EJBCA 7.4.3 Release Notes
The PrimeKey EJBCA team is pleased to announce the release of EJBCA 7.4.3.
The primary focus of this release has been to work on the EJBCA integration points including further support for Hashicorp Vault, adding end entity management in the EJBCA REST API, and more.
Deployment options include EJBCA Hardware Appliance, EJBCA Software Appliance, and EJBCA Cloud.
Highlights
REST Endpoints for End Entity Management
We've added new commands for end entity management to our REST API with contributions from Roman Cinkais at 3Key Company. If you'd like to try them out, take a look at our Swagger UI which is automatically deployed on non-production instances.
Plugin for Hashicorp Vault
As part of a greater effort to extend interoperability and serve as an integral part of any PKI ecosystem, we've released a plugin for HashiCorp Vault on GitHub. HashiCorp Vault is a product for managing secrets, and when running microservices at scale there are many services and secrets to manage. The plugin lets you use EJBCA in place of Vault's built-in CA, combining the usability and dynamics of Vault with the compliance, scalability, and performance of EJBCA.
CVC Enrollment in EJBCA RA
It's now possible to enroll for Card Verifiable Certificates in the EJBCA RA UI. This improvement is part of our continued effort to deprecate the old Public Web.
Trident HSM Support
We've added some default properties to our configuration files to allow for easy configuration when the Trident HSM driver is installed on the system.
Root Program Compliance Issues
Two issues have been reported that may cause incidents for CAs that conform to browser root program and CA/Browser Forum requirements.
- In previous releases, OCSP responses without extensions were sent with an empty singleExtensions list, while the proper behavior is to omit the list entirely. The issue is now resolved, and we recommend that all root-program-compliant customers upgrade to EJBCA 7.4.3 or later.
- It has been found that EJBCA did not calculate the time between notBefore and notAfter correctly, making the validity of certificates and OCSP responses one second longer than intended by the RFC. While we recommend that customers keep well within any required limits, this issue has been solved in EJBCA 7.4.3.
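The two compliance checks behind these issues, written as an added example (not EJBCA code) that an auditor could run offline: the RFC 5280 inclusive validity rule (notBefore through notAfter, so a period of N seconds ends at notBefore + N - 1 s) and a DER scan for a SingleResponse whose singleExtensions [1] holds an empty SEQUENCE, which RFC 6960 forbids by declaring Extensions as SIZE (1..MAX). The sample SingleResponse bytes, the sample timestamp and the 398-day limit used as MAX_VALIDITY are constructed for illustration; the function names are this example's own.

```python
from datetime import datetime, timedelta, timezone

def not_after_inclusive(not_before: datetime, validity: timedelta) -> datetime:
    """Fixed behaviour: the period runs notBefore through notAfter inclusive,
    so notAfter is one second short of notBefore + validity."""
    return not_before + validity - timedelta(seconds=1)

def validity_seconds(not_before: datetime, not_after: datetime) -> int:
    """Validity as RFC 5280 section 4.1.2.5 counts it: both endpoints included."""
    return int((not_after - not_before).total_seconds()) + 1

def _tlv(buf: bytes, pos: int):
    """Parse one DER TLV at pos -> (tag, value, next_pos); definite lengths only."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, buf[pos + 2:pos + 2 + first], pos + 2 + first
    n = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    start = pos + 2 + n
    return tag, buf[start:start + length], start + length

def has_empty_single_extensions(single_response: bytes) -> bool:
    """True if a DER SingleResponse carries singleExtensions [1] holding an
    empty SEQUENCE. RFC 6960 declares Extensions as SIZE (1..MAX), so the
    field must be omitted entirely when there are no extensions."""
    tag, body, _ = _tlv(single_response, 0)
    if tag != 0x30:
        raise ValueError("SingleResponse must be a SEQUENCE")
    pos = 0
    while pos < len(body):
        child_tag, child, pos = _tlv(body, pos)
        if child_tag == 0xA1:  # context tag [1] EXPLICIT = singleExtensions
            inner_tag, inner, _ = _tlv(child, 0)
            return inner_tag == 0x30 and len(inner) == 0
    return False

def wrap_single_response(body: bytes) -> bytes:
    """Wrap a body in the outer SEQUENCE (short-form length only)."""
    return b"\x30" + bytes([len(body)]) + body

# Constructed samples (placeholder certID, certStatus good, thisUpdate, a sample
# notBefore and the 398-day TLS limit), not captured from a real CA or responder.
_BODY = (bytes.fromhex("3009" "3000" "0400" "0400" "020101")  # certID placeholder
         + bytes.fromhex("8000")                               # certStatus: good
         + b"\x18\x0f" + b"20210101120000Z")                   # thisUpdate
SINGLE_RESPONSE_BAD = wrap_single_response(_BODY + bytes.fromhex("a1023000"))
SINGLE_RESPONSE_OK = wrap_single_response(_BODY)
SAMPLE_NOT_BEFORE = datetime(2021, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
MAX_VALIDITY = timedelta(days=398)
```

Computing notAfter as plain notBefore + validity (the pre-7.4.3 behaviour) yields a period of 398 days plus one second, which is what pushes a certificate issued at the limit over it.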
Security Issue - Domain Security over EST
As a part of our penetration testing, a security issue was found when enrolling with EST while proxied through an RA over the Peers protocol. As a part of EJBCA's domain security model, the peer connector allows the restriction of client certificates (for the RA, not the end user) to a limited set of allowed CAs, thus restricting the accessibility of that RA to the rights it has within a specific role. While this works for other protocols such as CMP, it was found that the EJBCA enrollment over EST implementation bypasses this check, allowing enrollment with a valid client certificate through any functioning and authenticated RA connected to the CA. We consider this issue minor as it does not bypass any of the many other security checks in place, but as per our common policy this issue will be submitted as a CVE two weeks from the release of EJBCA 7.4.3.
Upgrade Information
Review the EJBCA 7.4.3 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.
EJBCA 7.4.3 is available on EJBCA Hardware Appliance 3.5.5 and EJBCA Cloud 2.5 and can be deployed as EJBCA Software Appliance.
Change Log: Resolved Issues
For full details of fixed bugs and implemented features in EJBCA 7.4.3, refer to our JIRA Issue Tracker.
Issues Resolved in 7.4.3
New Features
ECA-5333 - Ability to search for approval requests by part of Subject DN / or e-mail
ECA-7994 - Not possible to request CVC certificates in RA web
ECA-8845 - Planning of grab new installations issue
ECA-9237 - Authentication path for OAuth in CA UI
ECA-9239 - Authentication path for OAuth in RA web
ECA-9240 - Ability to manage OAuth keys via AdminWeb
ECA-9241 - Ability to manage OAuth keys via CLI
ECA-9333 - REST API commands for End Entity Management
ECA-9337 - Landing page for "grab new installation"
ECA-9346 - CLI support to create new CA with AWS/Azure KMS crypto token (ejbca.sh ca init)
ECA-9350 - Authentication path for OAuth in WebService and REST API
ECA-9351 - Ability to configure default OAuth key
ECA-9376 - Add language strings for OAuth in RA Web
ECA-9421 - Add entry for Trident HSM to web.properties defaults
ECA-9431 - System test of URL access with JWT Bearer token
ECA-9450 - Add OAuth support to AuthenticationFilter
ECA-9451 - Add OAuth support to JSP pages
ECA-9453 - Make it possible to ask the healthcheck servlet which VAs are up to date
ECA-9471 - Unit test of OAuth Keys in Configdump
ECA-9481 - Updating preferences in RA Web and CA UI with OAuth authentication
ECA-9509 - Trigger landing page for new installations
Tasks
ECA-8905 - Update JWT libraries for EJBCA
ECA-9315 - Document CA rekey recommendations
ECA-9380 - Upgrade jackson-databind to 2.9.10.6
ECA-9381 - Remove jdom jar
ECA-9383 - Upgrade hibernate jars
ECA-9515 - New Swagger version requires json-patch JAR and newer jackson-databind JAR
ECA-9539 - Skip REST related test in CE
Improvements
ECA-8750 - KeyGenParams is handled inconsistently for RSA
ECA-8800 - Improve usability when selecting crypto tokens/algorithms on CA
ECA-9023 - Use prepared statements in ApprovalSessionBean and org.ejbca.util.query.Query
ECA-9215 - Configure full Azure Key Vault Name which would include the DNS FQDN
ECA-9238 - Ability to access CA UI via OAuth without allowing unauthenticated usage
ECA-9243 - Change or remove svn.revision property
ECA-9283 - SSH Implementation improvements
ECA-9293 - SSH Implementation remaining TODOs
ECA-9309 - CleanUp the code, discovered in SSH implementation/review
ECA-9328 - Improve JackNJI11ProviderTest
ECA-9355 - Prevent admin lock-out when using OAuth
ECA-9368 - Fail over to another node if CRL updater cannot complete work due to crypto token being inaccessible
ECA-9379 - Document how to view number of CRLs for each issuer in housekeeping guide
ECA-9412 - Export\import OAuth keys with configdump
ECA-9415 - Add ACME support for cert-manager
ECA-9428 - Some WS methods swallow AuthorizationDeniedException
ECA-9430 - Avoid using SHA1 for HSM public key dummy certificates
ECA-9457 - Lower logging level in from ERROR to INFO when request key is not allowed
ECA-9458 - Trim external lib
ECA-9462 - Remove unused jar file
ECA-9464 - Upgrade internal library
ECA-9465 - Upgrade internal library
ECA-9467 - Upgrade internal library
ECA-9469 - Upgrade internal library
ECA-9514 - Temporarily remove OAuth configuration from CA Web
ECA-9522 - UI Improvements to installation page
ECA-9523 - EJBCA's validity definition does not align with the one from RFC5280 and baseline requirements
Bug Fixes
ECA-8681 - CRLData query wrongly assumes unique result
ECA-9031 - Regression: certificate validity option for key validators are not shown
ECA-9170 - SecureXmlDecoder cannot deserialize enums created in Java 6
ECA-9185 - Security Issue
ECA-9213 - Regression: 'Close' button not functioning under Role Members 'View Certificate' page
ECA-9280 - SecureXmlDecoder lacks support for UserDataVO, causing deserialization error
ECA-9291 - Incorrect encoding of critical options for SSH certificates
ECA-9296 - SSH values still show up in end entity profiles even if SSH module is not present
ECA-9301 - EJBCA freezes at startup if cyclic cross-signed root certificates are used in OCSP chain
ECA-9302 - Regression: Unable to Generate Certs from WebService When the Username is Set To Autogenerated in the EEP
ECA-9304 - Missing CA causes NPE when viewing KeyBindings
ECA-9318 - Wrong defaultKey selected from crypto token
ECA-9325 - Add quotation marks to the properties argument in the sample command in the CLI for services
ECA-9335 - Regression: SerialNr Octet size not retained after upgrade
ECA-9343 - Duplicated close on stream in EndEntityProfileSessionBean and CertificateProfileSessionBean
ECA-9349 - CLI does not include plugins-ee on first build
ECA-9364 - EjbcaWS.findCerts(username, isValid=true) should also return certificates with status = 21
ECA-9365 - Not possible to delete publisher, if exists ssh CA
ECA-9370 - CMP's EndEntityCertificateAuthenticationModule does not use BC to verify certificates
ECA-9392 - ACME system test includes invalid altName extension in CSR
ECA-9413 - Fix ACME test failures in main
ECA-9426 - OCSP responses without extensions are sent with an empty "singleExtensions" list
ECA-9432 - Removal of unidfnr/src-test causes Unit tests failure and partial execution of unit tests
ECA-9434 - Multiple CRLs with different CRL partition indexes after upgrade causes NonUniqueResultException
ECA-9436 - ProtocolOcspHttpStandaloneTest failure (false positive)
ECA-9437 - Avoid random StringToolsTest failure
ECA-9440 - Regression: CA UI links do not work with a HTTP proxy running on a different port/hostname/scheme
ECA-9448 - Regression: Changes in EndEntityProfileSessionBean and CertificateProfileSessionBean in try-with-resources produce incomplete xml
ECA-9452 - Test for pkcs10enroll endpoint returns error when user is set to autogenerated in EEP
ECA-9455 - Possible NPE in REST search certificate call
ECA-9456 - Approvals created without cert authenticated admins fail in RA Web
ECA-9482 - Missing icon and name of access rule with misconfigured peer connector
ECA-9485 - Regression: XmlSerializer does not B64 encode non-ASCII strings, causing audit record to fail in some cases
ECA-9498 - Regression: OCSP keybinding certificate import fails when CA fingerprint is missing in database
ECA-9501 - Test Failure: KeyValidatorSession
ECA-9503 - Test Failure: REST System tests
ECA-9506 - Update method invocations to getPendingEntriesCountForPublisherInIntervals
ECA-9517 - ant ziprelease doesn't set git revision properly
ECA-9518 - AdminWeb header/logo URL is sometimes not shown due to incorrect URL
ECA-9520 - Jenkins RA/VA builds using invalid revsion property
ECA-9524 - EJBCA CE doesn't build from main
ECA-9528 - ACME NPE while running same certbot request twice or more
ECA-9529 - Regression: Custom logo does not load
ECA-9535 - Too many CT keys would fill up screen during CA creation
ECA-9538 - AcmeConfiguration is missing configdump setting for getRetryAfter
ECA-9541 - Test failures after inclusive validity range fix
ECA-9547 - "ant ziprelease" produces Community Edition zip release that does not build
ECA-9548 - Regression: PKI Disclosure Statements are not encoded correctly in audit log