Xipki Versions

XiPKI: Compact open source PKI (CA, OCSP responder, certificate protocols ACME, CMP, EST, SCEP) with HSM support.

v5.3.14

2 years ago
  • CA
    • Feature: Include postgres jdbc driver in the binary.
    • Feature: Deprecate the use of CertPublisher.isAsyn().
    • Feature: Add support of SM2 in unprofessional HSMs.
    • Feature: Generating a self-signed certificate now requires only the subject instead of a CSR.
    • Feature: Allow the per-HSM configuration of the vendor mechanisms.
    • Feature: Use id-certProfile defined in CMPv3 instead of xipki's customized method to specify the certificate profile.
    • Feature: Extend the certificate profile to specify the behaviour of notAfter (STRICT, CutOff, BY_CA).
  • OCSP
    • Feature: Allow the per-HSM configuration of the vendor mechanisms.
    • Feature: Add option to control maxNextUpdatePeriod in OCSP response.
    • Feature: Reduce the column size of OCSP response in the OCSP cache database.
  • CLI
    • Feature: Allow the per-HSM configuration of the vendor mechanisms.
  • DB Tool
    • N/A
  • Dependencies
    • Update karaf 4.2.11 to 4.2.14, bouncycastle 1.69 to 1.70, slf4j from 1.7.25 to 1.7.32, pkcs11-wrapper from 1.4.7 to 1.4.8, fastjson 1.2.76 to 1.2.79
  • SHA256 Checksum
    • 3563731e85c5d69e64498d9b547933f670b4808d07207a10e4cffb0170e2797c xipki-ca-5.3.14.zip
    • 8ab7ced0b8360c5acc6242a5e3a8c3f6d7d8f39fff4651d9f01f8c484eb0442a xipki-cli-5.3.14.tar.gz
    • 991d548eec77627fe349723efc13124ecb4e3d9610cc9af67404530a67e9b86a xipki-dbtool-5.3.14.zip
    • 262a6c195705a681244aca13dcaf9128ac0404a8f94d0c0580241c03e5a6c9e3 xipki-ocsp-5.3.14.zip
    • e29c012dc17070344ed453f11fe306f77d318ac1d4ba432eb6c40e190373d67f xipki-p11proxy-5.3.14.zip

v5.3.13

2 years ago
  • CA
    • Bug fix: Fix NullPointerException if no SubjectKeyIdentifier mode is configured in CertProfile.
    • Feature: In PKCS#11 emulator, use AES_GCM instead of PBE to encrypt the secret/private keys
    • Feature: Rename the binary from ca-war-*.zip to xipki-ca-*.zip
    • Note: Since version 1.69 of bouncycastle, also download and copy the bcutil-<version>.jar to lib (in tomcat) and lib/ext (in jetty).
  • OCSP
    • Feature: In PKCS#11 emulator, use AES_GCM instead of PBE to encrypt the secret/private keys
    • Feature: Rename the binary from ocsp-war-*.zip to xipki-ocsp-*.zip
    • Note: Since version 1.69 of bouncycastle, also download and copy the bcutil-<version>.jar to lib (in tomcat) and lib/ext (in jetty).
  • CLI
    • Feature: Exclude the original bouncycastle jars delivered in karaf.
    • Feature: In PKCS#11 emulator, use AES_GCM instead of PBE to encrypt the secret/private keys
  • DB Tool
    • Feature: Rename the binary from dbtool-*.zip to xipki-dbtool-*.zip
  • Dependencies
    • N/A
  • SHA256 Checksum
    • 0d3a954a52f0aa732a314a95ab9a63e9b837c4628c297ce87c095b242090ee73 xipki-ca-5.3.13.zip
    • bba7f56664197b6c2ee711eac67dcf651eaaf47950fa98d52f6b26d33aa31d1b xipki-cli-5.3.13.tar.gz
    • 4c8e381c87705a8f11646a8cc2ec6dfde3ae5a3b56671410add5fae7114460b2 xipki-dbtool-5.3.13.zip
    • 98024ebb050e25dfedd675199cdc2b589951bb33780ec734acd88b201b562933 xipki-ocsp-5.3.13.zip
    • 6e7380eacf82264f56bfe8ad2b8cc39388a15b0766a2d557b2bebe32822003b6 xipki-p11proxy-5.3.13.zip

v5.3.12

2 years ago

This version has bugs in CA, please use v5.3.13 instead.

  • CA
    • Bug fix: Fix file path bug in Windows
    • Bug fix: In CMP, Use NULL Sender if MAC is used to protect the message
    • Bug fix: Fixed incorrect behaviour of extra-control
    • Feature: Add support of certificates signed with SHAKE128WITHRSAPSS, SHAKE256WITHRSAPSS, ECDSAWITHSHAKE128 and ECDSAWITHSHAKE256.
    • Feature: Allow the configuration of signature algorithm *withRSAandMGF1 with *withRSAPSS.
    • Feature: Allow the configuration of method to compute SubjectKeyIdentifier
    • Feature: Reduce the minimal size of serial number from 9 to 1
    • Feature: Allow the derivation of subject field from the SubjectPublicKeyInfo
    • Feature: Allow sending certchain in CMP and SCEP response
    • Feature: Allow generating random serial number for self-signed certificate
  • OCSP
    • Feature: Better Hash Algorithm's Parameters (ASN.1)
    • Feature: Allow configuration of signature algorithm *withRSAandMGF1 with *withRSAPSS.
  • CLI
    • Bug fix: Fixed ClassNotFoundException for JDBC classes.
    • Bug fix: Fixed incorrect behaviour of extra-control
    • Feature: Allow configuration of signature algorithm *withRSAandMGF1 with *withRSAPSS.
    • Feature: Set the default type of cert profile of ca:profile-add to xijson.
    • Feature: Add commands xi:osinfo, xi:file-exists, xi:datetime, xi:key-exists-p11.
  • DB Tool
    • N/A
  • Dependencies
    • Bump bouncycastle from 1.68 to 1.69
    • Bump apache-karaf from 4.2.9 to 4.2.11
    • Bump hikaricp from 3.4.5 to 4.0.3
    • Bump fastjson from 1.2.73 to 1.2.76
    • Bump fastjson from 2.1.2 to 2.3.2
    • Bump liquibase from 3.6.3 to 3.10.3.
  • SHA256 Checksum
    • da220d6f26a6a0d89d7a7fc80bf7e1b70baced7ff9109c59b162062cde7e783d ca-war-5.3.12.zip
    • 19acac8105a1e09c7e78d5044bd837eb02724e8accc69ca2f2e24ae6f4c5e96f dbtool-5.3.12.zip
    • cbd29c23254c23c7d600b5a6448ac10e478ec1f1b85ed2bef2af322b0c10cf4a ocsp-war-5.3.12.zip
    • 69903934d9f8b7faa679ad213635110cc4b40add9f5b6b5e03993bba8931956c p11proxy-war-5.3.12.zip
    • 01a0624511da7337248416e3ef4a0c26ae2f2949f8b230aef9139f3e7d7791e9 xipki-cli-5.3.12.tar.gz

v5.3.11

3 years ago
  • CA

    • Split large java classes
    • Changed max. validity of CAB EE cert: 825 -> 397
    • Simplified the SQL queries
    • Added expiredCertsOnCrl extension if expired certificates are contained in the CRL
    • Do not remove revoked but expired certs
    • Bump bouncycastle from 1.66 to 1.68
  • OCSP

    • Split large java classes
    • Simplified the SQL queries
    • Bump bouncycastle from 1.66 to 1.68
  • CLI

    • Split large java classes
    • Bump bouncycastle from 1.66 to 1.68
  • DB Tool

    • Split large java classes
  • PKCS#11 Proxy

    • Split large java classes
  • SHA256 Checksum

    • f86140af150539530d810c9a9e7634b1779b1b4ebbbcab30261347f8d7ea4e81 ca-war-5.3.11.zip
    • b8bfee26d5040b4bbfb558e45573e3f76ac1269482b89134226b6b0384b49992 dbtool-5.3.11.zip
    • 56102396c9cb56de7a962fd3eca29df194dd068a8b8145a5dde6cbb257ba6458 ocsp-war-5.3.11.zip
    • cd19d08b64371bf03f3aaf1178e295910410091de27a4fadd2c966fda88c4f34 p11proxy-war-5.3.11.zip
    • 681daf5044f1740940d19431ca07df0886d2c03679009601c901b0dae5710ff9 xipki-cli-5.3.11.tar.gz

v5.3.10

3 years ago
  • CA

    • Fixed "Duplicate primary key ID" database error in some cluster databases. #186
    • Added option to control whether to include the expired certificate. #188
    • Add a dummy CRLEntry in an indirect CRL without revoked certificates to contain the certificate's issuer name. #189
    • Removed table DELTACRL_CACHE. Use better method to generate the delta CRL.
    • Removed generation of CRL with only CA or EE certs, this feature will not be used in general.
    • Removed support of custom extension xipki-authorizationTemplate
    • Removed unsupported options duplicate-subject and duplicate-key
    • Removed xipki custom request extension cmpRequestExtensions (1.3.6.1.4.1.45522.1.3)
  • OCSP

    • Fixed "Duplicate primary key ID" database error in some cluster databases. #186
  • CLI

    • N/A
  • DB Tool

    • N/A
  • PKCS#11 Proxy

    • N/A
  • SHA256 Checksum

    • 688d3169e5f1dfc836080bd116483ddcd9a36ca76fe2c20e848513ef4ac07926 ca-war-5.3.10.zip
    • 7e264ca1bf8f95f30480b80b0e3dc2f35127a4f9efb6b82aebafbabfba8addad dbtool-5.3.10.zip
    • 1104360b0b0d08077a7778bdf59792323fcab73b0aef870b62698ed0e821d9c0 ocsp-war-5.3.10.zip
    • 4774816ec77d8105b9b494438938903d1c8ece6f9347e45ecafdbf52280ea04c p11proxy-war-5.3.10.zip
    • 3a0d80432b22a4265bd1661780249833ed3f466670be2963b85fa419427731af xipki-cli-5.3.10.tar.gz

v5.3.9

3 years ago
  • CA
    • Relax FQDN check
    • Handle the file calock correctly
    • Fixed BUG: #179 handle requestor name case-insensitive
    • Fixed BUG: #180 CA cannot process certificate request (CA generate keypair) via REST service
    • Removed support of audit over syslog
    • Removed support of yubikey token
    • Use tinylog instead of log4j2
  • OCSP
    • Removed support of yubikey token
    • Use tinylog instead of log4j2
  • CLI
    • Removed support of yubikey token
    • Use tinylog instead of log4j2
  • DB Tool
    • New module introduced.
  • SHA256 Checksum
    • f8f119502138b4ebc169a3b7bc34b2ea1b56c1cbc1d09f80d85915bdb315e221 ca-war-5.3.9.zip
    • bb7ebe8651a72069dfb6f5accb388c0aaca1fb86198d5ef0a546a8ac1af7cdec dbtool-5.3.9.zip
    • 3590a66d5724f617f66d2eb97860b013becadafda3915138a231af3b23a8a7dc ocsp-war-5.3.9.zip
    • 3f6e338248e0d4eb34a2c7d8a23b1c7926c3c52fde5844890fbdf0eb02f2b3d1 p11proxy-war-5.3.9.zip
    • 6051d87ad9c3a07413141860522c364c62698f95bc4c90896c4c56cc4688f2f3 xipki-cli-5.3.9.tar.gz

v5.3.8

3 years ago
  • CA
    • Fixed bug: Set extension critical if contains key-purpose timeStamping
    • Fixed bug: add extension deltaCRLIndicator to DeltaCRL
    • Verify SCT before adding it to the cert
    • Unify the use of X.509 certificate and CRL
    • Add validation of IPv6 address
    • Log software version
    • Remove the CA controls DUPLICATE_{KEY|SUBJECT}
    • For pre-defined DSA parameters, using Pi as seed
    • Check pathLenConstraint before issuing certificate
    • Use tagNo or tagName to identify a SAN tag in a certificate request
    • Also accept PEM-encoded CSR in the REST servlet
  • OCSP
    • Unify the use of X.509 certificate and CRL
    • Log software version
    • Use generatedAt instead of thisUpdate for OCSP cache
  • CLI
    • Unify the use of X.509 certificate and CRL
    • For pre-defined DSA parameters, using Pi as seed
    • Add default value to slot, better usage for the param id
  • SHA256 Checksum
    • 9f842b129e445f812095eabe95c9608000bf38c27b844e9dbe73772473211e04 ca-war-5.3.8.zip
    • ff0b3795c61950583e025e28f77ee1c82a4f64197990544ff8edd97965d6bb79 ocsp-war-5.3.8.zip
    • 13a12ecc1192ee5c194baa0cfdad893c8a8a2a865aef8fc1208c63ba0b2a5686 p11proxy-war-5.3.8.zip
    • 447c14b15c49c6994ae66a1b2c0ecd8980f5ea78b21487395fefa1fd60f4ed02 xipki-cli-5.3.8.tar.gz

v5.3.7

4 years ago
  • CA
    • Make XIPKI_BASE configurable.
    • Do not set the highest bit, increase the default bit length of serial numbers from 127 to 159
    • Use overlap.days instead of overlap.minutes to control the overlap in CRL
    • Update hikaricp 3.4.1 to 3.4.2, fastjson 1.2.62 to 1.2.66.
  • OCSP
    • Make XIPKI_BASE configurable.
    • Fixed #447 OCSP-server cannot parse CRLs without revoked certificates.
    • Corrected type from 'ejbca' to 'ejbca-db' in the configuration file.
    • Fixed #148 Ocspd ignores the folder certs in case of CRL as source in ocspd.
    • Use bytes instead of bits to specify the length of serial number.
    • Change fullcrl.intervals from 1 to 7.
    • Fixed #154 OCSP server cannot answer request with unknown extension.
    • Update hikaricp 3.4.1 to 3.4.2, fastjson 1.2.62 to 1.2.66.
  • CLI
    • Better print of time in the benchmark test
    • Update karaf 4.2.7 to 4.2.8, hikaricp 3.4.1 to 3.4.2, fastjson 1.2.62 to 1.2.66.
  • SHA256 Checksum
    • 929b56ad72b8fdb05c80570aca004569ff4738da1aa406ddd2e8c77bba49f3b1 ca-war-5.3.7.zip
    • 89cc0855cb32ef7740c2050e38fdc95d082bf29429eb5fd6bed1b856549e342b ocsp-war-5.3.7.zip
    • f864ecfde786892c16918d1d3dab75ad812ce08051b7e26678f68a2b29889e21 p11proxy-war-5.3.7.zip
    • 65c226b3ed8de7e27e18e326e6bc99ff5e861951862a83a1c3f8e157f74be841 xipki-cli-5.3.7.tar.gz

v5.3.6

4 years ago
  • CA
    • BUG: Fixed #134 The issuerCertIssuer in the extension AKI is not set correctly
    • Better handling of proxied TLS connection
    • Removed the support of insecure JKS keystore
  • OCSP
    • BUG: Fixed NPE
    • BUG: Fixed #137: set OCSP extension extendedRevoke to not critical
    • BUG Fixed #140: OCSP response cacher saves time in (incorrect) milliseconds instead of (correct) seconds.
    • Better handling of proxied TLS connection
    • Removed the support of insecure JKS keystore
    • Changed the mode in ocsp-responder.json from RFC6960 to RFC2560 (configurable)
    • #138 Set the extension nonce in OCSP response as NOT critical
    • Include extn extendedRevoke only if unknown marked as revoked
  • CLI
    • Removed the support of insecure JKS keystore
  • SHA256 Checksum
    • 93dd572ba4766265549101037369d9c8f9624c0bb06d534ca324c9b69e144306 ca-war-5.3.6.zip
    • d88d6bf2570a4b950216ee884d009537b30f81101e607ce91941ebd1007322c5 ocsp-war-5.3.6.zip
    • 949363fef281c11ce5d501f6c9b69496cd16998fb763047c936ab8a346a4f527 p11proxy-war-5.3.6.zip
    • e5117e7bf6f3d0224264543293d9bd294305220f6293fab03a58533d1979a24b xipki-cli-5.3.6.tar.gz

v5.3.5

4 years ago
  • CA

    • Upgrade bcprov-jdk15on and bcpkix-jdk15on to 1.64
    • Fixed bug #128 "CA cannot start with NULL CMP_CONTROL"
    • Downgrade liquibase from 3.8.0 to 3.6.3 to support MariaDB 10.3+
    • Securities accepts explicit P11ModuleFactories
  • OCSP

    • Upgrade bcprov-jdk15on and bcpkix-jdk15on to 1.64
    • Downgrade liquibase from 3.8.0 to 3.6.3 to support MariaDB 10.3+
    • Securities accepts explicit P11ModuleFactories
  • CLI

    • Optimized the display of benchmark with number over 1,000,000,000
    • Securities accepts explicit P11ModuleFactories
  • SHA256 Checksum

    • 73f95cdc427e2156952b5a8dad2547adbf17a14993ce7d7a8f2984ed884d85e9 ca-war-5.3.5.zip
    • 6a67862320daf83cad78b005f1cf293055537c1f756d20d938680566330cfab0 ocsp-war-5.3.5.zip
    • 6701f114b264f992bcaa47c3e77a8940215643dc6105fe52381d2b08f4ab2e09 p11proxy-war-5.3.5.zip
    • 210d087b68b4810be3a07056af982f66bcab5441d38cdfa07594fb4803e851e2 xipki-cli-5.3.5.tar.gz