jose - Javascript Object Signing and Encryption & JWT (JSON Web Token)
jose is a Haskell implementation of Javascript Object Signing and
Encryption and JSON Web
Token.
The JSON Web Signature (JWS; RFC 7515) implementation is complete.
JSON Web Encryption (JWE; RFC 7516) is not yet implemented.
EdDSA signatures (RFC 8037) are supported (Ed25519 only).
JWK Thumbprint (RFC 7638) is supported (requires aeson >= 0.10).
Contributions are welcome.
Security
If you discover a security issue in this library, please email me
the details, ideally with a proof of concept (frase @ frase.id.au
; PGP key).
Before reporting an issue, please note the following known
vulnerabilities:
- The ECDSA implementation is vulnerable to timing attacks and
should therefore only be used for verification.
and the following known not-vulnerabilities:
Interoperability issues
The following known interoperability issues will not be addressed,
so please do not open issues:
-
Some JOSE tools and libraries permit the use of short keys, in
violation of the RFCs. This implementation reject JWS or JWT
objects minted with short keys, as required by the RFCs.
-
The Auth0 software produces objects with an invalid "x5t"
parameter.
The datum should be a base64url-encoded SHA-1 digest, but Auth0
produces a base64url-encoded hex-encoded SHA-1 digest. The object
can be repaired so that this library will admit it, unless the
offending parameter is part of the JWS Protected Header in which
case you are out of luck until Auth0 bring their implementation
into compliance.
Contributing
Bug reports, patches, feature requests, code review, crypto review,
examples and documentation are welcome.
If you are wondering about how or whether to implement some feature
or fix, please open an issue where it can be discussed. I
appreciate your efforts, but I do not wish such efforts to be
misplaced.
To submit a patch, please use git send-email
or open a pull
request. Write a well formed commit message.
If your patch is nontrivial, update the copyright notice at the top
of the modified files