RubyGems - json-jwt - Versions diffs - 0.5.0 → 0.5.1 - Mend

json-jwt 0.5.0 → 0.5.1

Potentially problematic release.

This version of json-jwt might be problematic. Click here for more details.

Files changed (7) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7fc22bebad1c3924998f637b07f91089ba1d365f
-  data.tar.gz: 8f969eba9420ffccaeb0053096e039c02fbcfb89
+  metadata.gz: 86380eefda874cbe7e7939e70fdfcffe379395e4
+  data.tar.gz: d2f3fc1ba0a60787927dac2d0b21d8a151488218
 SHA512:
-  metadata.gz: a32887bed2783fb91c98776c70e6a471a6640f59b336b56d4a5576019ab79cdbdbb25bcf149bf26d4710006f03a0699c4dae0137ab61d3895ded29dbd38cdfa2
-  data.tar.gz: 44ee98be92413ef444c90d93529566802a0725a182e55517d5ecea8e8b7b66b5d3386e3dccf7d3b67e728c038ca336f42a2bcf3837ffd2c5c20a2f73b5f0bcfc
+  metadata.gz: 2257bab98f399a6b5da81de323eead584846a68064024655bd58cc06c29305be08ee173b32816fb2d848b47f633c9382d6d1929bf83b2171c159f07a04ad4854
+  data.tar.gz: f4721c5653fd40b4895b9086ca4291e78317a135c9ec22005d9fda471cb9c07a06f278fc9d787b295345ce88f9fa09e569b1430003795e95e394d0bb3a9b33e6

data/.gitignore CHANGED Viewed

@@ -17,6 +17,7 @@ tmtags
 coverage*
 rdoc
 pkg
+Gemfile.lock
 ## PROJECT::SPECIFIC
 .class

data/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 0.5.0
1	+ 0.5.1

data/lib/json/jwe.rb CHANGED Viewed

@@ -7,16 +7,22 @@ module JSON
     class DecryptionFailed < JWT::VerificationFailed; end
     class UnexpectedAlgorithm < JWT::UnexpectedAlgorithm; end
-    attr_accessor :public_key_or_secret, :plain_text, :master_key, :encrypted_master_key, :encryption_key, :integrity_key, :integrity_value, :iv, :cipher_text
+    attr_accessor(
+      :public_key_or_secret, :private_key_or_secret, :mode,
+      :input, :plain_text, :cipher_text, :integrity_value, :iv,
+      :master_key, :encrypted_master_key, :encryption_key, :integrity_key
+    )
     register_header_keys :enc, :epk, :zip, :jku, :jwk, :x5u, :x5t, :x5c, :kid, :typ, :cty, :apu, :apv, :epu, :epv
     alias_method :encryption_method, :enc
-    def initialize(jwt_or_plain_text)
-      self.plain_text = jwt_or_plain_text.to_s
+    def initialize(input)
+      self.input = input.to_s
     end
     def encrypt!(public_key_or_secret)
+      self.mode = :encyption
+      self.plain_text = input
       self.public_key_or_secret = public_key_or_secret
       cipher.encrypt
       generate_cipher_keys!
@@ -24,24 +30,37 @@ module JSON
       self
     end
-    def decrypt!
-      raise NotImplementedError.new('JWE decryption not supported yet')
+    def decrypt!(private_key_or_secret)
+      self.mode = :decryption
+      self.private_key_or_secret = private_key_or_secret
+      decode_segments!
+      cipher.decrypt
+      restore_cipher_keys!
+      self.plain_text = cipher.update(cipher_text) + cipher.final
+      verify_cbc_integirity_value! if cbc?
+      self
     end
     def to_s
-      [
-        header.to_json,
-        encrypted_master_key,
-        iv,
-        cipher_text,
-        integrity_value
-      ].collect do |segment|
-        UrlSafeBase64.encode64 segment.to_s
-      end.join('.')
+      if mode == :encyption
+        [
+          header.to_json,
+          encrypted_master_key,
+          iv,
+          cipher_text,
+          integrity_value
+        ].collect do |segment|
+          UrlSafeBase64.encode64 segment.to_s
+        end.join('.')
+      else
+        plain_text
+      end
     end
     private
+    # common
     def gcm_supported?
       RUBY_VERSION >= '2.0.0' && OpenSSL::OPENSSL_VERSION >= 'OpenSSL 1.0.1c'
     end
@@ -96,6 +115,44 @@ module JSON
       OpenSSL::Digest::Digest.new "SHA#{sha_size}"
     end
+    def derive_cbc_encryption_and_integirity_keys!
+      encryption_key_size = sha_size / 2
+      integrity_key_size = sha_size
+      encryption_segments = [
+        1,
+        master_key,
+        encryption_key_size,
+        encryption_method,
+        epu || 0,
+        epv || 0,
+        'Encryption'
+      ]
+      integrity_segments = [
+        1,
+        master_key,
+        integrity_key_size,
+        encryption_method,
+        epu || 0,
+        epv || 0,
+        'Integrity'
+      ]
+      encryption_hash_input, integrity_hash_input = [encryption_segments, integrity_segments].collect do |segments|
+        segments.collect do |segment|
+          case segment
+          when Integer
+            BinData::Int32be.new(segment).to_binary_s
+          else
+            segment.to_s
+          end
+        end.join
+      end
+      self.encryption_key = sha_digest.digest(encryption_hash_input)[0, encryption_key_size / 8]
+      self.integrity_key = sha_digest.digest integrity_hash_input
+      self
+    end
+    # encyption
     def encrypted_master_key
       @encrypted_master_key ||= case algorithm.to_s
       when :RSA1_5.to_s
@@ -126,8 +183,8 @@ module JSON
       when cbc?
         generate_cbc_keys!
       end
-      @cipher.key = encryption_key
-      self.iv = @cipher.random_iv
+      cipher.key = encryption_key
+      self.iv = cipher.random_iv
       if gcm?
         cipher.auth_data = [header.to_json, encrypted_master_key, iv].collect do |segment|
           UrlSafeBase64.encode64 segment.to_s
@@ -140,7 +197,7 @@ module JSON
       self.master_key ||= if dir?
         public_key_or_secret
       else
-        @cipher.random_key
+        cipher.random_key
       end
       self.encryption_key = master_key
       self.integrity_key = :wont_be_used
@@ -148,50 +205,19 @@ module JSON
     end
     def generate_cbc_keys!
-      encryption_key_size = sha_size / 2
-      integrity_key_size = master_key_size = sha_size
       self.master_key ||= if dir?
         public_key_or_secret
       else
-        SecureRandom.random_bytes master_key_size / 8
+        SecureRandom.random_bytes sha_size / 8
       end
-      encryption_segments = [
-        1,
-        master_key,
-        encryption_key_size,
-        encryption_method,
-        epu || 0,
-        epv || 0,
-        'Encryption'
-      ]
-      integrity_segments = [
-        1,
-        master_key,
-        integrity_key_size,
-        encryption_method,
-        epu || 0,
-        epv || 0,
-        'Integrity'
-      ]
-      encryption_hash_input, integrity_hash_input = [encryption_segments, integrity_segments].collect do |segments|
-        segments.collect do |segment|
-          case segment
-          when Integer
-            BinData::Int32be.new(segment).to_binary_s
-          else
-            segment.to_s
-          end
-        end.join
-      end
-      self.encryption_key = sha_digest.digest(encryption_hash_input)[0, encryption_key_size / 8]
-      self.integrity_key = sha_digest.digest integrity_hash_input
-      self
+      derive_cbc_encryption_and_integirity_keys!
     end
     def integrity_value
-      @integrity_value ||= if gcm?
+      @integrity_value ||= case
+      when gcm?
         cipher.auth_tag
-      else
+      when cbc?
         secured_input = [
           header.to_json,
           encrypted_master_key,
@@ -202,7 +228,59 @@ module JSON
         end.join('.')
         OpenSSL::HMAC.digest sha_digest, integrity_key, secured_input
       end
-      @integrity_value
+    end
+    # decryption
+    def decode_segments!
+      _header_json_, self.encrypted_master_key, self.iv, self.cipher_text, self.integrity_value = input.split('.').collect do |segment|
+        UrlSafeBase64.decode64 segment
+      end
+      self
+    end
+    def decrypt_master_key
+      case algorithm.to_s
+      when :RSA1_5.to_s
+        private_key_or_secret.private_decrypt encrypted_master_key
+      when :'RSA-OAEP'.to_s
+        private_key_or_secret.private_decrypt encrypted_master_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
+      when :A128KW .to_s
+        raise NotImplementedError.new('A128KW not supported yet')
+      when :A256KW.to_s
+        raise NotImplementedError.new('A256KW not supported yet')
+      when :dir.to_s
+        private_key_or_secret
+      when :'ECDH-ES'.to_s
+        raise NotImplementedError.new('ECDH-ES not supported yet')
+      when :'ECDH-ES+A128KW'.to_s
+        raise NotImplementedError.new('ECDH-ES+A128KW not supported yet')
+      when :'ECDH-ES+A256KW'.to_s
+        raise NotImplementedError.new('ECDH-ES+A256KW not supported yet')
+      else
+        raise UnexpectedAlgorithm.new('Unknown Encryption Algorithm')
+      end
+    end
+    def restore_cipher_keys!
+      self.master_key = decrypt_master_key
+      case
+      when gcm?
+        self.encryption_key = master_key
+        self.integrity_key = :wont_be_used
+      when cbc?
+        derive_cbc_encryption_and_integirity_keys!
+      end
+      cipher.key = encryption_key
+      cipher.iv = iv # NOTE: 'iv' has to be set after 'key' for GCM
+      if gcm?
+        cipher.auth_tag = integrity_value
+        cipher.auth_data = input.split('.')[0, 3].join('.')
+      end
+    end
+    def verify_cbc_integirity_value!
+      # raise UnexpectedAlgorithm.new('TODO')
     end
   end
 end

data/spec/json/jwe_spec.rb CHANGED Viewed

@@ -154,4 +154,106 @@ describe JSON::JWE do
       end
     end
   end
+  describe 'decrypt!' do
+    let(:plain_text) { 'Hello World' }
+    let(:input) do
+      _jwe_ = JSON::JWE.new plain_text
+      _jwe_.alg, _jwe_.enc = alg, enc
+      _jwe_.encrypt! key
+      _jwe_.to_s
+    end
+    let(:jwe) do
+      _jwe_ = JSON::JWE.new input
+      _jwe_.alg, _jwe_.enc = alg, enc
+      _jwe_
+    end
+    shared_examples_for :decryptable do
+      it do
+        jwe.decrypt! key
+        jwe.to_s.should == plain_text
+      end
+    end
+    shared_examples_for :gcm_decryption_unsupported do
+      it do
+        expect do
+          jwe.decrypt! key
+        end.to raise_error JSON::JWE::UnexpectedAlgorithm
+      end
+    end
+    context 'when alg=RSA1_5' do
+      let(:alg) { :RSA1_5 }
+      let(:key) { private_key }
+      context 'when enc=A128GCM' do
+        let(:enc) { :A128GCM }
+        if gcm_supported?
+          it_behaves_like :decryptable
+        else
+          it_behaves_like :gcm_decryption_unsupported
+        end
+      end
+      context 'when enc=A256GCM' do
+        let(:enc) { :A256GCM }
+        if gcm_supported?
+          it_behaves_like :decryptable
+        else
+          it_behaves_like :gcm_decryption_unsupported
+        end
+      end
+      context 'when enc=A128CBC+HS256' do
+        let(:enc) { :'A128CBC+HS256' }
+        it_behaves_like :decryptable
+      end
+      context 'when enc=A256CBC+HS512' do
+        let(:enc) { :'A256CBC+HS512' }
+        it_behaves_like :decryptable
+      end
+    end
+    context 'when alg=RSA-OAEP' do
+      let(:alg) { :'RSA-OAEP' }
+      let(:key) { private_key }
+      context 'when enc=A128GCM' do
+        let(:enc) { :A128GCM }
+        if gcm_supported?
+          it_behaves_like :decryptable
+        else
+          it_behaves_like :gcm_decryption_unsupported
+        end
+      end
+      context 'when enc=A256GCM' do
+        let(:enc) { :A256GCM }
+        if gcm_supported?
+          it_behaves_like :decryptable
+        else
+          it_behaves_like :gcm_decryption_unsupported
+        end
+      end
+      context 'when enc=A128CBC+HS256' do
+        let(:enc) { :'A128CBC+HS256' }
+        it_behaves_like :decryptable
+      end
+      context 'when enc=A256CBC+HS512' do
+        let(:enc) { :'A256CBC+HS512' }
+        it_behaves_like :decryptable
+      end
+    end
+    context 'when alg=dir' do
+      let(:alg) { :dir }
+      let(:key) { 'todo' }
+      it :TODO
+    end
+  end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: json-jwt
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.5.1
 platform: ruby
 authors:
 - nov matake
@@ -135,7 +135,6 @@ files:
 - .rspec
 - .travis.yml
 - Gemfile
-- Gemfile.lock
 - LICENSE
 - README.rdoc
 - Rakefile
@@ -182,7 +181,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.0.0
+rubygems_version: 2.0.3
 signing_key:
 specification_version: 4
 summary: JSON Web Token and its family (JSON Web Signature, JSON Web Encryption and
@@ -205,4 +204,3 @@ test_files:
 - spec/json/jws_spec.rb
 - spec/json/jwt_spec.rb
 - spec/spec_helper.rb
-has_rdoc:

data/Gemfile.lock DELETED Viewed

@@ -1,44 +0,0 @@
-PATH
-  remote: .
-  specs:
-    json-jwt (0.4.3)
-      activesupport (>= 2.3)
-      i18n
-      multi_json (>= 1.3)
-      url_safe_base64
-GEM
-  remote: http://rubygems.org/
-  specs:
-    activesupport (3.2.12)
-      i18n (~> 0.6)
-      multi_json (~> 1.0)
-    configatron (2.10.0)
-      yamler (>= 0.1.0)
-    cover_me (1.2.0)
-      configatron
-      hashie
-    diff-lcs (1.2.1)
-    hashie (2.0.2)
-    i18n (0.6.4)
-    multi_json (1.6.1)
-    rake (10.0.3)
-    rspec (2.13.0)
-      rspec-core (~> 2.13.0)
-      rspec-expectations (~> 2.13.0)
-      rspec-mocks (~> 2.13.0)
-    rspec-core (2.13.0)
-    rspec-expectations (2.13.0)
-      diff-lcs (>= 1.1.3, < 2.0)
-    rspec-mocks (2.13.0)
-    url_safe_base64 (0.2.1)
-    yamler (0.1.0)
-PLATFORMS
-  ruby
-DEPENDENCIES
-  cover_me (>= 1.2.0)
-  json-jwt!
-  rake (>= 0.8)
-  rspec (>= 2)