jwt 1.5.1 → 2.1.0

data/lib/jwt/default_options.rb

@@ -0,0 +1,15 @@
+module JWT
+  module DefaultOptions
+    DEFAULT_OPTIONS = {
+      verify_expiration: true,
+      verify_not_before: true,
+      verify_iss: false,
+      verify_iat: false,
+      verify_jti: false,
+      verify_aud: false,
+      verify_sub: false,
+      leeway: 0,
+      algorithms: ['HS256']
+    }.freeze
+  end
+end

data/lib/jwt/encode.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require 'json'
+
+# JWT::Encode module
+module JWT
+  # Encoding logic for JWT
+  class Encode
+    attr_reader :payload, :key, :algorithm, :header_fields, :segments
+
+    def self.base64url_encode(str)
+      Base64.encode64(str).tr('+/', '-_').gsub(/[\n=]/, '')
+    end
+
+    def initialize(payload, key, algorithm, header_fields)
+      @payload = payload
+      @key = key
+      @algorithm = algorithm
+      @header_fields = header_fields
+      @segments = encode_segments
+    end
+
+    private
+
+    def encoded_header
+      header = { 'alg' => @algorithm }.merge(@header_fields)
+      Encode.base64url_encode(JSON.generate(header))
+    end
+
+    def encoded_payload
+      raise InvalidPayload, 'exp claim must be an integer' if @payload && @payload.is_a?(Hash) && @payload.key?('exp') && !@payload['exp'].is_a?(Integer)
+      Encode.base64url_encode(JSON.generate(@payload))
+    end
+
+    def encoded_signature(signing_input)
+      if @algorithm == 'none'
+        ''
+      else
+        signature = JWT::Signature.sign(@algorithm, signing_input, @key)
+        Encode.base64url_encode(signature)
+      end
+    end
+
+    def encode_segments
+      header = encoded_header
+      payload = encoded_payload
+      signature = encoded_signature([header, payload].join('.'))
+      [header, payload, signature].join('.')
+    end
+  end
+end

data/lib/jwt/error.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module JWT
+  class EncodeError < StandardError; end
+  class DecodeError < StandardError; end
+  class VerificationError < DecodeError; end
+  class ExpiredSignature < DecodeError; end
+  class IncorrectAlgorithm < DecodeError; end
+  class ImmatureSignature < DecodeError; end
+  class InvalidIssuerError < DecodeError; end
+  class InvalidIatError < DecodeError; end
+  class InvalidAudError < DecodeError; end
+  class InvalidSubError < DecodeError; end
+  class InvalidJtiError < DecodeError; end
+  class InvalidPayload < DecodeError; end
+end

data/lib/jwt/security_utils.rb

@@ -0,0 +1,51 @@
+module JWT
+  # Collection of security methods
+  #
+  # @see: https://github.com/rails/rails/blob/master/activesupport/lib/active_support/security_utils.rb
+  module SecurityUtils
+    module_function
+
+    def secure_compare(left, right)
+      left_bytesize = left.bytesize
+
+      return false unless left_bytesize == right.bytesize
+
+      unpacked_left = left.unpack "C#{left_bytesize}"
+      result = 0
+      right.each_byte { |byte| result |= byte ^ unpacked_left.shift }
+      result.zero?
+    end
+
+    def verify_rsa(algorithm, public_key, signing_input, signature)
+      public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
+    end
+
+    def asn1_to_raw(signature, public_key)
+      byte_size = (public_key.group.degree + 7) / 8
+      OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
+    end
+
+    def raw_to_asn1(signature, private_key)
+      byte_size = (private_key.group.degree + 7) / 8
+      sig_bytes = signature[0..(byte_size - 1)]
+      sig_char = signature[byte_size..-1] || ''
+      OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
+    end
+
+    def rbnacl_fixup(algorithm, key)
+      algorithm = algorithm.sub('HS', 'SHA').to_sym
+
+      return [] unless defined?(RbNaCl) && RbNaCl::HMAC.constants(false).include?(algorithm)
+
+      authenticator = RbNaCl::HMAC.const_get(algorithm)
+
+      # Fall back to OpenSSL for keys larger than 32 bytes.
+      return [] if key.bytesize > authenticator.key_bytes
+
+      [
+        authenticator,
+        key.bytes.fill(0, key.bytesize...authenticator.key_bytes).pack('C*')
+      ]
+    end
+  end
+end

data/lib/jwt/signature.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require 'jwt/security_utils'
+require 'openssl'
+require 'jwt/algos/hmac'
+require 'jwt/algos/eddsa'
+require 'jwt/algos/ecdsa'
+require 'jwt/algos/rsa'
+require 'jwt/algos/unsupported'
+begin
+  require 'rbnacl'
+rescue LoadError
+  raise if defined?(RbNaCl)
+end
+
+# JWT::Signature module
+module JWT
+  # Signature logic for JWT
+  module Signature
+    extend self
+    ALGOS = [
+      Algos::Hmac,
+      Algos::Ecdsa,
+      Algos::Rsa,
+      Algos::Eddsa,
+      Algos::Unsupported
+    ].freeze
+    ToSign = Struct.new(:algorithm, :msg, :key)
+    ToVerify = Struct.new(:algorithm, :public_key, :signing_input, :signature)
+
+    def sign(algorithm, msg, key)
+      algo = ALGOS.find do |alg|
+        alg.const_get(:SUPPORTED).include? algorithm
+      end
+      algo.sign ToSign.new(algorithm, msg, key)
+    end
+
+    def verify(algorithm, key, signing_input, signature)
+      algo = ALGOS.find do |alg|
+        alg.const_get(:SUPPORTED).include? algorithm
+      end
+      verified = algo.verify(ToVerify.new(algorithm, key, signing_input, signature))
+      raise(JWT::VerificationError, 'Signature verification raised') unless verified
+    rescue OpenSSL::PKey::PKeyError
+      raise JWT::VerificationError, 'Signature verification raised'
+    ensure
+      OpenSSL.errors.clear
+    end
+  end
+end

data/lib/jwt/verify.rb

@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+
+require 'jwt/error'
+
+module JWT
+  # JWT verify methods
+  class Verify
+    DEFAULTS = {
+      leeway: 0
+    }.freeze
+
+    class << self
+      %w[verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub].each do |method_name|
+        define_method method_name do |payload, options|
+          new(payload, options).send(method_name)
+        end
+      end
+
+      def verify_claims(payload, options)
+        options.each do |key, val|
+          next unless key.to_s =~ /verify/
+          Verify.send(key, payload, options) if val
+        end
+      end
+    end
+
+    def initialize(payload, options)
+      @payload = payload
+      @options = DEFAULTS.merge(options)
+    end
+
+    def verify_aud
+      return unless (options_aud = @options[:aud])
+
+      aud = @payload['aud']
+      raise(JWT::InvalidAudError, "Invalid audience. Expected #{options_aud}, received #{aud || '<none>'}") if ([*aud] & [*options_aud]).empty?
+    end
+
+    def verify_expiration
+      return unless @payload.include?('exp')
+      raise(JWT::ExpiredSignature, 'Signature has expired') if @payload['exp'].to_i <= (Time.now.to_i - exp_leeway)
+    end
+
+    def verify_iat
+      return unless @payload.include?('iat')
+
+      iat = @payload['iat']
+      raise(JWT::InvalidIatError, 'Invalid iat') if !iat.is_a?(Numeric) || iat.to_f > (Time.now.to_f + iat_leeway)
+    end
+
+    def verify_iss
+      return unless (options_iss = @options[:iss])
+
+      iss = @payload['iss']
+
+      return if Array(options_iss).map(&:to_s).include?(iss.to_s)
+
+      raise(JWT::InvalidIssuerError, "Invalid issuer. Expected #{options_iss}, received #{iss || '<none>'}")
+    end
+
+    def verify_jti
+      options_verify_jti = @options[:verify_jti]
+      jti = @payload['jti']
+
+      if options_verify_jti.respond_to?(:call)
+        verified = options_verify_jti.arity == 2 ? options_verify_jti.call(jti, @payload) : options_verify_jti.call(jti)
+        raise(JWT::InvalidJtiError, 'Invalid jti') unless verified
+      elsif jti.to_s.strip.empty?
+        raise(JWT::InvalidJtiError, 'Missing jti')
+      end
+    end
+
+    def verify_not_before
+      return unless @payload.include?('nbf')
+      raise(JWT::ImmatureSignature, 'Signature nbf has not been reached') if @payload['nbf'].to_i > (Time.now.to_i + nbf_leeway)
+    end
+
+    def verify_sub
+      return unless (options_sub = @options[:sub])
+      sub = @payload['sub']
+      raise(JWT::InvalidSubError, "Invalid subject. Expected #{options_sub}, received #{sub || '<none>'}") unless sub.to_s == options_sub.to_s
+    end
+
+    private
+
+    def global_leeway
+      @options[:leeway]
+    end
+
+    def exp_leeway
+      @options[:exp_leeway] || global_leeway
+    end
+
+    def iat_leeway
+      @options[:iat_leeway] || global_leeway
+    end
+
+    def nbf_leeway
+      @options[:nbf_leeway] || global_leeway
+    end
+  end
+end

data/lib/jwt/version.rb

@@ -0,0 +1,24 @@
+# encoding: utf-8
+# frozen_string_literal: true
+
+# Moments version builder module
+module JWT
+  def self.gem_version
+    Gem::Version.new VERSION::STRING
+  end
+
+  # Moments version builder module
+  module VERSION
+    # major version
+    MAJOR = 2
+    # minor version
+    MINOR = 1
+    # tiny version
+    TINY  = 0
+    # alpha, beta, etc. tag
+    PRE   = nil
+
+    # Build version string
+    STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
+  end
+end

data/lib/jwt.rb

@@ -1,233 +1,63 @@
-# encoding: utf-8
+# frozen_string_literal: true
 
 require 'base64'
-require 'openssl'
-require 'jwt/json'
+require 'jwt/decode'
+require 'jwt/default_options'
+require 'jwt/encode'
+require 'jwt/error'
+require 'jwt/signature'
+require 'jwt/verify'
 
 # JSON Web Token implementation
 #
 # Should be up to date with the latest spec:
-# http://self-issued.info/docs/draft-jones-json-web-token-06.html
+# https://tools.ietf.org/html/rfc7519
 module JWT
-  class DecodeError < StandardError; end
-  class VerificationError < DecodeError; end
-  class ExpiredSignature < DecodeError; end
-  class IncorrectAlgorithm < DecodeError; end
-  class ImmatureSignature < DecodeError; end
-  class InvalidIssuerError < DecodeError; end
-  class InvalidIatError < DecodeError; end
-  class InvalidAudError < DecodeError; end
-  class InvalidSubError < DecodeError; end
-  class InvalidJtiError < DecodeError; end
-  extend JWT::Json
-
-  NAMED_CURVES = {
-    'prime256v1' => 'ES256',
-    'secp384r1' => 'ES384',
-    'secp521r1' => 'ES512'
-  }
+  include JWT::DefaultOptions
 
   module_function
 
-  def sign(algorithm, msg, key)
-    if ['HS256', 'HS384', 'HS512'].include?(algorithm)
-      sign_hmac(algorithm, msg, key)
-    elsif ['RS256', 'RS384', 'RS512'].include?(algorithm)
-      sign_rsa(algorithm, msg, key)
-    elsif ['ES256', 'ES384', 'ES512'].include?(algorithm)
-      sign_ecdsa(algorithm, msg, key)
-    else
-      fail NotImplementedError.new('Unsupported signing method')
-    end
-  end
-
-  def sign_rsa(algorithm, msg, private_key)
-    private_key.sign(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), msg)
-  end
-
-  def sign_ecdsa(algorithm, msg, private_key)
-    key_algorithm = NAMED_CURVES[private_key.group.curve_name]
-    if algorithm != key_algorithm
-      fail IncorrectAlgorithm.new("payload algorithm is #{algorithm} but #{key_algorithm} signing key was provided")
-    end
-
-    digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
-    asn1_to_raw(private_key.dsa_sign_asn1(digest.digest(msg)), private_key)
-  end
-
-  def verify_rsa(algorithm, public_key, signing_input, signature)
-    public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
-  end
-
-  def verify_ecdsa(algorithm, public_key, signing_input, signature)
-    key_algorithm = NAMED_CURVES[public_key.group.curve_name]
-    if algorithm != key_algorithm
-      fail IncorrectAlgorithm.new("payload algorithm is #{algorithm} but #{key_algorithm} verification key was provided")
-    end
-
-    digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
-    public_key.dsa_verify_asn1(digest.digest(signing_input), raw_to_asn1(signature, public_key))
+  def encode(payload, key, algorithm = 'HS256', header_fields = {})
+    encoder = Encode.new payload, key, algorithm, header_fields
+    encoder.segments
   end
 
-  def sign_hmac(algorithm, msg, key)
-    OpenSSL::HMAC.digest(OpenSSL::Digest.new(algorithm.sub('HS', 'sha')), key, msg)
-  end
+  def decode(jwt, key = nil, verify = true, custom_options = {}, &keyfinder)
+    raise(JWT::DecodeError, 'Nil JSON web token') unless jwt
 
-  def base64url_decode(str)
-    str += '=' * (4 - str.length.modulo(4))
-    Base64.decode64(str.tr('-_', '+/'))
-  end
+    merged_options = DEFAULT_OPTIONS.merge(custom_options)
 
-  def base64url_encode(str)
-    Base64.encode64(str).tr('+/', '-_').gsub(/[\n=]/, '')
-  end
+    decoder = Decode.new jwt, verify
+    header, payload, signature, signing_input = decoder.decode_segments
+    decode_verify_signature(key, header, payload, signature, signing_input, merged_options, &keyfinder) if verify
 
-  def encoded_header(algorithm='HS256', header_fields={})
-    header = { 'typ' => 'JWT', 'alg' => algorithm }.merge(header_fields)
-    base64url_encode(encode_json(header))
-  end
+    Verify.verify_claims(payload, merged_options) if verify
 
-  def encoded_payload(payload)
-    base64url_encode(encode_json(payload))
-  end
-
-  def encoded_signature(signing_input, key, algorithm)
-    if algorithm == 'none'
-      ''
-    else
-      signature = sign(algorithm, signing_input, key)
-      base64url_encode(signature)
-    end
-  end
-
-  def encode(payload, key, algorithm='HS256', header_fields={})
-    algorithm ||= 'none'
-    segments = []
-    segments << encoded_header(algorithm, header_fields)
-    segments << encoded_payload(payload)
-    segments << encoded_signature(segments.join('.'), key, algorithm)
-    segments.join('.')
-  end
+    raise(JWT::DecodeError, 'Not enough or too many segments') unless header && payload
 
-  def raw_segments(jwt, verify=true)
-    segments = jwt.split('.')
-    required_num_segments = verify ? [3] : [2, 3]
-    fail JWT::DecodeError.new('Not enough or too many segments') unless required_num_segments.include? segments.length
-    segments
-  end
-
-  def decode_header_and_payload(header_segment, payload_segment)
-    header = decode_json(base64url_decode(header_segment))
-    payload = decode_json(base64url_decode(payload_segment))
-    [header, payload]
-  end
-
-  def decoded_segments(jwt, verify=true)
-    header_segment, payload_segment, crypto_segment = raw_segments(jwt, verify)
-    header, payload = decode_header_and_payload(header_segment, payload_segment)
-    signature = base64url_decode(crypto_segment.to_s) if verify
-    signing_input = [header_segment, payload_segment].join('.')
-    [header, payload, signature, signing_input]
+    [payload, header]
   end
 
-  def decode(jwt, key=nil, verify=true, options={}, &keyfinder)
-    fail JWT::DecodeError.new('Nil JSON web token') unless jwt
-
-    header, payload, signature, signing_input = decoded_segments(jwt, verify)
-    fail JWT::DecodeError.new('Not enough or too many segments') unless header && payload
-
-    default_options = {
-      :verify_expiration => true,
-      :verify_not_before => true,
-      :verify_iss => false,
-      :verify_iat => false,
-      :verify_jti => false,
-      :verify_aud => false,
-      :verify_sub => false,
-      :leeway => 0
-    }
+  def decode_verify_signature(key, header, payload, signature, signing_input, options, &keyfinder)
+    algo, key = signature_algorithm_and_key(header, payload, key, &keyfinder)
 
-    options = default_options.merge(options)
+    raise(JWT::IncorrectAlgorithm, 'An algorithm must be specified') if allowed_algorithms(options).empty?
+    raise(JWT::IncorrectAlgorithm, 'Expected a different algorithm') unless allowed_algorithms(options).include?(algo)
 
-    if verify
-      algo, key = signature_algorithm_and_key(header, key, &keyfinder)
-      if options[:algorithm] && algo != options[:algorithm]
-        fail JWT::IncorrectAlgorithm.new('Expected a different algorithm')
-      end
-      verify_signature(algo, key, signing_input, signature)
-    end
-
-    if options[:verify_expiration] && payload.include?('exp')
-      fail JWT::ExpiredSignature.new('Signature has expired') unless payload['exp'].to_i > (Time.now.to_i - options[:leeway])
-    end
-    if options[:verify_not_before] && payload.include?('nbf')
-      fail JWT::ImmatureSignature.new('Signature nbf has not been reached') unless payload['nbf'].to_i < (Time.now.to_i + options[:leeway])
-    end
-    if options[:verify_iss] && options['iss']
-      fail JWT::InvalidIssuerError.new("Invalid issuer. Expected #{options['iss']}, received #{payload['iss'] || '<none>'}") unless payload['iss'].to_s == options['iss'].to_s
-    end
-    if options[:verify_iat] && payload.include?('iat')
-      fail JWT::InvalidIatError.new('Invalid iat') unless payload['iat'].is_a?(Integer) && payload['iat'].to_i <= Time.now.to_i
-    end
-    if options[:verify_aud] && options['aud']
-      if payload['aud'].is_a?(Array)
-        fail JWT::InvalidAudError.new('Invalid audience') unless payload['aud'].include?(options['aud'].to_s)
-      else
-        fail JWT::InvalidAudError.new("Invalid audience. Expected #{options['aud']}, received #{payload['aud'] || '<none>'}") unless payload['aud'].to_s == options['aud'].to_s
-      end
-    end
-    if options[:verify_sub] && payload.include?('sub')
-      fail JWT::InvalidSubError.new("Invalid subject. Expected #{options['sub']}, received #{payload['sub']}") unless payload['sub'].to_s == options['sub'].to_s
-    end
-    if options[:verify_jti] && payload.include?('jti')
-      fail JWT::InvalidJtiError.new('need iat for verify jwt id') unless payload.include?('iat')
-      fail JWT::InvalidJtiError.new('Not a uniq jwt id') unless options['jti'].to_s == Digest::MD5.hexdigest("#{key}:#{payload['iat']}")
-    end
-
-    [payload, header]
+    Signature.verify(algo, key, signing_input, signature)
   end
 
-  def signature_algorithm_and_key(header, key, &keyfinder)
-    key = keyfinder.call(header) if keyfinder
+  def signature_algorithm_and_key(header, payload, key, &keyfinder)
+    key = (keyfinder.arity == 2 ? yield(header, payload) : yield(header)) if keyfinder
+    raise JWT::DecodeError, 'No verification key available' unless key
     [header['alg'], key]
   end
 
-  def verify_signature(algo, key, signing_input, signature)
-    if ['HS256', 'HS384', 'HS512'].include?(algo)
-      fail JWT::VerificationError.new('Signature verification failed') unless secure_compare(signature, sign_hmac(algo, signing_input, key))
-    elsif ['RS256', 'RS384', 'RS512'].include?(algo)
-      fail JWT::VerificationError.new('Signature verification failed') unless verify_rsa(algo, key, signing_input, signature)
-    elsif ['ES256', 'ES384', 'ES512'].include?(algo)
-      fail JWT::VerificationError.new('Signature verification failed') unless verify_ecdsa(algo, key, signing_input, signature)
+  def allowed_algorithms(options)
+    if options.key?(:algorithm)
+      [options[:algorithm]]
     else
-      fail JWT::VerificationError.new('Algorithm not supported')
+      options[:algorithms] || []
     end
-  rescue OpenSSL::PKey::PKeyError
-    raise JWT::VerificationError.new('Signature verification failed')
-  ensure
-    OpenSSL.errors.clear
-  end
-
-  # From devise
-  # constant-time comparison algorithm to prevent timing attacks
-  def secure_compare(a, b)
-    return false if a.nil? || b.nil? || a.empty? || b.empty? || a.bytesize != b.bytesize
-    l = a.unpack "C#{a.bytesize}"
-
-    res = 0
-    b.each_byte { |byte| res |= byte ^ l.shift }
-    res == 0
-  end
-
-  def raw_to_asn1(signature, private_key)
-    byte_size = (private_key.group.degree + 7) / 8
-    r = signature[0..(byte_size - 1)]
-    s = signature[byte_size..-1]
-    OpenSSL::ASN1::Sequence.new([r, s].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
-  end
-
-  def asn1_to_raw(signature, public_key)
-    byte_size = (public_key.group.degree + 7) / 8
-    OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
   end
 end

data/ruby-jwt.gemspec

@@ -0,0 +1,31 @@
+lib = File.expand_path('../lib/', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'jwt/version'
+
+Gem::Specification.new do |spec|
+  spec.name = 'jwt'
+  spec.version = JWT.gem_version
+  spec.authors = [
+    'Tim Rudat'
+  ]
+  spec.email = 'timrudat@gmail.com'
+  spec.summary = 'JSON Web Token implementation in Ruby'
+  spec.description = 'A pure ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard.'
+  spec.homepage = 'http://github.com/jwt/ruby-jwt'
+  spec.license = 'MIT'
+  spec.required_ruby_version = '>= 2.1'
+
+  spec.files = `git ls-files -z`.split("\x0")
+  spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = %w[lib]
+
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'simplecov-json'
+  spec.add_development_dependency 'codeclimate-test-reporter'
+  spec.add_development_dependency 'codacy-coverage'
+  spec.add_development_dependency 'rbnacl'
+end

data/spec/fixtures/certs/ec256-private.pem

@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIJmVse5uPfj6B4TcXrUAvf9/8pJh+KrKKYLNcmOnp/vPoAoGCCqGSM49
+AwEHoUQDQgAEAr+WbDE5VtIDGhtYMxvEc6cMsDBc/DX1wuhIMu8dQzOLSt0tpqK9
+MVfXbVfrKdayVFgoWzs8MilcYq0QIhKx/w==
+-----END EC PRIVATE KEY-----

data/spec/fixtures/certs/ec256-public.pem

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAr+WbDE5VtIDGhtYMxvEc6cMsDBc
+/DX1wuhIMu8dQzOLSt0tpqK9MVfXbVfrKdayVFgoWzs8MilcYq0QIhKx/w==
+-----END PUBLIC KEY-----

data/spec/fixtures/certs/ec256-wrong-private.pem

@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BgUrgQQACg==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHQCAQEEICfA4AaomONdmPTzeyrx5U/jugYXTERyb5U3ETTv7Hx7oAcGBSuBBAAK
+oUQDQgAEPmuXZT3jpJnEMVPOW6RMsmxeGLOCE1PN6fwvUwOsxv7YnyoQ5/bpo64n
++Jp4slSl1aUNoCBF2oz9bS0iyBo3jg==
+-----END EC PRIVATE KEY-----

data/spec/fixtures/certs/ec256-wrong-public.pem

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAEPmuXZT3jpJnEMVPOW6RMsmxeGLOCE1PN
+6fwvUwOsxv7YnyoQ5/bpo64n+Jp4slSl1aUNoCBF2oz9bS0iyBo3jg==
+-----END PUBLIC KEY-----

data/spec/fixtures/certs/ec384-private.pem

@@ -0,0 +1,9 @@
+-----BEGIN EC PARAMETERS-----
+BgUrgQQAIg==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDDxOljqUKw9YNhkluSJIBAYO1YXcNtS+vckd5hpTZ5toxsOlwbmyrnU
+Tn+D5Xma1m2gBwYFK4EEACKhZANiAASQwYTiRvXu1hMHceSosMs/8uf50sJI3jvK
+kdSkvuRAPxSzhtrUvCQDnVsThFq4aOdZZY1qh2ErJGtzmrx+pEsJvJnvfOTG3NGU
+KRalek+LQfVqAUSvDMKlxdkz2e67tso=
+-----END EC PRIVATE KEY-----

data/spec/fixtures/certs/ec384-public.pem

@@ -0,0 +1,5 @@
+-----BEGIN PUBLIC KEY-----
+MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEkMGE4kb17tYTB3HkqLDLP/Ln+dLCSN47
+ypHUpL7kQD8Us4ba1LwkA51bE4RauGjnWWWNaodhKyRrc5q8fqRLCbyZ73zkxtzR
+lCkWpXpPi0H1agFErwzCpcXZM9nuu7bK
+-----END PUBLIC KEY-----

data/spec/fixtures/certs/ec384-wrong-private.pem

@@ -0,0 +1,9 @@
+-----BEGIN EC PARAMETERS-----
+BgUrgQQAIg==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDAfZW47dSKnC5JkSVOk1ERxCIi/IJ1p1WBnVGx4hnrNHy+dxtaZJaF+
+YLInFQ/QbYegBwYFK4EEACKhZANiAAQwXkx4BFBGLXbzl5yVrfxK7er8hSi38iDE
+K2+7cdrR137Wn5JUnL4WTwXTzkyUgfBOL3sHNozwfgU03GD/EOUEKqzsIJiz2cbP
+bFALd4hS+8T4szDLVC9Jl1W6k0CAtmM=
+-----END EC PRIVATE KEY-----