RubyGems - json-jwt - Versions diffs - 0.5.1 → 0.5.2 - Mend

json-jwt 0.5.1 → 0.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of json-jwt might be problematic. Click here for more details.

Files changed (7) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 86380eefda874cbe7e7939e70fdfcffe379395e4
-  data.tar.gz: d2f3fc1ba0a60787927dac2d0b21d8a151488218
+  metadata.gz: 1a480bc0b191d4a57de3c18aee7e779cbe335523
+  data.tar.gz: be9244d6cf17e9b27922c0d71e48e61d29848c55
 SHA512:
-  metadata.gz: 2257bab98f399a6b5da81de323eead584846a68064024655bd58cc06c29305be08ee173b32816fb2d848b47f633c9382d6d1929bf83b2171c159f07a04ad4854
-  data.tar.gz: f4721c5653fd40b4895b9086ca4291e78317a135c9ec22005d9fda471cb9c07a06f278fc9d787b295345ce88f9fa09e569b1430003795e95e394d0bb3a9b33e6
+  metadata.gz: 8d87f52f2d640f6eaca57131e351d2cecb4d81533360001960e1be4da0b461efcd0559a5d8d3828db1586fc2774ad38f07ea5d2169eb0fc3b838b7e2b01de166
+  data.tar.gz: c0bb0d3ac3f4b972cfc484bb58b794f3b392e60706e379cb819f5b4efae39c9bd7bd0c82d636b418958915442cb56ecba2a471833bad961b445585ec8b5a0d1d

data/VERSION CHANGED

	@@ -1 +1 @@
1	- 0.5.1
1	+ 0.5.2

data/lib/json/jwe.rb CHANGED

@@ -159,7 +159,7 @@ module JSON
         public_key_or_secret.public_encrypt master_key
       when :'RSA-OAEP'.to_s
         public_key_or_secret.public_encrypt master_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
-      when :A128KW .to_s
+      when :A128KW.to_s
         raise NotImplementedError.new('A128KW not supported yet')
       when :A256KW.to_s
         raise NotImplementedError.new('A256KW not supported yet')
@@ -245,7 +245,7 @@ module JSON
         private_key_or_secret.private_decrypt encrypted_master_key
       when :'RSA-OAEP'.to_s
         private_key_or_secret.private_decrypt encrypted_master_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
-      when :A128KW .to_s
+      when :A128KW.to_s
         raise NotImplementedError.new('A128KW not supported yet')
       when :A256KW.to_s
         raise NotImplementedError.new('A256KW not supported yet')
@@ -280,7 +280,11 @@ module JSON
     end
     def verify_cbc_integirity_value!
-      # raise UnexpectedAlgorithm.new('TODO')
+      secured_input = input.split('.')[0, 4].join('.')
+      expected_integrity_value = OpenSSL::HMAC.digest sha_digest, integrity_key, secured_input
+      unless integrity_value == expected_integrity_value
+        raise DecryptionFailed.new('Invalid integrity value')
+      end
     end
   end
 end

data/lib/json/jwt.rb CHANGED

@@ -95,7 +95,7 @@ module JSON
         when 4 # JWE
           jwe = JWE.new jwt_string
           jwe.header = MultiJson.load(
-            jwt_string.split('.').first
+            UrlSafeBase64.decode64 jwt_string.split('.').first
           ).with_indifferent_access
           jwe.decrypt! key_or_secret
         else

data/spec/json/jwe_spec.rb CHANGED

@@ -71,6 +71,22 @@ describe JSON::JWE do
       end
     end
+    shared_examples_for :unexpected_algorithm_for_encryption do
+      it do
+        expect do
+          jwe.encrypt!(key).to_s # NOTE: encrypt! won't raise, but to_s does. might need to fix.
+        end.to raise_error JSON::JWE::UnexpectedAlgorithm
+      end
+    end
+    shared_examples_for :unsupported_algorithm_for_encryption do
+      it do
+        expect do
+          jwe.encrypt!(key).to_s # NOTE: encrypt! won't raise, but to_s does. might need to fix.
+        end.to raise_error NotImplementedError
+      end
+    end
     context 'when plaintext given' do
       let(:plain_text) { 'Hello World' }
       let(:jwe) { JSON::JWE.new plain_text }
@@ -110,6 +126,30 @@ describe JSON::JWE do
       context 'when alg=dir' do
         it :TODO
       end
+      context 'when unknonw/unsupported algorithm given' do
+        let(:key) { public_key }
+        let(:alg) { :RSA1_5 }
+        let(:enc) { :'A128CBC+HS256' }
+        before { jwe.alg, jwe.enc = alg, enc }
+        context 'when alg=unknown' do
+          let(:alg) { :unknown }
+          it_behaves_like :unexpected_algorithm_for_encryption
+        end
+        context 'when enc=unknown' do
+          let(:enc) { :unknown }
+          it_behaves_like :unexpected_algorithm_for_encryption
+        end
+        [:A128KW, :A256KW, :'ECDH-ES', :'ECDH-ES+A128KW', :'ECDH-ES+A256KW'].each do |alg|
+          context "when alg=#{alg}" do
+            let(:alg) { alg }
+            it_behaves_like :unsupported_algorithm_for_encryption
+          end
+        end
+      end
     end
     context 'when jwt given' do
@@ -148,10 +188,6 @@ describe JSON::JWE do
           it :TODO
         end
       end
-      context 'when alg=dir' do
-        it :TODO
-      end
     end
   end
@@ -184,6 +220,37 @@ describe JSON::JWE do
       end
     end
+    shared_examples_for :verify_cbc_integrity_value do
+      let(:input) do
+        _jwe_ = JSON::JWE.new plain_text
+        _jwe_.alg, _jwe_.enc = alg, enc
+        _jwe_.encrypt! key
+        _jwe_.to_s + 'tampered'
+      end
+      it do
+        expect do
+          jwe.decrypt! key
+        end.to raise_error JSON::JWE::DecryptionFailed
+      end
+    end
+    shared_examples_for :unexpected_algorithm_for_decryption do
+      it do
+        expect do
+          jwe.decrypt! key
+        end.to raise_error JSON::JWE::UnexpectedAlgorithm
+      end
+    end
+    shared_examples_for :unsupported_algorithm_for_decryption do
+      it do
+        expect do
+          jwe.decrypt! key
+        end.to raise_error NotImplementedError
+      end
+    end
     context 'when alg=RSA1_5' do
       let(:alg) { :RSA1_5 }
       let(:key) { private_key }
@@ -242,11 +309,13 @@ describe JSON::JWE do
       context 'when enc=A128CBC+HS256' do
         let(:enc) { :'A128CBC+HS256' }
         it_behaves_like :decryptable
+        it_behaves_like :verify_cbc_integrity_value
       end
       context 'when enc=A256CBC+HS512' do
         let(:enc) { :'A256CBC+HS512' }
         it_behaves_like :decryptable
+        it_behaves_like :verify_cbc_integrity_value
       end
     end
@@ -255,5 +324,29 @@ describe JSON::JWE do
       let(:key) { 'todo' }
       it :TODO
     end
+    context 'when unknonw/unsupported algorithm given' do
+      let(:input) { 'whatever' }
+      let(:key) { public_key }
+      let(:alg) { :RSA1_5 }
+      let(:enc) { :'A128CBC+HS256' }
+      context 'when alg=unknown' do
+        let(:alg) { :unknown }
+        it_behaves_like :unexpected_algorithm_for_decryption
+      end
+      context 'when enc=unknown' do
+        let(:enc) { :unknown }
+        it_behaves_like :unexpected_algorithm_for_decryption
+      end
+      [:A128KW, :A256KW, :'ECDH-ES', :'ECDH-ES+A128KW', :'ECDH-ES+A256KW'].each do |alg|
+        context "when alg=#{alg}" do
+          let(:alg) { alg }
+          it_behaves_like :unsupported_algorithm_for_decryption
+        end
+      end
+    end
   end
 end

data/spec/json/jwt_spec.rb CHANGED

@@ -148,6 +148,15 @@ describe JSON::JWT do
       end
     end
+    context 'when encrypted' do
+      let(:input) { jwt.encrypt(public_key).to_s }
+      let(:shared_key) { SecureRandom.hex 16 } # default shared key is too short
+      it 'should decryptable' do
+        JSON::JWT.decode(input, private_key).should be_a JSON::JWE
+      end
+    end
     context 'when JSON parse failed' do
       it do
         expect do

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: json-jwt
 version: !ruby/object:Gem::Version
-  version: 0.5.1
+  version: 0.5.2
 platform: ruby
 authors:
 - nov matake
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-04-04 00:00:00.000000000 Z
+date: 2013-04-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: multi_json