***********************************************
Digital eIDAS-Node Release Version 2.7.1
***********************************************
• Product name: eIDAS-Node
• Purpose: Sample Implementation of eIDAS-Node based on eIDAS Technical Specifications: v1.3
• Produced by: Digital eID
• Support Contact: EC-EID-SUPPORT@ec.europa.eu
• Public URL: https://ec.europa.eu/digital-building-blocks/wikis/display/DIGITAL/All+releases
• eIDAS internal ref: eIDAS eID Implementation > eIDAS-Node - Releases > eIDAS-Node v2.7.1 release
• License: EUPL v1.2 https://joinup.ec.europa.eu/sites/default/files/custom-page/attachment/eupl_v1.2_en.pdf
***********************************************

** Documentation **
+ Digital eID technical documentation pertaining to this release can be found on:
++ Digital Home > eID > Services eID > eIDAS-Node Integration Package > VIEW CURRENT VERSION 2.7.1

** Distribution **
+ EIDAS-2.7.1.zip : Distribution version 2.7.1 of the sample eIDAS-Node
++ EIDAS-Sources-2.7.1.zip : Source files (Maven project) of the sample eIDAS-Node Proxy Service and eIDAS-Node Connector, including an example implementation of a Specific Proxy Service module, a Specific Connector module, an SP (Service Provider) and an IdP (Identity Provider).
++ EIDAS-Binaries-wildfly-2.7.1.zip : Deployable war files of a preconfigured eIDAS-Node Proxy Service and eIDAS-Node Connector for a WildFly server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNodeConnector.war, EidasNodeProxy.war, SP.war)
++ EIDAS-Binaries-Tomcat-2.7.1.zip : Deployable war files of a preconfigured eIDAS-Node Proxy Service and eIDAS-Node Connector for a Tomcat server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNodeConnector.war, EidasNodeProxy.war, SP.war)
++ EIDAS-Binaries-Was-2.7.1.zip : Deployable war files of a preconfigured eIDAS-Node Proxy Service and eIDAS-Node Connector for a WebSphere server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNodeConnector.war, EidasNodeProxy.war, SP.war)
++ EIDAS-Binaries-Wls-2.7.1.zip : Deployable war files of a preconfigured eIDAS-Node Proxy Service and eIDAS-Node Connector for a WebLogic server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNodeConnector.war, EidasNodeProxy.war, SP.war)

** Source repository: https://ec.europa.eu/digital-building-blocks/code/scm/eid/eidasnode-pub.git

** This release contains the following improvements:
+ Epic: Connection Status: DiGraph representation of the eIDAS network (EIDINT-6851)
.EIDINT-6699 POC: Connected metadata for dashboard to visualize network
.EIDINT-6855 List of Connected URIs in the Proxy Metadata
.EIDINT-6856 List of Connected URIs in the Connector Metadata
.EIDINT-6857 List of Trust Anchors in the Connector Metadata
.EIDINT-6858 List of Trust Anchors in the Proxy Metadata
.EIDINT-6867 Implementation of the Node-Dashboard Features
.EIDINT-6897 List of Content Encryption Algorithms Available for Encryption in the Proxy Metadata
.EIDINT-6900 Message Signing Certificate is exposed as a Trust Anchor in Example config
.EIDINT-6901 Provide documentation for the features developed by the Dashboard
.EIDINT-6916 For Trust Anchor Digests use base64 in Metadata
.EIDINT-6917 For URL Digests use base64 in Metadata
.EIDINT-6919 Inconsistency regarding the hashing of the metadata signing certificate in the connector-md-signature-trust-store

** This release has been successfully tested for interoperability with previous releases of eIDAS-Node, versions v2.6.0 and v2.7.0
** This release was successfully tested and works with Middleware version 3.1 (3.1.1)

** Known Limitations
The up-to-date list can be found at https://ec.europa.eu/digital-building-blocks/wikis/display/EIDIMPL/eIDAS-Node+-+Releases

** Known Vulnerabilities
Latest vulnerability notifications are found at https://ec.europa.eu/digital-building-blocks/wikis/pages/viewpage.action?spaceKey=EIDIMPL&title=Dependencies+Vulnerabilities+-+eIDAS-Node+v2.x

####### IMPORTANT NOTICE ########################################
#########################################################################################################################################
The eIDAS-Node logs may contain person identification data. Hence, these logs should be handled and protected appropriately, following the European privacy regulations [Dir95/46/EC] and [Reg2016/679].

[Reg2016/679] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
[Dir95/46/EC] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
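The 2.7.1 items above publish trust-anchor and URL digests base64-encoded in the node metadata (EIDINT-6916, EIDINT-6917) and fix an inconsistency in how the metadata signing certificate was hashed in the trust store (EIDINT-6919). The following is an added example, not eIDAS-Node code, of the check an operator can run against a peer's published trust-anchor digest: extract the DER certificate from a PEM export, compute its digest, and compare in constant time, while still recognising (and reporting) a legacy hex-encoded value. The digest algorithm (SHA-256 over the DER bytes) and the existence of a hex form on older deployments are assumptions; the release notes do not state them. The certificate bytes are a constructed placeholder so the script runs offline.

```python
"""Verify a published trust-anchor digest against a certificate.

Added example, not eIDAS-Node code. The release notes say only that trust
anchor and URL digests are base64 in the 2.7.1 metadata; the digest
algorithm (SHA-256 over the DER certificate) and the legacy hex form are
assumptions made for this demo.
"""
import base64
import binascii
import hashlib
import hmac
import re

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)
_DIGEST = hashlib.sha256  # assumed algorithm


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def trust_anchor_digest(der: bytes) -> str:
    """Base64 digest, the form the 2.7.1 metadata publishes."""
    return base64.b64encode(_DIGEST(der).digest()).decode("ascii")


def legacy_hex_digest(der: bytes) -> str:
    """Lower-case hex digest, the assumed pre-2.7.1 form this checker still accepts."""
    return _DIGEST(der).hexdigest()


def decode_published_digest(value: str):
    """Return (raw_digest, encoding) for a base64 or hex published value.

    Length disambiguates: a 32-byte digest is 64 hex characters but 44 base64
    characters, so a 64-character all-hex string is read as hex.
    """
    v = value.strip()
    size = _DIGEST().digest_size
    if re.fullmatch(r"[0-9a-fA-F]{%d}" % (2 * size), v):
        return bytes.fromhex(v), "hex"
    try:
        raw = base64.b64decode(v, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("unrecognised digest encoding: %r" % value) from exc
    if len(raw) != size:
        raise ValueError("decoded digest is %d bytes, expected %d" % (len(raw), size))
    return raw, "base64"


def matches_trust_anchor(der: bytes, published: str):
    """Constant-time comparison of the certificate digest with a published value.

    Returns (matched, encoding) so a caller can accept a match but still warn
    that a peer publishes hex instead of the base64 form.
    """
    raw, encoding = decode_published_digest(published)
    return hmac.compare_digest(_DIGEST(der).digest(), raw), encoding


# Constructed placeholder bytes standing in for a DER certificate so the
# example runs offline; this is not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("published:", trust_anchor_digest(der))
    print("base64 check:", matches_trust_anchor(der, trust_anchor_digest(der)))
    print("hex check:   ", matches_trust_anchor(der, legacy_hex_digest(der)))
```

Feed `pem_to_der` the certificate exported from your own trust store and `matches_trust_anchor` the value published by the peer; a `(True, "hex")` result means the anchor is right but the peer has not yet moved to the base64 encoding.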
#########################################################################################################################################################################################################

####################### previous releases #######################

***********************************************
Digital eIDAS-Node Release Version 2.7.0
***********************************************
• Product name: eIDAS-Node
• Purpose: Sample Implementation of eIDAS-Node based on eIDAS Technical Specifications: v1.3
• Produced by: Digital eID
• Support Contact: EC-EID-SUPPORT@ec.europa.eu
• Public URL: https://ec.europa.eu/digital-building-blocks/wikis/display/DIGITAL/All+releases
• eIDAS internal ref: eIDAS eID Implementation > eIDAS-Node - Releases > eIDAS-Node v2.7.0 release
• License: EUPL v1.2 https://joinup.ec.europa.eu/sites/default/files/custom-page/attachment/eupl_v1.2_en.pdf
***********************************************

** Documentation **
+ Digital eID technical documentation pertaining to this release can be found on:
++ Digital Home > eID > Services eID > eIDAS-Node Integration Package > VIEW CURRENT VERSION 2.7.0

** Distribution **
+ EIDAS-2.7.0.zip : Distribution version 2.7.0 of the sample eIDAS-Node
++ EIDAS-Sources-2.7.0.zip : Source files (Maven project) of the sample eIDAS-Node Proxy Service and eIDAS-Node Connector, including an example implementation of a Specific Proxy Service module, a Specific Connector module, an SP (Service Provider) and an IdP (Identity Provider).
++ EIDAS-Binaries-wildfly-2.7.0.zip : Deployable war files of a preconfigured eIDAS-Node Proxy Service and eIDAS-Node Connector for a WildFly server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNodeConnector.war, EidasNodeProxy.war, SP.war)
++ EIDAS-Binaries-Tomcat-2.7.0.zip : Deployable war files of a preconfigured eIDAS-Node Proxy Service and eIDAS-Node Connector for a Tomcat server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNodeConnector.war, EidasNodeProxy.war, SP.war)
++ EIDAS-Binaries-Was-2.7.0.zip : Deployable war files of a preconfigured eIDAS-Node Proxy Service and eIDAS-Node Connector for a WebSphere server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNodeConnector.war, EidasNodeProxy.war, SP.war)
++ EIDAS-Binaries-Wls-2.7.0.zip : Deployable war files of a preconfigured eIDAS-Node Proxy Service and eIDAS-Node Connector for a WebLogic server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNodeConnector.war, EidasNodeProxy.war, SP.war)

** Source repository: https://ec.europa.eu/digital-building-blocks/code/scm/eid/eidasnode-pub.git

** This release contains the following improvements:
+ Epic: Dependency and servers upgrade (EIDINT-5123)
.EIDINT-6533 Upgrade to latest version of Tomcat (9.x.x)
.EIDINT-6164 Upgrade OpenSaml to 4.3.0: Relax validation on ECDH
.EIDINT-6797 Align BouncyCastle to OpenSaml 4.3.0 Dependency
+ Split of the Eidas Node (EID-599)
+ Epic: Split the EidasNode into EidasNodeConnector and EidasNodeProxy (EIDINT-5800)
.EIDINT-6347 Change specificcommunication definition to load configurations decoupled
.EIDINT-5961 Update ignite's configuration keyStoreFilePath and trustStoreFilePath environment variable references
.EIDINT-5908 Create the eidas-node-proxy external configuration folder
.EIDINT-5907 Create the eidas-node-connector external configuration folder
.EIDINT-5909 Copy keystore inside server folder
.EIDINT-6171 Replace cookie path for Connector and ProxyService in weblogic.xml
.EIDINT-5919 Adapt ssos.serviceMetadataGeneratorIDP.redirect.location value to new eidas-node-proxy URL
.EIDINT-5963 Change specific communication definition to load connector and proxy configurations
.EIDINT-5903 Create module Eidas-Node-Proxy
.EIDINT-5902 Create module Eidas-Node-Connector
.EIDINT-5962 Adapt proxy's configuration for country CA to new connector's metadata URL
.EIDINT-5917 Adapt service.metadata.url value in proxy-service to new eidas-node-proxy metadata URL
.EIDINT-5916 Adapt specific.proxyservice.response.url value to use the one from eidas-node-proxy
.EIDINT-5913 Adapt specific.connector.request.url value to use the one from eidas-node-connector
.EIDINT-5915 Adapt connector.metadata.url value in connector configuration to new eidas-node-connector metadata URL
.EIDINT-5914 Adapt connector's configuration for country CA to new proxy-service metadata URL
.EIDINT-6068 Remove eidas node's configuration files
.EIDINT-5906 Make eidas-node-proxy build produce EidasNodeProxy.war
.EIDINT-5905 Make eidas-node-connector build produce EidasNodeConnector.war
.EIDINT-5920 Adapt ssos.serviceMetadataGeneratorIDP.post.location value to new eidas-node-proxy URL
.EIDINT-5912 Create new specific environment variable to replace EIDAS_CONFIG_REPOSITORY for proxy-service configuration
.EIDINT-5911 Create new specific environment variable to replace EIDAS_CONFIG_REPOSITORY for connector configuration
.EIDINT-6198 Replace EidasNodeErrorUtil.processSAMLEngineException by ConnectorErrorUtil.processSAMLEngineException in EidasNodeMetadataGenerator.java
.EIDINT-5918 Adapt connector.assertion.url value in connector configuration to new eidas-node-connector metadata URL
.EIDINT-5904 Make pom adaptations to allow build of eidas-node-connector and eidas-node-proxy from parent
.EIDINT-6199 Replace EidasNodeErrorUtil.processSAMLEngineException by ProxyServiceErrorUtil.processSAMLEngineException in EidasNodeMetadataGenerator.java
.EIDINT-5964 Increase the port range in igniteSpecificCommunication.xml files of connector and proxy configuration
+ Epic: Split of the Node issues (complementary changes) (EIDINT-3122)
.EIDINT-6551 Remove example config for Encryption Key Override for CountryCode
.EIDINT-6457 Split ignite cache configurations for specific connector and specific proxy service
.EIDINT-6451 Avoid substitution of 'specific config repo' path with 'eidas connector/proxy config path'
.EIDINT-6499 Rename NodeBeanNames to ProxyBeanNames for ProxyService
.EIDINT-6498 Rename NodeBeanNames to ConnectorBeanNames for Connector
.EIDINT-6392 Remove colleagueRequestRedirect.jsp file from proxy-service
.EIDINT-5074 ServiceMetadataFetcher should be used instead of NodeMetadataFetcher
.EIDINT-5073 ConnectorMetadataFetcher should be used instead of NodeMetadataFetcher
.EIDINT-6565 Design an interface for the specific cache implementation and settings
.EIDINT-6364 After the node split the EIDAS-Node-Connector and the EIDAS-Node-Proxy use the same configuration for ignite
.EIDINT-6377 EIDAS-Node folders still contained in the source code
.EIDINT-5722 Displayed user error 003009 - Metadata information does not log metadata URL in log files
.EIDINT-6124 Missing cookie path for SpecificConnector.war and SpecificProxyService.war (EID-1293)
.EIDINT-5779 Remove decryption keystore from ProxyService (EID-1243)
.EIDINT-6248 EidasNodeConnector and EidasNodeProxy write logs to the same files
.EIDINT-6217 Default value for default.specific.proxyservice.idp.response.service.url contains /EidasNode/IdpResponse
.EIDINT-6138 Inconsistencies for properties related to prefix country.code after the node split
.EIDINT-6159 Inconsistency for properties connector.contact.email and service.contact.email
.EIDINT-6459 URLs containing EidasNode are still used in the logging document after the node split
+ Epic: Further split Eidas Node modules and code to align with EidasNode split (EIDINT-5803)
.EIDINT-6071 Remove encryption certificate from being published in proxy-service's metadata (EID-608)
.EIDINT-6237 Remove generateErrorAuthenticationResponse from AUCONNECTORSAML in the Connector
.EIDINT-6058 Move Ignite configuration files into ignite folder
.EIDINT-6453 Remove service.id parameter from Proxy Service eidas.xml
.EIDINT-6098 Update Copyright
.EIDINT-6097 Remove build version from jsp pages
.EIDINT-6157 Remove footer-img.jsp
.EIDINT-6085 Remove deprecated ServiceExceptionHandlerServlet class
.EIDINT-6240 Replace deprecated method AuthnContextClassRef#setAuthnContextClassRef by recommended XSURI#setURI
.EIDINT-6102 Replace deprecated method AuthnContextClassRef#getAuthnContextClassRef by recommended XSURI#getURI
.EIDINT-6073 Remove unnecessary PluginPropertyLoader class
.EIDINT-6072 Remove unnecessary AUCONNECTORCountrySelector class and ICONNECTORCountrySelectorService interface
.EIDINT-6077 Remove unnecessary InternalExceptionHandlerServlet class
.EIDINT-6076 Remove unnecessary EidasNodeInterceptorException class
.EIDINT-6083 Remove deprecated ConnectorExceptionHandlerServlet class
.EIDINT-6084 Remove deprecated ResponseCarryingConnectorException class
.EIDINT-6086 Remove unused embedded-validator profile from connector and proxy's pom.xml
.EIDINT-6080 Move WrappedMetadataFetcher out of production code
.EIDINT-6100 Remove authorship
.EIDINT-6204 Remove active.module.connector entry and related functionality
.EIDINT-6205 Remove active.module.service entry and related functionality
.EIDINT-6342 Remove Encryption configuration from connector
+ Epic: Removal of proxy-service code from EidasNodeConnector.war (EIDINT-5801)
.EIDINT-6007 Adapt EidasNodeValidationUtil.java to removal of classes from eu.eidas.node.service and from eu.eidas.node.auth.service
.EIDINT-5998 Adapt MessageLoggerUtils.java to removal of classes from eu.eidas.node.logging.service
.EIDINT-6245 Adapt NodeBeanNames.java to removal of classes from eu.eidas.node.logging.service
.EIDINT-6012 Adapt EidasNodeErrorUtil.java to removal of classes from eu.eidas.node.service
.EIDINT-6244 Adapt NodeBeanNames.java to removal of classes from eu.eidas.node.service
.EIDINT-6008 Adapt EidasNodeMetadataGenerator.java to removal of classes from eu.eidas.node.service and from eu.eidas.node.auth.service
.EIDINT-6000 Adapt PropertiesUtil.java to removal of classes from eu.eidas.node.service and from eu.eidas.node.auth.service
.EIDINT-6065 Create a keystore folder inside connector configuration folder
.EIDINT-5997 Remove classes from package and sub-packages of eu.eidas.node.service from connector
.EIDINT-6234 Remove EidasNodeErrorUtil from EIDAS-Node-Connector
.EIDINT-6010 Remove specificProxyServiceWarPackaging profile from connector
.EIDINT-6016 Remove tokenRedirectMsProxyService.jsp page from connector
.EIDINT-6013 Remove proxyServiceErrorPage.jsp page from connector
.EIDINT-5972 Remove Proxy-service configuration from connector's configuration
.EIDINT-6039 Remove proxy-service's configuration entries from connector's external and default eidas.xml
.EIDINT-5976 Remove proxy-service logging related classes from connector code
.EIDINT-6009 Remove specificProxyServiceJarPackaging profile from connector
.EIDINT-5996 Remove classes from package and sub-packages of eu.eidas.node.auth.service from connector
.EIDINT-6017 Remove connectorRedirect.jsp page from connector
.EIDINT-6018 Remove proxy-service's references from connector's web.xml
.EIDINT-6047 Remove unused idpRedirect.js file
.EIDINT-6046 Remove unused base64.js file
.EIDINT-6011 Replace ProxyServiceError by ConnectorError in ConnectorErrorServlet.java
.EIDINT-6015 Remove saml-engine-stork-attributes.xml file
+ Epic: Removal of connector code from EidasNodeProxy.war code (EIDINT-5802)
.EIDINT-6241 Adapt NodeBeanNames.java to removal of classes from eu.eidas.node.logging.connector
.EIDINT-6243 Adapt NodeBeanNames.java to removal of classes from eu.eidas.node.connector and eu.eidas.node.auth.connector
.EIDINT-6066 Create a keystore folder inside proxy-service's configuration folder
.EIDINT-6027 Adapt PropertiesUtil.java to removal of classes from eu.eidas.node.connector and from eu.eidas.node.auth.connector
.EIDINT-6028 Adapt EidasNodeMetadataGenerator.java to removal of classes from eu.eidas.node.connector
.EIDINT-6033 Adapt MessageLoggerUtils.java to removal of classes from eu.eidas.node.logging.connector
.EIDINT-6044 Remove tokenRedirectMsConnector.jsp file from proxy-service
.EIDINT-6042 Remove connectorErrorPage.jsp page from proxy-service
.EIDINT-6020 Remove connector's references in proxy-service's applicationContext.xml
.EIDINT-6019 Remove connector related configuration files from proxy-service's configuration
.EIDINT-6038 Remove connector's configuration entries from proxy-service's external and default eidas.xml
.EIDINT-6023 Remove connector logging related classes from proxy-service code
.EIDINT-6040 Remove specificConnectorJarPackaging profile from proxy-service
.EIDINT-6041 Remove specificConnectorWarPackaging profile from proxy-service
.EIDINT-6025 Remove classes from package and sub-packages of eu.eidas.node.auth.connector from proxy-service module
.EIDINT-6026 Remove classes from package and sub-packages of eu.eidas.node.connector from proxy-service module
.EIDINT-6035 Remove connector's references from proxy-service's web.xml
.EIDINT-6043 Remove saml-engine-stork-attributes.xml file
.EIDINT-6045 Remove unused base64.js file
.EIDINT-6048 Remove unused idpRedirect.js file
.EIDINT-6030 Replace Logger ConnectorIncomingLightRequestLogger in ProxyServiceIncomingEidasRequestLoggerTest.java
.EIDINT-6031 Adapt EidasNodeErrorUtil.java to removal of classes from eu.eidas.node.auth.connector
+ Specifications alignments 1.3
+ Epic: 1.3 Specification alignments - 2.7 (EIDINT-5176)
.EIDINT-5806 Allow mask generation function of rsa-oaep algorithm to be configured
.EIDINT-6519 Change the default mask generation function for rsa-oaep
.EIDINT-6496 Allow ds:DigestMethod of RSA-OAEP algorithm to be configured
.EIDINT-6688 Update enum EidasProtocolVersion to include 1.3
+ Epic: Support for new Common Attributes (EIDINT-6552)
.EIDINT-6426 Add AttributeDefinition Nationality for naturalperson
.EIDINT-6427 Add AttributeDefinition CountryOfBirth for naturalperson
.EIDINT-6428 Add AttributeDefinition TownOfBirth for naturalperson
.EIDINT-6429 Add AttributeDefinition CountryOfResidence for naturalperson
.EIDINT-6430 Add AttributeDefinition PhoneNumber for naturalperson
.EIDINT-6431 Add AttributeDefinition EmailAddress for naturalperson
.EIDINT-6432 Add AttributeDefinition LegalPhoneNumber for legalperson
.EIDINT-6433 Add AttributeDefinition LegalEmailAddress for legalperson
.EIDINT-6434 Modify Demotools to show Nationality for naturalperson
.EIDINT-6435 Modify Demotools to show CountryOfBirth for naturalperson
.EIDINT-6436 Modify Demotools to show TownOfBirth for naturalperson
.EIDINT-6437 Modify Demotools to show CountryOfResidence for naturalperson
.EIDINT-6438 Modify Demotools to show PhoneNumber for naturalperson
.EIDINT-6439 Modify Demotools to show EmailAddress for naturalperson
.EIDINT-6440 Modify Demotools to show LegalPhoneNumber for legalperson
.EIDINT-6441 Modify Demotools to show LegalEmailAddress for legalperson
.EIDINT-6584 Finally: Resort the AttributeDefinitions
.EIDINT-6659 Create AttributeValueMarshaller for Countrycodes
.EIDINT-6664 Duplicate AttributeDefinitions to Representation
.EIDINT-6672 Modify Demotools to allow representation
.EIDINT-6677 Validate countrycode with AttributeValueMarshaller
.EIDINT-6683 Add Protocol version 1.3 to eIDAS Node 2.7 Metadata
+ Specifications 1.1
+ Epic: Removal of eIDAS technical specification 1.1 support from CEF eID node's code (EIDINT-5536)
.EIDINT-2406 Remove Not Specified gender value due to end of transition period
.EIDINT-6369 Add validation to stop messages that only support 1.1 specifications
.EIDINT-5532 Remove SHA-1 RSA-OAEP Digest Algorithm when eIDAS Node version 1.x support is dropped
.EIDINT-5895 Remove requesterId adaptations to nodes supporting EIDAS specifications v.1.1 or lower
.EIDINT-5894 Remove protocol version 1.1 from metadata pages
.EIDINT-5896 Remove non-notified LoA adaptations to nodes supporting EIDAS specifications v.1.1 or lower
.EIDINT-5897 Remove NameIDPolicy adaptations to nodes supporting EIDAS specifications v.1.1 or lower
+ Error handling improvement
+ Epic: Enhancement of error management (EIDINT-1483)
.EIDINT-6370 Create a Connector implementation of AbstractParameterValidator
.EIDINT-5743 Replace exceptions with ConnectorError
.EIDINT-5656 Catch InvalidParameterEIDASException in ConnectorIncomingLightRequestLogger
.EIDINT-5658 Catch InvalidParameterEIDASException in ProxyServiceOutgoingLightRequestLogger
.EIDINT-5657 Catch InvalidParameterEIDASException in ProxyServiceIncomingLightResponseLogger
.EIDINT-5683 Catch EIDASMetadataRuntimeException in EidasProtocolProcessor
.EIDINT-5864 Catch EidasNodeException in EIDAS-SAMLEngine
.EIDINT-5974 Adapt exceptions for SecurityRequestFilter in EIDAS-Connector
.EIDINT-5694 Align exceptions to be consistent
.EIDINT-5744 Replace exceptions with ProxyServiceError
.EIDINT-5975 Adapt exceptions for SecurityRequestFilter and AbstractSecurityRequest in EIDAS-ProxyService
.EIDINT-6092 Adapt exceptions for AbstractSecurityRequest in EIDAS-Connector
.EIDINT-5645 Replace EidasNodeException with ProxyServiceError
.EIDINT-5639 Split EidasNodeErrorUtil into ConnectorErrorUtil and ProxyServiceErrorUtil
.EIDINT-6201 Remove unused STORK image from webapp resources
.EIDINT-6145 Error message in logs is confusing when using http (metadata.restrict.http set to default value)
.EIDINT-5709 Eidas Error pages: add Locators
.EIDINT-5638 Create new error page for ProxyService
.EIDINT-5652 Add catch blocks in EidasNodeMetadataGenerator for EidasNodeException
.EIDINT-5644 Replace EidasNodeException with ConnectorError
.EIDINT-5641 Create new servlet to handle ProxyServiceError
.EIDINT-5640 Create new servlet to handle ConnectorError
.EIDINT-5659 Add event id to exceptions
.EIDINT-5940 Eidas 2.7 Error handling: Distinguish error pages: connector/Proxy service side
.EIDINT-5648 Fix NPE in ProxyServiceOutgoingEidasResponseLoggerFilter and ProxyServiceIncomingLightResponseLoggerFilter
.EIDINT-5971 EIDAS 2.7: JAVADOC: Add description for new deprecated code
.EIDINT-5636 Create new exception class SamlFailureResponseException
.EIDINT-5642 Create a new servlet to handle SamlFailureResponseException
.EIDINT-5647 Deprecate generateSamlTokenFail methods from ISERVICEService
.EIDINT-5635 Create new exception classes for Connector and ProxyService
.EIDINT-5650 Deprecate unused exceptions
.EIDINT-5651 Delete unused jsp
.EIDINT-5654 Replace ServletException with ProxyServiceError
.EIDINT-5649 Deprecate generateErrorAuthenticationResponse from ISERVICESAMLService
.EIDINT-5646 Replace ResponseCarryingServiceException with SamlFailureResponseException
.EIDINT-5653 Replace ServletException with ConnectorError
.EIDINT-5655 Deprecate error handler servlets
.EIDINT-5793 Deprecate attributes in AbstractEIDASException
.EIDINT-5809 Update contactEmail constant to contactSupportEmail
.EIDINT-5888 Deprecate EidasMetadataRuntimeException
.EIDINT-5637 Create new error page for Connector
.EIDINT-6001 Unexpected error page displayed when connectorErrorPage.jsp is expected on invalid LightRequest
.EIDINT-6022 Unexpected error page displayed when failure element in LightResponse is null or empty
.EIDINT-6003 Flow stops when it should continue on LightRequest containing unknown attribute
.EIDINT-6601 Error Handling 2.7: Flow should fail when connector receives invalid light request: empty element
.EIDINT-6602 Error Handling 2.7: Flow should fail when connector receives invalid light request: duplicate element
+ Other issues eIDAS-Node
+ Epic: Key agreement support (EIDINT-3984)
.EIDINT-4091 Change the name of the property "key.encryption.algorithm"
+ Epic: Enhancement of Security Provider Support (EIDINT-5360)
.EIDINT-5838 Avoid use of JCE names parameter when obtaining algorithm from the Security Providers
+ Epic: Regressions (EIDINT-5056)
.EIDINT-1041 Dependency missing: org.jetbrains.annotations
.EIDINT-6529 Invalid default value for security.header.CSP.report.uri in EIDAS-Config

** This release contains the following bug fixes:
+ Specifications 1.3
+ Epic: 1.3 Specification alignments - 2.7 (EIDINT-5176)
.EIDINT-6660 Representative/PersonIdentifier has wrong NamespacePrefix
+ Other issues eIDAS-Node
+ Epic: Code Cleanup and removal (EIDINT-5079)
.EIDINT-5347 Remove unused Interfaces and classes CControllerService and SControllerService
.EIDINT-6290 Some modules have the property java.version still set to 1.8
.EIDINT-5926 Remove file LIC.sh in repository
.EIDINT-5898 Reference of "CEF" should be removed from html pages
.EIDINT-5899 Version of the Node (metadata) must be updated: eIDAS-ref: 2.7.0
.EIDINT-6331 Narrow Scope of "component-scan" in the Connector
.EIDINT-6332 Narrow Scope of "component-scan" in the ProxyService
.EIDINT-6638 Remove Bootstrap from the Eidas Node modules
+ Reported issues
+ Epic: Reported issues (EIDINT-4925, EIDINT-5008)
.EIDINT-5984 Typo in eu.eidas.auth.engine.configuration.dom.DOMConfigurator#configureMetadataFetcher (EID-1271)
.EIDINT-6368 eID parsing errors (EID-1311)
.EIDINT-6500 Unexpected access to metadata directory (EID-1322)
.EIDINT-6127 ECDH does not interoperate between version 2.5.0 and 2.6.0 (EID-1294)
.EIDINT-5778 Separate Keystore for trusted metadata certificate (EID-1242)
+ Epic: Member State reported issues - 2.7 pre-release
.EIDINT-6772 (EID-1341) Defaults in SamlEngine.xml
.EIDINT-6719 Clear DEPRECATED messages
.EIDINT-6748 Error message when using HSM for decryption
.EIDINT-6718 Error in validateIssuerProtocolVersions (Proxy)
.EIDINT-6725 Error in validateIssuerProtocolVersions (Connector)
.EIDINT-6771 (EID-1342) Compatibility with multiple versions of the protocol
.EIDINT-6747 Return to dynamic registration of BouncyCastle provider
.EIDINT-6714 Keep possibility for /EidasNode/ prefix in 2.7

** This release contains the following security improvements/fixes:
+ Static Code Analysis
+ Epic: Robustness and Quality (EIDINT-1458, EIDINT-5314)
EIDINT-6002 EIDINT-6004 EIDINT-6005 EIDINT-6006 EIDINT-5499 EIDINT-6494
+ Epic: Content Security Policy (EIDINT-5363)
.EIDINT-4126 CSP scanner: frame-ancestors directive is not defined
.EIDINT-6579 CSP warnings Eidas Node
.EIDINT-5389 Remove or improve code concerning the configuration entry "validation.method"
.EIDINT-2532 Inconsistent behavior when the CSP report is truncated in log message
.EIDINT-6607 CSP scanner: frame-ancestors directive is not defined: Specific connector
.EIDINT-6780 eidas.xml CSP.report.uri can only be configured partially
.EIDINT-6705 CSP script-src policy in specificConnector / specificProxyService
.EIDINT-6629 Two CSP violation reports received when retrieving the metadata in Chrome
+ Epic: Other Security Issues (EIDINT-5124)
.EIDINT-5608 Subdependency version is not the correct one when reusing eidas-saml-engine
.EIDINT-6668 Process truststores and keystores differently
+ Epic: Other PT or SAST issues (EIDINT-5626)
.EIDINT-5766 Apply password best practices, where necessary, to the Ignite configuration
+ Epic: Enhancement of Demo Tools (EIDINT-1466)
.EIDINT-6258 Add user with non-latin characters in first name and family name attribute values
.EIDINT-6263 Implement the CSP functionality in Specific Proxy-Service
.EIDINT-6274 Implement the CSP functionality in Specific Connector
.EIDINT-6262 Fix Redirect loop in jsp pages
.EIDINT-6235 Remove or Upgrade vulnerable jquery-1.11.3.min.js
+ Epic: Analysis of "Dependency - Vulnerability" in eIDAS-Node 2.7.0 (EIDINT-6036)
.EIDINT-5943 CVE-2021-29425
.EIDINT-5944 CVE-2013-2185
.EIDINT-5945 CVE-2013-4444
.EIDINT-5946 CVE-2020-8022
.EIDINT-5947 CVE-2020-8908
.EIDINT-5948 CVE-2021-28170
.EIDINT-5949 CVE-2016-1000027
.EIDINT-5950 CVE-2018-15756
.EIDINT-5951 CVE-2020-5421
.EIDINT-5952 CVE-2022-22965
.EIDINT-5953 CVE-2022-22968
.EIDINT-6037 CVE-2022-22950
.EIDINT-6049 CVE-2022-22950
.EIDINT-6069 CVE-2022-22970
.EIDINT-6444 CVE-2021-37533

++ Documentation Improvements 2.7:
+ Epic: Other documentation issues (EIDINT-1455)
EIDINT-6390 EIDINT-6161 EIDINT-6024 EIDINT-6371 EIDINT-6391 EIDINT-5867 EIDINT-6685 EIDINT-6817

** This release has been successfully tested for interoperability with the previous release of eIDAS-Node, version v2.6.0
** This release was successfully tested and works with Middleware version 3.1 (3.1.1)

** Known Limitations
The up-to-date list can be found at https://ec.europa.eu/digital-building-blocks/wikis/display/EIDIMPL/eIDAS-Node+-+Releases

** Known Vulnerabilities
Latest vulnerability notifications are found at https://ec.europa.eu/digital-building-blocks/wikis/pages/viewpage.action?spaceKey=EIDIMPL&title=Dependencies+Vulnerabilities+-+eIDAS-Node+v2.x

***********************************************
CEF eIDAS-Node Release Version 2.6.0
***********************************************
• Product name: CEF eIDAS-Node
• Purpose: Sample Implementation of eIDAS-Node based on eIDAS Technical Specifications: v1.2
• Produced by: CEF eID
• Support Contact: CEF-EID-SUPPORT@ec.europa.eu
• Public URL: https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/All+releases
• eIDAS internal ref: eIDAS eID Implementation > eIDAS-Node - Releases > eIDAS-Node v2.6.0 release
• License: EUPL v1.2 https://joinup.ec.europa.eu/sites/default/files/custom-page/attachment/eupl_v1.2_en.pdf
***********************************************

** Documentation **
+ CEF eID technical documentation pertaining to this release can be found on:
++ CEF Digital Home > eID > Services eID > eIDAS-Node Integration Package > VIEW CURRENT VERSION 2.6.0

** Distribution **
+ EIDAS-2.6.0.zip : Distribution version 2.6.0 of the sample eIDAS-Node
++ EIDAS-Sources-2.6.0.zip : Source files (Maven project) of the sample eIDAS-Node, including an example implementation of a Specific Proxy Service module, a Specific Connector module, an SP (Service Provider) and an IdP (Identity Provider).
++ EIDAS-Binaries-wildfly-2.6.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WildFly server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Tomcat-2.6.0.zip : Deployable war files of a preconfigured eIDAS-Node for a Tomcat server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Was-2.6.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebSphere server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Wls-2.6.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebLogic server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)

** This release contains the following improvements:
.EIDINT-5614 Add support for Justice and Consumers Financial Stability, Financial Services and Capital Markets Union (AKA BORIS) sector specific attributes
+ Improve user error pages for failures
.EIDINT-5526 Adapt error page to include contact details
+ Member State reported issues
.EIDINT-4664 (EID-1086) The EidasNode 2.4 version breaks metadata signing using HSM
.EIDINT-4691 (EID-1090) Decryption uses all keys in keystore to decrypt
.EIDINT-5529 ProxyService not taking country code from Connector's metadata
.EIDINT-3187 Documentation update with regard to EID-815
.EIDINT-5762 sha512-rsa-MGF1 not allowed (EID-1241)
+ Enhancement of Security Provider Support
.EIDINT-5403 Implement support for encrypting with HSM keys
.EIDINT-5618 Support of decryption for RSA using PKCS11
.EIDINT-5402 Implement support for Signing with HSM keys
.EIDINT-5404 Removal of BouncyCastle configuration through code
.EIDINT-5577 Remove add.BouncyCastle.provider and related functionality
.EIDINT-4569 eIDAS node default provider should be made more restrictive towards certificate validation
.EIDINT-2070 Analyse implementation of an "HSM" Interface (EID-572)
.EIDINT-5366 Custom security provider configuration in java.security makes JUnit test fail
.EIDINT-5761 Fix JCENames for verification of signature algorithms for PKCS11 (EID-1240)
.EIDINT-5754 sha256 MessageDigest not available (EID-1240)
+ Other Security Interface issues
.EIDINT-4228 Remove limitation in signature verification based on the order of certificates (EID-1027)
.EIDINT-5297 Metadata signing certificate chain should not be extrapolated from keystore content
+ Move from Java 8 to Java 11
.EIDINT-5200 Add jaxb dependency
.EIDINT-5201 Add dependency org.glassfish:javax.json
.EIDINT-5202 Update org.eclipse.persistence:org.eclipse.persistence.moxy dependency to version 2.7.8
+ JCache with Java 11
.EIDINT-5203 Allow jdk.unsupported module for support of Ignite in WildFly
.EIDINT-5288 Hazelcast configuration with Java 11
+ Upgrade to OpenSAML 4
.EIDINT-5380 Static files in webapp/resources folder are not loaded in WebLogic 14.1.1.0.0
.EIDINT-5210 Upgrade opensaml.version to version 4.0.1
.EIDINT-5209 Upgrade opensaml.api.version to version 4.0.1
.EIDINT-5206 Add org.opensaml:opensaml-security-impl dependency
.EIDINT-5371 Use version 23.0.2.Final Servlet-Only Distribution as the only supported server for WildFly
.EIDINT-5368 Identify the servers that support OpenSaml4/Java11
.EIDINT-5212 Fix compilation issues due to dependencies upgrade
.EIDINT-5207 Upgrade shibboleth.xmlsupport.version to version 8.0.0
.EIDINT-5211 Upgrade opensaml-security-ext.version to version 2.0.1
.EIDINT-5557 IgniteException when using external BouncyCastle provider and JDK 11.0.11
.EIDINT-5497 Review migration guide regarding OpenSaml 4
+ 1.2 Specification alignments
.EIDINT-5175 Remove validation of a maximum of 2 MDSs
.EIDINT-2252 (EID-623) Read only first item in metadata - bug 2 (Signing certificate)
+ Default configuration for CSP
.EIDINT-4959 Default configuration for security.header.HSTS.includeSubDomains
.EIDINT-4958 Default configuration for security.header.XFrameOptions.sameOrigin
.EIDINT-4957 Default configuration for security.header.XContentTypeOptions.noSniff
.EIDINT-4956 Default configuration for security.header.XXssProtection.block
.EIDINT-4549 Default configuration for security.header.CSP.enabled
.EIDINT-4955 Default configuration for security.header.CSP.includeMozillaDirectives
+ Default configuration for Metadata
.EIDINT-4555 Default configuration for nonDistributedMetadata.retention
.EIDINT-4554 Default configuration for metadata.validity.duration
.EIDINT-4553 Default configuration for metadata.file.repository
.EIDINT-4965 Default configuration for node.metadata.not.signed.descriptors
.EIDINT-4962 Default configuration for metadata.restrict.http
.EIDINT-4966 Default configuration for metadata.check.signature
.EIDINT-4960 Default configuration for metadata.http.retrieval
.EIDINT-4390 Default configuration for metadata.activate
.EIDINT-4964 Default configuration for metadata.sector
.EIDINT-2172 End transition period for display of xsi:type from LoA metadata attribute value
.EIDINT-4961 Default configuration for metadata.hide.loatype
+ Default configuration for requests
.EIDINT-4952 Default configuration for request.sign.with.key.value
.EIDINT-4450 Default configuration for max.requests.sp
.EIDINT-4449 Default configuration for max.requests.ip
.EIDINT-4548 Default configuration for max.time.sp
.EIDINT-4954 Default configuration for max.time.ip
+ Default configuration for responses
.EIDINT-4389 Default configuration for assertion.encrypt.with.key.value
.EIDINT-4384 Default configuration for response.encryption.mandatory
.EIDINT-4953 Default configuration for response.sign.with.key.value
.EIDINT-4951 Default configuration for response.sign.assertions
+ Default configuration for TLS
.EIDINT-4376 Default configuration for tls.enabled.protocols
.EIDINT-4949 Default configuration for tls.enabled.ciphers
+ Default configuration for Application identifiers
.EIDINT-4386 Default configuration for eidas.protocol.version
.EIDINT-4388 Default configuration for active.module.connector
.EIDINT-4385 Default configuration for eidas.application.identifier
.EIDINT-4950 Default configuration for active.module.service
+ Default configuration of properties for Country code validation
.EIDINT-4387 Default configuration for insert.prefix.identifiers.country.code
.EIDINT-4972 Default configuration for validate.prefix.country.code.identifiers
.EIDINT-4377 Default configuration for check.citizenCertificate.serviceCertificate
+ Default configuration for logging
.EIDINT-4552 Default configuration for hashDigest.className
.EIDINT-5160 Default configuration for saml.audit
.EIDINT-4383 Default configuration for full.message.logging
+ Other default configurations saml engine
.EIDINT-4497 Change default signature algorithm from sha512-rsa-MGF1 to ecdsa-sha512
.EIDINT-4661 Improvement of (default) configuration for SAML engine
.EIDINT-5133 Default configuration for disallow_self_signed_certificate
.EIDINT-5068 Default configuration for signature.algorithm.whitelist
.EIDINT-5132 Default configuration for check_certificate_validity_period
.EIDINT-5134 Default configuration for data.encryption.algorithm
.EIDINT-5135 Default configuration for encryption.algorithm.whitelist .EIDINT-5168 Default configuration for key.encryption.algorithm.key.wrapping .EIDINT-5167 Default configuration for key.encryption.algorithm .EIDINT-5105 Default configuration for enable.address.attribute.subject.confirmation.data +Other default parameters configuration .EIDINT-5573 Invalid error page when redirect.binding is disallowed .EIDINT-4448 Default configuration for validation.method .EIDINT-5131 Default configuration for validate.binding .EIDINT-5370 Remove service configuration from EIDAS-Config eidas.xml other than CA and CB .EIDINT-5158 Default configuration for saml.connector .EIDINT-5159 Default configuration for saml.service .EIDINT-5129 Default configuration for DEMO-SP.validation .EIDINT-4447 Default configuration for validation.bypass .EIDINT-5128 Default configuration for trusted.sp.domains .EIDINT-5161 Default configuration for service.LoA .EIDINT-5122 Remove disable.check.mandatory.eidas.attributes +Code Cleanup and removal .EIDINT-2383 Remove EIDAS-ConfigModule as dependency from node and demo tools .EIDINT-2064 Remove stork's QAA related code .EIDINT-5181 Remove unused properties from ConfigurationSecurityBean .EIDINT-5182 Cleaning applicationContext default values .EIDINT-5866 Cleanup unused JcacheProvidedImpl profil +Junit tests coverage improvements in 2.6 .EIDINT-5245 Improve code coverage in AbstractProtocolEncrypter .EIDINT-5243 Improve code coverage in AbstractProtocolCipher .EIDINT-5241 Improve code coverage in AbstractCachingMetadataFetcher .EIDINT-5237 Improve code coverage in LightTokenEncoder .EIDINT-5236 Improve code coverage in AbstractSecurityRequest .EIDINT-5244 Improve code coverage in AbstractProtocolDecrypter .EIDINT-5246 Improve code coverage in AbstractProtocolEngine .EIDINT-5247 Improve code coverage in AbstractProtocolSigner .EIDINT-5249 Improve code coverage in AssertionUtil .EIDINT-5250 Improve code coverage in AttributeDefinition .EIDINT-5252 
Improve code coverage in AttributeValidator .EIDINT-5253 Improve code coverage in AUCONNECTOR .EIDINT-5267 Improve code coverage in EidasRequestedAuthContextValidator .EIDINT-5251 Improve code coverage in AttributeRegistry .EIDINT-5270 Improve code coverage in FileMetadataLoader .EIDINT-5257 Improve code coverage in AUSERVICESAML .EIDINT-5255 Improve code coverage in AUSERVICE .EIDINT-5265 Improve code coverage in EidasNodeValidationUtil .EIDINT-5264 Improve code coverage in EidasDigestUtil .EIDINT-5260 Improve code coverage in BuilderFactoryUtil .EIDINT-5254 Improve code coverage in AUCONNECTORSAML .EIDINT-5256 Improve code coverage in AUSERVICECitizen .EIDINT-5262 Improve code coverage in ColleagueRequestServlet .EIDINT-5261 Improve code coverage in CertificateValidator .EIDINT-5268 Improve code coverage in EidasRequestedAttributeValidator .EIDINT-5269 Improve code coverage in ExtensionsSchemaValidator .EIDINT-5271 Improve code coverage in GenderAttributeValueMarshaller .EIDINT-5272 Improve code coverage in IncomingLightRequestValidatorLoaComponent .EIDINT-5275 Improve code coverage in LightMessagesConverter .EIDINT-5276 Improve code coverage in MetadataUtil .EIDINT-5278 Improve code coverage in ProtocolEngine .EIDINT-5279 Improve code coverage in ProtocolEngineFactory .EIDINT-5280 Improve code coverage in ResponseUtil .EIDINT-5281 Improve code coverage in SAMLEngineUtils .EIDINT-5282 Improve code coverage in SecurityRequestFilter .EIDINT-5284 Improve code coverage in SpecificConnectorRequestServlet .EIDINT-5285 Improve code coverage in XmlSchemaUtil .EIDINT-4106 Improve Junit tests with NIST Curve P-256 cases +Documentation Improvements 2.6 .EIDINT-4802 Migration of the documentation to Confluence 2.6 .EIDINT-5086 (EID-1129) Improve the documentation of installation and configuration guide ** This release contains the following bug fixes: +Improvement Metadata trustchain publishing and consuming. 
.EIDINT-4773 The trust validation of the Metadata breaks when only the intermediate is trusted .EIDINT-4774 The node publishes the chain certificate in a different order depending of the content of Metadata keystore +Other issues eIDAS-Node .EIDINT-5031 Enabling/Disabling of security.header.CSP.enabled not working .EIDINT-4868 (EID-1126) - IEIDASLogger could be removed .EIDINT-5377 Fix failing Junit Tests for TLSv1.1 on jdk1.8.0_219 and jdk11.0.11 .EIDINT-5455 Fix Ignite nodes time out due to Multicast address unavailable .EIDINT-5346 Test classes replacing application context should restore original context. .EIDINT-5094 Sometimes the node fails to block the requests from Specific Connector. .EIDINT-4201 Mixed signature types is not possible with eIDAS-Node .EIDINT-4505 Fix tests in EidasNodeMetadataGeneratorTest .EIDINT-4940 Test Failure missing BC provider +Feedback (issues, bugs,...) coming from UUM&DS team .EIDINT-5084 (EID-1188) Validation of representation response only allows two types of persons .EIDINT-5006 (EID-1163) AssertionUtil issue with the enableAddressAttributeSubjectConfirmationData field .EIDINT-5085 (EID-1189, EID-1191) Deployment of standalone eIDAS node should not require specific connector and proxy configuration +Static Code Analisys EIDINT-5525 EIDINT-5466 EIDINT-5498 EIDINT-5119 EIDINT-5118 EIDINT-5017 EIDINT-4606 ** This release contains the following security fixes: +Issues identified by PT 20200928 .EIDINT-4815 PTES-011 CSP Report URL Poisoning .EIDINT-4818 PTES-008 Cache in browser .EIDINT-4814 PTES-012 - INFO - Traffic analysis +Issues identified by SAST 20200928 .EIDINT-4823 SAST-ERR-004 .EIDINT-4820 SAST-ERR-001 .EIDINT-4822 SAST-ERR-002 +Other PT or SAST issues .EIDINT-5767 Futher restrict web.xml error codes to generic error pages +Analysis of "Dependency - Vulnerability" in eIDAS-Node 2.6.0 .EIDINT-5011 CVE-2020-29244 .EIDINT-5012 CVE-2020-29245 .EIDINT-5010 CVE-2020-29243 .EIDINT-5009 CVE-2020-29242 .EIDINT-5708 CVE-2020-15522 
.EIDINT-5495 CVE-2021-28170 .EIDINT-5344 CVE-2020-7226 .EIDINT-5311 CVE-2021-29425 .EIDINT-4994 CVE-2020-8908 .EIDINT-4982 CVE-2016-10750 .EIDINT-4983 CVE-2012-5568 .EIDINT-4984 CVE-2013-2185 .EIDINT-4985 CVE-2013-4444 .EIDINT-4986 CVE-2020-8022 .EIDINT-4987 CVE-2013-6440 .EIDINT-4988 CVE-2017-16853 .EIDINT-4989 CVE-2018-15756 .EIDINT-4990 CVE-2020-5421 .EIDINT-5539 CVE-2021-28164 .EIDINT-5719 CVE-2021-42550 .EIDINT-5558 CVE-2021-40690 .EIDINT-5312 CVE-2020-13936 .EIDINT-5859 CVE-2022-22965 +Upgrade plugins and dependencies .EIDINT-5199 Upgrade plugin org.codehaus.mojo:jaxb2.maven.plugin to version 2.5.0 .EIDINT-5198 Upgrade plugin org.apache.maven.plugins:maven-compiler-plugin to version 3.8.0 .EIDINT-5197 Upgrade dependency org.mockito:mockito-core to version 3.7.0 .EIDINT-5437 Replace cobertura plugin by JaCoCo plugin for code coverage .EIDINT-5575 Upgrade org.apache.santuario:xmlsec dependency to version 2.2.3 .EIDINT-5720 Upgrade BouncyCastle dependency from current version 1.64 to at least 1.66 (1.70) +Other Security Issues .EIDINT-5362 Replace JKS keystores by PKCS12 keystores .EIDINT-5035 SecurityRequestFilter is being activated for ServiceProvider instead of SpecificConnectorRequest .EIDINT-2362 Update expired keys and certificates in keystores .EIDINT-3621 Add support of SHA-256 to Encryption RSA OAP (EID-921) .EIDINT-4506 Metatada Signature algo is not validated with its own whitelist .EIDINT-5306 Add configuration for metadata signature algorithm .EIDINT-5111 SecurityRequestFilter is not being activated for IdpResponse and SpecificProxyServiceResponse ** This release has been successfully tested for interoperability with previous releases of eIDAS-Node versions v2.5.0 and v1.4.5 ** This release was successfully tested and works with Middleware version 2.2 (2.2.6) ** Known Limitations The up to date list can be found at https://ec.europa.eu/digital-building-blocks/wikis/display/EIDIMPL/eIDAS-Node+-+Releases ** Known Vulnerabilities Latest vulnerability 
notifications are found at https://ec.europa.eu/digital-building-blocks/wikis/display/EIDIMPL/eIDAS-Node+-+Releases *********************************************** CEF eIDAS-Node Release Version 2.5.0 *********************************************** • Product name: CEF eIDAS-Node • Purpose: Sample Implementation of eIDAS-Node based on eIDAS Technical Specifications: v1.2 • Produced by: CEF eID • Support Contact: CEF-EID-SUPPORT@ec.europa.eu • Public URL: https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/All+releases • eIDAS internal ref: eIDAS eID Implementation > eIDAS-Node - Releases > eIDAS-Node v2.5.0 release • License: EUPL v1.2 https://joinup.ec.europa.eu/sites/default/files/custom-page/attachment/eupl_v1.2_en.pdf *********************************************** ** Documentation ** + CEF eID technical documentation pertaining to this release can be found on: ++ CEF Digital Home > eID > Services eID > eIDAS-Node Integration Package > VIEW CURRENT VERSION 2.5.0 ** Distribution ** + EIDAS-2.5.0.zip : Distribution version 2.5.0 of the sample eIDAS-Node ++ EIDAS-Sources-2.5.0.zip : Source files (Maven project) of the sample eIDAS-Node including an example of implementation of a Specific Proxy Service module, Specific Connector module , a SP (Service Provider) and IdP (Identity Provider). 
++ EIDAS-Binaries-Glassfish-2.5-0.zip : Deployable war files of a preconfigured eIDAS-Node for a Glassfish server (including SpecificConnector.war, SpecificProxyService.war,IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-wildfly-2.5.0.zip: Deployable war files of a preconfigured eIDAS-Node for a wildfly server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Tomcat-2.5.0.zip: Deployable war files of a preconfigured eIDAS-Node for a Tomcat server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Was-2.5.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebSphere server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war) ++ EIDAS-Binaries-Wls-2.5.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebLogic server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war) ** This release contains the following improvements: (Please note that EIDINT-XXXX references are for internal use only) + Technical Specifications 1.2 .EIDINT-4424 Extend Connector's LOA validation to non-notified scheme LOAs .EIDINT-4683 Enforce decision page 04. 
RequesterId MSs consultation page .EIDINT-4423 Extend Proxy-Service LOA validation to non-notified scheme LOAs .EIDINT-4176 (EID-1063) Before validating the signature of a SAML object, the node does not check the digest algorithm .EIDINT-4559 Implement support for 1.1 and 1.2 eIDAS specification for Gender attribute .EIDINT-4438 Add RequesterID flag to Proxy-Service's metadata .EIDINT-4562 Set the eidas.protocol.version values to 1.1 and 1.2 .EIDINT-4439 Extend Simple Protocol to support requester_id .EIDINT-4425 Foward the non-notified scheme LOAs in Light Response into Simple Protocol Response .EIDINT-4412 Foward the non-notified scheme LOAs in Simple Protocol Request into Light Request .EIDINT-2221 Align allowed signature algorithms to eIDAS specification 1.2 .EIDINT-4461 Proxy-Service's LOA validation for Connector eiDAS Request .EIDINT-4413 Extend Light Request to allow support to non-notified scheme LOAs .EIDINT-4415 Foward the non-notified LOAs in Light Request into eIDAS Request .EIDINT-4416 Foward the non-notified scheme LOAs in eiDAS Request into Light Request .EIDINT-4320 Implement support for multiple application identifier values .EIDINT-4457 Add publishing of non-notified LOAs in Proxy-Service Metadata .EIDINT-4411 Fill in non-notified scheme LOAs Simple Protocol with Demo SP chosen ones .EIDINT-4410 Extend Simple Protocol request to allow support to non-notified scheme LOAs .EIDINT-4456 Forward the Light Request requesterId into requester_Id of Simple Protocol Request .EIDINT-4455 Foward the eIDAS Request requester Id into the Light Request requesterId .EIDINT-4440 Extend Light Request to support requesterId .EIDINT-4319 Implement support for multiple protocol versions values in separate elements .EIDINT-4418 Add non-notified loa's values to Demo IdP's Level of Assurance view options .EIDINT-4409 Add multi-selection of non-notified scheme LOAs support to Demo SP .EIDINT-4453 Foward the requester_Id in Simple Protocol Request into Light Request 
requesterId .EIDINT-4452 Add RequesterId support to Demo SP .EIDINT-2466 Set "temporary 256" upper limit to the length of the EUID .EIDINT-4324 Update to the TLS 1.2 supported Java 8 ciphers that are in eidas 1.2 specifications .EIDINT-4323 Restrict the node configuration to the use of TLSv1.2 .EIDINT-4317 Implement publishing of NodeCountry in Proxy-Service metadata .EIDINT-4318 Implement consuming of the NodeCountry to fill in the Identifier prefix .EIDINT-4316 Β Implement publishing of NodeCountry in Connector metadata .EIDINT-4414 Extend eIDAS Request to allow support to non-notified LOAs .EIDINT-4417 Foward the non-notified scheme LOAs in Light Request into Simple Protocol .EIDINT-4701 Exact match between Response and Published LoA .EIDINT-4454 Foward the requesterId Light Request into the eIDAS Request .EIDINT-4630 Extend Light Request validateLevelsOfAssurance for empty .EIDINT-4321 Allow representative attributes to be requested .EIDINT-4521 Valiation of RequesterID value in Connector .EIDINT-4520 Valiation of RequesterID value in ProxyService .EIDINT-4395 Update code related to citizen country code's validation .EIDINT-4370 Remove SHA1 tls enabled ciphers .EIDINT-2222 Remove "Not Specified" from Gender possible values .EIDINT-4488 Remove rsa-ripemd160 from test code + Break of the LightRequest / LightResponse interface .EIDINT-3925 (EID-980) VersionMismatch in LightResponse should be statusCode and not subStatusCode .EIDINT-4343 Add SP Country Code to Light Request interface .EIDINT-4677 Generation of LightMessage model from XSD .EIDINT-4550 Extend Light Response to allow support of SAML consent values .EIDINT-3919 (EID-978) XML for failed LightResponse is not valid according XSD .EIDINT-4551 Set Consent Attribute to in eIDAS SAML Response to Unspecified if no other acceptable value is provided in the Light Response .EIDINT-4168 (EID-1022) Light Response and LightRequest xml Namespaces + eIDAS Default parameters configuration .EIDINT-4372 Creation of 
default eidas.xml configuration file .EIDINT-4532 Default configuration for signature.algorithm.whitelist + Jcache support for the eIDAS Node .EIDINT-3186 Unnecessary Hazelcast code removal + Logging of messages eIDAS Node 2.x branch .EIDINT-4264 Create a new log configuration that allows a new log file for debug full message logging .EIDINT-4231 Improve Light Message logging process to avoid finish without logging .EIDINT-4206 Refactoring MessageLogging: Replace StringBuilders with MessageLog Model .EIDINT-4462 Correct logging order for incoming EIDAS request/response .EIDINT-4205 Refactoring MessageLogging: Centralize util methods .EIDINT-4259 Log the complete Light Request leaving the Proxy-Service .EIDINT-3077 log the complete eIDAS SAML Response received by the Connector .EIDINT-3076 log the complete eIDAS SAML Response leaving the Proxy-Service .EIDINT-3075 log the complete eIDAS SAML Request received by the Proxy-Service .EIDINT-3074 log the complete eIDAS SAML Request leaving the Connector .EIDINT-4261 Log the complete Light Response leaving the Connector .EIDINT-4260 Log the complete Light Response received by the Proxy-Service .EIDINT-4258 Log the complete Light Request received by the Connector .EIDINT-4229 LightRequest MessageLoggers should not remove request from cache .EIDINT-4230 LightResponse MessageLoggers should not remove response from cache .EIDINT-4263 Add external configuration property to enable/disable full message debug logging .EIDINT-4479 Remove commented/unnecessary code from ConnectorOutgoingLightResponseLoggerTest + Member States specific node (migration ) .EIDINT-4150 Externalize EIDAS-JCache-Ignite-Specific-Communication caches. 
.EIDINT-4152 Externalize EIDAS-JCache-Hazelcast-Specific-Communication cache names .EIDINT-4151 Renaming of Hazelcast specific communication cache names to align with Ignite cache names + Other issues eIDAS-Node 2.5 .EIDINT-4721 Allow digest method algorithm and digest method algorithm whitelist to be externally configurable .EIDINT-3891 Analyse and estimate the eIDAS SAML to Light Request/Response Specific modules implementations .EIDINT-3193 SpecificConnector cannot parse message - org.apache.ignite.IgniteException: Failed to initialize SSL context .EIDINT-4160 UPDATE POM version EIDAS-Node-2.5.0-SNAPSHOT .EIDINT-4380 Connector check the nationality code of a sending country in assertions .EIDINT-4482 Remove config param "include.assertion.fail.response.application.identifiers" .EIDINT-4480 Discontinue support for sys property "org.opensaml.httpclient.https.disableHostnameVerification" .EIDINT-4340 (EID-1046) - SecurityConsiderations - add awareness about the risks related to org.opensaml.httpclient.https.disableHostnameVerification property .EIDINT-4311 (EID-1043) Avoid or document that Ignite and other entities "call home" .EIDINT-4105 (EID-1014) Interoperability issues .EIDINT-4496 Replace Glassfish 5.0.0 full platform by 5.0.1 web profile .EIDINT-4350 Javadoc improvement : 34 warnings .EIDINT-4543 Transform EIDAS-Config properties into a deploy-able set of property files .EIDINT-4460 Move call to checkConnectorActive to beggining servlet call at SpecificConnectorRequestServlet .EIDINT-4391 CertificateUtilTest two test in error in one Dev environment .EIDINT-4220 Remove service url validation from Connector .EIDINT-3644 Reload of the metadata in the cache after a refresh of the ApplicationContext. 
.EIDINT-4221 Remove unneeded version element from dependency in SimpleProtocol pom.xml .EIDINT-4314 Update the doc - WLP disable Webprofile .EIDINT-3488 Externalize samlresponse max size in EidasAuthnResponseValidator .EIDINT-3487 Externalize samlrequest max size in EidasAuthnRequestValidator .EIDINT-4217 Remove commented code from specificConnectorApplicationContext.xml and specificProxyServiceApplicationContext.xml .EIDINT-4162 Javadoc is pointing to itself ** This release contains the following bug fixes (Please note that EIDINT-XXXX references are for internal use only): + Technical Specifications 1.2 .EIDINT-4671 Metadata validation passes when trust chain is signed using SHA1 .EIDINT-4582 RSA keys of lenght less than 3072 are accepted by the Node to validate metadata + Break of the LightRequest / LightResponse interface .EIDINT-4445 Invalid substatus code is conveyed in SAML response .EIDINT-4159 The Connector does not validate the NameIDPolicy value from the SAML Response + Improve user error pages for failures .EIDINT-4009 Test Specific: Blank page after submitting Edit Light Request page with an invalid XML .EIDINT-4041 Test Specific: Blank page after submitting Edit Light Response page with an invalid XML + Logging of messages eIDAS Node 2.x branch .EIDINT-4581 Oversized Light messages are logged in eIDASNodeFullMsgExchange .EIDINT-4373 Long string received instead of SAML message is logged in eIDASNodeFullMsgExchange .EIDINT-4066 SAML Response message is exposed in the log when sending big light request .EIDINT-4522 (EID-1051) Method retrieveProxyServiceAttributes possibly removed by mistake + Split of the Node into Connector and ProxyService .EIDINT-3130 Implement custom publishing of eIDAS attributes at ServiceMetadata + Other issues eIDAS-Node 2.5 .EIDINT-3903 (EID-974) Signature algorithms listed as digest algorithm in metadata .EIDINT-4537 Exception when building Eidas Node using Dev/Dev cache configuration .EIDINT-4173 Build of tests failing due to 
order .EIDINT-4105 (EID-1014) Interoperability issues .EIDINT-4704 JAVADOC Errors eidas 2.5 .EIDINT-4530 ProxyService Metadata Generation checks incorrect metadata enabled flag .EIDINT-4127 Metadata retrieval read for active.module.connector or active.module.service are false .EIDINT-4544 "SEVERE" Error thrown at startup - Unable to process Jar entry .EIDINT-3953 Inconsistency in Eidas-attributes.xml config files .EIDINT-4348 Javadoc failure .EIDINT-4391 CertificateUtilTest two test in error in one Dev environment .EIDINT-4266 Invalid subStatusCode in case of partial minimum dataset is provided by Idp .EIDINT-3648 Websphere 8 (node1): Flow fails on the SpecificProxyServiceResponse in case of LoA mismatch .EIDINT-4265 UPDATE protocol version in Metadata 2.5.0 .EIDINT-4545 Flow fails with Invalid Light Response error if the connector metadata is not reachable when generating the SAML response. .EIDINT-2570 EIDAS 2.2 : version not set correctly in consent page .EIDINT-4768 Regression Eidas 2.5 Compilation error when building Profile -PNodeOnly +Static Code Analisys EIDINT-4604 EIDINT-4748 EIDINT-4707 EIDINT-4708 EIDINT-4709 EIDINT-4659 EIDINT-4599 EIDINT-4605 EIDINT-4477 EIDINT-4658 EIDINT-4504 **This release contains the following security fixes: .EIDINT-4629 CVE-2020-1963 .EIDINT-3963 Upgrade javax.servlet:jstl:1.1.2 dependency .EIDINT-4171 Upgrade org.apache.santuario:xmlsec:jar:2.0.10 dependency by a non vulnerable one .EIDINT-3001 Upgrade current guava version 19.0 .EIDINT-4624 Upgrading version of "opensaml-security-ext" .EIDINT-4936 CVE-2020-13956 Upgrade org.apache.httpcomponents:httpclient from version 4.5.5 to 4.5.13 **This release contains the following fixes related to the feedback received from MSs on the 2.5 pre-release.(Please note that EIDINT-XXXX references are for internal use only): + Source code fixes .EIDINT-4835 (EID-1105) Unknown hash algorithm null .EIDINT-4891 (EID-1112) Unsupported algorithms shouldn't be allowed in metadata .EIDINT-4888 
(EID-1110) Node 2.5.0 produce illegal Metadata with schema violation .EIDINT-4875 (EID-1139) Invalid value "false" for omitXmlDeclaration .EIDINT-4872 (EID-1138) JavaScript error in citizenConsentResponse.jsp page .EIDINT-4895 (EID-1115) Wrong error message in XmlSchemaUtilTest .EIDINT-4894 (EID-1119) eIDAS-Node Error Codes document has not deprecated codes .EIDINT-4870 (EID-1136) Typos "metdata" instead of "metadata" .EIDINT-4869 (EID-1135) Typos "fecther" instead of "fetcher" + Documentation fixes .EIDINT-4842 (EID-1121) TLS configuration in documentation still mentions TLSv1.1 .EIDINT-4864 (EID-1130) Incorrections in eIDAS-Node Installation and Configuration Guide document .EIDINT-4866 (EID-1131) The XML LightRequest figure missing in eIDAS-Node National IdP and SP Integration Guide document .EIDINT-4865 (EID-1134) Broken reference in eIDAS-Node Migration Guide 2.5 documentation .EIDINT-4873 (EID-1127) Application server folder names incorrect in documentation .EIDINT-4874 (EID-1132) Incorrections in eIDAS-Node and SAML document .EIDINT-4867 (EID-1123) Documented Websphere configuration context roots are incorrect .EIDINT-4879 (EID-1128) Deployment procedures inconsistency .EIDINT-4895 (EID-1118) websphere session cookie configuration rejected .EIDINT-4852 (EID-1102) LightRequest XML must have namespace .EIDINT-4885 (EID-1109) use any other hash algorithm than SHA 512 when signing ** This release has been successfully tested for interoperability with previous releases of eIDAS-Node versions v2.4.0 and v1.4.5 ** This release was successfully tested and works with Middleware version 2.0 (2.0.1) ** Known Limitations The up to date list can be found at https://ec.europa.eu/cefdigital/wiki/x/IgdIEQ ** Known Vulnerabilities Latest vulnerability notifications are found at https://ec.europa.eu/cefdigital/wiki/x/CwB2Ag ** The eIDAS default supported Cipher suites for java8 https://ec.europa.eu/cefdigital/wiki/x/6MXuAw *********************************************** CEF 
eIDAS-Node Release Version 2.4.0 *********************************************** • Product name: CEF eIDAS-Node • Purpose: Sample Implementation of eIDAS-Node based on eIDAS Technical Specifications: v1.1 • Produced by: CEF eID • Support Contact: CEF-EID-SUPPORT@ec.europa.eu • Public URL: https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/All+releases • eIDAS internal ref: eIDAS eID Implementation > eIDAS-Node - Releases > eIDAS-Node v2.4.0 release • License: EUPL v1.2 https://joinup.ec.europa.eu/sites/default/files/custom-page/attachment/eupl_v1.2_en.pdf *********************************************** ** Documentation ** + CEF eID technical documentation pertaining to this release can be found on: ++ CEF Digital Home > eID > Services eID > eIDAS-Node Integration Package > VIEW CURRENT VERSION 2.4.0 ** Distribution ** + EIDAS-2.4.0.zip : Distribution version 2.4.0 of the sample eIDAS-Node ++ EIDAS-Sources-2.4.0.zip : Source files (Maven project) of the sample eIDAS-Node including an example of implementation of a Specific Proxy Service module, Specific Connector module , a SP (Service Provider) and IdP (Identity Provider). 
++ EIDAS-Binaries-Glassfish-2.4.0.zip : Deployable war files of a preconfigured eIDAS-Node for a Glassfish server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-wildfly-2.4.0.zip : Deployable war files of a preconfigured eIDAS-Node for a wildfly server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Tomcat-2.4.0.zip : Deployable war files of a preconfigured eIDAS-Node for a Tomcat server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Was-2.4.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebSphere server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Wls-2.4.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebLogic server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)

** This release contains the following improvements: (Please note that EIDINT-XXXX references are for internal use only)
+ Implementation of Key agreement support (EIDINT-3672, EIDINT-4006, EIDINT-4007, EIDINT-4008, EIDINT-4035, EIDINT-4069, EIDINT-4092, EIDINT-4170, EIDINT-4090) (EID-594):
. Add se.swedenconnect.opensaml:opensaml-security-ext dependency (EIDINT-4004)
. Upgrade shibboleth version from 7.3.0 to 7.5.0 (EIDINT-4002)
. Upgrade the opensaml version from 3.3.0 to 3.4.4 (EIDINT-4003)
. Create an ecc key certificate and add it to Connector keystores (EIDINT-4005)
. Upgrade BouncyCastle dependency to version 1.64 (EIDINT-4047)
. Implement support for multiple private keys in Connector's keystore (EIDINT-4011) (EID-1013)
+ Implementation of support for brainpool curves for SAML Signing (EID-1017):
. Support brainpool curves for SAML Metadata Signing (EIDINT-4107) (EID-1017)
+ Implementation of support for http(s) forwarding proxy:
. Eidas Node support for http(s) forwarding proxy / egress (EIDINT-2590) (EID-657)
+ Conveying SPCountry in LightRequest (EID-922)
. Design - SPCountry to LightRequest (EIDINT-3918)
. Add external configuration property to enable/disable validation of prefixing identifier-like attribute values (EIDINT-4032)
. Add external configuration property to enable/disable prefixing identifier attribute values (EIDINT-4031)
+ Ignite default config with SSL
. Reintroduce default enabled SSL/TLS from Ignite configuration files (EIDINT-4055)
+ Implementation of Enable/Disable adding Bouncy castle provider (EIDINT-3100) (EID-803)
+ Failure when NameIDPolicy of request and response don't match : issue 2 (EIDINT-3911) (EID-975) (EID-925)
+ Change property key in idp.properties (EIDINT-2016)
+ Eidas-attributes.xml config file contains typo on 20.XmlType.NamespacePrefix: eidas-reprentative-natural and eidas-reprentative-legal should be eidas-representative- (EIDINT-3954, EIDINT-4086) (EID-984)
+ Improvement in "SEC Consult - vulnerability 1" (EIDINT-3845, EIDINT-3950) (EID-1001)
+ Improvements of Logging of messages eIDAS Node 2.x branch (EIDINT-3003):
. Extract common code from the various Logger classes (EIDINT-3768)
. Remove MessageLoggerBean from message loggers (EIDINT-3769)
. Refactor MessageLoggerUtils class (EIDINT-3770)
+ Other improvements:
. Replace Outgoing Logger Filters to use redirect page instead of Servlet Url pattern (EIDINT-3692)
. Remove commented code from SimpleProtocolProcess.java (EIDINT-1988)
. Replace or remove input fields with id="dummyField" (EIDINT-3099)
. Remove use of e.printStackTrace() (EIDINT-3548)
. Replace printStackTrace method call on exception by logger (EIDINT-3512)
. Remove Config profile from EIDAS-Parent pom (EIDINT-2386)
. Extract method for duplicate code on AUCONNECTORSAML#processSpRequest (EIDINT-3615)
. Embedded attribute configuration data on SP, IdP (EIDINT-2404)
. Update EIDAS Metadata VERSION 2.4.0 (EIDINT-3701)

** This release contains the following bug fixes:
+ Correct of Build of tests failing due to order (EIDINT-4173)
+ Correct of Issuer in Light Response is not correct (EIDINT-3422)
+ Correct of Failure when NameIDPolicy of request and response don't match : issue 1 (EIDINT-3910) (EID-925) (EID-975)
+ Correct of Self assignment issue : severity HIGH (EIDINT-3997)
+ Correct of Redirect and Post location whitelists are not correctly validated (EIDINT-4022) (EID-916)
+ Correct of LightResponse generated at Generic Connector doesn't contain RelayState (EIDINT-3926) (EID-977)
+ Correct of Unable to decrypt (v2.2) (EIDINT-2787) (EID-674)
+ Correct of Inconsistent behaviour when replaying Incoming LightRequest and Incoming LightResponse (EIDINT-3638)
+ Correct of Allow only necessary settings of Consent attribute value from configuration files (EIDINT-3627)
+ Correct of Sonar scan: EIDAS-SAMLEngine: 11 Bugs reported (EIDINT-2648)
+ Correct of Maven Warning EIDAS-Metadata\pom.xml (EIDINT-3326)
+ Correct of Maven Warning EIDAS-SAMLEngine\pom.xml (EIDINT-3327)
+ Correct of CR\LF character ending an entry in saml-engine-additional-attributes.xml file causes the key not to be recognised (EIDINT-3149)
+ Correct of Typos found in saml-engine-eidas-attributes.xml (eidas-node) (EIDINT-4087)
+ Correct of Warnings creating javadoc (java 8 more strict) (EIDINT-3588)
+ Correct of Declaration and setting of local variable strSamlToken done in different subsequent lines (EIDINT-3885)
+ Correct of DEMO SP : Referer is not correct (EIDINT-2557)
+ Correct of Profile Jboss 7 is still present in POM for Eidas-Node-Jar (EIDINT-3522)
+ Correct of 7 http sessions are created by authentication (EIDINT-3599)
+ Correct of Exception thrown at a random frequency when using Chrome - NullPointerException: Unable to create ILightResponse (EIDINT-3669)

** This release contains the following security fixes:
+ SEC Consult - vulnerability 1 (EIDINT-3845, EIDINT-3950) (EID-1001)
+ SEC Consult - vulnerability 3 (EIDINT-3847) (EID-958)
+ SEC Consult - vulnerability 4 (EIDINT-3958) (EID-959)
+ SEC Consult - vulnerability 5 (EIDINT-3849) (EID-960)
+ PT 20190814 - PTES-006 (EIDINT-3944) (EIDINT-3958) (EID-1001)
+ PT 20190814 - PTES-012 (EIDINT-3947) (EIDINT-3983)
+ Property active.module.connector should also disable incoming eIDAS SAML Response (EIDINT-3941)
+ Property active.module.service should also disable Proxy-Service response's entry point (EIDINT-3940)
+ Upgrade logback-classic-1.1.2 dependency (EIDINT-2958)
+ Caches default config Expiration policy:
. Add expiration to ignite caches igniteNode.xml and igniteSpecificCommunication.xml files (EIDINT-3948)
. Duration for expiration caches for hazelcast updated based on Ignite cache's duration expiration (EIDINT-4178)

** This release has been successfully tested for interoperability with previous releases of eIDAS-Node versions v2.3.1 and v1.4.5
** This release was successfully tested and works with Middleware version 1.2.0 except for the encryption functionality with key agreement. This is a limitation in the Middleware that will be fixed in Middleware 1.2.1
** Known Limitations
The up to date list can be found at https://ec.europa.eu/cefdigital/wiki/x/YwM9Cg
** Known Vulnerabilities
Latest vulnerability notifications are found at https://ec.europa.eu/cefdigital/wiki/x/CwB2Ag
** The eIDAS default supported Cipher suites for java8 https://ec.europa.eu/cefdigital/wiki/x/6MXuAw

***********************************************
CEF eIDAS-Node Release Version 2.3.1
***********************************************
• Product name: CEF eIDAS-Node
• Purpose: Sample Implementation of eIDAS-Node based on eIDAS Technical Specifications: v1.1
• Produced by: CEF eID
• Support Contact: CEF-EID-SUPPORT@ec.europa.eu
• Public URL: https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/All+releases
• eIDAS internal ref: eIDAS eID Implementation > eIDAS-Node - Releases > eIDAS-Node v2.3.1 release
• License: EUPL v1.2 https://joinup.ec.europa.eu/sites/default/files/custom-page/attachment/eupl_v1.2_en.pdf
***********************************************
** Documentation **
+ CEF eID technical documentation pertaining to this release can be found on:
++ CEF Digital Home > eID > Services eID > eIDAS-Node Integration Package > VIEW CURRENT VERSION 2.3.1
** Distribution **
+ EIDAS-2.3.1.zip : Distribution version 2.3.1 of the sample eIDAS-Node
++ EIDAS-Sources-2.3.1.zip : Source files (Maven project) of the sample eIDAS-Node including an example of implementation of a Specific Proxy Service module, Specific Connector module, a SP (Service Provider) and IdP (Identity Provider).
++ EIDAS-Binaries-Glassfish-2.3.1.zip : Deployable war files of a preconfigured eIDAS-Node for a Glassfish server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-wildfly-2.3.1.zip : Deployable war files of a preconfigured eIDAS-Node for a wildfly server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Tomcat-2.3.1.zip : Deployable war files of a preconfigured eIDAS-Node for a Tomcat server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Was-2.3.1.zip : Deployable war files of a preconfigured eIDAS-Node for a WebSphere server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Wls-2.3.1.zip : Deployable war files of a preconfigured eIDAS-Node for a WebLogic server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)

** This release contains the following improvements: (Please note that EIDINT-XXXX references are for internal use only)
** This release contains the following bug fixes:
+ EIDINT-3864 Update keystores of the sample config
** This release contains the following security fixes:
+ EIDINT-3855 SEC Consult - vulnerability 1 (EID-956)
** This release has been successfully tested for interoperability with previous releases of eIDAS-Node versions v2.3 and v1.4.5
** This release has been successfully tested and works with Middleware version 1.1.0
** Known Limitations
The up to date list can be found at https://ec.europa.eu/cefdigital/wiki/x/YgJfBw
** Known Vulnerabilities
Latest vulnerability notifications are found at https://ec.europa.eu/cefdigital/wiki/x/CwB2Ag
** The eIDAS default supported Cipher suites for java8 https://ec.europa.eu/cefdigital/wiki/x/6MXuAw
** Acknowledgements **
CEF eID team thanks Wolfgang Ettlinger from the SEC Consult Vulnerability Lab (https://www.sec-consult.com) for responsibly reporting the identified issues.

***********************************************
CEF eIDAS-Node Release Version 2.3
***********************************************
• Product name: CEF eIDAS-Node
• Purpose: Sample Implementation of eIDAS-Node based on eIDAS Technical Specifications: v1.1
• Produced by: CEF eID
• Support Contact: CEF-EID-SUPPORT@ec.europa.eu
• URL: https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/All+releases
• License: EUPL v1.2 https://joinup.ec.europa.eu/sites/default/files/custom-page/attachment/eupl_v1.2_en.pdf
***********************************************
** Documentation **
+ CEF eID technical documentation pertaining to this release can be found on:
++ CEF Digital Home > eID > Services eID > eIDAS-Node Integration Package > VIEW CURRENT VERSION 2.3.0
** Distribution **
+ EIDAS-2.3.0.zip : Distribution version 2.3.0 of the sample eIDAS-Node
++ EIDAS-Sources-2.3.0.zip : Source files (Maven project) of the sample eIDAS-Node including an example of implementation of a Specific Proxy Service module, Specific Connector module, a SP (Service Provider) and IdP (Identity Provider).
++ EIDAS-Binaries-Glassfish-2.3.0.zip : Deployable war files of a preconfigured eIDAS-Node for a Glassfish server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-wildfly-2.3.0.zip : Deployable war files of a preconfigured eIDAS-Node for a wildfly server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Tomcat-2.3.0.zip : Deployable war files of a preconfigured eIDAS-Node for a Tomcat server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Was-2.3.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebSphere server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Wls-2.3.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebLogic server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)

** This release contains the following improvements: (Please note that EIDINT-XXXX references are for internal use only)
. Java 8 Migration (EIDINT-2296, EIDINT-3467, EIDINT-2583)
+ Upgrade to Java 8 servers.
. JCache support for Distributed Caches (EDINT-2614, EIDINT-2531, EIDINT-3039, EIDINT-3058)
. Improvement of message logging (EIDINT-2614) (EID-667)
+ Log the outgoing Light Response (EIDINT-3054)
+ Log the outgoing Light Request (EIDINT-3050)
+ Log the incoming Light Request (EIDINT-3047)
+ Log the incoming Light Response (EIDINT-3051)
+ Log the outgoing Saml Request (EIDINT-3048)
+ Log the incoming Saml Request (EIDINT-3049)
+ Log the incoming Saml Response (EIDINT-3053)
+ Enable saml.audit property (EIDINT-3562)
+ Use UTC (Zulu) format for the Timestamp of audit messages (EIDINT-3059)
+ Use UTC (Zulu) format in the logs of EidasNode (EIDINT-3060)
+ Use UTC (Zulu) format in the logs of SP (EIDINT-3595)
+ Implementation of a flowId for logging (EIDINT-3045)
+ Generate a new Id for the outgoing LightRequest (EIDINT-3055)
+ Generate a new Id for the outgoing LightResponse (EIDINT-3057, EDINT-3201)
. Refactoring of metadata whitelist from SamlEngine to MetadataFetcher (EIDINT-2606, EIDINT-2734, EIDINT-2732, EIDINT-2733)
. Improvement of unit test coverage (EIDINT-2653).
** This release contains the following bug fixes:
+ Correct of Unit test failure : eu.eidas.node.auth.metadata.TestEidasNodeMetadataLoader.testValidatesignature (EIDINT-3607) (EID-920)
+ Correct of EidasNode fails to start on Linux (EIDINT-3424)
+ Correct of (EID-652) Problem in validation of entityID of SP (EIDINT-2539)
+ Correct of Build failure due to Unit failure on LINUX (EIDINT-3429)
+ Correct of Validate Signature flag not working for unmarshall response (EIDINT-3177)
+ Correct of Static metadata : including entityId (URI) containing illegal characters should not be loaded (EIDINT-2711)
+ Add the missing values for consent attribute validation in both request and response (EIDINT-3156)
+ Correct of Allow setting of Consent attribute value from configuration files (EIDINT-3157)
+ Correct of Typo in the supported values for "Consent" attribute in SAML response messages (EIDINT-3103)
+ Correct of Duplicated Copyright headers (EIDINT-2381)
+ Correct of Metadata whitelist should be reloadable (EIDINT-3110)
+ Correct of Unexpected CSP violation logged in eIDASNodeDetail (EIDINT-2511)
+ Correct of Color convention is not respected in the proxyservice consent page when building using specificjar (EIDINT-3174)
+ Correct of CSP violation reported for EidasNode/AfterCitizenConsentRequest (EIDINT-2186)
+ Correct of CSP violation reported for EidasNode/IdpResponse (EIDINT-2187)
+ Correct of (EID-659) Interface changes in EIDAS-SAMLEngine (EIDINT-2592)
+ Remove extra string from weblogic.xml file (EIDINT-3626)
+ Correct of Logging: default log directory is not created for jboss and wildfly (EIDINT-2607)

** This release contains the following security fixes:
+ Remove or upgrade jquery-1.11.3.min.js (EIDINT-3034)
++ Library removed from eIDAS-Node Generic parts, but still present in the Specific parts
++ Vulnerable version of JQuery (EID-799): CVE-2019-11358 (EID-909), CVE-2015-9251 (EID-858)
+ Remove or upgrade bootstrap.min.js (EIDINT-3033)
++ Library updated to v4.3.1
++ Vulnerable version of Bootstrap (EID-800): CVE-2016-1000343 (EID-864), CVE-2018-14042 (EID-856), CVE-2018-14040 (EID-854), CVE-2019-8331 (EID-857)
+ Upgrade bouncycastle version (EIDINT-3408, EIDINT-3472)
++ Library updated to v1.60
++ CVE-2018-1000180 (EID-912), CVE-2016-1000339 (EID-860), CVE-2017-13098 (EID-869), CVE-2016-1000346 (EID-867), CVE-2016-1000340 (EID-861), CVE-2016-1000341 (EID-862), CVE-2016-1000342 (EID-863), CVE-2016-1000343 (EID-864), CVE-2016-1000344 (EID-865), CVE-2016-1000345 (EID-866), CVE-2018-1000613 (EID-870), CVE-2016-1000352 (EID-868), CVE-2016-1000338 (EID-859)
+ Correct of DTD is not disabled in the XML parser (light response) (EIDINT-3531) (EID-914)
+ Correct of DTD is not disabled in the XML parser (light request) (EIDINT-3415) (EID-914)
+ Correct of Create size limitation for incoming Connector's LightRequest (EIDINT-3455)
+ Correct of Create size limitation for incoming ProxyService's LightResponse (EIDINT-3456)
+ Correct of Upgrade version of Ignite from 2.6.0 to 2.7.0 (EIDINT-3082)
+ Exclude ignite-shmem dependency (EIDINT-3558)
+ Correct of Possible Cross-Site-Scripting : Sanitize input/output field (EIDINT-2514)
+ Correct of Unnecessary xalan dependency declaration in EIDAS-Parent pom.xml (EIDINT-2994)
+ Correct of Upgrade Spring Framework from v4.1.0 to newer version (EIDINT-2594)
++ Library updated to v4.3.18
++ CVE-2014-3625 (EID-754), CVE-2016-5007 (EID-758), CVE-2015-0201 (EID-755), CVE-2018-1270 (EID-759), CVE-2015-3192 (EID-756), CVE-2018-1271 (EID-760), CVE-2015-5211 (EID-757), CVE-2018-1272 (EID-761), CVE-2018-1199 (EID-911)
+ Correct of Replace report-uri value from configuration instead of from httpServletRequest fields (EIDINT-2733) (EID-671)

** This release has been successfully tested for interoperability with previous releases of eIDAS-Node versions v2.2 and v1.4.5
** This release was successfully tested and works with Middleware version 1.1.0
** Known Limitations
The up to date list can be found at https://ec.europa.eu/cefdigital/wiki/x/e4YnBg
** Known Vulnerabilities
Latest vulnerability notifications are found at https://ec.europa.eu/cefdigital/wiki/x/CwB2Ag
** The eIDAS default supported Cipher suites for java8 https://ec.europa.eu/cefdigital/wiki/x/6MXuAw

####################### previous releases #######################

***********************************************
CEF eIDAS-Node Release Version 2.2
***********************************************
• Product name: CEF eIDAS-Node
• Purpose: Sample Implementation of eIDAS-Node based on eIDAS Technical Specifications: v1.1
• Produced by: CEF eID
• Support Contact: CEF-EID-SUPPORT@ec.europa.eu
• URL: https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/eIDAS-Node+-+All+releases
• License: EUPL v1.2 https://joinup.ec.europa.eu/sites/default/files/custom-page/attachment/eupl_v1.2_en.pdf
• Release date: 19th September 2018
***********************************************
** Documentation **
+ CEF eID technical documentation pertaining to this release can be found on:
++ CEF Digital Home > eID > All eID services > eIDAS Node integration package > View latest version.
** Distribution **
+ EIDAS-2.2.0.zip : Distribution version 2.2.0 of the sample eIDAS-Node
++ EIDAS-Sources-2.2.0.zip : Source files (Maven project) of the sample eIDAS-Node including an example of implementation of a Specific Proxy Service module, Specific Connector module, a SP (Service Provider) and IdP (Identity Provider).
++ EIDAS-Binaries-Glassfish-2.2.0.zip : Deployable war files of a preconfigured eIDAS-Node for a Glassfish server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Jboss-2.2.0.zip : Deployable war files of a preconfigured eIDAS-Node for a wildfly server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Tomcat-2.2.0.zip : Deployable war files of a preconfigured eIDAS-Node for a Tomcat server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Was-2.2.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebSphere server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Wls-2.2.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebLogic server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)

** This release contains the following improvements: (Please note that EIDINT-XXXX references are for internal use only)
** This release contains the following changes to eIDAS-Node
+ Implement Allow SAML Response without assertion (EID-617, EID-630, EDINT-2489)
+ Implement usage of simple DSI keys in SAML messages : ENCRYPTION (EID-570, EIDINT-2219)
+ Remove maven profile: tomcat, websphere, jBoss7 profile for wildfly (EIDINT-2436, EIDINT-638, EIDINT-2396)
+ Use of libraries: remove dependencies xml-apis-1.4.01.jar, xercesImpl-2.11.0.jar (EIDINT-1092, EIDINT-2246)
+ Use of libraries: Move dependencies serializer-2.7.2.jar xalan-2.7.2.jar from application server level to war (EIDINT-1092)
+ Cleanup of dependencies in EidasNode (EIDINT-638)
+ Remove org.owasp.esapi dependency in EidasNode (EIDINT-2437)

** This release contains the following bug fixes:
+ Correct of Published extra certificate outside trustchain in metadata can validate metadata (EIDINT-2247)
+ Correct of Wrong character encoding in Metadata (EID-643, EIDINT-2474)
+ Consolidate eIDAS cipher suites white list for TLS (EIDINT-2002, EIDINT-2274, EIDINT-2470, EIDINT-2374)
+ Metadata issuer whitelist URL is case insensitive, should be sensitive (EIDINT-2475)
+ Support of Sub-CA for Metadata Signer (EID-606, EIDINT-2385)
+ Current address: inconsistency with the specifications (EIDINT-2210)
+ Correct of SpecificCommunicationApplicationContextProviderTest (Some unit tests did not reset it) (EIDINT-2234)
+ Correct of SpecificCommunicationApplicationContextProvider is not thread safe (EIDINT-2235)
+ Correct of ApplicationContextProvider implementations should be improved (EIDINT-2257)
+ Websphere accepts urls only with trailing slash (EIDINT-2101)
+ Replace jasper-el with the newer library tomcat-jasper-el (EIDINT-2456)

** This release contains the following security fixes:
+ Processing authnrequest allows for manipulation of issuer element (EID-631, EIDINT-2236)
+ Analyse and Correct penetration test findings :
++ Incorrect use of methods (EIDINT-2244)
++ Cross-Site-Scripting (EIDINT-2410)
++ Use of deprecated cryptographic hash (EIDINT-2242)
++ Lack of validation on error logs (EIDINT-2243)
++ Library analysis (EIDINT-2238)
++ File handling is not done correctly (EIDINT-2245)
++ xercesImpl dependency is vulnerable : has been removed from the project (EIDINT-2246)

** This release contains the following Changes to Demo Tools
+ Status code in simple protocol missing support for urn:oasis:names:tc:SAML:2.0:status:Requester (EIDINT-2491, EIDINT-2492)
** This release has been tested with the German Middleware version 1.0.4 and 1.0.6.
** Known Limitations
The up to date list can be found at https://ec.europa.eu/cefdigital/wiki/x/SqMSB
** Known Vulnerabilities
Latest vulnerability notifications are found at https://ec.europa.eu/cefdigital/wiki/x/CwB2Ag
** The eIDAS default supported Cipher suites for Java7 and Java8 https://ec.europa.eu/cefdigital/wiki/x/6MXuAw

CEF eID eIDAS-Node Build 2.1.0
Content
This release is based on version 1.1 of the eIDAS Technical Specifications. This release includes stability improvements.
** Documentation **
+ CEF eID technical documentation pertaining to this release can be found on:
++ CEF Digital Home > eID > All eID services > eIDAS Node integration package > View latest version.
** Distribution **
+ EIDAS-2.1.0.zip : Distribution version 2.1.0 of the sample eIDAS-Node
++ EIDAS-Sources-2.1.0.zip : Source files (Maven project) of the sample eIDAS-Node including an example of implementation of a Specific Proxy Service module, Specific Connector module, a SP (Service Provider) and IdP (Identity Provider).
++ EIDAS-Binaries-Glassfish-2.1.0.zip : Deployable war files of a preconfigured eIDAS-Node for a Glassfish server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Jboss-2.1.0.zip : Deployable war files of a preconfigured eIDAS-Node for a JBoss server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Tomcat-2.1.0.zip : Deployable war files of a preconfigured eIDAS-Node for a Tomcat server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Was-2.1.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebSphere server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Wls-2.1.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebLogic server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)

** This release contains the following improvements: (Please note that EIDINT-XXXX references are for internal use only)
** This release contains the following changes to eIDAS-Node
+ Change in Gender allowed values : Allow temporarily "Not Specified" (EIDINT-2215)
+ Add protocol versioning elements to metadata (EDINT-2201)
+ Support of Sub-CA for Metadata Signer (EIDINT-2191, EIDINT-1378)
+ Implement usage of simple DSI keys in SAML messages (EIDINT-1860)
+ Use of SingleSignOnService instead of hardcoded URLs (EIDINT-2145)
+ Build separation between Demo and Node modules (EIDINT-2085)
+ Update copyright headers and remove authorship (EIDINT-669)

** This release contains the following bug fixes:
+ Correct of unit tests, Metadata were expired (EIDINT-2183)
+ Correct applicationContext with default values (EIDINT-2149)
+ Update cipher suite from configuration whitelist (EIDINT-2189)
+ Remove xsi:type from LOA's metadata's attribute value (EIDINT-2037)
+ eIDAS flow with JavaScript off (EIDINT-1993)
+ Correct reference key name related to TLS cipher suites (EIDINT-2373)
+ Change the order of validation when processing the SP request (EIDINT-2127)
+ Replaced the error message "user refused consent at response phase" with "Citizen consent not given." (EIDINT-1872)
+ Replaced the error message "user refused consent at request phase" with "Consent not given for a mandatory attribute." (EIDINT-1873)
+ Throw SAML_ENGINE_NO_METADATA instead of SPROVIDER_SELECTOR_INVALID_SAML when metadata can not be read. (EIDINT-2063)
+ Clean up labels in redirecting jsp pages (EIDINT-1993).

** This release contains the following security fixes:
+ Correction of possible arbitrary data injection in audit trail log (EIDINT-1352)
** Changes to Demo Tools
+ Correct of Null or absent RelayState is handled incorrectly (EIDINT-2207)
** Known Limitations
The up to date list can be found at https://ec.europa.eu/cefdigital/wiki/x/QZfuAw
** Known Vulnerabilities
Latest vulnerability notifications are found at https://ec.europa.eu/cefdigital/wiki/x/CwB2Ag

CEF eID eIDAS-Node Build 2.0.0
Content
This release is based on version 1.1 of the eIDAS Technical Specifications. This release includes major improvements in the architecture by mainly decoupling the Specific modules from the core of the eIDAS-Node.
** Documentation **
+ CEF eID technical documentation pertaining to this release can be found on:
++ CEF Digital Home > eID > All eID services > eIDAS Node integration package > View latest version.
** Distribution **
+ EIDAS-2.0.0.zip : Distribution version 2.0.0 of the sample eIDAS-Node
++ EIDAS-Sources-2.0.0.zip : Source files (Maven project) of the sample eIDAS-Node including an example of implementation of a Specific Proxy Service module, Specific Connector module, a SP (Service Provider) and IdP (Identity Provider).
++ EIDAS-Binaries-Glassfish-2.0.0.zip : Deployable war files of a preconfigured eIDAS-Node for a Glassfish server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Jboss-2.0.0.zip : Deployable war files of a preconfigured eIDAS-Node for a JBoss server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Tomcat-2.0.0.zip : Deployable war files of a preconfigured eIDAS-Node for a Tomcat server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Was-2.0.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebSphere server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Wls-2.0.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebLogic server (including SpecificConnector.war, SpecificProxyService.war, IdP.war, EidasNode.war, SP.war)

** This release contains the following improvements: (Please note that EIDINT-XXXX references are for internal use only)
+ Add support of application server GlassFish Open Source Edition 5.0 (full profile), Glassfish 3 is deprecated.
+ Add support of application server WildFly with version 11.
+ Add support of application server Tomcat 8.5.
+ Add support of application server WebSphere Application Server Liberty Core 9.
+ Analyse and validate the OWASP dependency check report on EidasNode (EIDINT-1595)
** This release contains the following changes to eIDAS-Node
+ Migration from OpenSAML 2.6.5 to OpenSAML 3.0 (EIDINT-1531, EIDINT-1545, EIDINT-1996)
+ New look and feel (EIDINT-1961, EIDINT-1999)
+ Upgrade eIDAS-Node to servlet 3.0 (EIDINT-1634)
+ Relocate Metadata infrastructure to a new module (EIDINT-1635).
+ Definition and implementation of the data communication between Specific [Connector|Proxy-Service] and eIDAS-Node (EIDINT-1663, EIDINT-1943)
+ Improvements to Light Objects interface regarding Subject and RelayState (EIDINT-1777).
+ Change the build process to produce wars or jar from Specific Connector and Specific Proxy-Service (EIDINT-1661)
+ Citizen consent logic moved to Specific Proxy-Service module (EIDINT-1648)
+ Change properties for enabling display of attributes/values in consent pages. (EIDINT-1848)
+ Updater component activated by Maven profile (EIDINT-1886)
** Changes to Demo Tools
+ New Service Provider 2.0 Demo Tools communicating using a simple protocol. (EIDINT-1650, EIDINT-1781)
+ New Identity Provider 2.0 Demo Tools communicating using a simple protocol. (EIDINT-2049, EIDINT-1779, EIDINT-1651, EIDINT-1686, EIDINT-1689, EIDINT-1675)
+ Removal of Relay State from the Service Provider 2.0 (EIDINT-1785)
+ Upgrade struts library in Demo Tools (EIDINT-1863)
+ New Look and feel (EIDINT-1961, EIDINT-1999)
+ Definition of the Simple Protocol between the SP 2.0 and the Specific Connector and between the Specific Proxy Service and the Identity Provider 2.0. (EIDINT-1704, EIDINT-1696, EIDINT-1700)
+ Split Specific Module (EIDAS-Specific) to Specific Proxy Service module (EIDAS-SpecificProxyService) and Specific Connector module (EIDAS-SpecificConnector) (EIDINT-1820, EIDINT-1652, EIDINT-1778, EIDINT-1628, EIDINT-1658, EIDINT-1657, EIDINT-1654, EIDINT-1655, EIDINT-2005)
+ Change simple protocol's LOA possible values to distinguish further from eIDAS LOA (EIDINT-1846)

** This release contains the following bug fixes:
+ Correct German integration : Exception when parsing German metadata (EIDINT-2030)
+ Correct support of ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (EIDINT-2080)
+ Correction of LegalPersonAddress and VATRegistrationNumber attributes (EIDINT-1583)
+ Correction of NameIDFormat changed to optional (EIDINT-1706)
+ Add "AddressID" property to PostalAddress (EIDINT-1664)

** Known Limitations (Note: The up to date list can be found at https://ec.europa.eu/cefdigital/wiki/x/SzuHAw)
+ Node checks metadata signature explicitly, rather than against a trust chain (EID-82)
+ SAML HTTP Redirect Binding not implemented correctly (EID-575)
+ Key representation as ds:KeyValue/RSAKeyValue in ds:KeyInfo not supported in eIDAS Response (EID-570)
+ Metadata Aggregator Format (ser:MetadataServiceList) not supported (EID-598)
+ Key rollover not supported (EID-581)
+ Key agreement method not supported for encryption of session keys (EID-594)
+ eIDAS Connector and ProxyService should be separate components (EID-599)
+ Using Gender attribute with 3rd value fails to work (EID-582)

eIDAS-Node Build 1.4.0
Content
This release is based on version 1.1 of the eIDAS Technical Specifications. This release includes stability improvements.
** Documentation **
CEF eID technical documentation pertaining to this release can be found on:
CEF Digital Home > eID > All eID services > eIDAS Node integration package > View latest version.
+ EIDAS-1.4.0.zip : Distribution version 1.4.0 of the sample eIDAS-Node
++ EIDAS-Sources-1.4.0.zip : Source files (Maven project) of the sample eIDAS-Node including an example of implementation of a SP (Service Provider) and IdP (Identity Provider).
++ EIDAS-Binaries-Glassfish-1.4.0.zip : Deployable war files of a preconfigured eIDAS-Node for a Glassfish server (including IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Jboss-1.4.0.zip : Deployable war files of a preconfigured eIDAS-Node for a JBoss server (including IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Tomcat-1.4.0.zip : Deployable war files of a preconfigured eIDAS-Node for a Tomcat server (including IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Was-1.4.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebSphere server (including IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Wls-1.4.0.zip : Deployable war files of a preconfigured eIDAS-Node for a WebLogic server (including IdP.war, EidasNode.war, SP.war)

** This release contains the following improvements: (Please note that EIDINT-XXXX references are for internal use only)
+ Improvements in documentation.
+ Analyse and validate the OWASP dependency check report (EIDINT-1665)
+ Default JBoss server is now 7.1.1, JBoss 6 is deprecated (EIDINT-1626)
+ Metadata file loader improvements: Load files only with 'xml' extension and if one loaded file contains an error, the others still need to be loaded / checked (EIDINT-1619)
+ Display the ID of metadata failed on signature check (EDINT-1566)
+ Protocol Engine - use ProtocolEngine clock (EIDINT-1611)
+ Make Metadatautil extendable by MS implementers (EDINT-1609)
+ Remove unnecessary code and properties related to old AT and DE plugins (EIDINT-1608)
+ Add support of server WebLogic 12.2.1.2.0, WebLogic 10 is now deprecated (EIDINT-1597, EIDINT-1598)
+ SPType is added to AuthnRequest to IdP (EIDINT-1251)
+ Re-enforce and validate that Code possibly is not vulnerable to XXE (EIDINT-1248)
+ Removal of PersonalAttributeList (EDINT-888)
+ Denial of service: size limit of IDP returned attributes (EIDINT-701)

** This release contains the following bug fixes:
+ Correct support of signing algorithm "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1" for JBOSS 7 (EIDINT-1718)
+ Correct inconsistencies in the default configuration directory EIDAS-Config (EIDINT-1717)
+ Correct missing "AddressID" property to PostalAddress (EIDINT-1664)
+ Thread safety bug in document builder pool (EIDAS-1606)
+ Correct Wrong paths to encryptionConf.xml and backslashes in config files (EIDINT-1582; EDINT-1489)
+ Correction of LegalPersonAddress and VATRegistrationNumber attributes (EIDINT-1500)

####################### previous releases #######################

eIDAS-Node Build 1.3.1
Content
This intermediary release is based on version 1.1 of the eIDAS technical specifications. This intermediary release includes stability improvements.
** This intermediary release contains the artifacts :
+ Document : eIDAS-Node Installation, Configuration and Integration Manual v1.3.0.pdf
+ Document : eIDAS-Node Error Codes v1.0
+ EIDAS-1.3.1.zip : Distribution version 1.3.1 of the sample eIDAS-Node
++ EIDAS-Sources-1.3.1.zip : Source files (Maven project) of the sample eIDAS-Node including an example of implementation of a SP (Service Provider) and IdP (Identity Provider).
++ EIDAS-Binaries-Glassfish-1.3.1.zip : Deployable war files of a preconfigured eIDAS-Node for a Glassfish server (including IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Jboss-1.3.1.zip : Deployable war files of a preconfigured eIDAS-Node for a JBoss server (including IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Tomcat-1.3.1.zip : Deployable war files of a preconfigured eIDAS-Node for a Tomcat server (including IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Was-1.3.1.zip : Deployable war files of a preconfigured eIDAS-Node for a WebSphere server (including IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Wls-1.3.1.zip : Deployable war files of a preconfigured eIDAS-Node for a WebLogic server (including IdP.war, EidasNode.war, SP.war)

** This intermediary release contains the following bug fixes:
+ Correction of 'Remove validation on optionality of sector specific attributes' (EIDINT-1532)

eIDAS-Node Build 1.3.0
Content
This release is based on version 1.1 of the eIDAS technical specifications. This release includes stability improvements.
** This release contains the artifacts :
+ Document : eIDAS-Node Installation, Configuration and Integration Manual v1.3.0.pdf
+ Document : eIDAS-Node Error Codes v1.0
+ EIDAS-1.3.0.zip : Distribution version 1.3.0 of the sample eIDAS-Node
++ EIDAS-Sources-1.3.0.zip : Source files (Maven project) of the sample eIDAS-Node including an example of implementation of a SP (Service Provider) and IdP (Identity Provider).
++ EIDAS-Binaries-Glassfish-1.3.0.zip: Deployable war files of a preconfigured eIDAS-Node for a GlassFish server (including IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Jboss-1.3.0.zip: Deployable war files of a preconfigured eIDAS-Node for a JBoss server (including IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Tomcat-1.3.0.zip: Deployable war files of a preconfigured eIDAS-Node for a Tomcat server (including IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Was-1.3.0.zip: Deployable war files of a preconfigured eIDAS-Node for a WebSphere server (including IdP.war, EidasNode.war, SP.war)
++ EIDAS-Binaries-Wls-1.3.0.zip: Deployable war files of a preconfigured eIDAS-Node for a WebLogic server (including IdP.war, EidasNode.war, SP.war)

**This release contains the following improvements:
+ Add the natural person and legal person MDS (minimum data set) representation (EIDINT-1221)
+ Externalise the configuration files of the eIDAS-Node (EIDINT-926)
+ Externalise the configuration files of the demo SP (EIDINT-1310)
+ Externalise the configuration files of the demo IdP (EIDINT-1310)
+ Propagate the RelayState from the Connector to the SP so that it is shown on the SP result page (EIDINT-648)
+ Improve security by running and analysing a dependency checker.
**This release contains the following bug fixes:
+ Correction of handshake failure (invalid session) while retrieving metadata (EIDINT-1312)
+ Correction of double validation of the time skew (EIDINT-693)
+ Correction of Hazelcast in the eIDAS components: stop "phoning home" (EIDINT-1245)
+ Correction of the specific logger used in the eIDAS-Node (EIDINT-1331)
+ Correction: the Proxy Service now validates the SAML request with regard to optional attributes (EIDINT-1241)
+ Correction of support for the SHA256-rsa-MGF1 signing algorithm (EIDINT-1276)
+ Correction of is optional, no longer checked, no longer sent in responses by default (can be configured) (EIDINT-1240)
+ Correction of security issue: infinite redirect loop when accessing JSP pages at the IdP (EIDINT-1174)
+ Correction of the publication of all supported attributes (eIDAS attributes, specific business attributes, representative attributes) (EIDINT-1174)
+ Correction: SPType is no longer transmitted to the Proxy Service (EIDINT-1311)
+ Correction of METADATA: OrganizationName missing (EIDINT-668)
+ Correction of METADATA: FriendlyName and NameFormat must be present in the Attribute tag (EIDINT-633)
+ Correction of the consumer skew time (EIDINT-1430)
+ Correction of wrong value for the OpType field (EIDINT-1356)
+ Correction of AssertionUtil: make the generateAuthStatement method public (EIDINT-1484)
+ Correction: upgrade the Struts library in the demo tools (EIDINT-1480)
+ Correction of a very weak authorisation mechanism for accessing the updater service (EIDINT-1249)

eIDAS-Node Build 1.2 Content
This release is based on version 1.0 of the eIDAS technical specifications. This release includes stability improvements.

**This release contains the following improvements:
+ Improvements in security:
- Penetration tested;
+ Improvement in code quality:
- Corrections based on code quality analysis.
+ Improvements in the build process:
- Reorganising the Maven POMs in a standardised way;
+ Improvements in eIDAS-Node configuration:
- Make the eIDAS software compliant with the eIDAS specification regarding the TLS version by introducing the new configuration property tls.enabled.protocols;
- Add the configuration properties service.askconsent.all.attributes and service.askconsent.attribute.names.only to manage the business attributes/values shown on the consent page.
+ Improvements in metadata:
- Metadata was double-signed: both the EntityDescriptor and the role descriptor were signed. Only the root element is now signed.
+ Improvements in Specific module configuration:
- Merge of the two files specific.properties and eidas_Specific.xml into eidas_Specific.xml;
- Rename the SAML Engine configuration files: XXX_Specific.xml is renamed to XXX_Specific-IdP.xml, XXX_SP-Connector.xml is renamed to XXX_SP-Specific.xml.
+ Improvements in sample SP configuration:
- Add configuration properties (sp.metadata.validatesignature, sp.metadata.trusteddescriptors) to manage the validation of the metadata signature.
+ Improvements in sample IdP configuration:
- Add configuration properties (idp.metadata.validatesignature, idp.metadata.trusteddescriptors) to manage the validation of the metadata signature.
+ Improved utilisation of Hazelcast:
- Only one Hazelcast instance is now used by default, but it can be reconfigured to have multiple instances in the application context.
**This release contains the following bug fixes:
+ Correction of the whitelist for encryption algorithms, which was not working properly when configured differently from the standard (Eidas-Specific to IdP) (internal ref EIDINT-1177)
+ Correction of an error in the SP during validation of the AudienceRestriction element of the SAML response (internal ref EIDINT-1160)
+ Correction: when using a CA whose certificate contains special characters, loading the certificate for signing and encrypting failed (internal ref EIDINT-1146)
+ Correction: the eIDAS-Node rejected PersonIdentifier attributes containing the hyphen character (internal ref EIDINT-1120)
+ Correction of too many sessions still active (internal ref EIDINT-1113)
+ Correction: the signature of static metadata was not validated (internal ref EIDINT-1094)
+ Correction: the Proxy Service did not complain when the minimum data set was not correctly set (internal ref EIDINT-1058)
+ Correction: the digest method in the metadata signature was SHA-1; it should be SHA-256 (internal ref EIDINT-969)
+ Correction: clean up eIDASSession from the code and replace the logic where needed (internal ref EIDINT-1051)
+ Correction: a failed encryption did not throw an exception (internal ref EIDINT-1049)
+ Correction of incorrect issuer URL (ConnectorMetadata instead of ConnectorResponderMetadata) in the Connector response to the SP (internal ref EIDINT-1048)
+ Correction of loss of the RelayState parameter in the workflow (internal ref EIDINT-1046)
+ Correction of transliteration by removing the validation from the Node, enabling any transliterated value (internal ref EIDINT-1041)
+ Correction: the production-mode setting parameter was no longer usable and has been removed (internal ref EIDINT-980, EIDINT-970, EIDINT-949)
+ Correction of NodeMetadataFetcher: getFromCache returned null (internal ref EIDINT-971)
+ Correction: the WebSphere default URL for /SP (SP/populateindexpage) was not recognised (internal ref EIDINT-964)
+ Correction of infinite redirect loop when accessing JSP pages (internal ref EIDINT-948)
+ Correction of PersonalAttrList by replacing it with immutable attributes and deleting the session in the Specific module (EIDINT-945)
+ Correction of broken UTF-8 (internal ref EIDINT-923)
+ Correction of encoding by adding the CharacterEncodingFilter in web.xml (otherwise the default charset for HTTP is ISO-8859-1).
+ Correction of Proxy Service binding validation: exception (internal ref EIDINT-860)
+ Correction of the validation of the SPType; the validation is now in the Specific part of the Connector (internal ref EIDINT-845)
+ Correction of the audit files location by using the Java system property "LOG_HOME" (internal ref EIDINT-672)
+ Correction: allow SHA256-rsa-MGF1 as signing algorithm (internal ref EDINT-1276)
+ Correction: add OrganizationName in metadata (internal ref EDINT-1269)
+ Correction: remove the ID in IDPSSODescriptor as well as SPSSODescriptor in the metadata (internal ref EIDINT-1268)
+ Correction of wrong type of extension: the SAML protocol XML schema is changed to xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" (internal ref EIDINT-1267)
+ Correction: HTTPMetadataProvider was not released (internal ref EIDINT-1256)
+ Correction of is changed to optional (internal ref EIDINT-1242)
+ Correction of is changed to optional (internal ref EIDINT-1259)

eIDAS-Node Build 1.1 Content
This eIDAS release includes architectural and stability improvements. Please be aware that the related documentation covering this release is not yet available but will be updated in the coming weeks.

This release contains the following improvements:
- definition of an abstraction and clear conformity of light Request/Response (in the module EIDAS-Light-Commons). These light objects (SAML agnostic) are designed to be used in the eIDAS-Node (SP to Connector) and also in the country specific modules (Proxy Service to IdP);
- definition of an abstraction and a clear conformity for the country specific modules (in the module EIDAS-SpecificCommunicationDefinition).
With this abstraction the dependency on the SAML Engine is no longer needed in the country specific modules;
- improvements to the SAML Engine for complete independence, so that it can be configured separately from the eIDAS-Node (metadata configuration, whitelist of signature and encryption algorithms);
- definition of an attribute registry used by the SAML Engine to provide a clear definition and conformity of the supported attributes (configuration based) and to enforce validation;
- full coverage of the transliteration at the attribute and attribute registry level; and
- hardening to ensure immutability where necessary on the classes used in the SAML Engine (builder pattern).

The release also includes the following changes:
+ complete refactoring of the commons API to define a clear contract and prevent security and concurrency issues;
+ clear separation between Connector and Proxy Service;
+ definition of a clear contract for the SAML Engine API;
+ opening and definition of the SAML Engine ExtensionProcessorInterface, allowing extensibility to other SAML protocols (e.g. eIDAS, STORK etc.);
+ definition and declaration of a clear contract for the methods used in the Specific module;
+ dynamic configuration for the properties used by the SAML Engine; these properties have been extracted from the eIDAS-Node general configuration and allow a more granular configuration (eidas.xml, eidas-specific.xml);
+ implementation of the minimum data set validation based on the attribute registry;
+ implementation of a stable light-weight abstraction layer, exposed as an API and shipped as a library, on top of the OpenSAML library, wrapping all the low-level SAML boilerplate code;
+ implementation of two namespaces, http://eidas.europa.eu/attributes/naturalperson and http://eidas.europa.eu/attributes/legalperson; and
+ correction of remote code execution during object deserialization: upgrade the commons-collections dependency to version 3.2.2.

N.B.
For compatibility, some APIs from 1.0.2 have been kept from previous unofficial releases but declared as deprecated. They could disappear in a future release, replaced by the new implementation that is already provided.

eIDAS Node Build 1.0.2 Content
This intermediary release includes architectural and stability improvements (documentation not updated). The tested application servers are Tomcat, GlassFish and WebLogic.
This release provides an end-to-end sample of the happy path of a citizen's identification with a complete refactoring of the SAML Engine. This refactoring covered:
- defining an abstraction and clear conformity of light Request/Response (in the module EIDAS-Light-Commons). These light objects (SAML agnostic) are designed to be used in the eIDAS-Node and also in the country specific modules;
- defining an abstraction and a clear conformity for the country specific modules (in the module EIDAS-SpecificCommunicationDefinition). With this abstraction the dependency on the SAML Engine is no longer needed in the country specific modules;
- defining an attribute registry used by the SAML Engine to provide a clear definition and conformity of the supported attributes (configuration based); and
- hardening and ensuring immutability where necessary on the classes used in the SAML Engine (builder pattern).

eIDAS Node Build 1.0 Content
N.B.: In a future release, it is intended to provide a major architectural improvement involving the Specific module. The Specific module is inherited from the STORK PEPS Pilot 1 application. It provides a sample implementation of a Member State Specific module to customise the communication between the Identity Provider and the eIDAS-Node Proxy Service. Version 1.0 does not contain any improvements to or enhancements of the Specific module.
The architectural improvements of the Specific module will:
- provide an abstraction and a correct placeholder for the Member State's specific implementation;
- remove the dependency between the SAML Engine and the Specific module;
- extend the Specific module to cover the communications between Service Provider and eIDAS-Node Connector as well as the communications between Identity Provider and eIDAS-Node Proxy Service.

Version 1.0 includes the following:
+ Improvement of the software look and feel;
+ Renaming of the STORK references to eIDAS terminology;
+ Modifications of the eIDAS-Node related to the technical specification:
- Parametrisation of the signing certificate of the metadata;
- Verification of the metadata expiration when processing it from the cache;
- Check of the certificate validity on metadata generation: no metadata is published if the certificate has expired;
- Suppression of the EXACT implementation of the LoA (Level of Assurance);
- Support for sector specific attributes;
- Disabling of the support for the STORK1 message format;
- Change of message format (namespace from "stork" to "eidas").
+ Modifications in the sample SP, IdP and AP:
- Support eIDAS LoA in the SP and IdP;
- Support eIDAS attributes;
- Extend eIDAS compliance to include the communication between SP and the eIDAS-Node;
- Extend eIDAS compliance to include the communication between IdP and the eIDAS-Node;
- Improvement of the sample Service Provider to show the decrypted assertion.
+ Security: update of third-party libraries to the latest version (BouncyCastle, XMLSec/XML Santuario, Xalan, Commons HttpClient);
+ Migration from Maven 2 to Maven 3;
+ Provide a new sample eIDAS keystore (double key + metadata signature) for each binary.
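Three of the checks named in these notes are the same operation against one clock: the assertion time-skew validation fixed in 1.3.0 (EIDINT-693 double validation, EIDINT-1430 consumer skew time, together with the 1.4-era move to the ProtocolEngine clock, EIDINT-1611) and the two 1.0 metadata rules just above (expiry of cached metadata, no publication with an expired certificate). The following is an added example written for these notes, not eIDAS-Node code: a single class with an injected java.time.Clock so that tests can freeze time, the skew applied exactly once on each boundary, and the metadata and certificate rules applied without any skew. Class, method and timestamp values are the example's own assumptions.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;
import java.util.Date;

/**
 * Time-window checks driven by one injected Clock (example code, not eIDAS-Node's own).
 * Routing every check through the same clock keeps the behaviour deterministic under test
 * and rules out the bug class where one layer already widened a window by the skew and a
 * second layer widens it again.
 */
public final class ValidityChecker {

    private final Clock clock;
    private final Duration skew;

    public ValidityChecker(Clock clock, Duration skew) {
        if (skew.isNegative()) {
            throw new IllegalArgumentException("clock skew must not be negative");
        }
        this.clock = clock;
        this.skew = skew;
    }

    /**
     * SAML Conditions check: accept when NotBefore - skew <= now < NotOnOrAfter + skew.
     * The skew is applied here and nowhere else; callers pass the raw assertion timestamps.
     * Returns null when acceptable, otherwise a reason suitable for the audit log.
     */
    public String checkConditions(Instant notBefore, Instant notOnOrAfter) {
        Instant now = clock.instant();
        if (notBefore != null && notOnOrAfter != null && !notBefore.isBefore(notOnOrAfter)) {
            return "inconsistent window: NotBefore=" + notBefore + " NotOnOrAfter=" + notOnOrAfter;
        }
        if (notBefore != null && now.isBefore(notBefore.minus(skew))) {
            return "not yet valid: NotBefore=" + notBefore + " now=" + now;
        }
        if (notOnOrAfter != null && !now.isBefore(notOnOrAfter.plus(skew))) {
            return "expired: NotOnOrAfter=" + notOnOrAfter + " now=" + now;
        }
        return null;
    }

    /**
     * Cached metadata may be reused only while EntityDescriptor/@validUntil has not passed
     * and, when @cacheDuration is present, fetchedAt + cacheDuration has not passed either.
     * No skew: a stale descriptor can still advertise a rotated or revoked key.
     */
    public boolean metadataStillUsable(Instant fetchedAt, Instant validUntil, Duration cacheDuration) {
        Instant now = clock.instant();
        if (validUntil != null && !now.isBefore(validUntil)) {
            return false;
        }
        if (cacheDuration != null && !now.isBefore(fetchedAt.plus(cacheDuration))) {
            return false;
        }
        return true;
    }

    /**
     * Publish metadata only if the certificate it advertises is inside its validity period
     * at generation time. checkValidity(Date) throws CertificateExpiredException or
     * CertificateNotYetValidException; the caller treats either as "do not publish".
     */
    public void requirePublishableCertificate(X509Certificate signingCert) throws CertificateException {
        signingCert.checkValidity(Date.from(clock.instant()));
    }

    public static void main(String[] args) {
        // Constructed timestamps; the clock is frozen so the run is deterministic.
        Clock frozen = Clock.fixed(Instant.parse("2024-01-01T12:00:00Z"), ZoneOffset.UTC);
        ValidityChecker v = new ValidityChecker(frozen, Duration.ofMinutes(2));

        // NotBefore one minute in the future: inside the configured skew.
        System.out.println(v.checkConditions(Instant.parse("2024-01-01T12:01:00Z"), Instant.parse("2024-01-01T12:06:00Z")));
        // NotBefore three minutes in the future: beyond the skew.
        System.out.println(v.checkConditions(Instant.parse("2024-01-01T12:03:00Z"), Instant.parse("2024-01-01T12:06:00Z")));
        // NotOnOrAfter ninety seconds ago: inside the skew.
        System.out.println(v.checkConditions(Instant.parse("2024-01-01T11:00:00Z"), Instant.parse("2024-01-01T11:58:30Z")));
        // NotOnOrAfter three minutes ago: beyond the skew.
        System.out.println(v.checkConditions(Instant.parse("2024-01-01T11:00:00Z"), Instant.parse("2024-01-01T11:57:00Z")));

        Instant fetched = Instant.parse("2024-01-01T00:00:00Z");
        // validUntil tomorrow but cacheDuration of six hours already elapsed.
        System.out.println(v.metadataStillUsable(fetched, Instant.parse("2024-01-02T00:00:00Z"), Duration.ofHours(6)));
        // validUntil tomorrow, no cacheDuration.
        System.out.println(v.metadataStillUsable(fetched, Instant.parse("2024-01-02T00:00:00Z"), null));
    }
}
```

In production the Clock is Clock.systemUTC() and the skew comes from configuration; the point of injecting it is that the same instance is shared by the protocol engine and by any wrapper that validates the response again, so there is only one place where time and skew enter the decision.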
List of conformance documents and requirements:
- eIDAS Interoperability Architecture v1.0
- eIDAS Message Format v1.0
- eIDAS SAML Attribute Profile v1.0
- eIDAS - Crypto Requirements for the Interop Framework v1.0

eIDAS Node Build 0.9 Content
Version 0.9
+ Add a feature selector enforcing eIDAS regulation compliance (when set to true);
+ Support of the eIDAS compliant message format (eIDAS Technical Specifications);
+ Extension of eIDAS metadata (eIDAS Technical Specifications);
+ Security improvements:
- Strengthen against the browser cache weakness: add a no-cache policy in the HTTP response headers;
- Reflected cross-site scripting mitigation: sanitisation of displayed values;
+ Removal of the Middleware plugin;
+ Extension of the sample applications (SP, IdP, AP) to provide a sample use of the eIDAS regulation features.
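The two 0.9 browser-side mitigations, a no-cache policy on responses and sanitisation of reflected values, are small enough to show in full. The following is an added example written for these notes, not the eIDAS-Node's own filter or JSP code: a servlet Filter that sets the cache headers before the response body is committed, plus an HTML escaping helper for values such as a RelayState or SAML attribute echoed into a page. The class name, header values and the sample probe are the example's own assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * No-cache headers plus output escaping (example code, not eIDAS-Node's own).
 * Register the filter in web.xml with a url-pattern covering every page that renders
 * identity data, so that a shared browser cannot replay a previous citizen's result page
 * from its cache, and escape every reflected value before it reaches the HTML.
 */
public final class BrowserHardeningFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // Headers must be set before the body is committed, hence before chain.doFilter().
            http.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0");
            http.setHeader("Pragma", "no-cache");   // HTTP/1.0 caches and proxies
            http.setDateHeader("Expires", 0L);      // epoch: already expired
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /**
     * Escape a value for insertion as HTML text or into a double-quoted attribute.
     * Every character that can open a tag, close an attribute or start an entity is
     * replaced, so reflected input can only ever render as literal text.
     */
    public static String escapeHtml(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                case '/':  out.append("&#47;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed reflected-XSS probe, e.g. arriving as a RelayState parameter.
        String probe = "\"><script>alert(document.cookie)</script>";
        System.out.println(escapeHtml(probe));
    }
}
```

Escaping at output time, in the JSP or template right where the value is written, is what closes the reflected XSS; rejecting suspicious characters on input does not, because SAML attribute values legitimately contain quotes, ampersands and angle brackets in transliterated names and addresses.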