Releases: Cosmian/kms

4.20.0

30 Nov 10:38

[4.20.0] - 2024-11-30

🚀 Features

  • HSM support (#344)
    • support for the Proteccio HSM, which provides both
      • the ability to perform the Create, Destroy, Export, Encrypt, and Decrypt operations on the HSM
      • the ability to create keys in the KMS that are wrapped by a key in the HSM
    • the database components are now in a separate crate, server_database, split into two implementations: an Objects store and a Permissions store
    • a new interfaces crate gathers the interfaces to be implemented by new external components. Interfaces include:
      • Object Store
      • Permissions Store
      • Encryption Oracle
    • key unique identifiers now support prefixes; Object Stores, Permissions Stores, and Encryption Oracles can be registered against these prefixes
    • support for the Sensitive Attribute, in addition to the ability to wrap a key with another key, has been added to all key creations
  • Make keys non-revocable on server (#341)
  • Docker for Linux ARM and keep support for macOS Intel (#343)

🐛 Bug Fixes

  • The macOS-12 environment is now deprecated
  • Better permissions checking on wrapping and unwrapping

📚 Documentation

  • Add benchmarks on simultaneous encryptions/decryptions

4.19.3

29 Oct 23:18

[4.19.3] - 2024-10-29

🐛 Bug Fixes

  • Launch encrypted GMeet through GCal (#334)
  • MacOS-maturin:
    • Upgrade python version from 3.12 to 3.13 (#333)
    • force forward compatibility (#336)
  • Don't panic on slice indexing (#331)

📚 Documentation

  • ckms installation - specifically for Windows (#332)

4.19.1

11 Oct 15:02

[4.19.1] - 2024-10-11

🚀 Features

  • Client ckms: merge attributes handling (set/get/delete) under attributes subcommand (#329)

🐛 Bug Fixes

  • Guard on size of ciphertexts for BulkData (#330)
  • KMIP Attributes: fix deletion on Links and Vendor Attributes (#329)

4.19.0

08 Oct 22:37

[4.19.0] - 2024-10-09

🚀 Features

  • Google Workspace Client-Side-Encryption (CSE) updates (#319)
    • Generate Google S/MIME key pairs and identities and upload them to the Gmail API from the ckms CLI (#270)
    • Server-side, export cert at PKCS7 format
    • Implement missing CSE endpoints
    • Wrap/unwrap CSE elements with authenticated encryption
    • Export wrapped keys from KMS specifying the cipher mode
    • Handle auth for guest users (#271)
  • Add SetAttribute/DeleteAttribute KMIP operations (#303)
  • Re-enable wrap/unwrap on ckms by linking statically on openssl (#317)
  • Added AES GCM-SIV and AES XTS (#328)
  • Added the ability to client side encrypt files with ckms and a hybrid scheme (#328)
  • Add bulk encrypt / decrypt facility (#318)
  • Create Symmetric Key / Private keys with custom unique id (#326)
  • Replace Debug derive trait of KMIP Object by a custom Display impl (#327)

📚 Documentation

  • Documentation: Migrating emails to Gmail CSE (#316)
  • Update CSE documentation (Gmail S/MIME) (#316)
  • Update KMS build instructions (#320)

🧪 Testing

  • Add test on database backends (#311)
  • Reduce CI pipeline duration in debug (#315)
  • Add CSE endpoints testing (#319)

⚙️ Miscellaneous Tasks

  • Clippy hardening in crate kmip (#304)

4.18.0

17 Sep 13:16

[4.18.0] - 2024-09-17

🚀 Features

  • Add ReKey KMIP operation (#294)
  • Add API token authentication between server and clients (#290)
  • Build a generic database upgrade mechanism (#299)
  • Export of certificates can now be performed using the certificate id (instead of just the private key id)
  • More intuitive PKCS#12 import (#306)
  • Support for export under legacy PKCS#12 format (#306)
  • Documentation (S/MIME)

🐛 Bug Fixes

  • KMIP Attributes:
    • In get_attributes, use attributes from ObjectWithMetadata instead of Object.Attributes (#278)
    • When inserting in db, force Object::Attributes to be synced with Attributes (#279)
  • Certificates handling/tasks:
    • Validate KMIP operation:
      • Simplify getting CRLs and get returned errors (#268)
      • Validate certificate generation (#283)
      • Use certificate file path in ckms arguments (#292)
    • Certify KMIP operation: Server must sign x509 after adding X509 extensions (#282)
  • Merge decrypt match in same function (#295)
  • Fix Public RSA Key size in get attributes (#275)
  • RUSTSEC:
    • RUSTSEC-2024-0357: MemBio::get_buf has undefined behavior with empty buffers: upgrade crate openssl from 1.0.64 to 1.0.66 (#280)
    • RUSTSEC-2024-0363: Binary Protocol Misinterpretation caused by Truncating or Overflowing Casts: bump sqlx to 0.8.1 (#291 and #297)
  • CLI doc fixes (certificates certify)
  • Fix PKCS#12 export of self-signed cert (#305)
  • Fix serialization of Attributes in redis-findex (#307)

⚙️ Miscellaneous Tasks

  • clippy tasks:
    • Only expose pub functions that need to be public (#277)
    • Hardcode clippy lints (#293)
  • Rename macOS artifacts to include the CPU architecture
  • Configure ckms to build reqwest with minimal idle connection reuse (#272)
  • Do not delete tags if none are provided (#276)
  • Deactivated Google CSE tests when tokens are not supplied through an env. var.
  • Cleaned up and improved certificate import tests
  • Made the test DB backend selectable using the env. var. KMS_TEST_URL

4.17.0

05 Jul 13:28

[4.17.0] - 2024-07-05

🚀 Features

  • Add KMIP operation Validate for certificates (#247)
  • Added RSA benchmarks (#251)
  • Add OpenTelemetry OTLP protocol support to KMS server (#253)
  • Support for multiple certification scenarios and self-signing (#248)

🐛 Bug Fixes

  • Fix vulnerability RUSTSEC-2024-0336 (#244)
  • Fix vulnerability RUSTSEC-2024-0344 (#254) and (#255)

⚙️ Miscellaneous Tasks

  • Create Debian/RPM packages for Ubuntu 2x.04 and RHEL 9 (#264)
  • Drop CentOS 7 support (#265)
  • Replace cargo audit with cargo deny (#245)
  • Replace Linux cross-compiling for Windows with compiling on a Windows GitHub runner (#249)
  • Add support for build on macOS ARM

4.16.0

06 May 11:29

[4.16.0] - 2024-05-06

Bug Fixes

  • Fixed import of symmetric key tag to '_kk' from '_sk'

Features

  • Add support for LUKS via PKCS#11 module
  • Add support for CKM_RSA_PKCS (PKCS#1 v1.5) for RSA encryption/decryption

4.15.2

03 May 07:31

[4.15.2] - 2024-05-03

Features

  • Create Gmail key pairs and identities via ckms (#243)

Bug Fixes

  • Comment out mermaid configuration

4.15.1

02 May 13:42

[4.15.1] - 2024-05-02

Features

  • Add Google Workspace CSE endpoints for encrypted Gmail (#192)

Bug Fixes

  • RUSTSEC-2024-0336 (#244)
  • Remove everything related to GCP images build (#241)

Documentation

  • OAuth2 OIDC doc fixes

4.15.0

08 Apr 14:20

Bug Fixes

  • Add license to KMS GCP image (#235)
  • Re-enable the validation of JWT Issuer URI
  • Fix CSE error status code, propagating the right status code instead of generic server code error

Features

  • Handle many identity providers in JWT authentication
  • New command line argument --key-usage to define key or certificate usage on import
  • Exhaustive verification that the key used to perform cryptographic operations is allowed to do them
  • KMIP object creation can now precisely define the usage of the key it describes