An implementation of JOSE standards (JWE, JWS, JWT) in Go
Contains fix for bug #142: preserves integers when normalizing JWT claims (fixed in #143).
Notable changes
Support for custom/extra header values (#136) thanks to @hlandau. This is a slight change to the v2 interface, so the minor version has been bumped. Also includes a bug fix for using symmetric keys to produce JWS objects (#139) thanks to @b1v1r.
Notable changes
- Support for nested (encrypted and signed) tokens in the jwt package (#125)
- Support for non-pointer JSONWebKey in the base package (#124)
Cleaner interface
The API for the base package has been reworked. In particular, encrypter/signer/decrypter/verifier objects are now immutable. An options struct can now be passed to set various options when creating the object. This is a bit more flexible and should make it easier to add new things in the future.
Support for JWT
Thanks to @shaxbee, go-jose now includes a new jwt sub-package with functions for dealing with encrypted/signed JWTs. See the documentation for the jwt package for more information.
Fixes and improvements
- Added a VerifyMulti function to verify multi-signature JWS objects. The existing Verify function has been changed to only accept single-signature objects. This ensures that callers do not accidentally accept multi-signature objects in contexts where they are not expected (#111, 2c5656a).
- Added a DecryptMulti function to decrypt multi-recipient JWE messages. The existing Decrypt function has been changed to only accept single-recipient messages. This ensures callers do not accidentally accept multi-recipient messages in contexts where they are not expected (#111, 2c5656a).
Note that this represents a subtle API change, as the Decrypt and Verify functions are now stricter than before and only accept single-signature/single-recipient inputs. To reflect this change, the minor version has been bumped.
Security fixes
- Cast all size calculations to uint64 to avoid int overflows on 32-bit architectures (789a4c4)
Other changes
- Proper import paths on the v1 branch to fix the build (3bd67f4)
Security fixes
- For ECDH-ES key derivation (in JWE), ensure that the received public key (from an "epk" header field on an encrypted message) is on the expected elliptic curve before performing any cryptographic operations. This also adds various sanity checks for EC keys in other places, e.g. when parsing JWK blobs with embedded EC keys. See commits c758193, 03c5c6e, d163d44.
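The recipient-side check described above, as an added example that is not go-jose's own code: it validates an "epk" header before any ECDH is performed, rejecting a non-EC key, a key on a curve other than the recipient's, malformed or wrong-length coordinates, and a point that is not on the curve. The epkJWK type and the checkEPK and epkFromPublicKey helpers are assumptions for this example, built only on the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"encoding/base64"
	"fmt"
	"math/big"
)

// epkJWK holds the "epk" JWK fields an ECDH-ES recipient needs (hypothetical type; go-jose uses its own JSONWebKey).
type epkJWK struct{ Kty, Crv, X, Y string }
// checkEPK validates a received ephemeral public key before any ECDH runs: it must
// be an EC key on the recipient's curve, with coordinates that lie on that curve.
func checkEPK(jwk epkJWK, expected elliptic.Curve) (*ecdsa.PublicKey, error) {
	if jwk.Kty != "EC" {
		return nil, fmt.Errorf("epk: unexpected kty %q", jwk.Kty)
	}
	if jwk.Crv != expected.Params().Name {
		return nil, fmt.Errorf("epk: curve %q does not match the recipient key", jwk.Crv)
	}
	size := (expected.Params().BitSize + 7) / 8 // fixed byte width of one coordinate
	var xy [2]*big.Int
	for i, s := range []string{jwk.X, jwk.Y} {
		b, err := base64.RawURLEncoding.DecodeString(s)
		if err != nil || len(b) != size {
			return nil, fmt.Errorf("epk: coordinate must be %d base64url-encoded bytes", size)
		}
		xy[i] = new(big.Int).SetBytes(b)
	}
	// An off-curve point would move the ECDH onto a weaker attacker-chosen group, so reject it first.
	if !expected.IsOnCurve(xy[0], xy[1]) {
		return nil, fmt.Errorf("epk: point is not on %s", jwk.Crv)
	}
	return &ecdsa.PublicKey{Curve: expected, X: xy[0], Y: xy[1]}, nil
}

// epkFromPublicKey encodes a key the way a sender places it in the "epk" header.
func epkFromPublicKey(pub *ecdsa.PublicKey) epkJWK {
	size := (pub.Curve.Params().BitSize + 7) / 8
	enc := func(n *big.Int) string {
		return base64.RawURLEncoding.EncodeToString(n.FillBytes(make([]byte, size)))
	}
	return epkJWK{Kty: "EC", Crv: pub.Curve.Params().Name, X: enc(pub.X), Y: enc(pub.Y)}
}
func main() { // constructed demo: the P-256 base point passes every check
	p := elliptic.P256()
	_, err := checkEPK(epkFromPublicKey(&ecdsa.PublicKey{Curve: p, X: p.Params().Gx, Y: p.Params().Gy}), p)
	fmt.Println("base point accepted:", err == nil)
}
```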
Other changes
- Fix the expand command in jose-util (c18180c)
- Remove support for the std_json build tag (1f36a88)
Notable changes
- Added basic support for the x5c header in JWKs (7cd6062)
Notable changes
- Switch jose-util to use alecthomas/kingpin for flag parsing (15af859)
- Add a JsonWebKey.Valid method to check key validity (h/t @rolandshoemaker, d2a8471)
Notable changes
- Allow setting the kid header for symmetric signers (860ab58, see also #85)