From c65d563472e02cdfd2ee64e9048dea837f88a7f3 Mon Sep 17 00:00:00 2001 From: navaneethsnair1 Date: Tue, 2 Sep 2025 12:20:15 +0530 Subject: [PATCH] updates to 25.0.0.9 blog --- posts/2025-09-09-25.0.0.9.adoc | 69 +++++++++++++--------------------- 1 file changed, 27 insertions(+), 42 deletions(-) diff --git a/posts/2025-09-09-25.0.0.9.adoc b/posts/2025-09-09-25.0.0.9.adoc index 4bc6c9fcd..2ab906731 100644 --- a/posts/2025-09-09-25.0.0.9.adoc +++ b/posts/2025-09-09-25.0.0.9.adoc @@ -1,19 +1,19 @@ --- layout: post -title: "ECDH-ES support added to JwtBuilder" +title: "ECDH-ES support added to JwtBuilder in 25.0.0.9" # Do NOT change the categories section categories: blog author_picture: https://avatars3.githubusercontent.com/IsmathBadsha author_github: https://github.com/IsmathBadsha -seo-title: ECDH-ES support added to JwtBuilder - OpenLiberty.io +seo-title: ECDH-ES support added to JwtBuilder in 25.0.0.9 - OpenLiberty.io seo-description: 'This release introduces ECDH-ES support in JwtBuilder.' blog_description: 'This release introduces ECDH-ES support in JwtBuilder.' open-graph-image: https://openliberty.io/img/twitter_card.jpg open-graph-image-alt: Open Liberty Logo --- -= ECDH-ES support added to JwtBuilder += ECDH-ES support added to JwtBuilder in 25.0.0.9 Ismath Badsha -:imagesdir: / +:imagesdir: /s :url-prefix: :url-about: / //Blank line here is necessary before starting the body of the post. @@ -66,16 +66,10 @@ This release introduces ECDH-ES support in JwtBuilder. In link:{url-about}[Open Liberty] 25.0.0.9: -* <> +* <> * <> * <> - -// // // // // // // // -// If there were updates to guides since last release, keep the following, otherwise remove section. -// // // // // // // // -Along with the new features and functions added to the runtime, we’ve also made <>. - // // // // // // // // // In the preceding section: // Replace the TAG_X with a short label for the feature in lower-case, eg: mp3 
@@ -161,30 +155,37 @@ image::img/blog/blog_btn_stack.svg[Ask a question on Stack Overflow, align="cent // Blog issue: https://github.com/OpenLiberty/open-liberty/issues/32660 // Contact/Reviewer: tloodu // // // // // // // // -[#ECDH-ES] +[#ECDH_ES] == Add ECDH-ES support to JwtBuilder -Open Liberty has enhanced its JSON Web Token 1.0 (`jwt-1.0`) feature by introducing support for ECDH-ES (Elliptic Curve Diffie-Hellman Ephemeral Static) as a key management algorithm in the JwtBuilder configuration. This update allows application developers to use Elliptic Curve Cryptography for encrypting the Content Encryption Key (CEK) of a JWE, providing a modern alternative to the previously supported RSA-OAEP with enhanced security.To use ECDH-ES, developers must define an Elliptic Curve public key in the keyManagementKeyAlias attribute.The EC public and private key pair can be generated using securityUtility or keytool, for example: - - `./securityUtility createSSLCertificate --sigAlg=SHA256withECDSA --keySize=256 --server=myServer --validity=3650 --password=password` - - `keytool -genkeypair -alias eccert -keyalg EC -groupname secp256r1 -validity 3650 -storetype pkcs12 -keystore myKeystore.p12 -storepass password` -ECDH-ES can be configured under the `keyManagementKeyAlgorithm` attribute in a JwtBuilder element of `JSON Web Token 1.0` (`jwt-1.0`) feature.The EC public key used for encryption must be referenced by its alias in `keyManagementKeyAlias`, and the keystore must be specified using the `trustStoreRef` attribute. -Sample server.xml configuration: +Open Liberty has enhanced its JSON Web Token 1.0 (`jwt-1.0`) feature by introducing support for ECDH-ES (Elliptic Curve Diffie-Hellman Ephemeral Static) as a key management algorithm in the JwtBuilder configuration. 
This update allows application developers to use Elliptic Curve Cryptography for encrypting the Content Encryption Key (CEK) of a JWE, providing a modern alternative to the previously supported RSA-OAEP with enhanced security. -[source,xml] +To use ECDH-ES, developers must define an Elliptic Curve public key in the `keyManagementKeyAlias` attribute. The EC public and private key pair can be generated using securityUtility or keytool, for example: ++ +``` +./securityUtility createSSLCertificate --sigAlg=SHA256withECDSA --keySize=256 --server=myServer --validity=3650 --password=password +``` ++ +``` +keytool -genkeypair -alias eccert -keyalg EC -groupname secp256r1 -validity 3650 -storetype pkcs12 -keystore myKeystore.p12 -storepass password +``` + +ECDH-ES can be configured under the `keyManagementKeyAlgorithm` attribute in a JwtBuilder element of `JSON Web Token 1.0` (jwt-1.0) feature. The EC public key used for encryption must be referenced by its alias in `keyManagementKeyAlias`, and the keystore must be specified using the `trustStoreRef` attribute. + +Sample server.xml configuration: ++ +[source, xml] ---- ---- -For more details on configuring `JwtBuilder` and using ECDH-ES, refer to the https://openliberty.io/docs/latest/reference/config/jwtBuilder.html[Open Liberty documentation]. + +For more details on configuring `JwtBuilder` and using ECDH-ES, check the link:https://openliberty.io/docs/latest/reference/config/jwtBuilder.html[Open Liberty documentation]. - // DO NOT MODIFY THIS LINE. - -For more details, check the LINK[LINK_DESCRIPTION]. - // // // // // // // // // In the preceding section: // Replace TAG_X/SUB_TAG_X with the given tag of your secton from the contents list 
@@ -210,19 +211,19 @@ For more details, check the LINK[LINK_DESCRIPTION]. |5.3 |Denial of service |18.0.0.2-25.0.0.8 -|Affects the `feature:servlet-3.1`, `feature:servlet-4.0`, `feature:servlet-5.0` and `feature:servlet-6.0` features +|Affects the `servlet-3.1`, `servlet-4.0`, `servlet-5.0` and `servlet-6.0` features |https://www.cve.org/CVERecord?id=CVE-2025-48976[CVE-2025-48976] |7.5 |Denial of service |17.0.0.3-25.0.0.8 -|Affects the `feature:servlet-3.1`, `feature:servlet-4.0`, `feature:servlet-5.0` and `feature:servlet-6.0` features +|Affects the `servlet-3.1`, `servlet-4.0`, `servlet-5.0` and `servlet-6.0` features |https://www.cve.org/CVERecord?id=CVE-2025-36124[CVE-2025-36124] |5.9 |Bypass security |17.0.0.3-25.0.0.8 -|Affects the `feature:wasJmsServer-1.0`, `feature:wasJmsSecurity-1.0`, `feature:wasJmsClient-2.0`, `feature:messagingServer-3.0`, `feature:messagingSecurity-3.0` and `feature:messagingClient-3.0` features +|Affects the `wasJmsServer-1.0`, `wasJmsSecurity-1.0`, `wasJmsClient-2.0`, `messagingServer-3.0`, `messagingSecurity-3.0` and `messagingClient-3.0` features |=== // // // // // // // // // In the preceding section: 
@@ -288,22 +289,6 @@ We’ve spent some time fixing bugs. The following sections describe just some o // // // // // // // // -// // // // // // // // -// If there were updates to guides since last release, keep the following, otherwise remove section. -// Check with Gilbert Kwan, otherwise Michal Broz or YK Chang -// // // // // // // // -[#guides] -== New and updated guides since the previous release -As Open Liberty features and functionality continue to grow, we continue to add link:https://openliberty.io/guides/?search=new&key=tag[new guides to openliberty.io] on those topics to make their adoption as easy as possible. Existing guides also receive updates to address any reported bugs/issues, keep their content current, and expand what their topic covers. - -// // // // // // // // -// In the following section, list any new guides, or changes/updates to existing guides. -// The following is an example of how the list can be structured (similar to the bugs section): -// * link:{url-prefix}/guides/[new/updated guide].html[Guide Title] -// ** Description of the guide or the changes made to the guide. -// // // // // // // // - - == Get Open Liberty 25.0.0.9 now Available through <>.
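Review bot: the `:imagesdir: /` to `:imagesdir: /s` change in the first hunk (the front-matter hunk, `@@ -1,19 +1,19 @@`) looks accidental and will break every image in the post, since a reference such as `image::img/blog/blog_btn_stack.svg[...]` would then resolve under `/s/img/...`; revert that line to `:imagesdir: /`. The title and `seo-title` updates in the same hunk are fine.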
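Review bot: in the contents-list hunk (`@@ -66,16 +66,10 @@`) the first `* <>` entry is rewritten while the section anchor later in the patch changes from `[#ECDH-ES]` to `[#ECDH_ES]`; confirm that this entry's cross-reference target is `ECDH_ES` so the link resolves, and search the post for any remaining `ECDH-ES` xref. Dropping the "Along with the new features ... updates to guides" line here is consistent with removing the `[#guides]` section in the final hunk.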
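Review bot: in the ECDH-ES section hunk (`@@ -161,30 +155,37 @@`) the standalone `+` lines before the two command blocks and before the `[source, xml]` block are list-continuation markers, but the surrounding text is ordinary paragraphs, not a list, so they will render as literal plus signs; remove them. For the two key-generation commands, use the post's existing `[source,sh]` plus `----` convention rather than Markdown-style triple-backtick fences. The sentence "developers must define an Elliptic Curve public key in the `keyManagementKeyAlias` attribute" should say the key is referenced by its keystore alias in that attribute, which is what the following paragraph describes. "providing a modern alternative to the previously supported RSA-OAEP with enhanced security" makes a claim the text does not support; either state the concrete benefit (ephemeral-static key agreement, smaller EC keys at comparable strength) or drop "with enhanced security". The `[source, xml]` sample block appears empty in the diff as rendered here (`----` immediately followed by `----`); confirm the `jwtBuilder` element with `keyManagementKeyAlgorithm`, `keyManagementKeyAlias` and `trustStoreRef` actually made it into the commit. Minor: `(jwt-1.0)` lost its backticks relative to the first paragraph, and the template's `// DO NOT MODIFY THIS LINE.` marker was deleted along with the placeholder link; check whether the blog tooling depends on that marker.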
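Review bot: removing the `[#guides]` section in the last hunk (`@@ -288,22 +289,6 @@`) is consistent with the contents-list change, but the template comment being deleted says to check with Gilbert Kwan (or Michal Broz / YK Chang) whether any guides were updated since the previous release; confirm that check was done, rather than dropping the section only to clear the placeholder.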