Version 2.6.0

webauthn-server-core:

New features:

• Added method getParsedPublicKey(): java.security.PublicKey to
  RegistrationResult and RegisteredCredential.
  • Thanks to Jakob Heher (A-SIT) for the contribution, see #299
• Added enum parsing functions:
  • AuthenticatorAttachment.fromValue(String): Optional<AuthenticatorAttachment>
  • PublicKeyCredentialType.fromId(String): Optional<PublicKeyCredentialType>
  • ResidentKeyRequirement.fromValue(String): Optional<ResidentKeyRequirement>
  • TokenBindingStatus.fromValue(String): Optional<TokenBindingStatus>
  • UserVerificationRequirement.fromValue(String): Optional<UserVerificationRequirement>
• Added public builder to CredentialPropertiesOutput.
• Added public factory function LargeBlobRegistrationOutput.supported(boolean).
• Added public factory functions to LargeBlobAuthenticationOutput.
• Added hints property to StartRegistrationOptions, StartAssertionOptions, PublicKeyCredentialCreationOptions and PublicKeyCredentialRequestOptions, and class PublicKeyCredentialHint to support them, to support the hints parameter introduced in WebAuthn L3: https://www.w3.org/TR/2023/WD-webauthn-3-20230927/#dom-publickeycredentialcreationoptions-hints
• (Experimental) Added option isSecurePaymentConfirmation(boolean) to FinishAssertionOptions. When set, RelyingParty.finishAssertion() will adapt the validation logic for a Secure Payment Confirmation (SPC) response instead of an ordinary WebAuthn response. See the JavaDoc for details.
  • NOTE: Experimental features may receive breaking changes without a major version increase.

webauthn-server-attestation:

New features:

• FidoMetadataDownloader now parses the CRLDistributionPoints extension on the application level, so the com.sun.security.enableCRLDP=true system property setting is no longer necessary.
• Added helper function CertificateUtil.parseFidoSernumExtension for parsing serial number from enterprise attestation certificates.

Artifacts built with openjdk version "17.0.13" 2024-10-15.

Pre-release 2.6.0-RC1

Changes since 2.6.0-alpha8

webauthn-server-core:

Breaking changes:

• Removed the suite of experimental interfaces related with CredentialRepositoryV2. These will be postponed to minor release 2.7 instead.
• Removed property RegisteredCredential.transports.
• Removed property credProps.authenticatorDisplayName.
• Removed credProps extension from assertion extension outputs.

webauthn-server-attestation:

New features:

• FidoMetadataDownloader now parses the CRLDistributionPoints extension on the application level, so the com.sun.security.enableCRLDP=true system property setting is no longer necessary.
• Added helper function CertificateUtil.parseFidoSernumExtension for parsing serial number from enterprise attestation certificates.

Changes since 2.5.4

webauthn-server-core:

New features:

• Added method getParsedPublicKey(): java.security.PublicKey to RegistrationResult and RegisteredCredential.
  • Thanks to Jakob Heher (A-SIT) for the contribution, see #299
• Added enum parsing functions:
  • AuthenticatorAttachment.fromValue(String): Optional<AuthenticatorAttachment>
  • PublicKeyCredentialType.fromId(String): Optional<PublicKeyCredentialType>
  • ResidentKeyRequirement.fromValue(String): Optional<ResidentKeyRequirement>
  • TokenBindingStatus.fromValue(String): Optional<TokenBindingStatus>
  • UserVerificationRequirement.fromValue(String): Optional<UserVerificationRequirement>
• Added public builder to CredentialPropertiesOutput.
• Added public factory function LargeBlobRegistrationOutput.supported(boolean).
• Added public factory functions to LargeBlobAuthenticationOutput.
• Added hints property to StartRegistrationOptions, StartAssertionOptions, PublicKeyCredentialCreationOptions and PublicKeyCredentialRequestOptions, and class PublicKeyCredentialHint to support them, to support the hints parameter introduced in WebAuthn L3: https://www.w3.org/TR/2023/WD-webauthn-3-20230927/#dom-publickeycredentialcreationoptions-hints
• (Experimental) Added option isSecurePaymentConfirmation(boolean) to FinishAssertionOptions. When set, RelyingParty.finishAssertion() will adapt the validation logic for a Secure Payment Confirmation (SPC) response instead of an ordinary WebAuthn response. See the JavaDoc for details.
  • NOTE: Experimental features may receive breaking changes without a major version increase.

webauthn-server-attestation:

New features:

• FidoMetadataDownloader now parses the CRLDistributionPoints extension on the application level, so the com.sun.security.enableCRLDP=true system property setting is no longer necessary.
• Added helper function CertificateUtil.parseFidoSernumExtension for parsing serial number from enterprise attestation certificates.

Artifacts built with openjdk version "17.0.13" 2024-10-15.

Experimental release 2.6.0-alpha8

Ported changes from release 2.5.4:

webauthn-server-attestation:

Fixes:

• AuthenticatorGetInfo.algorithms now silently ignores unknown COSEAlgorithmIdentifier and PublicKeyCredentialType values instead of rejecting the MDS BLOB.

Artifacts built with openjdk version "17.0.13" 2024-10-15.

Version 2.5.4

webauthn-server-attestation:

Fixes:

• AuthenticatorGetInfo.algorithms now silently ignores unknown COSEAlgorithmIdentifier and PublicKeyCredentialType values instead of rejecting the MDS BLOB.

Artifacts built with openjdk version "17.0.13" 2024-10-15.

Pre-release 2.5.4-RC1

webauthn-server-attestation:

Fixes:

• AuthenticatorGetInfo.algorithms now silently ignores unknown COSEAlgorithmIdentifier and PublicKeyCredentialType values instead of rejecting the MDS BLOB.

Artifacts built with openjdk version "17.0.13" 2024-10-15.

Experimental release 2.6.0-alpha7

Ported changes from release 2.5.3:

webauthn-server-attestation:

Fixes:

• FidoMetadataDownloader no longer rejects FIDO MDS metadata BLOBs with unknown properties.

Artifacts built with openjdk version "17.0.12" 2024-07-16.

Version 2.5.3

webauthn-server-attestation:

Fixes:

• FidoMetadataDownloader no longer rejects FIDO MDS metadata BLOBs with unknown properties.

Artifacts built with openjdk version "17.0.12" 2024-07-16.

Pre-release 2.5.3-RC2

Re-release with no code changes to fix the reproducible binary workflow on GitHub Actions.

Artifacts built with openjdk version "17.0.12" 2024-07-16.

Pre-release 2.5.3-RC1

webauthn-server-attestation:

Fixes:

• FidoMetadataDownloader no longer rejects FIDO MDS metadata BLOBs with unknown properties.

Artifacts built with openjdk version "17.0.12" 2024-07-16

Experimental release 2.6.0-alpha6

Ported changes from release 2.5.2:

• Allow unknown properties in credProps client extension output.

Artifacts built with openjdk version "17.0.10" 2024-01-16.