lestrrat-go/jwx v3.1.0

on GitHub

See Changes file for curated list of changes

What's Changed

• Appease linter by @lestrrat in #1543
• Bump kentaro-m/auto-assign-action from 2.0.0 to 2.0.1 by @dependabot[bot] in #1538
• Bump actions/checkout from 6.0.1 to 6.0.2 by @dependabot[bot] in #1542
• Bump actions/setup-go from 6.1.0 to 6.2.0 by @dependabot[bot] in #1536
• Bump actions/cache from 5.0.1 to 5.0.2 by @dependabot[bot] in #1539
• Add AGENTS.md by @lestrrat in #1546
• exclude AGENTS.md by @lestrrat in #1548
• Bump actions/cache from 5.0.2 to 5.0.3 by @dependabot[bot] in #1545
• Bump golang.org/x/crypto from 0.46.0 to 0.47.0 by @dependabot[bot] in #1535
• Add symlink by @lestrrat in #1549
• Fix jwk.Cache worker issues by @lestrrat in #1552
• Exclude CLAUDE.md from autodoc by @lestrrat in #1555
• Bump github.com/valyala/fastjson from 1.6.7 to 1.6.9 by @dependabot[bot] in #1561
• Bump actions/stale from 10.1.1 to 10.2.0 by @dependabot[bot] in #1559
• Bump golang.org/x/crypto from 0.47.0 to 0.48.0 by @dependabot[bot] in #1557
• Reduce allocations in concatkdf Read by @lestrrat in #1562
• Eliminate redundant lock acquisitions in LookupKeyID by @lestrrat in #1563
• Replace make+copy with bytes.Clone by @lestrrat in #1564
• Use base64.Encode instead of EncodeToString in JWS marshal by @lestrrat in #1565
• Cache keyalg/ctalg String() in JWE encrypt/decrypt by @lestrrat in #1566
• Inline ndata() in concatkdf New by @lestrrat in #1567
• Fix dependabot workflow by @lestrrat in #1574
• Bump github.com/valyala/fastjson from 1.6.9 to 1.6.10 by @dependabot[bot] in #1568
• Bump github.com/decred/dcrd/dcrec/secp256k1/v4 from 4.4.0 to 4.4.1 by @dependabot[bot] in #1570
• Bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 in /examples by @dependabot[bot] in #1571
• Bump actions/setup-go from 6.2.0 to 6.3.0 by @dependabot[bot] in #1573
• harden dependabot workflow by @lestrrat in #1575
• fix inverted rlocker condition in RSA key export by @lestrrat in #1576
• Fix jwe decrypt typo by @lestrrat in #1577
• Fix example naming by @lestrrat in #1578
• Chore remove unused blank assigns by @lestrrat in #1579
• add WhitelistError sentinel, use errors.Is in test by @lestrrat in #1581
• standardize error helpers in jws and jwe by @lestrrat in #1582
• add fuzz testing infrastructure for jwt/jws/jwe/jwk by @lestrrat in #1583
• fix flaky cache and jwt validation tests by @lestrrat in #1585
• add .claude/docs and pre-read rules to AGENTS.md by @lestrrat in #1584
• Bump golang.org/x/crypto from 0.48.0 to 0.49.0 by @dependabot[bot] in #1587
• Bump github.com/emmansun/gmsm from 0.21.5 to 0.41.1 in /examples by @dependabot[bot] in #1590
• Bump actions/cache from 5.0.3 to 5.0.4 by @dependabot[bot] in #1593
• Bump github.com/goccy/go-json from 0.10.3 to 0.10.6 by @dependabot[bot] in #1589
• Bump kentaro-m/auto-assign-action from 2.0.1 to 2.0.2 by @dependabot[bot] in #1595
• use standard go deprecation markers in jws by @lestrrat in #1596
• fix probe field name in panic message by @lestrrat in #1597
• Bump github.com/lestrrat-go/httprc/v3 from 3.0.4 to 3.0.5 by @dependabot[bot] in #1599
• Bump actions/setup-go from 6.3.0 to 6.4.0 by @dependabot[bot] in #1600
• enforce crit header validation in jws.Verify per RFC 7515 by @lestrrat in #1601
• validate crit header in VerifyCompactFast by @lestrrat in #1602
• fix X25519 ECDH-ES to include apu/apv in KDF by @lestrrat in #1603
• enforce minimum PBES2 iteration count by @lestrrat in #1604
• reject null JSON values for string claims (#1484) by @lestrrat in #1605
• add RFC 9864 fully-specified EdDSA signature algorithms by @lestrrat in #1606
• add extension APIs and KeyKind dispatch for external algorithm modules by @lestrrat in #1607
• add jwkunsafe package docs and tests by @lestrrat in #1609
• delegate custom algorithm registration to dsig by @lestrrat in #1610
• autodoc updates by @github-actions[bot] in #1611
• pin ed448 module to latest jwx by @lestrrat in #1612
• move ed448 to external jwx-circl-ed448 repo by @lestrrat in #1613
• autodoc updates by @github-actions[bot] in #1614
• pin jwx-circl-ed448 to latest commit by @lestrrat in #1615
• update Changes for v3.0.14 by @lestrrat in #1616
• use jwk.Import fallback in AlgorithmsForKey by @lestrrat in #1617
• fix OKP key export dispatch for Ed448 by @lestrrat in #1618
• fix misleading Ed448 dispatch comments in jwsbb by @lestrrat in #1619
• add RegisterAlgorithmForCurve, filter AlgorithmsForKey by curve by @lestrrat in #1620
• pin jwx-circl-ed448 to ce28e4bb in examples by @lestrrat in #1621
• add WithMaxFetchBodySize to limit Fetch response body by @lestrrat in #1622
• add per-call PBES2 count overrides to jwe.Decrypt by @lestrrat in #1623
• fix X509CertChain() to return false when chain is nil by @lestrrat in #1624
• fix data race in x509 decoder registry iteration by @lestrrat in #1625
• add max key count limit to PEM parsing loop by @lestrrat in #1626
• reject negative WithAcceptableSkew in jwt.Validate by @lestrrat in #1627
• accept year 0000 in OIDC birthdate per spec by @lestrrat in #1628
• update Changes for #1620-#1628 by @lestrrat in #1629
• add max input size limit to jwt/jwe ParseReader by @lestrrat in #1630
• add global default for MaxFetchBodySize by @lestrrat in #1631
• fix parse size limit race, validation, and jws coverage by @lestrrat in #1632
• add max recipients limit for JWE messages by @lestrrat in #1633
• add default HTTP timeout for jwk.Fetch by @lestrrat in #1634
• document jti replay protection as caller responsibility by @lestrrat in #1635
• add max signatures limit for JWS messages by @lestrrat in #1636
• add default redirect policy for jwk.Fetch by @lestrrat in #1637
• add jwk.DefaultHTTPClient by @lestrrat in #1638
• check redirect scheme downgrade at every hop by @lestrrat in #1639
• apply default redirect policy to jwk.Cache by @lestrrat in #1640
• make null string claim rejection opt-in by @lestrrat in #1641
• add jwk.WrapHTTPClientDefaults by @lestrrat in #1642
• update Changes for #1630-#1640 by @lestrrat in #1643
• document WithHTTPClient bypass of defaults by @lestrrat in #1646
• use atomic wrappers for global settings by @lestrrat in #1647
• reuse shared HTTP client in Cache.Register by @lestrrat in #1648
• accept ParseOption in jws.ParseString by @lestrrat in #1650
• validate maxSignatures is positive by @lestrrat in #1649
• document body size limit approach in jwk.Fetch by @lestrrat in #1651
• remove minor entries from Changes by @lestrrat in #1653
• make WithStrictStringClaims per-call only by @lestrrat in #1654
• add per-call opt-out for crit header validation by @lestrrat in #1655
• protect global settings with mutex by @lestrrat in #1656
• document WithStrictStringClaims scope to JWT only by @lestrrat in #1657
• document WithStrictStringClaims scope includes JWK by @lestrrat in #1658
• deep-copy slice fields in generated Set methods by @lestrrat in #1659
• zero private key fields on UnmarshalJSON error by @lestrrat in #1660
• document x509 validation as out of scope by @lestrrat in #1661
• update Changes for #1659 and #1660 by @lestrrat in #1662
• fix inconsistent mutex locking in data structures by @lestrrat in #1666
• replace intermediate map in MarshalJSON with pair+pool by @lestrrat in #1667
• validate algorithm-key compatibility in WithKey by @lestrrat in #1668
• reduce allocations in JWE encrypt path by @lestrrat in #1676
• Bump golang.org/x/crypto from 0.49.0 to 0.50.0 by @dependabot[bot] in #1684
• clean up jws sign/verify code for legibility by @lestrrat in #1687
• clean up jws sign/verify key selection code by @lestrrat in #1689
• fix dependabot workflow for develop/v2 bazel by @lestrrat in #1691
• use squash merge in dependabot workflow by @lestrrat in #1692
• remove auto-approve and auto-merge from dependabot workflow by @lestrrat in #1693
• scrub full backing array in byte slice pool by @lestrrat in #1729
• clear fieldPair list before returning to pool by @lestrrat in #1732
• rework jws crit header validation by @lestrrat in #1733
• add jwe crit header validation by @lestrrat in #1735
• clone per-recipient headers, recycle via headerPool by @lestrrat in #1739
• reject ecdh keys in AlgorithmsForKey by @lestrrat in #1741
• stop pooling escaping big.Int in buildRSAPublicKey by @lestrrat in #1745
• auto-declare b64 crit when WithDetachedPayload is set by @lestrrat in #1748
• fail loudly on rand.Reader errors in key gen helpers by @lestrrat in #1751
• drop big.Int pool by @lestrrat in #1754
• fix race in jwk/ecdsa lookup functions by @lestrrat in #1756
• clone protected headers in signatureBuilder.Build by @lestrrat in #1759
• fix ValidationCtx extractors panicking on uninitialized contexts by @lestrrat in #1761
• docs: note ES256K low-S non-enforcement by @lestrrat in #1763
• reject empty ciphertext/iv/tag in jwe.Message.UnmarshalJSON by @lestrrat in #1768
• drop unprotected header merge from jwe.Decrypt by @lestrrat in #1770
• document VerifyCompactFast b64:true assumption by @lestrrat in #1773
• pin unprotected header merge fix with regression test by @lestrrat in #1776
• validate AES-CBC IV length in aescbc.Hmac.Open by @lestrrat in #1778
• reslice pooled jwe buffers before defer by @lestrrat in #1781
• reject sub-minimum input in RFC 3394 keywrap primitives by @lestrrat in #1784
• add jwe.WithPBES2Count encrypt option by @lestrrat in #1782
• jwe: use privkey.Size() for RSA PKCS1v1.5 length check by @lestrrat in #1788
• document default InsecureWhitelist on jwk.Fetch (JWK-001) by @lestrrat in #1790
• reject crit-bearing messages in jws.VerifyCompactFast by @lestrrat in #1793
• jwe: stop aliasing AAD backing slices when concatenating external aad by @lestrrat in #1796
• validate ECDSA point on curve (JWK-003) by @lestrrat in #1797
• copy recipientKey in KeyDecryptAESGCMKW to avoid caller aliasing (JWE-002) by @lestrrat in #1800
• strip key options in jwt.ParseInsecure by @lestrrat in #1802
• Bump actions/cache from 5.0.4 to 5.0.5 by @dependabot[bot] in #1795
• enforce jws signatures cap before decoding entries by @lestrrat in #1804
• cap SplitCompactReader non-finite reads at 10 MiB by @lestrrat in #1806
• copy rawKey in symmetricKey.Import to avoid caller aliasing by @lestrrat in #1808
• enforce max parse input size in jws.Parse and jwe.Parse by @lestrrat in #1809
• fix cert.Chain.Add to strip real PEM markers by @lestrrat in #1814
• fix jwk x509 decoder unregister index and race by @lestrrat in #1812
• fix jwt fast path json injection via unescaped kid by @lestrrat in #1817
• fix nil-aware ok return in jws header accessors by @lestrrat in #1818
• fix: jwk.PublicSetOf rejects symmetric keys by default (v3.1.0) by @lestrrat in #1829
• autodoc updates by @github-actions[bot] in #1832
• fix jwk rsa exponent truncation and thumbprint collision by @lestrrat in #1833
• fix cert.Chain MarshalJSON and validate Add input by @lestrrat in #1836
• fix jwt fast path json injection via unescaped alg by @lestrrat in #1838
• track aes-cbc-hmac tag length independently of key size by @lestrrat in #1841
• fix jwe aescbc open opaque errors by @lestrrat in #1843
• fix jwe keyset selecting keys without alg field by @lestrrat in #1845
• fix jwe ecdh-es invalid-curve attack surface by @lestrrat in #1847
• fix jwk.Set.AddKey panic on nil or struct keys by @lestrrat in #1852
• fix jwk parser to validate keys after unmarshal by @lestrrat in #1854
• wrap underlying error in jwk set single-key fallback by @lestrrat in #1856
• fix cmd/jwx output file mode and truncation by @lestrrat in #1858
• fix jwt.ParseHeader bearer scheme per rfc 6750 by @lestrrat in #1859
• make MissingRequiredClaimError.Is type-only by @lestrrat in #1862
• document WithUseNumber concurrency contract as startup-only by @lestrrat in #1864
• reject key-bearing options in jwt.ParseInsecure by @lestrrat in #1867
• bound jws keyset verification fan-out by header alg by @lestrrat in #1869
• add jwk.WithForceAssign to overwrite existing kid by @lestrrat in #1874
• tighten HeaderGetStringBytes lifetime doc by @lestrrat in #1876
• fix jwxio limited reader detection by @lestrrat in #1877
• fix jwa error truncation by @lestrrat in #1880
• fix jwa registry snapshots by @lestrrat in #1883
• tighten jws validateAlgorithmForKey escape by @lestrrat in #1887
• fix jws jku kid-miss silent nil by @lestrrat in #1888
• surface jku kid-miss error from jkuProvider by @lestrrat in #1891
• fix jws VerifyCompactFast header alg cross-check by @lestrrat in #1893
• fix okp key length checks by @lestrrat in #1896
• fix jwa builtin protection by @lestrrat in #1899
• fix v3 rsa jwk validation by @lestrrat in #1895
• fix compact sign errors by @lestrrat in #1902
• zero bytes.Buffer backing array on pool return by @lestrrat in #1905
• remove internal/json.Dump debug helper by @lestrrat in #1907
• fix SplitCompactReader LimitedReader size bypass by @lestrrat in #1909
• fix jwe godoc references by @lestrrat in #1911
• fix v3 jwt package docs by @lestrrat in #1915
• fix v3 jwe cek length checks by @lestrrat in #1918
• make x5c cert limits configurable by @lestrrat in #1919
• document v3 transform.AsMap aliasing by @lestrrat in #1920
• fix v3 ecdsa algorithms snapshot by @lestrrat in #1923
• fix jwxio limitedreader bounds by @lestrrat in #1924
• warn about jws WithKey misuse in v3 by @lestrrat in #1930
• fix v3 jws parse autodetect by @lestrrat in #1927
• fix empty compact jws signature by @lestrrat in #1933
• fix v3 jwe p2c validation by @lestrrat in #1935
• fix v3 jwe gcmkw header typing by @lestrrat in #1939
• fix v3 jwe aescbc append by @lestrrat in #1937
• document jwe compression caveats by @lestrrat in #1941
• warn about jwe rsa1_5 by @lestrrat in #1943
• document jwe WithKey pairs in v3 by @lestrrat in #1945
• fix PublicSetOf oct bypass in v3 by @lestrrat in #1946
• docs: warn about short symmetric keys by @lestrrat in #1949
• add jws.WithDetachedPayloadReader for streaming detached payloads by @lestrrat in #1663
• jws: return non-nil empty []byte from streaming Verify by @lestrrat in #1979
• clarify jwe decrypt unprotected-header scope by @lestrrat in #1983
• drop raw input-byte caps from parse apis by @lestrrat in #1985
• fix ClaimValueIs panic on non-comparable values by @lestrrat in #1987
• clarify EncryptStatic CEK for direct-CEK algs by @lestrrat in #1990
• jwk: add WithMaxKeys cap on JWKS entries by @lestrrat in #1991
• jws: expand WithDetachedPayloadReader encoder-missing error with install hint by @lestrrat in #1993
• jws: document goroutine-safety for WithDetachedPayloadReader by @lestrrat in #1997
• jws: explain RFC 8032 EdDSA streaming incompatibility in error message by @lestrrat in #1995
• jws: align streaming HMAC key-type error with non-streaming path by @lestrrat in #2000
• jwe: fix grammar in ECDH-ES/DIRECT multi-recipient error by @lestrrat in #2002
• jws: drop double-wrap on compact parse errors by @lestrrat in #2004
• jwt: guard Validate against nil token by @lestrrat in #2007
• jws: make jkuProvider surface missing-alg error by @lestrrat in #2009
• jws: surface per-key selectKey errors in keySetProvider by @lestrrat in #2011
• jws: surface use=enc mismatch as explicit error by @lestrrat in #2013
• jwt: stop using dynamic fmt.Errorf format string in ParseRequest by @lestrrat in #2017
• jws: document kid precedence on WithProtectedHeaders by @lestrrat in #2024
• jwk: add WithRejectDuplicateKID parse option by @lestrrat in #2027
• jwk: replace misleading RegisterKeyImporter godoc by @lestrrat in #2029
• jwt: wrap unsupported-time-claim error as ValidateError by @lestrrat in #2015
• changes: add jwk.WithRejectDuplicateKID entry by @lestrrat in #2033
• fix v3.1.0 changelog inaccuracies and add missing entries by @lestrrat in #2037

Full Changelog: v3.0.13...v3.1.0