jwt 1.4.1 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: cdfac4049ccdded9be1f09b66e5af478ef37fc4d
-  data.tar.gz: af9de309fd5e3a80c94c28003b203c7776782591
+  metadata.gz: ee5f493cb3c4ed9c97a60b59f7377f410b280218
+  data.tar.gz: f86ae6f76dbdd064ff4a7a83370b1ba343981d90
 SHA512:
-  metadata.gz: 175bb4f9a775da249f7d3825469d8970f6c2d0d2e78316f2f152be4c2446062d9480d9f0ca6033f2f7c109da9f4d5d6ec56c14386dba0024cc62c4d68d565c54
-  data.tar.gz: ca034a2e46c9cbac727a8822fc0c170d2adf04799cc6e698cfe2dc6e014507726d32a939bb4e87739518aca7d60660afc13cfa09a7bc9a6cce30248d7e76be61
+  metadata.gz: 79802a75028b87314162658551582a1c4ace40439ac718bc8ac82ed57ccaa9b5d0ac695cf4daa318bcc89616ddc8e93bf3ff79d7cb4c47903c03aee51e5bb8a1
+  data.tar.gz: c14849f306b4952c7eba478d8fbc11c0a5045f38b931b563c67fef6367d9a8e89a66b78cccd9c8e4fbc546645e221b9b70437cde4aed18ca584269a95e94e9b6

data/Rakefile

@@ -2,7 +2,7 @@ require 'rubygems'
 require 'rake'
 require 'echoe'
 
-Echoe.new('jwt', '1.4.1') do |p|
+Echoe.new('jwt', '1.5.0') do |p|
   p.description    = 'JSON Web Token implementation in Ruby'
   p.url            = 'http://github.com/progrium/ruby-jwt'
   p.author         = 'Jeff Lindsay'

data/jwt.gemspec

@@ -1,14 +1,14 @@
 # -*- encoding: utf-8 -*-
-# stub: jwt 1.4.1 ruby lib
+# stub: jwt 1.5.0 ruby lib
 
 Gem::Specification.new do |s|
   s.name = "jwt"
-  s.version = "1.4.1"
+  s.version = "1.5.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
   s.require_paths = ["lib"]
   s.authors = ["Jeff Lindsay"]
-  s.date = "2015-03-12"
+  s.date = "2015-05-09"
   s.description = "JSON Web Token implementation in Ruby"
   s.email = "progrium@gmail.com"
   s.extra_rdoc_files = ["lib/jwt.rb", "lib/jwt/json.rb"]

data/lib/jwt.rb

@@ -12,6 +12,7 @@ module JWT
   class DecodeError < StandardError; end
   class VerificationError < DecodeError; end
   class ExpiredSignature < DecodeError; end
+  class IncorrectAlgorithm < DecodeError; end
   class ImmatureSignature < DecodeError; end
   class InvalidIssuerError < DecodeError; end
   class InvalidIatError < DecodeError; end
@@ -20,6 +21,12 @@ module JWT
   class InvalidJtiError < DecodeError; end
   extend JWT::Json
 
+  NAMED_CURVES = {
+    'prime256v1' => 'ES256',
+    'secp384r1' => 'ES384',
+    'secp521r1' => 'ES512',
+  }
+
   module_function
 
   def sign(algorithm, msg, key)
@@ -27,6 +34,8 @@ module JWT
       sign_hmac(algorithm, msg, key)
     elsif ['RS256', 'RS384', 'RS512'].include?(algorithm)
       sign_rsa(algorithm, msg, key)
+    elsif ['ES256', 'ES384', 'ES512'].include?(algorithm)
+      sign_ecdsa(algorithm, msg, key)
     else
       raise NotImplementedError.new('Unsupported signing method')
     end
@@ -36,10 +45,30 @@ module JWT
     private_key.sign(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), msg)
   end
 
+  def sign_ecdsa(algorithm, msg, private_key)
+    key_algorithm = NAMED_CURVES[private_key.group.curve_name]
+    if algorithm != key_algorithm
+      raise IncorrectAlgorithm.new("payload algorithm is #{algorithm} but #{key_algorithm} signing key was provided")
+    end
+
+    digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
+    private_key.dsa_sign_asn1(digest.digest(msg))
+  end
+
   def verify_rsa(algorithm, public_key, signing_input, signature)
     public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
   end
 
+  def verify_ecdsa(algorithm, public_key, signing_input, signature)
+    key_algorithm = NAMED_CURVES[public_key.group.curve_name]
+    if algorithm != key_algorithm
+      raise IncorrectAlgorithm.new("payload algorithm is #{algorithm} but #{key_algorithm} verification key was provided")
+    end
+
+    digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
+    public_key.dsa_verify_asn1(digest.digest(signing_input), signature)
+  end
+
   def sign_hmac(algorithm, msg, key)
     OpenSSL::HMAC.digest(OpenSSL::Digest.new(algorithm.sub('HS', 'sha')), key, msg)
   end
@@ -122,6 +151,9 @@ module JWT
 
     if verify
       algo, key = signature_algorithm_and_key(header, key, &keyfinder)
+      if options[:algorithm] && algo != options[:algorithm]
+        raise JWT::IncorrectAlgorithm.new('Expected a different algorithm')
+      end
       verify_signature(algo, key, signing_input, signature)
     end
 
@@ -168,6 +200,8 @@ module JWT
         raise JWT::VerificationError.new('Signature verification failed') unless secure_compare(signature, sign_hmac(algo, signing_input, key))
       elsif ['RS256', 'RS384', 'RS512'].include?(algo)
         raise JWT::VerificationError.new('Signature verification failed') unless verify_rsa(algo, key, signing_input, signature)
+      elsif ['ES256', 'ES384', 'ES512'].include?(algo)
+        raise JWT::VerificationError.new('Signature verification failed') unless verify_ecdsa(algo, key, signing_input, signature)
       else
         raise JWT::VerificationError.new('Algorithm not supported')
       end

data/spec/jwt_spec.rb

@@ -19,6 +19,36 @@ describe JWT do
     expect(decoded_payload).to include(@payload)
   end
 
+  it 'encodes and decodes JWTs for ECDSA P-256 signatures' do
+    private_key = OpenSSL::PKey::EC.new('prime256v1')
+    private_key.generate_key
+    public_key = OpenSSL::PKey::EC.new(private_key)
+    public_key.private_key = nil
+    jwt = JWT.encode(@payload, private_key, 'ES256')
+    decoded_payload = JWT.decode(jwt, public_key)
+    expect(decoded_payload).to include(@payload)
+  end
+
+  it 'encodes and decodes JWTs for ECDSA P-384 signatures' do
+    private_key = OpenSSL::PKey::EC.new('secp384r1')
+    private_key.generate_key
+    public_key = OpenSSL::PKey::EC.new(private_key)
+    public_key.private_key = nil
+    jwt = JWT.encode(@payload, private_key, 'ES384')
+    decoded_payload = JWT.decode(jwt, public_key)
+    expect(decoded_payload).to include(@payload)
+  end
+
+  it 'encodes and decodes JWTs for ECDSA P-521 signatures' do
+    private_key = OpenSSL::PKey::EC.new('secp521r1')
+    private_key.generate_key
+    public_key = OpenSSL::PKey::EC.new(private_key)
+    public_key.private_key = nil
+    jwt = JWT.encode(@payload, private_key, 'ES512')
+    decoded_payload = JWT.decode(jwt, public_key)
+    expect(decoded_payload).to include(@payload)
+  end
+
   it 'encodes and decodes JWTs with custom header fields' do
     private_key = OpenSSL::PKey::RSA.generate(512)
     jwt = JWT.encode(@payload, private_key, 'RS256', {'kid' => 'default'})
@@ -29,6 +59,14 @@ describe JWT do
     expect(decoded_payload).to include(@payload)
   end
 
+  it 'raises encode exception when ECDSA algorithm does not match key' do
+    private_key = OpenSSL::PKey::EC.new('prime256v1')
+    private_key.generate_key
+    expect do
+      JWT.encode(@payload, private_key, 'ES512')
+    end.to raise_error(JWT::IncorrectAlgorithm, 'payload algorithm is ES512 but ES256 signing key was provided')
+  end
+
   it 'decodes valid JWTs' do
     example_payload = {'hello' => 'world'}
     example_secret = 'secret'
@@ -146,6 +184,21 @@ describe JWT do
     expect { JWT.decode(jwt_message, bad_secret) }.to raise_error(JWT::VerificationError)
   end
 
+  it 'raises decode exception when ECDSA algorithm does not match key' do
+    right_private_key = OpenSSL::PKey::EC.new('prime256v1')
+    right_private_key.generate_key
+    right_public_key = OpenSSL::PKey::EC.new(right_private_key)
+    right_public_key.private_key = nil
+    bad_private_key = OpenSSL::PKey::EC.new('secp384r1')
+    bad_private_key.generate_key
+    bad_public_key = OpenSSL::PKey::EC.new(bad_private_key)
+    bad_public_key.private_key = nil
+    jwt = JWT.encode(@payload, right_private_key, 'ES256')
+    expect do
+      JWT.decode(jwt, bad_public_key)
+    end.to raise_error(JWT::IncorrectAlgorithm, 'payload algorithm is ES256 but ES384 verification key was provided')
+  end
+
   it 'raises verification exception with wrong rsa key' do
     right_private_key = OpenSSL::PKey::RSA.generate(512)
     bad_private_key = OpenSSL::PKey::RSA.generate(512)
@@ -153,6 +206,17 @@ describe JWT do
     expect { JWT.decode(jwt, bad_private_key.public_key) }.to raise_error(JWT::VerificationError)
   end
 
+  it 'raises verification exception with wrong ECDSA key' do
+    right_private_key = OpenSSL::PKey::EC.new('prime256v1')
+    right_private_key.generate_key
+    bad_private_key = OpenSSL::PKey::EC.new('prime256v1')
+    bad_private_key.generate_key
+    bad_public_key = OpenSSL::PKey::EC.new(bad_private_key)
+    bad_public_key.private_key = nil
+    jwt = JWT.encode(@payload, right_private_key, 'ES256')
+    expect { JWT.decode(jwt, bad_public_key) }.to raise_error(JWT::VerificationError)
+  end
+
   it 'raises decode exception with invalid signature' do
     example_secret = 'secret'
     example_jwt = 'eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJoZWxsbyI6ICJ3b3JsZCJ9.'
@@ -191,6 +255,16 @@ describe JWT do
     expect { JWT.encode(@payload, 'secret', 'HS1024') }.to raise_error(NotImplementedError)
   end
 
+  it 'raises exception when decoded with a different algorithm than it was encoded with' do
+    jwt = JWT.encode(@payload, 'foo', 'HS384')
+    expect { JWT.decode(jwt, 'foo', true, :algorithm => 'HS512') }.to raise_error(JWT::IncorrectAlgorithm)
+  end
+
+  it 'does not raise exception when encoded with the expected algorithm' do
+    jwt = JWT.encode(@payload, 'foo', 'HS512')
+    JWT.decode(jwt, 'foo', true, :algorithm => 'HS512')
+  end
+
   it 'encodes and decodes plaintext JWTs' do
     jwt = JWT.encode(@payload, nil, nil)
     expect(jwt.split('.').length).to eq(2)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 1.4.1
+  version: 1.5.0
 platform: ruby
 authors:
 - Jeff Lindsay
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-03-12 00:00:00.000000000 Z
+date: 2015-05-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: echoe