Clone wiki

jose4j / Release Notes

jose4j-0.7.9 - August 18, 2021

  • Fix Issue #189 where the A128KW, A192KW, and A256KW algs were not being recognized as available in Java 17.
  • Add an option to JwksDecryptionKeyResolver to try and disambiguate when more than one eligible key is found via by attempting decryption with each of the candidate keys.

jose4j-0.7.8 - June 9, 2021

  • More robust isAvailable() check for HMAC algs
  • Add getter to InvalidJwtException for the original message without details

jose4j-0.7.7 - April 20, 2021

  • Allow for pluggable Concatenation Key Derivation Function for ​Issue #185
  • Implement limited media type processing directly in TypeValidator so as to remove the dependency on javax.activation.MimeType, which has been removed in Java 11

jose4j-0.7.6 - January 27, 2021

  • Only use a PSSParameterSpec when the RSASSA-PSS algorithm name is used for Issue #178

jose4j-0.7.5 - January 26, 2021

  • Address Issue #177 with a check for a system property "org.jose4j.jws.use-legacy-rsapss-alg-names" that when "true" will use the older style algorithm names (<digest>with<encryption>and<mgf> -> SHA256withRSAandMGF1, SHA384withRSAandMGF1, and SHA512withRSAandMGF1) for the RSASSA-PSS class of JWS algs (PS256, PS384 and PS512) rather than RSASSA-PSS

jose4j-0.7.4 - January 5, 2021

  • Address Issue #123 '[JWE] AndroidKeyStoreRSAPrivateKey cannot be cast to RSAPrivateKey' so that the `setDoKeyValidation(false)` workaround on the JWE is no longer needed

jose4j-0.7.3 - December 17, 2020

  • Address Issue #176 with API updates (prepareForSign/prepareForDecrypt) better allowing for use of AndroidKeyStore key that has .setUserAuthenticationRequired(true) by giving access to the Signature/Mac/Cipher/KeyAgreement underlying the JWS/JWE instance so that its use can be authorized with something like the BiometricPrompt (see a simple example project)
  • Address Issue #175 "RSA-PSS support for both JCA algorithm naming standards" with the introduction of a SignatureAlgorithmOverride on ProviderContext that allows for the caller to specify name and parameter spec to create the underlying signature rather than the normal defaults.
  • Check the length of the CEK against the expected key length of the content encryption algorithm (for Issue #170)

jose4j-0.7.2 - June 25, 2020

  • transition to using more inclusive language for the ConstraintType names in AlgorithmConstraints by adding two new enum values (BLOCK & PERMIT) while marking the old ones as deprecated (for Issue #169)

jose4j-0.7.1 - May 22, 2020

  • No longer include the correct MAC in the error message from integrity check failures with AES-CBC + HMAC-SHA2
  • Use ArrayList rather than LinkedList in a couple places (for Issue #165)

jose4j-0.7.0 - October 24, 2019

  • Improved support for working with the "jwk" header including an EmbeddedJwkVerificationKeyResolver and get/set JwkHeader methods on JsonWebStructure for issue #147
  • Added a setIssuedAtRestrictions() to JwtConsumerBuilder that allows restrictions to be placed on how far from the time of evaluation an iat value can acceptably be (for Issue #144)
  • Added explicit type checking support to the JwtConsumer and Builder (Issue #155)
  • Somewhat better error message when the root of the parsed JSON isn't an object (issue #142)
  • Replaced a few cases of catching ClassCastException with instanceof checks (issue #143 & #137)
  • Fixed RFC 7797 unencoded non-detached payloads with JWS Compact Serialization (issue #156)
  • Improved API support for setting JwtConsumerBuilder algorithm constraints for issue #154
  • Addressed issue #153 by adding object typed get/set header methods to JsonWebStructure
  • More proactively detect and throw exception on (long) integer overflow/underflow when handling numeric dates (for issue #157)
  • Minor reworking of the critical header value type coercion
  • Allow subclassing of HttpsJwksVerificationKeyResolver for #149
  • Added a getStringClaimValue(...) method on JwtClaims as a a best effort to get the claim value as string regardless of underlying JSON type - fixing Issue #145
  • Additional context about the cause with InvalidKeyException messages
  • Added automatic module name `org.jose4j`
  • Fixed issue #135 where IssValidator throws NPE when trying to build the error message when no iss claim is present but its configured to require iss with any value being acceptable

jose4j-0.6.5 - January 17, 2019

  • Updated to work with the RSASSA-PSS support recently available in Java 11 for issue #129

jose4j-0.6.4 - July 13, 2018

  • Addressed Issue #121 with an option on JwtConsumerBuilder/JwtConsumer to require that the JWT have some integrity protection, either a signature/MAC JWS or a JWE using a symmetric key management algorithm.
  • Improved concurrency approach of HttpsJwks (per PR13 and fixes)

jose4j-0.6.3 - January 3, 2018

  • Addressed issue #107 with the addition of an SslSocketFactory setter on org.jose4j.http.Get, which allows more control over creating and configuring the secure sockets.
  • Addressed issue #110 to allow for RSA PSS with a provider that doesn't support parameter spec

jose4j-0.6.2 - November 8, 2017

  • Support for the JWS/JWE 'x5c' header parameter (per PR12)

jose4j-0.6.1 - September 20, 2017

  • Explicit call to .end() on Inflater/Deflater now made in JWE compression (per PR11)

jose4j-0.6.0 - July 24, 2017

  • Addressed issue #76 by providing programatic access to specific reasons for JWT invalidity through error codes on InvalidJwtException
  • Addressed Issue #45 with support for the RFC 7797 b64 header for JSON Web Signature (JWS) Unencoded Payload Option
  • Addressed Issue #99 by allowing the JWS payload to be an arbitrary sequence of bytes (rather than only a string)

jose4j-0.5.8 - July 5, 2017

  • A SignatureException out of JCA Signature verify will now return false for signature verification rather than bubbling up an exception

jose4j-0.5.7 - June 12, 2017

  • Addressed #98 with range checks on byte length to bit length calculation
  • Addressed #97 by using the encoded header value as-is from the message when producing the input into signing/HMAC and AEAD tag calculation

jose4j-0.5.6 - May 12, 2017

  • Addressed #95 by allowing JwtConsumer to skip verification key resolution when alg is none by setting an option on the builder
  • Addressed #94 with an option to attempt verification on all candidate keys when more than one eligible are found with HttpsJwksVerificationKeyResolver and JwksVerificationKeyResolver
  • Addressed #78 such that JWK key_ops can now be a SimpleJwkFilter criteria and will be considered (only if present) in VerificationJwkSelector & DecryptionJwkSelector and the key resolvers that use them (HttpsJwksVerificationKeyResolver, JwksVerificationKeyResolver, and JwksDecryptionKeyResolver)

jose4j-0.5.5 - February 15, 2017

  • Prior to ECDH key agreement when consuming a JWE, now checks whether the ephemeral public key is on the private key's curve
  • Addressed #84 algorithm constraint issue with JwtConsumer and some key resolvers

jose4j-0.5.4 - December 16, 2016

  • Addressed #81 so a JWK parameter that is expected to be a String but is a different type will now result in a JoseException with a somewhat descriptive message rather than a ClassCastException

jose4j-0.5.3 - December 7, 2016

  • Addressed #80 where an NPE was being thrown from JWX.setKey() when using an HSM JCA provider
  • Addressed #77 'EC and RSA Key validations fail with Sun PKCS11 Provider' in the validate key checks by only checking RSA key length and EC curve parameters if the key is an instance of the type that has those methods.
  • Addressed #74 with support for HTTP Proxy servers by allowing org.jose4j.http.Get to be set up with a instance

jose4j-0.5.2 - August 10, 2016

  • Addressed #70 by allowing multiple acceptable/expected issuer values to be specified when building a JwtConsumer

jose4j-0.5.1 - May 9, 2016

  • Addressed #65 so that the "class " prefix is not on the logger names of AlgorithmFactory
  • Addressed #63 with support for additional/arbitrary parameters in JWK
  • Addressed #64 by adding key_ops to JWK
  • Addressed #58 by having JwtClaims getAudience() and getStringListClaimValue(name) return an empty list rather than null when the claim isn’t present

jose4j-0.5.0 - March 4, 2016

  • Addressed #37 with some fairly rudimentary but useful support for PEM encoded public keys
  • Addressed #54 by enabling HttpsJwks.getJsonWebKeys() to continue to use the existing cache when an exception is thrown from refresh(). Default behavior is unchanged and setRetainCacheOnErrorDuration(...) must be called with a value larger than zero to get the new behavior.
  • #36 Added support for RFC 7638 JWK thumbprints
  • Addressed #35 by allowing the caller of various JOSE and JWT functionality to specify a particular JCA provider by name for cryptographic operations
  • Addressed #44 by providing a generic callback to JwtConsumer to customize each JWS/JWE
  • Addressed #43 now supports the 'crit' header
  • Fix ClassCastException with AndroidKeyStoreRSAPrivateKey on Android 6.0 Marshmallow
  • Fix #46 by using the original encoded payload in signature verification rather than a re-encoding of the payload
  • Addressed #48 by providing a method for getting a JWS with detached content
  • Fix #38 by not logging secrets and other info from ConcatKeyDerivationFunction
  • Fix #41 allowing users to specify arbitrary NumericDate values
  • Fix #39 - no more NPE by conditionally avoiding key length checks when raw secret key isn’t available because of non-extractable key data due to PKCS11/HSM provider

jose4j-0.4.4 - July 24, 2015

  • Fixed a potential security vulnerability where, when running with the Bouncy Castle (and presumably Spongy Castle) Java security provider, an HMAC JWS could be tricked into reporting a successful verify when the raw encoding of a public key was used as the secret key (more detailed info can be found here)
  • Addressed Issue #18 - slf4j is now used rather than Commons Logging
  • Log levels of non critical messages lowered to debug
  • Jar is now an OSGi bundle

jose4j-0.4.3 - June 19, 2015

  • Fix #028 with even more aggressive exception catching in initialization and checking algorithm availability so that a throwable/error doesn’t kill everything (enabling use on somewhat older Android versions)
  • Fix #025 so now if an explicit evaluation time isn’t given to the JwtConsumeBuilder, a JwtConsumer can be created once and used many times and in multiple threads

jose4j-0.4.2 - May 26, 2015

  • JwtConsumer[Builder] now can be told to relax validation of the verification or deception key, which will more easily allow for things like verification of JWTs signed with a 1024 bit RSA key (i.e. what Google is doing right now) or an HMAC key that is not the full 256 bits
  • Address #019 with more granular options in skipping default JWT validation(s) and added the ability to specify an expected subject value
  • Fix #022 where JSON serialization of a char array wasn't escaping special characters like quote, backslash, etc.
  • Fix #024 to no longer use StandardCharsets in StringUtil as it isn’t available on Android before API level 19
  • Fix #015 where CompactSerializer.serialize() no longer throws unnecessary JoseException
  • Address #014 with a get/setContentTypeHeaderValue on JsonWebStructure as convenient way of dealing with the cty header

jose4j-0.4.1 - March 12, 2015

  • Additions to the APIs for consuming and validating JSON Web Tokens (JWT) which make it easier and more efficient to do a two-pass validation, which can be useful when you need some info from inside the JWT (i.e. the issuer) in order to set up the validation policy
  • Fix #008 where DirectKeyManagementAlgorithm was retuning ASYMMETRIC Key Persuasion rather than SYMMETRIC
  • Fix #009 where DirectKeyManagementAlgorithm was retuning null Key Type rather than "oct"
  • Fix #010 where the AesKeyWrapManagementAlgorithm and AesGcmKeyEncryptionAlgorithm algorithms were using "AES" for Key Type rather than "oct"
  • Fix #011 where HmacUsingShaAlgorithm was using "HMAC" Key Type rather than "oct"
  • Fix #012 where the [HTTP] Get setTrustedCertificates(...) didn't work properly when more than one trusted certificate is given
  • Added an optional and controllable limit to the number of characters that [HTTP] Get will read from the HTTP response body
  • Introduced a JwksDecryptionKeyResolver that will chose a for decryption from a given list of JWKs using the content of the JWE header (mainly kid and x5t etc)

jose4j-0.4.0 - February 13, 2015

  • Introduced extensive new support for producing, consuming and validating JSON Web Tokens (JWT)
  • New and improved JWK filtering/searching capabilities
  • Added support for easily obtaining (and cacheing) JWKs from an HTTPS endpoint
  • x5c is (again) just base64 encoded DER with no chunking/line separation

jose4j-0.3.9 - November 19, 2014

  • Fix #007 where a runtime exception was being thrown from an HSM backed provider during initialization - algorithm availability checking now better handles runtime exceptions.

jose4j-0.3.8 - September 5, 2014

  • Add a system property check that will enable JsonWebSignature to allow the getPayload() method to be called without validating the signature to help support code written agains versions prior to v0.3.3 but running with newer versions. Setting org.jose4j.jws.getPayload-skip-verify=true will make the JsonWebSignature getPayload() method behave as it did prior to v0.3.3, which is to simply return the payload without attempting to verify the signature or throwing an exception.

jose4j-0.3.7 - August 25, 2014

  • JSON processing code derived from the JSON.simple toolkit pulled directly into the jose4j source code to reduce dependancies and enable modifications to the JSON code (forward slashes no longer escaped and some minor efficiency improvements)
  • Base64 code derived from the Apache Commons Codec project pulled directly into the jose4j source code to reduce dependancies and ensure that the requisite implementation is always available
  • Put back the addSeconds(int) method on IntDate so now there’s both addSeconds(int) and addSeconds(long) - code that was compiled against the int version (using v0.2.7 for example) wouldn’t run against v0.3.4 and would give java.lang.NoSuchMethodError: org.jose4j.jwt.IntDate.addSeconds(I)V
  • Add a system property that will enable JsonWebSignature to allow the 'none' algorithm by default to help support code written agains versions prior to 0.3.4 but running with newer versions. Setting org.jose4j.jws.default-allow-none=true will allow JsonWebSignature to use the none alg without explicitly setting AlgorithmConstraints.NO_CONSTRAINTS
  • Add CompactSerialization class back (it had been renamed to CompactSerializer in v0.3.0)
  • The x5c JWK parameter is now PEM encoded with 64 printable characters per line and \r\n as line break rather rather than just base64 encoding the DER with no chunking/line separation
  • Expand the range of commons-logging dependency

jose4j-0.3.6 - June 6, 2014

  • Added JWE support for RSAES OAEP using SHA-256 and MGF1 with SHA-256 key management (RSA-OAEP-256) which was added to draft -26 of JWA at the end of April '14
  • Now published to the Central Maven Repository with a new groupId of org.bitbucket.b_c - i.e.:

jose4j-0.3.5 - April 22, 2014

  • Added JWE support for AES GCM content encryption (A128GCM, A192GCM & A256GCM)
  • Added JWE support for AES GCM key encryption (A128GCMKW, A192GCMKW & A256GCMKW)
  • Added JWE support for PBES2 Key Encryption (PBES2-HS256+A128KW, PBES2-HS384+A192KW & PBES2-HS512+A256KW)
  • Added JWS support for RSA-PSS signatures (PS256, PS384 & PS512)
  • Fixed issues #005 and #006 where certain parameters of EC JWKs and ECDSA signature values were not the full length required by the specifications.
  • Fixed issue #003 where the A256GCM implementation used the wrong algorithm identifier

jose4j-0.3.4 - November 25, 2013

  • JWS/JWE objects now have the ability to whitelist or blacklist the algorithms that will be accepted
  • Breaking change: by default JsonWebSignature will not accept a Plaintext JWS (i.e. "alg":"none"). Applications can use setAlgorithmConstraints(AlgorithmConstraints.NO_CONSTRAINTS) on JsonWebSignature to indicate that a Plaintext JWS is acceptable.
  • addSeconds(...) on IntDate now takes a long rather than an int (this was unfortunately a breaking change for code compiled against earlier versions but run against 0.3.4)

jose4j-0.3.3 - October 22, 2013

  • JsonWebStructure now has a fromCompactSerialization(...) and get/setPayload(...), which allows for client code to treat JWS/JWE more similarly in some cases
  • As a result of the above, JsonWebSignature.getPayload() now checks the signature and throws an exception, if it's not valid. JsonWebSignature.getUnverifiedPayload() can be used to access the payload without the signature check. This is potentially a breaking change at runtime for some usage of the getPayload() method.
  • Some defect fixes and clean up

jose4j-0.3.2 - October 17, 2013

  • JWK toJson now takes a parameter indicating the level of output to produce (i.e. public only, public+symmetric or public+symmetric+private)
  • Improve awareness of handling of algorithm support in the underlying Java runtime
  • Add a simple OctJwkGenerator utility for generateing symmetric JWKs
  • Added some validation to check that the given key is appropriate for the indicated algorithm and give more helpful error messages when it's not

jose4j-0.3.1 - September 16, 2013

jose4j-0.3.0 - August 23, 2013

Introduction of JWE support

  • Introduction of JWE support of Content Encryption "enc" algorithms: A128CBC-HS256, A192CBC-HS384, A256CBC-HS512
  • JEW Key Management "alg" algorithms: ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, RSA-OAEP, RSA1_5, A128KW, A192KW, A256KW, dir

jose4j-0.2.7 - July 19, 2013

  • Added private and symmetric key support in JWK
  • Added utilities to generate EC and RSA JWKs

jose4j-0.2.0 - January 8, 2013

  • Added EC "kty" JWK support
  • Added Elliptic Curve support for JWS with Algorithms "alg": ES256, ES384, ES512

jose4j-0.1.0 - October 31, 2012

  • Introduction of JWK support (only RSA "kty" Key Type)
  • Introduction of JWS support for Algorithms "alg": none, HS256, HS384, HS512, RS256, RS384, RS512

Note: this is not necessarily a complete list of changes. The earlier releases just attempt to capture some of the more notable milestones and additions. More granular change lists are given for more recent releases.