Nexus Timestamp Server

Release note Nexus Timestamp Server 2.4.0

Version: 2.4.0

Release Date: 2026-04-08

Feature/Update

Description

Add esi4-qtstStatement-1 in TSR (if present in TSQ)

The esi4-qtstStatement-1 statement (id-etsi-tsts-EuQCompliance) defined in ETSI EN 319 422 can now be included in the Timestamp Response (TSR) if it is present in the Timestamp Query (TSQ).

This requires that the configuration parameter etsiEuQCompliance is enabled for the Extensions filter in the service.properties file of the service:

[filter.Extensions]
class=com.nexussafe.nano.filters.timestamp.ExtensionFilter
etsiEuQCompliance=true

PKCS#11 library reinitialization

For PKCS#11 keystores, it is now possible to configure which errors (for example, an HSM restart or network problems) should trigger PKCS#11 reinitialization (a call to C_Finalize) when a login operation is performed. The device is not reinitialized by default.

The new configuration parameter signer.store.reinitializeDeviceOnErrors in the service.properties file of the service controls on which errors the reinitialization is performed.

It is specified as a space-separated list of hexadecimal error codes. For example, a signer configuration in service.properties with this feature enabled could look like this:

signer.alias=https://idp.example.org/nexus
signer.store=\Volumes\untitled\Lib\cs2_pkcs11.dll
signer.store.pin=1234
signer.pinpad=false
signer.password=1234
signer.store.description=ObjectLabel
signer.store.slotListIndex=1
signer.store.name=Test
signer.store.reinitializeDeviceOnErrors=0x30 0x32 0xE0 0xE1 0x101 0x190

Bug fix

Description

AccuracyFilter allowed out of range values

Prior to this fix, it was possible to configure the AccuracyFilter (in service.properties) with values outside the ranges specified in RFC 3161 for the Accuracy field in the TSTInfo structure.

Also, configuring "micros" would automatically set the "millis" value to 0.

The behavior has now been revised (breaking change) so that:

  • If configured, the valid value ranges are as follows:

    • seconds: positive integer value including zero

    • millis: 1 to 999 (inclusive)

    • micros: 1 to 999 (inclusive)

    • Values outside the permitted ranges will prevent the Timestamp Server from starting.

  • Any parameter that is not configured will be excluded from the Accuracy.

  • A new configuration parameter "enabled" has been added to enable or disable the Accuracy filter. If disabled, the Accuracy field will not be included in the TSTInfo structure. Default value is "enabled=true".

  • Note: As before, the GeneralizedTime and NTPTimeManager filters must be placed before the AccuracyFilter in the filter chain in order for the Accuracy field to be included in the TSTInfo structure.

  • Note 2: As before, the validation of the NTP server offset does not take microseconds into account. If set, the microseconds value will be included in the Accuracy field.

  • Example configuration:

[filter.Accuracy]
class=com.nexussafe.nano.filters.timestamp.AccuracyFilter
enabled=true
seconds=5
millis=45
#micros=
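
Because out-of-range Accuracy values now stop the server from starting, an existing service.properties can be checked against the ranges listed above before upgrading. The following is an added example, not Nexus code: the function names are hypothetical, and the file syntax is assumed to be "[section]" headers, "key=value" lines and "#" comments.

```python
# Added example: pre-upgrade lint for the [filter.Accuracy] section.
# Section name and keys are from the release note; function names are
# hypothetical, and the file syntax is assumed to be "[section]" headers,
# "key=value" lines and "#" comments.
RANGES = {"seconds": (0, None), "millis": (1, 999), "micros": (1, 999)}

def read_section(text, name):
    """Return the key/value pairs of one [name] section."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == name and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values

def lint_accuracy(text):
    """List settings outside the ranges the release note permits."""
    problems = []
    section = read_section(text, "filter.Accuracy")
    for key, (low, high) in RANGES.items():
        if key not in section:
            continue  # unconfigured parameters are excluded from Accuracy
        try:
            value = int(section[key])
        except ValueError:
            # Assumption: empty or non-numeric values are flagged for review.
            problems.append(f"{key}={section[key]!r} is not an integer")
            continue
        if value < low or (high is not None and value > high):
            bound = f"{low} to {high}" if high is not None else f"{low} or greater"
            problems.append(f"{key}={value} is outside {bound}")
    return problems

# Constructed samples: the note's example, and values an older release accepted.
GOOD = "[filter.Accuracy]\nenabled=true\nseconds=5\nmillis=45\n#micros=\n"
LEGACY = "[filter.Accuracy]\nseconds=0\nmillis=1000\nmicros=0\n"

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("legacy", LEGACY)):
        print(label, lint_accuracy(cfg) or "ok")
```

An empty result means every configured value is within range; parameters that are commented out are skipped, matching the rule that unconfigured parameters are excluded from the Accuracy.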

Contact and support

For information regarding support, training, and other services in your area, visit https://nexus.ingroupe.com/. Nexus offers maintenance and support services to customers and partners.

For more information, go to Nexus Technical Support or contact your local sales representative.