RubyGems - json-jwt - Versions diffs - 0.5.0 → 0.5.1 - Mend

json-jwt 0.5.0 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of json-jwt might be problematic. Click here for more details.

Files changed (7) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7fc22bebad1c3924998f637b07f91089ba1d365f
-  data.tar.gz: 8f969eba9420ffccaeb0053096e039c02fbcfb89
+  metadata.gz: 86380eefda874cbe7e7939e70fdfcffe379395e4
+  data.tar.gz: d2f3fc1ba0a60787927dac2d0b21d8a151488218
 SHA512:
-  metadata.gz: a32887bed2783fb91c98776c70e6a471a6640f59b336b56d4a5576019ab79cdbdbb25bcf149bf26d4710006f03a0699c4dae0137ab61d3895ded29dbd38cdfa2
-  data.tar.gz: 44ee98be92413ef444c90d93529566802a0725a182e55517d5ecea8e8b7b66b5d3386e3dccf7d3b67e728c038ca336f42a2bcf3837ffd2c5c20a2f73b5f0bcfc
+  metadata.gz: 2257bab98f399a6b5da81de323eead584846a68064024655bd58cc06c29305be08ee173b32816fb2d848b47f633c9382d6d1929bf83b2171c159f07a04ad4854
+  data.tar.gz: f4721c5653fd40b4895b9086ca4291e78317a135c9ec22005d9fda471cb9c07a06f278fc9d787b295345ce88f9fa09e569b1430003795e95e394d0bb3a9b33e6

data/.gitignore CHANGED Viewed

@@ -17,6 +17,7 @@ tmtags
 coverage*
 rdoc
 pkg
+Gemfile.lock
 ## PROJECT::SPECIFIC
 .class

data/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 0.5.0
1	+ 0.5.1

data/lib/json/jwe.rb CHANGED Viewed

@@ -7,16 +7,22 @@ module JSON
     class DecryptionFailed < JWT::VerificationFailed; end
     class UnexpectedAlgorithm < JWT::UnexpectedAlgorithm; end
-    attr_accessor :public_key_or_secret, :plain_text, :master_key, :encrypted_master_key, :encryption_key, :integrity_key, :integrity_value, :iv, :cipher_text
+    attr_accessor(
+      :public_key_or_secret, :private_key_or_secret, :mode,
+      :input, :plain_text, :cipher_text, :integrity_value, :iv,
+      :master_key, :encrypted_master_key, :encryption_key, :integrity_key
+    )
     register_header_keys :enc, :epk, :zip, :jku, :jwk, :x5u, :x5t, :x5c, :kid, :typ, :cty, :apu, :apv, :epu, :epv
     alias_method :encryption_method, :enc
-    def initialize(jwt_or_plain_text)
-      self.plain_text = jwt_or_plain_text.to_s
+    def initialize(input)
+      self.input = input.to_s
     end
     def encrypt!(public_key_or_secret)
+      self.mode = :encyption
+      self.plain_text = input
       self.public_key_or_secret = public_key_or_secret
       cipher.encrypt
       generate_cipher_keys!
@@ -24,24 +30,37 @@ module JSON
       self
     end
-    def decrypt!
-      raise NotImplementedError.new('JWE decryption not supported yet')
+    def decrypt!(private_key_or_secret)
+      self.mode = :decryption
+      self.private_key_or_secret = private_key_or_secret
+      decode_segments!
+      cipher.decrypt
+      restore_cipher_keys!
+      self.plain_text = cipher.update(cipher_text) + cipher.final
+      verify_cbc_integirity_value! if cbc?
+      self
     end
     def to_s
-      [
-        header.to_json,
-        encrypted_master_key,
-        iv,
-        cipher_text,
-        integrity_value
-      ].collect do |segment|
-        UrlSafeBase64.encode64 segment.to_s
-      end.join('.')
+      if mode == :encyption
+        [
+          header.to_json,
+          encrypted_master_key,
+          iv,
+          cipher_text,
+          integrity_value
+        ].collect do |segment|
+          UrlSafeBase64.encode64 segment.to_s
+        end.join('.')
+      else
+        plain_text
+      end
     end
     private
+    # common
     def gcm_supported?
       RUBY_VERSION >= '2.0.0' && OpenSSL::OPENSSL_VERSION >= 'OpenSSL 1.0.1c'
     end
@@ -96,6 +115,44 @@ module JSON
       OpenSSL::Digest::Digest.new "SHA#{sha_size}"
     end
+    def derive_cbc_encryption_and_integirity_keys!
+      encryption_key_size = sha_size / 2
+      integrity_key_size = sha_size
+      encryption_segments = [
+        1,
+        master_key,
+        encryption_key_size,
+        encryption_method,
+        epu || 0,
+        epv || 0,
+        'Encryption'
+      ]
+      integrity_segments = [
+        1,
+        master_key,
+        integrity_key_size,
+        encryption_method,
+        epu || 0,
+        epv || 0,
+        'Integrity'
+      ]
+      encryption_hash_input, integrity_hash_input = [encryption_segments, integrity_segments].collect do |segments|
+        segments.collect do |segment|
+          case segment
+          when Integer
+            BinData::Int32be.new(segment).to_binary_s
+          else
+            segment.to_s
+          end
+        end.join
+      end
+      self.encryption_key = sha_digest.digest(encryption_hash_input)[0, encryption_key_size / 8]
+      self.integrity_key = sha_digest.digest integrity_hash_input
+      self
+    end
+    # encyption
     def encrypted_master_key
       @encrypted_master_key ||= case algorithm.to_s
       when :RSA1_5.to_s
@@ -126,8 +183,8 @@ module JSON
       when cbc?
         generate_cbc_keys!
       end
-      @cipher.key = encryption_key
-      self.iv = @cipher.random_iv
+      cipher.key = encryption_key
+      self.iv = cipher.random_iv
       if gcm?
         cipher.auth_data = [header.to_json, encrypted_master_key, iv].collect do |segment|
           UrlSafeBase64.encode64 segment.to_s
@@ -140,7 +197,7 @@ module JSON
       self.master_key ||= if dir?
         public_key_or_secret
       else
-        @cipher.random_key
+        cipher.random_key
       end
       self.encryption_key = master_key
       self.integrity_key = :wont_be_used
@@ -148,50 +205,19 @@ module JSON
     end
     def generate_cbc_keys!
-      encryption_key_size = sha_size / 2
-      integrity_key_size = master_key_size = sha_size
       self.master_key ||= if dir?
         public_key_or_secret
       else
-        SecureRandom.random_bytes master_key_size / 8
+        SecureRandom.random_bytes sha_size / 8
       end
-      encryption_segments = [
-        1,
-        master_key,
-        encryption_key_size,
-        encryption_method,
-        epu || 0,
-        epv || 0,
-        'Encryption'
-      ]
-      integrity_segments = [
-        1,
-        master_key,
-        integrity_key_size,
-        encryption_method,
-        epu || 0,
-        epv || 0,
-        'Integrity'
-      ]
-      encryption_hash_input, integrity_hash_input = [encryption_segments, integrity_segments].collect do |segments|
-        segments.collect do |segment|
-          case segment
-          when Integer
-            BinData::Int32be.new(segment).to_binary_s
-          else
-            segment.to_s
-          end
-        end.join
-      end
-      self.encryption_key = sha_digest.digest(encryption_hash_input)[0, encryption_key_size / 8]
-      self.integrity_key = sha_digest.digest integrity_hash_input
-      self
+      derive_cbc_encryption_and_integirity_keys!
     end
     def integrity_value
-      @integrity_value ||= if gcm?
+      @integrity_value ||= case
+      when gcm?
         cipher.auth_tag
-      else
+      when cbc?
         secured_input = [
           header.to_json,
           encrypted_master_key,
@@ -202,7 +228,59 @@ module JSON
         end.join('.')
         OpenSSL::HMAC.digest sha_digest, integrity_key, secured_input
       end
-      @integrity_value
+    end
+    # decryption
+    def decode_segments!
+      _header_json_, self.encrypted_master_key, self.iv, self.cipher_text, self.integrity_value = input.split('.').collect do |segment|
+        UrlSafeBase64.decode64 segment
+      end
+      self
+    end
+    def decrypt_master_key
+      case algorithm.to_s
+      when :RSA1_5.to_s
+        private_key_or_secret.private_decrypt encrypted_master_key
+      when :'RSA-OAEP'.to_s
+        private_key_or_secret.private_decrypt encrypted_master_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
+      when :A128KW .to_s
+        raise NotImplementedError.new('A128KW not supported yet')
+      when :A256KW.to_s
+        raise NotImplementedError.new('A256KW not supported yet')
+      when :dir.to_s
+        private_key_or_secret
+      when :'ECDH-ES'.to_s
+        raise NotImplementedError.new('ECDH-ES not supported yet')
+      when :'ECDH-ES+A128KW'.to_s
+        raise NotImplementedError.new('ECDH-ES+A128KW not supported yet')
+      when :'ECDH-ES+A256KW'.to_s
+        raise NotImplementedError.new('ECDH-ES+A256KW not supported yet')
+      else
+        raise UnexpectedAlgorithm.new('Unknown Encryption Algorithm')
+      end
+    end
+    def restore_cipher_keys!
+      self.master_key = decrypt_master_key
+      case
+      when gcm?
+        self.encryption_key = master_key
+        self.integrity_key = :wont_be_used
+      when cbc?
+        derive_cbc_encryption_and_integirity_keys!
+      end
+      cipher.key = encryption_key
+      cipher.iv = iv # NOTE: 'iv' has to be set after 'key' for GCM
+      if gcm?
+        cipher.auth_tag = integrity_value
+        cipher.auth_data = input.split('.')[0, 3].join('.')
+      end
+    end
+    def verify_cbc_integirity_value!
+      # raise UnexpectedAlgorithm.new('TODO')
     end
   end
 end

data/spec/json/jwe_spec.rb CHANGED Viewed

@@ -154,4 +154,106 @@ describe JSON::JWE do
       end
     end
   end
+  describe 'decrypt!' do
+    let(:plain_text) { 'Hello World' }
+    let(:input) do
+      _jwe_ = JSON::JWE.new plain_text
+      _jwe_.alg, _jwe_.enc = alg, enc
+      _jwe_.encrypt! key
+      _jwe_.to_s
+    end
+    let(:jwe) do
+      _jwe_ = JSON::JWE.new input
+      _jwe_.alg, _jwe_.enc = alg, enc
+      _jwe_
+    end
+    shared_examples_for :decryptable do
+      it do
+        jwe.decrypt! key
+        jwe.to_s.should == plain_text
+      end
+    end
+    shared_examples_for :gcm_decryption_unsupported do
+      it do
+        expect do
+          jwe.decrypt! key
+        end.to raise_error JSON::JWE::UnexpectedAlgorithm
+      end
+    end
+    context 'when alg=RSA1_5' do
+      let(:alg) { :RSA1_5 }
+      let(:key) { private_key }
+      context 'when enc=A128GCM' do
+        let(:enc) { :A128GCM }
+        if gcm_supported?
+          it_behaves_like :decryptable
+        else
+          it_behaves_like :gcm_decryption_unsupported
+        end
+      end
+      context 'when enc=A256GCM' do
+        let(:enc) { :A256GCM }
+        if gcm_supported?
+          it_behaves_like :decryptable
+        else
+          it_behaves_like :gcm_decryption_unsupported
+        end
+      end
+      context 'when enc=A128CBC+HS256' do
+        let(:enc) { :'A128CBC+HS256' }
+        it_behaves_like :decryptable
+      end
+      context 'when enc=A256CBC+HS512' do
+        let(:enc) { :'A256CBC+HS512' }
+        it_behaves_like :decryptable
+      end
+    end
+    context 'when alg=RSA-OAEP' do
+      let(:alg) { :'RSA-OAEP' }
+      let(:key) { private_key }
+      context 'when enc=A128GCM' do
+        let(:enc) { :A128GCM }
+        if gcm_supported?
+          it_behaves_like :decryptable
+        else
+          it_behaves_like :gcm_decryption_unsupported
+        end
+      end
+      context 'when enc=A256GCM' do
+        let(:enc) { :A256GCM }
+        if gcm_supported?
+          it_behaves_like :decryptable
+        else
+          it_behaves_like :gcm_decryption_unsupported
+        end
+      end
+      context 'when enc=A128CBC+HS256' do
+        let(:enc) { :'A128CBC+HS256' }
+        it_behaves_like :decryptable
+      end
+      context 'when enc=A256CBC+HS512' do
+        let(:enc) { :'A256CBC+HS512' }
+        it_behaves_like :decryptable
+      end
+    end
+    context 'when alg=dir' do
+      let(:alg) { :dir }
+      let(:key) { 'todo' }
+      it :TODO
+    end
+  end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: json-jwt
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.5.1
 platform: ruby
 authors:
 - nov matake
@@ -135,7 +135,6 @@ files:
 - .rspec
 - .travis.yml
 - Gemfile
-- Gemfile.lock
 - LICENSE
 - README.rdoc
 - Rakefile
@@ -182,7 +181,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.0.0
+rubygems_version: 2.0.3
 signing_key:
 specification_version: 4
 summary: JSON Web Token and its family (JSON Web Signature, JSON Web Encryption and
@@ -205,4 +204,3 @@ test_files:
 - spec/json/jws_spec.rb
 - spec/json/jwt_spec.rb
 - spec/spec_helper.rb
-has_rdoc:

data/Gemfile.lock DELETED Viewed

@@ -1,44 +0,0 @@
-PATH
-  remote: .
-  specs:
-    json-jwt (0.4.3)
-      activesupport (>= 2.3)
-      i18n
-      multi_json (>= 1.3)
-      url_safe_base64
-GEM
-  remote: http://rubygems.org/
-  specs:
-    activesupport (3.2.12)
-      i18n (~> 0.6)
-      multi_json (~> 1.0)
-    configatron (2.10.0)
-      yamler (>= 0.1.0)
-    cover_me (1.2.0)
-      configatron
-      hashie
-    diff-lcs (1.2.1)
-    hashie (2.0.2)
-    i18n (0.6.4)
-    multi_json (1.6.1)
-    rake (10.0.3)
-    rspec (2.13.0)
-      rspec-core (~> 2.13.0)
-      rspec-expectations (~> 2.13.0)
-      rspec-mocks (~> 2.13.0)
-    rspec-core (2.13.0)
-    rspec-expectations (2.13.0)
-      diff-lcs (>= 1.1.3, < 2.0)
-    rspec-mocks (2.13.0)
-    url_safe_base64 (0.2.1)
-    yamler (0.1.0)
-PLATFORMS
-  ruby
-DEPENDENCIES
-  cover_me (>= 1.2.0)
-  json-jwt!
-  rake (>= 0.8)
-  rspec (>= 2)