DSS releases

September 2024

July 2024

-

December 2023

Main new features / improvements :

• Transition from javax.* to jakarta.* namespaces;
• Demos : webapp migrated from Spring to Spring-Boot 3;
• Demos : removed sscd-mocca-adapter module.

Bug fixes / issues :

• KeyEntityTSPSource : add null safe processing.

+ All the changes included in DSS 5.13.

NOTE: This version uses jakarta.* namespaces. Use DSS 5.13 for javax.* support.

December 2023

Main new features / improvements :

• RFC 6283 XML Evidence Records (XMLERS) validation support;
• Offline PKI Factory;
• Support of new standard versions TS 119 102-2 v1.4.1 and TS 119 615 v1.2.1;
• Validation of detached time-stamps considers POEs from other time-stamps;
• XAdES : added support of EdDSA algorithm;
• XAdES : support of a custom DataObjectFormat element;
• JAdES : added support of "x5u" header;
• Added support for OCSP responders without nonce;
• Added qualification information messages to simple certificate report;
• Added optional validation constraint for enforced time-stamp presence and validity verification;
• Added Dockerfile to run DSS Demo WebApp;
• Dependencies update (BouncyCastle, Apache Santuario, PdfBox, OpenPdf, etc.);
• Documentation improvements;
• Java 21 support.

Bug fixes / issues :

• XAdES : fixed signing of XML documents with comments / non UTF-8 encoding;
• XAdES : fixed signature creation with custom DSSReference definition;
• PAdES : improved LT-level determination algorithm;
• ASiC : fixed false negative validation result on ASiC-S container validation with a manifest;
• Adjusted OCSP nonce generation to required 32 octets;
• Fixed multi-threading issue within ZipUtils;
• Fixed NullPointerException in DiagnosticData when validating with a custom trusted list certificate source;
• Demo WebApp : fixed custom validation time input field on a certificate validation webpage;
• Demo WebApp : added a customizable property to skip RSA keys validation (fixes issue with long application launching);
• Other minor fixes and improvements.

November 2023

-

June 2023

Main new features / improvements:

• Improved Trust Service validation and qualification status reporting;
• Improved MRA processing;
• Dependencies update;
• Demonstrations : improved eSig validation tests.

Bug fixes / issues:

• Fixed Diagnostic Data unmarshalling on certificate validation;
• Fixed NullPointerException on unknown Digest Algorithm;
• WebApp : fixed OCSP load with disabled JDBC source.

April 2023

Main new features / improvements :

• PAdES : signature creation with external CMS provider;
• PAdES : added PDF/A validation support;
• PAdES : spoofing attack detection;
• PAdES : improved performance and memory consumption on signature validation;
• PAdES : VRI dictionary made optional;
• XAdES : less memory consuming message-imprint computation;
• JAdES : added support of EdDSA algorithms;
• Validation : improved RFC 5280 conformance;
• Validation : return INDETERMINATE/CERTIFICATE_CHAIN_GENERAL_FAILURE if no acceptable revocation found;
• Validation policy : improved handling of expired cryptographic algorithms;
• DataLoader : removed default SSL-protocol definition;
• DataLoader : added an option of pre-emptive basic authentication;
• SignatureTokenConnection : possibility to filter keys;
• REST/SOAP services : added a setter of default validation policy;
• REST/SOAP services : added a signing method with a provided SignatureAlgorithm;
• Simple report : added information about trust anchors;
• Add support for SAML metadata XSD;
• Removed redundant xml-apis and commons-codec dependencies declaration;
• DSS Standalone : signing of multiple document;
• DSS Standalone : extension of signed documents;
• DSS Standalone : validation of documents;
• WebApp : add a property to define a custom trusted certificate source;
• Dependencies update (BouncyCastle, HttpClient5, Apache Santuario, PdfBox, etc.);
• Documentation improvement (F.A.Q. section, offline support, etc.);
• Java 19 support.

Bug fixes / issues :

• PAdES : unable to extend a document with /DSS dictionary before a timestamp;
• PAdES : improved code to preserve PDF/A documents validity;
• PAdES : fixed text auto-fitting function in certain configurations;
• PAdES : ensure DocMDP is created as a direct object;
• CAdES : OCSP responses incorporation for CAdES-BASELINE-LT profile;
• XAdES : improved handling of custom DSSReference configurations;
• XAdES : fixed rare issue with inability to create ENVELOPED signature;
• Fixed extension of not AdES signatures with a revoked certificate;
• TLValidationJob : fixed unexpected exception and thread stuck during the refresh;
• NativeHTTPDataLoader : threads can get stuck;
• JdbcCacheConnector : improved code to allow some database implementations;
• SubjectAlternativeName certificate extension extraction;
• Skipping ProspectiveCertificateChain always results to PASSED;
• Unknown MRA equivalence URI caused an error.

February 2023

-

v5.11.1

November 2022

Main new features / improvements :
•    Maven Central release;
•    Update vulnerable dependencies.

Bug fixes :
•    Fixed URN OID extraction from an XML Trusted List.

v5.11

Main new features / improvements :

• PAdES : improved PDF-signing performance (add caching of the temporary revision);
• PAdES : introduce temporary document processing factory (e.g. in-file or in-memory);
• PAdES : simplified configuration of modification detection modules;
• PAdES : added signing app name for signature;
• ASiC : introduce ASiC Merger;
• ASiC : improved ASiC in-file processing (avoid loading document into memory);
• XAdES : add support of a custom CommitmentType qualifier;
• CAdES : improved signature file extension naming;
• TL-validation : Trust Service equivalence scheme and Mutual Recognition Agreement support;
• Other : dependencies update (Apache Santuario, PdfBox, OpenPdf, httpclient5, etc.);
• Demo : eSignature Validation Test Cases automated validation module;
• Demo : added ASiC Merger webpage;
• Standalone app : add TL signing function;
• Standalone app : add XMLManifest signing function;
• Java 18 support.

Bug fixes :

• Qualification determination : Improved algorithm to comply with TS 119 615 + fixed issues;
• JAdES : signature can be created with ECDSA algorithm using a wrong elliptic curve;
• LTA signature is indeterminate because no revocations lists found;
• Exception when a not supported encryption algorithm is provided;
• Validation for ASiC without mimetype returns FORMAT_FAILURE;
• Skipped AcceptableRevocationDataFound constraint may lead to false positive validation result;
• ASiC : unable to proceed validation of CEN-header invalid files;
• SimpleReport : fix valid signatures counter;
• Demo : fix proxy configuration conversion.

v5.11.RC1

Main new features / improvements :

• Maven Central release;
• Update vulnerable dependencies.

Bug fixes :

• Fixed validation of signatures with invalid cryptographic algorithm OID;
• Fixed URN OID extraction from an XML Trusted List.

Main new features / improvements :

• Cookbook update;
• PAdES : object modification detection;
• PAdES : visual signature preview;
• PAdES : avoid repeated creation of OCSP/CRL tokens;
• PAdES : enforce signature creation/validation against ISO 32 000 restrictions (DocMDP, Lock, etc.);
• XAdES and CAdES : added support of extended profiles on validation;
• ASiC services refactoring (various improvements);
• WebService to sign a Trusted List;
• Apple KeyStore as a signature token connection;
• ED448 signature algorithm support;
• Demo : new viewer for XML reports;
• Dependencies upgrade (HttpClient5, BouncyCastle, Santuario, logback, etc.);
• Java 17 support.

Bug fixes :

• PAdES : erroneously triggered visual signature difference warning;
• PAdES : wrong LT-/LTA-level determination for documents with multiple signatures;
• PAdES : original documents extraction does not work against carriage return;
• XAdES : NPE on validation of XAdES v.1.1.1, 1.2.2;
• JAdES : wrong payload computation for 'sigD' with ObjectIdByURI mechanism;
• ASiC : MimeType is lost on re-signature;
• Signature policy caching issue;
• Revocation freshness checks use different values across the code;
• Demo : jumping rows on collapse of TL-validation table;
• Demo : inability to sign when encryption algorithm of the token is different from the one used in signature;
• Demo : wrong encoding on uploaded filenames containing non-ASCII characters.

New features:

• Add an Apple signature token
• Add 'user notice' to signature policy
• PAdES : detect prohibited changes
• SimpleReport : add timestamp signature scopes
• Invalid signatures can be made with Revoked and Suspended certificates on level B and T
• SAV : verify if used digest algorithm for signing-certificate reference is reliable at validation time
• PAdES : check if a visual signature field is within page size
• PAdES : alert on restricted signature creation
• SVC : return possible extension time on failed signature augmentation
• Add support for SHA-3 with PLAIN-ECDSA and ED448 signature algorithms
• PAdES : visual signature pre-visualization

Bugs:

• Add a content timestamp checkbox ignored when signing a digest
• DSS demo : improve exception escalating on content timestamp creation

-

Many improvements in the validation reports

• AIASource introduction : more customizations
• Customization of revocation collection strategy (OCSP/CRL first)
• DocumentBuilderFactory securities
• ECDSA / ECDSA-PLAIN support
• JAdES (JSON AdES) consolidations
• PAdES visual signature refactorings / improvements :
• Image scaling : STRETCH / ZOOM_AND_CENTER / CENTER
• Text wrapping : BOX_FILL / FILL_BOX_AND_LINEBREAK / FONT_BASIC
• Dependency upgrades (Santuario, BouncyCastle, PDFBox,…)
• Java 16 support

Bug fixes :

• Short term OCSP response
• On hold certificate
• Qualification conflict (issuance time / best signing time)
• ASiC-S can’t be timestamped twice
• PAdES revision extraction
• PAdES wrong level detection (files with multiple signatures/timestamps)
• ETSI Validation report : multiple files / references

• JAdES implementation (ETSI TS 119 182 v0.0.6) : signature creation, extension and validation (advanced electronic signatures based on JWS)
• PDF Shadow attacks : prevention and detection
• Counter Signature creation (CAdES, XAdES, JAdES and ASiC containers)
• Support of the unsigned attribute SignaturePolicyStore (CAdES, XAdES, JAdES and ASiC containers)
• Support of the QCLimitValue attribute
• Support of Java 8 up to 15

-

• CertificatePool removal and performance ameliorations
• QWAC validator
• New design of PDF reports
• Support of PSD2 attributes
• Support of EdDSA
• Signature representation with a timeline
• Visual signature creation with REST/SOAP webservices

June 2020

-

• The implementation of the ETSI Validation Report
• The support of Java 12 (multi-release jars)
• Webservice which allows to validate certificates.

• Augmentation of signatures with invalid time-stamps, archive-time-stamps and revoked certificates
• Upgrade to Java 8 or 9
• Certify documents
• Add support of KeyHash in OCSP Responses

• Following a security assessment from the Ruhr-Universität Bochum, we are delivering security patches for DSS versions 5.2 and 5.3

• Certificate validation
• content-timestamps generation
• SHA-3 support
• non-EU trusted list(s) support
• integration of the last version of MOCCA

• Certificate validation
• content-timestamps generation
• SHA-3 support
• non-EU trusted list(s) support
• integration of the last version of MOCCA

-

• Qualification matrix guidelines and documentation
• Improvements regarding visual representation of a signature

• Alternative packaging: Image docker / spring-boot

• CRL streaming, the demo won’t use the X509CRL java object by default (it can be changed). With some signatures, we had large CRLs (+60Mo in Estonia) and that could cause memory issues.
• RSASSA-PSS support, I received some requests to support these algorithms :
  • SHA1withRSAandMGF1 
  • SHA224withRSAandMGF1
  • SHA256withRSAandMGF1
  • SHA384withRSAandMGF1
  • SHA512withRSAandMGF1

December 2017

• Refactoring of ASiC format handling, following the ETSI ASiC Plugtest
• Signature of multiple files (ASiC and XAdES)
• Integration of the Qualification matrix as described in draft ETSI 119 172-4, for supporting signatures before and after 01/07/2016 (eIDAS entry into force)
• Migration to PDFBox 2 for handling PDFs
• Complete refactoring of the ASiC part (creation, extension and validation)
• Compliance to eIDAS regulation.

-

An eSignature Validation PlugTest is planned in April 2016. Depending on the actual timeframe, impacts from this PlugTest may be included in this release, and the release of DSS 4.7 will be postponed accordingly.

Other potential improvements and features:

• Extension of signature validation policy support
• CAdES attribute certificates
• CRL in multiple parts
• Distributed timestamps method
• Support of cross-certification in path building

Based on standards:

• Signature formats when creating a signature: baseline profiles ETSI TS 103 171, 103 172, 103 173, and 103 174
• Signature formats when validating a signature: baseline profiles, and core specs ETSI TS 101 903, 101 733, 102 778 and 102 918
• Signature validation process ETSI TS 102 853

Improvements in packaging and core functionalities:

• CAdES optimisation, CAdES multiple Signer Information. A CAdES PlugTest is occurring in June and July 2015. Changes resulting from this PlugTest will be included in this release. CAdES countersignature will not be supported.
• Impacts from XAdES PlugTest of October 2015
• Processing of large files
• Further refactoring of demo applet (size, validation policy editor)
• SOAP and REST Web Services
• Standalone demo application