Commit Graph

124 Commits

Author SHA1 Message Date
lhazlewood 12a4a2e859
Immutable jwtparser (#791)
* - JwtParser is now immutable (no mutation methods, `final` internal state, etc).
- Jwts.parser() has been changed to return a `JwtParserBuilder`, Jwts.parserBuilder() has been removed since it's now superfluous.
- LegacyServices.java has been deleted since DefaultJwtParser is no longer mutable (it was used in the parse() method. This logic is now only performed via the Services.java implementation used by the JwtParserBuilder).
- ImmutableJwtParser.java has been deleted since it was a wrapper around a mutable DefaultJwtParser implementation.  Now that DefaultJwtParser is immutable, ImmutableJwtParser.java is no longer necessary.
2023-08-04 16:42:35 -07:00
lhazlewood 529f04dd90
Immutables (#790)
* Jwts#header() and JwtBuilder#header() API cleanup

* added license headers, removed unused Conjunctor interface concept

* impl checkpoint for Registry-to-Map implementation change

* Jwts.SIG and Jwts.ENC conversion checkpoint (complete)

* Jwts.KEY and Jwks.HASH conversion checkpoint (complete)

* File header and Javadoc cleanup.  Removed unused SignatureRequest.java concept.

* Changed deprecated API usage in test case

* - Removed *Accessor concepts where possible, just using the *Header interfaces was sufficient
- KeyAlgorithm#getEncryptionKey now accepts a JweHeader that is mutable. Implementations can just use Map#put to modify the header state if desired.

* MapMutator method renaming to avoid odd conventions

* introduced ProtectedJwt concept and intermediate DefaultProtectedJwt implementation

* Removed all usages of CompressionCodecs.java in favor of a new Jwts.ZIP entry.
Renamed all Standard***AlgorithmsBridge to Standard***Algorithms

* CompressionCodec to CompressionAlgorithm transition (complete, code coverage 100%)
2023-08-04 12:35:33 -07:00
lhazlewood 760c542a0b
JWE support (#279)
* JWE support. Resolves #113

Huge feature/code change - see CHANGELOG.MD for an in-depth review of changes.

Commit note log:

- Added JWE AeadAlgorithm and KeyAlgorithm and supporting interfaces/implementations, and refactored SignatureAlgorithm to be an interface instead of an enum to enable custom algorithms
- NoneSignatureAlgorithm cleanup. Added UnsupportedKeyExceptionTest.
- Added JWK support!

* Removed the previous SignatureAlgorithm implementation concepts (Provider/Signer/Validator implementations).  Implementations are now interface-driven and fully pluggable.

* adding tests, working towards 100% coverage.  Moved api static factory class tests to impl module to avoid mocking static calls due to bridge/reflection logic.

* adding tests, removed unused class

* implementation checkpoint (safety save)

* clean build checkpoint

* continued testing w/ more coverage.  Replaced PbeKey concept with PasswordKey

* fixed erroneous optimize imports

* Added ECDH-ES key algorithms + RFC tests

* 1. Enabled targeted/limited use of BouncyCastle only when required by eliminating use of RuntimeEnvironment in favor of new Providers implementation.  JJWT will no longer modify the system providers list.
2. Changed SecretKeyGenerator.generateKey() to KeyBuilderSupplier.keyBuilder() and a new SecretKeyBuilder interface.  This allows users to customize the Provider and SecureRandom used during key generation if desired.
3. Added KeyLengthSupplier to allow certain algorithms the ability to determine a key bit length without forcing a key generation.
4. Ensured Pbes2 algorithms defaulted to OWASP-recommended iteration counts if not specified by the user.

* 1. EcdhKeyAlgorithm: consolidated duplicate logic to a single private helper method
2. Updated RequiredTypeConverter exception message to represent the expected type as well as the found type

* Minor javadoc update

* 1. Javadoc cleanup.
2. Ensured CompressionException extends from io.jsonwebtoken.io.IOException
3. Deleted old POC unused JwkParser interface
4. Ensured NoneSignatureAlgorithm reflected the correct exception message for `sign`

* Fixed erroneous JavaDoc, enhanced code coverage for DefaultClaims

* Added jwe compression test

* Added TestKeys concept for Groovy test authoring

* Added tests, cleaned up state assertions for code coverage

* Added tests, cleaned up state assertions for code coverage

* Removed unused code

* Merge branch 'master' into jwe-merge

* using groovy syntax to avoid conflict with legacy SignatureAlgorithm type

* JavaDoc fixes

* JavaDoc fixes, test additions to work on JDK >= 15

* JavaDoc fixes, test additions to work on JDK 7 and JDK >= 15

* Test adjustment to work on Java 7

* Test adjustment to work on Java 7

* code coverage work cont'd

* code coverage work cont'd

* JavaDoc fix

* Update impl/src/main/java/io/jsonwebtoken/impl/JwtTokenizer.java

Co-authored-by: sonatype-lift[bot] <37194012+sonatype-lift[bot]@users.noreply.github.com>

* lift edits

* lift edits

* lift edits

* code coverage testing cont'd

* PayloadSupplier renamed to Message

* Added new KeyPairBuilder/KeyPairBuilderSupplier for parity with KeyBuilder/KeyBuilderSupplier.  Switched all generate* calls to use the new API methods.

* - Added lots of JavaDoc
- JwtMap: Ensured Groovy GString implementations that invoke Groovy's InvokerHelper on a JwtMap implementation will print redacted values instead of the actual secret values.

* - JavaDoc additions cont'd

* - JavaDoc additions and syntax cleanup cont'd
- Minor work to fix compilation errors on a few Groovy test classes

* - JavaDoc additions and syntax cleanup cont'd
- Minor work to fix compilation errors on a few Groovy test classes

* - JavaDoc additions and syntax cleanup cont'd
- Minor work to fix compilation errors on a few Groovy test classes

* - JavaDoc additions and syntax cleanup cont'd
- Minor work to fix compilation errors on a few Groovy test classes

* - JavaDoc cont'd

* Code coverage updates cont'd

* Propagating exception wrapper function enhancements

* 100% code coverage!

* Minor test changes to work with JDK >= 11

* Ensured all JWK secret or private values were wrapped in a RedactedSupplier instance to prevent accidental printing of secure values

* - Updated JavaDoc to reflect JWK toString safety and property access
- Updated README to reflect new GsonSerializer requirements for io.jsonwebtoken.lang.Supplier

* Documentation enhancements

* Fixed erroneous JavaDoc element

* Fixed LocatorAdapter usage now that it's abstract

* Minor JavaDoc fix

* JavaDoc is now complete (no warnings) for api module

* Ensured JWS signatures are computed first before deserializing the body if no SigningKeyResolver has been configured.

* Removed EllipticCurveSignatureAlgorithm and RsaSignatureAlgorithm concepts due to some PKCS11 and HSM security providers that cannot provide keys that implement the ECKey or RSAKey interfaces.

* Removed reliance on io.jsonwebtoken.security.KeyPair now that KeyPairBuilder implementations cannot guarantee RSAKey or ECKey types

* Ensured RsaKeyAlgorithm used PublicKey and PrivateKey parameters due to PKCS11 and HSM key stores that may not expose the RSAKey interface on their RSA key implementations

* cleaned up EC point addition/doubling logic to be more readable and match equations in literature

* Deprecated JwtParserBuilder setSigningKey* methods in favor of verifyWith for name accuracy and congruence with decryptWith

* Added PositiveIntegerConverter and PublicJwkConverter for JWE Header "p2c" and "jwk" fields

* Ensured CompressionCodec inherited Identifiable for consistency w/ all other algorithms

* Ensured CompressionCodec inherited Identifiable for consistency w/ all other algorithms

* Ensured CompressionCodec inherited Identifiable for consistency w/ all other algorithms

* JavaDoc enhancement

* Added Jwks.parserBuilder(), JwkParserBuilder and JwkParser concepts

* Ensured ProtoJwkBuilder method names were all congruent (remaining set* methods were renamed to for*)

* Minor JavaDoc organization change

* Changed JweBuilder to have only two encryptWith* methods for consistency with JwtBuilder signWith* methods.  Also prevents incorrect configuration by forgetting to call follow-up methods.

* Removed DefaultValueGetter in favor of new FieldReadable concept to leverage Field instances instead of duplicating logic.

* Adding copyright headers

* Deprecated CompressionCodecResolver in favor of Locator<CompressionCodec>

* Deprecated CompressionCodecResolver in favor of Locator<CompressionCodec>

* Folded in JweBuilder concept and implementation into the existing JwtBuilder

* Cleanup to reduce duplicate logic

* Changed plaintext JWT payload type from String to byte[]

* Minor internal doc fixes

* - Added UnprotectedHeader interface
- Renamed DefaultHeader to AbstractHeader
- Renamed JwtParser 'plaintext'* methods to 'payload'* methods to more accurately reflect the JWT nomenclature

* Updated changelog to reflect the following changes:
- Added UnprotectedHeader interface
- Renamed DefaultHeader to AbstractHeader
- Renamed JwtParser 'plaintext'* methods to 'payload'* methods to more accurately reflect the JWT nomenclature

* Adding RFC 7520 test cases.

* Changed JwtBuilder/JwtParser/JwtHandler/JwtHandlerAdapter `payload` concept to `content` concept

* JavaDoc error fix

* Added JwtParserBuilder#addCompressionCodecs method and supporting tests

* Updated changelog to reflect recent changes

* doc updates

* Fixed minor types in JWE related change log

* Enabled Mutator and HeaderBuilder interfaces and implementations

* Fixed erroneous JavaDoc

* Added additional .pem files for testing PEM parsing (TBD at a later date)

* Updating documentation to prepare for JWE release

* more docs

* docs cont'd

* Update README.md

Trying to prevent table wrap

* Update README.md

testing table whitespace wrap

* Update README.md

formatting testing

* Update README.md

formatting testing cont'd

* docs cont'd

* docs cont'd

* docs cont'd

* documentation checkpoint

* documentation checkpoint, still work in progress

* added extra info about Android BouncyCastle registration

* added extra info about Android BouncyCastle registration

* added extra info about Android BouncyCastle registration

* documentation cont'd

* documentation cont'd

* documentation cont'd

* documentation cont'd

* documentation cont'd

* Upgraded Jackson to 2.12.7 due to Jackson CVE

* trying to get sonatype lift working again

* Removed unnecessary println statement in test

* Added JDK 19

* Removing JDK 19 until we can resolve incompatible groovy version

* doc formatting test

* Update README.md

Fixed 'JWE Encryption Algorithms' table formatting

* renamed PasswordKey to just Password, removed unnecessary WrappedSecretKey class and its one usage in favor of JDK-standard SecretKeySpec

* Updated PasswordKey references to Password

* Renamed DefaultPassword to PasswordSpec while also implementing KeySpec per JDK conventions.

* documentation cont'd

* documentation cont'd

* documentation cont'd

* JWT expired exception is now shows difference as now - expired

Instead of now + skew - expired

Fixes: #660

* documentation cont'd

* Fixed erroneous error message (should be '521' not '512').

* - Removed EcKeyAlgorithm and RsaKeyAlgorithm in favor of KeyAlgorithm<PublicKey, PrivateKey> due to HSM key types unable to conform to respective ECKey or RSAKey types
- added Curve concept with DefaultCurve and ECCurve implementations for use across EC/EdEC SignatureAlgorithm and KeyAlgorithm implementations
- disabled Zulu JDK 10 - compiler was failing, and that is a short-term-supported version anyway
- added Temurin JDK 19 and Zulu JDK 19 to the build

* Removed JDK 19 builds due to error with Groovy compiler version compatibility

* removed unused test, created https://github.com/jwtk/jjwt/issues/765 to address later

* updated test case to reflect Edwards keys algorithm name differences between BouncyCastle and JDK 11/15

* - Reordered JwtBuilder .encryptWith method arguments to match signWith conventions
- Added key validation logic to DefaultRsaKeyAlgorithm

* - Reordered JwtBuilder .encryptWith method arguments to match signWith conventions
- Added key validation logic to DefaultRsaKeyAlgorithm
- Removed mutation methods on InvalidClaimException and its subclasses, IncorrectClaimException and MissingClaimException
- renamed Jwks.parserBuilder() to Jwks.parser() to reduce verbosity since we'll never likely offer a Jwts.parser() that returns a Parser instance directly.

* Documentation updates

* Documentation updates

* Documentation updates

* Adding Java-based tests for README.md code snippets (e.g. new Examples section).

* Testing README code snippet in examples

* Testing README code snippet in examples

* Testing README code snippet in examples

* Ensured README.md examples would compile/run by testing code in a JavaReadmeTest.java class

* Ensured README.md examples would compile/run by testing code in a JavaReadmeTest.java class

* Ensured README.md examples would compile/run by testing code in a JavaReadmeTest.java class

* Ensured README.md examples would compile/run by testing code in a JavaReadmeTest.java class

* Ensured README.md examples would compile/run by testing code in a JavaReadmeTest.java class

* Ensured README.md examples would compile/run by testing code in a JavaReadmeTest.java class

* Ensured README.md examples would compile/run by testing code in a JavaReadmeTest.java class

* Ensured README.md examples would compile/run by testing code in a JavaReadmeTest.java class

* Ensured README.md examples would compile/run by testing code in a JavaReadmeTest.java class

* Ensured README.md examples would compile/run by testing code in a JavaReadmeTest.java class

* Ensured README.md examples would compile/run by testing code in a JavaReadmeTest.java class

* Ensured README.md examples would compile/run by testing code in a JavaReadmeTest.java class

* Ensured README.md examples would compile/run by testing code in a JavaReadmeTest.java class

* Testing coveralls failure fix for JavaReadmeTest (unnecessary for coverage)

* Message* API refactoring cleanup

* Refactored SignatureAlgorithm(s) concept as a new DigestAlgorithm hierarchy to support non-keyed digests, as well as to reflect correct cryptographic taxonomy.  Renamed SignatureAlgorithms utility class to JwsAlgorithms.

* - Added JwkThumbprint and JWK Thumbprint URI support
- Fixed various copyright headers

* Updated README with JWK examples

* - Added logic and test to ensure Parser builder does not allow both a signature verification key and SigningKeyResolver to be configured.
- Updated README code example, and added test for verification

* - Added proactive checks to ensure PublicKey instances cannot be specified on JwtBuilder to create digital signatures
- Added additional tests to ensure that Password instances cannot be used with Mac algorithm instances (HS256, HS384, HS512, etc)

* minor edit to reflect latest # of test cases

* Minor JavaDoc improvement

* Disabled parsing of unsecured compressed payloads by default, with a JwtParserBuilder#enableUnsecuredDecompression method added for override if necessary.

* Refactored JcaTemplate to avoid reflection

* minor readme clarification

* Edwards Curve keys checkpoint

* Edwards Curve keys and related functionality checkpoint.  Added lots of tests.

* Edwards Curve keys and related functionality checkpoint.  Reached 100% code coverage.

* Addressed EdwardsCurve differences (and a JDK 11 PKCS8 encoding bug) between JDK versions (1.7 through 15+).

* Addressed EdwardsCurve differences (and a JDK 11 PKCS8 encoding bug) between JDK versions (1.7 through 18).

* Adding --add-opens lines to surefire/test config to avoid unnecessary build warnings

* Improved Edwards Key encoding error checks

* added some code to test errors in CI

* added some code to test errors in CI

* added some code to test errors in CI

* added some code to test errors in CI

* added some code to test errors in CI

* added some code to test errors in CI

* added some code to test errors in CI

* added some code to test errors in CI

* added some code to test errors in CI

* added some code to test errors in CI

* added some code to test errors in CI

* added some code to test errors in CI

* added some code to test errors in CI

* Improved Field/FieldBuilder implementation to make it more robust and catch type errors.  JwkBuilder/Factory refactoring is likely to follow on subsequent commits.

* Updating CI config to use the Oracle no-fee JDK builds

* Updating CI config to use the Oracle no-fee JDK builds

* Updating CI config to use the Oracle no-fee JDK builds

* JavaDoc fixes

* JavaDoc fixes

* JavaDoc fixes

* Ensured license headers are updated with correct dates based on git history, as well as ensured this is enforced in CI

* fixed various build warnings and javadoc errors

* Maven license plugin config cleanup. Removed now-unused header_format.xml file.

* fixed javadoc error causing build failures

* Changed Algorithms + Bridge concept to allow nested inner classes for simpler authoring all stemming from an 'Algorithms' class (easier to find algorithms via code completion than knowing off the top of your head which *Algorithms classes to reference).

* Added license headers

* Moved JwsAlgorithms to an inner class of Algorithms.  Will rename to `StandardSecureDigestAlgorithms` to maintain the convention used with the other Algorithms inner classes.

* Extracting Algorithms inner classes up a level - cleaner/easier to maintain, document and reference as JavaDoc links.

* Extracting Algorithms inner classes up a level - cleaner/easier to maintain, document and reference as JavaDoc links.  Renamed JwsAlgorithms to StandardSecureDigestAlgorithms to retain the JDK 'Standard*' convention.

* Removed Algorithms class in favor of direct `Standard*` `Registry` references in `Jwts` and `Jwks` helper classes to keep the references 'close' to where they are used the most.

* Minor README.md documentation updates.

* Copying over 6e74486 to test on the jwe branch

* Ensured CI license-check build pulls full (non-shallow) git history to perform full year checks.

* JavaDoc + impl + test checkpoint

* JavaDoc + impl + test checkpoint. Returned to 100% code coverage

* JavaDoc + impl + test checkpoint. Returned to 100% code coverage

* - Ensured Edwards Curve keys (X25519 and X448) worked with ECDH-ES algorithms
- Ensured JWT Header ephemeral PublicKey ('epk' field) could be any Public JWK, not just an EcPublicJwk
- Updated README.md to ensure the installation instructions for uncommenting BouncyCastle were a little less confusing (having commented out stuff be at the end of the code block so it couldn't be confused with other lines)

* Ensured correct message assertion on all JDKs (value was different on JDK 15 and later)

* Ensured correct message assertion on all JDKs (value was different on JDK 15 and later)

* - enabled more IANA algorithms in StandardHashAlgorithms
- JavaDoc update

* - JavaDoc fixes/enhancements
- Fixed erroneous README.md method name reference
- ensured DefaultJwkContext#getName() supports Octet keys as well.

* - JavaDoc fixes/enhancements

* - JavaDoc fixes/enhancements required to pass the build on later JDKs

* Minor JavaDoc typo fix

* Finished implementing all [RFC 8037](https://www.rfc-editor.org/rfc/rfc8037) test vectors in the Appendix

* Removed accidentally-committed visibility modifier

* Added copyright header

* Enabled PublicKey derivation from Edwards curve PrivateKey

* Enabled PublicKey derivation from Edwards curve PrivateKey.  Updated documentation and code example showing this.

* Enabled PublicKey derivation from Edwards curve PrivateKey.  Updated documentation and code example showing this.

* Doc update to reference Octet JWK RFC.

* Minor JavaDoc fix

* Fixed OctetPrivateJwk discrepancy with generic parameter ordering (compared to other PrivateJwk interfaces)

* Changed Jwts.header to Jwts.unprotectedHeader, and Jwts.headerBuilder is now Jwts.header

---------

Co-authored-by: sonatype-lift[bot] <37194012+sonatype-lift[bot]@users.noreply.github.com>
Co-authored-by: Brian Demers <bdemers@apache.org>
2023-05-18 15:21:17 -07:00
Brian Demers a858153518
Adds new convenience module using the old package name (#629)
* Adds new connivence module, in place of the old io.jsonwebtoken:jjwt module

Some folks are unaware of newer JJWT versions because they are still using the old io.jsonwebtoken:jjwt module. This makes automatic version updates tools "just work" for them

NOTE: This new module is _basically_ an empty jar, that adds `jjwt-api` (compile scope), `jjwt-impl` (runtime scope), and `jjwt-jackson` (runtime scope) transitive dependencies.

* Minor cleanup before changing `all` directory name

* Renamed `all` to `tdjar` (transitive dependency jar)

Co-authored-by: Les Hazlewood <121180+lhazlewood@users.noreply.github.com>
2022-06-11 15:53:17 -07:00
Thomas M. DuBuisson 19db6e1279
Fix an inefficient keyset iterator (#690)
Found via infer on Lift, an inefficient keyset iterator is in the form:

```
for key in mapping:
    entry = mapping.find(key)
```

Which is linear-log instead of the more optimal linear solution.
2022-04-30 15:41:19 -04:00
Les Hazlewood eb20914fa7
0.11.5 release (#735)
* Changed README references from 0.11.4 to 0.11.5
* [maven-release-plugin] prepare release 0.11.5
* [maven-release-plugin] prepare for next development iteration
2022-04-28 12:24:56 -04:00
Les Hazlewood 877960fe04
Added additional guards for JVM CVE-2022-21449 per review, accompanied by corresponding regression tests (#733) 2022-04-28 12:11:36 -04:00
Les Hazlewood 9c0ea0d0eb
Prep for 0.11.4 release (#732)
- Updated README.md version numbers to reflect the 0.11.4 release
- Added 0.11.4 release/changelog notes to CHANGELOG.md
2022-04-26 19:16:04 -04:00
Les Hazlewood 451c8d44dd
Clean build on all available JDK versions (#729)
- POM and JavaDoc updates to get a clean (warning free) build, remove duplicates, etc
- Ensured CI uses the release build profile (i.e. 'ossrh') to ensure we can execute all things necessary for a release.  This will not deploy to ossrh however, as we do that manually during a release per https://github.com/jwtk/jjwt/wiki#release-instructions
- Fixing JavaDoc lint errors surfacing on JDK 14
- Enable html5 for JavaDoc on JDK >= 9
- Used version properties and Maven profiles to allow the japicmp-maven-plugin to work with JDK 7 through 18
- Minor CI job name fixes, added additional zulu JDK versions
- Fixed build to run on all JDKs, from 7 to 18 inclusive
2022-04-25 21:51:28 -04:00
Les Hazlewood b78473262d
0.11.3 to master (#728)
Merged 0.11.3 patch release into mainline development branch
2022-04-23 17:32:28 -04:00
TK-one 6fe3759d64
Fixed Javadoc and comment typos
Fixes: #294
2021-07-20 10:51:56 -04:00
Brian Demers 6b2843bded Fix name of tests in DefaultJwtParserBuilder
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
2021-07-09 17:08:56 -04:00
Brian Demers 04762e4d4e Add and cleanup tests based on review feedback
* Add tests to verify the DefaultJwtParserBuilder will correctly wrap Deserializer implementations
* Cleanup string handling in JwtDeserializerTest
2021-07-09 17:08:56 -04:00
Brian Demers 52b2ab13d1 Apply suggestions from code review
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
2021-07-09 17:08:56 -04:00
Brian Demers 8a11a4ed18 Adds handling for common JSON parsing exceptions and wraps them in a `JwtException`
Move the parser error handling logic out of DefaultJwtParser into the new JwtDeserializer and wraps them with developer freiendly exceptions
Add check for common JSON parsing exceptions like stack overflow when parsing deeply nested (or malformed) JSON
2021-07-09 17:08:56 -04:00
Tomasz Zarna a4130dd1ec Remove unused import of java.util.Arrays in RsaSignatureValidator 2021-03-10 10:14:13 -05:00
Brian Demers 901048aeac Removes eager initialization of the CompressionCodecResolver in the JwtParserBuilder
This removes a potential service loader issue with OSGi runtimes.

Fixes: #578
2020-07-13 12:56:05 -04:00
Les Hazlewood 14b2f19b29 [maven-release-plugin] prepare for next development iteration 2020-06-11 15:50:09 -04:00
Les Hazlewood 274749373f [maven-release-plugin] prepare release 0.11.2 2020-06-11 15:50:00 -04:00
Les Hazlewood 26527bd43c Updated the pom snapshot versions to prepare for the upcoming 0.11.2 release 2020-06-11 14:16:29 -04:00
Les Hazlewood 72973f9b9b
Argument validation for allowedClockSkewSeconds (#601)
* 583: ensured setting allowedClockSkewSeconds to be greater than (Long.MAX_VALUE / 1000) will throw an IllegalArgumentException.
2020-06-11 13:46:03 -04:00
Philipp Zormeier 2b00ed1819
Add DefaultJwtParser functionality to parse JWSs with empty body. (#540)
* Add DefaultJwtParser functionality to parse JWSs with empty body.

* Review Fix: Change allowEmptyBody(boolean) to requirePayload(boolean). Set payloadRequired true for each require*() method in JwtParser and JwtParserBuilder.

* Add missing ImmutableJwtParserTest.

* Review changes: Moving to solution without payload requirement flag.

* Review changes: Allow empty Jwt payload

* Remove unused imports

Co-authored-by: Philipp Zormeier <philipp.zormeier@thoughtworks.com>
2020-06-08 14:07:10 -04:00
Carsten Ziegeler 403e1895e3
Attach implementation bundles as fragments to the API bundle to make them visible to the API bundle. This fixes jwtk#578 (jwtk#578) (#580) 2020-04-27 17:40:02 -04:00
Les Hazlewood 5616ba769a [maven-release-plugin] prepare for next development iteration 2020-03-12 16:59:12 -04:00
Les Hazlewood c09deaa5f3 [maven-release-plugin] prepare release 0.11.1 2020-03-12 16:59:05 -04:00
Les Hazlewood c563365b97 Prepping for the 0.11.0 --> 0.11.1 release 2020-03-12 16:56:17 -04:00
Brian Demers 9e65ab7be0 Services now checks the contextClassLoader, Services.class.classLoader, and the system classloader
Fixes: #568
2020-03-12 15:43:37 -04:00
Les Hazlewood 23743f5a59 [maven-release-plugin] prepare for next development iteration 2020-02-05 12:29:05 -08:00
Les Hazlewood 3cd48fade7 [maven-release-plugin] prepare release 0.11.0 2020-02-05 12:28:58 -08:00
Les Hazlewood c38f4af239
Ensured DeflateCompressionCodec could fallback to <= 0.10.6 implementation if encountering an IOException. This allows compressed JWTs created before 0.10.7 to still work. Fixes #536 (#556) (#557) 2020-02-04 14:29:16 -08:00
Les Hazlewood 950e6fbcc7
cherry-pick 4821395c06b0786e19b1a3153be65f39a2a524d9: Ensured SignatureAlgorithm `PS256`, `PS384`, and `PS512` worked properly on JDK 11 and later without requiring BouncyCastle. (#555) 2020-02-04 00:10:39 -08:00
Brian Demers 2fd3f06b7b
Update SignatureValidator to use MessageDigest (#548) 2020-01-27 14:20:21 -05:00
Micah Silverman dacdb2ce25
relocated Service.java to impl module (along with tests). (#529) 2019-10-27 17:13:49 -04:00
Brian Demers 7037d64d24 Reduce scope of Service Loader work to CompressionCodecs and JsonSerializers
Fixes: #458
2019-10-23 09:14:08 -07:00
Jaap Coomans ef32a1386d Use ServiceLoader instead of reflection to resolve implementation classes.
By using ServiceLoader the hardcoded dependency of implementation classes becomes obsolete, so that the API will be truly independent from the implementation. Also this approach paves the way for migration to JPMS modules, as these also leverage the ServiceLoader API.

Use ServiceLoader instead of reflection to resolve CompressionCodec implementation classes.

Isolate key- and key-pair generators and use ServiceLoader instead of reflection to invert dependencies.

Move FactoryLoader logic to Services class and improve package layout.

Resolve Deserializer using the ServiceLoader instead of reflection and hardcoded reference.

Resolve Serializer using the ServiceLoader instead of reflection and hardcoded reference.
2019-10-23 09:13:58 -07:00
Brian Demers ebdb4426f6
Update version to 0.11.0-SNAPSHOT (#506)
via: `mvn versions:set -DnewVersion=0.11.0-SNAPSHOT -DgenerateBackupPoms=false`
2019-10-03 12:09:48 -04:00
Brian Demers 7eb9c514b0
Fixes test error caused by groovy type coercion (#509)
* Fixes test error caused by groovy type coercion

A long was being treated as a float

* Fixes test error caused by groovy type coercion

A long was being treated as a float
2019-10-03 12:09:23 -04:00
Brian Demers 94d151129d
Add JwtParserBuilder as the preferred way to create a JwtParser instance (#486)
- Added new JwtParserBuilder
- Copied mutator methods from JwtParser into new JwtParserBuilder
- Marked said methods as deprecated in JwtParser
- Copied JwtParserTest and JwtsTest to Deprecated*, as to retain coverage on methods that will be removed in 1.0
- Added ImmutableJwtParser
  This is a stop gap until 1.0, all of the mutable methods will now throw a IllegalStateException.
  NOTE: this only comes into place when using the new Jwts.parserBuilder(), Jwts.parser() is unchanged.

Fixes: #473
2019-10-01 12:03:20 -04:00
Brian Demers 7090bf39c3
Add support for custom type deserialization with Jackson (#495)
- Adds new constructor JacksonDeserializer(Map<String, Class> claimTypeMap), which will enable later calls Claims.get("key", CustomType.class) to work as expectd
 - Adds new Maps utility class to make map creation fluent

Fixes: #369
2019-09-30 17:24:57 -04:00
Brian Demers 6e74be0b8d
Fix split package issue in extensions/jackson and extensions/orgjson (#488)
* Fix split package issue in extensions/jackson and extensions/orgjson

This moves the implementation specific classes:
- `io.jsonwebtoken.io.Jackson*` to `io.jsonwebtoken.jackson.io.Jackson*`
- `io.jsonwebtoken.io.OrgJson*` to `io.jsonwebtoken.orgjson.io.OrgJson*`

* Add Backwards Compatibility Warning to CHANGELOG
* Add `jjwt-jackson:deprecated` and `jjwt-orgjson:deprecated` modules to retain backward-compatible versions of the Jackson and OrgJson Serializers (this is built with the shade plugin and binary compatibility validated with japicmp)

Fixes: #399
2019-09-27 17:11:19 -04:00
Brian Demers 5339faf87f
Add license-maven-plugin to mange headers
and apply missing headers

usage:
# validate license headers exist
mvn license:check

# apply headers (to files without headers)
mvn license:format
2019-09-17 16:19:07 -04:00
Les Hazlewood ff8a6bfe58
Merge pull request #414 from patton73/master
Added Gson serialization/deserialization Extension
2019-07-17 22:13:58 -04:00
patton73 73f7f9915b Fixes for reviews. Hope i did not forget something. 2019-07-17 22:51:18 +02:00
patton73 2bb8e4d02e Fixes for reviews. Hope i did not forget something. 2019-07-17 22:46:18 +02:00
Andrea Paternesi e3a172b93d Fix to pom file. 2019-07-16 16:41:58 +02:00
Andrea Paternesi 222032a208 Final fix. Typo fixes. And test coverage. 2019-07-16 16:36:12 +02:00
Andrea Paternesi 134f25b536 Fix locator paths and added tests. 2019-07-16 16:19:13 +02:00
patton73 fd52e0ffc2 Merge remote-tracking branch 'upstream/master' 2019-07-15 20:51:57 +02:00
Paul Polishchuk dd638c2b3a JwtBuilder.setClaims() now accepts `Map<String, ?> claims`
This would allow to pass `Map<String,String>`
2019-07-15 10:46:02 +03:00
Les Hazlewood caa7b0e942 [maven-release-plugin] prepare for next development iteration 2019-07-11 20:12:25 -04:00
Les Hazlewood b292b891ca [maven-release-plugin] prepare release 0.10.7 2019-07-11 20:12:20 -04:00
patton73 9bf487f0b7 Updated RuntimeClasspath Serializer/Deserializer 2019-06-21 19:55:05 +02:00
Les Hazlewood af72fabbf3 Refactored DeflateCompressionCodec to eliminate memory leak. Refactored GzipCompressionCodec and AbstractCompressionCodec to utilize consistent logic across compression algorithms. Resolves #392. 2019-03-10 12:01:37 -04:00
Francois JACQUES 1b5b89304a Fixes #397 : avoid dependency side effect to affect choice of json serializer/deserializer. 2019-03-10 11:59:31 -04:00
Les Hazlewood 70e6845b82 Ensure version is 0.10.7-SNAPSHOT to prep for the next release. 2019-03-10 11:59:31 -04:00
Micah Silverman af73a02786 [maven-release-plugin] prepare for next development iteration 2019-02-25 13:33:47 -05:00
Micah Silverman d29d6da989 [maven-release-plugin] prepare release jjwt-root-0.10.6 2019-02-25 13:33:39 -05:00
Les Hazlewood bcfc0655e4 [maven-release-plugin] prepare for next development iteration 2018-08-13 20:28:38 -04:00
Les Hazlewood 2ceae3bc37 [maven-release-plugin] prepare release 0.10.3 2018-08-13 20:28:32 -04:00
Les Hazlewood 85d8920d79 Ensured symmetric logic between the Keys and SignatureAlgorithm helper methods for hmac key lengths.
Updated Android dependencies and ProGuard exclusion definitions
Updating docs to reflect 0.10.3 release
Resolves #381, #382
2018-08-13 20:26:14 -04:00
Les Hazlewood d7071faeae [maven-release-plugin] prepare release 0.10.2 2018-08-07 13:43:48 -04:00
Les Hazlewood f19c34a763 Ensured JJWT's org.json use is compatible with Android's org.json API as defined in https://developer.android.com/reference/org/json/package-summary. Resolves #380. 2018-08-07 13:32:20 -04:00
Les Hazlewood 5e5f29d8b1 [maven-release-plugin] prepare release 0.10.1 2018-08-02 17:30:09 -04:00
Les Hazlewood 7f662627cc Ensured BouncyCastle was optional. Also ensured EllipticCurve algorithms could be used without BouncyCastle since the JDK supports EC by default. Moved RuntimeEnvironment.enableBouncyCastleIfPossible() call out of SignatureAlgorithm into RsaProvider since BC is only necessary for RSASSA-PSS algorithms (PS256, PS384, PS512) and nothing else in JJWT's codebase.
Resolves #372
2018-08-02 16:59:59 -04:00
Les Hazlewood b58e1b6dc5 [maven-release-plugin] prepare for next development iteration 2018-08-01 18:10:41 -04:00
Les Hazlewood 6b980553cf [maven-release-plugin] prepare release 0.10.0 2018-08-01 18:10:34 -04:00
Les Hazlewood 17af933665 [maven-release-plugin] rollback the release of 0.10.0 2018-08-01 18:02:51 -04:00
Les Hazlewood 9cfd861250 [maven-release-plugin] prepare for next development iteration 2018-08-01 18:00:33 -04:00
Les Hazlewood cd62ed1bbf [maven-release-plugin] prepare release 0.10.0 2018-08-01 18:00:27 -04:00
Les Hazlewood a669cad29b - Added JwtBuilder#signWith(Key) with tests and refactoring. Deprecated additional signWith methods that can lead to confusion.
- Made some tests more deterministic with mocks instead of relying on Random number generator - BigInteger values were non-deterministic because of a random leading sign bit being there (or not) during test runs.

Resolves #366
2018-07-27 23:57:22 -04:00
Les Hazlewood 9189253668 334: key strength assertions and signature validation. Resolves #334 2018-07-27 15:17:01 -04:00
Les Hazlewood 9d244b9fca Added new io.jsonwebtoken.crypto.Keys utility class for generating SecretKeys and KeyPairs. Resolves #350 2018-07-24 22:55:02 -04:00
Les Hazlewood d330f2d4cc Updated Claims implementation as well as put/putAll to better handle specification dates. 2018-07-23 17:08:00 -04:00
Les Hazlewood 439c027c2e 348: Reorganize into a multi-module project. Includes test enhancements and code reorganization 2018-07-20 12:18:40 -04:00