All Versions
10
Latest Version
Avg Release Cycle
37 days
Latest Release
159 days ago

Changelog History

  • v2.3.1

    April 10, 2019

    🛠 Fixes a bug in the serialization of ED25519 keys to JWK (JSON), where X/D values ended up being switched for one another in the serialized output (see #224). Reading a serialized private key would also end up switching the X/D values for another, so keys that were serialized/deserialized with old versions of go-jose would work fine (values should end up in the correct place again). However, sharing a private key with another library would have caused problems. If you have private keys that were previously serialized to JWK using this library, the X/D values will be incorrect and will need to be switched in the JSON serialization before the key can be deserialized with an updated version of go-jose.

  • v2.3.0

    February 27, 2019

    New Features

    • Add support for unwrapping JSON Web Key Set in the jwt sub-package. This means the key passed to Claims or Decrypt can now be a set of keys (of type *jose.JSONWebKeySet), and the key will be selected automatically based on the key id in the header of the token.

    🐛 Bug Fixes

    • 👌 Improves handling of exp, iat and nbf claims. This means proper handling for zero dates (#214), don't error if optional exp and nbf claims are missing from the token (#220), and perform an extra check on iat if it is present (#217). Note that expiration in tokens is optional per standard, if you want to require expiration or other claims to be absolutely present in a token be sure to check the claim is present.

    🚀 Note this release also drops support for Go 1.5 and Go 1.6, we now require Go 1.7 or later.

  • v2.2.2

    January 02, 2019

    ✅ Exports the random reader used for internal randomness to make deterministic tests possible (#212). This allows consumers of the library to add tests that can compare known inputs/outputs deterministically.

  • v2.2.1

    December 05, 2018

    🚀 This release adds stricter checks (#210) for handling JWKs with elliptic keys. As per RFC 7518, Section 6.2.1.2 to 6.2.2.1 the length of this octet strings for X/Y/D values in JWKs MUST be the full size of a coordinate for the curve specified in the "crv" parameter. As a result, invalid JWKs that were previously accepted (e.g. a JWK where the padding was missing on X/Y coordinates) will now be rejected when parsing them.

  • v2.2.0

    November 30, 2018

    Bug Fixes

    • Check that key size when matches cipher for DIRECT encryption mode (issue #204, fix in #205)
    • 🛠 Fix auth tag length for A192CBC-HS384, A256CBC-HS512 to match spec (issue #206, fix in #207)

    Note : We bumped the minor version in this release because the changes in #207 fixes a compatibility issue with the implementations of the A192CBC-HS384 and A256CBC-HS512 ciphers. The library didn't correctly follow the JOSE specification (RFC 7518) when encrypting and as a result ciphertexts produced with square/go-jose were incompatible with other JOSE implementations. Ciphertexts produced from other libraries with those ciphers would still decrypt correctly. If you were encrypting with A192CBC-HS384 and A256CBC-HS512 using old versions of this library there might be compatibility concerns when upgrading.

  • v2.1.9

    September 23, 2018

    🚀 This release contains a small change to emit pre-computed values on RSA keys when serializing to a JWK, see pull request #203. This fixes issue #202.

  • v2.1.8

    August 08, 2018

    🚀 This release adds support for PBES2 algorithms (#190).

  • v2.1.7

    July 25, 2018

    New Features

    • ➕ Added new cryptosigner sub-package to sign using crypto.Signer implementations (#179).
    • ➕ Added new OpaqueSigner (et al) interfaces for implementing custom, opaque signers (#179).

    🚀 This release also contains several minor bug fixes and makes unit tests pass in Go 1.11.

  • v2.1.6

    March 29, 2018

    🚀 This release adds support for parsing certificate chains from x5c headers in messages, and expose a function to verify & read them through a new jose.Header#Certificates(opts x509.VerifyOptions) function (see #178).

  • v1.1.2

    July 25, 2018

    🚀 This release contains several minor bug fixes and makes unit tests pass in Go 1.10 and 1.11.