Version 2.4.0

webauthn-server-core:

New features:

• Added support for RS384 and RS512 signature algorithms.
  • Thanks to GitHub user JohnnyJayJay for the contribution, see #235
• Added userHandle field to AssertionRequest as part of the second bug fix below. userHandle is mutually exclusive with username. This was originally released in pre-release 1.12.3-RC3, but was accidentally left out of the 1.12.3 release.

Fixes:

• During RelyingParty.finishRegistration() if an attestationTrustSource is configured, if the aaguid in the authenticator data is zero, the call to AttestationTrustSource.findTrustRoots will fall back to reading the AAGUID from the attestation certificate if possible.
• Fixed bug in RelyingParty.finishAssertion where if StartAssertionOptions.userHandle was set, it did not propagate to RelyingParty.finishAssertion and caused an error saying username and user handle are both absent unless a user handle was returned by the authenticator. This was originally released in pre-release 1.12.3-RC3, but was accidentally left out of the 1.12.3 release.
• Fixed regression in PublicKeyCredentialCreationOptions.toCredentialsCreateJson(), which has not been emitting a requireResidentKey member since version 2.0.0. This meant the JSON output was not backwards compatible with browsers that only support the Level 1 version of the WebAuthn spec.

webauthn-server-attestation:

Fixes:

• findEntries and findTrustRoots methods in FidoMetadataService now attempt to read AAGUID from the attestation certificate if the aaguid argument is absent or zero.
• Method FidoMetadataService.Filters.allOf now has @SafeVarargs annotation.

Artifacts built with openjdk 17.0.6 2023-01-17.