1.13.2 - July release

Release date: July 3rd, 2025

Features:

• A new RawData property, which exposes raw CBOR-encoded data, has been added to the FIDO2 MakeCredentialData class. (#225)
• A new VersionQualifier has been added for handling YubiKey firmware (by version number, type, and iteration). The YubiKeyDeviceInfo class has also been updated to support VersionQualifier. (#240)
• The GitHub Actions workflows have been updated to use the windows-2022 runner instead of windows-2019, which ensures compatibility with newer environments and improves the consistency of the build and publish pipelines. (#242)

Documentation:

• The documentation site has been updated with a new search bar, light/dark mode, new styling, and a modified table of contents. (#241)
• New documentation covering the YubiKey Bio Multi-protocol Edition and its quirks, including the DeviceReset() method, has been added. (#237)
• A discrepancy in the documentation on attestation statement generation has been fixed. (#236)
• The documentation covering the default management key value and algorithm has been clarified. (#233)
• The DER encoding details in the documentation on the PIV AuthenticateSignCommand() have been corrected. (#239)

Bug Fixes:

• NativeShims now outputs Net47 build files into the correct architecture-specific folders. Supported architectures include x86, x64, and Arm64. (#211)
• An ongoing dotnet issue that has broken the resolution of core libraries on macOS 15 prevented the SDK from locating important dependencies on Mac when using .NET8 and above. To fix macOS and .NET compatibility with the SDK, the CoreFoundation, IOKitFramework, and WinSCard constants have been updated to use absolute paths (/System/Library/Frameworks/...) instead of relative paths (.framework/...) to align with macOS system conventions. (#255)
• Use of the deprecated PivPrivateKey and PivPublicKey types when importing into the new PIV methods is now handled correctly (by throwing an exception). (#231)
• An issue affecting the use of the RSA-3072 and RSA-4096 algorithms with attestation certificates has been fixed. (#230)

Dependencies:

• The Yubico.NET.SDK repository now includes the GitHub dependabot to automate dependency updates for the nuget and dotnet-sdk package ecosystems. (#244)
• Several dependencies across the Core (Yubico.Core.csproj), Integration Tests (Yubico.YubiKey.IntegrationTests.csproj), Sandbox (Yubico.YubiKey.TestApp.csproj), Unit Tests (Yubico.YubiKey.UnitTests.csproj), and Utilities (Yubico.YubiKey.TestUtilities.csproj) projects have been updated to newer versions. (#256, #254, #250)

Deprecations:

• PivEccPublic, PivEccPrivateKey, PivRsaPublic, and PivRsaPrivateKey have been marked as obsolete. Use implementations of ECPublicKey, ECPrivateKey, RSAPublicKey, and RSAPrivateKey instead. (#231)
• The CreateFromPkcs8 methods in the Curve25519PublicKey, ECPublicKey, and RSAPublicKey classes have been marked as obsolete and replaced with new CreateFromSubjectPublicKeyInfo methods. (#243)

All changes:

• github: Add issue type to GitHub issue template by @DennisDyallo in #232
• feat: Expose the cbor raw data from a MakeCredential command by @DennisDyallo in #225
• docs: Changed wording for default management key value and algorithm by @equijano21 in #233
• docs: Corrected docs on attestation statement by @equijano21 in #236
• fix: Fixed bug importing PIV private key in legacy classes by @DennisDyallo in #231
• build(deps): bump setuptools from 70.0.0 to 78.1.1 in /Yubico.YubiKey/examples/python/PythonForNet by @dependabot in #238
• fix,tests: Fixed bug where attest cert could not be RSA3072 or RSA4096, removed obsolete tests and consolidated Piv tests by @DennisDyallo in #230
• docs: New docs covering YubiKey Bio MPE quirks and special considerations by @equijano21 in #237
• ci: Updating windows runners to 2022 by @DennisDyallo in #242
• feat: Implement reading of VersionQualifier into YubikeyDeviceInfo by @DennisDyallo in #240
• feat: Improved documentation site with search, dark mode, sitemap.xml and less cluttered navigation by @DennisDyallo in #241
• docs: Fix docs about encodings for PIV signing command by @YourMJK in #239
• ci: Add dependabot scanning for dependency updates by @DennisDyallo in #244
• refactor: Add consistent docs and proper naming for certain methods for creating keys by @DennisDyallo in #243
• ci: Add comprehensive summary for build by @DennisDyallo in #248
• ci: fix links for build output and add image hash by @DennisDyallo in #249
• Bump Microsoft.SourceLink.GitHub and System.Memory by @dependabot in #250
• Bump Microsoft.Extensions.Logging.Console and 4 others by @dependabot in #254
• Bump coverlet.collector and 11 others by @dependabot in #253
• fix(net47): NativeShims correctly outputs net47 dlls in the correct folders by @DennisDyallo in #211
• fix(macOS): Hard coding the default frameworks path in order to resolve macOS frameworks by @DennisDyallo in #255
• Update dependencies by @DennisDyallo in #256
• Replace Moq with NSubstitute by @DennisDyallo in #258
• Update access modifier of VersionQualifier by @DennisDyallo in #261

New Contributors

• @YourMJK made their first contribution in #239

Full Changelog: 1.13.1...1.13.2

1.13.1 - Patch release

Release date: April 28th, 2025

This release mainly addresses an issue that was affecting FIDO2 on YubiKey 5.7.4 and greater as well as adds support for compressed certificates within the PIV application. It also contains miscellaneous and documentation updates.

Features:

• Support for compressed certificates in the PIV application #219
• Ability to create a FirmwareVersion object through parsing a version string (e.g. 1.0.0) #220

Bug fixes:

• PinUvAuthParam was erroneously truncated which caused failures on multiple FIDO2 commands for YubiKey v 5.7.4 #222

Documentation:

• Updates to challenge-response documentation to improve clarity #221

Miscellaneous:

• Integration tests will now run on Bio USB C keys as well a4c4df.

What's changed

• docs: Minor formatting changes to release notes by @equijano21 in #216
• feat: Support compressed PIV certificates by @AdamVe in #219
• feat: Add FirmwareVersion.Parse(versionString) by @DennisDyallo in #220
• fix: Remove incorrect auth token truncation from various commands by @AaFortner in #222
• docs: Updates to challenge-response documentation to improve clarity by @equijano21 in #221
• Release 1.13.1 by @DennisDyallo in #224

Full Changelog: 1.13.0...1.13.1

1.13.0 - April 2025 Release

Release date: April 9th, 2025

Features:

Curve25519 support has been added for PIV #210:

Keys can now be imported or generated using the Ed25519 and X25519 algorithms.
The key agreement operation can be performed with an X25519 key.
Digital signatures can now be created with a Ed25519 key.
New related unit tests have been added.
Unit tests have been added for RSA-3072 and RSA-4096 keys #197.

Support for large APDUs has been improved #208:

When sending large APDU commands to a YubiKey via the smartcard connection, the CommandChainingTransform will now throw an exception when the cumulative APDU data (sent in chunks of up to 255 bytes) exceeds the max APDU size for the given YubiKey (varies based on firmware version; see SmartCardMaxApduSizes).
Support for Ed25519 and P384 credentials has been added for FIDO #186.

Ubuntu runners have been upgraded from version 20.04 to 22.04 to support the compilation of Yubico.NativeShims #188.

Bug fixes:

The default logger now only writes output for the "Error" log level unless another level is specified #185. Previously, the logger wrote output for all log levels, which could become overly long and difficult to evaluate.

Miscellaneous:

The License was updated to remove the information for the AesCmac.cs file from the Bouncy Castle library #196.

What's changed

• docs: Documentation edits for SCP by @DennisDyallo in #180
• fix: The default logger only writes output for the Error log level unless other is specified by @DennisDyallo in #185
• ci: Only package artifacts on manual trigger (nativeshims) by @DennisDyallo in #187
• ci: Upgrade Ubuntu runners from 20.04 to 22.04 by @DennisDyallo in #188
• Fix failing NativeShims build by @DennisDyallo in #189
• Adding Appcompat.md to toc.tml for visibility on the documentation site by @equijano21 in #190
• misc: Removed Bouncy Castle license by @DennisDyallo in #196
• Feature: Supports enumerating Ed25519 and P521 credentials within FIDO by @DennisDyallo in #186
• merged transport article content into overview by @equijano21 in #195
• Consolidated public, private key and certificate test data into manageable class by @DennisDyallo in #197
• Using PolySharp to allow use of C#13 by @DennisDyallo in #132
• feat: Skip waiting for the first connection to the key by @TimLico in #203
• Rework of docfx docs building-process by @DennisDyallo in #201
• docs: add section on build asset attestation to README by @DennisDyallo in #206
• Add workflow to automate deployment of docs by @ajhall in #207
• Update fido2-auth-tokens.md by @joostd in #212
• fix: Stop send short APDUs when exceeded max APDU size by @DennisDyallo in #208
• Tim/revert initial three seconds delay changes by @TimLico in #213
• feature: Added Ed25519 and X25519 keys to the PIV application by @DennisDyallo in #210
• Release notes for 1.13 by @equijano21 in #214

New Contributors

• @TimLico made their first contribution in #203
• @ajhall made their first contribution in #207
• @joostd made their first contribution in #212

Full Changelog: 1.12.1...1.13.0

1.12.1 - Patch release

Release date: December 19th, 2024

What's Changed

Bug Fixes:

• ConnectionFactory incorrectly using SmartCardConnection by @DennisDyallo in #179
• OathSession now correctly disposes the session in #179

Miscellaneous:

• ci: fixed bug in sign.ps1 by @DennisDyallo in #174

• ci: improvements to sign output by @DennisDyallo in #176

• documentation: Including README.md in the NuGet Packages by @DennisDyallo in #175

• documentation: management key algorithm by @equijano21 in #177

• Release 1.12.1 by @DennisDyallo in #181

Full Changelog: 1.12.0...1.12.1

1.12.0 - December 2024 Release

1.12.0

Release date: December 18th, 2024

Features:

• Security Domain application and Secure Channel Protocol (SCP) (#164):

  • SCP11a/b/c is now supported for the PIV, OATH, OTP, and YubiHSM applications.
  • SCP03 support has been extended to the OATH, OTP, and YubiHSM applications (previously PIV only).
  • The Yubico.YubiKey.Scp namespace now provides all SCP and Security Domain functionality. This namepace replaces functionality in the Yubico.YubiKey.Scp03 namespace, which has been deprecated.
  • The new SecurityDomainSession class provides an interface for managing the Security Domain application of a YubiKey. This includes SCP configuration (managing SCP03 key sets and SCP11 asymmetric keys and certificates) and creation of an encrypted communication channel with other YubiKey applications.
  • New key parameter classes have been added: ScpKeyParameters, Scp03KeyParameters, Scp11KeyParameters, ECKeyParameters, ECPrivateKeyParameters, ECPublicKeyParameters.

• YubiKeyDeviceListener has been reconfigured to run the listeners in the background instead of the main thread. In addition, the listeners can now be stopped when needed to reclaim resources. Once stopped, the listeners can be restarted. (#89)

• Microsoft.Extensions.Logging.Console is now the default logger. To enable logging from a dependent project (e.g. unit tests, integration tests, an app), you can either add an appsettings.json to your project or use the ConfigureLoggerFactory. (#139)

• The SDK now uses inferred variable types (var) instead of explicit types in all projects except Yubico.Core. This change aims to improve code readability, reduce verbosity, and enhance developer productivity while maintaining type safety. (#141)

Bug Fixes:

• The PivSession.ChangeManagementKey method was incorrectly assuming Triple-DES was the default management key algorithm for FIPS keys. The SDK now verifies the management key alorithm based on key type and firmware version. (#162, #167)
• The SDK now correctly sets the IYubiKeyDeviceInfo property IsSkySeries to True for YubiKey Security Key Series Enterprise Edition keys. (#158)
• Exceptions are now caught when running PivSession.Dispose. This fixes an issue where the Dispose method could not close the Connection in the event of a disconnected YubiKey. (#104)
• A dynamic DLL resolution based on process architecture (x86/x64) has been implemented for NativeShims.dll. This fixes a reported issue with the NativeShims.dll location for 32-bit processes. (#154)

Miscellaneous:

• Users are now able to verify that the NuGet package has been generated from our repository using Github Attestations (#169) like this:

  > gh attestation verify .\Yubico.Core.1.12.0.nupkg --repo Yubico/Yubico.NET.SDK

Deprecations:

• Yubico.YubiKey/Scp03 namespace.
• All Yubico.Yubikey.StaticKeys endpoints.

Migration Notes:

• Use the SecurityDomainSession for Security Domain operations.
• Review your logging configuration if using custom logging.
• Align with Android/Python SDK naming conventions.

Full Changelog: 1.11.0...1.12.0

1.11.0 - June 2024 Release

Release date: June 28th, 2024

This release introduces significant enhancements and new features for YubiKeys running the latest firmware (version 5.7) and YubiKey Bio/Bio Multi-Protocol Edition keys. Highlights include temporary disablement of NFC connectivity, PIN complexity status, support for RSA 3072 and 4096-bit keys, and support for biometric verification. Additionally, USB reclaim speed has been optimized and adjustments to the touch sensor sensitivity have been implemented. For details on all changes, see below.

Features:

• Support for YubiKeys with the latest firmware (version 5.7):
  • NFC connectivity can now be temporarily disabled with SetIsNfcRestricted() (#91).
  • Additional property pages on the YubiKey are now read into YubiKeyDeviceInfo (#92).
  • PIN complexity:
    • Complexity status can now be checked with IsPinComplexityEnabled (#92).
    • PIN complexity error messages and exceptions have been added (#112).
  • The set of YubiKey applications that are capable of being put into FIPS mode can be retrieved with FipsCapable. The set of YubiKey applications that are in FIPS mode can be retrieved with FipsApproved (#92).
  • The part number for a key’s Secure Element processor, if available, can be retrieved with PartNumber (#92).
  • The set of YubiKey applications that are blocked from being reset can be retrieved with ResetBlocked (#92).
  • PIV:
    • 3072 and 4096 RSA keys can now be generated and imported (#100).
    • Keys can now be moved between all YubiKey PIV slots except for the attestation slot with MoveKeyCommand. Any PIV key can now be deleted from any PIV slot with DeleteKeyCommand (#103).
• Support for YubiKey Bio/Bio Multi-Protocol Edition keys:
  • Bio metadata can now be retrieved with GetBioMetadataCommand (#108).
  • New PIV PIN verification policy enum values (MatchOnce, MatchAlways) have been added (#108).
  • Biometric verification is now supported (#108).
  • A device-wide reset can now be performed on YubiKey Bio Multi-protocol keys with DeviceReset (#110).
• The USB reclaim speed, which controls the time it takes to switch from one YubiKey application to another, has been reduced for compatible YubiKeys. To use the previous 3-second reclaim timeout for all keys, see UseOldReclaimTimeoutBehavior (#93).
• The sensitivity of the YubiKey’s capacitive touch sensor can now be temporarily adjusted with SetTemporaryTouchThreshold (#95).

Bug fixes:

• The ManagementKeyAlgorithm is now updated when the PIV Application is reset (#105).
• macOS input reports are now queued so that large responses aren't dropped (#84).
• Smart card handles are now opened shared by default. To open them exclusively, use OpenSmartCardHandlesExclusively with AppContext.SetSwitch (#83).
• A build issue that occurred when compiling Yubico.NativeShims on MacOS has been fixed (#109).
• The correct certificate OID friendly names are now used for ECDsaCng (nistP256) and ECDsaOpenSsl (ECDSA_P256) (#78).

Miscellaneous:

• The way that YubiKey device info is read by the SDK has changed, and as a result, the following GetDeviceInfo command classes have been deprecated (#91):
  • Yubico.YubiKey.Management.Commands.GetDeviceInfoCommand
  • Yubico.YubiKey.Otp.Commands.GetDeviceInfoCommand
  • Yubico.YubiKey.U2f.Commands.GetDeviceInfoCommand
  • Yubico.YubiKey.Management.Commands.GetDeviceInfoResponse
  • Yubico.YubiKey.Otp.Commands.GetDeviceInfoResponse
  • Yubico.YubiKey.U2f.Commands.GetDeviceInfoResponse
• Integration test guardrails have been added to ensure tests are done only on specified keys. (#100).
• Unit tests were run on all platforms in CI (#80).

Dependencies:

• The test packages xUnit and Microsoft.NET.Test.Sdk have been updated (#94).

New Contributors

• @alanssitis made their first contribution in #78
• @GregDomzalski made their first contribution in #83
• @twistedstream made their first contribution in #97
• @equijano21 made their first contribution in #102
• @AdamVe made their first contribution in #109
• @jamiehankins made their first contribution in #120

Full Changelog: 1.10.0...1.11.0

1.10.0 - April 2024 Release

Release date: April 10th, 2024

This release improves our native dependencies exposed through the Yubico.NativeShims package. We have also worked to improve the build and test experience of this repository by improving our automation and build files.

Changes:

• Yubico.NativeShims targets OpenSSL version 3.x on all platforms - OpenSSL v1.1.x has reached end-of-life. The SDK now removes this dependency on all platforms, now upgrading to the supported 3.x version.
• Dropped support for 32-bit Linux - Yubico.NativeShims no longer builds for 32-bit (x86) Linux. We now depend on Ubuntu releases that contain OpenSSL 3.x by default. These newer releases no longer have mainstream support for this platform.
• Compilation hardening of Yubico.NativeShims - Added commonly used compiler flags to increase security and code quality
  MacOS / Linux:
  -Wformat: Warn about format string issues in printf-like functions.
  -Wformat-nonliteral: Warn about format strings that are not string literals.
  -Wformat-security: Warn about potential security issues related to format strings.
  -Wall: Enable most warning messages
  -Wextra: Enable some additional warning messages not included in -Wall
  -Werror: Treat all warnings as errors
  -Wcast-qual: Warn when casting away const-ness
  -Wshadow: Warn when a local variable shadows another variable
  -pedantic: Issue warnings for language features beyond the C standard
  -pedantic-errors: Treat pedantic warnings as errors
  -Wbad-function-cast: Warn about dubious function pointer casts
  -O2: Optimize code for performance
  -fpic: Generate position-independent code
  -fstack-protector-all: Enable stack protection for all functions
  -D_FORTIFY_SOURCE=2: Enable runtime and compile-time checks for certain security-critical functions
  Windows flags:
  /guard:cf: Enable control flow guard security feature
  /GS: Enable buffer security check
  /Gs: Control stack security check
• Addressed compiler warning concerning Runtime Identifiers (RID)
• Enabled dotnet format - The repository now uses dotnet format to ensure that pull requests adhere to the repository's coding standards. A pass of the tool has been run against the entire repository and a new baseline has been checked in.

1.9.1 - November bugfix release

Release date: November 14th, 2023

Bug fixes:

• SCard handle contention. Previously, the SDK was opening all smart card handles with
  shared permissions, meaning that other applications and services were still able to interact
  with the YubiKey while the SDK performed smart card operations. However, this allowed these
  other entities (such as smart card minidrivers) to alter the current state of the YubiKey
  without the SDK's knowledge. This would sometimes cause random failures and exceptions to
  occur when using the SDK. The SDK now opens the handle exclusively, which means other
  applications will not be able to open the smart card handle for read and write operations
  while the SDK is using it. Callers should take care to not keep a YubiKey connection or
  session open longer than is needed.
• Config changes over FIDO2. The YubiKey Management commands are now available over all
  three logical USB interfaces (HID keyboard, HID FIDO, and smart card). The SDK will typically
  use the first available interface, giving some preference to the smart card. Previously,
  this operation would have failed on FIDO-only devices as the management commands were not
  properly wired up over this interface.

Miscellaneous:

• Dependency updates. The dependencies of the SDK were updated to the latest packages
  available. Since the SDK itself does not take many dependencies outside of the .NET Base
  Class Libraries (BCL), there should not be much of a noticeable impact. The two that
  affect the SDK itself (and not just test code) are:
  • Microsoft.Extensions.Logging.Abstractions (6.0.1 -> 7.0.1)
  • System.Memory (4.5.4 -> 4.5.5)

1.9.0 - October 2023 release

Release date: October 13th, 2023

Features:

• FIDO2 PIN Config. The PIN config feature, if supported by the connected YubiKey, is a set of operations: set the minimum PIN length, force a PIN change, and return a minimum PIN length to a relying party.
• FIDO2 GUI option for sample code. There is now a version of the FIDO2 sample code that uses Windows Forms. This GUI version of the sample code is provided mainly to demonstrate how to build touch and fingerprint notifications in a KeyCollector. This sample code runs only in a Windows environment.
• SCP03 CMAC added to CryptographyProviders. SCP03 operations rely on the AES-CMAC algorithm, and, starting in this release, they will call on the CryptogrphyProviders class to retrieve an implementation. The default implementation uses OpenSSL.
• SCP03 keys. This release adds the ability to change SCP03 key sets. This includes replacing the default key set, adding new key sets, and removing key sets. This is done using the new Scp03Session class.
• SCP03 architecture. The process for building an SCP03 connection was updated. The previous method (Yubico.YubiKey.YubiKeyDeviceExtensions.WithScp03()) is now deprecated, and the new method (Yubico.YubiKey.IYubiKeyDevice.ConnectScp03()) simply requires passing in the SCP03 key set in addition to the application to connect to. Additionally, a convenience constructor has been added to PivSession that accepts the SCP03 static keys Yubico.YubiKey.Piv.PivSession(IYubiKeyDevice, Scp03.StaticKeys).
• SCP03 documentation. The User's Manual article on SCP03 was updated to provide more comprehensive information.

1.8.0 - June 2023 release

Release date: June 30th, 2023

Features:

• FIDO2 Bio Enroll. This allows enrolling and enumerating fingerprint templates. In addition, the SDK implemented fingerprint verification for FIDO2 and incorporated it into the automatic verification process.
• FIDO2 Authenticator Config Operations. This is a series of new methods that allow the programmer to perform some esoteric FIDO2 configuration operations, such as enabling enterprise attestation and increasing the minimum PIN length.
• FIDO2 Update Credential Management to Support CredentialMgmtPreview. Some older YubiKeys do not support the "credential management" feature (enumerate credentials, delete credentials, and others), but do support the "credential management preview" feature. This is the same as "credential management" except that the preview version does not include "Update User Info". The credential management commands and Fido2Session methods now support "Preview", meaning calls to the credential management methods (e.g. Fido2Session.EnumerateRelyingParties) will work on older YubiKeys that support "CredentialMgmtPreview", just as the newer YubiKeys.
• FIDO2 HMAC Secret Extension and CredProtect Extension. These are oft-used extensions, and the SDK now has methods to make using them easier (e.g. MakeCredentialParameters.AddHmacExtension and AuthenticatorData.GetHmacSecretExtension).
• FIDO2 Encoded Attestation The full encoded attestation statement is available when making a credential. This is useful if you are implementing or interoperating with the WebAuthn data types. That is, it is often easier to copy this field in its encoded form rather than using the parsed properties.
• FIDO2 Update Sample Code. The FIDO2 sample project now contains examples that perform bio enroll, credential management, authenticator config, HMAC secret, and credProtect operations.
• OTP Documentation Updates. There are new articles and information about slots (e.g. access codes, deleting), new articles on Hotp (what it is and programming an Hotp credential), new articles on static passwords (what it is and programming a slot to contain a static password), and a new article on updating slots, including manual update.

Bug Fixes:

• NFC response code in FIDO2 now handled properly.
• Community contribution by @jkolo that fixes high CPU usage on Linux due to the HID device listener not blocking properly. Thanks, @jkolo !