0.20

0.20.1

Highlights

  • Implemented issuer2 SD-JWT fixes with updated profile handling, service configuration, and examples for selective disclosure credentials.
  • Enhanced security with role management fixes and additional user permission tests covering host alias API permissions.
  • Added APP_VERSION display in Docker builds and admin navigation for better deployment visibility.

Features

Issuer2 Enhancements

  • Fixed issuer2 SD-JWT profile handling and service configuration.
  • Updated issuer2 examples for selective disclosure credentials.
  • Added Auth Provider configuration for issuer2.
  • Updated issuer2 client authentication config and metadata.
  • Updated issuer2 client verification logic.
  • Added preAuthorizedGrantAnonymousAccessSupported in the default metadata.

Platform and UI

  • Added APP_VERSION to Docker builds and display version in admin navigation.
  • Moved X.509 service and X.509 store management pages with updated navigation links.
  • Removed unused certificate details and formatDate function.

Fixes and improvements

  • Fixed Wallet showing all keys in all KMS instances.
  • Moved the APP_VERSION ARG and ENV to the release stage in the Dockerfile.
  • Security fixes for Role Management.
  • Fixed duplicate imports after merge.
  • Fixed keycloak test.
  • Fixed issuerSigningKey handling.
  • Fixed issuer2 package renaming and missing-package issues.
  • Removed println and made verifyCertificateChain suspend.
  • Simplified ServiceDependencies component.
  • Fixed TypeScript errors in UI components.
  • Added regression guard for previous fixes.

Breaking Changes

The DID Documents response now conforms to the did:web specification (https://w3c-ccg.github.io/did-method-web). The response was previously wrapped in a content object; that wrapper has been removed.

Before:

{
  "content": {
    "context": [
      "https://www.w3.org/ns/did/v1",
      "https://w3id.org/security/suites/jws-2020/v1"
    ],
    "id": "did:web:nec.enterprise-demo.dev-quantum.necdp.com:nec.TestMobile2.test2.test2-did-registry:issuer-test-2-new",
    "verificationMethod": [
      {
        "id": "did:web:nec.enterprise-demo.dev-quantum.necdp.com:nec.TestMobile2.test2.test2-did-registry:issuer-test-2-new#issuer-test-2-secp256r1-key",
        "type": "JsonWebKey2020",
        "controller": "did:web:nec.enterprise-demo.dev-quantum.necdp.com:nec.TestMobile2.test2.test2-did-registry:issuer-test-2-new",
        "publicKeyJwk": {
          "kty": "EC",
          "crv": "P-256",
          "kid": "issuer-test-2-secp256r1-key",
          "x": "zzM9z4mHthO8fkNZGzSzuJbFVeyElVjmCOMt38pdvbo",
          "y": "Dgn8HiW8NdQhjgVgE_ux8YRxAwKmdDl9FxTq0wbDewc"
        }
      }
    ],
    "assertionMethod": [
      "did:web:nec.enterprise-demo.dev-quantum.necdp.com:nec.TestMobile2.test2.test2-did-registry:issuer-test-2-new#issuer-test-2-secp256r1-key"
    ],
    "authentication": [
      "did:web:nec.enterprise-demo.dev-quantum.necdp.com:nec.TestMobile2.test2.test2-did-registry:issuer-test-2-new#issuer-test-2-secp256r1-key"
    ],
    "capabilityDelegation": [
      "did:web:nec.enterprise-demo.dev-quantum.necdp.com:nec.TestMobile2.test2.test2-did-registry:issuer-test-2-new#issuer-test-2-secp256r1-key"
    ],
    "capabilityInvocation": [
      "did:web:nec.enterprise-demo.dev-quantum.necdp.com:nec.TestMobile2.test2.test2-did-registry:issuer-test-2-new#issuer-test-2-secp256r1-key"
    ],
    "keyAgreement": [
      "did:web:nec.enterprise-demo.dev-quantum.necdp.com:nec.TestMobile2.test2.test2-did-registry:issuer-test-2-new#issuer-test-2-secp256r1-key"
    ]
  }
}

After:

{
    "context": [
        "https://www.w3.org/ns/did/v1",
        "https://w3id.org/security/suites/jws-2020/v1"
    ],
    "id": "did:web:nec.enterprise-demo.dev-quantum.necdp.com:nec.TestMobile2.test2.test2-did-registry:issuer-test-2-new",
    "verificationMethod": [
        {
            "id": "did:web:nec.enterprise-demo.dev-quantum.necdp.com:nec.TestMobile2.test2.test2-did-registry:issuer-test-2-new#issuer-test-2-secp256r1-key",
            "type": "JsonWebKey2020",
            "controller": "did:web:nec.enterprise-demo.dev-quantum.necdp.com:nec.TestMobile2.test2.test2-did-registry:issuer-test-2-new",
            "publicKeyJwk": {
                "kty": "EC",
                "crv": "P-256",
                "kid": "issuer-test-2-secp256r1-key",
                "x": "zzM9z4mHthO8fkNZGzSzuJbFVeyElVjmCOMt38pdvbo",
                "y": "Dgn8HiW8NdQhjgVgE_ux8YRxAwKmdDl9FxTq0wbDewc"
            }
        }
    ],
    "assertionMethod": [
        "did:web:nec.enterprise-demo.dev-quantum.necdp.com:nec.TestMobile2.test2.test2-did-registry:issuer-test-2-new#issuer-test-2-secp256r1-key"
    ],
    "authentication": [
        "did:web:nec.enterprise-demo.dev-quantum.necdp.com:nec.TestMobile2.test2.test2-did-registry:issuer-test-2-new#issuer-test-2-secp256r1-key"
    ],
    "capabilityDelegation": [
        "did:web:nec.enterprise-demo.dev-quantum.necdp.com:nec.TestMobile2.test2.test2-did-registry:issuer-test-2-new#issuer-test-2-secp256r1-key"
    ],
    "capabilityInvocation": [
        "did:web:nec.enterprise-demo.dev-quantum.necdp.com:nec.TestMobile2.test2.test2-did-registry:issuer-test-2-new#issuer-test-2-secp256r1-key"
    ],
    "keyAgreement": [
        "did:web:nec.enterprise-demo.dev-quantum.necdp.com:nec.TestMobile2.test2.test2-did-registry:issuer-test-2-new#issuer-test-2-secp256r1-key"
    ]
}
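A client-side helper for this change, written as an added example (not code from the project): it accepts both the old wrapped response and the new bare document, then runs the consistency checks a verifier should apply before trusting any key it finds. The DID, key values and sample responses are constructed placeholders, and relationship entries are handled as string references, the form shown above.

```python
import json
from typing import Any

# Constructed sample in the two shapes the changelog describes: before 0.20.1 the
# DID document was wrapped in a "content" object; from 0.20.1 it is the body itself.
DID = "did:web:example.invalid:registry:issuer-demo"   # placeholder DID
DOC = {
    "context": ["https://www.w3.org/ns/did/v1", "https://w3id.org/security/suites/jws-2020/v1"],
    "id": DID,
    "verificationMethod": [{
        "id": DID + "#key-1", "type": "JsonWebKey2020", "controller": DID,
        "publicKeyJwk": {"kty": "EC", "crv": "P-256", "kid": "key-1", "x": "X", "y": "Y"},
    }],
    "assertionMethod": [DID + "#key-1"],
    "authentication": [DID + "#key-1"],
}
OLD_RESPONSE = json.dumps({"content": DOC})   # pre-0.20.1 wrapper
NEW_RESPONSE = json.dumps(DOC)                 # 0.20.1 and later

RELATIONSHIPS = ("assertionMethod", "authentication", "capabilityDelegation",
                 "capabilityInvocation", "keyAgreement")


def unwrap_did_document(body: str) -> dict[str, Any]:
    """Accept both response shapes so a client keeps working across the upgrade."""
    doc = json.loads(body)
    if isinstance(doc, dict) and set(doc) == {"content"} and isinstance(doc["content"], dict):
        doc = doc["content"]  # strip the pre-0.20.1 wrapper
    if not isinstance(doc, dict) or "id" not in doc or "verificationMethod" not in doc:
        raise ValueError("response is not a DID document")
    return doc


def check_did_document(doc: dict[str, Any]) -> list[str]:
    """Consistency checks to run before trusting keys from the document."""
    problems: list[str] = []
    did = doc["id"]
    known: set[str] = set()
    for vm in doc["verificationMethod"]:
        vm_id = vm.get("id", "")
        known.add(vm_id)
        if not vm_id.startswith(did + "#"):   # key id must be a fragment of the DID
            problems.append(f"{vm_id} is not a fragment of the document id")
        if vm.get("controller") != did:       # foreign controller: do not trust the key
            problems.append(f"{vm_id} is controlled by {vm.get('controller')}, not {did}")
    for rel in RELATIONSHIPS:                 # every referenced key must be defined
        for ref in doc.get(rel, []):
            if ref not in known:
                problems.append(f"{rel} references unknown key {ref}")
    return problems
```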

Client Attestation configuration in the Issuer2 API has been updated:

Before:

clientAttestationConfig = {
    required: true,
    verificationMethod: {
        type: 'static-jwk',
        jwk: { ... },
    },
    clockSkewSeconds: 300,
    replayWindowSeconds: 300,
}

After:

clientAuthenticationConfig = {
    supportedMethods: [
        {
            type: "client-attestation",
            config: {
                verificationMethod: {
                    type: 'static-jwk',
                    jwk: { ... }
                },
            },
        },
    ],
}
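A migration helper for this config change, added here as an example rather than project code: it moves verificationMethod into the new supportedMethods shape and returns the old keys the changelog gives no new home for (required, clockSkewSeconds, replayWindowSeconds) so the operator can confirm attestation is still enforced after the upgrade. The profile dict and JWK values are constructed placeholders.

```python
from typing import Any

# Constructed pre-0.20.1 issuer2 profile fragment in the shape shown above;
# the JWK is a placeholder, not a real key.
OLD_PROFILE: dict[str, Any] = {
    "profileId": "demo-profile",
    "clientAttestationConfig": {
        "required": True,
        "verificationMethod": {
            "type": "static-jwk",
            "jwk": {"kty": "EC", "crv": "P-256", "x": "X", "y": "Y"},
        },
        "clockSkewSeconds": 300,
        "replayWindowSeconds": 300,
    },
}


def migrate_client_attestation(profile: dict[str, Any]) -> tuple[dict[str, Any], dict[str, Any]]:
    """Return (migrated profile, old keys with no mapping in the new shape)."""
    old = profile.get("clientAttestationConfig")
    if old is None:
        return profile, {}   # nothing to migrate
    if "clientAuthenticationConfig" in profile:
        raise ValueError("profile already has clientAuthenticationConfig; refusing to overwrite")
    vm = old.get("verificationMethod")
    if not isinstance(vm, dict) or "type" not in vm:
        raise ValueError("clientAttestationConfig.verificationMethod is missing or malformed")
    migrated = {k: v for k, v in profile.items() if k != "clientAttestationConfig"}
    migrated["clientAuthenticationConfig"] = {
        "supportedMethods": [
            {"type": "client-attestation", "config": {"verificationMethod": vm}},
        ],
    }
    # Keys the changelog does not carry into the new shape; review them by hand.
    unmapped = {k: v for k, v in old.items() if k != "verificationMethod"}
    return migrated, unmapped
```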

0.20.0

Highlights

  • New Trust Registry Service for managing ETSI trust lists (TSL, LoTE) for credential verification against official trust frameworks.
  • New Client Attestation Service for issuing and verifying wallet attestations for secure credential issuance flows.
  • OpenID4VCI 1.0 support in the Wallet Service, marking the completion of our 1.0 support across all services.
  • Improved external IAM integration to connect with external OIDC providers for authentication.
  • External role mapping API with database-backed mappings, RESTful endpoints, and demo app UI for enterprise authentication flows. Supports dynamic redirect URLs and RP-initiated logout.
  • Enterprise Service security refactoring for Issuer 1/2, Verifier 1/2, and Wallet services with interface-based implementations, automatic dependency detection, and granular permission control. Major architectural improvement enabling better testability and security isolation.
  • X.509 Store and VICAL services rebuilt with proper persistence, user-permission proxies, and service-level certificate storage with cross-store linking support. Certificate IDs are now derived from target paths with full delete support.

Features

Enterprise Service Security

  • Secured Issuer 1 and Issuer 2 Enterprise Services with interface-based implementation pattern and automatic KMS dependency detection.
  • Refactored Verifier 1/2 Services to follow the same secure pattern with dedicated interface and implementation classes.
  • Implemented Enterprise Service Wallet split into legacy and new v2 OpenID4VCI flows with mDoc support.
  • Added user permission proxy implementations for credential stores, policy stores, and client attesters.
  • Added comprehensive wallet permission tests to validate the security model.

X.509 Store and VICAL Services

  • Fixed X.509 store persistence with service-side repository logic and proper certificate ID handling.
  • Updated X.509 service certificate creation to accept optional storedCertificateId and store issued certificates across linked X.509 stores.
  • Added delete support and completed user-permission proxy coverage for X.509 store operations.
  • Moved VICAL storage logic into private service-local repository and added VICAL service user-permission proxy support.
  • Adjusted VICAL registry/publication controllers for response status and artifact format parsing.

Issuer2 and OpenID4VCI

  • Added issuanceSessionId to credential offer requests and access tokens for O(1) credential endpoint lookups.
  • Added correlationId (callId) to callback events for session tracking.
  • Enriched issuance session with id, format, and status information.
  • Added support for issuer state forwarding.
  • Improved profile update to ignore certain keys (profileId, status, version, createdAt, updatedAt) for better developer experience.

Client Attestation and EUDI Compatibility

  • Implemented client attestation support with configurable validation.
  • Extended lenient mode to gracefully skip verification when signature validation fails.
  • Added issuer state in redirect for EUDI wallet compatibility.
  • Ensured clientAttestationConfig is properly copied during config updates.
  • Updated swagger example with lenient configuration for EUDI wallet demos.

Credential Status

  • Added test coverage for multiple status values.
  • Resolved hex and binary mixed usage in CWT credentials.
  • Added TSL CWT to the e2e journey.
  • Added support for DID-based header in token status lists.

Trust Registry

  • Added a trust registry service and policy allowing for credential verification against official trust frameworks.
  • Fixed trust registry sourceId handling by moving to target path (consistent with KMS, X.509-store patterns).
  • Fixed Unit body handling in documentedPost for no-body POST endpoints.
  • Added trust registry support aligned with OSS trust registry library.

Auth and External Role Mapping

  • Implemented database-backed external role mappings with RESTful API.
  • Added external role mapping UI to demo app with payload editor and field documentation.
  • Fixed external role mapping resolution during auth.
  • Added allowedRedirectUrls to auth config documentation.
  • Added Keycloak package for Enterprise authentication with setup guides.

Wallet Service

  • Added support for OpenID4VCI 1.0 to the Wallet API.
  • Added DID Service support in wallet creation process.
  • Fixed wallet init to return created resources (keyId and didId).
  • Added swagger examples for new wallet routes.

Platform

  • Migrated HTTP clients to unified web data fetching abstraction with CIO engine.
  • Added load testing scripts and infrastructure improvements.

Fixes and improvements

  • Fixed BSON issue in enterprise services.
  • Fixed credential metadata display.
  • Fixed assignRoleToApiKey double-stringify in demo app.
  • Fixed coroutine context conflict in tenant permissions listing.
  • Fixed old reference in credential status.
  • Added Swagger examples for creating plain KMS and generating keys.
  • Updated OpenAPI docs and examples for X.509 service and VICAL storage behavior.
  • Fixed integration tests workflows.

Breaking changes

  • X.509 Store API: The X.509 store add/update flows now use service-level targets with certificate IDs derived from the target path. Clients using the old certificate store APIs must migrate to the new request models.

Last updated on May 19, 2026