TSM Release 69.0.0

Changelog

Node Configuration:
- Add support for AWS Secrets Manager and dynamic IAM RDS authentication
- Make OCSP hash algorithm configurable
Client API:
- SDKv2 (Go, C, Java): Added a method to count the number of pre-signatures
- SDKv2 (Go, C, Java): Added a utility method to sign with a raw Schnorr private key
- SDKv2 (C, Java, Node.js): Added the hash algorithm to the OCSP methods
- Make OCSP hash algorithm configurable
  
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20250106192035-c31d5b91ecc3

Versions

Client API: 59.0 (!)
Client Communication: 29.1
Database: 7.12.0
Node Communication: 32.1
Node Configuration: 21.4

AWS Secrets Manager and IAM RDS Authentication (Node Configuration: 21.4)

It is now possible to use the aws tag anywhere in the node config file, for example:

[Database]
  EncryptorMasterPassword = "{{ aws prod/encryptor-master-password eu-central-1 }}"

The node will then replace this with the secret named prod/encryptor-master-password from AWS Secrets Manager.

The replacement happens once, at startup. The config file can contain multiple secrets like this, but they must all be fetched from the same AWS region. For this to work, the TSM node must be allowed to perform the IAM action secretsmanager:GetSecretValue on each secret, e.g., by running the TSM node on an EC2 instance that is assigned an IAM role with this permission.

It's also possible to connect to AWS RDS using IAM authentication via the iam tag, as follows:

[Database]
  DataSourceName = "{{ iam mariadb dbuser my-rds.cf4m8zm7yt0e.eu-central-1.rds.amazonaws.com:3306 db eu-central-1 }}"

This will be replaced by an RDS IAM token for the given RDS database. Here dbuser is the user for the RDS database, and db is the database name. For this to work, the TSM node must be allowed to perform the IAM action rds-db:connect for the given database user and database, e.g., by running the TSM node on an EC2 instance that is assigned an IAM role with this permission. The iam tag works for mariadb, mysql and postgres databases.

Unlike the aws tag, which is replaced once when the node starts up, the iam tag is expanded each time a new database connection is created. Combined with ConnectionMaxLifetime as in the following example, this ensures that the TSM node refreshes its RDS IAM tokens at least every 10 minutes.

[Database]
  DriverName = "postgres"
  DataSourceName = "{{ iam postgres my_db_user my_rds.cf4m8zm7yt0e.eu-central-1.rds.amazonaws.com:5432 my_db eu-central-1 }}"
  ConnMaxLifetime = "10m"
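The two constraints above (every aws tag must use the same region; the iam tag only supports mariadb, mysql and postgres) are easy to get wrong when a config file is assembled by hand, and the node only reports them at startup. The following added example, which is not part of the TSM node and not code from the release notes, is a small pre-flight validator in Go: it parses the {{ aws ... }} and {{ iam ... }} tags out of a config fragment, checks their shape, enforces the single-region rule, and lists the IAM actions the node's role needs so the policy can be scoped to exactly those secrets and database users. The tag grammar is assumed from the two examples on this page; ParseTags, CheckSingleRegion, RequiredActions and the sample config are names and data constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// tagRe matches the {{ aws ... }} and {{ iam ... }} template tags. The grammar is
// assumed from the two examples in the release notes, not from the TSM source.
var tagRe = regexp.MustCompile(`\{\{\s*(aws|iam)\s+([^}]*?)\s*\}\}`)

// Tag is one parsed template tag from a node config file.
type Tag struct {
	Kind   string   // "aws" (Secrets Manager) or "iam" (RDS IAM token)
	Fields []string // whitespace-separated arguments inside the braces
	Region string   // AWS region the tag refers to
}

// ParseTags extracts every aws/iam tag from the config text and validates its shape.
func ParseTags(config string) ([]Tag, error) {
	var tags []Tag
	for _, m := range tagRe.FindAllStringSubmatch(config, -1) {
		t := Tag{Kind: m[1], Fields: strings.Fields(m[2])}
		switch t.Kind {
		case "aws": // {{ aws <secret-name> <region> }}
			if len(t.Fields) != 2 {
				return nil, fmt.Errorf("aws tag needs <secret-name> <region>: %s", m[0])
			}
			t.Region = t.Fields[1]
		case "iam": // {{ iam <driver> <db-user> <host:port> <db-name> <region> }}
			if len(t.Fields) != 5 {
				return nil, fmt.Errorf("iam tag needs 5 fields: %s", m[0])
			}
			switch t.Fields[0] {
			case "mariadb", "mysql", "postgres":
			default:
				return nil, fmt.Errorf("iam tag: unsupported driver %q", t.Fields[0])
			}
			if !strings.Contains(t.Fields[2], ":") {
				return nil, fmt.Errorf("iam tag: endpoint must be host:port: %s", t.Fields[2])
			}
			t.Region = t.Fields[4]
		}
		tags = append(tags, t)
	}
	return tags, nil
}

// CheckSingleRegion enforces the documented restriction that all aws tags in one
// config file must fetch from the same region.
func CheckSingleRegion(tags []Tag) error {
	region := ""
	for _, t := range tags {
		if t.Kind != "aws" {
			continue
		}
		if region == "" {
			region = t.Region
		} else if t.Region != region {
			return fmt.Errorf("aws tags use different regions: %s and %s", region, t.Region)
		}
	}
	return nil
}

// RequiredActions lists the IAM actions the node's role needs, one entry per tag,
// so the policy can be scoped to exactly these resources (least privilege).
func RequiredActions(tags []Tag) []string {
	var out []string
	for _, t := range tags {
		switch t.Kind {
		case "aws":
			out = append(out, "secretsmanager:GetSecretValue on secret "+t.Fields[0])
		case "iam":
			out = append(out, "rds-db:connect for user "+t.Fields[1]+" on database "+t.Fields[3])
		}
	}
	return out
}

// sampleConfig is a constructed node config fragment in the page's own format
// (the RDS hostname is a placeholder, not a real endpoint).
const sampleConfig = `[Database]
  DriverName = "postgres"
  EncryptorMasterPassword = "{{ aws prod/encryptor-master-password eu-central-1 }}"
  DataSourceName = "{{ iam postgres my_db_user my_rds.example.rds.amazonaws.com:5432 my_db eu-central-1 }}"
  ConnMaxLifetime = "10m"
`

func main() {
	tags, err := ParseTags(sampleConfig)
	if err != nil {
		fmt.Println("config error:", err)
		return
	}
	if err := CheckSingleRegion(tags); err != nil {
		fmt.Println("config error:", err)
		return
	}
	for _, a := range RequiredActions(tags) {
		fmt.Println("needs:", a)
	}
}
```

Running it against a config that mixes eu-central-1 and us-east-1 aws tags, or that uses an unsupported driver in an iam tag, fails before the node is ever started; the RequiredActions output doubles as a checklist for the role attached to the EC2 instance.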

Client API changes (Client API 55.0)

WithPublicKeyPinning is now an option on the client configuration, whereas previously it was part of the mTLS configuration. This means that public key pinning is now also possible for API key and OIDC authentication.

When using mTLS you can now choose to OCSP staple the client certificate. If this is not used, pass nil as the ocspStapling value when configuring mTLS authentication.

Finally, the builder steps in the configuration no longer return an error. Any error is instead reported when the client is instantiated.