Merge pull request #1164 from lestrrat-go/develop/v2
merge develop/v2 to v2
lestrrat authored Jul 28, 2024
2 parents b688667 + 8c21ee5 commit 8d1d783
Showing 96 changed files with 1,418 additions and 401 deletions.
2 changes: 1 addition & 1 deletion .aspect/bazelrc/convenience.bazelrc
Expand Up @@ -4,7 +4,7 @@ build --keep_going
test --keep_going

# Output test errors to stderr so users don't have to `cat` or open test failure log files when test
# fail. This makes the log noiser in exchange for reducing the time-to-feedback on test failures for
# fail. This makes the log noisier in exchange for reducing the time-to-feedback on test failures for
# users.
# Docs: https://bazel.build/docs/user-manual#test-output
test --test_output=errors
2 changes: 1 addition & 1 deletion .github/CONTRIBUTING.md
Expand Up @@ -10,7 +10,7 @@ The following is a set of guidelines that we ask you to follow when you contribu
* [Please Be Nice](#please-be-nice)
* [Please Use Correct Medium (GitHub Issues / Discussions)](#please-use-correct-medium-github-issues--discussions)
* [Please Include (Pseudo)code for Any Technical Issues](#please-include-pseudocode-for-any-technical-issues)
* [Reviewer/Reviewee Guidelines](#reviewer-reviewee-guidelines)
* [Reviewer/Reviewee Guidelines](#reviewerreviewee-guidelines)
* [Brown M&M Clause](#brown-mm-clause)
* [Pull Requests](#pull-requests)
* [Branches](#branches)
2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
Expand Up @@ -11,7 +11,7 @@ jobs:
strategy:
matrix:
go_tags: [ 'stdlib', 'goccy', 'es256k', 'secp256k1-pem', 'asmbase64', 'alltags']
go: [ '1.21', '1.20', '1.19' ]
go: [ '1.22', '1.21', '1.20' ]
name: "Test [ Go ${{ matrix.go }} / Tags ${{ matrix.go_tags }} ]"
steps:
- name: Checkout repository
4 changes: 2 additions & 2 deletions .github/workflows/lint.yml
Expand Up @@ -8,11 +8,11 @@ jobs:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: 1.19
go-version: "1.20"
check-latest: true
- uses: golangci/golangci-lint-action@v6
with:
version: v1.54.2
version: v1.59
- name: Run go vet
run: |
go vet ./...
2 changes: 1 addition & 1 deletion .github/workflows/smoke.yml
Expand Up @@ -14,7 +14,7 @@ jobs:
strategy:
matrix:
go_tags: [ 'stdlib', 'goccy', 'es256k', 'alltags' ]
go: [ '1.21', '1.20', '1.19' ]
go: [ '1.22', '1.21', '1.20' ]
name: "Smoke [ Go ${{ matrix.go }} / Tags ${{ matrix.go_tags }} ]"
steps:
- name: Checkout repository
2 changes: 1 addition & 1 deletion .github/workflows/stale.yml
Expand Up @@ -12,7 +12,7 @@ jobs:
stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 7 days.'
stale-pr-message: 'This PR is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 14 days.'
close-issue-message: 'This issue was closed because it has been stalled for 7 days with no activity. This does not mean your issue is rejected, but rather it is done to hide it from the view of the maintains for the time being. Feel free to reopen if you have new comments'
close-pr-message: 'This PR was closed because it has been stalled for 14 days with no activity. This does not mean your PR is rejected, but rather it is done to hide it from the view of the maintainers for the time being. Feel free to reopen if you have new comments or chnages that you would like to include. '
close-pr-message: 'This PR was closed because it has been stalled for 14 days with no activity. This does not mean your PR is rejected, but rather it is done to hide it from the view of the maintainers for the time being. Feel free to reopen if you have new comments or changes that you would like to include. '
days-before-issue-stale: 14
days-before-pr-stale: 14
days-before-issue-close: 7
20 changes: 9 additions & 11 deletions .golangci.yml
Expand Up @@ -11,12 +11,11 @@ linters:
enable-all: true
disable:
- cyclop
- deadcode # deprecated
- depguard
- dupl
- exhaustive
- exhaustivestruct
- errorlint
- err113
- funlen
- gci
- gochecknoglobals
Expand All @@ -26,31 +25,26 @@ linters:
- gocyclo
- godot
- godox
- goerr113
- gofumpt
- golint #deprecated
- gomnd
- gosec
- govet
- interfacer # deprecated
- ifshort
- inamedparam # oh, sod off
- ireturn # No, I _LIKE_ returning interfaces
- lll
- maintidx # Do this in code review
- maligned # deprecated
- makezero
- mnd
- nakedret
- nestif
- nlreturn
- nonamedreturns # visit this back later
- nosnakecase
- paralleltest
- scopelint # deprecated
- structcheck # deprecated
- perfsprint
- tagliatelle
- testifylint # TODO: revisit when we have the chance
- testpackage
- thelper # Tests are fine
- varcheck # deprecated
- varnamelen # Short names are ok
- wrapcheck
- wsl
Expand Down Expand Up @@ -92,6 +86,10 @@ issues:
- path: cmd/jwx/jwx.go
linters:
- forbidigo
- path: /*_test.go
text: "var-naming: "
litners:
- revive

# Maximum issues count per one linter. Set to 0 to disable. Default is 50.
max-issues-per-linter: 0
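Review bot: The exclude rule added at the end of the `issues` hunk spells its key `litners:` instead of `linters:`, so the intended scoping to `revive` never takes effect — depending on how golangci-lint treats unknown keys, the config either fails validation or the rule silently matches `var-naming: ` text from any linter; change it to `linters:`. The `path` field is a regular expression rather than a glob, so `/*_test.go` reads as "zero or more slashes followed by `_test.go`" and happens to work only by accident; `- path: _test\.go$` states the intent unambiguously. The `exclude-rules` list this entry belongs to starts before the hunk.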
45 changes: 27 additions & 18 deletions Changes
Expand Up @@ -4,6 +4,15 @@ Changes
v2 has many incompatibilities with v1. To see the full list of differences between
v1 and v2, please read the Changes-v2.md file (https://github.com/lestrrat-go/jwx/blob/develop/v2/Changes-v2.md)

v2.1.1 Jul 28 2024
* Update minimum required go version to go 1.20
* Update tests to work on 32-bit systems.
* [jwa] Add RSA_OAEP_384 and RSA_OAEP_512
* [jwa] `jwa.SignatureAlgorithm` now has a `IsSymmetric` method.
* [jwa] Add `jwa.RegisterSignatureAlgorithmOptions()` to register new algorithms while
specifying extra options. Currently only `jwa.WithSymmetricAlgorithm()` is supported.
* [jws] Clearly mark `jws.WithHeaders()` as deprecated

v2.1.0 18 Jun 2024
[New Features]
* [jwt] Added `jwt.ParseCookie()` function
Expand All @@ -19,13 +28,13 @@ v2.1.0 18 Jun 2024

# previously
jwt.ParseRequest(req) // looks under Authorization
jwt.ParseReuqest(req, jwt.WithFormKey("foo")) // looks under foo AND Authorization
jwt.ParseReuqest(req, jwt.WithHeaderKey("Authorization"), jwt.WithFormKey("foo")) // looks under foo AND Authorization
jwt.ParseRequest(req, jwt.WithFormKey("foo")) // looks under foo AND Authorization
jwt.ParseRequest(req, jwt.WithHeaderKey("Authorization"), jwt.WithFormKey("foo")) // looks under foo AND Authorization

# since this release
jwt.ParseRequest(req) // same as before
jwt.ParseRequest(req, jwt.WithFormKey("foo")) // looks under foo
jwt.ParseReuqest(req, jwt.WithHeaderKey("Authorization"), jwt.WithFormKey("foo")) // looks under foo AND Authorization
jwt.ParseRequest(req, jwt.WithHeaderKey("Authorization"), jwt.WithFormKey("foo")) // looks under foo AND Authorization

* [jwt] Add `jwt.WithResetValidators()` option to `jwt.Validate()`. This option
will allow you to tell `jwt.Validate()` to NOT automatically check the
Expand All @@ -43,13 +52,13 @@ v2.1.0 18 Jun 2024
`jwx_es256k` to enable ES256K/secp256k1, and `jwx_secp256k1_pem` to enable PEM handling.
Not one, but BOTH tags need to be present.

With this change, by suppliying the `WithPEM(true)` option, `jwk.Parse()` is now
With this change, by supplying the `WithPEM(true)` option, `jwk.Parse()` is now
able to read sep256k1 keys. Also, `jwk.Pem()` should be able to handle `jwk.Key` objects
that represent a secp256k1 key.

Please do note that the implementation of this feature is dodgy at best. Currently
Go's crypto/x509 does not allow handling additional EC curves, and thus in order to
accomodate secp256k1 keys in PEM/ASN.1 DER format we need to "patch" the stdlib.
accommodate secp256k1 keys in PEM/ASN.1 DER format we need to "patch" the stdlib.
We do this by copy-and-pasting relevant parts of go 1.22.2's crypto/x509 code and
adding the minimum required code to make secp256k1 keys work.

Expand Down Expand Up @@ -106,7 +115,7 @@ v2.0.20 20 Feb 2024
JWS message.
* [jwt] Add `jwt.WithCompactOnly()` to specify that only compact serialization can
be used for `jwt.Parse()`. Previously, by virtue of `jws.Parse()` allowing either
JSON or Compact serialization format, `jwt.Parse()` also alloed JSON serialization
JSON or Compact serialization format, `jwt.Parse()` also allowed JSON serialization
where as RFC7519 explicitly states that only compact serialization should be
used. For backward compatibility the default behavior is not changed, but you
can set this global option for jwt: `jwt.Settings(jwt.WithCompactOnly(true))`
Expand All @@ -125,7 +134,7 @@ v2.0.19 09 Jan 2024
[Security Fixes]
* [jws] JWS messages formated in full JSON format (i.e. not the compact format, which
consists of three base64 strings concatenated with a '.') with missing "protected"
headers could cause a panic, thereby introducing a possiblity of a DoS.
headers could cause a panic, thereby introducing a possibility of a DoS.

This has been fixed so that the `jws.Parse` function succeeds in parsing a JWS message
lacking a protected header. Calling `jws.Verify` on this same JWS message will result
Expand Down Expand Up @@ -219,7 +228,7 @@ v2.0.14 17 Oct 2023
asymmetric key pair.
[Security]
* golang.org/x/crypto has been updated to 0.14.0. The update contains a fix for HTTP/2
rapid reset DoS vulnerability, which some security scanning softwares may flag.
rapid reset DoS vulnerability, which some security scanning software may flag.
However, do note that this library is NOT affected by the issue, as it does not have
the capability to serve as an HTTP/2 server. This is included in this release
document so that users will be able to tell why this library may be flagged
Expand Down Expand Up @@ -261,7 +270,7 @@ v2.0.10 - 12 Jun 2023

This feature is labeled experimental because the API for the above interfaces have not
been battle tested, and may need to changed yet. Please be aware that until the API
is deemed stable, you may have to adapat our code to these possible changes,
is deemed stable, you may have to adapt your code to these possible changes,
_even_ during minor version upgrades of this library.

[Bug fixes]
Expand All @@ -283,7 +292,7 @@ v2.0.10 - 12 Jun 2023
If you care about this performance improvement, you should probably enable
`goccy` JSON parser as well, by specifying `jwx_goccy,jwx_asmbase64` in your build call.
* Slightly changed the way global variables underneath `jwk.Fetch` are initialized and
configured. `jwk.Fetch` creates an object that spawns wokers to fetch JWKS when it's
configured. `jwk.Fetch` creates an object that spawns workers to fetch JWKS when it's
first called.
You can now also use `jwk.SetGlobalFetcher()` to set a fetcher object which you can
control.
Expand All @@ -304,7 +313,7 @@ v2.0.9 - 21 Mar 2023
Note that there is no way to call
`jws.Verify()` while allowing `{"alg":"none"}` as you wouldn't be _verifying_
the message if we allowed the "none" algorithm. `jws.Parse()` will parse such
messages witout verification.
messages without verification.

`jwt` also allows you to sign using alg="none", but there's no symmetrical
way to verify such messages.
Expand Down Expand Up @@ -373,7 +382,7 @@ v2.0.7 - 15 Nov 2022

[Miscellaneous]
* WithCompact's stringification should have been that of the
internal indentity struct ("WithSerialization"), but it was
internal identity struct ("WithSerialization"), but it was
wrongly producing "WithCompact". This has been fixed.
* Go Workspaces have been enabled within this module.
- When developing, modules will refer to the main jwx module that they
Expand Down Expand Up @@ -410,7 +419,7 @@ v2.0.5 - 11 Aug 2022
v2.0.4 - 19 Jul 2022
[Bug Fixes]
* [jwk] github.com/lestrrat-go/httprc, which jwk.Cache depends on,
had a problem with inserting URLs to be re-fetched into its queue.
had a problem with inserting URLs to be refetched into its queue.
As a result it could have been the case that some JWKS were not
updated properly. Please upgrade if you use jwk.Cache.

Expand All @@ -419,20 +428,20 @@ v2.0.4 - 19 Jul 2022
* [jwk] Fix doc buglet in `KeyType()` method

[New Features]
* [jws] Add `jws.WithMultipleKeysPerKeyID()` sub-option to allow non-unique
* [jws] Add `jws.WithMultipleKeysPerKeyID()` suboption to allow non-unique
key IDs in a given JWK set. By default we assume that a key ID is unique
within a key set, but enabling this option allows you to handle JWK sets
that contain multiple keys that contain the same key ID.

* [jwt] Before v2.0.1, sub-second accuracy for time based fields
(i.e. `iat`, `exp`, `nbf`) were not respected. Because of this the code
to evaluate this code had always truncated any-subsecond portion
to evaluate this code had always truncated any sub-second portion
of these fields, and therefore no sub-second comparisons worked.
A new option for validation `jwt.WithTruncation()` has been added
to workaround this. This option controls the value used to truncate
the time fields. When set to 0, sub-second comparison would be
possible.
FIY, truncatation will still happen because we do not want to
FIY, truncation will still happen because we do not want to
use the monotonic clocks when making comparisons. It's just that
truncating using `0` as its argument effectively only strips out
the monotonic clock
Expand All @@ -450,14 +459,14 @@ v2.0.2 - 23 May 2022

[New Features]
* [jwt] RFC3339 timestamps are also accepted for Numeric Date types in JWT tokens.
This allows users to parse servers that errnously use RFC3339 timestamps in
This allows users to parse servers that erroneously use RFC3339 timestamps in
some pre-defined fields. You can change this behavior by setting
`jwt.WithNumericDateParsePedantic` to `false`
* [jwt] `jwt.WithNumericDateParsePedantic` has been added. This is a global
option that is set using `jwt.Settings`

v2.0.1 - 06 May 2022
* [jwk] `jwk.Set` had erronously been documented as not returning an error
* [jwk] `jwk.Set` had erroneously been documented as not returning an error
when the same key already exists in the set. This is a behavior change
since v2, and it was missing in the docs (#730)
* [jwt] `jwt.ErrMissingRequiredClaim` has been deprecated. Please use
12 changes: 6 additions & 6 deletions Changes-v2.md
Expand Up @@ -38,7 +38,7 @@ key, err := jwk.FromRaw(rawKey)
// Algorithm() now returns jwa.KeyAlgorithm type. `jws.Sign()`
// and other function that receive JWK algorithm names accept
// this new type, so you can use the same key and do the following
// (previosly you needed to type assert)
// (previously you needed to type assert)
jws.Sign(payload, jws.WithKey(key.Algorithm(), key))

// If you need the specific type, type assert
Expand Down Expand Up @@ -73,7 +73,7 @@ jws.Verify(signed, jws.WithKeySet(jwks), jws.WithKeyUsed(&keyUsed))

```go
// basic
jwe.Encrypt(payload, jwe.WithKey(alg, key)) // other defaults are infered
jwe.Encrypt(payload, jwe.WithKey(alg, key)) // other defaults are inferred
jwe.Encrypt(payload, jwe.WithKey(alg, key), jwe.WithKey(alg, key), jwe.WithJSON(true))
jwe.Decrypt(encrypted, jwe.WithKey(alg, key))

Expand All @@ -92,7 +92,7 @@ jwe.Verify(signed, jwe.WithKeySet(jwks), jwe.WithKeyUsed(&keyUsed))

* Module now requires go 1.16

* Use of github.com/pkg/errors is no more. If you were relying on bevaior
* Use of github.com/pkg/errors is no more. If you were relying on behavior
that depends on the errors being an instance of github.com/pkg/errors
then you need to change your code

Expand Down Expand Up @@ -243,8 +243,8 @@ jws.Verify(signed, jws.WithKeySet(cachedSet))
but this has been removed. This is to avoid unwanted clogging of the fetch workers
which is the default processing mode in `github.com/lestrrat-go/httprc`.

If you are using backoffs, you need to control your inputs more carefully so as to
not clog your fetch queue, and therefore you should be writing custom code that
If you are using backoffs, you need to control your inputs more carefully so as
not to clog your fetch queue, and therefore you should be writing custom code that
suits your needs

## JWS
Expand Down Expand Up @@ -306,7 +306,7 @@ jws.Parse(serialized,
The rest of the arguments are treated as options passed to the
`(jwk.Fetcher).Fetch()` function.

* Remove `jws.WithPayloadSigner()`. This should be completely repleceable
* Remove `jws.WithPayloadSigner()`. This should be completely replaceable
using `jws.WithKey()`

* jws.WithKeyProvider() has been added to specify arbitrary
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -240,7 +240,7 @@ Please try [discussions](https://github.com/lestrrat-go/jwx/tree/v2/discussions)

# Related Modules

* [github.com/lestrrat-go/echo-middileware-jwx](https://github.com/lestrrat-go/echo-middleware-jwx) - Sample Echo middleware
* [github.com/lestrrat-go/echo-middleware-jwx](https://github.com/lestrrat-go/echo-middleware-jwx) - Sample Echo middleware
* [github.com/jwx-go/crypto-signer/gcp](https://github.com/jwx-go/crypto-signer/tree/main/gcp) - GCP KMS wrapper that implements [`crypto.Signer`](https://pkg.go.dev/crypto#Signer)
* [github.com/jwx-go/crypto-signer/aws](https://github.com/jwx-go/crypto-signer/tree/main/aws) - AWS KMS wrapper that implements [`crypto.Signer`](https://pkg.go.dev/crypto#Signer)

2 changes: 1 addition & 1 deletion WORKSPACE
Expand Up @@ -29,7 +29,7 @@ go_dependencies()

go_rules_dependencies()

go_register_toolchains(version = "1.19.5")
go_register_toolchains(version = "1.20.14")

gazelle_dependencies()

2 changes: 1 addition & 1 deletion cmd/jwx/jwe.go
Expand Up @@ -39,7 +39,7 @@ func keyEncryptionFlag(required bool) cli.Flag {
func makeJweEncryptCmd() *cli.Command {
var cmd cli.Command
cmd.Name = "encrypt"
cmd.Usage = "Encrypt payload to generage JWE message"
cmd.Usage = "Encrypt payload to generate JWE message"
cmd.UsageText = `jwx jwe encrypt [command options] FILE
Encrypt contents of FILE and generate a JWE message using
12 changes: 7 additions & 5 deletions cmd/jwx/jws.go
Expand Up @@ -41,7 +41,7 @@ func makeJwsCmd() *cli.Command {
func makeJwsParseCmd() *cli.Command {
var cmd cli.Command
cmd.Name = "parse"
cmd.Usage = "Parse JWS mesage"
cmd.Usage = "Parse JWS message"
cmd.UsageText = `jwx jws parse [command options] FILE
Parse FILE and display information about a JWS message.
Expand Down Expand Up @@ -203,7 +203,7 @@ func makeJwsSignCmd() *cli.Command {
var cmd cli.Command
cmd.Name = "sign"
cmd.Aliases = []string{"sig"}
cmd.Usage = "Verify JWS mesage"
cmd.Usage = "Verify JWS message"
cmd.UsageText = `jwx jws sign [command options] FILE
Signs the payload in FILE and generates a JWS message in compact format.
Expand Down Expand Up @@ -258,16 +258,18 @@ func makeJwsSignCmd() *cli.Command {
return fmt.Errorf(`invalid alg %s`, givenalg)
}

var options []jws.SignOption
// headers must go to WithKeySuboptions
var suboptions []jws.WithKeySuboption
if hdrbuf := c.String("header"); hdrbuf != "" {
h := jws.NewHeaders()
if err := json.Unmarshal([]byte(hdrbuf), h); err != nil {
return fmt.Errorf(`failed to parse header: %w`, err)
}
options = append(options, jws.WithHeaders(h))
suboptions = append(suboptions, jws.WithProtectedHeaders(h))
}

options = append(options, jws.WithKey(alg, key))
var options []jws.SignOption
options = append(options, jws.WithKey(alg, key, suboptions...))
signed, err := jws.Sign(buf, options...)
if err != nil {
return fmt.Errorf(`failed to sign payload: %w`, err)
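Review bot: The new comment `// headers must go to WithKeySuboptions` says where the headers go but not why, which is the part a later reader needs; since this commit's Changes entry marks `jws.WithHeaders()` deprecated, something like `// jws.WithHeaders is deprecated: per-key headers are attached through jws.WithKey suboptions (jws.WithProtectedHeaders)` records the reason. `var options []jws.SignOption` followed by a single append reads more directly as `options := []jws.SignOption{jws.WithKey(alg, key, suboptions...)}`. The header JSON is taken verbatim from the `header` flag, so any `alg` or `kid` it carries now ends up in the protected header next to the `alg` chosen via the flag; it is worth confirming which value wins when they disagree and, if the flag wins, saying so in the command's usage text. makeJwsSignCmd's body starts and ends outside the hunk.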