jose 0.1.0

data/README.md

@@ -0,0 +1,41 @@
+# JOSE
+
+Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/jose`. To experiment with that code, run `bin/console` for an interactive prompt.
+
+TODO: Delete this and the text above, and describe your gem
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'jose'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install jose
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/jose. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](contributor-covenant.org) code of conduct.
+
+
+## License
+
+The gem is available as open source under the terms of the [MPL-2.0 License](http://opensource.org/licenses/MPL-2.0).
+

data/Rakefile

@@ -0,0 +1,10 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList['test/**/*_test.rb']
+end
+
+task :default => :test

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "jose"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+require "pry"
+Pry.start
+
+# require "irb"
+# IRB.start

data/bin/setup

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/jose.gemspec

@@ -0,0 +1,36 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'jose/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "jose"
+  spec.version       = JOSE::VERSION
+  spec.authors       = ["Andrew Bennett"]
+  spec.email         = ["andrew@pixid.com"]
+
+  spec.summary       = %q{JSON Object Signing and Encryption}
+  spec.description   = %q{JSON Object Signing and Encryption}
+  spec.homepage      = "https://github.com/potatosalad/ruby-jose"
+  spec.license       = "MPL-2.0"
+
+  # Prevent pushing this gem to RubyGems.org by setting 'allowed_push_host', or
+  # delete this section to allow pushing this gem to any host.
+  # if spec.respond_to?(:metadata)
+  #   spec.metadata['allowed_push_host'] = "TODO: Set to 'http://mygemserver.com'"
+  # else
+  #   raise "RubyGems 2.0 or newer is required to protect against public gem pushes."
+  # end
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "hamster"
+
+  spec.add_development_dependency "bundler", "~> 1.10"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "minitest"
+  spec.add_development_dependency "json"
+end

data/lib/jose.rb

@@ -0,0 +1,61 @@
+require 'jose/version'
+
+require 'base64'
+require 'hamster/hash'
+require 'json'
+require 'openssl'
+
+module JOSE
+  class Map < Hamster::Hash; end
+end
+
+require 'jose/jwa'
+require 'jose/jwe'
+require 'jose/jwk'
+require 'jose/jws'
+require 'jose/jwt'
+
+module JOSE
+
+  extend self
+
+  def decode(binary)
+    return JSON.load(binary)
+  end
+
+  def encode(term)
+    return JSON.dump(sort_maps(term))
+  end
+
+  def urlsafe_decode64(binary)
+    case binary.bytesize % 4
+    when 2
+      binary += '=='
+    when 3
+      binary += '='
+    end
+    return Base64.urlsafe_decode64(binary)
+  end
+
+  def urlsafe_encode64(binary)
+    return Base64.urlsafe_encode64(binary).tr('=', '')
+  end
+
+private
+
+  def sort_maps(term)
+    case term
+    when Hash, JOSE::Map
+      return term.keys.sort.each_with_object(Hash.new) do |key, hash|
+        hash[key] = sort_maps(term[key])
+      end
+    when Array
+      return term.map do |item|
+        sort_maps(item)
+      end
+    else
+      return term
+    end
+  end
+
+end

data/lib/jose/jwa.rb

@@ -0,0 +1,21 @@
+module JOSE
+  module JWA
+
+    extend self
+
+    def constant_time_compare(a, b)
+      return false if a.empty? || b.empty? || a.bytesize != b.bytesize
+      l = a.unpack "C#{a.bytesize}"
+
+      res = 0
+      b.each_byte { |byte| res |= byte ^ l.shift }
+      return res == 0
+    end
+
+  end
+end
+
+require 'jose/jwa/aes_kw'
+require 'jose/jwa/concat_kdf'
+require 'jose/jwa/pkcs1'
+require 'jose/jwa/pkcs7'

data/lib/jose/jwa/aes_kw.rb

@@ -0,0 +1,105 @@
+module JOSE::JWA::AES_KW
+
+  extend self
+
+  DEFAULT_IV = OpenSSL::BN.new(0xA6A6A6A6A6A6A6A6).to_s(2)
+
+  def unwrap(cipher_text, kek, iv = nil)
+    iv ||= DEFAULT_IV
+    bits = kek.bytesize * 8
+    if cipher_text.bytesize % 8 == 0 and (bits == 128 or bits == 192 or bits == 256)
+      block_count = cipher_text.bytesize.div(8) - 1
+      buffer = do_unwrap(cipher_text, 5, block_count, kek, bits)
+      buffer_s = StringIO.new(buffer)
+      if buffer_s.read(iv.bytesize) != iv
+        raise ArgumentError, "iv does not match"
+      else
+        plain_text = buffer_s.read
+        return plain_text
+      end
+    else
+      raise ArgumentError, "bad cipher_text, kek, or iv"
+    end
+  end
+
+  def wrap(plain_text, kek, iv = nil)
+    iv ||= DEFAULT_IV
+    bits = kek.bytesize * 8
+    if plain_text.bytesize % 8 == 0 and (bits == 128 or bits == 192 or bits == 256)
+      buffer = [iv, plain_text].join
+      block_count = buffer.bytesize.div(8) - 1
+      return do_wrap(buffer, 0, block_count, kek, bits)
+    else
+      raise ArgumentError, "bad plain_text, kek, or iv"
+    end
+  end
+
+private
+
+  def aes_ecb_decrypt(bits, key, cipher_text)
+    cipher = OpenSSL::Cipher::AES.new(bits, :ECB)
+    cipher.decrypt
+    cipher.key = key
+    cipher.padding = 0
+    return cipher.update(cipher_text) + cipher.final
+  end
+
+  def aes_ecb_encrypt(bits, key, plain_text)
+    cipher = OpenSSL::Cipher::AES.new(bits, :ECB)
+    cipher.encrypt
+    cipher.key = key
+    cipher.padding = 0
+    return cipher.update(plain_text) + cipher.final
+  end
+
+  def do_unwrap(buffer, j, block_count, kek, bits)
+    if j < 0
+      return buffer
+    else
+      return do_unwrap(do_unwrap_step(buffer, j, block_count, block_count, kek, bits), j - 1, block_count, kek, bits)
+    end
+  end
+
+  def do_unwrap_step(buffer, j, i, block_count, kek, bits)
+    if i < 1
+      return buffer
+    end
+    buffer_s = StringIO.new(buffer)
+    a0, = buffer_s.read(8).unpack('Q>')
+    head_size = (i - 1) * 8
+    head = buffer_s.read(head_size)
+    b0 = buffer_s.read(8)
+    tail = buffer_s.read
+    round = (block_count * j) + i
+    a1 = a0 ^ round
+    data = [a1, b0].pack('Q>a*')
+    a2, b1 = aes_ecb_decrypt(bits, kek, data).unpack('Q>a*')
+    return do_unwrap_step([a2, head, b1, tail].pack('Q>a*a*a*'), j, i - 1, block_count, kek, bits)
+  end
+
+  def do_wrap(buffer, j, block_count, kek, bits)
+    if j == 6
+      return buffer
+    else
+      return do_wrap(do_wrap_step(buffer, j, 1, block_count, kek, bits), j + 1, block_count, kek, bits)
+    end
+  end
+
+  def do_wrap_step(buffer, j, i, block_count, kek, bits)
+    if i > block_count
+      return buffer
+    end
+    buffer_s = StringIO.new(buffer)
+    a0 = buffer_s.read(8)
+    head_size = (i - 1) * 8
+    head = buffer_s.read(head_size)
+    b0 = buffer_s.read(8)
+    tail = buffer_s.read
+    round = (block_count * j) + i
+    data = [a0, b0].join
+    a1, b1 = aes_ecb_encrypt(bits, kek, data).unpack('Q>a*')
+    a2 = a1 ^ round
+    return do_wrap_step([a2, head, b1, tail].pack('Q>a*a*a*'), j, i + 1, block_count, kek, bits)
+  end
+
+end

data/lib/jose/jwa/concat_kdf.rb

@@ -0,0 +1,50 @@
+module JOSE::JWA::ConcatKDF
+
+  extend self
+
+  def kdf(hash, z, other_info, key_data_len = nil)
+    if hash.is_a?(String)
+      hash = OpenSSL::Digest.new(hash)
+    end
+    if key_data_len.nil?
+      key_data_len = hash.digest('').bytesize * 8
+    end
+    if other_info.is_a?(Array)
+      algorithm_id, party_u_info, party_v_info, supp_pub_info, supp_priv_info = other_info
+      supp_pub_info ||= ''
+      supp_priv_info ||= ''
+      other_info = [
+        algorithm_id.bytesize, algorithm_id,
+        party_u_info.bytesize, party_u_info,
+        party_v_info.bytesize, party_v_info,
+        supp_pub_info,
+        supp_priv_info
+      ].pack('Na*Na*Na*a*a*')
+    end
+    hash_len = hash.digest('').bytesize * 8
+    reps = (key_data_len / hash_len.to_f).ceil
+    if reps == 1
+      concatenation = [ 0, 0, 0, 1, z, other_info ].pack('C4a*a*')
+      derived_key = [hash.digest(concatenation).unpack('B*')[0][0...key_data_len]].pack('B*')
+      return derived_key
+    elsif reps > 0xFFFFFFFF
+      raise ArgumentError, "too many reps"
+    else
+      return derive_key(hash, 1, reps, key_data_len, [z, other_info].join, '')
+    end
+  end
+
+private
+
+  def derive_key(hash, counter, reps, key_data_len, z_other_info, derived_keying_material)
+    if counter == reps
+      concatenation = [counter, z_other_info].pack('Na*')
+      derived_key = [[derived_keying_material, hash.digest(concatenation)].join.unpack('B*')[0][0...key_data_len]].pack('B*')
+      return derived_key
+    else
+      concatenation = [counter, z_other_info].pack('Na*')
+      return derive_key(hash, counter + 1, reps, key_data_len, z_other_info, [derived_keying_material, hash.digest(concatenation)].join)
+    end
+  end
+
+end

data/lib/jose/jwa/pkcs1.rb

@@ -0,0 +1,269 @@
+module JOSE::JWA::PKCS1
+
+  extend self
+
+  def eme_oaep_decode(hash, em, label, k)
+    if hash.is_a?(String)
+      hash = OpenSSL::Digest.new(hash)
+    end
+    h_len = hash.digest('').bytesize
+    l_hash = hash.digest(label)
+    masked_db_len = k - h_len - 1
+    em_s = StringIO.new(em)
+    y = em_s.getbyte
+    if y != 0x00
+      raise ArgumentError, "decryption_error"
+    end
+    masked_seed = em_s.read(h_len)
+    masked_db = em_s.read(masked_db_len)
+    seed_mask = mgf1(hash, masked_db, h_len)
+    seed = exor(masked_seed, seed_mask)
+    db_mask = mgf1(hash, seed, k - h_len - 1)
+    db = exor(masked_db, db_mask)
+    db_s = StringIO.new(db)
+    l_hash_prime = db_s.read(h_len)
+    if l_hash != l_hash_prime
+      raise ArgumentError, "decryption_error"
+    end
+    db_right = db_s.read
+    sep, m = unpad_zero(db_right).unpack('Ca*')
+    if sep != 0x01
+      raise ArgumentError, "decryption_error"
+    end
+    return m
+  end
+
+  def eme_oaep_encode(hash, dm, label, seed, k)
+    if hash.is_a?(String)
+      hash = OpenSSL::Digest.new(hash)
+    end
+    h_len = hash.digest('').bytesize
+    m_len = dm.bytesize
+    l_hash = hash.digest(label)
+    ps_len = (k - m_len - (2 * h_len) - 2)
+    ps = if ps_len > 0
+      ([0] * ps_len).pack('C*')
+    else
+      ''
+    end
+    db = [l_hash, ps, 0x01, dm].pack('a*a*Ca*')
+    db_mask = mgf1(hash, seed, k - h_len - 1)
+    masked_db = exor(db, db_mask)
+    seed_mask = mgf1(hash, masked_db, h_len)
+    masked_seed = exor(seed, seed_mask)
+    em = [0x00, masked_seed, masked_db].pack('Ca*a*')
+    return em
+  end
+
+  def emsa_pss_encode(hash, message, salt, em_bits)
+    if hash.is_a?(String)
+      hash = OpenSSL::Digest.new(hash)
+    end
+    salt ||= -2
+    if salt.is_a?(Integer)
+      salt_len = salt
+      if salt_len == -2
+        hash_len = hash.digest('').bytesize
+        em_len = (em_bits / 8.0).ceil
+        salt_len = em_len - hash_len - 2
+        if salt_len < 0
+          raise ArgumentError, "encoding_error"
+        end
+      elsif salt_len == -1
+        hash_len = hash.digest('').bytesize
+        salt_len = hash_len
+      end
+      if salt_len < 0
+        raise ArgumentError, "unhandled salt length: #{salt_len.inspect}"
+      end
+      salt = SecureRandom.random_bytes(salt_len)
+    end
+    m_hash = hash.digest(message)
+    hash_len = m_hash.bytesize
+    salt_len = salt.bytesize
+    em_len = (em_bits / 8.0).ceil
+    if em_len < (hash_len + salt_len + 2)
+      raise ArgumentError, "encoding_error"
+    else
+      m_prime = [0x00].pack('Q').concat(m_hash).concat(salt)
+      h = hash.digest(m_prime)
+      ps = ([0x00] * (em_len - salt_len - hash_len - 2)).pack('C*')
+      db = [ps, 0x01, salt].pack('a*Ca*')
+      db_mask = mgf1(hash, h, em_len - hash_len - 1)
+      left_bits = (em_len * 8) - em_bits
+      masked_db_right = exor(db, db_mask).unpack('B*')[0][left_bits..-1]
+      masked_db = [('0' * left_bits).concat(masked_db_right)].pack('B*')
+      em = [masked_db, h, 0xBC].pack('a*a*C')
+      return em
+    end
+  end
+
+  def emsa_pss_verify(hash, message, em, salt_len, em_bits)
+    if hash.is_a?(String)
+      hash = OpenSSL::Digest.new(hash)
+    end
+    salt_len ||= -2
+    if salt_len == -2
+      hash_len = hash.digest('').bytesize
+      em_len = (em_bits / 8.0).ceil
+      salt_len = em_len - hash_len - 2
+      if salt_len < 0
+        return false
+      end
+    elsif salt_len == -1
+      hash_len = hash.digest('').bytesize
+      salt_len = hash_len
+    end
+    if salt_len < 0
+      raise ArgumentError, "unhandled salt length: #{salt_len.inspect}"
+    end
+    m_hash = hash.digest(message)
+    hash_len = m_hash.bytesize
+    em_len = (em_bits / 8.0).ceil
+    masked_db_len = (em_len - hash_len - 1)
+    if (em.bytesize != em_len) or (em_len < (hash_len + salt_len + 2))
+      return false
+    else
+      em_s = StringIO.new(em)
+      masked_db = em_s.read(masked_db_len)
+      h = em_s.read(hash_len)
+      if em_s.getbyte != 0xBC
+        return false
+      end
+      left_bits = ((em_len * 8) - em_bits)
+      if (left_bits > 0) and (masked_db.unpack("B#{left_bits}").pack('B*').unpack('C')[0] != 0x00)
+        return false
+      end
+      db_mask = mgf1(hash, h, em_len - hash_len - 1) rescue nil
+      if db_mask.nil?
+        return false
+      end
+      db_right = exor(masked_db, db_mask).unpack('B*')[0][left_bits..-1]
+      db = [('0' * left_bits).concat(db_right)].pack('B*')
+      ps_len = (em_len - hash_len - salt_len - 2)
+      db_s = StringIO.new(db)
+      ps = OpenSSL::BN.new(db_s.read(ps_len), 2)
+      if ps != 0
+        return false
+      end
+      sep = db_s.getbyte
+      if sep != 0x01
+        return false
+      end
+      salt = db_s.read(salt_len)
+      m_prime = [0x00].pack('Q').concat(m_hash).concat(salt)
+      h_prime = hash.digest(m_prime)
+      return h == h_prime
+    end
+  end
+
+  def mgf1(hash, seed, mask_len)
+    hash_len = hash.digest('').bytesize
+    if mask_len > (0xFFFFFFFF * hash_len)
+      raise ArgumentError, "mask_too_long"
+    else
+      reps = (mask_len / hash_len.to_f).ceil
+      return derive_mgf1(hash, 0, reps, seed, mask_len, '')
+    end
+  end
+
+  def rsaes_oaep_decrypt(hash, cipher_text, rsa_private_key, label = nil)
+    if hash.is_a?(String)
+      hash = OpenSSL::Digest.new(hash)
+    end
+    label ||= ''
+    h_len = hash.digest('').bytesize
+    k = rsa_private_key.n.num_bytes
+    if cipher_text.bytesize != k or k < ((2 * h_len) + 2)
+      raise ArgumentError, "decryption_error"
+    end
+    em = pad_to_key_size(k, dp(OpenSSL::BN.new(cipher_text, 2), rsa_private_key).to_s(2))
+    return eme_oaep_decode(hash, em, label, k)
+  end
+
+  def rsaes_oaep_encrypt(hash, plain_text, rsa_public_key, label = nil, seed = nil)
+    if hash.is_a?(String)
+      hash = OpenSSL::Digest.new(hash)
+    end
+    label ||= ''
+    h_len = hash.digest('').bytesize
+    seed ||= SecureRandom.random_bytes(h_len)
+    m_len = plain_text.bytesize
+    k = rsa_public_key.n.num_bytes
+    if m_len > (k - (2 * h_len) - 2)
+      raise ArgumentError, "message_too_long"
+    else
+      em = eme_oaep_encode(hash, plain_text, label, seed, k)
+      c = pad_to_key_size(k, ep(OpenSSL::BN.new(em, 2), rsa_public_key).to_s(2))
+      return c
+    end
+  end
+
+  def rsassa_pss_sign(hash, message, rsa_private_key, salt = nil)
+    mod_bits = rsa_private_key.n.num_bits
+    em = emsa_pss_encode(hash, message, salt, mod_bits - 1)
+    mod_bytes = rsa_private_key.n.num_bytes
+    s = pad_to_key_size(mod_bytes, dp(OpenSSL::BN.new(em, 2), rsa_private_key).to_s(2))
+    return s
+  end
+
+  def rsassa_pss_verify(hash, message, signature, rsa_public_key, salt_len = nil)
+    mod_bytes = rsa_public_key.n.num_bytes
+    if signature.bytesize != mod_bytes
+      return false
+    else
+      mod_bits = rsa_public_key.n.num_bits
+      em = pad_to_key_size(((mod_bits - 1) / 8.0).ceil, ep(OpenSSL::BN.new(signature, 2), rsa_public_key).to_s(2))
+      return emsa_pss_verify(hash, message, em, salt_len, mod_bits - 1)
+    end
+  end
+
+private
+
+  def derive_mgf1(hash, counter, reps, seed, mask_len, t)
+    if counter == reps
+      return t[0...mask_len]
+    else
+      counter_bin = [counter].pack('N')
+      new_t = [t, hash.digest([seed, counter_bin].pack('a*a*'))].pack('a*a*')
+      return derive_mgf1(hash, counter + 1, reps, seed, mask_len, new_t)
+    end
+  end
+
+  def dp(b, rsa)
+    return b.mod_exp(rsa.d, rsa.n)
+  end
+
+  def ep(b, rsa)
+    return b.mod_exp(rsa.e, rsa.n)
+  end
+
+  def exor(d1, d2)
+    if d1.bytesize != d2.bytesize
+      raise ArgumentError, "'d1' and 'd2' must have the same bytesize"
+    end
+    d1 = d1.unpack('C*')
+    d2 = d2.unpack('C*')
+    d1.length.times do |i|
+      d1[i] ^= d2[i]
+    end
+    return d1.pack('C*')
+  end
+
+  def pad_to_key_size(bytes, data)
+    if data.bytesize < bytes
+      return pad_to_key_size(bytes, [0x00].pack('C').concat(data))
+    else
+      return data
+    end
+  end
+
+  def unpad_zero(binary)
+    if binary.getbyte(0) == 0x00
+      return unpad_zero(binary[1..-1])
+    else
+      return binary
+    end
+  end
+
+end