Skip to content

Releases: MicahParks/jwkset

Fix potential race condition

10 Jan 01:33
c8d5ec7
Compare
Choose a tag to compare

The purpose of this release is to fix a potential race condition.

Relevant pull requests:

v0.6.0

09 Jan 13:20
01db49a
Compare
Choose a tag to compare

The purpose of this release is to fix a bug pointed out by @rohitkoul in #7 (comment). There is a bug in the refresh goroutine related to key replacement.

The project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation.

Regardless of this bug, please note that removing a key from a JWK Set does not equate to instant revocation for most use cases as it takes time for JWK Set updates to propagate to all clients.

Relevant issues:

Relevant pull requests:

Less strict validation

12 Mar 00:10
7091ac8
Compare
Choose a tag to compare

The purpose of this release is to use less strict validation for JWK. This will allow users to work with non-RFC compliant JWK Sets for small padding mistakes.

Two padding related reasons for this are:

  1. Mandatory leading padding for ECDSA JWK parameters.
  2. A common mistake adding leading padding to RSA JWK parameter "n".

For padding specifically, this project is only comparing integers after they are parsed from Base64 raw URL encoding by default. To turn on strict validation, there will be a new field on jwkset.ValidateOptions named StrictPadding.

An example for 1 would be a bug in this project were mandatory leading padding was absent: #18

An example for 2 would be a Firebase service that was reported to be incompatible with this project: #23

Relevant issues:

Relevant pull requests:

v0.5.13

04 Mar 22:54
a0de971
Compare
Choose a tag to compare

The purpose of this release is to correctly pad EC JWK parameters with leading zeros where required by RFC 7518.

For "x" and "y":

The length of this octet string MUST be the full size of a coordinate for the curve specified in the "crv" parameter. For example, if the value of "crv" is "P-521", the octet string must be 66 octets long.

For "d":

The length of this octet string MUST be ceiling(log-base-2(n)/8) octets (where n is the order of the curve).

This is to bring the project into RFC compliance with RFC 7518 Section 6.2.1.2, 6.2.1.3, and 6.2.2.1.

Relevant issues:

What's Changed

Full Changelog: v0.5.12...v0.5.13

jwksetinfer tool multi-PEM bug

25 Jan 03:06
ece0023
Compare
Choose a tag to compare

A bug in the cmd/jwksetinfer tool caused multiple PEM file inputs to only output the final PEM key as a JWK Set. This is because the metadata wasn't being passed in and the all key IDs were the same empty string.

Thank you @aarnaud for discovering the bug and fixing it!

Relevant pull requests:

Refresh on unknown key ID

10 Jan 01:42
2c65b0a
Compare
Choose a tag to compare

The purpose of this release is to change the default HTTP client to add a feature that refreshes remote JWK Set resources when trying to read a key ID kid that has not been found in the local cache.

This requires rate limiting and the pkg.go.dev/golang.org/x/time/rate has been added as a dependency for that.

Related pull requests:

Consistent optional behavior for X.509 certificate thumbprints

04 Jan 00:50
5f893b0
Compare
Choose a tag to compare

This release fixes a bug where X.509 certificate thumbprints were not optional when a JWKMarshal without these fields was used in NewJWKFromMarshal.

Thank you, @joshkaplinsky, for reporting this bug!

Relevant pull requests:

Relevant issues:

Add HTTP Client

11 Dec 01:22
cb01b09
Compare
Choose a tag to compare

This release contains a Golang HTTP client for JWK Sets.

Add website and X.509 support

06 Dec 01:08
30b57c3
Compare
Choose a tag to compare

This project now supports all standardized JSON Web Key parameters, including X.509 assets that I could find. Please open an issue if you find some that are not supported.

Additionally, I made a website for this project. The website is mostly for generating and inspecting JSON Web Keys. Check it out at https://jwkset.com

Bug fix for RSA multi-prime keys

16 Oct 21:36
Compare
Choose a tag to compare

This release fixes a bug in marshaling and unmarshaling RSA multi-prime keys. It also adds a check to validate an RSA key before returning it from an unmarshal.

Relevant issues: