Changelog

View Source

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

Unreleased

0.7.0 - 2026-02-01

Added

  • Error test vector validation suite with 4,240 negative test cases (#77)
  • Compressed EC public key decompression for P-256 and P-384 curves (#77)
  • Multi-curve ECDSA signature verification supporting SHA-256/secp256r1 and SHA-384/secp384r1 (#77)
  • API mismatch test validating unsigned-only streaming decryption mode (#77)
  • Comprehensive error categorization (bit flip, truncation, API mismatch, other) (#77)
  • Full test vector runner executing 2,861 success test vectors via complete decrypt flow (#76)
  • Comprehensive test coverage for all 11 ESDK algorithm suites including committed suites (0x0478, 0x0578)
  • Test vector filtering helpers (success/error tests, raw key tests, encryption algorithm filters)
  • Automatic test vector execution in CI with caching for performance
  • EDK-based key name extraction for accurate keyring configuration
  • Non-AWS encryption examples for local key usage without AWS credentials (#74)
  • Raw AES example demonstrating all key sizes (128/192/256-bit) with encryption context
  • Raw RSA example with all 5 padding schemes and PEM key loading from environment variables
  • Multi-keyring local example showing key redundancy and rotation patterns
  • API Stability Policy guide documenting semantic versioning and breaking change policy (#72)
  • Comprehensive module grouping in Hex docs for all keyrings, CMMs, caching, and streaming modules (#72)
  • User guides for Getting Started, Choosing Components, and Security Best Practices (#73)
  • Automated testing for guide code examples with extraction and validation (#73)
  • Advanced feature examples demonstrating streaming, caching, and required encryption context (#75)
  • Streaming file encryption example with 10MB test file and memory-efficient processing
  • Caching CMM example showing 2x performance improvement for high-throughput scenarios
  • Required Encryption Context example enforcing mandatory context keys for compliance

Changed

  • README updated for v1.0.0 preparation with pre-release messaging removed (#79)
  • Feature list converted to clean presentation without checkmark indicators (#79)
  • Test statistics updated to reflect current 852 passing tests (#79)
  • Documentation section added with links to guides, examples, and API reference (#79)
  • Test vectors now run by default when available, improving from 91.8% to 92.6% code coverage (#76)
  • Header authentication now uses full encryption context with required key filtering for spec compliance (#76)
  • Algorithm suite deprecation warnings removed for cleaner test output (#76)
  • Consolidated CHANGELOG entries to improve readability and scannability (#81)
  • Enhanced streaming module documentation with usage guidance, memory efficiency details, and verification handling (#72)
  • Examples reorganized into complexity-based subdirectories (01_basics, 02_advanced, 03_aws_kms) (#75)
  • Examples README updated with category-based navigation and quick start commands

Fixed

  • ECDSA signature verification now handles compressed EC public keys (0x02/0x03 prefix) (#77)
  • Signature verification uses correct hash algorithm and curve based on algorithm suite (#77)
  • Header body serialization to include version/type bytes in AAD computation per spec (#76)
  • Required encryption context filtering in header authentication tag computation (#76)
  • CMM test vector helpers to extract key names from EDK provider_info (#76)
  • Dialyzer typespec for compute_header_auth_tag/4 to allow nil for optional parameter (#76)
  • RSA keyring PEM loading to correctly decode keys using pem_entry_decode instead of der_decode (#74)
  • All KMS examples updated to use correct Client API format (map-based return values)
  • Client module now supports Caching CMM in dispatch clauses for encryption and decryption (#75)

0.6.0 - 2026-01-31

Added

  • Streaming encryption and decryption APIs for memory-efficient processing of large data (#60)
  • Caching CMM for reducing expensive key provider calls with TTL and usage limits (#61)
  • Required Encryption Context CMM for enforcing critical AAD keys during encryption/decryption (#62)

Changed

  • Integration tests now run by default in CI (#68)
  • Coverage threshold adjusted from 94% to 92%

Fixed

  • KMS integration tests skip gracefully when AWS credentials unavailable (#68)

Removed

  • Temporary coveralls-ignore markers (#68)

0.5.0 - 2026-01-28

Added

  • AWS KMS Keyring for encrypting/decrypting data keys with AWS KMS (#48)
  • AWS KMS Discovery Keyring for decrypt-only operations without specifying key ARN (#49)
  • AWS KMS MRK Keyrings for cross-region Multi-Region Key decryption and disaster recovery (#50, #51)
  • Multi-keyring enhancements: KMS generator validation, convenience constructors for MRK scenarios (#52)
  • KMS client abstraction layer with ExAws implementation and mock for testing (#46, #47)
  • Comprehensive documentation for AWS KMS keyrings with examples and usage guide (#53)

Changed

  • Increased minimum code coverage requirement from 93% to 94%

0.4.0 - 2026-01-27

Added

  • CMM (Cryptographic Materials Manager) behaviour interface with commitment policy support (#36)
  • Default CMM implementation with keyring orchestration and ECDSA signing (#37)
  • Client module with encrypt/decrypt APIs and commitment policy enforcement (#38, #39)
  • Support for all 17 algorithm suites including signing and non-signing variants
  • EDK count limit enforcement (max_encrypted_data_keys configuration)

Changed

  • Main API now recommends Client-based encryption workflow
  • Renamed encrypt/decrypt to encrypt_with_materials/decrypt_with_materials
  • Increased minimum code coverage requirement from 92% to 93%

0.3.0 - 2026-01-26

Added

  • Multi-Keyring for composing multiple keyrings with generator and child key support (#28)
  • Raw RSA Keyring with support for PKCS1 v1.5 and OAEP padding schemes (#27)

Changed

  • Increased minimum code coverage requirement from 90% to 92%

0.2.0 - 2026-01-25

Added

  • Keyring behaviour interface with on_encrypt/on_decrypt callbacks (#25)
  • Raw AES Keyring with AES-128/192/256 support (#26)
  • GitHub Actions CI workflow with Elixir 1.16-1.18 and OTP 26-27 test matrix (#15)
  • /release skill for automated version releases (#30)

Changed

  • Minimum Elixir version requirement from 1.18 to 1.16
  • Minimum OTP version requirement to 26

0.1.0 - 2025-01-12

Added

  • Initial project structure with Apache License 2.0 and contribution guidelines (#20)
  • Algorithm suite definitions for all 11 ESDK suites with commitment and signing support (#7)
  • HKDF key derivation implementation per RFC 5869 (#8)
  • Message format serialization supporting header v1/v2, framed/non-framed body, and footer (#9)
  • Basic encryption and decryption operations with AES-GCM and key commitment (#10)
  • Test vector harness for AWS Encryption SDK compatibility testing (#13)