Skip to content

Releases: linux-credentials/libwebauthn

libwebauthn v0.9.0

libwebauthn v0.9.0 Pre-release
Pre-release

Choose a tag to compare

@AlfioEmanueleFresta AlfioEmanueleFresta released this 01 Jul 21:22
a6bdb70

Highlights

Transports

  • NFC and hybrid (caBLE) transports are now advertised to relying parties (#282)
  • Duplicate USB HID/NFC authenticators are deduplicated (#270)
  • caBLE tunnel redirects are followed and dead links are forgotten instead of left stale (#274)

Extensions

  • credProtect support is now feature-detected from getInfo (#273)
  • prf accepts the evalByCredential JSON key (#277)

Features

  • New authenticatorReset command (#296)
  • Backup eligibility and state flags (BE/BS) are modeled on credentials (#272)

Bugfixes

  • appid/appidExclude and rp.id are now authorized against the caller's actual origin, and IP-literal rp.id values are rejected (#275, #285)
  • attestation=none now actually scrubs the attestation statement and AAGUID (#284)
  • Credential preflight no longer treats transient transport errors as a missing credential (#287)
  • PIN policy is honored and PINs are normalized before use (#281)

Hardening

  • BLE connections fail closed when bluez bonding state can't be confirmed (#283)
  • caBLE linking updates with invalid signatures can no longer evict a known device (#288)
  • getNextAssertion iteration is bounded and validated against a hostile authenticator (#290)
  • Authenticator config subcommands are gated on declared getInfo capabilities (#291)
  • Unknown CTAP status codes are preserved instead of reported as framing errors (#286)
  • Unknown transport values in credential descriptors are tolerated per spec (#289)
  • getInfo request sizes are bounded (#278)

API

  • Transport errors are now per-transport typed via a generic ceremony Error<E>; the previous WebAuthnError name is kept as an alias (#297)
  • Public response and spec types are now #[non_exhaustive] ahead of a future stable release (#293)

What's Changed

Full Changelog: libwebauthn-v0.8.0...libwebauthn-v0.9.0

libwebauthn v0.8.0

libwebauthn v0.8.0 Pre-release
Pre-release

Choose a tag to compare

@AlfioEmanueleFresta AlfioEmanueleFresta released this 15 Jun 20:54
d593d6b

What's Changed

Full Changelog: libwebauthn-v0.7.1...libwebauthn-v0.8.0

libwebauthn v0.7.1

libwebauthn v0.7.1 Pre-release
Pre-release

Choose a tag to compare

@AlfioEmanueleFresta AlfioEmanueleFresta released this 10 Jun 22:36
69ca216

What's Changed

New Contributors

Full Changelog: libwebauthn-v0.7.0...libwebauthn-v0.7.1

libwebauthn v0.7.0

libwebauthn v0.7.0 Pre-release
Pre-release

Choose a tag to compare

@AlfioEmanueleFresta AlfioEmanueleFresta released this 07 Jun 21:42
68ea5db

Highlights

Features

  • largeBlob extension: read, write, and delete (#206, #261)
  • Persistent pinUvAuthToken for read-only credential management, the CTAP 2.2 perCredMgmtRO feature, with a caller-supplied token store and invalidation on rejection or PIN change (#231-#234)
  • Enforce userVerification=required on the shared-secret path (#248)

Fixes

  • base64url-decode excludeCredentials ids (#242)
  • order crossOrigin before topOrigin in clientDataJSON (#241)
  • scope rp.id to the registrable domain under multi-label suffixes (#240)
  • emit makeCredential extensions in canonical CBOR order (#243)
  • preserve raw authenticatorData, rpIDHash, and templateId (#245, #249)
  • decode unsignedExtensionOutputs at GetAssertion (#244)
  • full-length U2F_REGISTER response and preserved APDU status words on NFC (#246, #247)

What's Changed

Full Changelog: libwebauthn-v0.6.0...libwebauthn-v0.7.0

libwebauthn v0.6.0

libwebauthn v0.6.0 Pre-release
Pre-release

Choose a tag to compare

@AlfioEmanueleFresta AlfioEmanueleFresta released this 30 May 17:28
4151e17

Highlights

Features

  • Related origins: assertions can now validate against related origins per WebAuthn L3 §5.11, with an optional reqwest-backed .well-known/webauthn fetcher behind the reqwest-related-origins-source feature.
  • SubjectPublicKeyInfo: getPublicKey() now returns a DER-encoded SubjectPublicKeyInfo.

Bugfixes

  • Credential public keys are stored as opaque COSE bytes, preserving the authenticator's exact encoding.
  • Arbitrary COSE algorithm identifiers are passed through instead of being rejected.

What's Changed

Full Changelog: libwebauthn-v0.5.1...libwebauthn-v0.6.0

libwebauthn v0.5.1

libwebauthn v0.5.1 Pre-release
Pre-release

Choose a tag to compare

@AlfioEmanueleFresta AlfioEmanueleFresta released this 26 May 19:14
7aa0cbf

What's Changed

Full Changelog: libwebauthn-v0.5.0...libwebauthn-v0.5.1

libwebauthn v0.5.0

libwebauthn v0.5.0 Pre-release
Pre-release

Choose a tag to compare

@AlfioEmanueleFresta AlfioEmanueleFresta released this 18 May 19:22
6a0e737

Highlights

Transport

  • CTAP 2.3 hybrid over a direct BLE L2CAP channel (#216)

Extensions

  • appid / appidExclude (#204)
  • hmac-secret-mc (#212)

Features

  • DAFSA-format Public Suffix List reader (#215)

Bugfixes

  • BLE spec conformance: notify, write-with-response, bonded check (#202)
  • Hybrid: omit QR key 6 by default to keep legacy caBLE clients happy (#216)
  • largeBlob.read no longer leaks largeBlobKey to RP (#198)
  • PRF inputs of any length per WebAuthn L3 (#211)

Hardening

  • HID wall-clock timeouts and continuation-packet validation (#205)
  • Broad input hardening against hostile authenticator input (#203, #207)

What's Changed

Full Changelog: libwebauthn-v0.3.0...libwebauthn-v0.5.0

libwebauthn-v0.3.0

libwebauthn-v0.3.0 Pre-release
Pre-release

Choose a tag to compare

@AlfioEmanueleFresta AlfioEmanueleFresta released this 08 May 21:32
1f05a58

See README.md for all features supported in v0.3.0.

We're working towards our first production-ready release. You can track our progress on the GitHub project (Passkeys for the Linux Desktop).

What's Changed

New Contributors

Full Changelog: libwebauthn-v0.2.2...libwebauthn-v0.3.0

libwebauthn v0.2.2

libwebauthn v0.2.2 Pre-release
Pre-release

Choose a tag to compare

@AlfioEmanueleFresta AlfioEmanueleFresta released this 27 Jul 16:03
bdf2823

See README.md for all features supported in v0.2.2.

We're working towards our first production-ready release. You can track our progress on the GitHub project (Passkeys for the Linux Desktop).