YubiKit 3.0.1

This release includes bug fixes and improvements for certificate handling, device identification, and build configuration.

New in this release:

• piv module:
  • Support for additional compressed certificate formats (zlib with custom header) (#278)
  • Deprecated GzipUtils (will become package-private in a future release)
• support module:
  • Fixed device naming for FIDO Edition devices with explicit capability checks (#281)
• build system:
  • Adjusted spotbugs-annotations to compileOnly scope (#255)
  • Updated dependencies and GitHub Actions workflows

Full Changelog: 3.0.0...3.0.1

YubiKit 3.0.0

This release brings major breaking API changes, new USB and FIDO features, CTAP2.3 & CTAP1 support, and enhanced null-safety.

New in this release:

• android module:
  • Minimum supported Android API level is now 21 (was 19) (breaking change)
• core module:
  • All previously deprecated APIs have been removed (breaking change) (#237)
  • Renamed all ALL CAPS abbreviations in public API identifiers to CamelCase (breaking change) (#230)
  • Added unified, configurable USB device filtering using DeviceFilter (#241)
  • Adopted JSpecify nullness annotations for improved null-safety
    Kotlin generics now require non-nullable type arguments (<T : Any>) (breaking change) (#231)
• fido module:
  • Replaced BasicWebAuthnClient with new WebAuthnClient (breaking change) (#240)
  • Client data must now be provided via ClientDataProvider, not as raw byte arrays (breaking change) (#233)
  • Added support for CTAP2.3 (encCredStoreState, authenticatorConfigCommands) (#229)
  • Initial support for CTAP1 flows (via new clients and session classes) (#240)
  • Added human-readable error names to CtapException (#238)
  • WebAuthnClient now supports user verification (fingerprints) (#234)
  • Replaced PinInvalidClientError with new AuthInvalidClientError for PIN/UV errors (breaking change) (#234)
• openpgp module:
  • Fixed implementation of parseFingerprints (#221)
• testing modules:
  • Improved testability of ApplicationSessions (#243)

Breaking changes summary:

• Minimum supported Android API is now 21 (was 19)
• All previously deprecated APIs have been removed
• Method/class names with ALL CAPS abbreviations have been updated to CamelCase, requiring updates to any old references
• Major FIDO/WebAuthn flow changes — see migration guide!

See the 3.0 Migration Guide for complete upgrade details.

Full Changelog: 2.9.0...3.0.0

YubiKit 2.9.0

This release brings targetSdk 36 support, new CTAP 2.2 features, and multiple bug fixes.

New in this release:

• android module:
  • Updated targetSdk to 36 (#202)
• core module:
  • Fixed a bug in formatting short APDUs (#199)
• fido module:
  • Added support for following CTAP 2.2 features (#176)
    • New getInfo members
    • persistentPinUvAuthToken
    • Processing of hmac-secret-mc and thirdPartyPayments extensions
  • Added support for NFCCTAP_GETRESPONSE (#204)
  • Fixed credential list pre-flight (#193)
• openpgp module:
  • Fixed implementation of verifyUserPin (#196)

Full Changelog: 2.8.2...2.9.0

YubiKit 2.8.2

• core module:
  • fixed SCP processing (#188)
• oath module:
  • fixed parsing OATH URI where issuer contains ampersand character (#186)
• yubiotp module:
  • fixed programming sequence update evaluation (#190)
• fido modules:
  • added support for using SCP over CCID (#188)
  • fixed largeBlob extension authenticator inputs naming (#183)
• test modules:
  • added support for test device serial number allow list (#184)
• build system:
  • migrated publishing to ossrh-staging-api service (#191)

Full Changelog: 2.8.1...2.8.2

YubiKit 2.8.1

• fido module:
  • Handle allowList without existing credentials (#170)
• general improvements:
  • better support of legacy Yubico devices (#169)
  • Treat FUNCTION_NOT_SUPPORTED as ApplicationNotAvailableException (#175)
  • Added support for Version Qualifier (#174)
  • Added support for using SmartCardConnection only with short APDUs (#177)

Full Changelog: 2.8.0...2.8.1

YubiKit 2.8.0

• fido module:
  • added updateUserInformation subcommand in credential management
  • added extensible support for FIDO extensions
  • added processing of defined FIDO extensions:
    • credBlob
    • credProps
    • credProtect
    • hmac-secret / prf
    • largeBlob
    • minPinLength
• general updates:
  • updated targetSdk to 35
  • new experimental desktop support
  • integrated spotless plugin for java source code formatting
  • improved integration tests to run on older YubiKeys
  • improved javadoc
  • updated build dependencies and libraries

YubiKit 2.7.0

• support module:
  • fixed missing property values for DeviceInfo in DeviceUtil.readInfo()
• general updates:
  • new support for communication over SCP03 and SCP11 protocols
  • new support for managing SCP03 and SCP11 keys through Security Domain session
  • improved integration tests with support to run over SCP
  • updated build dependencies and libraries

YubiKit 2.6.0

• piv module:
  • support for RSA3072 and RSA4096 (keys with FW 5.7+)
  • support for Ed25519 and X25519 (keys with FW 5.7+)
  • support for move/delete private key (keys with FW 5.7+)
  • support for metadata and verify extensions (Bio multi-protocol keys)
  • new verification policies PIN_OR_MATCH_ONCE/ALWAYS (Bio multi-protocol keys)
• general updates:
  • updated build dependencies and libraries

YubiKit 2.5.0

• fido module:
  • added support for authenticatorBioEnrollment
  • fixed setMinPinLength() implementation
  • fixed handling of UserVerificationRequirement.DISCOURAGED
• management module:
  • deprecated constructors of DeviceInfo
  • added DeviceInfo.Builder which replaces deprecated constructors
  • added support for reading all pages of YubiKey configuration
  • added support for device wide reset
• general:
  • updated build dependencies and libraries

YubiKit 2.4.0

• new fido module:
  • implemented WebAuthn specification Level 2
  • implemented following CTAP2.1 features
    • supports FIDO_2_0, FIDO_2_1_PRE, FIDO_2_1
    • Credential management
    • Client pin with Pin UV Auth Protocols One and Two
    • Config
    • Enterprise Attestation
  • implemented basic version of WebAuthn client
• new openpgp module:
  • implemented openpgp PIN operations
    • PIN verification, status querying and changing
  • core openpgp key operations
    • key import and generation
    • signature/signature verification
    • encryption/decryption
• android module:
  • targetSdk is now 34 (Android 14)
• core module:
  • added support for Le in APDU
  • added PublicKeyValues and PrivateKeyValues classes for unified handling of asymmetric keys
• PIV module:
  • deprecated classes: InvalidPinException, Padding
  • deprecated methods: SlotMetadata.getPublicKey(), PivSession.generateKey(), PivSession.putKey()