Releases: Nitrokey/nitrokey-3-firmware
v1.7.2-test.20240813
Features
- fido-authenticator: Implement the largeBlobKey extension and the largeBlobs command (fido-authenticator#38)
- OpenPGP: add support for additional curves when using the se050 backend (#524):
  - NIST P-384
  - NIST P-521
  - brainpoolp256r1
  - brainpoolp384r1
  - brainpoolp512r1
Fixes
- piv: Fix crash when changing PUK (piv-authenticator#38)
Known issues
- This firmware version updates the format of the FIDO2 state stored on the device. If a device is reverted to v1.7.2 or a previous test release after running this version, the FIDO2 state can be reset and all credentials can be invalidated.
- This firmware seems to have issues with authenticating FIDO2 credentials: registering works, but we are currently analyzing an issue during authentication.
v1.7.2-test.20240808
This release is currently in internal testing; signed binaries to be used with nitropy will be uploaded within the next few days.
v1.7.2-test.20240625
Bugfixes
- PIV: Fix incompatibility with Windows Logon (#516)
v1.7.2
Bugfixes
- fido-authenticator: Fix incompatibility when enumerating resident keys with libfido2/ssh-agent (#496)
- Ensure that an application reset erases all relevant objects on the secure element (trussed-se050-backend#30)
v1.7.1
Bugfixes
- secrets-app: Require PIN for registering Reverse HOTP credentials (trussed-secrets-app#114)
Known Issues
ssh-agent cannot access the resident key used for SSH logins with firmware versions v1.7.0 and v1.7.1. This will be fixed in v1.7.2. (#496)
Notes
This release is not compatible with any Nitrokey/Nitropad HEADS versions before v2.5. To use this firmware version together with HEADS you strictly need to use a Nitropad firmware release v2.5+. For upstream HEADS this is any commit after this version was released.
v1.7.0
This release adds SE050 support to opcard, updates fido-authenticator to support CTAP 2.1 and introduces app and device factory reset.
Features
- Report errors when loading the configuration during initialization and disable opcard if an error occurred (#394)
- Fix LED during user presence check for NK3AM (#93)
- fido-authenticator: Implement CTAP 2.1
- OpenPGP: fix locking out after an aborted factory-reset operation (#443)
- Add an SE050 driver and its tests (#335)
- Use SE050 entropy to bootstrap the random number generator (#335)
- Enable SE050 support in OpenPGP by default (#471)
- Support app and device factory reset (#383, #479)
Known Issues
ssh-agent cannot access the resident key used for SSH logins with firmware versions v1.7.0 and v1.7.1. This will be fixed in v1.7.2. (#496)
Notes
- When upgrading from the test firmware release v1.6.0-test.20231218, OpenPGP keys will not be retained after the update if the opcard.use_se050_backend config option has been set to true.
v1.7.0-rc.3
v1.7.0-rc.2
Features
- Add an SE050 driver and its tests (#335)
- Use SE050 entropy to bootstrap the random number generator (#335)
- Enable SE050 support in OpenPGP by default (#471)
Notes
- When upgrading from the test firmware release v1.6.0-test.20231218, OpenPGP keys will not be retained after the update if the opcard.use_se050_backend config option has been set to true.
v1.7.0-rc.1
v1.6.0-test.20231218
This update requires pynitrokey v0.4.35 or newer. You can install it with:
$ nitropy nk3 update --version v1.6.0-test.20231218
Changes
(since v1.6.0-test.20231206)
Opcard (OpenPGP): Add experimental configuration option to enable the SE050 secure element backend. This can be done with pynitrokey v0.4.44:
$ nitropy nk3 set-config opcard.use_se050_backend true
This will cause a factory-reset of opcard data. On older versions of nitropy, the command may work but will require a power cycle of the device before opcard is functional.
This new backend will increase the security of PIN-protected operations. It will also improve the performance of cryptographic operations, especially RSA. This means that when the secure element backend is enabled, RSA 4096 bit keys can now be generated on-device.
Fixed
- Piv: Fixed generation of RSA keys.
Functions
Stable
- admin-app v0.1.0-nitrokey.9
- fido-authenticator v0.1.1-nitrokey.10 (FIDO2)
- secrets v0.13.0-rc2 (OTP and Passwords)
- opcard v1.3.0 (OpenPGP)
Unstable
- piv-authenticator v0.3.3
- websmartcard v0.8.0-rc5