./security/libjwt, JWT C library



Branch: CURRENT, Version: 3.2.0, Package name: libjwt-3.2.0, Maintainer: pkgsrc-users

JWT C Library.


Filesize: 507.074 KB

CVS history:


   2025-02-21 17:20:50 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
libjwt: updated to 3.2.0

3.2.0
libcurl for jwks and other things

3.1.0
Windows Build and a few fixes + coverage

3.0.0
A new way
This is a major overhaul of LibJWT. The previous version was clumsy in that a jwt_t object could be used for creating a new token, or be the result of verifying. The ambiguity led to a lot of possible errors.

The key handling was not very well done and was confusing.

The new methods have a factory paradigm in that you create either a builder or checker object, configure it for your purposes, and then either generate tokens (builder) or verify tokens (checker) based on the rules you've established. This means you don't have to create an instance for every time you want to perform one of these actions.

One of the other new features is a complete JWK and JWKS backend for keys. It is now the only method with which you can load and use keys in LibJWT. There are command line tools for converting PEM type keys into JWK(S) JSON files (and back again).

There are also two convenient command line tools for generating and verifying JWT tokens.

   2025-01-29 19:17:24 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
libjwt: updated to 2.1.1

2.1.1

jwt_decode_2(): Security vulnerability

This function had faulty logic based on some assumptions that it could trust the JWT in that if it was alg:none, it would not run the callback.

The assumption would allow an attacker to modify the JWT header and body and trick the function into returning without having retrieved a key from the cb, meaning no verification of the signature was done, and it returned as if everything was successful.

The caller of jwt_decode_2 has no real way to know that their cb was never run.

As an aside, it was found that some of the test cases were assuming that you could call jwt_decode_2 with key_provider == NULL. This doesn't make much sense, considering there's no way to pass a key without a key_provider.

In this instance, if passed a JWT with alg:none, this was fine. If called with any other alg type, the code would attempt to run the NULL `key_provider` and produce a SEGV.

RESOLUTION

jwt_decode_2 will always run the key_provider if passed, assuming there was not a previous error.
Always check key_provider for NULL before using it
If no key_provider, but JWT had alg != none, processing fails

NOTES:

jwt_decode() and jwt_decode_2() are being deprecated in favor of more robust functionality.

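The decision rule from the 2.1.1 resolution above, written out as an added example in C; this is not libjwt's code or its API: the `key_provider_t` callback shape, the `decode_policy` function, the two sample providers and the sample tokens are all constructed for illustration.

```c
#include <string.h>

/* Hypothetical callback shape for this example (not libjwt's real signature):
 * fill key for alg, return 0 to accept or non-zero to refuse. */
typedef int (*key_provider_t)(const char *alg, char *key, size_t keylen);
/* Constructed sample tokens: header {"alg":"none"} or {"alg":"HS256"}, payload {}. */
const char *TOKEN_NONE  = "eyJhbGciOiJub25lIn0.e30.";
const char *TOKEN_HS256 = "eyJhbGciOiJIUzI1NiJ9.e30.constructed-signature";

/* Base64url-decode the header segment and copy the "alg" value out; 0 on success. */
static int header_alg(const char *jwt, char *alg, size_t alglen)
{
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    char hdr[256]; size_t n = 0; unsigned bits = 0; int nb = 0;
    for (; *jwt && *jwt != '.'; jwt++) {
        const char *p = strchr(tbl, *jwt);
        if (!p) return -1;                      /* not a base64url character */
        bits = (bits << 6) | (unsigned)(p - tbl); nb += 6;
        if (nb >= 8) {                          /* a full byte is available */
            nb -= 8;
            if (n + 1 >= sizeof hdr) return -1;
            hdr[n++] = (char)(bits >> nb); bits &= (1u << nb) - 1;
        }
    }
    hdr[n] = '\0';
    const char *a = strstr(hdr, "\"alg\"");
    if (!a || !(a = strchr(a + 5, '"'))) return -1;
    const char *e = strchr(++a, '"');
    if (!e || (size_t)(e - a) >= alglen) return -1;
    memcpy(alg, a, (size_t)(e - a)); alg[e - a] = '\0';
    return 0;
}

/* The 2.1.1 rule: a supplied callback always runs; a NULL callback is only
 * acceptable for alg "none". Returns 1 when a signature check with the
 * provided key must follow, 0 for an accepted unsigned token, -1 on failure. */
int decode_policy(const char *jwt, key_provider_t key_provider)
{
    char alg[16], key[64] = {0};
    if (header_alg(jwt, alg, sizeof alg) != 0) return -1;
    if (key_provider == NULL)                   /* NULL-check before use */
        return strcmp(alg, "none") == 0 ? 0 : -1;
    if (key_provider(alg, key, sizeof key) != 0) return -1;   /* never skipped */
    return strcmp(alg, "none") == 0 ? 0 : 1;
}

/* Sample providers; strict_provider is the check the old code never reached. */
int accept_provider(const char *alg, char *key, size_t keylen)
{ (void)alg; strncpy(key, "constructed-demo-secret", keylen - 1); return 0; }
int strict_provider(const char *alg, char *key, size_t keylen)
{ return strcmp(alg, "none") == 0 ? -1 : accept_provider(alg, key, keylen); }
```

With the old logic, `TOKEN_NONE` would have been accepted without `strict_provider` ever being consulted; here the provider runs and can refuse it.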
   2024-09-13 21:35:16 by Adam Ciarcinski | Files touched by this commit (5)
Log message:
libjwt: added version 1.17.2

JWT C Library.