Release 2.2.0

`webauthn-server-core`:

Changes:

- Changed internal structure of `RegistrationResult` and
  `AssertionResult`. This may affect you if you use Jackson or similar
  tools to serialize these values to JSON, for example. This is not an
  officially supported use case and thus does not warrant a major
  version bump.
- Removed methods `RegistrationResult.toBuilder()` and
  `AssertionResult.toBuilder()`. Both had package-private return
  types, and thus were not usable by outside callers.

New features:

- (Experimental) Added support for the new `BE` (backup eligible) and
  `BS` (backup state) flags in authenticator data:
  - NOTE: Experimental features may receive breaking changes without a
    major version increase.
  - Added `BE` and `BS` properties to `AuthenticatorDataFlags`,
    reflecting the respective flags (bits 0x08 and 0x10).
  - Added methods `isBackupEligible()` and `isBackedUp()` to
    `RegistrationResult` and `AssertionResult`, reflecting
    respectively the `BE` and `BS` flags.
  - Added properties `backupEligible` and `backupState`, getters
    `isBackupEligible()` and `isBackedUp()`, and corresponding builder
    methods to `RegisteredCredential`.
    `RelyingParty.finishAssertion(...)` will now validate that if
    `RegisteredCredential.isBackupEligible()` is present, then the
    `BE` flag of any assertion of that credential must match the
    stored value.

Fixes:

- Fixed TPM attestation verification rejecting attestation
  certificates with TPM Device Attributes split between multiple
  RelativeDistinguishedName structures in the Subject Alternative
  Names extension.
  - Thanks to Oussama Zgheb for the contribution, see
    #241
- Fixed various errors in JavaDoc.

`webauthn-server-attestation`:

Fixes:

- Improved documentation of guarantees provided by
  `FidoMetadataDownloader` and required of its parameters.

.github/workflows/release-verify-signatures.yml

@@ -6,7 +6,7 @@ name: Reproducible binary
 
 on:
   release:
-    types: [published, edited]
+    types: [published]
 
 jobs:
   download:

NEWS

@@ -1,3 +1,53 @@
+== Version 2.2.0 ==
+
+`webauthn-server-core`:
+
+Changes:
+
+* Changed internal structure of `RegistrationResult` and `AssertionResult`. This
+  may affect you if you use Jackson or similar tools to serialize these values
+  to JSON, for example. This is not an officially supported use case and thus
+  does not warrant a major version bump.
+* Removed methods `RegistrationResult.toBuilder()` and
+  `AssertionResult.toBuilder()`. Both had package-private return types, and thus
+  were not usable by outside callers.
+
+New features:
+
+* (Experimental) Added support for the new `BE` (backup eligible) and `BS`
+  (backup state) flags in authenticator data:
+ ** NOTE: Experimental features may receive breaking changes without a major
+    version increase.
+ ** Added `BE` and `BS` properties to `AuthenticatorDataFlags`, reflecting the
+    respective flags (bits 0x08 and 0x10).
+ ** Added methods `isBackupEligible()` and `isBackedUp()` to
+    `RegistrationResult` and `AssertionResult`, reflecting respectively the `BE`
+    and `BS` flags.
+ ** Added properties `backupEligible` and `backupState`, getters
+    `isBackupEligible()` and `isBackedUp()`, and corresponding builder methods
+    to `RegisteredCredential`. `RelyingParty.finishAssertion(...)` will now
+    validate that if `RegisteredCredential.isBackupEligible()` is present, then
+    the `BE` flag of any assertion of that credential must match the stored
+    value.
+
+Fixes:
+
+* Fixed TPM attestation verification rejecting attestation certificates with TPM
+  Device Attributes split between multiple RelativeDistinguishedName structures
+  in the Subject Alternative Names extension.
+ ** Thanks to Oussama Zgheb for the contribution, see
+    https://github.com/Yubico/java-webauthn-server/pull/241
+* Fixed various errors in JavaDoc.
+
+
+`webauthn-server-attestation`:
+
+Fixes:
+
+* Improved documentation of guaranteed provided by `FidoMetadataDownloader` and
+  required of its parameters.
+
+
 == Version 2.1.0 ==
 
 `webauthn-server-core`:
@@ -16,7 +66,6 @@ Deprecations:
 
 New features:
 
-* Added method `FidoMetadataDownloader.refreshBlob()`.
 * Added function `COSEAlgorithmIdentifier.fromPublicKey(ByteArray)`.
 * Added method `AssertionResult.getCredential(): RegisteredCredential`.
 * Added support for the `"tpm"` attestation statement format.
@@ -48,6 +97,10 @@ Changes:
 * Promoted log messages in `FidoMetadataDownloader` about BLOB signature failure
   and cache corruption from DEBUG level to WARN level.
 
+New features:
+
+* Added method `FidoMetadataDownloader.refreshBlob()`.
+
 Fixes:
 
 * Fixed various typos and mistakes in JavaDocs.

buildSrc/build.gradle.kts

@@ -7,6 +7,5 @@ repositories {
 }
 
 dependencies {
-  implementation("commons-io:commons-io:2.5")
-  implementation("info.solidsoft.gradle.pitest:gradle-pitest-plugin:1.5.1")
+  implementation("info.solidsoft.gradle.pitest:gradle-pitest-plugin:1.9.0")
 }

doc/Migrating_from_v1.adoc

@@ -21,11 +21,16 @@ Here is a high-level outline of what needs to be updated:
 - Remove uses of removed features.
 - Update uses of renamed and replaced features.
 - Replace any implementations of `MetadataService` with
-  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.1.0/com/yubico/webauthn/attestation/AttestationTrustSource.html[`AttestationTrustSource`].
+  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/attestation/AttestationTrustSource.html[`AttestationTrustSource`].
 - Rename imports of classes in `com.yubico.fido.metadata`.
 - Update `getUserVerification()` and `getResidentKey()` calls
   to expect `Optional` values.
 
+This migration guide is written for version `2.0.0` of the
+`webauthn-server-core` module. Later `2.x` versions may introduce new features
+but should remain compatible without further changes; consult the release notes
+for a full list of new features.
+
 
 == Replace dependency on `webauthn-server-core-minimal`
 
@@ -41,7 +46,7 @@ Maven example:
 -  <artifactId>webauthn-server-core-minimal</artifactId>
 -  <version>1.12.2</version>
 +  <artifactId>webauthn-server-core</artifactId>
-+  <version>2.1.0</version>
++  <version>2.0.0</version>
    <scope>compile</scope>
  </dependency>
 ----------
@@ -51,7 +56,7 @@ Gradle:
 [source,diff]
 ----------
 -compile 'com.yubico:webauthn-server-core-minimal:1.12.2'
-+compile 'com.yubico:webauthn-server-core:2.1.0'
++compile 'com.yubico:webauthn-server-core:2.0.0'
 ----------
 
 
@@ -85,7 +90,7 @@ implementation 'org.bouncycastle:bcprov-jdk15on:1.70'
 ----------
 
 Then set up the provider. This should be done before instantiating
-link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.1.0/com/yubico/webauthn/RelyingParty.html[`RelyingParty`].
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/RelyingParty.html[`RelyingParty`].
 
 Example:
 
@@ -102,9 +107,9 @@ Security.addProvider(new BouncyCastleProvider());
 Several fields, methods and settings have been removed:
 
 - The `icon` field in
-  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.1.0/com/yubico/webauthn/data/RelyingPartyIdentity.html[`RelyingPartyIdentity`]
+  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/data/RelyingPartyIdentity.html[`RelyingPartyIdentity`]
   and
-  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.1.0/com/yubico/webauthn/data/UserIdentity.html[`UserIdentity`],
+  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/data/UserIdentity.html[`UserIdentity`],
   and its associated methods.
   They were removed in WebAuthn Level 2 and have no replacement.
 +
@@ -127,7 +132,7 @@ Example:
 ----------
 
 - The setting `allowUnrequestedExtensions(boolean)` in
-  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.1.0/com/yubico/webauthn/RelyingParty.html[`RelyingParty`].
+  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/RelyingParty.html[`RelyingParty`].
 +
 WebAuthn Level 2 now recommends that unrequested extensions should be allowed,
 so this setting has been removed and is now always enabled.
@@ -207,11 +212,11 @@ Example:
 == Update uses of renamed and replaced features
 
 - Methods `requireResidentKey(boolean)` and `isRequireResidentKey()` in
-  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.1.0/com/yubico/webauthn/data/AuthenticatorSelectionCriteria.html[`AuthenticatorSelectionCriteria`]
+  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/data/AuthenticatorSelectionCriteria.html[`AuthenticatorSelectionCriteria`]
   have been replaced by
-  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.1.0/com/yubico/webauthn/data/AuthenticatorSelectionCriteria.AuthenticatorSelectionCriteriaBuilder.html#residentKey(com.yubico.webauthn.data.ResidentKeyRequirement)[`residentKey(ResidentKeyRequirement)`]
+  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/data/AuthenticatorSelectionCriteria.AuthenticatorSelectionCriteriaBuilder.html#residentKey(com.yubico.webauthn.data.ResidentKeyRequirement)[`residentKey(ResidentKeyRequirement)`]
   and
-  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.1.0/com/yubico/webauthn/data/AuthenticatorSelectionCriteria.html#getResidentKey()[`getResidentKey()`],
+  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/data/AuthenticatorSelectionCriteria.html#getResidentKey()[`getResidentKey()`],
   respectively.
 +
 Replace `requireResidentKey(false)`
@@ -262,17 +267,17 @@ Example:
 == Replace implementations of `MetadataService`
 
 The `MetadataService` interface has been replaced with
-link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.1.0/com/yubico/webauthn/attestation/AttestationTrustSource.html[`AttestationTrustSource`].
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/attestation/AttestationTrustSource.html[`AttestationTrustSource`].
 The new interface has some key differences:
 
 - `MetadataService` implementations were expected to validate
   the attestation certificate path.
   `AttestationTrustSource` implementations are not;
   instead they only need to retrieve the trust root certificates.
   The
-  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.1.0/com/yubico/webauthn/RelyingParty.html#finishRegistration(com.yubico.webauthn.FinishRegistrationOptions)[`RelyingParty.finishRegistration`]
+  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/RelyingParty.html#finishRegistration(com.yubico.webauthn.FinishRegistrationOptions)[`RelyingParty.finishRegistration`]
   method will perform certificate path validation internally and report the result via
-  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.1.0/com/yubico/webauthn/RegistrationResult.html#isAttestationTrusted()[`RegistrationResult.isAttestationTrusted()`].
+  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/RegistrationResult.html#isAttestationTrusted()[`RegistrationResult.isAttestationTrusted()`].
   The `AttestationTrustSource` may also return a `CertStore`
   of untrusted certificates and CRLs that may be needed
   for certificate path validation,
@@ -286,10 +291,10 @@ The new interface has some key differences:
   but `RelyingParty` will not integrate them in the core result types.
 
 See the
-link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.1.0/com/yubico/webauthn/attestation/AttestationTrustSource.html[JavaDoc
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/attestation/AttestationTrustSource.html[JavaDoc
 for `AttestationTrustSource`] for details on how to implement it,
 and see the
-link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.1.0/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.0.0/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
 class in the
 link:../webauthn-server-attestation[`webauthn-server-attestation` module]
 for a reference implementation.
@@ -323,16 +328,16 @@ link:https://github.com/w3c/webauthn/issues/1253[turned out to cause confusion].
 Therefore, browsers have started issuing console warnings
 when `userVerification` is not set explicitly.
 This library has mirrored the defaults for
-link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.1.0/com/yubico/webauthn/data/PublicKeyCredentialRequestOptions.PublicKeyCredentialRequestOptionsBuilder.html#userVerification(com.yubico.webauthn.data.UserVerificationRequirement)[`PublicKeyCredentialRequestOptions.userVerification`]
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/data/PublicKeyCredentialRequestOptions.PublicKeyCredentialRequestOptionsBuilder.html#userVerification(com.yubico.webauthn.data.UserVerificationRequirement)[`PublicKeyCredentialRequestOptions.userVerification`]
 and
-link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.1.0/com/yubico/webauthn/data/AuthenticatorSelectionCriteria.AuthenticatorSelectionCriteriaBuilder.html#userVerification(com.yubico.webauthn.data.UserVerificationRequirement)[`AuthenticatorSelectionCriteria.userVerification`],
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/data/AuthenticatorSelectionCriteria.AuthenticatorSelectionCriteriaBuilder.html#userVerification(com.yubico.webauthn.data.UserVerificationRequirement)[`AuthenticatorSelectionCriteria.userVerification`],
 but this inadvertently suppresses any browser console warnings
 since the library emits parameter objects with an explicit value set,
 even if the value was not explicitly set at the library level.
 The defaults have therefore been removed,
 and the corresponding getters now return `Optional` values.
 For consistency, the same change applies to
-link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.1.0/com/yubico/webauthn/data/AuthenticatorSelectionCriteria.AuthenticatorSelectionCriteriaBuilder.html#residentKey(com.yubico.webauthn.data.ResidentKeyRequirement)[`AuthenticatorSelectionCriteria.residentKey`]
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.0.0/com/yubico/webauthn/data/AuthenticatorSelectionCriteria.AuthenticatorSelectionCriteriaBuilder.html#residentKey(com.yubico.webauthn.data.ResidentKeyRequirement)[`AuthenticatorSelectionCriteria.residentKey`]
 as well.
 
 The setters for these settings remain unchanged,

test-platform/build.gradle.kts

@@ -7,13 +7,14 @@ description = "Dependency constraints for tests"
 dependencies {
   constraints {
     api("junit:junit:4.13.2")
+    api("org.bouncycastle:bcpkix-jdk18on:[1.62,2)")
+    api("org.bouncycastle:bcprov-jdk18on:[1.62,2)")
     api("org.mockito:mockito-core:4.7.0")
     api("org.scalacheck:scalacheck_2.13:1.16.0")
     api("org.scalatest:scalatest_2.13:3.2.13")
     api("org.scalatestplus:junit-4-13_2.13:3.2.13.0")
     api("org.scalatestplus:scalacheck-1-16_2.13:3.2.13.0")
+    api("org.slf4j:slf4j-nop:2.0.3")
     api("uk.org.lidalia:slf4j-test:1.2.0")
-    api("org.bouncycastle:bcpkix-jdk18on:[1.62,2)")
-    api("org.bouncycastle:bcprov-jdk18on:[1.62,2)")
   }
 }