Release eumw-2.2.8
bennypi committed Jul 7, 2022
1 parent 8c332ac commit 9694f89
Showing 42 changed files with 671 additions and 801 deletions.
22 changes: 18 additions & 4 deletions .hgtags
Original file line number Diff line number Diff line change
Expand Up @@ -10,8 +10,6 @@ e78b3ff8c6e824ac3ab43fcaeb695aaafb3c236c eumw-1.0.2
f33f98135e4d97738965caf8369910526a4ba5eb eumw-1.0.3
241787841eb0799eca7a5e1fc975de7d34186807 eumw-1.0.4-rc.1
1832cd8ad07210ce87e68e1efe861200ed1974d2 eumw-1.0.4-rc.2
cd6877486ad7373dae2fec12f9f74d19e78d1110 eumw-1.0.4
0000000000000000000000000000000000000000 eumw-1.0.4
76f405023426c019aee600be45f72020a1f66159 eumw-1.0.4
6220fdf6481bec6cbc12535f3e3ac49ac6bbecff eumw-1.0.5-rc.1
e98bc5c6b60496c8d6533c5655626ba39701cf37 eumw-1.0.5
Expand All @@ -29,6 +27,20 @@ cab23503ef5a4721ac789dffeaad3df560dcee82 eumw-1.1.1-RC6
b01495d97282ae2924ab25abe0763cc93fc8d54e eumw-1.2.1-RC1
8d74a962ecff8ec2954b4c9f51d036895baf6c2d eumw-1.2.1-RC2
7da180b5ae985ccd7ffef8335696a7e8308f98d1 eumw-1.2.1
2e6792315f795ea50e85cad763e953c6413ac418 eumw-1.2.2-RC1
a9c1ff339910007353533c1313b85eabe6977841 eumw-1.2.2
8d23e5933e432d3c1ec50b3c0396d1715142dd7b eumw-1.2.3
d65263ffe90755090d34f12b3c004314054b7df5 eumw-1.2.4
e54d5cb3b65b74d8b30313ca74aaf64c0c264313 eumw-1.2.5-RC1
cda1d0b643d39c779c1e4dc05993a970615f3d8d eumw-1.2.5-RC2
b36b79f2f790edccdf27ee0efff074d8bad7ef0e eumw-1.2.5-RC3
c32fa044d6546fbcff28c1ab2591d0268fcd8f83 eumw-1.2.5-RC4
093ee8cbd455748b198c964bbb0e6d7c4097b93c eumw-1.2.5
7fede4cd9eee0795c892fac8e6fce78a2b12c0a6 eumw-1.2.6
8cfe5f501056bdde4b8ffe028b69600274632815 eumw-1.2.7
d4f0cafd746f40445e0cf2f3a1ee005b197e63c1 eumw-1.2.8
0a959c0df52e7a4ee4999bd1fb6b254ce2bea4bc eumw-1.2.9-RC1
73310e3b7199a93cba55c095f211f116e96bba53 eumw-1.2.9
6e928cdb65eb38694283ca40db2b37cb0b1d9629 2.0.0-RC1
4beb3e84b9234f82ab9087100b6101c18197557e 2.0.0-RC2
70e771f09cf0b158a14642e3b7fb58482c1aac0e 2.0.0-RC3
Expand Down Expand Up @@ -62,8 +74,10 @@ d14cac49af140383c0e21a6d5321af9e093277b6 eumw-2.2.2
d2932df2e87d2e2c9e4a11180f4b794c19ceea20 eumw-2.2.3-RC2
4e9da5cfcfd457536c4b1dc963c8ecb5cc3c2f26 eumw-2.2.3
eebce4e024fdcf705d1ea6baef62e86e3f2eb947 eumw-2.2.4
e01a380d0d99b17902d01ca28dcdb0b6e8072ddc eumw-2.2.5
0000000000000000000000000000000000000000 eumw-2.2.5
854ea49f65d739d700862571fb2c15b72ee83b1e eumw-2.2.5
77cb42758a67f5fbe90c829fc90a47cec6dd78aa eumw-2.2.6
343fffed2f34c771c7d79cff1818cf4ea807d6f6 eumw-2.2.7-RC1
1902cd7de6274dbdb89516283e0b9db57e30b28e eumw-2.2.7
ad72b05e4f74397acc3725e0000a5881c823d4f4 eumw-2.2.8-RC1
c8da8c54dd21220a86db8c326a752bd0dacda6f0 eumw-2.2.8-RC2
b1c4925d7f9bb7c9b7d5fa5d50e598f230453d2f eumw-2.2.8-RC3
2 changes: 1 addition & 1 deletion configuration-checker/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
<parent>
<artifactId>eumw</artifactId>
<groupId>de.governikus.eumw</groupId>
<version>2.2.7</version>
<version>2.2.8</version>
</parent>

<artifactId>configuration-checker</artifactId>
Expand Down
2 changes: 1 addition & 1 deletion configuration-wizard/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
<parent>
<groupId>de.governikus.eumw</groupId>
<artifactId>eumw</artifactId>
<version>2.2.7</version>
<version>2.2.8</version>
</parent>
<artifactId>configuration-wizard</artifactId>

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -258,7 +258,10 @@ public synchronized Enumeration<Object> keys()
properties.setProperty(ApplicationPropertiesIdentifier.ADMIN_USERNAME.getPropertyName(), adminUsername.trim());
properties.setProperty(ApplicationPropertiesIdentifier.ADMIN_PASSWORD.getPropertyName(),
hashIfNecessary(adminPassword));
properties.setProperty(ApplicationPropertiesIdentifier.LOGGING_FILE.getPropertyName(), logFile);
if (StringUtils.isNotEmpty(logFile))
{
properties.setProperty(ApplicationPropertiesIdentifier.LOGGING_FILE.getPropertyName(), logFile);
}

properties.setProperty(ApplicationPropertiesIdentifier.HSM_TYPE.getPropertyName(), hsmType);

Expand Down
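Review bot: The new guard around the LOGGING_FILE property uses `StringUtils.isNotEmpty`, which still lets a whitespace-only value through, whereas `adminUsername` two lines above is trimmed before it is stored; a log file path of `" "` would therefore be written to the properties. Suggest `if (StringUtils.isNotBlank(logFile))` together with `logFile.trim()` in the `setProperty` call so both fields are normalised the same way. If `properties` here is an existing object being updated rather than a fresh one, skipping the put also leaves any previously stored LOGGING_FILE value in place, which the old unconditional `setProperty` did not — worth confirming that this is the intended way to "unset" the log file. The enclosing method begins before this hunk, so the origin of `properties` and `logFile` is not visible here.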
2 changes: 1 addition & 1 deletion databasemigration/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
<parent>
<artifactId>eumw</artifactId>
<groupId>de.governikus.eumw</groupId>
<version>2.2.7</version>
<version>2.2.8</version>
</parent>
<artifactId>database-migration</artifactId>

Expand Down
4 changes: 2 additions & 2 deletions distribution/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -15,11 +15,11 @@
<parent>
<groupId>de.governikus.eumw</groupId>
<artifactId>eumw</artifactId>
<version>2.2.7</version>
<version>2.2.8</version>
</parent>

<artifactId>distribution</artifactId>
<version>2.2.7</version>
<version>2.2.8</version>
<packaging>pom</packaging>

<dependencies>
Expand Down
54 changes: 44 additions & 10 deletions doc/source/chapter/Changelog.rst
Original file line number Diff line number Diff line change
Expand Up @@ -42,10 +42,11 @@ Changelog

* 1.0.7

**Security Advisory**
**Security Advisory**

There were two security issues reported to the German POSC and Governikus. This release fixes these issues.
It is strongly recommended to immediately update to this release as the XXE attack allows an unauthenticated remote attacker to read ASCII files from the file system which can be read by the Middleware Java process.
There were two security issues reported to the German POSC and Governikus. This release fixes these issues.
It is strongly recommended to immediately update to this release as the XXE attack allows an unauthenticated
remote attacker to read ASCII files from the file system which can be read by the Middleware Java process.

- eIDAS Middleware: **Security Fix** Endpoints that parse XML content like ``/RequestReceiver`` or ``/paosreceiver`` were vulnerable to XXE attacks. These endpoints are no longer vulnerable against XXE attacks.
- eIDAS Middleware: **Security Fix** The ``/TcToken`` endpoint was vulnerable against XXS attacks as requests parameters were inserted in the HTML response. All endpoints that display HTML content no longer insert user input into the HTML content.
Expand All @@ -64,6 +65,10 @@ Changelog
- eIDAS Middleware: Add whitelist for allowed document signer types which can be extended using the configuration.
- eIDAS Middleware: The validity of the metadata is now configurable, the default value is 30 days.

* 1.1.1

- eIDAS Middleware: Fix a bug where the newest generation of German eID cards were not accepted.

* 1.2.0

- eIDAS Middleware: Fix handling of empty or absent RelayState.
Expand All @@ -75,18 +80,42 @@ Changelog
Note: The carriage returns inside the SAML response, e.g. in signatures and cipher texts, are not removed.
These are created by OpenSAML / xmlsec following W3C XML signature and encryption specifications.


Known Issue:
The SUN PKCS11 security provider that is shipped with JAVA 8 does not support RSA-PSS signatures.
In order to use a HSM module and stay in line with the eIDAS cryptographic requirements,
the use of EC cryptography for the SAML signature is mandatory.
This issue will be resolved when the eIDAS Middleware supports JAVA 11 as this version
comes with a newer SUN PKCS11 security provider.
In order to use a HSM module and stay in line with the eIDAS cryptographic requirements, the use
of EC cryptography for the SAML signature is mandatory.
This issue will be resolved when the eIDAS Middleware supports JAVA 11 as this version comes with
a newer SUN PKCS11 security provider.

* 1.2.1

- eIDAS Middleware: Fix SAML encryption with EC certificates.

* 1.2.2

- eIDAS Middleware: Fix a bug where the newest generation of German eID cards were not accepted.

* 1.2.4

- eIDAS Middleware: Security Patch

* 1.2.5

- eIDAS Middleware: Change certificate chain building algorithm.
- eIDAS Middleware: Update xmlsec and bouncycastle.

* 1.2.7

- eIDAS Middleware: Fix Log4j security issue.

* 1.2.8

- eIDAS Middleware: Update log4j to version 2.17.1.

* 1.2.9

- eIDAS Middleware: Update third party libraries for security fixes.

* 2.0.0

- eIDAS Middleware: Support version 1.2 of the eIDAS specifications.
Expand All @@ -104,7 +133,7 @@ Changelog
Note: The new test CA is introduced to slowly replace the old one. Do not change CA settings on your own.
The process of phasing out the old and migrating to the new will be initiated and guided by Governikus.

* 2.0.1, 1.2.2 and 1.1.1
* 2.0.1

- eIDAS Middleware: Fix a bug where the newest generation of German eID cards were not accepted.

Expand Down Expand Up @@ -152,4 +181,9 @@ Changelog

* 2.2.7

- - eIDAS Middleware: Security Patch.
- eIDAS Middleware: Update eidas-opensaml to fix a bug with the CurrentAddress
and update other third party libraries for security fixes.

* 2.2.8

- eIDAS Middleware: Security patch.
6 changes: 3 additions & 3 deletions doc/source/chapter/Configuration.rst
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@ In case you are using your own environment, copy the JAR file to a folder of you

You can start the application with the following command::

java -jar configuration-wizard-2.2.7.jar
java -jar configuration-wizard-2.2.8.jar

In addition you can define the config folder with adding the parameter ``DconfigDirectory`` and its value to the
command. This way the configuration wizard will be available at ``http://localhost:8080/config-wizard.``
Expand Down Expand Up @@ -102,7 +102,7 @@ to run the wizard again whenever you need it.
To run the configuration wizard, execute the following command.
It will mount the named volume in the container so that the configuration wizard can store the configuration in the volume. ::

docker run --rm -it -v eidas-configuration:/opt/eidas-middleware/configuration -p 8080:8080 --name eidas-configuration-wizard governikus/eidas-configuration-wizard:2.2.7
docker run --rm -it -v eidas-configuration:/opt/eidas-middleware/configuration -p 8080:8080 --name eidas-configuration-wizard governikus/eidas-configuration-wizard:2.2.8

Running this command the configuration wizard will be available on http://localhost:8080/config-wizard.

Expand All @@ -116,7 +116,7 @@ with the alias ``localhost`` and the password ``123456`` for the keystore and th
You can also use PKCS12 keystores,
in this case you must change the value of ``SERVER_SSL_KEY_STORE_TYPE`` to ``PKCS12``. ::

docker run --rm -it -v eidas-configuration:/opt/eidas-middleware/configuration -v /home/user/keystore.jks:/opt/eidas-middleware/keystore.jks -p 443:8080 -e SERVER_SSL_KEY_STORE=file:/opt/eidas-middleware/keystore.jks -e SERVER_SSL_KEY_STORE_TYPE=JKS -e SERVER_SSL_KEY_STORE_PASSWORD=123456 -e SERVER_SSL_KEY_ALIAS=localhost -e SERVER_SSL_KEY_PASSWORD=123456 --name eidas-configuration-wizard governikus/eidas-configuration-wizard:2.2.7
docker run --rm -it -v eidas-configuration:/opt/eidas-middleware/configuration -v /home/user/keystore.jks:/opt/eidas-middleware/keystore.jks -p 443:8080 -e SERVER_SSL_KEY_STORE=file:/opt/eidas-middleware/keystore.jks -e SERVER_SSL_KEY_STORE_TYPE=JKS -e SERVER_SSL_KEY_STORE_PASSWORD=123456 -e SERVER_SSL_KEY_ALIAS=localhost -e SERVER_SSL_KEY_PASSWORD=123456 --name eidas-configuration-wizard governikus/eidas-configuration-wizard:2.2.8

Because the application is now bound to the host in port 443,
the configuration wizard is available at https://localhost/config-wizard.
Expand Down
6 changes: 3 additions & 3 deletions doc/source/chapter/DemoApplication.rst
Original file line number Diff line number Diff line change
Expand Up @@ -50,8 +50,8 @@ Using the eIDAS Demo Application
To use the eIDAS Demo Application, start by running the eIDAS Demo Application.

#. Change to the correct directory where the aforementioned configuration is present.
#. If not present, copy the ``eidas-demo-2.2.7.jar`` file in this directory.
#. Start the application by executing ``java -jar eidas-demo-2.2.7.jar``.
#. If not present, copy the ``eidas-demo-2.2.8.jar`` file in this directory.
#. Start the application by executing ``java -jar eidas-demo-2.2.8.jar``.

Now you must configure your eIDAS Middleware to communicate with the eIDAS Demo Application.

Expand Down Expand Up @@ -93,7 +93,7 @@ Also bear in mind that you must use the path of the container file system in the

To run the middleware, execute the following command after you have prepared the configuration, certificate and keystores::

docker run --rm -it -v /path/to/your/config-directory:/opt/eidas-middleware/config -p 8080:8080 governikus/eidas-demo-application:2.2.7
docker run --rm -it -v /path/to/your/config-directory:/opt/eidas-middleware/config -p 8080:8080 governikus/eidas-demo-application:2.2.8

Now you can follow the steps above to configure and test the eIDAS Middleware.

Expand Down
10 changes: 5 additions & 5 deletions doc/source/chapter/Operating.rst
Original file line number Diff line number Diff line change
Expand Up @@ -106,14 +106,14 @@ To run the eIDAS Middleware, execute the following command.
It will mount the named volumes containing the database and configuration in the container
and the application will be available on port 8443. ::

docker run --rm -it -v eidas-configuration:/opt/eidas-middleware/configuration -v eidas-database:/opt/eidas-middleware/database -p 8443:8443 --name eidas-middleware-application governikus/eidas-middleware-application:2.2.7
docker run --rm -it -v eidas-configuration:/opt/eidas-middleware/configuration -v eidas-database:/opt/eidas-middleware/database -p 8443:8443 --name eidas-middleware-application governikus/eidas-middleware-application:2.2.8

To stop and remove the container, just hit ``CTRL+C``.

To keep the container running longer without being attached to the STDOUT and STDERR, change the command to
the following::

docker run -d -v eidas-configuration:/opt/eidas-middleware/configuration -v eidas-database:/opt/eidas-middleware/database -p 8443:8443 --name eidas-middleware-application governikus/eidas-middleware-application:2.2.7
docker run -d -v eidas-configuration:/opt/eidas-middleware/configuration -v eidas-database:/opt/eidas-middleware/database -p 8443:8443 --name eidas-middleware-application governikus/eidas-middleware-application:2.2.8

For more information on starting and stopping containers and viewing the logs,
see the `Docker Docs <https://docs.docker.com/engine/reference/run/>`_.
Expand Down Expand Up @@ -177,7 +177,7 @@ Scalability
The performance of the eIDAS Middleware improves by adding more memory (RAM) and using a faster CPU.
In case the memory configuration has changed, the server needs to be restarted.
To start the JVM with more memory, add ``-Xmx`` with the new maximum memory size to the start command,
e.g. ``java -Xmx8g -jar eidas-middleware-2.2.7.jar`` for 8 GB.
e.g. ``java -Xmx8g -jar eidas-middleware-2.2.8.jar`` for 8 GB.


Request Signer Certificate
Expand Down Expand Up @@ -269,7 +269,7 @@ Optional property for ``TRAP`` is ``poseidas.snmp.managementport`` (port 162 is
set).

All existing SNMP GET values are explained in detail in the MIB located at
``https://github.com/Governikus/eidas-middleware/blob/2.2.7/poseidas/snmp/EIDASMW-SNMP-MIB.mib``.
``https://github.com/Governikus/eidas-middleware/blob/2.2.8/poseidas/snmp/EIDASMW-SNMP-MIB.mib``.

Global GET
''''''''''
Expand Down Expand Up @@ -369,6 +369,6 @@ Stop the eIDAS Middleware Application and copy the database file to your backup
e.g. ``cp /opt/eidas-middleware/database/eidasmw.mv.db /path/to/your/backup-location/eidasmw.mv.db``.

To perform the migration, copy the database migration JAR file to the directory where your
configuration file is available and execute the command ``java -jar database-migration-2.2.7.jar``.
configuration file is available and execute the command ``java -jar database-migration-2.2.8.jar``.
If there are errors in the log output, please send the complete log output and some information on your environment to
eidas-middleware@governikus.com.
4 changes: 2 additions & 2 deletions doc/source/conf.py
Original file line number Diff line number Diff line change
Expand Up @@ -55,9 +55,9 @@
# built documents.
#
# The short X.Y version.
version = '2.2.7'
version = '2.2.8'
# The full version, including alpha/beta/rc tags.
release = '2.2.7'
release = '2.2.8'

# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
Expand Down
2 changes: 1 addition & 1 deletion dvca-connection-configurator/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
<parent>
<groupId>de.governikus.eumw</groupId>
<artifactId>eumw</artifactId>
<version>2.2.7</version>
<version>2.2.8</version>
</parent>
<artifactId>dvca-connection-configurator</artifactId>
<name>dvca-connection-configurator</name>
Expand Down
2 changes: 1 addition & 1 deletion eidas-base-container/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
<parent>
<artifactId>eumw</artifactId>
<groupId>de.governikus.eumw</groupId>
<version>2.2.7</version>
<version>2.2.8</version>
</parent>

<artifactId>eidas-base-container</artifactId>
Expand Down
2 changes: 1 addition & 1 deletion eidas-common/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
<parent>
<groupId>de.governikus.eumw</groupId>
<artifactId>eumw</artifactId>
<version>2.2.7</version>
<version>2.2.8</version>
</parent>
<artifactId>eidas-common</artifactId>

Expand Down
2 changes: 1 addition & 1 deletion eidas-demo/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
<parent>
<groupId>de.governikus.eumw</groupId>
<artifactId>eumw</artifactId>
<version>2.2.7</version>
<version>2.2.8</version>
</parent>
<artifactId>eidas-demo</artifactId>

Expand Down
7 changes: 6 additions & 1 deletion eidas-middleware/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
<parent>
<groupId>de.governikus.eumw</groupId>
<artifactId>eumw</artifactId>
<version>2.2.7</version>
<version>2.2.8</version>
</parent>
<artifactId>eidas-middleware</artifactId>

Expand Down Expand Up @@ -54,6 +54,11 @@
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>

<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>


<dependency>
<groupId>com.h2database</groupId>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.servlet.ServletComponentScan;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.scheduling.annotation.EnableScheduling;
import org.springframework.transaction.annotation.EnableTransactionManagement;

import de.governikus.eumw.eidascommon.Utils;
Expand All @@ -27,14 +28,15 @@
@ServletComponentScan(basePackages = {"de.governikus.eumw.poseidas.paosservlet.authentication.paos",
"de.governikus.eumw.eidasmiddleware"})
@EnableTransactionManagement
@EnableScheduling
public class EIDASMiddlewareApplication
{

public static void main(String[] args)
{
// do not remove bouncy without consideration, it will impact ECDH
Security.addProvider(new BouncyCastleProvider());
System.setProperty("jdk.tls.namedGroups", "secp521r1,secp384r1,secp256r1,secp224r1");
System.setProperty("jdk.tls.namedGroups", "secp521r1,secp384r1,secp256r1");
System.setProperty("jdk.tls.ephemeralDHKeySize", "2048");
Security.setProperty("jdk.tls.disabledAlgorithms",
"SSLv3, RC4, MD5, DSA, DH keySize < " + Utils.MIN_KEY_SIZE_RSA_TLS + ", ECDH keySize < "
Expand Down
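Review bot: Removing `secp224r1` from `jdk.tls.namedGroups` is a TLS hardening change with no comment explaining it, unlike the BouncyCastle line just above, so a future maintainer could re-add the curve without realising why it was dropped; suggest `// secp224r1 dropped: 224-bit curves are presumably below the security level required by the eIDAS crypto profile; keep this list consistent with the ECDH keySize bound in jdk.tls.disabledAlgorithms below`. The `Security.setProperty("jdk.tls.disabledAlgorithms", ...)` call continues outside this hunk, so please check that its `ECDH keySize <` threshold now agrees with the smallest curve left in the list (256 bits); otherwise the two settings express different policies. Note also that these `System.setProperty` calls override any `-Djdk.tls.namedGroups` an operator passes on the command line, which is reasonable as a hard floor but should be stated in the operating documentation.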