honeymoose
/
jjwt
mirror of https://github.com/jwtk/jjwt.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Ensured symmetric logic between the Keys and SignatureAlgorithm helper methods for hmac key lengths. 

Updated Android dependencies and ProGuard exclusion definitions
Updating docs to reflect 0.10.3 release
Resolves #381, #382
This commit is contained in:
Les Hazlewood 2018-08-02 17:30:18 -04:00
parent d7071faeae
commit 85d8920d79
11 changed files with 38 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
CHANGELOG.md
View File

@ -1,5 +1,11 @@
## Release Notes
### 0.10.3
This is a minor patch release that fixed a key length assertion for `SignatureAlgorithm.forSigningKey` that was
failing in Android environments. The Android dependencies and ProGuard exclusions documentation was updated as
well to reflect Android Studio 3.0 conventions.
### 0.10.2
This is a minor patch release that ensures the `OrgJsonSerializer` and `OrgJsonDeserializer` implementations are

26
README.md
View File

@ -179,18 +179,18 @@ If you're building a (non-Android) JDK project, you will want to define the foll
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-api</artifactId>
<version>0.10.2</version>
<version>0.10.3</version>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-impl</artifactId>
<version>0.10.2</version>
<version>0.10.3</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-jackson</artifactId>
<version>0.10.2</version>
<version>0.10.3</version>
<scope>runtime</scope>
</dependency>
<!-- Uncomment this next dependency if you want to use RSASSA-PSS (PS256, PS384, PS512) algorithms:
@ -209,11 +209,11 @@ If you're building a (non-Android) JDK project, you will want to define the foll
```groovy
dependencies {
compile 'io.jsonwebtoken:jjwt-api:0.10.2'
runtime 'io.jsonwebtoken:jjwt-impl:0.10.2',
compile 'io.jsonwebtoken:jjwt-api:0.10.3'
runtime 'io.jsonwebtoken:jjwt-impl:0.10.3',
// Uncomment the next line if you want to use RSASSA-PSS (PS256, PS384, PS512) algorithms:
//'org.bouncycastle:bcprov-jdk15on:1.60',
'io.jsonwebtoken:jjwt-jackson:0.10.2'
'io.jsonwebtoken:jjwt-jackson:0.10.3'
}
```
@ -229,13 +229,13 @@ Add the dependencies to your project:
```groovy
dependencies {
compile 'io.jsonwebtoken:jjwt-api:0.10.2'
runtime 'io.jsonwebtoken:jjwt-impl:0.10.2'
runtime('io.jsonwebtoken:jjwt-orgjson:0.10.2') {
api 'io.jsonwebtoken:jjwt-api:0.10.3'
runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.10.3'
runtimeOnly('io.jsonwebtoken:jjwt-orgjson:0.10.3') {
exclude group: 'org.json', module: 'json' //provided by Android natively
}
// Uncomment the next line if you want to use RSASSA-PSS (PS256, PS384, PS512) algorithms:
//runtime 'org.bouncycastle:bcprov-jdk15on:1.60'
//runtimeOnly 'org.bouncycastle:bcprov-jdk15on:1.60'
}
```
@ -250,6 +250,8 @@ You can use the following [Android Proguard](https://developer.android.com/studi
-keep class io.jsonwebtoken.** { *; }
-keepnames class io.jsonwebtoken.* { *; }
-keepnames interface io.jsonwebtoken.* { *; }
-dontwarn org.json.JSONString
-dontwarn org.json.JSONWriter
-keep class org.bouncycastle.** { *; }
-keepnames class org.bouncycastle.** { *; }
@ -1192,7 +1194,7 @@ scope which is the typical JJWT default). That is:
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-jackson</artifactId>
<version>0.10.2</version>
<version>0.10.3</version>
<scope>compile</scope> <!-- Not runtime -->
</dependency>
```
@ -1201,7 +1203,7 @@ scope which is the typical JJWT default). That is:
```groovy
dependencies {
compile 'io.jsonwebtoken:jjwt-jackson:0.10.2'
compile 'io.jsonwebtoken:jjwt-jackson:0.10.3'
}
```

2
api/pom.xml
View File

@ -21,7 +21,7 @@
<parent>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-root</artifactId>
<version>0.10.2</version>
<version>0.10.3-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>

14
api/src/main/java/io/jsonwebtoken/SignatureAlgorithm.java
View File

@ -554,18 +554,20 @@ public enum SignatureAlgorithm {
if (key instanceof SecretKey) {
SecretKey secretKey = (SecretKey)key;
String secretKeyAlg = secretKey.getAlgorithm();
int bitLength = io.jsonwebtoken.lang.Arrays.length(secretKey.getEncoded()) * Byte.SIZE;
for(SignatureAlgorithm alg : PREFERRED_HMAC_ALGS) {
if (alg.jcaName.equals(secretKeyAlg)) {
alg.assertValidSigningKey(key);
// ensure compatibility check is based on key length. See https://github.com/jwtk/jjwt/issues/381
if (bitLength >= alg.minKeyLength) {
return alg;
}
}
String msg = "The specified SecretKey algorithm did not equal one of the three required JCA " +
"algorithm names of HmacSHA256, HmacSHA384, or HmacSHA512.";
throw new InvalidKeyException(msg);
String msg = "The specified SecretKey is not strong enough to be used with JWT HMAC signature " +
"algorithms. The JWT specification requires HMAC keys to be >= 256 bits long. The specified " +
"key is " + bitLength + " bits. See https://tools.ietf.org/html/rfc7518#section-3.2 for more " +
"information.";
throw new WeakKeyException(msg);
}
if (key instanceof RSAKey) {

11
api/src/test/groovy/io/jsonwebtoken/SignatureAlgorithmTest.groovy
View File

@ -186,17 +186,6 @@ class SignatureAlgorithmTest {
}
}
@Test
void testForSigningKeySecretKeyInvalidAlgName() {
try {
SignatureAlgorithm.forSigningKey(new SecretKeySpec(new byte[1], 'AES'))
fail()
} catch (InvalidKeyException e) {
assertEquals "The specified SecretKey algorithm did not equal one of the three required JCA " +
"algorithm names of HmacSHA256, HmacSHA384, or HmacSHA512.", e.message
}
}
@Test
void testForSigningKeySecretKeyWeakKey() {
try {

2
extensions/jackson/pom.xml
View File

@ -21,7 +21,7 @@
<parent>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-root</artifactId>
<version>0.10.2</version>
<version>0.10.3-SNAPSHOT</version>
<relativePath>../../pom.xml</relativePath>
</parent>

2
extensions/orgjson/pom.xml
View File

@ -21,7 +21,7 @@
<parent>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-root</artifactId>
<version>0.10.2</version>
<version>0.10.3-SNAPSHOT</version>
<relativePath>../../pom.xml</relativePath>
</parent>

2
extensions/pom.xml
View File

@ -21,7 +21,7 @@
<parent>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-root</artifactId>
<version>0.10.2</version>
<version>0.10.3-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>

2
impl/pom.xml
View File

@ -21,7 +21,7 @@
<parent>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-root</artifactId>
<version>0.10.2</version>
<version>0.10.3-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>

3
impl/src/test/groovy/io/jsonwebtoken/security/KeysImplTest.groovy
View File

@ -32,6 +32,9 @@ class KeysImplTest {
SecretKey key = Keys.secretKeyFor(alg)
assertEquals alg.minKeyLength, key.getEncoded().length * 8 //convert byte count to bit count
assertEquals alg.jcaName, key.algorithm
alg.assertValidSigningKey(key)
alg.assertValidVerificationKey(key)
assertEquals alg, SignatureAlgorithm.forSigningKey(key) // https://github.com/jwtk/jjwt/issues/381
} else {
try {
Keys.secretKeyFor(alg)

4
pom.xml
View File

@ -25,7 +25,7 @@
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-root</artifactId>
<version>0.10.2</version>
<version>0.10.3-SNAPSHOT</version>
<name>JJWT</name>
<description>JSON Web Token support for the JVM and Android</description>
<packaging>pom</packaging>
@ -43,7 +43,7 @@
<connection>scm:git:https://github.com/jwtk/jjwt.git</connection>
<developerConnection>scm:git:git@github.com:jwtk/jjwt.git</developerConnection>
<url>git@github.com:jwtk/jjwt.git</url>
<tag>0.10.2</tag>
<tag>HEAD</tag>
</scm>
<issueManagement>
<system>GitHub Issues</system>