A new feature for signing JWT (JSON Web Token) has been contributed by Jairo Graterón. It came just a little too late for the 5.5.0 release, so it is included in this update:

The French translation has been extended and improved by The-Lum.

Bug fixes:

  • Fixed import of CA reply failing for EC keys (reported by Stanislav Izmalkov).
  • Fixed incorrect display name CRL SELF CDP for OID 1.3.6.1.4.1.311.21.14 on the 'CRL Extensions' screen (reported by The-Lum).
  • Fixed missing menu item for certificate verification feature for trusted certificates (contributed by The-Lum).
  • Fixed issues with dark mode (namely "tip of the day" and "date picker" backgrounds) (reported by The-Lum).

This release includes the following new features, enhancements and bugfixes:

CRL Signing

Previous versions of KSE already had some basic CA features, such as signing X.509 certificates, key creation, PKCS#10 requests, support for many X.509 extensions and extension profiles, but revoking certificates by creating and signing a certificate revocation list (CRL) has been missing so far.

This has changed in version 5.5.0. In the context menu of key pair entries is now a new item called "Sign CRL", which opens the dialog on the right.

Certificates can be added to the CRL in three ways:

  • By selecting a certificate from a keystore file.
  • By selecting a certificate file.
  • By selecting an older CRL from the same issuer certificate.

The generated CRL can then be saved to the file system in PEM or DER format.

The feature uses an automatically created file, named after the issuer serial number with the extension ".db", to save metadata such as the CRL serial number, the revoked certificates and the validity period. This makes creating subsequent CRLs much easier.

This feature was contributed by Jairo Graterón.

Certificate Validation

KSE can now validate a certificate, including a check of its revocation status using four different methods.

This feature was contributed by Jairo Graterón.

EdDSA

Support for the (twisted) Edwards curves has been added. This includes key generation and the EdDSA signature scheme for:

  • Ed25519
  • Ed448

Choosing an elliptic curve that is both secure and efficient has not been easy in the past. The Edwards curves are therefore a useful addition to KSE.

RSASSA-PSS

In contrast to the older PKCS#1 v1.5 signature scheme, the Probabilistic Signature Scheme (PSS) from PKCS#1 v2.1 is provably secure. This does not mean that the v1.5 scheme is insecure, but PSS should be preferred if possible.

The PSS versions of the signature algorithms can be recognized by the appended "and MGF1":

  • SHA-1 with RSA and MGF1
  • SHA-224 with RSA and MGF1
  • SHA-256 with RSA and MGF1
  • SHA-384 with RSA and MGF1
  • SHA-512 with RSA and MGF1

CRL Distribution Points Extension

The CRL Distribution Points (CDP) extension is one of the standard certificate extensions from RFC 5280. With KSE being able to create CRLs, this extension is even more relevant now.

The extension can contain multiple distribution points and every distribution point has three optional fields:

  • One or more "General Names" (usually a URL pointing to the current CRL)
  • Reason Flags (for segmenting CRLs by reason code)
  • CRL Issuer (the distinguished name from the issuer field of the CRL)

This feature was contributed by Jairo Graterón.

Custom Certificate Extensions

When generating a certificate with KSE, a wide range of commonly used certificate extensions can be added. There are however some exotic or non-public extensions that are completely out of scope for a tool like KSE. With this new feature any extension can be added to a new certificate by entering the object ID (OID) of the extension and the value as a hex encoded string.

The value has to be entered as the hexadecimal encoding of the DER-encoded ASN.1 value of the extension without the encapsulating OCTET STRING tag and length bytes.

Examples:

  1. The "OCSP No Check" extension is one of the most simple X.509 extensions because it has ASN.1 "NULL" as its value. Just leave the input field for the extension empty in this case.

    Object ID 1.3.6.1.5.5.7.48.1.5
    Value (empty)

  2. The old and obsolete Netscape extensions were removed in KSE 5.5.0, but you can still add them as a custom extension. The OID "2.16.840.1.113730.1.1" represents netscape-cert-type, and 03020410 is the hexadecimal encoding of the DER-encoded ASN.1 value for the type "Object Signing": BIT STRING (tag "03") with a length of "02" bytes, 4 unused bits ("04") and '10'H = '00010000'B (bit 3 = Object Signing).

    Object ID 2.16.840.1.113730.1.1
    Value 03020410

  3. More complex extensions are of course also possible; it is only a matter of encoding the value correctly. For a CRL Distribution Points extension with the URL "http://dodgycert.example.com/evca.crl" you would enter the following OID and value:

    Object ID 2.5.29.31
    Value 302d302ba029a0278625687474703a2f2f646f646779636572742e6578616d706c652e636f6d2f657663612e63726c

This is definitely a feature for advanced users who know what they are doing, but it has been repeatedly requested.
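The following is an added example (not KSE code) that reproduces the two hex values from the examples above with a small standard-library DER encoder, and builds the CRL Distribution Points structure described in the CDP section; the functions return exactly the bytes that belong in the "Value" field, i.e. without the outer OCTET STRING wrapper.

```python
# Added example, not part of KSE: minimal DER encoder/decoder (standard library
# only) for the custom-extension values shown on this page.
def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value; short form below 128, long form above."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def netscape_cert_type(bit_positions) -> bytes:
    """BIT STRING for netscape-cert-type: bit 0 is the MSB; DER drops trailing zero bits, so bit 3 alone gives 1 byte with 4 unused bits."""
    nbits = max(bit_positions) + 1
    buf = bytearray((nbits + 7) // 8)
    for pos in bit_positions:
        buf[pos // 8] |= 0x80 >> (pos % 8)
    unused = len(buf) * 8 - nbits
    return der_tlv(0x03, bytes([unused]) + bytes(buf))

def crl_distribution_points(urls) -> bytes:
    """CRLDistributionPoints ::= SEQUENCE OF DistributionPoint, each with only fullName holding one URI GeneralName."""
    points = b""
    for url in urls:
        uri = der_tlv(0x86, url.encode("ascii"))  # [6] IMPLICIT IA5String (GeneralName)
        full_name = der_tlv(0xA0, uri)            # [0] IMPLICIT GeneralNames (fullName)
        dp_name = der_tlv(0xA0, full_name)        # [0] EXPLICIT, DistributionPointName is a CHOICE
        points += der_tlv(0x30, dp_name)          # DistributionPoint SEQUENCE
    return der_tlv(0x30, points)

def der_walk(data: bytes, depth: int = 0) -> list:
    """Parse DER into (depth, tag, content) triples, descending into constructed tags."""
    out, i = [], 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:                              # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        content, i = data[i:i + n], i + n
        out.append((depth, tag, content))
        if tag & 0x20:                            # constructed: recurse
            out.extend(der_walk(content, depth + 1))
    return out

if __name__ == "__main__":
    for depth, tag, content in der_walk(crl_distribution_points(["http://dodgycert.example.com/evca.crl"])):
        print("  " * depth + f"tag 0x{tag:02x} len {len(content)}: {content.hex()}")
```

Running the script prints the nested structure of the CDP value, which makes it easy to see where each of the 0x30/0xa0/0x86 tags in the page's hex string comes from.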

Additional Name Components for Distinguished Names

The distinguished name (DN) chooser/viewer dialog has been extended with seven additional name components:

  • Name (OID 2.5.4.41)
  • Street (OID 2.5.4.9)
  • Title (OID 2.5.4.12)
  • Initials (OID 2.5.4.43)
  • Pseudonym (OID 2.5.4.65)
  • DN Qualifier (OID 2.5.4.46)
  • Generation Qualifier (OID 2.5.4.44)

The first three were added by Jairo Graterón.

Sign Multiple Jars

With KSE 5.5.0 it is now possible to sign multiple jar files at once.

The browse button now opens a file chooser dialog that allows selecting multiple files. Next to the button is an indicator showing the number of selected files.

As before it is possible to either replace the original jar file with the signed one or create a new file. In the latter case the file name of the signed jar is created by adding a prefix and/or a suffix. The suffix is added before the file extension.

This feature was contributed by Colbix.

Find KeyStore Entries

You can now search the current keystore.

The keyboard shortcut for "Examine File" (Ctrl-F) has been changed to Ctrl-E in KSE 5.5.0 so that the more intuitive Ctrl-F can be used for this new find feature.

Every keystore entry with a matching name is selected after the search has been executed. The number of selected entries has been added to the status bar, which gives an overview of the search result and is useful if not all found entries fit into the window.

This feature was contributed by Jairo Graterón.

Input Suggestions for Object Identifiers (OIDs)

OIDs are hard to remember and it is easy to make mistakes when entering them.

Wherever you can enter OIDs in KSE, this new feature makes suggestions that you can select from a drop-down list. Of course, if none of the suggestions match, you can still enter another OID just like before.

This feature was contributed by Jairo Graterón.

Diffie-Hellman Parameters

This new feature allows creating a PEM file with Diffie-Hellman (DH) key exchange parameters, which can be used for example in OpenVPN.

The Java implementation of the DH parameter generation is pretty slow, so especially for key sizes above 2048 bits OpenSSL is still the better tool for this task.

This feature was contributed by Colbix.

New Windows Launcher ("kse.exe")

KSE 5.5.0 comes with a completely new launcher executable for Windows. It was written especially for KSE and uses Bill Stewart's JavaInfo.dll for detecting Java installations.

The launcher searches for Java in the following locations in exactly this order:

  1. In a folder named "jre" next to kse.exe.
  2. In the paths where the environment variables JAVA_HOME, JDK_HOME and JRE_HOME point to.
  3. In the folders listed in the Path environment variable, if one of them contains a java.exe.
  4. The registry in the following locations:
    • HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft
    • HKEY_LOCAL_MACHINE\SOFTWARE\IBM
    • HKEY_LOCAL_MACHINE\SOFTWARE\AdoptOpenJDK
    • HKEY_LOCAL_MACHINE\SOFTWARE\Eclipse Adoptium
    • HKEY_LOCAL_MACHINE\SOFTWARE\Eclipse Foundation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Semeru
    • HKEY_LOCAL_MACHINE\SOFTWARE\Azul Systems\Zulu

New Windows Installer

The Windows installer for KSE is now made with InnoSetup and comes with the following improvements:

  • HKLM\SOFTWARE\Classes or HKCU\Software\Classes are used instead of HKEY_CLASSES_ROOT
  • kse.exe is added to "Software\Microsoft\Windows\CurrentVersion\App Paths"
  • A ProgId is created for selected file types
  • Values to OpenWithProgIds subkey are added for selected file types
  • Localization: You can choose your language for the installation (currently English and German)
  • Detection of a currently running KSE process

Also, there are two versions of the Windows installer now:

  • kse-550-setup.exe: This is the recommended version. It includes a custom, size-optimized Java runtime (27 MB vs 160 MB).
  • kse-550-setup-no-jre.exe: This version is for those users who want to use a specific Java runtime with KSE.

Other Enhancements

  • Improved usage of JavaFX file chooser in various ways (contributed by Colbix)
  • ExamineClipboard now also works with URLs if they end with one of the following extensions: .cer, .crt, .pem and .crl (contributed by Jairo Graterón)
  • "Sign CSR" can save the certificate now in several formats
  • Added certificate serial number to configurable columns for main window
  • Added option to show hidden files in file chooser
  • Updated list of timestamp authorities (TSAs) in jar sign dialog
  • Certificate serial number is now shown as both hexadecimal and decimal in certificate viewer
  • SHA-256 is now the default algorithm for signing jars; MD2 and MD5 have been removed
  • Added popup menu for multiple entry selection
  • Added handler for viewing files via system clipboard (copy file, then do "Examine System Clipboard")
  • Added jar/apk files to "Examine File" feature, which shows the signature certificates for signed jars (dragging and dropping a jar file onto KSE works as well)
  • Added SAN extension to SSL server template
  • Subject DNs can be empty now (explicitly allowed in RFC 5280)
  • Removed old Netscape extensions from AddExtensions dialog
  • Added OIDs of three private Apple certificate extensions to extension viewer
  • Increased maximum number of items in recent files menu from 6 to 9
  • Flat Laf Light is now the default theme for all platforms
  • macOS: Updated VAqua look&feel to v8
  • macOS: Updated DMG background image (144dpi, arrow, text)

Bugfixes

  • Fixed display and entering of IP subnets (reported by Natan Abolafya and fix contributed by Jairo Graterón)
  • Fixed not remembering last used key type and size/curve in key generation dialog (reported by Benny Prange)
  • Fixed display name in ASN.1 view for UPN/1.3.6.1.4.1.311.20.2.3 (reported by Michael Osipov)
  • Fixed bug when signing fat jars (reported by Pavel Yankelevich)
  • Workaround for display issue in verify function of jarsigner (reported by Pavel Yankelevich)
  • Fixed root node in certificate viewer selected instead of leaf (reported by chinkinsei and Maurice Perry)
  • Fixed scaling issue with splash image (reported by Kevin Herron)
  • Fixed error in file type detection (reported by Basti Schneider)
  • Fixed spacing in some dialogs
