Add EdDSA

CHANGES

@@ -4,6 +4,10 @@ Changes in 6.0.0
  * Move to Java 17 LTS as the minimum requirement.
  * Remove CryptoProvider and just use JCE to use a third party provider such as BouncyCastle.
    * Tested against Bouncy Castle FIPS provider, but any provider could be used.
+ * Added support for EdDSA curves Ed25519 and Ed448.
+   * It is is not advised to use the EdDSA alg header as it has bee deprecated in favor of Ed25519 and Ed448.
+   * In order to use the OpenIDConnect c_hash or at_hash methods with the Ed448 algorithm, you will need to register a crypto provider that can provide the SHAKE256 digest, such as BouncyCastle.
+     * Using these methods with the default Java JCA will throw an exception because the SHAKE256 message digest will not be found.
 
 Changes in 5.3.3
 

README.md

@@ -7,11 +7,11 @@ If you find a vulnerability or other security related bug, [please report the vu
 We are very interested in compensating anyone that can identify a security related bug or vulnerability and properly disclose it to us.
 
 ## Features
- - JWT signing using HMAC, RSA and Elliptic Curve support
-   - `HS256`, `HS384`, `HS512`, `RS256`, `RS384`, `RS512`, `ES256`, `ES384`, `ES512`
- - JWT signing using RSA-PSS signatures
-   - `PS256`, `PS384`, `PS512`
-   - Available in versions >= 3.5.0
+ - JWT signing using the following algorithms
+   - `HS256`, `HS384`, `HS512`, `RS256`, `RS384`, `RS512`, `ES256`, `ES384`, `ES512`, `PS256`, `PS384`, `PS512`, `Ed25519`, `Ed448`
+     - In order to use the OpenID Connect hashing functions for `at_hash` or `c_hash` with this algorithm, you must register a provider to add support for the `SHAKE256` message digest, such as BouncyCastle as this algorithm is not provided in the default JCA.
+     - When using `Ed25519` or `Ed448`, the `alg` JWT header and the JWK `alg` property will be equal to the algorithm name. The legacy `EdDSA` value has been deprecated in JOSE in favor of the fully-specified algorithm names `Ed25519` and `Ed448`. In practice this means that this library will be unable to accept a JWT using the `EdDSA` value for the `alg` in the JWT header.
+       - https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms
  - Support for Bouncy Castle JCE or other third party providers.   
  - PEM decoding / encoding
    - Decode PEM files to PrivateKey or PublicKey
@@ -26,7 +26,9 @@ We are very interested in compensating anyone that can identify a security relat
    - Retrieve JWK from JWKS endpoints
  - Helpers
    - Generate RSA Key Pairs in `2048`, `3072` or `4096` bit sizes
+   - Generate RSA PSS Key Pairs in `2048`, `3072` or `4096` bit sizes
    - Generate EC Key Pairs in `256`, `384` and `521` bit sizes
+   - Generate EdDSA Key Pairs for `Ed2559` and `Ed448` curves
    - Generate `x5t` and `x5t#256` values from X.509 Certificates
    - Generate JWK thumbprint using `SHA-1` or `SHA-256` 
    - Generate ideal HMAC secret lengths for `SHA-256`, `SHA-384` and `SHA-512`
@@ -307,13 +309,12 @@ String json = jwk.toJSON();
 
 ## Building
 
-## Building with Maven
+### Maven
  ```bash
  $ mvn install
  ```
 
-
-## Building with Savant
+### Savant
 
 ```bash
 $ sb int

build.savant

@@ -15,6 +15,7 @@
  */
 
 jacksonVersion = "2.15.4"
+slf4jVersion = "1.7.36"
 
 project(group: "io.fusionauth", name: "fusionauth-jwt", version: "6.0.0", licenses: ["ApacheV2_0"]) {
 
@@ -30,9 +31,6 @@ project(group: "io.fusionauth", name: "fusionauth-jwt", version: "6.0.0", licens
     publish {
       cache()
     }
-    semanticVersions {
-      mapping(id: "org.bouncycastle:bc-fips:1.0.2.6", version: "1.0.2+P6")
-    }
   }
 
   publishWorkflow {
@@ -47,7 +45,12 @@ project(group: "io.fusionauth", name: "fusionauth-jwt", version: "6.0.0", licens
     }
     group(name: "test-compile", export: false) {
       dependency(id: "org.bouncycastle:bc-fips:2.1.2")
-      dependency(id: "org.testng:testng:7.5.1")
+      dependency(id: "org.testng:testng:7.9.0")
+      // Gets rid of SLF warnings on test run
+      //   SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
+      //   SLF4J: Defaulting to no-operation (NOP) logger implementation
+      //   SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
+      dependency(id: "org.slf4j:slf4j-nop:${slf4jVersion}")
     }
   }
 
@@ -72,7 +75,6 @@ release = loadPlugin(id: "org.savantbuild.plugin:release-git:2.0.0")
  */
 java.settings.javaVersion = "17"
 javaTestNG.settings.javaVersion = "17"
-javaTestNG.settings.listeners = ["io.fusionauth.jwt.TestNGAnnotationTransformer"]
 
 /*
  * Targets
@@ -94,9 +96,15 @@ target(name: "test", description: "Runs the project's tests", dependsOn: ["jar"]
   // Example:
   // javaTestNG.settings.jvmArguments += "-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=5005"
 
-  // Run the test suite twice, one with BC fips enabled, and once w/out.
-  [false, true].each { type ->
-    javaTestNG.settings.jvmArguments = "-Dtest.fips=${type}"
+  boolean[] fipsEnabled = [false, true]
+  if (switches.has("fips")) {
+    fipsEnabled = [true]
+  } else if (switches.has("jca")) {
+    fipsEnabled = [false]
+  }
+
+  fipsEnabled.each { enabled ->
+    javaTestNG.settings.jvmArguments = "-Dtest.fips=${enabled}"
     javaTestNG.test()
   }
 }

fusionauth-jwt.iml

@@ -49,55 +49,66 @@
     <orderEntry type="module-library" scope="TEST">
       <library>
         <CLASSES>
-          <root url="jar://$MODULE_DIR$/.savant/cache/org/bouncycastle/bc-fips/1.0.2+P6/bc-fips-1.0.2+P6.jar!/" />
+          <root url="jar://$MODULE_DIR$/.savant/cache/org/bouncycastle/bc-fips/2.1.2/bc-fips-2.1.2.jar!/" />
         </CLASSES>
         <JAVADOC />
         <SOURCES>
-          <root url="jar://$MODULE_DIR$/.savant/cache/org/bouncycastle/bc-fips/1.0.2+P6/bc-fips-1.0.2+P6-src.jar!/" />
+          <root url="jar://$MODULE_DIR$/.savant/cache/org/bouncycastle/bc-fips/2.1.2/bc-fips-2.1.2-src.jar!/" />
         </SOURCES>
       </library>
     </orderEntry>
     <orderEntry type="module-library" scope="TEST">
       <library>
         <CLASSES>
-          <root url="jar://$MODULE_DIR$/.savant/cache/org/testng/testng/7.5.1/testng-7.5.1.jar!/" />
+          <root url="jar://$MODULE_DIR$/.savant/cache/org/testng/testng/7.9.0/testng-7.9.0.jar!/" />
         </CLASSES>
         <JAVADOC />
         <SOURCES>
-          <root url="jar://$MODULE_DIR$/.savant/cache/org/testng/testng/7.5.1/testng-7.5.1-src.jar!/" />
+          <root url="jar://$MODULE_DIR$/.savant/cache/org/testng/testng/7.9.0/testng-7.9.0-src.jar!/" />
         </SOURCES>
       </library>
     </orderEntry>
     <orderEntry type="module-library" scope="TEST">
       <library>
         <CLASSES>
-          <root url="jar://$MODULE_DIR$/.savant/cache/com/google/code/findbugs/jsr305/3.0.1/jsr305-3.0.1.jar!/" />
+          <root url="jar://$MODULE_DIR$/.savant/cache/com/beust/jcommander/1.82.0/jcommander-1.82.0.jar!/" />
         </CLASSES>
         <JAVADOC />
         <SOURCES>
-          <root url="jar://$MODULE_DIR$/.savant/cache/com/google/code/findbugs/jsr305/3.0.1/jsr305-3.0.1-src.jar!/" />
+          <root url="jar://$MODULE_DIR$/.savant/cache/com/beust/jcommander/1.82.0/jcommander-1.82.0-src.jar!/" />
         </SOURCES>
       </library>
     </orderEntry>
     <orderEntry type="module-library" scope="TEST">
       <library>
         <CLASSES>
-          <root url="jar://$MODULE_DIR$/.savant/cache/com/beust/jcommander/1.78.0/jcommander-1.78.0.jar!/" />
+          <root url="jar://$MODULE_DIR$/.savant/cache/org/webjars/jquery/3.7.1/jquery-3.7.1.jar!/" />
         </CLASSES>
         <JAVADOC />
         <SOURCES>
-          <root url="jar://$MODULE_DIR$/.savant/cache/com/beust/jcommander/1.78.0/jcommander-1.78.0-src.jar!/" />
+          <root url="jar://$MODULE_DIR$/.savant/cache/org/webjars/jquery/3.7.1/jquery-3.7.1-src.jar!/" />
         </SOURCES>
       </library>
     </orderEntry>
     <orderEntry type="module-library" scope="TEST">
       <library>
         <CLASSES>
-          <root url="jar://$MODULE_DIR$/.savant/cache/org/webjars/jquery/3.5.1/jquery-3.5.1.jar!/" />
+          <root url="jar://$MODULE_DIR$/.savant/cache/org/slf4j/slf4j-api/1.7.36/slf4j-api-1.7.36.jar!/" />
         </CLASSES>
         <JAVADOC />
         <SOURCES>
-          <root url="jar://$MODULE_DIR$/.savant/cache/org/webjars/jquery/3.5.1/jquery-3.5.1-src.jar!/" />
+          <root url="jar://$MODULE_DIR$/.savant/cache/org/slf4j/slf4j-api/1.7.36/slf4j-api-1.7.36-src.jar!/" />
+        </SOURCES>
+      </library>
+    </orderEntry>
+    <orderEntry type="module-library" scope="TEST">
+      <library>
+        <CLASSES>
+          <root url="jar://$MODULE_DIR$/.savant/cache/org/slf4j/slf4j-nop/1.7.36/slf4j-nop-1.7.36.jar!/" />
+        </CLASSES>
+        <JAVADOC />
+        <SOURCES>
+          <root url="jar://$MODULE_DIR$/.savant/cache/org/slf4j/slf4j-nop/1.7.36/slf4j-nop-1.7.36-src.jar!/" />
         </SOURCES>
       </library>
     </orderEntry>

fusionauth-jwt.ipr

@@ -30,10 +30,12 @@
   <component name="InspectionProjectProfileManager">
     <profile version="1.0">
       <option name="myName" value="Project Default" />
+      <inspection_tool class="ClassCanBeRecord" enabled="false" level="WEAK WARNING" enabled_by_default="false" />
       <inspection_tool class="DuplicatedCode" enabled="true" level="WARNING" enabled_by_default="true" />
       <inspection_tool class="Duplicates" enabled="true" level="WARNING" enabled_by_default="true">
         <option name="minCloneLength" value="35" />
       </inspection_tool>
+      <inspection_tool class="SizeReplaceableByIsEmpty" enabled="false" level="WARNING" enabled_by_default="false" />
     </profile>
     <version value="1.0" />
   </component>
@@ -627,6 +629,11 @@
     <option name="USE_PER_PROJECT_SETTINGS" value="true" />
   </component>
   <component name="ProjectDictionaryState">
+    <dictionary name="project">
+      <words>
+        <w>eddsa</w>
+      </words>
+    </dictionary>
     <dictionary name="degroff">
       <words>
         <w>aand</w>
@@ -765,4 +772,4 @@
       </state>
     </states>
   </component>
-</project>
+</project>