Nimbus JOSE + JWT 2.26.1
A new maintenance release of the Nimbus JOSE + JWT library was pushed to Maven Central today. It bears the version number 2.26.1
What's in it?
1. Hardened RSA PKCS#1 v1.5 decryption
RSA PKCS#1 v1.5 decryption was tweaked to limit exposure to timing attacks by
replacing the Java exception signalling content encryption key (CEK) length
mismatch with a simple null return.
The credits for this improvement go to Juraj Somorovsky. You can read the related article that provoked this security update.
2. More robust BASE64 and BASE64URL decoding
The BASE64 and BASE64URL decoder can now successfully handle separator
characters (\r, \n) as well as other illegal characters. With that you
should be able to parse JOSE and JWT objects that for some reason contain
unexpected characters.
A new major 3.0 Nimbus JOSE+JWT release is on the horizon
It will be a braking change, introducing immutable JOSE headers to make the library API more robust and also to enable encryption algorithm providers to insert additional parameters into the header during encryption (required by the AxxxGCM family of algorithms).
The 3.0 release will also include support for the AES/GCM key encryption algorithms mentioned above. These were contributed by Melisa Halsband from CertiVox UK. If resources permit another one or two of the remaining JWE algorithms for AES key wrap and ECDH-ES may also make it into the third release.
JSON serialisation has been deferred to 4.0 due to low developer interest, but feel free to vote for it, or better, contribute a pull request, if that's important to you.
Download
The Maven Dependency for the new maintenance release:
<dependency>
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
<version>2.26.1</version>
</dependency>
For other methods check out the downloads page.