sd-jwt 0.1.0.0 → 0.1.0.1
raw patch · 5 files changed
+45/−35 lines, 5 filesdep ~bytestringPVP ok
version bump matches the API change (PVP)
Dependency ranges changed: bytestring
API changes (from Hackage documentation)
Files
- CHANGELOG.md +11/−2
- README.md +3/−4
- sd-jwt.cabal +19/−18
- src/SDJWT/Internal/JWT.hs +9/−8
- src/SDJWT/Issuer.hs +3/−3
CHANGELOG.md view
@@ -6,6 +6,15 @@ and this project adheres to the [Haskell Package Versioning Policy](https://pvp.haskell.org/). +## 0.1.0.1 - 2025-01-10++### Fixed+- Corrected documentation regarding RS256 deprecation status: RS256 (RSA-PKCS#1 v1.5) is deprecated for encryption per draft-ietf-jose-deprecate-none-rsa15, but remains valid for signatures. Previous documentation incorrectly stated RS256 was deprecated for signatures.++### Documentation+- Updated README.md, source code comments, and module documentation to clarify RS256 deprecation status+- PS256 (RSA-PSS) remains the recommended default for RSA keys+ ## 0.1.0.0 - 2025-01-09 ### Added@@ -18,7 +27,7 @@ - Multiple hash algorithms: SHA-256 (default), SHA-384, SHA-512 - Multiple signing algorithms: - PS256 (RSA-PSS) - Default for RSA keys, recommended for security- - RS256 (RSA-PKCS#1 v1.5) - Deprecated but supported for backward compatibility+ - RS256 (RSA-PKCS#1 v1.5) - Supported for signatures (deprecated for encryption per draft-ietf-jose-deprecate-none-rsa15) - ES256 (EC P-256) - Elliptic Curve signing - EdDSA (Ed25519) - Recommended for high-security applications - Persona-specific modules: `SDJWT.Issuer`, `SDJWT.Holder`, `SDJWT.Verifier`@@ -31,7 +40,7 @@ ### Security - PS256 (RSA-PSS) is the default algorithm for RSA keys (security best practice)-- RS256 (RSA-PKCS#1 v1.5) is deprecated per draft-ietf-jose-deprecate-none-rsa15 due to padding oracle attack vulnerabilities+- RS256 (RSA-PKCS#1 v1.5) is deprecated for encryption per draft-ietf-jose-deprecate-none-rsa15, but remains valid for signatures - EC signing timing attack warning documented (affects signing only, not verification) - RFC 8725bis compliance: algorithm validation, typ header support, "none" algorithm rejection
README.md view
@@ -2,7 +2,6 @@ [](https://github.com/yaronf/sd-jwt/actions/workflows/ci.yml) [](https://hackage.haskell.org/package/sd-jwt)-[](https://hackage.haskell.org/package/sd-jwt) [](https://hackage.haskell.org/package/sd-jwt/docs) [](LICENSE)@@ -21,7 +20,7 @@ - ✅ Key Binding support (SD-JWT+KB) - ✅ Nested and recursive disclosures - ✅ Multiple hash algorithms (SHA-256, SHA-384, SHA-512)-- ✅ Multiple signing algorithms: PS256 (RSA-PSS, default), RS256 (deprecated), ES256 (EC P-256), EdDSA (Ed25519)+- ✅ Multiple signing algorithms: PS256 (RSA-PSS, default), RS256 (RSA-PKCS#1 v1.5), ES256 (EC P-256), EdDSA (Ed25519) ## Status @@ -62,7 +61,7 @@ ⚠️ **Security Warning**: When using Elliptic Curve (EC) keys (ES256 algorithm), be aware that the underlying `jose` library's EC signing implementation may be vulnerable to timing attacks. This affects signing only, not verification. For applications where timing attacks are a concern, consider using RSA-PSS (PS256, default for RSA keys) or Ed25519 (EdDSA) keys instead. -**Note**: RS256 (RSA-PKCS#1 v1.5) is deprecated per [draft-ietf-jose-deprecate-none-rsa15](https://datatracker.ietf.org/doc/draft-ietf-jose-deprecate-none-rsa15/) due to padding oracle attack vulnerabilities. PS256 (RSA-PSS) is the recommended RSA algorithm and is used by default for RSA keys.+**Note**: RS256 (RSA-PKCS#1 v1.5) is deprecated for encryption per [draft-ietf-jose-deprecate-none-rsa15](https://datatracker.ietf.org/doc/draft-ietf-jose-deprecate-none-rsa15/), but remains valid for signatures. PS256 (RSA-PSS) is the recommended RSA algorithm and is used by default for RSA keys. ```haskell import SDJWT.Issuer@@ -222,7 +221,7 @@ ### Signing Algorithms - **PS256 (RSA-PSS)** - Default for RSA keys, recommended for security-- **RS256 (RSA-PKCS#1 v1.5)** - Deprecated per [draft-ietf-jose-deprecate-none-rsa15](https://datatracker.ietf.org/doc/draft-ietf-jose-deprecate-none-rsa15/), but still supported for backward compatibility+- **RS256 (RSA-PKCS#1 v1.5)** - Supported for signatures (deprecated for encryption per [draft-ietf-jose-deprecate-none-rsa15](https://datatracker.ietf.org/doc/draft-ietf-jose-deprecate-none-rsa15/), but not for signatures) - **ES256 (EC P-256)** - Elliptic Curve, may be vulnerable to timing attacks during signing - **EdDSA (Ed25519)** - Recommended for high-security applications
sd-jwt.cabal view
@@ -5,10 +5,10 @@ -- see: https://github.com/sol/hpack name: sd-jwt-version: 0.1.0.0+version: 0.1.0.1 synopsis: Selective Disclosure for JSON Web Tokens (RFC 9901) description: Implementation of RFC 9901: Selective Disclosure for JSON Web Tokens (SD-JWT)-category: Security+category: Web homepage: https://github.com/yaronf/sd-jwt#readme bug-reports: https://github.com/yaronf/sd-jwt/issues author: Yaron Sheffer@@ -81,20 +81,20 @@ build-depends: aeson >=2.0 && <2.3 , base >=4.14 && <5- , base64-bytestring >=1.2 && <1.3- , bytestring >=0.11 && <0.13- , containers >=0.6 && <0.7- , cryptonite >=0.30 && <0.31+ , base64-bytestring ==1.2.*+ , bytestring ==0.11.*+ , containers ==0.6.*+ , cryptonite ==0.30.* , directory ==1.3.* , jose >=0.10 && <0.13 , lens >=4.16 && <5.4- , memory >=0.18 && <0.19+ , memory ==0.18.* , mtl >=2.2 && <3- , scientific >=0.3 && <0.4+ , scientific ==0.3.* , sd-jwt- , text >=2.0 && <2.1+ , text ==2.0.* , time >=1.9 && <1.13- , vector >=0.13 && <0.14+ , vector ==0.13.* default-language: Haskell2010 executable sd-jwt-interop-test@@ -105,7 +105,7 @@ TestKeys hs-source-dirs: test/interop- , test+ test ghc-options: -Wall -Wcompat -Widentities -Wincomplete-record-updates -Wincomplete-uni-patterns -Wmissing-export-lists -Wmissing-home-modules -Wpartial-fields -Wredundant-constraints -Wunused-packages -Wmissing-deriving-strategies -Wno-missing-import-lists -Wno-unused-imports -Wunused-type-patterns -Wunused-record-wildcards -Wredundant-record-wildcards -Wtype-defaults -Wunused-do-bind -Wunused-foralls -Wdeprecations -Wnoncanonical-monad-instances -Wall -threaded -rtsopts -with-rtsopts=-N build-depends: aeson >=2.0 && <2.3@@ -167,10 +167,10 @@ QuickCheck >=2.14 , aeson >=2.0 && <2.3 , base >=4.14 && <5- , base64-bytestring >=1.2 && <1.3- , bytestring >=0.11 && <0.13- , containers >=0.6 && <0.7- , cryptonite >=0.30 && <0.31+ , base64-bytestring ==1.2.*+ , bytestring ==0.11.*+ , containers ==0.6.*+ , cryptonite ==0.30.* , directory >=1.3 , doctest >=0.22 , filepath >=1.4@@ -178,11 +178,12 @@ , jose >=0.10 && <0.13 , lens >=4.16 && <5.4 , markdown-unlit >=0.5+ , memory ==0.18.* , mtl >=2.2 && <3 , process >=1.6- , scientific >=0.3 && <0.4+ , scientific ==0.3.* , sd-jwt- , text >=2.0 && <2.1+ , text ==2.0.* , time >=1.9- , vector >=0.13 && <0.14+ , vector ==0.13.* default-language: Haskell2010
src/SDJWT/Internal/JWT.hs view
@@ -71,11 +71,11 @@ if kty == "RSA" then do -- Check if JWK specifies algorithm (RFC 7517 allows optional "alg" field)- -- RS256 is deprecated per draft-ietf-jose-deprecate-none-rsa15 (padding oracle attacks)- -- Default to PS256 (RSA-PSS) for security; RS256 can be explicitly requested but is deprecated+ -- RS256 is deprecated for encryption per draft-ietf-jose-deprecate-none-rsa15, but remains valid for signatures+ -- Default to PS256 (RSA-PSS) as recommended; RS256 can be explicitly requested case KeyMap.lookup (Key.fromText "alg") obj of- Just (Aeson.String "RS256") -> Right "RS256" -- Deprecated but still supported for compatibility- _ -> Right "PS256" -- Default to PS256 (RSA-PSS) for security+ Just (Aeson.String "RS256") -> Right "RS256" -- Supported for signatures+ _ -> Right "PS256" -- Default to PS256 (RSA-PSS) as recommended else if kty == "EC" then do -- Check curve for EC keys (only P-256 is supported)@@ -98,14 +98,15 @@ _ -> Left $ InvalidSignature "Invalid JWK format: expected object" -- | Convert algorithm string to JWA.Alg--- Supports RSA-PSS (PS256, default) and RSA-PKCS#1 v1.5 (RS256, deprecated per draft-ietf-jose-deprecate-none-rsa15).--- RS256 is deprecated due to padding oracle attack vulnerabilities. PS256 (RSA-PSS) is recommended.+-- Supports RSA-PSS (PS256, default) and RSA-PKCS#1 v1.5 (RS256).+-- RS256 is deprecated for encryption per draft-ietf-jose-deprecate-none-rsa15, but remains valid for signatures.+-- PS256 (RSA-PSS) is recommended and used as the default. toJwsAlg :: T.Text -> Either SDJWTError JWA.Alg-toJwsAlg "RS256" = Right JWA.RS256 -- Deprecated: Use PS256 instead (draft-ietf-jose-deprecate-none-rsa15)+toJwsAlg "RS256" = Right JWA.RS256 -- Supported for signatures toJwsAlg "PS256" = Right JWA.PS256 toJwsAlg "EdDSA" = Right JWA.EdDSA toJwsAlg "ES256" = Right JWA.ES256-toJwsAlg alg = Left $ InvalidSignature $ "Unsupported algorithm: " <> alg <> " (supported: PS256 default, RS256 deprecated, EdDSA, ES256)"+toJwsAlg alg = Left $ InvalidSignature $ "Unsupported algorithm: " <> alg <> " (supported: PS256 default, RS256, EdDSA, ES256)" -- | Sign a JWT payload using a private key. --
src/SDJWT/Issuer.hs view
@@ -14,9 +14,9 @@ -- For applications where timing attacks are a concern, consider using RSA-PSS (PS256) -- or Ed25519 (EdDSA) keys instead, which do not have this limitation. ----- Note: RS256 (RSA-PKCS#1 v1.5) is deprecated per draft-ietf-jose-deprecate-none-rsa15--- due to padding oracle attack vulnerabilities. PS256 (RSA-PSS) is the recommended--- RSA algorithm and is used by default for RSA keys.+-- Note: RS256 (RSA-PKCS#1 v1.5) is deprecated for encryption per draft-ietf-jose-deprecate-none-rsa15,+-- but remains valid for signatures. PS256 (RSA-PSS) is the recommended RSA algorithm+-- and is used by default for RSA keys. -- -- == Usage --