Release 1.5.0

Changes:

- `RelyingParty` now makes an immutable copy of the `origins` argument,
  instead of storing a reference to a possibly mutable value.
- The enum `AuthenticatorTransport` has been replaced by a value class
  containing methods and value constants equivalent to the previous
  enum.
- The return type of `PublicKeyCredentialDescriptor.getTransports()` is
  now a `SortedSet` instead of `Set`. The builder still accepts a plain
  `Set`.
- Registration ceremony now verifies that the returned credential public
  key matches one of the algorithms specified in
  `RelyingParty.preferredPubkeyParams` and can be successfully parsed.

New features:

- Origin matching can now be relaxed via two new `RelyingParty` options:
  - `allowOriginPort` (default `false`): Allow any port number in the
    origin
  - `allowOriginSubdomain` (default `false`): Allow any subdomain of any
    origin listed in `RelyingParty.origins`
  - See JavaDoc for details and examples.
- The new `AuthenticatorTransport` can now contain any string value as
  the transport identifier, as required in the editor's draft of the L2
  spec. See: w3c/webauthn#1275
- Added support for RS1 credentials. Registration of RS1 credentials is
  not enabled by default, but can be enabled by setting
  `RelyingParty.preferredPubKeyCredParams` to a list containing
  `PublicKeyCredentialParameters.RS1`.
  - New constant `PublicKeyCredentialParameters.RS1`
  - New constant `COSEAlgorithmIdentifier.RS1`

.github/workflows/master.yml → .github/workflows/build.yml

@@ -1,10 +1,7 @@
 # This name is shown in the status badge in the README
 name: build
 
-on:
-  push:
-    branches:
-      - master
+on: [push, pull_request]
 
 jobs:
   test:
@@ -13,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        java: [8, 10, 11, 12]
+        java: [8, 11]
 
     steps:
     - name: Check out code

.github/workflows/release-verify-signatures.yml

@@ -11,14 +11,9 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        java: [10, 11, 12]
+        java: [11]
 
     steps:
-    - name: Download signatures
-      run: |
-        wget https://github.com/${GITHUB_REPOSITORY}/releases/download/${GITHUB_REF}/webauthn-server-attestation-${GITHUB_REF}.jar.asc
-        wget https://github.com/${GITHUB_REPOSITORY}/releases/download/${GITHUB_REF}/webauthn-server-core-${GITHUB_REF}.jar.asc
-
     - name: check out code
       uses: actions/checkout@v1
 
@@ -31,9 +26,24 @@ jobs:
       run: ./gradlew jar
 
     - name: Fetch keys
-      run: gpg --recv-keys 57A9DEED4C6D962A923BB691816F3ED99921835E
+      run: gpg --no-default-keyring --keyring yubico --recv-keys 57A9DEED4C6D962A923BB691816F3ED99921835E
+
+    - name: Verify signatures from GitHub release
+      run: |
+        export TAGNAME=${GITHUB_REF#refs/tags/}
 
-    - name: Verify signatures
+        wget https://github.com/${GITHUB_REPOSITORY}/releases/download/${TAGNAME}/webauthn-server-attestation-${TAGNAME}.jar.asc
+        wget https://github.com/${GITHUB_REPOSITORY}/releases/download/${TAGNAME}/webauthn-server-core-${TAGNAME}.jar.asc
+
+        gpg --no-default-keyring --keyring yubico --verify webauthn-server-attestation-${TAGNAME}.jar.asc webauthn-server-attestation/build/libs/webauthn-server-attestation-${TAGNAME}.jar
+        gpg --no-default-keyring --keyring yubico --verify webauthn-server-core-${TAGNAME}.jar.asc webauthn-server-core/build/libs/webauthn-server-core-${TAGNAME}.jar
+
+    - name: Verify signatures from Maven Central
       run: |
-        gpg --verify webauthn-server-attestation-${GITHUB_REF}.jar.asc webauthn-server-attestation/build/libs/webauthn-server-attestation-${GITHUB_REF}.jar
-        gpg --verify webauthn-server-core-${GITHUB_REF}.jar.asc webauthn-server-core/build/libs/webauthn-server-core-${GITHUB_REF}.jar
+        export TAGNAME=${GITHUB_REF#refs/tags/}
+
+        wget -O webauthn-server-core-${TAGNAME}.jar.mavencentral.asc https://repo1.maven.org/maven2/com/yubico/webauthn-server-core/${TAGNAME}/webauthn-server-core-${TAGNAME}.jar.asc
+        wget -O webauthn-server-attestation-${TAGNAME}.jar.mavencentral.asc https://repo1.maven.org/maven2/com/yubico/webauthn-server-attestation/${TAGNAME}/webauthn-server-attestation-${TAGNAME}.jar.asc
+
+        gpg --no-default-keyring --keyring yubico --verify webauthn-server-attestation-${TAGNAME}.jar.mavencentral.asc webauthn-server-attestation/build/libs/webauthn-server-attestation-${TAGNAME}.jar
+        gpg --no-default-keyring --keyring yubico --verify webauthn-server-core-${TAGNAME}.jar.mavencentral.asc webauthn-server-core/build/libs/webauthn-server-core-${TAGNAME}.jar

.gitignore

@@ -9,6 +9,7 @@ out/
 *.iml
 *.iws
 */out/
+.attach_pid*
 
 # Mac
 .DS_Store
@@ -19,5 +20,4 @@ target/
 
 # Gradle
 .gradle/
-/build/
-/*/build/
+build/

.travis.yml

@@ -7,7 +7,6 @@ branches:
 jdk:
   - oraclejdk11
   - openjdk8
-  - openjdk10
   - openjdk11
 
 script:

NEWS

@@ -1,3 +1,44 @@
+== Version 1.5.0 ==
+
+Changes:
+
+* `RelyingParty` now makes an immutable copy of the `origins` argument, instead
+  of storing a reference to a possibly mutable value.
+* The enum `AuthenticatorTransport` has been replaced by a value class
+  containing methods and value constants equivalent to the previous enum.
+* The return type of `PublicKeyCredentialDescriptor.getTransports()` is now a
+  `SortedSet` instead of `Set`. The builder still accepts a plain `Set`.
+* Registration ceremony now verifies that the returned credential public key
+  matches one of the algorithms specified in
+  `RelyingParty.preferredPubkeyParams` and can be successfully parsed.
+
+New features:
+
+* Origin matching can now be relaxed via two new `RelyingParty` options:
+  * `allowOriginPort` (default `false`): Allow any port number in the origin
+  * `allowOriginSubdomain` (default `false`): Allow any subdomain of any origin
+    listed in `RelyingParty.origins`
+  * See JavaDoc for details and examples.
+* The new `AuthenticatorTransport` can now contain any string value as the
+  transport identifier, as required in the editor's draft of the L2 spec. See:
+  https://github.com/w3c/webauthn/pull/1275
+* Added support for RS1 credentials. Registration of RS1 credentials is not
+  enabled by default, but can be enabled by setting
+  `RelyingParty.preferredPubKeyCredParams` to a list containing
+  `PublicKeyCredentialParameters.RS1`.
+  * New constant `PublicKeyCredentialParameters.RS1`
+  * New constant `COSEAlgorithmIdentifier.RS1`
+
+
+== Version 1.4.1 ==
+
+Packaging fixes:
+
+* Fixed dependency declarations so API dependencies are correctly propagated as
+  compile-time dependencies of dependent projects.
+* Fixed Specification-Version release date in webauthn-server-core jar manifest.
+
+
 == Version 1.4.0 ==
 
 Changes:

README

@@ -26,15 +26,15 @@ Maven:
 <dependency>
   <groupId>com.yubico</groupId>
   <artifactId>webauthn-server-core</artifactId>
-  <version>1.3.0</version>
+  <version>1.5.0</version>
   <scope>compile</scope>
 </dependency>
 ----------
 
 Gradle:
 
 ----------
-compile 'com.yubico:webauthn-server-core:1.3.0'
+compile 'com.yubico:webauthn-server-core:1.5.0'
 ----------
 
 

build.gradle

@@ -7,9 +7,9 @@ buildscript {
   }
 }
 plugins {
-  id 'com.github.kt3k.coveralls' version '2.8.2'
+  id 'com.github.kt3k.coveralls' version '2.8.4'
   id 'io.codearte.nexus-staging' version '0.9.0'
-  id 'io.franzbecker.gradle-lombok' version '1.14'
+  id 'io.franzbecker.gradle-lombok' version '3.1.0'
 }
 
 import io.franzbecker.gradle.lombok.LombokPlugin
@@ -34,20 +34,48 @@ wrapper {
 }
 
 allprojects {
+  ext.snapshotSuffix = "<count>.g<sha>-SNAPSHOT<dirty>"
+  ext.dirtyMarker = "-DIRTY"
+
   apply plugin: 'com.cinnober.gradle.semver-git'
   apply plugin: 'idea'
 
   group = 'com.yubico'
 
-  ext.snapshotSuffix = "<count>.g<sha>-SNAPSHOT<dirty>"
-  ext.dirtyMarker = "-DIRTY"
-
   idea.module {
     downloadJavadoc = true
     downloadSources = true
   }
 }
 
+Map<String, String> dependencyVersions = [
+  'ch.qos.logback:logback-classic:1.2.3',
+  'com.augustcellars.cose:cose-java:1.0.0',
+  'com.fasterxml.jackson.core:jackson-databind:2.9.9.3',
+  'com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.9.9',
+  'com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.9.9',
+  'com.google.guava:guava:19.0',
+  'com.upokecenter:cbor:4.0.1',
+  'javax.activation:activation:1.1.1',
+  'javax.ws.rs:javax.ws.rs-api:2.1',
+  'javax.xml.bind:jaxb-api:2.3.0',
+  'junit:junit:4.12',
+  'org.apache.httpcomponents:httpclient:4.5.2',
+  'org.bouncycastle:bcpkix-jdk15on:1.62',
+  'org.bouncycastle:bcprov-jdk15on:1.62',
+  'org.eclipse.jetty:jetty-server:9.4.9.v20180320',
+  'org.eclipse.jetty:jetty-servlet:9.4.9.v20180320',
+  'org.glassfish.jersey.containers:jersey-container-servlet-core:2.26',
+  'org.glassfish.jersey.containers:jersey-container-servlet:2.26',
+  'org.glassfish.jersey.inject:jersey-hk2:2.26',
+  'org.mockito:mockito-core:2.27.0',
+  'org.scala-lang:scala-library:2.12.8',
+  'org.scalacheck:scalacheck_2.12:1.14.0',
+  'org.scalatest:scalatest_2.12:3.0.4',
+  'org.slf4j:slf4j-api:1.7.25',
+].collectEntries { [(it.split(':')[0..1].join(':')): it] }
+rootProject.ext.addVersion = { dep -> dependencyVersions[dep] }
+
 subprojects {
   apply plugin: LombokPlugin
 
@@ -63,7 +91,9 @@ subprojects {
   }
 }
 
-evaluationDependsOnChildren()
+allprojects {
+  evaluationDependsOnChildren()
+}
 
 task assembleJavadoc(type: Sync) {
   from("docs/index.html") {
@@ -72,6 +102,15 @@ task assembleJavadoc(type: Sync) {
   destinationDir = file("${rootProject.buildDir}/javadoc")
 }
 
+String getGitCommit() {
+  def proc = "git rev-parse HEAD".execute(null, projectDir)
+  proc.waitFor()
+  if (proc.exitValue() != 0) {
+    throw new RuntimeException("Failed to get git commit ID");
+  }
+  return proc.text.trim()
+}
+
 subprojects { project ->
 
   sourceCompatibility = 1.8
@@ -88,6 +127,10 @@ subprojects { project ->
     reproducibleFileOrder = true
   }
 
+  tasks.withType(Sign) {
+    it.dependsOn check
+  }
+
   test {
     testLogging {
       showStandardStreams = isCiBuild