Skip to content

Releases: lestrrat-go/jwx

v1.1.6

28 Mar 07:56
Compare
Choose a tag to compare
v1.1.6 28 Mar 2021
[Bug fixes]
  * When an object (e.g. JWT) has a null value and `AsMap()` is called,
    `github.com/lestrrat-go/iter` would panic.
    This should be fixed in `github.com/lestrrat-go/[email protected]` and
    the dependency has been updated accordingly

[Miscellaneous]
  * Added How-to style docs under `docs/`
  * github.com/goccy/go-json dependency has been updated to v0.4.8

v1.1.5

12 Mar 04:28
b2a7484
Compare
Choose a tag to compare
v1.1.5 12 Mar 2021
  This is a security fix release. The JWT validation could be skipped
  for empty values. Upgrade recommended

[Security Fix]
  * JWT validation could be skipped for empty fields (#352).

[Bug fixes]
  * Allow setting JWT "typ" fields to any value (#351).
  * Remove stray replace directive in cmd/jwx/go.mod (#349)

v1.1.4

01 Mar 21:48
Compare
Choose a tag to compare
v1.1.4 02 Mar 2021
[New features]
  * jwt.ParseRequest, jwt.ParseHeader, jwt.ParseForm have been added.
    They are convenience functions to parse JWTs out of a HTTP request.

[Miscellaneous]
  * Fix jwt.Equals() so that comparison between values containing time.Time
    actually work

  * ES256K has been made non-default. You must enable it using a build tag

     go build -tags jwx_es256k ...

    Your program will still compile without this tag, but it will return
    an error during runtime, when ES256K is encountered.
    This feature is still experimental.

v1.1.3

22 Feb 08:44
Compare
Choose a tag to compare
v1.1.3 22 Feb 2021
[New features]
  * Implemented ES256K signing (#337)
    This feature should be considered experimental

[Miscellaneous]
  * Bump minimum required version to go1.15
  * Fix examples, bench, and cmd/jwx accidentally requiring go1.16
  * Dependencies for "github.com/goccy/go-json" has been upgraded to
    v0.4.7

v1.1.2

16 Feb 10:10
Compare
Choose a tag to compare
v1.1.2 16 Feb 2021
[New features]
  * `RegisterCustomField()` has been added, which allows users to
    specify a private claim/field/header to decode into a particular
    object of choice, instead of map[string]interface{} or []interface{} (#332, #333)

[Bug fixes]
  * Failures for `jwk.Key.MarshalJSON()` were not properly reported (#330, #331)

[Miscellaneous]
  * `jwe.Encrypt()` now takes options. This should not matter unless you
    were somehow depending on its method signature.
  * Dependencies for "github.com/goccy/go-json" has been upgraded to
    v0.4.2

v1.1.1

05 Feb 02:02
451a45c
Compare
Choose a tag to compare
v1.1.1 05 Feb 2021
[New features]
  * Command line tool `jwx` has ben completely reworked, and it is
    now actually useful.

  * JWKs can now be serialized into PEM files with ASN.1 DER format
    data, which is useful when you need to work between JSON and PEM
    data formats.

  * Constants in jwa package now have can be listed via functions
    in each category.

  * jwe.Encrypt and jwe.Decrypt can now handle jwk.Key objects

v1.1.0

31 Jan 07:54
Compare
Choose a tag to compare
v1.1.0 31 Jan 2021

  v1.1.0 is a release that attempts to fix as many of the quirky APIs
  that survived the API breaking change of v0.9.x -> v1.0.0. This is
  hopefully the last releases that change backwards compatibility
  in a major way, at least for some time to come.

  It is unfortunate that we need to introduce API changes, but we
  keep learning how the library is being used and the pain points
  of using this library. Most of the times these pain points are
  things that we initially did not think about, which in turn
  requires us to rethink of the API.

  If you do not wish to spend the time fixing your usage, make sure
  you have your go.mod set up to not automatically track the latest
  changes.

  However, if you do decide to use the latest version, we believe
  the API is more uniform across packages, and generally is easier
  to understand. We hope this library helps some of you out there.

[BREAKING CHANGES]
  * `jwk.Parse(io.Reader)`, `jws.Parse(io.Reader)`, `jwt.Parse(io.Reader)`,
    have all been changed to `Parse([]byte)`. To use an `io.Reader`,
    use `ParseReader(io.Reader)`. `jwe.Parse` already took `[]byte`, so
    has not been changed.

    With this change, all four package `jwe`, `jwk`, `jws`, and `jwt` follow
    the same API design, which should make things easier to navigate:

      Parse([]byte)
      ParseString(string)
      ParseReader(io.Reader)

  * `jwk.Set` is now an interface, not a struct. `jwk.Set` now has a
    well-defined API to access and modify the `jwk.Key` objects that it holds.

      Add(jwk.Key) bool
      Clear()
      Get(int) (jwk.Key, bool)
      Index(jwk.Key) int
      Len() int
      LookupKeyID() (jwk.Key, bool) // Read the section about it below
      Remove(jwk.Key) bool
      Iterate(context.Context) KeyIterator

  * `(jwk.Set).LookupKeyID()` no longer returns an array of `jwk.Key`.
    Instead, only the first key matching the given key ID will be returned.
    If you need to work with multiple keys, use `(jwk.Set).Iterate()` or
    `(jwk.Set).Get()` to look for matching keys.

  * `jwk.PublicKeyOf()` has been renamed to `jwk.PublicRawKeyOf()`,
    which converts raw keys (e.g. `rsa.PrivateKey`) to their public
    counter part (e.g. `rsa.PublicKey`)

    `jwk.PublicKeyOf()` is now used to get the public counter part of
    `jwk.Key` objects (e.g. `jwk.RSAPrivateKey` to `jwk.RSAPublicKey`)

    `jwk.PublicSetOf()` has been added to get a new `jwk.Set` but with
    all keys transformed to public keys via `jwk.PublicKeyOf()`

  * `jwk.FetchXXXX` functions have been removed. `jwk.Fetch()` remains, but
    it now takes `context.Context`, and doesn't support retrieving files
    from the local file system. See `ReadFile()` for that.

  * `jws.VerifyWithJKU()`, `jws.VerifyWithJWK()`, `jwk.VerifyWithJWKSet()`
    have all been removed, but `jwk.VerifySet(jwk.Set)` has been added.

  * `jws.SplitCompact(io.Reader)` has been changd to `jws.SplitCompact([]byte)`
    Similar to `Parse()`, `SplitCompactReader(io.Reader)` and `SplitCompactString(string)`
    have been added

  * `jws.SignLiteral` has been removed.

  * `jws.PayloadSigner` has been removed (but should not matter, because
    this as internal-use only anyways)

  * `jwe.WithPrettyJSONFormat` has been renamed to `jwe.WithPrettyFormat`

  * `jwt.Verify` has been removed. Use `jwt.Parse()` aloing with the `jwt.WithVerify()`
    option to perform signature verification. Validation of verified data
    can be performed via `(jwt.Token).Validate()` method, which has been available
    since v1.0.6

  * Package `buffer` has been removed. This package should have been an internal
    package to start with, but it was left because it had been incorporated
    in the public API in our initial versions.

  * `(jwk.Key).Get(jwk.X509CertChainKey)` no longer returns a `jwk.CertificateChain`.
    Instead it returns a raw []*x509.Certificate.

  * `(jwt.Token).Size() has been removed.

  * `jwt.WithOpenIDClaims()` has been removed. Use `jwt.WithToken(openid.New())` instead.

[New Features]
  * `jwe.ReadFile(string)`, `jwk.ReadFile(string)`, `jws.ReadFile(string)`, and
    `jwt.ReadFile(string)` have been added. In the future, we plan to introduce
    a `WithFS` option so you can read from an arbitrary file system, but this cannot
    be added while we keep go < 1.16 compatibility. If you want something like that,
    you will need to put an adapter over the jwx for the time being.

  * `(jwk.Key).PublicKey()` has been added. This method creates a corresponding
    public key, with all fields (except those that shouldn't be) copied over.
    This allows you to easily create a public key of a private key with the
    same "kid" attribute.
    
  * Both `jws.Verify` and `jws.Sign` methods can now handle `jwk.Key` objects, on
    top of raw keys (e.g. rsa.PrivateKey). You no longer need to conver the
    `jwk.Key` objects that you have in to raw keys before using these functions.
    
  * `(jws.Header).Remove(string)`, `(jwk.Key).Remove(string)`, and
    `(jwt.Token).Remove(string)` have been added. `jwe.Header` already had a `Remove()`
    method, so it has not been changed. 
    
  * `(jwk.Key).Clone() has been added.
  
[Miscellaneous]
  * Default branch for the repository is now `main`.
  
  * Options have been reworked. In most instances, option types should now reflect
    better the contexts in which they can be used. For example, `jwk` now has
    `AutoRefreshOption` and `FetchOption` instead of a single `Option`.
  
  * JSON marshaling should be 10~30% faster by default (though they may take
    more allocations to achieve this).
    
    However, if performance is really bogging you down, you can try to enable
    the optional module github.com/goccy/go-json by enabling the "jwx_goccy" tag

      go build -tags jwx_goccy ... 
    
    In some cases you get an extra 40~50% performance improvement in serailization
    https://github.com/lestrrat-go/jwx/pull/314#issue-560594020
    https://github.com/lestrrat-go/jwx/pull/314#issuecomment-766343888
  
  * Location for examples and benchmarks have changed: Now examples/ and bench/
    are their respective locations, and they are each a standalone module,
    so that in case we need extra imports (such as the case in examples)
    they do not interfere with users who just want to include jwx in their projects.

v1.0.8

14 Jan 23:43
Compare
Choose a tag to compare
v1.0.8 15 Jan 2021
[New features]
  * Fixed `jws.Message` and `jws.Signature` to be properly formatted when
    marshaled into JSON. In the same manner, `json.Unmarshal` should also
    work as expected.
  * Added API to programatically manipulate `jws.Message` and `jws.Signature`
[Miscellaneous]
  * The order of keys are now consistent as when used with `json.Marshal`.
    Previously some objects used their own ordering, but now the code goes
    through one extra roundtrip of `json.Unmarshal`/`json.Marshal` to preserve
    compatible behavior. This *may* lead to slightly slower performance if
    you are performing `json.Marshal` over and over in very quick succession.
    Please file an issue if you have real world cases where the change
    causes problems for you.
  * Added more examples in various places.
  * Tests runs have been sped up for the most oft used cases

v1.0.7

11 Jan 10:54
Compare
Choose a tag to compare
v1.0.7 11 Jan 2021
[New features]
  * Added jwk.AutoRefresh, which is a tool to periodically refresh JWKS. (#265)
  * Added experimental ed25519 support (#252)
[Bug fixes]
  * Fix `Set()` method for jwk Keys to properly accept either `jwk.KeyUsageType`
    or a simple string.
[Miscellaneous]
  * Updated dependencies
  * Changed options to use github.com/lestrrat-go/option
  * Various typos, unused annotations, etc, have been fixed by contributors
  * Nobody except for the author really should care, but the underlying
    `pdebug` utility, which is used for print debugging, has been
    upgraded to v3, which should stop parallel test execution from throwing
    an error when run with -race

v1.0.6

16 Dec 21:37
Compare
Choose a tag to compare
v1.0.6 17 Dec 2020
  * Fix ECDHES ciphers where padding in AAD et al was creating
    incomptabile values with jose tool
  * Also fix ECDH-ES cek handling (#248)
  * Implement direct key encoding (#213, #249)
  * Allow JWT tokens to use default JWK if only one key is given
    and the JWT does not necessarily specifies a key (#214)
  * Deprecate jwt.Verify and introduce jwt.Validate. JWS verification
    used the term Verify, which was confusing when users wanted to
    validate the JWT token itself. (#220)
  * JWT library optins have been explicitly typed as ValidationOption
    and ParseOption (#220, #223)
  * Add jwx.DecoderSettings and jwx.WithUseNumber option to globally
    change how jwx parses JSON objects (#222)
  * Encode x5c field as base64 with padding (#244)
  * Add more interoperability tests against jose tool.
  * Special thanks to anatol and imirkin!