0.11.0 Password Safe and KeepassXC Support

Changelog

0.11.0 (2023-05-30)

Full Changelog

Implemented enhancements:

• Add challenge-response support for KeepassXC #61
• Add Password Safe #60
• Extend compiler and clippy lints #39
• Extend Credential structure with Password Safe field #63 (szszszsz)

Closed issues:

• Use released version for trussed-auth #58
• Group attributes in Command::Credential per kind #66
• Add config option for the maximum number of credentials #62
• Finalize renaming to secrets-app #47
• Resetting strategy #43

Merged pull requests:

• Match trussed* dependencies to the used in NK3 v1.4.0 #80 (szszszsz)
• Ignore errors on factory reset, and start with the persistent storage #79 (szszszsz)

0.11.0-rc2 (2023-05-30)

Full Changelog

Implemented enhancements:

• Reuse compliance #77

Closed issues:

• Migrate bit manipulation to bitflags crate #78
• Resetting strategy #43
• Use cfg switch for no-encryption feature #23

Merged pull requests:

• Replace feature with a config switch for the debug mode #84 (szszszsz)
• Migrate list properties byte to bitflags #82 (szszszsz)
• Add copyright and spdx identifiers #81 (szszszsz)
• Match trussed* dependencies to the used in NK3 v1.4.0 #80 (szszszsz)
• Ignore errors on factory reset, and start with the persistent storage #79 (szszszsz)

0.11.0-rc1 (2023-05-25)

Full Changelog

Implemented enhancements:

• Add information about static password to List #68
• Add challenge-response support for KeepassXC #61
• Add Password Safe #60
• Return serial number #50
• Extend compiler and clippy lints #39
• Add challenge-response method for KeepassXC support #64 (szszszsz)
• Extend Credential structure with Password Safe field #63 (szszszsz)

Closed issues:

• Group attributes in Command::Credential per kind #66
• Add config option for the maximum number of credentials #62
• Finalize renaming to secrets-app #47

Test report is attached in the previous (rc) release.

0.11.0-rc2

0.11.0-rc2 (2023-05-30)

Full Changelog

Implemented enhancements:

• Reuse compliance #77

Closed issues:

• Migrate bit manipulation to bitflags crate #78
• Resetting strategy #43
• Use cfg switch for no-encryption feature #23

Merged pull requests:

• Replace feature with a config switch for the debug mode #84 (szszszsz)
• Migrate list properties byte to bitflags #82 (szszszsz)
• Add copyright and spdx identifiers #81 (szszszsz)
• Match trussed* dependencies to the used in NK3 v1.4.0 #80 (szszszsz)
• Ignore errors on factory reset, and start with the persistent storage #79 (szszszsz)

Attached test report, done with:

• pynitrokey v0.4.36-59-g47b9861 / the current head of 392-secrets-ui-separate-command
• against USB/IP Simulation 0.11.0-rc2-1-g7d3dbe96

0.11.0-rc1

0.11.0-rc1 (2023-05-25)

Full Changelog

Required pynitrokey: unreleased (v0.4.39?).

Implemented enhancements:

• Add information about static password to List #68
• Add challenge-response support for KeepassXC #61
• Add Password Safe #60
• Return serial number #50
• Extend compiler and clippy lints #39
• Add challenge-response method for KeepassXC support #64 (szszszsz)
• Extend Credential structure with Password Safe field #63 (szszszsz)

Closed issues:

• Group attributes in Command::Credential per kind #66
• Add config option for the maximum number of credentials #62
• Finalize renaming to secrets-app #47

0.10.0 PIN-less mode

1. Encrypt all credentials, but allow to specify which are being additionally protected with a PIN-based encryption key.
2. Implement blinking handlers for Reverse HOTP to signalize success and failure in the Heads measured verification for Nitropads.
3. Brute-force protection for Reverse HOTP is added (disabled by default).

Uses unreleased trussed-auth as a dependency.
Backwards compatible - all user data are retained from the previous version.

Required pynitrokey: v0.4.37.

0.9.0: Maintenance release

This maintenance release bumps the trussed-auth dependency.

0.8.0: Encrypt OTP secrets

Keep OTP secrets always encrypted, and import them to the Volatile keystore when needed

Required pynitrokey: v0.4.34.

0.7.0: PIN-based authentication and encryption

1. Starting with this release the default method for authentication is PIN based, and challenge-response is disabled, and its implementation is marked for removal.
2. PIN-based authentication allows for user data encryption at rest (metadata only; the OTP secrets, which are managed by Trussed).

Required pynitrokey: v0.4.34.

0.6.0: Maintainance

Maintenance release - includes dependency updates and code refactoring.

0.5.0: Encryption and multipacket responses

Improvements:

• Encryption.
• Multipacket responses.
• More error handling and stability corrections.
• Smaller stack pressure.
• Serialize state in CBOR.
• Make default location external.
• Encapsulate internal implementation.
• Handle state writing and deserialization errors.
• Use smaller buffers where possible.
• Decrease write pressure by accessing state RO.

Required for the use with the updated OTP client in pynitrokey (since v0.4.33).

0.4.0: Better error handling and UP checks

Improvements:

• Protocol change - return errors #3
• Fuzzing extension #15
• Stability fixes for the problems found during fuzzing #15
• UP checks for important operations #9

Details: #15

Required for the use with the updated OTP client in pynitrokey (since v0.4.32).