CHANGES

FusionAuth JWT Changes

Changes in 5.3.3

 * Upgraded com.fasterxml.jackson.core:jackson-* to 2.15.4.
 * Upgraded test dependency org.bouncycastle.bc-fips to 1.0.2.5

Changes in 5.3.2

 * Correct the padding when extracting the r and s components from a DER encoded public key.
   This bug may cause some signatures to be invalid when using ES512.

   Resolves https://github.com/FusionAuth/fusionauth-jwt/issues/57

Changes in 5.3.1

 * Upgraded Jackson Core to 2.15.2.

Changes in 5.3.0

 * Add support for providing your own JWT header. This will enable you to customize the header property order for example.

  Resolves https://github.com/FusionAuth/fusionauth-jwt/issues/52
  Thanks to @mdemille for the request and the PR!

Changes in 5.2.4

 * Bind a deserializer using @JsonDeserialize the JWT object for all ZoneDateTime objects. This allows
   you to use any Jackson Object Mapper w/out explicitly binding these deserializers.

Changes in 5.2.3

 * Upgraded Jackson Core to 2.14.0

Changes in 5.2.2

 * Upgraded Jackson Core to 2.13.4.

Changes in 5.2.1

 * Upgraded Jackson Core to 2.13.3.

Changes in 5.2.0

 * Add JWTDecoder.decode that takes a Function<String, Verifier>.

  Resolves https://github.com/FusionAuth/fusionauth-jwt/issues/47
  Thanks to @agentgt for the request.

Changes in 5.1.2

 * Proactive patch for CVE-2022-21449 ahead of the fix that should be coming for the JDK.
   Check ECDSA signature to ensure that r and s are > 0.

   See https://nvd.nist.gov/vuln/detail/CVE-2022-21449

Changes in 5.1.1

  * Allow for a 2047 bit RSA key, turns out this is a thing.

  Resolves https://github.com/FusionAuth/fusionauth-jwt/issues/41
  Thanks to @paul-eeoc for opening the issue.

Changes in 5.1.0

  * Added access to the JWT header in the JWT object.

Changes in 5.0.0

  * Correct JWT header to be a String, Object map to support embedded JWK.
    This is a potentially a breaking change.

   Resolves https://github.com/FusionAuth/fusionauth-jwt/issues/38
   Thanks to @tommed for opening the issue.

Changes in 4.3.1

 * Modify `JSONWebKeySetResponse` to be public in support of JPMS.

   Resolves https://github.com/FusionAuth/fusionauth-jwt/issues/36
   Thanks to @XakepSDK for raising the issue.

Changes in 4.3.0

 * Take PublicKey instead of RSAPublicKey or ECPublicKey on verifier methods and then validate the key to ensure the correct type.
 * Support taking a PrivateKey object when building a signer in addition to a PEM.

   Resolves https://github.com/FusionAuth/fusionauth-jwt/issues/35
   Thanks to @tommed for the request.

Changes in 4.2.2

 * Bump optional dep bc-fips to 1.0.2.1 (1.0.2+P1)

    See https://github.com/advisories/GHSA-6xx3-rg99-gc3p
    See https://nvd.nist.gov/vuln/detail/CVE-2020-15522

Changes in 4.2.1

 * Bump optional dep bc-fips to 1.0.2

Changes in 4.2.0

 * Upgraded Jackson Core to 2.12.2.

 * Added additional methods for JSONWebKeySetHelper to modify the HTTP connection allowing you to modify timeout values.

   Resolves https://github.com/FusionAuth/fusionauth-jwt/issues/31
   Thanks to @alienintheheights for the suggestion.

 * Increased default timeouts in AbstractHttpHelper

Changes in 4.1.0

 * Upgraded Jackson Core to 2.12.1. This upgrade addresses CVE-2020-14060, CVE-2020-14061, CVE-2020-14062, CVE-2020-14195 and CVE-2020-24616 and CVE-2020-24750.

    See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14060
    See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14061
    See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14062
    See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14195
    See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24616
    See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24750

    Resolves https://github.com/FusionAuth/fusionauth-jwt/issues/29
    Thanks to @rvillane for opening the issue.

  * Initial support for OAuth2 Authorization Server Metadata.

    Resolves https://github.com/FusionAuth/fusionauth-jwt/issues/23
    Thanks to @jamietanna for his contribution.

Changes in 4.0.1

  * Added ability to provide your own HttpURLConnection to the JSONWebKeySetHelper helper methods.

    Thanks to @rsatrio for the PR. https://github.com/FusionAuth/fusionauth-jwt/pull/27

Changes in 4.0.0

  * Change the JWT header type from a enum to a string to support other JWT types. This is a breaking
    change so the major version has been incremented to version 4.0.0.

    Thanks to @rsatrio for the PR. See https://github.com/FusionAuth/fusionauth-jwt/pull/26

Changes in 3.6.0

 * Add the x5c to the JSON Web Key Builder
 * When provided, use the x5c JSON Web Key property to verify the public key modulus and exponent.
 * Improve KeyUtils.getKeyLength to report the correct key length for some EC keys.
 * Add support for clock skew in the JWT Decoder. See JWTDecoder.withClockSkew.
 * Add TimeMachineJWTDecoder to support adjusting 'now' which may be helpful in tests to verify old JWTs.

   Thanks to to @RockyMM and @jarekratajski for their help and contribution!

Changes in 3.5.3

 * Add JWK Thumbprint
   Added via https://github.com/FusionAuth/fusionauth-jwt/issues/18, thanks to @jamietanna for the PR.

Changes in 3.5.2

 * Fix JWK parsing to use the kty field instead of the alg field.
   Resolves https://github.com/FusionAuth/fusionauth-jwt/issues/22

Changes in 3.5.1

 * Add time constant HMAC equality check.

  See https://github.com/FusionAuth/fusionauth-jwt/issues/17
  See https://github.com/FusionAuth/fusionauth-jwt/pull/20

Changes in 3.5.0

 * Initial support for RSA Probabilistic Signature Schema (RSASSA-PSS) algorithms PS256, PS384 and PS512.

Changes in 3.4.1

 * Modify JSONWebKeyBuilder.build when taking a PEM to prefer a certificate over a public key to ensure we get the x5t in the output.

Changes in 3.4.0

 * Add JSON Web Key Set helpers to download keys from JWKS endpoints. See JSONWebKeySetHelper.

Changes in 3.3.1

 * Add static method on JSONWebKey to use new JSONWebKeyParser class.

Changes in 3.3.0

 * Add JSONWebKeyParser to extract public keys from a JSON Web key. This allows you to build JWT verifiers from publicly available JWKS endpoints.

Changes in 3.2.0

 * Add new HMAC signer methods to take bytes.

Changes in 3.1.7

 * Add option to provide your own crypto provider to support BC FIPS or other options.

Changes in 3.1.6

 * Support taking an ECPublicKey or RSAPublicKey object on the Verifier builders.

Changes in 3.1.5

 * Add explicit Jackson serializer configuration for ZonedDateTime fields in case anyone wants to serialize the object directly with a Jackson ObjectMapper.

Changes in 3.1.4

 * Upgraded Jackson Core, Databind and Annotations to 2.10.0.

Changes in 3.1.3

 * Upgraded Jackson Databind to 2.9.9.2. This upgrade addresses CVE-2019-14379, CVE-2019-14439 and CVE-2019-12814.

  See https://nvd.nist.gov/vuln/detail/CVE-2019-14379
  See https://nvd.nist.gov/vuln/detail/CVE-2019-14439
  See https://nvd.nist.gov/vuln/detail/CVE-2019-12814

Changes in 3.1.2

 * Upgraded Jackson Databind to 2.9.9.1. This upgrade addresses CVE-2019-12814.

Changes in 3.1.1

 * Add .equals(), .hashCode() and .toString() to io.fusionauth.jwt.domain.Header
 * Upgraded Jackson to 2.9.9. This upgrade addresses CVE-2019-12086.

   If you are unable to upgrade to 3.1.1, simply explicitly depend upon version 2.9.9 in your own application, this will be compatible with
   this library.

   See https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9
   See https://nvd.nist.gov/vuln/detail/CVE-2019-12086

Changes in 3.1.0

 * Added Signer.getKid() with a default impl to throw UnsupportedOperationException(), this allows the JWTEncoder.encode to add a 'kid' by default. This makes it more consistent with the JWTDecoder.

Changes in 3.0.4

 * Add PEM.encode(Certificate certificate) and PEMEncoder.encode(Certificate certificate)

Changes in 3.0.3

 * Remove throws from OpenIDConnect utility methods

Changes in 3.0.2

 * Add JWTUtils.decodePayload and decodeHeader as a utility to decode a JWT, this is an unsafe and should only be used for utility not to verify the JWT.

Changes in 3.0.1

 * Remove un-needed line return at the end of the PEM when encoding a PEM string.

Changes in 3.0.0

 This major version of fusionauth-jwt contains breaking changes.

 * Elliptic Support, ES256, ES384 and ES512
 * JWK Support
 * Some minor breakages
 * Upgraded Jackson from 2.9.6 to 2.9.8. This upgrade addresses CVE-2018-19360, CVE-2018-19361, CVE-2018-19362 and CVE-2018-1000873.

   If you are unable to upgrade to 3.0.0, simply explicitly depend upon version 2.9.8 in your own application, this will be compatible with
   this library.

   See https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8
   See https://nvd.nist.gov/vuln/detail/CVE-2018-19360
   See https://nvd.nist.gov/vuln/detail/CVE-2018-19361
   See https://nvd.nist.gov/vuln/detail/CVE-2018-19362
   See https://nvd.nist.gov/vuln/detail/CVE-2018-1000873

Changes in 2.1.1

 * Ignore null values when calling JWT.addClaim

Changes in 2.1.0

 * Rename packages from org.primeframework to io.fusionauth
 * Rename project from prime-jwt to fusionauth-jwt

Changes in 2.0.0

 This major version of prime-jwt contains breaking changes to the JWT class to make the behavior more consistent and predictable.

 * JWT parsing now uses BigDecimal and BigInteger for all numeric values. There are helper methods to convert these to Integer, Long, Double and Float.
 * JWT object stores all known claims as top level properties and all other claims in a Map
 * Added helper methods to JWT to get all claims in a Map (including known claims). One is the original JWT values and one provides rich Java types (i.e. ZonedDateTime)
 * Added RSAUtils.convertFingerprintToThumbprint
 * Added RSAUtils.convertThumbprintToFingerprint
 * Added HEXUtils.fromBytes
 * Added HEXUtils.toBytes
 * Upgraded Jackson from 2.8.8 to 2.9.6. This upgrade addresses CVE-2018-7489 and CVE-2017-7525 for jackson-databind.
   See https://nvd.nist.gov/vuln/detail/CVE-2018-7489
   See https://nvd.nist.gov/vuln/detail/CVE-2017-7525

Changes in 1.3.1

 * Fixed potential security issue that may allow a JWT to be decoded without a valid signature. Thanks to @rcadob.

Changes in 1.3.0

 * Added OpenIDConnect.at_hash
 * Added OpenIDConnect.c_hash
 * Fixed potential security issue that may allow a JWT to be decoded without a valid signature. Thanks to @dmak.
   See CVE-2018-1000125 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000125

Changes in 1.2.1

 * Better handle invalid Base64 encoded JWTs

Changes in 1.2.0

 * Added JWT.getRawClaims()

Changes in 1.1.0

 * Support for x5t (X.509 thumbprints)
 * Additional helper methods in PEMUtils and RSAUtils

Changes in 1.0.0

 * Add support for X.509 certificates

Changes in 0.2.1

 * Add POM to release to maven as well as savent

Changes in 0.2.0

 * Change "keyId" to "kid".

Changes in 0.1.6

 * Renamed JWT.audience --> JWT.setAudience
 * Renamed JWT.claim --> JWT.addClaim
 * Renamed JWT.expiration --> JWT.setExpiration
 * Renamed JWT.issuedAt --> JWT.setIssuedAt
 * Renamed JWT.issuer --> JWT.setIssuer
 * Renamed JWT.notBefore --> JWT.setNotBefore
 * Renamed JWT.subject --> JWT.setSubject
 * Renamed JWT.uniqueId --> JWT.setUniqueId

Changes in 0.1.5

 * Removed RefreshToken domain object.

Changes in 0.1.4

 * Add helper to generate an ideal HMAC secret for SHA-384

Changes in 0.1.3

 * Add support for HS384 and RS384

Changes in 0.1.2

 * Added JavaDoc
 * Better parsing support for PKCS#1 and PKCS#8 key formats
 * Enforce minimum RSA key key length of 2048

Changes in 0.1.1

 * Added validation for JWT Expired (exp) and JWT Not Available for Processing (nbf)
 * Added helpers to generate HMAC keys and RSA Key Pairs
 * Add JWTException that all other exceptions extend
 * Add tests

Changes in 0.1.0

 * Initial release.