Changelog
3.0
3.12.0 (Supreme 0.6.2)
- Fix COSE signature verification (this is a breaking change in `indispensable-cosef`):
  - Introduce class `CoseSignedBytes` which holds the bytes as transmitted on the wire
  - Add property `wireFormat` to `CoseSigned` to hold those bytes
  - Create new `CoseSigned` objects by calling `CoseSigned.create()` instead of using a constructor
  - Prepare COSE signature input by calling `CoseSigned.prepare()`
  - In `CoseSigned`, member `protectedHeader` is now a `CoseHeader`, not a `ByteStringWrapper<CoseHeader>`
  - In `CoseSigned`, member `rawSignature` (`ByteArray`) is now `signature` (`CryptoSignature.RawByteEncodable`)
3.11.1 (Supreme 0.6.1)
- Fix `CoseSigned` JSON serialization
3.11.0 (Supreme 0.6.0)
- Kotlin 2.1.0
- Bouncy Castle 1.79!! for JVM targets
- Implement members in `JsonWebToken` and `ConfirmationClaim` for OpenID4VC High Assurance Interoperability Profile with SD-JWT VC
- Add utility methods to `Asn1Integer`
  - Additional constructor methods: `fromByteArray`, `fromUnsignedByteArray`
  - Additional instance methods: `isZero`, `magnitude`, `bitLength`
  - Additional conversion methods for Java BigInteger and ionspin BigInteger
- Refactor `CryptoPublicKey.Rsa` to use `Asn1Integer`
- Fixes JWS/COSE encoding for non-standard exponents (with MSBit 1)
- Add type parameter to `CoseSigned` for its payload (tagging with tag 24 when necessary)
- Changes primary constructor visibility to `internal` to check for `ByteStringWrapper` as payload type, which shall be rejected
- Fix serialization with Json
- Do not use DID key identifiers as keyId for `CoseKey`
- Fix BitSet iterator
- Add cose header `typ`
- Allow `assertTag` override also for `Asn1Integer` (was missing before)
- Sanitized `Asn1OctetString` inheritors' equality behavior
- Two `Asn1OctetString`s are always equal if their contents are equal
- Make `Asn1Integer` an `Asn1Encodable<String>`
- PEM Encoding
  - Introduce `PemEncodable` interface, derived from `Asn1Encodable`
  - Introduce `PemDecodable` interface, derived from `Asn1Decodable`
- Add Private Key
  - Add Private Key Representation to `indispensable`
  - Parsing of PEM and DER-encoded private keys in `indispensable`
  - Introduce `SignatureAlgorithm.signerFor(privateKey)` in `supreme` to create signers backed by (previously parsed, or manually constructed) private keys
  - Export of private keys from ephemeral signers (and only ephemeral signers) in combination with a new `@SecretExposure` annotation in `supreme`
- Add helpers for smoother iOS interop:
  - `ECCurve.iosEncodedPublicKeyLength`
  - `ECCurve.iosEncodedPrivateKeyLength`
  - `ECCurve.Companion.fromIosEncodedPublicKeyLength`
  - `ECCurve.Companion.fromIosEncodedPrivateKeyLength`
- Renames (old names are kept with a deprecation warning):
  - `getJcaPublicKey()` -> `toJcaPublicKey()`
- Support RSA8192
3.10.0 (Supreme 0.5.0) More cowbell targets!
A new artifact, minor breaking changes and a lot more targets ahead!
The public API remains almost unchanged. Breaking API changes are:
- Some parsing methods migrating from a `ByteIterator` to kotlinx-io `Source`
- Move `ensureSize` from package `asn1` to `misc`
- Change CSR to take an actual `CryptoSignature` instead of a ByteArray
- Remove Legacy iOS Attestation
- Add type parameter to `JwsSigned` for its payload
- Add type parameter to `JweDecrypted` for its payload
- `JwsSigned.prepareSignatureInput` now returns a raw ByteArray
- Move `BitSet` from `io` to `asn1` package
The internals have changed substantially, however, and some fixes lead to behavioural changes.
Therefore, be sure to match Signum versions if multiple libraries pull it in as a transitive dependency.
Better safe than sorry!
The full list of changes is:
- Discrete ASN.1 module `indispensable-asn1` supporting the following platforms:
  - JVM
  - Android
  - iOS
  - watchOS
  - tvOS
  - JS
  - wasm/JS
  - Linux X64
  - Linux AARCH64
  - MinGw X64
- More targets for `indispensable`, `indispensable-josef`, `indispensable-cosef`
  - JVM
  - Android
  - iOS
  - watchOS
  - tvOS
  - JS
  - wasm/JS
  - Linux X64
  - Linux AARCH64
  - MinGw X64
- KmmResult 1.9.0
- Multibase 1.2.1
- Introduce generic tag assertion to `Asn1Element`
- Change CSR to take an actual `CryptoSignature` instead of a ByteArray
- Introduce shorthand to create CSR from TbsCSR
- Introduce shorthand to create certificate from TbsCertificate
- Remove requirement from CSR to have certificate extensions
- Fix CoseSigned equals
- Base OIDs on unsigned varint instead of UInt
- Directly support UUID-based OID creation
- Implement hash-to-curve and hash-to-scalar as per RFC9380
- Rename `decodeFromDerHexString` to `parseFromDerHexString`
- Move `ensureSize` from package `asn1` to `misc`
- Move `BitSet` from `io` to `asn1` package
- Use kotlinx-io as primary source for parsing
  - Base number encoding/decoding on kotlinx-io
  - Remove parsing from iterator
  - Base ASN.1 encoding and decoding on kotlinx-io
  - Remove single element decoding from Iterator
- Introduce `prepareDigestInput()` to `IosHomebrewAttestation`
- Remove Legacy iOS Attestation
- Add type parameter to `JwsSigned` for its payload
- Add type parameter to `JweDecrypted` for its payload
- `JwsSigned.prepareSignatureInput` now returns a raw ByteArray
- Tests that do not depend on BouncyCastle/JCA are now performed for all targets
- Remove Napier dependency
3.9.0 (Supreme 0.4.0)
- Move `Attestation` from Supreme to Indispensable
- Rename `parse()` to `deserialize()` in `JwsSigned` and `JweEncrypted` to align with COSE
- Rename `CryptoPublicKey.Rsa` -> `CryptoPublicKey.RSA` for consistency reasons
- Add HMAC JCA names, properties used in JSON Web Encryption
3.8.2 (Supreme 0.3.2)
- Less destructive Hotfix for KT-71650
- Re-enables export of `Asn1Element.Tag` class to ObjC.
3.8.1 (Supreme 0.3.1)
- Hotfix for KT-71650
- Disables export of `Asn1Element.Tag` class to ObjC. Signum remains usable for KMP projects, the Tag class just cannot be directly accessed from Swift and ObjC any more.
3.8.0 (Supreme 0.3.0) Breaking Changes Ahead!
- Completely revamped ASN.1 Tag Handling
- Properly handle multi-byte tags
- Introduce a new data structure `TLV.Tag` with an accompanying `TagClass` enum and a `constructed` flag to accurately represent arbitrary tags up to `ULong.MAX_VALUE`
- Make all `tag` parameters `ULong` to reflect support for multi-byte tags
- Remove `DERTags`
- Revamp implicit tagging (there is still work to be done, but at least it supports CONSTRUCTED ASN.1 elements)
- Refactor `Int.Companion.decodeFromDer` -> `Int.Companion.decodeFromDerValue()`
- Refactor `Long.Companion.decodeFromDer` -> `Long.Companion.decodeFromDerValue()`
- Introduce `ULong.Companion.decodeFromDer` which can handle overlong inputs, as long as they start with a valid ULong encoding
- Changed return type of `Verifier::verify` from `KmmResult<Unit>` to `KmmResult<Success>`. Usage is unchanged.
- Add `ConfirmationClaim` to represent Proof-of-Possession Key Semantics for JWTs
- Add claims to `JsonWebToken` to implement Demonstrating Proof of Possession
- Replace `JsonWebToken.confirmationKey` by `JsonWebToken.confirmationClaim`, the implementation was wrong
- Introduce `ULong.toAsn1VarInt()` to encode ULongs into ASN.1 unsigned VarInts (not to be confused with multi^2_base's `UVarInt`!)
- Introduce `decodeAsn1VarULong()` and `decodeAsn1VarUInt()` which can handle overlong inputs, as long as they start with a valid unsigned number encoding.
  - Comes in three ULong flavours:
    - `Iterator<Byte>.decodeAsn1VarULong()`
    - `Iterable<Byte>.decodeAsn1VarULong()`
    - `ByteArray.decodeAsn1VarULong()`
  - and three UInt flavours:
    - `Iterator<Byte>.decodeAsn1VarUInt()`
    - `Iterable<Byte>.decodeAsn1VarUInt()`
    - `ByteArray.decodeAsn1VarUInt()`
- Revamp implicit tagging
- Revamp `Asn1Element.parse()`, introducing new variants. This yields:
  - `Asn1Element.parse()` with the same semantics as before
  - `Asn1Element.parse()` alternative introduced, which takes a `ByteIterator` instead of a `ByteArray`
  - `Asn1Element.parseAll()` introduced, which consumes all bytes and returns a list of all ASN.1 elements (if parsing works)
    - Variant 1 takes a `ByteIterator`
    - Variant 2 takes a `ByteArray`
  - `Asn1Element.parseFirst()` introduced, which tries to only parse a single ASN.1 element from the input and leaves the rest untouched.
    - Variant 1 takes a `ByteIterator` and returns the element; the `ByteIterator` is advanced accordingly
    - Variant 2 takes a `ByteArray` and returns a `Pair` of `(element, remainingBytes)`
- More consistent low-level encoding and decoding function names:
  - `encodeToAsn1Primitive` to produce an `Asn1Primitive` that can directly be DER-encoded
  - `encodeToAsn1ContentBytes` to produce the content bytes of a TLV primitive (the V in TLV)
  - `decodeToXXX` to be invoked on an `Asn1Primitive` to decode a DER-encoded primitive into the target type
  - `decodeFromAsn1ContentBytes` to be invoked on the companion of the target type to decode the content bytes of a TLV primitive (the V in TLV)
- Update conventions -> Coroutines 1.9.0
- replace `runCatching` with `catching` to be extra-safe
3.7.0 (Supreme 0.2.0)
- Remove Swift verifier logic to obtain a general speed-up
- Implement supreme signing capabilities
- Introduce Attestation Data Structure
- Dependency Updates:
- Kotlin 2.0.20
- kotlinx.serialization 1.7.2 stable (bye, bye unofficial snapshot dependency!)
- kotlinx-datetime 0.6.1
3.6.1
- Externalise `UVarInt` to multibase
3.6.0
- Rebranding to Signum
  - maven coordinates: `at.asitplus.signum:$module`
  - modules
    - datatypes -> indispensable
    - datatypes-jws -> indispensable-josef
    - datatypes-cose -> indispensable-cosef
    - provider -> supreme
  - package renames
    - `crypto` -> `signum`
    - `datatypes` -> `indispensable`
    - `jws` -> `josef`
    - `cose` -> `cosef`
    - `provider` -> `supreme`
3.5.1
Fixes
- Publish provider pre-release to maven central
Changes
- Depend on newer conventions, which don't pull serialization snapshots in:
  - `datatypes`, `datatypes-jws`, and `provider` depend on stable serialization WITHOUT COSE SUPPORT
  - `datatypes-cose` pulls in latest 1.8.0 serialization SNAPSHOT from upstream
- `ByteStringWrapper` is not part of upstream snapshot cose serialization anymore, but implemented as part of `datatypes-cose` in package `at.asitplus.crypto.datatypes.cose.io`
3.5.0
Fixes
- Fix calculation of JWK thumbprints according to RFC7638
Changes
- Add `provider` module that actually implements cryptography! (Currently in preview, signature verification only)
- Add `COSE_Key` header to `CoseHeader`, defined in OpenID for Verifiable Credential Issuance draft 13
- Fix serialization of COSE signature structures
- Refactor `JsonWebKey`:
  - Remove `identifier`, please use `keyId` or `jwkThumbprint` directly
  - Add `equalsCryptographically()` to compare two keys by their cryptographic properties only
- Externalise multibase implementation
3.2.2
- KmmResult 1.7.0
- Bignum 0.3.10 stable
- okio 3.9.0
3.2.1
Fixes
- Correct serialization of COSE signature structures
3.2.0
- Kotlin 2.0
- Gradle 8.8
- Bouncy Castle 1.78.1
- Kotest 5.9.1
- Coroutines 1.8.1
- Serialization 1.7.1-SNAPSHOT
- KmmResult 1.6.2
Fixes
- Move `curve` from `CryptoAlgorithm` to `JwsAlgorithm`
- Don't assume curve information for the X.509 signature when, in fact, none exists
- `CryptoSignature`s in X.509 are now indefinite length
Changes
- Always DID-encode keys in compressed form (but keep decoding support)
- Rename `CryptoAlgorithm` to `X509SignatureAlgorithm` to better describe what it is
  - Rename `toCryptoAlgorithm` to `toX509SignatureAlgorithm` accordingly
- Rework CryptoSignature to two-dimensional interface:
- CryptoSignature <- {EC <- {IndefiniteLength, DefiniteLength}, RsaOrHmac}
- CryptoSignature <- {RawByteEncodable <- {EC.DefiniteLength, RsaOrHmac}, NotRawByteEncodable <- EC.IndefiniteLength}
3.1.0
Fixes
- Standardize class names: `Ec` -> `EC` everywhere
- Fix an edge case where very small `r`/`s` in `CryptoSignature.EC` would be corrupted
- Remove bogus ASN.1 encoding from JWS Algorithms
- `CryptoSignature.EC` now requires specification of a curve or size when reading raw bytes
Features
- Support ASN.1 encoding/decoding for `BigInteger`
- Expose `generator`, `order` and `cofactor` of `ECCurve`
- Extend list of values in `JweAlgorithm` and `JweEncryption`
- Extend properties in `JweHeader`
- Extend properties in `JwsHeader`
- BREAKING CHANGE: Completely revamp the ASN.1 builder DSL
  - explicitly require `+` to add some ASN.1 element to a builder
  - Make convenience functions like `Bool(<boolean value>)` work stand-alone
- Introduce common interface `JsonWebAlgorithm` for Jw{s,e}Algorithm
- JsonWebKey Changes:
- do not generate kid when there is none and allow removing it
- reference `JsonWebAlgorithm` instead of `JwsAlgorithm`
- add `.didEncoded`, which may return null, if encoding fails
- add `.curve` to EC CryptoAlgorithms
- Change JweAlgorithm to sealed class to support unknown algorithms
- Add generic `ECPoint` class
- Implement elliptic-curve arithmetic
3.0.0
Fixes
- Restructure and fix `RelativeDistinguishedName`. THIS IS A BREAKING CHANGE
- Fix `Asn1Time` not truncating to seconds
- Fix parsing of CryptoSignature when decoding Certificates
- Remove bogus `serialize()` function from `CryptoSignature` THIS IS A BREAKING CHANGE
Features
- Wrap exceptions during deserialization in `KmmResult`, i.e. changing all `deserialize()` methods in companion objects THIS IS A BREAKING CHANGE
- Move class `JweDecrypted` from package `at.asitplus.wallet.lib.jws` to `at.asitplus.crypto.datatypes.jws` THIS IS A BREAKING CHANGE
- Support more JWE algorithms, e.g. AES
- Add `header` to constructor parameters of `JweEncrypted`
- Extend properties of `JsonWebKey`
- Introduce `CertificateChain` typealias with `.leaf` and `.root` convenience properties
- Use `CertificateChain` inside `JwsHeader` instead of `Array`
- Use `CertificateChain` inside `JsonWebKey` instead of `Array`
- SubjectAltNames and IssuerAltNames:
  - Perform some structural validations on SAN and IAN
  - Expose `TbsCertificate.issuerAltNames` and `TbsCertificate.subjectAltnames`, which contain (somewhat) parsed `AlternativeNames` structures for easy access to `dnsName`, `iPAddress`, etc.
2.0
2.6.0
- Pull in `JsonWebKeySet` from `vclib`
- Implement JWK Set Url (`jku`) in JWS headers
- Implement Attestation JWT (`jwt`) in JWS headers
- Implement Confirmation keys (`cnf`) in JWT
- Implement `CborWebToken` (RFC 8392)
- Boolean ASN.1 decoding helper function
- Certificate to/from JCA certificate conversion functions
2.5.0
- Parse more certificates from `x5c` in JWS headers
- Kotlin 1.9.23 thanks to updated conventions
- Generate `KnownOIDs` using KotlinPoet
- Work around KT-65315 thanks to updated conventions
- BigNum as API dependency and iOS export (seems nonsensical, but is somehow required when using this inside a compose multiplatform app)
- Rename `BERTags.NULL` to `BERTags.ASN1_NULL` to fix broken ObjC export
2.4.0
- Add Support for EC Point compression
- Add Support for full Cose-Key Spec
- Correct Multibase Encoding
- Change `DID:KEY` encoding to Base58_BTC to comply with draft
- Add Multibase Encoder/Decoder
- Add UVarInt datatype (63 bit max)
- Remove MultibaseHelper
- Finally make `CoseKey`'s EC Point compression play nicely with kotlinx.serialization
- Rename `CoseKey.fromKeyId` to `CoseKey.fromDid`
- Rename `JsonWebKey.fromKeyId` to `JsonWebKey.fromDid`
2.3.0
- Change `CryptoPublicKey.toJsonWebKey()` return type from `KmmResult<JsonWebKey>` to `JsonWebKey`
- Add `CryptoSignature.parseFromJca` function
- Refactor `CryptoPublicKey.keyID` to `CryptoPublicKey.didEncoded` to better reflect what it actually is
- Rename `CryptoPublicKey.fromKeyId` to `CryptoPublicKey.fromDid`
2.2.1
- Update conventions
- Rename CBOR annotations
- Target Java 17
2.2.0
- Dependency Updates
- KmmResult 1.5.4
- Refactor `MultiBaseHelper` to only handle conversion
- Change `JwsHeader.publicKey` from JsonWebKey to CryptoPublicKey
- Remove `SignatureValueLength` parameters from JWS & COSE Algorithm Enum class
- Remove deprecated functions
- Rename `Jws` classes
  - New `CryptoAlgorithm` class
  - New `CryptoSignature` class for easy Asn1 - RawByteArray conversion
- Rename function in file `JcaExtensions.kt` from `.toPublicKey` to `.toJcaPublicKey` to reflect connection to JVM
- Remove VcLib-specific constants
2.1.0
- Kotlin 1.9.20
- COSE Support
- Full RSA and HMAC Support
- New interface `Asn1OctetString` to unify both ASN.1 OCTET STREAM classes
- Fix broken `content` property of `Asn1EncapsulatingOctetString`
- Refactor `.derEncoded` property of `Asn1Encodable` interface to function `.encodeToDer()`
- Consistent exception handling behaviour
  - Throw new type `Asn1Exception` for ASN.1-related errors
  - Throw `IllegalArgumentException` for input-related errors
  - Add `xxxOrNull()` functions for all encoding/decoding/parsing functions
  - Add `xxxSafe()` functions to encapsulate encoding/decoding in `KmmResult`
  - Return `KmmResult` for conversions between different key representations (i.e. `CryptoPublicKey`, `CoseKey` and `JsonWebKey`)
2.0.0
- JWS Support
- Bugfixes and streamlining all over the place
- Proper BIT STRING
- BitSet (100% Kotlin BitSet implementation)
- Recursively parsing (and encapsulating) ASN.1 structures in OCTET Strings
- Initial pretty-printing of ASN.1 Structures
- Massive ASN.1 builder DSL streamlining
- More convenient explicit tagging
1.0
1.0.0
First public release