
Commit 4ddf825

Merge branch 'release-2.1.0'
2 parents 70d6d17 + 85a4148 commit 4ddf825


60 files changed

+5270
-1958
lines changed

Lines changed: 57 additions & 18 deletions
@@ -1,14 +1,42 @@
11
name: Reproducible binary
22

3+
# This workflow waits for release signatures to appear on Maven Central,
4+
# then rebuilds the artifacts and verifies them against those signatures,
5+
# and finally uploads the signatures to the GitHub release.
6+
37
on:
48
release:
5-
types: [published, created, edited, prereleased]
9+
types: [published, edited]
610

711
jobs:
8-
verify:
9-
name: Verify signatures (JDK ${{matrix.java}})
12+
download:
13+
name: Download keys and signatures
14+
runs-on: ubuntu-latest
15+
16+
steps:
17+
- name: Fetch keys
18+
run: gpg --no-default-keyring --keyring ./yubico.keyring --keyserver hkps://keys.openpgp.org --recv-keys 57A9DEED4C6D962A923BB691816F3ED99921835E
1019

20+
- name: Download signatures from Maven Central
21+
timeout-minutes: 60
22+
run: |
23+
until wget https://repo1.maven.org/maven2/com/yubico/webauthn-server-attestation/${{ github.ref_name }}/webauthn-server-attestation-${{ github.ref_name }}.jar.asc; do sleep 180; done
24+
until wget https://repo1.maven.org/maven2/com/yubico/webauthn-server-core/${{ github.ref_name }}/webauthn-server-core-${{ github.ref_name }}.jar.asc; do sleep 180; done
25+
26+
- name: Store keyring and signatures as artifact
27+
uses: actions/upload-artifact@v3
28+
with:
29+
name: keyring-and-signatures
30+
retention-days: 1
31+
path: |
32+
yubico.keyring
33+
*.jar.asc
34+
35+
verify:
36+
name: Verify signatures (JDK ${{ matrix.java }} ${{ matrix.distribution }})
37+
needs: download
1138
runs-on: ubuntu-latest
39+
1240
strategy:
1341
matrix:
1442
java: [17]
@@ -17,6 +45,8 @@ jobs:
1745
steps:
1846
- name: check out code
1947
uses: actions/checkout@v3
48+
with:
49+
ref: ${{ github.ref_name }}
2050

2151
- name: Set up JDK
2252
uses: actions/setup-java@v3
@@ -29,25 +59,34 @@ jobs:
2959
java --version
3060
./gradlew jar
3161
32-
- name: Fetch keys
33-
run: gpg --no-default-keyring --keyring yubico --keyserver hkps://keys.openpgp.org --recv-keys 57A9DEED4C6D962A923BB691816F3ED99921835E
62+
- name: Retrieve keyring and signatures
63+
uses: actions/download-artifact@v3
64+
with:
65+
name: keyring-and-signatures
3466

35-
- name: Verify signatures from GitHub release
67+
- name: Verify signatures from Maven Central
3668
run: |
37-
export TAGNAME=${GITHUB_REF#refs/tags/}
69+
gpg --no-default-keyring --keyring ./yubico.keyring --verify webauthn-server-attestation-${{ github.ref_name }}.jar.asc webauthn-server-attestation/build/libs/webauthn-server-attestation-${{ github.ref_name }}.jar
70+
gpg --no-default-keyring --keyring ./yubico.keyring --verify webauthn-server-core-${{ github.ref_name }}.jar.asc webauthn-server-core/build/libs/webauthn-server-core-${{ github.ref_name }}.jar
3871
39-
wget https://github.com/${GITHUB_REPOSITORY}/releases/download/${TAGNAME}/webauthn-server-attestation-${TAGNAME}.jar.asc
40-
wget https://github.com/${GITHUB_REPOSITORY}/releases/download/${TAGNAME}/webauthn-server-core-${TAGNAME}.jar.asc
72+
upload:
73+
name: Upload signatures to GitHub
74+
needs: verify
75+
runs-on: ubuntu-latest
4176

42-
gpg --no-default-keyring --keyring yubico --verify webauthn-server-attestation-${TAGNAME}.jar.asc webauthn-server-attestation/build/libs/webauthn-server-attestation-${TAGNAME}.jar
43-
gpg --no-default-keyring --keyring yubico --verify webauthn-server-core-${TAGNAME}.jar.asc webauthn-server-core/build/libs/webauthn-server-core-${TAGNAME}.jar
77+
permissions:
78+
contents: write # Allow uploading release artifacts
4479

45-
- name: Verify signatures from Maven Central
46-
run: |
47-
export TAGNAME=${GITHUB_REF#refs/tags/}
80+
steps:
81+
- name: Retrieve signatures
82+
uses: actions/download-artifact@v3
83+
with:
84+
name: keyring-and-signatures
4885

49-
wget -O webauthn-server-core-${TAGNAME}.jar.mavencentral.asc https://repo1.maven.org/maven2/com/yubico/webauthn-server-core/${TAGNAME}/webauthn-server-core-${TAGNAME}.jar.asc
50-
wget -O webauthn-server-attestation-${TAGNAME}.jar.mavencentral.asc https://repo1.maven.org/maven2/com/yubico/webauthn-server-attestation/${TAGNAME}/webauthn-server-attestation-${TAGNAME}.jar.asc
86+
- name: Upload signatures to GitHub
87+
run: |
88+
RELEASE_DATA=$(curl -H "Authorization: Bearer ${{ github.token }}" ${{ github.api_url }}/repos/${{ github.repository }}/releases/tags/${{ github.ref_name }})
89+
UPLOAD_URL=$(jq -r .upload_url <<<"${RELEASE_DATA}" | sed 's/{?name,label}//')
5190
52-
gpg --no-default-keyring --keyring yubico --verify webauthn-server-attestation-${TAGNAME}.jar.mavencentral.asc webauthn-server-attestation/build/libs/webauthn-server-attestation-${TAGNAME}.jar
53-
gpg --no-default-keyring --keyring yubico --verify webauthn-server-core-${TAGNAME}.jar.mavencentral.asc webauthn-server-core/build/libs/webauthn-server-core-${TAGNAME}.jar
91+
curl -X POST -H "Authorization: Bearer ${{ github.token }}" -H 'Content-Type: text/plain' --data-binary @webauthn-server-attestation-${{ github.ref_name }}.jar.asc "${UPLOAD_URL}?name=webauthn-server-attestation-${{ github.ref_name }}.jar.asc"
92+
curl -X POST -H "Authorization: Bearer ${{ github.token }}" -H 'Content-Type: text/plain' --data-binary @webauthn-server-core-${{ github.ref_name }}.jar.asc "${UPLOAD_URL}?name=webauthn-server-core-${{ github.ref_name }}.jar.asc"
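Review bot: The three `curl` calls in the new `Upload signatures to GitHub` step run without `--fail`, so an HTTP error is not a step failure: if the releases lookup returns 4xx the error body lands in `RELEASE_DATA`, `jq -r .upload_url` yields `null` and the failure surfaces later as a confusing connection error on a `null?name=…` URL, while a 4xx on either POST (for example when an asset of that name already exists) exits 0 and the job reports success with nothing uploaded. Add `--fail -sS` to all three invocations, e.g. `RELEASE_DATA=$(curl --fail -sS -H "Authorization: Bearer ${{ github.token }}" ${{ github.api_url }}/repos/${{ github.repository }}/releases/tags/${{ github.ref_name }})`. Separately, `${{ github.ref_name }}` is expanded directly into the script text of several `run:` steps in this hunk and the first one; passing it through `env:` and referencing `"$TAG"` keeps the tag name out of the shell source, which is the usual hardening for expressions inside `run:`. Since `permissions` is declared only on the `upload` job, `download` and `verify` keep the repository's default token permissions; a workflow-level `permissions: contents: read` would scope those two jobs down to what they need.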

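--- a/NEWS
+++ b/NEWS
@@ -1,15 +1,63 @@
 == Version 2.1.0 (unreleased) ==
 
+`webauthn-server-core`:
+
 Changes:
 
 * Log messages on attestation certificate path validation failure now include
 the attestation object.
 
+Deprecations:
+
+* Deprecated method `AssertionResult.getCredentialId(): ByteArray`. Use
+`.getCredential().getCredentialId()` instead.
+* Deprecated method `AssertionResult.getUserHandle(): ByteArray`. Use
+`.getCredential().getUserHandle()` instead.
+
+New features:
+
+* Added method `FidoMetadataDownloader.refreshBlob()`.
+* Added function `COSEAlgorithmIdentifier.fromPublicKey(ByteArray)`.
+* Added method `AssertionResult.getCredential(): RegisteredCredential`.
+* Added support for the `"tpm"` attestation statement format.
+* Added support for ES384 and ES512 signature algorithms.
+* Added property `policyTreeValidator` to `TrustRootsResult`. If set, the given
+predicate function will be used to validate the certificate policy tree after
+successful attestation certificate path validation. This may be required for
+some JCA providers to accept attestation certificates with critical
+certificate policy extensions. See the JavaDoc for
+`TrustRootsResultBuilder.policyTreeValidator(Predicate)` for more information.
+* Added enum value `AttestationConveyancePreference.ENTERPRISE`.
+* (Experimental) Added constant `AuthenticatorTransport.HYBRID`.
+
 Fixes:
 
 * Fixed various typos and mistakes in JavaDocs.
 * Moved version constraints for test dependencies from meta-module
 `webauthn-server-parent` to unpublished test meta-module.
+* `yubico-util` dependency removed from downstream compile scope.
+* Fixed missing JavaDoc on `TrustRootsResult` getters and builder setters.
+
+
+`webauthn-server-attestation`:
+
+Changes:
+
+* The `AuthenticatorToBeFiltered` argument of the `FidoMetadataService` runtime
+filter now omits zero AAGUIDs.
+* Promoted log messages in `FidoMetadataDownloader` about BLOB signature failure
+and cache corruption from DEBUG level to WARN level.
+
+Fixes:
+
+* Fixed various typos and mistakes in JavaDocs.
+* `FidoMetadataDownloader` now verifies the SHA-256 hash of the cached trust
+root certificate, as promised in the JavaDoc of `useTrustRootCacheFile` and
+`useTrustRootCache`.
+* BouncyCastle dependency dropped.
+* Guava dependency dropped (but still remains in core module).
+* If BLOB download fails, `FidoMetadataDownloader` now correctly falls back to
+cache if available.
 
 
 == Version 2.0.0 ==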

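--- a/README
+++ b/README
@@ -60,7 +60,8 @@ The library will log warnings if you try to configure it for algorithms with no
 This library uses link:https://semver.org/[semantic versioning].
 The public API consists of all public classes, methods and fields in the `com.yubico.webauthn` package and its subpackages,
 i.e., everything covered by the
-link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/package-summary.html[Javadoc].
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/package-summary.html[Javadoc],
+*with the exception* of things annotated with `@Deprecated`.
 
 Package-private classes and methods are NOT part of the public API.
 The `com.yubico:yubico-util` module is NOT part of the public API.
@@ -624,6 +625,21 @@ The link:webauthn-server-attestation[`webauthn-server-attestation` module]
 provides optional additional features for working with attestation.
 See the module documentation for more details.
 
+Alternatively, you can use the
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/attestation/AttestationTrustSource.html[`AttestationTrustSource`]
+interface to implement your own source of attestation root certificates
+and set it as the
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/RelyingParty.RelyingPartyBuilder.html#attestationTrustSource(com.yubico.webauthn.attestation.AttestationTrustSource)[`attestationTrustSource`]
+for your
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/RelyingParty.html[`RelyingParty`]
+instance.
+Note that depending on your JCA provider configuration, you may need to set the
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/attestation/AttestationTrustSource.TrustRootsResult.TrustRootsResultBuilder.html#enableRevocationChecking(boolean)[`enableRevocationChecking`]
+and/or
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/attestation/AttestationTrustSource.TrustRootsResult.TrustRootsResultBuilder.html#policyTreeValidator(java.util.function.Predicate)[`policyTreeValidator`]
+settings for compatibility with some authenticators' attestation certificates.
+See the JavaDoc for these settings for more information.
+
 
 == Building
 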
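--- a/build.gradle
+++ b/build.gradle
@@ -18,7 +18,7 @@ plugins {
 
 import io.franzbecker.gradle.lombok.LombokPlugin
 import io.franzbecker.gradle.lombok.task.DelombokTask
-import com.yubico.gradle.GitUtils;
+import com.yubico.gradle.GitUtils
 
 rootProject.description = "Metadata root for the com.yubico:webauthn-server-* module family"
 
@@ -52,12 +52,10 @@ dependencies {
 api('com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:[2.13.2,3)')
 api('com.fasterxml.jackson.datatype:jackson-datatype-jdk8:[2.13.2,3)')
 api('com.fasterxml.jackson.datatype:jackson-datatype-jsr310:[2.13.2,3)')
-api('com.google.guava:guava:[24.1.1,31)')
+api('com.google.guava:guava:[24.1.1,32)')
 api('com.upokecenter:cbor:[4.5.1,5)')
-api('org.apache.httpcomponents:httpclient:[4.5.2,5)')
-api('org.bouncycastle:bcpkix-jdk15on:[1.62,2)')
-api('org.bouncycastle:bcprov-jdk15on:[1.62,2)')
-api('org.slf4j:slf4j-api:[1.7.25,2)')
+api('org.apache.httpcomponents.client5:httpclient5:[5.0.0,6)')
+api('org.slf4j:slf4j-api:[1.7.25,3)')
 }
 }
 
@@ -94,7 +92,8 @@ subprojects {
 mavenCentral()
 }
 
-if (project.plugins.hasPlugin('com.diffplug.spotless')) {
+if (project !== project(':test-platform')) {
+apply plugin: 'com.diffplug.spotless'
 spotless {
 java {
 googleJavaFormat()
@@ -117,9 +116,17 @@ task assembleJavadoc(type: Sync) {
 destinationDir = file("${rootProject.buildDir}/javadoc")
 }
 
+task checkJavaVersionBeforeRelease {
+doFirst {
+if (JavaVersion.current() != JavaVersion.VERSION_17) {
+throw new RuntimeException('Release must be built using JDK 17. Current JDK version: ' + JavaVersion.current())
+}
+}
+}
+
 subprojects { project ->
 
-if (project.plugins.hasPlugin('scala') && project.plugins.hasPlugin('com.diffplug.spotless')) {
+if (project.plugins.hasPlugin('scala')) {
 project.scalafix {
 configFile = rootProject.file('scalafix.conf')
 
@@ -149,16 +156,19 @@ subprojects { project ->
 reproducibleFileOrder = true
 }
 
-tasks.withType(Sign) {
-it.dependsOn check
-}
-
 tasks.withType(AbstractTestTask) {
 testLogging {
 showStandardStreams = isCiBuild
 }
 }
 
+tasks.withType(AbstractCompile) { shouldRunAfter checkJavaVersionBeforeRelease }
+tasks.withType(AbstractTestTask) { shouldRunAfter checkJavaVersionBeforeRelease }
+tasks.withType(Sign) {
+it.dependsOn check
+dependsOn checkJavaVersionBeforeRelease
+}
+
 if (project.hasProperty('publishMe') && project.publishMe) {
 task sourcesJar(type: Jar) {
 archiveClassifier = 'sources'
@@ -196,7 +206,7 @@ subprojects { project ->
 if (project.hasProperty('publishMe') && project.publishMe) {
 
 if (GitUtils.getGitCommit(projectDir) == null) {
-throw new RuntimeException("Failed to get git commit ID");
+throw new RuntimeException("Failed to get git commit ID")
 }
 
 publishing {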
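Review bot: The widened constraints in the `dependencies` hunk (`guava:[24.1.1,32)`, `httpclient5:[5.0.0,6)`, `slf4j-api:[1.7.25,3)`) keep open upper bounds, so the resolved versions depend on what Maven Central holds at build time; unless a dependency lockfile is committed (none is visible in this commit), two builds of the same release tag can resolve different dependency sets, which works against the `Reproducible binary` verification this merge also reworks. Enabling Gradle dependency locking (`dependencyLocking { lockAllConfigurations() }` with committed `gradle.lockfile`s) or pinning the constraints would make the resolved set part of the tagged source. The slf4j bound `[1.7.25,3)` now admits SLF4J 2.x, whose provider binding differs from 1.7.x as far as I know, so consumers still on a 1.7 binding may silently lose logging; a comment such as `// 2.x allowed intentionally; 1.7.x bindings are not compatible with the 2.x API` next to that constraint would record that this is deliberate.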

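--- a/buildSrc/src/main/groovy/com/yubico/gradle/GitUtils.groovy
+++ b/buildSrc/src/main/groovy/com/yubico/gradle/GitUtils.groovy
@@ -1,4 +1,4 @@
-package com.yubico.gradle;
+package com.yubico.gradle
 
 public class GitUtils {
 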
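--- a/buildSrc/src/main/groovy/com/yubico/gradle/pitest/tasks/PitestMergeTask.groovy
+++ b/buildSrc/src/main/groovy/com/yubico/gradle/pitest/tasks/PitestMergeTask.groovy
@@ -14,7 +14,7 @@ import org.gradle.api.tasks.TaskAction
 class PitestMergeTask extends DefaultTask {
 
 @OutputFile
-def File destinationFile = project.file("${project.buildDir}/reports/pitest/mutations.xml")
+File destinationFile = project.file("${project.buildDir}/reports/pitest/mutations.xml")
 
 PitestMergeTask() {
 project.subprojects.each { subproject ->
@@ -24,7 +24,7 @@ class PitestMergeTask extends DefaultTask {
 }
 }
 
-def Set<File> findMutationsXmlFiles(File f, Set<File> found) {
+Set<File> findMutationsXmlFiles(File f, Set<File> found) {
 if (f.isDirectory()) {
 Set<File> result = found
 for (File child : f.listFiles()) {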
