
Deprecate the X5T JOSE Header name

Closes gh-16979

Signed-off-by: Pat McCusker <patmccusker14@gmail.com>
pull/17190/head
Pat McCusker 10 months ago committed by Josh Cummings
parent
commit
5517d8fe3a
  1. 18
      oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JoseHeader.java
  2. 10
      oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JoseHeaderNames.java

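--- a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JoseHeader.java
+++ b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JoseHeader.java
@@ -1,5 +1,5 @@
 /*
-* Copyright 2002-2023 the original author or authors.
+* Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -119,7 +119,15 @@ class JoseHeader {
 * thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate
 * corresponding to the key used to digitally sign the JWS or encrypt the JWE.
 * @return the X.509 certificate SHA-1 thumbprint
+* @deprecated The SHA-1 algorithm has been proven to be vulnerable to collision
+* attacks and should not be used. See the <a target="_blank" href=
+* "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">Google
+* Security Blog</a> for more info.
+* @see <a target="_blank" href=
+* "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">Announcing
+* the first SHA1 collision</a>
 */
+@Deprecated
 public String getX509SHA1Thumbprint() {
 return getHeader(JoseHeaderNames.X5T);
 }
@@ -271,7 +279,15 @@ class JoseHeader {
 * corresponding to the key used to digitally sign the JWS or encrypt the JWE.
 * @param x509SHA1Thumbprint the X.509 certificate SHA-1 thumbprint
 * @return the {@link AbstractBuilder}
+* @deprecated The SHA-1 algorithm has been proven to be vulnerable to collision
+* attacks and should not be used. See the <a target="_blank" href=
+* "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">Google
+* Security Blog</a> for more info.
+* @see <a target="_blank" href=
+* "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">Announcing
+* the first SHA1 collision</a>
 */
+@Deprecated
 public B x509SHA1Thumbprint(String x509SHA1Thumbprint) {
 return header(JoseHeaderNames.X5T, x509SHA1Thumbprint);
 }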
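Review bot: The new `@deprecated` Javadoc on getX509SHA1Thumbprint says why the accessor is going away but not what to use instead, and the same gap is in the builder's x509SHA1Thumbprint hunk below and in the X5T constant in JoseHeaderNames.java. A deprecation that names its successor is what lets callers migrate mechanically; the SHA-256 thumbprint header (`x5t#S256`, RFC 7515 §4.1.8) is the standard replacement, so I would end the tag with `* Use {@link #getX509SHA256Thumbprint()} instead.` here, `{@link #x509SHA256Thumbprint(String)}` on the builder, and `{@link #X5T_S256}` on the constant. The `@see` entry repeats the URL already linked from `@deprecated`; pointing it at the RFC section would carry more information than a second copy of the same link. Both annotated methods still read and write the header exactly as before, so this change is documentation only and does not by itself stop an `x5t` value from being produced or consumed — worth stating in the deprecation text if that is the intent.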

10
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JoseHeaderNames.java

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2021 the original author or authors. * Copyright 2002-2025 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -76,7 +76,15 @@ public final class JoseHeaderNames {
* {@code x5t} - the X.509 certificate SHA-1 thumbprint header is a base64url-encoded * {@code x5t} - the X.509 certificate SHA-1 thumbprint header is a base64url-encoded
* SHA-1 thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate * SHA-1 thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate
* corresponding to the key used to digitally sign a JWS or encrypt a JWE * corresponding to the key used to digitally sign a JWS or encrypt a JWE
* @deprecated The SHA-1 algorithm has been proven to be vulnerable to collision
* attacks and should not be used. See the <a target="_blank" href=
* "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">Google
* Security Blog</a> for more info.
* @see <a target="_blank" href=
* "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">Announcing
* the first SHA1 collision</a>
*/ */
@Deprecated
public static final String X5T = "x5t"; public static final String X5T = "x5t";
/** /**
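Review bot: The bare `@Deprecated` on X5T gives tooling nothing to report beyond "deprecated"; assuming the module builds on Java 9 or later, `@Deprecated(since = "<release-version>")` (placeholder for the release this lands in) lets compiler warnings state when the name was retired, and the two annotations added in JoseHeader.java would take the same attribute. Because X5T is a compile-time `String` constant, callers that were already compiled against it have the value inlined and will see no deprecation warning until they are rebuilt, so the annotation reaches less code than a deprecated method would; the Javadoc should carry the full migration note for that reason. The enclosing class continues outside the hunk, and I could not see whether the sibling `x5t#S256` constant's Javadoc cross-references this deprecation — a `@see` from the successor back to the retired name would help readers landing there first.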
