Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package yubico-piv-tool for openSUSE:Factory checked in at 2024-02-15 21:01:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yubico-piv-tool (Old) and /work/SRC/openSUSE:Factory/.yubico-piv-tool.new.1815 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yubico-piv-tool" Thu Feb 15 21:01:21 2024 rev:20 rq:1146792 version:2.5.1 Changes: --------
--- /work/SRC/openSUSE:Factory/yubico-piv-tool/yubico-piv-tool.changes 2024-02-09 23:55:20.369492454 +0100
+++ /work/SRC/openSUSE:Factory/.yubico-piv-tool.new.1815/yubico-piv-tool.changes 2024-02-15 21:02:33.320537377 +0100
@@ -1,0 +2,9 @@
+Wed Feb 14 09:05:14 UTC 2024 - Wolfgang Frisch <wolfgang.fri...@suse.com>
+
+- update to 2.5.1:
+ * ykpiv: cmd: ykcs11: Fix buffer size for key import.
+- add cmake-flags-upstream-issue-474.patch:
+ proper fix for the cmake flags issue
+- remove temporary-cmake-flags-fix.patch
+
+-------------------------------------------------------------------
Old: ---- temporary-cmake-flags-fix.patch yubico-piv-tool-2.5.0.tar.gz yubico-piv-tool-2.5.0.tar.gz.sig New: ---- cmake-flags-upstream-issue-474.patch yubico-piv-tool-2.5.1.tar.gz yubico-piv-tool-2.5.1.tar.gz.sig BETA DEBUG BEGIN: Old: proper fix for the cmake flags issue - remove temporary-cmake-flags-fix.patch BETA DEBUG END: BETA DEBUG BEGIN: New: * ykpiv: cmd: ykcs11: Fix buffer size for key import. - add cmake-flags-upstream-issue-474.patch: proper fix for the cmake flags issue BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ yubico-piv-tool.spec ++++++
--- /var/tmp/diff_new_pack.fLWFPc/_old 2024-02-15 21:02:33.936559028 +0100
+++ /var/tmp/diff_new_pack.fLWFPc/_new 2024-02-15 21:02:33.940559169 +0100
@@ -18,7 +18,7 @@
 %define sover 2
 Name: yubico-piv-tool
-Version: 2.5.0
+Version: 2.5.1
 Release: 0
 Summary: Yubico YubiKey NEO CCID Manager
 License: BSD-2-Clause
@@ -28,8 +28,8 @@
 Source1: https://developers.yubico.com/yubico-piv-tool/Releases/%{name}-%{version}.tar.gz.sig
 Source3: yubico-piv-tool.keyring
 Patch1: pthread-link.patch
-# Remove the following patch once cmake/* is fixed in upstream:
-Patch2: temporary-cmake-flags-fix.patch
+# https://github.com/Yubico/yubico-piv-tool/issues/474
+Patch2: cmake-flags-upstream-issue-474.patch
 BuildRequires: c++_compiler
 BuildRequires: check-devel
 BuildRequires: cmake
++++++ cmake-flags-upstream-issue-474.patch ++++++
commit a3b81d574ac20a1f17eea245da6096f59416b8f7 Author: Wolfgang Frisch <wolfgang.fri...@suse.com> Date: Thu Feb 15 10:23:03 2024 +0100 cmake: fix semicolons in CFLAGS of custom modules Both `openssl.cmake` and `pcscd.cmake` use FindPkgConfig to retrieve the required CFLAGS and LDFLAGS. However FindPkgConfig returns lists [1], which are stored as semicolon-separated strings in CMake. This breaks the build when there's more than one flag in any of those variables. Fixes https://github.com/Yubico/yubico-piv-tool/issues/474
diff --git a/CMakeLists.txt b/CMakeLists.txt
index ae6654e..1bc068a 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -25,7 +25,7 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-cmake_minimum_required (VERSION 3.5)
+cmake_minimum_required (VERSION 3.12)
 # policy CMP0025 is to get AppleClang identifier rather than Clang for both
 # this matters since the apple compiler accepts different flags.
 cmake_policy(SET CMP0025 NEW)
diff --git a/cmake/openssl.cmake b/cmake/openssl.cmake
index e650d81..ec29ee3 100644
--- a/cmake/openssl.cmake
+++ b/cmake/openssl.cmake
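Review bot: With `cmake_minimum_required (VERSION 3.12)` the explicit `cmake_policy(SET CMP0025 NEW)` two lines below, together with the two comment lines explaining it, becomes redundant: CMP0025 was introduced in CMake 3.0, and `cmake_minimum_required` already defaults every policy up to the requested version to NEW. The reason for the bump is also invisible in this file, since it is the `list(JOIN)` calls in cmake/openssl.cmake and cmake/pcscd.cmake that need 3.12; a short comment on the changed line, `# 3.12 needed for list(JOIN) in cmake/*.cmake`, would stop the next maintainer from lowering it again.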
@@ -84,8 +84,9 @@ macro (find_libcrypto)
 endif(WIN32 OR OPENSSL_STATIC_LINK)
 message(" OpenSSL version: ${OPENSSL_VERSION}")
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${LIBCRYPTO_CFLAGS}")
- set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${LIBCRYPTO_CFLAGS}")
+ list(JOIN LIBCRYPTO_CFLAGS " " LIBCRYPTO_CFLAGS_STRING)
+ set(CMAKE_C_FLAGS "${LIBCRYPTO_CFLAGS_STRING} ${CMAKE_C_FLAGS}")
+ set(CMAKE_CXX_FLAGS "${LIBCRYPTO_CFLAGS_STRING} ${CMAKE_CXX_FLAGS}")
 link_directories(${LIBCRYPTO_LIBRARY_DIRS})
 include_directories(${LIBCRYPTO_INCLUDE_DIRS})
diff --git a/cmake/pcscd.cmake b/cmake/pcscd.cmake
index 4222693..5fe0ad9 100644
--- a/cmake/pcscd.cmake
+++ b/cmake/pcscd.cmake
@@ -75,7 +75,7 @@ macro (find_pcscd)
 set(ENV{PKG_CONFIG_PATH} "${PCSCLITE_PKG_PATH}:$ENV{PKG_CONFIG_PATH}")
 pkg_check_modules(PCSC REQUIRED libpcsclite)
 if(PCSC_FOUND)
- set(PCSC_LIBRARIES ${PCSC_LDFLAGS})
+ list(JOIN PCSC_LDFLAGS " " PCSC_LIBRARIES)
 if(VERBOSE_CMAKE)
 message("PCSC_FOUND: ${PCSC_FOUND}")
 message("PCSC_LIBRARY_DIRS: ${PCSC_LIBRARY_DIRS}")
@@ -100,8 +100,9 @@ macro (find_pcscd)
 else(${PCSC_DIR} NOT STREQUAL "")
 set(PCSC_CUSTOM_LIBS "-Wl,-l${PCSC_LIB}")
 endif(${PCSC_DIR} NOT STREQUAL "")
- set(CMAKE_C_FLAGS ${PCSC_CFLAGS} ${CMAKE_C_FLAGS})
- set(PCSC_LIBRARIES ${PCSC_LIBRARIES} ${PCSC_CUSTOM_LIBS})
+ list(JOIN PCSC_CFLAGS " " PCSC_CFLAGS_STRING)
+ set(CMAKE_C_FLAGS "${PCSC_CFLAGS_STRING} ${CMAKE_C_FLAGS}")
+ set(PCSC_LIBRARIES "${PCSC_LIBRARIES} ${PCSC_CUSTOM_LIBS}")
 unset(PCSC_MACOSX_LIBS)
 unset(PCSC_WIN_LIBS)
 unset(PCSC_LIBS)
++++++ yubico-piv-tool-2.5.0.tar.gz -> yubico-piv-tool-2.5.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-2.5.0/CMakeLists.txt new/yubico-piv-tool-2.5.1/CMakeLists.txt
--- old/yubico-piv-tool-2.5.0/CMakeLists.txt 2024-01-31 12:38:07.000000000 +0100
+++ new/yubico-piv-tool-2.5.1/CMakeLists.txt 2024-02-12 13:19:18.000000000 +0100
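Review bot: The joined string still goes into the global `CMAKE_C_FLAGS`/`CMAKE_CXX_FLAGS`, so every target configured after `find_libcrypto` inherits libcrypto's cflags, and the `@@ -100,8 +100,9 @@` hunk of cmake/pcscd.cmake repeats the pattern for `PCSC_CFLAGS`. Since the patch already raises the minimum to 3.12, the flags could stay a list and be attached where they are used — `pkg_check_modules(LIBCRYPTO REQUIRED IMPORTED_TARGET libcrypto)` plus `target_link_libraries(<tgt> PRIVATE PkgConfig::LIBCRYPTO)` carries cflags, include dirs and link dirs together and makes the join, `link_directories` and `include_directories` unnecessary (assuming `LIBCRYPTO_CFLAGS` does come from `pkg_check_modules`, as the commit message suggests). The new lines also switch from append to prepend, so pkg-config flags now precede user-supplied CFLAGS; that is arguably the better order for options where the last occurrence wins, but it is not mentioned in the commit message and deserves a comment such as `# pkg-config flags first so user CFLAGS take precedence`. Because `find_libcrypto` is a macro, `LIBCRYPTO_CFLAGS_STRING` leaks into the caller's scope; an `unset(LIBCRYPTO_CFLAGS_STRING)` after the two `set()` calls would mirror the `unset(PCSC_*)` lines in pcscd.cmake. The macro begins and ends outside the hunk.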
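Review bot: `list(JOIN PCSC_LDFLAGS " " PCSC_LIBRARIES)` converts what used to be a CMake list into a single space-separated string, and the `@@ -100,8 +100,9 @@` hunk then concatenates `PCSC_CUSTOM_LIBS` into that same string. Whether that is right depends on the consumer, which is outside this patch: a flags-string consumer such as `CMAKE_EXE_LINKER_FLAGS` needs the join, but `target_link_libraries()` would receive e.g. `-L<dir> -lpcsclite` as one item and emit it as a single quoted linker argument, failing precisely in the multi-flag case this patch sets out to fix. Please confirm how `PCSC_LIBRARIES` is consumed elsewhere in the project before merging; if it feeds `target_link_libraries`, the list form should stay — `set(PCSC_LIBRARIES ${PCSC_LDFLAGS})` here and `list(APPEND PCSC_LIBRARIES ${PCSC_CUSTOM_LIBS})` in the later hunk. The `find_pcscd` macro begins and ends outside the hunk.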
@@ -40,7 +40,7 @@ set (yubico_piv_tool_VERSION_MAJOR 2) set (yubico_piv_tool_VERSION_MINOR 5) -set (yubico_piv_tool_VERSION_PATCH 0) +set (yubico_piv_tool_VERSION_PATCH 1) set (VERSION "${yubico_piv_tool_VERSION_MAJOR}.${yubico_piv_tool_VERSION_MINOR}.${yubico_piv_tool_VERSION_PATCH}") set (SO_VERSION 2) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-2.5.0/NEWS new/yubico-piv-tool-2.5.1/NEWS --- old/yubico-piv-tool-2.5.0/NEWS 2024-01-31 12:38:07.000000000 +0100 +++ new/yubico-piv-tool-2.5.1/NEWS 2024-02-12 13:19:18.000000000 +0100 @@ -1,11 +1,12 @@ yubico-piv-tool NEWS -- History of user-visible changes. -*- outline -*- +* Version 2.5.1 (released 2024-02-14) + +** ykpiv: cmd: ykcs11: Fix buffer size for key import. + * Version 2.5.0 (released 2024-01-31) -** ykpiv: cmd: ykcs11: Add support for RSA3072 and RSA4096 key types. Available in firmware 5.7.0 and newer -** ykpiv: cmd: Add support for ED25519 and X25519 key types. Available in firmware 5.7.0 and newer -** ykpiv: cmd: Add support for deleting keys. Available in firmware 5.7.0 and newer -** ykpiv: cmd: Add support for moving keys between slots. Available in firmware 5.7.0 and newer +** ykpiv: cmd: ykcs11: Various changes and improvements. * Version 2.4.2 (released 2023-12-07) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-2.5.0/debian/changelog new/yubico-piv-tool-2.5.1/debian/changelog --- old/yubico-piv-tool-2.5.0/debian/changelog 2024-01-31 12:38:07.000000000 +0100 +++ new/yubico-piv-tool-2.5.1/debian/changelog 2024-02-12 13:19:18.000000000 +0100 
@@ -1,3 +1,9 @@ +yubico-piv-tool (2.5.1) stable; urgency=medium + + * ykpiv: cmd: ykcs11: Fix buffer size for key import. + + -- Aveen Ismail <aveen.ism...@yubico.com> Wed, 14 Feb 2024 13:08:31 +0100 + yubico-piv-tool (2.5.0) stable; urgency=medium * ykpiv: cmd: ykcs11: Add support for RSA3072 and RSA4096 key types. Available in firmware 5.7.0 and newer diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-2.5.0/doc/Actions/index.adoc new/yubico-piv-tool-2.5.1/doc/Actions/index.adoc --- old/yubico-piv-tool-2.5.0/doc/Actions/index.adoc 2024-01-31 12:38:07.000000000 +0100 +++ new/yubico-piv-tool-2.5.1/doc/Actions/index.adoc 2024-02-12 13:19:18.000000000 +0100 @@ -12,6 +12,8 @@ |link:key_generation.adoc[request, request-certificate] | Generated a certification request for an asymmetric key stored on a specific slot |link:key_generation.adoc[selfsign, selfsign-certificate] | Generates a self signed X509 certificate for an asymmetric key stored on a specific slot |link:delete_certificate.adoc[delete-cert, delete-certificate] | Deletes a certificate from a specific slot +|link:key_delete.adoc[delete-key] | Deletes a key from a specific slot +|link:key_move.adoc[move-key] | Moves a key between slots |link:read_certificate.adoc[read-cert, read-certificate] | Returns the X509 certificate stored on a specific slot |link:read_write_objects.adoc[write-object] | Stores an object in a slot |link:read_write_objects.adoc[read-object] | Returns the content of a slot diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-2.5.0/doc/Actions/key_delete.adoc new/yubico-piv-tool-2.5.1/doc/Actions/key_delete.adoc --- old/yubico-piv-tool-2.5.0/doc/Actions/key_delete.adoc 1970-01-01 01:00:00.000000000 +0100 +++ new/yubico-piv-tool-2.5.1/doc/Actions/key_delete.adoc 2024-02-12 13:19:18.000000000 +0100 
@@ -0,0 +1,31 @@ +== Key Delete + $ yubico-piv-tool -a delete-key -s <slot> -k + +=== Description +Deletes a key from the specified PIV slot. + +NOTE: This actions deletes only the key, not the certificate. So if the slot already stores a certificate, it +might still look populated even if the key is no longer there. + +Deleting a key is an action that requires authentication, which is done +by providing the management key. If no management key is provided, the tool will try to authenticate +using the default management key.footnote:[It is strongly recommended to change the Yubikey's PIN, PUK and +management key before start using it.] + +=== Parameters + +|=================================== +|Parameter | Required | Optional | Description | Possible values | Default value + +|-s, --slot | X | | What key slot to delete the key from | 9a, 9c, 9d, 9e, 82, 83, 84, 85, 86, 87, 88, 89, +8a, 8b, 8c, 8d, 8e, 8f, 90, 91, 92, 93, 94, 95, f9 | +|-k, --key | X | | Management key to use, if no value is specified key will be asked for | | 010203040506070801020304050607080102030405060708 +|=================================== + +=== Examples + + $ yubico-piv-tool -a delete-key -s 9c -k + Enter Password: + Enter management key: + Successfully deleted key. + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-2.5.0/doc/Actions/key_generation.adoc new/yubico-piv-tool-2.5.1/doc/Actions/key_generation.adoc --- old/yubico-piv-tool-2.5.0/doc/Actions/key_generation.adoc 2024-01-31 12:38:07.000000000 +0100 +++ new/yubico-piv-tool-2.5.1/doc/Actions/key_generation.adoc 2024-02-12 13:19:18.000000000 +0100 
@@ -30,7 +30,7 @@ |-s, --slot | X | | What key slot to operate on | 9a, 9c, 9d, 9e, 82, 83, 84, 85, 86, 87, 88, 89, 8a, 8b, 8c, 8d, 8e, 8f, 90, 91, 92, 93, 94, 95, f9 | |-k, --key | X | | Management key to use, if no value is specified key will be asked for | | 010203040506070801020304050607080102030405060708 -|-A, --algorithm | | X | What algorithm to use to generate the key pair | RSA1024, RSA2048, ECCP256, ECCP384 | RSA2048 +|-A, --algorithm | | X | What algorithm to use to generate the key pair | RSA1024, RSA2048, RSA3072, RSA4096, ECCP256, ECCP384, ED25519, X25519 | RSA2048 |-i, --input | | X | Filename to use as input | file name or "-" for stdin | - |-o, --output | | X | Filename to use as output | file name or "-" for stdin | - |-S, --subject | | X | The subject to use for the certificate. The subject must be written as: /CN=host.example.com/OU=test/O=example.com/ | | diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-2.5.0/doc/Actions/key_move.adoc new/yubico-piv-tool-2.5.1/doc/Actions/key_move.adoc --- old/yubico-piv-tool-2.5.0/doc/Actions/key_move.adoc 1970-01-01 01:00:00.000000000 +0100 +++ new/yubico-piv-tool-2.5.1/doc/Actions/key_move.adoc 2024-02-12 13:19:18.000000000 +0100 
@@ -0,0 +1,33 @@ +== Key Move + $ yubico-piv-tool -a move-key -s <slot> --to-slot <slot> -k + +=== Description +Moves a key from one PIV slot to another. + +NOTE: This actions moves only the key, not the certificate. So if the slot already stores a certificate, it +might still look populated even if the key is no longer there. + +Moving a key is an action that requires authentication, which is done +by providing the management key. If no management key is provided, the tool will try to authenticate +using the default management key.footnote:[It is strongly recommended to change the Yubikey's PIN, PUK and +management key before start using it.] + +=== Parameters + +|=================================== +|Parameter | Required | Optional | Description | Possible values | Default value + +|-s, --slot | X | | What key slot to move the key from | 9a, 9c, 9d, 9e, 82, 83, 84, 85, 86, 87, 88, 89, +8a, 8b, 8c, 8d, 8e, 8f, 90, 91, 92, 93, 94, 95, f9 | +|--to-slot | X | | What key slot to move the key to | 9a, 9c, 9d, 9e, 82, 83, 84, 85, 86, 87, 88, 89, +8a, 8b, 8c, 8d, 8e, 8f, 90, 91, 92, 93, 94, 95, f9 | +|-k, --key | X | | Management key to use, if no value is specified key will be asked for | | 010203040506070801020304050607080102030405060708 +|=================================== + +=== Examples + + $ yubico-piv-tool -a move-key -s 9c --to-slot 84 -k + Enter Password: + Enter management key: + Successfully moved key. + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-2.5.0/doc/Actions/signing.adoc new/yubico-piv-tool-2.5.1/doc/Actions/signing.adoc --- old/yubico-piv-tool-2.5.0/doc/Actions/signing.adoc 2024-01-31 12:38:07.000000000 +0100 +++ new/yubico-piv-tool-2.5.1/doc/Actions/signing.adoc 2024-02-12 13:19:18.000000000 +0100 
@@ -14,7 +14,7 @@ |-s, --slot | X | | What key slot to operate on | 9a, 9c, 9d, 9e, 82, 83, 84, 85, 86, 87, 88, 89, 8a, 8b, 8c, 8d, 8e, 8f, 90, 91, 92, 93, 94, 95, f9 | -|-A, --algorithm | | X | What algorithm to use to generate the key pair | RSA1024, RSA2048, ECCP256, ECCP384 | RSA2048 +|-A, --algorithm | | X | What algorithm to use to generate the key pair | RSA1024, RSA2048, RSA3072, RSA4096, ECCP256, ECCP384, ED25519 | RSA2048 |-H, --hash | | X | Hash to use for signatures | SHA1, SHA256, SHA384, SHA512 | SHA256 |-i, --input | | X | Filename to use as input | file name or "-" for stdin | - |-o, --output | | X | Filename to use as output | file name or "-" for stdin | - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-2.5.0/lib/tests/api.c new/yubico-piv-tool-2.5.1/lib/tests/api.c --- old/yubico-piv-tool-2.5.0/lib/tests/api.c 2024-01-31 12:38:07.000000000 +0100 +++ new/yubico-piv-tool-2.5.1/lib/tests/api.c 2024-02-12 13:19:18.000000000 +0100 
@@ -228,55 +228,92 @@ // RSA2048 private key, generated with: `openssl genrsa 2048 -out private.pem` static const char *private_key_pem = - "-----BEGIN RSA PRIVATE KEY-----\n" - "MIIEpAIBAAKCAQEAwVUwmVbc+ffOy2+RivxBpgleTVN6bUa0q7jNYB+AseFQYaYq\n" - "EGfa+VGdxSGo+8DV1KT9+fNEd5243gXn/tcjtMItKeB+oAQc64s9lIFlYuR8bpq1\n" - "ibr33iW2elnnv9mpecqohdCVwM2McWveoPyb7MwlwVuhqexOzJO29bqJcazLbtkf\n" - "ZETK0oBx53/ylA4Y6nE9Pa46jW2qhj+KShf1iBg+gAyt3eI+wI2Wmub1WxLLH8D2\n" - "w+kow8QhQOa8dHCkRRw771JxVO5+d+Y/Y+x9B1HgF4q0q9xUlhWLK2TR4ChBFzXe\n" - "47sAHsSqi/pl5JbwYrHPOE/VEBLukmjL8NFCSQIDAQABAoIBADmEyOK2DyRnb6Ti\n" - "2qBJEJb/boj+7wuX36S/ZIrWlIlXiXyj3RvoaiOG/rNpokbURknvlIhKsfIMgLW9\n" - "eBo/k6Xxp1IwMjwVPS1uzbFjFfDoHYUijiQd9iSnf7TDDsnrThqoCp9VQViNTt1n\n" - "xGKNBS7cRddTFbPiVEdVIzfUeZPR2oRrc4maBCRCrQgg8WNknawmc8zhkf2NiPj3\n" - "tWLQHMy1/MgW2W1LM9sgzllEtS5CZUnyGy2HbbhS2tbZ6j9kPzOp0pPxxTTzJmmV\n" - "fi1vkJcVW4+MdXjWmhALcPA4dO7Y2Ljiu6VxIxQORRO1DyiCjAs1AVMQxgPAAY41\n" - "YR4Q2EkCgYEA4zE0oytg97aVaBY9CKi7/PqR+NI/uEvfoQCnT+ddaJgp/qsspuXo\n" - "tJt94p13ANd8O7suqQTVNvbZq1rX10xQjJZ9nvlqQa6iHkN6Epq31XBK3Z+acjIV\n" - "A2rAgKBByjz9/CpKHqnOsrTWU1Y7x416IG4BZt42hHdrxRH98/wiDH8CgYEA2djj\n" - "AjwgK+MwDnshwT1NNgCSP/2ZHatBAykZ5BCs9BJ6MNYqqXVGYoqs5Z5kSkow+Db3\n" - "pipkEieo5w2Rd5zkolTThaVCvRkSe5wRiBpZhaeY+b0UFwavGCb6zU/MmJIMDPiI\n" - "2iRGeCXgQDvIS/icIqzbTtp6dZaoMgG7LdSR7TcCgYBtxGhaLas8A8tL7vKuLFgn\n" - "cij0vyBqOr5hW596y54l2t7vXGTGfm5gVIAN7WaB0ZsEgPuaTet2Eu44DDwcmZKR\n" - "WmR3Wqor8eQCGzfvpTEMvqRtT5+fbPMaI4m+m68ttyo/m28UQZbMYPLscM2RLJnE\n" - "8WFcAiD0/33iST8ZksggoQKBgQDE/7Yhsj+hkHxHzB+1QPtOp2uaBHnvc4uCESwB\n" - "qvbMbN0kxrejsJLqz98UcozdBYSNIiAHmvQN2uGJuCJhGXdEORNjGxRkLoUhVPwh\n" - "qTplfC8BQHQncnrqi21oNw6ctg3BuQsAwaccRZwqWiWCVhrT3J8iCr6NEaWeOySK\n" - "iF1CNwKBgQCRpkkZArlccwS0kMvkK+tQ1rG2xWm7c05G34gP/g6dHFRy0gPNMyvi\n" - "SkiLTJmQIEZSAEiq0FFgcVwM6o556ftvQZuwDp5rHUbwqnHCpMJKpD9aJpStvfPi\n" - "4p9JbYdaGqnq4eoNKemmGnbUof0dR9Zr0lGmcMTwwzBib+4E1d7soA==\n" - "-----END RSA PRIVATE KEY-----\n"; + "-----BEGIN RSA 
PRIVATE KEY-----\n" + "MIIJKAIBAAKCAgEAvPae/qsMe8ClDmjVFuNQyZu8L2yzGGRud+m1jkPDN/1f9Tu7\n" + "8HoJmjN+1jeYyNa39v7C4YN9fZq/7isyJY/aFCbV1ODyTjWZIliEog3FgGjhE9KL\n" + "Sm0A+bLLzCxJExVmQm1ZRPxZQbZVq/IQG6QU76CxVthV9NeS0X5RkX91bzREru27\n" + "S4cdPd443ftWOcMcXughUD7Y81mg2neNqTgrw75Xq42i+x8dHexMwrwo7y3vzhka\n" + "4Wfwa9v3nvo1BV+wtL0+YuNt9pdGDa4WcGTTwmF4AjFGb20bYTmpCeatEgPLH7K/\n" + "pxP+jE4aGA8z+eYjAmY9gSxbqx2HUAQlNIhOLg8EBNtajXZlfwKroAosxgCftJHL\n" + "HWQoEfcUiJD2UI7NcCX6QUeB6sIgqo5CzIOEeN5UUSXo6+EKPsp0D89+yJhQnLRk\n" + "lsaG9prtFbj6PHpqIUYYmZNU6V14IEzut4twKdfLu+wsDCvsYV89I/yQv420CElM\n" + "t68G6wrM2COC4g9wJNyJ8JMUVYC1kfiWEQI2UwAFdrLinOfkSyELa93SVZEDUTrv\n" + "hhryv2CUp5SDWwLYH/4iAfox+kyksNNvtqdnODXyDm+ApEYKgA8rCx9dZ/pOoTW+\n" + "2az7H1yLlD3mK7yRU/++vGs3Kw9THB7/MuYQuRvTyrQq2Jm057gj72WWyccCAwEA\n" + "AQKCAgArPPNcqp8MoiQii/JWbmVJ/Iyu/VxttG1imuOkTfUZlqyiXKzAdexEkIvx\n" + "UH9xVVB7AAhvubq5RvOr985dsfDgs5IyR9ap9rG3njGbMzOCEn2OH5snyJF0kWj4\n" + "qxl9eGQRxxuqIWP7GVG5KoZtDLqNqmNpz867W6iIrzLS7Cte6sLclCFLQvt58KNq\n" + "h9xPE0omnU8iIX9bD6My2jBcDDJXc/JzmtE0TQZIlo1p8cwcDpLUwgHYmgP1ajva\n" + "8L25IRA6CyN/VTMQPcUV1EPmK+wYilz/g27uiDS/poX7cgEgIiYUdr5L6NNSH3zx\n" + "DGmEQRi5r9Na/19qZDNWJ9yrjJT2qD0U4Om3apIdvs2DQ0t+qkE9RA6aYWLhfeeC\n" + "WdCilqONxoJy7E09k8ImaR91/r+QPysHzsx2L2V0xhiJo5sWsILn3GK4+UILU2NT\n" + "JrGcCmqL3YjouZrFnHtgwVuRNV/xUv52uRPIwBJV2BKb4NnSegLbbKKym21EMRmo\n" + "gNz/8iYphdrTS6tqsEIKmb4JzkPHVbbm8BJkBsOjXqRhFczaZ0JniFpzctjVo6C9\n" + "xTcf+nwUbFksSEH0SJFyCHDRCDOGQecA8yJ8RqPmKHs/z1DQ/L505jML0/jqniuY\n" + "vFHp2hhRFja+xDMXopDrMFtxmyZeRkTnVQgDwj6C3cjs4whyIQKCAQEA6TaPK/c4\n" + "5+PenS+qjUNW+VqibckZn5B6qLEjPHC4e85AjA90PJriRYw5lecfw1jY4imIWj21\n" + "MlqkAMRuaiiqj3td61l4pRN/n5HhhyKE6bNOuxCDCvwA5244q42VLgosGbm/SGzG\n" + "Xswpbee0nwNXBR/Iu/s8utY9fdTT5z/0hd4IMU7NmaEZ1psDG/0o2ykru8UnLcCj\n" + "0cCsgsPDl6Ew1mKWNM5ht+1sqTp2JvgNZ4Z8zHxgHC0wC9YFU8X4NNp/+6iyTmfj\n" + "fYPszq3lfGVDUwTroqWGrgAix0LlDsbPnYqoayG9OIiCEpZJ+J1oj7mZO5zvLtSO\n" + 
"t/2UBQ8A4XbXGwKCAQEAz206LMh0X10Wt+quhrKiwirKE/aRzPg7uQg7LQCRdoUE\n" + "aPP+tP9PfGEwy3aGnChdStf457qyjbXiSi0Bids70EQQtIOMjDJyllFT2CvvFJir\n" + "e5YDgan5v/ltUdJxfa1weq08xFgzF/tP3p2uZs9iDJ6I5g1pxzFMi7VGXELqAEg7\n" + "vPqn82UOzo4vD8zPohLcrI1kozlBp1GJ9RMDq6FVASb/ztpnArv6ExYoUAehKPDU\n" + "AqPHIFp6dA9KkfupIA1TjSmx/sJQgPXMMeuPBlAoPvVH91eQvgdeytmJA6Xpif3O\n" + "osBIjc+ThHp8f7jR8N6T0At4IiFataI1PUs9qLPmxQKCAQBCwPo0RHyGa8RBy+4O\n" + "p1LS5y2NLT3nXYyukp2aZE16KqxxKs9DtbXE4IFvNgvyd5EFE4xTAEzIUAeXrKJK\n" + "Qr+neFGG10JgRfeG7lPWwXu4BToo823/C+kaVYNlH46u8fxzlKZ7DZ+ubNQDAIrD\n" + "5UnYTqO/owdcF4zcYroQ/E56rvY7Xuoc6m8h7ZbzQQCb0uoQwjsXrod1t6fpei2X\n" + "Tm1TQD7seJKh+hTbT7+YIfJ8SpOYWJWOGyUgji9SLl2Ai3aMy1nWdYg5WjTDaCVC\n" + "+R1POx5TnPuy/Jj33l8AXsn4t0LD/5FRCEnrFhewUSYn1aFV3fLcvbzoT246EHRZ\n" + "FRI3AoIBAQDO54lL+nf6WAS9WB7WxYGMZNpFp4IwDrykCQ3eCd8Pdge8GQZMzQ8g\n" + "ZmIh0gzb33ePnHbvz08kA/XBP7t1I3Y6fGqdZUrg3cFnJ6CW1Nwak18aW70Lrd0u\n" + "HUNqhpwmXMcB16PxxnjQxyIYUPkSHHMVW136/A4zX32XLi8NAMIhnevYyb6WDowC\n" + "hdlzzTyf0mjExhVIq2hN2gvepiTXIoqEJ76rOzfdhlwghc2YZsPe7rrMF0odf6L9\n" + "+fLMQ1ekXSamfJzMHk/nE0en0+xKw9IhWtF6a6I5q2hmty7wsKKPvthLh7nXmuLv\n" + "Fq7xSA5CUgLnV0lx4gt1emPYzCCpEypxAoIBADtuc1mzU/Momo8GMoSUOrOvTKam\n" + "zGafwLfxKhevqQaajlUhgaerYfJ5zxITmWk73p4d0Hin8OHpyO+NP49hPs0th8eW\n" + "FfhmZN/g9alKM39vJd69GyghQLdXkPeUVVt6sTWijmc9/Q991+Gq97xB/pT7NF58\n" + "p92BYPWLy5dItn3OGZeI6FJSGZGHgd1Xu+k0qsAAqaTuQ5MEzsklUpNbgQVmMX5V\n" + "TY5Ns7jqhserbjwSFt2wc3N9oUEsaTQTA6OyF1MzS50w/oVXRj6FIti1HpuEg9PT\n" + "yEaZ9BmaMWkVLEqUxWW+robyb6VpjayYfv53ZcQZmUdzgc/0ByUa84xmCZg=\n" + "-----END RSA PRIVATE KEY-----\n"; // Certificate signed with key above: // `openssl req -x509 -key private.pem -out cert.pem -subj "/CN=bar/OU=test/O=example.com/" -new` static const char *certificate_pem = - "-----BEGIN CERTIFICATE-----\n" - "MIIC5zCCAc+gAwIBAgIJAOq8A/cmpxF5MA0GCSqGSIb3DQEBCwUAMDMxDDAKBgNV\n" - "BAMMA2JhcjENMAsGA1UECwwEdGVzdDEUMBIGA1UECgwLZXhhbXBsZS5jb20wHhcN\n" - 
"MTcwODAzMTE1MDI2WhcNMTgwODAzMTE1MDI2WjAzMQwwCgYDVQQDDANiYXIxDTAL\n" - "BgNVBAsMBHRlc3QxFDASBgNVBAoMC2V4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0B\n" - "AQEFAAOCAQ8AMIIBCgKCAQEAwVUwmVbc+ffOy2+RivxBpgleTVN6bUa0q7jNYB+A\n" - "seFQYaYqEGfa+VGdxSGo+8DV1KT9+fNEd5243gXn/tcjtMItKeB+oAQc64s9lIFl\n" - "YuR8bpq1ibr33iW2elnnv9mpecqohdCVwM2McWveoPyb7MwlwVuhqexOzJO29bqJ\n" - "cazLbtkfZETK0oBx53/ylA4Y6nE9Pa46jW2qhj+KShf1iBg+gAyt3eI+wI2Wmub1\n" - "WxLLH8D2w+kow8QhQOa8dHCkRRw771JxVO5+d+Y/Y+x9B1HgF4q0q9xUlhWLK2TR\n" - "4ChBFzXe47sAHsSqi/pl5JbwYrHPOE/VEBLukmjL8NFCSQIDAQABMA0GCSqGSIb3\n" - "DQEBCwUAA4IBAQCamrwdEhNmY2GCQWq6U90Q3XQT6w0HHW/JmtuGeF+BTpVr12gN\n" - "/UvEXTo9geWbGcCTjaMMURTa7mUjVUIttIWEVHZMKqBuvsUM1RcuOEX/vitaJJ8K\n" - "Sw4upjCNa3ZxUXmSA1FBixZgDzFqjEeSiaJjMU0yX5W2p1T4iNYtF3YqzMF5AWSI\n" - "qCO7gP5ezPyg5kDnrO3V7DBgnDiqawq7Pyn9DynKNULX/hc1yls/R+ebb2u8Z+h5\n" - "W4YXbzGZb8qdT27qIZaHD638tL6liLkI6UE4KCXH8X8e3fqdbmqvwrq403nOGmsP\n" - "cbJb2PEXibNEQG234riKxm7x7vNDLL79Jwtc\n" - "-----END CERTIFICATE-----\n"; + "-----BEGIN CERTIFICATE-----\n" + "MIIFRzCCAy+gAwIBAgIUU+jDEMBfkBpcmygX0QnZB4AyyeowDQYJKoZIhvcNAQEL\n" + "BQAwMzEMMAoGA1UEAwwDYmFyMQ0wCwYDVQQLDAR0ZXN0MRQwEgYDVQQKDAtleGFt\n" + "cGxlLmNvbTAeFw0yNDAyMDkxNDM5NDlaFw0yNDAzMTAxNDM5NDlaMDMxDDAKBgNV\n" + "BAMMA2JhcjENMAsGA1UECwwEdGVzdDEUMBIGA1UECgwLZXhhbXBsZS5jb20wggIi\n" + "MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC89p7+qwx7wKUOaNUW41DJm7wv\n" + "bLMYZG536bWOQ8M3/V/1O7vwegmaM37WN5jI1rf2/sLhg319mr/uKzIlj9oUJtXU\n" + "4PJONZkiWISiDcWAaOET0otKbQD5ssvMLEkTFWZCbVlE/FlBtlWr8hAbpBTvoLFW\n" + "2FX015LRflGRf3VvNESu7btLhx093jjd+1Y5wxxe6CFQPtjzWaDad42pOCvDvler\n" + "jaL7Hx0d7EzCvCjvLe/OGRrhZ/Br2/ee+jUFX7C0vT5i4232l0YNrhZwZNPCYXgC\n" + "MUZvbRthOakJ5q0SA8sfsr+nE/6MThoYDzP55iMCZj2BLFurHYdQBCU0iE4uDwQE\n" + "21qNdmV/AqugCizGAJ+0kcsdZCgR9xSIkPZQjs1wJfpBR4HqwiCqjkLMg4R43lRR\n" + "Jejr4Qo+ynQPz37ImFCctGSWxob2mu0VuPo8emohRhiZk1TpXXggTO63i3Ap18u7\n" + "7CwMK+xhXz0j/JC/jbQISUy3rwbrCszYI4LiD3Ak3InwkxRVgLWR+JYRAjZTAAV2\n" + 
"suKc5+RLIQtr3dJVkQNROu+GGvK/YJSnlINbAtgf/iIB+jH6TKSw02+2p2c4NfIO\n" + "b4CkRgqADysLH11n+k6hNb7ZrPsfXIuUPeYrvJFT/768azcrD1McHv8y5hC5G9PK\n" + "tCrYmbTnuCPvZZbJxwIDAQABo1MwUTAdBgNVHQ4EFgQU6bj+/AsV7xO0lYOeUDQO\n" + "+xcsZF0wHwYDVR0jBBgwFoAU6bj+/AsV7xO0lYOeUDQO+xcsZF0wDwYDVR0TAQH/\n" + "BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAsaleHaVa9YvX0gYmoAveif6K/Nlv\n" + "J72bAg9612jS1LbNNe1rsvHs45+LojtF8BC5+3kJa5+H7QE/vI2zJyfnY9dwDfWP\n" + "0sWlOEZD/csNsVPFw1dxjy73kE49Ec+9eY0PlSSi1pdgipFNZRXqn2gpTKXnNceO\n" + "XJtFqZ2MD+JPTye0TevKN1qC6p3TV3OtXG+8Wr+Gv6O+FJfNisxoCbIm5zp2sr0j\n" + "GLLBEe89fnAe1B1LbsopdqA4waBN6qIiVkyDGEFOOnMPehXoM+5vkEUnr3GsA2fC\n" + "1t7FUR2Np1/ncMGnuGM4aeoQGWLi0KXvHmZJgo05/n9/wveU2POWHaJvUL5wzZsp\n" + "+OxSyDZagNeri6rq6E6n+R2q/sXardhQWSZW9khkN/3jsdTc3p5zVTH0ahGs/mt0\n" + "NhXErJOk2Ot/7BN3uuIA0enc1/58TmJN9z1FBP1oRE+HpRXmBAb1TDslPSvPf1tL\n" + "Aydd0+qSrKrR7KJknr8mzSHalWmXDhdm0h5ZteWo5RBOMkb/Kdr5Htp44ioi0JgS\n" + "tVnCq0VDvDQlRKvewkux4DDB+ZmTZEvIHQq5cOD37h09VPDT5AmYMnug9HMDiOT7\n" + "W+nnb5bVpw+cpKbcpMz7xiz1TGjHKm7wovJIgGe+M6P3ZcRvWfi7yYaL8U/JJChp\n" + "CuRM0YVggUE4so4=\n" + "-----END CERTIFICATE-----\n"; static void import_key(unsigned char slot, unsigned char pin_policy) { @@ -288,12 +325,12 @@ BIO *bio = NULL; RSA *rsa_private_key = NULL; unsigned char e[4] = {0}; - unsigned char p[128] = {0}; - unsigned char q[128] = {0}; - unsigned char dmp1[128] = {0}; - unsigned char dmq1[128] = {0}; - unsigned char iqmp[128] = {0}; - int element_len = 128; + unsigned char p[256] = {0}; + unsigned char q[256] = {0}; + unsigned char dmp1[256] = {0}; + unsigned char dmq1[256] = {0}; + unsigned char iqmp[256] = {0}; + int element_len = 256; const BIGNUM *bn_e, *bn_p, *bn_q, *bn_dmp1, *bn_dmq1, *bn_iqmp; bio = BIO_new_mem_buf(private_key_pem, strlen(private_key_pem)); @@ -328,7 +365,7 @@ // Try right algorithm res = ykpiv_import_private_key(g_state, slot, - YKPIV_ALGO_RSA2048, + YKPIV_ALGO_RSA4096, p, element_len, q, element_len, dmp1, element_len, 
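Review bot: The context comment that opens the hunk, `// RSA2048 private key, generated with: ...openssl genrsa 2048 -out private.pem...`, is now stale: the replacement blob is a 4096-bit key, which the test below imports as `YKPIV_ALGO_RSA4096`, so `RSA2048` and `genrsa 2048` in that comment should become `RSA4096` and `genrsa 4096`. The replacement `certificate_pem` also appears to carry only a 30-day validity window — its encoded notBefore/notAfter decode to 2024-02-09 and 2024-03-10, the `openssl req -x509` default when `-days` is omitted; the previous certificate had already expired in 2018, so the test presumably does not check validity, but adding `-days 3650` to the recorded command and regenerating would keep the fixture usable by anything that does. Both `private_key_pem` and `certificate_pem` are complete inside the hunk.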
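Review bot: Replacing `YKPIV_ALGO_RSA2048` with `YKPIV_ALGO_RSA4096` here (and in the `@@ -367`, `@@ -420` and `@@ -502` hunks further down) swaps the coverage rather than extending it, so the 2048-bit import/decipher/sign path this test previously exercised is no longer tested at all. For a release whose only note is "Fix buffer size for key import", a regression test wants both sizes: keep the previous 2048-bit PEM pair alongside the new one and drive the sequence once per algorithm, for instance by giving `import_key()` an `algorithm` argument and deriving `element_len` and the buffer sizes from it. `import_key()` is declared at the end of the previous hunk and its body continues beyond this one.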
@@ -346,9 +383,9 @@ BIO *bio = NULL; X509 *cert = NULL; EVP_PKEY *pub_key = NULL; - unsigned char secret[32] = {0}; - unsigned char secret2[32] = {0}; - unsigned char data[256] = {0}; + unsigned char secret[64] = {0}; + unsigned char secret2[64] = {0}; + unsigned char data[512] = {0}; int len; size_t len2 = sizeof(data); RSA *rsa = NULL; @@ -367,7 +404,7 @@ ck_assert_int_ge(len, 0); res = ykpiv_verify(g_state, "123456", NULL); ck_assert_int_eq(res, YKPIV_OK); - res = ykpiv_decipher_data(g_state, data, (size_t)len, data, &len2, YKPIV_ALGO_RSA2048, slot); + res = ykpiv_decipher_data(g_state, data, (size_t)len, data, &len2, YKPIV_ALGO_RSA4096, slot); ck_assert_int_eq(res, YKPIV_OK); len = RSA_padding_check_PKCS1_type_2(secret2, sizeof(secret2), data + 1, len2 - 1, RSA_size(rsa)); ck_assert_int_eq(len, sizeof(secret)); @@ -391,14 +428,14 @@ const EVP_MD *md = EVP_sha256(); EVP_MD_CTX *mdctx; - unsigned char signature[1024] = {0}; - unsigned char encoded[1024] = {0}; - unsigned char data[1024] = {0}; - unsigned char signinput[1024] = {0}; + unsigned char signature[2048] = {0}; + unsigned char encoded[2048] = {0}; + unsigned char data[2048] = {0}; + unsigned char signinput[2048] = {0}; unsigned char rand[128] = {0}; size_t sig_len = sizeof(signature); - size_t padlen = 256; + size_t padlen = 512; unsigned int enc_len; unsigned int data_len; @@ -420,7 +457,7 @@ prepare_rsa_signature(data, data_len, encoded, &enc_len, EVP_MD_type(md)); ck_assert_int_ne(RSA_padding_add_PKCS1_type_1(signinput, padlen, encoded, enc_len), 0); - res = ykpiv_sign_data(g_state, signinput, padlen, signature, &sig_len, YKPIV_ALGO_RSA2048, 0x9a); + res = ykpiv_sign_data(g_state, signinput, padlen, signature, &sig_len, YKPIV_ALGO_RSA4096, 0x9a); ck_assert_int_eq(res, YKPIV_OK); ck_assert_int_eq(RSA_verify(EVP_MD_type(md), data, data_len, signature, sig_len, rsa), 1); 
@@ -432,7 +469,7 @@ // Verify that imported key can not be attested { - unsigned char attest[2048] = {0}; + unsigned char attest[4096] = {0}; size_t attest_len = sizeof(attest); ykpiv_devmodel model; model = ykpiv_util_devicemodel(g_state); 
@@ -502,23 +539,23 @@ ck_assert_int_ne(RSA_padding_add_PKCS1_type_1(signinput, padlen, encoded, enc_len), 0); // Sign without verify: fail - res = ykpiv_sign_data(g_state, signinput, padlen, signature, &sig_len, YKPIV_ALGO_RSA2048, 0x9e); + res = ykpiv_sign_data(g_state, signinput, padlen, signature, &sig_len, YKPIV_ALGO_RSA4096, 0x9e); ck_assert_int_eq(res, YKPIV_AUTHENTICATION_ERROR); // Sign with verify: pass res = ykpiv_verify(g_state, "123456", NULL); ck_assert_int_eq(res, YKPIV_OK); - res = ykpiv_sign_data(g_state, signinput, padlen, signature, &sig_len, YKPIV_ALGO_RSA2048, 0x9e); + res = ykpiv_sign_data(g_state, signinput, padlen, signature, &sig_len, YKPIV_ALGO_RSA4096, 0x9e); ck_assert_int_eq(res, YKPIV_OK); // Sign again without verify: fail - res = ykpiv_sign_data(g_state, signinput, padlen, signature, &sig_len, YKPIV_ALGO_RSA2048, 0x9e); + res = ykpiv_sign_data(g_state, signinput, padlen, signature, &sig_len, YKPIV_ALGO_RSA4096, 0x9e); ck_assert_int_eq(res, YKPIV_AUTHENTICATION_ERROR); // Sign again with verify: pass res = ykpiv_verify(g_state, "123456", NULL); ck_assert_int_eq(res, YKPIV_OK); - res = ykpiv_sign_data(g_state, signinput, padlen, signature, &sig_len, YKPIV_ALGO_RSA2048, 0x9e); + res = ykpiv_sign_data(g_state, signinput, padlen, signature, &sig_len, YKPIV_ALGO_RSA4096, 0x9e); ck_assert_int_eq(res, YKPIV_OK); ck_assert_int_eq(RSA_verify(EVP_MD_type(md), data, data_len, signature, sig_len, rsa), 1); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-2.5.0/lib/ykpiv-config.h new/yubico-piv-tool-2.5.1/lib/ykpiv-config.h --- old/yubico-piv-tool-2.5.0/lib/ykpiv-config.h 2024-01-31 12:38:15.000000000 +0100 +++ new/yubico-piv-tool-2.5.1/lib/ykpiv-config.h 2024-02-12 13:19:28.000000000 +0100 
@@ -43,7 +43,7 @@ * version number. Used together with ykneomgr_check_version() to verify * header file and run-time library consistency. */ -#define YKPIV_VERSION_STRING "2.5.0" +#define YKPIV_VERSION_STRING "2.5.1" /** * YKPIV_VERSION_NUMBER diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-2.5.0/lib/ykpiv.c new/yubico-piv-tool-2.5.1/lib/ykpiv.c --- old/yubico-piv-tool-2.5.0/lib/ykpiv.c 2024-01-31 12:38:07.000000000 +0100 +++ new/yubico-piv-tool-2.5.1/lib/ykpiv.c 2024-02-12 13:19:18.000000000 +0100 @@ -1887,7 +1887,7 @@ const unsigned char *ec_data, unsigned char ec_data_len, const unsigned char pin_policy, const unsigned char touch_policy) { - unsigned char key_data[1024] = {0}; + unsigned char key_data[2048] = {0}; unsigned char *in_ptr = key_data; unsigned char templ[] = {0, YKPIV_INS_IMPORT_KEY, algorithm, key}; unsigned char data[256] = {0}; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-2.5.0/lib/ykpiv.pc new/yubico-piv-tool-2.5.1/lib/ykpiv.pc --- old/yubico-piv-tool-2.5.0/lib/ykpiv.pc 2024-01-31 12:38:15.000000000 +0100 +++ new/yubico-piv-tool-2.5.1/lib/ykpiv.pc 2024-02-12 13:19:28.000000000 +0100 @@ -33,7 +33,7 @@ Name: yubico-piv-tool Description: Yubico PIV C Library URL: https://www.yubico.com/ -Version: 2.5.0 +Version: 2.5.1 Requires.private: libcrypto Libs: -L${libdir} -lykpiv Cflags: -I${includedir}/ykpiv diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-2.5.0/resources/macos/make_release_binaries.sh new/yubico-piv-tool-2.5.1/resources/macos/make_release_binaries.sh --- old/yubico-piv-tool-2.5.0/resources/macos/make_release_binaries.sh 2024-01-31 12:38:07.000000000 +0100 +++ new/yubico-piv-tool-2.5.1/resources/macos/make_release_binaries.sh 2024-02-12 13:19:18.000000000 +0100 
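Review bot: The enlarged `key_data[2048]` makes room for an RSA4096 import (five CRT components of up to 256 bytes each plus TLV headers, consistent with `element_len = 256` in the updated tests), but this hunk shows only the declaration: the writes through `in_ptr` that fill it are outside the hunk, so please confirm each copy is bounded by `sizeof(key_data)` rather than by trust in the caller's `*_len` arguments, since this is presumably the public `ykpiv_import_private_key` entry point and an oversized element would otherwise overrun a stack buffer. A comment on the new line would record the sizing rationale and the input bound it relies on, e.g. `/* RSA4096: 5 CRT components of <= 256 bytes each plus TLV overhead */`. The function's signature starts above the hunk and its body continues below it.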
@@ -75,13 +75,13 @@
 install_name_tool -change $BREW_LIB/openssl@3/lib/libcrypto.3.dylib @loader_path/../lib/libcrypto.3.dylib $FINAL_INSTALL_DIR/lib/libykcs11.$VERSION.dylib
 install_name_tool -change $BREW_LIB/openssl@3/lib/libcrypto.3.dylib @loader_path/../lib/libcrypto.3.dylib $FINAL_INSTALL_DIR/bin/yubico-piv-tool
-install_name_tool -change $BREW_LIB/zlib/lib/libz.1.dylib @loader_path/../lib/libz.1.dylib $FINAL_INSTALL_DIR/lib/libykpiv.$VERSION.dylib
-install_name_tool -change $BREW_LIB/zlib/lib/libz.1.dylib @loader_path/../lib/libz.1.dylib $FINAL_INSTALL_DIR/lib/libykcs11.$VERSION.dylib
-install_name_tool -change $BREW_LIB/zlib/lib/libz.1.dylib @loader_path/../lib/libz.1.dylib $FINAL_INSTALL_DIR/bin/yubico-piv-tool
+install_name_tool -change /usr/lib/libz.1.dylib @loader_path/../lib/libz.1.dylib $FINAL_INSTALL_DIR/lib/libykcs11.$VERSION.dylib
+install_name_tool -change /usr/lib/libz.1.dylib @loader_path/../lib/libz.1.dylib $FINAL_INSTALL_DIR/lib/libykpiv.$VERSION.dylib
+install_name_tool -change /usr/lib/libz.1.dylib @loader_path/../lib/libz.1.dylib $FINAL_INSTALL_DIR/bin/yubico-piv-tool
-install_name_tool -rpath "$FINAL_INSTALL_DIR/lib" "@loader_path/../lib" "$FINAL_INSTALL_DIR/lib/libykpiv.$VERSION.dylib"
-install_name_tool -rpath "$FINAL_INSTALL_DIR/lib" "@loader_path/../lib" "$FINAL_INSTALL_DIR/lib/libykcs11.$VERSION.dylib"
-install_name_tool -rpath "$FINAL_INSTALL_DIR/lib" "@loader_path/../lib" "$FINAL_INSTALL_DIR/bin/yubico-piv-tool"
+install_name_tool -rpath "/usr/local/lib" "@loader_path/../lib" "$FINAL_INSTALL_DIR/lib/libykcs11.$VERSION.dylib"
+install_name_tool -rpath "/usr/local/lib" "@loader_path/../lib" "$FINAL_INSTALL_DIR/lib/libykpiv.$VERSION.dylib"
+install_name_tool -rpath "/usr/local/lib" "@loader_path/../lib" "$FINAL_INSTALL_DIR/bin/yubico-piv-tool"
 if otool -L $FINAL_INSTALL_DIR/lib/*.dylib $FINAL_INSTALL_DIR/bin/* | grep '$FINAL_INSTALL_DIR' | grep -q compatibility; then
 echo "something is incorrectly linked!";
diff -urN '--exclude=CVS' 
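Review bot: The three `-rpath` rewrites now hard-code `/usr/local/lib` as the entry to replace instead of `$FINAL_INSTALL_DIR/lib`, so the script silently assumes the binaries were linked with that prefix; install_name_tool rejects a `-rpath` whose old path is not present, and when it does succeed the result is only right if the `/usr/lib/libz.1.dylib` reference on the three `-change` lines also matches what the linker actually recorded and a `libz.1.dylib` is really shipped in `$FINAL_INSTALL_DIR/lib`. The existing `otool -L` check below greps for the literal string `'$FINAL_INSTALL_DIR'` (single quotes, never expanded), so it cannot catch a leftover absolute path in either case. Consider asserting the expected load commands with `otool -l` before rewriting, and a comment above the libz lines such as `# binaries reference the system libz; point them at the bundled copy in ../lib`.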
'--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-2.5.0/resources/scripts/opensc_tests.sh new/yubico-piv-tool-2.5.1/resources/scripts/opensc_tests.sh
--- old/yubico-piv-tool-2.5.0/resources/scripts/opensc_tests.sh 2024-01-31 12:38:07.000000000 +0100
+++ new/yubico-piv-tool-2.5.1/resources/scripts/opensc_tests.sh 2024-02-12 13:19:18.000000000 +0100
@@ -20,6 +20,8 @@
 pkcs11-tool --module $MODULE --login --login-type so --so-pin 010203040506070801020304050607080102030405060708 --keypairgen --id 2 --key-type EC:prime256v1
 pkcs11-tool --module $MODULE --login --login-type so --so-pin 010203040506070801020304050607080102030405060708 --keypairgen --id 3 --key-type rsa:1024
 pkcs11-tool --module $MODULE --login --login-type so --so-pin 010203040506070801020304050607080102030405060708 --keypairgen --id 4 --key-type rsa:2048
+pkcs11-tool --module $MODULE --login --login-type so --so-pin 010203040506070801020304050607080102030405060708 --keypairgen --id 5 --key-type rsa:3072
+pkcs11-tool --module $MODULE --login --login-type so --so-pin 010203040506070801020304050607080102030405060708 --keypairgen --id 6 --key-type rsa:4096
 echo "******************* Signing Tests ********************* "
 echo "this is test data" > data.txt
@@ -27,6 +29,8 @@
 pkcs11-tool --module $MODULE --sign --pin 123456 --id 2 -m ECDSA-SHA1 --signature-format openssl -i data.txt -o data.sig
 pkcs11-tool --module $MODULE --sign --pin 123456 --id 3 -i data.txt -o data.sig
 pkcs11-tool --module $MODULE --sign --pin 123456 --id 4 -i data.txt -o data.sig
+pkcs11-tool --module $MODULE --sign --pin 123456 --id 5 -i data.txt -o data.sig
+pkcs11-tool --module $MODULE --sign --pin 123456 --id 6 -i data.txt -o data.sig
 rm data.txt
 rm data.sig
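Review bot: The two added `--sign` lines for `--id 5` and `--id 6` write data.sig and the file is then deleted without being checked, so a truncated or garbage signature from the new 3072/4096-bit keys passes as long as pkcs11-tool exits zero; the older lines have the same gap, but the new key sizes are exactly where a buffer-size regression would surface. Verifying each signature against the matching public key, e.g. `openssl pkeyutl -verify -pubin -inkey <id>_pubkey.pem -sigfile data.sig -in data.txt` with padding matching pkcs11-tool's default mechanism, would turn the step into an actual test. Whether a failing command aborts the script depends on a `set -e` at the top, which is outside the hunk.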
@@ -41,6 +45,14 @@
 openssl x509 -inform DER -outform PEM -in 9e_cert.crt -out 9e_cert.pem
 openssl x509 -in 9e_cert.pem -pubkey -noout > 9e_pubkey.pem
+pkcs11-tool --module $MODULE --read-object --type cert --id 5 -o 5_cert.crt
+openssl x509 -inform DER -outform PEM -in 5_cert.crt -out 5_cert.pem
+openssl x509 -in 5_cert.pem -pubkey -noout > 5_pubkey.pem
+
+pkcs11-tool --module $MODULE --read-object --type cert --id 6 -o 6_cert.crt
+openssl x509 -inform DER -outform PEM -in 6_cert.crt -out 6_cert.pem
+openssl x509 -in 6_cert.pem -pubkey -noout > 6_pubkey.pem
+
 openssl rsautl -encrypt -oaep -inkey 9d_pubkey.pem -pubin -in data.txt -out data.oaep
 pkcs11-tool --module $MODULE --decrypt --pin 123456 --id 3 -m RSA-PKCS-OAEP -i data.oaep
 rm data.oaep
@@ -49,8 +61,18 @@
 pkcs11-tool --module $MODULE --decrypt --pin 123456 --id 4 -m RSA-PKCS-OAEP -i data.oaep
 rm data.oaep
+openssl rsautl -encrypt -oaep -inkey 5_pubkey.pem -pubin -in data.txt -out data.oaep
+pkcs11-tool --module $MODULE --decrypt --pin 123456 --id 5 -m RSA-PKCS-OAEP -i data.oaep
+rm data.oaep
+
+openssl rsautl -encrypt -oaep -inkey 6_pubkey.pem -pubin -in data.txt -out data.oaep
+pkcs11-tool --module $MODULE --decrypt --pin 123456 --id 6 -m RSA-PKCS-OAEP -i data.oaep
+rm data.oaep
+
 rm 9d_cert.crt 9d_cert.pem 9d_pubkey.pem
 rm 9e_cert.crt 9e_cert.pem 9e_pubkey.pem
+rm 5_cert.crt 5_cert.pem 5_pubkey.pem
+rm 6_cert.crt 6_cert.pem 6_pubkey.pem
 rm data.txt
 echo "******************* Testing RSA Tests ********************* "
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-2.5.0/resources/win/yubico-piv-tool_x64.wxs new/yubico-piv-tool-2.5.1/resources/win/yubico-piv-tool_x64.wxs
--- old/yubico-piv-tool-2.5.0/resources/win/yubico-piv-tool_x64.wxs 2024-01-31 12:38:07.000000000 +0100
+++ new/yubico-piv-tool-2.5.1/resources/win/yubico-piv-tool_x64.wxs 2024-02-12 13:19:18.000000000 +0100
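Review bot: In the `@@ -49,8 +61,18 @@` hunk the added OAEP round-trips for ids 5 and 6 decrypt data.oaep to stdout and never compare the output with data.txt, so they only prove that `pkcs11-tool --decrypt` exited, not that the 3072/4096-bit path recovers the plaintext; adding `-o data.dec` to each decrypt followed by `cmp data.txt data.dec` would make it a real check. The new lines also copy `openssl rsautl`, which OpenSSL 3 marks deprecated; `openssl pkeyutl -encrypt -pubin -inkey 5_pubkey.pem -pkeyopt rsa_padding_mode:oaep -in data.txt -out data.oaep` is the equivalent that will keep working, and likewise for the id 6 block.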
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi" xmlns:util="http://schemas.microsoft.com/wix/UtilExtension">
- <?define ProductVersion="2.5.0" ?>
+ <?define ProductVersion="2.5.1" ?>
 <?define ProductName="Yubico PIV Tool (x64)" ?>
 <Product Id="*" UpgradeCode="e4f980c4-5dd5-4d39-95b7-c6362ae65be8" Name="$(var.ProductName)" Version="$(var.ProductVersion)" Manufacturer="Yubico AB" Language="1033">
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-2.5.0/resources/win/yubico-piv-tool_x86.wxs new/yubico-piv-tool-2.5.1/resources/win/yubico-piv-tool_x86.wxs
--- old/yubico-piv-tool-2.5.0/resources/win/yubico-piv-tool_x86.wxs 2024-01-31 12:38:07.000000000 +0100
+++ new/yubico-piv-tool-2.5.1/resources/win/yubico-piv-tool_x86.wxs 2024-02-12 13:19:18.000000000 +0100
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi" xmlns:util="http://schemas.microsoft.com/wix/UtilExtension">
- <?define ProductVersion="2.5.0" ?>
+ <?define ProductVersion="2.5.1" ?>
 <?define ProductName="Yubico PIV Tool (x86)" ?>
 <Product Id="*" UpgradeCode="1aa2f085-add9-4556-9e21-299b078e6273" Name="$(var.ProductName)" Version="$(var.ProductVersion)" Manufacturer="Yubico AB" Language="1033">
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-2.5.0/tool/yubico-piv-tool.1 new/yubico-piv-tool-2.5.1/tool/yubico-piv-tool.1
--- old/yubico-piv-tool-2.5.0/tool/yubico-piv-tool.1 2024-01-31 12:38:20.000000000 +0100
+++ new/yubico-piv-tool-2.5.1/tool/yubico-piv-tool.1 2024-02-12 13:19:33.000000000 +0100
@@ -1,5 +1,5 @@
 .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.49.1.
-.TH YUBICO-PIV-TOOL "1" "January 2024" "yubico-piv-tool 2.5.0" "User Commands"
+.TH YUBICO-PIV-TOOL "1" "February 2024" "yubico-piv-tool 2.5.1" "User Commands"
 .SH NAME
 yubico-piv-tool \- Tool for managing Personal Identity Verification credentials on Yubikeys
 .SH SYNOPSIS
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-2.5.0/tool/yubico-piv-tool.c new/yubico-piv-tool-2.5.1/tool/yubico-piv-tool.c
--- old/yubico-piv-tool-2.5.0/tool/yubico-piv-tool.c 2024-01-31 12:38:07.000000000 +0100
+++ new/yubico-piv-tool-2.5.1/tool/yubico-piv-tool.c 2024-02-12 13:19:18.000000000 +0100
@@ -520,16 +520,30 @@
 if(YKPIV_IS_RSA(algorithm)) {
 RSA *rsa_private_key = EVP_PKEY_get1_RSA(private_key);
 unsigned char e[4] = {0};
- unsigned char p[128] = {0};
- unsigned char q[128] = {0};
- unsigned char dmp1[128] = {0};
- unsigned char dmq1[128] = {0};
- unsigned char iqmp[128] = {0};
+ unsigned char p[256] = {0};
+ unsigned char q[256] = {0};
+ unsigned char dmp1[256] = {0};
+ unsigned char dmq1[256] = {0};
+ unsigned char iqmp[256] = {0};
 const BIGNUM *bn_e, *bn_p, *bn_q, *bn_dmp1, *bn_dmq1, *bn_iqmp;
- int element_len = 128;
- if(algorithm == YKPIV_ALGO_RSA1024) {
- element_len = 64;
+ int element_len = 0;
+ switch(algorithm) {
+ case YKPIV_ALGO_RSA1024:
+ element_len = 64;
+ break;
+ case YKPIV_ALGO_RSA2048:
+ element_len = 128;
+ break;
+ case YKPIV_ALGO_RSA3072:
+ element_len = 192;
+ break;
+ case YKPIV_ALGO_RSA4096:
+ element_len = 256;
+ break;
+ default:
+ fprintf(stderr, "Unsupported RSA algorithm\n");
+ goto import_out;
 }
 RSA_get0_key(rsa_private_key, NULL, &bn_e, NULL);
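Review bot: The new `default:` branch in the yubico-piv-tool.c hunk jumps to `import_out` right after `EVP_PKEY_get1_RSA(private_key)` has handed out a reference in `rsa_private_key`; unless the `import_out` label, which is outside the hunk, releases it with `RSA_free`, that error path leaks the key object. The switch derives `element_len` purely from the algorithm byte, and the hunk shows no check that the actual size of `private_key` matches it, so a key whose modulus does not match the requested algorithm would reach the component copies after `RSA_get0_key` with an element size that is too small or too large; worth confirming that the code following the hunk compares `BN_num_bytes` of each component against `element_len` before copying. A comment on the switch, `/* element_len = modulus bytes / 2: the size of each CRT component (p, q, dmp1, dmq1, iqmp) */`, would explain the 64/128/192/256 values. The enclosing function starts and ends outside the hunk.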
@@ -567,11 +581,11 @@
 }
 rc = ykpiv_import_private_key(state, key, algorithm,
- p, (size_t)element_len,
- q, (size_t)element_len,
- dmp1, (size_t)element_len,
- dmq1, (size_t)element_len,
- iqmp, (size_t)element_len,
+ p, element_len,
+ q, element_len,
+ dmp1, element_len,
+ dmq1, element_len,
+ iqmp, element_len,
 NULL, 0,
 pp, tp);
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-2.5.0/ykcs11/mechanisms.c new/yubico-piv-tool-2.5.1/ykcs11/mechanisms.c
--- old/yubico-piv-tool-2.5.0/ykcs11/mechanisms.c 2024-01-31 12:38:07.000000000 +0100
+++ new/yubico-piv-tool-2.5.1/ykcs11/mechanisms.c 2024-02-12 13:19:18.000000000 +0100
@@ -292,7 +292,7 @@
 }
 // Sign with PIV
- unsigned char sigbuf[256] = {0};
+ unsigned char sigbuf[512] = {0};
 size_t siglen = sizeof(sigbuf);
 ykpiv_rc rcc = ykpiv_sign_data(session->slot->piv_state, session->op_info.buf, session->op_info.buf_len, sigbuf, &siglen, session->op_info.op.sign.algorithm, session->op_info.op.sign.piv_key);
 if(rcc == YKPIV_OK) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-2.5.0/ykcs11/objects.c new/yubico-piv-tool-2.5.1/ykcs11/objects.c
--- old/yubico-piv-tool-2.5.0/ykcs11/objects.c 2024-01-31 12:38:07.000000000 +0100
+++ new/yubico-piv-tool-2.5.1/ykcs11/objects.c 2024-02-12 13:19:18.000000000 +0100
@@ -2171,7 +2171,7 @@
 return CKR_TEMPLATE_INCOMPLETE;
 }
- if (*p_len != 64 && *p_len != 128) {
+ if (*p_len != 64 && *p_len != 128 && *p_len != 192 && *p_len != 256) {
 DBG("Invalid RSA component lengths");
 return CKR_ATTRIBUTE_VALUE_INVALID;
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-2.5.0/ykcs11/ykcs11-config.h new/yubico-piv-tool-2.5.1/ykcs11/ykcs11-config.h
--- old/yubico-piv-tool-2.5.0/ykcs11/ykcs11-config.h 2024-01-31 12:38:15.000000000 +0100
+++ new/yubico-piv-tool-2.5.1/ykcs11/ykcs11-config.h 2024-02-12 13:19:28.000000000 +0100
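Review bot: Dropping the `(size_t)` casts in the `ykpiv_import_private_key` call leaves `element_len`, an `int` set by the switch in the previous hunk, implicitly converted at five argument positions; the prototype is outside the hunk (the ykpiv.c hunk earlier in this diff only shows `unsigned char ec_data_len`), so this is harmless only if those parameters are `size_t` and the value is never negative, which the switch guarantees by jumping to `import_out` for unknown algorithms. A cleaner form is to declare `size_t element_len = 0;` where the switch sets it, so these call lines stay cast-free without relying on an int-to-size_t conversion that `-Wsign-conversion` would flag. The enclosing function starts outside the hunk.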
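Review bot: The widened check in the objects.c hunk lets `*p_len` be 192 or 256, but by itself it only validates that the prime length is one of the known sizes; whether the other four components are required to have the same length, and whether the algorithm derived from `*p_len` (presumably further down this function, outside the hunk) now has RSA3072 and RSA4096 cases too, is not visible here — if that mapping still knows only 64 and 128, a 192/256-byte template would pass this gate and be rejected or mis-sized later. A comment naming the mapping, `// 64/128/192/256 bytes = RSA1024/2048/3072/4096 CRT components`, would make the list self-explaining. The enclosing function starts and ends outside the hunk.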
@@ -43,7 +43,7 @@
 * version number. Used together with ykneomgr_check_version() to verify
 * header file and run-time library consistency.
 */
-#define YKCS11_VERSION_STRING "2.5.0"
+#define YKCS11_VERSION_STRING "2.5.1"
 /**
 * YKCS11_VERSION_NUMBER
@@ -53,7 +53,7 @@
 * this symbol will have the value 0x01020300. The last two digits
 * are only used between public releases, and will otherwise be 00.
 */
-#define YKCS11_VERSION_NUMBER 2.5.0
+#define YKCS11_VERSION_NUMBER 2.5.1
 /**
 * YKCS11_VERSION_MAJOR
@@ -80,7 +80,7 @@
 * level of the header file version number. For example, when the
 * header version is 1.2.3 this symbol will be 3.
 */
-#define YKCS11_VERSION_PATCH 0
+#define YKCS11_VERSION_PATCH 1
 /**
 * _WIN32
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-2.5.0/ykcs11/ykcs11.pc new/yubico-piv-tool-2.5.1/ykcs11/ykcs11.pc
--- old/yubico-piv-tool-2.5.0/ykcs11/ykcs11.pc 2024-01-31 12:38:15.000000000 +0100
+++ new/yubico-piv-tool-2.5.1/ykcs11/ykcs11.pc 2024-02-12 13:19:28.000000000 +0100
@@ -33,5 +33,5 @@
 Name: yubico-piv-tool
 Description: Yubico PIV PKCS#11 Module
 URL: https://www.yubico.com/
-Version: 2.5.0
+Version: 2.5.1
 Libs: -L${libdir} -lykcs11
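Review bot: `#define YKCS11_VERSION_NUMBER 2.5.1` in the `@@ -53,7 +53,7 @@` hunk is not a valid integer constant, while the comment directly above it describes the macro as a packed hex value such as `0x01020300`; any `#if YKCS11_VERSION_NUMBER >= ...` or arithmetic use would fail to compile, so the bump should produce `#define YKCS11_VERSION_NUMBER 0x02050100` (or, if this header is generated, the template that emits it should be fixed). The defect predates the commit but the new line repeats it, and the `YKPIV_VERSION_NUMBER` counterpart in ykpiv-config.h is not shown in this diff, so it is worth checking the same way. The `YKCS11_VERSION_PATCH` hunk below is consistent with 2.5.1.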