UNCLASSIFIED - NO CUI


Update dependency go-jose/go-jose to v4

This MR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| go-jose/go-jose | ironbank-github | major | v2.6.3 -> v4.0.2 |

Release Notes

go-jose/go-jose (go-jose/go-jose)

v4.0.2: Version 4.0.2


What's Changed

New Contributors

Full Changelog: https://github.com/go-jose/go-jose/compare/v4.0.1...v4.0.2

v4.0.1


Fixed

  • An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). Thanks to Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@​zer0yu and @​chenjj) for reporting.

v4.0.0


This release makes some breaking changes in order to more thoroughly address the vulnerabilities discussed in Three New Attacks Against JSON Web Tokens, "Sign/encrypt confusion", "Billion hash attack", and "Polyglot token".

Changed

  • Limit JWT encryption types (exclude password or public key types) (#​78)
  • Enforce minimum length for HMAC keys (#​85)
  • jwt: match any audience in a list, rather than requiring all audiences (#​81)
  • jwt: accept only Compact Serialization (#​75)
  • jws: Add expected algorithms for signatures (#​74)
  • Require specifying expected algorithms for ParseEncrypted, ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned, jwt.ParseSignedAndEncrypted (#​69, #​74)
    • Usually there is a small, known set of appropriate algorithms for a program to use and it's a mistake to allow unexpected algorithms. For instance the "billion hash attack" relies in part on programs accepting the PBES2 encryption algorithm and doing the necessary work even if they weren't specifically configured to allow PBES2.
  • Revert "Strip padding off base64 strings" (#​82)
    • The specs require base64url encoding without padding.
  • Minimum supported Go version is now 1.21

Added

  • ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON.
    • These allow parsing a specific serialization, as opposed to ParseSigned and ParseEncrypted, which try to automatically detect which serialization was provided. It's common to require a specific serialization for a specific protocol - for instance JWT requires Compact serialization.
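
The v4.0.0 parsing rules listed above (a caller-supplied list of expected algorithms, Compact Serialization only for JWT, unpadded base64url) can be sketched with the Go standard library alone. This is an added example, not go-jose code: `checkCompactJWS` and `sample` are hypothetical names, the tokens are constructed, and the function is only a gate that runs before verification, not a signature check.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// checkCompactJWS is a hypothetical pre-verification gate (not go-jose code).
// It returns the header "alg" only when the token passes all three checks below.
func checkCompactJWS(token string, expected []string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("not a compact JWS: want 3 dot-separated parts")
	}
	// RawURLEncoding rejects '=' padding, matching the spec requirement.
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", fmt.Errorf("header is not unpadded base64url: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return "", fmt.Errorf("header is not JSON: %w", err)
	}
	for _, a := range expected {
		if hdr.Alg == a {
			return hdr.Alg, nil
		}
	}
	return "", fmt.Errorf("unexpected algorithm %q", hdr.Alg)
}

// sample builds a constructed token with a dummy payload and signature.
func sample(header string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(header)) + "." + enc([]byte(`{"sub":"demo"}`)) + "." + enc([]byte("sig"))
}

func main() {
	allow := []string{"RS256", "ES256"}
	for _, h := range []string{`{"alg":"RS256"}`, `{"alg":"none"}`, `{"alg":"HS256"}`} {
		alg, err := checkCompactJWS(sample(h), allow)
		fmt.Printf("%-18s alg=%q err=%v\n", h, alg, err)
	}
}
```

Rejecting the token before any key derivation or signature work is what keeps an algorithm the program never configured, such as PBES2, from costing CPU time.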

v3.0.3: Version 3.0.3


Fixed

  • Limit decompression output size to prevent a DoS. Backport from v4.0.1.

v3.0.2


Fixed

  • DecryptMulti: handle decompression error (#​19)

Changed

  • jwe/CompactSerialize: improve performance (#​67)
  • Increase the default number of PBKDF2 iterations to 600k (#​48)
  • Return the proper algorithm for ECDSA keys (#​45)

Added

  • Add Thumbprint support for opaque signers (#​38)

v3.0.1


Fixed

v3.0.0: Version 3.0.0


First release after moving from square/go-jose to the new go-jose/go-jose repository.

Fixes & Improvements

  • a10ff54 - Fix for EC thumbprint template so we compute EC thumbprints correctly
  • 30f4a6a - Treat zero Expected.Time as now in Claims.Validate when verifying JWTs
  • 4ac8eda - Fix handling of the x5u header (X.509 certificate URL) in JWKs
  • d7b900b - Strip padding off base64 strings, to match spec per RFC7515 Appendix C
  • 7f81482 - Extract key from JWKs to ensure you can use it when verifying a detached signature
  • e225b2d - Support non-pointer JWKs to match behavior for other key types
  • 94cbec2 - Use ed25519 from the stdlib instead of the golang.org/x/crypto version
  • eae0da4 - Export jose-util helpers as they might be useful for others
  • 4bac79d - Fix issue square#182 that caused panic on claims with invalid JWT payload
  • 60a6e9d - Use string.Builder to remove whitespace, instead of a regexp to improve performance
  • 2009556 - Better error handling to avoid panic that can be caused by invalid headers

This release also cleans up a number of module references for the new repo migration, fixed some typos in comments, and more.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.



This MR has been generated by Renovate Bot.
