Fixed for the Security Toolkit 9.0 for Java
The Security Toolkit 9.0 for Java fixes the following issues.
Class cast exception when using Protected EC keys with adoptOpenJDK11+9 (PKI-26003)
Entrust Java toolkit v8.1 does not fully support TLSv1.3 (PKI-37862)
EntrustVersInfo does not properly encode or decode ASN.1 (PKI-37024)
Exception when importing p12 certificates created with OpenSSL 3.0 (PKI-35709)
Configurable output path for LDAP directory search result files (PKI-19912)
Identifiers in parentheses are for internal purposes only.
Absent parameters when using "RSAWithNone" (PKI-33259)
Validating signatures fails when the Master List from International Civil Aviation Organization (ICAO) has a DER-encoded digest info prefix value using SHA256 with ABSENT parameters instead of NULL (as stated by RFC 5280).
AES-GCM issues in Microsoft CNG API
AES-GCM has compatibility issues with the Microsoft Cryptographic API:Next Generation (CNG) API for crypto operations due to the length of the nonce accepted by CNG API for AES-GCM (PKI-38321)
Class cast exception when using Protected EC keys with adoptOpenJDK11+9 (PKI-26003)
The TLSv1.3 protocol fails with ClassException when EC keys stored in PKCS #11 are fixed in Java 13. See more details at:
Entrust Java toolkit v8.1 does not fully support TLSv1.3 (PKI-37862)
The RSA-PSS algorithm implementation only supports the following RSA-PSS algorithm parameter specifications:
com.entrust.toolkit.security.crypto.rsa.RsaPssParameterSpec
java.security.spec.PSSParameterSpec
When using other specifications, the toolkit throws the following error.
Exception: java.security.InvalidAlgorithmParameterException: Unsupported RSA-PSS parameter specificationEntrustVersInfo does not properly encode or decode ASN.1 (PKI-37024)
Reconstructing the delta certificate fails because the EntrustVersInfo V3Extension re-encodes BIT STRING as 1011000 instead of 1011 from the original ASN.1.
Exception when importing p12 certificates created with OpenSSL 3.0 (PKI-35709)
When converting a keypair to Public-Key Cryptography Standards (PKCS) #12 format (pfx file) using OpenSSL 3.0, the GaKeyTool fails to import the p12 file and throws the following exception.
iaik.pkcs.PKCSExceptionAES-GCM issues in Microsoft CNG API (PKI-38321)
AES-GCM has compatibility issues with the Microsoft CNG API for crypto operations due to the length of the nonce accepted by CNG API for AES-GCM.
Exception when retrieving a CRL from a LDAP URL (PKI-20108)
When a CRL Distribution Points (CDP) extension in the certificate contains a Lightweight Directory Access Protocol (LDAP) URL, the toolkit fails to retrieve the Certificate Revocation List (CRL) and throws the following exception.
CRLs not found; no CRLs were foundConfigurable output path for LDAP directory search result files (PKI-19912)
The toolkit now provides a configurable system property to specify the default location for LDAP directory search result files:
com.entrust.toolkit.x509.directory.JNDIDirectory.DirLogPath=<path_to_new_location>Configurable folder for OCSP output (PKI-21703)
The toolkit now provides a configurable system property to specify the location for the Online Certificate Status Protocol (OCSP) output.
com.entrust.toolkit.x509.revocation.OCSPLogPath=<path_to_new_location>Unused protectionAlgorithm argument (PKI-37876)
In the following method, the protectionAlgorithm the argument is not used because the protection algorithm is always retrieved from the user-client policy.
StreamProfileWriter(OutputStream os, String protectionAlgorithm, int hashCount) Use instead:
StreamProfileWriter(OutputStream os, int hasCount)