NEWS

== Version 1.0.0 ==

* Fixed URL in artifact POM
* Improved a few javadoc wordings


== Version 0.8.0 ==

Possibly breaking changes:

* User Presence (UP) is now always required by the spec, not only when UV is not
  required; implementation updated to reflect this.


New features:

* Added support for `android-safetynet` attestation statement format
 ** Thanks to Ren Lin for the contribution, see https://github.com/Yubico/java-webauthn-server/pull/5
* Implementation updated to reflect Proposed Recommendation version of the spec,
  released 2019-01-17

Bug fixes:

* Fixed validation of zero-valued assertion signature counter
 ** Previously, a zero-valued assertion signature counter was always regarded as
    valid. Now, it is only considered valid if the stored signature counter is
    also zero.


== Version 0.7.0 ==

=== `webauthn-server-attestation` ===

* Added attestation metadata for Security Key NFC by Yubico

=== `webauthn-server-core` ===

Breaking changes:

* Deleted parameter `RelyingParty.verifyTypeAttribute`. This was added as a
  workaround while browser implementations were incomplete, and should never be
  used in production.
* Replaced field `RegisteredCredential.publicKey: PublicKey` with
  `publicKeyCose: ByteArray`. This means the library user no longer needs to
  parse the public key before passing it back into the library.
* `RelyingParty.finishAssertion` now throws `InvalidSignatureCountException`
  instead of its supertype `AssertionFailedException` when signature count
  validation is enabled and the received signature count is invalid.

New features:

* New parameter `StartAssertionOptions.userVerification` which is forwarded into
  `PublicKeyCredentialRequestOptions` by `RelyingParty.startAssertion`


== Version 0.6.0 ==

Breaking changes:

* Classes moved from package `com.yubico.webauthn.data` to `com.yubico.webauthn`:
 **  `AssertionRequest`
 **  `AssertionResult`
 **  `RegistrationResult`
* All public classes are now final.
* All builders now enforce mandatory arguments at compile time. Some usages may
  therefore need to adjust the order of calls on the builder instance.
 ** Static method `Attestation.trusted(boolean)` replaced with `.builder()` with
    `.trusted(boolean)` as builder method instead
 ** `AuthenticatorAssertionResponse` constructor is now private.
 ** `AuthenticatorAttestationResponse` constructor is now private.
 ** `PublicKeyCredentialDescriptor` constructor is now private.
 ** `PublicKeyCredentialRequestOptions` constructor is now private.
* All classes that take collections as constructor (builder) arguments now make
  shallow copies of those collections, so that mutations of the collections
  don't propagate into the class instance.
* Deleted interface `Crypto` and constructor parameter `crypto` of `RelyingParty`
* Deleted interface `ChallengeGenerator` and constructor parameter
  `challengeGenerator` of `RelyingParty`
* Updated implementation to agree with current editor's draft of the spec
 ** Renamed class `AttestationData` to `AttestedCredentialData`
 ** Enum constant `TokenBindingStatus.NOT_SUPPORTED` deleted; this is now
    instead signaled by a missing value
 ** Parameter `RelyingParty.allowMissingTokenBinding` therefore removed
 ** Enum constant `AttestationType.PRIVACY_CA` renamed to `ATTESTATION_CA`
* Renamed class `AuthenticationDataFlags` to `AuthenticatorDataFlags`
* Deleted constant `UserVerificationRequirement.DEFAULT`
* Deleted method `AttestationObject.getAuthData()`
* Changed type of field `RelyingParty.origins` from `List` to `Set`
* Fixed (reduced) visibility of `RegisteredCredential` fields
* Class `MetadataObject` moved to `webauthn-server-attestation` module
* Updated and greatly expanded Javadoc

New features:

* Constructor parameter `pubKeyCredParams` of `RelyingParty` is now optional
  with a default value.
* Constructor parameter `origins` of `RelyingParty` is now optional and defaults
  to a list whose only element is the RP ID prefixed with `https://`.
* All classes with a builder now also have a `.toBuilder()` method.


== Version 0.5.0 ==

=== `webauthn-server-core` ===

New features:

* `PackedAttestationStatementVerifier` now supports SHA256WithRSA signatures

Bug fixes:

* `PublicKeyCredentialDescriptor.compareTo` is now consistent with equals
* `AuthenticatorData` constructor should now throw more descriptive exceptions
  instead of raw `ArrayIndexOutOfBoundsException`s


=== `webauthn-server-attestation` ===

Breaking changes:

* Interface `MetadataResolver` replaced with interfaces `AttestationResolver`
  and `TrustResolver`
 ** Class `SimpleResolver` split into `SimpleAttestationResolver` and
    `SimpleTrustResolver`
  *** Both of these classes now take the metadata as a constructor parameter
      instead of exposing `addMetadata` methods
 ** Class `CompositeResolver` split into `CompositeAttestationResolver` and
    `CompositeTrustResolver`
* Class `StandardMetadataService` overhauled


== Version 0.4.0 ==

Breaking changes:

* Field `StartRegistrationOptions.requireResidentKey: boolean` replaced with
  field `authenticatorSelection: Optional<AuthenticatorSelectionCriteria>`


== Version 0.3.0 ==

* Major API overhaul; public API changes include but are not limited to:
 ** Reorganised package structure
 ** `CredentialRepository.getCredentialIdsForUsername(String)` now returns `Set`
    instead of `List`
 ** Most data classes now expose a builder instead of a public constructor
 ** Shortcut constants added to `COSEAlgorithmIdentifier` and
    `PublicKeyCredentialParameters`
 ** Exception `U2fBadConfigurationException` renamed to
    `BadConfigurationException`
 ** `RelyingParty.startRegistration` now accepts one `StartRegistrationOptions`
    parameter instead of several parameters
 ** `RelyingParty.finishRegistration` now accepts one
    `FinishRegistrationOptions` parameter instead of several parameters
 ** `RelyingParty.startAssertion` now accepts one `StartAssertionOptions`
    parameter instead of several parameters
 ** `RelyingParty.finishAssertion` now accepts one `FinishAssertionOptions`
    parameter instead of several parameters
 ** `RelyingParty.finishRegistration` now throws checked
    `RegistrationFailedException` instead of `IllegalArgumentException` on most
    failures
 ** `RelyingParty.finishAssertion` now throws checked
    `AssertionFailedException` instead of `IllegalArgumentException` on most
    failures
 ** Class `MetadataResolver` replaced with interface
 ** Constructor `CollectedClientData(JsonNode)` deleted
 ** Parameters `StartRegistrationOptions.excludeCredentials` and
    `StartAssertionOptions.allowCredentials` deleted; they are now discovered
    automatically from the `CredentialRepository`. If custom control over
    `excludeCredentials` or `allowCredentials` is needed, modify the
    `PublicKeyCredentialCreationOptions` or `PublicKeyCredentialRequestOptions`
    object manually.
 ** `COSEAlgorithmIdentifier` is now an actual enum
 ** Extensions are now passed and returned as domain objects instead of as Jackson
    types
 ** Type parameter added to `PublicKeyCredential` to express extensions type
 ** Fields `CollectedClientData.authenticatorExtensions` and `.clientExtensions`
    deleted
* Fixed a bug in `AuthenticatorDataFlags` that caused the `ED` (0x80) flag to
  never be set
* All classes in `com.yubico.webauthn.data` can now be serialized and
  deserialized using Jackson
 ** JSON output has been slightly changed:
  *** `AttestationObject`, `AuthenticatorData` and `CollectedClientData` now serialize back to
    Base64Url encoded bytes instead of to JSON objects
  *** Member `_attestationObject` removed from serialized
      `AuthenticatorAttestationResponse`
  *** Member `authenticatorData` removed from serialized
      `AuthenticatorAttestationResponse`
* New methods `ByteArray.size(): int` and `.isEmpty(): boolean`
* `ByteArray` is now `Comparable` to itself
* Added support for `appid` extension


== Version 0.2.0 ==

* Core library now recognises username as an internally relevant concept
* Source code translated from Scala to Java
* Too many other changes to count


== Version 0.1.0 ==

* First release of https://www.w3.org/TR/webauthn/[Web Authentication] support
* Merged U2F subprojects into webauthn-server-core and deleted lots of unused code


== java-u2flib-server version history ==

This project was forked from https://developers.yubico.com/java-u2flib-server/[java-u2flib-server]. Below is the version history from before the fork.


== Version 0.19.0 ==

Breaking changes:

* Overhauled exception hierarchy
 ** New exception class: `U2fCeremonyException`
 ** New exception class: `U2fRegistrationException extends U2fCeremonyException`
 ** New exception class: `U2fAuthenticationException extends U2fCeremonyException`
 ** The following exception classes now extend `U2fAuthenticationException`:
  *** `DeviceCompromisedException`
  *** `InvalidDeviceCounterException`
  *** `NoEligableDevicesException`
  *** `NoEligibleDevicesException`
 ** `U2fBadConfigurationException` is now a checked exception
 ** `U2fBadInputException` is now a checked exception, and is no longer thrown directly by the methods of `U2F`.
  *** Methods of `U2F` now catch this exception and wrap it in a `U2fRegistrationException` or ``U2fAuthenticationException`.
* `DeviceRegistration.getAttestationCertificate()` now returns `null` instead of throwing `NoSuchFieldException`
* `static ClientData.getString(JsonNode, String)` now throws `U2fBadInputException` instead of `NullPointerException`, or if the returned field is not a `String` value
* Some `AssertionError`s and `IllegalArgumentException`s are now `U2fBadInputException`s instead


Improvements:

* `BouncyCastleCrypto` now throws more descriptive exceptions


Bug fixes:

* Improved error handling in client data input validation
 ** Thanks to Nicholas Wilson for the contribution, see https://github.com/Yubico/java-u2flib-server/pull/25


== Version 0.18.1 ==

* Lombok now longer leaks into runtime dependencies


== Version 0.18.0 ==

=== u2flib-server-core ===

Breaking changes:

* "Authenticate" renamed to "sign" everywhere in `u2flib-server-core`
** Classes `AuthenticateRequest` renamed to `SignRequest`
** Class `AuthenticateRequestData` renamed to `SignRequestData`
** Class `AuthenticateResponse` renamed to `SignResponse`
** Method `Client.authenticate` renamed to `sign`
** Class `RawAuthenticateResponse` renamed to `RawSignResponse`
** Method `SoftKey.authenticate` renamed to `sign`
** Method `U2F.finishAuthentication` renamed to `finishSignature`
** Method `U2F.startAuthentication` renamed to `startSignature`
** Method `U2fPrimitives.finishAuthentication` renamed to `finishSignature`
** Method `U2fPrimitives.startAuthenticateion` renamed to `startSignature`
* Constants `AUTHENTICATE_TYP` and `REGISTER_TYPE` in `U2fPrimitives` are
  now private

== Version 0.17.1 ==

* u2flib-server-attestation module now uses SLF4J logging instead of
  `Throwable.printStackTrace`


== Version 0.17.0 ==

=== u2flib-server-core ===

Breaking changes:

* Field `RegisterRequestData.authenticateRequests: List<AuthenticateRequest>`
 replaced by field `registeredKeys: List<RegisteredKey>`

Additions:

* Fields added to class `AuthenticateRequestData`:
  * `challenge: String`
  * `appId: String`
* New class `RegisteredKey`
* Field `appId: String` added to `RegisterRequestData`

=== u2flib-server-demo ===

* `u2f-api.js` upgraded from version 1.0 to 1.1
* JS calls in views updated to work with version 1.1 of the JS API
* All views except `loginIndex` and `registerIndex` are now rendered via
  templates
* Navigation links added to all views
* Error feedback improved


== Version 0.13.1 (unreleased) ==

* Changed demo server URL to `localhost:8080`.
* Added the method `ClientData.getString` to get arbitrary clientData fields.
* Added u2flib-server-attestation for device attestation and metadata.


== Version 0.13.0 ==

* Added built-in support for multiple devices per user.
* Fixed demo server bug when running from jar. Thanks to axianx.