is jose4j protected against this vulnerability?
Issue #16
resolved
Comments (4)
repo owner - marked as task
repo owner Unless you are using Bouncy Castle as a Java security provider, in which case the public key as an HMAC secret key attack may be possible. Version 0.4.4 fixes that - https://bitbucket.org/b_c/jose4j/wiki/Release%20Notes. And I've added some info about it at https://bitbucket.org/b_c/jose4j/wiki/04-01-15-Transparency
repo owner - changed status to resolved
ce54d81 addressed the one problem when used w/ BC
Short answer is yes, jose4j has protections against those vulnerabilities.
More detailed info can be found at https://bitbucket.org/b_c/jose4j/wiki/04-01-15-Transparency
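
A defence-in-depth check against the "public key as an HMAC secret key" confusion mentioned in this thread, as an added example that is not from the jose4j project or from the comments above: the verifier pins the accepted JWS algorithm to the one that matches its key, so a token whose header names an HMAC algorithm is refused before any key is used. It is not the change made in 0.4.4; the class name, claim values and the random HMAC secret are constructed for illustration.

```java
import java.security.Key;
import java.security.SecureRandom;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.HmacKey;

public class PinnedAlgorithmExample {   // hypothetical class name
    // Build a signed JWT with constructed claims under the given algorithm and key.
    static String sign(String alg, Key key) throws Exception {
        JwtClaims claims = new JwtClaims();
        claims.setSubject("constructed-subject");
        claims.setExpirationTimeMinutesInTheFuture(5);
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setAlgorithmHeaderValue(alg);
        jws.setKey(key);
        return jws.getCompactSerialization();
    }

    public static void main(String[] args) throws Exception {
        RsaJsonWebKey rsa = RsaJwkGenerator.generateJwk(2048);
        // The verifier holds an RSA public key, so only RS256 is acceptable.
        JwtConsumer consumer = new JwtConsumerBuilder()
            .setVerificationKey(rsa.getPublicKey())
            .setJwsAlgorithmConstraints(new AlgorithmConstraints(
                ConstraintType.WHITELIST, AlgorithmIdentifiers.RSA_USING_SHA256))
            .setRequireExpirationTime()
            .build();
        String good = sign(AlgorithmIdentifiers.RSA_USING_SHA256, rsa.getPrivateKey());
        System.out.println("RS256 accepted, sub=" + consumer.processToClaims(good).getSubject());
        // Constructed HS256 token signed with an unrelated random secret:
        // the header's alg alone must be enough to get it rejected.
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        String hs = sign(AlgorithmIdentifiers.HMAC_SHA256, new HmacKey(secret));
        try {
            consumer.processToClaims(hs);
            System.out.println("HS256 accepted: verifier is misconfigured");
        } catch (InvalidJwtException e) {
            System.out.println("HS256 rejected: " + e.getMessage());
        }
    }
}
```

Newer jose4j releases also offer `ConstraintType.PERMIT` as the preferred name for the same constraint.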