Pre-release 1.5.0-RC2

Changes:

• Bumped version of com.upokecenter:cbor dependency to agree with transitives.

Artifacts built with JDK 11.

Pre-release 1.5.0-RC1

Changes:

• RelyingParty now makes an immutable copy of the origins argument, instead of storing a reference to a possibly mutable value.
• The enum AuthenticatorTransport has been replaced by a value class containing methods and value constants equivalent to the previous enum.
• The return type of PublicKeyCredentialDescriptor.getTransports() is now a SortedSet instead of Set. The builder still accepts a plain Set.
• Registration ceremony now verifies that the returned credential public key matches one of the algorithms specified in RelyingParty.preferredPubkeyParams and can be successfully parsed.

New features:

• Origin matching can now be relaxed via two new RelyingParty options:
  • allowOriginPort (default false): Allow any port number in the origin
  • allowOriginSubdomain (default false): Allow any subdomain of any origin listed in RelyingParty.origins
  • See JavaDoc for details and examples.
• The new AuthenticatorTransport can now contain any string value as the transport identifier, as required in the editor's draft of the L2 spec. See: w3c/webauthn#1275
• Added support for RS1 credentials. Registration of RS1 credentials is not enabled by default, but can be enabled by setting RelyingParty.preferredPubKeyCredParams to a list containing PublicKeyCredentialParameters.RS1.
  • New constant PublicKeyCredentialParameters.RS1
  • New constant COSEAlgorithmIdentifier.RS1

Artifacts built with JDK 11.

Version 1.4.1

Packaging fixes:

• Fixed dependency declarations so API dependencies are correctly propagated as compile-time dependencies of dependent projects.
• Fixed Specification-Version release date in webauthn-server-core jar manifest.

Artifacts built with JDK 8.

Pre-release 1.4.1-RC1

Packaging fixes:

• Fixed dependency declarations so API dependencies are correctly propagated as compile-time dependencies of dependent projects.
• Fixed Specification-Version release date in webauthn-server-core jar manifest.

Artifacts built with JDK 11.

Version 1.4.0

Changes:

• Class com.yubico.internal.util.WebAuthnCodecs is no longer public. The package com.yubico.internal.util was already declared non-public in JavaDoc, but this is now also enforced via Java visibility rules.
• Class com.yubico.webauthn.meta.Specification.SpecificationBuilder is no longer public. It was never intended to be, although this was not documented explicitly.
• Default value for RelyingParty.preferredPubKeyParams changed from [ES256, RS256] to [ES256, EdDSA, RS256]
• Data classes no longer use Optional internally in field types. This should not meaningfully affect the public API, but might improve compatibility with frameworks that use reflection.

New features:

• Added support for Ed25519 signatures.
• New constants COSEAlgorithmIdentifier.EdDSA and PublicKeyCredentialParameters.EdDSA
• Artifacts are now built reproducibly; fresh builds from source should now be verifiable by signature files from Maven Central.

Security fixes:

• Bumped Jackson dependency to version 2.9.9.3 which has patched CVE-2019-12814, CVE-2019-14439, CVE-2019-14379

Artifacts built with JDK 11.

Pre-release 1.4.0-RC2

Published artifacts built with JDK 11.

The build of 1.4.0-RC1 published to Maven Central was built with lombok.config files in the working directory that are not tracked by Git, which breaks signature verification for the reproducible build. The 1.4.0-RC2 build is built from the same commit but without those untracked lombok.config files, so a fresh build from source produces the same artifacts.

Pre-release 1.4.0-RC1

Changes:

• Class com.yubico.internal.util.WebAuthnCodecs is no longer public. The package com.yubico.internal.util was already declared non-public in JavaDoc, but this is now also enforced via Java visibility rules.
• Class com.yubico.webauthn.meta.Specification.SpecificationBuilder is no longer public. It was never intended to be, although this was not documented explicitly.
• Default value for RelyingParty.preferredPubKeyParams changed from [ES256, RS256] to [ES256, EdDSA, RS256]

New features:

• Added support for Ed25519 signatures.
• New constants COSEAlgorithmIdentifier.EdDSA and PublicKeyCredentialParameters.EdDSA
• Artifacts are now built reproducibly; fresh builds from source should now be verifiable by signature files from Maven Central.

Security fixes:

• Bumped Jackson dependency to version 2.9.9.3 which has patched CVE-2019-12814, CVE-2019-14439, CVE-2019-14379

Version 1.3.0

Security fixes:

• Bumped Jackson dependency to version 2.9.9 which has patched CVE-2019-12086

New features:

• New optional parameter timeout added to StartRegistrationOptions and StartAssertionOptions

Bug fixes:

• Fixed polarity error in javadoc for RelyingParty.allowUntrustedAttestation

Pre-release 1.3.0-RC2

Security fixes:

• Bumped Jackson dependency to version 2.9.9 which has patched CVE-2019-12086

Pre-release 1.3.0-RC1

New features:

• New optional parameter timeout added to StartRegistrationOptions and StartAssertionOptions