26 changes: 24 additions & 2 deletions design-doc/3.1-engine-dss.md
Expand Up @@ -381,8 +381,16 @@ Read by the engine through the phase-1 `EngineConfig` view (which already maps
# Required for producing LT/LTA. Default false to keep B/T fully offline.
engine.dss.online.enabled=false

# Trusted-list (LOTL) support for building the trust anchor set.
engine.dss.trust.useDefaultLotl=false
# EU LOTL support for building the trust anchor set. trust.eu.enabled wires the
# bundled European LOTL and validates its signature against the bundled Official
# Journal (OJ) keystore; the eu.* overrides are optional (effective when enabled).
engine.dss.trust.eu.enabled=false
engine.dss.trust.eu.lotlUrl=
engine.dss.trust.eu.ojUrl=
engine.dss.trust.eu.ojKeystoreFile=
engine.dss.trust.eu.ojKeystorePassword=

# Generic / advanced trust material.
engine.dss.trust.lotlUrls=
engine.dss.trust.certFiles=
engine.dss.trust.certUrls=
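Review bot: The block replaces `engine.dss.trust.useDefaultLotl` with `engine.dss.trust.eu.enabled` but does not say what happens to an existing configuration that still sets the old key. Both default to false, so unless the engine keeps reading the old name, a user who had `useDefaultLotl=true` ends up with no EU trust source and only finds out when an LT/LTA signature fails. Either document the old key as a deprecated alias, or state here that the rename is breaking and the old key is ignored. The comment calls the `eu.*` overrides optional but does not mention that `ojKeystoreFile` replaces the keystore used to validate the LOTL signature; that deserves a line because it changes the root of trust for the EU path.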
Expand All @@ -391,6 +399,20 @@ engine.dss.trust.truststoreType=
engine.dss.trust.truststorePassword=
```

EU LOTL keys live under the `trust.eu.*` sub-namespace (the turnkey path that
validates the LOTL signature against the bundled OJ keystore and follows the OJ
pivot chain); `trust.lotlUrls` and the cert/truststore keys stay un-prefixed as
the generic "bring your own trust" path. The bundled OJ keystore
(`engines/dss/src/main/resources/.../eu-oj-keystore.p12`) must be refreshed when
the OJ re-issues the LOTL signing certificates — see the keystore README.

**LT/LTA preflight (issue #432).** Because LT/LTA only embed revocation data for a
*trusted* chain reachable *online*, a missing trust source or `online.enabled`
makes DSS fail deep with an opaque untrusted-chain alert. `DssLtTrustPreflight`
checks `online.enabled AND (trust.eu.enabled ∨ truststoreFile ∨ certFiles ∨
certUrls ∨ lotlUrls)` up front: the CLI fails fast with the exact keys to set, and
the GUI offers to enable the prerequisites before signing.

`EngineConfig` currently exposes `getString` / `getBoolean` / `getInt`; list-
valued keys (`lotlUrls`, `certFiles`, `certUrls`) are parsed by the engine from
a delimiter-separated string, so no `EngineConfig` API change is required. (If a
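Review bot: In the LT/LTA preflight paragraph, "a missing trust source or `online.enabled`" reads as if `online.enabled` itself were the fault, and the condition mixes `AND` with `∨`. Suggest "a missing trust source or `online.enabled=false`" and a single operator style. As written, the condition only tests whether the keys are set, so the paragraph should say that a configured truststore whose anchors do not cover the signer's chain passes the preflight and still ends in the untrusted-chain failure. `engine.dss.trust.lotlMraSupport`, which the sample configuration and the `console.dss.untrustedChain` message refer to, is not documented in either design-doc hunk.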
18 changes: 18 additions & 0 deletions distribution/pom.xml
Expand Up @@ -46,6 +46,12 @@
<unix>.sh</unix>
<windows>.cmd</windows>
</binFileExtensions>
<!--
PKCS#11 access needs the same JDK-internal exports the jpackage
native launchers get from distribution/jpackage/common-jvm-options.txt.
Keep this list in sync with that file.
-->
<extraJvmArguments>--add-exports=jdk.crypto.cryptoki/sun.security.pkcs11=ALL-UNNAMED --add-exports=jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED --add-exports=java.base/sun.security.action=ALL-UNNAMED --add-exports=java.base/sun.security.rsa=ALL-UNNAMED --add-opens=java.base/sun.security.util=ALL-UNNAMED</extraJvmArguments>
<platforms>
<platform>unix</platform>
<platform>windows</platform>
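Review bot: The comment above `<extraJvmArguments>` asks maintainers to keep this list in sync with `distribution/jpackage/common-jvm-options.txt` by hand, and nothing in the hunk enforces it. A script launcher that is missing one `--add-exports` entry would only show up at run time when PKCS#11 is used. Suggest generating this value from that file during the build, or adding a test that compares the two lists. Because every entry targets `ALL-UNNAMED`, the comment could also name the code that needs each export or open, so the list can be trimmed when that code changes.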
Expand Down Expand Up @@ -240,6 +246,18 @@
<version>${project.version}</version>
</dependency>

<!--
SLF4J binding so the DSS engine's logging (LOTL / trusted-list download, signature
validation, revocation) is not silently dropped to the NOP logger. slf4j-jdk14 routes
it into java.util.logging, the same stream JSignPdf already logs to.
-->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-jdk14</artifactId>
<version>2.0.17</version>
<scope>runtime</scope>
</dependency>

<!--
Platform-specific JavaFX natives. Each classifier jar carries the native libraries for
one OS/arch. The full ZIP relocates them to lib/javafx/ so Bootstrap can pick the right
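Review bot: The `slf4j-jdk14` dependency hard-codes `<version>2.0.17</version>`, and nothing here ties it to the `slf4j-api` version that arrives with DSS. A 2.x provider is only picked up by a 2.x `slf4j-api`, so a mismatch puts logging back on the NOP logger, which is the situation the comment says it avoids. Suggest moving the version into a property or a `dependencyManagement` entry shared with `slf4j-api`, and confirming which version resolves in the distribution.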
Expand Up @@ -65,10 +65,23 @@ output.suffix=_signed
# Fetch revocation data (OCSP/CRL) and intermediate certs (AIA) online.
# Required to produce LT/LTA. Default false keeps B/T fully offline.
engine.dss.online.enabled=false
# Use the default EU List Of Trusted Lists (LOTL) to build the trust anchors.
engine.dss.trust.useDefaultLotl=false
# Comma-separated lists of custom trust material.
# Use the bundled EU List Of Trusted Lists (LOTL) to build the trust anchors.
# Validates the LOTL signature against the bundled Official Journal (OJ) keystore.
engine.dss.trust.eu.enabled=false
# Optional overrides for the EU LOTL machinery (effective when trust.eu.enabled=true):
# eu.lotlUrl - relocate the default EU LOTL (default https://ec.europa.eu/tools/lotl/eu-lotl.xml)
# eu.ojUrl - Official Journal scheme-information URL for the announcement predicate
# eu.ojKeystoreFile - external OJ keystore overriding the bundled one
# eu.ojKeystorePassword
engine.dss.trust.eu.lotlUrl=
engine.dss.trust.eu.ojUrl=
engine.dss.trust.eu.ojKeystoreFile=
engine.dss.trust.eu.ojKeystorePassword=
# Comma-separated lists of custom trust material (advanced).
engine.dss.trust.lotlUrls=
# Enable MRA processing for the custom lotlUrls (third-country mutual-recognition LOTLs,
# e.g. the eIDAS international pilot mra_lotl.xml). Off by default.
engine.dss.trust.lotlMraSupport=false
engine.dss.trust.certFiles=
engine.dss.trust.certUrls=
# Truststore holding trust anchors (type defaults to the JVM default).
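Review bot: In the comment block that lists the overrides, `eu.ojKeystorePassword` is the only entry without a description, and `eu.ojKeystoreFile` is described as "external OJ keystore overriding the bundled one" without saying that this keystore is what the LOTL signature is validated against. Suggest stating that replacing it changes the trust anchor for the whole EU path, and that the password sits in plain text in this file, so the file's permissions matter. For `eu.lotlUrl`, say whether a non-HTTPS value is accepted.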
Expand Up @@ -38,6 +38,10 @@ console.dss.tsaUpgrade=A TSA is configured, upgrading the PAdES level B to T (so
console.dss.ltNoRevocation=The PAdES level LT/LTA needs revocation data, but online fetching is disabled (engine.dss.online.enabled=false) or no trust material is reachable. Signing aborted.
console.dss.ltNoTsa=The PAdES level LT/LTA builds on a signature timestamp, but no TSA is configured. Enable timestamping (-ts / TSA settings) or choose level B. Signing aborted.
console.dss.trustConfigFailed=Failed to load the configured DSS trust material (truststore / certificate file / certificate URL / LOTL). Check the engine.dss.trust.* settings. Signing aborted.
console.dss.ltPreflightFailed=The PAdES level LT/LTA needs reachable revocation data and a trusted certificate chain, but the DSS engine is not configured for it. Signing aborted.
console.dss.ltPreflight.online=Enable online fetching of revocation data: set engine.dss.online.enabled=true.
console.dss.ltPreflight.trust=Configure a trust source: set engine.dss.trust.eu.enabled=true (EU LOTL), or provide engine.dss.trust.truststoreFile / certFiles / certUrls / lotlUrls.
console.dss.untrustedChain=LT/LTA could not collect revocation data: the signer''s certificate chain is not trusted by the configured anchors. Add its issuing CA via engine.dss.trust.certFiles/truststoreFile (or a matching trusted list); for a third-country MRA trusted list also set engine.dss.trust.lotlMraSupport=true. Also ensure the revocation endpoints are reachable. Signing aborted.
console.dss.socksProxyUnsupported=The DSS engine does not support SOCKS proxies; OCSP/CRL/AIA/TSA requests will bypass the proxy. Configure an HTTP proxy to route DSS revocation/timestamp traffic.
console.dss.unsupportedHash=The DSS engine does not support the hash algorithm ''{0}'' for PAdES. Use SHA-256, SHA-384 or SHA-512.
console.dss.cannotEncryptSigned=Cannot encrypt a PDF that already contains signatures.
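Review bot: `console.dss.untrustedChain` writes `signer''s` with a doubled apostrophe but has no `{0}` placeholder, unlike `console.dss.unsupportedHash` below it. If messages without arguments are printed without passing through MessageFormat, the user sees two apostrophes; please check the lookup path or reword to avoid the apostrophe. Separately, `console.dss.ltPreflightFailed` and the existing `console.dss.ltNoRevocation` describe nearly the same condition, so it should be clear which one the CLI emits now that the preflight exists.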
Expand Down Expand Up @@ -298,7 +302,7 @@ jfx.gui.padesLevel.help=PAdES baseline level for the produced signature. Only av
jfx.gui.dss.section.label=DSS engine
jfx.gui.dss.online.enabled=Fetch revocation data online (OCSP/CRL, AIA)
jfx.gui.dss.online.enabled.tooltip=Required to produce LT/LTA. When off, the DSS engine works fully offline (B/T only).
jfx.gui.dss.trust.useDefaultLotl=Use the default EU List of Trusted Lists (LOTL)
jfx.gui.dss.trust.eu.enabled=Use the default EU List of Trusted Lists (LOTL)
jfx.gui.dss.trust.lotlUrls=LOTL URLs (comma-separated)
jfx.gui.dss.trust.certFiles=Trusted certificate files (comma-separated)
jfx.gui.dss.trust.certUrls=Trusted certificate URLs (comma-separated)
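Review bot: A label for `engine.dss.trust.lotlMraSupport` is missing next to `jfx.gui.dss.trust.lotlUrls`, although `console.dss.untrustedChain` tells the user to set that key for a third-country MRA trusted list. If the GUI is meant to cover custom LOTLs, add the matching checkbox label here; if MRA support is properties-only, the error message should say where to set it.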
Expand Down Expand Up @@ -426,6 +430,10 @@ jfx.gui.dialog.resetSettings.title=Reset Settings
jfx.gui.dialog.resetSettings.text=This will delete all saved settings and reset the application to its default state. Continue?
jfx.gui.dialog.portalFallback.title=File dialog
jfx.gui.dialog.portalFallback.text=Could not open the system file dialog. Using the built-in one instead.
jfx.gui.dialog.ltPreflight.title=LT/LTA requires online trust
jfx.gui.dialog.ltPreflight.text=The PAdES level LT/LTA needs online fetching of revocation data and a trusted certificate chain (EU LOTL). These are currently disabled, so signing would fail. Enable them now (online fetching and the EU LOTL), or sign anyway.
jfx.gui.dialog.ltPreflight.enable=Enable and sign
jfx.gui.dialog.ltPreflight.anyway=Sign anyway
jfx.gui.status.settingsReset=Settings have been reset to defaults
jfx.gui.console.title=Output Console
jfx.gui.console.clear=Clear
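Review bot: `jfx.gui.dialog.ltPreflight.text` assumes the EU LOTL is the only trust source ("a trusted certificate chain (EU LOTL)", "Enable them now (online fetching and the EU LOTL)"), while the preflight described in the design doc also accepts `truststoreFile`, `certFiles`, `certUrls` and `lotlUrls`. When a user has a custom truststore and only `online.enabled` is off, "These are currently disabled" is inaccurate, and "Enable and sign" should not switch on the EU LOTL, since that widens the trust anchor set beyond what the user configured. Suggest building the dialog text from the prerequisites that are actually missing and enabling only those. "Sign anyway" sits next to "signing would fail", so the text should say what the user gets in that case.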
Expand Up @@ -271,7 +271,7 @@ jfx.gui.padesLevel.help=Základní úroveň PAdES pro vytvářený podpis. Dostu
jfx.gui.dss.section.label=Engine DSS
jfx.gui.dss.online.enabled=Stahovat data o zneplatnění online (OCSP/CRL, AIA)
jfx.gui.dss.online.enabled.tooltip=Nutné pro vytvoření LT/LTA. Při vypnutí pracuje engine DSS plně offline (pouze B/T).
jfx.gui.dss.trust.useDefaultLotl=Použít výchozí seznam důvěryhodných seznamů EU (LOTL)
jfx.gui.dss.trust.eu.enabled=Použít výchozí seznam důvěryhodných seznamů EU (LOTL)
jfx.gui.dss.trust.lotlUrls=URL adresy LOTL (oddělené čárkou)
jfx.gui.dss.trust.certFiles=Soubory důvěryhodných certifikátů (oddělené čárkou)
jfx.gui.dss.trust.certUrls=URL adresy důvěryhodných certifikátů (oddělené čárkou)
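Review bot: The new `jfx.gui.dialog.ltPreflight.*`, `console.dss.ltPreflight*` and `console.dss.untrustedChain` keys appear only in the English bundle; this bundle and the other localized ones in the diff change nothing except the `jfx.gui.dss.trust.eu.enabled` key name. If falling back to English is intended, say so in the PR description; otherwise add the keys to each bundle, even untranslated, so translators can see them.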
Expand Up @@ -166,7 +166,7 @@ jfx.gui.padesLevel.help=PAdES-Baseline-Stufe für die erzeugte Signatur. Nur fü
jfx.gui.dss.section.label=DSS-Engine
jfx.gui.dss.online.enabled=Sperrdaten online abrufen (OCSP/CRL, AIA)
jfx.gui.dss.online.enabled.tooltip=Erforderlich zum Erzeugen von LT/LTA. Wenn deaktiviert, arbeitet die DSS-Engine vollständig offline (nur B/T).
jfx.gui.dss.trust.useDefaultLotl=Die Standard-EU-Liste der Vertrauenslisten (LOTL) verwenden
jfx.gui.dss.trust.eu.enabled=Die Standard-EU-Liste der Vertrauenslisten (LOTL) verwenden
jfx.gui.dss.trust.lotlUrls=LOTL-URLs (durch Komma getrennt)
jfx.gui.dss.trust.certFiles=Vertrauenswürdige Zertifikatsdateien (durch Komma getrennt)
jfx.gui.dss.trust.certUrls=Vertrauenswürdige Zertifikats-URLs (durch Komma getrennt)
Expand Up @@ -271,7 +271,7 @@ jfx.gui.padesLevel.help=Βασικό επίπεδο PAdES για την παρα
jfx.gui.dss.section.label=Μηχανή DSS
jfx.gui.dss.online.enabled=Λήψη δεδομένων ανάκλησης μέσω διαδικτύου (OCSP/CRL, AIA)
jfx.gui.dss.online.enabled.tooltip=Απαιτείται για την παραγωγή LT/LTA. Όταν είναι απενεργοποιημένο, η μηχανή DSS λειτουργεί πλήρως εκτός σύνδεσης (μόνο B/T).
jfx.gui.dss.trust.useDefaultLotl=Χρήση της προεπιλεγμένης λίστας έμπιστων λιστών της ΕΕ (LOTL)
jfx.gui.dss.trust.eu.enabled=Χρήση της προεπιλεγμένης λίστας έμπιστων λιστών της ΕΕ (LOTL)
jfx.gui.dss.trust.lotlUrls=URL LOTL (διαχωρισμένα με κόμμα)
jfx.gui.dss.trust.certFiles=Αρχεία έμπιστων πιστοποιητικών (διαχωρισμένα με κόμμα)
jfx.gui.dss.trust.certUrls=URL έμπιστων πιστοποιητικών (διαχωρισμένα με κόμμα)
Expand Up @@ -261,7 +261,7 @@ jfx.gui.padesLevel.help=Nivel base PAdES para la firma producida. Solo disponibl
jfx.gui.dss.section.label=Motor DSS
jfx.gui.dss.online.enabled=Obtener datos de revocación en línea (OCSP/CRL, AIA)
jfx.gui.dss.online.enabled.tooltip=Necesario para producir LT/LTA. Si está desactivado, el motor DSS funciona totalmente sin conexión (solo B/T).
jfx.gui.dss.trust.useDefaultLotl=Usar la lista de listas de confianza de la UE predeterminada (LOTL)
jfx.gui.dss.trust.eu.enabled=Usar la lista de listas de confianza de la UE predeterminada (LOTL)
jfx.gui.dss.trust.lotlUrls=URL de LOTL (separadas por comas)
jfx.gui.dss.trust.certFiles=Archivos de certificados de confianza (separados por comas)
jfx.gui.dss.trust.certUrls=URL de certificados de confianza (separadas por comas)
Expand Up @@ -257,7 +257,7 @@ jfx.gui.padesLevel.help=Niveau de base PAdES pour la signature produite. Disponi
jfx.gui.dss.section.label=Moteur DSS
jfx.gui.dss.online.enabled=Récupérer les données de révocation en ligne (OCSP/CRL, AIA)
jfx.gui.dss.online.enabled.tooltip=Requis pour produire LT/LTA. Désactivé, le moteur DSS fonctionne entièrement hors ligne (B/T uniquement).
jfx.gui.dss.trust.useDefaultLotl=Utiliser la liste des listes de confiance de l'UE par défaut (LOTL)
jfx.gui.dss.trust.eu.enabled=Utiliser la liste des listes de confiance de l'UE par défaut (LOTL)
jfx.gui.dss.trust.lotlUrls=URL LOTL (séparées par des virgules)
jfx.gui.dss.trust.certFiles=Fichiers de certificats de confiance (séparés par des virgules)
jfx.gui.dss.trust.certUrls=URL de certificats de confiance (séparées par des virgules)
Expand Up @@ -224,7 +224,7 @@ jfx.gui.padesLevel.help=Osnovna razina PAdES za stvoreni potpis. Dostupno samo z
jfx.gui.dss.section.label=Pogon DSS
jfx.gui.dss.online.enabled=Dohvati podatke o opozivu putem mreže (OCSP/CRL, AIA)
jfx.gui.dss.online.enabled.tooltip=Potrebno za stvaranje LT/LTA. Kad je isključeno, pogon DSS radi potpuno izvanmrežno (samo B/T).
jfx.gui.dss.trust.useDefaultLotl=Upotrijebi zadani popis pouzdanih popisa EU-a (LOTL)
jfx.gui.dss.trust.eu.enabled=Upotrijebi zadani popis pouzdanih popisa EU-a (LOTL)
jfx.gui.dss.trust.lotlUrls=URL-ovi LOTL (odvojeni zarezom)
jfx.gui.dss.trust.certFiles=Datoteke pouzdanih certifikata (odvojene zarezom)
jfx.gui.dss.trust.certUrls=URL-ovi pouzdanih certifikata (odvojeni zarezom)
Expand Up @@ -406,7 +406,7 @@ jfx.gui.padesLevel.help=Az előállított aláírás PAdES-alapszintje. Csak PAd
jfx.gui.dss.section.label=DSS-motor
jfx.gui.dss.online.enabled=Visszavonási adatok online lekérése (OCSP/CRL, AIA)
jfx.gui.dss.online.enabled.tooltip=Az LT/LTA előállításához szükséges. Kikapcsolva a DSS-motor teljesen offline működik (csak B/T).
jfx.gui.dss.trust.useDefaultLotl=Az alapértelmezett EU-s megbízhatósági listák listájának (LOTL) használata
jfx.gui.dss.trust.eu.enabled=Az alapértelmezett EU-s megbízhatósági listák listájának (LOTL) használata
jfx.gui.dss.trust.lotlUrls=LOTL-URL-ek (vesszővel elválasztva)
jfx.gui.dss.trust.certFiles=Megbízható tanúsítványfájlok (vesszővel elválasztva)
jfx.gui.dss.trust.certUrls=Megbízható tanúsítvány-URL-ek (vesszővel elválasztva)
Expand Up @@ -394,7 +394,7 @@ jfx.gui.padesLevel.help=Ստեղծվող ստորագրության PAdES բազ
jfx.gui.dss.section.label=DSS շարժիչ
jfx.gui.dss.online.enabled=Չեղարկման տվյալների ստացում առցանց (OCSP/CRL, AIA)
jfx.gui.dss.online.enabled.tooltip=Պահանջվում է LT/LTA ստեղծելու համար: Անջատված դեպքում DSS շարժիչն աշխատում է լիովին անցանց (միայն B/T):
jfx.gui.dss.trust.useDefaultLotl=Օգտագործել ԵՄ վստահելի ցուցակների կանխադրված ցուցակը (LOTL)
jfx.gui.dss.trust.eu.enabled=Օգտագործել ԵՄ վստահելի ցուցակների կանխադրված ցուցակը (LOTL)
jfx.gui.dss.trust.lotlUrls=LOTL URL-ներ (ստորակետերով բաժանված)
jfx.gui.dss.trust.certFiles=Վստահելի վկայագրերի ֆայլեր (ստորակետերով բաժանված)
jfx.gui.dss.trust.certUrls=Վստահելի վկայագրերի URL-ներ (ստորակետերով բաժանված)
Expand Up @@ -404,7 +404,7 @@ jfx.gui.padesLevel.help=Livello base PAdES per la firma prodotta. Disponibile so
jfx.gui.dss.section.label=Motore DSS
jfx.gui.dss.online.enabled=Recupera i dati di revoca online (OCSP/CRL, AIA)
jfx.gui.dss.online.enabled.tooltip=Necessario per produrre LT/LTA. Se disattivato, il motore DSS funziona completamente offline (solo B/T).
jfx.gui.dss.trust.useDefaultLotl=Usa l'elenco delle liste di fiducia dell'UE predefinito (LOTL)
jfx.gui.dss.trust.eu.enabled=Usa l'elenco delle liste di fiducia dell'UE predefinito (LOTL)
jfx.gui.dss.trust.lotlUrls=URL LOTL (separati da virgole)
jfx.gui.dss.trust.certFiles=File di certificati attendibili (separati da virgole)
jfx.gui.dss.trust.certUrls=URL di certificati attendibili (separati da virgole)
Expand Up @@ -394,7 +394,7 @@ jfx.gui.padesLevel.help=生成される署名の PAdES ベースラインレベ
jfx.gui.dss.section.label=DSS エンジン
jfx.gui.dss.online.enabled=失効データをオンラインで取得(OCSP/CRL、AIA)
jfx.gui.dss.online.enabled.tooltip=LT/LTA の生成に必要です。オフの場合、DSS エンジンは完全にオフラインで動作します(B/T のみ)。
jfx.gui.dss.trust.useDefaultLotl=既定の EU 信頼リストのリスト(LOTL)を使用
jfx.gui.dss.trust.eu.enabled=既定の EU 信頼リストのリスト(LOTL)を使用
jfx.gui.dss.trust.lotlUrls=LOTL URL(カンマ区切り)
jfx.gui.dss.trust.certFiles=信頼する証明書ファイル(カンマ区切り)
jfx.gui.dss.trust.certUrls=信頼する証明書 URL(カンマ区切り)
Expand Up @@ -394,7 +394,7 @@ jfx.gui.padesLevel.help=PAdES-baselinenivå for den produserte signaturen. Kun t
jfx.gui.dss.section.label=DSS-motor
jfx.gui.dss.online.enabled=Hent tilbakekallingsdata på nett (OCSP/CRL, AIA)
jfx.gui.dss.online.enabled.tooltip=Kreves for å produsere LT/LTA. Når deaktivert, fungerer DSS-motoren helt frakoblet (kun B/T).
jfx.gui.dss.trust.useDefaultLotl=Bruk EUs standardliste over tillitslister (LOTL)
jfx.gui.dss.trust.eu.enabled=Bruk EUs standardliste over tillitslister (LOTL)
jfx.gui.dss.trust.lotlUrls=LOTL-URL-er (kommadelt)
jfx.gui.dss.trust.certFiles=Klarerte sertifikatfiler (kommadelt)
jfx.gui.dss.trust.certUrls=Klarerte sertifikat-URL-er (kommadelt)
Expand Up @@ -406,7 +406,7 @@ jfx.gui.padesLevel.help=Bazowy poziom PAdES dla tworzonego podpisu. Dostępny ty
jfx.gui.dss.section.label=Silnik DSS
jfx.gui.dss.online.enabled=Pobieraj dane o unieważnieniu online (OCSP/CRL, AIA)
jfx.gui.dss.online.enabled.tooltip=Wymagane do utworzenia LT/LTA. Po wyłączeniu silnik DSS działa całkowicie offline (tylko B/T).
jfx.gui.dss.trust.useDefaultLotl=Użyj domyślnej listy list zaufania UE (LOTL)
jfx.gui.dss.trust.eu.enabled=Użyj domyślnej listy list zaufania UE (LOTL)
jfx.gui.dss.trust.lotlUrls=Adresy URL LOTL (oddzielone przecinkami)
jfx.gui.dss.trust.certFiles=Pliki zaufanych certyfikatów (oddzielone przecinkami)
jfx.gui.dss.trust.certUrls=Adresy URL zaufanych certyfikatów (oddzielone przecinkami)
Expand Up @@ -238,7 +238,7 @@ jfx.gui.padesLevel.help=Nível base PAdES para a assinatura produzida. Disponív
jfx.gui.dss.section.label=Motor DSS
jfx.gui.dss.online.enabled=Obter dados de revogação online (OCSP/CRL, AIA)
jfx.gui.dss.online.enabled.tooltip=Necessário para produzir LT/LTA. Quando desativado, o motor DSS funciona totalmente offline (apenas B/T).
jfx.gui.dss.trust.useDefaultLotl=Usar a lista de listas de confiança da UE predefinida (LOTL)
jfx.gui.dss.trust.eu.enabled=Usar a lista de listas de confiança da UE predefinida (LOTL)
jfx.gui.dss.trust.lotlUrls=URLs de LOTL (separados por vírgulas)
jfx.gui.dss.trust.certFiles=Ficheiros de certificados fidedignos (separados por vírgulas)
jfx.gui.dss.trust.certUrls=URLs de certificados fidedignos (separados por vírgulas)