jwk 0.1.0

data/lib/jwk/key.rb

@@ -0,0 +1,64 @@
+module JWK
+  class Key
+    class << self
+      def from_pem(pem)
+        key = OpenSSL::PKey.read(pem)
+        from_openssl(key)
+      end
+
+      def from_openssl(key)
+        if key.is_a?(OpenSSL::PKey::RSA)
+          RSAKey.from_openssl(key)
+        elsif key.is_a?(OpenSSL::PKey::EC)
+          ECKey.from_openssl(key)
+        end
+      end
+
+      def from_json(json)
+        key = JSON.parse(json)
+        validate_kty!(key['kty'])
+
+        case key['kty']
+        when 'EC'
+          ECKey.new(key)
+        when 'RSA'
+          RSAKey.new(key)
+        when 'oct'
+          OctKey.new(key)
+        end
+      end
+
+      def validate_kty!(kty)
+        unless %w[EC RSA oct].include?(kty)
+          raise JWK::InvalidKey, "The provided JWK has an unknown \"kty\" value: #{kty}."
+        end
+      end
+    end
+
+    def to_json
+      @key.to_json
+    end
+
+    %w[kty use key_ops alg kid x5u x5c x5t].each do |part|
+      define_method(part) do
+        @key[part]
+      end
+    end
+
+    def x5t_s256
+      @key['x5t#S256']
+    end
+
+    protected
+
+    def pem_base64(content)
+      Base64.strict_encode64(content).scan(/.{1,64}/).join("\n")
+    end
+
+    def generate_pem(header, asn)
+      "-----BEGIN #{header} KEY-----\n" +
+        pem_base64(asn) +
+        "\n-----END #{header} KEY-----\n"
+    end
+  end
+end

data/lib/jwk/oct_key.rb

@@ -0,0 +1,38 @@
+require 'jwk/key'
+
+module JWK
+  class OctKey < Key
+    def initialize(key)
+      @key = key
+      validate
+    end
+
+    def public?
+      true
+    end
+
+    def private?
+      true
+    end
+
+    def validate
+      raise JWK::InvalidKey, 'Invalid RSA key.' unless @key['k']
+    end
+
+    def to_pem
+      raise NotImplementedError, 'Oct Keys cannot be converted to PEM.'
+    end
+
+    def to_openssl_key
+      raise NotImplementedError, 'Oct Keys cannot be converted to OpenSSL::PKey.'
+    end
+
+    def to_s
+      k
+    end
+
+    def k
+      Utils.decode_ub64(@key['k'])
+    end
+  end
+end

data/lib/jwk/rsa_key.rb

@@ -0,0 +1,91 @@
+require 'jwk/key'
+
+module JWK
+  class RSAKey < Key
+    def initialize(key)
+      @key = key
+      validate
+    end
+
+    def public?
+      true
+    end
+
+    def private?
+      !@key['d'].nil?
+    end
+
+    def validate
+      raise JWK::InvalidKey, 'Invalid RSA key.' unless @key['n'] && @key['e']
+    end
+
+    def to_pem
+      asn = to_asn
+
+      if private?
+        generate_pem('RSA PRIVATE', asn)
+      else
+        generate_pem('PUBLIC', asn)
+      end
+    end
+
+    def to_openssl_key
+      OpenSSL::PKey.read(to_pem)
+    end
+
+    def to_s
+      to_pem
+    end
+
+    %w[n e d p q dp dq qi].each do |part|
+      define_method(part) do
+        Utils.decode_ub64_int(@key[part]) if @key[part]
+      end
+    end
+
+    class << self
+      def from_openssl(k)
+        if k.private?
+          key = { 'kty' => 'RSA' }.merge(key_params(k, 'n', 'e', 'd', 'p', 'q', 'dmp1', 'dmq1', 'iqmp'))
+          key['dp'] = key.delete('dmp1')
+          key['dq'] = key.delete('dmq1')
+          key['qi'] = key.delete('iqmp')
+        else
+          key = { 'kty' => 'RSA' }.merge(key_params(k, 'n', 'e'))
+        end
+
+        new(key)
+      end
+
+      private
+
+      def key_params(key, *params)
+        Hash[params.map do |p|
+          [p, Utils.encode_ub64_int(key.params[p].to_i)]
+        end]
+      end
+    end
+
+    private
+
+    def to_asn
+      if private?
+        unless full_private?
+          raise NotImplementedError, 'Cannot convert RSA private key to PEM. Missing key data.'
+        end
+
+        ASN1.rsa_private_key(*key_parts)
+      elsif public?
+        ASN1.rsa_public_key(n, e)
+      end
+    end
+
+    def full_private?
+      @key['d'] && @key['p'] && @key['q'] && @key['dp'] && @key['dq'] && @key['qi']
+    end
+
+    def key_parts
+      [n, e, d, p, q, dp, dq, qi]
+    end
+  end
+end

data/lib/jwk/utils.rb

@@ -0,0 +1,41 @@
+module JWK
+  module Utils
+    class << self
+      def hex_string_to_binary(s)
+        s.scan(/.{2}/).map { |n| n.to_i(16).chr }.join
+      end
+
+      def int_to_binary(n)
+        num_octets = (n.to_s(16).length / 2.0).ceil
+
+        shifted = n << 8
+        Array.new(num_octets) do
+          ((shifted >>= 8) & 0xFF).chr
+        end.join.reverse
+      end
+
+      def binary_to_int(s)
+        s.chars.inject(0) do |val, char|
+          (val << 8) | char[0].ord
+        end
+      end
+
+      def decode_ub64(data)
+        clean = data.gsub(/[[:space:]]/, '')
+
+        len = clean.length
+        padded = (len % 4).zero? ? clean : clean + '=' * (4 - len % 4)
+
+        Base64.urlsafe_decode64(padded)
+      end
+
+      def decode_ub64_int(data)
+        Utils.binary_to_int(decode_ub64(data))
+      end
+
+      def encode_ub64_int(n)
+        Base64.urlsafe_encode64(Utils.int_to_binary(n))
+      end
+    end
+  end
+end

data/lib/jwk/version.rb

@@ -0,0 +1,3 @@
+module JWK
+  VERSION = '0.1.0'.freeze
+end

data/spec/jwk/asn1_spec.rb

@@ -0,0 +1,70 @@
+describe JWK::ASN1 do
+  describe '.rsa_public_key' do
+    let(:known_asn) do
+      Base64.decode64('MBowDQYJKoZIhvcNAQEBBQADCQAwBgIBAQIBAg==')
+    end
+
+    let(:bignum) do
+      ([0x80FFFFFF] * 56).inject(0) { |a, n| (a << 32) | n }
+    end
+
+    let(:known_big_asn) do
+      Base64.decode64('MIH9MA0GCSqGSIb3DQEBAQUAA4HrADCB5wIBAQKB4QCA////gP///4D///+A
+                       ////gP///4D///+A////gP///4D///+A////gP///4D///+A////gP///4D/
+                       //+A////gP///4D///+A////gP///4D///+A////gP///4D///+A////gP//
+                       /4D///+A////gP///4D///+A////gP///4D///+A////gP///4D///+A////
+                       gP///4D///+A////gP///4D///+A////gP///4D///+A////gP///4D///+A
+                       ////gP///4D///+A////gP///4D///+A////gP///w==')
+    end
+
+    it 'generates valid ASN1 for a Generic Public Key of type RSA' do
+      result = JWK::ASN1.rsa_public_key(1, 2)
+      expect(result).to eq(known_asn)
+    end
+
+    it 'handles big values numbers correctly' do
+      result = JWK::ASN1.rsa_public_key(1, bignum)
+      expect(result).to eq(known_big_asn)
+    end
+  end
+
+  describe '.rsa_private_key' do
+    let(:known_asn) do
+      Base64.decode64('MBwCAQACAQECAQICAQMCAQQCAQUCAQYCAQcCAgCA')
+    end
+
+    it 'generates valid ASN1 for an RSA Private Key' do
+      result = JWK::ASN1.rsa_private_key(1, 2, 3, 4, 5, 6, 7, 0x80)
+      expect(result).to eq(known_asn)
+    end
+  end
+
+  describe '.ec_private_key' do
+    let(:known_p256_asn) do
+      Base64.decode64('MBoCAQEEAaCgCgYIKoZIzj0DAQehBgMEAAQCAw==')
+    end
+
+    let(:known_p384_asn) do
+      Base64.decode64('MBcCAQEEAaCgBwYFK4EEACKhBgMEAAQCAw==')
+    end
+
+    let(:known_p521_asn) do
+      Base64.decode64('MBcCAQEEAaCgBwYFK4EEACOhBgMEAAQCAw==')
+    end
+
+    it 'generates valid ASN1 for a P-256 EC Private Key' do
+      result = JWK::ASN1.ec_private_key('P-256', 0xA0, 2, 3)
+      expect(result).to eq(known_p256_asn)
+    end
+
+    it 'generates valid ASN1 for a P-384 EC Private Key' do
+      result = JWK::ASN1.ec_private_key('P-384', 0xA0, 2, 3)
+      expect(result).to eq(known_p384_asn)
+    end
+
+    it 'generates valid ASN1 for a P-521 EC Private Key' do
+      result = JWK::ASN1.ec_private_key('P-521', 0xA0, 2, 3)
+      expect(result).to eq(known_p521_asn)
+    end
+  end
+end

data/spec/jwk/ec_key_spec.rb

@@ -0,0 +1,84 @@
+describe JWK::ECKey do
+  let(:private_jwk) do
+    File.read('spec/support/ec_private.json')
+  end
+
+  let(:public_jwk) do
+    File.read('spec/support/ec_public.json')
+  end
+
+  let(:private_pem) do
+    File.read('spec/support/ec_private.pem')
+  end
+
+  describe '#initialize' do
+    it 'raises with invalid parameters' do
+      expect { JWK::Key.from_json('{"kty":"EC","crv":"P-256"}') }.to raise_error(JWK::InvalidKey)
+    end
+  end
+
+  describe '#to_pem' do
+    it 'converts private keys to the right format' do
+      key = JWK::Key.from_json(private_jwk)
+      expect(key.to_pem).to eq private_pem
+    end
+
+    it 'raises with public keys' do
+      key = JWK::Key.from_json(public_jwk)
+      expect { key.to_pem }.to raise_error NotImplementedError
+    end
+  end
+
+  describe '#to_s' do
+    it 'converts to pem' do
+      key = JWK::Key.from_json(private_jwk)
+      expect(key.to_s).to eq(key.to_pem)
+    end
+  end
+
+  describe '#to_openssl_key' do
+    it 'converts the private key to an openssl object' do
+      key = JWK::Key.from_json(private_jwk)
+
+      begin
+        expect(key.to_openssl_key).to be_a OpenSSL::PKey::EC
+      rescue Exception => e
+        # This is expected to fail on old jRuby versions
+        raise e unless defined?(JRUBY_VERSION)
+      end
+    end
+  end
+
+  describe '#to_json' do
+    it 'responds with the JWK JSON key' do
+      key = JWK::Key.from_json(private_jwk)
+      expect(JSON.parse(key.to_json)).to eq JSON.parse(private_jwk)
+    end
+  end
+
+  describe '#kty' do
+    it 'equals EC' do
+      key = JWK::Key.from_json(private_jwk)
+      expect(key.kty).to eq 'EC'
+    end
+  end
+
+  describe '#public?' do
+    it 'is true' do
+      key = JWK::Key.from_json(private_jwk)
+      expect(key.public?).to be_truthy
+    end
+  end
+
+  describe '#private?' do
+    it 'is true for private keys' do
+      key = JWK::Key.from_json(private_jwk)
+      expect(key.private?).to be_truthy
+    end
+
+    it 'is false for public keys' do
+      key = JWK::Key.from_json(public_jwk)
+      expect(key.private?).to be_falsey
+    end
+  end
+end

data/spec/jwk/key_spec.rb

@@ -0,0 +1,66 @@
+describe JWK::Key do
+  describe '.from_json' do
+    it 'raises for invalid kty' do
+      expect { JWK::Key.from_json('{"kty":"my-key-type"}') }.to raise_error JWK::InvalidKey
+    end
+  end
+
+  describe '.from_openssl' do
+    it 'creates an RSAKey for RSA keys' do
+      key = OpenSSL::PKey::RSA.new(2048)
+      jwk = JWK::Key.from_openssl(key)
+
+      expect(jwk).to be_a JWK::RSAKey
+    end
+
+    it 'creates an RSAKey for RSA keys that resolves to the same parameters' do
+      key = OpenSSL::PKey::RSA.new(2048)
+      jwk = JWK::Key.from_openssl(key)
+
+      expect(jwk.to_pem).to eq key.to_pem
+    end
+
+    it 'creates an RSAKey for RSA public keys that resolves to the same parameters' do
+      key = OpenSSL::PKey::RSA.new(2048).public_key
+      jwk = JWK::Key.from_openssl(key)
+
+      expect(jwk.to_pem).to eq key.to_pem
+    end
+
+    it 'creates an ECKey for EC keys' do
+      begin
+        key = OpenSSL::PKey::EC.new('secp384r1')
+        key.generate_key
+        jwk = JWK::Key.from_openssl(key)
+
+        expect(jwk).to be_a JWK::ECKey
+      rescue NameError => e
+        raise e unless defined?(JRUBY_VERSION)
+      end
+    end
+
+    # jRuby 9k OpenSSL generates a bad PEM file with private key only, skipping
+    # the public part. This is in contrast with all other OpenSSL implementations.
+    # And it makes this test fail.
+    it 'creates an ECKey for EC keys that resolves to the same parameters' do
+      begin
+        key = OpenSSL::PKey::EC.new('secp384r1')
+        key.generate_key
+        jwk = JWK::Key.from_openssl(key)
+
+        expect(jwk.to_pem).to eq key.to_pem unless defined?(JRUBY_VERSION)
+      rescue NameError => e
+        raise e unless defined?(JRUBY_VERSION)
+      end
+    end
+  end
+
+  describe '.from_pem' do
+    it 'generates an RSAKey for RSA Keys' do
+      pem = OpenSSL::PKey::RSA.new(2048).to_pem
+      jwk = JWK::Key.from_pem(pem)
+
+      expect(jwk).to be_a JWK::RSAKey
+    end
+  end
+end