Version 1.10.0

webauthn-server-attestation:

- Added attestation metadata for YubiKey Bio.

Author: emlun

NEWS

@@ -1,3 +1,10 @@
+== Version 1.10.0 ==
+
+webauthn-server-attestation:
+
+* Added attestation metadata for YubiKey Bio.
+
+
 == Version 1.9.1 ==
 
 * Added missing `<dependencyManagement>` declaration to

README

@@ -25,15 +25,15 @@ Maven:
 <dependency>
   <groupId>com.yubico</groupId>
   <artifactId>webauthn-server-core</artifactId>
-  <version>1.9.1</version>
+  <version>1.10.0</version>
   <scope>compile</scope>
 </dependency>
 ----------
 
 Gradle:
 
 ----------
-compile 'com.yubico:webauthn-server-core:1.9.1'
+compile 'com.yubico:webauthn-server-core:1.10.0'
 ----------
 
 === Semantic versioning
@@ -74,6 +74,8 @@ In addition to the main `webauthn-server-core` module, there are also:
 - Optionally integrates with a "metadata service" to verify
   https://www.w3.org/TR/webauthn/#sctn-attestation[authenticator attestations]
   and annotate responses with additional authenticator metadata
+- Reproducible builds: release signatures match fresh builds from source. See
+  link:#Building[Building] below.
 
 
 === Non-features
@@ -340,18 +342,25 @@ will have a plain `x.y.z` version number, while a build on any other commit will
 result in a version number containing the abbreviated commit hash.
 
 Starting in version `1.4.0-RC2`, artifacts are built reproducibly. Fresh builds from
-tagged commits should therefore be verifiable by signatures from Maven Central:
+tagged commits should therefore be verifiable by signatures from Maven Central
+and GitHub releases:
 
 ```
 $ git checkout 1.4.0-RC2
 $ ./gradlew :webauthn-server-core:jar
+
 $ wget https://repo1.maven.org/maven2/com/yubico/webauthn-server-core/1.4.0-RC2/webauthn-server-core-1.4.0-RC2.jar.asc
 $ gpg --verify webauthn-server-core-1.4.0-RC2.jar.asc webauthn-server-core/build/libs/webauthn-server-core-1.4.0-RC2.jar
+
+$ wget https://github.com/Yubico/java-webauthn-server/releases/download/1.4.0-RC2/webauthn-server-core-1.4.0-RC2.jar.asc
+$ gpg --verify webauthn-server-core-1.4.0-RC2.jar.asc webauthn-server-core/build/libs/webauthn-server-core-1.4.0-RC2.jar
 ```
 
 Note that building with a different JDK may produce a different artifact. To
 ensure binary reproducibility, please build with the same JDK as specified in
-the release notes.
+the release notes. Reproducible builds also require building from a Git
+repository, since the build embeds version number and Git commit ID into the
+built artifacts.
 
 Official Yubico software signing keys are listed on the
 https://developers.yubico.com/Software_Projects/Software_Signing.html[Yubico

build.gradle

@@ -4,7 +4,7 @@ buildscript {
   }
   dependencies {
     classpath 'com.cinnober.gradle:semver-git:2.5.0'
-    classpath 'com.diffplug.spotless:spotless-plugin-gradle:5.12.5'
+    classpath 'com.diffplug.spotless:spotless-plugin-gradle:5.14.1'
     classpath 'io.github.cosmicsilence:gradle-scalafix:0.1.8'
   }
 }
@@ -100,8 +100,7 @@ subprojects {
 
   repositories {
     mavenLocal()
-
-    maven { url "https://repo.maven.apache.org/maven2" }
+    mavenCentral()
   }
 
   spotless {
@@ -220,7 +219,7 @@ subprojects { project ->
     }
   }
 
-  if (publishEnabled && project.hasProperty('publishMe') && project.publishMe) {
+  if (project.hasProperty('publishMe') && project.publishMe) {
 
     apply plugin: 'maven-publish'
     apply plugin: 'signing'
@@ -267,56 +266,59 @@ subprojects { project ->
       }
     }
 
-    signing {
-      useGpgCmd()
-      sign publishing.publications.jars
+    if (publishEnabled) {
+      signing {
+        useGpgCmd()
+        sign publishing.publications.jars
+      }
     }
   }
+
 }
 
 // The root project has no sources, but the dependency platform also needs to be published as an artifact
 // See https://docs.gradle.org/current/userguide/java_platform_plugin.html
 // See https://github.com/Yubico/java-webauthn-server/issues/93#issuecomment-822806951
-if (publishEnabled) {
-  apply plugin: 'maven-publish'
-  apply plugin: 'signing'
-
-  publishing {
-    publications {
-      jars(MavenPublication) {
-        from components.javaPlatform
-
-        pom {
-          name = project.name
-          description = project.description
-          url = 'https://developers.yubico.com/java-webauthn-server/'
-
-          developers {
-            developer {
-              id = 'emil'
-              name = 'Emil Lundberg'
-              email = '[email protected]'
-            }
+apply plugin: 'maven-publish'
+apply plugin: 'signing'
+
+publishing {
+  publications {
+    jars(MavenPublication) {
+      from components.javaPlatform
+
+      pom {
+        name = project.name
+        description = project.description
+        url = 'https://developers.yubico.com/java-webauthn-server/'
+
+        developers {
+          developer {
+            id = 'emil'
+            name = 'Emil Lundberg'
+            email = '[email protected]'
           }
+        }
 
-          licenses {
-            license {
-              name = 'BSD-license'
-              comments = 'Revised 2-clause BSD license'
-            }
+        licenses {
+          license {
+            name = 'BSD-license'
+            comments = 'Revised 2-clause BSD license'
           }
+        }
 
-          scm {
-            url = 'scm:git:git://github.com/Yubico/java-webauthn-server.git'
-            connection = 'scm:git:git://github.com/Yubico/java-webauthn-server.git'
-            developerConnection = 'scm:git:ssh://[email protected]/Yubico/java-webauthn-server.git'
-            tag = 'HEAD'
-          }
+        scm {
+          url = 'scm:git:git://github.com/Yubico/java-webauthn-server.git'
+          connection = 'scm:git:git://github.com/Yubico/java-webauthn-server.git'
+          developerConnection = 'scm:git:ssh://[email protected]/Yubico/java-webauthn-server.git'
+          tag = 'HEAD'
         }
       }
     }
   }
+}
 
+if (publishEnabled) {
   signing {
     useGpgCmd()
     sign publishing.publications.jars

webauthn-server-attestation/src/main/resources/metadata.json

@@ -1,6 +1,6 @@
 {
   "identifier": "2fb54029-7613-4f1d-94f1-fb876c14a6fe",
-  "version": 15,
+  "version": 16,
   "vendorInfo": {
     "url": "https://yubico.com",
     "imageUrl": "https://developers.yubico.com/U2F/Images/yubico.png",
@@ -302,6 +302,24 @@
           }
         }
       ]
+    },
+
+    {
+      "deviceId": "1.3.6.1.4.1.41482.1.9",
+      "displayName": "YubiKey Bio",
+      "transports": 4,
+      "selectors": [
+        {
+          "type": "x509Extension",
+          "parameters": {
+            "key": "1.3.6.1.4.1.45724.1.1.4",
+            "value": {
+              "type": "hex",
+              "value": "d8522d9f575b486688a9ba99fa02f35b"
+            }
+          }
+        }
+      ]
     }
   ]
 }

webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/DeviceIdentificationSpec.scala

@@ -169,6 +169,14 @@ class DeviceIdentificationSpec extends FunSpec with Matchers {
           Set(USB, LIGHTNING),
         )
       }
+
+      it("a YubiKey Bio.") {
+        check(
+          "YubiKey Bio",
+          RealExamples.YubikeyBio_5_5_4,
+          Set(USB),
+        )
+      }
     }
 
     describe("fails to identify") {
@@ -293,6 +301,14 @@ class DeviceIdentificationSpec extends FunSpec with Matchers {
           Set(USB, LIGHTNING),
         )
       }
+
+      it("a YubiKey Bio.") {
+        check(
+          "YubiKey Bio",
+          RealExamples.YubikeyBio_5_5_4,
+          Set(USB),
+        )
+      }
     }
   }
 

webauthn-server-attestation/src/test/scala/com/yubico/webauthn/attestation/StandardMetadataServiceSpec.scala

@@ -24,7 +24,6 @@
 
 package com.yubico.webauthn.attestation
 
-import com.fasterxml.jackson.databind.node.JsonNodeFactory
 import com.yubico.internal.util.JacksonCodecs
 import com.yubico.internal.util.scala.JavaConverters._
 import com.yubico.webauthn.TestAuthenticator
@@ -46,8 +45,6 @@ import scala.jdk.CollectionConverters._
 @RunWith(classOf[JUnitRunner])
 class StandardMetadataServiceSpec extends FunSpec with Matchers {
 
-  private def jsonFactory: JsonNodeFactory = JsonNodeFactory.instance
-
   private val TRANSPORTS_EXT_OID = "1.3.6.1.4.1.45724.2.1.1"
 
   private val ooidA = "1.3.6.1.4.1.41482.1.1"
@@ -109,10 +106,6 @@ class StandardMetadataServiceSpec extends FunSpec with Matchers {
         caCertAndKey = Some((caCert, caKey)),
         extensions = List((ooidB, false, new DEROctetString(Array[Byte]()))),
       )
-      val (unknownCert, _) = TestAuthenticator.generateAttestationCertificate(
-        name = new X500Name("CN=Unknown Cert"),
-        extensions = List((ooidA, false, new DEROctetString(Array[Byte]()))),
-      )
 
       val metadataJson =
         s"""{

webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyAssertionSpec.scala

@@ -121,18 +121,18 @@ class RelyingPartyAssertionSpec
 
   }
 
-  private def getUserHandleIfDefault(
+  private def getUserHandleIfDefaultUsername(
       username: String,
-      userHandle: ByteArray = Defaults.userHandle,
+      userHandle: ByteArray,
   ): Optional[ByteArray] =
     if (username == Defaults.username)
       Some(userHandle).asJava
     else
       ???
 
-  private def getUsernameIfDefault(
+  private def getUsernameIfDefaultUserHandle(
       userHandle: ByteArray,
-      username: String = Defaults.username,
+      username: String,
   ): Optional[String] =
     if (userHandle == Defaults.userHandle)
       Some(username).asJava
@@ -242,10 +242,16 @@ class RelyingPartyAssertionSpec
           override def getCredentialIdsForUsername(username: String) = ???
           override def getUserHandleForUsername(username: String)
               : Optional[ByteArray] =
-            getUserHandleIfDefault(username, userHandle = userHandleForUser)
+            getUserHandleIfDefaultUsername(
+              username,
+              userHandle = userHandleForUser,
+            )
           override def getUsernameForUserHandle(userHandle: ByteArray)
               : Optional[String] =
-            getUsernameIfDefault(userHandle, username = usernameForUser)
+            getUsernameIfDefaultUserHandle(
+              userHandle,
+              username = usernameForUser,
+            )
         }
       )
       .preferredPubkeyParams(Nil.asJava)