jwt 2.0.0 → 2.2.2

data/lib/jwt/error.rb

@@ -3,6 +3,8 @@
 module JWT
   class EncodeError < StandardError; end
   class DecodeError < StandardError; end
+  class RequiredDependencyError < StandardError; end
+
   class VerificationError < DecodeError; end
   class ExpiredSignature < DecodeError; end
   class IncorrectAlgorithm < DecodeError; end
@@ -13,4 +15,6 @@ module JWT
   class InvalidSubError < DecodeError; end
   class InvalidJtiError < DecodeError; end
   class InvalidPayload < DecodeError; end
+
+  class JWKError < DecodeError; end
 end

data/lib/jwt/json.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module JWT
+  # JSON wrapper
+  class JSON
+    class << self
+      def generate(data)
+        ::JSON.generate(data)
+      end
+
+      def parse(data)
+        ::JSON.parse(data)
+      end
+    end
+  end
+end

data/lib/jwt/jwk.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require_relative 'jwk/rsa'
+require_relative 'jwk/key_finder'
+
+module JWT
+  module JWK
+    MAPPINGS = {
+      'RSA' => ::JWT::JWK::RSA,
+      OpenSSL::PKey::RSA => ::JWT::JWK::RSA
+    }.freeze
+
+    class << self
+      def import(jwk_data)
+        raise JWT::JWKError, 'Key type (kty) not provided' unless jwk_data[:kty]
+
+        MAPPINGS.fetch(jwk_data[:kty].to_s) do |kty|
+          raise JWT::JWKError, "Key type #{kty} not supported"
+        end.import(jwk_data)
+      end
+
+      def create_from(keypair)
+        MAPPINGS.fetch(keypair.class) do |klass|
+          raise JWT::JWKError, "Cannot create JWK from a #{klass.name}"
+        end.new(keypair)
+      end
+
+      alias new create_from
+    end
+  end
+end

data/lib/jwt/jwk/key_finder.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+module JWT
+  module JWK
+    class KeyFinder
+      def initialize(options)
+        jwks_or_loader = options[:jwks]
+        @jwks          = jwks_or_loader if jwks_or_loader.is_a?(Hash)
+        @jwk_loader    = jwks_or_loader if jwks_or_loader.respond_to?(:call)
+      end
+
+      def key_for(kid)
+        raise ::JWT::DecodeError, 'No key id (kid) found from token headers' unless kid
+
+        jwk = resolve_key(kid)
+
+        raise ::JWT::DecodeError, "Could not find public key for kid #{kid}" unless jwk
+
+        ::JWT::JWK.import(jwk).keypair
+      end
+
+      private
+
+      def resolve_key(kid)
+        jwk = find_key(kid)
+
+        return jwk if jwk
+
+        if reloadable?
+          load_keys(invalidate: true)
+          return find_key(kid)
+        end
+
+        nil
+      end
+
+      def jwks
+        return @jwks if @jwks
+
+        load_keys
+        @jwks
+      end
+
+      def load_keys(opts = {})
+        @jwks = @jwk_loader.call(opts)
+      end
+
+      def find_key(kid)
+        Array(jwks[:keys]).find { |key| key[:kid] == kid }
+      end
+
+      def reloadable?
+        @jwk_loader
+      end
+    end
+  end
+end

data/lib/jwt/jwk/rsa.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module JWT
+  module JWK
+    class RSA
+      attr_reader :keypair
+
+      BINARY = 2
+      KTY    = 'RSA'.freeze
+
+      def initialize(keypair)
+        raise ArgumentError, 'keypair must be of type OpenSSL::PKey::RSA' unless keypair.is_a?(OpenSSL::PKey::RSA)
+
+        @keypair = keypair
+      end
+
+      def private?
+        keypair.private?
+      end
+
+      def public_key
+        keypair.public_key
+      end
+
+      def kid
+        sequence = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer.new(public_key.n),
+                                            OpenSSL::ASN1::Integer.new(public_key.e)])
+        OpenSSL::Digest::SHA256.hexdigest(sequence.to_der)
+      end
+
+      def export
+        {
+          kty: KTY,
+          n: ::Base64.urlsafe_encode64(public_key.n.to_s(BINARY), padding: false),
+          e: ::Base64.urlsafe_encode64(public_key.e.to_s(BINARY), padding: false),
+          kid: kid
+        }
+      end
+
+      def self.import(jwk_data)
+        imported_key = OpenSSL::PKey::RSA.new
+        if imported_key.respond_to?(:set_key)
+          imported_key.set_key(OpenSSL::BN.new(::Base64.urlsafe_decode64(jwk_data[:n]), BINARY),
+            OpenSSL::BN.new(::Base64.urlsafe_decode64(jwk_data[:e]), BINARY),
+            nil)
+        else
+          imported_key.n = OpenSSL::BN.new(::Base64.urlsafe_decode64(jwk_data[:n]), BINARY)
+          imported_key.e = OpenSSL::BN.new(::Base64.urlsafe_decode64(jwk_data[:e]), BINARY)
+        end
+        self.new(imported_key)
+      end
+    end
+  end
+end

data/lib/jwt/security_utils.rb

@@ -3,7 +3,6 @@ module JWT
   #
   # @see: https://github.com/rails/rails/blob/master/activesupport/lib/active_support/security_utils.rb
   module SecurityUtils
-
     module_function
 
     def secure_compare(left, right)
@@ -21,6 +20,12 @@ module JWT
       public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
     end
 
+    def verify_ps(algorithm, public_key, signing_input, signature)
+      formatted_algorithm = algorithm.sub('PS', 'sha')
+
+      public_key.verify_pss(formatted_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: formatted_algorithm)
+    end
+
     def asn1_to_raw(signature, public_key)
       byte_size = (public_key.group.degree + 7) / 8
       OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join

data/lib/jwt/signature.rb

@@ -2,10 +2,16 @@
 
 require 'jwt/security_utils'
 require 'openssl'
+require 'jwt/algos/hmac'
+require 'jwt/algos/eddsa'
+require 'jwt/algos/ecdsa'
+require 'jwt/algos/rsa'
+require 'jwt/algos/ps'
+require 'jwt/algos/unsupported'
 begin
   require 'rbnacl'
-rescue LoadError => e
-  abort(e.message) if defined?(RbNaCl)
+rescue LoadError
+  raise if defined?(RbNaCl)
 end
 
 # JWT::Signature module
@@ -13,94 +19,36 @@ module JWT
   # Signature logic for JWT
   module Signature
     extend self
-
-    HMAC_ALGORITHMS = %w[HS256 HS512256 HS384 HS512].freeze
-    RSA_ALGORITHMS = %w[RS256 RS384 RS512].freeze
-    ECDSA_ALGORITHMS = %w[ES256 ES384 ES512].freeze
-
-    NAMED_CURVES = {
-      'prime256v1' => 'ES256',
-      'secp384r1' => 'ES384',
-      'secp521r1' => 'ES512'
-    }.freeze
+    ALGOS = [
+      Algos::Hmac,
+      Algos::Ecdsa,
+      Algos::Rsa,
+      Algos::Eddsa,
+      Algos::Ps,
+      Algos::Unsupported
+    ].freeze
+    ToSign = Struct.new(:algorithm, :msg, :key)
+    ToVerify = Struct.new(:algorithm, :public_key, :signing_input, :signature)
 
     def sign(algorithm, msg, key)
-      if HMAC_ALGORITHMS.include?(algorithm)
-        sign_hmac(algorithm, msg, key)
-      elsif RSA_ALGORITHMS.include?(algorithm)
-        sign_rsa(algorithm, msg, key)
-      elsif ECDSA_ALGORITHMS.include?(algorithm)
-        sign_ecdsa(algorithm, msg, key)
-      else
-        raise NotImplementedError, 'Unsupported signing method'
+      algo = ALGOS.find do |alg|
+        alg.const_get(:SUPPORTED).include? algorithm
       end
+      algo.sign ToSign.new(algorithm, msg, key)
     end
 
-    def verify(algo, key, signing_input, signature)
-      verified = if HMAC_ALGORITHMS.include?(algo)
-        verify_hmac(algo, key, signing_input, signature)
-      elsif RSA_ALGORITHMS.include?(algo)
-        SecurityUtils.verify_rsa(algo, key, signing_input, signature)
-      elsif ECDSA_ALGORITHMS.include?(algo)
-        verify_ecdsa(algo, key, signing_input, signature)
-      else
-        raise JWT::VerificationError, 'Algorithm not supported'
-      end
+    def verify(algorithm, key, signing_input, signature)
+      raise JWT::DecodeError, 'No verification key available' unless key
 
+      algo = ALGOS.find do |alg|
+        alg.const_get(:SUPPORTED).include? algorithm
+      end
+      verified = algo.verify(ToVerify.new(algorithm, key, signing_input, signature))
       raise(JWT::VerificationError, 'Signature verification raised') unless verified
     rescue OpenSSL::PKey::PKeyError
       raise JWT::VerificationError, 'Signature verification raised'
     ensure
       OpenSSL.errors.clear
     end
-
-    private
-
-    def sign_rsa(algorithm, msg, private_key)
-      raise EncodeError, "The given key is a #{private_key.class}. It has to be an OpenSSL::PKey::RSA instance." if private_key.class == String
-      private_key.sign(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), msg)
-    end
-
-    def sign_ecdsa(algorithm, msg, private_key)
-      key_algorithm = NAMED_CURVES[private_key.group.curve_name]
-      if algorithm != key_algorithm
-        raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} signing key was provided"
-      end
-
-      digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
-      SecurityUtils.asn1_to_raw(private_key.dsa_sign_asn1(digest.digest(msg)), private_key)
-    end
-
-    def sign_hmac(algorithm, msg, key)
-      authenticator, padded_key = SecurityUtils.rbnacl_fixup(algorithm, key)
-      if authenticator && padded_key
-        authenticator.auth(padded_key, msg.encode('binary'))
-      else
-        OpenSSL::HMAC.digest(OpenSSL::Digest.new(algorithm.sub('HS', 'sha')), key, msg)
-      end
-    end
-
-    def verify_ecdsa(algorithm, public_key, signing_input, signature)
-      key_algorithm = NAMED_CURVES[public_key.group.curve_name]
-      if algorithm != key_algorithm
-        raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} verification key was provided"
-      end
-
-      digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
-      public_key.dsa_verify_asn1(digest.digest(signing_input), SecurityUtils.raw_to_asn1(signature, public_key))
-    end
-
-    def verify_hmac(algorithm, public_key, signing_input, signature)
-      authenticator, padded_key = SecurityUtils.rbnacl_fixup(algorithm, public_key)
-      if authenticator && padded_key
-        begin
-          authenticator.verify(padded_key, signature.encode('binary'), signing_input.encode('binary'))
-        rescue RbNaCl::BadAuthenticatorError
-          false
-        end
-      else
-        SecurityUtils.secure_compare(signature, sign_hmac(algorithm, signing_input, public_key))
-      end
-    end
   end
 end

data/lib/jwt/verify.rb

@@ -45,16 +45,16 @@ module JWT
       return unless @payload.include?('iat')
 
       iat = @payload['iat']
-      raise(JWT::InvalidIatError, 'Invalid iat') if !iat.is_a?(Numeric) || iat.to_f > (Time.now.to_f + iat_leeway)
+      raise(JWT::InvalidIatError, 'Invalid iat') if !iat.is_a?(Numeric) || iat.to_f > Time.now.to_f
     end
 
     def verify_iss
       return unless (options_iss = @options[:iss])
 
       iss = @payload['iss']
-      
+
       return if Array(options_iss).map(&:to_s).include?(iss.to_s)
-      
+
       raise(JWT::InvalidIssuerError, "Invalid issuer. Expected #{options_iss}, received #{iss || '<none>'}")
     end
 
@@ -63,7 +63,8 @@ module JWT
       jti = @payload['jti']
 
       if options_verify_jti.respond_to?(:call)
-        raise(JWT::InvalidJtiError, 'Invalid jti') unless options_verify_jti.call(jti)
+        verified = options_verify_jti.arity == 2 ? options_verify_jti.call(jti, @payload) : options_verify_jti.call(jti)
+        raise(JWT::InvalidJtiError, 'Invalid jti') unless verified
       elsif jti.to_s.strip.empty?
         raise(JWT::InvalidJtiError, 'Missing jti')
       end
@@ -90,10 +91,6 @@ module JWT
       @options[:exp_leeway] || global_leeway
     end
 
-    def iat_leeway
-      @options[:iat_leeway] || global_leeway
-    end
-
     def nbf_leeway
       @options[:nbf_leeway] || global_leeway
     end

data/lib/jwt/version.rb

@@ -12,9 +12,9 @@ module JWT
     # major version
     MAJOR = 2
     # minor version
-    MINOR = 0
+    MINOR = 2
     # tiny version
-    TINY  = 0
+    TINY  = 2
     # alpha, beta, etc. tag
     PRE   = nil
 

data/ruby-jwt.gemspec

@@ -11,21 +11,24 @@ Gem::Specification.new do |spec|
   spec.email = 'timrudat@gmail.com'
   spec.summary = 'JSON Web Token implementation in Ruby'
   spec.description = 'A pure ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard.'
-  spec.homepage = 'http://github.com/jwt/ruby-jwt'
+  spec.homepage = 'https://github.com/jwt/ruby-jwt'
   spec.license = 'MIT'
   spec.required_ruby_version = '>= 2.1'
 
-  spec.files = `git ls-files -z`.split("\x0")
-  spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(spec|gemfiles|coverage|bin)/}) }
+  spec.executables = []
   spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = %w[lib]
 
+  spec.add_development_dependency 'appraisal'
   spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'rake'
   spec.add_development_dependency 'rspec'
-  spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'simplecov', '< 0.18'
   spec.add_development_dependency 'simplecov-json'
   spec.add_development_dependency 'codeclimate-test-reporter'
   spec.add_development_dependency 'codacy-coverage'
   spec.add_development_dependency 'rbnacl'
+  # RSASSA-PSS support provided by OpenSSL +2.1
+  spec.add_development_dependency 'openssl', '~> 2.1'
 end

metadata

@@ -1,17 +1,17 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.2.2
 platform: ruby
 authors:
 - Tim Rudat
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-09-03 00:00:00.000000000 Z
+date: 2020-08-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: bundler
+  name: appraisal
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -25,7 +25,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -39,7 +39,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rspec
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -53,7 +53,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: simplecov
+  name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -66,6 +66,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '0.18'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '0.18'
 - !ruby/object:Gem::Dependency
   name: simplecov-json
   requirement: !ruby/object:Gem::Requirement
@@ -122,6 +136,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: openssl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
 description: A pure ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT)
   standard.
 email: timrudat@gmail.com
@@ -132,55 +160,43 @@ files:
 - ".codeclimate.yml"
 - ".ebert.yml"
 - ".gitignore"
-- ".reek.yml"
 - ".rspec"
 - ".rubocop.yml"
 - ".travis.yml"
+- AUTHORS
+- Appraisals
 - CHANGELOG.md
 - Gemfile
 - LICENSE
-- Manifest
 - README.md
 - Rakefile
 - lib/jwt.rb
+- lib/jwt/algos/ecdsa.rb
+- lib/jwt/algos/eddsa.rb
+- lib/jwt/algos/hmac.rb
+- lib/jwt/algos/ps.rb
+- lib/jwt/algos/rsa.rb
+- lib/jwt/algos/unsupported.rb
+- lib/jwt/base64.rb
+- lib/jwt/claims_validator.rb
 - lib/jwt/decode.rb
 - lib/jwt/default_options.rb
 - lib/jwt/encode.rb
 - lib/jwt/error.rb
+- lib/jwt/json.rb
+- lib/jwt/jwk.rb
+- lib/jwt/jwk/key_finder.rb
+- lib/jwt/jwk/rsa.rb
 - lib/jwt/security_utils.rb
 - lib/jwt/signature.rb
 - lib/jwt/verify.rb
 - lib/jwt/version.rb
 - ruby-jwt.gemspec
-- spec/fixtures/certs/ec256-private.pem
-- spec/fixtures/certs/ec256-public.pem
-- spec/fixtures/certs/ec256-wrong-private.pem
-- spec/fixtures/certs/ec256-wrong-public.pem
-- spec/fixtures/certs/ec384-private.pem
-- spec/fixtures/certs/ec384-public.pem
-- spec/fixtures/certs/ec384-wrong-private.pem
-- spec/fixtures/certs/ec384-wrong-public.pem
-- spec/fixtures/certs/ec512-private.pem
-- spec/fixtures/certs/ec512-public.pem
-- spec/fixtures/certs/ec512-wrong-private.pem
-- spec/fixtures/certs/ec512-wrong-public.pem
-- spec/fixtures/certs/rsa-1024-private.pem
-- spec/fixtures/certs/rsa-1024-public.pem
-- spec/fixtures/certs/rsa-2048-private.pem
-- spec/fixtures/certs/rsa-2048-public.pem
-- spec/fixtures/certs/rsa-2048-wrong-private.pem
-- spec/fixtures/certs/rsa-2048-wrong-public.pem
-- spec/fixtures/certs/rsa-4096-private.pem
-- spec/fixtures/certs/rsa-4096-public.pem
-- spec/integration/readme_examples_spec.rb
-- spec/jwt/verify_spec.rb
-- spec/jwt_spec.rb
-- spec/spec_helper.rb
-homepage: http://github.com/jwt/ruby-jwt
+homepage: https://github.com/jwt/ruby-jwt
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -195,33 +211,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.13
-signing_key: 
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
 summary: JSON Web Token implementation in Ruby
-test_files:
-- spec/fixtures/certs/ec256-private.pem
-- spec/fixtures/certs/ec256-public.pem
-- spec/fixtures/certs/ec256-wrong-private.pem
-- spec/fixtures/certs/ec256-wrong-public.pem
-- spec/fixtures/certs/ec384-private.pem
-- spec/fixtures/certs/ec384-public.pem
-- spec/fixtures/certs/ec384-wrong-private.pem
-- spec/fixtures/certs/ec384-wrong-public.pem
-- spec/fixtures/certs/ec512-private.pem
-- spec/fixtures/certs/ec512-public.pem
-- spec/fixtures/certs/ec512-wrong-private.pem
-- spec/fixtures/certs/ec512-wrong-public.pem
-- spec/fixtures/certs/rsa-1024-private.pem
-- spec/fixtures/certs/rsa-1024-public.pem
-- spec/fixtures/certs/rsa-2048-private.pem
-- spec/fixtures/certs/rsa-2048-public.pem
-- spec/fixtures/certs/rsa-2048-wrong-private.pem
-- spec/fixtures/certs/rsa-2048-wrong-public.pem
-- spec/fixtures/certs/rsa-4096-private.pem
-- spec/fixtures/certs/rsa-4096-public.pem
-- spec/integration/readme_examples_spec.rb
-- spec/jwt/verify_spec.rb
-- spec/jwt_spec.rb
-- spec/spec_helper.rb
+test_files: []