Merge branch 'develop'

.mvn/wrapper/maven-wrapper.properties

@@ -1 +1 @@
-distributionUrl=https://repo1.maven.org/maven2/org/apache/maven/apache-maven/3.6.3/apache-maven-3.6.3-bin.zip
+distributionUrl=https://repo1.maven.org/maven2/org/apache/maven/apache-maven/3.8.2/apache-maven-3.8.2-bin.zip

RELEASE-NOTES.txt

@@ -1,6 +1,25 @@
 DigiDoc4J Java library release notes
 ------------------------------------
 
+Release 4.2.1
+------------------
+Summary of the major changes since 4.2.0
+------------------------------------------
+* ZIP-bombing detection improvements and configurability
+* Upgrade of TSL TLS truststore
+* Dependencies update
+
+Known issues
+------------
+* We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
+* Opening a container that contains signatures, triggers TSL loading (TSL lazy loading does not work as expected)
+* While upgrading from versions older than 2.1.1 be sure that your integration :
+  - doesn't use Xalan or XercesImpl dependencies
+  - uses a patched Java version (JDK8 or higher)
+    Xalan and XercesImpl were used to patch XML vulnerabilities in older java versions. They should be discarded with higher versions because they override default Java XML security.
+    If it is not possible to remove Xalan, then you can set your system property to override TransformerFactory : System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");
+
+
 Release 4.2.0
 ------------------
 Summary of the major changes since 4.1.1

ddoc4j/pom.xml

@@ -6,7 +6,7 @@
     <groupId>org.digidoc4j</groupId>
     <artifactId>ddoc4j</artifactId>
     <packaging>jar</packaging>
-    <version>4.2.0</version>
+    <version>4.2.1</version>
 
     <name>DDoc4J</name>
     <description>DDoc4J is Java Library for validating DDOC documents. It's not recommended to use it directly but rather through DigiDoc4J's API.</description>
@@ -15,7 +15,7 @@
     <parent>
         <artifactId>digidoc4j-parent</artifactId>
         <groupId>org.digidoc4j</groupId>
-        <version>4.2.0</version>
+        <version>4.2.1</version>
     </parent>
 
     <dependencies>

digidoc4j/pom.xml

@@ -7,7 +7,7 @@
     <groupId>org.digidoc4j</groupId>
     <artifactId>digidoc4j</artifactId>
     <packaging>jar</packaging>
-    <version>4.2.0</version>
+    <version>4.2.1</version>
 
     <name>DigiDoc4j</name>
     <description>DigiDoc4j is a Java library for digitally signing documents and creating digital signature containers
@@ -18,13 +18,13 @@
     <parent>
         <artifactId>digidoc4j-parent</artifactId>
         <groupId>org.digidoc4j</groupId>
-        <version>4.2.0</version>
+        <version>4.2.1</version>
     </parent>
 
     <properties>
         <hamcrest.version>2.2</hamcrest.version>
         <logback-classic.version>1.2.3</logback-classic.version>
-        <jackson.version>2.12.3</jackson.version>
+        <jackson.version>2.12.4</jackson.version>
         <junit.version>4.13.2</junit.version>
         <dss.groupId>org.digidoc4j.dss</dss.groupId>
         <dss.version>5.7.d4j.2</dss.version>
@@ -45,7 +45,7 @@
         <dependency>
             <artifactId>ddoc4j</artifactId>
             <groupId>org.digidoc4j</groupId>
-            <version>4.2.0</version>
+            <version>4.2.1</version>
         </dependency>
 
         <dependency>
@@ -69,7 +69,7 @@
         <dependency>
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
-            <version>2.8.0</version>
+            <version>2.11.0</version>
         </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
@@ -105,7 +105,7 @@
         <dependency>
             <groupId>org.yaml</groupId>
             <artifactId>snakeyaml</artifactId>
-            <version>1.28</version>
+            <version>1.29</version>
         </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
@@ -212,7 +212,7 @@
         <dependency>
             <groupId>org.apache.pdfbox</groupId>
             <artifactId>pdfbox</artifactId>
-            <version>2.0.23</version>
+            <version>2.0.24</version>
         </dependency>
         <dependency>
             <groupId>${dss.groupId}</groupId>
@@ -243,7 +243,7 @@
         <dependency>
             <groupId>org.glassfish.jaxb</groupId>
             <artifactId>jaxb-runtime</artifactId>
-            <version>2.3.4</version>
+            <version>2.3.5</version>
         </dependency>
         <dependency>
             <groupId>javax.activation</groupId>
@@ -253,7 +253,7 @@
         <dependency>
             <groupId>com.sun.xml.bind</groupId>
             <artifactId>jaxb-impl</artifactId>
-            <version>2.3.4</version>
+            <version>2.3.5</version>
         </dependency>
         <dependency>
             <groupId>com.sun.xml.bind</groupId>
@@ -287,7 +287,7 @@
         <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-core</artifactId>
-            <version>3.10.0</version>
+            <version>3.12.1</version>
             <scope>test</scope>
         </dependency>
         <dependency>

digidoc4j/src/main/java/org/digidoc4j/Configuration.java

@@ -24,11 +24,28 @@
 import org.slf4j.LoggerFactory;
 import org.yaml.snakeyaml.Yaml;
 
-import java.io.*;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.InputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.io.Serializable;
 import java.net.MalformedURLException;
 import java.net.URL;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Hashtable;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Optional;
 import java.util.concurrent.ExecutorService;
+import java.util.function.BiPredicate;
 
 import static java.util.Arrays.asList;
 
@@ -143,6 +160,10 @@
  * NB! Strict Validation applied by default.</li>
  * <li>ALLOWED_OCSP_RESPONDERS_FOR_TM: whitelist of OCSP responders for timemark validation
  * (for example: SK OCSP RESPONDER 2011, ESTEID-SK OCSP RESPONDER, KLASS3-SK OCSP RESPONDER)</li>
+ * <li>ZIP_COMPRESSION_RATIO_CHECK_THRESHOLD_IN_BYTES: the threshold of how much memory (in bytes) are the unpacked
+ * contents of a ZIP-based container allowed to consume before ZIP compression ratio check kicks in</li>
+ * <li>MAX_ALLOWED_ZIP_COMPRESSION_RATIO: the maximum ratio of how much are the contents of a ZIP-based container
+ * allowed to expand on unpacking before the container is considered harmful.</li>
  * </ul>
  */
 public class Configuration implements Serializable {
@@ -1670,6 +1691,63 @@ public List<String> getAllowedOcspRespondersForTM() {
     return this.getConfigurationValues(ConfigurationParameter.AllowedOcspRespondersForTM);
   }
 
+  /**
+   * Set the maximum ratio of how much are the contents of a ZIP-based container allowed to expand on unpacking before
+   * the container is considered harmful.
+   *
+   * @see #setZipCompressionRatioCheckThresholdInBytes(long)
+   * @see #getZipCompressionRatioCheckThresholdInBytes()
+   *
+   * @param maxAllowedZipCompressionRatio maximum ratio of how much are the contents of a ZIP-based container allowed to expand
+   */
+  public void setMaxAllowedZipCompressionRatio(int maxAllowedZipCompressionRatio) {
+    setConfigurationParameter(ConfigurationParameter.MaxAllowedZipCompressionRatio, String.valueOf(maxAllowedZipCompressionRatio));
+  }
+
+  /**
+   * Get the maximum ratio of how much are the contents of a ZIP-based container allowed to expand on unpacking before
+   * the container is considered harmful.
+   *
+   * @see #setZipCompressionRatioCheckThresholdInBytes(long)
+   * @see #getZipCompressionRatioCheckThresholdInBytes()
+   *
+   * @return maximum ratio of how much are the contents of a ZIP-based container allowed to expand
+   */
+  public int getMaxAllowedZipCompressionRatio() {
+    return Optional
+            .ofNullable(getConfigurationParameter(ConfigurationParameter.MaxAllowedZipCompressionRatio, Integer.class))
+            .orElse(Integer.MAX_VALUE);
+  }
+
+  /**
+   * Set the threshold of how much memory (in bytes) are the unpacked contents of a ZIP-based container allowed to
+   * consume before ZIP compression ratio check kicks in.
+   *
+   * @see #setMaxAllowedZipCompressionRatio(int)
+   * @see #getMaxAllowedZipCompressionRatio()
+   *
+   * @param zipCompressionRatioCheckThresholdInBytes threshold of how much memory are the unpacked contents of
+   *                                                 a ZIP-based container allowed to consume
+   */
+  public void setZipCompressionRatioCheckThresholdInBytes(long zipCompressionRatioCheckThresholdInBytes) {
+    setConfigurationParameter(ConfigurationParameter.ZipCompressionRatioCheckThreshold, String.valueOf(zipCompressionRatioCheckThresholdInBytes));
+  }
+
+  /**
+   * Get the threshold of how much memory (in bytes) are the unpacked contents of a ZIP-based container allowed to
+   * consume before ZIP compression ratio check kicks in.
+   *
+   * @see #setMaxAllowedZipCompressionRatio(int)
+   * @see #getMaxAllowedZipCompressionRatio()
+   *
+   * @return threshold of how much memory are the unpacked contents of a ZIP-based container allowed to consume
+   */
+  public long getZipCompressionRatioCheckThresholdInBytes() {
+    return Optional
+            .ofNullable(getConfigurationParameter(ConfigurationParameter.ZipCompressionRatioCheckThreshold, Long.class))
+            .orElse(Long.MAX_VALUE);
+  }
+
   /**
    * @return true when configuration is Configuration.Mode.TEST
    * @see Configuration.Mode#TEST
@@ -1738,6 +1816,8 @@ private void initDefaultValues() {
     this.setConfigurationParameter(ConfigurationParameter.IsFullSimpleReportNeeded,
         Constant.Default.FULL_SIMPLE_REPORT);
     this.setConfigurationParameter(ConfigurationParameter.useNonce, "true");
+    this.setConfigurationParameter(ConfigurationParameter.ZipCompressionRatioCheckThreshold, "1048576");
+    this.setConfigurationParameter(ConfigurationParameter.MaxAllowedZipCompressionRatio, "100");
     if (Mode.TEST.equals(this.mode)) {
       this.setConfigurationParameter(ConfigurationParameter.TspSource, Constant.Test.TSP_SOURCE);
       this.setConfigurationParameter(ConfigurationParameter.TslLocation, Constant.Test.TSL_LOCATION);
@@ -1849,6 +1929,10 @@ private void loadInitialConfigurationValues() {
     this.setConfigurationParameter(ConfigurationParameter.AllowASN1UnsafeInteger, this.getParameter(Constant
         .System.ORG_BOUNCYCASTLE_ASN1_ALLOW_UNSAFE_INTEGER, "ALLOW_UNSAFE_INTEGER"));
     this.setConfigurationParameter(ConfigurationParameter.preferAiaOcsp, this.getParameterFromFile("PREFER_AIA_OCSP"));
+    this.setConfigurationParameterFromFile("ZIP_COMPRESSION_RATIO_CHECK_THRESHOLD_IN_BYTES",
+            ConfigurationParameter.ZipCompressionRatioCheckThreshold, this::isValidLongParameter);
+    this.setConfigurationParameterFromFile("MAX_ALLOWED_ZIP_COMPRESSION_RATIO",
+            ConfigurationParameter.MaxAllowedZipCompressionRatio, this::isValidIntegerParameter);
     this.loadYamlOcspResponders();
     this.loadYamlTrustedTerritories();
     this.loadYamlTSPs();
@@ -1955,7 +2039,7 @@ private boolean isValidBooleanParameter(String configParameter, String value) {
   }
 
   private boolean isValidIntegerParameter(String configParameter, String value) {
-    Integer parameterValue;
+    int parameterValue;
     try {
       parameterValue = Integer.parseInt(value);
     } catch (Exception e) {
@@ -1973,6 +2057,18 @@ private boolean isValidIntegerParameter(String configParameter, String value) {
     return true;
   }
 
+  private boolean isValidLongParameter(String configParameter, String value) {
+    try {
+      Long.parseLong(value);
+    } catch (Exception e) {
+      String errorMessage = "Configuration parameter " + configParameter + " should have a long integer value"
+              + " but the actual value is: " + value + ".";
+      this.logError(errorMessage);
+      return false;
+    }
+    return true;
+  }
+
   private void loadOCSPCertificates(LinkedHashMap digiDocCA, String caPrefix) {
     String errorMessage;
     @SuppressWarnings("unchecked")
@@ -2162,13 +2258,17 @@ private List<String> getStringListParameterFromFile(String key) {
     return Arrays.asList(value.split("\\s*,\\s*")); //Split by comma and trim whitespace
   }
 
-  private void setConfigurationParameterFromFile(String fileKey, ConfigurationParameter parameter) {
+  private void setConfigurationParameterFromFile(String fileKey, ConfigurationParameter parameter, BiPredicate<String, String> parameterValidator) {
     String fileValue = this.getParameterFromFile(fileKey);
-    if (fileValue != null) {
-      this.setConfigurationParameter(parameter, fileValue.toString());
+    if (fileValue != null && (parameterValidator == null || parameterValidator.test(fileKey, fileValue))) {
+      this.setConfigurationParameter(parameter, fileValue);
     }
   }
 
+  private void setConfigurationParameterFromFile(String fileKey, ConfigurationParameter parameter) {
+    setConfigurationParameterFromFile(fileKey, parameter, null);
+  }
+
   private void setConfigurationParameterFromFile(ConfigurationParameter parameter) {
     setConfigurationParameterFromFile(parameter.fileKey, parameter);
   }

digidoc4j/src/main/java/org/digidoc4j/ConfigurationParameter.java

@@ -98,7 +98,10 @@ public enum ConfigurationParameter {
   TspSslProtocol("TSP_SSL_PROTOCOL"),
   TspSupportedSslProtocols("TSP_SUPPORTED_SSL_PROTOCOLS"),
   TspSupportedSslCipherSuites("TSP_SUPPORTED_SSL_CIPHER_SUITES"),
-  TempFileMaxAgeInMillis;
+
+  TempFileMaxAgeInMillis,
+  MaxAllowedZipCompressionRatio,
+  ZipCompressionRatioCheckThreshold;
 
 
   final String fileKey;