Craton HSM

Changelog

This page summarises the headline changes in recent Craton HSM Core and Enterprise releases. It is not a replacement for the per-repository CHANGELOG.md files; for the full line-item list, see the upstream files linked at the bottom of each section.

Both projects follow the Keep a Changelog format and Semantic Versioning. Pre-1.0 minor bumps may include breaking changes, always documented in the upstream changelog.

Core

0.9.1 — 2026-03-20 · Security-audit hardening

Eleven security fixes from a full security-review pass, plus a 46-test PKCS#11 conformance suite.

  • Critical. DRBG bypass in key generation. RSA, P-256, P-384, and Ed25519 keygen was calling OsRng directly, bypassing the SP 800-90A DRBG health checks. All key generation now routes through a DrbgRng wrapper.
  • High. Per-key AES-GCM nonce counters replace a process-global counter that would hit the 2^32 birthday bound prematurely under multi-key workloads.
  • High. Circular AES-CBC and AES-CTR KATs (encrypt→decrypt round-trip) replaced with genuine fixed-output KATs. An RSA PKCS#1 v1.5 sign/verify KAT was added — POST is now 17 self-tests (integrity + 16 KATs).
  • Medium. RSA public-key size validation now strips leading zero bytes before counting bits; all-zero IVs for AES-CBC/CTR are rejected at C_EncryptInit; POST_FAILED is cleared on C_Finalize → C_Initialize so a prior failure no longer permanently blocks the module.
  • Total tests: 617+.
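
The RSA size-validation item above is easy to get wrong, so here is an added example (not Craton HSM code) of why leading zero bytes must be stripped before counting bits. The function names, the 2048-bit floor, and the "naive" variant are assumptions made for illustration.

```rust
// Added example, not Craton HSM code. Names and the 2048-bit floor are assumptions.

// Bit length of a big-endian unsigned integer, ignoring leading zero bytes and bits.
pub fn modulus_bits(be: &[u8]) -> usize {
    match be.iter().position(|&b| b != 0) {
        Some(i) => (be.len() - i) * 8 - be[i].leading_zeros() as usize,
        None => 0, // empty or all-zero input has no significant bits
    }
}

// Naive check: trusts the encoded length, so zero padding inflates the apparent size.
pub fn naive_accepts(be: &[u8], min_bits: usize) -> bool {
    be.len() * 8 >= min_bits
}

// Strict check: compares the number of significant bits against the minimum.
pub fn strict_accepts(be: &[u8], min_bits: usize) -> bool {
    modulus_bits(be) >= min_bits
}

// Constructed sample input: a 1024-bit value left-padded with zeros to 256 bytes.
pub fn padded_1024() -> Vec<u8> {
    let mut m = vec![0u8; 128];
    m.extend(std::iter::repeat(0xC3).take(128)); // 0xC3: top bit set, low bit set (odd)
    m
}

fn main() {
    let m = padded_1024();
    println!("encoded bytes: {}, significant bits: {}", m.len(), modulus_bits(&m));
    println!("naive accepts at 2048: {}", naive_accepts(&m, 2048));
    println!("strict accepts at 2048: {}", strict_accepts(&m, 2048));
}
```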

0.9.0 — 2026-02-24 · Release polish and roadmap items

  • License clarification to Apache-2.0 across the workspace; new ROADMAP.md and release profile (lto, codegen-units = 1, strip = symbols).
  • Audit log export in JSON, NDJSON (JSON Lines for SIEM), and syslog RFC 5424. verify_chain() validates the SHA-256 hash chain.
  • New admin-CLI commands: audit export-json, audit export-ndjson, audit export-syslog, audit verify-chain.
  • macOS CI on macos-latest; cargo-tarpaulin coverage artefacts.
  • Multi-slot support (up to 256 slots, default 1, backward compatible); C_GetOperationState and C_SetOperationState; encrypted backup and restore via the admin CLI.

0.8.0 — 2026-01-19 · Test coverage doubling

Eleven new comprehensive test suites across ABI-level sign/verify, wrap, derive, RSA, digest, attribute management, random, session, PQC, audit, and negative edge cases. Total: 547 tests, up from 286. Also fixed a silent drop of CKA_START_DATE / CKA_END_DATE during C_GenerateKey and C_GenerateKeyPair.

0.7.0 — 2025-10-17 · FIPS approved mode

  • fips_approved_only config flag that restricts operations to FIPS-approved algorithms; C_GetMechanismList filters accordingly.
  • Pairwise consistency tests (FIPS §9.6): sign/verify or encap/decap roundtrip after every key-pair generation.
  • Software integrity test (FIPS §9.4): HMAC-SHA256 over the module binary at POST, with an .hmac sidecar and tooling (tools/compute-integrity-hmac.{sh,ps1}).
  • Algorithm indicator (IG 2.4.C): fips_approved field in every crypto audit entry; last_operation_fips_approved on Session for runtime querying.
  • Intermediate zeroization of ActiveOperation data and mechanism params.

0.3.0 — 2025-04-28 · FIPS foundations

First release with the aws-lc-rs backend (awslc-backend feature), the CryptoBackend trait, encrypted persistent storage via redb, file locking for multi-process safety, the tamper-evident audit log, 14 POST KATs, continuous RNG health test, mlock / VirtualLock on key material, and fork detection.

Full history: craton-hsm-core/CHANGELOG.md.

Enterprise

Unreleased · Supply chain and cluster hardening

  • KMIP. Static-token runtime allowlist (CRATON_HSM_ALLOW_INSECURE_STATIC_TOKEN) is re-checked on every request. New public KmipAcl trait consulted by Destroy, Revoke, Activate, Get, GetAttributes, AddAttribute. TTLV decoder gained explicit max_depth, max_items, and max_bytes budgets. AuthRateLimiter now uses a monotonic clock.
  • Cluster. Release builds refuse to boot without cluster_secret. ReplayCache time-evicts on every insert, freshness check precedes cache check, capacity raised to 16 384. Per-peer vote rate limiter scales with cluster size. Membership changes require a majority-signed ConfigChangeProposal before commit.
  • aws-lc-rs. GCM counter journal carries a craton-hsm-gcm-journal v1 version marker. MAC key derivation canonicalizes the path and mixes in OS file identity. Eviction-flush failures poison the key on disk after 5 consecutive failures.
  • Supply chain. Release workflow now generates Syft SPDX + CycloneDX SBOMs, signs artefacts with cosign keyless, and emits SLSA build provenance + SBOM attestations. New SUPPLY_CHAIN.md documents end-to-end verification. Workspace SPDX identifier harmonised to the official BUSL-1.1.

0.1.1 — 2026-04-06 · Security sweep

  • KMIP. Missing ACL enforcement on Activate, Revoke, Destroy fixed — only the owner may now modify owner-protected objects. Secure zeroization on Destroy. TTLV 1 MB value-size limit; recursion-depth limit (32) with TtlvError::DepthExceeded.
  • PKCS#11. Verify methods previously swallowed session errors as signature-invalid; now only CKR_SIGNATURE_INVALID returns Ok(false). Key cache upgraded from FIFO to LRU. Cache deadlock fixed by releasing cache_order before session.
  • Cluster. HMAC-SHA256 replay protection with timestamp-based freshness. Empty node_id rejected. Replication-log append lock to prevent races. O(1) log-entry lookup via HashMap index.
  • Auth. LDAP DN/filter injection prevention; certificate-chain validation against trusted roots; TOTP constant-time comparison; self-approval bypass fix in dual-control; CRL parse failure now errors (was warn-and-skip, fail-open).
  • FIPS. AES-128 keygen incorrectly rejected in FIPS mode — fix aligns with FIPS 140-3 which permits AES-128. RSA minimum-key-size check extended from verify-only to sign operations in the OpenSSL backend.
  • CNG. NTSTATUS error mapping expanded from 5 to 13+ codes (INVALID_HANDLE, ACCESS_DENIED, BUFFER_OVERFLOW, etc.).
  • New CI jobs: cargo-audit, documentation build, feature matrix. New docs: SECURITY.md, CONTRIBUTING.md, BUILDING.md, CODE_OF_CONDUCT.md.
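
The TTLV limits in the KMIP item above (1 MB value size, depth 32) and the max_depth, max_items, and max_bytes budgets listed under Unreleased can be pictured with this added example, which is not code from the Enterprise repository. All names except DepthExceeded are hypothetical, and how depth is counted (top-level items at depth 0) is an assumption.

```rust
// Added example, not Craton HSM code: type and function names are hypothetical.
#[derive(Debug, PartialEq)]
pub enum TtlvError { Truncated, DepthExceeded, TooManyItems, TooManyBytes }

pub struct Budget { pub max_depth: usize, pub max_items: usize, pub max_bytes: usize }

const TYPE_STRUCTURE: u8 = 0x01; // KMIP item type whose value is a list of nested items

// Walk the items in `buf`, recursing into structures and charging every item to the budget.
fn walk(buf: &[u8], depth: usize, b: &Budget, items: &mut usize) -> Result<(), TtlvError> {
    if depth > b.max_depth { return Err(TtlvError::DepthExceeded); }
    let mut pos = 0;
    while pos < buf.len() {
        // Header: 3-byte tag, 1-byte type, 4-byte big-endian length.
        let hdr = buf.get(pos..pos + 8).ok_or(TtlvError::Truncated)?;
        let len = u32::from_be_bytes([hdr[4], hdr[5], hdr[6], hdr[7]]) as usize;
        // Reject the untrusted length before it is used for anything else.
        if len > b.max_bytes { return Err(TtlvError::TooManyBytes); }
        *items += 1;
        if *items > b.max_items { return Err(TtlvError::TooManyItems); }
        let value = buf.get(pos + 8..pos + 8 + len).ok_or(TtlvError::Truncated)?;
        if hdr[3] == TYPE_STRUCTURE { walk(value, depth + 1, b, items)?; }
        pos += 8 + (len + 7) / 8 * 8; // values are padded to a multiple of 8 bytes
    }
    Ok(())
}

// Validate a whole message against the budget; returns the number of items seen.
pub fn decode_checked(msg: &[u8], b: &Budget) -> Result<usize, TtlvError> {
    if msg.len() > b.max_bytes { return Err(TtlvError::TooManyBytes); }
    let mut items = 0;
    walk(msg, 0, b, &mut items)?;
    Ok(items)
}

// Constructed sample input: `n` nested structures around one 4-byte integer item.
// Tag bytes are arbitrary placeholders.
pub fn nested(n: usize) -> Vec<u8> {
    let mut item = vec![0x42, 0, 0x0A, 0x02, 0, 0, 0, 4, 0, 0, 0, 1, 0, 0, 0, 0];
    for _ in 0..n {
        let mut outer = vec![0x42, 0, 0x78, TYPE_STRUCTURE];
        outer.extend_from_slice(&(item.len() as u32).to_be_bytes());
        outer.extend_from_slice(&item);
        item = outer;
    }
    item
}

fn main() {
    let b = Budget { max_depth: 32, max_items: 1024, max_bytes: 1 << 20 };
    println!("{:?} {:?}", decode_checked(&nested(32), &b), decode_checked(&nested(33), &b));
}
```

The validator never allocates from a declared length, so an oversized or deeply nested message is rejected with a bounded amount of work.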

0.1.0 — 2026-03-13 · Initial public release

Initial release of the Enterprise workspace under Business Source License 1.1 (change date 2030-03-13 to Apache-2.0):

  • craton-hsm-awslc — FIPS-validated crypto backend using aws-lc-rs.
  • craton-hsm-openssl — OpenSSL 3.x crypto backend (non-FIPS).
  • craton-hsm-pkcs11 — PKCS#11 hardware passthrough with LRU key cache.
  • craton-hsm-auth — RBAC, LDAP, OIDC, X.509, MFA, dual-control, tenants.
  • craton-hsm-cluster — Raft consensus and key replication.
  • craton-hsm-kmip — KMIP 1.4-compatible server with TTLV codec.
  • craton-hsm-cloud — Kubernetes CSI driver plus AWS / Azure / Vault shims.
  • craton-hsm-infineon — Infineon TPM 2.0 stub backend.
  • craton-hsm-nxp — NXP HSE stub backend.
  • craton-hsm-cng — Windows CNG stub backend.

Full history: craton-hsm-enterprise/CHANGELOG.md.

Support Policy

Both projects support only the latest minor line (Core 0.9.x, Enterprise 0.1.x) for community security fixes. Backports to prior minors are available only under a commercial support contract. Pre-1.0 minor bumps may include breaking changes and are called out in the upstream changelog with migration notes.

Enterprise 0.1.1 additionally guarantees a 12-month maintenance window after the next minor release supersedes it; see the Enterprise SUPPORT.md for the full EOL policy. Per the BSL-1.1, every released version auto-converts to Apache-2.0 four years after its first public distribution, independent of support status.