Skip to content

@conorpp conorpp released this Mar 23, 2021

This is a minor release that fixes an issue where the User ID for a given credential wasn't being returned where it should be. This is when a RK credential is being used as specified from the allowList in a getAssertion request.

Assets 13

@conorpp conorpp released this Feb 3, 2021

Minor change, please check notes in 4.1.0 release.

This update fixes the initialization order of the device so that some devices no longer run into a boot issue (#516).

Assets 13

@conorpp conorpp released this Jan 30, 2021

This release has a number of bug fixes and adds support for Ed255 for FIDO2, thanks to the great work by @enrikb.

  • Add Ed255 support for FIDO2 #478.
  • Adjustments to make fault injection attacks more difficult #504.
  • Fix incorrect logic and memmove that caused UV not to get set #493.
  • Fix incorrect cbor ordering regarding credProtect and hmac-secret extension #508 (thanks @aseigler, @timcappalli for finding & reporting).
  • Build & documentation improvements #509, #495, #490, #485, #482

Note there was an initial 4.1.0 release for a few hours which contained a build issue, and has been updated.

Assets 13

@conorpp conorpp released this Mar 27, 2020

After discussion with @nickray, I'm making this a major version release and deleting the old 3.2.0, because it will likely void any existing RK credentials on your solo device when updating from <4.0.0.

Warning: After this update, any existing RK's on your device will likely not work anymore. If you're not sure about what RK/resident-key is, then you probably do not have any and do not need to worry.

Additional improvements from (now defunct) 3.2.0 release:

  • Bug fixes to credMgmt (#404)
  • Allow depth-first-search when enumerating credentials (#406)

Two big features added in this release:

  • Credential management (able to enumerate and delete resident key credentials).
  • credProtect extension (able to enforce UV on specific credentials)


  • add cred protect extension
  • Fix issues with RK buffer handling
  • Fix issue with credentials being ordered incorrectly for getAssertion's
  • Fix issue with extensions not being applied to getNextAssertion assertions.
  • Fix issue with some getNextAssertions not signing correct rpIdHash.
  • Refactor + bugfix credential management
  • Add delete command for credential management
  • Add user presence check if a credential is excluded during makeCredential step
  • Add custom vendor command for rebooting device to allow easier testing.
  • Fix regression with user presence being collected twice in some cases.

This has been successfully tested for Microsoft / Azure AD compatibility.

Public tests have been added to fido2-tests.

Thank you to @rgerganov for his contributions on credential management and fixing bugs (#392, #398, #391, #404).

Thank you to @My1 for help testing and providing logs.

Assets 13
Mar 25, 2020

@conorpp conorpp released this Mar 16, 2020

The last 3.1.2 could not be updated on most authenticators with version checking due to an error in the build not putting the version in correctly. This corrects the issue.

Thank you to @schwarzeh for mailing me a key to reproduce the issue.

Assets 13

@conorpp conorpp released this Feb 27, 2020

As discovered in our security audit by DoyenSec, there were some potential cbor safety issues, the largest being there wasn't a proper recursion limit to one of the methods we were using from tinycbor. Now that has been fixed.

Assets 13

@conorpp conorpp released this Feb 13, 2020

  • Initialize variable to avoid potential version bypass in bootloader
  • Add a command to support users locking flash that have been locked out from the normal process.
Assets 13

@conorpp conorpp released this Feb 6, 2020

This fixes in issue in the Solo bootloader that allows an old signed-firmware version to be programmed on secured solo builds.

Thanks to @fcremo and @ikkisoft of Doyensec for the security audit and catching this!

Assets 13

@conorpp conorpp released this Dec 1, 2019

Minor update.

  • Refactor to allow building Solo as lib
  • Secure version of Solo will have different certs for Solo, Solo Tap, and Somu now.
    • Additionally, the first byte of the AAGUID for each model is different.
Assets 13