|
1 | 1 | # Changelog |
| 2 | + |
2 | 3 | All notable changes to this project will be documented in this file. |
3 | 4 | The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). |
4 | 5 |
|
5 | | -Changes mentioned under 3.1.x version have not been published yet. Will be released when v3.1 is stable. |
6 | | - |
7 | | -## [3.1.17] - 2025-10-07 |
8 | | -- Updated SmartIdRestConnector to use v3.1 notification-based signature endpoint |
9 | | - |
10 | | -## [3.1.16] - 2025-10-04 |
11 | | -- Updated SmartIdRestConnector to use v3.1 notification-based certificate choice endpoint |
12 | | -- Added AccountUnusableException to handle ACCOUNT_UNUSABLE endResult from session status response |
13 | | - |
14 | | -## [3.1.15] - 2025-09-17 |
15 | | -- Added CallbackUrlUtil to generate callback URL with token and provides method to validate sessionSecretDigest |
16 | | -- Updated DeviceLinkAuthenticationResponseValidator to also validate userChallenge and userChallengeVerifier same device flows. |
17 | | - |
18 | | -## [3.1.14] - 2025-09-17 |
19 | | -- Updated notification-based authentication session request creation to be usable with Smart-ID API v3.1 |
20 | | -- Removed verificationCodeChoice interactions and related handling |
21 | | -- Removed AuthenticationHash. |
22 | | - |
23 | | -## [3.1.13] - 2025-09-08 |
24 | | -- Added endpoint for creating linked signature session `POST /v3/signature/notification/linked/{document-number}`. |
25 | | -- Added builder to create linked signature session request `LinkedSignatureSessionRequestBuilder`. |
26 | | - |
27 | | -## [3.1.12] - 2025-09-08 |
28 | | -- Removed HashType and update SignableHash and SignableData to use HashAlgorithm |
29 | | - |
30 | | -## [3.1.11] - 2025-08-25 |
31 | | -- Updated CertificateChoiceResponseMapper |
32 | | - - Renamed to CertificateChoiceResponseValidator |
33 | | - - Added CertificateValidator as dependency |
34 | | - |
35 | | -## [3.1.10] - 2025-08-28 |
36 | | -- Updated exception message of `DocumentUnusableException` |
37 | | - |
38 | | -## [3.1.9] - 2025-07-20 |
39 | | -- Extracted common certificate validation logic into `CertificateValidator` and will be used by `AuthenticationResponseValidator` and `SignatureResponseValidator`. |
40 | | - |
41 | | -## [3.1.8] - 2025-07-15 |
42 | | -- Added new exception `SmartIdRequestSetupException` to handle cases when invalid values are provided for building session request objects. |
43 | | - |
44 | | -## [3.1.7] - 2025-07-10 |
| 6 | +## [3.1-?] - TBD |
45 | 7 |
|
46 | | -- Renamed dynamic-link certificate choice to device-link certificate choice. |
47 | | -- Updated certificate choice endpoint to use /device-link/ paths. |
48 | | -- Added `initialCallbackUrl` field with regex validation. |
49 | | -- Added `deviceLinkBase` to session response. |
| 8 | +### Structural changes |
50 | 9 |
|
51 | | -## [3.1.6] - 2025-07-08 |
| 10 | +- Moved Smart-ID v3 related classes from ee.sk.smartid.v3 package to root ee.sk.smartid package. |
| 11 | +- Removed all Smart-ID v2 related classes, tests, and documentation. |
| 12 | +- Updated README to reflect removal of v2-related information. |
52 | 13 |
|
53 | | -### Added |
54 | | -- Session-status (signature) |
55 | | - - `signature.value` must match `^[A-Za-z0-9+/]+={0,2}$`. |
56 | | - - Allowed `flowType`: QR · App2App · Web2App · Notification. |
57 | | - - Fixed `signatureAlgorithm` to `rsassa-pss`. |
58 | | - - `signatureAlgorithmParameters` |
59 | | - - `hashAlgorithm`: `SHA-256/384/512, SHA3-256/384/512`. |
60 | | - - `maskGenAlgorithm.algorithm`: `id-mgf1` & its `hashAlgorithm` must equal the main hash. |
61 | | - - `saltLength`: 32 / 48 / 64 bytes to match chosen hash. |
62 | | - - `trailerField`: `0xbc`. |
63 | | - |
64 | | -- Certificate |
65 | | - - Must be a Smart-ID *signature* certificate: |
66 | | - - `CertificatePolicies (2.5.29.32)` contain either `qualified``1.3.6.1.4.1.10015.17.2`, `0.4.0.194112.1.2`or `non-qualified``1.3.6.1.4.1.10015.17.1`, `0.4.0.2042.1.1`. |
67 | | - - `KeyUsage (2.5.29.15)` – NonRepudiation bit set. |
68 | | - - `QC-Statement (1.3.6.1.5.5.7.1.3)` contains `0.4.0.1862.1.6.1`. |
69 | | - |
70 | | -## [3.1.5] - 2025-06-30 |
| 14 | +### Dynamic-link auth to device-link auth changes |
71 | 15 |
|
72 | | -- Renamed dynamic-link signature to device-link signature. |
73 | | -- Updated signature endpoints to use /device-link/ paths. |
| 16 | +- Renamed dynamic-link authentication to device-link authentication. |
| 17 | +- Updated authentication endpoints to use /device-link/ paths. |
| 18 | +- Replaced `randomChallenge` with `rpChallenge` (Base64, length 44–88). |
74 | 19 | - Replaced signature algorithm list with fixed `rsassa-pss`. |
75 | 20 | - Added required `signatureAlgorithmParameters.hashAlgorithm` field with validation. |
76 | 21 | - Converted interaction list to Base64 string and ensured no duplicates. |
77 | 22 | - Added `initialCallbackUrl` field with regex validation. |
78 | 23 | - Added `deviceLinkBase` to session response. |
| 24 | +- Added new exception `SmartIdRequestSetupException` to handle cases when invalid values are provided for building session request objects. |
| 25 | +- Replaced old dynamic content and authCode generation logic to match Smart-ID v3.1 authCode specification. |
| 26 | +- Introduced a `DeviceLinkBuilder` to generate device links. |
| 27 | + - Validates required parameters such as `deviceLinkBase`, `version`, `deviceLinkType`, `sessionType`, `lang`, `elapsedSeconds` and `sessionToken`. |
| 28 | + - Ensures `elapsedSeconds` is only used for QR_CODE flows. |
| 29 | + - Moved `deviceLinkBase` to required input (no more default). |
| 30 | + - Handles both unprotected device-link generation and HMAC-SHA256 based authCode calculation as per specification. |
| 31 | + - New payload structure includes required and optional fields as per documentation. |
| 32 | + - `schemeName` is now configurable (default is `"smart-id"`). |
| 33 | + - Does not store `sessionSecret`, ensures it must be passed to the build method. |
| 34 | +- Removed deprecated dynamic link and QR code generation logic from old builders and helpers. |
79 | 35 |
|
80 | | -## [3.1.4] - 2025-07-05 |
81 | | - |
82 | | -### Changed |
83 | 36 | - Updates to session status response |
84 | | - - Updated USER_REFUSED_INTERACTION responses and updated error handling for these cases. |
85 | | - - Added new `endResult` error responses (`PROTOCOL_FAILURE`, `EXPECTED_LINKED_SESSION`, `SERVER_ERROR`) with handling |
86 | | - - Added new fields: `userChallenge`, `flowType`, `signatureAlgorithmParameters` |
87 | | - - Renamed `interactionFlowUsed` to `interactionTypeUsed`. |
| 37 | + - Updated USER_REFUSED_INTERACTION responses and updated error handling for these cases. |
| 38 | + - Added new `endResult` error responses (`PROTOCOL_FAILURE`, `EXPECTED_LINKED_SESSION`, `SERVER_ERROR`) with handling |
| 39 | + - Added new fields: `userChallenge`, `flowType`, `signatureAlgorithmParameters` |
| 40 | + - Renamed `interactionFlowUsed` to `interactionTypeUsed`. |
| 41 | +- Updated exception message of `DocumentUnusableException` |
| 42 | +- Added AccountUnusableException to handle ACCOUNT_UNUSABLE endResult from session status response |
88 | 43 | - Updated AuthenticationSessionRequest and related classes to records. |
89 | 44 | - Refactored loading of trusted CA certificates from AuthenticationResponseValidator to their own class `DefaultTrustedCACertStore`. |
90 | | - - Created to builder-classes for loading trusted CA certificates |
91 | | - - `FileTrustedCACertStoreBuilder` for loading trust anchors and intermediate CA certificates from truststore |
92 | | - - `DefaultTrustedCACertStoreBuilder` for creating DefaultTrustedCACertStore with preloaded certificates, also validates provided certificates |
93 | | -- Refactored AuthenticationResponseMapper to be used as singleton instead of static class and added it as dependency for AuthenticationResponseValidator |
94 | | -- Update AuthenticationResponseValidator |
95 | | - - update signature value validation |
96 | | - - added additional certificate validations (validate certificate chain and certificate purpose) |
| 45 | + - Created to builder-classes for loading trusted CA certificates |
| 46 | + - `FileTrustedCACertStoreBuilder` for loading trust anchors and intermediate CA certificates from truststore |
| 47 | + - `DefaultTrustedCACertStoreBuilder` for creating DefaultTrustedCACertStore with preloaded certificates, also validates provided certificates |
| 48 | +- Update AuthenticationResponseValidator to DeviceLinkAuthenticationResponseValidator |
| 49 | + - update signature value validation |
| 50 | + - added additional certificate validations (validate certificate chain and certificate purpose) |
| 51 | + - added validation for userChallenge and userChallengeVerifier in case of same device flows |
| 52 | + - added validators QualifiedAuthenticationCertificatePurposeValidator and NonQualifiedAuthenticationCertificatePurposeValidator to validate |
| 53 | + certificate purpose based on requested certificate level. |
97 | 54 |
|
98 | | -## [3.1.3] - 2025-06-13 |
| 55 | +- Added CallbackUrlUtil to generate callback URL with token and provides method to validate sessionSecretDigest |
99 | 56 |
|
100 | | -### Added |
| 57 | +### Added handling for querying certificate by document number |
101 | 58 |
|
102 | 59 | - Added new endpoint: `POST /v3/signature/certificate/{document-number}`. |
103 | | - |
104 | | -### Removed |
105 | | - |
| 60 | +- Added new builder CertificateByDocumentNumberRequestBuilder to create the request |
| 61 | +- Add new request objects CertificateByDocumentNumberRequest and response CertificateResponse |
106 | 62 | - Removed notification-based certificate choice request with document number. |
107 | 63 |
|
108 | | -## [3.1.2] - 2025-06-05 |
109 | | - |
110 | | -### Changed |
111 | | - |
112 | | -- Replaced old dynamic content and authCode generation logic to match Smart-ID v3.1 authCode specification. |
113 | | -- Introduced a `DeviceLinkBuilder` to generate device-links. |
114 | | - - Validates required parameters such as `deviceLinkBase`, `version`, `deviceLinkType`, `sessionType`, `lang`, `elapsedSeconds` and `sessionToken`. |
115 | | - - Ensures `elapsedSeconds` is only used for QR_CODE flows. |
116 | | - - Moved `deviceLinkBase` to required input (no more default). |
117 | | - - Handles both unprotected device-link generation and HMAC-SHA256 based authCode calculation as per specification. |
118 | | - - New payload structure includes required and optional fields as per documentation. |
119 | | - - `schemeName` is now configurable (default is `"smart-id"`). |
120 | | - - Does not store `sessionSecret`, ensures it must be passed to the build method. |
121 | | -- Removed deprecated dynamic link and QR code generation logic from old builders and helpers. |
122 | | - |
123 | | -## [3.1.1] - 2025-06-02 |
| 64 | +### Updated dynamic-link signature to device-link signature |
124 | 65 |
|
125 | | -### Changed |
126 | | - |
127 | | -- Renamed dynamic-link authentication to device-link authentication. |
128 | | -- Updated authentication endpoints to use /device-link/ paths. |
129 | | -- Replaced `randomChallenge` with `rpChallenge` (Base64, length 44–88). |
| 66 | +- Renamed dynamic-link signature to device-link signature. |
| 67 | +- Updated signature endpoints to use /device-link/ paths. |
130 | 68 | - Replaced signature algorithm list with fixed `rsassa-pss`. |
131 | 69 | - Added required `signatureAlgorithmParameters.hashAlgorithm` field with validation. |
132 | 70 | - Converted interaction list to Base64 string and ensured no duplicates. |
133 | 71 | - Added `initialCallbackUrl` field with regex validation. |
134 | 72 | - Added `deviceLinkBase` to session response. |
| 73 | +- Removed HashType and update SignableHash and SignableData to use HashAlgorithm |
| 74 | +- Update signature session-status validations |
| 75 | + - Signature |
| 76 | + - `signature.value` must match `^[A-Za-z0-9+/]+={0,2}$`. |
| 77 | + - Allowed `flowType`: QR · App2App · Web2App · Notification. |
| 78 | + - Fixed `signatureAlgorithm` to `rsassa-pss`. |
| 79 | + - `signatureAlgorithmParameters` |
| 80 | + - `hashAlgorithm`: `SHA-256/384/512, SHA3-256/384/512`. |
| 81 | + - `maskGenAlgorithm.algorithm`: `id-mgf1` & its `hashAlgorithm` must equal the main hash. |
| 82 | + - `saltLength`: 32 / 48 / 64 bytes to match chosen hash algorithm octet length. |
| 83 | + - `trailerField`: `0xbc`. |
| 84 | + |
| 85 | + - Certificate |
| 86 | + - Must be a Smart-ID *signature* certificate: |
| 87 | + - `CertificatePolicies (2.5.29.32)` contain either `qualified``1.3.6.1.4.1.10015.17.2`, `0.4.0.194112.1.2`or |
| 88 | + `non-qualified``1.3.6.1.4.1.10015.17.1`, `0.4.0.2042.1.1`. |
| 89 | + - `KeyUsage (2.5.29.15)` – NonRepudiation bit set. |
| 90 | + - `QC-Statement (1.3.6.1.5.5.7.1.3)` contains `0.4.0.1862.1.6.1`. |
| 91 | + |
| 92 | +- Extracted common certificate validation logic into `CertificateValidator` and will be used by `AuthenticationResponseValidator` and |
| 93 | + `SignatureResponseValidator`. |
| 94 | + |
| 95 | +## Update dynamic-link certificate choice to device-link certificate choice |
135 | 96 |
|
136 | | -## [3.1] - 2025-05-20 |
| 97 | +- Renamed dynamic-link certificate choice to device-link certificate choice. |
| 98 | +- Updated certificate choice endpoint to use /device-link/ paths. |
| 99 | +- Added `initialCallbackUrl` field with regex validation. |
| 100 | +- Added `deviceLinkBase` to session response. |
| 101 | +- Updated CertificateChoiceResponseMapper |
| 102 | + - Renamed to CertificateChoiceResponseValidator |
| 103 | + - Added CertificateValidator as dependency |
137 | 104 |
|
138 | | -### Changed |
139 | | -- Moved Smart-ID v3 related classes from ee.sk.smartid.v3 package to root ee.sk.smartid package. |
140 | | -- Removed all Smart-ID v2 related classes, tests, and documentation. |
141 | | -- Updated README to reflect removal of v2-related information. |
| 105 | +## Added linked signature session support |
| 106 | + |
| 107 | +- Added endpoint for creating linked signature session `POST /v3/signature/notification/linked/{document-number}`. |
| 108 | +- Added builder to create linked signature session request `LinkedSignatureSessionRequestBuilder`. |
| 109 | +- Added request LinkedSignatureSessionRequest and LinkedSignatureSessionResponse. |
| 110 | + |
| 111 | +### Updated notification-based authentication to work with Smart-ID API v3.1 |
| 112 | + |
| 113 | +- Updated notification-based authentication session request creation to be usable with Smart-ID API v3.1 |
| 114 | +- Removed verificationCodeChoice interactions and related handling |
| 115 | +- Removed AuthenticationHash. |
| 116 | +- Added NotificationAuthenticationResponseValidator |
| 117 | + |
| 118 | +### Updated notification-based certificate choice to work with Smart-ID API v3.1 |
| 119 | + |
| 120 | +- Updated SmartIdRestConnector to use v3.1 notification-based certificate choice endpoint |
| 121 | +- Added NotificationCertificateChoiceSessionRequest |
| 122 | + |
| 123 | +### Updated notification-based signature to work with Smart-ID API v3.1 |
| 124 | + |
| 125 | +- Updated SmartIdRestConnector to use v3.1 notification-based signature endpoint |
| 126 | +- Added NotificationSignatureSessionRequest |
142 | 127 |
|
143 | 128 | ## [3.0] - 2023-10-14 |
144 | 129 |
|
|
0 commit comments