Crypt-JWT-0.038

Changes for version 0.038 - 2026-05-16

SECURITY:
- constant-time MAC compare;
- enforce JWK alg/use/key_ops and EC alg/crv consistency;
- reject mixed-symmetry or duplicate-kid keysets;
- cap PBES2 p2c and inflated payload size;
- new $MIN_HMAC_KEY_LEN (4) and $MIN_RSA_BITS (2048);
- new section SECURITY CONSIDERATIONS in POD
fix: ConcatKDF: INTEROP BREAK with <=0.037 for ECDH-ES + A192CBC-HS384 / A256CBC-HS512 only
fix: ECDH-ES apu/apv header values are base64url-decoded before KDF input
fix: AAD bit-length encoding (only diverged at AAD >= 512 MB)
fix: accepted_alg / accepted_enc now croak on unsupported types
aes_key_wrap/unwrap:
- strict RFC 3394 (KW) vs RFC 5649 (KWP) modes;
- ct length validation
- fix unwrap of aligned KWP messages
require Compress::Raw::Zlib >= 2.057
new author-only Wycheproof harness t/wycheproof.t (AUTHOR_MODE=1)

JSON Web Token (JWT, JWS, JWE) as defined by RFC7519, RFC7515, RFC7516

Key management/wrapping algorithms defined in RFC7518 (JWA)

To install Crypt::JWT, copy and paste the appropriate command in to your terminal.

cpanm Crypt::JWT

perl -MCPAN -e shell
install Crypt::JWT

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)