|
1 | 1 | # Changelog |
2 | | - |
3 | 2 | All notable changes to this project will be documented in this file. |
4 | 3 | The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). |
5 | 4 |
|
6 | | -## [3.1-?] - TBD |
7 | | - |
8 | | -### Structural changes |
9 | | - |
10 | | -- Moved Smart-ID v3 related classes from ee.sk.smartid.v3 package to root ee.sk.smartid package. |
11 | | -- Removed all Smart-ID v2 related classes, tests, and documentation. |
12 | | -- Updated README to reflect removal of v2-related information. |
13 | | - |
14 | | -### Dynamic-link auth to device-link auth changes |
15 | | - |
16 | | -- Renamed dynamic-link authentication to device-link authentication. |
17 | | -- Updated authentication endpoints to use /device-link/ paths. |
18 | | -- Replaced `randomChallenge` with `rpChallenge` (Base64, length 44–88). |
19 | | -- Replaced signature algorithm list with fixed `rsassa-pss`. |
20 | | -- Added required `signatureAlgorithmParameters.hashAlgorithm` field with validation. |
21 | | -- Converted interaction list to Base64 string and ensured no duplicates. |
22 | | -- Added `initialCallbackUrl` field with regex validation. |
23 | | -- Added `deviceLinkBase` to session response. |
24 | | -- Added new exception `SmartIdRequestSetupException` to handle cases when invalid values are provided for building session request objects. |
25 | | -- Replaced old dynamic content and authCode generation logic to match Smart-ID v3.1 authCode specification. |
26 | | -- Introduced a `DeviceLinkBuilder` to generate device links. |
27 | | - - Validates required parameters such as `deviceLinkBase`, `version`, `deviceLinkType`, `sessionType`, `lang`, `elapsedSeconds` and `sessionToken`. |
28 | | - - Ensures `elapsedSeconds` is only used for QR_CODE flows. |
29 | | - - Moved `deviceLinkBase` to required input (no more default). |
30 | | - - Handles both unprotected device-link generation and HMAC-SHA256 based authCode calculation as per specification. |
31 | | - - New payload structure includes required and optional fields as per documentation. |
32 | | - - `schemeName` is now configurable (default is `"smart-id"`). |
33 | | - - Does not store `sessionSecret`, ensures it must be passed to the build method. |
34 | | -- Removed deprecated dynamic link and QR code generation logic from old builders and helpers. |
35 | | - |
36 | | -- Updates to session status response |
37 | | - - Updated USER_REFUSED_INTERACTION responses and updated error handling for these cases. |
38 | | - - Added new `endResult` error responses (`PROTOCOL_FAILURE`, `EXPECTED_LINKED_SESSION`, `SERVER_ERROR`) with handling |
39 | | - - Added new fields: `userChallenge`, `flowType`, `signatureAlgorithmParameters` |
40 | | - - Renamed `interactionFlowUsed` to `interactionTypeUsed`. |
41 | | -- Updated exception message of `DocumentUnusableException` |
42 | | -- Added AccountUnusableException to handle ACCOUNT_UNUSABLE endResult from session status response |
43 | | -- Updated AuthenticationSessionRequest and related classes to records. |
44 | | -- Refactored loading of trusted CA certificates from AuthenticationResponseValidator to their own class `DefaultTrustedCACertStore`. |
45 | | - - Created to builder-classes for loading trusted CA certificates |
46 | | - - `FileTrustedCACertStoreBuilder` for loading trust anchors and intermediate CA certificates from truststore |
47 | | - - `DefaultTrustedCACertStoreBuilder` for creating DefaultTrustedCACertStore with preloaded certificates, also validates provided certificates |
48 | | -- Update AuthenticationResponseValidator to DeviceLinkAuthenticationResponseValidator |
49 | | - - update signature value validation |
50 | | - - added additional certificate validations (validate certificate chain and certificate purpose) |
51 | | - - added validation for userChallenge and userChallengeVerifier in case of same device flows |
52 | | - - added validators QualifiedAuthenticationCertificatePurposeValidator and NonQualifiedAuthenticationCertificatePurposeValidator to validate |
53 | | - certificate purpose based on requested certificate level. |
54 | | - |
55 | | -- Added CallbackUrlUtil to generate callback URL with token and provides method to validate sessionSecretDigest |
56 | | - |
57 | | -### Added handling for querying certificate by document number |
58 | | - |
59 | | -- Added new endpoint: `POST /v3/signature/certificate/{document-number}`. |
60 | | -- Added new builder CertificateByDocumentNumberRequestBuilder to create the request |
61 | | -- Add new request objects CertificateByDocumentNumberRequest and response CertificateResponse |
62 | | -- Removed notification-based certificate choice request with document number. |
63 | | - |
64 | | -### Updated dynamic-link signature to device-link signature |
65 | | - |
66 | | -- Renamed dynamic-link signature to device-link signature. |
67 | | -- Updated signature endpoints to use /device-link/ paths. |
68 | | -- Replaced signature algorithm list with fixed `rsassa-pss`. |
69 | | -- Added required `signatureAlgorithmParameters.hashAlgorithm` field with validation. |
70 | | -- Converted interaction list to Base64 string and ensured no duplicates. |
71 | | -- Added `initialCallbackUrl` field with regex validation. |
72 | | -- Added `deviceLinkBase` to session response. |
73 | | -- Removed HashType and update SignableHash and SignableData to use HashAlgorithm |
74 | | -- Update signature session-status validations |
75 | | - - Signature |
76 | | - - `signature.value` must match `^[A-Za-z0-9+/]+={0,2}$`. |
77 | | - - Allowed `flowType`: QR · App2App · Web2App · Notification. |
78 | | - - Fixed `signatureAlgorithm` to `rsassa-pss`. |
79 | | - - `signatureAlgorithmParameters` |
80 | | - - `hashAlgorithm`: `SHA-256/384/512, SHA3-256/384/512`. |
81 | | - - `maskGenAlgorithm.algorithm`: `id-mgf1` & its `hashAlgorithm` must equal the main hash. |
82 | | - - `saltLength`: 32 / 48 / 64 bytes to match chosen hash algorithm octet length. |
83 | | - - `trailerField`: `0xbc`. |
84 | | - |
85 | | - - Certificate |
86 | | - - Must be a Smart-ID *signature* certificate: |
87 | | - - `CertificatePolicies (2.5.29.32)` contain either `qualified``1.3.6.1.4.1.10015.17.2`, `0.4.0.194112.1.2`or |
88 | | - `non-qualified``1.3.6.1.4.1.10015.17.1`, `0.4.0.2042.1.1`. |
89 | | - - `KeyUsage (2.5.29.15)` – NonRepudiation bit set. |
90 | | - - `QC-Statement (1.3.6.1.5.5.7.1.3)` contains `0.4.0.1862.1.6.1`. |
91 | | - |
92 | | -- Extracted common certificate validation logic into `CertificateValidator` and will be used by `AuthenticationResponseValidator` and |
93 | | - `SignatureResponseValidator`. |
94 | | - |
95 | | -## Update dynamic-link certificate choice to device-link certificate choice |
96 | | - |
97 | | -- Renamed dynamic-link certificate choice to device-link certificate choice. |
98 | | -- Updated certificate choice endpoint to use /device-link/ paths. |
99 | | -- Added `initialCallbackUrl` field with regex validation. |
100 | | -- Added `deviceLinkBase` to session response. |
101 | | -- Updated CertificateChoiceResponseMapper |
102 | | - - Renamed to CertificateChoiceResponseValidator |
103 | | - - Added CertificateValidator as dependency |
104 | | - |
105 | | -## Added linked signature session support |
106 | | - |
107 | | -- Added endpoint for creating linked signature session `POST /v3/signature/notification/linked/{document-number}`. |
108 | | -- Added builder to create linked signature session request `LinkedSignatureSessionRequestBuilder`. |
109 | | -- Added request LinkedSignatureSessionRequest and LinkedSignatureSessionResponse. |
110 | | - |
111 | | -### Updated notification-based authentication to work with Smart-ID API v3.1 |
112 | | - |
113 | | -- Updated notification-based authentication session request creation to be usable with Smart-ID API v3.1 |
114 | | -- Removed verificationCodeChoice interactions and related handling |
115 | | -- Removed AuthenticationHash. |
116 | | -- Added NotificationAuthenticationResponseValidator |
117 | | - |
118 | | -### Updated notification-based certificate choice to work with Smart-ID API v3.1 |
119 | | - |
120 | | -- Updated SmartIdRestConnector to use v3.1 notification-based certificate choice endpoint |
121 | | -- Added NotificationCertificateChoiceSessionRequest |
122 | | - |
123 | | -### Updated notification-based signature to work with Smart-ID API v3.1 |
124 | | - |
125 | | -- Updated SmartIdRestConnector to use v3.1 notification-based signature endpoint |
126 | | -- Added NotificationSignatureSessionRequest |
127 | | - |
128 | | -## [3.0] - 2023-10-14 |
129 | | - |
130 | | -### Added |
131 | | -- Support for handling RP API v3.0 requests. View V3 section in README.md for more information. Related classes can be found in the ee.sk.smartid.v3 |
132 | | - package. |
133 | | - - New builder classes to start v3 sessions: |
134 | | - - DynamicLinkAuthenticationSessionRequestBuilder |
135 | | - - DynamicLinkCertificateChoiceSessionRequestBuilder |
136 | | - - DynamicLinkSignatureSessionRequestBuilder |
137 | | - - NotificationAuthenticationSessionRequestBuilder |
138 | | - - NotificationCertificateChoiceSessionRequestBuilder |
139 | | - - NotificationSignatureSessionRequestBuilder |
140 | | - - Helper class for dynamic link |
141 | | - - AuthCode - used for generating authCode necessary for dynamic-link |
142 | | - - QrCodeGenerator - to create QR-code from dynamic-link |
143 | | - - DynamicContentBuilder - to create dynamic link or QR-code |
144 | | - - Support for sessions status request handling for the v3 path. |
145 | | - - Added AuthenticationResponseMapper for validating required fields and mapping session status to authentication response |
146 | | - - Added AuthenticationResponseValidator to validate certificate and signed authentication response and construct AuthenticationIdentity |
147 | | - - Added SignatureResponseMapper for validating required fields and mapping session status to signature response |
148 | | - - Added CertificateChoiceResponseMapper for validating required fields and mapping session status to certificate choice response |
149 | | - |
150 | | -### Changed |
151 | | -- Most of the existing code for RP API v2.0 has been moved into the ee.sk.smartid.v2 package for clarity. |
152 | | -- Replaced deprecated `X509Certificate::getSubjectDN()` with `X509Certificate::getSubjectX500Principal()` |
153 | | -- Typo fixes, code cleanup and improvements |
154 | | -- Modified NationalIdentityNumberUtil to handle LV person codes with prefixes 33-39 without throwing an exception during parsing. |
155 | | - |
156 | | -### Removed |
157 | | -- Removed deprecated methods from AuthenticationIdentity |
158 | | - |
159 | | -### Java and dependency updates |
160 | | -- Updated minimal supported java to version 17 |
161 | | -- Updated slf4j-api to version 2.0.16 |
162 | | -- Updated jackson dependencies to version 2.17.2 |
163 | | -- Added jakarta.ws.rs:jakarta.ws.rs-api |
164 | | -- Updated jersey dependencies to version 3.1.8 |
165 | | -- Updated bouncy-castle artifact to bcprov-jdk18on on version 1.78.1 |
166 | | -- Updated jaxb-runtime to version 4.0.5 |
167 | | - |
168 | 5 | ## [2.3] - 2023-05-06 |
169 | 6 | - To request the IP address of the device running Smart-ID app, the following methods were added: |
170 | 7 | - AuthenticationRequestBuilder.withShareMdClientIpAddress(boolean) |
@@ -204,7 +41,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). |
204 | 41 | ### Added |
205 | 42 | - [SmartIdAuthenticationResponse.getDeviceIpAddress()](src/main/java/ee/sk/smartid/SmartIdAuthenticationResponse.java#:~:text=getDeviceIpAddress()) |
206 | 43 | - [SmartIdSignature.getDeviceIpAddress()](src/main/java/ee/sk/smartid/SmartIdSignature.java#:~:text=getDeviceIpAddress()) |
207 | | -- [SessionStatus.getDeviceIpAddress()](src/main/java/ee/sk/smartid/v2/rest/dao/SessionStatus.java#:~:text=getDeviceIpAddress()) |
| 44 | +- [SessionStatus.getDeviceIpAddress()](src/main/java/ee/sk/smartid/rest/dao/SessionStatus.java#:~:text=getDeviceIpAddress()) |
208 | 45 |
|
209 | 46 | ## [2.1.4] - 2022-01-14 |
210 | 47 |
|
|
0 commit comments