Skip to content

Release 4.0.0-RC.1

Pre-release
Pre-release
Compare
Choose a tag to compare
@rsarendus rsarendus released this 20 Dec 12:14
· 292 commits to master since this release
public-4.0.0-RC.1
0bd64fe

NB! 4.0.0-RC.1 introduces breaking changes compared to 3.x.x version. Substantial changes may be further introduced before finalization of version 4.0.0.

Summary of the major changes since 3.3.0

  • Required minimum Java version increased to 8
  • Started to use DSS version 5.5 (sd-dss.5.5.d4j.1)
  • Enabled SSL certificate validation enforcement + added default TSL truststore for PROD mode
    • when using custom digidoc4j.yaml and default TSL in PROD mode, the usage of the default TSL truststore must be configured in digidoc4j.yaml
  • Improved configurability of SSL settings, added possibility to configure SSL and proxy settings separately for TSL, OCSP and TSP
  • Additional checks for XAdES signature validation:
    • if present, timestamp must be taken during the validity period of the signing certificate
    • if present, timestamp must be taken before or at the same time as OCSP
  • API improvements:
    • possibility to add custom data loaders for TSL loading, OCSP and TSP requests
    • possibility to listen to OCSP and TSP events when using default data loaders
  • Reduced logging of personal information at INFO level
  • Dependencies update

Bug fixes (inconclusive list):

  • Ensure that signature creation fails if making an OCSP request is not possible
  • Allow signatures with different signature digest algorithm and data files digest algorithm to correctly validate
  • Always re-validate a container when asked for a container validation result in order to avoid returning stale results in case the container has been updated since last validation
  • Removed creation of temporary TSL keystore files that were never deleted

Known issues

  • We have noticed a decrease in performance with new DSS 5.5 version
  • Opening a container that contains signatures, triggers TSL loading (TSL lazy loading does not work as expected)
  • BouncyCastle versions 1.64 and up are not supported when validating signatures containing encapsulated CRL data
  • While upgrading from version older than 2.1.1 be sure that your integration :
    • doesn't use Xalan or XercesImpl dependencies
    • uses a patched Java version (JDK7u40+, JDK8 or higher)
      Xalan and XercesImpl were used to patch XML vulnerabilities in older java versions. They should be discarded with higher versions because they override default Java XML security.
      If it is not possible to remove Xalan, then you can set your system property to override TransformerFactory : System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");
Assets 6