
Releases: esig/dss

Release Notes - eSignature DSS - Version 6.1.1

03 Mar 11:35

This release provides a hotfix for enabling support of Trusted List v6 (as per ETSI TS 119 612 v2.3.1). The release contains minimal changes.

New features / Improvements

  • [DSS-3486] Add validation of Trusted List v6
  • Updated dependencies (BouncyCastle, VeraPdf, FOP, logback);
  • Fixed expired unit tests

Note

This migration requires changes to the validation policy in use, so that it supports the new Trusted List version.

To support both v5 and v6 Trusted Lists, you may update the constraint as shown below:

6.1:

<eIDAS>
    ...
    <TLVersion Level="FAIL" value="5" />
    ...
</eIDAS>

6.1.1:

<eIDAS>
    ...
    <TLVersion Level="FAIL">
        <Id>5</Id>
        <Id>6</Id>
    </TLVersion>
    ...
</eIDAS>

More information about the migration procedure can be found in the Migration Guide.

Release Notes - eSignature DSS - Version 6.0.1

03 Mar 11:35

This release provides a hotfix for enabling support of Trusted List v6 (as per ETSI TS 119 612 v2.3.1). The release contains minimal changes.

New features / Improvements

  • [DSS-3486] Add validation of Trusted List v6
  • Updated dependencies containing vulnerabilities (BouncyCastle, VeraPdf, FOP, logback)
  • Fixed expired unit tests

Bug fixes

  • [DSS-3348] Possible memory leak in XAdESSignature on Santuario signature creation
  • [DSS-3406] CertificateValues in validation report incorrect format
  • [DSS-3408] RevocationValues in validation report incorrect format

Note

This migration requires changes to the validation policy in use, so that it supports the new Trusted List version.

To support both v5 and v6 Trusted Lists, you may update the constraint as shown below:

6.0:

<eIDAS>
    ...
    <TLVersion Level="FAIL" value="5" />
    ...
</eIDAS>

6.0.1:

<eIDAS>
    ...
    <TLVersion Level="FAIL">
        <Id>5</Id>
        <Id>6</Id>
    </TLVersion>
    ...
</eIDAS>

More information about the migration procedure can be found in the Migration Guide.

Release Notes - eSignature DSS - Version 5.13.1

03 Mar 11:35

This release provides a hotfix for enabling support of Trusted List v6 (as per ETSI TS 119 612 v2.3.1). The release contains minimal changes.

New features / Improvements

  • [DSS-3486] Add validation of Trusted List v6
  • Updated dependencies containing vulnerabilities (BouncyCastle, VeraPdf, FOP, logback)
  • Fixed expired unit tests

Bug fixes

  • [DSS-3348] Possible memory leak in XAdESSignature on Santuario signature creation
  • [DSS-3406] CertificateValues in validation report incorrect format
  • [DSS-3408] RevocationValues in validation report incorrect format

Note

This migration requires changes to the validation policy in use, so that it supports the new Trusted List version.

To support both v5 and v6 Trusted Lists, you may update the constraint as shown below:

5.13:

<eIDAS>
    ...
    <TLVersion Level="FAIL" value="5" />
    ...
</eIDAS>

5.13.1:

<eIDAS>
    ...
    <TLVersion Level="FAIL">
        <Id>5</Id>
        <Id>6</Id>
    </TLVersion>
    ...
</eIDAS>

More information about the migration procedure can be found in the Migration Guide.
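
The TLVersion change described in the 6.1.1, 6.0.1 and 5.13.1 notes can be applied to an existing policy file with a small script. The following is an added example, not code from the DSS project: the function names and the sample policy are constructed for illustration, and it assumes the constraint appears exactly in the two forms shown in the notes.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the pre-hotfix constraint form from the notes above,
# without the "..." placeholders so that it parses.
OLD_POLICY = """<eIDAS>
    <TLVersion Level="FAIL" value="5" />
</eIDAS>"""


def _local(tag):
    """Element name without its '{namespace}' prefix."""
    return tag.rsplit("}", 1)[-1]


def _ids(tl_version):
    """Versions listed as <Id> children of a TLVersion element."""
    return [(c.text or "").strip() for c in tl_version if _local(c.tag) == "Id"]


def accepted_tl_versions(policy_xml):
    """Every Trusted List version the policy accepts, in either syntax."""
    versions = []
    for el in ET.fromstring(policy_xml).iter():
        if _local(el.tag) == "TLVersion":
            if el.get("value") is not None:
                versions.append(el.get("value").strip())
            versions.extend(_ids(el))
    return versions


def migrate_tl_version(policy_xml, add=("6",)):
    """Rewrite TLVersion constraints to the multi-value form, keeping Level."""
    root = ET.fromstring(policy_xml)
    for el in list(root.iter()):  # snapshot: children are edited below
        if _local(el.tag) != "TLVersion":
            continue
        old = el.attrib.pop("value", None)
        wanted = ([old.strip()] if old is not None else []) + _ids(el)
        wanted += [v for v in add if v not in wanted]
        for child in [c for c in el if _local(c.tag) == "Id"]:
            el.remove(child)
        # New <Id> elements reuse the parent's namespace, if it has one.
        ns = el.tag[: el.tag.index("}") + 1] if el.tag.startswith("{") else ""
        for version in wanted:
            ET.SubElement(el, ns + "Id").text = version
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    migrated = migrate_tl_version(OLD_POLICY)
    print(migrated)
    print(accepted_tl_versions(migrated))
```

ElementTree drops XML comments and may rewrite namespace prefixes when serializing, so review the diff before committing the migrated policy. Running accepted_tl_versions over deployed policies is a quick way to find ones that would still reject v6 Trusted Lists.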

Release Notes - eSignature DSS - Version 6.2

19 Feb 14:16

Bug fixes / Issues

  • [DSS-3519] Enforce TimeStamp level checks when no LTA material is present
  • [DSS-3520] XAdES validation fails in case of tampered ds:KeyInfo certificate
  • [DSS-3523] Misleading log warning on XAdES enveloping signature
  • [DSS-3526] AlertOnNoRevocationAfterBestSignatureTime returns NextUpdate before current time
  • [DSS-3529] dss-crl-parser-stream invalidates some CRLs signed by RSASSA-PSS

Improvements

  • [DSS-3524] Vulnerability report review
  • [DSS-3554] Upgrade to BouncyCastle 1.80
  • [DSS-3555] DSS Demonstrations : add property to skip ASN1ObjectIdentifier validation

+ All the changes included in DSS 6.2.RC1.

For more information about code changes and the migration process, please refer to the Migration Guide in the documentation.

Release Notes - eSignature DSS - Version 6.2.RC1

24 Dec 15:44

New features

  • [DSS-3166] Add support of ECDSA with SHA3 algorithms defined in RFC 9231
  • [DSS-3207] Configurable memory settings on PAdES signature creation
  • [DSS-3341] Add definition of trust anchors with time
  • [DSS-3369] Implement support of noRevAvail RFC 9608
  • [DSS-3393] Add option of nested CMS signatures creation
  • [DSS-3468] Add ValidationTime to validateSignature REST/SOAP API
  • [DSS-3486] Add validation of Trusted List v6

Improvements

  • [DSS-2623] XAdES/JAdES : Separate timestamp validation data on LT level
  • [DSS-2849] PAdES : add support of 142-2 extended profiles on validation
  • [DSS-3374] REST/SOAP webservices : add unit tests for signature augmentation with detached content
  • [DSS-3404] Update trust anchor definition per TS 119 615 v1.2.1
  • [DSS-3419] Adjust anchor links within Detailed Reports for new sunset checks
  • [DSS-3428] Allow a check skip with alerts
  • [DSS-3445] ASiCArchiveManifest shall refer a set of signed or timestamped files from covered signatures/timestamps
  • [DSS-3454] Fix "CRL Signature cannot be validated" warning message
  • [DSS-3460] Align getFilename method naming
  • [DSS-3484] Automate digest encoding on signing with RSA algorithm
  • [DSS-3487] Add support of AnyValidationData unsigned property
  • [DSS-3513] Add option to choose between strict and lax validation of ats-hash-index attribute (CAdES)
  • [DSS-3514] No minKeySize cryptographic constraint should not result in validation failure

Bug fixes / Issues

  • [DSS-2353] JAdES LT adds time-stamps validation data to the xVals
  • [DSS-2355] JAdES augmentation adds validation data for the signing certificate into the tstVD
  • [DSS-2359] XAdES LT adds time-stamps validation data to CertificateValues and RevocationValues
  • [DSS-2360] XAdES augmentation adds validation data for the signing certificate to the TimeStampValidationData element
  • [DSS-2361] LTA augmentation of LTA signatures adds new revocation data for the signing certificate
  • [DSS-3392] ASiC-S with CAdES creates invalid signature when a CMS signature is provided as an input
  • [DSS-3395] Bad debug log in ImageUtils
  • [DSS-3401] ASiCUtils.isZip(DSSDocument) method fails when a DigestDocument provided
  • [DSS-3411] ASiC with XAdES creates manifest.xml with null media-type
  • [DSS-3418] DiagnosticData does not include all certificate references when a custom TokenIdentifierProvider is used
  • [DSS-3439] PAdES ByteRange is not properly checked
  • [DSS-3451] Wrong link in reference to RFC4998
  • [DSS-3452] Expected and actual values switched in error message
  • [DSS-3458] XAdESPath contain imports from jaxb related modules
  • [DSS-3475] crlSignKeyUsage validation
  • [DSS-3478] Expired hardcoded test certificates break build
  • [DSS-3480] DSS WebApp logs Using generated security password warning
  • [DSS-3481] WebApp : CXF OpenAPI generates wrong JSON schema
  • [DSS-3482] Failed validation of detached CMS signature when using not id-data content type
  • [DSS-3490] Deadlock in TLValidationJob on TL URL change when CacheCleaner is not used
  • [DSS-3495] Slow XAdES validation with large amount of datafiles
  • [DSS-3506] Xades Signature DataObjectFormat missing reference to KeyInfo element
  • [DSS-3512] Inconsistent ats-hash-index-v3 building for non Baseline or invalid CAdES structures
  • [DSS-3519] Enforce TimeStamp level checks when no LTA material is present

Tasks / Other

  • [DSS-3065] Refactor CustomProcessExecutorTest class
  • [DSS-3122] Upgrade to PdfBox 3.0.0
  • [DSS-3325] Upgrade to Apache Santuario 3.0.5
  • [DSS-3435] Update highlightjs
  • [DSS-3465] Upgrade to FOP 2.10
  • [DSS-3483] Update BouncyCastle 1.79
  • [DSS-3496] Nexu : fix link in demo
  • [DSS-3499] Update cryptographic suites as per ETSI TS 119 312 v1.5.1
  • [DSS-3501] Update HttpClient5 to version 4.5.x
  • [DSS-3515] Update json-sKema v0.20.0

Release Notes - eSignature DSS - Version 6.1

12 Sep 08:59

Bug fixes / Issues

  • [DSS-3366] XAdES: assertSignaturePossible blocks even on DetachedSignatureBuilder
  • [DSS-3395] Bad debug log in ImageUtils
  • [DSS-3400] JAdES iat header parameter incorrect value
  • [DSS-3401] ASiCUtils.isZip(DSSDocument) method fails when a DigestDocument provided
  • [DSS-3406] CertificateValues in validation report incorrect format
  • [DSS-3407] Validation of ASiC-E containing an ASN.1 ER when the reducedHashtree field is not present
  • [DSS-3408] RevocationValues in validation report incorrect format
  • [DSS-3409] XAdES : reference name check fails for URL-encoded entries
  • [DSS-3410] Hash Failure when validating XMLERS with 3 ArchiveTimeStampChain or more
  • [DSS-3411] ASiC with XAdES creates manifest.xml with null media-type
  • [DSS-3412] Hash Failure when validating an XMLERS with a hashtree renewal followed by a timestamp renewal
  • [DSS-3415] JAXBPKILoader invalid behavior for multiple cross certificates
  • [DSS-3423] ASiC-E signatures are not reported when no linked manifest found
  • [DSS-3424] ASiC with ER chooses wrong DocumentValidator
  • [DSS-3438] Sha2FileCacheDataLoader should rethrow original exception

Improvements

  • [DSS-3436] dss-demo-bundle to use JDK 21 by default

+ All the changes included in DSS 6.1.RC1.

NOTE: This release includes a breaking change that affects the signature validation process. If you use validation, please add the following module to the list of dependencies:

<dependencies>
    ...
    <dependency>
        <groupId>eu.europa.ec.joinup.sd-dss</groupId>
        <artifactId>dss-validation</artifactId>
    </dependency>
    ...
</dependencies>

For more information about code changes and the migration process, please refer to the Migration Guide in the documentation.

Release Notes - eSignature DSS - Version 6.1.RC1

11 Jul 12:21

New features

  • [DSS-3006] Warn the user if the PDF contains annotations done after the signature
  • [DSS-3124] Add policy constraints for certificate attributes
  • [DSS-3181] Add support of ASN.1 Evidence records
  • [DSS-3238] DSS Demos: add configuration of TrustAllStrategy on TL loading
  • [DSS-3240] Add configuration of revocation skip condition in validation policy
  • [DSS-3248] Introduce Document Digest Generator for Evidence Record creation and validation
  • [DSS-3278] Improve cache handling of LOTL/TLs with sha2 files
  • [DSS-3283] Create Document Digest Generator for ASiC containers
  • [DSS-3289] Add a possibility to specify a signature field for a visual time-stamp
  • [DSS-3301] Create Document Digest Generator for Evidence Record renewal
  • [DSS-3315] JAdES : add support of RFC 7519 'iat' header
  • [DSS-3344] Introduce TimestampTokenVerifier
  • [DSS-3364] DSS Demonstrations : add property to configure maximum number of XML manifest references
  • [DSS-3372] Allow partial documents validation within an XML Manifest
  • [DSS-3373] Add JAdES base64url signature parameters to signature creation endpoints

Improvements

  • [DSS-2322] Allow to configure alerts in CertificateVerifier for the signature validation
  • [DSS-2392] Add developer extension augmented documents
  • [DSS-2751] Use CertificateVerifier to enforce certificate validation on signature creation
  • [DSS-2935] Support for ISO 32001 and ISO 32002
  • [DSS-3025] Placing LT signature on document containing LTA signature
  • [DSS-3108] Differentiate RSA and RSA-PSS and validation policy
  • [DSS-3123] PAdESService : verify if the provided document is a PDF file
  • [DSS-3125] Custom CertificateSource implementations for trusted lists certificate sources
  • [DSS-3204] Align Id attributes produced for XAdES timestamps
  • [DSS-3223] Add support of Evidence Records on standalone time-stamps
  • [DSS-3226] Detection of numeric object modification faulty/dubious
  • [DSS-3235] ASN.1 Evidence Records : add verification of digest algorithm
  • [DSS-3236] Merge reference digest algorithm cryptographic validation block
  • [DSS-3242] XAdES: Cannot sign multiple times with Enveloped transform
  • [DSS-3279] DSSDocument.getDigest should return byte array
  • [DSS-3297] ASiC merger : add handling of evidence records
  • [DSS-3298] Configurable revocation update based on maximum revocation freshness constraint
  • [DSS-3326] Ease requirements for JAdES protected headers within 'crit'
  • [DSS-3331] dss-demo - add config property to load Java default proxy settings
  • [DSS-3338] Skip .sha2 file verification for LOTL Pivots
  • [DSS-3367] Allow ASiC signature of 2GB+ documents

Bug fixes / Issues

  • [DSS-2730] Revocation data not considered fresh in LTA with qualified timestamp
  • [DSS-2805] Validation result depends on signature certificate validity
  • [DSS-3053] SVG : notBefore/notAfter dates displayed on hover are duplicated between all certificates
  • [DSS-3191] DSS does not detect duplicated signing-certificate attributes in CMS
  • [DSS-3192] NOT_YET_VALID certificate passes validation when basic validation process returns REVOCATION_OUT_OF_BOUNDS_NO_POE
  • [DSS-3221] Different validation outcomes in two logically identical scenarios
  • [DSS-3228] NPE when two equivalent evidence records with the same filename provided to validation
  • [DSS-3233] ER ArchiveTimeStampSequence time-stamp's validation does not ensure all original documents are covered
  • [DSS-3234] Fix Dockerfile in master
  • [DSS-3239] PdfByteRangeDocument cannot be used on document validation
  • [DSS-3241] Inconsistencies in handling the signature policy ID in XAdESSignature::buildSignaturePolicy
  • [DSS-3269] Double signature annotation when open action is set with destination array targeting the first page
  • [DSS-3271] Cannot compile Transformer for Simple Report PDF when using Saxon-HE 12.4
  • [DSS-3281] DiagnosticDataBuilder fails on evidence record covering an orphan reference
  • [DSS-3323] Wrong timestamp order returned from unsigned properties (BC 1.78+)
  • [DSS-3330] ASiC-E with CAdES validation : ASICManifest documents get duplicated in the report
  • [DSS-3336] QCForLegalPerson qualifier is not processed correctly
  • [DSS-3342] Cryptographic constraint shall be applied at current time for X509 certificate validation
  • [DSS-3348] Possible memory leak in XAdESSignature on Santuario signature creation
  • [DSS-3349] xades signature with empty namespace prefix
  • [DSS-3356] Validation fails when SigningCertificateDigestAlgorithm constraint level is higher than failed Cryptographic level
  • [DSS-3365] DSS returns XAdES-BASELINE-* for a signature without signing-certificate in KeyInfo
  • [...]

Release Notes - eSignature DSS - Version 6.0

22 Dec 17:51

Main changes

  • [DSS-2774] Update xml jakarta.xml.bind-api - support namespace change from javax to jakarta
  • [DSS-2838] DSS WebApp : migrate from Spring to Spring Boot
  • [DSS-3184] Remove sscd-mocca-adapter

Bug fixes / Issues

  • [DSS-3220] KeyEntityTSPSource : add null safe processing

+ All the changes included in DSS 5.13.

NOTE: This release uses "jakarta.*" namespaces. For "javax.*" version please use 5.13.

Release Notes - eSignature DSS - Version 5.13

21 Dec 07:45

Bug fixes / Issues

  • [DSS-3169] Simple Report: Copy ID button generates a wrong Id for evidence records
  • [DSS-3170] Evidence record validation within ASiC-E fails when having more signed objects than referenced by manifest
  • [DSS-3171] Detached signed content is not provided to the evidence record validation
  • [DSS-3172] Validation of Xml Evidence Record with omitted HashTree fails
  • [DSS-3174] Validation of renewed evidence records within ASiC container fails
  • [DSS-3177] Pretty-printed XAdES extension from -LT to -LTA fails when having TimeStampValidationData
  • [DSS-3179] ASiC-S container with an evidence record file shall not require a manifest file
  • [DSS-3183] DSS Standalone : TL-signing generates invalid signature for a non SHA-256 algo
  • [DSS-3188] NPE on CertificateRef user-friendly identifier building
  • [DSS-3189] Unhandled casting of COSArray in PdfBox implementation
  • [DSS-3201] B-level signature validation with an evidence record may cause NPE
  • [DSS-3209] KeyEntityTSPSource returns a different signing-time than set productionTime
  • [DSS-3211] XMLERS : XML document is not canonicalized for omitted hashtree
  • [DSS-3212] Null values from CertEntityRepository are not handled
  • [DSS-3214] Add support of LOTL location change workflow

+ All the changes included in DSS 5.13.RC1.

Release Notes - eSignature DSS - Version 5.13.RC1

03 Nov 17:07

New features

  • [DSS-2511] XAdES manifest signature : mime type of referenced entries
  • [DSS-2775] JAdES please add support for x5u header
  • [DSS-2972] Add optional check verifying a presence and validity of a signature timestamp
  • [DSS-3024] XAdES : add support of EdDSA algo
  • [DSS-3064] Add docker compose file to demonstrations project
  • [DSS-3069], [DSS-3120], [DSS-3146] Introduce offline PKI Factory module to DSS
  • [DSS-3090] Add support of XML Evidence Records

Improvements

  • [DSS-2517] XAdES: dss doesn't validate xades:DataObjectFormat
  • [DSS-2913] ASiC : introduce CONTAINER_TIMESTAMP type
  • [DSS-3017] Add links to referenced standards within cookbook
  • [DSS-3044] Add qualification messages to HTML/PDF simple certificate reports
  • [DSS-3045] TLValidationJob : extract OtherTSLPointer information to a TL DTO
  • [DSS-3056] Add a possibility to define a wildcard within proxy configuration
  • [DSS-3060] Align implementation per TS 119 615 v1.2.1
  • [DSS-3082] OCSP fails when server does not support "nonce" extension
  • [DSS-3096] Make DSSErrorHandlerAlert to retrieve column/line numbers for an error
  • [DSS-3098] Process detached timestamp validation with lowest POE time
  • [DSS-3099] Add rotation processing on add an empty signature field
  • [DSS-3110] Ease signature policy validation constraints
  • [DSS-3114] Add support of NoRotate flag on existing annotation position extraction
  • [DSS-3158] OCSP error handling
  • [DSS-3161] Improve ASiC container type determination

Bug fixes / Issues

  • [DSS-2994] Name restriction on an unsupported name form
  • [DSS-3004] DSS demo bundle webapp startup time
  • [DSS-3036] Utils.fromBase64 condition is not covered
  • [DSS-3067] Problem with the certificate validation tool at DSS/webapp-demo/certificate-validation
  • [DSS-3076] OnlineOCSPSource and nonce length
  • [DSS-3083] Default SecureRandomNonceSource should generate nonces of at least 16 octets
  • [DSS-3089] Wrong Javadoc for eu.europa.esig.dss.enumerations.Indication.TOTAL_FAILED
  • [DSS-3097] ManifestFilePresentCheck shall allow manifest presence for ASIC-S container
  • [DSS-3105] esig-dss generates an invalid enveloped XML signature if the origin XML has comments before the root node
  • [DSS-3106] esig-dss generates an invalid enveloped XML signature if the origin XML is encoded in latin-1
  • [DSS-3111] PAdES : improve LT-level validation
  • [DSS-3113] NPE in Diagnostic data builder
  • [DSS-3117] Calls that utilize the ZipUtils class is not thread safe
  • [DSS-3119] XAdES Enveloping signature does not incorporate comments within root element
  • [DSS-3141] esig-dss generates an invalid enveloped XML signature when using URI "#xpointer(/)" if the origin XML has comments
  • [DSS-3148] Wrong RefURI check
  • [DSS-3162] ASiC-S : SignedFilesPresentCheck verifies across all files, while should check only root level files

Tasks / Other

  • [DSS-2898] Create a key store TSPSource implementation
  • [DSS-3009] Upgrade BouncyCastle
  • [DSS-3042] Fix TrustService element wording in Diagnostic Data XSD
  • [DSS-3061] Update ETSI validation report per TS 119 102-2 v1.4.1
  • [DSS-3087] Update maven-jaxb plugin to version 2.x
  • [DSS-3163] Upgrade to OpenPdf 1.3.32