New features:

- Added support for more signing algorithms, notably Ed25519, ES256, PS256, but also ES384, PS384, PS512, RS384, RS512.
- The `providers` config section can now also be a list (instead of a map), in which case a name is derived from `issuer`.

Breaking changes:

- Diridp now incorporates the ring crate, which introduces portions of code using the OpenSSL license to the diridp build.
- It is now required to define signing keys for providers in configuration. The previous default was hardcoded RS256, and you may keep using this type of signing key by simply adding the following to your provider config:

      keys:
        - alg: RS256

- Some provider configuration properties have been moved to be made per signing key:

      providers[].keys_dir           -> providers[].keys[].dir
      providers[].key_lifespan       -> providers[].keys[].lifespan
      providers[].key_publish_margin -> providers[].keys[].publish_margin

- The default location of signing keys on disk has changed. If you relied on the default location (i.e. did not override it using `keys_dir`), you should move your old keys to the new location to prevent accidental rekeying:

      cd /var/lib/diridp/PROVIDER/keys
      mkdir RS256
      mv index.json key-*.pem RS256/