All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
- Fix for CVE-2024-54150: https://github.com/xmidt-org/cjwt/commit/096ab3e37f73c914b716e7259589179f363265fd
- When using HSxxx signing types, the new option `OPT_ALLOW_ONLY_HS_ALG` is required. This ensures that public/private keys can't be mistakenly accepted as symmetric algorithm ciphers.
- Bump the version to trigger a full release.
- Add support for openssl v3 as well as v1 APIs.
- Add support for private jwt headers and the `kid` standard header.
- Require meson 0.60.3 or newer.
- Fix a few compiler warnings in the example code.
- Add string to alg type mapping function.
- Allow use of `num_algorithms`.
- Upgrade the build system to use meson.
- Improve the CI pipeline.
- Update the interface to not use strlen() for lengths but expect them to be passed in. This reduces the likelihood of this library being exploited by a long string.
- Add the cjwt_printf() function to the interface.
- Remove the alg mapping function that was mistakenly provided in the 1.x.x API.
- Add a few worked examples.
- Move to use internal base64 decoding with stricter processing rules
- Major refactor to use a specified length and not '\0' terminated strings internally.
- A number of failures that may not have been detected now have tests and are covered.
- Bridge the new implementation to use the existing API.
- Move to use GitHub Actions for building
- Improve the cmake files to support the new build system better
- Bump to a known new version
It is unclear exactly what is in 1.0.0 through 1.0.2.
- Valgrind checking and fixes.
- Unsupported algorithms are no longer mapped to alg=none, to prevent accidental acceptance of untrusted JWTs.
- Fixed memory leaks.
- Updated the CONTRIBUTION document.
- Updated the cjwt_decode() documentation to be accurate and consistent.
- First stable release