
Releases: Yubico/java-webauthn-server

Experimental release 2.7.0-alpha1

30 Jan 14:16
2.7.0-alpha1
b1fa6ca
Pre-release

Re-introduced changes that were reverted between 2.6.0-alpha8 and 2.6.0-RC1:

  • (Experimental) Added a new suite of interfaces, starting with CredentialRepositoryV2. RelyingParty can now be configured with a CredentialRepositoryV2 instance instead of a CredentialRepository instance. This changes the result of the RelyingParty builder to RelyingPartyV2. CredentialRepositoryV2 and RelyingPartyV2 enable a suite of new features:
    • CredentialRepositoryV2 does not assume that the application has usernames; instead, username support is modular. In addition to the CredentialRepositoryV2, RelyingPartyV2 can optionally be configured with a UsernameRepository. If a UsernameRepository is not set, then RelyingPartyV2.startAssertion(StartAssertionOptions) will fail at runtime if StartAssertionOptions.username is set.
    • CredentialRepositoryV2 uses a new interface CredentialRecord to represent registered credentials, instead of the concrete RegisteredCredential class (although RegisteredCredential also implements CredentialRecord). This provides implementations greater flexibility while also automating the type conversion to PublicKeyCredentialDescriptor needed in startRegistration() and startAssertion().
    • RelyingPartyV2.finishAssertion() returns a new type AssertionResultV2 with a new method getCredential(), which returns the CredentialRecord that was verified. The return type of getCredential() is generic and preserves the concrete type of CredentialRecord returned by the CredentialRepositoryV2 implementation.
    • NOTE: Experimental features may receive breaking changes without a major version increase.
  • (Experimental) Added property RegisteredCredential.transports.
    • NOTE: Experimental features may receive breaking changes without a major version increase.

Artifacts built with openjdk version "17.0.13" 2024-10-15.

Version 2.6.0

30 Jan 10:41
2.6.0
47ceee8

webauthn-server-core:

New features:

  • Added method getParsedPublicKey(): java.security.PublicKey to
    RegistrationResult and RegisteredCredential.
    • Thanks to Jakob Heher (A-SIT) for the contribution, see
      #299
  • Added enum parsing functions:
    • AuthenticatorAttachment.fromValue(String): Optional<AuthenticatorAttachment>
    • PublicKeyCredentialType.fromId(String): Optional<PublicKeyCredentialType>
    • ResidentKeyRequirement.fromValue(String): Optional<ResidentKeyRequirement>
    • TokenBindingStatus.fromValue(String): Optional<TokenBindingStatus>
    • UserVerificationRequirement.fromValue(String): Optional<UserVerificationRequirement>
  • Added public builder to CredentialPropertiesOutput.
  • Added public factory function
    LargeBlobRegistrationOutput.supported(boolean).
  • Added public factory functions to LargeBlobAuthenticationOutput.
  • Added hints property to StartRegistrationOptions, StartAssertionOptions,
    PublicKeyCredentialCreationOptions and PublicKeyCredentialRequestOptions,
    along with the class PublicKeyCredentialHint, to support the hints
    parameter introduced in WebAuthn L3:
    https://www.w3.org/TR/2023/WD-webauthn-3-20230927/#dom-publickeycredentialcreationoptions-hints
  • (Experimental) Added option isSecurePaymentConfirmation(boolean) to
    FinishAssertionOptions. When set, RelyingParty.finishAssertion() will
    adapt the validation logic for a Secure Payment Confirmation (SPC) response
    instead of an ordinary WebAuthn response. See the JavaDoc for details.
    • NOTE: Experimental features may receive breaking changes without a major
      version increase.

webauthn-server-attestation:

New features:

  • FidoMetadataDownloader now parses the CRLDistributionPoints extension on the
    application level, so the com.sun.security.enableCRLDP=true system property
    setting is no longer necessary.
  • Added helper function CertificateUtil.parseFidoSernumExtension for parsing
    the serial number from enterprise attestation certificates.

Artifacts built with openjdk version "17.0.13" 2024-10-15.

Pre-release 2.6.0-RC1

16 Jan 14:48
2.6.0-RC1
0cbba57
Pre-release

Changes since 2.6.0-alpha8

webauthn-server-core:

Breaking changes:

  • Removed the suite of experimental interfaces related to CredentialRepositoryV2. These will be postponed to minor release 2.7 instead.
  • Removed property RegisteredCredential.transports.
  • Removed property credProps.authenticatorDisplayName.
  • Removed credProps extension from assertion extension outputs.

webauthn-server-attestation:

New features:

  • FidoMetadataDownloader now parses the CRLDistributionPoints extension on the application level, so the com.sun.security.enableCRLDP=true system property setting is no longer necessary.
  • Added helper function CertificateUtil.parseFidoSernumExtension for parsing the serial number from enterprise attestation certificates.

Changes since 2.5.4

webauthn-server-core:

New features:

  • Added method getParsedPublicKey(): java.security.PublicKey to RegistrationResult and RegisteredCredential.
    • Thanks to Jakob Heher (A-SIT) for the contribution, see #299
  • Added enum parsing functions:
    • AuthenticatorAttachment.fromValue(String): Optional<AuthenticatorAttachment>
    • PublicKeyCredentialType.fromId(String): Optional<PublicKeyCredentialType>
    • ResidentKeyRequirement.fromValue(String): Optional<ResidentKeyRequirement>
    • TokenBindingStatus.fromValue(String): Optional<TokenBindingStatus>
    • UserVerificationRequirement.fromValue(String): Optional<UserVerificationRequirement>
  • Added public builder to CredentialPropertiesOutput.
  • Added public factory function LargeBlobRegistrationOutput.supported(boolean).
  • Added public factory functions to LargeBlobAuthenticationOutput.
  • Added hints property to StartRegistrationOptions, StartAssertionOptions, PublicKeyCredentialCreationOptions and PublicKeyCredentialRequestOptions, along with the class PublicKeyCredentialHint, to support the hints parameter introduced in WebAuthn L3: https://www.w3.org/TR/2023/WD-webauthn-3-20230927/#dom-publickeycredentialcreationoptions-hints
  • (Experimental) Added option isSecurePaymentConfirmation(boolean) to FinishAssertionOptions. When set, RelyingParty.finishAssertion() will adapt the validation logic for a Secure Payment Confirmation (SPC) response instead of an ordinary WebAuthn response. See the JavaDoc for details.
    • NOTE: Experimental features may receive breaking changes without a major version increase.

webauthn-server-attestation:

New features:

  • FidoMetadataDownloader now parses the CRLDistributionPoints extension on the application level, so the com.sun.security.enableCRLDP=true system property setting is no longer necessary.
  • Added helper function CertificateUtil.parseFidoSernumExtension for parsing the serial number from enterprise attestation certificates.

Artifacts built with openjdk version "17.0.13" 2024-10-15.

Experimental release 2.6.0-alpha8

02 Dec 15:35
2.6.0-alpha8
45a4ca6
Pre-release

Ported changes from release 2.5.4:

webauthn-server-attestation:

Fixes:

  • AuthenticatorGetInfo.algorithms now silently ignores unknown COSEAlgorithmIdentifier and PublicKeyCredentialType values instead of rejecting the MDS BLOB.

Artifacts built with openjdk version "17.0.13" 2024-10-15.

Version 2.5.4

02 Dec 14:32
2.5.4
504a8e8

webauthn-server-attestation:

Fixes:

  • AuthenticatorGetInfo.algorithms now silently ignores unknown COSEAlgorithmIdentifier and PublicKeyCredentialType values instead of rejecting the MDS BLOB.

Artifacts built with openjdk version "17.0.13" 2024-10-15.

Pre-release 2.5.4-RC1

25 Nov 14:26
2.5.4-RC1
e562c01
Pre-release

webauthn-server-attestation:

Fixes:

  • AuthenticatorGetInfo.algorithms now silently ignores unknown COSEAlgorithmIdentifier and PublicKeyCredentialType values instead of rejecting the MDS BLOB.

Artifacts built with openjdk version "17.0.13" 2024-10-15.

Experimental release 2.6.0-alpha7

06 Sep 09:37
2.6.0-alpha7
49f0aeb
Pre-release

Ported changes from release 2.5.3:

webauthn-server-attestation:

Fixes:

  • FidoMetadataDownloader no longer rejects FIDO MDS metadata BLOBs with unknown properties.

Artifacts built with openjdk version "17.0.12" 2024-07-16.

Version 2.5.3

05 Sep 11:01
2.5.3
5d510c5

webauthn-server-attestation:

Fixes:

  • FidoMetadataDownloader no longer rejects FIDO MDS metadata BLOBs with unknown properties.

Artifacts built with openjdk version "17.0.12" 2024-07-16.

Pre-release 2.5.3-RC2

03 Sep 15:46
2.5.3-RC2
76f9f1a
Pre-release

Re-release with no code changes to fix the reproducible binary workflow on GitHub Actions.

Artifacts built with openjdk version "17.0.12" 2024-07-16.

Pre-release 2.5.3-RC1

03 Sep 15:18
2.5.3-RC1
a65bb2f
Pre-release

webauthn-server-attestation:

Fixes:

  • FidoMetadataDownloader no longer rejects FIDO MDS metadata BLOBs with unknown properties.

Artifacts built with openjdk version "17.0.12" 2024-07-16.