COMMUNITY EDITION JUNE 2022

We are happy to announce the newest release of our open source signing software SignServer Community Edition with version 5.9.1 and thank each and every SignServer Contributor for your work in getting us here.

These release notes cover new SignServer Community features and improvements implemented between SignServer Community 5.2.0 and SignServer Community 5.9.1.

This latest community release includes several new features, including experimental support for post-quantum signing as well as Azure Key Vault support and DNSSEC signing. The release also includes bug fixes for SignServer Community and a few security enhancements.

Highlights

Post-quantum Signing

The CMS Signer and Keystore Crypto Token have been extended with experimental support for the SPHINCS+ algorithm to enable creation of post-quantum keys and signatures. This experimental support is suited for proof of concept implementations. The generated keys are associated with self-signed post-quantum certificates, also based on the SPHINCS+ post-quantum algorithm.

By leveraging post-quantum signing in SignServer together with the SPHINCS+ algorithm in Bouncy Castle, it is possible to build an end-to-end system for creating and verifying signatures, thereby bringing use cases such as IoT code signing to a stage of post-quantum readiness through crypto agility. 

For information on what is going on with Post-Quantum Cryptography (PQC) and how to prepare for PQC, with certificate issuance, digital signatures, and crypto agility, refer to our documentation about Post-Quantum Readiness.

Azure Key Vault Support

Based on a much-appreciated community contribution, we have implemented a new Crypto Token that allows you to store and use the signing keys in Azure Key Vault. This Azure Key Vault Crypto Token can thus be used as an alternative to using a Hardware Security Module (HSM) or a software keystore. For more information, see AzureKeyVaultCryptoToken.

DNSSEC Signing

DNS Security Extensions (DNSSEC) is a valuable tool for improving trust and integrity by adding security on top of the Domain Name System (DNS).

When the DNS system for translating human-friendly domain names to IP addresses was designed in the 1980s, security was not a primary consideration and DNS has remained an insecure and unauthenticated protocol. The DNS Security Extensions (DNSSEC) create a secure domain name system by adding cryptographic signatures to existing DNS records. The signatures are stored in DNS name servers and are used to ensure that the requested DNS record comes from the right source and that it is not altered during transmission.

SignServer Community now supports signing DNS zone files according to the DNSSEC standard using the new signers ZoneFileServerSideSigner, ZoneZipFileServerSideSigner, and ZoneHashSigner.

Custom Folder for Configuration

To ease upgrades and allow keeping your configurations from one version to another, you can now store your SignServer configurations in a signserver-custom folder outside of the SignServer home directory.

Your configuration files placed in the signserver-custom folder will override the corresponding files found in the SIGNSERVER_HOME directory. Thus, when upgrading SignServer, you can replace the SignServer folder without having to manually copy old configurations. For more information, see Custom Configuration Outside of Installation Directory in Install SignServer.
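Because overridden files survive an upgrade unchanged, it is worth reviewing which of them differ from the newly shipped versions. The following is an added example, not part of SignServer or these release notes; it assumes that "corresponding" means the same relative path in both trees, and the function name is hypothetical.

```python
import hashlib
from pathlib import Path


def _digest(path):
    """SHA-256 of a file's content, used to tell real overrides from copies."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def review_custom_config(home, custom):
    """Classify each file under the custom folder against SIGNSERVER_HOME.

    overrides:   same relative path exists in home with different content
    identical:   same relative path and same content (override has no effect)
    custom_only: no file at that relative path in home (possibly stale or renamed)
    """
    home, custom = Path(home), Path(custom)
    report = {"overrides": [], "identical": [], "custom_only": []}
    for src in sorted(p for p in custom.rglob("*") if p.is_file()):
        rel = src.relative_to(custom)
        shipped = home / rel
        if not shipped.is_file():
            report["custom_only"].append(rel.as_posix())
        elif _digest(src) == _digest(shipped):
            report["identical"].append(rel.as_posix())
        else:
            report["overrides"].append(rel.as_posix())
    return report
```

Run it after unpacking a new release and before deploying: entries under `overrides` are settings that will replace the new defaults, and `custom_only` entries may point to files the new release no longer ships under that path.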

Log4j Upgrade

As stated before, SignServer was never vulnerable to CVE-2021-44228 or the subsequent findings, because SignServer handles logging through JBoss EAP/WildFly, merely facilitated by the Log4j API. Log4j version 1 has been included in the source mainly as a building block and is not used in the main deployment; it is only ever directly referenced from the CLI, but its presence will still trip automatic vulnerability scanners. As we understand that some of our customers need to comply with auditors and other regulatory authorities, we have decided to accelerate the planned upgrade of Log4j to the latest release in order to resolve any questions about SignServer being vulnerable.

Security Enhancements

Third-party Apache Santuario Library Upgrade (CVE-2021-40690)

Versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

SignServer incorporates the Apache Santuario - XML Security for Java as a third-party library and may be affected if configured to provide XML or XAdES validators.

As of this SignServer release, the Apache Santuario - XML Security for Java library is updated to version 2.1.7, which includes a fix for CVE-2021-40690. We rate the issue as having a severity level medium, as there is no known exposure if XML or XAdES validators are not configured in SignServer. In addition, an attacker would need to be authorized to use configured workers if any. After upgrading SignServer, your installation is no longer affected by this security issue.
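A deployment check for the library versions named above, as an added example that is not part of SignServer or these release notes. It assumes the library is shipped under its Maven artifact file name `xmlsec-<version>.jar` and looks one level into `.ear`/`.war` archives; the function names are hypothetical.

```python
import re
import zipfile
from pathlib import Path

# First fixed releases for CVE-2021-40690, as given in the release notes.
FIXED_21 = (2, 1, 7)
FIXED_22 = (2, 2, 3)
# Assumption: plain Maven artifact naming; anything else is left for manual review.
JAR_RE = re.compile(r"xmlsec-(\d+)\.(\d+)\.(\d+)\.jar")
ARCHIVES = {".ear", ".war"}


def classify(jar_name):
    """Return 'affected', 'fixed' or 'unparsed' for an xmlsec jar file name."""
    m = JAR_RE.fullmatch(jar_name)
    if not m:
        return "unparsed"
    version = tuple(int(g) for g in m.groups())
    # The 2.2.x line was fixed in 2.2.3; 2.1.x and everything older in 2.1.7.
    fixed = FIXED_22 if version[:2] == (2, 2) else FIXED_21
    return "affected" if version < fixed else "fixed"


def _is_xmlsec(name):
    return name.startswith("xmlsec-") and name.endswith(".jar")


def scan(root):
    """List (location, status) for xmlsec jars on disk and inside EAR/WAR files."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if _is_xmlsec(path.name):
            findings.append((rel, classify(path.name)))
        elif path.suffix in ARCHIVES and zipfile.is_zipfile(path):
            # One level only: jars nested in a WAR inside an EAR are not opened.
            with zipfile.ZipFile(path) as archive:
                for entry in archive.namelist():
                    base = entry.rsplit("/", 1)[-1]
                    if _is_xmlsec(base):
                        findings.append((f"{rel}!/{entry}", classify(base)))
    return findings
```

An `unparsed` result (for example a repackaged or snapshot build) needs manual inspection rather than being treated as fixed.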

Cross-site Scripting Issue in Admin Web (CVE-2022-26494)

During our testing with a new combination of test data and request sequence in the SignServer Admin Web interface, a cross-site scripting issue was found. By setting up a new worker where JavaScript code is used in the worker name followed by a Generate CSR request, the script in the worker name will be executed in the generate CSR step. This issue has been fixed in SignServer 5.8.1 and similar issues in other parts of Admin Web were also fixed. 

We rate the issue as having a severity level low, as only an authorized SignServer administrator could perform an attack. Any update of worker names configured in SignServer will be logged in the audit log. This issue has been reported in CVE-2022-26494.

Announcements

Deprecation of Java SE 8 as Runtime Environment

The recommended Java runtime environment for SignServer is Java SE 11. Java SE 8 is still supported but associated with certain limitations. Customers using Java SE 8 are advised to plan for upgrading to Java SE 11. With Java SE 17, the next Long Term Support version of Java, expected to become available later this year, we plan to support Java 11 and Java 17 in the next major version of SignServer.

Downloads and Resources

As of this release, SignServer Community releases will follow the release schedule for the Enterprise Edition, including all major and feature releases.

To download the latest version of SignServer Community, you can choose from several options:

  • SignServer Community is available for download from GitHub.
  • SignServer Community Container is available for download from Docker Hub.
  • SignServer Community is available for download from SourceForge.

For download links, documentation, and contact information, see signserver.org. For upgrade instructions, see Upgrade SignServer.

Want to learn more about our open-source software? Get in touch over at SignServer Discussions on GitHub, a collective space where you can share feedback and contribute ideas to future releases. We would love to hear from you.

Keyfactor Community

In the Keyfactor Community, developers, engineers, and security teams can get hands-on with Keyfactor's open-source PKI and signing software, share ideas with peers, and learn from industry experts. Find out more and sign up for the Keyfactor Community Newsletter at Keyfactor Community.