RubyGems - json-jwt - Versions diffs - 1.8.3 → 1.9.0 - Mend

json-jwt 1.8.3 → 1.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of json-jwt might be problematic. Click here for more details.

Files changed (8) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3abc4f60457c79cdc55e59cb46553722b816acbe
-  data.tar.gz: 5c305020b1dfcc15f0aff4ee7ea0ab2dee3a9009
+  metadata.gz: ac7876d6689bcbfa09531f34dca2b9e899e5271c
+  data.tar.gz: 39c83be6aa4d803d67b2db513846c1539876abc4
 SHA512:
-  metadata.gz: 83f3cc919f8336b259a1e8fd203692024ae6d5cd7d6402ce83713a28994dd896e0e9b1800b53f9bd1ff8cc98fddf1f18ba3d1241c1349482c56d2a23ba1ffc6b
-  data.tar.gz: f17db83dbd4751c3da5f4e3d37b1e231ae5bda78916677dd13e7fb854ce0706dc58221657542287dd5e55dc81101afe498baf199ec1ba9caa633ede5b3095e90
+  metadata.gz: c95995a62590d5f37fecbdf4930000a7e7c58cb97288a852c10b1c60915f8f54da30a1b99e7d9d892c85370fa77ecf7698dd7616573376a946f4b1a0c04fc488
+  data.tar.gz: 9401202361965498b2410b84d9ef95196f5945956e28cfd86af2c77caf6d416ab7433f8b2d7c8179ea4390fffdb30acb951271c054bd3de4a8c1e3a3e888a30d

data/.travis.yml CHANGED Viewed

@@ -3,10 +3,9 @@ before_install:
   - git submodule update --init --recursive
 rvm:
-  - 2.2.2 # NOTE: 2.2.1 or lower aren't supported by activesupport 5.0, CI isn't needed for such legacy versions.
-  - 2.2.6
-  - 2.3.3
-  - 2.4.1
+  - 2.3.6
+  - 2.4.3
+  - 2.5.0
 jdk:
   - oraclejdk8

data/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 1.8.3
1	+ 1.9.0

data/json-jwt.gemspec CHANGED Viewed

@@ -19,4 +19,4 @@ Gem::Specification.new do |gem|
   gem.add_development_dependency 'simplecov'
   gem.add_development_dependency 'rspec'
   gem.add_development_dependency 'rspec-its'
-end
+end

data/lib/json/jwt.rb CHANGED Viewed

@@ -31,7 +31,16 @@ module JSON
         #  I'd like to make :RS256 default.
         #  However, by histrical reasons, :HS256 was default.
         #  This code is needed to keep legacy behavior.
-        algorithm = private_key_or_secret.is_a?(String) ? :HS256 : :RS256
+        algorithm = case private_key_or_secret
+        when String
+          :HS256
+        when OpenSSL::PKey::RSA
+          :RS256
+        when OpenSSL::PKey::EC
+          :ES256
+        else
+          raise UnexpectedAlgorithm.new('Signature algorithm auto-detection failed')
+        end
       end
       jws = JWS.new self
       jws.kid ||= private_key_or_secret[:kid] if private_key_or_secret.is_a? JSON::JWK

data/spec/json/jwt_spec.rb CHANGED Viewed

@@ -191,7 +191,7 @@ describe JSON::JWT do
               ].join('.')
             end
-            it 'should do verification' do
+            it do
               expect do
                 JSON::JWT.decode malformed_jwt_string, 'secret'
               end.to raise_error JSON::JWT::VerificationFailed
@@ -215,7 +215,7 @@ describe JSON::JWT do
               ].join('.')
             end
-            it 'should fail verification' do
+            it do
               expect do
                 JSON::JWT.decode malformed_jwt_string, public_key
               end.to raise_error JSON::JWT::UnexpectedAlgorithm
@@ -229,7 +229,7 @@ describe JSON::JWT do
               malformed_signature = OpenSSL::HMAC.digest(
                 OpenSSL::Digest.new('SHA256'),
                 public_key.to_s,
-                [malformed_header, payload].join('.')
+                [UrlSafeBase64.encode64(malformed_header), payload].join('.')
               )
               [
                 UrlSafeBase64.encode64(malformed_header),
@@ -238,13 +238,93 @@ describe JSON::JWT do
               ].join('.')
             end
-            it 'should fail verification' do
+            it do
               expect do
                 JSON::JWT.decode malformed_jwt_string, public_key
               end.to raise_error JSON::JWS::UnexpectedAlgorithm
             end
           end
         end
+        context 'from alg=PS512' do
+          let(:jws) do
+            jwt.sign private_key, :PS512
+          end
+          if pss_supported?
+            context 'to alg=PS256' do
+              let(:malformed_jwt_string) do
+                header, payload, signature = jws.to_s.split('.')
+                malformed_header = {alg: :PS256}.to_json
+                digest = OpenSSL::Digest.new('SHA256')
+                malformed_signature = private_key.sign_pss(
+                  digest,
+                  [UrlSafeBase64.encode64(malformed_header), payload].join('.'),
+                  salt_length: :digest,
+                  mgf1_hash: digest
+                )
+                [
+                  UrlSafeBase64.encode64(malformed_header),
+                  payload,
+                  UrlSafeBase64.encode64(malformed_signature)
+                ].join('.')
+              end
+              context 'when verification algorithm is specified' do
+                it do
+                  expect do
+                    JSON::JWT.decode malformed_jwt_string, public_key, :PS512
+                  end.to raise_error JSON::JWS::UnexpectedAlgorithm, 'Unexpected alg header'
+                end
+              end
+              context 'otherwise' do
+                it do
+                  expect do
+                    JSON::JWT.decode malformed_jwt_string, public_key
+                  end.not_to raise_error
+                end
+              end
+            end
+            context 'to alg=RS516' do
+              let(:malformed_jwt_string) do
+                header, payload, signature = jws.to_s.split('.')
+                malformed_header = {alg: :RS512}.to_json
+                malformed_signature = private_key.sign(
+                  OpenSSL::Digest.new('SHA512'),
+                  [UrlSafeBase64.encode64(malformed_header), payload].join('.')
+                )
+                [
+                  UrlSafeBase64.encode64(malformed_header),
+                  payload,
+                  UrlSafeBase64.encode64(malformed_signature)
+                ].join('.')
+              end
+              context 'when verification algorithm is specified' do
+                it do
+                  expect do
+                    JSON::JWT.decode malformed_jwt_string, public_key, :PS512
+                  end.to raise_error JSON::JWS::UnexpectedAlgorithm, 'Unexpected alg header'
+                end
+              end
+              context 'otherwise' do
+                it do
+                  expect do
+                    JSON::JWT.decode malformed_jwt_string, public_key
+                  end.not_to raise_error
+                end
+              end
+            end
+          else
+            skip 'RSA PSS not supported'
+            it do
+              expect { jws }.to raise_error 'PS512 isn\'t supported. OpenSSL gem v2.1.0+ is required to use PS512.'
+            end
+          end
+        end
       end
       context 'when :skip_verification given as secret/key' do
@@ -320,6 +400,32 @@ describe JSON::JWT do
           end.not_to raise_error
         end
       end
+      context 'when alg & enc is specified' do
+        context 'when expected' do
+          it do
+            expect do
+              JSON::JWT.decode(input, private_key, 'RSA1_5', 'A128CBC-HS256')
+            end.not_to raise_error
+          end
+        end
+        context 'when alg is unexpected' do
+          it do
+            expect do
+              JSON::JWT.decode(input, private_key, 'dir', 'A128CBC-HS256')
+            end.to raise_error JSON::JWE::UnexpectedAlgorithm, 'Unexpected alg header'
+          end
+        end
+        context 'when enc is unexpected' do
+          it do
+            expect do
+              JSON::JWT.decode(input, private_key, 'RSA1_5', 'A128GCM')
+            end.to raise_error JSON::JWE::UnexpectedAlgorithm, 'Unexpected enc header'
+          end
+        end
+      end
     end
     context 'when JSON parse failed' do
@@ -348,4 +454,26 @@ describe JSON::JWT do
       end
     end
   end
+  describe '.pretty_generate' do
+    subject { JSON::JWT.pretty_generate jws.to_s }
+    its(:size) { should == 2 }
+    its(:first) do
+      should == <<~HEADER.chop
+        {
+          "typ": "JWT",
+          "alg": "HS256"
+        }
+      HEADER
+    end
+    its(:last) do
+      should == <<~HEADER.chop
+        {
+          "iss": "joe",
+          "exp": 1300819380,
+          "http://example.com/is_root": true
+        }
+      HEADER
+    end
+  end
 end

data/spec/spec_helper.rb CHANGED Viewed

@@ -20,5 +20,9 @@ def gcm_supported?
   end
 end
+def pss_supported?
+  OpenSSL::VERSION >= '2.1.0'
+end
 require 'helpers/sign_key_fixture_helper'
 require 'helpers/nimbus_spec_helper'

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: json-jwt
 version: !ruby/object:Gem::Version
-  version: 1.8.3
+  version: 1.9.0
 platform: ruby
 authors:
 - nov matake
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-12-05 00:00:00.000000000 Z
+date: 2018-02-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: url_safe_base64
@@ -188,7 +188,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.6.13
+rubygems_version: 2.6.11
 signing_key:
 specification_version: 4
 summary: JSON Web Token and its family (JSON Web Signature, JSON Web Encryption and