v3.0.0.alpha1 - 2020-06-27
- Ability to define multiple relying parties with the introduction of the
WebAuthn::RelyingParty
class (@padulafacundo, @brauliomartinezlm)
v2.5.0 - 2021-03-14
- Support 'apple' attestation statement format (#343 / @juanarias93, @santiagorodriguez96)
- Allow specifying an array of ids as
allow_credentials:
forFakeClient#get
method (#335 / @kingjan1999)
- No longer accept "removed from the WebAuthn spec" options
rp: { icon: }
anduser: { icon: }
forWebAuthn::Credential.options_for_create
method (#326 / @santiagorodriguez96)
v2.4.1 - 2021-02-15
- Fix verification of new credential if no attestation provided and 'None' type is not among configured
acceptable_attestation_types
. I.e. reject it instead of letting it go through.
v2.4.0 - 2020-09-03
- Support for ES256K credentials
FakeClient#get
acceptsuser_handle:
keyword argument (@lgarron)
v2.3.0 - 2020-06-27
- Ability to access extension outputs with
PublicKeyCredential#client_extension_outputs
andPublicKeyCredential#authenticator_extension_outputs
(@santiagorodriguez96)
v2.2.1 - 2020-06-06
- Fixed compatibility with OpenSSL-C (libssl) v1.0.2 (@santiagorodriguez96)
v2.2.0 - 2020-03-14
- Verification step that checks the received credential public key algorithm during registration matches one of the configured algorithms
- [EXPERIMENTAL] Attestation trustworthiness verification default steps for "tpm", "android-key" and "android-safetynet" (@bdewater, @padulafacundo). Still manual configuration needed for "packed" and "fido-u2f".
Note: Expect possible breaking changes for "EXPERIMENTAL" features.
v2.1.0 - 2019-12-30
- Ability to convert stored credential public key back to a ruby object with
WebAuthn::PublicKey.deserialize(stored_public_key)
, included the validation during de-serialization (@ssuttner, @padulafacundo) - Improved TPM attestation validation by checking "Subject Alternative Name" (@bdewater)
- Improved SafetyNet attestation validation by checking timestamp (@padulafacundo)
- [EXPERIMENTAL] Ability to optionally "Assess the attestation trustworthiness" during registration by setting
acceptable_attestation_types
andattestation_root_certificates_finders
configuration values (@padulafacundo) - Ruby 2.7 support without warnings
Note: Expect possible breaking changes for "EXPERIMENTAL" features.
v2.0.0 - 2019-10-03
- Smarter new public API methods:
WebAuthn.generate_user_id
WebAuthn::Credential.options_for_create
WebAuthn::Credential.options_for_get
WebAuthn::Credential.from_create
WebAuthn::Credential.from_get
- All the above automatically handle encoding/decoding for necessary values. The specific encoding scheme can
be set (or even turned off) in
WebAutnn.configuration.encoding=
. Defaults to:base64url
.
WebAuthn::FakeClient#get
better fakes a real client by includinguserHandle
in the returned hash.- Expose AAGUID and attestationCertificateKey for MDS lookup during attestation (@bdewater)
-
WebAuthn::AuthenticatorAssertionResponse#verify
no longer acceptsallowed_credentials:
keyword argument. Please replace withpublic_key:
andsign_count:
keyword arguments. If you're not performing sign count verification, signal opt-out withsign_count: false
. -
WebAuthn::FakeClient#create
andWebAuthn::FakeClient#get
better fakes a real client by using lowerCamelCase string keys instead of snake_case symbol keys in the returned hash. -
WebAuthn::FakeClient#create
andWebAuthn::FakeClient#get
better fakes a real client by not padding the returned base64url-encodedid
value.
WebAuthn.credential_creation_options
method. Please consider usingWebAuthn::Credential.options_for_create
.WebAuthn.credential_request_options
method. Please consider usingWebAuthn::Credential.options_for_get
.
WebAuthn::AuthenticatorAssertionResponse.new
no longer acceptscredential_id
. No replacement needed, just don't pass it.
-
WebAuthn::AuthenticatorAssertionResponse.new
no longer acceptscredential_id
. No replacement needed, just don't pass it. -
WebAuthn::AuthenticatorAssertionResponse#verify
no longer acceptsallowed_credentials:
keyword argument. Please replace withpublic_key:
andsign_count:
keyword arguments. If you're not performing sign count verification, signal opt-out withsign_count: false
. -
WebAuthn::FakeClient#create
andWebAuthn::FakeClient#get
better fakes a real client by using lowerCamelCase string keys instead of snake_case symbol keys in the returned hash. -
WebAuthn::FakeClient#create
andWebAuthn::FakeClient#get
better fakes a real client by not padding the returned base64url-encodedid
value.
v1.18.0 - 2019-07-27
- Ability to migrate U2F credentials to WebAuthn (#211) (@bdewater + @jdongelmans)
- Ability to skip attestation statement verification (#219) (@MaximeNdutiye)
- Ability to configure default credential options timeout (#243) (@MaximeNdutiye)
- AttestedCredentialData presence verification (#237)
- FakeClient learns how to increment sign count (#225)
- Properly verify SafetyNet certificates from input (#233) (@bdewater)
- FakeClient default origin URL (#242) (@kalebtesfay)
v1.17.0 - 2019-06-18
- Support ES384, ES512, PS384, PS512, RS384 and RS512 credentials. Off by default. Enable by adding any of them to
WebAuthn.configuration.algorithms
array (@bdewater) - Support Signature Counter verification (@bdewater)
v1.16.0 - 2019-06-13
- Ability to enforce user verification with extra argument in the
#verify
method. - Support RS1 (RSA w/ SHA-1) credentials. Off by default. Enable by adding
"RS1"
toWebAuthn.configuration.algorithms
array. - Support PS256 (RSA Probabilistic Signature Scheme w/ SHA-256) credentials. On by default (@bdewater)
v1.15.0 - 2019-05-16
- Ability to configure Origin, RP ID and RP Name via
WebAuthn.configure
v1.14.0 - 2019-04-25
- Support 'tpm' attestation statement
- Support RS256 credential public key
v1.13.0 - 2019-04-09
- Verify 'none' attestation statement is really empty.
- Verify 'packed' attestation statement certificates start/end dates.
- Verify 'packed' attestation statement signature algorithm.
- Verify 'fiod-u2f attestation statement AAGUID is zeroed out (@bdewater)
- Verify 'android-key' attestation statement signature algorithm.
- Verify assertion response signature algorithm.
- Verify collectedClientData.tokenBinding format.
WebAuthn.credential_creation_options
now acceptrp_name
,user_id
,user_name
anddisplay_name
as keyword arguments (@bdewater)
v1.12.0 - 2019-04-03
- Verification of the attestation certificate public key curve for
fido-u2f
attestation statements.
Credential#public_key
now returns the COSE_Key formatted version of the credential public key, instead of the uncompressed EC point format.
Note #1: A Credential
instance is what is returned in WebAuthn::AuthenticatorAttestationResponse#credential
.
Note #2: You don't need to do any convesion before passing the public key in AuthenticatorAssertionResponse#verify
's
allowed_credentials
argument, #verify
is backwards-compatible and will handle both public key formats properly.
v1.11.0 - 2019-03-15
WebAuthn::AuthenticatorAttestationResponse#verify
supportsandroid-key
attestation statements (@bdewater)
- Verify matching AAGUID if needed when verifying
packed
attestation statements (@bdewater)
v1.10.0 - 2019-03-05
- Parse and make AuthenticatorData's extensionData available
v1.9.0 - 2019-02-22
- Added
#verify
, which can be used for getting a meaningful error raised in case of a verification error, as opposed to#valid?
which returnsfalse
v1.8.0 - 2019-01-17
- Make challenge validation inside
#valid?
method resistant to timing attacks (@tomek-bt) - Support for ruby 2.6
- Make current raised exception errors a bit more meaningful to aid debugging
v1.7.0 - 2018-11-08
- Registration ceremony
WebAuthn::AuthenticatorAttestationResponse
exposes attestation type and trust path via#attestation_type
and#attestation_trust_path
methods (@bdewater)
v1.6.0 - 2018-11-01
FakeAuthenticator
object is now exposed to help you test your WebAuthn implementation
v1.5.0 - 2018-10-23
- Works with ruby 2.3 (@bdewater)
v1.4.0 - 2018-10-11
- Registration ceremony
WebAuthn::AuthenticatorAttestationResponse.valid?
supportsandroid-safetynet
attestation statements (@bdewater)
v1.3.0 - 2018-10-11
- Registration ceremony
WebAuthn::AuthenticatorAttestationResponse.valid?
supportspacked
attestation statements (@sorah)
v1.2.0 - 2018-10-08
- Registration ceremony
WebAuthn::AuthenticatorAttestationResponse.valid?
returnstrue
if either UP or UV authenticator flags are present.
- Authentication ceremony
WebAuthn::AuthenticatorAssertionResponse.valid?
returnstrue
if either UP or UV authenticator flags are present.
Note: Both additions should help making it compatible with Chrome for Android 70+/Android Fingerprint pair.
v1.1.0 - 2018-10-04
- Registration ceremony
WebAuthn::AuthenticatorAttestationResponse.valid?
optionally accepts rp_id (@sorah)
- Authentication ceremony
WebAuthn::AuthenticatorAssertionResponse.valid?
optionally accepts rp_id.
v1.0.0 - 2018-09-07
- Authentication ceremony
- Support multiple credentials per user by letting
WebAuthn::AuthenticatorAssertionResponse.valid?
receive multiple allowed credentials
- Support multiple credentials per user by letting
- Registration ceremony
- Use 32-byte challenge instead of 16-byte
- Authentication ceremony
- Use 32-byte challenge instead of 16-byte
v0.2.0 - 2018-06-08
- Registration ceremony
WebAuthn::AuthenticatorAttestationResponse.credential
returns the Credential Public Key for you to store it somehwere for future authentications
- Authentication ceremony
WebAuthn.credential_request_options
returns default options for you to initiate the AuthenticationWebAuthn::AuthenticatorAssertionResponse.valid?
can be used to validate the authenticator assertion. For now it validates:- Signature
- Challenge
- Origin
- User presence
- Ceremony Type
- Relying-Party ID
- Allowed Credential
- Works with ruby 2.4
- Registration ceremony
WebAuthn::AuthenticatorAttestationResponse.valid?
now runs additional validations on the Credential Public Key
- Registration ceremony
WebAuthn::AuthenticatorAttestationResponse.credential_id
(superseded byWebAuthn::AuthenticatorAttestationResponse.credential
)
v0.1.0 - 2018-05-25
- Registration ceremony:
WebAuthn.credential_creation_options
returns default options for you to initiate the RegistrationWebAuthn::AuthenticatorAttestationResponse.valid?
can be used to validate fido-u2f attestations returned by the browser
- Works with ruby 2.5