v5.4.12

• Updated dependencies with vulnerabilities
• Fixed issue with failed network events giving errors at startup

Full Changelog: v5.4.11...v5.4.12

v6.0.0

Full Changelog: v5.4.0...v6.0.0

Breaking changes

• Container user has changed from root to 18081.
  When migrating from v5, change the owner of the data directory on the host to that of the container's user. (chown -R 18081:18081 /path/to/host/data-dir)
• Docker image tags have been changed: previously version tags had were prefixed with v (e.g., v5.0.0), this prefix has been dropped to better adhere to industry standards.
• The VDR v1 createDID (POST /internal/vdr/v1/did) no longer supports the controller and selfControl fields. All did:nuts documents are now self controlled. All existing documents will be migrated to self controlled at startup.
• Managed did:nuts DIDs are migrated to the new SQL storage. Unresolved DID document conflicts may contain an incorrect state after migrating to v6. See /status/diagnostics if you own any DIDs with a document conflict; use /internal/vdr/v1/did/conflicted to find the specific DIDs.
• Removed legacy API authentication tokens.

New Features

The following new features have been added:

• Resolving and creating did:web DID documents (see the VDR v2 API reference for usage).
• Resolving did:jwk and did:key DID documents.
• Running a Discovery Server and Client
• Added the VDR v2 API.
• Added a Verifiable Credential system-wallet, which is used in Presentation Exchanges (e.g. OpenID4VP).
  See the VCR API reference for usage.
• Added a VCR API operation to list Verifiable Credentials in a local wallet.
• Added a VCR API operation to delete Verifiable Credentials from a local wallet.
• Added support in the IssueVC VCR API operation to issue Verifiable Credentials that don't use the nuts.nl JSON-LD context.
• Added experimental support for OpenID4VP (OpenID for Verifiable Presentations)
• Added experimental support for OpenID4VCI (OpenID for Verifiable Credential Issuance)
• Added support for Nuts RFC021, which negotiates an OAuth2 access token for a system through a Presentation Exchange using Verifiable Credentials.
• Added support for StatusList2021 as revocation means for Verifiable Credentials.
• Added support for storage in SQL databases (PostgreSQL, MySQL, SQLite and Microsoft SQL Server
• Added a Docker developer image which is useful for local development. It is built from the latest master build.
• Added a VDR API operation to list locally managed DIDs.

Changes

• Removed support for deprecated network TLS properties. Configuring these properties will now cause the node not to start.
• Removed usage of deprecated purposeOfUseClaim in NutsAuthorizationCredential.
• Removed support for the UZI authentication means.
• Documentation of did:nuts-related features have been removed (refer to v5 documentation).
• Documentation of specific use cases (e.g. health care in general or eOverdracht) has been moved to the Nuts wiki.
• Node can now be run without configuring TLS when the gRPC network isn't used (didmethods does not contain nuts), to cater use cases that don't use did:nuts.
• Crypto backends store keys under a key name and are linked to the kid via the key_reference SQL table.

The following features have also been changed:

DID management

You no longer manage changes to DIDs but to Subjects. Each subject has multiple DIDs, one for each enabled DID method.
You're free to choose an ID for a Subject. This feature enables forwards compatibility with new DID methods.
DID methods can be enabled and disabled via the didmethods config parameter. (Default: ['web','nuts']).
Existing did:nuts documents will be migrated to self-controlled at startup and the DID will be added as SubjectID together with a new did:web DID.

HTTP interface

The HTTP interface has been reworked to make deployments simpler and more secure:

• No more dynamic binding of endpoints to ports, endpoints are now bound to the internal interface (8081) or the public interface (8080).
• Server-side TLS for HTTP has been dropped, since the Nuts node is always expected to be deployed behind a reverse proxy/ingress that handles TLS termination.
• API authentication is now only applied to /internal endpoints, since those are the only API endpoints that should be protected with authentication.
• CORS support has been removed. As it is only required by user authentication endpoints that are considered to be deprecated, CORS headers can be set by a reverse proxy if still required.

Port configuration

To simplify HTTP configuration and proxying and make the default more secure, HTTP endpoints now map to 2 HTTP interfaces:

• port 8081 for all internal-facing endpoints (/internal, /status, /metrics, /health)
• port 8080 for all public-facing endpoints (all others)

Note that 8081 by default maps to 127.0.0.1 only, so you might need to configure it to allow it to be accessible from other machines.

Deprecated features

The following features have been deprecated:

• The external key store API has been deprecated and will be removed in the next major release.
  It was introduced to allow flexible support for other key storage backends, while reducing the number of dependencies and clients to maintain in the Nuts node.
  But, in practice the secret store API is unmaintained itself and lacks features (e.g. authentication/authorization).
  Starting v6, the preferred way to support other key storage backends is to directly implement it in the Nuts node itself.
  This also reduces the complexity of a Nuts node deployment (one service less to configure and deploy).
  Users are recommended to switch to the built-in client of their key storage backend.
• Auth v1 API, replaced by Auth v2
• DIDMan v1 API, to be removed
• Network v1 API, to be removed
• VDR v1 API, replaced by VDR v2

v5.4.11

What's Changed

• Fixed an issue where the deactivated status of a DID document could be resolved incorrectly

Full Changelog: v5.4.10...v5.4.11

v5.4.10

What's Changed

• Minor nuts-network stability improvement

Full Changelog: v5.4.9...v5.4.10

v5.4.9

What's Changed

• Disabled darkmode in UI for EmployeeID contract screen by @stevenvegt in #3306
• Clarified logging when existence of private key cannot be determined by @gerardsn in #3305

Full Changelog: v5.4.8...v5.4.9

v5.4.8

What's Changed

• Fixed a VC search bug where certain VCs could no longer be found.

Full Changelog: v5.4.7...v5.4.8

v5.4.7

What's Changed

• Fixed an issue where the node would panic during startup when retrying unfinished private transactions.
• Updated dependencies

Full Changelog: v5.4.6...v5.4.7

Hazelnut update (v5.4.6)

What's Changed

• VCR JSON-LD context not allowed logging fix by @reinkrul in #2838
• Updated dependencies

Full Changelog: v5.4.5...v5.4.6

Hazelnut update (v5.4.5)

What's Changed

• Auth: create session and validate signatures perform the same checks by @reinkrul in #2673

Full Changelog: v5.4.4...v5.4.5

Hazelnut update (v5.4.4)

What's Changed

• refactor retry event at startup by @gerardsn in #2571
• release notes v5.4.4 by @gerardsn in #2573

Full Changelog: v5.4.3...v5.4.4