Release Notes - eSignature DSS - Version 6.2

Bug fixes / Issues

• [DSS-3519] Enforce TimeStamp level checks when no LTA material is present
• [DSS-3520] XAdES validation fails in case of tempered ds:KeyInfo certificate
• [DSS-3523] Misleading log warning on XAdES enveloping signature
• [DSS-3526] AlertOnNoRevocationAfterBestSignatureTime returns NextUpdate before current time
• [DSS-3529] dss-crl-parser-stream invalidates some CRLs signed by RSASSA-PSS

Improvements

• [DSS-3524] Vulnerability report review
• [DSS-3554] Upgrade to BouncyCastle 1.80
• [DSS-3555] DSS Demonstrations : add property to skip ASN1ObjectIdentifier validation

+ All the changes included in DSS 6.2.RC1.

For more information about code changes and migration process, please refer to the Migration Guide in documentation.

Release Notes - eSignature DSS - Version 6.2.RC1

New features

• [DSS-3166] Add support of ECDSA with SHA3 algorithms defined in RFC 9231
• [DSS-3207] Configurable memory settings on PAdES signature creation
• [DSS-3341] Add definition of trust anchors with time
• [DSS-3369] Implement support of noRevAvail RFC 9608
• [DSS-3393] Add option of nested CMS signatures creation
• [DSS-3468] Add ValidationTime to validateSignature REST/SOAP API
• [DSS-3486] Add validation of Trusted List v6

Improvements

• [DSS-2623] XAdES/JAdES : Separate timestamp validation data on LT level
• [DSS-2849] PAdES : add support of 142-2 extended profiles on validation
• [DSS-3374] REST/SOAP webservices : add unit tests for on signature augmentation with detached content
• [DSS-3404] Update trust anchor definition per TS 119 615 v1.2.1
• [DSS-3419] Adjust anchor links within Detailed Reports for new sunset checks
• [DSS-3428] Allow a check skip with alerts
• [DSS-3445] ASiCArchiveManifest shall refer a set of signed or timestamped files from covered signatures/timestamps
• [DSS-3454] Fix "CRL Signature cannot be validated" warning message
• [DSS-3460] Align getFilename method naming
• [DSS-3484] Automate digest encoding on signing with RSA algorithm
• [DSS-3487] Add support of AnyValidationData unsigned property
• [DSS-3513] Add option to choose between strict and lax validation of ats-hash-index attribute (CAdES)
• [DSS-3514] No minKeySize cryptographic constraint should not result in validation failure

Bug fixes / Issues

• [DSS-2353] JAdES LT adds time-stamps validation data to the xVals
• [DSS-2355] JAdES augmentation adds validation data for the signing certificate into the tstVD
• [DSS-2359] XAdES LT adds time-stamps validation data to CertificateValues and RevocationValues
• [DSS-2360] XAdES augmentation adds validation data for the signing certificate to the TimeStampValidationData element
• [DSS-2361] LTA augmentation of LTA signatures adds new revocation data for the signing certificate
• [DSS-3392] ASiC-S with CAdES creates invalid signature when a CMS signature is provided as an input
• [DSS-3395] Bad debug log in ImageUtils
• [DSS-3401] ASiCUtils.isZip(DSSDocument) method fails when a DigestDocument provided
• [DSS-3411] ASiC with XAdES creates manifest.xml with null media-type
• [DSS-3418] DiagnosticData does not include all certificate references when a custom TokenIdentifierProvider is used
• [DSS-3439] PAdES ByteRange is not properly checked
• [DSS-3451] Wrong link in reference to RFC4998
• [DSS-3452] Expected and actual values switched in error message
• [DSS-3458] XAdESPath contain imports from jaxb related modules
• [DSS-3475] crlSignKeyUsage validation
• [DSS-3478] Expired hardcoded test certificates break build
• [DSS-3480] DSS WebApp logs Using generated security password warning
• [DSS-3481] WebApp : CXF OpenAPI generates wrong JSON schema
• [DSS-3482] Failed validation of detached CMS signature when using not id-data content type
• [DSS-3490] Deadlock in TLValidationJob on TL URL change when CacheCleaner is not used
• [DSS-3495] Slow XAdES validation with large amount of datafiles
• [DSS-3506] Xades Signature DataObjectFormat missing reference to KeyInfo element
• [DSS-3512] Inconsistent ats-hash-index-v3 building for non Baseline or invalid CAdES structures
• [DSS-3519] Enforce TimeStamp level checks when no LTA material is present

Tasks / Other

• [DSS-3065] Refactor CustomProcessExecutorTest class
• [DSS-3122] Upgrade to PdfBox 3.0.0
• [DSS-3325] Upgrade to Apache Santuario 3.0.5
• [DSS-3435] Update highlightjs
• [DSS-3465] Upgrade to FOP 2.10
• [DSS-3483] Update BouncyCastle 1.79
• [DSS-3496] Nexu : fix link in demo
• [DSS-3499] Update cryptographic suites as per ETSI TS 119 312 v1.5.1
• [DSS-3501] Update HttpClient5 to version 4.5.x
• [DSS-3515] Update json-sKema v0.20.0

Release Notes - eSignature DSS - Version 6.1

Bug fixes / Issues

• [DSS-3366] XAdES: assertSignaturePossible blocks even on DetachedSignatureBuilder
• [DSS-3395] Bad debug log in ImageUtils
• [DSS-3400] JAdES iat header parameter incorrect value
• [DSS-3401] ASiCUtils.isZip(DSSDocument) method fails when a DigestDocument provided
• [DSS-3406] CertificateValues in validation report incorrect format
• [DSS-3407] Validation of ASiC-E containg an ASN.1 ER when the reducedHashtree field is not present
• [DSS-3408] RevocationValues in validation report incorrect format
• [DSS-3409] XAdES : reference name check fails for URL-encoded entries
• [DSS-3410] Hash Failure when validating XMLERS with 3 ArchiveTimeStampChain or more
• [DSS-3411] ASiC with XAdES creates manifest.xml with null media-type
• [DSS-3412] Hash Failure when validating an XMLERS with a hashtree renewal followed by a timestamp renewal
• [DSS-3415] JAXBPKILoader invalid behavior for multiple cross certificates
• [DSS-3423] ASiC-E signatures are not reported when no linked manifest found
• [DSS-3424] ASiC with ER chooses wrong DocumentValidator
• [DSS-3438] Sha2FileCacheDataLoader should rethrow original exception

Improvements

• [DSS-3436] dss-demo-bundle to use JDK 21 by default

+ All the changes included in DSS 6.1.RC1.

NOTE: This release includes a breaking change, impacting the signature validation process. If you use validation, please include the following module to the list of dependencies:

<dependencies>
    ...
    <dependency>
        <groupId>eu.europa.ec.joinup.sd-dss</groupId>
        <artifactId>dss-validation</artifactId>
    </dependency>
    ...
</dependencies>

For more information about code changes and migration process, please refer to the Migration Guide in documentation.

Release Notes - eSignature DSS - Version 6.1.RC1

New features

• [DSS-3006] Warn the user if the PDF contains annotations done after the signature
• [DSS-3124] Add policy constraints for certificate attributes
• [DSS-3181] Add support of ASN.1 Evidence records
• [DSS-3238] DSS Demos: add configuration of TrustAllStrategy on TL loading
• [DSS-3240] Add configuration of revocation skip condition in validation policy
• [DSS-3248] Introduce Document Digest Generator for Evidence Record creation and validation
• [DSS-3278] Improve cache handling of LOTL/TLs with sha2 files
• [DSS-3283] Create Document Digest Generator for ASiC containers
• [DSS-3289] Add a possibility to specify a signature field for a visual time-stamp
• [DSS-3301] Create Document Digest Generator for Evidence Record renewal
• [DSS-3315] JAdES : add support of RFC 7519 'iat' header
• [DSS-3344] Introduce TimestampTokenVerifier
• [DSS-3364] DSS Demonstrations : add property to configure maximum number of XML manifest references
• [DSS-3372] Allow partial documents validation within an XML Manifest
• [DSS-3373] Add JAdES base64url signature parameters to signature creation endpoints

Improvements

• [DSS-2322] Allow to configure alerts in CertificateVerifier for the signature validation
• [DSS-2392] Add developer extension augmented documents
• [DSS-2751] Use CertificateVerifier to enforce certificate validation on signature creation
• [DSS-2935] Support for ISO 32001 and ISO 32002
• [DSS-3025] Placing LT signature on document containing LTA signature
• [DSS-3108] Differentiate RSA and RSA-PSS and validation policy
• [DSS-3123] PAdESService : verify if the provided document is a PDF file
• [DSS-3125] Custom CertificateSource implementations for trusted lists certificate sources
• [DSS-3204] Align Id attributes produced for XAdES timestamps
• [DSS-3223] Add support of Evidence Records on standalone time-stamps
• [DSS-3226] Detection of numeric object modification faulty/dubious
• [DSS-3235] ASN.1 Evidence Records : add verification of digest algorithm
• [DSS-3236] Merge reference digest algorithm cryptographic validation block
• [DSS-3242] XAdES: Cannot sign multiple times with Enveloped transform
• [DSS-3279] DSSDocument.getDigest should return byte array
• [DSS-3297] ASiC merger : add handling of evidence records
• [DSS-3298] Configurable revocation update based on maximum revocation freshness constraint
• [DSS-3326] Ease requirements for JAdES protected headers within 'crit'
• [DSS-3331] dss-demo - add config property to load Java default proxy settings
• [DSS-3338] Skip .sha2 file verification for LOTL Pivots
• [DSS-3367] Allow ASiC signature of 2GB+ documents

Bug fixes / Issues

• [DSS-2730] Revocation data not considered fresh in LTA with qualified timestamp
• [DSS-2805] Validation result depends on signature certificate validity
• [DSS-3053] SVG : notBefore/notAfter dates displayed on hover are duplicated between all certificates
• [DSS-3191] DSS does not detect duplicated signing-certificate attributes in CMS
• [DSS-3192] NOT_YET_VALID certificate passes validation when basic validation process returns REVOCATION_OUT_OF_BOUNDS_NO_POE
• [DSS-3221] Different validation outcomes in two logically identical scenarios
• [DSS-3228] NPE when two equivalent evidence records with the same filename provided to validation
• [DSS-3233] ER ArchiveTimeStampSequence time-stamp's validation does not ensure all original documents are covered
• [DSS-3234] Fix Dockerfile in master
• [DSS-3239] PdfByteRangeDocument cannot be used on document validation
• [DSS-3241] Inconsistencies in handling the signature policy ID in XAdESSignature::buildSignaturePolicy
• [DSS-3269] Double signature annotation when open action is set with destination array targeting the first page
• [DSS-3271] Cannot compile Transformer for Simple Report PDF when using Saxon-HE 12.4
• [DSS-3281] DiagnosticDataBuilder fails on evidence record covering an orphan reference
• [DSS-3323] Wrong timestamp order returned from unsigned properties (BC 1.78+)
• [DSS-3330] ASiC-E with CAdES validation : ASICManifest documents get duplicated in the report
• [DSS-3336] QCForLegalPerson qualifier is not processed correctly
• [DSS-3342] Cryptographic constraint shall be applied at current time for X509 certificate validation
• [DSS-3348] Possible memory leak in XAdESSignature on Santuario signature creation
• [DSS-3349] xades signature with empty namespace prefix
• [DSS-3356] Validation fails when SigningCertificateDigestAlgorithm constraint level is higher than failed Cryptographic level
• [DSS-3365] DSS returns XAdES-BASELINE-* for a signature without signing-certificate in KeyInfo
• [

Release Notes - eSignature DSS - Version 6.0

Main changes

• [DSS-2774] Update xml jakarta.xml.bind-api - support namespace change from javax to jakarta
• [DSS-2838] DSS WebApp : migrate from Spring to Spring Boot
• [DSS-3184] Remove sscd-mocca-adapter

Bug fixes / Issues

• [DSS-3220] KeyEntityTSPSource : add null safe processing

+ All the changes included in DSS 5.13.

NOTE: This release uses "jakarta.*" namespaces. For "javax.*" version please use 5.13.

Release Notes - eSignature DSS - Version 5.13

Bug fixes / Issues

• [DSS-3169] Simple Report: Copy ID button generates a wrong Id for evidence records
• [DSS-3170] Evidence record validation within ASiC-E fails when having more signed objects than referenced by manifest
• [DSS-3171] Detached signed content is not provided to the evidence record validation
• [DSS-3172] Validation of Xml Evidence Record with omitted HashTree fails
• [DSS-3174] Validation of renewed evidence records within ASiC container fails
• [DSS-3177] Pretty-printed XAdES extension from -LT to -LTA fails when having TimeStampValidationData
• [DSS-3179] ASiC-S container with an evidence record file shall not require a manifest file
• [DSS-3183] DSS Standalone : TL-signing generates invalid signature for a non SHA-256 algo
• [DSS-3188] NPE on CertificateRef user-friendly identifier building
• [DSS-3189] Unhandled casting of COSArray in PdfBox implementation
• [DSS-3201] B-level signature validation with an evidence record my cause NPE
• [DSS-3209] KeyEntityTSPSource returns a different signing-time than set productionTime
• [DSS-3211] XMLERS : XML document is not canonicalized for omitted hashtree
• [DSS-3212] Null values from CertEntityRepository are not handled
• [DSS-3214] Add support of LOTL location change workflow

+ All the changes included in DSS 5.13.RC1.

Release Notes - eSignature DSS - Version 5.13.RC1

New features

• [DSS-2511] XAdES manifest signature : mime type of referenced entries
• [DSS-2775] JAdES please add support for x5u header
• [DSS-2972] Add optional check verifying a presence and validity of a signature timestamp
• [DSS-3024] XAdES : add support of EdDSA algo
• [DSS-3064] Add docker compose file to demonstrations project
• [DSS-3069], [DSS-3120], [DSS-3146] Introduce offline PKI Factory module to DSS
• [DSS-3090] Add support of XML Evidence Recods

Improvements

• [DSS-2517] XAdES: dss doesn't validate xades:DataObjectFormat
• [DSS-2913] ASiC : introduce CONTAINER_TIMESTAMP type
• [DSS-3017] Add links to referenced standards within cookbook
• [DSS-3044] Add qualification messages to HTML/PDF simple certificate reports
• [DSS-3045] TLValidationJob : extract OtherTSLPointer information to a TL DTO
• [DSS-3056] Add a possibility to define a wildcard within proxy configuration
• [DSS-3060] Align implementation per TS 119 615 v1.2.1
• [DSS-3082] OCSP fails when server does not support "nonce" extension
• [DSS-3096] Make DSSErrorHandlerAlert to retrieve column/line numbers for an error
• [DSS-3098] Process detached timestamp validation with lowest POE time
• [DSS-3099] Add rotation processing on add an empty signature field
• [DSS-3110] Ease signature policy validation constraints
• [DSS-3114] Add support of NoRotate flag on existing annotation position extraction
• [DSS-3158] OCSP error handling
• [DSS-3161] Improve ASiC container type determination

Bug fixes / Issues

• [DSS-2994] Name restriction on an unsupported name form
• [DSS-3004] DSS demo bundle webapp startup time
• [DSS-3036] Utils.fromBase64 condition is not covered
• [DSS-3067] Problem iwth the certificate validation tool at DSS/webapp-demo/certificate-validation
• [DSS-3076] OnlineOCSPSource and nonce length
• [DSS-3083] Default SecureRandomNonceSource should generate nonces of at least 16 octets
• [DSS-3089] Wrong Javadoc for eu.europa.esig.dss.enumerations.Indication.TOTAL_FAILED
• [DSS-3097] ManifestFilePresentCheck shall allow manifest presence for ASIC-S container
• [DSS-3105] esig-dss generates an invalid enveloped XML signature if the origin XML has comments before the root node
• [DSS-3106] esig-dss generates an invalid enveloped XML signature if the origin XML is encoded in latin-1
• [DSS-3111] PAdES : improve LT-level validation
• [DSS-3113] NPE in Diagnostic data builder
• [DSS-3117] Calls that utilize the ZipUtils class is not thread safe
• [DSS-3119] XAdES Enveloping signature does not incorporate comments within root element
• [DSS-3141] esig-dss generates an invalid enveloped XML signature when using URI "#xpointer(/)" if the origin XML has comments
• [DSS-3148] Wrong RefURI check
• [DSS-3162] ASiC-S : SignedFilesPresentCheck verifies across all files, while should check only root level files

Tasks / Other

• [DSS-2898] Create a key store TSPSource implementation
• [DSS-3009] Upgrade BouncyCastle
• [DSS-3042] Fix TrustService element wording in Diagnostic Data XSD
• [DSS-3061] Update ETSI validation report per TS 119 102-2 v1.4.1
• [DSS-3087] Update maven-jaxb plugin to version 2.x
• [DSS-3163] Upgrade to OpenPdf 1.3.32

Release Notes - eSignature DSS - Version 5.12.1

This release includes some improvements for Trust Service validation, MRA processing, but also dependency updates and minor issue fixes.

New features / Improvements

• [DSS-2851] - MRA with future TrustServiceEquivalenceStatusStartingTime
• [DSS-2852] - Validation report of a certificate issued by a "withdrawn" TSP
• [DSS-3014] - Report more information on Trust Service validation
• [DSS-3037] - Return information about MRA CertificateContentReferencesEquivalenceList processing
• [DSS-3049] - Update jQuery to 3.6.4
• [DSS-3051] - eSig validation tests : add a possibility to provide a custom access point through arguments

Bug fixes / Issues

• [DSS-3035] - DSS demo is not able to load OCSP request provided the JDBC source is disabled
• [DSS-3043] - DiagnosticData unmarshalling fails for certificate validation with orphan certificates
• [DSS-3047] - NPE on unknown DigestAlgorithm

Release Notes - eSignature DSS - Version 5.12

New features / Improvements

• [DSS-2982] - WebApp : add PDF Download button for Replay Diagnostic Data webpage
• [DSS-2984] - WebApp : add a property to define a custom trusted certificate source
• [DSS-2990] - WebApp : add all world flags to be accessible from css
• [DSS-3001] - Provide a code snippet describing how to create a certification signature
• [DSS-3011] - SubjectAlternativeNames to return GeneralName type
• [DSS-3016] - WebApp: propogate tl.browser.root.url to FOPService
• [DSS-3018] - Add support of SAML metadata XSD
• [DSS-3021] - PdfBox : ensure DocMDP is created as a direct object

Bug fixes / Issues

• [DSS-2975] - Fix unknown MRA equivalence context URI
• [DSS-2977] - xml-apis depedency problematic in Java 11+
• [DSS-2992] - NameConstraints with permitted value and SubjectAlternativeName
• [DSS-2993] - NameConstraints with excluded value and SubjectAlternativeName
• [DSS-2996] - Unrecognized critical extensions
• [DSS-2998] - Disable SHA3 digest algorithms when MSCAPI token is selected
• [DSS-2999] - CAdES signature creation save dialog file filter
• [DSS-3005] - Errata in the DSS CookBook in the Lock Dictionary standard reference
• [DSS-3013] - CAdES-LT signature not compliant with RFC 5940
• [DSS-3015] - Skipping ProspectiveCertificateChain always results to PASSED

+ All the changes included in DSS 5.12.RC1.

Release Notes - eSignature DSS - Version 5.12.RC1

New features

• [DSS-2394], [DSS-2609] - Allow signature with external CMS provider
• [DSS-2685] - DSS Standalone : introduce extension feature
• [DSS-2686] - DSS Standalone : introduce validation feature
• [DSS-2689] - PDF/A : add optional structure validation with VeraPDF
• [DSS-2768] - Add multiple documents signature support in the standalone
• [DSS-2802] - PDF : spoofing attack detection
• [DSS-2854] - PAdES : make VRI dictionaries creation optional
• [DSS-2857] - AbstractKeyStoreTokenConnection : add key filter predicate
• [DSS-2861] - Evaluate the possibility to implement a pre-emptive basic authentication on CommonDataLoader
• [DSS-2914] - Add BasicConstraints.CA check for CA certificates
• [DSS-2925] - Reject certificates with unsupported critical extensions
• [DSS-2926] - Reject certificates with not allowed extensions
• [DSS-2927] - Verify Responder Id against found OCSP's issuer
• [DSS-2931] - WebServices: add methods to sign providing a SignatureAlgorithm
• [DSS-2938] - Review expiration of cryptographic algorithms in XML validation policy
• [DSS-2943] - WebServices : add setter of default validation policy
• [DSS-2951] - Add support for Ed25519 signatures in Jades
• [DSS-2964] - Add processing of policy constraints certificate extension
• [DSS-2970] - Add processing of name constraints certificate extension

Improvements

• [DSS-2727] - Avoid loading OutputStream in memory when computing digest
• [DSS-2749] - PAdES : introduce a new PdfByteRangeDocument
• [DSS-2816] - Simple Report : add information about trust anchors
• [DSS-2818] - PAdES : report incorrect ByteRange incorporation
• [DSS-2829] - PAdES : add support of TU/TS entries within VRI dictionary
• [DSS-2841] - WebApp : ensure DTO contain binaries when applicable instead of base64-encoded String
• [DSS-2842] - RepositoryRevocationSource : add a possibility to process multiple revocation data
• [DSS-2846] - Refactor MimeType class
• [DSS-2858] - WebApp Demo : make use of Jdbc repository optional
• [DSS-2869] - Vulnerability report : dependencies update
• [DSS-2870] - Use byte[] or char[] instead of String to provide a password
• [DSS-2872] - PDF : detect ByteRange collision
• [DSS-2873] - PDF : execute related constraints from FC for timestamps
• [DSS-2901] - Cookbook : make HTML documentation offline
• [DSS-2909] - PAdES: create documentId based on a large set of parameters
• [DSS-2910] - AdES validation: return INDETERMINATE/CERTIFICATE_CHAIN_GENERAL_FAILURE if no acceptable revocation found
• [DSS-2921] - Enforce keyCertSign check for CA certificates
• [DSS-2923] - SimpleCertificateReport : include validation messages
• [DSS-2924] - Enforce timestamping ExtendedKeyUsage constraint to FAIL level
• [DSS-2928] - Reject OCSP response with invalid version
• [DSS-2929] - PAdES: add post-processing for timestamps
• [DSS-2941] - PAdES Object modification detection : compare streams directly

Bug fixes / Issues

• [DSS-2821] - PAdES-Baseline-B signature cannot be extended to LT due to hasLTAProfile check
• [DSS-2826] - DLSequence for postalAddress 2.5.4.16
• [DSS-2835] - Not possible to sign an existing signature field
• [DSS-2836] - JdbcCacheConnector : avoid implicit object conversion
• [DSS-2845] - One PDF which is before signing compliant A/2A but after signing is not compliant PDF/A -2A anymore
• [DSS-2850] - Not expected behavior on auto fitting text
• [DSS-2859] - Simple Report - Signatures with indication INDETERMINATE/TRY_LATER are counted as valid
• [DSS-2871] - Vulnerability report : information disclosure
• [DSS-2885] - Fix OID extraction from XML Trusted List
• [DSS-2890] - threads can stuck/hang in NativeDataLoaderCall.call()
• [DSS-2891] - intermediate certs in KeyStoreCertificateSource are not found during path building process
• [DSS-2911] - TLValidationJob: LOTL validation status may get stuck in certain scenario
• [DSS-2916] - Unable to extend a TOTAL_PASSED document with a revoked signing certificate but PoE to an LTA-level
• [DSS-2919] - Invalid signature of document (root) element
• [DSS-2920] - Invalid RefURI causes invalid signature
• [DSS-2947] - Sealing an XML in DSS demo webapp is not working
• [DSS-2957] - Problem in documentation
• [DSS-2958] - Undocumented policy change in 5.9
• [DSS-2968] - IllegalStateException during online LTL refresh: Transition from 'REFRESH_NEEDED' to 'TO_BE_DELETED' is not allowed
• [