json-jwt 1.16.0 → 1.16.2
- checksums.yaml +4 -4
- data/.github/workflows/spec.yml +4 -5
- data/CHANGELOG.md +17 -0
- data/VERSION +1 -1
- data/lib/json/jwe.rb +14 -4
- data/lib/json/jwk/set/fetcher.rb +8 -1
- metadata +7 -6
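--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 943e11e9656a90f2d3557da3a0c227453b1e110e06d01bf6e1935deebc8bd44c
+data.tar.gz: 0645022a7f9972fbfcf82afe24f209e62c168f57d4e2d6128adcfd00309bdf80
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: d70e5a720c705ec1bb82d0c334dc15f78b2346c91932eb3ff67a454dd17b17cbcbaecebe3a3f5f4b0254dfdad9ef89df3c0e567f9efdda1c638daaf86fc25ecd
+data.tar.gz: 29f755168b6be56c8d32d8ef4c9339129d6ad8ce5710a3b1e76e2f3da87714031660370f8728a044ca760f1a4ad23425d94c0fe2f6a671b837ea1d636fa14f82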
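--- a/data/.github/workflows/spec.yml
+++ b/data/.github/workflows/spec.yml
@@ -13,12 +13,11 @@ jobs:
 spec:
 strategy:
 matrix:
-os: ['ubuntu-20.04']
-ruby-version: ['
-# ubuntu 22.04 only supports ssl 3 and thus only ruby 3.1
+os: ['ubuntu-20.04', 'ubuntu-22.04']
+ruby-version: ['3.1', '3.2']
 include:
-- os: 'ubuntu-
-ruby-version: '3.
+- os: 'ubuntu-20.04'
+ruby-version: '3.0'
 runs-on: ${{ matrix.os }}
 
 steps: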
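Review bot: The `include:` entry that pins ruby 3.0 to `ubuntu-20.04` (new lines 19–20) loses its rationale now that the removed comment about 22.04 and OpenSSL 3 is gone, so a reader of the new matrix cannot tell why 3.0 is kept off the 22.04 axis. Restore a one-line comment above the include, e.g. `# ubuntu-22.04 only ships OpenSSL 3, so ruby 3.0 is tested on 20.04 only`. The surrounding job definition continues outside this hunk.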
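--- /dev/null
+++ b/data/CHANGELOG.md
@@ -0,0 +1,17 @@
+## [Unreleased]
+
+## [1.16.0] - 2022-10-08
+
+### Fixed
+
+- Remove padding oracle by @btoews in https://github.com/nov/json-jwt/pull/109
+
+## [1.16.0] - 2022-10-08
+
+### Added
+
+- start recording CHANGELOG
+
+### Changed
+
+* Switch from httpclient to faraday v2 https://github.com/nov/json-jwt/pull/110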
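--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-1.16.
+1.16.2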
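--- a/data/lib/json/jwe.rb
+++ b/data/lib/json/jwe.rb
@@ -43,9 +43,12 @@ module JSON
 raise UnexpectedAlgorithm.new('Unexpected alg header') unless algorithms.blank? || Array(algorithms).include?(alg)
 raise UnexpectedAlgorithm.new('Unexpected enc header') unless encryption_methods.blank? || Array(encryption_methods).include?(enc)
 self.private_key_or_secret = with_jwk_support private_key_or_secret
-cipher.decrypt
 self.content_encryption_key = decrypt_content_encryption_key
 self.mac_key, self.encryption_key = derive_encryption_and_mac_keys
+
+verify_cbc_authentication_tag! if cbc?
+
+cipher.decrypt
 cipher.key = encryption_key
 cipher.iv = iv # NOTE: 'iv' has to be set after 'key' for GCM
 if gcm?
@@ -54,8 +57,15 @@ module JSON
 cipher.auth_tag = authentication_tag
 cipher.auth_data = auth_data
 end
-
-
+
+begin
+self.plain_text = cipher.update(cipher_text) + cipher.final
+rescue OpenSSL::OpenSSLError
+# Ensure that the same error is raised for invalid PKCS7 padding
+# as for invalid signatures. This prevents padding-oracle attacks.
+raise DecryptionFailed
+end
+
 self
 end
 
@@ -244,7 +254,7 @@ module JSON
 sha_digest, mac_key, secured_input
 )[0, sha_size / 2 / 8]
 unless secure_compare(authentication_tag, expected_authentication_tag)
-raise DecryptionFailed
+raise DecryptionFailed
 end
 end
 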
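Review bot: The rescue added around `cipher.final` (new lines 61–67 of the second hunk) relies on `cipher.final` to authenticate GCM input, but the tag assigned on context line 57 (`cipher.auth_tag = authentication_tag`) is not length-checked anywhere visible, and Ruby's `Cipher#auth_tag=` documentation leaves that check to the caller because OpenSSL compares only as many tag bytes as are supplied, so a truncated tag weakens integrity unless the length is validated elsewhere in the class. If it is not, add a guard before the assignment: `raise DecryptionFailed unless authentication_tag.bytesize == 16 # JWE GCM tags are always 128 bits`. The move of `verify_cbc_authentication_tag! if cbc?` ahead of `cipher.decrypt` in the first hunk is what actually closes the CBC padding oracle; a comment there such as `# Encrypt-then-MAC: verify the tag over the ciphertext before any decryption, so padding errors can only occur on authenticated input` would make that dependency explicit, since the rescue comment alone credits the wrong line. The enclosing decrypt method begins before the first hunk.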
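--- a/data/lib/json/jwk/set/fetcher.rb
+++ b/data/lib/json/jwk/set/fetcher.rb
@@ -6,6 +6,8 @@ module JSON
 def fetch(cache_key, options = {})
 yield
 end
+
+def delete(cache_key, options = {}); end
 end
 
 def self.logger
@@ -72,7 +74,12 @@ module JSON
 )
 
 if auto_detect
-jwks[kid]
+if jwks[kid]
+jwks[kid]
+else
+cache.delete(cache_key)
+raise KidNotFound
+end
 else
 jwks
 end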
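Review bot: `cache.delete(cache_key)` on new line 80 runs for every lookup whose `kid` is absent from the fetched set, so any client presenting tokens with unknown `kid` values (the header is presumably client-supplied, though its origin is outside this hunk) can evict the cached JWKS on each request and turn every verification into a network fetch against the issuer; the commit adds no cooldown or negative cache for that refetch path. Consider bounding it, for example by recording the last refetch time alongside the cached set and skipping the eviction when it is recent, and document the trade-off on the line: `# evict so the next call refetches: a freshly rotated key may not be cached yet; refetch frequency must be bounded by the cache or caller`. `jwks[kid]` is also evaluated twice on lines 77–78; binding it once (`if (jwk = jwks[kid])` … `jwk`) reads cleaner. The enclosing method begins before this hunk.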
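--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: json-jwt
 version: !ruby/object:Gem::Version
-version: 1.16.
+version: 1.16.2
 platform: ruby
 authors:
 - nov matake
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2023-01-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -163,6 +163,7 @@ files:
 - ".gitignore"
 - ".gitmodules"
 - ".rspec"
+- CHANGELOG.md
 - Gemfile
 - LICENSE
 - README.md
@@ -181,7 +182,7 @@ homepage: https://github.com/nov/json-jwt
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -196,8 +197,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.
-signing_key:
+rubygems_version: 3.3.26
+signing_key:
 specification_version: 4
 summary: JSON Web Token and its family (JSON Web Signature, JSON Web Encryption and
 JSON Web Key) in Ruby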