Release 1.12.3

Fixes:

- Fixed `PublicKeyCredential` failing to parse from JSON if an
  `"authenticatorAttachment"` attribute was present.
- Bumped Jackson dependency to version [2.13.2.1,3) in response to
  CVE-2020-36518
- Fixed bug in `RelyingParty.finishAssertion` that would throw a nondescript
  `NoSuchElementException` if username and user handle are both absent, instead
  of an `IllegalArgumentException` with a better error message.

Author: emlun

NEWS

@@ -1,3 +1,16 @@
+== Version 1.12.3 ==
+
+Fixes:
+
+* Fixed `PublicKeyCredential` failing to parse from JSON if an
+  `"authenticatorAttachment"` attribute was present.
+* Bumped Jackson dependency to version [2.13.2.1,3) in response to
+  CVE-2020-36518
+* Fixed bug in `RelyingParty.finishAssertion` that would throw a nondescript
+  `NoSuchElementException` if username and user handle are both absent, instead
+  of an `IllegalArgumentException` with a better error message.
+
+
 == Version 1.12.2 ==
 
 Fixes:

README

@@ -25,15 +25,15 @@ Maven:
 <dependency>
   <groupId>com.yubico</groupId>
   <artifactId>webauthn-server-core</artifactId>
-  <version>1.12.2</version>
+  <version>1.12.3</version>
   <scope>compile</scope>
 </dependency>
 ----------
 
 Gradle:
 
 ----------
-compile 'com.yubico:webauthn-server-core:1.12.2'
+compile 'com.yubico:webauthn-server-core:1.12.3'
 ----------
 
 === Semantic versioning

build.gradle

@@ -4,7 +4,7 @@ buildscript {
   }
   dependencies {
     classpath 'com.cinnober.gradle:semver-git:2.5.0'
-    classpath 'com.diffplug.spotless:spotless-plugin-gradle:6.2.0'
+    classpath 'com.diffplug.spotless:spotless-plugin-gradle:6.3.0'
     classpath 'io.github.cosmicsilence:gradle-scalafix:0.1.8'
   }
 }
@@ -45,11 +45,17 @@ wrapper {
 
 dependencies {
   constraints {
-    api('ch.qos.logback:logback-classic:[1.2.3,2)')
     api('com.augustcellars.cose:cose-java:[1.0.0,2)')
-    api('com.fasterxml.jackson.core:jackson-databind:[2.11.0,3)')
-    api('com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:[2.11.0,3)')
-    api('com.fasterxml.jackson.datatype:jackson-datatype-jdk8:[2.11.0,3)')
+    api('com.fasterxml.jackson.core:jackson-databind:[2.13.2.1,3)')
+    api('com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:[2.13.2,3)')
+    api('com.fasterxml.jackson.datatype:jackson-datatype-jdk8:[2.13.2,3)')
+    api('com.fasterxml.jackson:jackson-bom') {
+      version {
+        strictly '[2.13.2.1,3)'
+        reject '2.13.2.1'
+      }
+      because 'jackson-databind 2.13.2.1 references nonexistent BOM'
+    }
     api('com.google.guava:guava:[24.1.1,31)')
     api('com.upokecenter:cbor:[4.5.1,5)')
     api('javax.ws.rs:javax.ws.rs-api:[2.1,3)')

webauthn-server-attestation/build.gradle

@@ -40,17 +40,10 @@ dependencies {
     'org.scalatest:scalatest_2.13',
   )
 
-  testRuntimeOnly(
-    'ch.qos.logback:logback-classic',
-  )
   testRuntimeOnly(
     // Transitive dependency from :webauthn-server-core:test
     'org.bouncycastle:bcpkix-jdk15on',
   )
-
-  testRuntimeOnly(
-    'ch.qos.logback:logback-classic',
-  )
 }
 
 

webauthn-server-attestation/src/test/resources/logback.xml

@@ -46,10 +46,6 @@ dependencies {
     'org.scalacheck:scalacheck_2.13',
     'org.scalatest:scalatest_2.13',
   )
-
-  testRuntimeOnly(
-    'ch.qos.logback:logback-classic',
-  )
 }
 
 jar {

webauthn-server-core/build.gradle

@@ -124,16 +124,19 @@ class Step0 implements Step<Step1> {
             .getUserHandle()
             .map(Optional::of)
             .orElseGet(
-                () -> credentialRepository.getUserHandleForUsername(request.getUsername().get()));
+                () ->
+                    request.getUsername().flatMap(credentialRepository::getUserHandleForUsername));
 
     private final Optional<String> username =
         request
             .getUsername()
             .map(Optional::of)
             .orElseGet(
                 () ->
-                    credentialRepository.getUsernameForUserHandle(
-                        response.getResponse().getUserHandle().get()));
+                    response
+                        .getResponse()
+                        .getUserHandle()
+                        .flatMap(credentialRepository::getUsernameForUserHandle));
 
     @Override
     public Step1 nextStep() {
@@ -147,12 +150,12 @@ public void validate() {
           "At least one of username and user handle must be given; none was.");
       assure(
           userHandle.isPresent(),
-          "No user found for username: %s, userHandle: %s",
+          "User handle not found for username: %s",
           request.getUsername(),
           response.getResponse().getUserHandle());
       assure(
           username.isPresent(),
-          "No user found for username: %s, userHandle: %s",
+          "Username not found for userHandle: %s",
           request.getUsername(),
           response.getResponse().getUserHandle());
     }

webauthn-server-core/src/main/java/com/yubico/webauthn/FinishAssertionSteps.java

@@ -25,6 +25,7 @@
 package com.yubico.webauthn.data;
 
 import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.yubico.internal.util.JacksonCodecs;
@@ -45,6 +46,7 @@
  */
 @Value
 @Builder(toBuilder = true)
+@JsonIgnoreProperties({"authenticatorAttachment"})
 public class PublicKeyCredential<
     A extends AuthenticatorResponse, B extends ClientExtensionOutputs> {
 

webauthn-server-core/src/main/java/com/yubico/webauthn/data/PublicKeyCredential.java

@@ -101,7 +101,6 @@ class OriginMatcherSpec
     it("accepts nothing if no allowed origins are given.") {
       forAll(urlOrArbitraryString, arbitrary[Boolean], arbitrary[Boolean]) {
         (origin, allowPort, allowSubdomain) =>
-          println(origin)
           OriginMatcher.isAllowed(
             origin,
             Set.empty[String].asJava,
@@ -114,7 +113,6 @@ class OriginMatcherSpec
     it("always accepts string equality even for invalid URLs.") {
       forAll(urlOrArbitraryString, arbitrary[Boolean], arbitrary[Boolean]) {
         (origin, allowPort, allowSubdomain) =>
-          println(origin)
           OriginMatcher.isAllowed(
             origin,
             Set(origin).asJava,
@@ -127,7 +125,6 @@ class OriginMatcherSpec
     it("does not accept superdomains.") {
       forAll(superAndSubdomain) {
         case (origin: URL, allowedOrigin: URL) =>
-          println(allowedOrigin, origin)
           OriginMatcher.isAllowed(
             origin.toExternalForm,
             Set(allowedOrigin.toExternalForm).asJava,
@@ -141,7 +138,6 @@ class OriginMatcherSpec
       it("by default.") {
         forAll(superAndSubdomain, arbitrary[Boolean]) { (origins, allowPort) =>
           val (allowedOrigin: URL, origin: URL) = origins
-          println(allowedOrigin, origin)
 
           OriginMatcher.isAllowed(
             origin.toExternalForm,
@@ -156,8 +152,6 @@ class OriginMatcherSpec
         forAll(superAndSubdomain) {
           case (allowedOrigin: URL, origin: URL) =>
             val invalidAllowedOrigin = invalidize(allowedOrigin)
-            println(allowedOrigin, origin, invalidAllowedOrigin)
-
             OriginMatcher.isAllowed(
               origin.toExternalForm,
               Set(invalidAllowedOrigin).asJava,
@@ -171,8 +165,6 @@ class OriginMatcherSpec
         forAll(superAndSubdomain) {
           case (allowedOrigin: URL, origin: URL) =>
             val invalidOrigin = invalidize(origin)
-            println(allowedOrigin, origin, invalidOrigin)
-
             OriginMatcher.isAllowed(
               invalidOrigin,
               Set(allowedOrigin.toExternalForm).asJava,
@@ -185,8 +177,6 @@ class OriginMatcherSpec
       it("unless configured to.") {
         forAll(superAndSubdomain, arbitrary[Boolean]) { (origins, allowPort) =>
           val (allowedOrigin: URL, origin: URL) = origins
-          println(allowedOrigin, origin)
-
           OriginMatcher.isAllowed(
             origin.toExternalForm,
             Set(allowedOrigin.toExternalForm).asJava,
@@ -203,8 +193,6 @@ class OriginMatcherSpec
           (allowedOrigin, port, allowSubdomain) =>
             whenever(port > 0) {
               val origin = replacePort(allowedOrigin, port)
-              println(allowedOrigin, origin)
-
               OriginMatcher.isAllowed(
                 origin.toExternalForm,
                 Set(allowedOrigin.toExternalForm).asJava,
@@ -218,8 +206,6 @@ class OriginMatcherSpec
       it("unless the same port is specified in an allowed origin.") {
         forAll(urlWithPort, arbitrary[Boolean]) {
           (origin: URL, allowSubdomain: Boolean) =>
-            println(origin)
-
             OriginMatcher.isAllowed(
               origin.toExternalForm,
               Set(origin.toExternalForm).asJava,
@@ -242,8 +228,6 @@ class OriginMatcherSpec
               port,
               allowedOrigin.getFile,
             )
-            println(allowedOrigin, origin)
-
             OriginMatcher.isAllowed(
               origin.toExternalForm,
               Set(allowedOrigin.toExternalForm).asJava,
@@ -258,8 +242,6 @@ class OriginMatcherSpec
     it("accepts subdomains and arbitrary ports when configured to.") {
       forAll(superAndSubdomainWithPorts) {
         case (allowedOrigin, origin) =>
-          println(allowedOrigin, origin)
-
           OriginMatcher.isAllowed(
             origin.toExternalForm,
             Set(allowedOrigin.toExternalForm).asJava,