jwt 2.1.0 → 2.2.0.pre.beta.0

data/lib/jwt/jwk.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require_relative 'jwk/rsa'
+require_relative 'jwk/key_finder'
+
+module JWT
+  module JWK
+    MAPPINGS = {
+      'RSA' => ::JWT::JWK::RSA,
+      OpenSSL::PKey::RSA => ::JWT::JWK::RSA
+    }.freeze
+
+    class << self
+      def import(jwk_data)
+        raise JWT::JWKError, 'Key type (kty) not provided' unless jwk_data[:kty]
+
+        MAPPINGS.fetch(jwk_data[:kty].to_s) do |kty|
+          raise JWT::JWKError, "Key type #{kty} not supported"
+        end.import(jwk_data)
+      end
+
+      def create_from(keypair)
+        MAPPINGS.fetch(keypair.class) do |klass|
+          raise JWT::JWKError, "Cannot create JWK from a #{klass.name}"
+        end.new(keypair)
+      end
+
+      alias new create_from
+    end
+  end
+end

data/lib/jwt/jwk/key_finder.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+module JWT
+  module JWK
+    class KeyFinder
+      def initialize(options)
+        jwks_or_loader = options[:jwks]
+        @jwks          = jwks_or_loader if jwks_or_loader.is_a?(Hash)
+        @jwk_loader    = jwks_or_loader if jwks_or_loader.respond_to?(:call)
+      end
+
+      def key_for(kid)
+        raise ::JWT::DecodeError, 'No key id (kid) found from token headers' unless kid
+
+        jwk = resolve_key(kid)
+
+        raise ::JWT::DecodeError, "Could not find public key for kid #{kid}" unless jwk
+
+        ::JWT::JWK.import(jwk).keypair
+      end
+
+      private
+
+      def resolve_key(kid)
+        jwk = find_key(kid)
+
+        return jwk if jwk
+
+        if reloadable?
+          load_keys(invalidate: true)
+          return find_key(kid)
+        end
+
+        nil
+      end
+
+      def jwks
+        return @jwks if @jwks
+
+        load_keys
+        @jwks
+      end
+
+      def load_keys(opts = {})
+        @jwks = @jwk_loader.call(opts)
+      end
+
+      def find_key(kid)
+        Array(jwks[:keys]).find { |key| key[:kid] == kid }
+      end
+
+      def reloadable?
+        @jwk_loader
+      end
+    end
+  end
+end

data/lib/jwt/jwk/rsa.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module JWT
+  module JWK
+    class RSA
+      extend Forwardable
+
+      attr_reader :keypair
+
+      def_delegators :keypair, :private?, :public_key
+
+      BINARY = 2
+      KTY    = 'RSA'.freeze
+
+      def initialize(keypair)
+        raise ArgumentError, 'keypair must be of type OpenSSL::PKey::RSA' unless keypair.is_a?(OpenSSL::PKey::RSA)
+
+        @keypair = keypair
+      end
+
+      def kid
+        sequence = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer.new(public_key.n),
+                                            OpenSSL::ASN1::Integer.new(public_key.e)])
+        OpenSSL::Digest::SHA256.hexdigest(sequence.to_der)
+      end
+
+      def export
+        {
+          kty: KTY,
+          n: ::Base64.urlsafe_encode64(public_key.n.to_s(BINARY), padding: false),
+          e: ::Base64.urlsafe_encode64(public_key.e.to_s(BINARY), padding: false),
+          kid: kid
+        }
+      end
+
+      def self.import(jwk_data)
+        imported_key = OpenSSL::PKey::RSA.new
+        imported_key.set_key(OpenSSL::BN.new(::Base64.urlsafe_decode64(jwk_data[:n]), BINARY),
+          OpenSSL::BN.new(::Base64.urlsafe_decode64(jwk_data[:e]), BINARY),
+          nil)
+        self.new(imported_key)
+      end
+    end
+  end
+end

data/lib/jwt/security_utils.rb

@@ -20,6 +20,12 @@ module JWT
       public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
     end
 
+    def verify_ps(algorithm, public_key, signing_input, signature)
+      formatted_algorithm = algorithm.sub('PS', 'sha')
+
+      public_key.verify_pss(formatted_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: formatted_algorithm)
+    end
+
     def asn1_to_raw(signature, public_key)
       byte_size = (public_key.group.degree + 7) / 8
       OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join

data/lib/jwt/signature.rb

@@ -6,6 +6,7 @@ require 'jwt/algos/hmac'
 require 'jwt/algos/eddsa'
 require 'jwt/algos/ecdsa'
 require 'jwt/algos/rsa'
+require 'jwt/algos/ps'
 require 'jwt/algos/unsupported'
 begin
   require 'rbnacl'
@@ -23,6 +24,7 @@ module JWT
       Algos::Ecdsa,
       Algos::Rsa,
       Algos::Eddsa,
+      Algos::Ps,
       Algos::Unsupported
     ].freeze
     ToSign = Struct.new(:algorithm, :msg, :key)

data/lib/jwt/verify.rb

@@ -45,7 +45,7 @@ module JWT
       return unless @payload.include?('iat')
 
       iat = @payload['iat']
-      raise(JWT::InvalidIatError, 'Invalid iat') if !iat.is_a?(Numeric) || iat.to_f > (Time.now.to_f + iat_leeway)
+      raise(JWT::InvalidIatError, 'Invalid iat') if !iat.is_a?(Numeric) || iat.to_f > Time.now.to_f
     end
 
     def verify_iss
@@ -91,10 +91,6 @@ module JWT
       @options[:exp_leeway] || global_leeway
     end
 
-    def iat_leeway
-      @options[:iat_leeway] || global_leeway
-    end
-
     def nbf_leeway
       @options[:nbf_leeway] || global_leeway
     end

data/lib/jwt/version.rb

@@ -12,13 +12,13 @@ module JWT
     # major version
     MAJOR = 2
     # minor version
-    MINOR = 1
+    MINOR = 2
     # tiny version
     TINY  = 0
     # alpha, beta, etc. tag
-    PRE   = nil
+    PRE   = 'beta.0'
 
     # Build version string
-    STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
+    STRING = [[MAJOR, MINOR, TINY].compact.join('.'), PRE].compact.join('-')
   end
 end

data/ruby-jwt.gemspec

@@ -11,15 +11,16 @@ Gem::Specification.new do |spec|
   spec.email = 'timrudat@gmail.com'
   spec.summary = 'JSON Web Token implementation in Ruby'
   spec.description = 'A pure ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard.'
-  spec.homepage = 'http://github.com/jwt/ruby-jwt'
+  spec.homepage = 'https://github.com/jwt/ruby-jwt'
   spec.license = 'MIT'
   spec.required_ruby_version = '>= 2.1'
 
-  spec.files = `git ls-files -z`.split("\x0")
-  spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(spec|gemfiles|coverage|bin)/}) }
+  spec.executables = []
   spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = %w[lib]
 
+  spec.add_development_dependency 'appraisal'
   spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'rake'
   spec.add_development_dependency 'rspec'
@@ -28,4 +29,6 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'codeclimate-test-reporter'
   spec.add_development_dependency 'codacy-coverage'
   spec.add_development_dependency 'rbnacl'
+  # RSASSA-PSS support provided by OpenSSL +2.1
+  spec.add_development_dependency 'openssl', '~> 2.1'
 end

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 2.2.0.pre.beta.0
 platform: ruby
 authors:
 - Tim Rudat
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-10-06 00:00:00.000000000 Z
+date: 2019-03-20 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: appraisal
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -122,6 +136,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: openssl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
 description: A pure ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT)
   standard.
 email: timrudat@gmail.com
@@ -132,56 +160,39 @@ files:
 - ".codeclimate.yml"
 - ".ebert.yml"
 - ".gitignore"
-- ".reek.yml"
 - ".rspec"
 - ".rubocop.yml"
 - ".travis.yml"
+- AUTHORS
+- Appraisals
 - CHANGELOG.md
 - Gemfile
 - LICENSE
-- Manifest
 - README.md
 - Rakefile
 - lib/jwt.rb
 - lib/jwt/algos/ecdsa.rb
 - lib/jwt/algos/eddsa.rb
 - lib/jwt/algos/hmac.rb
+- lib/jwt/algos/ps.rb
 - lib/jwt/algos/rsa.rb
 - lib/jwt/algos/unsupported.rb
+- lib/jwt/base64.rb
+- lib/jwt/claims_validator.rb
 - lib/jwt/decode.rb
 - lib/jwt/default_options.rb
 - lib/jwt/encode.rb
 - lib/jwt/error.rb
+- lib/jwt/json.rb
+- lib/jwt/jwk.rb
+- lib/jwt/jwk/key_finder.rb
+- lib/jwt/jwk/rsa.rb
 - lib/jwt/security_utils.rb
 - lib/jwt/signature.rb
 - lib/jwt/verify.rb
 - lib/jwt/version.rb
 - ruby-jwt.gemspec
-- spec/fixtures/certs/ec256-private.pem
-- spec/fixtures/certs/ec256-public.pem
-- spec/fixtures/certs/ec256-wrong-private.pem
-- spec/fixtures/certs/ec256-wrong-public.pem
-- spec/fixtures/certs/ec384-private.pem
-- spec/fixtures/certs/ec384-public.pem
-- spec/fixtures/certs/ec384-wrong-private.pem
-- spec/fixtures/certs/ec384-wrong-public.pem
-- spec/fixtures/certs/ec512-private.pem
-- spec/fixtures/certs/ec512-public.pem
-- spec/fixtures/certs/ec512-wrong-private.pem
-- spec/fixtures/certs/ec512-wrong-public.pem
-- spec/fixtures/certs/rsa-1024-private.pem
-- spec/fixtures/certs/rsa-1024-public.pem
-- spec/fixtures/certs/rsa-2048-private.pem
-- spec/fixtures/certs/rsa-2048-public.pem
-- spec/fixtures/certs/rsa-2048-wrong-private.pem
-- spec/fixtures/certs/rsa-2048-wrong-public.pem
-- spec/fixtures/certs/rsa-4096-private.pem
-- spec/fixtures/certs/rsa-4096-public.pem
-- spec/integration/readme_examples_spec.rb
-- spec/jwt/verify_spec.rb
-- spec/jwt_spec.rb
-- spec/spec_helper.rb
-homepage: http://github.com/jwt/ruby-jwt
+homepage: https://github.com/jwt/ruby-jwt
 licenses:
 - MIT
 metadata: {}
@@ -196,37 +207,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '2.1'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.13
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: JSON Web Token implementation in Ruby
-test_files:
-- spec/fixtures/certs/ec256-private.pem
-- spec/fixtures/certs/ec256-public.pem
-- spec/fixtures/certs/ec256-wrong-private.pem
-- spec/fixtures/certs/ec256-wrong-public.pem
-- spec/fixtures/certs/ec384-private.pem
-- spec/fixtures/certs/ec384-public.pem
-- spec/fixtures/certs/ec384-wrong-private.pem
-- spec/fixtures/certs/ec384-wrong-public.pem
-- spec/fixtures/certs/ec512-private.pem
-- spec/fixtures/certs/ec512-public.pem
-- spec/fixtures/certs/ec512-wrong-private.pem
-- spec/fixtures/certs/ec512-wrong-public.pem
-- spec/fixtures/certs/rsa-1024-private.pem
-- spec/fixtures/certs/rsa-1024-public.pem
-- spec/fixtures/certs/rsa-2048-private.pem
-- spec/fixtures/certs/rsa-2048-public.pem
-- spec/fixtures/certs/rsa-2048-wrong-private.pem
-- spec/fixtures/certs/rsa-2048-wrong-public.pem
-- spec/fixtures/certs/rsa-4096-private.pem
-- spec/fixtures/certs/rsa-4096-public.pem
-- spec/integration/readme_examples_spec.rb
-- spec/jwt/verify_spec.rb
-- spec/jwt_spec.rb
-- spec/spec_helper.rb
+test_files: []

data/.reek.yml

@@ -1,40 +0,0 @@
----
-TooManyStatements:
-  max_statements: 10
-UncommunicativeMethodName:
-  reject:
-  - !ruby/regexp /^[a-z]$/
-  - !ruby/regexp /[0-9]$/
-UncommunicativeParameterName:
-  reject:
-  - !ruby/regexp /^.$/
-  - !ruby/regexp /[0-9]$/
-  - !ruby/regexp /^_/
-UncommunicativeVariableName:
-  reject:
-  - !ruby/regexp /^.$/
-  - !ruby/regexp /[0-9]$/
-UtilityFunction:
-  enabled: false
-LongParameterList:
-  enabled: false
-DuplicateMethodCall:
-  max_calls: 2
-IrresponsibleModule:
-  enabled: false
-NestedIterators:
-  max_allowed_nesting: 2
-PrimaDonnaMethod:
-  enabled: false
-UnusedParameters:
-  enabled: false
-FeatureEnvy:
-  enabled: false
-ControlParameter:
-  enabled: false
-UnusedPrivateMethod:
-  enabled: false
-InstanceVariableAssumption:
-  exclude:
-    - !ruby/regexp /Controller$/
-    - !ruby/regexp /Mailer$/s

data/Manifest

@@ -1,8 +0,0 @@
-Rakefile
-README.md
-LICENSE
-lib/jwt.rb
-lib/jwt/json.rb
-spec/spec_helper.rb
-spec/jwt_spec.rb
-Manifest

data/spec/fixtures/certs/ec256-private.pem

@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIJmVse5uPfj6B4TcXrUAvf9/8pJh+KrKKYLNcmOnp/vPoAoGCCqGSM49
-AwEHoUQDQgAEAr+WbDE5VtIDGhtYMxvEc6cMsDBc/DX1wuhIMu8dQzOLSt0tpqK9
-MVfXbVfrKdayVFgoWzs8MilcYq0QIhKx/w==
------END EC PRIVATE KEY-----