json-jwt 0.5.1 → 0.5.2

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.

This version of json-jwt might be problematic. Click here for more details.

Files changed (7) hide show
  1. checksums.yaml +4 -4
  2. data/VERSION +1 -1
  3. data/lib/json/jwe.rb +7 -3
  4. data/lib/json/jwt.rb +1 -1
  5. data/spec/json/jwe_spec.rb +97 -4
  6. data/spec/json/jwt_spec.rb +9 -0
  7. metadata +2 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 86380eefda874cbe7e7939e70fdfcffe379395e4
4
- data.tar.gz: d2f3fc1ba0a60787927dac2d0b21d8a151488218
3
+ metadata.gz: 1a480bc0b191d4a57de3c18aee7e779cbe335523
4
+ data.tar.gz: be9244d6cf17e9b27922c0d71e48e61d29848c55
5
5
  SHA512:
6
- metadata.gz: 2257bab98f399a6b5da81de323eead584846a68064024655bd58cc06c29305be08ee173b32816fb2d848b47f633c9382d6d1929bf83b2171c159f07a04ad4854
7
- data.tar.gz: f4721c5653fd40b4895b9086ca4291e78317a135c9ec22005d9fda471cb9c07a06f278fc9d787b295345ce88f9fa09e569b1430003795e95e394d0bb3a9b33e6
6
+ metadata.gz: 8d87f52f2d640f6eaca57131e351d2cecb4d81533360001960e1be4da0b461efcd0559a5d8d3828db1586fc2774ad38f07ea5d2169eb0fc3b838b7e2b01de166
7
+ data.tar.gz: c0bb0d3ac3f4b972cfc484bb58b794f3b392e60706e379cb819f5b4efae39c9bd7bd0c82d636b418958915442cb56ecba2a471833bad961b445585ec8b5a0d1d
data/VERSION CHANGED
@@ -1 +1 @@
1
- 0.5.1
1
+ 0.5.2
data/lib/json/jwe.rb CHANGED
@@ -159,7 +159,7 @@ module JSON
159
159
  public_key_or_secret.public_encrypt master_key
160
160
  when :'RSA-OAEP'.to_s
161
161
  public_key_or_secret.public_encrypt master_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
162
- when :A128KW .to_s
162
+ when :A128KW.to_s
163
163
  raise NotImplementedError.new('A128KW not supported yet')
164
164
  when :A256KW.to_s
165
165
  raise NotImplementedError.new('A256KW not supported yet')
@@ -245,7 +245,7 @@ module JSON
245
245
  private_key_or_secret.private_decrypt encrypted_master_key
246
246
  when :'RSA-OAEP'.to_s
247
247
  private_key_or_secret.private_decrypt encrypted_master_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
248
- when :A128KW .to_s
248
+ when :A128KW.to_s
249
249
  raise NotImplementedError.new('A128KW not supported yet')
250
250
  when :A256KW.to_s
251
251
  raise NotImplementedError.new('A256KW not supported yet')
@@ -280,7 +280,11 @@ module JSON
280
280
  end
281
281
 
282
282
  def verify_cbc_integirity_value!
283
- # raise UnexpectedAlgorithm.new('TODO')
283
+ secured_input = input.split('.')[0, 4].join('.')
284
+ expected_integrity_value = OpenSSL::HMAC.digest sha_digest, integrity_key, secured_input
285
+ unless integrity_value == expected_integrity_value
286
+ raise DecryptionFailed.new('Invalid integrity value')
287
+ end
284
288
  end
285
289
  end
286
290
  end
data/lib/json/jwt.rb CHANGED
@@ -95,7 +95,7 @@ module JSON
95
95
  when 4 # JWE
96
96
  jwe = JWE.new jwt_string
97
97
  jwe.header = MultiJson.load(
98
- jwt_string.split('.').first
98
+ UrlSafeBase64.decode64 jwt_string.split('.').first
99
99
  ).with_indifferent_access
100
100
  jwe.decrypt! key_or_secret
101
101
  else
data/spec/json/jwe_spec.rb CHANGED
@@ -71,6 +71,22 @@ describe JSON::JWE do
71
71
  end
72
72
  end
73
73
 
74
+ shared_examples_for :unexpected_algorithm_for_encryption do
75
+ it do
76
+ expect do
77
+ jwe.encrypt!(key).to_s # NOTE: encrypt! won't raise, but to_s does. might need to fix.
78
+ end.to raise_error JSON::JWE::UnexpectedAlgorithm
79
+ end
80
+ end
81
+
82
+ shared_examples_for :unsupported_algorithm_for_encryption do
83
+ it do
84
+ expect do
85
+ jwe.encrypt!(key).to_s # NOTE: encrypt! won't raise, but to_s does. might need to fix.
86
+ end.to raise_error NotImplementedError
87
+ end
88
+ end
89
+
74
90
  context 'when plaintext given' do
75
91
  let(:plain_text) { 'Hello World' }
76
92
  let(:jwe) { JSON::JWE.new plain_text }
@@ -110,6 +126,30 @@ describe JSON::JWE do
110
126
  context 'when alg=dir' do
111
127
  it :TODO
112
128
  end
129
+
130
+ context 'when unknonw/unsupported algorithm given' do
131
+ let(:key) { public_key }
132
+ let(:alg) { :RSA1_5 }
133
+ let(:enc) { :'A128CBC+HS256' }
134
+ before { jwe.alg, jwe.enc = alg, enc }
135
+
136
+ context 'when alg=unknown' do
137
+ let(:alg) { :unknown }
138
+ it_behaves_like :unexpected_algorithm_for_encryption
139
+ end
140
+
141
+ context 'when enc=unknown' do
142
+ let(:enc) { :unknown }
143
+ it_behaves_like :unexpected_algorithm_for_encryption
144
+ end
145
+
146
+ [:A128KW, :A256KW, :'ECDH-ES', :'ECDH-ES+A128KW', :'ECDH-ES+A256KW'].each do |alg|
147
+ context "when alg=#{alg}" do
148
+ let(:alg) { alg }
149
+ it_behaves_like :unsupported_algorithm_for_encryption
150
+ end
151
+ end
152
+ end
113
153
  end
114
154
 
115
155
  context 'when jwt given' do
@@ -148,10 +188,6 @@ describe JSON::JWE do
148
188
  it :TODO
149
189
  end
150
190
  end
151
-
152
- context 'when alg=dir' do
153
- it :TODO
154
- end
155
191
  end
156
192
  end
157
193
 
@@ -184,6 +220,37 @@ describe JSON::JWE do
184
220
  end
185
221
  end
186
222
 
223
+ shared_examples_for :verify_cbc_integrity_value do
224
+ let(:input) do
225
+ _jwe_ = JSON::JWE.new plain_text
226
+ _jwe_.alg, _jwe_.enc = alg, enc
227
+ _jwe_.encrypt! key
228
+ _jwe_.to_s + 'tampered'
229
+ end
230
+
231
+ it do
232
+ expect do
233
+ jwe.decrypt! key
234
+ end.to raise_error JSON::JWE::DecryptionFailed
235
+ end
236
+ end
237
+
238
+ shared_examples_for :unexpected_algorithm_for_decryption do
239
+ it do
240
+ expect do
241
+ jwe.decrypt! key
242
+ end.to raise_error JSON::JWE::UnexpectedAlgorithm
243
+ end
244
+ end
245
+
246
+ shared_examples_for :unsupported_algorithm_for_decryption do
247
+ it do
248
+ expect do
249
+ jwe.decrypt! key
250
+ end.to raise_error NotImplementedError
251
+ end
252
+ end
253
+
187
254
  context 'when alg=RSA1_5' do
188
255
  let(:alg) { :RSA1_5 }
189
256
  let(:key) { private_key }
@@ -242,11 +309,13 @@ describe JSON::JWE do
242
309
  context 'when enc=A128CBC+HS256' do
243
310
  let(:enc) { :'A128CBC+HS256' }
244
311
  it_behaves_like :decryptable
312
+ it_behaves_like :verify_cbc_integrity_value
245
313
  end
246
314
 
247
315
  context 'when enc=A256CBC+HS512' do
248
316
  let(:enc) { :'A256CBC+HS512' }
249
317
  it_behaves_like :decryptable
318
+ it_behaves_like :verify_cbc_integrity_value
250
319
  end
251
320
  end
252
321
 
@@ -255,5 +324,29 @@ describe JSON::JWE do
255
324
  let(:key) { 'todo' }
256
325
  it :TODO
257
326
  end
327
+
328
+ context 'when unknonw/unsupported algorithm given' do
329
+ let(:input) { 'whatever' }
330
+ let(:key) { public_key }
331
+ let(:alg) { :RSA1_5 }
332
+ let(:enc) { :'A128CBC+HS256' }
333
+
334
+ context 'when alg=unknown' do
335
+ let(:alg) { :unknown }
336
+ it_behaves_like :unexpected_algorithm_for_decryption
337
+ end
338
+
339
+ context 'when enc=unknown' do
340
+ let(:enc) { :unknown }
341
+ it_behaves_like :unexpected_algorithm_for_decryption
342
+ end
343
+
344
+ [:A128KW, :A256KW, :'ECDH-ES', :'ECDH-ES+A128KW', :'ECDH-ES+A256KW'].each do |alg|
345
+ context "when alg=#{alg}" do
346
+ let(:alg) { alg }
347
+ it_behaves_like :unsupported_algorithm_for_decryption
348
+ end
349
+ end
350
+ end
258
351
  end
259
352
  end
data/spec/json/jwt_spec.rb CHANGED
@@ -148,6 +148,15 @@ describe JSON::JWT do
148
148
  end
149
149
  end
150
150
 
151
+ context 'when encrypted' do
152
+ let(:input) { jwt.encrypt(public_key).to_s }
153
+ let(:shared_key) { SecureRandom.hex 16 } # default shared key is too short
154
+
155
+ it 'should decryptable' do
156
+ JSON::JWT.decode(input, private_key).should be_a JSON::JWE
157
+ end
158
+ end
159
+
151
160
  context 'when JSON parse failed' do
152
161
  it do
153
162
  expect do
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: json-jwt
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.5.1
4
+ version: 0.5.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - nov matake
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2013-04-04 00:00:00.000000000 Z
11
+ date: 2013-04-05 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: multi_json