SignServer 5.4 Release Notes
The PrimeKey SignServer team is pleased to announce the release of SignServer 5.4.
With this release, we have implemented a new Azure Key Vault Crypto Token as well as a JSON Web Token (JWT) Authorizer.
This release also brings support for keeping SignServer configurations and custom modifications in an external directory, shared between versions.
Highlights
Azure Key Vault Support
We have implemented a new Crypto Token that allows you to store and use the signing keys in Azure Key Vault. This Azure Key Vault Crypto Token can thus be used as an alternative to using a Hardware Security Module (HSM) or a software keystore. For more information, see AzureKeyVaultCryptoToken.
JSON Web Token Authorizer
A new Authorizer implementation makes it possible to allow signature requests based on the JSON Web Token (JWT) included in the request. This allows having an identity provider separate from the SignServer application. Such an identity provider (or authorization server) can offer support for standards such as OpenID Connect and OAuth 2.0, and for user directories such as LDAP and Active Directory. For more information, see JWT Authorizer.
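To show what a JWT-based authorizer has to check before it lets a signing request through, here is an added, self-contained example. It is not SignServer's JWT Authorizer and does not use its configuration properties (which this page does not describe); it is a generic verifier for HS256 tokens using only the Python standard library, with the shared secret, issuer, audience and sample claims all constructed for the example. The same checks apply when the identity provider signs with an asymmetric key; only the signature step changes.

```python
"""Constructed example: the checks a JWT authorizer performs before allowing a request."""
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def mint_hs256(claims, key):
    """Build an HS256 token. Only used here to construct sample input; in practice
    the identity provider issues the token and the authorizer never mints one."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = (header + "." + payload).encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return header + "." + payload + "." + _b64url_encode(signature)


def authorize_request(token, key, issuer, audience, now=None):
    """Return (allowed, reason, claims). Every rejection carries a reason so the
    authorizer can record it in the audit log."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token", None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "undecodable token", None
    # The header is supplied by the caller, so the verifier pins the algorithm
    # instead of trusting "alg" (this also rejects "none").
    if header.get("alg") != "HS256":
        return False, "unexpected alg %r" % header.get("alg"), None
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature", None
    # Only after the signature holds are the claims worth reading.
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "token expired or missing exp", None
    if "nbf" in claims and claims["nbf"] > now:
        return False, "token not yet valid", None
    if claims.get("iss") != issuer:
        return False, "issuer mismatch", None
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        return False, "audience mismatch", None
    return True, "ok", claims


# Constructed sample values for running the example stand-alone.
SAMPLE_KEY = b"constructed-shared-secret-for-example-only"
SAMPLE_ISSUER = "https://idp.example.test"
SAMPLE_AUDIENCE = "signserver"
SAMPLE_CLAIMS = {"iss": SAMPLE_ISSUER, "aud": SAMPLE_AUDIENCE,
                 "sub": "alice", "exp": 2000000000}


def demo():
    token = mint_hs256(SAMPLE_CLAIMS, SAMPLE_KEY)
    return authorize_request(token, SAMPLE_KEY, SAMPLE_ISSUER, SAMPLE_AUDIENCE, now=1000)


if __name__ == "__main__":
    print(demo())
```

The order matters: the signature is verified before any claim is interpreted, and the algorithm is fixed by the verifier rather than read from the token, so a request cannot downgrade the check by editing its own header.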
Custom Folder for Configuration
To ease upgrades and allow you to carry your configuration over from one version to the next, you can now store your SignServer configurations in a signserver-custom folder outside of the SignServer home directory.
Configuration files placed in the signserver-custom folder override the corresponding files found in the SIGNSERVER_HOME directory. Thus, when upgrading SignServer, you can replace the SignServer folder without having to manually copy old configurations. For more information, see Custom Configuration Outside of Installation Directory in Install SignServer.
Upgrade Information
No database changes are required for this release. Review the SignServer Upgrade Notes for important information on changes and requirements to be aware of when upgrading SignServer. For upgrade instructions, see Upgrade SignServer.
Change Log: Resolved Issues
For full details of fixed bugs and implemented features in SignServer 5.4.0, refer to our JIRA Issue Tracker.
Issues Resolved in 5.4.0
Released April 2020
New Features
DSS-296 - Folder for custom code/configuration outside SignServer tree (see ejbca-custom)
DSS-2064 - Initial support for Azure Key Vault
DSS-2105 - Initial JWT Authorizer
Tasks
DSS-2124 - Upgrade Bouncy Castle to 1.61
DSS-2132 - Test Azure Crypto token with different algorithms
DSS-2133 - Implement system tests for Azure Crypto token
DSS-2134 - Document Azure Crypto token
Improvements
DSS-1551 - Implement toggling to enable/disable worker
DSS-2122 - Do not display activate/deactivate buttons for workers that do not have a crypto token in their configuration
DSS-2139 - Properly handle when a key alias contains characters that are illegal by Azure Key Vault
Bug Fixes
DSS-891 - JUnit test ListBasedAddressAuthorizerTest fails sometimes
DSS-925 - NPE if ordering attribute not specified when querying using AdminWS
DSS-1132 - SignServer does not allow signing a certified PDF where level is FORM_FILLING
DSS-1560 - queryTokenEntries Webservice operation throws NPE if ordering parameter not provided
DSS-1779 - XAdESSigner not using strong algorithm by default
DSS-2136 - Regression: PKCS11CryptoToken is not properly auto-activated after deactivation operation is performed
DSS-2137 - Regression: Database CLI / audit log verification tool does not read its configuration properly