DECEMBER 2021

The PrimeKey SignServer team is pleased to announce the release of SignServer 5.8.1.

This release includes a new feature where signature requests can be signed by a remote client allowing a new end-to-end authorization mechanism for deployment scenarios with proxies or similar between the client and the server. The release also addresses security issues and customers are advised to upgrade to this version as soon as possible.

Deployment options include SignServer Hardware Appliance and SignServer Cloud.

Highlights

Signed Signature Requests

SignServer 5.8.1 introduces support for Signed Signature Requests. This feature extends the request authorization capabilities of SignServer beyond client certificate and JSON Web Token (JWT) authorization. In deployment scenarios where there are mutual TLS (mTLS) hops between the client and SignServer it may not be feasible to use an mTLS connection for the closest network element to authorize the signature request. When the Signed Signature Request feature is used, a signature is added as metadata to the request by the client. Adding the signature to the request can now be done using the SignServer SignClient or by following the request format specification when generating the request from a client using the SignServer Web Services API. For more information, see Signed Request Authorizer.

Security Notice

Third-party Apache Santuario Library Upgrade (CVE-2021-40690)

Versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

SignServer Enterprise incorporates the Apache Santuario - XML Security for Java as a third-party library and may be affected if configured to provide XML or XAdES validators.

As of SignServer Enterprise 5.8.1, the Apache Santuario - XML Security for Java library is updated to version 2.1.7, which includes a fix for CVE-2021-40690. After upgrading to SignServer Enterprise 5.8.1, your installation is no longer affected by this security issue.

Severity

  • Medium – There is no known exposure if XML or XAdES validators are not configured in SignServer. In addition, an attacker would need to be authorized to use configured workers if any. 

Upgrade Information

Review the SignServer Upgrade Notes for important information about this release. For upgrade instructions, see Upgrade SignServer.

SignServer 5.8.1 is included in SignServer Hardware Appliance 3.9.3 and SignServer Cloud 1.10.1.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in SignServer 5.8.1, refer to our JIRA Issue Tracker.

Issues Resolved in 5.8.1

Released December 2021

New Features

DSS-2279 - EC support with P11NG

DSS-2367 - Signed Signature Request through Web Service API based on format specification

DSS-2375 - Support for WildFly 24

Improvements

DSS-2278 - Merge updated P11NG from EJBCA 7.8.0.1

DSS-2353 - Key removal operation consistency between P11NG and SunPKCS11

DSS-2379 - Document supported algorithms

DSS-2384 - Add demo client certificate issued by a sub CA

DSS-2394 - P11NG signature provider implementation should throw JCA exceptions instead of P11NG-specific runtime exceptions

DSS-2402 - Upgrade BC to 1.70

Bug Fixes

DSS-2382 - Issue with overriding DIGESTALGORITHM in PDF

DSS-2385 - JUnit test MRTDSODSignerTest signer certificate expired

DSS-2389 - Security Issue

DSS-2391 - Regression: Client-side hashing on Windows fails with "used by another process"

DSS-2396 - Certain recent JRE versions breaks PKCS11CryptoToken

DSS-2401 - Security Issue