jwt-compact 0.8.0

Minimalistic JWT implementation with focus on type safety and secure cryptographic primitives
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209

# Changelog


All notable changes to this project will be documented in this file.
The project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).

## [Unreleased]


## 0.8.0 - 2023-10-12


*(All changes are relative compared to [the 0.8.0-beta.1 release](#080-beta1---2023-06-09))*

### Added


- Support floating-point timestamps in claims.

### Security


- Update `ed25519-dalek` dependency, fixing a potential vulnerability as described in [RUSTSEC-2022-0093](https://rustsec.org/advisories/RUSTSEC-2022-0093).
- Replace unmaintained `serde_cbor` dependency with `ciborium`.

## 0.8.0-beta.1 - 2023-06-09


### Added


- Support padding in base64url encoding of certificate thumbprints in the JWT header.

### Changed


- Update `secp256k1` and `rsa` dependencies.
- Make JWT `Header` generic similar to `Claims`, so that it contain custom fields
  as per [Section 4.2 of RFC 7515](https://www.rfc-editor.org/rfc/rfc7515#section-4.2).
  Since `Default` is now implemented for all `Header<T: Default>`, one should use
  a new `Header::empty()` method to create an empty header, and `Header::new()` to create
  a header with custom fields.
- Take `Header<_>` by reference in `AlgorithmExt` methods creating tokens (previously,
  it was taken by value).
- Support custom-encoded certificate thumbprints in JWT `Header` by replacing types
  of the corresponding fields with a new `Thumbprint` enum. As an example,
  this allows hex-encoded thumbprints (which are then additionally base64url-encoded)
  produced by some software.

### Deprecated


- Deprecate `validate_integrity` and `validate_for_signed_token` methods in `AlgorithmExt`.
  An extended version of this functionality, which can validate tokens with custom headers,
  is now encapsulated in the new `Validator` type, which is returned
  by the new `AlgorithmExt::validator()` method.

## 0.7.0 - 2023-03-14


### Changed


- Update dependencies and bump minimum supported Rust version to 1.65.
- Rename the `with_rsa` feature to `rsa`.

## 0.6.0 - 2022-11-01


### Added


- Add ES256 implementation using pure-Rust [`p256`] crate.

### Changed


- Update dependencies, bump minimum supported Rust version to 1.60 and switch to 2021 Rust edition.

## 0.5.0 - 2021-12-29


*(All changes are relative compared to [the 0.5.0-beta.1 release](#050-beta1---2021-10-21))*

### Added


- Add `UntrustedToken::into_owned()` method to extend the token lifetime to static.
  This is useful if an `UntrustedToken` needs to be stashed / passed across threads.

- Add `UntrustedToken::deserialize_claims_unchecked()` to extract claims from a token
  without verification. As the name length implies, the method should only be used
  in exceptional cases.

- Implement `FromStr` and some standard traits (`Clone`, `Copy`, `PartialEq`) for `Rsa`.

- Introduce `AlgorithmSignature::LENGTH` constant for specifying the expected 
  signature length. The new `ValidationError::InvalidSignatureLen` variant provides
  more specific errors if the signature length is not as specified.

- Allow opting out from CBOR claims encoding by making `serde_cbor` dependency optional
  and using it as a crate feature. The relevant functionality (`AlgorithmExt::compact_token`,
  some error variants, etc.) is now gated behind this feature.
  This change is motivated by the fact that supporting verification of CBOR-encoded tokens 
  has non-zero cost for library users (e.g., in terms of code size or security analysis).

## 0.5.0-beta.1 - 2021-10-21


### Changed


- Update dependencies.

### Fixed


- Fix datetime overflow when validating the expiration claim.

- Fix `no_std` support for RSA-based JWS algorithms. As a part of the fix,
  to enable RSA, you should now use the `rsa` feature instead of `rsa`.

### Security


- Use constant-time base64 encoding / decoding from the [`base64ct`] crate.

## 0.4.0 - 2021-05-24


### Added


- Add `new()` constructor for `HS*` keys that accepts any type implementing
  `AsRef<[u8]>`. This simplifies key loading.

- Add `new()` constructor for `UntrustedToken` that accepts any type implementing
  `AsRef<str>`. This simplifies token processing.

- Add basic JSON Web Key (JWK) support. This allows (de)serializing keys from / into
  a uniform format and computing key thumbprints.

- Add ES256K implementation using pure-Rust [`k256`] crate.

### Changed


- Update dependencies.

- Rename `Header.signature_type` field to `token_type` to be more in line with JWT spec.

- Rename `Claims.expiration_date` to `expiration` to be more precise.

- Encapsulate `hmac` and `sha2` dependencies by introducing signature types 
  for `HS*` algorithms. The `digest` dependency is still public.

- `exonum-crypto` feature is no longer enabled by default.

- Change return type of `SigningKey::as_bytes()` to securely zeroize owned values on drop.

### Fixed


- Fix ES256K signature verification by accepting high-S signatures, which are still produced
  by some third-party implementations (e.g., OpenSSL).

## 0.3.0 - 2020-11-30


No substantial changes compared to the 0.3.0-beta.2 release.

## 0.3.0-beta.2 - 2020-11-09


*(All changes are relative compared to [the 0.3.0-beta.1 release](#030-beta1---2020-11-08))*

### Changed


- Make `CreationError` non-exhaustive.

- Rename `StrongKey::inner()` method to `into_inner`.

### Fixed


- Fix `docs.rs` configuration.

## 0.3.0-beta.1 - 2020-11-08


### Added


- Add signature getters for untrusted and trusted tokens.

- Add the [`ed25519-compact`] backend for Ed25519-based tokens.

- Add `SigningKey` and `VerifyingKey` traits for generic access to cryptographic keys.

- Support RSA algorithms using pure-Rust [`rsa`] crate.

- Add `no_std` mode and check `no_std` / WASM compatibility via dedicated aux crates.
  Introduce two relevant crate features, `clock` and `std`.

- Add wrapper types for strong keys / JWT algorithms.

- Add details to some `ValidationError` variants.

### Changed


- Update dependencies.

- Update minimum supported Rust version due to dependencies.

- `es256k` feature should now be used for access to libsecp256k1 backend instead of
  `secp256k1`.

- Rework time-related token creation / validation logic. It is now possible to
  use a custom clock, which could be useful for testing or if there is no access
  to the system clock.

- Make `Header`, `Claims`, `TimeOptions`, and error types non-exhaustive.

## 0.2.0 - 2020-05-11


### Changed


- Update dependencies; replace `failure` error handling with `anyhow`.

## 0.1.0 - 2019-07-01


The initial release of `jwt-compact`.

[`ed25519-compact`]: https://crates.io/crates/ed25519-compact
[`rsa`]: https://crates.io/crates/rsa
[`k256`]: https://crates.io/crates/k256
[`p256`]: https://crates.io/crates/p256
[`base64ct`]: https://crates.io/crates/base64ct