Release Notes
Product Description
CipherTrust Application Data Protection (CADP) for Java is a Java Cryptography Extension (JCE) provider that helps users integrate their Java applications with the cryptographic and key management capabilities of the Key Manager. CADP for Java provides APIs (Java, REST, and SOAP) to perform cryptographic and key management operations using the Key Manager.
Release Description
This release includes bug fixes.
The CADP for Java Jar files are signed using the RSA SHA256 algorithm with the JCE Code Signing Certificate issued by Oracle.
Advisory Notes
Before deploying this release, note the following high-level requirements and limitations:
Jar File Version Change: The jar file version is 8.13.1.000 and the name of the file is CADP_for_JAVA-8.13.1.000.jar. Customers upgrading from previous releases must update the classpath to reflect this new name.
Downloading JCE Policy Files: The CADP for Java Provider does not include the JCE policy files required to use unlimited strength ciphers (e.g., 192- and 256-bit AES keys). You must download the unlimited strength policy files for the Java 8 implementation.
Generate and Install a Client Certificate with an IP Address: A workaround is available to generate and install a client certificate containing a client IP address into a Java key store for JCE client application use.
Key versioning and group key permission are not supported by the Key Manager device with the KMIP protocol.
Resolved Issues and Known Issues
This section lists the issues that have been resolved in this release and that are known to exist in this release. The following table defines the severity of the issues listed in this section.
Priority | Classification | Definition |
---|---|---|
C | Critical | No reasonable workaround exists. |
H | High | Reasonable workaround exists. |
M | Medium | Medium level priority problems. |
L | Low | Lowest level priority problems. |
Resolved Issue
The following issues are fixed in this release.
Issue | Severity | Synopsis |
---|---|---|
CADP-10515 | H | The CADP for Java Jar files are signed using a weaker algorithm, SHA1withDSA. Java 11 does not support this algorithm. |
CADP-10323 | H | The CADP for Java Jar files signed using SHA1 are not supported on Java 11 and higher versions. |
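
To check which signing metadata a deployed jar carries (the SHA1/DSA condition in CADP-10515 and CADP-10323 versus the RSA SHA256 signing of this release), the following added example, which is not Thales code, lists the signature-block types and `.SF` digest names found under `META-INF/`. The class name `JarSigScan` and the sample jar are constructed for illustration; the scan reads metadata only and does not parse the PKCS #7 block or validate any signature.

```java
import java.io.*;
import java.nio.file.*;
import java.util.*;
import java.util.jar.*;
import java.util.zip.*;

public class JarSigScan {
    static List<String> scan(Path jar) throws IOException {
        List<String> out = new ArrayList<>();
        // verify=false: read the signing metadata only; signatures are not validated here.
        try (JarFile jf = new JarFile(jar.toFile(), false)) {
            for (JarEntry e : Collections.list(jf.entries())) {
                String n = e.getName().toUpperCase(Locale.ROOT);
                if (!n.startsWith("META-INF/")) continue;
                if (n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC")) {
                    String alg = n.substring(n.lastIndexOf('.') + 1); // key type of the block
                    out.add(e.getName() + ": " + alg + " signature block" + ("DSA".equals(alg) ? " [legacy]" : ""));
                } else if (n.endsWith(".SF")) {
                    try (InputStream in = jf.getInputStream(e)) {
                        // A .SF file uses manifest syntax, so Manifest can parse it.
                        for (Object k : new Manifest(in).getMainAttributes().keySet()) {
                            String key = k.toString();
                            if (!key.endsWith("-Digest-Manifest")) continue;
                            String dig = key.substring(0, key.indexOf("-Digest"));
                            boolean sha1 = dig.replace("-", "").equals("SHA1");
                            out.add(e.getName() + ": " + dig + " digest" + (sha1 ? " [legacy]" : ""));
                        }
                    }
                }
            }
        }
        return out;
    }
    public static void main(String[] args) throws IOException {
        // With no argument, scan the constructed sample instead of a real jar.
        Path jar = args.length > 0 ? Paths.get(args[0]) : constructedJar();
        scan(jar).forEach(System.out::println);
    }
    // Constructed sample: a jar carrying only SHA1/DSA signing metadata (not a valid signature).
    static Path constructedJar() throws IOException {
        Path p = Files.createTempFile("constructed", ".jar");
        try (ZipOutputStream z = new ZipOutputStream(Files.newOutputStream(p))) {
            z.putNextEntry(new ZipEntry("META-INF/MANIFEST.MF"));
            z.write("Manifest-Version: 1.0\r\n\r\n".getBytes("UTF-8"));
            z.putNextEntry(new ZipEntry("META-INF/OLD.SF"));
            z.write("Signature-Version: 1.0\r\nSHA1-Digest-Manifest: AAAA\r\n\r\n".getBytes("UTF-8"));
            z.putNextEntry(new ZipEntry("META-INF/OLD.DSA"));
            z.write(new byte[] {0});
        }
        return p;
    }
}
```

Pass the path of the jar on your classpath as the first argument; use the JDK's `jarsigner -verify` for actual signature validation.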
Known Issues
The following issues are known to exist in the product at the time of release.
Issue | Severity | Synopsis |
---|---|---|
CADP-10355 | H | Bulk crypto operation becomes unresponsive when data size and batch size are greater than 2000. |
CADP-10241 | H | Bulk operation with AES/CBC/PKCS5Padding returns incorrect ciphertext when batch size exceeds 375. |
KY-49767 | H | For bulk operation, if data is null or blank, the whole batch is discarded and the operation is terminated. |
PA-5194 | H | There is a difference in RSA private key export format in local and remote mode. |
PA-5201 | H | [Local Mode] Key information returns null or NullPointerException message for retired key versions. |
PA-5196 | H | [Remote Mode] Unable to fetch new key state information after modifying its state during the same session. |
PAN-1802 | M | In a multithreaded environment, the following exception is thrown if ECB mode is used for encryption/decryption and Persistent cache is also enabled: "Given Final Block not properly padded." |
PA-4314 | M | KMIP: Authenticated user cannot Locate global keys. |
48382 | M | Considerations when using PKCS #5 Padding. Problem: If users attempt a chain of operations that includes two decrypt operations that use PKCS #5 padding, the chain of operations might hang because both decrypt operations wait for the doFinal() method. This scenario poses another potential issue when the user’s input data requires only one block (e.g. 8 bytes for DES and DESede, or 16 bytes for AES), with chances of the NAE server returning incorrect data. |
48080 | M | Key Generation Requests and Key Permissions. Problem: NAE users cannot see keys that they do not have permission to use. However, a key generation request will fail if the key already exists on the server. A user could use this behavior to discover the names of existing keys. |
Compatibility Information
Key Manager
CipherTrust Manager
CipherTrust Manager 2.10 and higher versions.
Note
Features added in CADP for Java 8.13.0 and higher versions will work only with CipherTrust Manager.
KeySecure Classic
Warning
KeySecure Classic will be End of Life based on the announcement shared.
Features added in CADP for Java up to the 8.12.6 release will continue to work with KeySecure/CipherTrust Manager. Refer to the respective CRNs for compatibility details.
Operating Systems
CADP for Java works with most operating systems. It is supported on a variety of platforms, including Windows, RHEL, Solaris, HPUX, and AIX PowerPC. Not all operating system version combinations are explicitly validated.
Supported JRE
The following JRE versions are supported in this release: Oracle Java version 8 (minimum 1.8.0_111), 10, 11 (including OpenJDK and Amazon Corretto), 12 (OpenJDK and Azul Java), 14 (OpenJDK), 15 (OpenJDK), 17 (OpenJDK), 19 (OpenJDK), or IBM Java 8 (minimum 8.0.6.25).
Deliverables
This release includes the following components:
Software: 610-000873-002_cadp_for_java_v8.13.1.000.zip
Product documentation is available on Thalesdocs
CADP for Java samples are available on Github
We have attempted to make these documents complete, accurate, and useful, but we cannot guarantee them to be perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in succeeding releases of the product.