Release 0.5.0

v0.5.0

Release 0.5.0

Release 0.4.2

• Fix bytes/str comparison in JWE
• Test under Python 3.6

Release 0.4.1

• compatibility with cryptography 2.0

Bugfix release v0.4.0

• Fixed nbf incorrect validation #71
• Add 'cryptography' to requirements in setup.py #69

Security Release CVE-2016-6298

The jwcrypto implementation of the RSA1_5 algorithm was found vulnerable to the Million Message Attack described in RFC 3128.

A timing attack could be leveraged against the implementation to detect when a chosen ciphertext generates a valid header and padding because invalid header/padding generates a code exception and cryptographic operations are terminated earlier resulting in faster processing measurable over the network.

Many thanks to Dennis Detering [email protected] for discovering and reporting this vulnerability.

Bugfix release

A regression was introduced in 0.3.0 that caused issues in FreeIPA and Custodia projects.
Also docs version and tox/travis configurations were improved to test Python 3.4 and 3.5
Python 3.3 is not officially supported anymore

New algorithms support and new interfaces

This version completes the support for all algorithms specified by the JOSE RFCs, as well as adds better interfaces to deal with JWKs and implements the JWK Thumbprint standard too.

Some interfaces have also been deprecated, and marked as such in the documentation, they may be removed in a future release.

Bugfix release

Fixed a few issues with symmetric and EC keys generation.
Added more tests and Travis CI integration.

Standards released

Now that the JOSE working group has produced official RFC it is time for a new release that updates all references and fixes a few bugs recently discovered while using the library