    Cosmian KMS - Ubuntu 24.04 (AMD SEV-SNP)

    Sold by: COSMIAN
    Deployed on AWS
    This customer-managed Key Management System carries software charges for use from UAT through production, and includes standard support from Cosmian.

    Overview

    This is repackaged software; additional charges apply for extended support.

    Cosmian KMS is a modern, cloud-ready key management system for your encryption keys and certificates, running inside a Cosmian VM, a verifiable and confidential virtual machine.

    This keeps your KMS entirely confidential, at rest and in use, and makes it verifiable (no hardware or software tampering).

    Cosmian KMS delivers unparalleled data security for your organization with an on-the-fly encryption/decryption key solution, empowering sovereignty, security, and efficiency.

    • Protect your data sovereignty with our independent security solution, eliminating reliance on public cloud providers.

    • Strengthen your security posture by taking charge of sensitive data encryption, including workspace, R&D data, HR information, and electronic communications.

    • Streamline your IT system and server management with automated processes, empowering your system administrators to boost productivity and efficiency in infrastructure management.

    What is in Cosmian KMS? Modern lifecycle management for keys and certificates: Cosmian KMS offers cutting-edge features for managing encryption keys and certificates throughout their lifecycle.

    • Key storage
    • Key generation
    • Key rotation
    • Key distribution
    • Key usage policies

    Advanced Public Key Infrastructure integration: integrating seamlessly with external entities, Cosmian KMS facilitates Public Key Infrastructure management beyond the confines of your organization. Whether you rely on third-party actors or oversee key governance yourself, the process stays streamlined and secure.

    Embedding standard and modern encryption libraries: by embracing both standard and contemporary cryptographic algorithms, Cosmian KMS offers an unparalleled breadth of coverage.

    • FIPS 140-3 validated encryption libraries
    • Covercrypt: post-quantum resistance & access policy
    • Findex: searchable encryption

    Highlights

    • Advanced Key Management for crypto-agility / Enhanced Data Protection / Zero Trust KMS Strategy / Scalability and Flexibility

    Details

    Sold by: COSMIAN
    Delivery option: 64-bit (x86) Amazon Machine Image (AMI)
    Operating system: Ubuntu 24.04
    Deployed on AWS


    Pricing

    Cosmian KMS - Ubuntu 24.04 (AMD SEV-SNP)

    Pricing is based on actual usage, with charges varying according to how much you consume. Subscriptions have no end date and may be canceled any time. Alternatively, you can pay upfront for a contract, which typically covers your anticipated usage for the contract duration. Any usage beyond contract will incur additional usage-based costs.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    Usage costs (30)

    Dimension        Cost/hour
    c6a.xlarge       $1.52   (Recommended)
    c6a.16xlarge     $24.32
    r6a.8xlarge      $12.16
    r6a.2xlarge      $3.04
    c6a.12xlarge     $18.24
    c6a.24xlarge     $36.48
    m6a.8xlarge      $12.16
    r6a.4xlarge      $6.08
    c6a.metal        $72.96
    c6a.48xlarge     $72.96

    Vendor refund policy

    We apply the standard AWS refund policy: a refund can be requested directly through AWS within the first 48 hours. After that, no refund will be granted.


    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information


    Delivery details

    64-bit (x86) Amazon Machine Image (AMI)

    Amazon Machine Image (AMI)

    An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.

    Version release notes

    [5.14.0] - 2025-12-15

    Features :

    • Sign and SignatureVerify support across CLI, and UI:
      • CLI: Added sign and signature_verify subcommands for RSA and Elliptic Curves (crate/cli/src/actions/kms/.../sign.rs, .../signature_verify.rs).
      • UI: Added React pages for RSA and EC signing and verification (ui/src/RsaSign.tsx, ui/src/RsaVerify.tsx, ui/src/ECSign.tsx, ui/src/ECVerify.tsx), and surfaced object type in Locate.
    • Make DB pool max_connections configurable
    • Support sign and verify on CLI/UI + issue 619

    Refactor :

    • Server: Consolidate KMIP operations Sign and SignatureVerify for RSA and Elliptic Curves (crate/server/src/core/operations/sign.rs, signature_verify.rs; routes updated). Supported signature schemes: RSASSA-PSS, ECDSA, EdDSA (Ed25519, Ed448).
    • Digest (pre-hashed) mode for signing and verification:
      • Introduced digested=true handling so inputs are treated as final digests (no implicit hashing) across RSA and EC paths (crypto + server).
      • RSA: Added verify support using pre-hashed input, including PKCS#1 v1.5 and RSASSA-PSS flows (crate/crypto/src/crypto/rsa/verify.rs).
      • EC: Added verify support using pre-hashed input (crate/crypto/src/crypto/elliptic_curves/verify.rs).
    • Non-FIPS EC deterministic behavior (RFC 6979-like) via RustCrypto P256 implementation in non-FIPS builds.
    • RSASSA-PSS: Server respects salt_len when specified (including 0) during Sign.
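    The digested (pre-hashed) mode above matters because the client and the server must agree on who hashes the message: if both do, the signature is over a double hash and verification fails; if neither does, a raw message is fed to the signer as if it were a digest. The following is an added example, not code from the Cosmian KMS or its crates. It is a stand-alone Go program using only the standard library that models a Sign/SignatureVerify pair with a hypothetical digested flag (signPSS, verifyPSS and toDigest are this example's own names, not the server's API), signs with RSASSA-PSS over SHA-256, and exercises both failure modes on a constructed message.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// DemoResult records the outcome of each sign/verify combination below.
type DemoResult struct {
	MessageModeOK      bool // sign(message) verified with verify(message)
	InteropDigestedOK  bool // sign(message) verified with verify(sha256(message), digested=true)
	DoubleHashRejected bool // caller pre-hashed but left digested=false: must fail
	RawAsDigestErr     bool // raw message passed with digested=true: rejected before any RSA work
}

// signPSS models a KMS Sign operation that takes a "digested" flag. With
// digested=false the server hashes the message itself; with digested=true the
// input is treated as the final SHA-256 digest and is not hashed again.
// The API shape is hypothetical and only illustrates the semantics.
func signPSS(priv *rsa.PrivateKey, input []byte, digested bool) ([]byte, error) {
	digest, err := toDigest(input, digested)
	if err != nil {
		return nil, err
	}
	opts := &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest, opts)
}

// verifyPSS is the matching SignatureVerify operation. A bad signature is a
// normal negative result (false, nil); only malformed input is an error.
func verifyPSS(pub *rsa.PublicKey, input, sig []byte, digested bool) (bool, error) {
	digest, err := toDigest(input, digested)
	if err != nil {
		return false, err
	}
	opts := &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest, sig, opts); err != nil {
		return false, nil
	}
	return true, nil
}

// toDigest hashes the input unless the caller says it is already a digest, in
// which case it only enforces the digest length so that a raw message cannot be
// mistaken for a SHA-256 digest.
func toDigest(input []byte, digested bool) ([]byte, error) {
	if !digested {
		sum := sha256.Sum256(input)
		return sum[:], nil
	}
	if len(input) != sha256.Size {
		return nil, fmt.Errorf("digested input must be %d bytes, got %d", sha256.Size, len(input))
	}
	return input, nil
}

// runDigestedModeDemo exercises the four combinations on a constructed message.
func runDigestedModeDemo() (DemoResult, error) {
	var r DemoResult
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	msg := []byte("constructed sample message to be signed") // constructed input
	sum := sha256.Sum256(msg)

	// Server-side hashing: the reference case.
	sig, err := signPSS(priv, msg, false)
	if err != nil {
		return r, err
	}
	r.MessageModeOK, _ = verifyPSS(&priv.PublicKey, msg, sig, false)

	// Same signature, verified by a client that hashed the message itself.
	r.InteropDigestedOK, _ = verifyPSS(&priv.PublicKey, sum[:], sig, true)

	// Client pre-hashed but forgot digested=true: the server hashes the digest again.
	ok, _ := verifyPSS(&priv.PublicKey, sum[:], sig, false)
	r.DoubleHashRejected = !ok

	// Raw message with digested=true: caught by the length check before signing.
	_, err = signPSS(priv, msg, true)
	r.RawAsDigestErr = err != nil
	return r, nil
}

func main() {
	r, err := runDigestedModeDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

    Run it with go run; it prints the four outcomes. Go's rsa.PSSOptions cannot express a zero-length salt when signing (a SaltLength of 0 means PSSSaltLengthAuto, i.e. the maximum salt), so the salt_len=0 case from the notes is not reproduced here.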

    Testing :

    • Added CLI and crypto tests for sign/verify flows, including digested mode

    Bug Fixes :

    • MySQL schema missing PRIMARY KEY
    • On JWT auth, token was not properly forwarded in requests
    • Support COSMIAN_KMS_CONF env. variable in docker
    • Support AWS ECS Fargate
    • ObjectType Attribute problem
    • (UI) Remove in home page the incorrect HSM comment
    • Support MySQL TDE while fixing the KMIP 1.x TTLV deserializer
    • CLI needs snake case

    Documentation :

    • Rename .github/README.md
    • Update installation instructions

    Build :

    • (deps) Bump sigstore/cosign-installer from 3.7.0 to 4.0.0
    • (deps) Bump crazy-max/ghaction-dump-context from 1 to 2
    • (deps) Bump actions/setup-node from 4 to 6
    • (deps) Bump actions/download-artifact from 4 to 6
    • (deps) Bump actions/download-artifact from 6 to 7
    • (deps) Bump actions/upload-artifact from 5 to 6

    [5.13.0] - 2025-12-07

    Features :

    • KMIP XML Vector Conformance (1.4 & 2.1) (see details)
    • Nix: Reproducible Package Management (see details)
    • Create OpenTelemetryConfig to be consumed for server metrics

    Bug Fixes :

    • Better sql for the Find query
    • HSM unwrapping without permission

    Documentation :

    • Fix UI README.md
    • Add vsphere minimal version

    Testing :

    • Support official KMIP test vectors 1.4/2.1

    Build :

    • Reproducible Package Management with Nix
    • (deps) Bump docker/metadata-action from 4 to 5
    • (deps) Bump actions/checkout from 4 to 6
    • (deps) Bump crazy-max/ghaction-import-gpg from 5 to 6
    • (deps) Bump actions/upload-artifact from 4 to 5
    • (deps) Bump softprops/action-gh-release from 1 to 2

    KMIP XML Vector Conformance (1.4 & 2.1) :

    • End-to-end alignment with the official KMIP XML test vectors across library, server routing, and CLI: Create, Query/DiscoverVersions, attribute flows, and OpaqueObject revoke/destroy are covered.

    Features :

    • KMIP crate

      • Operations/types/messages:
        • Expanded Operation enum and message wiring to include: Interop, PKCS11, Check, RNG Retrieve, RNG Seed, GetAttributeList, MACVerify, ModifyAttribute, Log, plus responses.
        • Request/Response batch items are Clone with structured Display for clearer diagnostics.
        • Added Vendor OpaqueDataType; Display impls for CryptographicDomainParameters, ProtectionStorageMasks, StorageStatusMask.
      • TTLV improvements:
        • Deserializer coercions: Integer/Interval to i64, Enumeration/LongInteger to u8; ByteString to hex for ShortUniqueIdentifier.
        • Relaxed Attribute decoding supporting VendorAttribute and AttributeName+Value forms.
        • deserialize_ignored_any no-op to avoid loops in permissive paths.
      • Protocol alignment:
        • DiscoverVersions now uses KMIP 0.x types (protocol_version_major/minor) per spec; Query advertises operations/objects supported.
      • XML support:
        • Added XML serializer/deserializer and parser with tests for 1.4 and 2.1 XML vectors.
    • server

      • New KMIP operations exposed and routed: DiscoverVersions, Query, RNG Retrieve, RNG Seed, MACVerify, GetAttributeList, ModifyAttribute, Check.
      • OpaqueObject Revoke/Destroy parity with vectors; deterministic ordering for GetAttributeList.
      • RNG implementation module (ANSI X9.31) with public routing.
      • Optional cascade mechanism for Destroy and Revoke.
    • CLI

      • New subcommands: rng (Retrieve/Seed), mac verify, discover-versions, query.
      • New opaque-object subcommands: Create/Import/Export/Revoke/Destroy (no wrap/unwrap).
    • kms_client

      • REST client methods added for RNG Retrieve/Seed, MACVerify, Query, DiscoverVersions, Check, GetAttributeList, attribute ops, register, and crypto ops.
    • server_database

      • Deterministic GetAttributeList behavior across backends; Locate query refinements; backend adapters updated (MySQL, PostgreSQL, SQLite, Redis-Findex).
    • crypto

      • Robustness and consistency improvements to RSA OAEP and wrap/unwrap paths used by KMIP flows.
    • interfaces / hsm / access / client_utils

      • Minor interface refinements and HSM integration stability improvements supporting the new routes and attribute flows.

    Bug Fixes :

    • Export OpaqueObject Raw/Base64 returns opaque bytes (no KeyBlock).
    • DiscoverVersions type/field mismatches fixed by switching to KMIP 0.x (major/minor).
    • TTLV deserializer: better errors and coercions (u8 from Enumeration/LongInteger; i64 widening from Integer/Interval; vendor Attribute decoding) for XML vector compatibility.
    • GetAttributeList: unified, deterministic ordering across environments.

    Testing :

    • Extensive XML vector tests for 1.4 and 2.1 in the kmip crate (mandatory/optional suites, crypto coverage).
    • Added CLI tests: OpaqueObject CRUD (create/import, export json/base64/raw, revoke, destroy), RNG Retrieve/Seed, MAC Verify, Query, and DiscoverVersions.
    • Server TTLV tests expanded (e.g., DSA creation/get flows) and vector integrations.

    Documentation / Tooling :

    • Added KMIP specification scaffolding READMEs and a script to generate XML-based support tables.
    • Build scripts adjusted for the new test coverage and flows.

    Nix: Reproducible Package Management

    Features :

    • Reproducible builds with Nix:

      • Full migration to Nix package manager for deterministic, bit-for-bit reproducible builds
      • Automated hash verification system ensuring build artifact integrity across platforms
      • Support for offline/air-gapped builds with complete dependency caching
      • Unified build system replacing platform-specific scripts (.sh, .ps1)
      • Comprehensive build variants: FIPS/non-FIPS x static/dynamic x vendor/non-vendor
      • Native support for cross-platform builds (Linux x86_64/ARM64, macOS x86_64/ARM64, Windows)
    • Build infrastructure improvements:

      • New nix/ directory with reproducible derivations for KMS server, OpenSSL 3.1.2, UI, and Docker images
      • Automated hash tracking system with 400+ expected hashes for all build artifacts and dependencies
      • Deterministic OpenSSL 3.1.2 builds (both FIPS and non-FIPS variants) with static linking support
      • Docker images built entirely through Nix for consistency
      • Package signing infrastructure for Debian (.deb) and RPM packages
      • SBOM (Software Bill of Materials) generation integrated into build process
    • Testing & CI enhancements:

      • Refactored GitHub workflows with comprehensive reusable components
      • New test suites: test_all.sh, smoke_test_deb.sh, smoke_test_rpm.sh, smoke_test_dmg.sh
      • Database-specific test scripts for MySQL, PostgreSQL, Redis, and SQLite backends
      • HSM integration tests for Utimaco, Proteccio, SoftHSM2, and Crypt2pay
      • Google CSE endpoint testing with HSM integration
      • Systemd service file validation tests
      • Docker image smoke tests with health checks

    Refactor :

    • CI/CD pipeline reorganization:
      • New reusable workflow structure: main.yml to main_base.yml/packaging.yml
      • Separated authentication tests by FIPS/non-FIPS variants
      • Modularized test execution with dedicated scripts per component
      • Common utilities consolidated in .github/scripts/common.sh

    Documentation :

    • Comprehensive Nix build system documentation with visual diagrams:
      • Build architecture and reproducibility guarantees
      • Hash verification flow and offline build processes
      • Package signing setup and verification procedures
      • Troubleshooting guides and learning resources
    • GitHub workflows documentation with complete execution flow diagrams
    • Updated Copilot instructions for Nix-based development
    • Build and test guide in .github/copilot-instructions.md

    [5.12.1] - 2025-11-28

    Bug Fixes :

    • Avoid negative certificate serial number

    Other :

    • Remove useless css in autogenerated doc

    Build :

    • (deps) Bump actions/checkout from 5 to 6

    [5.12.0] - 2025-11-19

    Features :

    • Azure BYOK UI
    • Upgrade Findex from v5 to v8
      • (redis): Created a new data storage schema for Redis, using a double index instead of the "next Keyword".
      • (redis): Developed a migration algorithm to update data from KMSes prior to 5.12.x.
      • (redis): Introduced strong typing for UserId and ObjectUid to reduce string manipulation errors, and created new types inspired by legacy cloudproof components.
      • Used new crypto core serializations for storage (when applicable)

    Bug Fixes :

    • Automatic key unwrapping depending on ObjectType :
      • Automatically unwrap wrapped keys when retrieving them from the database. This is useful when the server is configured with a Key Encryption Key that wraps all new keys. The unwrapped keys stay temporarily in an expiring cache.
      • This feature is combined with the parameter default_unwrap_type, which filters the ObjectTypes to unwrap.
      • Possible filters in the server configuration are: All, Certificate, CertificateRequest, OpaqueObject, PGPKey, PrivateKey, PublicKey, SecretData, SplitKey, SymmetricKey

    Documentation :

    • Rework all the database migration documentation with easier-to-read schemas
    • Document migration flows
    • Update the KMS configuration TOML file with the parameter default_unwrap_type.

    Build :

    • (deps-dev): bump js-yaml from 4.1.0 to 4.1.1 in /ui in the npm_and_yarn group across 1 directory

    Testing :

    • (redis): Add two integration tests that migrate from version 5.1.0 and 5.2.0 to (#542)

    !!! WARNING !!!

    Redis users: Starting version 5.12.0, the KMS will start operating with a new version of Findex (the SSE used with the Redis DB), and a data migration is necessary :

    IMPORTANT: Back up your Redis database before upgrading to version 5.12.0.

    • If you're upgrading from a version prior to 5.0.0 : please export your keys using standard formats (PKCS#8, PEM, etc.) and re-import them after clearing the Redis store. Databases created with version 4.x.x are not compatible with the automated migration routine, and the server won't start if the db_version key is unset.
    • If you're upgrading from a 5.x DB : A transparent migration process will occur and should typically take less than a minute.

    [5.11.2] - 2025-11-12

    Bug Fixes :

    • Fix key wrapping where wrapping-key is itself wrapped: unwrap it and then use it
    • Add an automatic key unwrapping for google_cse key at server startup
    • Create a OnceCell HSM instance when multiple KMS servers are used, avoiding a potential startup error
    • Improved handling of wrapped keys, attribute propagation, and TLS cipher suite configuration

    Testing :

    • Add CLI-tests on Google CSE endpoints (/wrap, /privatekeydecrypt, etc.) and on Google key pair creation - all with the google_cse key wrapped by HSM

    Documentation :

    • Example of configuration file: replace deprecated [auth] section with [idp_auth]

    [5.11.1] - 2025-11-04

    Documentation :

    • Rework KMIP support documentation
    • Remove double entry on KMIP Support

    Testing :

    • (windows): Enable test on whole workspace

    Additional details

    Usage instructions

    WARNING : the region east-us1 must not be used to deploy Cosmian products! It is listed only because of an AWS testing constraint; this region does not currently allow the deployment of confidential VMs.

    Make sure to enable the configuration related to AMD SEV-SNP option located in the advanced details tab within the marketplace deployment page.

    Because the Cosmian KMS is deployed on top of a Cosmian Verifiable VM, when cosmian_vm_agent starts for the first time it initializes several components:

    1. It generates a self-signed certificate and sets the CommonName of the certificate to the value of the machine hostname.
    2. It generates a LUKS container (/var/lib/cosmian_vm/container) and mounts it at /var/lib/cosmian_vm/data. Note that /var/lib/cosmian_vm/tmp is a tmpfs: its contents are encrypted because the VM's RAM is encrypted, but it should hold only volatile data, since it is erased at each VM reboot.
    3. It generates the TPM endorsement keys.

    It is recommended to configure 1. and 2. on your own for production systems.

    The certificate can be changed at will:

    • Edit your DNS record to point to that VM.
    • Create a trusted certificate using the method of your choice (e.g., Let's Encrypt) or use cosmian_certtool.
    • Edit the cosmian_vm_agent configuration file to point to the location of the TLS certificate and private key.

    The LUKS container can be regenerated using cosmian_fstool with your own size and password (which you must store yourself in a secure location). It is recommended to use an additional backup disk to store the container. You can skip all these first-startup steps by setting COSMIAN_VM_PREINIT=0 when starting cosmian_vm_agent.

    Once the image is instantiated (on GCP, Azure, or AWS), cosmian_vm_agent automatically starts as a systemd service when the VM boots.

    You can now install any packages or applications you want on the VM.

    Your VM is now set and ready.

    Finally, please follow the deployment process to configure your KMS properly: https://docs.cosmian.com/deployment/cosmian_vm_kms/

    Support

    Vendor support

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.


    Customer reviews

    Ratings and reviews: 0 ratings, 0 reviews. No customer reviews yet.