v3.3.0

@benmcollins benmcollins released this 02 Mar 22:48
· 150 commits to master since this release

What's Changed

JSON Backend Abstraction with json-c Support

A new JSON abstraction layer (jwt-json-ops.h) decouples libjwt from any specific JSON library. Two backends are now available:

  • Jansson (default, as before)
  • json-c — select at build time with cmake -DWITH_JSON_C=ON

All library source, crypto backends, and CLI tools have been converted to the new abstraction. A new build-linux-json-c CI job ensures the json-c backend is continuously tested.

Security Hardening

A comprehensive security audit addressed multiple issues across the library:

  • Volatile qualifier on timing-safe comparison to prevent compiler optimization
  • Scrub sensitive key material (HMAC keys, PEM data) before freeing
  • NULL/bounds validation in JWK octet and RSA PSS parsing
  • Replace atol() with strtol() and add Content-Length bounds checking in JWKS curl
  • Use secure_getenv() on glibc systems for JWT_CRYPTO provider selection
  • Fix memory leak in builder/checker when JSON allocation fails
  • Sanitize kid and curve name in jwk2key to prevent path traversal
  • Fix strcpy to strncpy in error copy macro
  • Various NULL safety improvements across JWKS functions

A new jwt_security test suite with 76 test cases covers malformed JWK/JWT input, type confusion, partial keys, and NULL safety.

Reported-By: Akshay Jain <akshaythe@gmail.com>
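
The atol() to strtol() change with Content-Length bounds checking, listed under Security Hardening above, shown as an added example that is not libjwt's own code: a header-value parser that rejects input atol() would silently accept. The function name parse_content_length and the 1 MiB MAX_JWKS_BODY cap are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed cap on a JWKS response body; the release notes give no value. */
#define MAX_JWKS_BODY (1024L * 1024L)

/* Returns 0 and stores the length in *out, or -1 for empty, signed,
 * non-numeric, overflowing or oversized input. */
static int parse_content_length(const char *val, long *out)
{
    char *end = NULL;
    long n;

    if (val == NULL || out == NULL)
        return -1;
    while (*val == ' ' || *val == '\t')   /* optional leading whitespace */
        val++;
    if (!isdigit((unsigned char)*val))    /* rejects "", "-1", "+5", "abc" */
        return -1;

    errno = 0;
    n = strtol(val, &end, 10);
    if (errno == ERANGE)                  /* atol() cannot report this */
        return -1;
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;
    if (*end != '\0')                     /* trailing garbage such as "12abc" */
        return -1;
    if (n > MAX_JWKS_BODY)
        return -1;

    *out = n;
    return 0;
}

int main(void)
{
    /* Constructed sample header values, not taken from libjwt. */
    const char *samples[] = { "2048", "", "-1", "12abc",
                              "99999999999999999999999", "1048577" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        long len = 0;
        int rc = parse_content_length(samples[i], &len);
        printf("\"%s\" -> %s\n", samples[i], rc ? "reject" : "accept");
    }
    return 0;
}
```

On rejection *out is left untouched, so a caller can keep a safe default and refuse to size a buffer from the header.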

Bug Fixes

  • Fix allocator mismatch in key2jwk — use jwt_freemem() instead of free() for strings from jwt_json_serialize()
  • Avoid symbol collision with aklomp/base64 by making base64 functions static
  • Remove unused jwt_json_retain() and jwt_json_is_object() functions

Full Changelog: v3.2.3...v3.3.0