Releases: a-sit-plus/vck

5.12.0

23 Apr 14:40

Release 5.12.0 of VC-K supports issuance of credentials over the Digital Credentials API, improves validation of Verifiable Presentations and DCQL submissions, changes the handling of W3C JWT VCs and supports Wallet Instance Attestations and Key Attestations.

  • W3C JWT VC:
    • Presentation validation: Now verifies that the subject field contains the VP issuer's public key (VC holder's public key).
    • Replaced CredentialSubject abstract class with JsonElement for W3C VC credentialSubject field. Polymorphic deserialization using type discriminator is unreliable since W3C Data Model Spec 1.1 doesn't guarantee this field's presence.
    • Deprecate LibraryInitializer.registerExtensionLibrary overloads that take a SerializersModule; use the overloads without it.
  • Digital Credentials API:
    • Add issuance data classes: CredentialCreationOptions, DigitalCredentialCreationOptions, DigitalCredentialCreateRequest, DigitalCredentialOfferReturn, and DigitalCredentialOfferReturnData. These classes are based on a preliminary specification and are subject to change.
    • Add CredentialRequestOptions.create() method which automatically sets mediation to required and takes the list of requests, make the default constructor private.
    • Change: DCAPIWalletRequest now exposes and serializes credentialIds; deprecated single-ID constructors keep the old call shape available.
  • ISO mdoc:
    • Preserve Document.errors in parsed ISO document results instead of failing validation
    • Add data classes from ISO/IEC 18013-5 from 2026 update
    • BREAKING Change: Return type of Iso180137AnnexCVerifier.validateResponse from Iso180137AnnexCResponseResult to reworked KmmResult<Iso180137AnnexCVerifiedPresentationResult>
  • OpenID for Verifiable Presentations:
    • Change: Executing unsatisfiable DCQL queries no longer throws on matching, only on submission.
    • Change: Holder.matchInputDescriptorsAgainstCredentialStoreV2 now accepts filterByIds: Collection<String>? for multi-credential DC API selections.
    • Change: Update DCQLClaimsQuery and DCQLCredentialQuery to OpenID4VP 1.0
    • Change: Do not fail when only matching credentials without submitting a presentation
    • Allow issuance and verification of IdentifierList Revocation Mechanism
    • Change: Don't send response on user initiated signature cancellation
    • BREAKING CHANGE: The result type from verifyAuthnResponse, AuthnResponseResult has been reworked to a data class
    • DCQL: Add custom credential types and proper satisfaction evaluation
    • Add: DCQL submission requirements validation
    • Add VerifierMetadataMode for OpenId4VpRequestOptions to provide them out-of-band when necessary, e.g. for Age Verification
    • Change: When no cryptographic holder binding is required, present raw W3C Verifiable Credentials
    • Change: When no cryptographic holder binding is required and no holder binding is available in SdJwt credentials, still accept those credentials
    • Change: OpenId4VPRequestOptions now transports a presentation request directly instead of credentials and presentation mechanism
    • Change: Return type of Verifier.verifyPresentationSdJwt from VerifyPresentationResult to KmmResult<VerifyPresentationResult.SuccessSdJwt>
    • Change: Return type of Verifier.verifyPresentationVcJwt from VerifyPresentationResult to KmmResult<VerifyPresentationResult.Success>
    • Change: Return type of Verifier.verifyPresentationIsoMdoc from VerifyPresentationResult to KmmResult<VerifyPresentationResult.SuccessIso>
    • Add: Verifier.verifyUnsignedVcJws
    • Add: AuthnResponseResult.SuccessUnsigned
    • Add: CreatePresentationResult.VcJws
    • Rename: CreatePresentationResult.Signed to CreatePresentationResult.VpJws
  • OAuth 2.0:
    • In SimpleAuthorizationService implement JWT Response for OAuth Token Introspection (RFC 9701)
    • In SimpleAuthorizationService deprecate credentialOffer* methods to prevent configuration identifier mismatches
    • In SimpleAuthorizationService add offer* methods to take pairs of credential schemes and representations
  • OpenID for Verifiable Credential Issuance:
    • Moved the class RefreshTokenInfo from OpenId4VciClient to SubjectCredentialStore.kt and renamed it to CredentialRenewalInfo to better describe its role in the renewal process.
      Kept RefreshTokenInfo in the original package for backward compatibility
    • Added CredentialRenewalInfo to SubjectCredentialStore.StoreEntry
    • Added support for refresh tokens in BearerTokenService
    • Add method loadUnitAttestationPop to WalletService
    • Add data class LoadUnitAttestationPopInput to WalletService
    • Deprecate OAuth2KtorClient methods loadClientAttestationJwt and signClientAttestationPop, point to loadInstanceAttestation and loadInstanceAttestationPop
    • Deprecate WalletService method loadKeyAttestation, point to loadUnitAttestationPop
    • Change method ProofValidator.verifyAttestationProof to suspend
    • Add member statusListTokenResolver to CredentialIssuer
    • Add member preferredTtl to KeyAttestationRequired
  • SD-JWT:
    • Fix presentation of nested claims with the last name segment being present in structures with different names (e.g. country in place_of_birth and address)
  • Dependencies:
    • Update to Signum 3.21.0 fixing CBOR parsing and tolerating cursed X.509 certificate encodings
    • Remove code elements deprecated in 5.11.0
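The two DCQL items above (matching no longer throws on an unsatisfiable query, only submission does; credential sets get proper satisfaction evaluation) are easiest to see in code. The following is an added example written for this page, not VC-K's implementation: a minimal DCQL evaluator over a constructed query and a constructed wallet. The query, the wallet entries and the simplified credential-set rule it applies (each required set needs one option whose credential queries all have a candidate) are assumptions of the example.

```python
# Added example (not VC-K code): DCQL matching versus submission.
# Matching reports which stored credentials satisfy each credential query and never raises;
# only the submission step rejects a query that cannot be satisfied.
import json

# Constructed DCQL query in OpenID4VP 1.0 shape: a PID or an mDL is required,
# a photo credential is optional.
QUERY = json.loads("""
{
  "credentials": [
    {"id": "pid", "format": "dc+sd-jwt",
     "meta": {"vct_values": ["urn:eudi:pid:1"]},
     "claims": [{"path": ["given_name"]}, {"path": ["age_equal_or_over", "18"]}]},
    {"id": "mdl", "format": "mso_mdoc",
     "meta": {"doctype_value": "org.iso.18013.5.1.mDL"},
     "claims": [{"path": ["org.iso.18013.5.1", "driving_privileges"]}]},
    {"id": "photo", "format": "dc+sd-jwt",
     "meta": {"vct_values": ["urn:example:photo"]},
     "claims": [{"path": ["portrait"]}]}
  ],
  "credential_sets": [
    {"options": [["pid"], ["mdl"]]},
    {"options": [["photo"]], "required": false}
  ]
}
""")

# Constructed wallet contents: format, type identifier and the claim paths each credential carries.
WALLET = [
    {"id": "cred-1", "format": "dc+sd-jwt", "vct": "urn:eudi:pid:1",
     "claims": {("given_name",), ("family_name",), ("age_equal_or_over", "18")}},
    {"id": "cred-2", "format": "mso_mdoc", "doctype": "org.iso.18013.5.1.mDL",
     "claims": {("org.iso.18013.5.1", "family_name")}},  # no driving_privileges
]


def meta_matches(cq, cred):
    """Format plus the format-specific meta check: vct for SD-JWT VC, doctype for mdoc."""
    if cq["format"] != cred["format"]:
        return False
    meta = cq.get("meta", {})
    if cq["format"] == "dc+sd-jwt":
        return cred.get("vct") in meta.get("vct_values", [])
    if cq["format"] == "mso_mdoc":
        return cred.get("doctype") == meta.get("doctype_value")
    return False  # other formats are out of scope for this example


def claims_satisfied(cq, cred):
    """Every requested claim path must be present; no "claims" means any claims are fine."""
    return all(tuple(c["path"]) in cred["claims"] for c in cq.get("claims", []))


def match(query, wallet):
    """Matching phase: candidate credential ids per credential query id.
    An empty candidate list is a normal result, not an error."""
    return {
        cq["id"]: [c["id"] for c in wallet if meta_matches(cq, c) and claims_satisfied(cq, c)]
        for cq in query["credentials"]
    }


def evaluate(query, matches):
    """Credential-set evaluation (simplified from OpenID4VP 1.0 for this example).
    Without credential_sets every credential query is required; with them, each
    required set needs one option whose ids all have a candidate."""
    sets = query.get("credential_sets")
    if sets is None:
        sets = [{"options": [[cq["id"] for cq in query["credentials"]]]}]
    selection = {}
    for cs in sets:
        chosen = next((opt for opt in cs["options"] if all(matches.get(i) for i in opt)), None)
        if chosen is None:
            if cs.get("required", True):
                return False, {}
            continue
        for i in chosen:
            selection[i] = matches[i][0]  # first candidate; a real wallet lets the user choose
    return True, selection


def submit(query, wallet):
    """Submission phase: the only place where an unsatisfiable query is an error."""
    ok, selection = evaluate(query, match(query, wallet))
    if not ok:
        raise ValueError("DCQL query cannot be satisfied with the available credentials")
    return selection


if __name__ == "__main__":
    print(match(QUERY, WALLET))   # {'pid': ['cred-1'], 'mdl': [], 'photo': []}
    print(submit(QUERY, WALLET))  # {'pid': 'cred-1'}
    strict = {"credentials": QUERY["credentials"]}  # no credential_sets: everything required
    print(match(strict, WALLET))  # still returns, no exception
    try:
        submit(strict, WALLET)
    except ValueError as e:
        print("submission rejected:", e)
```

Keeping the matching phase side-effect free and non-throwing is what lets a wallet render "nothing matches" to the user instead of surfacing an exception; the decision that a presentation cannot be built belongs to the submission step, where the error is also the right moment to send an error response to the verifier.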

5.11.0

05 Feb 09:38

Release 5.11.0 of VC-K supports DC API presentations acc. to ISO/IEC 18013-5 and 18013-7, fixes some bugs in the implementations of OpenID4VP 1.0 and OpenID4VCI 1.0, and extends support for DCQL features in presentations.

  • Digital Credentials API:
    • Add request/response models for OpenID4VP and ISO 18013-7 Annex C flows, including protocol identifiers, wallet/verifier request options, and typed responses
    • Add serializers for DeviceRequest, EncryptionInfo, and encrypted responses for Annex C/DC API interop
  • ISO/IEC 18013-5 and 18013-7:
    • Introduce Annex C verifier and request options to create mdoc requests, derive session transcripts, and validate encrypted device responses
    • Adapt wallet data classes to prepare support for iOS
    • Add data classes and serializers for zero-knowledge proofs
    • Add ZkSystemParamRegistry to enable zero-knowledge backends to register serializers for their custom parameters
  • Token status list:
    • Add IdentifierList and IdentifierListInfo and related classes
    • Add RevocationList and RevocationListInfo sealed classes
    • Replace Status claim with RevocationListInfo in VC / SD-JWT / MSO payloads
    • Do not wrap the CBOR-encoded token status list in CBOR tag 24 (d818 in hex), unlike other COSE payloads
    • Move some methods from IssuerCredentialStore to new interface ReferencedTokenStore to decouple StatusListAgent from IssuerAgent
  • OpenID for Verifiable Credential Issuance:
    • In SimpleAuthorizationService add parameter configurationIds to method credentialOfferWithAuthorizationCode
    • Support different supported credential formats having the same scope value (as this is covered by the spec)
    • Be sure to use correct JWE encryption algorithm on issuer and wallet side and advertise keys correctly
    • In WalletEncryptionService add constructor parameter fallbackJweEncryptionAlgorithm and deprecated supportedJweEncryptionAlgorithm
  • OpenID for Verifiable Presentations:
    • In OpenId4VpVerifier add constructor parameter supportedJweEncryptionAlgorithms to advertise in metadata, deprecating supportedJweEncryptionAlgorithm and supportedJweAlgorithm
    • In RequestOptions deprecate property encryption, as this depends on the response mode
    • In AuthnResponseResult returned from OpenId4VpVerifier.validateAuthnResponse() remove parameter state
    • In OpenId4VpVerifier remove validateAuthnResponse(input: Map)
    • In OpenId4VpVerifier add option to provide externalId when validating authn responses, useful for DCAPI flows
    • Rename RequestOptions to OpenId4VpRequestOptions and add DC API/DCQL options like expected_origins, optional client_id, and stricter transaction_data checks
    • Build session transcripts for DC API responses, verify expected_origins, and parse DC API OpenId4VpResponse inputs without requiring state
  • DCQL in OpenID for Verifiable Presentations:
    • Support attribute multiple in DCQLCredentialQuery
    • Support attribute require_cryptographic_holder_binding in DCQLCredentialQuery
    • Support attribute trusted_authorities in DCQLCredentialQuery, for Authority Key Identifier aki only
    • Result in VerifiableDCQLPresentationValidationResults now carries a map of query id to a list of AuthnResponseResult instead of a single one
    • Support queries for W3C Verifiable Credentials (format jwt_vc_json), with thanks to etnafed
  • OpenID4VC High Assurance Interoperability Profile (HAIP):
    • Add VerifyStatusListTokenHAIP and related resolver/tests to enforce requirements from draft 04
  • OAuth 2.0:
    • In SimpleAuthorizationService offer client_attestation_pop_signing_alg_values_supported and client_attestation_signing_alg_values_supported in line with OAuth 2.0 Attestation-Based Client Authentication
    • OAuth2KtorClient: Read and cache DPoP-Nonce from success responses and include it in subsequent DPoP proofs
    • In SimpleAuthorizationService provide methods parWithDpopNonce, tokenWithDpopNonce and userInfoWithDpopNonce to provide nonces to clients for their next request
  • Refactoring:
    • Move shared nonce/map store utilities and add helpers to choose encryption keys and compute session transcript thumbprints to main module
  • Deprecations:
    • at.asitplus.wallet.lib.oidvci.NonceService is now at.asitplus.wallet.lib.NonceService
    • at.asitplus.wallet.lib.oidvci.DefaultNonceService is now at.asitplus.wallet.lib.DefaultNonceService
    • at.asitplus.wallet.lib.oidvci.MapStore is now at.asitplus.wallet.lib.utils.MapStore
    • at.asitplus.wallet.lib.oidvci.DefaultMapStore is now at.asitplus.wallet.lib.utils.DefaultMapStore
    • at.asitplus.wallet.lib.openid.RequestOptions is now at.asitplus.wallet.lib.openid.OpenId4VpRequestOptions
    • at.asitplus.dcapi.request.DCAPIRequest is now at.asitplus.dcapi.request.DCAPIWalletRequest
    • at.asitplus.dcapi.request.Oid4vpDCAPIRequest is now at.asitplus.dcapi.request.DCAPIWalletRequest.OpenId4VpUnsigned or at.asitplus.dcapi.request.DCAPIWalletRequest.OpenId4VpSigned
  • Dependency Updates:
    • Gradle 9.2.0
    • Kotlin 2.3.0
    • Dokka 2.10.0
    • Return value checker defaults to check
    • AGP 8.12.3
    • Ktor 3.3.3
    • Bouncy Castle 1.83 (no more forcing exact version)
    • TestBalloon 0.8.2-K2.3.0
    • Signum 3.19.3
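The token status list items above (the IdentifierList and RevocationList classes, the untagged CBOR encoding) and the Validator.acceptedTokenStatuses parameter introduced in 5.7.0 both rest on the bit-packed status list of draft-ietf-oauth-status-list. The following is an added example for this page, not VC-K code: it packs statuses bits-wide, least significant bits first, deflates and base64url-encodes the list, reads an index back, and lets the verifier decide which statuses count as fresh. The constants, function names and sample statuses are the example's own; the JWT/CWT wrapping and the fetching of the list by URI are left out.

```python
# Added example (not VC-K code): Token Status List bit packing, compression and lookup as in
# draft-ietf-oauth-status-list, plus a freshness decision against a set of accepted statuses.
import base64
import zlib

VALID, INVALID, SUSPENDED = 0x00, 0x01, 0x02  # status type values defined by the draft


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pack_statuses(statuses, bits):
    """Pack one status per index into a byte array, 'bits' wide, least significant bits first."""
    if bits not in (1, 2, 4, 8):
        raise ValueError("bits must be 1, 2, 4 or 8")
    per_byte = 8 // bits
    packed = bytearray((len(statuses) + per_byte - 1) // per_byte)
    for idx, status in enumerate(statuses):
        if not 0 <= status < (1 << bits):
            raise ValueError(f"status {status} does not fit into {bits} bit(s)")
        packed[idx // per_byte] |= status << ((idx % per_byte) * bits)
    return bytes(packed)


def encode_status_list(statuses, bits):
    """The status_list claim as carried in a Status List Token: bits plus deflated, base64url lst."""
    return {"bits": bits, "lst": b64url(zlib.compress(pack_statuses(statuses, bits), 9))}


def status_at(status_list, idx):
    """Read the status of the Referenced Token at index idx.
    An index past the end of the list is an error, never silently 'valid'."""
    bits = status_list["bits"]
    per_byte = 8 // bits
    raw = zlib.decompress(b64url_decode(status_list["lst"]))
    if idx < 0 or idx // per_byte >= len(raw):
        raise IndexError(f"index {idx} outside status list of {len(raw) * per_byte} entries")
    return (raw[idx // per_byte] >> ((idx % per_byte) * bits)) & ((1 << bits) - 1)


def is_fresh(status_list, idx, accepted=frozenset({VALID})):
    """Freshness decision: the verifier, not the list, decides which statuses it accepts."""
    return status_at(status_list, idx) in accepted


if __name__ == "__main__":
    # 16 one-bit statuses (the values used in the draft's 1-bit example) pack to 0xb9 0xa3.
    example = [1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1]
    print(pack_statuses(example, 1).hex())  # b9a3
    sl = encode_status_list([VALID, INVALID, SUSPENDED, VALID, 0x03], bits=2)
    print(sl)
    print(is_fresh(sl, 2), is_fresh(sl, 2, accepted={VALID, SUSPENDED}))  # False True
```

Two choices here matter for a verifier: an index beyond the decompressed list raises rather than reading as 0x00, because a truncated or wrongly sized list would otherwise validate every credential issued past its end; and the accepted set is a parameter, so a relying party that tolerates SUSPENDED for a low-risk use case opts in explicitly instead of every status other than INVALID passing by default.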

5.10.1

05 Dec 12:21

  • Proximity presentations:
    • Return multiple ISO mDoc credentials in one device response when generating a presentation in proximity flows
  • OpenID for Verifiable Presentations:
    • In RequestOptions deprecate property encryption, as this depends on the response mode
    • In OpenId4VpVerifier remove validateAuthnResponse(input: Map)
    • In OpenId4VpVerifier add option to provide externalId to methods validateAuthnRequest() and submitAuthnRequest(), useful for DCAPI flows

5.10.0

03 Dec 10:52

VC-K 5.10.0 updates the implementation of OpenID for Verifiable Presentations to 1.0 from 9 July 2025 and the implementation of OpenID for Verifiable Credential Issuance to 1.0 from 16 September 2025 in preparation for EUDI Wallets Launchpad.

Details:

  • StatusListToken:
    • Remove StatusTokenValidator
    • Remove StatusTokenIntegrityValidator class
    • Refactor StatusListToken.StatusListJwt to StatusListJwt
    • Refactor StatusListToken.StatusListCwt to StatusListCwt
  • OAuth 2.0:
    • Use correct path for metadata retrieval (inserting the well-known path between host component and path component, acc. to RFC 8414)
    • Support reading resource-server provided nonce for OAuth 2.0 Demonstrating Proof of Possession (DPoP)
    • Use pushed authorization requests when AS supports it
    • Use signed authorization requests when AS supports it (but not necessarily when using PAR)
  • OpenID for Verifiable Credential Issuance:
    • Update implementation to 1.0 from 2025-09-16
    • Remove code elements deprecated in 5.9.0
    • Drop single proof in credential request
    • Support credential response encryption correctly, see changed API in CredentialIssuer.credential()
    • Correctly verify credential request regarding credential_configuration_id and credential_identifiers
    • Support credential request encryption correctly, if metadata is set at Issuer
  • OpenID for Verifiable Presentations:
    • Update implementation to 1.0 from 2025-07-09
    • Remove code elements deprecated in 5.9.0
    • Use correct syntax for vp_token in responses to DCQL queries, i.e., with an array
    • Drop session transcript implementation from ISO/IEC 18013-7:2024 Annex B, which was pre-OpenID4VP 1.0
    • Remove deprecated format identifier vc+sd-jwt (now dc+sd-jwt)
    • Remove deprecated client identifier prefix scheme x509_san_uri
    • Use correct response encryption acc. to values stated in encrypted_response_enc_values_supported inside client_metadata
    • Correct evaluation of vp_formats_supported inside client_metadata
    • Advertise correct wallet metadata for retrieving authn requests, e.g. client_id_prefixes_supported
    • Drop support for signed-then-encrypted responses, as in OpenID4VP 1.0
    • Drop support for mdoc generated nonces, as in OpenID4VP 1.0
    • Deprecate method validateAuthnResponse(input: Map<String, String>) in OpenId4VpVerifier because it bypassed correct input parsing
    • When returning multiple ISO mDoc credentials, make sure to create one device response object per document, wrapping in separate VP tokens
  • SD-JWT:
    • Fix creation of SD JWTs containing structures that are selectively disclosable
    • Fix creation of arrays in SD-JWTs; issuers are advised to use ClaimToBeIssuedArrayElement for such elements
  • Issuance:
    • Introduce duration to subtract for the issuance date of credentials, see IssuerAgent.issuanceOffset
    • Do not issue SD-JWT credentials with a unique identifier in jti
    • Truncate issuing timestamps to seconds
  • Remote Qualified Electronic Signatures:
    • Remove modules deprecated in 5.9.0: vck-rqes, rqes-data-classes
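The OAuth 2.0 metadata path fix above concerns RFC 8414's rule for issuer identifiers that carry a path component. As an added example (not VC-K code), the functions below build the metadata URL by insertion and, next to it, the appended form it must not be confused with; the issuer values are constructed for the example.

```python
# Added example (not VC-K code): locating OAuth 2.0 authorization server metadata for an
# issuer identifier with a path component, per RFC 8414 section 3.
from urllib.parse import urlsplit, urlunsplit

SUFFIX = "oauth-authorization-server"


def metadata_url(issuer: str, suffix: str = SUFFIX) -> str:
    """RFC 8414: insert /.well-known/<suffix> between the host and the path component."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError("issuer identifier must be an https URL without query or fragment")
    path = parts.path.rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, f"/.well-known/{suffix}{path}", "", ""))


def appended_url(issuer: str, suffix: str = SUFFIX) -> str:
    """The appended form (the OpenID Connect Discovery 1.0 convention): once the issuer
    has a path this points somewhere else, so a client must not mix the two up."""
    return issuer.rstrip("/") + f"/.well-known/{suffix}"


if __name__ == "__main__":
    issuer = "https://as.example.com/tenant1"
    print(metadata_url(issuer))  # https://as.example.com/.well-known/oauth-authorization-server/tenant1
    print(appended_url(issuer))  # https://as.example.com/tenant1/.well-known/oauth-authorization-server
```

The scheme and query/fragment check is deliberate: the issuer identifier is later compared byte for byte against the iss value inside the metadata document, and an identifier that is not a clean https URL cannot pass that comparison anyway.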
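The SD-JWT fixes above (creating nested selectively disclosable structures here, and in 5.12.0 the presentation of nested claims whose last name segment also appears under another parent, e.g. country in place_of_birth and address) are easiest to follow with a concrete payload. The following is an added example, not VC-K code: it builds an unsigned SD-JWT payload with two selectively disclosable country claims, selects disclosures by full path versus by last name segment, and reconstructs what a verifier would see in each case. The claim values, paths and function names are the example's own; JWS signing and key binding are omitted.

```python
# Added example (not VC-K code): selectively disclosable nested claims in an SD-JWT payload,
# and why disclosures must be selected by their full path, not by the last name segment.
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(name, value):
    """Disclosure = base64url(JSON [salt, claim name, claim value]) per SD-JWT."""
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())


def digest(disclosure):
    """_sd entry: base64url(SHA-256 over the ASCII disclosure string), i.e. _sd_alg sha-256."""
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue():
    """Constructed issuer payload (JWS signing omitted) with 'country' hidden under two
    different parent objects. Returns the payload and {disclosure: full claim path}."""
    disclosures = {}

    def sd_object(path, claims):
        obj = {"_sd": []}
        for name, value in claims.items():
            d = make_disclosure(name, value)
            disclosures[d] = path + (name,)
            obj["_sd"].append(digest(d))
        obj["_sd"].sort()  # sorted digests so the order reveals nothing about the claims
        return obj

    payload = {
        "iss": "https://issuer.example",
        "vct": "urn:example:pid",
        "_sd_alg": "sha-256",
        "address": sd_object(("address",), {"country": "AT", "locality": "Graz"}),
        "place_of_birth": sd_object(("place_of_birth",), {"country": "DE"}),
    }
    return payload, disclosures


def select_by_path(disclosures, wanted):
    """Holder side, correct: match the full claim path."""
    wanted = {tuple(p) for p in wanted}
    return [d for d, path in disclosures.items() if path in wanted]


def select_by_last_segment(disclosures, wanted):
    """Holder side, the bug being described: match only the last name segment."""
    names = {p[-1] for p in wanted}
    return [d for d, path in disclosures.items() if path[-1] in names]


def reveal(payload, presented):
    """Verifier side: rebuild the disclosed claims from the payload and the presented disclosures."""
    by_digest = {digest(d): d for d in presented}

    def walk(node):
        if isinstance(node, dict):
            out = {k: walk(v) for k, v in node.items() if k != "_sd"}
            for dg in node.get("_sd", []):
                if dg in by_digest:
                    _salt, name, value = json.loads(b64url_decode(by_digest[dg]))
                    out[name] = walk(value)
            return out
        if isinstance(node, list):
            return [walk(v) for v in node]
        return node

    return walk(payload)


if __name__ == "__main__":
    payload, disclosures = issue()
    wanted = [("place_of_birth", "country")]
    print(reveal(payload, select_by_path(disclosures, wanted)))
    print(reveal(payload, select_by_last_segment(disclosures, wanted)))  # leaks address.country
```

The verifier never learns which disclosures the holder had available; it only sees the ones presented and matches them by digest into the right position. That is exactly why a holder that selects by name rather than by path over-discloses without any error on either side.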

5.9.0

03 Nov 14:46

  • Refactor RqesWalletService to be stateless
  • Remove code elements deprecated in 5.8.0
  • Gradle modules:
    • Change dependency structure of modules
    • Remove vck-rqes module, relevant classes have been moved to vck-openid
    • Rename rqes-data-classes to csc-data-classes
    • Move DIF-related classes to dif-data-classes
    • Move OpenId-related classes to openid-data-classes
    • Remove class Initializer from vck-openid
  • Remote Qualified Electronic Signatures:
    • Remove "UC5-flow" option in RQES flows
    • Remove transactionData from KeyBindingJws
    • Remove QesAuthorizationDetails
    • Refactor AuthorizationDetails to sealed class
    • Remove QesInputDescriptor
    • Refactor InputDescriptor to sealed class
    • Remove RqesRequestOptions
    • Remove RequestOptions interface
    • Rename OpenIdRequestOptions to RequestOptions
    • Refactor TransactionData to sealed class
    • In TransactionData make credentialIds mandatory
    • Refactor RequestParameters to sealed class
  • Validation:
    • Improve validation of JWT VC
    • Remove subclass InvalidStructure from Verifier.VerifyCredentialResult, is now mapped to ValidationError
  • Refactor handling of key material:
    • Introduce interface PublishedKeyMaterial to indicate clients can lookup that key with the identifier used as a keyId in a key set
    • Other key material gets randomly assigned identifiers to not rely on DIDs
    • For JVM add PublishedKeyStoreMaterial to load keys from Java key stores with a fixed identifier
    • In class HolderAgent require the identifier to be a URI, set in the constructor, as required for SD-JWT and JWT VC
    • Key material will be referenced by its keyId and key set URL or by its certificate or plain public key in JWS proofs
  • Remove workarounds and deprecated features:
    • OpenID4VP: Verify mDoc generated nonce correctly (not supporting broken EUDIW RI)
    • OpenID4VP: Only send the response parameter when using direct_post.jwt (not supporting broken EUDIW RI)
    • OpenID4VP: Use credential format identifier dc+sd-jwt everywhere
    • OpenID4VP: Discard option to use deprecated client_id_scheme parameter in ClientIdScheme subclasses
    • OpenID4VP: Do not read the explicit parameter client_id_scheme (it's prefixed in the client_id)
    • OpenID4VP: Do not send signed JWT as authentication responses, but always encrypt them when using direct_post.jwt
    • OpenID4VP: Remove signDeviceAuthFallback in OpenId4VpHolder which has been used for mDoc presentations, but was not part of any spec
    • OpenID4VP: Remove BackwardsCompatibleDCQLQuerySerializer which has been able to parse DCQL queries as strings in addition to the usual JSON object
    • OpenID4VP: Never sign responses, either send it in plain or encrypted (OpenID4VP 1.0 has dropped JARM)
    • DCAPI: Remove (already deprecated) preview data class PreviewDCAPIRequest, either use OpenID4VP or ISO 18013-7 Annex C
  • JWE:
    • Add EncryptJweSymmetricFun and EncryptJweSymmetric and DecryptJweSymmetric
  • OAuth 2.0:
    • Refactor the split between credential issuer (OpenID4VCI) and authorization server (OAuth2.0)
    • SimpleAuthorizationService supports token exchange acc. to RFC 8693
    • SimpleAuthorizationService supports token introspection acc. to RFC 7662
    • Implement RemoteOAuth2AuthorizationServerAdapter so that credential issuers may be connected to external OAuth2.0 authorization servers
    • Implement OAuth2KtorClient to implement a ktor-based client for OAuth 2.0, including OAuth 2.0 Demonstrating Proof of Possession (DPoP)
    • Remove generics from methods in OpenId4VpHolder and work directly with AuthorizationRequestParameters
    • In PresentationFactory replace RequestParameters in function signatures to work directly with AuthorizationRequestParameters
    • Remove all parameters from RequestParameters, moved into their respective implementing class
    • Add data class JarRequestParameters implementing RequestParameters to handle JWT-secured authorization requests explicitly
    • In AuthorizationService and SimpleAuthorizationService deprecate method authorize with AuthenticationRequestParameters, use RequestParameters instead
    • In AuthorizationService and SimpleAuthorizationService deprecate method par with AuthenticationRequestParameters, use RequestParameters instead
    • In OAuth2Client add method createAuthRequestJar to make intent more explicit
    • Allow SimpleAuthorizationService to toggle usage of PAR and JAR with new requirePushedAuthorizationRequests and requestObjectSigningAlgorithms parameters
  • Cryptography:
    • Use secure random for source of nonces by default, but also expose constructor parameters to override it
  • Update implementation of OpenID for Verifiable Credential Issuance to draft 17:
    • Offer signedMetadata in CredentialIssuer
    • In OpenIdAuthorizationDetails deprecate properties that have been dropped from the spec: format, docType, sdJwtVcType and credentialDefinition
    • In SupportedCredentialFormat add new property about CredentialMetadata, moving display and claims
    • In TokenResponseParameters remove clientNonce that has been dropped in OID4VCI draft 14
    • In CredentialRequestParameters deprecate proof, use proofs instead
    • Use correct error values for unknown_credential_configuration and unknown_credential_identifier
    • In CredentialIssuer deprecate constructor parameters encryptCredentialRequest, requireEncryption, supportedJweAlgorithms, supportedJweEncryptionAlgorithms
    • In CredentialIssuer introduce constructor parameter encryptionService which handles credential request decryption and credential response encryption
    • In CredentialIssuer deprecate method nonce()
    • In CredentialIssuer add method nonceWithDpopNonce() to provide a DPoP nonce to clients (only when the AS is internal)
    • In CredentialIssuer use the COSE algorithm identifiers (e.g. -7) for signing algorithm values in the metadata
    • In WalletService deprecate constructor parameters requestEncryption, decryptionKeyMaterial, supportedJweAlgorithm, supportedJweEncryptionAlgorithm
    • In WalletService introduce constructor parameter encryptionService which handles credential request encryption and credential response decryption
    • In WalletService add method parseCredentialResponse to transform the received credential response from the issuer into StoreCredentialInput
    • In WalletService deprecate method createCredentialRequest and replace it with createCredential to handle encryption
  • Presentation classes:
    • In CreatePresentationResult.Signed add property containing JwsSigned<VerifiablePresentationJws>
    • In CreatePresentationResult.SdJwt add property containing SdJwtSigned
    • Deprecate SdJwtSigned.parse(), please migrate to SdJwtSigned.parseCatching()
  • OpenID for Verifiable Presentations: Update implementation to draft 29:
    • In AuthenticationRequestParameters deprecate member client_metadata_uri
    • In RequestOptions deprecate member clientMetadataUrl
    • In OpenIdConstants deprecate member X509SanUri
    • In AuthenticationRequestParameters and AuthorizationResponsePreparationState add VerifierInfo to display to user
    • In RelyingPartyMetadata deprecate vp_formats, replace with vp_formats_supported, using correct algorithm values
    • Change DCQLCredentialQuery.meta to be mandatory
    • Add DCQLEmptyCredentialMetadataAndValidityConstraints
    • In OpenId4VpVerifier add constructor parameter decryptionKeyMaterial to supply a key for decrypting encrypted responses from holders
    • In OAuth2AuthorizationServerMetadata deprecate client_id_schemes_supported, replace with client_id_prefixes_supported
    • Add ClientIdScheme.CertificateHash mapping to client identifier prefix x509_hash from OpenID4VP
    • Use session transcript for mDoc presentations as defined in OpenID4VP
    • Deprecate and refactor methods in OpenId4VpHolder and OpenId4VpWallet to fetch external resources only once, clients need to call startAuthorizationResponsePreparation() and then finalizeAuthorizationResponse()
    • OpenId4VpHolder does not return a KmmResult.failure when building the response fails, but returns AuthenticationResponseResult containing error parameters
    • OpenId4VpWallet does not send an error response to the verifier automatically
    • Extend RequestParametersFrom with sub-classes for DcApiSigned and DcApiUnsigned, removing the parameter dcApiRequest from several methods in OpenId4VpVerifier and OpenId4VpWallet
    • Extend RequestParametersFrom.JwsSigned with a parent member
    • Extend RequestParametersFrom.Json with a parent member
  • SD-JWT:
    • Honour digest defined in _sd_alg parameter to allow for more digests in issuance and verification of selective disclosures items
  • Make it possible to disable all apple targets by setting Gradle property disableAppleTargets=true (either through gradle.properties/local.properties or as env variable)
  • Dependency Updates:
    • Kotlin 2.2.21
    • Signum 3.18.2 / Supreme 0.10.2
  • Build Updates:
    • AGP 8.12.3 with new Android KMP Library Plugin
    • Migrate from Kotest to TestBalloon
    • Remove dodgy Swift-Klib workarounds

5.8.0

31 Jul 09:04

  • Refactor AuthorizationServiceStrategy
    • Allow for general AuthorizationDetails
    • Remove filterAuthorizationDetails function
    • Add validateAuthorizationDetails function
    • Add matchAuthorizationDetails function
    • Add RqesAuthorizationServiceStrategy class
  • Refactor SimpleAuthorizationService:
    • Add SimpleQtspAuthorizationService class
    • Remove AuthorizationDetail matching and validation from class to interface function
  • Code organization:
    • Remove code elements deprecated in 5.7.0
    • Remove all remaining serialize() and deserialize() methods in data classes
    • Move data classes for token status into artifact openid-data-classes, keeping the namespace
    • Move data classes for VC and SD-JWT into artifact openid-data-classes, keeping the namespace
  • Refactoring of ISO data classes:
    • Move data classes from vck to openid-data-classes
    • List of classes moved: MobileSecurityObject, Document, IssuerSigned, DeviceResponse
  • Issuer:
    • Extract interface StatusListIssuer out of Issuer to separate credential issuing and status list management
    • Rework interface IssuerCredentialStore, deprecating methods storeGetNewIndex and class IssuerCredentialStore.Credential
    • In Issuer.IssuedCredential add the typed credentials as properties, add property userInfo
    • In StatusListIssuer deprecate methods revokeCredentials() and revokeCredentialsWithId(), callers should use revokeCredential()
    • In CredentialIssuer deprecate constructor parameter credentialProvider, replace with credentialDataProvider
    • Extend CredentialToBeIssued to contain properties expiration, scheme, subjectPublicKey, userInfo
    • In CredentialIssuer move constructor parameter for loading data to method credential()
    • Extract ProofValidator out of CredentialIssuer
    • Extract CredentialSchemeMapping out of various top-level methods
    • In SimpleAuthorizationService deprecate constructor parameter dataProvider, use authorize() with OAuth2LoadUserFun instead
    • In AuthorizationService deprecate authorize() methods, adding authorize() with OAuth2LoadUserFun
  • Credential schemes:
    • Provide fallback credential schemes, to be used when no matching scheme is registered with this library:
      • SdJwtFallbackCredentialScheme
      • VcFallbackCredentialScheme
      • IsoMdocFallbackCredentialScheme
    • Note that these schemes are not resolved automatically, and need to be used explicitly in client applications
  • SD-JWT:
    • Add data class for SD-JWT VC Type metadata in SdJwtTypeMetadata
    • Update signum to provide SD-JWT VC Type metadata in vctm in the header of a SD-JWT
  • Validation:
    • Remove internal class Parser and data classes ParseVpResult and ParseVcResult
    • Extract ValidatorMdoc, ValidatorSdJwt, ValidatorVcJws from Validator
    • In HolderAgent add constructor parameters for validatorVcJws, validatorSdJwt, validatorMdoc
    • In Validator deprecate constructor parameter resolveStatusListToken, clients shall use tokenStatusResolver instead
    • In Verifier remove parameter challenge from verifyPresentationIsoMdoc()
    • Rename SdJwtValidator to SdJwtDecoded
    • In VerifiablePresentationParsed add the input data too, that is the VerifiablePresentationJws
    • In IsoDocumentParsed add the input data too, that is the Document
  • Respond to failed authentication request with error:
    • In class OpenId4VpWallet add method sendAuthnErrorResponse
    • In data class OAuth2Error add member state
    • In data class AuthenticationResponse add member error, make params optional
    • In class AuthenticationResponseFactory add member signError
    • In class OpenId4VpHolder add member signError, add method createAuthnErrorResponse
  • Dependency Updates:
    • Kotlin 2.2.0
    • Signum 3.17.0 / Supreme 0.9.0
    • kotlinx.datetime 0.7.1.
      • This moves Instant and Clock to stdlib
      • (but introduces typealiases for easier migration)
      • Also forces serialization 1.9.0
    • Update to latest conventions plugin:
      • Bouncy Castle 1.81!!
      • Serialization 1.9.0
      • Coroutines 1.10.2
      • Ktor 3.2.2
      • Kotest 6.0.0.M6
    • Update JsonPath4K to 3.0.0
  • Disable bogus ios X64 test tasks
  • Help XCode to get its act together
  • Add a manual test workflow to try different kotlin/ksp/kotest versions

5.7.2

16 Jul 08:43

  • Presentation Exchange: Fix validation of optional constraint fields

5.7.1

25 Jun 09:56

  • Signum 3.16.3/Supreme 0.8.3 to fix certificate encoding in JWS header
  • Remove okio dependency and use Supreme digest calculation instead
  • Set correct header when retrieving authn requests

5.7.0

17 Jun 08:03

  • Remote Qualified Electronic Signatures:
    • Remove code elements deprecated in 5.6.0
  • JWS and COSE handling:
    • Remove code elements deprecated in 5.6.0
  • OpenID for Verifiable Credential Issuance:
    • Expose oauth2Client in WalletService
    • Remove code elements deprecated in 5.6.3 in OpenId4VciClient
    • Update transaction_data_hashes according to result from openid/OpenID4VP#621
  • Holder:
    • Replace keyPair with keyMaterial
  • Functions:
    • Replace type aliases with functional interfaces (providing named parameters in implementations)
    • Make cryptographic verification functions suspending
  • Fully integrated crypto functionality based on Signum 3.16.2. This carries over breaking changes:
    • All debug-only kotlinx.serialization for cryptographic datatypes like certificates, public keys, etc. was removed
    • This finally cleans up RSAorHMAC:
      • SignatureAlgorithm.RSAorHMAC is now properly split into SignatureAlgorithm and MessageAuthenticationCode. Both implement DataIntegrityAlgorithm.
      • This split also affects JwsAlgorithm, which now has subtypes: Signature and MAC. Hence, JwsAlgorithm.ES256 -> JwsAlgorithm.Signature.ES256
  • Separate credential timeliness validation from content semantics validation
    • Change Validator constructor to include configuration of the credential timeliness validator
    • Change Validator.verifyVcJws to not perform timeliness validation
    • Change Validator.verifySdJwt to not perform timeliness validation
    • Replace property isRevoked with property freshnessSummary in:
      • Verifier.VerifyPresentationResult.SuccessSdJwt
      • IsoDocumentParsed
      • AuthnResponseResult.SuccessSdJwt
    • Change type of VerifiablePresentationParsed.verifiableCredentials and revokedVerifiableCredentials to Collection<VcJwsVerificationResultWrapper>
    • Rename VerifiablePresentationParsed.verifiableCredentials to VerifiablePresentationParsed.freshVerifiableCredentials
    • Rename VerifiablePresentationParsed.revokedVerifiableCredentials to VerifiablePresentationParsed.notVerifiablyFreshVerifiableCredentials
    • Remove Validator.checkRevocationStatus in favor of Validator.checkCredentialFreshness
    • Remove Holder.StoredCredential.status
    • Remove Verifier.VerifyCredentialResult.Revoked
    • Add constructor parameter Validator.acceptedTokenStatuses to allow library client to define token statuses deemed valid
  • Add support for Digital Credentials API as defined in OID4VP draft 28 and ISO 18013-7 Annex C:
    • Implement DCAPIRequest for requests received via the Digital Credentials API, with implementations for OID4VP (Oid4vpDCAPIRequest), ISO 18013-7 Annex C (IsoMdocRequest) and a non-standardised preview protocol (PreviewDCAPIRequest)
    • New property of type Oid4vpDCAPIRequest for requests originating from the Digital Credentials API in AuthorizationResponsePreparationState
    • New parameter of type Oid4vpDCAPIRequest for requests originating from the Digital Credentials API in OpenId4VpHolder.parseAuthenticationRequestParameters, RequestParameters.extractAudience, PresentationFactory.createPresentation, PresentationFactory.calcDeviceSignature, RequestParser.parseRequestParameters, RequestParser.extractRequestObject, RequestParser.parseRequestObjectJws, RequestParser.matchRequestParameterCases and HolderAgent.getValidCredentialsByPriority
    • New optional parameter filterById of type String in Holder.matchInputDescriptorsAgainstCredentialStore, HolderAgent.getValidCredentialsByPriority, HolderAgent.matchInputDescriptorsAgainstCredentialStore and HolderAgent.matchDCQLQueryAgainstCredentialStore to filter credentials by id
    • New method SubjectCredentialStore.getDcApiId to generate an id of type String for a credential
    • New optional property of type DCAPIHandover for SessionTranscript
  • Return member of interface AuthenticationResult instead of AuthenticationSuccess as authorization response in OpenId4VpWallet. Can either be
    • AuthenticationSuccess: contains a redirectUri (same behaviour as in 5.6.x)
    • AuthenticationForward: contains the authenticationResponseResult for responses via the Digital Credentials API
  • Refactoring of ISO data classes:
    • Move data classes from vck to openid-data-classes
    • Remove serialize() and deserialize() methods, please use the preferred serializer directly (e.g. vckCborSerializer)
    • List of classes moved: ClientIdToHash, DeviceAuth, DeviceAuthentication, DeviceKeyInfo, DeviceRequest, DeviceSigned, DeviceSignedItemListSerializer, DeviceSignedList, DocRequest, ItemsRequest, IssuerSignedItem, IssuerSignedItemSerializer, IssuerSignedList, IssuerSignedListSerializer, ItemsRequestList, ItemsRequestListSerializer, KeyAuthorization, NamespacedDeviceNameSpacesSerializer, NamespacedIssuerSignedListSerializer, ResponseUriToHash, ServerItemsRequest, ServerRequest, ServerResponse, SessionTranscript, SingleItemsRequest, ValidityInfo, ValueDigest, ValueDigestList, ValueDigestListSerializer
  • Additional:
    • Remove Holder.StoredCredential in favor of SubjectCredentialStore.StoreEntry
    • Update AGP to 8.6.1 for composite builds with Valera
    • Make OAuth2Exception serializable
    • Add data class LocalDateOrInstant to be used by credentials

5.6.6

16 Jun 15:14

  • OpenID for Verifiable Presentations:
    • Fix applying presentation exchange filters to credentials (array and object filters)
  • OpenID for Verifiable Credential Issuance:
    • On issued SD-JWT VC do not validate subject but the confirmation claim
    • Do not require proof_type in proofs in a credential request to be set