JOSE articles

Multi-level defence against invalid curve attacks

Posted on 2017-04-15

Reliable defences work on multiple levels. The latest release of the Nimbus JOSE + JWT library adds an extra protection against invalid curve attacks by refusing to construct or parse public EC JSON Web Keys whose coordinates don’t lie on the specified curve. With that the number of checks increases to three:

  • First level: Preventing parsing and construction of EC JWK instances with invalid curve.

  • Second level: A curve check is performed prior to ECDH-ES decryption or ECDSA signature validation.

  • Third level: Curve check performed by the underlying JCA provider, where available (the default SUN provider from Java 1.8.0_51 onwards, BouncyCastle).

The invalid curve attack targets ECDH-ES key agreement, with the aim of recovering the recipient’s private EC key. The attacker submits a public point that is not on the named curve; because the scalar multiplication formulas never use the curve coefficient b, the recipient unwittingly computes on a different, weaker curve where the point has small order, and each resulting shared secret leaks a few bits of the private key. The defence is to reject any public point that does not satisfy the curve equation before it is ever used.
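The following is an added example, not code from the Nimbus library, showing what the first-level check amounts to: parse a public EC JWK, decode the base64url coordinates, verify the coordinate length and range, and reject the key unless y² = x³ + ax + b (mod p) holds on the named curve. It assumes P-256 only (the published NIST domain parameters are embedded) and constructs two sample keys, the P-256 base point G and G with y+1, which is not on the curve. The implied_b helper also shows the curve the attacker’s point actually lives on, which is the reason an unchecked point goes unnoticed by the ECDH arithmetic.

```python
import base64
import json

# NIST P-256 (secp256r1) domain parameters: prime p, coefficients a and b, base point G.
# Only P-256 is included in this example; P-384/P-521 would be added to CURVES the same way.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5

# crv name -> (p, a, b, coordinate length in bytes)
CURVES = {"P-256": (P256_P, P256_A, P256_B, 32)}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def is_on_curve(crv: str, x: int, y: int) -> bool:
    """Short Weierstrass check y^2 == x^3 + a*x + b (mod p), with both coordinates in [0, p).
    P-256 has cofactor 1, so any affine point on the curve lies in the prime-order group."""
    p, a, b, _ = CURVES[crv]
    if not (0 <= x < p and 0 <= y < p):
        return False
    return (y * y - (x * x * x + a * x + b)) % p == 0


def parse_public_ec_jwk(jwk_json: str) -> tuple:
    """Parse a public EC JWK and refuse it if the point is not on the named curve:
    the 'first level' check, so a bad key is never constructed at all."""
    jwk = json.loads(jwk_json)
    if jwk.get("kty") != "EC":
        raise ValueError("not an EC JWK")
    crv = jwk.get("crv")
    if crv not in CURVES:
        raise ValueError("unsupported curve %r" % crv)
    coord_len = CURVES[crv][3]
    xb, yb = b64url_decode(jwk["x"]), b64url_decode(jwk["y"])
    if len(xb) != coord_len or len(yb) != coord_len:
        raise ValueError("coordinate length does not match %s" % crv)
    x, y = int.from_bytes(xb, "big"), int.from_bytes(yb, "big")
    if not is_on_curve(crv, x, y):
        raise ValueError("public point is not on curve %s" % crv)
    return crv, x, y


def make_ec_jwk(crv: str, x: int, y: int) -> str:
    """Serialise (x, y) as a public EC JWK with no validation, so that a deliberately
    off-curve point can be produced for testing (this is what an attacker would send)."""
    coord_len = CURVES[crv][3]
    return json.dumps({"kty": "EC", "crv": crv,
                       "x": b64url_encode(x.to_bytes(coord_len, "big")),
                       "y": b64url_encode(y.to_bytes(coord_len, "big"))})


def implied_b(crv: str, x: int, y: int) -> int:
    """The coefficient b for which (x, y) satisfies y^2 = x^3 + a*x + b (mod p).
    Point addition/doubling never use b, so a point on a different curve with the same
    p and a is processed silently unless the explicit on-curve check is made."""
    p, a, _, _ = CURVES[crv]
    return (y * y - x * x * x - a * x) % p


def rejects(jwk_json: str) -> bool:
    """True if parse_public_ec_jwk refuses the key."""
    try:
        parse_public_ec_jwk(jwk_json)
        return False
    except ValueError:
        return True


# Constructed inputs: the base point G (valid) and G with y+1 (not on P-256).
VALID_JWK = make_ec_jwk("P-256", P256_GX, P256_GY)
OFF_CURVE_JWK = make_ec_jwk("P-256", P256_GX, P256_GY + 1)

if __name__ == "__main__":
    print("valid key parsed on:", parse_public_ec_jwk(VALID_JWK)[0])
    print("off-curve key rejected:", rejects(OFF_CURVE_JWK))
    print("attacker's point is on a curve with a different b:",
          implied_b("P-256", P256_GX, P256_GY + 1) != P256_B)
```

The length and range checks matter as much as the equation: a coordinate of the wrong size, or one equal to or larger than p, should be rejected before any arithmetic, since some providers would otherwise reduce it silently. The check is cheap (a few modular multiplications), which is why it can be applied at parse time rather than only at decryption time.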

Release notes

version 4.36 (2017-04-13)

  • Adds a check at ECKey construction time to ensure the public ‘x’ and ‘y’ coordinates are on the specified curve (iss #217).
  • Adds a check at ECDSAVerifier construction time to ensure the public key is on the specified curve (iss #217).
  • Adds a new ECDSAProvider.supportedECDSAAlgorithm() method that returns the name of the supported ECDSA algorithm (ES256, ES384 or ES512).

Nimbus JOSE+JWT 4.35 deprecates use of SHA-1 and RSA encryption with PKCS1v1.5 padding

Posted on 2017-04-10

Deprecates use of SHA-1

CWI and Google’s announcement of a practical technique for producing SHA-1 collisions served as a wake-up call to the industry to finally commit to phasing out the 22-year-old hash algorithm and move to the newer and more secure SHA-2 and SHA-3.

Today’s 4.35 release of the Nimbus JOSE+JWT library encourages developers to do just that:

  • Use of the x5t certificate SHA-1 thumbprint parameter in JWS and JWE headers is deprecated now, use x5t#S256 (SHA-256) instead.

  • Use of the x5t certificate SHA-1 thumbprint parameter in JWK objects is also marked as deprecated, use x5t#S256 instead.

  • The RSA-OAEP JWE algorithm that uses SHA-1 as the hash function is deprecated, use RSA-OAEP-256 instead.

Deprecates use of RSA encryption with PKCS#1v1.5 padding

RSA encryption with PKCS#1 v1.5 padding was another long-time candidate for phasing out, because implementations easily expose a padding oracle (Bleichenbacher’s chosen-ciphertext attack, often observable through timing differences) that lets an attacker decrypt ciphertexts without the private key. Its RSA1_5 JWE algorithm identifier is now marked as deprecated. Developers should consider RSA-OAEP-256 or the ECDH-ES family of JWE algorithms instead.

Release notes

version 4.35 (2017-04-09)

  • Adds support for JWK x5t#S256 header parameter (iss #205).
  • Deprecates use of RSA1_5 JWE algorithm as security measure to encourage use of RSA-OAEP-256 (iss #215).
  • Deprecates use of JWK x5t header parameter as part of security measure to move away from SHA-1 and encourage use of SHA-256 (iss #214).
  • Deprecates use of JWS and JWE x5t header parameter as part of security measure to move away from SHA-1 and encourage use of SHA-256 (iss #214).
  • Deprecates use of RSA-OAEP JWE algorithm as part of security measure to move away from SHA-1 and encourage use of SHA-256 (iss #214).
  • Upgraded JSON Smart dependency to support version range from 1.3.1 to 2.3.
  • Refines exception messages of DefaultJOSEProcessor and DefaultJWTProcessor.

JSON Web Tokens (JWT) with Java 6

Posted on 2016-01-19

You want to develop with JSON Web Tokens (JWT), but your Java project is still stuck in 2006? We’ve got good news for you: support for Java 6 was restored in the latest release of the Connect2id library for JWT signing and encryption.

From version 4.11.2 on you’ll be able to use the library with Java 6. To do that just add the jdk16 qualifier to the Maven coordinates:

    <version>[ version ]</version>

where [ version ] should be the latest stable release.

The current stable release is 4.11.2.

You can find more information in the download section of the JWT library.

Why choose the Connect2id library for JWTs?

  • It’s got complete algorithm support - signing, encryption, integration with JCA providers and HSMs - you name it.

  • Huge test suite, and soon a comprehensive benchmarking suite too, so you can make an informed decision when crypto performance is critical for your project.

  • Comprehensive JavaDocs where every single class and method is documented.

  • Tonnes of examples.

Questions? Post a comment or drop us an email.

Nimbus JOSE + JWT 4.1 adds support for JWK thumbprints

Posted on 2015-09-21

The latest 4.1 release of the Nimbus JOSE + JWT library adds support for computing JSON Web Key (JWK) thumbprints as specified in RFC 7638.

JWK thumbprints provide a stable, unique hash of RSA, EC and shared secret (octet sequence) key material: the digest is computed over a canonical JSON form of the key’s required members only (sorted by name, no whitespace), so optional parameters such as kid, use or alg don’t affect it. Thumbprints may for example be used as key ID (kid) header parameters in JWS and JWE objects. OpenID Connect also uses them for self-issued identity providers.

Example usage:

// Create or parse RSA JWK
RSAKey rsaJWK = new RSAKey.Builder(...).build();

// SHA-256 is the default hash for JWK thumbprints
Base64URL thumbprintSHA256 = rsaJWK.computeThumbprint();

// The hash algorithm may be specified explicitly
Base64URL thumbprintSHA1 = rsaJWK.computeThumbprint("SHA-1");

The thumbprints are returned as a Base64URL object wrapping the base64url-encoded digest.

To get the string representation of the BASE64URL:

String b64URLString = thumbprintSHA256.toString();

To get the underlying byte array:

byte[] bytes = thumbprintSHA256.decode();

To get the thumbprint as a big integer:

BigInteger bigInt = thumbprintSHA256.decodeToBigInteger();
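To make the RFC 7638 canonicalisation concrete, here is an added example in Python (not the library’s own code) that computes thumbprints for EC, RSA and octet sequence keys. The sample EC key is constructed for this example and uses the public P-256 base point as its coordinates; the octet key material is a constructed placeholder. Hash names are Python hashlib names ("sha256", "sha1") rather than the Java names used by computeThumbprint.

```python
import base64
import hashlib
import json

# RFC 7638 section 3.2: the members that go into the thumbprint, per key type.
# Everything else (kid, use, alg, x5c, ...) is ignored.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}


def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def thumbprint_input(jwk: dict) -> bytes:
    """Canonical form: required members only, sorted lexicographically by member name,
    serialised with no whitespace, encoded as UTF-8."""
    kty = jwk["kty"]
    if kty not in REQUIRED_MEMBERS:
        raise ValueError("unsupported kty %r" % kty)
    try:
        subset = {name: jwk[name] for name in REQUIRED_MEMBERS[kty]}
    except KeyError as missing:
        raise ValueError("JWK is missing required member %s" % missing)
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode("utf-8")


def jwk_thumbprint(jwk: dict, hash_name: str = "sha256") -> str:
    """Base64url-encoded (unpadded) digest of the canonical JWK form. SHA-256 is the
    RFC's recommended default; any hashlib name can be passed for comparison."""
    digest = hashlib.new(hash_name, thumbprint_input(jwk)).digest()
    return b64url(digest)


def thumbprint_ignores_optional_members(jwk: dict) -> bool:
    """Stripping optional members from a JWK must not change its thumbprint."""
    stripped = {k: v for k, v in jwk.items() if k in REQUIRED_MEMBERS[jwk["kty"]]}
    return jwk_thumbprint(jwk) == jwk_thumbprint(stripped)


# Constructed sample keys for this example. The EC coordinates are the P-256 base point G;
# the octet key is a fixed placeholder, not real secret material.
EC_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": b64url(bytes.fromhex("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296")),
    "y": b64url(bytes.fromhex("4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5")),
    "kid": "example-ec-key", "use": "sig", "alg": "ES256",
}
OCT_JWK = {"kty": "oct", "k": b64url(b"\x01" * 32), "kid": "example-hmac-key"}

if __name__ == "__main__":
    print("canonical input:", thumbprint_input(EC_JWK).decode())
    print("SHA-256 thumbprint:", jwk_thumbprint(EC_JWK))
    print("SHA-1 thumbprint:  ", jwk_thumbprint(EC_JWK, "sha1"))
    print("kid does not matter:", thumbprint_ignores_optional_members(EC_JWK))
```

Two details are easy to get wrong and are worth checking against an independent implementation: the member order is lexicographic by name (so for EC keys "crv" precedes "kty"), and for octet sequence keys the input is just the "k" and "kty" members, which is the case the 4.1.1 fix mentioned below corrected.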


Update 2015-09-21 The original thumbprint routine for octet sequence keys contained a bug which was fixed in 4.1.1. Thanks to Brian Campbell for spotting this.

The Maven Dependency for the 4.1.1 release:


For other methods check out the downloads page.


Leave your comments below or contact Connect2id support.