Released on 2025-09-03
New Features
Service Extensions
Service extensions can now import the secp256k1 package. This makes it possible to implement key generation, ECDH key agreement, and public and private key parsing inside a service extension without bundling a separate elliptic-curve library.
Available functions include:
GeneratePrivateKey: generate a new random secp256k1 private key. Use this for all newly created keys.
GenerateSharedSecret: perform Diffie-Hellman key exchange (ECDH, RFC 5903) between a private key and a peer's public key. As RFC 5903 specifies, the result is the x-coordinate of the shared point; run it through a KDF (for example HKDF) before using it as a symmetric key.
ParsePubKey: parse a public key encoded per ANSI X9.62-1998 (compressed, uncompressed, or hybrid encoding) and verify that the point is on the curve. Treat any error as a rejected peer key.
PrivKeyFromBytes: load a private key from a 32-byte big-endian unsigned integer, for example one an extension has stored earlier. The value must be in the range [1, N-1]; the caller is responsible for checking the length and range of stored material before passing it in.
To learn more about this package, see the developer's documentation. To learn how to import it in your service extensions, see Additional third party packages.
Orchestrator binary Go version upgrade to 1.25
The orchestrator binary has been upgraded to Go 1.25. The following behaviour changes from the Go runtime affect the orchestrator's TLS connections and certificate handling:
TLS handshakes: TLS 1.2 handshakes now reject SHA-1-based signature algorithms (per RFC 9155). A peer that can only sign its handshake with SHA-1 will fail to connect. Go's tlssha1=1 GODEBUG setting restores the old behaviour in the runtime, but treat that as a temporary bridge while the peer is fixed, not as a configuration to keep.
Protocol version selection: TLS servers now negotiate the highest protocol version supported by both the server and the client. Previously, the client's stated preference order was followed.
Certificate validation: the x509 parser (x509.ParseCertificate) is stricter and now consistently rejects invalid or malformed certificates. Some certificates that were previously accepted may be rejected after the upgrade; check the certificates the orchestrator serves and trusts before rolling out.
macOS support: for evaluators running on Mac, the orchestrator now requires macOS 12 (Monterey) or later. macOS 11 (Big Sur) is no longer supported.
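The following is an added preflight tool for the certificate-validation change; it is not code from the Orchestrator or from Go's own release notes. It runs every CERTIFICATE block of a PEM bundle through x509.ParseCertificate and reports which ones the toolchain it was compiled with refuses, so compiling it with Go 1.25 and running it over the bundles the orchestrator serves and trusts shows the migration impact before the upgrade. The bundle it parses is constructed in-process (a valid self-signed certificate under a hypothetical name, a private key block, and a deliberately truncated certificate) so it runs offline; point CheckBundle at a real file to use it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// BundleReport summarises a preflight over one PEM bundle.
type BundleReport struct {
	Accepted []string // subjects of certificates the parser accepted
	Rejected []string // "block N: error" for certificates the parser refused
	Skipped  int      // non-CERTIFICATE PEM blocks (keys, CSRs) left alone
}

// CheckBundle parses every CERTIFICATE block with x509.ParseCertificate.
// The verdict depends on the Go toolchain this binary is built with: build
// it with Go 1.25 to see what the stricter parser rejects.
func CheckBundle(bundle []byte) BundleReport {
	var r BundleReport
	for i := 0; len(bundle) > 0; i++ {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			break // trailing bytes that are not PEM
		}
		if block.Type != "CERTIFICATE" {
			r.Skipped++
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			r.Rejected = append(r.Rejected, fmt.Sprintf("block %d: %v", i, err))
			continue
		}
		r.Accepted = append(r.Accepted, cert.Subject.String())
	}
	return r
}

// sampleBundle builds a constructed bundle for a self-contained run: a valid
// self-signed certificate, a PRIVATE KEY block that must be skipped, and a
// CERTIFICATE block whose DER is cut in half so every parser rejects it.
func sampleBundle() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "orchestrator.example"}, // hypothetical
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	var out []byte
	out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	out = append(out, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})...)
	out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der[:len(der)/2]})...)
	return out, nil
}

func main() {
	bundle, err := sampleBundle()
	if err != nil {
		panic(err)
	}
	r := CheckBundle(bundle)
	fmt.Printf("accepted=%d rejected=%d skipped=%d\n", len(r.Accepted), len(r.Rejected), r.Skipped)
	for _, msg := range r.Rejected {
		fmt.Println("  ", msg)
	}
}
```

Run the same binary built with the previous Go release and with Go 1.25 over the same bundle; any certificate that moves from Accepted to Rejected is one the upgraded orchestrator will refuse.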
Resolved Issues
Tokens issued through the client_credentials grant can now be revoked.
The TLS minimum version setting now accepts a floating-point value (for example 1.2) instead of rejecting it.