---
layout: default
title: KeyStore Explorer - Release Notes
---
<div class="page-header">
<h1>Release 5.4.4 <small class="text-muted">4 Oct 2020</small></h1>
</div>
<div class="row">
<div class="col-md-6">
<p>
This release includes the following improvements and bug fixes:
<ul>
<li>Certificate serial numbers can now be entered in hexadecimal format as well (contributed by Stephen Tomkinson). Hex numbers are detected ...</li>
<ul>
<li>if the input contains the letters a-f or A-F, for example "1a2b3c4d5e6f" or "1A2B3C4D5E6F" (decimal: 28772997619311)</li>
<li>or if the input starts with "0x", for example "0x12345678" would be interpreted as decimal 305419896 </li>
</ul>
<li>Additional button in "Certificate Extensions" window to save those extensions as a template (contributed by Stephen Tomkinson)</li>
<li>KSE now allows selecting multiple entries by pressing SHIFT or CTRL and performing the following operations on all selected entries (contributed by Christoph Kaser):
<ul>
<li>cut</li>
<li>copy</li>
<li>paste</li>
<li>delete</li>
</ul>
Note that you have to use the "Edit" menu, the toolbar icons or the keyboard shortcuts (Ctrl-x, Ctrl-c, etc.) to select the operation.
The right click menu cancels the selection of multiple entries.
</li>
<li>Fixed AKI/SKI extensions and Issuer/Subject Organisation not shown in table view (reported by Michael Karnerfors)</li>
<li>Fixed AKI/SKI extensions not being updated when added from a template or CSR (reported by Michael Karnerfors) </li>
<li>Fixed an error when inspecting a SAN extension that contains a User Principal Name (reported by e4711s)</li>
<li>Key Usage extension is now correctly marked as critical in all default extension templates (reported by James K Polk)</li>
<li>macOS: Fixed an incompatibility with VAqua Look&amp;Feel that caused a save dialog to be shown instead of an open dialog (reported by Filipe Forneck, fix contributed by Gary Bartlett)</li>
<li>macOS: VAqua Look&amp;Feel is no longer the default</li>
<li>macOS: The application bundle now contains a custom Java runtime. This fixes issues with detection of JRE installations and notarization.</li>
<li>SHA256 is now used in timestamp requests (instead of SHA1)</li>
<li>PKCS#12 is now the default when creating a new keystore. This reflects the transition from JKS to PKCS#12 as the default keystore in Java 9
(<a href="http://openjdk.java.net/jeps/229" title="JEP 229">JEP 229</a>).</li>
<li>Updated Bouncy Castle library to version 1.66</li>
</ul>
</p>
</div>
<div class="col-md-6">
<p>
<img src="images/releases/release54/rel544_GenerateKeyPairCertificate.png" class="img" align="top" border="0" />
</p>
<p>
<img src="images/releases/release54/rel544_CertificateExtensions1.png" class="img" align="top" border="0" />
<img src="images/releases/release54/rel544_CertificateExtensions2.png" class="img" align="top" border="0" />
</p>
<p>
<img src="images/releases/release54/rel544_multi-selection.png" class="img" align="top" border="0" />
</p>
</div>
</div>
<div class="page-header">
<h1>Release 5.4.3 <small class="text-muted">8 Mar 2020</small></h1>
</div>
<div class="row">
<div class="col-md-6">
<p>
This release includes the following bug fixes and improvements:
<ul>
<li>Added support for custom extended key usages (contributed by Jordi Pinzón García)</li>
<li>Added TSL (Trust-service Status Lists) signing extended key usage, OID "0.4.0.2231.3.0" (contributed by Vakhtang Laluashvili)</li>
<li>After a keystore entry is deleted, the next entry is now selected. This makes deleting several entries easier.</li>
<li>JKS and JCEKS keystores can now be opened without entering the password: just press Enter in the password dialog.</li>
<ul>
<li>This is only possible because the JKS/JCEKS keystore password (in contrast to the passwords of individual key entries) only provides integrity protection.</li>
<li>Key entries are of course still locked.</li>
<li>The keystore is handled by KSE as if no keystore password was set yet. If you want to save the keystore after a modification, you have to set a new keystore password.</li>
</ul>
<li>New Look&amp;Feel for macOS: VAqua (contributed by Lothar Haeger)</li>
<li>New Look&amp;Feel for all platforms: FlatLaf (see screenshot to the right)</li>
<li>Removed Look&amp;Feel Darcula and JGoodies</li>
<li>User manual is now part of the KSE website and was removed from the application.</li>
<li>Fixed some smaller problems with German translation</li>
<li>Updated Bouncy Castle library to 1.64</li>
</ul>
</p>
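<p>
The keystore-password behaviour described above can be reproduced with the plain JDK keystore API. The following is an added example, not code from KSE: it builds a JCEKS keystore in memory, opens it with a <code>null</code> store password, and shows that the key entry stays locked while modifications to the file go unnoticed when no password is supplied. The alias and passwords are constructed sample values.
</p>

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;
import javax.crypto.KeyGenerator;

public class KeystorePasswordDemo {

    // Returns true if the keystore bytes load with the given store password.
    static boolean loads(byte[] data, char[] storePassword) throws GeneralSecurityException {
        try {
            KeyStore ks = KeyStore.getInstance("JCEKS");
            ks.load(new ByteArrayInputStream(data), storePassword);
            return true;
        } catch (IOException e) {
            return false; // integrity check failed: wrong password or modified file
        }
    }

    public static void main(String[] args) throws Exception {
        char[] storePass = "store-secret".toCharArray(); // constructed sample values
        char[] keyPass = "key-secret".toCharArray();

        // Build a JCEKS keystore with one AES key entry and serialise it.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);
        ks.setEntry("demo-aes", new KeyStore.SecretKeyEntry(kg.generateKey()),
                new KeyStore.PasswordProtection(keyPass));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass);
        byte[] data = out.toByteArray();

        // A null store password skips the integrity check; the entry list is readable.
        KeyStore open = KeyStore.getInstance("JCEKS");
        open.load(new ByteArrayInputStream(data), null);
        System.out.println("aliases without store password: " + Collections.list(open.aliases()));

        // The key entry is protected separately by its own password.
        try {
            open.getKey("demo-aes", "guess".toCharArray());
            System.out.println("key entry opened with a wrong password");
        } catch (GeneralSecurityException e) {
            System.out.println("key entry still locked: " + e.getClass().getSimpleName());
        }
        System.out.println("key entry with its own password: "
                + open.getKey("demo-aes", keyPass).getAlgorithm());

        // Flip one bit in the trailing digest to simulate a modified file.
        byte[] tampered = data.clone();
        tampered[tampered.length - 1] ^= 0x01;
        System.out.println("original, correct store password: " + loads(data, storePass));
        System.out.println("original, wrong store password:   " + loads(data, "wrong".toCharArray()));
        System.out.println("modified, correct store password: " + loads(tampered, storePass));
        System.out.println("modified, no store password:      " + loads(tampered, null));
    }
}
```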
</div>
<div class="col-md-6">
<p>
<img src="images/releases/release54/rel543_custom_ekus.png" class="img" align="top" border="0" />
</p>
</div>
</div>
<div class="page-header">
<h1>Release 5.4.2 <small class="text-muted">11 Aug 2019</small></h1>
</div>
<div class="row">
<div class="col-md-6">
<p>
This release includes the following bug fixes and improvements:
<ul>
<li>Certificate generation: Editing of extensions fixed (contributed by JPinzon01)</li>
<li>Fixed date/time spinners and added shortcut buttons (contributed by Michele Mariotti)</li>
<li>Fixed typos in German translation (contributed by Markus Stein)</li>
<li>Fixed standard templates not working</li>
<li>Fixed typo in EtsiQcsQcPDS in ASN.1 viewer (reported by weddi-eddy)</li>
<li>Fixed issue in extension viewer when an unknown extension is encountered (reported by Daniel Mota Leite and hoogenpi)</li>
<li>Added OID for RFC 6962 "Certificate Transparency"</li>
<li>Allowing secret keys for keystore type PKCS#12 (requested by Laurent Vaills)</li>
<li>Fixed cancel on extension template dialog when deleting current extensions</li>
<li>Added release field to RPM (requested by gpavinteractiv)</li>
<li>EC keys in PEM format with "-----BEGIN EC PARAMETERS-----" are processed now (EC parameters are ignored though)</li>
<li>Fixed naming of ExtKeyUsage "OCSP Signing" (1.3.6.1.5.5.7.3.9)</li>
<li>Fixed German translation of OCSP signing</li>
<li>Fixed import of EC key in OpenSSL format not working (reported by mattes)</li>
<li>"Add certificate extensions to CSR" is now enabled by default</li>
<li>Updated included Bouncy Castle library to version 1.62</li>
<li>Updated appbundler to latest version (fixes problems with alternative Java runtimes under macOS)</li>
<li>Minimum required Java version for running KSE is now 1.8</li>
</ul>
</p>
</div>
<div class="col-md-6">
</div>
</div>
<div class="page-header">
<h1>Release 5.4.1 <small class="text-muted">27 Oct 2018</small></h1>
</div>
<div class="row">
<div class="col-md-6">
<p>
This release includes the following bug fixes:
<ul>
<li>Mac OS version: The Java Runtime Environment was not always found by the app bundle (reported by Gary Bartlett).</li>
<li>Fixed unlimited strength policy file not recognized (reported by basuradeluis and Ralf Hauser).</li>
<li>Fixed error when trying to view the "Policy Constraints" extension (reported by Robert W. Baumgartner).</li>
<li>Fixed error when trying to view the "Subject Directory Attributes" extension (reported by Robert W. Baumgartner).</li>
<li>Mac OS version: Removed version number from bundle identifier (reported by Core Code).</li>
</ul>
</p>
</div>
<div class="col-md-6">
</div>
</div>
<div class="page-header">
<h1>Release 5.4.0 <small class="text-muted">20 Sep 2018</small></h1>
</div>
<p>
This release includes the following new features, enhancements and bugfixes:
</p>
<h2 class="h3">Updated Preferences Dialog</h2>
<div class="row">
<div class="col-md-6">
<p><b>Configurable Columns</b></p>
<p>
In previous versions KSE showed a fixed set of information for keystore entries:
Entry name, algorithm, key size, certificate expiration date and last modification date.
If you wanted to find, for example, a certificate with a specific issuer DN, then you would have to open
every certificate in the keystore.
</p>
<p>
KSE 5.4.0 allows you to freely configure the displayed columns. New fields are:
<ul>
<li>Curve (for EC keys)</li>
<li>Subject/Authority Key Identifier</li>
<li>Subject/Issuer DN</li>
<li>Subject/Issuer Organisation</li>
<li>Subject/Issuer CN</li>
</ul>
</p>
<p>
<img src="images/releases/release54/rel54_prefs_columns_ks.png" class="img" align="top" border="0" />
</p>
<p>
Also, certificates that are going to expire in the next n days can now be marked.
</p>
<p>This feature was contributed by Wim Ton.</p>
</div>
<div class="col-md-6">
<p>
<img src="images/releases/release54/rel54_prefs_columns.png" class="img" align="top" border="0" />
</p>
</div>
</div>
<div class="row">
<div class="col-md-6">
<p><b>New Settings for UI Language and Automatic Update Checks</b></p>
<p>
In previous versions KSE always used the system language for its UI (if there was a translation for it).
Now you can explicitly choose between:
<ul>
<li>System Language</li>
<li>English</li>
<li>French</li>
<li>German</li>
</ul>
</p>
<p>
The automatic update check queries the KSE website for new releases of KSE and displays a notification if one was
found.
Starting with KSE 5.4.0 you can enable/disable automatic update checks and set an interval for them.
</p>
</div>
<div class="col-md-6">
<p>
<img src="images/releases/release54/rel54_prefs_ui.png" class="img" align="top" border="0" />
</p>
</div>
</div>
<h2 class="h3">Improved CSR Generation and Signing</h2>
<div class="row">
<div class="col-md-6">
<p><b>Edit Subject When Generating a CSR</b></p>
<p>
In previous versions the subject name for a CSR was taken from the certificate of the selected key pair entry.
This might not always be what you want. Therefore the subject is now editable.
</p>
<p><b>Edit Subject When Signing a CSR</b></p>
<p>
When signing a certificate for the public key from a CSR, the subject DN of the certificate is now freely editable.
The subject name from the CSR is only used as a suggestion.
</p>
<p><b>Transfer Extensions from CSR to Certificate</b></p>
<p>
It is possible to add certificate extensions to a CSR. KSE can now transfer those extensions to the certificate.
Every single extension from the CSR can then be edited or removed and additional extensions can be added.
</p>
<p><b>View Additional Information About CSR</b></p>
<p>
The "Sign CSR" dialog can now show more details about the CSR. Namely:
<ul>
<li>The extensions included in the CSR.</li>
<li>An ASN.1 dump of the CSR.</li>
<li>The CSR in PEM format.</li>
</ul>
</p>
</div>
<div class="col-md-6">
<p>
<img src="images/releases/release54/rel54_sign_csr.png" class="img" align="top" border="0" />
</p>
</div>
</div>
<h2 class="h3">Pre-Defined Certificate Extension Templates</h2>
<div class="row">
<div class="col-md-6">
<p>
When generating a certificate it is a relatively cumbersome task to add all the extensions one by one.
With this new feature you can add a basic set of commonly used extensions for four different certificate types.
</p>
<p>The pre-defined extension templates are:</p>
<table class="table table-striped">
<tr>
<th>Template</th>
<th>Extensions</th>
</tr>
<tr class="plain_odd">
<td>Certificate Authority</td>
<td>
Authority Key Identifier <br />
Subject Key Identifier <br />
Basic Constraints: CA=true <br />
Key Usage: Certificate Sign, CRL Sign
</td>
</tr>
<tr class="plain_even">
<td>TLS/SSL Server</td>
<td>
Authority Key Identifier <br />
Subject Key Identifier <br />
Key Usage: Digital Signature, Key Encipherment <br />
Ext. Key Usage: Server Authentication
</td>
</tr>
<tr class="plain_odd">
<td>TLS/SSL Client</td>
<td>
Authority Key Identifier <br />
Subject Key Identifier <br />
Key Usage: Digital Signature, Key Encipherment <br />
Ext. Key Usage: Client Authentication
</td>
</tr>
<tr class="plain_even">
<td>Code Signing</td>
<td>
Authority Key Identifier <br />
Subject Key Identifier <br />
Key Usage: Digital Signature <br />
Ext. Key Usage: Code Signing
</td>
</tr>
</table>
<p>
After selecting an extension template, additional extensions can be added. The extensions from the template can be
edited or removed.
</p>
<p>
Note that these template sets are not necessarily complete; they are rather a starting point (which might be
sufficient for some purposes).
For example, a TLS/SSL server certificate should also contain a Subject Alternative Name (SAN) extension with the site
name in it.
</p>
</div>
<div class="col-md-6">
<p>
<img src="images/releases/release54/rel54_std_template.png" class="img" align="top" border="0" />
</p>
<p>
<img src="images/releases/release54/rel54_std_template_selection.png" class="img" align="top" border="0" />
</p>
</div>
</div>
<h2 class="h3">Export Button in Certificate Details Dialog</h2>
<div class="row">
<div class="col-md-6">
<p>
When opening a certificate with one of the following methods, it is now possible to save that certificate to the
file system:
<ul>
<li>Examine File (Ctrl-F)</li>
<li>Examine Clipboard (Ctrl-L)</li>
<li>Examine TLS/SSL (Ctrl-Alt-S)</li>
</ul>
</p>
<p>
This is for example useful for ...
<ul>
<li>downloading an HTTPS certificate</li>
<li>converting a certificate from PKCS#7/DER/PEM/SPC to PKCS#7/DER/PEM/SPC format</li>
<li>saving a certificate that you got as PEM in an email as a DER encoded file (after viewing it with "Examine
Clipboard")</li>
</ul>
</p>
<p>
This is a user contribution by Benny Prange.
</p>
</div>
<div class="col-md-6">
<p>
<img src="images/releases/release54/rel54_export.png" class="img" align="top" border="0" />
</p>
<p>
<img src="images/releases/release54/rel54_export2.png" class="img" align="top" border="0" />
</p>
</div>
</div>
<h2 class="h3">Multi-User Option for Windows Installer</h2>
<div class="row">
<div class="col-md-6">
<p>
The Windows installer now has the option to install KSE for all users instead of only for the current user.
This is especially useful for software deployment tools that run as the system user.
</p>
<p>
This option is available in the installer GUI and as a command line parameter ("<code>/AllUsers</code>"). The default is
to install as current user.
</p>
</div>
<div class="col-md-6">
<p>
<img src="images/releases/release54/rel54_multi-user.png" class="img" align="top" border="0" />
</p>
</div>
</div>
<h2 class="h3">BCFKS KeyStore Type</h2>
<div class="row">
<div class="col-md-6">
<p>
KSE now supports Bouncy Castle's BCFKS keystore type. This includes the following operations:
<ul>
<li>Create a new BCFKS keystore</li>
<li>Open a BCFKS keystore</li>
<li>Change keystore type from/to BCFKS</li>
</ul>
</p>
<p>
This feature was contributed by Kable Wilmoth.
</p>
</div>
<div class="col-md-6">
<p>
<img src="images/releases/release54/rel54_bcfks.png" class="img" align="top" border="0" />
</p>
</div>
</div>
<h2 class="h3">View Private/Public Keys as PEM</h2>
<div class="row">
<div class="col-md-6">
<p>
The "Private Key Details" and "Public Key Details" dialogs now have a new "PEM" button that shows the key in PEM
format.
From there it can be copied to the system clipboard or saved to the file system.
</p>
</div>
<div class="col-md-6">
<p>
<img src="images/releases/release54/rel54_view_key_pem.png" class="img" align="top" border="0" />
</p>
</div>
</div>
<h2 class="h3">Change Value of Secret Key</h2>
<div class="row">
<div class="col-md-6">
<p>
The text field in the details dialog of secret (i.e. symmetric) key entries is now editable.
This allows you to replace an existing symmetric key in a keystore with another one.
</p>
<p>
Allowed format:
<ul>
<li>Hex string ("2DF588C4280D...") </li>
<li>No "0x" allowed</li>
<li>Number of characters has to be even</li>
<li>Upper/lower case does not matter: "2DF588C4280D..." or "2df588c4280d..." works</li>
<li>Whitespace is ignored: "2D F5 88 C4 28 0D ..." works</li>
<li>Colons (":") are ignored: "2D:F5:88:C4:28:0D ..." works</li>
</ul>
</p>
<p>
There are no explicit checks of the key value itself (e.g. no length checks or checks for parity bits in TDES keys).
</p>
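<p>
Because the dialog does not validate the key value, it can be worth checking a key before pasting it in. The following is an added example, not code from KSE: <code>parseKeyHex</code> approximates the format rules listed above, and <code>checkKey</code> performs the length and TDES parity checks that the dialog leaves out. The class and method names and the sample keys are constructed for illustration.
</p>

```java
import java.util.Locale;

public class SecretKeyHexCheck {

    // Approximates the listed format rules: whitespace and colons are dropped,
    // case is ignored, a "0x" prefix or an odd digit count is rejected.
    static byte[] parseKeyHex(String input) {
        String hex = input.replaceAll("[\\s:]", "");
        if (!hex.matches("[0-9a-fA-F]+")) {
            throw new IllegalArgumentException("not a plain hex string (a \"0x\" prefix is not allowed)");
        }
        if (hex.length() % 2 != 0) {
            throw new IllegalArgumentException("odd number of hex characters");
        }
        byte[] key = new byte[hex.length() / 2];
        for (int i = 0; i < key.length; i++) {
            key[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return key;
    }

    // DES/TDES convention: every key byte carries an odd number of set bits.
    static boolean hasOddParity(byte[] key) {
        for (byte b : key) {
            if (Integer.bitCount(b & 0xFF) % 2 == 0) return false;
        }
        return true;
    }

    // The checks the dialog does not perform; returns "ok" or a description of the problem.
    static String checkKey(String algorithm, byte[] key) {
        switch (algorithm.toUpperCase(Locale.ROOT)) {
            case "AES":
                return (key.length == 16 || key.length == 24 || key.length == 32)
                        ? "ok" : "AES keys are 16, 24 or 32 bytes, got " + key.length;
            case "DESEDE":
                if (key.length != 16 && key.length != 24) {
                    return "TDES keys are 16 or 24 bytes, got " + key.length;
                }
                return hasOddParity(key) ? "ok" : "TDES key bytes do not all have odd parity";
            default:
                return "no check defined for " + algorithm;
        }
    }

    public static void main(String[] args) {
        String[][] samples = { // constructed sample values, not real keys
            {"AES", "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff"},
            {"AES", "00 11 22 33 44 55 66 77"},
            {"DESede", "0123456789ABCDEF 23456789ABCDEF01 456789ABCDEF0123"},
            {"DESede", "0023456789ABCDEF 23456789ABCDEF01 456789ABCDEF0123"},
            {"AES", "0x00112233445566778899aabbccddeeff"},
        };
        for (String[] s : samples) {
            try {
                System.out.println(s[0] + " " + s[1] + " -> " + checkKey(s[0], parseKeyHex(s[1])));
            } catch (IllegalArgumentException e) {
                System.out.println(s[0] + " " + s[1] + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```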
</div>
<div class="col-md-6">
<p>
<img src="images/releases/release54/rel54_secret_edit.png" class="img" align="top" border="0" />
</p>
</div>
</div>
<h2 class="h3">Updated List of Time Stamping Authorities</h2>
<div class="row">
<div class="col-md-6">
<p>
KSE can generate and store a timestamp when signing a JAR file. You can either enter the URL of a <b>Time Stamping
Authority (TSA)</b> or select one from a list.
Those URLs can change from time to time, therefore the list has been updated.
</p>
<p>
The updated list of TSAs is:
<ul>
<li>http://timestamp.digicert.com</li>
<li>http://timestamp.globalsign.com/scripts/timstamp.dll</li>
<li>http://tsa.starfieldtech.com</li>
<li>http://time.certum.pl</li>
<li>http://sha256timestamp.ws.symantec.com/sha256/timestamp</li>
<li>http://timestamp.comodoca.com/?td=sha25</li>
</ul>
</p>
</div>
<div class="col-md-6">
<p>
<img src="images/releases/release54/rel54_tsa.png" class="img" align="top" border="0" />
</p>
</div>
</div>
<h2 class="h3">Other Enhancements</h2>
<div class="row">
<div class="col-md-6">
<p>
<ul>
<li>Added UID to DN chooser (contributed by Ha Nguyen)</li>
<li>New shortcut "F2" for "rename entry"</li>
<li>Focus in alias/password/DNchooser dialog is now on text</li>
<li>Removed version from Windows installation directory name</li>
<li>Made field for key data in details dialogs bigger</li>
<li>Also accept private/public key files for examining/dnd</li>
<li>Export key pair and certificate chain in one file in PEM format</li>
<li>Windows launcher (kse.exe) compatible with Java 10/11 now</li>
<li>KSE packages for Linux distributions in rpm and deb format</li>
<li>Updated included Bouncy Castle library to 1.60</li>
</ul>
</p>
</div>
<div class="col-md-6">
<p>
</p>
</div>
</div>
<h2 class="h3">Bugfixes</h2>
<div class="row">
<div class="col-md-6">
<p>
<ul>
<li>Fixed error in German translation (contributed by Benny Prange)</li>
<li>Fixed permissions of kse.sh in zip file (contributed by Todd Kaufmann)</li>
<li>Fixed "Other Name: UPN=" shown twice in extension editor (reported by Sivasubramaniam S MediumOne)</li>
<li>Fixed illegal option error in kse.sh on macOS (reported by Venkateswara Venkatraman Prasanna)</li>
<li>Fixed export of EC private key to OpenSSL format (reported by bsmith-tridium-com)</li>
<li>Fixed missing leading zeroes in certificate fingerprint (reported by UltraChill)</li>
<li>Fixed NPE when QC statement type is unknown and no statement info</li>
<li>Fixed encoding of ECPrivateKey (RFC 5915) for OpenSSL format</li>
<li>Fixed problem when loading EC public key file in OpenSSL format</li>
<li>Fixed loading of OpenSSL format EC private key files</li>
<li>Fixed: An empty key password was set when dragging and dropping a key pair entry</li>
</ul>
</p>
</div>
<div class="col-md-6">
<p>
</p>
</div>
</div>
<div class="page-header">
<h1>Older Release Notes</h1>
</div>
<p>
<a href="release53.html">KeyStore Explorer Release 5.3.0, 5.3.1 and 5.3.2</a>
</p>
<p>
<a href="release52.html">KeyStore Explorer Release 5.2.0, 5.2.1 and 5.2.2</a>
</p>
<p>
<a href="release51.html">KeyStore Explorer Release 5.1.0 and 5.1.1</a>
</p>
<p>
<a href="release50.html">KeyStore Explorer Release 5.0.0 and 5.0.1</a>
</p>