Merge branch 'release-2.1.0'

.github/workflows/release-verify-signatures.yml

@@ -1,14 +1,42 @@
 name: Reproducible binary
 
+# This workflow waits for release signatures to appear on Maven Central,
+# then rebuilds the artifacts and verifies them against those signatures,
+# and finally uploads the signatures to the GitHub release.
+
 on:
   release:
-    types: [published, created, edited, prereleased]
+    types: [published, edited]
 
 jobs:
-  verify:
-    name: Verify signatures (JDK ${{matrix.java}})
+  download:
+    name: Download keys and signatures
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Fetch keys
+      run: gpg --no-default-keyring --keyring ./yubico.keyring --keyserver hkps://keys.openpgp.org --recv-keys 57A9DEED4C6D962A923BB691816F3ED99921835E
 
+    - name: Download signatures from Maven Central
+      timeout-minutes: 60
+      run: |
+        until wget https://repo1.maven.org/maven2/com/yubico/webauthn-server-attestation/${{ github.ref_name }}/webauthn-server-attestation-${{ github.ref_name }}.jar.asc; do sleep 180; done
+        until wget https://repo1.maven.org/maven2/com/yubico/webauthn-server-core/${{ github.ref_name }}/webauthn-server-core-${{ github.ref_name }}.jar.asc; do sleep 180; done
+
+    - name: Store keyring and signatures as artifact
+      uses: actions/upload-artifact@v3
+      with:
+        name: keyring-and-signatures
+        retention-days: 1
+        path: |
+          yubico.keyring
+          *.jar.asc
+
+  verify:
+    name: Verify signatures (JDK ${{ matrix.java }} ${{ matrix.distribution }})
+    needs: download
     runs-on: ubuntu-latest
+
     strategy:
       matrix:
         java: [17]
@@ -17,6 +45,8 @@ jobs:
     steps:
     - name: check out code
       uses: actions/checkout@v3
+      with:
+        ref: ${{ github.ref_name }}
 
     - name: Set up JDK
       uses: actions/setup-java@v3
@@ -29,25 +59,34 @@ jobs:
         java --version
         ./gradlew jar
 
-    - name: Fetch keys
-      run: gpg --no-default-keyring --keyring yubico --keyserver hkps://keys.openpgp.org --recv-keys 57A9DEED4C6D962A923BB691816F3ED99921835E
+    - name: Retrieve keyring and signatures
+      uses: actions/download-artifact@v3
+      with:
+        name: keyring-and-signatures
 
-    - name: Verify signatures from GitHub release
+    - name: Verify signatures from Maven Central
       run: |
-        export TAGNAME=${GITHUB_REF#refs/tags/}
+        gpg --no-default-keyring --keyring ./yubico.keyring --verify webauthn-server-attestation-${{ github.ref_name }}.jar.asc webauthn-server-attestation/build/libs/webauthn-server-attestation-${{ github.ref_name }}.jar
+        gpg --no-default-keyring --keyring ./yubico.keyring --verify webauthn-server-core-${{ github.ref_name }}.jar.asc webauthn-server-core/build/libs/webauthn-server-core-${{ github.ref_name }}.jar
 
-        wget https://github.com/${GITHUB_REPOSITORY}/releases/download/${TAGNAME}/webauthn-server-attestation-${TAGNAME}.jar.asc
-        wget https://github.com/${GITHUB_REPOSITORY}/releases/download/${TAGNAME}/webauthn-server-core-${TAGNAME}.jar.asc
+  upload:
+    name: Upload signatures to GitHub
+    needs: verify
+    runs-on: ubuntu-latest
 
-        gpg --no-default-keyring --keyring yubico --verify webauthn-server-attestation-${TAGNAME}.jar.asc webauthn-server-attestation/build/libs/webauthn-server-attestation-${TAGNAME}.jar
-        gpg --no-default-keyring --keyring yubico --verify webauthn-server-core-${TAGNAME}.jar.asc webauthn-server-core/build/libs/webauthn-server-core-${TAGNAME}.jar
+    permissions:
+      contents: write  # Allow uploading release artifacts
 
-    - name: Verify signatures from Maven Central
-      run: |
-        export TAGNAME=${GITHUB_REF#refs/tags/}
+    steps:
+    - name: Retrieve signatures
+      uses: actions/download-artifact@v3
+      with:
+        name: keyring-and-signatures
 
-        wget -O webauthn-server-core-${TAGNAME}.jar.mavencentral.asc https://repo1.maven.org/maven2/com/yubico/webauthn-server-core/${TAGNAME}/webauthn-server-core-${TAGNAME}.jar.asc
-        wget -O webauthn-server-attestation-${TAGNAME}.jar.mavencentral.asc https://repo1.maven.org/maven2/com/yubico/webauthn-server-attestation/${TAGNAME}/webauthn-server-attestation-${TAGNAME}.jar.asc
+    - name: Upload signatures to GitHub
+      run: |
+        RELEASE_DATA=$(curl -H "Authorization: Bearer ${{ github.token }}" ${{ github.api_url }}/repos/${{ github.repository }}/releases/tags/${{ github.ref_name }})
+        UPLOAD_URL=$(jq -r .upload_url <<<"${RELEASE_DATA}" | sed 's/{?name,label}//')
 
-        gpg --no-default-keyring --keyring yubico --verify webauthn-server-attestation-${TAGNAME}.jar.mavencentral.asc webauthn-server-attestation/build/libs/webauthn-server-attestation-${TAGNAME}.jar
-        gpg --no-default-keyring --keyring yubico --verify webauthn-server-core-${TAGNAME}.jar.mavencentral.asc webauthn-server-core/build/libs/webauthn-server-core-${TAGNAME}.jar
+        curl -X POST -H "Authorization: Bearer ${{ github.token }}" -H 'Content-Type: text/plain' --data-binary @webauthn-server-attestation-${{ github.ref_name }}.jar.asc "${UPLOAD_URL}?name=webauthn-server-attestation-${{ github.ref_name }}.jar.asc"
+        curl -X POST -H "Authorization: Bearer ${{ github.token }}" -H 'Content-Type: text/plain' --data-binary @webauthn-server-core-${{ github.ref_name }}.jar.asc "${UPLOAD_URL}?name=webauthn-server-core-${{ github.ref_name }}.jar.asc"

NEWS

@@ -1,15 +1,63 @@
 == Version 2.1.0 (unreleased) ==
 
+`webauthn-server-core`:
+
 Changes:
 
 * Log messages on attestation certificate path validation failure now include
   the attestation object.
 
+Deprecations:
+
+* Deprecated method `AssertionResult.getCredentialId(): ByteArray`. Use
+  `.getCredential().getCredentialId()` instead.
+* Deprecated method `AssertionResult.getUserHandle(): ByteArray`. Use
+  `.getCredential().getUserHandle()` instead.
+
+New features:
+
+* Added method `FidoMetadataDownloader.refreshBlob()`.
+* Added function `COSEAlgorithmIdentifier.fromPublicKey(ByteArray)`.
+* Added method `AssertionResult.getCredential(): RegisteredCredential`.
+* Added support for the `"tpm"` attestation statement format.
+* Added support for ES384 and ES512 signature algorithms.
+* Added property `policyTreeValidator` to `TrustRootsResult`. If set, the given
+  predicate function will be used to validate the certificate policy tree after
+  successful attestation certificate path validation. This may be required for
+  some JCA providers to accept attestation certificates with critical
+  certificate policy extensions. See the JavaDoc for
+  `TrustRootsResultBuilder.policyTreeValidator(Predicate)` for more information.
+* Added enum value `AttestationConveyancePreference.ENTERPRISE`.
+* (Experimental) Added constant `AuthenticatorTransport.HYBRID`.
+
 Fixes:
 
 * Fixed various typos and mistakes in JavaDocs.
 * Moved version constraints for test dependencies from meta-module
   `webauthn-server-parent` to unpublished test meta-module.
+* `yubico-util` dependency removed from downstream compile scope.
+* Fixed missing JavaDoc on `TrustRootsResult` getters and builder setters.
+
+
+`webauthn-server-attestation`:
+
+Changes:
+
+* The `AuthenticatorToBeFiltered` argument of the `FidoMetadataService` runtime
+  filter now omits zero AAGUIDs.
+* Promoted log messages in `FidoMetadataDownloader` about BLOB signature failure
+  and cache corruption from DEBUG level to WARN level.
+
+Fixes:
+
+* Fixed various typos and mistakes in JavaDocs.
+* `FidoMetadataDownloader` now verifies the SHA-256 hash of the cached trust
+  root certificate, as promised in the JavaDoc of `useTrustRootCacheFile` and
+  `useTrustRootCache`.
+* BouncyCastle dependency dropped.
+* Guava dependency dropped (but still remains in core module).
+* If BLOB download fails, `FidoMetadataDownloader` now correctly falls back to
+  cache if available.
 
 
 == Version 2.0.0 ==

README

@@ -60,7 +60,8 @@ The library will log warnings if you try to configure it for algorithms with no
 This library uses link:https://semver.org/[semantic versioning].
 The public API consists of all public classes, methods and fields in the `com.yubico.webauthn` package and its subpackages,
 i.e., everything covered by the
-link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/package-summary.html[Javadoc].
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/package-summary.html[Javadoc],
+*with the exception* of things annotated with `@Deprecated`.
 
 Package-private classes and methods are NOT part of the public API.
 The `com.yubico:yubico-util` module is NOT part of the public API.
@@ -624,6 +625,21 @@ The link:webauthn-server-attestation[`webauthn-server-attestation` module]
 provides optional additional features for working with attestation.
 See the module documentation for more details.
 
+Alternatively, you can use the
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/attestation/AttestationTrustSource.html[`AttestationTrustSource`]
+interface to implement your own source of attestation root certificates
+and set it as the
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/RelyingParty.RelyingPartyBuilder.html#attestationTrustSource(com.yubico.webauthn.attestation.AttestationTrustSource)[`attestationTrustSource`]
+for your
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/RelyingParty.html[`RelyingParty`]
+instance.
+Note that depending on your JCA provider configuration, you may need to set the
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/attestation/AttestationTrustSource.TrustRootsResult.TrustRootsResultBuilder.html#enableRevocationChecking(boolean)[`enableRevocationChecking`]
+and/or
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/attestation/AttestationTrustSource.TrustRootsResult.TrustRootsResultBuilder.html#policyTreeValidator(java.util.function.Predicate)[`policyTreeValidator`]
+settings for compatibility with some authenticators' attestation certificates.
+See the JavaDoc for these settings for more information.
+
 
 == Building
 

build.gradle

@@ -18,7 +18,7 @@ plugins {
 
 import io.franzbecker.gradle.lombok.LombokPlugin
 import io.franzbecker.gradle.lombok.task.DelombokTask
-import com.yubico.gradle.GitUtils;
+import com.yubico.gradle.GitUtils
 
 rootProject.description = "Metadata root for the com.yubico:webauthn-server-* module family"
 
@@ -52,12 +52,10 @@ dependencies {
     api('com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:[2.13.2,3)')
     api('com.fasterxml.jackson.datatype:jackson-datatype-jdk8:[2.13.2,3)')
     api('com.fasterxml.jackson.datatype:jackson-datatype-jsr310:[2.13.2,3)')
-    api('com.google.guava:guava:[24.1.1,31)')
+    api('com.google.guava:guava:[24.1.1,32)')
     api('com.upokecenter:cbor:[4.5.1,5)')
-    api('org.apache.httpcomponents:httpclient:[4.5.2,5)')
-    api('org.bouncycastle:bcpkix-jdk15on:[1.62,2)')
-    api('org.bouncycastle:bcprov-jdk15on:[1.62,2)')
-    api('org.slf4j:slf4j-api:[1.7.25,2)')
+    api('org.apache.httpcomponents.client5:httpclient5:[5.0.0,6)')
+    api('org.slf4j:slf4j-api:[1.7.25,3)')
   }
 }
 
@@ -94,7 +92,8 @@ subprojects {
     mavenCentral()
   }
 
-  if (project.plugins.hasPlugin('com.diffplug.spotless')) {
+  if (project !== project(':test-platform')) {
+    apply plugin: 'com.diffplug.spotless'
     spotless {
       java {
         googleJavaFormat()
@@ -117,9 +116,17 @@ task assembleJavadoc(type: Sync) {
   destinationDir = file("${rootProject.buildDir}/javadoc")
 }
 
+task checkJavaVersionBeforeRelease {
+  doFirst {
+    if (JavaVersion.current() != JavaVersion.VERSION_17) {
+      throw new RuntimeException('Release must be built using JDK 17. Current JDK version: ' + JavaVersion.current())
+    }
+  }
+}
+
 subprojects { project ->
 
-  if (project.plugins.hasPlugin('scala') && project.plugins.hasPlugin('com.diffplug.spotless')) {
+  if (project.plugins.hasPlugin('scala')) {
     project.scalafix {
       configFile = rootProject.file('scalafix.conf')
 
@@ -149,16 +156,19 @@ subprojects { project ->
     reproducibleFileOrder = true
   }
 
-  tasks.withType(Sign) {
-    it.dependsOn check
-  }
-
   tasks.withType(AbstractTestTask) {
     testLogging {
       showStandardStreams = isCiBuild
     }
   }
 
+  tasks.withType(AbstractCompile) { shouldRunAfter checkJavaVersionBeforeRelease }
+  tasks.withType(AbstractTestTask) { shouldRunAfter checkJavaVersionBeforeRelease }
+  tasks.withType(Sign) {
+    it.dependsOn check
+    dependsOn checkJavaVersionBeforeRelease
+  }
+
   if (project.hasProperty('publishMe') && project.publishMe) {
     task sourcesJar(type: Jar) {
       archiveClassifier = 'sources'
@@ -196,7 +206,7 @@ subprojects { project ->
   if (project.hasProperty('publishMe') && project.publishMe) {
 
     if (GitUtils.getGitCommit(projectDir) == null) {
-      throw new RuntimeException("Failed to get git commit ID");
+      throw new RuntimeException("Failed to get git commit ID")
     }
 
     publishing {

buildSrc/src/main/groovy/com/yubico/gradle/GitUtils.groovy

@@ -1,4 +1,4 @@
-package com.yubico.gradle;
+package com.yubico.gradle
 
 public class GitUtils {
 

buildSrc/src/main/groovy/com/yubico/gradle/pitest/tasks/PitestMergeTask.groovy

@@ -14,7 +14,7 @@ import org.gradle.api.tasks.TaskAction
 class PitestMergeTask extends DefaultTask {
 
   @OutputFile
-  def File destinationFile = project.file("${project.buildDir}/reports/pitest/mutations.xml")
+  File destinationFile = project.file("${project.buildDir}/reports/pitest/mutations.xml")
 
   PitestMergeTask() {
     project.subprojects.each { subproject ->
@@ -24,7 +24,7 @@ class PitestMergeTask extends DefaultTask {
     }
   }
 
-  def Set<File> findMutationsXmlFiles(File f, Set<File> found) {
+  Set<File> findMutationsXmlFiles(File f, Set<File> found) {
     if (f.isDirectory()) {
       Set<File> result = found
       for (File child : f.listFiles()) {