@pukskula pukskula released this Jun 12, 2020

Summary of the major changes since 4.0.0

  • Added implementation for getOCSPNonce() method in Signature

Bug fixes

  • Fixed getSignatureMethod() for BES signature to use SignatureAlgorithm instead of DigestAlgorithm
  • Fixed HASHCODE support for DDOC 1.0

@rsarendus rsarendus released this Feb 19, 2020 · 5 commits to master since this release

Summary of the major changes since 4.0.0-RC.1

  • Removal of system information being exposed via User-Agent (zip comments and request headers)
  • Enforcement of ASiC/BDOC "mimetype" always being the first entry and not compressed on re-saving an existing container
  • Addition of default HTTP redirect-supporting data loader for accessing AIA certificate sources
  • Removal of unnecessary logging dependencies
  • Dependencies update
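
The "mimetype" rule above can be checked on any container before it is accepted or after it is re-saved. The following is an added example, not digidoc4j code: the class and method names are hypothetical, and the sample containers are constructed in memory for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.zip.CRC32;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class MimetypeEntryCheck {

    /** True only if the first physical entry is "mimetype" and it is stored, not deflated. */
    static boolean mimetypeIsFirstAndStored(InputStream container) throws IOException {
        try (ZipInputStream zip = new ZipInputStream(container)) {
            ZipEntry first = zip.getNextEntry(); // local file headers, in file order
            return first != null && "mimetype".equals(first.getName())
                    && first.getMethod() == ZipEntry.STORED;
        }
    }

    /** Constructed sample container for the demo; not a real signed ASiC/BDOC file. */
    static byte[] sample(boolean mimetypeFirst, boolean stored) throws IOException {
        byte[] mime = "application/vnd.etsi.asic-e+zip".getBytes(StandardCharsets.US_ASCII);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (ZipOutputStream zip = new ZipOutputStream(out)) {
            ZipEntry data = new ZipEntry("test.txt");
            ZipEntry mt = new ZipEntry("mimetype");
            if (stored) { // STORED entries need size and CRC set up front
                CRC32 crc = new CRC32();
                crc.update(mime);
                mt.setMethod(ZipEntry.STORED);
                mt.setSize(mime.length);
                mt.setCrc(crc.getValue());
            }
            if (!mimetypeFirst) { zip.putNextEntry(data); zip.write('x'); zip.closeEntry(); }
            zip.putNextEntry(mt); zip.write(mime); zip.closeEntry();
            if (mimetypeFirst) { zip.putNextEntry(data); zip.write('x'); zip.closeEntry(); }
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        boolean[][] cases = {{true, true}, {true, false}, {false, true}};
        for (boolean[] c : cases) {
            boolean ok = mimetypeIsFirstAndStored(new ByteArrayInputStream(sample(c[0], c[1])));
            System.out.printf("mimetype first=%b stored=%b -> %s%n", c[0], c[1], ok ? "OK" : "REJECT");
        }
    }
}
```

The check reads the stream sequentially rather than through the central directory, so it sees the entry that is physically first in the file.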

Known issues

  • We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
  • Opening a container that contains signatures triggers TSL loading (TSL lazy loading does not work as expected)
  • BouncyCastle versions 1.64 and up are not supported when validating signatures containing encapsulated CRL data
  • When upgrading from versions older than 2.1.1, make sure that your integration:
    • doesn't use Xalan or XercesImpl dependencies
    • uses a patched Java version (JDK8 or higher)
      Xalan and XercesImpl were used to patch XML vulnerabilities in older Java versions. They should be removed when running on newer Java versions because they override the default Java XML security.
      If it is not possible to remove Xalan, you can set a system property to override the TransformerFactory: System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");

@rsarendus rsarendus released this Feb 5, 2020

NB! 3.3.1 is intended for legacy systems. Support for versions 3.x.x is not planned to extend beyond the end of 2020.

Summary of the major changes since 3.3.0

  • Ensure that signature creation fails if making an OCSP request is not possible
  • Removal of system information being exposed via User-Agent (zip comments and request headers)
  • Dependencies updates and adjustments (in order to be compatible with Java 7)

NB! The versions of some dependencies have been adjusted in order to be compatible with Java 7 out-of-the-box.
When using Java versions 8 and up, it is advisable to override the versions of at least the following dependencies:

  • org.apache.santuario:xmlsec at least up to version 2.1.4
  • org.bouncycastle:bcpkix-jdk15on & org.bouncycastle:bcprov-jdk15on
    • up to version 1.62 - if validation of signatures containing encapsulated CRL data is required
    • beyond version 1.62 - if validation of signatures containing encapsulated CRL data is not needed

Pre-release

@rsarendus rsarendus released this Dec 20, 2019 · 23 commits to master since this release

NB! 4.0.0-RC.1 introduces breaking changes compared to 3.x.x version. Substantial changes may be further introduced before finalization of version 4.0.0.

Summary of the major changes since 3.3.0

  • Required minimum Java version increased to 8
  • Started to use DSS version 5.5 (sd-dss.5.5.d4j.1)
  • Enabled SSL certificate validation enforcement + added default TSL truststore for PROD mode
    • when using custom digidoc4j.yaml and default TSL in PROD mode, the usage of the default TSL truststore must be configured in digidoc4j.yaml
  • Improved configurability of SSL settings, added possibility to configure SSL and proxy settings separately for TSL, OCSP and TSP
  • Additional checks for XAdES signature validation:
    • if present, timestamp must be taken during the validity period of the signing certificate
    • if present, timestamp must be taken before or at the same time as OCSP
  • API improvements:
    • possibility to add custom data loaders for TSL loading, OCSP and TSP requests
    • possibility to listen to OCSP and TSP events when using default data loaders
  • Reduced logging of personal information at INFO level
  • Dependencies update

Bug fixes (non-exhaustive list):

  • Ensure that signature creation fails if making an OCSP request is not possible
  • Allow signatures with different signature digest algorithm and data files digest algorithm to correctly validate
  • Always re-validate a container when asked for a container validation result in order to avoid returning stale results in case the container has been updated since last validation
  • Removed creation of temporary TSL keystore files that were never deleted

Known issues

  • We have noticed a decrease in performance with new DSS 5.5 version
  • Opening a container that contains signatures triggers TSL loading (TSL lazy loading does not work as expected)
  • BouncyCastle versions 1.64 and up are not supported when validating signatures containing encapsulated CRL data
  • When upgrading from a version older than 2.1.1, make sure that your integration:
    • doesn't use Xalan or XercesImpl dependencies
    • uses a patched Java version (JDK7u40+, JDK8 or higher)
      Xalan and XercesImpl were used to patch XML vulnerabilities in older Java versions. They should be removed when running on newer Java versions because they override the default Java XML security.
      If it is not possible to remove Xalan, you can set a system property to override the TransformerFactory: System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");

@siimsuu1 siimsuu1 released this Aug 23, 2019 · 62 commits to master since this release

Summary of the major changes since 3.2.0

  • Default LOTL location update
  • Deprecate current method for DigestDataFile creation. Addition of obligatory mimeType setting.
  • Fix of removeDataFile functionality
  • Dependencies update

@JorgenHeinsoo JorgenHeinsoo released this Jun 27, 2019 · 77 commits to master since this release

Summary of the major changes since 3.1.1

  • DataToSign serialization improvements
  • Added a two-step signing option that requires neither Container nor DataToSign object serialization. The Container can be saved to disk and only SignatureParameters has to be serialized. Later, the signature can be finalized with SignatureFinalizer, which is initialized from the loaded Container and the deserialized SignatureParameters.
  • OCSP and TSA services requests error handling changes - more logical exceptions and stopping of signing process in case of any fault
  • Removal of unnecessary logging
  • Dependencies update

Bug fixes (non-exhaustive list):

  • Fix for opening a stream-based DDOC container that begins with a BOM
  • Fix for removal of data files from an unsigned container

@siimsuu1 siimsuu1 released this Apr 16, 2019 · 126 commits to master since this release

Summary of the major changes since 3.1.0

  • Performance improvement
  • New LOTL signer certs added to truststore

Bug fixes (non-exhaustive list):

  • Fix for BDOC/ASIC-E container detection - NB! it is not possible to add LT_TM (TimeMark) signatures to ASIC-E container (container that contains only Time Stamp based signatures).
  • Fix for not being able to remove signatures from an ASIC-E container

Known issues

When upgrading, make sure that your integration:

  • doesn't use Xalan or XercesImpl dependencies
  • uses a patched Java version (JDK7u40+, JDK8 or higher)
    Xalan and XercesImpl were used to patch XML vulnerabilities in older Java versions. They should be removed when running on newer Java versions because they override the default Java XML security.
    If it is not possible to remove Xalan, you can set a system property to override the TransformerFactory: System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");

@JorgenHeinsoo JorgenHeinsoo released this Mar 22, 2019 · 152 commits to master since this release

Changes

  • Started to use DSS version 5.4 (sd-dss.5.4.d4j.1)
  • AIA OCSP usage for ASIC-E containers
  • Upgrade of dependencies

Bug fixes (non-exhaustive list):

  • PDF validation fix
  • ASIC-S container creation fix
  • Java 7 support for truststore
  • TimeStamp url logging fix
  • Fixes in DD4J utility for PDF validation

Known issues

We have noticed a decrease in performance with new DSS 5.4 version. Performance test results can be found here.

When upgrading from a version older than 2.1.1, make sure that your integration:

  • doesn't use Xalan or XercesImpl dependencies
  • uses a patched Java version (JDK7u40+, JDK8 or higher)
    Xalan and XercesImpl were used to patch XML vulnerabilities in older Java versions. They should be removed when running on newer Java versions because they override the default Java XML security.
    If it is not possible to remove Xalan, you can set a system property to override the TransformerFactory: System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");

@siimsuu1 siimsuu1 released this Dec 19, 2018 · 203 commits to master since this release

Summary of the major changes since 2.1.1

  • Refactor of jDigidoc into DDOC4J module. Only DDOC validation is now supported, other functionality removed!
  • PKCS11 slot selection with label
  • Possibility to sign and validate detached XAdES signatures
  • OCSP check for TM suitability
  • Enabling LOTL validation constraints

Bug fixes (non-exhaustive list):

  • Fix for losing configuration during serialization/deserialization
  • Changes in DDOC error handling
  • Support for old DDOC formats (1.0, 1.1)
  • Fixes in digidoc4j utility

Known issues

  • PDF validation always returns invalid status
  • Creating ASIC-S containers produces non-standard containers
  • AIA OCSP usage not supported

When upgrading, make sure that your integration:

  • doesn't use Xalan or XercesImpl dependencies
  • uses a patched Java version (JDK7u40+, JDK8 or higher)
    Xalan and XercesImpl were used to patch XML vulnerabilities in older Java versions. They should be removed when running on newer Java versions because they override the default Java XML security.
    If it is not possible to remove Xalan, you can set a system property to override the TransformerFactory: System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");

@siimsuu1 siimsuu1 released this Nov 9, 2018 · 261 commits to master since this release

Summary of the major changes since 2.1.0

  • Updated dependency libraries to latest versions for security purposes
  • Started to use DSS version 5.2.1 (sd-dss.5.2.d4j.4)

Known issues

When upgrading, make sure that your integration:

  • doesn't use Xalan or XercesImpl dependencies
  • uses a patched Java version (JDK7u40+, JDK8 or higher)

Xalan and XercesImpl were used to patch XML vulnerabilities in older Java versions. They should be removed when running on newer Java versions because they override the default Java XML security.
If it is not possible to remove Xalan, you can set a system property to override the TransformerFactory: System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");
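
The Xalan/XercesImpl upgrade notice repeated in the releases above can be verified at application startup or in a build check. This is an added example, not digidoc4j code: the class and method names are hypothetical, and it assumes that implementation classes under org.apache.xalan or org.apache.xerces come from the standalone artifacts rather than the JDK.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerFactory;

public class JaxpProviderCheck {

    // Fallback value given in the release notes for when Xalan cannot be removed.
    static final String JDK_TRANSFORMER =
            "com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl";

    /** Standalone Xalan/XercesImpl classes live under these packages; the JDK copies do not. */
    static boolean isExternal(String className) {
        return className.startsWith("org.apache.xalan.")
                || className.startsWith("org.apache.xerces.");
    }

    /** Implementation classes that JAXP lookup resolves to on the current classpath. */
    static Map<String, String> resolved() {
        Map<String, String> m = new LinkedHashMap<>();
        m.put("TransformerFactory", TransformerFactory.newInstance().getClass().getName());
        m.put("DocumentBuilderFactory", DocumentBuilderFactory.newInstance().getClass().getName());
        m.put("SAXParserFactory", SAXParserFactory.newInstance().getClass().getName());
        return m;
    }

    /** Prints the resolved providers and returns true if any comes from standalone Xalan/Xerces. */
    static boolean report(String title) {
        boolean overridden = false;
        System.out.println(title);
        for (Map.Entry<String, String> e : resolved().entrySet()) {
            boolean ext = isExternal(e.getValue());
            overridden |= ext;
            System.out.printf("  %-23s %s%s%n", e.getKey(), e.getValue(),
                    ext ? "  <-- standalone Xalan/Xerces" : "");
        }
        return overridden;
    }

    public static void main(String[] args) {
        if (report("Resolved JAXP providers:")) {
            // Xalan could not be removed: apply the fallback from the release notes and re-check.
            System.setProperty("javax.xml.transform.TransformerFactory", JDK_TRANSFORMER);
            System.exit(report("After TransformerFactory override:") ? 1 : 0);
        }
    }
}
```

The system property only redirects TransformerFactory, so the second report still flags DocumentBuilderFactory and SAXParserFactory if XercesImpl remains on the classpath.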
