EJBCA 7.4.3 Release Notes

The PrimeKey EJBCA team is pleased to announce the release of EJBCA 7.4.3.

The primary focus of this release has been to work on the EJBCA integration points including further support for Hashicorp Vault, adding end entity management in the EJBCA REST API, and more.

Deployment options include EJBCA Hardware Appliance, EJBCA Software Appliance, and EJBCA Cloud.

Highlights

REST Endpoints for End Entity Management

We've added new commands for end entity management to our REST API with contributions from Roman Cinkais at 3Key Company. If you'd like to try them out, take a look at our Swagger UI which is automatically deployed on non-production instances.

Plugin for Hashicorp Vault

As part of a greater effort to extend interoperability and to serve as an integral part of any PKI ecosystem, we've released a plugin for HashiCorp Vault on GitHub. HashiCorp Vault is a product for managing secrets, and when using microservices at scale there are many services and secrets to manage. The plugin allows you to use EJBCA instead of Vault's built-in CA, combining the usability and dynamics of Vault with the compliance, scalability, and performance of EJBCA.

CVC Enrollment in EJBCA RA

It's now possible to enroll for Card Verifiable Certificates in the EJBCA RA UI. This improvement is part of our continued effort to deprecate the old Public Web.

Trident HSM Support

We've added some default properties to our configuration files to allow for easy configuration if the HSM driver is installed on the system.

Root Program Compliance Issues

Two issues have been reported that may cause incidents for CAs that conform to browser root program and CA/Browser Forum requirements.

  1. In previous releases, OCSP responses without extensions were sent with an empty singleExtensions list, while the proper behavior is to omit the list entirely. The issue is now resolved and we recommend that all root program compliant customers upgrade to EJBCA 7.4.3 or later.

  2. It has been found that EJBCA did not calculate the time between notBefore and notAfter correctly, giving certificates and OCSP responses one second more validity than intended by the RFC. While we recommend that customers keep well within any required limits, this issue has been solved in EJBCA 7.4.3.
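Two checks for the compliance issues above, as an added example (not EJBCA's own code): the inclusive validity arithmetic from RFC 5280 that item 2 concerns, and a DER scan for the empty singleExtensions list from item 1. The SingleResponse bytes are constructed and abbreviated (placeholder certID) purely for the check.

```python
from datetime import datetime, timedelta, timezone

ONE_SECOND = timedelta(seconds=1)

def not_after_for(not_before: datetime, validity: timedelta) -> datetime:
    """RFC 5280 4.1.2.5 counts validity from notBefore through notAfter
    inclusive, so a period of N seconds ends N-1 seconds after notBefore.
    Adding the full period instead yields the extra second described above."""
    return not_before + validity - ONE_SECOND

def validity_period(not_before: datetime, not_after: datetime) -> timedelta:
    """Inclusive length of a certificate or OCSP response validity window."""
    return not_after - not_before + ONE_SECOND

def _read_tlv(buf: bytes, pos: int):
    """Minimal DER TLV reader (single-byte tags only); returns tag, value, next pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def has_empty_single_extensions(single_response_der: bytes) -> bool:
    """singleExtensions is [1] EXPLICIT Extensions OPTIONAL and Extensions is
    SEQUENCE SIZE (1..MAX) OF Extension, so an empty list must be omitted,
    not encoded as a1 02 30 00. Returns True for the non-compliant form."""
    tag, body, _ = _read_tlv(single_response_der, 0)
    if tag != 0x30:
        raise ValueError("SingleResponse must be a SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0xA1:
            return value == b"\x30\x00"
    return False

def sample_single_response(with_empty_extensions: bool) -> bytes:
    """Constructed, abbreviated SingleResponse for testing: a placeholder
    certID, certStatus good ([0] IMPLICIT NULL) and a thisUpdate time."""
    cert_id = bytes.fromhex("3003020101")
    cert_status = bytes.fromhex("8000")
    this_update = b"\x18\x0f" + b"20201001120000Z"
    body = cert_id + cert_status + this_update
    if with_empty_extensions:
        body += bytes.fromhex("a1023000")
    return bytes([0x30, len(body)]) + body
```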

Security Issue - Domain Security over EST

As part of our penetration testing, a security issue was found when enrolling with EST while proxied through an RA over the Peers protocol. As part of EJBCA's domain security model, the peer connector allows the client certificates (of the RA, not the end user) to be restricted to a limited set of allowed CAs, thus restricting the RA's access to the rights it has within a specific role. While this works for other protocols such as CMP, it was found that EJBCA's EST enrollment implementation bypasses this check, allowing enrollment with a valid client certificate through any functioning and authenticated RA connected to the CA. We consider this issue minor as it does not bypass any of the many other security checks in place, but as per our common policy this issue will be submitted as a CVE two weeks after the release of EJBCA 7.4.3.

Upgrade Information

Review the EJBCA 7.4.3 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 7.4.3 is available on EJBCA Hardware Appliance 3.5.5 and EJBCA Cloud 2.5 and can be deployed as EJBCA Software Appliance.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 7.4.3, refer to our JIRA Issue Tracker.

Issues Resolved in 7.4.3

Released October 2020

New Features

ECA-5333 - Ability to search for approval requests by part of Subject DN / or e-mail

ECA-7994 - Not possible to request CVC certificates in RA web

ECA-8845 - Planning of grab new installations issue

ECA-9237 - Authentication path for OAuth in CA UI

ECA-9239 - Authentication path for OAuth in RA web

ECA-9240 - Ability to manage OAuth keys via AdminWeb

ECA-9241 - Ability to manage OAuth keys via CLI

ECA-9333 - REST API commands for End Entity Management

ECA-9337 - Landing page for "grab new installation"

ECA-9346 - CLI support to create new CA with AWS/Azure KMS crypto token (ejbca.sh ca init)

ECA-9350 - Authentication path for OAuth in WebService and REST API

ECA-9351 - Ability to configure default OAuth key

ECA-9376 - Add language strings for OAuth in RA Web

ECA-9421 - Add entry for Trident HSM to web.properties defaults

ECA-9431 - System test of URL access with JWT Bearer token

ECA-9450 - Add OAuth support to AuthenticationFilter

ECA-9451 - Add OAuth support to JSP pages

ECA-9453 - Make it possible to ask the healthcheck servlet which VAs are up to date

ECA-9471 - Unit test of OAuth Keys in Configdump

ECA-9481 - Updating preferences in RA Web and CA UI with OAuth authentication

ECA-9509 - Trigger landing page for new installations

Tasks

ECA-8905 - Update JWT libraries for EJBCA

ECA-9315 - Document CA rekey recommendations

ECA-9380 - Upgrade jackson-databind to 2.9.10.6

ECA-9381 - Remove jdom jar

ECA-9383 - Upgrade hibernate jars

ECA-9515 - New Swagger version requires json-patch JAR and newer jackson-databind JAR

ECA-9539 - Skip REST related test in CE

Improvements

ECA-8750 - KeyGenParams is handled inconsistently for RSA

ECA-8800 - Improve usability when selecting crypto tokens/algorithms on CA

ECA-9023 - Use prepared statements in ApprovalSessionBean and org.ejbca.util.query.Query

ECA-9215 - Configure full Azure Key Vault Name which would include the DNS FQDN

ECA-9238 - Ability to access CA UI via OAuth without allowing unauthenticated usage

ECA-9243 - Change or remove svn.revision property

ECA-9283 - SSH Implementation improvements

ECA-9293 - SSH Implementation remaining TODOs

ECA-9309 - CleanUp the code, discovered in SSH implementation/review

ECA-9328 - Improve JackNJI11ProviderTest

ECA-9355 - Prevent admin lock-out when using OAuth

ECA-9368 - Fail over to another node if CRL updater cannot complete work due to crypto token being inaccessible

ECA-9379 - Document how to view number of CRLs for each issuer in housekeeping guide

ECA-9412 - Export\import OAuth keys with configdump

ECA-9415 - Add ACME support for cert-manager

ECA-9428 - Some WS methods swallow AuthorizationDeniedException

ECA-9430 - Avoid using SHA1 for HSM public key dummy certificates

ECA-9457 - Lower logging level in from ERROR to INFO when request key is not allowed

ECA-9458 - Trim external lib

ECA-9462 - Remove unused jar file

ECA-9464 - Upgrade internal library

ECA-9465 - Upgrade internal library

ECA-9467 - Upgrade internal library

ECA-9469 - Upgrade internal library

ECA-9514 - Temporarily remove OAuth configuration from CA Web

ECA-9522 - UI Improvements to installation page

ECA-9523 - EJBCA's validity definition does not align with the one from RFC5280 and baseline requirements

Bug Fixes

ECA-8681 - CRLData query wrongly assumes unique result

ECA-9031 - Regression: certificate validity option for key validators are not shown

ECA-9170 - SecureXmlDecoder cannot deserialize enums created in Java 6

ECA-9185 - Security Issue

ECA-9213 - Regression: 'Close' button not functioning under Role Members 'View Certificate' page

ECA-9280 - SecureXmlDecoder lacks support for UserDataVO, causing deserialization error

ECA-9291 - Incorrect encoding of critical options for SSH certificates

ECA-9296 - SSH values still show up in end entity profiles even if SSH module is not present

ECA-9301 - EJBCA freezes at startup if cyclic cross-signed root certificates are used in OCSP chain

ECA-9302 - Regression: Unable to Generate Certs from WebService When the Username is Set To Autogenerated in the EEP

ECA-9304 - Missing CA causes NPE when viewing KeyBindings

ECA-9318 - Wrong defaultKey selected from crypto token

ECA-9325 - Add quotation marks to the properties argument in the sample command in the CLI for services

ECA-9335 - Regression: SerialNr Octet size not retained after upgrade

ECA-9343 - Duplicated close on stream in EndEntityProfileSessionBean and CertificateProfileSessionBean

ECA-9349 - CLI does not include plugins-ee on first build

ECA-9364 - EjbcaWS.findCerts(username, isValid=true) should also return certificates with status = 21

ECA-9365 - Not possible to delete publisher, if exists ssh CA

ECA-9370 - CMP's EndEntityCertificateAuthenticationModule does not use BC to verify certificates

ECA-9392 - ACME system test includes invalid altName extension in CSR

ECA-9413 - Fix ACME test failures in main

ECA-9426 - OCSP responses without extensions are sent with an empty "singleExtensions" list

ECA-9432 - Removal of unidfnr/src-test causes Unit tests failure and partial execution of unit tests

ECA-9434 - Multiple CRLs with different CRL partition indexes after upgrade causes NonUniqueResultException

ECA-9436 - ProtocolOcspHttpStandaloneTest failure (false positive)

ECA-9437 - Avoid random StringToolsTest failure

ECA-9440 - Regression: CA UI links do not work with a HTTP proxy running on a different port/hostname/scheme

ECA-9448 - Regression: Changes in EndEntityProfileSessionBean and CertificateProfileSessionBean in try-with-resources produce incomplete xml

ECA-9452 - Test for pkcs10enroll endpoint returns error when user is set to autogenerated in EEP

ECA-9455 - Possible NPE in REST search certificate call

ECA-9456 - Approvals created without cert authenticated admins fail in RA Web

ECA-9482 - Missing icon and name of access rule with misconfigured peer connector

ECA-9485 - Regression: XmlSerializer does not B64 encode non-ASCII strings, causing audit record to fail in some cases

ECA-9498 - Regression: OCSP keybinding certificate import fails when CA fingerprint is missing in database

ECA-9501 - Test Failure: KeyValidatorSession

ECA-9503 - Test Failure: REST System tests

ECA-9506 - Update method invocations to getPendingEntriesCountForPublisherInIntervals

ECA-9517 - ant ziprelease doesn't set git revision properly

ECA-9518 - AdminWeb header/logo URL is sometimes not shown due to incorrect URL

ECA-9520 - Jenkins RA/VA builds using invalid revision property

ECA-9524 - EJBCA CE doesn't build from main

ECA-9528 - ACME NPE while running same certbot request twice or more

ECA-9529 - Regression: Custom logo does not load

ECA-9535 - Too many CT keys would fill up screen during CA creation

ECA-9538 - AcmeConfiguration is missing configdump setting for getRetryAfter

ECA-9541 - Test failures after inclusive validity range fix

ECA-9547 - "ant ziprelease" produces Community Edition zip release that does not build

ECA-9548 - Regression: PKI Disclosure Statements are not encoded correctly in audit log