Merge pull request #98 from travisspencer/issue-97-remove-bouncy-castle

issue #97 - remove dependence on Bouncy Castle

Author: emlun

.github/workflows/build.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        java: [8, 11, 13]
+        java: [8, 11, 15]
 
     steps:
     - name: Check out code
@@ -22,7 +22,14 @@ jobs:
         java-version: ${{ matrix.java }}
 
     - name: Run tests
-      run: ./gradlew check
+      run: ./gradlew cleanTest check
+
+    - name: Archive test report
+      if: ${{ always() }}
+      uses: actions/upload-artifact@v2
+      with:
+        name: test-reports
+        path: "*/build/reports/**"
 
     - name: Build JavaDoc
       run: ./gradlew assembleJavadoc

NEWS

@@ -1,3 +1,15 @@
+== Version 1.8.0 (unreleased) ==
+
+Changes:
+
+* BouncyCastle dependency is now optional.
+
+  In order to opt out, depend on `webauthn-server-core-minimal` instead of `webauthn-server-core`.
+  This is not recommended unless you know your JVM includes JCA providers for all signature algorithms.
+
+  Note that `webauthn-server-attestation` still depends on BouncyCastle.
+
+
 == Version 1.7.0 ==
 
 webauthn-server-attestation:

README

@@ -36,6 +36,32 @@ Gradle:
 compile 'com.yubico:webauthn-server-core:1.7.0'
 ----------
 
+=== Semantic versioning
+
+This library uses link:https://semver.org/[semantic versioning].
+The public API consists of all public classes, methods and fields in the `com.yubico.webauthn` package and its subpackages,
+i.e., everything covered by the
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/latest/com/yubico/webauthn/package-summary.html[Javadoc].
+
+Package-private classes and methods are NOT part of the public API.
+The `com.yubico:yubico-util` module is NOT part of the public API.
+Breaking changes to these will NOT be reflected in version numbers.
+
+
+=== Additional modules
+
+In addition to the main `webauthn-server-core` module, there are also:
+
+- `webauthn-server-attestation`: A simple implementation of the
+  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/latest/com/yubico/webauthn/attestation/MetadataService.html[`MetadataService`]
+  interface, which by default comes preloaded with attestation metadata for Yubico devices.
+
+- `webauthn-server-core-minimal`: Alternative distribution of `webauthn-server-core`,
+  without a dependency on BouncyCastle.
+  If depending on this module instead of `webauthn-server-core`,
+  you may have to add your own JCA providers to support some signature algorithms.
+  In particular, OpenJDK 14 and earlier does not include providers for the EdDSA family of algorithms.
+
 
 == Features
 

build.gradle

@@ -30,7 +30,7 @@ if (publishEnabled) {
 }
 
 wrapper {
-  gradleVersion = '6.1'
+  gradleVersion = '6.8'
 }
 
 allprojects {
@@ -80,8 +80,8 @@ subprojects {
   apply plugin: LombokPlugin
 
   lombok {
-    version '1.18.10'
-    sha256 = '2836e954823bfcbad45e78c18896e3d01058e6f643749810c608b7005ee7b2fa'
+    version '1.18.18'
+    sha256 = '601ec46206e0f9cac2c0583b3350e79f095419c395e991c761640f929038e9cc'
   }
   tasks.withType(AbstractCompile) {
     if (tasks.findByName('verifyLombok')) {
@@ -175,11 +175,14 @@ subprojects { project ->
       from javadoc
     }
 
-    rootProject.tasks.assembleJavadoc {
-      dependsOn javadoc
-      inputs.dir javadoc.destinationDir
-      from(javadoc.destinationDir) {
-        into project.name
+    // TODO: Revert this if statement in the next major release
+    if (project.projectDir.name != "webauthn-server-core-bundle") {
+      rootProject.tasks.assembleJavadoc {
+        dependsOn javadoc
+        inputs.dir javadoc.destinationDir
+        from(javadoc.destinationDir) {
+          into project.projectDir.name
+        }
       }
     }
   }

doc/development.md

@@ -0,0 +1,16 @@
+Developer docs
+===
+
+Inconsistent directory naming
+---
+
+In resolving [issue #97](https://github.com/Yubico/java-webauthn-server/issues/97),
+we opted to split the `webauthn-server-core` module into one `webauthn-server-core` meta-module
+and one `webauthn-server-core-minimal` module with the code and all dependencies except BouncyCastle.
+However, to avoid file renames and since this is intended as a temporary change,
+the source code for the `webauthn-server-core` module is hosted in the `webauthn-server-core-bundle/` subproject
+and the `webauthn-server-core-minimal` module is hosted in `webauthn-server-core/`.
+
+We intend to eliminate the `webauthn-server-core-bundle` subproject in the next major version release,
+and return the current `webauthn-server-core-minimal` module to the `webauthn-server-core` module name.
+This naming inconsistency should be fixed along with this.

gradle/wrapper/gradle-wrapper.jar

@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-6.1-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-6.8-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists

gradle/wrapper/gradle-wrapper.properties

@@ -82,6 +82,7 @@ esac
 
 CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
 
+
 # Determine the Java command to use to start the JVM.
 if [ -n "$JAVA_HOME" ] ; then
     if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
@@ -129,6 +130,7 @@ fi
 if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then
     APP_HOME=`cygpath --path --mixed "$APP_HOME"`
     CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
+
     JAVACMD=`cygpath --unix "$JAVACMD"`
 
     # We build the pattern for arguments to be converted via cygpath

gradlew

@@ -29,6 +29,9 @@ if "%DIRNAME%" == "" set DIRNAME=.
 set APP_BASE_NAME=%~n0
 set APP_HOME=%DIRNAME%
 
+@rem Resolve any "." and ".." in APP_HOME to make it shorter.
+for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
+
 @rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
 set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
 
@@ -37,7 +40,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome
 
 set JAVA_EXE=java.exe
 %JAVA_EXE% -version >NUL 2>&1
-if "%ERRORLEVEL%" == "0" goto init
+if "%ERRORLEVEL%" == "0" goto execute
 
 echo.
 echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
@@ -51,7 +54,7 @@ goto fail
 set JAVA_HOME=%JAVA_HOME:"=%
 set JAVA_EXE=%JAVA_HOME%/bin/java.exe
 
-if exist "%JAVA_EXE%" goto init
+if exist "%JAVA_EXE%" goto execute
 
 echo.
 echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
@@ -61,28 +64,14 @@ echo location of your Java installation.
 
 goto fail
 
-:init
-@rem Get command-line arguments, handling Windows variants
-
-if not "%OS%" == "Windows_NT" goto win9xME_args
-
-:win9xME_args
-@rem Slurp the command line arguments.
-set CMD_LINE_ARGS=
-set _SKIP=2
-
-:win9xME_args_slurp
-if "x%~1" == "x" goto execute
-
-set CMD_LINE_ARGS=%*
-
 :execute
 @rem Setup the command line
 
 set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
 
+
 @rem Execute Gradle
-"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS%
+"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
 
 :end
 @rem End local scope for the variables with windows NT shell

gradlew.bat

@@ -1,10 +1,15 @@
 rootProject.name = 'webauthn-server-parent'
 include ':webauthn-server-attestation'
 include ':webauthn-server-core'
+include ':webauthn-server-core-bundle'
 include ':webauthn-server-demo'
 include ':yubico-util'
 include ':yubico-util-scala'
 
 include ':test-dependent-projects:java-dep-webauthn-server-attestation'
 include ':test-dependent-projects:java-dep-webauthn-server-core'
+include ':test-dependent-projects:java-dep-webauthn-server-core-minimal'
 include ':test-dependent-projects:java-dep-yubico-util'
+
+project(':webauthn-server-core').name = 'webauthn-server-core-minimal'
+project(':webauthn-server-core-bundle').name = 'webauthn-server-core'