v1.6.1

Bug Fixes

• properly pad calculated RSA primes (dd121ce)

v1.6.0

Bug Fixes

• use the correct ECPrivateKey version when importing EC JWK (24acd20)

Features

• electron v6.x support (e7ad82c)

Notes

Electron v6.x runtime is supported to the extent of the crypto engine BoringSSL feature parity with standard Node.js OpenSSL. The following is disabled in Electron runtime because of its lack of support.

• JWE A128KW, A192KW and A256KW algs are not available, this also means that other JWAs depending on those are not working, those are ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW)
• OKP curves Ed448, X25519 and X448 are not supported
• EC curve secp256k1 is not supported

v1.5.2

Bug Fixes

• importing x5c in electron requires the input split (181fd09)

v1.5.1

Bug Fixes

• correctly pad integers when importing RSA JWK (1dc7f35)

v1.5.0

Features

• validate JWTs according to a JWT profile - ID Token (6c98b61)

It is now possible to pass a profile to JWT.verify and have the JWT validated according to it. This makes sure you pass all the right options and that required claims are present, prohibited claims are missing and that the right JWT typ is used.

More profiles will be added in the future.

v1.4.1

Bug Fixes

• honour the JWT.sign jti option (36c9ce2), closes #33

v1.4.0

Features

• add secp256k1 EC Key curve and ES256K (211d7af)

v1.3.0

Features

• compute private RSA key p, q, dp, dq, qi when omitted (6e3d6fd), closes #26
• add support for JWK x5c, x5t and x5t#S256 (9d46c48)
• instances of JWKS.KeyStore are now iterable (e.g. for ... of) (2eae293)

Bug Fixes

• limit calculation of missing RSA private components (5b53cb0)
• reject rsa keys without all factors and exponents with a specific message (b0ff436)

Deprecations

• this deprecates the use of JWK.importKey in favor of JWK.asKey
• this deprecates the use of JWKS.KeyStore.fromJWKS in favor of JWKS.asKeyStore

Both JWK.importKey and JWKS.KeyStore.fromJWKS could have resulted in the process getting blocked when large bitsize RSA private keys were missing their components and could also result in an endless calculation loop when the private key's private exponent was outright invalid or tampered with.

The new methods still allow to import private RSA keys with these optimization key parameters missing but its disabled by default and one should choose to enable it when working with keys from trusted sources

It is recommended not to use @panva/jose versions with this feature in its original on-by-default form - v1.1.0 and v1.2.0

v1.0.2

Bug Fixes

• add missing keystore.toJWKS() .d.ts definition (c7a8606), closes #25

v1.0.1

Bug Fixes

• oct key ts "k" type fix (0750d2c)