Machina Tools SDK Release Notes v 2.1

Introduction

Welcome to the 2.1 release of the Machina SDK. This release contains significant changes to the underlying cryptography, including the integration (by default) of the FIPS-validated version of the OpenSSL open source library.

Details are summarized below.

New Features / Improvements

CryptoPP Usage Mostly Replaced with OpenSSL

• SDK usage of the CryptoPP cryptography library has been replaced with the OpenSSL v1.0.2 library, which is FIPS 140-2 validated.
• CryptoPP usage is limited to use of the Shamir Secret Sharing algorithm (used in ISCryptoSecretSharePersistor).

Alternative Cryptography Library (Platform-Specific) Available

• The SDK package includes an additional platform-specific implementation of the CryptoAbstract interface. This library may be used instead of the OpenSSL FIPS implementation if needed, in order to work around cross-platform limitations.
• The ISCrypto::setCryptoSharedLibraryLoadedFilename() and ISCrypto::getCryptoSharedLibraryLoadedFilename() APIs have been added to ascertain the version of the loaded cryptography library.

MacOS KeyVault Enhancement

An optional ISKeyVaultMac::enableUniqueKeyPerVault() call has been implemented, allowing multiple KeyVault files to exist in different filesystem locations, each with a unique encryption key.

Identity Assertion Validation API Available

The API ISAgent::validateAssertion() has been added, allowing SDK users to verify the authenticity of identity assertions generated both externally, and by the SDK.

Create Identity Assertion API Uses Default Nonce When None Provided

On use of SDK identity assertion APIs, a default nonce is provided when no nonce is supplied by the caller.

• ISAgent::createIdentityAssertion()
• ISAgent::validateAssertion()

Additional Documentation Included with Release Distributable

The SDK release distributable now includes the following documents, in markdown and html formats:

• README, describing high-level SDK project functionality
• LICENSE, providing the Machina license agreement for Ionic resources
• CHANGELOG, with line items providing summary information about the issues included in each release
• RELEASE_NOTES, detailing the features and fixes included in the release

Machina Service Policy Decision Simulation Support

The SDK now allows the use of a flag when calling CreateKey to perform a policy evaluation at the service without creating any keys.

Issues Addressed

• A logging issue has been addressed in the OpenXml file cipher when reading unexpected content from a PowerPoint file.
• Issues have been corrected that caused some doxygen documentation to be excluded from the SDK distributables.
• Additional content has been added to the documentation for the class ISFileCryptoCipherGeneric.
• The ISCrypto library module now includes additional logging, in order to easily diagnose usage issues.
• The language level of the SDK source has been updated to C++ 11.
• Issues have been addressed with the documentation of the ProfilePersistor classes, and their relationship to the base Agent class.
• Information about password length requirements has been added to the documentation for IonicAgentDeviceProfilePersistorPassword.
• KeyVault requests now properly filter expired keys out of responses.
• The documentation for the CreateKey operation notes the service limitation on the number of newly created keys that may be requested in a single request.

Discontinued Support

• None.

Additional Notes

• Since Crypto initialization now loads a library module dynamically, it should not be called in startup code.

Supported Platforms

The Machina SDK is tested against the following platform configurations: