What's on this page
Latest version
What is DSS?
Purpose of the service
DSS (Digital Signature Services) is an open-source software library for electronic signature creation and validation. DSS supports the creation and verification of interoperable and secure electronic signatures in line with European legislation. In particular, DSS aims to follow the eIDAS Regulation and related standards closely.
DSS can be re-used in an IT solution for electronic signatures to ensure that signatures are created and verified in line with European legislation and standards. DSS allows re-use in a variety of different ways: in an applet, in a stand-alone application or in a server application. DSS can also be used as a reference implementation for IT solutions which do not directly re-use it. Demos are also available to assist the use of DSS as a reference implementation. DSS was developed by Nowina Solutions and is maintained up-to-date via new releases.
Users of the service
The Digital Europe eSignature DSS service is intended for Service Providers active in the implementation of e-signature solutions.
Benefits of the service
Digital Europe eSignature's DSS open-source library delivers the following benefits to its users:
- Open-source software under LGPL 2.1, a non-viral open source license;
- Written in Java, guaranteeing portability on numerous platforms;
- Interoperability of the e-signatures;
- Supports both e-signatures and e-seals;
- Validation of countersignatures and multiple signatures;
- A flexible library, that can be:
- Reused in different topologies: in an applet, as a stand-alone application, server-based, or any combination;
- Used in its entirety or on a module-by-module basis;
- Adapted to numerous usages via configuration files or extension points;
- Alignment with the eIDAS Regulation and related standards;
- Supports EU standards on:
- Signature formats and packaging methods;
- Signature validation procedures;
- Validation relying on Member States' trusted lists:
- Status of trust service providers/trust service, compensation of information, path validation.
How can it be used?
The library, realised in Java, is open-source, available to all Member States, businesses and citizens for re-use in electronic signature solutions. It is continuously updated and maintained to anticipate and follow developments in regulations and standards.
Anyone can integrate it and redistribute it under the terms of the Lesser General Public License (LGPL 2.1).
In accordance with ETSI standards, DSS supports various document and signature formats including PAdES, XAdES, CAdES and ASiC and is compliant with Implementing Decision 2015/1506/EU. A “cook-book” is also provided with documentation targeting implementers/developers and aiming at facilitating the integration and use of DSS in their applications.
Validation of qualified and advanced signatures and seals
In anticipation of the ETSI standard, TS 119 172-4, which is currently being drafted with the aim of standardising a “signature validation policy for European qualified electronic signatures/seals using trusted lists”, eSignature Building Block’s provides its interpretation of the eIDAS Regulation's requirements for the validation of qualified and advanced signatures and seals.
This algorithm has been designed following discussions and meetings with experts involved in the field, in the context of the Digital Europe eSignature Building Block. This algorithm is to be considered as guidelines for implementers, or parties interested in understanding how QES validation is implemented in DSS.
The algorithm (available below) focuses on determining 3 sub-conclusions:
- Whether the certificate is qualified
- What is the type of this certificate
- Whether the corresponding private key is protected by a QSCD.
Demonstration tool
Demos of DSS for electronic signature creation, extension and validation
The Digital Europe eSignature building block maintains a demonstration tool that allows everybody interested in the DSS functionalities to try them out.
The demo tool is a web application that, among others, allows users to:
- upload and sign a document
- upload and sign multiple documents
- access REST / SOAP webservices
- extend an electronic signature
- validate an electronic signature
The DSS demonstration tool is accessible from here
Releases and Bitbucket
DSS releases are part of the eSignature service offering.
The Digital Europe eSignature building block collects all issues, bugs, or requests for change in the DSS project's JIRA. More information on how to use JIRA can be found here.
Source code is also made available on the DSS Bitbucket repository.
Releases
Summary of current version
| Version | Release date | Features |
|---|---|---|
v5.11 | October 2022 | Main new features / improvements :
Bug fixes :
|
New features
- [DSS-2659] - ASiC : introduce ZipEntryDocument
- [DSS-2687], [DSS-2713] - ASiC : add merge capability
- [DSS-2692] - PAdES: signing app name for pades signatures
- [DSS-2716] - Demo WebApp : Add a webpage with ASiC merger possibility
- [DSS-2717] - Add a possibility to customize naming of documents within ASiC container
- [DSS-2725] - PAdESService : add new method allowing to define a custom factory to create OutputStream and DSSDocument
- [DSS-2726] - PAdES : introduce temporary document/digest caching
- [DSS-2745] - Demo : Add TL-Signing feature in the standalone
- [DSS-2767] - Demo : Add XAdES manifest feature in the standalone
- [DSS-2779] - Add manifestSignature and embedXML parameters to web-services
- [DSS-2803], [DSS-2819] - Mutual Recognition Agreement
- [DSS-2808] - Add custom qualifier for a CommitmentType
Improvements
- [DSS-2419] - Memory heap error on pades signature
- [DSS-2619] - SignaturePolicyStore : add support of sigPol local URI attribute
- [DSS-2674] - CAdES : improve extension naming on signature creation
- [DSS-2732] - Cookbook 5.11 improvements
- [DSS-2748] - PAdES : improve Pdf Modification Detection
- [DSS-2754] - Simple Report - Add SignatureScope ID to SignatureScopes
- [DSS-2769] - SVC : store unsuccessful result of issuer finding
- [DSS-2787] - ETSI VR : add AdditionalValidationReportData to BBB
- [DSS-2824] - Detailed validation report - seemingly inconsistent result when thisUpdate is not in validity range
- [DSS-2834] - MRA : add unit tests for KeyUsage and PolicySet within CriteriaList
Improvements / Tasks
- [DSS-2393] - Demos : JUnit tests for eSignature validation test cases
- [DSS-2736] - Update cryptographic constraints according to TS 119 132 v1.4.2
- [DSS-2744] , [DSS-2822] - Upgrade OpenPdf 1.3.29
- [DSS-2756] - Upgrade PdfBox 2.0.26
- [DSS-2837] - Use Maven Central repository for everit-json-schema dependency
- [DSS-2869] - Dependencies update
Bug fixes
- [DSS-2472] - Excess memory usage by XMLSignatureInput created in DetachedSignatureResolver::createFromCommonDocument
- [DSS-2570] - Signature not found error on PDF with XRef streams
- [DSS-2691] - addNewSignatureField adds a Default Appearance using Helvetica but doesn't embed it into the PDF
- [DSS-2697] - SVC : register POE only from valid timestamps
- [DSS-2761] - LTA signature is indeterminate because no revocations lists found
- [DSS-2712] - DSS PADES library: Secured PDF Signature
- [DSS-2729] - Exception when a not supported encryption algorithm is provided
- [DSS-2731] - JAdES : signature can be created with ECDSA algorithm using a wrong elliptic curve
- [DSS-2752] - Signature Ids in the signature scopes don't use the IdentifierBuilder
- [DSS-2772] - Only the first Qualifier is captured from a TSPService element
- [DSS-2777] - Certificate/Signature qualification determination adjustments
- [DSS-2778] - Validation for ASiC without mimetype returns FORMAT_FAILURE
- [DSS-2780] - Forbid manifest signature for an XML document with Id in the root level
- [DSS-2785] - Skipped AcceptableRevocationDataFound constraint may lead to false positive validation result
- [DSS-2839] - DSS WebApp : excluded hosts from properties file are not converted to a List
- [DSS-2859] - Simple Report - Signatures with indication INDETERMINATE/TRY_LATER are counted as valid
Past releases
Security information
Following a security assessment from the Ruhr-Universität Bochum, we are delivering security patches for DSS versions 5.2 and 5.3.
Delivered patches are:
Please consider that use of older versions should be discouraged.
XAdES / ASiC with XAdES / TL-based signature validation
If your DSS integration is using XAdES, ASiC with XAdES, or TL-based signature validation, it is strongly encouraged to upgrade your version.
The patches enforce signature validations against different kinds of attack: XML Signature Wrapping (XSW), XPath injections, Server Side Request Forgeries (SSRF) and XML External Entities (XEE).
While upgrading, be sure that your integration :
- doesn't use Xalan or XercesImpl dependencies
- uses a patched Java version (JDK7u40+, JDK8 or higher)
PAdES
If you use dss-pades, it is also strongly encouraged to upgrade your DSS version, as these releases include a fix of PdfBox to patch vulnerabilities.
Contribute
If you would like to speak to us about suggested improvement for Digital Europe eSignature, we would love to hear from you. Please contact us by clicking on the button below.
Click here to see the DSS Jira project's current issue list.
Thanks for downloading DSS
We would greatly appreciate if you could also help us enhance the user experience of this website and fill in this survey to tell us who you are: