Commit Graph

534 Commits

Author SHA1 Message Date
Les Hazlewood 55fcf190cc Merge pull request #162 from maurociancio/patch-2
Fix typo.
2016-09-11 12:49:44 -07:00
Les Hazlewood 79e95856a4 161: upgraded library versions to latest stable 2016-09-11 12:48:48 -07:00
Mauro Ciancio 77dcd9a9b3 Fix typo 2016-09-08 11:56:17 -03:00
Les Hazlewood f522abe2cb Merge pull request #158 from benbenw/parser-perf
improve jwt parser memory allocation
2016-08-31 12:23:20 -04:00
Les Hazlewood 8e26b937f6 Merge pull request #159 from benbenw/ignore-eclipse
add eclipse files to gitignore
2016-08-31 12:21:53 -04:00
benoit d13d2eeffe add eclipse files to gitignore 2016-08-31 16:54:10 +02:00
benoit 9735d1ad98 improve jwt parser memory allocation
re-use buffer instead of creating new ones
avoid creating unneeded buffers in the Strings util methods
Stop continuously copying array with StringBuilder#deleteCharAt
work directly on StringBuilder instead of creating a temporary String

test added to cover the modified methods
2016-08-31 16:39:42 +02:00
Michael Sims 3fb794ee91 #61: Add support for clock skew to JwtParser for exp and nbf claims 2016-08-29 16:34:00 -05:00
Les Hazlewood 0408313d3f Merge pull request #150 from mike9005/patch-1
Fix ES512 description typo in README
2016-07-21 13:08:54 -07:00
Michael Collis c5ae6f53f1 Fix ES512 description typo in README 2016-07-21 15:30:36 -04:00
brentstormpath ab76c850db Readme Update 2016-07-12 17:24:26 -07:00
brentstormpath 007b82c6ad Merge pull request #1 from jwtk/master
Merge Updates from Upstream Master
2016-07-12 17:19:12 -07:00
Les Hazlewood 3bd425a63d updated coveralls logo 2016-07-04 12:16:16 -07:00
Les Hazlewood e55ea34e95 Merge pull request #105 from aarondav/patch-2
Avoid potentially critical vulnerability in ECDSA signature validation
2016-07-04 11:56:48 -07:00
Les Hazlewood 8e6e165c1d Merge pull request #141 from jwtk/coveralls_jacoco
updated to jacoco as only jacoco supports java 8
2016-07-04 11:52:20 -07:00
Les Hazlewood 07534487d3 Merge pull request #132 from alexanderkjall/patch-1
javadoc typo
2016-07-04 11:51:28 -07:00
Micah Silverman 82f4b0a696 updated to jacoco as only jacoco supports java 8 per: https://github.com/trautonen/coveralls-maven-plugin#faq 2016-07-04 01:01:42 -04:00
Les Hazlewood 09c96ce305 Merge pull request #140 from jwtk/readme_update
Readme update and move Changelog to its own file
2016-07-03 12:36:53 -07:00
Micah Silverman 7a2808af12 Expanded on intro section. 2016-07-03 12:29:13 -04:00
Micah Silverman b053834dae Updated README with more examples 2016-07-03 12:29:13 -04:00
Micah Silverman 78cb1707d7 moved older jackson section back into readme 2016-07-03 12:29:13 -04:00
Micah Silverman 0899261074 Separated CHANGELOG from README 2016-07-03 12:29:13 -04:00
Les Hazlewood ceac032f11 Merge pull request #137 from martintreurnicht/master
Fixed ECDSA Signing and verification
2016-06-30 14:11:08 -07:00
Martin Treurnicht c3e5f95242 Added more descriptive backwards compatibility information 2016-06-30 13:46:07 -07:00
Martin Treurnicht 174e1b13b8 Add back swarm test for 100% coverage 2016-06-28 12:19:54 -07:00
Martin Treurnicht 61510dfca5 Cleanup as per request of https://github.com/lhazlewood 2016-06-28 12:12:40 -07:00
Martin Treurnicht c60deebb64 Removed java 8 dependencies in test 2016-06-27 16:02:06 -07:00
Martin Treurnicht a73e0044b8 Fixed ECDSA Signing and verification to use R + S curve points as per spec https://tools.ietf.org/html/rfc7515#page-45 2016-06-27 15:43:35 -07:00
Alexander Kjäll 26a14fd3c3 javadoc typo
Updated the number of bits for the HS512 algorithm in the javadoc comment.
2016-06-13 14:40:35 +02:00
Brian Matzon f08386c63b formatting 2016-06-08 00:20:23 +02:00
Brian Matzon 4be4912cb2 moved Java test into groovy 2016-06-06 23:43:52 +02:00
Brian Matzon 39ee58a511 implement hashCode and equals in JwtMap 2016-04-27 12:15:36 +02:00
Les Hazlewood 29f980c5c9 coverage improvements. Removed unnecessary line from DefaultClaims 2016-04-17 14:26:28 -07:00
Les Hazlewood e392524919 cherry pick from c62d012cf80341747f3f3aa8b43127cde0ab4dce: javadoc cleanup, compression backwards compatibility change
cherry pick from c62d012cf80341747f3f3aa8b43127cde0ab4dce: javadoc cleanup, compression backwards compatibility change

113: increased code coverage threshold for DefaultJwtParser and DefaultJwtBuilder
2016-04-17 13:51:30 -07:00
Les Hazlewood 3dfae9a31d 109: removed implementation coupling from Clock interface. DefaultClock.INSTANCE achieves the same thing without coupling. 2016-04-01 18:26:59 -07:00
Les Hazlewood 9e1ee67582 Clock time source for parsing
Clock source
2016-04-01 18:23:47 -07:00
Les Hazlewood 72e0e3b23c 109: enabled injection of a time source - a 'Clock' 2016-04-01 18:15:37 -07:00
Les Hazlewood 13d2e8370a Merge branch 'master' of https://github.com/Blackbaud-MitchellMorris/jjwt into Blackbaud-MitchellMorris-master 2016-04-01 17:42:32 -07:00
Aaron Davidson 707f7bc046 Change assert to require hmac 2016-03-26 12:17:26 -07:00
Aaron Davidson 5385e0d7d3 Avoid potentially critical vulnerability in ECDSA signature validation
Quite possible we're missing something here, so please forgive if so. After seeing [this article](https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/) (see "RSA or HMAC?" section), we did a quick scan through the JJWT implementation to see if it was vulnerable. While it seems like the RSA check should work, no such check seemed to exist for ECDSA signatures.

As a result, it may be possible for users of this library to use `setSigningKey(byte[] key)` while intending to use ECDSA, but have the client alter the algorithm and signature to use HMAC with the public key as the "secret key", allowing the client to inject arbitrary payloads.

cc @thomaso-mirodin
2016-03-19 22:40:44 -07:00
Les Hazlewood 0534120f9c Merge pull request #104 from brentstormpath/master
Update Readme
2016-03-16 17:43:36 -07:00
brentstormpath 42f89d283c Moving change log notes back into readme 2016-03-16 17:30:58 -07:00
brentstormpath 7201704e94 Fixing a link and moving the author section down 2016-03-15 16:16:18 -07:00
Les Hazlewood 7686d43366 Merge pull request #102 from jwtk/101-update-jackson
Upgraded Jackson to 2.7.0
2016-03-08 19:42:33 -08:00
Les Hazlewood 1cb8568664 upgraded Jackson to 2.7.0 2016-03-08 19:38:00 -08:00
Les Hazlewood d747f09662 Merge pull request #99 from jwtk/95-osgi
Enabled OSGi bundle
2016-03-08 19:35:31 -08:00
Les Hazlewood 76b1263b05 Merge branch 'master' into 95-osgi 2016-03-08 19:24:04 -08:00
Les Hazlewood a5fe1b961b Merge pull request #98 from jwtk/97-openjdk7
Removed openjdk7 from travis build.
2016-03-08 19:17:37 -08:00
Les Hazlewood cbf9ff4e64 97: removed openjdk7 from travis build. Oracle JDK 7 works fine and JDK 7 is end-of-life anyway 2016-03-08 19:10:25 -08:00
Dave LeBlanc 312763a00b Made the android dep optional in OSGi
Changed the packaging type to bundle - required
by the bundle plugin.

Upgraded to the latest version of the maven
bundle plugin.
2016-02-26 19:08:01 -08:00