Releases: panva/jose
Releases · panva/jose
v1.3.0
Features
- compute private RSA key p, q, dp, dq, qi when omitted (6e3d6fd), closes #26
- add support for JWK x5c, x5t and x5t#S256 (9d46c48)
- instances of JWKS.KeyStore are now iterable (e.g. for ... of) (2eae293)
Bug Fixes
- limit calculation of missing RSA private components (5b53cb0)
- reject rsa keys without all factors and exponents with a specific message (b0ff436)
Deprecations
- this deprecates the use of
JWK.importKeyin favor ofJWK.asKey - this deprecates the use of
JWKS.KeyStore.fromJWKSin favor ofJWKS.asKeyStore
Both JWK.importKey and JWKS.KeyStore.fromJWKS could have resulted in the process getting blocked when large bitsize RSA private keys were missing their components and could also result in an endless calculation loop when the private key's private exponent was outright invalid or tampered with.
The new methods still allow to import private RSA keys with these optimization key parameters missing but its disabled by default and one should choose to enable it when working with keys from trusted sources
It is recommended not to use @panva/jose versions with this feature in its original on-by-default form - v1.1.0 and v1.2.0
v1.0.2
v1.0.1
v1.0.0
Bug Fixes
- fail to import invalid PEM formatted strings and buffers (857dc2b)
Features
- add JWK key_ops support, fix .algorithms() op returns (23b874c)
- add key.toPEM() export function with optional encryption (1159b0d)
- add OKP Key and EdDSA sign/verify support (2dbd3ed), closes #12
BREAKING CHANGES
- key.algorithms(op) un+wrapKey was split into correct wrapKey/unwrapKey/deriveKey returns
- keystore.all and keystore.get
operationoption was removed,key_ops: string[]supersedes it - node.js minimal version is now v12.0.0 due to its added EdDSA support (crypto.sign, crypto.verify and eddsa key objects)