0.23.14 (stable)

 * proxy: Avoid invalid memory access when unloading proxy module [PR#180]

 * Update pkcs11 header to allow SoftHSMv2 to compile [PR#181]

 * build: Restore libpthread dependency [PR#183]

 * Build fixes [PR#188]

0.23.13 (stable)

 * server: Enable socket activation through systemd [PR#173]

 * rpc-server: p11_kit_remote_serve_tokens: Allow exporting all modules [PR#174]

 * proxy: Fail early if there is no slot mapping [PR#175]

 * Remove hard dependency on libpthread [PR#177]

 * Build fixes [PR#170, PR#176]

0.23.12 (stable)

 * Fix compile error when PKCS#11 GNU calling convention is enabled [PR#160]

 * Fix getauxval() and secure_getenv() emulation on macOS and FreeBSD [PR#167]

 * Build and test fixes on macOS [PR#162, PR#168]

0.23.11 (stable)

 * trust: Add extractor for edk2/cacerts.bin [PR#139]

 * modules: Add option to control module visibility from proxy [PR#140]

 * trust: Prevent trust module being loaded by proxy module [PR#142]

 * library: Use dedicated locale object for printing error [PR#148]

 * Treat CKR_CRYPTOKI_ALREADY_INITIALIZED correctly [PR#134]

 * Improve const correctness for P11KitUri [PR#152]

 * PKCS#11 URI scheme comparison is now case insensitive [PR#156]

 * Build and test fixes [PR#151, PR#149, PR#141, PR#138, PR#135]

0.23.10 (devel)

 * filter: Respect "write-protected" vendor-specific attribute in

   PKCS#11 URI [PR#129]

 * server: Improve shell integration and documentation [PR#107, PR#108]

 * proxy: Reuse existing slot ID mapping in after fork() [PR#120]

 * trust: Forcibly mark "Default Trust" read-only [PR#123]

 * New function p11_kit_override_system_files() which can be used for

   testing [PR#110]

 * trust: Filter out duplicate extensions [PR#69]

 * Update translations [PR#128]

 * Bug fixes [PR#125, PR#126]

0.23.9 (devel)

 * Fix p11-kit server regressions [PR#103, PR#104]

 * trust: Respect anyExtendedKeyUsage in CA certificates [PR#99]

 * Build fixes related to reallocarray [PR#96, PR#98, PR#100]

0.23.8 (devel)

 * Improve vendor query attributes handling in PKCS#11 URI [PR#92]

 * Add OTP and GOST mechanisms to pkcs11.h [PR#90, PR#91]

 * New envvar P11_KIT_NO_USER_CONFIG to stop looking at user

   configurations [PR#87]

 * Build fixes for Solaris and 32-bit big-endian platforms [PR#81, PR#86]

0.23.7 (devel)

 * Fix memory issues with "p11-kit server" [PR#78]

 * Build fixes [PR#77 ...]

0.23.6 (devel)

 * Port "p11-kit server" to Windows and portability fixes of the RPC

   protocol [PR#67, PR#72, PR#74]

 * Recover the old behavior of "trust anchor --remove" [PR#70, PR#71]

 * Build fixes [PR#63 ...]

0.23.5 (devel)

 * Fix license notice of common/unix-peer.c [PR#58]

 * Remove systemd unit files for now [PR#60]

 * Build fixes for FreeBSD [PR#56]

0.23.4 (devel)

 * Recognize query attributes defined in PKCS#11 URI (RFC7512) [PR#31,

   PR#37, PR#52]

 * The trust policy module now recognizes CKA_NSS_MOZILLA_CA_POLICY

   attribute, used by Firefox [#99453, PR#46]

 * Add 'trust dump' command to dump all PKCS#11 objects in the

   persistence format [PR#44]

 * New experimental 'p11-kit server' command that allows PKCS#11

   forwarding through a Unix domain socket.  A client-side module

   p11-kit-client.so is also provided [PR#15]

 * Add systemd unit files for exporting the proxy module through a

   Unix domain socket [PR#35]

 * New P11KitIter API to iterate over slots, tokens, and modules in

   addition to objects [PR#28]

 * libffi dependency is now optional [PR#9]

 * Build fixes for FreeBSD, macOS, and Windows [PR#32, PR#39, PR#45]

0.23.3 (devel)

 * Install private executables in libexecdir [#98817]

 * Fix link error of proxy module on macOS [#98022]

 * Use new PKCS#11 URI specification for URIs [#97245]

 * Support x-init-reserved argument of C_Initialize() in remote modules [#80519]

 * Incorporate changes from PKCS#11 2.40 specification

 * Bump libtool library version

 * Documentation fixes

 * Build fixes [#87192 ...]

0.23.2 (devel)

 * Fix forking issues with libffi [#90289 ...]

 * Updated translations

 * Build fixes [#90827 #89081 #92434 #92520 #92445 #92551 #92843 #92842 #92807 #93211 ...]

0.23.1 (devel)

 * Use new PKCS#11 URI draft fields for URIs [#86474 #87582]

 * Add pem-directory-hash extract format

 * Build fixes

0.22.1 (stable)

 * Use SubjectKeyIdentifier for CKA_ID when available [#84761]

 * Allow 'BEGIN PuBLIC KEY' PEM blocks in .p11-kit files

 * Bump libtool library version

 * Build fixes [#84665 ...]

0.22.0 (stable)

 * Remove the 'isolated = yes' option due to unclear semantics

   replacement forth coming in later versions.

 * Use secure_getenv() where necessary

 * Run separate binary for 'p11-kit remote' command

0.21.3 (unstable)

 * New public pkcs11x.h header containing extensions [#83495]

 * Export necessary defines to lookup attached extensions [#83495]

 * Use term 'attached extensions' rather than 'stabled extensions'

 * Make proxy module respect 'critical = no' [#83651]

 * Show public-key-info in 'trust list --details'

 * Build fixes [#75674 ...]

0.21.2 (unstable)

 * Don't use invalid keys for looking up stapled extensions [#82328]

 * Better error messages when invalid certificate extensions

 * Fix parsing of some odd OpenSSL TRUSTED CERTIFICATE files

 * Fix some leaks, and memory issues

 * Silence some clang scanner warnings

 * Fix build against older pthread implementations [#82617]

 * Move to a non-recursive Makefile

 * Can now specify which tests to run on command line

0.21.1 (unstable)

 * Add new 'isolate' pkcs11 config option [#80472]

 * Add 'p11-kit remote' command for isolating modules [#54105]

 * Don't complain about C_Finalize after a fork

 * Other minor fixes

0.20.3 (stable)

 * Fix problems reinitializing managed modules after fork

 * Fix bad bookeeping when fail initializing one of the modules

 * Fix case where module would be unloaded while in use [#74919]

 * Remove assertions when module used before initialized [#74919]

 * Fix handling of mmap failure and mapping empty files [#74773]

 * Stable p11_kit_be_quiet() and p11_kit_be_loud() functions

 * Require automake 1.12 or later

 * Build fixes for Windows [#76594 #74149]

0.20.2 (stable)

 * Fix bug where blacklist didn't affect extracted ca-anchors if the anchor

   and blacklist were not in the same trust path (regression) [#73558]

 * Check for race in BasicConstraints stapled extension [#69314]

 * autogen.sh now runs configure as srcdir != builddir by default

 * Build fixes and cleanup

0.20.1 (stable)

 * Extract compat trust data after we've changes

 * Skip compat extraction if running as non-root

 * Better failure messages when removing anchors

 * Build cleanup

0.20.0 (stable)

 * Doc fixes

0.19.4 (unstable)

 * 'trust anchor' now adds/removes certificate anchors

 * 'trust list' lists trust policy stuff

 * 'p11-kit extract' is now 'trust extract'

 * 'p11-kit extract-trust' is now 'trust extract-compat'

 * Workarounds for working on broken zfsonlinux.org [#68525]

 * Add --with-module-config parameter to the configure script [#68122]

 * Add support for removing stored PKCS#11 objects in trust module

 * Various debugging tweaks

0.19.3 (unstable)

 * Fix up problems with automake testing

 * Fix a bunch of memory leaks in newly refactored code

 * Don't use _GNU_SOURCE and the unportability it brings

 * Testing fixes

0.19.2 (unstable)

 * Add basic 'trust anchor' command to store a new anchor

 * Support for writing out trust token objects

 * Port to use CKA_PUBLIC_KEY_INFO and updated trust store spec

 * Add option to use freebl for hashing

 * Implement reloading of token data

 * Fix warnings and possible minor bugs higlighted by code scanners

 * Don't load configs in home directories when running setuid or setgid

 * Support treating ~/.config as $XDG_CONFIG_HOME

 * Use $XDG_DATA_HOME/pkcs11 as default user config directory

 * Use $TMPDIR instead of $TEMP while testing

 * Open files and fds with O_CLOEXEC

 * Abort initialization if a critical module fails to load

 * Don't use thread-unsafe functions: strerror, getpwuid

 * Fix p11_kit_space_strlen() result when empty string

 * Refactoring of where various components live

 * Build fixes

0.19.1 (unstable)

 * Refactor API to be able to handle managed modules

 * Deprecate much of old p11-kit API

 * Implement concept of managed modules

 * Make C_CloseAllSessions function work for multiple callers

 * New dependency on libffi

 * Fix possible threading problems reported by hellgrind

 * Add log-calls option

 * Mark p11_kit_message() as a stable function

 * Use our own unit testing framework

0.18.3 (stable)

 * Fix reinitialization of trust module [#65401]

 * Fix crash in trust module C_Initialize

 * Mac OS fixes [#57714]

0.18.2 (stable)

 * Build fixes [#64378 ...]

0.18.1 (stable)

 * Put the external tools in $libdir/p11-kit

 * Documentation build fixes

0.18.0 (stable)

 * Fix use of trust module with gcr and empathy [#62896]

 * Further tweaks to trust module date parsing

 * Fix unaligned memory reads [#62819]

 * Win32 fixes [#63062, #63046]

 * Debug and logging tweaks [#62874]

 * Other build fixes

0.17.5 (unstable)

 * Don't try to guess at overflowing time values on 32-bit systems [#62825]

 * Test fixes [#927394]

0.17.4 (unstable)

 * Check for duplicate certificates in a token, warn and discard [#62548]

 * Implement a proper index so we have decent load performance

0.17.3 (unstable)

 * Use descriptive labels for the trust module tokens [#62534]

 * Remove the temporary built in distrust objects

 * Make extracted output directories and files read-only [#61898]

 * Don't export unneccessary ABI

 * Build fixes [#62479]

0.17.2 (unstable)

 * Fix build on 32-bit linux

 * Fix several crashers

0.17.1 (unstable)

 * Support a p11-kit specific PKCS#11 attribute persistance format [#62156]

 * Use the SHA1 hash of SPKI as the CKA_ID in the trust module by default [#62329]

 * Refactor a trust builder which builds objects out of parsed data [#62329]

 * Combine trust policy when extracting certificates [#61497]

 * The extract --comment option adds comments to PEM bundles [#62029]

 * A new 'priority' config option for ordering modules [#61978]

 * Make each configured path its own trust module token [#61499]

 * Use --with-trust-paths to configure trust module [#62327]

 * Fix bug decoding some PEM files

 * Better debug output for trust module lookups

 * Work around bug in NSS when doing serial number lookups

 * Work around broken strndup() function in firefox

 * Fix the nickname for the distrusted attribute

 * Build fixes

0.16.4 (stable)

 * Display per command help again [#62153]

 * Don't always print tools debug output [#62152]

0.16.3 (stable)

 * When iterating don't skip tokens without the CKF_TOKEN_INITIALIZED flag

 * Hardcode some distrust records for NSS temporarily

 * Parse global options better in the p11-kit command

 * Better debugging

0.16.2 (stable)

 * Fix regression in 'p11-kit extract --purpose' option [#62009]

 * Documentation updates

 * Build fixes [#62001, ...]

0.16.1 (stable)

 * Don't break when cA field of BasicConstraints is missing [#61975]

 * Documentation fixes and updates

 * p11-kit extract-trust is a placeholder script now

0.16.0 (stable)

 * Update the pkcs11.h header for new mechanisms

 * Fix build and tests on mingw64 (ie: win32)

 * Relicense LGPL code to BSD license

 * Documentation tweaks

 * Pull translations from Transifex [#60792]

 * Build fixes [#61739, #60894, #61740]

0.15.2 (unstable)

 * Add German and Finish translations

 * Better define the libtasn1 dependency

 * Crasher and bug fixes

 * Build fixes

0.15.1 (unstable)

 * Fix some memory leaks

 * Add a location for packages to drop module configs

 * Documentation updates and fixes

 * Add command line tool manual page

 * Remove unused err() function and friends

 * Move more code into common/ directory and refactor

 * Add a system trust policy module

 * Refactor how the p11-kit command line tool works

 * Add p11-kit extract and extract-trust commands

 * Don't complain if we cannot access ~/.pkcs11/pkcs11.conf

 * Refuse to load the p11-kit-proxy.so as a registered module

 * Don't fail initialization if last initialized module fails

0.14

 * Change default for user-config to merge

 * Always URI-encode the 'id' attribute in PKCS#11 URIs

 * Expect a .module extension on module configs

 * Windows compatibility fixes

 * Testing fixes

 * Build fixes

0.13

 * Don't allow reading of PIN files larger than 4096 bytes

 * If a module is not marked as critical then ignore init failure

 * Use preconditions to check for input problems and out of memory

 * Add enable-in and disable-in options to module config

 * Fix the flags in pin.h

 * Use gcc extensions to check varargs during compile

 * Fix crasher when a duplicate module is present

 * Fix broken hashmap behavior

 * Testing fixes

 * Win32 build fixes

 * 'p11-kit -h' now works

 * Documentation fixes

0.12

 * Build fix

0.11

 * Remove automatic reinitialization of PKCS#11 after fork

0.10

 * Build fixes, for windows, gcc 4.6.1

0.9

 * p11-kit can't be used as a static library

 * Fix problems crashing when freeing TLS on windows

 * Add debug output to windows init and uninit of library

 * Build fixes, especially for windows

0.8

 * Rename non-static functions to have a _p11_xxx prefix

 * No concurrent calling of C_Initialize and C_Finalize

 * Print more information in 'p11-kit -l'

 * Initial port to win32

 * Build, testing fixes

0.7

 * Expand p11-kit config variables correctly invarious build scenarios

 * Add test tool to print out error messages

 * Build fix on FreeBSD

0.6

 * Add concept of a default module directory from which modules with

   relative paths are loaded.

 * Renamed pkg-config variables to make it clearer what's what.

0.5

 * Fix crasher in p11_kit_registered_modules()

 * Add 'critical' setting for modules, which defaults to 'no'

 * Fix initialization issues in the proxy module

0.4

 * Fix endless loop if module forks during initialization

 * Update PKCS#11 URI code for new draft of spec

 * Don't fail when duplicate modules are configured

 * Better debug output

 * Add example configuration documentation

 * Support whitespace in PKCS#11 URIs

0.3

 * Rewrite hash table, and simplify licensing.

 * Correct paths for p11-kit config files.

 * Many build fixes and tweaks.

0.2

 * List token labels in 'p11-kit -l'

 * Add API's for handing the pinfile part of URIs

 * Use /etc/pkcs11 by default instead of ${prefix}/etc/pkcs11

 * Bug fixes

0.1

 * Initial release