Skip to main content

Release Notes

Securosys TSB 2.8.12

Issued: Jul 2, 2026

Features

  • KMIP Data Object Type Field

    Added support for kmip.dataObjectType on HSM-backed data objects. The POST /v1/dataObject endpoint stores new KMIP_DATAOBJECT_TYPE value, and GET /v1/dataObject/{dataObjectName} returns the stored value in the data object response.

    The kmip.dataObjectType value is encoded as UTF-8 and limited to 65280 bytes, matching the existing data-object value size limit just below 64 KiB.

Bug Fixes

  • PQC Prehash and External Mu Signatures

    Fixed ML-DSA and SLH-DSA prehash signing and verification so TSB applies the Primus JCE algorithm parameters at the correct point in the signature lifecycle.

    Approval token generation for PQC prehash sign requests now authorizes the same payload representation that is used by the signing operation, including the context and digest metadata required by the algorithm. This also fixes approval workflows for ML-DSA external mu sign requests.


Securosys TSB 2.8.11

Issued: Jun 22, 2026

Features

  • HSM Call Latency Statistics Endpoint

    Added GET /v1/hsm/statistics to expose active PrimusDevice.getDeviceInfo() latency statistics for HSM calls.

    The optional deviceInfoIterations query parameter controls the number of measured device-info calls. It defaults to 10 and accepts values from 1 to 200. The response returns deviceInfoLatencyStatistics with count, minimumMillis, maximumMillis, and averageMillis.


Securosys TSB 2.8.10

Issued: Jun 15, 2026

Features

  • Synchronous Block/Unblock for Non-SKA Keys

    Added support for blocking and unblocking non-SKA asymmetric and symmetric keys through POST /v1/synchronousBlock and POST /v1/synchronousUnblock. Non-SKA block/unblock requests execute immediately without the approval workflow. Blocked non-SKA keys cannot be used for key operations or export until they are unblocked, and non-modifiable keys can still transition between blocked and unblocked states.

Bug Fixes

  • VaultCode - support for version 2.2.0

  • PrimusHSM HA Failover Detection

    Reduced the JCE AsyncBroker ping interval and ping call timeout defaults to 15 seconds. Live HSM channel disruptions are now detected faster during HA failover, reducing the time TSB can remain blocked on an already-open channel.

  • PrimusHSM Sub-Role Permission Error Response

    Improved handling for PrimusHSM sub-role permission failures returned by the JCE provider. TSB now detects NotAllowedKeyManager, NotAllowedKeyUser, and NotAllowedKeyAuditor SPI statuses and returns 403 Forbidden / res.error.hsm.operation.not.allowed with a role-specific message instead of a generic HSM error.


Securosys TSB 2.8.9

Issued: Jun 8, 2026

Dependency Upgrades

  • Java - Dependency update of JCE

Securosys TSB 2.8.8

Issued: Jun 8, 2026

Bug Fixes

  • Access Token Session Revalidation

    Cached HSM sessions for access-token authentication now use an absolute five-minute validation window. Repeated requests no longer extend this window. After the window expires, TSB revalidates the stored HSM and proxy credentials before allowing the session to continue.

Documentation Changes

  • Recommended Certificate Signature Hash in OpenAPI Examples

    Updated OpenAPI/Swagger examples and documented defaults for certificate signing and related signature request fields to use SHA-256 based algorithms (SHA256_WITH_RSA or SHA-256) instead of SHA-224. SHA-224 remains available as an explicit selectable algorithm for customers that require it; runtime API behavior is unchanged.


Securosys TSB 2.8.7

Issued: May 25, 2026

API Changes

  • Key Validity Date Fields

    Added optional startDate and endDate fields to key creation (POST /v1/key) and key attribute modification (PATCH /v1/key/changeAttributes) for symmetric and asymmetric keys. The API accepts date-only values in yyyy-MM-dd format and UTC date-time values in yyyy-MM-dd'T'HH:mm:ss format.

Security Updates

  • SBOM and CVE Scan Remediation

    Updated Java dependencies to resolve critical and high SBOM/CVE scan findings. Spring Boot was upgraded to 3.5.14, embedded Tomcat to 10.1.55, Spring Security Web to 6.5.10, the PostgreSQL JDBC driver to 42.7.11, and Bouncy Castle libraries to 1.84.

    The container runtime image now uses the latest eclipse-temurin:17-jre-ubi9-minimal tag and installs available UBI9 package updates during the image build. Trivy, Grype, and Docker Scout/OpenVEX suppression files were added for RHEL 9 CVEs that do not yet have a UBI backport, with a review date of 2026-08-20.

Deployment Changes

  • Vault Container Logging Configuration

    Vault-container builds now include the HSM Logback configuration in the Docker image and select the bundled /opt/app/logging/logback-hsm.xml during image build. This decouples HSM logging configuration updates from external mounted files.

    Standard, non-HSM TSB Docker Compose deployments remain unchanged and continue to use the mounted /etc/app/config/log/logback.xml through the existing logging.config setting.

Bug Fixes

  • PrimusHSM Role Permission Error Response

    Improved handling for PrimusHSM role permission failures returned by the JCE provider. TSB now detects nested NotAllowedException errors from Primus SPI calls, such as certificate operations executed with insufficient HSM roles, and returns 403 Forbidden instead of a generic 500 Internal Server Error.

  • PKCS#12 Key Import Alias Handling

    Improved POST /v1/key/import/plain for PKCS#12 imports when pkcs12KeyName is omitted. If the PKCS#12 container contains exactly one key entry, TSB now imports that key automatically instead of returning a generic NullPointerException error.

    If multiple key entries are present, pkcs12KeyName is required and the API now returns a clear validation error. Explicit pkcs12KeyName values are still validated against the PKCS#12 container aliases.

  • Missing API Endpoint Error Response

    Improved error handling for requests to non-existing API endpoints. Unknown endpoints such now return a JSON 404 Not Found response with a clear message identifying the requested method and path, instead of being blocked by security with an empty 403 response.

    Existing security behavior for normal application requests remains unchanged.

  • Access Token HSM Login Retry

    Fixed an issue in multi-tenant access-token authentication where repeated use of a valid JWT could fail during HSM login retry with an already logged out session error. TSB now handles already closed HSM sessions correctly before retrying the login.


Securosys TSB 2.8.6

Issued: May 13, 2026

Bug Fixes

  • Access Token Approver Onboarding

    Fixed a regression in access-token mode where POST /v1/approver/onboard could fail with res.error.missing.access.token when called without an Authorization header. Approver onboarding now resolves the pending approver by reference and remains available without a JWT as intended.

  • Required Key Initialization on onboardPartition: false

    Access-token HSM login paths now call initializeRequiredKeys() after successful login when partition onboarding is disabled or the secret-based fallback login is used. This ensures missing attestation, integrity, optional RFC timestamp, and approver-management backup keys are initialized before subsequent TSB operations.

  • Access Token Session Validation

    Improved HSM session handling for access-token authentication. Cached HSM sessions are now bound to the specific access token that created them, including proxy-based connections. This prevents an invalid or outdated access token from reusing a session opened by another successful login.


Securosys TSB 2.8.5

Issued: May 11, 2026

Features

  • Modified Key Listing Endpoint

    Added GET /v1/key/modified to list HSM key names modified within a requested time window. The endpoint accepts the mandatory time query parameter, counted backwards from the current TSB host time. It uses HSM modification-time filtering for efficient key enumeration and rejects non-positive time windows with a validation error.

  • Support for XMSS algorithm

    Added XMSS support for key creation and signing through POST /v1/key, POST /v1/sign, and POST /v1/synchronousSign.

    Supported XMSS algorithms:

    • XMSS-SHA256_10_256
    • XMSS-SHAKE256_10_256

    XMSS signatures can be verified through POST /v1/verify, including signatures produced through synchronous signing and SKA approval-based asynchronous signing flows.

  • BYOK General Helper Endpoints

    Added two BYOK helper endpoints under the General helper API:

    • POST /v1/byok/export
    • POST /v1/byok/import

    POST /v1/byok/export exports HSM key material in provider-specific BYOK formats. The request uses multipart/form-data with a JSON request part (ByokExportRequestDto) and a provider public wrapping key file part (wrappingKeyFile) in DER or PEM format.

    Supported export options:

    • AZURE_RSA, AZURE_EC, AZURE_AES - exports Azure BYOK JSON.
    • AWS_RSAES_OAEP_SHA_256, AWS_RSAES_OAEP_SHA_1 - exports an AES key wrapped for AWS KMS BYOK.
    • SALESFORCE_RSAES_OAEP_SHA_1, SALESFORCE_RSAES_OAEP_SHA_256 - exports Salesforce BYOK wrapped key material and hash output.
    • SERVICE_NOW, GOOGLE_CLOUD, GENERIC - exports generic RSA-OAEP wrapped AES key material.

    If the requested BYOK source key does not already exist on the HSM, TSB creates it automatically using provider defaults:

    • RSA: 2048 bit
    • EC: SECP256R1
    • AES: 256 bit
    • Salesforce: HMACSHA256 derivation key

    POST /v1/byok/import imports BYOK material back into the HSM. Supported import options:

    • AZURE_RSA, AZURE_EC, AZURE_AES - imports Azure BYOK JSON input.
    • SERVICE_NOW, GOOGLE_CLOUD, GENERIC - imports generic RSA-OAEP wrapped AES key material.

    AWS and Salesforce BYOK import are not supported by this endpoint.

API Changes

  • Key Attestation JSON Key Check Value

    Key attestation JSON now includes the keyCheckValue field when the HSM attestation XML contains a key_check_value value.

  • Custom HSM Log Message Endpoint

    Updated POST /v1/hsm/customLog to accept only the mandatory customLogMessage field. The clientId request field and related client-context switching logic were removed. The endpoint now writes the provided message directly to the HSM log at informational level.


Securosys TSB 2.8.4

Issued: May 4, 2026

Features

  • Custom HSM Log Message Endpoint

    Added POST /v1/hsm/customLog to the Service Information API. The endpoint accepts a mandatory customLogMessage field and an optional clientId field, then writes the message to the HSM log at informational level.

Documentation Changes

  • Key Password OpenAPI Schema

    Updated the OpenAPI/Swagger schema for key password fields to present password values as JSON strings, for example "string", instead of character arrays. This improves readability for customers in generated API documentation and examples. Runtime API behavior is unchanged; existing requests remain compatible.

Bug Fixes

  • Access Token Approver Lookup

    Access-token approver lookup now resolves approvers by reference within the current HSM partition. This prevents non-unique approver lookup results when different partitions contain approvers with the same reference.


Securosys TSB 2.8.3

Issued: April 21, 2026

Features

  • Customer Note on Keys (Free Field)

    Added support for customerNote when creating keys (POST /v1/key) and modifying key attributes (PATCH /v1/key/changeAttributes). The value is stored in HSM free field using UTF-8 and is returned in key attributes responses. Updates follow existing key-attribute modification rules (modifiable key required). TSB enforces a validation limit of 4096 UTF-8 bytes.

  • Derived Key Password for Persistent Derivation

    Added support for setting a dedicated password on persisted derived keys via POST /v1/derivedKey using the new optional field derivedKeyPassword. This allows a derived key to be protected with a password different from the master key password. Access to the persisted derived key now requires the configured derived-key password; access with the master password or without password is rejected.

  • Key Password for Seed-Imported Keys

    Added support for setting a key password when importing keys from seed via POST /v1/importedKey using password. Seed-imported keys can now be protected at creation time and require the configured password for key operations. If the password is omitted (or provided as an empty value), the key is imported without a password.

  • Chaincode Import for Plain Key Import

    Added support for importing EC/ED CKD chaincode via POST /v1/key/import/plain using the optional derivationValue field. The API accepts derivationValue chaincode encoded as hex or base64. Invalid derivationValue format or unsupported combinations (for example non-EC/ED usage) are rejected with validation errors.


Securosys TSB 2.8.2

Issued: April 20, 2026

Features

  • Housekeeping Query Optimization

    Reduced database load for certificate lookup housekeeping task by using more targeted queries and batched operations.

Bug Fixes

  • Optimized Access Token + API key authentication flow: when API keys are enabled, the already verified/decrypted Access Token is reused and no longer verified twice, reducing request overhead.
  • VaultContainer: Fixed wrong replication configuration on HSM-Clone nodes that could cause approval task fetch failures.
  • Fixed a bug, where certificate lookup task was also run on HSM-Clone.
  • Fixed /v1/verify for BIP32/SLIP10 seed-imported keys for HSM-Keystore.

Securosys TSB 2.8.1

Issued: April 13, 2026

Features

  • Fix Partition Name in logs

    Added 'dynamic client ID' configuration to allow logging of operations logged using appropriate TSB client IDs based on partition name

Bug Fixes

  • Fixed request status workflow when hsm.persistRequestResults=false. Request status now remains PENDING (or APPROVED) until execution, instead of being set to EXPIRED on repeated polling before all approvals are completed. Additionally, the EXPIRED status cannot be modified to its previous status states.
  • Fixed wrong addition of "EdDSA" in timestampDigestAlgorithm for Filtered*Approval Task requests
  • Fixed PATCH /v1/key/changeAttributes for symmetric keys. Modifying a symmetric key no longer fails with res.error.key.not.existent when the source key exists.

Securosys TSB 2.8.0

Issued: March 27, 2026

Features

  • Pre-hashed RSA-PSS Signature Algorithms

    Added support for pre-hashed RSA-PSS signature algorithms, enabling signing workflows where the message digest is computed externally and provided directly to the signing operation. The following signature algorithms are now supported:

    • NONESHA224_WITH_RSA_PSS
    • NONESHA256_WITH_RSA_PSS
    • NONESHA384_WITH_RSA_PSS
    • NONESHA512_WITH_RSA_PSS
    • NONE_WITH_RSA_PSS
  • SAM compliant approver onboarding

    The PUT v1/approverManagement/create endpoint now supports optional issuing CA for approver certificate creation.

    When issuingCaKeyName is provided, the approver certificate is signed by the specified CA instead of being self-signed.

    When approvalKeyName is set, no new approver key will be generated - the existing approver key-pair and its certificate are exported into the PKCS#12 container. Newly added optional request fields:

    • issuingCaKeyName – name of an existing CA key-pair stored in the HSM used to sign the approver certificate.
    • issuingCaKeyPassword – password required to access the issuing CA key.
    • approvalKeyName – use an existing approver key-pair instead of generating a new one.
    • approvalKeyPassword – password of the existing approver key.

    Existing functionality for self-signed certificate generation remains unchanged and is used as default behavior when above parameters are not provided.

  • Air-gapped TSB Creates Timestamp (Sign + Modify)

    In airGapped mode, TSB can now create timestamps locally (without HSM login/connectivity) in:

    • POST /v1/sign
    • POST /v1/modify

    The timestamp and timestamp-signature are persisted in the request and are used when building approvalToBeSigned.

    New air-gapped timestamp keystore configuration(required to enable local timestamp creation):

    • hsm.airGappedTimestamp.keyStore
    • hsm.airGappedTimestamp.keyStoreType
    • hsm.airGappedTimestamp.keyAlias
    • hsm.airGappedTimestamp.keyStorePassword
    • hsm.airGappedTimestamp.keyPassword

    Compatibility behavior:

    • If keyStore or keyAlias is not configured, timestamp creation is skipped and air-gapped behavior remains unchanged.
  • Access Token Connection Reuse

    Added caching of JWT-derived HSM connection parameters and fingerprints to avoid repeated DB decrypts and logins. If a valid JWT matches an existing session, the connection is reused instead of creating a new one.

  • JWT Parsing and Provider Initialization Performance

    Improved JWT parsing and JSON validation paths, reduced redundant HSM provider initialization on each request.

  • Scheduler Behavior Updates

    Switched scheduler configuration from fixed-rate to fixed-delay where applicable to prevent overlapping runs. Default intervals for scheduler parameters below one minute were raised to 60s.

  • Housekeeping Query Optimization

    Reduced database load for request/approval cleanup and housekeeping by using more targeted queries and batched operations.

  • Certificate Caching and Inline Cert Support

    Cached timestamp/request signing certificates for notification service, automated approval, and access-token flows. Configuration now supports inline PEM/base64 certificate values in addition to file/classpath references.


Securosys TSB 2.7.2

Issued: March 23, 2026

Dependency Upgrades

  • Add Primus HSM Firmware support (v3.1.0 and up) for FIPS installations

Securosys TSB 2.7.1.3

Issued: February 17, 2026

Bug fixes

  • Fix transaction leak caused by ReplicationAspect loading without replica datasource in environments where no replication is required

Securosys TSB 2.7.1.2

Issued: February 16, 2026

Logging

User Connected Verbosity - Reduced log verbosity; suppresses duplicate <HOST>:2300:<USER> connected entries when the user is already logged in.

User Context Log - Added Partition context to all log lines; adjusted logback.xml pattern to include [user=%X{partition:-system}]

<pattern>%d{yyyy.MM.dd HH:mm:ss.SSS} %highlight(%-5.5p) [%15.15t] [%-15.15X{partition:-system}] %cyan([%40.40c]) %msg%n</pattern>

Bug fixes

Allowed Timestamp Signing Certificates not found - In TSB v2.4.0, the introduction of the AutomatedApproval Service unintentionally overrode the configured general.allowedTimestampSigningCertificates, causing the AllowedTimestampSigner (which fetches approval challenges and distributes approvalToBeSigned via the Notification Service on behalf of approvers) to no longer recognize the configured timestamp signing certificates.

Helm-Chart

  • Helm Chart v1.1.0
    • Added ConfigMap checksum annotations for automatic pod restarts on configuration changes
    • Stakater Reloader support is now opt-in via reloader.enabled (default: false)
    • NGINX sidecar supports true Layer 4 TLS passthrough via nginx.passthrough: true
    • Default NGINX service type changed from NodePort to ClusterIP; nodePort is now optional
    • Added extraManifests support for injecting custom Kubernetes resources via values.yaml
    • Updated Logback encoder-pattern to support HSM partition-context per log-line
    • Updated workflowEngine settings requestCleanupInterval: 5000 & requestCleanupBatchSize: 50
    • Added configurable deployment strategy via strategy in values.yaml (default: RollingUpdate)
    • Increase the default ressource request limits to 1Gi memory, and 1000m CPU

Securosys TSB 2.7.1.1

Issued: February 12, 2026

Dependency Upgrades

Downgrade Docker Base Image to RHEL 9 - The Docker base image has been reverted from RHEL 10 to RHEL 9 to restore compatibility with x86-64-v2 CPU architectures.


Securosys TSB 2.7.1

Issued: February 06, 2026

Features

  • Adding the signedTimestampPayload to the /v1/systemTime/{payload} response, to construct the signedApproval payload

Bug fixes

  • Improved request cleanup to prevent HTTP thread pool exhaustion under high asynchronous SKA load.

Configuration

  • The parameters
    • general.approvalTaskCleanupInterval
    • general.approvalTaskCleanupMinLock
    • general.approvalTaskCleanupMaxLock are no longer required and will be ignored.
  • SKA task and request cleanup has been unified under the existing configuration property: general.requestCleanupInterval (default: 5000).

Securosys TSB 2.7.0

Issued: December 12, 2025

Features

  • Public Key Retrieval Endpoint - Added GET /v1/key/{keyName}/publicKey endpoint to retrieve public keys by key name
  • Application Monitoring - Integrated Prometheus metrics for SpringBoot application monitoring
  • Enhanced Key Derivation - Xpub now supports ephemeral hardened key derivation

Breaking Changes

Key Derivation Validation

  • Added validation to prevent key creation with unsupported curve types when BIP32 or SLIP10 derivation is enabled
  • TSB now validates the curve OID at key creation time, ensuring it matches one of the supported curves: SECP256k1, SECP256r1 (prime256v1), or Ed25519
  • Keys with BIP32 or SLIP10 attributes and incompatible curves are rejected immediately with a the following error
Error Response: res.error.input.validation.failed (600)
Derivation not defined for this curve, only SECP256k1, SECP256r1 and Ed25519 curves support key derivation

SKA Policy Validation

warning

Action Required: Review and update existing SKA policy configurations to ensure compliance with the new validation rules before upgrading to TSB 2.7.0.

TSB 2.7.0 introduces stricter validation for SKA policies that will reject previously accepted invalid configurations. Policies that were created successfully in earlier versions may now fail validation.

Timeout Validation:

  • Policies specifying a timeout value must now include token groups
  • Previously, policies with timeout but groups: null were accepted but failed during signing operations
  • These policies are now rejected at creation time with validation error

Invalid policy example (now rejected):

"ruleUse": {
"tokens": [{
"name": "Token-1",
"timelock": 0,
"timeout": 3600, // timeout specified
"groups": null // missing groups - now rejected
}]
}

Quorum Validation:

  • Group configurations with inconsistent quorum and approval settings are now rejected at creation time
  • Error cases:
    • Groups with quorum: 0 cannot have approvals defined
    • Groups with quorum >= 1 must have at least one approval defined

Securosys TSB 2.6.4

Issued: December 05, 2025

Features

  • PEM Support for TLS/mTLS - Added support for providing PEM-encoded TLS key + crt directly in application.yml, as an alternative to referencing certificate files.
  • VaultContainer Template Update - Updated the application-tsb-hsm.yml template for deployments running TSB directly on the HSM (v3.3.0).
  • VaultContainer LogLevel - Added support for configuring log levels per class using hsm.log.level.classname: com.securosys.ska.service.business.

Bug fixes

  • VaultContainer: Fetch Approval Task - Fixed a failure occurring on HSM-Clone nodes when fetching approval tasks. This release removes updates to the LAST_FETCHED_DATE field, as updating it requires the master to be online and adds an round trip.
  • VaultContainer: Approver Management - Added support for Approver Management endpoints when invoked on an HSM-Clone.
  • VaultContainer: Automated Approval - Fixed a bug, where automated approval executions were not executed when invoked by a HSM-Clone.

Securosys TSB 2.6.3

Issued: November 22, 2025

Feature

  • Create JKS Truststore - Added support for JKS truststore export certificate via /v1/key/export/plain

Securosys TSB 2.6.2

Issued: November 21, 2025

Feature

  • KMIP Attributes - Attestation parses and returns KMIP generate key attributes

Dependency Upgrades

  • Java - Dependency update of java base image

Securosys TSB 2.6.1

Issued: November 21, 2025

Feature

  • ED-Certificate Support - All certificate endpoints now support ED-Keys with EDDSA signature algorithm
  • Cross-Algorithm Certificate Signing - Sign certificates across EC, ED, and RSA algorithms

Fixes

  • Delete Certificate Only - Fix to delete certificate if a certificate object does not have an associated private-key.

Deployment

  • Helm Charts - Single-tenant Helm charts now available at docs.securosys.com/tsb/Installation/helm

Securosys TSB 2.6.0

Issued: October 20, 2025

Feature

  • Certificate Extension Handling

    When issuing certificates, copyExtension: COPY copies extensions from the CSR to the certificate, excluding basicConstraints for security. This prevents CSRs containing basicConstraints: CA=TRUE from inadvertently granting CA privileges while issuing.

  • ML-DSA-M Support:

    Introduced support for the ML-DSA-M (μ) signature algorithm.

  • New Endpoints

    • POST /v1/key/changeAttributes – Rename keys, update passwords, and modify attributes (attributes can only be strengthened)
    • POST /v1/hsmInfo – Returns HSM system time and firmware version
  • Support payloadType - HEX

    • Signature requests now support payloadType: HEX for hex-encoded payloads.
  • Asymmetric Key Rotation

    Support for asymmetric key rollover, which allows generating a new key pair (with the same logical name) and corresponding self-signed certificate.
    This feature introduces new endpoints:

    • /v1/certificate/rolloverCsr, /v1/certificate/synchronous/rolloverCsr Creates a new key pair named <keyname>-new by copying all attributes and SKA policy from the original key.
      Generates a Certificate Signing Request (CSR) with all certificate fields duplicated from the existing certificate. Returns the generated CSR.
    • /v1/certificate/rolloverImportCert The existing key <keyname> is renamed to <keyname>-vi, where i is the next available index.
      The newly created <keyname>-new is renamed to <keyname>.
      The provided certificate is then imported and associated with the new <keyname>.
    • /v1/certificate/rolloverSelfsign, /v1/certificate/synchronous/rolloverSelfsign Renames the existing <keyname> to <keyname>-vi, where i is the next available index.
      Creates a new <keyname> key pair by copying all attributes and SKA policy from the original key.
      Generates a new self-signed certificate by replicating the certificate fields from the previous version.
  • Database Clustering

    Support for clustered databases with automatic write/read routing when hsm.databaseClusteringService: true is enabled. Configuration example:

    spring:
    datasource: # Local read replica
    url: jdbc:postgresql://localhost:5433/securosys
    masterDatasource: # Master database (write operations)
    url: jdbc:postgresql://localhost:5432/securosys

    Note: Only configure spring.masterDatasource if your local database is a replica. If the closest database is already the master, leave spring.masterDatasource.url empty and set hsm.databaseClusteringService: false. When running on the HSM, the VaultContainer runtime will inject the correct settings.

Fixes

  • Keys no longer require the destroyable flag when working with certificates

Build Changes

  • Docker images now support AMD64 and ARM64 architectures
  • Images are signed with cosign for verification

Migration Notes

  • Database clustering requires external replication setup

Dependency Upgrades

  • Bumped all dependencies to latest versions

Securosys TSB 2.5.1

Issued: August 13, 2025

Feature

  • Support for Certificate Subject Alternative Names (SAN).
  • Added signature algorithms SHA256_WITH_ECDSA and SHA384_WITH_ECDSA for certificate issuance.
  • Introduced COPY_EXTENSIONS for certificates (copies the certificate extensions from the CSR, but excludes basicConstraint, CA=True).
  • Integrity keys such as attestation-key and timestamp-key can no longer be deleted.
  • Added StandardCertificateAttributes (CN, O, OU, ...) to certificate endpoints, if these attributes are not set on issuing the certificate, the attributes from the CSR are taken

Fixes

  • Backported API-Keys for new endpoints, check here for the API-Keys Assignment
  • Fixed a bug where onboarded_approver_certificate was incorrectly replaced on /v1/modify, /v1/importedKey.
  • Fixed a bug when issuing certificates with Brainpool EC keys.

Securosys TSB 2.5.0

Issued: July 17, 2025

Feature

  • Key Rotation New endpoint: Added /v1/key/rotate to perform symmetric key rollover in a single operation. When fetching key attributes, the current derivation-value is returned; synchronous encrypt operations include the used derivation-value in their response, and synchronous decrypt operations accept an optional derivationValue parameter to decrypt with a non‑latest rotation.
  • Xpub Support New endpoint: Introduced /v1/xpub/import and /v1/xpub/export to import and export BIP‑32 extended public keys (xpub) using the standard xpub structure
  • Taproot Support for Schnorr signatures (Bip0341) Support for SegWit version 1 output type, with spending rules based on Taproot, Schnorr signatures, and Merkle branches. (BIP0341) TweakData & MerkleRootData can now be specified when signing with NONE_WITH_EC_SCHNORR_BIP0340 (both SKA and non-ska)
  • Automated SKA Approval Configure the REST API to automatically approve SKA requests using Securosys ATEE. A template is provided in application-automated-approval.yml The Securosys Automated Trusted Execution Enclave (ATEE) is a secure environment for executing custom code with HSM-backed security and evidence. As a container-agnostic solution, ATEE offers the flexibility to load and execute your business logic code either directly within a Primus HSM or on an external host.
  • FIPS203 (ML-KEM) PQC Algorithm Support Added two new endpoints POST /v1/encapsulate and POST /v1/decapsulate to enable FIPS203‑compliant ML‑based key‑encapsulation (ML‑KEM) operations.

Notes: Use /v1/encapsulate to generate a ciphertext and shared secret. Use /v1/decapsulate to recover the shared secret from a ciphertext

API Changes

  • /v1/request endpoint now correctly transitions to FAILED or CANCELLED when appropriate. (fetch request status) never transitioned to FAILED or CANCELLED, always hanging on APPROVED. If a request fails, the result includes the failure reason.
  • Remove the validity field from CSR-based endpoints and introduced in certificate-signing endpoints.
  • All draft post‑quantum (PQC) algorithms have been removed from the Swagger specification, but can still be used.

Fixes

  • Resolved REST API timeouts on listing keys when keystore contained more than 100,000 objects.
  • SKA-Requests specifying quorum = 0 now execute immediately; previously they were never executed.
  • Enabled file signing and encryption using public keys only.
  • Corrected handling so that specifying any ML‑DSA algorithm other than the default 44 is now honored.

Configuration Changes

  • The configuration file application-automated-approval.yml provides a template for integrating the Securosys REST API with the Securosys VaultCode.
  • Renamed standalone profile to air-gapped
    The configuration file application-standalone.yml has been renamed to application-air-gapped.yml. Additionally, the configuration property hsm.standalone has been renamed to hsm.airGapped.
    Definition of hsm.airGapped:
    • true: TSB is running in an online environment.
    • false: TSB is running in an offline (air-gapped) environment with a local profile and access to the key store.

Securosys TSB 2.4.0

Issued: April 28, 2025

Feature

  • New Code Signing and Encryption Endpoint:
    Added /v1/synchronousFileSignEncrypt to perform file signing and encryption in one step.
  • Extended Certificate Listing:
    Introduced /v1/certificate/list for faster and more detailed certificate listings. Supports four levels of detail for human-readable output — ideal for PKI use cases where all asymmetric keys and algorithms must be quickly retrieved.
  • New Hashing Endpoint:
    Added /v1/synchronous/hash to support hashing large payloads that exceed HSM size limits (20 KB for v2.8 and 500 KB for v3.0).
  • Signed Log Export:
    New endpoints /v1/hsm/log and /v1/hsm/log/{time} allow exporting signed HSM logs.
  • Support for ML-DSA and SLH-DSA Algorithms:
    Full support for seed import, pre-hashing, and context management.
  • PostgreSQL Support:
    Now available across all TSB profiles — including Single, Multitenant, External-Keystore, and Standalone — with full compatibility for database clustering. To use PostgreSQL, update your configuration by setting spring.datasource.url to a PostgreSQL connection string (jdbc:postgresql://). A sample configuration is provided in config-files/application-local-psql.yml.
  • PKCS#12 Asymmetric Key Import/Export:
    Added support for importing and exporting asymmetric keys in PKCS#12 format.
  • Ethereum Signature Format:
    Support added for ETH-style signatures on TemporaryDerivedKeys (both hardened and unhardened).

API Changes

  • Updated Certificate Endpoints:
    Certificate-related APIs now return 64-byte, newline-separated (\n) certificate strings:
    • /v1/certificate/synchronous/selfSign
    • /v1/certificate/synchronous/sign
    • /v1/certificate/selfSign (SKA)
    • /v1/certificate/sign (SKA)

Build Changes

  • Multi-Architecture Support:
    TSB is now available for both ARM64 and AMD64 architectures:
    • AMD64: securosys.jfrog.io/external-tsb/securosys-tsb:2.4.0
    • ARM64: securosys.jfrog.io/external-tsb/securosys-tsb-arm64:2.4.0

Configuration Changes

  • Certificate Lookup Interval:
    Introduced a new setting: general.certificateLookupInterval: 86400000
    (This cron job refreshes the certificate database cache every 24 hours [enabled by default].)

Securosys TSB 2.3.1

Issued: March 07, 2025

Feature

  • TSB without HSM
    Now supports operation without an HSM connection for creating & signing approval-challenges in a cold-wallet (off the grid) environment. Use application-standalone.yml with spring profile "standalone" to enable sign request creation and parameter retrieval for /v1/synchronousSign. Available endpoints:
    • /v1/sign
    • /v1/filteredSignApprovalTask
    • /v1/filteredAllApprovalTask
    • /v1/task
    • /v1/approval
    • /v1/request/{id}
    • /v1/versionInfo
  • ED-Approver Support in SKA-Key Policies
    Added support for ED-Approver.
  • BLS-Approver Support in SKA-Key Policies
    Added support for BLS-Approver.
  • Certificate List Endpoint
    New endpoint /v1/certificate/list lists all keystore certificates in a human-readable format.
  • Fetch SystemTime Endpoint
    New endpoint /v1/systemTime/{payload} returns the current system time information about the first connected HSM, including a SHA256withECDSA signature with optional payload and the timestamp of the Host TSB is operating in.
  • JWT Token Revoke in Multi-Tenant Mode
    Ability to revoke individual JWT tokens in multi-tenant deployments.

Fixes

  • PublicKey Export
    Allow export of PublicKey if no private key is present.

Securosys TSB 2.2.0

Issued: December 13, 2024

Feature

  • BIP 0340 Support
    Securosys TSB 2.2.0 now includes support for BIP 0340, enabling compatibility with Schnorr signatures. Schnorr is supported with Primus HSM Firmware v3.2.0+
    This provides the following advantages:

    • Schnorr signatures are smaller in size, making transactions more efficient and lightweight
    • Ensures provable non-malleability, stronger cryptographic assurance
    • Simplifies the creation of multisignature schemes through native key aggreation support
  • FIPS203, 204, 205 PQC Algorithm Support
    Final Post-Quantum Cryptography (PQC) algorithms are now supported. For more details, refer to the PQC Release Overview.

  • LMS Interoperability with BouncyCastle v1.80
    Added support for LMS (Leighton-Micali Signature) interoperability with BouncyCastle version 1.80.

  • PKCS1.5 Cipher Algorithm: RSA_PADDING_PKCS
    Introduced support for the PKCS1.5 cipher algorithm with the RSA_PADDING_PKCS option (legacy).

  • Cluster Failover Timeout Configuration
    You can now configure the timeout behavior for cluster failovers. Example configuration in application-local.yaml:

    hsm:
    clusterFailoverGraceTimeMilliSeconds: 5000 # Timeout in milliseconds for the entire login process, including connection attempts and hello exchanges. Default is 5 seconds (5000 ms).

API Changes

  • Whitelist /v1/approver/onboard for Multi-Tenant Deployments
    This endpoint is now available for multi-tenant deployments and is used by the Securosys Authorization App.
  • Support for API Keys in Multi-Tenant Mode
    API keys are now supported in multi-tenant deployments. For more details, see the API Keys Overview.
  • Optional Certificate Whitelisting for Request Signatures
    Configuration options for request signing certificates are now available:
    • In single-tenant mode: allowedRequestCertificates.
    • In multi-tenant mode: allowedRequestSigningCertificateFingerprints.

Whitelisted certificates are required to sign requests if enabled. Example configuration in application-local.yaml:

general:
allowedRequestCertificates:
- file:/etc/app/config/request_signing_certificate.pem
  • Software Version Logging
    The software version is now printed when the REST API is fully initialized:

    INFO [...] REST-API started: Vendor: Securosys SA, API Version: 2.2.0

Dependency Upgrades

Bumped all dependencies to latest version and SpringBoot to 3.4.1

Securosys TSB 2.1.1

Issued: September 23, 2024

Feature

  • Support for NONESHAxxx_WITH_RSA Algorithms: Added compatibility with pre-hashed algorithms on RSA in conjunction with SKA-Keys.

Securosys TSB 2.1.0

Issued: August 16, 2024

Feature

  • Support for PQC-Algorithm LMS: Introduced support for the Post-Quantum Cryptography (PQC) algorithm LMS, enhancing security and future-proofing cryptographic operations.
  • Extended CSR Requests: Added OrganizationID=2.5.4.97 to CSR requests (both SKA and Non-SKA) to ensure eIDAS-compliant CSR requests.
  • Ed25519 Support with SLIP-0010 Derivation: Now supports Ed25519 key generation with SLIP-0010 derivation for seeded keys.
  • SLIP-0010 Derivation for SmartKeyAttributes: Enabled SLIP-0010 derivation on keys that have SmartKeyAttributes.
  • Extended SLIP-0010 Support: Added support for SLIP-0010 in AES_WRAP_(PAD)ED/EC & AES_UNWRAP(PAD)_ED/EC operations.
  • SKA-Request Result Fetching: Introduced a new parameter that allows the result of an SKA-Request to be fetched only once.

API Changes

  • ED-Derivation Error Handling: The API now correctly returns an HTTP 400 response when ED-Derivation with SLIP-0010 encounters a derivation path containing unhardened elements.

Bug Fixes

  • External KeyStore: Resolved an issue where synchronous sign requests using SKA-Keys were not being executed.
  • ECIES File Encryption: Fixed compatibility issues with ECIES file encryption, specificallywhen handling multi-part streams in SpringBoot version 3.3.2.

Securosys TSB 2.0.1

Issued: July, 25, 2024

Feature

  • Fetch Requests by Status: Retrieve all requests filtered by their status with the new endpoint: /v1/filteredRequests.
  • Fetch All Tasks: Retrieve all approval tasks at once with the new endpoint: /v1/filteredAllApprovalTask.
  • HMAC Support: Added support for HMACSHA256, use the new synchronous HMAC endpoint: /v1/synchronousHmac.

API Changes

  • Added support for Ed25519 SLIP-0010 key derivation.
  • Allowed never fulfillable RuleModify, RuleBlock, and RuleUnblock on SKA-Keys.
  • Key operations will now execute immediately on empty or always fulfillable SKA policies.
    (previously one had to wait for the cron job to execute ska-request if asynchronous API endpoints have been used.)
  • Onboard an approver on an SKA-Key using their name with the Approver Management feature. Previously, onboarding required the approver's certificate or public key. Now, you can simply use the approver's name:
"approvals": [{"type": "onboarded_approver_certificate","name": "approver-name@email.com"}]

Configuration Change

  • Enabling API Authentication Key Rollover: It is now possible to rollover API Authentication-Keys by defining multiple API-Keys in list format:
apiAuthentication:
enabled: true
keyManagementToken:
- keymanagement1
- keymanagement2
...

Dependency Upgrades

  • Bumped all dependencies to latest version and SpringBoot to 3.3.2

Securosys TSB 2.0.0

Issued: April, 04, 2024

API Changes

  • Added HTTP-authentication header consisting of a header name: X-API-KEY and value, individually set within application-configuration.
    • This is optional and will not break existing deployments unless the apiAuthentication.enabled is set to false
  • TSB now generates signatures in r,s,v format for the Ethereum-Blockchain, by specifying the (optional) attribute "signatureType": "ETH", on /v1/synchronousSign & /v1/sign
  • Added Approver-Management endpoints
    • Can be used to securely create approver's private keys with HSM-entropy wrapped and distributed to approvers within a pkcs12-container
    • for more info visit Approver Management API

Configuration Change

  • If approver-management shall be used the backup-key name must be defined

    • if hsm.backupKeyName is specified the SKA-key will be generated on TSB-startup with empty policy (that means all backupRestore procedures will be automatically approved)
      • Modify the key-policy by yourself if you want to have approved backup-restore.
    hsm:
    backupKeyName: approver-mgmt-backup-key-rsa-wrapping
  • You can configure HTTP Header Authentication the following:

    apiAuthentication:
    enabled: true
    keyManagementToken: ''
    keyOperationToken: ''
    approverToken: ''
    serviceToken: ''
    approverKeyManagementToken: ''

Bug fixes

  • Resolved an issue affecting ska-keys when used with an empty policy in conjunction with asynchronous requests in multitenant mode.

Securosys TSB 1.18.0

Issued: March, 07, 2024

API Changes

  • Improved Certificate Management with CSR, self-sign, sign requests using SKA-Keys

Documentation Change

  • Moved documentation of REST API & Transaction Security Broker to: /tsb/overview

Configuration Change

  • Fix deprecated useSSL in spring.datasource.url by using sslMode=false|true
  • If you have not already set the config-parameters, AND using Workflow-Engine (Asynchronous Tasks with SKA-Policy) set and adjust the following in your application-local.yml:
general:
maxTimestampDiffApprovalClient: 600 #in seconds
maxFutureTimestampDiffApprovalClient: 0 # in seconds, allows the timestamp to be allowed chosen in the future. Default 0 seconds.
hsmRequestsTimerServiceInterval: 60000 # in milliseconds, if not specified the hsm requests timer service is disabled
hsmRequestsTimerServiceMinLock: 0 # optional, default is 0s, lock hsm requests timer service for at least the specified value to prevent multiple executions
hsmRequestsTimerServiceMaxLock: 30 # optional, default is 30s, wait at most for the specified value in case the node doing the hsm requests timer service has problems
approvalTaskCleanupInterval: 300000 # in milliseconds, if not specified the approval task cleanup is disabled
approvalTaskCleanupMinLock: 0 # optional, default is 0s, lock approval task cleanup for at least the specified value to prevent multiple executions
approvalTaskCleanupMaxLock: 30 # optional, default is 30s, wait at most for the specified value in case the node doing the approval task cleanup has problems

Bug fixes

  • Fixed an issue with asynchronous close exception handling during scheduled logout procedures, particularly when the API is under heavy load. This resolves occurrences of TCP [RST] 500 errors that occurred in such scenarios.

Dependency Upgrades

  • Upgrade MariaDb Java Client to 3.3.2
  • Add Primus HSM Firmware support 3.0.6, 2.11.4

Securosys TSB 1.17.1

Issued: December, 11, 2023

API Changes

  • add support for Address generation for SKA-Keys on v1/key/import/plain && v1/key/importedKey
  • add support for SingatureAlgorithms on Signing endpoint to be used with pre-hashing the payload

Configuration Change

  • Splitted TLS and mTLS in configuration application-local.yml, to support server instances running TLS but without client Authentication (m)TLS
## HTTPS CONFIGURATION
tls:
# set to true if you want to use TLS (https)
enabled: false
keyStore: 'file:/etc/app/config/tls/securosys-ska-server.p12'
keyStorePassword: secret

## Trust-Store configuration (m)TLS
#server:
#ssl:
## add client certificates and/or CA's to the trustStore if you want mTLS, otherwise comment out.
#trust-store: 'file:/etc/app/config/tls/securosys-ska-truststore-server.jks'
#trust-store-password: secret # yourTrustStorePassword
#trust-store-type: jks
## (Enum: `need` [Client authentication is needed and mandatory], `none` [Client authentication is not wanted], `want` [Client authentication is wanted but not mandatory])
#client-auth: none

Bug fixes

  • fixed a multithreading issues on endpoint v1/certificate/synchronous/request

Securosys TSB 1.17.0.1

Issued: December, 7, 2023

Application Changes

  • If REST API was licensed, TSB tried to execute Approval Cleanup, which results in unlicensed timestamp creation, this is fixed now.

Logging Changes

  • Disabled <withJansi> in logback.xml template on the CONSOLE logger to prevent org.fusesource.jansi.AnsiConsole exception not found.

Security Patches

  • Bumped all dependencies to latest version and SpringBoot to 3.1.6
  • Updated MySQL to 8.1 in docker-compose.yml file

Securosys TSB 1.17.0

Issued: November, 6, 2023

API Changes

  • New endpoints support to create Self Signed Certificates, CSR & Attestation:
    • POST /v1/certificate/synchronous/create/selfSigned Endpoint to create a self-signed certificate
    • POST /v1/certificate/synchronous/request/download Endpoint to provide CSR-Filedownload with RSA Keys
    • POST /v1/certificate/request Endpoint to support CSR with SKA-Keys
    • POST /v1/key/keyAttestation Endpoint to generate key attestation files, to support the qualified Signature Workflow.
      • Namely:
        • <keyname>.sig --> The binary encoded signature
        • <keyname>.xml --> The xml format of the key's properties and capabilities
        • <keyname>.pem --> The Public Key of the Partition dependand Attestation-Key (Attestation-Key signs the key's xml)
        • PrimusHSM_Attestation.crt --> The certificate chain of the HSM.
        • README_PrimusHSM_AuditAndAttestation_AN-E01.md --> Guide on how to proof the authenticity and origin of the key.

Securosys TSB 1.16.1

Issued: October, 10, 2023

Take care

The MariaDB connector is now used instead of the MySQL connector. Follow the steps in the chapter Migration Steps

Application Changes

  • performance improvement on /v1/synchronousSign by 50%. This optimization ensures faster response times for cryptographic signing operations
  • performance improvement on /v1/synchronousDecrypt by 50%
  • Support for additional named EccCurves: "secp224k1: 1.3.132.0.32, secp224r1: 1.3.132.0.33, x962p239v1: 1.2.840.10045.3.1.1, x962p239v2: 1.2.840.10045.3.1.2, x962p239v3: 1.2.840.10045.3.1.3, brainpool224r1: 1.3.36.3.3.2.8.1.1.1, brainpool256r1: 1.3.36.3.3.2.8.1.1.7, brainpool320r1: 1.3.36.3.3.2.8.1.1.9, brainpool384r1: 1.3.36.3.3.2.8.1.1.11, brainpool512r1: 1.3.36.3.3.2.8.1.1.13, frp256v1: 1.2.250.1.223.101.256.1, Ed25519: 1.3.101.112
  • Support for Certificate Signing request with non-ska keys
  • Support for non-PKCS#8 DER encoded RSA-private keys import
  • Changed mysql-connector
  • Key-Usage Properties on CSR-generation are now marked as critical
  • The MariaDB connector is now used instead of the MySQL connector. MariaDB also supports the MySQL connector.

Migration Steps

  • If the config value spring.datasource.url starts with 'jdbc:mysql:' change it to 'jdbc:mariadb:'.

API Changes

  • POST /v1/key/attributes & /v1/derivedKey now returns derivation values (derivationType: "BIP32", derivationValue: "273C08290FA1734D77C5C1D9BDA9B123F5DA38C060AE5D64D5BE987377E71E63")
  • Support for ED-Derivation on all endpoints, bringing significant advancements in key management and performance for ED-keys.
  • Support for Unwrap EC-Keys with BIP32, enabling secure key management and derivation. The feature specifically caters to wrapped keys originating from a Primus HSM, enhancing security and interoperability.
  • New endpoints supporting Certificate Signing Requests:
    • POST /v1/certificate/synchronous/request Create a certificate request. After request the key contains a self-signed certificate, this certificate can be obtained by the endpoint GET /v1/certificate/{keyName}
    • POST /v1/certificate/import/plain Certificate import request, the key must exist, if a certificate already exists (e.g. self-signed), it will be overridden
    • GET /v1/certificate/{keyName} Returns the certificate of a key
    • DELETE /v1/certificate/{keyName} Deletes the certificate identified by the keyName from the HSM

Configuration Changes

  • New property added (optional): general.futureTimestampDiffApprovalClient in seconds, allows the timestamp to be chosen in the future. Default 0 seconds.

Bug fixes

  • Persisted (cached) derived keys were always rederived upon signing requests if specified with derivation path (/1'/2'/3), this is now fixed to use the derived key directly
  • Pending Tasks for session keys (cached-keys) are not deleted upon base_key deletion, this is now fixed
  • Approval on existing approver is rejected when adding new approver to the policy, this is now fixed
  • Multiple tokens with special configured timelock are never sent to HSM if signed from token2, this is fixed now and requests are sent to the HSM correctly

Securosys TSB 1.16.0

Issued: July, 28, 2023

Application Changes

  • performance improvement on /v1/synchronousSign by 50%, This optimization ensures faster response times for cryptographic signing operations

API Changes

  • POST /v1/key/attributes & /v1/derivedKey now returns derivation values (derivationType: "BIP32", derivationValue: "273C08290FA1734D77C5C1D9BDA9B123F5DA38C060AE5D64D5BE987377E71E63")
  • Support for ED-Derivation on all endpoints, bringing significant advancements in key management and performance for ED-keys.
  • Support for Unwarp EC-Keys with BIP32, enabling secure key management and derivation. The feature specifically caters to wrapped keys originating from a Primus HSM, enhancing security and interoperability.

Bug fixes

  • Persisted (cached) derived keys were always rederived upon signing requests if specified with derivation path (/1'/2'/3), this is now fixed to use the derived key directly

Securosys TSB 1.15.2

Issued: July, 19, 2023

API Changes

  • External KeyStore
    • Support for Modify, Block & Unblock
    • Support for Wrap & Unwrap
    • Support for delete key with password
    • External Keystore can now be used in multi-tenant mode
  • Added additional response field to encrypt request 'encryptedPayloadWithouthMAC' to support python users

Bug fixes

  • Fixed, multiple request executions in multi-tenant mode using GET /v1/request/{id} (a problem if block or modify requests are executed twice)

Configuration Changes

  • new optional application-property using built-in key replication service hsm.useKeyReplicationService: true for external KeyStore, rather than SQL clustering logic, slaveDatasource must be configured

Documentation Change

  • Documentation improvements on various places
  • Added template.yml to delivery files to show all configuration possibilities

Security

  • Bump to spring 3.0 and JDK 17

Securosys TSB 1.15.1.1

Issued: June, 12, 2023

Improvements

  • In rare cases a PrimusLogin.logout() can throw SleepInterrupedException which terminates/cancels/interrupts the workerthread on JCE. The InterruptException is now handled. This does not have impact on API-calls, since the call is already completely executed on the HSM upon throwing thread-local exception.

Securosys TSB 1.15.1

Issued: April, 11, 2023

API Changes

  • Allowed public key flags (encrypt, wrap, verify) on asymmetric keys upon key creation, endpoint: POST /v1/key
  • Support for tag_length for AES_GCM_NOPADDING ciphers on POST /v1/encrypt endpoint
  • Added Message Authentication Code is now returned as optional field in encrypt response POST /v1/encrypt. (The MAC is part of the encrypted payload, now MAC is copy-split based on tag_length and returned in its own field)
  • Added optional field signKeyObject on endpoints /v1/synchronousSign & /v1/verify to support operation with External Objects
  • Support for destroyable flag for External Storage
  • Support Bip32 Seed import for External Keystore

Documentation Change

  • Improve logging behaviour, for cleaner logging on level INFO

Securosys TSB 1.15.0

Issued: January, 06, 2023

API Changes

  • The new (optional) attribute copyable is added and can be sent alongside the following request. If set to true key's existing on the HSM can be externalized:
    • POST /v1/key
    • POST /v1/importedKey
    • POST /v1/key/import/plain
    • POST /v1/derivedKey
  • Fetching approval tasks is now possible by providing the approval requestID (optional). This is enabled on all Endpoints filtered*ApprovalTask.
  • New optional attribute UUID returned in key generation response.
  • Self crafted AuthorizationToken's working with external storage must contain the UUID not the key-label. (e.g. POST /v1/synchronousSign { "signRequest": { ... "signedApprovals": [ "AuthorizationTokenWithUUID" ], ... })

Configuration Changes

  • Support for Database master-slave replication. It is usually used to spread read access on multiple servers for scalability, although it can also be used for other purposes such as for failover, or active backup.
    • As the master-slave replication is a one-way replication (from master to slave), only the master database is used for the write operations, while read operations may be spread on multiple slave databases.
      • Replication needs to be configured on the Database level using the DB-Clustering Feature (supported for MySQL and MariaDB)
      • At least one datasource needs to be configured: spring.datasource. spring.slaveDatasource is optional.
      • Dockerized sample for database replication can be found in the config-files.
  • The (optional) property in application.yaml hsm.useExternalKeyStore: true can be used for key externalization. A license update is required.

Documentation Change

  • Added note to Swagger: SKA Key's with policy applied cannot be exported.

Security

  • Bump versions to latest.

Securosys TSB 1.14.2

Issued: April, 11, 2023

Improvements

  • Enhancement for temporarily derived EC-Keys (secp256k1) on retrieving key attributes, affects the following endpoints:
    • POST /v1/key/attributes
    • GET /v1/key/{keyName}/attributes
  • In special cases there was a sleep interrupt when closing the open HSM sessions. This is fixed now.

Configuration Changes

  • all application properties combined in one fileapplication-local.yml, take care to run the application with profile: spring.profiles.active=local this parameter searches for application-local.yml file

Changes in application-local.yml

  • swagger can be disabled: swaggerUI.enabled: false (recommended for productive usage)
  • mutual TLS configuration clientAuthentication: need [Client authentication is needed and mandatory], none [Client authentication is not wanted], want [Client authentication is wanted but not mandatory])
  • it is now possible to configure a slaveDatasource for db-replication (contact support for mysql db-replication setup)
  • template.yml added to show all configuration possibilities.

Documentation Change

  • Remark added on Endpoint PATCH /task, approval is still possible if quorum is not reached
  • Remark added on PolicyDTO, key with SKA policy cannot be exported
  • Remark added on ApprovalToBeSigned, Base64 encoded
  • Forward requests (/v1/sign, /v1/verify, ...) if key has policy and where only the rest_api was licensed to synchronous* endpoints

Security

  • CVE-2021-46877 jackson-databind vulnerability fix before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
  • Bump versions to latest.

Securosys TSB 1.14.1

Issued: December, 07, 2022

Bug fixes

  • Fix on Signing Payload with temporarily derived key after Key modification

Securosys TSB 1.14.0

Issued: October, 31, 2022

API Changes

  • Two new endpoints for ECIES file encryption were added POST /v1/fileEncrypt and /v1/synchronousFileDecrypt
  • Three new endpoints added for Key Requests with KeyPassword: /v1/key/attributes, /v1/key/address, /v1/key/export/plain
  • New Endpoint to change key password /v1/key/changePassword
  • Deprecated endpoint on swagger: GET /v1/key/attributes, GET /v1/key/address, GET /v1/key/export/plain
  • Endpoint POST v1/derivedKey and v1/verify supports now key with keyPassword set on the MasterKey.
  • /v1/filtered*approvalTask now returns MetaData and MetaDataSignature at DetailLevel 2, which increases performance of fetching tasks with metadata

Bug fixes

  • Fix Signature Request on derived key with an empty policy defined
  • Fix issue on get attributes on temporarily derived key

Configuration Changes

  • Specify the rate limits of Fileupload
    • spring.servlet.multipart.enabled ## enable ECIES fileupload
    • spring.servlet.multipart.max-file-size: 200MB ## specifies the maximum size permitted for uploaded files. The default is 1Mb.
    • spring.servlet.multipart.max-request-size: 210MB ## specifies the maximum size allowed for multipart/form-data requests. The default is 10Mb

Documentation Change

  • Swagger-UI now accessible under root path "/" and "/swagger-ui"
  • Sample to create a Bitcoin Key with more compliant policy has been added to the 2.6.2 Samples section

Securosys TSB 1.13.0

Issued: May, 30, 2022

API Changes

  • JWTs are now ignored on the endpoints POST /v1/filtered*ApprovalTask as currently no approval JWT is necessary. The unclear error message 'Can not log in with user secret as the Partition name is not set.' will therefore no longer appear.

Application Changes

  • The scheduled job ApprovalTaskCleanup can now be executed in multi-tenant mode when the Partition is onboarded.
  • The scheduled job HsmRequestsTimerService can now be executed in multi-tenant mode when the Partition is onboarded.

Configuration Changes

  • The config value general.hsmRequestsTimerServiceInterval which previously only worked in single-tenant mode can now be set in multi-tenant mode. Optionally the two config values general.hsmRequestsTimerServiceMinLock and general.hsmRequestsTimerServiceMaxLock can also be set.
  • The config value general.approvalTaskCleanupInterval which previously only worked in single-tenant mode can now be set in multi-tenant mode. Optionally the two config values general.approvalTaskCleanupMinLock and general.approvalTaskCleanupMaxLock can also be set.

Securosys TSB 1.12.0

Issued: May, 04, 2022

API changes

  • A request can now be cancelled which sets it to the new status CANCELLED and deletes the corresponding tasks (DELETE /v1/request/{id})
  • When a key is deleted the associated requests are set to the new status CANCELLED and the corresponding tasks are deleted (DELETE /v1/key/{keyName})
  • Improve description of a signedApproval (POST /v1/synchronousUnwrap, POST /v1/synchronousUnblock, POST /v1/synchronousSign, POST /v1/synchronousModify, POST /v1/synchronousDecrypt, POST /v1/synchronousBlock)
  • Importing a certificate to a private key is now possible. (POST /v1/key/import/plain). The following rules apply here:
    • A single private key, public key or certificate can now be imported
    • Key attributes are no longer required as importing a single public key or certificate does not require attributes to be set
    • An imported public key or certificate can be used for signature verification evenif no private key is assigned to it (/v1/verify)
    • A private key can either be imported with a public key or a certificate
    • Importing a single public key or certificate with an existing key name overwrites the existing public key/certificate but not the potentially assigned private key
    • Importing a private key with an existing key name is blocked
    • OpenSSL headers and footers are ignored

Bug fixes

  • Fix creating EC key with curve secp256r1 (POST /v1/key)

Securosys TSB 1.11.0

Issued: April, 21, 2022

API Changes

  • A key password can now be set when creating a key (/v1/key)
  • A key password can be defined for executing a request on the HSM (/v1/unwrap, /v1/unblock, /v1/sign, /v1/modify, /v1/decrypt, /v1/block, /v1/wrap, /v1/encrypt, /v1/synchronousUnwrap, /v1/synchronousUnblock, /v1/synchronousSign, /v1/synchronousModify, /v1/synchronousDecrypt, /v1/synchronousBlock)
  • A RFC timestamp can no longer be created if the RFC timestamp key is not defined in the config (/v1/createRfcTimestamp)

Configuration Changes

  • Specifying the RFC timestamp key is now optional (hsm.rfcTimestampKeyName)

Securosys TSB 1.10.0.1

Issued: April, 07, 2022

Security

In response to CVE-2022-22965 and CVE-2022-22950 the Spring Boot version was updated to 2.6.6.

Securosys TSB 1.5.1.2

Issued: April, 07, 2022

Security

In response to CVE-2022-22965 and CVE-2022-22950 the Spring Boot version was updated to 2.6.6.

Securosys TSB 1.10.0

Issued: March, 16, 2022

API Changes

  • Importing an ED key is now supported (/v1/key/import/plain)
  • ED keys can now be wrapped and unwrapped using wrap method AES_WRAP_ED or AES_WRAP_PAD_ED (/v1/wrap, /v1/synchronousUnwrap, /v1/unwrap)
  • A policy can now be specified when synchronously unwrapping a key (/v1/synchronousUnwrap)
  • Improved error message in various places
  • Improved and corrected API description in various places

Securosys TSB 1.9.0

Issued: February, 11, 2022

API Changes

  • A new section 'Synchronous Key Operations' is added to the API documentation which contains all synchronous endpoints that can be accessed with the RestAPI license.
  • A timestamp signer can now fetch all tasks of every approver instead of needing to specify a specific approver. In multi-tenant mode the access is still restricted by the Partitions that are available to a timestamp signer. (/v1/filtered*KeyApprovalTask)
  • The key store statistics can now be fetched (/v1//keystore/statistics)
  • When deriving a key the key attributes can now be specified. If no key attributes are specified the key attributes for the base key are fetched and applied. (/v1/derivedKey)

Bug fixes

  • Fix license that was shown as unknown when retrieving the client flags (GET /v1/licenseInfo)
  • Attribute 'format' is removed from response when receiving address from a key as it always contained the value 'null' (/v1/key/{keyName}/address)
  • Various API documentation fixes and additions

Securosys TSB 1.8.0

Issued: February, 01, 2022

Application Changes

  • A connection to the HSM is now disconnected if no requests for a Partition happens in a specific amount of time.

Config Template Changes

  • The config files are rearranged and restructured for docker-compose:
    • Removed .template file ending
    • Adapted comments and default values in application-local.yml
    • Moved logback.xml to /log
    • Added docker-compose.yml
  • hsm.timeout is added that specifies the amount of time until a disconnect for an HSM connection happens.

Securosys TSB 1.7.0.1

Issued: January, 13, 2022

Security

In response to CVE-2021-42550 the logback version was updated to 1.2.9.

Securosys TSB 1.7.0

Issued: November, 11th, 2021

API Changes

  • A specific approval task can now be fetched using its id (POST /v1/filtered*ApprovalTask)
  • The new attribute onboardPartition is added to the access token to control Partition onboarding in multi-tenant mode
  • The new optional attribute signedApprovals is added to the synchronous sign, decrypt and unwrap endpoints where SignedApprovals can be sent alongside the request. This enables to execute these operations with SKA keys. (POST /v1/synchronousSign, POST /v1/synchronousDecrypt, POST /v1/synchronousUnwrap)
  • Endpoints for synchronous block, unblock and modify were added which enables to use these operations with SKA keys (POST /v1/synchronousBlock, POST /v1/synchronousUnblock, POST /v1/synchronousModify)

Bug fixes

  • An unwanted exception was thrown when the scheduled process approvalTaskCleanup was executed in multi-tenant mode. This is fixed and instead a warning is logged that recommends to remove the corresponding config values to disable the scheduled service.

Securosys TSB 1.6.0

Issued: October, 4th, 2021

API Changes

  • An endpoint is added to create a RFC3161 timestamp. (POST /v1/createRfcTimestamp)
  • An EC Key with a custom curve can now be created. The custom curve must be in the regex-format [0-9]+.a[0-9]+.b[0-9]+.x[0-9]+.y[0-9]+.g[0-9]+.h[0-9]+. (POST /v1/key)

Bug fixes

  • The warning 'Found explicit default persistence unit with name 'SECUROSYS-UNIT' in persistence.xml - overriding local default persistence unit settings (packagesToScan/mappingResources)' is now fixed.
  • The warning 'spring.jpa.open-in-view is enabled by default. Therefore, database queries may be performed during view rendering. Explicitly configure spring.jpa.open-in-view to disable this warning' is now fixed.

Config Template Changes

  • A value is added to define the name of a rfc timestamp key. (hsm.rfcTimestampKeyName)

Application Changes

  • The MySQL connector is now used instead of the MariaDB connector to better support MySQL databases. MariaDB also supports the MySQL connector.

Migration Steps

  • If the config value spring.datasource.url starts with 'jdbc:mariadb:' change it to 'jdbc:mysql:'.
  • The config value spring.datasource.driverClassName must be removed.
  • The new config value hsm.rfcTimestampKeyName must be set.

Dockerfile Changes for Mainframe Release

  • Replaced 'ENV spring.config.location "/etc/app/config/"' with 'ENV spring.config.additional-location "/etc/app/config/"'.

Securosys TSB 1.5.1

Issued: September, 10th, 2021

Config Template Changes

  • Default interval config values for scheduled services were adapted in the template to more sensible values.
  • Description for interval config values for scheduled services were improved in the template.

Bug fixes

  • When a Partition was onboarding then using a token containing an encrypted Partition access token for future api calls would result in an error (LazyInitializationException). This is now fixed.
  • Removing interval config values for scheduled services is now possible again.
  • Default values for minLock and maxLock for scheduled services are now correctly set.

Migration Steps

  • There are no mandatory migration steps but it is recommended to check the config template changes and copy the desired changes into the config

Securosys TSB 1.5.0

Issued: August, 20th, 2021

API Changes

  • The flags modifiable, destroyable and private can now be optionally set for a data object (POST /v1/dataObject) and are now returned when fetching a data object GET /v1/dataObject/{dataObjectName}
  • An endpoint is added to fetch random bytes with a specific length from the HSM (GET /v1/generateRandom/{length})
  • Support for wrapping and unwrapping a BLS key is added (POST /v1/wrap and POST /v1/unwrap)
  • An endpoint for a synchronous unwrap is added (POST /v1/synchronousUnwrap)
  • The new optional attribute allowedTimestampSigningCertificateFingerprints is added to Partition access tokens. Configured certificates are allowed to fetch and delete all tasks for an approver on the onboarded Partition.

Configuration Changes

  • A value is added to define a certificate that is allowed to fetch and delete all tasks for an approver (general.allowedTimestampSigningCertificates)
  • A value is added to set the maximum allowed time difference between the system and the HSM. If this value is exceeded a warning is logged (hsm.maxTimeDifferenceToHsm)

Bug fixes

  • The attestation and integration keys were previously not automatically set up if the TSB runs in JWT mode. Now the keys are automatically initialized on the first request.
  • When the proxy password was not set in the Partition access token the Partition could not be onboarded. This is now fixed.
  • Deleting a task in multi-tenant mode resulted in a res.error.insufficient.login.information error. This is now fixed.
  • The task that sends approved requests to the HSM in a later time window is now again properly scheduled
Get started withCloudHSM for free.
Other questions?Ask Sales.
Feedback
Need help?