Version 0.19.12

  • Deprecated all classes with note that the library is obsolete. This is planned to be the final release of java-u2flib-server.

Version 0.19.11

  • Bumped Guava dependency to version [24.1.1,30) in response to CVE-2018-10237

Version 0.19.10

  • Bumped Jackson dependency to version 2.11.0 in response to CVEs:

    • CVE-2020-9546

    • CVE-2020-10672

    • CVE-2020-10969

    • CVE-2020-11620

Version 0.19.9

  • Bumped Jackson dependency to version in response to CVE-2019-20330 and CVE-2020-8840

Version 0.19.8

  • Bumped Jackson dependency to version which has patched CVE-2019-16942

Version 0.19.7

  • Bumped Jackson dependency to version 2.9.10 which has patched CVE-2019-16335, CVE-2019-14540

Version 0.19.6

  • Bumped Jackson dependency to version which fixes a regression in

Version 0.19.5

  • Bumped Jackson dependency to version which has patched CVE-2019-12814, CVE-2019-14439, CVE-2019-14379

Version 0.19.4

  • Bumped Jackson dependency to version 2.9.9 which has patched CVE-2019-12086

Version 0.19.3

Bug fixes:

  • Use BouncyCastle security provider explicitly

Version 0.19.2

  • Bumped Jackson dependency version to 2.9.8 which has patched CVE-2018-19360, CVE-2018-19362 and CVE-2018-19361

Version 0.19.1

  • Bumped Jackson dependency version to 2.9.7 which has patched CVE-2018-7489 and CVE-2017-7525

Version 0.19.0

Breaking changes:

  • Overhauled exception hierarchy

    • New exception class: U2fCeremonyException

    • New exception class: U2fRegistrationException extends U2fCeremonyException

    • New exception class: U2fAuthenticationException extends U2fCeremonyException

    • The following exception classes now extend U2fAuthenticationException:

      • DeviceCompromisedException

      • InvalidDeviceCounterException

      • NoEligableDevicesException

      • NoEligibleDevicesException

    • U2fBadConfigurationException is now a checked exception

    • U2fBadInputException is now a checked exception, and is no longer thrown directly by the methods of U2F.

      • Methods of U2F now catch this exception and wrap it in a U2fRegistrationException or ``U2fAuthenticationException`.

  • DeviceRegistration.getAttestationCertificate() now returns null instead of throwing NoSuchFieldException

  • static ClientData.getString(JsonNode, String) now throws U2fBadInputException instead of NullPointerException, or if the returned field is not a String value

  • Some `AssertionError`s and `IllegalArgumentException`s are now `U2fBadInputException`s instead


  • BouncyCastleCrypto now throws more descriptive exceptions

Bug fixes:

Version 0.18.1

  • Lombok now longer leaks into runtime dependencies

Version 0.18.0


Breaking changes:

  • "Authenticate" renamed to "sign" everywhere in u2flib-server-core

    • Classes AuthenticateRequest renamed to SignRequest

    • Class AuthenticateRequestData renamed to SignRequestData

    • Class AuthenticateResponse renamed to SignResponse

    • Method Client.authenticate renamed to sign

    • Class RawAuthenticateResponse renamed to RawSignResponse

    • Method SoftKey.authenticate renamed to sign

    • Method U2F.finishAuthentication renamed to finishSignature

    • Method U2F.startAuthentication renamed to startSignature

    • Method U2fPrimitives.finishAuthentication renamed to finishSignature

    • Method U2fPrimitives.startAuthenticateion renamed to startSignature

  • Constants AUTHENTICATE_TYP and REGISTER_TYPE in U2fPrimitives are now private

Version 0.17.1

  • u2flib-server-attestation module now uses SLF4J logging instead of Throwable.printStackTrace

Version 0.17.0


Breaking changes:

  • Field RegisterRequestData.authenticateRequests: List<AuthenticateRequest> replaced by field registeredKeys: List<RegisteredKey>


  • Fields added to class AuthenticateRequestData:

  • challenge: String

  • appId: String

  • New class RegisteredKey

  • Field appId: String added to RegisterRequestData


  • u2f-api.js upgraded from version 1.0 to 1.1

  • JS calls in views updated to work with version 1.1 of the JS API

  • All views except loginIndex and registerIndex are now rendered via templates

  • Navigation links added to all views

  • Error feedback improved

Version 0.13.1 (unreleased)

  • Changed demo server URL to localhost:8080.

  • Added the method ClientData.getString to get arbitrary clientData fields.

  • Added u2flib-server-attestation for device attestation and metadata.

Version 0.13.0

  • Added built-in support for multiple devices per user.

  • Fixed demo server bug when running from jar. Thanks to axianx.