jwt 1.5.4 → 2.7.0

data/lib/jwt/verify.rb

@@ -1,98 +1,113 @@
+# frozen_string_literal: true
+
 require 'jwt/error'
 
 module JWT
   # JWT verify methods
   class Verify
+    DEFAULTS = {
+      leeway: 0
+    }.freeze
+
     class << self
-      %w[verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub].each do |method_name|
+      %w[verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub verify_required_claims].each do |method_name|
         define_method method_name do |payload, options|
           new(payload, options).send(method_name)
         end
       end
+
+      def verify_claims(payload, options)
+        options.each do |key, val|
+          next unless key.to_s =~ /verify/
+
+          Verify.send(key, payload, options) if val
+        end
+      end
     end
 
     def initialize(payload, options)
       @payload = payload
-      @options = options
+      @options = DEFAULTS.merge(options)
     end
 
     def verify_aud
-      return unless (options_aud = extract_option(:aud))
+      return unless (options_aud = @options[:aud])
 
-      if @payload['aud'].is_a?(Array)
-        fail(
-          JWT::InvalidAudError,
-          'Invalid audience'
-        ) unless @payload['aud'].include?(options_aud.to_s)
-      else
-        fail(
-          JWT::InvalidAudError,
-          "Invalid audience. Expected #{options_aud}, received #{@payload['aud'] || '<none>'}"
-        ) unless @payload['aud'].to_s == options_aud.to_s
-      end
+      aud = @payload['aud']
+      raise(JWT::InvalidAudError, "Invalid audience. Expected #{options_aud}, received #{aud || '<none>'}") if ([*aud] & [*options_aud]).empty?
     end
 
     def verify_expiration
       return unless @payload.include?('exp')
-
-      if @payload['exp'].to_i < (Time.now.to_i - leeway)
-        fail(JWT::ExpiredSignature, 'Signature has expired')
-      end
+      raise(JWT::ExpiredSignature, 'Signature has expired') if @payload['exp'].to_i <= (Time.now.to_i - exp_leeway)
     end
 
     def verify_iat
       return unless @payload.include?('iat')
 
-      if !(@payload['iat'].is_a?(Numeric)) || @payload['iat'].to_f > (Time.now.to_f + leeway)
-        fail(JWT::InvalidIatError, 'Invalid iat')
-      end
+      iat = @payload['iat']
+      raise(JWT::InvalidIatError, 'Invalid iat') if !iat.is_a?(Numeric) || iat.to_f > Time.now.to_f
     end
 
     def verify_iss
-      return unless (options_iss = extract_option(:iss))
+      return unless (options_iss = @options[:iss])
+
+      iss = @payload['iss']
 
-      if @payload['iss'].to_s != options_iss.to_s
-        fail(
-          JWT::InvalidIssuerError,
-          "Invalid issuer. Expected #{options_iss}, received #{@payload['iss'] || '<none>'}"
-        )
+      options_iss = Array(options_iss).map { |item| item.is_a?(Symbol) ? item.to_s : item }
+
+      case iss
+      when *options_iss
+        nil
+      else
+        raise(JWT::InvalidIssuerError, "Invalid issuer. Expected #{options_iss}, received #{iss || '<none>'}")
       end
     end
 
     def verify_jti
-      options_verify_jti = extract_option(:verify_jti)
+      options_verify_jti = @options[:verify_jti]
+      jti = @payload['jti']
+
       if options_verify_jti.respond_to?(:call)
-        fail(JWT::InvalidJtiError, 'Invalid jti') unless options_verify_jti.call(@payload['jti'])
-      else
-        fail(JWT::InvalidJtiError, 'Missing jti') if @payload['jti'].to_s.strip.empty?
+        verified = options_verify_jti.arity == 2 ? options_verify_jti.call(jti, @payload) : options_verify_jti.call(jti)
+        raise(JWT::InvalidJtiError, 'Invalid jti') unless verified
+      elsif jti.to_s.strip.empty?
+        raise(JWT::InvalidJtiError, 'Missing jti')
       end
     end
 
     def verify_not_before
       return unless @payload.include?('nbf')
-
-      if @payload['nbf'].to_i > (Time.now.to_i + leeway)
-        fail(JWT::ImmatureSignature, 'Signature nbf has not been reached')
-      end
+      raise(JWT::ImmatureSignature, 'Signature nbf has not been reached') if @payload['nbf'].to_i > (Time.now.to_i + nbf_leeway)
     end
 
     def verify_sub
-      return unless (options_sub = extract_option(:sub))
+      return unless (options_sub = @options[:sub])
 
-      fail(
-        JWT::InvalidSubError,
-        "Invalid subject. Expected #{options_sub}, received #{@payload['sub'] || '<none>'}"
-      ) unless @payload['sub'].to_s == options_sub.to_s
+      sub = @payload['sub']
+      raise(JWT::InvalidSubError, "Invalid subject. Expected #{options_sub}, received #{sub || '<none>'}") unless sub.to_s == options_sub.to_s
+    end
+
+    def verify_required_claims
+      return unless (options_required_claims = @options[:required_claims])
+
+      options_required_claims.each do |required_claim|
+        raise(JWT::MissingRequiredClaim, "Missing required claim #{required_claim}") unless @payload.include?(required_claim)
+      end
     end
 
     private
 
-    def extract_option(key)
-      @options.values_at(key.to_sym, key.to_s).compact.first
+    def global_leeway
+      @options[:leeway]
+    end
+
+    def exp_leeway
+      @options[:exp_leeway] || global_leeway
     end
 
-    def leeway
-      extract_option :leeway
+    def nbf_leeway
+      @options[:nbf_leeway] || global_leeway
     end
   end
 end

data/lib/jwt/version.rb

@@ -1,4 +1,4 @@
-# encoding: utf-8
+# frozen_string_literal: true
 
 # Moments version builder module
 module JWT
@@ -9,15 +9,36 @@ module JWT
   # Moments version builder module
   module VERSION
     # major version
-    MAJOR = 1
+    MAJOR = 2
     # minor version
-    MINOR = 5
+    MINOR = 7
     # tiny version
-    TINY  = 4
+    TINY  = 0
     # alpha, beta, etc. tag
     PRE   = nil
 
     # Build version string
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
   end
+
+  def self.openssl_3?
+    return false if OpenSSL::OPENSSL_VERSION.include?('LibreSSL')
+    return true if OpenSSL::OPENSSL_VERSION_NUMBER >= 3 * 0x10000000
+  end
+
+  def self.rbnacl?
+    defined?(::RbNaCl)
+  end
+
+  def self.rbnacl_6_or_greater?
+    rbnacl? && ::Gem::Version.new(::RbNaCl::VERSION) >= ::Gem::Version.new('6.0.0')
+  end
+
+  def self.openssl_3_hmac_empty_key_regression?
+    openssl_3? && openssl_version <= ::Gem::Version.new('3.0.0')
+  end
+
+  def self.openssl_version
+    @openssl_version ||= ::Gem::Version.new(OpenSSL::VERSION)
+  end
 end

data/lib/jwt/x5c_key_finder.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require 'base64'
+require 'jwt/error'
+
+module JWT
+  # If the x5c header certificate chain can be validated by trusted root
+  # certificates, and none of the certificates are revoked, returns the public
+  # key from the first certificate.
+  # See https://tools.ietf.org/html/rfc7515#section-4.1.6
+  class X5cKeyFinder
+    def initialize(root_certificates, crls = nil)
+      raise(ArgumentError, 'Root certificates must be specified') unless root_certificates
+
+      @store = build_store(root_certificates, crls)
+    end
+
+    def from(x5c_header_or_certificates)
+      signing_certificate, *certificate_chain = parse_certificates(x5c_header_or_certificates)
+      store_context = OpenSSL::X509::StoreContext.new(@store, signing_certificate, certificate_chain)
+
+      if store_context.verify
+        signing_certificate.public_key
+      else
+        error = "Certificate verification failed: #{store_context.error_string}."
+        if (current_cert = store_context.current_cert)
+          error = "#{error} Certificate subject: #{current_cert.subject}."
+        end
+
+        raise(JWT::VerificationError, error)
+      end
+    end
+
+    private
+
+    def build_store(root_certificates, crls)
+      store = OpenSSL::X509::Store.new
+      store.purpose = OpenSSL::X509::PURPOSE_ANY
+      store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
+      root_certificates.each { |certificate| store.add_cert(certificate) }
+      crls&.each { |crl| store.add_crl(crl) }
+      store
+    end
+
+    def parse_certificates(x5c_header_or_certificates)
+      if x5c_header_or_certificates.all? { |obj| obj.is_a?(OpenSSL::X509::Certificate) }
+        x5c_header_or_certificates
+      else
+        x5c_header_or_certificates.map do |encoded|
+          OpenSSL::X509::Certificate.new(::JWT::Base64.url_decode(encoded))
+        end
+      end
+    end
+  end
+end

data/lib/jwt.rb

@@ -1,177 +1,31 @@
-require 'base64'
-require 'openssl'
+# frozen_string_literal: true
+
+require 'jwt/version'
+require 'jwt/base64'
+require 'jwt/json'
 require 'jwt/decode'
+require 'jwt/configuration'
+require 'jwt/encode'
 require 'jwt/error'
-require 'jwt/json'
+require 'jwt/jwk'
 
 # JSON Web Token implementation
 #
 # Should be up to date with the latest spec:
-# https://tools.ietf.org/html/rfc7519#section-4.1.5
+# https://tools.ietf.org/html/rfc7519
 module JWT
-  extend JWT::Json
-
-  NAMED_CURVES = {
-    'prime256v1' => 'ES256',
-    'secp384r1' => 'ES384',
-    'secp521r1' => 'ES512'
-  }
+  extend ::JWT::Configuration
 
   module_function
 
-  def sign(algorithm, msg, key)
-    if %w(HS256 HS384 HS512).include?(algorithm)
-      sign_hmac(algorithm, msg, key)
-    elsif %w(RS256 RS384 RS512).include?(algorithm)
-      sign_rsa(algorithm, msg, key)
-    elsif %w(ES256 ES384 ES512).include?(algorithm)
-      sign_ecdsa(algorithm, msg, key)
-    else
-      fail NotImplementedError, 'Unsupported signing method'
-    end
-  end
-
-  def sign_rsa(algorithm, msg, private_key)
-    private_key.sign(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), msg)
-  end
-
-  def sign_ecdsa(algorithm, msg, private_key)
-    key_algorithm = NAMED_CURVES[private_key.group.curve_name]
-    if algorithm != key_algorithm
-      fail IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} signing key was provided"
-    end
-
-    digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
-    asn1_to_raw(private_key.dsa_sign_asn1(digest.digest(msg)), private_key)
-  end
-
-  def verify_rsa(algorithm, public_key, signing_input, signature)
-    public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
-  end
-
-  def verify_ecdsa(algorithm, public_key, signing_input, signature)
-    key_algorithm = NAMED_CURVES[public_key.group.curve_name]
-    if algorithm != key_algorithm
-      fail IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} verification key was provided"
-    end
-
-    digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
-    public_key.dsa_verify_asn1(digest.digest(signing_input), raw_to_asn1(signature, public_key))
-  end
-
-  def sign_hmac(algorithm, msg, key)
-    OpenSSL::HMAC.digest(OpenSSL::Digest.new(algorithm.sub('HS', 'sha')), key, msg)
-  end
-
-  def base64url_encode(str)
-    Base64.encode64(str).tr('+/', '-_').gsub(/[\n=]/, '')
-  end
-
-  def encoded_header(algorithm = 'HS256', header_fields = {})
-    header = { 'typ' => 'JWT', 'alg' => algorithm }.merge(header_fields)
-    base64url_encode(encode_json(header))
-  end
-
-  def encoded_payload(payload)
-    base64url_encode(encode_json(payload))
-  end
-
-  def encoded_signature(signing_input, key, algorithm)
-    if algorithm == 'none'
-      ''
-    else
-      signature = sign(algorithm, signing_input, key)
-      base64url_encode(signature)
-    end
-  end
-
   def encode(payload, key, algorithm = 'HS256', header_fields = {})
-    algorithm ||= 'none'
-    segments = []
-    segments << encoded_header(algorithm, header_fields)
-    segments << encoded_payload(payload)
-    segments << encoded_signature(segments.join('.'), key, algorithm)
-    segments.join('.')
-  end
-
-  def decode(jwt, key = nil, verify = true, custom_options = {}, &keyfinder)
-    fail(JWT::DecodeError, 'Nil JSON web token') unless jwt
-
-    options = {
-      verify_expiration: true,
-      verify_not_before: true,
-      verify_iss: false,
-      verify_iat: false,
-      verify_jti: false,
-      verify_aud: false,
-      verify_sub: false,
-      leeway: 0
-    }
-
-    merged_options = options.merge(custom_options)
-
-    decoder = Decode.new jwt, key, verify, merged_options, &keyfinder
-    header, payload, signature, signing_input = decoder.decode_segments
-    decoder.verify
-
-    fail(JWT::DecodeError, 'Not enough or too many segments') unless header && payload
-
-    if verify
-      algo, key = signature_algorithm_and_key(header, key, &keyfinder)
-      if merged_options[:algorithm] && algo != merged_options[:algorithm]
-        fail JWT::IncorrectAlgorithm, 'Expected a different algorithm'
-      end
-      verify_signature(algo, key, signing_input, signature)
-    end
-
-    [payload, header]
-  end
-
-  def signature_algorithm_and_key(header, key, &keyfinder)
-    key = keyfinder.call(header) if keyfinder
-    [header['alg'], key]
-  end
-
-  def verify_signature(algo, key, signing_input, signature)
-    if %w(HS256 HS384 HS512).include?(algo)
-      fail(JWT::VerificationError, 'Signature verification raised') unless secure_compare(signature, sign_hmac(algo, signing_input, key))
-    elsif %w(RS256 RS384 RS512).include?(algo)
-      fail(JWT::VerificationError, 'Signature verification raised') unless verify_rsa(algo, key, signing_input, signature)
-    elsif %w(ES256 ES384 ES512).include?(algo)
-      fail(JWT::VerificationError, 'Signature verification raised') unless verify_ecdsa(algo, key, signing_input, signature)
-    else
-      fail JWT::VerificationError, 'Algorithm not supported'
-    end
-  rescue OpenSSL::PKey::PKeyError
-    raise JWT::VerificationError, 'Signature verification raised'
-  ensure
-    OpenSSL.errors.clear
-  end
-
-  # From devise
-  # constant-time comparison algorithm to prevent timing attacks
-  def secure_compare(a, b)
-    return false if a.nil? || b.nil? || a.empty? || b.empty? || a.bytesize != b.bytesize
-    l = a.unpack "C#{a.bytesize}"
-
-    res = 0
-    b.each_byte { |byte| res |= byte ^ l.shift }
-    res == 0
-  end
-
-  def raw_to_asn1(signature, private_key)
-    byte_size = (private_key.group.degree + 7) / 8
-    r = signature[0..(byte_size - 1)]
-    s = signature[byte_size..-1]
-    OpenSSL::ASN1::Sequence.new([r, s].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
-  end
-
-  def asn1_to_raw(signature, public_key)
-    byte_size = (public_key.group.degree + 7) / 8
-    OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
+    Encode.new(payload: payload,
+               key: key,
+               algorithm: algorithm,
+               headers: header_fields).segments
   end
 
-  def base64url_decode(str)
-    Decode.base64url_decode(str)
+  def decode(jwt, key = nil, verify = true, options = {}, &keyfinder) # rubocop:disable Style/OptionalBooleanParameter
+    Decode.new(jwt, key, verify, configuration.decode.to_h.merge(options), &keyfinder).decode_segments
   end
 end

data/ruby-jwt.gemspec

@@ -1,4 +1,6 @@
-lib = File.expand_path('../lib/', __FILE__)
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'jwt/version'
 
@@ -6,24 +8,32 @@ Gem::Specification.new do |spec|
   spec.name = 'jwt'
   spec.version = JWT.gem_version
   spec.authors = [
-    'Jeff Lindsay',
     'Tim Rudat'
   ]
   spec.email = 'timrudat@gmail.com'
   spec.summary = 'JSON Web Token implementation in Ruby'
   spec.description = 'A pure ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard.'
-  spec.homepage = 'http://github.com/jwt/ruby-jwt'
+  spec.homepage = 'https://github.com/jwt/ruby-jwt'
   spec.license = 'MIT'
+  spec.required_ruby_version = '>= 2.5'
+  spec.metadata = {
+    'bug_tracker_uri' => 'https://github.com/jwt/ruby-jwt/issues',
+    'changelog_uri' => "https://github.com/jwt/ruby-jwt/blob/v#{JWT.gem_version}/CHANGELOG.md",
+    'rubygems_mfa_required' => 'true'
+  }
+
+  spec.files = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(spec|gemfiles|coverage|bin)/}) || # Irrelevant folders
+      f.match(/^\.+/) || # Files and folders starting with .
+      f.match(/^(Appraisals|Gemfile|Rakefile)$/) # Irrelevant files
+  end
 
-  spec.files = `git ls-files -z`.split("\x0")
-  spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
-  spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
-  spec.require_paths = %w(lib)
+  spec.executables = []
+  spec.require_paths = %w[lib]
 
+  spec.add_development_dependency 'appraisal'
   spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'rake'
   spec.add_development_dependency 'rspec'
   spec.add_development_dependency 'simplecov'
-  spec.add_development_dependency 'simplecov-json'
-  spec.add_development_dependency 'codeclimate-test-reporter'
 end