Releases: polhenarejos/pico-hsm

Version 2.4

14 Jun 09:49
871ff69

This release contains a major enhancement: Public Key Authentication (PKA). This mechanism replaces PIN-based authentication: instead of a PIN, the device is unlocked with a private/public key pair held by another trusted device (a Pico HSM or Pico OpenPGP).

Enhancements:

  • Added Public Key Authentication.
  • Cache and storage of 3rd-party public keys.
  • Improved interoperability between multiple Pico HSM devices.
  • Added PSO command.
  • Bugfixes.

Full Changelog: v2.2...v2.4

Version 2.2

06 Jun 12:35
a48dfbb

This version implements a new CCID stack that reduces the firmware size by about 30%: it implements only the features the Pico HSM actually uses. In parallel, MbedTLS is reconfigured to enable only the required algorithms.

Version 2.2 has the following enhancements:

  • Key domains: up to 16 different key domains are supported, each with its own DKEK and its own private/secret keys. Key domains can be managed with the SCS3 tool.
  • Key usage counter: when the counter is enabled, the key can be used only n times before it is disabled. This limits the use of a key and allows its usage to be audited. The counter is decremented by 1 every time the key is used for signing, decrypting or deriving.
  • Optional key usage counter for all keys: when enabled, every generated key is attached to a counter with the initial value FFFFFFFEh (just below 2^32) to track its usage.
  • The PIN-protected DKEK is encrypted with a random IV.
  • DKEK integrity is checked with an internal CRC.
  • Removed the dependencies on Gnuk and OpenSC.
  • Many fixes.

Full Changelog: v2.0...v2.2

Version 2.0

19 Apr 17:34
v2.0
86298f3

This version incorporates a major refactor of the core functionality, which has been migrated into another repository.
Version 2.0 has the following capabilities:

  • Added Secure Messaging. It establishes a secure channel in which the information and payloads are encrypted and authenticated, protecting the host-to-device exchange against eavesdropping and tampering.
  • Added Session PIN.
  • Introducing the PKI for Pico HSM. It generates CVCerts and burns them into the firmware. The process is somewhat more complex: it consists of generating a private key, building a CSR and sending it to a remote PKI, which returns a signed CVCert. The private key, the CVCert and the CA CVCert are all burned into the firmware, and all of them are used to establish the secure channel for Secure Messaging.

Full Changelog: v1.12...v2.0

Version 1.12

11 Apr 10:21
239e01c

This version adds the following features:

  • Capability to store and retrieve arbitrary binary files: any data file up to 4 kB in size can be saved and recovered.
  • Real Time Clock to set and get the current date and time.
  • Time counter that counts the seconds elapsed since boot.
  • Press-to-confirm feature that requires user confirmation (a press on the device) when loading a private/secret key to perform a signature, a decryption, etc. With it, no malicious application can sign documents silently.
  • Capability to enable or disable the press-to-confirm feature dynamically, without reinitializing the device.

Full Changelog: v1.10...v1.12

Version 1.10

04 Apr 09:28
d41a488

This release adds Transport PIN and other initialization options.
Transport PIN allows provisioning the Pico HSM with private and secret keys so that it can be deployed securely. Once the device has been initialized with the Transport PIN flag and disconnected, the user can only log in with the default password, which must be changed before the device is put to work.

Other options allow resetting the retry counter, either by setting a new PIN or by just resetting the counter and preserving the existing PIN.
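To make the two reset options and the Transport PIN rule concrete, here is an added host-side model; it is example code written for this page, not pico-hsm code and not the firmware's real state machine. It encodes the ISO 7816-4 commands involved (VERIFY, CHANGE REFERENCE DATA, and RESET RETRY COUNTER with P1=00h when a new PIN is supplied and P1=01h when only the counter is reset, all with P2=81h for the user PIN, as in the SmartCard-HSM interface the Pico HSM implements) and runs them against a toy device that keeps a PIN, a retry counter and a transport-lock flag. The retry limit of 3, the sample PIN and SO-PIN values, and the rule that a transport-locked device refuses key operations until the default PIN has been replaced are assumptions of the model.

```python
# Added example (not pico-hsm code): host-side encoding of the PIN commands behind the
# v1.10 notes plus a toy model of the device's PIN state. The ISO 7816-4 coding matches
# the SmartCard-HSM interface the Pico HSM implements; MAX_RETRIES, the sample PIN values
# and the transport-lock rule in key_operation_allowed() are assumptions of the model.
from dataclasses import dataclass

USER_PIN_REF = 0x81                         # P2: reference of the user PIN
MAX_RETRIES = 3                             # assumed retry limit for the model
DEFAULT_PIN = b"123456"                     # constructed sample value
SO_PIN = bytes.fromhex("0102030405060708")  # constructed sample value (SO-PIN is 8 bytes)


def _pin_ok(pin: bytes) -> bool:
    return 6 <= len(pin) <= 16              # user PIN length accepted by the interface


def apdu(ins: int, p1: int, p2: int, data: bytes) -> bytes:
    """Case-3 short APDU: CLA=00 INS P1 P2 Lc data (no Le)."""
    if not 1 <= len(data) <= 255:
        raise ValueError("Lc must be 1..255")
    return bytes([0x00, ins, p1, p2, len(data)]) + data


def verify_pin(pin: bytes) -> bytes:        # VERIFY
    if not _pin_ok(pin):
        raise ValueError("user PIN must be 6..16 bytes")
    return apdu(0x20, 0x00, USER_PIN_REF, pin)


def change_pin(old: bytes, new: bytes) -> bytes:   # CHANGE REFERENCE DATA: old || new
    if not (_pin_ok(old) and _pin_ok(new)):
        raise ValueError("user PIN must be 6..16 bytes")
    return apdu(0x24, 0x00, USER_PIN_REF, old + new)


def reset_retry_counter(so_pin: bytes, new_pin: bytes = b"") -> bytes:
    """RESET RETRY COUNTER: P1=00h sets a new PIN, P1=01h only resets the counter."""
    if len(so_pin) != 8:
        raise ValueError("SO-PIN must be 8 bytes (16 hex digits)")
    if new_pin:
        if not _pin_ok(new_pin):
            raise ValueError("user PIN must be 6..16 bytes")
        return apdu(0x2C, 0x00, USER_PIN_REF, so_pin + new_pin)
    return apdu(0x2C, 0x01, USER_PIN_REF, so_pin)


@dataclass
class PinState:
    """Toy model of the device's PIN state; status words follow ISO 7816-4 conventions."""
    pin: bytes
    so_pin: bytes
    retries_left: int = MAX_RETRIES
    authenticated: bool = False
    transport: bool = False                 # initialized with the Transport PIN flag

    def _set_pin(self, new: bytes) -> bool:
        if not _pin_ok(new):
            return False
        self.pin, self.retries_left = new, MAX_RETRIES
        self.transport = False              # the transport PIN has been replaced
        return True

    def handle(self, cmd: bytes) -> int:
        ins, p1, p2, lc = cmd[1], cmd[2], cmd[3], cmd[4]
        data = cmd[5:5 + lc]
        if p2 != USER_PIN_REF:
            return 0x6A88                   # referenced data not found
        if ins == 0x20:                     # VERIFY
            if self.retries_left == 0:
                return 0x6983               # PIN blocked, even if the PIN is right
            if data == self.pin:
                self.retries_left, self.authenticated = MAX_RETRIES, True
                return 0x9000
            self.retries_left -= 1
            self.authenticated = False
            return 0x63C0 | self.retries_left   # 63Cx: x tries remaining
        if ins == 0x24:                     # CHANGE REFERENCE DATA
            if self.retries_left == 0:
                return 0x6983
            old, new = data[:len(self.pin)], data[len(self.pin):]
            if old != self.pin:
                self.retries_left -= 1
                return 0x63C0 | self.retries_left
            if not self._set_pin(new):
                return 0x6A80               # wrong data (bad new PIN length)
            self.authenticated = True
            return 0x9000
        if ins == 0x2C:                     # RESET RETRY COUNTER
            so_pin, new = data[:8], data[8:]
            if so_pin != self.so_pin:
                return 0x6982               # a real card also counts SO-PIN failures
            if p1 == 0x00:
                if not self._set_pin(new):  # P1=00h: SO-PIN || new PIN
                    return 0x6A80
            elif p1 != 0x01 or new:
                return 0x6A86               # P1=01h must carry the SO-PIN only
            self.retries_left = MAX_RETRIES
            self.authenticated = False      # the user must VERIFY again
            return 0x9000
        return 0x6D00                       # INS not supported

    def key_operation_allowed(self) -> bool:
        # Assumption: a transport-locked device refuses key use until the PIN is changed.
        return self.authenticated and not self.transport


def provisioning_walkthrough() -> dict:
    """Run the v1.10 scenarios against the model and return the status words."""
    dev = PinState(pin=DEFAULT_PIN, so_pin=SO_PIN, transport=True)
    out = {}
    out["wrong"] = [dev.handle(verify_pin(b"000000")) for _ in range(3)]   # 63C2, 63C1, 63C0
    out["blocked"] = dev.handle(verify_pin(DEFAULT_PIN))                   # 6983: right PIN, blocked
    out["reset_keep_pin"] = dev.handle(reset_retry_counter(SO_PIN))       # P1=01h, PIN preserved
    out["login_default"] = dev.handle(verify_pin(DEFAULT_PIN))            # 9000, still transport-locked
    out["usable_before_change"] = dev.key_operation_allowed()              # False
    out["change"] = dev.handle(change_pin(DEFAULT_PIN, b"7xK9q2Lm"))      # 9000, lock cleared
    out["usable_after_change"] = dev.key_operation_allowed()               # True
    out["reset_new_pin"] = dev.handle(reset_retry_counter(SO_PIN, b"newpin99"))  # P1=00h
    out["login_new"] = dev.handle(verify_pin(b"newpin99"))                # 9000
    return out


if __name__ == "__main__":
    for name, result in provisioning_walkthrough().items():
        print(f"{name}: {result}")
```

The walkthrough exhausts the retry counter, shows that the correct PIN is rejected once the counter is at zero, unblocks with the SO-PIN while preserving the PIN, and then shows the transport-locked device accepting the default PIN but refusing key operations until CHANGE REFERENCE DATA has replaced it. Against a real Pico HSM the same byte strings would be sent through a CCID/PC-SC library; the status words are the model's, and the SO-PIN retry counter, which a real card also enforces, is not modelled.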

Full Changelog: v1.8...v1.10

Version 1.8

31 Mar 12:37
b4e9285

This version adds compatibility with the SCS3 tool and allows PKCS#12 imports (private keys and certificates). It also adds support for 4096-bit RSA keys and fixes many bugs.

Full Changelog: v1.6...v1.8

Version 1.6

25 Mar 11:53
43ec92d

This release fixes lots of bugs. It is the first release that passes all tests.

Full Changelog: v1.4...v1.6

Version 1.4

20 Mar 23:57
78d71a6

Full Changelog: v1.2...v1.4

Version 1.2

16 Mar 22:32
920cf3a

Full Changelog: v1.0...v1.2

Version 1.0

14 Mar 00:03
bad954a