Skip to content

6.0.0
Compare
Choose a tag to compare
@github-actions github-actions released this 28 Mar 21:32
· 16 commits to main since this release
ccf-6.0.0
7b64e99
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Important

CCF 6.0.0 removes support for SGX, and targets Azure Linux 3.0 and SEV-SNP exclusively.

It also adds COSE_Sign1 ledger signatures, to support the generation of COSE receipts. The cose_signatures section of the configuration can be used to set desired issuer and subject values.

Packaging

  • CCF releases now contain two separate RPM packages
  • ccf_{platform}_devel RPM to support building CCF applications (#6904)
  • ccf to support running pre-built CCF applications (#6909)

COSE Signatures

  • Added COSE signatures over the Merkle root to the KV (#6449).
  • Signing is done with service key (unlike raw signatures, which remain unchanged and are still signed by the node key).
  • New signatures reside in public:ccf.internal.cose_signatures
  • COSE signatures set a kid that is a hex-encoded SHA-256 of the DER representation of the key used to produce them (#6703).
  • Provided API for getting COSE signatures and Merkle proofs (#6477).
  • Exposed COSE signature in historical API via TxReceiptImpl.
  • Introduced ccf::describe_merkle_proof_v1(receipt) for Merkle proof construction in CBOR format, described by ccf-tree-alg schema.
  • Added ccf::cose::edit::set_unprotected_header() API, to allow easy injection of proofs in signatures, and of receipts in signed statements (#6586). It also allows removing the unprotected header altogether (#6607).
  • Introduced ccf::describe_cose_endorsements_v1(receipt) for COSE-endorsements chain of previous service identities (#6500).
  • Added ccf::cose::AbstractCOSESignaturesConfig subsystem to expose COSE signature configuration to application handlers (#6707).

Developer API

C++

Added
  • ccf::http::get_query_value() now supports bool types with "true" and "false" as values.
  • Added OpenAPI support for std::unordered_set (#6634).
  • Added a ccf::any_cert_auth_policy (C++), or any_cert (JS/TS), implementing TLS client certificate authentication, but without checking for the presence of the certificate in the governance user or member tables. This enables applications wanting to do so to perform user management in application space, using application tables (#6608).
  • Expose ccf:http::parse_accept_header() and ccf::http::AcceptHeaderField (#6706).
  • OpenSSL helpers in ccf/crypto/openssl/openssl_wrappers.h are now exposed (#6895).
  • Expose AttestationProvider::get_snp_attestation to extract snp attestations from a quote. (#6837)
  • Applications can now extend js_generic (ie - a JS app where JS endpoints are edited by governance transactions), from the public header ccf/js/samples/governance_driven_registry.h. The API for existing JS-programmability apps using DynamicJSEndpointRegistry should be unaffected.
Changed
  • All definitions in CCF's public headers are now under the ccf:: namespace. Any application code which references any of these types directly (notably StartupConfig, http_status, LoggerLevel), they will now need to be prefixed with the ccf:: namespace.
Removed
  • Internal logging macros (LOG_INFO_FMT, LOG_DEBUG_FMT etc) deprecated in 3.0 (#4024), have been removed and can no longer be used by application code. Replace with the CCF_APP_* equivalent (#6908).
  • The function ccf::get_js_plugins() and associated FFI plugin system for JS is removed. Similar functionality should now be implemented through a js::Extension returned from DynamicJSEndpointRegistry::get_extensions().

TypeScript/JavaScript

  • Package build_bundle.ts under npx ccf-build-bundle to allow javascript users to build a ccf schema bundle (#6704).

Python

Other

  • secp256k1 support has been removed as a side-effect of the migration to Azure Linux 3.0 and its crypto provider (#6592).

Authentication

  • Ignore time when resolving did:x509 against x5chain, resolution establishes a point-in-time endorsement, not ongoing validity (#6575).
  • Service certificates and endorsements used for historical receipts now have a pathlen constraint of 1 instead of 0, reflecting the fact that there can be a single intermediate in endorsement chains. Historically the value had been 0, which happened to work because of a quirk in OpenSSL when Issuer and Subject match on an element in the chain.
  • Set VMPL value when creating SNP attestations, and check VMPL value is in guest range when verifiying attestation, since recent updates allow host-initiated attestations (#6583).

Governance

Added

  • Members can now be configured with an explicit recovery_role. Members without an encryption key default to NonParticipant, members with an encryption key set default to Participant and continue to receive a recovery share. A new recovery role Owner allows members to receive a full key, letting them perform a recovery single-handedly. The process and APIs remain identical (#6705).
  • Attestations of new SNP nodes must be from a trusted TCB version higher than the minimum TCB version stored for that CPU model in public:ccf.gov.nodes.snp.tcb_versions. Added set_snp_minimum_tcb_version(cpuid, tcb_version) and remove_snp_minimum_tcb_version(cpuid) governance actions. New networks will automatically populate the TCB version, pre-existing networks must set a TCB version when upgrading. (#6837)
  • Added /gov/service/users and /gov/service/users/{userId} to list or fetch user details (#6118).

Changed

  • When deciding which nodes are allowed to join, only UVM roots of trust defined in public:ccf.gov.nodes.snp.uvm_endorsements are considered (#6489).
  • Nodes in Start and Recovery modes no longer enforce specific UVM descriptors, and will instead derive one from UVM endorsements if found. The consortium must check that the value is acceptable, record their agreement by opening the network (#6869).
  • JWT authentication now supports raw public keys along with certificates (#6601).
  • Public key information ('n' and 'e', or 'x', 'y' and 'crv' fields) now have a priority if defined in JWK set, 'x5c' remains as a backup option.
  • Has same side-effects as #5809 does please see the changelog entry for that change for more details. In short:
  • stale JWKs may be used for JWT validation on older nodes during the upgrade.
  • old tables are not cleaned up, #6222 is tracking those.
  • A deprecated GET /gov/jwt_keys/all has been altered because of #6601, as soon as JWT certificates are no longer stored in CCF. A new "public_key" field has been added, "cert" is now left empty.
  • GET /gov/service/javascript-app now takes an optional ?case=original query argument. When passed, the response will contain the raw original snake_case field names, for direct comparison, rather than the API-standard camelCase projections.

Removed

  • The key_filter or key_policy arguments to set_jwt_issuer have been removed (#6450).

Operations

Added

  • Joining nodes can now request a snapshot from their peers at startup, rather than relying on file access. The joinee's snapshot will be fetched and used if it is more recent than the joiner has access to. This behaviour is enabled by default, but can be disabled via the command.join.fetch_recent_snapshot config option (#6758).
  • In configuration, attestation.snp_endorsements_servers can specify a max_retries_count. If the count has been exhausted without success for all configured servers, the node will shut down (#6478).
  • The read_ledger.py tool now has a --quiet option which avoids printing anything per-transaction, as well as other performance improvements, which should make it more useful in verifying the integrity of large ledgers.
  • Added "cose_signatures" entry in the configuration, which allows setting "issuer" and "subject" at network start or recovery time (#6637).
  • The read-ledger.py tool now has a --recovery argument, which will allow it to parse .recovery files. Previously these were ignored (#6896)

Changed

  • Nodes started in Join mode will shut down if they receive an unrecoverable condition such as StartupSeqnoIsOld or InvalidQuote when attempting to join (#6471, #6489).
  • ccf.ledger/read_ledger.py previously enforced too strict a condition on node membership when validating ledger files (#6849).
  • cchost now requires --config.
  • Don't throw error if the ledger directory exists but is empty on node start (#6885).
  • Removed default value for redirection-kind parameter to start_network script (#6887).

Client API

  • Improved error message when attempting to obtain receipts for a past epoch during a recovery (#6507).
  • Added GET /node/attestations and GET /node/attestations/self, as aliases for the /quote endpoints.

Dependencies

  • CCF now defaults to using libstdc++ rather than libc++, and no longer builds with LTO, to improve compatibility with other C++ libraries.
  • nghttp2 is now picked up from the OS rather than vendored to enable libcurl usage.
  • Misc dependency updates (#6725).

Bug Fixes

  • CA certificate bundles used for JWT refresh and containing more than one certificate are now handled correctly (#6817).
  • Memory leak during EC key creation is fixed (#6845).
  • Fixed thread-safety issues when CCF nodes attempted to contact non-TLS servers. This previously could cause errors when running SNP builds with multiple worker threads (#6836).
  • SNP nodes will no longer crash when run on firmware returning v3 attestations (#6841).
  • Fixed potential races in indexing interfaces and LazyStrategy (#6886).
  • Fixed a bug which could produce an invalid secret chain (containing duplicate ledger secret sealing entries) in the ledger if an election occurred during private recovery (#6926).

Removed

  • verify_quote.sh script (#6919).
Assets 12
Loading