Release 2.0.0

This release removes deprecated APIs and changes some defaults to better align with the L2 version of the WebAuthn spec. It also adds a new major feature: optional integration with the FIDO Metadata Service for retrieving authenticator metadata and attestation trust roots. See below for details. `webauthn-server-core`: Breaking changes: - Deleted deprecated `icon` field in `RelyingPartyIdentity` and `UserIdentity`, and its associated methods. - Deleted deprecated `AuthenticatorSelectionCriteria` methods `builder().requireResidentKey(boolean)` and `isRequireResidentKey()`. - `RelyingParty` parameter `allowUnrequestedExtensions` removed. The library will now always accept unrequested extensions. - Class `ClientAssertionExtensionOutputs` now silently ignores unknown extensions instead of rejecting them. - `webauthn-server-core-minimal` module deleted. - `webauthn-server-core` no longer depends on BouncyCastle and will no longer attempt to automatically fall back to it. Therefore, EdDSA keys are no longer supported by default in JDK 14 and earlier. The library will log warnings if configured for algorithms with no JCA provider available, in which case the dependent project may need to add additional dependencies and configure JCA providers externally. - Enum value `AttestationType.ECDAA` removed without replacement. - Deleted methods `RegistrationResult.getWarnings()` and `AssertionResult.getWarnings()` since they are now always empty. - Framework for attestation metadata has been fully overhauled. See the `webauthn-server-attestation` module documentation for the new ways to work with attestation metadata: - Deleted method `RegistrationResult.getAttestationMetadata()`. - Interface `MetadataService` replaced with `AttestationTrustSource`, and optional `RelyingParty` setting `.metadataService(MetadataService)` replaced with `.attestationTrustSource(AttestationTrustSource)`. - Deleted types `Attestation` and `Transport`. - Deleted method `AuthenticatorTransport.fromU2fTransport`. - `RelyingParty.finishRegistration()` now uses a JCA `CertPathValidator` to validate attestation certificate paths, if an attestation trust source has been configured. This requires a compatible JCA provider, but should already be available in most environments. - Classes in package `com.yubico.fido.metadata` moved to `com.yubico.webauthn.extension.uvm` to avoid name clash with `webauthn-server-attestation` module in JPMS. - Changed return type of `PublicKeyCredentialRequestOptions.getUserVerification()`, `AuthenticatorSelectionCriteria.getUserVerification()` and `AuthenticatorSelectionCriteria.getResidentKey()` to `Optional`, and changed defaults for `userVerification` and `residentKey` to empty. This means we won't inadvertently suppress warnings that browsers might issue in the browser console if for example `userVerification` is not set explicitly. New features: - Method `getAaguid()` added to `RegistrationResult`. - Method `getAttestationTrustPath()` added to `RegistrationResult`. - Setting `.clock(Clock)` added to `RelyingParty`. It is used for attestation path validation if an `attestationTrustSource` is configured. `webauthn-server-attestation`: Breaking changes: - Types `AttestationResolver`, `CompositeAttestationResolver`, `CompositeTrustResolver`, `DeviceMatcher`, `ExtensionMatcher`, `FingerprintMatcher`, `MetadataObject`, `SimpleAttestationResolver`, `SimpleTrustResolver`, `StandardMetadataService` and `TrustResolver` deleted in favour of a new attestation metadata framework. Some of the functionality is retained as the new `YubicoJsonMetadataService` class in the `webauthn-server-demo` subproject in the library sources, but no longer exposed in either library module. - Library no longer contains a `/metadata.json` resource. New features: - New types `FidoMetadataService` and `FidoMetadataDownloader` which integrate with the FIDO Metadata Service for retrieving authenticator metadata and attestation trust roots.
Yubico · May 2, 2022 · 16e0acb · 16e0acb
2 parents e95b7f6 + 012c356
commit 16e0acb
Show file tree

Hide file tree

Showing 179 changed files with 13,431 additions and 5,213 deletions.
diff --git a/.github/workflows/release-verify-signatures.yml b/.github/workflows/release-verify-signatures.yml
@@ -36,20 +36,16 @@ jobs:
 
         wget https://github.com/${GITHUB_REPOSITORY}/releases/download/${TAGNAME}/webauthn-server-attestation-${TAGNAME}.jar.asc
         wget https://github.com/${GITHUB_REPOSITORY}/releases/download/${TAGNAME}/webauthn-server-core-${TAGNAME}.jar.asc
-        wget https://github.com/${GITHUB_REPOSITORY}/releases/download/${TAGNAME}/webauthn-server-core-minimal-${TAGNAME}.jar.asc
 
         gpg --no-default-keyring --keyring yubico --verify webauthn-server-attestation-${TAGNAME}.jar.asc webauthn-server-attestation/build/libs/webauthn-server-attestation-${TAGNAME}.jar
-        gpg --no-default-keyring --keyring yubico --verify webauthn-server-core-${TAGNAME}.jar.asc webauthn-server-core-bundle/build/libs/webauthn-server-core-${TAGNAME}.jar
-        gpg --no-default-keyring --keyring yubico --verify webauthn-server-core-minimal-${TAGNAME}.jar.asc webauthn-server-core/build/libs/webauthn-server-core-minimal-${TAGNAME}.jar
+        gpg --no-default-keyring --keyring yubico --verify webauthn-server-core-${TAGNAME}.jar.asc webauthn-server-core/build/libs/webauthn-server-core-${TAGNAME}.jar
 
     - name: Verify signatures from Maven Central
       run: |
         export TAGNAME=${GITHUB_REF#refs/tags/}
 
         wget -O webauthn-server-core-${TAGNAME}.jar.mavencentral.asc https://repo1.maven.org/maven2/com/yubico/webauthn-server-core/${TAGNAME}/webauthn-server-core-${TAGNAME}.jar.asc
-        wget -O webauthn-server-core-minimal-${TAGNAME}.jar.mavencentral.asc https://repo1.maven.org/maven2/com/yubico/webauthn-server-core-minimal/${TAGNAME}/webauthn-server-core-minimal-${TAGNAME}.jar.asc
         wget -O webauthn-server-attestation-${TAGNAME}.jar.mavencentral.asc https://repo1.maven.org/maven2/com/yubico/webauthn-server-attestation/${TAGNAME}/webauthn-server-attestation-${TAGNAME}.jar.asc
 
         gpg --no-default-keyring --keyring yubico --verify webauthn-server-attestation-${TAGNAME}.jar.mavencentral.asc webauthn-server-attestation/build/libs/webauthn-server-attestation-${TAGNAME}.jar
-        gpg --no-default-keyring --keyring yubico --verify webauthn-server-core-${TAGNAME}.jar.mavencentral.asc webauthn-server-core-bundle/build/libs/webauthn-server-core-${TAGNAME}.jar
-        gpg --no-default-keyring --keyring yubico --verify webauthn-server-core-minimal-${TAGNAME}.jar.mavencentral.asc webauthn-server-core/build/libs/webauthn-server-core-minimal-${TAGNAME}.jar
+        gpg --no-default-keyring --keyring yubico --verify webauthn-server-core-${TAGNAME}.jar.mavencentral.asc webauthn-server-core/build/libs/webauthn-server-core-${TAGNAME}.jar
diff --git a/NEWS b/NEWS
@@ -1,3 +1,85 @@
+== Version 2.0.0 ==
+
+This release removes deprecated APIs and changes some defaults to better align
+with the L2 version of the WebAuthn spec. It also adds a new major feature:
+optional integration with the FIDO Metadata Service for retrieving authenticator
+metadata and attestation trust roots. See below for details.
+
+`webauthn-server-core`:
+
+Breaking changes:
+
+* Deleted deprecated `icon` field in `RelyingPartyIdentity` and `UserIdentity`,
+  and its associated methods.
+* Deleted deprecated `AuthenticatorSelectionCriteria` methods
+  `builder().requireResidentKey(boolean)` and `isRequireResidentKey()`.
+* `RelyingParty` parameter `allowUnrequestedExtensions` removed. The library
+  will now always accept unrequested extensions.
+* Class `ClientAssertionExtensionOutputs` now silently ignores unknown
+  extensions instead of rejecting them.
+* `webauthn-server-core-minimal` module deleted.
+* `webauthn-server-core` no longer depends on BouncyCastle and will no longer
+  attempt to automatically fall back to it. Therefore, EdDSA keys are no longer
+  supported by default in JDK 14 and earlier. The library will log warnings if
+  configured for algorithms with no JCA provider available, in which case the
+  dependent project may need to add additional dependencies and configure JCA
+  providers externally.
+* Enum value `AttestationType.ECDAA` removed without replacement.
+* Deleted methods `RegistrationResult.getWarnings()` and
+  `AssertionResult.getWarnings()` since they are now always empty.
+* Framework for attestation metadata has been fully overhauled. See the
+  `webauthn-server-attestation` module documentation for the new ways to work
+  with attestation metadata:
+ ** Deleted method `RegistrationResult.getAttestationMetadata()`.
+ ** Interface `MetadataService` replaced with `AttestationTrustSource`, and
+    optional `RelyingParty` setting `.metadataService(MetadataService)` replaced
+    with `.attestationTrustSource(AttestationTrustSource)`.
+ ** Deleted types `Attestation` and `Transport`.
+ ** Deleted method `AuthenticatorTransport.fromU2fTransport`.
+* `RelyingParty.finishRegistration()` now uses a JCA `CertPathValidator` to
+  validate attestation certificate paths, if an attestation trust source has
+  been configured. This requires a compatible JCA provider, but should already
+  be available in most environments.
+* Classes in package `com.yubico.fido.metadata` moved to
+  `com.yubico.webauthn.extension.uvm` to avoid name clash with
+  `webauthn-server-attestation` module in JPMS.
+* Changed return type of
+  `PublicKeyCredentialRequestOptions.getUserVerification()`,
+  `AuthenticatorSelectionCriteria.getUserVerification()` and
+  `AuthenticatorSelectionCriteria.getResidentKey()` to `Optional`, and changed
+  defaults for `userVerification` and `residentKey` to empty. This means we
+  won't inadvertently suppress warnings that browsers might issue in the browser
+  console if for example `userVerification` is not set explicitly.
+
+New features:
+
+* Method `getAaguid()` added to `RegistrationResult`.
+* Method `getAttestationTrustPath()` added to `RegistrationResult`.
+* Setting `.clock(Clock)` added to `RelyingParty`. It is used for attestation
+  path validation if an `attestationTrustSource` is configured.
+
+
+`webauthn-server-attestation`:
+
+Breaking changes:
+
+* Types `AttestationResolver`, `CompositeAttestationResolver`,
+  `CompositeTrustResolver`, `DeviceMatcher`, `ExtensionMatcher`,
+  `FingerprintMatcher`, `MetadataObject`, `SimpleAttestationResolver`,
+  `SimpleTrustResolver`, `StandardMetadataService` and `TrustResolver` deleted
+  in favour of a new attestation metadata framework. Some of the functionality
+  is retained as the new `YubicoJsonMetadataService` class in the
+  `webauthn-server-demo` subproject in the library sources, but no longer
+  exposed in either library module.
+* Library no longer contains a `/metadata.json` resource.
+
+New features:
+
+* New types `FidoMetadataService` and `FidoMetadataDownloader` which integrate
+  with the FIDO Metadata Service for retrieving authenticator metadata and
+  attestation trust roots.
+
+
 == Version 1.12.4 ==
 
 Deprecated features:

diff --git a/README b/README
@@ -14,6 +14,19 @@ for a server to support Web Authentication. This includes registering
 authenticators and authenticating registered authenticators.
 
 
+[WARNING]
+.*Psychic signatures in Java*
+==========
+In April 2022, link:https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/[CVE-2022-21449]
+was disclosed in Oracle's OpenJDK (and other JVMs derived from it) which can impact applications using java-webauthn-server.
+The impact is that for the most common type of WebAuthn credential, invalid signatures are accepted as valid,
+allowing authentication bypass for users with such a credential.
+Please read link:https://openjdk.java.net/groups/vulnerability/advisories/2022-04-19[Oracle's advisory]
+and make sure you are not using one of the impacted OpenJDK versions.
+If you are, we urge you to upgrade your Java deployment to a version that is safe.
+==========
+
+
 toc::[]
 
 
@@ -25,17 +38,22 @@ Maven:
 <dependency>
   <groupId>com.yubico</groupId>
   <artifactId>webauthn-server-core</artifactId>
-  <version>1.12.4</version>
+  <version>2.0.0</version>
   <scope>compile</scope>
 </dependency>
 ----------
 
 Gradle:
 
 ----------
-compile 'com.yubico:webauthn-server-core:1.12.4'
+compile 'com.yubico:webauthn-server-core:2.0.0'
 ----------
 
+NOTE: You may need additional dependencies with JCA providers to support some signature algorithms.
+In particular, OpenJDK 14 and earlier does not include providers for the EdDSA family of algorithms.
+The library will log warnings if you try to configure it for algorithms with no JCA provider available.
+
+
 === Semantic versioning
 
 This library uses link:https://semver.org/[semantic versioning].
@@ -50,16 +68,11 @@ Breaking changes to these will NOT be reflected in version numbers.
 
 === Additional modules
 
-In addition to the main `webauthn-server-core` module, there are also:
-
-- `webauthn-server-attestation`: A simple implementation of the
-  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core-minimal/latest/com/yubico/webauthn/attestation/MetadataService.html[`MetadataService`]
-  interface, which by default comes preloaded with attestation metadata for Yubico devices.
+In addition to the main `webauthn-server-core` module, there is also:
 
-- `webauthn-server-core-minimal`: Alternative distribution of `webauthn-server-core`,
-  not dependent on BouncyCastle.
-  Using it means you may have to add your own JCA providers to support some signature algorithms.
-  In particular, OpenJDK 14 and earlier does not include providers for the EdDSA family of algorithms.
+- `webauthn-server-attestation`: Integration with the https://fidoalliance.org/metadata/[FIDO Metadata Service]
+  for retrieving and selecting trust roots to use for verifying
+  https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-attestation[attestation statements].
 
 
 == Features
@@ -70,9 +83,8 @@ In addition to the main `webauthn-server-core` module, there are also:
   https://www.w3.org/TR/webauthn/#sctn-rp-operations[validation logic] on the
   response from the client
 - No mutable state or side effects - everything (except builders) is thread safe
-- Optionally integrates with a "metadata service" to verify
+- Optionally integrates with an "attestation trust source" to verify
   https://www.w3.org/TR/webauthn/#sctn-attestation[authenticator attestations]
-  and annotate responses with additional authenticator metadata
 - Reproducible builds: release signatures match fresh builds from source. See
   link:#reproducible-builds[Reproducible builds] below.
 
@@ -93,6 +105,11 @@ link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-
 for in-depth API documentation.
 
 
+== Migrating from version `1.x`
+
+See link:doc/Migrating_from_v1.adoc[the migration guide].
+
+
 == Getting started
 
 Using this library comes in two parts: the server side and the client side.
@@ -557,6 +574,19 @@ credentials.
 . Finally, the application reports success and resumes its business logic.
 
 
+== Using attestation
+
+WebAuthn supports
+link:https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-attestation[authenticator attestation],
+which provides a way for the web service
+to request cryptographic proof of what authenticator the user is using.
+Most services do not need this, and it is disabled by default.
+
+The link:webauthn-server-attestation[`webauthn-server-attestation` module]
+provides optional additional features for working with attestation.
+See the module documentation for more details.
+
+
 == Building
 
 Use the included

diff --git a/build.gradle b/build.gradle
@@ -4,7 +4,7 @@ buildscript {
   }
   dependencies {
     classpath 'com.cinnober.gradle:semver-git:2.5.0'
-    classpath 'com.diffplug.spotless:spotless-plugin-gradle:6.3.0'
+    classpath 'com.diffplug.spotless:spotless-plugin-gradle:6.5.1'
     classpath 'io.github.cosmicsilence:gradle-scalafix:0.1.13'
   }
 }
@@ -40,7 +40,7 @@ if (publishEnabled) {
 }
 
 wrapper {
-  gradleVersion = '7.2'
+  gradleVersion = '7.3'
 }
 
 dependencies {
@@ -49,6 +49,7 @@ dependencies {
     api('com.fasterxml.jackson.core:jackson-databind:[2.13.2.1,3)')
     api('com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:[2.13.2,3)')
     api('com.fasterxml.jackson.datatype:jackson-datatype-jdk8:[2.13.2,3)')
+    api('com.fasterxml.jackson.datatype:jackson-datatype-jsr310:[2.13.2,3)')
     api('com.fasterxml.jackson:jackson-bom') {
       version {
         strictly '[2.13.2.1,3)'
@@ -72,6 +73,7 @@ dependencies {
     api('org.scalacheck:scalacheck_2.13:[1.14.0,2)')
     api('org.scalatest:scalatest_2.13:[3.0.8,3.1)')
     api('org.slf4j:slf4j-api:[1.7.25,2)')
+    api('uk.org.lidalia:slf4j-test:[1.1.0,2)')
   }
 }
 
@@ -217,17 +219,6 @@ subprojects { project ->
       archiveClassifier = 'javadoc'
       from javadoc
     }
-
-    // TODO: Revert this if statement in the next major release
-    if (project.projectDir.name != "webauthn-server-core-bundle") {
-      rootProject.tasks.assembleJavadoc {
-        dependsOn javadoc
-        inputs.dir javadoc.destinationDir
-        from(javadoc.destinationDir) {
-          into project.projectDir.name
-        }
-      }
-    }
   }
 
   if (project.hasProperty('publishMe') && project.publishMe) {