RubyGems - jose - Versions diffs - 0.1.0 - Mend

jose 0.1.0

Files changed (49) hide show

checksums.yaml +7 -0
data/.editorconfig +20 -0
data/.gitignore +9 -0
data/.ruby-gemset +1 -0
data/.ruby-version +1 -0
data/.travis.yml +4 -0
data/CODE_OF_CONDUCT.md +13 -0
data/Gemfile +20 -0
data/LICENSE.txt +373 -0
data/README.md +41 -0
data/Rakefile +10 -0
data/bin/console +14 -0
data/bin/setup +7 -0
data/jose.gemspec +36 -0
data/lib/jose.rb +61 -0
data/lib/jose/jwa.rb +21 -0
data/lib/jose/jwa/aes_kw.rb +105 -0
data/lib/jose/jwa/concat_kdf.rb +50 -0
data/lib/jose/jwa/pkcs1.rb +269 -0
data/lib/jose/jwa/pkcs7.rb +23 -0
data/lib/jose/jwe.rb +290 -0
data/lib/jose/jwe/alg.rb +12 -0
data/lib/jose/jwe/alg_aes_gcm_kw.rb +98 -0
data/lib/jose/jwe/alg_aes_kw.rb +57 -0
data/lib/jose/jwe/alg_dir.rb +40 -0
data/lib/jose/jwe/alg_ecdh_es.rb +123 -0
data/lib/jose/jwe/alg_pbes2.rb +90 -0
data/lib/jose/jwe/alg_rsa.rb +63 -0
data/lib/jose/jwe/enc.rb +8 -0
data/lib/jose/jwe/enc_aes_cbc_hmac.rb +80 -0
data/lib/jose/jwe/enc_aes_gcm.rb +68 -0
data/lib/jose/jwe/zip.rb +7 -0
data/lib/jose/jwe/zip_def.rb +28 -0
data/lib/jose/jwk.rb +347 -0
data/lib/jose/jwk/kty.rb +34 -0
data/lib/jose/jwk/kty_ec.rb +179 -0
data/lib/jose/jwk/kty_oct.rb +104 -0
data/lib/jose/jwk/kty_rsa.rb +185 -0
data/lib/jose/jwk/pem.rb +19 -0
data/lib/jose/jwk/set.rb +2 -0
data/lib/jose/jws.rb +242 -0
data/lib/jose/jws/alg.rb +10 -0
data/lib/jose/jws/alg_ecdsa.rb +41 -0
data/lib/jose/jws/alg_hmac.rb +41 -0
data/lib/jose/jws/alg_rsa_pkcs1_v1_5.rb +41 -0
data/lib/jose/jws/alg_rsa_pss.rb +41 -0
data/lib/jose/jwt.rb +145 -0
data/lib/jose/version.rb +3 -0
metadata +162 -0

data/lib/jose/jwa/pkcs7.rb ADDED Viewed

@@ -0,0 +1,23 @@
+module JOSE::JWA::PKCS7
+  extend self
+  def pad(binary)
+    size = 16 - (binary.bytesize % 16)
+    return [binary, *([size] * size)].pack('a*C*')
+  end
+  def unpad(binary)
+    p = binary.getbyte(-1)
+    size = binary.bytesize - p
+    binary_s = StringIO.new(binary)
+    result = binary_s.read(size)
+    p.times do
+      if binary_s.getbyte != p
+        raise ArgumentError, "unrecognized padding"
+      end
+    end
+    return result
+  end
+end

data/lib/jose/jwe.rb ADDED Viewed

@@ -0,0 +1,290 @@
+module JOSE
+  class EncryptedBinary < ::String
+    def expand
+      return JOSE::JWE.expand(self)
+    end
+  end
+  class EncryptedMap < JOSE::Map
+    def compact
+      return JOSE::JWE.compact(self)
+    end
+  end
+  class JWE < Struct.new(:alg, :enc, :zip, :fields)
+    # Decode API
+    def self.from(object, modules = {})
+      case object
+      when JOSE::Map, Hash
+        return from_map(object, modules)
+      when String
+        return from_binary(object, modules)
+      when JOSE::JWE
+        return object
+      else
+        raise ArgumentError, "'object' must be a Hash, String, or JOSE::JWE"
+      end
+    end
+    def self.from_binary(object, modules = {})
+      case object
+      when String
+        return from_map(JOSE.decode(object), modules)
+      else
+        raise ArgumentError, "'object' must be a String"
+      end
+    end
+    def self.from_file(file, modules = {})
+      return from_binary(File.binread(file), modules)
+    end
+    def self.from_map(object, modules = {})
+      case object
+      when JOSE::Map, Hash
+        return from_fields(JOSE::JWE.new(nil, nil, nil, JOSE::Map.new(object)), modules)
+      else
+        raise ArgumentError, "'object' must be a Hash"
+      end
+    end
+    # Encode API
+    def self.to_binary(jwe)
+      return from(jwe).to_binary
+    end
+    def to_binary
+      return JOSE.encode(to_map)
+    end
+    def self.to_file(jwe, file)
+      return from(jwe).to_file(file)
+    end
+    def to_file(file)
+      return File.binwrite(file, to_binary)
+    end
+    def self.to_map(jwe)
+      return from(jwe).to_map
+    end
+    def to_map
+      if zip.nil?
+        return alg.to_map(enc.to_map(fields))
+      else
+        return alg.to_map(enc.to_map(zip.to_map(fields)))
+      end
+    end
+    # API
+    def self.block_decrypt(key, encrypted)
+      if encrypted.is_a?(String)
+        encrypted = JOSE::JWE.expand(encrypted)
+      end
+      if encrypted.is_a?(Hash)
+        encrypted = JOSE::EncryptedMap.new(encrypted)
+      end
+      if encrypted.is_a?(JOSE::Map) and encrypted['ciphertext'].is_a?(String) and encrypted['encrypted_key'].is_a?(String) and encrypted['iv'].is_a?(String) and encrypted['protected'].is_a?(String) and encrypted['tag'].is_a?(String)
+        jwe = from_binary(JOSE.urlsafe_decode64(encrypted['protected']))
+        encrypted_key = JOSE.urlsafe_decode64(encrypted['encrypted_key'])
+        iv = JOSE.urlsafe_decode64(encrypted['iv'])
+        cipher_text = JOSE.urlsafe_decode64(encrypted['ciphertext'])
+        cipher_tag = JOSE.urlsafe_decode64(encrypted['tag'])
+        if encrypted['aad'].is_a?(String)
+          concat_aad = [encrypted['protected'], '.', encrypted['aad']].join
+          return jwe.block_decrypt(key, concat_aad, cipher_text, cipher_tag, encrypted_key, iv), jwe
+        else
+          return jwe.block_decrypt(key, encrypted['protected'], cipher_text, cipher_tag, encrypted_key, iv), jwe
+        end
+      else
+        raise ArgumentError, "'encrypted' is not a valid encrypted String, Hash, or JOSE::Map"
+      end
+    end
+    def block_decrypt(key, aad, cipher_text, cipher_tag, encrypted_key, iv)
+      cek = key_decrypt(key, encrypted_key)
+      return uncompress(enc.block_decrypt([aad, cipher_text, cipher_tag], cek, iv))
+    end
+    def self.block_encrypt(key, block, jwe, cek = nil, iv = nil)
+      return from(jwe).block_encrypt(key, block, cek, iv)
+    end
+    def block_encrypt(key, block, cek = nil, iv = nil)
+      cek ||= next_cek(key)
+      iv ||= next_iv
+      aad, plain_text = block
+      if plain_text.nil?
+        plain_text = aad
+        aad = nil
+      end
+      encrypted_key, jwe = key_encrypt(key, cek)
+      protected_binary = JOSE.urlsafe_encode64(jwe.to_binary)
+      if aad.nil?
+        cipher_text, cipher_tag = enc.block_encrypt([protected_binary, jwe.compress(plain_text)], cek, iv)
+        return JOSE::EncryptedMap[
+          'ciphertext'    => JOSE.urlsafe_encode64(cipher_text),
+          'encrypted_key' => JOSE.urlsafe_encode64(encrypted_key),
+          'iv'            => JOSE.urlsafe_encode64(iv),
+          'protected'     => protected_binary,
+          'tag'           => JOSE.urlsafe_encode64(cipher_tag)
+        ]
+      else
+        aad_b64 = JOSE.urlsafe_encode64(aad)
+        concat_aad = [protected_binary, '.', aad_b64].join
+        cipher_text, cipher_tag = enc.block_encrypt([aad_b64, jwe.compress(plain_text)], cek, iv)
+        return JOSE::EncryptedMap[
+          'aad'           => aad_b64,
+          'ciphertext'    => JOSE.urlsafe_encode64(cipher_text),
+          'encrypted_key' => JOSE.urlsafe_encode64(encrypted_key),
+          'iv'            => JOSE.urlsafe_encode64(iv),
+          'protected'     => protected_binary,
+          'tag'           => JOSE.urlsafe_encode64(cipher_tag)
+        ]
+      end
+    end
+    def self.compact(map)
+      if map.is_a?(Hash) or map.is_a?(JOSE::Map)
+        if map.has_key?('aad')
+          raise ArgumentError, "'map' with 'aad' cannot be compacted"
+        end
+        return JOSE::EncryptedBinary.new([
+          map['protected'] || '',
+          '.',
+          map['encrypted_key'] || '',
+          '.',
+          map['iv'] || '',
+          '.',
+          map['ciphertext'] || '',
+          '.',
+          map['tag'] || ''
+        ].join)
+      else
+        raise ArgumentError, "'map' must be a Hash or a JOSE::Map"
+      end
+    end
+    def compress(plain_text)
+      if zip.nil?
+        return plain_text
+      else
+        return zip.compress(plain_text)
+      end
+    end
+    def self.expand(binary)
+      if binary.is_a?(String)
+        parts = binary.split('.')
+        if parts.length == 5
+          protected_binary, encrypted_key, initialization_vector, cipher_text, authentication_tag = parts
+          return JOSE::EncryptedMap[
+            'ciphertext'    => cipher_text,
+            'encrypted_key' => encrypted_key,
+            'iv'            => initialization_vector,
+            'protected'     => protected_binary,
+            'tag'           => authentication_tag
+          ]
+        else
+          raise ArgumentError, "'binary' is not a valid encrypted String"
+        end
+      else
+        raise ArgumentError, "'binary' must be a String"
+      end
+    end
+    def key_decrypt(key, encrypted_key)
+      return alg.key_decrypt(key, enc, encrypted_key)
+    end
+    def key_encrypt(key, decrypted_key)
+      encrypted_key, new_alg = alg.key_encrypt(key, enc, decrypted_key)
+      new_jwe = JOSE::JWE.from_map(to_map)
+      new_jwe.alg = new_alg
+      return encrypted_key, new_jwe
+    end
+    def next_cek(key)
+      return alg.next_cek(key, enc)
+    end
+    def next_iv
+      return enc.next_iv
+    end
+    def self.peek_protected(encrypted)
+      if encrypted.is_a?(String)
+        encrypted = expand(encrypted)
+      end
+      return JOSE::Map.new(JOSE.decode(JOSE.urlsafe_decode64(encrypted['protected'])))
+    end
+    def uncompress(cipher_text)
+      if zip.nil?
+        return cipher_text
+      else
+        return zip.uncompress(cipher_text)
+      end
+    end
+  private
+    def self.from_fields(jwe, modules)
+      if jwe.fields.has_key?('alg')
+        alg = modules[:alg] || case jwe.fields['alg']
+        when 'A128KW', 'A192KW', 'A256KW'
+          JOSE::JWE::ALG_AES_KW
+        when 'A128GCMKW', 'A192GCMKW', 'A256GCMKW'
+          JOSE::JWE::ALG_AES_GCM_KW
+        when 'dir'
+          JOSE::JWE::ALG_dir
+        when 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW'
+          JOSE::JWE::ALG_ECDH_ES
+        when 'PBES2-HS256+A128KW', 'PBES2-HS384+A192KW', 'PBES2-HS512+A256KW'
+          JOSE::JWE::ALG_PBES2
+        when 'RSA1_5', 'RSA-OAEP', 'RSA-OAEP-256'
+          JOSE::JWE::ALG_RSA
+        else
+          raise ArgumentError, "unknown 'alg': #{jwe.fields['alg'].inspect}"
+        end
+        jwe.alg, jwe.fields = alg.from_map(jwe.fields)
+        return from_fields(jwe, modules)
+      elsif jwe.fields.has_key?('enc')
+        enc = modules[:enc] || case jwe.fields['enc']
+        when 'A128CBC-HS256', 'A192CBC-HS384', 'A256CBC-HS512'
+          JOSE::JWE::ENC_AES_CBC_HMAC
+        when 'A128GCM', 'A192GCM', 'A256GCM'
+          JOSE::JWE::ENC_AES_GCM
+        else
+          raise ArgumentError, "unknown 'enc': #{jwe.fields['enc'].inspect}"
+        end
+        jwe.enc, jwe.fields = enc.from_map(jwe.fields)
+        return from_fields(jwe, modules)
+      elsif jwe.fields.has_key?('zip')
+        zip = modules[:zip] || case jwe.fields['zip']
+        when 'DEF'
+          JOSE::JWE::ZIP_DEF
+        else
+          raise ArgumentError, "unknown 'zip': #{jwe.fields['zip'].inspect}"
+        end
+        jwe.zip, jwe.fields = zip.from_map(jwe.fields)
+        return from_fields(jwe, modules)
+      elsif jwe.alg.nil? and jwe.enc.nil?
+        raise ArgumentError, "missing required keys: 'alg' and 'enc'"
+      else
+        return jwe
+      end
+    end
+  end
+end
+require 'jose/jwe/alg'
+require 'jose/jwe/enc'
+require 'jose/jwe/zip'

data/lib/jose/jwe/alg.rb ADDED Viewed

@@ -0,0 +1,12 @@
+module JOSE::JWE::ALG
+  extend self
+end
+require 'jose/jwe/alg_aes_gcm_kw'
+require 'jose/jwe/alg_aes_kw'
+require 'jose/jwe/alg_dir'
+require 'jose/jwe/alg_ecdh_es'
+require 'jose/jwe/alg_pbes2'
+require 'jose/jwe/alg_rsa'

data/lib/jose/jwe/alg_aes_gcm_kw.rb ADDED Viewed

@@ -0,0 +1,98 @@
+class JOSE::JWE::ALG_AES_GCM_KW < Struct.new(:cipher_name, :bits, :iv, :tag)
+  # JOSE::JWE callbacks
+  def self.from_map(fields)
+    bits = nil
+    cipher_name = nil
+    case fields['alg']
+    when 'A128GCMKW'
+      bits = 128
+      cipher_name = 'aes-128-gcm'
+    when 'A192GCMKW'
+      bits = 192
+      cipher_name = 'aes-192-gcm'
+    when 'A256GCMKW'
+      bits = 256
+      cipher_name = 'aes-256-gcm'
+    else
+      raise ArgumentError, "invalid 'alg' for JWE: #{fields['alg'].inspect}"
+    end
+    iv = nil
+    if fields.has_key?('iv')
+      iv = JOSE.urlsafe_decode64(fields['iv'])
+    end
+    tag = nil
+    if fields.has_key?('tag')
+      tag = JOSE.urlsafe_decode64(fields['tag'])
+    end
+    return new(cipher_name, bits, iv, tag), fields.except('alg', 'iv', 'tag')
+  end
+  def to_map(fields)
+    alg = case bits
+    when 128
+      'A128GCMKW'
+    when 192
+      'A192GCMKW'
+    when 256
+      'A256GCMKW'
+    else
+      raise ArgumentError, "unhandled JOSE::JWE::ALG_AES_KW bits: #{bits.inspect}"
+    end
+    fields = fields.put('alg', alg)
+    if iv
+      fields = fields.put('iv', JOSE.urlsafe_encode64(iv))
+    end
+    if tag
+      fields = fields.put('tag', JOSE.urlsafe_encode64(tag))
+    end
+    return fields
+  end
+  # JOSE::JWE::ALG callbacks
+  def key_decrypt(key, enc, encrypted_key)
+    if iv.nil? or tag.nil?
+      raise ArgumentError, "missing required fields for decryption: 'iv' and 'tag'"
+    end
+    if key.is_a?(JOSE::JWK)
+      key = key.kty.derive_key
+    end
+    derived_key = key
+    aad = ''
+    cipher_text = encrypted_key
+    cipher_tag = tag
+    cipher = OpenSSL::Cipher.new(cipher_name)
+    cipher.decrypt
+    cipher.key = derived_key
+    cipher.iv = iv
+    cipher.auth_data = aad
+    cipher.auth_tag = cipher_tag
+    plain_text = cipher.update(cipher_text) + cipher.final
+    return plain_text
+  end
+  def key_encrypt(key, enc, decrypted_key)
+    if key.is_a?(JOSE::JWK)
+      key = key.kty.derive_key
+    end
+    new_alg = JOSE::JWE::ALG_AES_GCM_KW.new(cipher_name, bits, iv || SecureRandom.random_bytes(12))
+    derived_key = key
+    aad = ''
+    plain_text = decrypted_key
+    cipher = OpenSSL::Cipher.new(new_alg.cipher_name)
+    cipher.encrypt
+    cipher.key = derived_key
+    cipher.iv = new_alg.iv
+    cipher.auth_data = aad
+    cipher_text = cipher.update(plain_text) + cipher.final
+    new_alg.tag = cipher.auth_tag
+    return cipher_text, new_alg
+  end
+  def next_cek(key, enc)
+    return enc.next_cek
+  end
+end

data/lib/jose/jwe/alg_aes_kw.rb ADDED Viewed

@@ -0,0 +1,57 @@
+class JOSE::JWE::ALG_AES_KW < Struct.new(:bits)
+  # JOSE::JWE callbacks
+  def self.from_map(fields)
+    bits = case fields['alg']
+    when 'A128KW'
+      128
+    when 'A192KW'
+      192
+    when 'A256KW'
+      256
+    else
+      raise ArgumentError, "invalid 'alg' for JWE: #{fields['alg'].inspect}"
+    end
+    return new(bits), fields.except('alg')
+  end
+  def to_map(fields)
+    alg = case bits
+    when 128
+      'A128KW'
+    when 192
+      'A192KW'
+    when 256
+      'A256KW'
+    else
+      raise ArgumentError, "unhandled JOSE::JWE::ALG_AES_KW bits: #{bits.inspect}"
+    end
+    return fields.put('alg', alg)
+  end
+  # JOSE::JWE::ALG callbacks
+  def key_decrypt(key, enc, encrypted_key)
+    if key.is_a?(JOSE::JWK)
+      key = key.kty.derive_key
+    end
+    derived_key = key
+    decrypted_key = JOSE::JWA::AES_KW.unwrap(encrypted_key, derived_key)
+    return decrypted_key
+  end
+  def key_encrypt(key, enc, decrypted_key)
+    if key.is_a?(JOSE::JWK)
+      key = key.kty.derive_key
+    end
+    derived_key = key
+    encrypted_key = JOSE::JWA::AES_KW.wrap(decrypted_key, derived_key)
+    return encrypted_key, self
+  end
+  def next_cek(key, enc)
+    return enc.next_cek
+  end
+end