V3.1

.github/workflows/check.yaml

@@ -0,0 +1,40 @@
+name: Run dependency and spotbugs checks
+
+on:
+  workflow_run:
+    workflows: ["Run tests"]
+    types:
+      - completed
+  workflow_dispatch:
+
+permissions:
+    contents: read
+
+jobs:
+    run-checks:
+      name: Run dependency and spotbugs checks
+      runs-on: ubuntu-latest
+
+      steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup java
+        uses: actions/setup-java@v4
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+          cache: maven
+
+      - name: Run dependency check
+        run: |
+          ./mvnw -DossIndexUsername=${{ secrets.ossIndexUsername }} -DossIndexPassword=${{ secrets.ossIndexPassword }} -DnvdApiKey=${{ secrets.nvdApiKey }} org.owasp:dependency-check-maven:check
+
+      - name: Archive dependency report
+        uses: actions/upload-artifact@v4
+        with:
+          name: dependency-report
+          path: target/dependency-check-report.html
+
+      - name: Run spotbugs check
+        run: |
+          ./mvnw spotbugs:check    

.github/workflows/publish.yaml

@@ -0,0 +1,64 @@
+name: Publish to maven repository
+
+on:
+  release:
+    types:
+      - published
+
+permissions:
+  contents: read
+
+jobs:
+  package_and_publish:
+    name: Publish to maven repository
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Setup java SDK 17
+      uses: actions/setup-java@v4
+      with:
+        java-version: '17'
+        distribution: 'temurin'
+        cache: maven
+    -
+      name: Import GPG key
+      uses: crazy-max/ghaction-import-gpg@v6
+      with:
+        gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+        #passphrase: ${{ secrets.PASSPHRASE }}
+
+    - name: Create bundle and upload to oss.sonatype.org (staging)
+      # Fail on first error
+      run: |
+        set -e
+        version=${{ github.event.release.name }}
+        artifact=smart-id-java-client-$version
+        echo "[INFO] Artifact name: $artifact"
+        ./mvnw versions:set -DnewVersion="$version"
+        ./mvnw package -DskipTests
+        cd target
+        rm -rf ee/sk/smartid/smart-id-java-client/$version
+        mkdir -p ee/sk/smartid/smart-id-java-client/$version
+        cp $artifact.jar  ee/sk/smartid/smart-id-java-client/$version/ 
+        cp $artifact-sources.jar  ee/sk/smartid/smart-id-java-client/$version/                                        
+        cp $artifact-javadoc.jar  ee/sk/smartid/smart-id-java-client/$version/
+        cp ../pom.xml  ee/sk/smartid/smart-id-java-client/$version/$artifact.pom
+        cd ee/sk/smartid/smart-id-java-client/$version
+        gpg -ab $artifact.pom
+        gpg -ab $artifact.jar
+        gpg -ab $artifact-sources.jar
+        gpg -ab $artifact-javadoc.jar
+        find . -type f \( -name '*.jar' -o -name '*.pom' \) -exec sh -c 'for file; do sha256sum "$file" | cut -d " " -f 1 > "$file.sha256"; done' _ {} +
+        find . -type f \( -name '*.jar' -o -name '*.pom' \) -exec sh -c 'for file; do sha1sum "$file" | cut -d " " -f 1 > "$file.sha1"; done' _ {} +
+        find . -type f \( -name '*.jar' -o -name '*.pom' \) -exec sh -c 'for file; do md5sum "$file" | cut -d " " -f 1 > "$file.md5"; done' _ {} +
+        cd ../../../../../
+        zip bundle.zip ee/sk/smartid/smart-id-java-client/$version/*
+        CODE=$(curl -w "%{http_code}" -o curl_response.txt -s --request POST --verbose --header 'Authorization: Bearer ${{ secrets.SONATYPETOKEN }}' --form bundle=@bundle.zip https://central.sonatype.com/api/v1/publisher/upload) 
+        echo "[INFO] ------------------------------------------------------------------------"
+        echo "[INFO] Upload to central.sonatype.com ResponseCode: $CODE"
+        cat curl_response.txt
+        echo -e "\n[INFO] Login to central.sonatype.com for releasing $artifact"
+        echo "[INFO] ------------------------------------------------------------------------"
+        [[ $CODE == 201 ]] && exit 0 || exit 1 
+

.github/workflows/tests.yaml

@@ -0,0 +1,37 @@
+name: Run tests
+
+on:
+    push:
+      branches: [ "master", "v3.1" ]
+    pull_request:
+      branches: [ "master" ]
+
+permissions:
+    contents: read
+
+jobs:
+    run-tests:
+      runs-on: ubuntu-latest
+      strategy:
+        matrix:
+          java-version: ['17', '21']
+      name: Run tests with java SDK ${{ matrix.java-version }}
+
+      steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup java
+        uses: actions/setup-java@v4
+        with:
+          java-version: ${{ matrix.java-version }}
+          distribution: 'temurin'
+          cache: maven
+
+      - name: Check JAVA version (v${{ matrix.java-version }})
+        run: java -version
+
+      - name: Run tests
+        # Fail on first error
+        run: |
+          set -e
+          mvn test

CHANGELOG.md

@@ -1,7 +1,170 @@
 # Changelog
+
 All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [3.1-?] - TBD
+
+### Structural changes
+
+- Moved Smart-ID v3 related classes from ee.sk.smartid.v3 package to root ee.sk.smartid package.
+- Removed all Smart-ID v2 related classes, tests, and documentation.
+- Updated README to reflect removal of v2-related information.
+
+### Dynamic-link auth to device-link auth changes
+
+- Renamed dynamic-link authentication to device-link authentication.
+- Updated authentication endpoints to use /device-link/ paths.
+- Replaced `randomChallenge` with `rpChallenge` (Base64, length 44–88).
+- Replaced signature algorithm list with fixed `rsassa-pss`.
+- Added required `signatureAlgorithmParameters.hashAlgorithm` field with validation.
+- Converted interaction list to Base64 string and ensured no duplicates.
+- Added `initialCallbackUrl` field with regex validation.
+- Added `deviceLinkBase` to session response.
+- Added new exception `SmartIdRequestSetupException` to handle cases when invalid values are provided for building session request objects.
+- Replaced old dynamic content and authCode generation logic to match Smart-ID v3.1 authCode specification.
+- Introduced a `DeviceLinkBuilder` to generate device links.
+    - Validates required parameters such as `deviceLinkBase`, `version`, `deviceLinkType`, `sessionType`, `lang`, `elapsedSeconds` and `sessionToken`.
+    - Ensures `elapsedSeconds` is only used for QR_CODE flows.
+    - Moved `deviceLinkBase` to required input (no more default).
+    - Handles both unprotected device-link generation and HMAC-SHA256 based authCode calculation as per specification.
+    - New payload structure includes required and optional fields as per documentation.
+    - `schemeName` is now configurable (default is `"smart-id"`).
+    - Does not store `sessionSecret`, ensures it must be passed to the build method.
+- Removed deprecated dynamic link and QR code generation logic from old builders and helpers.
+
+- Updates to session status response
+    - Updated USER_REFUSED_INTERACTION responses and updated error handling for these cases.
+    - Added new `endResult` error responses (`PROTOCOL_FAILURE`, `EXPECTED_LINKED_SESSION`, `SERVER_ERROR`) with handling
+    - Added new fields: `userChallenge`, `flowType`, `signatureAlgorithmParameters`
+    - Renamed `interactionFlowUsed` to `interactionTypeUsed`.
+- Updated exception message of `DocumentUnusableException`
+- Added AccountUnusableException to handle ACCOUNT_UNUSABLE endResult from session status response
+- Updated AuthenticationSessionRequest and related classes to records.
+- Refactored loading of trusted CA certificates from AuthenticationResponseValidator to their own class `DefaultTrustedCACertStore`.
+    - Created to builder-classes for loading trusted CA certificates
+        - `FileTrustedCACertStoreBuilder` for loading trust anchors and intermediate CA certificates from truststore
+        - `DefaultTrustedCACertStoreBuilder` for creating DefaultTrustedCACertStore with preloaded certificates, also validates provided certificates
+- Update AuthenticationResponseValidator to DeviceLinkAuthenticationResponseValidator
+    - update signature value validation
+    - added additional certificate validations (validate certificate chain and certificate purpose)
+    - added validation for userChallenge and userChallengeVerifier in case of same device flows
+    - added validators QualifiedAuthenticationCertificatePurposeValidator and NonQualifiedAuthenticationCertificatePurposeValidator to validate
+      certificate purpose based on requested certificate level.
+
+- Added CallbackUrlUtil to generate callback URL with token and provides method to validate sessionSecretDigest
+
+### Added handling for querying certificate by document number
+
+- Added new endpoint: `POST /v3/signature/certificate/{document-number}`.
+- Added new builder CertificateByDocumentNumberRequestBuilder to create the request
+- Add new request objects CertificateByDocumentNumberRequest and response CertificateResponse
+- Removed notification-based certificate choice request with document number.
+
+### Updated dynamic-link signature to device-link signature
+
+- Renamed dynamic-link signature to device-link signature.
+- Updated signature endpoints to use /device-link/ paths.
+- Replaced signature algorithm list with fixed `rsassa-pss`.
+- Added required `signatureAlgorithmParameters.hashAlgorithm` field with validation.
+- Converted interaction list to Base64 string and ensured no duplicates.
+- Added `initialCallbackUrl` field with regex validation.
+- Added `deviceLinkBase` to session response.
+- Removed HashType and update SignableHash and SignableData to use HashAlgorithm
+- Update signature session-status validations
+    - Signature
+        - `signature.value` must match `^[A-Za-z0-9+/]+={0,2}$`.
+        - Allowed `flowType`: QR · App2App · Web2App · Notification.
+        - Fixed `signatureAlgorithm` to `rsassa-pss`.
+        - `signatureAlgorithmParameters`
+            - `hashAlgorithm`: `SHA-256/384/512, SHA3-256/384/512`.
+            - `maskGenAlgorithm.algorithm`: `id-mgf1` & its `hashAlgorithm` must equal the main hash.
+            - `saltLength`: 32 / 48 / 64 bytes to match chosen hash algorithm octet length.
+            - `trailerField`: `0xbc`.
+
+    - Certificate
+        - Must be a Smart-ID *signature* certificate:
+            - `CertificatePolicies (2.5.29.32)` contain either `qualified``1.3.6.1.4.1.10015.17.2`, `0.4.0.194112.1.2`or
+              `non-qualified``1.3.6.1.4.1.10015.17.1`, `0.4.0.2042.1.1`.
+            - `KeyUsage (2.5.29.15)` – NonRepudiation bit set.
+            - `QC-Statement (1.3.6.1.5.5.7.1.3)` contains `0.4.0.1862.1.6.1`.
+
+- Extracted common certificate validation logic into `CertificateValidator` and will be used by `AuthenticationResponseValidator` and
+  `SignatureResponseValidator`.
+
+## Update dynamic-link certificate choice to device-link certificate choice
+
+- Renamed dynamic-link certificate choice to device-link certificate choice.
+- Updated certificate choice endpoint to use /device-link/ paths.
+- Added `initialCallbackUrl` field with regex validation.
+- Added `deviceLinkBase` to session response.
+- Updated CertificateChoiceResponseMapper
+    - Renamed to CertificateChoiceResponseValidator
+    - Added CertificateValidator as dependency
+
+## Added linked signature session support
+
+- Added endpoint for creating linked signature session `POST /v3/signature/notification/linked/{document-number}`.
+- Added builder to create linked signature session request `LinkedSignatureSessionRequestBuilder`.
+- Added request LinkedSignatureSessionRequest and LinkedSignatureSessionResponse.
+
+### Updated notification-based authentication to work with Smart-ID API v3.1
+
+- Updated notification-based authentication session request creation to be usable with Smart-ID API v3.1
+- Removed verificationCodeChoice interactions and related handling
+- Removed AuthenticationHash.
+- Added NotificationAuthenticationResponseValidator
+
+### Updated notification-based certificate choice to work with Smart-ID API v3.1
+
+- Updated SmartIdRestConnector to use v3.1 notification-based certificate choice endpoint
+- Added NotificationCertificateChoiceSessionRequest
+
+### Updated notification-based signature to work with Smart-ID API v3.1
+
+- Updated SmartIdRestConnector to use v3.1 notification-based signature endpoint
+- Added NotificationSignatureSessionRequest
+
+## [3.0] - 2023-10-14
+
+### Added
+- Support for handling RP API v3.0 requests. View V3 section in README.md for more information. Related classes can be found in the ee.sk.smartid.v3
+  package.
+  - New builder classes to start v3 sessions:
+    - DynamicLinkAuthenticationSessionRequestBuilder
+    - DynamicLinkCertificateChoiceSessionRequestBuilder
+    - DynamicLinkSignatureSessionRequestBuilder
+    - NotificationAuthenticationSessionRequestBuilder
+    - NotificationCertificateChoiceSessionRequestBuilder
+    - NotificationSignatureSessionRequestBuilder
+  - Helper class for dynamic link
+    - AuthCode - used for generating authCode necessary for dynamic-link
+    - QrCodeGenerator - to create QR-code from dynamic-link
+    - DynamicContentBuilder - to create dynamic link or QR-code
+  - Support for sessions status request handling for the v3 path.
+    - Added AuthenticationResponseMapper for validating required fields and mapping session status to authentication response 
+    - Added AuthenticationResponseValidator to validate certificate and signed authentication response and construct AuthenticationIdentity
+    - Added SignatureResponseMapper for validating required fields and mapping session status to signature response
+    - Added CertificateChoiceResponseMapper for validating required fields and mapping session status to certificate choice response
+
+### Changed
+- Most of the existing code for RP API v2.0 has been moved into the ee.sk.smartid.v2 package for clarity.
+- Replaced deprecated `X509Certificate::getSubjectDN()` with `X509Certificate::getSubjectX500Principal()`
+- Typo fixes, code cleanup and improvements
+- Modified NationalIdentityNumberUtil to handle LV person codes with prefixes 33-39 without throwing an exception during parsing.
+
+### Removed
+- Removed deprecated methods from AuthenticationIdentity
+
+### Java and dependency updates
+- Updated minimal supported java to version 17
+- Updated slf4j-api to version 2.0.16
+- Updated jackson dependencies to version 2.17.2
+- Added jakarta.ws.rs:jakarta.ws.rs-api
+- Updated jersey dependencies to version 3.1.8
+- Updated bouncy-castle artifact to bcprov-jdk18on on version 1.78.1
+- Updated jaxb-runtime to version 4.0.5
+
 ## [2.3] - 2023-05-06
 - To request the IP address of the device running Smart-ID app, the following methods were added:
   - AuthenticationRequestBuilder.withShareMdClientIpAddress(boolean)
@@ -41,7 +204,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Added
 - [SmartIdAuthenticationResponse.getDeviceIpAddress()](src/main/java/ee/sk/smartid/SmartIdAuthenticationResponse.java#:~:text=getDeviceIpAddress())
 - [SmartIdSignature.getDeviceIpAddress()](src/main/java/ee/sk/smartid/SmartIdSignature.java#:~:text=getDeviceIpAddress())
-- [SessionStatus.getDeviceIpAddress()](src/main/java/ee/sk/smartid/rest/dao/SessionStatus.java#:~:text=getDeviceIpAddress())
+- [SessionStatus.getDeviceIpAddress()](src/main/java/ee/sk/smartid/v2/rest/dao/SessionStatus.java#:~:text=getDeviceIpAddress())
 
 ## [2.1.4] - 2022-01-14