search

Yubico / java-webauthn-server

Server-side Web Authentication library for Java https://www.w3.org/TR/webauthn/#rp-operations
Other
443 stars 139 forks source link

Compatibility with java 8 #267

Closed ionelMihai closed 1 year ago

ionelMihai commented 1 year ago

The library doesn't seem to be fully compatible with java 8.

I'm using the library version 2.1.0 on a java 8 monolith and i'm getting the following exception when trying to enrol a passkey from Microsoft Windows.

Caused by: java.lang.NoSuchMethodError: java.nio.ByteBuffer.rewind()Ljava/nio/ByteBuffer; at com.yubico.internal.util.BinaryUtil.encodeUint16(BinaryUtil.java:120) ~[yubico-util-2.1.0.jar:2.1.0] at com.yubico.webauthn.TpmAttestationStatementVerifier$TpmtPublic.name(TpmAttestationStatementVerifier.java:461) ~[webauthn-server-core-2.1.0.jar:2.1.0] at com.yubico.webauthn.TpmAttestationStatementVerifier$TpmtPublic.access$300(TpmAttestationStatementVerifier.java:371) ~[webauthn-server-core-2.1.0.jar:2.1.0] at com.yubico.webauthn.TpmAttestationStatementVerifier.validateCertInfo(TpmAttestationStatementVerifier.java:245) ~[webauthn-server-core-2.1.0.jar:2.1.0] at com.yubico.webauthn.TpmAttestationStatementVerifier.verifyAttestationSignature(TpmAttestationStatementVerifier.java:191) ~[webauthn-server-core-2.1.0.jar:2.1.0] at com.yubico.webauthn.FinishRegistrationSteps$Step19.lambda$validate$0(FinishRegistrationSteps.java:398) ~[webauthn-server-core-2.1.0.jar:2.1.0]

After digging a bit on this, it looks like the issue i have is best described here

Basically, code compiled with a java version higher than 8, may not be fully compatible with running on java 8, that's because some backwards compatibility was break in java 9 for ByteBuffer class. I suppose that this library is compiled with a java version higher than 8.

ionelMihai commented 1 year ago

i've actually found that it was built with openjdk 17.0.4.1. Can we have it compatible with java 8?

ionelMihai commented 1 year ago

i've added a pull request for this https://github.com/Yubico/java-webauthn-server/pull/268 @emlun can you take a look?

emlun commented 1 year ago

Thanks for the report! I've reproduced the issue and intend to release a fixed build tomorrow.

This issue was a bit surprising as we do run the tests in Java 8 as well as 17 - but of course in that case the tests and the library are both compiled and run with JDK 8, so there's no linking mismatch. Stranger still is that ByteBuffer has had a rewind() method since at least Java 8... but it seems like the signature has changed subtly between then and [Java 17](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/nio/ByteBuffer.html#rewind() ). In 17 the method is no longer inherited, and the return type has changed from Buffer to ByteBuffer. That seems to be the cause of the linking mismatch.

emlun commented 1 year ago

The release will slip one or a few days due to some issues with the build configuration. I'll update as soon as I have something to share.

emlun commented 1 year ago

This should be fixed in pre-release 2.4.1-RC1, available now on Maven Central. @ionelMihai could you please check that this version works in your use case? We'll promote this to a proper 2.4.1 release once you've confirmed it's good or in about 2 weeks, whichever comes first.

emlun commented 1 year ago

@ionelMihai Have you had a chance to test the 2.4.1-RC1 build?

ionelMihai commented 1 year ago

@emlun sorry for the late response, i didn't see your previous comment. I've tested 2.4.1-RC1 after it was published. I confirm that it works as expected with java 8.

emlun commented 1 year ago

Great, thanks! We'll go ahead and promote it to the proper 2.4.1 release in the coming few days, then.