Release 2.6.0

`webauthn-server-core`:

New features:

- Added method `getParsedPublicKey(): java.security.PublicKey` to
  `RegistrationResult` and `RegisteredCredential`.
  - Thanks to Jakob Heher (A-SIT) for the contribution, see
    #299
- Added enum parsing functions:
  - `AuthenticatorAttachment.fromValue(String): Optional<AuthenticatorAttachment>`
  - `PublicKeyCredentialType.fromId(String): Optional<PublicKeyCredentialType>`
  - `ResidentKeyRequirement.fromValue(String): Optional<ResidentKeyRequirement>`
  - `TokenBindingStatus.fromValue(String): Optional<TokenBindingStatus>`
  - `UserVerificationRequirement.fromValue(String): Optional<UserVerificationRequirement>`
- Added public builder to `CredentialPropertiesOutput`.
- Added public factory function
  `LargeBlobRegistrationOutput.supported(boolean)`.
- Added public factory functions to `LargeBlobAuthenticationOutput`.
- Added `hints` property to `StartRegistrationOptions`, `StartAssertionOptions`,
  `PublicKeyCredentialCreationOptions` and `PublicKeyCredentialRequestOptions`,
  and class `PublicKeyCredentialHint` to support them, to support the `hints`
  parameter introduced in WebAuthn L3:
  https://www.w3.org/TR/2023/WD-webauthn-3-20230927/#dom-publickeycredentialcreationoptions-hints
- (Experimental) Added option `isSecurePaymentConfirmation(boolean)` to
  `FinishAssertionOptions`. When set, `RelyingParty.finishAssertion()` will
  adapt the validation logic for a Secure Payment Confirmation (SPC) response
  instead of an ordinary WebAuthn response. See the JavaDoc for details.
  - NOTE: Experimental features may receive breaking changes without a major
    version increase.

`webauthn-server-attestation`:

New features:

- `FidoMetadataDownloader` now parses the CRLDistributionPoints extension on the
  application level, so the `com.sun.security.enableCRLDP=true` system property
  setting is no longer necessary.
- Added helper function `CertificateUtil.parseFidoSernumExtension` for parsing
  serial number from enterprise attestation certificates.

Author: emlun

.github/dependabot.yml

@@ -11,6 +11,8 @@ updates:
       # Spotless patch updates are too noisy
       - dependency-name: "spotless-plugin-gradle"
         update-types: ["version-update:semver-patch"]
+      - dependency-name: "com.diffplug.spotless:spotless-plugin-gradle"
+        update-types: ["version-update:semver-patch"]
 
   - package-ecosystem: "github-actions"
     directory: "/"

.github/workflows/build.yml

@@ -33,10 +33,10 @@ jobs:
 
     steps:
     - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     - name: Set up JDK 17
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@v4
       with:
         java-version: 17
         distribution: ${{ matrix.distribution }}
@@ -45,7 +45,7 @@ jobs:
       run: ./gradlew clean testClasses
 
     - name: Set up JDK ${{ matrix.java }}
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@v4
       with:
         java-version: ${{ matrix.java }}
         distribution: ${{ matrix.distribution }}
@@ -55,7 +55,7 @@ jobs:
 
     - name: Archive HTML test report on failure
       if: ${{ failure() }}
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: test-reports-java17-java${{ matrix.java }}-${{ matrix.distribution }}-html
         path: "*/build/reports/**"
@@ -68,14 +68,14 @@ jobs:
 
     - name: Archive HTML test report
       if: ${{ always() }}
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: test-reports-java${{ matrix.java }}-${{ matrix.distribution }}-html
         path: "*/build/reports/**"
 
     - name: Archive JUnit test report
       if: ${{ always() }}
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: test-reports-java${{ matrix.java }}-${{ matrix.distribution }}-xml
         path: "*/build/test-results/**/*.xml"
@@ -100,7 +100,7 @@ jobs:
 
     steps:
     - name: Download artifacts
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
       with:
         name: test-reports-java${{ needs.test.outputs.report-java }}-${{ needs.test.outputs.report-dist }}-xml
 

.github/workflows/code-formatting.yml

@@ -21,10 +21,10 @@ jobs:
 
     steps:
     - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     - name: Set up JDK
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@v4
       with:
         java-version: ${{ matrix.java }}
         distribution: ${{ matrix.distribution }}

.github/workflows/codeql-analysis.yml

@@ -21,16 +21,16 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
-    - uses: actions/setup-java@v3
+    - uses: actions/setup-java@v4
       with:
         java-version: 17
         distribution: temurin
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: java
 
@@ -39,4 +39,4 @@ jobs:
         ./gradlew jar
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3

.github/workflows/coverage.yml

@@ -4,8 +4,9 @@ name: Test coverage
 on:
   push:
     branches:
-    - main
-    - 'release-*'
+      - main
+      - dependabot/gradle/info.solidsoft.gradle.pitest-gradle-pitest-plugin-*
+      - 'release-*'
 
 jobs:
   test:
@@ -18,10 +19,10 @@ jobs:
 
     steps:
     - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     - name: Set up JDK
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@v4
       with:
         java-version: 17
         distribution: temurin
@@ -30,7 +31,7 @@ jobs:
       run: ./gradlew pitestMerge
 
     - name: Archive test reports
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: pitest-reports-${{ github.sha }}
         path: "*/build/reports/pitest/**"
@@ -46,16 +47,8 @@ jobs:
         done
         sed "s/{shortcommit}/${GITHUB_SHA:0:8}/g;s/{commit}/${GITHUB_SHA}/g;s#{repo}#${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}#g" .github/workflows/coverage/index.html.template > build/gh-pages/index.html
 
-    - name: Create coverage badge
-      if: ${{ github.ref == 'refs/heads/main' }}
-      # This creates a file that defines a [Shields.io endpoint badge](https://shields.io/endpoint)
-      # which we can then include in the project README.
-      uses: ./.github/actions/pit-results-badge
-      with:
-        output-file: build/gh-pages/coverage-badge.json
-
     - name: Check out GitHub Pages branch
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         ref: gh-pages
         clean: false
@@ -71,6 +64,14 @@ jobs:
         prev-commit: ${{ env.PREV_COMMIT }}
         prev-mutations-file: prev-mutations.xml
 
+    - name: Create coverage badge
+      if: ${{ github.ref == 'refs/heads/main' }}
+      # This creates a file that defines a [Shields.io endpoint badge](https://shields.io/endpoint)
+      # which we can then include in the project README.
+      uses: ./.github/actions/pit-results-badge
+      with:
+        output-file: build/gh-pages/coverage-badge.json
+
     - name: Push to GitHub Pages
       if: ${{ github.ref == 'refs/heads/main' }}
       run: |

.github/workflows/release-verify-signatures.yml

@@ -24,7 +24,7 @@ jobs:
         until wget https://repo1.maven.org/maven2/com/yubico/webauthn-server-core/${{ github.ref_name }}/webauthn-server-core-${{ github.ref_name }}.jar.asc; do sleep 180; done
 
     - name: Store keyring and signatures as artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: keyring-and-signatures
         retention-days: 1
@@ -44,12 +44,12 @@ jobs:
 
     steps:
     - name: check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         ref: ${{ github.ref_name }}
 
     - name: Set up JDK
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@v4
       with:
         java-version: ${{ matrix.java }}
         distribution: ${{ matrix.distribution }}
@@ -68,7 +68,7 @@ jobs:
         done
 
     - name: Retrieve keyring and signatures
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
       with:
         name: keyring-and-signatures
 
@@ -87,7 +87,7 @@ jobs:
 
     steps:
     - name: Retrieve signatures
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
       with:
         name: keyring-and-signatures
 

.gitignore

@@ -11,6 +11,9 @@ out/
 *.iws
 .attach_pid*
 
+# VS Code
+.vscode/
+
 # Mac
 .DS_Store
 

NEWS

@@ -1,3 +1,46 @@
+== Version 2.6.0 ==
+
+`webauthn-server-core`:
+
+New features:
+
+* Added method `getParsedPublicKey(): java.security.PublicKey` to
+  `RegistrationResult` and `RegisteredCredential`.
+ ** Thanks to Jakob Heher (A-SIT) for the contribution, see
+    https://github.com/Yubico/java-webauthn-server/pull/299
+* Added enum parsing functions:
+ ** `AuthenticatorAttachment.fromValue(String): Optional<AuthenticatorAttachment>`
+ ** `PublicKeyCredentialType.fromId(String): Optional<PublicKeyCredentialType>`
+ ** `ResidentKeyRequirement.fromValue(String): Optional<ResidentKeyRequirement>`
+ ** `TokenBindingStatus.fromValue(String): Optional<TokenBindingStatus>`
+ ** `UserVerificationRequirement.fromValue(String): Optional<UserVerificationRequirement>`
+* Added public builder to `CredentialPropertiesOutput`.
+* Added public factory function
+  `LargeBlobRegistrationOutput.supported(boolean)`.
+* Added public factory functions to `LargeBlobAuthenticationOutput`.
+* Added `hints` property to `StartRegistrationOptions`, `StartAssertionOptions`,
+  `PublicKeyCredentialCreationOptions` and `PublicKeyCredentialRequestOptions`,
+  and class `PublicKeyCredentialHint` to support them, to support the `hints`
+  parameter introduced in WebAuthn L3:
+  https://www.w3.org/TR/2023/WD-webauthn-3-20230927/#dom-publickeycredentialcreationoptions-hints
+* (Experimental) Added option `isSecurePaymentConfirmation(boolean)` to
+  `FinishAssertionOptions`. When set, `RelyingParty.finishAssertion()` will
+  adapt the validation logic for a Secure Payment Confirmation (SPC) response
+  instead of an ordinary WebAuthn response. See the JavaDoc for details.
+ ** NOTE: Experimental features may receive breaking changes without a major
+    version increase.
+
+`webauthn-server-attestation`:
+
+New features:
+
+* `FidoMetadataDownloader` now parses the CRLDistributionPoints extension on the
+  application level, so the `com.sun.security.enableCRLDP=true` system property
+  setting is no longer necessary.
+* Added helper function `CertificateUtil.parseFidoSernumExtension` for parsing
+  serial number from enterprise attestation certificates.
+
+
 == Version 2.5.4 ==
 
 `webauthn-server-attestation`: