
Version 2.2.0

@emlun emlun released this 24 Nov 15:26
· 348 commits to main since this release
2.2.0
ab1fac4

webauthn-server-core:

Changes:

  • Changed internal structure of RegistrationResult and AssertionResult. This may affect you if you use Jackson or similar tools to serialize these values to JSON, for example. This is not an officially supported use case and thus does not warrant a major version bump.
  • Removed methods RegistrationResult.toBuilder() and AssertionResult.toBuilder(). Both had package-private return types, and thus were not usable by outside callers.

New features:

  • (Experimental) Added support for the new BE (backup eligible) and BS (backup state) flags in authenticator data:
    • NOTE: Experimental features may receive breaking changes without a major version increase.
    • Added BE and BS properties to AuthenticatorDataFlags, reflecting the respective flags (bits 0x08 and 0x10).
    • Added methods isBackupEligible() and isBackedUp() to RegistrationResult and AssertionResult, reflecting respectively the BE and BS flags.
    • Added properties backupEligible and backupState, getters isBackupEligible() and isBackedUp(), and corresponding builder methods to RegisteredCredential. RelyingParty.finishAssertion(...) will now validate that if RegisteredCredential.isBackupEligible() is present, then the BE flag of any assertion of that credential must match the stored value.
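The BE/BS bits and the stored-value check described above, as an added stand-alone example (Java 16+; not code from java-webauthn-server and not using its classes). The names `BackupFlagsExample`, `parse` and `beMatchesStored` are hypothetical, the sample bytes are constructed, and the rule that BS must not be set without BE is taken from the WebAuthn specification rather than from these release notes.

```java
import java.util.Optional;

/** Added illustration; does not use or reproduce the library's classes. */
public class BackupFlagsExample {
    // Authenticator data layout: rpIdHash (32 bytes), flags (1 byte), signCount (4 bytes).
    static final int FLAGS_OFFSET = 32;
    static final int MIN_LENGTH = 37;
    static final int BE = 0x08; // backup eligible
    static final int BS = 0x10; // backup state

    record BackupFlags(boolean backupEligible, boolean backedUp) {}

    /** Extracts BE and BS from raw authenticator data. */
    static BackupFlags parse(byte[] authData) {
        if (authData.length < MIN_LENGTH) {
            throw new IllegalArgumentException("authenticator data shorter than 37 bytes");
        }
        int flags = authData[FLAGS_OFFSET] & 0xff;
        boolean be = (flags & BE) != 0;
        boolean bs = (flags & BS) != 0;
        if (bs && !be) {
            // WebAuthn: a credential cannot be backed up without being backup eligible.
            throw new IllegalArgumentException("BS flag set while BE flag is clear");
        }
        return new BackupFlags(be, bs);
    }

    /**
     * Hypothetical helper mirroring the rule in the release note: when a BE value
     * was stored for the credential, every later assertion must report the same
     * value. An empty Optional (nothing stored) skips the comparison.
     */
    static boolean beMatchesStored(Optional<Boolean> storedBe, BackupFlags asserted) {
        return storedBe.map(stored -> stored == asserted.backupEligible()).orElse(true);
    }

    public static void main(String[] args) {
        // Constructed sample: zeroed rpIdHash and signCount, flags = UP | UV | BE | BS.
        byte[] authData = new byte[MIN_LENGTH];
        authData[FLAGS_OFFSET] = (byte) (0x01 | 0x04 | BE | BS);

        BackupFlags flags = parse(authData);
        System.out.println(flags);
        System.out.println("stored BE=true:  " + beMatchesStored(Optional.of(true), flags));
        System.out.println("stored BE=false: " + beMatchesStored(Optional.of(false), flags));
        System.out.println("nothing stored:  " + beMatchesStored(Optional.empty(), flags));
    }
}
```

A mismatch against the stored BE value is worth rejecting and logging: BE is fixed when the credential is created, so a change between assertions indicates the assertion did not come from the credential as registered.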

Fixes:

  • Fixed TPM attestation verification rejecting attestation certificates with TPM Device Attributes split between multiple RelativeDistinguishedName structures in the Subject Alternative Names extension.
    • Thanks to Oussama Zgheb for the contribution, see #241
  • Fixed various errors in JavaDoc.

webauthn-server-attestation:

Fixes:

  • Improved documentation of guarantees provided by FidoMetadataDownloader and required of its parameters.

Artifacts built with openjdk 17.0.5 2022-10-18.