Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-24 13:02:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

Deprecate the X5T JOSE Header name

Browse Source 
Closes gh-16979

Signed-off-by: Pat McCusker <patmccusker14@gmail.com>
This commit is contained in:
Pat McCusker 2025-05-16 18:33:36 -04:00 committed by Josh Cummings
parent fd4f06a66e
commit 5517d8fe3a
2 changed files with 26 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JoseHeader.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2023 the original author or authors. * Copyright 2002-2025 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -119,7 +119,15 @@ class JoseHeader {
* thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate * thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate
* corresponding to the key used to digitally sign the JWS or encrypt the JWE. * corresponding to the key used to digitally sign the JWS or encrypt the JWE.
* @return the X.509 certificate SHA-1 thumbprint * @return the X.509 certificate SHA-1 thumbprint
* @deprecated The SHA-1 algorithm has been proven to be vulnerable to collision
* attacks and should not be used. See the <a target="_blank" href=
* "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">Google
* Security Blog</a> for more info.
* @see <a target="_blank" href=
* "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">Announcing
* the first SHA1 collision</a>
*/ */
@Deprecated
public String getX509SHA1Thumbprint() { public String getX509SHA1Thumbprint() {
return getHeader(JoseHeaderNames.X5T); return getHeader(JoseHeaderNames.X5T);
} }
@ -271,7 +279,15 @@ class JoseHeader {
* corresponding to the key used to digitally sign the JWS or encrypt the JWE. * corresponding to the key used to digitally sign the JWS or encrypt the JWE.
* @param x509SHA1Thumbprint the X.509 certificate SHA-1 thumbprint * @param x509SHA1Thumbprint the X.509 certificate SHA-1 thumbprint
* @return the {@link AbstractBuilder} * @return the {@link AbstractBuilder}
* @deprecated The SHA-1 algorithm has been proven to be vulnerable to collision
* attacks and should not be used. See the <a target="_blank" href=
* "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">Google
* Security Blog</a> for more info.
* @see <a target="_blank" href=
* "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">Announcing
* the first SHA1 collision</a>
*/ */
@Deprecated
public B x509SHA1Thumbprint(String x509SHA1Thumbprint) { public B x509SHA1Thumbprint(String x509SHA1Thumbprint) {
return header(JoseHeaderNames.X5T, x509SHA1Thumbprint); return header(JoseHeaderNames.X5T, x509SHA1Thumbprint);
} }

10
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JoseHeaderNames.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2021 the original author or authors. * Copyright 2002-2025 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -76,7 +76,15 @@ public final class JoseHeaderNames {
* {@code x5t} - the X.509 certificate SHA-1 thumbprint header is a base64url-encoded * {@code x5t} - the X.509 certificate SHA-1 thumbprint header is a base64url-encoded
* SHA-1 thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate * SHA-1 thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate
* corresponding to the key used to digitally sign a JWS or encrypt a JWE * corresponding to the key used to digitally sign a JWS or encrypt a JWE
* @deprecated The SHA-1 algorithm has been proven to be vulnerable to collision
* attacks and should not be used. See the <a target="_blank" href=
* "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">Google
* Security Blog</a> for more info.
* @see <a target="_blank" href=
* "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">Announcing
* the first SHA1 collision</a>
*/ */
@Deprecated
public static final String X5T = "x5t"; public static final String X5T = "x5t";
/** /**