
Releases: a-sit-plus/vck

5.2.0

11 Dec 14:50
  • Remote qualified electronic signatures:
    • New Initializer object in vck-openid, which needs to be called at the start of the project if the artifact is used
    • New artifacts rqes-data-classes and vck-rqes which allow handling of remote signature requests as described by the draft of POTENTIAL use-case 5 which is based on the CSC API v2.0.0.2
    • To use vck-rqes, call the new Initializer object in vck-rqes at the start of the project if the artifact is used
    • It fully overrides and replaces the effect of the Initializer in vck-openid
    • Change class InputDescriptor to DifInputDescriptor which now implements new interface InputDescriptor
    • New class QesInputDescriptor implements InputDescriptor
    • Refactor sealed class AuthorizationDetails to interface
      • Refactor subclass OpenIdCredential to class OpenIdAuthorizationDetails which implements AuthorizationDetails
      • Refactor subclass CSCCredential to class CscAuthorizationDetails which implements AuthorizationDetails
    • New interface RequestParameters
    • Remove RQES components from AuthenticationRequestParameters
    • New class CscAuthenticationRequestParameters which now holds the RQES components
    • New class SignatureRequestParameters
    • Refactor AuthenticationRequestParametersFrom to generic sealed class RequestParametersFrom
    • Refactor AuthenticationRequestParser to open class RequestParser
  • Selective Disclosure JWT:
    • Validate confirmation claims correctly
  • ISO 18013-5 credentials:
    • Serialize and deserialize device signed items correctly (i.e. considering the namespace of the element)
  • Refactorings:
    • Adapt to changes in signum, i.e. the classes JwsSigned, JweDecrypted, CoseSigned are now typed to their payload, leading to changes in CoseService and JwsService to add overloads for typed payloads, as well as members in data classes containing e.g. JwsSigned<*>
    • Add constructor parameter identifier to IssuerAgent, to be used as the issuer property in issued credentials
    • Remove function verifyPresentationContainsAttributes() from Verifier, and VerifierAgent
    • Remove function verifyVcJws(it: String): VerifyCredentialResult from VerifierAgent, was only forwarding call to Validator anyway
    • Remove secondary constructor from OidcSiopVerifier
    • Remove keyMaterial from interface Verifier
    • Add option to request optional attributes in OidcSiopVerifier.RequestOptionsCredential
    • In subclasses of SubjectCredentialStore.StoreEntry replace scheme: ConstantIndex.CredentialScheme with schemaUri: String to actually make it serializable
  • Key material:
    • Refactor extracting the audience of a verifiable presentation from an OpenID Authn Request (now uses the client_id or audience before extracting key identifiers)
    • Add customKeyId to KeyMaterial to not use the DID encoding as the identifier for keys
    • Do not expect the audience of a verifiable presentation to always include the identifier of a key, but the identifier of the verifier (which may be anything)
    • Remove additional constructors of VerifierAgent, add the required constructor parameter identifier
  • OpenID for Verifiable Credential Issuance:
    • Add issuerState to OAuth2Client.createAuthRequest for OID4VCI flows
    • Add extension functions to JwsService to create JWTs for OAuth 2.0 Attestation-Based Client Authentication
    • New artifact vck-openid-ktor implements a ktor client for OpenID for Verifiable Credential Issuance and OpenID for Verifiable Presentations
    • Remove scopePresentationDefinitionRetriever from OidcSiopWallet to keep implementation simple
  • Dependency Updates:
    • Signum 3.11.1
    • Kotlin 2.1.0 through Conventions 2.1.0+20241204

5.1.0

12 Nov 12:02
  • Drop ARIES protocol implementation, and the vck-aries artifact
  • Add credentialScheme and subjectPublicKey to internal CredentialToBeIssued
  • Refactor issueCredential of Issuer to directly get the credential-to-be-issued
  • Remove now useless interface IssuerCredentialDataProvider
  • Replace buildIssuerCredentialDataProviderOverride in CredentialIssuer with credentialProvider to extract user information into a credential
  • Remove dataProvider from the IssuerAgent constructor, as it is not needed with the new issuing interface anyway
  • Replace relyingPartyUrl with clientIdScheme on the OidcSiopVerifier constructor, to clarify use of client_id in requests
  • Rename objects in OpenIdConstants.ProofType, OpenIdConstants.ClientIdScheme and OpenIdConstants.ResponseMode
  • In all OpenID data classes, serialize strings only, and parse them to crypto data classes (from signum) in a separate property (this increases interop, as we can deserialize unsupported algorithms too)
  • Add publicKeyLookup function to DefaultVerifierJwsService to provide valid keys for JWS objects out-of-band (e.g. when they're not included in the header of the JWS)
  • OID4VCI:
    • WalletService supports building multiple authorization details to request a token for more than one credential
    • Remove buildAuthorizationDetails(RequestOptions) for WalletService, please migrate to buildScope(RequestOptions)
    • Note that multiple scope values may be joined with a whitespace
  • ISO: Fix deserializing issuer signed items when element identifiers are read after the element values
  • SD-JWT:
    • Add implementation of JWT VC issuer metadata, see JwtVcIssuerMetadata
    • Pass around decoded data with SdJwtSigned in several result classes like VerifyPresentationResult.SuccessSdJwt
    • Rename disclosures to reconstructedJsonObject in several result classes like AuthnResponseResult.SuccessSdJwt
    • Correctly implement confirmation claim in VerifiableCredentialSdJwt, migrating from JsonWebKey to ConfirmationClaim
    • Change type of claimValue in SelectiveDisclosureItem from JsonPrimitive to JsonElement to be able to process nested disclosures
    • Implement deserialization of complex objects, including array claims
    • Add option to issue nested disclosures, by using ClaimToBeIssued recursively, see documentation there

5.0.1

16 Oct 19:54
  • Update JsonPath4K to 2.4.0
  • Fix XCF export with transitive dependencies
  • Fix verifiable presentation of ISO credentials to contain DeviceResponse instead of a Document
  • Data classes for verification result of ISO structures now may contain more than one document

5.0.0

07 Oct 06:11

Release 5.0.0:

  • Update dependencies to have everything aligned with Kotlin 2.0.20:
    • Kotlin 2.0.20
    • EU PID + MDL Credentials in test scope
    • Serialization 1.7.2 proper
    • JsonPath4K 2.3.0 (with proper Kotlin 2.0.20 support)
    • Signum 3.7.0 (only dependency updates to align everything, no alignments in code)
  • Refactorings:
    • Remove OidcSiopWallet.newDefaultInstance() and replace it with a constructor
    • Remove OidcSiopVerifier.newInstance() methods and replace them with constructors
    • Remove Validator.newDefaultInstance() methods and replace them with constructors
    • Remove WalletService.newDefaultInstance() methods and replace them with constructors
  • API changes
    • Disclosures for SD-JWT (in class SelectiveDisclosureItem) now contain a JsonPrimitive for the value, so that implementers can deserialize the value accordingly
    • Proper registration of serializers for ISO credentials (breaking change), see API in LibraryInitializer
    • Add KeyStoreMaterial to JVM target for convenience
  • Add classes for handling qualified electronic signatures in OpenID flows, acc. to the Cloud Signature Consortium
    • Add TransactionDataEntry class
    • Add DocumentDigestEntry class
    • Add DocumentDigestEntryCSC class
    • Add DocumentLocationsEntry class
    • Add Method class
    • Update InputDescriptors: New member transaction_data, removed member schema
    • Update AuthorizationDetails: Now sealed class with subclasses OpenIdCredential and CSCCredential
    • Extend AuthenticationRequestParameters
    • Extend TokenRequestParameters
    • Extend TokenResponseParameters
  • Update implementation of OpenID for Verifiable Credential Issuance to draft 14 from 2024-08-21
    • In TokenRequestParameters, change transactionCode to String, as it needs to be entered by the user potentially
    • Add extension method to build DPoP headers acc. to RFC 9449, see WalletService
    • Move some fields from IssuerMetadata to OAuth2AuthorizationServerMetadata to match the semantics
    • Remove proof type cwt for OpenID for Verifiable Credential Issuance, as per draft 14, but keep parsing it for a bit of backwards-compatibility
    • Remove binding method for did:key, as it was never completely implemented, but add binding method jwk for JSON Web Keys.
    • Rework interface of WalletService to make selecting the credential configuration by its ID more explicit
    • Support requesting issuance of credential using scope values
    • Introduce OAuth2Client to extract creating authentication requests and token requests from OID4VCI WalletService
    • Refactor SimpleAuthorizationService to extract actual authentication and authorization into AuthorizationServiceStrategy
  • Implement JWE encryption with AES-CBC-HMAC algorithms
  • SIOPv2/OpenID4VP: Support requesting and receiving claims from different credentials, i.e. a combined presentation
    • Require request options on every method in OidcSiopVerifier
    • Move credentialScheme, representation, requestedAttributes from RequestOptions to RequestOptionsCredentials
    • In OidcSiopVerifier move responseUrl from constructor parameter to RequestOptions
    • Add IdToken as result case to OidcSiopVerifier.AuthnResponseResult, when only an id_token is requested and received

4.1.1: VC-K

04 Aug 08:57
519bb06
  • Rebrand
    • Project name: KMM VC Library -> VC-K
    • Artifact names:
      • vclib -> vck
      • vclib-aries -> vck-aries
      • vclib-openid -> vck-openid
  • Rename serializers to avoid ambiguities and kotlin bugs
    • cborSerializer -> vckCborSerializer
    • jsonSerializer -> vckJsonSerializer
    • Introduce jsonSerializer and cborSerializer with deprecation annotation for easier migration in projects consuming VC-K
  • Rename kmp-crypto submodule to signum and update all references
    • this changes the identifier in the version catalog!
  • Update Dependencies
    • Signum (formerly KMP Crypto): 3.6.0
    • Jsonpath4K (formerly Jsonpath): 2.2.0
    • Kotlinx-Serialization 1.8.0-SNAPSHOT from upstream

4.0.0

23 Jul 20:10
  • Add SubmissionRequirement.evaluate: Evaluates, whether a given submission requirement is satisfied.
  • Add PresentationSubmissionValidator:
    • Add isValidSubmission: Evaluates, whether all submission requirements are satisfied, and fails on redundantly submitted credentials.
    • Add findUnnecessaryInputDescriptorSubmissions: Returns a list of redundantly submitted credentials.
  • Rename BaseInputEvaluator -> InputEvaluator
    • Change evaluateFieldQueryResults -> evaluateConstraintFieldMatches: Returns all matching fields now, not just the first match
  • Change Holder.matchInputDescriptorsAgainstCredentialStore: Returns all matching credentials now, not just the first match
  • Do not use or assume DID as key identifiers and subjects in credentials
  • Replace list of attribute types in Issuer.issueCredentials with one concrete CredentialScheme to be passed
  • Remove functionality related to "attachments" to verifiable credentials in JWT format
  • Replace list of credentials to be issued with a single credential that will be issued per call to implementations of IssuerCredentialDataProvider
  • Get rid of class Issuer.IssuedCredentialResult, replacing it with KmmResult<Issuer.IssuedCredential>
  • Add return types to function calls to SubjectCredentialStore
  • Change from list to single credential in parameter for Holder.storeCredentials(), changing name to storeCredential()
  • Refactor AuthenticationRequestParametersFrom used in OidcSiopWallet to be serializable
  • Add AuthenticationResponseFactory: Builds an authentication response from request and response parameters
  • Change OidcSiopWallet:
    • Add startAuthorizationResponsePreparation(): Gathers data necessary for presentation building and yields a AuthorizationResponsePreparationState
    • Add finalizeAuthorizationResponseParameters(): Returns what createAuthenticationParams returned before, but also takes in AuthorizationResponsePreparationState and an optional non-default submission
    • Add finalizeAuthorizationResponse(): Returns what createAuthenticationResponse() did before
  • Change OidcSiopVerifier:
    • Add createAuthnRequestUrlWithRequestObjectByReference() to offer authentication requests by reference to the Wallet
  • Add AuthorizationResponsePreparationState: Holds data necessary for presentation building
  • Add AuthenticationRequestParser: Extracted presentation request parsing logic from OidcSiopWallet and put it here
  • Add AuthorizationRequestValidator: Extracted presentation request validation logic from OidcSiopWallet and put it here
  • Add PresentationFactory: Extracted presentation response building logic from OidcSiopWallet and put it here
    • Also added some code for presentation submission validation
  • Update implementation of OpenID 4 Verifiable Credential Issuance, draft 13
  • Replace createCredentialRequestJwt() and createCredentialRequestCwt() with createCredentialRequest() in WalletService for OID4VCI
  • Refactor createTokenRequestParameters() in WalletService for OID4VCI to account for authorization code or pre-auth code

3.8.0

21 Jun 09:13

Release 3.8.0:

  • Kotlin 2.0.0
  • Gradle 8.8
  • Bouncy Castle 1.78.1
  • Kotest 5.9.1
  • Ktor 2.3.11
  • kotlinx.datetime 0.6.0
  • kotlinx.coroutines 1.8.1
  • KmmResult 1.6.0
  • Serialization 1.7.1-SNAPSHOT
  • Extract credential classes for Mobile Driving Licence according to ISO 18013-5 into separate library, see https://github.com/a-sit-plus/mobile-driving-licence-credential
  • Implementers need to specify supported credential representations in CredentialScheme
  • Update CredentialScheme to split up properties for representations
  • Refactor methods in LibraryInitializer, deprecating the old ones, to accommodate additional parameters for serializing ISO credentials
  • Update SD-JWT implementation to include sd_hash
  • Update SIOPv2 implementation to increase interoperability
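The SD-JWT items in these notes (the sd_hash added in 3.8.0, disclosure values that may be any JSON element and the confirmation claim from 5.0.0 and 5.1.0, and the verifier identifier as audience from 5.2.0) all rest on the same few mechanics. The following is an added example written for this page, not code from vck: the issuer builds the _sd digests, the holder presents a subset of the disclosures with a key binding JWT whose sd_hash covers exactly that presentation, and the verifier recomputes everything before accepting a claim. HS256 with the constructed DEMO_ISSUER_KEY and DEMO_HOLDER_KEY is an assumption made only so the block runs with the Python standard library; real SD-JWTs are signed with asymmetric issuer and holder keys, and cnf carries the holder's JWK rather than the bare kid used here.

```python
# Added example (not vck code): SD-JWT disclosure digests, selective presentation and the
# sd_hash that binds the KB-JWT to exactly the disclosures sent. HS256 with constructed demo
# keys stands in for the asymmetric issuer and holder (cnf) signatures used in practice.
import base64
import hashlib
import hmac
import json
import secrets
import time

DEMO_ISSUER_KEY = b"constructed-issuer-key"  # assumption: stand-in for the issuer's signing key
DEMO_HOLDER_KEY = b"constructed-holder-key"  # assumption: stand-in for the key referenced by cnf


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(claims: dict, key: bytes, typ: str) -> str:
    """Compact JWS; HS256 here only so the example runs without a crypto library."""
    header = b64url(json.dumps({"alg": "HS256", "typ": typ}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    return f"{header}.{payload}." + b64url(hmac.new(key, signing_input, hashlib.sha256).digest())


def verify_jws(jws: str, key: bytes, typ: str) -> dict:
    header, payload, sig = jws.split(".")
    if json.loads(b64url_decode(header)).get("typ") != typ:
        raise ValueError(f"unexpected JWS type, wanted {typ}")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload))


def make_disclosure(name: str, value) -> str:
    """Disclosure = base64url(JSON [salt, name, value]); value is any JSON element, not only a primitive."""
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())


def disclosure_digest(disclosure: str) -> str:
    # hashed over the base64url string itself, exactly as it is transported
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue(always_visible: dict, disclosable: dict, holder_kid: str) -> str:
    """Issuer side: returns <issuer JWT>~<disclosure>~...~ with every disclosure attached."""
    disclosures = [make_disclosure(name, value) for name, value in disclosable.items()]
    payload = dict(always_visible)
    payload["_sd"] = sorted(disclosure_digest(d) for d in disclosures)  # sorted so order leaks nothing
    payload["_sd_alg"] = "sha-256"
    payload["cnf"] = {"kid": holder_kid}  # binds the holder key; a real cnf carries a JWK
    return "~".join([sign_jws(payload, DEMO_ISSUER_KEY, "vc+sd-jwt"), *disclosures]) + "~"


def present(sd_jwt: str, reveal: set, aud: str, nonce: str) -> str:
    """Holder side: keep only the chosen disclosures, then add a KB-JWT whose sd_hash covers them."""
    issuer_jwt, *disclosures = [p for p in sd_jwt.split("~") if p]
    chosen = [d for d in disclosures if json.loads(b64url_decode(d))[1] in reveal]
    presentation = "~".join([issuer_jwt, *chosen]) + "~"
    kb_claims = {
        "aud": aud,  # the verifier's identifier (its client_id), not a key identifier
        "nonce": nonce,
        "iat": int(time.time()),
        "sd_hash": b64url(hashlib.sha256(presentation.encode("ascii")).digest()),
    }
    return presentation + sign_jws(kb_claims, DEMO_HOLDER_KEY, "kb+jwt")


def verify_presentation(presented: str, expected_aud: str, expected_nonce: str) -> dict:
    """Verifier side: issuer signature, key binding, sd_hash, then reconstruct the disclosed claims."""
    head, kb_jwt = presented.rsplit("~", 1)
    if not kb_jwt:
        raise ValueError("missing key binding JWT")
    issuer_jwt, *disclosures = head.split("~")
    payload = verify_jws(issuer_jwt, DEMO_ISSUER_KEY, "vc+sd-jwt")
    # a real verifier selects the holder key from payload["cnf"]; the demo has one fixed key
    kb = verify_jws(kb_jwt, DEMO_HOLDER_KEY, "kb+jwt")
    if kb.get("aud") != expected_aud or kb.get("nonce") != expected_nonce:
        raise ValueError("KB-JWT not bound to this verifier and request")
    expected_sd_hash = b64url(hashlib.sha256((head + "~").encode("ascii")).digest())
    if not hmac.compare_digest(kb.get("sd_hash", ""), expected_sd_hash):
        raise ValueError("sd_hash mismatch: disclosures were altered after key binding")
    claims = {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")}
    for d in disclosures:
        if disclosure_digest(d) not in payload["_sd"]:
            raise ValueError("disclosure was not issued with this credential")
        _salt, name, value = json.loads(b64url_decode(d))
        if name in claims:
            raise ValueError(f"duplicate claim {name}")
        claims[name] = value
    return claims
```

The order of checks matters: the verifier only reconstructs claims after the issuer signature, the key binding signature, aud/nonce and sd_hash have all passed, so a presentation with an added or swapped disclosure is rejected before any claim value is read. Disclosure values here are arbitrary JSON (an object for address), which is the reason for the JsonPrimitive to JsonElement change noted in 5.1.0.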

3.7.0

20 Jun 07:48
  • Add OAuth2AuthorizationServerMetadata data class which implements RFC8414
  • Change usage of OidcUserInfo in interfaces to OidcUserInfoExtended, to also deserialize unknown properties
  • OID4VCI: WalletService: Replace parameters containing whole authentication parameters with single parameters holding code and state
  • Change several integer properties to durations, e.g. expirations (in seconds) for OIDC data classes
  • In SupportedCredentialFormat replace claims with isoClaims and sdJwtClaims to be able to handle both formats defined in OID4VCI Draft 13
  • Wrap exceptions during deserialization in KmmResult, i.e. changing all deserialize() methods in companion objects
  • OidcSiopWallet: Rename newInstance() to newDefaultInstance(), to align it with other factory methods
  • OidcSiopWallet: Rename retrieveAuthenticationRequestParameters() to parseAuthenticationRequestParameters(), changing result type to KmmResult<AuthenticationRequestParameters>
  • OidcSiopWallet: Support getting presentation definition remotely, with presentation_definition_uri from OpenId4VP
  • Be more lenient when parsing several authentication request parameters
  • Add VerifiablePresentationFactory: Used to have a separate place for creating verifiable presentations, HolderAgent got a little cramped
  • Change OidcSiopVerifier.validateAuthnResponse: Supports new presentation semantics, where the vp_token may be an array of verifiable presentations.
  • Change OidcSiopWallet.createAuthnResponseParams: Feed the newly required parameters to Holder.createPresentation; Changed output semantics to potentially submit a list of verifiable presentations
  • Change HolderAgent.createPresentation: Changed function signature; Changed output semantics.
  • Add BaseInputEvaluator: Input evaluator according to DIF.PresentationExchange 2.0.0
  • Refactor AuthenticationRequestParametersFrom to contain parsed parameters and their source
  • Update KMP-Crypto to 3.1.0, to support JWE and ECDH-ES
  • SIOPv2: Implement x509_san_dns and x509_san_uri client ID schemes
  • Refactor OpenIdConstants to contain sealed classes, where appropriate

3.6.1

02 May 16:02
  • Update to KMP-Crypto 2.6.0

3.6.0

02 May 08:24
  • Self-Issued OpenID Provider v2:
    • OidcSiopWallet.AuthenticationResponseResult.Post: Replace property body: String with params: Map<String, String>, to be posted to the Relying Party. Clients may call extension function at.asitplus.wallet.lib.oidvci.formUrlEncode on params to get the encoded body for HTTP calls.
    • Move JsonWebKeySet to library at.asitplus.crypto:datatypes-jws
    • DefaultVerifierJwsService may load public keys for verifying JWS from a JWK Set URL in the header, see constructor argument jwkSetRetriever (cf. OidcSiopWallet)
    • OidcSiopWallet and OidcSiopVerifier implement response mode direct_post.jwt, as per OpenID for Verifiable Presentations draft 20
    • OidcSiopVerifier: Add constructor parameter attestationJwt to create authentication requests as JWS with a Verifier Attestation JWT in header jwt (see OpenId4VP draft 20)
    • OidcSiopVerifier: Rename createAuthnRequestAsRequestObject() to createAuthnRequestAsSignedRequestObject(), also changing the return type
    • OidcSiopVerifier: Add option to set client_metadata_uri instead of embedding client metadata in authentication requests
    • OidcSiopVerifier: Refactor list of parameters for customizing authentication requests to single data class RequestOptions
    • OidcSiopWallet: Rename constructor parameter jwkSetRetriever to a more general remoteResourceRetriever, to use it for various parameters defined by reference
    • OidcSiopWallet: Replace constructor parameter verifierJwsService with requestObjectJwsVerifier to allow callers to verify JWS objects with a pre-registered key (as in the OpenId4VP client ID scheme "pre-registered")
    • Get rid of collections in serializable types and use sets instead
  • OpenID for Verifiable Credential Issuance:
    • Implement OpenID for Verifiable Credential Issuance draft 13, from 2024-02-08
    • Rename IssuerService to CredentialIssuer
    • Implement RFC 7636 Proof Key for Code Exchange for OpenID for Verifiable Credential Issuance implementations, i.e. IssuerService/CredentialIssuer and WalletService
    • IssuerService/CredentialIssuer: Make public API functions suspending, also return KmmResult to transport exceptions
    • IssuerService/CredentialIssuer: Change parameter of credential() from authorizationHeader to accessToken, requiring the plain access token
    • IssuerService/CredentialIssuer: Extract responsibilities of an OAuth Authorization Server into AuthorizationService
    • WalletService: Make public API functions suspending
    • WalletService: Implement proving possession of private key with CBOR Web Tokens
    • WalletService: Move constructor parameters to requestOptions for every method call
    • Get rid of collections in serializable types and use sets instead
  • Dependency updates
    • Conventions 1.9.23+20240410
      • Ktor 2.3.10
      • Auto-publish version catalogs
  • Issuer: Change cryptoAlgorithms from Collection to Set
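RFC 7636 Proof Key for Code Exchange, which the 3.6.0 notes above say is implemented on both IssuerService/CredentialIssuer and WalletService, is small enough to show end to end. The following is an added example for this page, not vck's own code: the wallet side generates the code_verifier and its S256 code_challenge, and a constructed in-memory AuthorizationServer (an assumed stand-in, not a vck class) remembers the challenge per authorization code and checks the verifier at the token endpoint, refusing the plain method, replayed codes and malformed verifiers.

```python
# Added example (not vck code): RFC 7636 PKCE with the S256 method, both the client side
# (code_verifier and code_challenge) and the authorization server's check at the token endpoint.
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43..128 characters from the unreserved set
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """32 random bytes -> 43 base64url characters, the RFC minimum length."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed in-memory AS: remembers the challenge per code and checks it on redemption."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}

    def authorize(self, challenge: str, method: str) -> str:
        # 'plain' sends the verifier itself as the challenge and protects nothing; refuse it
        if method != "S256":
            raise ValueError("code_challenge_method must be S256")
        code = b64url(secrets.token_bytes(32))
        self._pending[code] = challenge
        return code

    def token(self, code: str, verifier: str) -> bool:
        challenge = self._pending.pop(code, None)  # pop: a code is redeemable exactly once
        if challenge is None or not _VERIFIER_RE.fullmatch(verifier):
            return False
        # constant-time comparison of the recomputed challenge against the stored one
        return hmac.compare_digest(code_challenge(verifier), challenge)


def pkce_flow(server: AuthorizationServer) -> bool:
    """Client side: challenge goes in the authorization request, verifier only in the token request."""
    verifier = new_code_verifier()
    code = server.authorize(code_challenge(verifier), "S256")
    return server.token(code, verifier)
```

The verifier never leaves the wallet until the token request, so an authorization code captured from the redirect cannot be redeemed without it; a failed redemption also consumes the code, which is why the server pops the entry before comparing.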