json-jwt 1.10.0 → 1.13.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of json-jwt might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/.travis.yml +4 -4
- data/VERSION +1 -1
- data/json-jwt.gemspec +4 -3
- data/lib/json/jose.rb +4 -2
- data/lib/json/jwe.rb +11 -10
- data/lib/json/jwk.rb +14 -12
- data/lib/json/jwk/jwkizable.rb +2 -0
- data/lib/json/jws.rb +20 -22
- metadata +5 -48
- data/spec/fixtures/ecdsa/256/private_key.pem +0 -5
- data/spec/fixtures/ecdsa/256/public_key.pem +0 -4
- data/spec/fixtures/ecdsa/384/private_key.pem +0 -6
- data/spec/fixtures/ecdsa/384/public_key.pem +0 -5
- data/spec/fixtures/ecdsa/512/private_key.pem +0 -7
- data/spec/fixtures/ecdsa/512/public_key.pem +0 -6
- data/spec/fixtures/rsa/private_key.der +0 -0
- data/spec/fixtures/rsa/private_key.pem +0 -30
- data/spec/fixtures/rsa/public_key.pem +0 -8
- data/spec/helpers/nimbus_spec_helper.rb +0 -22
- data/spec/helpers/sign_key_fixture_helper.rb +0 -52
- data/spec/interop/with_jsrsasign_spec.rb +0 -49
- data/spec/interop/with_nimbus_jose_spec.rb +0 -99
- data/spec/interop/with_rfc_example_spec.rb +0 -19
- data/spec/json/jwe_spec.rb +0 -351
- data/spec/json/jwk/jwkizable_spec.rb +0 -49
- data/spec/json/jwk/set_spec.rb +0 -75
- data/spec/json/jwk_spec.rb +0 -194
- data/spec/json/jws_spec.rb +0 -440
- data/spec/json/jwt_spec.rb +0 -523
- data/spec/spec_helper.rb +0 -28
@@ -1,6 +0,0 @@
|
|
1
|
-
-----BEGIN PUBLIC KEY-----
|
2
|
-
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBwwIP5rRrqucT1O8LSY6oX8MZdGDl
|
3
|
-
jeJNvh4c3BObaQPqK6PH0z9/x38UYevQ6GmrMSfitg9hmi4axsg8SAvSr/8BQtgR
|
4
|
-
3yX5tX8Ejbz1p7OFItnVEMXaW2AM8TL1jti2phrhwlymLLNUMyldbAGnpyODpNcg
|
5
|
-
2ShWtVdmE3jTiKG7gjY=
|
6
|
-
-----END PUBLIC KEY-----
|
Binary file
|
@@ -1,30 +0,0 @@
|
|
1
|
-
-----BEGIN RSA PRIVATE KEY-----
|
2
|
-
Proc-Type: 4,ENCRYPTED
|
3
|
-
DEK-Info: AES-256-CBC,A6B5D10FFA23D7BC66CE4FB46B754E8C
|
4
|
-
|
5
|
-
gvYFJmzetWSwpf1Ut6USm4IReFLA6bpp5nVUfU2Xa9dJmrCu0cTupTkdzNmGp14/
|
6
|
-
mzeT/a5WplK1hWV41Y7bLm57hOpaoxbEx2h3IW9cxuqgAp422AbafRu6hEvjUONO
|
7
|
-
qUEm63I4d7/FKo0he4IVVx0UHaX5eEq8pdY1AZR9+fqlxWvjpgZlB0anT3AMpfVL
|
8
|
-
CY4sGc/Es14M9A4zUpOkp+09PbV3WNG8A4G4IJA3wx6tYBxrd2866Te2ccP6/BL8
|
9
|
-
HA2uoqeD+70ziybvd//CtGAD1xoTDvOCwzXXT5A4fCuec3apFp8O6WyJ63ao99R4
|
10
|
-
E0r6AvD4iOkLMC8K2YUSc1zFLJAkhlfhBb8qFbXOwOomazWf2Z8rDtkP1VCfB9gC
|
11
|
-
W6oYRBOyVUkbaBSBOOPBJtxjuTL/cJBvFhn6r0zdC67g0CD4cabMPd1VY92lUVbl
|
12
|
-
JvE9CouDB5O39jwfpgfxo3kGev2UzwRze9U2uw6EdYIUB/ixyC8/5BoN8lKZXdTn
|
13
|
-
7vQBmcBsC3boMqQiq2c/dVGW7yrt/Y4q8wq9aGFwdBAY1pYhRlOZ0MwFmlAJKOzo
|
14
|
-
Y3i2OILtPM0sdfqIeAvrwicQULGAzLGEhecDOQ1r0GwZRy5/Sl3ILxKMW8ngdaK4
|
15
|
-
iNDM56u6F9dwqqArrZDZgkfwnKakXU2ZbltSOWTCleCfYrc1D75Yw3FHKcWozB/l
|
16
|
-
uyMTIqzBXzO6OiNDUv7zAE1xzVaV+VeBH/5KGx18dAuRP3TnpYltGSUVDyGk9FX7
|
17
|
-
m7nhvkqOcFJMHOGdTjt2Ff9Ibn3rgCEFI0CjCwcJPo2ym1Zox8GfP0/nXk3p/oWV
|
18
|
-
ebBTvS+yc9HaSm2Al77GDXEwY7NDcTef+3kEtQHpesS+xmC8mFtMEKV8vifXEhpt
|
19
|
-
iNp6gtsfDMtFmrFXCADTaUD1WBmhJQtYUsGsoQ75c5zzUHU93BOswBe2KODCA3Ie
|
20
|
-
X3XKvHTjGw3wjWJvLcnL3EgcHDL1x7ehIA5UgvHFixmkx5D91uIdq4YDMt6xERle
|
21
|
-
JgeLKF9g1qCl9wmxqT4T1J9h9LGMQQEUhth0uTFr6bEpzgg6hFTrPDaI8dOMlcgu
|
22
|
-
ctOH2wFZgRMfrykGIs53rwF4pL+8iy+pakaRRAVTaZIX2CL2dThy0283jTVu9dNn
|
23
|
-
f/Zfu5mNlvsRcXlZMgTy0UMBpXeLMjaWyd+JeAnAeZxO3/ID/Ppg6vcc0Wn8XyB5
|
24
|
-
YUOIQe+Rc0jJnB1zqjww2cB6H5Ke3GjktQqrulHFfEYbn7lj8WLVgDLmellFNOxX
|
25
|
-
k9H2sta5SN/t3fN3oBO0A6JyotQOiBE54yHVpgoc+PBlcrpoOxSZx67lprD+WnlV
|
26
|
-
Ynnf6qIrR9NxgYN00Elzj9KP9OT1ufFrMQ0BnW4EWdFLCScGLsZVlmBKPrtHwK3N
|
27
|
-
FSy3JFMJcpymgNas5+bqIyZGqAZREHH3AWhc2TVl1Kt11g6PZWm3dSafT6SlqgyP
|
28
|
-
Z7OcBEnWr+ZhDeJfnAXrn5siah9eXuT0KtQWlqpSn76dExlfz16Da/3xBtO4ceyz
|
29
|
-
Lk4gzZ1QjP1ZvjarWOIEtkT7eiWaCQHYNVbvFRu5wo98o/KwO3xaPTDN9LCZKGhR
|
30
|
-
-----END RSA PRIVATE KEY-----
|
@@ -1,8 +0,0 @@
|
|
1
|
-
-----BEGIN RSA PUBLIC KEY-----
|
2
|
-
MIIBCgKCAQEAx9vNhcvSrxjsegZAAo4OEuoZOV/oxINEeWneJYczS80/bQ1J6lSS
|
3
|
-
J81qecxXAzCLPlvsFoP4eeUNXSt/G7hP7SAM479N+kY/MzbihJ5LRY9sRzLbQTMe
|
4
|
-
qsmDAmmQe4y3Ke3bvd70r8VOmo5pqM3IPLGwBkTRTQmyRsDQArilg6WtxDUgy5ol
|
5
|
-
2STHFA8E1iCReh9bck8ZaLxzVhYRXZ0nuOKWGRMppocPlp55HVohOItUZh7uSCch
|
6
|
-
LcVAZuhTTNaDLtLIJ6G0yNJvfEieJUhA8wGBoPhD3LMQwQMxTMerpjZhP/qjm6Gg
|
7
|
-
eWpKf+iVil86/PSy/z0Vw06/rD0sfXPtlQIDAQAB
|
8
|
-
-----END RSA PUBLIC KEY-----
|
@@ -1,22 +0,0 @@
|
|
1
|
-
module NimbusSpecHelper
|
2
|
-
module_function
|
3
|
-
|
4
|
-
def setup
|
5
|
-
nimbus_path = File.expand_path(
|
6
|
-
File.join(
|
7
|
-
File.dirname(__FILE__),
|
8
|
-
'json-jwt-nimbus',
|
9
|
-
'nimbus_jwe.rb'
|
10
|
-
)
|
11
|
-
)
|
12
|
-
if File.exist? nimbus_path
|
13
|
-
require nimbus_path
|
14
|
-
end
|
15
|
-
end
|
16
|
-
|
17
|
-
def nimbus_available?
|
18
|
-
defined? NimbusJWE
|
19
|
-
end
|
20
|
-
end
|
21
|
-
|
22
|
-
NimbusSpecHelper.setup
|
@@ -1,52 +0,0 @@
|
|
1
|
-
module SignKeyFixtureHelper
|
2
|
-
def shared_secret
|
3
|
-
'shared-secret'
|
4
|
-
end
|
5
|
-
|
6
|
-
def pem_file(file_name)
|
7
|
-
File.new pem_file_path(file_name)
|
8
|
-
end
|
9
|
-
|
10
|
-
def pem_file_path(file_name)
|
11
|
-
File.join(
|
12
|
-
File.dirname(__FILE__),
|
13
|
-
"../fixtures/#{file_name}.pem"
|
14
|
-
)
|
15
|
-
end
|
16
|
-
|
17
|
-
def der_file_path(file_name)
|
18
|
-
File.join(
|
19
|
-
File.dirname(__FILE__),
|
20
|
-
"../fixtures/#{file_name}.der"
|
21
|
-
)
|
22
|
-
end
|
23
|
-
|
24
|
-
def private_key(algorithm = :rsa, options = {})
|
25
|
-
case algorithm
|
26
|
-
when :rsa
|
27
|
-
OpenSSL::PKey::RSA.new(
|
28
|
-
pem_file("#{algorithm}/private_key"),
|
29
|
-
'pass-phrase'
|
30
|
-
)
|
31
|
-
when :ecdsa
|
32
|
-
OpenSSL::PKey::EC.new(
|
33
|
-
pem_file("#{algorithm}/#{options[:digest_length] || 256}/private_key")
|
34
|
-
)
|
35
|
-
end
|
36
|
-
end
|
37
|
-
|
38
|
-
def public_key(algorithm = :rsa, options = {})
|
39
|
-
case algorithm
|
40
|
-
when :rsa
|
41
|
-
OpenSSL::PKey::RSA.new(
|
42
|
-
pem_file("#{algorithm}/public_key")
|
43
|
-
)
|
44
|
-
when :ecdsa
|
45
|
-
OpenSSL::PKey::EC.new(
|
46
|
-
pem_file("#{algorithm}/#{options[:digest_length] || 256}/public_key")
|
47
|
-
)
|
48
|
-
end
|
49
|
-
end
|
50
|
-
end
|
51
|
-
|
52
|
-
include SignKeyFixtureHelper
|
@@ -1,49 +0,0 @@
|
|
1
|
-
require 'spec_helper'
|
2
|
-
|
3
|
-
describe 'interop' do
|
4
|
-
describe 'with jsrsasign' do
|
5
|
-
context 'JWS' do
|
6
|
-
let(:public_key) do
|
7
|
-
pem = <<-PEM.strip_heredoc
|
8
|
-
-----BEGIN PUBLIC KEY-----
|
9
|
-
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoBUyo8CQAFPeYPvv78ylh5MwFZjT
|
10
|
-
CLQeb042TjiMJxG+9DLFmRSMlBQ9T/RsLLc+PmpB1+7yPAR+oR5gZn3kJQ==
|
11
|
-
-----END PUBLIC KEY-----
|
12
|
-
PEM
|
13
|
-
OpenSSL::PKey::EC.new pem
|
14
|
-
end
|
15
|
-
let(:private_key) do
|
16
|
-
pem = <<-PEM.strip_heredoc
|
17
|
-
-----BEGIN PRIVATE KEY-----
|
18
|
-
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgEbVzfPnZPxfAyxqE
|
19
|
-
ZV05laAoJAl+/6Xt2O4mOB611sOhRANCAASgFTKjwJAAU95g++/vzKWHkzAVmNMI
|
20
|
-
tB5vTjZOOIwnEb70MsWZFIyUFD1P9Gwstz4+akHX7vI8BH6hHmBmfeQl
|
21
|
-
-----END PRIVATE KEY-----
|
22
|
-
PEM
|
23
|
-
OpenSSL::PKey::EC.new pem
|
24
|
-
end
|
25
|
-
let(:jws_string) do
|
26
|
-
'eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2p3dC1pZHAuZXhhbXBsZS5jb20iLCJzdWIiOiJtYWlsdG86bWlrZUBleGFtcGxlLmNvbSIsIm5iZiI6MTQzNTA2MjUyMywiZXhwIjoxNDM1MDY2MTIzLCJpYXQiOjE0MzUwNjI1MjMsImp0aSI6ImlkMTIzNDU2IiwidHlwIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9yZWdpc3RlciJ9.HFmKrExGIFm5SwzTq_ayG80ELUIKnrR9psedV_6ZsuHl5ZLZ-1nV35o0yjKkN7qPQipQMK90xMvDYpi7e2XU9Q'
|
27
|
-
end
|
28
|
-
let(:payload) do
|
29
|
-
{
|
30
|
-
iss: 'https://jwt-idp.example.com',
|
31
|
-
sub: 'mailto:mike@example.com',
|
32
|
-
nbf: 1435062523,
|
33
|
-
exp: 1435066123,
|
34
|
-
iat: 1435062523,
|
35
|
-
jti: 'id123456',
|
36
|
-
typ: 'https://example.com/register'
|
37
|
-
}
|
38
|
-
end
|
39
|
-
|
40
|
-
describe 'verify' do
|
41
|
-
it 'should succeed' do
|
42
|
-
expect do
|
43
|
-
JSON::JWT.decode(jws_string, public_key, :ES256)
|
44
|
-
end.not_to raise_error
|
45
|
-
end
|
46
|
-
end
|
47
|
-
end
|
48
|
-
end
|
49
|
-
end
|
@@ -1,99 +0,0 @@
|
|
1
|
-
require 'spec_helper'
|
2
|
-
|
3
|
-
describe 'interop' do
|
4
|
-
describe 'with Nimbus JOSE' do
|
5
|
-
if NimbusSpecHelper.nimbus_available?
|
6
|
-
context 'JWE' do
|
7
|
-
let(:shared_key) { SecureRandom.hex 16 } # default shared key is too short
|
8
|
-
let(:private_key_path) { der_file_path 'rsa/private_key' }
|
9
|
-
|
10
|
-
describe 'encrypt!' do
|
11
|
-
shared_examples_for :gcm_encryption do
|
12
|
-
context 'when enc=A128GCM' do
|
13
|
-
before { jwe.enc = :A128GCM }
|
14
|
-
|
15
|
-
it 'should decryptable by Nimbus JOSE JWT' do
|
16
|
-
jwe.encrypt! key
|
17
|
-
NimbusJWE.decrypt(jwe, private_key_path).should == plain_text
|
18
|
-
end
|
19
|
-
end
|
20
|
-
|
21
|
-
context 'when enc=A256GCM' do
|
22
|
-
before { jwe.enc = :A256GCM }
|
23
|
-
|
24
|
-
it 'should decryptable by Nimbus JOSE JWT' do
|
25
|
-
jwe.encrypt! key
|
26
|
-
NimbusJWE.decrypt(jwe, private_key_path).should == plain_text
|
27
|
-
end
|
28
|
-
end
|
29
|
-
end
|
30
|
-
|
31
|
-
shared_examples_for :cbc_encryption do
|
32
|
-
context 'when enc=A128CBC-HS256' do
|
33
|
-
before { jwe.enc = :'A128CBC-HS256' }
|
34
|
-
|
35
|
-
it 'should decryptable by Nimbus JOSE JWT' do
|
36
|
-
jwe.encrypt! key
|
37
|
-
NimbusJWE.decrypt(jwe, private_key_path).should == plain_text
|
38
|
-
end
|
39
|
-
end
|
40
|
-
|
41
|
-
context 'when enc=A256CBC-HS512' do
|
42
|
-
before { jwe.enc = :'A256CBC-HS512' }
|
43
|
-
|
44
|
-
it 'should decryptable by Nimbus JOSE JWT' do
|
45
|
-
jwe.encrypt! key
|
46
|
-
NimbusJWE.decrypt(jwe, private_key_path).should == plain_text
|
47
|
-
end
|
48
|
-
end
|
49
|
-
end
|
50
|
-
|
51
|
-
context 'when plaintext given' do
|
52
|
-
let(:plain_text) { 'Hello World' }
|
53
|
-
let(:jwe) { JSON::JWE.new plain_text }
|
54
|
-
|
55
|
-
context 'when alg=RSA1_5' do
|
56
|
-
let(:key) { public_key }
|
57
|
-
before { jwe.alg = :'RSA1_5' }
|
58
|
-
|
59
|
-
it_behaves_like :gcm_encryption if gcm_supported?
|
60
|
-
it_behaves_like :cbc_encryption
|
61
|
-
end
|
62
|
-
|
63
|
-
context 'when alg=RSA-OAEP' do
|
64
|
-
let(:key) { public_key }
|
65
|
-
before { jwe.alg = :'RSA-OAEP' }
|
66
|
-
|
67
|
-
it_behaves_like :gcm_encryption if gcm_supported?
|
68
|
-
it_behaves_like :cbc_encryption
|
69
|
-
end
|
70
|
-
end
|
71
|
-
|
72
|
-
context 'when jwt given' do
|
73
|
-
let(:plain_text) { jwt.to_s }
|
74
|
-
let(:jwt) { JSON::JWT.new(foo: :bar) }
|
75
|
-
let(:jwe) { JSON::JWE.new jwt }
|
76
|
-
|
77
|
-
context 'when alg=RSA-OAEP' do
|
78
|
-
let(:key) { public_key }
|
79
|
-
before { jwe.alg = :'RSA1_5' }
|
80
|
-
|
81
|
-
it_behaves_like :gcm_encryption if gcm_supported?
|
82
|
-
it_behaves_like :cbc_encryption
|
83
|
-
end
|
84
|
-
|
85
|
-
context 'when alg=RSA-OAEP' do
|
86
|
-
let(:key) { public_key }
|
87
|
-
before { jwe.alg = :'RSA-OAEP' }
|
88
|
-
|
89
|
-
it_behaves_like :gcm_encryption if gcm_supported?
|
90
|
-
it_behaves_like :cbc_encryption
|
91
|
-
end
|
92
|
-
end
|
93
|
-
end
|
94
|
-
end
|
95
|
-
else
|
96
|
-
skip 'Nimbus JOSE unavailable'
|
97
|
-
end
|
98
|
-
end
|
99
|
-
end
|
@@ -1,19 +0,0 @@
|
|
1
|
-
require 'spec_helper'
|
2
|
-
|
3
|
-
describe 'interop' do
|
4
|
-
describe 'with RFC Example' do
|
5
|
-
describe 'JWK Thubmprint' do
|
6
|
-
subject do
|
7
|
-
JSON::JWK.new(
|
8
|
-
kty: :RSA,
|
9
|
-
n: '0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw',
|
10
|
-
e: 'AQAB',
|
11
|
-
alg: :RSA256,
|
12
|
-
kid: '2011-04-29'
|
13
|
-
)
|
14
|
-
end
|
15
|
-
|
16
|
-
its(:thumbprint) { should == 'NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs' }
|
17
|
-
end
|
18
|
-
end
|
19
|
-
end
|
data/spec/json/jwe_spec.rb
DELETED
@@ -1,351 +0,0 @@
|
|
1
|
-
require 'spec_helper'
|
2
|
-
|
3
|
-
describe JSON::JWE do
|
4
|
-
let(:private_key_path) { der_file_path 'rsa/private_key' }
|
5
|
-
|
6
|
-
describe '#content_type' do
|
7
|
-
let(:jwe) { JSON::JWE.new 'hello' }
|
8
|
-
it do
|
9
|
-
jwe.content_type.should == 'application/jose'
|
10
|
-
end
|
11
|
-
end
|
12
|
-
|
13
|
-
describe 'encrypt!' do
|
14
|
-
shared_examples_for :gcm_encryption_unsupported do
|
15
|
-
if gcm_supported?
|
16
|
-
skip 'GSM supported'
|
17
|
-
else
|
18
|
-
context 'when enc=A128GCM' do
|
19
|
-
before { jwe.enc = :A128GCM }
|
20
|
-
|
21
|
-
it do
|
22
|
-
expect do
|
23
|
-
jwe.encrypt! key
|
24
|
-
end.to raise_error JSON::JWE::UnexpectedAlgorithm
|
25
|
-
end
|
26
|
-
end
|
27
|
-
|
28
|
-
context 'when enc=A256GCM' do
|
29
|
-
before { jwe.enc = :A256GCM }
|
30
|
-
|
31
|
-
it do
|
32
|
-
expect do
|
33
|
-
jwe.encrypt! key
|
34
|
-
end.to raise_error JSON::JWE::UnexpectedAlgorithm
|
35
|
-
end
|
36
|
-
end
|
37
|
-
end
|
38
|
-
end
|
39
|
-
|
40
|
-
shared_examples_for :unexpected_algorithm_for_encryption do
|
41
|
-
it do
|
42
|
-
expect do
|
43
|
-
jwe.encrypt!(key).to_s # NOTE: encrypt! won't raise, but to_s does. might need to fix.
|
44
|
-
end.to raise_error JSON::JWE::UnexpectedAlgorithm
|
45
|
-
end
|
46
|
-
end
|
47
|
-
|
48
|
-
shared_examples_for :unsupported_algorithm_for_encryption do
|
49
|
-
it do
|
50
|
-
expect do
|
51
|
-
jwe.encrypt!(key).to_s # NOTE: encrypt! won't raise, but to_s does. might need to fix.
|
52
|
-
end.to raise_error NotImplementedError
|
53
|
-
end
|
54
|
-
end
|
55
|
-
|
56
|
-
context 'when plaintext given' do
|
57
|
-
let(:plain_text) { 'Hello World' }
|
58
|
-
let(:jwe) { JSON::JWE.new plain_text }
|
59
|
-
|
60
|
-
context 'when alg=RSA1_5' do
|
61
|
-
let(:key) { public_key }
|
62
|
-
before { jwe.alg = :'RSA1_5' }
|
63
|
-
it_behaves_like :gcm_encryption_unsupported
|
64
|
-
end
|
65
|
-
|
66
|
-
context 'when alg=RSA-OAEP' do
|
67
|
-
let(:key) { public_key }
|
68
|
-
before { jwe.alg = :'RSA-OAEP' }
|
69
|
-
it_behaves_like :gcm_encryption_unsupported
|
70
|
-
end
|
71
|
-
|
72
|
-
context 'when alg=dir' do
|
73
|
-
it :TODO
|
74
|
-
end
|
75
|
-
|
76
|
-
context 'when alg=A128KW' do
|
77
|
-
it :TODO
|
78
|
-
end
|
79
|
-
|
80
|
-
context 'when alg=A256KW' do
|
81
|
-
it :TODO
|
82
|
-
end
|
83
|
-
|
84
|
-
context 'when unknonw/unsupported algorithm given' do
|
85
|
-
let(:key) { public_key }
|
86
|
-
let(:alg) { :RSA1_5 }
|
87
|
-
let(:enc) { :'A128CBC-HS256' }
|
88
|
-
before { jwe.alg, jwe.enc = alg, enc }
|
89
|
-
|
90
|
-
context 'when alg=unknown' do
|
91
|
-
let(:alg) { :unknown }
|
92
|
-
it_behaves_like :unexpected_algorithm_for_encryption
|
93
|
-
end
|
94
|
-
|
95
|
-
context 'when enc=unknown' do
|
96
|
-
let(:enc) { :unknown }
|
97
|
-
it_behaves_like :unexpected_algorithm_for_encryption
|
98
|
-
end
|
99
|
-
|
100
|
-
[:'ECDH-ES', :'ECDH-ES+A128KW', :'ECDH-ES+A256KW'].each do |alg|
|
101
|
-
context "when alg=#{alg}" do
|
102
|
-
let(:alg) { alg }
|
103
|
-
it_behaves_like :unsupported_algorithm_for_encryption
|
104
|
-
end
|
105
|
-
end
|
106
|
-
end
|
107
|
-
end
|
108
|
-
|
109
|
-
context 'when jwt given' do
|
110
|
-
let(:plain_text) { jwt.to_s }
|
111
|
-
let(:jwt) { JSON::JWT.new(foo: :bar) }
|
112
|
-
let(:jwe) { JSON::JWE.new jwt }
|
113
|
-
|
114
|
-
context 'when alg=RSA-OAEP' do
|
115
|
-
let(:key) { public_key }
|
116
|
-
before { jwe.alg = :'RSA1_5' }
|
117
|
-
it_behaves_like :gcm_encryption_unsupported
|
118
|
-
end
|
119
|
-
|
120
|
-
context 'when alg=RSA-OAEP' do
|
121
|
-
let(:key) { public_key }
|
122
|
-
before { jwe.alg = :'RSA-OAEP' }
|
123
|
-
it_behaves_like :gcm_encryption_unsupported
|
124
|
-
end
|
125
|
-
end
|
126
|
-
end
|
127
|
-
|
128
|
-
describe 'decrypt!' do
|
129
|
-
let(:plain_text) { 'Hello World' }
|
130
|
-
let(:jwe_string) do
|
131
|
-
_jwe_ = JSON::JWE.new plain_text
|
132
|
-
_jwe_.alg, _jwe_.enc = alg, enc
|
133
|
-
_jwe_.encrypt! key
|
134
|
-
_jwe_.to_s
|
135
|
-
end
|
136
|
-
let(:jwe) do
|
137
|
-
_jwe_ = JSON::JWE.decode jwe_string, :skip_decryption
|
138
|
-
_jwe_.alg, _jwe_.enc = alg, enc
|
139
|
-
_jwe_
|
140
|
-
end
|
141
|
-
|
142
|
-
shared_examples_for :decryptable do
|
143
|
-
it do
|
144
|
-
jwe.decrypt! key
|
145
|
-
jwe.plain_text.should == plain_text
|
146
|
-
end
|
147
|
-
end
|
148
|
-
|
149
|
-
shared_examples_for :gcm_decryption_unsupported do
|
150
|
-
it do
|
151
|
-
expect do
|
152
|
-
jwe.decrypt! key
|
153
|
-
end.to raise_error JSON::JWE::UnexpectedAlgorithm
|
154
|
-
end
|
155
|
-
end
|
156
|
-
|
157
|
-
shared_examples_for :verify_cbc_authentication_tag do
|
158
|
-
let(:jwe_string) do
|
159
|
-
_jwe_ = JSON::JWE.new plain_text
|
160
|
-
_jwe_.alg, _jwe_.enc = alg, enc
|
161
|
-
_jwe_.encrypt! key
|
162
|
-
_jwe_.to_s + 'tampered'
|
163
|
-
end
|
164
|
-
|
165
|
-
it do
|
166
|
-
expect do
|
167
|
-
jwe.decrypt! key
|
168
|
-
end.to raise_error JSON::JWE::DecryptionFailed
|
169
|
-
end
|
170
|
-
end
|
171
|
-
|
172
|
-
shared_examples_for :verify_gcm_authentication_tag do
|
173
|
-
let(:jwe_string) do
|
174
|
-
_jwe_ = JSON::JWE.new plain_text
|
175
|
-
_jwe_.alg, _jwe_.enc = alg, enc
|
176
|
-
_jwe_.encrypt! key
|
177
|
-
header, key, iv, cipher_text, auth_tag = _jwe_.to_s.split('.')
|
178
|
-
truncated_auth_tag = Base64.urlsafe_decode64(auth_tag).slice(0..-2)
|
179
|
-
truncated_auth_tag = Base64.urlsafe_encode64(truncated_auth_tag, padding: false)
|
180
|
-
[header, key, iv, cipher_text, truncated_auth_tag].join('.')
|
181
|
-
end
|
182
|
-
|
183
|
-
it do
|
184
|
-
expect do
|
185
|
-
jwe.decrypt! key
|
186
|
-
end.to raise_error JSON::JWE::DecryptionFailed
|
187
|
-
end
|
188
|
-
end
|
189
|
-
|
190
|
-
shared_examples_for :unexpected_algorithm_for_decryption do
|
191
|
-
it do
|
192
|
-
expect do
|
193
|
-
jwe.decrypt! key
|
194
|
-
end.to raise_error JSON::JWE::UnexpectedAlgorithm
|
195
|
-
end
|
196
|
-
end
|
197
|
-
|
198
|
-
shared_examples_for :unsupported_algorithm_for_decryption do
|
199
|
-
it do
|
200
|
-
expect do
|
201
|
-
jwe.decrypt! key
|
202
|
-
end.to raise_error NotImplementedError
|
203
|
-
end
|
204
|
-
end
|
205
|
-
|
206
|
-
context 'when alg=RSA1_5' do
|
207
|
-
let(:alg) { :RSA1_5 }
|
208
|
-
let(:key) { private_key }
|
209
|
-
|
210
|
-
context 'when enc=A128GCM' do
|
211
|
-
let(:enc) { :A128GCM }
|
212
|
-
if gcm_supported?
|
213
|
-
it_behaves_like :decryptable
|
214
|
-
it_behaves_like :verify_gcm_authentication_tag
|
215
|
-
else
|
216
|
-
it_behaves_like :gcm_decryption_unsupported
|
217
|
-
end
|
218
|
-
end
|
219
|
-
|
220
|
-
context 'when enc=A256GCM' do
|
221
|
-
let(:enc) { :A256GCM }
|
222
|
-
if gcm_supported?
|
223
|
-
it_behaves_like :decryptable
|
224
|
-
it_behaves_like :verify_gcm_authentication_tag
|
225
|
-
else
|
226
|
-
it_behaves_like :gcm_decryption_unsupported
|
227
|
-
end
|
228
|
-
end
|
229
|
-
|
230
|
-
context 'when enc=A128CBC-HS256' do
|
231
|
-
let(:enc) { :'A128CBC-HS256' }
|
232
|
-
it_behaves_like :decryptable
|
233
|
-
end
|
234
|
-
|
235
|
-
context 'when enc=A256CBC-HS512' do
|
236
|
-
let(:enc) { :'A256CBC-HS512' }
|
237
|
-
it_behaves_like :decryptable
|
238
|
-
end
|
239
|
-
end
|
240
|
-
|
241
|
-
context 'when alg=RSA-OAEP' do
|
242
|
-
let(:alg) { :'RSA-OAEP' }
|
243
|
-
let(:key) { private_key }
|
244
|
-
|
245
|
-
context 'when enc=A128GCM' do
|
246
|
-
let(:enc) { :A128GCM }
|
247
|
-
if gcm_supported?
|
248
|
-
it_behaves_like :decryptable
|
249
|
-
it_behaves_like :verify_gcm_authentication_tag
|
250
|
-
else
|
251
|
-
it_behaves_like :gcm_decryption_unsupported
|
252
|
-
end
|
253
|
-
end
|
254
|
-
|
255
|
-
context 'when enc=A256GCM' do
|
256
|
-
let(:enc) { :A256GCM }
|
257
|
-
if gcm_supported?
|
258
|
-
it_behaves_like :decryptable
|
259
|
-
it_behaves_like :verify_gcm_authentication_tag
|
260
|
-
else
|
261
|
-
it_behaves_like :gcm_decryption_unsupported
|
262
|
-
end
|
263
|
-
end
|
264
|
-
|
265
|
-
context 'when enc=A128CBC-HS256' do
|
266
|
-
let(:enc) { :'A128CBC-HS256' }
|
267
|
-
it_behaves_like :decryptable
|
268
|
-
it_behaves_like :verify_cbc_authentication_tag
|
269
|
-
end
|
270
|
-
|
271
|
-
context 'when enc=A256CBC-HS512' do
|
272
|
-
let(:enc) { :'A256CBC-HS512' }
|
273
|
-
it_behaves_like :decryptable
|
274
|
-
it_behaves_like :verify_cbc_authentication_tag
|
275
|
-
end
|
276
|
-
end
|
277
|
-
|
278
|
-
context 'when alg=dir' do
|
279
|
-
let(:alg) { :dir }
|
280
|
-
let(:key) { SecureRandom.random_bytes key_size }
|
281
|
-
|
282
|
-
context 'when enc=A128GCM' do
|
283
|
-
let(:enc) { :A128GCM }
|
284
|
-
let(:key_size) { 16 }
|
285
|
-
if gcm_supported?
|
286
|
-
it_behaves_like :decryptable
|
287
|
-
it_behaves_like :verify_gcm_authentication_tag
|
288
|
-
else
|
289
|
-
it_behaves_like :gcm_decryption_unsupported
|
290
|
-
end
|
291
|
-
end
|
292
|
-
|
293
|
-
context 'when enc=A256GCM' do
|
294
|
-
let(:enc) { :A256GCM }
|
295
|
-
let(:key_size) { 32 }
|
296
|
-
if gcm_supported?
|
297
|
-
it_behaves_like :decryptable
|
298
|
-
it_behaves_like :verify_gcm_authentication_tag
|
299
|
-
else
|
300
|
-
it_behaves_like :gcm_decryption_unsupported
|
301
|
-
end
|
302
|
-
end
|
303
|
-
|
304
|
-
context 'when enc=A128CBC-HS256' do
|
305
|
-
let(:enc) { :'A128CBC-HS256' }
|
306
|
-
let(:key_size) { 32 }
|
307
|
-
it_behaves_like :decryptable
|
308
|
-
it_behaves_like :verify_cbc_authentication_tag
|
309
|
-
end
|
310
|
-
|
311
|
-
context 'when enc=A256CBC-HS512' do
|
312
|
-
let(:enc) { :'A256CBC-HS512' }
|
313
|
-
let(:key_size) { 64 }
|
314
|
-
it_behaves_like :decryptable
|
315
|
-
it_behaves_like :verify_cbc_authentication_tag
|
316
|
-
end
|
317
|
-
end
|
318
|
-
|
319
|
-
context 'when alg=A128KW' do
|
320
|
-
it :TODO
|
321
|
-
end
|
322
|
-
|
323
|
-
context 'when alg=A256KW' do
|
324
|
-
it :TODO
|
325
|
-
end
|
326
|
-
|
327
|
-
context 'when unknonw/unsupported algorithm given' do
|
328
|
-
let(:input) { 'header.key.iv.cipher_text.auth_tag' }
|
329
|
-
let(:key) { public_key }
|
330
|
-
let(:alg) { :RSA1_5 }
|
331
|
-
let(:enc) { :'A128CBC-HS256' }
|
332
|
-
|
333
|
-
context 'when alg=unknown' do
|
334
|
-
let(:alg) { :unknown }
|
335
|
-
it_behaves_like :unexpected_algorithm_for_decryption
|
336
|
-
end
|
337
|
-
|
338
|
-
context 'when enc=unknown' do
|
339
|
-
let(:enc) { :unknown }
|
340
|
-
it_behaves_like :unexpected_algorithm_for_decryption
|
341
|
-
end
|
342
|
-
|
343
|
-
[:'ECDH-ES', :'ECDH-ES+A128KW', :'ECDH-ES+A256KW'].each do |alg|
|
344
|
-
context "when alg=#{alg}" do
|
345
|
-
let(:alg) { alg }
|
346
|
-
it_behaves_like :unsupported_algorithm_for_decryption
|
347
|
-
end
|
348
|
-
end
|
349
|
-
end
|
350
|
-
end
|
351
|
-
end
|