RubyGems - jose - Versions diffs - 0.2.0 → 0.3.0 - Mend

jose 0.2.0 → 0.3.0

Files changed (40) hide show

checksums.yaml +4 -4
data/.ruby-version +1 -1
data/.travis.yml +2 -2
data/CHANGELOG.md +42 -0
data/README.md +19 -2
data/jose.gemspec +2 -2
data/lib/jose.rb +13 -0
data/lib/jose/jwa/curve25519.rb +5 -4
data/lib/jose/jwa/curve448.rb +5 -4
data/lib/jose/jwe.rb +27 -1
data/lib/jose/jwe/alg.rb +8 -0
data/lib/jose/jwe/alg_aes_gcm_kw.rb +22 -10
data/lib/jose/jwe/alg_aes_kw.rb +20 -11
data/lib/jose/jwe/alg_dir.rb +4 -0
data/lib/jose/jwe/alg_ecdh_es.rb +8 -0
data/lib/jose/jwe/alg_pbes2.rb +51 -16
data/lib/jose/jwe/alg_rsa.rb +23 -15
data/lib/jose/jwe/enc_aes_cbc_hmac.rb +6 -4
data/lib/jose/jwe/enc_aes_gcm.rb +2 -0
data/lib/jose/jwk.rb +37 -3
data/lib/jose/jwk/kty_ec.rb +47 -8
data/lib/jose/jwk/kty_oct.rb +45 -19
data/lib/jose/jwk/kty_okp_ed25519.rb +8 -2
data/lib/jose/jwk/kty_okp_ed25519ph.rb +8 -2
data/lib/jose/jwk/kty_okp_ed448.rb +8 -2
data/lib/jose/jwk/kty_okp_ed448ph.rb +8 -2
data/lib/jose/jwk/kty_okp_x25519.rb +22 -5
data/lib/jose/jwk/kty_okp_x448.rb +22 -5
data/lib/jose/jwk/kty_rsa.rb +16 -7
data/lib/jose/jws.rb +27 -3
data/lib/jose/jws/alg.rb +8 -0
data/lib/jose/jws/alg_ecdsa.rb +13 -0
data/lib/jose/jws/alg_eddsa.rb +4 -0
data/lib/jose/jws/alg_hmac.rb +13 -0
data/lib/jose/jws/alg_none.rb +44 -0
data/lib/jose/jws/alg_rsa_pkcs1_v1_5.rb +13 -0
data/lib/jose/jws/alg_rsa_pss.rb +13 -0
data/lib/jose/jwt.rb +20 -2
data/lib/jose/version.rb +1 -1
metadata +7 -6

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7376ae594edf0f6ec851ffe557de7d6f0f1680cd
-  data.tar.gz: 9a65bee349e4419c92c7b1bd01e08008ae82a2b3
+  metadata.gz: c8b3820a104b8d8b71e1e8557f70aede232595e2
+  data.tar.gz: 3fdaa67a5ed08f9d6f6f8e5249737b3dc22ebe89
 SHA512:
-  metadata.gz: ee8d43fd9d51f20753b853d1da36e8d2dc0cb8f725f20b88f825f5c8f369cb365027654f97bd0ac06f3865afc3119a5b9bbffb0d58e8353ae775b00221138c6b
-  data.tar.gz: 8700bb7d9c63aae53281e3619067d503b35d4ca6691bf7e1782d33709e4c14122a23598dc474e49601d9575fd09d6394c246723a42dca6a0a7758fad90aae39d
+  metadata.gz: dbe1b64dc34bad69cfb2250a54e30eeb5f7ac864431d7d39463dbeaddec4ea3e2975e7a3f09a0c4ba9d82a06e02e4ce0934e2cf97f7ae0782f8c58a78a1d56d5
+  data.tar.gz: 4b96226504359839de7fb9d932b929abf58cf959ccf89ac2d6b6ca045c4ab148e4cfcb7f7b8592fecb8d2313bc6b687fba7789edfddb9fe96a0ef366c4bb7d13

data/.ruby-version CHANGED

	@@ -1 +1 @@
1	- 2.3.0
1	+ 2.3.1

data/.travis.yml CHANGED

@@ -4,10 +4,10 @@ sudo: required
 dist: trusty
 rvm:
-  - 2.3.0
+  - 2.3.1
 notifications:
   email: false
 before_install:
-  - "gem install bundler -v 1.11.2"
+  - "gem install bundler -v 1.12.2"

data/CHANGELOG.md CHANGED

@@ -1,5 +1,47 @@
 # Changelog
+## 0.3.0 (2016-05-05)
+* Enhancements
+  * Added merge functions:
+    * `JOSE::JWE#merge`
+    * `JOSE::JWK#merge`
+    * `JOSE::JWS#merge`
+    * `JOSE::JWT#merge`
+  * Added block_encryptor and signer functions:
+    * `JOSE::JWK#block_encryptor`
+    * `JOSE::JWK#signer`
+  * Support for `"alg"`, `"enc"`, and `"use"` on keys.
+Examples of new functionality:
+```ruby
+# Let's generate a 64 byte octet key
+jwk = JOSE::JWK.generate_key([:oct, 64])
+# => {"k"=>"FXSy7PufOayusvfyKQzdxCegm7yWIMp1b0LD13v57Nq2wF_B-fcr7LDOkufDikmFFsVYWLgrA2zEB--_qqDn3g", "kty"=>"oct"}
+# Based on the key's size and type, a default signer (JWS) can be determined
+jwk.signer
+# => {"alg"=>"HS512"}
+# Based on the key's size and type, a default encryptor (JWE) can be determined
+jwk.block_encryptor
+# => {"alg"=>"dir", "enc"=>"A256CBC-HS512"}
+# Keys can be generated based on the signing algorithm (JWS)
+JOSE::JWS.generate_key({'alg' => 'HS256'})
+# => {"alg"=>"HS256", "k"=>"UuP3Tw2xbGV5N3BGh34cJNzzC2R1zU7i4rOnF9A8nqY", "kty"=>"oct", "use"=>"sig"}
+# Keys can be generated based on the encryption algorithm (JWE)
+JOSE::JWE.generate_key({'alg' => 'dir', 'enc' => 'A128GCM'})
+# => {"alg"=>"dir", "enc"=>"A128GCM", "k"=>"8WNdBjXXwg6QTwrrOnvEPw", "kty"=>"oct", "use"=>"enc"}
+# Example of merging a map into an existing JWS (also works with JWE, JWK, and JWT)
+jws = JOSE::JWS.from({'alg' => 'HS256'})
+jws.merge({'typ' => 'JWT'})
+# => {"alg"=>"HS256", "typ"=>"JWT"}
+```
 ## 0.2.0 (2016-02-25)
 * Enhancements

data/README.md CHANGED

@@ -24,7 +24,25 @@ Or install it yourself as:
 ## Usage
-TODO: Write usage instructions here
+Better documentation is in progress, but the [erlang-jose documentation](https://hexdocs.pm/jose/) can provide an idea of the functionality available in this gem.
+```ruby
+# Let's use our secret key "symmetric key" for use with
+# the HMAC using SHA-256 (HS256) algorithm.
+jwk = JOSE::JWK.from_oct('symmetric key')
+# Here is the JSON format of our JWK.
+jwk.to_binary
+# => "{\"k\":\"c3ltbWV0cmljIGtleQ\",\"kty\":\"oct\"}"
+# Now let's sign our message using HS256.
+signed = jwk.sign('test', { 'alg' => 'HS256' }).compact
+# => "eyJhbGciOiJIUzI1NiJ9.dGVzdA.VlZz7pJCnos0k-WUL9O9RoT9N--2kHSakNIdOg-MIro"
+# We use the same key for verification.
+verified, message, = jwk.verify(signed)
+# => [true, "test"]
+```
 ## Development
@@ -36,7 +54,6 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 Bug reports and pull requests are welcome on GitHub at https://github.com/potatosalad/ruby-jose. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](contributor-covenant.org) code of conduct.
 ## License
 The gem is available as open source under the terms of the [MPL-2.0 License](http://opensource.org/licenses/MPL-2.0).

data/jose.gemspec CHANGED

@@ -29,8 +29,8 @@ Gem::Specification.new do |spec|
   spec.add_dependency "hamster"
-  spec.add_development_dependency "bundler", "~> 1.11"
-  spec.add_development_dependency "rake", "~> 10.5"
+  spec.add_development_dependency "bundler", "~> 1.12"
+  spec.add_development_dependency "rake", "~> 11.1"
   spec.add_development_dependency "minitest"
   spec.add_development_dependency "json"
   spec.add_development_dependency "rbnacl-libsodium"

data/lib/jose.rb CHANGED

@@ -17,6 +17,7 @@ module JOSE
   MUTEX = Mutex.new
   @__crypto_fallback__ = ENV['JOSE_CRYPTO_FALLBACK'] ? true : false
+  @__unsecured_signing__ = ENV['JOSE_UNSECURED_SIGNING'] ? true : false
   def __crypto_fallback__
     return @__crypto_fallback__
@@ -54,6 +55,18 @@ module JOSE
     return JSON.dump(sort_maps(term))
   end
+  def __unsecured_signing__
+    return @__unsecured_signing__
+  end
+  def __unsecured_signing__=(boolean)
+    boolean = !!boolean
+    MUTEX.synchronize {
+      @__unsecured_signing__ = boolean
+      __config_change__
+    }
+  end
   def urlsafe_decode64(binary)
     case binary.bytesize % 4
     when 2

data/lib/jose/jwa/curve25519.rb CHANGED

@@ -29,6 +29,7 @@ module JOSE::JWA::Curve25519
   def __config_change__(lock = true)
     MUTEX.lock if lock
+    @__implementation__ ||= nil
     @__implementation__ = __pick_best_implementation__ if @__implementation__.nil? or @__implementation__.__ruby__? or not @__implementation__.__supported__?
     MUTEX.unlock if lock
   end
@@ -80,11 +81,11 @@ module JOSE::JWA::Curve25519
 private
   def __pick_best_implementation__
     implementation = nil
-    implementation = @__implementations__.detect do |implementation|
-      next implementation.__supported__?
+    implementation = @__implementations__.detect do |mod|
+      next mod.__supported__?
     end
-    implementation ||= @__ruby_implementations__.detect do |implementation|
-      next implementation.__supported__?
+    implementation ||= @__ruby_implementations__.detect do |mod|
+      next mod.__supported__?
     end
     implementation ||= JOSE::JWA::Curve25519_Unsupported
     return implementation

data/lib/jose/jwa/curve448.rb CHANGED

@@ -29,6 +29,7 @@ module JOSE::JWA::Curve448
   def __config_change__(lock = true)
     MUTEX.lock if lock
+    @__implementation__ ||= nil
     @__implementation__ = __pick_best_implementation__ if @__implementation__.nil? or @__implementation__.__ruby__? or not @__implementation__.__supported__?
     MUTEX.unlock if lock
   end
@@ -80,11 +81,11 @@ module JOSE::JWA::Curve448
 private
   def __pick_best_implementation__
     implementation = nil
-    implementation = @__implementations__.detect do |implementation|
-      next implementation.__supported__?
+    implementation = @__implementations__.detect do |mod|
+      next mod.__supported__?
     end
-    implementation ||= @__ruby_implementations__.detect do |implementation|
-      next implementation.__supported__?
+    implementation ||= @__ruby_implementations__.detect do |mod|
+      next mod.__supported__?
     end
     implementation ||= JOSE::JWA::Curve448_Unsupported
     return implementation

data/lib/jose/jwe.rb CHANGED

@@ -138,7 +138,7 @@ module JOSE
       else
         aad_b64 = JOSE.urlsafe_encode64(aad)
         concat_aad = [protected_binary, '.', aad_b64].join
-        cipher_text, cipher_tag = enc.block_encrypt([aad_b64, jwe.compress(plain_text)], cek, iv)
+        cipher_text, cipher_tag = enc.block_encrypt([concat_aad, jwe.compress(plain_text)], cek, iv)
         return JOSE::EncryptedMap[
           'aad'           => aad_b64,
           'ciphertext'    => JOSE.urlsafe_encode64(cipher_text),
@@ -199,6 +199,14 @@ module JOSE
       end
     end
+    def self.generate_key(object, modules = {})
+      return from(object, modules).generate_key
+    end
+    def generate_key
+      return alg.generate_key(fields, enc)
+    end
     def key_decrypt(key, encrypted_key)
       return alg.key_decrypt(key, enc, encrypted_key)
     end
@@ -210,6 +218,24 @@ module JOSE
       return encrypted_key, new_jwe
     end
+    def self.merge(left, right)
+      return from(left).merge(right)
+    end
+    def merge(object)
+      object = case object
+      when JOSE::Map, Hash
+        object
+      when String
+        JOSE.decode(object)
+      when JOSE::JWE
+        object.to_map
+      else
+        raise ArgumentError, "'object' must be a Hash, String, or JOSE::JWE"
+      end
+      return JOSE::JWE.from_map(self.to_map.merge(object))
+    end
     def next_cek(key)
       return alg.next_cek(key, enc)
     end

data/lib/jose/jwe/alg.rb CHANGED

@@ -2,6 +2,14 @@ module JOSE::JWE::ALG
   extend self
+  def generate_key(parameters, algorithm, encryption)
+    return JOSE::JWK.generate_key(parameters).merge({
+      'alg' => algorithm,
+      'enc' => encryption,
+      'use' => 'enc'
+    })
+  end
 end
 require 'jose/jwe/alg_aes_gcm_kw'

data/lib/jose/jwe/alg_aes_gcm_kw.rb CHANGED

@@ -30,16 +30,7 @@ class JOSE::JWE::ALG_AES_GCM_KW < Struct.new(:cipher_name, :bits, :iv, :tag)
   end
   def to_map(fields)
-    alg = case bits
-    when 128
-      'A128GCMKW'
-    when 192
-      'A192GCMKW'
-    when 256
-      'A256GCMKW'
-    else
-      raise ArgumentError, "unhandled JOSE::JWE::ALG_AES_KW bits: #{bits.inspect}"
-    end
+    alg = algorithm
     fields = fields.put('alg', alg)
     if iv
       fields = fields.put('iv', JOSE.urlsafe_encode64(iv))
@@ -52,6 +43,10 @@ class JOSE::JWE::ALG_AES_GCM_KW < Struct.new(:cipher_name, :bits, :iv, :tag)
   # JOSE::JWE::ALG callbacks
+  def generate_key(fields, enc)
+    return JOSE::JWE::ALG.generate_key([:oct, bits.div(8)], algorithm, enc.algorithm)
+  end
   def key_decrypt(key, enc, encrypted_key)
     if iv.nil? or tag.nil?
       raise ArgumentError, "missing required fields for decryption: 'iv' and 'tag'"
@@ -67,6 +62,7 @@ class JOSE::JWE::ALG_AES_GCM_KW < Struct.new(:cipher_name, :bits, :iv, :tag)
     cipher.decrypt
     cipher.key = derived_key
     cipher.iv = iv
+    cipher.padding = 0
     cipher.auth_data = aad
     cipher.auth_tag = cipher_tag
     plain_text = cipher.update(cipher_text) + cipher.final
@@ -85,6 +81,7 @@ class JOSE::JWE::ALG_AES_GCM_KW < Struct.new(:cipher_name, :bits, :iv, :tag)
     cipher.encrypt
     cipher.key = derived_key
     cipher.iv = new_alg.iv
+    cipher.padding = 0
     cipher.auth_data = aad
     cipher_text = cipher.update(plain_text) + cipher.final
     new_alg.tag = cipher.auth_tag
@@ -95,4 +92,19 @@ class JOSE::JWE::ALG_AES_GCM_KW < Struct.new(:cipher_name, :bits, :iv, :tag)
     return enc.next_cek
   end
+  # API functions
+  def algorithm
+    case bits
+    when 128
+      'A128GCMKW'
+    when 192
+      'A192GCMKW'
+    when 256
+      'A256GCMKW'
+    else
+      raise ArgumentError, "unhandled JOSE::JWE::ALG_AES_KW bits: #{bits.inspect}"
+    end
+  end
 end

data/lib/jose/jwe/alg_aes_kw.rb CHANGED

@@ -17,21 +17,15 @@ class JOSE::JWE::ALG_AES_KW < Struct.new(:bits)
   end
   def to_map(fields)
-    alg = case bits
-    when 128
-      'A128KW'
-    when 192
-      'A192KW'
-    when 256
-      'A256KW'
-    else
-      raise ArgumentError, "unhandled JOSE::JWE::ALG_AES_KW bits: #{bits.inspect}"
-    end
-    return fields.put('alg', alg)
+    return fields.put('alg', algorithm)
   end
   # JOSE::JWE::ALG callbacks
+  def generate_key(fields, enc)
+    return JOSE::JWE::ALG.generate_key([:oct, bits.div(8)], algorithm, enc.algorithm)
+  end
   def key_decrypt(key, enc, encrypted_key)
     if key.is_a?(JOSE::JWK)
       key = key.kty.derive_key
@@ -54,4 +48,19 @@ class JOSE::JWE::ALG_AES_KW < Struct.new(:bits)
     return enc.next_cek
   end
+  # API functions
+  def algorithm
+    case bits
+    when 128
+      'A128KW'
+    when 192
+      'A192KW'
+    when 256
+      'A256KW'
+    else
+      raise ArgumentError, "unhandled JOSE::JWE::ALG_AES_KW bits: #{bits.inspect}"
+    end
+  end
 end

data/lib/jose/jwe/alg_dir.rb CHANGED

@@ -17,6 +17,10 @@ class JOSE::JWE::ALG_dir
   # JOSE::JWE::ALG callbacks
+  def generate_key(fields, enc)
+    return JOSE::JWE::ALG.generate_key([:oct, enc.bits.div(8)], 'dir', enc.algorithm)
+  end
   def key_decrypt(key, enc, encrypted_key)
     if key.is_a?(String)
       return key

data/lib/jose/jwe/alg_ecdh_es.rb CHANGED

@@ -47,6 +47,14 @@ class JOSE::JWE::ALG_ECDH_ES < Struct.new(:bits, :epk, :apu, :apv)
   # JOSE::JWE::ALG callbacks
+  def generate_key(fields, enc)
+    if not epk.nil?
+      return JOSE::JWE::ALG.generate_key(epk, algorithm, enc.algorithm)
+    else
+      return JOSE::JWE::ALG.generate_key([:ec, 'P-521'], algorithm, enc.algorithm)
+    end
+  end
   def key_decrypt(box_keys, enc, encrypted_key)
     other_public_key, my_private_key = box_keys
     if my_private_key and epk and epk.to_key != other_public_key.to_key

data/lib/jose/jwe/alg_pbes2.rb CHANGED

@@ -19,13 +19,17 @@ class JOSE::JWE::ALG_PBES2 < Struct.new(:hmac, :bits, :salt, :iter)
       raise ArgumentError, "invalid 'alg' for JWE: #{fields['alg'].inspect}"
     end
     iter = nil
-    if fields['p2c'].is_a?(Integer) and fields['p2c'] >= 0
+    if not fields.has_key?('p2c')
+      iter = 1000
+    elsif fields['p2c'].is_a?(Integer) and fields['p2c'] >= 0
       iter = fields['p2c']
     else
       raise ArgumentError, "invalid 'p2c' for JWE: #{fields['p2c'].inspect}"
     end
     salt = nil
-    if fields.has_key?('p2s') and fields['p2s'].is_a?(String)
+    if not fields.has_key?('p2s')
+      salt = nil
+    elsif fields['p2s'].is_a?(String)
       salt = wrap_salt(fields['alg'], JOSE.urlsafe_decode64(fields['p2s']))
     else
       raise ArgumentError, "invalid 'p2s' for JWE: #{fields['p2s'].inspect}"
@@ -34,22 +38,29 @@ class JOSE::JWE::ALG_PBES2 < Struct.new(:hmac, :bits, :salt, :iter)
   end
   def to_map(fields)
-    alg = if hmac == OpenSSL::Digest::SHA256
-      'PBES2-HS256+A128KW'
-    elsif hmac == OpenSSL::Digest::SHA384
-      'PBES2-HS384+A192KW'
-    elsif hmac == OpenSSL::Digest::SHA512
-      'PBES2-HS512+A256KW'
+    alg = algorithm
+    p2c = iter
+    if salt.nil?
+      return fields.put('alg', alg).put('p2c', p2c)
     else
-      raise ArgumentError, "unhandled JOSE::JWE::ALG_PBES2 hmac: #{hmac.inspect}"
+      p2s = JOSE.urlsafe_encode64(unwrap_salt(alg, salt))
+      return fields.put('alg', alg).put('p2c', p2c).put('p2s', p2s)
     end
-    p2c = iter
-    p2s = JOSE.urlsafe_encode64(unwrap_salt(alg, salt))
-    return fields.put('alg', alg).put('p2c', p2c).put('p2s', p2s)
   end
   # JOSE::JWE::ALG callbacks
+  def generate_key(fields, enc)
+    alg = algorithm
+    extra_fields = {
+      'p2c' => iter
+    }
+    if not salt.nil?
+      extra_fields['p2s'] = JOSE.urlsafe_encode64(unwrap_salt(alg, salt))
+    end
+    return JOSE::JWE::ALG.generate_key([:oct, 16], alg, enc.algorithm).merge(extra_fields)
+  end
   def key_decrypt(key, enc, encrypted_key)
     if key.is_a?(JOSE::JWK)
       key = key.kty.derive_key
@@ -63,18 +74,34 @@ class JOSE::JWE::ALG_PBES2 < Struct.new(:hmac, :bits, :salt, :iter)
     if key.is_a?(JOSE::JWK)
       key = key.kty.derive_key
     end
-    derived_key = OpenSSL::PKCS5.pbkdf2_hmac(key, salt, iter, bits.div(8) + (bits % 8), hmac.new)
+    new_alg = self
+    if new_alg.salt.nil?
+      new_alg = JOSE::JWE::ALG_PBES2.new(hmac, bits, wrap_salt(SecureRandom.random_bytes(8)), iter)
+    end
+    derived_key = OpenSSL::PKCS5.pbkdf2_hmac(key, new_alg.salt, new_alg.iter, new_alg.bits.div(8) + (new_alg.bits % 8), new_alg.hmac.new)
     encrypted_key = JOSE::JWA::AES_KW.wrap(decrypted_key, derived_key)
-    return encrypted_key, self
+    return encrypted_key, new_alg
   end
   def next_cek(key, enc)
     return enc.next_cek
   end
-private
+  # API functions
-  def unwrap_salt(algorithm, salt)
+  def algorithm
+    if hmac == OpenSSL::Digest::SHA256
+      'PBES2-HS256+A128KW'
+    elsif hmac == OpenSSL::Digest::SHA384
+      'PBES2-HS384+A192KW'
+    elsif hmac == OpenSSL::Digest::SHA512
+      'PBES2-HS512+A256KW'
+    else
+      raise ArgumentError, "unhandled JOSE::JWE::ALG_PBES2 hmac: #{hmac.inspect}"
+    end
+  end
+  def self.unwrap_salt(algorithm, salt)
     salt_s = StringIO.new(salt)
     if salt_s.read(algorithm.length) != algorithm or salt_s.getbyte != 0
       raise ArgumentError, "unrecognized salt value"
@@ -83,8 +110,16 @@ private
     end
   end
+  def unwrap_salt(salt)
+    return JOSE::JWE::ALG_PBES2.unwrap_salt(algorithm, salt)
+  end
   def self.wrap_salt(algorithm, salt_input)
     return [algorithm, 0x00, salt_input].pack('a*Ca*')
   end
+  def wrap_salt(salt_input)
+    return JOSE::JWE::ALG_PBES2.wrap_salt(algorithm, salt_input)
+  end
 end