Release History

- Support for PDF signature handler.
- Protection of signed documents against inadvertent modification.
- Revision of configuration (backwards compatibility assured).
- Minor bug concerning table format configuration fixed.
- Support of arbitrary signature/hash algorithms (ACOS04/G3).
- Evaluation of PDF documents for non-textual objects added.
- Support for BAIK signatures.
- Many minor bugfixes.
- Web application: Incompatibility with Tomcat 6.x removed. (Now quoting taglib expressions with nested scriptlets.)
- Bug concerning text matching algorithm fixed.
- Web application bug concerning text reconstruction from form fixed.
- New signature layout for new MOCCA bku integrated (etsi-moc-1.1).
- New architecture implemented that allows different signature layouts for single types of bkus.
- Layout for web application adjusted for IE.
- Build script for command line version updated.
- JavaDoc fixes.
- Some updates for debugging messages.
- Parser for MOCCA-CreateXMLSignatureResponses enhanced.
- Many updates and fixes for the external web app interface.
- New profile for invisible signatures added.
- Examples for the help screen of the command line version corrected.
- Minor updates for command line invocation.
- Restored compatibility for old PdfAS.commandline(...) method invocation. This method is used by external tools (the Open Office plugin, for instance).
- Some more log messages (e.g. encoding related issues).
- Web application updated (in external invocation mode) to improve support for being used within an iframe.
- Two new (optional) parameters for external invocation mode:
  - locale: defines the locale being used for the web application (e.g. locale=de or locale=de_DE).
  - invoke-app-error-url: can be used to declare a callback URL to the calling web application in order to transfer error messages from pdf-as. In case of error pdf-as redirects the user to the error-page-url (if given), providing the error and the cause in URL-encoded parameters ("error", "cause").
- Formatter for mocca signature params enhanced.
- Added signatureKeyIdentifier to SignParameters in the API, which allows overriding the one specified in the profile (MOA Connector only).
- Added maven assembly and batch file for BRZ distribution.
- Corrected faulty mime-type argument checking in SignResult constructor.
- Switching to itext-2.1.5-rev3628. (itext-1.4.x is regarded as deprecated.)
- itext library: minor adjustments for pdf-as.
- Adding new error code (103) for invalid pdfa/1b font configuration.
- Minor updates for PDF/A support.
- Support for local MOCCA CCS added.
- Multi language for web application.
- Encoding issue for web application fixed by implementing an EncodingFilter.
- Dynamic sign upload form implemented.
- Order of input fields for dynamic upload form changed.
- MOCCA logo added to sign upload form.
- lib-folder removed.
- Maven2-repository updated.
- Adding external patched itext (1.4.2 and 2.1.5) and pdfbox libraries.
- Removing iText and pdfbox from sources.
- Cleaning up certstore, removing all certificates except MOA-certificates.
- Removing deprecated templates.
- Correcting default.bku.sign.detached.xml according to Security Layer spec.
- Adding DejaVuFont.
- Adding DejaVuFont license.
- Adding test file for PDF/A.
- Removing issues.txt.
- Preparation for multilingual support for web application.
- Minor updates of configuration.
- Sitemesh updates.
- Minor support for TrueType fonts in preparation for PDF/A added.
- Deprecated webapp-folder removed from svn repository.
- New DefaultConfiguration.zip integrated in order to allow mocca signatures.
- Minor bug concerning choice of cce within the web application fixed.
- Signature with new online bku MOCCA integrated (new signature device "moc" created).
- Configuration keys for mocca added.
- New error codes (371 = signature verification not supported by this connector, 372 = invalid signing time) introduced.
- Optional check of the signing time for the web application implemented. At signature creation time the signing time is checked for plausibility. This is a workaround for the ITS:mac-linux signing time bug.
- New configuration key ("signing_time_tolerance") added (applies to web application only) to overcome invalid signing times. A signature is only accepted if its signing time is within a time frame of [current time - signing_time_tolerance, current time + signing_time_tolerance], where signing_time_tolerance is interpreted as seconds.
- Bugfix: Correct extraction of signatures with wrong signing times implemented. (The order of the signatures is still invalid in case of false signing times.)
- Optional override of the dynamic creation of the signature retrieval URL (locrefcontent) implemented in order to overcome SSL problems (retrieve_signature_data_url_override). Note: Ensure that this URL is accessible from the citizen card environment.
- Download of signed pdf-file for external application interface adjusted.
- Verification of mocca signed documents implemented.
- Retrieval of XML response via multipart implemented (mocca strictly follows security layer spec).
- Parsing of PublicAuthority-Flag and PublicAuthority-Code from MOA-VerifyXMLSignatureResponses implemented.
- APIDemo updated.
- (default) configuration updated regarding new configuration keys.
- Many printStackTraces replaced with logger-messages.
- Update concerning exclusion of minimal layout profiles for verification.
- Web-Application: New error code (251) introduced: Textual signature of files with no extractable textual content (e.g. files that solely contain images) is prevented.
- Configurable line break tolerance for binary signatures (line_break_tolerance).
- The reserved space for a certificate within the egiz dictionary can be configured (...phlength.certificate=xxxx).
- imagescaletofit configuration parameter introduced.
- Detection of incremental updates updated.
- Bug fixed. There was an error concerning empty HashInputData when parsing a MOA CreateXMLSignatureResponse.
- Demo source for API usage created.
- Issue resolved: Prevent signature of an empty document, which leads to a meaningless error message from the bku.
- A new check for the existence of a configuration has been implemented. The extraction is skipped if any files or folders would be overwritten. Files like log or temp files may exist and do not prevent the deployment of the default configuration.
- Serious bug solved. Method storeCertificate tried to fetch a certificate from the store before storing it. If not found (within the store or via ldap) the certificate was not stored!!!
- Manual deployment of pdf-as configuration (commandline parameter -ddc) considers the system property pdf-as.work-dir.
- Internal default configuration updated.
- log4.properties within the workdir is now being considered when using the API.
- Support of a minimal signature mark layout for binary signatures added.
- Web-Application: Every hardcoded context "pdf-as" has been replaced.
- Web-Application: Session is now being invalidated after download of the signed pdf file.
- Web-Application: Configuration may be declared via system property "pdf-as.work-dir" or via Servlet-Init-Parameter "work-dir".
- Bug fixed in RetrieveSignatureDataServlet: Response header didn't contain a content length attribute. The ITS Mac BKU rejects those requests.
- Workaround for ITS Mac BKU integrated. A redirect via response only works if the response contains a valid SL request (e.g. a NullOperationRequest).
- API: The configuration folder may be omitted when instantiating the API. Configuration may be set via system property "pdf-as.work-dir". If no configuration is given at all, the current user's home directory is searched for a folder "PDF-AS". If not found, a default configuration is created. If the configuration is explicitly given, then the temporary folder is located within the given directory, otherwise within the user's temporary directory. When declaring the configuration folder, replacements for system properties like "${catalina.base}/conf/pdfas" may be used.
- Bug fixed: If we have a binary signature, the certificate is embedded, so there should be no serial number needed within the signature block. PDF-AS stores the certificate in the certstore but tries to load the certificate via serial number and issuer name from the certstore, which fails because of the missing serial number.
- Bug fixed: For storage of the certificate in the certstore, the issuer name is taken from the certificate, normalized and hashed. The base64 value of the hash is used as the directory name. When loading the certificate from the certstore, the issuer name is taken from the signature block, normalized and hashed. Some issuer names (with RDNs that are not registered) lead to two different hash values (one at storage, another at retrieval), which leads to a certificate not found exception.
- PDF-AS library version is logged in order to ease bug fixing.
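
The certstore lookup failure described above, reproduced as an added example (not PDF-AS code): the same issuer, rendered differently at storage and at retrieval, hashes to two directory names unless attribute types are reduced to one canonical form first. The SHA-256 hash, the alias table, the function names and the sample issuer strings are assumptions made for this sketch; the page does not show PDF-AS's own normalization.

```python
import base64
import hashlib
import re

# Assumed alias table (not from PDF-AS): spellings that DN renderers may use
# for one attribute type. "EXAMPLEATTR" / 1.2.3.4 is a constructed,
# unregistered type.
TYPE_ALIASES = {"cn": "2.5.4.3", "c": "2.5.4.6", "o": "2.5.4.10",
                "ou": "2.5.4.11", "exampleattr": "1.2.3.4"}
DOTTED_OID = re.compile(r"\d+(\.\d+)+")

# Constructed sample: the same issuer rendered by two different code paths.
FROM_CERTIFICATE = "CN=Test CA,O=Example,1.2.3.4=abc,C=AT"
FROM_SIGNATURE_BLOCK = "CN=Test CA, O=Example, OID.1.2.3.4=abc, C=AT"


def _split_rdns(dn):
    """Split on commas that are not backslash-escaped (simplified RFC 4514)."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn) if part.strip()]


def _dir_name(text):
    """Hash the text; URL-safe base64 avoids '/' and '+' in a directory name."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def naive_key(dn):
    """Failure mode: hash whatever string the renderer produced."""
    return _dir_name(",".join(_split_rdns(dn)))


def canonical_key(dn):
    """Reduce every attribute type to its dotted OID before hashing."""
    parts = []
    for rdn in _split_rdns(dn):
        attr, _, value = rdn.partition("=")
        attr = attr.strip().lower()
        if attr.startswith("oid."):
            attr = attr[4:]
        if not DOTTED_OID.fullmatch(attr):
            if attr not in TYPE_ALIASES:
                # Fail closed: never guess an identity for an unknown type.
                raise ValueError(f"unknown attribute type: {attr!r}")
            attr = TYPE_ALIASES[attr]
        parts.append(f"{attr}={' '.join(value.split())}")
    return _dir_name(",".join(parts))
```
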