Skip to content

Latest commit

 

History

History
1933 lines (882 loc) · 71.2 KB

CHANGELOG.md

File metadata and controls

1933 lines (882 loc) · 71.2 KB

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

5.6.2 (2024-06-27)

Refactor

  • CryptoKey normalization is not always async (b7751f5)
  • weak cache normalized CryptoKey instances (32b25a5)

Fixes

  • ensure KeyObject type in Web API encrypt/decrypt (b7920bd)

5.6.1 (2024-06-27)

Refactor

  • normalize is always defined for Web API runtimes (7bcb103)

Fixes

  • workaround turbo's eager optimizations (723a042), closes #690

5.6.0 (2024-06-27)

Features

  • support KeyObject inputs in WebCryptoAPI runtimes given compatibility (e178b8f)

5.5.0 (2024-06-26)

Features

5.4.1 (2024-06-18)

Fixes

  • ensure latest release on npm is v5.x (a9b2a30)

5.4.0 (2024-06-03)

Features

  • expose JWT's payload in JWTClaimValidationFailed instances (58bcffb), closes #680

Refactor

  • add explicit return types everywhere (cc2b2d7)

5.3.0 (2024-05-10)

Features

  • allow observing remote JWKS resolver state and its manual reload (fa8b639)

Refactor

  • if should not be the only statement in else blocks (a6b716b)

5.2.4 (2024-04-07)

Refactor

  • use createLocalJWKSet instead of LocalJWKSet in createRemoteJWKSet (a7c566c)

5.2.3 (2024-03-07)

Refactor

  • move iv generation and optional outputs around (05c4351)

5.2.2 (2024-02-11)

Fixes

  • types: iv and tag is optional in JSON serializations (53019cd)

5.2.1 (2024-02-03)

Fixes

  • build: refactor export targets for browser, node cjs, and node esm builds (50cbc65)

5.2.0 (2023-12-24)

Features

  • extend JWT NumericDate setter syntax (ae363c3)

5.1.3 (2023-11-30)

5.1.2 (2023-11-27)

Fixes

  • do not mutate JWTVerifyOptions.requiredClaims (1bf9cec), closes #610

5.1.1 (2023-11-14)

Refactor

  • deprecate the RSA1_5 JWE Algorithm (f746da1)

5.1.0 (2023-11-03)

Features

  • add payload generics to jose.decodeJwt (9de49e2), closes #604

5.0.2 (2023-11-02)

Fixes

  • createRemoteJWKSet: ensure a default user-agent header is present (887dd3c), closes #600

5.0.1 (2023-10-25)

Fixes

  • also use ES2020 in the CDN bundles (8c4d390)

5.0.0 (2023-10-25)

⚠ BREAKING CHANGES

  • Node.js: return Uint8Array (not a Buffer) from base64url.decode
  • Browser distribution is now built using ES2020 as a target
  • Node.js distribution is now built using ES2022 as a target
  • types: jwtVerify and jwtDecrypt type argument for the resolved KeyLike type is now a second optional type argument following a type for the JWT Claims Set (aka payload)
  • PBES2 Key Management Algorithms' use in decrypt functions now requires the use of the keyManagementAlgorithms option to explicitly opt-in for their use.
  • importJWK "octAsKeyObject" option was removed. importJWK will no longer return CryptoKey or KeyObject for "oct" (octet sequence) JWK key types, it will instead always return a Uint8Array formed from the "k" (Key Value) Parameter regardless of the other JWK Parameters that may be present.
  • End-Of-Life versions of Node.js as of October 2023 are no longer supported. Node.js 18, 20, and 21 and future releases are the ones that remain supported.
  • The JWE "zip" (Compression Algorithm) Header Parameter is no longer supported by this JOSE implementation.

Features

  • add Date as valid input to timestamp setting functions (bd830a4)
  • default to an empty payload in JWT producing constructors (98d6ca1)
  • types: add optional Generics for JWT verify and decrypt (61bd2a0), closes #568

Reverts

  • Revert "test: fix test under lts/erbium" (b64b6c7)

Refactor

  • Browser distribution is now built using ES2020 as a target (1836684)
  • drop support for EOL Node.js versions (b5aee54)
  • importJWK always returns a Uint8Array for symmetric key inputs (163e1b0)
  • Node.js distribution is now built using ES2022 as a target (239697a)
  • Node.js: return Uint8Array (not a Buffer) from base64url.decode (02d5182)
  • PBES2 Algorithms require explicit opt-in during verification (e2da031)
  • remove support for JWE "zip" (Compression Algorithm) Header Parameter (16998b1)
  • types: rename type parameters for the KeyLike returns (eddd400)
  • update allow list error messages (fe8114c)

4.15.4 (2023-10-14)

Fixes

4.15.3 (2023-10-11)

4.15.2 (2023-10-04)

Fixes

  • build: add a node target for jose-browser-runtime releases (abb63d0)

4.15.1 (2023-10-02)

Fixes

  • resolve missing types for the cryptoRuntime const (1627965)

4.15.0 (2023-10-02)

Features

  • export the used crypto runtime as a constant (0681dda)

4.14.6 (2023-09-04)

Fixes

  • build: publish bundle and umd files with jose-browser-runtime module (62fcbcc), closes #571

4.14.5 (2023-09-02)

Refactor

  • catch type error when decoding base64url signature (#569) (935e920)
  • catch type errors when decoding various base64url strings (9024e87)

4.14.4 (2023-04-30)

Refactor

  • cleanup NODE-ED25519 workerd workarounds (072e83d)

4.14.3 (2023-04-27)

Reverts

  • Revert "fix(types): headers and payloads may only be JSON values and primitives" (06d8101), closes #534

4.14.2 (2023-04-26)

Fixes

  • types: headers and payloads may only be JSON values and primitives (24f306e)

4.14.1 (2023-04-20)

4.14.0 (2023-04-14)

Features

  • add requiredClaims JWT validation option (eeea91d)

4.13.2 (2023-04-12)

Refactor

  • src/util/decode_protected_header.ts (5716725)

4.13.1 (2023-03-02)

Fixes

  • workerd: avoid "The script will never generate a response" edge cases completely (96a8c99), closes #355 #509

4.13.0 (2023-02-27)

Features

  • types: allow generics to aid in CryptoKey or KeyObject narrowing of KeyLike (6effa4d)

Fixes

  • make jose.EmbeddedJWK arguments optional (20610a9)

4.12.2 (2023-02-27)

Fixes

  • types: declare explicit return from EmbeddedJWK (46934ac)

4.12.1 (2023-02-27)

Refactor

  • clarify when alg is used and required on key imports (19e525f)
  • node: have node:crypto deal with x509 parsing (45bb45d)

4.12.0 (2023-02-15)

Features

  • enable key iteration over JWKSMultipleMatchingKeys (a278acd)

4.11.4 (2023-02-07)

Fixes

  • build: ignore deno files in npm publishes (b3d6a11)

4.11.3 (2023-02-07)

Fixes

  • CF Workers: improve miniflare compat with different Node.js versions, get ready for future non-proprietary support (3406b9f), closes #446 #495 #497

4.11.2 (2023-01-01)

Refactor

  • node: dry node version checks (aff2f7c)

4.11.1 (2022-11-22)

4.11.0 (2022-11-08)

Features

  • add bun as a supported runtime (3a63631)

Fixes

  • respect JWK ext for symmetric keys (20557fc)

4.10.4 (2022-10-28)

Fixes

  • typo in importPKSC8 error message (#468) (746bc64)
  • workaround for invalid use checks on CF Workers and Deno (e4d04eb)

4.10.3 (2022-10-20)

4.10.2 (2022-10-20)

4.10.1 (2022-10-20)

4.10.0 (2022-09-27)

Features

  • Curve25519, and Curve448 support for WebCryptoAPI runtimes (fea359a)

Fixes

  • importX509: handle length encodings better (47d0d77), closes #459

4.9.3 (2022-09-15)

Refactor

  • update CEK length validation error message (81a92a9)
  • update key input validation error messages (2eac34a)
  • update keylike description for WinterCG (6741679)

4.9.2 (2022-09-01)

Fixes

  • limit default PBES2 alg's computational expense (03d6d01)

4.9.1 (2022-08-29)

Fixes

  • deno: add a Deno package entrypoint (9f3c459)

4.9.0 (2022-08-17)

Features

  • add support for RFC 9278 - JWK Thumbprint URI (d06ce65)

Refactor

  • consume some base64url decode errors (#436) (caaf2c3)
  • unify JOSENotSupported throw on key export (fe5d093)

4.8.3 (2022-06-29)

4.8.1 (2022-05-02)

Fixes

  • typescript: add types export for nodenext module resolution (#406) (5a6d8f0)

4.8.0 (2022-04-26)

Features

  • add "worker" export in package.json (#400) (c58c80a)
  • optional headers options for createRemoteJWKSet (#397) (b4612f5)

4.7.0 (2022-04-21)

Features

  • add createRemoteJWKSet cacheMaxAge option (5017d95), closes #394

4.6.2 (2022-04-19)

Fixes

  • dont check JWT iat is in the past unless maxTokenAge is used (96d85c7)

4.6.1 (2022-04-11)

4.6.0 (2022-03-06)

Features

  • mark APIs and parameters that can lead to footguns as deprecated (0ddbcc6)
  • types: include JSDoc in the types (74187a9)

4.5.3 (2022-03-05)

Fixes

  • web api runtime: rely on default fetch init values (df6d966)

4.5.2 (2022-03-04)

Fixes

  • decrypting empty ciphertext compact JWEs (#374) (95fe597)

4.5.1 (2022-02-22)

Fixes

  • typescript: allow synchronous get key functions (7c99153)

4.5.0 (2022-02-07)

Features

  • add jose.decodeJwt utility (3d2a2b8)

Fixes

  • concurrent fetch await in cloudflare (e44cd18), closes #355

4.4.0 (2022-01-24)

Features

  • add createLocalJWKSet, resolver to verify using a local JWKSet (bd7bf37)

4.3.9 (2022-01-22)

Fixes

  • only add y to the epk header parameter when EC keys are used (dd6775e), closes #348

4.3.8 (2022-01-09)

4.3.7 (2021-11-18)

Fixes

  • typescript: b64: true is fine to use in JWT, its useless, but allowed (#324) (ee401c9)

4.3.6 (2021-11-16)

Fixes

  • electron: rsa-pss keys are never supported (188c1f7)

4.3.5 (2021-11-12)

Fixes

4.3.4 (2021-11-12)

Fixes

  • Compact JWS verification handles a zero-length payload string (7c70e7b)

4.3.3 (2021-11-11)

Fixes

  • typescript: apply updated compact and jwt headers to compact/jwt verify and decrypt results (0c1946c)

4.3.2 (2021-11-11)

Fixes

  • createRemoteJWKSet handles all JWS syntaxes (aaba8f3)
  • typescript: Compact JWS Header Parameters has alg and enc as required (0fa87af)
  • typescript: Compact JWS Header Parameters has alg as required (c7fabd0)
  • typescript: Signed JWT Header Parameters has alg as required and b64 as never (79cbd82)

4.3.0 (2021-11-11)

Features

  • add GeneralSign signature and GeneralEncrypt recipient builder chaining (cfc93f5)

4.2.1 (2021-11-09)

Fixes

  • node: dont mention CryptoKey in versions without webcrypto (401cabf)

4.2.0 (2021-11-08)

Features

4.1.5 (2021-11-05)

Fixes

  • importX509 certificate values that do not include a version number (51a18b6), closes #308

4.1.4 (2021-11-01)

Fixes

  • allow shorter HMAC secrets (57126f1)

4.1.3 (2021-11-01)

Fixes

  • edge-functions: don't use globalThis (3952030)

4.1.2 (2021-10-25)

Fixes

  • build: ensure cjs/esm specific packages have the right main entry (2f4526a)

4.1.1 (2021-10-21)

Fixes

  • typescript: work around potentially missing global URL from DOM lib (7ed731c), closes #295

4.1.0 (2021-10-18)

Features

  • web: publish umd and bundle files to cdnjs.com (3b3100a)

4.0.4 (2021-10-17)

Fixes

  • web: check Uint8Array CEK lengths, refactor for better tree-shaking (e8299f2)

4.0.3 (2021-10-16)

Fixes

  • web: checking cryptokey applicability early (89dc2aa)

4.0.2 (2021-10-15)

Fixes

4.0.1 (2021-10-14)

Fixes

  • typescript: re-export all types from index.d.ts (d68f104)

4.0.0 (2021-10-14)

⚠ BREAKING CHANGES

  • All module named exports have moved from subpaths to just "jose". For example, import { jwtVerify } from 'jose/jwt/verify' is now just import { jwtVerify } from 'jose'.
  • All submodule default exports and named have been removed in favour of just "jose" named exports.
  • typescript: remove repeated type re-exports
  • The undocumented jose/util/random was removed.
  • The jose/jwk/thumbprint named export is renamed to calculateJwkThumbprint, now import { calculateJwkThumbprint } from 'jose'
  • The deprecated jose/jwk/parse module was removed, use import { importJWK } from 'jose' instead.
  • The deprecated jose/jwk/from_key_like module was removed, use import { exportJWK } from 'jose' instead.

Refactor

  • redo exports to support broader tooling (dd2cf9e)
  • remove util/random (914e47f)
  • removed the deprecated jwk/from_key_like module (ec1d0e7)
  • removed the deprecated jwk/parse module (8d3cc3b)
  • rename calculateThumprint to calculateJwkThumbprint (5afb713)
  • typescript: remove repeated type re-exports (3e137d2)

3.20.3 (2021-10-14)

Fixes

  • remove clutter when tree shaking browser dist (73ba370)
  • typescript: JWTExpired error TS2417 (373e0e4)

3.20.2 (2021-10-13)

Fixes

  • allow tree-shaking of errors (0824301)

3.20.1 (2021-10-06)

Fixes

  • typescript: PEM import functions always resolve a KeyLike, never a Uint8Array (8ef3a8e)

3.20.0 (2021-10-06)

Features

  • improve key input type errors, remove dependency on @types/node (a13eb04)

Fixes

  • proper createRemoteJWKSet timeoutDuration handling (efa1619), closes #277

3.19.0 (2021-09-26)

Features

  • return resolved key when verify and decrypt resolve functions are used (49fb62c)

3.18.0 (2021-09-22)

Features

  • add X.509/SPKI/PKCS8 key import and SPKI/PKCS8 export functions (a2af0f4)

3.17.0 (2021-09-10)

Features

  • cloudflare workers: add support for EdDSA using Ed25519 (0967369)

3.16.1 (2021-09-08)

Fixes

  • guard Sign payloads and Encrypt plaintext argument types (10a18f2)

3.16.0 (2021-09-07)

Features

  • node: support rsa-pss keys in Node.js >= 16.9.0 for sign/verify (0b112cf)

3.15.5 (2021-09-02)

Fixes

  • omit some fetch options when running in Cloudflare Workers env (ced065a), closes #255

3.15.4 (2021-08-20)

Fixes

  • deno: ignore incomplete webcrypto api type errors (c5f2262)
  • typescript: generateKeyPair never returns Uint8Array (73adc01)

3.15.3 (2021-08-20)

Fixes

  • typescript: GeneralJWSInput and GeneralJWS omit (bc0b42f)

3.15.2 (2021-08-20)

3.15.1 (2021-08-20)

Fixes

  • typescript: remove file extensions from types/**/*.d.ts files (0c432e5), closes #222

3.15.0 (2021-08-20)

Features

  • experimental Deno build & publish (5c7d265)

Fixes

  • typescript: allow sign results to be passed to verify (59aa96d)

3.14.4 (2021-08-16)

Fixes

  • throw JWEInvalid when jwe protected header is invalid (991d435)
  • throw JWSInvalid when jws protected header is invalid (#244) (1fc79aa)

3.14.3 (2021-07-21)

Fixes

  • docs: update doc links again (26c4361)

3.14.2 (2021-07-21)

Fixes

3.14.1 (2021-07-21)

Fixes

  • typescript: export generate key pair result interface (2b5cc28)

3.14.0 (2021-07-02)

Features

  • add verbose key type error messages (df56b94)

Fixes

  • typescript: remove file extensions from .d.ts files (e091f0f), closes #222
  • AES Key Wrap input type check (b83821b)
  • guard SignJWT.prototype.sign() from missing protected header (4103719), closes #221
  • typescript: add "jku" header to JoseHeaderParameters (#220) (72a72db)

3.13.0 (2021-06-22)

Features

  • typescript: export consume module interface types (#213) (13fa3d8)

3.12.3 (2021-06-02)

Fixes

  • browser: remove the use of a node std-lib in decodeProtectedHeader (d9d4a5f), closes #206

3.12.2 (2021-05-19)

Performance

  • node: use util.types.is* helpers when available (d36311d)

3.12.1 (2021-05-14)

Fixes

  • browser: avoid global-conflicting variable name fetch (#199) (b2c6273)

3.12.0 (2021-05-12)

Features

  • webcrypto: allow generate* modules extractable: false override (afae428)

3.11.6 (2021-04-30)

Fixes

  • swallow promisified crypto.verify errors (d512ede)

3.11.5 (2021-04-13)

Fixes

  • isObject helper in different vm contexts or jest re-assigned globals (7819df7), closes #178

3.11.4 (2021-04-09)

Fixes

  • defer AES CBC w/ HMAC decryption after tag verification passes (579485c)

3.11.3 (2021-04-01)

Fixes

  • node: check CryptoKey algorithm & usage before exporting KeyObject (dab4b2f)

3.11.2 (2021-03-30)

Fixes

  • assert KeyLike input types, change "any" types to "unknown" (edb83a8)

3.11.1 (2021-03-26)

Fixes

  • node: crypto.verify callback invocation with a private keyobject (d3d4acd)

3.11.0 (2021-03-24)

Features

  • export error codes as static properties (89d8003), closes #170

3.10.0 (2021-03-18)

Features

  • node: use libuv threadpool to sign in node >= 15.12.0 (cf5074e)
  • node: use libuv threadpool to verify in node >= 15.12.0 (ae9a7f4)
  • node: use native JWK export in node >= 15.9.0 (7f3cc44)
  • node: use native JWK import in node >= 15.12.0 (f0c2a64)

3.9.0 (2021-03-15)

Features

  • add named exports for all modules (5cba6b0)

3.8.0 (2021-03-12)

Features

  • publish alternative Node.js and Browser specific distributions (7856dad)

3.7.1 (2021-03-11)

Fixes

  • swallow invalid signature encoding errors (e0adf49)

3.7.0 (2021-03-02)

Features

  • electron >=12.0.0 is now supported (and tested on ci) (8fffd3e)

Fixes

  • electron: only call (de)cipher.setAAD() when aad is not empty (a5a6c4d)
  • electron: properly ASN.1 encode [0x00] when converting RSA JWKs (433f020)

3.6.2 (2021-02-16)

Fixes

  • typescript: update maxTokenAge type and examples (2c358e0)

3.6.1 (2021-02-10)

Fixes

  • node runtime json fetch handles connection errors properly (fc584b2)

3.6.0 (2021-02-04)

Features

  • allow CryptoKey instances in a regular non-webcrypto node runtime (e8d41a9)

3.5.4 (2021-01-26)

Fixes

3.5.3 (2021-01-20)

Fixes

  • workaround downstream dependency issues messing with http (2e58005), closes #154

3.5.2 (2021-01-18)

Performance

  • use 'base64url' encoding when available in Node.js runtime (808f06c)
  • use KeyObject.prototype asymmetricKeyDetails when available (ad88ee2)

3.5.1 (2021-01-10)

Fixes

  • workaround for RangeError in browser runtime base64url (ed32b0d)

3.5.0 (2020-12-17)

Features

  • added JWE General JSON Serialization decryption (16dea9e)

3.4.0 (2020-12-16)

Features

  • added JWS General JSON Serialization signing (6fb862c), closes #129
  • added JWS General JSON Serialization verification (55b7781), closes #129
  • added utility function for decoding token's protected header (fa29d68)

3.3.2 (2020-12-14)

Fixes

  • typescript: ref dom lib via triple-slash to fix some compile issues (175f273), closes #126

3.3.1 (2020-12-06)

Fixes

3.3.0 (2020-12-06)

Features

  • support recognizing proprietary crit header parameters (5163116), closes #123

Fixes

  • reject JWTs with b64: false (691b44a)

3.2.0 (2020-12-02)

Features

  • allow specifying modulusLength when generating RSA Key Pairs (5f7a0e9), closes #121

3.1.3 (2020-11-26)

Fixes

  • typescript: refactored how types are published (2937363), closes #119

3.1.2 (2020-11-24)

Fixes

  • handle globalThis undefined in legacy browsers (b83c59b)

3.1.1 (2020-11-24)

Fixes

  • global detection in a browser worker runtime (56ff8fa)

3.1.0 (2020-11-22)

Features

  • added "KeyLike to JWK" module (7a8418e), closes #109
  • allow compact verify/decrypt tokens to be uint8array encoded (e39c3db)
  • allow http.Agent and https.Agent passed in remote JWK Set (38494a8)

3.0.2 (2020-11-15)

Fixes

3.0.1 (2020-11-15)

Fixes

  • typescript: fix compiling by adding .d.ts files for runtime modules (d9cb573)

3.0.0 (2020-11-14)

⚠ BREAKING CHANGES

  • Revised, Promise-based API
  • No dependencies
  • Browser support (using Web Cryptography API)
  • Support for verification using a remote JWKS endpoint

Features

  • Revised API, No dependencies, Browser Support, Promises (357fe0b)

2.0.3 (2020-10-29)

Fixes

  • allow stubbing of the JWT.decode function (6c3b92f)

2.0.2 (2020-09-14)

Fixes

  • esm: include esm files in the published package (1956746)

2.0.1 (2020-09-10)

Fixes

  • allow plugins such as jose-chacha to work in newer node runtime (30f1dc2)

2.0.0 (2020-09-08)

⚠ BREAKING CHANGES

  • the JWE.decrypt option algorithms was removed and replaced with contentEncryptionAlgorithms (handles enc allowlist) and keyManagementAlgorithms (handles alg allowlist)
  • the JWT.verify profile option was removed, use e.g. JWT.IdToken.verify instead.
  • removed the maxAuthAge JWT.verify option, this option is now only present at the specific JWT profile APIs where the auth_time property applies.
  • removed the nonce JWT.verify option, this option is now only present at the specific JWT profile APIs where the nonce property applies.
  • the acr, amr, nonce and azp claim value types will only be checked when verifying a specific JWT profile using its dedicated API.
  • using the draft implementing APIs will emit a one-time warning per process using process.emitWarning
  • JWT.sign function options no longer accept a nonce property. To create a JWT with a nonce just pass the value to the payload.
  • due to added ESM module support Node.js version with ESM implementation bugs are no longer supported, this only affects early v13.x versions. The resulting Node.js semver range is >=10.13.0 < 13 || >=13.7.0
  • deprecated method JWK.importKey was removed
  • deprecated method JWKS.KeyStore.fromJWKS was removed
  • the use of unregistered curve name P-256K for secp256k1 was removed
  • jose.JWE.Encrypt constructor aad and unprotectedHeader arguments swapped places
  • jose.JWE.encrypt.flattened header (unprotectedHeader) and aad arguments swapped places
  • jose.JWE.encrypt.general header (unprotectedHeader) and aad arguments swapped places
  • JWS.verify returned payloads are now always buffers
  • JWS.verify options encoding and parse were removed

Features

  • added support for ESM (ECMAScript modules) (1aa9035)
  • decrypt allowlists for both key management and content encryption (30e5c46)

Fixes

  • typescript: allow Buffer when verifying detached signature (cadbd04)
  • typescript: properly type all decode/verify/decrypt fn options (4c23bd6)

Refactor

  • encrypt APIs unprotectedHeader and aad arguments swapped (70bd4ae)
  • move JWT profile specifics outside of generic JWT (fd69d7f)
  • removed nonce option from JWT.sign (c4267cc)
  • removed deprecated methods and utilities (6c35c51)
  • removed payload parsing from JWS.verify (ba5c897)

1.28.0 (2020-08-10)

Features

  • support for validating issuer from a list of values (#91) (ce6836a)

1.27.3 (2020-08-04)

Fixes

  • do not mutate unencoded payload when signing for multiple parties (1695423), closes #89
  • ensure "b64" is the same for all recipients edge cases (d56ec9f)

1.27.2 (2020-07-01)

Fixes

  • handle private EC keys without public component (#86) (e8ad389), closes #85

1.27.1 (2020-06-01)

Fixes

  • allow any JSON numeric value for timestamp values (7ba4922)

1.27.0 (2020-05-05)

Features

  • add opt-in objects to verify using embedded JWS Header public keys (7c1cab1)

1.26.1 (2020-04-27)

Fixes

  • typescript: types of key generate functions without overloads (7e60722), closes #80
  • "typ" content-type validation, case insensitive and handled prefix (0691586)

1.26.0 (2020-04-16)

Features

  • update JWT Profile for OAuth 2.0 Access Tokens to latest draft (8c0a8a9)

BREAKING CHANGES

  • at+JWT JWT draft profile - in the draft's Section 2.2 the claims iat and jti are now REQUIRED (was RECOMMENDED).

1.25.2 (2020-04-15)

Fixes

  • build: don't publish junk files (6e98c1a)

1.25.1 (2020-04-15)

Fixes

  • use native openssl AES Key Wrap 🤦 (dcf8d75)

1.25.0 (2020-03-11)

Features

  • update JWT Profile for OAuth 2.0 Access Tokens to latest draft (bc77a15)

1.24.1 (2020-03-05)

Fixes

  • allow importing simpler passphrases as oct keys (f86bda3)

1.24.0 (2020-02-25)

Features

  • add JWT.verify "typ" option for checking JWT Type Header parameter (fc08426)

1.23.0 (2020-02-18)

Fixes

  • typescript: add optional JWK.Key props and make them readonly (b92079c), closes #67

Features

  • add ECDH-ES with X25519 and X448 OKP keys (38369ea)
  • add RSA-OAEP-384 and RSA-OAEP-512 JWE Key Management Algorithms (7477f08)

1.22.2 (2020-02-06)

Performance Improvements

  • various codepaths refactored (3e3d7dd)

1.22.1 (2020-02-03)

Fixes

  • actually remove the base64url proper encoding check (eae01b5)

1.22.0 (2020-01-29)

Features

  • keystore filtering by JWK Key thumbprint (a9f6f71)

Performance Improvements

  • base64url decode, JWT.verify, JWK.Key instance re-use (470b4c7)

1.21.1 (2020-01-25)

Fixes

  • contactKDF iteration count fixed for key sizes larger than 256 bits (70ff222)

1.21.0 (2020-01-23)

Fixes

  • typescript: don't expose non existant classes, fix decode key (0f8bf88)

Features

  • add opt-in support for Unsecured JWS algorithm "none" (3a6d17f)

1.20.0 (2020-01-16)

Features

  • add JWTExpired error and JWTClaimInvalid claim and reason props (a0c0c7a), closes #62

1.19.0 (2020-01-13)

Features

  • exposed shorthands for JWT verification profiles (b1864e3)

1.18.2 (2020-01-08)

Fixes

  • ensure asn1.js version to remove Buffer deprecation notice (13b1106)
  • expose JOSENotSupported key import errors on unsupported runtimes (bc81e5d)
  • typo in JOSENotSupported error when x509 certs are not supported (bb58c9c)

1.18.1 (2020-01-01)

Fixes

  • force iat past check when maxTokenAge option is used + JWT refactor (828ad5a)

1.18.0 (2019-12-31)

Features

  • add JWT validation profiles for Access Tokens and Logout Tokens (7bb5c95)

1.17.2 (2019-12-17)

Fixes

  • skip validating iat is in the past when exp is present (0ed5025)

1.17.1 (2019-12-10)

Fixes

  • properly fail to import unsupported openssh keys (bee5744)

1.17.0 (2019-12-10)

Features

  • importing a certificate populates x5c and x5t thumbprints (25a7a71), closes #59

1.16.2 (2019-12-05)

Fixes

  • handle Unencoded Payload (b64:false) with arbitrary buffer payloads (daabedc), closes #57

1.16.1 (2019-12-05)

Fixes

  • allow PBES2 for the correct JWK use values (f0d7194)

1.16.0 (2019-12-04)

Features

  • two official jose plugins/extensions for those living on the edge (5b27c97), closes #56

1.15.1 (2019-11-30)

Fixes

  • typescript: export Key Input types (0277fcd)

1.15.0 (2019-11-27)

Fixes

  • default JWT.sign kid option value is false for HMAC signatures (ce77388)

Features

  • allow JWK.asKey inputs for sign/verify/encrypt/decrypt operations (5e1009a)

1.14.0 (2019-11-26)

Features

  • allow JWKS.KeyStore .all and .get to filter for key curves (ea60338)

1.13.0 (2019-11-23)

Features

  • return the CEK from JWE.decrypt operation with { complete: true } (c3eb845)

1.12.1 (2019-11-14)

1.12.0 (2019-11-05)

Features

  • add JWS.verify encoding and parsing options (6bb66d4)

1.11.0 (2019-11-03)

Features

  • expose crypto.KeyObject instances in supported runtimes (8ea9683)

1.10.2 (2019-10-29)

Fixes

  • only use secp256k1 keys for signing/verification (9588223)

1.10.1 (2019-10-04)

Fixes

  • throw proper error when runtime doesn't support OKP (0a16efb), closes #48

1.10.0 (2019-10-01)

Features

1.9.2 (2019-09-16)

Fixes

  • keystore.toJWKS(true) does not throw on public keys (81abdfa), closes #42

1.9.1 (2019-09-10)

1.9.0 (2019-08-24)

Features

  • allow JWKS.asKeyStore to swallow errors (78398d3)

1.8.0 (2019-08-22)

Features

  • added Node.js lts/dubnium support for runtime supported features (67a8601)

1.7.0 (2019-08-20)

Features

  • add RSA-OAEP-256 support (when a node version supports it) (28d7cf8), closes #29

1.6.1 (2019-07-29)

Fixes

  • properly pad calculated RSA primes (dd121ce)

1.6.0 (2019-07-27)

Fixes

  • use the correct ECPrivateKey version when importing EC JWK (24acd20)

Features

1.5.2 (2019-07-27)

Fixes

  • importing x5c in electron requires the input split (181fd09)

1.5.1 (2019-07-27)

Fixes

  • correctly pad integers when importing RSA JWK (1dc7f35)

1.5.0 (2019-07-23)

Features

  • validate JWTs according to a JWT profile - ID Token (6c98b61)

1.4.1 (2019-07-14)

Fixes

  • honour the JWT.sign jti option (36c9ce2), closes #33

1.4.0 (2019-07-08)

Features

  • add secp256k1 EC Key curve and ES256K (211d7af)

1.3.0 (2019-06-21)

Features

  • compute private RSA key p, q, dp, dq, qi when omitted (6e3d6fd), closes #26
  • add support for JWK x5c, x5t and x5t#S256 (9d46c48)
  • instances of JWKS.KeyStore are now iterable (e.g. for ... of) (2eae293)

Fixes

  • limit calculation of missing RSA private components (5b53cb0)
  • reject rsa keys without all factors and exponents with a specific message (b0ff436)

Deprecations

  • this deprecates the use of JWK.importKey in favor of JWK.asKey
  • this deprecates the use of JWKS.KeyStore.fromJWKS in favor of JWKS.asKeyStore

Both JWK.importKey and JWKS.KeyStore.fromJWKS could have resulted in the process getting blocked when large bitsize RSA private keys were missing their components and could also result in an endless calculation loop when the private key's private exponent was outright invalid or tampered with.

The new methods still allow to import private RSA keys with these optimization key parameters missing but it is disabled by default and one should choose to enable it when working with keys from trusted sources

It is recommended not to use jose versions with this feature in its original on-by-default form - v1.1.0 and v1.2.0

1.0.2 (2019-05-13)

Fixes

  • add missing keystore.toJWKS() .d.ts definition (c7a8606), closes #25

1.0.1 (2019-04-27)

Fixes

  • oct key ts "k" type fix (0750d2c)

1.0.0 (2019-04-23)

Fixes

  • fail to import invalid PEM formatted strings and buffers (857dc2b)

Features

  • add JWK key_ops support, fix .algorithms() op returns (23b874c)
  • add key.toPEM() export function with optional encryption (1159b0d)
  • add OKP Key and EdDSA sign/verify support (2dbd3ed), closes #12

BREAKING CHANGES

  • key.algorithms(op) un+wrapKey was split into correct wrapKey/unwrapKey/deriveKey returns
  • keystore.all and keystore.get operation option was removed, key_ops: string[] supersedes it
  • Node.js minimal version is now v12.0.0 due to its added EdDSA support (crypto.sign, crypto.verify and eddsa key objects)

0.12.0 (2019-04-07)

Reverts

  • add EC P-256K JWK and ES256K sign/verify support (e21fea1)

BREAKING CHANGES

  • removing ES256K alg and EC P-256K crv support until the IETF WG decides on what the final names will be.

0.11.5 (2019-04-04)

Features

  • add key.secret and key.type for completeness (2dd7053)
  • add key.thumbprint always returning the JWK Thumbprint (RFC7638) (65db7e0)

0.11.4 (2019-03-28)

Fixes

  • properly restrict EC curves in generate(Sync) (764b863)
  • remove unintended exposure of private material via enumerables (946d9df)

0.11.3 (2019-03-27)

Fixes

  • throw on unsupported EC curves (cfa4222)

Features

  • add EC P-256K JWK and ES256K sign/verify support (2e33e1c)

0.11.2 (2019-03-19)

Fixes

  • internal symbol method is now really a symbol (925d47c)
  • key.toJWK() fixed on windows (57f1692), closes #17

0.11.1 (2019-03-17)

Fixes

  • restrict RS key algorithms by the key's bit size (9af295b)

0.11.0 (2019-03-16)

Fixes

  • all JWA defined RSA operations require key of 2048 or more (cc70c5d)
  • use correct salt length for RSASSA-PSS (e936d54)

BREAKING CHANGES

  • all JWA defined RSA based operations require key size of 2048 bits or more.

0.10.0 (2019-03-12)

Fixes

  • do not list "dir" under wrap/unwrapKey operations (17b37d3)

Features

  • keystore .all and .get operation option (d349ba9)

BREAKING CHANGES

  • "dir" is no longer returned as wrap/unwrapKey key operation

0.9.2 (2019-03-05)

Fixes

  • "dir" is only available on keys with correct lengths (6854860)
  • do not 'in' operator when importing keys as string (be3f4e4)

0.9.1 (2019-03-02)

Fixes

  • only import RSA, EC and oct successfully (e5e02fc)

0.9.0 (2019-03-02)

Initial release

Implemented Features

  • JSON Web Signature (JWS) - RFC7515
  • JSON Web Encryption (JWE) - RFC7516
  • JSON Web Key (JWK) - RFC7517
  • JSON Web Algorithms (JWA) - RFC7518
  • JSON Web Token (JWT) - RFC7519
  • JSON Web Key (JWK) Thumbprint - RFC7638
  • JWS Unencoded Payload Option - RFC7797
JWK Key Types Supported
RSA RSA
Elliptic Curve EC
Octet sequence oct
Serialization JWS Sign JWS Verify JWE Encrypt JWE Decrypt
Compact
General JSON
Flattened JSON
JWS Algorithms Supported
RSASSA-PKCS1-v1_5 RS256, RS384, RS512
RSASSA-PSS PS256, PS384, PS512
ECDSA ES256, ES384, ES512
HMAC with SHA-2 HS256, HS384, HS512
JWE Key Management Algorithms Supported
AES A128KW, A192KW, A256KW
AES GCM A128GCMKW, A192GCMKW, A256GCMKW
Direct Key Agreement dir
RSAES OAEP * RSA-OAEP (*RSA-OAEP-256 is not supported due to its lack of support in Node.js)
RSAES-PKCS1-v1_5 RSA1_5
PBES2 PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW
ECDH-ES ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW
JWE Content Encryption Algorithms Supported
AES GCM A128GCM, A192GCM, A256GCM
AES_CBC_HMAC_SHA2 A128CBC-HS256, A192CBC-HS384, A256CBC-HS512