New features:
- Support for YubicoPIV 5.7.x features:
  - Ed25519 keys/certs
  - RSA3072/4096 keys/certs
  - AES-192 default admin key
- Full support for extended-length APDUs, reducing latency during enumeration and signing with hash-on-card algorithms (like Ed25519)
- pivy-zfs: now compatible with current OpenZFS releases (2.3.x), and current illumos ZFS
- pivy-tool: new delete-cert command
- certs: support for generating certs with multiple UPN SANs, IKE certs, cert policy extensions
Bugs fixed:
- pivy-box: stop -b batch mode prompting for PIN
- pivy-box, pivy-agent: better audit logging with ECDH operations and the rebox extension
- pivy-agent: fix notify-send options and newlines for GNOME 46+
- pivy-zfs, pivy-ca: exit cleanly on invalid options
- pivy-ca: include SPKI extension on subordinate CAs
- certs: include keyEncipherment KU on RSA computer certs (so they can be used for IKE)
- pivy-tool: init command crashes on some errors
- updated bundled libressl to 3.9.2, openssh to 9.9p1
- CBMC formal verification of some components (a decent chunk of the code which runs unconditionally against device-provided data is now being formally verified): TLV parser, PIV RTS parser, cardcap parser, CHUID parser, FASC-N parser