Releases: microsoft/CCF
Releases · microsoft/CCF
5.0.4
5.0.3
5.0.2
Developer API
C++
RSAKeyPair::sign
andRSAKeyPair::verify
now useRSA-PSS
instead ofRSASSA-PKCS1-v1_5
.- Users can specify
salt_length
(defaulted to0
).
TypeScript/JavaScript
ccfapp.crypto.sign()
andccfapp.crypto.verifySignature()
no longer supportRSASSA-PKCS1-v1_5
, insteadRSA-PSS
has been added.SigningAlgorithm
has been extended with optionalsaltLength
, defaulted to0
if not passed.
Bug Fixes
- The
/tx
endpoint returns more accurate error messages for incorrectly formed transactions ids (#6359).
4.0.20
Base image
- Updated container base image.
5.0.1
5.0.0
In order to upgrade an existing 4.x service to 5.x, CCF must be on the latest 4.x version (at least 4.0.19).
For more information, see our documentation
Important
- 5.0.0 is the last long term support release for Intel SGX. Live code upgrades to AMD SEV-SNP on Confidential Containers on Azure Container Instances and Confidential Containers Azure Kubernetes Service are supported.
- The forwarding of requests between nodes is deprecated in favour of HTTP redirects, and will be removed in 6.0.0.
- Recovery shares created with releases older than 4.0.9 are deprecated, and support will be removed completely in 6.0.0. Ledgers created on older versions must re-share at least once after having upgraded to a release newer than 4.0.9.
- 5.0.0 introduces an Azure-compliant governance REST API, the old API is deprecated, and will be removed in 6.0.0.
- Containers are now published to the GitHub Container Registry. The platform has moved from the tag to the image name, to enable meaningful usage of GitHub attestation, and the tag now matches the git tag used to cut the release. For example, the SGX Development container for this release is ghcr.io/microsoft/ccf/app/dev/sgx:ccf-5.0.0.
Developer API
C++
TypeScript/JavaScript Programmability
- Reusable functionality allowing applications to expose TypeScript/JavaScript-implemented endpoints has been added to the public C++ API. Applications should subclass
ccf::js::DynamicJSEndpointRegistry
to get similar behaviour to the existing JS Generic app, seesamples/app/programmability
for samples usage. - Introduce
DynamicJSEndpointRegistry::record_action_for_audit_v1
andDynamicJSEndpointRegistry::check_action_not_replayed_v1
to allow an application making use of the programmability feature to easily implement auditability, and protect users that make use of signature-based authentication to update the application against replay attacks (#6285). - The
programmability
sample app also demonstrates how applications can define their own extensions, create bindings between C++ and JS state, and allow JS endpoints to call functions implemented in C++.
Redirect
- CCF now supports a mode where HTTP redirect responses are returned, rather than relying on internal forwarding. See docs for description of redirection behaviour and migration instructions.
- Endpoints now support a
ToBackup
redirection strategy, for requests which should never be executed on a primary. These must also be read-only. These are configured similar toToPrimary
endpoints, with ato_backup
object (specifying by-role or statically-addressed targets) in each node's configuration.
Other
- Introduced
ccf::historical::read_only_adapter_v4
andccf::historical::read_write_adapter_v4
. Users can now pass a custom error handler to the adapter to customise RPC responses for internal historical queries errors, which are listed inccf::historical::HistoricalQueryErrorCode
enum. ccf::historical::adapter_v3
is deprecated in favour of_v4
version,ccf::historical::adapter_v2
is removed.- Public namespaces are all under
::ccf
::ds
is now::ccf::ds
::siphash
is now::ccf::siphash
::threading
is now::ccf::threading
, andccf/ds/thread_ids.h
has moved toccf/threading/thread_ids.h
::consensus
is now::ccf::consensus
::tls
is now::ccf::tls
::http
is now::ccf::http
::nonstd
is now::ccf::nonstd
::crypto
is now::ccf::crypto
::kv
is now::ccf::kv
::logger
is now::ccf::logger
::ccfapp
is now::ccf
- There is now a
contains_globally_committed(k)
method onkv::Set<K>
, with the same semantics asget_globally_committed(k)
onkv::Map<K, V>
(#5928). ccf::EnclaveAttestationProvider
has been removed. It is replaced byccf::AttestationProvider
- JWT verifiers are now automatically cached, for increased performance (#5575)
TypeScript/JavaScript
- Added support for reusing JS interpreters, persisting global state. See docs for more detail.
- Added TypeScript
TypedKvSet
andccfapp.typedKv<K>
to facilitate set handling from application code. - Added
ccf.SnpAttestation.verifySnpAttestation()
for TypeScript apps. (#5653) - Removed unused
openenclave.verifyOpenEnclaveEvidence
API from JS/TS. - Added a
ccfapp.checkedJson
converter to the CCF TypeScript package, which will raise errors when given objects which cannot be roundtrip-converted through JSON (currentlyMap
andDate
). There is a slight cost to checking this on each instance duringencode
, so the behaviour is opt-in (not directly replacingccfapp.json
), but it is recommended that most tables update to use this converter. - JS endpoints marked as
"mode": "readonly"
are prevented from writing to the KV. Attempting to callmap.set(k, v)
,map.delete(k)
, ormap.clear()
on any KV table in such an endpoint will now result in an error being thrown (#5921). ccf.crypto.generateEddsaKeyPair
,pubEddsaPemToJwk
andeddsaPemToJwk
now supportx25519
as well ascurve25519
(#5846).- ccf.crypto.unwrapKey() has been added to the JS API (#5792).
- In governance contexts, JS runtimes now only use runtime limits from the public:ccf.gov.js_runtime_options map if they are strictly higher than the defaults (#5730).
- Add HMAC support to JS API. Call with
ccf.crypto.sign({"name": "HMAC", "hash": "SHA-256"}, key, data)
.
Authentication
- Added token.iss claim validation to JWT authentication (#5809). Must-knows:
- Supports both the OpenID requirements and the Entra specification of it.
- All keys fetched after the upgrade will not work against tokens missing the
iss
claim if the issuer has been specified in the .well-known/openid-configuration/. - Due to an internal schema change, networks that are in the process of upgrading to this version may see inconsistent authorization behaviour while the network contains nodes of different versions (depending which node executes the auto-refresh, any nodes on the other version will not use any newly provided keys). We recommend a full upgrade to this version, removing any nodes on prior versions, followed by a key and issuer refresh.
- A future release will remove the old tables entirely. Until then, some redundant state will be retained in the ledger. This is tracked in #6222.
- Authentication policies can now be conjoined (AND) together, in addition to the previous disjoint (OR) behaviour. The new
ccf::AllOfAuthnPolicy
takes a collection of other policies, all of which must be true for this auth policy to pass. In JS, this can be configured in theapp.json
as"authn_policies": [{ "all_of": ["policy_a", "policy_b"] }]
.
Governance
proposalId
is now passed toresolve(proposal, proposerId, votes, proposalId)
, allowing proposals to consider other pending proposals in their resolution process. (#5995)- The current state of an accepted proposal is written to the KV so that it can be accessed in the constitution's
apply(proposal, proposalId)
function (#6114). POST /recovery/members/{memberId}:recover
is now authenticated by COSE Sign1, making it consistent with the otherPOST
endpoints in governance, and avoiding a potential denial of service where un-authenticated and un-authorised clients could submit invalid shares repeatedly. Thesubmit_recovery_share.sh
script has been amended accordingly, and now takes a--member-id-privk
and--member-id-cert
(#5821).- A new versioned governance API is now available, with the
api-version=2024-07-01
query parameter. This will fully replace the previous governance endpoints, which will be removed in a future release. A guide to aid in upgrading from the previous API is available here - New endpoints
GET /gov/service/javascript-modules
andGET /gov/service/javascript-modules/{moduleName}
to retrieve the raw JS code of the currently installed app. Note that the{moduleName}
path parameter will need to be URL-encoded to escape any/
characters (eg -/foo/bar.js
should become%2Ffoo%2Fbar.js
).
Operations
Configuration
- The
cchost
configuration file now includes anidle_connection_timeout
option. This controls how long the node will keep idle connections (for user TLS sessions) before automatically closing them. This may be set tonull
to restore the previous behaviour, where idle connections are never closed. By default connections will be closed after 60s of idle time. - A soft size limit can now be set for the historical store cache in the node configuration:
historical_cache_soft_limit
. T...
5.0.0-rc2
5.0.0-rc1
Added
- The
cchost
configuration file now includes anidle_connection_timeout
option. This controls how long the node will keep idle connections (for user TLS sessions) before automatically closing them. This may be set tonull
to restore the previous behaviour, where idle connections are never closed. By default connections will be closed after 60s of idle time. - New endpoints
GET /gov/service/javascript-modules
andGET /gov/service/javascript-modules/{moduleName}
to retrieve the raw JS code of the currently installed app. Note that the{moduleName}
path parameter will need to be URL-encoded to escape any/
characters (eg -/foo/bar.js
should become%2Ffoo%2Fbar.js
). - New gov API version
2024-07-01
. This is near-identical to2023-06-01-preview
, but additionally offers the newjavascript-modules
endpoints. - Historical cache soft limit now is a node-specific startup parameter.
Changed
- Set LTO on for both debug/release linkages to support linking against CCF libraries if the client code has been built in debug mode.
5.0.0-rc0
Added
- More public namespaces have been moved under
::ccf
::ds
is nowccf::ds
::siphash
is nowccf::siphash
::threading
is nowccf::threading
, andccf/ds/thread_ids.h
has moved toccf/threading/thread_ids.h
::consensus
is nowccf::consensus
::tls
is nowccf::tls
::http
is nowccf::http
::nonstd
is nowccf::nonstd
::crypto
is nowccf::crypto
::kv
is nowccf::kv
::logger
is nowccf::logger
::ccfapp
is now::ccf
- The
programmability
sample app now demonstrates how applications can define their own extensions, creating bindings between C++ and JS state, and allowing JS endpoints to call functions implemented in C++. - Introduce
DynamicJSEndpointRegistry::record_action_for_audit_v1
andDynamicJSEndpointRegistry::check_action_not_replayed_v1
to allow an application making use of the programmability feature to easily implement auditability, and protect users allowed to update the application against replay attacks (#6285). - Endpoints now support a
ToBackup
redirection strategy, for requests which should never be executed on a primary. These must also be read-only. These are configured similar toToPrimary
endpoints, with ato_backup
object (specifying by-role or statically-addressed targets) in each node's configuration. - Introduced
ccf::historical::read_only_adapter_v4
andccf::historical::read_write_adapter_v4
. Users are now capable of passing a custom error handler to the adapter to customise RPC responses for internal historical queries errors, which are listed inccf::historical::HistoricalQueryErrorCode
enum.
Changed
- Updated Open Enclave to 0.19.7.
- Containers are now published to the GitHub Container Registry. The platform has moved from the tag to the image name, to enable meaningful usage of GitHub attestation, and the tag now matches the git tag used to cut the release. For example, the SGX Development container for this release is
ghcr.io/microsoft/ccf/app/dev/sgx:ccf-5.0.0-rc0
.
Deprecated
ccf::historical::adapter_v3
becomes deprecated in favour of_v4
version.
Removed
- Removed the existing metrics endpoint and API (
GET /api/metrics
,get_metrics_v1
). Stats for request execution can instead be gathered by overriding theEndpointRegistry::handle_event_request_completed()
method. - Removed automatic msgpack support from JSON endpoint adapters, and related
include/ccf/serdes.h
file.