Merge branch 'develop'

open-eid · Mar 19, 2024 · c8c65c1 · c8c65c1
2 parents fb68686 + d706bdf
commit c8c65c1
Show file tree

Hide file tree

Showing 117 changed files with 3,939 additions and 1,966 deletions.
diff --git a/.mvn/wrapper/maven-wrapper.properties b/.mvn/wrapper/maven-wrapper.properties
@@ -1 +1 @@
-distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.4/apache-maven-3.9.4-bin.zip
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.6/apache-maven-3.9.6-bin.zip
diff --git a/README.md b/README.md
@@ -68,11 +68,19 @@ The support for creating BDOC-specific **time-mark** signatures was removed sinc
 
 # Requirements
 * Java **8** or higher (since version 4.0.0-RC.1)
-* Internet access to external verification services
-  * OCSP (Online Certificate Status Protocol) - http://ocsp.sk.ee
-  * EU TSL (European Commission's Trusted Status List) - https://ec.europa.eu/information_society/policy/esignature/trusted-list/tl-mp.xml
-  * All the EU member states' TL servers referred in the EU TSL. Note that this list may change. (e.g. https://sr.riik.ee/tsl/estonian-tsl.xml, https://sede.minetur.gob.es/Prestadores/TSL/TSL.xml, https://www.viestintavirasto.fi/attachments/TSL-Ficora.xml etc.)
-  * TSA (Time Stamping Authority) - http://tsa.sk.ee
+* Internet access to external services
+  * OCSP (Online Certificate Status Protocol) - AIA OCSP URL from signer's certificate or default fallback value
+    http://ocsp.sk.ee (for more information, see
+    [here](https://github.com/open-eid/digidoc4j/wiki/Questions-&-Answers#usage-of-aia-ocsp-for-timestamp-based-asic-e-containers-since-release-310))
+  * EU TSL (European Commission's Trusted Status List) - default value https://ec.europa.eu/tools/lotl/eu-lotl.xml (for
+    more information, see [here](https://github.com/open-eid/digidoc4j/wiki/Examples-of-using-it#using-configuration))
+  * All the EU member states' TL servers referred in the EU TSL. Note that this list may change.
+    (e.g. https://sr.riik.ee/tsl/estonian-tsl.xml, https://sedediatid.mineco.gob.es/Prestadores/TSL/TSL.xml, https://dp.trustedlist.fi/fi-tl.xml etc.)
+  * TSA (Time Stamping Authority) - default value http://tsa.sk.ee (for more information, see
+    [here](https://github.com/open-eid/digidoc4j/wiki/Examples-of-using-it#using-configuration))
+  * AIA (Authority Information Access) CA issuers - missing certificates of certificate chains downloaded from the URLs
+    referred to in existing certificates
+  * Signature Policy documents, if applicable (e.g. https://www.sk.ee/repository/bdoc-spec21.pdf)
 
 ## Maven
 You can use the library as a Maven dependency from the Maven Central (http://mvnrepository.com/artifact/org.digidoc4j/digidoc4j)

diff --git a/RELEASE-NOTES.txt b/RELEASE-NOTES.txt
@@ -1,6 +1,31 @@
 DigiDoc4J Java library release notes
 ------------------------------------
 
+Release 5.3.0
+------------------
+Summary of the major changes since 5.2.0
+------------------------------------------
+* DSS version update to 6.0 (sd-dss.6.0.d4j.1), previously used DSS 5.11.1. Check changes in DSS here: https://github.com/esig/dss/releases
+  DSS update has caused the following notable changes to dependencies:
+  - Migration from Javax to Jakarta namespace
+  - JAXB dependencies updated from 2.3.X to 3.0.X
+  - Apache Santuario xmlsec updated from 2.3.X to 3.0.X
+  - Bouncy Castle updated from jdk15on:1.70 to jdk18on:1.76
+  - SLF4J updated from 1.7.X to 2.0.X
+* Prefer to use AIA OCSP by default on signature creation
+  - In DigiDoc4J command line utility, deprecated -aiaocsp parameter and added new -noaiaocsp parameter
+* TEST mode default timestamp URL updated to http://tsa.demo.sk.ee/tsa
+* Changes in validation policies
+* Updated dependencies
+
+Known issues
+------------
+* At the time of release, the newest supported Bouncy Castle version is 1.76
+  Bouncy Castle version 1.77 causes OCSP response parsing to fail
+* We have noticed a slight increase in TSL loading times due to pivot LOTL support
+* We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
+* Opening a container that contains signatures, triggers TSL loading (TSL lazy loading does not work as expected)
+
 Release 5.2.0
 ------------------
 Summary of the major changes since 5.1.0

diff --git a/ddoc4j/pom.xml b/ddoc4j/pom.xml
@@ -5,7 +5,7 @@
 
     <artifactId>ddoc4j</artifactId>
     <packaging>jar</packaging>
-    <version>5.2.0</version>
+    <version>5.3.0</version>
 
     <name>DDoc4J</name>
     <description>DDoc4J is Java Library for validating DDOC documents. It's not recommended to use it directly but rather through DigiDoc4J's API.</description>
@@ -14,7 +14,7 @@
     <parent>
         <artifactId>digidoc4j-parent</artifactId>
         <groupId>org.digidoc4j</groupId>
-        <version>5.2.0</version>
+        <version>5.3.0</version>
     </parent>
 
     <dependencies>
@@ -24,11 +24,11 @@
         </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
-            <artifactId>bcpkix-jdk15on</artifactId>
+            <artifactId>bcpkix-jdk18on</artifactId>
         </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
-            <artifactId>bcprov-jdk15on</artifactId>
+            <artifactId>bcprov-jdk18on</artifactId>
         </dependency>
         <dependency>
             <groupId>commons-codec</groupId>

diff --git a/ddoc4j/src/main/java/org/digidoc4j/ddoc/factory/BouncyCastleNotaryFactory.java b/ddoc4j/src/main/java/org/digidoc4j/ddoc/factory/BouncyCastleNotaryFactory.java
@@ -1,27 +1,39 @@
 package org.digidoc4j.ddoc.factory;
 
-import org.digidoc4j.ddoc.*;
-import org.digidoc4j.ddoc.utils.BouncyCastleNotaryUtil;
-import org.digidoc4j.ddoc.utils.ConfigManager;
-import org.digidoc4j.ddoc.utils.ConvertUtils;
-import org.bouncycastle.asn1.*;
+import org.bouncycastle.asn1.ASN1Primitive;
 import org.bouncycastle.asn1.ocsp.BasicOCSPResponse;
 import org.bouncycastle.asn1.ocsp.ResponderID;
-import org.bouncycastle.asn1.x509.X509Name;
 import org.bouncycastle.cert.X509CertificateHolder;
-import org.bouncycastle.cert.ocsp.*;
+import org.bouncycastle.cert.ocsp.BasicOCSPResp;
+import org.bouncycastle.cert.ocsp.CertificateID;
+import org.bouncycastle.cert.ocsp.OCSPResp;
+import org.bouncycastle.cert.ocsp.RevokedStatus;
+import org.bouncycastle.cert.ocsp.SingleResp;
+import org.bouncycastle.cert.ocsp.UnknownStatus;
 import org.bouncycastle.operator.ContentVerifier;
 import org.bouncycastle.operator.ContentVerifierProvider;
 import org.bouncycastle.operator.DigestCalculatorProvider;
 import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
 import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
+import org.digidoc4j.ddoc.Base64Util;
+import org.digidoc4j.ddoc.CertID;
+import org.digidoc4j.ddoc.CertValue;
+import org.digidoc4j.ddoc.DigiDocException;
+import org.digidoc4j.ddoc.Notary;
 import org.digidoc4j.ddoc.Signature;
+import org.digidoc4j.ddoc.SignedDoc;
+import org.digidoc4j.ddoc.utils.BouncyCastleNotaryUtil;
+import org.digidoc4j.ddoc.utils.ConfigManager;
+import org.digidoc4j.ddoc.utils.ConvertUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.io.FileInputStream;
 import java.io.OutputStream;
-import java.security.*;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Provider;
+import java.security.Security;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.util.List;
@@ -321,16 +333,13 @@ public Notary parseAndVerifyResponse(Signature sig, Notary not)
      * @param basResp
      * @return stringified responder ID
      */
-    private String responderIDtoString(BasicOCSPResp basResp) {
+    static String responderIDtoString(BasicOCSPResp basResp) {
         if(basResp != null) {
             ResponderID respid = basResp.getResponderId().toASN1Primitive();
-            Object o = ((DERTaggedObject)respid.toASN1Primitive()).getObject();
-            if(o instanceof org.bouncycastle.asn1.DEROctetString) {
-                org.bouncycastle.asn1.DEROctetString oc = (org.bouncycastle.asn1.DEROctetString)o;
-                return "byKey: " + SignedDoc.bin2hex(oc.getOctets());
+            if(respid.getKeyHash() != null) {
+                return "byKey: " + SignedDoc.bin2hex(respid.getKeyHash());
             } else {
-                X509Name name = new X509Name((ASN1Sequence)o);
-                return "byName: " + name.toString();
+                return "byName: " + respid.getName().toString();
             }
         }
         else

diff --git a/digidoc4j/pom.xml b/digidoc4j/pom.xml
@@ -6,7 +6,7 @@
 
     <artifactId>digidoc4j</artifactId>
     <packaging>jar</packaging>
-    <version>5.2.0</version>
+    <version>5.3.0</version>
 
     <name>DigiDoc4j</name>
     <description>DigiDoc4j is a Java library for digitally signing documents and creating digital signature containers
@@ -17,35 +17,30 @@
     <parent>
         <artifactId>digidoc4j-parent</artifactId>
         <groupId>org.digidoc4j</groupId>
-        <version>5.2.0</version>
+        <version>5.3.0</version>
     </parent>
 
     <properties>
         <dss.groupId>org.digidoc4j.dss</dss.groupId>
 
-        <activation.version>1.1.1</activation.version>
-        <commons-cli.version>1.5.0</commons-cli.version>
+        <commons-cli.version>1.6.0</commons-cli.version>
         <commons-collections4.version>4.4</commons-collections4.version>
-        <commons-io.version>2.13.0</commons-io.version>
-        <commons-lang3.version>3.13.0</commons-lang3.version>
+        <commons-io.version>2.15.1</commons-io.version>
+        <commons-lang3.version>3.14.0</commons-lang3.version>
         <contiperf.version>2.4.3</contiperf.version>
-        <dss.version>5.11.1.d4j.1</dss.version>
+        <dss.version>6.0.d4j.1</dss.version>
         <hamcrest.version>2.2</hamcrest.version>
-        <httpclient5.version>5.2.1</httpclient5.version>
-        <jackson.version>2.15.2</jackson.version>
-        <jaxb.version>2.3.8</jaxb.version><!-- DSS depends on jaxb-runtime 2.3.X -->
-        <jaxb-core.version>2.3.0.1</jaxb-core.version>
-        <jcabi-matchers.version>1.6.0</jcabi-matchers.version>
-        <json.version>20230618</json.version>
-        <jsonassert.version>1.5.1</jsonassert.version>
+        <httpclient5.version>5.3.1</httpclient5.version>
+        <jackson.version>2.16.1</jackson.version>
+        <jaxb.version>3.0.2</jaxb.version><!-- DSS depends on jaxb-runtime 3.0.X -->
         <junit.version>4.13.2</junit.version>
         <junit-toolbox.version>2.4</junit-toolbox.version>
-        <logback-classic.version>1.2.12</logback-classic.version><!-- logback versions 1.3.X cause problems in DD4J command line utility -->
+        <logback-classic.version>1.3.14</logback-classic.version>
         <mockito.version>4.11.0</mockito.version><!-- Java 8 is not supported since version 5.X.X -->
-        <snakeyaml.version>2.1</snakeyaml.version>
+        <snakeyaml.version>2.2</snakeyaml.version>
         <system-rules.version>1.19.0</system-rules.version>
-        <wiremock.version>2.35.0</wiremock.version>
-        <xmlsec.version>2.3.3</xmlsec.version><!-- DSS depends on xmlsec 2.3.X -->
+        <wiremock.version>2.35.2</wiremock.version><!-- Java 8 is not supported since version 3.X.X -->
+        <xmlsec.version>3.0.4</xmlsec.version><!-- DSS depends on xmlsec 3.0.X -->
         <xmlunit.version>1.6</xmlunit.version>
 
         <buildnumber-maven-plugin.version>1.4</buildnumber-maven-plugin.version>
@@ -58,7 +53,7 @@
         <maven-jaxb2-plugin.version>0.15.3</maven-jaxb2-plugin.version>
         <maven-release-plugin.version>3.0.1</maven-release-plugin.version>
         <maven-resources-plugin.version>3.3.1</maven-resources-plugin.version>
-        <maven-shade-plugin.version>3.5.0</maven-shade-plugin.version>
+        <maven-shade-plugin.version>3.5.2</maven-shade-plugin.version>
         <nexus-staging-maven-plugin.version>1.6.13</nexus-staging-maven-plugin.version>
 
         <dss.util.build>${project.build.directory}/build/util</dss.util.build>
@@ -79,16 +74,16 @@
         <dependency>
             <artifactId>ddoc4j</artifactId>
             <groupId>org.digidoc4j</groupId>
-            <version>5.2.0</version>
+            <version>5.3.0</version>
         </dependency>
 
         <dependency>
             <groupId>org.bouncycastle</groupId>
-            <artifactId>bcpkix-jdk15on</artifactId>
+            <artifactId>bcpkix-jdk18on</artifactId>
         </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
-            <artifactId>bcprov-jdk15on</artifactId>
+            <artifactId>bcprov-jdk18on</artifactId>
         </dependency>
         <dependency>
             <groupId>commons-codec</groupId>
@@ -260,27 +255,18 @@
             <artifactId>dss-crl-parser-stream</artifactId>
             <version>${dss.version}</version>
         </dependency>
-        <!-- To build successfully with >= Java 9 -->
+
         <dependency>
             <groupId>org.glassfish.jaxb</groupId>
             <artifactId>jaxb-runtime</artifactId>
             <version>${jaxb.version}</version>
         </dependency>
-        <dependency>
-            <groupId>javax.activation</groupId>
-            <artifactId>activation</artifactId>
-            <version>${activation.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>com.sun.xml.bind</groupId>
-            <artifactId>jaxb-impl</artifactId>
-            <version>${jaxb.version}</version>
-        </dependency>
         <dependency>
             <groupId>org.glassfish.jaxb</groupId>
             <artifactId>jaxb-core</artifactId>
-            <version>${jaxb-core.version}</version>
+            <version>${jaxb.version}</version>
         </dependency>
+
         <dependency>
             <groupId>ch.qos.logback</groupId>
             <artifactId>logback-classic</artifactId>
@@ -299,12 +285,6 @@
             <version>${hamcrest.version}</version>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>com.jcabi</groupId>
-            <artifactId>jcabi-matchers</artifactId>
-            <version>${jcabi-matchers.version}</version>
-            <scope>test</scope>
-        </dependency>
         <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-core</artifactId>
@@ -347,6 +327,10 @@
             <version>${wiremock.version}</version>
             <scope>test</scope>
             <exclusions>
+                <exclusion>
+                    <groupId>com.jayway.jsonpath</groupId>
+                    <artifactId>json-path</artifactId>
+                </exclusion>
                 <exclusion>
                     <groupId>commons-fileupload</groupId>
                     <artifactId>commons-fileupload</artifactId>
@@ -371,34 +355,6 @@
             <version>${jackson.version}</version>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>org.skyscreamer</groupId>
-            <artifactId>jsonassert</artifactId>
-            <version>${jsonassert.version}</version>
-            <scope>test</scope>
-            <exclusions>
-                <exclusion>
-                    <groupId>com.vaadin.external.google</groupId>
-                    <artifactId>android-json</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-        <dependency>
-            <groupId>org.json</groupId>
-            <artifactId>json</artifactId>
-            <version>${json.version}</version>
-            <scope>test</scope>
-            <exclusions>
-                <exclusion>
-                    <groupId>com.jayway.jsonpath</groupId>
-                    <artifactId>json-path</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>net.minidev</groupId>
-                    <artifactId>json-smart</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
         <dependency>
             <groupId>com.googlecode.junit-toolbox</groupId>
             <artifactId>junit-toolbox</artifactId>
@@ -561,8 +517,6 @@
                                     <zipgroupfileset dir="${dss.util.lib}" includes="**/*.jar" excludes="bcprov-*.jar"/>
                                     <zipgroupfileset dir="${project.build.directory}" includes="**/digidoc4j-*.jar"
                                                      excludes="*-javadoc.jar *-sources.jar"/>
-                                    <zipgroupfileset dir="${project.build.directory}"
-                                                     includes="**/logback-*.jar"/>
                                 </jar>
                                 <jar destfile="${dss.util.build}/digidoc4j-util.jar">
                                     <zipfileset src="${dss.util.build}/temp.jar"
@@ -574,13 +528,19 @@
                                         <attribute name="Implementation-Title" value="Java BDoc/DigiDoc utility"/>
                                         <attribute name="Implementation-Version" value="${project.version}"/>
                                         <attribute name="Main-Class" value="org.digidoc4j.main.DigiDoc4J"/>
-                                        <attribute name="Class-Path" value=". ./bcprov-jdk15on.jar"/>
+                                        <attribute name="Class-Path" value=". ./bcprov-jdk18on.jar ./logback-classic.jar ./logback-core.jar"/>
                                         <attribute name="Multi-Release" value="true"/>
                                     </manifest>
                                 </jar>
                                 <delete file="${dss.util.build}/temp.jar"/>
-                                <copy tofile="${dss.util.build}/bcprov-jdk15on.jar">
-                                    <fileset dir="${dss.util.lib}" includes="**/bcprov-jdk15on*.jar"/>
+                                <copy tofile="${dss.util.build}/bcprov-jdk18on.jar">
+                                    <fileset dir="${dss.util.lib}" includes="**/bcprov-jdk18on*.jar"/>
+                                </copy>
+                                <copy tofile="${dss.util.build}/logback-classic.jar">
+                                    <fileset dir="${project.build.directory}" includes="**/logback-classic*.jar"/>
+                                </copy>
+                                <copy tofile="${dss.util.build}/logback-core.jar">
+                                    <fileset dir="${project.build.directory}" includes="**/logback-core*.jar"/>
                                 </copy>
                                 <copy todir="${dss.util.build}/">
                                     <fileset dir="${project.basedir}/src/main/etc" includes="*.xml"/>

diff --git a/digidoc4j/src/main/java/org/digidoc4j/Configuration.java b/digidoc4j/src/main/java/org/digidoc4j/Configuration.java
@@ -2167,7 +2167,7 @@ private void initDefaultValues() {
       this.setDDoc4JParameter("SIGN_OCSP_REQUESTS", "false");
       setDDoc4JParameter("ALLOWED_OCSP_RESPONDERS_FOR_TM", StringUtils.join(Constant.Test.DEFAULT_OCSP_RESPONDERS, ","));
       this.setConfigurationParameter(ConfigurationParameter.AllowedOcspRespondersForTM, Constant.Test.DEFAULT_OCSP_RESPONDERS);
-      this.setConfigurationParameter(ConfigurationParameter.preferAiaOcsp, "false");
+      this.setConfigurationParameter(ConfigurationParameter.preferAiaOcsp, "true");
       this.loadYamlAiaOCSPs(loadYamlFromResource("defaults/demo_aia_ocsp.yaml"), true);
     } else {
       this.setConfigurationParameter(ConfigurationParameter.TspSource, Constant.Production.TSP_SOURCE);
@@ -2183,7 +2183,7 @@ private void initDefaultValues() {
       this.setDDoc4JParameter("SIGN_OCSP_REQUESTS", "false");
       setDDoc4JParameter("ALLOWED_OCSP_RESPONDERS_FOR_TM", StringUtils.join(Constant.Production.DEFAULT_OCSP_RESPONDERS, ","));
       this.setConfigurationParameter(ConfigurationParameter.AllowedOcspRespondersForTM, Constant.Production.DEFAULT_OCSP_RESPONDERS);
-      this.setConfigurationParameter(ConfigurationParameter.preferAiaOcsp, "false");
+      this.setConfigurationParameter(ConfigurationParameter.preferAiaOcsp, "true");
       this.loadYamlAiaOCSPs(loadYamlFromResource("defaults/live_aia_ocsp.yaml"), true);
     }
     LOGGER.debug("{} configuration: {}", this.mode, this.registry);