Merge branch '0.10.x'

This commit is contained in:
Les Hazlewood 2018-08-13 20:32:36 -04:00
commit 31b4386b64
5 changed files with 31 additions and 29 deletions


@ -1,5 +1,11 @@
## Release Notes
### 0.10.3
This is a minor patch release that fixed a key length assertion for `SignatureAlgorithm.forSigningKey` that was
failing in Android environments. The Android dependencies and ProGuard exclusions documentation was updated as
well to reflect Android Studio 3.0 conventions.
### 0.10.2
This is a minor patch release that ensures the `OrgJsonSerializer` and `OrgJsonDeserializer` implementations are


@ -179,18 +179,18 @@ If you're building a (non-Android) JDK project, you will want to define the foll
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-api</artifactId>
<version>0.10.2</version>
<version>0.10.3</version>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-impl</artifactId>
<version>0.10.2</version>
<version>0.10.3</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-jackson</artifactId>
<version>0.10.2</version>
<version>0.10.3</version>
<scope>runtime</scope>
</dependency>
<!-- Uncomment this next dependency if you want to use RSASSA-PSS (PS256, PS384, PS512) algorithms:
@ -209,11 +209,11 @@ If you're building a (non-Android) JDK project, you will want to define the foll
```groovy
dependencies {
compile 'io.jsonwebtoken:jjwt-api:0.10.2'
runtime 'io.jsonwebtoken:jjwt-impl:0.10.2',
compile 'io.jsonwebtoken:jjwt-api:0.10.3'
runtime 'io.jsonwebtoken:jjwt-impl:0.10.3',
// Uncomment the next line if you want to use RSASSA-PSS (PS256, PS384, PS512) algorithms:
//'org.bouncycastle:bcprov-jdk15on:1.60',
'io.jsonwebtoken:jjwt-jackson:0.10.2'
'io.jsonwebtoken:jjwt-jackson:0.10.3'
}
```
@ -229,13 +229,13 @@ Add the dependencies to your project:
```groovy
dependencies {
compile 'io.jsonwebtoken:jjwt-api:0.10.2'
runtime 'io.jsonwebtoken:jjwt-impl:0.10.2'
runtime('io.jsonwebtoken:jjwt-orgjson:0.10.2') {
api 'io.jsonwebtoken:jjwt-api:0.10.3'
runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.10.3'
runtimeOnly('io.jsonwebtoken:jjwt-orgjson:0.10.3') {
exclude group: 'org.json', module: 'json' //provided by Android natively
}
// Uncomment the next line if you want to use RSASSA-PSS (PS256, PS384, PS512) algorithms:
//runtime 'org.bouncycastle:bcprov-jdk15on:1.60'
//runtimeOnly 'org.bouncycastle:bcprov-jdk15on:1.60'
}
```
@ -250,6 +250,8 @@ You can use the following [Android Proguard](https://developer.android.com/studi
-keep class io.jsonwebtoken.** { *; }
-keepnames class io.jsonwebtoken.* { *; }
-keepnames interface io.jsonwebtoken.* { *; }
-dontwarn org.json.JSONString
-dontwarn org.json.JSONWriter
-keep class org.bouncycastle.** { *; }
-keepnames class org.bouncycastle.** { *; }
@ -1192,7 +1194,7 @@ scope which is the typical JJWT default). That is:
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-jackson</artifactId>
<version>0.10.2</version>
<version>0.10.3</version>
<scope>compile</scope> <!-- Not runtime -->
</dependency>
```
@ -1201,7 +1203,7 @@ scope which is the typical JJWT default). That is:
```groovy
dependencies {
compile 'io.jsonwebtoken:jjwt-jackson:0.10.2'
compile 'io.jsonwebtoken:jjwt-jackson:0.10.3'
}
```


@ -554,18 +554,20 @@ public enum SignatureAlgorithm {
if (key instanceof SecretKey) {
SecretKey secretKey = (SecretKey)key;
String secretKeyAlg = secretKey.getAlgorithm();
int bitLength = io.jsonwebtoken.lang.Arrays.length(secretKey.getEncoded()) * Byte.SIZE;
for(SignatureAlgorithm alg : PREFERRED_HMAC_ALGS) {
if (alg.jcaName.equals(secretKeyAlg)) {
alg.assertValidSigningKey(key);
// ensure compatibility check is based on key length. See https://github.com/jwtk/jjwt/issues/381
if (bitLength >= alg.minKeyLength) {
return alg;
}
}
String msg = "The specified SecretKey algorithm did not equal one of the three required JCA " +
"algorithm names of HmacSHA256, HmacSHA384, or HmacSHA512.";
throw new InvalidKeyException(msg);
String msg = "The specified SecretKey is not strong enough to be used with JWT HMAC signature " +
"algorithms. The JWT specification requires HMAC keys to be >= 256 bits long. The specified " +
"key is " + bitLength + " bits. See https://tools.ietf.org/html/rfc7518#section-3.2 for more " +
"information.";
throw new WeakKeyException(msg);
}
if (key instanceof RSAKey) {
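Review bot: The new length comparison `if (bitLength >= alg.minKeyLength)` gives a misleading failure for a SecretKey whose `getEncoded()` returns null (non-extractable keys from a keystore or HSM): if `io.jsonwebtoken.lang.Arrays.length` maps null to 0, as its name suggests, such a key falls through to the WeakKeyException stating "key is 0 bits" although its strength was never measured. A distinct check before the loop would separate the two cases, e.g. `byte[] encoded = secretKey.getEncoded(); if (encoded == null) { throw new InvalidKeyException("The SecretKey's encoded form is not available, so its strength cannot be evaluated."); }` with `bitLength` then derived from `encoded`. On the new side of this hunk `secretKeyAlg` (assigned from `secretKey.getAlgorithm()`) no longer appears to be read; if the jcaName comparison is indeed gone, drop the local or say in a comment why the declared algorithm name is deliberately ignored. A comment on the loop such as `// PREFERRED_HMAC_ALGS is iterated strongest-first, so the first algorithm the key length satisfies is the strongest one it supports` would also help, assuming that ordering holds (it is not visible in this hunk). forSigningKey begins and ends outside the hunk.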


@ -186,17 +186,6 @@ class SignatureAlgorithmTest {
}
}
@Test
void testForSigningKeySecretKeyInvalidAlgName() {
try {
SignatureAlgorithm.forSigningKey(new SecretKeySpec(new byte[1], 'AES'))
fail()
} catch (InvalidKeyException e) {
assertEquals "The specified SecretKey algorithm did not equal one of the three required JCA " +
"algorithm names of HmacSHA256, HmacSHA384, or HmacSHA512.", e.message
}
}
@Test
void testForSigningKeySecretKeyWeakKey() {
try {


@ -32,6 +32,9 @@ class KeysImplTest {
SecretKey key = Keys.secretKeyFor(alg)
assertEquals alg.minKeyLength, key.getEncoded().length * 8 //convert byte count to bit count
assertEquals alg.jcaName, key.algorithm
alg.assertValidSigningKey(key)
alg.assertValidVerificationKey(key)
assertEquals alg, SignatureAlgorithm.forSigningKey(key) // https://github.com/jwtk/jjwt/issues/381
} else {
try {
Keys.secretKeyFor(alg)
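Review bot: The added assertion `assertEquals alg, SignatureAlgorithm.forSigningKey(key)` only exercises keys produced by `Keys.secretKeyFor(alg)`, whose algorithm name is already asserted to equal `alg.jcaName` two lines above, so it does not pin the scenario the release notes describe (a key whose JCA algorithm name differs from the expected Hmac name). The only test that used a differently named key, `SignatureAlgorithm.forSigningKey(new SecretKeySpec(new byte[1], 'AES'))` in SignatureAlgorithmTest, is removed in this commit without a replacement. If the intended behaviour is that selection depends on key length alone, a test such as `assertEquals SignatureAlgorithm.HS256, SignatureAlgorithm.forSigningKey(new SecretKeySpec(new byte[32], 'AES'))` would document and protect that decision; I am inferring the expected result from the new length check, so confirm it against the implementation.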