
Releases: open-eid/digidoc4j

Release 5.3.0

19 Mar 08:14

Summary of the major changes since 5.2.0

  • DSS version update to 6.0 (sd-dss.6.0.d4j.1), previously used DSS 5.11.1. Check changes in DSS here: https://github.com/esig/dss/releases
    The DSS update brings the following notable dependency changes:
    • Migration from Javax to Jakarta namespace
    • JAXB dependencies updated from 2.3.X to 3.0.X
    • Apache Santuario xmlsec updated from 2.3.X to 3.0.X
    • Bouncy Castle updated from jdk15on:1.70 to jdk18on:1.76
    • SLF4J updated from 1.7.X to 2.0.X
  • AIA OCSP is now preferred by default on signature creation
    • In DigiDoc4J command line utility, deprecated -aiaocsp parameter and added new -noaiaocsp parameter
  • TEST mode default timestamp URL updated to http://tsa.demo.sk.ee/tsa
  • Changes in validation policies
  • Updated dependencies
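
The following is an added example (not digidoc4j's own code) showing how the 5.3.0 default of preferring AIA OCSP looks from the library API: signing a file into an ASiC-E container in TEST mode with the preference set explicitly, so the behaviour does not change silently with a future library upgrade, and then inspecting which OCSP responder certificate ended up in the signature. The file paths, the PKCS#12 password and the MIME type are assumptions; `setPreferAiaOcsp` is the configuration setter the release note's CLI switch maps to.

```java
import java.nio.file.Path;

import org.digidoc4j.Configuration;
import org.digidoc4j.Container;
import org.digidoc4j.ContainerBuilder;
import org.digidoc4j.Signature;
import org.digidoc4j.SignatureBuilder;
import org.digidoc4j.SignatureProfile;
import org.digidoc4j.signers.PKCS12SignatureToken;

/**
 * Added example, not part of digidoc4j. Signs a data file with an LT profile signature
 * in TEST mode and shows the AIA OCSP preference introduced as default in 5.3.0.
 */
public class AiaOcspSigningExample {

    /** TEST mode configuration with the AIA OCSP preference pinned explicitly. */
    public static Configuration testConfiguration(boolean preferAiaOcsp) {
        Configuration conf = Configuration.of(Configuration.Mode.TEST);
        // true  = use the OCSP responder named in the signer certificate's AIA extension (5.3.0 default)
        // false = equivalent of the command line utility's new -noaiaocsp switch
        conf.setPreferAiaOcsp(preferAiaOcsp);
        return conf;
    }

    /** Builds an ASiC-E container (the default type since 4.2.0) and adds one LT signature. */
    public static Container signFile(Configuration conf, Path dataFile, Path p12, char[] password) {
        Container container = ContainerBuilder.aContainer()
                .withConfiguration(conf)
                .withDataFile(dataFile.toString(), "application/octet-stream") // MIME type is an assumption
                .build();

        // LT profile: signature value + timestamp + OCSP response.
        // LT_TM and B_EPES can no longer be created since 5.2.0, so LT is the profile to use.
        PKCS12SignatureToken token = new PKCS12SignatureToken(p12.toString(), password);
        Signature signature = SignatureBuilder.aSignature(container)
                .withSignatureProfile(SignatureProfile.LT)
                .withSignatureToken(token)
                .invokeSigning();
        container.addSignature(signature);
        return container;
    }

    public static void main(String[] args) {
        // Assumed inputs: a test PKCS#12 keystore and its password.
        Configuration conf = testConfiguration(true);
        Container container = signFile(conf, Path.of("document.pdf"), Path.of("signer.p12"), "password".toCharArray());
        container.saveAsFile("document.asice");

        // Check which responder answered: with AIA OCSP preferred, this is the responder named in the
        // signer certificate's AIA extension, not the responder configured for the TEST environment.
        Signature signature = container.getSignatures().get(0);
        System.out.println("Signature profile: " + signature.getProfile());
        System.out.println("OCSP responder:    " + signature.getOCSPCertificate().getSubjectName());
        System.out.println("Trusted time:      " + signature.getTrustedSigningTime());
    }
}
```

If a deployment must keep using the configured responder (for example a qualified OCSP service that the AIA responder does not replace), call `setPreferAiaOcsp(false)` rather than relying on the pre-5.3.0 default.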

Known issues

  • At the time of release, the newest supported Bouncy Castle version is 1.76
    Bouncy Castle version 1.77 causes OCSP response parsing to fail
  • We have noticed a slight increase in TSL loading times due to pivot LOTL support
  • We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
  • Opening a container that contains signatures triggers TSL loading (TSL lazy loading does not work as expected)

Release 5.2.0

05 Sep 12:17

Summary of the major changes since 5.1.0

  • Disabled the possibility to create signatures with LT_TM and B_EPES profiles
  • Fixed OCSP request nonce encoding (in CommonOCSPSource) on signature creation - OCSP nonce, used in id-pkix-ocsp-nonce OCSP extension, is now a DER-encoded OCTET STRING, which is encapsulated as another OCTET STRING (see RFC 4366, section 3.6 and RFC 6961, section 2.2)
  • Deprecated "full report" configuration flag, as enabling it can produce false negative validation results in some cases:
    • Deprecated setFullReportNeeded and isFullReportNeeded methods in Configuration class
    • Deprecated -err/-showerrors command line option in DigiDoc4J command line utility
  • Updated dependencies
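
The nonce fix above is easy to get wrong because the extension value is doubly wrapped. The following added example (written for this page with Bouncy Castle, the ASN.1 library digidoc4j ships; it is not CommonOCSPSource's code) builds the id-pkix-ocsp-nonce extension both ways, round-trips a request through DER as a responder would parse it, and shows the check a client should make on the response. The 32-byte nonce length and the empty request (no CertificateID added) are assumptions made to keep the example self-contained.

```java
import java.io.IOException;
import java.security.SecureRandom;

import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.util.Arrays;

/** Added example, not digidoc4j code: the two nonce encodings and a response-side nonce check. */
public class OcspNonceEncoding {

    /**
     * Correct encoding (what 5.2.0 produces):
     *   extnValue = OCTET STRING { DER( OCTET STRING { nonce } ) }
     * The inner OCTET STRING is the extension's value; the outer one is the extnValue wrapper.
     */
    public static Extension nonceExtension(byte[] nonce) throws IOException {
        byte[] innerOctetString = new DEROctetString(nonce).getEncoded();
        // The byte[] constructor wraps its argument in the outer OCTET STRING (extnValue).
        return new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, innerOctetString);
    }

    /** Pre-5.2.0 shape: raw nonce bytes placed directly into extnValue, with no inner OCTET STRING. */
    public static Extension legacyNonceExtension(byte[] nonce) {
        return new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, nonce);
    }

    /** Minimal request carrying the nonce; real requests also call addRequest(CertificateID). */
    public static OCSPReq requestWithNonce(byte[] nonce) throws OCSPException, IOException {
        return new OCSPReqBuilder()
                .setRequestExtensions(new Extensions(nonceExtension(nonce)))
                .build();
    }

    /** Parses extnValue as DER and returns the nonce, or null if the value is not a DER OCTET STRING. */
    public static byte[] extractNonce(Extension ext) {
        if (ext == null) {
            return null;
        }
        try {
            ASN1Encodable parsed = ext.getParsedValue();
            return ASN1OctetString.getInstance(parsed).getOctets();
        } catch (IllegalArgumentException | IllegalStateException e) {
            return null; // extnValue held something other than a DER OCTET STRING
        }
    }

    /** Client-side check: the response must echo the request nonce, else it may be a replayed response. */
    public static boolean nonceMatches(byte[] requestNonce, BasicOCSPResp response) {
        byte[] responseNonce = extractNonce(response.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce));
        return responseNonce != null && Arrays.constantTimeAreEqual(requestNonce, responseNonce);
    }

    public static void main(String[] args) throws Exception {
        byte[] nonce = new byte[32]; // length is an assumption for the example
        new SecureRandom().nextBytes(nonce);

        // Round-trip through DER exactly as a responder would see it.
        OCSPReq wire = new OCSPReq(requestWithNonce(nonce).getEncoded());
        byte[] recovered = extractNonce(wire.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce));
        System.out.println("correct encoding round-trips: " + Arrays.areEqual(nonce, recovered));

        // The legacy value is not a DER TLV, so parsing it as one normally fails (null here).
        System.out.println("legacy encoding parses:       " + (extractNonce(legacyNonceExtension(nonce)) != null));
    }
}
```

The failure mode is asymmetric: a responder that copies the malformed request nonce verbatim into its response lets the client's comparison still succeed, while a strictly parsing responder rejects the request or drops the extension, which then makes `nonceMatches` fail on the client. That is why a fix on the request side matters even when validation "worked" before.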

Known issues

  • We have noticed a slight increase in TSL loading times due to pivot LOTL support
  • We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
  • Opening a container that contains signatures triggers TSL loading (TSL lazy loading does not work as expected)
  • While upgrading from versions older than 2.1.1, make sure that your integration:
    • does not use the Xalan or XercesImpl dependencies
    • uses a patched Java version (JDK8 or higher)
      Xalan and XercesImpl were used to patch XML vulnerabilities in older Java versions. On newer versions they should be removed, because they override the JDK's default XML security settings.
      If Xalan cannot be removed, set a system property to select the JDK's built-in TransformerFactory instead: System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");

Release 5.1.0

24 Mar 10:47

Summary of the major changes since 5.0.0

  • DSS version update to 5.11.1 (sd-dss.5.11.1.d4j.1), previously used DSS 5.9. Check changes in DSS here: https://github.com/esig/dss/releases
    • identification of timemark signatures was improved in DSS
  • The functionality to add timestamp tokens to ASiC-S containers was deprecated and will be removed in the future (see also https://www.id.ee/en/article/the-next-version-of-the-id-card-software-will-introduce-several-significant-changes/)
  • Added default TLS configuration for outbound connections in default "digidoc4j.yaml" and "digidoc-test.yaml" files
    • default TLS protocol: TLSv1.3
    • supported protocols: TLSv1.2 and TLSv1.3
    • configured a set of enabled TLSv1.2 and TLSv1.3 cipher suites
  • Improved META-INF/manifest.xml file creation for ASiC containers
    • the manifest tag in newly created ASiC containers now has a version attribute with value 1.2
  • Deprecated input parsing constructors of ASiC container classes - it is encouraged to use ContainerOpener and ContainerBuilder instead
  • API improvements:
    • added possibility to configure custom AIA sources (via AIA source factories)
    • deprecated possibility to configure AIA data loaders (via AIA data loader factories)
  • Dependencies update
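
An added example (not digidoc4j's own code) of the validation side of these changes: it mirrors the new default outbound TLS settings in code rather than relying on the shipped YAML, opens an existing container through ContainerOpener instead of the deprecated parsing constructors, and reports the validation result per signature. The setter names `setSslProtocol`, `setSupportedSslProtocols` and `setSupportedSslCipherSuites` and the specific cipher suite names are assumptions; the release note only states that a protocol, a protocol list and a suite set are configured in the default YAML files.

```java
import java.util.Arrays;
import java.util.List;

import org.digidoc4j.Configuration;
import org.digidoc4j.Container;
import org.digidoc4j.ContainerOpener;
import org.digidoc4j.ContainerValidationResult;
import org.digidoc4j.Signature;
import org.digidoc4j.exceptions.DigiDoc4JException;

/** Added example, not part of digidoc4j: explicit TLS policy plus container validation. */
public class ValidateWithTlsPolicy {

    /** PROD configuration with the outbound TLS policy pinned in code (setter names assumed). */
    public static Configuration prodConfiguration() {
        Configuration conf = Configuration.of(Configuration.Mode.PROD);
        conf.setSslProtocol("TLSv1.3");
        conf.setSupportedSslProtocols(Arrays.asList("TLSv1.2", "TLSv1.3"));
        // Illustrative AEAD-only suite set (assumed, not the library's shipped list):
        // TLS 1.3 suites first, then forward-secret ECDHE suites for TLS 1.2 peers.
        List<String> suites = Arrays.asList(
                "TLS_AES_256_GCM_SHA384",
                "TLS_AES_128_GCM_SHA256",
                "TLS_CHACHA20_POLY1305_SHA256",
                "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
        conf.setSupportedSslCipherSuites(suites);
        return conf;
    }

    /**
     * Opens a container of any supported type (ContainerOpener detects it) and validates it.
     * Errors make the container invalid; warnings are reported but do not fail validation.
     */
    public static ContainerValidationResult validate(Configuration conf, String path) {
        Container container = ContainerOpener.open(path, conf);
        ContainerValidationResult result = container.validate();

        for (Signature signature : container.getSignatures()) {
            System.out.println("signature " + signature.getId()
                    + " profile=" + signature.getProfile()
                    + " signer=" + signature.getSigningCertificate().getSubjectName()
                    + " trustedTime=" + signature.getTrustedSigningTime());
        }
        for (DigiDoc4JException error : result.getErrors()) {
            System.err.println("ERROR:   " + error.getMessage());
        }
        for (DigiDoc4JException warning : result.getWarnings()) {
            System.err.println("WARNING: " + warning.getMessage());
        }
        return result;
    }

    public static void main(String[] args) {
        String path = args.length > 0 ? args[0] : "document.asice"; // assumed input file
        ContainerValidationResult result = validate(prodConfiguration(), path);
        System.out.println(result.isValid() ? "VALID" : "INVALID");
    }
}
```

Pinning the TLS policy in code is mainly useful when the YAML defaults are overridden by a deployment-specific configuration file: it keeps a later edit to that file from silently re-enabling TLS 1.0/1.1 for the LOTL, TSL, OCSP and timestamp connections.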

Known issues

  • We have noticed a slight increase in TSL loading times due to pivot LOTL support
  • We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
  • Opening a container that contains signatures triggers TSL loading (TSL lazy loading does not work as expected)
  • While upgrading from versions older than 2.1.1, make sure that your integration:
    • does not use the Xalan or XercesImpl dependencies
    • uses a patched Java version (JDK8 or higher)
      Xalan and XercesImpl were used to patch XML vulnerabilities in older Java versions. On newer versions they should be removed, because they override the JDK's default XML security settings.
      If Xalan cannot be removed, set a system property to select the JDK's built-in TransformerFactory instead: System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");

Release 5.0.0

31 May 08:06

Summary of the major changes since 4.3.0

  • DSS version update to 5.9 (sd-dss.5.9.d4j.1), previously used DSS 5.8. Check changes in DSS here: https://github.com/esig/dss/releases
  • Pivot LOTL support (https://ec.europa.eu/tools/lotl/pivot-lotl-explanation.html):
    • pivot LOTL support is enabled by default for PROD mode
    • pivot LOTL support is configurable via Configuration.setLotlPivotSupportEnabled(boolean) and LOTL_PIVOT_SUPPORT_ENABLED configuration parameter
  • Improved digest algorithm selection:
    • signature digest algorithm and datafile digest algorithm are separately configurable
    • for ECC signatures, the default signature digest algorithm depends on the key length
  • Changes in handling the encoded datafile names in signatures:
    • a + sign in an encoded data file name is decoded as + instead of a whitespace
  • TSL loading default connection and socket timeouts increased to 1 minute
  • TSL refresh callbacks. More information can be found in the wiki
  • Separate configurability for HTTP and HTTPS proxy user and password
  • Refactoring of LOTL configuration API (Configuration class and YAML configuration parameters):
    • added setLotlLocation(String) and getLotlLocation() methods, LOTL_LOCATION parameter (deprecated setTslLocation(String), getTslLocation() and TSL_LOCATION)
    • added setLotlTruststorePath(String) and getLotlTruststorePath() methods, LOTL_TRUSTSTORE_PATH parameter (deprecated setTslKeyStoreLocation(String), getTslKeyStoreLocation() and TSL_KEYSTORE_LOCATION)
    • added setLotlTruststorePassword(String) and getLotlTruststorePassword() methods, LOTL_TRUSTSTORE_PASSWORD parameter (deprecated setTslKeyStorePassword(String), getTslKeyStorePassword() and TSL_KEYSTORE_PASSWORD)
    • added setLotlTruststoreType(String) and getLotlTruststoreType() methods, LOTL_TRUSTSTORE_TYPE parameter (set the default to "PKCS12" instead of "JKS")
  • Removal of old APIs that were deprecated before version 4.0.0; a non-exhaustive list of removed public APIs:
    • methods removed from Configuration class:
      • void enableBigFilesSupport(long)
      • boolean isBigFilesSupportEnabled()
    • methods removed from Container interface and its implementing classes:
      • void addRawSignature(byte[])
      • void addRawSignature(InputStream)
      • int countDataFiles()
      • int countSignatures()
      • void extendTo(SignatureProfile)
      • DataFile getDataFile(int)
      • DigestAlgorithm getDigestAlgorithm()
      • DocumentType getDocumentType()
      • Signature getSignature(int)
      • String getSignatureProfile()
      • String getVersion()
      • SignedInfo prepareSigning(X509Certificate)
      • void removeDataFile(String)
      • void removeSignature(int)
      • void save(String)
      • void setSignatureParameters(SignatureParameters)
      • void setSignatureProfile(SignatureProfile)
      • Signature signRaw(byte[])
      • Signature sign(SignatureToken)
    • methods removed from Signature interface and its implementing classes:
      • String getPolicy()
      • Date getProducedAt()
      • byte[] getRawSignature()
      • URI getSignaturePolicyURI()
      • Date getSigningTime()
      • List validate()
    • DigestDataFile(String, DigestAlgorithm, byte[]) constructor without mimetype
    • Signer interface and PKCS12Signer class
  • Removal of custom TSL TLS trust-store:
    • by default, Java TLS trust-store is used for both PROD and TEST modes
    • no custom TSL TLS trust-store is shipped with DigiDoc4J library
  • DataFile digest calculation and memory usage improvements:
    • reduction of making redundant in-memory copies of the contents of datafiles
    • improved calculation and caching of digest values
  • Dependencies update
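
The following added example (not digidoc4j's own code) ties the 5.0.0 configuration changes together in one PROD configuration: the renamed LOTL settings with a custom LOTL signer truststore, pivot LOTL support, the separately configured signature and data file digest algorithms, and the longer TSL timeouts. Of the names used, `setLotlPivotSupportEnabled`, `setLotlLocation`, `setLotlTruststorePath`, `setLotlTruststorePassword` and `setLotlTruststoreType` are the methods listed in this release note; `setSignatureDigestAlgorithm`, `setDataFileDigestAlgorithm`, `setConnectionTimeout`, `setSocketTimeout` and `getTSL().refresh()` are assumed setter and accessor names, and the LOTL URL, truststore path and password are placeholders.

```java
import org.digidoc4j.Configuration;
import org.digidoc4j.DigestAlgorithm;

/** Added example, not part of digidoc4j: a PROD configuration using the 5.0.0 LOTL and digest API. */
public class LotlConfigurationExample {

    /**
     * @param truststorePath     PKCS#12 truststore holding the LOTL signer certificates (placeholder)
     * @param truststorePassword its password (placeholder; load from a secret store in practice)
     */
    public static Configuration configure(String truststorePath, String truststorePassword) {
        Configuration conf = Configuration.of(Configuration.Mode.PROD);

        // LOTL settings, renamed in 5.0.0 from the TSL_* equivalents.
        // Pivot LOTL support is already the PROD default; it is set explicitly here so the
        // intent survives a later change of defaults.
        conf.setLotlPivotSupportEnabled(true);
        conf.setLotlLocation("https://ec.europa.eu/tools/lotl/eu-lotl.xml"); // EU LOTL address, used as an assumption

        // A custom truststore is only needed when the shipped LOTL signer certificates are stale
        // (compare the 4.1.1 note about the March 2021 LOTL signer change). Default type is PKCS12 since 5.0.0.
        conf.setLotlTruststorePath(truststorePath);
        conf.setLotlTruststorePassword(truststorePassword);
        conf.setLotlTruststoreType("PKCS12");

        // Digest algorithms are configured separately since 5.0.0. Leaving the signature digest unset lets the
        // library choose by key type and length (for ECC keys); it is pinned here for reproducible signatures.
        conf.setSignatureDigestAlgorithm(DigestAlgorithm.SHA256);
        conf.setDataFileDigestAlgorithm(DigestAlgorithm.SHA256);

        // TSL loading timeouts in milliseconds; 5.0.0 raised the defaults to one minute.
        conf.setConnectionTimeout(60_000);
        conf.setSocketTimeout(60_000);
        return conf;
    }

    /**
     * Loads the trust lists eagerly. Because opening any signed container triggers TSL loading (known issue),
     * doing it at service start surfaces LOTL download or signer-trust failures immediately instead of on the
     * first user request.
     */
    public static void warmUpTrustLists(Configuration conf) {
        conf.getTSL().refresh();
    }

    public static void main(String[] args) {
        Configuration conf = configure("/etc/digidoc4j/lotl-truststore.p12", "changeit"); // placeholders
        warmUpTrustLists(conf);
        System.out.println("LOTL location: " + conf.getLotlLocation());
        System.out.println("pivot support: " + conf.isLotlPivotSupportEnabled());
    }
}
```

The getter `isLotlPivotSupportEnabled()` in the last line is likewise an assumed name; the release note only documents the setter and the YAML parameter.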

Known issues

  • We have noticed a slight increase in TSL loading times due to pivot LOTL support
  • We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
  • Opening a container that contains signatures triggers TSL loading (TSL lazy loading does not work as expected)
  • While upgrading from versions older than 2.1.1, make sure that your integration:
    • does not use the Xalan or XercesImpl dependencies
    • uses a patched Java version (JDK8 or higher)
      Xalan and XercesImpl were used to patch XML vulnerabilities in older Java versions. On newer versions they should be removed, because they override the JDK's default XML security settings.
      If Xalan cannot be removed, set a system property to select the JDK's built-in TransformerFactory instead: System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");

Release 4.3.0

29 Nov 13:24

Summary of the major changes since 4.2.2

  • DSS version update to 5.8 (sd-dss.5.8.d4j.1), previously used DSS 5.7. Check changes in DSS here: https://github.com/esig/dss/releases
  • CommonOCSPSource: improved building of the certificate chain from the OCSP responder certificate to the trust anchor in the TSL
  • ContainerBuilder thread-safety improvements
  • TSL TLS truststore update
  • Dependencies update

Known issues

  • We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
  • Opening a container that contains signatures triggers TSL loading (TSL lazy loading does not work as expected)
  • While upgrading from versions older than 2.1.1, make sure that your integration:
    • does not use the Xalan or XercesImpl dependencies
    • uses a patched Java version (JDK8 or higher)
      Xalan and XercesImpl were used to patch XML vulnerabilities in older Java versions. On newer versions they should be removed, because they override the JDK's default XML security settings.
      If Xalan cannot be removed, set a system property to select the JDK's built-in TransformerFactory instead: System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");

Release 4.2.2

02 Nov 14:26

Summary of the major changes since 4.2.1

  • Update LOTL signer certificates' truststore
  • Update TSL TLS truststore
  • Update org.apache.santuario:xmlsec dependency

Known issues

  • ContainerBuilder instances share mutable state, which may cause unexpected behaviour when multiple ContainerBuilder instances created for different container types are used concurrently. This problem has been present since version 2.0.0 but may be more problematic after version 3.1.1. For more info see here.
  • We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
  • Opening a container that contains signatures triggers TSL loading (TSL lazy loading does not work as expected)
  • While upgrading from versions older than 2.1.1, make sure that your integration:
    • does not use the Xalan or XercesImpl dependencies
    • uses a patched Java version (JDK8 or higher)
      Xalan and XercesImpl were used to patch XML vulnerabilities in older Java versions. On newer versions they should be removed, because they override the JDK's default XML security settings.
      If Xalan cannot be removed, set a system property to select the JDK's built-in TransformerFactory instead: System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");

Release 4.2.1

30 Aug 08:32

Summary of the major changes since 4.2.0

  • ZIP-bombing detection improvements and configurability
  • Upgrade of TSL TLS truststore
  • Dependencies update
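
An added example (not digidoc4j's own code) of what the configurable ZIP-bomb detection means for a service that accepts containers from untrusted clients: the thresholds are tightened, the container is opened from the raw upload stream, and a rejected upload is reported as a distinct outcome rather than a generic failure. The setter names `setZipCompressionRatioCheckThresholdInBytes` and `setMaxAllowedZipCompressionRatio`, the chosen limits, and the assumption that detection surfaces as a `DigiDoc4JException` are all assumptions; the release note only states that detection is now configurable.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;

import org.digidoc4j.Configuration;
import org.digidoc4j.Container;
import org.digidoc4j.ContainerOpener;
import org.digidoc4j.DataFile;
import org.digidoc4j.exceptions.DigiDoc4JException;

/** Added example, not part of digidoc4j: opening untrusted uploads with tightened ZIP-bomb limits. */
public class UntrustedContainerIntake {

    public enum Outcome { ACCEPTED, REJECTED_BY_LIBRARY, REJECTED_BY_POLICY, UNREADABLE }

    /** Assumed per-upload policy for this service, independent of the library check. */
    private static final long MAX_TOTAL_DATAFILE_BYTES = 50L * 1024 * 1024;

    /** PROD configuration with stricter ZIP inflation limits than the library defaults (values assumed). */
    public static Configuration hardenedConfiguration() {
        Configuration conf = Configuration.of(Configuration.Mode.PROD);
        // Start checking the compression ratio once 1 MiB has been inflated...
        conf.setZipCompressionRatioCheckThresholdInBytes(1024L * 1024L);
        // ...and reject the container when inflated size exceeds 50x the compressed size.
        conf.setMaxAllowedZipCompressionRatio(50);
        return conf;
    }

    /**
     * Opens the upload with the hardened configuration. The library's ratio check runs while unpacking;
     * afterwards the declared data file sizes are checked against the service's own budget, because a
     * container can be within the ratio limit and still be larger than the service wants to process.
     */
    public static Outcome intake(Configuration conf, InputStream upload) {
        Container container;
        try {
            container = ContainerOpener.open(upload, conf);
        } catch (DigiDoc4JException e) {
            // Assumed: ZIP-bomb detection and other malformed-container problems surface here.
            return Outcome.REJECTED_BY_LIBRARY;
        } catch (RuntimeException e) {
            return Outcome.UNREADABLE;
        }

        long total = 0;
        for (DataFile dataFile : container.getDataFiles()) {
            total += dataFile.getFileSize();
            if (total > MAX_TOTAL_DATAFILE_BYTES) {
                return Outcome.REJECTED_BY_POLICY;
            }
        }
        return Outcome.ACCEPTED;
    }

    public static void main(String[] args) throws IOException {
        Path upload = Path.of(args.length > 0 ? args[0] : "upload.asice"); // assumed input
        try (InputStream in = Files.newInputStream(upload)) {
            System.out.println(intake(hardenedConfiguration(), in));
        }
    }
}
```

Keeping a service-side size budget next to the library check matters because the ratio limit is a relative measure: a large but honestly compressed archive passes it, so the absolute ceiling on what the service is willing to hold in memory or on disk has to come from the caller.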

Known issues

  • ContainerBuilder instances share mutable state, which may cause unexpected behaviour when multiple ContainerBuilder instances created for different container types are used concurrently. This problem has been present since version 2.0.0 but may be more problematic after version 3.1.1. For more info see here.
  • We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
  • Opening a container that contains signatures triggers TSL loading (TSL lazy loading does not work as expected)
  • While upgrading from versions older than 2.1.1, make sure that your integration:
    • does not use the Xalan or XercesImpl dependencies
    • uses a patched Java version (JDK8 or higher)
      Xalan and XercesImpl were used to patch XML vulnerabilities in older Java versions. On newer versions they should be removed, because they override the JDK's default XML security settings.
      If Xalan cannot be removed, set a system property to select the JDK's built-in TransformerFactory instead: System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");

Release 4.2.0

25 May 09:56

Summary of the major changes since 4.1.1

  • ZIP-bomb attack protection
  • If not specified, create ASiC-E (instead of BDOC) containers by default
    • NB! Keep in mind that it is not possible to add LT_TM profile signatures to ASiC-E containers. If you need LT_TM profile signatures, container type must be set to BDOC.
  • The OCSP responder certificate of a BDOC TM signature is now looked up from the OCSP token first, and only then from the unsigned properties of the signature
  • Limitations for empty (0-byte) datafiles:
    • Adding empty datafiles to containers is not permitted; signing containers containing empty datafiles is not permitted
    • Validating containers containing empty datafiles adds additional container warnings
  • Changes in validation policies
  • Upgrade of TSL TLS truststore
  • Dependencies update
  • Bug fixes

Known issues

  • We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
  • Opening a container that contains signatures triggers TSL loading (TSL lazy loading does not work as expected)
  • While upgrading from versions older than 2.1.1, make sure that your integration:
    • does not use the Xalan or XercesImpl dependencies
    • uses a patched Java version (JDK8 or higher)
      Xalan and XercesImpl were used to patch XML vulnerabilities in older Java versions. On newer versions they should be removed, because they override the JDK's default XML security settings.
      If Xalan cannot be removed, set a system property to select the JDK's built-in TransformerFactory instead: System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");

Release 4.1.1

26 Mar 18:35

Signer certificate for the EU List of eIDAS Trusted Lists (LOTL) was changed on 25.03.2021. This resulted in failure to sign or validate signatures with DD4J version 4.1.0.

Current version of DD4J (4.1.1) must be used to ensure that signing and signature validation works.

It is also possible to create a new custom keystore according to https://github.com/open-eid/digidoc4j/wiki/Questions-&-Answers#how-to-add-trust-for-new-eu-tsl-signing-certificates.

Summary of the major changes since 4.1.0

  • Updated LOTL signer certificates in truststore

Known issues

  • We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
  • Opening a container that contains signatures triggers TSL loading (TSL lazy loading does not work as expected)
  • While upgrading from versions older than 2.1.1, make sure that your integration:
    • does not use the Xalan or XercesImpl dependencies
    • uses a patched Java version (JDK8 or higher)
      Xalan and XercesImpl were used to patch XML vulnerabilities in older Java versions. On newer versions they should be removed, because they override the JDK's default XML security settings.
      If Xalan cannot be removed, set a system property to select the JDK's built-in TransformerFactory instead: System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");

Release 4.1.0

02 Feb 13:03

Summary of the major changes since 4.1.0-RC.1

  • Added PolicyImplied policy support - now defaults to standard validation procedure
  • Added validity verification of timestamp and OCSP certificate when creating signatures
  • Fixed OCSP revocation validation
  • Upgrade of TSL TLS truststore

Known issues

  • We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
  • Opening a container that contains signatures triggers TSL loading (TSL lazy loading does not work as expected)
  • While upgrading from versions older than 2.1.1, make sure that your integration:
    • does not use the Xalan or XercesImpl dependencies
    • uses a patched Java version (JDK8 or higher)
      Xalan and XercesImpl were used to patch XML vulnerabilities in older Java versions. On newer versions they should be removed, because they override the JDK's default XML security settings.
      If Xalan cannot be removed, set a system property to select the JDK's built-in TransformerFactory instead: System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");