RubyGems - jose - Versions diffs - 0.2.0 → 0.3.0 - Mend

jose 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (40) hide show

checksums.yaml +4 -4
data/.ruby-version +1 -1
data/.travis.yml +2 -2
data/CHANGELOG.md +42 -0
data/README.md +19 -2
data/jose.gemspec +2 -2
data/lib/jose.rb +13 -0
data/lib/jose/jwa/curve25519.rb +5 -4
data/lib/jose/jwa/curve448.rb +5 -4
data/lib/jose/jwe.rb +27 -1
data/lib/jose/jwe/alg.rb +8 -0
data/lib/jose/jwe/alg_aes_gcm_kw.rb +22 -10
data/lib/jose/jwe/alg_aes_kw.rb +20 -11
data/lib/jose/jwe/alg_dir.rb +4 -0
data/lib/jose/jwe/alg_ecdh_es.rb +8 -0
data/lib/jose/jwe/alg_pbes2.rb +51 -16
data/lib/jose/jwe/alg_rsa.rb +23 -15
data/lib/jose/jwe/enc_aes_cbc_hmac.rb +6 -4
data/lib/jose/jwe/enc_aes_gcm.rb +2 -0
data/lib/jose/jwk.rb +37 -3
data/lib/jose/jwk/kty_ec.rb +47 -8
data/lib/jose/jwk/kty_oct.rb +45 -19
data/lib/jose/jwk/kty_okp_ed25519.rb +8 -2
data/lib/jose/jwk/kty_okp_ed25519ph.rb +8 -2
data/lib/jose/jwk/kty_okp_ed448.rb +8 -2
data/lib/jose/jwk/kty_okp_ed448ph.rb +8 -2
data/lib/jose/jwk/kty_okp_x25519.rb +22 -5
data/lib/jose/jwk/kty_okp_x448.rb +22 -5
data/lib/jose/jwk/kty_rsa.rb +16 -7
data/lib/jose/jws.rb +27 -3
data/lib/jose/jws/alg.rb +8 -0
data/lib/jose/jws/alg_ecdsa.rb +13 -0
data/lib/jose/jws/alg_eddsa.rb +4 -0
data/lib/jose/jws/alg_hmac.rb +13 -0
data/lib/jose/jws/alg_none.rb +44 -0
data/lib/jose/jws/alg_rsa_pkcs1_v1_5.rb +13 -0
data/lib/jose/jws/alg_rsa_pss.rb +13 -0
data/lib/jose/jwt.rb +20 -2
data/lib/jose/version.rb +1 -1
metadata +7 -6

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7376ae594edf0f6ec851ffe557de7d6f0f1680cd
-  data.tar.gz: 9a65bee349e4419c92c7b1bd01e08008ae82a2b3
+  metadata.gz: c8b3820a104b8d8b71e1e8557f70aede232595e2
+  data.tar.gz: 3fdaa67a5ed08f9d6f6f8e5249737b3dc22ebe89
 SHA512:
-  metadata.gz: ee8d43fd9d51f20753b853d1da36e8d2dc0cb8f725f20b88f825f5c8f369cb365027654f97bd0ac06f3865afc3119a5b9bbffb0d58e8353ae775b00221138c6b
-  data.tar.gz: 8700bb7d9c63aae53281e3619067d503b35d4ca6691bf7e1782d33709e4c14122a23598dc474e49601d9575fd09d6394c246723a42dca6a0a7758fad90aae39d
+  metadata.gz: dbe1b64dc34bad69cfb2250a54e30eeb5f7ac864431d7d39463dbeaddec4ea3e2975e7a3f09a0c4ba9d82a06e02e4ce0934e2cf97f7ae0782f8c58a78a1d56d5
+  data.tar.gz: 4b96226504359839de7fb9d932b929abf58cf959ccf89ac2d6b6ca045c4ab148e4cfcb7f7b8592fecb8d2313bc6b687fba7789edfddb9fe96a0ef366c4bb7d13

data/.ruby-version CHANGED

	@@ -1 +1 @@
1	- 2.3.0
1	+ 2.3.1

data/.travis.yml CHANGED

@@ -4,10 +4,10 @@ sudo: required
 dist: trusty
 rvm:
-  - 2.3.0
+  - 2.3.1
 notifications:
   email: false
 before_install:
-  - "gem install bundler -v 1.11.2"
+  - "gem install bundler -v 1.12.2"

data/CHANGELOG.md CHANGED

@@ -1,5 +1,47 @@
 # Changelog
+## 0.3.0 (2016-05-05)
+* Enhancements
+  * Added merge functions:
+    * `JOSE::JWE#merge`
+    * `JOSE::JWK#merge`
+    * `JOSE::JWS#merge`
+    * `JOSE::JWT#merge`
+  * Added block_encryptor and signer functions:
+    * `JOSE::JWK#block_encryptor`
+    * `JOSE::JWK#signer`
+  * Support for `"alg"`, `"enc"`, and `"use"` on keys.
+Examples of new functionality:
+```ruby
+# Let's generate a 64 byte octet key
+jwk = JOSE::JWK.generate_key([:oct, 64])
+# => {"k"=>"FXSy7PufOayusvfyKQzdxCegm7yWIMp1b0LD13v57Nq2wF_B-fcr7LDOkufDikmFFsVYWLgrA2zEB--_qqDn3g", "kty"=>"oct"}
+# Based on the key's size and type, a default signer (JWS) can be determined
+jwk.signer
+# => {"alg"=>"HS512"}
+# Based on the key's size and type, a default encryptor (JWE) can be determined
+jwk.block_encryptor
+# => {"alg"=>"dir", "enc"=>"A256CBC-HS512"}
+# Keys can be generated based on the signing algorithm (JWS)
+JOSE::JWS.generate_key({'alg' => 'HS256'})
+# => {"alg"=>"HS256", "k"=>"UuP3Tw2xbGV5N3BGh34cJNzzC2R1zU7i4rOnF9A8nqY", "kty"=>"oct", "use"=>"sig"}
+# Keys can be generated based on the encryption algorithm (JWE)
+JOSE::JWE.generate_key({'alg' => 'dir', 'enc' => 'A128GCM'})
+# => {"alg"=>"dir", "enc"=>"A128GCM", "k"=>"8WNdBjXXwg6QTwrrOnvEPw", "kty"=>"oct", "use"=>"enc"}
+# Example of merging a map into an existing JWS (also works with JWE, JWK, and JWT)
+jws = JOSE::JWS.from({'alg' => 'HS256'})
+jws.merge({'typ' => 'JWT'})
+# => {"alg"=>"HS256", "typ"=>"JWT"}
+```
 ## 0.2.0 (2016-02-25)
 * Enhancements

data/README.md CHANGED

@@ -24,7 +24,25 @@ Or install it yourself as:
 ## Usage
-TODO: Write usage instructions here
+Better documentation is in progress, but the [erlang-jose documentation](https://hexdocs.pm/jose/) can provide an idea of the functionality available in this gem.
+```ruby
+# Let's use our secret key "symmetric key" for use with
+# the HMAC using SHA-256 (HS256) algorithm.
+jwk = JOSE::JWK.from_oct('symmetric key')
+# Here is the JSON format of our JWK.
+jwk.to_binary
+# => "{\"k\":\"c3ltbWV0cmljIGtleQ\",\"kty\":\"oct\"}"
+# Now let's sign our message using HS256.
+signed = jwk.sign('test', { 'alg' => 'HS256' }).compact
+# => "eyJhbGciOiJIUzI1NiJ9.dGVzdA.VlZz7pJCnos0k-WUL9O9RoT9N--2kHSakNIdOg-MIro"
+# We use the same key for verification.
+verified, message, = jwk.verify(signed)
+# => [true, "test"]
+```
 ## Development
@@ -36,7 +54,6 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 Bug reports and pull requests are welcome on GitHub at https://github.com/potatosalad/ruby-jose. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](contributor-covenant.org) code of conduct.
 ## License
 The gem is available as open source under the terms of the [MPL-2.0 License](http://opensource.org/licenses/MPL-2.0).

data/jose.gemspec CHANGED

@@ -29,8 +29,8 @@ Gem::Specification.new do |spec|
   spec.add_dependency "hamster"
-  spec.add_development_dependency "bundler", "~> 1.11"
-  spec.add_development_dependency "rake", "~> 10.5"
+  spec.add_development_dependency "bundler", "~> 1.12"
+  spec.add_development_dependency "rake", "~> 11.1"
   spec.add_development_dependency "minitest"
   spec.add_development_dependency "json"
   spec.add_development_dependency "rbnacl-libsodium"

data/lib/jose.rb CHANGED

@@ -17,6 +17,7 @@ module JOSE
   MUTEX = Mutex.new
   @__crypto_fallback__ = ENV['JOSE_CRYPTO_FALLBACK'] ? true : false
+  @__unsecured_signing__ = ENV['JOSE_UNSECURED_SIGNING'] ? true : false
   def __crypto_fallback__
     return @__crypto_fallback__
@@ -54,6 +55,18 @@ module JOSE
     return JSON.dump(sort_maps(term))
   end
+  def __unsecured_signing__
+    return @__unsecured_signing__
+  end
+  def __unsecured_signing__=(boolean)
+    boolean = !!boolean
+    MUTEX.synchronize {
+      @__unsecured_signing__ = boolean
+      __config_change__
+    }
+  end
   def urlsafe_decode64(binary)
     case binary.bytesize % 4
     when 2

data/lib/jose/jwa/curve25519.rb CHANGED

@@ -29,6 +29,7 @@ module JOSE::JWA::Curve25519
   def __config_change__(lock = true)
     MUTEX.lock if lock
+    @__implementation__ ||= nil
     @__implementation__ = __pick_best_implementation__ if @__implementation__.nil? or @__implementation__.__ruby__? or not @__implementation__.__supported__?
     MUTEX.unlock if lock
   end
@@ -80,11 +81,11 @@ module JOSE::JWA::Curve25519
 private
   def __pick_best_implementation__
     implementation = nil
-    implementation = @__implementations__.detect do |implementation|
-      next implementation.__supported__?
+    implementation = @__implementations__.detect do |mod|
+      next mod.__supported__?
     end
-    implementation ||= @__ruby_implementations__.detect do |implementation|
-      next implementation.__supported__?
+    implementation ||= @__ruby_implementations__.detect do |mod|
+      next mod.__supported__?
     end
     implementation ||= JOSE::JWA::Curve25519_Unsupported
     return implementation

data/lib/jose/jwa/curve448.rb CHANGED

@@ -29,6 +29,7 @@ module JOSE::JWA::Curve448
   def __config_change__(lock = true)
     MUTEX.lock if lock
+    @__implementation__ ||= nil
     @__implementation__ = __pick_best_implementation__ if @__implementation__.nil? or @__implementation__.__ruby__? or not @__implementation__.__supported__?
     MUTEX.unlock if lock
   end
@@ -80,11 +81,11 @@ module JOSE::JWA::Curve448
 private
   def __pick_best_implementation__
     implementation = nil
-    implementation = @__implementations__.detect do |implementation|
-      next implementation.__supported__?
+    implementation = @__implementations__.detect do |mod|
+      next mod.__supported__?
     end
-    implementation ||= @__ruby_implementations__.detect do |implementation|
-      next implementation.__supported__?
+    implementation ||= @__ruby_implementations__.detect do |mod|
+      next mod.__supported__?
     end
     implementation ||= JOSE::JWA::Curve448_Unsupported
     return implementation

data/lib/jose/jwe.rb CHANGED

@@ -138,7 +138,7 @@ module JOSE
       else
         aad_b64 = JOSE.urlsafe_encode64(aad)
         concat_aad = [protected_binary, '.', aad_b64].join
-        cipher_text, cipher_tag = enc.block_encrypt([aad_b64, jwe.compress(plain_text)], cek, iv)
+        cipher_text, cipher_tag = enc.block_encrypt([concat_aad, jwe.compress(plain_text)], cek, iv)
         return JOSE::EncryptedMap[
           'aad'           => aad_b64,
           'ciphertext'    => JOSE.urlsafe_encode64(cipher_text),
@@ -199,6 +199,14 @@ module JOSE
       end
     end
+    def self.generate_key(object, modules = {})
+      return from(object, modules).generate_key
+    end
+    def generate_key
+      return alg.generate_key(fields, enc)
+    end
     def key_decrypt(key, encrypted_key)
       return alg.key_decrypt(key, enc, encrypted_key)
     end
@@ -210,6 +218,24 @@ module JOSE
       return encrypted_key, new_jwe
     end
+    def self.merge(left, right)
+      return from(left).merge(right)
+    end
+    def merge(object)
+      object = case object
+      when JOSE::Map, Hash
+        object
+      when String
+        JOSE.decode(object)
+      when JOSE::JWE
+        object.to_map
+      else
+        raise ArgumentError, "'object' must be a Hash, String, or JOSE::JWE"
+      end
+      return JOSE::JWE.from_map(self.to_map.merge(object))
+    end
     def next_cek(key)
       return alg.next_cek(key, enc)
     end

data/lib/jose/jwe/alg.rb CHANGED

@@ -2,6 +2,14 @@ module JOSE::JWE::ALG
   extend self
+  def generate_key(parameters, algorithm, encryption)
+    return JOSE::JWK.generate_key(parameters).merge({
+      'alg' => algorithm,
+      'enc' => encryption,
+      'use' => 'enc'
+    })
+  end
 end
 require 'jose/jwe/alg_aes_gcm_kw'

data/lib/jose/jwe/alg_aes_gcm_kw.rb CHANGED

@@ -30,16 +30,7 @@ class JOSE::JWE::ALG_AES_GCM_KW < Struct.new(:cipher_name, :bits, :iv, :tag)
   end
   def to_map(fields)
-    alg = case bits
-    when 128
-      'A128GCMKW'
-    when 192
-      'A192GCMKW'
-    when 256
-      'A256GCMKW'
-    else
-      raise ArgumentError, "unhandled JOSE::JWE::ALG_AES_KW bits: #{bits.inspect}"
-    end
+    alg = algorithm
     fields = fields.put('alg', alg)
     if iv
       fields = fields.put('iv', JOSE.urlsafe_encode64(iv))
@@ -52,6 +43,10 @@ class JOSE::JWE::ALG_AES_GCM_KW < Struct.new(:cipher_name, :bits, :iv, :tag)
   # JOSE::JWE::ALG callbacks
+  def generate_key(fields, enc)
+    return JOSE::JWE::ALG.generate_key([:oct, bits.div(8)], algorithm, enc.algorithm)
+  end
   def key_decrypt(key, enc, encrypted_key)
     if iv.nil? or tag.nil?
       raise ArgumentError, "missing required fields for decryption: 'iv' and 'tag'"
@@ -67,6 +62,7 @@ class JOSE::JWE::ALG_AES_GCM_KW < Struct.new(:cipher_name, :bits, :iv, :tag)
     cipher.decrypt
     cipher.key = derived_key
     cipher.iv = iv
+    cipher.padding = 0
     cipher.auth_data = aad
     cipher.auth_tag = cipher_tag
     plain_text = cipher.update(cipher_text) + cipher.final
@@ -85,6 +81,7 @@ class JOSE::JWE::ALG_AES_GCM_KW < Struct.new(:cipher_name, :bits, :iv, :tag)
     cipher.encrypt
     cipher.key = derived_key
     cipher.iv = new_alg.iv
+    cipher.padding = 0
     cipher.auth_data = aad
     cipher_text = cipher.update(plain_text) + cipher.final
     new_alg.tag = cipher.auth_tag
@@ -95,4 +92,19 @@ class JOSE::JWE::ALG_AES_GCM_KW < Struct.new(:cipher_name, :bits, :iv, :tag)
     return enc.next_cek
   end
+  # API functions
+  def algorithm
+    case bits
+    when 128
+      'A128GCMKW'
+    when 192
+      'A192GCMKW'
+    when 256
+      'A256GCMKW'
+    else
+      raise ArgumentError, "unhandled JOSE::JWE::ALG_AES_KW bits: #{bits.inspect}"
+    end
+  end
 end

data/lib/jose/jwe/alg_aes_kw.rb CHANGED

@@ -17,21 +17,15 @@ class JOSE::JWE::ALG_AES_KW < Struct.new(:bits)
   end
   def to_map(fields)
-    alg = case bits
-    when 128
-      'A128KW'
-    when 192
-      'A192KW'
-    when 256
-      'A256KW'
-    else
-      raise ArgumentError, "unhandled JOSE::JWE::ALG_AES_KW bits: #{bits.inspect}"
-    end
-    return fields.put('alg', alg)
+    return fields.put('alg', algorithm)
   end
   # JOSE::JWE::ALG callbacks
+  def generate_key(fields, enc)
+    return JOSE::JWE::ALG.generate_key([:oct, bits.div(8)], algorithm, enc.algorithm)
+  end
   def key_decrypt(key, enc, encrypted_key)
     if key.is_a?(JOSE::JWK)
       key = key.kty.derive_key
@@ -54,4 +48,19 @@ class JOSE::JWE::ALG_AES_KW < Struct.new(:bits)
     return enc.next_cek
   end
+  # API functions
+  def algorithm
+    case bits
+    when 128
+      'A128KW'
+    when 192
+      'A192KW'
+    when 256
+      'A256KW'
+    else
+      raise ArgumentError, "unhandled JOSE::JWE::ALG_AES_KW bits: #{bits.inspect}"
+    end
+  end
 end

data/lib/jose/jwe/alg_dir.rb CHANGED

@@ -17,6 +17,10 @@ class JOSE::JWE::ALG_dir
   # JOSE::JWE::ALG callbacks
+  def generate_key(fields, enc)
+    return JOSE::JWE::ALG.generate_key([:oct, enc.bits.div(8)], 'dir', enc.algorithm)
+  end
   def key_decrypt(key, enc, encrypted_key)
     if key.is_a?(String)
       return key

data/lib/jose/jwe/alg_ecdh_es.rb CHANGED

@@ -47,6 +47,14 @@ class JOSE::JWE::ALG_ECDH_ES < Struct.new(:bits, :epk, :apu, :apv)
   # JOSE::JWE::ALG callbacks
+  def generate_key(fields, enc)
+    if not epk.nil?
+      return JOSE::JWE::ALG.generate_key(epk, algorithm, enc.algorithm)
+    else
+      return JOSE::JWE::ALG.generate_key([:ec, 'P-521'], algorithm, enc.algorithm)
+    end
+  end
   def key_decrypt(box_keys, enc, encrypted_key)
     other_public_key, my_private_key = box_keys
     if my_private_key and epk and epk.to_key != other_public_key.to_key

data/lib/jose/jwe/alg_pbes2.rb CHANGED

@@ -19,13 +19,17 @@ class JOSE::JWE::ALG_PBES2 < Struct.new(:hmac, :bits, :salt, :iter)
       raise ArgumentError, "invalid 'alg' for JWE: #{fields['alg'].inspect}"
     end
     iter = nil
-    if fields['p2c'].is_a?(Integer) and fields['p2c'] >= 0
+    if not fields.has_key?('p2c')
+      iter = 1000
+    elsif fields['p2c'].is_a?(Integer) and fields['p2c'] >= 0
       iter = fields['p2c']
     else
       raise ArgumentError, "invalid 'p2c' for JWE: #{fields['p2c'].inspect}"
     end
     salt = nil
-    if fields.has_key?('p2s') and fields['p2s'].is_a?(String)
+    if not fields.has_key?('p2s')
+      salt = nil
+    elsif fields['p2s'].is_a?(String)
       salt = wrap_salt(fields['alg'], JOSE.urlsafe_decode64(fields['p2s']))
     else
       raise ArgumentError, "invalid 'p2s' for JWE: #{fields['p2s'].inspect}"
@@ -34,22 +38,29 @@ class JOSE::JWE::ALG_PBES2 < Struct.new(:hmac, :bits, :salt, :iter)
   end
   def to_map(fields)
-    alg = if hmac == OpenSSL::Digest::SHA256
-      'PBES2-HS256+A128KW'
-    elsif hmac == OpenSSL::Digest::SHA384
-      'PBES2-HS384+A192KW'
-    elsif hmac == OpenSSL::Digest::SHA512
-      'PBES2-HS512+A256KW'
+    alg = algorithm
+    p2c = iter
+    if salt.nil?
+      return fields.put('alg', alg).put('p2c', p2c)
     else
-      raise ArgumentError, "unhandled JOSE::JWE::ALG_PBES2 hmac: #{hmac.inspect}"
+      p2s = JOSE.urlsafe_encode64(unwrap_salt(alg, salt))
+      return fields.put('alg', alg).put('p2c', p2c).put('p2s', p2s)
     end
-    p2c = iter
-    p2s = JOSE.urlsafe_encode64(unwrap_salt(alg, salt))
-    return fields.put('alg', alg).put('p2c', p2c).put('p2s', p2s)
   end
   # JOSE::JWE::ALG callbacks
+  def generate_key(fields, enc)
+    alg = algorithm
+    extra_fields = {
+      'p2c' => iter
+    }
+    if not salt.nil?
+      extra_fields['p2s'] = JOSE.urlsafe_encode64(unwrap_salt(alg, salt))
+    end
+    return JOSE::JWE::ALG.generate_key([:oct, 16], alg, enc.algorithm).merge(extra_fields)
+  end
   def key_decrypt(key, enc, encrypted_key)
     if key.is_a?(JOSE::JWK)
       key = key.kty.derive_key
@@ -63,18 +74,34 @@ class JOSE::JWE::ALG_PBES2 < Struct.new(:hmac, :bits, :salt, :iter)
     if key.is_a?(JOSE::JWK)
       key = key.kty.derive_key
     end
-    derived_key = OpenSSL::PKCS5.pbkdf2_hmac(key, salt, iter, bits.div(8) + (bits % 8), hmac.new)
+    new_alg = self
+    if new_alg.salt.nil?
+      new_alg = JOSE::JWE::ALG_PBES2.new(hmac, bits, wrap_salt(SecureRandom.random_bytes(8)), iter)
+    end
+    derived_key = OpenSSL::PKCS5.pbkdf2_hmac(key, new_alg.salt, new_alg.iter, new_alg.bits.div(8) + (new_alg.bits % 8), new_alg.hmac.new)
     encrypted_key = JOSE::JWA::AES_KW.wrap(decrypted_key, derived_key)
-    return encrypted_key, self
+    return encrypted_key, new_alg
   end
   def next_cek(key, enc)
     return enc.next_cek
   end
-private
+  # API functions
-  def unwrap_salt(algorithm, salt)
+  def algorithm
+    if hmac == OpenSSL::Digest::SHA256
+      'PBES2-HS256+A128KW'
+    elsif hmac == OpenSSL::Digest::SHA384
+      'PBES2-HS384+A192KW'
+    elsif hmac == OpenSSL::Digest::SHA512
+      'PBES2-HS512+A256KW'
+    else
+      raise ArgumentError, "unhandled JOSE::JWE::ALG_PBES2 hmac: #{hmac.inspect}"
+    end
+  end
+  def self.unwrap_salt(algorithm, salt)
     salt_s = StringIO.new(salt)
     if salt_s.read(algorithm.length) != algorithm or salt_s.getbyte != 0
       raise ArgumentError, "unrecognized salt value"
@@ -83,8 +110,16 @@ private
     end
   end
+  def unwrap_salt(salt)
+    return JOSE::JWE::ALG_PBES2.unwrap_salt(algorithm, salt)
+  end
   def self.wrap_salt(algorithm, salt_input)
     return [algorithm, 0x00, salt_input].pack('a*Ca*')
   end
+  def wrap_salt(salt_input)
+    return JOSE::JWE::ALG_PBES2.wrap_salt(algorithm, salt_input)
+  end
 end