Releases: open-eid/digidoc4j
Releases · open-eid/digidoc4j
Release 5.3.1
Summary of the major changes since 5.3.0
- Updated DSS to 6.0.d4j.2 in order to fix memory leak issue in
XAdESSignature
- Updated Bouncy Castle to 1.78.1
- Fixed/updated unit tests
Known issues
- We have noticed a slight increase in TSL loading times due to pivot LOTL support
- We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
- Opening a container that contains signatures, triggers TSL loading (TSL lazy loading does not work as expected)
Release 5.3.0
Summary of the major changes since 5.2.0
- DSS version update to 6.0 (sd-dss.6.0.d4j.1), previously used DSS 5.11.1. Check changes in DSS here: https://github.com/esig/dss/releases
DSS update has caused the following notable changes to dependencies:- Migration from Javax to Jakarta namespace
- JAXB dependencies updated from 2.3.X to 3.0.X
- Apache Santuario xmlsec updated from 2.3.X to 3.0.X
- Bouncy Castle updated from jdk15on:1.70 to jdk18on:1.76
- SLF4J updated from 1.7.X to 2.0.X
- Prefer to use AIA OCSP by default on signature creation
- In DigiDoc4J command line utility, deprecated
-aiaocsp
parameter and added new-noaiaocsp
parameter
- In DigiDoc4J command line utility, deprecated
- TEST mode default timestamp URL updated to http://tsa.demo.sk.ee/tsa
- Changes in validation policies
- Updated dependencies
Known issues
- EDIT 10.06.2024: NB! Underlying DSS library version used in this release has memory leak since DSS 5.13.RC1. We are working on fixing it ASAP.
- At the time of release, the newest supported Bouncy Castle version is 1.76
Bouncy Castle version 1.77 causes OCSP response parsing to fail - We have noticed a slight increase in TSL loading times due to pivot LOTL support
- We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
- Opening a container that contains signatures, triggers TSL loading (TSL lazy loading does not work as expected)
Release 5.2.0
Summary of the major changes since 5.1.0
- Disabled the possibility to create signatures with LT_TM and B_EPES profiles
- Fixed OCSP request nonce encoding (in
CommonOCSPSource
) on signature creation - OCSP nonce, used inid-pkix-ocsp-nonce
OCSP extension, is now a DER-encoded OCTET STRING, which is encapsulated as another OCTET STRING (see RFC 4366, section 3.6 and RFC 6961, section 2.2) - Deprecated "full report" configuration flag, as enabling it can produce false negative validation results in some cases:
- Deprecated
setFullReportNeeded
andisFullReportNeeded
methods inConfiguration
class - Deprecated
-err
/-showerrors
command line option in DigiDoc4J command line utility
- Deprecated
- Updated dependencies
Known issues
- We have noticed a slight increase in TSL loading times due to pivot LOTL support
- We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
- Opening a container that contains signatures, triggers TSL loading (TSL lazy loading does not work as expected)
- While upgrading from versions older than 2.1.1 be sure that your integration :
- doesn't use Xalan or XercesImpl dependencies
- uses a patched Java version (JDK8 or higher)
Xalan and XercesImpl were used to patch XML vulnerabilities in older java versions. They should be discarded with higher versions because they override default Java XML security.
If it is not possible to remove Xalan, then you can set your system property to override TransformerFactory : System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");
Release 5.1.0
Summary of the major changes since 5.0.0
- DSS version update to 5.11.1 (sd-dss.5.11.1.d4j.1), previously used DSS 5.9. Check changes in DSS here: https://github.com/esig/dss/releases
- identification of timemark signatures was improved in DSS
- The functionality to add timestamp tokens to ASiC-S containers was deprecated and will be removed in the future (see also https://www.id.ee/en/article/the-next-version-of-the-id-card-software-will-introduce-several-significant-changes/)
- Added default TLS configuration for outbound connections in default "digidoc4j.yaml" and "digidoc-test.yaml" files
- default TLS protocol: TLSv1.3
- supported protocols: TLSv1.2 ja TLSv1.3
- configured a set of enabled TLSv1.2 and TLSv1.3 cipher suites
- Improved
META-INF/manifest.xml
file creation for ASiC containers- the manifest tag in newly create ASiC containers now has a version attribute with value
1.2
- the manifest tag in newly create ASiC containers now has a version attribute with value
- Deprecated input parsing constructors of ASiC container classes - it is encouraged to use
ContainerOpener
andContainerBuilder
instead - API improvements:
- added possibility to configure custom AIA sources (via AIA source factories)
- deprecated possibility to configure AIA data loaders (via AIA data loader factories)
- Dependencies update
Known issues
- We have noticed a slight increase in TSL loading times due to pivot LOTL support
- We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
- Opening a container that contains signatures, triggers TSL loading (TSL lazy loading does not work as expected)
- While upgrading from versions older than 2.1.1 be sure that your integration :
- doesn't use Xalan or XercesImpl dependencies
- uses a patched Java version (JDK8 or higher)
Xalan and XercesImpl were used to patch XML vulnerabilities in older java versions. They should be discarded with higher versions because they override default Java XML security.
If it is not possible to remove Xalan, then you can set your system property to override TransformerFactory : System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");
Release 5.0.0
Summary of the major changes since 4.3.0
- DSS version update to 5.9 (sd-dss.5.9.d4j.1), previously used DSS 5.8. Check changes in DSS here: https://github.com/esig/dss/releases
- Pivot LOTL support (https://ec.europa.eu/tools/lotl/pivot-lotl-explanation.html):
- pivot LOTL support is enabled by default for
PROD
mode - pivot LOTL support is configurable via
Configuration.setLotlPivotSupportEnabled(boolean)
andLOTL_PIVOT_SUPPORT_ENABLED
configuration parameter
- pivot LOTL support is enabled by default for
- Improved digest algorithm selection:
- signature digest algorithm and datafile digest algorithm are separately configurable
- for ECC signatures, the default signature digest algorithm depends on the key length
- Changes in handling the encoded datafile names in signatures:
- a
+
sign in an encoded data file name is decoded as+
instead of a whitespace
- a
- TSL loading default connection and socket timeouts increased to 1 minute
- TSL refresh callbacks. More information can be found from the wiki
- Separate configurability for HTTP and HTTPS proxy user and password
- Refactoring of LOTL configuration API (Configuration class and YAML configuration parameters):
- added
setLotlLocation(String)
andgetLotlLocation()
methods,LOTL_LOCATION
parameter (deprecatedsetTslLocation(String)
,getTslLocation()
andTSL_LOCATION
) - added
setLotlTruststorePath(String)
andgetLotlTruststorePath(String)
methods,LOTL_TRUSTSTORE_PATH
parameter (deprecatedsetTslKeyStoreLocation(String)
,getTslKeyStoreLocation()
andTSL_KEYSTORE_LOCATION
) - added
setLotlTruststorePassword(String)
andgetLotlTruststorePassword()
methods,LOTL_TRUSTSTORE_PASSWORD
parameter (deprecatedsetTslKeyStorePassword(String)
,getTslKeyStorePassword()
andTSL_KEYSTORE_PASSWORD
) - added
setLotlTruststoreType(String)
andgetLotlTruststoreType()
methods,LOTL_TRUSTSTORE_TYPE
parameter (set the default to "PKCS12" instead of "JKS")
- added
- Removal of old API-s that were deprecated before the version 4.0.0; an inconclusive list of removed public API-s:
- methods removed from
Configuration
class:- void enableBigFilesSupport(long)
- boolean isBigFilesSupportEnabled()
- methods removed from
Container
interface and its implementing classes:- void addRawSignature(byte[])
- void addRawSignature(InputStream)
- int countDataFiles()
- int countSignatures()
- void extendTo(SignatureProfile)
- DataFile getDataFile(int)
- DigestAlgorithm getDigestAlgorithm()
- DocumentType getDocumentType()
- Signature getSignature(int)
- String getSignatureProfile()
- String getVersion()
- SignedInfo prepareSigning(X509Certificate)
- void removeDataFile(String)
- void removeSignature(int)
- void save(String)
- void setSignatureParameters(SignatureParameters)
- void setSignatureProfile(SignatureProfile)
- Signature signRaw(byte[])
- Signature sign(SignatureToken)
- methods removed from
Signature
interface and its implementing classes:- String getPolicy()
- Date getProducedAt()
- byte[] getRawSignature()
- URI getSignaturePolicyURI()
- Date getSigningTime()
- List validate()
DigestDataFile(String, DigestAlgorithm, byte[])
constructor without mimetypeSigner
interface andPKCS12Signer
class
- methods removed from
- Removal of custom TSL TLS trust-store:
- by default, Java TLS trust-store is used for both PROD and TEST modes
- no custom TSL TLS trust-store is shipped with DigiDoc4J library
DataFile
digest calculation and memory usage improvements:- reduction of making redundant in-memory copies of the contents of datafiles
- improved calculation and caching of digest values
- Dependencies update
Known issues
- We have noticed a slight increase in TSL loading times due to pivot LOTL support
- We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
- Opening a container that contains signatures, triggers TSL loading (TSL lazy loading does not work as expected)
- While upgrading from versions older than 2.1.1 be sure that your integration :
- doesn't use Xalan or XercesImpl dependencies
- uses a patched Java version (JDK8 or higher)
Xalan and XercesImpl were used to patch XML vulnerabilities in older java versions. They should be discarded with higher versions because they override default Java XML security.
If it is not possible to remove Xalan, then you can set your system property to override TransformerFactory : System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");
Release 4.3.0
Summary of the major changes since 4.2.2
- DSS version update to 5.8 (sd-dss.5.8.d4j.1), previously used DSS 5.7. Check changes in DSS here: https://github.com/esig/dss/releases
- CommonOCSPSource improvements of building certificate chain from OCSP certificate to trust anchor in TSL
- ContainerBuilder thread-safety improvements
- TSL TLS truststore update
- Dependencies update
Known issues
- We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
- Opening a container that contains signatures, triggers TSL loading (TSL lazy loading does not work as expected)
- While upgrading from versions older than 2.1.1 be sure that your integration :
- doesn't use Xalan or XercesImpl dependencies
- uses a patched Java version (JDK8 or higher)
Xalan and XercesImpl were used to patch XML vulnerabilities in older java versions. They should be discarded with higher versions because they override default Java XML security.
If it is not possible to remove Xalan, then you can set your system property to override TransformerFactory : System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");
Release 4.2.2
Summary of the major changes since 4.2.1
- Update LOTL signer certificates' truststore
- Update TSL TLS truststore
- Update org.apache.santuario:xmlsec dependency
Known issues
- ContainerBuilder instances share mutable state which may cause unexpected behaviour while concurrently using multiple ContainerBuilder instances which have been created for different container types. This problem have been present since version 2.0.0 but may be more problematic after version 3.1.1. For more info see here.
- We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
- Opening a container that contains signatures, triggers TSL loading (TSL lazy loading does not work as expected)
- While upgrading from versions older than 2.1.1 be sure that your integration :
- doesn't use Xalan or XercesImpl dependencies
- uses a patched Java version (JDK8 or higher)
Xalan and XercesImpl were used to patch XML vulnerabilities in older java versions. They should be discarded with higher versions because they override default Java XML security.
If it is not possible to remove Xalan, then you can set your system property to override TransformerFactory : System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");
Release 4.2.1
Summary of the major changes since 4.2.0
- ZIP-bombing detection improvements and configurability
- Upgrade of TSL TLS truststore
- Dependencies update
Known issues
- ContainerBuilder instances share mutable state which may cause unexpected behaviour while concurrently using multiple ContainerBuilder instances which have been created for different container types. This problem have been present since version 2.0.0 but may be more problematic after version 3.1.1. For more info see here.
- We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
- Opening a container that contains signatures, triggers TSL loading (TSL lazy loading does not work as expected)
- While upgrading from versions older than 2.1.1 be sure that your integration :
- doesn't use Xalan or XercesImpl dependencies
- uses a patched Java version (JDK8 or higher)
Xalan and XercesImpl were used to patch XML vulnerabilities in older java versions. They should be discarded with higher versions because they override default Java XML security.
If it is not possible to remove Xalan, then you can set your system property to override TransformerFactory : System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");
Release 4.2.0
Summary of the major changes since 4.1.1
- ZIP-bomb attack protection
- If not specified, create ASiC-E (instead of BDOC) containers by default
- NB! Keep in mind that it is not possible to add LT_TM profile signatures to ASiC-E containers. If you need LT_TM profile signatures, container type must be set to BDOC.
- Search BDOC TM signature OCSP certificate from OCSP token first and then from the unsigned properties of the signature
- Limitations for empty (0-byte) datafiles:
- Adding empty datafiles to containers is not permitted; signing containers containing empty datafiles is not permitted
- Validating containers containing empty datafiles adds additional container warnings
- Changes in validation policies
- Upgrade of TSL TLS truststore
- Dependencies update
- Bug fixes
Known issues
- We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
- Opening a container that contains signatures, triggers TSL loading (TSL lazy loading does not work as expected)
- While upgrading from versions older than 2.1.1 be sure that your integration :
- doesn't use Xalan or XercesImpl dependencies
- uses a patched Java version (JDK8 or higher)
Xalan and XercesImpl were used to patch XML vulnerabilities in older java versions. They should be discarded with higher versions because they override default Java XML security.
If it is not possible to remove Xalan, then you can set your system property to override TransformerFactory : System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");
Release 4.1.1
Signer certificate for the EU List of eIDAS Trusted Lists (LOTL) was changed on 25.03.2021. This resulted in failure to sign or validate signatures with DD4J version 4.1.0.
Current version of DD4J (4.1.1) must be used to ensure that signing and signature validation works.
It is also possible to create a new custom keystore according to https://github.com/open-eid/digidoc4j/wiki/Questions-&-Answers#how-to-add-trust-for-new-eu-tsl-signing-certificates.
Summary of the major changes since 4.1.0
- Updated LOTL signer certificates in truststore
Known issues
- We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
- Opening a container that contains signatures, triggers TSL loading (TSL lazy loading does not work as expected)
- While upgrading from versions older than 2.1.1 be sure that your integration :
- doesn't use Xalan or XercesImpl dependencies
- uses a patched Java version (JDK8 or higher)
Xalan and XercesImpl were used to patch XML vulnerabilities in older java versions. They should be discarded with higher versions because they override default Java XML security.
If it is not possible to remove Xalan, then you can set your system property to override TransformerFactory : System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");