1Changes
2=======
3
4v1.2.25 23 May 2022
5[Bug Fixes][Security]
6 * [jwe] An old bug from at least 7 years ago existed in handling AES-CBC unpadding,
7 where the unpad operation might remove more bytes than necessary (#744)
8 This affects all jwx code that is available before v2.0.2 and v1.2.25.
9
10v1.2.24 05 May 2022
11[Security]
12 * Upgrade golang.org/x/crypto (#724)
13
14v1.2.23 13 Apr 2022
15[Bug fixes]
16 * [jwk] jwk.AutoRefresh had a race condition when `Configure()` was
17 called concurrently (#686)
18 (It has been patched correctly, but we may come back to revisit
19 the design choices in the near future)
20
21v1.2.22 08 Apr 2022
22[Bug fixes]
23 * [jws] jws.Verify was ignoring the `b64` header when it was present
24 in the protected headers (#681). Now the following should work:
25
26 jws.Sign(..., jws.WithDetachedPayload(payload))
27 // previously payload had to be base64 encoded
28 jws.Verify(..., jws.WithDetachedPayload(payload))
29
30 (note: v2 branch was not affected)
31
32v1.2.21 30 Mar 2022
33[Bug fixes]
34 * [jwk] RSA keys without p and q can now be parsed.
35
36v1.2.20 03 Mar 2022
37[Miscellaneous]
38 * Dependency on golang.org/x/crypto has been upgraded to
39 v0.0.0-20220214200702-86341886e292 to address
40 https://nvd.nist.gov/vuln/detail/CVE-2020-14040 (#598)
41
42v1.2.19 22 Feb 2022
43[New Feature]
44 * [jwk] jwk.Parse (and (jwk.AutoRefresh).Configure) can accept a new
45 option `jwk.WithIgnoreParseError(bool)`, which allows users to ignore
46 errors during parsing of each key contained in the JWKS, allowing
47 you to "skip" invalid keys.
48
49 This option should not be used lightly, as it hides the presence of
50 possibly faulty keys. However, this can be an escape hatch if you are
51 faced with a faulty JWKS that you do not control.
52
53v1.2.18 23 Jan 2022
54[Bug fixes]
55 * [jwe] When presented with jwk.Key with a key ID, the jwe encryption
56 code path did not assign this key ID to the resulting data structure.
57 This has been fixed, and now the key ID is properly applied to the
58 `kid` field.
59 * [jws] Use for `crypto.Signer`s were implemented for signing, but verification was
60 never properly implemented. This has been fixed.
61
62[Miscellaneous]
63 * [jws] Because of fixes to code path that deals with `crypto.Signer`s, we are
64 now able to fully integrate with Cloud services, such as Google's Cloud KMS
65 and AWS KMS, that provide key management and signing payloads
66
67 An implementation for these are available at https://github.com/jwx-go/crypto-signer.
68
69 Suppot `crypto.Signer` in JWE encryption has not been implemented.
70
71v1.2.17 12 Jan 2022
72[Miscellaneous]
73 * Re-release v1.2.16 as v1.2.17 because of an error in the release process.
74 The code is exactly the same as what v1.2.16 intended to release.
75 v1.2.16 has been retracted in go.mod.
76
77v1.2.16 12 Jan 2022
78
79 THIS VERSION HAS BEEN RETRACTED. PLEASE USE v1.2.17
80
81[Bug Fixes]
82 * Peviously, `jws.Sign()` could not create a signed payload with
83 detached and unencoded payload, even when the documentation said it could.
84 Now you may use the `jws.Sign()` in the following way to create
85 a JWS message with detached, unencoded state:
86
87 hdrs := jws.NewHeaders()
88 hdrs.Set("b64", false)
89 hdrs.Set("crit", "b64")
90 jws.Sign(nil, alg, key, jws.WithDetachedPayload(payload), jws.WithHeaders(hdrs))
91
92 Notice the use of `nil` for the first parameter, and the use of
93 `jws.WithDetachedPayload()`.
94
95 We realize this is not exactly a clean API, but this is currently the
96 only way to implement this in a backward-compatible fashion. Most likely
97 this will change in a future major version.
98[Miscellaneous]
99 * `jws.WithDetachedPayload()` is now of type `jws.SignVerifyOption`, which
100 satisfies both `jws.SignOption` and `jws.VerifyOption`
101
102
103v1.2.15 07 Jan 2022
104[New Features]
105 * `(jwk.AutoRefresh).Remove()` has been implemented.
106[Bug Fixes]
107 * ES256K is now included in the list of JWS inferred algorithms, if it's
108 enabled via -tags jwx_es256k
109[Miscellaneous]
110 * `jwt.Parse` has been improved for efficiency and has more tests to
111 cover corner cases.
112 * Documentation fixes
113
114v1.2.14 22 Dec 2021
115[New Features]
116 * `jwk.Fetch()` and `(*jwk.AutoRefresh).Configure()` can now take `jwk.Whitelist`
117 object to check for the validity of a url to be fetched
118 * `jws.VerifyAuto()` has been added to verify payloads that can be verified
119 using the JWK set provided in the "jku" field. This function is purposely
120 separated from the `jws.Verify()` function because 1) the required parameters
121 are different, and 2) Users MUST be aware that they are doing a totally
122 different operation than a regular `jws.Verify()`
123 * `(jwk.AutoRefresh).IsRegistered()` has been added.
124
125[Bug fixes]
126 * `jws.SignMulti()` has been fixed to assign the "kid" field of the key used
127 for signing the payload
128 * `jws.SignMulti()` has been fixed to respect the "kid" field of the protected
129 header, not the public header
130
131v1.2.13 07 Dec 2021
132[New Features]
133 * `jwt` package now has a `Builder` that may make it easier to programmatically
134 create a JWT for some users.
135 * `jwt` errors now can be distinguished between validation errors and others.
136 Use `jwt.IsValidationError()` to check if it's a validation error, and then
137 use `errors.Is()` to check if it's one of the known (oft-used) errors
138
139v1.2.12 01 Dec 2021
140[New Features]
141 * `jwk.Set` can now parse private parameters. For example, after parsing
142 a JWKS serialized as `{"foo": "bar", "keys": [...]}`, users can get to
143 the value of `"foo"` by calling `set.Field("foo")`
144 * `jwk.Set` now has `Set()` method to set field values.
145
146v1.2.11 14 Nov 2021
147[Security Fix]
148 * It was reported that since v1.2.6, it was possible to craft
149 a special JSON object to bypass JWT verification via `jwt.Parse`.
150 If you relied on this module to perform all the verification,
151 upgrade is strongly recommended.
152
153v1.2.10 09 Nov 2021
154[Bug fixes]
155 * Parsing OpenID claims were not working for some fields.
156 This was caused by the same problem as the problem fixed in v1.2.9.
157 Proper tests have been added.
158
159v1.2.9 26 Oct 2021
160[Bug fixes]
161 * Parsing `key_ops` for JWKs which was broken in v1.2.8 has been fixed.
162
163v1.2.8 21 Oct 2021
164[Miscellaneous]
165 * `jws.Message`, `jws.Signature`, `jws.Headers` have been reworked
166 to allow JSON messages to be verified correctly. The problem can
167 be caused when protected headers are serialized one way (perhaps
168 `{"c":3","a":1,"b":2}` was used before being base64-encoded) but
169 the Go serialization differed from it (Go serializes in alphabetical
170 order: `{"a":1,"b":2,"c":3}`)
171
172 Messages serialized in compact form do NOT suffer from the
173 same problem.
174
175 This is close to fixes that went in v1.2.2. It boils down to the
176 fact that once deserialized, the JWS messages lose part of its
177 information (namely, the raw, original protected header value),
178 and neither users nor the developers of this library should
179 rely on it.
180
181 * Code generation has be refactored. The main go.mod should now
182 have slightly less dependencies.
183
184v1.2.7 26 Sep 2021
185[New features]
186 * `jwt.InferAlgorithmFromKey()` option is now available to "guess"
187 the algorithm used to verify the JWS signature on a JWT using
188 a JWKS (key set). This allows you to match JWKs that do not have
189 the `alg` field populated.
190
191 We understand that some providers do not provide the `alg` field,
192 which is a nuisance to users. But from a purely security minded PoV,
193 we don't think that this "try until something works" approach is a
194 good one, even if there are no known exploits. This is why the
195 default `jwt.Parse` mechanism is unchanged, and an explicit option
196 has been added.
197
198 * Types `jwt.KeySetProvider` and `jwk.KeySetProviderFunc` have been
199 added. Along with `jwt.WithKeySetProvider()` option, `jwt.Parse`
200 can now choose the `jwk.Set` to use for signature verification
201 dynamically using the UNVERFIEID token as a clue.
202
203 You should NOT trust the token information too much. For example,
204 DO NOT directly use values from the token as verificatin parameters
205 (such as the signature algorithm)
206
207 * `jwt.WithValidator()` has been added to allow users pass in aribtrary
208 validation code to the `jwt.Validate()` method.
209
210 It is also now possible to pass in a `context.Context` object to
211 `jwt.Validate()` using `jwt.WithContext()` option.
212
213[Miscellaneous]
214 * Make the error messages when `jwt.ParseRequest` fails a bit better.
215 * Moved around documentation within the repository
216 * Validation logic for `jwt.Validate()` has been refactored to use the
217 new `jwt.Validator` mechanism
218
219v1.2.6 24 Aug 2021
220[New features]
221 * Support `crypto.Signer` keys for RSA, ECDSA, and EdDSA family
222 of signatures in `jws.Sign`
223[Miscellaneous]
224 * `jwx.GuessFormat()` now requires the presense of both `payload` and
225 `signatures` keys for it to guess that a JSON object is a JWS message.
226 * Slightly enhance `jwt.Parse()` performance.
227
228v1.2.5 04 Aug 2021
229[New features]
230 * Implement RFC7797. The value of the header field `b64` changes
231 how the payload is treated in JWS
232 * Implement detached payloads for JWS
233 * Implement (jwk.AutoRefresh).ErrorSink() to register a channel
234 where you can receive errors from fetches and parses that occur during
235 JWK(s) retrieval.
236
237v1.2.4 15 Jul 2021
238[Bug fixes]
239 * We had the same off-by-one in another place and jumped the gun on
240 releasing a new version. At least we were making mistakes uniformally :/
241 `(jwk.Set).Remove` should finally be fixed.
242
243[New features]
244 * `(jwk.Set).Clone()` has been added.
245
246v1.2.3 15 Jul 2021
247[Bug fixes]
248 * jwk.Set incorrectly removed 2 elements instead of one.
249
250[Miscellaneous]
251 * github.com/goccy/go-json has been upgraded to v0.7.4
252
253v1.2.2 13 Jul 2021
254[Deprecation notice]
255 * `(jwe.Message).Decrypt()` will be removed from the API upon the next
256 major release.
257
258[Bug Fixes]
259 * `jwe.Decrypt` and `(jwe.Message).Decrypt()` failed to decrypt even
260 with the correct message contents when used along with `jwe.RegisterCustomField`
261
262[New features]
263 JWX
264 * Add GuessFormat() function to guess what the payload is.
265
266 JWT
267 * Options `jwt.WithMinDelta()`, `jwt.WithMaxDelta()` have been added.
268 These can be used to compare time-based fields in the JWT object.
269 * Option `jwt.WithRequiredClaim()` has been added. This can be used
270 to check that JWT contains the given claim.
271 * `jwt.Parse` now understands payloads that have been encrypted _and_ signed.
272 This is more in line with the RFC than the previous implementation, but
273 due to the fact that it requires a couple of extra unmarshaling, it may
274 add some amount of overhead.
275 * `jwt.Serializer` has been added as an easy wrapper to perform multiple
276 levels of serializations (e.g. apply JWS, then JWE)
277
278 JWE
279 * Option `jwe.WithMessage()` has been added. This allows the user to
280 obtain both the decrypted payload _and_ the raw `*jwe.Message` in one
281 go when `jwe.Decrypt()` is called
282 * Option `jwe.WithPostParser()`, along with `jwe.PostParser` and `jwe.PostParseFunc`
283 has been added. This allows advanced users to hook into the `jwe.Decrypt()`
284 process. The hook is called right after the JWE message has been parsed,
285 but before the actual decryption has taken place.
286 * `(jwe.Message).Decrypt()` has been marked for deprecation in a next major release.
287
288 JWS
289 * Option `jwe.WithMessage()` has been added. This allows the user to
290 obtain both the verified payload _and_ the raw `*jws.Message` in one
291 go when `jws.Verify()` is called
292 * Options to `jws.Sign()` are not of type `jws.SignOption`. There should be
293 no user-visible effects unless you were storing these somewhere.
294
295v1.2.1 02 Jun 2021
296[New features]
297 * Option `jwt.WithTypedClaim()` and `jwk.WithTypedField()` have been added.
298 They allow a per-object custom conversion from their JSON representation
299 to a Go object, much like `RegisterCustomField`.
300
301 The difference is that whereas `RegisterCustomField` has global effect,
302 these typed fields only take effect in the call where the option was
303 explicitly passed.
304
305 `jws` and `jwe` does not have these options because
306 (1) JWS and JWE messages don't generally carry much in terms of custom data
307 (2) This requires changes in function signatures.
308
309 Only use these options when you absolutely need to. While it is a powerful
310 tool, they do have many caveats, and abusing these features will have
311 negative effects. See the documentation for details
312
313v1.2.0 30 Apr 2021
314
315This is a security fix release with minor incompatibilities from earlier version
316with regards to the behavior of `jwt.Verify()` function
317
318[Security Fix]
319 * `jwt.Verify()` had improperly used the `"alg"` header from the JWS message
320 when `jwt.WithKeySet()` option was used (potentially allowing exploits
321 described in https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/.
322 This has been fixed by ONLY trusting the keys that you provide and
323 using the `"alg"` header from the keys themselves. (#375, #381)
324
325 As a side effect, `jwt.WithKeySet()` requires that all applicable keys
326 to contain a valid `"alg"` header. Without this we cannot safely choose a key to use,
327 and hence verification will fail.
328
329 The requirement for the `"alg"` header on keys is an INCOMPATIBLE behavior.
330 This may break existing code, if the key does not already have an `"alg"` header.
331
332[New features]
333 * `jwt.Settings()` and `jwt.WithFlattenAudience(bool)` has been added
334 to control how the "aud" claim is serialized into JSON. When this
335 is enabled, all JWTs with a single "aud" claim will serialize
336 the field as a single string, instead of an array of strings with
337 a single element, i.e.:
338
339 // jwt.WithFlattenAudience(true)
340 {"aud": "foo"}
341
342 // jwt.WithFlattenAudience(false)
343 {"aud": ["foo"]}
344
345 This setting has a global effect.
346
347[Buf fixes]
348 * jwt.Validate now returns true if the value in `nbf` field is exactly
349 the same as what the clock returns (e.g. token.nbf == time.Now())
350
351v1.1.7 02 Apr 2021
352[New features]
353 * `jwk.New` `jwk.Parse`, `jwk.ParseKey` can now take a Certificate in
354 ASN.1 DER format in PEM encoding to create a JWK.
355
356[Bug fixes]
357 * Protect `jwk.New()` from invalid RSA/ECDSA keys (#360, #361)
358
359[Miscellaneous]
360 * Removed "internal/blackmagic" and separated it to its own repository.
361 * Removed unused "marshal proxy" objects in jwt
362 * Added FAQ in `jwt` package
363
364v1.1.6 28 Mar 2021
365[Bug fixes]
366 * When an object (e.g. JWT) has a null value and `AsMap()` is called,
367 `github.com/lestrrat-go/iter` would panic.
368 This should be fixed in `github.com/lestrrat-go/iter@v1.0.1` and
369 the dependency has been updated accordingly
370
371[Miscellaneous]
372 * Added How-to style docs under `docs/`
373 * github.com/goccy/go-json dependency has been updated to v0.4.8
374
375v1.1.5 12 Mar 2021
376 This is a security fix release. The JWT validation could be skipped
377 for empty values. Upgrade recommended
378
379[Security Fix]
380 * JWT validation could be skipped for empty fields (#352).
381
382[Bug fixes]
383 * Allow setting JWT "typ" fields to any value (#351).
384 * Remove stray replace directive in cmd/jwx/go.mod (#349)
385
386v1.1.4 02 Mar 2021
387[New features]
388 * jwt.ParseRequest, jwt.ParseHeader, jwt.ParseForm have been added.
389 They are convenience functions to parse JWTs out of a HTTP request.
390
391[Miscellaneous]
392 * Fix jwt.Equals() so that comparison between values containing time.Time
393 actually work
394
395 * ES256K has been made non-default. You must enable it using a build tag
396
397 go build -tags jwx_es256k ...
398
399 Your program will still compile without this tag, but it will return
400 an error during runtime, when ES256K is encountered.
401 This feature is still experimental.
402
403v1.1.3 22 Feb 2021
404[New features]
405 * Implemented ES256K signing (#337)
406 This feature should be considered experimental
407
408[Miscellaneous]
409 * Bump minimum required version to go1.15
410 * Fix examples, bench, and cmd/jwx accidentally requiring go1.16
411 * Dependencies for "github.com/goccy/go-json" has been upgraded to
412 v0.4.7
413
414v1.1.2 16 Feb 2021
415[New features]
416 * `RegisterCustomField()` has been added, which allows users to
417 specify a private claim/field/header to decode into a particular
418 object of choice, instead of map[string]interface{} or []interface{} (#332, #333)
419
420[Bug fixes]
421 * Failures for `jwk.Key.MarshalJSON()` were not properly reported (#330, #331)
422
423[Miscellaneous]
424 * `jwe.Encrypt()` now takes options. This should not matter unless you
425 were somehow depending on its method signature.
426 * Dependencies for "github.com/goccy/go-json" has been upgraded to
427 v0.4.2
428
429v1.1.1 05 Feb 2021
430[New features]
431 * Command line tool `jwx` has ben completely reworked, and it is
432 now actually useful.
433
434 * JWKs can now be serialized into PEM files with ASN.1 DER format
435 data, which is useful when you need to work between JSON and PEM
436 data formats.
437
438 * Constants in jwa package now have can be listed via functions
439 in each category.
440
441 * jwe.Encrypt and jwe.Decrypt can now handle jwk.Key objects
442
443v1.1.0 31 Jan 2021
444 v1.1.0 is a release that attempts to fix as many of the quirky APIs
445 that survived the API breaking change of v0.9.x -> v1.0.0. This is
446 hopefully the last releases that change backwards compatibility
447 in a major way, at least for some time to come.
448
449 It is unfortunate that we need to introduce API changes, but we
450 keep learning how the library is being used and the pain points
451 of using this library. Most of the times these pain points are
452 things that we initially did not think about, which in turn
453 requires us to rethink of the API.
454
455 If you do not wish to spend the time fixing your usage, make sure
456 you have your go.mod set up to not automatically track the latest
457 changes.
458
459 However, if you do decide to use the latest version, we believe
460 the API is more uniform across packages, and generally is easier
461 to understand. We hope this library helps some of you out there.
462
463[BREAKING CHANGES]
464 * `jwk.Parse(io.Reader)`, `jws.Parse(io.Reader)`, `jwt.Parse(io.Reader)`,
465 have all been changed to `Parse([]byte)`. To use an `io.Reader`,
466 use `ParseReader(io.Reader)`. `jwe.Parse` already took `[]byte`, so
467 has not been changed.
468
469 With this change, all four package `jwe`, `jwk`, `jws`, and `jwt` follow
470 the same API design, which should make things easier to navigate:
471
472 Parse([]byte)
473 ParseString(string)
474 ParseReader(io.Reader)
475
476 * `jwk.Set` is now an interface, not a struct. `jwk.Set` now has a
477 well-defined API to access and modify the `jwk.Key` objects that it holds.
478
479 Add(jwk.Key) bool
480 Clear()
481 Get(int) (jwk.Key, bool)
482 Index(jwk.Key) int
483 Len() int
484 LookupKeyID() (jwk.Key, bool) // Read the section about it below
485 Remove(jwk.Key) bool
486 Iterate(context.Context) KeyIterator
487
488 * `(jwk.Set).LookupKeyID()` no longer returns an array of `jwk.Key`.
489 Instead, only the first key matching the given key ID will be returned.
490 If you need to work with multiple keys, use `(jwk.Set).Iterate()` or
491 `(jwk.Set).Get()` to look for matching keys.
492
493 * `jwk.PublicKeyOf()` has been renamed to `jwk.PublicRawKeyOf()`,
494 which converts raw keys (e.g. `rsa.PrivateKey`) to their public
495 counter part (e.g. `rsa.PublicKey`)
496
497 `jwk.PublicKeyOf()` is now used to get the public counter part of
498 `jwk.Key` objects (e.g. `jwk.RSAPrivateKey` to `jwk.RSAPublicKey`)
499
500 `jwk.PublicSetOf()` has been added to get a new `jwk.Set` but with
501 all keys transformed to public keys via `jwk.PublicKeyOf()`
502
503 * `jwk.FetchXXXX` functions have been removed. `jwk.Fetch()` remains, but
504 it now takes `context.Context`, and doesn't support retrieving files
505 from the local file system. See `ReadFile()` for that.
506
507 * `jws.VerifyWithJKU()`, `jws.VerifyWithJWK()`, `jwk.VerifyWithJWKSet()`
508 have all been removed, but `jwk.VerifySet(jwk.Set)` has been added.
509
510 * `jws.SplitCompact(io.Reader)` has been changd to `jws.SplitCompact([]byte)`
511 Similar to `Parse()`, `SplitCompactReader(io.Reader)` and `SplitCompactString(string)`
512 have been added
513
514 * `jws.SignLiteral` has been removed.
515
516 * `jws.PayloadSigner` has been removed (but should not matter, because
517 this as internal-use only anyways)
518
519 * `jwe.WithPrettyJSONFormat` has been renamed to `jwe.WithPrettyFormat`
520
521 * `jwt.Verify` has been removed. Use `jwt.Parse()` aloing with the `jwt.WithVerify()`
522 option to perform signature verification. Validation of verified data
523 can be performed via `(jwt.Token).Validate()` method, which has been available
524 since v1.0.6
525
526 * Package `buffer` has been removed. This package should have been an internal
527 package to start with, but it was left because it had been incorporated
528 in the public API in our initial versions.
529
530 * `(jwk.Key).Get(jwk.X509CertChainKey)` no longer returns a `jwk.CertificateChain`.
531 Instead it returns a raw []*x509.Certificate.
532
533 * `(jwt.Token).Size() has been removed.
534
535 * `jwt.WithOpenIDClaims()` has been removed. Use `jwt.WithToken(openid.New())` instead.
536
537[New Features]
538 * `jwe.ReadFile(string)`, `jwk.ReadFile(string)`, `jws.ReadFile(string)`, and
539 `jwt.ReadFile(string)` have been added. In the future, we plan to introduce
540 a `WithFS` option so you can read from an arbitrary file system, but this cannot
541 be added while we keep go < 1.16 compatibility. If you want something like that,
542 you will need to put an adapter over the jwx for the time being.
543
544 * `(jwk.Key).PublicKey()` has been added. This method creates a corresponding
545 public key, with all fields (except those that shouldn't be) copied over.
546 This allows you to easily create a public key of a private key with the
547 same "kid" attribute.
548
549 * Both `jws.Verify` and `jws.Sign` methods can now handle `jwk.Key` objects, on
550 top of raw keys (e.g. rsa.PrivateKey). You no longer need to conver the
551 `jwk.Key` objects that you have in to raw keys before using these functions.
552
553 * `(jws.Header).Remove(string)`, `(jwk.Key).Remove(string)`, and
554 `(jwt.Token).Remove(string)` have been added. `jwe.Header` already had a `Remove()`
555 method, so it has not been changed.
556
557 * `(jwk.Key).Clone() has been added.
558
559[Miscellaneous]
560 * Default branch for the repository is now `main`.
561
562 * Options have been reworked. In most instances, option types should now reflect
563 better the contexts in which they can be used. For example, `jwk` now has
564 `AutoRefreshOption` and `FetchOption` instead of a single `Option`.
565
566 * JSON marshaling should be 10~30% faster by default (though they may take
567 more allocations to achieve this).
568
569 However, if performance is really bogging you down, you can try to enable
570 the optional module github.com/goccy/go-json by enabling the "jwx_goccy" tag
571
572 go build -tags jwx_goccy ...
573
574 In some cases you get an extra 40~50% performance improvement in serailization
575 https://github.com/lestrrat-go/jwx/pull/314#issue-560594020
576 https://github.com/lestrrat-go/jwx/pull/314#issuecomment-766343888
577
578 * Location for examples and benchmarks have changed: Now examples/ and bench/
579 are their respective locations, and they are each a standalone module,
580 so that in case we need extra imports (such as the case in examples)
581 they do not interfere with users who just want to include jwx in their projects.
582
583v1.0.8 15 Jan 2021
584[New features]
585 * Fixed `jws.Message` and `jws.Signature` to be properly formatted when
586 marshaled into JSON. In the same manner, `json.Unmarshal` should also
587 work as expected.
588 * Added API to programatically manipulate `jws.Message` and `jws.Signature`
589[Miscellaneous]
590 * The order of keys are now consistent as when used with `json.Marshal`.
591 Previously some objects used their own ordering, but now the code goes
592 through one extra roundtrip of `json.Unmarshal`/`json.Marshal` to preserve
593 compatible behavior. This *may* lead to slightly slower performance if
594 you are performing `json.Marshal` over and over in very quick succession.
595 Please file an issue if you have real world cases where the change
596 causes problems for you.
597 * Added more examples in various places.
598 * Tests runs have been sped up for the most oft used cases
599
600v1.0.7 11 Jan 2021
601[New features]
602 * Added jwk.AutoRefresh, which is a tool to periodically refresh JWKS. (#265)
603 * Added experimental ed25519 support (#252)
604[Bug fixes]
605 * Fix `Set()` method for jwk Keys to properly accept either `jwk.KeyUsageType`
606 or a simple string.
607[Miscellaneous]
608 * Updated dependencies
609 * Changed options to use github.com/lestrrat-go/option
610 * Various typos, unused annotations, etc, have been fixed by contributors
611 * Nobody except for the author really should care, but the underlying
612 `pdebug` utility, which is used for print debugging, has been
613 upgraded to v3, which should stop parallel test execution from throwing
614 an error when run with -race
615
616v1.0.6 17 Dec 2020
617 * Fix ECDHES ciphers where padding in AAD et al was creating
618 incomptabile values with jose tool
619 * Also fix ECDH-ES cek handling (#248)
620 * Implement direct key encoding (#213, #249)
621 * Allow JWT tokens to use default JWK if only one key is given
622 and the JWT does not necessarily specifies a key (#214)
623 * Deprecate jwt.Verify and introduce jwt.Validate. JWS verification
624 used the term Verify, which was confusing when users wanted to
625 validate the JWT token itself. (#220)
626 * JWT library optins have been explicitly typed as ValidationOption
627 and ParseOption (#220, #223)
628 * Add jwx.DecoderSettings and jwx.WithUseNumber option to globally
629 change how jwx parses JSON objects (#222)
630 * Encode x5c field as base64 with padding (#244)
631 * Add more interoperability tests against jose tool.
632 * Special thanks to anatol and imirkin!
633
634v1.0.5 - 28 Sep 2020
635 * Reinstate PrivateParams() method in jws and jwe packages.
636 These used to be available until v1.0.0, but somehow got lost during the
637 big change.
638 As a workaround for users of versions 1.0.0 to 1.0.4, you could have
639 achieved the same thing using AsMap() methods, albeit with a slight
640 performance penality (#205, #206)
641
642v1.0.4 - 15 Aug 2020
643 * Fix jwt.WithOpenIDClaims(). Looks like something got lost along
644 the way, and it never really worked. (#201 #202)
645
646v1.0.3 - 08 Jul 2020
647 * `jws.Sign`, and therefore `jwt.Sign` now accept `jwk.Key` as the
648 key to use for signature. (#199)
649 * `jwt.Sign` could sometimes return a nil error when setting bad
650 values to the protected header failed (#195)
651 * More golangci-lint cleanup (#193)
652
653v1.0.2 - 07 May 2020
654 * Since 1.0.0, we took some time to play the test coverage game.
655 The coverage is around 30% better, and we _did_ uncover some
656 inconsistencies in the API, which got promptly fixed.
657 But I'm tired of the coverage game for the time being. PR's welcome!
658 * Add jwk.AssignKeyID to automatically assign a `kid` field to a JWK
659 * Fix jwe.Encrypt / jwe.Decrypt to properly look at the `zip` field
660 * Change jwe.Message accessors to return []byte, not buffer.Buffer
661
662v1.0.1 - 04 May 2020
663 * Normalize all JWK serialization to use padding-less base64 encoding (#185)
664 * Fix edge case unmarshaling openid.AddressClaim within a openid.Token
665 * Fix edge case unmarshaling jwe.Message
666 * Export JWK key-specific constants, such as jwk.RSANKey, jwk.SymmetricOctetsKey, etc
667 * Remove some unused code
668
669v1.0.0 - 03 May 2020
670 * All packages (`jws`, `jwe`, `jwk`, `jwt`) have all been reworked from
671 the ground-up.
672 * These packages now hide the actual implementation of the main structs behind an interface.
673 * Header/Token structs must now be instantiated using proper constructors
674 (most notably, json.Unmarshal will miserably fail if you just pass
675 and empty interface via `xxx.Token` or similar)
676 * Token/Header interfaces are now more or less standardized.
677 The following API should be consistent between all relevant packages:
678 * New()
679 * Get()
680 * Set()
681 * Remove()
682 * Iterate()
683 * Walk()
684 * AsMap()
685 * Oft-used fields are no longer directly accessible:
686 e.g. `token.KeyID = v` is no longer valid. You must set using `Set`
687 (and `Remove`, if you are removing it), and use either `Get` or
688 one of the utility methods such as `token.KeyID()`
689 * Many helper functions and structs have been unexported. They were never
690 meant to be anything useful for end-users, and hopefully it does not
691 cause any problems.
692 * Most errors type/instances have been removed from the public API
693 * `jwt` package can now work with different token types, such as OpenID tokens.
694 * `token.Sign` and `token.Verify` have been changed from methods to
695 package functions `jwt.Sign` and `jwt.Verify`, to allow different
696 types of tokens to be passed to the same logic.
697 * Added a custom token type in `openid` sub-package to make it easier to
698 work with OpenID claims
699 * `jwt.Parse` (and its siblings) now accept `jwt.WithOpenIDClaims()`
700 * `jwe` API has been reworked:
701 * `MultiEncrypt` has been removed.
702 * Serializer structs have been removed. Now you just need to call
703 `jwe.Compact` or `jwe.JSON`
704 * `jwk` API has been reworked:
705 * `jwk.ParseKey` has been added
706 * `jwk.Materialize` has been renamed to `Raw()`. A new corresponding
707 method to initialize the key from a raw key (RSA/ECDSA/byte keys)
708 called `FromRaw()` has also been added, which makes a nice pair.
709 * `jws` API has been reworked
710 * CI has been changed from Travis CI to Github Actions, and tests now
711 include linting via `golangci-lint`
712
713v0.9.2 - 15 Apr 2020
714 * Maintenance release to protect users from upcoming breaking changes
715
716v0.9.1 - 27 Feb 2020
717 * Fix error wrapping in certain cases
718 * Add Claims(), Walk(), and AsMap() to iterate claims, as well as
719 getting the entire data out as a single map
720 * Work with alternate base64 encodings when decoding
721
722v0.9.0 - 22 May 2019
723 * Start tagging versions for good measure.
View as plain text