Kinegram Document Validation Service - Change Log

1.15.5

• Internal changes for our SaaS deployment (no changes for on-premise users)

1.15.4

• Fix issue with empty RESULT_SERVER_URLS

1.15.3

• Internal changes for our SaaS deployment (no changes for on-premise users)

1.15.2

• Fix DG2 face image extraction of malformed Qatar passports

1.15.1

• Fix monitoring logs not having validation_id MDC field

1.15.0

• Add MDC (Mapped Diagnostic Context) fields to log messages
  • trace_id: OpenTelemetry trace ID
  • validation_id: The validation ID from the client’s start message
• Update default Logback configuration to display MDC fields conditionally
• Remove hardcoded Session <id>: from logs in favor of MDC fields

1.14.3

• Fix handling access control failures on v1

1.14.2

• Improve access key validation

1.14.1

• Improve access key validation

1.14.0

• Add support for Prometheus metrics (see Telemetry documentation for more information)

1.13.3

• Fix a bug introduced in 1.13.2 that the server always responds with a POST_TO_RESULT_SERVER_FAILED when no result server is configured.

1.13.2

• Include missing CLOSE message in OTEL traces
• Update CSCA Master List

1.13.1

• Update version of internal dependencies
• Switch Docker base image from eclipse-temurin:17-jre-alpine to amazoncorretto:17-alpine

1.13.0

• Add support for new new ISO/IEC 39794-5 DG2 format

1.12.0

• Logstash Logback Encoder is now available when using custom logback configurations

1.11.3

• Fix PA on passports with malformed certificate (e.g., lebanese passports)
• Update CSCA Master List

1.11.2

• Fallback to non-SFI mode on errors when reading DG1 in SFI mode
• Extend data captured during diagnostic sessions

1.11.1

• Increase idle timeout for websocket

1.11.0

• Introduce retry and timeout mechanic for result messages
  • Posting to the result server now has a timeout of 3s instead of waiting indefinitely
  • Failed requests are retried on connection errors as well as 408, 429, and 5xx response codes
• Extend data captured during diagnostic sessions

1.10.5

• Use SFI mode to read DG1

1.10.4

• Fix failing Chip Authentication on certain passports
• Update CSCA Master List

1.10.3

• Add Vietnam ID master file selection fallback
• Update CSCA Master List

1.10.2

• Update CSCA Master List

1.10.1

• Fix OTEL logs being logged twice
• Fix support for multiple Master Lists
• Update CSCA Master List

1.10.0

• Extend information in GET /certificate-list endpoint

1.9.3

• Update CSCA Master List

1.9.2

• Fix active_authentication_result in result message not being sent when unavailable

1.9.1

• Update CSCA Master List

1.9.0

• Add new monitoring messages to WebSocket v2 protocol for diagnostic sessions

1.8.0

• Add new WebSocket v2 API
  • Significantly improves reading speed on high-latency internet connections
  • Requires version 2.x of mobile SDKs
• Deprecate WebSocket v1 API
  • Still available for backwards compatibility with 1.x mobile SDKs

1.7.2

• Fix duplicate calls to websocket handshake authorization validation endpoint

1.7.1

• Fix WS_HANDSHAKE_AUTHORIZATION_VALIDATION_ENABLED environment variable not working due to wrong name
• Update 3rd-party dependencies to their latest version
• Switch Docker base image from Ubuntu Focal (20) to Alpine Linux
• Update CSCA Master List

1.7.0

• Add new enable_diagnostics option to websocket start message (supported by the latest versions of the eMRTD Connector SDKs). When enabled, attaches additional diagnostic data to OpenTelemetry traces.

1.6.3

• Fix InvalidKeyException when reading certain passports

1.6.2

• Update dependency versions (BouncyCastle)

1.6.1

• Fix reading of Moroccan, Latvian and probably other national ID cards

1.6.0

• Add new optional feature to handle Authorization header during websocket handshake (see installation guide for more information).
• Update CSCA Master List

1.5.0

• Add support and documentation for OpenTelemetry
• Improve and extend logging, tracing and metrics
• Remove undocumented logging into validation_web_socket.log file if a log directory is mounted. If you relied on this feature, please refer to the new logging documentation for alternatives.

1.4.9

• Fix optional_data_1 field in MRZ info containing duplicate content

1.4.8

• Fix issue with Australian ePassports series R from 2023 and newer

1.4.7

• Add new optional SERVER_NAME environment variable to configure a server name
• Add new GET /server-info endpoint to get server information (name and version)
• Deprecate GET /version endpoint

1.4.6

• Simplify CA certificate configuration with new TRUST_STORE_PATH and TRUST_STORE_PASSWORD environment variables

1.4.5

• Fix a bug introduced in 1.4.4 where BAC fails on some passports

1.4.4

• Optimize communication with chip (improves speed)

1.4.3

• Update CSCA Master List
• Add support for OpenAPI and Swagger (see Install Guide on how to enable them)
• Add HTTP API endpoint ‘/actuator/health’ for health-checks

1.4.2

• Add logging for demo clients in on-premise installation

1.4.1

• Fix NullPointerException when DG14 is not present

1.4.0

• Update CSCA Master List
• Update JMRTD dependency to the latest version
• Major internal refactorings

1.3.5

• Allow overwriting of default trusted certificates for on-premise

1.3.4

• Set the response headers of the HTTP API endpoint ‘/version’ to allow cross-origin access

1.3.3

• Verify Not Before date of CSCA certificates
• Add HTTP API endpoint ‘/certificate-list’ to show supported countries and organizations in documentation

1.3.2

• Also try SHA1 for Active Authentication ECDSA Signature verification if DG14 includes no ActiveAuthenticationInfo and SHA256 failed (Ukraine passports)
• Fix invalid ECDSA signature algorithms for Active Authentication
• Update CSCA Master List

1.3.1

• Default to SHA256 for Active Authentication ECDSA signature verification if DG14 includes no ActiveAuthenticationInfo
• Update CSCA Master List

1.3.0

• MRZ-Info (TD3 documents): optional_data1 will no longer contain the trailing check digit!
• Verify SODs with ECDSA-signatures where ASN1-DER-encoded Integers (R / S) have 9+ (instead of 1-8) leading 0 bits.
• Update CSCA Master List
• Update Dependencies (JMRTD, Bouncy-Castle, Spring-Boot) to their latest version

1.2.39

• Update CSCA Master List

1.2.38

• Actually include missing JP2-Decoder

1.2.37

• Parse all kinds of JPEG2000 (JP2) images (face photo)
• Do not re-encode images that are already in JPEG format
• Update to Spring-Boot framework to version 3.2.2

1.2.36

• Update CSCA Master List

1.2.35

• Fix /version endpoint

1.2.34

• Update CSCA Master List
• Support eMRTDs without Access Control
• Update to Spring-Boot framework to version 3.2.1

1.2.33

• Update CSCA Master List

1.2.32

• Update CSCA Master List

1.2.31

• Update CSCA Master List
• Fix Active Authentication (with RSA) bug

1.2.30

• Update CSCA Master List
• Avoid internal server error if Active Authentication (RSA) fails

1.2.29

• Update CSCA Master List

1.2.28

• Update CSCA Master List

1.2.27

• Include validationID in server log messages

1.2.26

• Extend and save logging for WebSocket service
• Update CSCA Master List
• Update documentation

1.2.25

• Update CSCA Master List
• Update to Spring-Boot framework to version 3.0.5

1.2.24

• Update CSCA Master List
• Update to Spring-Boot framework to version 3.0.3

1.2.23

• Update CSCA Master List
• Use eclipse-temurin:17-jre-focal as base image
• Update to Spring-Boot framework to version 3.0.2

1.2.21

• Increase StartMessage-Timeout to 5 seconds

1.2.20

• Update CSCA Master List

1.2.19

• Update CSCA Master List

1.2.18

• Fix bug in Active Authentication Protocol (WebSocket API)

1.2.17

• Set Parameter Reference during PACE if Domain Parameters are ambiguous (ICAO 9303 Part 11 Chapter 4.4.4)

1.2.16

• Update CSCA Master List

1.2.15

• Include binary files (SOD and DataGroups) base64 encoded in the Result JSON Only when WebSocket API is used. Configurable via environment variable.

1.2.14

• Docker Image has no changes compared to 1.2.13
• Internal CI and Deployment configuration for the KURZ datacenter “LKIS” was updated

1.2.13

• Update CSCA Master List

1.2.12

• Update CSCA Master List

1.2.11

• AccessLog: Do not log requests with path “/”

1.2.10

• Use openjdk:11-jre as base image for Docker container
• Fix typos in documentation
• Increase max-idle-time for WebSocket connection

1.2.9

• Minor improvements to container entrypoint script (start.sh)

1.2.8

• Configure proxy with environment variables

1.2.7

• Update CSCA Master List

1.2.6

• Minor additions to the documentation

1.2.5

• Close WebSocket Connection with proper Close Code if provided Access Key is empty

1.2.4

• Update and extend documentation
• Improve WebSocket Interface “ws1/validate”

1.2.3

• Fix bug that could have resulted in expired document certificates being considered as valid
• Update CSCA Master List
• Improve Description of CA / AA in Documentation
• Explicitly mention the Date of Expiry from the MRZ/DG1 in the documentation
• Add section “Additional JSON Fields may be added in the future” to emrtd_result.md
• Improve formatting in Documentation
• Improvements to WebSocket Interface that connects to eMRTD NFC Chips

1.2.2

• Enable TomCat Access Log
• Improve Exception handling during “ws1/validate”

1.2.1

• Add “SIGNATURE_VERIFY_EXCEPTION” as a possible error to passive_authentication_details

1.2.0

• Add WebSocket Interface for Full Server Verification of eMRTDs
• Re-encode JPEG2000 Images as normal JPEGs
• Update CSCA Master List

1.1.8

• Initial version