Release Notes

What's New in Crescendo SDK v1.2.1

This version provides the following improvements with respect to the previous version:

New features

  • Added authenticatorConfig() and FIDOConfig() (that includes the full authentication flow) methods to enable the CTAP 2.1 authenticatorConfig command.

Bug fixes

  • FIDOGetAssertion(), FIDOMakeCredential() and FIDOCredentialManagement no longer use hardcoded CTAP 2.1 parameters, so they can be used with CTAP 2.0 as well.

  • Fixed CredentialManagementRequest class - the authentication parameters were wrongly defined as mandatory.

  • Fixed minor mistake in CTAP error logging - the errors should correctly print the CTAP error code and description instead of just the description twice

New Features

  • Added the CRESCENDO CL FIDO token ATR to the list of supported tokens.

  • Added automatic logout of used applets when disposing of the SDKCore object.

  • Added (and modified the original CTAP1 & CTAP2 FIDO functionality - functions and data structures inside FIDODataStructures class, as well as:

    • SDK methods that implement CTAP1 functions:

      • U2FRegistration()

      • U2FAuthentication()

      • U2FGetVersion()

    • SDK methods that implement CTAP2.x functions: 
      • AuthenticatorClientPIN()
      • AuthenticatorGetAssertion()
      • AuthenticatorGetNextAssertion()
      • AuthenticatorCredentialManagement()
      • AuthenticatorMakeCredential()
      • AuthenticatorReset()
      • AuthenticatorGetInfo()
    • SDK methods that implement CTAP2.x functions with full authentication flow:
      • FIDOSetPIN()
      • FIDOChangePIN()
      • FIDOGetAssertion()
      • FIDOCredentialManagement()
      • FIDOMakeCredential()

  • Added a new method PIVChangePKISlotACR() for modifying the ACR of PKI objects (--piv-pki-acr command in the CLI Tool).

  • Renamed the FIDOTokenReset() function to AuthenticatorReset to align with the FIDO specification.

  • Added GetAllAvailableTokens() that returns a list of all tokens with basic details.

  • Added a requireTouch parameter to:

    • ConfigureStaticPassword
    • ConfigureOATHSlot
    • ConfigureOCRASlot.

    This parameter now allows to configure Crescendo Key V3 to require button touch to generate an OTP (not to be confused with the button-press slots that generate OTP only after pressing the button).

  • Introduced a new return variableResult<T> instead of the FunctionResult structure.

    This allows returning any data type instead of just strings, plus improves error handling (see below).

  • Improved error handling:

    • Added specific error messages for each command/function based on internal documentation.
    • Replaced most of the possible exceptions with structured Error class inside Result<T>.

  • Added a PSKC file creation possibility to the ConfigureOCRASlot() function (--ocra-slot-configure command in the CLI Tool).

  • PSKC file logic is now handled exclusively in the CLI Tool. The SDK now uses only PSKC strings as input/output, instead of handling files directly.

    This allows users to receive a PSCK string from the SDK for further use without the need to handle additional files.

  • Added authentication specifically on the PIV applet before accessing certain PIV data objects (e.g., 5FC109).

  • Modified the logic for storing PKI objects on the token so that when a user uploads both a certificate and a private key to the token, the PKI_CONTAINER_INFO inside the MSCUID keys is correctly updated for EC keys.

  • Added the option to use the PIV discovery object 7E the same way as all the other PIV objects defined by BER-TLV tags.

  • Added option to export the SKI transport key to a PEM file from the CLI Tool.

  • Modified the --piv-pki-put command to support input files (e.g., *.pem or *.pfx) without password protection.

  • Removed the obsolete --ski-key-put command. SKI import can now be done using the existing commands:

    • --piv-pki-put

    • --xauth-key-put

    • --otp-pass-configure

    • --otp-slot-configure

    • --ocra-slot-configure

      Full functionality of these functions/commands is therefore now available for SKI.

  • Enabled static password import using SKI.

  • Modified the SKI JSON file content to match the format used by HID Crescendo Manager.

  • Modified the PIVGetCertificate function (--piv-cert-get command in the CLI Tool) to not require authentication when reading certificates.

  • Added storing public keys into corresponding PIV data objects whenever possible (during SKI, key pair generation, or key import).

  • Reversed the byte order of RSA public keys (modulus) when storing them on the token, to match the format used by HID Crescendo Manager, ActivID ActivClient, and HID Crescendo Minidriver.

  • Removed the possibility of automatic usage of key Reference 9E when storing PKI objects.

    The user must now explicitly specify the Key Reference 9E if they want to use it, because 9E is not PIN-protected as defined in the PIV specification.

  • When using -p interactive in the CLI Tool, the SCard transaction now remains open as long as the PIN window is open. Previously, the transaction timed out after approximately 5 seconds.

Bug fixes

  • Fixed input parsing in OCRAOCRAAuthenticate() function (--ocra-authenticate command in the CLI Tool):
    • The challenge is now correctly parsed when using hexadecimal or numeric input.
    • The secret is now correctly hashed with specified hashing algorithm.
    • OCRA authenticate now works correctly using Crescendo Key V3 and OTP slots configured with button-press ACR.
    • Fixed the time unit definition - all values are now converted properly to seconds.
  • Fixed Static Password input - it now works with non-hexadecimal strings.
  • Revision of logging messages - they now appear directly before the relevant APDU calls.