4.0.0-dev4

Changed

• ccf::RpcContext::set_response() has been renamed to ccf::RpcContext::set_response_json() (#4813).
• The built-in authentication policies for JWTs and certs will now enforce expiry times, based on the current time received from the host. JWTs must contain "nbf" and "exp" claims, and if those are outside the current time then the request will get an authentication error (#4786).
• ccf.crypto.sign() previously returned DER-encoded ECDSA signatures and now returns IEEE P1363 encoded signatures, aligning with the behavior of the Web Crypto API and ccf.crypto.verifySignature() (#4829).
• Proposals authenticated with COSE Sign1 must now contain a ccf.gov.msg.created_at header parameter, set to a positive integer number of seconds since epoch. This timestamp is used to detect potential proposal replay. The ccf_cose_sign1* scripts have been updated accordingly and require a --ccf-gov-msg-created_at.
• Updated Clang version requirement to >= 10 in cmake.

Added

• Added ccf.enableUntrustedDateTime to JS API. After calling ccf.enableUntrustedDateTime(true), the Date global object will use the untrusted host time to retrieve the current time.
• Add new ccf.crypto.jwkToPem, ccf.crypto.pubJwkToPem, ccf.crypto.rsaJwkToPem, ccf.crypto.pubRsaJwkToPem, ccf.crypto.eddsaJwkToPem, ccf.crypto.pubEddsaJwkToPem to JavaScript/TypesScript API to convert EC/RSA/EdDSA keys from PEM to Json Web Key (#4876).
• Add new constructors to cryptography C++ API to generate EC/RSA/EdDSA keys from Json Web Key (#4876).

3.0.5

Added

• Add new ccf.crypto.jwkToPem, ccf.crypto.pubJwkToPem, ccf.crypto.rsaJwkToPem, ccf.crypto.pubRsaJwkToPem, ccf.crypto.eddsaJwkToPem, ccf.crypto.pubEddsaJwkToPem to JavaScript/TypesScript API to convert EC/RSA/EdDSA keys from PEM to Json Web Key (#4876).
• Add new constructors to cryptography C++ API to generate EC/RSA/EdDSA keys from Json Web Key (#4876).
• Proposals authenticated with COSE Sign1 must now contain a ccf.gov.msg.created_at header parameter, set to a positive integer number of seconds since epoch. This timestamp is used to detect potential proposal replay. The ccf_cose_sign1* scripts have been updated accordingly and require a --ccf-gov-msg-created_at.

3.0.4

Changed

• ccf.crypto.sign() previously returned DER-encoded ECDSA signatures and now returns IEEE P1363 encoded signatures, aligning with the behavior of the Web Crypto API and ccf.crypto.verifySignature() (#4829).

Added

• Added ccf.enableUntrustedDateTime to JS API. After calling ccf.enableUntrustedDateTime(true), the Date global object will use the untrusted host time to retrieve the current time.

4.0.0-dev3

Fixed

• Node-to-node channels no longer check certificate expiry times. This previously caused "Peer certificate verification failed" error messages when node or service certs expired. (#4733)
• node_data_json_file configuration option is now correctly applied in Start and Recover modes (#4761).

Changed

• Increased default NumHeapPages (heap size) for js_generic from 131072 (500MB) to 524288 (2GB).
• TCP_NODELAY is now set for all incoming and outgoing TCP connections (#4717).

3.0.3

Fixed

• node_data_json_file configuration option is now correctly applied in Start and Recover modes (#4761).

Changed

• Increased default NumHeapPages (heap size) for js_generic from 131072 (500MB) to 524288 (2GB).

2.0.14

Fixed

• node_data_json_file configuration option is now correctly applied in Start and Recover modes (#4761).

3.0.2

Added

• Builtin governance tables now have endpoints for accessing their content directly from the KV, under /gov/kv. For instance, /gov/kv/constitution will read the current constitution.

Changed

• Access to restricted KV tables (eg - private or non-governance reads during governance, or governance writes during application execution) produce more descriptive errors. The documentation has been extended to describe these restrictions. (#4686)
• TCP_NODELAY is now set for all incoming and outgoing TCP connections (#4717).

Fixed

• Node-to-node channels no longer check certificate expiry times. This previously caused "Peer certificate verification failed" error messages when node or service certs expired. (#4733)
• Fixed issue where invalid snapshots could be generated depending on the pattern of additions/removals of keys in a given key-value map (#4730).

2.0.13

Fixed

• Node-to-node channels no longer check certificate expiry times. This previously caused "Peer certificate verification failed" error messages when node or service certs expired. (#4733)
• Fixed issue where invalid snapshots could be generated depending on the pattern of additions/removals of keys in a given key-value map (#4730).

2.0.12

Changed

• Expanded logging in node-to-node channel handshake failure cases (#4723).

4.0.0-dev2

Added

• The ccf Python package now includes a ccf_cose_sign1 CLI tool, to facilitate the creation of COSE Sign1 requests for governance purposes. It also includes ccf_cose_sign1_prepare and ccf_cose_sign1_finish CLI tools, to facilitate the creation of COSE Sign1 requests for governance purposes, signed with external key management systems such as AKV. See documentation for details.
• Builtin governance tables now have endpoints for accessing their content directly from the KV, under /gov/kv. For instance, /gov/kv/constitution will read the current constitution.

Fixed

• Session consistency is now provided even across elections. If session consistency would be broken, the inconsistent request will return an error and the TLS session will be terminated.