|
1 | 1 | # Changelog |
| 2 | + |
2 | 3 | All notable changes to this project will be documented in this file. |
3 | 4 | The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). |
4 | 5 |
|
| 6 | +## [3.1-?] - TBD |
| 7 | + |
| 8 | +### Structural changes |
| 9 | + |
| 10 | +- Moved Smart-ID v3 related classes from ee.sk.smartid.v3 package to root ee.sk.smartid package. |
| 11 | +- Removed all Smart-ID v2 related classes, tests, and documentation. |
| 12 | +- Updated README to reflect removal of v2-related information. |
| 13 | + |
| 14 | +### Dynamic-link auth to device-link auth changes |
| 15 | + |
| 16 | +- Renamed dynamic-link authentication to device-link authentication. |
| 17 | +- Updated authentication endpoints to use /device-link/ paths. |
| 18 | +- Replaced `randomChallenge` with `rpChallenge` (Base64, length 44–88). |
| 19 | +- Replaced signature algorithm list with fixed `rsassa-pss`. |
| 20 | +- Added required `signatureAlgorithmParameters.hashAlgorithm` field with validation. |
| 21 | +- Converted interaction list to Base64 string and ensured no duplicates. |
| 22 | +- Added `initialCallbackUrl` field with regex validation. |
| 23 | +- Added `deviceLinkBase` to session response. |
| 24 | +- Added new exception `SmartIdRequestSetupException` to handle cases when invalid values are provided for building session request objects. |
| 25 | +- Replaced old dynamic content and authCode generation logic to match Smart-ID v3.1 authCode specification. |
| 26 | +- Introduced a `DeviceLinkBuilder` to generate device links. |
| 27 | + - Validates required parameters such as `deviceLinkBase`, `version`, `deviceLinkType`, `sessionType`, `lang`, `elapsedSeconds` and `sessionToken`. |
| 28 | + - Ensures `elapsedSeconds` is only used for QR_CODE flows. |
| 29 | + - Moved `deviceLinkBase` to required input (no more default). |
| 30 | + - Handles both unprotected device-link generation and HMAC-SHA256 based authCode calculation as per specification. |
| 31 | + - New payload structure includes required and optional fields as per documentation. |
| 32 | + - `schemeName` is now configurable (default is `"smart-id"`). |
| 33 | + - Does not store `sessionSecret`, ensures it must be passed to the build method. |
| 34 | +- Removed deprecated dynamic link and QR code generation logic from old builders and helpers. |
| 35 | + |
| 36 | +- Updates to session status response |
| 37 | + - Updated USER_REFUSED_INTERACTION responses and updated error handling for these cases. |
| 38 | + - Added new `endResult` error responses (`PROTOCOL_FAILURE`, `EXPECTED_LINKED_SESSION`, `SERVER_ERROR`) with handling |
| 39 | + - Added new fields: `userChallenge`, `flowType`, `signatureAlgorithmParameters` |
| 40 | + - Renamed `interactionFlowUsed` to `interactionTypeUsed`. |
| 41 | +- Updated exception message of `DocumentUnusableException` |
| 42 | +- Added AccountUnusableException to handle ACCOUNT_UNUSABLE endResult from session status response |
| 43 | +- Updated AuthenticationSessionRequest and related classes to records. |
| 44 | +- Refactored loading of trusted CA certificates from AuthenticationResponseValidator to their own class `DefaultTrustedCACertStore`. |
| 45 | + - Created to builder-classes for loading trusted CA certificates |
| 46 | + - `FileTrustedCACertStoreBuilder` for loading trust anchors and intermediate CA certificates from truststore |
| 47 | + - `DefaultTrustedCACertStoreBuilder` for creating DefaultTrustedCACertStore with preloaded certificates, also validates provided certificates |
| 48 | +- Update AuthenticationResponseValidator to DeviceLinkAuthenticationResponseValidator |
| 49 | + - update signature value validation |
| 50 | + - added additional certificate validations (validate certificate chain and certificate purpose) |
| 51 | + - added validation for userChallenge and userChallengeVerifier in case of same device flows |
| 52 | + - added validators QualifiedAuthenticationCertificatePurposeValidator and NonQualifiedAuthenticationCertificatePurposeValidator to validate |
| 53 | + certificate purpose based on requested certificate level. |
| 54 | + |
| 55 | +- Added CallbackUrlUtil to generate callback URL with token and provides method to validate sessionSecretDigest |
| 56 | + |
| 57 | +### Added handling for querying certificate by document number |
| 58 | + |
| 59 | +- Added new endpoint: `POST /v3/signature/certificate/{document-number}`. |
| 60 | +- Added new builder CertificateByDocumentNumberRequestBuilder to create the request |
| 61 | +- Add new request objects CertificateByDocumentNumberRequest and response CertificateResponse |
| 62 | +- Removed notification-based certificate choice request with document number. |
| 63 | + |
| 64 | +### Updated dynamic-link signature to device-link signature |
| 65 | + |
| 66 | +- Renamed dynamic-link signature to device-link signature. |
| 67 | +- Updated signature endpoints to use /device-link/ paths. |
| 68 | +- Replaced signature algorithm list with fixed `rsassa-pss`. |
| 69 | +- Added required `signatureAlgorithmParameters.hashAlgorithm` field with validation. |
| 70 | +- Converted interaction list to Base64 string and ensured no duplicates. |
| 71 | +- Added `initialCallbackUrl` field with regex validation. |
| 72 | +- Added `deviceLinkBase` to session response. |
| 73 | +- Removed HashType and update SignableHash and SignableData to use HashAlgorithm |
| 74 | +- Update signature session-status validations |
| 75 | + - Signature |
| 76 | + - `signature.value` must match `^[A-Za-z0-9+/]+={0,2}$`. |
| 77 | + - Allowed `flowType`: QR · App2App · Web2App · Notification. |
| 78 | + - Fixed `signatureAlgorithm` to `rsassa-pss`. |
| 79 | + - `signatureAlgorithmParameters` |
| 80 | + - `hashAlgorithm`: `SHA-256/384/512, SHA3-256/384/512`. |
| 81 | + - `maskGenAlgorithm.algorithm`: `id-mgf1` & its `hashAlgorithm` must equal the main hash. |
| 82 | + - `saltLength`: 32 / 48 / 64 bytes to match chosen hash algorithm octet length. |
| 83 | + - `trailerField`: `0xbc`. |
| 84 | + |
| 85 | + - Certificate |
| 86 | + - Must be a Smart-ID *signature* certificate: |
| 87 | + - `CertificatePolicies (2.5.29.32)` contain either `qualified``1.3.6.1.4.1.10015.17.2`, `0.4.0.194112.1.2`or |
| 88 | + `non-qualified``1.3.6.1.4.1.10015.17.1`, `0.4.0.2042.1.1`. |
| 89 | + - `KeyUsage (2.5.29.15)` – NonRepudiation bit set. |
| 90 | + - `QC-Statement (1.3.6.1.5.5.7.1.3)` contains `0.4.0.1862.1.6.1`. |
| 91 | + |
| 92 | +- Extracted common certificate validation logic into `CertificateValidator` and will be used by `AuthenticationResponseValidator` and |
| 93 | + `SignatureResponseValidator`. |
| 94 | + |
| 95 | +## Update dynamic-link certificate choice to device-link certificate choice |
| 96 | + |
| 97 | +- Renamed dynamic-link certificate choice to device-link certificate choice. |
| 98 | +- Updated certificate choice endpoint to use /device-link/ paths. |
| 99 | +- Added `initialCallbackUrl` field with regex validation. |
| 100 | +- Added `deviceLinkBase` to session response. |
| 101 | +- Updated CertificateChoiceResponseMapper |
| 102 | + - Renamed to CertificateChoiceResponseValidator |
| 103 | + - Added CertificateValidator as dependency |
| 104 | + |
| 105 | +## Added linked signature session support |
| 106 | + |
| 107 | +- Added endpoint for creating linked signature session `POST /v3/signature/notification/linked/{document-number}`. |
| 108 | +- Added builder to create linked signature session request `LinkedSignatureSessionRequestBuilder`. |
| 109 | +- Added request LinkedSignatureSessionRequest and LinkedSignatureSessionResponse. |
| 110 | + |
| 111 | +### Updated notification-based authentication to work with Smart-ID API v3.1 |
| 112 | + |
| 113 | +- Updated notification-based authentication session request creation to be usable with Smart-ID API v3.1 |
| 114 | +- Removed verificationCodeChoice interactions and related handling |
| 115 | +- Removed AuthenticationHash. |
| 116 | +- Added NotificationAuthenticationResponseValidator |
| 117 | + |
| 118 | +### Updated notification-based certificate choice to work with Smart-ID API v3.1 |
| 119 | + |
| 120 | +- Updated SmartIdRestConnector to use v3.1 notification-based certificate choice endpoint |
| 121 | +- Added NotificationCertificateChoiceSessionRequest |
| 122 | + |
| 123 | +### Updated notification-based signature to work with Smart-ID API v3.1 |
| 124 | + |
| 125 | +- Updated SmartIdRestConnector to use v3.1 notification-based signature endpoint |
| 126 | +- Added NotificationSignatureSessionRequest |
| 127 | + |
| 128 | +## [3.0] - 2023-10-14 |
| 129 | + |
| 130 | +### Added |
| 131 | +- Support for handling RP API v3.0 requests. View V3 section in README.md for more information. Related classes can be found in the ee.sk.smartid.v3 |
| 132 | + package. |
| 133 | + - New builder classes to start v3 sessions: |
| 134 | + - DynamicLinkAuthenticationSessionRequestBuilder |
| 135 | + - DynamicLinkCertificateChoiceSessionRequestBuilder |
| 136 | + - DynamicLinkSignatureSessionRequestBuilder |
| 137 | + - NotificationAuthenticationSessionRequestBuilder |
| 138 | + - NotificationCertificateChoiceSessionRequestBuilder |
| 139 | + - NotificationSignatureSessionRequestBuilder |
| 140 | + - Helper class for dynamic link |
| 141 | + - AuthCode - used for generating authCode necessary for dynamic-link |
| 142 | + - QrCodeGenerator - to create QR-code from dynamic-link |
| 143 | + - DynamicContentBuilder - to create dynamic link or QR-code |
| 144 | + - Support for sessions status request handling for the v3 path. |
| 145 | + - Added AuthenticationResponseMapper for validating required fields and mapping session status to authentication response |
| 146 | + - Added AuthenticationResponseValidator to validate certificate and signed authentication response and construct AuthenticationIdentity |
| 147 | + - Added SignatureResponseMapper for validating required fields and mapping session status to signature response |
| 148 | + - Added CertificateChoiceResponseMapper for validating required fields and mapping session status to certificate choice response |
| 149 | + |
| 150 | +### Changed |
| 151 | +- Most of the existing code for RP API v2.0 has been moved into the ee.sk.smartid.v2 package for clarity. |
| 152 | +- Replaced deprecated `X509Certificate::getSubjectDN()` with `X509Certificate::getSubjectX500Principal()` |
| 153 | +- Typo fixes, code cleanup and improvements |
| 154 | +- Modified NationalIdentityNumberUtil to handle LV person codes with prefixes 33-39 without throwing an exception during parsing. |
| 155 | + |
| 156 | +### Removed |
| 157 | +- Removed deprecated methods from AuthenticationIdentity |
| 158 | + |
| 159 | +### Java and dependency updates |
| 160 | +- Updated minimal supported java to version 17 |
| 161 | +- Updated slf4j-api to version 2.0.16 |
| 162 | +- Updated jackson dependencies to version 2.17.2 |
| 163 | +- Added jakarta.ws.rs:jakarta.ws.rs-api |
| 164 | +- Updated jersey dependencies to version 3.1.8 |
| 165 | +- Updated bouncy-castle artifact to bcprov-jdk18on on version 1.78.1 |
| 166 | +- Updated jaxb-runtime to version 4.0.5 |
| 167 | + |
5 | 168 | ## [2.3] - 2023-05-06 |
6 | 169 | - To request the IP address of the device running Smart-ID app, the following methods were added: |
7 | 170 | - AuthenticationRequestBuilder.withShareMdClientIpAddress(boolean) |
@@ -41,7 +204,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). |
41 | 204 | ### Added |
42 | 205 | - [SmartIdAuthenticationResponse.getDeviceIpAddress()](src/main/java/ee/sk/smartid/SmartIdAuthenticationResponse.java#:~:text=getDeviceIpAddress()) |
43 | 206 | - [SmartIdSignature.getDeviceIpAddress()](src/main/java/ee/sk/smartid/SmartIdSignature.java#:~:text=getDeviceIpAddress()) |
44 | | -- [SessionStatus.getDeviceIpAddress()](src/main/java/ee/sk/smartid/rest/dao/SessionStatus.java#:~:text=getDeviceIpAddress()) |
| 207 | +- [SessionStatus.getDeviceIpAddress()](src/main/java/ee/sk/smartid/v2/rest/dao/SessionStatus.java#:~:text=getDeviceIpAddress()) |
45 | 208 |
|
46 | 209 | ## [2.1.4] - 2022-01-14 |
47 | 210 |
|
|
0 commit comments