Hello community,
here is the log from the commit of package yubico-piv-tool for openSUSE:Factory checked in at 2016-06-02 09:36:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/yubico-piv-tool (Old)
and /work/SRC/openSUSE:Factory/.yubico-piv-tool.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yubico-piv-tool"
Changes:
--------
--- /work/SRC/openSUSE:Factory/yubico-piv-tool/yubico-piv-tool.changes 2016-04-28 17:02:01.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.yubico-piv-tool.new/yubico-piv-tool.changes 2016-06-02 09:36:42.000000000 +0200
@@ -1,0 +2,12 @@
+Tue May 17 14:55:42 UTC 2016 - t.gruner@katodev.de
+
+- Version 1.4.0 (released 2016-05-03)
+ - Add attest action When used on a slot with a generated key,
+ outputs a signed x509 certificate for that slot showing that
+ the key was generated in hardware. Available in firmware 4.3.0 and newer.
+ - Add cached parameter for touch-policy With cached, the touch is valid
+ for an additional 15s. Available in firmware 4.3.0 and newer.
+ - Enforce a minimum PIN length of 6 characters.
+ - Fix a bug with list-readers action where it fell through processing into write-object.
+
+-------------------------------------------------------------------
Old:
----
yubico-piv-tool-1.3.1.tar.gz
yubico-piv-tool-1.3.1.tar.gz.sig
New:
----
yubico-piv-tool-1.4.0.tar.gz
yubico-piv-tool-1.4.0.tar.gz.sig
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ yubico-piv-tool.spec ++++++
--- /var/tmp/diff_new_pack.iw0lpa/_old 2016-06-02 09:36:44.000000000 +0200
+++ /var/tmp/diff_new_pack.iw0lpa/_new 2016-06-02 09:36:44.000000000 +0200
@@ -18,7 +18,7 @@
%define soname 1
Name: yubico-piv-tool
-Version: 1.3.1
+Version: 1.4.0
Release: 0
Summary: Yubico YubiKey NEO CCID Manager
License: BSD-2-Clause
@@ -102,12 +102,12 @@
%files -n libykpiv%{soname}
%defattr(-,root,root)
%{_libdir}/libykpiv.so.%{soname}
-%{_libdir}/libykpiv.so.%{soname}.3.1
+%{_libdir}/libykpiv.so.%{soname}.3.2
%files -n libykcs11-%{soname}
%defattr(-,root,root)
%{_libdir}/libykcs11.so.%{soname}
-%{_libdir}/libykcs11.so.%{soname}.3.1
+%{_libdir}/libykcs11.so.%{soname}.3.2
%files -n libykpiv-devel
%defattr(-,root,root)
++++++ yubico-piv-tool-1.3.1.tar.gz -> yubico-piv-tool-1.4.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/ChangeLog new/yubico-piv-tool-1.4.0/ChangeLog
--- old/yubico-piv-tool-1.3.1/ChangeLog 2016-04-19 07:39:52.000000000 +0200
+++ new/yubico-piv-tool-1.4.0/ChangeLog 2016-05-03 09:43:07.000000000 +0200
@@ -1,3 +1,43 @@
+2016-05-03 Klas Lindfors
+
+ * NEWS, configure.ac: release 1.4.0
+
+2016-05-03 Klas Lindfors
+
+ * Makefile.am: add attest doc to dist
+
+2016-05-03 Klas Lindfors
+
+ * mac.mk, windows.mk: bump openssl to 1.0.2g
+
+2016-05-03 Klas Lindfors
+
+ * : commit b1139a516b5a2d9e97ac7cbf8a63f0131b4623df Author: Klas
+ Lindfors Date: Fri Apr 22 09:41:41 2016 +0200
+
+2016-04-19 Klas Lindfors
+
+ * doc/YubiKey_PIV_introduction.adoc: change examples to be with 6
+ digit pins
+
+2016-04-19 Klas Lindfors
+
+ * tool/yubico-piv-tool.c: enforce minimum 6 digits of pin when
+ changing in the tool
+
+2016-04-19 Klas Lindfors
+
+ * tool/yubico-piv-tool.c: error isn't an iso error, run
+ ykpiv_strerror() on it
+
+2016-04-19 Klas Lindfors
+
+ * .gitignore: ignore more
+
+2016-04-19 Klas Lindfors
+
+ * NEWS, configure.ac: bump version
+
2016-04-19 Klas Lindfors
* NEWS: NEWS for 1.3.1
@@ -8,6 +48,10 @@
2016-03-31 Klas Lindfors
+ * doc/Attestation.adoc: add some documentation for attestation
+
+2016-03-31 Klas Lindfors
+
* tool/cmdline.ggo: change wording in help text authentication key -> management key
2016-03-23 Klas Lindfors
@@ -23,9 +67,28 @@
* mac.mk, windows.mk: newer openssl for windows and mac
-2016-02-19 Klas Lindfors
+2016-03-17 Klas Lindfors
+
+ * lib/ykpiv.c: add ykpiv touchpolicy to ykpiv
+
+2016-03-17 Klas Lindfors
+
+ * lib/ykpiv.c, lib/ykpiv.h: add YKPIV_KEY_ATTESTATION to
+ ykpiv_import_key()
- * mac.mk, windows.mk: bump openssl to 1.0.1r
+2016-03-17 Klas Lindfors
+
+ * lib/ykpiv.h, tool/cmdline.ggo, tool/util.c: add touch-policy
+ cached
+
+2016-03-17 Klas Lindfors
+
+ * tool/yubico-piv-tool.c: actually open output_file in attest()
+
+2016-03-10 Klas Lindfors
+
+ * : commit d52b8bd3efb179f20b5ee5f3bc36c05a6ec29fc7 Author: Klas
+ Lindfors Date: Fri Feb 19 12:40:23 2016 +0100
2016-02-19 Klas Lindfors
@@ -508,6 +571,16 @@
* : Merge pull request #36 from akgood/master Use @loader_path rather than @executable_path for OS X dylib paths
+2015-11-18 Klas Lindfors
+
+ * lib/ykpiv.h, tool/cmdline.ggo, tool/yubico-piv-tool.c: add attest
+ action
+
+2015-11-18 Klas Lindfors
+
+ * lib/ykpiv.h, tool/cmdline.ggo, tool/util.c: add f9 slot for
+ attestation
+
2015-11-16 Adam Goodman
* mac.mk: YKCS11: On OS X, use @loader_path rather than
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/Makefile.am new/yubico-piv-tool-1.4.0/Makefile.am
--- old/yubico-piv-tool-1.3.1/Makefile.am 2016-03-10 15:29:26.000000000 +0100
+++ new/yubico-piv-tool-1.4.0/Makefile.am 2016-05-03 09:42:56.000000000 +0200
@@ -31,7 +31,7 @@
EXTRA_DIST = windows.mk mac.mk tool/tests/basic.sh tools/fasc.pl
-EXTRA_DIST += doc/Android_code_signing.adoc doc/Certificate_Authority.adoc doc/OS_X_code_signing.adoc doc/SSH_with_PIV_and_PKCS11.adoc doc/Windows_certificate.adoc doc/YKCS11_release_notes.adoc doc/YubiKey_PIV_introduction.adoc
+EXTRA_DIST += doc/Android_code_signing.adoc doc/Attestation.adoc doc/Certificate_Authority.adoc doc/OS_X_code_signing.adoc doc/SSH_with_PIV_and_PKCS11.adoc doc/Windows_certificate.adoc doc/YKCS11_release_notes.adoc doc/YubiKey_PIV_introduction.adoc
if ENABLE_COV
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/Makefile.in new/yubico-piv-tool-1.4.0/Makefile.in
--- old/yubico-piv-tool-1.3.1/Makefile.in 2016-03-21 08:14:22.000000000 +0100
+++ new/yubico-piv-tool-1.4.0/Makefile.in 2016-05-03 09:43:03.000000000 +0200
@@ -382,9 +382,10 @@
SUBDIRS = lib tool ykcs11
ACLOCAL_AMFLAGS = -I m4
EXTRA_DIST = windows.mk mac.mk tool/tests/basic.sh tools/fasc.pl \
- doc/Android_code_signing.adoc doc/Certificate_Authority.adoc \
- doc/OS_X_code_signing.adoc doc/SSH_with_PIV_and_PKCS11.adoc \
- doc/Windows_certificate.adoc doc/YKCS11_release_notes.adoc \
+ doc/Android_code_signing.adoc doc/Attestation.adoc \
+ doc/Certificate_Authority.adoc doc/OS_X_code_signing.adoc \
+ doc/SSH_with_PIV_and_PKCS11.adoc doc/Windows_certificate.adoc \
+ doc/YKCS11_release_notes.adoc \
doc/YubiKey_PIV_introduction.adoc
all: all-recursive
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/NEWS new/yubico-piv-tool-1.4.0/NEWS
--- old/yubico-piv-tool-1.3.1/NEWS 2016-04-19 07:39:07.000000000 +0200
+++ new/yubico-piv-tool-1.4.0/NEWS 2016-05-03 09:42:56.000000000 +0200
@@ -1,5 +1,21 @@
yubico-piv-tool NEWS -- History of user-visible changes. -*- outline -*-
+* Version 1.4.0 (released 2016-05-03)
+
+** Add attest action
+Will when used on a slot with a generated key output a signed x509 certificate
+for that slot showing that the key was generated in hardware. Available in
+firmware 4.3.0 and newer.
+
+** Add touch-policy cached
+Will treat the touch as valid for additional usage for 15s when used. Available
+in firmware 4.3.0 and newer.
+
+** Enforce a minimum PIN length of 6 characters.
+
+** Fix a bug with list-readers action where it fell through processing into
+write-object.
+
* Version 1.3.1 (released 2016-04-19)
** Fix a bug where unblock pin would instead change puk, introduced in 1.3.0.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/configure new/yubico-piv-tool-1.4.0/configure
--- old/yubico-piv-tool-1.3.1/configure 2016-03-21 08:14:22.000000000 +0100
+++ new/yubico-piv-tool-1.4.0/configure 2016-05-03 09:43:03.000000000 +0200
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for yubico-piv-tool 1.3.1.
+# Generated by GNU Autoconf 2.69 for yubico-piv-tool 1.4.0.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@
# Identity of this package.
PACKAGE_NAME='yubico-piv-tool'
PACKAGE_TARNAME='yubico-piv-tool'
-PACKAGE_VERSION='1.3.1'
-PACKAGE_STRING='yubico-piv-tool 1.3.1'
+PACKAGE_VERSION='1.4.0'
+PACKAGE_STRING='yubico-piv-tool 1.4.0'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''
@@ -1350,7 +1350,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures yubico-piv-tool 1.3.1 to adapt to many kinds of systems.
+\`configure' configures yubico-piv-tool 1.4.0 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1420,7 +1420,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of yubico-piv-tool 1.3.1:";;
+ short | recursive ) echo "Configuration of yubico-piv-tool 1.4.0:";;
esac
cat <<\_ACEOF
@@ -1544,7 +1544,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-yubico-piv-tool configure 1.3.1
+yubico-piv-tool configure 1.4.0
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1909,7 +1909,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by yubico-piv-tool $as_me 1.3.1, which was
+It was created by yubico-piv-tool $as_me 1.4.0, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -2294,7 +2294,7 @@
# Interfaces removed: AGE=0
LT_CURRENT=4
-LT_REVISION=1
+LT_REVISION=2
LT_AGE=3
@@ -2785,7 +2785,7 @@
# Define the identity of the package.
PACKAGE='yubico-piv-tool'
- VERSION='1.3.1'
+ VERSION='1.4.0'
cat >>confdefs.h <<_ACEOF
@@ -13631,7 +13631,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by yubico-piv-tool $as_me 1.3.1, which was
+This file was extended by yubico-piv-tool $as_me 1.4.0, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -13688,7 +13688,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-yubico-piv-tool config.status 1.3.1
+yubico-piv-tool config.status 1.4.0
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/configure.ac new/yubico-piv-tool-1.4.0/configure.ac
--- old/yubico-piv-tool-1.3.1/configure.ac 2016-03-21 08:14:17.000000000 +0100
+++ new/yubico-piv-tool-1.4.0/configure.ac 2016-05-03 09:42:56.000000000 +0200
@@ -26,7 +26,7 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-AC_INIT([yubico-piv-tool], [1.3.1])
+AC_INIT([yubico-piv-tool], [1.4.0])
AC_CONFIG_AUX_DIR([build-aux])
AC_CONFIG_MACRO_DIR([m4])
@@ -35,7 +35,7 @@
# Interfaces added: AGE++
# Interfaces removed: AGE=0
AC_SUBST([LT_CURRENT], 4)
-AC_SUBST([LT_REVISION], 1)
+AC_SUBST([LT_REVISION], 2)
AC_SUBST([LT_AGE], 3)
AM_INIT_AUTOMAKE([-Wall -Werror foreign])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/doc/Attestation.adoc new/yubico-piv-tool-1.4.0/doc/Attestation.adoc
--- old/yubico-piv-tool-1.3.1/doc/Attestation.adoc 1970-01-01 01:00:00.000000000 +0100
+++ new/yubico-piv-tool-1.4.0/doc/Attestation.adoc 2016-05-03 09:31:21.000000000 +0200
@@ -0,0 +1,20 @@
+Using Attestation
+-----------------
+
+Attestation works through a special key slot called “f9” this comes
+pre-loaded from factory with a key and cert signed by Yubico, but can be
+overwritten.
+After a key has been generated in a normal slot it can be attested by this
+special key, this can be realised by using the yubico-piv-tool action attest:
+
+ $ yubico-piv-tool --action=generate --slot=9a
+ ...
+ $ yubico-piv-tool --action=attest --slot=9a
+
+The output of this is a PEM encoded certificate, signed by the key in slot f9. There are a couple of special extensions on this certificate:
+
+* +1.3.6.1.4.1.41482.3.3+: Firmware version, encoded as 3 bytes, like: 040300 for 4.3.0
+* +1.3.6.1.4.1.41482.3.7+: Serial number, encoded as an integer.
+* +1.3.6.1.4.1.41482.3.8+: Two bytes, the first encoding pin policy and the second touch policy
+** Pin policy: 01 - never, 02 - once per session, 03 - always
+** Touch policy: 01 - never, 02 - always, 03 - cached for 15s
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/doc/YubiKey_PIV_introduction.adoc new/yubico-piv-tool-1.4.0/doc/YubiKey_PIV_introduction.adoc
--- old/yubico-piv-tool-1.3.1/doc/YubiKey_PIV_introduction.adoc 2016-03-10 15:29:16.000000000 +0100
+++ new/yubico-piv-tool-1.4.0/doc/YubiKey_PIV_introduction.adoc 2016-04-19 14:23:00.000000000 +0200
@@ -67,14 +67,14 @@
of times -- you need to modify this if you have changed the default
number of PIN/PUK retries).
- yubico-piv-tool -a verify-pin -P 4711
- yubico-piv-tool -a verify-pin -P 4711
- yubico-piv-tool -a verify-pin -P 4711
- yubico-piv-tool -a verify-pin -P 4711
- yubico-piv-tool -a change-puk -P 4711 -N 67567
- yubico-piv-tool -a change-puk -P 4711 -N 67567
- yubico-piv-tool -a change-puk -P 4711 -N 67567
- yubico-piv-tool -a change-puk -P 4711 -N 67567
+ yubico-piv-tool -a verify-pin -P 471112
+ yubico-piv-tool -a verify-pin -P 471112
+ yubico-piv-tool -a verify-pin -P 471112
+ yubico-piv-tool -a verify-pin -P 471112
+ yubico-piv-tool -a change-puk -P 471112 -N 6756789
+ yubico-piv-tool -a change-puk -P 471112 -N 6756789
+ yubico-piv-tool -a change-puk -P 471112 -N 6756789
+ yubico-piv-tool -a change-puk -P 471112 -N 6756789
yubico-piv-tool -a reset
Software
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/lib/ykpiv-version.h new/yubico-piv-tool-1.4.0/lib/ykpiv-version.h
--- old/yubico-piv-tool-1.3.1/lib/ykpiv-version.h 2016-03-21 08:14:27.000000000 +0100
+++ new/yubico-piv-tool-1.4.0/lib/ykpiv-version.h 2016-05-03 09:43:06.000000000 +0200
@@ -43,7 +43,7 @@
* version number. Used together with ykneomgr_check_version() to verify
* header file and run-time library consistency.
*/
-#define YKPIV_VERSION_STRING "1.3.1"
+#define YKPIV_VERSION_STRING "1.4.0"
/**
* YKPIV_VERSION_NUMBER
@@ -53,7 +53,7 @@
* this symbol will have the value 0x01020300. The last two digits
* are only used between public releases, and will otherwise be 00.
*/
-#define YKPIV_VERSION_NUMBER 0x010301
+#define YKPIV_VERSION_NUMBER 0x010400
/**
* YKPIV_VERSION_MAJOR
@@ -71,7 +71,7 @@
* level of the header file version number. For example, when the
* header version is 1.2.3 this symbol will be 2.
*/
-#define YKPIV_VERSION_MINOR 3
+#define YKPIV_VERSION_MINOR 4
/**
* YKPIV_VERSION_PATCH
@@ -80,7 +80,7 @@
* level of the header file version number. For example, when the
* header version is 1.2.3 this symbol will be 3.
*/
-#define YKPIV_VERSION_PATCH 1
+#define YKPIV_VERSION_PATCH 0
const char *ykpiv_check_version (const char *req_version);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/lib/ykpiv.c new/yubico-piv-tool-1.4.0/lib/ykpiv.c
--- old/yubico-piv-tool-1.3.1/lib/ykpiv.c 2016-04-18 22:03:38.000000000 +0200
+++ new/yubico-piv-tool-1.4.0/lib/ykpiv.c 2016-05-03 09:31:21.000000000 +0200
@@ -873,7 +873,7 @@
if (key == YKPIV_KEY_CARDMGM ||
key < YKPIV_KEY_RETIRED1 ||
(key > YKPIV_KEY_RETIRED20 && key < YKPIV_KEY_AUTHENTICATION) ||
- key > YKPIV_KEY_CARDAUTH) {
+ (key > YKPIV_KEY_CARDAUTH && key != YKPIV_KEY_ATTESTATION)) {
return YKPIV_KEY_ERROR;
}
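Review bot: The widened range check now lets `YKPIV_KEY_ATTESTATION` through what the ChangeLog identifies as ykpiv_import_key(), but nothing at the check records that importing into f9 replaces the factory-loaded attestation key. Per doc/Attestation.adoc that slot ships with a key and certificate signed by Yubico and can be overwritten; after an import, certificates from the attest action are signed by the imported key instead. A verifier therefore has to validate the f9 certificate chain and cannot rely on the extension values alone. I would add a comment above the condition, e.g. `/* f9 (attestation) is importable: overwriting it replaces the factory attestation key */`. The enclosing function starts and ends outside the hunk.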
@@ -885,7 +885,8 @@
if (touch_policy != YKPIV_TOUCHPOLICY_DEFAULT &&
touch_policy != YKPIV_TOUCHPOLICY_NEVER &&
- touch_policy != YKPIV_TOUCHPOLICY_ALWAYS)
+ touch_policy != YKPIV_TOUCHPOLICY_ALWAYS &&
+ touch_policy != YKPIV_TOUCHPOLICY_CACHED)
return YKPIV_GENERIC_ERROR;
if (algorithm == YKPIV_ALGO_RSA1024 || algorithm == YKPIV_ALGO_RSA2048) {
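Review bot: `YKPIV_TOUCHPOLICY_CACHED` is accepted here unconditionally, while NEWS states the cached policy is only available in firmware 4.3.0 and newer, so the library-side check gives callers no hint of that requirement. A short comment such as `/* CACHED needs firmware 4.3.0+; behaviour on older firmware to be confirmed */` would document it; whether older devices reject or ignore the value is not visible in this hunk. The four-line condition guarding a single unbraced `return YKPIV_GENERIC_ERROR;` would also be safer with braces. The enclosing function continues outside the hunk.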
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/lib/ykpiv.h new/yubico-piv-tool-1.4.0/lib/ykpiv.h
--- old/yubico-piv-tool-1.3.1/lib/ykpiv.h 2016-04-18 22:03:38.000000000 +0200
+++ new/yubico-piv-tool-1.4.0/lib/ykpiv.h 2016-05-03 09:31:21.000000000 +0200
@@ -141,6 +141,7 @@
#define YKPIV_KEY_RETIRED18 0x93
#define YKPIV_KEY_RETIRED19 0x94
#define YKPIV_KEY_RETIRED20 0x95
+#define YKPIV_KEY_ATTESTATION 0xf9
#define YKPIV_OBJ_CAPABILITY 0x5fc107
#define YKPIV_OBJ_CHUID 0x5fc102
@@ -177,6 +178,8 @@
#define YKPIV_OBJ_RETIRED19 0x5fc11f
#define YKPIV_OBJ_RETIRED20 0x5fc120
+#define YKPIV_OBJ_ATTESTATION 0x5fff01
+
#define YKPIV_INS_VERIFY 0x20
#define YKPIV_INS_CHANGE_REFERENCE 0x24
#define YKPIV_INS_RESET_RETRY 0x2c
@@ -191,6 +194,7 @@
#define YKPIV_INS_GET_VERSION 0xfd
#define YKPIV_INS_RESET 0xfb
#define YKPIV_INS_SET_PIN_RETRIES 0xfa
+#define YKPIV_INS_ATTEST 0xf9
#define YKPIV_PINPOLICY_TAG 0xaa
#define YKPIV_PINPOLICY_DEFAULT 0
@@ -202,6 +206,7 @@
#define YKPIV_TOUCHPOLICY_DEFAULT 0
#define YKPIV_TOUCHPOLICY_NEVER 1
#define YKPIV_TOUCHPOLICY_ALWAYS 2
+#define YKPIV_TOUCHPOLICY_CACHED 3
#define YKPIV_IS_EC(a) ((a == YKPIV_ALGO_ECCP256 || a == YKPIV_ALGO_ECCP384))
#define YKPIV_IS_RSA(a) ((a == YKPIV_ALGO_RSA1024 || a == YKPIV_ALGO_RSA2048))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/mac.mk new/yubico-piv-tool-1.4.0/mac.mk
--- old/yubico-piv-tool-1.3.1/mac.mk 2016-04-18 22:03:38.000000000 +0200
+++ new/yubico-piv-tool-1.4.0/mac.mk 2016-05-03 09:33:41.000000000 +0200
@@ -26,7 +26,7 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
PACKAGE=yubico-piv-tool
-OPENSSLVERSION=1.0.1s
+OPENSSLVERSION=1.0.2g
CFLAGS="-mmacosx-version-min=10.6"
all: usage mac
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/tool/cmdline.c new/yubico-piv-tool-1.4.0/tool/cmdline.c
--- old/yubico-piv-tool-1.3.1/tool/cmdline.c 2016-04-18 22:03:40.000000000 +0200
+++ new/yubico-piv-tool-1.4.0/tool/cmdline.c 2016-05-03 09:43:08.000000000 +0200
@@ -40,9 +40,9 @@
" -v, --verbose[=INT] Print more information (default=`0')",
" -r, --reader=STRING Only use a matching reader (default=`Yubikey')",
" -k, --key[=STRING] Management key to use\n (default=`010203040506070801020304050607080102030405060708')",
- " -a, --action=ENUM Action to take (possible values=\"version\",\n \"generate\", \"set-mgm-key\", \"reset\",\n \"pin-retries\", \"import-key\",\n \"import-certificate\", \"set-chuid\",\n \"request-certificate\", \"verify-pin\",\n \"change-pin\", \"change-puk\", \"unblock-pin\",\n \"selfsign-certificate\", \"delete-certificate\",\n \"read-certificate\", \"status\",\n \"test-signature\", \"test-decipher\",\n \"list-readers\", \"set-ccc\", \"write-object\",\n \"read-object\")",
+ " -a, --action=ENUM Action to take (possible values=\"version\",\n \"generate\", \"set-mgm-key\", \"reset\",\n \"pin-retries\", \"import-key\",\n \"import-certificate\", \"set-chuid\",\n \"request-certificate\", \"verify-pin\",\n \"change-pin\", \"change-puk\", \"unblock-pin\",\n \"selfsign-certificate\", \"delete-certificate\",\n \"read-certificate\", \"status\",\n \"test-signature\", \"test-decipher\",\n \"list-readers\", \"set-ccc\", \"write-object\",\n \"read-object\", \"attest\")",
"\n Multiple actions may be given at once and will be executed in order\n for example --action=verify-pin --action=request-certificate\n",
- " -s, --slot=ENUM What key slot to operate on (possible\n values=\"9a\", \"9c\", \"9d\", \"9e\", \"82\",\n \"83\", \"84\", \"85\", \"86\", \"87\", \"88\",\n \"89\", \"8a\", \"8b\", \"8c\", \"8d\", \"8e\",\n \"8f\", \"90\", \"91\", \"92\", \"93\", \"94\",\n \"95\")",
+ " -s, --slot=ENUM What key slot to operate on (possible\n values=\"9a\", \"9c\", \"9d\", \"9e\", \"82\",\n \"83\", \"84\", \"85\", \"86\", \"87\", \"88\",\n \"89\", \"8a\", \"8b\", \"8c\", \"8d\", \"8e\",\n \"8f\", \"90\", \"91\", \"92\", \"93\", \"94\",\n \"95\", \"f9\")",
"\n 9a is for PIV Authentication\n 9c is for Digital Signature (PIN always checked)\n 9d is for Key Management\n 9e is for Card Authentication (PIN never checked)\n 82-95 is for Retired Key Management\n",
" -A, --algorithm=ENUM What algorithm to use (possible values=\"RSA1024\",\n \"RSA2048\", \"ECCP256\", \"ECCP384\"\n default=`RSA2048')",
" -H, --hash=ENUM Hash to use for signatures (possible\n values=\"SHA1\", \"SHA256\", \"SHA384\",\n \"SHA512\" default=`SHA256')",
@@ -60,7 +60,7 @@
" -P, --pin=STRING Pin/puk code for verification",
" -N, --new-pin=STRING New pin/puk code for changing",
" --pin-policy=ENUM Set pin policy for action generate or import-key\n (possible values=\"never\", \"once\", \"always\")",
- " --touch-policy=ENUM Set touch policy for action generate, import-key or\n set-mgm-key (possible values=\"never\",\n \"always\")",
+ " --touch-policy=ENUM Set touch policy for action generate, import-key or\n set-mgm-key (possible values=\"never\",\n \"always\", \"cached\")",
" --id=INT Id of object for write/read object",
" -f, --format=ENUM Format of data for write/read object (possible\n values=\"hex\", \"base64\", \"binary\"\n default=`hex')",
" --sign Sign data (default=off)",
@@ -124,13 +124,13 @@
static int
cmdline_parser_required2 (struct gengetopt_args_info *args_info, const char *prog_name, const char *additional_error);
-const char *cmdline_parser_action_values[] = {"version", "generate", "set-mgm-key", "reset", "pin-retries", "import-key", "import-certificate", "set-chuid", "request-certificate", "verify-pin", "change-pin", "change-puk", "unblock-pin", "selfsign-certificate", "delete-certificate", "read-certificate", "status", "test-signature", "test-decipher", "list-readers", "set-ccc", "write-object", "read-object", 0}; /*< Possible values for action. */
-const char *cmdline_parser_slot_values[] = {"9a", "9c", "9d", "9e", "82", "83", "84", "85", "86", "87", "88", "89", "8a", "8b", "8c", "8d", "8e", "8f", "90", "91", "92", "93", "94", "95", 0}; /*< Possible values for slot. */
+const char *cmdline_parser_action_values[] = {"version", "generate", "set-mgm-key", "reset", "pin-retries", "import-key", "import-certificate", "set-chuid", "request-certificate", "verify-pin", "change-pin", "change-puk", "unblock-pin", "selfsign-certificate", "delete-certificate", "read-certificate", "status", "test-signature", "test-decipher", "list-readers", "set-ccc", "write-object", "read-object", "attest", 0}; /*< Possible values for action. */
+const char *cmdline_parser_slot_values[] = {"9a", "9c", "9d", "9e", "82", "83", "84", "85", "86", "87", "88", "89", "8a", "8b", "8c", "8d", "8e", "8f", "90", "91", "92", "93", "94", "95", "f9", 0}; /*< Possible values for slot. */
const char *cmdline_parser_algorithm_values[] = {"RSA1024", "RSA2048", "ECCP256", "ECCP384", 0}; /*< Possible values for algorithm. */
const char *cmdline_parser_hash_values[] = {"SHA1", "SHA256", "SHA384", "SHA512", 0}; /*< Possible values for hash. */
const char *cmdline_parser_key_format_values[] = {"PEM", "PKCS12", "GZIP", "DER", 0}; /*< Possible values for key-format. */
const char *cmdline_parser_pin_policy_values[] = {"never", "once", "always", 0}; /*< Possible values for pin-policy. */
-const char *cmdline_parser_touch_policy_values[] = {"never", "always", 0}; /*< Possible values for touch-policy. */
+const char *cmdline_parser_touch_policy_values[] = {"never", "always", "cached", 0}; /*< Possible values for touch-policy. */
const char *cmdline_parser_format_values[] = {"hex", "base64", "binary", 0}; /*< Possible values for format. */
static char *
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/tool/cmdline.ggo new/yubico-piv-tool-1.4.0/tool/cmdline.ggo
--- old/yubico-piv-tool-1.3.1/tool/cmdline.ggo 2016-04-18 22:03:38.000000000 +0200
+++ new/yubico-piv-tool-1.4.0/tool/cmdline.ggo 2016-05-03 09:31:21.000000000 +0200
@@ -33,11 +33,11 @@
"request-certificate","verify-pin","change-pin","change-puk","unblock-pin",
"selfsign-certificate","delete-certificate","read-certificate","status",
"test-signature","test-decipher","list-readers","set-ccc","write-object",
- "read-object" enum multiple
+ "read-object","attest" enum multiple
text "
Multiple actions may be given at once and will be executed in order
for example --action=verify-pin --action=request-certificate\n"
-option "slot" s "What key slot to operate on" values="9a","9c","9d","9e","82","83","84","85","86","87","88","89","8a","8b","8c","8d","8e","8f","90","91","92","93","94","95" enum optional
+option "slot" s "What key slot to operate on" values="9a","9c","9d","9e","82","83","84","85","86","87","88","89","8a","8b","8c","8d","8e","8f","90","91","92","93","94","95","f9" enum optional
text "
9a is for PIV Authentication
9c is for Digital Signature (PIN always checked)
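Review bot: The slot value list gains `f9`, but the explanatory text block under the option is not extended. The regenerated help string in tool/cmdline.c still ends at `82-95 is for Retired Key Management`. Since f9 holds the attestation key and, per doc/Attestation.adoc, can be overwritten, the help should say what the slot is, e.g. a line `f9 is for Attestation` after the retired-key line. The text block continues outside the hunk.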
@@ -62,7 +62,7 @@
option "pin" P "Pin/puk code for verification" string optional
option "new-pin" N "New pin/puk code for changing" string optional dependon="pin"
option "pin-policy" - "Set pin policy for action generate or import-key" values="never","once","always" enum optional
-option "touch-policy" - "Set touch policy for action generate, import-key or set-mgm-key" values="never","always" enum optional
+option "touch-policy" - "Set touch policy for action generate, import-key or set-mgm-key" values="never","always","cached" enum optional
option "id" - "Id of object for write/read object" int optional
option "format" f "Format of data for write/read object" values="hex","base64","binary" enum optional default="hex"
option "sign" - "Sign data" flag off hidden
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/tool/cmdline.h new/yubico-piv-tool-1.4.0/tool/cmdline.h
--- old/yubico-piv-tool-1.3.1/tool/cmdline.h 2016-04-18 22:03:40.000000000 +0200
+++ new/yubico-piv-tool-1.4.0/tool/cmdline.h 2016-05-03 09:43:08.000000000 +0200
@@ -38,13 +38,13 @@
#define CMDLINE_PARSER_VERSION VERSION
#endif
-enum enum_action { action__NULL = -1, action_arg_version = 0, action_arg_generate, action_arg_setMINUS_mgmMINUS_key, action_arg_reset, action_arg_pinMINUS_retries, action_arg_importMINUS_key, action_arg_importMINUS_certificate, action_arg_setMINUS_chuid, action_arg_requestMINUS_certificate, action_arg_verifyMINUS_pin, action_arg_changeMINUS_pin, action_arg_changeMINUS_puk, action_arg_unblockMINUS_pin, action_arg_selfsignMINUS_certificate, action_arg_deleteMINUS_certificate, action_arg_readMINUS_certificate, action_arg_status, action_arg_testMINUS_signature, action_arg_testMINUS_decipher, action_arg_listMINUS_readers, action_arg_setMINUS_ccc, action_arg_writeMINUS_object, action_arg_readMINUS_object };
-enum enum_slot { slot__NULL = -1, slot_arg_9a = 0, slot_arg_9c, slot_arg_9d, slot_arg_9e, slot_arg_82, slot_arg_83, slot_arg_84, slot_arg_85, slot_arg_86, slot_arg_87, slot_arg_88, slot_arg_89, slot_arg_8a, slot_arg_8b, slot_arg_8c, slot_arg_8d, slot_arg_8e, slot_arg_8f, slot_arg_90, slot_arg_91, slot_arg_92, slot_arg_93, slot_arg_94, slot_arg_95 };
+enum enum_action { action__NULL = -1, action_arg_version = 0, action_arg_generate, action_arg_setMINUS_mgmMINUS_key, action_arg_reset, action_arg_pinMINUS_retries, action_arg_importMINUS_key, action_arg_importMINUS_certificate, action_arg_setMINUS_chuid, action_arg_requestMINUS_certificate, action_arg_verifyMINUS_pin, action_arg_changeMINUS_pin, action_arg_changeMINUS_puk, action_arg_unblockMINUS_pin, action_arg_selfsignMINUS_certificate, action_arg_deleteMINUS_certificate, action_arg_readMINUS_certificate, action_arg_status, action_arg_testMINUS_signature, action_arg_testMINUS_decipher, action_arg_listMINUS_readers, action_arg_setMINUS_ccc, action_arg_writeMINUS_object, action_arg_readMINUS_object, action_arg_attest };
+enum enum_slot { slot__NULL = -1, slot_arg_9a = 0, slot_arg_9c, slot_arg_9d, slot_arg_9e, slot_arg_82, slot_arg_83, slot_arg_84, slot_arg_85, slot_arg_86, slot_arg_87, slot_arg_88, slot_arg_89, slot_arg_8a, slot_arg_8b, slot_arg_8c, slot_arg_8d, slot_arg_8e, slot_arg_8f, slot_arg_90, slot_arg_91, slot_arg_92, slot_arg_93, slot_arg_94, slot_arg_95, slot_arg_f9 };
enum enum_algorithm { algorithm__NULL = -1, algorithm_arg_RSA1024 = 0, algorithm_arg_RSA2048, algorithm_arg_ECCP256, algorithm_arg_ECCP384 };
enum enum_hash { hash__NULL = -1, hash_arg_SHA1 = 0, hash_arg_SHA256, hash_arg_SHA384, hash_arg_SHA512 };
enum enum_key_format { key_format__NULL = -1, key_format_arg_PEM = 0, key_format_arg_PKCS12, key_format_arg_GZIP, key_format_arg_DER };
enum enum_pin_policy { pin_policy__NULL = -1, pin_policy_arg_never = 0, pin_policy_arg_once, pin_policy_arg_always };
-enum enum_touch_policy { touch_policy__NULL = -1, touch_policy_arg_never = 0, touch_policy_arg_always };
+enum enum_touch_policy { touch_policy__NULL = -1, touch_policy_arg_never = 0, touch_policy_arg_always, touch_policy_arg_cached };
enum enum_format { format__NULL = -1, format_arg_hex = 0, format_arg_base64, format_arg_binary };
/** @brief Where the command line options are stored */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/tool/util.c new/yubico-piv-tool-1.4.0/tool/util.c
--- old/yubico-piv-tool-1.3.1/tool/util.c 2016-04-18 22:03:38.000000000 +0200
+++ new/yubico-piv-tool-1.4.0/tool/util.c 2016-05-03 09:31:21.000000000 +0200
@@ -330,6 +330,9 @@
case slot_arg_95:
object = YKPIV_OBJ_RETIRED20;
break;
+ case slot_arg_f9:
+ object = YKPIV_OBJ_ATTESTATION;
+ break;
case slot__NULL:
default:
object = 0;
@@ -601,6 +604,8 @@
return YKPIV_TOUCHPOLICY_NEVER;
case touch_policy_arg_always:
return YKPIV_TOUCHPOLICY_ALWAYS;
+ case touch_policy_arg_cached:
+ return YKPIV_TOUCHPOLICY_CACHED;
case touch_policy__NULL:
default:
return 0;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/tool/yubico-piv-tool.1 new/yubico-piv-tool-1.4.0/tool/yubico-piv-tool.1
--- old/yubico-piv-tool-1.3.1/tool/yubico-piv-tool.1 2016-04-18 22:03:40.000000000 +0200
+++ new/yubico-piv-tool-1.4.0/tool/yubico-piv-tool.1 2016-05-03 09:43:08.000000000 +0200
@@ -1,12 +1,12 @@
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.2.
-.TH YUBICO-PIV-TOOL "1" "April 2016" "yubico-piv-tool 1.3.1" "User Commands"
+.TH YUBICO-PIV-TOOL "1" "May 2016" "yubico-piv-tool 1.4.0" "User Commands"
.SH NAME
yubico-piv-tool \- Yubico PIV tool
.SH SYNOPSIS
.B yubico-piv-tool
[\fI\,OPTIONS\/\fR]...
.SH DESCRIPTION
-yubico\-piv\-tool 1.3.1
+yubico\-piv\-tool 1.4.0
.TP
\fB\-h\fR, \fB\-\-help\fR
Print help and exit
@@ -38,7 +38,7 @@
"read\-certificate", "status",
"test\-signature", "test\-decipher",
"list\-readers", "set\-ccc", "write\-object",
-"read\-object")
+"read\-object", "attest")
.IP
Multiple actions may be given at once and will be executed in order
for example \fB\-\-action\fR=\fI\,verify\-pin\/\fR \fB\-\-action\fR=\fI\,request\-certificate\/\fR
@@ -49,7 +49,7 @@
"83", "84", "85", "86", "87", "88",
"89", "8a", "8b", "8c", "8d", "8e",
"8f", "90", "91", "92", "93", "94",
-"95")
+"95", "f9")
.IP
9a is for PIV Authentication
9c is for Digital Signature (PIN always checked)
@@ -118,7 +118,7 @@
\fB\-\-touch\-policy\fR=\fI\,ENUM\/\fR
Set touch policy for action generate, import\-key or
set\-mgm\-key (possible values="never",
-"always")
+"always", "cached")
.TP
\fB\-\-id\fR=\fI\,INT\/\fR
Id of object for write/read object
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/tool/yubico-piv-tool.c new/yubico-piv-tool-1.4.0/tool/yubico-piv-tool.c
--- old/yubico-piv-tool-1.3.1/tool/yubico-piv-tool.c 2016-04-18 22:03:38.000000000 +0200
+++ new/yubico-piv-tool-1.4.0/tool/yubico-piv-tool.c 2016-05-03 09:31:21.000000000 +0200
@@ -1000,6 +1000,11 @@
return false;
}
+ if(new_len < 6) {
+ fprintf(stderr, "Minimum 6 digits of PIN supported.\n");
+ return false;
+ }
+
if(action == action_arg_unblockMINUS_pin) {
op = ykpiv_unblock_pin;
}
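Review bot: The new guard rejects on `new_len < 6` alone, yet its message speaks of "digits of PIN", while nothing in the hunk checks that the characters are digits. The same code path also serves the unblock action (`action_arg_unblockMINUS_pin` just below) and possibly PUK changes, which are not visible here. A message that matches the check would be `fprintf(stderr, "New PIN/PUK must be at least 6 characters long.\n");`. The literal 6 would also read better as a named constant next to the existing length limit, which presumably sits in the part of the function above this hunk.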
@@ -1025,7 +1030,7 @@
return false;
default:
- fprintf(stderr, "Failed changing/unblocking code, error: %x\n", res);
+ fprintf(stderr, "Failed changing/unblocking code, error: %s\n", ykpiv_strerror(res));
return false;
}
}
@@ -1646,6 +1651,68 @@
return true;
}
+static bool attest(ykpiv_state *state, const char *slot,
+ enum enum_key_format key_format, const char *output_file_name) {
+ unsigned char data[2048];
+ unsigned long len = sizeof(data);
+ bool ret = false;
+ X509 *x509 = NULL;
+ unsigned char templ[] = {0, YKPIV_INS_ATTEST, 0, 0};
+ int key;
+ int sw;
+ FILE *output_file = open_file(output_file_name, OUTPUT);
+ if(!output_file) {
+ return false;
+ }
+
+ sscanf(slot, "%2x", &key);
+ templ[2] = key;
+
+ if(key_format != key_format_arg_PEM && key_format != key_format_arg_DER) {
+ fprintf(stderr, "Only PEM and DER format are supported for attest..\n");
+ return false;
+ }
+
+ if(ykpiv_transfer_data(state, templ, NULL, 0, data, &len, &sw) != YKPIV_OK) {
+ fprintf(stderr, "Failed to communicate.\n");
+ goto attest_out;
+ } else if(sw != 0x9000) {
+ fprintf(stderr, "Failed to attest key.\n");
+ goto attest_out;
+ }
+
+ if(data[0] == 0x30) {
+ if(key_format == key_format_arg_PEM) {
+ const unsigned char *ptr = data;
+ int len2 = len;
+ x509 = X509_new();
+ if(!x509) {
+ fprintf(stderr, "Failed allocating x509 structure.\n");
+ goto attest_out;
+ }
+ x509 = d2i_X509(NULL, &ptr, len2);
+ if(!x509) {
+ fprintf(stderr, "Failed parsing x509 information.\n");
+ goto attest_out;
+ }
+ PEM_write_X509(output_file, x509);
+ ret = true;
+ } else {
+ fwrite(data, len, 1, output_file);
+ }
+ ret = true;
+ }
+
+attest_out:
+ if(output_file != stdout) {
+ fclose(output_file);
+ }
+ if(x509) {
+ X509_free(x509);
+ }
+ return ret;
+}
+
static bool write_object(ykpiv_state *state, int id,
const char *input_file_name, int verbosity, enum enum_format format) {
bool ret = false;
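Review bot: In attest(), the unsupported-format branch does `return false` after open_file() has already succeeded, so the stream is never closed and the output file may be left behind empty; validate first or leave through `goto attest_out`. The `sscanf(slot, "%2x", &key)` result is unchecked and `%x` is handed an `int *`, so `key` is copied into the APDU uninitialized if the string ever fails to parse (the option parser may already restrict it, but that is outside the hunk). The object from `X509_new()` is overwritten by the `d2i_X509(NULL, ...)` result and leaks. `data[0]` is read without confirming `len > 0`, a response that does not start with 0x30 fails with no message, and the results of `PEM_write_X509` and `fwrite` are ignored, so a failed write still reports success. A possible rework of the affected lines:

```c
static bool attest(ykpiv_state *state, const char *slot,
    enum enum_key_format key_format, const char *output_file_name) {
  /* ... unchanged: data, len, ret, x509, templ, sw declarations ... */
  unsigned int key = 0;
  FILE *output_file;

  /* Validate everything before the output file is created. */
  if(key_format != key_format_arg_PEM && key_format != key_format_arg_DER) {
    fprintf(stderr, "Only PEM and DER format are supported for attest..\n");
    return false;
  }
  if(sscanf(slot, "%2x", &key) != 1) {
    fprintf(stderr, "Failed parsing slot.\n");
    return false;
  }
  templ[2] = (unsigned char)key;

  output_file = open_file(output_file_name, OUTPUT);
  if(!output_file) {
    return false;
  }

  /* ... unchanged: ykpiv_transfer_data call and sw != 0x9000 check ... */

  if(len == 0 || data[0] != 0x30) {
    fprintf(stderr, "Unexpected attestation response.\n");
    goto attest_out;
  }
  if(key_format == key_format_arg_PEM) {
    const unsigned char *ptr = data;
    /* d2i_X509 allocates the structure itself; no X509_new() needed. */
    x509 = d2i_X509(NULL, &ptr, (long)len);
    if(!x509) {
      fprintf(stderr, "Failed parsing x509 information.\n");
      goto attest_out;
    }
    if(PEM_write_X509(output_file, x509) != 1) {
      fprintf(stderr, "Failed writing certificate.\n");
      goto attest_out;
    }
  } else if(fwrite(data, len, 1, output_file) != 1) {
    fprintf(stderr, "Failed writing certificate.\n");
    goto attest_out;
  }
  ret = true;

  /* ... unchanged: attest_out cleanup ... */
```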
@@ -1748,6 +1815,7 @@
case action_arg_readMINUS_certificate:
case action_arg_testMINUS_signature:
case action_arg_testMINUS_decipher:
+ case action_arg_attest:
if(args_info.slot_arg == slot__NULL) {
fprintf(stderr, "The '%s' action needs a slot (-s) to operate on.\n",
cmdline_parser_action_values[action]);
@@ -1865,6 +1933,7 @@
case action_arg_testMINUS_signature:
case action_arg_testMINUS_decipher:
case action_arg_listMINUS_readers:
+ case action_arg_attest:
case action_arg_readMINUS_object:
case action__NULL:
default:
@@ -2042,6 +2111,7 @@
if(list_readers(state) == false) {
ret = EXIT_FAILURE;
}
+ break;
case action_arg_writeMINUS_object:
if(write_object(state, args_info.id_arg, args_info.input_arg, verbosity,
args_info.format_arg) == false) {
@@ -2054,6 +2124,12 @@
ret = EXIT_FAILURE;
}
break;
+ case action_arg_attest:
+ if(attest(state, args_info.slot_orig, args_info.key_format_arg,
+ args_info.output_arg) == false) {
+ ret = EXIT_FAILURE;
+ }
+ break;
case action__NULL:
default:
fprintf(stderr, "Wrong action. %d.\n", action);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/windows.mk new/yubico-piv-tool-1.4.0/windows.mk
--- old/yubico-piv-tool-1.3.1/windows.mk 2016-04-18 22:03:38.000000000 +0200
+++ new/yubico-piv-tool-1.4.0/windows.mk 2016-05-03 09:33:41.000000000 +0200
@@ -26,7 +26,7 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
PACKAGE=yubico-piv-tool
-OPENSSLVERSION=1.0.1s
+OPENSSLVERSION=1.0.2g
all: usage 32bit 64bit
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yubico-piv-tool-1.3.1/ykcs11/ykcs11-version.h new/yubico-piv-tool-1.4.0/ykcs11/ykcs11-version.h
--- old/yubico-piv-tool-1.3.1/ykcs11/ykcs11-version.h 2016-03-21 08:14:27.000000000 +0100
+++ new/yubico-piv-tool-1.4.0/ykcs11/ykcs11-version.h 2016-05-03 09:43:06.000000000 +0200
@@ -42,7 +42,7 @@
* version number. Used together with ykneomgr_check_version() to verify
* header file and run-time library consistency.
*/
-#define YKCS11_VERSION_STRING "1.3.1"
+#define YKCS11_VERSION_STRING "1.4.0"
/**
* YKCS11_VERSION_NUMBER
@@ -52,7 +52,7 @@
* this symbol will have the value 0x01020300. The last two digits
* are only used between public releases, and will otherwise be 00.
*/
-#define YKCS11_VERSION_NUMBER 0x010301
+#define YKCS11_VERSION_NUMBER 0x010400
/**
* YKCS11_VERSION_MAJOR
@@ -70,7 +70,7 @@
* level of the header file version number. For example, when the
* header version is 1.2.3 this symbol will be 2.
*/
-#define YKCS11_VERSION_MINOR 3
+#define YKCS11_VERSION_MINOR 4
/**
* YKCS11_VERSION_PATCH
@@ -79,7 +79,7 @@
* level of the header file version number. For example, when the
* header version is 1.2.3 this symbol will be 3.
*/
-#define YKCS11_VERSION_PATCH 1
+#define YKCS11_VERSION_PATCH 0
const char *ykcs11_check_version (const char *req_version);