Merge branch 'master' into convenience-jar. Only conflict was CHANGEL…

…OG.md - simple fix.

CHANGELOG.md

@@ -1,5 +1,10 @@
 ## Release Notes
 
+### 0.11.6
+
+* Adds a simplified "starter" jar that automatically pulls in `jjwt-api`, `jjwt-impl` and `jjwt-jackson`, useful when 
+  upgrading from the older `io.jsonwebtoken:jjwt:*` to the project's current flexible module structure.
+
 ### 0.11.5
 
 This patch release adds additional security guards against an ECDSA bug in Java SE versions 15-15.0.6, 17-17.0.2, and 18
@@ -32,8 +37,62 @@ provided the JJWT team.
 This patch release:
 
 * Adds additional handling for rare JSON parsing exceptions and wraps them in a `JwtException` to allow the application to handle these conditions as JWT concerns.
-* Upgrades the `jjwt-jackson` module's Jackson dependency to `2.9.10.7`.
-* Adds a simplified "starter" jar that automatically pulls in `jjwt-api`, `jjwt-impl` and `jjwt-jackson`, useful when upgrading from the older `io.jsonwebtoken:jjwt:*` to the project's current flexible module structure.
+* Upgrades the `jjwt-jackson` module's Jackson dependency to `2.12.6.1`.
+* Upgrades the `jjwt-orgjson` module's org.json:json dependency to `20220320`.
+* Upgrades the `jjwt-gson` module's gson dependency to `2.9.0`.
+* Upgrades the internal testing BouncyCastle version and any references in README documentation examples to `1.70`.
+* Contains various documentation and typo fixes.
+
+The patch also makes various internal project POM and build enhancements to reduce repetition and the chance for 
+stale references, and overall create a cleaner build with less warnings.  It also ensures that CI testing builds
+and executes on all latest OpenJDK versions from Java 7 to Java 18 (inclusive).
+
+Issues included in this patch are listed in the [JJWT 0.11.4 milestone](https://github.com/jwtk/jjwt/milestone/25?closed=1).
+
+### 0.11.3
+
+This patch release adds security guards against an ECDSA bug in Java SE versions 15-15.0.6, 17-17.0.2, and 18
+([CVE-2022-21449](https://nvd.nist.gov/vuln/detail/CVE-2022-21449)). Note: if your application does not use these 
+JVM versions, you are not exposed to the JVM vulnerability.
+
+Note that the CVE is not a bug within JJWT itself - it is a bug within the above listed JVM versions.  However, even 
+with these additional JJWT security guards, the root cause of the issue is the JVM, so it **strongly 
+recommended** to upgrade your JVM to version 15.0.7, 17.0.3, or 18.0.1 or later to ensure the bug does not surface 
+elsewhere in your application code or any other third party library in your application that may not contain similar 
+security guards.
+
+Issues included in this patch are listed in the [JJWT 0.11.3 milestone](https://github.com/jwtk/jjwt/milestone/24).
+
+#### Backwards Compatibility Warning
+
+In addition to additional protections against 
+[r or s values of zero in ECDSA signatures](https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/), this 
+release also disables by default legacy DER-encoded signatures that might be included in an ECDSA-signed JWT. 
+(DER-encoded signatures are not supported by the JWT RFC specifications, so they are not frequently encountered.)
+
+However, if you are using an application that needs to consume such legacy JWTs (either produced by a very 
+early version of JJWT, or a different JWT library), you may re-enable DER-encoded ECDSA signatures by setting the 
+`io.jsonwebtoken.impl.crypto.EllipticCurveSignatureValidator.derEncodingSupported` System property to the _exact_ 
+`String` value `true`.  For example:
+
+```java
+System.setProperty("io.jsonwebtoken.impl.crypto.EllipticCurveSignatureValidator.derEncodingSupported", "true");
+```
+
+*BUT BE CAREFUL*:  **DO NOT** set this System property if your application may run on one of the vulnerable JVMs
+noted above (Java SE versions 15-15.0.6, 17-17.0.2, and 18).
+
+You may safely set this property to a `String` value of `true` on all other versions of the JVM if you need to 
+support these legacy JWTs, *otherwise it is best to ignore (not set) the property entirely*.
+
+#### Credits
+
+Thank you to [Neil Madden](https://neilmadden.blog), the security researcher that first discovered the JVM
+vulnerability as covered in his [Psychic Signatures in Java](https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/) blog post.
+
+We'd also like to thank Toshiki Sasazaki, a member of [LINE Corporation](https://linecorp.com)'s Application Security 
+Team as the first person to report the concern directly to the JJWT team, as well as for working with us during testing 
+leading to our conclusions and subsequent 0.11.3 patch release.
 
 ### 0.11.2
 

all/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <groupId>io.jsonwebtoken</groupId>
         <artifactId>jjwt-root</artifactId>
-        <version>0.11.3-SNAPSHOT</version>
+        <version>0.11.6-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 

api/src/main/java/io/jsonwebtoken/lang/Collections.java

@@ -15,8 +15,14 @@
  */
 package io.jsonwebtoken.lang;
 
+import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.*;
+import java.util.Collection;
+import java.util.Enumeration;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
 
 public final class Collections {
 

api/src/main/java/io/jsonwebtoken/lang/Strings.java

@@ -16,8 +16,18 @@
 package io.jsonwebtoken.lang;
 
 import java.nio.charset.Charset;
+import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.*;
+import java.util.Collection;
+import java.util.Enumeration;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Locale;
+import java.util.Properties;
+import java.util.Set;
+import java.util.StringTokenizer;
+import java.util.TreeSet;
 
 public final class Strings {
 

impl/src/main/java/io/jsonwebtoken/impl/DefaultJwtBuilder.java

@@ -15,11 +15,21 @@
  */
 package io.jsonwebtoken.impl;
 
-import io.jsonwebtoken.*;
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.CompressionCodec;
+import io.jsonwebtoken.Header;
+import io.jsonwebtoken.JwsHeader;
+import io.jsonwebtoken.JwtBuilder;
+import io.jsonwebtoken.JwtParser;
+import io.jsonwebtoken.SignatureAlgorithm;
 import io.jsonwebtoken.impl.crypto.DefaultJwtSigner;
 import io.jsonwebtoken.impl.crypto.JwtSigner;
 import io.jsonwebtoken.impl.lang.LegacyServices;
-import io.jsonwebtoken.io.*;
+import io.jsonwebtoken.io.Decoders;
+import io.jsonwebtoken.io.Encoder;
+import io.jsonwebtoken.io.Encoders;
+import io.jsonwebtoken.io.SerializationException;
+import io.jsonwebtoken.io.Serializer;
 import io.jsonwebtoken.lang.Assert;
 import io.jsonwebtoken.lang.Collections;
 import io.jsonwebtoken.lang.Strings;

impl/src/main/java/io/jsonwebtoken/impl/DefaultJwtParser.java

@@ -15,7 +15,27 @@
  */
 package io.jsonwebtoken.impl;
 
-import io.jsonwebtoken.*;
+import io.jsonwebtoken.ClaimJwtException;
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.Clock;
+import io.jsonwebtoken.CompressionCodec;
+import io.jsonwebtoken.CompressionCodecResolver;
+import io.jsonwebtoken.ExpiredJwtException;
+import io.jsonwebtoken.Header;
+import io.jsonwebtoken.IncorrectClaimException;
+import io.jsonwebtoken.InvalidClaimException;
+import io.jsonwebtoken.Jws;
+import io.jsonwebtoken.JwsHeader;
+import io.jsonwebtoken.Jwt;
+import io.jsonwebtoken.JwtHandler;
+import io.jsonwebtoken.JwtHandlerAdapter;
+import io.jsonwebtoken.JwtParser;
+import io.jsonwebtoken.MalformedJwtException;
+import io.jsonwebtoken.MissingClaimException;
+import io.jsonwebtoken.PrematureJwtException;
+import io.jsonwebtoken.SignatureAlgorithm;
+import io.jsonwebtoken.SigningKeyResolver;
+import io.jsonwebtoken.UnsupportedJwtException;
 import io.jsonwebtoken.impl.compression.DefaultCompressionCodecResolver;
 import io.jsonwebtoken.impl.crypto.DefaultJwtSignatureValidator;
 import io.jsonwebtoken.impl.crypto.JwtSignatureValidator;

impl/src/main/java/io/jsonwebtoken/impl/JwtMap.java

@@ -19,7 +19,12 @@
 import io.jsonwebtoken.lang.DateFormats;
 
 import java.text.ParseException;
-import java.util.*;
+import java.util.Calendar;
+import java.util.Collection;
+import java.util.Date;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.Set;
 
 public class JwtMap implements Map<String, Object> {
 

impl/src/main/java/io/jsonwebtoken/impl/compression/DefaultCompressionCodecResolver.java

@@ -15,8 +15,11 @@
  */
 package io.jsonwebtoken.impl.compression;
 
+import io.jsonwebtoken.CompressionCodec;
+import io.jsonwebtoken.CompressionCodecResolver;
 import io.jsonwebtoken.CompressionCodecs;
-import io.jsonwebtoken.*;
+import io.jsonwebtoken.CompressionException;
+import io.jsonwebtoken.Header;
 import io.jsonwebtoken.impl.lang.Services;
 import io.jsonwebtoken.lang.Assert;
 import io.jsonwebtoken.lang.Strings;