Releases: polhenarejos/pico-fido
Version 5.8 Eddsa 1
This release includes release 5.8 and EdDSA support.
Full Changelog: v5.6-eddsa1...v5.8-eddsa1
Version 5.6
This new release includes the following enhancements:
- Added support for Secp256k1 curve, in the form of ES256K algorithm.
- Added support for ES256K algorithm.
- Added support for thirdPartyPayment extension.
- Added support for management via Yubikey Manager to enable/disable specific interfaces individually.
- Added support for Nitrokey's nitropy tool.
- Added support for ssh-keygen.
and the following bug fixes:
- Added tests for ES256K algorithm.
- Fixed pubKeyCredParams verification.
- Fixed return errors for pubKeyCredParams verification.
- Fixed Secp521r1 key load.
- Fixed credential creation for ES512 algorithm.
- Fixed chained response.
- Fixed OTP applet selection.
- Fixed signature computation for ES384 and ES512 algorithms.
- Fixed enabled capabilities detection.
- Fixed enabled cap detection when applet is already selected.
- Fixed OTP slot deletion.
- Fixed return error when no applet is selected.
- Fixed return error of CBOR.
- Fixed credential creation when an unsupported algorithm is provided.
Full Changelog: v5.4...v5.6
Version 5.6 EdDSA 1
This is an experimental release. It adds support for EdDSA and Ed25519 curve.
Since EdDSA is not officially approved by MbedTLS, it is considered experimental and in beta stage. Although it has been thoroughly tested, it might contain bugs.
Use with caution.
Version 5.4
This release includes support for Yubikey emulation. With this release, Pico Fido key can be used with Yubico tools.
Enhancements:
- Added support for OTP (HOTP and TOTP).
- Added support for OATH (YKOATH protocol).
- Added support for challenge-response generation.
- Added support for emulated keyboard.
- If configured, when the BOOTSEL button is pressed, an OTP is typed directly by emulating a keyboard, so the OTP is entered in the field where the cursor is placed.
- Added support for YKMAN tool.
- Added support for YubiOTP specification.
- Added support for U2F applet selection.
This release brings support for Yubico OTP. In contrast to Yubikey slot selection (short and long button press), slots in Pico Fido are selected by pressing the BOOTSEL button multiple times (1 press selects the 1st slot, 2 consecutive presses select the 2nd slot, etc.).
This release jumps from previous v3.0 to v5.4 to enable Yubico compatibility, as it depends on the specific version +5.4.
Full Changelog: v3.0...v5.4
Version 3.0
This is a major release that includes support for additional interfaces, such as CCID.
New features
- Added support for OATH. It is based on YKOATH protocol specification via CCID interface.
- Added basic support for OTP (not useful yet).
- New HSM SDK.
- Added support for LED drivers based on WS2812, such as waveshare boards.
Enhancements
- Pico FIDO supports local build emulation. It creates an executable that implements CTAP 2.1 stack and allows remote testing.
- Upgraded to Pico SDK 1.5.
- Added interruption endpoint.
- Improved the compatibility with Windows host.
- Increased validity of certificate to 50 years.
- Added support for newer waveshare boards.
Fixes
- Fix AID selection.
- Fix ATR response.
- Fix returned version.
- Fix uninitialized variable.
- Fix increasing counter on make credential.
- Fix crash when missing PubKey type.
- Fix encoding map on credmgmt listing credentials for specific RP.
- Fix cbor processing when unknown command is used.
- Fix sending keepalive on cbor processing.
- Fix potential crash on delete file.
- Fix race condition.
Version 2.10
This release includes the following enhancements and new features:
New Features
- Enterprise attestation
- `credBlobs` extension
- `largeBlobKey` extension
- `largeBlobs` support (2048 bytes max.)
Enhancements
- Added support for Enterprise Attestation. Once enabled, it allows generating a CSR on the device, which is sent to our PKI. If valid, the PKI returns a certificate signed by an intermediate CA that will be used for attestation.
- Upgraded `pico-fido-tool.py` to support Enterprise Attestation by uploading a CSR or a signed certificate.
- Added support for `credBlob`.
- Added `MAX_MSG_SIZE` parameter in `getInfo`.
- Added key derivation for `largeBlob`.
- Added support for `largeBlobKey`.
- Added `minPinLength` extension test.
- Added `credBlob` test.
- Added `largeBlob` support.
- Added `lbw` permission.
and fixes:
Fixes
- `credProtect` is not returned in `getAssertion`.
- Fixed buffer overflow deriving the credential key.
- Fixed double `free`.
- Fix `GET` permission in `getAssertion`.
- Fixed `numberOfCredentials` return.
- Fix `token rp link` clear.
- Fix `credMgmt` tests.
Version 2.8
This release includes the following enhancements:
Enhancements
- Added Enterprise Attestation support.
- Added vendor subcommand to upload and embed an enterprise certificate.
- Added --filename flag to pico-fido tool.
and the following bug fixes:
Bug fixes
- Fixed UV token request.
- Fixed RP attachment to token.
- Fixed RP enumeration.
- Fixed CM permission in credMgmt preview.
- Fixed memory free.
Version 2.6
This release includes the following enhancements:
Added
- Added minPinLength extension.
- Added support for setMinPinLength.
- Added support for authenticatorConfig verification.
- Added support for permissions.
And the following bug fixes:
Bug fixes
- Fix counting PIN retries.
Version 2.4
This version aims at improving the security of the device.
New
- Added a new feature called Secure Lock, which encrypts the whole device to prevent flash dumps in case the device is left unattended. Once enabled, the device must be unlocked when plugged in.
- Backup with 24 words. Make a backup with 24 words and restore it on another device. With just these 24 words and the backup file, you will be able to restore your device in case of damage and recover all your keys and credentials.
- All these features are implemented following the standard, via Vendor and Config Vendor commands.
See `python3 pico-fido-tool.py --help` for more information.
Version 2.2
This version includes the following major enhancements:
- Credential management: capability to manage discoverable credentials by listing, updating and deleting.
- Authenticator selection: some applications may require selecting a specific authenticator when multiple are attached, or for convenience.
- Get assertion also returns userName and userDisplayName.
Developer enhancements:
- Added a test suite which works with python-fido2 package version 1.0, which includes the latest enhancement of CTAP 2.1.
Bug fixes:
- Potential crash on meta editing (although Pico FIDO does not use metadata).
- Counting mismatches.
- Consecutive assertion enumerations.
- Changing PIN if not set.
- User data is returned if there are more than 1 discoverable credential for that RP.
- Tons of bug fixes of ProtocolV2 with hmac-secret extension.
- Changing PIN with ProtocolV2.
- Verification of a key if it is U2F.
- Potential overflow on change PIN with ProtocolV2.
- Return numberOfCredentials.
- Public key size in credential id.
- Increasing signature counter.
- Credential creation if `up` is absent.
- PIN ProtocolV2.
- Severe crash generating internal device certificate.