json_web_token 0.0.2 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d1518a4e0fe92dc8de73a3ed606115ac89ef466b
-  data.tar.gz: 5d38d88d1307780db38343d0c23d315963fa376d
+  metadata.gz: b8edcad4e223e03c0e62c87821bda85d261108a4
+  data.tar.gz: 3eaa77429d1e1e114226ad5db6ade121a46c56f8
 SHA512:
-  metadata.gz: 781e08e80e4ec08fa00f02e7d7127bca5ba50ce83f2708c7e5135c53b4edeaac53891bac3a0fcc517112511210ab55fd38552e105db62bc631453f3f5df289c1
-  data.tar.gz: 4c55609063885e415f48ea97c9169076837551fdc2a779f80ee27d14442cdfaf487d3f3dcdeae9fca6ceb6000af210b81d12876e7697250f7ec7ccaff9d976bc
+  metadata.gz: 9e39740af0f48f4781537d5b64ad6f94eaa21945d96155a9beed99db588509201233c07f320eda7aa3ba78126a800c857e35a03c26b1fb4d90935e72061c4aee
+  data.tar.gz: 84d4f1ad8cdb91063fcfa3ad48706722ebae3df3cf78deb947a5c512c62f56c78fada15408b840e5d2014ea24a20f69f4f4d5bc496bfa7e6fd19d4576f009989

data/.travis.yml

@@ -0,0 +1,7 @@
+language: ruby
+rvm:
+  - 2.2.2
+  - 2.1.6
+  - 2.0.0
+# uncomment this line if your project needs to run something other than `rake`:
+script: bundle exec rspec spec

data/CHANGELOG.md

@@ -1,11 +1,16 @@
 ## Changelog
 
-### 0.0.2 2015-07-11
+### v0.1.0 (2015-07-12)
+
+* enhancements
+  * support ECDSA algorithm
+
+### v0.0.2 (2015-07-11)
 
 * enhancements
   * support RSASSA-PKCS-v1_5 algorithm
 
-### 0.0.1 2015-07-09
+### v0.0.1 (2015-07-09)
 
 * initial
   * support HMAC algorithm

data/README.md

@@ -1,7 +1,8 @@
 # JSON Web Token
 
 ## A JSON Web Token implementation for Ruby
-**Work in progress -- not yet ready for production**
+
+[![code_climate][cc_img]][code_climate]
 
 ### Description
 A Ruby implementation of the JSON Web Token (JWT) Standards Track [RFC 7519][rfc7519]
@@ -16,10 +17,12 @@ A Ruby implementation of the JSON Web Token (JWT) Standards Track [RFC 7519][rfc
   - JSON Web Algorithms (JWA) Standards Track [RFC 7518][rfc7518]
 * Thorough test coverage
 * Modularity for comprehension and extensibility
+* Fail fast and hard, with maximally strict validation
+  - Inspired by [The Harmful Consequences of Postel's Maxim][thomson-postel]
 * Implement only the REQUIRED elements of the JWT standard (initially)
 
 ### Intended Audience
-Token authentication of API requests to Rails via these popular gems
+Token authentication of API requests to Rails via these prominent gems:
 
 - [Devise][devise]
 - [Doorkeeper][doorkeeper]
@@ -37,7 +40,7 @@ Returns a JSON Web Token string
 
 `options` (optional) hash
 
-* **alg**, default: `HS256`
+* **alg** (optional, default: `HS256`)
 * **key** (required unless alg is 'none')
 
 Example
@@ -49,12 +52,12 @@ require 'json_web_token'
 jwt = JsonWebToken.create({foo: 'bar'}, key: 'gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr9C')
 
 # sign with RSA SHA256 algorithm
-options = {
+opts = {
   alg: 'RSA256',
   key: < RSA private key >
 }
 
-jwt = JsonWebToken.create({foo: 'bar'}, options)
+jwt = JsonWebToken.create({foo: 'bar'}, opts)
 
 # unsecured token (algorithm is 'none')
 jwt = JsonWebToken.create({foo: 'bar'}, alg: 'none')
@@ -63,13 +66,15 @@ jwt = JsonWebToken.create({foo: 'bar'}, alg: 'none')
 
 ### JsonWebToken.validate(jwt, options)
 
-Returns a JWT claims set string or hash, if the MAC signature is valid
+Returns either:
+* a JWT claims set string or hash, if the Message Authentication Code (MAC), or signature, is verified
+* a string, 'Invalid', otherwise
 
 `jwt` (required) is a JSON web token string
 
 `options` (optional) hash
 
-* **algorithm**, default: `HS256`
+* **alg** (optional, default: `HS256`)
 * **key** (required unless alg is 'none')
 
 Example
@@ -77,24 +82,24 @@ Example
 ```ruby
 require 'json_web_token'
 
-secure_jwt = 'eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt.cGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'
+secure_jwt_example = 'eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt.cGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'
 
 # verify with default algorithm, HMAC SHA256
-claims = JsonWebToken.validate(secure_jwt, key: 'gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr9C')
+claims = JsonWebToken.validate(secure_jwt_example, key: 'gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr9C')
 
 # verify with RSA SHA256 algorithm
-options = {
+opts = {
   alg: 'RSA256',
   key: < RSA public key >
 }
 
-claims = JsonWebToken.validate(jwt, options)
+claims = JsonWebToken.validate(jwt, opts)
 
 # unsecured token (algorithm is 'none')
 
-unsecured_jwt = 'eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt.'
+unsecured_jwt_example = 'eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt.'
 
-claims = JsonWebToken.validate(unsecured_jwt, alg: 'none')
+claims = JsonWebToken.validate(unsecured_jwt_example, alg: 'none')
 
 ```
 ### Supported encryption algorithms
@@ -107,6 +112,9 @@ HS512 | HMAC using SHA-512
 RS256 | RSASSA-PKCS-v1_5 using SHA-256 per [RFC3447][rfc3447]
 RS384 | RSASSA-PKCS-v1_5 using SHA-384
 RS512 | RSASSA-PKCS-v1_5 using SHA-512
+ES256 | ECDSA using P-256 and SHA-256 per [DSS][dss]
+ES384 | ECDSA using P-384 and SHA-384
+ES512 | ECDSA using P-521 and SHA-512
 none | No digital signature or MAC performed (unsecured)
 
 ### Supported Ruby Versions
@@ -115,7 +123,7 @@ Ruby 2.0 and up
 ### Limitations
 Future implementation may include these features:
 
-- additional RECOMMENDED or OPTIONAL encryption algorithms
+- processing of OPTIONAL JWT registered claim names (e.g. 'exp')
 - representation of a JWT as a JSON Web Encryption (JWE) [RFC 7516][rfc7516]
 - OPTIONAL nested JWTs
 
@@ -125,9 +133,14 @@ Future implementation may include these features:
 [rfc7516]: http://tools.ietf.org/html/rfc7516
 [rfc7518]: http://tools.ietf.org/html/rfc7518
 [rfc7519]: http://tools.ietf.org/html/rfc7519
+[dss]: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
 
+[thomson-postel]: https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00
 [cors]: http://www.w3.org/TR/cors/
 [devise]: https://github.com/plataformatec/devise
 [doorkeeper]: https://github.com/doorkeeper-gem/doorkeeper
 [oauth2]: https://github.com/intridea/oauth2
 [rack-cors]: https://github.com/cyu/rack-cors
+
+[code_climate]: https://codeclimate.com/github/garyf/json_web_token
+[cc_img]: https://codeclimate.com/github/garyf/json_web_token/badges/gpa.svg

data/lib/json_web_token/algorithm/ecdsa.rb

@@ -0,0 +1,50 @@
+require 'json_web_token/algorithm/common'
+require 'json_web_token/format/asn1'
+
+module JsonWebToken
+  module Algorithm
+    module Ecdsa
+
+      extend JsonWebToken::Algorithm::Common
+      extend JsonWebToken::Format::Asn1
+
+      MAC_BYTE_COUNT = {
+        '256' => 64, # secp256k1
+        '384' => 96, # secp384r1
+        '512' => 132 # secp521r1 note difference (not 128) due to using 521-bit integers
+      }
+
+      module_function
+
+      def signed(sha_bits, private_key, data)
+        validate_key(private_key, sha_bits)
+        der = private_key.dsa_sign_asn1(ssl_digest_hash sha_bits, data)
+        der_to_signature(der, sha_bits)
+      end
+
+      def verified?(signature, sha_bits, key, data)
+        validate_key(key, sha_bits)
+        validate_signature_size(signature, sha_bits)
+        der = signature_to_der(signature, sha_bits)
+        key.dsa_verify_asn1(ssl_digest_hash(sha_bits, data), der)
+      end
+
+      # private
+
+      def validate_key_size(_key, _sha_bits); end
+
+      def ssl_digest_hash(sha_bits, data)
+        digest_new(sha_bits).digest(data)
+      end
+
+      def validate_signature_size(signature, sha_bits)
+        n = MAC_BYTE_COUNT[sha_bits]
+        fail('Invalid signature') unless signature && signature.bytesize == n
+      end
+
+      private_class_method :validate_key_size,
+        :ssl_digest_hash,
+        :validate_signature_size
+    end
+  end
+end

data/lib/json_web_token/format/asn1.rb

@@ -0,0 +1,61 @@
+require 'openssl'
+
+module JsonWebToken
+  module Format
+    module Asn1
+
+      KEY_BITS = {
+        '256' => 256,
+        '384' => 384,
+        '512' => 521 # note difference
+      }
+
+      module_function
+
+      # ASN1 data structures are usually encoded using the Distinguished Encoding Rules (DER).
+      # The ASN1 module provides the necessary classes that allow generation of ASN1 data
+      # structures and the methods to encode them using a DER encoding. The decode method allows
+      # parsing arbitrary DER-encoded data to a Ruby object that can then be modified and
+      # re-encoded at will. (see http://docs.ruby-lang.org/en/2.1.0/OpenSSL/ASN1.html)
+
+      def der_to_signature(der, sha_bits)
+        signature_pair = OpenSSL::ASN1.decode(der).value
+        width = per_part_byte_count(sha_bits)
+        signature_pair.map { |part| part.value.to_s(2).rjust(width, "\x00") }.join
+      end
+
+      def signature_to_der(signature, sha_bits)
+        hsh = destructured_sig(signature, sha_bits)
+        asn1_seq = OpenSSL::ASN1::Sequence.new([
+          asn1_int(hsh[:r]),
+          asn1_int(hsh[:s])
+        ])
+        asn1_seq.to_der
+      end
+
+      # private
+
+      def per_part_byte_count(sha_bits)
+        bits = KEY_BITS[sha_bits]
+        bits ? (bits + 7) / 8 : fail('Invalid sha_bits')
+      end
+
+      def destructured_sig(signature, sha_bits)
+        n = per_part_byte_count(sha_bits)
+        fail('Invalid signature length') unless signature.length == n * 2
+        {
+          r: signature[0, n],
+          s: signature[n, n]
+        }
+      end
+
+      def asn1_int(int)
+        OpenSSL::ASN1::Integer.new(OpenSSL::BN.new int, 2)
+      end
+
+      private_class_method :per_part_byte_count,
+        :destructured_sig,
+        :asn1_int
+    end
+  end
+end

data/lib/json_web_token/jwa.rb

@@ -1,10 +1,11 @@
+require 'json_web_token/algorithm/ecdsa'
 require 'json_web_token/algorithm/hmac'
 require 'json_web_token/algorithm/rsa'
 
 module JsonWebToken
   module Jwa
 
-    ALGORITHMS = /(HS|RS)(256|384|512)?/i
+    ALGORITHMS = /(HS|RS|ES)(256|384|512)?/i
     ALG_LENGTH = 5
 
     module_function
@@ -39,6 +40,7 @@ module JsonWebToken
       case str
       when 'hs' then Algorithm::Hmac
       when 'rs' then Algorithm::Rsa
+      when 'es' then Algorithm::Ecdsa
       else fail('Unsupported algorithm')
       end
     end

data/lib/json_web_token/version.rb

@@ -1,3 +1,3 @@
 module JsonWebToken
-  VERSION = '0.0.2'
+  VERSION = '0.1.0'
 end

data/spec/json_web_token/algorithm/ecdsa_spec.rb

@@ -0,0 +1,56 @@
+require 'json_web_token/algorithm/ecdsa'
+require 'support/ecdsa_key'
+
+module JsonWebToken
+  module Algorithm
+    describe Ecdsa do
+      describe 'detect changed signature or data' do
+        let(:signing_input_0) { 'signing_input_0' }
+        let(:signing_input_1) { 'signing_input_1' }
+        shared_examples_for '#signed' do
+          it 'is #verified?' do
+            private_key_0 = EcdsaKey.curve_new(sha_bits)
+            public_key_str_0 = EcdsaKey.public_key_str(private_key_0)
+            public_key_0 = EcdsaKey.public_key_new(sha_bits, public_key_str_0)
+
+            mac_0 = Ecdsa.signed(sha_bits, private_key_0, signing_input_0)
+            expect(mac_0.bytes.count).to eql expected_mac_byte_count
+            expect(Ecdsa.verified? mac_0, sha_bits, public_key_0, signing_input_0).to be true
+
+            private_key_1 = EcdsaKey.curve_new(sha_bits)
+            public_key_str_1 = EcdsaKey.public_key_str(private_key_1)
+            public_key_1 = EcdsaKey.public_key_new(sha_bits, public_key_str_1)
+
+            expect(Ecdsa.verified? mac_0, sha_bits, public_key_0, signing_input_1).to be false
+            expect(Ecdsa.verified? mac_0, sha_bits, public_key_1, signing_input_0).to be false
+            expect(Ecdsa.verified? mac_0, sha_bits, public_key_1, signing_input_1).to be false
+
+            mac_1 = Ecdsa.signed(sha_bits, private_key_1, signing_input_1)
+            expect(Ecdsa.verified? mac_1, sha_bits, public_key_0, signing_input_0).to be false
+            expect(Ecdsa.verified? mac_1, sha_bits, public_key_0, signing_input_1).to be false
+            expect(Ecdsa.verified? mac_1, sha_bits, public_key_1, signing_input_0).to be false
+            expect(Ecdsa.verified? mac_1, sha_bits, public_key_1, signing_input_1).to be true
+          end
+        end
+
+        describe 'ES256' do
+          let(:sha_bits) { '256' }
+          let(:expected_mac_byte_count) { 64 }
+          it_behaves_like '#signed'
+        end
+
+        describe 'ES384' do
+          let(:sha_bits) { '384' }
+          let(:expected_mac_byte_count) { 96 }
+          it_behaves_like '#signed'
+        end
+
+        describe 'ES512' do
+          let(:sha_bits) { '512' }
+          let(:expected_mac_byte_count) { 132 }
+          it_behaves_like '#signed'
+        end
+      end
+    end
+  end
+end

data/spec/json_web_token/algorithm/hmac_spec.rb

@@ -78,7 +78,6 @@ module JsonWebToken
             it 'returns a 32-byte MAC string' do
               mac = Hmac.signed(sha_bits, key, data)
               expect(mac.bytesize).to eql 32
-              expect(mac.class).to eql String
             end
           end
         end
@@ -95,7 +94,6 @@ module JsonWebToken
             it 'returns a 48-byte MAC string' do
               mac = Hmac.signed(sha_bits, key, data)
               expect(mac.bytesize).to eql 48
-              expect(mac.class).to eql String
             end
           end
         end
@@ -112,7 +110,6 @@ module JsonWebToken
             it 'returns a 64-byte MAC string' do
               mac = Hmac.signed(sha_bits, key, data)
               expect(mac.bytesize).to eql 64
-              expect(mac.class).to eql String
             end
           end
         end

data/spec/json_web_token/algorithm/rsa_spec.rb

@@ -75,7 +75,6 @@ module JsonWebToken
           it 'returns a 256-byte MAC string' do
             mac = Rsa.signed(sha_bits, private_key, data)
             expect(mac.bytesize).to eql 256
-            expect(mac.class).to eql String
           end
         end
 

data/spec/json_web_token/format/asn1_spec.rb

@@ -0,0 +1,105 @@
+require 'json_web_token/format/asn1'
+
+module JsonWebToken
+  module Format
+    describe Asn1 do
+      context 'w bytes' do
+        let(:der) { der_bytes.map(&:chr).join }
+        let(:signature) { signature_bytes.map(&:chr).join }
+        shared_examples_for '#der_to_signature' do
+          it 'converts' do
+            expect(signature.bytes.length).to eql signature_byte_count
+            expect(Asn1.der_to_signature(der, sha_bits).bytes).to eql signature_bytes
+          end
+        end
+
+        shared_examples_for '#signature_to_der' do
+          it 'converts' do
+            expect(Asn1.signature_to_der(signature, sha_bits).bytes).to eql der_bytes
+          end
+        end
+
+        shared_examples_for 'w/o valid signature' do
+          let(:signature_invalid) { (signature_bytes + [123]).map(&:chr).join }
+          it '#signature_to_der raises' do
+            expect { Asn1.signature_to_der(signature_invalid, sha_bits) }
+              .to raise_error(RuntimeError, 'Invalid signature length')
+          end
+        end
+
+        context 'for ES256' do
+          let(:sha_bits) { '256' }
+          let(:der_bytes) { [48, 69, 2, 32, 39, 115, 251, 5, 254, 60, 42, 53, 128, 68, 123, 82,
+            222, 136, 26, 167, 246, 163, 233, 216, 206, 122, 106, 141, 43, 143, 137, 3, 88, 196,
+            235, 161, 2, 33, 0, 143, 213, 54, 244, 194, 216, 188, 161, 77, 28, 87, 205, 16, 160,
+            11, 125, 21, 62, 206, 233, 242, 201, 149, 152, 53, 25, 103, 6, 4, 56, 193, 161] }
+          let(:signature_bytes) { [39, 115, 251, 5, 254, 60, 42, 53, 128, 68, 123, 82, 222, 136,
+            26, 167, 246, 163, 233, 216, 206, 122, 106, 141, 43, 143, 137, 3, 88, 196, 235, 161,
+            143, 213, 54, 244, 194, 216, 188, 161, 77, 28, 87, 205, 16, 160, 11, 125, 21, 62,
+            206, 233, 242, 201, 149, 152, 53, 25, 103, 6, 4, 56, 193, 161] }
+          let(:signature_byte_count) { 64 }
+          it_behaves_like '#der_to_signature'
+          it_behaves_like '#signature_to_der'
+          it_behaves_like 'w/o valid signature'
+
+          describe 'invalid sha_bits' do
+            let(:invalid_sha_bits) { '257' }
+            it '#der_to_signature raises' do
+              expect { Asn1.der_to_signature(der, invalid_sha_bits) }
+                .to raise_error(RuntimeError, 'Invalid sha_bits')
+            end
+
+            it '#signature_to_der raises' do
+              expect { Asn1.signature_to_der(signature, invalid_sha_bits) }
+                .to raise_error(RuntimeError, 'Invalid sha_bits')
+            end
+          end
+        end
+
+        context 'for ES384' do
+          let(:sha_bits) { '384' }
+          let(:der_bytes) { [48, 101, 2, 48, 22, 221, 123, 224, 5, 100, 163, 31, 98, 78, 240,
+            249, 85, 126, 120, 130, 228, 123, 69, 2, 21, 65, 249, 229, 151, 208, 186, 162, 31,
+            149, 42, 165, 134, 214, 197, 176, 120, 10, 205, 247, 176, 19, 2, 156, 112, 89, 58,
+            234, 2, 49, 0, 255, 43, 120, 92, 206, 84, 88, 29, 109, 225, 254, 162, 37, 255, 127,
+            231, 37, 178, 36, 173, 225, 201, 121, 154, 43, 122, 229, 114, 50, 83, 69, 243, 143,
+            248, 89, 109, 136, 233, 223, 148, 137, 226, 96, 78, 166, 141, 222, 236] }
+          let(:signature_bytes) { [22, 221, 123, 224, 5, 100, 163, 31, 98, 78, 240, 249, 85,
+            126, 120, 130, 228, 123, 69, 2, 21, 65, 249, 229, 151, 208, 186, 162, 31, 149, 42,
+            165, 134, 214, 197, 176, 120, 10, 205, 247, 176, 19, 2, 156, 112, 89, 58, 234, 255,
+            43, 120, 92, 206, 84, 88, 29, 109, 225, 254, 162, 37, 255, 127, 231, 37, 178, 36,
+            173, 225, 201, 121, 154, 43, 122, 229, 114, 50, 83, 69, 243, 143, 248, 89, 109, 136,
+            233, 223, 148, 137, 226, 96, 78, 166, 141, 222, 236] }
+          let(:signature_byte_count) { 96 }
+          it_behaves_like '#der_to_signature'
+          it_behaves_like '#signature_to_der'
+          it_behaves_like 'w/o valid signature'
+        end
+
+        context 'for ES512' do
+          let(:sha_bits) { '512' }
+          let(:der_bytes) { [48, 129, 135, 2, 66, 0, 173, 236, 131, 242, 12, 189, 123, 8, 129,
+            2, 239, 202, 73, 168, 134, 216, 173, 241, 30, 1, 216, 177, 69, 61, 2, 196, 126, 145,
+            132, 172, 174, 210, 133, 191, 50, 57, 239, 229, 201, 118, 197, 62, 197, 62, 128,
+            143, 82, 84, 251, 80, 18, 196, 194, 198, 62, 144, 16, 149, 26, 67, 3, 215, 235, 179,
+            146, 2, 65, 40, 137, 198, 254, 15, 50, 214, 252, 43, 65, 203, 163, 140, 204, 66,
+            159, 53, 125, 184, 29, 24, 189, 249, 21, 64, 109, 87, 100, 165, 139, 83, 129, 190,
+            121, 180, 86, 241, 83, 238, 39, 63, 25, 247, 253, 130, 153, 47, 27, 138, 164, 221,
+            25, 151, 135, 144, 84, 240, 46, 59, 94, 99, 147, 138, 103, 67] }
+          let(:signature_bytes) { [0, 173, 236, 131, 242, 12, 189, 123, 8, 129, 2, 239, 202, 73,
+            168, 134, 216, 173, 241, 30, 1, 216, 177, 69, 61, 2, 196, 126, 145, 132, 172, 174,
+            210, 133, 191, 50, 57, 239, 229, 201, 118, 197, 62, 197, 62, 128, 143, 82, 84, 251,
+            80, 18, 196, 194, 198, 62, 144, 16, 149, 26, 67, 3, 215, 235, 179, 146, 0, 40, 137,
+            198, 254, 15, 50, 214, 252, 43, 65, 203, 163, 140, 204, 66, 159, 53, 125, 184, 29,
+            24, 189, 249, 21, 64, 109, 87, 100, 165, 139, 83, 129, 190, 121, 180, 86, 241, 83,
+            238, 39, 63, 25, 247, 253, 130, 153, 47, 27, 138, 164, 221, 25, 151, 135, 144, 84,
+            240, 46, 59, 94, 99, 147, 138, 103, 67] }
+          let(:signature_byte_count) { 132 }
+          it_behaves_like '#der_to_signature'
+          it_behaves_like '#signature_to_der'
+          it_behaves_like 'w/o valid signature'
+        end
+      end
+    end
+  end
+end

data/spec/json_web_token/jwa_spec.rb

@@ -1,33 +1,50 @@
 require 'json_web_token/jwa'
+require 'support/ecdsa_key'
 
 module JsonWebToken
   describe Jwa do
-    context 'detect changed signing_input or MAC' do
-      let(:signing_input) { 'signing_input' }
-      let(:changed_signing_input) { 'changed_signing_input' }
-      shared_examples_for '#signed' do
-        it 'is #verified?' do
-          mac = Jwa.signed(algorithm, signing_key, signing_input)
-          expect(Jwa.verified? mac, algorithm, verifying_key, signing_input).to be true
-          expect(Jwa.verified? mac, algorithm, verifying_key, changed_signing_input).to be false
-
-          changed_mac = Jwa.signed(algorithm, signing_key, changed_signing_input)
-          expect(Jwa.verified? changed_mac, algorithm, verifying_key, signing_input).to be false
-        end
+    shared_examples_for 'w #verified?' do
+      it 'true' do
+        expect(Jwa.verified? mac, algorithm, verifying_key, signing_input).to be true
       end
-
+    end
+    context '#signed' do
+      let(:signing_input) { 'signing_input' }
+      let(:mac) { Jwa.signed(algorithm, private_key, signing_input) }
       describe 'HS256' do
         let(:algorithm) { 'HS256' }
-        let(:signing_key) { 'gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr9C' }
-        let(:verifying_key) { signing_key }
-        it_behaves_like '#signed'
+        let(:private_key) { 'gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr9C' }
+        let(:verifying_key) { private_key }
+        it_behaves_like 'w #verified?'
+
+        it 'returns a 32-byte MAC' do
+          expect(mac.bytesize).to eql 32
+        end
       end
 
       describe 'RS256' do
         let(:algorithm) { 'RS256' }
-        let(:signing_key) { OpenSSL::PKey::RSA.generate(2048) }
-        let(:verifying_key) { signing_key.public_key }
-        it_behaves_like '#signed'
+        let(:private_key) { OpenSSL::PKey::RSA.generate(2048) }
+        let(:verifying_key) { private_key.public_key }
+        it_behaves_like 'w #verified?'
+
+        it 'returns a 256-byte MAC' do
+          expect(mac.bytesize).to eql 256
+        end
+      end
+
+      describe 'ES256' do
+        let(:algorithm) { 'ES256' }
+        it 'w #verified? true, returns a 64-byte MAC' do
+          private_key = EcdsaKey.curve_new('256')
+          public_key_str = EcdsaKey.public_key_str(private_key)
+          public_key = EcdsaKey.public_key_new('256', public_key_str)
+
+          mac = Jwa.signed(algorithm, private_key, signing_input)
+          expect(Jwa.verified? mac, algorithm, public_key, signing_input).to be true
+
+          expect(mac.bytesize).to eql 64
+        end
       end
     end
 
@@ -44,25 +61,6 @@ module JsonWebToken
             end
           end
         end
-
-        describe 'HS256' do
-          let(:algorithm) { 'HS256' }
-          it 'returns a 32-byte MAC string' do
-            mac = Jwa.signed(algorithm, key, data)
-            expect(mac.bytesize).to eql 32
-            expect(mac.class).to eql String
-          end
-        end
-      end
-
-      describe 'RS256' do
-        let(:private_key) { OpenSSL::PKey::RSA.generate(2048) }
-        let(:algorithm) { 'RS256' }
-        it 'returns a 256-byte MAC string' do
-          mac = Jwa.signed(algorithm, private_key, data)
-          expect(mac.bytesize).to eql 256
-          expect(mac.class).to eql String
-        end
       end
     end
   end

data/spec/json_web_token/jws_spec.rb

@@ -1,4 +1,5 @@
 require 'json_web_token/jws'
+require 'support/ecdsa_key'
 
 module JsonWebToken
   describe Jws do
@@ -6,7 +7,7 @@ module JsonWebToken
       let(:payload) { 'payload' }
       context '#message_signature' do
         shared_examples_for 'w #validate' do
-          it 'verified' do
+          it 'is verified' do
             jws = Jws.message_signature(header, payload, signing_key)
             expect(Jws.validate jws, algorithm, verifying_key).to eql jws
           end
@@ -51,6 +52,21 @@ module JsonWebToken
             end
           end
         end
+
+        context "w ES256 'alg' header parameter" do
+          let(:header) { {alg: 'ES256'} }
+          describe 'w passing a matching algorithm to #validate' do
+            let(:algorithm) { 'ES256' }
+            it 'is verified' do
+              private_key = EcdsaKey.curve_new('256')
+              public_key_str = EcdsaKey.public_key_str(private_key)
+              public_key = EcdsaKey.public_key_new('256', public_key_str)
+
+              jws = Jws.message_signature(header, payload, private_key)
+              expect(Jws.validate jws, algorithm, public_key).to eql jws
+            end
+          end
+        end
       end
 
       context 'header validation' do

data/spec/json_web_token/jwt_spec.rb

@@ -1,11 +1,12 @@
 require 'json_web_token/jwt'
+require 'support/ecdsa_key'
 require 'support/plausible_jwt'
 
 module JsonWebToken
   describe Jwt do
     context '#create' do
       shared_examples_for 'w #validate' do
-        it 'verified' do
+        it 'is verified' do
           jwt = Jwt.create(claims, create_options)
           expect(Jwt.validate jwt, validate_options).to include(claims)
         end
@@ -30,29 +31,29 @@ module JsonWebToken
             it_behaves_like 'return message signature'
           end
 
-          describe 'passing header parameters' do
-            let(:create_options) { {typ: 'JWT', alg: 'HS256', key: signing_key} }
+          describe 'w alg option' do
+            let(:create_options) { {alg: 'HS256', key: signing_key} }
             it_behaves_like 'w #validate'
             it_behaves_like 'return message signature'
           end
 
-          describe "w 'alg':'nil' header parameter" do
+          describe 'w alg: nil option' do
             let(:create_options) { {alg: nil, key: signing_key} }
             it_behaves_like 'w #validate'
             it_behaves_like 'return message signature'
           end
 
-          describe "w 'alg':'' header parameter" do
+          describe "w alg empty string option" do
             let(:create_options) { {alg: '', key: signing_key} }
             it_behaves_like 'w #validate'
             it_behaves_like 'return message signature'
           end
 
-          describe "w 'alg':'none' header parameter" do
-            let(:create_options) { {typ: 'JWT', alg: 'none', key: signing_key} }
+          describe "w alg: 'none' option" do
+            let(:create_options) { {alg: 'none', key: signing_key} }
             it 'raises' do
               jwt = Jwt.create(claims, create_options)
-              expect { Jwt.validate(jwt) }
+              expect { Jwt.validate(jwt, validate_options) }
                 .to raise_error(RuntimeError, "Algorithm not matching 'alg' header parameter")
             end
           end
@@ -62,9 +63,10 @@ module JsonWebToken
           let(:signing_key) { OpenSSL::PKey::RSA.generate(2048) }
           let(:verifying_key) { signing_key.public_key }
           let(:validate_options) { {alg: 'RS256', key: verifying_key} }
-          describe 'passing header parameters' do
-            let(:create_options) { {typ: 'JWT', alg: 'RS256', key: signing_key} }
+          describe 'passing matching options' do
+            let(:create_options) { {alg: 'RS256', key: signing_key} }
             it_behaves_like 'w #validate'
+
             it 'plausible' do
               jwt = Jwt.create(claims, create_options)
               expect(plausible_message_signature? jwt, 256).to be true
@@ -72,10 +74,29 @@ module JsonWebToken
           end
         end
 
+        context "w ES256 'alg' header parameter" do
+          let(:algorithm) { 'ES256' }
+          describe 'w passing a matching algorithm to #validate' do
+            it 'is verified and plausible' do
+              private_key = EcdsaKey.curve_new('256')
+              public_key_str = EcdsaKey.public_key_str(private_key)
+              public_key = EcdsaKey.public_key_new('256', public_key_str)
+
+              create_options = {alg: algorithm, key: private_key}
+              jwt = Jwt.create(claims, create_options)
+
+              validate_options = {alg: algorithm, key: public_key}
+              expect(Jwt.validate jwt, validate_options).to include(claims)
+
+              expect(plausible_message_signature? jwt, 64).to be true
+            end
+          end
+        end
+
         context 'w/o key' do
-          context "w alg 'none' header parameter" do
-            let(:create_options) { {typ: 'JWT', alg: 'none'} }
-            describe "w validate alg 'none'" do
+          context "w alg: 'none' header parameter" do
+            let(:create_options) { {alg: 'none'} }
+            describe "w validate alg: 'none'" do
               let(:validate_options) { {alg: 'none'} }
               it 'validates a plausible unsecured jws' do
                 jwt = Jwt.create(claims, create_options)
@@ -84,7 +105,7 @@ module JsonWebToken
               end
             end
 
-            describe "w default validate alg" do
+            describe 'w default validate alg' do
               it 'raises' do
                 jwt = Jwt.create(claims, create_options)
                 expect { Jwt.validate(jwt) }
@@ -109,7 +130,7 @@ module JsonWebToken
           it_behaves_like 'w/o claims'
         end
 
-        describe "w claims ''" do
+        describe 'w claims an empty string' do
           let(:claims) { '' }
           it_behaves_like 'w/o claims'
         end

data/spec/support/ecdsa_key.rb

@@ -0,0 +1,30 @@
+require 'openssl'
+
+module EcdsaKey
+
+  BUILT_IN_CURVES = {
+    '256' => 'secp256k1',
+    '384' => 'secp384r1',
+    '512' => 'secp521r1'
+  }
+
+  module_function
+
+  def curve_new(sha_bits)
+    OpenSSL::PKey::EC.new(BUILT_IN_CURVES[sha_bits])
+  end
+
+  def public_key_str(curve, base = 16)
+    curve.generate_key unless curve.private_key
+    curve.public_key.to_bn.to_s(base)
+  end
+
+  def public_key_new(sha_bits, public_key_str, base = 16)
+    curve_name = BUILT_IN_CURVES[sha_bits]
+    fail('Unsupported curve') unless curve_name
+    group = OpenSSL::PKey::EC::Group.new(curve_name)
+    curve = OpenSSL::PKey::EC.new(group)
+    curve.public_key = OpenSSL::PKey::EC::Point.new(group, OpenSSL::BN.new(public_key_str, base))
+    curve
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: json_web_token
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.1.0
 platform: ruby
 authors:
 - Gary Fleshman
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-07-11 00:00:00.000000000 Z
+date: 2015-07-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
@@ -52,6 +52,7 @@ extra_rdoc_files: []
 files:
 - ".gitignore"
 - ".rspec"
+- ".travis.yml"
 - CHANGELOG.md
 - Gemfile
 - LICENSE
@@ -59,16 +60,20 @@ files:
 - json_web_token.gemspec
 - lib/json_web_token.rb
 - lib/json_web_token/algorithm/common.rb
+- lib/json_web_token/algorithm/ecdsa.rb
 - lib/json_web_token/algorithm/hmac.rb
 - lib/json_web_token/algorithm/rsa.rb
+- lib/json_web_token/format/asn1.rb
 - lib/json_web_token/format/base64_url.rb
 - lib/json_web_token/jwa.rb
 - lib/json_web_token/jws.rb
 - lib/json_web_token/jwt.rb
 - lib/json_web_token/util.rb
 - lib/json_web_token/version.rb
+- spec/json_web_token/algorithm/ecdsa_spec.rb
 - spec/json_web_token/algorithm/hmac_spec.rb
 - spec/json_web_token/algorithm/rsa_spec.rb
+- spec/json_web_token/format/asn1_spec.rb
 - spec/json_web_token/format/base64_url_spec.rb
 - spec/json_web_token/jwa_spec.rb
 - spec/json_web_token/jws_spec.rb
@@ -76,6 +81,7 @@ files:
 - spec/json_web_token/util_spec.rb
 - spec/json_web_token_spec.rb
 - spec/spec_helper.rb
+- spec/support/ecdsa_key.rb
 - spec/support/plausible_jwt.rb
 homepage: https://github.com/garyf/json_web_token
 licenses: