Client API:
- Node.js SDKv2: Removed duplicate sign method, added TypeScript type definitions
Database:
- use encryptor for pkcs11 table
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20241108191957-fa514ef75a0f
Client API:
- New PKCS11 implementation with improved security
Client Communication:
- Added PKCS11 endpoints
Database:
- Add table for PKCS11 protocol
Node Communication:
- Added PKCS11 protocol
Node Configuration:
- Added PKCS11 protocol configuration
Patch changes (no effect on compatibility):
- Fixed errors in the OCSP configuration
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20241016134751-7ff83004ec2c
Client API:
- mTLS authentication with limited access based on certificate fields, specified in the configuration file.
- SDKv2 (Go, Node.js, Java, C): Added WithRootCAFile, WithPublicKeyPinning, WithOCSPValidation to the configuration builder
- SDKv2 (Go, Node.js, Java, C): Removed public key pinning from the mTLS authenticator, and added support for OCSP stapling of the client certificate
Node Configuration:
- Added OCSP configuration to the SDK server and the TLS authenticator
Patch changes (no effect on compatibility):
- Passing a negative UID or GID value to the tsm-node will now disable privilege dropping
- Updated required Go version to 1.22.0 (no need to specify a higher version than we need), but always build with the latest version
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20241016134751-7ff83004ec2c
Filtering on certificate fields for mTLS authentication has been added.
Client API changes (Client API 55.0)
WithPublicKeyPinning is now an option on the client configuration, whereas it was part of the mTLS configuration before.
This means that public key pinning is now also possible for API key and OIDC authentication.
When using mTLS you can now choose to OCSP staple the client certificate. If this is not used, just pass nil as the
ocspStapling value when configuring mTLS authentication.
Finally, all the builder steps in the configuration can no longer return an error. The error will instead be reported
when instantiating the client.
Patch changes (no effect on compatibility):
- Update Docker packages
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20241016134751-7ff83004ec2c
Client API:
- Node.js SDKv2: Added support for RSA, AES and HMAC
Patch changes (no effect on compatibility):
- Upgrade to Go 1.23.2 (https://go.dev/doc/devel/release#go1.23.minor)
- Update dependencies
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20241004191011-08a83c5af9f8
Patch changes (no effect on compatibility):
- Upgrade to Go 1.23.2 (https://go.dev/doc/devel/release#go1.23.minor)
- Update dependencies
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20241004191011-08a83c5af9f8
Node Configuration:
- All MPC protocol methods can be toggled on and off, and are DISABLED by default. You must explicitly enable the ones you need.
Patch changes (no effect on compatibility):
- Fixed error with DNS lookup when using iOS SDKs
- SDKv2 method for signing with a recovered schnorr private key
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20240905004112-7c4916698cc9
MPC protocol features such as GenerateKey, Sign, PublicKey, etc. can now be enabled or disabled per MPC protocol, and by default all methods are DISABLED. This means that without changes to the configuration file, the node will not be able to use the given MPC protocol, and it will fail to start.
Each MPC protocol (here we use DKLS19 as an example) now have a configuration section called DKLS19.Features that can look like this:
Each MPC protocol can have a different feature set. Check the example configuration for a complete list of features for each protocol. The feature names correspond to methods in the SDK. If a feature is not listed, it defaults to false.
Also, some configuration options have been removed from the MPC protocols, as they are now controlled through the protocol features instead. This includes options such as EnableResharing, EnableShareBackup, EnableExport,
EnableERSExport and EnableBIP32ExportSeed.
If all features for an MPC protocol are disabled, the MPC node will refuse to start. In this case you should just
disable the protocol completely in the configuration.
Do not just enable all features without considering the impact of doing so. Especially features that allow export of
key shares in some way should be used with caution. In the example above the potentially dangerous features are
GenerateRecoveryData, BackupKeyShare, ExportKeyShares and BIP32ExportSeed.
Patch changes (no effect on compatibility):
- Fixed error with DNS lookup when using iOS SDKs
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20240905004112-7c4916698cc9
Patch changes (no effect on compatibility):
- Change release to depend on libmpc version from go.mod
- Update dependencies
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20240806205939-81131f6468ab