Release 0.5.0

=== `webauthn-server-core` ===

New features:

- `PackedAttestationStatementVerifier` now supports SHA256WithRSA
  signatures

Bug fixes:

- `PublicKeyCredentialDescriptor.compareTo` is now consistent with
  equals
- `AuthenticatorData` constructor should now throw more descriptive
  exceptions instead of raw `ArrayIndexOutOfBoundsException`s

=== `webauthn-server-attestation` ===

Breaking changes:

- Interface `MetadataResolver` replaced with interfaces
  `AttestationResolver` and `TrustResolver`
  - Class `SimpleResolver` split into `SimpleAttestationResolver` and
    `SimpleTrustResolver`
    - Both of these classes now take the metadata as a constructor
      parameter instead of exposing `addMetadata` methods
  - Class `CompositeResolver` split into `CompositeAttestationResolver`
    and `CompositeTrustResolver`
- Class `StandardMetadataService` overhauled

COPYING

@@ -1,11 +1,26 @@
-Copyright (c) 2014, Yubico AB
+Copyright (c) 2014-2018, Yubico AB
 All rights reserved.
 
-Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
 
-Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
-Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 -------------------------------
 

NEWS

@@ -1,3 +1,33 @@
+== Version 0.5.0 ==
+
+=== `webauthn-server-core` ===
+
+New features:
+
+* `PackedAttestationStatementVerifier` now supports SHA256WithRSA signatures
+
+Bug fixes:
+
+* `PublicKeyCredentialDescriptor.compareTo` is now consistent with equals
+* `AuthenticatorData` constructor should now throw more descriptive exceptions
+  instead of raw `ArrayIndexOutOfBoundsException`s
+
+
+=== `webauthn-server-attestation` ===
+
+Breaking changes:
+
+* Interface `MetadataResolver` replaced with interfaces `AttestationResolver`
+  and `TrustResolver`
+ ** Class `SimpleResolver` split into `SimpleAttestationResolver` and
+    `SimpleTrustResolver`
+  *** Both of these classes now take the metadata as a constructor parameter
+      instead of exposing `addMetadata` methods
+ ** Class `CompositeResolver` split into `CompositeAttestationResolver` and
+    `CompositeTrustResolver`
+* Class `StandardMetadataService` overhauled
+
+
 == Version 0.4.0 ==
 
 Breaking changes:

README

@@ -14,6 +14,13 @@ for a server to support Web Authentication. This includes registering
 authenticators and authenticating registered authenticators.
 
 
+=== Planned breaking changes
+
+* Update spec version from Candidate Recommendation 2018-03-20 to Proposed
+  Recommendation 2018-11-??. This will involve renaming a couple of classes
+  and methods.
+
+
 === Example Usage
 
 See link:webauthn-server-demo[`webauthn-server-demo`] for a complete demo

build.gradle

@@ -29,8 +29,8 @@ if (publishEnabled) {
   }
 }
 
-task wrapper(type: Wrapper) {
-  gradleVersion = '4.8'
+wrapper {
+  gradleVersion = '4.10'
 }
 
 allprojects  {
@@ -50,6 +50,10 @@ allprojects  {
     options.encoding = 'UTF-8'
   }
 
+  tasks.withType(AbstractArchiveTask) {
+    from(rootProject.file('COPYING'))
+  }
+
   repositories {
     mavenLocal()
 

gradle/wrapper/gradle-wrapper.properties

@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-4.8-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-4.10-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists

webauthn-server-attestation/build.gradle

@@ -1,6 +1,6 @@
 description = 'Yubico WebAuthn attestation subsystem'
 
-apply plugin: 'java'
+apply plugin: 'scala'
 
 project.ext.publishMe = true
 
@@ -13,9 +13,14 @@ dependencies {
   )
 
   testCompile(
+    project(':webauthn-server-core').sourceSets.test.output,
+    project(':yubico-util-scala'),
+    'commons-io:commons-io:2.5',
     'org.mockito:mockito-core:2.10.0',
+    'org.scala-lang:scala-library:2.11.3',
+    'org.scalacheck:scalacheck_2.11:1.13.5',
+    'org.scalatest:scalatest_2.11:3.0.4',
   )
-
 }
 
 

webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/AttestationResolver.java

@@ -0,0 +1,44 @@
+// Copyright (c) 2015-2018, Yubico AB
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this
+//    list of conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice,
+//    this list of conditions and the following disclaimer in the documentation
+//    and/or other materials provided with the distribution.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package com.yubico.webauthn.attestation;
+
+import java.security.cert.X509Certificate;
+import java.util.Collections;
+import java.util.List;
+import java.util.Optional;
+
+public interface AttestationResolver {
+
+    /**
+     * Alias of <code>resolve(attestationCertificate, Collections.emptyList())</code>.
+     */
+    default Optional<Attestation> resolve(X509Certificate attestationCertificate) {
+        return resolve(attestationCertificate, Collections.emptyList());
+    }
+
+    Optional<Attestation> resolve(X509Certificate attestationCertificate, List<X509Certificate> certificateChain);
+    Attestation untrustedFromCertificate(X509Certificate attestationCertificate);
+
+}

webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/DeviceMatcher.java

@@ -1,4 +1,26 @@
-/* Copyright 2015 Yubico */
+// Copyright (c) 2015-2018, Yubico AB
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are met:
+//
+// 1. Redistributions of source code must retain the above copyright notice, this
+//    list of conditions and the following disclaimer.
+//
+// 2. Redistributions in binary form must reproduce the above copyright notice,
+//    this list of conditions and the following disclaimer in the documentation
+//    and/or other materials provided with the distribution.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 package com.yubico.webauthn.attestation;