Releases: Yubico/java-webauthn-server
Releases · Yubico/java-webauthn-server
Version 1.6.3
webauthn-server-attestation
:
- Added new YubiKey AAGUIDs to
metadata.json
webauthn-server-core
:
- Bumped Jackson dependency to version 2.11.0 in response to CVEs:
- Fixed incorrect JavaDoc on AssertionResult.isSignatureCounterValid(): it will also return true if both counters are zero.
Artifacts built with openjdk 11.0.6 2020-01-14
.
Pre-release 1.6.3-RC1
webauthn-server-attestation
:
- Added new YubiKey AAGUIDs to metadata.json
webauthn-server-core
:
- Bumped Jackson dependency to version 2.11.0 in response to CVEs:
- Fixed incorrect JavaDoc on
AssertionResult.isSignatureCounterValid()
: it will also return true if both counters are zero.
Artifacts built with openjdk 11.0.6 2020-01-14
.
Version 1.6.2
- Fixed dependencies missing from release POM metadata
Artifacts built with openjdk 11.0.6 2020-01-14
.
Version 1.6.1
Security fixes:
- Bumped Jackson dependency to version 2.9.10.3 in response to CVE-2019-20330 and CVE-2020-8840
Artifacts built with openjdk 11.0.6 2020-01-14
.
Version 1.6.0
Security fixes:
- Bumped Jackson dependency to version 2.9.10.1 which has patched CVE-2019-16942
webauthn-server-core
:
Bug fixes:
- Fixed bug introduced in 1.4.0, which caused
RegistrationResult.attestationMetadata
to always be empty.
webauthn-server-attestation
:
- New enum constant
Transport.LIGHTNING
- Fixed transports field of YubiKey NEO/NEO-n in
metadata.json
. - Added YubiKey 5Ci to
metadata.json
. - Most
deviceUrl
fields inmetadata.json
changed to point to stable addresses in Yubico knowledge base instead of dead redirects in store.
Artifacts built with JDK 11.
Pre-release 1.6.0-RC1
Security fixes:
- Bumped Jackson dependency to version 2.9.10.1 which has patched CVE-2019-16942
webauthn-server-core
:
Bug fixes:
- Fixed bug introduced in 1.4.0, which caused
RegistrationResult.attestationMetadata
to always be empty.
webauthn-server-attestation
:
- New enum constant
Transport.LIGHTNING
- Fixed transports field of YubiKey NEO/NEO-n in
metadata.json
. - Added YubiKey 5Ci to
metadata.json
. - Most
deviceUrl
fields inmetadata.json
changed to point to stable addresses in Yubico knowledge base instead of dead redirects in store.
Artifacts built with JDK 11.
Version 1.5.0
Changes:
RelyingParty
now makes an immutable copy of theorigins
argument, instead of storing a reference to a possibly mutable value.- The enum
AuthenticatorTransport
has been replaced by a value class containing methods and value constants equivalent to the previous enum. - The return type of
PublicKeyCredentialDescriptor.getTransports()
is now aSortedSet
instead ofSet
. The builder still accepts a plainSet
. - Registration ceremony now verifies that the returned credential public key matches one of the algorithms specified in
RelyingParty.preferredPubkeyParams
and can be successfully parsed.
New features:
- Origin matching can now be relaxed via two new
RelyingParty
options:allowOriginPort
(defaultfalse
): Allow any port number in the originallowOriginSubdomain
(defaultfalse
): Allow any subdomain of any origin listed inRelyingParty.origins
- See JavaDoc for details and examples.
- The new
AuthenticatorTransport
can now contain any string value as the transport identifier, as required in the editor's draft of the L2 spec. See: w3c/webauthn#1275 - Added support for RS1 credentials. Registration of RS1 credentials is not enabled by default, but can be enabled by setting
RelyingParty.preferredPubKeyCredParams
to a list containingPublicKeyCredentialParameters.RS1
.- New constant
PublicKeyCredentialParameters.RS1
- New constant
COSEAlgorithmIdentifier.RS1
- New constant
Artifacts built with JDK 11.
Pre-release 1.5.0-RC2
Changes:
- Bumped version of
com.upokecenter:cbor
dependency to agree with transitives.
Artifacts built with JDK 11.
Pre-release 1.5.0-RC1
Changes:
RelyingParty
now makes an immutable copy of theorigins
argument, instead of storing a reference to a possibly mutable value.- The enum
AuthenticatorTransport
has been replaced by a value class containing methods and value constants equivalent to the previous enum. - The return type of
PublicKeyCredentialDescriptor.getTransports()
is now aSortedSet
instead ofSet
. The builder still accepts a plainSet
. - Registration ceremony now verifies that the returned credential public key matches one of the algorithms specified in
RelyingParty.preferredPubkeyParams
and can be successfully parsed.
New features:
- Origin matching can now be relaxed via two new
RelyingParty
options:allowOriginPort
(defaultfalse
): Allow any port number in the originallowOriginSubdomain
(defaultfalse
): Allow any subdomain of any origin listed inRelyingParty.origins
- See JavaDoc for details and examples.
- The new
AuthenticatorTransport
can now contain any string value as the transport identifier, as required in the editor's draft of the L2 spec. See: w3c/webauthn#1275 - Added support for RS1 credentials. Registration of RS1 credentials is not enabled by default, but can be enabled by setting
RelyingParty.preferredPubKeyCredParams
to a list containingPublicKeyCredentialParameters.RS1
.- New constant
PublicKeyCredentialParameters.RS1
- New constant
COSEAlgorithmIdentifier.RS1
- New constant
Artifacts built with JDK 11.
Version 1.4.1
Packaging fixes:
- Fixed dependency declarations so API dependencies are correctly propagated as compile-time dependencies of dependent projects.
- Fixed Specification-Version release date in webauthn-server-core jar manifest.
Artifacts built with JDK 8.