RubyGems - json-jwt - Versions diffs - 1.13.0 → 1.16.1 - Mend

json-jwt 1.13.0 → 1.16.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of json-jwt might be problematic. Click here for more details.

Files changed (17) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e18796342211bf21448b9bb5b43749894717bc0a270ae7e1679efbbaa387fc4b
-  data.tar.gz: 19b56b26f69a78d2b3ac842865571b973426006b371674ebb6f19cfaf9156385
+  metadata.gz: '0593ae4268dde10889b1e4272e01d7c95f2fdb2c69b365b81b67837b66d30531'
+  data.tar.gz: 27badbcb85bf47a663eed76b859cf0c7d502a0bb683a8f10ce9d8e3539a9149c
 SHA512:
-  metadata.gz: 90e611ff8e6f87f4b4008c15839008b0eaea3abf498e1d40dcfb875c99c7212d558d38ea5e93f74e3dcbfb4c0f05d29d712b8e64152179ccd02602b6ec79c8ca
-  data.tar.gz: 82eb46ca549465d81027f9953f2cde953a582a7912e534a828b1114c78e1f469c9e03c9ebfb6b6609bddf11e1686defe10134fe287ed2b5768e05b8a3b53babf
+  metadata.gz: aa6a607b44857bddb3f1f489c60cea213eaef6c4ab3481ffb3b665b21c4088bc7e12724bda2ca6c66d55cc2032cc392f85d08cabc6e774f5e8cb13bd62ec695d
+  data.tar.gz: c75bd449bb1e6d746e456ea2c58582cfff85a4d285f30d53e4b724f7904d13f626f84899034dffccdf4e9c41db0721b1573d968c45d2c123b1fb1e42e1379f8b

data/.github/FUNDING.yml ADDED Viewed

@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+github: nov

data/.github/workflows/spec.yml ADDED Viewed

@@ -0,0 +1,32 @@
+name: Spec
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+permissions:
+  contents: read
+jobs:
+  spec:
+    strategy:
+      matrix:
+        os: ['ubuntu-20.04']
+        ruby-version: ['2.6', '2.7', '3.0', '3.1']
+        # ubuntu 22.04 only supports ssl 3 and thus only ruby 3.1
+        include:
+        - os: 'ubuntu-22.04'
+          ruby-version: '3.1'
+    runs-on: ${{ matrix.os }}
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true
+    - name: Run Specs
+      run: bundle exec rake spec

data/.gitmodules CHANGED Viewed

@@ -1,3 +1,3 @@
 [submodule "spec/helpers/json-jwt-nimbus"]
 	path = spec/helpers/json-jwt-nimbus
-	url = git://github.com/nov/json-jwt-nimbus.git
+	url = https://github.com/nov/json-jwt-nimbus.git

data/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,11 @@
+## [Unreleased]
+## [1.16.0] - 2022-10-08
+### Added
+- start recording CHANGELOG
+### Changed
+* Switch from httpclient to faraday v2 https://github.com/nov/json-jwt/pull/110

data/README.md CHANGED Viewed

@@ -2,8 +2,6 @@
 JSON Web Token and its family (JSON Web Signature, JSON Web Encryption and JSON Web Key) in Ruby
-[![Build Status](https://secure.travis-ci.org/nov/json-jwt.png)](http://travis-ci.org/nov/json-jwt)
 ## Installation
 ```
@@ -49,6 +47,17 @@ input = "jwt_header.jwt_claims.jwt_signature"
 JSON::JWT.decode(input, public_key)
 ```
+If you need to get a JWK from `jwks_uri` of OpenID Connect IdP, you can use `JSON::JWK::Set::Fetcher` to fetch (& optionally cache) it.
+```ruby
+# JWK Set Fetching & Caching
+# NOTE: Optionally by setting cache instance, JWKs are cached by kid.
+JSON::JWK::Set::Fetcher.cache = Rails.cache
+JSON::JWK::Set::Fetcher.fetch(jwks_uri, kid: kid)
+# => returns JSON::JWK instance or raise JSON::JWK::Set::KidNotFound
+```
 For more details, read [Documentation Wiki](https://github.com/nov/json-jwt/wiki).
 ## Note on Patches/Pull Requests

data/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 1.13.0
1	+ 1.16.1

data/json-jwt.gemspec CHANGED Viewed

@@ -16,8 +16,11 @@ Gem::Specification.new do |gem|
   gem.add_runtime_dependency 'activesupport', '>= 4.2'
   gem.add_runtime_dependency 'bindata'
   gem.add_runtime_dependency 'aes_key_wrap'
+  gem.add_runtime_dependency 'faraday', '~> 2.0'
+  gem.add_runtime_dependency 'faraday-follow_redirects'
   gem.add_development_dependency 'rake'
   gem.add_development_dependency 'simplecov'
+  gem.add_development_dependency 'webmock'
   gem.add_development_dependency 'rspec'
   gem.add_development_dependency 'rspec-its'
 end

data/lib/json/jose.rb CHANGED Viewed

@@ -26,9 +26,7 @@ module JSON
       when JSON::JWK
         key.to_key
       when JSON::JWK::Set
-        key.detect do |jwk|
-          jwk[:kid] && jwk[:kid] == kid
-        end&.to_key or raise JWK::Set::KidNotFound
+        key[kid]&.to_key or raise JWK::Set::KidNotFound
       else
         key
       end

data/lib/json/jwe.rb CHANGED Viewed

@@ -43,9 +43,12 @@ module JSON
       raise UnexpectedAlgorithm.new('Unexpected alg header') unless algorithms.blank? || Array(algorithms).include?(alg)
       raise UnexpectedAlgorithm.new('Unexpected enc header') unless encryption_methods.blank? || Array(encryption_methods).include?(enc)
       self.private_key_or_secret = with_jwk_support private_key_or_secret
-      cipher.decrypt
       self.content_encryption_key = decrypt_content_encryption_key
       self.mac_key, self.encryption_key = derive_encryption_and_mac_keys
+      verify_cbc_authentication_tag! if cbc?
+      cipher.decrypt
       cipher.key = encryption_key
       cipher.iv = iv # NOTE: 'iv' has to be set after 'key' for GCM
       if gcm?
@@ -54,8 +57,15 @@ module JSON
         cipher.auth_tag = authentication_tag
         cipher.auth_data = auth_data
       end
-      self.plain_text = cipher.update(cipher_text) + cipher.final
-      verify_cbc_authentication_tag! if cbc?
+      begin
+        self.plain_text = cipher.update(cipher_text) + cipher.final
+      rescue OpenSSL::OpenSSLError
+        # Ensure that the same error is raised for invalid PKCS7 padding
+        # as for invalid signatures. This prevents padding-oracle attacks.
+        raise DecryptionFailed
+      end
       self
     end
@@ -244,7 +254,7 @@ module JSON
         sha_digest, mac_key, secured_input
       )[0, sha_size / 2 / 8]
       unless secure_compare(authentication_tag, expected_authentication_tag)
-        raise DecryptionFailed.new('Invalid authentication tag')
+        raise DecryptionFailed
       end
     end

data/lib/json/jwk/set/fetcher.rb ADDED Viewed

@@ -0,0 +1,83 @@
+module JSON
+  class JWK
+    class Set
+      module Fetcher
+        class Cache
+          def fetch(cache_key, options = {})
+            yield
+          end
+        end
+        def self.logger
+          @@logger
+        end
+        def self.logger=(logger)
+          @@logger = logger
+        end
+        self.logger = Logger.new(STDOUT)
+        self.logger.progname = 'JSON::JWK::Set::Fetcher'
+        def self.debugging?
+          @@debugging
+        end
+        def self.debugging=(boolean)
+          @@debugging = boolean
+        end
+        def self.debug!
+          self.debugging = true
+        end
+        def self.debug(&block)
+          original = self.debugging?
+          debug!
+          yield
+        ensure
+          self.debugging = original
+        end
+        self.debugging = false
+        def self.http_client
+          Faraday.new(headers: {user_agent: "JSON::JWK::Set::Fetcher #{VERSION}"}) do |faraday|
+            faraday.response :raise_error
+            faraday.response :follow_redirects
+            faraday.response :logger, JSON::JWK::Set::Fetcher.logger if debugging?
+            faraday.adapter Faraday.default_adapter
+            http_config.try(:call, faraday)
+          end
+        end
+        def self.http_config(&block)
+          @@http_config ||= block
+        end
+        def self.cache=(cache)
+          @@cache = cache
+        end
+        def self.cache
+          @@cache
+        end
+        self.cache = Cache.new
+        def self.fetch(jwks_uri, kid:, auto_detect: true, **options)
+          cache_key = [
+            'json:jwk:set',
+            OpenSSL::Digest::MD5.hexdigest(jwks_uri),
+            kid
+          ].collect(&:to_s).join(':')
+          jwks = Set.new(
+            JSON.parse(
+              cache.fetch(cache_key, options) do
+                http_client.get(jwks_uri).body
+              end
+            )
+          )
+          if auto_detect
+            jwks[kid] or raise KidNotFound
+          else
+            jwks
+          end
+        end
+      end
+    end
+  end
+end

data/lib/json/jwk/set.rb CHANGED Viewed

@@ -19,6 +19,12 @@ module JSON
         'application/jwk-set+json'
       end
+      def [](kid)
+        detect do |jwk|
+          jwk[:kid] && jwk[:kid] == kid
+        end
+      end
       def as_json(options = {})
         # NOTE: Array.new wrapper is requied to avoid CircularReferenceError
         {keys: Array.new(self)}

data/lib/json/jwk.rb CHANGED Viewed

@@ -101,22 +101,29 @@ module JSON
           OpenSSL::BN.new Base64.urlsafe_decode64(self[key]), 2
         end
       end
-      key = OpenSSL::PKey::RSA.new
-      if key.respond_to? :set_key
-        key.set_key n, e, d
-        key.set_factors p, q if p && q
-        key.set_crt_params dp, dq, qi if dp && dq && qi
-      else
-        key.e = e
-        key.n = n
-        key.d = d if d
-        key.p = p if p
-        key.q = q if q
-        key.dmp1 = dp if dp
-        key.dmq1 = dq if dq
-        key.iqmp = qi if qi
+      # Public key
+      data_sequence = OpenSSL::ASN1::Sequence([
+        OpenSSL::ASN1::Integer(n),
+        OpenSSL::ASN1::Integer(e),
+      ])
+      if d && p && q && dp && dq && qi
+        data_sequence = OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::Integer(0),
+          OpenSSL::ASN1::Integer(n),
+          OpenSSL::ASN1::Integer(e),
+          OpenSSL::ASN1::Integer(d),
+          OpenSSL::ASN1::Integer(p),
+          OpenSSL::ASN1::Integer(q),
+          OpenSSL::ASN1::Integer(dp),
+          OpenSSL::ASN1::Integer(dq),
+          OpenSSL::ASN1::Integer(qi),
+        ])
       end
-      key
+      asn1 = OpenSSL::ASN1::Sequence(data_sequence)
+      OpenSSL::PKey::RSA.new(asn1.to_der)
     end
     def to_ec_key
@@ -137,13 +144,32 @@ module JSON
           Base64.urlsafe_decode64(self[key])
         end
       end
-      key = OpenSSL::PKey::EC.new curve_name
-      key.private_key = OpenSSL::BN.new(d, 2) if d
-      key.public_key = OpenSSL::PKey::EC::Point.new(
+      point = OpenSSL::PKey::EC::Point.new(
         OpenSSL::PKey::EC::Group.new(curve_name),
         OpenSSL::BN.new(['04' + x.unpack('H*').first + y.unpack('H*').first].pack('H*'), 2)
       )
-      key
+      # Public key
+      data_sequence = OpenSSL::ASN1::Sequence([
+        OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::ObjectId("id-ecPublicKey"),
+          OpenSSL::ASN1::ObjectId(curve_name)
+        ]),
+        OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed))
+      ])
+      if d
+        # Private key
+        data_sequence = OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::Integer(1),
+          OpenSSL::ASN1::OctetString(OpenSSL::BN.new(d, 2).to_s(2)),
+          OpenSSL::ASN1::ObjectId(curve_name, 0, :EXPLICIT),
+          OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed), 1, :EXPLICIT)
+        ])
+      end
+      OpenSSL::PKey::EC.new(data_sequence.to_der)
     end
   end
 end

data/lib/json/jws.rb CHANGED Viewed

@@ -156,8 +156,8 @@ module JSON
       when 512
         :secp521r1
       end
-      key.group = OpenSSL::PKey::EC::Group.new group_name.to_s
-      key.check_key
+      newkey = OpenSSL::PKey::EC.generate(group_name.to_s)
+      newkey.check_key
     end
     def raw_to_asn1(signature, public_key)

data/lib/json/jwt.rb CHANGED Viewed

@@ -1,11 +1,17 @@
 require 'openssl'
 require 'base64'
+require 'faraday'
+require 'faraday/follow_redirects'
 require 'active_support'
 require 'active_support/core_ext'
 require 'json/jose'
 module JSON
   class JWT < ActiveSupport::HashWithIndifferentAccess
+    VERSION = ::File.read(
+      ::File.join(::File.dirname(__FILE__), '../../VERSION')
+    ).chomp
     attr_accessor :blank_payload
     attr_accessor :signature
@@ -132,3 +138,4 @@ require 'json/jwe'
 require 'json/jwk'
 require 'json/jwk/jwkizable'
 require 'json/jwk/set'
+require 'json/jwk/set/fetcher'

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: json-jwt
 version: !ruby/object:Gem::Version
-  version: 1.13.0
+  version: 1.16.1
 platform: ruby
 authors:
 - nov matake
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-05-31 00:00:00.000000000 Z
+date: 2022-10-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -52,6 +52,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: faraday-follow_redirects
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -80,6 +108,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -116,10 +158,12 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/FUNDING.yml"
+- ".github/workflows/spec.yml"
 - ".gitignore"
 - ".gitmodules"
 - ".rspec"
-- ".travis.yml"
+- CHANGELOG.md
 - Gemfile
 - LICENSE
 - README.md
@@ -131,13 +175,14 @@ files:
 - lib/json/jwk.rb
 - lib/json/jwk/jwkizable.rb
 - lib/json/jwk/set.rb
+- lib/json/jwk/set/fetcher.rb
 - lib/json/jws.rb
 - lib/json/jwt.rb
 homepage: https://github.com/nov/json-jwt
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -152,8 +197,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key:
+rubygems_version: 3.3.7
+signing_key:
 specification_version: 4
 summary: JSON Web Token and its family (JSON Web Signature, JSON Web Encryption and
   JSON Web Key) in Ruby

data/.travis.yml DELETED Viewed

@@ -1,11 +0,0 @@
-before_install:
-  - gem install bundler
-  - git submodule update --init --recursive
-rvm:
-  - 2.5.8
-  - 2.6.6
-  - 2.7.1
-jdk:
-  - openjdk11