jwt 1.5.6 → 2.0.0.beta1

data/lib/jwt/decode.rb

@@ -1,21 +1,20 @@
 # frozen_string_literal: true
-require 'jwt/json'
-require 'jwt/verify'
+require 'json'
 
 # JWT::Decode module
 module JWT
-  extend JWT::Json
-
   # Decoding logic for JWT
   class Decode
     attr_reader :header, :payload, :signature
 
-    def initialize(jwt, key, verify, options, &keyfinder)
+    def self.base64url_decode(str)
+      str += '=' * (4 - str.length.modulo(4))
+      Base64.decode64(str.tr('-_', '+/'))
+    end
+
+    def initialize(jwt, verify)
       @jwt = jwt
-      @key = key
       @verify = verify
-      @options = options
-      @keyfinder = keyfinder
     end
 
     def decode_segments
@@ -26,32 +25,21 @@ module JWT
       [@header, @payload, @signature, signing_input]
     end
 
+    private
+
     def raw_segments(jwt, verify)
       segments = jwt.split('.')
       required_num_segments = verify ? [3] : [2, 3]
       raise(JWT::DecodeError, 'Not enough or too many segments') unless required_num_segments.include? segments.length
       segments
     end
-    private :raw_segments
 
     def decode_header_and_payload(header_segment, payload_segment)
-      header = JWT.decode_json(Decode.base64url_decode(header_segment))
-      payload = JWT.decode_json(Decode.base64url_decode(payload_segment))
+      header = JSON.parse(Decode.base64url_decode(header_segment))
+      payload = JSON.parse(Decode.base64url_decode(payload_segment))
       [header, payload]
-    end
-    private :decode_header_and_payload
-
-    def self.base64url_decode(str)
-      str += '=' * (4 - str.length.modulo(4))
-      Base64.decode64(str.tr('-_', '+/'))
-    end
-
-    def verify
-      @options.each do |key, val|
-        next unless key.to_s =~ /verify/
-
-        Verify.send(key, payload, @options) if val
-      end
+    rescue JSON::ParserError
+      raise JWT::DecodeError, 'Invalid segment encoding'
     end
   end
 end

data/lib/jwt/default_options.rb

@@ -0,0 +1,14 @@
+module JWT
+  module DefaultOptions
+    DEFAULT_OPTIONS = {
+      verify_expiration: true,
+      verify_not_before: true,
+      verify_iss: false,
+      verify_iat: false,
+      verify_jti: false,
+      verify_aud: false,
+      verify_sub: false,
+      leeway: 0
+    }.freeze
+  end
+end

data/lib/jwt/encode.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+require 'json'
+
+# JWT::Encode module
+module JWT
+  # Encoding logic for JWT
+  class Encode
+    attr_reader :payload, :key, :algorithm, :header_fields, :segments
+
+    def self.base64url_encode(str)
+      Base64.encode64(str).tr('+/', '-_').gsub(/[\n=]/, '')
+    end
+
+    def initialize(payload, key, algorithm, header_fields)
+      @payload = payload
+      @key = key
+      @algorithm = algorithm
+      @header_fields = header_fields
+      @segments = encode_segments
+    end
+
+    private
+
+    def encoded_header(algorithm, header_fields)
+      header = { 'alg' => algorithm }.merge(header_fields)
+      Encode.base64url_encode(JSON.generate(header))
+    end
+
+    def encoded_payload(payload)
+      raise InvalidPayload, 'exp claim must be an integer' if payload['exp'] && payload['exp'].is_a?(Time)
+      Encode.base64url_encode(JSON.generate(payload))
+    end
+
+    def encoded_signature(signing_input, key, algorithm)
+      if algorithm == 'none'
+        ''
+      else
+        signature = JWT::Signature.sign(algorithm, signing_input, key)
+        Encode.base64url_encode(signature)
+      end
+    end
+
+    def encode_segments
+      segments = []
+      segments << encoded_header(@algorithm, @header_fields)
+      segments << encoded_payload(@payload)
+      segments << encoded_signature(segments.join('.'), @key, @algorithm)
+      segments.join('.')
+    end
+  end
+end

data/lib/jwt/error.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 module JWT
+  class EncodeError < StandardError; end
   class DecodeError < StandardError; end
   class VerificationError < DecodeError; end
   class ExpiredSignature < DecodeError; end

data/lib/jwt/signature.rb

@@ -0,0 +1,145 @@
+# frozen_string_literal: true
+require 'openssl'
+begin
+  require 'rbnacl'
+rescue LoadError
+end
+
+# JWT::Signature module
+module JWT
+  # Signature logic for JWT
+  module Signature
+    extend self
+
+    HMAC_ALGORITHMS = %w(HS256 HS512256 HS384 HS512).freeze
+    RSA_ALGORITHMS = %w(RS256 RS384 RS512).freeze
+    ECDSA_ALGORITHMS = %w(ES256 ES384 ES512).freeze
+
+    NAMED_CURVES = {
+      'prime256v1' => 'ES256',
+      'secp384r1' => 'ES384',
+      'secp521r1' => 'ES512'
+    }.freeze
+
+    def sign(algorithm, msg, key)
+      if HMAC_ALGORITHMS.include?(algorithm)
+        sign_hmac(algorithm, msg, key)
+      elsif RSA_ALGORITHMS.include?(algorithm)
+        sign_rsa(algorithm, msg, key)
+      elsif ECDSA_ALGORITHMS.include?(algorithm)
+        sign_ecdsa(algorithm, msg, key)
+      else
+        raise NotImplementedError, 'Unsupported signing method'
+      end
+    end
+
+    def verify(algo, key, signing_input, signature)
+      verified = if HMAC_ALGORITHMS.include?(algo)
+                   verify_hmac(algo, key, signing_input, signature)
+                 elsif RSA_ALGORITHMS.include?(algo)
+                   verify_rsa(algo, key, signing_input, signature)
+                 elsif ECDSA_ALGORITHMS.include?(algo)
+                   verify_ecdsa(algo, key, signing_input, signature)
+                 else
+                   raise JWT::VerificationError, 'Algorithm not supported'
+                 end
+
+      raise(JWT::VerificationError, 'Signature verification raised') unless verified
+    rescue OpenSSL::PKey::PKeyError
+      raise JWT::VerificationError, 'Signature verification raised'
+    ensure
+      OpenSSL.errors.clear
+    end
+
+    private
+
+    def sign_rsa(algorithm, msg, private_key)
+      raise EncodeError, "The given key is a #{private_key.class}. It has to be an OpenSSL::PKey::RSA instance." if private_key.class == String
+      private_key.sign(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), msg)
+    end
+
+    def sign_ecdsa(algorithm, msg, private_key)
+      key_algorithm = NAMED_CURVES[private_key.group.curve_name]
+      if algorithm != key_algorithm
+        raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} signing key was provided"
+      end
+
+      digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
+      asn1_to_raw(private_key.dsa_sign_asn1(digest.digest(msg)), private_key)
+    end
+
+    def sign_hmac(algorithm, msg, key)
+      authenticator, padded_key = rbnacl_fixup(algorithm, key)
+      if authenticator && padded_key
+        authenticator.auth(padded_key, msg.encode('binary'))
+      else
+        OpenSSL::HMAC.digest(OpenSSL::Digest.new(algorithm.sub('HS', 'sha')), key, msg)
+      end
+    end
+
+    def verify_rsa(algorithm, public_key, signing_input, signature)
+      public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
+    end
+
+    def verify_ecdsa(algorithm, public_key, signing_input, signature)
+      key_algorithm = NAMED_CURVES[public_key.group.curve_name]
+      if algorithm != key_algorithm
+        raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} verification key was provided"
+      end
+
+      digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
+      public_key.dsa_verify_asn1(digest.digest(signing_input), raw_to_asn1(signature, public_key))
+    end
+
+    def verify_hmac(algorithm, public_key, signing_input, signature)
+      authenticator, padded_key = rbnacl_fixup(algorithm, public_key)
+      if authenticator && padded_key
+        begin
+          authenticator.verify(padded_key, signature.encode('binary'), signing_input.encode('binary'))
+        rescue RbNaCl::BadAuthenticatorError
+          false
+        end
+      else
+        secure_compare(signature, sign_hmac(algorithm, signing_input, public_key))
+      end
+    end
+
+    def asn1_to_raw(signature, public_key)
+      byte_size = (public_key.group.degree + 7) / 8
+      OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
+    end
+
+    def raw_to_asn1(signature, private_key)
+      byte_size = (private_key.group.degree + 7) / 8
+      r = signature[0..(byte_size - 1)]
+      s = signature[byte_size..-1] || ''
+      OpenSSL::ASN1::Sequence.new([r, s].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
+    end
+
+    def rbnacl_fixup(algorithm, key)
+      algorithm = algorithm.sub('HS', 'SHA').to_sym
+
+      return [] unless defined?(RbNaCl) && RbNaCl::HMAC.constants(false).include?(algorithm)
+
+      authenticator = RbNaCl::HMAC.const_get(algorithm)
+
+      # Fall back to OpenSSL for keys larger than 32 bytes.
+      return [] if key.bytesize > authenticator.key_bytes
+
+      [
+        authenticator,
+        key.bytes.fill(0, key.bytesize...authenticator.key_bytes).pack('C*')
+      ]
+    end
+
+    # From devise
+    # constant-time comparison algorithm to prevent timing attacks
+    def secure_compare(a, b)
+      return false if a.nil? || b.nil? || a.empty? || b.empty? || a.bytesize != b.bytesize
+      l = a.unpack "C#{a.bytesize}"
+      res = 0
+      b.each_byte { |byte| res |= byte ^ l.shift }
+      res.zero?
+    end
+  end
+end

data/lib/jwt/verify.rb

@@ -10,6 +10,13 @@ module JWT
           new(payload, options).send(method_name)
         end
       end
+
+      def verify_claims(payload, options)
+        options.each do |key, val|
+          next unless key.to_s =~ /verify/
+          Verify.send(key, payload, options) if val
+        end
+      end
     end
 
     def initialize(payload, options)
@@ -18,89 +25,60 @@ module JWT
     end
 
     def verify_aud
-      return unless (options_aud = extract_option(:aud))
-
-      if @payload['aud'].is_a?(Array)
-        verify_aud_array(@payload['aud'], options_aud)
-      else
-        raise(
-          JWT::InvalidAudError,
-          "Invalid audience. Expected #{options_aud}, received #{@payload['aud'] || '<none>'}"
-        ) unless @payload['aud'].to_s == options_aud.to_s
-      end
-    end
-
-    def verify_aud_array(audience, options_aud)
-      if options_aud.is_a?(Array)
-        options_aud.each do |aud|
-          raise(JWT::InvalidAudError, 'Invalid audience') unless audience.include?(aud.to_s)
-        end
-      else
-        raise(JWT::InvalidAudError, 'Invalid audience') unless audience.include?(options_aud.to_s)
-      end
+      return unless (options_aud = @options[:aud])
+      raise(JWT::InvalidAudError, "Invalid audience. Expected #{options_aud}, received #{@payload['aud'] || '<none>'}") if ([*@payload['aud']] & [*options_aud]).empty?
     end
 
     def verify_expiration
       return unless @payload.include?('exp')
-
-      if @payload['exp'].to_i <= (Time.now.to_i - leeway)
-        raise(JWT::ExpiredSignature, 'Signature has expired')
-      end
+      raise(JWT::ExpiredSignature, 'Signature has expired') if @payload['exp'].to_i <= (Time.now.to_i - exp_leeway)
     end
 
     def verify_iat
       return unless @payload.include?('iat')
-
-      if !@payload['iat'].is_a?(Numeric) || @payload['iat'].to_f > (Time.now.to_f + leeway)
-        raise(JWT::InvalidIatError, 'Invalid iat')
-      end
+      raise(JWT::InvalidIatError, 'Invalid iat') if !@payload['iat'].is_a?(Numeric) || @payload['iat'].to_f > (Time.now.to_f + iat_leeway)
     end
 
     def verify_iss
-      return unless (options_iss = extract_option(:iss))
-
-      if @payload['iss'].to_s != options_iss.to_s
-        raise(
-          JWT::InvalidIssuerError,
-          "Invalid issuer. Expected #{options_iss}, received #{@payload['iss'] || '<none>'}"
-        )
-      end
+      return unless (options_iss = @options[:iss])
+      raise(JWT::InvalidIssuerError, "Invalid issuer. Expected #{options_iss}, received #{@payload['iss'] || '<none>'}") if @payload['iss'].to_s != options_iss.to_s
     end
 
     def verify_jti
-      options_verify_jti = extract_option(:verify_jti)
+      options_verify_jti = @options[:verify_jti]
       if options_verify_jti.respond_to?(:call)
         raise(JWT::InvalidJtiError, 'Invalid jti') unless options_verify_jti.call(@payload['jti'])
-      else
-        raise(JWT::InvalidJtiError, 'Missing jti') if @payload['jti'].to_s.strip.empty?
+      elsif @payload['jti'].to_s.strip.empty?
+        raise(JWT::InvalidJtiError, 'Missing jti')
       end
     end
 
     def verify_not_before
       return unless @payload.include?('nbf')
-
-      if @payload['nbf'].to_i > (Time.now.to_i + leeway)
-        raise(JWT::ImmatureSignature, 'Signature nbf has not been reached')
-      end
+      raise(JWT::ImmatureSignature, 'Signature nbf has not been reached') if @payload['nbf'].to_i > (Time.now.to_i + nbf_leeway)
     end
 
     def verify_sub
-      return unless (options_sub = extract_option(:sub))
-
-      raise(
-        JWT::InvalidSubError,
-        "Invalid subject. Expected #{options_sub}, received #{@payload['sub'] || '<none>'}"
-      ) unless @payload['sub'].to_s == options_sub.to_s
+      return unless (options_sub = @options[:sub])
+      raise(JWT::InvalidSubError, "Invalid subject. Expected #{options_sub}, received #{@payload['sub'] || '<none>'}") unless @payload['sub'].to_s == options_sub.to_s
     end
 
     private
 
-    def extract_option(key)
-      @options.values_at(key.to_sym, key.to_s).compact.first
+    def global_leeway
+      @options[:leeway]
+    end
+
+    def exp_leeway
+      @options[:exp_leeway] || global_leeway
+    end
+
+    def iat_leeway
+      @options[:iat_leeway] || global_leeway
     end
 
-    def leeway
-      extract_option :leeway
+    def nbf_leeway
+      @options[:nbf_leeway] || global_leeway
     end
   end
 end

data/lib/jwt/version.rb

@@ -10,13 +10,13 @@ module JWT
   # Moments version builder module
   module VERSION
     # major version
-    MAJOR = 1
+    MAJOR = 2
     # minor version
-    MINOR = 5
+    MINOR = 0
     # tiny version
-    TINY  = 6
+    TINY  = 0
     # alpha, beta, etc. tag
-    PRE   = nil
+    PRE   = 'beta1'.freeze
 
     # Build version string
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

data/ruby-jwt.gemspec

@@ -6,7 +6,6 @@ Gem::Specification.new do |spec|
   spec.name = 'jwt'
   spec.version = JWT.gem_version
   spec.authors = [
-    'Jeff Lindsay',
     'Tim Rudat'
   ]
   spec.email = 'timrudat@gmail.com'
@@ -14,6 +13,7 @@ Gem::Specification.new do |spec|
   spec.description = 'A pure ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard.'
   spec.homepage = 'http://github.com/jwt/ruby-jwt'
   spec.license = 'MIT'
+  spec.required_ruby_version = '~> 2.1'
 
   spec.files = `git ls-files -z`.split("\x0")
   spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
@@ -22,9 +22,10 @@ Gem::Specification.new do |spec|
 
   spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'rake'
-  spec.add_development_dependency 'json', '< 2.0'
   spec.add_development_dependency 'rspec'
   spec.add_development_dependency 'simplecov'
   spec.add_development_dependency 'simplecov-json'
   spec.add_development_dependency 'codeclimate-test-reporter'
+  spec.add_development_dependency 'codacy-coverage'
+  spec.add_development_dependency 'rbnacl'
 end