json-jwt 1.8.3 → 1.9.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of json-jwt might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/.travis.yml +3 -4
- data/VERSION +1 -1
- data/json-jwt.gemspec +1 -1
- data/lib/json/jwt.rb +10 -1
- data/spec/json/jwt_spec.rb +132 -4
- data/spec/spec_helper.rb +4 -0
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: ac7876d6689bcbfa09531f34dca2b9e899e5271c
|
|
4
|
+
data.tar.gz: 39c83be6aa4d803d67b2db513846c1539876abc4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c95995a62590d5f37fecbdf4930000a7e7c58cb97288a852c10b1c60915f8f54da30a1b99e7d9d892c85370fa77ecf7698dd7616573376a946f4b1a0c04fc488
|
|
7
|
+
data.tar.gz: 9401202361965498b2410b84d9ef95196f5945956e28cfd86af2c77caf6d416ab7433f8b2d7c8179ea4390fffdb30acb951271c054bd3de4a8c1e3a3e888a30d
|
data/.travis.yml
CHANGED
|
@@ -3,10 +3,9 @@ before_install:
|
|
|
3
3
|
- git submodule update --init --recursive
|
|
4
4
|
|
|
5
5
|
rvm:
|
|
6
|
-
- 2.
|
|
7
|
-
- 2.
|
|
8
|
-
- 2.
|
|
9
|
-
- 2.4.1
|
|
6
|
+
- 2.3.6
|
|
7
|
+
- 2.4.3
|
|
8
|
+
- 2.5.0
|
|
10
9
|
|
|
11
10
|
jdk:
|
|
12
11
|
- oraclejdk8
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
1.
|
|
1
|
+
1.9.0
|
data/json-jwt.gemspec
CHANGED
data/lib/json/jwt.rb
CHANGED
|
@@ -31,7 +31,16 @@ module JSON
|
|
|
31
31
|
# I'd like to make :RS256 default.
|
|
32
32
|
# However, by histrical reasons, :HS256 was default.
|
|
33
33
|
# This code is needed to keep legacy behavior.
|
|
34
|
-
algorithm = private_key_or_secret
|
|
34
|
+
algorithm = case private_key_or_secret
|
|
35
|
+
when String
|
|
36
|
+
:HS256
|
|
37
|
+
when OpenSSL::PKey::RSA
|
|
38
|
+
:RS256
|
|
39
|
+
when OpenSSL::PKey::EC
|
|
40
|
+
:ES256
|
|
41
|
+
else
|
|
42
|
+
raise UnexpectedAlgorithm.new('Signature algorithm auto-detection failed')
|
|
43
|
+
end
|
|
35
44
|
end
|
|
36
45
|
jws = JWS.new self
|
|
37
46
|
jws.kid ||= private_key_or_secret[:kid] if private_key_or_secret.is_a? JSON::JWK
|
data/spec/json/jwt_spec.rb
CHANGED
|
@@ -191,7 +191,7 @@ describe JSON::JWT do
|
|
|
191
191
|
].join('.')
|
|
192
192
|
end
|
|
193
193
|
|
|
194
|
-
it
|
|
194
|
+
it do
|
|
195
195
|
expect do
|
|
196
196
|
JSON::JWT.decode malformed_jwt_string, 'secret'
|
|
197
197
|
end.to raise_error JSON::JWT::VerificationFailed
|
|
@@ -215,7 +215,7 @@ describe JSON::JWT do
|
|
|
215
215
|
].join('.')
|
|
216
216
|
end
|
|
217
217
|
|
|
218
|
-
it
|
|
218
|
+
it do
|
|
219
219
|
expect do
|
|
220
220
|
JSON::JWT.decode malformed_jwt_string, public_key
|
|
221
221
|
end.to raise_error JSON::JWT::UnexpectedAlgorithm
|
|
@@ -229,7 +229,7 @@ describe JSON::JWT do
|
|
|
229
229
|
malformed_signature = OpenSSL::HMAC.digest(
|
|
230
230
|
OpenSSL::Digest.new('SHA256'),
|
|
231
231
|
public_key.to_s,
|
|
232
|
-
[malformed_header, payload].join('.')
|
|
232
|
+
[UrlSafeBase64.encode64(malformed_header), payload].join('.')
|
|
233
233
|
)
|
|
234
234
|
[
|
|
235
235
|
UrlSafeBase64.encode64(malformed_header),
|
|
@@ -238,13 +238,93 @@ describe JSON::JWT do
|
|
|
238
238
|
].join('.')
|
|
239
239
|
end
|
|
240
240
|
|
|
241
|
-
it
|
|
241
|
+
it do
|
|
242
242
|
expect do
|
|
243
243
|
JSON::JWT.decode malformed_jwt_string, public_key
|
|
244
244
|
end.to raise_error JSON::JWS::UnexpectedAlgorithm
|
|
245
245
|
end
|
|
246
246
|
end
|
|
247
247
|
end
|
|
248
|
+
|
|
249
|
+
context 'from alg=PS512' do
|
|
250
|
+
let(:jws) do
|
|
251
|
+
jwt.sign private_key, :PS512
|
|
252
|
+
end
|
|
253
|
+
|
|
254
|
+
if pss_supported?
|
|
255
|
+
context 'to alg=PS256' do
|
|
256
|
+
let(:malformed_jwt_string) do
|
|
257
|
+
header, payload, signature = jws.to_s.split('.')
|
|
258
|
+
malformed_header = {alg: :PS256}.to_json
|
|
259
|
+
digest = OpenSSL::Digest.new('SHA256')
|
|
260
|
+
malformed_signature = private_key.sign_pss(
|
|
261
|
+
digest,
|
|
262
|
+
[UrlSafeBase64.encode64(malformed_header), payload].join('.'),
|
|
263
|
+
salt_length: :digest,
|
|
264
|
+
mgf1_hash: digest
|
|
265
|
+
)
|
|
266
|
+
[
|
|
267
|
+
UrlSafeBase64.encode64(malformed_header),
|
|
268
|
+
payload,
|
|
269
|
+
UrlSafeBase64.encode64(malformed_signature)
|
|
270
|
+
].join('.')
|
|
271
|
+
end
|
|
272
|
+
|
|
273
|
+
context 'when verification algorithm is specified' do
|
|
274
|
+
it do
|
|
275
|
+
expect do
|
|
276
|
+
JSON::JWT.decode malformed_jwt_string, public_key, :PS512
|
|
277
|
+
end.to raise_error JSON::JWS::UnexpectedAlgorithm, 'Unexpected alg header'
|
|
278
|
+
end
|
|
279
|
+
end
|
|
280
|
+
|
|
281
|
+
context 'otherwise' do
|
|
282
|
+
it do
|
|
283
|
+
expect do
|
|
284
|
+
JSON::JWT.decode malformed_jwt_string, public_key
|
|
285
|
+
end.not_to raise_error
|
|
286
|
+
end
|
|
287
|
+
end
|
|
288
|
+
end
|
|
289
|
+
|
|
290
|
+
context 'to alg=RS516' do
|
|
291
|
+
let(:malformed_jwt_string) do
|
|
292
|
+
header, payload, signature = jws.to_s.split('.')
|
|
293
|
+
malformed_header = {alg: :RS512}.to_json
|
|
294
|
+
malformed_signature = private_key.sign(
|
|
295
|
+
OpenSSL::Digest.new('SHA512'),
|
|
296
|
+
[UrlSafeBase64.encode64(malformed_header), payload].join('.')
|
|
297
|
+
)
|
|
298
|
+
[
|
|
299
|
+
UrlSafeBase64.encode64(malformed_header),
|
|
300
|
+
payload,
|
|
301
|
+
UrlSafeBase64.encode64(malformed_signature)
|
|
302
|
+
].join('.')
|
|
303
|
+
end
|
|
304
|
+
|
|
305
|
+
context 'when verification algorithm is specified' do
|
|
306
|
+
it do
|
|
307
|
+
expect do
|
|
308
|
+
JSON::JWT.decode malformed_jwt_string, public_key, :PS512
|
|
309
|
+
end.to raise_error JSON::JWS::UnexpectedAlgorithm, 'Unexpected alg header'
|
|
310
|
+
end
|
|
311
|
+
end
|
|
312
|
+
|
|
313
|
+
context 'otherwise' do
|
|
314
|
+
it do
|
|
315
|
+
expect do
|
|
316
|
+
JSON::JWT.decode malformed_jwt_string, public_key
|
|
317
|
+
end.not_to raise_error
|
|
318
|
+
end
|
|
319
|
+
end
|
|
320
|
+
end
|
|
321
|
+
else
|
|
322
|
+
skip 'RSA PSS not supported'
|
|
323
|
+
it do
|
|
324
|
+
expect { jws }.to raise_error 'PS512 isn\'t supported. OpenSSL gem v2.1.0+ is required to use PS512.'
|
|
325
|
+
end
|
|
326
|
+
end
|
|
327
|
+
end
|
|
248
328
|
end
|
|
249
329
|
|
|
250
330
|
context 'when :skip_verification given as secret/key' do
|
|
@@ -320,6 +400,32 @@ describe JSON::JWT do
|
|
|
320
400
|
end.not_to raise_error
|
|
321
401
|
end
|
|
322
402
|
end
|
|
403
|
+
|
|
404
|
+
context 'when alg & enc is specified' do
|
|
405
|
+
context 'when expected' do
|
|
406
|
+
it do
|
|
407
|
+
expect do
|
|
408
|
+
JSON::JWT.decode(input, private_key, 'RSA1_5', 'A128CBC-HS256')
|
|
409
|
+
end.not_to raise_error
|
|
410
|
+
end
|
|
411
|
+
end
|
|
412
|
+
|
|
413
|
+
context 'when alg is unexpected' do
|
|
414
|
+
it do
|
|
415
|
+
expect do
|
|
416
|
+
JSON::JWT.decode(input, private_key, 'dir', 'A128CBC-HS256')
|
|
417
|
+
end.to raise_error JSON::JWE::UnexpectedAlgorithm, 'Unexpected alg header'
|
|
418
|
+
end
|
|
419
|
+
end
|
|
420
|
+
|
|
421
|
+
context 'when enc is unexpected' do
|
|
422
|
+
it do
|
|
423
|
+
expect do
|
|
424
|
+
JSON::JWT.decode(input, private_key, 'RSA1_5', 'A128GCM')
|
|
425
|
+
end.to raise_error JSON::JWE::UnexpectedAlgorithm, 'Unexpected enc header'
|
|
426
|
+
end
|
|
427
|
+
end
|
|
428
|
+
end
|
|
323
429
|
end
|
|
324
430
|
|
|
325
431
|
context 'when JSON parse failed' do
|
|
@@ -348,4 +454,26 @@ describe JSON::JWT do
|
|
|
348
454
|
end
|
|
349
455
|
end
|
|
350
456
|
end
|
|
457
|
+
|
|
458
|
+
describe '.pretty_generate' do
|
|
459
|
+
subject { JSON::JWT.pretty_generate jws.to_s }
|
|
460
|
+
its(:size) { should == 2 }
|
|
461
|
+
its(:first) do
|
|
462
|
+
should == <<~HEADER.chop
|
|
463
|
+
{
|
|
464
|
+
"typ": "JWT",
|
|
465
|
+
"alg": "HS256"
|
|
466
|
+
}
|
|
467
|
+
HEADER
|
|
468
|
+
end
|
|
469
|
+
its(:last) do
|
|
470
|
+
should == <<~HEADER.chop
|
|
471
|
+
{
|
|
472
|
+
"iss": "joe",
|
|
473
|
+
"exp": 1300819380,
|
|
474
|
+
"http://example.com/is_root": true
|
|
475
|
+
}
|
|
476
|
+
HEADER
|
|
477
|
+
end
|
|
478
|
+
end
|
|
351
479
|
end
|
data/spec/spec_helper.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: json-jwt
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.9.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- nov matake
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2018-02-23 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: url_safe_base64
|
|
@@ -188,7 +188,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
188
188
|
version: '0'
|
|
189
189
|
requirements: []
|
|
190
190
|
rubyforge_project:
|
|
191
|
-
rubygems_version: 2.6.
|
|
191
|
+
rubygems_version: 2.6.11
|
|
192
192
|
signing_key:
|
|
193
193
|
specification_version: 4
|
|
194
194
|
summary: JSON Web Token and its family (JSON Web Signature, JSON Web Encryption and
|