Release 2.5.3

`webauthn-server-attestation`:

Fixes:

- `FidoMetadataDownloader` no longer rejects FIDO MDS metadata BLOBs with
  unknown properties.

Author: emlun

.github/workflows/integration-test.yml

@@ -0,0 +1,52 @@
+# This name is shown in the status badge in the README
+name: integration-test
+
+on:
+  push:
+    branches:
+    - main
+    - 'release-*'
+  schedule:
+    # Run once a week to check compatibility with new FIDO MDS blob contents
+    - cron: '0 0 * * 1'
+
+jobs:
+  test:
+    name: JDK ${{ matrix.java }} ${{ matrix.distribution }}
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        java: [17]
+        distribution: [temurin]
+
+    outputs:
+        report-java: 17
+        report-dist: temurin
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - name: Set up JDK ${{ matrix.java }}
+      uses: actions/setup-java@v4
+      with:
+        java-version: ${{ matrix.java }}
+        distribution: ${{ matrix.distribution }}
+
+    - name: Run integration tests
+      run: ./gradlew integrationTest
+
+    - name: Archive HTML test report
+      if: ${{ always() }}
+      uses: actions/upload-artifact@v4
+      with:
+        name: test-reports-java${{ matrix.java }}-${{ matrix.distribution }}-html
+        path: "*/build/reports/**"
+
+    - name: Archive JUnit test report
+      if: ${{ always() }}
+      uses: actions/upload-artifact@v4
+      with:
+        name: test-reports-java${{ matrix.java }}-${{ matrix.distribution }}-xml
+        path: "*/build/test-results/**/*.xml"

NEWS

@@ -1,3 +1,13 @@
+== Version 2.5.3 ==
+
+`webauthn-server-attestation`:
+
+Fixes:
+
+* `FidoMetadataDownloader` no longer rejects FIDO MDS metadata BLOBs with
+  unknown properties.
+
+
 == Version 2.5.2 ==
 
 Fixes:

README

@@ -10,12 +10,12 @@ repositories {
 }
 
 dependencies {
-  implementation("info.solidsoft.gradle.pitest:gradle-pitest-plugin:1.9.11")
+  implementation("info.solidsoft.gradle.pitest:gradle-pitest-plugin:1.15.0")
   implementation("io.franzbecker:gradle-lombok:5.0.0")
 
   // Spotless dropped Java 8 support in version 2.33.0
   if (JavaVersion.current().isJava11Compatible) {
-    implementation("com.diffplug.spotless:spotless-plugin-gradle:6.19.0")
-    implementation("io.github.cosmicsilence:gradle-scalafix:0.1.14")
+    implementation("com.diffplug.spotless:spotless-plugin-gradle:6.25.0")
+    implementation("io.github.cosmicsilence:gradle-scalafix:0.2.2")
   }
 }

buildSrc/build.gradle.kts

@@ -13,9 +13,10 @@ spotless {
 scalafix {
     configFile.set(project.rootProject.file("scalafix.conf"))
 
-    // Work around dependency resolution issues in April 2022
-    semanticdb.autoConfigure.set(true)
-    semanticdb.version.set("4.5.5")
+    if (project.name != "yubico-util-scala") {
+        // yubico-util-scala is the only subproject with Scala sources in the "main" source set
+        ignoreSourceSets.add("main")
+    }
 }
 
 project.dependencies.scalafix("com.github.liancheng:organize-imports_2.13:0.6.0")

buildSrc/src/main/groovy/project-convention-code-formatting-internal.gradle

@@ -4,7 +4,7 @@ plugins {
 }
 
 pitest {
-    pitestVersion.set("1.9.5")
+    pitestVersion.set("1.15.0")
     timestampedReports.set(false)
 
     outputFormats.set(listOf("XML", "HTML"))

buildSrc/src/main/kotlin/project-convention-pitest.gradle.kts

@@ -9,12 +9,12 @@ dependencies {
     api("junit:junit:4.13.2")
     api("org.bouncycastle:bcpkix-jdk18on:[1.62,2)")
     api("org.bouncycastle:bcprov-jdk18on:[1.62,2)")
-    api("org.mockito:mockito-core:4.7.0")
-    api("org.scalacheck:scalacheck_2.13:1.16.0")
-    api("org.scalatest:scalatest_2.13:3.2.13")
-    api("org.scalatestplus:junit-4-13_2.13:3.2.13.0")
-    api("org.scalatestplus:scalacheck-1-16_2.13:3.2.13.0")
-    api("org.slf4j:slf4j-nop:2.0.3")
+    api("org.mockito:mockito-core:4.11.0")
+    api("org.scalacheck:scalacheck_2.13:1.18.0")
+    api("org.scalatest:scalatest_2.13:3.2.18")
+    api("org.scalatestplus:junit-4-13_2.13:3.2.18.0")
+    api("org.scalatestplus:scalacheck-1-16_2.13:3.2.14.0")
+    api("org.slf4j:slf4j-nop:2.0.13")
     api("uk.org.lidalia:slf4j-test:1.2.0")
   }
 }

test-platform/build.gradle.kts

@@ -25,7 +25,6 @@
 package com.yubico.fido.metadata;
 
 import com.fasterxml.jackson.core.Base64Variants;
-import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.yubico.fido.metadata.FidoMetadataDownloaderException.Reason;
 import com.yubico.internal.util.BinaryUtil;
@@ -1172,9 +1171,7 @@ private static ParseResult parseBlob(ByteArray jwt) throws IOException, Base64Ur
     final ByteArray jwtSignature = ByteArray.fromBase64Url(s.next());
 
     final ObjectMapper headerJsonMapper =
-        com.yubico.internal.util.JacksonCodecs.json()
-            .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true)
-            .setBase64Variant(Base64Variants.MIME_NO_LINEFEEDS);
+        JacksonCodecs.json().setBase64Variant(Base64Variants.MIME_NO_LINEFEEDS);
 
     return new ParseResult(
         new MetadataBLOB(

webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/FidoMetadataDownloader.java

@@ -5,8 +5,13 @@
 
 class JacksonCodecs {
 
-  static ObjectMapper jsonWithDefaultEnums() {
+  static ObjectMapper json() {
     return com.yubico.internal.util.JacksonCodecs.json()
+        .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
+  }
+
+  static ObjectMapper jsonWithDefaultEnums() {
+    return json()
         .configure(DeserializationFeature.READ_UNKNOWN_ENUM_VALUES_USING_DEFAULT_VALUE, true);
   }
 }

webauthn-server-attestation/src/main/java/com/yubico/fido/metadata/JacksonCodecs.java

@@ -44,7 +44,7 @@ layer.
 This layer manages the general architecture of the system, and is where most
 business logic and integration code would go. The demo server implements the
 "persistent" storage of users and credential registrations - the
-link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.2/com/yubico/webauthn/CredentialRepository.html[`CredentialRepository`]
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.3/com/yubico/webauthn/CredentialRepository.html[`CredentialRepository`]
 integration point - as the
 link:src/main/java/demo/webauthn/InMemoryRegistrationStorage.java[`InMemoryRegistrationStorage`]
 class, which simply keeps them stored in memory for a limited time. The
@@ -58,7 +58,7 @@ would be specific to a particular Relying Party (RP) would go in this layer.
 - The server layer in turn calls the *library layer*, which is where the
   link:../webauthn-server-core/[`webauthn-server-core`]
   library gets involved. The entry point into the library is the
-  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.2/com/yubico/webauthn/RelyingParty.html[`RelyingParty`]
+  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.3/com/yubico/webauthn/RelyingParty.html[`RelyingParty`]
   class.
 +
 This layer implements the Web Authentication
@@ -69,11 +69,11 @@ and exposes integration points for storage of challenges and credentials. Some
 notable integration points are:
 +
 ** The library user must provide an implementation of the
-link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.2/com/yubico/webauthn/CredentialRepository.html[`CredentialRepository`]
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.3/com/yubico/webauthn/CredentialRepository.html[`CredentialRepository`]
 interface to use for looking up stored public keys, user handles and signature
 counters.
 ** The library user can optionally provide an instance of the
-link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.2/com/yubico/webauthn/attestation/AttestationTrustSource.html[`AttestationTrustSource`]
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.3/com/yubico/webauthn/attestation/AttestationTrustSource.html[`AttestationTrustSource`]
 interface to enable identification and validation of authenticator models. This
 instance is then used to look up trusted attestation root certificates. The
 link:../webauthn-server-attestation/[`webauthn-server-attestation`]
@@ -158,7 +158,7 @@ correct environment.
     Authentication demo'`
 
   - `YUBICO_WEBAUTHN_USE_FIDO_MDS`: If set to `true` (case-insensitive), use
-    https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.2/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
+    https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.3/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
     from the link:../webauthn-server-attestation[`webauthn-server-attestation`]
     module as a source of attestation data in addition to the static JSON file
     bundled with the demo. This will write cache files to the