Releases: Yubico/java-webauthn-server
Pre-release 1.12.4-RC2
This pre-release merges the changes from version 1.12.3 into the 1.12.4 release branch.
Artifacts built with openjdk 11.0.15 2022-04-19
.
Version 1.12.3
Fixes:
- Fixed
PublicKeyCredential
failing to parse from JSON if an"authenticatorAttachment"
attribute was present. - Bumped Jackson dependency to version [2.13.2.1,3) in response to CVE-2020-36518
- Fixed bug in
RelyingParty.finishAssertion
that would throw a nondescriptNoSuchElementException
if username and user handle are both absent, instead of anIllegalArgumentException
with a better error message.
Artifacts built with openjdk 11.0.15 2022-04-19
.
Pre-release 1.12.3-RC3
Fixes:
- Fixed bug in
RelyingParty.finishAssertion
where ifStartAssertionOptions.userHandle
was set, it did not propagate toRelyingParty.finishAssertion
and caused an error saying username and user handle are both absent unless a user handle was returned by the authenticator.
New features:
- Added
userHandle
field toAssertionRequest
as part of above bug fix.userHandle
is mutually exclusive withusername
.
Artifacts built with openjdk 11.0.15 2022-04-19
.
Pre-release 1.12.3-RC2
Fixes:
- Bumped Jackson dependency to version [2.13.2.1,3) in response to CVE-2020-36518
- Fixed bug in
RelyingParty.finishAssertion
that would throw a nondescriptNoSuchElementException
if username and user handle are both absent, instead of anIllegalArgumentException
with a better error message.
Artifacts built with openjdk 11.0.15 2022-04-19
.
Pre-release 2.0.0-RC1
This release removes deprecated APIs and changes some defaults to better align with the L2 version of the WebAuthn spec. It also adds a new major feature: optional integration with the FIDO Metadata Service for retrieving authenticator metadata and attestation trust roots. See below for details.
webauthn-server-core
:
Breaking changes:
- Deleted deprecated
icon
field inRelyingPartyIdentity
andUserIdentity
, and its associated methods. - Deleted deprecated
AuthenticatorSelectionCriteria
methodsbuilder().requireResidentKey(boolean)
andisRequireResidentKey()
. RelyingParty
parameterallowUnrequestedExtensions
removed. The library will now always accept unrequested extensions.- Class
ClientAssertionExtensionOutputs
now silently ignores unknown extensions instead of rejecting them. webauthn-server-core-minimal
module deleted.webauthn-server-core
no longer depends on BouncyCastle and will no longer attempt to automatically fall back to it. Therefore, EdDSA keys are no longer supported by default in JDK 14 and earlier. The library will log warnings if configured for algorithms with no JCA provider available, in which case the dependent project may need to add additional dependencies and configure JCA providers externally.- Enum value
AttestationType.ECDAA
removed without replacement. - Deleted methods
RegistrationResult.getWarnings()
andAssertionResult.getWarnings()
since they are now always empty. - Framework for attestation metadata has been fully overhauled. See the
webauthn-server-attestation
module documentation for the new ways to work with attestation metadata:- Deleted method
RegistrationResult.getAttestationMetadata()
. - Interface
MetadataService
replaced withAttestationTrustSource
, and optionalRelyingParty
setting.metadataService(MetadataService)
replaced with.attestationTrustSource(AttestationTrustSource)
. - Deleted types
Attestation
andTransport
. - Deleted method
AuthenticatorTransport.fromU2fTransport
.
- Deleted method
RelyingParty.finishRegistration()
now uses a JCACertPathValidator
to validate attestation certificate paths, if an attestation trust source has been configured. This requires a compatible JCA provider, but should already be available in most environments.- Classes in package
com.yubico.fido.metadata
moved tocom.yubico.webauthn.extension.uvm
to avoid name clash withwebauthn-server-attestation
module in JPMS. - Changed return type of
PublicKeyCredentialRequestOptions.getUserVerification()
,AuthenticatorSelectionCriteria.getUserVerification()
andAuthenticatorSelectionCriteria.getResidentKey()
toOptional
, and changed defaults foruserVerification
andresidentKey
to empty. This means we won't inadvertently suppress warnings that browsers might issue in the browser console if for exampleuserVerification
is not set explicitly.
New features:
- Method
getAaguid()
added toRegistrationResult
. - Method
getAttestationTrustPath()
added toRegistrationResult
. - Setting
.clock(Clock)
added toRelyingParty
. It is used for attestation path validation if anattestationTrustSource
is configured.
webauthn-server-attestation
:
Breaking changes:
- Types
AttestationResolver
,CompositeAttestationResolver
,CompositeTrustResolver
,DeviceMatcher
,ExtensionMatcher
,FingerprintMatcher
,MetadataObject
,SimpleAttestationResolver
,SimpleTrustResolver
,StandardMetadataService
andTrustResolver
deleted in favour of a new attestation metadata framework. Some of the functionality is retained as the newYubicoJsonMetadataService
class in thewebauthn-server-demo
subproject in the library sources, but no longer exposed in either library module. - Library no longer contains a
/metadata.json
resource.
New features:
- New types
FidoMetadataService
andFidoMetadataDownloader
which integrate with the FIDO Metadata Service for retrieving authenticator metadata and attestation trust roots.
Artifacts built with openjdk 11.0.15 2022-04-19
.
Pre-release 1.12.4-RC1
Deprecated features:
- Option
RelyingParty.allowUnrequestedExtensions
deprecated. Thefalse
setting (default) is not compatible with WebAuthn Level 2 since authenticators are now always allowed to add unsolicited extensions. The next major version release will remove this option and always behave as if the option had been set totrue
. - Enum value
AttestationType.ECDAA
. ECDAA was removed in WebAuthn Level 2. - Function
TokenBindingStatus.fromJsonString(String)
deprecated. It should not have been part of the public API to begin with.
Artifacts built with openjdk 11.0.15 2022-04-19
.
Pre-release 1.12.3-RC1
Fixes:
- Fixed
PublicKeyCredential
failing to parse from JSON if an"authenticatorAttachment"
attribute was present.
Artifacts built with openjdk 11.0.15 2022-04-19
.
Version 1.12.2
Fixes:
com.upokecenter:cbor
dependency bumped to minimum version 4.5.1 due to a known vulnerability, see: GHSA-fj2w-wfgv-mwq6- Fixed crash in
AuthenticatorData
deserialization withcom.upokecenter:cbor
versions later than 4.0.1
Artifacts built with openjdk 11.0.13 2021-10-19
.
Version 1.12.1
Fixes:
RelyingParty.finishAssertion()
no longer makes multiple (redundant) calls toCredentialRepository.lookup()
.
Artifacts built with openjdk 11.0.13 2021-10-19
.
Pre-release 1.12.1-RC1
Fixes:
RelyingParty.finishAssertion()
no longer makes multiple (redundant) calls toCredentialRepository.lookup()
.
Artifacts built with openjdk 11.0.13 2021-10-19
.