Drop dependency on COSE-Java

build.gradle

@@ -34,7 +34,6 @@ dependencies {
   constraints {
     api(constraintLibs.bundles.jackson)
     api(constraintLibs.cbor)
-    api(constraintLibs.cose)
     api(constraintLibs.guava)
     api(constraintLibs.httpclient5)
     api(constraintLibs.slf4j)

settings.gradle.kts

@@ -15,7 +15,6 @@ dependencyResolutionManagement {
     versionCatalogs {
         create("constraintLibs") {
             library("cbor", "com.upokecenter:cbor:[4.5.1,5)")
-            library("cose", "com.augustcellars.cose:cose-java:[1.0.0,2)")
             library("guava", "com.google.guava:guava:[24.1.1,33)")
             library("httpclient5", "org.apache.httpcomponents.client5:httpclient5:[5.0.0,6)")
             library("slf4j", "org.slf4j:slf4j-api:[1.7.25,3)")

test-dependent-projects/java-dep-webauthn-server-core-and-bouncycastle/build.gradle.kts

@@ -12,9 +12,6 @@ dependencies {
     testImplementation("junit:junit:4.12")
     testImplementation("org.mockito:mockito-core:[2.27.0,3)")
 
-    // Runtime-only internal dependency of webauthn-server-core
-    testImplementation("com.augustcellars.cose:cose-java:[1.0.0,2)")
-
     // Transitive dependencies from coreTestOutput
     testImplementation("org.scala-lang:scala-library:[2.13.1,3)")
 }

test-dependent-projects/java-dep-webauthn-server-core-and-bouncycastle/src/test/java/com/yubico/webauthn/BouncyCastleProviderPresenceTest.java

@@ -2,7 +2,6 @@
 
 import static org.junit.Assert.assertTrue;
 
-import COSE.CoseException;
 import com.yubico.webauthn.data.AttestationObject;
 import com.yubico.webauthn.data.RelyingPartyIdentity;
 import java.io.IOException;
@@ -72,7 +71,7 @@ public void bouncyCastleProviderIsNotLoadedAfterInstantiatingRelyingParty() {
 
   @Test
   public void bouncyCastleProviderIsNotLoadedAfterAttemptingToLoadEddsaKey()
-      throws IOException, CoseException, InvalidKeySpecException {
+      throws IOException, InvalidKeySpecException {
     try {
       WebAuthnCodecs.importCosePublicKey(
           new AttestationObject(
@@ -92,7 +91,7 @@ public void bouncyCastleProviderIsNotLoadedAfterAttemptingToLoadEddsaKey()
 
   @Test(expected = NoSuchAlgorithmException.class)
   public void doesNotFallBackToBouncyCastleAutomatically()
-      throws IOException, CoseException, InvalidKeySpecException, NoSuchAlgorithmException {
+      throws IOException, InvalidKeySpecException, NoSuchAlgorithmException {
     for (Provider prov : Security.getProviders()) {
       Security.removeProvider(prov.getName());
     }

test-dependent-projects/java-dep-webauthn-server-core-and-bouncycastle/src/test/java/com/yubico/webauthn/CryptoAlgorithmsTest.java

@@ -3,7 +3,6 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 
-import COSE.CoseException;
 import com.yubico.webauthn.data.AttestationObject;
 import com.yubico.webauthn.data.RelyingPartyIdentity;
 import java.io.IOException;
@@ -47,7 +46,7 @@ public void tearDown() {
 
   @Test
   public void importRsa()
-      throws IOException, CoseException, NoSuchAlgorithmException, InvalidKeySpecException {
+      throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
     PublicKey key =
         WebAuthnCodecs.importCosePublicKey(
             new AttestationObject(
@@ -61,7 +60,7 @@ public void importRsa()
 
   @Test
   public void importEcdsa()
-      throws IOException, CoseException, NoSuchAlgorithmException, InvalidKeySpecException {
+      throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
     PublicKey key =
         WebAuthnCodecs.importCosePublicKey(
             new AttestationObject(
@@ -75,7 +74,7 @@ public void importEcdsa()
 
   @Test
   public void importEddsa()
-      throws IOException, CoseException, NoSuchAlgorithmException, InvalidKeySpecException {
+      throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
     PublicKey key =
         WebAuthnCodecs.importCosePublicKey(
             new AttestationObject(

test-dependent-projects/java-dep-webauthn-server-core/build.gradle.kts

@@ -11,9 +11,6 @@ dependencies {
     testImplementation("junit:junit:4.12")
     testImplementation("org.mockito:mockito-core:[2.27.0,3)")
 
-    // Runtime-only internal dependency of webauthn-server-core
-    testImplementation("com.augustcellars.cose:cose-java:[1.0.0,2)")
-
     // Transitive dependencies from coreTestOutput
     testImplementation("org.scala-lang:scala-library:[2.13.1,3)")
 }

test-dependent-projects/java-dep-webauthn-server-core/src/test/java/com/yubico/webauthn/BouncyCastleProviderPresenceTest.java

@@ -2,7 +2,6 @@
 
 import static org.junit.Assert.assertTrue;
 
-import COSE.CoseException;
 import com.yubico.webauthn.data.AttestationObject;
 import com.yubico.webauthn.data.RelyingPartyIdentity;
 import java.io.IOException;
@@ -51,7 +50,7 @@ public void bouncyCastleProviderIsNotLoadedAfterInstantiatingRelyingParty() {
 
   @Test
   public void bouncyCastleProviderIsNotLoadedAfterAttemptingToLoadEddsaKey()
-      throws IOException, CoseException, InvalidKeySpecException {
+      throws IOException, InvalidKeySpecException {
     try {
       WebAuthnCodecs.importCosePublicKey(
           new AttestationObject(

test-dependent-projects/java-dep-webauthn-server-core/src/test/java/com/yubico/webauthn/CryptoAlgorithmsTest.java

@@ -2,7 +2,6 @@
 
 import static org.junit.Assert.assertEquals;
 
-import COSE.CoseException;
 import com.yubico.webauthn.data.AttestationObject;
 import com.yubico.webauthn.data.RelyingPartyIdentity;
 import java.io.IOException;
@@ -45,7 +44,7 @@ public void tearDown() {
 
   @Test
   public void importRsa()
-      throws IOException, CoseException, NoSuchAlgorithmException, InvalidKeySpecException {
+      throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
     PublicKey key =
         WebAuthnCodecs.importCosePublicKey(
             new AttestationObject(
@@ -59,7 +58,7 @@ public void importRsa()
 
   @Test
   public void importEcdsa()
-      throws IOException, CoseException, NoSuchAlgorithmException, InvalidKeySpecException {
+      throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
     PublicKey key =
         WebAuthnCodecs.importCosePublicKey(
             new AttestationObject(

webauthn-server-core/build.gradle.kts

@@ -16,7 +16,6 @@ dependencies {
   api(platform(rootProject))
 
   implementation(project(":yubico-util"))
-  implementation("com.augustcellars.cose:cose-java")
   implementation("com.fasterxml.jackson.core:jackson-databind")
   implementation("com.google.guava:guava")
   implementation("com.upokecenter:cbor")

webauthn-server-core/src/main/java/com/yubico/webauthn/AttestationStatementVerifier.java

@@ -24,7 +24,6 @@
 
 package com.yubico.webauthn;
 
-import COSE.CoseException;
 import com.yubico.webauthn.data.AttestationObject;
 import com.yubico.webauthn.data.AttestationType;
 import com.yubico.webauthn.data.ByteArray;
@@ -34,7 +33,7 @@
 interface AttestationStatementVerifier {
 
   AttestationType getAttestationType(AttestationObject attestation)
-      throws IOException, CoseException, CertificateException;
+      throws IOException, CertificateException;
 
   boolean verifyAttestationSignature(
       AttestationObject attestationObject, ByteArray clientDataJsonHash);

webauthn-server-core/src/main/java/com/yubico/webauthn/FidoU2fAttestationStatementVerifier.java

@@ -26,7 +26,6 @@
 
 import static com.yubico.webauthn.Crypto.isP256;
 
-import COSE.CoseException;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.yubico.internal.util.ExceptionUtil;
 import com.yubico.webauthn.data.AttestationObject;
@@ -76,7 +75,7 @@ private static boolean validSelfSignature(X509Certificate cert) {
   }
 
   private static ByteArray getRawUserPublicKey(AttestationObject attestationObject)
-      throws IOException, CoseException {
+      throws IOException {
     final ByteArray pubkeyCose =
         attestationObject
             .getAuthenticatorData()
@@ -102,7 +101,7 @@ private static ByteArray getRawUserPublicKey(AttestationObject attestationObject
 
   @Override
   public AttestationType getAttestationType(AttestationObject attestationObject)
-      throws CoseException, IOException, CertificateException {
+      throws IOException, CertificateException {
     X509Certificate attestationCertificate = getAttestationCertificate(attestationObject);
 
     if (attestationCertificate.getPublicKey() instanceof ECPublicKey
@@ -153,7 +152,7 @@ && isP256(((ECPublicKey) attestationCertificate.getPublicKey()).getParams()))) {
 
                 try {
                   userPublicKey = getRawUserPublicKey(attestationObject);
-                } catch (IOException | CoseException e) {
+                } catch (IOException e) {
                   RuntimeException err =
                       new RuntimeException(
                           String.format(

webauthn-server-core/src/main/java/com/yubico/webauthn/FinishAssertionSteps.java

@@ -26,7 +26,6 @@
 
 import static com.yubico.internal.util.ExceptionUtil.assertTrue;
 
-import COSE.CoseException;
 import com.yubico.internal.util.OptionalUtil;
 import com.yubico.webauthn.data.AuthenticatorAssertionResponse;
 import com.yubico.webauthn.data.ByteArray;
@@ -508,7 +507,7 @@ public void validate() {
 
       try {
         key = WebAuthnCodecs.importCosePublicKey(cose);
-      } catch (CoseException | IOException | InvalidKeySpecException e) {
+      } catch (IOException | InvalidKeySpecException e) {
         throw new IllegalArgumentException(
             String.format(
                 "Failed to decode public key: Credential ID: %s COSE: %s",

webauthn-server-core/src/main/java/com/yubico/webauthn/FinishRegistrationSteps.java

@@ -27,7 +27,6 @@
 import static com.yubico.internal.util.ExceptionUtil.assertTrue;
 import static com.yubico.internal.util.ExceptionUtil.wrapAndLog;
 
-import COSE.CoseException;
 import com.upokecenter.cbor.CBORObject;
 import com.yubico.internal.util.CertificateParser;
 import com.yubico.internal.util.OptionalUtil;
@@ -345,7 +344,7 @@ public void validate() {
               .collect(Collectors.toList()));
       try {
         WebAuthnCodecs.importCosePublicKey(publicKeyCose);
-      } catch (CoseException | IOException | InvalidKeySpecException | NoSuchAlgorithmException e) {
+      } catch (IOException | InvalidKeySpecException | NoSuchAlgorithmException e) {
         throw wrapAndLog(log, "Failed to parse credential public key", e);
       }
     }
@@ -431,7 +430,7 @@ public AttestationType attestationType() {
               return AttestationType.UNKNOWN;
           }
         }
-      } catch (IOException | CoseException | CertificateException e) {
+      } catch (IOException | CertificateException e) {
         throw new IllegalArgumentException("Failed to resolve attestation type.", e);
       }
     }

webauthn-server-core/src/main/java/com/yubico/webauthn/PackedAttestationStatementVerifier.java

@@ -24,7 +24,6 @@
 
 package com.yubico.webauthn;
 
-import COSE.CoseException;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.upokecenter.cbor.CBORObject;
 import com.yubico.internal.util.CertificateParser;
@@ -95,7 +94,7 @@ private boolean verifySelfAttestationSignature(
                   .getAttestedCredentialData()
                   .get()
                   .getCredentialPublicKey());
-    } catch (IOException | CoseException | InvalidKeySpecException e) {
+    } catch (IOException | InvalidKeySpecException e) {
       throw ExceptionUtil.wrapAndLog(
           log,
           String.format(

webauthn-server-core/src/main/java/com/yubico/webauthn/RegisteredCredential.java

@@ -24,7 +24,6 @@
 
 package com.yubico.webauthn;
 
-import COSE.CoseException;
 import com.fasterxml.jackson.annotation.JsonAlias;
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonIgnore;
@@ -99,7 +98,7 @@ public final class RegisteredCredential {
   @NonNull
   @JsonIgnore
   public PublicKey getParsedPublicKey()
-      throws InvalidKeySpecException, NoSuchAlgorithmException, CoseException, IOException {
+      throws InvalidKeySpecException, NoSuchAlgorithmException, IOException {
     return WebAuthnCodecs.importCosePublicKey(getPublicKeyCose());
   }
 

webauthn-server-core/src/main/java/com/yubico/webauthn/RegistrationResult.java

@@ -24,7 +24,6 @@
 
 package com.yubico.webauthn;
 
-import COSE.CoseException;
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonProperty;
@@ -299,7 +298,7 @@ public ByteArray getPublicKeyCose() {
   @NonNull
   @JsonIgnore
   public PublicKey getParsedPublicKey()
-      throws InvalidKeySpecException, NoSuchAlgorithmException, CoseException, IOException {
+      throws InvalidKeySpecException, NoSuchAlgorithmException, IOException {
     return WebAuthnCodecs.importCosePublicKey(getPublicKeyCose());
   }
 

webauthn-server-core/src/main/java/com/yubico/webauthn/TpmAttestationStatementVerifier.java

@@ -24,7 +24,6 @@
 
 package com.yubico.webauthn;
 
-import COSE.CoseException;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import com.upokecenter.cbor.CBORObject;
@@ -178,7 +177,7 @@ public boolean verifyAttestationSignature(
     // is identical to the credentialPublicKey in the attestedCredentialData in authenticatorData.
     try {
       verifyPublicKeysMatch(attestationObject, pubArea);
-    } catch (CoseException | IOException | InvalidKeySpecException | NoSuchAlgorithmException e) {
+    } catch (IOException | InvalidKeySpecException | NoSuchAlgorithmException e) {
       throw new RuntimeException(
           "Failed to verify that public key in TPM attestation matches public key in authData.", e);
     }
@@ -267,7 +266,7 @@ private void validateCertInfo(
   }
 
   private void verifyPublicKeysMatch(AttestationObject attestationObject, TpmtPublic pubArea)
-      throws CoseException, IOException, InvalidKeySpecException, NoSuchAlgorithmException {
+      throws IOException, InvalidKeySpecException, NoSuchAlgorithmException {
     final PublicKey credentialPubKey =
         WebAuthnCodecs.importCosePublicKey(
             attestationObject

webauthn-server-core/src/main/java/com/yubico/webauthn/WebAuthnCodecs.java

@@ -24,7 +24,6 @@
 
 package com.yubico.webauthn;
 
-import COSE.CoseException;
 import com.google.common.primitives.Bytes;
 import com.upokecenter.cbor.CBORObject;
 import com.yubico.webauthn.data.ByteArray;
@@ -133,7 +132,7 @@ static ByteArray rawEcKeyToCose(ByteArray key) {
   }
 
   static PublicKey importCosePublicKey(ByteArray key)
-      throws CoseException, IOException, InvalidKeySpecException, NoSuchAlgorithmException {
+      throws IOException, InvalidKeySpecException, NoSuchAlgorithmException {
     CBORObject cose = CBORObject.DecodeFromBytes(key.getBytes());
     final int kty = cose.get(CBORObject.FromObject(1)).AsInt32();
     switch (kty) {