Digital

Page tree

European Commission Digital


Digital Signature Service - DSS

Back to the overview

DSS v6.0

Access and download DSS v6.0

Here, you can access and download the latest version of the Digital Signature Services open-source library released in December 2023. You can read more about DSS and how it can help you below.

Access to Bitbucket source code


Access to Github source code


Download the DSS Demonstration WebApp


Source code is available in zipandtar.gz

What is DSS?

Purpose of the service

DSS (Digital Signature Services) is an open-source software library for electronic signature creation and validation. DSS supports the creation and verification of interoperable and secure electronic signatures in line with European legislation. In particular, DSS aims to follow the eIDAS Regulation and related standards closely.

DSS can be re-used in an IT solution for electronic signatures to ensure that signatures are created and verified in line with European legislation and standards. DSS allows re-use in a variety of different ways: in an applet, in a stand-alone application or in a server application. DSS can also be used as a reference implementation for IT solutions which do not directly re-use it. Demos are also available to assist the use of DSS as a reference implementation. DSS was developed by Nowina Solutions and is maintained up-to-date via new releases.

Users of the service

The Digital Europe eSignature DSS service is intended for Service Providers active in the implementation of e-signature solutions.

Benefits of the service 

Digital Europe eSignature's DSS open-source library delivers the following benefits to its users:

  • Open-source software under LGPL 2.1, a non-viral open source license;
  • Written in Java, guaranteeing portability on numerous platforms;
  • Interoperability of the e-signatures;
  • Supports both e-signatures and e-seals;
  • Validation of countersignatures and multiple signatures;
  • A flexible library, that can be:
    • Reused in different topologies: in an applet, as a stand-alone application, server-based, or any combination;
    • Used in its entirety or on a module-by-module basis;
    • Adapted to numerous usages via configuration files or extension points;
  • Alignment with the eIDAS Regulation and related standards;
  • Supports EU standards on:
    • Signature formats and packaging methods;
    • Signature validation procedures;
  • Validation relying on Member States' trusted lists:
    • Status of trust service providers/trust service, compensation of information, path validation.

How can it be used?

The library, realised in Java, is open-source, available to all Member States, businesses and citizens for re-use in electronic signature solutions. It is continuously updated and maintained to anticipate and follow developments in regulations and standards. 

Anyone can integrate it and redistribute it under the terms of the Lesser General Public License (LGPL 2.1).

In accordance with ETSI standards, DSS supports various document and signature formats including PAdES, XAdES, CAdES and ASiC and is compliant with Implementing Decision 2015/1506/EU. A “cook-book” is also provided with documentation targeting implementers/developers and aiming at facilitating the integration and use of DSS in their applications.

Validation of qualified and advanced signatures and seals

In anticipation of the ETSI standard, TS 119 172-4, which is currently being drafted with the aim of standardising a “signature validation policy for European qualified electronic signatures/seals using trusted lists”, eSignature Building Block’s provides its interpretation of the eIDAS Regulation's requirements for the validation of qualified and advanced signatures and seals.

This algorithm has been designed following discussions and meetings with experts involved in the field, in the context of the Digital Europe eSignature Building Block. This algorithm is to be considered as guidelines for implementers, or parties interested in understanding how QES validation is implemented in DSS.

The algorithm (available below) focuses on determining 3 sub-conclusions:

- Whether the certificate is qualified

- What is the type of this certificate

- Whether the corresponding private key is protected by a QSCD.


Qualified electronic signature (QES) validation algorithm.pdf

Demonstration tool

Demos of DSS for electronic signature creation, extension and validation

The Digital Europe eSignature building block maintains a demonstration tool that allows everybody interested in the DSS functionalities to try them out.

The demo tool is a web application that, among others, allows users to:

  • upload and sign a document
  • upload and sign multiple documents
  • access REST / SOAP webservices 
  • extend an electronic signature
  • validate an electronic signature

The DSS demonstration tool is accessible from here 

Releases and Bitbucket

DSS releases are part of the eSignature service offering. 

The Digital Europe eSignature building block collects all issues, bugs, or requests for change in the DSS project's JIRA. More information on how to use JIRA can be found here

Source code is also made available on the DSS Bitbucket repository.  

Documentation

Documentation is available in HTML, PDF and Javadoc.

Releases

Summary of current version

VersionRelease dateFeatures
6.0
December 2023

Main new features / improvements :

  • Transition from javax.* to jakarta.* namespaces;
  • Demos : webapp migrated from Spring to Spring-Boot 3;
  • Demos : removed sscd-mocca-adapter module.

Bug fixes / issues :

  • KeyEntityTSPSource : add null safe processing.

+ All the changes included in DSS 5.13.

NOTE: This version uses jakarta.* namespaces. Use DSS 5.13 for javax.* support.


Past releases

VersionRelease dateFeatures
5.13
December 2023

Main new features / improvements :

  • RFC 6283 XML Evidence Records (XMLERS) validation support;
  • Offline PKI Factory;
  • Support of new standard versions TS 119 102-2 v1.4.1 and TS 119 615 v1.2.1;
  • Validation of detached time-stamps considers POEs from other time-stamps;
  • XAdES : added support of EdDSA algorithm;
  • XAdES : support of a custom DataObjectFormat element;
  • JAdES : added support of "x5u" header;
  • Added support for OCSP responders without nonce;
  • Added qualification information messages to simple certificate report;
  • Added optional validation constraint for enforced time-stamp presence and validity verification;
  • Added Dockerfile to run DSS Demo WebApp;
  • Dependencies update (BouncyCastle, Apache Santuario, PdfBox, OpenPdf, etc.);
  • Documentation improvements;
  • Java 21 support.

Bug fixes / issues :

  • XAdES : fixed signing of XML documents with comments / non UTF-8 encoding;
  • XAdES : fixed signature creation with custom DSSReference definition;
  • PAdES : improved LT-level determination algorithm;
  • ASiC : fixed false negative validation result on ASiC-S container validation with a manifest;
  • Adjusted OCSP nonce generation to required 32 octets;
  • Fixed multi-threading issue within ZipUtils;
  • Fixed NullPointerException in DiagnosticData when validating with a custom trusted list certificate source;
  • Demo WebApp : fixed custom validation time input field on a certificate validation webpage;
  • Demo WebApp : added a customizable property to skip RSA keys validation (fixes issue with long application launching);
  • Other minor fixes and improvements.
5.13.RC1 
November 2023

-

5.12.1
June 2023

Main new features / improvements:

  • Improved Trust Service validation and qualification status reporting;
  • Improved MRA processing;
  • Dependencies update;
  • Demonstrations : improved eSig validation tests.

Bug fixes / issues:

  • Fixed Diagnostic Data unmarshalling on certificate validation;
  • Fixed NullPointerException on unknown Digest Algorithm;
  • WebApp : fixed OCSP load with disabled JDBC source.
5.12 
April 2023

Main new features / improvements :

  • PAdES : signature creation with external CMS provider;
  • PAdES : added PDF/A validation support;
  • PAdES : spoofing attack detection;
  • PAdES : improved performance and memory consumption on signature validation;
  • PAdES : VRI dictionary made optional;
  • XAdES : less memory consuming message-imprint computation;
  • JAdES : added support of EdDSA algorithms;
  • Validation : improved RFC 5280 conformance;
  • Validation : return INDETERMINATE/CERTIFICATE_CHAIN_GENERAL_FAILURE if no acceptable revocation found;
  • Validation policy : improved handling of expired cryptographic algorithms;
  • DataLoader : removed default SSL-protocol definition;
  • DataLoader : added an option of pre-emptive basic authentication;
  • SignatureTokenConnection : possibility to filter keys;
  • REST/SOAP services : added a setter of default validation policy;
  • REST/SOAP services : added a signing method with a provided SignatureAlgorithm;
  • Simple report : added information about trust anchors;
  • Add support for SAML metadata XSD;
  • Removed redundant xml-apis and commons-codec dependencies declaration;
  • DSS Standalone : signing of multiple document;
  • DSS Standalone : extension of signed documents;
  • DSS Standalone : validation of documents;
  • WebApp : add a property to define a custom trusted certificate source;
  • Dependencies update (BouncyCastle, HttpClient5, Apache Santuario, PdfBox, etc.);
  • Documentation improvement (F.A.Q. section, offline support, etc.);
  • Java 19 support.

Bug fixes / issues :

  • PAdES : unable to extend a document with /DSS dictionary before a timestamp;
  • PAdES : improved code to preserve PDF/A documents validity;
  • PAdES : fixed text auto-fitting function in certain configurations;
  • PAdES : ensure DocMDP is created as a direct object;
  • CAdES : OCSP responses incorporation for CAdES-BASELINE-LT profile;
  • XAdES : improved handling of custom DSSReference configurations;
  • XAdES : fixed rare issue with inability to create ENVELOPED signature;
  • Fixed extension of not AdES signatures with a revoked certificate;
  • TLValidationJob : fixed unexpected exception and thread stuck during the refresh;
  • NativeHTTPDataLoader : threads can get stuck;
  • JdbcCacheConnector : improved code to allow some database implementations;
  • SubjectAlternativeName certificate extension extraction;
  • Skipping ProspectiveCertificateChain always results to PASSED;
  • Unknown MRA equivalence URI caused an error.
5.12.RC1
February 2023

-

v5.11.1
November 2022

Main new features / improvements :
•    Maven Central release;
•    Update vulnerable dependencies.

Bug fixes :
•    Fixed URN OID extraction from an XML Trusted List.

v5.11
October 2022

Main new features / improvements :

  • PAdES : improved PDF-signing performance (add caching of the temporary revision);
  • PAdES : introduce temporary document processing factory (e.g. in-file or in-memory);
  • PAdES : simplified configuration of modification detection modules;
  • PAdES : added signing app name for signature;
  • ASiC : introduce ASiC Merger;
  • ASiC : improved ASiC in-file processing (avoid loading document into memory);
  • XAdES : add support of a custom CommitmentType qualifier;
  • CAdES : improved signature file extension naming;
  • TL-validation : Trust Service equivalence scheme and Mutual Recognition Agreement support;
  • Other : dependencies update (Apache Santuario, PdfBox, OpenPdf, httpclient5, etc.);
  • Demo : eSignature Validation Test Cases automated validation module;
  • Demo : added ASiC Merger webpage;
  • Standalone app : add TL signing function;
  • Standalone app : add XMLManifest signing function;
  • Java 18 support.

Bug fixes :

  • Qualification determination : Improved algorithm to comply with TS 119 615 + fixed issues;
  • JAdES : signature can be created with ECDSA algorithm using a wrong elliptic curve;
  • LTA signature is indeterminate because no revocations lists found;
  • Exception when a not supported encryption algorithm is provided;
  • Validation for ASiC without mimetype returns FORMAT_FAILURE;
  • Skipped AcceptableRevocationDataFound constraint may lead to false positive validation result;
  • ASiC : unable to proceed validation of CEN-header invalid files;
  • SimpleReport : fix valid signatures counter;
  • Demo : fix proxy configuration conversion.
v5.11.RC1
August 2022-
v5.10.2October 2022

Main new features / improvements :

  • Maven Central release;
  • Update vulnerable dependencies.

Bug fixes :

  • Fixed validation of signatures with invalid cryptographic algorithm OID;
  • Fixed URN OID extraction from an XML Trusted List.
v5.10.1April 2022

Main new features / improvements :

  • Cookbook update;
  • PAdES : object modification detection;
  • PAdES : visual signature preview;
  • PAdES : avoid repeated creation of OCSP/CRL tokens;
  • PAdES : enforce signature creation/validation against ISO 32 000 restrictions (DocMDP, Lock, etc.);
  • XAdES and CAdES : added support of extended profiles on validation;
  • ASiC services refactoring (various improvements);
  • WebService to sign a Trusted List;
  • Apple KeyStore as a signature token connection;
  • ED448 signature algorithm support;
  • Demo : new viewer for XML reports;
  • Dependencies upgrade (HttpClient5, BouncyCastle, Santuario, logback, etc.);
  • Java 17 support.

Bug fixes :

  • PAdES : erroneously triggered visual signature difference warning;
  • PAdES : wrong LT-/LTA-level determination for documents with multiple signatures;
  • PAdES : original documents extraction does not work against carriage return;
  • XAdES : NPE on validation of XAdES v.1.1.1, 1.2.2;
  • JAdES : wrong payload computation for 'sigD' with ObjectIdByURI mechanism;
  • ASiC : MimeType is lost on re-signature;
  • Signature policy caching issue;
  • Revocation freshness checks use different values across the code;
  • Demo : jumping rows on collapse of TL-validation table;
  • Demo : inability to sign when encryption algorithm of the token is different from the one used in signature;
  • Demo : wrong encoding on uploaded filenames containing non-ASCII characters.
v5.10March 2022

New features:

  • Add an Apple signature token
  • Add 'user notice' to signature policy
  • PAdES : detect prohibited changes
  • SimpleReport : add timestamp signature scopes
  • Invalid signatures can be made with Revoked and Suspended certificates on level B and T
  • SAV : verify if used digest algorithm for signing-certificate reference is reliable at validation time
  • PAdES : check if a visual signature field is within page size
  • PAdES : alert on restricted signature creation
  • SVC : return possible extension time on failed signature augmentation
  • Add support for SHA-3 with PLAIN-ECDSA and ED448 signature algorithms
  • PAdES : visual signature pre-visualization

Bugs:

  • Add a content timestamp checkbox ignored when signing a digest
  • DSS demo : improve exception escalating on content timestamp creation
v5.10.RC1January 2022

-

v5.9September 2021

Many improvements in the validation reports

  • AIASource introduction : more customizations
  • Customization of revocation collection strategy (OCSP/CRL first)
  • DocumentBuilderFactory securities
  • ECDSA / ECDSA-PLAIN support
  • JAdES (JSON AdES) consolidations
  • PAdES visual signature refactorings / improvements :
  • Image scaling : STRETCH / ZOOM_AND_CENTER / CENTER
  • Text wrapping : BOX_FILL / FILL_BOX_AND_LINEBREAK / FONT_BASIC
  • Dependency upgrades (Santuario, BouncyCastle, PDFBox,…)
  • Java 16 support

Bug fixes :

  • Short term OCSP response
  • On hold certificate
  • Qualification conflict (issuance time / best signing time)
  • ASiC-S can’t be timestamped twice
  • PAdES revision extraction
  • PAdES wrong level detection (files with multiple signatures/timestamps)
  • ETSI Validation report : multiple files / references
v5.9.RC1July 2021-
v5.8February 2021
  • JAdES implementation (ETSI TS 119 182 v0.0.6) : signature creation, extension and validation (advanced electronic signatures based on JWS)
  • PDF Shadow attacks : prevention and detection
  • Counter Signature creation (CAdES, XAdES, JAdES and ASiC containers)
  • Support of the unsigned attribute SignaturePolicyStore (CAdES, XAdES, JAdES and ASiC containers)
  • Support of the QCLimitValue attribute
  • Support of Java 8 up to 15
v5.8.RC1December 2020

-

v5.7August 2020
  • CertificatePool removal and performance ameliorations
  • QWAC validator
  • New design of PDF reports
  • Support of PSD2 attributes
  • Support of EdDSA
  • Signature representation with a timeline
  • Visual signature creation with REST/SOAP webservices
v5.7.RC1

June 2020

-

v5.6March 2020
  • Complete rewriting of the TL/LOTL loading with: 
    • online / offline refresh
    • 3 caches (download / parse / validate)
    • multiple LOTL support
    • multiple TL support (not linked to a LOTL)
    • Pivot LOTL support
    • Synchronization strategy (eg : expired TL/LOTL are rejected/accepted)
    • multi-lingual support (trust service matching)
    • alerting (eg : LOTL/OJ location desynchronization,...)
    • complete reporting (summary of download / parsing / validation)
  • Independant timestamp creation and validation (not linked to a signature, with ASiC and PDF)
  • Timestamp qualification
  • Internationalization of the validation reports
  • Multiple Trusted Sources support
  • XAdES support of different prefixes / versions
 v5.6.RC1January 2020-
 v5.5October 2019
  • The implementation of the ETSI Validation Report
  • The support of Java 12 (multi-release jars)
  • Webservice which allows to validate certificates.
v5.5.RC1August 2019-
v5.4.3August 2019-
v5.4 January 2019
  • Augmentation of signatures with invalid time-stamps, archive-time-stamps and revoked certificates
  • Upgrade to Java 8 or 9
  • Certify documents
  • Add support of KeyHash in OCSP Responses
v5.4.RC1

October 2018

-
v5.3.2 October 2018
  • Following a security assessment from the Ruhr-Universität Bochum, we are delivering security patches for DSS versions 5.2 and 5.3
v5.3.1 July 2018
  • Certificate validation
  • content-timestamps generation
  • SHA-3 support
  • non-EU trusted list(s) support
  • integration of the last version of MOCCA
v5.3 May 2018
  • Certificate validation
  • content-timestamps generation
  • SHA-3 support
  • non-EU trusted list(s) support
  • integration of the last version of MOCCA
v5.3.RC1 April 2018

-

v5.2.1 October 2018Following a security assessment from the Ruhr-Universität Bochum, we are delivering security patches for DSS versions 5.2 and 5.3
v5.2 December 2017
  • Qualification matrix guidelines and documentation
  • Improvements regarding visual representation of a signature

  • Alternative packaging: Image docker / spring-boot

  • CRL streaming, the demo won’t use the X509CRL java object by default (it can be changed). With some signatures, we had large CRLs (+60Mo in Estonia) and that could cause memory issues.
  • RSASSA-PSS support, I received some requests to support these algorithms :
    • SHA1withRSAandMGF1 
    • SHA224withRSAandMGF1
    • SHA256withRSAandMGF1
    • SHA384withRSAandMGF1
    • SHA512withRSAandMGF1
v5.2.RC2

December 2017

-
v5.2.RC1

September 2017


-
v5.1 September 2017-
v5.1.RC1 June 2017-
v5.0 April 2017
  • Refactoring of ASiC format handling, following the ETSI ASiC Plugtest
  • Signature of multiple files (ASiC and XAdES)
  • Integration of the Qualification matrix as described in draft ETSI 119 172-4, for supporting signatures before and after 01/07/2016 (eIDAS entry into force)
  • Migration to PDFBox 2 for handling PDFs
  • Complete refactoring of the ASiC part (creation, extension and validation)
  • Compliance to eIDAS regulation.
v5.0.RC1 January 2017

-

v4.7 October 2016A XAdES PlugTest is planned in October / November 2015. Remaining changes resulting from this PlugTest and not included in v4.6 may be included in this release.

An eSignature Validation PlugTest is planned in April 2016. Depending on the actual timeframe, impacts from this PlugTest may be included in this release, and the release of DSS 4.7 will be postponed accordingly.

Other potential improvements and features:

  • Extension of signature validation policy support
  • CAdES attribute certificates
  • CRL in multiple parts
  • Distributed timestamps method
  • Support of cross-certification in path building
v4.7.RC2 September 2016-
v.4.7.RC1

June 2016


-
v4.6 *08.03.2016

Based on standards:

  • Signature formats when creating a signature: baseline profiles ETSI TS 103 171, 103 172, 103 173, and 103 174
  • Signature formats when validating a signature: baseline profiles, and core specs ETSI TS 101 903, 101 733, 102 778 and 102 918
  • Signature validation process ETSI TS 102 853

Improvements in packaging and core functionalities:

  • CAdES optimisation, CAdES multiple Signer Information. A CAdES PlugTest is occurring in June and July 2015. Changes resulting from this PlugTest will be included in this release. CAdES countersignature will not be supported.
  • Impacts from XAdES PlugTest of October 2015
  • Processing of large files
  • Further refactoring of demo applet (size, validation policy editor)
  • SOAP and REST Web Services
  • Standalone demo application
v4.6.RC218.01.2016-
v4.6.RC1 02.11.2016-
v4.5.0 25.09.2015-
v4.5.0.RC2 18.08.2015-
v4.5.0.RC1 01.07.2015-
v4.4.0 25.06.2015

-


v4.4.RC2 20.04.2015-
v4.4.RC1 05.03.2015-
...

* October 2015: Implementing Acts Art. 27 & 37 (eSig formats)

The main purpose of this milestone is to align DSS on the Implementing Acts of Art. 27, 37 of eIDAS published in September 2015.

Please note that, as these Implementing Acts published in September 2015 will first designate the “former standards” (baseline profiles ETSI TS 103 171, 103 172, 103 173, and 103 174) and not the upcoming ETSI EN 319 1x2, it was decided to rename this release as DSS 4.6 and not DSS 5.0. The major version DSS 5.0 will be used when these Implementing Acts will be modified in 2016 to point to ETSI EN 319 1x2.




Security information

Following a security assessment from the Ruhr-Universität Bochum, we are delivering security patches for DSS versions 5.2 and 5.3.

Delivered patches are:

(warning)  Please consider that use of older versions should be discouraged.  (warning)

XAdES / ASiC with XAdES / TL-based signature validation

If your DSS integration is using XAdES, ASiC with XAdES, or TL-based signature validation, it is strongly encouraged to upgrade your version.

The patches enforce signature validations against different kinds of attack: XML Signature Wrapping (XSW), XPath injections, Server Side Request Forgeries (SSRF) and XML External Entities (XEE).

While upgrading, be sure that your integration :

    • doesn't use Xalan or XercesImpl dependencies
    • uses a patched Java version (JDK7u40+, JDK8 or higher)

PAdES

If you use dss-pades, it is also strongly encouraged to upgrade your DSS version, as these releases include a fix of PdfBox to patch vulnerabilities.


Contribute

If you would like to speak to us about suggested improvement for Digital Europe eSignature, we would love to hear from you. Please contact us by clicking on the button below.

Click here to see the DSS Jira project's current issue list.



Thanks for downloading DSS

We would greatly appreciate if you could also help us enhance the user experience of this website and fill in this survey to tell us who you are:

In compliance with our record and privacy statement, I accept that CEF uses the information I have provided for:

 
I don't wish to participate