1.12.1 - Patch release

Release date: December 19th, 2024

What's Changed

Bug Fixes:

• ConnectionFactory incorrectly using SmartCardConnection by @DennisDyallo in #179
• OathSession now correctly disposes the session in #179

Miscellaneous:

• ci: fixed bug in sign.ps1 by @DennisDyallo in #174

• ci: improvements to sign output by @DennisDyallo in #176

• documentation: Including README.md in the NuGet Packages by @DennisDyallo in #175

• documentation: management key algorithm by @equijano21 in #177

• Release 1.12.1 by @DennisDyallo in #181

Full Changelog: 1.12.0...1.12.1

1.12.0 - December 2024 Release

1.12.0

Release date: December 18th, 2024

Features:

• Security Domain application and Secure Channel Protocol (SCP) (#164):

  • SCP11a/b/c is now supported for the PIV, OATH, OTP, and YubiHSM applications.
  • SCP03 support has been extended to the OATH, OTP, and YubiHSM applications (previously PIV only).
  • The Yubico.YubiKey.Scp namespace now provides all SCP and Security Domain functionality. This namepace replaces functionality in the Yubico.YubiKey.Scp03 namespace, which has been deprecated.
  • The new SecurityDomainSession class provides an interface for managing the Security Domain application of a YubiKey. This includes SCP configuration (managing SCP03 key sets and SCP11 asymmetric keys and certificates) and creation of an encrypted communication channel with other YubiKey applications.
  • New key parameter classes have been added: ScpKeyParameters, Scp03KeyParameters, Scp11KeyParameters, ECKeyParameters, ECPrivateKeyParameters, ECPublicKeyParameters.

• YubiKeyDeviceListener has been reconfigured to run the listeners in the background instead of the main thread. In addition, the listeners can now be stopped when needed to reclaim resources. Once stopped, the listeners can be restarted. (#89)

• Microsoft.Extensions.Logging.Console is now the default logger. To enable logging from a dependent project (e.g. unit tests, integration tests, an app), you can either add an appsettings.json to your project or use the ConfigureLoggerFactory. (#139)

• The SDK now uses inferred variable types (var) instead of explicit types in all projects except Yubico.Core. This change aims to improve code readability, reduce verbosity, and enhance developer productivity while maintaining type safety. (#141)

Bug Fixes:

• The PivSession.ChangeManagementKey method was incorrectly assuming Triple-DES was the default management key algorithm for FIPS keys. The SDK now verifies the management key alorithm based on key type and firmware version. (#162, #167)
• The SDK now correctly sets the IYubiKeyDeviceInfo property IsSkySeries to True for YubiKey Security Key Series Enterprise Edition keys. (#158)
• Exceptions are now caught when running PivSession.Dispose. This fixes an issue where the Dispose method could not close the Connection in the event of a disconnected YubiKey. (#104)
• A dynamic DLL resolution based on process architecture (x86/x64) has been implemented for NativeShims.dll. This fixes a reported issue with the NativeShims.dll location for 32-bit processes. (#154)

Miscellaneous:

• Users are now able to verify that the NuGet package has been generated from our repository using Github Attestations (#169) like this:

  > gh attestation verify .\Yubico.Core.1.12.0.nupkg --repo Yubico/Yubico.NET.SDK

Deprecations:

• Yubico.YubiKey/Scp03 namespace.
• All Yubico.Yubikey.StaticKeys endpoints.

Migration Notes:

• Use the SecurityDomainSession for Security Domain operations.
• Review your logging configuration if using custom logging.
• Align with Android/Python SDK naming conventions.

Full Changelog: 1.11.0...1.12.0

1.11.0 - June 2024 Release

Release date: June 28th, 2024

This release introduces significant enhancements and new features for YubiKeys running the latest firmware (version 5.7) and YubiKey Bio/Bio Multi-Protocol Edition keys. Highlights include temporary disablement of NFC connectivity, PIN complexity status, support for RSA 3072 and 4096-bit keys, and support for biometric verification. Additionally, USB reclaim speed has been optimized and adjustments to the touch sensor sensitivity have been implemented. For details on all changes, see below.

Features:

• Support for YubiKeys with the latest firmware (version 5.7):
  • NFC connectivity can now be temporarily disabled with SetIsNfcRestricted() (#91).
  • Additional property pages on the YubiKey are now read into YubiKeyDeviceInfo (#92).
  • PIN complexity:
    • Complexity status can now be checked with IsPinComplexityEnabled (#92).
    • PIN complexity error messages and exceptions have been added (#112).
  • The set of YubiKey applications that are capable of being put into FIPS mode can be retrieved with FipsCapable. The set of YubiKey applications that are in FIPS mode can be retrieved with FipsApproved (#92).
  • The part number for a key’s Secure Element processor, if available, can be retrieved with PartNumber (#92).
  • The set of YubiKey applications that are blocked from being reset can be retrieved with ResetBlocked (#92).
  • PIV:
    • 3072 and 4096 RSA keys can now be generated and imported (#100).
    • Keys can now be moved between all YubiKey PIV slots except for the attestation slot with MoveKeyCommand. Any PIV key can now be deleted from any PIV slot with DeleteKeyCommand (#103).
• Support for YubiKey Bio/Bio Multi-Protocol Edition keys:
  • Bio metadata can now be retrieved with GetBioMetadataCommand (#108).
  • New PIV PIN verification policy enum values (MatchOnce, MatchAlways) have been added (#108).
  • Biometric verification is now supported (#108).
  • A device-wide reset can now be performed on YubiKey Bio Multi-protocol keys with DeviceReset (#110).
• The USB reclaim speed, which controls the time it takes to switch from one YubiKey application to another, has been reduced for compatible YubiKeys. To use the previous 3-second reclaim timeout for all keys, see UseOldReclaimTimeoutBehavior (#93).
• The sensitivity of the YubiKey’s capacitive touch sensor can now be temporarily adjusted with SetTemporaryTouchThreshold (#95).

Bug fixes:

• The ManagementKeyAlgorithm is now updated when the PIV Application is reset (#105).
• macOS input reports are now queued so that large responses aren't dropped (#84).
• Smart card handles are now opened shared by default. To open them exclusively, use OpenSmartCardHandlesExclusively with AppContext.SetSwitch (#83).
• A build issue that occurred when compiling Yubico.NativeShims on MacOS has been fixed (#109).
• The correct certificate OID friendly names are now used for ECDsaCng (nistP256) and ECDsaOpenSsl (ECDSA_P256) (#78).

Miscellaneous:

• The way that YubiKey device info is read by the SDK has changed, and as a result, the following GetDeviceInfo command classes have been deprecated (#91):
  • Yubico.YubiKey.Management.Commands.GetDeviceInfoCommand
  • Yubico.YubiKey.Otp.Commands.GetDeviceInfoCommand
  • Yubico.YubiKey.U2f.Commands.GetDeviceInfoCommand
  • Yubico.YubiKey.Management.Commands.GetDeviceInfoResponse
  • Yubico.YubiKey.Otp.Commands.GetDeviceInfoResponse
  • Yubico.YubiKey.U2f.Commands.GetDeviceInfoResponse
• Integration test guardrails have been added to ensure tests are done only on specified keys. (#100).
• Unit tests were run on all platforms in CI (#80).

Dependencies:

• The test packages xUnit and Microsoft.NET.Test.Sdk have been updated (#94).

New Contributors

• @alanssitis made their first contribution in #78
• @GregDomzalski made their first contribution in #83
• @twistedstream made their first contribution in #97
• @equijano21 made their first contribution in #102
• @AdamVe made their first contribution in #109
• @jamiehankins made their first contribution in #120

Full Changelog: 1.10.0...1.11.0

1.10.0 - April 2024 Release

Release date: April 10th, 2024

This release improves our native dependencies exposed through the Yubico.NativeShims package. We have also worked to improve the build and test experience of this repository by improving our automation and build files.

Changes:

• Yubico.NativeShims targets OpenSSL version 3.x on all platforms - OpenSSL v1.1.x has reached end-of-life. The SDK now removes this dependency on all platforms, now upgrading to the supported 3.x version.
• Dropped support for 32-bit Linux - Yubico.NativeShims no longer builds for 32-bit (x86) Linux. We now depend on Ubuntu releases that contain OpenSSL 3.x by default. These newer releases no longer have mainstream support for this platform.
• Compilation hardening of Yubico.NativeShims - Added commonly used compiler flags to increase security and code quality
  MacOS / Linux:
  -Wformat: Warn about format string issues in printf-like functions.
  -Wformat-nonliteral: Warn about format strings that are not string literals.
  -Wformat-security: Warn about potential security issues related to format strings.
  -Wall: Enable most warning messages
  -Wextra: Enable some additional warning messages not included in -Wall
  -Werror: Treat all warnings as errors
  -Wcast-qual: Warn when casting away const-ness
  -Wshadow: Warn when a local variable shadows another variable
  -pedantic: Issue warnings for language features beyond the C standard
  -pedantic-errors: Treat pedantic warnings as errors
  -Wbad-function-cast: Warn about dubious function pointer casts
  -O2: Optimize code for performance
  -fpic: Generate position-independent code
  -fstack-protector-all: Enable stack protection for all functions
  -D_FORTIFY_SOURCE=2: Enable runtime and compile-time checks for certain security-critical functions
  Windows flags:
  /guard:cf: Enable control flow guard security feature
  /GS: Enable buffer security check
  /Gs: Control stack security check
• Addressed compiler warning concerning Runtime Identifiers (RID)
• Enabled dotnet format - The repository now uses dotnet format to ensure that pull requests adhere to the repository's coding standards. A pass of the tool has been run against the entire repository and a new baseline has been checked in.

1.9.1 - November bugfix release

Release date: November 14th, 2023

Bug fixes:

• SCard handle contention. Previously, the SDK was opening all smart card handles with
  shared permissions, meaning that other applications and services were still able to interact
  with the YubiKey while the SDK performed smart card operations. However, this allowed these
  other entities (such as smart card minidrivers) to alter the current state of the YubiKey
  without the SDK's knowledge. This would sometimes cause random failures and exceptions to
  occur when using the SDK. The SDK now opens the handle exclusively, which means other
  applications will not be able to open the smart card handle for read and write operations
  while the SDK is using it. Callers should take care to not keep a YubiKey connection or
  session open longer than is needed.
• Config changes over FIDO2. The YubiKey Management commands are now available over all
  three logical USB interfaces (HID keyboard, HID FIDO, and smart card). The SDK will typically
  use the first available interface, giving some preference to the smart card. Previously,
  this operation would have failed on FIDO-only devices as the management commands were not
  properly wired up over this interface.

Miscellaneous:

• Dependency updates. The dependencies of the SDK were updated to the latest packages
  available. Since the SDK itself does not take many dependencies outside of the .NET Base
  Class Libraries (BCL), there should not be much of a noticeable impact. The two that
  affect the SDK itself (and not just test code) are:
  • Microsoft.Extensions.Logging.Abstractions (6.0.1 -> 7.0.1)
  • System.Memory (4.5.4 -> 4.5.5)

1.9.0 - October 2023 release

Release date: October 13th, 2023

Features:

• FIDO2 PIN Config. The PIN config feature, if supported by the connected YubiKey, is a set of operations: set the minimum PIN length, force a PIN change, and return a minimum PIN length to a relying party.
• FIDO2 GUI option for sample code. There is now a version of the FIDO2 sample code that uses Windows Forms. This GUI version of the sample code is provided mainly to demonstrate how to build touch and fingerprint notifications in a KeyCollector. This sample code runs only in a Windows environment.
• SCP03 CMAC added to CryptographyProviders. SCP03 operations rely on the AES-CMAC algorithm, and, starting in this release, they will call on the CryptogrphyProviders class to retrieve an implementation. The default implementation uses OpenSSL.
• SCP03 keys. This release adds the ability to change SCP03 key sets. This includes replacing the default key set, adding new key sets, and removing key sets. This is done using the new Scp03Session class.
• SCP03 architecture. The process for building an SCP03 connection was updated. The previous method (Yubico.YubiKey.YubiKeyDeviceExtensions.WithScp03()) is now deprecated, and the new method (Yubico.YubiKey.IYubiKeyDevice.ConnectScp03()) simply requires passing in the SCP03 key set in addition to the application to connect to. Additionally, a convenience constructor has been added to PivSession that accepts the SCP03 static keys Yubico.YubiKey.Piv.PivSession(IYubiKeyDevice, Scp03.StaticKeys).
• SCP03 documentation. The User's Manual article on SCP03 was updated to provide more comprehensive information.

1.8.0 - June 2023 release

Release date: June 30th, 2023

Features:

• FIDO2 Bio Enroll. This allows enrolling and enumerating fingerprint templates. In addition, the SDK implemented fingerprint verification for FIDO2 and incorporated it into the automatic verification process.
• FIDO2 Authenticator Config Operations. This is a series of new methods that allow the programmer to perform some esoteric FIDO2 configuration operations, such as enabling enterprise attestation and increasing the minimum PIN length.
• FIDO2 Update Credential Management to Support CredentialMgmtPreview. Some older YubiKeys do not support the "credential management" feature (enumerate credentials, delete credentials, and others), but do support the "credential management preview" feature. This is the same as "credential management" except that the preview version does not include "Update User Info". The credential management commands and Fido2Session methods now support "Preview", meaning calls to the credential management methods (e.g. Fido2Session.EnumerateRelyingParties) will work on older YubiKeys that support "CredentialMgmtPreview", just as the newer YubiKeys.
• FIDO2 HMAC Secret Extension and CredProtect Extension. These are oft-used extensions, and the SDK now has methods to make using them easier (e.g. MakeCredentialParameters.AddHmacExtension and AuthenticatorData.GetHmacSecretExtension).
• FIDO2 Encoded Attestation The full encoded attestation statement is available when making a credential. This is useful if you are implementing or interoperating with the WebAuthn data types. That is, it is often easier to copy this field in its encoded form rather than using the parsed properties.
• FIDO2 Update Sample Code. The FIDO2 sample project now contains examples that perform bio enroll, credential management, authenticator config, HMAC secret, and credProtect operations.
• OTP Documentation Updates. There are new articles and information about slots (e.g. access codes, deleting), new articles on Hotp (what it is and programming an Hotp credential), new articles on static passwords (what it is and programming a slot to contain a static password), and a new article on updating slots, including manual update.

Bug Fixes:

• NFC response code in FIDO2 now handled properly.
• Community contribution by @jkolo that fixes high CPU usage on Linux due to the HID device listener not blocking properly. Thanks, @jkolo !

1.7.0 - March 2023 release

Release date: March 31st, 2023

Features:

• FIDO2 Credential Management. The credential management feature allows a client application to retrieve
  information about discoverable FIDO2 credentials on a YubiKey, update user information, and delete credentials.
  This includes enumerating the relying parties and user information for all the discoverable credentials.

1.6.1

Release date: February 2nd, 2023

Features:

• Added KeyCollector variants to the YubiHsmAuthSession class for methods which require credential gathering.

Bug fixes:

• Fixed a bug which prevented large responses from the OATH application from being received by the SDK. Fixes
  GitHub Issue #35.
• The YubiKey can now accept a zero-length NDEF text prefix, which was previously prevented by the SDK.
• Added an MSBuild target that instructs .NET Framework-based builds to automatically copy the correct
  version of Yubico.NativeShims.dll into the build's output directory. This requires the use of PackageReferences
  in the consuming project's csproj file in order to properly consume this dependency transitively through
  the Yubico.YubiKey package. Packages.config is not supported. Fixes
  GitHub Issue #11.
• Addressed a difference in behavior found in EcdsaVerify that caused .NET Framework users to receive
  an exception. Fixes GitHub Issue #36.

1.6.0 - January 2023 release

Release date: January 16th, 2023

Features:

• FIDO2 Credential Blobs and Large Blob support. FIDO2 allows applications to store additional information
  alongside a credential. Credential Blobs and Large Blobs are two separate, though related, features for achieving
  this.

Bug fixes:

• Added an MSBuild rule for projects that target .NET Framework 4.x that now automatically copy the correct
  version of Yubico.NativeShims.dll into the build directory. This addresses the "Missing DLL" issue that .NET
  Framework users would encounter. Fixes GitHub Issue #11.
• Addressed an issue where the SDK would enumerate FIDO devices on Windows despite being un-elevated. Windows requires
  process elevation in order to communicate with FIDO devices. The SDK would display one or more YubiKeys with
  incorrect properties as a result. Fixes GitHub Issue #20.
• A difference in behavior between .NET Framework 4.x and .NET 6 caused OAEP padding operations to fail for projects
  running on .NET Framework 4.x. The SDK has been updated to work around this difference in behavior and should
  now work for all supported versions of .NET. Fixes GitHub Issue #33.
• The YubiKey requires a short delay when switching between its USB interfaces. Switching too quickly can result
  in failed operations and other strange behaviors. The SDK will now automatically wait the required amount of
  time to ensure stable communication with the YubiKey. Note that this may cause the first operation or command
  sent to the YubiKey to appear slow. Subsequent calls to the same application will not be affected.
  Fixes GitHub Issue #34.