Release 0.6.0

Breaking changes:

- Classes moved from package `com.yubico.webauthn.data` to
  `com.yubico.webauthn`:
  -  `AssertionRequest`
  -  `AssertionResult`
  -  `RegistrationResult`
- All public classes are now final.
- All builders now enforce mandatory arguments at compile time. Some
  usages may therefore need to adjust the order of calls on the builder
  instance.
  - Static method `Attestation.trusted(boolean)` replaced with
    `.builder()` with `.trusted(boolean)` as builder method instead
  - `AuthenticatorAssertionResponse` constructor is now private.
  - `AuthenticatorAttestationResponse` constructor is now private.
  - `PublicKeyCredentialDescriptor` constructor is now private.
  - `PublicKeyCredentialRequestOptions` constructor is now private.
- All classes that take collections as constructor (builder) arguments
  now make shallow copies of those collections, so that mutations of the
  collections don't propagate into the class instance.
- Deleted interface `Crypto` and constructor parameter `crypto` of
  `RelyingParty`
- Deleted interface `ChallengeGenerator` and constructor parameter
  `challengeGenerator` of `RelyingParty`
- Updated implementation to agree with current editor's draft of the
  spec
  - Renamed class `AttestationData` to `AttestedCredentialData`
  - Enum constant `TokenBindingStatus.NOT_SUPPORTED` deleted; this is
    now instead signaled by a missing value
  - Parameter `RelyingParty.allowMissingTokenBinding` therefore removed
  - Enum constant `AttestationType.PRIVACY_CA` renamed to
    `ATTESTATION_CA`
- Renamed class `AuthenticationDataFlags` to `AuthenticatorDataFlags`
- Deleted constant `UserVerificationRequirement.DEFAULT`
- Deleted method `AttestationObject.getAuthData()`
- Changed type of field `RelyingParty.origins` from `List` to `Set`
- Fixed (reduced) visibility of `RegisteredCredential` fields
- Class `MetadataObject` moved to `webauthn-server-attestation` module
- Updated and greatly expanded Javadoc

New features:

- Constructor parameter `pubKeyCredParams` of `RelyingParty` is now
  optional with a default value.
- Constructor parameter `origins` of `RelyingParty` is now optional and
  defaults to a list whose only element is the RP ID prefixed with
  `https://`.
- All classes with a builder now also have a `.toBuilder()` method.

.gitmodules

@@ -0,0 +1,4 @@
+[submodule "lombok"]
+	path = lombok
+	url = https://github.com/emlun/lombok.git
+	branch = builder-javadoc

.travis.yml

@@ -1,11 +1,23 @@
 language: java
+
+env:
+  global:
+    secure: sX5sJd2EUgzIT7uQN0YxA3faVHymBG/QPZ/St5IPqoQIXjZAMYBM0D1MrVOYaSOhgVKOJt+5vwCYU7MlY9Ha0rUPJgUPT+6CkVgUVCsQ1e8srAzaYp4ceIYaW2XpUIwhKHPBezulV3nLANRs0FibEN+eqTgL5A/qKtsU49BtQ1iUAVFFOzGcR48avo1UYxS0FLw+7MRLgH5NA6KJVHiGChx9P3oLYAhPylgDzRv6iFf5H5v9azQI4eLo6bSQwm++j0UpH4t8m+at7eGuzNsadYY0M9SoUwuJxQZiwtImYJJtGJD92QtV9m+yny4+RocXchgZDj3e9vx06ZqXaeF3U3o49YUX5ACerVV12yOxGZsuuxfevaQa9Mk4xEOwGkhva5I+8vfo8MRxm7ymelExn25zpsMlmj6GjBio3z1q/FGYdyXrcGoVNrvAgozs+0yW2jYtDVo7DNu8J2mur/C/gmi+xA6rkuEJQIQ3hWuWYVe7DUzdii5MG9/9AdwI14b3uyezh1EJ8tza5MScDQijTvD9sGxarruKS59VuJapqrJSU5E87CnlU6gQx7qXJVGvpTXZOw7ZzsdszSDQ3Jc9uNBSdtBQ2i7egEyTE+RQWsdtje/H0s3ZYyIw8qrQ1kIUDQKk7jl8Uvwf+zn/36JBgZMVIIO0hmDFnyB9wBGd7lk=
+
 jdk:
   - openjdk8
   - oraclejdk8
+
+script:
+  - ./gradlew check assembleJavadoc
+
 after_success:
   - ./gradlew coveralls
 
-addons:
-  hosts:
-    - travis-issue-5227-workaround
-  hostname: travis-issue-5227-workaround
+deploy:
+  provider: pages
+  skip-cleanup: true
+  github-token: $PAGES_DEPLOY_KEY
+  on:
+    branch: master
+  local-dir: 'build/javadoc'

NEWS

@@ -1,3 +1,51 @@
+== Version 0.6.0 (unreleased) ==
+
+=== `webauthn-server-core` ===
+
+Breaking changes:
+
+* Classes moved from package `com.yubico.webauthn.data` to `com.yubico.webauthn`:
+ **  `AssertionRequest`
+ **  `AssertionResult`
+ **  `RegistrationResult`
+* All public classes are now final.
+* All builders now enforce mandatory arguments at compile time. Some usages may
+  therefore need to adjust the order of calls on the builder instance.
+ ** Static method `Attestation.trusted(boolean)` replaced with `.builder()` with
+    `.trusted(boolean)` as builder method instead
+ ** `AuthenticatorAssertionResponse` constructor is now private.
+ ** `AuthenticatorAttestationResponse` constructor is now private.
+ ** `PublicKeyCredentialDescriptor` constructor is now private.
+ ** `PublicKeyCredentialRequestOptions` constructor is now private.
+* All classes that take collections as constructor (builder) arguments now make
+  shallow copies of those collections, so that mutations of the collections
+  don't propagate into the class instance.
+* Deleted interface `Crypto` and constructor parameter `crypto` of `RelyingParty`
+* Deleted interface `ChallengeGenerator` and constructor parameter
+  `challengeGenerator` of `RelyingParty`
+* Updated implementation to agree with current editor's draft of the spec
+ ** Renamed class `AttestationData` to `AttestedCredentialData`
+ ** Enum constant `TokenBindingStatus.NOT_SUPPORTED` deleted; this is now
+    instead signaled by a missing value
+ ** Parameter `RelyingParty.allowMissingTokenBinding` therefore removed
+ ** Enum constant `AttestationType.PRIVACY_CA` renamed to `ATTESTATION_CA`
+* Renamed class `AuthenticationDataFlags` to `AuthenticatorDataFlags`
+* Deleted constant `UserVerificationRequirement.DEFAULT`
+* Deleted method `AttestationObject.getAuthData()`
+* Changed type of field `RelyingParty.origins` from `List` to `Set`
+* Fixed (reduced) visibility of `RegisteredCredential` fields
+* Class `MetadataObject` moved to `webauthn-server-attestation` module
+* Updated and greatly expanded Javadoc
+
+New features:
+
+* Constructor parameter `pubKeyCredParams` of `RelyingParty` is now optional
+  with a default value.
+* Constructor parameter `origins` of `RelyingParty` is now optional and defaults
+  to a list whose only element is the RP ID prefixed with `https://`.
+* All classes with a builder now also have a `.toBuilder()` method.
+
+
 == Version 0.5.0 ==
 
 === `webauthn-server-core` ===

README

@@ -17,8 +17,10 @@ authenticators and authenticating registered authenticators.
 === Planned breaking changes
 
 * Update spec version from Candidate Recommendation 2018-03-20 to Proposed
-  Recommendation 2018-11-??. This will involve renaming a couple of classes
-  and methods.
+  Recommendation 2018-12-??. This will include at least:
+ ** Renaming class `AttestationData` to `AttestedCredentialData`
+ ** Deleting enum value `TokenBindingStatus.NOT_SUPPORTED` and constructor
+    `TokenBindingInfo.notSupported()`
 
 
 === Example Usage

build.gradle

@@ -12,9 +12,12 @@ buildscript {
 plugins {
   id 'com.github.kt3k.coveralls' version '2.8.1'
   id 'io.codearte.nexus-staging' version '0.9.0'
-  id 'net.researchgate.release' version '2.4.0'
+  id 'io.franzbecker.gradle-lombok' version '1.14'
 }
 
+import io.franzbecker.gradle.lombok.LombokPlugin
+import io.franzbecker.gradle.lombok.task.DelombokTask
+
 project.ext.isCiBuild = System.env.CI == 'true'
 
 project.ext.publishEnabled = !isCiBuild &&
@@ -40,12 +43,25 @@ allprojects  {
   apply plugin: 'com.cinnober.gradle.semver-git'
   apply plugin: 'java'
   apply plugin: 'idea'
+  apply plugin: LombokPlugin
 
   group = 'com.yubico'
 
   sourceCompatibility = 1.8
   targetCompatibility = 1.8
 
+  lombok {
+    version '1.18.4'
+    sha256 = '39f3922deb679b1852af519eb227157ef2dd0a21eec3542c8ce1b45f2df39742'
+  }
+  configurations.all {
+    resolutionStrategy {
+      dependencySubstitution {
+        substitute module('org.projectlombok:lombok') with module('com.yubico:lombok:1.18.5-custom')
+      }
+    }
+  }
+
   tasks.withType(JavaCompile) {
     options.encoding = 'UTF-8'
   }
@@ -57,6 +73,7 @@ allprojects  {
   repositories {
     mavenLocal()
 
+    maven { url uri("${rootProject.projectDir}/lib") }
     maven { url "http://repo.maven.apache.org/maven2" }
   }
 
@@ -74,23 +91,55 @@ allprojects  {
 
 evaluationDependsOnChildren()
 
-subprojects {
+task assembleJavadoc(type: Sync) {
+  from("docs/index.html") {
+    expand project.properties
+  }
+  destinationDir = file("${rootProject.buildDir}/javadoc")
+}
+
+subprojects { project ->
   task packageSources(type: Jar) {
     classifier = 'sources'
     from sourceSets.main.allSource
   }
   artifacts.archives packageSources
 
+  task delombok(type: DelombokTask, dependsOn: classes) {
+    ext.outputDir = file("${buildDir}/delombok")
+    outputs.dir outputDir
+    sourceSets.main.java.srcDirs.each {
+      inputs.dir it
+      args(it, '-d', outputDir)
+    }
+    doFirst {
+      outputDir.deleteDir()
+    }
+  }
+
+  javadoc {
+    dependsOn delombok
+    source = delombok.outputDir
+    options.encoding = 'UTF-8'
+    options.addStringOption('charset', 'UTF-8')
+  }
+
   task packageJavadoc(type: Jar) {
     classifier = 'javadoc'
     inputs.files javadoc.outputs
     from javadoc.destinationDir
   }
   artifacts.archives packageJavadoc
 
-  dependencies {
+  rootProject.tasks.assembleJavadoc {
+    dependsOn javadoc
+    inputs.dir javadoc.destinationDir
+    from(javadoc.destinationDir) {
+      into project.name
+    }
+  }
 
-    compileOnly 'org.projectlombok:lombok:1.18.2'
+  dependencies {
 
     compile(
       'org.slf4j:slf4j-api:1.7.25',

docs/index.html

@@ -0,0 +1,15 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<title>Javadoc index - java-webauthn-server ${version}</title>
+<link rel="stylesheet" type="text/css" href="webauthn-server-core/stylesheet.css" title="Style">
+</head>
+<body style="padding: 1em 2em">
+  <h2>Modules:</h2>
+  <ul>
+    <li><a href="webauthn-server-attestation/">webauthn-server-attestation</a></li>
+    <li><a href="webauthn-server-core/">webauthn-server-core</a></li>
+  </ul>
+</body>
+</html>

lib/com/yubico/lombok/1.18.5-custom/README.md

@@ -0,0 +1,17 @@
+Custom Lombok build that also copies javadoc from field definitions to builder
+setters.
+
+Build using the `lombok` submodule. Building Lombok requires JDK 10, therefore
+it is not integrated directly into the Gradle build. It is built as such:
+
+```
+$ git submodule update --init
+$ cd lombok
+$ ant setupJavaOracle8TestEnvironment
+$ rm ../lombok.config
+$ ant test
+$ ant dist
+$ cp dist/lombok-1.18.5.jar ../lib/com/yubico/lombok/1.18.5-custom/lombok-1.18.5-custom.jar
+$ cd ..
+$ git checkout -- lombok.config
+```

webauthn-server-core/src/main/java/com/yubico/webauthn/attestation/MetadataObject.java → webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/MetadataObject.java

@@ -49,7 +49,7 @@
 @Slf4j
 @JsonIgnoreProperties(ignoreUnknown = true)
 @EqualsAndHashCode(of = { "data" }, callSuper = false)
-public class MetadataObject {
+public final class MetadataObject {
     private static final ObjectMapper OBJECT_MAPPER = WebAuthnCodecs.json();
 
     private static final TypeReference<Map<String, String>> MAP_STRING_STRING_TYPE = new TypeReference<Map<String, String>>() {

webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/StandardMetadataService.java

@@ -40,10 +40,10 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-public class StandardMetadataService implements MetadataService {
+public final class StandardMetadataService implements MetadataService {
     private static final Logger logger = LoggerFactory.getLogger(StandardMetadataService.class);
 
-    private final Attestation unknownAttestation = Attestation.builder(false).build();
+    private final Attestation unknownAttestation = Attestation.empty();
     private final AttestationResolver attestationResolver;
     private final Cache<String, Attestation> cache;
 

webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/matcher/ExtensionMatcher.java

@@ -36,7 +36,7 @@
 import org.bouncycastle.asn1.DEROctetString;
 
 @Slf4j
-public class ExtensionMatcher implements DeviceMatcher {
+public final class ExtensionMatcher implements DeviceMatcher {
     private static final Charset CHARSET = Charset.forName("UTF-8");
 
     public static final String SELECTOR_TYPE = "x509Extension";

webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/matcher/FingerprintMatcher.java

@@ -30,7 +30,7 @@
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 
-public class FingerprintMatcher implements DeviceMatcher {
+public final class FingerprintMatcher implements DeviceMatcher {
     public static final String SELECTOR_TYPE = "fingerprint";
 
     private static final String FINGERPRINTS_KEY = "fingerprints";

webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/CompositeAttestationResolver.java

@@ -24,10 +24,10 @@
 
 package com.yubico.webauthn.attestation.resolver;
 
+import com.yubico.internal.util.CollectionUtil;
 import com.yubico.webauthn.attestation.Attestation;
 import com.yubico.webauthn.attestation.AttestationResolver;
 import java.security.cert.X509Certificate;
-import java.util.Collections;
 import java.util.List;
 import java.util.Optional;
 
@@ -37,12 +37,12 @@
  * each of the subordinate {@link AttestationResolver}s in turn, and returns
  * the first non-<code>null</code> result.
  */
-public class CompositeAttestationResolver implements AttestationResolver {
+public final class CompositeAttestationResolver implements AttestationResolver {
 
     private final List<AttestationResolver> resolvers;
 
     public CompositeAttestationResolver(List<AttestationResolver> resolvers) {
-        this.resolvers = Collections.unmodifiableList(resolvers);
+        this.resolvers = CollectionUtil.immutableList(resolvers);
     }
 
     @Override

webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/CompositeTrustResolver.java

@@ -24,9 +24,9 @@
 
 package com.yubico.webauthn.attestation.resolver;
 
+import com.yubico.internal.util.CollectionUtil;
 import com.yubico.webauthn.attestation.TrustResolver;
 import java.security.cert.X509Certificate;
-import java.util.Collections;
 import java.util.List;
 import java.util.Optional;
 
@@ -36,12 +36,12 @@
  * List)} on each of the subordinate {@link TrustResolver}s in turn, and
  * returns the first non-<code>null</code> result.
  */
-public class CompositeTrustResolver implements TrustResolver {
+public final class CompositeTrustResolver implements TrustResolver {
 
     private final List<TrustResolver> resolvers;
 
     public CompositeTrustResolver(List<TrustResolver> resolvers) {
-        this.resolvers = Collections.unmodifiableList(resolvers);
+        this.resolvers = CollectionUtil.immutableList(resolvers);
     }
 
     @Override

webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/SimpleAttestationResolver.java

@@ -29,6 +29,7 @@
 import com.google.common.collect.Lists;
 import com.google.common.collect.Maps;
 import com.yubico.internal.util.CertificateParser;
+import com.yubico.internal.util.CollectionUtil;
 import com.yubico.internal.util.ExceptionUtil;
 import com.yubico.webauthn.attestation.Attestation;
 import com.yubico.webauthn.attestation.AttestationResolver;
@@ -41,7 +42,6 @@
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.Collection;
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -50,7 +50,7 @@
 import lombok.NonNull;
 
 
-public class SimpleAttestationResolver implements AttestationResolver {
+public final class SimpleAttestationResolver implements AttestationResolver {
 
     private static final String SELECTORS = "selectors";
     private static final String SELECTOR_TYPE = "type";
@@ -81,7 +81,7 @@ public SimpleAttestationResolver(
         }
 
         this.trustResolver = trustResolver;
-        this.matchers = Collections.unmodifiableMap(matchers);
+        this.matchers = CollectionUtil.immutableMap(matchers);
     }
 
     public SimpleAttestationResolver(Collection<MetadataObject> objects, TrustResolver trustResolver) throws CertificateException {
@@ -122,7 +122,8 @@ public Optional<Attestation> resolve(X509Certificate attestationCertificate, Lis
                 }
             }
 
-            return Attestation.builder(true)
+            return Attestation.builder()
+                .trusted(true)
                 .metadataIdentifier(Optional.ofNullable(identifier))
                 .vendorProperties(Optional.of(vendorProperties))
                 .deviceProperties(Optional.ofNullable(deviceProperties))
@@ -182,7 +183,8 @@ private static int getTransports(X509Certificate cert) {
 
     @Override
     public Attestation untrustedFromCertificate(X509Certificate attestationCertificate) {
-        return Attestation.builder(false)
+        return Attestation.builder()
+            .trusted(false)
             .transports(Optional.of(Transport.fromInt(getTransports(attestationCertificate))))
             .build();
     }

webauthn-server-attestation/src/main/java/com/yubico/webauthn/attestation/resolver/SimpleTrustResolver.java

@@ -51,7 +51,7 @@
  * Assesses whether an argument certificate can be trusted, and if so, by what
  * trusted root certificate.
  */
-public class SimpleTrustResolver implements TrustResolver {
+public final class SimpleTrustResolver implements TrustResolver {
 
     private static final Logger logger = LoggerFactory.getLogger(SimpleTrustResolver.class);