Comparing changes
base repository: containers/ocicrypt
base: v1.1.9
head repository: containers/ocicrypt
compare: v1.2.0
- 11 commits
- 11 files changed
- 4 contributors
Commits on Nov 13, 2023
build(deps): bump github.com/go-jose/go-jose/v3 from v3.0.0 to v3.0.1
To avoid a potential DoS vulnerability in v3.0.0 update to v3.0.1.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Commit a24b477
Commits on Dec 28, 2023
build(deps): bump golang.org/x/crypto from 0.14.0 to 0.17.0
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.14.0 to 0.17.0.
- [Commits](golang/crypto@v0.14.0...v0.17.0)
---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Commit c430e43
jwe: Support overriding the algorithm when supplying a JWK
Now, passing a JWK (via EncryptWithJwe / JSONWebKey.MarshalJSON) will allow for ECDSA keys and for customizing the algorithm used with a particular key.

Previously, the code made it impossible to supply a JWK-encoded ECDSA public key in the encryption config, as all keys passed as JSONWebKey-s were treated as RSA_OAEP keys, since utils.ParsePublicKey delegates to parseJWKPublicKey which returns the JWK itself; and hence the switch in the JWE keywrap failed to detect those as an ecdsa public key.

A simpler patch here would have been to change parseJWKPublicKey to return the key contained inside the JWK directly, however, as pointed out by stefanberger, this would have broken backwards compatibility of the public API. Plus, using the algorithm encoded in the JWK allows us to more easily extend the JWE encoder to new algorithms.

Risks: JWK-s containing RSA keys but with .Algorithm not set to "" (the default value) or string(jose.RSA_OAEP) will end up erroring or producing different encryptions than before. However, such keys would have failed to decrypt the contents regardless, so it should be fine to consider this a correction rather than breakage of old behavior. (Hyrum's law notwithstanding)
Signed-off-by: Bojidar Marinov <bojidar.marinov.bg@gmail.com>
Commit 4b2101a
Commits on Mar 11, 2024
build(deps): bump github.com/go-jose/go-jose/v3 from v3.0.1 to v3.0.3
To avoid a potential DoS vulnerability in v3.0.0 update to v3.0.3.
Resolves: Issue #104
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Commit ccaf1f8
Commits on Mar 14, 2024
build(deps): bump github.com/golang/protobuf from v1.5.3 to v1.5.4
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Commit f840ae2
Commits on May 21, 2024
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Commit 30c2fb6
Commits on Jun 11, 2024
github: Test with go 1.22 and go 1.21
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Commit c448946
Refactor conditionless else branches with return statements (govet)
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Commit 5221197
github: Use golangci-lint v1.59.1 and adjust config file
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Commit 7d0db72
Commits on Jun 30, 2024
The main change in go-jose/v4 is the requirement to specify accepted "alg" and "enc" parameters. This is to enhance security, like for instance "the billion hashes attack" presented at BlackHat 2023.
Note that go-jose/v4 requires go 1.21
References: go-jose/go-jose#64 (comment)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Commit 0703ce7
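The accepted-"alg"/"enc" requirement mentioned in commit 0703ce7, shown as an added example that is not code from ocicrypt or go-jose: a standard-library-only pre-check that reads the protected header of a compact JWE and rejects it before any key unwrapping unless both values are in the caller's allow-sets. `CheckJWEHeader`, `SampleJWE` and the sample headers are hypothetical and constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// CheckJWEHeader (hypothetical helper) rejects a compact JWE unless the "alg"
// and "enc" in its protected header are both in the caller's allow-sets.
// A missing field decodes to "" and is rejected like any other unlisted value.
func CheckJWEHeader(compact string, algs, encs map[string]bool) error {
	parts := strings.Split(compact, ".")
	if len(parts) != 5 {
		return errors.New("not a compact JWE: want 5 segments")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return fmt.Errorf("protected header: %w", err)
	}
	var h struct {
		Alg string `json:"alg"`
		Enc string `json:"enc"`
	}
	if err := json.Unmarshal(raw, &h); err != nil {
		return fmt.Errorf("protected header: %w", err)
	}
	if !algs[h.Alg] {
		return fmt.Errorf("alg %q not allowed", h.Alg)
	}
	if !encs[h.Enc] {
		return fmt.Errorf("enc %q not allowed", h.Enc)
	}
	return nil
}

// SampleJWE builds a constructed compact JWE; the last four segments are placeholders.
func SampleJWE(headerJSON string) string {
	return base64.RawURLEncoding.EncodeToString([]byte(headerJSON)) + ".a.b.c.d"
}

func main() {
	algs := map[string]bool{"RSA-OAEP": true}
	encs := map[string]bool{"A256GCM": true}
	fmt.Println(CheckJWEHeader(SampleJWE(`{"alg":"RSA-OAEP","enc":"A256GCM"}`), algs, encs))
	fmt.Println(CheckJWEHeader(SampleJWE(`{"alg":"PBES2-HS256+A128KW","enc":"A256GCM","p2c":1000000000}`), algs, encs))
}
```

Because the check runs on the header alone, a token naming a password-based key-wrap algorithm with a very large `p2c` is refused without any key derivation being attempted.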
Commits on Jul 1, 2024
build(deps): Update several dependencies to latest package versions
Update the following packages:
- github.com/opencontainers/image-spec: v1.1.0
- github.com/sirupsen/logrus: v1.9.3
- github.com/stretchr/testify: v1.9.0
- golang.org/x/crypto: v0.24.0
- golang.org/x/term: v0.21.0
- google.golang.org/grpc: v1.64.0
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Commit e26515d
You can try running this command locally to see the comparison on your machine:
git diff v1.1.9...v1.2.0