Releases: a-sit-plus/signum

3.18.2 / Supreme 0.10.2

29 Oct 18:14

  • Fixes
    • Fix memory management on iOS
  • Dependency Updates:
    • Kotlin 2.2.21
    • Kotlinx.io 0.8.0
    • crypto-rand 0.6.0
  • Build Setup:
    • Remove Swift-Klib and massively clean up Swift Interop

3.18.1 / Supreme 0.10.1

26 Oct 20:53

Fix Android target pulling in JDK-21-specifics (KT-71375)

3.18.0 / Supreme 0.10.0

22 Oct 21:45

  • Fixes:
    • Fix memleak on iOS targets
    • Add stricter length checks to be more resilient towards adversarial inputs
    • Fix RSA signing on Android
    • Correct serialization logic for symmetric CoseKey in CoseKeySerializer
    • Fix prettyPrint for structures
  • Asn1String revamp
    • Deprecated Asn1Primitive.asAsn1String(), moved decoding logic into Asn1String.doDecode()
    • Added specific decodeTo functions in Asn1Primitive for every string type, following the usual pattern for decoding primitives. When dealing with implicit tags, the caller should call the function for decoding the specific string type. A call like Asn1String.decodeFromTlv() expects an explicit tag.
    • Added Asn1String.rawValue property storing the raw ByteArray of the string. It is used in checks for several charsets and for re-encoding: an Asn1String is encoded exactly as it was before decoding.
  • Add COSE_Mac0 support with CoseMac class
  • Introduce ProtectedCoseHeaderSerializer for serialization/deserialization of the protected header
  • Replace raw-byte protected header and its ByteArray extension serialization with CoseHeader using the new serializer
  • Allow overriding randomness source for symmetric key generation
    • requires HazMat opt in
    • provides only secure random (insecure/test/faux RNGs need to be implemented by consumers)
  • Extend properties in JweHeader
  • Strictly enforce RFC3394 key wrapping on Android
  • Build Setup:
    • Kotlin 2.2.20
    • TestBalloon-powered tests
    • New KMP-AGP Plugin
    • Raise Android minSDK to 26 (Android 8.0 Oreo)
    • Make it possible to disable all apple targets by setting Gradle property disableAppleTargets=true (either through gradle.properties/local.properties or as env variable)
    • Auto-setup unsupported JVM toolchains

3.17.0 (Supreme 0.9.0)

22 Jul 22:30

  • KDF Support
    • PBKDF2
    • HKDF
    • scrypt
  • RSA encryption using in-memory keys (no hardware-backed key management yet)
  • X.509 Revamp
    • Introduce X509SignatureAlgorithmDescription, which is the OID + params pair that identifies an X509SignatureAlgorithm
      • Instances of X509SignatureAlgorithm represent algorithms that are known to Signum
      • Test .isSupported() or .requireSupported() (with contract smart-cast support)
    • X509Certificate and Pkcs10CertificationRequest now use X509SignatureAlgorithmDescription to represent a non-validated signature algorithm
    • Refactor X509Certificate and TbsCertificate to store the raw signature as Asn1Primitive and the raw public key as Asn1Sequence enabling support for certificates with unsupported signature algorithms
      • Use the new KmmResult-returning decodedSignature and decodedPublicKey members to replace publicKey and signature, respectively.
      • The old publicKey and signature are being deprecated.
    • Refactor Pkcs10CertificationRequest to store the raw signature as Asn1Primitive enabling unsupported signature algorithms
      • Use the new KmmResult-returning decodedSignature and decodedPublicKey, respectively.
  • Add structured iterator-based decoding of Asn1Structure. Asn1Structure now implements Iterable<Asn1Element>:
    • Deprecate child accessors in Asn1Structure with deprecation level ERROR:
      • nextChild()
      • nextChildOrNull()
      • hasMoreChildren()
      • peek()
    • Add inner Iterator for child accesses
      • Add Iterator.reversed() method for getting a new iterator from an existing one, but with reversed direction, keeping the current index
      • Add Asn1Structure.reverseIterator() to get a reversed iterator right away, to iterate over all child elements in reverse.
    • Add decodeAs() for decoding ASN.1 structures via iterator-based lambda, moved trailing data check from decodeFromTlv() to decodeAs()
    • Refactor doDecode() implementations in Asn1Structure subclasses to use the new decodeAs() iterator-based API instead of deprecated child access methods.
  • Add SpecializedSymmetricEncryptionAlgorithm
    • This allows randomKey() etc to operate on COSE/JWE algorithms
  • Move constants of KnownOIDs into a discrete module indispensable-oids as extensions on the KnownOIDs object
    • → update your imports!
  • ASN.1 polishing:
    • rename Asn1Element.length property to Asn1Element.contentLength (and add a delegate with the old name and deprecation annotation to the new property)
    • Add missing Asn1.Real shorthand to the ASN.1 builder
    • Add Asn1Null constant
    • Add human-readable ASN.1 element prettyPrint() method
    • Make Asn1OctetString interface sealed
  • Strippable KnownOIDs
    • Move KnownOIDs into a discrete module indispensable-oids
  • OID descriptions:
    • KnownOIDs now implements MutableMap<ObjectIdentifier, String> to store and look up descriptions of Object Identifiers
    • OIDs can hence be described using KnownOIDs[theExpressionistsOid] = "Edvard Munch"
    • OID descriptions are exposed in accordance with the map interface: KnownOIDs[theExpressionistsOid] will yield "Edvard Munch" if this description was added prior.
    • All OIDs present in KnownOIDs shipped with the indispensable-oids module come with a description. To actually add them to all known descriptions, call KnownOIDs.describeAll() once.
  • Deprecate serialize() and deserialize() methods in COSE + JOSE data classes
  • Clean up some function signatures:
    • SymmetricKey.toJsonWebKey now returns KmmResult
    • SymmetricEncryptionAlgorithm.toJweKwAlgorithm now returns KmmResult
    • SymmetricEncryptionAlgorithm.toJweEncryptionAlgorithm removed
  • In JwsHeader add property vcTypeMetadata with key vctm, see SD-JWT VC
  • Dependency Updates:
    • Kotlin 2.2.0
    • AGP 8.10.0
    • kotlincrypto:secure-random:0.3.2 -> kotlincrypto.random:crypto-rand:0.5.0
      • This fixes key generation in WASM/JS
    • kotlinx.io 0.7.0
    • Update to kotlinx.datetime 0.7.1.
      • This moves Instant and Clock to stdlib
      • (but introduces typealiases for easier migration)
      • Also forces serialization 1.9.0
    • Update to latest conventions plugin:
      • Bouncy Castle 1.81!!
      • Serialization 1.9.0
      • Coroutines 1.10.2
      • Ktor 3.2.2
      • Kotest 6.0.0.M5

3.16.3 / 0.8.3 indispensable-only Hotfix

24 Jun 10:01

  • Fix erroneous Base64URL encoding in JOSE data classes
    • toString() of X509Certificate and TbsCertificate have also been adapted to use Base64 Strict
  • Add missing serializers in addition to Base64Url encoding:
    • X509CertificateBase64Serializer
    • CertificateChainBase64Serializer
  • More targets:
    • watchosSimulatorArm64
    • watchosX64
    • watchosArm32
    • watchosArm64
    • androidNativeX64
    • androidNativeX86
    • androidNativeArm32
    • androidNativeArm64
    • watchosArm64 (ASN.1-only!)
  • Drop OKIO dependency from indispensable-josef, which was only ever used to compute a SHA-256 thumbprint, and replace it with a pure Kotlin SHA-256 implementation

3.16.2 / 0.8.3 Supreme-Only Hotfix

13 Jun 16:39

  • Set minimum iOS version to 15
  • Fix Swift compat linker errors (closes #280)

3.6.2 (Supreme 0.8.2) Lower minSDK

02 Jun 09:05

  • Lower Android minSDK to 21 (5.0 Lollipop) for all modules except Supreme
  • Update AGP to 8.6.1
  • Dependency Updates:
    • KmmResult 1.9.2 (for Android SDK 21 compat)

3.6.1 (Supreme 0.8.1) Hotfix

10 Apr 14:12

  • Generalized, proper COSE to MAC mapping, preventing unexpected behaviour for HS265_24

3.16.0 (Supreme 0.8.0)

09 Apr 19:22

Symmetric Encryption and Major Cleanups

  • Note: All debug-only kotlinx.serialization for cryptographic datatypes like certificates, public keys, etc. was removed!

    • We support robust ASN.1 encoding and mapping from/to JOSE and COSE datatypes and our ASN.1 structures support pretty printing.
    • -> There is no need for this misleading serialization support for debugging anymore.
    • @Serializable suggests deserialization from JSON, CBOR, etc. works, which was never universally true.
    • Getting native ASN.1 serialization for kotlinx-serialization is now a no-brainer given we support every primitive required.
    • Serializers like X509CertificateBase64UrlSerializer are here to stay because those are universally useful!
    • ObjectIdSerializer was renamed to ObjectIdentifierStringSerializer
  • HMAC Support

    • This finally cleans up the RSAorHMAC mess, which is a breaking change
    • Introduce umbrella DataIntegrityAlgorithms, which is the parent of SignatureAlgorithm and MessageAuthenticationCode
    • JwsAlgorithm and CoseAlgorithm are now abstract, having subclasses.
    • JwsAlgorithms and CoseAlgorithms are now available under .Signature and .MAC respectively. There are no toplevel constants of predefined algorithms anymore!
  • Symmetric Encryption

    • Supported Algorithms
      • AES
        • GCM
        • CBC-HMAC
        • CBC
        • ECB
        • KW
      • ChaCha-Poly1305
    • Add algorithm mappings to indispensable-josef. This is a binary-incompatible change.
      • ivLength and encryptionKeyLength now return BitLength instead of Int
      • text is now properly called identifier
  • Move HazardousMaterials annotation from supreme to indispensable. This is a breaking change.

  • Move SecretExposure annotation from supreme to indispensable. This is a breaking change.

  • Expose SecureRandom as API dependency in indispensable

  • Rename CoseAlgorithm.value -> CoseAlgorithm.coseValue

  • Fix COSE key parsing for unordered properties

  • Remove code elements deprecated in 3.15.0, related to OID4VCI and HAIP

3.15.2

27 Mar 15:35

Parse not-implemented EC curves as null, e.g. in JSON Web Keys.

This release does not contain a new Supreme version, as it is unaffected by these changes.