ccf-0.16.1

Added

• C++ endpoints can be omitted from OpenAPI with set_openapi_hidden(true) (#2008).
• JS endpoints can be omitted from OpenAPI if the "openapi_hidden" field in app.json is true (#2008).

Changed

• Error responses of built-in endpoints are now JSON and follow the OData schema (#1919).
• Code ids are now deleted rather than marked as RETIRED. ACTIVE is replaced with the more precise ALLOWED_TO_JOIN (#1996).
• Authentication policies can be specified per-endpoint with add_authentication. Sample policies are implemented which check for a user TLS handshake, a member TLS handshake, a user HTTP signature, a member HTTP signature, and a valid JWT. This allows multiple policies per-endpoints, and decouples auth from frontends - apps can define member-only endpoints (#2010).
• By default, if no authentication policy is specified, endpoints are now unauthenticated and accessible to anyone (previously the default was user TLS handshakes, where the new default is equivalent to set_require_client_identity(false)).
• CCF now depends on Open Enclave 0.13.

Removed

• The methods Endpoint::set_require_client_signature, Endpoint::set_require_client_identity and Endpoint::set_require_jwt_authentication are removed, and should be replaced by calls to add_authentication. For unauthenticated endpoints, either add no policies, or add the built-in empty_auth policy which accepts all requests.
  • .set_require_client_signature(true) must be replaced with .add_authentication(user_signature_auth_policy)
  • .set_require_client_identity(true) must be replaced with .add_authentication(user_cert_auth_policy)
  • .set_require_jwt_authentication(true) must be replaced with .add_authentication(jwt_auth_policy)

0.16.0

Added

• CLI options are printed on every node launch (#1923).
• JS logging sample app is included in CCF package (#1932).
• C++ apps can be built using cmake's find_package(ccf REQUIRED) (see cmake sample) (#1947).

Changed

• JWT signing keys are auto-refreshed immediately when adding a new issuer instead of waiting until the next auto-refresh event is due (#1978).
• Snapshots are only committed when proof of snapshot evidence is committed (#1972).
• Snapshot evidence must be validated before joining/recovering from snapshot (see doc) (#1925).

Fixed

• Ledger index is recovered correctly even if --ledger-dir directory is empty (#1953).
• Memory leak fixes (#1957, #1959, #1974, #1982).
• Consensus fixes (#1977, #1981).
• Enclave schedules messages in a fairer way (#1991).

Security

• Hostname of TLS certificate is checked when auto-refreshing JWT signing keys (#1934).
• Evercrypt update to 0.3.0 (#1967).

ccf-0.15.2

Added

• JWT key auto-refresh (#1908), can be enabled by providing "auto_refresh": true and "ca_cert_name": "..." in set_jwt_issuer proposal.
  • Auto-refresh is currently only supported for providers following the OpenID Connect standard where keys are published under the /.well-known/openid-configuration path of the issuer URL.
  • ca_cert_name refers to a certificate stored with a set_ca_cert proposal and is used to validate the TLS connection to the provider endpoint.
• JWT signature validation (#1912), can be enabled with the require_jwt_authentication endpoint property.

Changed

• Members can no longer vote multiple times on governance proposals (#1743).
• update_ca_cert proposal has been replaced by set_ca_cert/remove_ca_cert (#1917).

Deprecated

• set_js_app proposal and --js-app-script argument are deprecated, and should be replaced by deploy_js_app and --js-app-bundle. See #1895 for an example of converting from the old style (JS embedded in a Lua script) to the new style (app bundle described by app.json).

Removed

• kv::Store::create is removed.
• luageneric is removed.

ccf-0.15.1

Added

• JWT documentation (#1875).
• Member keys in HSM documentation (#1884).

Changed

• /gov/ack/update_state_digest and /gov/ack now only return/accept a hex string (#1873).
• /node/quote schema update (#1885).
• AFT consensus improvements (#1880, #1881).

0.15.0

Added

• Support for non-recovery members: only members with an associated public encryption key are handed recovery shares (#1866).
• AFT consensus verify entry validity (#1864).
• JWT validation in forum sample app (#1867).
• JavaScript endpoints OpenAPI definition is now included in /api (#1874).

Changed

• The keyId field in the Authorization header must now be set to the hex-encoded SHA-256 digest of the corresponding member certificate encoded in PEM format. The scurl.sh script and Python client have been modified accordingly. scurl.sh can be run with DISABLE_CLIENT_AUTH=1 (equivalent disable_client_auth=False argument to Python client) to issue signed requests without session-level client authentication (#1870).
• Governance endpoints no longer require session-level client authentication matching a member identity, the request signature now serves as authentication. The purpose of this change is to facilitate member key storage in systems such as HSMs (#1870).
• Support for hs2019 scheme for HTTP signatures (#1872).
  • ecdsa-sha256 scheme will be deprecated in the next release.

ccf-0.14.3

Added

• Added support for storing JWT public signing keys (#1834).
  • The new proposals set_jwt_issuer, remove_jwt_issuer, and set_jwt_public_signing_keys can be generated with the latest version of the ccf Python package.
  • sandbox.sh has a new --jwt-issuer <json-path> argument to easily bootstrap with an initial set of signing keys using the set_jwt_issuer proposal.
  • See tests/npm-app/src/endpoints/jwt.ts for validating tokens received in the Authorization HTTP header in TypeScript.
  • Includes special support for SGX-attested signing keys as used in MAA.

Changed

• CCF now depends on Open Enclave 0.12 (#1830).
• /app/user_id now takes {"cert": user_cert_as_pem_string} rather than {"cert": user_cert_as_der_list_of_bytes} (#278).
• Members' recovery shares are now encrypted using RSA-OAEP-256 (#1841). This has the following implications:
  • Network's encryption key is no longer output by the first node of a CCF service is no longer required to decrypt recovery shares.
  • The latest version of the submit_recovery_share.sh script should be used.
  • The latest version of the proposal_generator.py should be used (please upgrade the ccf Python package).
• submit_recovery_share.sh script's --rpc-address argument has been removed. The node's address (e.g. https://127.0.0.1:8000) should be used directly as the first argument instead (#1841).
• The constitution's pass function now takes an extra argument: proposer_id, which contains the member_id of the member who submitted the proposal. To adjust for this change, replace tables, calls, votes = ... with tables, calls, votes, proposer_id = ... at the beginning of the pass definition.
• Bundled votes (ie. the ballot entry in POST /proposals) have been removed. Votes can either happen explicitly via POST /proposals/{proposal_id}/votes, or the constitution may choose to pass a proposal without separate votes by examining its contents and its proposer, as illustrated in the operating member constitution sample. The --vote-against flag in proposal_generator.py, has also been removed as a consequence.

Fixed

• Added tools.cmake to the install, which ccf_app.cmake depends on and was missing from the previous release.

Deprecated

• kv::Store::create is deprecated, and will be removed in a future release. It is no longer necessary to create a kv::Map from a Store, it can be constructed locally (kv::Map<K, V> my_map("my_map_name");) or accessed purely by name (auto view = tx.get_view<K, V>("my_map_name");) (#1847).

ccf-0.14.2

Changed

• The start_test_network.sh script has been replaced by sandbox.sh. Users wishing to override the default network config (a single node on '127.0.0.1:8000') must now explictly specify if they should be started locally (eg. -n 'local://127.4.4.5:7000') or on remote machine via password-less ssh (eg. -n 'ssh://10.0.0.1:6000').
• node/quote endpoint now returns a single JSON object containing the node's quote (#1761).
• Calling foreach on a TxView now iterates over the entries which previously existed, ignoring any modifications made by the functor while iterating.

ccf-0.14.1

Added

• /node/memory endpoint exposing the maximum configured heap size, peak and current used sizes.

Changed

• Public tables in the KV must now indicate this in their name (with a public: prefix), and internal tables have been renamed. Any governance or auditing scripts which operate over internal tables must use the new names (eg - ccf.members is now public:ccf.gov.members).
• --member-info on cchost can now take a third, optional file path to a JSON file containing additional member data (#1712).

Removed

• /api/schema endpoints are removed, as the same information is now available in the OpenAPI document at /api.

Deprecated

• Passing the SecurityDomain when creating a KV map is deprecated, and will be removed in a future release. This should be encoded in the table's name, with a public: prefix for public tables.

ccf-0.14.0

Added

• Nodes can recover rapidly from a snapshot, rather than needing to reprocess an entire ledger (#1656)
• Python client code wraps creation and replacement of an entire JS app bundle in a single operation (#1651)
• Snapshots are only usable when the corresponding evidence is committed (#1668).
• JSON data associated to each consortium member to facilitate flexible member roles (#1657).

Changed

• /api endpoints return an OpenAPI document rather than a custom response (#1612, #1664)
• Python ledger types can process individual chunks as well as entire ledger (#1644)
• POST recovery_share/submit endpoint is renamed to POST recovery_share (#1660).

Fixed

• Elections will not allow transactions which were reported as globally committed to be rolled back (#1641)

Deprecated

• lua_generic app is deprecated and will be removed in a future release. Please migrate old Lua apps to JS

ccf-0.13.4

Changed

• Fixed infinite memory growth issue (#1639)
• Step CLI updated to 0.15.2 (#1636)