
Releases: Yubico/Yubico.NET.SDK

1.11.0 - June 2024 Release

30 Jun 10:23
b039a8c

Release date: June 28th, 2024

This release introduces significant enhancements and new features for YubiKeys running the latest firmware (version 5.7) and YubiKey Bio/Bio Multi-Protocol Edition keys. Highlights include temporary disablement of NFC connectivity, PIN complexity status, support for RSA 3072 and 4096-bit keys, and support for biometric verification. Additionally, USB reclaim speed has been optimized and adjustments to the touch sensor sensitivity have been implemented. For details on all changes, see below.

Features:

  • Support for YubiKeys with the latest firmware (version 5.7):
    • NFC connectivity can now be temporarily disabled with SetIsNfcRestricted() (#91).
    • Additional property pages on the YubiKey are now read into YubiKeyDeviceInfo (#92).
    • PIN complexity:
      • Complexity status can now be checked with IsPinComplexityEnabled (#92).
      • PIN complexity error messages and exceptions have been added (#112).
    • The set of YubiKey applications that are capable of being put into FIPS mode can be retrieved with FipsCapable. The set of YubiKey applications that are in FIPS mode can be retrieved with FipsApproved (#92).
    • The part number for a key’s Secure Element processor, if available, can be retrieved with PartNumber (#92).
    • The set of YubiKey applications that are blocked from being reset can be retrieved with ResetBlocked (#92).
    • PIV:
      • 3072 and 4096 RSA keys can now be generated and imported (#100).
      • Keys can now be moved between all YubiKey PIV slots except for the attestation slot with MoveKeyCommand. Any PIV key can now be deleted from any PIV slot with DeleteKeyCommand (#103).
  • Support for YubiKey Bio/Bio Multi-Protocol Edition keys:
    • Bio metadata can now be retrieved with GetBioMetadataCommand (#108).
    • New PIV PIN verification policy enum values (MatchOnce, MatchAlways) have been added (#108).
    • Biometric verification is now supported (#108).
  • A device-wide reset can now be performed on YubiKey Bio Multi-Protocol Edition keys with DeviceReset (#110).
  • The USB reclaim speed, which controls the time it takes to switch from one YubiKey application to another, has been reduced for compatible YubiKeys. To use the previous 3-second reclaim timeout for all keys, see UseOldReclaimTimeoutBehavior (#93).
  • The sensitivity of the YubiKey’s capacitive touch sensor can now be temporarily adjusted with SetTemporaryTouchThreshold (#95).
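An added example (not code from the SDK or from these release notes) of a provisioning check that uses the 1.11.0 device properties listed above. It assumes the FirmwareVersion(major, minor, patch) constructor and its comparison operators, an IsNfcRestricted property alongside SetIsNfcRestricted(), and that FipsCapable, FipsApproved and ResetBlocked are YubiKeyCapabilities flag values; YubiKeyDevice.FindAll() and the other member names are as named in the notes.

```csharp
using System;
using Yubico.YubiKey;

// Added example, not SDK code. Assumed API surface: FirmwareVersion(5, 7, 0)
// and its "<" operator, IYubiKeyDevice.IsNfcRestricted, and YubiKeyCapabilities
// as the type of FipsCapable / FipsApproved / ResetBlocked.
public static class DeviceHealthCheck
{
    // Firmware 5.7 is the first version that reports the new property pages,
    // so the FIPS and PIN-complexity values are only meaningful from there on.
    private static readonly FirmwareVersion Minimum = new FirmwareVersion(5, 7, 0);

    public static void Run(bool restrictNfc)
    {
        foreach (IYubiKeyDevice key in YubiKeyDevice.FindAll())
        {
            Console.WriteLine($"Serial {key.SerialNumber}, firmware {key.FirmwareVersion}");

            if (key.FirmwareVersion < Minimum)
            {
                Console.WriteLine("  firmware older than 5.7; skipping 5.7-only checks");
                continue;
            }

            // FipsCapable says which applications *could* run in FIPS mode;
            // FipsApproved says which actually do. The difference is the set a
            // deployment still has to configure before it can claim FIPS mode.
            YubiKeyCapabilities notYetApproved = key.FipsCapable & ~key.FipsApproved;
            Console.WriteLine($"  FIPS capable:  {key.FipsCapable}");
            Console.WriteLine($"  FIPS approved: {key.FipsApproved}");
            if (notYetApproved != YubiKeyCapabilities.None)
            {
                Console.WriteLine($"  WARNING: FIPS-capable but not in FIPS mode: {notYetApproved}");
            }

            // When the key enforces PIN complexity, weak PINs are rejected on
            // the device and callers must expect the new complexity exceptions.
            Console.WriteLine($"  PIN complexity enforced: {key.IsPinComplexityEnabled}");
            Console.WriteLine($"  Reset blocked for:       {key.ResetBlocked}");
            Console.WriteLine($"  Secure element part no.: {key.PartNumber ?? "(not reported)"}");

            // The notes describe NFC restriction as temporary, so treat it as a
            // per-session mitigation (e.g. before handing a key to a shared
            // workstation), not as persisted configuration.
            if (restrictNfc && !key.IsNfcRestricted)
            {
                key.SetIsNfcRestricted(true);
                Console.WriteLine("  NFC temporarily disabled");
            }
        }
    }
}
```

The FipsCapable/FipsApproved comparison is the check worth automating: a key can be FIPS-capable while several of its applications are still running in non-FIPS mode, and only the FipsApproved set reflects the enforced state.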

Bug fixes:

  • The ManagementKeyAlgorithm is now updated when the PIV Application is reset (#105).
  • macOS input reports are now queued so that large responses aren't dropped (#84).
  • Smart card handles are now opened shared by default, reverting the exclusive-open behavior introduced in 1.9.1. To open them exclusively, enable the OpenSmartCardHandlesExclusively switch with AppContext.SetSwitch (#83).
  • A build issue that occurred when compiling Yubico.NativeShims on macOS has been fixed (#109).
  • The correct certificate OID friendly names are now used for ECDsaCng (nistP256) and ECDsaOpenSsl (ECDSA_P256) (#78).

Miscellaneous:

  • The way that YubiKey device info is read by the SDK has changed, and as a result, the following GetDeviceInfo command classes have been deprecated (#91):
    • Yubico.YubiKey.Management.Commands.GetDeviceInfoCommand
    • Yubico.YubiKey.Otp.Commands.GetDeviceInfoCommand
    • Yubico.YubiKey.U2f.Commands.GetDeviceInfoCommand
    • Yubico.YubiKey.Management.Commands.GetDeviceInfoResponse
    • Yubico.YubiKey.Otp.Commands.GetDeviceInfoResponse
    • Yubico.YubiKey.U2f.Commands.GetDeviceInfoResponse
  • Integration test guardrails have been added to ensure tests run only against explicitly specified keys (#100).
  • Unit tests now run on all platforms in CI (#80).

Dependencies:

  • The test packages xUnit and Microsoft.NET.Test.Sdk have been updated (#94).

Full Changelog: 1.10.0...1.11.0

1.10.0 - April 2024 Release

10 Apr 14:29
10b5901

Release date: April 10th, 2024

This release improves our native dependencies exposed through the Yubico.NativeShims package. We have also worked to improve the build and test experience of this repository by improving our automation and build files.

Changes:

  • Yubico.NativeShims targets OpenSSL version 3.x on all platforms - OpenSSL 1.1.x has reached end-of-life, so the SDK drops that dependency on every platform and builds against the supported 3.x series.
  • Dropped support for 32-bit Linux - Yubico.NativeShims no longer builds for 32-bit (x86) Linux. We now depend on Ubuntu releases that ship OpenSSL 3.x by default, and these newer releases no longer have mainstream support for this platform.
  • Compilation hardening of Yubico.NativeShims - Added commonly used compiler flags to increase security and code quality. Note that -Werror and -pedantic-errors turn every warning below into a build failure, and that _FORTIFY_SOURCE only takes effect when optimization is enabled, which -O2 provides.
    macOS / Linux:
    -Wformat: Warn about format string issues in printf-like functions.
    -Wformat-nonliteral: Warn about format strings that are not string literals.
    -Wformat-security: Warn about potential security issues related to format strings (e.g. a non-literal format string passed with no arguments).
    -Wall: Enable most warning messages
    -Wextra: Enable additional warning messages not included in -Wall
    -Werror: Treat all warnings as errors
    -Wcast-qual: Warn when a cast discards a qualifier such as const
    -Wshadow: Warn when a local variable shadows another variable
    -pedantic: Issue warnings for language features beyond the ISO C standard
    -pedantic-errors: Treat pedantic warnings as errors
    -Wbad-function-cast: Warn when a function call's return value is cast to a non-matching type (e.g. an integer return value cast to a pointer)
    -O2: Optimize code for performance
    -fpic: Generate position-independent code, as required for a shared library and for ASLR of its code pages
    -fstack-protector-all: Emit a stack canary in every function, not only in functions with character arrays
    -D_FORTIFY_SOURCE=2: Enable compile-time and runtime bounds checks for certain security-sensitive libc functions (memcpy, strcpy, sprintf and similar)
    Windows flags:
    /guard:cf: Enable Control Flow Guard, which validates indirect call targets at runtime
    /GS: Enable the buffer security check (stack cookies) against stack buffer overruns
    /Gs: Set the stack probe threshold, which controls when stack-checking calls are emitted for large frames; this is distinct from /GS
  • Addressed compiler warning concerning Runtime Identifiers (RID)
  • Enabled dotnet format - The repository now uses dotnet format to ensure that pull requests adhere to the repository's coding standards. A pass of the tool has been run against the entire repository and a new baseline has been checked in.

1.9.1 - November bugfix release

15 Nov 20:31
82a32ef

Release date: November 14th, 2023

Bug fixes:

  • SCard handle contention. Previously, the SDK was opening all smart card handles with
    shared permissions, meaning that other applications and services were still able to interact
    with the YubiKey while the SDK performed smart card operations. However, this allowed these
    other entities (such as smart card minidrivers) to alter the current state of the YubiKey
    without the SDK's knowledge. This would sometimes cause random failures and exceptions to
    occur when using the SDK. The SDK now opens the handle exclusively, which means other
    applications will not be able to open the smart card handle for read and write operations
    while the SDK is using it. Callers should take care to not keep a YubiKey connection or
    session open longer than is needed.
  • Config changes over FIDO2. The YubiKey Management commands are now available over all
    three logical USB interfaces (HID keyboard, HID FIDO, and smart card). The SDK will typically
    use the first available interface, giving some preference to the smart card. Previously,
    this operation would have failed on FIDO-only devices as the management commands were not
    properly wired up over this interface.

Miscellaneous:

  • Dependency updates. The dependencies of the SDK were updated to the latest packages
    available. Since the SDK itself does not take many dependencies outside of the .NET Base
    Class Libraries (BCL), there should not be much of a noticeable impact. The two that
    affect the SDK itself (and not just test code) are:
    • Microsoft.Extensions.Logging.Abstractions (6.0.1 -> 7.0.1)
    • System.Memory (4.5.4 -> 4.5.5)

1.9.0 - October 2023 release

13 Oct 21:30
8e91050

Release date: October 13th, 2023

Features:

  • FIDO2 PIN Config. The PIN config feature, if supported by the connected YubiKey, is a set of operations: set the minimum PIN length, force a PIN change, and return a minimum PIN length to a relying party.
  • FIDO2 GUI option for sample code. There is now a version of the FIDO2 sample code that uses Windows Forms. This GUI version of the sample code is provided mainly to demonstrate how to build touch and fingerprint notifications in a KeyCollector. This sample code runs only in a Windows environment.
  • SCP03 CMAC added to CryptographyProviders. SCP03 operations rely on the AES-CMAC algorithm, and, starting in this release, they will call on the CryptographyProviders class to retrieve an implementation. The default implementation uses OpenSSL.
  • SCP03 keys. This release adds the ability to change SCP03 key sets. This includes replacing the default key set, adding new key sets, and removing key sets. This is done using the new Scp03Session class.
  • SCP03 architecture. The process for building an SCP03 connection was updated. The previous method (Yubico.YubiKey.YubiKeyDeviceExtensions.WithScp03()) is now deprecated, and the new method (Yubico.YubiKey.IYubiKeyDevice.ConnectScp03()) simply requires passing in the SCP03 key set in addition to the application to connect to. Additionally, a convenience constructor has been added to PivSession that accepts the SCP03 static keys Yubico.YubiKey.Piv.PivSession(IYubiKeyDevice, Scp03.StaticKeys).
  • SCP03 documentation. The User's Manual article on SCP03 was updated to provide more comprehensive information.
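An added example (not code from the SDK or its release notes) of opening a PIV session through the SCP03 secure channel described above, so that the management key, PIN and command payloads are encrypted and MAC'd on the wire rather than sent in the clear over USB or NFC. It uses the PivSession(IYubiKeyDevice, Scp03.StaticKeys) constructor named in the 1.9.0 notes; the StaticKeys(mac, enc, dek) constructor taking three 16-byte AES keys, YubiKeyDevice.FindByTransport, the KeyCollector callback shape and GenerateKeyPair are assumptions about the SDK's public API.

```csharp
using System;
using System.Linq;
using Yubico.YubiKey;
using Yubico.YubiKey.Piv;
using Yubico.YubiKey.Scp03;

// Added example, not SDK code. Assumed: StaticKeys(channelMacKey,
// channelEncryptionKey, dataEncryptionKey), YubiKeyDevice.FindByTransport,
// KeyEntryData.Request / SubmitValue, and PivSession.GenerateKeyPair.
public static class Scp03PivExample
{
    // macKey/encKey/dekKey: the SCP03 static key set provisioned on this key.
    // managementKey: the PIV management key (24-byte 3DES or an AES key).
    public static void Run(byte[] macKey, byte[] encKey, byte[] dekKey, byte[] managementKey)
    {
        if (macKey.Length != 16 || encKey.Length != 16 || dekKey.Length != 16)
        {
            throw new ArgumentException("SCP03 static keys are 16-byte AES-128 keys");
        }

        IYubiKeyDevice? key = YubiKeyDevice.FindByTransport(Transport.SmartCard).FirstOrDefault();
        if (key is null)
        {
            throw new InvalidOperationException("No YubiKey reachable over the smart card interface");
        }

        var scp03Keys = new StaticKeys(macKey, encKey, dekKey);

        // Every APDU exchanged by this session is wrapped by SCP03: the channel
        // is established with the static keys before the first PIV command.
        // If the keys do not match the key set on the device, construction (or the
        // first command) fails and nothing sensitive has been sent in the clear.
        using var piv = new PivSession(key, scp03Keys);

        // The KeyCollector supplies the management key when the SDK asks for it;
        // returning false on any other request tells the SDK the caller declined.
        piv.KeyCollector = data =>
        {
            switch (data.Request)
            {
                case KeyEntryRequest.AuthenticatePivManagementKey:
                    data.SubmitValue(managementKey);
                    return true;
                case KeyEntryRequest.Release:
                    // Nothing cached here; the caller owns the managementKey buffer.
                    return true;
                default:
                    return false;
            }
        };

        // Generating a key pair requires management-key authentication, so this
        // exercises both the secure channel and the KeyCollector above.
        PivPublicKey publicKey = piv.GenerateKeyPair(
            PivSlot.Authentication,      // slot 9A
            PivAlgorithm.EccP256,
            PivPinPolicy.Once,
            PivTouchPolicy.Never);

        Console.WriteLine($"Generated {publicKey.Algorithm} key in slot 9A over SCP03");

        // Hygiene: the management key is no longer needed once the session closes.
        Array.Clear(managementKey, 0, managementKey.Length);
    }
}
```

Two points a reviewer would raise against a deployment built on this pattern: the SCP03 default key set is published, so a channel built on it provides only framing integrity against accidental interference and no confidentiality against anyone who knows the defaults (use Scp03Session, as the notes describe, to replace it during provisioning); and because the channel is bound to the session, keep the PivSession open only as long as the operation needs, as the 1.9.1 notes also advise for smart card handles.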

1.8.0 - June 2023 release

29 Jun 20:20
aa44de9

Release date: June 30th, 2023

Features:

  • FIDO2 Bio Enroll. This allows enrolling and enumerating fingerprint templates. In addition, the SDK implemented fingerprint verification for FIDO2 and incorporated it into the automatic verification process.
  • FIDO2 Authenticator Config Operations. This is a series of new methods that allow the programmer to perform some esoteric FIDO2 configuration operations, such as enabling enterprise attestation and increasing the minimum PIN length.
  • FIDO2 Update Credential Management to Support CredentialMgmtPreview. Some older YubiKeys do not support the "credential management" feature (enumerate credentials, delete credentials, and others), but do support the "credential management preview" feature. This is the same as "credential management" except that the preview version does not include "Update User Info". The credential management commands and Fido2Session methods now support "Preview", meaning calls to the credential management methods (e.g. Fido2Session.EnumerateRelyingParties) will work on older YubiKeys that support "CredentialMgmtPreview", just as they do on newer YubiKeys.
  • FIDO2 HMAC Secret Extension and CredProtect Extension. These are oft-used extensions, and the SDK now has methods to make using them easier (e.g. MakeCredentialParameters.AddHmacExtension and AuthenticatorData.GetHmacSecretExtension).
  • FIDO2 Encoded Attestation. The full encoded attestation statement is available when making a credential. This is useful if you are implementing or interoperating with the WebAuthn data types, since it is often easier to copy this field in its encoded form than to rebuild it from the parsed properties.
  • FIDO2 Update Sample Code. The FIDO2 sample project now contains examples that perform bio enroll, credential management, authenticator config, HMAC secret, and credProtect operations.
  • OTP Documentation Updates. There are new articles and information about slots (e.g. access codes, deleting), new articles on Hotp (what it is and programming an Hotp credential), new articles on static passwords (what it is and programming a slot to contain a static password), and a new article on updating slots, including manual update.

Bug Fixes:

  • NFC response code in FIDO2 now handled properly.
  • Community contribution by @jkolo that fixes high CPU usage on Linux due to the HID device listener not blocking properly. Thanks, @jkolo !

1.7.0 - March 2023 release

03 Apr 18:49
ec21700

Release date: March 31st, 2023

Features:

  • FIDO2 Credential Management. The credential management feature allows a client application to retrieve
    information about discoverable FIDO2 credentials on a YubiKey, update user information, and delete credentials.
    This includes enumerating the relying parties and user information for all the discoverable credentials.

1.6.1

02 Feb 23:42
39f7b17

Release date: February 2nd, 2023

Features:

  • Added KeyCollector variants to the YubiHsmAuthSession class for methods which require credential gathering.

Bug fixes:

  • Fixed a bug which prevented large responses from the OATH application from being received by the SDK. Fixes
    GitHub Issue #35.
  • The YubiKey can now accept a zero-length NDEF text prefix, which was previously prevented by the SDK.
  • Added an MSBuild target that instructs .NET Framework-based builds to automatically copy the correct
    version of Yubico.NativeShims.dll into the build's output directory. This requires the use of PackageReferences
    in the consuming project's csproj file in order to properly consume this dependency transitively through
    the Yubico.YubiKey package. Packages.config is not supported. Fixes
    GitHub Issue #11.
  • Addressed a difference in behavior found in EcdsaVerify that caused .NET Framework users to receive
    an exception. Fixes GitHub Issue #36.

1.6.0 - January 2023 release

16 Jan 23:45
8216c69

Release date: January 16th, 2023

Features:

  • FIDO2 Credential Blobs and Large Blob support. FIDO2 allows applications to store additional information
    alongside a credential. Credential Blobs and Large Blobs are two separate, though related, features for achieving
    this.

Bug fixes:

  • Added an MSBuild rule for projects that target .NET Framework 4.x that now automatically copy the correct
    version of Yubico.NativeShims.dll into the build directory. This addresses the "Missing DLL" issue that .NET
    Framework users would encounter. Fixes GitHub Issue #11.
  • Addressed an issue where the SDK would enumerate FIDO devices on Windows despite being un-elevated. Windows requires
    process elevation in order to communicate with FIDO devices. The SDK would display one or more YubiKeys with
    incorrect properties as a result. Fixes GitHub Issue #20.
  • A difference in behavior between .NET Framework 4.x and .NET 6 caused OAEP padding operations to fail for projects
    running on .NET Framework 4.x. The SDK has been updated to work around this difference in behavior and should
    now work for all supported versions of .NET. Fixes GitHub Issue #33.
  • The YubiKey requires a short delay when switching between its USB interfaces. Switching too quickly can result
    in failed operations and other strange behaviors. The SDK will now automatically wait the required amount of
    time to ensure stable communication with the YubiKey. Note that this may cause the first operation or command
    sent to the YubiKey to appear slow. Subsequent calls to the same application will not be affected.
    Fixes GitHub Issue #34.

1.5.1

18 Nov 21:32
da4ded8

Release date: November 18th, 2022

Bug fixes:

  • Fixed a bug in Yubico.NativeShims where a function parameter wasn't properly initialized. This
    affected enumeration of smart cards in some cases.
  • Upgraded System.Formats.Cbor to 7.0.0 now that .NET 7 has been released.
  • FIDO2 re-initializes the auth protocol after a failed PIN attempt. This now matches spec behavior.
  • Upgraded the version of OpenSSL that Yubico.NativeShims uses to 3.0.7. Note: the SDK was not affected by any of
    the November 2022 security advisories.

1.5.0 - October 2022 release

28 Oct 19:47
c7d9594

Release date: October 28th, 2022

Features:

  • YubiHSM Auth. YubiHSM Auth is a YubiKey application that stores the long-lived credentials used to
    establish secure sessions with a YubiHSM 2. The secure session protocol is based on Secure Channel Protocol
    3 (SCP03). The SDK adds full support for this application. This includes both management of credentials
    and creating the session keys for communicating with a YubiHSM 2.
  • FIDO2 partial support. The basic building blocks for FIDO2 are now available. Making credentials and
    generating assertions are now possible using the SDK, along with verification using both PIN and biometric
    touch. Both PIN protocols are also available. Future releases will add additional FIDO2 functionality.