Release Notes - eSignature DSS - Version 6.1

Bug fixes / Issues

• [DSS-3366] XAdES: assertSignaturePossible blocks even on DetachedSignatureBuilder
• [DSS-3395] Bad debug log in ImageUtils
• [DSS-3400] JAdES iat header parameter incorrect value
• [DSS-3401] ASiCUtils.isZip(DSSDocument) method fails when a DigestDocument provided
• [DSS-3406] CertificateValues in validation report incorrect format
• [DSS-3407] Validation of ASiC-E containg an ASN.1 ER when the reducedHashtree field is not present
• [DSS-3408] RevocationValues in validation report incorrect format
• [DSS-3409] XAdES : reference name check fails for URL-encoded entries
• [DSS-3410] Hash Failure when validating XMLERS with 3 ArchiveTimeStampChain or more
• [DSS-3411] ASiC with XAdES creates manifest.xml with null media-type
• [DSS-3412] Hash Failure when validating an XMLERS with a hashtree renewal followed by a timestamp renewal
• [DSS-3415] JAXBPKILoader invalid behavior for multiple cross certificates
• [DSS-3423] ASiC-E signatures are not reported when no linked manifest found
• [DSS-3424] ASiC with ER chooses wrong DocumentValidator
• [DSS-3438] Sha2FileCacheDataLoader should rethrow original exception

Improvements

• [DSS-3436] dss-demo-bundle to use JDK 21 by default

+ All the changes included in DSS 6.1.RC1.

NOTE: This release includes a breaking change, impacting the signature validation process. If you use validation, please include the following module to the list of dependencies:

<dependencies>
    ...
    <dependency>
        <groupId>eu.europa.ec.joinup.sd-dss</groupId>
        <artifactId>dss-validation</artifactId>
    </dependency>
    ...
</dependencies>

For more information about code changes and migration process, please refer to the Migration Guide in documentation.

Release Notes - eSignature DSS - Version 6.1.RC1

New features

• [DSS-3006] Warn the user if the PDF contains annotations done after the signature
• [DSS-3124] Add policy constraints for certificate attributes
• [DSS-3181] Add support of ASN.1 Evidence records
• [DSS-3238] DSS Demos: add configuration of TrustAllStrategy on TL loading
• [DSS-3240] Add configuration of revocation skip condition in validation policy
• [DSS-3248] Introduce Document Digest Generator for Evidence Record creation and validation
• [DSS-3278] Improve cache handling of LOTL/TLs with sha2 files
• [DSS-3283] Create Document Digest Generator for ASiC containers
• [DSS-3289] Add a possibility to specify a signature field for a visual time-stamp
• [DSS-3301] Create Document Digest Generator for Evidence Record renewal
• [DSS-3315] JAdES : add support of RFC 7519 'iat' header
• [DSS-3344] Introduce TimestampTokenVerifier
• [DSS-3364] DSS Demonstrations : add property to configure maximum number of XML manifest references
• [DSS-3372] Allow partial documents validation within an XML Manifest
• [DSS-3373] Add JAdES base64url signature parameters to signature creation endpoints

Improvements

• [DSS-2322] Allow to configure alerts in CertificateVerifier for the signature validation
• [DSS-2392] Add developer extension augmented documents
• [DSS-2751] Use CertificateVerifier to enforce certificate validation on signature creation
• [DSS-2935] Support for ISO 32001 and ISO 32002
• [DSS-3025] Placing LT signature on document containing LTA signature
• [DSS-3108] Differentiate RSA and RSA-PSS and validation policy
• [DSS-3123] PAdESService : verify if the provided document is a PDF file
• [DSS-3125] Custom CertificateSource implementations for trusted lists certificate sources
• [DSS-3204] Align Id attributes produced for XAdES timestamps
• [DSS-3223] Add support of Evidence Records on standalone time-stamps
• [DSS-3226] Detection of numeric object modification faulty/dubious
• [DSS-3235] ASN.1 Evidence Records : add verification of digest algorithm
• [DSS-3236] Merge reference digest algorithm cryptographic validation block
• [DSS-3242] XAdES: Cannot sign multiple times with Enveloped transform
• [DSS-3279] DSSDocument.getDigest should return byte array
• [DSS-3297] ASiC merger : add handling of evidence records
• [DSS-3298] Configurable revocation update based on maximum revocation freshness constraint
• [DSS-3326] Ease requirements for JAdES protected headers within 'crit'
• [DSS-3331] dss-demo - add config property to load Java default proxy settings
• [DSS-3338] Skip .sha2 file verification for LOTL Pivots
• [DSS-3367] Allow ASiC signature of 2GB+ documents

Bug fixes / Issues

• [DSS-2730] Revocation data not considered fresh in LTA with qualified timestamp
• [DSS-2805] Validation result depends on signature certificate validity
• [DSS-3053] SVG : notBefore/notAfter dates displayed on hover are duplicated between all certificates
• [DSS-3191] DSS does not detect duplicated signing-certificate attributes in CMS
• [DSS-3192] NOT_YET_VALID certificate passes validation when basic validation process returns REVOCATION_OUT_OF_BOUNDS_NO_POE
• [DSS-3221] Different validation outcomes in two logically identical scenarios
• [DSS-3228] NPE when two equivalent evidence records with the same filename provided to validation
• [DSS-3233] ER ArchiveTimeStampSequence time-stamp's validation does not ensure all original documents are covered
• [DSS-3234] Fix Dockerfile in master
• [DSS-3239] PdfByteRangeDocument cannot be used on document validation
• [DSS-3241] Inconsistencies in handling the signature policy ID in XAdESSignature::buildSignaturePolicy
• [DSS-3269] Double signature annotation when open action is set with destination array targeting the first page
• [DSS-3271] Cannot compile Transformer for Simple Report PDF when using Saxon-HE 12.4
• [DSS-3281] DiagnosticDataBuilder fails on evidence record covering an orphan reference
• [DSS-3323] Wrong timestamp order returned from unsigned properties (BC 1.78+)
• [DSS-3330] ASiC-E with CAdES validation : ASICManifest documents get duplicated in the report
• [DSS-3336] QCForLegalPerson qualifier is not processed correctly
• [DSS-3342] Cryptographic constraint shall be applied at current time for X509 certificate validation
• [DSS-3348] Possible memory leak in XAdESSignature on Santuario signature creation
• [DSS-3349] xades signature with empty namespace prefix
• [DSS-3356] Validation fails when SigningCertificateDigestAlgorithm constraint level is higher than failed Cryptographic level
• [DSS-3365] DSS returns XAdES-BASELINE-* for a signature without signing-certificate in KeyInfo
• [

Release Notes - eSignature DSS - Version 6.0

Main changes

• [DSS-2774] Update xml jakarta.xml.bind-api - support namespace change from javax to jakarta
• [DSS-2838] DSS WebApp : migrate from Spring to Spring Boot
• [DSS-3184] Remove sscd-mocca-adapter

Bug fixes / Issues

• [DSS-3220] KeyEntityTSPSource : add null safe processing

+ All the changes included in DSS 5.13.

NOTE: This release uses "jakarta.*" namespaces. For "javax.*" version please use 5.13.

Release Notes - eSignature DSS - Version 5.13

Bug fixes / Issues

• [DSS-3169] Simple Report: Copy ID button generates a wrong Id for evidence records
• [DSS-3170] Evidence record validation within ASiC-E fails when having more signed objects than referenced by manifest
• [DSS-3171] Detached signed content is not provided to the evidence record validation
• [DSS-3172] Validation of Xml Evidence Record with omitted HashTree fails
• [DSS-3174] Validation of renewed evidence records within ASiC container fails
• [DSS-3177] Pretty-printed XAdES extension from -LT to -LTA fails when having TimeStampValidationData
• [DSS-3179] ASiC-S container with an evidence record file shall not require a manifest file
• [DSS-3183] DSS Standalone : TL-signing generates invalid signature for a non SHA-256 algo
• [DSS-3188] NPE on CertificateRef user-friendly identifier building
• [DSS-3189] Unhandled casting of COSArray in PdfBox implementation
• [DSS-3201] B-level signature validation with an evidence record my cause NPE
• [DSS-3209] KeyEntityTSPSource returns a different signing-time than set productionTime
• [DSS-3211] XMLERS : XML document is not canonicalized for omitted hashtree
• [DSS-3212] Null values from CertEntityRepository are not handled
• [DSS-3214] Add support of LOTL location change workflow

+ All the changes included in DSS 5.13.RC1.

Release Notes - eSignature DSS - Version 5.13.RC1

New features

• [DSS-2511] XAdES manifest signature : mime type of referenced entries
• [DSS-2775] JAdES please add support for x5u header
• [DSS-2972] Add optional check verifying a presence and validity of a signature timestamp
• [DSS-3024] XAdES : add support of EdDSA algo
• [DSS-3064] Add docker compose file to demonstrations project
• [DSS-3069], [DSS-3120], [DSS-3146] Introduce offline PKI Factory module to DSS
• [DSS-3090] Add support of XML Evidence Recods

Improvements

• [DSS-2517] XAdES: dss doesn't validate xades:DataObjectFormat
• [DSS-2913] ASiC : introduce CONTAINER_TIMESTAMP type
• [DSS-3017] Add links to referenced standards within cookbook
• [DSS-3044] Add qualification messages to HTML/PDF simple certificate reports
• [DSS-3045] TLValidationJob : extract OtherTSLPointer information to a TL DTO
• [DSS-3056] Add a possibility to define a wildcard within proxy configuration
• [DSS-3060] Align implementation per TS 119 615 v1.2.1
• [DSS-3082] OCSP fails when server does not support "nonce" extension
• [DSS-3096] Make DSSErrorHandlerAlert to retrieve column/line numbers for an error
• [DSS-3098] Process detached timestamp validation with lowest POE time
• [DSS-3099] Add rotation processing on add an empty signature field
• [DSS-3110] Ease signature policy validation constraints
• [DSS-3114] Add support of NoRotate flag on existing annotation position extraction
• [DSS-3158] OCSP error handling
• [DSS-3161] Improve ASiC container type determination

Bug fixes / Issues

• [DSS-2994] Name restriction on an unsupported name form
• [DSS-3004] DSS demo bundle webapp startup time
• [DSS-3036] Utils.fromBase64 condition is not covered
• [DSS-3067] Problem iwth the certificate validation tool at DSS/webapp-demo/certificate-validation
• [DSS-3076] OnlineOCSPSource and nonce length
• [DSS-3083] Default SecureRandomNonceSource should generate nonces of at least 16 octets
• [DSS-3089] Wrong Javadoc for eu.europa.esig.dss.enumerations.Indication.TOTAL_FAILED
• [DSS-3097] ManifestFilePresentCheck shall allow manifest presence for ASIC-S container
• [DSS-3105] esig-dss generates an invalid enveloped XML signature if the origin XML has comments before the root node
• [DSS-3106] esig-dss generates an invalid enveloped XML signature if the origin XML is encoded in latin-1
• [DSS-3111] PAdES : improve LT-level validation
• [DSS-3113] NPE in Diagnostic data builder
• [DSS-3117] Calls that utilize the ZipUtils class is not thread safe
• [DSS-3119] XAdES Enveloping signature does not incorporate comments within root element
• [DSS-3141] esig-dss generates an invalid enveloped XML signature when using URI "#xpointer(/)" if the origin XML has comments
• [DSS-3148] Wrong RefURI check
• [DSS-3162] ASiC-S : SignedFilesPresentCheck verifies across all files, while should check only root level files

Tasks / Other

• [DSS-2898] Create a key store TSPSource implementation
• [DSS-3009] Upgrade BouncyCastle
• [DSS-3042] Fix TrustService element wording in Diagnostic Data XSD
• [DSS-3061] Update ETSI validation report per TS 119 102-2 v1.4.1
• [DSS-3087] Update maven-jaxb plugin to version 2.x
• [DSS-3163] Upgrade to OpenPdf 1.3.32

Release Notes - eSignature DSS - Version 5.12.1

This release includes some improvements for Trust Service validation, MRA processing, but also dependency updates and minor issue fixes.

New features / Improvements

• [DSS-2851] - MRA with future TrustServiceEquivalenceStatusStartingTime
• [DSS-2852] - Validation report of a certificate issued by a "withdrawn" TSP
• [DSS-3014] - Report more information on Trust Service validation
• [DSS-3037] - Return information about MRA CertificateContentReferencesEquivalenceList processing
• [DSS-3049] - Update jQuery to 3.6.4
• [DSS-3051] - eSig validation tests : add a possibility to provide a custom access point through arguments

Bug fixes / Issues

• [DSS-3035] - DSS demo is not able to load OCSP request provided the JDBC source is disabled
• [DSS-3043] - DiagnosticData unmarshalling fails for certificate validation with orphan certificates
• [DSS-3047] - NPE on unknown DigestAlgorithm

Release Notes - eSignature DSS - Version 5.12

New features / Improvements

• [DSS-2982] - WebApp : add PDF Download button for Replay Diagnostic Data webpage
• [DSS-2984] - WebApp : add a property to define a custom trusted certificate source
• [DSS-2990] - WebApp : add all world flags to be accessible from css
• [DSS-3001] - Provide a code snippet describing how to create a certification signature
• [DSS-3011] - SubjectAlternativeNames to return GeneralName type
• [DSS-3016] - WebApp: propogate tl.browser.root.url to FOPService
• [DSS-3018] - Add support of SAML metadata XSD
• [DSS-3021] - PdfBox : ensure DocMDP is created as a direct object

Bug fixes / Issues

• [DSS-2975] - Fix unknown MRA equivalence context URI
• [DSS-2977] - xml-apis depedency problematic in Java 11+
• [DSS-2992] - NameConstraints with permitted value and SubjectAlternativeName
• [DSS-2993] - NameConstraints with excluded value and SubjectAlternativeName
• [DSS-2996] - Unrecognized critical extensions
• [DSS-2998] - Disable SHA3 digest algorithms when MSCAPI token is selected
• [DSS-2999] - CAdES signature creation save dialog file filter
• [DSS-3005] - Errata in the DSS CookBook in the Lock Dictionary standard reference
• [DSS-3013] - CAdES-LT signature not compliant with RFC 5940
• [DSS-3015] - Skipping ProspectiveCertificateChain always results to PASSED

+ All the changes included in DSS 5.12.RC1.

Release Notes - eSignature DSS - Version 5.12.RC1

New features

• [DSS-2394], [DSS-2609] - Allow signature with external CMS provider
• [DSS-2685] - DSS Standalone : introduce extension feature
• [DSS-2686] - DSS Standalone : introduce validation feature
• [DSS-2689] - PDF/A : add optional structure validation with VeraPDF
• [DSS-2768] - Add multiple documents signature support in the standalone
• [DSS-2802] - PDF : spoofing attack detection
• [DSS-2854] - PAdES : make VRI dictionaries creation optional
• [DSS-2857] - AbstractKeyStoreTokenConnection : add key filter predicate
• [DSS-2861] - Evaluate the possibility to implement a pre-emptive basic authentication on CommonDataLoader
• [DSS-2914] - Add BasicConstraints.CA check for CA certificates
• [DSS-2925] - Reject certificates with unsupported critical extensions
• [DSS-2926] - Reject certificates with not allowed extensions
• [DSS-2927] - Verify Responder Id against found OCSP's issuer
• [DSS-2931] - WebServices: add methods to sign providing a SignatureAlgorithm
• [DSS-2938] - Review expiration of cryptographic algorithms in XML validation policy
• [DSS-2943] - WebServices : add setter of default validation policy
• [DSS-2951] - Add support for Ed25519 signatures in Jades
• [DSS-2964] - Add processing of policy constraints certificate extension
• [DSS-2970] - Add processing of name constraints certificate extension

Improvements

• [DSS-2727] - Avoid loading OutputStream in memory when computing digest
• [DSS-2749] - PAdES : introduce a new PdfByteRangeDocument
• [DSS-2816] - Simple Report : add information about trust anchors
• [DSS-2818] - PAdES : report incorrect ByteRange incorporation
• [DSS-2829] - PAdES : add support of TU/TS entries within VRI dictionary
• [DSS-2841] - WebApp : ensure DTO contain binaries when applicable instead of base64-encoded String
• [DSS-2842] - RepositoryRevocationSource : add a possibility to process multiple revocation data
• [DSS-2846] - Refactor MimeType class
• [DSS-2858] - WebApp Demo : make use of Jdbc repository optional
• [DSS-2869] - Vulnerability report : dependencies update
• [DSS-2870] - Use byte[] or char[] instead of String to provide a password
• [DSS-2872] - PDF : detect ByteRange collision
• [DSS-2873] - PDF : execute related constraints from FC for timestamps
• [DSS-2901] - Cookbook : make HTML documentation offline
• [DSS-2909] - PAdES: create documentId based on a large set of parameters
• [DSS-2910] - AdES validation: return INDETERMINATE/CERTIFICATE_CHAIN_GENERAL_FAILURE if no acceptable revocation found
• [DSS-2921] - Enforce keyCertSign check for CA certificates
• [DSS-2923] - SimpleCertificateReport : include validation messages
• [DSS-2924] - Enforce timestamping ExtendedKeyUsage constraint to FAIL level
• [DSS-2928] - Reject OCSP response with invalid version
• [DSS-2929] - PAdES: add post-processing for timestamps
• [DSS-2941] - PAdES Object modification detection : compare streams directly

Bug fixes / Issues

• [DSS-2821] - PAdES-Baseline-B signature cannot be extended to LT due to hasLTAProfile check
• [DSS-2826] - DLSequence for postalAddress 2.5.4.16
• [DSS-2835] - Not possible to sign an existing signature field
• [DSS-2836] - JdbcCacheConnector : avoid implicit object conversion
• [DSS-2845] - One PDF which is before signing compliant A/2A but after signing is not compliant PDF/A -2A anymore
• [DSS-2850] - Not expected behavior on auto fitting text
• [DSS-2859] - Simple Report - Signatures with indication INDETERMINATE/TRY_LATER are counted as valid
• [DSS-2871] - Vulnerability report : information disclosure
• [DSS-2885] - Fix OID extraction from XML Trusted List
• [DSS-2890] - threads can stuck/hang in NativeDataLoaderCall.call()
• [DSS-2891] - intermediate certs in KeyStoreCertificateSource are not found during path building process
• [DSS-2911] - TLValidationJob: LOTL validation status may get stuck in certain scenario
• [DSS-2916] - Unable to extend a TOTAL_PASSED document with a revoked signing certificate but PoE to an LTA-level
• [DSS-2919] - Invalid signature of document (root) element
• [DSS-2920] - Invalid RefURI causes invalid signature
• [DSS-2947] - Sealing an XML in DSS demo webapp is not working
• [DSS-2957] - Problem in documentation
• [DSS-2958] - Undocumented policy change in 5.9
• [DSS-2968] - IllegalStateException during online LTL refresh: Transition from 'REFRESH_NEEDED' to 'TO_BE_DELETED' is not allowed
• [

Release Notes - eSignature DSS - Version 5.11.1

This is the Maven Central release: https://mvnrepository.com/artifact/eu.europa.ec.joinup.sd-dss

When upgrading to the version 5.11.1, you no longer need to specify "cefdigital" repository within pom.xml file of your project. For more information about integrating DSS to your project, please see the readme.

Bugs / Issues

• [DSS-2885] - Fix OID extraction from XML Trusted List

Improvements / Tasks

• [DSS-2896] - DSS Version 5.11.1 Maven Central release

Release Notes - eSignature DSS - Version 5.10.2

This is the first release published on Maven Central: https://mvnrepository.com/artifact/eu.europa.ec.joinup.sd-dss

When upgrading to the version 5.10.2, you no longer need to specify "cefdigital" repository within pom.xml file of your project. For more information about integrating DSS to your project, please see the readme.

Bugs / Issues

• [DSS-2729] - Exception when a not supported encryption algorithm is provided
• [DSS-2885] - Fix OID extraction from XML Trusted List

Improvements / Tasks

• [DSS-2895] - DSS Version 5.10.2 Maven Central release