Page tree

CEF DIGITAL home page

CEF Digital

Digital Signature Service - DSS

Back to the overview

What's on this page

Back to the overview

Latest version

Access and download DSS v5.9

Here, you can access and download the latest version of the Digital Signature Services open-source library released in February 2021. You can read more about DSS and how it can help you here.

Access to Bitbucket source code



Access to Github source code



Download the DSS Demonstration WebApp



Source code is available in zipandtar.gz

What is DSS?

Purpose of the service

DSS (Digital Signature Services) is an open-source software library for electronic signature creation and validation. DSS supports the creation and verification of interoperable and secure electronic signatures in line with European legislation. In particular, DSS aims to follow the eIDAS Regulation and related standards closely.

DSS can be re-used in an IT solution for electronic signatures to ensure that signatures are created and verified in line with European legislation and standards. DSS allows re-use in a variety of different ways: in an applet, in a stand-alone application or in a server application. DSS can also be used as a reference implementation for IT solutions which do not directly re-use it. Demos are also available to assist the use of DSS as a reference implementation. DSS was developed by Nowina Solutions and is maintained up-to-date via new releases.

Users of the service

The CEF eSignature DSS service is intended for Service Providers active in the implementation of e-signature solutions.

Benefits of the service 

CEF eSignature's DSS open-source library delivers the following benefits to its users:

  • Open-source software under LGPL 2.1, a non-viral open source license;
  • Written in Java, guaranteeing portability on numerous platforms;
  • Interoperability of the e-signatures;
  • Supports both e-signatures and e-seals;
  • Validation of countersignatures and multiple signatures;
  • A flexible library, that can be:
    • Reused in different topologies: in an applet, as a stand-alone application, server-based, or any combination;
    • Used in its entirety or on a module-by-module basis;
    • Adapted to numerous usages via configuration files or extension points;
  • Alignment with the eIDAS Regulation and related standards;
  • Supports EU standards on:
    • Signature formats and packaging methods;
    • Signature validation procedures;
  • Validation relying on Member States' trusted lists:
    • Status of trust service providers/trust service, compensation of information, path validation.

How can it be used?

The library, realised in Java, is open-source, available to all Member States, businesses and citizens for re-use in electronic signature solutions. It is continuously updated and maintained to anticipate and follow developments in regulations and standards. 

Anyone can integrate it and redistribute it under the terms of the Lesser General Public License (LGPL 2.1).

In accordance with ETSI standards, DSS supports various document and signature formats including PAdES, XAdES, CAdES and ASiC and is compliant with Implementing Decision 2015/1506/EU. A “cook-book” is also provided with documentation targeting implementers/developers and aiming at facilitating the integration and use of DSS in their applications.

Validation of qualified and advanced signatures and seals

In anticipation of the ETSI standard, TS 119 172-4, which is currently being drafted with the aim of standardising a “signature validation policy for European qualified electronic signatures/seals using trusted lists”, eSignature Building Block’s provides its interpretation of the eIDAS Regulation's requirements for the validation of qualified and advanced signatures and seals.

This algorithm has been designed following discussions and meetings with experts involved in the field, in the context of the CEF eSignature Building Block. This algorithm is to be considered as guidelines for implementers, or parties interested in understanding how QES validation is implemented in DSS.

The algorithm (available below) focuses on determining 3 sub-conclusions:

- Whether the certificate is qualified

- What is the type of this certificate

- Whether the corresponding private key is protected by a QSCD.


Demonstration tool

Demos of DSS for electronic signature creation, extension and validation

The CEF eSignature building block maintains a demonstration tool that allows everybody interested in the DSS functionalities to try them out.

The demo tool is a web application that, among others, allows users to:

  • upload and sign a document
  • upload and sign multiple documents
  • access REST / SOAP webservices 
  • extend an electronic signature
  • validate an electronic signature

The DSS demonstration tool is accessible from here 

Releases and Bitbucket

DSS releases are part of the eSignature service offering. 

The CEF eSignature building block collects all issues, bugs, or requests for change in the DSS project's JIRA. More information on how to use JIRA can be found here

Source code is also made available on the DSS Bitbucket repository.  

Please note that, due a Joinup migration, older versions of DSS need to be adapted in order to compile successfully. Practical details can be found here.


Documentation

Documentation is available in HTML, PDF and Javadoc.

Releases

Summary of current version

VersionRelease dateFeatures
v5.9September 2021

Main new features / improvements :

  • Many improvements in the validation reports
  • AIASource introduction : more customizations
  • Customization of revocation collection strategy (OCSP/CRL first)
  • DocumentBuilderFactory securities
  • ECDSA / ECDSA-PLAIN support
  • JAdES (JSON AdES) consolidations
  • PAdES visual signature refactorings / improvements :
    • Image scaling : STRETCH / ZOOM_AND_CENTER / CENTER
    • Text wrapping : BOX_FILL / FILL_BOX_AND_LINEBREAK / FONT_BASIC
  • Dependency upgrades (Santuario, BouncyCastle, PDFBox,…)
  • Java 16 support

Bug fixes :

  • Short term OCSP response
  • On hold certificate
  • Qualification conflict (issuance time / best signing time)
  • ASiC-S can’t be timestamped twice
  • PAdES revision extraction
  • PAdES wrong level detection (files with multiple signatures/timestamps)
  • ETSI Validation report : multiple files / references

Bug

  • [DSS-2513] - Certificates embedded into an OCSP response are not timestamped
  • [DSS-2515] - JAdES : avoid exception on a detached LTA signature validation without original file
  • [DSS-2522] - Unable to augment ASiC-E with CAdES LTA with expired signing certificate
  • [DSS-2524] - JAdES : tstVD certificates are not reported within FoundCertificates
  • [DSS-2526] - TL-Summary webPage : rows recalculated on a collapse
  • [DSS-2530] - JAdES ValidationReport with multiple tstVD
  • [DSS-2534] - SVC : check revocation data is known to contain information about certificate
  • [DSS-2539] - JAdES : a new added signature with a higher level extends other signatures
  • [DSS-2540] - PdfBox : cast exception when signing non-signature field
  • [DSS-2545] - Wrong minimal key size for DSA in default validation policy
  • [DSS-2547] - WebApp : unable to sign when the used encryption algorithm is different from the one used to sign the certificate
  • [DSS-2551] - Revocation data is not acceptable warning is reported on LTV process when a valid revocation is available
  • [DSS-2560] - Custom TokenIdentifierProvider duplicates SignerData objects in DiagnosticData

Improvement

  • [DSS-2479] - SVG timeline : add support for independent timestamps validation
  • [DSS-2518] - Deadlocks on TLAnalysis if analysis throws exception
  • [DSS-2535] - WebApp : add dataLoader timeout configuration to properties file
  • [DSS-2549] - WebApp : log exception stacktrace

Past releases

 Expand
VersionRelease dateFeatures
v5.9.RC1July 2021

Many improvements in the validation reports

  • AIASource introduction : more customizations
  • Customization of revocation collection strategy (OCSP/CRL first)
  • DocumentBuilderFactory securities
  • ECDSA / ECDSA-PLAIN support
  • JAdES (JSON AdES) consolidations
  • PAdES visual signature refactorings / improvements :
  • Image scaling : STRETCH / ZOOM_AND_CENTER / CENTER
  • Text wrapping : BOX_FILL / FILL_BOX_AND_LINEBREAK / FONT_BASIC
  • Dependency upgrades (Santuario, BouncyCastle, PDFBox,…)
  • Java 16 support

Bug fixes :

  • Short term OCSP response
  • On hold certificate
  • Qualification conflict (issuance time / best signing time)
  • ASiC-S can’t be timestamped twice
  • PAdES revision extraction
  • PAdES wrong level detection (files with multiple signatures/timestamps)
  • ETSI Validation report : multiple files / references
v5.8February 2021
  • JAdES implementation (ETSI TS 119 182 v0.0.6) : signature creation, extension and validation (advanced electronic signatures based on JWS)
  • PDF Shadow attacks : prevention and detection
  • Counter Signature creation (CAdES, XAdES, JAdES and ASiC containers)
  • Support of the unsigned attribute SignaturePolicyStore (CAdES, XAdES, JAdES and ASiC containers)
  • Support of the QCLimitValue attribute
  • Support of Java 8 up to 15
v5.8.RC1December 2020
  • JAdES implementation (ETSI TS 119 182 v0.0.6) : signature creation, extension and validation (advanced electronic signatures based on JWS)
  • PDF Shadow attacks : prevention and detection
  • Counter Signature creation (CAdES, XAdES, JAdES and ASiC containers)
  • Support of the unsigned attribute SignaturePolicyStore (CAdES, XAdES, JAdES and ASiC containers)
  • Support of the QCLimitValue attribute
  • Support of Java 8 up to 15
v5.7August 2020
  • CertificatePool removal and performance ameliorations
  • QWAC validator
  • New design of PDF reports
  • Support of PSD2 attributes
  • Support of EdDSA
  • Signature representation with a timeline
  • Visual signature creation with REST/SOAP webservices
v5.7.RC1

June 2020

  • CertificatePool removal and performance ameliorations
  • QWAC validator
  • New design of PDF reports
  • Support of PSD2 attributes
  • Support of EdDSA
  • Signature representation with a timeline
  • Visual signature creation with REST/SOAP webservices
v5.6March 2020


  • Complete rewriting of the TL/LOTL loading with: 
    • online / offline refresh
    • 3 caches (download / parse / validate)
    • multiple LOTL support
    • multiple TL support (not linked to a LOTL)
    • Pivot LOTL support
    • Synchronization strategy (eg : expired TL/LOTL are rejected/accepted)
    • multi-lingual support (trust service matching)
    • alerting (eg : LOTL/OJ location desynchronization,...)
    • complete reporting (summary of download / parsing / validation)
  • Independant timestamp creation and validation (not linked to a signature, with ASiC and PDF)
  • Timestamp qualification
  • Internationalization of the validation reports
  • Multiple Trusted Sources support
  • XAdES support of different prefixes / versions
 v5.6.RC1January 2020
 v5.5October 2019
  • The implementation of the ETSI Validation Report
  • The support of Java 12 (multi-release jars)
  • Webservice which allows to validate certificates.
v5.5.RC1August 2019
v5.4.3August 2019
v5.4 January 2019
v5.4.RC1


October 2018

  • Augmentation of signatures with invalid time-stamps, archive-time-stamps and revoked certificates
  • Upgrade to Java 8 or 9
  • Certify documents
  • Add support of KeyHash in OCSP Responses
v5.3.2 October 2018
  • Following a security assessment from the Ruhr-Universität Bochum, we are delivering security patches for DSS versions 5.2 and 5.3
v5.3.1 July 2018
  • Certificate validation
  • content-timestamps generation
  • SHA-3 support
  • non-EU trusted list(s) support
  • integration of the last version of MOCCA
v5.3 May 2018
  • Certificate validation
  • content-timestamps generation
  • SHA-3 support
  • non-EU trusted list(s) support
  • integration of the last version of MOCCA
v5.3.RC1 April 2018
  • Certificate validation
  • content-timestamps generation
  • SHA-3 support
  • non-EU trusted list(s) support
  • integration of the last version of MOCCA
v5.2.1 October 2018Following a security assessment from the Ruhr-Universität Bochum, we are delivering security patches for DSS versions 5.2 and 5.3
v5.2 December 2017
  • Qualification matrix guidelines and documentation
  • Improvements regarding visual representation of a signature
  • Alternative packaging: Image docker / spring-boot

v5.2.RC2

December 2017


v5.2.RC1

September 2017


This release candidate comes with 2 main improvements:

  • CRL streaming, the demo won’t use the X509CRL java object by default (it can be changed). With some signatures, we had large CRLs (+60Mo in Estonia) and that could cause memory issues.
  • RSASSA-PSS support, I received some requests to support these algorithms :
    • SHA1withRSAandMGF1 
    • SHA224withRSAandMGF1
    • SHA256withRSAandMGF1
    • SHA384withRSAandMGF1
    • SHA512withRSAandMGF1
v5.1 September 2017
v5.1.RC1 June 2017
v5.0 April 2017
  • Refactoring of ASiC format handling, following the ETSI ASiC Plugtest
  • Signature of multiple files (ASiC and XAdES)
  • Integration of the Qualification matrix as described in draft ETSI 119 172-4, for supporting signatures before and after 01/07/2016 (eIDAS entry into force)
  • Migration to PDFBox 2 for handling PDFs
v5.0.RC1 January 2017
  • Complete refactoring of the ASiC part (creation, extension and validation)
  • Compliance to eIDAS regulation.
v4.7 October 2016
v4.7.RC2 September 2016
v.4.7.RC1

June 2016


A XAdES PlugTest is planned in October / November 2015. Remaining changes resulting from this PlugTest and not included in v4.6 may be included in this release.

An eSignature Validation PlugTest is planned in April 2016. Depending on the actual timeframe, impacts from this PlugTest may be included in this release, and the release of DSS 4.7 will be postponed accordingly.

Other potential improvements and features:

  • Extension of signature validation policy support
  • CAdES attribute certificates
  • CRL in multiple parts
  • Distributed timestamps method
  • Support of cross-certification in path building
v4.6 *08.03.2016

Based on standards:

  • Signature formats when creating a signature: baseline profiles ETSI TS 103 171, 103 172, 103 173, and 103 174
  • Signature formats when validating a signature: baseline profiles, and core specs ETSI TS 101 903, 101 733, 102 778 and 102 918
  • Signature validation process ETSI TS 102 853

Improvements in packaging and core functionalities:

  • CAdES optimisation, CAdES multiple Signer Information. A CAdES PlugTest is occurring in June and July 2015. Changes resulting from this PlugTest will be included in this release. CAdES countersignature will not be supported.
  • Impacts from XAdES PlugTest of October 2015
  • Processing of large files
  • Further refactoring of demo applet (size, validation policy editor)
  • SOAP and REST Web Services
  • Standalone demo application
v4.6.RC218.01.2016-
v4.6.RC1 02.11.2016-
v4.5.0 25.09.2015-
v4.5.0.RC2 18.08.2015-
v4.5.0.RC1 01.07.2015-
v4.4.0 25.06.2015

-


v4.4.RC2 20.04.2015-
v4.4.RC1 05.03.2015-
...

* October 2015: Implementing Acts Art. 27 & 37 (eSig formats)

The main purpose of this milestone is to align DSS on the Implementing Acts of Art. 27, 37 of eIDAS published in September 2015.

Please note that, as these Implementing Acts published in September 2015 will first designate the “former standards” (baseline profiles ETSI TS 103 171, 103 172, 103 173, and 103 174) and not the upcoming ETSI EN 319 1x2, it was decided to rename this release as DSS 4.6 and not DSS 5.0. The major version DSS 5.0 will be used when these Implementing Acts will be modified in 2016 to point to ETSI EN 319 1x2.


Security information

Following a security assessment from the Ruhr-Universität Bochum, we are delivering security patches for DSS versions 5.2 and 5.3.

Delivered patches are:

(warning)  Please consider that use of older versions should be discouraged.  (warning)


 XAdES / ASiC with XAdES / TL-based signature validation

If your DSS integration is using XAdES, ASiC with XAdES, or TL-based signature validation, it is strongly encouraged to upgrade your version.

The patches enforce signature validations against different kinds of attack: XML Signature Wrapping (XSW), XPath injections, Server Side Request Forgeries (SSRF) and XML External Entities (XEE).

While upgrading, be sure that your integration :

  • doesn't use Xalan or XercesImpl dependencies
  • uses a patched Java version (JDK7u40+, JDK8 or higher)

PAdES

If you use dss-pades, it is also strongly encouraged to upgrade your DSS version, as these releases include a fix of PdfBox to patch vulnerabilities.


Contribute

If you would like to speak to us about suggested improvement for CEF eSignature, we would love to hear from you. Please contact us by clicking on the button below.

Click here to see the DSS Jira project's current issue list.

Thanks for downloading DSS

We would greatly appreciate if you could also help us enhance the user experience of this website and fill in this survey to tell us who you are:


In compliance with our record and privacy statement, I accept that CEF uses the information I have provided for:

 



I don't wish to participate