Release 3.13.0

Date: 2026-03-26

Bugfixes

MTG KMS-Server and MTG KMS-UI

  • A CONFLICT error is now returned when trying to insert an HSM whose name and/or address already exist in the database

MTG KMS-Server

  • Added handling of unsupported KMIP features:

    • Unsupported KMIP header values in request messages: MaximumResponseSize, AsynchronousIndicator, AttestationCapableIndicator, and AttestationType now cause FEATURE_NOT_SUPPORTED errors if given. ClientCorrelationValue, ServerCorrelationValue, and TimeStamp only cause warnings for compatibility reasons.

    • Unsupported KMIP attributes in request messages: ProtectionStorageMask and QuantumSafe cause UNSUPPORTED_ATTRIBUTE errors if given.

  • Changed error reasons in accordance with the KMIP v2.0+ specification and the official KMIP profile test cases:

    • When an illegal Authenticated Encryption Tag length is given during a symmetric Encryption and Decryption operation, the result reason is now GENERAL_FAILURE instead of INVALID_FIELD.

    • When an IV Counter Nonce isn’t given during a symmetric Encryption and Decryption operation, the result reason is now INVALID_MESSAGE instead of ILLEGAL_OPERATION.

  • In accordance with the specification, for KMIP v2.1+ only, the error reason WRONG_KEY_LIFECYCLE_STATE is returned instead of PERMISSION_DENIED:

    • if objects are deleted but not in pre-active, deactivated or compromised state,

    • if the activation date of an object that is not in pre-active state is modified, and

    • if the process start date of an object that is not in pre-active or active state is modified, or it is set before the activation date or the current time.

  • In accordance with the specification, only for KMIP v2.0+, the object type enumeration returned by the 'Query' operation no longer includes 'Template'.

Features and updates

All MTG Java Application Projects

For a list of all MTG Java Application Projects, see [MTG_ERS_JAVA].

For supported operating systems, see [OS].

All Applications support TLS 1.2 and 1.3

  • Spring Boot version increased to 3.5.12 (includes Tomcat 10.1.52).

  • MTG KMS-Crypto-API

    • Support for the Swagger interface, available at <BaseURL of crypto api>kms-crypto-api/swagger-ui/index.html

  • MTG KMS-Server, KMIP-API

Table 1. Post-Quantum Cryptography Algorithms

Cryptographic Algorithm

    • ML-DSA-44
    • ML-DSA-65
    • ML-DSA-87
    • SLH-DSA-SHA2-128s
    • SLH-DSA-SHA2-128f
    • SLH-DSA-SHA2-192s
    • SLH-DSA-SHA2-192f
    • SLH-DSA-SHA2-256s
    • SLH-DSA-SHA2-256f
    • SLH-DSA-SHAKE-128s
    • SLH-DSA-SHAKE-128f
    • SLH-DSA-SHAKE-192s
    • SLH-DSA-SHAKE-192f
    • SLH-DSA-SHAKE-256s
    • SLH-DSA-SHAKE-256f

Pre-Hash variants

    • Hash-ML-DSA-44-with-SHA512
    • Hash-ML-DSA-65-with-SHA512
    • Hash-ML-DSA-44-with-SHA512
    • Hash-SLH-DSA-SHA2-128s-with-SHA256
    • Hash-SLH-DSA-SHA2-128f-with-SHA256
    • Hash-SLH-DSA-SHA2-192s-with-SHA256
    • Hash-SLH-DSA-SHA2-192f-with-SHA256
    • Hash-SLH-DSA-SHA2-256s-with-SHA256
    • Hash-SLH-DSA-SHA2-256f-with-SHA256
    • Hash-SLH-DSA-SHAKE-128s-with-SHAKE128
    • Hash-SLH-DSA-SHAKE-128f-with-SHAKE128
    • Hash-SLH-DSA-SHAKE-192s-with-SHAKE128
    • Hash-SLH-DSA-SHAKE-192f-with-SHAKE128
    • Hash-SLH-DSA-SHAKE-256s-with-SHAKE128
    • Hash-SLH-DSA-SHAKE-256f-with-SHAKE128

MTG KMS-PKCS#11-Library

For supported OpenSSL versions, see [OpenSSL_compatibility].

For supported operating systems, see [OS_PKCS11].

MTG KMS-UI

  • Upgraded libraries.

  • The PKCS#11 ID column has been removed from the Cryptographic Objects table and is now displayed only when searching for asymmetric keys in KMS Crypto UI.

  • The PKCS#11 ID search field is now displayed only when Object Type is set to 'Keypair', 'Public Key' or 'Private Key' in KMS Crypto UI.

  • Added indicators to the Cryptographic Objects table page for each active filter in KMS Crypto UI.

  • Added the option of navigating to the protected KEK create page by clicking the "Create" button above the list of KEKs in KMS Tenant UI (see Process steps: Protected KEKs (create, activate, add HSM profile, remove HSM profile, delete, restore) - Step 02).

Installation instructions

  • None