OCTOBER 2021

The PrimeKey EJBCA team is pleased to announce the release of EJBCA 7.8.0.1. (EJBCA 7.8.0 was an internal release, not generally available for customers).

This release mainly fixes a slew of compliance issues and bugs that have been reported on the feature set released last spring. Transaction handling for publishers has been improved for rollback scenarios. The release also contains a compliance fix related to the validity of CRLs and OCSP responses.

Deployment options include EJBCA Hardware ApplianceEJBCA Software Appliance, and EJBCA Cloud.

Highlights

Transaction Handling for Publishers Improved 

An issue was brought to our attention in regards to transaction handling during publishing operations. The previous behavior was that errors that occur in connection with direct publishing cause an immediate rollback of the entire issuance operation. Normally this behavior is desired, but it has come to light that this may cause compliance issues when also writing pre-certificates to a Certificate Transparency log, due to that action being an "intent to issue".

Transaction handling has thus been improved to ensure that a failure in direct publishing does not lead to a complete rollback, but the certificate is still issued and can be managed accordingly. 

Compliance

CRL and OCSP Validity Compliance

It was brought to our attention by a customer that EJBCA adds a second of validity to CRLs and OCSP replies to what is intended in RFC 5280. This issue has been addressed in EJBCA 7.8.0.1 by reducing the validity of CRLs and OCSP responses by 1 second.

ACME Redirect Ports updated to comply with CA/Browser Forum Baseline Requirements 1.7.6

BR 1.7.6, as defined in SC44, clarified the validity of redirect ports if followed by the CA. It was found that EJBCA follows a 302 status code on port 8080, which is not in the list of approved ports. This has been fixed in EJBCA 7.8.0.

Security Issue

Audience Claims not required by default 

Upon review of our OAuth implementation, it was found that not requiring the aud claim to be defined provides potential for known users to access EJBCA using a valid claim meant for a different audience. A new field has been added to the OAuth configuration, where the aud claim must be filled in for each defined provider. Upon upgrading, you will be prompted to fill in this field before performing post-upgrade. Two weeks after the release of EJBCA 7.8.0 this issue will be reported as a CVE. 

Severity

  • Medium – an attacker would still need to have a valid OAuth token with other claims valid for a defined role, but intended for a different audience. 

Upgrade Information

Review the EJBCA 7.8 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 7.8.0.1 is included in EJBCA Hardware Appliance 3.9.1 and EJBCA Cloud 2.9.1 and can be deployed as EJBCA Software Appliance.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 7.8.0 and 7.8.0.1, refer to our JIRA Issue Tracker.

Issues Resolved in 7.8.0.1

Released October 2021

Improvements

ECA-10327 - Reduce CRL and OCSP Validities by 1 second

Bug Fixes

ECA-10303 - Throwaway CA Revocation Broken in 7.6.0


Issues Resolved in 7.8.0

Released September 2021

Improvements

ECA-8561 - Add a validation check for Configdump Handlers

ECA-9685 - Improve German translation for AdminWeb and RA

ECA-9752 - Access control too restrictive when searching for end entities using EjbcaWS.findUser

ECA-10069 - Enroll menu in the RA web is not shown until the rule create_end_entity is set to Allowed

ECA-10120 - Deploying EJBCA with oracle 19c DB

ECA-10183 - CABF Compliance: EJBCA follows redirect to other ports than BR 1.7.6 Authorized Ports when validating ACME http-01 challenge

ECA-10205 - Would like to be able to specify key sizes and curves in clientToolBox stresstest

ECA-10208 - Fix message typo: modifyable = modifiable

ECA-10235 - Documentation: Not possible to use custom DN attributes with number 200, as recommended in sample file

ECA-10247 - Ant target for ACME system tests is broken

ECA-10248 - Security issue

ECA-10249 - Extend CLI recover command with delta functionality

ECA-10309 - Implement transaction-aware direct publishing

Bug Fixes

ECA-9235 - Validity of CVC certificate view in RA web should display only full days

ECA-9551 - Permission Loss on EEP Import

ECA-9850 - Configdump exports "CAs to check" for Services, even when it is not applicable

ECA-9991 - Regex validation breaks Certificate Profile field update

ECA-10068 - Possible to view end entities in RA web though the role is set to Deny

ECA-10071 - Enrollment code can not be empty when setting status to generated in RA Web

ECA-10142 - Regression: Notification Subject field in End Entity Profile currently max 40 characters.

ECA-10147 - CA activation should not require /ca_functionality/edit_ca access

ECA-10182 - OAuth is not working with Ping ID

ECA-10185 - REST endentity add user with PEM token fails

ECA-10190 - EST Client mode does not properly parse DN for UID attribute

ECA-10191 - Cannot edit end entity after enabling revocation upon issuance

ECA-10192 - Issuance revocation reason not set by the RA web

ECA-10193 - Pre-Sign Linting is Not Possible for a CA with P-384

ECA-10199 - Enrollment with PublicWeb does not consider the key specification selected by the user

ECA-10200 - Clicking on Audit Log Details column scrolls to the top left of the page

ECA-10201 - The text in the "Profile Description" field of the End Entity profile is not holding after saving the End Entity profile.

ECA-10204 - Proper formatting for worker.properties when creating OCSP Presigner service using ejbca.sh cli

ECA-10210 - OCSP Transaction / Audit log upgrade doesn't work

ECA-10212 - Multiple COUNTRYOFCITIZENSHIP / COUNTRYOFRESIDENCE are silently discarded

ECA-10215 - Database interruption during publishing can cause certificates to be lost

ECA-10218 - Custom extension of type BITSTRING is encoded with double bytes when empty octet is removed

ECA-10220 - Regression: ManagementCA fails to renew due to OID error, after editing CA

ECA-10233 - Why does ant runinstall set the clear password

ECA-10240 - Complete description texts for fields in the AcmeConfiguration

ECA-10241 - Autoenrollment menu link not visible in add/search end entity pages

ECA-10244 - RA Web Search for Certificate by full serial name does not work with Serial Number Octet Size less than 8

ECA-10246 - Fix ACME Name Generation Scheme Re-enrollement + Tests

ECA-10277 - Security Issue

ECA-10289 - Upgrade problem EJBCA 7.4.3 to 7.7.0

ECA-10290 - fix ConfigdumpOAuthKeyInfoUnitTest

ECA-10305 - Implement EJBCA CLI command for getting relevant truststore

ECA-10315 - Error when attempting to set name constraints via EJBCA WS