SignServer 5.11 Release Notes
DECEMBER 2022
The SignServer team is pleased to announce the release of SignServer 5.11.1. (SignServer 5.11.0 was an internal release, not generally available for customers).
This release includes a new OS-independent TimeMonitor mechanism and Google Cloud KMS support among other features. Starting with this release, the P11NG crypto token is recommended for all use cases on all platforms. This release also upgrades Bouncy Castle to 1.72.
Deployment options include SignServer Hardware Appliance, SignServer Software Appliance, and SignServer Cloud.
Highlights
OS Independent TimeMonitor
SignServer TimeMonitor is utilized in time-stamping use cases to monitor the difference between the local time and the time of an external NTP server to avoid issuing timestamps if the time difference exceeds a configured value. With SignServer 5.11, SNTP is by default supported natively, enabling using the SignServer TimeMonitor feature without the need for ntpdate and ntpq commands in the operating system. This new mode of operation for TimeMonitor also supports the use of multiple time servers for redundancy. For customers running SignServer on operating systems with the ntpdate and ntpq commands, it is still possible to configure SignServer to use these as per the legacy functionality. For more information, see SignServer TimeMonitor Overview.
Full-featured P11NG as recommended PKCS#11 Crypto Token for new deployments
As of SignServer 5.11, P11NG is the recommended crypto token for new deployments of all use cases on all deployment types. P11NG was first introduced in SignServer 4.3 as an alternative PKCS#11 crypto token for certain functionality not supported by the Java SunPKCS11 provider. The functionality supported by the P11NG provider has evolved over time and now includes key wrapping, EdDSA algorithm support, and various Cloud HSM options. For more information, see the documentation on how to Migrate from SunPKCS11 to P11NG.
Google Cloud KMS Support
SignServer 5.11 includes support for Google Cloud KMS as HSM, expanding the SignServer Cloud HSM support beyond the previously supported AWS and Azure Cloud HSM options. The support for Google Cloud KMS is based on the use of the P11NG PKCS#11 crypto token.
Keyfactor branded user interface
The Keyfactor branded web user interface is now available per default for all new deployments and all existing deployments upgraded to SignServer 5.11.
Announcements
Deprecation of old WildFly versions
As of SignServer 5.11, the use of WildFly versions 9, 10, and 11 is deprecated.
Deprecation of SignServerWS/ValidationWS
As of SignServer 5.11, the use of SignServerWS/ValidationWS is deprecated.
Deprecation of XAdESSigner
As of SignServer 5.11, the use of XAdESSigner is deprecated. Use of AdES Signer is recommended for XAdES signatures.
Deprecation of OOXML Signer
As of SignServer 5.11, the use of OOXML Signer is deprecated.
Deprecation of ODF Signer
As of SignServer 5.11, the use of ODF Signer is deprecated.
Deprecation of Certificate Validation Framework
As of SignServer 5.11, the use of Certificate Validation Framework is deprecated.
Deprecation of Crypto Token definition in Signers
As of SignServer 5.11, the use of Crypto Token definitions in Signers is deprecated. Customers with legacy Signer configurations including Crypto Token definitions are advised to separate the Crypto Token configuration into a Crypto Token worker and update the Signer configurations with a reference to the Crypto Token worker.
Upgrade Information
Review the SignServer Upgrade Notes for important information about this release. For upgrade instructions, see Upgrade SignServer.
SignServer 5.11 is included in SignServer Hardware Appliance 3.11, SignServer Software Appliance 2.3, and SignServer Cloud 1.13.
Change Log: Resolved Issues
For full details of fixed bugs and implemented features in SignServer 5.11, refer to our JIRA Issue Tracker.
Issues Resolved in 5.11.1
Released December 2022
Bug Fixes
DSS-2533 - Regression: TSA_URL is not working in PDFSigner
DSS-2534 - Regression: Error page about connecting using certificate displayed blank
Issues Resolved in 5.11
Internal Release December 2022
New Features
DSS-825 - Implement internal SNTP client instead of executing the NTP commands in TimeMonitor
DSS-1902 - Support for building on Java 11
DSS-2428 - Add support for specifying RSA public exponent also with P11NG crypto token
DSS-2450 - Add option for MSAuthCode signatures to replace existing signatures
DSS-2469 - Support for running the web tests against a remote SignServer (of any packaging type)
DSS-2478 - GCP KMS PKCS#11 support in SignServer based on P11NG
DSS-2491 - Add support for Ed25519 on Utimaco (HSM custom mode)
DSS-2500 - Add support for SHA384withECDSA and SHA512withECDSA in MRTDSODSigner
DSS-2517 - Rebranded SignServer CE UI theme
Improvements
DSS-1942 - Remove WildFly remoting output from when running AdminCLI
DSS-2289 - Include class name in error message for incorrect time source
DSS-2315 - Update BC deprecated reference
DSS-2383 - Remove worker name from error messages from SODProcessServlet
DSS-2492 - Web UI hardening
DSS-2499 - P11NG-tool uses deprecated "which" command
DSS-2501 - Synchronize default P11 library definitions with EJBCA
DSS-2505 - Add parameter to specify self-signed DN when generating key pair with P11NG-tool
DSS-2507 - Add TRUSTANCHORS property to AdES Signer template
DSS-2508 - Clarify input format for PlainSigner in legacy client-side hashing mode with RSASSA-PKCS1_v1.5
DSS-2511 - Move TimeMonitor Manual into the normal documentation
DSS-2514 - Detection of HSM vendor in P11NG
DSS-2516 - Upgrade BC to 1.72
DSS-2525 - Upgrade dependencies
Bug Fixes
DSS-1681 - Confusing error message with alias selector, noauth and key wrapping
DSS-1811 - SignClient can not be run from directory having a space character in its file name
DSS-1815 - SignDocument Command fails with CLIENTWS & WEBSERVICES protocols if host not specified
DSS-2270 - JWT Authorizer: "Unknown issuer" is incorrectly logged
DSS-2342 - Error 500 when you reload audit log page with empty value for "Displaying results" or "Entries per page"
DSS-2397 - NPE when not specifying signature algorithm and using ECDSA
DSS-2399 - NPE in JwtAuthorizer
DSS-2412- Configuring JwtAuthorizer with public key in PEM format instead of Base64 gives IllegalArgumentException instead of being listed as error
DSS-2455 - Failed key test results rendered as success message instead of failure message
DSS-2483 - EMBED_CRL is in wrong place in the PDF Signer document
DSS-2489 - Transitive dependency on older Bouncy Castle (1.64) not excluded/overridden
DSS-2496 - Can not remove global configuration properties with special characters using delete button
DSS-2503 - P11NG tool fails to generate self-signed cert for ECDSA keypair
DSS-2504 - P11NG-tool gives return code 0 with unknown key algorithm
DSS-2509 - Client HTTP interface relays on platform encoding for data submitted in URL encoded form
DSS-2523 - JArchiveSigner worker template missing in CE