json-jwt 1.9.3 → 1.9.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA256:
-  metadata.gz: 9d4b2dfb27f37a7525522312228284729a9f940698bfa3d1b7b3562f94cf998b
-  data.tar.gz: 865265a1f3d884476535d0f3c8d3de258db91d9ca4948283b78f4a48cc1023c3
+SHA1:
+  metadata.gz: f808ae988b45e4c8e03f0afcee499e0d4c89295e
+  data.tar.gz: f0f2cd732d906a495cc247afc0fd7eaa18725be2
 SHA512:
-  metadata.gz: eae66e49d8e101e68575ec4a4bf7ac46cef62d151d3dbae4d1a1c17a7a17235f376991c7346c8e46c9605b8028bca41113da7b84d85a52b58a28050e59c586c1
-  data.tar.gz: '0295d9284c1fb49c1f29881c915ffacac5f5f9c985f19f2a39c2bc27aac5570102f1f2d07032f62254b88eb3e8133236d4e6d4551235c83ec03c64a324e8593e'
+  metadata.gz: 5c6e99521dd9ec520097930ab4a0094f43b3e263f56c701eebc7f1278f75a51b2abf12dee99729efcf51db8d7dd40645e9546e6ad1e2ea8600e8284d00cedbfd
+  data.tar.gz: 5b87068577c488f213de6a2fe2346d757ee01d1c92aca73e2a87dbd3af07f28b321d511afb4968cd228afb47a41822c3b0040320ef47760629699701a8d8c0cc

data/VERSION

@@ -1 +1 @@
-1.9.3
+1.9.4

data/json-jwt.gemspec

@@ -13,7 +13,6 @@ Gem::Specification.new do |gem|
   gem.require_paths = ['lib']
   gem.add_runtime_dependency 'activesupport'
   gem.add_runtime_dependency 'bindata'
-  gem.add_runtime_dependency 'securecompare'
   gem.add_runtime_dependency 'aes_key_wrap'
   gem.add_development_dependency 'rake'
   gem.add_development_dependency 'simplecov'

data/lib/json/jose.rb

@@ -1,4 +1,4 @@
-require 'securecompare'
+require 'active_support/security_utils'
 
 module JSON
   module JOSE
@@ -6,7 +6,6 @@ module JSON
 
     included do
       extend ClassMethods
-      include SecureCompare
       register_header_keys :alg, :jku, :jwk, :x5u, :x5t, :x5c, :kid, :typ, :cty, :crit
       alias_method :algorithm, :alg
 
@@ -33,6 +32,18 @@ module JSON
       end
     end
 
+    def secure_compare(a, b)
+      if ActiveSupport::SecurityUtils.respond_to?(:fixed_length_secure_compare)
+        begin
+          ActiveSupport::SecurityUtils.fixed_length_secure_compare(a, b)
+        rescue ArgumentError
+          false
+        end
+      else
+        ActiveSupport::SecurityUtils.secure_compare(a, b)
+      end
+    end
+
     module ClassMethods
       def register_header_keys(*keys)
         keys.each do |header_key|

data/lib/json/jwe.rb

@@ -48,6 +48,8 @@ module JSON
       cipher.key = encryption_key
       cipher.iv = iv # NOTE: 'iv' has to be set after 'key' for GCM
       if gcm?
+        # https://github.com/ruby/openssl/issues/63
+        raise DecryptionFailed.new('Invalid authentication tag') if authentication_tag.length < 16
         cipher.auth_tag = authentication_tag
         cipher.auth_data = auth_data
       end

data/lib/json/jws.rb

@@ -70,6 +70,7 @@ module JSON
     end
 
     def autodetected_algorithm_from(private_key_or_secret)
+      private_key_or_secret = with_jwk_support private_key_or_secret
       case private_key_or_secret
       when String
         :HS256

data/spec/json/jwe_spec.rb

@@ -169,6 +169,24 @@ describe JSON::JWE do
       end
     end
 
+    shared_examples_for :verify_gcm_authentication_tag do
+      let(:jwe_string) do
+        _jwe_ = JSON::JWE.new plain_text
+        _jwe_.alg, _jwe_.enc = alg, enc
+        _jwe_.encrypt! key
+        header, key, iv, cipher_text, auth_tag = _jwe_.to_s.split('.')
+        truncated_auth_tag = Base64.urlsafe_decode64(auth_tag).slice(0..-2)
+        truncated_auth_tag = Base64.urlsafe_encode64(truncated_auth_tag, padding: false)
+        [header, key, iv, cipher_text, truncated_auth_tag].join('.')
+      end
+
+      it do
+        expect do
+          jwe.decrypt! key
+        end.to raise_error JSON::JWE::DecryptionFailed
+      end
+    end
+
     shared_examples_for :unexpected_algorithm_for_decryption do
       it do
         expect do
@@ -193,6 +211,7 @@ describe JSON::JWE do
         let(:enc) { :A128GCM }
         if gcm_supported?
           it_behaves_like :decryptable
+          it_behaves_like :verify_gcm_authentication_tag
         else
           it_behaves_like :gcm_decryption_unsupported
         end
@@ -202,6 +221,7 @@ describe JSON::JWE do
         let(:enc) { :A256GCM }
         if gcm_supported?
           it_behaves_like :decryptable
+          it_behaves_like :verify_gcm_authentication_tag
         else
           it_behaves_like :gcm_decryption_unsupported
         end
@@ -226,6 +246,7 @@ describe JSON::JWE do
         let(:enc) { :A128GCM }
         if gcm_supported?
           it_behaves_like :decryptable
+          it_behaves_like :verify_gcm_authentication_tag
         else
           it_behaves_like :gcm_decryption_unsupported
         end
@@ -235,6 +256,7 @@ describe JSON::JWE do
         let(:enc) { :A256GCM }
         if gcm_supported?
           it_behaves_like :decryptable
+          it_behaves_like :verify_gcm_authentication_tag
         else
           it_behaves_like :gcm_decryption_unsupported
         end
@@ -262,6 +284,7 @@ describe JSON::JWE do
         let(:key_size) { 16 }
         if gcm_supported?
           it_behaves_like :decryptable
+          it_behaves_like :verify_gcm_authentication_tag
         else
           it_behaves_like :gcm_decryption_unsupported
         end
@@ -272,6 +295,7 @@ describe JSON::JWE do
         let(:key_size) { 32 }
         if gcm_supported?
           it_behaves_like :decryptable
+          it_behaves_like :verify_gcm_authentication_tag
         else
           it_behaves_like :gcm_decryption_unsupported
         end

data/spec/json/jwt_spec.rb

@@ -77,6 +77,33 @@ describe JSON::JWT do
           its(:alg) { should == :ES512 }
         end
       end
+
+      context 'when key is JWK with kty=okt' do
+        let(:key) { JSON::JWK.new shared_secret }
+        its(:alg) { should == :HS256 }
+      end
+
+      context 'when key is JWK with kty=RSA' do
+        let(:key) { JSON::JWK.new private_key }
+        its(:alg) { should == :RS256 }
+      end
+
+      context 'when key is JWK with kty=EC' do
+        context 'when prime256v1' do
+          let(:key) { JSON::JWK.new private_key(:ecdsa) }
+          its(:alg) { should == :ES256 }
+        end
+
+        context 'when secp384r1' do
+          let(:key) { JSON::JWK.new private_key(:ecdsa, digest_length: 384) }
+          its(:alg) { should == :ES384 }
+        end
+
+        context 'when secp521r1' do
+          let(:key) { JSON::JWK.new private_key(:ecdsa, digest_length: 512) }
+          its(:alg) { should == :ES512 }
+        end
+      end
     end
 
     context 'when non-JWK key is given' do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: json-jwt
 version: !ruby/object:Gem::Version
-  version: 1.9.3
+  version: 1.9.4
 platform: ruby
 authors:
 - nov matake
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-04-27 00:00:00.000000000 Z
+date: 2018-05-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -38,20 +38,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: securecompare
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: aes_key_wrap
   requirement: !ruby/object:Gem::Requirement
@@ -188,7 +174,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.3
+rubygems_version: 2.6.11
 signing_key: 
 specification_version: 4
 summary: JSON Web Token and its family (JSON Web Signature, JSON Web Encryption and