root
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Actions 34 Packages Projects Releases Wiki Activity

Deprecate the X5T JOSE Header name
CodeQL Advanced / codeql-analysis-call (push) Waiting to run Details
CI / Build (17, ubuntu-latest) (push) Waiting to run Details
CI / Build (17, windows-latest) (push) Waiting to run Details
CI / Test Against Snapshots (17, 17) (push) Waiting to run Details
CI / Test Against Snapshots (21-ea, 21) (push) Waiting to run Details
CI / Deploy Artifacts (push) Blocked by required conditions Details
CI / Deploy Docs (push) Blocked by required conditions Details
CI / Deploy Schema (push) Blocked by required conditions Details
CI / Perform Release (push) Blocked by required conditions Details
CI / Send Notification (push) Blocked by required conditions Details
Deploy Docs / build (push) Has been cancelled Details 

Closes gh-16979

Signed-off-by: Pat McCusker <patmccusker14@gmail.com>
This commit is contained in:
Pat McCusker 2025-05-16 18:33:36 -04:00 committed by Josh Cummings
parent fd4f06a66e
commit 5517d8fe3a
2 changed files with 26 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JoseHeader.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2023 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -119,7 +119,15 @@ class JoseHeader {
* thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate
* corresponding to the key used to digitally sign the JWS or encrypt the JWE.
* @return the X.509 certificate SHA-1 thumbprint
* @deprecated The SHA-1 algorithm has been proven to be vulnerable to collision
* attacks and should not be used. See the <a target="_blank" href=
* "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">Google
* Security Blog</a> for more info.
* @see <a target="_blank" href=
* "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">Announcing
* the first SHA1 collision</a>
*/
@Deprecated
public String getX509SHA1Thumbprint() {
return getHeader(JoseHeaderNames.X5T);
}
@ -271,7 +279,15 @@ class JoseHeader {
* corresponding to the key used to digitally sign the JWS or encrypt the JWE.
* @param x509SHA1Thumbprint the X.509 certificate SHA-1 thumbprint
* @return the {@link AbstractBuilder}
* @deprecated The SHA-1 algorithm has been proven to be vulnerable to collision
* attacks and should not be used. See the <a target="_blank" href=
* "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">Google
* Security Blog</a> for more info.
* @see <a target="_blank" href=
* "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">Announcing
* the first SHA1 collision</a>
*/
@Deprecated
public B x509SHA1Thumbprint(String x509SHA1Thumbprint) {
return header(JoseHeaderNames.X5T, x509SHA1Thumbprint);
}

10
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JoseHeaderNames.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2021 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -76,7 +76,15 @@ public final class JoseHeaderNames {
* {@code x5t} - the X.509 certificate SHA-1 thumbprint header is a base64url-encoded
* SHA-1 thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate
* corresponding to the key used to digitally sign a JWS or encrypt a JWE
* @deprecated The SHA-1 algorithm has been proven to be vulnerable to collision
* attacks and should not be used. See the <a target="_blank" href=
* "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">Google
* Security Blog</a> for more info.
* @see <a target="_blank" href=
* "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">Announcing
* the first SHA1 collision</a>
*/
@Deprecated
public static final String X5T = "x5t";
/**