license headers, impl checkpoint

2021-10-11 13:34:42 -07:00 · 2021-10-11 13:34:42 -07:00 · 36b450258b
parent 23ef0333a3
commit 36b450258b
69 changed files with 994 additions and 58 deletions
--- a/api/src/main/java/io/jsonwebtoken/Identifiable.java
+++ b/api/src/main/java/io/jsonwebtoken/Identifiable.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken;

 /**
--- a/api/src/main/java/io/jsonwebtoken/Jwe.java
+++ b/api/src/main/java/io/jsonwebtoken/Jwe.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken;

 /**
--- a/api/src/main/java/io/jsonwebtoken/JweBuilder.java
+++ b/api/src/main/java/io/jsonwebtoken/JweBuilder.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken;

 import io.jsonwebtoken.security.KeyAlgorithm;
--- a/api/src/main/java/io/jsonwebtoken/JweHeader.java
+++ b/api/src/main/java/io/jsonwebtoken/JweHeader.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken;

 /**
@ -10,57 +25,57 @@ public interface JweHeader extends Header<JweHeader> {
    /**
     * JWE <a href="https://tools.ietf.org/html/rfc7516#section-4.1.1">Algorithm Header</a> name: the string literal <b><code>alg</code></b>
     */
-    public static final String ALGORITHM = "alg";
+    String ALGORITHM = "alg";

    /**
     * JWE <a href="https://tools.ietf.org/html/rfc7516#section-4.1.2">Encryption Algorithm Header</a> name: the string literal <b><code>enc</code></b>
     */
-    public static final String ENCRYPTION_ALGORITHM = "enc";
+    String ENCRYPTION_ALGORITHM = "enc";

    /**
     * JWE <a href="https://tools.ietf.org/html/rfc7516#section-4.1.3">Compression Algorithm Header</a> name: the string literal <b><code>zip</code></b>
     */
-    public static final String COMPRESSION_ALGORITHM = "zip";
+    String COMPRESSION_ALGORITHM = "zip";

    /**
     * JWE <a href="https://tools.ietf.org/html/rfc7516#section-4.1.4">JWK Set URL Header</a> name: the string literal <b><code>jku</code></b>
     */
-    public static final String JWK_SET_URL = "jku";
+    String JWK_SET_URL = "jku";

    /**
     * JWE <a href="https://tools.ietf.org/html/rfc7516#section-4.1.5">JSON Web Key Header</a> name: the string literal <b><code>jwk</code></b>
     */
-    public static final String JSON_WEB_KEY = "jwk";
+    String JSON_WEB_KEY = "jwk";

    /**
     * JWE <a href="https://tools.ietf.org/html/rfc7516#section-4.1.6">Key ID Header</a> name: the string literal <b><code>kid</code></b>
     */
-    public static final String KEY_ID = "kid";
+    String KEY_ID = "kid";

    /**
     * JWE <a href="https://tools.ietf.org/html/rfc7516#section-4.1.7">X.509 URL Header</a> name: the string literal <b><code>x5u</code></b>
     */
-    public static final String X509_URL = "x5u";
+    String X509_URL = "x5u";

    /**
     * JWE <a href="https://tools.ietf.org/html/rfc7516#section-4.1.8">X.509 Certificate Chain Header</a> name: the string literal <b><code>x5c</code></b>
     */
-    public static final String X509_CERT_CHAIN = "x5c";
+    String X509_CERT_CHAIN = "x5c";

    /**
     * JWE <a href="https://tools.ietf.org/html/rfc7516#section-4.1.9">X.509 Certificate SHA-1 Thumbprint Header</a> name: the string literal <b><code>x5t</code></b>
     */
-    public static final String X509_CERT_SHA1_THUMBPRINT = "x5t";
+    String X509_CERT_SHA1_THUMBPRINT = "x5t";

    /**
     * JWE <a href="https://tools.ietf.org/html/rfc7516#section-4.1.10">X.509 Certificate SHA-256 Thumbprint Header</a> name: the string literal <b><code>x5t#S256</code></b>
     */
-    public static final String X509_CERT_SHA256_THUMBPRINT = "x5t#S256";
+    String X509_CERT_SHA256_THUMBPRINT = "x5t#S256";

    /**
     * JWE <a href="https://tools.ietf.org/html/rfc7516#section-4.1.13">Critical Header</a> name: the string literal <b><code>crit</code></b>
     */
-    public static final String CRITICAL = "crit";
+    String CRITICAL = "crit";

    /**
     * Returns the JWE <a href="https://tools.ietf.org/html/rfc7516#section-4.1.2"><code>enc</code></a> (Encryption
--- a/api/src/main/java/io/jsonwebtoken/JwsBuilder.java
+++ b/api/src/main/java/io/jsonwebtoken/JwsBuilder.java
@ -1,7 +0,0 @@
-package io.jsonwebtoken;
-
-/**
- * @since JJWT_RELEASE_VERSION
- */
-public interface JwsBuilder extends JwtBuilder<JwsBuilder> {
-}
--- a/api/src/main/java/io/jsonwebtoken/Locator.java
+++ b/api/src/main/java/io/jsonwebtoken/Locator.java
@ -1,5 +1,23 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken;

+/**
+ * @since JJWT_RELEASE_VERSION
+ */
 public interface Locator<H extends Header<H>, R> {

    R locate(H header);
--- a/api/src/main/java/io/jsonwebtoken/security/LocatorAdapter.java
+++ b/api/src/main/java/io/jsonwebtoken/security/LocatorAdapter.java
@ -1,11 +1,25 @@
-package io.jsonwebtoken.security;
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;

-import io.jsonwebtoken.Header;
-import io.jsonwebtoken.JweHeader;
-import io.jsonwebtoken.JwsHeader;
-import io.jsonwebtoken.Locator;
 import io.jsonwebtoken.lang.Assert;

+/**
+ * @since JJWT_RELEASE_VERSION
+ */
 public abstract class LocatorAdapter<H extends Header<H>, R> implements Locator<H, R> {

    @Override
--- a/api/src/main/java/io/jsonwebtoken/SigningKeyResolverAdapter.java
+++ b/api/src/main/java/io/jsonwebtoken/SigningKeyResolverAdapter.java
@ -21,10 +21,19 @@ import javax.crypto.spec.SecretKeySpec;
 import java.security.Key;

 /**
+ * <h4>Deprecation Notice</h4>
+ * <p>As of JJWT JJWT_RELEASE_VERSION, various Resolver concepts (including the {@code SigningKeyResolver}) have been
+ * unified into a single {@link Locator} interface.  For key location, (for both signing and encryption keys),
+ * use the {@link JwtParserBuilder#setKeyLocator(Locator)} to configure a parser with your desired Key locator instead
+ * of using a {@code SigningKeyResolver}. Also see {@link LocatorAdapter} for the Adapter pattern parallel of this
+ * class. <b>This {@code SigningKeyResolverAdapter} class will be removed before the 1.0 release.</b></p>
+ *
+ * <h4>Previous Documentation</h4>
 * An <a href="http://en.wikipedia.org/wiki/Adapter_pattern">Adapter</a> implementation of the
 * {@link SigningKeyResolver} interface that allows subclasses to process only the type of JWS body that
 * is known/expected for a particular case.
 *
+ * <h4>Previous Documentation</h4>
 * <p>The {@link #resolveSigningKey(JwsHeader, Claims)} and {@link #resolveSigningKey(JwsHeader, String)} method
 * implementations delegate to the
 * {@link #resolveSigningKeyBytes(JwsHeader, Claims)} and {@link #resolveSigningKeyBytes(JwsHeader, String)} methods
@ -36,17 +45,22 @@ import java.security.Key;
 * are not overridden, one (or both) of the *KeyBytes variants must be overridden depending on your expected
 * use case.  You do not have to override any method that does not represent an expected condition.</p>
 *
+ * @see io.jsonwebtoken.JwtParserBuilder#setKeyLocator(Locator)
+ * @see LocatorAdapter
 * @since 0.4
+ * @deprecated since JJWT_RELEASE_VERSION. Use {@link LocatorAdapter LocatorAdapter} with
+ * {@link JwtParserBuilder#setKeyLocator(Locator)}
 */
+@Deprecated
 public class SigningKeyResolverAdapter implements SigningKeyResolver {

    @Override
    public Key resolveSigningKey(JwsHeader header, Claims claims) {
        SignatureAlgorithm alg = SignatureAlgorithm.forName(header.getAlgorithm());
        Assert.isTrue(alg.isHmac(), "The default resolveSigningKey(JwsHeader, Claims) implementation cannot be " +
-                                    "used for asymmetric key algorithms (RSA, Elliptic Curve).  " +
-                                    "Override the resolveSigningKey(JwsHeader, Claims) method instead and return a " +
-                                    "Key instance appropriate for the " + alg.name() + " algorithm.");
+            "used for asymmetric key algorithms (RSA, Elliptic Curve).  " +
+            "Override the resolveSigningKey(JwsHeader, Claims) method instead and return a " +
+            "Key instance appropriate for the " + alg.name() + " algorithm.");
        byte[] keyBytes = resolveSigningKeyBytes(header, claims);
        return new SecretKeySpec(keyBytes, alg.getJcaName());
    }
@ -55,9 +69,9 @@ public class SigningKeyResolverAdapter implements SigningKeyResolver {
    public Key resolveSigningKey(JwsHeader header, String plaintext) {
        SignatureAlgorithm alg = SignatureAlgorithm.forName(header.getAlgorithm());
        Assert.isTrue(alg.isHmac(), "The default resolveSigningKey(JwsHeader, String) implementation cannot be " +
-                                    "used for asymmetric key algorithms (RSA, Elliptic Curve).  " +
-                                    "Override the resolveSigningKey(JwsHeader, String) method instead and return a " +
-                                    "Key instance appropriate for the " + alg.name() + " algorithm.");
+            "used for asymmetric key algorithms (RSA, Elliptic Curve).  " +
+            "Override the resolveSigningKey(JwsHeader, String) method instead and return a " +
+            "Key instance appropriate for the " + alg.name() + " algorithm.");
        byte[] keyBytes = resolveSigningKeyBytes(header, plaintext);
        return new SecretKeySpec(keyBytes, alg.getJcaName());
    }
@ -76,9 +90,9 @@ public class SigningKeyResolverAdapter implements SigningKeyResolver {
     */
    public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
        throw new UnsupportedJwtException("The specified SigningKeyResolver implementation does not support " +
-                                          "Claims JWS signing key resolution.  Consider overriding either the " +
-                                          "resolveSigningKey(JwsHeader, Claims) method or, for HMAC algorithms, the " +
-                                          "resolveSigningKeyBytes(JwsHeader, Claims) method.");
+            "Claims JWS signing key resolution.  Consider overriding either the " +
+            "resolveSigningKey(JwsHeader, Claims) method or, for HMAC algorithms, the " +
+            "resolveSigningKeyBytes(JwsHeader, Claims) method.");
    }

    /**
@ -86,14 +100,14 @@ public class SigningKeyResolverAdapter implements SigningKeyResolver {
     * key bytes.  This implementation simply throws an exception: if the JWS parsed is a plaintext JWS, you must
     * override this method or the {@link #resolveSigningKey(JwsHeader, String)} method instead.
     *
-     * @param header the parsed {@link JwsHeader}
+     * @param header  the parsed {@link JwsHeader}
     * @param payload the parsed String plaintext payload
     * @return the signing key bytes to use to verify the JWS signature.
     */
    public byte[] resolveSigningKeyBytes(JwsHeader header, String payload) {
        throw new UnsupportedJwtException("The specified SigningKeyResolver implementation does not support " +
-                                          "plaintext JWS signing key resolution.  Consider overriding either the " +
-                                          "resolveSigningKey(JwsHeader, String) method or, for HMAC algorithms, the " +
-                                          "resolveSigningKeyBytes(JwsHeader, String) method.");
+            "plaintext JWS signing key resolution.  Consider overriding either the " +
+            "resolveSigningKey(JwsHeader, String) method or, for HMAC algorithms, the " +
+            "resolveSigningKeyBytes(JwsHeader, String) method.");
    }
 }
--- a/api/src/main/java/io/jsonwebtoken/security/AeadResult.java
+++ b/api/src/main/java/io/jsonwebtoken/security/AeadResult.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 /**
--- a/api/src/main/java/io/jsonwebtoken/security/AssociatedDataSupplier.java
+++ b/api/src/main/java/io/jsonwebtoken/security/AssociatedDataSupplier.java
@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016 jsonwebtoken.io
+ * Copyright (C) 2021 jsonwebtoken.io
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/api/src/main/java/io/jsonwebtoken/security/AsymmetricJwk.java
+++ b/api/src/main/java/io/jsonwebtoken/security/AsymmetricJwk.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.net.URI;
@ -5,6 +20,9 @@ import java.security.Key;
 import java.security.cert.X509Certificate;
 import java.util.List;

+/**
+ * @since JJWT_RELEASE_VERSION
+ */
 public interface AsymmetricJwk<K extends Key> extends Jwk<K> {

    String getPublicKeyUse();
--- a/api/src/main/java/io/jsonwebtoken/security/AsymmetricJwkBuilder.java
+++ b/api/src/main/java/io/jsonwebtoken/security/AsymmetricJwkBuilder.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.net.URI;
@ -5,6 +20,9 @@ import java.security.Key;
 import java.security.cert.X509Certificate;
 import java.util.List;

+/**
+ * @since JJWT_RELEASE_VERSION
+ */
 public interface AsymmetricJwkBuilder<K extends Key, J extends AsymmetricJwk<K>, T extends AsymmetricJwkBuilder<K, J, T>> extends JwkBuilder<K, J, T> {

    T setPublicKeyUse(String use);
--- a/api/src/main/java/io/jsonwebtoken/security/AsymmetricKeyGenerator.java
+++ b/api/src/main/java/io/jsonwebtoken/security/AsymmetricKeyGenerator.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.security.KeyPair;
--- a/api/src/main/java/io/jsonwebtoken/security/AsymmetricKeySignatureAlgorithm.java
+++ b/api/src/main/java/io/jsonwebtoken/security/AsymmetricKeySignatureAlgorithm.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.security.PrivateKey;
--- a/api/src/main/java/io/jsonwebtoken/security/CryptoException.java
+++ b/api/src/main/java/io/jsonwebtoken/security/CryptoException.java
@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016 jsonwebtoken.io
+ * Copyright (C) 2021 jsonwebtoken.io
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/api/src/main/java/io/jsonwebtoken/security/CryptoRequest.java
+++ b/api/src/main/java/io/jsonwebtoken/security/CryptoRequest.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.security.Key;
--- a/api/src/main/java/io/jsonwebtoken/security/DigestSupplier.java
+++ b/api/src/main/java/io/jsonwebtoken/security/DigestSupplier.java
@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016 jsonwebtoken.io
+ * Copyright (C) 2021 jsonwebtoken.io
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
--- a/api/src/main/java/io/jsonwebtoken/security/EcKeyAlgorithm.java
+++ b/api/src/main/java/io/jsonwebtoken/security/EcKeyAlgorithm.java
@ -1,8 +1,26 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.interfaces.ECKey;

+/**
+ * @since JJWT_RELEASE_VERSION
+ */
 public interface EcKeyAlgorithm<E extends ECKey & PublicKey, D extends ECKey & PrivateKey> extends KeyAlgorithm<E, D> {
 }
--- a/api/src/main/java/io/jsonwebtoken/security/EcPrivateJwk.java
+++ b/api/src/main/java/io/jsonwebtoken/security/EcPrivateJwk.java
@ -1,7 +1,25 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.security.interfaces.ECPrivateKey;
 import java.security.interfaces.ECPublicKey;

+/**
+ * @since JJWT_RELEASE_VERSION
+ */
 public interface EcPrivateJwk extends PrivateJwk<ECPrivateKey, ECPublicKey, EcPublicJwk> {
 }
--- a/api/src/main/java/io/jsonwebtoken/security/EcPrivateJwkBuilder.java
+++ b/api/src/main/java/io/jsonwebtoken/security/EcPrivateJwkBuilder.java
@ -1,7 +1,25 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.security.interfaces.ECPrivateKey;
 import java.security.interfaces.ECPublicKey;

+/**
+ * @since JJWT_RELEASE_VERSION
+ */
 public interface EcPrivateJwkBuilder extends PrivateJwkBuilder<ECPrivateKey, ECPublicKey, EcPublicJwk, EcPrivateJwk, EcPrivateJwkBuilder> {
 }
--- a/api/src/main/java/io/jsonwebtoken/security/EcPublicJwk.java
+++ b/api/src/main/java/io/jsonwebtoken/security/EcPublicJwk.java
@ -1,6 +1,24 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.security.interfaces.ECPublicKey;

+/**
+ * @since JJWT_RELEASE_VERSION
+ */
 public interface EcPublicJwk extends PublicJwk<ECPublicKey> {
 }
--- a/api/src/main/java/io/jsonwebtoken/security/EcPublicJwkBuilder.java
+++ b/api/src/main/java/io/jsonwebtoken/security/EcPublicJwkBuilder.java
@ -1,7 +1,25 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.security.interfaces.ECPrivateKey;
 import java.security.interfaces.ECPublicKey;

+/**
+ * @since JJWT_RELEASE_VERSION
+ */
 public interface EcPublicJwkBuilder extends PublicJwkBuilder<ECPublicKey, ECPrivateKey, EcPublicJwk, EcPrivateJwk, EcPrivateJwkBuilder, EcPublicJwkBuilder> {
 }
--- a/api/src/main/java/io/jsonwebtoken/security/EllipticCurveSignatureAlgorithm.java
+++ b/api/src/main/java/io/jsonwebtoken/security/EllipticCurveSignatureAlgorithm.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.security.PrivateKey;
--- a/api/src/main/java/io/jsonwebtoken/security/EncryptionAlgorithms.java
+++ b/api/src/main/java/io/jsonwebtoken/security/EncryptionAlgorithms.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import io.jsonwebtoken.lang.Assert;
--- a/api/src/main/java/io/jsonwebtoken/security/InitializationVectorSupplier.java
+++ b/api/src/main/java/io/jsonwebtoken/security/InitializationVectorSupplier.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 /**
--- a/api/src/main/java/io/jsonwebtoken/security/Jwk.java
+++ b/api/src/main/java/io/jsonwebtoken/security/Jwk.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import io.jsonwebtoken.Identifiable;
--- a/api/src/main/java/io/jsonwebtoken/security/JwkBuilder.java
+++ b/api/src/main/java/io/jsonwebtoken/security/JwkBuilder.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.security.Key;
--- a/api/src/main/java/io/jsonwebtoken/security/Jwks.java
+++ b/api/src/main/java/io/jsonwebtoken/security/Jwks.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import io.jsonwebtoken.lang.Classes;
--- a/api/src/main/java/io/jsonwebtoken/security/KeyAlgorithm.java
+++ b/api/src/main/java/io/jsonwebtoken/security/KeyAlgorithm.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import io.jsonwebtoken.Identifiable;
--- a/api/src/main/java/io/jsonwebtoken/security/KeyAlgorithms.java
+++ b/api/src/main/java/io/jsonwebtoken/security/KeyAlgorithms.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import io.jsonwebtoken.lang.Assert;
--- a/api/src/main/java/io/jsonwebtoken/security/KeyRequest.java
+++ b/api/src/main/java/io/jsonwebtoken/security/KeyRequest.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import io.jsonwebtoken.JweHeader;
--- a/api/src/main/java/io/jsonwebtoken/security/KeyResult.java
+++ b/api/src/main/java/io/jsonwebtoken/security/KeyResult.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import javax.crypto.SecretKey;
--- a/api/src/main/java/io/jsonwebtoken/security/KeySupplier.java
+++ b/api/src/main/java/io/jsonwebtoken/security/KeySupplier.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.security.Key;
--- a/api/src/main/java/io/jsonwebtoken/security/MalformedKeyException.java
+++ b/api/src/main/java/io/jsonwebtoken/security/MalformedKeyException.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 /**
--- a/api/src/main/java/io/jsonwebtoken/security/PayloadSupplier.java
+++ b/api/src/main/java/io/jsonwebtoken/security/PayloadSupplier.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 /**
--- a/api/src/main/java/io/jsonwebtoken/security/PbeKey.java
+++ b/api/src/main/java/io/jsonwebtoken/security/PbeKey.java
@ -1,7 +1,25 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import javax.crypto.SecretKey;

+/**
+ * @since JJWT_RELEASE_VERSION
+ */
 public interface PbeKey extends SecretKey {

    char[] getPassword();
--- a/api/src/main/java/io/jsonwebtoken/security/PbeKeyBuilder.java
+++ b/api/src/main/java/io/jsonwebtoken/security/PbeKeyBuilder.java
@ -1,7 +1,25 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import javax.crypto.interfaces.PBEKey;

+/**
+ * @since JJWT_RELEASE_VERSION
+ */
 public interface PbeKeyBuilder<K extends PbeKey> {

    PbeKeyBuilder<K> forKey(PBEKey jcaKey);
--- a/api/src/main/java/io/jsonwebtoken/security/PrivateJwk.java
+++ b/api/src/main/java/io/jsonwebtoken/security/PrivateJwk.java
@ -1,9 +1,27 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.security.KeyPair;
 import java.security.PrivateKey;
 import java.security.PublicKey;

+/**
+ * @since JJWT_RELEASE_VERSION
+ */
 public interface PrivateJwk<K extends PrivateKey, L extends PublicKey, M extends PublicJwk<L>> extends AsymmetricJwk<K> {

    M toPublicJwk();
--- a/api/src/main/java/io/jsonwebtoken/security/PrivateJwkBuilder.java
+++ b/api/src/main/java/io/jsonwebtoken/security/PrivateJwkBuilder.java
@ -1,8 +1,26 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.security.PrivateKey;
 import java.security.PublicKey;

+/**
+ * @since JJWT_RELEASE_VERSION
+ */
 public interface PrivateJwkBuilder<K extends PrivateKey, L extends PublicKey,
    J extends PublicJwk<L>, M extends PrivateJwk<K, L, J>,
    T extends PrivateJwkBuilder<K, L, J, M, T>> extends AsymmetricJwkBuilder<K, M, T> {
--- a/api/src/main/java/io/jsonwebtoken/security/ProtoJwkBuilder.java
+++ b/api/src/main/java/io/jsonwebtoken/security/ProtoJwkBuilder.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import javax.crypto.SecretKey;
@ -8,6 +23,9 @@ import java.security.interfaces.ECPublicKey;
 import java.security.interfaces.RSAPrivateKey;
 import java.security.interfaces.RSAPublicKey;

+/**
+ * @since JJWT_RELEASE_VERSION
+ */
 public interface ProtoJwkBuilder<K extends Key, J extends Jwk<K>, T extends JwkBuilder<K, J, T>> extends JwkBuilder<K, J, T> {

    SecretJwkBuilder setKey(SecretKey key);
--- a/api/src/main/java/io/jsonwebtoken/security/PublicJwk.java
+++ b/api/src/main/java/io/jsonwebtoken/security/PublicJwk.java
@ -1,6 +1,24 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.security.PublicKey;

+/**
+ * @since JJWT_RELEASE_VERSION
+ */
 public interface PublicJwk<K extends PublicKey> extends AsymmetricJwk<K> {
 }
--- a/api/src/main/java/io/jsonwebtoken/security/PublicJwkBuilder.java
+++ b/api/src/main/java/io/jsonwebtoken/security/PublicJwkBuilder.java
@ -1,8 +1,26 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.security.PrivateKey;
 import java.security.PublicKey;

+/**
+ * @since JJWT_RELEASE_VERSION
+ */
 public interface PublicJwkBuilder<K extends PublicKey, L extends PrivateKey, J extends PublicJwk<K>, M extends PrivateJwk<L, K, J>, P extends PrivateJwkBuilder<L, K, J, M, P>, T extends PublicJwkBuilder<K, L, J, M, P, T>> extends AsymmetricJwkBuilder<K, J, T> {

    P setPrivateKey(L privateKey);
--- a/api/src/main/java/io/jsonwebtoken/security/RsaKeyAlgorithm.java
+++ b/api/src/main/java/io/jsonwebtoken/security/RsaKeyAlgorithm.java
@ -1,8 +1,26 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.interfaces.RSAKey;

+/**
+ * @since JJWT_RELEASE_VERSION
+ */
 public interface RsaKeyAlgorithm<EK extends RSAKey & PublicKey, DK extends RSAKey & PrivateKey> extends KeyAlgorithm<EK, DK> {
 }
--- a/api/src/main/java/io/jsonwebtoken/security/RsaPrivateJwk.java
+++ b/api/src/main/java/io/jsonwebtoken/security/RsaPrivateJwk.java
@ -1,7 +1,25 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.security.interfaces.RSAPrivateKey;
 import java.security.interfaces.RSAPublicKey;

+/**
+ * @since JJWT_RELEASE_VERSION
+ */
 public interface RsaPrivateJwk extends PrivateJwk<RSAPrivateKey, RSAPublicKey, RsaPublicJwk> {
 }
--- a/api/src/main/java/io/jsonwebtoken/security/RsaPrivateJwkBuilder.java
+++ b/api/src/main/java/io/jsonwebtoken/security/RsaPrivateJwkBuilder.java
@ -1,7 +1,25 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.security.interfaces.RSAPrivateKey;
 import java.security.interfaces.RSAPublicKey;

+/**
+ * @since JJWT_RELEASE_VERSION
+ */
 public interface RsaPrivateJwkBuilder extends PrivateJwkBuilder<RSAPrivateKey, RSAPublicKey, RsaPublicJwk, RsaPrivateJwk, RsaPrivateJwkBuilder> {
 }
--- a/api/src/main/java/io/jsonwebtoken/security/RsaPublicJwk.java
+++ b/api/src/main/java/io/jsonwebtoken/security/RsaPublicJwk.java
@ -1,6 +1,24 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.security.interfaces.RSAPublicKey;

+/**
+ * @since JJWT_RELEASE_VERSION
+ */
 public interface RsaPublicJwk extends PublicJwk<RSAPublicKey> {
 }
--- a/api/src/main/java/io/jsonwebtoken/security/RsaPublicJwkBuilder.java
+++ b/api/src/main/java/io/jsonwebtoken/security/RsaPublicJwkBuilder.java
@ -1,8 +1,26 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.security.interfaces.RSAPrivateKey;
 import java.security.interfaces.RSAPublicKey;

+/**
+ * @since JJWT_RELEASE_VERSION
+ */
 public interface RsaPublicJwkBuilder extends PublicJwkBuilder<RSAPublicKey, RSAPrivateKey, RsaPublicJwk, RsaPrivateJwk, RsaPrivateJwkBuilder, RsaPublicJwkBuilder> {

 }
--- a/api/src/main/java/io/jsonwebtoken/security/RsaSignatureAlgorithm.java
+++ b/api/src/main/java/io/jsonwebtoken/security/RsaSignatureAlgorithm.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.security.PrivateKey;
--- a/api/src/main/java/io/jsonwebtoken/security/SecretJwk.java
+++ b/api/src/main/java/io/jsonwebtoken/security/SecretJwk.java
@ -1,6 +1,24 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import javax.crypto.SecretKey;

+/**
+ * @since JJWT_RELEASE_VERSION
+ */
 public interface SecretJwk extends Jwk<SecretKey> {
 }
--- a/api/src/main/java/io/jsonwebtoken/security/SecretJwkBuilder.java
+++ b/api/src/main/java/io/jsonwebtoken/security/SecretJwkBuilder.java
@ -1,6 +1,24 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import javax.crypto.SecretKey;

+/**
+ * @since JJWT_RELEASE_VERSION
+ */
 public interface SecretJwkBuilder extends JwkBuilder<SecretKey, SecretJwk, SecretJwkBuilder> {
 }
--- a/api/src/main/java/io/jsonwebtoken/security/SecretKeyGenerator.java
+++ b/api/src/main/java/io/jsonwebtoken/security/SecretKeyGenerator.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import javax.crypto.SecretKey;
--- a/api/src/main/java/io/jsonwebtoken/security/SecretKeySignatureAlgorithm.java
+++ b/api/src/main/java/io/jsonwebtoken/security/SecretKeySignatureAlgorithm.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import javax.crypto.SecretKey;
--- a/api/src/main/java/io/jsonwebtoken/security/SecurityRequest.java
+++ b/api/src/main/java/io/jsonwebtoken/security/SecurityRequest.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.security.Provider;
--- a/api/src/main/java/io/jsonwebtoken/security/SignatureAlgorithm.java
+++ b/api/src/main/java/io/jsonwebtoken/security/SignatureAlgorithm.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import io.jsonwebtoken.Identifiable;
--- a/api/src/main/java/io/jsonwebtoken/security/SignatureAlgorithms.java
+++ b/api/src/main/java/io/jsonwebtoken/security/SignatureAlgorithms.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import io.jsonwebtoken.lang.Assert;
--- a/api/src/main/java/io/jsonwebtoken/security/SignatureRequest.java
+++ b/api/src/main/java/io/jsonwebtoken/security/SignatureRequest.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.security.Key;
--- a/api/src/main/java/io/jsonwebtoken/security/SymmetricAeadAlgorithm.java
+++ b/api/src/main/java/io/jsonwebtoken/security/SymmetricAeadAlgorithm.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import io.jsonwebtoken.Identifiable;
--- a/api/src/main/java/io/jsonwebtoken/security/SymmetricAeadDecryptionRequest.java
+++ b/api/src/main/java/io/jsonwebtoken/security/SymmetricAeadDecryptionRequest.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 /**
--- a/api/src/main/java/io/jsonwebtoken/security/SymmetricAeadRequest.java
+++ b/api/src/main/java/io/jsonwebtoken/security/SymmetricAeadRequest.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import javax.crypto.SecretKey;
--- a/api/src/main/java/io/jsonwebtoken/security/UnsupportedKeyException.java
+++ b/api/src/main/java/io/jsonwebtoken/security/UnsupportedKeyException.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 /**
--- a/api/src/main/java/io/jsonwebtoken/security/VerifySignatureRequest.java
+++ b/api/src/main/java/io/jsonwebtoken/security/VerifySignatureRequest.java
@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.jsonwebtoken.security;

 import java.security.Key;
--- a/impl/src/main/java/io/jsonwebtoken/impl/security/ConstantKeyLocator.java
+++ b/impl/src/main/java/io/jsonwebtoken/impl/security/ConstantKeyLocator.java
@ -4,9 +4,9 @@ import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Header;
 import io.jsonwebtoken.JweHeader;
 import io.jsonwebtoken.JwsHeader;
+import io.jsonwebtoken.LocatorAdapter;
 import io.jsonwebtoken.SigningKeyResolver;
 import io.jsonwebtoken.impl.lang.Function;
-import io.jsonwebtoken.security.LocatorAdapter;

 import java.security.Key;

--- a/impl/src/main/java/io/jsonwebtoken/impl/security/DefaultJwkContext.java
+++ b/impl/src/main/java/io/jsonwebtoken/impl/security/DefaultJwkContext.java
@ -68,7 +68,7 @@ public class DefaultJwkContext<K extends Key> implements JwkContext<K> {

    private final Map<String, Object> values; // canonical values formatted per RFC requirements
    private final Map<String, Object> idiomaticValues; // the values map with any string/encoded values converted to Java type-safe values where possible
-    private final Map<String, Object> redactedValues; // the values map with any sensitive/secret values redacted.  Used in the toString implementation.
+    private final Map<String, Object> redactedValues; // the values map with any sensitive/secret values redacted. Used in the toString implementation.
    private final Set<String> privateMemberNames; // names of values that should be redacted for toString output
    private K key;
    private PublicKey publicKey;
--- a/impl/src/main/java/io/jsonwebtoken/impl/security/KeyAlgorithmsBridge.java
+++ b/impl/src/main/java/io/jsonwebtoken/impl/security/KeyAlgorithmsBridge.java
@ -1,5 +1,6 @@
 package io.jsonwebtoken.impl.security;

+import io.jsonwebtoken.JweHeader;
 import io.jsonwebtoken.UnsupportedJwtException;
 import io.jsonwebtoken.impl.DefaultJweHeader;
 import io.jsonwebtoken.impl.IdRegistry;
@ -121,6 +122,18 @@ public final class KeyAlgorithmsBridge {
        };
    }

+    private static char randomChar() {
+        return (char) Randoms.secureRandom().nextInt(Character.MAX_VALUE);
+    }
+
+    private static char[] randomChars(int length) {
+        char[] chars = new char[length];
+        for(int i = 0; i < length; i++) {
+            chars[i] = randomChar();
+        }
+        return chars;
+    }
+
    public static int estimateIterations(KeyAlgorithm<PbeKey, SecretKey> alg, long desiredMillis) {

        // The number of computational samples that land in our 'sweet spot' timing range matching desiredMillis.
@ -129,17 +142,16 @@ public final class KeyAlgorithmsBridge {
        // reasonably close to desiredMillis:
        final int NUM_SAMPLES = 30;
        final int SKIP = 3;
+        // More important than the actual password (or characters) is the password length.
+        // 8 characters is a commonly-found minimum required length in many systems circa 2021.
+        final int PASSWORD_LENGTH = 8;

-        // This is used by `alg` to generate an encryption key during the PBE attempt.  While technically the time to
-        // generate this key during the alg call is not part of the hashing time and shouldn't be counted towards
-        // desiredMillis, in practice, this is so fast (about ~ 3 milliseconds total aggregated across all
-        // NUM_SAMPLES on a developer laptop), it is in practice negligible, so we won't need to adjust our
-        // timing logic below to account for this.
-        SymmetricAeadAlgorithm encAlg = EncryptionAlgorithms.A128GCM;
+        final JweHeader HEADER = new DefaultJweHeader(); // not used during execution, needed to satisfy API call.
+        final SymmetricAeadAlgorithm ENC_ALG = EncryptionAlgorithms.A128GCM; // not used, needed to satisfy API

-        // Strip away all things that cause time during computation except for the actual hashing algorithm:
        if (alg instanceof Pbes2HsAkwAlgorithm) {
-            alg = lean((Pbes2HsAkwAlgorithm) alg); //strip out everything except for the computation we care about
+            // Strip away all things that cause time during computation except for the actual hashing algorithm:
+            alg = lean((Pbes2HsAkwAlgorithm) alg);
        }

        int workFactor = 1000; // same as iterations for PBKDF2.  Different concept for Bcrypt/Scrypt
@ -147,8 +159,10 @@ public final class KeyAlgorithmsBridge {
        List<Point> points = new ArrayList<>(NUM_SAMPLES);
        for (int i = 0; points.size() < NUM_SAMPLES; i++) {

-            PbeKey pbeKey = Keys.forPbe().setPassword("12345678").setWorkFactor(workFactor).build();
-            KeyRequest<SecretKey, PbeKey> request = new DefaultKeyRequest<>(null, null, null, pbeKey, new DefaultJweHeader(), encAlg);
+            char[] password = randomChars(PASSWORD_LENGTH);
+            PbeKey pbeKey = Keys.forPbe().setPassword(password).setWorkFactor(workFactor).build();
+            KeyRequest<SecretKey, PbeKey> request =
+                new DefaultKeyRequest<>(null, null, null, pbeKey, HEADER, ENC_ALG);

            long start = System.currentTimeMillis();
            alg.getEncryptionKey(request); // <-- Computation occurs here.  Don't need the result, just need to exec
--- a/impl/src/main/java/io/jsonwebtoken/impl/security/Pbes2HsAkwAlgorithm.java
+++ b/impl/src/main/java/io/jsonwebtoken/impl/security/Pbes2HsAkwAlgorithm.java
@ -147,10 +147,11 @@ public class Pbes2HsAkwAlgorithm extends CryptoAlgorithm implements KeyAlgorithm
    }

    private static char[] toChars(byte[] bytes) {
+        // use bytebuffer/charbuffer so we don't create a String that remains in the JVM string memory table (heap)
+        // the respective byte and char arrays will be cleared by the caller
        ByteBuffer buf = ByteBuffer.wrap(bytes);
        CharBuffer cbuf = StandardCharsets.UTF_8.decode(buf);
-        char[] chars = cbuf.compact().array();
-        return chars;
+        return cbuf.compact().array();
    }

    private char[] toPasswordChars(SecretKey key) {
--- a/impl/src/main/java/io/jsonwebtoken/impl/security/Randoms.java
+++ b/impl/src/main/java/io/jsonwebtoken/impl/security/Randoms.java
@ -1,8 +1,5 @@
 package io.jsonwebtoken.impl.security;

-import io.jsonwebtoken.lang.Assert;
-import io.jsonwebtoken.security.CryptoRequest;
-
 import java.security.SecureRandom;

 /**
--- a/impl/src/test/groovy/io/jsonwebtoken/JwtParserTest.groovy
+++ b/impl/src/test/groovy/io/jsonwebtoken/JwtParserTest.groovy
@ -25,7 +25,6 @@ import io.jsonwebtoken.security.SignatureException
 import org.junit.Test

 import javax.crypto.SecretKey
-import javax.crypto.spec.SecretKeySpec
 import java.security.SecureRandom

 import static ClaimJwtException.INCORRECT_EXPECTED_CLAIM_MESSAGE_TEMPLATE
@ -33,6 +32,7 @@ import static ClaimJwtException.MISSING_EXPECTED_CLAIM_MESSAGE_TEMPLATE
 import static io.jsonwebtoken.DateTestUtils.truncateMillis
 import static org.junit.Assert.*

+@SuppressWarnings('GrDeprecatedAPIUsage')
 class JwtParserTest {

    private static final SecureRandom random = new SecureRandom() //doesn't need to be seeded - just testing
--- a/impl/src/test/groovy/io/jsonwebtoken/impl/security/Pbes2HsAkwAlgorithmTest.groovy
+++ b/impl/src/test/groovy/io/jsonwebtoken/impl/security/Pbes2HsAkwAlgorithmTest.groovy
@ -4,18 +4,20 @@ import io.jsonwebtoken.impl.DefaultJweHeader
 import io.jsonwebtoken.security.EncryptionAlgorithms
 import io.jsonwebtoken.security.KeyAlgorithms
 import io.jsonwebtoken.security.Keys
+import org.junit.Ignore
 import org.junit.Test

 import java.nio.charset.StandardCharsets

 class Pbes2HsAkwAlgorithmTest {

+    @Ignore // for manual/developer testing only.  Takes a long time and there is no deterministic output to assert
    @Test
    void test() {

        def alg = KeyAlgorithms.PBES2_HS256_A128KW

-        int desiredMillis = 200
+        int desiredMillis = 100
        int iterations = KeyAlgorithms.estimateIterations(alg, desiredMillis)
        println "Estimated iterations: $iterations"

--- a/impl/src/test/groovy/io/jsonwebtoken/impl/security/RandomsTest.groovy
+++ b/impl/src/test/groovy/io/jsonwebtoken/impl/security/RandomsTest.groovy
@ -2,6 +2,10 @@ package io.jsonwebtoken.impl.security

 import org.junit.Test

+import java.security.SecureRandom
+
+import static org.junit.Assert.assertTrue
+
 /**
 * @since JJWT_RELEASE_VERSION
 */
@ -11,4 +15,10 @@ class RandomsTest {
    void testPrivateCtor() { //for code coverage only
        new Randoms()
    }
+
+    @Test
+    void testSecureRandom() {
+        def random = Randoms.secureRandom()
+        assertTrue random instanceof SecureRandom
+    }
 }