Merge branch '0.10.x'
31b4386b64
|
@ -1,5 +1,11 @@
|
|||
## Release Notes
|
||||
|
||||
### 0.10.3
|
||||
|
||||
This is a minor patch release that fixed a key length assertion for `SignatureAlgorithm.forSigningKey` that was
|
||||
failing in Android environments. The Android dependencies and ProGuard exclusions documentation was updated as
|
||||
well to reflect Android Studio 3.0 conventions.
|
||||
|
||||
### 0.10.2
|
||||
|
||||
This is a minor patch release that ensures the `OrgJsonSerializer` and `OrgJsonDeserializer` implementations are
|
||||
|
|
26
README.md
26
README.md
|
@ -179,18 +179,18 @@ If you're building a (non-Android) JDK project, you will want to define the foll
|
|||
<dependency>
|
||||
<groupId>io.jsonwebtoken</groupId>
|
||||
<artifactId>jjwt-api</artifactId>
|
||||
<version>0.10.2</version>
|
||||
<version>0.10.3</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>io.jsonwebtoken</groupId>
|
||||
<artifactId>jjwt-impl</artifactId>
|
||||
<version>0.10.2</version>
|
||||
<version>0.10.3</version>
|
||||
<scope>runtime</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>io.jsonwebtoken</groupId>
|
||||
<artifactId>jjwt-jackson</artifactId>
|
||||
<version>0.10.2</version>
|
||||
<version>0.10.3</version>
|
||||
<scope>runtime</scope>
|
||||
</dependency>
|
||||
<!-- Uncomment this next dependency if you want to use RSASSA-PSS (PS256, PS384, PS512) algorithms:
|
||||
|
@ -209,11 +209,11 @@ If you're building a (non-Android) JDK project, you will want to define the foll
|
|||
|
||||
```groovy
|
||||
dependencies {
|
||||
compile 'io.jsonwebtoken:jjwt-api:0.10.2'
|
||||
runtime 'io.jsonwebtoken:jjwt-impl:0.10.2',
|
||||
compile 'io.jsonwebtoken:jjwt-api:0.10.3'
|
||||
runtime 'io.jsonwebtoken:jjwt-impl:0.10.3',
|
||||
// Uncomment the next line if you want to use RSASSA-PSS (PS256, PS384, PS512) algorithms:
|
||||
//'org.bouncycastle:bcprov-jdk15on:1.60',
|
||||
'io.jsonwebtoken:jjwt-jackson:0.10.2'
|
||||
'io.jsonwebtoken:jjwt-jackson:0.10.3'
|
||||
}
|
||||
```
|
||||
|
||||
|
@ -229,13 +229,13 @@ Add the dependencies to your project:
|
|||
|
||||
```groovy
|
||||
dependencies {
|
||||
compile 'io.jsonwebtoken:jjwt-api:0.10.2'
|
||||
runtime 'io.jsonwebtoken:jjwt-impl:0.10.2'
|
||||
runtime('io.jsonwebtoken:jjwt-orgjson:0.10.2') {
|
||||
api 'io.jsonwebtoken:jjwt-api:0.10.3'
|
||||
runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.10.3'
|
||||
runtimeOnly('io.jsonwebtoken:jjwt-orgjson:0.10.3') {
|
||||
exclude group: 'org.json', module: 'json' //provided by Android natively
|
||||
}
|
||||
// Uncomment the next line if you want to use RSASSA-PSS (PS256, PS384, PS512) algorithms:
|
||||
//runtime 'org.bouncycastle:bcprov-jdk15on:1.60'
|
||||
//runtimeOnly 'org.bouncycastle:bcprov-jdk15on:1.60'
|
||||
}
|
||||
```
|
||||
|
||||
|
@ -250,6 +250,8 @@ You can use the following [Android Proguard](https://developer.android.com/studi
|
|||
-keep class io.jsonwebtoken.** { *; }
|
||||
-keepnames class io.jsonwebtoken.* { *; }
|
||||
-keepnames interface io.jsonwebtoken.* { *; }
|
||||
-dontwarn org.json.JSONString
|
||||
-dontwarn org.json.JSONWriter
|
||||
|
||||
-keep class org.bouncycastle.** { *; }
|
||||
-keepnames class org.bouncycastle.** { *; }
|
||||
|
@ -1192,7 +1194,7 @@ scope which is the typical JJWT default). That is:
|
|||
<dependency>
|
||||
<groupId>io.jsonwebtoken</groupId>
|
||||
<artifactId>jjwt-jackson</artifactId>
|
||||
<version>0.10.2</version>
|
||||
<version>0.10.3</version>
|
||||
<scope>compile</scope> <!-- Not runtime -->
|
||||
</dependency>
|
||||
```
|
||||
|
@ -1201,7 +1203,7 @@ scope which is the typical JJWT default). That is:
|
|||
|
||||
```groovy
|
||||
dependencies {
|
||||
compile 'io.jsonwebtoken:jjwt-jackson:0.10.2'
|
||||
compile 'io.jsonwebtoken:jjwt-jackson:0.10.3'
|
||||
}
|
||||
```
|
||||
|
||||
|
|
|
@ -554,18 +554,20 @@ public enum SignatureAlgorithm {
|
|||
if (key instanceof SecretKey) {
|
||||
|
||||
SecretKey secretKey = (SecretKey)key;
|
||||
String secretKeyAlg = secretKey.getAlgorithm();
|
||||
int bitLength = io.jsonwebtoken.lang.Arrays.length(secretKey.getEncoded()) * Byte.SIZE;
|
||||
|
||||
for(SignatureAlgorithm alg : PREFERRED_HMAC_ALGS) {
|
||||
if (alg.jcaName.equals(secretKeyAlg)) {
|
||||
alg.assertValidSigningKey(key);
|
||||
// ensure compatibility check is based on key length. See https://github.com/jwtk/jjwt/issues/381
|
||||
if (bitLength >= alg.minKeyLength) {
|
||||
return alg;
|
||||
}
|
||||
}
|
||||
|
||||
String msg = "The specified SecretKey algorithm did not equal one of the three required JCA " +
|
||||
"algorithm names of HmacSHA256, HmacSHA384, or HmacSHA512.";
|
||||
throw new InvalidKeyException(msg);
|
||||
String msg = "The specified SecretKey is not strong enough to be used with JWT HMAC signature " +
|
||||
"algorithms. The JWT specification requires HMAC keys to be >= 256 bits long. The specified " +
|
||||
"key is " + bitLength + " bits. See https://tools.ietf.org/html/rfc7518#section-3.2 for more " +
|
||||
"information.";
|
||||
throw new WeakKeyException(msg);
|
||||
}
|
||||
|
||||
if (key instanceof RSAKey) {
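Review bot: The rewritten loop chooses an HMAC algorithm from key length alone; the `alg.jcaName.equals(secretKeyAlg)` test and the `alg.assertValidSigningKey(key)` call are gone, so a `SecretKey` whose JCA algorithm is not HmacSHA256/384/512 (the test this commit deletes used `'AES'`) is now accepted as long as it is at least 256 bits. If that relaxation is deliberate for Android (issue 381 is cited on the comment line), the method's Javadoc, which starts outside this hunk, should state that only the encoded key length is checked and the key's algorithm name is ignored. `secretKey.getEncoded()` may return null for keys whose material is not extractable; assuming `io.jsonwebtoken.lang.Arrays.length` maps null to 0, such a key falls through to a `WeakKeyException` reporting "0 bits", which misleads the caller — consider a distinct message before computing `bitLength`, e.g. `if (secretKey.getEncoded() == null) throw new InvalidKeyException("The SecretKey's encoded form is unavailable, so its length cannot be verified.");`. Which of the three algorithms a key longer than 256 bits maps to depends on the order of `PREFERRED_HMAC_ALGS`, which is not visible in this hunk.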
|
||||
|
|
|
@ -186,17 +186,6 @@ class SignatureAlgorithmTest {
|
|||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
void testForSigningKeySecretKeyInvalidAlgName() {
|
||||
try {
|
||||
SignatureAlgorithm.forSigningKey(new SecretKeySpec(new byte[1], 'AES'))
|
||||
fail()
|
||||
} catch (InvalidKeyException e) {
|
||||
assertEquals "The specified SecretKey algorithm did not equal one of the three required JCA " +
|
||||
"algorithm names of HmacSHA256, HmacSHA384, or HmacSHA512.", e.message
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
void testForSigningKeySecretKeyWeakKey() {
|
||||
try {
|
||||
|
|
|
@ -32,6 +32,9 @@ class KeysImplTest {
|
|||
SecretKey key = Keys.secretKeyFor(alg)
|
||||
assertEquals alg.minKeyLength, key.getEncoded().length * 8 //convert byte count to bit count
|
||||
assertEquals alg.jcaName, key.algorithm
|
||||
alg.assertValidSigningKey(key)
|
||||
alg.assertValidVerificationKey(key)
|
||||
assertEquals alg, SignatureAlgorithm.forSigningKey(key) // https://github.com/jwtk/jjwt/issues/381
|
||||
} else {
|
||||
try {
|
||||
Keys.secretKeyFor(alg)
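Review bot: The added `assertEquals alg, SignatureAlgorithm.forSigningKey(key)` only pins the case where the key length equals `alg.minKeyLength`, because `Keys.secretKeyFor(alg)` produced the key two lines above. With the JCA-name comparison removed from `forSigningKey`, a key longer than one algorithm's minimum (for instance 48 bytes) could map to more than one of HS256/HS384/HS512 depending on `PREFERRED_HMAC_ALGS` ordering, and a `SecretKey` with a non-HMAC algorithm name of sufficient length is now accepted; neither case is covered here or elsewhere once the `'AES'` test is deleted. A case such as `SignatureAlgorithm.forSigningKey(new SecretKeySpec(new byte[48], 'HmacSHA384'))`, asserted against whichever algorithm is intended, would document the selection rule. The enclosing test method starts outside this hunk.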
|
||||
|
|