
Releases: microsoft/CCF

5.0.8

06 Nov 20:40
0cb409d

Added

  • Added ccf::any_cert_auth_policy (C++), or any_cert (JS/TS), implementing TLS client certificate authentication, but without checking for the presence of the certificate in the governance user or member tables. This allows applications to perform user management in application space, using application tables (#6608).
  • Set VMPL value when creating SNP attestations, and check VMPL value is in guest range when verifying attestation, since recent updates allow host-initiated attestations (#6583).

6.0.0-dev5

04 Nov 17:00
09669ad
Pre-release

Added

  • Updated ccf::cose::edit::set_unprotected_header() API, to allow removing the unprotected header altogether (#6607).
  • Updated ccf.cose.verify_receipt() to support checking the claim_digest against a reference value (#6607).

6.0.0-dev4

31 Oct 11:19
Pre-release

Added

Removed

  • Remove SECP256K1 support as a part of the migration to Azure Linux (#6592).

6.0.0-dev3

24 Oct 18:57
1bf76dd
Pre-release

Changed

  • Set VMPL value when creating SNP attestations, and check VMPL value is in guest range when verifying attestation, since recent updates allow host-initiated attestations (#6583).
  • Added ccf::cose::edit::set_unprotected_header() API, to allow easy injection of proofs in signatures, and of receipts in signed statements (#6586).

6.0.0-dev2

18 Oct 09:36
65fe3d8
Pre-release

Added

  • Introduced ccf::describe_cose_endorsements_v1(receipt) for the COSE-endorsements chain of previous service identities (#6500).
  • Ignore time when resolving did:x509 against x5chain; resolution establishes a point-in-time endorsement, not ongoing validity (#6575).

5.0.7

17 Oct 11:42
4bece67
  • Ignore time when resolving did:x509 against x5chain; resolution establishes a point-in-time endorsement, not ongoing validity (#6575).

6.0.0-dev1

08 Oct 15:15
c70e2be
Pre-release

Changed

  • Output of ccf::describe_merkle_proof_v1(receipt) has been updated, and is now described by the ccf-tree-alg schema.
  • Improved error message when attempting to obtain receipts for a past epoch during a recovery (#6507).

4.0.22

26 Sep 16:47
c8d5d71

Base image

  • Updated container base image.

6.0.0-dev0

24 Sep 11:47
e213df0
Pre-release

Changed

  • The set_jwt_issuer governance action has been updated, and no longer accepts key_filter or key_policy arguments (#6450).
  • Nodes started in Join mode will shut down if they receive an unrecoverable condition such as StartupSeqnoIsOld or InvalidQuote when attempting to join (#6471, #6489).
  • In configuration, attestation.snp_endorsements_servers can specify a max_retries_count. If the count has been exhausted without success for all configured servers, the node will shut down (#6478).
  • When deciding which nodes are allowed to join, only UVM roots of trust defined in public:ccf.gov.nodes.snp.uvm_endorsements are considered (#6489).

Removed

  • SGX Platform support.

Added

  • Provided API for getting COSE signatures and Merkle proofs (#6477).
  • Exposed COSE signature in historical API via TxReceiptImpl.
  • Introduced ccf::describe_merkle_proof_v1(receipt) for Merkle proof construction in CBOR format.
  • Added COSE signatures over the Merkle root to the KV (#6449).
      • Signing is done with the service key (different from raw signatures, which remain unchanged and are still signed by the node key).
      • New signatures reside in public:ccf.internal.cose_signatures.

5.0.6

24 Sep 15:37
4e49001

Bug fixes

  • Added COSE signature verification to consume signature transactions from an upgraded primary (#6495).