6.0.0-dev10

Added

• Expose ccf:http::parse_accept_header() and ccf::http::AcceptHeaderField (#6706).
• Added ccf::cose::AbstractCOSESignaturesConfig subsystem to expose COSE signature configuration to application handlers (#6707).
• Package build_bundle.ts under npx ccf-build-bundle to allow javascript users to build a ccf schema bundle (#6704).

6.0.0-dev9

Changed

• The read_ledger.py tool now has a --quiet option which avoids printing anything per-transaction, as well as other performance improvements, which should make it more useful in verifying the integrity of large ledgers.
• COSE signatures now set a kid that is a hex-encoded SHA-256 of the DER representation of the key used to produce them (#6703).

6.0.0-dev8

Changed

• All definitions in CCF's public headers are now under the ccf:: namespace. Any application code which references any of these types directly (notably StartupConfig, http_status, LoggerLevel), they will now need to be prefixed with the ccf:: namespace.

5.0.11

Dependencies

• Updated Open Enclave from 0.19.7 to 0.19.8 (#6685).
• Updated Intel PSW from 2.20.100 to 2.25.100 (#6685).

5.0.10

• Added OpenAPI support for std::unordered_set.

Changed

• Service certificates and endorsements used for historical receipts now have a pathlen constraint of 1 instead of 0, reflecting the fact that there can be a single intermediate in endorsement chains. Historically the value had been 0, which happened to work because of a quirk in OpenSSL when Issuer and Subject match on an element in the chain.

Fixed

• Services upgrading from 4.x to 5.x may accidentally change their service's subject name, resulting in cryptographic errors when verifying anything endorsed by the old subject name. The subject name field is now correctly populated and retained across joins, renewals, and disaster recoveries.

6.0.0-dev7

Changed

• ccf::http::get_query_value() now supports bool types with "true" and "false" as values.
• Service certificates and endorsements used for historical receipts now have a pathlen constraint of 1 instead of 0, reflecting the fact that there can be a single intermediate in endorsement chains. Historically the value had been 0, which happened to work because of a quirk in OpenSSL when Issuer and Subject match on an element in the chain.

Fixed

• Services upgrading from 4.x to 5.x may accidentally change their service's subject name, resulting in cryptographic errors when verifying anything endorsed by the old subject name. The subject name field is now correctly populated and retained across joins, renewals, and disaster recoveries.

5.0.9

Added

• Enhanced certificate renewal logging (#6645).

6.0.0-dev6

Added

• Added a ccf::any_cert_auth_policy (C++), or any_cert (JS/TS), implementing TLS client certificate authentication, but without checking for the presence of the certificate in the governance user or member tables. This enables applications wanting to do so to perform user management in application space, using application tables (#6608).
• Added OpenAPI support for std::unordered_set (#6634).
• Added "cose_signatures" entry in the configuration, which allows setting "issuer" and "subject" at network start or recovery time (#6637).

5.0.8

Added

• Added a ccf::any_cert_auth_policy (C++), or any_cert (JS/TS), implementing TLS client certificate authentication, but without checking for the presence of the certificate in the governance user or member tables. This enables applications wanting to do so to perform user management in application space, using application tables (#6608).
• Set VMPL value when creating SNP attestations, and check VMPL value is in guest range when verifiying attestation, since recent updates allow host-initiated attestations (#6583).

6.0.0-dev5

Added

• Updated ccf::cose::edit::set_unprotected_header() API, to allow removing the unprotected header altogether (#6607).
• Updated ccf.cose.verify_receipt() to support checking the claim_digest against a reference value (#6607).