The PrimeKey SignServer team is pleased to announce the release of SignServer 5.8.1.
This release includes a new feature where signature requests can be signed by a remote client allowing a new end-to-end authorization mechanism for deployment scenarios with proxies or similar between the client and the server. The release also addresses security issues and customers are advised to upgrade to this version as soon as possible.
Signed Signature Requests
SignServer 5.8.1 introduces support for Signed Signature Requests. This feature extends the request authorization capabilities of SignServer beyond client certificate and JSON Web Token (JWT) authorization. In deployment scenarios where there are mutual TLS (mTLS) hops between the client and SignServer it may not be feasible to use an mTLS connection for the closest network element to authorize the signature request. When the Signed Signature Request feature is used, a signature is added as metadata to the request by the client. Adding the signature to the request can now be done using the SignServer SignClient or by following the request format specification when generating the request from a client using the SignServer Web Services API. For more information, see Signed Request Authorizer.
Third-party Apache Santuario Library Upgrade (CVE-2021-40690)
Versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
SignServer Enterprise incorporates the Apache Santuario - XML Security for Java as a third-party library and may be affected if configured to provide XML or XAdES validators.
As of SignServer Enterprise 5.8.1, the Apache Santuario - XML Security for Java library is updated to version 2.1.7, which includes a fix for CVE-2021-40690. After upgrading to SignServer Enterprise 5.8.1, your installation is no longer affected by this security issue.
- Medium – There is no known exposure if XML or XAdES validators are not configured in SignServer. In addition, an attacker would need to be authorized to use configured workers if any.
Change Log: Resolved Issues
For full details of fixed bugs and implemented features in SignServer 5.8.1, refer to our JIRA Issue Tracker.
DSS-2279 - EC support with P11NG
DSS-2367 - Signed Signature Request through Web Service API based on format specification
DSS-2375 - Support for WildFly 24
DSS-2278 - Merge updated P11NG from EJBCA 126.96.36.199
DSS-2353 - Key removal operation consistency between P11NG and SunPKCS11
DSS-2379 - Document supported algorithms
DSS-2384 - Add demo client certificate issued by a sub CA
DSS-2394 - P11NG signature provider implementation should throw JCA exceptions instead of P11NG-specific runtime exceptions
DSS-2402 - Upgrade BC to 1.70
DSS-2382 - Issue with overriding DIGESTALGORITHM in PDF
DSS-2385 - JUnit test MRTDSODSignerTest signer certificate expired
DSS-2389 - Security Issue
DSS-2391 - Regression: Client-side hashing on Windows fails with "used by another process"
DSS-2396 - Certain recent JRE versions breaks PKCS11CryptoToken
DSS-2401 - Security Issue