Release 2.4.0

`webauthn-server-core`: New features: - Added support for RS384 and RS512 signature algorithms. - Thanks to GitHub user JohnnyJayJay for the contribution, see #235 - Added `userHandle` field to `AssertionRequest` as part of the second bug fix below. `userHandle` is mutually exclusive with `username`. This was originally released in pre-release `1.12.3-RC3`, but was accidentally left out of the `1.12.3` release. Fixes: - During `RelyingParty.finishRegistration()` if an `attestationTrustSource` is configured, if the `aaguid` in the authenticator data is zero, the call to `AttestationTrustSource.findTrustRoots` will fall back to reading the AAGUID from the attestation certificate if possible. - Fixed bug in `RelyingParty.finishAssertion` where if `StartAssertionOptions.userHandle` was set, it did not propagate to `RelyingParty.finishAssertion` and caused an error saying username and user handle are both absent unless a user handle was returned by the authenticator. This was originally released in pre-release `1.12.3-RC3`, but was accidentally left out of the `1.12.3` release. - Fixed regression in `PublicKeyCredentialCreationOptions.toCredentialsCreateJson()`, which has not been emitting a `requireResidentKey` member since version `2.0.0`. This meant the JSON output was not backwards compatible with browsers that only support the Level 1 version of the WebAuthn spec. `webauthn-server-attestation`: Fixes: - `findEntries` and `findTrustRoots` methods in `FidoMetadataService` now attempt to read AAGUID from the attestation certificate if the `aaguid` argument is absent or zero. - Method `FidoMetadataService.Filters.allOf` now has `@SafeVarargs` annotation.
Yubico · Feb 15, 2023 · 479492c · 479492c · github-actions · Feb 15, 2023
2 parents 424520f + 547389b
commit 479492c
Show file tree

Hide file tree

Showing 66 changed files with 2,400 additions and 1,499 deletions.
diff --git a/.github/actions/pit-results-comment/action.yml b/.github/actions/pit-results-comment/action.yml
@@ -49,7 +49,7 @@ runs:
           cp "${NEW_STATS_FILE}" "${PREV_STATS_FILE}"
         fi
 
-        ./.github/actions/pit-results-comment/stats-to-comment.sh "${PREV_STATS_FILE}" "${NEW_STATS_FILE}" "${{ inputs.prev-commit }}" > "${RESULTS_COMMENT_FILE}"
+        ./.github/actions/pit-results-comment/stats-to-comment.sh "${PREV_STATS_FILE}" "${NEW_STATS_FILE}" "${{ inputs.prev-commit }}" "${{ github.sha }}" > "${RESULTS_COMMENT_FILE}"
 
         curl -X POST \
            -H "Authorization: Bearer ${{ inputs.token }}" \

diff --git a/.github/actions/pit-results-comment/stats-to-comment.sh b/.github/actions/pit-results-comment/stats-to-comment.sh
@@ -63,10 +63,17 @@ EOF
     "${1}" "${2}" --raw-output
 
   if [[ -n "${3}" ]]; then
-    cat << EOF
+    if [[ -n "${4}" ]]; then
+      cat << EOF
+
+Previous run: ${3} - [Diff](/${GITHUB_REPOSITORY}/compare/${3}...${4})
+EOF
+    else
+      cat << EOF
 
 Previous run: ${3}
 EOF
+    fi
 
     cat << EOF
 

diff --git a/NEWS b/NEWS
@@ -1,3 +1,46 @@
+== Version 2.4.0 ==
+
+`webauthn-server-core`:
+
+New features:
+
+* Added support for RS384 and RS512 signature algorithms.
+ ** Thanks to GitHub user JohnnyJayJay for the contribution, see
+    https://github.com/Yubico/java-webauthn-server/pull/235
+* Added `userHandle` field to `AssertionRequest` as part of the second bug fix
+  below. `userHandle` is mutually exclusive with `username`. This was originally
+  released in pre-release `1.12.3-RC3`, but was accidentally left out of the
+  `1.12.3` release.
+
+Fixes:
+
+* During `RelyingParty.finishRegistration()` if an `attestationTrustSource` is
+  configured, if the `aaguid` in the authenticator data is zero, the call to
+  `AttestationTrustSource.findTrustRoots` will fall back to reading the AAGUID
+  from the attestation certificate if possible.
+* Fixed bug in `RelyingParty.finishAssertion` where if
+  `StartAssertionOptions.userHandle` was set, it did not propagate to
+  `RelyingParty.finishAssertion` and caused an error saying username and user
+  handle are both absent unless a user handle was returned by the authenticator.
+  This was originally released in pre-release `1.12.3-RC3`, but was accidentally
+  left out of the `1.12.3` release.
+* Fixed regression in
+  `PublicKeyCredentialCreationOptions.toCredentialsCreateJson()`, which has not
+  been emitting a `requireResidentKey` member since version `2.0.0`. This meant
+  the JSON output was not backwards compatible with browsers that only support
+  the Level 1 version of the WebAuthn spec.
+
+
+`webauthn-server-attestation`:
+
+Fixes:
+
+* `findEntries` and `findTrustRoots` methods in `FidoMetadataService` now
+  attempt to read AAGUID from the attestation certificate if the `aaguid`
+  argument is absent or zero.
+* Method `FidoMetadataService.Filters.allOf` now has `@SafeVarargs` annotation.
+
+
 == Version 2.3.0 ==
 
 New features:

diff --git a/README b/README
diff --git a/build.gradle b/build.gradle
@@ -4,7 +4,7 @@ buildscript {
   }
   dependencies {
     classpath 'com.cinnober.gradle:semver-git:2.5.0'
-    classpath 'com.diffplug.spotless:spotless-plugin-gradle:6.12.1'
+    classpath 'com.diffplug.spotless:spotless-plugin-gradle:6.13.0'
     classpath 'io.github.cosmicsilence:gradle-scalafix:0.1.13'
   }
 }
@@ -144,6 +144,8 @@ subprojects { project ->
   }
 
   tasks.withType(JavaCompile) {
+    options.compilerArgs += '-Xlint:unchecked'
+    options.deprecation = true
     options.encoding = 'UTF-8'
   }
   tasks.withType(ScalaCompile) {

diff --git a/doc/Migrating_from_v1.adoc b/doc/Migrating_from_v1.adoc
@@ -26,10 +26,12 @@ Here is a high-level outline of what needs to be updated:
 - Update `getUserVerification()` and `getResidentKey()` calls
   to expect `Optional` values.
 
-This migration guide is written for version `2.0.0` of the
+Although the next section references version `2.4.0-RC2` for reasons detailed there,
+this migration guide is written for version `2.0.0` of the
 `webauthn-server-core` module. Later `2.x` versions may introduce new features
-but should remain compatible without further changes; consult the release notes
-for a full list of new features.
+but should remain compatible without further changes; please consult the
+link:https://developers.yubico.com/java-webauthn-server/Release_Notes.html[release notes]
+for an up to date list of new features.
 
 
 == Replace dependency on `webauthn-server-core-minimal`
@@ -46,7 +48,7 @@ Maven example:
 -  <artifactId>webauthn-server-core-minimal</artifactId>
 -  <version>1.12.2</version>
 +  <artifactId>webauthn-server-core</artifactId>
-+  <version>2.0.0</version>
++  <version>2.4.0-RC2</version>
    <scope>compile</scope>
  </dependency>
 ----------
@@ -56,10 +58,30 @@ Gradle:
 [source,diff]
 ----------
 -compile 'com.yubico:webauthn-server-core-minimal:1.12.2'
-+compile 'com.yubico:webauthn-server-core:2.0.0'
++compile 'com.yubico:webauthn-server-core:2.4.0-RC2'
 ----------
 
 
+[WARNING]
+.*Backwards-incompatible regression in versions 2.0.0 to 2.4.0-RC1*
+==========
+Versions in the inclusive range `2.0.0` to `2.4.0-RC1` have
+a backwards-incompatible regression in
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/latest/com/yubico/webauthn/data/PublicKeyCredentialCreationOptions.html#toCredentialsCreateJson()[`PublicKeyCredentialCreationOptions.toCredentialsCreateJson()`]:
+When the
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.3.0/com/yubico/webauthn/StartRegistrationOptions.StartRegistrationOptionsBuilder.html#authenticatorSelection(com.yubico.webauthn.data.AuthenticatorSelectionCriteria)[`authenticatorSelection`].link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.3.0/com/yubico/webauthn/data/AuthenticatorSelectionCriteria.AuthenticatorSelectionCriteriaBuilder.html#residentKey(com.yubico.webauthn.data.ResidentKeyRequirement)[`residentKey`]
+parameter is set, a corresponding
+link:https://www.w3.org/TR/webauthn-2/#dom-authenticatorselectioncriteria-requireresidentkey[`requireResidentKey`]
+member is not emitted in the JSON output.
+This is not backwards compatible with browsers that only support the
+link:https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#authenticatorSelection[Level 1 version of the WebAuthn spec].
+The regression is fixed in version `2.4.0-RC2` and greater.
+We therefore urge users to upgrade from versions `1.x` directly to `2.4.0-RC2` or greater to maintain backwards compatibility.
+Please consult the link:https://developers.yubico.com/java-webauthn-server/Release_Notes.html[release notes]
+for an up to date list of additional changes and new features added since version `2.0.0`.
+==========
+
+
 == Add JCA provider for EdDSA
 
 The library no longer depends explicitly on BouncyCastle for cryptography back-ends.

diff --git a/doc/releasing.md b/doc/releasing.md
@@ -54,7 +54,7 @@ Release candidate versions
     - Note which JDK version was used to build the artifacts.
 
  7. Check that the ["Reproducible binary"
-    workflow](/Yubico/java-webauthn-server/actions/workflows/release-verify-signatures.yml)
+    workflow](https://github.com/Yubico/java-webauthn-server/actions/workflows/release-verify-signatures.yml)
     runs and succeeds.
 
 
@@ -133,5 +133,5 @@ Release versions
     - Note which JDK version was used to build the artifacts.
 
 12. Check that the ["Reproducible binary"
-    workflow](/Yubico/java-webauthn-server/actions/workflows/release-verify-signatures.yml)
+    workflow](https://github.com/Yubico/java-webauthn-server/actions/workflows/release-verify-signatures.yml)
     runs and succeeds.
Package	Coverage	Stats	Prev	Prev
Overall	81 % 🔻	1266 🔻 / 1559 🔹	83 %	1299 / 1559
`com.yubico.fido.metadata`	68 % 🔻	217 🔻 / 318 🔹	77 %	248 / 318
`com.yubico.internal.util`	47 % 🔹	57 🔹 / 120 🔹	47 %	57 / 120
`com.yubico.webauthn`	87 % 🔹	558 🔹 / 637 🔹	87 %	558 / 637
`com.yubico.webauthn.attestation`	92 % 🔹	13 🔹 / 14 🔹	92 %	13 / 14
`com.yubico.webauthn.data`	93 % 🔹	396 🔻 / 423 🔹	94 %	398 / 423
`com.yubico.webauthn.extension.appid`	100 % 🏆	13 🔹 / 13 🔹	100 %	13 / 13
`com.yubico.webauthn.extension.uvm`	50 % 🔹	12 🔹 / 24 🔹	50 %	12 / 24
`com.yubico.webauthn.meta`	0 % 🔹	0 🔹 / 10 🔹	0 %	0 / 10