Version 4.0

This major release includes several enhancements, with the most important: support for ESP32-S3 boards!

New

• It supports ESP32-S3 boards. Apart from Raspberry Pico boards, Pico HSM can also be flashed onto ESP32-S3 boards, which add natively secure boot and flash encryption.
• VID & PID can be changed on-the-fly with pico-hsm-tool.py.
• pico-hsm-tool.py implements a rescue Pico HSM, which is able to communicate with a Pico HSM not recognized by OS due to bad VID & PID values.
• Added support for Web CCID interface.
• Added support for AES-ECB, AES-CBC with custom IV, AES-OFB, AES-CFB, AES-GCM, AES-CCM, AES-CTR and AES-XTS.
• Added support for CMAC.
• Added support for APDU chaining.

Enhancements

• Added support for OpenSC 0.25.1
• Added -DVIDPID=value flag to build with known VID/PID from known vendors.
• Added keygen command to pico-hsm-tool.py for X25519 and X448 key generation.
• Enable/disable Web CCID interface on-the-fly.
• Added support for EF.DIR AID list.

Changes

• MbedTLS 3.6
• Pull request #40 : Enable/disable BOOTSEL button only by clicking the button.
• ASN.1 parsing and structs.
• New DKEK return format.
• Increased memory pages for handling more files at same time.

Bugfixes

• Fix #43 : listing keys if multiple of 12.
• Fix Windows emulation.
• Fix CVC outer signature length.
• Fix LE computation with wrapped APDU (secure channel).
• Fix asymmetric key exchange.
• Fix byte override with chained response APDU.
• Fix SM wrap for large response APDU (secure channel).
• Fix ATR overwrite.
• Fix PRKD on key unwrap.
• Fix Apple emulation.
• Fix chained responses.
• Fix read binary permissions.
• Fix EF.DIR type identification.

What's Changed

• Security fix for issue 39 by @fastchain in #40
• Fix for multiples of 64 bytes on cmd_list_keys by @al-heisner in #43

New Contributors

• @fastchain made their first contribution in #40
• @al-heisner made their first contribution in #43

Full Changelog: v3.6...v4.0