Nimbus JOSE + JWT 2.26.1

14 July 2014

A new maintenance release of the Nimbus JOSE + JWT library was pushed to Maven Central today. It bears the version number 2.26.1

What’s in it?

1. Hardened RSA PKCS#1 v1.5 decryption

RSA PKCS#1 v1.5 decryption was tweaked to limit exposure to timing attacks by replacing the Java exception signalling content encryption key (CEK) length mismatch with a simple null return.

The credits for this improvement go to Juraj Somorovsky. You can read the related article that provoked this security update.

2. More robust BASE64 and BASE64URL decoding

The BASE64 and BASE64URL decoder can now successfully handle separator characters (\r, \n) as well as other illegal characters. With that you should be able to parse JOSE and JWT objects that for some reason contain unexpected characters.

A new major 3.0 Nimbus JOSE+JWT release is on the horizon

It will be a braking change, introducing immutable JOSE headers to make the library API more robust and also to enable encryption algorithm providers to insert additional parameters into the header during encryption (required by the AxxxGCM family of algorithms).

The 3.0 release will also include support for the AES/GCM key encryption algorithms mentioned above. These were contributed by Melisa Halsband from CertiVox UK. If resources permit another one or two of the remaining JWE algorithms for AES key wrap and ECDH-ES may also make it into the third release.

JSON serialisation has been deferred to 4.0 due to low developer interest, but feel free to vote for it, or better, contribute a pull request, if that’s important to you.

Download

The Maven Dependency for the new maintenance release:

<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>nimbus-jose-jwt</artifactId>
    <version>2.26.1</version>
</dependency>

For other methods check out the downloads page.