Client API:
- New PKCS11 implementation with improved security
Client Communication:
- Added PKCS11 endpoints
Database:
- Add table for PKCS11 protocol
Node Communication:
- Added PKCS11 protocol
Node Configuration:
- Added PKCS11 protocol configuration
Patch changes (no effect on compatibility):
- Fixed errors in the OCSP configuration
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20241016134751-7ff83004ec2c
Client API:
- mTLS authentication with limited access based on certificate fields, specified in the configuration file.
- SDKv2 (Go, Node.js, Java, C): Added WithRootCAFile, WithPublicKeyPinning, WithOCSPValidation to the configuration builder
- SDKv2 (Go, Node.js, Java, C): Removed public key pinning from the mTLS authenticator, and added support for OCSP stapling of the client certificate
Node Configuration:
- Added OCSP configuration to the SDK server and the TLS authenticator
Patch changes (no effect on compatibility):
- Passing a negative UID or GID value to the tsm-node will now disable privilege dropping
- Updated required Go version to 1.22.0 (no need to specify a higher version than we need), but always build with the latest version
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20241016134751-7ff83004ec2c
Filtering on certificate fields for mTLS authentication has been added.
Client API changes (Client API 55.0)
WithPublicKeyPinning is now an option on the client configuration, whereas it was part of the mTLS configuration before.
This means that public key pinning is now also possible for API key and OIDC authentication.
When using mTLS you can now choose to OCSP staple the client certificate. If this is not used, just pass nil as the
ocspStapling value when configuring mTLS authentication.
Finally, all the builder steps in the configuration can no longer return an error. The error will instead be reported
when instantiating the client.
Patch changes (no effect on compatibility):
- Update Docker packages
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20241016134751-7ff83004ec2c
Client API:
- Node.js SDKv2: Added support for RSA, AES and HMAC
Patch changes (no effect on compatibility):
- Upgrade to Go 1.23.2 (https://go.dev/doc/devel/release#go1.23.minor)
- Update dependencies
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20241004191011-08a83c5af9f8
Patch changes (no effect on compatibility):
- Upgrade to Go 1.23.2 (https://go.dev/doc/devel/release#go1.23.minor)
- Update dependencies
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20241004191011-08a83c5af9f8
Node Configuration:
- All MPC protocol methods can be toggled on and off, and are DISABLED by default. You must explicitly enable the ones you need.
Patch changes (no effect on compatibility):
- Fixed error with DNS lookup when using iOS SDKs
- SDKv2 method for signing with a recovered schnorr private key
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20240905004112-7c4916698cc9
MPC protocol features such as GenerateKey, Sign, PublicKey, etc. can now be enabled or disabled per MPC protocol, and by default all methods are DISABLED. This means that without changes to the configuration file, the node will not be able to use the given MPC protocol, and it will fail to start.
Each MPC protocol (here we use DKLS19 as an example) now have a configuration section called DKLS19.Features that can look like this:
Each MPC protocol can have a different feature set. Check the example configuration for a complete list of features for each protocol. The feature names correspond to methods in the SDK. If a feature is not listed, it defaults to false.
Also, some configuration options have been removed from the MPC protocols, as they are now controlled through the protocol features instead. This includes options such as EnableResharing, EnableShareBackup, EnableExport,
EnableERSExport and EnableBIP32ExportSeed.
If all features for an MPC protocol are disabled, the MPC node will refuse to start. In this case you should just
disable the protocol completely in the configuration.
Do not just enable all features without considering the impact of doing so. Especially features that allow export of
key shares in some way should be used with caution. In the example above the potentially dangerous features are
GenerateRecoveryData, BackupKeyShare, ExportKeyShares and BIP32ExportSeed.
Patch changes (no effect on compatibility):
- Fixed error with DNS lookup when using iOS SDKs
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20240905004112-7c4916698cc9
Patch changes (no effect on compatibility):
- Change release to depend on libmpc version from go.mod
- Update dependencies
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20240806205939-81131f6468ab
Database:
- migrate key data for RSA to a new format
- migrate key data for symmetric key protocols MRZ15 and WRK17 to new format
Node Communication:
- Changed protocol implementation for RSA (removed SEPH20RSA)
Node Configuration:
- Support for the following crypt algorithms when hashing API keys: MD5, SHA256, SHA512, bcrypt, Argon2i, Argon2id
- Renamed SEPH20RSA to ADN06 to reflect the new RSA implementation
- Removed KeySize for the MRZ15 protocol
Client API:
- Java/C SDKv2: Added support for RSA, AES and HMAC
- Go SDKv2: Renamed some static finalize methods to match other methods
- Go SDKv2: Added support for RSA signing, decryption, export and import
- Go SDKv2: New methods for AES and HMAC operations
- SDKv1 (Go, Node.js, Java, C): The AES CTR Keystream method now accepts key stream lengths that are not multiples of 16 bytes
- SDKv1 (Go, Node.js, Java, C): The AES CTR Encrypt and Decrypt methods now accept ciphertext/plaintexts with lengths that are not multiples of 16 bytes
- SDKv1 (Go, Node.js, Java, C): A new max of 16384 bytes in introduced for plaintexts and ciphertexts in the AES-CTR, AES-CBC, and AES-GCM encrypt/decrypt methods
- SDKv1 (Go, Node.js, Java, C): A new max of 16384 bytes for the AES-GCM additional data is introduced
- SDKv1 (Go, Node.js, Java, C): The AES GCMEncrypt/GCMDecrypt methods now require a nonce of 12 bytes (previously, any nonce length of 1-16 bytes was accepted)
- SDKv1 (Go, Node.js, Java, C): The RFC5649 Blob length is limited to 8192 bytes.
- Node.js SDKv2: Add method sdkVersion() and tsmVersion() to TSMClient
- Node.js SDKv2: Add method copyKey() to ECDSA and Schnorr
- Node.js SDKv2: Add util method privateKeyToPKIXPublicKey()
- Node.js SDKv2: Add util method shamirRecombine()
Client Communication:
- Changed endpoints for RSA
- Change to endpoints and transport types for symmetric operations (AES, HMAC, CMAC, AN10922, RFC5649)
Patch changes (no effect on compatibility):
- SDKv2 logs warning on major client communication mismatch between sdk and node
- Update dependencies
- OIDC Access Token Authentication: Now supports arrays in audience of tokens (https://openid.net/specs/openid-connect-core-1_0-35.html#IDToken)
Mobile frameworks have been built using: golang.org/x/mobile v0.0.0-20240806205939-81131f6468ab
Node Communication:
- Added support for copying a key for DKLS19, SEPH18S and SEPD19S
Client API:
- Go SDKv2: Add method SDKVersion() and TSMVersion() to get the version of the SDK and TSM.
- Go SDKv2: Add method method CopyKey() to ECDSA and Schnorr
- Go SDKv2: Add private key derivation for ECDSA and Schnorr
- Go SDKv2: go-tsm-sdkv2 (gitlab release) now uses proper Go versioning i.e. vNN.OO.PP (prefixed 'v')
Client Communication:
- Added endpoints for KeyCopy to DKLS19, SEPH18S and SEPD19S
Patch changes (no effect on compatibility):
- Fix segmentation fault error when doing hardened bip32 derivation using Node.js SDKv2
- Set custom HTTP response headers in configuration
Mobile frameworks have been built using golang.org/x/mobile v0.0.0-20240520174638-fa72addaaa1b
