EJBCA 7.8.0 Release Notes

The PrimeKey EJBCA team is pleased to announce the release of EJBCA 7.8.0.1 (EJBCA 7.8.0 was an internal release and was not made generally available to customers).

This release mainly fixes a number of compliance issues and bugs reported against the feature set released last spring. Transaction handling for publishers has been improved for rollback scenarios, and the release contains a compliance fix for the validity period of CRLs and OCSP responses.

Deployment options include EJBCA Hardware Appliance, EJBCA Software Appliance, and EJBCA Cloud.

Highlights

Transaction Handling for Publishers Improved

An issue was brought to our attention regarding transaction handling during publishing operations. Previously, an error during direct publishing caused an immediate rollback of the entire issuance operation. This behavior is normally desirable, but it can cause compliance issues when a pre-certificate has also been written to a Certificate Transparency log, because logging a pre-certificate constitutes an "intent to issue": rolling back afterwards leaves a logged pre-certificate with no corresponding issued certificate.

Transaction handling has therefore been improved so that a failure in direct publishing no longer rolls back the issuance: the certificate is still issued and can be managed accordingly.

Compliance

CRL and OCSP Validity Compliance

A customer brought to our attention that EJBCA computed the validity of CRLs and OCSP responses one second longer than intended by RFC 5280. This has been addressed in EJBCA 7.8.0.1 by reducing the validity of CRLs and OCSP responses by one second.

ACME Redirect Ports updated to comply with CA/Browser Forum Baseline Requirements 1.7.6

BR 1.7.6, as amended by ballot SC44, clarified which ports a CA may follow a redirect to when validating an http-01 challenge. EJBCA was found to follow a 302 redirect to port 8080, which is not among the approved ports. This has been fixed in EJBCA 7.8.0.

Security Issues

Audience Claims not required by default

A review of our OAuth implementation found that, because the aud (audience) claim was not required to be defined, a known user holding a valid token issued for a different audience could use it to access EJBCA. A new field has been added to the OAuth configuration in which the expected aud claim must be filled in for each defined provider. Upon upgrading, you will be prompted to fill in this field before performing post-upgrade. Two weeks after the release of EJBCA 7.8.0 this issue will be reported as a CVE.

Severity

  • Medium – an attacker would still need a valid OAuth token whose other claims are valid for a defined role, but which was intended for a different audience.
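As an added illustration (not EJBCA's code), the audience check that the new per-provider field enforces: a token whose aud claim names another service is rejected only when an expected audience is configured, while a provider with no audience set still accepts it. Provider names, audience values and the token format helper are constructed for the example.

```python
import base64
import json
from typing import Optional

# Constructed provider configuration (hypothetical names and values, not EJBCA's
# own format). The second provider has no audience configured, standing in for
# the pre-7.8.0 behaviour described in the release notes.
PROVIDERS = {
    "https://idp.example.test": {"aud": "ejbca-adminweb"},
    "https://legacy-idp.example.test": {"aud": None},
}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding (RFC 7515); restore it.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return the JWT payload. Signature verification is assumed to have
    succeeded already; only the claim handling is shown here."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def audience_accepted(claims: dict, expected_aud: Optional[str]) -> bool:
    """RFC 7519 section 4.1.3: 'aud' is a string or an array of strings and the
    token must be rejected if the recipient is not among them. With no
    configured audience the check is skipped, so a token minted for another
    service is accepted (the weakness fixed in 7.8.0)."""
    if expected_aud is None:
        return True
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == expected_aud
    if isinstance(aud, list):
        return expected_aud in aud
    return False  # claim missing or malformed

def token_accepted(token: str, provider: str) -> bool:
    """Apply the audience configured for the issuing provider; a provider that
    is not configured at all is rejected."""
    if provider not in PROVIDERS:
        return False
    return audience_accepted(decode_claims(token), PROVIDERS[provider]["aud"])

def make_token(claims: dict) -> str:
    # Constructed unsigned token (empty signature segment) for the demonstration.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```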

Upgrade Information

Review the EJBCA 7.8 Upgrade Notes for important information about this release. For upgrade instructions and information on upgrade paths, see Upgrading EJBCA.

EJBCA 7.8.0.1 is included in EJBCA Hardware Appliance 3.9.1 and EJBCA Cloud 2.9.0 and can be deployed as EJBCA Software Appliance.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in EJBCA 7.8.0 and 7.8.0.1, refer to our JIRA Issue Tracker.

Issues Resolved in 7.8.0.1

Released October 2021

    Improvements

    ECA-10327 - Reduce CRL and OCSP Validities by 1 second

    Bug Fixes

    ECA-10303 - Throwaway CA Revocation Broken in 7.6.0

Issues Resolved in 7.8.0

Released September 2021

    Improvements

    ECA-8561 - Add a validation check for Configdump Handlers

    ECA-9685 - Improve German translation for AdminWeb and RA

    ECA-9752 - Access control too restrictive when searching for end entities using EjbcaWS.findUser

    ECA-10069 - Enroll menu in the RA web is not shown until the rule create_end_entity is set to Allowed

    ECA-10120 - Deploying EJBCA with oracle 19c DB

    ECA-10183 - CABF Compliance: EJBCA follows redirect to other ports than BR 1.7.6 Authorized Ports when validating ACME http-01 challenge

    ECA-10205 - Would like to be able to specify key sizes and curves in clientToolBox stresstest

    ECA-10208 - Fix message typo: modifyable = modifiable

    ECA-10235 - Documentation: Not possible to use custom DN attributes with number 200, as recommended in sample file

    ECA-10247 - Ant target for ACME system tests is broken

    ECA-10248 - Security issue

    ECA-10249 - Extend CLI recover command with delta functionality

    ECA-10309 - Implement transaction-aware direct publishing

    Bug Fixes

    ECA-9235 - Validity of CVC certificate view in RA web should display only full days

    ECA-9551 - Permission Loss on EEP Import

    ECA-9850 - Configdump exports "CAs to check" for Services, even when it is not applicable

    ECA-9991 - Regex validation breaks Certificate Profile field update

    ECA-10068 - Possible to view end entities in RA web though the role is set to Deny

    ECA-10071 - Enrollment code can not be empty when setting status to generated in RA Web

    ECA-10142 - Regression: Notification Subject field in End Entity Profile currently max 40 characters.

    ECA-10147 - CA activation should not require /ca_functionality/edit_ca access

    ECA-10182 - OAuth is not working with Ping ID

    ECA-10185 - REST endentity add user with PEM token fails

    ECA-10190 - EST Client mode does not properly parse DN for UID attribute

    ECA-10191 - Cannot edit end entity after enabling revocation upon issuance

    ECA-10192 - Issuance revocation reason not set by the RA web

    ECA-10193 - Pre-Sign Linting is Not Possible for a CA with P-384

    ECA-10199 - Enrollment with PublicWeb does not consider the key specification selected by the user

    ECA-10200 - Clicking on Audit Log Details column scrolls to the top left of the page

    ECA-10201 - The text in the "Profile Description" field of the End Entity profile is not holding after saving the End Entity profile.

    ECA-10204 - Proper formatting for worker.properties when creating OCSP Presigner service using ejbca.sh cli

    ECA-10210 - OCSP Transaction / Audit log upgrade doesn't work

    ECA-10212 - Multiple COUNTRYOFCITIZENSHIP / COUNTRYOFRESIDENCE are silently discarded

    ECA-10215 - Database interruption during publishing can cause certificates to be lost

    ECA-10218 - Custom extension of type BITSTRING is encoded with double bytes when empty octet is removed

    ECA-10220 - Regression: ManagementCA fails to renew due to OID error, after editing CA

    ECA-10233 - Why does ant runinstall set the clear password

    ECA-10240 - Complete description texts for fields in the AcmeConfiguration

    ECA-10241 - Autoenrollment menu link not visible in add/search end entity pages

    ECA-10244 - RA Web Search for Certificate by full serial name does not work with Serial Number Octet Size less than 8

    ECA-10246 - Fix ACME Name Generation Scheme Re-enrollement + Tests

    ECA-10277 - Security Issue

    ECA-10289 - Upgrade problem EJBCA 7.4.3 to 7.7.0

    ECA-10290 - fix ConfigdumpOAuthKeyInfoUnitTest

    ECA-10305 - Implement EJBCA CLI command for getting relevant truststore

    ECA-10315 - Error when attempting to set name constraints via EJBCA WS