RubyGems - jose - Versions diffs - 0.1.0 - Mend

jose 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (49) hide show

checksums.yaml +7 -0
data/.editorconfig +20 -0
data/.gitignore +9 -0
data/.ruby-gemset +1 -0
data/.ruby-version +1 -0
data/.travis.yml +4 -0
data/CODE_OF_CONDUCT.md +13 -0
data/Gemfile +20 -0
data/LICENSE.txt +373 -0
data/README.md +41 -0
data/Rakefile +10 -0
data/bin/console +14 -0
data/bin/setup +7 -0
data/jose.gemspec +36 -0
data/lib/jose.rb +61 -0
data/lib/jose/jwa.rb +21 -0
data/lib/jose/jwa/aes_kw.rb +105 -0
data/lib/jose/jwa/concat_kdf.rb +50 -0
data/lib/jose/jwa/pkcs1.rb +269 -0
data/lib/jose/jwa/pkcs7.rb +23 -0
data/lib/jose/jwe.rb +290 -0
data/lib/jose/jwe/alg.rb +12 -0
data/lib/jose/jwe/alg_aes_gcm_kw.rb +98 -0
data/lib/jose/jwe/alg_aes_kw.rb +57 -0
data/lib/jose/jwe/alg_dir.rb +40 -0
data/lib/jose/jwe/alg_ecdh_es.rb +123 -0
data/lib/jose/jwe/alg_pbes2.rb +90 -0
data/lib/jose/jwe/alg_rsa.rb +63 -0
data/lib/jose/jwe/enc.rb +8 -0
data/lib/jose/jwe/enc_aes_cbc_hmac.rb +80 -0
data/lib/jose/jwe/enc_aes_gcm.rb +68 -0
data/lib/jose/jwe/zip.rb +7 -0
data/lib/jose/jwe/zip_def.rb +28 -0
data/lib/jose/jwk.rb +347 -0
data/lib/jose/jwk/kty.rb +34 -0
data/lib/jose/jwk/kty_ec.rb +179 -0
data/lib/jose/jwk/kty_oct.rb +104 -0
data/lib/jose/jwk/kty_rsa.rb +185 -0
data/lib/jose/jwk/pem.rb +19 -0
data/lib/jose/jwk/set.rb +2 -0
data/lib/jose/jws.rb +242 -0
data/lib/jose/jws/alg.rb +10 -0
data/lib/jose/jws/alg_ecdsa.rb +41 -0
data/lib/jose/jws/alg_hmac.rb +41 -0
data/lib/jose/jws/alg_rsa_pkcs1_v1_5.rb +41 -0
data/lib/jose/jws/alg_rsa_pss.rb +41 -0
data/lib/jose/jwt.rb +145 -0
data/lib/jose/version.rb +3 -0
metadata +162 -0

data/lib/jose/jwa/pkcs7.rb ADDED Viewed

@@ -0,0 +1,23 @@
+module JOSE::JWA::PKCS7
+  extend self
+  def pad(binary)
+    size = 16 - (binary.bytesize % 16)
+    return [binary, *([size] * size)].pack('a*C*')
+  end
+  def unpad(binary)
+    p = binary.getbyte(-1)
+    size = binary.bytesize - p
+    binary_s = StringIO.new(binary)
+    result = binary_s.read(size)
+    p.times do
+      if binary_s.getbyte != p
+        raise ArgumentError, "unrecognized padding"
+      end
+    end
+    return result
+  end
+end

data/lib/jose/jwe.rb ADDED Viewed

@@ -0,0 +1,290 @@
+module JOSE
+  class EncryptedBinary < ::String
+    def expand
+      return JOSE::JWE.expand(self)
+    end
+  end
+  class EncryptedMap < JOSE::Map
+    def compact
+      return JOSE::JWE.compact(self)
+    end
+  end
+  class JWE < Struct.new(:alg, :enc, :zip, :fields)
+    # Decode API
+    def self.from(object, modules = {})
+      case object
+      when JOSE::Map, Hash
+        return from_map(object, modules)
+      when String
+        return from_binary(object, modules)
+      when JOSE::JWE
+        return object
+      else
+        raise ArgumentError, "'object' must be a Hash, String, or JOSE::JWE"
+      end
+    end
+    def self.from_binary(object, modules = {})
+      case object
+      when String
+        return from_map(JOSE.decode(object), modules)
+      else
+        raise ArgumentError, "'object' must be a String"
+      end
+    end
+    def self.from_file(file, modules = {})
+      return from_binary(File.binread(file), modules)
+    end
+    def self.from_map(object, modules = {})
+      case object
+      when JOSE::Map, Hash
+        return from_fields(JOSE::JWE.new(nil, nil, nil, JOSE::Map.new(object)), modules)
+      else
+        raise ArgumentError, "'object' must be a Hash"
+      end
+    end
+    # Encode API
+    def self.to_binary(jwe)
+      return from(jwe).to_binary
+    end
+    def to_binary
+      return JOSE.encode(to_map)
+    end
+    def self.to_file(jwe, file)
+      return from(jwe).to_file(file)
+    end
+    def to_file(file)
+      return File.binwrite(file, to_binary)
+    end
+    def self.to_map(jwe)
+      return from(jwe).to_map
+    end
+    def to_map
+      if zip.nil?
+        return alg.to_map(enc.to_map(fields))
+      else
+        return alg.to_map(enc.to_map(zip.to_map(fields)))
+      end
+    end
+    # API
+    def self.block_decrypt(key, encrypted)
+      if encrypted.is_a?(String)
+        encrypted = JOSE::JWE.expand(encrypted)
+      end
+      if encrypted.is_a?(Hash)
+        encrypted = JOSE::EncryptedMap.new(encrypted)
+      end
+      if encrypted.is_a?(JOSE::Map) and encrypted['ciphertext'].is_a?(String) and encrypted['encrypted_key'].is_a?(String) and encrypted['iv'].is_a?(String) and encrypted['protected'].is_a?(String) and encrypted['tag'].is_a?(String)
+        jwe = from_binary(JOSE.urlsafe_decode64(encrypted['protected']))
+        encrypted_key = JOSE.urlsafe_decode64(encrypted['encrypted_key'])
+        iv = JOSE.urlsafe_decode64(encrypted['iv'])
+        cipher_text = JOSE.urlsafe_decode64(encrypted['ciphertext'])
+        cipher_tag = JOSE.urlsafe_decode64(encrypted['tag'])
+        if encrypted['aad'].is_a?(String)
+          concat_aad = [encrypted['protected'], '.', encrypted['aad']].join
+          return jwe.block_decrypt(key, concat_aad, cipher_text, cipher_tag, encrypted_key, iv), jwe
+        else
+          return jwe.block_decrypt(key, encrypted['protected'], cipher_text, cipher_tag, encrypted_key, iv), jwe
+        end
+      else
+        raise ArgumentError, "'encrypted' is not a valid encrypted String, Hash, or JOSE::Map"
+      end
+    end
+    def block_decrypt(key, aad, cipher_text, cipher_tag, encrypted_key, iv)
+      cek = key_decrypt(key, encrypted_key)
+      return uncompress(enc.block_decrypt([aad, cipher_text, cipher_tag], cek, iv))
+    end
+    def self.block_encrypt(key, block, jwe, cek = nil, iv = nil)
+      return from(jwe).block_encrypt(key, block, cek, iv)
+    end
+    def block_encrypt(key, block, cek = nil, iv = nil)
+      cek ||= next_cek(key)
+      iv ||= next_iv
+      aad, plain_text = block
+      if plain_text.nil?
+        plain_text = aad
+        aad = nil
+      end
+      encrypted_key, jwe = key_encrypt(key, cek)
+      protected_binary = JOSE.urlsafe_encode64(jwe.to_binary)
+      if aad.nil?
+        cipher_text, cipher_tag = enc.block_encrypt([protected_binary, jwe.compress(plain_text)], cek, iv)
+        return JOSE::EncryptedMap[
+          'ciphertext'    => JOSE.urlsafe_encode64(cipher_text),
+          'encrypted_key' => JOSE.urlsafe_encode64(encrypted_key),
+          'iv'            => JOSE.urlsafe_encode64(iv),
+          'protected'     => protected_binary,
+          'tag'           => JOSE.urlsafe_encode64(cipher_tag)
+        ]
+      else
+        aad_b64 = JOSE.urlsafe_encode64(aad)
+        concat_aad = [protected_binary, '.', aad_b64].join
+        cipher_text, cipher_tag = enc.block_encrypt([aad_b64, jwe.compress(plain_text)], cek, iv)
+        return JOSE::EncryptedMap[
+          'aad'           => aad_b64,
+          'ciphertext'    => JOSE.urlsafe_encode64(cipher_text),
+          'encrypted_key' => JOSE.urlsafe_encode64(encrypted_key),
+          'iv'            => JOSE.urlsafe_encode64(iv),
+          'protected'     => protected_binary,
+          'tag'           => JOSE.urlsafe_encode64(cipher_tag)
+        ]
+      end
+    end
+    def self.compact(map)
+      if map.is_a?(Hash) or map.is_a?(JOSE::Map)
+        if map.has_key?('aad')
+          raise ArgumentError, "'map' with 'aad' cannot be compacted"
+        end
+        return JOSE::EncryptedBinary.new([
+          map['protected'] || '',
+          '.',
+          map['encrypted_key'] || '',
+          '.',
+          map['iv'] || '',
+          '.',
+          map['ciphertext'] || '',
+          '.',
+          map['tag'] || ''
+        ].join)
+      else
+        raise ArgumentError, "'map' must be a Hash or a JOSE::Map"
+      end
+    end
+    def compress(plain_text)
+      if zip.nil?
+        return plain_text
+      else
+        return zip.compress(plain_text)
+      end
+    end
+    def self.expand(binary)
+      if binary.is_a?(String)
+        parts = binary.split('.')
+        if parts.length == 5
+          protected_binary, encrypted_key, initialization_vector, cipher_text, authentication_tag = parts
+          return JOSE::EncryptedMap[
+            'ciphertext'    => cipher_text,
+            'encrypted_key' => encrypted_key,
+            'iv'            => initialization_vector,
+            'protected'     => protected_binary,
+            'tag'           => authentication_tag
+          ]
+        else
+          raise ArgumentError, "'binary' is not a valid encrypted String"
+        end
+      else
+        raise ArgumentError, "'binary' must be a String"
+      end
+    end
+    def key_decrypt(key, encrypted_key)
+      return alg.key_decrypt(key, enc, encrypted_key)
+    end
+    def key_encrypt(key, decrypted_key)
+      encrypted_key, new_alg = alg.key_encrypt(key, enc, decrypted_key)
+      new_jwe = JOSE::JWE.from_map(to_map)
+      new_jwe.alg = new_alg
+      return encrypted_key, new_jwe
+    end
+    def next_cek(key)
+      return alg.next_cek(key, enc)
+    end
+    def next_iv
+      return enc.next_iv
+    end
+    def self.peek_protected(encrypted)
+      if encrypted.is_a?(String)
+        encrypted = expand(encrypted)
+      end
+      return JOSE::Map.new(JOSE.decode(JOSE.urlsafe_decode64(encrypted['protected'])))
+    end
+    def uncompress(cipher_text)
+      if zip.nil?
+        return cipher_text
+      else
+        return zip.uncompress(cipher_text)
+      end
+    end
+  private
+    def self.from_fields(jwe, modules)
+      if jwe.fields.has_key?('alg')
+        alg = modules[:alg] || case jwe.fields['alg']
+        when 'A128KW', 'A192KW', 'A256KW'
+          JOSE::JWE::ALG_AES_KW
+        when 'A128GCMKW', 'A192GCMKW', 'A256GCMKW'
+          JOSE::JWE::ALG_AES_GCM_KW
+        when 'dir'
+          JOSE::JWE::ALG_dir
+        when 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW'
+          JOSE::JWE::ALG_ECDH_ES
+        when 'PBES2-HS256+A128KW', 'PBES2-HS384+A192KW', 'PBES2-HS512+A256KW'
+          JOSE::JWE::ALG_PBES2
+        when 'RSA1_5', 'RSA-OAEP', 'RSA-OAEP-256'
+          JOSE::JWE::ALG_RSA
+        else
+          raise ArgumentError, "unknown 'alg': #{jwe.fields['alg'].inspect}"
+        end
+        jwe.alg, jwe.fields = alg.from_map(jwe.fields)
+        return from_fields(jwe, modules)
+      elsif jwe.fields.has_key?('enc')
+        enc = modules[:enc] || case jwe.fields['enc']
+        when 'A128CBC-HS256', 'A192CBC-HS384', 'A256CBC-HS512'
+          JOSE::JWE::ENC_AES_CBC_HMAC
+        when 'A128GCM', 'A192GCM', 'A256GCM'
+          JOSE::JWE::ENC_AES_GCM
+        else
+          raise ArgumentError, "unknown 'enc': #{jwe.fields['enc'].inspect}"
+        end
+        jwe.enc, jwe.fields = enc.from_map(jwe.fields)
+        return from_fields(jwe, modules)
+      elsif jwe.fields.has_key?('zip')
+        zip = modules[:zip] || case jwe.fields['zip']
+        when 'DEF'
+          JOSE::JWE::ZIP_DEF
+        else
+          raise ArgumentError, "unknown 'zip': #{jwe.fields['zip'].inspect}"
+        end
+        jwe.zip, jwe.fields = zip.from_map(jwe.fields)
+        return from_fields(jwe, modules)
+      elsif jwe.alg.nil? and jwe.enc.nil?
+        raise ArgumentError, "missing required keys: 'alg' and 'enc'"
+      else
+        return jwe
+      end
+    end
+  end
+end
+require 'jose/jwe/alg'
+require 'jose/jwe/enc'
+require 'jose/jwe/zip'

data/lib/jose/jwe/alg.rb ADDED Viewed

@@ -0,0 +1,12 @@
+module JOSE::JWE::ALG
+  extend self
+end
+require 'jose/jwe/alg_aes_gcm_kw'
+require 'jose/jwe/alg_aes_kw'
+require 'jose/jwe/alg_dir'
+require 'jose/jwe/alg_ecdh_es'
+require 'jose/jwe/alg_pbes2'
+require 'jose/jwe/alg_rsa'

data/lib/jose/jwe/alg_aes_gcm_kw.rb ADDED Viewed

@@ -0,0 +1,98 @@
+class JOSE::JWE::ALG_AES_GCM_KW < Struct.new(:cipher_name, :bits, :iv, :tag)
+  # JOSE::JWE callbacks
+  def self.from_map(fields)
+    bits = nil
+    cipher_name = nil
+    case fields['alg']
+    when 'A128GCMKW'
+      bits = 128
+      cipher_name = 'aes-128-gcm'
+    when 'A192GCMKW'
+      bits = 192
+      cipher_name = 'aes-192-gcm'
+    when 'A256GCMKW'
+      bits = 256
+      cipher_name = 'aes-256-gcm'
+    else
+      raise ArgumentError, "invalid 'alg' for JWE: #{fields['alg'].inspect}"
+    end
+    iv = nil
+    if fields.has_key?('iv')
+      iv = JOSE.urlsafe_decode64(fields['iv'])
+    end
+    tag = nil
+    if fields.has_key?('tag')
+      tag = JOSE.urlsafe_decode64(fields['tag'])
+    end
+    return new(cipher_name, bits, iv, tag), fields.except('alg', 'iv', 'tag')
+  end
+  def to_map(fields)
+    alg = case bits
+    when 128
+      'A128GCMKW'
+    when 192
+      'A192GCMKW'
+    when 256
+      'A256GCMKW'
+    else
+      raise ArgumentError, "unhandled JOSE::JWE::ALG_AES_KW bits: #{bits.inspect}"
+    end
+    fields = fields.put('alg', alg)
+    if iv
+      fields = fields.put('iv', JOSE.urlsafe_encode64(iv))
+    end
+    if tag
+      fields = fields.put('tag', JOSE.urlsafe_encode64(tag))
+    end
+    return fields
+  end
+  # JOSE::JWE::ALG callbacks
+  def key_decrypt(key, enc, encrypted_key)
+    if iv.nil? or tag.nil?
+      raise ArgumentError, "missing required fields for decryption: 'iv' and 'tag'"
+    end
+    if key.is_a?(JOSE::JWK)
+      key = key.kty.derive_key
+    end
+    derived_key = key
+    aad = ''
+    cipher_text = encrypted_key
+    cipher_tag = tag
+    cipher = OpenSSL::Cipher.new(cipher_name)
+    cipher.decrypt
+    cipher.key = derived_key
+    cipher.iv = iv
+    cipher.auth_data = aad
+    cipher.auth_tag = cipher_tag
+    plain_text = cipher.update(cipher_text) + cipher.final
+    return plain_text
+  end
+  def key_encrypt(key, enc, decrypted_key)
+    if key.is_a?(JOSE::JWK)
+      key = key.kty.derive_key
+    end
+    new_alg = JOSE::JWE::ALG_AES_GCM_KW.new(cipher_name, bits, iv || SecureRandom.random_bytes(12))
+    derived_key = key
+    aad = ''
+    plain_text = decrypted_key
+    cipher = OpenSSL::Cipher.new(new_alg.cipher_name)
+    cipher.encrypt
+    cipher.key = derived_key
+    cipher.iv = new_alg.iv
+    cipher.auth_data = aad
+    cipher_text = cipher.update(plain_text) + cipher.final
+    new_alg.tag = cipher.auth_tag
+    return cipher_text, new_alg
+  end
+  def next_cek(key, enc)
+    return enc.next_cek
+  end
+end

data/lib/jose/jwe/alg_aes_kw.rb ADDED Viewed

@@ -0,0 +1,57 @@
+class JOSE::JWE::ALG_AES_KW < Struct.new(:bits)
+  # JOSE::JWE callbacks
+  def self.from_map(fields)
+    bits = case fields['alg']
+    when 'A128KW'
+      128
+    when 'A192KW'
+      192
+    when 'A256KW'
+      256
+    else
+      raise ArgumentError, "invalid 'alg' for JWE: #{fields['alg'].inspect}"
+    end
+    return new(bits), fields.except('alg')
+  end
+  def to_map(fields)
+    alg = case bits
+    when 128
+      'A128KW'
+    when 192
+      'A192KW'
+    when 256
+      'A256KW'
+    else
+      raise ArgumentError, "unhandled JOSE::JWE::ALG_AES_KW bits: #{bits.inspect}"
+    end
+    return fields.put('alg', alg)
+  end
+  # JOSE::JWE::ALG callbacks
+  def key_decrypt(key, enc, encrypted_key)
+    if key.is_a?(JOSE::JWK)
+      key = key.kty.derive_key
+    end
+    derived_key = key
+    decrypted_key = JOSE::JWA::AES_KW.unwrap(encrypted_key, derived_key)
+    return decrypted_key
+  end
+  def key_encrypt(key, enc, decrypted_key)
+    if key.is_a?(JOSE::JWK)
+      key = key.kty.derive_key
+    end
+    derived_key = key
+    encrypted_key = JOSE::JWA::AES_KW.wrap(decrypted_key, derived_key)
+    return encrypted_key, self
+  end
+  def next_cek(key, enc)
+    return enc.next_cek
+  end
+end