
    Cosmian KMS - Ubuntu 24.04 (AMD SEV-SNP)

    Sold by: COSMIAN
    Deployed on AWS
    This customer-managed Key Management System carries software charges for use from UAT through production, and includes standard support from Cosmian.

    Overview

    This is repackaged software; additional charges apply for extended support.

    Cosmian KMS is a modern, cloud-ready key management system for your encryption keys and certificates, running inside a Cosmian VM, a verifiable and confidential virtual machine.

    This keeps your KMS entirely confidential, at rest and in use, and verifiable (no hardware or software tampering).

    Cosmian KMS delivers strong data security for your organization with on-the-fly encryption/decryption key management, supporting sovereignty, security, and efficiency.

    • Protect your data sovereignty with our independent security solution, eliminating reliance on public cloud providers.

    • Strengthen your security posture by taking charge of sensitive data encryption, including workspace, R&D data, HR information, and electronic communications.

    • Streamline your IT system and server management with automated processes, empowering your system administrators to boost productivity and efficiency in infrastructure management.

    What is in Cosmian KMS? Modern lifecycle management for keys and certificates: Cosmian KMS offers cutting-edge features for managing encryption keys and certificates throughout their lifecycle.

    • Key storage
    • Key generation
    • Key rotation
    • Key distribution
    • Key usage policies

    Advanced Public Key Infrastructure integration: integrating seamlessly with external entities, Cosmian KMS facilitates Public Key Infrastructure management beyond the confines of your organization, whether that means leveraging third-party actors or overseeing key governance, with a streamlined and secure process.

    Embedding standard and modern encryption libraries: Cosmian KMS embraces both standard and contemporary cryptographic algorithms, with broad coverage:

    • FIPS 140-3 validated encryption libraries
    • Covercrypt: Post-quantum resistance & access policy
    • Findex: search encryption

    Highlights

    • Advanced Key Management for crypto-agility / Enhanced Data Protection / Zero Trust KMS Strategy / Scalability and Flexibility

    Details

    Delivery option: 64-bit (x86) Amazon Machine Image (AMI)
    Operating system: Ubuntu 24.04
    Deployed on AWS

    Pricing

    Cosmian KMS - Ubuntu 24.04 (AMD SEV-SNP)

    Pricing is based on actual usage, with charges varying according to how much you consume. Subscriptions have no end date and may be canceled at any time. Alternatively, you can pay upfront for a contract, which typically covers your anticipated usage for the contract duration. Any usage beyond the contract will incur additional usage-based costs.

    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    Usage costs (30 dimensions; 10 shown here)

    Dimension       Cost/hour
    c6a.xlarge      $1.52    (Recommended)
    c6a.16xlarge    $24.32
    r6a.8xlarge     $12.16
    r6a.2xlarge     $3.04
    c6a.12xlarge    $18.24
    c6a.24xlarge    $36.48
    m6a.8xlarge     $12.16
    r6a.4xlarge     $6.08
    c6a.metal       $72.96
    c6a.48xlarge    $72.96

    All listed dimensions scale linearly with instance size at $0.38 per vCPU-hour (c6a.xlarge has 4 vCPUs; c6a.48xlarge and c6a.metal have 192).

    Vendor refund policy

    We apply the standard AWS refund policy: a refund can be requested directly through AWS within the first 48 hours. After that, no refund will be granted.


    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information

    Delivery details: 64-bit (x86) Amazon Machine Image (AMI)

    An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.

    Version release notes

    [5.17.0] - 2026-02-24

    Features:

    • AWS External Key Store (XKS) v2: Cosmian KMS can now act as an AWS XKS proxy, enabling transparent integration with AWS KMS External Key Store.
      • Implements the full XKS Proxy API: a single endpoint that gives AWS KMS live-proxy coverage for all XKS-capable services (S3, EBS, RDS, DynamoDB, Secrets Manager, and more)
      • AWS SigV4 request authentication middleware
      • XKS endpoints: health status, key metadata retrieval, encrypt, decrypt
      • New --xks-* server configuration flags
      • New documentation/docs/aws/xks.md guide
    • Azure External Key Manager (EKM) v0.1-preview: Cosmian KMS now implements the Azure EKM proxy API v0.1-preview.
      • Endpoints: info, key metadata, Wrap, Unwrap, faithful to the Azure EKM specification
      • mTLS (mutual TLS) authentication
      • New --azure-ekm-* server configuration flags
      • Flexible versioning structure for future API versions
      • New documentation/docs/azure/ekm/ekm.md guide
    • CLI (ckms) moved into this repository: the cosmian CLI (previously maintained in a separate cli repository) is now co-located under crate/clients/ckms/.
      • The ckms binary and its full test suite are now built and tested from this repo
      • CLI documentation moved into cli_documentation/ with its own MkDocs configuration
      • Findex server references removed from the CLI documentation and configuration examples
      • Nix packaging extended: nix/cli.nix and nix/common.nix added for building and distributing the CLI as a standalone DEB, RPM, and DMG package
    • Hardcoded system tag strings (e.g. "_sk", "pk") replaced with SYSTEM_TAG* constants from cosmian_kmip::kmip_2_1::extra::tagging
    • WASM and UI test scripts hardened against pnpm major-version mismatches between the system pnpm and the nix-shell pnpm
    • Add --header/-H flag and custom_headers config option to forward arbitrary HTTP headers with every request, enabling use behind zero-trust proxies such as Cloudflare Access
    • UI branding:
      • New loginCardColor field in branding.json to control the login card background color
      • New blank starter theme at ui/public/themes/blank/ with SVG placeholder assets

    Bug Fixes:

    • Security: KMIP Import with replace_existing=true now verifies that the caller owns the existing object before overwriting it
    • Packaging: DEB and RPM removal scripts now clean up /usr/sbin/cosmian_kms and /usr/local/cosmian/ on uninstall
    • macOS: build retry loop in nix/scripts/package_dmg.sh handles intermittent "hdiutil: create failed - Resource busy" CI errors

    Build:

    • Linux packages: README now installed as README.md (was README, which package managers did not render as markdown)
    • pnpm version pinned to 10 in build_ui.sh

    Security:

    • ajv updated 6.12.6 -> 6.14.0 (vulnerability fix)
    • minimatch overridden to >=10.2.1 (ReDoS CVE)
    • lru 0.14.0 (transitive via mysql_async 0.36.1): RUSTSEC-2026-0002 acknowledged in deny.toml; no upstream fix available yet; severity low (CVSS 2.7)

    Documentation:

    • New openssl_override.md: how to point Cosmian KMS to a custom OpenSSL build using a systemd drop-in override
    • New Azure EKM guide (documentation/docs/azure/ekm/ekm.md)
    • New AWS XKS guide (documentation/docs/aws/xks.md)
    • HSM operations: added pkcs11-tool key creation examples and a label uniqueness constraint warning
    • UI branding: loginCardColor field reference and blank theme usage
    • README: new Integrations section covering cloud providers (AWS/Azure/GCP), databases, and HSMs

    [5.16.2] - 2026-02-22

    Bug Fixes:

    • [OpenTelemetry] Deduplicate OpenTelemetry export metric (Revoke and Destroy operations)
    • Debug impl of ServerParams was misleading about the algorithms restriction
    • Fix non-FIPS openssl.cnf provider configuration: the FIPS provider was incorrectly activated in non-FIPS builds. nix/openssl.nix now generates distinct provider configurations per build variant: FIPS builds use fips+base, non-FIPS builds use default+legacy+base.

    Build:

    • Refactor OpenSSL provider management into a dedicated openssl_providers module in crate/server/src/, consolidating safe_openssl_version_info(), init_openssl_providers() (production) and init_openssl_providers_for_tests() (test environments) in a single place.
    • Improve determinism of nix/openssl.nix OpenSSL builds:
      • Patch ENGINESDIR/MODULESDIR in the generated Makefile to fixed /usr/local/cosmian/lib/... paths, preventing Nix store path embedding in compiled libcrypto strings.
      • Set SOURCE_DATE_EPOCH=1 and ZERO_AR_DATE=1 in build and install phases.
      • Normalize all output file timestamps with find $out -exec touch --date=@1 {} +.
    • Non-FIPS Nix Linux builds are now bit-for-bit reproducible (nix-build --check passes for all four Linux variants: FIPS/non-FIPS x static/dynamic OpenSSL):
      • Removed ${toString ../.} from RUSTFLAGS -C remap-path-prefix: it embedded the machine-specific workspace path into the derivation, causing cross-machine hash divergence.
      • Added -C strip=symbols and -C symbol-mangling-version=v0 to strip residual host-path artefacts from symbol tables.
      • Scrub the Nix-store path from OpenSSL's buildinf.h at build time so the OpenSSL derivation hash is identical across machines.
      • Pin all builtins.fetchTarball calls in default.nix with explicit sha256 hashes (nixpkgs 24.11, rust-overlay, nixpkgs 22.05), eliminating Nix-version-sensitive evaluation impurity and removing the NIXPKGS_GLIBC_234_URL environment variable override.
    • Non-FIPS Docker image now ships OpenSSL 3.6.0 provider modules (legacy.so, openssl.cnf) and sets the OPENSSL_CONF/OPENSSL_MODULES environment variables, matching the FIPS image layout.
    • macOS packaging fixes in nix/scripts/package_dmg.sh and related CI scripts.
    • (deps) Bump keccak in the cargo group across 1 directory

    Documentation:

    • Add mTLS database configuration examples

    Testing:

    • Add React and WASM tests

    [5.16.1] - 2026-02-15

    Bug Fixes:

    • Add MLKEM algorithms to the predefined DEFAULT KMIP policy

    [5.16.0] - 2026-02-04

    Features:

    • Add PQC hybridized KEM support via cosmian_cover_crypt: the Cosmian KMS supports Post-Quantum Cryptography (PQC) hybridized Key Encapsulation Mechanisms (KEM) via the cosmian_cover_crypt crate. This crate provides a configurable KEM framework that can operate in pure classical, pure post-quantum, or hybrid mode by combining a pre-quantum KEM with a post-quantum KEM through a KEM combiner (using SHA-256). The server supports CreateKeyPair for Configurable-KEM and Encrypt/Decrypt encapsulation/decapsulation flows.
    • Add server-side KMIP algorithm policy allowlists (enforcement via kmip.policy_id and [kmip.allowlists]):
      • kmip.policy_id selects a policy (case-insensitive). DEFAULT: built-in conservative allowlists (e.g., SHA-2/3, P-256/P-384/P-521 + Curve25519/448, AEAD/wrapping modes, OAEP/PSS/PKCS5, RSA 3072/4096). CUSTOM: enforce the allowlists you set under [kmip.allowlists].
      • If kmip.policy_id is unset, the KMIP policy layer is disabled.
      • None vs [] semantics (for each allowlist): None means "no restriction", while an empty list [] means "deny all" when enforcement is enabled.
    • (UI) Runtime branding support via /ui/branding.json (title, theme, and favicon resolved before React renders)
    • Theme asset support under /ui/themes//... with Ant Design token overrides
    • Replace the example theme favicons with neutral, non-Cosmian icons
    • (docs) Add post-install UI branding / theme override guide (paths under /usr/local/cosmian/ui/dist/)
    • (packaging) Include nested UI theme assets in Linux packages (recursive dist/**/ globs)
    • (nix) Stage and validate UI dist/ content during packaging (checks index.html, assets/, themes/, branding.json)

    Bug Fixes:

    • Fix SQL Locate request for the OpenTelemetry metrics collector: refactored SQL Locate query building in locate_query.rs to use bound, typed parameters (LocateQuery + LocateParam) instead of interpolating values into SQL (safer, and fixes type/cast handling across SQLite/Postgres/MySQL).
      • Updated the SQL backends to consume the new LocateQuery API: crate/server_database/src/stores/sql/{mysql,pgsql,sqlite}.rs.
      • Improved DB test error context in json_access_test.rs to make failures easier to diagnose.
    • OpenTelemetry wiring updates:
      • mod.rs: add OTEL resource attributes (service name/version + optional environment).
      • otel_metrics.rs: ensure the active_keys_count time series exists even when 0.
      • cron.rs: fall back to the default username if hsm_admin is empty.
    • Fix regression on KMIP 1.0 (Fresh and InitialDate attributes)
    • Fix Linux packaging smoke tests when the host has /etc/cosmian/kms.toml present, by running with an explicit temp config.
    • Make OpenTelemetry export tests resilient under FIPS Nix shells by running curl in a clean environment (avoid inherited OpenSSL/LD overrides).
    • (ui) Azure BYOK export

    Build:

    • Nix builds now target GLIBC <= 2.34 (Rocky Linux 9 compatibility) by updating pins and building Linux OpenSSL/server outputs against a glibc 2.34 stdenv; server vendor hash expectations are split by static/dynamic on Linux.
    • SBOM generation improvements: .github/scripts/nix.sh sbom strictly validates --target/--variant/--link, defaults to generating all combinations, and supports generating a specific server subset. SBOM tooling runs in an isolated workdir to avoid stray repo-root artifacts, keeps only the final sbom.csv + vulns.csv reports per output directory, and deduplicates CVE rows in place (via nix/scripts/dedup_cves.py, with the optional filtering helper nix/scripts/filter_vulns.py).
    • (deps) Bump jsonwebtoken in the cargo group across 1 directory
    • (deps) Bump bytes in the cargo group across 1 directory
    • (deps) Bump time in the cargo group across 1 directory
    • (deps) Bump actix-files in the cargo group across 1 directory

    Documentation:

    • Update SBOM documentation to match the generator output layout and behavior.
    • Update OpenSSL versions
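    The None vs [] rule in the 5.16.0 notes is exactly the kind of distinction an enforcement layer gets backwards if its config loader normalises "absent" and "empty" to the same value. The Go program below is an added example, not the project's code: it models policy_id resolution and the per-allowlist semantics as described (unset policy_id disables the layer, DEFAULT uses a built-in conservative set, CUSTOM uses the operator's lists, and within a list nil means no restriction while an empty list denies everything). The category names ("hash", "curve", ...) and the contents of the DEFAULT set are illustrative assumptions; the real [kmip.allowlists] keys are not given on this page.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Allowlist mirrors the None vs [] distinction from the release notes:
// a nil slice means "no restriction", a non-nil empty slice means "deny all".
type Allowlist []string

// Allowlists maps an algorithm category to its allowlist. The category names
// used in this example are hypothetical; the real [kmip.allowlists] keys are
// not given in the release notes.
type Allowlists map[string]Allowlist

// KmipConfig is a stand-in for the [kmip] section of kms.toml.
type KmipConfig struct {
	PolicyID   string     // kmip.policy_id; "" means unset, i.e. the policy layer is disabled
	Allowlists Allowlists // [kmip.allowlists]; consulted only when PolicyID is CUSTOM
}

// defaultAllowlists is an illustrative subset of the conservative DEFAULT
// policy described in the notes (SHA-2/3, NIST curves + Curve25519/448,
// OAEP/PSS/PKCS5, RSA 3072/4096). It is an assumption, not the project's list.
var defaultAllowlists = Allowlists{
	"hash":         {"SHA256", "SHA384", "SHA512", "SHA3_256", "SHA3_384", "SHA3_512"},
	"curve":        {"P256", "P384", "P521", "CURVE25519", "CURVE448"},
	"padding":      {"OAEP", "PSS", "PKCS5"},
	"rsa_key_size": {"3072", "4096"},
}

// Policy is the resolved, enforceable policy.
type Policy struct {
	enabled bool
	lists   Allowlists
}

// LoadPolicy resolves kmip.policy_id (case-insensitive) into a Policy.
func LoadPolicy(cfg KmipConfig) (*Policy, error) {
	switch strings.ToUpper(strings.TrimSpace(cfg.PolicyID)) {
	case "":
		// Unset: the KMIP policy layer is disabled and nothing is restricted.
		return &Policy{enabled: false}, nil
	case "DEFAULT":
		return &Policy{enabled: true, lists: defaultAllowlists}, nil
	case "CUSTOM":
		// This example's choice: refuse a CUSTOM policy with no [kmip.allowlists]
		// at all, because it would silently enforce nothing.
		if len(cfg.Allowlists) == 0 {
			return nil, errors.New("kmip.policy_id = CUSTOM but [kmip.allowlists] is empty")
		}
		return &Policy{enabled: true, lists: cfg.Allowlists}, nil
	default:
		return nil, fmt.Errorf("unknown kmip.policy_id %q (expected DEFAULT or CUSTOM)", cfg.PolicyID)
	}
}

// Allow reports whether value is permitted in category, and why.
func (p *Policy) Allow(category, value string) (bool, string) {
	if !p.enabled {
		return true, "policy layer disabled"
	}
	list, present := p.lists[category]
	if !present || list == nil {
		return true, "no restriction (allowlist unset)"
	}
	if len(list) == 0 {
		return false, "deny all (allowlist is [])"
	}
	for _, allowed := range list {
		if strings.EqualFold(allowed, value) {
			return true, "allowlisted"
		}
	}
	return false, "not in allowlist"
}

func main() {
	policy, err := LoadPolicy(KmipConfig{PolicyID: "default"})
	if err != nil {
		panic(err)
	}
	for _, probe := range [][2]string{{"hash", "SHA256"}, {"hash", "SHA1"}, {"rsa_key_size", "2048"}} {
		ok, why := policy.Allow(probe[0], probe[1])
		fmt.Printf("%-12s %-8s allowed=%-5t %s\n", probe[0], probe[1], ok, why)
	}
}
```

    The Go distinction between a nil slice and an empty slice plays the role of the TOML distinction between an absent key and []; a loader that collapses the two would turn "no restriction" into "deny all" or the reverse, which is the footgun the release note calls out.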

    [5.15.0] - 2026-01-21

    Features:

    • Upgrade OpenSSL to 3.6.0 but keep 3.1.2 for the FIPS crypto provider
    • Provide /health endpoint
    • Add k256 (RFC6979) curve for sign/verify for non-FIPS builds
    • Download CLI through UI
    • Support RFC 3394 (AESKeyWrap with no padding)

    WARNING about AES Key Wrap changes: any previously manually exported keys in JSON format must be manually updated if they were wrapped with AES. This can be done using the following command:

        sed -i 's/NISTKeyWrap/AESKeyWrapPadding/g' your_exported_key.json

    Bug Fixes:

    • Remove RUSTSEC-2023-0071 about the rsa dependency and handle the database without sqlx. Summary of changes:
      • openidconnect is removed in favor of a manual OIDC implementation
      • jwt-simple is replaced by the jsonwebtoken crate
      • the old crate cloudproof_findex has been removed
      • sqlx has been replaced by these crates: tokio-postgres, deadpool-postgres, mysql_async, tokio-rusqlite, rusqlite

    WARNING about Redis migration: for KMS server versions lower than v5.12, first migrate the KMS Redis-Findex database to 5.14, then to 5.15. For KMS server versions 5.12 to 5.14, no migration is needed for 5.15.

    • Fix Docker container issues: upgrade lru and downgrade flate2 (yanked version) to 1.1.5
    • Fix double hash in RSASSAPSS in raw and digest data mode for sign/verify
    • RSA signature/verify tests only run on non-FIPS builds
    • Derive the session cookie encryption key from the public URL and a user-provided salt for load-balanced deployments

    Documentation:

    • Add MySQL integration doc
    • Update Percona integration doc
    • Add AWS ECS Fargate doc

    Build:

    • (deps) Bump react-router from 7.5.3 to 7.12.0 in /ui in the npm_and_yarn group across 1 directory

    [5.14.1] - 2025-12-26

    Features:

    • Add IDP multiple audiences configuration on [idp_auth].
    • Dehardcode the kacls-migration audience for Google CSE migration and allow alternative audiences (e.g. for Google Decrypter use)

    WARNING: Server TOML configuration (kms.toml): the deprecated [auth] section has been fully removed in favor of [idp_auth]. Usage is:

        ...
        [idp_auth]
        jwt_auth_provider = [
          "https://accounts.google.com ,https://www.googleapis.com/oauth2/v3/certs ,my-audience,another_client_id",
          "https://auth0.example.com ,,my-app",
          "https://keycloak.example.com/auth/realms/myrealm ,,audience_1,audience_2"
        ]
        ...

    Documentation:

    • Publish SBOM and vulnerability reports
    • Improve readme

    Bug Fixes:

    • Sign and verify for raw and digest data - rfc6979
    • Allow explicitly AGPL-3.0-or-later license
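    To show what the multiple-audience configuration buys, here is an added Go example (not Cosmian's implementation) that parses entries in the form shown above and matches a token's iss and aud claims against them. It reads each entry as "issuer, JWKS URI, audience, audience, ..."; that reading, and treating an empty JWKS URI as "discover from the issuer", are this example's assumptions. The aud claim is accepted as either a string or an array of strings, as RFC 7519 allows, and a provider with no audience is refused because it would accept tokens minted for any client. Signature verification against the JWKS is deliberately out of scope: the check is meant to run on a payload whose signature has already been verified. The sample payloads are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Provider is one parsed jwt_auth_provider entry: "issuer,jwks_uri,aud1[,aud2...]".
type Provider struct {
	Issuer    string
	JwksURI   string   // may be empty in the config; assumed to mean "discover from the issuer"
	Audiences []string // one or more accepted audiences
}

// ParseProvider splits an entry on commas and trims the whitespace around each
// field (the example config has spaces before its commas).
func ParseProvider(entry string) (Provider, error) {
	parts := strings.Split(entry, ",")
	if len(parts) < 3 {
		return Provider{}, fmt.Errorf("entry %q: need issuer, jwks_uri and at least one audience", entry)
	}
	for i := range parts {
		parts[i] = strings.TrimSpace(parts[i])
	}
	if parts[0] == "" {
		return Provider{}, fmt.Errorf("entry %q: issuer is empty", entry)
	}
	p := Provider{Issuer: parts[0], JwksURI: parts[1]}
	for _, aud := range parts[2:] {
		if aud != "" {
			p.Audiences = append(p.Audiences, aud)
		}
	}
	if len(p.Audiences) == 0 {
		// An audience-less provider would accept tokens minted for any client.
		return Provider{}, fmt.Errorf("entry %q: no audience configured", entry)
	}
	return p, nil
}

// claims keeps aud raw because RFC 7519 allows a string or an array of strings.
type claims struct {
	Iss string          `json:"iss"`
	Aud json.RawMessage `json:"aud"`
}

func parseAud(raw json.RawMessage) ([]string, error) {
	if len(raw) == 0 || string(raw) == "null" {
		return nil, errors.New("aud claim missing")
	}
	var single string
	if err := json.Unmarshal(raw, &single); err == nil {
		return []string{single}, nil
	}
	var many []string
	if err := json.Unmarshal(raw, &many); err == nil {
		return many, nil
	}
	return nil, errors.New("aud claim must be a string or an array of strings")
}

// Accept matches the payload's iss/aud against the configured providers and
// returns the provider whose JWKS is expected to have signed it. It assumes the
// token signature was already verified; it performs no cryptographic check.
func Accept(payloadJSON []byte, providers []Provider) (Provider, error) {
	var c claims
	if err := json.Unmarshal(payloadJSON, &c); err != nil {
		return Provider{}, err
	}
	auds, err := parseAud(c.Aud)
	if err != nil {
		return Provider{}, err
	}
	for _, p := range providers {
		if p.Issuer != c.Iss {
			continue
		}
		for _, got := range auds {
			for _, want := range p.Audiences {
				if got == want {
					return p, nil
				}
			}
		}
		return Provider{}, fmt.Errorf("issuer %s is known, but none of aud %v is configured for it", c.Iss, auds)
	}
	return Provider{}, fmt.Errorf("no provider configured for issuer %q", c.Iss)
}

func main() {
	// Entry copied from the kms.toml excerpt; the payload is a constructed, unsigned sample.
	p, err := ParseProvider("https://accounts.google.com ,https://www.googleapis.com/oauth2/v3/certs ,my-audience,another_client_id")
	if err != nil {
		panic(err)
	}
	_, err = Accept([]byte(`{"iss":"https://accounts.google.com","aud":["another_client_id"]}`), []Provider{p})
	fmt.Println("accepted:", err == nil, "jwks:", p.JwksURI)
}
```

    Note that audience matching is exact and case-sensitive, and that a token whose issuer is configured but whose aud matches none of that issuer's audiences is rejected rather than falling through to the next provider; both choices are the conservative reading of a multi-tenant IdP configuration.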

    Additional details

    Usage instructions

    WARNING: the region east-us1 must not be used to deploy Cosmian products! It is only present because of an AWS testing constraint; this region does not currently allow the deployment of confidential VMs.

    Make sure to enable the AMD SEV-SNP option, located under the Advanced details tab of the marketplace deployment page.

    The Cosmian KMS is deployed on top of a Cosmian Verifiable VM. When cosmian_vm_agent starts for the first time, it initializes several components:

    1. It generates a self-signed certificate and sets the certificate's CommonName to the machine hostname.
    2. It generates a LUKS container (/var/lib/cosmian_vm/container) and mounts it at /var/lib/cosmian_vm/data. Note that /var/lib/cosmian_vm/tmp is a tmpfs: its contents are encrypted because the VM's RAM is encrypted, but it is erased at each VM reboot and should therefore hold only volatile data.
    3. It generates the TPM endorsement keys.

    For production systems, it is recommended to carry out steps 1 and 2 yourself.

    The certificate can be changed at will:

    • Edit your DNS record to point to the VM.
    • Create a trusted certificate using the method of your choice (e.g., Let's Encrypt) or use cosmian_certtool.
    • Edit the cosmian_vm_agent configuration file to point to the location of the TLS certificate and private key.

    The LUKS container can be regenerated using cosmian_fstool with your own size and password (which you must store yourself in a secure location). It is recommended to use an additional backup disk to store the container. You can skip all of these first-startup steps by setting COSMIAN_VM_PREINIT=0 when starting cosmian_vm_agent.

    Once the image is instantiated (on GCP, Azure, or AWS), cosmian_vm_agent automatically starts as a systemd service when the VM boots.

    You can now install any packages or applications you want on the VM.

    Your VM is now set and ready.

    Finally, please follow the deployment process to configure your KMS properly: https://docs.cosmian.com/deployment/cosmian_vm_kms/ 

    Support

    Vendor support

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.


    Customer reviews

    0 ratings, 0 reviews. No customer reviews yet.