Release 5.2.0

@rsarendus rsarendus released this 05 Sep 12:17
· 106 commits to master since this release

Summary of the major changes since 5.1.0

  • Disabled the possibility to create signatures with LT_TM and B_EPES profiles
  • Fixed OCSP request nonce encoding (in CommonOCSPSource) on signature creation: the OCSP nonce used in the id-pkix-ocsp-nonce OCSP extension is now a DER-encoded OCTET STRING, which is encapsulated as another OCTET STRING (see RFC 4366, section 3.6 and RFC 6961, section 2.2)
  • Deprecated "full report" configuration flag, as enabling it can produce false negative validation results in some cases:
    • Deprecated setFullReportNeeded and isFullReportNeeded methods in Configuration class
    • Deprecated -err/-showerrors command line option in DigiDoc4J command line utility
  • Updated dependencies
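
The nonce encoding fix above, shown as an added example that is not DigiDoc4J code: it builds the extension value both ways (nonce wrapped once, and the DER OCTET STRING wrapped in a second OCTET STRING) and checks which form a given value has. The class and method names are hypothetical, the nonce bytes are constructed, and only short-form DER lengths (under 128 bytes) are handled.

```java
import java.util.Arrays;

// Added illustration, not DigiDoc4J code; all names here are hypothetical.
public class OcspNonceEncoding {

    private static final byte TAG_OCTET_STRING = 0x04;

    /** DER-encodes content as an OCTET STRING (short-form length only). */
    static byte[] derOctetString(byte[] content) {
        if (content.length >= 0x80) {
            throw new IllegalArgumentException("long-form lengths not handled in this example");
        }
        byte[] out = new byte[content.length + 2];
        out[0] = TAG_OCTET_STRING;
        out[1] = (byte) content.length;
        System.arraycopy(content, 0, out, 2, content.length);
        return out;
    }

    /** Returns the contents if tlv is exactly one short-form OCTET STRING, else null. */
    static byte[] unwrapOctetString(byte[] tlv) {
        if (tlv == null || tlv.length < 2 || tlv[0] != TAG_OCTET_STRING) return null;
        int len = tlv[1] & 0xFF;
        if (len >= 0x80 || len != tlv.length - 2) return null;
        return Arrays.copyOfRange(tlv, 2, tlv.length);
    }

    /**
     * True when the extension value is an OCTET STRING whose contents are
     * themselves a complete DER OCTET STRING (the form used since 5.2.0).
     * Structural check only: a single-wrapped nonce whose first bytes happen
     * to form a valid OCTET STRING header would also pass.
     */
    static boolean isDoubleWrapped(byte[] extnValue) {
        byte[] inner = unwrapOctetString(extnValue);
        return inner != null && unwrapOctetString(inner) != null;
    }

    public static void main(String[] args) {
        byte[] nonce = new byte[16];                 // constructed sample nonce
        Arrays.fill(nonce, (byte) 0xA5);
        byte[] singleWrapped = derOctetString(nonce);                 // 04 10 <nonce>
        byte[] doubleWrapped = derOctetString(derOctetString(nonce)); // 04 12 04 10 <nonce>
        System.out.println("single wrapped passes: " + isDoubleWrapped(singleWrapped));
        System.out.println("double wrapped passes: " + isDoubleWrapped(doubleWrapped));
        System.out.println("nonce recovered intact: " + Arrays.equals(nonce,
                unwrapOctetString(unwrapOctetString(doubleWrapped))));
    }
}
```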

Known issues

  • We have noticed a slight increase in TSL loading times due to pivot LOTL support
  • We have noticed a decrease in performance with the introduction of properly accessing AIA certificate resources
  • Opening a container that contains signatures triggers TSL loading (TSL lazy loading does not work as expected)
  • When upgrading from versions older than 2.1.1, make sure that your integration:
    • doesn't use Xalan or XercesImpl dependencies
    • uses a patched Java version (JDK8 or higher)
      Xalan and XercesImpl were used to patch XML vulnerabilities in older Java versions. They should be discarded with higher versions because they override default Java XML security.
      If it is not possible to remove Xalan, then you can set your system property to override TransformerFactory: System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");