Version 0.8.0

Possibly breaking changes:

• User Presence (UP) is now always required by the spec, not only when UV is not required; implementation updated to reflect this.

New features:

• Added support for android-safetynet attestation statement format
  • Thanks to Ren Lin for the contribution, see #5
• Implementation updated to reflect Proposed Recommendation version of the spec, released 2019-01-17

Bug fixes:

• Fixed validation of zero-valued assertion signature counter
  • Previously, a zero-valued assertion signature counter was always regarded as valid. Now, it is only considered valid if the stored signature counter is also zero.

Version 0.7.0

webauthn-server-attestation

• Added attestation metadata for Security Key NFC by Yubico

webauthn-server-core

Breaking changes:

• Deleted parameter RelyingParty.verifyTypeAttribute. This was added as a workaround while browser implementations were incomplete, and should never be used in production.
• Replaced field RegisteredCredential.publicKey: PublicKey with publicKeyCose: ByteArray. This means the library user no longer needs to parse the public key before passing it back into the library.
• RelyingParty.finishAssertion now throws InvalidSignatureCountException instead of its supertype AssertionFailedException when signature count validation is enabled and the received signature count is invalid.

New features:

• New parameter StartAssertionOptions.userVerification which is forwarded into PublicKeyCredentialRequestOptions by RelyingParty.startAssertion

Version 0.6.0

Breaking changes:

• Classes moved from package com.yubico.webauthn.data to com.yubico.webauthn:
  • AssertionRequest
  • AssertionResult
  • RegistrationResult
• All public classes are now final.
• All builders now enforce mandatory arguments at compile time. Some usages may therefore need to adjust the order of calls on the builder instance.
  • Static method Attestation.trusted(boolean) replaced with .builder() with .trusted(boolean) as builder method instead
  • AuthenticatorAssertionResponse constructor is now private.
  • AuthenticatorAttestationResponse constructor is now private.
  • PublicKeyCredentialDescriptor constructor is now private.
  • PublicKeyCredentialRequestOptions constructor is now private.
• All classes that take collections as constructor (builder) arguments now make shallow copies of those collections, so that mutations of the collections don't propagate into the class instance.
• Deleted interface Crypto and constructor parameter crypto of RelyingParty
• Deleted interface ChallengeGenerator and constructor parameter challengeGenerator of RelyingParty
• Updated implementation to agree with current editor's draft of the spec
  • Renamed class AttestationData to AttestedCredentialData
  • Enum constant TokenBindingStatus.NOT_SUPPORTED deleted; this is now instead signaled by a missing value
  • Parameter RelyingParty.allowMissingTokenBinding therefore removed
  • Enum constant AttestationType.PRIVACY_CA renamed to ATTESTATION_CA
• Renamed class AuthenticationDataFlags to AuthenticatorDataFlags
• Deleted constant UserVerificationRequirement.DEFAULT
• Deleted method AttestationObject.getAuthData()
• Changed type of field RelyingParty.origins from List to Set
• Fixed (reduced) visibility of RegisteredCredential fields
• Class MetadataObject moved to webauthn-server-attestation module
• Updated and greatly expanded Javadoc

0.5.0

webauthn-server-core

New features:

• PackedAttestationStatementVerifier now supports SHA256WithRSA signatures

Bug fixes:

• PublicKeyCredentialDescriptor.compareTo is now consistent with equals
• AuthenticatorData constructor should now throw more descriptive exceptions instead of raw ArrayIndexOutOfBoundsExceptions

webauthn-server-attestation

Breaking changes:

• Interface MetadataResolver replaced with interfaces AttestationResolver and TrustResolver
  • Class SimpleResolver split into SimpleAttestationResolver and SimpleTrustResolver
    • Both of these classes now take the metadata as a constructor parameter instead of exposing addMetadata methods
  • Class CompositeResolver split into CompositeAttestationResolver and CompositeTrustResolver
• Class StandardMetadataService overhauled

0.4.0

Breaking changes:

• Field StartRegistrationOptions.requireResidentKey: boolean replaced with field authenticatorSelection: Optional<AuthenticatorSelectionCriteria>

0.3.0

With this release, the library is getting close to mature enough for a production-ready release. There may be breaking API changes necessary before 1.0, but none are planned.

Changes:

• Major API overhaul; public API changes include but are not limited to:
  • Reorganised package structure
  • CredentialRepository.getCredentialIdsForUsername(String) now returns Set instead of List
  • Most data classes now expose a builder instead of a public constructor
  • Shortcut constants added to COSEAlgorithmIdentifier and PublicKeyCredentialParameters
  • Exception U2fBadConfigurationException renamed to BadConfigurationException
  • RelyingParty.startRegistration now accepts one StartRegistrationOptions parameter instead of several parameters
  • RelyingParty.finishRegistration now accepts one FinishRegistrationOptions parameter instead of several parameters
  • RelyingParty.startAssertion now accepts one StartAssertionOptions parameter instead of several parameters
  • RelyingParty.finishAssertion now accepts one FinishAssertionOptions parameter instead of several parameters
  • RelyingParty.finishRegistration now throws checked RegistrationFailedException instead of IllegalArgumentException on most failures
  • RelyingParty.finishAssertion now throws checked AssertionFailedException instead of IllegalArgumentException on most failures
  • Class MetadataResolver replaced with interface
  • Constructor CollectedClientData(JsonNode) deleted
  • Type of fields StartAssertionOptions.extensions, StartRegistrationOptions.extensions and PublicKeyCredential.clientExtensionOutputs narrowed from JsonNode to ObjectNode
  • Parameters StartRegistrationOptions.excludeCredentials and StartAssertionOptions.allowCredentials deleted; they are now discovered automatically from the CredentialRepository. If custom control over excludeCredentials or allowCredentials is needed, modify the PublicKeyCredentialCreationOptions or PublicKeyCredentialRequestOptions object manually.
  • COSEAlgorithmIdentifier is now an actual enum
  • Extensions are now passed and returned as domain objects instead of as Jackson types
  • Type parameter added to PublicKeyCredential to express extensions type
  • Fields CollectedClientData.authenticatorExtensions and .clientExtensions deleted
• Fixed a bug in AuthenticatorDataFlags that caused the ED (0x80) flag to never be set
• All classes in com.yubico.webauthn.data can now be serialized and deserialized using Jackson
  • JSON output has been slightly changed:
    • AttestationObject, AuthenticatorData and CollectedClientData now serialize back to Base64Url encoded bytes instead of to JSON objects
    • Member _attestationObject removed from serialized AuthenticatorAttestationResponse
    • Member authenticatorData removed from serialized AuthenticatorAttestationResponse
• New methods ByteArray.size(): int and .isEmpty(): boolean
• ByteArray is now Comparable to itself
• Added support for appid extension