Update notification based certificate choice to use v3.1 endpoint (#140)

* SLIB-126 - add util to create callbackUrl with url-token

* SLIB-126 - move UrlSafeTokenGenerator and CallbackUrl to common package

* SLIB-113 - update notification-based certificate choice path and request object; update relying party UUID used in test data

* SLIB-113 - update notification-based certificate choice builder validations to new standard; activate integrations tests with DEMO environment for notification-based flows

* SLIB-113 - improve notification-based certificate choice example and Readme test

* SLIB-113 - add handling for ACCOUNT_UNUSABLE end result

* SLIB-113 - update notification-based certificate choice builder to use SmartIdRequestSetupException and improve javadoc

* SLIB-113 - move UrlSafeTokenGeneratorTest to correct package; fix incorrect validation

* SLIB-113 - remove todos

* SLIB-113 - improve code style in NotificationCertificateChoiceSessionRequestBuilderTest

Author: umuser

CHANGELOG.md

@@ -4,6 +4,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 Changes mentioned under 3.1.x version have not been published yet. Will be released when v3.1 is stable.
 
+## [3.1.16] - 2025-10-04
+- Updated SmartIdRestConnector to use v3.1 notification-based certificate choice endpoint
+- Added AccountUnusableException to handle ACCOUNT_UNUSABLE endResult from session status response
+
 ## [3.1.15] - 2025-09-17 
 - Added CallbackUrlUtil to generate callback URL with token and provides method to validate sessionSecretDigest
 - Updated DeviceLinkAuthenticationResponseValidator to also validate userChallenge and userChallengeVerifier same device flows.

README.md

@@ -1178,9 +1178,6 @@ Jump to [Query session status](#example-of-using-session-status-poller-to-query-
 
 ### Notification-based certificate choice session
 
-> [!CAUTION]
-> The notification-based certificate choice has not yet been updated to be used with Smart-ID API v3.1
-
 #### Request parameters
 
 * `relyingPartyUUID`: Required. UUID of the Relying Party.
@@ -1206,10 +1203,12 @@ SemanticsIdentifier semanticsIdentifier = new SemanticsIdentifier(
         SemanticsIdentifier.CountryCode.EE, // 2 character ISO 3166-1 alpha-2 country code
         "40504040001"); // identifier (according to country and identity type reference)
 
+// Use requested certificate level to validate certificate choice session status OK response. 
+CertificateLevel requestedCertificateLevel = CertificateLevel.QSCD; // Certificate level can either be "QUALIFIED", "ADVANCED" or "QSCD"
 NotificationCertificateChoiceSessionResponse certificateChoiceSessionResponse = client
         .createNotificationCertificateChoice()
         .withSemanticsIdentifier(semanticsIdentifier)
-        .withCertificateLevel(CertificateLevel.QSCD) // Certificate level can either be "QUALIFIED", "ADVANCED" or "QSCD"
+        .withCertificateLevel(requestedCertificateLevel) 
         .initCertificateChoice();
 
 String sessionId = certificateChoiceSessionResponse.sessionID();
@@ -1431,6 +1430,7 @@ Exception Categories
   These exceptions handle issues related to the user's Smart-ID account or session requirements.
   * `CertificateLevelMismatchException` Thrown when the returned certificate level does not meet the requested level.
   * `DocumentUnusableException` Indicates that the requested document cannot be used for the operation.
+  * `UserAccountUnusableException` Thrown when the user's Smart-ID account is not currently usable for the requested operation.
 * Validation and Parsing Exceptions
   These exceptions arise during validation or parsing operations within the library.
   * `CertificateParsingException` Thrown when the X.509 certificate cannot be parsed.
@@ -1499,7 +1499,7 @@ ResteasyClient resteasyClient = new ResteasyClientBuilder()
         .build();
 
 SmartIdClient client = new SmartIdClient();
-client.setRelyingPartyUUID("00000000-0000-0000-0000-000000000000");
+client.setRelyingPartyUUID("00000000-0000-4000-8000-000000000000");
 client.setRelyingPartyName("DEMO");
 client.setHostUrl("https://sid.demo.sk.ee/smart-id-rp/v3/");
 client.setConfiguredClient(resteasyClient);

src/main/java/ee/sk/smartid/DeviceLinkCertificateChoiceSessionRequestBuilder.java

@@ -33,7 +33,7 @@
 import ee.sk.smartid.exception.UnprocessableSmartIdResponseException;
 import ee.sk.smartid.exception.permanent.SmartIdRequestSetupException;
 import ee.sk.smartid.rest.SmartIdConnector;
-import ee.sk.smartid.rest.dao.CertificateChoiceSessionRequest;
+import ee.sk.smartid.rest.dao.DeviceLinkCertificateChoiceSessionRequest;
 import ee.sk.smartid.rest.dao.DeviceLinkSessionResponse;
 import ee.sk.smartid.rest.dao.RequestProperties;
 import ee.sk.smartid.util.StringUtil;
@@ -150,8 +150,8 @@ public DeviceLinkCertificateChoiceSessionRequestBuilder withInitialCallbackUrl(S
      */
     public DeviceLinkSessionResponse initCertificateChoice() {
         validateRequestParameters();
-        CertificateChoiceSessionRequest certificateChoiceSessionRequest = createCertificateRequest();
-        DeviceLinkSessionResponse deviceLinkCertificateChoiceSessionResponse = connector.initDeviceLinkCertificateChoice(certificateChoiceSessionRequest);
+        DeviceLinkCertificateChoiceSessionRequest deviceLinkCertificateChoiceSessionRequest = createCertificateRequest();
+        DeviceLinkSessionResponse deviceLinkCertificateChoiceSessionResponse = connector.initDeviceLinkCertificateChoice(deviceLinkCertificateChoiceSessionRequest);
         validateResponseParameters(deviceLinkCertificateChoiceSessionResponse);
         return deviceLinkCertificateChoiceSessionResponse;
     }
@@ -169,8 +169,8 @@ private void validateRequestParameters() {
         validateInitialCallbackUrl();
     }
 
-    private CertificateChoiceSessionRequest createCertificateRequest() {
-        return new CertificateChoiceSessionRequest(
+    private DeviceLinkCertificateChoiceSessionRequest createCertificateRequest() {
+        return new DeviceLinkCertificateChoiceSessionRequest(
                 relyingPartyUUID,
                 relyingPartyName,
                 certificateLevel != null ? certificateLevel.name() : null,

src/main/java/ee/sk/smartid/ErrorResultHandler.java

@@ -35,6 +35,7 @@
 import ee.sk.smartid.exception.permanent.SmartIdServerException;
 import ee.sk.smartid.exception.useraccount.DocumentUnusableException;
 import ee.sk.smartid.exception.useraccount.RequiredInteractionNotSupportedByAppException;
+import ee.sk.smartid.exception.useraccount.UserAccountUnusableException;
 import ee.sk.smartid.exception.useraction.SessionTimeoutException;
 import ee.sk.smartid.exception.useraction.UserRefusedCertChoiceException;
 import ee.sk.smartid.exception.useraction.UserRefusedConfirmationMessageException;
@@ -77,6 +78,7 @@ public static void handle(SessionResult sessionResult) {
             case "PROTOCOL_FAILURE" -> throw new ProtocolFailureException();
             case "EXPECTED_LINKED_SESSION" -> throw new ExpectedLinkedSessionException();
             case "SERVER_ERROR" -> throw new SmartIdServerException();
+            case "ACCOUNT_UNUSABLE" -> throw new UserAccountUnusableException();
             default -> throw new UnprocessableSmartIdResponseException("Unexpected session result: " + sessionResult.getEndResult());
         }
     }

src/main/java/ee/sk/smartid/NotificationCertificateChoiceSessionRequestBuilder.java

@@ -28,23 +28,23 @@
 
 import java.util.Set;
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
 import ee.sk.smartid.exception.UnprocessableSmartIdResponseException;
 import ee.sk.smartid.exception.permanent.SmartIdClientException;
+import ee.sk.smartid.exception.permanent.SmartIdRequestSetupException;
 import ee.sk.smartid.rest.SmartIdConnector;
-import ee.sk.smartid.rest.dao.CertificateChoiceSessionRequest;
+import ee.sk.smartid.rest.dao.NotificationCertificateChoiceSessionRequest;
 import ee.sk.smartid.rest.dao.NotificationCertificateChoiceSessionResponse;
 import ee.sk.smartid.rest.dao.RequestProperties;
 import ee.sk.smartid.rest.dao.SemanticsIdentifier;
 import ee.sk.smartid.util.StringUtil;
 
+/**
+ * Builder for notification-based certificate choice session requests
+ */
 public class NotificationCertificateChoiceSessionRequestBuilder {
 
-    private static final Logger logger = LoggerFactory.getLogger(NotificationCertificateChoiceSessionRequestBuilder.class);
-
     private final SmartIdConnector connector;
+
     private String relyingPartyUUID;
     private String relyingPartyName;
     private CertificateLevel certificateLevel;
@@ -142,72 +142,53 @@ public NotificationCertificateChoiceSessionRequestBuilder withSemanticsIdentifie
     }
 
     /**
-     * Sends the notification request and get the init session response
-     * <p>
-     * There are 2 supported ways to start authentication session:
-     * <ul>
-     *     <li>with semantics identifier by using {@link #withSemanticsIdentifier(SemanticsIdentifier)}</li>
-     * </ul>
+     * Initializes a notification-based certificate choice session
      *
      * @return init session response
+     * @throws SmartIdRequestSetupException          whe the provided request parameters are invalid
+     * @throws UnprocessableSmartIdResponseException when the response is missing required parameters
+     * @throws SmartIdClientException                when the request could not be sent
      */
     public NotificationCertificateChoiceSessionResponse initCertificateChoice() {
         validateRequestParameters();
-        CertificateChoiceSessionRequest request = createCertificateChoiceRequest();
+        NotificationCertificateChoiceSessionRequest request = createCertificateChoiceRequest();
         NotificationCertificateChoiceSessionResponse notificationCertificateChoiceSessionResponse = initCertificateChoiceSession(request);
         validateResponseParameters(notificationCertificateChoiceSessionResponse);
         return notificationCertificateChoiceSessionResponse;
     }
 
-    private NotificationCertificateChoiceSessionResponse initCertificateChoiceSession(CertificateChoiceSessionRequest request) {
+    private NotificationCertificateChoiceSessionResponse initCertificateChoiceSession(NotificationCertificateChoiceSessionRequest request) {
         if (semanticsIdentifier == null) {
-            throw new SmartIdClientException("SemanticsIdentifier must be set.");
+            throw new SmartIdRequestSetupException("Value for 'semanticIdentifier' must be set");
         }
         return connector.initNotificationCertificateChoice(request, semanticsIdentifier);
     }
 
     private void validateRequestParameters() {
         if (StringUtil.isEmpty(relyingPartyUUID)) {
-            logger.error("Parameter relyingPartyUUID must be set");
-            throw new SmartIdClientException("Parameter relyingPartyUUID must be set");
+            throw new SmartIdRequestSetupException("Value for 'relyingPartyUUID' cannot be empty");
         }
         if (StringUtil.isEmpty(relyingPartyName)) {
-            logger.error("Parameter relyingPartyName must be set");
-            throw new SmartIdClientException("Parameter relyingPartyName must be set");
+            throw new SmartIdRequestSetupException("Value for 'relyingPartyName' cannot be empty");
+        }
+        if (nonce != null && (nonce.isEmpty() || nonce.length() > 30)) {
+            throw new SmartIdRequestSetupException("Value for 'nonce' length must be between 1 and 30 characters");
         }
-        validateNonce();
     }
 
-    private CertificateChoiceSessionRequest createCertificateChoiceRequest() {
-        return new CertificateChoiceSessionRequest(
+    private NotificationCertificateChoiceSessionRequest createCertificateChoiceRequest() {
+        return new NotificationCertificateChoiceSessionRequest(
                 relyingPartyUUID,
                 relyingPartyName,
                 certificateLevel != null ? certificateLevel.name() : null,
                 nonce,
                 capabilities,
-                shareMdClientIpAddress != null ? new RequestProperties(shareMdClientIpAddress) : null,
-                null
-        );
-    }
-
-    private void validateNonce() {
-        if (nonce == null) {
-            return;
-        }
-        if (nonce.isEmpty()) {
-            logger.error("Parameter nonce value has to be at least 1 character long");
-            throw new SmartIdClientException("Parameter nonce value has to be at least 1 character long");
-        }
-        if (nonce.length() > 30) {
-            logger.error("Nonce cannot be longer that 30 chars");
-            throw new SmartIdClientException("Nonce cannot be longer that 30 chars");
-        }
+                shareMdClientIpAddress != null ? new RequestProperties(shareMdClientIpAddress) : null);
     }
 
     private void validateResponseParameters(NotificationCertificateChoiceSessionResponse notificationCertificateChoiceSessionResponse) {
         if (StringUtil.isEmpty(notificationCertificateChoiceSessionResponse.getSessionID())) {
-            logger.error("Session ID is missing from the response");
-            throw new UnprocessableSmartIdResponseException("Session ID is missing from the response");
+            throw new UnprocessableSmartIdResponseException("Notification-based certificate choice response field 'sessionID' is missing or empty");
         }
     }
 }

src/main/java/ee/sk/smartid/exception/useraccount/UserAccountUnusableException.java

@@ -0,0 +1,37 @@
+package ee.sk.smartid.exception.useraccount;
+
+/*-
+ * #%L
+ * Smart ID sample Java client
+ * %%
+ * Copyright (C) 2018 - 2025 SK ID Solutions AS
+ * %%
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ * #L%
+ */
+
+import ee.sk.smartid.exception.UserAccountException;
+
+
+public class UserAccountUnusableException extends UserAccountException {
+
+    public UserAccountUnusableException() {
+        super("The account is currently unusable");
+    }
+}

src/main/java/ee/sk/smartid/rest/SmartIdConnector.java

@@ -33,17 +33,18 @@
 
 import ee.sk.smartid.exception.SessionNotFoundException;
 import ee.sk.smartid.rest.dao.CertificateByDocumentNumberRequest;
+import ee.sk.smartid.rest.dao.DeviceLinkCertificateChoiceSessionRequest;
 import ee.sk.smartid.rest.dao.CertificateResponse;
+import ee.sk.smartid.rest.dao.DeviceLinkAuthenticationSessionRequest;
+import ee.sk.smartid.rest.dao.DeviceLinkSessionResponse;
 import ee.sk.smartid.rest.dao.LinkedSignatureSessionRequest;
 import ee.sk.smartid.rest.dao.LinkedSignatureSessionResponse;
 import ee.sk.smartid.rest.dao.NotificationAuthenticationSessionRequest;
-import ee.sk.smartid.rest.dao.SemanticsIdentifier;
-import ee.sk.smartid.rest.dao.DeviceLinkAuthenticationSessionRequest;
-import ee.sk.smartid.rest.dao.CertificateChoiceSessionRequest;
-import ee.sk.smartid.rest.dao.DeviceLinkSessionResponse;
 import ee.sk.smartid.rest.dao.NotificationAuthenticationSessionResponse;
+import ee.sk.smartid.rest.dao.NotificationCertificateChoiceSessionRequest;
 import ee.sk.smartid.rest.dao.NotificationCertificateChoiceSessionResponse;
 import ee.sk.smartid.rest.dao.NotificationSignatureSessionResponse;
+import ee.sk.smartid.rest.dao.SemanticsIdentifier;
 import ee.sk.smartid.rest.dao.SessionStatus;
 import ee.sk.smartid.rest.dao.SignatureSessionRequest;
 
@@ -72,7 +73,7 @@ public interface SmartIdConnector extends Serializable {
      * @param request CertificateChoiceSessionRequest containing necessary parameters
      * @return DeviceLinkSessionResponse containing sessionID, sessionToken, sessionSecret and deviceLinkBase URL.
      */
-    DeviceLinkSessionResponse initDeviceLinkCertificateChoice(CertificateChoiceSessionRequest request);
+    DeviceLinkSessionResponse initDeviceLinkCertificateChoice(DeviceLinkCertificateChoiceSessionRequest request);
 
     /**
      * Initiates a linked notification based signature session.
@@ -86,15 +87,15 @@ public interface SmartIdConnector extends Serializable {
      * Initiates a notification based certificate choice request.
      *
      * @param request             CertificateChoiceSessionRequest containing necessary parameters
-     * @param semanticsIdentifier The semantics identifier
+     * @param semanticsIdentifier The semantics identifier to be used for the session
      * @return NotificationCertificateChoiceSessionResponse containing sessionID
      */
-    NotificationCertificateChoiceSessionResponse initNotificationCertificateChoice(CertificateChoiceSessionRequest request, SemanticsIdentifier semanticsIdentifier);
+    NotificationCertificateChoiceSessionResponse initNotificationCertificateChoice(NotificationCertificateChoiceSessionRequest request, SemanticsIdentifier semanticsIdentifier);
 
     /**
      * Queries signing certificate by document number.
      *
-     * @param request CertificateByDocumentNumberRequest containing necessary parameters
+     * @param request        CertificateByDocumentNumberRequest containing necessary parameters
      * @param documentNumber The document number
      * @return CertificateResponse containing response state and certificate information.
      */

src/main/java/ee/sk/smartid/rest/SmartIdRestConnector.java

@@ -45,14 +45,15 @@
 import ee.sk.smartid.exception.useraccount.PersonShouldViewSmartIdPortalException;
 import ee.sk.smartid.exception.useraccount.UserAccountNotFoundException;
 import ee.sk.smartid.rest.dao.CertificateByDocumentNumberRequest;
-import ee.sk.smartid.rest.dao.CertificateChoiceSessionRequest;
+import ee.sk.smartid.rest.dao.DeviceLinkCertificateChoiceSessionRequest;
 import ee.sk.smartid.rest.dao.CertificateResponse;
 import ee.sk.smartid.rest.dao.DeviceLinkAuthenticationSessionRequest;
 import ee.sk.smartid.rest.dao.DeviceLinkSessionResponse;
 import ee.sk.smartid.rest.dao.LinkedSignatureSessionRequest;
 import ee.sk.smartid.rest.dao.LinkedSignatureSessionResponse;
 import ee.sk.smartid.rest.dao.NotificationAuthenticationSessionRequest;
 import ee.sk.smartid.rest.dao.NotificationAuthenticationSessionResponse;
+import ee.sk.smartid.rest.dao.NotificationCertificateChoiceSessionRequest;
 import ee.sk.smartid.rest.dao.NotificationCertificateChoiceSessionResponse;
 import ee.sk.smartid.rest.dao.NotificationSignatureSessionResponse;
 import ee.sk.smartid.rest.dao.SemanticsIdentifier;
@@ -85,7 +86,7 @@ public class SmartIdRestConnector implements SmartIdConnector {
     private static final String DEVICE_LINK_CERTIFICATE_CHOICE_DEVICE_LINK_PATH = "signature/certificate-choice/device-link/anonymous";
     private static final String LINKED_NOTIFICATION_SIGNATURE_WITH_DOCUMENT_NUMBER_PATH = "signature/notification/linked";
 
-    private static final String NOTIFICATION_CERTIFICATE_CHOICE_WITH_SEMANTIC_IDENTIFIER_PATH = "/certificatechoice/notification/etsi";
+    private static final String NOTIFICATION_CERTIFICATE_CHOICE_WITH_SEMANTIC_IDENTIFIER_PATH = "signature/certificate-choice/notification/etsi";
 
     private static final String CERTIFICATE_BY_DOCUMENT_NUMBER_PATH = "/signature/certificate/";
 
@@ -186,7 +187,7 @@ public NotificationAuthenticationSessionResponse initNotificationAuthentication(
     }
 
     @Override
-    public DeviceLinkSessionResponse initDeviceLinkCertificateChoice(CertificateChoiceSessionRequest request) {
+    public DeviceLinkSessionResponse initDeviceLinkCertificateChoice(DeviceLinkCertificateChoiceSessionRequest request) {
         logger.debug("Initiating device link based certificate choice request");
         URI uri = UriBuilder
                 .fromUri(endpointUrl)
@@ -207,7 +208,7 @@ public LinkedSignatureSessionResponse initLinkedNotificationSignature(LinkedSign
     }
 
     @Override
-    public NotificationCertificateChoiceSessionResponse initNotificationCertificateChoice(CertificateChoiceSessionRequest request, SemanticsIdentifier semanticsIdentifier) {
+    public NotificationCertificateChoiceSessionResponse initNotificationCertificateChoice(NotificationCertificateChoiceSessionRequest request, SemanticsIdentifier semanticsIdentifier) {
         URI uri = UriBuilder
                 .fromUri(endpointUrl)
                 .path(NOTIFICATION_CERTIFICATE_CHOICE_WITH_SEMANTIC_IDENTIFIER_PATH)