David Hook of BouncyCastle wrote this on the dev-crypto mailing list.
-----
Hi all,
While we're not in a habit of making a huge fuss about things, one thing
is about to come up which we thought we'd mention.
Monday 24th of May marks 10 years since the first release of the Bouncy
Castle Cryptography APIs.
To give you an idea of what this means, the first release was on the
order of 24,000 lines of java. Ten years on we are now looking at
200,000 lines of Java and 160,000 lines of C# with a substantial
increase in functionality. The passage of time has certainly been felt.
Anyway, a lot of people outside of the core developers have contributed
over the years, so once again, thanks! And for us, them, and everyone
else, if you're inclined to celebrate 10 years of open source crypto
from this project, Monday is a good time to do it!
Cheers,
David
-----
An incredibly consistent track record of one of the best open source projects out there!
Monday, May 24, 2010
External RA enrollment Web GUI, sponsored by APNIC
I would like to take this opportunity to remind you that EJBCA 3.10 contains a new, much awaited feature: a web GUI for enrollment using the External RA.
The web GUI can be used to enroll for browser certificates using most browsers on all platforms. You can also enroll for server certificates and keystores.
The new GUI is developed with JSF and Facelets, using the IceFaces component library. This gives it a nice modern look and function.

The development of this new feature was sponsored by APNIC, who make sure the internet works in the Asia Pacific.
Monday, May 17, 2010
EJBCA at the Greek police
I held a presentation about EJBCA and SignServer at two conferences, held by Eellak in Greece this weekend. As part of this I gave the installation of EJBCA at the Greek police as an example. A short summary follows.
- Project PoL, Police on-line.
- EJBCA replaces RSA Keon CA.
- Installation by BYTE and PrimeKey.
- All certificates in smart cards (~25.000).
- Cards are used to access the PoL network and sign documents.
- Both old cards and new cards produced with EJBCA are used simultaneously to access, sign and encrypt using a new client, NetID.
- Old RSA cards that expire are replaced with new cards.
- Users and documents are not affected.
Tuesday, May 4, 2010
EJBCA 3.9.7 and 3.10.1 released
Monday saw a double release of EJBCA. 3.9.7 fixes a small number of issues in the old 3.9 branch, while 3.10.1 contains 34 fixes and feature enhancements for the 3.10 branch.
3.10.1 is the recommended release for all new installations.
Noteworthy changes in 3.10.1
- New WS-API methods for renewing CAs. This enables the possibility for automated SPoCs in an EAC ePassport PKI.
- New CMP proxy module letting you have a separate server terminating CMP connections and then forwarding them to the CA.
- Possibility to renew CAs without activating new keys, enabling the CA to continue working until a new certificate is imported.
- Support for SHA384WithECDSA signature algorithm.
- Fixed deployment on JBoss EAP 5.0.0.
- Fixed admin GUI bug with problems selecting privileges for RA administrators.
- Fixed some issues with cli and renewal of expired CAs.
- Fixed a bug with cli for getting delta CRLs.
- Other minor bug fixes.
Changes in 3.9.7
- Fixed an error when creating DVs signed by external CVCAs (EAC ePassport only).
- Give better error message when the same public key is passed in initial CVC request (EAC ePassport only).
- Log OCSP responder startup and shutdown.
- Fix possible NullPointerException in EjbcaWS.getAvailableCertificateProfiles.
Wednesday, April 21, 2010
Better late than never... EJBCA 3.10.0 released
I forgot to write about this important event. On the 26th of March EJBCA 3.10.0 was released.
This was a major release with lots of internal reorganisations, new features and fixes. It is largely a preparation for EJBCA 4.0, with restructuring of the code to make the transition easier and the whole code base better organized. But a few noteworthy features also entered this release.
Noteworthy changes:
- Restructuring and refactoring to improve maintainability, prepare for the EJBCA 4 release and Common Criteria certification.
- Web Service method for creation or update of a user and creation of a certificate in a single transaction.
- Enforcement of unique public keys and subject DNs.
- New External RA API GUI for browser enrollment without incoming traffic to the CA.
- Support for Ingres 9.3.
Wednesday, March 24, 2010
Using pure OpenSC formatted smart cards with EJBCA and FireFox
OpenSC comes with a number of tools that can be used to generate keys and store certificates on a CardOS 4.3b smart card; the card can then be used in FireFox.
This makes it possible to have a completely open source solution for smart cards, one that is available simply using apt-get install in Ubuntu. Note that opensc in Ubuntu 9.10 is buggy, so you need Ubuntu 10.04 or manually installed opensc packages.
You cannot use a completely blank CardOS 4.3b card, because a factory key is needed to set the state of the card so that it can be formatted with cardos-tool.
If you have a card formatted as an "instant id" card, using PrimeCard for example, you can reformat the card with cardos-tool.
On to the howto
---------------
Check that card is found and display info:
>cardos-tool -i
Format:
>cardos-tool -f
Create pkcs15 (E=erase, C=create pkcs15):
>pkcs15-init -EC
Init pkcs15 (P=store pin, a=auth-id, l=label of key):
>pkcs15-init -P -a 01 -l test01
Now pkcs11-tool lists a slot:
>pkcs11-tool -L
Generate keys:
>pkcs15-init -G RSA1024 -a 01 -l test01
Generate cert request with openssl:
>sudo apt-get install libengine-pkcs11-openssl
>openssl
OpenSSL>engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
OpenSSL>req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -text -subj "/CN=Open SC"
CSR is stored as req.pem. Get certificate from EJBCA using "Create Certificate from CSR" in public web and store on card:
>pkcs15-init --store-certificate cert.pem -v -i 45
To use in FireFox you just need to add a "Security Device" with module path /usr/lib/opensc-pkcs11.so
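The howto above wrapped as shell functions, with the check worth adding before the last step (an added example, not from the original post): pkcs15-init binds whatever certificate it is given to key id 45 without checking it, so the script refuses to store a certificate unless it carries the same public key as the CSR signed on the card. It assumes the post's values (auth-id 01, key id 45, label test01, the Ubuntu paths of opensc-pkcs11.so and engine_pkcs11.so) and feeds the post's two interactive OpenSSL commands through stdin.

```shell
#!/bin/sh
# Added example (not from the original post): the post's OpenSC/EJBCA steps as
# shell functions, plus a check before the last step. pkcs15-init binds the
# stored certificate to key id 45 without verifying it, so the certificate
# issued by EJBCA must carry exactly the public key from the on-card CSR.
# Assumed values (as in the post): auth-id 01, key id 45, label test01, and
# the Ubuntu paths of the OpenSC PKCS#11 module and the OpenSSL pkcs11 engine.
PKCS11_MODULE=/usr/lib/opensc-pkcs11.so
ENGINE_SO=/usr/lib/engines/engine_pkcs11.so
AUTH_ID=01
KEY_ID=45
LABEL=test01

# SubjectPublicKeyInfo (PEM) of a CSR and of a certificate.
csr_pubkey()  { openssl req  -in "$1" -pubkey -noout; }
cert_pubkey() { openssl x509 -in "$1" -pubkey -noout; }

# Returns 0 when certificate $1 holds the same public key as CSR $2, else 1.
cert_matches_csr() {
    [ "$(cert_pubkey "$1")" = "$(csr_pubkey "$2")" ]
}

# The post's steps: detect, format, create PKCS#15, store PIN, generate key,
# list the slot.  Stops at the first failing tool.
init_card() {
    cardos-tool -i &&
    cardos-tool -f &&
    pkcs15-init -EC &&
    pkcs15-init -P -a "$AUTH_ID" -l "$LABEL" &&
    pkcs15-init -G RSA1024 -a "$AUTH_ID" -l "$LABEL" &&
    pkcs11-tool -L
}

# The post's interactive OpenSSL session, fed through stdin: load the pkcs11
# engine, then sign CSR $1 with key id_45 that lives on the card.
make_csr() {
    openssl <<EOF
engine -t dynamic -pre SO_PATH:$ENGINE_SO -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:$PKCS11_MODULE
req -engine pkcs11 -new -key id_$KEY_ID -keyform engine -out $1 -subj "/CN=Open SC"
EOF
}

# Final step: store certificate $1 on the card, but only if it matches CSR $2.
store_cert() {
    cert_matches_csr "$1" "$2" || {
        echo "refusing: $1 does not carry the public key of $2" >&2
        return 1
    }
    pkcs15-init --store-certificate "$1" -v -i "$KEY_ID"
}
```

Run `init_card && make_csr req.pem`, submit req.pem through "Create Certificate from CSR" in the EJBCA public web, then `store_cert cert.pem req.pem`.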
Friday, February 26, 2010
Register for Öppna Ekosystem in Skövde 23 april
There will be an Open Space conference (in Swedish, sorry) about open ecosystems, bringing together developers, users and commercial entities, in Skövde on the 23rd of April 2010.
Register and join: Öppna Ekosystem.
EJBCA and SignServer will most probably be there displaying and discussing.