Releases: polhenarejos/pico-fido

Version 5.12

02 Sep 16:18
v5.12
95cae29

This is a release which solves some bugs and adds enhancements.

New

  • Add support for ESP32-S3.
  • Add support for RP2350 MCU.
  • Add support for multiple boards with RP2350.

Enhancements

  • Add EF.DIR list AID.
  • Emulation uses pthread thread synchronization for a reliable integration.
  • CCID interface is better thread synchronized.
  • Upgrade to Pico SDK 2.0.

Changes

  • Rewrote the HID interface to minimize the number of memcpy calls. It now uses a single internal buffer, which notably speeds up overall performance.
  • HID manages thread synchronicity more precisely.
  • RP2350 boards use partitions to prevent the data space from being overwritten by firmware.
  • Emulation does not use ctr_drbg since it is not reliable.

Bugfixes

  • Fix Windows compatibility.
  • Fix potential infinite loop when bad ASN1 is processed.
  • Fix idVendor, idProduct allocation for Pico Patcher.
  • Fix memory boundary check.
  • Fix non-freed context.
  • Fix TinyUSB vendor interface numbering.
  • Fix thread cancellation in ESP32.
  • Fix CBOR encoding.
  • Fix OATH selection.
  • Fix OTP crash.
  • Fix U2F/FIDO app selection.

Full Changelog: v5.10...v5.12

Version 5.12 EdDSA 1

02 Sep 19:48
v5.12-eddsa1
8ae4ab5
Pre-release

This release brings EdDSA to version 4.2.

Important: EdDSA cannot work in ESP32, since Espressif uses its own MbedTLS fork.

This is an experimental release. It adds support for EdDSA with Ed25519 and Ed448 curves.

Since EdDSA is not officially approved by MbedTLS, it is considered experimental and in beta stage. Though it is deeply tested, it might contain bugs.

Use with caution.

Full Changelog: v5.10...v5.12-eddsa1

v5.10

20 Jul 18:42
v5.10
5b95e35

This release is a maintenance release to fix the following bugs:

Enhancements

  • Upgrade to MbedTLS 3.6.
  • Increase internal number of memory pages.
  • Added support for WebCCID.
  • Added support for ESP32 boards.
  • Added support for APDU chaining.
  • Added -DVIDPID= for easier build.

Bug fixes

  • Fix Pico Patcher.
  • Fix potential infinite ASN1 loop.
  • Fix EF.DIR.
  • Fix BCD for Windows.
  • Fix potential overflow.
  • Add support for PHY file.
  • Upgrade internal page buffer.
  • Fix X509 generation.
  • Added 3DES for compatibility (NOT RECOMMENDED!)
  • Fix chained responses.
  • Fix ASN1 initialization.
  • Fix HID buffer sizes.
  • Fix Windows emulation.
  • Fix wrapped APDU.
  • Fix byte chain for long RAPDU.
  • Fix SM verification.
  • Fix ATR overwrite.
  • Fix Apple emulation.

Full Changelog: v5.8...v5.10

Version 5.8

21 Nov 11:52
7e2ecdb

This release includes the following enhancements:

  • Added support for Pico W LED.
  • Added backfall compatibility.
  • Added Windows/Linux backend for backup/restore Python utility.
  • Added support for --pin flag in Pico-fido tool.

and fixes:

  • Fix FIDO app selection.
  • Fix Pico W build.
  • Fix memory leak.
  • Fix potential crash with button.
  • Fix OTP reading through HID.
  • Fix config vendor command with python-fido2.
  • Fix secure key generation in macOS.
  • Use new Pico Keys SDK.
  • Fix max length of OTP static passwords.

Full Changelog: v5.4...v5.8

Version 5.8 EdDSA 1

21 Nov 12:50
v5.8-eddsa1
21765a6
Pre-release

This release includes release 5.8 and EdDSA support.

Full Changelog: v5.6-eddsa1...v5.8-eddsa1

Version 5.6

18 Sep 07:22
v5.6
900e7f2

This new release includes the following enhancements:

  • Added support for Secp256k1 curve, in the form of ES256K algorithm.
  • Added support for ES256K algorithm.
  • Added support for thirdPartyPayment extension.
  • Added support for management via Yubikey Manager to enable/disable specific interfaces individually.
  • Added support for Nitrokey's nitropy tool.
  • Added support for ssh-keygen.

and the following bug fixes:

  • Added tests for ES256K algorithm.
  • Fixed pubKeyCredParams verification.
  • Fixed return errors for pubKeyCredParams verification.
  • Fixed Secp521r1 key load.
  • Fixed credential creation for ES512 algorithm.
  • Fixed chained response.
  • Fixed OTP applet selection.
  • Fixed signature computation for ES384 and ES512 algorithms.
  • Fixed enabled capabilities detection.
  • Fixed enabled cap detection when applet is already selected.
  • Fixed OTP slot deletion.
  • Fixed return error when no applet is selected.
  • Fixed return error of CBOR.
  • Fix credential creation when an unsupported algorithm is provided.

Full Changelog: v5.4...v5.6

Version 5.6 EdDSA 1

18 Sep 07:32
v5.6-eddsa1
3b4ac12
Pre-release

This is an experimental release. It adds support for EdDSA and Ed25519 curve.

Since EdDSA is not officially approved by MbedTLS, it is considered experimental and in beta stage. Though it is deeply tested, it might contain bugs.

Use with caution.

Version 5.4

15 May 17:23
v5.4
07729f8

This release includes support for Yubikey emulation. With this release, Pico Fido key can be used with Yubico tools.

Enhancements:

  • Added support for OTP (HOTP and TOTP).
  • Added support for OATH (YKOATH protocol).
  • Added support for challenge-response generation.
  • Added support for emulated keyboard.
  • If configured, pressing the BOOTSEL button types an OTP directly by emulating a keyboard, so the OTP is entered into the field where the cursor is placed.
  • Added support for YKMAN tool.
  • Added support for YubiOTP specification.
  • Added support for U2F applet selection.

This release brings support for Yubico OTP. In contrast to Yubikey slot selection (short and long button press), slots in Pico Fido are selected by pressing the BOOTSEL button multiple times (1 press selects the 1st slot, 2 consecutive presses select the 2nd slot, etc.).

This release jumps from the previous v3.0 to v5.4 to enable Yubico compatibility, as it depends on the specific version +5.4.

Full Changelog: v3.0...v5.4

Version 3.0

26 Mar 18:15
v3.0
d4ed55b

This is a major release that includes support for additional interfaces, such as CCID.

New features

  • Added support for OATH. It is based on YKOATH protocol specification via CCID interface.
  • Added basic support for OTP (not useful yet).
  • New HSM SDK.
  • Added support for LED drivers based on WS2812, such as Waveshare boards.

Enhancements

  • Pico FIDO supports local build emulation. It creates an executable that implements CTAP 2.1 stack and allows remote testing.
  • Upgraded to Pico SDK 1.5.
  • Added interruption endpoint.
  • Improved the compatibility with Windows host.
  • Increased validity of certificate to 50 years.
  • Added support for newer Waveshare boards.

Fixes

  • Fix AID selection.
  • Fix ATR response.
  • Fix returned version.
  • Fix uninitialized variable.
  • Fix increasing counter on make credential.
  • Fix crash when missing PubKey type.
  • Fix encoding map on credmgmt listing credentials for specific RP.
  • Fix CBOR processing when an unknown command is used.
  • Fix sending keepalive on CBOR processing.
  • Fix potential crash on delete file.
  • Fix race condition.

Version 2.10

17 Feb 11:15
5e0b0bf

This release includes the following enhancements and new features:

New Features

  • Enterprise attestation
  • credBlobs extension
  • largeBlobKey extension
  • largeBlobs support (2048 bytes max.)

Enhancements

  • Added support for Enterprise Attestation. Once enabled, it allows generating a CSR in the device, which is sent to our PKI. If valid, the PKI returns a certificate signed by an intermediate CA, which will be used for attestation.
  • Upgraded pico-fido-tool.py to support Enterprise Attestation by uploading a CSR or a signed certificate.
  • Added support for credBlob.
  • Added MAX_MSG_SIZE parameter in getInfo.
  • Added key derivation for largeBlob.
  • Added support for largeBlobKey.
  • Added minPinLength extension test.
  • Added credBlob test.
  • Added largeBlob support.
  • Added lbw permission.

and fixes:

Fixes

  • credProtect is not returned in getAssertion.
  • Fixed buffer overflow deriving the credential key.
  • Fixed double free.
  • Fix GET permission in getAssertion.
  • Fixed numberOfCredentials return.
  • Fix token rp link clear.
  • Fix credMgmt tests.