Release 6.0.0-RC.1

Summary of the major changes since 5.3.1

• Improved LTA support
  • LTA signatures can be extended repeatedly
    • Each extension adds a new LTA archive timestamp to the signature, extending its long term availability and integrity
  • Specific signatures to extend inside a container can be explicitly specified
    • Signatures can be extended one at a time
• Improved support for ASiC-S containers with timestamp tokens
  • Timestamp tokens are now created and validated using DSS
    • Validation rules are stricter: old timestamp tokens from withdrawn services produce warnings
      • Re-timestamping of old timestamped ASiC-S containers is recommended to avoid future incompatibilities
  • ASiC-S containers now support multiple timestamp tokens
    • Each new timestamp token covers container's data file and previous timestamp tokens, extending the container's long term availability and integrity
  • New API for adding timestamp tokens to, removing from, and querying from containers (analogous to signatures API)
    • New Timestamp interface for interacting with an individual timestamp token
    • TimestampBuilder for creating timestamp tokens
  • Deprecation of old API-s:
    • Classes: TimeStampTokenValidator
    • Methods in Container interface and its implementing classes, AsicParseResult class:
      • void setTimeStampToken(DataFile)
      • DataFile getTimeStampToken()
    • Methods in AsicContainerCreator class:
      • void writeTimestampToken(DataFile)
• Support for composite containers
  • Inside timestamped ASiC-S containers, nested ASiC, BDOC, and DDOC containers are supported
  • New CompositeContainer interface for identifying composite containers
    • API methods for accessing the contents of a nested container inside a timestamped ASiC-S container
  • CompositeContainerBuilder for wrapping an existing container inside a timestamped ASiC-S container
  • Validating a composite container, also triggers validation of its nested container
    • A nested container is validated against the creation time of the earliest valid timestamp token of its parent container
    • Validation results/reports contain the aggregated results of both nesting and nested containers
• Support for creating T profile signatures
• Improved configurability
  • Added possibility to configure custom OCSP sources (via OCSP source factories)
  • Added possibility to configure separate timestamp service to be used for archive timestamps
  • Added possibility to configure digest algorithms to be used for archive timestamps
• Improved ContainerValidationResult
  • Validation results of individual signatures and timestamp tokens are now accessible via their unique IDs
  • New API methods:
    • ValidationResult getValidationResult(String)
    • List<String> getSignatureIdList()
    • List<String> getTimestampIdList()
• Removed "META-INF/manifest.xml" requirement for signed ASiC-S containers
• Stricter rules for parsing ASiC-S containers
  • ASiC-S containers with illegal or unsupported contents fail to parse (for more information, see DigiDoc4j wiki)
• Changes in validation policies
  • Allow timestamps from TSA/QTST services only
• Updated dependencies

Known issues

• We have noticed a decrease in performance of parsing/validating XAdES signatures that cover numerous data files since updating to DSS 6.0
• We have noticed a slight increase in TSL loading times due to pivot LOTL support
• We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
• Opening a container that contains signatures, triggers TSL loading (TSL lazy loading does not work as expected)

Release 5.3.1

Summary of the major changes since 5.3.0

• Updated DSS to 6.0.d4j.2 in order to fix memory leak issue in XAdESSignature
• Updated Bouncy Castle to 1.78.1
• Fixed/updated unit tests

Known issues

• EDIT 05.12.2024: We have noticed a decrease in performance of parsing/validating XAdES signatures that cover numerous data files since updating to DSS 6.0
• We have noticed a slight increase in TSL loading times due to pivot LOTL support
• We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
• Opening a container that contains signatures, triggers TSL loading (TSL lazy loading does not work as expected)

Release 5.3.0

Summary of the major changes since 5.2.0

• DSS version update to 6.0 (sd-dss.6.0.d4j.1), previously used DSS 5.11.1. Check changes in DSS here: https://github.com/esig/dss/releases
  DSS update has caused the following notable changes to dependencies:
  • Migration from Javax to Jakarta namespace
  • JAXB dependencies updated from 2.3.X to 3.0.X
  • Apache Santuario xmlsec updated from 2.3.X to 3.0.X
  • Bouncy Castle updated from jdk15on:1.70 to jdk18on:1.76
  • SLF4J updated from 1.7.X to 2.0.X
• Prefer to use AIA OCSP by default on signature creation
  • In DigiDoc4J command line utility, deprecated -aiaocsp parameter and added new -noaiaocsp parameter
• TEST mode default timestamp URL updated to http://tsa.demo.sk.ee/tsa
• Changes in validation policies
• Updated dependencies

Known issues

• EDIT 10.06.2024: NB! Underlying DSS library version used in this release has memory leak since DSS 5.13.RC1. We are working on fixing it ASAP.
• EDIT 05.12.2024: We have noticed a decrease in performance of parsing/validating XAdES signatures that cover numerous data files since updating to DSS 6.0
• At the time of release, the newest supported Bouncy Castle version is 1.76
  Bouncy Castle version 1.77 causes OCSP response parsing to fail
• We have noticed a slight increase in TSL loading times due to pivot LOTL support
• We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
• Opening a container that contains signatures, triggers TSL loading (TSL lazy loading does not work as expected)

Release 5.2.0

Summary of the major changes since 5.1.0

• Disabled the possibility to create signatures with LT_TM and B_EPES profiles
• Fixed OCSP request nonce encoding (in CommonOCSPSource) on signature creation - OCSP nonce, used in id-pkix-ocsp-nonce OCSP extension, is now a DER-encoded OCTET STRING, which is encapsulated as another OCTET STRING (see RFC 4366, section 3.6 and RFC 6961, section 2.2)
• Deprecated "full report" configuration flag, as enabling it can produce false negative validation results in some cases:
  • Deprecated setFullReportNeeded and isFullReportNeeded methods in Configuration class
  • Deprecated -err/-showerrors command line option in DigiDoc4J command line utility
• Updated dependencies

Known issues

• We have noticed a slight increase in TSL loading times due to pivot LOTL support
• We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
• Opening a container that contains signatures, triggers TSL loading (TSL lazy loading does not work as expected)
• While upgrading from versions older than 2.1.1 be sure that your integration :
  • doesn't use Xalan or XercesImpl dependencies
  • uses a patched Java version (JDK8 or higher)
    Xalan and XercesImpl were used to patch XML vulnerabilities in older java versions. They should be discarded with higher versions because they override default Java XML security.
    If it is not possible to remove Xalan, then you can set your system property to override TransformerFactory : System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");

Release 5.1.0

Summary of the major changes since 5.0.0

• DSS version update to 5.11.1 (sd-dss.5.11.1.d4j.1), previously used DSS 5.9. Check changes in DSS here: https://github.com/esig/dss/releases
  • identification of timemark signatures was improved in DSS
• The functionality to add timestamp tokens to ASiC-S containers was deprecated and will be removed in the future (see also https://www.id.ee/en/article/the-next-version-of-the-id-card-software-will-introduce-several-significant-changes/)
• Added default TLS configuration for outbound connections in default "digidoc4j.yaml" and "digidoc-test.yaml" files
  • default TLS protocol: TLSv1.3
  • supported protocols: TLSv1.2 ja TLSv1.3
  • configured a set of enabled TLSv1.2 and TLSv1.3 cipher suites
• Improved META-INF/manifest.xml file creation for ASiC containers
  • the manifest tag in newly create ASiC containers now has a version attribute with value 1.2
• Deprecated input parsing constructors of ASiC container classes - it is encouraged to use ContainerOpener and ContainerBuilder instead
• API improvements:
  • added possibility to configure custom AIA sources (via AIA source factories)
  • deprecated possibility to configure AIA data loaders (via AIA data loader factories)
• Dependencies update

Known issues

• We have noticed a slight increase in TSL loading times due to pivot LOTL support
• We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
• Opening a container that contains signatures, triggers TSL loading (TSL lazy loading does not work as expected)
• While upgrading from versions older than 2.1.1 be sure that your integration :
  • doesn't use Xalan or XercesImpl dependencies
  • uses a patched Java version (JDK8 or higher)
    Xalan and XercesImpl were used to patch XML vulnerabilities in older java versions. They should be discarded with higher versions because they override default Java XML security.
    If it is not possible to remove Xalan, then you can set your system property to override TransformerFactory : System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");

Release 5.0.0

Summary of the major changes since 4.3.0

• DSS version update to 5.9 (sd-dss.5.9.d4j.1), previously used DSS 5.8. Check changes in DSS here: https://github.com/esig/dss/releases
• Pivot LOTL support (https://ec.europa.eu/tools/lotl/pivot-lotl-explanation.html):
  • pivot LOTL support is enabled by default for PROD mode
  • pivot LOTL support is configurable via Configuration.setLotlPivotSupportEnabled(boolean) and LOTL_PIVOT_SUPPORT_ENABLED configuration parameter
• Improved digest algorithm selection:
  • signature digest algorithm and datafile digest algorithm are separately configurable
  • for ECC signatures, the default signature digest algorithm depends on the key length
• Changes in handling the encoded datafile names in signatures:
  • a + sign in an encoded data file name is decoded as + instead of a whitespace
• TSL loading default connection and socket timeouts increased to 1 minute
• TSL refresh callbacks. More information can be found from the wiki
• Separate configurability for HTTP and HTTPS proxy user and password
• Refactoring of LOTL configuration API (Configuration class and YAML configuration parameters):
  • added setLotlLocation(String) and getLotlLocation() methods, LOTL_LOCATION parameter (deprecated setTslLocation(String), getTslLocation() and TSL_LOCATION)
  • added setLotlTruststorePath(String) and getLotlTruststorePath(String) methods, LOTL_TRUSTSTORE_PATH parameter (deprecated setTslKeyStoreLocation(String), getTslKeyStoreLocation() and TSL_KEYSTORE_LOCATION)
  • added setLotlTruststorePassword(String) and getLotlTruststorePassword() methods, LOTL_TRUSTSTORE_PASSWORD parameter (deprecated setTslKeyStorePassword(String), getTslKeyStorePassword() and TSL_KEYSTORE_PASSWORD)
  • added setLotlTruststoreType(String) and getLotlTruststoreType() methods, LOTL_TRUSTSTORE_TYPE parameter (set the default to "PKCS12" instead of "JKS")
• Removal of old API-s that were deprecated before the version 4.0.0; an inconclusive list of removed public API-s:
  • methods removed from Configuration class:
    • void enableBigFilesSupport(long)
    • boolean isBigFilesSupportEnabled()
  • methods removed from Container interface and its implementing classes:
    • void addRawSignature(byte[])
    • void addRawSignature(InputStream)
    • int countDataFiles()
    • int countSignatures()
    • void extendTo(SignatureProfile)
    • DataFile getDataFile(int)
    • DigestAlgorithm getDigestAlgorithm()
    • DocumentType getDocumentType()
    • Signature getSignature(int)
    • String getSignatureProfile()
    • String getVersion()
    • SignedInfo prepareSigning(X509Certificate)
    • void removeDataFile(String)
    • void removeSignature(int)
    • void save(String)
    • void setSignatureParameters(SignatureParameters)
    • void setSignatureProfile(SignatureProfile)
    • Signature signRaw(byte[])
    • Signature sign(SignatureToken)
  • methods removed from Signature interface and its implementing classes:
    • String getPolicy()
    • Date getProducedAt()
    • byte[] getRawSignature()
    • URI getSignaturePolicyURI()
    • Date getSigningTime()
    • List validate()
  • DigestDataFile(String, DigestAlgorithm, byte[]) constructor without mimetype
  • Signer interface and PKCS12Signer class
• Removal of custom TSL TLS trust-store:
  • by default, Java TLS trust-store is used for both PROD and TEST modes
  • no custom TSL TLS trust-store is shipped with DigiDoc4J library
• DataFile digest calculation and memory usage improvements:
  • reduction of making redundant in-memory copies of the contents of datafiles
  • improved calculation and caching of digest values
• Dependencies update

Known issues

• We have noticed a slight increase in TSL loading times due to pivot LOTL support
• We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
• Opening a container that contains signatures, triggers TSL loading (TSL lazy loading does not work as expected)
• While upgrading from versions older than 2.1.1 be sure that your integration :
  • doesn't use Xalan or XercesImpl dependencies
  • uses a patched Java version (JDK8 or higher)
    Xalan and XercesImpl were used to patch XML vulnerabilities in older java versions. They should be discarded with higher versions because they override default Java XML security.
    If it is not possible to remove Xalan, then you can set your system property to override TransformerFactory : System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");

Release 4.3.0

Summary of the major changes since 4.2.2

• DSS version update to 5.8 (sd-dss.5.8.d4j.1), previously used DSS 5.7. Check changes in DSS here: https://github.com/esig/dss/releases
• CommonOCSPSource improvements of building certificate chain from OCSP certificate to trust anchor in TSL
• ContainerBuilder thread-safety improvements
• TSL TLS truststore update
• Dependencies update

Known issues

• We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
• Opening a container that contains signatures, triggers TSL loading (TSL lazy loading does not work as expected)
• While upgrading from versions older than 2.1.1 be sure that your integration :
  • doesn't use Xalan or XercesImpl dependencies
  • uses a patched Java version (JDK8 or higher)
    Xalan and XercesImpl were used to patch XML vulnerabilities in older java versions. They should be discarded with higher versions because they override default Java XML security.
    If it is not possible to remove Xalan, then you can set your system property to override TransformerFactory : System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");

Release 4.2.2

Summary of the major changes since 4.2.1

• Update LOTL signer certificates' truststore
• Update TSL TLS truststore
• Update org.apache.santuario:xmlsec dependency

Known issues

• ContainerBuilder instances share mutable state which may cause unexpected behaviour while concurrently using multiple ContainerBuilder instances which have been created for different container types. This problem have been present since version 2.0.0 but may be more problematic after version 3.1.1. For more info see here.
• We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
• Opening a container that contains signatures, triggers TSL loading (TSL lazy loading does not work as expected)
• While upgrading from versions older than 2.1.1 be sure that your integration :
  • doesn't use Xalan or XercesImpl dependencies
  • uses a patched Java version (JDK8 or higher)
    Xalan and XercesImpl were used to patch XML vulnerabilities in older java versions. They should be discarded with higher versions because they override default Java XML security.
    If it is not possible to remove Xalan, then you can set your system property to override TransformerFactory : System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");

Release 4.2.1

Summary of the major changes since 4.2.0

• ZIP-bombing detection improvements and configurability
• Upgrade of TSL TLS truststore
• Dependencies update

Known issues

• ContainerBuilder instances share mutable state which may cause unexpected behaviour while concurrently using multiple ContainerBuilder instances which have been created for different container types. This problem have been present since version 2.0.0 but may be more problematic after version 3.1.1. For more info see here.
• We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
• Opening a container that contains signatures, triggers TSL loading (TSL lazy loading does not work as expected)
• While upgrading from versions older than 2.1.1 be sure that your integration :
  • doesn't use Xalan or XercesImpl dependencies
  • uses a patched Java version (JDK8 or higher)
    Xalan and XercesImpl were used to patch XML vulnerabilities in older java versions. They should be discarded with higher versions because they override default Java XML security.
    If it is not possible to remove Xalan, then you can set your system property to override TransformerFactory : System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");

Release 4.2.0

Summary of the major changes since 4.1.1

• ZIP-bomb attack protection
• If not specified, create ASiC-E (instead of BDOC) containers by default
  • NB! Keep in mind that it is not possible to add LT_TM profile signatures to ASiC-E containers. If you need LT_TM profile signatures, container type must be set to BDOC.
• Search BDOC TM signature OCSP certificate from OCSP token first and then from the unsigned properties of the signature
• Limitations for empty (0-byte) datafiles:
  • Adding empty datafiles to containers is not permitted; signing containers containing empty datafiles is not permitted
  • Validating containers containing empty datafiles adds additional container warnings
• Changes in validation policies
• Upgrade of TSL TLS truststore
• Dependencies update
• Bug fixes

Known issues

• We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
• Opening a container that contains signatures, triggers TSL loading (TSL lazy loading does not work as expected)
• While upgrading from versions older than 2.1.1 be sure that your integration :
  • doesn't use Xalan or XercesImpl dependencies
  • uses a patched Java version (JDK8 or higher)
    Xalan and XercesImpl were used to patch XML vulnerabilities in older java versions. They should be discarded with higher versions because they override default Java XML security.
    If it is not possible to remove Xalan, then you can set your system property to override TransformerFactory : System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");