Improved functionality

The Security Toolkit 9.0 for Java adds the following improvements.

SHA3 hashing

This release implements the Secure Hash Algorithm-3 (SHA-3) per NIST FIPS 202.

Internal identifier: PKI-29262

ECC support for CMS

This release adds CMS (Cryptographic Message Syntax) support for ECC (Elliptic Curve Cryptography) as stated in RFC 5753.

Internal identifier: PKI-26411, PKI-21929, PKI-20001

Secure key transport for strict FIPS Mode in HSM

In stricter Federal Information Processing Standards (FIPS) modes, the Hardware Security Module (HSM) firmware and middleware do not allow wrapping and unwrapping keys with 3DES symmetric keys. Therefore, this release uses AES symmetric keys instead.

Additionally, this release supports:

  • RSA-OAEP (SHA-256), where the mechanism is available, instead of the older RSA-PKCS (SHA-1) for RSA key transport.

  • ECDH on the HSM through P11 to improve key strength and performance.

Internal identifier: PKI-4001, PKI-16166, PKI-25483, PKI-29094, PKI-29762, PKI-33091
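The key transport change described above, sketched with the standard JCA API as an added example (it is not the toolkit's own API or code). The key sizes and the choice of SHA-256 for MGF1 are assumptions; the page states only "RSA-OAEP (SHA-256)".

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class OaepKeyTransportDemo {
    static final String TRANSFORMATION = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    // Assumption: SHA-256 for both the OAEP digest and MGF1. With the default JDK
    // provider, the transformation name alone leaves MGF1 on SHA-1, so the
    // parameters are passed explicitly on both the wrapping and unwrapping side.
    static final OAEPParameterSpec OAEP_SHA256 = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);

    // Sender side: wrap the AES key under the recipient's RSA public key.
    static byte[] wrap(PublicKey recipient, SecretKey aesKey) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.WRAP_MODE, recipient, OAEP_SHA256);
        return cipher.wrap(aesKey);
    }

    // Recipient side: unwrap with the RSA private key and the same OAEP parameters.
    static SecretKey unwrap(PrivateKey recipient, byte[] wrapped) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.UNWRAP_MODE, recipient, OAEP_SHA256);
        return (SecretKey) cipher.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA");
        rsa.initialize(3072); // constructed sample key pair
        KeyPair recipient = rsa.generateKeyPair();

        KeyGenerator aes = KeyGenerator.getInstance("AES");
        aes.init(256); // AES key being transported, in place of a 3DES key
        SecretKey aesKey = aes.generateKey();

        byte[] wrapped = wrap(recipient.getPublic(), aesKey);
        SecretKey recovered = unwrap(recipient.getPrivate(), wrapped);
        System.out.println("wrapped bytes: " + wrapped.length);
        System.out.println("round trip ok: "
                + Arrays.equals(aesKey.getEncoded(), recovered.getEncoded()));
    }
}
```

If the two sides disagree on the MGF1 digest, unwrapping fails with a padding error, which is the usual symptom when different providers or an HSM are mixed.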

Enhanced PKCS#12 security

This release implements Password-Based Encryption Scheme 2 (PBES2) for Public Key Cryptography Standard (PKCS) #12 as stated in RFC 7292.

The PBES2 format is compatible with OpenSSL version 3.0.

Internal identifier: PKI-22581, PKI-26491, PKI-35709

Enhanced CMP crypto

This release enhances CMP (Certificate Management Protocol) crypto to work with Entrust Certificate Authority (ECA) 10.1+ when algorithm enforcement is enabled.

Internal identifier: PKI-30200

New public API to set the application name in the CMP PKIHeader

The toolkit allows applications to set the name and version strings that appear in the Entrust Certificate Authority (ECA) logs to improve traceability.

Internal identifier: PKI-34395

AES-128 support added to ProfileServerKeyType

This release adds AES-128 support to the ProfileServerKeyType parameter of the entrust.ini settings to work with the Entrust Roaming Server. The parameter now supports the following algorithms.

  • 3DES

  • AES-128

  • CAST-128

  • IDEA

Internal identifier: PKI-34336

Improved Entrust Profile encryption algorithm support

This release improves the Entrust Profile encryption algorithm to support AES-CBC and AES-GCM.

The EPF format must be compatible with ECA 10.1.1.

Internal identifier: PKI-33223, PKI-33414, PKI-34220

UAL upgrade from Entrust Security Toolkit 8.0

The re-bind operation allows updating the Un-Attended Login (UAL) or a Security Toolkit 8.0 commercial release (EOL) to Security Toolkit 9.0.

Internal identifier: PKI-36530

Added support for Apple Keychain

This toolkit release adds the P11 JNI build for macOS. This library allows:

  • Signing and decrypting with private keys stored in the Apple Keychain

  • Verifying and encrypting data using public keys from the keychain

Internal identifiers: PKI-7368, PKI-11844, PKI-13148, PKI-15231, PKI-15867, PKI-20426, PKI-20904, PKI-35795

Additional platform support

This release supports additional platforms. Download the support and integration report for details.

To download the support and integration report

  1. Log in to https://trustedcare.entrust.com

  2. Select the PRODUCTS tab.

  3. Navigate to MY PRODUCTS > PKI > Authority > Product Support Center for Authority.

  4. Select the DOCUMENTS tab.

  5. Click the Download link for the PSIC-Entrust Security Toolkit 9.0 for Java document.

Add support for LDAP timers in Generic Token Reader Cert Verifier

This release adds support for editing the following settings when specifying LDAP in the Cert Verifier.

  • connectionTimeout

  • socketTimeOut

  • searchTimeout

Internal identifier: PKI-31258

Improved performance for checking large CRLs

When checking Certificate Revocation Lists (CRLs), the toolkit collects all CRLs in a Name and processes them until it finds a good one. This procedure can be a performance issue when large combined CRLs sit at the end of the list.

This release improves the process to ensure the CRL cache works correctly in all cases. Specifically, the Map object storing the cached CRLs is now static, that is, shared across all instances of the CachedCRLRS objects.

Internal identifier: PKI-7082, PKI-35637, PKI-36645

PKCS11 token profile enhanced to protect the integrity of public token certificates

This release enhances the Message Authentication Code (MAC) protection algorithm for Public-Key Cryptography Standards (PKCS) #11 public token certificate objects.

In previous releases, deleting or updating a certificate removed the MAC protection of the old certificate.

Internal identifier: PKI-33223, PKI-22040, PKI-22057, PKI-21319

Support for authenticated encryption using AES-GCM in PKCS7

This release adds support for authenticated encryption using AES-GCM in PKCS#7/CMS.

Internal identifier: PKI-12573, PKI-36815

Support for ECDHCofactorKeyAgreement with cofactor greater than 1

The EcParameterFactory class supports parameters with a cofactor other than 1 when partialVAlidation is false.

When using a curve with a cofactor greater than 1, the cofactor needs a scalar point multiply operation.

Internal identifier: PKI-34510
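What the cofactor multiply does, as an added example on a constructed toy curve (this is not the toolkit's EcParameterFactory or its key agreement code; every name and parameter below is an assumption chosen for illustration). The shared point is computed as (h·d)·Q, and a peer point that lies entirely in the small-order part of the group collapses to the point at infinity and is rejected.

```java
import java.math.BigInteger;

public class CofactorEcdhDemo {
    // Constructed toy curve y^2 = x^3 - x over F_11 (assumption, not a toolkit curve):
    // 12 points in total, prime-order subgroup n = 3, cofactor h = 4.
    static final BigInteger P = BigInteger.valueOf(11);
    static final BigInteger A = BigInteger.valueOf(-1).mod(P);
    static final BigInteger H = BigInteger.valueOf(4);

    record Point(BigInteger x, BigInteger y) {} // affine; null is the point at infinity

    static Point add(Point p, Point q) {
        if (p == null) return q;
        if (q == null) return p;
        BigInteger num, den;
        if (p.x().equals(q.x())) {
            // P + (-P) is infinity; this also covers doubling a point with y = 0.
            if (p.y().add(q.y()).mod(P).signum() == 0) return null;
            num = p.x().pow(2).multiply(BigInteger.valueOf(3)).add(A); // tangent slope
            den = p.y().shiftLeft(1);
        } else {
            num = q.y().subtract(p.y()); // chord slope
            den = q.x().subtract(p.x());
        }
        BigInteger lambda = num.multiply(den.mod(P).modInverse(P)).mod(P);
        BigInteger x = lambda.pow(2).subtract(p.x()).subtract(q.x()).mod(P);
        BigInteger y = lambda.multiply(p.x().subtract(x)).subtract(p.y()).mod(P);
        return new Point(x, y);
    }

    static Point multiply(BigInteger k, Point p) { // double-and-add, left to right
        Point r = null;
        for (int i = k.bitLength() - 1; i >= 0; i--) {
            r = add(r, r);
            if (k.testBit(i)) r = add(r, p);
        }
        return r;
    }

    // Cofactor Diffie-Hellman: Z = (h * d) * Q, rejected if Z is the point at infinity.
    static BigInteger cofactorEcdh(BigInteger d, Point peer) {
        Point z = multiply(H.multiply(d), peer);
        if (z == null) throw new IllegalArgumentException("peer point has no prime-order component");
        return z.x();
    }

    public static void main(String[] args) {
        Point g = new Point(BigInteger.valueOf(4), BigInteger.valueOf(4)); // order-3 base point
        Point qA = multiply(BigInteger.TWO, g), qB = g; // public keys for d = 2 and d = 1
        System.out.println("agree: " + cofactorEcdh(BigInteger.TWO, qB).equals(cofactorEcdh(BigInteger.ONE, qA)));
        try { cofactorEcdh(BigInteger.TWO, new Point(BigInteger.ZERO, BigInteger.ZERO)); } // order-2 point
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```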

Support to maintain the uniqueId during user updates

When performing a user update on a Public-Key Cryptography Standards (PKCS) #11 token, this release supports maintaining the uniqueId set when the user was created or recovered.

In previous releases, a new uniqueId was created during an update.

Internal identifier: PKI-22145

Timestamp requests updated to support reading a SigningCertificateAttributeV2 with an ESSCertIDv2

This release updates the timestamp requests to RFC 5816 (which supersedes RFC 3161) to support reading a SigningCertificateAttributeV2 with an ESSCertIDv2.

Internal identifier: PKI-34644

UAL Encryption algorithm updated

This release updates:

  • The Un-Attended Login (UAL) version to be compatible with Entrust Certificate Authority (ECA) 10.1.1.

  • The encryption algorithm to use AES-CBC.

Internal identifier: PKI-37438