Releases: Yubico/yubikit-ios

YubiKit 3.0.0

16 Dec 18:41
86e341a

Updated the list of supported devices (and the list of devices that don't support NFC)

Improvements to NFC API:

  • Allows multiple tags to be scanned during one open NFCSession
  • Added a method to customize the NFC alert message at any state of the NFC session (see nfcScanAlertMessage for the initial text message, nfcScanSuccessAlertMessage and setAlertMessage for updating the message when the NFC session is already open)
  • Exposes iso7816SessionError to check why the session was closed

Some improvements to OATH service:

  • Supports YubiKey NEO, which returns a response without an algorithm tag on applet selection
  • Allows renaming credentials that were scanned with a QR code

YubiKit 3.0.0 Preview

04 Nov 23:15
Pre-release

To use YubiKit 3.0.0-Preview, the application needs to be compiled with Xcode 11 or newer (iOS 13 SDK).

3.0.0-Preview [2.0.1 -> 3.0.0-Preview]
This version now supports NFC-Enabled YubiKeys for FIDO2. Note: All NFC capabilities (except Yubico OTP) require iOS 13+ on the user's device. See NFC-Notes.md for more details on the addition of NFC support and notable changes to the key sessions.

The YubiKit 3.0.0-Preview adds support for ISO 7816 tags which allows your application to use the FIDO2 functionality of the YubiKey over NFC on devices running iOS 13 or newer.

The FIDO2 protocol implementation now supports any NFC-Enabled YubiKey, in addition to the YubiKey 5Ci. The library provides examples for implementing FIDO2 over an accessory (YubiKey 5Ci) or NFC. In addition, the YubiKit Demo application provides an end-to-end solution for both protocols.

Adds support for OATH protocol over NFC on devices running iOS 13 or newer. Also wraps and simplifies raw APDU communication with NFC-Enabled YubiKeys.

Note: There are some breaking changes. See the Refactoring Changes section in NFC-Notes.md.

YubiKit 2.0.1

23 Sep 12:12

2.0.1 [2.0.0 -> 2.0.1]

  • Fixed an edge case for CCID when the WTX responses are concatenated with the payload. This issue mostly affects the calculation of OATH credentials with touch.

  • Added the possibility to attach a custom application logger to process the library logs. For more details check the Examples/CustomLogger in the YubiKit Demo application.

  • Several other improvements to OATH, including the possibility to create OATH credentials without issuer and the ability to read and add credentials with 7 digits.

YubiKit 2.0.0

19 Aug 10:15

2.0.0 [2.0.0 RC1 -> 2.0.0]

  • The internal CBOR encoder used by the FIDO2 API is now sorting the map keys according to canonical CBOR rules when the keys are text strings. This fixes a bug with the order of the keys in the webauthnAttestationObject returned by the YKFKeyFIDO2MakeCredentialResponse.

  • Improved the error handling when the applications are disabled on the YubiKey. In case of FIDO (FIDO2 and U2F) the application is shared (the CTAP specifications use the same AID). In this specific scenario, when only one of them is enabled, YubiKit was returning YKFKeyAPDUErrorCodeInsNotSupported. Now the library will return YKFKeySessionErrorMissingApplicationCode when trying to use the disabled application, similar to the scenario when both applications are disabled.

  • Added a new constant, YKFKeyFIDO2GetInfoResponseOptionUserVerification, which can be used to test if the authenticator supports UV (User Verification). Removed from the YubiKit Demo application the explicit set of the UV options flag when creating FIDO2 credentials or getting assertions because the YubiKey 5Ci is not capable of verifying the user within itself. This update is available from firmware version 5.2.x and reflects the latest CTAP2 specifications.

  • Renamed the supportsLightningKey property from YubiKitDeviceCapabilities to supportsMFIAccessoryKey. The property will also return NO/false when the iOS device has a USB-C connector, such as the iPad Pro 3rd generation. These devices do not officially support MFi external accessories.

  • Renamed several classes, properties and UI labels in the YubiKit Demo application to not use the term Lightning. This change was made to avoid possible trademark issues with this term.

  • Some minor improvements to the PC/SC API to dynamically read some properties, like the name and the model of the key, from the YKFKeySession instead of returning hardcoded values.

  • Several OATH improvements, including support for touch credentials and improved compatibility with other libraries/applications which implement the YOATH protocol, such as Yubico Authenticator for Android and desktop.

  • Improved the ability to manually build OATH credentials using the YKFOATHCredential model provided by the library.

  • The build.sh script will generate a release-universal flavour of the library, together with the previous flavours (release and debug-universal).

YubiKit 2.0.0 RC1

28 Jun 10:47
Pre-release

2.0.0 RC1 [2.0.0 B8 -> 2.0.0 RC1]

  • The YKFKeyFIDO2MakeCredentialResponse has two new properties: ctapAttestationObject and webauthnAttestationObject:

    • The ctapAttestationObject is identical to the rawResponse from the key. This attestation format follows the CTAP2 specifications for packing the attestation object from the authenticator. In this format the top level CBOR map is using numeric keys for authData, fmt and attStmt.
    • The webauthnAttestationObject is similar to the ctapAttestationObject. The only difference is in the top level CBOR map keys which are text, as defined in the WebAuthN Attestation Object specifications.
  • The attStmt property from the YKFKeyFIDO2MakeCredentialResponse is an opaque object now (NSData/Data) instead of a parsed CBOR map to comply with the CTAP2 specifications on how the clients need to handle this object.

  • The U2F external accessory protocol support has been removed from both YubiKit and the YubiKit Demo application. From this version the library supports only the com.yubico.ylp external accessory protocol. Make sure to remove the U2F protocol from the application Info.plist file before submitting the application for an AppStore review.

  • The YubiKitDeviceCapabilities contains a new property: supportsLightningKey. This property should be used in the application before starting the key session. If the check is not performed, in debug builds the library will assert when trying to start the key session on an unsupported iOS version. This property returns YES/true when:

    • the iOS version is iOS 10 or newer.
    • the iOS version is not in a blacklist of versions where the external accessories don't work due to iOS bugs.
  • Moved the WebAuthN clientData into the library. The new class provided by the library is called YKFWebAuthnClientData. This change avoids duplicate implementations of the Client Data in every application which could lead to different results when using the FIDO2 APIs. When using Swift 5, this change avoids a random memory corruption of the old implementation from the YubiKit Demo application, when creating and passing the data to the library. Make sure to use the new implementation if the demo application code was reused.

  • Several improvements and bug fixes to the logging of the library in debug builds. In debug builds the library checks whether the application is configured properly when starting the key session by looking at the application external accessory protocols.

  • The firmware version, available in YKFKeyDescription.firmwareRevision, now returns the format [major].[minor].[patch] instead of a number.

  • Improvements and bug fixes to the YubiKit Demo application:

    • Removed a bug in the Other demos, Raw Commands where the logs were wiped immediately after running a demo, if the flow was successful.
  • Several internal library improvements related to: debug assertions, unit testability and performance.
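
The key-ordering fix in 2.0.0 and the ctapAttestationObject/webauthnAttestationObject distinction in 2.0.0 RC1 can be seen side by side in the following added example, which is not YubiKit code: a minimal Python CBOR encoder (unsigned integers, byte strings, text strings and maps only) that applies the CTAP2 canonical key order and re-keys a constructed CTAP map with the WebAuthn text keys. The function names and sample values are assumptions made for the illustration.

```python
# Added illustration, not YubiKit code. Supports only the CBOR types needed here.
CTAP_TO_WEBAUTHN = {1: "fmt", 2: "authData", 3: "attStmt"}  # CTAP2 numeric keys

def _head(major: int, n: int) -> bytes:
    """Initial byte (major type + argument) in the shortest form."""
    if n < 24:
        return bytes([major << 5 | n])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([major << 5 | info]) + n.to_bytes(size, "big")
    raise ValueError("value does not fit in a CBOR argument")

def encode(obj) -> bytes:
    """Encode unsigned ints, bytes, str and dict in CTAP2 canonical CBOR."""
    if isinstance(obj, bool):
        raise TypeError("booleans are outside this sketch")
    if isinstance(obj, int) and obj >= 0:
        return _head(0, obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        return _head(3, len(raw)) + raw
    if isinstance(obj, dict):
        pairs = [(encode(k), encode(v)) for k, v in obj.items()]
        # Canonical order: lower major type first, then shorter encoded key,
        # then byte-wise comparison. Insertion order of the dict is ignored.
        pairs.sort(key=lambda kv: (kv[0][0] >> 5, len(kv[0]), kv[0]))
        return _head(5, len(pairs)) + b"".join(k + v for k, v in pairs)
    raise TypeError(f"unsupported type: {type(obj).__name__}")

def webauthn_attestation_object(ctap_map: dict) -> bytes:
    """Re-key a decoded CTAP attestation map with the WebAuthn text keys."""
    return encode({CTAP_TO_WEBAUTHN[k]: v for k, v in ctap_map.items()})

# Constructed sample: "none" attestation, empty attStmt, 4-byte stand-in for
# authData (real authenticator data is longer).
SAMPLE_CTAP = {1: "none", 2: b"\x01\x02\x03\x04", 3: {}}

if __name__ == "__main__":
    print("ctap    :", encode(SAMPLE_CTAP).hex())
    print("webauthn:", webauthn_attestation_object(SAMPLE_CTAP).hex())
```

With text keys the canonical order is fmt, attStmt, authData, because shorter keys sort before longer ones; the numeric CTAP keys keep the order 1, 2, 3.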