Release Notes

What's New in Crescendo SDK 1.3.1

This version provides the following improvements with respect to the previous version:

New Features

  • Entire Codebase migrated to .NET 8.0. Full backward compatibility with previous SDK releases, no changes in the API.

    Note: It is necessary to have .NET 8.0 installed for successful migration from previous SDK releases.

  • Added the USB-HID communication capability to all CTAP 2.0 and 2.1 FIDO commands. This means FIDO can now be used with Crescendo Keys plugged in USB. SDK chooses the communication interface automatically based on the token and communication media type.

  • New Third Party Component introduced - HidSharpCore version 1.3.0 with license Apache-2.0.

  • Updated Third Party Component PCSC-sharp to the latest version.

  • Modification of the live reader/token monitoring - added a CardRemoved event before ReaderRemoved event.

Bug Fixes

  • Refined logging for generating OTP's - waiting for user is no longer considered an error in the logs, plus only the relevant info will get logged based on chosen log level.

  • Corrected the otp-slot-configure command usage example inside the CLI.

  • Fixed getting properties on FIDO applet V3. The expected return message from the applet was wrongly set to 6A80 instead of 6D00.

New Features

  • GetAllAvailableTokens() now returns an empty list if no tokens are available, instead of throwing an exception. CLI also reflects this change and exits gracefully with an error message.

  • Added a new GetAllAvailableReaders() function that lists all connected readers regardless of the connected tokens.

  • Added a new GetAllReaderInfo() function, that returns a list of structured ReaderInfo objects.

  • Removed the unnecessary PrintAllAvailableTokens() method from the SDKCore class.

  • Added FIDOGetChallenge() and FIDOUnblockPIN() to allow the FIDO PIN Unblock functionality for applet V4.1 and higher.

  • Updated Third Party Components (Bouncy Castle and PCSC-Lite) to the latest versions.

  • Added support for FIDO only tokens. All FIDO related functionality is available even if no PIV or ACA applet is present on the token.

  • Added the option for live monitoring of readers and tokens using StartMonitoring and EndMonitoring methods.

  • Fixed log message not appearing for the first operation on FIDO Attestation applet.

  • Documentation improvement and small fixes.

  • Added an Examples folder in the package, that includes complete projects and a solution that can be run directly.

  • Added the CRESCENDO 4000 FIDO contact and contactless ATR to the list of oficially supported tokens.

Bug Fixes

Logs reorganization to print APDU Response before information about time it took to execute the command.

New Features

  • Added authenticatorConfig() and FIDOConfig() (that includes the full authentication flow) methods to enable the CTAP 2.1 authenticatorConfig command.

Bug Fixes

  • FIDOGetAssertion(), FIDOMakeCredential() and FIDOCredentialManagement no longer use hardcoded CTAP 2.1 parameters, so they can be used with CTAP 2.0 as well.

  • Fixed CredentialManagementRequest class - the authentication parameters were wrongly defined as mandatory.

  • Fixed minor mistake in CTAP error logging - the errors should correctly print the CTAP error code and description instead of just the description twice.

New Features

  • Added the CRESCENDO CL FIDO token ATR to the list of supported tokens.

  • Added automatic logout of used applets when disposing of the SDKCore object.

  • Added (and modified the original CTAP1 & CTAP2 FIDO functionality - functions and data structures inside FIDODataStructures class, as well as:

    • SDK methods that implement CTAP1 functions:

      • U2FRegistration()

      • U2FAuthentication()

      • U2FGetVersion()

    • SDK methods that implement CTAP2.x functions: 
      • AuthenticatorClientPIN()
      • AuthenticatorGetAssertion()
      • AuthenticatorGetNextAssertion()
      • AuthenticatorCredentialManagement()
      • AuthenticatorMakeCredential()
      • AuthenticatorReset()
      • AuthenticatorGetInfo()
    • SDK methods that implement CTAP2.x functions with full authentication flow:
      • FIDOSetPIN()
      • FIDOChangePIN()
      • FIDOGetAssertion()
      • FIDOCredentialManagement()
      • FIDOMakeCredential()

  • Added a new method PIVChangePKISlotACR() for modifying the ACR of PKI objects (--piv-pki-acr command in the CLI Tool).

  • Renamed the FIDOTokenReset() function to AuthenticatorReset to align with the FIDO specification.

  • Added GetAllAvailableTokens() that returns a list of all tokens with basic details.

  • Added a requireTouch parameter to:

    • ConfigureStaticPassword
    • ConfigureOATHSlot
    • ConfigureOCRASlot.

    This parameter now allows to configure Crescendo Key V3 to require button touch to generate an OTP (not to be confused with the button-press slots that generate OTP only after pressing the button).

  • Introduced a new return variableResult<T> instead of the FunctionResult structure.

    This allows returning any data type instead of just strings, plus improves error handling (see below).

  • Improved error handling:

    • Added specific error messages for each command/function based on internal documentation.
    • Replaced most of the possible exceptions with structured Error class inside Result<T>.

  • Added a PSKC file creation possibility to the ConfigureOCRASlot() function (--ocra-slot-configure command in the CLI Tool).

  • PSKC file logic is now handled exclusively in the CLI Tool. The SDK now uses only PSKC strings as input/output, instead of handling files directly.

    This allows users to receive a PSCK string from the SDK for further use without the need to handle additional files.

  • Added authentication specifically on the PIV applet before accessing certain PIV data objects (e.g., 5FC109).

  • Modified the logic for storing PKI objects on the token so that when a user uploads both a certificate and a private key to the token, the PKI_CONTAINER_INFO inside the MSCUID keys is correctly updated for EC keys.

  • Added the option to use the PIV discovery object 7E the same way as all the other PIV objects defined by BER-TLV tags.

  • Added option to export the SKI transport key to a PEM file from the CLI Tool.

  • Modified the --piv-pki-put command to support input files (e.g., *.pem or *.pfx) without password protection.

  • Removed the obsolete --ski-key-put command. SKI import can now be done using the existing commands:

    • --piv-pki-put

    • --xauth-key-put

    • --otp-pass-configure

    • --otp-slot-configure

    • --ocra-slot-configure

      Full functionality of these functions/commands is therefore now available for SKI.

  • Enabled static password import using SKI.

  • Modified the SKI JSON file content to match the format used by HID Crescendo Manager.

  • Modified the PIVGetCertificate function (--piv-cert-get command in the CLI Tool) to not require authentication when reading certificates.

  • Added storing public keys into corresponding PIV data objects whenever possible (during SKI, key pair generation, or key import).

  • Reversed the byte order of RSA public keys (modulus) when storing them on the token, to match the format used by HID Crescendo Manager, ActivID ActivClient, and HID Crescendo Minidriver.

  • Removed the possibility of automatic usage of key Reference 9E when storing PKI objects.

    The user must now explicitly specify the Key Reference 9E if they want to use it, because 9E is not PIN-protected as defined in the PIV specification.

  • When using -p interactive in the CLI Tool, the SCard transaction now remains open as long as the PIN window is open. Previously, the transaction timed out after approximately 5 seconds.

Bug Fixes

  • Fixed input parsing in OCRA OCRAAuthenticate() function (--ocra-authenticate command in the CLI Tool):
    • The challenge is now correctly parsed when using hexadecimal or numeric input.
    • The secret is now correctly hashed with specified hashing algorithm.
    • OCRA authenticate now works correctly using Crescendo Key V3 and OTP slots configured with button-press ACR.
    • Fixed the time unit definition - all values are now converted properly to seconds.
  • Fixed Static Password input - it now works with non-hexadecimal strings.
  • Revision of logging messages - they now appear directly before the relevant APDU calls.