Skip to content

Fix #432: make PAdES LT/LTA work with the DSS engine (EU LOTL)#436

Open
kwart wants to merge 2 commits into
masterfrom
fix/432
Open

Fix #432: make PAdES LT/LTA work with the DSS engine (EU LOTL)#436
kwart wants to merge 2 commits into
masterfrom
fix/432

Conversation

@kwart

@kwart kwart commented Jun 28, 2026

Copy link
Copy Markdown
Member

Fixes #432. PAdES LT/LTA on the DSS engine failed two ways: an untrusted-chain abort (revocation skipped), and a hard NPE after enabling "use default LOTL".

Changes

  • Proper EU LOTL wiring (DssTrustConfigurer): URL + bundled Official Journal keystore + OJ announcement predicate + pivot support. Fixes the null-URL NPE and the missing LOTL-signature material. Custom trust.lotlUrls entries get the OJ cert source + pivot; blank URLs are guarded.
  • Bundled OJ keystore from dss-demonstrations 6.4+20260415 (post April-2026 rotation; 6 EC qualified signer certs, no private keys), overridable via trust.eu.ojKeystoreFile/ojKeystorePassword/ojUrl and trust.eu.lotlUrl. Refresh scripts + README under engines/dss.
  • Config namespace: EU LOTL keys grouped under trust.eu.*; trust.useDefaultLotltrust.eu.enabled (only ever shipped broken in RC-2). Updated GUI label keys (all translations), FXML, prefs VM/controller.
  • LT/LTA preflight (DssLtTrustPreflight): CLI fails fast with the exact keys to set; GUI offers to enable the online + trust prerequisites — instead of the opaque deep DSS failure.
  • Tests: offline unit tests for the LOTL wiring and the preflight predicate.

Defaults stay opt-in (online.enabled + trust.eu.enabled both false).

Notes

  • Bundled keystore validates the LOTL signature only; document-signer anchors remain trust.truststoreFile.
  • A gated live-LOTL onlineRefresh() integration test (real network) is not included yet.

🤖 Generated with Claude Code

kwart and others added 2 commits June 28, 2026 16:44
Wire the EU List of Trusted Lists correctly so LT/LTA can embed revocation
data and resolve trust anchors:

- DssTrustConfigurer: build a proper European LOTL (URL + bundled Official
  Journal keystore + OJ announcement predicate + pivot support), fixing the
  null-URL NPE and the missing LOTL-signature material. Custom trust.lotlUrls
  entries are wired with the OJ cert source + pivot; blank URLs are guarded.
- Bundle the OJ keystore (dss-demonstrations 6.4+20260415) as a classpath
  resource, overridable via trust.eu.ojKeystoreFile/ojKeystorePassword/ojUrl
  and trust.eu.lotlUrl. Refresh scripts + README under engines/dss.
- Group EU LOTL keys under trust.eu.* and rename trust.useDefaultLotl ->
  trust.eu.enabled (config, GUI label keys, FXML, prefs VM/controller).
- Add DssLtTrustPreflight: CLI fails fast and the GUI offers to enable the
  online + trust prerequisites when LT/LTA is selected but not configured.
- Offline unit tests for the LOTL wiring and the preflight predicate.

Defaults stay opt-in (online + EU LOTL both false).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…port

Follow-up fixes found while testing LT against a real (eIDAS pilot) LOTL:

- Package the DSS modules the trusted-list path needs at runtime, which were
  missing/test-scoped so the whole LOTL feature failed in the distribution:
  - specs-trusted-list-v211 (TrustedList211Utils) — LOTL parsing
  - dss-validation + dss-policy-jaxb — LOTL/TL signature validation
    (were declared test-only)
- Ship an SLF4J binding (slf4j-jdk14) in the distribution so DSS logging
  (LOTL download / validation / revocation) is no longer dropped to the NOP
  logger — these failures were previously invisible.
- DssTrustConfigurer: add engine.dss.trust.lotlMraSupport to enable DSS MRA
  processing for third-country mutual-recognition LOTLs on the lotlUrls path.
- DssSigningEngine: catch the untrusted-chain AlertException and log an
  actionable message (console.dss.untrustedChain) instead of a raw stack trace.
- Defaults + test coverage for the new flag.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

PAdES LT and LTA doesn't work in JSignPdf_3_1_0-RC-2

1 participant