Release 1.12.4

Deprecated features:

- Option `RelyingParty.allowUnrequestedExtensions` deprecated. The `false`
  setting (default) is not compatible with WebAuthn Level 2 since authenticators
  are now always allowed to add unsolicited extensions. The next major version
  release will remove this option and always behave as if the option had been
  set to `true`.
- Enum value `AttestationType.ECDAA`. ECDAA was removed in WebAuthn Level 2.
- Function `TokenBindingStatus.fromJsonString(String)` deprecated. It should not
  have been part of the public API to begin with.

Author: emlun

.github/workflows/scan.yml

@@ -1,3 +1,17 @@
+== Version 1.12.4 ==
+
+Deprecated features:
+
+* Option `RelyingParty.allowUnrequestedExtensions` deprecated. The `false`
+  setting (default) is not compatible with WebAuthn Level 2 since authenticators
+  are now always allowed to add unsolicited extensions. The next major version
+  release will remove this option and always behave as if the option had been
+  set to `true`.
+* Enum value `AttestationType.ECDAA`. ECDAA was removed in WebAuthn Level 2.
+* Function `TokenBindingStatus.fromJsonString(String)` deprecated. It should not
+  have been part of the public API to begin with.
+
+
 == Version 1.12.3 ==
 
 Fixes:

NEWS

@@ -25,15 +25,15 @@ Maven:
 <dependency>
   <groupId>com.yubico</groupId>
   <artifactId>webauthn-server-core</artifactId>
-  <version>1.12.3</version>
+  <version>1.12.4</version>
   <scope>compile</scope>
 </dependency>
 ----------
 
 Gradle:
 
 ----------
-compile 'com.yubico:webauthn-server-core:1.12.3'
+compile 'com.yubico:webauthn-server-core:1.12.4'
 ----------
 
 === Semantic versioning

README

@@ -5,7 +5,7 @@ buildscript {
   dependencies {
     classpath 'com.cinnober.gradle:semver-git:2.5.0'
     classpath 'com.diffplug.spotless:spotless-plugin-gradle:6.3.0'
-    classpath 'io.github.cosmicsilence:gradle-scalafix:0.1.8'
+    classpath 'io.github.cosmicsilence:gradle-scalafix:0.1.13'
   }
 }
 plugins {
@@ -148,6 +148,12 @@ subprojects { project ->
   if (project.plugins.hasPlugin('scala')) {
     project.scalafix {
       configFile = rootProject.file('scalafix.conf')
+
+      // Work around dependency resolution issues in April 2022
+      semanticdb {
+        autoConfigure = true
+        version = '4.5.5'
+      }
     }
     dependencies.scalafix('com.github.liancheng:organize-imports_2.13:0.6.0')
     project.tasks.spotlessApply.dependsOn(project.tasks.scalafix)

build.gradle

@@ -319,8 +319,13 @@ public class RelyingParty {
    *
    * @see <a href="https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-extensions">§9. WebAuthn
    *     Extensions</a>
+   * @deprecated The <code>false</code> setting (default) is not compatible with WebAuthn Level 2
+   *     since authenticators are now always allowed to add unsolicited extensions. The next major
+   *     version release will remove this option and always behave as if the option had been set to
+   *     <code>
+   *     true</code>.
    */
-  @Builder.Default private final boolean allowUnrequestedExtensions = false;
+  @Deprecated @Builder.Default private final boolean allowUnrequestedExtensions = false;
 
   /**
    * If <code>false</code>, {@link #finishRegistration(FinishRegistrationOptions)

webauthn-server-core/src/main/java/com/yubico/webauthn/RelyingParty.java

@@ -32,6 +32,7 @@
 import java.util.stream.Stream;
 import lombok.AccessLevel;
 import lombok.AllArgsConstructor;
+import lombok.Getter;
 import lombok.NonNull;
 
 /**
@@ -77,25 +78,27 @@ public enum AttestationConveyancePreference implements JsonStringSerializable {
    */
   DIRECT("direct");
 
-  @NonNull private final String id;
+  @Getter @NonNull private final String value;
 
-  private static Optional<AttestationConveyancePreference> fromString(@NonNull String id) {
-    return Stream.of(values()).filter(v -> v.id.equals(id)).findAny();
+  private static Optional<AttestationConveyancePreference> fromString(@NonNull String value) {
+    return Stream.of(values()).filter(v -> v.value.equals(value)).findAny();
   }
 
   @JsonCreator
-  private static AttestationConveyancePreference fromJsonString(@NonNull String id) {
-    return fromString(id)
+  private static AttestationConveyancePreference fromJsonString(@NonNull String value) {
+    return fromString(value)
         .orElseThrow(
             () ->
                 new IllegalArgumentException(
                     String.format(
                         "Unknown %s value: %s",
-                        AttestationConveyancePreference.class.getSimpleName(), id)));
+                        AttestationConveyancePreference.class.getSimpleName(), value)));
   }
 
   @Override
+  @Deprecated
+  /** @deprecated Use {@link #getValue()} instead. */
   public String toJsonString() {
-    return id;
+    return value;
   }
 }

webauthn-server-core/src/main/java/com/yubico/webauthn/data/AttestationConveyancePreference.java

@@ -114,7 +114,9 @@ public enum AttestationType {
    * @see <a href=
    *     "https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-ecdaa-algorithm-v2.0-id-20180227.html">FIDO
    *     ECDAA Algorithm</a>
+   * @deprecated ECDAA was removed in WebAuthn Level 2.
    */
+  @Deprecated
   ECDAA,
 
   /**

webauthn-server-core/src/main/java/com/yubico/webauthn/data/AttestationType.java

@@ -31,6 +31,7 @@
 import java.util.Optional;
 import java.util.stream.Stream;
 import lombok.AllArgsConstructor;
+import lombok.Getter;
 import lombok.NonNull;
 
 /**
@@ -73,25 +74,27 @@ public enum AuthenticatorAttachment implements JsonStringSerializable {
    */
   PLATFORM("platform");
 
-  @NonNull private final String id;
+  @Getter @NonNull private final String value;
 
-  private static Optional<AuthenticatorAttachment> fromString(@NonNull String id) {
-    return Stream.of(values()).filter(v -> v.id.equals(id)).findAny();
+  private static Optional<AuthenticatorAttachment> fromString(@NonNull String value) {
+    return Stream.of(values()).filter(v -> v.value.equals(value)).findAny();
   }
 
   @JsonCreator
-  private static AuthenticatorAttachment fromJsonString(@NonNull String id) {
-    return fromString(id)
+  private static AuthenticatorAttachment fromJsonString(@NonNull String value) {
+    return fromString(value)
         .orElseThrow(
             () ->
                 new IllegalArgumentException(
                     String.format(
                         "Unknown %s value: %s",
-                        AuthenticatorAttachment.class.getSimpleName(), id)));
+                        AuthenticatorAttachment.class.getSimpleName(), value)));
   }
 
   @Override
+  @Deprecated
+  /** @deprecated Use {@link #getValue()} instead. */
   public String toJsonString() {
-    return id;
+    return value;
   }
 }

webauthn-server-core/src/main/java/com/yubico/webauthn/data/AuthenticatorAttachment.java

@@ -152,6 +152,8 @@ public static AuthenticatorTransport fromU2fTransport(Transport transport) {
   }
 
   @Override
+  @Deprecated
+  /** @deprecated Use {@link #getId()} instead. */
   public String toJsonString() {
     return id;
   }

webauthn-server-core/src/main/java/com/yubico/webauthn/data/AuthenticatorTransport.java

@@ -51,21 +51,21 @@ public final class ByteArray implements Comparable<ByteArray>, JsonStringSeriali
 
   @NonNull private final byte[] bytes;
 
-  @NonNull private final String base64;
+  @NonNull private final String base64url;
 
   /** Create a new instance by copying the contents of <code>bytes</code>. */
   public ByteArray(@NonNull byte[] bytes) {
     this.bytes = BinaryUtil.copy(bytes);
-    this.base64 = BASE64URL_ENCODER.encodeToString(this.bytes);
+    this.base64url = BASE64URL_ENCODER.encodeToString(this.bytes);
   }
 
-  private ByteArray(String base64) throws Base64UrlException {
+  private ByteArray(String base64url) throws Base64UrlException {
     try {
-      this.bytes = BASE64URL_DECODER.decode(base64);
+      this.bytes = BASE64URL_DECODER.decode(base64url);
     } catch (IllegalArgumentException e) {
-      throw new Base64UrlException("Invalid Base64Url encoding: " + base64, e);
+      throw new Base64UrlException("Invalid Base64Url encoding: " + base64url, e);
     }
-    this.base64 = base64;
+    this.base64url = base64url;
   }
 
   /** Create a new instance by decoding <code>base64</code> as classic Base64 data. */
@@ -74,13 +74,13 @@ public static ByteArray fromBase64(@NonNull final String base64) {
   }
 
   /**
-   * Create a new instance by decoding <code>base64</code> as Base64Url data.
+   * Create a new instance by decoding <code>base64url</code> as Base64Url data.
    *
-   * @throws Base64UrlException if <code>base64</code> is not valid Base64Url data.
+   * @throws Base64UrlException if <code>base64url</code> is not valid Base64Url data.
    */
   @JsonCreator
-  public static ByteArray fromBase64Url(@NonNull final String base64) throws Base64UrlException {
-    return new ByteArray(base64);
+  public static ByteArray fromBase64Url(@NonNull final String base64url) throws Base64UrlException {
+    return new ByteArray(base64url.split("=")[0]);
   }
 
   /**
@@ -122,9 +122,9 @@ public String getBase64() {
     return BASE64_ENCODER.encodeToString(bytes);
   }
 
-  /** @return the content bytes encoded as Base64Url data. */
+  /** @return the content bytes encoded as Base64Url data, without padding. */
   public String getBase64Url() {
-    return base64;
+    return base64url;
   }
 
   /** @return the content bytes encoded as hexadecimal data. */
@@ -133,10 +133,11 @@ public String getHex() {
     return BinaryUtil.toHex(bytes);
   }
 
-  /** Used by JSON serializer. */
   @Override
+  @Deprecated
+  /** @deprecated Use {@link #getBase64Url()} instead. */
   public String toJsonString() {
-    return base64;
+    return base64url;
   }
 
   @Override