Ccf

Developer API

C++

- `RSAKeyPair::sign` and `RSAKeyPair::verify` now use `RSA-PSS` instead of `RSASSA-PKCS1-v1_5`.
- Users can specify `salt_length` (defaulted to `0`).

TypeScript/JavaScript

- `ccfapp.crypto.sign()` and `ccfapp.crypto.verifySignature()` no longer support `RSASSA-PKCS1-v1_5`, instead `RSA-PSS` has been added.
- `SigningAlgorithm` has been extended with optional `saltLength`, defaulted to `0` if not passed.

Bug Fixes

- The `/tx` endpoint returns more accurate error messages for incorrectly formed transactions ids (6359).

Bug Fixes

- All public headers now correctly set pragma once (6388, 6389)

Dependencies

- Base image refresh for containers (6394, 6395)
- Python cryptography package requirement raised to 43.\* (6385)

Fixed

- Restore inline implementation of two symbols, and keep a third symbol private (6362)

Added

- The `cchost` configuration file now includes an `idle_connection_timeout` option. This controls how long the node will keep idle connections (for user TLS sessions) before automatically closing them. This may be set to `null` to restore the previous behaviour, where idle connections are never closed. By default connections will be closed after 60s of idle time.
- New endpoints `GET /gov/service/javascript-modules` and `GET /gov/service/javascript-modules/{moduleName}` to retrieve the raw JS code of the currently installed app. Note that the `{moduleName}` path parameter will need to be URL-encoded to escape any `/` characters (eg - `/foo/bar.js` should become `%2Ffoo%2Fbar.js`).
- New gov API version `2024-07-01`. This is near-identical to `2023-06-01-preview`, but additionally offers the new `javascript-modules` endpoints.
- Historical cache soft limit now is a node-specific startup parameter.

Changed

- Set LTO on for both debug/release linkages to support linking against CCF libraries if the client code has been built in debug mode.

Added

- More public namespaces have been moved under `::ccf`
- `::ds` is now `ccf::ds`
- `::siphash` is now `ccf::siphash`
- `::threading` is now `ccf::threading`, and `ccf/ds/thread_ids.h` has moved to `ccf/threading/thread_ids.h`
- `::consensus` is now `ccf::consensus`
- `::tls` is now `ccf::tls`
- `::http` is now `ccf::http`
- `::nonstd` is now `ccf::nonstd`
- `::crypto` is now `ccf::crypto`
- `::kv` is now `ccf::kv`
- `::logger` is now `ccf::logger`
- `::ccfapp` is now `::ccf`
- The `programmability` sample app now demonstrates how applications can define their own extensions, creating bindings between C++ and JS state, and allowing JS endpoints to call functions implemented in C++.
- Introduce `DynamicJSEndpointRegistry::record_action_for_audit_v1` and `DynamicJSEndpointRegistry::check_action_not_replayed_v1` to allow an application making use of the programmability feature to easily implement auditability, and protect users allowed to update the application against replay attacks (6285).
- Endpoints now support a `ToBackup` redirection strategy, for requests which should never be executed on a primary. These must also be read-only. These are configured similar to `ToPrimary` endpoints, with a `to_backup` object (specifying by-role or statically-addressed targets) in each node's configuration.
- Introduced `ccf::historical::read_only_adapter_v4` and `ccf::historical::read_write_adapter_v4`. Users are now capable of passing a custom error handler to the adapter to customise RPC responses for internal historical queries errors, which are listed in `ccf::historical::HistoricalQueryErrorCode` enum.

Changed

- Updated Open Enclave to [0.19.7](https://github.com/openenclave/openenclave/releases/tag/v0.19.7).

Deprecated

- `ccf::historical::adapter_v3` becomes deprecated in favour of `_v4` version.

Removed

- Removed the existing metrics endpoint and API (`GET /api/metrics`, `get_metrics_v1`). Stats for request execution can instead be gathered by overriding the `EndpointRegistry::handle_event_request_completed()` method.
- Removed automatic msgpack support from JSON endpoint adapters, and related `include/ccf/serdes.h` file.