Skip to content

v1.3.0
Compare
Choose a tag to compare
@panva panva released this 21 Jun 13:05
v1.3.0
2969e55

Features

  • compute private RSA key p, q, dp, dq, qi when omitted (6e3d6fd), closes #26
  • add support for JWK x5c, x5t and x5t#S256 (9d46c48)
  • instances of JWKS.KeyStore are now iterable (e.g. for ... of) (2eae293)

Bug Fixes

  • limit calculation of missing RSA private components (5b53cb0)
  • reject rsa keys without all factors and exponents with a specific message (b0ff436)

Deprecations

  • this deprecates the use of JWK.importKey in favor of JWK.asKey
  • this deprecates the use of JWKS.KeyStore.fromJWKS in favor of JWKS.asKeyStore

Both JWK.importKey and JWKS.KeyStore.fromJWKS could have resulted in the process getting blocked when large bitsize RSA private keys were missing their components and could also result in an endless calculation loop when the private key's private exponent was outright invalid or tampered with.

The new methods still allow to import private RSA keys with these optimization key parameters missing but its disabled by default and one should choose to enable it when working with keys from trusted sources

It is recommended not to use @panva/jose versions with this feature in its original on-by-default form - v1.1.0 and v1.2.0

Assets 2
Loading