Releases: MicrochipTech/cryptoauthlib

Release v3.7.9 (20250916)

16 Sep 17:47

🚀 New Features

  • MbedTLS Upgrade
    • Upgraded MbedTLS CAL wrapper APIs for compatibility with Mbed TLS v3.6.3.1 (previously v2.28.4)

🛠 Fixes & Improvements

  • Certificate & Key Handling

    • Fixed atcacert_verify_ APIs to use correct key size macros and cal_buffer members
    • Fixed atca_mbedtls_cert_add() to correctly read public key using is_genkey check
    • Modified buffer size setting to use P256 signature size before calling atcacert_set_signature(), ensuring correct WPC certificate reads from ECC608 devices
    • Fixed ATCA_MBEDTLS guards to exclude MbedTLS code when disabled
  • HAL (Hardware Abstraction Layer)

    • Enhanced error handling for initialization (halinit) failures by adding appropriate hal_release calls
    • Updated hal_kit_hid_send() to flush any pending data from HID device input buffer before writes
    • Added validation of input parameters in hal_free_shared() and updated access permissions for shared memory in hal_linux.c
    • Updated Zephyr I2C HAL wrapper
      • Integrated latest I2C driver configuration updates from Zephyr 3.6.0
      • Now utilizes word_address parameter in hal_i2c_send() even when transmit buffer is empty (e.g., device wake-up)
    • Updated hal_esp32_i2c.c to support latest ESP-IDF library
      • Maintained backward-compatible I2C initialization and command methods
      • ⚠️ Note: i2c_config_t fields and i2c_driver_install API may be deprecated in future ESP-IDF releases. Refer to ESP-IDF official documentation.
  • Initialization & Configuration

    • Updated atcab_init_ext() to read ECC608 config zone only with ATCA_NO_POLL configuration
    • MPLAB Harmony Configurator updates
      • Added device_conf.json to define feature sets per secure element, used as base configuration for device selection
      • Updated TNG device selection to also generate Tester module files
  • Code Quality & Compliance

    • Replaced memset with pkcs11_util_memset in PKCS#11 implementation (for structure handling)
    • MISRA C:2012 & CERT C compliance
      • Addressed more REQUIRED category violations
      • Added file-based suppression lists for maximum MISRA check coverage with MPLAB Analysis tool suite
  • Build System

    • Replaced CMAKE_INSTALL_FULL_<dir> with CMAKE_INSTALL_<dir> to ensure proper handling of --prefix and cpack

Support for Compressed Certificate Years Beyond 2031 in CryptoAuthentication Devices

21 Jul 16:58

🚀 Extended Year Support for Compressed Certificates in CryptoAuthentication Devices

Secure element ICs provisioned with compressed certificates after 2031 will be incompatible with CryptoAuthLib versions earlier than 3.7.5.
To ensure compatibility and proper functionality, it is recommended to use CryptoAuthLib version 3.7.5 or later.

This release is especially relevant for existing users utilizing compressed certificates with CAL library versions earlier than v3.7.5 who wish to upgrade and take advantage of the new extended year support.

x509_comp_cert_extended_years.zip

Note:

  • For more details, please refer to the README.md file included with the attached x509_comp_cert_extended_years.zip package
  • The assets contain the latest CAL v3.7.8 release for reference purposes only; they are not relevant for patching purposes

Release v3.7.8 (20250505)

04 Jun 05:49

Library improvement/bug fixes summary

  • Updated minimum required version of CMake to v3.20 to support its new features and improvements
    
  • Resolved tng_atcacert_read_signer_cert build failure when using MPLAB Harmony projects
    
  • Fixed tng_atcacert_max_device_cert_size function to prevent overwriting max_cert_size
    
  • Addressed the dependency issue where SHA512 is required for SHA384 in the SW Crypto module
    
  • Fixed an issue in the Linux environment where the SPI file descriptor was inadvertently closed twice
    
  • Incorporated additional ATCA_CHECK_PARAMS_EN checks in sections of the code where they were previously absent
    
  • Eliminated all compiler warnings in MPLAB Melody related to the atcacert module
    
  • Eliminated all compiler warnings in MPLAB Harmony projects when adding the CAL library as a project component
    
  • Addressed all MISRA violations categorized as "Required" in MPLAB Harmony. Note that "Advisory" issues remain unaddressed
    
  • Resolved build issues in the PyCAL library to ensure its compatibility with its CAL library counterpart in C
    
  • Resolved build errors on arm64 MacOS platforms when utilizing the USB library for hidapi; kick-start transition to libusb-maintained version of hidapi, moving away from the previous signal11 repository
    
  • Addressed incorrect header file inclusions in atca_mbedtls_wrap.h related to the ATCA_MBEDTLS configuration
    
  • PKCS11 layer fixes/updates
    
    • Corrected return value in C_FindObjectsInit API to no longer return CKR_OK when no objects are found
    
    • Fixed an issue causing certificate export failures when using ATECC608 TNGTLS devices
    
    • Resolved a race condition that occurred during the creation of a mutex
    

Release v3.7.7 (20250213)

14 Feb 10:04

New Features

  • Extended atcacert module to support compressed certificate usage for TA devices
    
  • Enhanced WPC application to support TA devices
    
  • Updated PKCS#11 and Openssl wiki documentation to include steps for using Openssl 3.0+ versions
    
  • Updated PKCS#11 module to add compatibility for higher SHA-2 (SHA384 and SHA512) functions
    
  • Added NIST vector tests to cover AES CCM module validation
    
  • Modified calib packet allocation to use memory from either heap or data segment based on user configuration instead of always using data segment.
    

Fixes

  • Resolved SWI 1-wire communication failure occurring in hal_swi_gpio while using MPLABx Harmony projects
    
    • Delay routines in hal_cortex_m_delay are optimized to generate accurate delays for SAM cortex-m device family
    
    • Removed call stack overhead in hal_swi_gpio to meet required SWI bit timing
    
  • Minimum required version for CMake is changed from 3.0.1 to 3.10.0
    
  • Fixed compilation issues with atcac_get_subj_public_key when WolfSSL configuration is enabled
    

API CHANGES

  • Replaced I/O buffers in atcacert with cal_buffer in a few instances to support resource-constrained PIC18 devices
    
    • Refer to lib/atcacert/MIGRATION.md for details on atcacert API changes
    

Release v3.7.6 (20240926)

01 Oct 10:17

New Features

  • Add support for RSA key types, certificates and algorithms
  • Add SHA384 and SHA512 support for host side software crypto (lib/crypto/) operations
  • Modified WPC application to support ECC204 and TA010 devices

Fixes

  • Shared library build (libcryptoauth.so) sets ABI version number (libcryptoauth.so.x)
  • Fix atcacert_read_cert() API failure while using ECC204 and TA010 devices
  • Resolve kit protocol compilation failure for PIC18 device (XC8) builds
  • Fix PKCS#11 layer C_DestroyObject failure when deleting a key pair
  • Fix PKCS#11 layer C_DeriveKey API usage sequence

Release v3.5.1 (20230320)

11 May 16:06

New Features

  • Add support for SHA104, SHA105, & SHA106 devices

Release v3.5.0 (20230314)

11 May 16:05

New Features

  • Add support for ECC204, TA010 and framework for future devices of the same generation

Release v3.4.1 (20221114)

16 Nov 18:05

Hotfixes

  • Update test_atcacert_build_start_signer to verify the structure fields since the structure is no longer packed
  • Update Python ctypes_to_bytes routine to work for all python versions
  • Add pkcs11 signature rule verification function to check mechanism and input parameters per section 5.2 of the specification
  • Fix compilation error when PKCS11 monotonic counter is enabled
  • Fix compilation error when no HALs are specified during configuration

Release v3.4.0 (20221104)

05 Nov 18:07

New Features

  • Added framework for fine-grained library configuration, including configuration check
    header files <api>_config_check.h (see lib/atca_config_check.h for the top-level
    header)
  • Added WPC application files with reference message generation/parsing and library
    configuration file to optimize to the smallest footprint
  • TA100 read/write apis updated to segment incoming buffer into partial read/write
    operations if it exceeds the maximum supported packet size
  • Added PKCS7 padding algorithm for use with AES-CBC
  • Expose PKCS11 configuration options to CMake configuration

Fixes

  • Improve ECC204 apis to match cryptoauthlib apis and abstract the device differences
  • Support for strict C99 compliance and clean up warnings from -Wall and pedantic levels
  • Add rsa2048 key size support to talib_rsaenc command
  • Fix for ta100 devupdate to set the proper auth session exit flags so the library will
    properly reconnect when the ta100 reboots
  • Fix ECC608 verify failure when ReqRandom bit is set for a stored public key by using
    tempkey in this situation rather than the message digest buffer. See the ECC608
    datasheet for more details of this special condition
  • Improve ta100 auth session handling of long messages by reporting the message size
    exceeds the wrapped message limit earlier in the packet creation process
  • Fixes and Improvements for PKCS11 interface based on compliance testing
  • Add missing include for atca_device.h by @mickeprag in #264
  • Fix no member named 'address' errors when using ATCA_ENABLE_DEPRECATED by @rashedtalukder in #273
  • Fix undefined type error and ESP32 RTOS timer function call by @rashedtalukder in #277
  • Fix model number for ATECC608 by @AndreyLalaev in #282
  • Don't attempt to pack structures with pointers - should fix aarch64 issues by @bryan-hunt in #283
  • Add fixes to cryptoauthlib to support Java PKCS11 requirements, to support Greengrass V2 by @JamieHunter in #290
  • CKA_ID support to enable Java / Greengrass V2 by @JamieHunter in #291

Full Changelog: v3.3.3...v3.4.0

Release v3.3.3 (20211006)

08 Oct 05:40
055dd4a

New features

  • Added Zephyr support and zephyr driver api HALs for I2C & SPI. Adding cryptoauthlib to a zephyr project CMakeLists.txt is now possible - use subdirectory(cryptoauthlib/lib). One can also include the repo in the west manifest
  • Added SWI device support for linux platforms using hardware uarts
  • Added contributing guidelines and PR process documentation
  • SWI bitbang driver for harmony - supports Atmel SWI and ECC204 protocols

Fixes

  • Wolfssl build errors when generating MHC projects containing wolfssl
  • Removed zero length aad limitation in CCM implementation
  • Changed ECC204 zone identifiers and slot types to align with cryptoauthlib standard forms
  • XC8/XC16 build warnings
  • Several pkcs11 fixes - token_init deadlock, null num_in for private key writes, secret key length parsing, object_create failing, etc
  • Null pointer access violation in atcab_release when using a native hal and double free in openssl implementation of atcac_pk_verify