json_web_token 0.2.0 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a1bab6670404e2a3185dabc1944f130891cb6de6
-  data.tar.gz: 142fb6257f61b6c906e29519af046289ba085508
+  metadata.gz: 85fab1d0b61ff35a7c47e3411003750aea5ff5f0
+  data.tar.gz: b143541e7d1e7ce670862e3e5be132fef4dcc507
 SHA512:
-  metadata.gz: 263eb8d5f5855937117026134f7dce4f76c37c48a3c0ef955d4c21d47e41395793cc3c55bea20de613f56c1808cc6ae55af919d16bfae214a81b1a8ec9f1d840
-  data.tar.gz: 29073ba554234ce1581d0608e29e17e12885c962ecbda6f402564c7bc85aa18669c9a47039bd817ce09e42e6def463623fd97f554bccff2b76049f610af85bd5
+  metadata.gz: 3a7f1e6c56f7e8b8aefdf85888ba94680b6b4c6506d3e2309941ff61872fe6f4547028e30cac7f96a631397910609c29b85d48bd23c0c55960e357a391a02554
+  data.tar.gz: d483e04b29d45fbf7b84493df4b59e279f2f1b62ad5ae6bb16c8796bf6aa8aecd687de40159f4ea0b10cdbea7b7b05ccc9dfe20d966e7b688d96efbf23ecbbbd

data/README.md

@@ -66,7 +66,7 @@ jwt = JsonWebToken.sign({foo: 'bar'}, alg: 'none')
 
 Returns either:
 * a JWT claims set string or hash, if the Message Authentication Code (MAC), or signature, is verified
-* a string, 'Invalid', otherwise
+* a hash, error: 'invalid', otherwise
 
 `jwt` (required) is a JSON web token string
 

data/json_web_token.gemspec

@@ -9,7 +9,7 @@ Gem::Specification.new do |s|
   s.homepage = 'https://github.com/garyf/json_web_token'
   s.name = 'json_web_token'
   s.platform = Gem::Platform::RUBY
-  s.summary = 'JSON Web Token for Ruby'
+  s.summary = 'JSON Web Token (JWT) for Ruby'
   s.version = JsonWebToken::VERSION
   # recommended
   s.license = 'MIT'

data/lib/json_web_token/algorithm/common.rb

@@ -10,9 +10,9 @@ module JsonWebToken
         '512'
       ]
 
-      def validate_key(key, sha_bits)
+      def validate_key(sha_bits, key)
         validate_sha_bits(sha_bits)
-        validate_key_size(key, sha_bits)
+        validate_key_size(sha_bits, key)
       end
 
       def validate_sha_bits(sha_bits)

data/lib/json_web_token/algorithm/ecdsa.rb

@@ -26,7 +26,7 @@ module JsonWebToken
       #   Ecdsa.sign('256', private_key, 'signing_input').bytes
       #   # => [90, 34, 44, 252, 147, 130, 167, 173, 86, 191, 247, 93, 94, 12, 200, 30, 173, 115, 248, 89, 246, 222, 4, 213, 119, 74, 70, 20, 231, 194, 104, 103]
       def sign(sha_bits, private_key, signing_input)
-        validate_key(private_key, sha_bits)
+        validate_key(sha_bits, private_key)
         der = private_key.dsa_sign_asn1(ssl_digest_hash sha_bits, signing_input)
         der_to_signature(der, sha_bits)
       end
@@ -40,21 +40,20 @@ module JsonWebToken
       #   Ecdsa.verify?(< binary_string >, '256', < public_key >, 'signing_input')
       #   # => true
       def verify?(mac, sha_bits, public_key, signing_input)
-        validate_key(public_key, sha_bits)
+        validate_key(sha_bits, public_key)
         validate_signature_size(mac, sha_bits)
         der = signature_to_der(mac, sha_bits)
         public_key.dsa_verify_asn1(ssl_digest_hash(sha_bits, signing_input), der)
       end
 
-      def validate_key_size(_key, _sha_bits); end
+      def validate_key_size(_sha_bits, _key); end
 
       def ssl_digest_hash(sha_bits, signing_input)
         digest_new(sha_bits).digest(signing_input)
       end
 
       def validate_signature_size(mac, sha_bits)
-        n = MAC_BYTE_COUNT[sha_bits]
-        fail('Invalid signature') unless mac && mac.bytesize == n
+        fail('Invalid signature') unless mac && mac.bytesize == MAC_BYTE_COUNT[sha_bits]
       end
 
       private_class_method :validate_key_size,

data/lib/json_web_token/algorithm/hmac.rb

@@ -20,7 +20,7 @@ module JsonWebToken
       #   Hmac.sign('256', shared_key, 'signing_input').bytes
       #   # => [90, 34, 44, 252, 147, 130, 167, 173, 86, 191, 247, 93, 94, 12, 200, 30, 173, 115, 248, 89, 246, 222, 4, 213, 119, 74, 70, 20, 231, 194, 104, 103]
       def sign(sha_bits, shared_key, signing_input)
-        validate_key(shared_key, sha_bits)
+        validate_key(sha_bits, shared_key)
         OpenSSL::HMAC.digest(digest_new(sha_bits), shared_key, signing_input)
       end
 
@@ -34,15 +34,20 @@ module JsonWebToken
       #   Hmac.verify?(< binary_string >, '256', shared_key, 'signing_input')
       #   # => true
       def verify?(mac, sha_bits, shared_key, signing_input)
-        validate_key(shared_key, sha_bits)
+        validate_key(sha_bits, shared_key)
         Util.constant_time_compare?(mac, sign(sha_bits, shared_key, signing_input))
       end
 
-      def validate_key_size(key, sha_bits)
-        fail('Invalid shared key') unless key && key.bytesize * 8 >= sha_bits.to_i
+      def validate_key_size(sha_bits, key)
+        fail('Invalid shared key') if weak_key?(sha_bits, key)
       end
 
-      private_class_method :validate_key_size
+      def weak_key?(sha_bits, key)
+        !key || key.bytesize * 8 < sha_bits.to_i
+      end
+
+      private_class_method :validate_key_size,
+        :weak_key?
     end
   end
 end

data/lib/json_web_token/algorithm/rsa.rb

@@ -10,6 +10,9 @@ module JsonWebToken
 
       KEY_BITS_MIN = 2048
 
+      # @see http://tools.ietf.org/html/rfc3447#section-7.2
+      MESSAGE_BYTES_MAX = 245 # 256 - 11 bytes
+
       module_function
 
       # @param sha_bits [String] desired security level in bits of the signature scheme
@@ -20,7 +23,7 @@ module JsonWebToken
       #   Rsa.sign('256', < private_key >, 'signing_input').bytes.length
       #   # => 256
       def sign(sha_bits, private_key, signing_input)
-        validate_key(private_key, sha_bits)
+        validate_params(sha_bits, private_key, signing_input)
         private_key.sign(digest_new(sha_bits), signing_input)
       end
 
@@ -31,16 +34,33 @@ module JsonWebToken
       #   Rsa.verify?(< binary_string >, '256', < public_key >, 'signing_input')
       #   # => true
       def verify?(mac, sha_bits, public_key, signing_input)
-        validate_key(public_key, sha_bits)
+        validate_params(sha_bits, public_key, signing_input)
         public_key.verify(digest_new(sha_bits), mac, signing_input)
       end
 
+      def validate_params(sha_bits, key, signing_input)
+        validate_key(sha_bits, key)
+        validate_message_size(signing_input)
+      end
+
+      def validate_key_size(_sha_bits, key)
+        fail('Invalid key: RSA modulus too small') if weak_key?(key)
+      end
+
       # https://github.com/ruby/openssl/issues/5
-      def validate_key_size(key, sha_bits)
-        fail('Invalid private key') unless key && key.n.num_bits >= KEY_BITS_MIN
+      def weak_key?(key)
+        !key || key.n.num_bits < KEY_BITS_MIN
+      end
+
+      # http://tools.ietf.org/html/rfc3447#section-7.2
+      def validate_message_size(signing_input)
+        fail('Invalid message: too large for RSA') if signing_input.bytesize > MESSAGE_BYTES_MAX
       end
 
-      private_class_method :validate_key_size
+      private_class_method :validate_params,
+        :validate_key_size,
+        :weak_key?,
+        :validate_message_size
     end
   end
 end

data/lib/json_web_token/version.rb

@@ -1,3 +1,3 @@
 module JsonWebToken
-  VERSION = '0.2.0'
+  VERSION = '0.2.1'
 end

data/spec/json_web_token/algorithm/rsa_spec.rb

@@ -47,7 +47,8 @@ module JsonWebToken
       context 'param validation' do
         shared_examples_for 'invalid private_key' do
           it 'raises' do
-            expect { Rsa.sign(sha_bits, private_key, signing_input_0) }.to raise_error(RuntimeError, 'Invalid private key')
+            expect { Rsa.sign(sha_bits, private_key, signing_input_0) }
+              .to raise_error(RuntimeError, 'Invalid key: RSA modulus too small')
           end
         end
 

data/spec/json_web_token/jws_spec.rb

@@ -23,7 +23,7 @@ module JsonWebToken
               it_behaves_like 'does #verify'
 
               describe 'w/o passing key to #verify' do
-                it "returns 'Invalid'" do
+                it 'returns false' do
                   jws = Jws.sign(header, payload, signing_key)
                   expect(Jws.verify jws, algorithm, nil).to be false
                 end
@@ -31,7 +31,7 @@ module JsonWebToken
 
               describe 'w passing a changed key to #verify' do
                 let(:changed_key) { 'gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr9Z' }
-                it "returns 'Invalid'" do
+                it 'returns false' do
                   jws = Jws.sign(header, payload, signing_key)
                   expect(Jws.verify jws, algorithm, changed_key).to be false
                 end

data/spec/json_web_token/jwt_spec.rb

@@ -59,6 +59,13 @@ module JsonWebToken
           end
         end
 
+        describe 'w/o key w default header alg' do
+          it 'raises' do
+            expect { JsonWebToken.sign(claims, {}) }
+              .to raise_error(RuntimeError, 'Invalid shared key')
+          end
+        end
+
         describe 'w HS256 key changed' do
           let(:sign_options) { {alg: 'HS256', key: 'gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr9C'} }
           let(:changed_key) { 'gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr9Z' }

data/spec/json_web_token_spec.rb

@@ -34,12 +34,6 @@ describe JsonWebToken do
         end
       end
     end
-
-    describe 'w/o key w default header alg' do
-      it 'raises' do
-        expect { JsonWebToken.sign(claims, {}) }.to raise_error(RuntimeError, 'Invalid shared key')
-      end
-    end
   end
 
   context 'module alias JWT' do

metadata

@@ -1,47 +1,47 @@
 --- !ruby/object:Gem::Specification
 name: json_web_token
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.2.1
 platform: ruby
 authors:
 - Gary Fleshman
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-08-02 00:00:00.000000000 Z
+date: 2015-08-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.8'
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.8.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.8'
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.8.3
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '3.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '3.3'
 description: Ruby implementation of the JSON Web Token (JWT) standard, RFC 7519
@@ -50,9 +50,9 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .rspec
-- .travis.yml
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
 - CHANGELOG.md
 - Gemfile
 - LICENSE
@@ -93,12 +93,12 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: 2.0.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
@@ -106,6 +106,6 @@ rubyforge_project:
 rubygems_version: 2.4.8
 signing_key: 
 specification_version: 4
-summary: JSON Web Token for Ruby
+summary: JSON Web Token (JWT) for Ruby
 test_files: []
 has_rdoc: