Pre-release 1.3.0-RC1

New features:

• New optional parameter timeout added to StartRegistrationOptions and StartAssertionOptions

Version 1.2.0

New features:

• RSA keys are now supported.
• New constructor functions PublicKeyCredential.parseRegistrationResponseJson and .parseAssertionResponseJson
  • So users don't have to deal with the TypeReferences imposed by the generics, unless they want to.

Bug fixes:

• android-key attestation statements now don't throw an exception if allowUntrustedAttestation is set to true.
• tpm attestation statements now don't throw an exception if allowUntrustedAttestation is set to true.

Pre-release 1.2.0-RC1

New features:

• RSA keys are now supported.

Pre-release 1.1.1-RC1

Bug fixes:

• android-key attestation statements now don't throw an exception if allowUntrustedAttestation is set to true.
• tpm attestation statements now don't throw an exception if allowUntrustedAttestation is set to true.

Version 1.1.0

Changed behaviours:

• AssertionExtensionInputsBuilder.appid(Optional<AppId>) now fails fast if the argument is null
  • ClientAssertionExtensionOutputsBuilder.appid(Optional<Boolean>) now fails fast if the argument is null

New features:

• Public API methods that take Optional parameters now come with Optional-less aliases.

Differences are compared to version 1.0.0, including all prerelease versions in between.

Pre-release 1.1.0-RC1

Changed behaviours:

• AssertionExtensionInputsBuilder.appid(Optional<AppId>) now fails fast if the argument is null.
• ClientAssertionExtensionOutputsBuilder.appid(Optional<Boolean>) now fails fast if the argument is null.

New features:

• Public API methods that take Optional parameters now come with Optional-less aliases.

Version 1.0.1

Bugfixes:

• Registration no longer fails for unimplemented attestation statement formats if allowUnknownAttestation is set to true.
  • Registration still fails for attestation statement formats not defined in the WebAuthn Level 1 spec.

Version 1.0.0

• Fixed URL in artifact POM
• Improved a few javadoc wordings

Version 0.8.0

Possibly breaking changes:

• User Presence (UP) is now always required by the spec, not only when UV is not required; implementation updated to reflect this.

New features:

• Added support for android-safetynet attestation statement format
  • Thanks to Ren Lin for the contribution, see #5
• Implementation updated to reflect Proposed Recommendation version of the spec, released 2019-01-17

Bug fixes:

• Fixed validation of zero-valued assertion signature counter
  • Previously, a zero-valued assertion signature counter was always regarded as valid. Now, it is only considered valid if the stored signature counter is also zero.

Version 0.7.0

webauthn-server-attestation

• Added attestation metadata for Security Key NFC by Yubico

webauthn-server-core

Breaking changes:

• Deleted parameter RelyingParty.verifyTypeAttribute. This was added as a workaround while browser implementations were incomplete, and should never be used in production.
• Replaced field RegisteredCredential.publicKey: PublicKey with publicKeyCose: ByteArray. This means the library user no longer needs to parse the public key before passing it back into the library.
• RelyingParty.finishAssertion now throws InvalidSignatureCountException instead of its supertype AssertionFailedException when signature count validation is enabled and the received signature count is invalid.

New features:

• New parameter StartAssertionOptions.userVerification which is forwarded into PublicKeyCredentialRequestOptions by RelyingParty.startAssertion