jose 0.3.1 → 1.0.0

data/lib/jose/jwe/alg_aes_gcm_kw.rb

@@ -89,7 +89,7 @@ class JOSE::JWE::ALG_AES_GCM_KW < Struct.new(:cipher_name, :bits, :iv, :tag)
   end
 
   def next_cek(key, enc)
-    return enc.next_cek
+    return enc.next_cek, self
   end
 
   # API functions

data/lib/jose/jwe/alg_aes_kw.rb

@@ -45,7 +45,7 @@ class JOSE::JWE::ALG_AES_KW < Struct.new(:bits)
   end
 
   def next_cek(key, enc)
-    return enc.next_cek
+    return enc.next_cek, self
   end
 
   # API functions

data/lib/jose/jwe/alg_dir.rb

@@ -1,11 +1,11 @@
-class JOSE::JWE::ALG_dir
+class JOSE::JWE::ALG_dir < Struct.new(:direct)
 
   # JOSE::JWE callbacks
 
   def self.from_map(fields)
     case fields['alg']
     when 'dir'
-      return new(), fields.delete('alg')
+      return new(true), fields.delete('alg')
     else
       raise ArgumentError, "invalid 'alg' for JWE: #{fields['alg'].inspect}"
     end
@@ -35,9 +35,9 @@ class JOSE::JWE::ALG_dir
 
   def next_cek(key, enc)
     if key.is_a?(String)
-      return key
+      return key, self
     else
-      return key.kty.derive_key
+      return key.kty.derive_key, self
     end
   end
 

data/lib/jose/jwe/alg_ecdh_es.rb

@@ -57,26 +57,31 @@ class JOSE::JWE::ALG_ECDH_ES < Struct.new(:bits, :epk, :apu, :apv)
 
   def key_decrypt(box_keys, enc, encrypted_key)
     other_public_key, my_private_key = box_keys
-    if my_private_key and epk and epk.to_key != other_public_key.to_key
-      raise ArgumentError, "other and ephemeral public key mismatch"
-    elsif epk and my_private_key.nil?
+    if my_private_key.nil?
       my_private_key = other_public_key
-      other_public_key = epk
-    else
-      raise ArgumentError, "missing 'epk' or my_private_key"
+      other_public_key = nil
+    end
+    if epk.nil? and other_public_key.nil?
+      raise ArgumentError, "missing 'epk' and 'other_public_key'"
+    elsif epk and other_public_key and epk.thumbprint != other_public_key.thumbprint
+      raise ArgumentError, "other and ephemeral public key mismatch"
+    end
+    new_alg = self
+    if epk.nil?
+      new_alg = JOSE::JWE::ALG_ECDH_ES.new(bits, other_public_key.to_public, apu, apv)
     end
-    z = other_public_key.derive_key(my_private_key)
+    z = new_alg.epk.derive_key(my_private_key)
     if bits.nil?
       algorithm_id = enc.algorithm
       key_data_len = enc.bits
       supp_pub_info = [key_data_len].pack('N')
-      derived_key = JOSE::JWA::ConcatKDF.kdf(OpenSSL::Digest::SHA256, z, [algorithm_id, apu, apv, supp_pub_info], key_data_len)
+      derived_key = JOSE::JWA::ConcatKDF.kdf(OpenSSL::Digest::SHA256, z, [algorithm_id, new_alg.apu, new_alg.apv, supp_pub_info], key_data_len)
       return derived_key
     else
-      algorithm_id = algorithm
-      key_data_len = bits
+      algorithm_id = new_alg.algorithm
+      key_data_len = new_alg.bits
       supp_pub_info = [key_data_len].pack('N')
-      derived_key = JOSE::JWA::ConcatKDF.kdf(OpenSSL::Digest::SHA256, z, [algorithm_id, apu, apv, supp_pub_info], key_data_len)
+      derived_key = JOSE::JWA::ConcatKDF.kdf(OpenSSL::Digest::SHA256, z, [algorithm_id, new_alg.apu, new_alg.apv, supp_pub_info], key_data_len)
       decrypted_key = JOSE::JWA::AES_KW.unwrap(encrypted_key, derived_key)
       return decrypted_key
     end
@@ -87,27 +92,49 @@ class JOSE::JWE::ALG_ECDH_ES < Struct.new(:bits, :epk, :apu, :apv)
       return '', self
     else
       other_public_key, my_private_key = box_keys
+      if my_private_key.nil?
+        raise ArgumentError, "missing 'my_private_key'"
+      elsif other_public_key.nil?
+        raise ArgumentError, "missing 'other_public_key'"
+      elsif epk and my_private_key and epk.thumbprint != my_private_key.thumbprint
+        raise ArgumentError, "private and ephemeral public key mismatch"
+      end
+      new_alg = self
+      if epk.nil?
+        new_alg = JOSE::JWE::ALG_ECDH_ES.new(bits, my_private_key.to_public, apu, apv)
+      end
       z = other_public_key.derive_key(my_private_key)
-      algorithm_id = algorithm
-      key_data_len = bits
+      algorithm_id = new_alg.algorithm
+      key_data_len = new_alg.bits
       supp_pub_info = [key_data_len].pack('N')
-      derived_key = JOSE::JWA::ConcatKDF.kdf(OpenSSL::Digest::SHA256, z, [algorithm_id, apu, apv, supp_pub_info], key_data_len)
+      derived_key = JOSE::JWA::ConcatKDF.kdf(OpenSSL::Digest::SHA256, z, [algorithm_id, new_alg.apu, new_alg.apv, supp_pub_info], key_data_len)
       encrypted_key = JOSE::JWA::AES_KW.wrap(decrypted_key, derived_key)
-      return encrypted_key, self
+      return encrypted_key, new_alg
     end
   end
 
   def next_cek(box_keys, enc)
     if bits.nil?
       other_public_key, my_private_key = box_keys
+      if my_private_key.nil?
+        raise ArgumentError, "missing 'my_private_key'"
+      elsif other_public_key.nil?
+        raise ArgumentError, "missing 'other_public_key'"
+      elsif epk and my_private_key and epk.thumbprint != my_private_key.thumbprint
+        raise ArgumentError, "private and ephemeral public key mismatch"
+      end
+      new_alg = self
+      if epk.nil?
+        new_alg = JOSE::JWE::ALG_ECDH_ES.new(bits, my_private_key.to_public, apu, apv)
+      end
       z = other_public_key.derive_key(my_private_key)
       algorithm_id = enc.algorithm
       key_data_len = enc.bits
       supp_pub_info = [key_data_len].pack('N')
-      derived_key = JOSE::JWA::ConcatKDF.kdf(OpenSSL::Digest::SHA256, z, [algorithm_id, apu, apv, supp_pub_info], key_data_len)
-      return derived_key
+      derived_key = JOSE::JWA::ConcatKDF.kdf(OpenSSL::Digest::SHA256, z, [algorithm_id, new_alg.apu, new_alg.apv, supp_pub_info], key_data_len)
+      return derived_key, new_alg
     else
-      return enc.next_cek
+      return enc.next_cek, self
     end
   end
 

data/lib/jose/jwe/alg_pbes2.rb

@@ -20,7 +20,7 @@ class JOSE::JWE::ALG_PBES2 < Struct.new(:hmac, :bits, :salt, :iter)
     end
     iter = nil
     if not fields.has_key?('p2c')
-      iter = 1000
+      iter = bits * 32
     elsif fields['p2c'].is_a?(Integer) and fields['p2c'] >= 0
       iter = fields['p2c']
     else
@@ -76,7 +76,7 @@ class JOSE::JWE::ALG_PBES2 < Struct.new(:hmac, :bits, :salt, :iter)
     end
     new_alg = self
     if new_alg.salt.nil?
-      new_alg = JOSE::JWE::ALG_PBES2.new(hmac, bits, wrap_salt(SecureRandom.random_bytes(8)), iter)
+      new_alg = JOSE::JWE::ALG_PBES2.new(hmac, bits, wrap_salt(SecureRandom.random_bytes(bits.div(8))), iter)
     end
     derived_key = OpenSSL::PKCS5.pbkdf2_hmac(key, new_alg.salt, new_alg.iter, new_alg.bits.div(8) + (new_alg.bits % 8), new_alg.hmac.new)
     encrypted_key = JOSE::JWA::AES_KW.wrap(decrypted_key, derived_key)
@@ -84,7 +84,7 @@ class JOSE::JWE::ALG_PBES2 < Struct.new(:hmac, :bits, :salt, :iter)
   end
 
   def next_cek(key, enc)
-    return enc.next_cek
+    return enc.next_cek, self
   end
 
   # API functions

data/lib/jose/jwe/alg_rsa.rb

@@ -47,7 +47,7 @@ class JOSE::JWE::ALG_RSA < Struct.new(:rsa_padding, :rsa_oaep_md)
   end
 
   def next_cek(key, enc)
-    return enc.next_cek
+    return enc.next_cek, self
   end
 
   # API functions

data/lib/jose/jwk.rb

@@ -1,8 +1,45 @@
 module JOSE
+  # JWK stands for JSON Web Key which is defined in [RFC 7517](https://tools.ietf.org/html/rfc7517).
   class JWK < Struct.new(:keys, :kty, :fields)
 
     # Decode API
 
+    # Converts a binary or map into a `JOSE.JWK`.
+    #
+    #     !!!ruby
+    #     JOSE::JWK.from({"k" => "", "kty" => "oct"})
+    #     # => #<struct JOSE::JWK keys=nil, kty=#<struct JOSE::JWK::KTY_oct oct="">, fields=JOSE::Map[]>
+    #     JOSE::JWK.from("{\"k\":\"\",\"kty\":\"oct\"}")
+    #     # => #<struct JOSE::JWK keys=nil, kty=#<struct JOSE::JWK::KTY_oct oct="">, fields=JOSE::Map[]>
+    #
+    # The `"kty"` field may be overridden with a custom module that implements the {JOSE::JWK::KTY JOSE::JWK::KTY} behaviours.
+    #
+    # For example:
+    #
+    #     !!!ruby
+    #     JOSE::JWK.from({ "kty" => "custom" }, { kty: MyCustomKey })
+    #     # => #<struct JOSE::JWK keys=nil, kty=#<MyCustomKey:0x007f8c5419ff68>, fields=JOSE::Map[]>
+    #
+    # If a `key` has been specified, it will decrypt an encrypted binary or map into a {JOSE::JWK JOSE::JWK} using the specified `key`.
+    #
+    #     !!!ruby
+    #     JOSE::JWK.from("eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkExMjhHQ00iLCJwMmMiOjQwOTYsInAycyI6Im5OQ1ZNQUktNTU5UVFtbWRFcnBsZFEifQ.Ucye69ii4dxd1ykNFlJyBVeA6xeNu4aV.2pZ4nBoxBjmdrneS.boqwdFZVNAFHk1M5P6kPYgBUgGwW32QuKzHuFA.wL9Hy6dcE_DPkUW9s5iwKA", "password")
+    #     # => [#<struct JOSE::JWK keys=nil, kty=#<struct JOSE::JWK::KTY_oct oct="secret">, fields=JOSE::Map[]>,
+    #     #  #<struct JOSE::JWE
+    #     #   alg=
+    #     #    #<struct JOSE::JWE::ALG_PBES2
+    #     #     hmac=OpenSSL::Digest::SHA256,
+    #     #     bits=128,
+    #     #     salt="PBES2-HS256+A128KW\x00\x9C\xD0\x950\x02>\xE7\x9FPBi\x9D\x12\xBAeu",
+    #     #     iter=4096>,
+    #     #   enc=#<struct JOSE::JWE::ENC_AES_GCM cipher_name="aes-128-gcm", bits=128, cek_len=16, iv_len=12>,
+    #     #   zip=nil,
+    #     #   fields=JOSE::Map["cty" => "jwk+json"]>]
+    #
+    # @param [JOSE::Map, Hash, String, JOSE::JWK, Array<JOSE::Map, Hash, String, JOSE::JWK>] object
+    # @param [Hash] modules
+    # @param [String] key
+    # @return [JOSE::JWK, Array<JOSE::JWK>]
     def self.from(object, modules = nil, key = nil)
       case object
       when JOSE::Map, Hash
@@ -11,11 +48,19 @@ module JOSE
         return from_binary(object, modules, key)
       when JOSE::JWK
         return object
+      when Array
+        return object.map { |obj| from(obj, modules, key) }
       else
-        raise ArgumentError, "'object' must be a Hash, String, or JOSE::JWK"
+        raise ArgumentError, "'object' must be a Hash, String, JOSE::JWK, or Array"
       end
     end
 
+    # Converts a binary into a {JOSE::JWK JOSE::JWK}.
+    #
+    # @param [String, Array<String>] object
+    # @param [Hash] modules
+    # @param [String] key
+    # @return [JOSE::JWK, Array<JOSE::JWK>]
     def self.from_binary(object, modules = nil, key = nil)
       if (modules.is_a?(String) or modules.is_a?(JOSE::JWK)) and key.nil?
         key = modules
@@ -30,20 +75,39 @@ module JOSE
         else
           return from_map(JOSE.decode(object), modules)
         end
+      when Array
+        return object.map { |obj| from_binary(obj, modules, key) }
       else
-        raise ArgumentError, "'object' must be a String"
+        raise ArgumentError, "'object' must be a String or Array"
       end
     end
 
+    # Reads file and calls {.from_binary} to convert into a {JOSE::JWK JOSE::JWK}.
+    #
+    # @param [String] file
+    # @param [Hash] modules
+    # @param [String] key
+    # @return [JOSE::JWK]
     def self.from_file(file, modules = nil, key = nil)
       return from_binary(File.binread(file), modules, key)
     end
 
+    # Converts Ruby records for EC and RSA keys into a {JOSE::JWK JOSE::JWK}.
+    #
+    # @param [OpenSSL::PKey] object
+    # @param [Hash] modules
+    # @return [JOSE::JWK]
     def self.from_key(object, modules = {})
       kty = modules[:kty] || JOSE::JWK::KTY
       return JOSE::JWK.new(nil, *kty.from_key(object))
     end
 
+    # Converts a map into a {JOSE::JWK JOSE::JWK}.
+    #
+    # @param [JOSE::Map, Hash, Array<JOSE::Map, Hash>] object
+    # @param [Hash] modules
+    # @param [String] key
+    # @return [JOSE::JWK, Array<JOSE::JWK>]
     def self.from_map(object, modules = nil, key = nil)
       if (modules.is_a?(String) or modules.is_a?(JOSE::JWK)) and key.nil?
         key = modules
@@ -58,34 +122,37 @@ module JOSE
         else
           return from_fields(JOSE::JWK.new(nil, nil, JOSE::Map.new(object)), modules)
         end
+      when Array
+        return object.map { |obj| from_map(obj, modules, key) }
       else
-        raise ArgumentError, "'object' must be a String"
-      end
-    end
-
-    def self.from_pem(object, modules = nil, password = nil)
-      if modules.is_a?(String) and password.nil?
-        password = modules
-        modules  = {}
+        raise ArgumentError, "'object' must be a JOSE::Map, Hash, or Array"
       end
-      modules ||= {}
-      kty = modules[:kty] || JOSE::JWK::PEM
-      return JOSE::JWK.new(nil, *kty.from_binary(object, password))
-    end
-
-    def self.from_pem_file(file, modules = nil, password = nil)
-      return from_pem(File.binread(file), modules, password)
     end
 
+    # Converts an arbitrary binary into a {JOSE::JWK JOSE::JWK} with `"kty"` of `"oct"`.
+    #
+    # @param [String] object
+    # @param [Hash] modules
+    # @return [JOSE::JWK]
     def self.from_oct(object, modules = {})
       kty = modules[:kty] || JOSE::JWK::KTY_oct
       return JOSE::JWK.new(nil, *kty.from_oct(object))
     end
 
+    # Reads file and calls {JOSE::JWK.from_oct JOSE::JWK.from_oct} to convert into a {JOSE::JWK JOSE::JWK}.
+    #
+    # @param [String] file
+    # @param [Hash] modules
+    # @return [JOSE::JWK]
     def self.from_oct_file(file, modules = {})
       return from_oct(File.binread(file), modules)
     end
 
+    # Converts an octet key pair into a {JOSE::JWK JOSE::JWK} with `"kty"` of `"OKP"`.
+    #
+    # @param [Array] object
+    # @param [Hash] modules
+    # @return [JOSE::JWK]
     def self.from_okp(object, modules = {})
       raise ArgumentError, "object must be an Array of length 2" if not object.is_a?(Array) or object.length != 2
       kty = modules[:kty] || case object[0]
@@ -107,12 +174,100 @@ module JOSE
       return JOSE::JWK.new(nil, *kty.from_okp(object))
     end
 
+    # Converts an openssh key into a {JOSE::JWK JOSE::JWK} with `"kty"` of `"OKP"`.
+    #
+    # @param [String, Array] object
+    # @param [Hash] modules
+    # @return [JOSE::JWK]
+    def self.from_openssh_key(object, modules = {})
+      raise ArgumentError, "object must be a String or Array" if not object.is_a?(String) and not object.is_a?(Array)
+      keys = object
+      if object.is_a?(String)
+        keys = JOSE::JWK::OpenSSHKey.from_binary(object)
+      end
+      ((pk_type, pk), key), = keys[0]
+      sk_type, sk_pk, = key
+      if pk_type and pk and key and sk_type and sk_pk and pk_type == sk_type and pk == sk_pk
+        kty = modules[:kty] || case pk_type
+        when 'ssh-ed25519'
+          JOSE::JWK::KTY_OKP_Ed25519
+        when 'ssh-ed25519ph'
+          JOSE::JWK::KTY_OKP_Ed25519ph
+        when 'ssh-ed448'
+          JOSE::JWK::KTY_OKP_Ed448
+        when 'ssh-ed448ph'
+          JOSE::JWK::KTY_OKP_Ed448ph
+        when 'ssh-x25519'
+          JOSE::JWK::KTY_OKP_X25519
+        when 'ssh-x448'
+          JOSE::JWK::KTY_OKP_X448
+        else
+          raise ArgumentError, "unrecognized openssh key type: #{pk_type.inspect}"
+        end
+        return JOSE::JWK.new(nil, *kty.from_openssh_key(key))
+      else
+        raise ArgumentError, "unrecognized openssh key format"
+      end
+    end
+
+    # Reads file and calls {JOSE::JWK.from_openssh_key JOSE::JWK.from_openssh_key} to convert into a {JOSE::JWK JOSE::JWK}.
+    #
+    # @param [String] file
+    # @param [Hash] modules
+    # @return [JOSE::JWK]
+    def self.from_openssh_key_file(file, modules = {})
+      return from_openssh_key(File.binread(file), modules)
+    end
+
+    # Converts a PEM (Privacy Enhanced Email) binary into a {JOSE::JWK JOSE::JWK}.
+    #
+    # If `password` is present, decrypts an encrypted PEM (Privacy Enhanced Email) binary into a {JOSE::JWK JOSE::JWK} using `password`.
+    #
+    # @param [String] object
+    # @param [Hash] modules
+    # @param [String] password
+    # @return [JOSE::JWK]
+    def self.from_pem(object, modules = nil, password = nil)
+      if modules.is_a?(String) and password.nil?
+        password = modules
+        modules  = {}
+      end
+      modules ||= {}
+      kty = modules[:kty] || JOSE::JWK::PEM
+      return JOSE::JWK.new(nil, *kty.from_binary(object, password))
+    end
+
+    # Reads file and calls {JOSE::JWK.from_pem JOSE::JWK.from_pem} to convert into a {JOSE::JWK JOSE::JWK}.
+    #
+    # @param [String] file
+    # @param [Hash] modules
+    # @param [String] password
+    # @return [JOSE::JWK]
+    def self.from_pem_file(file, modules = nil, password = nil)
+      return from_pem(File.binread(file), modules, password)
+    end
+
     # Encode API
 
+    # Converts a {JOSE::JWK JOSE::JWK} into a binary.
+    #
+    # @param [JOSE::JWK, Array<JOSE::JWK>] jwk
+    # @param [String] key
+    # @param [JOSE::JWE] jwe
+    # @return [String, JOSE::EncryptedBinary, Array<String, JOSE::EncryptedBinary>]
     def self.to_binary(jwk, key = nil, jwe = nil)
-      return from(jwk).to_binary(key, jwe)
+      if jwk.is_a?(Array)
+        return jwk.map { |obj| from(obj).to_binary(key, jwe) }
+      else
+        return from(jwk).to_binary(key, jwe)
+      end
     end
 
+    # Converts a {JOSE::JWK JOSE::JWK} into a binary.
+    #
+    # @param [String] key
+    # @param [JOSE::JWE] jwe
+    # @return [String, JOSE::EncryptedBinary]
     def to_binary(key = nil, jwe = nil)
       if not key.nil?
         jwe ||= kty.key_encryptor(fields, key)
@@ -124,26 +279,61 @@ module JOSE
       end
     end
 
+    # Calls {JOSE::JWK.to_binary JOSE::JWK.to_binary} on a {JOSE::JWK JOSE::JWK} and then writes the binary to `file`.
+    #
+    # @param [JOSE::Map, Hash, String, JOSE::JWK] jwk
+    # @param [String] file
+    # @param [String] key
+    # @param [JOSE::JWE] jwe
+    # @return [Fixnum] bytes written
     def self.to_file(jwk, file, key = nil, jwe = nil)
       return from(jwk).to_file(file, key, jwe)
     end
 
+    # Calls {JOSE::JWK.to_binary JOSE::JWK.to_binary} on a {JOSE::JWK JOSE::JWK} and then writes the binary to `file`.
+    #
+    # @param [String] file
+    # @param [String] key
+    # @param [JOSE::JWE] jwe
+    # @return [Fixnum] bytes written
     def to_file(file, key = nil, jwe = nil)
       return File.binwrite(file, to_binary(key, jwe))
     end
 
+    # Converts a {JOSE::JWK JOSE::JWK} into the raw key format.
+    #
+    # @param [JOSE::JWK] jwk
+    # @return [OpenSSL::PKey, Object]
     def self.to_key(jwk)
       return from(jwk).to_key
     end
 
+    # Converts a {JOSE::JWK JOSE::JWK} into the raw key format.
+    #
+    # @return [OpenSSL::PKey, Object]
     def to_key
       return kty.to_key
     end
 
+    # Converts a {JOSE::JWK JOSE::JWK} into a map.
+    #
+    # @param [JOSE::Map, Hash, String, JOSE::JWK, Array<JOSE::Map, Hash, String, JOSE::JWK>] jwk
+    # @param [String] key
+    # @param [JOSE::JWE] jwe
+    # @return [JOSE::Map, Array<JOSE::Map>]
     def self.to_map(jwk, key = nil, jwe = nil)
-      return from(jwk).to_map(key, jwe)
+      if jwk.is_a?(Array)
+        return from(jwk).map { |obj| obj.to_map(key, jwe) }
+      else
+        return from(jwk).to_map(key, jwe)
+      end
     end
 
+    # Converts a {JOSE::JWK JOSE::JWK} into a map.
+    #
+    # @param [String] key
+    # @param [JOSE::JWE] jwe
+    # @return [JOSE::Map]
     def to_map(key = nil, jwe = nil)
       if not key.nil?
         jwe ||= kty.key_encryptor(fields, key)
@@ -155,98 +345,363 @@ module JOSE
       end
     end
 
+    # Converts a {JOSE::JWK JOSE::JWK} into a raw binary octet.
+    #
+    # @param [JOSE::Map, Hash, String, JOSE::JWK, Array<JOSE::Map, Hash, String, JOSE::JWK>] jwk
+    # @return [String, Array<String>]
     def self.to_oct(jwk)
-      return from(jwk).to_oct
+      if jwk.is_a?(Array)
+        return from(jwk).map { |obj| obj.to_oct }
+      else
+        return from(jwk).to_oct
+      end
     end
 
+    # Converts a {JOSE::JWK JOSE::JWK} into a raw binary octet.
+    #
+    # @return [String]
     def to_oct
       return kty.to_oct
     end
 
+    # Calls {JOSE::JWK.to_oct JOSE::JWK.to_oct} on a {JOSE::JWK JOSE::JWK} and then writes the binary to `file`.
+    #
+    # @param [JOSE::Map, Hash, String, JOSE::JWK] jwk
+    # @param [String] file
+    # @return [Fixnum] bytes written
+    def self.to_oct_file(jwk, file)
+      return from(jwk).to_file(file)
+    end
+
+    # Calls {JOSE::JWK#to_oct JOSE::JWK#to_oct} on a {JOSE::JWK JOSE::JWK} and then writes the binary to `file`.
+    #
+    # @param [String] file
+    # @return [Fixnum] bytes written
+    def to_oct_file(file)
+      return File.binwrite(file, to_oct)
+    end
+
+    # Converts a {JOSE::JWK JOSE::JWK} into an octet key pair.
+    #
+    # @param [JOSE::Map, Hash, String, JOSE::JWK, Array<JOSE::Map, Hash, String, JOSE::JWK>] jwk
+    # @return [Object, Array<Object>]
     def self.to_okp(jwk)
-      return from(jwk).to_okp
+      if jwk.is_a?(Array)
+        return from(jwk).map { |obj| obj.to_okp }
+      else
+        return from(jwk).to_okp
+      end
     end
 
+    # Converts a {JOSE::JWK JOSE::JWK} into an octet key pair.
+    #
+    # @return [String]
     def to_okp
       return kty.to_okp
     end
 
+    # Converts a {JOSE::JWK JOSE::JWK} into an OpenSSH key binary.
+    #
+    # @param [JOSE::Map, Hash, String, JOSE::JWK, Array<JOSE::Map, Hash, String, JOSE::JWK>] jwk
+    # @return [Object, Array<Object>]
+    def self.to_openssh_key(jwk)
+      if jwk.is_a?(Array)
+        return from(jwk).map { |obj| obj.to_openssh_key }
+      else
+        return from(jwk).to_openssh_key
+      end
+    end
+
+    # Converts a {JOSE::JWK JOSE::JWK} into an OpenSSH key binary.
+    #
+    # @return [Object]
+    def to_openssh_key
+      return kty.to_openssh_key(fields)
+    end
+
+    # Calls {JOSE::JWK.to_openssh_key JOSE::JWK.to_openssh_key} on a {JOSE::JWK JOSE::JWK} and then writes the binary to `file`.
+    #
+    # @param [JOSE::Map, Hash, String, JOSE::JWK] jwk
+    # @param [String] file
+    # @return [Fixnum] bytes written
+    def self.to_openssh_key_file(jwk, file)
+      return from(jwk).to_file(file)
+    end
+
+    # Calls {JOSE::JWK#to_openssh_key JOSE::JWK#to_openssh_key} on a {JOSE::JWK JOSE::JWK} and then writes the binary to `file`.
+    #
+    # @param [String] file
+    # @return [Fixnum] bytes written
+    def to_openssh_key_file(file)
+      return File.binwrite(file, to_openssh_key)
+    end
+
+    # Converts a {JOSE::JWK JOSE::JWK} into a PEM (Privacy Enhanced Email) binary.
+    #
+    # @param [JOSE::Map, Hash, String, JOSE::JWK, Array<JOSE::Map, Hash, String, JOSE::JWK>] jwk
+    # @param [String] password
+    # @return [String, Array<String>]
     def self.to_pem(jwk, password = nil)
-      return from(jwk).to_pem(password)
+      if jwk.is_a?(Array)
+        return from(jwk).map { |obj| obj.to_pem(password) }
+      else
+        return from(jwk).to_pem(password)
+      end
     end
 
+    # Converts a {JOSE::JWK JOSE::JWK} into a PEM (Privacy Enhanced Email) binary.
+    #
+    # @param [String] password
+    # @return [String]
     def to_pem(password = nil)
       return kty.to_pem(password)
     end
 
+    # Calls {JOSE::JWK.to_pem JOSE::JWK.to_pem} on a {JOSE::JWK JOSE::JWK} and then writes the binary to `file`.
+    #
+    # @param [JOSE::Map, Hash, String, JOSE::JWK] jwk
+    # @param [String] file
+    # @param [String] password
+    # @return [Fixnum] bytes written
+    def self.to_pem_file(jwk, file, password = nil)
+      return from(jwk).to_file(file, password)
+    end
+
+    # Calls {JOSE::JWK#to_pem JOSE::JWK#to_pem} on a {JOSE::JWK JOSE::JWK} and then writes the binary to `file`.
+    #
+    # @param [String] file
+    # @param [String] password
+    # @return [Fixnum] bytes written
+    def to_pem_file(file, password = nil)
+      return File.binwrite(file, to_pem(password))
+    end
+
+    # Converts a private {JOSE::JWK JOSE::JWK} into a public {JOSE::JWK JOSE::JWK}.
+    #
+    #     !!!ruby
+    #     jwk_rsa = JOSE::JWK.generate_key([:rsa, 256]).to_map
+    #     # => JOSE::Map[
+    #     #  "dq" => "Iv_BghpjRyv8hk4AgsX_3w",
+    #     #  "e" => "AQAB",
+    #     #  "d" => "imiCh2gK77pDAa_NuQbHN1hZdLY0eTl8tp4WLfe1uQ0",
+    #     #  "p" => "-eKE_wk7O5JWw_1fw-rciw",
+    #     #  "qi" => "MqCwIoTTCkYmGQHsOM7IuA",
+    #     #  "n" => "vj2WbxlGF1yU9SoQJMqKw6c2asTks_cVuXEAO3x_yOU",
+    #     #  "kty" => "RSA",
+    #     #  "q" => "wuVog_0-60w7_56y8wZuTw",
+    #     #  "dp" => "lU_9GEdz1UzD-6hSqMaVsQ"]
+    #     JOSE::JWK.to_public(jwk_rsa).to_map
+    #     # => JOSE::Map[
+    #     #  "e" => "AQAB",
+    #     #  "n" => "vj2WbxlGF1yU9SoQJMqKw6c2asTks_cVuXEAO3x_yOU",
+    #     #  "kty" => "RSA"]
+    #
+    # @param [JOSE::Map, Hash, String, JOSE::JWK, Array<JOSE::Map, Hash, String, JOSE::JWK>] jwk
+    # @return [JOSE::JWK, Array<JOSE::JWK>]
     def self.to_public(jwk)
-      return from(jwk).to_public
+      if jwk.is_a?(Array)
+        return from(jwk).map { |obj| obj.to_public }
+      else
+        return from(jwk).to_public
+      end
     end
 
+    # Converts a private {JOSE::JWK JOSE::JWK} into a public {JOSE::JWK JOSE::JWK}.
+    #
+    # @see JOSE::JWK.to_public
+    # @return [JOSE::JWK]
     def to_public
       return JOSE::JWK.from_map(to_public_map)
     end
 
+    # Calls {JOSE::JWK.to_binary JOSE::JWK.to_binary} on a {JOSE::JWK JOSE::JWK} and then writes the binary to `file`.
+    #
+    # @param [JOSE::Map, Hash, String, JOSE::JWK] jwk
+    # @param [String] file
+    # @return [Fixnum] bytes written
+    def self.to_public_file(jwk, file)
+      return from(jwk).to_public_file(file)
+    end
+
+    # Calls {JOSE::JWK.to_public JOSE::JWK.to_public} on a {JOSE::JWK JOSE::JWK} and then writes the binary to `file`.
+    #
+    # @param [String] file
+    # @return [Fixnum] bytes written
+    def to_public_file(file)
+      return File.binwrite(file, to_public.to_binary)
+    end
+
+    # Calls {JOSE::JWK.to_public JOSE::JWK.to_public} and then {JOSE::JWK.to_key JOSE::JWK.to_key} on a {JOSE::JWK JOSE::JWK}.
+    #
+    # @param [JOSE::Map, Hash, String, JOSE::JWK, Array<JOSE::Map, Hash, String, JOSE::JWK>] jwk
+    # @return [OpenSSL::PKey, Object, Array<OpenSSL::PKey, Object>]
     def self.to_public_key(jwk)
-      return from(jwk).to_public_key
+      if jwk.is_a?(Array)
+        return from(jwk).map { |obj| obj.to_public_key }
+      else
+        return from(jwk).to_public_key
+      end
     end
 
+    # Calls {JOSE::JWK#to_public JOSE::JWK#to_public} and then {JOSE::JWK#to_key JOSE::JWK#to_key} on a {JOSE::JWK JOSE::JWK}.
+    #
+    # @return [OpenSSL::PKey, Object]
     def to_public_key
       return to_public.to_key
     end
 
+    # Calls {JOSE::JWK.to_public JOSE::JWK.to_public} and then {JOSE::JWK.to_map JOSE::JWK.to_map} on a {JOSE::JWK JOSE::JWK}.
+    #
+    # @param [JOSE::Map, Hash, String, JOSE::JWK, Array<JOSE::Map, Hash, String, JOSE::JWK>] jwk
+    # @return [JOSE::Map, Array<JOSE::Map>]
     def self.to_public_map(jwk)
-      return from(jwk).to_public_map
+      if jwk.is_a?(Array)
+        return from(jwk).map { |obj| obj.to_public_map }
+      else
+        return from(jwk).to_public_map
+      end
     end
 
+    # Calls {JOSE::JWK#to_public JOSE::JWK#to_public} and then {JOSE::JWK#to_map JOSE::JWK#to_map} on a {JOSE::JWK JOSE::JWK}.
+    #
+    # @return [JOSE::Map]
     def to_public_map
       return kty.to_public_map(fields)
     end
 
+    # Converts a {JOSE::JWK JOSE::JWK} into a map that can be used by {JOSE::JWK.thumbprint JOSE::JWK.thumbprint}.
+    #
+    # @param [JOSE::Map, Hash, String, JOSE::JWK, Array<JOSE::Map, Hash, String, JOSE::JWK>] jwk
+    # @return [JOSE::Map, Array<JOSE::Map>]
     def self.to_thumbprint_map(jwk)
-      return from(jwk).to_thumbprint_map
+      if jwk.is_a?(Array)
+        return from(jwk).map { |obj| obj.to_thumbprint_map }
+      else
+        return from(jwk).to_thumbprint_map
+      end
     end
 
+    # Converts a {JOSE::JWK JOSE::JWK} into a map that can be used by {JOSE::JWK.thumbprint JOSE::JWK.thumbprint}.
+    #
+    # @return [JOSE::Map]
     def to_thumbprint_map
       return kty.to_thumbprint_map(fields)
     end
 
     # API
 
+    # Decrypts the `encrypted` binary or map using the `jwk`.
+    #
+    # @see JOWE::JWE.block_decrypt
+    # @param [JOSE::JWK] jwk
+    # @param [JOSE::EncryptedBinary, JOSE::EncryptedMap] encrypted
+    # @return [[String, JOSE::JWE]]
     def self.block_decrypt(jwk, encrypted)
       return from(jwk).block_decrypt(encrypted)
     end
 
+    # Decrypts the `encrypted` binary or map using the `jwk`.
+    #
+    # @see JOWE::JWE.block_decrypt
+    # @param [JOSE::EncryptedBinary, JOSE::EncryptedMap] encrypted
+    # @return [[String, JOSE::JWE]]
     def block_decrypt(encrypted)
       return JOSE::JWE.block_decrypt(self, encrypted)
     end
 
+    # Encrypts the `plain_text` using the `jwk` and algorithms specified by the `jwe`.
+    #
+    # @see JOSE::JWE.block_encrypt
+    # @param [JOSE::JWK] jwk
+    # @param [String] plain_text
+    # @param [JOSE::JWE] jwe
+    # @return [JOSE::EncryptedMap]
     def self.block_encrypt(jwk, plain_text, jwe = nil)
       return from(jwk).block_encrypt(plain_text, jwe)
     end
 
+    # Encrypts the `plain_text` using the `jwk` and algorithms specified by the `jwe`.
+    #
+    # @see JOSE::JWE.block_encrypt
+    # @param [String] plain_text
+    # @param [JOSE::JWE] jwe
+    # @return [JOSE::EncryptedMap]
     def block_encrypt(plain_text, jwe = nil)
       jwe ||= block_encryptor
       return JOSE::JWE.block_encrypt(self, plain_text, jwe)
     end
 
-    def self.block_encryptor(jwe)
-      return from(jwe).block_encryptor
+    # Returns a block encryptor map for the key type.
+    #
+    # @param [JOSE::JWK, Array<JOSE::JWK>] jwk
+    # @return [JOSE::Map, Array<JOSE::Map>]
+    def self.block_encryptor(jwk)
+      if jwk.is_a?(Array)
+        return from(jwk).map { |obj| obj.block_encryptor }
+      else
+        return from(jwk).block_encryptor
+      end
     end
 
+    # Returns a block encryptor map for the key type.
+    #
+    # @return [JOSE::Map]
     def block_encryptor
       return kty.block_encryptor(fields)
     end
 
-    def self.box_decrypt(jwk, encrypted)
-      return from(jwk).box_decrypt(encrypted)
+    # Key Agreement decryption of the `encrypted` binary or map using `my_private_jwk`.
+    #
+    # @see JOSE::JWK.box_encrypt
+    # @see JOSE::JWE.block_decrypt
+    # @param [JOSE::JWK] jwk
+    # @param [JOSE::EncryptedBinary, JOSE::EncryptedMap] encrypted
+    # @param [JOSE::JWK] public_jwk
+    # @return [[String, JOSE::JWE]]
+    def self.box_decrypt(jwk, encrypted, public_jwk = nil)
+      return from(jwk).box_decrypt(encrypted, public_jwk)
     end
 
-    def box_decrypt(encrypted)
-      return JOSE::JWE.block_decrypt(self, encrypted)
+    # Key Agreement decryption of the `encrypted` binary or map using `my_private_jwk`.
+    #
+    # @see JOSE::JWK.box_encrypt
+    # @see JOSE::JWE.block_decrypt
+    # @param [JOSE::EncryptedBinary, JOSE::EncryptedMap] encrypted
+    # @param [JOSE::JWK] public_jwk
+    # @return [[String, JOSE::JWE]]
+    def box_decrypt(encrypted, public_jwk = nil)
+      if public_jwk
+        return JOSE::JWE.block_decrypt([public_jwk, self], encrypted)
+      else
+        return JOSE::JWE.block_decrypt(self, encrypted)
+      end
     end
 
-    # Generates an ephemeral private key based on other public key curve.
+    # Key Agreement encryption of `plain_text` by generating an ephemeral private key based on `other_public_jwk` curve.
+    #
+    # If no private key has been specified in `box_keys`, it generates an ephemeral private key based on other public key curve.
+    #
+    # @see JOSE::JWK.box_decrypt
+    # @see JOSE::JWE.block_encrypt
+    # @param [String] plain_text
+    # @param [JOSE::JWK, [JOSE::JWK, JOSE::JWK]] box_keys
+    # @param [JOSE::JWE] jwe
+    # @return [JOSE::EncryptedMap, [JOSE::EncryptedMap, JOSE::JWK]]
+    def self.box_encrypt(plain_text, box_keys, jwe = nil)
+      other_public_key, my_private_key = box_keys
+      return from(other_public_key).box_encrypt(plain_text, my_private_jwk, jwe)
+    end
+
+    # Key Agreement encryption of `plain_text` by generating an ephemeral private key based on `other_public_jwk` curve.
+    #
+    # If no private key has been specified in `my_private_key`, it generates an ephemeral private key based on other public key curve.
+    #
+    # @see JOSE::JWK.box_decrypt
+    # @see JOSE::JWE.block_encrypt
+    # @param [String] plain_text
+    # @param [JOSE::JWK] my_private_jwk
+    # @param [JOSE::JWE] jwe
+    # @return [JOSE::EncryptedMap, [JOSE::EncryptedMap, JOSE::JWK]]
     def box_encrypt(plain_text, my_private_jwk = nil, jwe = nil)
       generated_jwk = nil
       other_public_jwk = self
@@ -280,10 +735,32 @@ module JOSE
       end
     end
 
+    # Derives a key (typically just returns a binary representation of the key).
+    #
+    # @param [*Object] args
+    # @return [String]
     def derive_key(*args)
       return kty.derive_key(*args)
     end
 
+    # Generates a new {JOSE::JWK JOSE::JWK} based on another {JOSE::JWK JOSE::JWK} or from initialization params provided.
+    #
+    # Passing another {JOSE::JWK JOSE::JWK} results in different behavior depending on the `"kty"`:
+    #
+    #   * `"EC"` - uses the same named curve to generate a new key
+    #   * `"oct"` - uses the byte size to generate a new key
+    #   * `"OKP"` - uses the named curve to generate a new key
+    #   * `"RSA"` - uses the same modulus and exponent sizes to generate a new key
+    #
+    # The following initialization params may also be used:
+    #
+    #   * `[:ec, "P-256" | "P-384" | "P-521"]` - generates an `"EC"` key using the `"P-256"`, `"P-384"`, or `"P-521"` curves
+    #   * `[:oct, bytes]` - generates an `"oct"` key made of a random `bytes` number of bytes
+    #   * `[:okp, :Ed25519 | :Ed25519ph | :Ed448 | :Ed448ph | :X25519 | :X448]` - generates an `"OKP"` key using the specified curve
+    #   * `[:rsa, modulus_size] | [:rsa, modulus_size, exponent_size]` - generates an `"RSA"` key using the `modulus_size` and `exponent_size`
+    #
+    # @param [Array] params
+    # @return [JOSE::JWK]
     def self.generate_key(params)
       if params.is_a?(Array) and (params.length == 2 or params.length == 3)
         case params[0]
@@ -322,14 +799,24 @@ module JOSE
       end
     end
 
+    # Generates a new key based on the current one.
+    #
+    # @return [JOSE::JWK]
     def generate_key
       return JOSE::JWK.new(nil, *kty.generate_key(fields))
     end
 
+    # Merges map on right into map on left.
+    # @param [JOSE::Map, Hash, String, JOSE::JWK] left
+    # @param [JOSE::Map, Hash, String, JOSE::JWK] right
+    # @return [JOSE::JWK]
     def self.merge(left, right)
       return from(left).merge(right)
     end
 
+    # Merges object into current map.
+    # @param [JOSE::Map, Hash, String, JOSE::JWK] object
+    # @return [JOSE::JWK]
     def merge(object)
       object = case object
       when JOSE::Map, Hash
@@ -344,10 +831,23 @@ module JOSE
       return JOSE::JWK.from_map(self.to_map.merge(object))
     end
 
+    # Computes the shared secret between two keys.
+    #
+    # Currently only works for `"EC"` keys and `"OKP"` keys with `"crv"` set to `"X25519"` or `"X448"`.
+    #
+    # @param [JOSE::JWK] your_jwk
+    # @param [JOSE::JWK] my_jwk
+    # @return [String]
     def self.shared_secret(your_jwk, my_jwk)
       return from(your_jwk).shared_secret(from(my_jwk))
     end
 
+    # Computes the shared secret between two keys.
+    #
+    # Currently only works for `"EC"` keys and `"OKP"` keys with `"crv"` set to `"X25519"` or `"X448"`.
+    #
+    # @param [JOSE::JWK] other_jwk
+    # @return [String]
     def shared_secret(other_jwk)
       other_jwk = from(other_jwk) if not other_jwk.is_a?(JOSE::JWK)
       raise ArgumentError, "key types must match" if other_jwk.kty.class != kty.class
@@ -355,54 +855,144 @@ module JOSE
       return kty.derive_key(other_jwk)
     end
 
+    # Signs the `plain_text` using the `jwk` and the default signer algorithm `jws` for the key type.
+    #
+    # @see JOSE::JWS.sign
+    # @param [JOSE::JWK] jwk
+    # @param [String] plain_text
+    # @param [JOSE::JWS] jws
+    # @param [JOSE::Map] header
+    # @return [JOSE::SignedMap]
     def self.sign(jwk, plain_text, jws = nil, header = nil)
       return from(jwk).sign(plain_text, jws, header)
     end
 
+    # Signs the `plain_text` using the `jwk` and the default signer algorithm `jws` for the key type.
+    #
+    # @see JOSE::JWS.sign
+    # @param [String] plain_text
+    # @param [JOSE::JWS] jws
+    # @param [JOSE::Map] header
+    # @return [JOSE::SignedMap]
     def sign(plain_text, jws = nil, header = nil)
       jws ||= signer
       return JOSE::JWS.sign(self, plain_text, jws, header)
     end
 
+    # Returns a signer map for the key type.
+    #
+    # @param [JOSE::JWK] jwk
+    # @return [JOSE::Map]
     def self.signer(jwk)
       return from(jwk).signer
     end
 
+    # Returns a signer map for the key type.
+    #
+    # @return [JOSE::Map]
     def signer
       return kty.signer(fields)
     end
 
+    # Returns the unique thumbprint for a {JOSE::JWK JOSE::JWK} using the `digest_type`.
+    #
+    #     !!!ruby
+    #     # let's define two different keys that will have the same thumbprint
+    #     jwk1 = JOSE::JWK.from_oct("secret")
+    #     jwk2 = JOSE::JWK.from({ "use" => "sig", "k" => "c2VjcmV0", "kty" => "oct" })
+    #
+    #     JOSE::JWK.thumbprint(jwk1)
+    #     # => "DWBh0SEIAPYh1x5uvot4z3AhaikHkxNJa3Ada2fT-Cg"
+    #     JOSE::JWK.thumbprint(jwk2)
+    #     # => "DWBh0SEIAPYh1x5uvot4z3AhaikHkxNJa3Ada2fT-Cg"
+    #     JOSE::JWK.thumbprint('MD5', jwk1)
+    #     # => "Kldz8k5PQm7y1E3aNBlMiA"
+    #     JOSE::JWK.thumbprint('MD5', jwk2)
+    #     # => "Kldz8k5PQm7y1E3aNBlMiA"
+    #
+    # @see https://tools.ietf.org/html/rfc7638 RFC 7638 - JSON Web Key (JWK) Thumbprint
+    # @param [String] digest_type
+    # @param [JOSE::JWK] jwk
+    # @return [String]
+    def self.thumbprint(digest_type, jwk = nil)
+      if jwk.nil?
+        jwk = digest_type
+        digest_type = nil
+      end
+      return from(jwk).thumbprint(digest_type)
+    end
+
+    # Returns the unique thumbprint for a {JOSE::JWK JOSE::JWK} using the `digest_type`.
+    #
+    # @see JOSE::JWK.thumbprint
+    # @see https://tools.ietf.org/html/rfc7638 RFC 7638 - JSON Web Key (JWK) Thumbprint
+    # @param [String] digest_type
+    # @return [String]
+    def thumbprint(digest_type = nil)
+      digest_type ||= 'SHA256'
+      thumbprint_binary = JOSE.encode(to_thumbprint_map)
+      return JOSE.urlsafe_encode64(OpenSSL::Digest.new(digest_type).digest(thumbprint_binary))
+    end
+
+    # Returns a verifier algorithm list for the key type.
+    #
+    # @param [JOSE::JWK] jwk
+    # @return [Array<String>]
+    def self.verifier(jwk)
+      if jwk.is_a?(Array)
+        return from(jwk).map { |obj| obj.verifier }
+      else
+        return from(jwk).verifier
+      end
+    end
+
+    # Returns a verifier algorithm list for the key type.
+    #
+    # @return [Array<String>]
+    def verifier
+      return kty.verifier(fields)
+    end
+
+    # Verifies the `signed` using the `jwk`.
+    #
+    # @see JOSE::JWS.verify
+    # @param [JOSE::SignedBinary, JOSE::SignedMap] signed
+    # @param [JOSE::JWK] jwk
+    # @return [[Boolean, String, JOSE::JWS]]
     def self.verify(signed, jwk)
       return from(jwk).verify(signed)
     end
 
+    # Verifies the `signed` using the `jwk`.
+    #
+    # @see JOSE::JWS.verify
+    # @param [JOSE::SignedBinary, JOSE::SignedMap] signed
+    # @return [[Boolean, String, JOSE::JWS]]
     def verify(signed)
       return JOSE::JWS.verify(self, signed)
     end
 
+    # Verifies the `signed` using the `jwk` and whitelists the `"alg"` using `allow`.
+    #
+    # @see JOSE::JWS.verify_strict
+    # @param [JOSE::SignedBinary, JOSE::SignedMap] signed
+    # @param [Array<String>] allow
+    # @param [JOSE::JWK] jwk
+    # @return [[Boolean, String, JOSE::JWS]]
     def self.verify_strict(signed, allow, jwk)
       return from(jwk).verify_strict(signed, allow)
     end
 
+    # Verifies the `signed` using the `jwk` and whitelists the `"alg"` using `allow`.
+    #
+    # @see JOSE::JWS.verify_strict
+    # @param [JOSE::SignedBinary, JOSE::SignedMap] signed
+    # @param [Array<String>] allow
+    # @return [[Boolean, String, JOSE::JWS]]
     def verify_strict(signed, allow)
       return JOSE::JWS.verify_strict(self, allow, signed)
     end
 
-    # See https://tools.ietf.org/html/rfc7638
-    def self.thumbprint(digest_type, jwk = nil)
-      if jwk.nil?
-        jwk = digest_type
-        digest_type = nil
-      end
-      return from(jwk).thumbprint(digest_type)
-    end
-
-    def thumbprint(digest_type = nil)
-      digest_type ||= 'SHA256'
-      thumbprint_binary = JOSE.encode(to_thumbprint_map)
-      return JOSE.urlsafe_encode64(OpenSSL::Digest.new(digest_type).digest(thumbprint_binary))
-    end
-
   private
 
     def self.from_fields(jwk, modules)
@@ -451,5 +1041,6 @@ module JOSE
 end
 
 require 'jose/jwk/pem'
+require 'jose/jwk/openssh_key'
 require 'jose/jwk/set'
 require 'jose/jwk/kty'