Changelog.txt
EJBCA 6.3.1.1, 2015-06-01
---
Bug
[ECA-4208] - OcspKeyBindings are not listed as available default responders
[ECA-4209] - Regression: Ad hoc upgrade of OCSP might be broken by the CachingCryptoToken
Improvement
[ECA-4038] - Have EJBCA DB CLI fail nicely when built in Community Edition
[ECA-4245] - GUI: CA creation page usability
[ECA-4260] - Add flowchart of SCEP enrollment/renewal to admin docs
Task
[ECA-4119] - Enterprise feature
[ECA-4120] - Enterprise feature
[ECA-4196] - Replace EJBCA logotypes in documentation
[ECA-4227] - Update EJBCA logo and favicon
EJBCA 6.3.1, 2015-03-26
---
Bug
[ECA-4044] - Ignore EJBCA test certificates from being published using the Peer connector
[ECA-4048] - Peer System: Failure to connect when list of trusted certs is empty
[ECA-4068] - Add PeerData to drop tables SQL script
[ECA-4073] - typo in exception 'Failed to write audit log...'
Improvement
[ECA-3146] - Allow a renewal of an external CA certificate by import
[ECA-3951] - Add a column to InternalKeyBindingPage/CLI to warn for inactive certificate
[ECA-4033] - Do not include administrators registered via certificate serial numbers in statedump
[ECA-4092] - Create module for separate enterprise and community specific implementation
[ECA-4093] - Lower log-level of CmsCAService "KEYSTORE is null..." message
[ECA-4117] - CMPProxy not updated to work with different cmpalias
New Feature
[ECA-3581] - Single Active Certificate Constraint
[ECA-3754] - CLI: Create a table utility
[ECA-4062] - WS API support to create a new CA and Superadmin certificate
[ECA-4063] - WS APIs for monitoring certificate expiration
[ECA-4064] - SCEP support for Client Certificate Renewal
[ECA-4159] - Show what version documentation applies to at all times
Task
[ECA-4145] - Document all audit log messages
EJBCA 6.2.9, 2015-03-26
---
Bug
[ECA-3619] - Wrong administrator removed from role when deleting at the same time with two separate CA admins
[ECA-3788] - CLI needs to set argument --password together with the value when setting it
[ECA-3879] - Fix logging of default OCSP responder properly
[ECA-4049] - Certificates of non-CAs are accepted when importing external CAs
[ECA-4071] - A base64 decoder exception is thrown when inspecting a specially-crafted CSR
[ECA-4122] - Typo in Crypto Token HSM Slot
[ECA-4148] - EJBCA WS Test test25CreateandGetCRL fails when delta CRLs are enabled
[ECA-4152] - "Renew Browser Certificate" should require notifications to be set.
[ECA-4156] - Regression: BaseCryptoToken has lost caching of keys since EJBCA4
[ECA-4160] - X509CertStoreSelector does not work as used in BC 1.51
[ECA-4173] - CLI command ca getcacert always outputs root CA certificate when using the -der option
[ECA-4179] - SCEP stress test regression
[ECA-4184] - WaitingForApprovalException declares property as public
Improvement
[ECA-4128] - Replace references to deprecated class DiskFileUpload
[ECA-4137] - Test throw away CA issuance over web service interface
[ECA-4181] - Several EjbcaWS tests fail when EEP-limitations are enabled
[ECA-4182] - Replace deprecated classes: PEMWriter, DERObjectIdentifier and DERTags
Task
[ECA-4090] - Remove broken NetID integration code
EJBCA 6.2.8, 2015-03-05
---
Bug
[ECA-3602] - jboss-cli.bat fails when called from jboss.xml on JDK >= 7.21
[ECA-3807] - Root CA key is always used when decrypting SCEP requests
[ECA-3963] - Save and Test Connection with CT publisher should fail if no CT logs are configured
[ECA-4043] - Timing issue in CaRenewCACommandTest
[ECA-4065] - "Renew" button still exists for a revoked CA, produces stacktrace
[ECA-4067] - Regression: Default RA Admin doesn't have access to the Add End Entity page
[ECA-4070] - External CAs turn up on the list of possible CAs when creating End Entities
[ECA-4074] - AlgorithmIdentifier of RFC 6960 id-pkix-ocsp-pref-sig-algs extension is not parsed correctly
[ECA-4083] - OCSP configuration per certificate profile id is used for CERTPROFILE_NO_PROFILE
[ECA-4094] - Remove extraneous authorization checks from PublisherDataHandler
[ECA-4095] - Incorrect log output in publisher authorization check
[ECA-4096] - Access rule /ca_functionality/edit_publishers does not allow role to edit publishers
[ECA-4101] - Security Issue
[ECA-4103] - References to deprecated rule '/super_administrator'
[ECA-4107] - Allow creation of non standard conformant RAW custom extension
[ECA-4110] - Approve Action - NPE after click on the username
[ECA-4112] - Regression: External CAs not listed as "Available CAs" in CLI when using addadmin
[ECA-4116] - Remove notes and test extension from certextensions.properties
[ECA-4131] - CT options can't be changed when using only publishing
[ECA-4136] - HardToken Certificate Profile Type has wrong label
Improvement
[ECA-3831] - adminmenu.jsp still refers to legacy /superadmin rule
[ECA-4011] - Disable "Name Constraints" fields when External CA is selected
[ECA-4018] - Upgrade to BouncyCastle 1.51
[ECA-4039] - Improve HealthCheck free memory control
[ECA-4053] - Speed up HSMKeyTool stress test
[ECA-4087] - Update EJBCA copyright notice to match homepage
[ECA-4098] - Make sure that CAs in add/edit end entity screen are arranged alphabetically
[ECA-4108] - Possibility to disable CT submission for existing non-CT certificates
[ECA-4111] - Upgrade cert-cvc subproject to BC 1.51
[ECA-4114] - Sort CryptoTokens by name when creating a new Key Binding
[ECA-4139] - Editing CMP, SCEP and system configuration requires root privileges
Master Ticket
[ECA-3971] - Improve OCSP responder performance
[ECA-4054] - Reload CA certificate cache in the background
[ECA-4055] - Avoid unnecessary OCSP response signature checks
[ECA-4072] - Avoid interactions with AuditLogger and TransactionLogger when disabled
[ECA-4082] - Improve OcspServlet.addRfc5019CacheHeaders
[ECA-4084] - Improve OCSP HSM signing thread behaviour
[ECA-4085] - Additional caching of objects that are the same between multiple OCSP requests
New Feature
[ECA-3976] - Cache SCTs in OCSP responses
[ECA-4052] - Allow override of EJBCA's subject DN ordering in web service call for issuing certificate
[ECA-4106] - Allow to specify number of SCTs in OCSP responses
Task
[ECA-4060] - Create a subtarget to ant ziprelease that creates a versioned zip of the statedump source.
EJBCA 6.3.0, 2015-01-14
---
Bug
[ECA-2478] - UnrevokeEndEntity unrevokes cert but not user
[ECA-3528] - GUI: Some messages not localized in Admin Web
[ECA-3590] - Cache the slot list
[ECA-3598] - Fix handling of invalid ZIP contents when importing certificate profiles
[ECA-3599] - Fix handling of invalid ZIP contents when importing end entity profiles
[ECA-3609] - Name constraints properties are duplicated in CLI editca command
[ECA-3631] - database valid connection sql for VA publisher is taken from database.properties instead of va-publisher.properties
[ECA-3634] - OCSP does not audit and transaction log UNAUTHORIZED messages
[ECA-3656] - Forbidden characters can be allowed
[ECA-3719] - GUI: Publisher page usability
[ECA-3745] - Some languages do not have the standard language code
[ECA-3797] - Statedump incorrectly tries to export full BasePublisher object
[ECA-3804] - httpsserver.an (altname) is ipaddress 127.0.0.1 by default, and no dnsName matching CN
[ECA-3813] - GUIDGeneratorTest fails intermittently
[ECA-3841] - JAR file used by CT should be rebuilt for JDK6
[ECA-3849] - Admin must be authorized to all CAs to import keybinding certificate
[ECA-3855] - Loading saved CMP configuration referencing a deleted EEP results in NPE
[ECA-3892] - GUI: A lot of event messages not set in "View Log"
[ECA-3908] - Allow OcspKeyRenewalTest to run predictably on system with existing AuthenticationKeyBindings
[ECA-3949] - Status parameter in "keybind create" command shouldn't be case sensitive
[ECA-3960] - CaPKCS11SessionTest fails and never recovers if test is aborted
[ECA-3968] - Sort and count peer connectors correctly in statedump
[ECA-3993] - ejbca-db-cli does not work due to PeerConnector
[ECA-4003] - "CRL Updater" service doesn't update the CRL
[ECA-4012] - Reject IP addresses in dNSName name constraints
[ECA-4032] - Regression: Key Recoverable not set in EE when activated and required in profile
Improvement
[ECA-2272] - Refactoring some DN attributes and Alternative names naming
[ECA-2340] - GUI: Audit Log usability
[ECA-2576] - New key sizes available in certificate profiles
[ECA-3043] - Document SameRequestRateLimiter better
[ECA-3256] - Split the va-war module into its logical parts
[ECA-3412] - Rework VA/OCSP documentation
[ECA-3414] - Clean up Exception handling in SignSessionBean
[ECA-3601] - Enterprise feature
[ECA-3654] - Enterprise feature
[ECA-3674] - Allow certificate validity before current date using end entity ExtendedInformation
[ECA-3720] - GUI: Certificate Profile page usability
[ECA-3726] - Make CertSafe implement CustomPublisherUiSupport
[ECA-3746] - GUI: Displaying the language name in configuration sections
[ECA-3753] - Add OpenSC PKCS#11 to default crypto token library path
[ECA-3769] - CryptoToken usage should also include internal key bindings
[ECA-3773] - Add NIST PIV Card Authentication extended key usage
[ECA-3809] - Improve the message for signed SubCAs regarding the need of *.pem or *chain.pem
[ECA-3824] - CertSafePublisher should use a dropdown pane for setting authentication keybindings
[ECA-3854] - Optimize Language tool
[ECA-3869] - Sort key aliases by name in InternalKeyBinding edit view
[ECA-3874] - RSA 4096 keys pre-selected in Crypto Token form
[ECA-3891] - GUI: Firefox CRLs direct import removed
[ECA-3930] - CryptoTokenManager: Add a column for auto-activation status.
[ECA-3955] - Add some missing OCSP system tests
[ECA-4051] - Correct documentation of CLI command when updating a CMP alias
Master Ticket
[ECA-3144] - Improved sub system integration (EJBCA Peer Systems)
[ECA-3652] - Create PeerMessage datatype, ORM and CRUD beans
[ECA-3653] - Create basic JSF pages for Peer mgmt
[ECA-3659] - Connect GUI with CRUD
[ECA-3671] - Add auth checks to CRUD bean
[ECA-3694] - Milestone: Make PingMessage work from a PeerConnector created in the GUI
[ECA-3699] - Outgoing TLS configuration as part AuthenticationKeyBinding
[ECA-3700] - Rename peerconnector-common to *-ejb and move common classes under ear/lib/..jar
[ECA-3702] - Basic publishing to peer system
[ECA-3704] - Framework for making custom publisher configuration nicer
[ECA-3710] - Do parallel publishing when the same thing is published to multiple targets
[ECA-3711] - Changes to publishing API for efficient publishing of full CertificateData (and Base64CertData)
[ECA-3712] - Efficient resynchronization of data between CA and Peer VA
[ECA-3715] - Requested capabilities should be saved when creating peer connector
[ECA-3722] - Create CLI support for PeerConnector
[ECA-3742] - Publish the same updateTime that is used in the CA's database
[ECA-3751] - Manual renewal of OcspKeyBinding at peer
[ECA-3752] - Behavioral configuration for PeerConnectors
[ECA-3756] - Make InternalKeyBinding access rules configurable
[ECA-3757] - Minor PeerConnector refactoring and documentation
[ECA-3759] - Service for automatic renewal of remote key bindings
[ECA-3762] - Documentation: Create a security model for PeerConnectors
[ECA-3770] - PeerConnector GUI improvements
[ECA-3775] - Forbid start and return error when background task with same id exist
[ECA-3777] - ListPeersCommand improvements
[ECA-3778] - Drop concept of capabilities and use regular access rules framework
[ECA-3781] - Improve peer message format
[ECA-3782] - Stop connection pool and prevent start when peer connector is disabled or URL changes
[ECA-3784] - More fine grained access rules for peer connectors
[ECA-3785] - Disable plain http connections for peers
[ECA-3786] - Shorten peer connector Servlet URL
[ECA-3787] - Option for synchronization dry run
[ECA-3803] - Peer connector system tests
[ECA-3805] - Propagation of peer connection errors to UI
[ECA-3806] - CLI for generic peer connection settings
[ECA-3810] - Minor PeerConnector GUI improvements
[ECA-3811] - Lookup authentication token at pool startup
[ECA-3825] - Allow one AuthenticationKeyBinding to be used per Peer Connector
[ECA-3833] - JEE5 support for enterprise edition only SSBs
[ECA-3839] - Use one connection pool per outgoing id instead of URL
[ECA-3840] - Cache PeerOutgoingInformation objects
[ECA-3846] - More fine grained errors than UnknownMessageTypeResponse without information leakage
[ECA-3850] - Use separate GlobalConfiguration for peer connections
[ECA-3867] - Correct peer module license headers
[ECA-3876] - Statedump support for peer connectors and configuration
[ECA-3881] - Improve error message when peer responds with an unknown or broken message
[ECA-3882] - PeerConnector: Ugly errors when using illegal characters in URL
[ECA-3898] - Adjust logging of handled failures during peer publishing
[ECA-3899] - Show mismatched access rules for incoming peer authorization instead of fixing it
[ECA-3923] - Handle additional server side certificate end entity alias from PeerConnectionsTest
[ECA-3928] - Rename Remote Systems menu item to "Peer System"
New Feature
[ECA-3705] - Create a plugin interface for rules
[ECA-3800] - get the certificate of an ocsp keybinding
[ECA-3885] - New signature algorithm SHA512withECDSA
Task
[ECA-3962] - EJBCA Enterprise feature
EJBCA 6.2.7, 2015-01-14
---
Bug
[ECA-3902] - Update EJBCA user guide documentation
[ECA-3973] - OCSP key renewal for all keys leads to NPE when logging
[ECA-3977] - Regression: CMP algorithmId lacking DERNull when using PKCS#11
[ECA-3978] - End entities aren't sorted in statedump output
[ECA-3983] - External CAs turn up on the "CA Activation" list.
[ECA-3991] - CertTools.stringToBcX500Name fails for sn=#foo
[ECA-3994] - ejbca-db-cli copy command does not work due to invalid temp files
[ECA-3995] - Upgrade documentation for CMP has wrong ordering of arguments
[ECA-4000] - Potential security issue without known exploit
[ECA-4007] - "Certification Authorities" and "Publishers" missing from admin menu with access rule /ca_functionality (recursive, accept)
[ECA-4009] - Post upgrade fails when old admin groups don't exist
[ECA-4014] - CRL Downloader doesn't store empty CRLs
[ECA-4019] - Wrong error message for Name Constraint violations with short subject DNs
Improvement
[ECA-3798] - Statedump: Incorrect number of end entity profiles are logged as exported
[ECA-3970] - Log in OCSPResponder when revoked OCSP certificates are read to the cache
[ECA-3984] - Debug log HTTP response body on CT log error
[ECA-3985] - Edit CA page load is slow with many keys in referenced Crypto Token
[ECA-3986] - Optimize CAToken.getTokenStatus
[ECA-3989] - Allow recovery from a bad upgrade of CA Tokens to CryptoTokens
[ECA-3992] - Remove critical BC warnings in order to upgrade BouncyCastle to version 1.51
[ECA-4008] - Port adjustable transaction timeouts to JBoss 7 / EAP 6
[ECA-4017] - Remove database lookups that can be read from cache
[ECA-4024] - Add a [?] link from the User Data Sources page to the admin guide
New Feature
[ECA-4006] - Add test for legacy subject encoding with override enabled via CMP
EJBCA 6.2.6, 2014-12-03
---
Bug
[ECA-3608] - EJB CLI cryptotoken create command issues
[ECA-3828] - Regression: HttpMethodsTest and WebdistHttpTest test failures
[ECA-3862] - Security Issue
[ECA-3931] - Key recovery fails when user data has changed CA
[ECA-3933] - Symmetric keys in crypto token's HSM slot prevent listing of slot keys
[ECA-3935] - Regression: Wrong key length used when creating keystore from public web
[ECA-3936] - Extra space at end of line in transaction log.
[ECA-3937] - Result of stand-alone JUnit tests are discarded during ant test:run
[ECA-3943] - Fix ServiceManifestBuilderTest
[ECA-3944] - superadmin.cn value lacks quotes in cli.xml
[ECA-3948] - OCSP log values ISSUER_NAME_DN and SIGN_ISSUER_NAME_DN contain SERIALNUMBER= instead of SN=
[ECA-3958] - Cannot create new CertSafe publisher
[ECA-3969] - Default OCSP responder is not used for external CAs without OCSP key binding
[ECA-3972] - PKCS#11 keys aren't extractable when they should be
Improvement
[ECA-3916] - WS: Return the EndEntity/Certificate profile of a specific profile ID
[ECA-3927] - Make systemtests.properties available to peer module and PKCS#11 system tests
[ECA-3938] - Add a regression test for ocsp.nonexistingisrevoked
[ECA-3942] - Improve logging of ServiceManifestBuilderTest failures
[ECA-3954] - Improve the properties output of InternalKeyBindingListCommand to show default property values
[ECA-3956] - OCSP response if the requested certificate is revoked is identical in logs to case where issuer of signing cert is revoked.
[ECA-3967] - Update httpclient and httpcore to latest version
New Feature
[ECA-3939] - Add EV Certificate specific DN components
EJBCA 6.2.5, 2014-11-14
---
Bug
[ECA-3901] - Possible NPE when debug is enabled
[ECA-3906] - Missing key in CryptoToken for mapped purpose in CAToken will hang healthcheck
[ECA-3907] - CAToken to CryptoToken upgrade failure
[ECA-3909] - InternalKeyBindingMgmtSessionBean.generateNextKeyPair fails if nextKey already exists
Improvement
[ECA-3723] - Allow verbose preference for CLI
[ECA-3866] - JavaDoc CLI enums
[ECA-3905] - Add instructions how to import certificate profiles in GUI
[ECA-3915] - External RA GUI browser enroll does not work with FF 33 and later
New Feature
[ECA-3900] - Allow CT log publisher to use HTTP Proxy java system settings
EJBCA 6.2.4, 2014-10-29
---
Bug
[ECA-3633] - CMP response caPubs field contain entity certificate instead of CA certificate
[ECA-3657] - RA administrator, failure while Approvement
[ECA-3716] - Regression: Externally imported CAs appear in list of signers when creating a CA
[ECA-3718] - Fix using trusted certificates in Internal Key Binding
[ECA-3776] - Prevent API call from setting InternalKeyBinding status to "active" if there is no referenced certificate
[ECA-3814] - getcacert does not return CA Certificate
[ECA-3822] - CertSafePublisher.testConnection doesn't test URL properly
[ECA-3834] - CertSafePublisher does not work under JDK6
[ECA-3845] - Certificate Transparency, not selecting any CT log passes issuance even if Min SCTs is 1
[ECA-3853] - AKID is different from CA SKID in CRLs, if not using SHA1
[ECA-3868] - Attempting to use a non-ocsp certificate for an OCSPKeyBinding fails silently
Improvement
[ECA-3826] - ant install shows annoying but harmless error messages
[ECA-3843] - Create a link from basic access rules page to documentation
[ECA-3848] - Shift GlobalConfiguration* to CESeCore, make plugin friendly
[ECA-3860] - New call to get registered global configuration types
[ECA-3889] - Allow more than one IKB renewal per second
New Feature
[ECA-3580] - Certificate Transparency: Private Domains
[ECA-3794] - Default OCSP responder improvements
Task
[ECA-3801] - Enterprise feature
EJBCA 6.2.3, 2014-09-25
---
Bug
[ECA-3749] - Batch generation information for end entities in statedumps ignored during import
[ECA-3755] - Regression: Modifying approval settings when editing a certificate profile is broken
[ECA-3760] - Possible ClassCastException when using Subset of SubjectDN in Certificate Profile
[ECA-3763] - InternalKeyBinding.getListOfTrustedCertificates trusts everything if specified with a non existing certificate
[ECA-3765] - ca init command in cli.xml is missing two switches
[ECA-3779] - Values from first loaded certificate profile is shown and saved when editing other profiles
[ECA-3783] - Statedump can not export (custom)publisher where all classes are not on statedump classpath
New Feature
[ECA-3437] - Cert Safe Publisher for EJBCA
EJBCA 6.2.2, 2014-09-03
---
Bug
[ECA-3683] - Statedump: For an uninitialised CA, it appears in its own list of possible issuers.
[ECA-3687] - Error upgrading old installations to JBoss 7 (jboss serialization)
[ECA-3692] - Regression: Certificate and CRL store download pages empty after server restart
[ECA-3695] - 100% upgrade from EJBCA 4 to 6 fails on CertificatePolicy
[ECA-3696] - If there are Ocsp key binding with messed up certificate, you can get NPE
[ECA-3698] - Clear all caches makes crypto tokens off-line
[ECA-3714] - Authority Information Access is deselected in Certificate Profiles under some circumstances when upgrading from EJBCA 4 to EJBCA 6
[ECA-3721] - Import of internal key bindings via statedump requires crypto token to be online
[ECA-3725] - EJBCA CLI prompts twice for the CLI password when using -p
[ECA-3727] - Deprecated (null) extended key usages visible in Certificate profile
[ECA-3729] - Statedump: Properties object is copied the wrong way when generating cryptotoken keys from a template
[ECA-3730] - Not finding some OCSP request signer certificate in DB
[ECA-3732] - clientToolbox ocsp test was not updated after the root certificate was removed from the certificate chain in the OCSP response.
[ECA-3733] - cryptotoken create command requires attr flag
[ECA-3735] - Statedumped end entities do not keep clear password settings
[ECA-3736] - Unable to "Save and Initialize" externally-signed sub-CA imported via statedump
[ECA-3744] - InternalKeyBindingCreateCommand misses a null check for missing cryptotokens
Improvement
[ECA-3688] - "ant build" fails on JBoss EAP 6.2 installed via RPM package from Redhat repositories
[ECA-3690] - Possible information leakage
[ECA-3691] - Improve message when profile changes name during work in the GUI
[ECA-3707] - Do not generate non-active XKMS and CMS certificates as it can violate name constraints
New Feature
[ECA-3149] - OCSP responder support for CertId using SHA256 in OCSP requests
Task
[ECA-3703] - Upgrade tomahawk to latest 1.1.14
EJBCA 6.2.1, 2014-08-06
---
Bug
[ECA-3589] - First CRL not created when initialising root CA after statedump import
[ECA-3613] - Regression: The CLI doesn't parse the value ca.name from install.properties if it contains spaces.
[ECA-3615] - SECURITY: Security issue
[ECA-3617] - Allow Enterprise Edition to run system tests sans Statedump
[ECA-3620] - Import/export profiles rendered during unrelated operations
[ECA-3621] - Can't save or initialize uninitialized (= statedump imported) externally-signed CA
[ECA-3635] - Regression: Missing user notice and CPS in certificate policy extensions
[ECA-3643] - Autoactivate switch in CryptoTokenCreateCommand is obfuscated
[ECA-3645] - CLI complaining about unknown CA with id 0 (Improve output for unbound admins)
[ECA-3648] - Importing certificate - no email specified error
[ECA-3650] - Changing the Subject DN on an uninitialized (=statedump-imported) CA causes all extended services to be lost
[ECA-3661] - Statedump can't import PKCS#11 cryptotokens with slots referenced by label
[ECA-3664] - Invalid key specification for uninitialised key after importing a statedump
[ECA-3670] - Fix exceptions when excluding system/cmp/admin config in statedump
[ECA-3675] - Not all defined external RA datasources added in persistence.xml
[ECA-3679] - Regression: CA soft keystore pwd is always default when creating CA using CLI
[ECA-3685] - Int to Long cast exception upgrading OCSP
Improvement
[ECA-3501] - Create CryptoToken key aliases (needed for InternalKeyBindings) during statedump import
[ECA-3592] - Update CA IDs for uninitialised CAs when saving
[ECA-3606] - Make HSM system tests configurable
[ECA-3618] - Configurable environment for testAdminWebSecurityHeaders
[ECA-3622] - Fix cosmetic issues with statedump
[ECA-3624] - Hide Name Constraint textboxes for external CAs without keys
[ECA-3625] - Handle external CAs (=without keys) in Statedump
[ECA-3626] - Proper setup of environment for testAuthenticationWithMissingCertificate
[ECA-3630] - Allow importing Key Bindings in statedump even when key aliases are missing
[ECA-3638] - Don't include external CAs in statedump export by default
[ECA-3640] - Modifying uninitialised CAs (from statedump) even if keys are missing/crypto token is offline
[ECA-3662] - Don't export end-entity passwords from statedump
[ECA-3663] - Don't export crypto token auto-activation passwords in statedump
[ECA-3665] - Import all crypto tokens in inactive state during statedump import
[ECA-3666] - Better error message during statedump export if crypto token is offline
[ECA-3667] - Show warnings during statedump export for exclude patterns that did not match anything
[ECA-3668] - Improve options format of statedump tool
[ECA-3669] - Better warning/error output in statedump utility
[ECA-3677] - Do not allow export of CA keystores not protected by password
[ECA-3689] - Improve parameter naming per internal suggestions
New Feature
[ECA-3636] - Statedump CLI command to initialize statedump-imported CA
[ECA-3637] - Ability to limit what is exported in statedump
[ECA-3639] - Placeholders for keys in crypto tokens imported via statedump
[ECA-3642] - Include end entity information in statedump
EJBCA 6.2.0, 2014-06-18
---
Bug
[ECA-3216] - Return unsigned response "unauthorized" when no default responder configured, or wrongly configured
[ECA-3299] - OCSP request signer verification does an additional database lookup
[ECA-3454] - Inconsistent skip options for state dump import
[ECA-3481] - Minor security hardening
[ECA-3489] - Fail fast creating CVCCAs when unique certificatedata_idx12 is enabled
[ECA-3492] - renameRole() tries to change primary key and triggers a HibernateException
[ECA-3495] - The public part of a key is still on the P11 token after the private part is removed.
[ECA-3496] - java.lang.IndexOutOfBoundsException when selecting empty crypto token for internal key binding
[ECA-3499] - Overwriting a CA with StateDump can leave cert/ee profiles in an invisible state
[ECA-3506] - ejbca-ws-generate target missing dependencies
[ECA-3517] - "Lock wait timeout exceeded" when disabling multiple access rules with MariaDB Galera
[ECA-3518] - NPE if only period length is provided for private key usage period
[ECA-3521] - Certificate & End-Entity Profiles with missing CAs become invisible, even for superadmin
[ECA-3534] - NullPointerException when adding a user without password
[ECA-3535] - State dump unselects "Any CA" from profiles during import
[ECA-3536] - ejbca-db-cli does not work since change to use ServiceLocator
[ECA-3537] - Clean up exception handling in CertificateCreateSession
[ECA-3551] - Certificates are not submitted to CT when generated from CLI, etc.
[ECA-3582] - CMP can not handle some valid CSRs.
[ECA-3587] - Update default Modifiable Fields in User Data Sources
[ECA-3588] - Regression: PrintableString encoding for DNs does not work
[ECA-3594] - Security related
[ECA-3596] - Creating limited CertificateData fails with certain databases
[ECA-3605] - Error when trying to create authenticated CVC CSR
Improvement
[ECA-631] - Enforce naming constraints present in CA-certificates
[ECA-2126] - Certificates that are issued in revoked state should never be active
[ECA-2690] - Create a CLI parameter handler
[ECA-3320] - Simpler format for specifying CA validity dates
[ECA-3468] - Implement statedump Subject DN renaming properly inside EJBCA
[ECA-3477] - Give focus to incorrectly marked fields in edit CA page
[ECA-3482] - Minor security hardening
[ECA-3483] - Minor security hardening
[ECA-3484] - Minor security hardening
[ECA-3490] - ICAO Master List Signer extended key usage
[ECA-3491] - Allow system tests to target non-localhost interface
[ECA-3494] - Suppress repeated OcspSigningCache warnings
[ECA-3502] - Allow system tests to use HSM when available
[ECA-3503] - SSB cached in CertificateCache
[ECA-3509] - ExternalRA: Oracle Database Support in database mapping setup
[ECA-3510] - Replace references to java.util.Vector
[ECA-3513] - Audit log when a CT pre-certificate is generated and sent to a log
[ECA-3515] - SCEP: Rewrite the configuration process to use one URL and multiple aliases
[ECA-3516] - SCEP: Implement configuring SCEP in the AdminGUI
[ECA-3519] - Minor security hardening
[ECA-3524] - Improve memory usage during CRL generation
[ECA-3525] - Do not use the HSM for hashing when signing data
[ECA-3531] - SCEP: Remove DefaultCA configuration
[ECA-3532] - Fix documentation of the command "ejbca.sh config cmp uploadfile"
[ECA-3538] - clientToolBox p11 test multiple times in same jvm, to test if objects on a p11 token can be updated from another application.
[ECA-3540] - External RA: Oracle Database mapping support in RA GUI
[ECA-3544] - Make error messages and success messages easier to distinguish
[ECA-3547] - GUI: Better item order for the System Functions menu
[ECA-3555] - CLI: able to list key bindings with non existing cryptotokens
[ECA-3557] - Add simplified CAInfo constructors
[ECA-3561] - Request subCA certificate from external CA without uploading the chain
[ECA-3565] - Rewrite Certificate Profile page in JSF
[ECA-3566] - Encapsulate HashID properly
[ECA-3569] - Effectivize the reloading of CaCertificateCache
[ECA-3572] - Use JavaScript for certificate installation redirect in public web
[ECA-3579] - Remove CERT_TEMP_REVOKED since it's not used
New Feature
[ECA-688] - Import / Export profiles from WebUI
[ECA-2114] - Rename EJB CLI for fetching CA certificates from getrootcert to getcacert
[ECA-3109] - Add native support for Name Constraints
[ECA-3123] - ICAO DocumentType List certificate extension
[ECA-3124] - Add the Issuer Alternative Name certificate extension to the GUI
[ECA-3530] - Ant targets for creating source and binary releases of CESeCore
[ECA-3542] - Support for IE11 in Public Web
[ECA-3543] - Support IE11 in External RA GUI
[ECA-3559] - Service for populating database with revocation status of certificates from CRL
[ECA-3584] - Choice of token type in Public Web self-registration page
Task
[ECA-3394] - French language files updated for the new functionalities
[ECA-3419] - CAAdminSessionBean.exportCAKeyStore throws Exception
[ECA-3478] - Have all system tests write results to the same directory
[ECA-3546] - French language files updated for SCEP Configuration
[ECA-3420] - Convert all EJB CLI commands to the new standard
EJBCA 6.1.3, 2014-04-28
---
Bug
[ECA-3520] - CAs from statedump signed by external CA cannot be initialised
[ECA-3523] - Backport Statedump bug fixes to 6.1
[ECA-3526] - GUI: Missing l10n message keys in CMP Alias Edit page
[ECA-3527] - GUI: Misspelled DN attribute in CMP Alias Edit page
EJBCA 6.1.2, 2014-04-09
---
Bug
[ECA-3514] - Browser enrollment link is generated with incorrect encoding
EJBCA 6.1.1, 2014-03-27
---
Bug
[ECA-3479] - Regression: OCSPSigningCache debug causes an NPE for internal OCSP default responders
[ECA-3480] - Regression: Creating a CA in Adminweb issues Stacktrace
[ECA-3485] - Regression: Certificate Profiles with EAC 2.10 AT role doesn't work with database protection
[ECA-3487] - Regression: Unique certificatedata_idx12 is not detected
EJBCA 6.1.0, 2014-03-24
---
Bug
[ECA-3179] - Regression: NoTicket (r17302) introduced a dependency on EJBCA in a CESeCore test class
[ECA-3182] - Regression: ECA-2988 introduced a dependency on EJBCA in a CESeCore test class
[ECA-3427] - Syntax for jboss-cli.bat through ant targets fails in Win
[ECA-3432] - CertificateCreateException: java.lang.NumberFormatException: For input string: "LU002" when trying to create a foreign DVCA
[ECA-3433] - OcspResponseGeneratorSessionBean.init should not throw AuthDeniedException
[ECA-3435] - JUnit failure in PublisherTest when DB protection enabled, add subjectKeyId to CertificateInfo
[ECA-3439] - Creating a CA with DN: <anyfield>=, creates a StringIndexOutOfBoundsException
[ECA-3447] - Regression: serial numbers in administrator list are not clickable
[ECA-3452] - Make sure that decline+recursive rules aren't saved from the GUI
[ECA-3455] - Files missing from cesecore-common.jar
[ECA-3457] - Unnecessary WARN message
[ECA-3458] - Ant paths don't work Windows via jboss-cli
[ECA-3460] - State dump tool does not import any data with "-overwrite no"
[ECA-3467] - Mail from address is not configured
[ECA-3470] - SCEP operations may fail when using an HSM
Improvement
[ECA-3348] - Add individual OCSP get cache settings for revoked, unknown and good responses
[ECA-3351] - OCSP: don't include root certificate in response certificate chain
[ECA-3411] - Use SHA256WithRSA as default for ManagementCA
[ECA-3429] - Compile on Glassfish 4
[ECA-3430] - Compile on WildFly 8
[ECA-3434] - Upgrade Guava library in order to deploy in JEE7 container
[ECA-3440] - Support running clientToolBox EjbcWsRaCli with IBM java
[ECA-3443] - Allow empty values for start and end time without printing 'invalid' when adding end entity
[ECA-3445] - Document how to use slotLabels with clientToolBox
[ECA-3461] - Add encryption key information to key recovery data in database
[ECA-3472] - Improve usability of edit CA page by marking required fields
New Feature
[ECA-3133] - Support RFC6960 extension for client requested algorithm selection
[ECA-3350] - OCSP: Add option to include signer certificate or not
[ECA-3415] - CVC access control template for additional DGs
[ECA-3444] - Allow longer certificate serial numbers than 64 bits
[ECA-3449] - Show issuer and serialNumber after public web enroll
Task
[ECA-3450] - Update the Public Web logo filename for better integration
EJBCA 6.0.4, 2014-02-20
---
Bug
[ECA-3055] - Not authorized to edit publisher when publisher cache disabled
[ECA-3198] - Regression: ECA-2973 introduced a dependency on EJBCA in CESeCore test code
[ECA-3210] - CA upgrade when ExtRACAServiceWorker fails to persist
[ECA-3337] - KeyBind EJB CLI fingerprint reference is case sensitive
[ECA-3361] - Cannot deploy with web-services disabled
[ECA-3364] - ExternalRA: Allow SCEP GetCACaps without message parameter
[ECA-3366] - Syntax in jboss-cli.bat for passing commands fails in Win
[ECA-3372] - OCSP Archive Cutoff can give NPE
[ECA-3373] - init() method is not called on OCSP extensions
[ECA-3375] - CLI ca restorekeystore gives exception for soft ca
[ECA-3382] - Test files have lost character encoding, change source file encoding to UTF-8
[ECA-3383] - CertTools.genPKCS10CertificationRequest does not use the specified provider
[ECA-3386] - httpserver.external.privhttps default to 8443 even though httpserver.privhttps is set to something else
[ECA-3387] - Can not edit Sub CA signed by external CA
[ECA-3388] - editcapage.jsp contains a slightly confusing help text
[ECA-3389] - OCSP key binding properties visible for authentication key binding
[ECA-3392] - InternalKeyBindingDataSessionBean.getInternalKeyBindingForEdit(int) throws NPE if no value was found.
[ECA-3395] - Proper handling of certificate import/update when base64cert is not populated
[ECA-3396] - InternalKeyBinding error using Postgres 9
[ECA-3397] - Subject key ID not published by VA publisher
[ECA-3398] - java.lang.IllegalArgumentException thrown when importing OCSP key binding certificate
[ECA-3399] - Incorrect error message when editing uninitialised CAs if private keys are missing
[ECA-3401] - Can not generate keys on soft crypto token with allowExport=false
[ECA-3403] - Admin GUI create CRL fails with UTF-8 encoded CA DN
[ECA-3405] - StateDump test fails because of refactorization
[ECA-3406] - Trying to delete a non-existing keybinding causes NPE
[ECA-3408] - StateDump import overwrites CAs with the same name without asking
[ECA-3410] - StateDumpTest needs Hibernate compatibility jar
[ECA-3421] - Upgrade jar file
[ECA-3423] - Fix statedump overwrite response handling and test
Improvement
[ECA-2828] - Document authorization rules in EJBCA
[ECA-2982] - Add option to 'bin/ejbca.sh ca republish' command to republish only CA certificate and CRL
[ECA-3081] - Improved error message during batch generate when using invalid key size
[ECA-3082] - Improve message about configuration during batch generate
[ECA-3150] - Remove scripts used on ejbca.org from bundled documentation.
[ECA-3169] - Improve wording of some options of "Externally signed CA"
[ECA-3290] - Cache headers still present for OCSP responses containing nonce
[ECA-3365] - Audit log Internal Key Binding operations
[ECA-3370] - Allow import of OCSP certificates with non-repudiation key usage
[ECA-3371] - Make JBoss EAP 6 specific physical file deployment of BC provider
[ECA-3374] - Add JUnit test for OCSPUnidExtension
[ECA-3384] - Add a password argument to CaImportCACommand
[ECA-3385] - Move audit implementation classes to cesecore-ejb-interface
[ECA-3404] - StateDump test should run from test:runsys when available
[ECA-3407] - Optimize JBoss reload during deploy
[ECA-3409] - Sort XML in statedump exports in a deterministic order
[ECA-3424] - Regression: All cli commands prints out loading batch properties from default
Master Ticket
[ECA-3355] - Implement Certificate Transparency
Task
[ECA-3368] - Deploy on JBoss EAP 6.2.0 has disabled datasource by default
[ECA-3380] - Move keybinding implementation classes from cesecore-ejb-interface to cesecore-common
[ECA-3400] - Shift OcspExtension* to cesecore-common from cesecore-ejb-interface
Sub-task
[ECA-3377] - Create unit tests for all CLI Commands
EJBCA 6.0.3, 2013-12-30
---
Bug
[ECA-3293] - Customer specific LDAP Publisher should use correct time in loginfo attribute
[ECA-3297] - Other Rules for Supervisor role is not cleared if previously selected for another role type
[ECA-3339] - Statedump doesn't delete certain .jar files on "ant clean"
[ECA-3341] - Creating internal key binding with CLI does not consider types for property values
[ECA-3344] - Regression: PKCS11 sun config does not work
[ECA-3345] - Regression: Max-Age and Response validity no longer visible/editable for ocsp key bindings
[ECA-3346] - CMP Config CLI command should use lazy instantiation of remote EJB
[ECA-3349] - EJBCA deployment not working in WINx64 due to PKCS11
[ECA-3360] - Ejbca deployment tries to use jboss-cli.sh instead of jboss-cli.bat on windows
[ECA-3367] - Editing Key binding integer/long values in GUI removes the value (becomes default 0)
Improvement
[ECA-3289] - Do not cache "Unknown" OCSP GET responses
[ECA-3347] - Modify EJB CLI to use ServiceLocator
[ECA-3352] - Faster CLI start, use lazy instantiation in EJB CLI
[ECA-3359] - Move authentication tokens from cesecore-interface to cesecore-common
New Feature
[ECA-3314] - OCSP Archive Cutoff
[ECA-3332] - Add Extended Revoked Definition OCSP extension when returning revoked for non existing certificate
[ECA-3335] - Create a standalone manifest builder tool
Task
[ECA-3316] - Modularize EAC
[ECA-3338] - Modularize CMP vendor CA mode
[ECA-3340] - Modularize ValidationTool
[ECA-3342] - Make JUnit tests run for EJBCA Community
EJBCA 6.0.2, 2013-11-29
---
Bug
[ECA-2449] - Creating a CA without a valid SubjectDN causes double JS popups.
[ECA-3321] - Improve CMP configuration user interface
[ECA-3324] - Quote arguments of ca init during install
[ECA-3327] - SaferDailyRollingFileAppender extends wrong base class
[ECA-3328] - OCSP Signing cache should handle cache discrepancies gracefully
[ECA-3331] - EJBCA does not deploy without ejbca-db-cli sources available
[ECA-3334] - Change untilNextUpdate and maxAge properties in OcspKeyBinding from Integer to Long
Improvement
[ECA-3132] - Support returning "revoked" for unknown certificates in line with RFC6960
[ECA-3309] - Some versions of MySQL pick bad index mixing OR and AND
[ECA-3318] - CMP: Include certificate chain in certificate responses
[ECA-3323] - Reload OCSP cache manually
[ECA-3325] - Minimize locking in audit log's sequence counter
EJBCA 6.0.1, 2013-11-19
---
Bug
[ECA-3302] - Escaping of user-provided data when no characters are forbidden
[ECA-3303] - SECURITY: XSS issue
[ECA-3306] - Leaving out "Validity" with Javascript disabled gives an exception
[ECA-3307] - Renamed CAs not be overwritten by statedump
[ECA-3308] - OCSP HealthCheck does not work with InternalKeyBindings
[ECA-3310] - Wrong items are selected in uninitialized CAs
Improvement
[ECA-3295] - Allow editing most fields in uninitialized CAs
[ECA-3301] - Unify error messages for invalid username and pwd
[ECA-3312] - Can't create CAs with DSA extended services key
[ECA-3313] - Problems with extended services and uninitialized (statedumped) CAs
[ECA-3317] - Allow import even if not all files exist
Master Ticket
[ECA-3296] - Improve Statedump usability and fix bugs
New Feature
[ECA-3311] - Ability to choose names to not overwrite during statedump import
Task
[ECA-3305] - Modularize database integrity protection and database cli
EJBCA 6.0.0, 2013-11-08
---
Bug
[ECA-1015] - A ' is valid in an email address - but gets stripped by EJBCA.
[ECA-1640] - Sample code for advanced custom extension missing some arguments
[ECA-1947] - LDAPPublisher has problems with comma in DN
[ECA-2144] - ExtRA PKCS10Request does not set user status to FAILED after failed requests
[ECA-2150] - SignSessionTest.test37privateKeyUsagePeriod_both fails randomly
[ECA-2159] - Password not cleared issuing keystores
[ECA-2200] - CA defined certificate policy ignored when renewing CA
[ECA-2330] - Build failure for External RA with OpenJDK if JavaScript is not available
[ECA-2365] - OCSPCAService upgrade on every startup
[ECA-2393] - Create Certificate Authority Page only gives blank page on wrong validity input
[ECA-2442] - Multiple selectable email addresses in rfc822 altName gives wrong display in edit end entity
[ECA-2477] - Import CA does not generate initial CRL
[ECA-2527] - Wrong exception thrown in HardTokenSessionBean for some errors.
[ECA-2534] - Regression: Not checking that the administrator has the role defined in the hard token issuer any more.
[ECA-2547] - clientToolBox StressTestCommand always logs an error when a certificate is returned
[ECA-2669] - Still possible to create DECLINE RECURSIVE rules in CLI
[ECA-2689] - Misleading error message in JBoss log while trying create a sub CA from the CLI when the root CA is offline.
[ECA-2719] - Download of certificates from Admin GUI fails in Chrome when using "strange" usernames
[ECA-2734] - OCSP rekeying not implemented in trunk yet.
[ECA-2794] - EJB and WS CLI have bad type outputs
[ECA-2815] - OcspExtensionsCache should be made thread safe
[ECA-2834] - Unhelpful error message when changing permission rules for non-existing end entity profile in CLI
[ECA-2860] - Default CRL overlap time is set to 10 hours instead of 10 minutes for imported CA
[ECA-2863] - CMP FailInfo codes are sent as incorrect codes
[ECA-2865] - rfc822Name field can be edited when adding new end entity even if not marked as modifiable
[ECA-2877] - ant test:run breaks installation. Figure out why and fix
[ECA-2894] - Messing up the Validity field in Certificate Profiles gives no warning
[ECA-2905] - PrivateKeyUsagePeriod not matching notBefore of certificate when using validityOverride
[ECA-2914] - Filename of downloaded keystore file is truncated
[ECA-2918] - Clear all caches gives bad error message when host can not be reached
[ECA-2921] - Deprecate InitializeHardTokenIssuing
[ECA-2923] - JUnit class junit.framework.Assert has moved to org.junit.Assert
[ECA-2934] - Revoking a CA revokes all issued certificates, but with fixed reason
[ECA-2940] - Ant target test:runsys broken
[ECA-2952] - Update to new logo in renewal pages
[ECA-2958] - Wrong comments about PrimeCard
[ECA-2961] - Button for viewing CA certificate chain has incorrect text
[ECA-2964] - Native query mapping using MariaDB
[ECA-2977] - ProviderException not handled in BaseCryptoToken
[ECA-2989] - AccessTreeCacheTest can fail if reading the configuration takes too long time
[ECA-2994] - Broken property "xkms.response.causedforsigning" in defaultvalues.properties
[ECA-2996] - Update/set CryptoToken auto-activation PIN from EJB CLI
[ECA-3024] - Error during startup with integrity protected audit disabled
[ECA-3031] - Support EC key generation with ClientToolBox
[ECA-3035] - CA and CryptoToken creation not handled in a transaction.
[ECA-3036] - Cryptotoken prevents a CA to be created with the same name as a previous one.
[ECA-3046] - Help reference for Windows Autoenroll broken
[ECA-3052] - Minor authorization issue
[ECA-3054] - OcspResponseGeneratorSessionBean merely logs a failed signature attempt
[ECA-3056] - Issue PEM with full certificate chain from Public Web certificate request
[ECA-3057] - CryptoTokenManagement logs success deletion even if no crypto token is deleted
[ECA-3058] - CryptoTokenManagement logs success before action is tried
[ECA-3061] - Clean-up CAInterface bean and dependencies
[ECA-3065] - NPE: Inactive (including unsigned) CAs should be ignored by the OCSP Signing Cache
[ECA-3072] - Cmp default CA setting is DN in one place and CA name in another
[ECA-3074] - CMP TCP sets log level to FINEST for JBoss 7/EAP6
[ECA-3079] - Close all existent resource leaks
[ECA-3087] - 'bin/ejbca.sh ca info <unknownca>' tosses stacktrace instead of helpful error message
[ECA-3088] - Test missing for creating a subca from CLI
[ECA-3096] - 'ra finduser' command outputs password as 'null' if hidden.
[ECA-3098] - Regression: Home screen in Admin GUI shows online CAs to be offline for some roles.
[ECA-3101] - Regression: RequestMessage.getRequestX500Name returns SERIALNUMBER instead of SN
[ECA-3103] - Test failures because of left over stuff in database
[ECA-3107] - Investigate strange output from OCSP
[ECA-3111] - JBoss 7 / EAP 6 always binds to 127.0.0.1
[ECA-3113] - JBoss 7: Can't run ant install on HS with blank password
[ECA-3115] - JBoss EAP 6 freezes with WS stress test with 30 threads
[ECA-3117] - client toolbox p11 multi thread test fails when slot is given with TOKEN_LABEL.
[ECA-3121] - Regression: OCSP signing cache may fail to load on startup
[ECA-3129] - Keystore is used instead of truststore for validating client certificates
[ECA-3131] - Encode EC private keys in generated PKCS#12 keystores with NamedCurves
[ECA-3134] - JBOSS 7 / EAP 6 fails in deployment
[ECA-3138] - External RA IE cert enroll ignoring (override) of encryption provider selection
[ECA-3141] - Regression: ECA-3056 introduced a dependency on EJBCA in CESeCore code
[ECA-3142] - Regression: ECA-2973 introduced a dependency on EJBCA in CESeCore code
[ECA-3143] - Regression: ECA-3056 introduced another dependency on EJBCA in CESeCore code
[ECA-3176] - Regression: Keys possible for CA renewal are only RSA
[ECA-3177] - Data is not validated before being passed to org.bouncycastle.util.encoders.Base64.decode in findActiveCertificatesByType
[ECA-3183] - Healthcheck failure when there are not active OcspKeyBindings
[ECA-3184] - JBOSS7 /EAP 6 fails in installation
[ECA-3186] - Regression: Custom certificate extensions added to certextensions.properties
[ECA-3188] - Document Internal Key Bindings
[ECA-3197] - ClientToolBox requires that CA certificate be included CSP response in order to verify
[ECA-3200] - Healthcheck status is enabled when editing a CA
[ECA-3203] - Disable of CryptoToken auto-activation takes token offline
[ECA-3207] - Regression: ad-hoc upgrade of PKCS#11 keystore on VA responder not working
[ECA-3209] - Regression: OCSP default responder configuration uses subject instead of issuerDN
[ECA-3212] - Internal Key Binding certificate link has caid=0
[ECA-3213] - Regression: CA healthcheck does not check token status
[ECA-3215] - Roles renamed with RoleManagementSessionBean.renameRole get wrong primary keys
[ECA-3219] - OcspKeyBinding contains values that become cast to BigDecimals instead of Integers
[ECA-3220] - Regression: Reload OCSP signing cache uses wrong timer property, and a value of 0 makes timers go crazy
[ECA-3221] - Can't edit an OCSPKeyBinding without filling Serial Number (for Trusted Certificates) field.
[ECA-3223] - When new CA is generated with soft keys, unwanted warnings appear in jboss log
[ECA-3224] - Trying to create Internal Key Binding without crypto tokens gives NPE
[ECA-3227] - DirectoryCache should catch errors in initialization
[ECA-3234] - Hard Token Functionality header printed twice
[ECA-3235] - Unwanted warning in jboss-log when we create keys through AdminGUI
[ECA-3237] - cmpTcpProxy fails to start, missing defaultvalues.properties
[ECA-3239] - InternalKeyBindings with a deleted CryptoToken throw NPE when trying to view/edit
[ECA-3242] - Errors in jboss log when 'ca createcrl' and some CAs are not active
[ECA-3246] - Unwanted warning in jboss-log when running AuthenticationModulesTest
[ECA-3251] - Activating/deactivating CA logs as Crypto Token activated/de-activated
[ECA-3266] - EndEntityManagementSession.addUser throws a strange exception
[ECA-3269] - Unwanted warning in jboss-log when running XKMSKRSSTest
[ECA-3270] - Test 'testPublisherOperations' fails when running EjbcaWsCommonCriteriaTest
[ECA-3271] - External CESeCore configuration override is read from the wrong location
[ECA-3274] - Unwanted warnings in jboss-log when running RAApiTest
[ECA-3276] - Unwanted error in jboss-log when running CrmfRARequestTest
[ECA-3277] - Unwanted warning in jboss-log when running NestedMessageContentTest
[ECA-3279] - Fix issues in OCSP TransactionLogger
[ECA-3280] - Upgrade instructions need to be updated for JBoss 7 / EAP 6.1
[ECA-3281] - Fix upgrade message from 4.x to 6.0
[ECA-3284] - ValueExtractor fails for ApprovalId Integer in DB2
[ECA-3286] - Browser enroll Firefox does not take configured encoding into account
[ECA-3287] - OCSP signing exhausts threadpool after some time
[ECA-3288] - Saving "Other rules" when edit access rules does not work
[ECA-3294] - Security issue
[ECA-3300] - OCSP Transaction Logger outputs a newline between each log entry
Improvement
[ECA-519] - Move configuration file from bin/ to conf/
[ECA-786] - Email notification cannot be edited correctly
[ECA-1010] - Simplify installation procedure
[ECA-1398] - Enforce PrivateKeyUsage period when CAs issue certificates
[ECA-1594] - HashCode of Subject/Issuer DN in a certificate is not always the same as CA Id
[ECA-1814] - Make non consecutive ID possible for Extended Key Usage
[ECA-2023] - Trim the values in catoken.properties when importing a CA from CLI
[ECA-2049] - Constants in CertificateHelper should be final
[ECA-2164] - test01PinServiceToNodesIncludingThis is failing randomly
[ECA-2208] - Move authorization for hard tokens into hard token session bean and remove authorization caching.
[ECA-2225] - server TLS for mail requires manual configuration
[ECA-2367] - Refactor CrlCreateSession for CRL publishing
[ECA-2492] - Improve mysql-privileges script to allow users at different hosts etc
[ECA-2500] - Upgrade to BC v1.47
[ECA-2510] - Move methods in PublisherQueueSessionBean to local only.
[ECA-2528] - Clean SecConst
[ECA-2540] - Improve support for ipv6 in subjectAltNames
[ECA-2545] - SCEP GetCaCert operation doesn't support empty message
[ECA-2554] - CMP: Need better error message when a request is not signed by the sender
[ECA-2558] - Improve the run times of some system tests
[ECA-2561] - CMP: Remove repeated code to return the value cmp.authenticationparameter
[ECA-2565] - Move CliAuthenticationToken to authentication component
[ECA-2566] - Disallow server generated tokens when user submits a CSR in public web
[ECA-2568] - CMP: improve ConfirmationMessageHandler
[ECA-2582] - Make an enum for end entity types
[ECA-2623] - Use new BC API for CRL creation.
[ECA-2628] - Use BC CMP classes instead of Novosec
[ECA-2641] - Use BC 1.47 OCSP classes
[ECA-2680] - Clean HardTokenSessionBean of unnecessary AuthenticationToken parameters.
[ECA-2683] - Clean authorization handling in AdminPreferenceSessionBean
[ECA-2684] - Clean authorization in CertReqHistorySession
[ECA-2685] - Clean authorization in KeyRecoverySessionBean
[ECA-2686] - Clean Authorization in ServiceSessonBean
[ECA-2692] - Handle HSM timeouts - handle timeouts elegantly.
[ECA-2725] - CAInfo.setValidity should have long parameter
[ECA-2752] - Deprecate and stop using UserDataConstants. Use EndEntityConstants instead
[ECA-2757] - Add more getters and setters and null checks, use Lists instead of Collections where needed.
[ECA-2793] - Improve javadoc for RoleManagementSession
[ECA-2800] - Move OCSPUnid* classes from org.ejbca.core.protocol.ocsp to org.ejbca.core.protocol.ocsp.extension.unid
[ECA-2807] - Remove PrimeCardHSM references from documentation
[ECA-2821] - Increase concurrency in stand alone tests
[ECA-2826] - RoleManagementSessionBean requires additional authorization checks
[ECA-2840] - ant javatruststore -Dtrust.keystore parameter is treated relative to the ejbca/bin/ directory
[ECA-2857] - EndEntityAccessSession.findUserBySubjectAndIssuerDN should return a List
[ECA-2864] - Change the wording for the E-mail Domain option in end entity profiles
[ECA-2879] - Add custom serialno test that fails when there is no unique index
[ECA-2895] - Provide ability to provide the administrator password through file for new admins roles GUI with CLI user
[ECA-2903] - Simplify AuthenticationToken framework
[ECA-2908] - Support ECC for CMP signature protection
[ECA-2917] - Rename AdminCA1 to ManagementCA
[ECA-2941] - Unclear description of CRL publishing conditions in Validation Authority Publisher
[ECA-2943] - Modularize the CESeCore source tree
[ECA-2948] - Improve handling of default profiles when using CMP RA mode
[ECA-2957] - Add known PKCS#11 libraries as default available
[ECA-2965] - Allow password to be supplied via command line for clientToolBox PKCS11HSMKeyTool generate
[ECA-2970] - Log remote IP for ADMINISTRATOR_LOGGED_IN events and web service access
[ECA-2978] - Database connection problems can give stacktrace with no msg
[ECA-2986] - Property for hiding manual classpath entry from custom publishers and services
[ECA-2987] - Add debug logging in AccessTreeCacheTest
[ECA-3016] - Ugly errors creating CA with CLI when CryptoToken or CA already exists
[ECA-3018] - Exception classes should end with "Exception" not "Error"
[ECA-3020] - Fix tests using incorrect values for CRL settings
[ECA-3022] - Turn off autocompletion of password on public web
[ECA-3026] - Have parameters outputted from localized messages even if not found
[ECA-3027] - Improve CMP configurations possibilities
[ECA-3028] - Make possible using custom CMP configurations through alias in the URL
[ECA-3030] - Make possible to edit CMP configurations in the AdminGUI
[ECA-3033] - Upgrade BC from 1.49b01 to 1.49b15
[ECA-3062] - Simplify certificate enrollment page
[ECA-3064] - Disable CertReqHistory by default for new CAs
[ECA-3069] - Replace deprecated class org.bouncycastle.jce.PKCS10CertificationRequest with org.bouncycastle.pkcs.PKCS10CertificationRequest
[ECA-3091] - Detect browser directly instead of using of via the log-in page
[ECA-3093] - Re-sort menu options in Admin GUI alphabetically
[ECA-3094] - Update nomenclature in CLI
[ECA-3099] - Add a "result page" after certificate enrollment has been performed
[ECA-3102] - Public Web: rename password to enrollment code
[ECA-3104] - Default key length for batch generation should be 2048, not 1024
[ECA-3105] - Introduce ability of not having any QC statements in the QC extension in certificate profile configuration
[ECA-3106] - Keylength defaults should be 2048 not 1024
[ECA-3108] - Encoding of MS Certificate Template Name extension should be BMPString
[ECA-3112] - Limited admins in admin GUI spams with INFO logs
[ECA-3136] - Support listing of PKCS#11 slots in the AdminGUI by token label
[ECA-3145] - Clean up left overs of EJBCA OCSP code
[ECA-3166] - Use better wording for Certificate Request Data in Admin GUI
[ECA-3175] - Clear All Caches button should also clear GUI session cache
[ECA-3189] - CMP: Read the CA from the relevant End Entity instead of from the request or cmp.defaultca
[ECA-3190] - CMP: Enforce configuration of EndEntityCert authentication module for KeyUpdate request
[ECA-3191] - CMP: Improve the conditions and readability of CMP authentication modules
[ECA-3206] - CMP: Remove PBE authenticating of ConfirmMessage
[ECA-3218] - OCSP cache update logs access control
[ECA-3243] - Editing Internal Key Bindings is slow
[ECA-3244] - Error message about OCSP key renewal although renewal is disabled
[ECA-3245] - Clean up and format the UPGRADE document
[ECA-3247] - Unwanted warning in jboss-log when running CrmfRAPbeRequestTest
[ECA-3254] - Unwanted warning in jboss-log when running CmpRaThrowAwayTest
[ECA-3257] - Exception cancelling already cancelled OCSP renewal timers
[ECA-3259] - unwanted warning in jboss-log when running ProtocolOcspSignedHttpTest
[ECA-3262] - Make saving global and cmp configuration safe
[ECA-3263] - Allow AnyCA to be the only selected available CA in EEPs
[ECA-3285] - Datasources should have validate-on-match=true in order to reconnect from failures
Master Ticket
[ECA-3049] - Optimize trunk
[ECA-3116] - Possibility to Export/Import all CA configurations (a.k.a "The Great Dump")
[ECA-3252] - CMP log fixes for CC test plan
[ECA-3261] - Master ticket for OCSP log tickets
New Feature
[ECA-862] - Command for ascii/XML dump of CA installation
[ECA-1866] - WS-API to get last CRL for a CA
[ECA-1998] - Support for GOST R digital signature and hash algorithms
[ECA-2066] - Support for JBoss 7.1 and EAP 6
[ECA-2621] - cert-cvc: upgrade to work with BouncyCastle (BC) v1.47
[ECA-2691] - Handle HSM timeouts - allow creation of pure keepalive services from GUI/CLI
[ECA-2722] - Validation/conformance tool for certificates and OCSP responses
[ECA-2780] - Integration of DSTU4145-2002 in EJBCA
[ECA-2801] - Manage HSM keys from web GUI
[ECA-2881] - Ukrainian translation of admin GUI
[ECA-2926] - External RA GUI and SCEP deploy on JBoss 7
[ECA-2930] - SCEP RA mode for blind certificate issuance
[ECA-2936] - Support ECC for database integrity protection
[ECA-2972] - EJBCA support for South Slavic languages - Bosnian QA process
[ECA-2973] - Unified OCSP
[ECA-2974] - Use ServiceLoader for Publishers and Services
[ECA-2988] - Unified OCSP: In main build, merge Standalone and Integrated OCSP into a single SSB
[ECA-2992] - White listing of available CryptoToken PKCS#11 slots
[ECA-3092] - Make it possible to hide the menu in publicweb
[ECA-3095] - HSM slot label. Resolve existent issues from ECA-3071, add support for GUI/CLI/Upgrade
[ECA-3128] - Add support for slot labels to ca init command, database protection and ocsp
Task
[ECA-2296] - Master Issue: Look over authorization in all session beans.
[ECA-2298] - Master issue: Unify all names in EJBCA
[ECA-2317] - Migrate OCSP functionality from CESeCore to EJBCA
[ECA-2350] - Add support to other match values than X500Principal based
[ECA-2445] - Rename all references to "Admin Groups" to "Roles"
[ECA-2462] - Rename RSASignSessionBean to SignSessionBean
[ECA-2464] - Change references from 'User' to EndEntity where appropriate. UserAdminSessionBean should be renamed EndEntityManagementSessionBean