
   YubiKeys.
 * CLI: Improved error messages for illegal values of PIV PIN and PUK.
 * CLI: Drop error messages for old 3.x commands.
 * CLI: Removal of --upload for YubiCloud credentials. Export to CSV and upload via web
   instead.
 * CLI: Add more detailed information to the CLI output for several commands.

* Version 5.4.0 (released 2024-03-27)
 * Support for YubiKey Bio Multi-protocol Edition.
 * CLI: Improve error messages for several failures.
 * Attempt to send SIGHUP to yubikey-agent if it is blocking the connection.
 * Bugfix: Allow "fido config" to work when no PIN is set on the YubiKey.
 * Bugfix: MacOS - Fix race condition resulting in unneeded delay in fido commands over
   USB.
 * Bugfix: Linux - Fix error when listing OTP devices when no YubiKeys are attached.
 * Bugfix: OpenPGP - Fix RSA key generation on YubiKey NEO.

* Version 5.3.0 (released 2024-01-31)
 ** FIDO: Add new CLI commands for PIN management and authenticator config
    (force-change, set-min-length, toggle-always-uv, enable-ep-attestation).
 ** PIV: Improve handling of legacy "PUK blocked" flag.
 ** PIV: Improve handling of malformed certificates.
 ** PIV: Display key information in "piv info" output on supported devices.
 ** OTP: Fix some commands incorrectly showing errors when used over NFC/CCID.
 ** Add tab-completion for YubiKey serial numbers and NFC readers.

* Version 5.2.1 (released 2023-10-10)
 ** Add support for Python 3.12.
 ** OATH: detect and remove corrupted credentials.
 ** Bugfix: HSMAUTH: Fix order of CLI arguments.

* Version 5.2.0 (released 2023-08-21)
 ** PIV: Support for compressed certificates.
 ** OpenPGP: Use InvalidPinError for wrong PIN.
 ** Add YubiHSM Auth application support.
 ** Improved API documentation.
 ** Scripting: Add name attribute to device.
 ** Bugfix: PIV: don't throw InvalidPasswordError on malformed PEM private key.

* Version 5.1.1 (released 2023-04-27)
 ** Bugfix: PIV: string representation of SLOT caused infinite loop on Python <3.11.
 ** Bugfix: Fix errors in 'ykman config nfc' on YubiKeys without NFC capability.
 ** Bugfix: Fix error message shown when invalid modhex input length given for YubiOTP.

* Version 5.1.0 (released 2023-04-17)
 ** Add OpenPGP functionality to supported API.
 ** Add PIV key info command to CLI.
 ** PIV: Support signing prehashed data via API.
 ** Bugfix: Fix signing PIV certificates/CSRs with key that always requires PIN.
 ** Bugfix: Fix incorrect display name detection for certain keys over NFC.

* Version 5.0.1 (released 2023-01-17)
 ** Bugfix: Fix the interactive confirmation prompt for some CLI commands.
 ** Bugfix: OpenPGP Signature PIN policy values were swapped.
 ** Bugfix: FIDO: Handle discoverable credentials that are missing name or displayName.
 ** Add support for Python 3.11.
 ** Remove extra whitespace characters from CLI into command output.

* Version 5.0.0 (released 2022-10-19)
 ** Various cleanups and improvements to the API.
 ** Improvements to the handling of YubiKeys and connections.
 ** Command aliases for ykman 3.x (introduced in ykman 4.0) have now been dropped.
 ** Installers for ykman are now provided for Windows (amd64) and MacOS (universal2).
 ** Logging has been improved, and a new TRAFFIC level has been introduced.
 ** The codebase has been improved for scripting usage, either directly as a Python
    module, or via the new "ykman script" command.
    See doc/Scripting.adoc, doc/Library_Usage.adoc, and examples/ for more details.
 ** PIV: Add support for dotted-string OIDs when parsing RFC4514 strings.
 ** PIV: Drop support for signing certificates and CSRs with SHA-1.
 ** FIDO: Credential management commands have been improved to deal with ambiguity
    in certain cases.
 ** OATH: Access Keys ("remembered" passwords) are now stored in the system keyring.
 ** OpenPGP: Commands have been added to manage PINs.

* Version 4.0.9 (released 2022-06-17)
 ** Dependency: Add support for python-fido2 1.x
  ** Fix: Drop stated support for Click 6 as features from 7 are being used.

* Version 4.0.8 (released 2022-01-31)
 ** Bugfix: Fix error message for invalid modhex when programing a YubiOTP credential.
 ** Bugfix: Fix issue with displaying a Steam credential when it is the only account.
 ** Bugfix: Prevent installation of files in site-packages root.
 ** Bugfix: Fix cleanup logic in PIV for protected management key.
 ** Add support for token identifier when programming slot-based HOTP.
 ** Add support for programming NDEF in text mode.
 ** Dependency: Add support for Cryptography <= 38.

* Version 4.0.7 (released 2021-09-08)
 ** Bugfix release: Fix broken naming for "YubiKey 4", and a small OATH issue with
    touch Steam credentials.

* Version 4.0.6 (released 2021-09-08)
 ** Improve handling of YubiKey device reboots.
 ** More consistently mask PIN/password input in prompts.
 ** Support switching mode over CCID for YubiKey Edge.
 ** Run pkill from PATH instead of fixed location.

* Version 4.0.5 (released 2021-07-16)
 ** Bugfix: Fix PIV feature detection for some YubiKey NEO versions.
 ** Bugfix: Fix argument short form for --period when adding TOTP credentials.
 ** Bugfix: More strict validation for some arguments, resulting in better error messages.
 ** Bugfix: Correctly handle TOTP credentials using period != 30 AND touch_required.
 ** Bugfix: Fix prompting for access code in the otp settings command (now uses "-A -").

* Version 4.0.3 (released 2021-05-17)
 ** Add support for fido reset over NFC.
 ** Bugfix: The --touch argument to piv change-management-key was ignored.
 ** Bugfix: Don't prompt for password when importing PIV key/cert if file is invalid.
 ** Bugfix: Fix setting touch-eject/auto-eject for YubiKey 4 and NEO.
 ** Bugfix: Detect PKCS#12 format when outer sequence uses indefinite length.
 ** Dependency: Add support for Click 8.

* Version 4.0.2 (released 2021-04-12)
 ** Update device names.
 ** Add read_info output to the --diagnose command, and show exception types.
 ** Bugfix: Fix read_info for YubiKey Plus.

* Version 4.0.1 (released 2021-03-29)
 ** Add support for YK5-based FIPS YubiKeys.
 ** Bugfix: Fix OTP device enumeration on Win32.

* Version 4.0.0 (released 2021-03-02)
 ** Drop support for Python < 3.6.
 ** Drop reliance on libusb and libykpersonalize.
 ** Support the "fido" and "otp" subcommands over NFC (using the --reader flag)
 ** New "ykman --diagnose" command to aid in troubleshooting.
 ** New "ykman apdu" command for sending raw APDUs over the smart card interface.
 ** Restructuring of subcommands, with aliases for old versions (to be removed
    in a future release).
 ** Major changes to the underlying "library" code:
  *** New "yubikit" package added for custom development and advanced scripting.
  *** Type hints added for a large part of the "public" API.
 ** OpenPGP: Add support for KDF enabled YubiKeys.
 ** Static password: Add support for FR, IT, UK and BEPO keyboard layouts.

* Version 3.1.2 (released 2021-01-21)
 ** Bugfix release: Fix dependency on python-fido2 version.

* Version 3.1.1 (released 2020-01-29)
 ** Add support for YubiKey 5C NFC
 ** OpenPGP: set-touch now performs compatibility checks before prompting for PIN
 ** OpenPGP: Improve error messages and documentation for set-touch
 ** PIV: read-object command no longer adds a trailing newline
 ** CLI: Hint at missing permissions when opening a device fails
 ** Linux: Improve error handling when pcscd is not running
 ** Windows: Improve how .DLL files are loaded, thanks to Marius Gabriel Mihai for reporting this!
 ** Bugfix: set-touch now accepts the cached-fixed option
 ** Bugfix: Fix crash in OtpController.prepare_upload_key() error parsing
 ** Bugfix: Fix crash in piv info command when a certificate slot contains an invalid certificate
 ** Library: PivController.read_certificate(slot) now wraps certificate parsing exceptions in new exception type `InvalidCertificate`
 ** Library: PivController.list_certificates() now returns `None` for slots containing invalid certificate, instead of raising an exception

* Version 3.1.0 (released 2019-08-20)
 ** Add support for YubiKey 5Ci
 ** OpenPGP: the info command now prints OpenPGP specification version as well
 ** OpenPGP: Update support for attestation to match OpenPGP v3.4
 ** PIV: Use UTC time for self-signed certificates
 ** OTP: Static password now supports the Norman keyboard layout

* Version 3.0.0 (released 2019-06-24)
 ** Add support for new YubiKey Preview and lightning form factor
 ** FIDO: Support for credential management
 ** OpenPGP: Support for OpenPGP attestation, cardholder certificates and cached touch policies
 ** OTP: Add flag for using numeric keypad when sending digits

* Version 2.1.1 (released 2019-05-28)
 ** OTP: Add initial support for uploading Yubico OTP credentials to YubiCloud
 ** Don't automatically select the U2F applet on YubiKey NEO, it might be blocked by the OS
 ** ChalResp: Always pad challenge correctly
 ** Bugfix: Don't crash with older versions of cryptography
 ** Bugfix: Password was always prompted in OATH command, even if sent as argument

* Version 2.1.0 (released 2019-03-11)
 ** Add --reader flag to ykman list, to list available smart card readers
 ** FIPS: Checking if a YubiKey FIPS is in FIPS mode is now opt-in, with the --check-fips flag
 ** PIV: Add commands for writing and reading arbitrary PIV objects
 ** PIV: Verify that the PIN must be between 6 - 8 characters long
 ** PIV: In import-certificate, make the verification that the certificate and private key matches opt-in, with the --verify flag
 ** PIV: The piv info command now shows the serial number of the certificates
 ** PIV: The piv info command now shows the full Distinguished Name (DN) of the certificate subject and issuer, if possible
 ** PIV: Malformed certificates are now handled better
 ** OpenPGP: The openpgp touch command now shows current touch policies
 ** The ykman usb/nfc config command now accepts openpgp as well as opgp as an argument
 ** Bugfix: Fix support for german (DE) keyboard layout for static passwords

* Version 2.0.0 (released 2019-01-09)
 ** Add support for Security Key NFC
 ** Add experimental support for external smart card reader. See --reader flag
 ** Add a minimal manpage
 ** Add examples in help texts
 ** PIV: update CHUID when importing a certificate
 ** PIV: Optionally validate that private key and certificate match when importing a certificate (on by default in CLI)
 ** PIV: Improve support for importing certificate chains and .PEM files with comments
 ** Breaking API changes:
  *** Merge CCID status word constants into a single SW enum in ykman.driver_ccid
  *** Throw custom exception types instead of raw APDUErrors from many methods of PivController
  *** Write CLI prompts to standard error instead of standard output
  *** Replace function `ykman.util.parse_certificate` with `parse_certificates` which returns a list

* Version 1.0.1 (released 2018-10-10)
 ** Support for YubiKey 5A
 ** OATH: Ignore extra parameters in URI parsing
 ** Bugfix: Never say that NFC is supported for YubiKeys without NFC

* Version 1.0.0 (released 2018-09-24)
 ** Add support for YubiKey 5 Series
 ** Config: Add flag to generate a random configuration lock
 ** OATH: Give a proper error message when a touch credential times out
 ** NDEF: Allow setting the NDEF prefix from the CLI
 ** FIDO: Block reset when multiple YubiKeys are connected

* Version 0.7.1 (released 2018-07-09)
 ** Support for YubiKey FIPS.
 ** OTP: Allow setting and removing access codes on the slots.
 ** Interfaces: set-lock-code now only accepts hexadecimal inputs.
 ** Bugfix: Don't fail to open the YubiKey when the serial is not visible.

* Version 0.7.0 (released 2018-05-07)
 ** Support for YubiKey Preview.
 ** Add command to configure enabled applications over USB and NFC. See ykman config -h.
 ** Add command for selecting which slot to use for NDEF. See ykman otp ndef -h.

* Version 0.6.1 (released 2018-04-16)
 ** Support for YubiKeys with FIDO2. See ykman fido -h
 ** Report the form factor for YubiKeys that support it.
 ** OTP: slot command is now called otp. See ykman otp -h for all changes.
 ** Static password: Add support for different keyboard layouts. See ykman otp static -h
 ** PIV: Signatures for CSRs are now correct.
 ** PIV: Commands on slots with PIN policy ALWAYS no longer fail if the YubiKey has a management key protected by PIN.
 ** Mode: The U2F mode is now called FIDO.
 ** Dependencies: libu2f-host is no longer used for FIDO communication over USB, instead the python library fido2 is used.

* Version 0.6.0 (released 2018-02-09)
 ** OpenPGP: Expose remaining PIN retries in info command and API.
 ** CCID: Only try YubiKey smart card readers by default.
 ** Handle NEO issues with challenge-response credentials better.
 ** Improve logging.
 ** Improve error handling when opening device over OTP.
 ** Bugfix: Fix adding OTP data through the interactive prompt.

* Version 0.5.0 (released 2017-12-15)
 ** API breaking changes:
  *** OATH: New API more similar to yubioath-android
 ** CLI breaking changes:
  *** OATH: Touch prompt now written to stderr instead of stdout
  *** OATH: `-a|--algorithm` option to `list` command removed
  *** OATH: Columns in `code` command are now dynamically spaced depending on contents
  *** OATH: `delete` command now requires confirmation or `-f|--force` argument
  *** OATH: IDs printed by `list` command now include TOTP period if not 30
  *** Changed outputs:
   **** INFO: "Device name" output changed to "Device type"
   **** PIV: "Management key is stored on device" output changed to "Management key is stored on the YubiKey"
   **** PIV: "All PIV data have been cleared from the device" output changed to "All PIV data have been cleared from your YubiKey"
   **** PIV: "The current management key is stored on the device" prompt changed to "The current management key is stored on the YubiKey"
   **** SLOT: "blank to use device serial" prompt changed to "blank to use YubiKey serial number"
   **** SLOT: "Using device serial" output changed to "Using YubiKey device serial"
   **** Lots of failure case outputs changed
 ** New features:
  *** Support for multiple devices via new top-level option `-d|--device`
  *** New top-level option `-l|--log-level` to enable logging
  *** OATH: Support for remembering passwords locally.
  *** OATH: New option `-s|--single` for `code` command
  *** PIV: `set-pin-retries` command now warns that PIN and PUK will be reset to factory defaults, and prints those defaults after resetting
 ** API bug fixes:
  *** OATH: `valid_from` and `valid_to` for `Code` are now absolute instead of relative to the credential period
  *** OATH: `period` for non-TOTP `Code` is now `None`

* Version 0.4.6 (released 2017-10-17)
 ** Will now attempt to open device 3 times before failing
 ** OpenPGP: Don't say data is removed when not
 ** OpenPGP: Don't swallow APDU errors
 ** PIV: Block on-chip RSA key generation for firmware versions 4.2.0 to 4.3.4 (inclusive) since these chips are vulnerable to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361[CVE-2017-15631].

* Version 0.4.5 (released 2017-09-14)
 ** OATH: Don't print issuer if there is no issuer.

* Version 0.4.4 (released 2017-09-06)
 ** OATH: Fix yet another issue with backwards compatibility, for adding new credentials.

* Version 0.4.3 (released 2017-09-06)
 ** OATH: Fix issue with backwards compatibility, when used as a library.

* Version 0.4.2 (released 2017-09-05)
 ** OATH: Support 7 digit credentials.
 ** OATH: Support credentials with a period other than 30 seconds.
 ** OATH: The remove command is now called delete.

* Version 0.4.1 (released 2017-08-10)
 ** PIV: Dropped support for deriving a management key from PIN.
 ** PIV: Added support for generating a random management key and storing it on the device protected by the PIN.
 ** OpenPGP: The reset command now handles a device in terminated state.
 ** OATH: Credential filtering is now working properly on Python 2.

* Version 0.4.0 (released 2017-06-19)
 ** Added PIV support. The tool and library now supports most of the PIV functionality found on the YubiKey 4 and NEO. To list the available commands, run ykman piv -h.
 ** Mode command now supports adding and removing modes incrementally.

* Version 0.3.3 (released 2017-05-08)
 ** Bugfix: Fix issue with OATH credentials from Steam on YubiKey 4.

* Version 0.3.2 (released 2017-04-24)
 ** Allow access code input through an interactive prompt.
 ** Bugfix: Some versions of YubiKey NEO occasionally failed calculating challenge-response credentials with touch.

* Version 0.3.1 (released 2017-03-13)
 ** Allow programming of TOTP credentials in YubiKey Slots using the chalresp command.
 ** Add a calculate command (and library support) to perform a challenge-response operation. Can also be used to generate TOTP codes for credentials stored in a slot.
 ** OATH: Remove whitespace in secret keys provided by the user.
 ** OATH: Prompt the user to touch the YubiKey for HOTP touch credentials.
 ** Bugfix: The flag for showing hidden credentials was not working correctly for the oath code command.

* Version 0.3.0 (released 2017-01-23)
 ** OATH functionality added. The tool now exposes the OATH functionality found on the YubiKey 4 and NEO. To list the available commands, run ykman oath -h.
 ** Added support for randomly generated static passwords.

* Version 0.2.0 (released 2016-11-23)
 ** Removed all GUI code. This project is now only for the python library and CLI tool. The GUI will be re-released separately in a different project.
 ** Added command to update settings for YubiKey Slots.

* Version 0.1.0 (released 2016-07-07)
 ** Initial release for beta testing.