=== Version 2.7.0

lib: shell: pkcs11: Add support for compressing X509Certificate before import
shell: Add subcommand to generate certificate signing request (CSR)
test: Increase test coverage

=== Version 2.6.0

lib: shell: pkcs11: Add support for asymmetric wrap
pkcs11: Add support for PKCS11 3.0
shell: Fix opening a session using credentials stored on a YubiKey
build: Always compile with YubiHSM Auth enabled

=== Version 2.5.0

pkcs11: Add support for applying KDF after ECDH derivation
pkcs11: Shell: Fix minor bugs
test: Increase test coverage

=== Version 2.4.2

pkcs11: Add Symmetric key capabilities to searchable criteria
pkcs11: Add support for CKA_KEY_TYPE when searching for objects
pkcs11: Add support for CKA_MODIFIABLE and CKA_COPYABLE attributes for AES and Wrap keys
test: Increase test coverage

=== Version 2.4.1

pkcs11: Security update for https://www.yubico.com/support/security-advisories/ysa-2023-01/[YSA-2023-01]
pkcs11: Allow only a user with access to all the object's domains to edit its attributes
pkcs11: Allow for the creation of an asymmetric key even if CKA_ID or CKA_LABEL attribute values for the private and public key are different.
pkcs11: Improve backup capabilities of objects whose attributes have been changed
pkcs11: Add support for CKA_ALLOWED_MECHANISMS
pkcs11: Fix CKA_SENSITIVE and CKA_PRIVATE return value for opaque objects
pkcs11: Add support for CKA_EXTRACTABLE for imported certificates
pkcs11: Fix regression that only allowed encryption with private keys
lib: pkcs11: Delay client side MAC check to avoid leaving unauthenticated sessions open
shell: Fix handling of ED25519 keys
build: Update release script for Centos7
build: Fix paths in pkg-config template
build: Set linker flags by platform
test: Improve test coverage

=== Version 2.4.0

lib: shell: pkcs11: Add support for symmetric encryption, AES-ECB and AES-CBC (Requires firmware version 2.3 and later)
shell: Enable asymmetric authentication by default (Requires firmware version 2.3 and later)
shell: Allow hex format when creating symmetric authentication key
shell: Improve usage of the list command
shell: Allow yubihsm-auth reader to be specified
shell: Enable backend TLS support in the command line
pkcs11: Add support for modifying CKA_ID and CKA_LABEL attribute values
pkcs11: Improve handling of attributes
pkcs11: Improve debug output
pkcs11: Improve error handling
pkcs11: Change in firmware/harware version representation. The version as reported by C_GetSlotInfo and C_GetTokenInfo will now show minor*10+patch, instead of minor*100+patch
build: Dependecy updates

=== Version 2.3.2

shell: Remove limit on input file size
shell: pkcs11: build: Minor improvements

=== Version 2.3.1

lib: Fix handling errors received from the YubiHSM
shell: Enforce valid DER certificate when importing a certificate
shell: Support PEM in-format when importing a certificate
shell: pkcs11: Fix minor memory leaks
pkcs11: Better handling of invalid input
build: Better build experience on MacOS
build: Better usage of security flags
build: Improve scripts to build debian packages
test: Improve testing

=== Version 2.3.0a

build: Enable additional hardening flags when building with CMake < 3.14

=== Version 2.3.0

lib: Security update for https://www.yubico.com/support/security-advisories/ysa-2021-04/[YSA-2021-04]
lib: Improve backend loading on Windows
lib: Add support for ecdh primitives using bcrypt on Windows
lib: cli: Improve error handling
lib: pkcs11: Add more connection option
lib: pkcs11: cli: Fix minor bugs
cli: Rename set-option to put-option and add support for get-option
pkcs11: Add support for RSA encryption
yubihsm-auth: No PSCS reader name filtering by default
build: Add version details to yubihsm_pkcs11 module and libykhsmauth library files on Windows
build: Make minimum CMake version required 3.5
test: Improved testing

=== Version 2.2.0

shell: Enable ykhsmauth to be used from commandline
ykhsmauth: lib: Add support for YubiCrypt authentication
yubihsm-auth: Add CLI for YubiCrypt authentication

=== Version 2.1.0

lib: Security update for https://www.yubico.com/support/security-advisories/ysa-2021-01/[YSA-2021-01]
lib: Add FIPS-mode option
lib: Add support for rsa-pkcs1-decrypt algorithm
lib: shell: Add support for OTP AEAD rewrap
shell: Add support writing attestation certificate to a file
pkcs11: Add support for CKA_TRUSTED attribute
all: Fix potential memory leaks
all: Improve error handling
doc: Clarify the minimum length of the password used with PKCS11

=== Version 2.0.3

all: Move away from archaic offensive terms
all: Update build scripts to account for changes in newer MACOS
all: Build on Windows with Visual Studio 2019
pkcs11: Enable .Net to load yubihsm-pkcs11.dylib
lib: Fix memory leaks
lib: Security fixes
lib: Add a session identifier for the backend
lib: Make the backend more thread-safe on Windows
shell: Honor the base64 format when returning a public key
shell: Honor the PEM format when returning a certificate
shell: Improve parsing of command line arguments when using OAEP decryption
shell: Add support for special (national) characters
test: Improve testing

=== Version 2.0.2

yhauth: Report touch policy as part of the "list" command
ykyh: Allow reading the password from stdin
yhwrap: Fix wrapping of ED25519 keys
shell: Fix ED25519 public key PEM formatting
shell: Replace unprintable characters in the object label with '.'
ci: Fail early if DEFAULT_CONNECTOR_URL is not set
ci: Update homebrew dependencies
build: Add two bionic-based builds
build: Fix 32-bit Windows builds with mingw32/gcc7
build: Ensure that PCSC is not automatically used on Windows
tool: Stop the timer for keepalive functionality while reading the password string
misc: Allow disabling link time optimization.
misc: Fixes and improvements to build, work and test on FreeBSD.

=== Version 2.0.1

shell: Add "blink-device" command in CLI mode
shell: Add "set-log-index" command to CLI mode
shell: Add "exit" as an alias to the "quit" command.
shell: Add an optional output file to "audit get" command
shell: No openning a session for commands that do not need one
shell/yhwrap/pkcs11: open all files in binary mode to keep Windows from changing line ends
shell: Install the sigalarm handler in CLI mode
build: Add support for installing to lib64 on Fedora
build: Only use LTO on clang > 7
build: Add a library only build option
examples: Improve code examples
test: Tests are improved and are better adapted for MacOS
pkcs11/tests: Only run ecdh engine tests on openssl 1.1+
lib: Improve handling of device memory
lib: Allow both USB and HTTP support to be compiled in static library
lib: Implement signing using sign-eddsa
lib: Add the possibility to generate authkey specifying all the capabilities in their string form
lib/curl: Include the curl strerror in debug when a connection fails
doc: Improvement in documentation, README files and command help

=== Version 2.0.0

lib: Fix issue with session creation if the authentication key ID is too high
lib: Fix a potential issue with memory operations
lib: Fix a potential issue with data left after previous transactions or connections
lib: Better documentation of arguments
lib: Better handling of errors
lib: Rename object types, algorithms, capabilities, commands, command options and errors
lib: API improvements
lib: Add a feature to derive an authentication key from a password
lib: Add a feature to change an authentication key
pkcs11: Added support for C_DeriveKey()
shell: More efficient use of the keepalive function
shell: More efficient handling of sessions when a connection is terminated
shell: Change keepalive command to a toggle (on/off) 
tests: Make code examples compile
tests: Add support for running tests using direct USB connection
all: Drop unused files
all: Re-organization of file structure
doc: Drop documentation from the code base and moved the content to Yubico's developers website (https://developers.yubico.com/YubiHSM2/)

=== Version 1.0.4

pkcs11: Fix a potential issue with RSA bit calculation in C_GetMechanismInfo()
pkcs11: Fix a case where we return the wrong error from C_GetMechanismList()
pkcs11: Add a way for users to pass in options over the API to C_Initialize()
connector: Fix a race condition when the usb state was re-created.
connector: Better error reporting in some failure cases.
connector: Fix issues where the connector could hang on Windows.
connector: Fix an issue where the connector would not reconnect on Windows.
shell: Fix an issue with importing HMAC keys.

=== Version 1.0.3

shell: Handle return values from reset correctly on windows.
connector: Return HTTP errors when operations fail.
lib: Handle HTTP errors correctly on windows.
lib: Fix printing of time in debug on windows.
pkcs11: Fix a problem in C_FindObjects() where not all items would be returned

=== Version 1.0.2

lib: Fix connect timeout on windows
lib: Fix debugging to file
lib/pkcs11/shell: Openssl 1.1 compatibility
lib: Mark internal symbols as hidden correctly
pkcs11: Fix an error case leaving the session in a broken state
pkcs11: Start session IDs from 1, not 0
pkcs11: Add option to set connect timeout
pkcs11: Accept C_SetAttributeValue() for CKA_ID and CKA_LABEL if unchanged
setup: Fix broken debian package
shell: Implement decrypt-ecdh in non-interactive mode
connector: On Windows use internal USB libraries instead of libusb
connector: Implement Host header allow listing (Use to prevent DNS rebinding attacks in applicable environments, e.g., if there is an absolute need to use a web browser on the host where the Yubihsm2 is installed to connect to untrusted web sites on the Internet. This is not a recommended practice.)

=== Version 1.0.1

shell: Fix hashing so signing from windows shell works
shell: Sorted output
pkcs11: Handle ecdsa with longer hash than key
pkcs11: Correct error for trying to extract EC key
pkcs11: Fix native locking on windows
pkcs11: Correct linking on macos
lib: Fix logic in session re-use
lib: Mark all internal symbols as hidden
ksp: Handle passwords longer than 8 characters
all: Provide deb packages on debian/ubuntu

=== Version 0.2.1

doc: add Compatibility.adoc
doc: fixup GET LOGS text
doc: fixup GET LOGS stanza
doc: fixup GET OBJECT INFO text
doc: add text about pkcs11 configuration
examples/attest: add reading out of cert after loading it
examples/import_rsa: change import_rsa example to use pss signing
examples: add wrap_data example
examples: change all examples to use yh_parse_domains
lib/tool/doc: add blink command
log: add yh_set_connector_option for transport options
lib: give create_session functions a reopen option
lib: add OBJECT_EXISTS error
lib: allow yh_util_get_object_info to not fill in an object
lib: implement yh_util_reset
lib: new function for setting debug output: yh_set_debug_output
pkcs11: add CKA_ENCRYPT and CKA_VERIFY to public keys
pkcs11: add an offset to the vendor defined values
pkcs11: add checks for boolean attributes we just accept
pkcs11: add configfile options for setting verbosity
pkcs11: add debug output file to pkcs11 config
pkcs11: don't set CKF_DECRYPT for pkcs+hash mechanisms
pkcs11: fix verify for CKM_RSA_PKCS_PSS
pkcs11: fixup for C_FindObjectsInit being called without logging in
pkcs11: fixup session release in C_CloseSession
pkcs11: ignore CKA_APPLICATION in object filtering
pkcs11: ignore CKA_KEY_TYPE in C_FindObjectsInit
pkcs11: in C_FindObjectsInit make more initial state earlier
pkcs11: in C_FindObjectsInit set operation type as late as possible
pkcs11: in C_GetSlotList detect overflow more reliably
pkcs11: move CKA_ENCRYPT and CKA_VERIFY from hard true on pubkey
pkcs11: move CKA_VERIFY and CKA_ENCRYPT from hard true for ec pubkey
pkcs11: move wrap/unwrap on rsa generate to unchecked
pkcs11: never try to delete a public key, lie and say it's fine instead
pkcs11: print more debug info on OAEP mechanism error
pkcs11: remove some skipped pkcs11test tests, we fail them correctly
pkcs11: return CKR_ATTRIBUTE_SENSITIVE on CKA_PRIVATE_EXPONENT
pkcs11: truncate CKA_ID to two bytes if it's longer
pkcs11: when closing the debug output file, reset it to stderr
tool: drop local connector spawn code
tool: add decrypt ecdh command
tool: add decrypt oaep command
tool: add output for decrypt pkcs1v15
tool: cleanup created objects after benchmark
tool: fixup otp decrypt that has to hex decode the otp
tool: for ecdh benchmarks delete the temporary key
tool: print a message when doing benchmark setup
tool: make the reset command print nicer messages
yhwrap: add hmac key pre-split
