Commit 5517d8f

pat-mccuskerjzheaux

authored and

committed

Deprecate the X5T JOSE Header name

Closes gh-16979 Signed-off-by: Pat McCusker <patmccusker14@gmail.com>

1 parent fd4f06a commit 5517d8fCopy full SHA for 5517d8f

File tree

2 files changed

+26

-2

lines changed

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt
- JoseHeader.java
- JoseHeaderNames.java

2 files changed

+26

-2

lines changed

`‎oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JoseHeader.java`

Lines changed: 17 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/*`
`2`		`- * Copyright 2002-2023 the original author or authors.`
	`2`	`+ * Copyright 2002-2025 the original author or authors.`
`3`	`3`	`*`
`4`	`4`	`* Licensed under the Apache License, Version 2.0 (the "License");`
`5`	`5`	`* you may not use this file except in compliance with the License.`
`@@ -119,7 +119,15 @@ public List<String> getX509CertificateChain() {`
`119`	`119`	`* thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate`
`120`	`120`	`* corresponding to the key used to digitally sign the JWS or encrypt the JWE.`
`121`	`121`	`* @return the X.509 certificate SHA-1 thumbprint`
	`122`	`+ * @deprecated The SHA-1 algorithm has been proven to be vulnerable to collision`
	`123`	`+ * attacks and should not be used. See the <a target="_blank" href=`
	`124`	`+ * "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">Google`
	`125`	`+ * Security Blog</a> for more info.`
	`126`	`+ * @see <a target="_blank" href=`
	`127`	`+ * "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">Announcing`
	`128`	`+ * the first SHA1 collision</a>`
`122`	`129`	`*/`
	`130`	`+ @Deprecated`
`123`	`131`	`public String getX509SHA1Thumbprint() {`
`124`	`132`	`return getHeader(JoseHeaderNames.X5T);`
`125`	`133`	`}`
`@@ -271,7 +279,15 @@ public B x509CertificateChain(List<String> x509CertificateChain) {`
`271`	`279`	`* corresponding to the key used to digitally sign the JWS or encrypt the JWE.`
`272`	`280`	`* @param x509SHA1Thumbprint the X.509 certificate SHA-1 thumbprint`
`273`	`281`	`* @return the {@link AbstractBuilder}`
	`282`	`+ * @deprecated The SHA-1 algorithm has been proven to be vulnerable to collision`
	`283`	`+ * attacks and should not be used. See the <a target="_blank" href=`
	`284`	`+ * "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">Google`
	`285`	`+ * Security Blog</a> for more info.`
	`286`	`+ * @see <a target="_blank" href=`
	`287`	`+ * "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">Announcing`
	`288`	`+ * the first SHA1 collision</a>`
`274`	`289`	`*/`
	`290`	`+ @Deprecated`
`275`	`291`	`public B x509SHA1Thumbprint(String x509SHA1Thumbprint) {`
`276`	`292`	`return header(JoseHeaderNames.X5T, x509SHA1Thumbprint);`
`277`	`293`	`}`

`‎oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JoseHeaderNames.java`

Lines changed: 9 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/*`
`2`		`- * Copyright 2002-2021 the original author or authors.`
	`2`	`+ * Copyright 2002-2025 the original author or authors.`
`3`	`3`	`*`
`4`	`4`	`* Licensed under the Apache License, Version 2.0 (the "License");`
`5`	`5`	`* you may not use this file except in compliance with the License.`
`@@ -76,7 +76,15 @@ public final class JoseHeaderNames {`
`76`	`76`	`* {@code x5t} - the X.509 certificate SHA-1 thumbprint header is a base64url-encoded`
`77`	`77`	`* SHA-1 thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate`
`78`	`78`	`* corresponding to the key used to digitally sign a JWS or encrypt a JWE`
	`79`	`+ * @deprecated The SHA-1 algorithm has been proven to be vulnerable to collision`
	`80`	`+ * attacks and should not be used. See the <a target="_blank" href=`
	`81`	`+ * "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">Google`
	`82`	`+ * Security Blog</a> for more info.`
	`83`	`+ * @see <a target="_blank" href=`
	`84`	`+ * "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">Announcing`
	`85`	`+ * the first SHA1 collision</a>`
`79`	`86`	`*/`
	`87`	`+ @Deprecated`
`80`	`88`	`public static final String X5T = "x5t";`
`81`	`89`
`82`	`90`	`/**`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 5517d8f

File tree

2 files changed

2 files changed

`‎oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JoseHeader.java`

`‎oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JoseHeaderNames.java`

0 commit comments