Initial Release
Validation date can be specified
Throw exception when attestation fails. This way, no logging framework is required to communicate the reason why attestation failed and the library works nicely with pure java
- More idiomatic Kotlin
- cleaner exception handling
- download revocation list only once per chain
- maven publishing
- produce jdk8 compatible build (using
jdk8
classifier)
- Return ParsedAttestationRecord on Success
- Include JavaDoc
- More Java-friendly API
- More detailed toplevel error messages on certificate verification fail
- Kotlin 1.8.0
- ability to ignore timely validity of leaf cert
- more
@JvmOverloads
- MR Jar Release (Java 11 directly uses code from Google, Java 8 version uses adapted one for legacy support)
- Drop
-jdk8
classifier for proper release to maven central
- ability to configure custom trust anchors
- updated upstream sources
- cache revocation list
- ability to add offset to time of verification (thanks @rolicz)
- fix Java 8 builds (thanks @rolicz)
- deprecate MR jar (= remove Java 8 support)
- Build against JDK11
- Kotlin 1.9.22
- Update to latest
android-key-attestation
codebase from Google (2024-01-31) - Dependency updates:
- Bouncy Castle 1.77
- Ktor 2.3.7
- kotlinx.datetime 0.5.0
- Napier 2.7.1
- Guava 33.0.0-jre
- Error Prone 2.24.1
- (NEW) AutoValue 1.10.4
- drop broken java 8 target
- update sources from upstream
- add guava to API for java interop
- kotlin-stdlib API dependency for java interop
This version introduces incompatible changes! Re-read the readme!
Most notably, it now supports configuring multiple applications, introduces optional software-only attestation and a new
hybrid
attestation checker, which caters towards legacy devices, which originally shipped with Android 7 (Nougat).
Most of such devices support hardware attestation only for keys, but not for app/os-related information.
Moreover, a builder is now available for more Java-friendliness
In addition, 1.0.0. introduces a new diagnostics tool (a runnable jar), which takes an attestation certificate and prints out the attestation record.
- introduce builder for
AppData
- introduce well-defined error codes for every way an attestation can fail
- refactor exception hierarchy as a consequence
- make all config classes
data
classes
- make configuration play nicely with file-based config loading (e.g. HopLite)
- reorganized constructors for less confusing file-based config loading
- update to latest conventions plugin
- build against JDK11 as per gradle.properties
- Kotlin 1.9.22
- Update to latest
android-key-attestation
codebase from Google (2024-01-31) - Dependency updates:
- Bouncy Castle 1.77
- Ktor 2.3.7
- kotlinx.datetime 0.5.0
- Napier 2.7.1
- Guava 33.0.0-jre
- Error Prone 2.24.1
- (NEW) AutoValue 1.10.4
- dependency updated
- correctly expose guava as api dependency
- support HTTP proxy for fetching Android Revocation list
- Dependency Updates:
- Java 17
- Kotlin 2.0.0
- bouncycastle: 1.78.1!!
- coroutines: 1.8.1
- datetime: 0.6.0
- kmmresult: 1.6.1
- kotest: 5.9.1!!
- kotlin: 2.0.0
- ksp: 1.0.22
- ktor: 2.3.11
- napier: 2.7.1
- nexus: 1.3.0
- serialization: 1.7.1
- Rebrand to WARDEN-roboto
- Update to latest upstream attestation code
rollbackResistant
->rollbackResistance
- Dependency Updates
- Guava: 33.2.1-jre
- autovalue: 1.11.0
- protobuf-javalite: 4.27.0
Breaking Changes Ahead!
- Add
AttestationValueException.Reason.TIME
to indicate too far off or missing attestation statement creation time inside the attestation statement (in contrast to Certificate validity issues) - Add
attestationStatementValiditySeconds
to Android attestation configuration, to set a custom attestation statement validity. Defaults to 5 minutes (i.e. 300) - Fix verification time calculation