Releases · benmcollins/libjwt

11 Feb 13:43

v3.0.0

97bb1e5

v3.0.0 - A new way Latest

Latest

This is a major overhaul of LibJWT. The previous version was clumsy in that a jwt_t object could be used for creating a new token, or be the result of verifying. The ambiguity led to a lot of possible errors.

The key handling was not very well done and was confusing.

The new methods has a factory paradigm in that you create either a builder or checker object, configure it for your purposes, and then either generate tokens (builder) or verify tokens (checker) based on the rules you've established. This means you don't have to create an instance for every time you want to perform one of these actions.

One of the other new features is a complete JWK and JWKS backend for keys. It is now the only method with which you can load and use keys in LibJWT. There are command line tools for converting PEM type keys into JWK(S) JSON files (and back again).

There are also two convenient command line tools for generating and verifying JWT tokens.

Please see the documentation for a complete overview of the functionality.

Assets 3

21 Dec 13:48

benmcollins

v2.1.1

f5eef78

Security release for v2.1.1

jwt_decode_2(): Security vulnerability

This function had faulty logic based on some assumptions that it could trust the JWT in that if it was alg:none, it would not run the callback.

The assumption would allow an attacker to modify the JWT header and body and trick the function into returning without having retrieved a key from the cb, meaning no verification of the signature was done, and it retuned as if everything was successful.

The caller of jwt_decode_2 has no real way to know that their cb was never run.

As an aside, it was found that some of the test cases were assuming that you could call jwt_decode_2 with key_provider == NULL. This doesn't make much sense, considering there's no way to pass a key without a key_provider.

In this instance, if passed a JWT with alg:none, this was fine. If called with any other alg type, the code would attempt to run the NULL ``key_provider` and produce a SEGV.

RESOLUTION

jwt_decode_2 will always run the key_provider if passed, assuming there was not a previous error.
Always check key_provider for NULL before using it
If no key_provider, but JWT had alg != none, processing fails

NOTES:

jwt_decode() and jwt_decode_2() are being deprecated in favor more robust functionality.

Pre-built packages

Ubuntu ppa

Assets 3

10 Dec 16:25

benmcollins

v2.1.0

2863d88

v2.1.0

Full Changelog: v2.0.0...v2.1.0

Replaces Apple licensed internal base64 support with public domain code from libb64. It can still use the system libb64 if it's new enough. Reworked internal usage of the base64uri functions.

Rework a lot of the test cases to run across all available crypto ops.

Assets 3

09 Dec 13:52

benmcollins

v2.0.0

d5fb24d

v2.0.0

Full Changelog: v1.18.3...v2.0.0

Primary changes:

Use of libb64 for base64 if the library is detected
OpenSSL and GnuTLS support can be compiled together. New functions allow selecting which to use at runtime.

Assets 3