Releases: a-sit-plus/vck

5.3.3

06 Feb 15:26
  • ISO: Fix serialization of device authentication bytes
  • ISO: Fix generating mdocGeneratedNonce for device authentication according to ISO 18013-7
  • OpenID4VP: Support extracting authentication response from JWS inside JWE

5.3.2

06 Feb 15:25
  • ISO: Do not tag instants in CBOR with tag 1004
  • ISO: Fix calculation of value digests

5.3.1

30 Jan 15:02
  • Add optional parameter issuerUri to ClientIdScheme.PreRegistered
  • Fix validation of KB-JWT for SD-JWT presentations
  • Fix AES GCM IV length for JWE

5.3.0

27 Jan 10:39

Main features:

  • Implement token-status-list-06, replacing implementation of Revocation List 2020
  • Implement device response including session transcript and handover structure according to ISO/IEC 18013-7 Annex B for mDoc responses
  • Update implementation of OpenID4VP to draft 23

Details:

  • Implement token-status-list-06, replacing implementation of Revocation List 2020:
    • Holder:
      • Remove setRevocationList
      • Change StoredCredential revocation status to token status
    • InMemoryIssuerCredentialStore:
      • Change revoke semantics to token status semantics
      • Add token status bitsize
      • Change iso credential identifier to make it deterministic
    • Issuer:
      • Change buildRevocationList to buildStatusList
      • Add functions for issuing status lists and status list tokens
      • Remove compileCurrentRevocationLists
      • Add inheritance from token status agent interfaces
    • IssuerAgent
      • Add revocation status for iso credentials
      • Change revocation status to token status
    • IssuerCredentialStore
      • Change revocation status semantics to token status semantics
    • Validator:
      • Change revocation status to token status
      • Change revocation check to token status invalid check by using new status mechanism
      • Add validation for status list tokens
    • Verifier:
      • Remove setRevocationList
      • Add verifyRevocationStatusListJwtIntegrity and verifyRevocationStatusListCwtIntegrity
    • CoseService:
      • Add check without specifying signer (using cose signed public key or trust store)
    • VerifiableCredential: Change credentialStatus to status and using new status mechanism
    • VerifiableCredentialSdJwt: Change credentialStatus to use new status mechanism
    • MobileSecurityObject: Add status mechanism
    • iosMain/DefaultZlibService: Verify compression method was deflate when inflating
  • Implement device response including session transcript and handover structure according to ISO/IEC 18013-7 Annex B for mDoc responses:
    • CoseService adds method createSignedCoseWithDetachedPayload to not serialize the payload in the CoseSigned structure
    • Move at.asitplus.wallet.lib.agent.Holder.PresentationResponseParameters to at.asitplus.wallet.lib.agent.PresentationResponseParameters
    • Move at.asitplus.wallet.lib.agent.Holder.CreatePresentationResult to at.asitplus.wallet.lib.agent.CreatePresentationResult
    • In Holder.createPresentation() replace parameters challenge and audience with PresentationRequestParameters, extending the possible inputs for calculating the verifiable presentation
    • In Verifier and VerifierAgent add methods verifyPresentationVcJwt(), verifyPresentationSdJwt() and verifyPresentationIsoMdoc() to directly verify typed objects
    • For verification of credentials and presentations add ValidationError cases to sealed classes
    • In OidcSiopVerifier replace stateToNonceStore and stateToResponseTypeStore with stateToAuthnRequestStore
  • OpenID4VP refactorings:
    • Deprecate OidcSiopVerifier, use at.asitplus.wallet.lib.openid.OpenId4VpVerifier instead
    • Move classes ClientIdScheme, RequestOptions, AuthResponseResult out of OpenId4VpVerifier
    • Change type of RequestOptionsCredential.requestedAttributes from List to Set
    • Change type of RequestOptionsCredential.requestedOptionalAttributes from List to Set
    • Deprecate OidcSiopWallet, use at.asitplus.wallet.lib.openid.OpenId4VpHolder instead
    • Move RequestObjectJwsVerifier from at.asitplus.wallet.lib.oidc to at.asitplus.wallet.lib.openid
    • Move RemoteResourceRetrieverFunction from at.asitplus.wallet.lib.oidc to at.asitplus.wallet.lib
    • Move AuthorizationResponsePreparationState from at.asitplus.wallet.lib.oidc.helpers to at.asitplus.wallet.lib.openid
  • Update implementation of OpenID4VP to draft 23:
    • Support credential format identifier dc+sd-jwt in addition to vc+sd-jwt
    • Drop client_id_scheme and encode it as a prefix to client_id
    • Set vp_formats_supported in wallet's metadata
    • Remove OpenId4VpVerifier.createSignedMetadata(), as signed metadata is not covered by any spec
    • Remove OpenId4VpVerifier.createQrCodeUrl(), replace with createAuthnRequest(requestOptions, creationOptions) and CreationOptions.RequestByReference
    • Remove OpenId4VpVerifier.createAuthnRequestUrl(), replace with createAuthnRequest(requestOptions, creationOptions) and CreationOptions.Query
    • Remove OpenId4VpVerifier.createAuthnRequestUrlWithRequestObject(), replace with createAuthnRequest(requestOptions, creationOptions) and CreationOptions.RequestByValue
    • Remove OpenId4VpVerifier.createAuthnRequestUrlWithRequestObjectByReference(), replace with createAuthnRequest(requestOptions, creationOptions) and CreationOptions.RequestByReference
    • Add explicit redirect_uri to all ClientIdSchemes for OpenId4VpVerifier
    • Subclasses of ClientIdScheme are no longer data classes, to allow passing parameters with the same names as the sealed base class
    • Verify the requirements on whether requests must or must not be signed, according to the client identifier scheme
    • Support wallet_nonce and request_uri_method for replay detection on Wallet side
  • General cleanup:
    • Remove SchemaIndex
    • Remove VcLibException
  • Dependency updates:
    • Update signum to 3.12.1

5.2.3

20 Jan 15:18
  • Be more lenient in parsing OpenId authentication requests
  • OpenID4VP: Use correct format of algorithms in metadata for vp_formats.vc+sd-jwt
  • SD-JWT: Support creating SD-JWTs with nested structures by using a dot (.) as separator in claim names, e.g. address.region; see SdJwtCreator and ClaimToBeIssued

5.2.2

08 Jan 11:21
  • Remote qualified electronic signatures:
    • Add request, response and auxiliary data classes defined in CSC API v2.0.0.2 Ch. 11.4 credentials/list and Ch. 11.5 credentials/info
  • Fix serialization of device signed items in ISO credentials

5.2.1

19 Dec 18:49

Fix COSE signature deserialization and verification, broken by the update to signum 3.12.0

5.2.0

11 Dec 14:50
  • Remote qualified electronic signatures:
    • New Initializer object in vck-openid, which needs to be called at the start of the project if the artifact is used
    • New artifacts rqes-data-classes and vck-rqes, which allow handling of remote signature requests as described by the draft of POTENTIAL use case 5, which is based on the CSC API v2.0.0.2
    • To use vck-rqes, the new Initializer object in vck-rqes needs to be called at the start of the project if that artifact is used
    • It fully overrides and replaces the effect of the initializer in vck-openid
    • Change class InputDescriptor to DifInputDescriptor which now implements new interface InputDescriptor
    • New class QesInputDescriptor implements InputDescriptor
    • Refactor sealed class AuthorizationDetails to interface
      • Refactor subclass OpenIdCredential to class OpenIdAuthorizationDetails, which implements AuthorizationDetails
      • Refactor subclass CSCCredential to class CscAuthorizationDetails, which implements AuthorizationDetails
    • New interface RequestParameters
    • Remove RQES components from AuthenticationRequestParameters
    • New class CscAuthenticationRequestParameters which now holds the RQES components
    • New class SignatureRequestParameters
    • Refactor AuthenticationRequestParametersFrom to generic sealed class RequestParametersFrom
    • Refactor AuthenticationRequestParser to open class RequestParser
  • Selective Disclosure JWT:
    • Validate confirmation claims correctly
  • ISO 18013-5 credentials:
    • Serialize and deserialize device signed items correctly (i.e. considering the namespace of the element)
  • Refactorings:
    • Adapt to changes in signum: the classes JwsSigned, JweDecrypted and CoseSigned are now typed to their payload, leading to changes in CoseService and JwsService (overloads for typed payloads) as well as in members of data classes, which now contain e.g. JwsSigned<*>
    • Add constructor parameter identifier to IssuerAgent, to be used as the issuer property in issued credentials
    • Remove function verifyPresentationContainsAttributes() from Verifier, and VerifierAgent
    • Remove function verifyVcJws(it: String): VerifyCredentialResult from VerifierAgent, as it was only forwarding the call to Validator anyway
    • Remove secondary constructor from OidcSiopVerifier
    • Remove keyMaterial from interface Verifier
    • Add option to request optional attributes in OidcSiopVerifier.RequestOptionsCredential
    • In subclasses of SubjectCredentialStore.StoreEntry replace scheme: ConstantIndex.CredentialScheme with schemaUri: String to actually make it serializable
  • Key material:
    • Refactor extracting the audience of a verifiable presentation from an OpenID Authn Request (now uses the client_id or audience before extracting key identifiers)
    • Add customKeyId to KeyMaterial to not use the DID encoding as the identifier for keys
    • Do not expect the audience of a verifiable presentation to always include the identifier of a key, but rather the identifier of the verifier (which may be anything)
    • Remove additional constructors of VerifierAgent, add the required constructor parameter identifier
  • OpenID for Verifiable Credential Issuance:
    • Add issuerState to OAuth2Client.createAuthRequest for OID4VCI flows
    • Add extension functions to JwsService to create JWTs for OAuth 2.0 Attestation-Based Client Authentication
    • New artifact vck-openid-ktor implements a ktor client for OpenID for Verifiable Credential Issuance and OpenID for Verifiable Presentations
    • Remove scopePresentationDefinitionRetriever from OidcSiopWallet to keep implementation simple
  • Dependency Updates:
    • Signum 3.11.1
    • Kotlin 2.1.0 through Conventions 2.1.0+20241204

5.1.0

12 Nov 12:02
  • Drop ARIES protocol implementation, and the vck-aries artifact
  • Add credentialScheme and subjectPublicKey to internal CredentialToBeIssued
  • Refactor issueCredential of Issuer to directly get the credential-to-be-issued
  • Remove now useless interface IssuerCredentialDataProvider
  • Replace buildIssuerCredentialDataProviderOverride in CredentialIssuer with credentialProvider to extract user information into a credential
  • Remove dataProvider from IssuerAgent's constructor, as it is not needed with the new issuing interface anyway
  • Replace relyingPartyUrl with clientIdScheme on OidcSiopVerifier's constructor, to clarify the use of client_id in requests
  • Rename objects in OpenIdConstants.ProofType, OpenIdConstants.ClientIdScheme and OpenIdConstants.ResponseMode
  • In all OpenID data classes, serialize strings only, and parse them to crypto data classes (from signum) in a separate property (this increases interop, as we can deserialize unsupported algorithms too)
  • Add publicKeyLookup function to DefaultVerifierJwsService to provide valid keys for JWS objects out-of-band (e.g. when they're not included in the header of the JWS)
  • OID4VCI:
    • WalletService supports building multiple authorization details to request a token for more than one credential
    • Remove buildAuthorizationDetails(RequestOptions) for WalletService, please migrate to buildScope(RequestOptions)
    • Note that multiple scope values may be joined with a whitespace
  • ISO: Fix deserializing issuer signed items when element identifiers are read after the element values
  • SD-JWT:
    • Add implementation of JWT VC issuer metadata, see JwtVcIssuerMetadata
    • Pass around decoded data with SdJwtSigned in several result classes like VerifyPresentationResult.SuccessSdJwt
    • Rename disclosures to reconstructedJsonObject in several result classes like AuthnResponseResult.SuccessSdJwt
    • Correctly implement confirmation claim in VerifiableCredentialSdJwt, migrating from JsonWebKey to ConfirmationClaim
    • Change type of claimValue in SelectiveDisclosureItem from JsonPrimitive to JsonElement to be able to process nested disclosures
    • Implement deserialization of complex objects, including array claims
    • Add option to issue nested disclosures, by using ClaimToBeIssued recursively, see documentation there

5.0.1

16 Oct 19:54

  • Update JsonPath4K to 2.4.0
  • Fix XCF export with transitive dependencies
  • Fix verifiable presentation of ISO credentials to contain DeviceResponse instead of a Document
  • Data classes for verification result of ISO structures now may contain more than one document