
Releases: Yubico/java-webauthn-server

Version 1.2.0

28 Apr 12:16
1.2.0
050de23

New features:

  • RSA keys are now supported.
  • New constructor functions PublicKeyCredential.parseRegistrationResponseJson and .parseAssertionResponseJson
    • So users don't have to deal with the TypeReferences imposed by the generics, unless they want to.

Bug fixes:

  • android-key attestation statements no longer throw an exception if allowUntrustedAttestation is set to true.
  • tpm attestation statements no longer throw an exception if allowUntrustedAttestation is set to true.

Pre-release 1.2.0-RC1

17 Apr 21:23
1.2.0-RC1
a71a9cd

New features:

  • RSA keys are now supported.

Pre-release 1.1.1-RC1

17 Apr 21:23
1.1.1-RC1
c9689c6

Bug fixes:

  • android-key attestation statements no longer throw an exception if allowUntrustedAttestation is set to true.
  • tpm attestation statements no longer throw an exception if allowUntrustedAttestation is set to true.

Version 1.1.0

25 Mar 13:23
1.1.0
9de35cf

Changed behaviours:

  • AssertionExtensionInputsBuilder.appid(Optional<AppId>) now fails fast if the argument is null.
  • ClientAssertionExtensionOutputsBuilder.appid(Optional<Boolean>) now fails fast if the argument is null.

New features:

  • Public API methods that take Optional parameters now come with Optional-less aliases.

Differences are compared to version 1.0.0, including all prerelease versions in between.

Pre-release 1.1.0-RC1

18 Mar 15:17
1.1.0-RC1
aad92ec

Changed behaviours:

  • AssertionExtensionInputsBuilder.appid(Optional<AppId>) now fails fast if the argument is null.
  • ClientAssertionExtensionOutputsBuilder.appid(Optional<Boolean>) now fails fast if the argument is null.

New features:

  • Public API methods that take Optional parameters now come with Optional-less aliases.

Version 1.0.1

01 Mar 17:02
1.0.1
8aaf483

Bug fixes:

  • Registration no longer fails for unimplemented attestation statement formats if allowUnknownAttestation is set to true.
    • Registration still fails for attestation statement formats not defined in the WebAuthn Level 1 spec.

Version 1.0.0

01 Mar 17:02
1.0.0
42f5a2d
  • Fixed URL in artifact POM
  • Improved a few javadoc wordings

Version 0.8.0

01 Mar 17:01
0.8.0
cbd767d
Pre-release

Possibly breaking changes:

  • User Presence (UP) is now always required by the spec, not only when UV is not required; implementation updated to reflect this.

New features:

  • Added support for android-safetynet attestation statement format
    • Thanks to Ren Lin for the contribution, see #5
  • Implementation updated to reflect Proposed Recommendation version of the spec, released 2019-01-17

Bug fixes:

  • Fixed validation of zero-valued assertion signature counter
    • Previously, a zero-valued assertion signature counter was always regarded as valid. Now, it is only considered valid if the stored signature counter is also zero.
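
The signature counter fix above, sketched as an added example (this is not code from java-webauthn-server). The class and method names are hypothetical, and the "greater than stored" rule for non-zero counters is assumed from the WebAuthn spec rather than stated in these release notes.

```java
/** Added illustration of the 0.8.0 signature counter fix; not the library's own code. */
public class SignatureCounterCheck {

    /**
     * Behaviour described for versions before 0.8.0: a received counter
     * of zero is accepted regardless of what is stored.
     */
    static boolean isValidBeforeFix(long stored, long received) {
        return received == 0 || received > stored;
    }

    /**
     * Behaviour described for 0.8.0: zero is accepted only when the stored
     * counter is also zero (the authenticator does not implement a counter).
     * Otherwise the counter must strictly increase (assumed from the spec).
     */
    static boolean isValidAfterFix(long stored, long received) {
        if (stored == 0 && received == 0) {
            return true;
        }
        return received > stored;
    }

    public static void main(String[] args) {
        // Constructed {stored, received} pairs. The last one is the case the fix
        // changes: a credential whose counter was 42 suddenly reports 0.
        long[][] cases = { {0, 0}, {0, 1}, {41, 42}, {42, 42}, {42, 7}, {42, 0} };
        for (long[] c : cases) {
            System.out.printf("stored=%d received=%d before=%b after=%b%n",
                    c[0], c[1],
                    isValidBeforeFix(c[0], c[1]),
                    isValidAfterFix(c[0], c[1]));
        }
    }
}
```

A counter that drops back to zero on a credential that previously reported a non-zero value is the same signal as any other non-increasing counter, so relying parties that store the counter should treat it as a possible cloned authenticator.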

Version 0.7.0

01 Mar 17:00
0.7.0
33c2041
Pre-release

webauthn-server-attestation

  • Added attestation metadata for Security Key NFC by Yubico

webauthn-server-core

Breaking changes:

  • Deleted parameter RelyingParty.verifyTypeAttribute. This was added as a workaround while browser implementations were incomplete, and should never be used in production.
  • Replaced field RegisteredCredential.publicKey: PublicKey with publicKeyCose: ByteArray. This means the library user no longer needs to parse the public key before passing it back into the library.
  • RelyingParty.finishAssertion now throws InvalidSignatureCountException instead of its supertype AssertionFailedException when signature count validation is enabled and the received signature count is invalid.

New features:

  • New parameter StartAssertionOptions.userVerification which is forwarded into PublicKeyCredentialRequestOptions by RelyingParty.startAssertion

Version 0.6.0

01 Mar 16:56
0.6.0
2c9b6b2
Pre-release

Breaking changes:

  • Classes moved from package com.yubico.webauthn.data to com.yubico.webauthn:
    • AssertionRequest
    • AssertionResult
    • RegistrationResult
  • All public classes are now final.
  • All builders now enforce mandatory arguments at compile time. Some usages may therefore need to adjust the order of calls on the builder instance.
    • Static method Attestation.trusted(boolean) replaced with .builder() with .trusted(boolean) as builder method instead
    • AuthenticatorAssertionResponse constructor is now private.
    • AuthenticatorAttestationResponse constructor is now private.
    • PublicKeyCredentialDescriptor constructor is now private.
    • PublicKeyCredentialRequestOptions constructor is now private.
  • All classes that take collections as constructor (builder) arguments now make shallow copies of those collections, so that mutations of the collections don't propagate into the class instance.
  • Deleted interface Crypto and constructor parameter crypto of RelyingParty
  • Deleted interface ChallengeGenerator and constructor parameter challengeGenerator of RelyingParty
  • Updated implementation to agree with current editor's draft of the spec
    • Renamed class AttestationData to AttestedCredentialData
    • Enum constant TokenBindingStatus.NOT_SUPPORTED deleted; this is now instead signaled by a missing value
    • Parameter RelyingParty.allowMissingTokenBinding therefore removed
    • Enum constant AttestationType.PRIVACY_CA renamed to ATTESTATION_CA
  • Renamed class AuthenticationDataFlags to AuthenticatorDataFlags
  • Deleted constant UserVerificationRequirement.DEFAULT
  • Deleted method AttestationObject.getAuthData()
  • Changed type of field RelyingParty.origins from List to Set
  • Fixed (reduced) visibility of RegisteredCredential fields
  • Class MetadataObject moved to webauthn-server-attestation module
  • Updated and greatly expanded Javadoc