Discuss this help topic in SecureBlackbox Forum

General notes

Please check What's New in this version. Also be sure to review what is new in SecureBlackbox 8.x compared to the previous release (7.2).

If you are upgrading from SecureBlackbox 7.x-4.x, you must read the Release Notes for version 8.0. They contain the list of breaking changes made between versions 7.x and 8.0.

XAdES and CAdES changes

In addition, the release comes with improved CAdES and XAdES engines, a result of our participation in the international XAdES/CAdES plugtest event conducted by ETSI (European Telecommunications Standards Institute). The code of the components was slightly reworked according to a number of "best practice" decisions that the participants of the event made in order to agree on the interpretation of certain ambiguities found in the standards. As a result, upgrading to the 8.2 release may introduce a breaking change to your SBB-driven software. Please find the exhaustive list of changes below.

What code is affected? You should take special care if:

  • your code generates or validates CAdES long-term signatures (involving the use of ES-C, CertsAndCrls and Archive timestamps),
  • your code generates CAdES signatures with a Complete Revocation Values attribute carrying OCSP responses (CRL-only Complete Revocation Values attributes are not affected),
  • your code generates CAdES signatures, and the third-party verifying software is sensitive to particular values of the CMS version and content type fields.

What kind of issues might occur in response to the mentioned changes?
Various compatibility issues:

  • your signatures may stop being validated correctly by third-party software,
  • you may start receiving verification failures when validating third-party signatures. We've done our best to leave the components compatible with existing signatures though.

The complete list of changes that might affect your CAdES application follows.

  • The ArchiveTimestampV2 digest calculation method has been updated to follow the algorithm described in Annex K of the CAdES 1.8.1 specification (replacing the algorithm described in p. 6.4.1 of the specification). If you need your product to keep calculating archive timestamp digests in the older way, please remove the csoAnnexKArchiveTimestampV2Mode flag from the TElCMSSignature.SigningOptions flag set.
  • Only BasicOCSPResponse structures (instead of complete OCSP server replies) are now placed in the revocation values attribute.
  • The content-type attribute is no longer included in countersignatures by default.
  • An unassigned content type now defaults to id-data (was id-signedData).
  • The CMS message version is now chosen automatically depending on the data contained in the CMS (see RFC 3126, p. 3.4).
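
To see which values a given signature carries in the two fields named in the last two items, the following added example (not SecureBlackbox code, and not part of the original notes) reads the CMS version and the encapsulated content type from a DER-encoded SignedData message using only the Python standard library. The sample bytes are constructed for illustration, and the input is assumed to be DER (BER indefinite-length encodings are rejected).

```python
ID_DATA = "1.2.840.113549.1.7.1"
ID_SIGNED_DATA = "1.2.840.113549.1.7.2"
# Constructed sample: ContentInfo wrapping an empty SignedData, version 1, id-data.
SAMPLE_DER = bytes.fromhex(
    "3023" "06092a864886f70d010702" "a016" "3014" "020101" "3100"
    "300b06092a864886f70d010701" "3100")

def read_tlv(buf, pos, want_tag):
    """Read one DER element at pos; return (content_octets, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError(f"expected tag 0x{want_tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn OBJECT IDENTIFIER content octets into dotted notation."""
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if octet & 0x80:
            continue                       # more octets of this arc follow
        if not arcs:                       # first value packs the first two arcs
            first = min(value // 40, 2)
            arcs += [first, value - 40 * first]
        else:
            arcs.append(value)
        value = 0
    return ".".join(map(str, arcs))

def cms_version_and_content_type(der):
    """Return (SignedData.version, eContentType) of a DER-encoded CMS message."""
    content_info, _ = read_tlv(der, 0, 0x30)
    outer_oid, pos = read_tlv(content_info, 0, 0x06)
    if decode_oid(outer_oid) != ID_SIGNED_DATA:
        raise ValueError("ContentInfo does not carry SignedData")
    wrapped, _ = read_tlv(content_info, pos, 0xA0)       # [0] EXPLICIT
    signed_data, _ = read_tlv(wrapped, 0, 0x30)
    version, pos = read_tlv(signed_data, 0, 0x02)        # CMSVersion
    _, pos = read_tlv(signed_data, pos, 0x31)            # digestAlgorithms
    encap, _ = read_tlv(signed_data, pos, 0x30)          # encapContentInfo
    e_content_type, _ = read_tlv(encap, 0, 0x06)
    return int.from_bytes(version, "big"), decode_oid(e_content_type)
```

Running cms_version_and_content_type over a signature produced before the upgrade and one produced after it shows whether either field changed for your data.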

Applications built on XMLBlackbox XAdES components are not affected.

Please do not hesitate to contact us if you are unsure whether the above modifications affect your code.
