EJBCA Issue Tracker

[ECA-2558] Improve the run times of system tests

Mon, 2012-02-06 19:06
Created: 2012-02-06; Updated: 2012-02-06; Status: In Progress; Project: EJBCA; Component/s: None; Affects Version/s: None; Fix Version/s: EJBCA 5.1.0
Type: Improvement; Priority: Major; Reporter: Mike Kushner; Assignee: Mike Kushner; Resolution: Unresolved; Votes: 0; Remaining Estimate: Not Specified; Time Spent: Not Specified; Original Estimate: Not Specified

Description: System tests are taking way too long. See if anything can be done about this.

[ECA-2553] Improve CRL generation memory requirements

Mon, 2012-02-06 18:58
Created: 2012-02-02; Updated: 2012-02-06; Status: Open; Project: EJBCA; Component/s: PKI core; Affects Version/s: None; Fix Version/s: EJBCA 5.1.0
Type: Improvement; Priority: Minor; Reporter: Johan Eklund; Assignee: Johan Eklund; Resolution: Unresolved; Votes: 0; Remaining Estimate: Not Specified; Time Spent: Not Specified; Original Estimate: Not Specified
File Attachments: ECA-2553_ejbca_trunk_v000.patch
Issue Links (Relate): is related to ECA-2500 Upgrade to BC v1.47 (Open)

Description:
org.cesecore.certificates.crl.RevokedCertInfo
 shallow object size: 52 bytes
 String fingerprint: 140 bytes
 Date expireDate: 32 bytes
 Date revocationDate: 32 bytes
 BigInteger userCertificate: 76 bytes
 -> 332 bytes in total

This means that a CRL with 10M revoked certificates will take 3.3 GiB.


I propose that we change this to:
org.cesecore.certificates.crl.RevokedCertInfo
 shallow object size: 52 bytes
 long expireDate: 8 bytes (0 marks that a null was read from the database)
 long revocationDate: 8 bytes (0 marks that a null was read from the database)
 byte[] fingerprint: 64 bytes for a 40 char fingerprint
 byte[] userCertificate: 32 bytes (BigInteger.toArray())
 -> 148 bytes in total

This means that a CRL with 10M revoked certificates and few expiring will take 1.5 GiB.

Even for smaller CRLs this memory is better spent caching things.

The proposed changes above are non-intrusive and only affect the internals of RevokedCertInfo and CertificateData.

BouncyCastle memory usage studies depend on pending changes in ECA-2500.
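
A sketch of the compact field layout proposed in ECA-2553, added here as an example; it is not taken from ECA-2553_ejbca_trunk_v000.patch or from the EJBCA code base. The class name CompactRevokedCertInfo, its accessors and the sample values are hypothetical.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.util.Date;

/** Hypothetical compact counterpart of RevokedCertInfo; not EJBCA's own class. */
public final class CompactRevokedCertInfo {
    private static final long NULL_DATE = 0L; // sentinel: a null was read from the database

    private final byte[] fingerprint;     // ASCII bytes of the hex fingerprint string
    private final byte[] userCertificate; // serial number as two's-complement bytes
    private final long revocationDate;    // epoch milliseconds, or NULL_DATE
    private final long expireDate;        // epoch milliseconds, or NULL_DATE

    public CompactRevokedCertInfo(String fingerprint, BigInteger serial,
                                  Date revocationDate, Date expireDate) {
        this.fingerprint = fingerprint == null ? null
                : fingerprint.getBytes(StandardCharsets.US_ASCII);
        this.userCertificate = serial == null ? null : serial.toByteArray();
        this.revocationDate = toMillis(revocationDate);
        this.expireDate = toMillis(expireDate);
    }

    private static long toMillis(Date d) {
        if (d == null) {
            return NULL_DATE;
        }
        // The sentinel makes the exact epoch instant unrepresentable, so reject
        // it instead of silently turning a real date into null.
        if (d.getTime() == NULL_DATE) {
            throw new IllegalArgumentException("epoch instant collides with the null sentinel");
        }
        return d.getTime();
    }

    private static Date toDate(long millis) {
        // A fresh Date per call: callers cannot mutate the stored value.
        return millis == NULL_DATE ? null : new Date(millis);
    }

    public String getCertificateFingerprint() {
        return fingerprint == null ? null : new String(fingerprint, StandardCharsets.US_ASCII);
    }

    public BigInteger getUserCertificate() {
        return userCertificate == null ? null : new BigInteger(userCertificate);
    }

    public Date getRevocationDate() {
        return toDate(revocationDate);
    }

    public Date getExpireDate() {
        return toDate(expireDate);
    }

    public static void main(String[] args) {
        // Constructed sample values, not real certificate data.
        String fp = "0123456789abcdef0123456789abcdef01234567"; // 40 hex characters
        BigInteger serial = new BigInteger("7f3a9c5e21d4b806", 16);
        Date revoked = new Date(1328550000000L);

        CompactRevokedCertInfo info = new CompactRevokedCertInfo(fp, serial, revoked, null);

        System.out.println("fingerprint round-trips: " + fp.equals(info.getCertificateFingerprint()));
        System.out.println("serial round-trips:      " + serial.equals(info.getUserCertificate()));
        System.out.println("revocation round-trips:  " + revoked.equals(info.getRevocationDate()));
        System.out.println("null expire date kept:   " + (info.getExpireDate() == null));
    }
}
```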

[ECA-2500] Upgrade to BC v1.47

Mon, 2012-02-06 18:56
Created: 2012-01-11; Updated: 2012-02-06; Status: Open; Project: EJBCA; Component/s: PKI core; Affects Version/s: None; Fix Version/s: EJBCA 5.1.0
Type: Improvement; Priority: Critical; Reporter: Tomas Gustavsson; Assignee: Tomas Gustavsson; Resolution: Unresolved; Votes: 0; Remaining Estimate: Not Specified; Time Spent: Not Specified; Original Estimate: Not Specified
File Attachments: eca-2500-branch40.patch
Issue Links (Relate): relates ECA-2553 Improve CRL generation memory require... (Open)

Description: We should upgrade to the latest BC provider. The latest provider has efficiency improvements for CRL generation.
It does introduce a completely new API (BC v2 APIs), and deprecates most of the old stuff, so there are a lot of code changes in order to upgrade beyond BC 1.45 that we currently use.


Comments:
Comment by Tomas Gustavsson [ 2012-01-11 09:24 ] Attaching initial patch for Branch_4_0
Comment by Tomas Gustavsson [ 2012-01-11 10:41 ] Updating patch
Comment by Tomas Gustavsson [ 2012-01-12 10:10 ] CVC library also has to be updated for the new BC version.

[ECA-2534] Regression: Not checking that the administrator has the role defined in the hard token issuer any more.

Mon, 2012-02-06 18:12
Created: 2012-01-24; Updated: 2012-02-06; Status: Resolved; Project: EJBCA; Component/s: PKI core; Affects Version/s: EJBCA 5.0.1, EJBCA 5.0.2; Fix Version/s: EJBCA 5.0.3, EJBCA 5.1.0
Type: Bug; Priority: Critical; Reporter: Lars Silvén; Assignee: Mike Kushner; Resolution: Fixed; Votes: 0; Remaining Estimate: Not Specified; Time Spent: Not Specified; Original Estimate: Not Specified

Description: Each "hard token issuer" is associated with one administrator role.
The administrator that is using a "hard token issuer" to issue a hard token must belong to the role defined in the "hard token issuer".

This was checked in the method "getAuthorizedToHardTokenIssuer" of HardTokenSessionBean in version 4.
In version 5 the method has been renamed to "isAuthorizedToHardTokenIssuer" and the admin role is no longer checked against the role defined in the "hard token issuer".

The check must be done again in version 5.

I have tried to figure out how to fix this in the new architecture but failed. Maybe it is faster if someone else with better knowledge of the new architecture will have a look at it. I can test when all is done.

Comments:
Comment by Mike Kushner [ 2012-02-06 17:12 ] Done =) Lars, feel free to verify and close.
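
The check described in ECA-2534, shown beside a regressed variant, as an added example that is not EJBCA's code or the fix that was committed. Only the method name isAuthorizedToHardTokenIssuer comes from the issue; the records, the access rule string and the assumption that the regressed version still checks a general access rule are hypothetical.

```java
import java.util.Map;
import java.util.Set;

/** Hypothetical model of the role check from ECA-2534 (Java 16+, uses records). */
public final class HardTokenIssuerAuthzExample {

    /** Hypothetical issuer record: an alias bound to exactly one administrator role. */
    record HardTokenIssuer(String alias, int roleId) {}

    /** Hypothetical administrator: role memberships plus granted access rules. */
    record Admin(String name, Set<Integer> roleIds, Set<String> accessRules) {}

    // Constructed rule name; stands in for whatever general rule the caller needs.
    static final String RULE_ISSUE_HARDTOKENS = "/example/issue_hardtokens";

    private final Map<String, HardTokenIssuer> issuers;

    HardTokenIssuerAuthzExample(Map<String, HardTokenIssuer> issuers) {
        this.issuers = issuers;
    }

    /**
     * Regressed behaviour as the issue describes it: the admin's roles are never
     * compared with the role stored in the issuer. (That a general access rule is
     * still checked is an assumption made for this example.)
     */
    boolean isAuthorizedRegressed(Admin admin, String alias) {
        return issuers.containsKey(alias)
                && admin.accessRules().contains(RULE_ISSUE_HARDTOKENS);
    }

    /** Restored behaviour: the admin must belong to the role defined in the issuer. */
    boolean isAuthorizedToHardTokenIssuer(Admin admin, String alias) {
        HardTokenIssuer issuer = issuers.get(alias);
        if (issuer == null) {
            return false; // unknown issuer: deny by default
        }
        if (!admin.accessRules().contains(RULE_ISSUE_HARDTOKENS)) {
            return false;
        }
        return admin.roleIds().contains(issuer.roleId());
    }

    static void check(boolean ok, String what) {
        if (!ok) {
            throw new AssertionError(what);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data.
        var svc = new HardTokenIssuerAuthzExample(Map.of(
                "issuerA", new HardTokenIssuer("issuerA", 1),
                "issuerB", new HardTokenIssuer("issuerB", 2)));
        Admin alice = new Admin("alice", Set.of(1), Set.of(RULE_ISSUE_HARDTOKENS));

        // Positive case: member of the role bound to the issuer.
        check(svc.isAuthorizedToHardTokenIssuer(alice, "issuerA"), "role member must be allowed");
        // Negative cases: these are the ones a regression test has to pin down.
        check(!svc.isAuthorizedToHardTokenIssuer(alice, "issuerB"), "non-member must be denied");
        check(!svc.isAuthorizedToHardTokenIssuer(alice, "missing"), "unknown issuer must be denied");
        // The regressed variant lets the non-member through.
        check(svc.isAuthorizedRegressed(alice, "issuerB"), "regressed check ignores the issuer role");

        System.out.println("all checks passed");
    }
}
```

A renamed method that keeps returning true for the positive case passes any test that only covers authorized administrators, so the negative cases are the ones that detect this kind of regression.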

[ECA-2261] SenderKeyID does not need to be set in a CMP request

Mon, 2012-02-06 15:57
Created: 2011-09-06; Updated: 2012-02-06; Status: Open; Project: EJBCA; Component/s: Protocols; Affects Version/s: None; Fix Version/s: EJBCA 4.0.8, EJBCA 5.0.3, EJBCA 5.1.0
Type: Bug; Priority: Minor; Reporter: Aveen Ismail; Assignee: Aveen Ismail; Resolution: Unresolved; Votes: 0; Remaining Estimate: Not Specified; Time Spent: Not Specified; Original Estimate: Not Specified

Description: SenderKeyID in a CMP request is used to find the CAID, EEProfile and CertProfile used by CMP in case these values are not set in cmp.properties file. If these values are set in the cmp.properties file, there is no use for the senderKeyID value. However, EJBCA checks the value of senderKeyID before checking if it is actually needed and returns an error message in case senderKeyID was not set. This behavior should be changed so that senderKeyID does not need to be set if it is not needed.

[ECA-2504] Rename LIST button in Approve Actions section

Mon, 2012-02-06 14:32
Created: 2012-01-12; Updated: 2012-02-06; Status: Closed; Project: EJBCA; Component/s: AdminGUI; Affects Version/s: EJBCA 4.0.7; Fix Version/s: EJBCA 4.0.8
Type: Bug; Priority: Cosmetic; Reporter: David Carella; Assignee: David Carella; Resolution: Fixed; Votes: 0; Remaining Estimate: Not Specified; Time Spent: Not Specified; Original Estimate: Not Specified
Issue Links (Relate): relates ECA-2525 Merge changes from ECA-2504 (Resolved)
Verified by: Tomas Gustavsson

Description: Bug: the button message key "LIST" doesn't exist.

Minor re-factoring of the following message key:
- LIST --> SEARCH

Comments:
Comment by Tomas Gustavsson [ 2012-02-06 13:32 ] Button renamed to Search. Closing.

[ECA-2525] Merge changes from ECA-2504

Mon, 2012-02-06 14:31
Created: 2012-01-21; Updated: 2012-02-06; Status: Resolved; Project: EJBCA; Component/s: None; Affects Version/s: None; Fix Version/s: EJBCA 5.1.0
Type: Task; Priority: Minor; Reporter: David Carella; Assignee: Tomas Gustavsson; Resolution: Fixed; Votes: 0; Remaining Estimate: Not Specified; Time Spent: Not Specified; Original Estimate: Not Specified
Issue Links (Relate): is related to ECA-2504 Rename LIST button in Approve Actions... (Closed)

[ECA-2557] Minor XSS issues: merge bugfix from ECA-2482

Mon, 2012-02-06 14:10
Created: 2012-02-06; Updated: 2012-02-06; Status: Open; Project: EJBCA; Component/s: None; Affects Version/s: None; Fix Version/s: EJBCA 3.11.4
Type: Bug; Priority: Major; Reporter: Marcus Lundblad; Assignee: Marcus Lundblad; Resolution: Unresolved; Votes: 0; Remaining Estimate: Not Specified; Time Spent: Not Specified; Original Estimate: Not Specified

Description: Merge XSS bugfix from ECA-2482 to 3.11.x branch.

[ECA-2518] Add link to Help page for ECDSA keys

Mon, 2012-02-06 13:57
Created: 2012-01-19; Updated: 2012-02-06; Status: Closed; Project: EJBCA; Component/s: AdminGUI; Affects Version/s: EJBCA 4.0.7; Fix Version/s: EJBCA 4.0.8
Type: Improvement; Priority: Minor; Reporter: David Carella; Assignee: David Carella; Resolution: Fixed; Votes: 0; Remaining Estimate: Not Specified; Time Spent: Not Specified; Original Estimate: Not Specified
Issue Links (Relate): relates ECA-2526 Merge changes from ECA-2518 (Resolved)
Verified by: Tomas Gustavsson

Description: Action:
- In CA Creation form, add a link "[?]" to Help page for ECDSA key specifications.

Comments:
Comment by Tomas Gustavsson [ 2012-02-06 12:57 ] Simple nice. Merged to trunk. Closing.

[ECA-2526] Merge changes from ECA-2518

Mon, 2012-02-06 13:57
Created: 2012-01-21; Updated: 2012-02-06; Status: Resolved; Project: EJBCA; Component/s: None; Affects Version/s: None; Fix Version/s: EJBCA 5.1.0
Type: Task; Priority: Minor; Reporter: David Carella; Assignee: Tomas Gustavsson; Resolution: Fixed; Votes: 0; Remaining Estimate: Not Specified; Time Spent: Not Specified; Original Estimate: Not Specified
Issue Links (Relate): is related to ECA-2518 Add link to Help page for ECDSA keys (Closed)

[ECA-2556] Make sure that EjbRemoteHelper is used instead of JndiHelper for retrieving remote interfaces

Mon, 2012-02-06 13:22
Created: 2012-02-06; Updated: 2012-02-06; Status: Resolved; Project: EJBCA; Component/s: None; Affects Version/s: EJBCA 5.0.2; Fix Version/s: EJBCA 5.1.0
Type: Task; Priority: Cosmetic; Reporter: Mike Kushner; Assignee: Mike Kushner; Resolution: Fixed; Votes: 0; Remaining Estimate: Not Specified; Time Spent: Not Specified; Original Estimate: Not Specified

Description: Make sure that EjbRemoteHelper is used instead of JndiHelper for retrieving remote interfaces. This is mostly a cosmetic issue for the tests.

[ECA-2552] CMP: Skip verifying CertificateConfirmationRequest if not required

Mon, 2012-02-06 11:53
Created: 2012-02-02; Updated: 2012-02-06; Status: Open; Project: EJBCA; Component/s: Protocols; Affects Version/s: None; Fix Version/s: EJBCA 4.0.8
Type: Bug; Priority: Major; Reporter: Aveen Ismail; Assignee: Aveen Ismail; Resolution: Unresolved; Votes: 0; Remaining Estimate: Not Specified; Time Spent: Not Specified; Original Estimate: Not Specified
Issue Links (Relate): relates ECA-2406 Can not process signed Cert Confirmat... (Open); is related to ECA-2406 Can not process signed Cert Confirmat... (Open)

Description: The CertConfirm request is not always signed, and if signed, we don't always want to authenticate it. In such a case, we need to skip the verification. Since the CertConfirm request does not contain any data that is used or "picked up" by EJBCA, there shouldn't be any real security risk in skipping the verification.

Comments:
Comment by Aveen Ismail [ 2012-02-06 10:52 ] Fixing ECA-2552 will fix ECA-2406 too

[ECA-2406] Can not process signed Cert Confirmation Messages

Mon, 2012-02-06 11:53
Created: 2011-11-24; Updated: 2012-02-06; Status: Open; Project: EJBCA; Component/s: Protocols; Affects Version/s: EJBCA 4.0.6; Fix Version/s: EJBCA 4.0.8, EJBCA 5.1.0
Type: Bug; Priority: Major; Reporter: Tomas Gustavsson; Assignee: Aveen Ismail; Resolution: Unresolved; Votes: 0; Remaining Estimate: Not Specified; Time Spent: Not Specified; Original Estimate: Not Specified
Issue Links (Relate): relates ECA-2552 CMP: Skip verifying CertificateConfir... (Open); is related to ECA-2552 CMP: Skip verifying CertificateConfir... (Open)

Description: If you configure EJBCA with:

cmp.operationmode=ra
cmp.authenticationmodule=EndEntityCertificate
cmp.authenticationparameters=-
cmp.responseprotection=signature

You can use cmpforopenssl with superadmin certificate:

./cmpclient --server localhost --port 8080 --path ejbca/publicweb/cmp --cacert HSMCA.cacert.pem --ir --clcert superadmin_cert.der --key superadmin_key.pem --newclcert new_cert.der --newkey new_key.pem --subject "CN=User Name;O=My Organization;C=SE"

It works to get the certificate response, but CertConfirm fails:
-----
INFO: Sending Initialization Request
SUCCESS: validating protection of incoming message
INFO: Sending Certificate Confirm
ERROR: received no initial Client Certificate. FILE cmpclient.c, LINE 406
140358031103648:error:3209E065:CMP routines:CMP_protection_verify:cmperror:cmp_vfy.c:175:
140358031103648:error:3209006F:CMP routines:CMP_doInitialRequestSeq:error validating protection:cmp_ses.c:347:
140358031103648:error:32090065:CMP routines:CMP_doInitialRequestSeq:cmperror:cmp_ses.c:370:
-----

In EJBCA log you can see why it goes wrong. The CertConfirm does not have extraCerts parameter.
-----
2011-11-24 14:30:23,114 DEBUG [org.ejbca.core.protocol.cmp.CmpMessageDispatcherSessionBean] (http-0.0.0.0-8080-1) Received CMP message with pvno=2, sender=4: CN=SuperAdmin, recipient=4: CN=HSM CA
2011-11-24 14:30:23,114 DEBUG [org.ejbca.core.protocol.cmp.CmpMessageDispatcherSessionBean] (http-0.0.0.0-8080-1) Body is of type: 24
2011-11-24 14:30:23,114 DEBUG [org.ejbca.core.protocol.cmp.CmpMessageDispatcherSessionBean] (http-0.0.0.0-8080-1) PKIMessage: ( header: PKIHeader: ( pvno: 2, sender: 4: CN=SuperAdmin, recipient: 4: CN=HSM CA, messageTime: org.bouncycastle.asn1.DERGeneralizedTime@a1ab2e36, protectionAlg: org.bouncycastle.asn1.x509.AlgorithmIdentifier@4bd6596a, senderKID: #b62a7cdde4923f3a77cf25bc0461ba2e391c353f, transactionID: #0d418d31b4b6ac560c8a62377308007d, senderNonce: #3882fc706f7911e9075062354131c16e, , body: PKIBody: (CertConfirmContent: (certHash = #e5e383b091a3de98da66fda6a19d7deb70fa1f51, certReqId = 0)), protection: #03818100366EE934D8E55049C09954D6B71AF2FBBB2F463D9802CC866A39EF80E2B5E4B34CE69A9EECD2921B4C205A4AA8F293EE0ECE63F4B77228646040AC5D39D6E5E8DB360926AF3558CF77544E35EAE6B9E8B01BF19A30FE54CEF7334346DA2374604E140076F074BC3993BED4EC9DF3DD7F06B52BE4258B84FE5081921F11564469, )
2011-11-24 14:30:23,117 DEBUG [org.ejbca.core.protocol.cmp.GeneralCmpMessage] (http-0.0.0.0-8080-1) Received a Cert Confirm message
2011-11-24 14:30:23,117 TRACE [org.ejbca.core.protocol.cmp.ConfirmationMessageHandler] (http-0.0.0.0-8080-1) >handleMessage

<snip>

2011-11-24 14:30:23,131 TRACE [org.ejbca.core.protocol.cmp.authentication.VerifyPKIMessage] (http-0.0.0.0-8080-1) >verify
2011-11-24 14:30:23,131 DEBUG [org.ejbca.core.protocol.cmp.authentication.VerifyPKIMessage] (http-0.0.0.0-8080-1) Trying to verify the message authentication by using 'EndEntityCertificate' authentication module and authentication parameter 'not null'.
2011-11-24 14:30:23,131 INFO [org.ejbca.core.protocol.cmp.authentication.EndEntityCertificateAuthenticationModule] (http-0.0.0.0-8080-1) There is no certificate in the extraCert field in the PKIMessage
2011-11-24 14:30:23,131 TRACE [org.ejbca.core.protocol.cmp.authentication.VerifyPKIMessage] (http-0.0.0.0-8080-1) <verify: false
2011-11-24 14:30:23,131 ERROR [org.ejbca.core.protocol.cmp.ConfirmationMessageHandler] (http-0.0.0.0-8080-1) There is no certificate in the extraCert field in the PKIMessage
2011-11-24 14:30:23,132 DEBUG [org.ejbca.core.protocol.cmp.CmpMessageHelper] (http-0.0.0.0-8080-1) Creating an unprotected error message with status=2, failInfo=1, failText=There is no certificate in the extraCert field in the PKIMessage
2011-11-24 14:30:23,134 DEBUG [org.ejbca.core.protocol.cmp.CmpErrorResponseMessage] (http-0.0.0.0-8080-1) Create error message from requestType: 23
2011-11-24 14:30:23,136 DEBUG [org.ejbca.core.protocol.cmp.CmpMessageDispatcherSessionBean] (http-0.0.0.0-8080-1) Received a response message from CmpMessageHandler.
-----

CertConfirm messages should verify without extraCert parameter somehow....



Comments:
Comment by Tomas Gustavsson [ 2011-11-24 07:44 ] When this is fixed we should also document in adminguide under "Interoperability" how to use cmpforopenssl with client cert for RA mode.
Comment by Mike Kushner [ 2011-12-02 08:58 ] Not desperately needed for 5.0.1, so moving up.
Comment by Aveen Ismail [ 2012-02-06 10:53 ] Fixing ECA-2552 will fix ECA-2406 too

[ECA-2555] Merge changes from ECA-2454

Mon, 2012-02-06 06:36
Created: 2012-02-06; Updated: 2012-02-06; Status: Open; Project: EJBCA; Component/s: None; Affects Version/s: None; Fix Version/s: EJBCA 5.1.0
Type: Task; Priority: Minor; Reporter: David Carella; Assignee: Tomas Gustavsson; Resolution: Unresolved; Votes: 0; Remaining Estimate: Not Specified; Time Spent: Not Specified; Original Estimate: Not Specified
Issue Links (Relate): is related to ECA-2454 Improve all table layout (rows: heade... (Resolved)

[ECA-2454] Improve all table layout (rows: header, sections, footer)

Mon, 2012-02-06 06:36
Created: 2011-12-22; Updated: 2012-02-06; Status: Resolved; Project: EJBCA; Component/s: AdminGUI; Affects Version/s: EJBCA 4.0.6; Fix Version/s: EJBCA 4.0.8
Type: Improvement; Priority: Cosmetic; Reporter: David Carella; Assignee: David Carella; Resolution: Fixed; Votes: 0; Remaining Estimate: Not Specified; Time Spent: Not Specified; Original Estimate: Not Specified
Issue Links (Relate): relates ECA-2555 Merge changes from ECA-2454 (Open); is related to ECA-1978 Certificate Profile form improved (Resolved)

Description: Improve section rows in forms, like the certificate profiles form (cf. ECA-1978).

Actions:
- move the CSS class "title" from <td> to <tr> HTML tags
- modify some CSS class "title" to class "section"
- update CSS styles: .edit, and .action/.view


Comments:
Comment by David Carella [ 2012-02-02 19:05 ] Move back to 4.0.8, because I'm working to fix this issue currently.
Comment by David Carella [ 2012-02-06 05:34 ] Styles (CSS class):
- .edit (yellow), for Object (entity, profile): Edit EE, Add EE, etc.
- .action (blue), for Form (operation, configuration): Import CA, Edit Admin
- .view (gray), for Display (entity, certificate, token): View Cert, View EE
- .list (white), for List: All list page
- .actions (white), for List/Actions: All list page

[ECA-2541] Replace the contents of EjbRemoteHelper with a clever datastructure

Sun, 2012-02-05 17:00
[ECA-2541] Replace the contents of EjbRemoteHelper with a clever datastructure Created: 2012-01-26  Updated: 2012-02-05 Status: Resolved Project: EJBCA Component/s: None Affects Version/s: None Fix Version/s: EJBCA 5.1.0
Type: Task Priority: Minor Reporter: Mike Kushner Assignee: Mike Kushner Resolution: Fixed Votes: 0 Remaining Estimate: Not Specified Time Spent: Not Specified Original Estimate: Not Specified

 Description    EjbRemoteHelper is a big hassle in development, because any adding, removal or refactoring of a session bean implies a ton of changes to this class or its dependent classes.

Since all it is, in essence, is a free-for-all cache for remote interfaces, it could pretty much be replaced by a concurrent hashmap<remoteinterface.class, remoteinterfacereference> and an associated getter method. The helper methods it contains really have no use, because the new getter method's argument would be the same as the key to the interface, which would be the same as the expected return value. It would save us a lot of code and a lot of hassle.

[ECA-2527] Wrong exception thrown in HardTokenSessionBean for some errors.

Sat, 2012-02-04 20:20
[ECA-2527] Wrong exception thrown in HardTokenSessionBean for some errors. Created: 2012-01-23  Updated: 2012-02-04 Status: Closed Project: EJBCA Component/s: PKI core Affects Version/s: None Fix Version/s: EJBCA 5.0.3, EJBCA 5.1.0
Type: Bug Priority: Major Reporter: Lars Silvén Assignee: Lars Silvén Resolution: Fixed Votes: 0 Remaining Estimate: Not Specified Time Spent: Not Specified Original Estimate: Not Specified
File Attachments: HardTokenSessionBean2.patch     Verified by: Tomas Gustavsson
 Description    Exceptions are cached and then other exceptions are thrown with no information about the original cause and a totally misleading exception class name.
The exceptions that are thrown are HardTokenDoesntExistsException or HardTokenExistsException. These exceptions should only be called when the hard token cannot be found or when it can be found.
For other errors it is better to not catch the original exception and instead handle it by the calling application.

 Comments
Comment by Lars Silvén [ 2012-01-23 12:01 ] Patch that fixes it!
Comment by Tomas Gustavsson [ 2012-02-04 19:15 ] I think it's not good to catch so wide, "catch Exception". When you will throw a HardTokenDoesntExistsException or HardTokenExistsException I guess it's really a FinderException or a PersistenceException you want to catch. Don't catch too wide.

Also adding tests for this in HardTokenTest should be trivial.
Comment by Tomas Gustavsson [ 2012-02-04 19:17 ] It was committed with comment "-mECA2527" so subversion view in jira does not work. Look in fisheye for diff, http://fisheye.primekey.se/changelog/EJBCA?cs=13957.
Comment by Tomas Gustavsson [ 2012-02-04 19:19 ] Sorry, I looked at the diff the wrong way. It was actually bad before, and Lars fixed it. Looks much better now than before.
Comment by Tomas Gustavsson [ 2012-02-04 19:20 ] Closing, looks fine when I'm not so confused, sorry.

[ECA-2554] CMP: Need better error message when a request is not signed by the sender

Thu, 2012-02-02 17:17
[ECA-2554] CMP: Need better error message when a request is not signed by the sender Created: 2012-02-02  Updated: 2012-02-02 Status: Open Project: EJBCA Component/s: Protocols Affects Version/s: None Fix Version/s: EJBCA 4.0.9
Type: Improvement Priority: Cosmetic Reporter: Aveen Ismail Assignee: Aveen Ismail Resolution: Unresolved Votes: 0 Remaining Estimate: Not Specified Time Spent: Not Specified Original Estimate: Not Specified

 Description    Now in RA mode, when a CMP message is sent without a signature or PBE protection, the returned error message is "Unrecognized authentication module". Ejbca should be sending a better error message, like "No PKI protection to verify."

[ECA-2330] Build failure for External RA with OpenJDK if JavaScript is not available

Thu, 2012-02-02 16:17
[ECA-2330] Build failure for External RA with OpenJDK if JavaScript is not available Created: 2011-10-14  Updated: 2012-02-02 Status: Open Project: EJBCA Component/s: None Affects Version/s: EJBCA 4.0.1, EJBCA 4.0.2, EJBCA 4.0.3, EJBCA 4.0.4, EJBCA 4.0.5, EJBCA 5.0.0 Fix Version/s: EJBCA 5.1.0
Type: Bug Priority: Major Reporter: Markus Kilås Assignee: Marcus Lundblad Resolution: Unresolved Votes: 0 Remaining Estimate: Not Specified Time Spent: Not Specified Original Estimate: Not Specified Environment: RHEL, OpenJDK
File Attachments: buildfailure.txt     Issue Links: Relate
relates ECA-2244 Build failure with OpenJDK if JavaScr... Closed
 Description    If JavaScript is not available on the platform, the External RA build fails. See also ECA-2244.

Way to reproduce:
$ cd modules/externalra
$ ant

As the JavaScript's main purpose in this situation is to perform a loop 25 times it might be possible (but ugly) to unroll the loop. Otherwise there might be some looping or operate-on-list support already in Ant.

[ECA-2139] Generated CRL distribution points' URIs are not URL-encoded

Thu, 2012-02-02 13:42
[ECA-2139] Generated CRL distribution points' URIs are not URL-encoded Created: 2011-04-12  Updated: 2012-02-02 Status: Resolved Project: EJBCA Component/s: AdminGUI Affects Version/s: EJCBA 3.11.1 Fix Version/s: EJBCA 5.1.0
Type: Bug Priority: Major Reporter: Anatoly Ershov Assignee: Marcus Lundblad Resolution: Fixed Votes: 0 Remaining Estimate: Not Specified Time Spent: Not Specified Original Estimate: Not Specified Environment: Debian Lenny amd64, jboss-4.2.3.GA, EJBCA 3.11.1

 Description    RFC 3986 requires that in a URI, characters other than those explicitly allowed must be percent-encoded. This is true for the space character, which is a valid symbol in a DN.
Section 2.4 states that "the only time when octets within a URI are percent-encoded is during the process of producing the URI from its component parts" -- this means, in the case of EJBCA, when the "Generate" button is pressed in the adminweb GUI.

Instead, the value of DN is simply appended:
src/adminweb/ca/editcas/editcapage.jspf:
----
function gendefaultcrldistpoint(){
 <% if(!editca){ %>
    document.ca.<%=TEXTFIELD_DEFAULTCRLDISTPOINT%>.value = "<%=globalconfiguration.getStandardCRLDistributionPointURINoDN() %>" + document.ca.<%=TEXTFIELD_SUBJECTDN%>.value;
 <% }else{ %>
    document.ca.<%=TEXTFIELD_DEFAULTCRLDISTPOINT%>.value = "<%=globalconfiguration.getStandardCRLDistributionPointURINoDN() + cainfo.getSubjectDN()%>";
 <% } %>
}
----

This yields an incorrect URI:
http://ca.it.domain.tld:8080/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=cn=test Root CA,ou=CA,o=test,c=RU
which should rather look as follows:
http://ca.it.domain.tld:8080/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=cn=test%20Root%20CA,ou=CA,o=test,c=RU

Same is true for URIs (with spaces) from the reply of Tomas Gustavsson: https://jira.primekey.se/browse/ECA-562 -- isn't it?

This issue breaks work of "dirmanager" and hence "gpgsm" which is used by "KMail" and "Mutt".

 Comments
Comment by Anatoly Ershov [ 2011-04-12 18:30 ] a typo corrected.
Comment by Johan Eklund [ 2011-05-16 10:35 ] New Admin GUI scheduled for EJBCA 4.2. Moving.
Comment by Marcus Lundblad [ 2012-02-02 12:42 ] Fixed by URI-encoding DN part of generated URLs in the admin GUI.
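
Added example, not EJBCA code and not the committed fix for ECA-2139: a check that flags characters RFC 3986 does not allow in a generated CRL distribution point URI, next to a builder that percent-encodes the DN as one query value. The function names and the second DN (containing "&") are assumptions made for illustration; encodeURIComponent also escapes "=" and ",", which is stricter than the URI suggested in the issue but decodes to the same DN.

```javascript
// Added example; function names are hypothetical, not EJBCA code.
const BASE =
  "http://ca.it.domain.tld:8080/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=";

// Every character RFC 3986 allows in a URI: unreserved, reserved, and "%".
const URI_CHAR = /^[A-Za-z0-9\-._~:\/?#\[\]@!$&'()*+,;=%]$/;

// Return the offsets of characters that make `uri` invalid: anything outside
// the RFC 3986 set, or a "%" that does not start a two-digit hex escape.
function findIllegalUriChars(uri) {
  const bad = [];
  for (let i = 0; i < uri.length; i++) {
    const ch = uri[i];
    const brokenEscape =
      ch === "%" && !/^[0-9A-Fa-f]{2}$/.test(uri.slice(i + 1, i + 3));
    if (!URI_CHAR.test(ch) || brokenEscape) bad.push({ index: i, char: ch });
  }
  return bad;
}

// What the page's gendefaultcrldistpoint() does: append the DN unchanged.
function naiveCrlDistPoint(base, subjectDn) {
  return base + subjectDn;
}

// Percent-encode the DN as a single query value while producing the URI.
function buildCrlDistPoint(base, subjectDn) {
  return base + encodeURIComponent(subjectDn);
}

// What a standard query-string parser on the receiving side sees as the issuer.
function issuerFromUri(uri) {
  return new URL(uri).searchParams.get("issuer");
}

const PAGE_DN = "cn=test Root CA,ou=CA,o=test,c=RU"; // DN from the issue
const AMP_DN = "cn=R&D CA,o=test,c=RU";              // constructed sample DN

for (const dn of [PAGE_DN, AMP_DN]) {
  for (const build of [naiveCrlDistPoint, buildCrlDistPoint]) {
    const uri = build(BASE, dn);
    console.log(build.name, "->", uri);
    console.log("  illegal chars:", findIllegalUriChars(uri).length,
                "| issuer round-trips:", issuerFromUri(uri) === dn);
  }
}
```

A lenient parser such as the WHATWG URL class repairs the raw spaces, so the first DN still round-trips when appended unchanged; the "&" in the second DN cuts the issuer value short unless the DN is encoded.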