Releases: yaronf/httpsign
v0.5.0
Breaking Change
MessageDetails.KeyID is now *string (was string).
RequestDetails() and ResponseDetails() previously required the keyid signature parameter and returned it as a plain string. RFC 9421 does not mandate keyid, so it is now optional: the field is nil when absent, &value when present.
Migration: any code reading details.KeyID must now nil-check before dereferencing.
Security Fixes
- Signature bypass via missing keyid — verifiers configured with SetKeyID() were vulnerable to bypass: signatures that omitted keyid entirely would pass verification. Now rejected with an error.
- Unbounded body buffering (OOM/DoS) — reading message bodies for Content-Digest computation and trailer parsing had no size cap. Added SetMaxBodySize() to HandlerConfig, ClientConfig, VerifyConfig, SignConfig, and DigestOptions. Default is 0 (no limit) for backward compatibility.
- Opaque verification errors — internal crypto error details are no longer propagated to callers, preventing leakage of cryptographic internals.
- Panic on malformed key — unguarded type assertions in sign() and verify() could panic if a Signer/Verifier was constructed with an incorrect key type. Now returns "malformed key" error.
New Features
- SetNonceValidator on VerifyConfig — callback for application-layer replay prevention; invoked when a signature includes a nonce parameter.
- SetSchemeFromRequest on SignConfig and VerifyConfig — derive @scheme from a custom callback (e.g. X-Forwarded-Proto) for deployments behind TLS-terminating reverse proxies.
v0.4.2 - RSA-PSS RFC 9421 Compliance Fix
What's Changed
Bug Fix: RSA-PSS Salt Length Compliance
Fixed RSA-PSS signature generation to use the correct salt length (64 bytes for SHA-512) as required by RFC 9421 Section 3.3.1. This ensures interoperability with WebCrypto, JavaScript implementations, and other RFC-compliant HTTP Message Signatures libraries.
Details:
- Changed from Go's default PSSSaltLengthAuto (~190 bytes) to PSSSaltLengthEqualsHash (64 bytes)
- Follows TLS 1.3 and IETF CFRG consensus on RSA-PSS parameters
- Verification remains backwards compatible with old signatures (auto-detects salt length)
- Added explicit tests for salt length validation and backwards compatibility
Fixes: #17
Credit: Thanks to @dickhardt for reporting this issue and providing the detailed analysis!
Full Changelog: v0.4.1...v0.4.2
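The salt-length behaviour described in the v0.4.2 notes can be reproduced with Go's standard crypto/rsa package alone: a strict verifier (64-byte salt) rejects signatures made with the old default, while an auto-detecting verifier accepts both. This is an added example, not code from httpsign; the helper names (signPSS, verifyPSS, saltCompat), the throwaway 2048-bit key and the sample signature base are assumptions made for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"fmt"
)

// signPSS signs msg with RSASSA-PSS over SHA-512 using the given salt length.
func signPSS(priv *rsa.PrivateKey, msg []byte, saltLen int) ([]byte, error) {
	digest := sha512.Sum512(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA512, digest[:], &rsa.PSSOptions{SaltLength: saltLen})
}

// verifyPSS reports whether sig is valid for msg under the given salt-length policy.
func verifyPSS(pub *rsa.PublicKey, msg, sig []byte, saltLen int) bool {
	digest := sha512.Sum512(msg)
	return rsa.VerifyPSS(pub, crypto.SHA512, digest[:], sig, &rsa.PSSOptions{SaltLength: saltLen}) == nil
}

// saltCompat signs one message both ways and checks each signature against both verifier policies.
func saltCompat() (map[string]bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // throwaway demo key (assumption)
	if err != nil {
		return nil, err
	}
	// Constructed sample signature base, for illustration only.
	base := []byte("\"@method\": GET\n\"@signature-params\": (\"@method\");alg=\"rsa-pss-sha512\"")
	newSig, err1 := signPSS(priv, base, rsa.PSSSaltLengthEqualsHash) // 64-byte salt
	oldSig, err2 := signPSS(priv, base, rsa.PSSSaltLengthAuto)       // maximum salt: 190 bytes for this key
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("sign: %v / %v", err1, err2)
	}
	pub := &priv.PublicKey
	return map[string]bool{
		"new-sig/strict": verifyPSS(pub, base, newSig, rsa.PSSSaltLengthEqualsHash),
		"new-sig/auto":   verifyPSS(pub, base, newSig, rsa.PSSSaltLengthAuto),
		"old-sig/strict": verifyPSS(pub, base, oldSig, rsa.PSSSaltLengthEqualsHash),
		"old-sig/auto":   verifyPSS(pub, base, oldSig, rsa.PSSSaltLengthAuto),
	}, nil
}

func main() {
	fmt.Println(saltCompat())
}
```

Only the "old-sig/strict" case fails, which is the interoperability problem a peer enforcing the 64-byte salt would have seen with signatures produced before this release.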
Alternative verification API
- Alternative verification API using the Message structure.
- Fix panic in edge case of ed25519.
- Other minor fixes.
Bump JWX and Go version to address a CVE
v0.3.2 Recent JWX possibly broken, quote go version
Documentation fixes
v0.3.1 Documentation fixes
Key ID no longer mandatory
Breaking change: keyid is no longer a Signer/Verifier parameter. Instead, if it is needed, include it in SignConfig/VerifyConfig.
Normalize path for @request-target
v0.2.2 Normalize an empty path
Bump JWX library
No change other than addressing CVE-2024-21319 (which does not apply to our code).