- replace expired test certificates
- update dependencies
- replace expired test certificates
- update dependencies
- update dependencies
- change the order of the elements in the subjectDN of the ocsp responder id
- add test to verify NIST curve support
- update DSS Lib and tidy up dependencies
- update dependencies
- update tsl signer
- add CRL service type identifier
- new certificate types C.HSK.SIG and C.HSK.ENC
- new OID SM-B NCPeH
- update dependencies
- refactor code for better readability
- bump bouncy castle
- introduce validation interface to encapsulate validation steps gematik#7
- add NONCE extension to OCSP response if it existed in request
- refactor code for better readability
- add gitHub templates for issues and pull requests
- update dependencies
- add missing OIDs from gem_Spec_OID for different roles
- add method to check the profession oid in the returned admission of a certificate: TucPki018Verifier.checkAllowedProfessionOids()
- update soon expiring unit test certificates
- update dependencies
- introduce a generic enum (CertificateProfile.CERT_PROFILE_ANY) to allow any certificate profile for TUC_PKI_018 checks. The usage of this certificate profile disables the checks of keyUsage, extendedKeyUsage, and certificateTypeOids. This should resolve issue gematik#3.
- remove log messages that reveal personal information
- update dependencies
- API change: rename some methods that provide a TSL and deliver unsigned content
- API change: rename method performTucPki18Checks to performTucPki018Checks to match the name from the specification
- API change: rename method performOcspChecks to performTucPki006Checks to match the name from the specification
- API change: method performTucPki006Checks() does not need the OCSP requests anymore because of the change in certId checks
- change behavior of certId checks in OCSP responses: the certId is recalculated from the announced hash algorithm and compared to the fields of the response
- change default behavior of certId OCSP response generation: the algorithm used mirrors the algorithm used in the OCSP request; this can be overridden with the responseAlgoBehavior builder parameter via an enum
- introduce handling of SHA256 hashes in OCSP context (certId)
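The certId check described above, as an added example that is not GemLibPki's own code: the CertID is recomputed from the hash algorithm the single response announces and compared field by field with the CertID the response carries. It assumes Bouncy Castle (bcprov/bcpkix) on the classpath; the class and method names (OcspCertIdCheck, certIdMatches) are this example's own, not the library's.

```java
import java.math.BigInteger;
import java.security.Security;
import java.util.Arrays;

import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.DigestCalculator;
import org.bouncycastle.operator.DigestCalculatorProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

/** Added example (hypothetical class name): recompute and compare an OCSP CertID. */
public final class OcspCertIdCheck {

  static {
    // BC is used as the crypto provider so that brainpool issuers work as well.
    if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
      Security.addProvider(new BouncyCastleProvider());
    }
  }

  private OcspCertIdCheck() {}

  /**
   * Returns true if the CertID inside {@code single} equals the CertID computed for
   * {@code issuer} and {@code serial} with the hash algorithm the response announces.
   * Only SHA-1 (legacy) and SHA-256 are accepted as announced algorithms.
   */
  public static boolean certIdMatches(
      SingleResp single, X509CertificateHolder issuer, BigInteger serial)
      throws OCSPException, OperatorCreationException {

    CertificateID announced = single.getCertID();
    AlgorithmIdentifier hashAlg = new AlgorithmIdentifier(announced.getHashAlgOID());

    boolean knownAlg =
        OIWObjectIdentifiers.idSHA1.equals(hashAlg.getAlgorithm())
            || NISTObjectIdentifiers.id_sha256.equals(hashAlg.getAlgorithm());
    if (!knownAlg) {
      return false; // an unexpected digest algorithm is treated as a failed check
    }

    DigestCalculatorProvider provider =
        new JcaDigestCalculatorProviderBuilder()
            .setProvider(BouncyCastleProvider.PROVIDER_NAME)
            .build();
    DigestCalculator calc = provider.get(hashAlg);

    // The CertID the responder should have produced for this issuer/serial pair.
    CertificateID expected = new CertificateID(calc, issuer, serial);

    // Compare the individual fields instead of the whole DER structure, so that the
    // optional NULL parameter of the hash AlgorithmIdentifier does not cause a mismatch.
    return Arrays.equals(expected.getIssuerNameHash(), announced.getIssuerNameHash())
        && Arrays.equals(expected.getIssuerKeyHash(), announced.getIssuerKeyHash())
        && expected.getSerialNumber().equals(announced.getSerialNumber());
  }
}
```

Comparing the three CertID fields rather than the encoded structure is what makes the check independent of whether the responder encoded the hash algorithm with or without a NULL parameter; a full DER comparison would fail on that harmless encoding difference.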
- add TLS-S and TLS-C certificate profiles to solve issue gematik#3
- update dependencies
- API change: harmonize variable names like tslSeqNr
- add static method to check validity of the current TSL: verifyTslValidity() in TucPki001Verifier
- add tests of critical extensions according to RFC5280#4.2 in CertificateProfileVerification
- add tsl xml well-formed test in TucPki001Verifier
- rework some code for better readability
- increase code coverage
- update dependencies
- add scheme validation tests in TucPki001Verifier
- add missing certificate types
- add some convenience methods
- update test data
- update dependencies
- API change: modify TslSigner to be a builder
- API change: TslConverter does not return optionals anymore
- extend with TslConverter formatting options (pretty print, etc.)
- API change: TucPki001Verifier returns a TslTrustanchorUpdate object to easily verify trust anchor updates
- extend to TucPki001Verifier check TSL id, sequence number and announced trust anchor if applicable
- add possibility to sign TSLs with certificates with incorrect key usages and validities
- extend TslModifier with various modification methods
- update dependencies
- API change in TucPki001Verifier
- add TUC_PKI_012 XML-Signatur-Prüfung to TucPki001Verifier
- extend CertificateID manipulations in OcspResponseGenerator
- change maven groupId to "de.gematik.pki"
- change OCSP caching behavior
- add certificate profile for ak.aut certs
- updated dependencies
- cleanup and small fixes
- replace expired test certificates in unit tests for tsl signature and validation
- add unit tests for bouncy castle usage and ocsp edge case
- update dependencies
- repair images
- BUGFIX: save only ocsp responses to cache with status SUCCESSFUL (0)
- prepare reproducible builds: change line endings to LF
- fix sonar issue in builder parameter
- API change: rename enum elements in CertificateProfile
- API change: rename getTspServiceSubset() to getIssuerTspServiceSubset() in CertificateProfile
- Update XAdES4j because of luisgoncalves/xades4j#261. This brings new dependencies in jaxb context (glassfish, jakarta, etc.)
- add OCSP validations according to TUC_PKI_006 of gemSpec_PKI:
  - timings like producedAt, etc.
  - signature
  - certificate status like revoked and unknown
  - OCSP response status like TryLater, Unauthorized, etc.
  - certHash
  - certId
  - OCSP timeout
- add possibility to generate OCSP responses with invalid parameter (signature, certId, etc.)
- add ocsp checks against TUC_PKI_018 for TSL signer certificate during TSL validation (TUC_PKI_001)
- add possibility to generate certId with or without null parameter in hash algorithm
- finalize OCSP caching
- add possibility to verify an offline ocsp response
- bug fixes and code improvements
- change language-specific code (>Java 11)
- fix small issues
- API change: move the whole package from de.gematik.pki to de.gematik.pki.gemlibpki
- usage of BouncyCastle as crypto provider is enforced in every class/method that deals with brainpool curves
- switch code formatting to google java formatter
- switch from OpenJDK 11 to OpenJDK 17
- update dependencies
- update maven plugins
- multiple small bug fixes and improvements
- API change: rename TucPki001Verifier builder member tspServiceList to currentTrustedServices for clarity
- API change: rename method doOcsp() to doOcspIfConfigured() in TucPki018Verifier
- API change: rework exception handling
- add class TucPki001Verifier for checks of TSL. The only check at the moment is the ocsp status of the TSL signing certificate.
- allow disabling of OCSP checks
- add dependency checks for CVE's
- refactor unit tests
- update dependencies
- BUGFIX: make certHash extension non-critical
- BUGFIX: correct certHash extension to be part of single response instead of basic response
- add certHash extension in OCSP responses (enabled by default)
- add certHash validation of OCSP responses (enabled by default)
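The certHash handling in the entries above, as an added example that is not GemLibPki's own code: the extension is built as a non-critical extension and placed in the single response, and validation digests the end-entity certificate with the algorithm the extension announces and compares the result. It assumes Bouncy Castle (bcprov/bcpkix) on the classpath; the class and method names (OcspCertHashExtension, build, verify, digest) are this example's own.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.util.Arrays;

import org.bouncycastle.asn1.isismtt.ISISMTTObjectIdentifiers;
import org.bouncycastle.asn1.isismtt.ocsp.CertHash;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.operator.DigestCalculator;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

/** Added example (hypothetical class name): build and verify the certHash extension. */
public final class OcspCertHashExtension {

  private OcspCertHashExtension() {}

  /**
   * Builds the certHash extension for {@code cert} with SHA-256. The caller adds the
   * returned extension to the single response (not to the basic response).
   */
  public static Extension build(X509CertificateHolder cert)
      throws IOException, OperatorCreationException {
    AlgorithmIdentifier sha256 = new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256);
    CertHash certHash = new CertHash(sha256, digest(sha256, cert.getEncoded()));
    // critical = false: a client that does not understand certHash would otherwise
    // have to reject the whole response.
    return new Extension(
        ISISMTTObjectIdentifiers.id_isismtt_at_certHash, false, certHash.getEncoded());
  }

  /**
   * Returns true if {@code single} carries a certHash extension whose value equals the
   * digest of {@code cert} under the algorithm announced in the extension. A missing
   * extension counts as a failed check when certHash validation is enabled.
   */
  public static boolean verify(SingleResp single, X509CertificateHolder cert)
      throws IOException, OperatorCreationException {
    // The extension lives in the single response, so it is looked up there.
    Extension ext = single.getExtension(ISISMTTObjectIdentifiers.id_isismtt_at_certHash);
    if (ext == null) {
      return false;
    }
    CertHash certHash = CertHash.getInstance(ext.getParsedValue());
    byte[] expected = digest(certHash.getHashAlgorithm(), cert.getEncoded());
    return Arrays.equals(expected, certHash.getCertificateHash());
  }

  /** Digests {@code data} with the given algorithm via a Bouncy Castle DigestCalculator. */
  private static byte[] digest(AlgorithmIdentifier alg, byte[] data)
      throws IOException, OperatorCreationException {
    DigestCalculator calc = new JcaDigestCalculatorProviderBuilder().build().get(alg);
    try (OutputStream out = calc.getOutputStream()) {
      out.write(data);
    }
    return calc.getDigest();
  }
}
```

The check binds the OCSP answer to the exact certificate that was asked about: a status that was produced for a different certificate with the same issuer and serial (for example after a mis-issuance) no longer verifies, because its certHash will not match the DER encoding of the certificate in hand.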
- refactor OcspVerifier class to harmonize with CertificateVerifier
- add C.FD.OSIG certificate profile
- set AccessLevel from private to protected for class TucPki018Verifier to make it extendable gematik#2
- raise code coverage
- P12Container serializable
- P12Reader extended
- dependencies updated
- API change: Main method for certificate checks "performTucPki18Checks(..)" in class TucPki018Verifier returns Admission instead of CertificateType.
- add methods for TSL handling: read, write, modify, sign+validate (RSA/ECC)
- OCSP request implemented, active by default
- additional CertificateProfiles implemented
- resign test certificates
- refactoring: separate TspInformationProvider from TslInformationProvider
- OCSP request implemented, not used in certificate checks atm
- cleanup JavaDoc
- fix gematik#1
- refactor class names
- accept several profiles/policies in certificates
- change behaviour of certificate checks (for [ext]KeyUsage) to fit gematik certificate profiles
- improve error logging in certificate checks
- fix KeyUsage in cert profile EGK
- rename enum CertificateProfiles to CertificateProfile
- encapsulate eu.europa.esig - lib uk ready now ;-)
- pump code coverage
- refactor packages
- This is the initial release of GemLibPki
- Certificate checks of TUC_PKI_018 are implemented
- see README.md for usage instructions and further information