json-jwt 1.15.3.1 → 1.16.6

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: c3d9dceefdfb0168531cd68668848730898141b097c5541cde5cbb95a1bc24d7
4
- data.tar.gz: 9dd27ddf48a2102ee1da5b8a7da411d10393fb622570a170b63dc328d50db7b3
3
+ metadata.gz: 67d205daa24111b954cc01c6b9b68baf98c0f932a6afc02c86ca0ff766d4bdd2
4
+ data.tar.gz: e2d61533659adb4d6d99314aeb0ff7581c1806a09604d4060e0433ceadc82c47
5
5
  SHA512:
6
- metadata.gz: edbf0b0eb0521841aae74427293f66595ab30dee065b59b21bf0e3bd57f929b8d700caa67d8458e6e832819d962998862067eb8de0ea5530db967f89e4b19cbc
7
- data.tar.gz: d7dcc87bf09ef1ddcf9b81306c41db9286e62f9f9b90c7838a1073f6d88cdc8a8114be0834dc54c2b1e4a69a7355771257b0093ec63b1554b3bfaeab685b022a
6
+ metadata.gz: 23bfcadd5ef026d90357e2c9501783811f2e10d9a4950269024e4181a8c3b235077066bf0da00d8334159bf4d8d69ddd49754f60e1a93dcef0f4b5a9bb531118
7
+ data.tar.gz: 3b22c8b470f40c0b392a1236aad0b2921bc629e915351d41db384ad9c302926c4144be36f859b6e70242c15ca909e69535a0abeac4a3ed1f7d01f2397811796d
@@ -1,22 +1,23 @@
1
- name: Test Ruby
1
+ name: Spec
2
2
 
3
3
  on:
4
4
  push:
5
+ branches:
6
+ - main
5
7
  pull_request:
6
8
 
7
9
  permissions:
8
10
  contents: read
9
11
 
10
12
  jobs:
11
- test:
13
+ spec:
12
14
  strategy:
13
15
  matrix:
14
- os: ['ubuntu-20.04']
15
- ruby-version: ['2.6', '2.7', '3.0', '3.1']
16
- # ubuntu 22.04 only supports ssl 3 and thus only ruby 3.1
16
+ os: ['ubuntu-20.04', 'ubuntu-22.04']
17
+ ruby-version: ['3.1', '3.2', '3.3']
17
18
  include:
18
- - os: 'ubuntu-22.04'
19
- ruby-version: '3.1'
19
+ - os: 'ubuntu-20.04'
20
+ ruby-version: '3.0'
20
21
  runs-on: ${{ matrix.os }}
21
22
 
22
23
  steps:
@@ -26,5 +27,5 @@ jobs:
26
27
  with:
27
28
  ruby-version: ${{ matrix.ruby-version }}
28
29
  bundler-cache: true
29
- - name: Run tests
30
- run: bundle exec rake
30
+ - name: Run Specs
31
+ run: bundle exec rake spec
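--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -0,0 +1,17 @@
+## [Unreleased]
+
+## [1.16.0] - 2022-10-08
+
+### Fixed
+
+- Remove padding oracle by @btoews in https://github.com/nov/json-jwt/pull/109
+
+## [1.16.0] - 2022-10-08
+
+### Added
+
+- start recording CHANGELOG
+
+### Changed
+
+* Switch from httpclient to faraday v2 https://github.com/nov/json-jwt/pull/110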
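--- a/data/README.md
+++ b/data/README.md
@@ -2,8 +2,6 @@
 
 JSON Web Token and its family (JSON Web Signature, JSON Web Encryption and JSON Web Key) in Ruby
 
-[![Build Status](https://secure.travis-ci.org/nov/json-jwt.png)](http://travis-ci.org/nov/json-jwt)
-
 ## Installation
 
 ```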
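--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-1.15.3.1
+1.16.6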
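--- a/data/json-jwt.gemspec
+++ b/data/json-jwt.gemspec
@@ -14,9 +14,11 @@ Gem::Specification.new do |gem|
 gem.require_paths = ['lib']
 gem.required_ruby_version = '>= 2.4'
 gem.add_runtime_dependency 'activesupport', '>= 4.2'
+gem.add_runtime_dependency 'base64'
 gem.add_runtime_dependency 'bindata'
 gem.add_runtime_dependency 'aes_key_wrap'
-gem.add_runtime_dependency 'httpclient'
+gem.add_runtime_dependency 'faraday', '~> 2.0'
+gem.add_runtime_dependency 'faraday-follow_redirects'
 gem.add_development_dependency 'rake'
 gem.add_development_dependency 'simplecov'
 gem.add_development_dependency 'webmock'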
data/lib/json/jwe.rb CHANGED
@@ -43,9 +43,12 @@ module JSON
43
43
  raise UnexpectedAlgorithm.new('Unexpected alg header') unless algorithms.blank? || Array(algorithms).include?(alg)
44
44
  raise UnexpectedAlgorithm.new('Unexpected enc header') unless encryption_methods.blank? || Array(encryption_methods).include?(enc)
45
45
  self.private_key_or_secret = with_jwk_support private_key_or_secret
46
- cipher.decrypt
47
46
  self.content_encryption_key = decrypt_content_encryption_key
48
47
  self.mac_key, self.encryption_key = derive_encryption_and_mac_keys
48
+
49
+ verify_cbc_authentication_tag! if cbc?
50
+
51
+ cipher.decrypt
49
52
  cipher.key = encryption_key
50
53
  cipher.iv = iv # NOTE: 'iv' has to be set after 'key' for GCM
51
54
  if gcm?
@@ -54,8 +57,15 @@ module JSON
54
57
  cipher.auth_tag = authentication_tag
55
58
  cipher.auth_data = auth_data
56
59
  end
57
- self.plain_text = cipher.update(cipher_text) + cipher.final
58
- verify_cbc_authentication_tag! if cbc?
60
+
61
+ begin
62
+ self.plain_text = cipher.update(cipher_text) + cipher.final
63
+ rescue OpenSSL::OpenSSLError
64
+ # Ensure that the same error is raised for invalid PKCS7 padding
65
+ # as for invalid signatures. This prevents padding-oracle attacks.
66
+ raise DecryptionFailed
67
+ end
68
+
59
69
  self
60
70
  end
61
71
 
@@ -244,7 +254,7 @@ module JSON
244
254
  sha_digest, mac_key, secured_input
245
255
  )[0, sha_size / 2 / 8]
246
256
  unless secure_compare(authentication_tag, expected_authentication_tag)
247
- raise DecryptionFailed.new('Invalid authentication tag')
257
+ raise DecryptionFailed
248
258
  end
249
259
  end
250
260
 
@@ -6,6 +6,8 @@ module JSON
6
6
  def fetch(cache_key, options = {})
7
7
  yield
8
8
  end
9
+
10
+ def delete(cache_key, options = {}); end
9
11
  end
10
12
 
11
13
  def self.logger
@@ -36,17 +38,13 @@ module JSON
36
38
  self.debugging = false
37
39
 
38
40
  def self.http_client
39
- _http_client_ = HTTPClient.new(
40
- agent_name: "JSON::JWK::Set::Fetcher (#{JSON::JWT::VERSION})"
41
- )
42
-
43
- # NOTE: httpclient gem seems stopped maintaining root certtificate set, use OS default.
44
- _http_client_.ssl_config.clear_cert_store
45
- _http_client_.ssl_config.cert_store.set_default_paths
46
-
47
- _http_client_.request_filter << Debugger::RequestFilter.new if debugging?
48
- http_config.try(:call, _http_client_)
49
- _http_client_
41
+ Faraday.new(headers: {user_agent: "JSON::JWK::Set::Fetcher #{VERSION}"}) do |faraday|
42
+ faraday.response :raise_error
43
+ faraday.response :follow_redirects
44
+ faraday.response :logger, JSON::JWK::Set::Fetcher.logger if debugging?
45
+ faraday.adapter Faraday.default_adapter
46
+ http_config.try(:call, faraday)
47
+ end
50
48
  end
51
49
  def self.http_config(&block)
52
50
  @@http_config ||= block
@@ -70,10 +68,11 @@ module JSON
70
68
  jwks = Set.new(
71
69
  JSON.parse(
72
70
  cache.fetch(cache_key, options) do
73
- http_client.get_content(jwks_uri)
71
+ http_client.get(jwks_uri).body
74
72
  end
75
73
  )
76
74
  )
75
+ cache.delete(cache_key, options) if jwks[kid].blank?
77
76
 
78
77
  if auto_detect
79
78
  jwks[kid] or raise KidNotFound
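--- a/data/lib/json/jws.rb
+++ b/data/lib/json/jws.rb
@@ -124,7 +124,8 @@ module JSON
 public_key_or_secret = with_jwk_support public_key_or_secret
 case
 when hmac?
-secure_compare sign(signature_base_string, public_key_or_secret), signature
+secret = public_key_or_secret
+secure_compare sign(signature_base_string, secret), signature
 when rsa?
 public_key = public_key_or_secret
 public_key.verify digest, signature, signature_base_string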
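--- a/data/lib/json/jwt.rb
+++ b/data/lib/json/jwt.rb
@@ -1,6 +1,7 @@
 require 'openssl'
 require 'base64'
-require 'httpclient'
+require 'faraday'
+require 'faraday/follow_redirects'
 require 'active_support'
 require 'active_support/core_ext'
 require 'json/jose'
@@ -141,5 +142,4 @@ require 'json/jwe'
 require 'json/jwk'
 require 'json/jwk/jwkizable'
 require 'json/jwk/set'
-require 'json/jwk/set/fetcher'
-require 'json/jwk/set/fetcher/debugger/request_filter'
+require 'json/jwk/set/fetcher'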
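--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: json-jwt
 version: !ruby/object:Gem::Version
-version: 1.15.3.1
+version: 1.16.6
 platform: ruby
 authors:
 - nov matake
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-03-06 00:00:00.000000000 Z
+date: 2024-03-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -24,6 +24,20 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: '4.2'
+- !ruby/object:Gem::Dependency
+name: base64
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
 - !ruby/object:Gem::Dependency
 name: bindata
 requirement: !ruby/object:Gem::Requirement
@@ -53,7 +67,21 @@ dependencies:
 - !ruby/object:Gem::Version
 version: '0'
 - !ruby/object:Gem::Dependency
-name: httpclient
+name: faraday
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '2.0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '2.0'
+- !ruby/object:Gem::Dependency
+name: faraday-follow_redirects
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
@@ -145,11 +173,11 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".github/FUNDING.yml"
-- ".github/workflows/test_ruby.yml"
+- ".github/workflows/spec.yml"
 - ".gitignore"
 - ".gitmodules"
 - ".rspec"
-- ".travis.yml"
+- CHANGELOG.md
 - Gemfile
 - LICENSE
 - README.md
@@ -162,7 +190,6 @@ files:
 - lib/json/jwk/jwkizable.rb
 - lib/json/jwk/set.rb
 - lib/json/jwk/set/fetcher.rb
-- lib/json/jwk/set/fetcher/debugger/request_filter.rb
 - lib/json/jws.rb
 - lib/json/jwt.rb
 homepage: https://github.com/nov/json-jwt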
data/.travis.yml DELETED
@@ -1,12 +0,0 @@
1
- before_install:
2
- - gem install bundler
3
- - git submodule update --init --recursive
4
-
5
- rvm:
6
- - 2.6.10
7
- - 2.7.6
8
- - 3.0.4
9
- - 3.1.2
10
-
11
- jdk:
12
- - openjdk11
@@ -1,34 +0,0 @@
1
- module JSON
2
- class JWK
3
- class Set
4
- module Fetcher
5
- module Debugger
6
- class RequestFilter
7
- # Callback called in HTTPClient (before sending a request)
8
- # request:: HTTP::Message
9
- def filter_request(request)
10
- started = "======= [JSON::JWK::Set::Fetcher] HTTP REQUEST STARTED ======="
11
- log started, request.dump
12
- end
13
-
14
- # Callback called in HTTPClient (after received a response)
15
- # request:: HTTP::Message
16
- # response:: HTTP::Message
17
- def filter_response(request, response)
18
- finished = "======= [JSON::JWK::Set::Fetcher] HTTP REQUEST FINISHED ======="
19
- log '-' * 50, response.dump, finished
20
- end
21
-
22
- private
23
-
24
- def log(*outputs)
25
- outputs.each do |output|
26
- JSON::JWK::Set::Fetcher.logger.info output
27
- end
28
- end
29
- end
30
- end
31
- end
32
- end
33
- end
34
- end