SignServer 5.8 Release Notes
The PrimeKey SignServer team is pleased to announce the release of SignServer 5.8.
This release brings improvements for short-lived certificates when using JSON-based token authentication and enhancements for eIDAS Advanced level signing. With this release, SignServer also supports setting up one-time keys using an EJBCA Peer Connection in RA mode.
Deployment options include SignServer Hardware Appliance and SignServer Cloud.
Highlights
Use Information from JWT Claims in Short-Lived Signing Certificates
Customers using OAuth 2.0 or OpenID Connect in an identity provider (authorization server), integrated with SignServer using the SignServer JSON Web Token (JWT) Authorizer, can now use information from the JWT tokens in short-lived certificates. SignServer 5.8 supports configuring mapping rules between JWT claims and short-lived certificates, allowing user data from the JWT token to be part of the certificate used for signatures on behalf of the authorized user. For more information, see JWT Authorizer.
EJBCA Peer Connection in RA Mode for One-Time Keys
SignServer now allows you to set up one-time keys using an EJBCA Peer Connection in RA mode. This improves security on the CA side as the connection is initiated from EJBCA to SignServer, and therefore the network setup will not need to accept incoming connections to the CA when using one-time keys in SignServer. For more information, see Peer Systems.
eIDAS Advanced Level Signing Enhancements
SignServer 5.8 brings improvements for managing long-term archiving of signed documents. For eIDAS Advanced level signing using PAdES and XAdES signature formats, SignServer now supports extending the validity of a document with a previous signature. In addition, the AdES signer has been improved to handle larger signature sizes. For more information, see AdES Signer.
Upgrade Information
Review the SignServer Upgrade Notes for important information about this release. For upgrade instructions, see Upgrade SignServer.
SignServer 5.8.0 is included in SignServer Hardware Appliance 3.9.1 and SignServer Cloud 1.10.
Change Log: Resolved Issues
For full details of fixed bugs and implemented features in SignServer 5.8.0.2, refer to our JIRA Issue Tracker.
Issues Resolved in 5.8.0.2
Released October 2021
New Features
DSS-2285 - Extend validity of already PAdES signed document (PAdES-LTA)
DSS-2306 - Extend validity of already signed XAdES file for XAdES-LTA profile
DSS-2331 - Certificate User Data Mapping from JWT
DSS-2332 - Peers Connection where SignServer acts as RA: Implementing Peers "RA mode"
DSS-2333 - EJBCA Peers CA Connector for use with OneTimeCryptoWorker
DSS-2359 - Signed signature requests (Server Authorization)
DSS-2360 - SignClient support for signed signature requests
DSS-2371 - Support for one-time keys using peers and P11NG
Improvements
DSS-2275 - Respond with failure for incorrectly formatted time-stamp requests
DSS-2277 - Upgrade BC to 1.69 (when available) with stricter TS request checks
DSS-2329 - Handle larger signatures in PAdES Signer
DSS-2354 - Worker template for AdESSigner is missing properties
DSS-2361 - Document that AdES Signer TRUSTANCHOR property could be needed if PDF is already signed
DSS-2362 - Better error handling for unexpected AdES Signer failures
DSS-2368 - Improved SignClient support for signed signature requests
Bug Fixes
DSS-2357 - Some JAR verification test failures since a later Java 8 version
DSS-2358 - AdES Signer gives error when used with OneTimeCryptoWorker