The PrimeKey SignServer team is pleased to announce the release of SignServer 5.8.

This release brings improvements for short-lived certificates when using JSON Web Token (JWT) based authentication and enhancements for eIDAS Advanced level signing. With this release, SignServer also supports setting up one-time keys using an EJBCA Peer Connection in RA mode.

Deployment options include SignServer Hardware Appliance and SignServer Cloud.

Highlights

Use Information from JWT Claims in Short-Lived Signing Certificates

Customers using OAuth 2.0 or OpenID Connect with an identity provider (authorization server), integrated with SignServer through the SignServer JSON Web Token (JWT) Authorizer, can now use information from the JWT in short-lived certificates. SignServer 5.8 supports configuring mapping rules between JWT claims and fields of the short-lived certificate, so that user data carried in the token becomes part of the certificate used to sign on behalf of the authorized user. Because the mapped values end up in a certificate that relying parties trust, only claims from a token whose signature, issuer, audience and expiry the JWT Authorizer has accepted should be mapped. For more information, see JWT Authorizer.
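The following is an added example illustrating the idea behind claim-to-certificate mapping; it is not SignServer's code and does not use SignServer's configuration syntax. It assumes a hypothetical mapping table (certificate subject attribute to JWT claim), a constructed issuer and audience, and an HS256 token with a shared demo key so that it runs offline; a real OpenID Connect deployment would verify an RS256 or ES256 token against the identity provider's published keys instead. The point it makes is ordering and hygiene: the token is fully verified before any claim is read, the algorithm is pinned, required claims are enforced, claim values are RFC 4514-escaped so a crafted display name cannot inject an extra RDN, and the certificate lifetime is capped by the token's own expiry.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this demo (not SignServer configuration). A real OIDC
# authorization server signs tokens with RS256/ES256 and the verifier validates
# against the IdP's JWKS; HS256 with a shared key is used only to run offline.
DEMO_HMAC_KEY = b"demo-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "signserver"

# Hypothetical mapping rules: certificate subject attribute -> JWT claim.
SUBJECT_MAPPING = {"CN": "name", "E": "email", "UID": "sub", "O": "org"}
REQUIRED_ATTRS = {"CN", "UID"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict, key: bytes = DEMO_HMAC_KEY) -> str:
    """Mint an HS256 JWT; stands in for the identity provider in this example."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, key: bytes = DEMO_HMAC_KEY, now: float = None) -> dict:
    """Return the claims only if signature, alg, iss, aud and exp all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm: never let the token choose 'none' or another alg.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError("wrong audience")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping, so a claim like 'Smith, CN=admin' cannot add an RDN."""
    out = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    if out.startswith((" ", "#")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def build_subject_dn(claims: dict, mapping=SUBJECT_MAPPING, required=REQUIRED_ATTRS) -> str:
    """Apply the mapping rules to verified claims and produce a subject DN string."""
    rdns = []
    for attr, claim in mapping.items():
        value = claims.get(claim)
        if value is None or value == "":
            if attr in required:
                raise ValueError(f"required claim {claim!r} missing for {attr}")
            continue  # optional attribute: leave it out rather than fill a placeholder
        if not isinstance(value, str):
            raise ValueError(f"claim {claim!r} must be a string")
        rdns.append(f"{attr}={escape_dn_value(value)}")
    return ",".join(rdns)


def subject_for_token(token: str, now: float = None) -> str:
    """Verify first, map second: unverified claims never reach a certificate."""
    return build_subject_dn(verify_token(token, now=now))


def cert_not_after(claims: dict, now: float, max_lifetime: int = 600) -> float:
    """A short-lived certificate must not outlive the token that authorised it."""
    return min(float(claims["exp"]), now + max_lifetime)
```

A deployment would additionally want to reject tokens with a `nbf` in the future, check a `jti` against a replay cache if the IdP issues one, and restrict which claims are allowed into the subject at all, since anything a user can set in their IdP profile would otherwise show up verbatim in a signing certificate.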

EJBCA Peer Connection in RA Mode for One-Time Keys

SignServer now allows you to set up one-time keys using an EJBCA Peer Connection in RA mode. In this mode the connection is initiated from EJBCA to SignServer rather than from SignServer to the CA, so the network setup no longer needs to accept incoming connections to the CA in order to use one-time keys in SignServer, which improves security on the CA side. For more information, see Peer Systems.

eIDAS Advanced Level Signing Enhancements

SignServer 5.8 brings improvements for managing long-term archiving of signed documents. For eIDAS Advanced level signing using the PAdES and XAdES signature formats, SignServer now supports extending the validity of an already signed document to the long-term archival level (PAdES-LTA and XAdES-LTA). In addition, the AdES signer has been improved to handle larger signature sizes. For more information, see AdES Signer.

Upgrade Information

Review the SignServer Upgrade Notes for important information about this release. For upgrade instructions, see Upgrade SignServer.

SignServer 5.8.0 is included in SignServer Hardware Appliance 3.9.1 and SignServer Cloud 1.10.

Change Log: Resolved Issues

For full details of fixed bugs and implemented features in SignServer 5.8.0.2, refer to our JIRA Issue Tracker.

Issues Resolved in 5.8.0.2

Released October 2021

New Features

DSS-2285 - Extend validity of already PAdES signed document (PAdES-LTA)

DSS-2306 - Extend validity of already signed XAdES file for XAdES-LTA profile

DSS-2331 - Certificate User Data Mapping from JWT

DSS-2332 - Peers Connection where SignServer acts as RA: Implementing Peers "RA mode"

DSS-2333 - EJBCA Peers CA Connector for use with OneTimeCryptoWorker

DSS-2359 - Signed signature requests (Server Authorization)

DSS-2360 - SignClient support for signed signature requests

DSS-2371 - Support for one-time keys using peers and P11NG

Improvements

DSS-2275 - Respond with failure for incorrectly formatted time-stamp requests

DSS-2277 - Upgrade BC to 1.69 (when available) with stricter TS request checks

DSS-2329 - Handle larger signatures in PAdES Signer

DSS-2354 - Worker template for AdESSigner is missing properties

DSS-2361 - Document that AdES Signer TRUSTANCHOR property could be needed if PDF is already signed

DSS-2362 - Better error handling for unexpected AdES Signer failures

DSS-2368 - Improved SignClient support for signed signature requests

Bug Fixes

DSS-2357 - Some JAR verification test failures since a later Java 8 version

DSS-2358 - AdES Signer gives error when used with OneTimeCryptoWorker