Skip to content

Latest commit

 

History

History
532 lines (454 loc) · 26.7 KB

dss-releases.adoc

File metadata and controls

532 lines (454 loc) · 26.7 KB
Raw

1. DSS upgrades and change history

1.1. Release notes

Table 1. Release notes
Version Release date Features

v5.10.RC1

February 2022

Main new features / improvements :

  • Cookbook update;

  • PAdES : object modification detection;

  • PAdES : visual signature preview;

  • PAdES : avoid repeated creation of OCSP/CRL tokens;

  • PAdES : enforce signature creation/validation against ISO 32 000 restrictions (DocMDP, Lock, etc.);

  • PAdES : add validation data on timestamp method (including data for standalone timestamps);

  • XAdES and CAdES : added support of extended profiles on validation;

  • ASiC services refactoring (various improvements);

  • WebService to sign a Trusted List;

  • Apple KeyStore as a signature token connection;

  • ED448 signature algorithm support;

  • Revocation check on B/T-level signature creation;

  • Added supportive information to Status object in alerts;

  • Same instance of signature parameters can be used for multiple signing operation;

  • Demo : new viewer for XML reports (i.e. for DiagnosticData and ETSI VR);

  • Dependencies upgrade (HttpClient5, BouncyCastle, Santuario, logback, etc.);

  • Java 17 support.

v5.10.RC1

February 2022

Bug fixes :

  • PAdES : erroneously triggered visual signature difference warning;

  • PAdES : wrong LT-/LTA-level determination for documents with multiple signatures;

  • PAdES : original documents extraction does not work against carriage return;

  • XAdES : NPE on validation of XAdES v.1.1.1, 1.2.2;

  • CAdES : NPE on signature validation without signing-certificate;

  • CAdES : counter-signature produces duplicates of existing counter-signatures;

  • JAdES : wrong payload computation for 'sigD' with ObjectIdByURI mechanism;

  • ASiC : MimeType is lost on re-signature;

  • Signature policy caching issue;

  • Revocation freshness checks use different values across the code;

  • Demo : jumping rows on collapse of TL-validation table;

  • Demo : inability to sign when encryption algorithm of the token is different from the one used in signature;

  • Demo : wrong encoding on uploaded filenames containing non-ASCII characters.

v5.9

September 2021

Main new features / improvements :

  • Many improvements in the validation reports;

  • AIASource introduction : more customizations;

  • Customization of revocation collection strategy (OCSP/CRL first);

  • DocumentBuilderFactory securities;

  • ECDSA / ECDSA-PLAIN support;

  • JAdES (JSON AdES) consolidations;

  • PAdES visual signature refactorings / improvements :

    • Image scaling : STRETCH / ZOOM_AND_CENTER / CENTER;

    • Text wrapping : BOX_FILL / FILL_BOX_AND_LINEBREAK / FONT_BASIC.

  • Dependency upgrades (Santuario, BouncyCastle, PDFBox,…);

  • Java 16 support.

Bug fixes :

  • Short term OCSP response;

  • On hold certificate;

  • Qualification conflict (issuance time / best signing time);

  • ASiC-S can’t be timestamped twice;

  • PAdES revision extraction;

  • PAdES wrong level detection (files with multiple signatures/timestamps);

  • ETSI Validation report : multiple files / references.

v5.8

February 2021

  • JAdES implementation (ETSI TS 119 182 v0.0.6) : signature creation, extension and validation (advanced electronic signatures based on JWS);

  • PDF Shadow attacks : prevention and detection;

  • Counter Signature creation (CAdES, XAdES, JAdES and ASiC containers);

  • Support of the unsigned attribute SignaturePolicyStore (CAdES, XAdES, JAdES and ASiC containers);

  • Support of the QCLimitValue attribute;

  • Support of Java 8 up to 15.

v5.7

August 2020

  • CertificatePool removal and performance amelioration;

  • QWAC validator;

  • New design of PDF reports;

  • Support of PSD2 attributes;

  • Support of EdDSA;

  • Signature representation with a timeline;

  • Visual signature creation with REST/SOAP webservices.

v5.6

March 2020

  • Complete rewriting of the TL/LOTL loading with:

    • online / offline refresh;

    • 3 caches (download / parse / validate);

    • multiple LOTL support;

    • multiple TL support (not linked to a LOTL);

    • Pivot LOTL support;

    • Synchronization strategy (eg : expired TL/LOTL are rejected/accepted);

    • multi-lingual support (trust service matching);

    • alerting (eg : LOTL/OJ location desynchronization,…​);

    • complete reporting (summary of download / parsing / validation).

  • Independent timestamp creation and validation (not linked to a signature, with ASiC and PDF);

  • Timestamp qualification;

  • Internationalization of the validation reports;

  • Multiple Trusted Sources support;

  • XAdES support of different prefixes / versions.

v5.5

October 2019

  • The implementation of the ETSI Validation Report;

  • The support of Java 12 (multi-release jars);

  • Webservice which allows to validate certificates.

v5.4.3

August 2019

  • Hotfix release.

v5.4

January 2019

  • Augmentation of signatures with invalid time-stamps, archive-time-stamps and revoked certificates;

  • Upgrade to Java 8 or 9;

  • Certify documents;

  • Add support of KeyHash in OCSP Responses.

v5.3.2

October 2018

  • Security patch, following a security assessment from the Ruhr-Universität Bochum.

v5.3.1

July 2018

  • Certificate validation;

  • content-timestamps generation;

  • SHA-3 support;

  • non-EU trusted list(s) support;

  • integration of the last version of MOCCA.

v5.3

May 2018

  • Certificate validation;

  • content-timestamps generation;

  • SHA-3 support;

  • non-EU trusted list(s) support;

  • integration of the last version of MOCCA.

v5.2.1

October 2018

  • Security patch, following a security assessment from the Ruhr-Universität Bochum.

v5.2

December 2017

  • Qualification matrix guidelines and documentation;

  • Improvements regarding visual representation of a signature;

  • Alternative packaging: Image docker / spring-boot;

  • CRL streaming, the demo won’t use the X509CRL java object by default (it can be changed). With some signatures, we had large CRLs (+60Mo in Estonia) and that could cause memory issues.

  • RSASSA-PSS support, I received some requests to support these algorithms :

    • SHA1withRSAandMGF1;

    • SHA224withRSAandMGF1;

    • SHA256withRSAandMGF1;

    • SHA384withRSAandMGF1;

    • SHA512withRSAandMGF1.

v5.1

September 2017

  • Webservices for Server signing REST and SOAP;

  • PAdES : Support of signature fields;

  • PAdES : distinction of PAdES and PKCS7 signatures;

  • Proxy configuration fix.

v5.0

April 2017

  • Refactoring of ASiC format handling, following the ETSI ASiC Plugtest;

  • Signature of multiple files (ASiC and XAdES);

  • Integration of the Qualification matrix as described in draft ETSI 119 172-4, for supporting signatures before and after 01/07/2016 (eIDAS entry into force);

  • Migration to PDFBox 2 for handling PDFs.

  • Complete refactoring of the ASiC part (creation, extension and validation);

  • Compliance to eIDAS regulation.

v4.7

October 2016

A XAdES PlugTest is planned in October / November 2015. Remaining changes resulting from this PlugTest and not included in v4.6 may be included in this release. An eSignature Validation PlugTest is planned in April 2016. Depending on the actual timeframe, impacts from this PlugTest may be included in this release, and the release of DSS 4.7 will be postponed accordingly.

Other potential improvements and features:

  • Extension of signature validation policy support;

  • CAdES attribute certificates;

  • CRL in multiple parts;

  • Distributed timestamps method;

  • Support of cross-certification in path building.

v4.6*

March 2016

Based on standards:

  • Signature formats when creating a signature: baseline profiles ETSI TS 103 171, 103 172, 103 173, and 103 174;

  • Signature formats when validating a signature: baseline profiles, and core specs ETSI TS 101 903, 101 733, 102 778 and 102 918;

  • Signature validation process ETSI TS 102 853.

Improvements in packaging and core functionalities:

  • CAdES optimisation, CAdES multiple Signer Information. A CAdES PlugTest is occurring in June and July 2015. Changes resulting from this PlugTest will be included in this release. CAdES countersignature will not be supported.

  • Impacts from XAdES PlugTest of October 2015.

  • Processing of large files.

  • Further refactoring of demo applet (size, validation policy editor).

  • SOAP and REST Web Services.

  • Standalone demo application.

* October 2015: Implementing Acts Art. 27 & 37 (eSig formats)

1.2. Version upgrade

To upgrade version of DSS, locate to the pom.xml file of your project, search for the properties and then change the dss version in the corresponding field(s).

The following example shows how to switch to DSS version 5.10 using [BomModule].

pom.xml
<properties>
    ...
    <dss.version>5.10</dss.version>
    ...
</properties>

...

 <dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>eu.europa.ec.joinup.sd-dss</groupId>
            <artifactId>dss-bom</artifactId>
            <version>${dss.version}</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

1.3. Migration guide

This chapter covers the most significant changes in DSS code occurred between different versions, requiring review and possible changes from code implementors.

For changes within XML Signature Policy please refer Validation policy migration guide.

Table 2. Code changes from version 5.9 to 5.10

Title

v5.9

v5.10

ASiC container extraction

 
ASiCExtractResult extractedResult = asicContainerExtractor.extract();
 
ASiCContent extractedResult = asicContainerExtractor.extract();

HttpClient5 transition

 
import org.apache.http.*
 
import org.apache.hc.client5.http.*
import org.apache.hc.core5.http.*

FileCacheDataLoader

 
fileCacheDataLoader.setCacheExpirationTime(Long.MAX_VALUE);
 
fileCacheDataLoader.setCacheExpirationTime(-1); // negative value means cache never expires

DiagnosticData: PDF signature field name

 
List<String> fieldNames = xmlPDFRevision.getSignatureFieldName();
String name = fieldNames.get(i);
 
List<PDFSignatureField> signatureFields = xmlPDFRevision.getPDFSignatureField();
String name = signatureFields.get(i).getName();
Table 3. Code changes from version 5.8 to 5.9

Title

v5.8

v5.9

AIA data loader

 
certificateVerifier.setDataLoader(dataLoader);
 
AIASource aiaSource = new DefaultAIASource(dataLoader);
certificateVerifier.setAIASource(aiaSource);

Signature Policy Provider

 
certificateVerifier.setDataLoader(dataLoader);
 
SignaturePolicyProvider signaturePolicyProvider = new SignaturePolicyProvider();
signaturePolicyProvider.setDataLoader(dataLoader);
documentValidator.setSignaturePolicyProvider(signaturePolicyProvider);

JDBC dataSource

 
JdbcRevocationSource.setDataSource(dataSource);
 
JdbcCacheConnector jdbcCacheConnector = new JdbcCacheConnector(dataSource);
jdbcRevocationSource.setJdbcCacheConnector(jdbcCacheConnector);

DiagnosticData: Signature policy

 
String notice = xmlPolicy.getNotice();
Boolean zeroHash = xmlPolicy.isZeroHash();
XmlDigestAlgoAndValue digestAlgoAndValue = xmlPolicy.getDigestAlgoAndValue();
Boolean status = xmlPolicy.isStatus();
Boolean digestAlgorithsEqual = xmlPolicy.isDigestAlgorithsEqual();
 
XmlUserNotice notice = xmlPolicy.getUserNotice();
Boolean zeroHash = xmlPolicy.getDigestAlgoAndValue().isZeroHash();
XmlPolicyDigestAlgoAndValue digestAlgoAndValue = xmlPolicy.getDigestAlgoAndValue();
Boolean status = xmlPolicy.getDigestAlgoAndValue().isMatch();
Boolean digestAlgorithsEqual = xmlPolicy.getDigestAlgoAndValue().isDigestAlgorithsEqual();

DiagnosticData: QCStatements

 
XmlPSD2Info psd2Info = xmlCertificate.getPSD2Info();
List<XmlOID> qcStatementIds = xmlCertificate.getQCStatementIds();
List<XmlOID> qcTypes = xmlCertificate.getQCTypes();
QCLimitValue qcLimitValue = xmlCertificate.getQCLimitValue();
OID semanticsIdentifier = xmlCertificate.getSemanticsIdentifier();
 
XmlPSD2Info psd2Info = xmlCertificate.getQcStatements().getPSD2Info();
QcCompliance qcCompliance = xmlCertificate.getQcStatements().getQcCompliance();
BigInteger qcEuRetentionPeriod = xmlCertificate.getQcStatements().getQcEuRetentionPeriod();
QcEuPDS qcEuPDS = xmlCertificate.getQcStatements().getQcEuPDS();
List<XmlOID> qcTypes = xmlCertificate.getQcStatements().getQCTypes();
QcEuLimitValue qcLimitValue = xmlCertificate.getQcStatements().getQcEuLimitValue();
QCLimitValue qcLimitValue = xmlCertificate.getQcStatements().getQCLimitValue();
OID semanticsIdentifier = xmlCertificate.getQcStatements().getSemanticsIdentifier();

1.4. Validation policy migration guide

This chapter covers the changes occurred between different versions of DSS within [validationPolicy].

Table 4. Policy changes from version 5.9 to 5.10

Title

v5.9

v5.10

Revocation freshness
(time constraint enforced)

 
<CertificateConstraints>
    ...
    <RevocationDataFreshness Level="FAIL" />
    ...
</CertificateConstraints>

...

<RevocationConstraints>
    ...
	<RevocationFreshness Level="FAIL" Unit="DAYS" Value="0" />
    ...
</RevocationConstraints>
 
<CertificateConstraints>
    ...
    <RevocationFreshness Level="FAIL" Unit="DAYS" Value="0" />
    ...
</CertificateConstraints>

Revocation freshness
(no time constraint)

 
<CertificateConstraints>
    ...
    <RevocationDataFreshness Level="FAIL" />
    ...
</CertificateConstraints>

...

<RevocationConstraints>
    ...
	<!--<RevocationFreshness />-->
    ...
</RevocationConstraints>
 
<CertificateConstraints>
    ...
    <RevocationFreshnessNextUpdate Level="FAIL" />
    ...
</CertificateConstraints>

Signing-certificate reference certificate chain

 
<CertificateConstraints>
    ...
    <SemanticsIdentifierForNaturalPerson />
    <SemanticsIdentifierForLegalPerson />
    ...
</CertificateConstraints>
 
<CertificateConstraints>
    ...
    <SemanticsIdentifier>
        <Id>0.4.0.194121.1.1</Id> // for natural person
        <Id>0.4.0.194121.1.2</Id> // for legal person
    </SemanticsIdentifier>
    ...
</CertificateConstraints>
Table 5. Policy changes from version 5.8 to 5.9

Title

v5.8

v5.9

Revocation nextUpdate check

 
<CertificateConstraints>
    ...
    <RevocationDataNextUpdatePresent />
    ...
</CertificateConstraints>
 
<CertificateConstraints>
    ...
    <CRLNextUpdatePresent />
    <OCSPNextUpdatePresent />
    ...
</CertificateConstraints>

Signing-certificate reference certificate chain

 
<SignedAttributesConstraints>
    ...
    <AllCertDigestsMatch />
    ...
</SignedAttributesConstraints>
 
<SignedAttributesConstraints>
    ...
    <SigningCertificateRefersCertificateChain />
    ...
</SignedAttributesConstraints>

1.5. Frequently asked questions and implementation issues

This chapter covers the most frequently asked questions and issues occurring in implementations using DSS.

Table 6. Possible problems and solutions

Version

Description

Solution

v5.9

Returned signature level is *_NOT_ETSI

DSS 5.9 enforces validation of AdES BASELINE signature profiles as per ETSI standards. The signature is not BASELINE if you receive *_NOT_ETSI output.
Since DSS 5.10 a support of AdES extended signature profiles for (XAdES and CAdES) has been added as per ETSI standards.

v5.8 and higher

PAdES : performance downgrade

 
pdfSignatureService.setMaximalPagesAmountForVisualComparison(0); // skip validation

For a complete code please see the example.

v5.7 and higher

How to filter certain Trusted Lists (for example countries)

To filter LOTLs or TLs you can use predicates. For example, to filter TLs from Germany and Romania:

link:../../../test/java/eu/europa/esig/dss/cookbook/example/snippets/TLValidationJobSnippets.java[role=include]

v5.2 and higher

XAdES : performance downgrade

Xalan dependency has been removed as deprecated.
We do not recommend to use Xalan in production. To use Xalan, you will need to remove security attributes:

XmlDefinerUtils.getInstance().setTransformerFactoryBuilder(
TransformerFactoryBuilder.getSecureTransformerBuilder()
.removeAttribute(XMLConstants.ACCESS_EXTERNAL_DTD)
.removeAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET));

all versions

Build fails when using quick profile

  • DSS 5.9 and lower:
    Build the following modules using mvn clean install (without any profile):

    • dss-utils;

    • dss-crl-parser;

    • dss-test;

    • dss-pades;

    • dss-asic-common (since DSS 5.8).

  • DSS 5.10: Use quick-init profile for the first build of DSS.

all versions

Revocation data is missing on LT-level extension

Verify whether the trust anchors and CRL/OCSP sources are configured appropriately. You need to provide them to the used CertificateVerifier:

CertificateVerifier configuration
link:../../../test/java/eu/europa/esig/dss/cookbook/example/sign/SignXmlXadesLTTest.java[role=include]

all versions

Unable to access DSS Maven repository

If the error occurs, more likely DSS-team is already aware about the issue.
You need to try to connect again in a few hours.

all versions

PAdES validation without sending the document

PAdES format requires a complete document to perform a signature validation. You cannot validate a PDF signature as a DETACHED XAdES or CAdES.
The only possible way to perform the cryptographic signature validation is to extract the embedded CMS signature and the covered range as a detached document. But the validation result will not be able to conclude it as a valid PAdES nor CAdES.

all versions

When validating a PDF with embedded CAdES-BASELINE signature the returned format is PDF_NOT_ETSI

PAdES-BASELINE format establishes some limitations on the embedded CMS signature, which are not compliant with CAdES-BASELINE signatures. Therefore, it is not possible to have a valid PAdES-BASELINE profile with embedded CAdES-BASELINE signature. For more information about supported CMS please see [R03].