Commit Graph

594 Commits

Author SHA1 Message Date
dependabot[bot] d14f27b624
Bump org.bouncycastle:bcprov-jdk18on from 1.76 to 1.78 (#941)
* Bumps [org.bouncycastle:bcprov-jdk18on](https://github.com/bcgit/bc-java) from 1.76 to 1.78.
- [Changelog](https://github.com/bcgit/bc-java/blob/main/docs/releasenotes.html)
- [Commits](https://github.com/bcgit/bc-java/commits)

updated-dependencies:
- dependency-name: org.bouncycastle:bcprov-jdk18on
  dependency-type: direct:production

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Les Hazlewood <121180+lhazlewood@users.noreply.github.com>
2024-06-17 12:51:20 -07:00
Les Hazlewood 0c2d96c2d0
Fixes #949 (#950)
* Introduced try/finally block to guarantee consumable content InputStream is closed
2024-06-17 12:25:09 -07:00
Les Hazlewood a7de55435b
Fixes #947 (#948) 2024-06-16 16:05:45 -07:00
dependabot[bot] 754324879d
Bump org.bouncycastle:bcpkix-jdk18on from 1.76 to 1.78 (#943)
Bumps [org.bouncycastle:bcpkix-jdk18on](https://github.com/bcgit/bc-java) from 1.76 to 1.78.
- [Changelog](https://github.com/bcgit/bc-java/blob/main/docs/releasenotes.html)
- [Commits](https://github.com/bcgit/bc-java/commits)

---
updated-dependencies:
- dependency-name: org.bouncycastle:bcpkix-jdk18on
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-15 11:03:42 -07:00
Mikko Nylén 3489fdb19b
JWE arbitrary content compression (#937)
Closes #938.

* Fix compression being omitted for JWEs with arbitrary content

The JWE content was compressed only when claims was used as payload, but
when using arbitrary content, the compression was omitted, while keeping
the "zip" header field, leading to decompression failing.

* Refactor duplicate payload -> input stream logic from sign()/encrypt()

* Preserve the content name

* Fix name for JWE payload
2024-04-24 19:52:25 -07:00
Mikko Nylén 23d9a33ff6
Allow using GenericSecret for HmacSHA* (#935)
* Extended the pre-existing check for SUN PKCS11 generic secret to allow `SecretKey`s with `getAlgorithm()` names starting with `Generic` (e.g. `GenericSecret` and `Generic Secret`) as valid keys for `HmacSHA*` algorithm name checks in `DefaultMacAlgorithm`.  This matches at least with the Sun PKCS11 and AWS CloudHSM JCE providers, but likely others as well.
2024-04-22 12:49:06 -07:00
Les Hazlewood c673b76ef5
Update SECURITY.md
Reflect latest 0.12.x version support
2024-04-02 19:23:24 -04:00
Brian Demers 26948610fb
Use Acsiidoc as README format (#777)
Performed by running `kramdoc README.md`, then manual tweaks to adjust formatting

Excludes adoc files from license checks
2024-02-06 14:51:33 -05:00
Les Hazlewood efffa86b8d
Released 0.12.5 (#918)
* Preparing for 0.12.5 release
* [maven-release-plugin] prepare release 0.12.5
* [maven-release-plugin] prepare for next development iteration
2024-01-31 18:52:53 -08:00
lhazlewood a0a123e848
PR #917
* Ensured `NestedCollection`s do not need their `.and()` method called to apply collection changes. Instead, changes are applied immediately as they occur (via `.add`, `.remove`, etc), and `.and()` is now purely for returning to the parent builder if necessary/desired.
* Updated associated JavaDoc with code examples to make the `.and()` method's purpose a little clearer.
* Updated CHANGELOG.md

Closes #916
2024-01-31 17:48:38 -08:00
lhazlewood afcd889832
0.12.4 staging (#913)
Released 0.12.4, with the following additional changes:

- Added 0.12.4 release version references
- Added CI 'workflow_dispatch' event trigger
- Changed git url from ssh to https
2024-01-28 16:52:21 -08:00
lhazlewood dd10b12b53
Added JWK Set documentation to README.mdJwkset doc (#912)
Added JWK Set documentation to README.md
2024-01-28 14:49:01 -08:00
lhazlewood 6335381c97
PBES2 decryption maximum iterations (#911)
Ensured there is an upper bound (maximum) iterations enforced for PBES2 decryption to help mitigate potential DoS attacks. Many thanks to Jingcheng Yang and Jianjun Chen from Sichuan University and Zhongguancun Lab for their work on this!
2024-01-28 13:17:53 -08:00
lhazlewood 2884eb7952
- Updating to GitHub latest actions/checkout and actions/setup-java script versions (#910) 2024-01-27 20:06:20 -08:00
lhazlewood 628bd6f4e8 Secret JWK `k` values larger than HMAC-SHA minimums (#909)
- Ensured Secret JWK 'k' byte arrays for HMAC-SHA algorithms can be larger than the identified HS* algorithm. This is allowed per https://datatracker.ietf.org/doc/html/rfc7518#section-3.2: "A key of the same size as the hash output ... _or larger_ MUST be used with this algorithm"

- Ensured that, when using the JwkBuilder, Secret JWK 'alg' values would automatically be set to 'HS256', 'HS384', or 'HS512' if the specified Java SecretKey algorithm name equals a JCA standard name (HmacSHA256, HmacSHA384, etc) or JCA standard HMAC-SHA OID.

- Updated CHANGELOG.md accordingly.

Fixes #905
2024-01-27 19:55:55 -08:00
Renato Lochetti b12dabf100
Fix small typos (#908) 2024-01-27 11:45:09 -08:00
lhazlewood 26f5dc3dbb
Updating changelog with more information/clarity for the 0.12.4 release (#907) 2024-01-26 21:23:18 -08:00
lhazlewood f61cfa875d
Test case change to reflect accurate assertion for Elliptic Curve 'd' values against the curve order (not the field size) per https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.2.1 (#906) 2024-01-26 17:54:51 -08:00
Ahmad Amiri fd619e0a42
disable FAIL_ON_UNKNOWN_PROPERTIES deserialization feature of Jackson by default (#896) 2024-01-26 16:12:34 -08:00
lhazlewood 07631914c3
NIST Elliptic Curve JWKs: field element byte array padding (#903)
* Ensured NIST Elliptic Curve JWKs pre-pad their X, Y and D byte arrays with zero bytes before Base64URL-encoding if necessary per length requirements defined in:
- https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.1.2
- https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.1.3
- https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.2.1

Fixes #901.
2024-01-25 21:31:36 -08:00
Philzen 3e8f8a84f5
Fix broken links in "Learn more" section (#898)
All of Stormpath.com consistently responds with 404 ATM, therefore this commit replaces the links with archive.org versions that will hopefully stay available for good.
2024-01-23 12:47:28 -08:00
lhazlewood 86e06559bc
- Ensures that Jackson duplicate property detection/rejection is enabled by default. (#895)
Fixes #877
2024-01-17 16:45:30 -08:00
lhazlewood d878404434
Thread-safe ServiceLoader usage
Blend of pre-0.11.0 behavior that cached implementation instances and post-0.11.0 behavior using the JDK ServiceLoader to find/create instances of an SPI interface.  This change:

- Reinstates the <= 0.10.x behavior of caching application singleton service implementation instances in a thread-safe reference (previously an AtomicReference, but in this change, a ConcurrentMap).  If an app singleton instance is cached and found, it is returned to be (re)used immediately when requested.  This is ok for JJWT's purposes because all service implementations instances must be thread-safe application singletons by API contract/design, so caching them for repeated use is fine.

- Ensures that only if a service implementation instance is not in the app singleton cache, a new instance is located/created using a new JDK ServiceLoader instance, which doesn't require thread-safe considerations since it is used only in a single-threaded model for the short time it is used to discover a service implementation.  This PR/change removes the post-0.11.0 concurrent cache of ServiceLoader instances since they themselves are not designed to be thread-safe.

- Ensures that if a ServiceLoader discovers an implementation and returns a new instance, that instance is then cached as an application singleton in the aforementioned ConcurrentMap for continued reuse.

- Renames Services#loadFirst to Services#get to more accurately reflect calling expectations:  The fact that any 'loading' via the ServiceLoader may occur is not important for Services callers, and the previous method name was unnecessarily exposing internal implementation concepts.  This is safe to do in a point release (0.12.3 -> 0.12.4) because the Services class and its methods, while public, are in the `impl` module, only to be used internally for JJWT's purpose and never intended to be used by application developers.

- Updates all test methods to use the renamed method accordingly.

Fixes #873
2024-01-17 13:35:20 -08:00
lhazlewood 406f2f39df
Ensured a single string `aud` (Audience) claim would be retained (without converting it to a `Set`) when copying/applying a source Claims instance to a destination Claims builder. Updated CHANGELOG.md accordingly. (#891)
Fixes #890.
2024-01-11 13:34:34 -08:00
lhazlewood 584d91c2b4
JSONTokener constructor fallback (#888)
OrgJsonDeserializer: Added fallback implementation for Android when JSONTokener(Reader) constructor is not available.

Closes #882
2024-01-09 18:50:13 -08:00
lhazlewood eae68cddc9
Closes #881. (#887)
Fixed typo.
2024-01-09 15:24:37 -08:00
lhazlewood 917ffbb5d9
Released 0.12.3
* Version reference changes in preparation for the 0.12.3 release (#863)
* [maven-release-plugin] prepare release 0.12.3
* [maven-release-plugin] prepare for next development iteration
2023-10-14 20:19:06 -07:00
lhazlewood 28a2ca716a
Upgraded org.json dependency to 20231013
* Upgrades org.json dependency to 20231013 (#862)
2023-10-14 17:20:25 -07:00
lhazlewood db339704e5
Custom empty claims
Closes #858.

Custom claims can now be empty again (which was the behavior for <= 0.11.5).
2023-10-14 16:59:35 -07:00
lhazlewood 59c9df1231
Released 0.12.2 (#856)
* Released 0.12.2
* [maven-release-plugin] prepare release 0.12.2
* [maven-release-plugin] prepare for next development iteration
2023-10-05 22:43:35 -07:00
lhazlewood a7d3d3197c
854 jdk17 visibility (#855)
* Closes #854.

- Replaced `ByteArrayInputStream` reflection with new `BytesInputStream` implementation. The reflection is what required `--add-opens java.base/java.io=jjwt.api` on JDK 17+.
- Refactored `KeysBridge` to perform our own key length logic instead of delegating to `sun.security.util.KeyUtil`.  The reflection is what required `--add-opens java.base/sun.security.util=jjwt.api` on JDK 17+
- Removed `AddOpens.java` due to above refactoring (no longer needed).
- Returned a test-only `--add-opens` for `sun.security.util` for 3 test cases (added to `test.addOpens` maven property)
2023-10-05 22:13:57 -07:00
lhazlewood fad6e2737d
Released 0.12.1
* Released 0.12.1

* [maven-release-plugin] prepare release 0.12.1

* [maven-release-plugin] prepare for next development iteration
2023-10-04 20:08:53 -07:00
lhazlewood 1625067b85
Closes #849 (#852)
- enabled reflective access to `java.io.ByteArrayInputStream` and `sun.misc.security.KeyUtil` on JDK 17+
- Minor refactor to ServicesTest to avoid the need for PowerMock
2023-10-04 19:39:39 -07:00
lhazlewood 44cd5523e8
Update README.md
fixed leading slash typo error
2023-10-03 13:38:49 -07:00
lhazlewood 0c3040922a
0.12.0 staging complete (#847)
* replaced JJWT_RELEASE_VERSION placeholders with 0.12.0

* [maven-release-plugin] prepare release 0.12.0

* [maven-release-plugin] prepare for next development iteration
2023-10-03 13:27:28 -07:00
lhazlewood b411b19b92
key byte array cleanup as necessary (#846) 2023-10-03 12:27:12 -07:00
lhazlewood e78f3f511f
JwtParser.parse* method renames (#845)
* Closes #834

- Deprecated JwtParser parseContentJwt, parseClaimsJwt, parseContentJws and parseClaimsJws in favor of parseUnprotectedContent, parseUnprotectedClaims, parseSignedContent, and parseSignedClaims

- Renamed the not-yet-released JwtParser parseContentJwe and parseClaimsJwe to parseEncryptedContent and parseEncryptedClaims

- Renamed the not-yet-released JwtParser overloaded unencoded payload parseContentJws and parseClaimsJws methods to parseSignedContent and parseSignedClaims

- Deprecated JwtHandler and JwtHandlerAdapter in favor of JwtVisitor and SupportedJwtVisitor
2023-10-03 10:40:06 -07:00
Brian Demers 3b529ac640 Update maven wrapper
Latest version has an option to remove the need for `MavenWrapperDownloader.java`
2023-10-02 11:13:58 -04:00
lhazlewood 05717d0a18
Expanded Parser method argument support (#844)
Closes #328

- Ensured Parser worked with CharSequence, InputStream and Reader, not just String
- Changed Deserializer#deserialize(InputStream) to deserialize(Reader) 
- JwtParser now extends from Parser to support these additional methods.
- Changed remaining JwtParser.parse* methods to accept CharSequence arguments instead of String args.
2023-09-30 11:46:41 -07:00
lhazlewood 36a6e1383b
README cleanup based on latest API (#843) 2023-09-29 16:00:40 -07:00
lhazlewood 854bb8944c
Builder NestedCollection support (#841)
- Added Conjunctor, CollectionMutator, and NestedCollection
- Added JwkBuilder#operations() NestedCollection builder and removed #operation(KeyOperation) and #operations(Collection<KeyOperation>)
- KeyOperationPolicyBuilder now extends CollectionMutator

- Replaced ProtectedHeaderMutator#critical* methods with critical() NestedCollection

- Replaced JwtParserBuilder#critical* methods with critical() NestedCollection

- Replaced ClaimsMutator#audience* methods with audience() AudienceCollection

- Replaced JwtParserBuilder#add* methods with new collection builder methods: enc(), key(), sig() and zip()
2023-09-29 13:42:36 -07:00
lhazlewood 20b2fa9d50
Name cleanup (#840)
- Renamed X509Mutator#x509CertificateSha1Thumbprint to x509Sha1Thumbprint
- Renamed X509Mutator#x509CertificateSha256Thumbprint to x509Sha256Thumbprint
- Renamed X509Builder#withX509Sha1Thumbprint to x509Sha1Thumbprint
- Renamed X509Builder#withX509Sha256Thumbprint to x509Sha256Thumbprint
- Renamed X509Builder#x509CertificateChain to x509Chain
- Renamed X509Accessor#getX509CertificateChain to getX509Chain
- Renamed X509Accessor#getX509CertificateSha1Thumbprint getX509Sha1Thumbprint
- Renamed X509Accessor#getX509CertificateSha256Thumbprint to getX509Sha256Thumbprint

- Renamed JwtParserBuilder#enableUnsecured() to unsecured()
- Renamed JwtParserBuilder#enableUnsecuredDecompression() to unsecuredDecompression()

- Renamed KeyOperationPolicyBuilder#allowUnrelated(boolean) to unrelated() (removed boolean argument also to be consistent with JwtParserBuilder#unsecured())
2023-09-27 18:36:55 -07:00
lhazlewood b687ca5c72
Replace String/byte[] with (N)IO streams (#838)
Closes #837 

Replaced raw `String` and `byte[]` usages with `CharSequence`, `InputStream`/`OutputStream` and `CharBuffer`/`ByteBuffer` concepts where possible to eliminate unnecessary creation of intermediate byte arrays and/or temporary Strings.

-----
- Changed TokenizedJwt and TokenizedJwe interfaces and implementations to return CharSequences instead of Strings to avoid creating new Strings on the heap
- Changed internal Base64 implementation to work with a CharSequence instead of a raw char[] to reduce need to create new arrays on the heap
- Changed Base64Decoder generics signature from Decoder<String,byte[]> to Decoder<CharSequence,byte[]>
- Decoders.BASE64 and Decoders.BASE64URL now reflect Decoder<CharSequence,byte[]>
- Changed Strings#utf8 implementation to accept a CharSequence instead of a String
- Added new Strings#wrap to wrap a CharSequence into a CharBuffer if necessary
- Renamed not-yet-released JwtBuilder#serializer method with JwtBuilder#json
- Renamed not-yet-released JwtParserBuilder#deserializer method with JwtParserBuilder#json

-----
- Moved JwtDeserializer from io.jsonwebtoken.impl to io.jsonwebtoken.impl.io package, created two new subclass implementations for use with Jwks and JwkSets
- Renamed JwtDeserializer to JsonObjectDeserializer that defaults to throwing MalformedJwtException.  Added two subclasses, JwkDeserializer and JwkSetDeserializer that throws JWK and JWK Set-specific exceptions.

-----
Changed ParserBuilder#deserializer method name to ParserBuilder#jsonReader

-----
Removed all usages of Serializer#serialize and Deserializer#deserialize except for deprecated implementations.  All other usages now use InputStream/OutputStream concepts

-----
Added Jwks#json and Jwks#UNSAFE_JSON for assistance in serializing JWKs to JSON (test cases, README examples, etc)

-----
- Ensured Encoder and CompressionAlgorithm supported streams instead of just byte arrays
- Copied over necessary (Apache-licensed) code from Apache commons-codec to obtain Base64OutputStream and Base64InputStream capability for efficient encoding during compact JWT creation.  Hopefully this is temporary and we can strip out most if not all of this and modify our existing Base64.java class for simpler support since we have many less use cases than what commons-codec supports.  All implementations are now in the `impl` module only.

-----
Converted all DigestAlgorithms to utilize an InputStream for data instead of byte[]

-----
- Added JwtBuilder InputStream payload support: added JwtBuilder#content(InputStream), JwtBuilder#content(InputStream, String contentType), JwtBuilder#content(String, String contentType)
- Added CountingInputStream as a way to check and assert that b64/unencoded payload InputStreams cannot be empty.

------
Renamed Encoder/Decoder and CompressionAlgorithm 'wrap' methods to encode/decode/compress/decompress for better readability and to make clearer the intent of the method. Also to avoid name/text/search collisions with 'wrap' references.

-----
Renamed new JwtBuilder#encoder and JwtParserBuilder#decoder methods to JwtBuilder#b64Url and JwtParserBuilder#b64Url for shorter method chains

-----
- Updated AeadAlgorithm and its AeadRequest/AeadResult concepts to utilize Input/Output Streams
- Renamed InitializationVectorSupplier to IvSupplier (was verbose, and it's a new interface, and it's not commonly referenced in the API, so the extra verbosity isn't needed)
2023-09-27 16:31:11 -07:00
Brian Demers 7fcd652aea Add Java 21 to CI matrix build
* Update groovy patch version to support Java 21.

NOTE: This adds a Maven profile that ups the source/target version to Java 8, but ONLY when building with 21+
2023-09-25 16:25:30 -04:00
Brian Demers 7805e08bff ServiceLoaders are now cached.
The first ServiceLoaders found when looking up a class will be cached. This cache can be reset by calling `Services.reload()`, to help
facilitate testing or instances where a classpaths are dynamically changed at runtime.

Fixes: #752
2023-09-18 11:36:25 -04:00
lhazlewood a920163be4
Closes #773 (#835)
Fixed exception message per recommendation.
2023-09-16 18:49:43 -07:00
lhazlewood a2b65763e9
Closes #816 (#836)
Closes #816

Fixed exception message per recommendation.

Also updated expiration message to be clearer/intuitive.
2023-09-16 18:47:33 -07:00
Micah Silverman e9df2da272
Added snyk open-source ratings badges to readme (#688)
* Added snyk open-source ratings badges to readme
2023-09-16 15:32:31 -07:00
lhazlewood fa1e32bf86
Updated Unencoded Payload Option Table of Contents (#833) 2023-09-16 14:06:50 -07:00
lhazlewood 34aa33421f
RFC7797 implementation (#832)
Closes #515

[RFC 7797)(https://www.rfc-editor.org/rfc/rfc7797.html) support.

JwsHeader:
- Added new JwtHeader#isPayloadEncoded() to check for `b64` in crit values and as parameter value.

JwtBuilder:
- Added new #content(String) method for non-detached unencoded payloads
- Added new #encodePayload(boolean) method to disable payload Base64URL-encoding

JwtParserBuilder:
- Added new #critical(String) convenience method to append to the crit set

JwtParser:
- Added new #parseContentJws(String, byte[]) method to allow supplying detached payloads for signature verification at parse time
- Added new #parseClaimsJws(String, byte[]) method to allow supplying detached serialized JSON claims for signature verification at parse time

- Added all backing implementations and test cases to 100% coverage
- Added RFC7797Test class for bulk of this RFC's tests so they don't get 'lost' in the already-too-large JwtsTest class
- README.md documentation added in JWS section
- CHANGELOG.md updated
2023-09-16 13:56:13 -07:00