ejbca-develop — Development discussions

Re: [Ejbca-develop] =?iso-8859-1?q?=28no?= =?iso-8859-1?q?_subject=29?=

[Tomas G. <to...@ta...>]

Hi, I will try to give answers to your questions.

1. EJBCA can in theory be used for any kind of certificates implementing the
Java Certificate interface. If the CV certificates are very special, you would
implement a special subclass of the interface
se.anatom.ejbca.ca.sign.ISignSession. If the CV certificates on the other hand
is only a specially limited form of a regular X509 certificate, changes to
se.anatom.ejbca.ca.sign.RSASignSession is the only thing needed. Possibly even
configuration changes ni src/ca/META-INF/ejb-jar.xml is sufficient, since you
can disable use of any v3 extensions etc through configuration.
Is there any specification available of the CV certificates?

2. There is no OCSP module to date. The application server works with http or
rmi-iiop calls, so there is no standard way of adding a custom protocol, such as
OCSP, if it is not used over http.
The database however is available in the backend, so it is completely possible
to have an OCSP service besides the app.server who reads the database and
answers queries. In that case nothing in EJBCA would have to be changed, but
off-course the OCSP service must be created.
There is no OCSP-work in progress for the time being in EJBCA.
I would welcome any initiative, or market requirement, though...

3. The complete issuance of a certificate consists of two steps, reistering the
user and issuing the certificate (in response to a request). None of these tasks
are very demanding, creating the certificate typically takes less than 1 second
on a PIII 800 MHz (actually less than .5 secs with 1024 bit CA key).
With these figures in mind, I would say the possible number of certificates
generated in one day would be in the 10-thousands.

4. Yes, in the current version in CVS there is a sample configuration for using
Oracle. It is available on the EJBCA homepage (http://ejbca.sourceforge.net/)
under Documentation->HOWTO-Database.

5. No. Since Resin is not a full J2EE server (last time I checked) it cannot be
used to run EJB Session Beans, which is used in EJBCA. The Caontainer used must
fully implement the EJB 1.1 spec.

Hope the answers are helpful.

Regards,
Tomas

-------------------
> Dear Mr. Sirs,
> 
> I would be very grateful, if you would answer  the following questions
> related to EJBCA:
> 
> 1.)  Which files are to be changed in order to issue CV certificate ?
> 2.)  Can OCSP be used with EJBCA and what should be changed for this
> application?
> 3.)  Can you indicate approximate amount of certificate, which can be
> issued this software in day (1000 .... 3000 certificates) ?
> 4.)  Is it possible to use Oracle as data base? What should be changed for
> this application ?
> 5.)  Is it possible to use Resin as application server? What should be
> changed for this application ?
> 
> I would be grateful for any information.
> I thank you in advance for your co-operation
> 
> Sincerely yours
> 
> Slava Sklarewski

[Ejbca-develop] (no subject)

[<Sla...@de...>]

Dear Mr. Sirs,

I would be very grateful, if you would answer  the following questions
related to EJBCA:

1.)  Which files are to be changed in order to issue CV certificate ?
2.)  Can OCSP be used with EJBCA and what should be changed for this
application?
3.)  Can you indicate approximate amount of certificate, which can be
issued this software in day (1000 .... 3000 certificates) ?
4.)  Is it possible to use Oracle as data base? What should be changed for
this application ?
5.)  Is it possible to use Resin as application server? What should be
changed for this application ?

I would be grateful for any information.
I thank you in advance for your co-operation

Sincerely yours

Slava Sklarewski

[Ejbca-develop] New PKI book

[Timothy F. <trf...@ya...>]

There is an excellent new book out covering the
details of implementing PKI.

Title:
Introduction to the Public Key Infrastructure (PKI)
for the Internet
Author:  Messaoud Benantar


The book can serve as a valuable reference as it
contains sections describing PKIX, X.509, ASN1 and
other relevant standards.

Tim

__________________________________________________
Do You Yahoo!?
Yahoo! Sports - live college hoops coverage
http://sports.yahoo.com/

[Ejbca-develop] Uppdated homepage

[Tomas G. <to...@ta...>]

I have updated the homepage with for example Timothys excelent 
architectural overview.

/Tomas

Re: [Ejbca-develop] Architecture Tier Diagram

[Timothy F. <trf...@ya...>]

I certainly agree with your comment about a picture
saying more than a thousand words.  As I was looking
at EJBCA, I found it very helpful to diagram its
architecture in the way I did.  After having completed
the diagram, I realized that it might be very useful
to others as well.  It would probably be a good idea
to include the diagram in the doc directory.

As far as exploding down another level in the CA
component.  The only reason I didn't was for lack of
space and to keep the diagram looking neat.  I will
see what I can do to create another version that does
show the additional detail.  I'll send you an update
when I have something.

Tim


--- Tomas Gustavsson <to...@ta...> wrote:
> 
> Nice, really nice! To make it complete, should we
> explode the subcomponents in CA-component also?
> 
> i.e. Store Component contains CertificateDataBean,
> CRLDataBean, CertificateStoreSession and
> PublisherSession.
> 
> One picture really says more than a thousand words!
> 
> /Tomas
> 
> -------------------
> > Attached is a Word document that contains a
> diagram
> > which is a high level overview of EJBCA's tiers.
> > 
> > Tim
> > 
> > 
> > __________________________________________________
> > Do You Yahoo!?
> > Yahoo! Greetings - Send FREE e-cards for every
> occasion!
> > http://greetings.yahoo.com
> 


__________________________________________________
Do You Yahoo!?
Yahoo! Greetings - Send FREE e-cards for every occasion!
http://greetings.yahoo.com

Re: [Ejbca-develop] Architecture Tier Diagram

[Tomas G. <to...@ta...>]

> to others as well.  It would probably be a good idea
> to include the diagram in the doc directory.

I will, and also put it on the webpage.

/Tomas

Re: [Ejbca-develop] Architecture Tier Diagram

[Tomas G. <to...@ta...>]

Nice, really nice! To make it complete, should we explode the subcomponents in CA-component also?

i.e. Store Component contains CertificateDataBean, CRLDataBean, CertificateStoreSession and PublisherSession.

One picture really says more than a thousand words!

/Tomas

-------------------
> Attached is a Word document that contains a diagram
> which is a high level overview of EJBCA's tiers.
> 
> Tim
> 
> 
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Greetings - Send FREE e-cards for every occasion!
> http://greetings.yahoo.com

[Ejbca-develop] Architecture Tier Diagram

[Timothy F. <trf...@ya...>]

Attached is a Word document that contains a diagram
which is a high level overview of EJBCA's tiers.

Tim


__________________________________________________
Do You Yahoo!?
Yahoo! Greetings - Send FREE e-cards for every occasion!
http://greetings.yahoo.com

[Ejbca-develop] Restructuring of LICENSE

[Tomas G. <mp...@ch...>]

I just checked in some work restructuring the LICENSE terms of EJBCA. The structure is simply as this:

EJBCA it self is GPL.
Interfaces are LGPL, i.e. using an interface to make a custom authentication module (not touching EJBCA code, only modifying deployment descriptors) falls under LGPL.

I think this is the most logical model.

/Tomas

[Ejbca-develop] version 1.1

[Tomas G. <to...@ta...>]

I just made a release for version 1.1. I finished som e stuff I liked and thought, "best to release before more major work starts" or something like that.

/Tomas

[Ejbca-develop] databases again.

[Tomas G. <to...@ta...>]

I changed my mind and made the mySQL configuration optional, so the default JBoss database works out of the box.
To use mySQL now jaws-mysql.xml must be renamed to jaws.xml.

I think PostgreSQL wil work with default settings as well, I I can just get the jdbc driver to work in JBoss...

/Tomas

[Ejbca-develop] ny databas conf i CVS

[Tomas G. <to...@ta...>]

I changed in the CVS tree so the default database that works is mySQL.
To be able to use the JBoss default database (hypersonicDB) the file src/ca/META-INF/jaws.xml must be removed before building with ant.

I made relevant documentation (now in doc subdirectory) to use mySQL.
I'm now trying to get PostgreSQL to work. Have anyone used it with JBoss?

/Tomas

[Ejbca-develop] New CertificateStore/Publisher architecture

[Tomas G. <to...@ta...>]

I am staring to work on a new CertificateStore/Publisher architecture.

The old architecture works simply by the CA putting certificates and CRLs in the CertificateStoreSession defined in ca/ejb-jar.xml.

To be able to also use LDAP directories etc, I will make a new architecture.

New architecture:
-----------------

The CertificateStore/Publisher architecture is defined by the two interfaces
IPublisherSession and ICertificateStoreSession:

public interface IPublisherSession;
public interface ICertificateStoreSession extends IPublisherSession;

The CertificateStoreSession is the primary storage
for certificates and CRL. The CA always puts certificates and CRLs in the
CertificateStoreSession session bean defined in ca/ejb-jar.xml. The
CertificateStoreSession is also used to retrieve and find certificates,
retrieve CRLs, check for revocation etc. the CertificateStoreSession implements
the interface ICertificateStoreSession.

Certificates and CRLs can also be published to any number of other certificate
stores, which are defined by session beans PublisherSession1, PublisherSession2,
etc. A PublisherSession is a simple subset of the CertificateStoreSession and
can only be used to store certificates and CRLs. PublisherSession's implement
the interface IPublisherSession.

The IPublisherSession is a simple interface which is only used to store a
certificate or a CRL.
The ICertificateStoreSession extends the IPublisherSession interface with
capabilities to find certificates and CRL etc.
A class implementing the ICertificateStoreSession interface can thus also be
used a PublisherSession and a class implementing the IPublisherSession can
easily (well maybe not so easily) be extended to a fully fledged
CertificateStore.

This architecture gives us the choice of for example an SQL database aa
CertificateStoreSession where we also publish certificates to an LDAP directory,
or the LDAP directory as the primary CertificateStoreSession where we also
publish certificates to a specific SQL database for a specific purpose.

Any objections? I didn't think so :-)

/Tomas

[Ejbca-develop] EJBCA 1.0 released

[Tomas G. <to...@ta...>]

EJBCA is a fully functional OpenSource Java CA building on the J2EE plattform. EJBCA runs on the JBoss J2EE application server. 
This is version 1.0 to be user as stand-alone CA or integrated into any J2EE application. 

Changes since 1.0b2 
------------------- 
Fixed bug with not returning correct content-length to browser when returning PE 
M-certificates. 
New version of BouncyCastle provider with minor PKCS12 fix. 
Updated docs. 
Added FAQ. 

[Ejbca-develop] version 1.0 branch

[Tomas G. <to...@ta...>]

I branched version 1.0 final with tag Rel_1_0 today.
No known outstanding bugs exist.
Now new fantastic development can start in the HEAD branch.

ETA for the next version should be several months away I think.

/Tomas

[Ejbca-develop] new bugfixes

[Tomas G. <to...@ta...>]

I checked in two more bugfixed. When returning certs from manual 
certificate requests or retrieveing the CA cert in PEM-format the 
content-length was not set correctly causing the cert file to be 
truncated in some browsers (mozilla doesn't seem to care about 
content-length though).

/Tomas