Releases: Yubico/java-webauthn-server

Version 1.6.0

22 Nov 17:09
1.6.0
f8cbe35

Security fixes:

  • Bumped Jackson dependency to version 2.9.10.1, which has patched CVE-2019-16942.

webauthn-server-core:

Bug fixes:

  • Fixed bug introduced in 1.4.0, which caused RegistrationResult.attestationMetadata to always be empty.

webauthn-server-attestation:

  • New enum constant Transport.LIGHTNING
  • Fixed transports field of YubiKey NEO/NEO-n in metadata.json.
  • Added YubiKey 5Ci to metadata.json.
  • Most deviceUrl fields in metadata.json changed to point to stable addresses in the Yubico knowledge base instead of dead redirects in the store.

Artifacts built with JDK 11.

Pre-release 1.6.0-RC1

08 Nov 18:21
1.6.0-RC1
732fe22

Security fixes:

  • Bumped Jackson dependency to version 2.9.10.1, which has patched CVE-2019-16942.

webauthn-server-core:

Bug fixes:

  • Fixed bug introduced in 1.4.0, which caused RegistrationResult.attestationMetadata to always be empty.

webauthn-server-attestation:

  • New enum constant Transport.LIGHTNING
  • Fixed transports field of YubiKey NEO/NEO-n in metadata.json.
  • Added YubiKey 5Ci to metadata.json.
  • Most deviceUrl fields in metadata.json changed to point to stable addresses in the Yubico knowledge base instead of dead redirects in the store.

Artifacts built with JDK 11.

Version 1.5.0

01 Nov 15:04
1.5.0
f8693e0

Changes:

  • RelyingParty now makes an immutable copy of the origins argument, instead of storing a reference to a possibly mutable value.
  • The enum AuthenticatorTransport has been replaced by a value class containing methods and value constants equivalent to the previous enum.
  • The return type of PublicKeyCredentialDescriptor.getTransports() is now a SortedSet instead of Set. The builder still accepts a plain Set.
  • Registration ceremony now verifies that the returned credential public key matches one of the algorithms specified in RelyingParty.preferredPubkeyParams and can be successfully parsed.

New features:

  • Origin matching can now be relaxed via two new RelyingParty options:
    • allowOriginPort (default false): Allow any port number in the origin
    • allowOriginSubdomain (default false): Allow any subdomain of any origin listed in RelyingParty.origins
    • See JavaDoc for details and examples.
  • The new AuthenticatorTransport can now contain any string value as the transport identifier, as required in the editor's draft of the L2 spec. See: w3c/webauthn#1275
  • Added support for RS1 credentials. Registration of RS1 credentials is not enabled by default, but can be enabled by setting RelyingParty.preferredPubKeyCredParams to a list containing PublicKeyCredentialParameters.RS1.
    • New constant PublicKeyCredentialParameters.RS1
    • New constant COSEAlgorithmIdentifier.RS1

Artifacts built with JDK 11.

Pre-release 1.5.0-RC2

17 Oct 12:39
1.5.0-RC2
f310493

Changes:

  • Bumped version of com.upokecenter:cbor dependency to agree with transitives.

Artifacts built with JDK 11.

Pre-release 1.5.0-RC1

16 Oct 16:02
1.5.0-RC1
72bff0f

Changes:

  • RelyingParty now makes an immutable copy of the origins argument, instead of storing a reference to a possibly mutable value.
  • The enum AuthenticatorTransport has been replaced by a value class containing methods and value constants equivalent to the previous enum.
  • The return type of PublicKeyCredentialDescriptor.getTransports() is now a SortedSet instead of Set. The builder still accepts a plain Set.
  • Registration ceremony now verifies that the returned credential public key matches one of the algorithms specified in RelyingParty.preferredPubkeyParams and can be successfully parsed.

New features:

  • Origin matching can now be relaxed via two new RelyingParty options:
    • allowOriginPort (default false): Allow any port number in the origin
    • allowOriginSubdomain (default false): Allow any subdomain of any origin listed in RelyingParty.origins
    • See JavaDoc for details and examples.
  • The new AuthenticatorTransport can now contain any string value as the transport identifier, as required in the editor's draft of the L2 spec. See: w3c/webauthn#1275
  • Added support for RS1 credentials. Registration of RS1 credentials is not enabled by default, but can be enabled by setting RelyingParty.preferredPubKeyCredParams to a list containing PublicKeyCredentialParameters.RS1.
    • New constant PublicKeyCredentialParameters.RS1
    • New constant COSEAlgorithmIdentifier.RS1

Artifacts built with JDK 11.

Version 1.4.1

07 Oct 10:57
1.4.1
6d0d310

Packaging fixes:

  • Fixed dependency declarations so API dependencies are correctly propagated as compile-time dependencies of dependent projects.
  • Fixed Specification-Version release date in webauthn-server-core jar manifest.

Artifacts built with JDK 8.

Pre-release 1.4.1-RC1

02 Oct 14:09
1.4.1-RC1
8a4cdf8

Packaging fixes:

  • Fixed dependency declarations so API dependencies are correctly propagated as compile-time dependencies of dependent projects.
  • Fixed Specification-Version release date in webauthn-server-core jar manifest.

Artifacts built with JDK 11.

Version 1.4.0

23 Sep 12:01
1.4.0
248d0b1

Changes:

  • Class com.yubico.internal.util.WebAuthnCodecs is no longer public. The package com.yubico.internal.util was already declared non-public in JavaDoc, but this is now also enforced via Java visibility rules.
  • Class com.yubico.webauthn.meta.Specification.SpecificationBuilder is no longer public. It was never intended to be, although this was not documented explicitly.
  • Default value for RelyingParty.preferredPubKeyParams changed from [ES256, RS256] to [ES256, EdDSA, RS256]
  • Data classes no longer use Optional internally in field types. This should not meaningfully affect the public API, but might improve compatibility with frameworks that use reflection.

New features:

  • Added support for Ed25519 signatures.
  • New constants COSEAlgorithmIdentifier.EdDSA and PublicKeyCredentialParameters.EdDSA
  • Artifacts are now built reproducibly; fresh builds from source should now be verifiable by signature files from Maven Central.

Security fixes:

Artifacts built with JDK 11.

Pre-release 1.4.0-RC2

09 Sep 13:39
1.4.0-RC2
6490bb5

Published artifacts built with JDK 11.

The build of 1.4.0-RC1 published to Maven Central was built with lombok.config files in the working directory that are not tracked by Git, which breaks signature verification for the reproducible build. The 1.4.0-RC2 build is built from the same commit but without those untracked lombok.config files, so a fresh build from source produces the same artifacts.

Pre-release 1.4.0-RC1

09 Sep 12:43
1.4.0-RC1
6490bb5

Changes:

  • Class com.yubico.internal.util.WebAuthnCodecs is no longer public. The package com.yubico.internal.util was already declared non-public in JavaDoc, but this is now also enforced via Java visibility rules.
  • Class com.yubico.webauthn.meta.Specification.SpecificationBuilder is no longer public. It was never intended to be, although this was not documented explicitly.
  • Default value for RelyingParty.preferredPubKeyParams changed from [ES256, RS256] to [ES256, EdDSA, RS256]

New features:

  • Added support for Ed25519 signatures.
  • New constants COSEAlgorithmIdentifier.EdDSA and PublicKeyCredentialParameters.EdDSA
  • Artifacts are now built reproducibly; fresh builds from source should now be verifiable by signature files from Maven Central.

Security fixes: