Hello community, here is the log from the commit of package yubico-piv-tool for openSUSE:Factory checked in at 2016-06-02 09:36:38 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yubico-piv-tool (Old) and /work/SRC/openSUSE:Factory/.yubico-piv-tool.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yubico-piv-tool" Changes: -------- --- /work/SRC/openSUSE:Factory/yubico-piv-tool/yubico-piv-tool.changes 2016-04-28 17:02:01.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.yubico-piv-tool.new/yubico-piv-tool.changes 2016-06-02 09:36:42.000000000 +0200 @@ -1,0 +2,12 @@ +Tue May 17 14:55:42 UTC 2016 - [email protected] + +- Version 1.4.0 (released 2016-05-03) + - Add attest action When used on a slot with a generated key, + outputs a signed x509 certificate for that slot showing that + the key was generated in hardware. Available in firmware 4.3.0 and newer. + - Add cached parameter for touch-policy With cached, the touch is valid + for an additional 15s. Available in firmware 4.3.0 and newer. + - Enforce a minimum PIN length of 6 characters. + - Fix a bug with list-readers action where it fell through processing into write-object. + +------------------------------------------------------------------- Old: ---- yubico-piv-tool-1.3.1.tar.gz yubico-piv-tool-1.3.1.tar.gz.sig New: ---- yubico-piv-tool-1.4.0.tar.gz yubico-piv-tool-1.4.0.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yubico-piv-tool.spec ++++++ --- /var/tmp/diff_new_pack.iw0lpa/_old 2016-06-02 09:36:44.000000000 +0200 +++ /var/tmp/diff_new_pack.iw0lpa/_new 2016-06-02 09:36:44.000000000 +0200 @@ -18,7 +18,7 @@ %define soname 1 Name: yubico-piv-tool -Version: 1.3.1 +Version: 1.4.0 Release: 0 Summary: Yubico YubiKey NEO CCID Manager License: BSD-2-Clause 
@@ -102,12 +102,12 @@ %files -n libykpiv%{soname} %defattr(-,root,root) %{_libdir}/libykpiv.so.%{soname} -%{_libdir}/libykpiv.so.%{soname}.3.1 +%{_libdir}/libykpiv.so.%{soname}.3.2 %files -n libykcs11-%{soname} %defattr(-,root,root) %{_libdir}/libykcs11.so.%{soname} -%{_libdir}/libykcs11.so.%{soname}.3.1 +%{_libdir}/libykcs11.so.%{soname}.3.2 %files -n libykpiv-devel %defattr(-,root,root) ++++++ yubico-piv-tool-1.3.1.tar.gz -> yubico-piv-tool-1.4.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/ChangeLog new/yubico-piv-tool-1.4.0/ChangeLog --- old/yubico-piv-tool-1.3.1/ChangeLog 2016-04-19 07:39:52.000000000 +0200 +++ new/yubico-piv-tool-1.4.0/ChangeLog 2016-05-03 09:43:07.000000000 +0200 @@ -1,3 +1,43 @@ +2016-05-03 Klas Lindfors <[email protected]> + + * NEWS, configure.ac: release 1.4.0 + +2016-05-03 Klas Lindfors <[email protected]> + + * Makefile.am: add attest doc to dist + +2016-05-03 Klas Lindfors <[email protected]> + + * mac.mk, windows.mk: bump openssl to 1.0.2g + +2016-05-03 Klas Lindfors <[email protected]> + + * : commit b1139a516b5a2d9e97ac7cbf8a63f0131b4623df Author: Klas + Lindfors <[email protected]> Date: Fri Apr 22 09:41:41 2016 +0200 + +2016-04-19 Klas Lindfors <[email protected]> + + * doc/YubiKey_PIV_introduction.adoc: change examples to be with 6 + digit pins + +2016-04-19 Klas Lindfors <[email protected]> + + * tool/yubico-piv-tool.c: enforce minimum 6 digits of pin when + changing in the tool + +2016-04-19 Klas Lindfors <[email protected]> + + * tool/yubico-piv-tool.c: error isn't an iso error, run + ykpiv_strerror() on it + +2016-04-19 Klas Lindfors <[email protected]> + + * .gitignore: ignore more + +2016-04-19 Klas Lindfors <[email protected]> + + * NEWS, configure.ac: bump version + 2016-04-19 Klas Lindfors <[email protected]> * NEWS: NEWS for 1.3.1 
@@ -8,6 +48,10 @@ 2016-03-31 Klas Lindfors <[email protected]> + * doc/Attestation.adoc: add some documentation for attestation + +2016-03-31 Klas Lindfors <[email protected]> + * tool/cmdline.ggo: change wording in help text authentication key -> management key 2016-03-23 Klas Lindfors <[email protected]> @@ -23,9 +67,28 @@ * mac.mk, windows.mk: newer openssl for windows and mac -2016-02-19 Klas Lindfors <[email protected]> +2016-03-17 Klas Lindfors <[email protected]> + + * lib/ykpiv.c: add ykpiv touchpolicy to ykpiv + +2016-03-17 Klas Lindfors <[email protected]> + + * lib/ykpiv.c, lib/ykpiv.h: add YKPIV_KEY_ATTESTATION to + ykpiv_import_key() - * mac.mk, windows.mk: bump openssl to 1.0.1r +2016-03-17 Klas Lindfors <[email protected]> + + * lib/ykpiv.h, tool/cmdline.ggo, tool/util.c: add touch-policy + cached + +2016-03-17 Klas Lindfors <[email protected]> + + * tool/yubico-piv-tool.c: actually open output_file in attest() + +2016-03-10 Klas Lindfors <[email protected]> + + * : commit d52b8bd3efb179f20b5ee5f3bc36c05a6ec29fc7 Author: Klas + Lindfors <[email protected]> Date: Fri Feb 19 12:40:23 2016 +0100 2016-02-19 Klas Lindfors <[email protected]> @@ -508,6 +571,16 @@ * : Merge pull request #36 from akgood/master Use @loader_path rather than @executable_path for OS X dylib paths +2015-11-18 Klas Lindfors <[email protected]> + + * lib/ykpiv.h, tool/cmdline.ggo, tool/yubico-piv-tool.c: add attest + action + +2015-11-18 Klas Lindfors <[email protected]> + + * lib/ykpiv.h, tool/cmdline.ggo, tool/util.c: add f9 slot for + attestation + 2015-11-16 Adam Goodman <[email protected]> * mac.mk: YKCS11: On OS X, use @loader_path rather than diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/Makefile.am new/yubico-piv-tool-1.4.0/Makefile.am --- old/yubico-piv-tool-1.3.1/Makefile.am 2016-03-10 15:29:26.000000000 +0100 +++ new/yubico-piv-tool-1.4.0/Makefile.am 2016-05-03 09:42:56.000000000 +0200 
@@ -31,7 +31,7 @@ EXTRA_DIST = windows.mk mac.mk tool/tests/basic.sh tools/fasc.pl -EXTRA_DIST += doc/Android_code_signing.adoc doc/Certificate_Authority.adoc doc/OS_X_code_signing.adoc doc/SSH_with_PIV_and_PKCS11.adoc doc/Windows_certificate.adoc doc/YKCS11_release_notes.adoc doc/YubiKey_PIV_introduction.adoc +EXTRA_DIST += doc/Android_code_signing.adoc doc/Attestation.adoc doc/Certificate_Authority.adoc doc/OS_X_code_signing.adoc doc/SSH_with_PIV_and_PKCS11.adoc doc/Windows_certificate.adoc doc/YKCS11_release_notes.adoc doc/YubiKey_PIV_introduction.adoc if ENABLE_COV diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/Makefile.in new/yubico-piv-tool-1.4.0/Makefile.in --- old/yubico-piv-tool-1.3.1/Makefile.in 2016-03-21 08:14:22.000000000 +0100 +++ new/yubico-piv-tool-1.4.0/Makefile.in 2016-05-03 09:43:03.000000000 +0200 @@ -382,9 +382,10 @@ SUBDIRS = lib tool ykcs11 ACLOCAL_AMFLAGS = -I m4 EXTRA_DIST = windows.mk mac.mk tool/tests/basic.sh tools/fasc.pl \ - doc/Android_code_signing.adoc doc/Certificate_Authority.adoc \ - doc/OS_X_code_signing.adoc doc/SSH_with_PIV_and_PKCS11.adoc \ - doc/Windows_certificate.adoc doc/YKCS11_release_notes.adoc \ + doc/Android_code_signing.adoc doc/Attestation.adoc \ + doc/Certificate_Authority.adoc doc/OS_X_code_signing.adoc \ + doc/SSH_with_PIV_and_PKCS11.adoc doc/Windows_certificate.adoc \ + doc/YKCS11_release_notes.adoc \ doc/YubiKey_PIV_introduction.adoc all: all-recursive diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/NEWS new/yubico-piv-tool-1.4.0/NEWS --- old/yubico-piv-tool-1.3.1/NEWS 2016-04-19 07:39:07.000000000 +0200 +++ new/yubico-piv-tool-1.4.0/NEWS 2016-05-03 09:42:56.000000000 +0200 
@@ -1,5 +1,21 @@ yubico-piv-tool NEWS -- History of user-visible changes. -*- outline -*- +* Version 1.4.0 (released 2016-05-03) + +** Add attest action +Will when used on a slot with a generated key output a signed x509 certificate +for that slot showing that the key was generated in hardware. Available in +firmware 4.3.0 and newer. + +** Add touch-policy cached +Will treat the touch as valid for additional usage for 15s when used. Available +in firmware 4.3.0 and newer. + +** Enforce a minimum PIN length of 6 characters. + +** Fix a bug with list-readers action where it fell through processing into +write-object. + * Version 1.3.1 (released 2016-04-19) ** Fix a bug where unblock pin would instead change puk, introduced in 1.3.0. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/configure new/yubico-piv-tool-1.4.0/configure --- old/yubico-piv-tool-1.3.1/configure 2016-03-21 08:14:22.000000000 +0100 +++ new/yubico-piv-tool-1.4.0/configure 2016-05-03 09:43:03.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for yubico-piv-tool 1.3.1. +# Generated by GNU Autoconf 2.69 for yubico-piv-tool 1.4.0. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ # Identity of this package. PACKAGE_NAME='yubico-piv-tool' PACKAGE_TARNAME='yubico-piv-tool' -PACKAGE_VERSION='1.3.1' -PACKAGE_STRING='yubico-piv-tool 1.3.1' +PACKAGE_VERSION='1.4.0' +PACKAGE_STRING='yubico-piv-tool 1.4.0' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1350,7 +1350,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures yubico-piv-tool 1.3.1 to adapt to many kinds of systems. +\`configure' configures yubico-piv-tool 1.4.0 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... 
@@ -1420,7 +1420,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of yubico-piv-tool 1.3.1:";; + short | recursive ) echo "Configuration of yubico-piv-tool 1.4.0:";; esac cat <<\_ACEOF @@ -1544,7 +1544,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -yubico-piv-tool configure 1.3.1 +yubico-piv-tool configure 1.4.0 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1909,7 +1909,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by yubico-piv-tool $as_me 1.3.1, which was +It was created by yubico-piv-tool $as_me 1.4.0, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2294,7 +2294,7 @@ # Interfaces removed: AGE=0 LT_CURRENT=4 -LT_REVISION=1 +LT_REVISION=2 LT_AGE=3 @@ -2785,7 +2785,7 @@ # Define the identity of the package. PACKAGE='yubico-piv-tool' - VERSION='1.3.1' + VERSION='1.4.0' cat >>confdefs.h <<_ACEOF @@ -13631,7 +13631,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by yubico-piv-tool $as_me 1.3.1, which was +This file was extended by yubico-piv-tool $as_me 1.4.0, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -13688,7 +13688,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -yubico-piv-tool config.status 1.3.1 +yubico-piv-tool config.status 1.4.0 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/configure.ac new/yubico-piv-tool-1.4.0/configure.ac --- old/yubico-piv-tool-1.3.1/configure.ac 2016-03-21 08:14:17.000000000 +0100 +++ new/yubico-piv-tool-1.4.0/configure.ac 2016-05-03 09:42:56.000000000 +0200 @@ -26,7 +26,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -AC_INIT([yubico-piv-tool], [1.3.1]) +AC_INIT([yubico-piv-tool], [1.4.0]) AC_CONFIG_AUX_DIR([build-aux]) AC_CONFIG_MACRO_DIR([m4]) @@ -35,7 +35,7 @@ # Interfaces added: AGE++ # Interfaces removed: AGE=0 AC_SUBST([LT_CURRENT], 4) -AC_SUBST([LT_REVISION], 1) +AC_SUBST([LT_REVISION], 2) AC_SUBST([LT_AGE], 3) AM_INIT_AUTOMAKE([-Wall -Werror foreign]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/doc/Attestation.adoc new/yubico-piv-tool-1.4.0/doc/Attestation.adoc --- old/yubico-piv-tool-1.3.1/doc/Attestation.adoc 1970-01-01 01:00:00.000000000 +0100 +++ new/yubico-piv-tool-1.4.0/doc/Attestation.adoc 2016-05-03 09:31:21.000000000 +0200 
@@ -0,0 +1,20 @@ +Using Attestation +----------------- + +Attestation works through a special key slot called “f9” this comes +pre-loaded from factory with a key and cert signed by Yubico, but can be +overwritten. +After a key has been generated in a normal slot it can be attested by this +special key, this can be realised by using the yubico-piv-tool action attest: + + $ yubico-piv-tool --action=generate --slot=9a + ... + $ yubico-piv-tool --action=attest --slot=9a + +The output of this is a PEM encoded certificate, signed by the key in slot f9. There are a couple of special extensions on this certificate: + +* +1.3.6.1.4.1.41482.3.3+: Firmware version, encoded as 3 bytes, like: 040300 for 4.3.0 +* +1.3.6.1.4.1.41482.3.7+: Serial number, encoded as an integer. +* +1.3.6.1.4.1.41482.3.8+: Two bytes, the first encoding pin policy and the second touch policy +** Pin policy: 01 - never, 02 - once per session, 03 - always +** Touch policy: 01 - never, 02 - always, 03 - cached for 15s diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/doc/YubiKey_PIV_introduction.adoc new/yubico-piv-tool-1.4.0/doc/YubiKey_PIV_introduction.adoc --- old/yubico-piv-tool-1.3.1/doc/YubiKey_PIV_introduction.adoc 2016-03-10 15:29:16.000000000 +0100 +++ new/yubico-piv-tool-1.4.0/doc/YubiKey_PIV_introduction.adoc 2016-04-19 14:23:00.000000000 +0200 
@@ -67,14 +67,14 @@ of times -- you need to modify this if you have changed the default number of PIN/PUK retries). - yubico-piv-tool -a verify-pin -P 4711 - yubico-piv-tool -a verify-pin -P 4711 - yubico-piv-tool -a verify-pin -P 4711 - yubico-piv-tool -a verify-pin -P 4711 - yubico-piv-tool -a change-puk -P 4711 -N 67567 - yubico-piv-tool -a change-puk -P 4711 -N 67567 - yubico-piv-tool -a change-puk -P 4711 -N 67567 - yubico-piv-tool -a change-puk -P 4711 -N 67567 + yubico-piv-tool -a verify-pin -P 471112 + yubico-piv-tool -a verify-pin -P 471112 + yubico-piv-tool -a verify-pin -P 471112 + yubico-piv-tool -a verify-pin -P 471112 + yubico-piv-tool -a change-puk -P 471112 -N 6756789 + yubico-piv-tool -a change-puk -P 471112 -N 6756789 + yubico-piv-tool -a change-puk -P 471112 -N 6756789 + yubico-piv-tool -a change-puk -P 471112 -N 6756789 yubico-piv-tool -a reset Software diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/lib/ykpiv-version.h new/yubico-piv-tool-1.4.0/lib/ykpiv-version.h --- old/yubico-piv-tool-1.3.1/lib/ykpiv-version.h 2016-03-21 08:14:27.000000000 +0100 +++ new/yubico-piv-tool-1.4.0/lib/ykpiv-version.h 2016-05-03 09:43:06.000000000 +0200 @@ -43,7 +43,7 @@ * version number. Used together with ykneomgr_check_version() to verify * header file and run-time library consistency. */ -#define YKPIV_VERSION_STRING "1.3.1" +#define YKPIV_VERSION_STRING "1.4.0" /** * YKPIV_VERSION_NUMBER @@ -53,7 +53,7 @@ * this symbol will have the value 0x01020300. The last two digits * are only used between public releases, and will otherwise be 00. */ -#define YKPIV_VERSION_NUMBER 0x010301 +#define YKPIV_VERSION_NUMBER 0x010400 /** * YKPIV_VERSION_MAJOR @@ -71,7 +71,7 @@ * level of the header file version number. For example, when the * header version is 1.2.3 this symbol will be 2. */ -#define YKPIV_VERSION_MINOR 3 +#define YKPIV_VERSION_MINOR 4 /** * YKPIV_VERSION_PATCH 
@@ -80,7 +80,7 @@ * level of the header file version number. For example, when the * header version is 1.2.3 this symbol will be 3. */ -#define YKPIV_VERSION_PATCH 1 +#define YKPIV_VERSION_PATCH 0 const char *ykpiv_check_version (const char *req_version); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/lib/ykpiv.c new/yubico-piv-tool-1.4.0/lib/ykpiv.c --- old/yubico-piv-tool-1.3.1/lib/ykpiv.c 2016-04-18 22:03:38.000000000 +0200 +++ new/yubico-piv-tool-1.4.0/lib/ykpiv.c 2016-05-03 09:31:21.000000000 +0200 @@ -873,7 +873,7 @@ if (key == YKPIV_KEY_CARDMGM || key < YKPIV_KEY_RETIRED1 || (key > YKPIV_KEY_RETIRED20 && key < YKPIV_KEY_AUTHENTICATION) || - key > YKPIV_KEY_CARDAUTH) { + (key > YKPIV_KEY_CARDAUTH && key != YKPIV_KEY_ATTESTATION)) { return YKPIV_KEY_ERROR; } @@ -885,7 +885,8 @@ if (touch_policy != YKPIV_TOUCHPOLICY_DEFAULT && touch_policy != YKPIV_TOUCHPOLICY_NEVER && - touch_policy != YKPIV_TOUCHPOLICY_ALWAYS) + touch_policy != YKPIV_TOUCHPOLICY_ALWAYS && + touch_policy != YKPIV_TOUCHPOLICY_CACHED) return YKPIV_GENERIC_ERROR; if (algorithm == YKPIV_ALGO_RSA1024 || algorithm == YKPIV_ALGO_RSA2048) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/lib/ykpiv.h new/yubico-piv-tool-1.4.0/lib/ykpiv.h --- old/yubico-piv-tool-1.3.1/lib/ykpiv.h 2016-04-18 22:03:38.000000000 +0200 +++ new/yubico-piv-tool-1.4.0/lib/ykpiv.h 2016-05-03 09:31:21.000000000 +0200 @@ -141,6 +141,7 @@ #define YKPIV_KEY_RETIRED18 0x93 #define YKPIV_KEY_RETIRED19 0x94 #define YKPIV_KEY_RETIRED20 0x95 +#define YKPIV_KEY_ATTESTATION 0xf9 #define YKPIV_OBJ_CAPABILITY 0x5fc107 #define YKPIV_OBJ_CHUID 0x5fc102 @@ -177,6 +178,8 @@ #define YKPIV_OBJ_RETIRED19 0x5fc11f #define YKPIV_OBJ_RETIRED20 0x5fc120 +#define YKPIV_OBJ_ATTESTATION 0x5fff01 + #define YKPIV_INS_VERIFY 0x20 #define YKPIV_INS_CHANGE_REFERENCE 0x24 #define YKPIV_INS_RESET_RETRY 0x2c 
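Review bot: Admitting `YKPIV_KEY_ATTESTATION` to the slot check here lets any caller who can authenticate with the management key import a private key into f9, the slot that signs every attestation certificate; doc/Attestation.adoc in this same update confirms the factory Yubico-signed key "can be overwritten", and the tool's `--key` default in cmdline.c is a well-known constant. That is a realistic way for someone with brief access to an unmanaged device to replace the attestation signer with a key they also hold off-device, so nothing produced by `attest` afterwards proves hardware generation unless the relying party validates the chain back to the Yubico-issued f9 certificate rather than trusting whatever currently sits in f9. I would put that on the new condition: `/* 0xf9 is the attestation signing key: importing here replaces the factory Yubico-signed key, after which attestations from this device no longer chain to Yubico */`. The enclosing function (ykpiv_import_private_key, judging by the ChangeLog entry) starts and ends outside the hunk.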
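Review bot: `YKPIV_TOUCHPOLICY_CACHED` is now accepted without any firmware-version gate, although NEWS for this release says the cached policy exists only in firmware 4.3.0 and newer, so on an older device the unknown policy byte is simply sent to the card and the outcome rests on how that firmware handles it, which this check does not consider. The policy is also semantically weaker than ALWAYS — per the new doc one touch authorises further use of the key for 15 s — so a caller choosing it should know that a single physical confirmation can cover several signing operations. I would note both at the check: `/* CACHED (firmware >= 4.3.0): one touch authorises further use of the key for 15 s, so it is weaker than ALWAYS */`. The enclosing function starts and ends outside the hunk.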
@@ -191,6 +194,7 @@ #define YKPIV_INS_GET_VERSION 0xfd #define YKPIV_INS_RESET 0xfb #define YKPIV_INS_SET_PIN_RETRIES 0xfa +#define YKPIV_INS_ATTEST 0xf9 #define YKPIV_PINPOLICY_TAG 0xaa #define YKPIV_PINPOLICY_DEFAULT 0 @@ -202,6 +206,7 @@ #define YKPIV_TOUCHPOLICY_DEFAULT 0 #define YKPIV_TOUCHPOLICY_NEVER 1 #define YKPIV_TOUCHPOLICY_ALWAYS 2 +#define YKPIV_TOUCHPOLICY_CACHED 3 #define YKPIV_IS_EC(a) ((a == YKPIV_ALGO_ECCP256 || a == YKPIV_ALGO_ECCP384)) #define YKPIV_IS_RSA(a) ((a == YKPIV_ALGO_RSA1024 || a == YKPIV_ALGO_RSA2048)) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/mac.mk new/yubico-piv-tool-1.4.0/mac.mk --- old/yubico-piv-tool-1.3.1/mac.mk 2016-04-18 22:03:38.000000000 +0200 +++ new/yubico-piv-tool-1.4.0/mac.mk 2016-05-03 09:33:41.000000000 +0200 @@ -26,7 +26,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. PACKAGE=yubico-piv-tool -OPENSSLVERSION=1.0.1s +OPENSSLVERSION=1.0.2g CFLAGS="-mmacosx-version-min=10.6" all: usage mac diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/tool/cmdline.c new/yubico-piv-tool-1.4.0/tool/cmdline.c --- old/yubico-piv-tool-1.3.1/tool/cmdline.c 2016-04-18 22:03:40.000000000 +0200 +++ new/yubico-piv-tool-1.4.0/tool/cmdline.c 2016-05-03 09:43:08.000000000 +0200 
@@ -40,9 +40,9 @@ " -v, --verbose[=INT] Print more information (default=`0')", " -r, --reader=STRING Only use a matching reader (default=`Yubikey')", " -k, --key[=STRING] Management key to use\n (default=`010203040506070801020304050607080102030405060708')", - " -a, --action=ENUM Action to take (possible values=\"version\",\n \"generate\", \"set-mgm-key\", \"reset\",\n \"pin-retries\", \"import-key\",\n \"import-certificate\", \"set-chuid\",\n \"request-certificate\", \"verify-pin\",\n \"change-pin\", \"change-puk\", \"unblock-pin\",\n \"selfsign-certificate\", \"delete-certificate\",\n \"read-certificate\", \"status\",\n \"test-signature\", \"test-decipher\",\n \"list-readers\", \"set-ccc\", \"write-object\",\n \"read-object\")", + " -a, --action=ENUM Action to take (possible values=\"version\",\n \"generate\", \"set-mgm-key\", \"reset\",\n \"pin-retries\", \"import-key\",\n \"import-certificate\", \"set-chuid\",\n \"request-certificate\", \"verify-pin\",\n \"change-pin\", \"change-puk\", \"unblock-pin\",\n \"selfsign-certificate\", \"delete-certificate\",\n \"read-certificate\", \"status\",\n \"test-signature\", \"test-decipher\",\n \"list-readers\", \"set-ccc\", \"write-object\",\n \"read-object\", \"attest\")", "\n Multiple actions may be given at once and will be executed in order\n for example --action=verify-pin --action=request-certificate\n", - " -s, --slot=ENUM What key slot to operate on (possible\n values=\"9a\", \"9c\", \"9d\", \"9e\", \"82\",\n \"83\", \"84\", \"85\", \"86\", \"87\", \"88\",\n \"89\", \"8a\", \"8b\", \"8c\", \"8d\", \"8e\",\n \"8f\", \"90\", \"91\", \"92\", \"93\", \"94\",\n \"95\")", + " -s, --slot=ENUM What key slot to operate on (possible\n values=\"9a\", \"9c\", \"9d\", \"9e\", \"82\",\n \"83\", \"84\", \"85\", \"86\", \"87\", \"88\",\n \"89\", \"8a\", \"8b\", \"8c\", \"8d\", \"8e\",\n \"8f\", \"90\", \"91\", \"92\", \"93\", \"94\",\n \"95\", \"f9\")", "\n 9a is for PIV Authentication\n 9c is for Digital Signature (PIN always 
checked)\n 9d is for Key Management\n 9e is for Card Authentication (PIN never checked)\n 82-95 is for Retired Key Management\n", " -A, --algorithm=ENUM What algorithm to use (possible values=\"RSA1024\",\n \"RSA2048\", \"ECCP256\", \"ECCP384\"\n default=`RSA2048')", " -H, --hash=ENUM Hash to use for signatures (possible\n values=\"SHA1\", \"SHA256\", \"SHA384\",\n \"SHA512\" default=`SHA256')", @@ -60,7 +60,7 @@ " -P, --pin=STRING Pin/puk code for verification", " -N, --new-pin=STRING New pin/puk code for changing", " --pin-policy=ENUM Set pin policy for action generate or import-key\n (possible values=\"never\", \"once\", \"always\")", - " --touch-policy=ENUM Set touch policy for action generate, import-key or\n set-mgm-key (possible values=\"never\",\n \"always\")", + " --touch-policy=ENUM Set touch policy for action generate, import-key or\n set-mgm-key (possible values=\"never\",\n \"always\", \"cached\")", " --id=INT Id of object for write/read object", " -f, --format=ENUM Format of data for write/read object (possible\n values=\"hex\", \"base64\", \"binary\"\n default=`hex')", " --sign Sign data (default=off)", 
@@ -124,13 +124,13 @@ static int cmdline_parser_required2 (struct gengetopt_args_info *args_info, const char *prog_name, const char *additional_error); -const char *cmdline_parser_action_values[] = {"version", "generate", "set-mgm-key", "reset", "pin-retries", "import-key", "import-certificate", "set-chuid", "request-certificate", "verify-pin", "change-pin", "change-puk", "unblock-pin", "selfsign-certificate", "delete-certificate", "read-certificate", "status", "test-signature", "test-decipher", "list-readers", "set-ccc", "write-object", "read-object", 0}; /*< Possible values for action. */ -const char *cmdline_parser_slot_values[] = {"9a", "9c", "9d", "9e", "82", "83", "84", "85", "86", "87", "88", "89", "8a", "8b", "8c", "8d", "8e", "8f", "90", "91", "92", "93", "94", "95", 0}; /*< Possible values for slot. */ +const char *cmdline_parser_action_values[] = {"version", "generate", "set-mgm-key", "reset", "pin-retries", "import-key", "import-certificate", "set-chuid", "request-certificate", "verify-pin", "change-pin", "change-puk", "unblock-pin", "selfsign-certificate", "delete-certificate", "read-certificate", "status", "test-signature", "test-decipher", "list-readers", "set-ccc", "write-object", "read-object", "attest", 0}; /*< Possible values for action. */ +const char *cmdline_parser_slot_values[] = {"9a", "9c", "9d", "9e", "82", "83", "84", "85", "86", "87", "88", "89", "8a", "8b", "8c", "8d", "8e", "8f", "90", "91", "92", "93", "94", "95", "f9", 0}; /*< Possible values for slot. */ const char *cmdline_parser_algorithm_values[] = {"RSA1024", "RSA2048", "ECCP256", "ECCP384", 0}; /*< Possible values for algorithm. */ const char *cmdline_parser_hash_values[] = {"SHA1", "SHA256", "SHA384", "SHA512", 0}; /*< Possible values for hash. */ const char *cmdline_parser_key_format_values[] = {"PEM", "PKCS12", "GZIP", "DER", 0}; /*< Possible values for key-format. 
*/ const char *cmdline_parser_pin_policy_values[] = {"never", "once", "always", 0}; /*< Possible values for pin-policy. */ -const char *cmdline_parser_touch_policy_values[] = {"never", "always", 0}; /*< Possible values for touch-policy. */ +const char *cmdline_parser_touch_policy_values[] = {"never", "always", "cached", 0}; /*< Possible values for touch-policy. */ const char *cmdline_parser_format_values[] = {"hex", "base64", "binary", 0}; /*< Possible values for format. */ static char * diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/tool/cmdline.ggo new/yubico-piv-tool-1.4.0/tool/cmdline.ggo --- old/yubico-piv-tool-1.3.1/tool/cmdline.ggo 2016-04-18 22:03:38.000000000 +0200 +++ new/yubico-piv-tool-1.4.0/tool/cmdline.ggo 2016-05-03 09:31:21.000000000 +0200 @@ -33,11 +33,11 @@ "request-certificate","verify-pin","change-pin","change-puk","unblock-pin", "selfsign-certificate","delete-certificate","read-certificate","status", "test-signature","test-decipher","list-readers","set-ccc","write-object", - "read-object" enum multiple + "read-object","attest" enum multiple text " Multiple actions may be given at once and will be executed in order for example --action=verify-pin --action=request-certificate\n" -option "slot" s "What key slot to operate on" values="9a","9c","9d","9e","82","83","84","85","86","87","88","89","8a","8b","8c","8d","8e","8f","90","91","92","93","94","95" enum optional +option "slot" s "What key slot to operate on" values="9a","9c","9d","9e","82","83","84","85","86","87","88","89","8a","8b","8c","8d","8e","8f","90","91","92","93","94","95","f9" enum optional text " 9a is for PIV Authentication 9c is for Digital Signature (PIN always checked) 
@@ -62,7 +62,7 @@ option "pin" P "Pin/puk code for verification" string optional option "new-pin" N "New pin/puk code for changing" string optional dependon="pin" option "pin-policy" - "Set pin policy for action generate or import-key" values="never","once","always" enum optional -option "touch-policy" - "Set touch policy for action generate, import-key or set-mgm-key" values="never","always" enum optional +option "touch-policy" - "Set touch policy for action generate, import-key or set-mgm-key" values="never","always","cached" enum optional option "id" - "Id of object for write/read object" int optional option "format" f "Format of data for write/read object" values="hex","base64","binary" enum optional default="hex" option "sign" - "Sign data" flag off hidden diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/tool/cmdline.h new/yubico-piv-tool-1.4.0/tool/cmdline.h --- old/yubico-piv-tool-1.3.1/tool/cmdline.h 2016-04-18 22:03:40.000000000 +0200 +++ new/yubico-piv-tool-1.4.0/tool/cmdline.h 2016-05-03 09:43:08.000000000 +0200 
@@ -38,13 +38,13 @@ #define CMDLINE_PARSER_VERSION VERSION #endif -enum enum_action { action__NULL = -1, action_arg_version = 0, action_arg_generate, action_arg_setMINUS_mgmMINUS_key, action_arg_reset, action_arg_pinMINUS_retries, action_arg_importMINUS_key, action_arg_importMINUS_certificate, action_arg_setMINUS_chuid, action_arg_requestMINUS_certificate, action_arg_verifyMINUS_pin, action_arg_changeMINUS_pin, action_arg_changeMINUS_puk, action_arg_unblockMINUS_pin, action_arg_selfsignMINUS_certificate, action_arg_deleteMINUS_certificate, action_arg_readMINUS_certificate, action_arg_status, action_arg_testMINUS_signature, action_arg_testMINUS_decipher, action_arg_listMINUS_readers, action_arg_setMINUS_ccc, action_arg_writeMINUS_object, action_arg_readMINUS_object }; -enum enum_slot { slot__NULL = -1, slot_arg_9a = 0, slot_arg_9c, slot_arg_9d, slot_arg_9e, slot_arg_82, slot_arg_83, slot_arg_84, slot_arg_85, slot_arg_86, slot_arg_87, slot_arg_88, slot_arg_89, slot_arg_8a, slot_arg_8b, slot_arg_8c, slot_arg_8d, slot_arg_8e, slot_arg_8f, slot_arg_90, slot_arg_91, slot_arg_92, slot_arg_93, slot_arg_94, slot_arg_95 }; +enum enum_action { action__NULL = -1, action_arg_version = 0, action_arg_generate, action_arg_setMINUS_mgmMINUS_key, action_arg_reset, action_arg_pinMINUS_retries, action_arg_importMINUS_key, action_arg_importMINUS_certificate, action_arg_setMINUS_chuid, action_arg_requestMINUS_certificate, action_arg_verifyMINUS_pin, action_arg_changeMINUS_pin, action_arg_changeMINUS_puk, action_arg_unblockMINUS_pin, action_arg_selfsignMINUS_certificate, action_arg_deleteMINUS_certificate, action_arg_readMINUS_certificate, action_arg_status, action_arg_testMINUS_signature, action_arg_testMINUS_decipher, action_arg_listMINUS_readers, action_arg_setMINUS_ccc, action_arg_writeMINUS_object, action_arg_readMINUS_object, action_arg_attest }; +enum enum_slot { slot__NULL = -1, slot_arg_9a = 0, slot_arg_9c, slot_arg_9d, slot_arg_9e, slot_arg_82, slot_arg_83, slot_arg_84, 
slot_arg_85, slot_arg_86, slot_arg_87, slot_arg_88, slot_arg_89, slot_arg_8a, slot_arg_8b, slot_arg_8c, slot_arg_8d, slot_arg_8e, slot_arg_8f, slot_arg_90, slot_arg_91, slot_arg_92, slot_arg_93, slot_arg_94, slot_arg_95, slot_arg_f9 }; enum enum_algorithm { algorithm__NULL = -1, algorithm_arg_RSA1024 = 0, algorithm_arg_RSA2048, algorithm_arg_ECCP256, algorithm_arg_ECCP384 }; enum enum_hash { hash__NULL = -1, hash_arg_SHA1 = 0, hash_arg_SHA256, hash_arg_SHA384, hash_arg_SHA512 }; enum enum_key_format { key_format__NULL = -1, key_format_arg_PEM = 0, key_format_arg_PKCS12, key_format_arg_GZIP, key_format_arg_DER }; enum enum_pin_policy { pin_policy__NULL = -1, pin_policy_arg_never = 0, pin_policy_arg_once, pin_policy_arg_always }; -enum enum_touch_policy { touch_policy__NULL = -1, touch_policy_arg_never = 0, touch_policy_arg_always }; +enum enum_touch_policy { touch_policy__NULL = -1, touch_policy_arg_never = 0, touch_policy_arg_always, touch_policy_arg_cached }; enum enum_format { format__NULL = -1, format_arg_hex = 0, format_arg_base64, format_arg_binary }; /** @brief Where the command line options are stored */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/tool/util.c new/yubico-piv-tool-1.4.0/tool/util.c --- old/yubico-piv-tool-1.3.1/tool/util.c 2016-04-18 22:03:38.000000000 +0200 +++ new/yubico-piv-tool-1.4.0/tool/util.c 2016-05-03 09:31:21.000000000 +0200 @@ -330,6 +330,9 @@ case slot_arg_95: object = YKPIV_OBJ_RETIRED20; break; + case slot_arg_f9: + object = YKPIV_OBJ_ATTESTATION; + break; case slot__NULL: default: object = 0; 
@@ -601,6 +604,8 @@ return YKPIV_TOUCHPOLICY_NEVER; case touch_policy_arg_always: return YKPIV_TOUCHPOLICY_ALWAYS; + case touch_policy_arg_cached: + return YKPIV_TOUCHPOLICY_CACHED; case touch_policy__NULL: default: return 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/tool/yubico-piv-tool.1 new/yubico-piv-tool-1.4.0/tool/yubico-piv-tool.1 --- old/yubico-piv-tool-1.3.1/tool/yubico-piv-tool.1 2016-04-18 22:03:40.000000000 +0200 +++ new/yubico-piv-tool-1.4.0/tool/yubico-piv-tool.1 2016-05-03 09:43:08.000000000 +0200 @@ -1,12 +1,12 @@ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.2. -.TH YUBICO-PIV-TOOL "1" "April 2016" "yubico-piv-tool 1.3.1" "User Commands" +.TH YUBICO-PIV-TOOL "1" "May 2016" "yubico-piv-tool 1.4.0" "User Commands" .SH NAME yubico-piv-tool \- Yubico PIV tool .SH SYNOPSIS .B yubico-piv-tool [\fI\,OPTIONS\/\fR]... .SH DESCRIPTION -yubico\-piv\-tool 1.3.1 +yubico\-piv\-tool 1.4.0 .TP \fB\-h\fR, \fB\-\-help\fR Print help and exit @@ -38,7 +38,7 @@ "read\-certificate", "status", "test\-signature", "test\-decipher", "list\-readers", "set\-ccc", "write\-object", -"read\-object") +"read\-object", "attest") .IP Multiple actions may be given at once and will be executed in order for example \fB\-\-action\fR=\fI\,verify\-pin\/\fR \fB\-\-action\fR=\fI\,request\-certificate\/\fR @@ -49,7 +49,7 @@ "83", "84", "85", "86", "87", "88", "89", "8a", "8b", "8c", "8d", "8e", "8f", "90", "91", "92", "93", "94", -"95") +"95", "f9") .IP 9a is for PIV Authentication 9c is for Digital Signature (PIN always checked) 
@@ -118,7 +118,7 @@ \fB\-\-touch\-policy\fR=\fI\,ENUM\/\fR Set touch policy for action generate, import\-key or set\-mgm\-key (possible values="never", -"always") +"always", "cached") .TP \fB\-\-id\fR=\fI\,INT\/\fR Id of object for write/read object diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/tool/yubico-piv-tool.c new/yubico-piv-tool-1.4.0/tool/yubico-piv-tool.c --- old/yubico-piv-tool-1.3.1/tool/yubico-piv-tool.c 2016-04-18 22:03:38.000000000 +0200 +++ new/yubico-piv-tool-1.4.0/tool/yubico-piv-tool.c 2016-05-03 09:31:21.000000000 +0200 @@ -1000,6 +1000,11 @@ return false; } + if(new_len < 6) { + fprintf(stderr, "Minimum 6 digits of PIN supported.\n"); + return false; + } + if(action == action_arg_unblockMINUS_pin) { op = ykpiv_unblock_pin; } @@ -1025,7 +1030,7 @@ return false; default: - fprintf(stderr, "Failed changing/unblocking code, error: %x\n", res); + fprintf(stderr, "Failed changing/unblocking code, error: %s\n", ykpiv_strerror(res)); return false; } } 
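Review bot: The new `if(new_len < 6)` check enforces only a length, yet its message `"Minimum 6 digits of PIN supported.\n"` talks about digits; `"Minimum 6 characters of PIN supported.\n"` describes what the code actually rejects. The check sits on the path shared by change-pin and unblock-pin (the `op = ykpiv_unblock_pin` branch follows it), and if this function also serves the change-puk action - not visible in the hunk - the word PIN would be wrong there as well. The enclosing function starts before the hunk, so whether an upper bound on `new_len` is enforced above cannot be confirmed here.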
@@ -1646,6 +1651,68 @@ return true; } +static bool attest(ykpiv_state *state, const char *slot, + enum enum_key_format key_format, const char *output_file_name) { + unsigned char data[2048]; + unsigned long len = sizeof(data); + bool ret = false; + X509 *x509 = NULL; + unsigned char templ[] = {0, YKPIV_INS_ATTEST, 0, 0}; + int key; + int sw; + FILE *output_file = open_file(output_file_name, OUTPUT); + if(!output_file) { + return false; + } + + sscanf(slot, "%2x", &key); + templ[2] = key; + + if(key_format != key_format_arg_PEM && key_format != key_format_arg_DER) { + fprintf(stderr, "Only PEM and DER format are supported for attest..\n"); + return false; + } + + if(ykpiv_transfer_data(state, templ, NULL, 0, data, &len, &sw) != YKPIV_OK) { + fprintf(stderr, "Failed to communicate.\n"); + goto attest_out; + } else if(sw != 0x9000) { + fprintf(stderr, "Failed to attest key.\n"); + goto attest_out; + } + + if(data[0] == 0x30) { + if(key_format == key_format_arg_PEM) { + const unsigned char *ptr = data; + int len2 = len; + x509 = X509_new(); + if(!x509) { + fprintf(stderr, "Failed allocating x509 structure.\n"); + goto attest_out; + } + x509 = d2i_X509(NULL, &ptr, len2); + if(!x509) { + fprintf(stderr, "Failed parsing x509 information.\n"); + goto attest_out; + } + PEM_write_X509(output_file, x509); + ret = true; + } else { + fwrite(data, len, 1, output_file); + } + ret = true; + } + +attest_out: + if(output_file != stdout) { + fclose(output_file); + } + if(x509) { + X509_free(x509); + } + return ret; +} + static bool write_object(ykpiv_state *state, int id, const char *input_file_name, int verbosity, enum enum_format format) { bool ret = false; @@ -1748,6 +1815,7 @@ case action_arg_readMINUS_certificate: case action_arg_testMINUS_signature: case action_arg_testMINUS_decipher: + case action_arg_attest: if(args_info.slot_arg == slot__NULL) { fprintf(stderr, "The '%s' action needs a slot (-s) to operate on.\n", cmdline_parser_action_values[action]); 
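Review bot: In the new `attest()` the `return false;` on an unsupported key_format leaks the `output_file` that `open_file()` has already opened (and leaves an empty output file behind), and the `X509_new()` result is overwritten two lines later by `d2i_X509(NULL, ...)`, so that allocation leaks as well. The `sscanf(slot, "%2x", &key)` result is never checked (leaving `key` uninitialized on failure), `PEM_write_X509` and `fwrite` are not checked before `ret = true`, and a response whose first byte is not 0x30 fails with no message. The rewrite below validates the format and slot before opening the file, drops the spare `X509_new()`, and derives `ret` from the write results. Because the function writes the certificate exactly as the device returned it, a header comment should also state that verifying it against the attestation CA chain is left to the consumer.
```c
static bool attest(ykpiv_state *state, const char *slot,
    enum enum_key_format key_format, const char *output_file_name) {
  // … unchanged: data, len, ret, x509, templ, sw declarations …
  int key = 0;
  FILE *output_file = NULL;

  /* Validate arguments before touching the output file so a rejected
   * request neither leaks the FILE nor leaves an empty output file. */
  if(key_format != key_format_arg_PEM && key_format != key_format_arg_DER) {
    fprintf(stderr, "Only PEM and DER format are supported for attest..\n");
    return false;
  }
  if(sscanf(slot, "%2x", &key) != 1) {
    fprintf(stderr, "Invalid slot for attest.\n");
    return false;
  }
  templ[2] = key;

  output_file = open_file(output_file_name, OUTPUT);
  if(!output_file) {
    return false;
  }

  // … unchanged: ykpiv_transfer_data call and status-word check …

  if(data[0] == 0x30) {
    if(key_format == key_format_arg_PEM) {
      const unsigned char *ptr = data;
      /* d2i_X509 allocates the object itself; an X509_new() here would leak. */
      x509 = d2i_X509(NULL, &ptr, (long)len);
      if(!x509) {
        fprintf(stderr, "Failed parsing x509 information.\n");
        goto attest_out;
      }
      ret = PEM_write_X509(output_file, x509) == 1;
    } else {
      ret = fwrite(data, len, 1, output_file) == 1;
    }
  } else {
    fprintf(stderr, "Unexpected attestation data from device.\n");
  }

attest_out:
  // … unchanged: close output_file unless stdout, free x509, return ret …
```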
@@ -1865,6 +1933,7 @@ case action_arg_testMINUS_signature: case action_arg_testMINUS_decipher: case action_arg_listMINUS_readers: + case action_arg_attest: case action_arg_readMINUS_object: case action__NULL: default: @@ -2042,6 +2111,7 @@ if(list_readers(state) == false) { ret = EXIT_FAILURE; } + break; case action_arg_writeMINUS_object: if(write_object(state, args_info.id_arg, args_info.input_arg, verbosity, args_info.format_arg) == false) { @@ -2054,6 +2124,12 @@ ret = EXIT_FAILURE; } break; + case action_arg_attest: + if(attest(state, args_info.slot_orig, args_info.key_format_arg, + args_info.output_arg) == false) { + ret = EXIT_FAILURE; + } + break; case action__NULL: default: fprintf(stderr, "Wrong action. %d.\n", action); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/windows.mk new/yubico-piv-tool-1.4.0/windows.mk --- old/yubico-piv-tool-1.3.1/windows.mk 2016-04-18 22:03:38.000000000 +0200 +++ new/yubico-piv-tool-1.4.0/windows.mk 2016-05-03 09:33:41.000000000 +0200 @@ -26,7 +26,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. PACKAGE=yubico-piv-tool -OPENSSLVERSION=1.0.1s +OPENSSLVERSION=1.0.2g all: usage 32bit 64bit diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/ykcs11/ykcs11-version.h new/yubico-piv-tool-1.4.0/ykcs11/ykcs11-version.h --- old/yubico-piv-tool-1.3.1/ykcs11/ykcs11-version.h 2016-03-21 08:14:27.000000000 +0100 +++ new/yubico-piv-tool-1.4.0/ykcs11/ykcs11-version.h 2016-05-03 09:43:06.000000000 +0200 @@ -42,7 +42,7 @@ * version number. Used together with ykneomgr_check_version() to verify * header file and run-time library consistency. */ -#define YKCS11_VERSION_STRING "1.3.1" +#define YKCS11_VERSION_STRING "1.4.0" /** * YKCS11_VERSION_NUMBER 
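Review bot: The added `break;` after `list_readers()` in the @@ -2042 hunk closes the fall-through into write-object, but the other arms of this switch are outside the hunk, so it cannot be confirmed here that none of them has the same omission. Marking any arm that is meant to continue with `/* fallthrough */` and building with `-Wimplicit-fallthrough` where the compiler supports it would turn a recurrence into a warning instead of a silently executed extra action.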
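Review bot: In the @@ -2054 hunk the new `action_arg_attest` case hands `args_info.slot_orig` - the raw option text - to `attest()`, which then re-parses it with `sscanf`, whereas the slot is otherwise carried as the `slot_arg` enum value. The command-line parser appears to restrict the text to the slot enum, so this is safe, but the deviation deserves a comment on the call such as `/* slot_orig: raw option text, already restricted to the slot enum by the parser */` or, better, a conversion from `slot_arg` like the other slot-taking actions use.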
@@ -52,7 +52,7 @@ * this symbol will have the value 0x01020300. The last two digits * are only used between public releases, and will otherwise be 00. */ -#define YKCS11_VERSION_NUMBER 0x010301 +#define YKCS11_VERSION_NUMBER 0x010400 /** * YKCS11_VERSION_MAJOR @@ -70,7 +70,7 @@ * level of the header file version number. For example, when the * header version is 1.2.3 this symbol will be 2. */ -#define YKCS11_VERSION_MINOR 3 +#define YKCS11_VERSION_MINOR 4 /** * YKCS11_VERSION_PATCH @@ -79,7 +79,7 @@ * level of the header file version number. For example, when the * header version is 1.2.3 this symbol will be 3. */ -#define YKCS11_VERSION_PATCH 1 +#define YKCS11_VERSION_PATCH 0 const char *ykcs11_check_version (const char *req_version);
