5.21.0

[5.21.0] - 2026-04-21

🚀 Features

PKCS#11 Enhancements

• cosmian_pkcs11_verify diagnostic binary: new standalone tool that dynamically loads libcosmian_pkcs11.so via the standard PKCS#11 C API and validates ckms.toml loading and KMS server reachability; enumerates all supported object classes with per-class counts; supports OIDC/JWT bearer-token auth via --token <JWT> or COSMIAN_PKCS11_TOKEN env var
• Oracle TDE wallet migration support: remove CKF_WRITE_PROTECTED from token flags; add CKM_AES_KEY_GEN, CKM_AES_CBC, CKM_AES_CBC_PAD to the supported mechanism list; enables both forward (software → HSM) and reverse (HSM → software) wallet migrations
• Standalone PKCS#11 ZIP package: cosmian_pkcs11_verify, libcosmian_pkcs11.{so,dylib}, and signing key bundled in a signed cross-platform ZIP and published to package.cosmian.com

Web UI

• Formalised connection states: the UI now explicitly handles five states — DEV unrestricted mode, no KMS server reachable, server with no auth, mTLS (certificate) auth, and JWT/OIDC auth (including combined JWT+mTLS)
• No-auth warning banner: displays a clear banner when the KMS is started without authentication
• mTLS login page: shows a clear error when no valid client certificate is provided, instead of silently looping

🔒 Security

• EXT2-1/A04-1: Reduce HTTP payload size limit from 10 GB to 64 MB (PayloadConfig and JsonConfig) to prevent memory exhaustion DoS
• EXT2-2/A03-2: Add recursion depth limit (MAX_TTLV_DEPTH = 64) to TTLV binary parser to prevent stack-overflow DoS via deeply-nested structures
• EXT2-3/A03-3: Add stack-depth limit (MAX_XML_STACK_DEPTH = 64) to TTLV XML deserializer to prevent DoS via deeply-nested XML
• EXT2-4/A04-3: Add MAX_LOCATE_ITEMS = 1000 server-side cap in locate.rs; effective limit is min(client_requested_max, 1000)
• EXT2-5/A04-2: Add rate-limiting middleware (actix-governor) controlled by KMS_RATE_LIMIT_PER_SECOND / rate_limit_per_second; disabled by default
• EXT1-1: Change derive_pbkdf2 and derive_hkdf return types to Zeroizing<Vec<u8>> so derived key bytes are scrubbed from memory on drop
• TTLV OOM guard: Add MAX_TTLV_FIELD_BYTES = 64 MiB per-field length guard to TTLVBytesDeserializer; ByteString, TextString, and BigInteger reject oversized length claims before any allocation
• A01-1/A05-1: Replace Cors::permissive() on the main KMIP scope with Cors::default() restricted to cors_allowed_origins; add cors_allowed_origins config field (env KMS_CORS_ALLOWED_ORIGINS)
• A07-1: Reject symmetric JWT algorithms (HS256/HS384/HS512) via an explicit asymmetric-only allowlist; explicitly pin validation.algorithms to prevent confusion attacks
• A07-2: Replace plain == API-token comparison with constant-time subtle::ConstantTimeEq to eliminate timing side-channel
• A07-4: Change session cookie SameSite attribute from None to Strict to prevent CSRF attacks
• A07-5: Add validate_jwks_uris_are_https() startup guard; any non-HTTPS JWKS URI causes the server to refuse to start (gated behind #[cfg(not(feature = "insecure"))])
• A08-2: Emit a startup warn! when ui_session_salt is not configured
• A09-1: Mask database URL passwords in MainDBConfig::Display using a URL-parser-based mask_db_url_password() helper
• A09-2: Replace dot-only TLS P12 password masking with a proper [****] redaction
• A09-3: Change debug! to warn! for all 401-unauthorized paths in jwt_token_auth.rs
• A10-2/A10-3: Build reqwest HTTP client with redirect::Policy::none() in the JWKS fetcher and UI OAuth token exchange to prevent SSRF via crafted redirects
• SSDF PW.5.1: Add [[bans.features]] entry in deny.toml banning serde_json::unbounded_depth

🐛 Bug Fixes

Server / Auth

• Stale session cookie warnings: session cookie key is now derived deterministically from the public URL instead of being regenerated randomly each start; configure ui_session_salt for multi-instance deployments
• Header crash on partial server-info response: guard serverInfo?.hsm before accessing hsm.configured

Web UI

• E2E test race condition: fixed non-deterministic sitemap test failures caused by the initial render briefly showing the error page before auth resolved
• Dev setup login crash: fixed a crash in the dev setup OAuth flow despite valid credentials
• OAuth/OIDC: multiple fixes to the OAuth interface, mostly dev-only scenarios; removed misleading "JWT is enabled" message

Logging / Startup

• HttpConfig::Display: no longer hardcodes http://; a new scheme() helper returns the correct scheme based on TLS config; ClapConfig::Debug now logs the correct https:// or http:// URL

📚 Documentation

Oracle TDE / PKCS#11

• Rewrite Mode 1 and Mode 2 architecture diagrams (Mermaid); expand "HSM Identity and Authentication" section clarifying libcosmian_pkcs11.so proxy role; add environment variable reference table; add "OIDC / JWT Keystore Authentication" section; add "Wallet Migration" section covering forward and reverse migrations

Web UI

• configuration/ui.md: document the five UI connection states and the Certificate Authentication (mTLS) setup

🧪 Testing

• PKCS#11: add integration tests test_pkcs11_oidc_login_full_sequence, test_pkcs11_migrate_software_to_hsm, and test_pkcs11_reverse_migrate_hsm_to_software (non-fips)
• KMIP wire edge cases: 25 binary wire tests (W1–W25), 3 TTLV OOM-guard tests (W26–W28), and 18 XML edge-case tests (X1–X18)
• Security regression tests: JWT algorithm allowlist (A1–A6), CORS no-wildcard policy (C1–C3), privilege bypass (PB1–PB4), KMIP batch abuse (B1–B5), JWKS SSRF (SR1–SR2), DB URL masking (N1–N5), JWKS HTTPS startup guard (J1–J4)
• CLI adversarial payloads: 15 wire-payload tests (S1–S15) — empty, truncated, garbage, deeply-nested TTLV, malformed JSON, 1 MB random binary
• HSM: fix flaky SIGSEGV in test_hsm_*_all by sharing a single BaseHsm and Arc<SlotManager> instance per test run instead of repeated C_Initialize/C_Finalize/dlopen/dlclose cycles

🔄 Refactor

• Move CLI crates to crate/clients/ subdirectory; flatten kms/ subdirectory under actions and tests; rename cosmian_kms_cli → cosmian_kms_cli_actions

🔧 CI

• Automated release workflow (release.yml): new workflow_dispatch workflow that fully automates the release flow — creates the release/<version> branch, bumps all versions via release.sh --ci, regenerates the CBOM, updates Nix vendor hashes, triggers packaging, retrieves SBOMs, pushes the annotated tag, and performs git-flow finalisation
• PKCS#11 build fix: add explicit cargo build -p cosmian_pkcs11 --features non-fips step before workspace lib tests in main_base.yml, cargo_test.ps1, and common.sh so libcosmian_pkcs11.{so,dylib,dll} exists at test time
• Oracle TDE CI: fix migration test order (reverse before forward), handle ORA-28354 (wallet already open) as non-fatal, remove WITH BACKUP from SW→HSM migration to avoid ORA-46623
• Pin pnpm to 10.17.1 across all CI environments (ui/package.json, test_ui.sh, build_ui.sh, test_wasm.sh, test_windows.yml) to prevent ERR_PNPM_LOCKFILE_CONFIG_MISMATCH
• Windows test_ui.ps1: fix KMS log file paths, add --frozen-lockfile to pnpm install, fix PowerShell 7+ readiness check (Invoke-WebRequest exception handling)
• pkcs11-zip added to default Linux package types in nix.sh so ZIP artifacts are built and published correctly
• Update macOS Nix CLI vendor hash files (cli.vendor.*.darwin.sha256) after PKCS#11 loader dependency additions

5.20.1

Release 5.20.1

5.20.0

[5.20.0] - 2026-04-03

🚀 Features

Support Veeam Backup via KMIP 1.x Protocol

• KmipUnexpectedTagException when Veeam Backup decodes a Get response for an asymmetric key: Cosmian KMS was embedding all object-metadata attributes (including Link, UniqueIdentifier, State, Name, etc.) inside the KeyValue structure of the returned key object. KMIP 1.x clients such as Veeam Backup do not expect these non-cryptographic attributes inside KeyValue and fail with Unexpected Tag 66, expected Attribute. Fixed by stripping all embedded KeyValue attributes for PublicKey and PrivateKey objects in KMIP 1.x Get responses (perform_response_tweaks in routes/kmip.rs). Cryptographic metadata (algorithm, length) is still exposed at the KeyBlock level.

📚 Documentation

• Fix CLI authentication docs: correct wrong field names (ssl_client_pem_cert_path / ssl_client_pkcs12_path → tls_client_*), add dedicated bearer/access-token section, and link each TOML example to the corresponding test_data/configs/client/*.toml reference file in cli_documentation/docs/authentication.md (#895)
• Reorganize storage integration docs: move vcenter.md, synology_dsm.md, veeam.md, openssh.md, pykmip.md, smime.md, user_defined_function_for_pyspark_databricks_in_python/, and disk_encryption/ from documentation/docs/integrations/ root into the dedicated documentation/docs/integrations/storage/ subfolder; update mkdocs.yml, README.md, documentation/docs/index.md, and CLAUDE.md accordingly (#874)
• Align README.md with documentation/docs
• Fix refactor and dead links (#898)

🐛 Bug Fixes

KMIP Socket Server

• TLS session resumption failure with mTLS clients: the TCP socket server (cosmian_kms_server::socket_server) was missing a call to SSL_CTX_set_session_id_context. When client certificate verification (SSL_VERIFY_PEER) is enabled alongside the default TLS session cache, OpenSSL requires a session ID context to be set; without it any session-resumption attempt aborts with error:0A000115:SSL routines:ssl_get_prev_session:session id context uninitialized. Fixed by calling builder.set_session_id_context(b"cosmian_kms_socket") in create_openssl_acceptor before building the acceptor.

⚙️ Miscellaneous Tasks

• Refactoring + deduplicate of the UI codebase (#737)

5.19.0

[5.19.0] - 2026-04-01

🚀 Features

• PostgreSQL HA cluster support with multi-host URLs (#818)

OpenSSH PKCS#11 Support

• Reliable key material refresh: fixed ObjectsStore::upsert() replacement logic so placeholder objects are properly updated with fetched key bytes, preventing CKR_GENERAL_ERROR during OpenSSH key enumeration.
• Correct public-key decoding paths: fixed RSA/EC public key extraction to use SPKI BIT STRING payload bytes and refactored conversion through try_from_spki, including correct EC OID handling.
• PKCS#11-compliant EC point export: encoded CKA_EC_POINT as DER OCTET STRING (PKCS#11 v2.40), enabling OpenSSH/OpenSSL parsing compatibility.
• Safer attribute exposure for mixed key types: guarded RSA-only attributes (CKA_MODULUS, CKA_PUBLIC_EXPONENT) behind is_rsa() checks to avoid non-RSA lookup failures.
• Provider runtime and API hardening: migrated provider internals to lock-free/shared primitives (OnceLock, shared runtime, LazyKeyMaterial) and reduced cloning/boilerplate (remote_id() -> &str, macro-based trait impls),
• improving stability and performance under OpenSSH PKCS#11 usage patterns.

Web UI Enhancements - Sync UI with ckms

• UI: Add DeriveKey page — derive a symmetric key from an existing key or password using PBKDF2/HKDF, with full WASM binding (derive_key_ttlv_request, parse_derive_key_ttlv_response).
• UI: Add /server-info endpoint exposing KMS version, FIPS mode, and HSM status; display HSM info in the UI header.
• UI: Add --no-ui / KMS_UI_ENABLE=false server flag to disable the built-in web interface at runtime.
• UI: Regroup Azure, AWS, and Google CSE menu entries under a "Hyperscalers" group; add icons to all sidebar categories.
• UI: Hide PQC, MAC, and Covercrypt menu entries when the server is running in FIPS mode.

🐛 Bug Fixes

JWT authentication

• Fix server worker panic on the first JWT-authenticated request: jsonwebtoken 10.x requires
  an explicit crypto-backend feature (rust_crypto or aws_lc_rs); added rust_crypto to both
  the workspace and CLI jsonwebtoken dependencies
• Fix 401 No authentication provided when the JWT token carries an aud claim but the server
  has no expected audience configured: jsonwebtoken 10.x now rejects such tokens with
  InvalidAudience unless validate_aud is explicitly disabled; the server's JWT validation now
  sets validate_aud = false when no audience restriction is configured

Server Security and Configuration

• TLS auth (#811): Reject client certificates whose CN is empty or *; prevents wildcard spoofing attacks.
• HSM config (#695): Expose KMS_HSM_PASSWORD and KMS_HSM_SLOT environment variables for --hsm-password / --hsm-slot server options so HSM credentials can be injected without config-file edits.

CLI Operations

• CLI destroy type-safety (#763): ckms {sym,rsa,ec,pqc,cc} keys destroy now performs a GetAttributes pre-flight check and rejects attempts to destroy a key of the wrong type with a clear error message.

HSM Operations

• Server-side HSM destroy type guard (#763): When Destroy.expected_object_type is set and the target UID belongs to an HSM object (prefix hsm::), the server performs a PKCS#11 attribute roundtrip to retrieve the actual key type and
• rejects the destroy with Invalid_Object_Type if the types do not match (e.g. attempting to destroy an AES key via rsa keys destroy). (#763)
• HSM destroy type-guard test assertion (#763): Fixed send_message test helper in HSM tests to include result_reason in the error string so that Invalid_Object_Type is surfaced when the destroy-type guard fires;
  the assertion now reliably matches the KMIP ErrorReason. (#763)

Web UI

• UI no-auth mode (#739): The web UI create / import buttons are now enabled immediately in no-auth mode (AuthMethod::None); previously the async sequencing called the permissions API before the auth method was resolved,
  causing buttons to stay disabled.

🔧 CI

• CI: All test scripts that start the KMS server are now protected against a system-level /etc/cosmian/kms.toml; test_hsm_softhsm2.sh, test_hsm_utimaco.sh, and test_hsm_proteccio.sh write a temporary config file and
  pass --config explicitly so the server never falls back to the default path. common.sh now warns early when the default config file is found on the host. (#810)

SBOM Generation

• Fix sbomnix version and arguments: The global nixpkgs pin ships an older sbomnix that does not support --impure or --include-vulns, causing "unrecognized arguments" errors in CI.
  Pinned sbomnix to v1.7.4 via its own GitHub flake (github:tiiuae/sbomnix/v1.7.4) — independent of the nixpkgs pin — so the supported flags are guaranteed. Restored --impure --include-vulns on all three sbomnix invocations,
  moved NIX_CONFIG=nix-command flakes export to script start (needed for nix run), and removed the now-unnecessary dedup_cves.py post-processing step.

📚 Documentation

• Docs: Reintegrate PKCS#11 pages from cli_documentation/docs/pkcs11 into main docs under documentation/docs/integrations, grouping database integrations in integrations/databases, disk encryption in integrations/disk_encryption,
  and adding an OpenSSH integration entry.

KMIP Wrapping Documentation

• CKM_RSA_AES_KEY_WRAP invocation (#688): Document that this scheme is selected by pairing CryptographicAlgorithm::RSA with PaddingMethod::None; explains the counter-intuitive routing (None ≠ unpadded RSA), adds a KMIP JSON TTLV example,
  and adds a routing table. Fix broken ../algorithms.md links in _export.md and _import.md.

Benchmarking and CI Documentation

• Benchmarks CI (#776): benchmarks.sh now builds the KMS server + ckms CLI, starts a temporary SQLite KMS instance, and runs ckms bench --speed sanity --format json as an end-to-end smoke test;
  supports BENCH_SAVE_BASELINE / BENCH_LOAD_BASELINE env vars for criterion regression comparisons on a dedicated machine.
• Benchmark regression workflow (#776): New benchmark_regression.sh script and benchmark.yml GitHub Actions workflow provide automated performance regression detection.
  The script downloads the reference benchmarks.json from package.cosmian.com, runs benchmarks on the current branch, and fails if the average global regression exceeds a configurable threshold (default 10%).
  The workflow runs on a self-hosted runner (for stable timings) on a weekly schedule and on demand. (#776)

🔄 Refactor

Script Infrastructure Reorganization

• Script reorganization: Reorganized 76 scripts from the flat .github/scripts/, nix/scripts/, and scripts/ directories into logical subdirectories under
  .github/scripts/: test/, build/, package/, release/, benchmarks/, pykmip/, sbom/, docs/, demo/, windows/, shared/. All cross-references in nix.sh, workflow YAMLs, and the scripts themselves have been updated.
  Added shared/colors.sh for shared terminal color helpers and benchmarks/docker_helpers.sh for shared Docker benchmark utilities.
• ckms: Renamed TLS-related CLI parameters and environment variables from ssl_xxx to tls_xxx (e.g. --ssl-client-pkcs12-path → --tls-client-pkcs12-path, KMS_SSL_CLIENT_PKCS12_PATH → KMS_TLS_CLIENT_PKCS12_PATH).
  Update any scripts or config files that reference the old ssl_ prefix.

⚙️ Build

• (deps) Bump sigstore/cosign-installer from 4.1.0 to 4.1.1 (#832)
• (deps) Bump picomatch (#831)
• (deps) Bump brace-expansion (#833)
• (deps) Bump brace-expansion (#836)
• (deps) Bump crazy-max/ghaction-dump-context from 2 to 3 (#865)
• (deps) Bump actions/checkout from 4 to 6 (#872)
• (deps) Bump actions/upload-artifact from 4 to 7 (#873)

5.18.0

[5.18.0] - 2026-03-25

🚀 Features

Post-Quantum Cryptography (ML-KEM + ML-DSA + SLH-DSA) (#787)

Full support for NIST post-quantum algorithms via OpenSSL 3.x default provider
(non-FIPS builds only):

• ML-KEM (Key Encapsulation Mechanism): ML-KEM-512, ML-KEM-768, ML-KEM-1024 — key pair
  creation, encapsulation, and decapsulation via KMIP Encrypt/Decrypt operations
• ML-DSA (Digital Signature Algorithm): ML-DSA-44, ML-DSA-65, ML-DSA-87 — key pair
  creation, signing, and verification via KMIP Sign/SignatureVerify operations
• SLH-DSA (Supersingular Isogeny-based Hash-based DSA): SLH-DSA-SHA2-128s, SLH-DSA-SHA2-192s,
  SLH-DSA-SHA2-256s — key pair creation, signing, and verification via KMIP Sign/SignatureVerify
  operations
• New KMIP enumeration values for all six PQC algorithms
• Server dispatch for PQC key creation, encrypt/decrypt (KEM), and sign/verify
• CLI actions: ckms pqc keys create, ckms pqc encapsulate, ckms pqc decapsulate,
  ckms pqc sign, ckms pqc verify
• WASM bindings: create_pqc_key_pair_ttlv_request(), get_pqc_algorithms()
• Web UI pages: PQC key creation, ML-KEM encapsulate/decapsulate, ML-DSA sign/verify
• Playwright E2E tests for all PQC UI flows
• CLI integration tests for ML-KEM and ML-DSA roundtrips

Configurable Hybrid KEM merged into PQC (#787)

• Merged the standalone ckms kem subcommand into ckms pqc — the four hybridized KEM
  algorithms (ml-kem-512-p256, ml-kem-768-p256, ml-kem-512-curve25519, ml-kem-768-curve25519)
  are now created, encapsulated, and decapsulated through the standard PQC workflow
• Auto-detection in encapsulate response handles both PQC and ConfigurableKEM response formats
• WASM bindings updated with the 4 hybrid algorithms
• UI branding supports hiddenPqcAlgorithms to hide specific algorithms from the PQC dropdown
• CLI and ckms integration tests added for configurable hybrid KEM roundtrips

Support of AWS Bring Your Own Key (BYOK) (#681)

• Introduce 2 CLI actions for AWS BYOK
• Add scripts that automate the AWS BYOK flow, available to download with the documentation

Oracle TDE HSM integration on Windows (#794)

• New PowerShell scripts test_oracle_tde.ps1 and set_hsm.ps1 install cosmian_pkcs11.dll
  and run a full end-to-end Oracle TDE test on a native Windows Oracle installation (no Docker)
• Workarounds for two Oracle 26ai Windows bugs: DLL placed at C:\opt\oracle\extapi\64\pkcs11\
  (drive-relative Linux path) and TDE parameters injected via plain PFILE to bypass the
  ALTER SYSTEM SET pkcs11_library_location validator that rejects Windows paths

HSM multi-admin support with wildcard (#801)

hsm_admin is now a list of KMS usernames with HSM admin privileges. Use ["*"] to grant all
authenticated users access to all HSM operations. TOML: hsm_admin = ["alice", "bob"];
CLI: --hsm-admin alice --hsm-admin bob; env: KMS_HSM_ADMIN=alice,bob.

Migration to jsonwebtoken crate for JWT validation (#790)

JWT validation: complete migration from alcoholic_jwt to jsonwebtoken in server middleware,
adding support for multiple algorithms (RS256, ES256, ...).
Update the documentation, Google CSE routes, and OIDC UI auth flow; updated Google CSE tests accordingly.

HMAC-SHA-1 and HMAC-SHA-224 Support (#786) (#797)

NIST SP 800-131A Rev. 2 Table 7 classifies HMAC-SHA-1 and HMAC-SHA-224 as
Acceptable algorithms. The KMS server previously blocked them via the
algorithm policy layer. They are now fully supported.

Synology DSM NAS Volume Encryption Integration

Cosmian KMS is now validated against Synology DSM 7.x KMIP-based volume
encryption. A Python simulation client (scripts/synology_dsm_client.py)
replays the exact KMIP operation sequence performed by DSM when it configures
an external KMS server, and a corresponding CI job (synology_dsm) is added
to the test matrix so regressions are caught automatically:

• Simulates all 10 DSM KMIP steps: DiscoverVersions → Query → Create (AES-256) → Activate → GetAttributes → ModifyAttribute → Get → Locate → Revoke → Destroy

• New documentation page documentation/docs/synology_dsm.md covering server
  setup, DSM configuration, and automated CI testing

• README.md updated with Synology DSM in the disk encryption compatibility table

• Synology DSM simulation (PyKMIP): fix ModifyAttribute step after issue #820 server fix:
  KMIPProxy.send_request_payload() returns the response payload object on success (not a batch
  item), so the returned object has no result_status field. Calling _check_result() on it
  always returned False, causing spurious cleanup (Destroy) even when the server returned
  SUCCESS. Fix: drop the _check_result call — send_request_payload raises
  OperationFailure on server errors; reaching the success path without an exception is sufficient.
  Also fixed test_pykmip.sh set -e preventing simulation output from being visible when the
  script fails. Fixes CI failure for Test on pykmip - non-fips. (#799)

• OperationPolicyName round-trip preservation (issue #796): KMIP 1.x clients (e.g. Synology
  DSM 7.2.2) include the OperationPolicyName attribute in Register/Create requests per the KMIP
  1.0 spec section 3.18. This attribute was deprecated in KMIP 1.3 and removed in KMIP 2.0+. The
  server now emits a WARN log entry (useful for tracing legacy clients in server logs) and
  preserves the value internally as a vendor attribute (KMIP1 / __Operation Policy Name__) so
  that a subsequent GetAttributes request for "Operation Policy Name" from the same KMIP 1.x
  client returns the expected value. Additionally, the server correctly ignores OperationPolicyName
  when sent via AddAttribute to avoid creating a duplicate entry on top of the one already stored
  during Create/Register.
  Fixes (#796)

• KMIP 1.x → 2.1 attribute conversion fixes: Several KMIP 1.x attributes were incorrectly
  lost or corrupted during the KMIP 1.x → 2.1 internal conversion:

  • X509CertificateIdentifier, X509CertificateIssuer, X509CertificateSubject, Digest,
    and Pkcs12FriendlyName all exist in KMIP 2.1 but were being dropped with a WARN in the
    bulk conversion path (Create/Register), and mapped to a garbage Comment attribute in the
    single-attribute path (AddAttribute/SetAttribute). They are now correctly mapped to their
    KMIP 2.1 equivalents in both paths.
  • CertificateIdentifier, CertificateIssuer, and CertificateSubject (the non-X509 variants
    removed in KMIP 2.0+) are now preserved as VendorAttribute(KMIP1, ...) in both paths
    instead of being silently dropped, and are decoded back to their KMIP 1.4 types when a KMIP
    1.x client retrieves them via GetAttributes.
  • StorageStatusMask in the single-attribute path no longer corrupts the Comment attribute
    slot; it is preserved as a VendorAttribute with a WARN. (#799)

• TransparentECPrivateKey/TransparentECPublicKey → KMIP 1.4 conversion: The
  TryFrom<kmip_2_1::KeyFormatType> for kmip_1_4::KeyFormatType conversion previously returned
  an error for these key format types even though KMIP 1.4 defines them with the same numeric
  values (0x14/0x15). They are now correctly converted, enabling KMIP 1.4 clients to retrieve
  EC keys whose format was stored internally by the server using the KMIP 2.1 canonical type. (#799)

• ModifyAttribute: Fully implement ModifyAttribute operation — attribute changes are now persisted
  and ACL checks enforced; setting ActivationDate to a past/present date on a Pre-Active object
  now correctly transitions it to Active (KMIP spec §3.22). Fixes an incompatibility with Synology
  DSM (#760) (#788)

• Name attribute stored as VendorExtension instead of standard KMIP attribute: Setting the Name
  attribute via the CLI (ckms attributes set --name <value>) or the web UI now correctly stores it
  as the standard KMIP Name attribute instead of a VendorAttribute (hex-encoded bytes inside
  VendorExtension). Fixes (#746) (#795)

KMIP 1.0 XML Non-Regression Test Vectors (#799)

All 84 official OASIS KMIP 1.0 XML conformance test vectors are now parsed and
validated as part of the test suite:

• mandatory/ – 57 files (19 unique test cases × 3 minor-version variants):
  SKLC-M-1..3 (symmetric key lifecycle), SKFF-M-1..12 (symmetric key
  foundry/factory), AKLC-M-1..3 (asymmetric key lifecycle), OMOS-M-1
  (opaque managed object store)
• optional/ – 27 files (9 unique test cases × 3 minor-version variants):
  SKLC-O-1, SKFF-O-1..6, AKLC-O-1, OMOS-O-1

As a side effect, the XML deserializer now correctly maps the SKIPJACK
enumeration token (0x0000_0018) used by SKFF-O-1..3, fixing a
previously-unknown parse error for those optional vectors.

Microsoft SQL Server External Key Management (EKM) (#809)

• Microsoft SQL Server EKM is now available via a Windows DLL provider that forwards key operations to the Cosmian KMS over mutual TLS.

###...

5.17.0

[5.17.0] - 2026-03-13

🚀 Features

AWS External Key Store (XKS) v2

Cosmian KMS can now act as an AWS XKS proxy (#644),
enabling transparent integration with AWS KMS External Key Store:

• Implements the full XKS Proxy API — a single endpoint that gives AWS KMS live-proxy coverage
  for all XKS-capable services (S3, EBS, RDS, DynamoDB, Secrets Manager, and more)
• AWS SigV4 request authentication middleware
• XKS endpoints: health status, key metadata retrieval, encrypt, decrypt
• New --xks-* server configuration flags
• New documentation/docs/aws/xks.md guide

Azure External Key Manager (EKM) v0.1-preview

Cosmian KMS now implements the Azure EKM proxy API v0.1-preview
(#601):

• Endpoints: info, key metadata, Wrap, Unwrap — faithful to the Azure EKM specification
• mTLS (mutual TLS) authentication
• New --azure-ekm-* server configuration flags
• Flexible versioning structure for future API versions
• New documentation/docs/azure/ekm/ekm.md guide

CLI (ckms) moved into this repository

The cosmian CLI (previously maintained in a separate cli repository) is now co-located
in this repository under crate/clients/ckms/:

• The ckms binary and its full test suite are now built and tested from this repo
• CLI documentation moved into cli_documentation/ with its own MkDocs configuration
• Findex server references removed from the CLI documentation and configuration examples
• Nix packaging extended: nix/cli.nix and nix/common.nix added for building and
  distributing the CLI as a standalone DEB, RPM, and DMG package
• Hardcoded system tag strings (e.g. "_sk", "_pk") replaced with SYSTEM_TAG_*
  constants from cosmian_kmip::kmip_2_1::extra::tagging
• WASM and UI test scripts hardened against pnpm major-version mismatches between the
  system pnpm and the nix-shell pnpm
• add --header/-H flag and custom_headers config option to forward arbitrary HTTP headers with every request, enabling use behind zero-trust proxies such as Cloudflare Access (#138)

HSM signing via Crypto Oracles

• KMIP Sign operation is now delegated to HSM Crypto Oracles via PKCS#11 C_SignInit/C_Sign (#771)

White labeling

• The vendor identification string used in KMIP VendorAttribute operations is now
  configurable via --vendor-identification (env: KMS_VENDOR_IDENTIFICATION, default:
  "cosmian"); reported back by QueryServerInformation responses (#758)
• The WASM module exposes set_vendor_id(id) and query_server_information_ttlv_request()
  so the UI can synchronize its vendor ID with the server at startup
• New loginCardColor field in branding.json to control the login card background color
• New blank starter theme at ui/public/themes/blank/ with SVG placeholder assets

Server configure wizard

• New cosmian_kms configure interactive wizard to generate a server configuration file (kms.toml) and self-signed TLS certificates from the command line

🐛 Bug Fixes

• Signing key: Fix corrupted GPG public key (cosmian-kms-public.asc) that caused CRC
  errors on import with GnuPG (#785)
• CI: Fix GCP CMEK FIPS test timeout — strip LD_PRELOAD/LD_LIBRARY_PATH from curl
  in wait_for_kms to prevent the FIPS bootstrap shim from breaking HTTP probes
• (ui) Add Content-Security-Policy against clickjacking attack (#768)
• Unwrap cache: internalize fingerprint check and seed SipHash (#778)
• Fail KMIP operation when multiple keys are found to process the operation (#771)
• Systemd mitigations (#711)
• CLI: ckms is now installed to /usr/local/bin/ instead of /usr/sbin/, making it accessible to non-root users without requiring elevated privileges (cli#136)
• CLI: FIPS-compliant CLI builds are now published alongside non-FIPS builds (cli#134)
• Security: KMIP Import with replace_existing=true now verifies the caller owns the
  existing object before overwriting it (#644)
• Packaging: DEB and RPM removal scripts now clean up /usr/sbin/cosmian_kms and
  /usr/local/cosmian/ on uninstall
• macOS build: retry loop in nix/scripts/package_dmg.sh handles intermittent
  hdiutil: create failed - Resource busy CI errors
• KMIP Encrypt and Sign now fail with a clear error when multiple eligible keys match the identifier, preventing silent key substitution (#771)

⚙️ Build

• Linux packages: README now installed as README.md (was README — not rendered as
  markdown by package managers)
• pnpm version pinned to 10 in build_ui.sh
• CI: mirror nixpkgs archives on package.cosmian.com with GitHub fallback to avoid 502 errors
• (deps) Bump actions/upload-artifact from 6 to 7 (#740)
• (deps) Bump actions/download-artifact from 7 to 8 (#741)
• (deps) Bump crazy-max/ghaction-import-gpg from 6 to 7 (#747)
• (deps) Bump actions/setup-node from 4 to 6 (#755)
• (deps) Bump actions/upload-artifact from 4 to 7 (#756)
• (deps) Bump docker/login-action from 3 to 4 (#759)
• (deps) Bump docker/metadata-action from 5 to 6 (#765)
• (deps) Bump docker/setup-buildx-action from 3 to 4 (#766)
• (deps) Bump sigstore/cosign-installer from 4.0.0 to 4.1.0 (#774)

🧪 Testing

• Add End-to-End (E2E) tests on UI (in browser-tests) (#736)
• Re-enable hsm Proteccio tests (#781)

🔒 Security

• UI ajv updated 6.12.6 → 6.14.0 (vulnerability fix)
• UI minimatch overridden to >=10.2.1 (ReDoS CVE)
• Rustlru 0.14.0 (transitive via mysql_async 0.36.1): RUSTSEC-2026-0002 acknowledged in
  deny.toml — no upstream fix available yet; severity low (CVSS 2.7)

📚 Documentation

• New openssl_override.md: how to point Cosmian KMS to a custom OpenSSL build using a
  systemd drop-in override
• New Azure EKM guide (documentation/docs/azure/ekm/ekm.md)
• New AWS XKS guide (documentation/docs/aws/xks.md)
• HSM operations: added pkcs11-tool key creation examples and label uniqueness constraint warning
• UI branding: loginCardColor field reference and blank theme usage
• README: new 🔗 Integrations section covering cloud providers (AWS/Azure/GCP), databases, and HSMs
• Add HAProxy+KeepAlived example

5.16.2

[5.16.2] - 2026-02-22

🐛 Bug Fixes

• [OpenTelemetry] Deduplicate OpenTelemetry export metric (Revoke and Destroy operations) (#717)
• Debug impl of ServerParams was misleading a algorithms restriction (#719)
• Fix non-FIPS openssl.cnf provider configuration: the FIPS provider was incorrectly
  activated in non-FIPS builds via nix/openssl.nix that now generates
  distinct provider configurations per build variant: FIPS builds use fips+base, non-FIPS
  builds use default+legacy+base.

⚙️ Build

• Refactor OpenSSL provider management into a dedicated openssl_providers module in
  crate/server/src/, consolidating safe_openssl_version_info(), init_openssl_providers()
  (production), and init_openssl_providers_for_tests() (test environments) into a single place.
• Improve determinism of nix/openssl.nix OpenSSL builds:
  • Patch ENGINESDIR/MODULESDIR in the generated Makefile to fixed
    /usr/local/cosmian/lib/... paths, preventing Nix store path embedding in compiled
    libcrypto strings.
  • Set SOURCE_DATE_EPOCH=1 and ZERO_AR_DATE=1 in build and install phases.
  • Normalize all output file timestamps with find $out -exec touch --date=@1 {} +.
• Non-FIPS Nix Linux builds are now bit-for-bit reproducible (nix-build --check passes for all four Linux variants: FIPS/non-FIPS × static/dynamic OpenSSL):
  • Removed ${toString ../.} from RUSTFLAGS -C remap-path-prefix — it embedded the machine-specific workspace path into the derivation, causing cross-machine hash divergence.
  • Added -C strip=symbols and -C symbol-mangling-version=v0 to strip residual host-path artefacts from symbol tables.
  • Scrub the Nix-store path from OpenSSL's buildinf.h at build time so the OpenSSL derivation hash is identical across machines.
• Pin all builtins.fetchTarball calls in default.nix with explicit sha256 hashes (nixpkgs 24.11, rust-overlay, nixpkgs 22.05) — eliminates Nix-version-sensitive evaluation impurity and removes the NIXPKGS_GLIBC_234_URL environment variable override.
• Non-FIPS Docker image now ships OpenSSL 3.6.0 provider modules (legacy.so, openssl.cnf) and sets OPENSSL_CONF/OPENSSL_MODULES environment variables, matching the FIPS image layout.
• macOS packaging fixes in nix/scripts/package_dmg.sh and related CI scripts.
• (deps) Bump keccak in the cargo group across 1 directory (#728)

📚 Documentation

• Add mTLS database configuration examples (#727)

🧪 Testing

• Add React and WASM tests (#708)

5.16.1

[5.16.1] - 2026-02-15

🐛 Bug Fixes

• Add MLKEM algorithms to the predefined DEFAULT KMIP policy

5.16.0

[5.16.0] - 2026-02-04

🚀 Features

• Add PQC hybridized KEM support via cosmian_cover_crypt:
  • The Cosmian KMS supports Post-Quantum Cryptography (PQC) hybridized Key Encapsulation Mechanisms (KEM)
    via the cosmian_cover_crypt crate. This crate provides
    a configurable KEM framework that can operate in pure classical, pure post-quantum, or hybrid mode
    by combining a pre-quantum KEM with a post-quantum KEM through a KEM combiner (using SHA-256).
  • Server supports CreateKeyPair for Configurable-KEM and Encrypt/Decrypt encapsulation/decapsulation flows.
• Add server-side KMIP algorithm policy allowlists (enforcement via kmip.policy_id and [kmip.allowlists]) #700
  • kmip.policy_id selects a policy (case-insensitive):
    • DEFAULT: built-in conservative allowlists (e.g., SHA-2/3, P-256/P-384/P-521 + Curve25519/448, AEAD/wrapping modes, OAEP/PSS/PKCS5, RSA 3072/4096).
    • CUSTOM: enforce the allowlists you set under [kmip.allowlists].
  • If kmip.policy_id is unset, the KMIP policy layer is disabled.
  • None vs [] semantics (for each allowlist): None means "no restriction", while an empty list [] means "deny all" when enforcement is enabled.
• (UI) Runtime branding support via /ui/branding.json (title, theme, and favicon resolved before React renders)
  • Theme asset support under /ui/themes/<theme>/... with Ant Design token overrides
  • Replace the example theme favicons with neutral, non-Cosmian icons
  • (docs) Add post-install UI branding / theme override guide (paths under /usr/local/cosmian/ui/dist/)
  • (packaging) Include nested UI theme assets in linux packages (recursive dist/**/* globs)
  • (nix) Stage and validate UI dist/ content during packaging (checks index.html, assets/, themes/, branding.json)

🐛 Bug Fixes

• Fix SQL Locate request for OpenTelemetry metrics collector (#694):
  • Refactored SQL Locate query building in locate_query.rs to use bound, typed parameters (LocateQuery + LocateParam) instead of interpolating values into SQL (safer + fixes type/cast handling across SQLite/Postgres/MySQL).
  • Updated the SQL backends to consume the new LocateQuery API: crate/server_database/src/stores/sql/{mysql,pgsql,sqlite}.rs.
  • Improved DB test error context in json_access_test.rs to make failures easier to diagnose.
  • OpenTelemetry wiring updates:
    • mod.rs: add OTEL resource attributes (service name/version + optional environment).
    • otel_metrics.rs: ensure active_keys_count time series exists even when 0.
    • cron.rs: fall back to default username if hsm_admin is empty.
• Fix regression on KMIP 1.0 (Fresh and InitialDate attributes) (#689)
• Fix Linux packaging smoke tests when the host has /etc/cosmian/kms.toml present by running with an explicit temp config.
• Make OpenTelemetry export tests resilient under FIPS Nix shells by running curl in a clean environment (avoid inherited OpenSSL/LD overrides).
• (ui) Azure BYOK export (#697)

⚙️ Build

• Nix builds now target GLIBC ≤ 2.34 (Rocky Linux 9 compatibility) by updating pins and building Linux OpenSSL/server outputs against a glibc 2.34 stdenv; server vendor hash expectations are split by static/dynamic on Linux.
• SBOM generation improvements:
  • .github/scripts/nix.sh sbom strictly validates --target/--variant/--link, defaults to generating all combinations, and supports generating a specific server subset.
  • SBOM tooling runs in an isolated workdir to avoid stray repo-root artifacts, keeps only final sbom.csv + vulns.csv reports per output directory, and deduplicates CVE rows in-place (via nix/scripts/dedup_cves.py, with optional filtering helper nix/scripts/filter_vulns.py).
• (deps) Bump jsonwebtoken in the cargo group across 1 directory (#702)
• (deps) Bump bytes in the cargo group across 1 directory (#703)
• (deps) Bump time in the cargo group across 1 directory (#706)
• (deps) Bump actix-files in the cargo group across 1 directory (#707)

📚 Documentation

• Update SBOM documentation to match the generator output layout and behavior.
• Update OpenSSL versions (#713)

5.15.0

[5.15.0] - 2026-01-21

🚀 Features

• Upgrade OpenSSL to 3.6.0 but keep 3.1.2 for FIPS crypto provider #667

  • Summary of changes:

    OpenSSL Linkage	FIPS	Non‑FIPS
    Static	Linkage: OpenSSL 3.6.0; runtime loads FIPS provider from OpenSSL 3.1.2	Linkage: OpenSSL 3.6.0; runtime uses default/legacy providers
    Dynamic	Linkage: OpenSSL 3.1.2; ships FIPS configs and provider OpenSSL 3.1.2	Linkage: OpenSSL 3.6.0; ships libssl/libcrypto and providers

• Provide /health endpoint #690

• Add k256 (RFC6979) curve for sign/verify for non-fips builds #671

• Download CLI through UI #678

• Support RFC 3394 (AESKeyWrap with no padding) #658

  ⚠️ WARNING about AES Key Wrap changes

  Any previously manually exported keys in JSON format must be manually updated if they have been previously wrapped with AES. This can be done using the following command:

  sed -i 's/NISTKeyWrap/AESKeyWrapPadding/g' your_exported_key.json

🐛 Bug Fixes

• Remove RUSTSEC-2023-0071 about rsa dependency and handle database without sqlx #646.

  • Summary of changes:

    • openidconnect is removed in favor of manual OIDC implementation
    • jwt-simple is replaced by jsonwebtoken
    • old cratecloudproof_findex (->crypto_core->rsa) has been removed
    • sqlx has been replaced by those crates:
      • tokio-postgres
      • deadpool-postgres
      • mysql_async
      • tokio-rusqlite
      • rusqlite

    ⚠️ WARNING about Redis migration: For KMS server versions less than v5.12, first migrate KMS Redis-Findex database to 5.14 then 5.15. For KMS server versions 5.12 to 5.14, no migration needed to 5.15.

• Fix Docker container issues #692 and #670 thanks to #667

• Upgrade lru and downgrade yank flat2 to 1.1.5 #680

• Fix double hash in RSASSAPSS in raw and digest data mode for sign/verify #677

• RSA signature/verify tests only run on non-fips #684

• Derive session cookie encryption key from public URL and user-provided salt for load-balanced deployments #664

📚 Documentation

• Add MySQL integration doc #647
• Update Percona integration doc #665
• Add AWS ECS Fargate doc #686

⚙️ Build

• (deps) Bump react-router from 7.5.3 to 7.12.0 in /ui in the npm_and_yarn group across 1 directory #673

⚙️ Miscellaneous Tasks

• Filter test_all workflow for dependabot branches #674
• Test packaging on dependabot branch but wo GPG #675
• Re-enable packaging workflow #676