honeymoose
/
jjwt
mirror of https://github.com/jwtk/jjwt.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
jjwt/extensions
History
lhazlewood 620cc5d97f
Made Curve and Jwks.CRV part of the public API (#797) 
* Made Curve concept part of the public API for key generation, and added Jwks.CRV utility class to reference standard curves

- Ensured PS256, PS384, and PS512 pem-encoded test key files accurately represented the rsassa-pss algorithmId (OID) with appropriate hash/mgf1 properties.
- Removed Jwts.SIG#Ed25519 and Jwts.SIG#Ed448 since they were only there for key generation and those keys can now be generated via the Jwks.CRV#Ed25519 and Jwks.CRV#Ed448 references.
- Consolidated duplicate use/key_ops logic for checking sig/sign/verify between SecretJwkFactory and RsaPrivateJwkFactory into JwkContext.isSigUse()
- Ensured if JwkContext.isSigUse() is true, and a JWK (from values only) is RSA and RSASSA-PSS is available (JDK 11+ or BC enabled), that the JWK's generated RSAPublicKey and RSAPrivateKey use the RSASSA-PSS algorithm instead of just RSA.
- Enforced that RSASSA-PSS keys cannot be used for encryption in the RSA KeyAlgorithm implementation (would be a security risk otherwise).
- Enforced that RSA encryption keys cannot be used to create RSASSA-PSS digital signatures (but can verify them) ala the "robustness principle" (to reduce security exposure).
- Ensured README.md and JavaReadmeTest reflected Jwks.CRV usage for keypair generation.

* Added TestCertificates workaround for https://bugs.openjdk.org/browse/JDK-8242556

* Added JwtX509StringConverter workaround for https://bugs.openjdk.org/browse/JDK-8242556

* Added JwtX509StringConverter workaround for https://bugs.openjdk.org/browse/JDK-8242556

* Reverted to former RsaSignatureAlgorithm logic for PSS key validation (no prevention of rsaEncryption keys with PSS) as RFC 7520 test vectors show using a standard RSA key to compute a PSS signature in https://www.rfc-editor.org/rfc/rfc7520.html#section-4.2.1

* Ensured Jwk tests that used RSASSA-PSS keys (from openssl files) used the BC provider since RSASSA-PSS isn't available natively before JDK 11

* Restored TestCertificates logic needed to address JDK 11 bug during tests https://bugs.openjdk.org/browse/JDK-8213363 (fixed in JDK 12+)
 		2023-08-17 15:21:54 -07:00
..
gson Immutables (#790) 2023-08-04 12:35:33 -07:00
jackson Immutables (#790) 2023-08-04 12:35:33 -07:00
orgjson Made Curve and Jwks.CRV part of the public API (#797) 2023-08-17 15:21:54 -07:00
pom.xml Immutables (#790) 2023-08-04 12:35:33 -07:00