Version 1.6.3

webauthn-server-attestation:

• Added new YubiKey AAGUIDs to metadata.json

webauthn-server-core:

• Bumped Jackson dependency to version 2.11.0 in response to CVEs:
  • CVE-2020-9546
  • CVE-2020-10672
  • CVE-2020-10969
  • CVE-2020-11620
• Fixed incorrect JavaDoc on AssertionResult.isSignatureCounterValid(): it will also return true if both counters are zero.

Artifacts built with openjdk 11.0.6 2020-01-14.

Pre-release 1.6.3-RC1

webauthn-server-attestation:

• Added new YubiKey AAGUIDs to metadata.json

webauthn-server-core:

• Bumped Jackson dependency to version 2.11.0 in response to CVEs:
  • CVE-2020-9546
  • CVE-2020-10672
  • CVE-2020-10969
  • CVE-2020-11620
• Fixed incorrect JavaDoc on AssertionResult.isSignatureCounterValid(): it will also return true if both counters are zero.

Artifacts built with openjdk 11.0.6 2020-01-14.

Version 1.6.2

• Fixed dependencies missing from release POM metadata

Artifacts built with openjdk 11.0.6 2020-01-14.

Version 1.6.1

Security fixes:

• Bumped Jackson dependency to version 2.9.10.3 in response to CVE-2019-20330 and CVE-2020-8840

Artifacts built with openjdk 11.0.6 2020-01-14.

Version 1.6.0

Security fixes:

• Bumped Jackson dependency to version 2.9.10.1 which has patched CVE-2019-16942

webauthn-server-core:

Bug fixes:

• Fixed bug introduced in 1.4.0, which caused RegistrationResult.attestationMetadata to always be empty.

webauthn-server-attestation:

• New enum constant Transport.LIGHTNING
• Fixed transports field of YubiKey NEO/NEO-n in metadata.json.
• Added YubiKey 5Ci to metadata.json.
• Most deviceUrl fields in metadata.json changed to point to stable addresses in Yubico knowledge base instead of dead redirects in store.

Artifacts built with JDK 11.

Pre-release 1.6.0-RC1

Security fixes:

• Bumped Jackson dependency to version 2.9.10.1 which has patched CVE-2019-16942

webauthn-server-core:

Bug fixes:

• Fixed bug introduced in 1.4.0, which caused
  RegistrationResult.attestationMetadata to always be empty.

webauthn-server-attestation:

• New enum constant Transport.LIGHTNING
• Fixed transports field of YubiKey NEO/NEO-n in metadata.json.
• Added YubiKey 5Ci to metadata.json.
• Most deviceUrl fields in metadata.json changed to point to stable addresses in Yubico knowledge base instead of dead redirects in store.

Artifacts built with JDK 11.

Version 1.5.0

Changes:

• RelyingParty now makes an immutable copy of the origins argument, instead of storing a reference to a possibly mutable value.
• The enum AuthenticatorTransport has been replaced by a value class containing methods and value constants equivalent to the previous enum.
• The return type of PublicKeyCredentialDescriptor.getTransports() is now a SortedSet instead of Set. The builder still accepts a plain Set.
• Registration ceremony now verifies that the returned credential public key matches one of the algorithms specified in RelyingParty.preferredPubkeyParams and can be successfully parsed.

New features:

• Origin matching can now be relaxed via two new RelyingParty options:
  • allowOriginPort (default false): Allow any port number in the origin
  • allowOriginSubdomain (default false): Allow any subdomain of any origin listed in RelyingParty.origins
  • See JavaDoc for details and examples.
• The new AuthenticatorTransport can now contain any string value as the transport identifier, as required in the editor's draft of the L2 spec. See: w3c/webauthn#1275
• Added support for RS1 credentials. Registration of RS1 credentials is not enabled by default, but can be enabled by setting RelyingParty.preferredPubKeyCredParams to a list containing PublicKeyCredentialParameters.RS1.
  • New constant PublicKeyCredentialParameters.RS1
  • New constant COSEAlgorithmIdentifier.RS1

Artifacts built with JDK 11.

Pre-release 1.5.0-RC2

Changes:

• Bumped version of com.upokecenter:cbor dependency to agree with transitives.

Artifacts built with JDK 11.

Pre-release 1.5.0-RC1

Changes:

• RelyingParty now makes an immutable copy of the origins argument, instead of storing a reference to a possibly mutable value.
• The enum AuthenticatorTransport has been replaced by a value class containing methods and value constants equivalent to the previous enum.
• The return type of PublicKeyCredentialDescriptor.getTransports() is now a SortedSet instead of Set. The builder still accepts a plain Set.
• Registration ceremony now verifies that the returned credential public key matches one of the algorithms specified in RelyingParty.preferredPubkeyParams and can be successfully parsed.

New features:

• Origin matching can now be relaxed via two new RelyingParty options:
  • allowOriginPort (default false): Allow any port number in the origin
  • allowOriginSubdomain (default false): Allow any subdomain of any origin listed in RelyingParty.origins
  • See JavaDoc for details and examples.
• The new AuthenticatorTransport can now contain any string value as the transport identifier, as required in the editor's draft of the L2 spec. See: w3c/webauthn#1275
• Added support for RS1 credentials. Registration of RS1 credentials is not enabled by default, but can be enabled by setting RelyingParty.preferredPubKeyCredParams to a list containing PublicKeyCredentialParameters.RS1.
  • New constant PublicKeyCredentialParameters.RS1
  • New constant COSEAlgorithmIdentifier.RS1

Artifacts built with JDK 11.

Version 1.4.1

Packaging fixes:

• Fixed dependency declarations so API dependencies are correctly propagated as compile-time dependencies of dependent projects.
• Fixed Specification-Version release date in webauthn-server-core jar manifest.

Artifacts built with JDK 8.