v4.5.0

• Updated to ph-commons 12.2.5
• Updated to ph-web 11.4.0
• Updated to peppol-commons 12.5.0
• AS4Configuration configuration item phase4.incoming.duplicatedisposal.minutes is now also supported as phase4.incoming.duplicatedisposal using the new unit-less duration format introduced in ph-commons 12.2.5 (e.g. 10m or 1h 30m). The legacy .minutes key keeps working but logs a deprecation warning.
  • New method AS4Configuration.getIncomingDuplicateDisposal() returning a Duration
  • Existing method AS4Configuration.getIncomingDuplicateDisposalMinutes() is deprecated and now delegates to the Duration-based getter
• HTTP client timeout, retry interval and other duration-style configuration values consumed via HttpClientSettingsConfig (from ph-web 11.4.0) now accept the new unit-less form (http.timeout.connect=5s, http.timeout.response=2m, http.retry.interval=10s, ...). The legacy .millis/.seconds/.minutes/.hours per-unit-suffix keys keep working but log a deprecation warning.
• Made 4-argument AS4DuplicateItem constructor public
• Added new EBMS error code EBMS:4001 which is phase4 specific and refers to receiving a duplicate AS4 message
• (Peppol) The CRL downloader for Peppol is now limited to downloading CRLs from http://crl.one.nl.digicert.com/ and below
• (Peppol) Support for G2 certificates was removed - both from the trusted CAs in the code as well as from the predefined truststores
• (Peppol) Added new class Phase4PeppolCRLHttpClientSettings for the default CRL settings - has shorter timeouts than the default ones
• (Peppol) SMP signing certificates are now checked for revocation by default
• (Peppol) Extended Phase4PeppolReceiverConfiguration and Phase4PeppolDefaultReceiverConfiguration with new options to control the revocation check of SMP response certificates
  • New builder methods smpRevocationCheckMode(ERevocationCheckMode) and smpRevocationSoftFail(boolean)
  • Matching static getters/setters on Phase4PeppolDefaultReceiverConfiguration
  • Both values are applied to SMP clients created internally via getOrCreateSMPClientForRecipient(IParticipantIdentifier). Pre-built SMP clients passed via serviceMetadataProvider(...) must be configured by the caller.
• (Peppol) Extended Phase4PeppolSender builder with new options to control the revocation check of the receiver AP certificate on a per-send basis
  • New builder methods apRevocationCheckMode(ERevocationCheckMode) and apCacheRevocationCheckResult(ETriState)
  • Defaults preserve the previous behaviour (use the JVM-wide defaults from CertificateRevocationCheckerDefaults)
• (Peppol) Added a revocation soft-fail toggle for the AP certificate check, surfacing the new ECertificateCheckResult.REVOCATION_STATUS_UNKNOWN value from ph-commons 12.2.4
  • Phase4PeppolSender builder method apRevocationSoftFail(boolean) for the outbound receiver AP certificate check
  • Phase4PeppolReceiverConfiguration builder method apRevocationSoftFail(boolean) and Phase4PeppolDefaultReceiverConfiguration.setAPRevocationSoftFail(boolean) for the inbound signing certificate check
  • When enabled, only REVOCATION_STATUS_UNKNOWN (e.g. unreachable CRL with no working OCSP fallback) is logged at WARN and accepted; all other invalid states still hard-fail
  • Default is false (strict) to preserve the previous behaviour
• (Peppol) AP and SMP connections can now be done with TLS 1.3 and TLS 1.2 by default
• TLS connections are using the Java runtime truststore by default (instead of trusting all server-side certificates), increasing the security level slightly.

Full Changelog: phase4-parent-pom-4.4.3...phase4-parent-pom-4.5.0
Dependencies required:

• ph-bc/ph-collection/ph-commons/ph-dao/ph-datetime/ph-jaxb/ph-json/ph-scopes/ph-security/ph-settings/ph-xml 12.2.5
• ph-xsds-xmldsig 4.1.0
• ph-http/ph-httpclient/ph-mail/ph-network/ph-servlet/ph-useragent/ph-web 11.4.0
• ph-oton-io/ph-oton-audit/ph-oton-security 10.2.2
• ph-masterdata/ph-tenancy 8.1.1
• peppol-commons/peppol-id/peppol-sbdh/peppol-smp-client 12.5.0
• phive 12.0.3 [Peppol only]
• phive-rules-peppol 4.3.0 [Peppol only]
• peppol-reporting-api 4.1.3 [Peppol only]
• ph-xhe 5.1.0 [DBNAlliance only]
• angus-activation 2.0.3
• angus-mail 2.0.5
• httpclient 5.6.1
• BouncyCastle 1.84
• WSS4J 4.0.1
• XMLSec 4.0.4
• Servlet API 6.0.x
• JAXB 4.0.x
• SLF4J 2.0.x

v4.4.3

• Updated to BouncyCastle 1.84 (fixing CVE-2026-5588, CVE-2025-14813 and CVE-2026-5598)
• Extended AS4IncomingHelper.getIncomingMetadataAsJson to include all fields from IAS4IncomingMessageMetadata: RemoteTlsCerts, RequestMessageID and ResponseHttpStatusCode

Full Changelog: phase4-parent-pom-4.4.2...phase4-parent-pom-4.4.3

Dependencies required:

• ph-bc/ph-collection/ph-commons/ph-dao/ph-datetime/ph-jaxb/ph-json/ph-scopes/ph-security/ph-settings/ph-xml 12.2.0
• ph-xsds-xmldsig 4.1.0
• ph-http/ph-httpclient/ph-mail/ph-network/ph-servlet/ph-useragent/ph-web 11.2.6
• ph-oton-io/ph-oton-audit/ph-oton-security 10.2.2
• ph-masterdata/ph-tenancy 8.1.1
• peppol-commons/peppol-id/peppol-sbdh/peppol-smp-client 12.4.1
• phive 12.0.3 [Peppol only]
• phive-rules-peppol 4.3.0 [Peppol only]
• peppol-reporting-api 4.1.1 [Peppol only]
• ph-xhe 5.1.0 [DBNAlliance only]
• angus-activation 2.0.3
• angus-mail 2.0.5
• httpclient 5.6
• BouncyCastle 1.84
• WSS4J 4.0.1
• XMLSec 4.0.4
• Servlet API 6.0.x
• JAXB 4.0.x
• SLF4J 2.0.x

v4.4.2

• (Peppol) Extended Phase4PeppolReceiverConfiguration to support dynamic per-participant SMP resolution via ISMLInfo + ISMPURLProvider as an alternative to a fixed ISMPExtendedServiceMetadataProvider
  • New builder methods smlInfo(ISMLInfo) and smpURLProvider(ISMPURLProvider)
  • New method getOrCreateSMPClientForRecipient(IParticipantIdentifier) to dynamically create an SMP client per recipient
• (Peppol) Extended Phase4PeppolDefaultReceiverConfiguration with static setSMLInfo(ISMLInfo) and setSMPURLProvider(ISMPURLProvider) methods
• (ENTSOG) Added support for ENTSOG AS4 v4.0 profile (EdDSA/X25519 and ECDSA/ECDH-ES). See #296
  • New profile IDs entsog4-eddsa (primary) and entsog4-ecdsa (alternative)
  • New classes ENTSOG4PMode and ENTSOG4CompatibilityValidator for v4.0 specific PMode creation and validation
  • New sender builders Phase4ENTSOGSender.builderEdDSA() and Phase4ENTSOGSender.builderECDSA() for v4.0
  • Updated Phase4ENTSOGHttpClientSettings to prefer TLS 1.3 with fallback to TLS 1.2
  • The existing entsog profile ID and Phase4ENTSOGSender.builder() remain available for v3.6 backward compatibility

Full Changelog: phase4-parent-pom-4.4.1...phase4-parent-pom-4.4.2

Dependencies required:

• ph-bc/ph-collection/ph-commons/ph-dao/ph-datetime/ph-jaxb/ph-json/ph-scopes/ph-security/ph-settings/ph-xml 12.1.5
• ph-xsds-xmldsig 4.1.0
• ph-http/ph-httpclient/ph-mail/ph-network/ph-servlet/ph-useragent/ph-web 11.2.5
• ph-oton-io/ph-oton-audit/ph-oton-security 10.2.2
• ph-masterdata/ph-tenancy 8.1.1
• peppol-commons/peppol-id/peppol-sbdh/peppol-smp-client 12.4.0
• phive 12.0.1 [Peppol only]
• phive-rules-peppol 4.2.5 [Peppol only]
• peppol-reporting-api 4.1.1 [Peppol only]
• ph-xhe 5.1.0 [DBNAlliance only]
• angus-activation 2.0.3
• angus-mail 2.0.5
• httpclient 5.6
• BouncyCastle 1.83
• WSS4J 4.0.1
• XMLSec 4.0.4
• Servlet API 6.0.x
• JAXB 4.0.x
• SLF4J 2.0.x

v4.4.1

• Updated to peppol-commons 12.4.0
• (Peppol) This is the first version that prefers the new OpenPeppol SML URLs over the old EC SML ones for SMP lookups

Full Changelog: phase4-parent-pom-4.4.0...phase4-parent-pom-4.4.1

Dependencies required:

• ph-bc/ph-collection/ph-commons/ph-dao/ph-datetime/ph-jaxb/ph-json/ph-scopes/ph-security/ph-settings/ph-xml 12.1.5
• ph-xsds-xmldsig 4.1.0
• ph-http/ph-httpclient/ph-mail/ph-network/ph-servlet/ph-useragent/ph-web 11.2.4
• ph-oton-io/ph-oton-audit/ph-oton-security 10.2.2
• ph-masterdata/ph-tenancy 8.1.0
• peppol-commons/peppol-id/peppol-sbdh/peppol-smp-client 12.4.0
• phive 12.0.1 [Peppol only]
• phive-rules-peppol 4.2.3 [Peppol only]
• peppol-reporting-api 4.1.1 [Peppol only]
• ph-xhe 5.1.0 [DBNAlliance only]
• angus-activation 2.0.3
• angus-mail 2.0.5
• httpclient 5.6
• BouncyCastle 1.83
• WSS4J 4.0.1
• XMLSec 4.0.4
• Servlet API 6.0.x
• JAXB 4.0.x
• SLF4J 2.0.x

v4.4.0

• Added support for the eDelivery AS4 2.0 specification (published December 2024 by the EC)
  • See [[Profile eDelivery2]] for further details
• New submodule phase4-profile-edelivery2 with four profile variants:
  • edelivery2-eddsa and edelivery2-eddsa-two-corner for the Common Usage Profile (EdDSA/X25519)
  • edelivery2-ecdsa and edelivery2-ecdsa-two-corner for the Alternative Elliptic Curve Profile (ECDSA/ECDH-ES)
• New submodule phase4-edelivery2-client with Phase4EDelivery2Sender providing preconfigured builders for both profile variants
• New enum ECryptoKeyAgreementMethod for key agreement methods (ECDH-ES, X25519, X448)
• New enum ECryptoKeyDerivationMethod for key derivation functions (ConcatKDF, HKDF)
• New enum ECryptoKeyWrapAlgorithm for key wrap algorithms (AES-128/192/256, TripleDES)
• Extended AS4CryptParams with key agreement, key derivation, and key wrap fields
  • Added convenience methods setEDelivery2KeyAgreementX25519() and setEDelivery2KeyAgreementECDHES()
• Extended AS4Encryptor to support key agreement-based encryption (X25519/ECDH-ES + HKDF + AES KeyWrap) as an alternative to RSA-OAEP key transport
• Successfully tested against the EC eDelivery2 AS4 Security Validator
• Removed OSGi bundle support from all submodules - packaging changed from bundle to jar. The Automatic-Module-Name manifest entry is preserved for JPMS compatibility.

What's Changed

• eDelivery2 profile by @phax in #366

Full Changelog: phase4-parent-pom-4.3.2...phase4-parent-pom-4.4.0

Dependencies required:

• ph-bc/ph-collection/ph-commons/ph-dao/ph-datetime/ph-jaxb/ph-json/ph-scopes/ph-security/ph-settings/ph-xml 12.1.5
• ph-xsds-xmldsig 4.1.0
• ph-http/ph-httpclient/ph-mail/ph-network/ph-servlet/ph-useragent/ph-web 11.2.4
• ph-oton-io/ph-oton-audit/ph-oton-security 10.2.2
• ph-masterdata/ph-tenancy 8.1.0
• peppol-commons/peppol-id/peppol-sbdh/peppol-smp-client 12.3.12
• phive 12.0.1 [Peppol only]
• phive-rules-peppol 4.2.3 [Peppol only]
• peppol-reporting-api 4.1.1 [Peppol only]
• ph-xhe 5.1.0 [DBNAlliance only]
• angus-activation 2.0.3
• angus-mail 2.0.5
• httpclient 5.6
• BouncyCastle 1.83
• WSS4J 4.0.1
• XMLSec 4.0.4
• Servlet API 6.0.x
• JAXB 4.0.x
• SLF4J 2.0.x

v4.3.2

• Updated to ph-commons 12.1.4 improves certificate revocation check caching (independent of check date time)
• (Peppol) Extended the Phase4PeppolSendingReport with fields:
  • c3SmpUrl for the SMP URL as resolved from the DNS
  • c3CertSubjectC for the country code of the AP Certificate Subject determined from the SMP lookup
  • lookupError to summarize error details specific on SMP lookup
  • lookupException to summarize exception on SMP lookup - only occurs in combination with the lookupError
  • lookupDurationMillis to contain the duration of the SMP lookup in milliseconds
  • sendingError to summarize error details specific to AS4 sending
  • sendingDurationMillis to contain the duration of the AS4 sending in milliseconds
• (Peppol) The incoming message processor now correctly uses the configured receiption IIdentifierFactory from Phase4PeppolDefaultReceiverConfiguration

Full Changelog: phase4-parent-pom-4.3.1...phase4-parent-pom-4.3.2

Dependencies required:

• ph-bc/ph-collection/ph-commons/ph-dao/ph-datetime/ph-jaxb/ph-json/ph-scopes/ph-security/ph-settings/ph-xml 12.1.4
• ph-xsds-xmldsig 4.1.0
• ph-http/ph-httpclient/ph-mail/ph-network/ph-servlet/ph-useragent/ph-web 11.2.3
• ph-oton-io/ph-oton-audit/ph-oton-security 10.2.2
• ph-masterdata/ph-tenancy 8.1.0
• peppol-commons/peppol-id/peppol-sbdh/peppol-smp-client 12.3.12
• phive 12.0.0 [Peppol only]
• phive-rules-peppol 4.2.1 [Peppol only]
• peppol-reporting-api 4.1.0 [Peppol only]
• ph-xhe 5.1.0 [DBNAlliance only]
• angus-activation 2.0.3
• angus-mail 2.0.5
• httpclient 5.6
• BouncyCastle 1.83
• WSS4J 4.0.1
• XMLSec 4.0.4
• Servlet API 6.0.x
• JAXB 4.0.x
• SLF4J 2.0.x

v4.3.1

• The log lines on incoming messages about the signing and decrypting certificate now also includes the certificate issuer
• The phase4-peppol-server-webapp demo application was updated to have full outbound proxy support by default
• (Peppol) Added an undocumented, temporary configuration property to disable rejecting messages on non-compliance

Full Changelog: phase4-parent-pom-4.3.0...phase4-parent-pom-4.3.1

Dependencies required:

• ph-bc/ph-collection/ph-commons/ph-dao/ph-datetime/ph-jaxb/ph-json/ph-scopes/ph-security/ph-settings/ph-xml 12.1.3
• ph-xsds-xmldsig 4.1.0
• ph-http/ph-httpclient/ph-mail/ph-network/ph-servlet/ph-useragent/ph-web 11.2.3
• ph-oton-io/ph-oton-audit/ph-oton-security 10.2.2
• ph-masterdata/ph-tenancy 8.1.0
• peppol-commons/peppol-id/peppol-sbdh/peppol-smp-client 12.3.11
• phive 12.0.0 [Peppol only]
• phive-rules-peppol 4.2.1 [Peppol only]
• peppol-reporting-api 4.1.0 [Peppol only]
• ph-xhe 5.1.0 [DBNAlliance only]
• angus-activation 2.0.3
• angus-mail 2.0.5
• httpclient 5.6
• BouncyCastle 1.83
• WSS4J 4.0.1
• XMLSec 4.0.4
• Servlet API 6.0.x
• JAXB 4.0.x
• SLF4J 2.0.x

v4.3.0

• Extended the SPI method IAS4IncomingMessageProcessorSPI.processAS4ResponseMessage with a parameter AS4ErrorList. Backwards incompatible change
• (Peppol) Extended the SPI method IPhase4PeppolIncomingSBDHandlerSPI.processAS4ResponseMessage with a parameter AS4ErrorList. Backwards incompatible change
• Extended the interface method IAS4RequestHandlerErrorConsumer.onAS4ErrorMessage with an additional IAS4IncomingMessageMetadata parameter. Backwards incompatible change
• (Peppol) Receiving messages are checking for the layout of the PartyInfo/From/PartyId and PartyInfo/To/PartyId constraints

Full Changelog: phase4-parent-pom-4.2.7...phase4-parent-pom-4.3.0

Dependencies required:

• ph-bc/ph-collection/ph-commons/ph-dao/ph-datetime/ph-jaxb/ph-json/ph-scopes/ph-security/ph-settings/ph-xml 12.1.2
• ph-xsds-xmldsig 4.1.0
• ph-http/ph-httpclient/ph-mail/ph-network/ph-servlet/ph-useragent/ph-web 11.2.1
• ph-oton-io/ph-oton-audit/ph-oton-security 10.1.2
• ph-masterdata/ph-tenancy 8.1.0
• peppol-commons/peppol-id/peppol-sbdh/peppol-smp-client 12.3.9
• phive 11.1.1 [Peppol only]
• phive-rules-peppol 4.1.7 [Peppol only]
• peppol-reporting-api 4.1.0 [Peppol only]
• ph-xhe 5.1.0 [DBNAlliance only]
• angus-activation 2.0.3
• angus-mail 2.0.5
• httpclient 5.6
• BouncyCastle 1.83
• WSS4J 4.0.1
• XMLSec 4.0.4
• Servlet API 6.0.x
• JAXB 4.0.x
• SLF4J 2.0.x

v4.2.7

• (Peppol) Improved the error handling on invalid originalSender and finalRecipient properties was improved. See #356 - thx @mikkelbm
• (Peppol) Improved the verification of FromPartyId and ToPartyId on the sending side, to follow the Peppol Seat-ID regular expression.

Full Changelog: phase4-parent-pom-4.2.6...phase4-parent-pom-4.2.7

Dependencies required:

• ph-bc/ph-collection/ph-commons/ph-dao/ph-datetime/ph-jaxb/ph-json/ph-scopes/ph-security/ph-settings/ph-xml 12.1.2
• ph-xsds-xmldsig 4.1.0
• ph-http/ph-httpclient/ph-mail/ph-network/ph-servlet/ph-useragent/ph-web 11.2.1
• ph-oton-io/ph-oton-audit/ph-oton-security 10.1.2
• ph-masterdata/ph-tenancy 8.1.0
• peppol-commons/peppol-id/peppol-sbdh/peppol-smp-client 12.3.8
• phive 11.1.1 [Peppol only]
• phive-rules-peppol 4.1.7 [Peppol only]
• peppol-reporting-api 4.1.0 [Peppol only]
• ph-xhe 5.1.0 [DBNAlliance only]
• angus-activation 2.0.3
• angus-mail 2.0.5
• httpclient 5.6
• BouncyCastle 1.83
• WSS4J 4.0.1
• XMLSec 4.0.4
• Servlet API 6.0.x
• JAXB 4.0.x
• SLF4J 2.0.x

v4.2.6

• Added new class AS4CertificateOnlySignatureTrustValidator to verify signature verification only happens on certificates and not on public keys
• (Peppol) Introduced new class Phase4PeppolAS4Servlet that uses AS4CertificateOnlySignatureTrustValidator
• Extended IAS4IncomingMessageState with the possibility to store the signing and decrypting certificate reference type
• (Peppol) The default inbound Peppol processor added a check that both signing and decrypting certificates are provided as direct references
• (Peppol) The scheduled time to transmit reports to OpenPeppol can be customized. See #355 - thx @alvarolivie

What's Changed

• Add configurable reporting date to peppol server by @alvarolivie in #355

New Contributors

• @alvarolivie made their first contribution in #355

Full Changelog: phase4-parent-pom-4.2.5...phase4-parent-pom-4.2.6

Dependencies required:

• ph-bc/ph-collection/ph-commons/ph-dao/ph-datetime/ph-jaxb/ph-json/ph-scopes/ph-security/ph-settings/ph-xml 12.1.2
• ph-xsds-xmldsig 4.1.0
• ph-http/ph-httpclient/ph-mail/ph-network/ph-servlet/ph-useragent/ph-web 11.2.1
• ph-oton-io/ph-oton-audit/ph-oton-security 10.1.2
• ph-masterdata/ph-tenancy 8.1.0
• peppol-commons/peppol-id/peppol-sbdh/peppol-smp-client 12.3.8
• phive 11.1.1 [Peppol only]
• phive-rules-peppol 4.1.5 [Peppol only]
• peppol-reporting-api 4.1.0 [Peppol only]
• ph-xhe 5.1.0 [DBNAlliance only]
• angus-activation 2.0.3
• angus-mail 2.0.5
• httpclient 5.6
• BouncyCastle 1.83
• WSS4J 4.0.1
• XMLSec 4.0.4
• Servlet API 6.0.x
• JAXB 4.0.x
• SLF4J 2.0.x