[5.16.0] - 2026-02-04
🚀 Features
- Add PQC hybridized KEM support via `cosmian_cover_crypt`:
  - The Cosmian KMS supports Post-Quantum Cryptography (PQC) hybridized Key Encapsulation Mechanisms (KEM) via the `cosmian_cover_crypt` crate. This crate provides a configurable KEM framework that can operate in pure classical, pure post-quantum, or hybrid mode by combining a pre-quantum KEM with a post-quantum KEM through a KEM combiner (using SHA-256).
  - Server supports `CreateKeyPair` for Configurable-KEM and `Encrypt`/`Decrypt` encapsulation/decapsulation flows.
- Add server-side KMIP algorithm policy allowlists (enforcement via `kmip.policy_id` and `[kmip.allowlists]`) (#700)
  - `kmip.policy_id` selects a policy (case-insensitive):
    - `DEFAULT`: built-in conservative allowlists (e.g., SHA-2/3, P-256/P-384/P-521 + Curve25519/448, AEAD/wrapping modes, OAEP/PSS/PKCS5, RSA 3072/4096).
    - `CUSTOM`: enforce the allowlists you set under `[kmip.allowlists]`.
  - If `kmip.policy_id` is unset, the KMIP policy layer is disabled.
  - `None` vs `[]` semantics (for each allowlist): `None` means "no restriction", while an empty list `[]` means "deny all" when enforcement is enabled.
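The following is an added illustration of the policy-selection and `None` vs `[]` semantics described above; it is example code, not the KMS's own implementation. The allowlist category names (`hashing_algorithms`, `rsa_key_sizes`), the reduced `DEFAULT` contents, and the decision to reject an unknown `policy_id` are assumptions for the demo.

```python
from typing import Optional

# Assumed, reduced stand-in for the built-in DEFAULT policy. The real
# DEFAULT covers more categories; these key names are NOT the KMS's TOML keys.
DEFAULT_ALLOWLISTS = {
    "hashing_algorithms": ["SHA256", "SHA384", "SHA512", "SHA3-256"],
    "rsa_key_sizes": [3072, 4096],
}

# Constructed example mirroring a [kmip] section with policy_id = "CUSTOM"
# and [kmip.allowlists] that sets hashing_algorithms = [] (deny all hashes)
# while leaving rsa_key_sizes unset (no restriction on RSA key sizes).
CUSTOM_KMIP_CONFIG = {
    "policy_id": "CUSTOM",
    "allowlists": {"hashing_algorithms": []},
}


def kmip_allowed(kmip_cfg: dict, category: str, value) -> bool:
    """Return True if `value` is permitted for `category` under the [kmip] config.

    Semantics taken from the changelog entry:
      - policy_id unset            -> policy layer disabled, nothing is restricted
      - policy_id == DEFAULT       -> built-in conservative allowlists
      - policy_id == CUSTOM        -> allowlists from [kmip.allowlists]
      - a category set to None     -> "no restriction" for that category
      - a category set to []       -> "deny all" for that category
    Matching on policy_id is case-insensitive.
    """
    policy_id = kmip_cfg.get("policy_id")
    if policy_id is None:
        return True  # policy layer disabled

    policy = policy_id.upper()
    if policy == "DEFAULT":
        allowlists = DEFAULT_ALLOWLISTS
    elif policy == "CUSTOM":
        allowlists = kmip_cfg.get("allowlists", {})
    else:
        # Assumption for the demo: an unknown policy id is a configuration error.
        raise ValueError(f"unknown kmip.policy_id: {policy_id!r}")

    allowed: Optional[list] = allowlists.get(category)
    if allowed is None:
        return True  # None: no restriction on this category
    return value in allowed  # []: denies everything; otherwise exact membership
```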
- (UI) Runtime branding support via `/ui/branding.json` (title, theme, and favicon resolved before React renders)
- Theme asset support under `/ui/themes/<theme>/...` with Ant Design token overrides
- Replace the example theme favicons with neutral, non-Cosmian icons
- (docs) Add post-install UI branding / theme override guide (paths under `/usr/local/cosmian/ui/dist/`)
- (packaging) Include nested UI theme assets in Linux packages (recursive `dist/**/*` globs)
- (nix) Stage and validate UI `dist/` content during packaging (checks `index.html`, `assets/`, `themes/`, `branding.json`)
🐛 Bug Fixes
- Fix SQL Locate request for OpenTelemetry metrics collector (#694):
  - Refactored SQL Locate query building in `locate_query.rs` to use bound, typed parameters (`LocateQuery` + `LocateParam`) instead of interpolating values into SQL (safer, and fixes type/cast handling across SQLite/Postgres/MySQL).
  - Updated the SQL backends to consume the new `LocateQuery` API: `crate/server_database/src/stores/sql/{mysql,pgsql,sqlite}.rs`.
  - Improved DB test error context in `json_access_test.rs` to make failures easier to diagnose.
  - OpenTelemetry wiring updates:
    - `mod.rs`: add OTEL resource attributes (service name/version + optional environment).
    - `otel_metrics.rs`: ensure the `active_keys_count` time series exists even when 0.
    - `cron.rs`: fall back to the default username if `hsm_admin` is empty.
- Fix regression on KMIP 1.0 (Fresh and InitialDate attributes) (#689)
- Fix Linux packaging smoke tests when the host has `/etc/cosmian/kms.toml` present by running with an explicit temp config.
- Make OpenTelemetry export tests resilient under FIPS Nix shells by running `curl` in a clean environment (avoid inherited OpenSSL/LD overrides).
- (ui) Azure BYOK export (#697)
⚙️ Build
- Nix builds now target GLIBC ≤ 2.34 (Rocky Linux 9 compatibility) by updating pins and building Linux OpenSSL/server outputs against a glibc 2.34 stdenv; server vendor hash expectations are split by static/dynamic on Linux.
- SBOM generation improvements:
  - `.github/scripts/nix.sh sbom` strictly validates `--target`/`--variant`/`--link`, defaults to generating all combinations, and supports generating a specific server subset.
  - SBOM tooling runs in an isolated workdir to avoid stray repo-root artifacts, keeps only the final `sbom.csv` + `vulns.csv` reports per output directory, and deduplicates CVE rows in-place (via `nix/scripts/dedup_cves.py`, with the optional filtering helper `nix/scripts/filter_vulns.py`).
- (deps) Bump jsonwebtoken in the cargo group across 1 directory (#702)
- (deps) Bump bytes in the cargo group across 1 directory (#703)
- (deps) Bump time in the cargo group across 1 directory (#706)
- (deps) Bump actix-files in the cargo group across 1 directory (#707)
📚 Documentation
- Update SBOM documentation to match the generator output layout and behavior.
- Update OpenSSL versions (#713)