json-jwt 1.12.0 → 1.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 68b182c2d39eda33bcfda685dc386a10575c6a30a740104101849d3396d96268
-  data.tar.gz: 0cd7d0f10a6aa740d91055d98804a19589cd004092829d5de250df3a730dc8d2
+  metadata.gz: 881eaf3476eb9b98f7e02ba780e2893398f79f707c55c7e151f1de8f1a344f5c
+  data.tar.gz: fe2329046f613383e73b4b8579d440f6e394457ad3b090fee27c373b47daa690
 SHA512:
-  metadata.gz: 36420fb065425af2ab32d5b6b17dede95077e990a9bcdbd4b71df51b89d7cf751566d8acfb4297b55f5f1e0bda7c44d07597163cfadd4c8168b5b6a65441b263
-  data.tar.gz: 389b33e913fc804c3f824863a105505f54af77a7f9ad95c52d78616084ee5ac0acb4192ec58b7b91f0a50c080acb724debe98be625ad9eb2f9301e2392f02730
+  metadata.gz: d337b0e27607d55697ae6e162b25674fbcc27b21fe23bfa34d42bc4812e0a35f39f95b8eff66b7a4f6de7e78e883450f6e580931164c632a0146253b7ee89d58
+  data.tar.gz: 0fea890071b4038cbc4ee8080d5c99388035f7642707dd1f4303bcafd7f5f9d8c2f517a5d938d988b551d680211ef6909987b6bbd7e3a5d4688136e37a469f54

data/.github/FUNDING.yml

@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+github: nov

data/.github/workflows/test_ruby.yml

@@ -0,0 +1,30 @@
+name: Test Ruby
+
+on:
+  push:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    strategy:
+      matrix:
+        os: ['ubuntu-18.04', 'ubuntu-20.04']
+        ruby-version: ['2.5', '2.6', '2.7', '3.0', '3.1']
+        # ubuntu 22.04 only supports ssl 3 and thus only ruby 3.1
+        include:
+        - os: 'ubuntu-22.04'
+          ruby-version: '3.1'
+    runs-on: ${{ matrix.os }}
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true
+    - name: Run tests
+      run: bundle exec rake

data/.gitmodules

@@ -1,3 +1,3 @@
 [submodule "spec/helpers/json-jwt-nimbus"]
 	path = spec/helpers/json-jwt-nimbus
-	url = git://github.com/nov/json-jwt-nimbus.git
+	url = https://github.com/nov/json-jwt-nimbus.git

data/.travis.yml

@@ -3,9 +3,9 @@ before_install:
   - git submodule update --init --recursive
 
 rvm:
-  - 2.5.8
-  - 2.6.6
-  - 2.7.1
+  - 2.7.6
+  - 3.0.4
+  - 3.1.2
 
 jdk:
   - openjdk11

data/VERSION

@@ -1 +1 @@
-1.12.0
+1.15.0

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "json/jwt"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/json-jwt.gemspec

@@ -12,12 +12,14 @@ Gem::Specification.new do |gem|
   end
   gem.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   gem.require_paths = ['lib']
-  gem.required_ruby_version = '>= 2.3'
+  gem.required_ruby_version = '>= 2.4'
   gem.add_runtime_dependency 'activesupport', '>= 4.2'
   gem.add_runtime_dependency 'bindata'
   gem.add_runtime_dependency 'aes_key_wrap'
+  gem.add_runtime_dependency 'httpclient'
   gem.add_development_dependency 'rake'
   gem.add_development_dependency 'simplecov'
+  gem.add_development_dependency 'webmock'
   gem.add_development_dependency 'rspec'
   gem.add_development_dependency 'rspec-its'
 end

data/lib/json/jose.rb

@@ -7,6 +7,8 @@ module JSON
     included do
       extend ClassMethods
       register_header_keys :alg, :jku, :jwk, :x5u, :x5t, :x5c, :kid, :typ, :cty, :crit
+
+      # NOTE: not used anymore in this gem, but keeping in case developers are calling it.
       alias_method :algorithm, :alg
 
       attr_writer :header

data/lib/json/jwe.rb

@@ -107,7 +107,7 @@ module JSON
     end
 
     def dir?
-      :dir == algorithm&.to_sym
+      :dir == alg&.to_sym
     end
 
     def cipher
@@ -159,7 +159,7 @@ module JSON
     # encryption
 
     def jwe_encrypted_key
-      @jwe_encrypted_key ||= case algorithm&.to_sym
+      @jwe_encrypted_key ||= case alg&.to_sym
       when :RSA1_5
         public_key_or_secret.public_encrypt content_encryption_key
       when :'RSA-OAEP'
@@ -211,7 +211,7 @@ module JSON
 
     def decrypt_content_encryption_key
       fake_content_encryption_key = generate_content_encryption_key # NOTE: do this always not to make timing difference
-      case algorithm&.to_sym
+      case alg&.to_sym
       when :RSA1_5
         private_key_or_secret.private_decrypt jwe_encrypted_key
       when :'RSA-OAEP'

data/lib/json/jwk/jwkizable.rb

@@ -44,6 +44,8 @@ module JSON
             :'P-384'
           when 'secp521r1'
             :'P-521'
+          when 'secp256k1'
+            :secp256k1
           else
             raise UnknownAlgorithm.new('Unknown EC Curve')
           end

data/lib/json/jwk/set/fetcher/debugger/request_filter.rb

@@ -0,0 +1,34 @@
+module JSON
+  class JWK
+    class Set
+      module Fetcher
+        module Debugger
+          class RequestFilter
+            # Callback called in HTTPClient (before sending a request)
+            # request:: HTTP::Message
+            def filter_request(request)
+              started = "======= [JSON::JWK::Set::Fetcher] HTTP REQUEST STARTED ======="
+              log started, request.dump
+            end
+
+            # Callback called in HTTPClient (after received a response)
+            # request::  HTTP::Message
+            # response:: HTTP::Message
+            def filter_response(request, response)
+              finished = "======= [JSON::JWK::Set::Fetcher] HTTP REQUEST FINISHED ======="
+              log '-' * 50, response.dump, finished
+            end
+
+            private
+
+            def log(*outputs)
+              outputs.each do |output|
+                JSON::JWK::Set::Fetcher.logger.info output
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/json/jwk/set/fetcher.rb

@@ -0,0 +1,83 @@
+module JSON
+  class JWK
+    class Set
+      module Fetcher
+        class Cache
+          def fetch(cache_key)
+            yield
+          end
+        end
+
+        def self.logger
+          @@logger
+        end
+        def self.logger=(logger)
+          @@logger = logger
+        end
+        self.logger = Logger.new(STDOUT)
+        self.logger.progname = 'JSON::JWK::Set::Fetcher'
+
+        def self.debugging?
+          @@debugging
+        end
+        def self.debugging=(boolean)
+          @@debugging = boolean
+        end
+        def self.debug!
+          self.debugging = true
+        end
+        def self.debug(&block)
+          original = self.debugging?
+          debug!
+          yield
+        ensure
+          self.debugging = original
+        end
+        self.debugging = false
+
+        def self.http_client
+          _http_client_ = HTTPClient.new(
+            agent_name: "JSON::JWK::Set::Fetcher (#{JSON::JWT::VERSION})"
+          )
+
+          # NOTE: httpclient gem seems stopped maintaining root certtificate set, use OS default.
+          _http_client_.ssl_config.clear_cert_store
+          _http_client_.ssl_config.cert_store.set_default_paths
+
+          _http_client_.request_filter << Debugger::RequestFilter.new if debugging?
+          http_config.try(:call, _http_client_)
+          _http_client_
+        end
+        def self.http_config(&block)
+          @@http_config ||= block
+        end
+
+        def self.cache=(cache)
+          @@cache = cache
+        end
+        def self.cache
+          @@cache
+        end
+        self.cache = Cache.new
+
+        def self.fetch(jwks_uri, kid:)
+          cache_key = [
+            'json:jwk:set',
+            OpenSSL::Digest::MD5.hexdigest(jwks_uri),
+            kid
+          ].collect(&:to_s).join(':')
+          jwks = Set.new(
+            JSON.parse(
+              cache.fetch(cache_key) do
+                http_client.get_content(jwks_uri)
+              end
+            )
+          )
+          jwks.detect do |jwk|
+            jwk[:kid] && jwk[:kid] == kid
+          end or raise JWK::Set::KidNotFound
+        end
+      end
+    end
+  end
+end

data/lib/json/jwk.rb

@@ -88,35 +88,42 @@ module JSON
     end
 
     private
-    
+
     def calculate_default_kid
       self[:kid] = thumbprint
     rescue
       # ignore
     end
-    
+
     def to_rsa_key
       e, n, d, p, q, dp, dq, qi = [:e, :n, :d, :p, :q, :dp, :dq, :qi].collect do |key|
         if self[key]
           OpenSSL::BN.new Base64.urlsafe_decode64(self[key]), 2
         end
       end
-      key = OpenSSL::PKey::RSA.new
-      if key.respond_to? :set_key
-        key.set_key n, e, d
-        key.set_factors p, q if p && q
-        key.set_crt_params dp, dq, qi if dp && dq && qi
-      else
-        key.e = e
-        key.n = n
-        key.d = d if d
-        key.p = p if p
-        key.q = q if q
-        key.dmp1 = dp if dp
-        key.dmq1 = dq if dq
-        key.iqmp = qi if qi
+
+      # Public key
+      data_sequence = OpenSSL::ASN1::Sequence([
+        OpenSSL::ASN1::Integer(n),
+        OpenSSL::ASN1::Integer(e),
+      ])
+
+      if d && p && q && dp && dq && qi
+        data_sequence = OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::Integer(0),
+          OpenSSL::ASN1::Integer(n),
+          OpenSSL::ASN1::Integer(e),
+          OpenSSL::ASN1::Integer(d),
+          OpenSSL::ASN1::Integer(p),
+          OpenSSL::ASN1::Integer(q),
+          OpenSSL::ASN1::Integer(dp),
+          OpenSSL::ASN1::Integer(dq),
+          OpenSSL::ASN1::Integer(qi),
+        ])
       end
-      key
+
+      asn1 = OpenSSL::ASN1::Sequence(data_sequence)
+      OpenSSL::PKey::RSA.new(asn1.to_der)
     end
 
     def to_ec_key
@@ -127,6 +134,8 @@ module JSON
         'secp384r1'
       when :'P-521'
         'secp521r1'
+      when :secp256k1
+        'secp256k1'
       else
         raise UnknownAlgorithm.new('Unknown EC Curve')
       end
@@ -135,13 +144,32 @@ module JSON
           Base64.urlsafe_decode64(self[key])
         end
       end
-      key = OpenSSL::PKey::EC.new curve_name
-      key.private_key = OpenSSL::BN.new(d, 2) if d
-      key.public_key = OpenSSL::PKey::EC::Point.new(
+
+      point = OpenSSL::PKey::EC::Point.new(
         OpenSSL::PKey::EC::Group.new(curve_name),
         OpenSSL::BN.new(['04' + x.unpack('H*').first + y.unpack('H*').first].pack('H*'), 2)
       )
-      key
+
+      # Public key
+      data_sequence = OpenSSL::ASN1::Sequence([
+        OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::ObjectId("id-ecPublicKey"),
+          OpenSSL::ASN1::ObjectId(curve_name)
+        ]),
+        OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed))
+      ])
+
+      if d
+        # Private key
+        data_sequence = OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::Integer(1),
+          OpenSSL::ASN1::OctetString(OpenSSL::BN.new(d, 2).to_s(2)),
+          OpenSSL::ASN1::ObjectId(curve_name, 0, :EXPLICIT),
+          OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed), 1, :EXPLICIT)
+        ])
+      end
+
+      OpenSSL::PKey::EC.new(data_sequence.to_der)
     end
   end
 end

data/lib/json/jws.rb

@@ -13,7 +13,7 @@ module JSON
     end
 
     def sign!(private_key_or_secret)
-      self.alg = autodetected_algorithm_from(private_key_or_secret) if algorithm == :autodetect
+      self.alg = autodetected_algorithm_from(private_key_or_secret) if alg == :autodetect
       self.signature = sign signature_base_string, private_key_or_secret
       self
     end
@@ -43,31 +43,23 @@ module JSON
     private
 
     def digest
-      OpenSSL::Digest.new "SHA#{algorithm.to_s[2, 3]}"
+      OpenSSL::Digest.new "SHA#{alg.to_s[2, 3]}"
     end
 
     def hmac?
-      [:HS256, :HS384, :HS512].include? algorithm&.to_sym
+      [:HS256, :HS384, :HS512].include? alg&.to_sym
     end
 
     def rsa?
-      [:RS256, :RS384, :RS512].include? algorithm&.to_sym
+      [:RS256, :RS384, :RS512].include? alg&.to_sym
     end
 
     def rsa_pss?
-      if [:PS256, :PS384, :PS512].include? algorithm&.to_sym
-        if OpenSSL::VERSION < '2.1.0'
-          raise "#{alg} isn't supported. OpenSSL gem v2.1.0+ is required to use #{alg}."
-        else
-          true
-        end
-      else
-        false
-      end
+      [:PS256, :PS384, :PS512].include? alg&.to_sym
     end
 
     def ecdsa?
-      [:ES256, :ES384, :ES512].include? algorithm&.to_sym
+      [:ES256, :ES384, :ES512, :ES256K].include? alg&.to_sym
     end
 
     def autodetected_algorithm_from(private_key_or_secret)
@@ -85,6 +77,8 @@ module JSON
           :ES384
         when 'secp521r1'
           :ES512
+        when 'secp256k1'
+          :ES256K
         else
           raise UnknownAlgorithm.new('Unknown EC Curve')
         end
@@ -118,8 +112,7 @@ module JSON
         private_key = private_key_or_secret
         verify_ecdsa_group! private_key
         asn1_to_raw(
-          private_key.dsa_sign_asn1(digest.digest signature_base_string),
-          # private_key.sign(digest, signature_base_string), # NOTE: this causes `undefined method `private?'` error in ruby 2.3
+          private_key.sign(digest, signature_base_string),
           private_key
         )
       else
@@ -152,14 +145,19 @@ module JSON
     def verify_ecdsa_group!(key)
       group_name = case digest.digest_length * 8
       when 256
-        :prime256v1
+        case key.group.curve_name
+        when 'secp256k1'
+          :secp256k1
+        else
+          :prime256v1
+        end
       when 384
         :secp384r1
       when 512
         :secp521r1
       end
-      key.group = OpenSSL::PKey::EC::Group.new group_name.to_s
-      key.check_key
+      newkey = OpenSSL::PKey::EC.generate(group_name.to_s)
+      newkey.check_key
     end
 
     def raw_to_asn1(signature, public_key)

data/lib/json/jwt.rb

@@ -1,11 +1,16 @@
 require 'openssl'
 require 'base64'
+require 'httpclient'
 require 'active_support'
 require 'active_support/core_ext'
 require 'json/jose'
 
 module JSON
   class JWT < ActiveSupport::HashWithIndifferentAccess
+    VERSION = ::File.read(
+      ::File.join(::File.dirname(__FILE__), '../../VERSION')
+    ).chomp
+
     attr_accessor :blank_payload
     attr_accessor :signature
 
@@ -132,3 +137,5 @@ require 'json/jwe'
 require 'json/jwk'
 require 'json/jwk/jwkizable'
 require 'json/jwk/set'
+require 'json/jwk/set/fetcher'
+require 'json/jwk/set/fetcher/debugger/request_filter'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: json-jwt
 version: !ruby/object:Gem::Version
-  version: 1.12.0
+  version: 1.15.0
 platform: ruby
 authors:
 - nov matake
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-22 00:00:00.000000000 Z
+date: 2022-08-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -52,6 +52,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: httpclient
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -80,6 +94,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -112,10 +140,13 @@ description: JSON Web Token and its family (JSON Web Signature, JSON Web Encrypt
   and JSON Web Key) in Ruby
 email:
 - nov@matake.jp
-executables: []
+executables:
+- console
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/FUNDING.yml"
+- ".github/workflows/test_ruby.yml"
 - ".gitignore"
 - ".gitmodules"
 - ".rspec"
@@ -125,12 +156,15 @@ files:
 - README.md
 - Rakefile
 - VERSION
+- bin/console
 - json-jwt.gemspec
 - lib/json/jose.rb
 - lib/json/jwe.rb
 - lib/json/jwk.rb
 - lib/json/jwk/jwkizable.rb
 - lib/json/jwk/set.rb
+- lib/json/jwk/set/fetcher.rb
+- lib/json/jwk/set/fetcher/debugger/request_filter.rb
 - lib/json/jws.rb
 - lib/json/jwt.rb
 homepage: https://github.com/nov/json-jwt
@@ -145,14 +179,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.3'
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
 summary: JSON Web Token and its family (JSON Web Signature, JSON Web Encryption and