CHANGELOG.md

Release Notes

1.1.3 (2019-03-18)

• fail to verify PS signatures with incorrect padding in node (93399b6)

1.1.2 (2019-02-28)

• replaced outdated vulnerable lodash dependencies (b9c4f0e)

1.1.1 (2019-02-01)

• Update node-forge (6b0bc94)

1.1.0 (2018-11-05)

Bug Fixes

• remove setImmediate/nextTick hack (fixes #203) (4e24931)
• correct jws verify input validation check (fixes #210) (be66519)
• [node] use native crypto for RS signing (fixes #202) (59636c3)

Features

• [node] use native crypto for AES-KW Key-Wrapping (f18011f)
• [node] use native crypto for RSA-OAEP and RSA1_5 encryption (bba0a13)
• [node] use native crypto for RSA1_5 decryption (2a9e48a)
• [node] use native crypto for RSA-PSS (8a05f35)
• [node] use native crypto for ECDSA (aa5a48d)

1.0.0 (2018-05-30)

Update

• Create a Key without first creating a KeyStore (#170) (d5971e46253b311ea8a8b1a1967133867f6f6deb), closes #170
• support RSA-PSS in WebCrypto (#171) (f47abe731796c061a80240706a0c21e35062d975), closes #171
• generate and apply header values when key wrapping (#189) (370baa4aeee99dc3e4244fbe3cd92fcf4dff80d8), closes #189
• use safe Buffer allocators instead of unsafe constructor (#184) (0e066babef1d85bcd7066095ba20734b40898f1d), closes #184

Fix

• better error when given key does not support requested algorithms (#186) (70b0d76b48f8ae069c4357d65bb1b44f3a6d8e9a), closes #186

Build

• update supported test platforms (#188) (da9a9f24edb8054c41b1d7090eb4e7003e12aed6), closes #188
• use headless firefox for Travis (#156) (2008bf46ee299d44d164c8a3147e65b5147384bb), closes #156

Package

• Fix wrong repository URL syntax (from @sschuberth) (#160) (0e4dcbaef2cfa66a4520f4510c205c8c4b68707e), closes #160

0.11.1 (2018-05-15)

NOTE: This is a security patch, replacing base64url with b64u to address a vulnerability in the previous dependency.

Chore

• replace base64url with b64u (#179) (7f88049af5de3593adc00d886150bf2fa8f1ecd4), closes #179

0.11.0 (2017-11-30)

NOTICE This release includes a potentially breaking change. The default of jose.JWS.Verifier.verify() before 0.11.0 was to successfully verify if an embedded key was present and verification succeeds. Now the default is to instead fail verification. Applications that rely on embedded keys for JWS verification now must provide an opts Object to either jose.JWS.createVerify() or jose.JWS.Verifier.verify(), with the member allowEmbeddedKeys set to true.

Update

• configure if embedded keys can be used for signature verification; contributed by Fraser Winterborn of BlackBerry's Security Research Group (959a61d707ed2c8cf6582139a5605119283e4acb)
• configure option for allowed algorithm (9a86dd6dac3687ab58c806dfed6deca5a7d73dbb)

Doc

• Enable syntax highlighting on code areas in README (be18233154544cd160c185077cfaf77abea27507)

0.10.0 (2017-09-29)

Update

• alias JWS.createVerify to construct a sentence (2ed035a90c4ff74b210a8341292b3f9d6444a68d)
• Provide PBKDF2-based algorithms publicly (0a6e324eb5d163d69a58c5cf592cde84057faa40)

Fix

• HMAC minimum length checks should be better enforced (859539895b5f63f63c48e1d3871d1e052291af4e)
• prevent JWK.KeyStore#add from modifying jwk input (d1b8d882a1e4735434a317be8e6422bf259eed5d)

Build

• exclude old browsers from SL tests (20fe41ee982368123173995ba667c053608ff0bb)

0.9.5 (2017-08-07)

Update

• prevent embedding 'oct' keys in JWS objects (9e0c4dd81315306dc3e857142c84d69fba5c9519)

Fix

• coerce "kid" during lookup (bbe4d739e04e2b8a9e49c1e9235fc057dc952364), closes #109
• regression errors with Safari (7d8070cba5891506e0b5e978948ef9d1ba98a81f), closes #123 #125

Doc

• Add key hints and status badges to README (57916db0133d5ee97c5a34f32b80a46b6d63cb3a)

Build

• bundle package-lock.json for devel (3491d882b68270091ced996728b669a1c10086ef)
• support node-v8 in travis (60ba1e7312423ab3d1dee1f3f53c997f5b6f0d34)

0.9.4 (2017-04-13)

Update

• Use native RSA/OpenSSL crypto whenever possible (0d1a8cdc351988d74ac42398c3d973902db3d808)
• use npm-published base64url implementation (c6b30c91502ffef9b9d3addc8bdb1b8b0cc36e69), closes #96
• use npm-published node-forge implementation (0f4e0ab57839eaf6dd40c46be511afe3aec9ca44), closes #96
• Use WebCrypto API for PBKDF2 (5e5b9d376f334fa50bb69331e3065e2011c8e9c7)

Doc

• Fix wrong links to JWA and JWK specifications (538829dd4af480989422efec20a2c60f809d8d5c), closes #102

Build

• sourcemaps for karma tests (a571bd107d87df12bd9f076ade2a875c01b4b24d)
• update karma-firefox-launcher to version 1.0.1 (84f5f531783e4e50674532fa5c809dff4e6dc25c)
• update travis-ci for newer environments (55b91bb0b4bb158d9275dfc89c1de688e14163ed)
• update yargs to version 7.0.1 (af24f9e951b1078a088caf50acc13296c0076f68)

0.9.3 (2017-02-20)

Update

• maintain dependencies via Greenkeeper (2fde860746b009b6522fd9a990b4a62c34d034e4)
• update jsbn to version 1.1.0 (8a83b10c860e3c36aa581e890f5eeea7db23ec35)

Fix

• Validate EC public key is on configured curve (f92cffb4a0398b4b1158be98423369233282e0af)

Doc

• note webpack support (b011c001958c2e346b522e87cdb107f01e584da9)

Build

• additional tests on ECDH failures (af19f289811e75522bb8de662e76b1aef15a95fa)
• update gulp-mocha to latest version 🚀 (1e44875e9c1cad370cc44808bddf5fab99226eb0)
• Update webpack to the latest version 🚀 (bb513056143ad2ecf7b44862d3d7ac00e80852eb)

0.9.2 (2016-12-29)

Build

• include browser tests in travis-ci (4005f315f880add9aba33c1cbc7fb2c0a3a7a3d5)

Fix

• improper call to base64url.decode (e15d17c342c5374c8e953a2aa975c1a9daf1766a), closes #80
• node v6+ emits UnhandledPromiseRejectionWarning (6b5dbdfa9e9907ae547a6bce2a918fcc6c25368e), closes #79

0.9.1 (2016-08-23)

Build

• upgrade build environment (8f625984d668c160db0fea7ba48413b3e9320766)

0.9.0 (2016-07-17)

Update

• find keys embedded in JWS header (445381dd628936a9a3d4b8ff59794f96a0f34adb), closes #65

Fix

• incorrect member name for unprotected JWS header (6c6028c1619a500cb098b68fed0b83c52029823f)

0.8.1 (2016-07-13)

Fix

• Documentation typo (c8e27f517ce444ac13a8602f4e83da664c6fb34e)
• Issues with latest browserify-buffer (476e4d7fe743a50b6fd62ef1259d2db03d2313eb)
• Typo in lib/algorithms/constants (480721085b405c24349d5ead321c01d92941bdd2)
• Remove warnings from webpack (5056b6e29168ff147a948da908f305f90b60c45e)

Build

• Further restrict what is published (8e8f779cf84fe4d359123fa502276dfcad47ba0b)
• Reconcile git-prefixed dependencies (2b6bd1ec3f61ae301c9d631c1ff623b480ddd31b)

0.8.0 (2016-04-18)

Update

• support 'crit' header member (2a05a6700b5828a32d5b51e707b4c171a08d3ec4)

Fix

• failures on different browser platforms (d06fe17ae791f14d777e2492cefffd79404e199f)

Build

• integrate travis-ci (7dc80e735579c0f612256db7dd242b415520707f)

0.7.1 (2016-02-09)

Fix

• fix throws and rejects to be error objects and consistent (89325da4b183817a7c412af98f2aa2b9dce97ff9)
• only honor isPrivate in JWK.toJSON() if it is actually a Boolean (9f2f813fc5a10e0d477d5c06e4e719027b6cddbb)

0.7.0 (2016-01-14)

Update

• implement JWK thumbprint support [RFC 7638] (e57384cbf84cc30d8cc0be2b1f881107c4c74577)
• support Microsoft Edge (5ea3c881045388992511f61c9bfc17c8ab62f066)

0.6.0 (2015-12-12)

Update

• export EC keys as PEM (71d382ef06112dd6f71f7feec8c017b72695d20f)
• export RSA keys as PEM (e6ef2ef9aeddb0afc92d55222ae7669c87a3f6f1)
• import EC and RSA keys from "raw" PEM (f7a6dcab643209347b7bf68cb014d12e1698e8ff)
• import EC and RSA "raw" private keys from DER (f3cd2679317cec5a8a80f0634f777e4bc8ace4cd)
• harmonize output from JWE.decrypt and JWS.verify (ed0ea52e4fc4cc70920f2ce39bda11b09c45f214)

0.5.2 (2015-11-30)

Fix

• polyfill should not override native Promise (7ff0d4e6828e9b21ed12f98118a630d195ed7c9b)

Doc

• fix wrong decryption sample code in README.md (733d23f012b90a1b15f5474b7d25b7523d1a6e66)

Build

• add code coverage for node + browsers (4638bd52f81d2163df0aea71e09c4bd564dcee14)
• add code coverage for node + browsers (df7d8cd0e28e6f381194fb27ea9b5df3a2968b60)

0.5.1 (2015-11-19)

Fix

• 'stack exceeded' error on node.js 0.10 (4ad481210adae7cdc2a06a6c25ddcefe33eff395)
• address errors with setImmediate in IE (caa32813dfb059955f0069f76cfee44c40c35c55)

Build

• add CGMKW test (3643a9c5bc476c9ff2423858c772401b0b06557d)
• expand the saucelabs platforms (5eef84db07cfb8069853b2ee072d5888aaf16106)

0.5.0 (2015-10-31)

Update

• Support extra fields and x5t generation when importing a cert (0d52aa5dabe6af29a08c2e299fc6be9ff5e81fca)
• Support deprecated A*CBC+HS* algorithms (aka the "plus" algorithms) (d682e2920eeb9ff6599d7115f2dfbd705104603f)

Fix

• base64url does not work on IE (1ab757265ff2a160e49e870231590b2a47a4537b), closes #16
• When an assumed key is provided, use it over any others (9df51df13c153958661b7f76c7f1f2c3d322c109), fixes #14

0.4.0 (2015-10-12)

Breaking

• Use external implementation of base64url (78009311235006e1a2c76e1dadd78e200d4f954b)

Update

• Import a RSA or EC key from ASN.1 (PEM or DER) (cab7fc1e6e2551e5bebda0ec0ab0e6340ed564f3)
• Include key in JWS.verify result (d1267b29a120499d3a86b7213e7db6855c61d6c3)

0.3.1 (2015-10-06)

Fix

• JWE encryption fails for ECDH keys (3ecb7be38c237b09866b1ab3e7525dd6351e8153), closes #3

• proper name for file header (6364553ddf581c7628f4ea79877fec57545dff92)

Update

• provide a generic parse() method to see header(s) and generically unwrap (ecc859691395114cd7db644171e2c1b2e1015c8b)
• support parsing Buffer (580f763d0dfc63d5f6fdbde3bfec6f52a5218636)

Doc

• fix code blocks to render as blocks consistently (5f1a7ace4c8871065c3a9d09d8f38f09b8096413)
• update readme to reflect NPM publication (936058bc9ff19049327486842335324e34f1d73e)

Build

• browserify is only a devDependency (17880c401daea03f26af6438b2681232e3654a58)

[0.3.0] (2015-09-11)

Initial public release.