Merge branch 'develop'

open-eid · May 31, 2022 · 7f37926 · 7f37926
2 parents 2c7d07b + 128385d
commit 7f37926
Show file tree

Hide file tree

Showing 150 changed files with 6,433 additions and 3,659 deletions.
diff --git a/.github/workflows/digidoc4j-verify.yml b/.github/workflows/digidoc4j-verify.yml
@@ -19,7 +19,7 @@ jobs:
     strategy:
       matrix:
         os: [ ubuntu-20.04 ]
-        java: [ 8, 11, 15 ]
+        java: [ 8, 11, 17 ]
     steps:
       - uses: actions/checkout@v2
       - name: Set up JDK

diff --git a/.../wrapper/dists/apache-maven-3.8.3-bin.zip → .../wrapper/dists/apache-maven-3.8.5-bin.zip b/.../wrapper/dists/apache-maven-3.8.3-bin.zip → .../wrapper/dists/apache-maven-3.8.5-bin.zip
diff --git a/.mvn/wrapper/maven-wrapper.properties b/.mvn/wrapper/maven-wrapper.properties
@@ -1 +1 @@
-distributionUrl=https://repo1.maven.org/maven2/org/apache/maven/apache-maven/3.8.3/apache-maven-3.8.3-bin.zip
+distributionUrl=https://repo1.maven.org/maven2/org/apache/maven/apache-maven/3.8.5/apache-maven-3.8.5-bin.zip
diff --git a/README.md b/README.md
@@ -28,7 +28,7 @@ DigiDoc4j is a Java library for digitally signing documents and creating digital
   * **LT** (Long Term) - Signature with **time-stamp** and **OCSP** (both "regular" and AIA OCSP are supported).
   * **LTA** (Long Term Archival) -  signature format has additional **archival time-stamp** to LT profile.
 * **.asice** or **.sce** file is in fact a ZIP container with the signed files, the signatures and the protocol control information and can basically be opened by any program that recognizes the ZIP format.
-* It is recommended not to use special characters in the data file’s name, i.e. it is suggested to use only the characters that are categorized as “unreserved” according to RFC3986 (http://tools.ietf.org/html/rfc3986).
+* It is recommended not to use special characters in the data file’s name, i.e. it is suggested to use only the characters that are categorized as “unreserved” according to RFC3986 (https://datatracker.ietf.org/doc/html/rfc3986).
 
 # BDOC (Estonian specific implementation of Associated Signature Container Extended) container format
 * Has **.bdoc** extension
@@ -40,7 +40,7 @@ DigiDoc4j is a Java library for digitally signing documents and creating digital
   * **LT_TM** (Long Term TimeMark) - signature has **time-mark** ensuring long-term provability of the authenticity of the signature.
     * It is based on **XAdES baseline LT** signature format.
 * **.bdoc** file is in fact a ZIP container with the signed files, the signatures and the protocol control information and can basically be opened by any program that recognizes the ZIP format.
-* It is recommended not to use special characters in the data file’s name, i.e. it is suggested to use only the characters that are categorized as “unreserved” according to RFC3986 (http://tools.ietf.org/html/rfc3986).
+* It is recommended not to use special characters in the data file’s name, i.e. it is suggested to use only the characters that are categorized as “unreserved” according to RFC3986 (https://datatracker.ietf.org/doc/html/rfc3986).
 
 # ASiC-S (ASiC-E - Associated Signature Container Simple) container format
 * Has **.asics** or **.scs** extension
@@ -62,17 +62,17 @@ DigiDoc4j is a Java library for digitally signing documents and creating digital
 * [Examples](https://github.com/open-eid/digidoc4j/wiki/Examples-of-using-it)
 * [Wiki](https://github.com/open-eid/digidoc4j/wiki)
 * [Architecture of ID-software](http://open-eid.github.io/)
-* [Digital signature formats](https://www.id.ee/en/rubriik/digital-signing/)
-* [BDOC 2.1.2 specification](http://id.ee/wp-content/uploads/2020/06/bdoc-spec212-eng.pdf)
+* [Digital signature formats](http://www.id.ee/index.php?id=36108)
+* [BDOC 2.1.2 specification](https://www.id.ee/wp-content/uploads/2021/06/bdoc-spec212-eng.pdf)
 * [DDOC specification](https://www.id.ee/wp-content/uploads/2020/08/digidoc_format_1.3.pdf)
 
 # Requirements
 * Java **8** (since version 4.0.0-RC.1)
 * Internet access to external verification services
- * OCSP (Online Certificate Status Protocol) - http://ocsp.sk.ee
- * EU TSL (European Commission's Trusted Status List) - https://ec.europa.eu/information_society/policy/esignature/trusted-list/tl-mp.xml
- * All the EU member states' TL servers referred in the EU TSL. Note that this list may change. (e.g. https://sr.riik.ee/tsl/estonian-tsl.xml, https://sede.minetur.gob.es/Prestadores/TSL/TSL.xml, https://www.viestintavirasto.fi/attachments/TSL-Ficora.xml etc.)
- * TSA (Time Stamping Authority) - http://tsa.sk.ee
+* OCSP (Online Certificate Status Protocol) - http://ocsp.sk.ee
+* EU TSL (European Commission's Trusted Status List) - https://ec.europa.eu/information_society/policy/esignature/trusted-list/tl-mp.xml
+* All the EU member states' TL servers referred in the EU TSL. Note that this list may change. (e.g. https://sr.riik.ee/tsl/estonian-tsl.xml, https://sede.minetur.gob.es/Prestadores/TSL/TSL.xml, https://www.viestintavirasto.fi/attachments/TSL-Ficora.xml etc.)
+* TSA (Time Stamping Authority) - http://tsa.sk.ee
 
 ## Maven
 You can use the library as a Maven dependency from the Maven Central (http://mvnrepository.com/artifact/org.digidoc4j/digidoc4j)
@@ -81,7 +81,7 @@ You can use the library as a Maven dependency from the Maven Central (http://mvn
 <dependency>
 	<groupId>org.digidoc4j</groupId>
 	<artifactId>digidoc4j</artifactId>
-	<version>4.x.x</version>
+	<version>5.x.x</version>
 </dependency>
 ```
 

diff --git a/RELEASE-NOTES.txt b/RELEASE-NOTES.txt
@@ -1,6 +1,79 @@
 DigiDoc4J Java library release notes
 ------------------------------------
 
+Release 5.0.0
+------------------
+Summary of the major changes since 4.3.0
+------------------------------------------
+* DSS version update to 5.9 (sd-dss.5.9.d4j.1), previously used DSS 5.8. Check changes in DSS here: https://github.com/esig/dss/releases
+* Pivot LOTL support (https://ec.europa.eu/tools/lotl/pivot-lotl-explanation.html):
+  - pivot LOTL support is enabled by default for PROD mode
+  - pivot LOTL support is configurable via Configuration.setLotlPivotSupportEnabled(boolean) and LOTL_PIVOT_SUPPORT_ENABLED configuration parameter
+* Improved digest algorithm selection:
+  - signature digest algorithm and datafile digest algorithm are separately configurable
+  - for ECC signatures, the default signature digest algorithm depends on the key length
+* Changes in handling the encoded datafile names in signatures:
+  - a '+' sign in an encoded data file name is decoded as '+' instead of a whitespace
+* TSL loading default connection and socket timeouts increased to 1 minute
+* TSL refresh callbacks. More information can be found here: https://github.com/open-eid/digidoc4j/wiki/Questions-&-Answers#tsl-refresh-callbacks-since-version-500
+* Separate configurability for HTTP and HTTPS proxy user and password
+* Refactoring of LOTL configuration API (Configuration class and YAML configuration parameters):
+  - added setLotlLocation(String) and getLotlLocation() methods, LOTL_LOCATION parameter (deprecated setTslLocation(String), getTslLocation() and TSL_LOCATION)
+  - added setLotlTruststorePath(String) and getLotlTruststorePath(String) methods, LOTL_TRUSTSTORE_PATH parameter (deprecated setTslKeyStoreLocation(String), getTslKeyStoreLocation() and TSL_KEYSTORE_LOCATION)
+  - added setLotlTruststorePassword(String) and getLotlTruststorePassword() methods, LOTL_TRUSTSTORE_PASSWORD parameter (deprecated setTslKeyStorePassword(String), getTslKeyStorePassword() and TSL_KEYSTORE_PASSWORD)
+  - added setLotlTruststoreType(String) and getLotlTruststoreType() methods, LOTL_TRUSTSTORE_TYPE parameter (set the default to "PKCS12" instead of "JKS")
+* Removal of old API-s that were deprecated before the version 4.0.0; an inconclusive list of removed public API-s:
+  - methods removed from Configuration class:
+    - void enableBigFilesSupport(long)
+    - boolean isBigFilesSupportEnabled()
+  - methods removed from Container interface and its implementing classes:
+    - void addRawSignature(byte[])
+    - void addRawSignature(InputStream)
+    - int countDataFiles()
+    - int countSignatures()
+    - void extendTo(SignatureProfile)
+    - DataFile getDataFile(int)
+    - DigestAlgorithm getDigestAlgorithm()
+    - DocumentType getDocumentType()
+    - Signature getSignature(int)
+    - String getSignatureProfile()
+    - String getVersion()
+    - SignedInfo prepareSigning(X509Certificate)
+    - void removeDataFile(String)
+    - void removeSignature(int)
+    - void save(String)
+    - void setSignatureParameters(SignatureParameters)
+    - void setSignatureProfile(SignatureProfile)
+    - Signature signRaw(byte[])
+    - Signature sign(SignatureToken)
+  - methods removed from Signature interface and its implementing classes:
+    - String getPolicy()
+    - Date getProducedAt()
+    - byte[] getRawSignature()
+    - URI getSignaturePolicyURI()
+    - Date getSigningTime()
+    - List<DigiDoc4JException> validate()
+  - DigestDataFile(String, DigestAlgorithm, byte[]) constructor without mimetype
+  - Signer interface and PKCS12Signer class
+* Removal of custom TSL TLS trust-store:
+  - by default, Java TLS trust-store is used for both PROD and TEST modes
+  - no custom TSL TLS trust-store is shipped with DigiDoc4J library
+* DataFile digest calculation and memory usage improvements:
+  - reduction of making redundant in-memory copies of the contents of datafiles
+  - improved calculation and caching of digest values
+* Dependencies update
+
+Known issues
+------------
+* We have noticed a slight increase in TSL loading times due to pivot LOTL support
+* We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
+* Opening a container that contains signatures, triggers TSL loading (TSL lazy loading does not work as expected)
+* While upgrading from versions older than 2.1.1 be sure that your integration :
+  - doesn't use Xalan or XercesImpl dependencies
+  - uses a patched Java version (JDK8 or higher)
+    Xalan and XercesImpl were used to patch XML vulnerabilities in older java versions. They should be discarded with higher versions because they override default Java XML security.
+    If it is not possible to remove Xalan, then you can set your system property to override TransformerFactory : System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");
+
 Release 4.3.0
 ------------------
 Summary of the major changes since 4.2.2

diff --git a/ddoc4j/pom.xml b/ddoc4j/pom.xml
@@ -3,10 +3,9 @@
 
     <modelVersion>4.0.0</modelVersion>
 
-    <groupId>org.digidoc4j</groupId>
     <artifactId>ddoc4j</artifactId>
     <packaging>jar</packaging>
-    <version>4.3.0</version>
+    <version>5.0.0</version>
 
     <name>DDoc4J</name>
     <description>DDoc4J is Java Library for validating DDOC documents. It's not recommended to use it directly but rather through DigiDoc4J's API.</description>
@@ -15,7 +14,7 @@
     <parent>
         <artifactId>digidoc4j-parent</artifactId>
         <groupId>org.digidoc4j</groupId>
-        <version>4.3.0</version>
+        <version>5.0.0</version>
     </parent>
 
     <dependencies>

diff --git a/digidoc4j/pom.xml b/digidoc4j/pom.xml
@@ -4,10 +4,9 @@
 
     <modelVersion>4.0.0</modelVersion>
 
-    <groupId>org.digidoc4j</groupId>
     <artifactId>digidoc4j</artifactId>
     <packaging>jar</packaging>
-    <version>4.3.0</version>
+    <version>5.0.0</version>
 
     <name>DigiDoc4j</name>
     <description>DigiDoc4j is a Java library for digitally signing documents and creating digital signature containers
@@ -18,16 +17,16 @@
     <parent>
         <artifactId>digidoc4j-parent</artifactId>
         <groupId>org.digidoc4j</groupId>
-        <version>4.3.0</version>
+        <version>5.0.0</version>
     </parent>
 
     <properties>
         <hamcrest.version>2.2</hamcrest.version>
-        <logback-classic.version>1.2.7</logback-classic.version>
-        <jackson.version>2.13.0</jackson.version>
+        <logback-classic.version>1.2.11</logback-classic.version>
+        <jackson.version>2.13.3</jackson.version>
         <junit.version>4.13.2</junit.version>
         <dss.groupId>org.digidoc4j.dss</dss.groupId>
-        <dss.version>5.8.d4j.1</dss.version>
+        <dss.version>5.9.d4j.1</dss.version>
         <dss.util.build>${project.build.directory}/build/util</dss.util.build>
         <dss.util.lib>${project.build.directory}/library/util</dss.util.lib>
         <dss.zip.lib>${project.build.directory}/library/zip</dss.zip.lib>
@@ -45,7 +44,7 @@
         <dependency>
             <artifactId>ddoc4j</artifactId>
             <groupId>org.digidoc4j</groupId>
-            <version>4.3.0</version>
+            <version>5.0.0</version>
         </dependency>
 
         <dependency>
@@ -76,11 +75,6 @@
             <artifactId>commons-lang3</artifactId>
             <version>3.12.0</version>
         </dependency>
-        <dependency>
-            <groupId>commons-logging</groupId>
-            <artifactId>commons-logging</artifactId>
-            <version>1.2</version>
-        </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-collections4</artifactId>
@@ -94,7 +88,7 @@
         <dependency>
             <groupId>org.apache.santuario</groupId>
             <artifactId>xmlsec</artifactId>
-            <version>2.1.7</version>
+            <version>2.2.4</version>
             <exclusions>
                 <exclusion>
                     <groupId>org.codehaus.woodstox</groupId>
@@ -105,7 +99,7 @@
         <dependency>
             <groupId>org.yaml</groupId>
             <artifactId>snakeyaml</artifactId>
-            <version>1.29</version>
+            <version>1.30</version>
         </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
@@ -208,11 +202,10 @@
                 </exclusion>
             </exclusions>
         </dependency>
-        <!-- TODO: this overrides vulnerable pdfbox version in DSS; remove this after pdfbox version in DSS has been updated above 2.0.22! -->
         <dependency>
             <groupId>org.apache.pdfbox</groupId>
             <artifactId>pdfbox</artifactId>
-            <version>2.0.24</version>
+            <version>2.0.26</version>
         </dependency>
         <dependency>
             <groupId>${dss.groupId}</groupId>
@@ -243,7 +236,7 @@
         <dependency>
             <groupId>org.glassfish.jaxb</groupId>
             <artifactId>jaxb-runtime</artifactId>
-            <version>2.3.5</version>
+            <version>2.3.6</version>
         </dependency>
         <dependency>
             <groupId>javax.activation</groupId>
@@ -253,7 +246,7 @@
         <dependency>
             <groupId>com.sun.xml.bind</groupId>
             <artifactId>jaxb-impl</artifactId>
-            <version>2.3.5</version>
+            <version>2.3.6</version>
         </dependency>
         <dependency>
             <groupId>com.sun.xml.bind</groupId>
@@ -287,7 +280,7 @@
         <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-core</artifactId>
-            <version>3.12.4</version>
+            <version>4.5.1</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -323,7 +316,7 @@
         <dependency>
             <groupId>com.github.tomakehurst</groupId>
             <artifactId>wiremock-jre8</artifactId>
-            <version>2.31.0</version>
+            <version>2.33.2</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -359,7 +352,7 @@
         <dependency>
             <groupId>org.json</groupId>
             <artifactId>json</artifactId>
-            <version>20210307</version>
+            <version>20220320</version>
             <scope>test</scope>
             <exclusions>
                 <exclusion>
@@ -521,7 +514,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-antrun-plugin</artifactId>
-                <version>3.0.0</version>
+                <version>3.1.0</version>
                 <executions>
                     <execution>
                         <id>ant-util-zip</id>
@@ -613,12 +606,12 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-install-plugin</artifactId>
-                <version>2.5.2</version>
+                <version>3.0.0-M1</version>
             </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-gpg-plugin</artifactId>
-                <version>1.6</version>
+                <version>3.0.1</version>
                 <executions>
                     <execution>
                         <id>sign-artifacts</id>
@@ -639,7 +632,7 @@
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-install-plugin</artifactId>
-                    <version>2.5.2</version>
+                    <version>3.0.0-M1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
@@ -656,12 +649,12 @@
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-jar-plugin</artifactId>
-                    <version>3.2.0</version>
+                    <version>3.2.2</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-shade-plugin</artifactId>
-                    <version>3.2.4</version>
+                    <version>3.3.0</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
@@ -671,7 +664,7 @@
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-release-plugin</artifactId>
-                    <version>2.5.3</version>
+                    <version>3.0.0-M5</version>
                     <configuration>
                         <autoVersionSubmodules>true</autoVersionSubmodules>
                         <tagNameFormat>${project.version}</tagNameFormat>
@@ -700,27 +693,27 @@
                 <plugin>
                     <groupId>org.jvnet.jaxb2.maven2</groupId>
                     <artifactId>maven-jaxb2-plugin</artifactId>
-                    <version>0.14.0</version>
+                    <version>0.15.1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-deploy-plugin</artifactId>
-                    <version>2.8.2</version>
+                    <version>3.0.0-M2</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-antrun-plugin</artifactId>
-                    <version>3.0.0</version>
+                    <version>3.1.0</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-gpg-plugin</artifactId>
-                    <version>1.6</version>
+                    <version>3.0.1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.sonatype.plugins</groupId>
                     <artifactId>nexus-staging-maven-plugin</artifactId>
-                    <version>1.6.8</version>
+                    <version>1.6.13</version>
                     <extensions>true</extensions>
                     <configuration>
                         <serverId>ossrh</serverId>