Yubico
diff --git a/‎.github/workflows/release-verify-signatures.yml
Lines changed: 2 additions & 6 deletions b/‎.github/workflows/release-verify-signatures.yml
Lines changed: 2 additions & 6 deletions
diff --git a/‎NEWS
Lines changed: 82 additions & 0 deletions b/‎NEWS
Lines changed: 82 additions & 0 deletions
diff --git a/‎README
Lines changed: 43 additions & 13 deletions b/‎README
Lines changed: 43 additions & 13 deletions
diff --git a/‎build.gradle
Lines changed: 4 additions & 13 deletions b/‎build.gradle
Lines changed: 4 additions & 13 deletions
@@ -36,20 +36,16 @@ jobs:
 
         wget https://github.com/${GITHUB_REPOSITORY}/releases/download/${TAGNAME}/webauthn-server-attestation-${TAGNAME}.jar.asc
         wget https://github.com/${GITHUB_REPOSITORY}/releases/download/${TAGNAME}/webauthn-server-core-${TAGNAME}.jar.asc
-        wget https://github.com/${GITHUB_REPOSITORY}/releases/download/${TAGNAME}/webauthn-server-core-minimal-${TAGNAME}.jar.asc
 
         gpg --no-default-keyring --keyring yubico --verify webauthn-server-attestation-${TAGNAME}.jar.asc webauthn-server-attestation/build/libs/webauthn-server-attestation-${TAGNAME}.jar
-        gpg --no-default-keyring --keyring yubico --verify webauthn-server-core-${TAGNAME}.jar.asc webauthn-server-core-bundle/build/libs/webauthn-server-core-${TAGNAME}.jar
-        gpg --no-default-keyring --keyring yubico --verify webauthn-server-core-minimal-${TAGNAME}.jar.asc webauthn-server-core/build/libs/webauthn-server-core-minimal-${TAGNAME}.jar
+        gpg --no-default-keyring --keyring yubico --verify webauthn-server-core-${TAGNAME}.jar.asc webauthn-server-core/build/libs/webauthn-server-core-${TAGNAME}.jar
 
     - name: Verify signatures from Maven Central
       run: |
         export TAGNAME=${GITHUB_REF#refs/tags/}
 
         wget -O webauthn-server-core-${TAGNAME}.jar.mavencentral.asc https://repo1.maven.org/maven2/com/yubico/webauthn-server-core/${TAGNAME}/webauthn-server-core-${TAGNAME}.jar.asc
-        wget -O webauthn-server-core-minimal-${TAGNAME}.jar.mavencentral.asc https://repo1.maven.org/maven2/com/yubico/webauthn-server-core-minimal/${TAGNAME}/webauthn-server-core-minimal-${TAGNAME}.jar.asc
         wget -O webauthn-server-attestation-${TAGNAME}.jar.mavencentral.asc https://repo1.maven.org/maven2/com/yubico/webauthn-server-attestation/${TAGNAME}/webauthn-server-attestation-${TAGNAME}.jar.asc
 
         gpg --no-default-keyring --keyring yubico --verify webauthn-server-attestation-${TAGNAME}.jar.mavencentral.asc webauthn-server-attestation/build/libs/webauthn-server-attestation-${TAGNAME}.jar
-        gpg --no-default-keyring --keyring yubico --verify webauthn-server-core-${TAGNAME}.jar.mavencentral.asc webauthn-server-core-bundle/build/libs/webauthn-server-core-${TAGNAME}.jar
-        gpg --no-default-keyring --keyring yubico --verify webauthn-server-core-minimal-${TAGNAME}.jar.mavencentral.asc webauthn-server-core/build/libs/webauthn-server-core-minimal-${TAGNAME}.jar
+        gpg --no-default-keyring --keyring yubico --verify webauthn-server-core-${TAGNAME}.jar.mavencentral.asc webauthn-server-core/build/libs/webauthn-server-core-${TAGNAME}.jar
@@ -1,3 +1,85 @@
+== Version 2.0.0 ==
+
+This release removes deprecated APIs and changes some defaults to better align
+with the L2 version of the WebAuthn spec. It also adds a new major feature:
+optional integration with the FIDO Metadata Service for retrieving authenticator
+metadata and attestation trust roots. See below for details.
+
+`webauthn-server-core`:
+
+Breaking changes:
+
+* Deleted deprecated `icon` field in `RelyingPartyIdentity` and `UserIdentity`,
+  and its associated methods.
+* Deleted deprecated `AuthenticatorSelectionCriteria` methods
+  `builder().requireResidentKey(boolean)` and `isRequireResidentKey()`.
+* `RelyingParty` parameter `allowUnrequestedExtensions` removed. The library
+  will now always accept unrequested extensions.
+* Class `ClientAssertionExtensionOutputs` now silently ignores unknown
+  extensions instead of rejecting them.
+* `webauthn-server-core-minimal` module deleted.
+* `webauthn-server-core` no longer depends on BouncyCastle and will no longer
+  attempt to automatically fall back to it. Therefore, EdDSA keys are no longer
+  supported by default in JDK 14 and earlier. The library will log warnings if
+  configured for algorithms with no JCA provider available, in which case the
+  dependent project may need to add additional dependencies and configure JCA
+  providers externally.
+* Enum value `AttestationType.ECDAA` removed without replacement.
+* Deleted methods `RegistrationResult.getWarnings()` and
+  `AssertionResult.getWarnings()` since they are now always empty.
+* Framework for attestation metadata has been fully overhauled. See the
+  `webauthn-server-attestation` module documentation for the new ways to work
+  with attestation metadata:
+ ** Deleted method `RegistrationResult.getAttestationMetadata()`.
+ ** Interface `MetadataService` replaced with `AttestationTrustSource`, and
+    optional `RelyingParty` setting `.metadataService(MetadataService)` replaced
+    with `.attestationTrustSource(AttestationTrustSource)`.
+ ** Deleted types `Attestation` and `Transport`.
+ ** Deleted method `AuthenticatorTransport.fromU2fTransport`.
+* `RelyingParty.finishRegistration()` now uses a JCA `CertPathValidator` to
+  validate attestation certificate paths, if an attestation trust source has
+  been configured. This requires a compatible JCA provider, but should already
+  be available in most environments.
+* Classes in package `com.yubico.fido.metadata` moved to
+  `com.yubico.webauthn.extension.uvm` to avoid name clash with
+  `webauthn-server-attestation` module in JPMS.
+* Changed return type of
+  `PublicKeyCredentialRequestOptions.getUserVerification()`,
+  `AuthenticatorSelectionCriteria.getUserVerification()` and
+  `AuthenticatorSelectionCriteria.getResidentKey()` to `Optional`, and changed
+  defaults for `userVerification` and `residentKey` to empty. This means we
+  won't inadvertently suppress warnings that browsers might issue in the browser
+  console if for example `userVerification` is not set explicitly.
+
+New features:
+
+* Method `getAaguid()` added to `RegistrationResult`.
+* Method `getAttestationTrustPath()` added to `RegistrationResult`.
+* Setting `.clock(Clock)` added to `RelyingParty`. It is used for attestation
+  path validation if an `attestationTrustSource` is configured.
+
+
+`webauthn-server-attestation`:
+
+Breaking changes:
+
+* Types `AttestationResolver`, `CompositeAttestationResolver`,
+  `CompositeTrustResolver`, `DeviceMatcher`, `ExtensionMatcher`,
+  `FingerprintMatcher`, `MetadataObject`, `SimpleAttestationResolver`,
+  `SimpleTrustResolver`, `StandardMetadataService` and `TrustResolver` deleted
+  in favour of a new attestation metadata framework. Some of the functionality
+  is retained as the new `YubicoJsonMetadataService` class in the
+  `webauthn-server-demo` subproject in the library sources, but no longer
+  exposed in either library module.
+* Library no longer contains a `/metadata.json` resource.
+
+New features:
+
+* New types `FidoMetadataService` and `FidoMetadataDownloader` which integrate
+  with the FIDO Metadata Service for retrieving authenticator metadata and
+  attestation trust roots.
+
+
 == Version 1.12.4 ==
 
 Deprecated features:
 
@@ -14,6 +14,19 @@ for a server to support Web Authentication. This includes registering
 authenticators and authenticating registered authenticators.
 
 
+[WARNING]
+.*Psychic signatures in Java*
+==========
+In April 2022, link:https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/[CVE-2022-21449]
+was disclosed in Oracle's OpenJDK (and other JVMs derived from it) which can impact applications using java-webauthn-server.
+The impact is that for the most common type of WebAuthn credential, invalid signatures are accepted as valid,
+allowing authentication bypass for users with such a credential.
+Please read link:https://openjdk.java.net/groups/vulnerability/advisories/2022-04-19[Oracle's advisory]
+and make sure you are not using one of the impacted OpenJDK versions.
+If you are, we urge you to upgrade your Java deployment to a version that is safe.
+==========
+
+
 toc::[]
 
 
@@ -25,17 +38,22 @@ Maven:
 <dependency>
   <groupId>com.yubico</groupId>
   <artifactId>webauthn-server-core</artifactId>
-  <version>1.12.4</version>
+  <version>2.0.0</version>
   <scope>compile</scope>
 </dependency>
 ----------
 
 Gradle:
 
 ----------
-compile 'com.yubico:webauthn-server-core:1.12.4'
+compile 'com.yubico:webauthn-server-core:2.0.0'
 ----------
 
+NOTE: You may need additional dependencies with JCA providers to support some signature algorithms.
+In particular, OpenJDK 14 and earlier does not include providers for the EdDSA family of algorithms.
+The library will log warnings if you try to configure it for algorithms with no JCA provider available.
+
+
 === Semantic versioning
 
 This library uses link:https://semver.org/[semantic versioning].
@@ -50,16 +68,11 @@ Breaking changes to these will NOT be reflected in version numbers.
 
 === Additional modules
 
-In addition to the main `webauthn-server-core` module, there are also:
-
-- `webauthn-server-attestation`: A simple implementation of the
-  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core-minimal/latest/com/yubico/webauthn/attestation/MetadataService.html[`MetadataService`]
-  interface, which by default comes preloaded with attestation metadata for Yubico devices.
+In addition to the main `webauthn-server-core` module, there is also:
 
-- `webauthn-server-core-minimal`: Alternative distribution of `webauthn-server-core`,
-  not dependent on BouncyCastle.
-  Using it means you may have to add your own JCA providers to support some signature algorithms.
-  In particular, OpenJDK 14 and earlier does not include providers for the EdDSA family of algorithms.
+- `webauthn-server-attestation`: Integration with the https://fidoalliance.org/metadata/[FIDO Metadata Service]
+  for retrieving and selecting trust roots to use for verifying
+  https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-attestation[attestation statements].
 
 
 == Features
@@ -70,9 +83,8 @@ In addition to the main `webauthn-server-core` module, there are also:
   https://www.w3.org/TR/webauthn/#sctn-rp-operations[validation logic] on the
   response from the client
 - No mutable state or side effects - everything (except builders) is thread safe
-- Optionally integrates with a "metadata service" to verify
+- Optionally integrates with an "attestation trust source" to verify
   https://www.w3.org/TR/webauthn/#sctn-attestation[authenticator attestations]
-  and annotate responses with additional authenticator metadata
 - Reproducible builds: release signatures match fresh builds from source. See
   link:#reproducible-builds[Reproducible builds] below.
 
@@ -93,6 +105,11 @@ link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-
 for in-depth API documentation.
 
 
+== Migrating from version `1.x`
+
+See link:doc/Migrating_from_v1.adoc[the migration guide].
+
+
 == Getting started
 
 Using this library comes in two parts: the server side and the client side.
@@ -557,6 +574,19 @@ credentials.
 . Finally, the application reports success and resumes its business logic.
 
 
+== Using attestation
+
+WebAuthn supports
+link:https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-attestation[authenticator attestation],
+which provides a way for the web service
+to request cryptographic proof of what authenticator the user is using.
+Most services do not need this, and it is disabled by default.
+
+The link:webauthn-server-attestation[`webauthn-server-attestation` module]
+provides optional additional features for working with attestation.
+See the module documentation for more details.
+
+
 == Building
 
 Use the included
 
@@ -4,7 +4,7 @@ buildscript {
   }
   dependencies {
     classpath 'com.cinnober.gradle:semver-git:2.5.0'
-    classpath 'com.diffplug.spotless:spotless-plugin-gradle:6.3.0'
+    classpath 'com.diffplug.spotless:spotless-plugin-gradle:6.5.1'
     classpath 'io.github.cosmicsilence:gradle-scalafix:0.1.13'
   }
 }
@@ -40,7 +40,7 @@ if (publishEnabled) {
 }
 
 wrapper {
-  gradleVersion = '7.2'
+  gradleVersion = '7.3'
 }
 
 dependencies {
@@ -49,6 +49,7 @@ dependencies {
     api('com.fasterxml.jackson.core:jackson-databind:[2.13.2.1,3)')
     api('com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:[2.13.2,3)')
     api('com.fasterxml.jackson.datatype:jackson-datatype-jdk8:[2.13.2,3)')
+    api('com.fasterxml.jackson.datatype:jackson-datatype-jsr310:[2.13.2,3)')
     api('com.fasterxml.jackson:jackson-bom') {
       version {
         strictly '[2.13.2.1,3)'
@@ -72,6 +73,7 @@ dependencies {
     api('org.scalacheck:scalacheck_2.13:[1.14.0,2)')
     api('org.scalatest:scalatest_2.13:[3.0.8,3.1)')
     api('org.slf4j:slf4j-api:[1.7.25,2)')
+    api('uk.org.lidalia:slf4j-test:[1.1.0,2)')
   }
 }
 
@@ -217,17 +219,6 @@ subprojects { project ->
       archiveClassifier = 'javadoc'
       from javadoc
     }
-
-    // TODO: Revert this if statement in the next major release
-    if (project.projectDir.name != "webauthn-server-core-bundle") {
-      rootProject.tasks.assembleJavadoc {
-        dependsOn javadoc
-        inputs.dir javadoc.destinationDir
-        from(javadoc.destinationDir) {
-          into project.projectDir.name
-        }
-      }
-    }
   }
 
   if (project.hasProperty('publishMe') && project.publishMe) {
Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ buildscript {`
`4`	`4`	`}`
`5`	`5`	`dependencies {`
`6`	`6`	`classpath 'com.cinnober.gradle:semver-git:2.5.0'`
`7`		`- classpath 'com.diffplug.spotless:spotless-plugin-gradle:6.3.0'`
	`7`	`+ classpath 'com.diffplug.spotless:spotless-plugin-gradle:6.5.1'`
`8`	`8`	`classpath 'io.github.cosmicsilence:gradle-scalafix:0.1.13'`
`9`	`9`	`}`
`10`	`10`	`}`
`@@ -40,7 +40,7 @@ if (publishEnabled) {`
`40`	`40`	`}`
`41`	`41`
`42`	`42`	`wrapper {`
`43`		`- gradleVersion = '7.2'`
	`43`	`+ gradleVersion = '7.3'`
`44`	`44`	`}`
`45`	`45`
`46`	`46`	`dependencies {`
`@@ -49,6 +49,7 @@ dependencies {`
`49`	`49`	`api('com.fasterxml.jackson.core:jackson-databind:[2.13.2.1,3)')`
`50`	`50`	`api('com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:[2.13.2,3)')`
`51`	`51`	`api('com.fasterxml.jackson.datatype:jackson-datatype-jdk8:[2.13.2,3)')`
	`52`	`+ api('com.fasterxml.jackson.datatype:jackson-datatype-jsr310:[2.13.2,3)')`
`52`	`53`	`api('com.fasterxml.jackson:jackson-bom') {`
`53`	`54`	`version {`
`54`	`55`	`strictly '[2.13.2.1,3)'`
`@@ -72,6 +73,7 @@ dependencies {`
`72`	`73`	`api('org.scalacheck:scalacheck_2.13:[1.14.0,2)')`
`73`	`74`	`api('org.scalatest:scalatest_2.13:[3.0.8,3.1)')`
`74`	`75`	`api('org.slf4j:slf4j-api:[1.7.25,2)')`
	`76`	`+ api('uk.org.lidalia:slf4j-test:[1.1.0,2)')`
`75`	`77`	`}`
`76`	`78`	`}`
`77`	`79`
`@@ -217,17 +219,6 @@ subprojects { project ->`
`217`	`219`	`archiveClassifier = 'javadoc'`
`218`	`220`	`from javadoc`
`219`	`221`	`}`
`220`		`-`
`221`		`- // TODO: Revert this if statement in the next major release`
`222`		`- if (project.projectDir.name != "webauthn-server-core-bundle") {`
`223`		`- rootProject.tasks.assembleJavadoc {`
`224`		`- dependsOn javadoc`
`225`		`- inputs.dir javadoc.destinationDir`
`226`		`- from(javadoc.destinationDir) {`
`227`		`- into project.projectDir.name`
`228`		`- }`
`229`		`- }`
`230`		`- }`
`231`	`222`	`}`
`232`	`223`
`233`	`224`	`if (project.hasProperty('publishMe') && project.publishMe) {`