jwt 2.1.0 → 2.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +5 -5
- data/AUTHORS +119 -0
- data/CHANGELOG.md +355 -19
- data/CODE_OF_CONDUCT.md +84 -0
- data/CONTRIBUTING.md +99 -0
- data/README.md +331 -102
- data/lib/jwt/algos/algo_wrapper.rb +30 -0
- data/lib/jwt/algos/ecdsa.rb +39 -12
- data/lib/jwt/algos/eddsa.rb +18 -8
- data/lib/jwt/algos/hmac.rb +57 -17
- data/lib/jwt/algos/hmac_rbnacl.rb +53 -0
- data/lib/jwt/algos/hmac_rbnacl_fixed.rb +52 -0
- data/lib/jwt/algos/none.rb +19 -0
- data/lib/jwt/algos/ps.rb +41 -0
- data/lib/jwt/algos/rsa.rb +7 -5
- data/lib/jwt/algos/unsupported.rb +7 -4
- data/lib/jwt/algos.rb +67 -0
- data/lib/jwt/base64.rb +19 -0
- data/lib/jwt/claims_validator.rb +37 -0
- data/lib/jwt/configuration/container.rb +21 -0
- data/lib/jwt/configuration/decode_configuration.rb +46 -0
- data/lib/jwt/configuration/jwk_configuration.rb +27 -0
- data/lib/jwt/configuration.rb +15 -0
- data/lib/jwt/decode.rb +143 -24
- data/lib/jwt/encode.rb +54 -26
- data/lib/jwt/error.rb +6 -0
- data/lib/jwt/json.rb +18 -0
- data/lib/jwt/jwk/ec.rb +236 -0
- data/lib/jwt/jwk/hmac.rb +103 -0
- data/lib/jwt/jwk/key_base.rb +55 -0
- data/lib/jwt/jwk/key_finder.rb +46 -0
- data/lib/jwt/jwk/kid_as_key_digest.rb +15 -0
- data/lib/jwt/jwk/okp_rbnacl.rb +110 -0
- data/lib/jwt/jwk/rsa.rb +203 -0
- data/lib/jwt/jwk/set.rb +80 -0
- data/lib/jwt/jwk/thumbprint.rb +26 -0
- data/lib/jwt/jwk.rb +55 -0
- data/lib/jwt/security_utils.rb +8 -27
- data/lib/jwt/verify.rb +19 -8
- data/lib/jwt/version.rb +22 -2
- data/lib/jwt/x5c_key_finder.rb +55 -0
- data/lib/jwt.rb +12 -44
- data/ruby-jwt.gemspec +18 -10
- metadata +45 -118
- data/.codeclimate.yml +0 -20
- data/.ebert.yml +0 -18
- data/.gitignore +0 -11
- data/.reek.yml +0 -40
- data/.rspec +0 -1
- data/.rubocop.yml +0 -98
- data/.travis.yml +0 -14
- data/Gemfile +0 -3
- data/Manifest +0 -8
- data/Rakefile +0 -11
- data/lib/jwt/default_options.rb +0 -15
- data/lib/jwt/signature.rb +0 -50
- data/spec/fixtures/certs/ec256-private.pem +0 -8
- data/spec/fixtures/certs/ec256-public.pem +0 -4
- data/spec/fixtures/certs/ec256-wrong-private.pem +0 -8
- data/spec/fixtures/certs/ec256-wrong-public.pem +0 -4
- data/spec/fixtures/certs/ec384-private.pem +0 -9
- data/spec/fixtures/certs/ec384-public.pem +0 -5
- data/spec/fixtures/certs/ec384-wrong-private.pem +0 -9
- data/spec/fixtures/certs/ec384-wrong-public.pem +0 -5
- data/spec/fixtures/certs/ec512-private.pem +0 -10
- data/spec/fixtures/certs/ec512-public.pem +0 -6
- data/spec/fixtures/certs/ec512-wrong-private.pem +0 -10
- data/spec/fixtures/certs/ec512-wrong-public.pem +0 -6
- data/spec/fixtures/certs/rsa-1024-private.pem +0 -15
- data/spec/fixtures/certs/rsa-1024-public.pem +0 -6
- data/spec/fixtures/certs/rsa-2048-private.pem +0 -27
- data/spec/fixtures/certs/rsa-2048-public.pem +0 -9
- data/spec/fixtures/certs/rsa-2048-wrong-private.pem +0 -27
- data/spec/fixtures/certs/rsa-2048-wrong-public.pem +0 -9
- data/spec/fixtures/certs/rsa-4096-private.pem +0 -51
- data/spec/fixtures/certs/rsa-4096-public.pem +0 -14
- data/spec/integration/readme_examples_spec.rb +0 -202
- data/spec/jwt/verify_spec.rb +0 -232
- data/spec/jwt_spec.rb +0 -315
- data/spec/spec_helper.rb +0 -28
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module JWT
|
|
4
|
+
module Algos
|
|
5
|
+
class AlgoWrapper
|
|
6
|
+
attr_reader :alg, :cls
|
|
7
|
+
|
|
8
|
+
def initialize(alg, cls)
|
|
9
|
+
@alg = alg
|
|
10
|
+
@cls = cls
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
def valid_alg?(alg_to_check)
|
|
14
|
+
alg.casecmp(alg_to_check)&.zero? == true
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
def sign(data:, signing_key:)
|
|
18
|
+
cls.sign(alg, data, signing_key)
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
def verify(data:, signature:, verification_key:)
|
|
22
|
+
cls.verify(alg, verification_key, data, signature)
|
|
23
|
+
rescue OpenSSL::PKey::PKeyError # These should be moved to the algorithms that actually need this, but left here to ensure nothing will break.
|
|
24
|
+
raise JWT::VerificationError, 'Signature verification raised'
|
|
25
|
+
ensure
|
|
26
|
+
OpenSSL.errors.clear
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
data/lib/jwt/algos/ecdsa.rb
CHANGED
|
@@ -1,35 +1,62 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
1
3
|
module JWT
|
|
2
4
|
module Algos
|
|
3
5
|
module Ecdsa
|
|
4
6
|
module_function
|
|
5
7
|
|
|
6
|
-
SUPPORTED = %(ES256 ES384 ES512).freeze
|
|
7
8
|
NAMED_CURVES = {
|
|
8
|
-
'prime256v1' =>
|
|
9
|
-
|
|
10
|
-
|
|
9
|
+
'prime256v1' => {
|
|
10
|
+
algorithm: 'ES256',
|
|
11
|
+
digest: 'sha256'
|
|
12
|
+
},
|
|
13
|
+
'secp256r1' => { # alias for prime256v1
|
|
14
|
+
algorithm: 'ES256',
|
|
15
|
+
digest: 'sha256'
|
|
16
|
+
},
|
|
17
|
+
'secp384r1' => {
|
|
18
|
+
algorithm: 'ES384',
|
|
19
|
+
digest: 'sha384'
|
|
20
|
+
},
|
|
21
|
+
'secp521r1' => {
|
|
22
|
+
algorithm: 'ES512',
|
|
23
|
+
digest: 'sha512'
|
|
24
|
+
},
|
|
25
|
+
'secp256k1' => {
|
|
26
|
+
algorithm: 'ES256K',
|
|
27
|
+
digest: 'sha256'
|
|
28
|
+
}
|
|
11
29
|
}.freeze
|
|
12
30
|
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
31
|
+
SUPPORTED = NAMED_CURVES.map { |_, c| c[:algorithm] }.uniq.freeze
|
|
32
|
+
|
|
33
|
+
def sign(algorithm, msg, key)
|
|
34
|
+
curve_definition = curve_by_name(key.group.curve_name)
|
|
35
|
+
key_algorithm = curve_definition[:algorithm]
|
|
16
36
|
if algorithm != key_algorithm
|
|
17
37
|
raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} signing key was provided"
|
|
18
38
|
end
|
|
19
39
|
|
|
20
|
-
digest = OpenSSL::Digest.new(
|
|
40
|
+
digest = OpenSSL::Digest.new(curve_definition[:digest])
|
|
21
41
|
SecurityUtils.asn1_to_raw(key.dsa_sign_asn1(digest.digest(msg)), key)
|
|
22
42
|
end
|
|
23
43
|
|
|
24
|
-
def verify(
|
|
25
|
-
|
|
26
|
-
key_algorithm =
|
|
44
|
+
def verify(algorithm, public_key, signing_input, signature)
|
|
45
|
+
curve_definition = curve_by_name(public_key.group.curve_name)
|
|
46
|
+
key_algorithm = curve_definition[:algorithm]
|
|
27
47
|
if algorithm != key_algorithm
|
|
28
48
|
raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} verification key was provided"
|
|
29
49
|
end
|
|
30
|
-
|
|
50
|
+
|
|
51
|
+
digest = OpenSSL::Digest.new(curve_definition[:digest])
|
|
31
52
|
public_key.dsa_verify_asn1(digest.digest(signing_input), SecurityUtils.raw_to_asn1(signature, public_key))
|
|
32
53
|
end
|
|
54
|
+
|
|
55
|
+
def curve_by_name(name)
|
|
56
|
+
NAMED_CURVES.fetch(name) do
|
|
57
|
+
raise UnsupportedEcdsaCurve, "The ECDSA curve '#{name}' is not supported"
|
|
58
|
+
end
|
|
59
|
+
end
|
|
33
60
|
end
|
|
34
61
|
end
|
|
35
62
|
end
|
data/lib/jwt/algos/eddsa.rb
CHANGED
|
@@ -1,22 +1,32 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
1
3
|
module JWT
|
|
2
4
|
module Algos
|
|
3
5
|
module Eddsa
|
|
4
6
|
module_function
|
|
5
7
|
|
|
6
|
-
SUPPORTED = %w[ED25519].freeze
|
|
8
|
+
SUPPORTED = %w[ED25519 EdDSA].freeze
|
|
9
|
+
|
|
10
|
+
def sign(algorithm, msg, key)
|
|
11
|
+
if key.class != RbNaCl::Signatures::Ed25519::SigningKey
|
|
12
|
+
raise EncodeError, "Key given is a #{key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey"
|
|
13
|
+
end
|
|
14
|
+
unless SUPPORTED.map(&:downcase).map(&:to_sym).include?(algorithm.downcase.to_sym)
|
|
15
|
+
raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided"
|
|
16
|
+
end
|
|
7
17
|
|
|
8
|
-
def sign(to_sign)
|
|
9
|
-
algorithm, msg, key = to_sign.values
|
|
10
|
-
raise EncodeError, "Key given is a #{key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey" if key.class != RbNaCl::Signatures::Ed25519::SigningKey
|
|
11
|
-
raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided" if algorithm.downcase.to_sym != key.primitive
|
|
12
18
|
key.sign(msg)
|
|
13
19
|
end
|
|
14
20
|
|
|
15
|
-
def verify(
|
|
16
|
-
|
|
17
|
-
|
|
21
|
+
def verify(algorithm, public_key, signing_input, signature)
|
|
22
|
+
unless SUPPORTED.map(&:downcase).map(&:to_sym).include?(algorithm.downcase.to_sym)
|
|
23
|
+
raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided"
|
|
24
|
+
end
|
|
18
25
|
raise DecodeError, "key given is a #{public_key.class} but has to be a RbNaCl::Signatures::Ed25519::VerifyKey" if public_key.class != RbNaCl::Signatures::Ed25519::VerifyKey
|
|
26
|
+
|
|
19
27
|
public_key.verify(signature, signing_input)
|
|
28
|
+
rescue RbNaCl::CryptoError
|
|
29
|
+
false
|
|
20
30
|
end
|
|
21
31
|
end
|
|
22
32
|
end
|
data/lib/jwt/algos/hmac.rb
CHANGED
|
@@ -1,33 +1,73 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
1
3
|
module JWT
|
|
2
4
|
module Algos
|
|
3
5
|
module Hmac
|
|
4
6
|
module_function
|
|
5
7
|
|
|
6
|
-
|
|
8
|
+
MAPPING = {
|
|
9
|
+
'HS256' => OpenSSL::Digest::SHA256,
|
|
10
|
+
'HS384' => OpenSSL::Digest::SHA384,
|
|
11
|
+
'HS512' => OpenSSL::Digest::SHA512
|
|
12
|
+
}.freeze
|
|
7
13
|
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
14
|
+
SUPPORTED = MAPPING.keys
|
|
15
|
+
|
|
16
|
+
def sign(algorithm, msg, key)
|
|
17
|
+
key ||= ''
|
|
18
|
+
|
|
19
|
+
raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
|
|
20
|
+
|
|
21
|
+
OpenSSL::HMAC.digest(MAPPING[algorithm].new, key, msg)
|
|
22
|
+
rescue OpenSSL::HMACError => e
|
|
23
|
+
if key == '' && e.message == 'EVP_PKEY_new_mac_key: malloc failure'
|
|
24
|
+
raise JWT::DecodeError, 'OpenSSL 3.0 does not support nil or empty hmac_secret'
|
|
15
25
|
end
|
|
26
|
+
|
|
27
|
+
raise e
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
def verify(algorithm, key, signing_input, signature)
|
|
31
|
+
SecurityUtils.secure_compare(signature, sign(algorithm, signing_input, key))
|
|
16
32
|
end
|
|
17
33
|
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
34
|
+
# Copy of https://github.com/rails/rails/blob/v7.0.3.1/activesupport/lib/active_support/security_utils.rb
|
|
35
|
+
# rubocop:disable Naming/MethodParameterName, Style/StringLiterals, Style/NumericPredicate
|
|
36
|
+
module SecurityUtils
|
|
37
|
+
# Constant time string comparison, for fixed length strings.
|
|
38
|
+
#
|
|
39
|
+
# The values compared should be of fixed length, such as strings
|
|
40
|
+
# that have already been processed by HMAC. Raises in case of length mismatch.
|
|
41
|
+
|
|
42
|
+
if defined?(OpenSSL.fixed_length_secure_compare)
|
|
43
|
+
def fixed_length_secure_compare(a, b)
|
|
44
|
+
OpenSSL.fixed_length_secure_compare(a, b)
|
|
26
45
|
end
|
|
27
46
|
else
|
|
28
|
-
|
|
47
|
+
def fixed_length_secure_compare(a, b)
|
|
48
|
+
raise ArgumentError, "string length mismatch." unless a.bytesize == b.bytesize
|
|
49
|
+
|
|
50
|
+
l = a.unpack "C#{a.bytesize}"
|
|
51
|
+
|
|
52
|
+
res = 0
|
|
53
|
+
b.each_byte { |byte| res |= byte ^ l.shift }
|
|
54
|
+
res == 0
|
|
55
|
+
end
|
|
56
|
+
end
|
|
57
|
+
module_function :fixed_length_secure_compare
|
|
58
|
+
|
|
59
|
+
# Secure string comparison for strings of variable length.
|
|
60
|
+
#
|
|
61
|
+
# While a timing attack would not be able to discern the content of
|
|
62
|
+
# a secret compared via secure_compare, it is possible to determine
|
|
63
|
+
# the secret length. This should be considered when using secure_compare
|
|
64
|
+
# to compare weak, short secrets to user input.
|
|
65
|
+
def secure_compare(a, b)
|
|
66
|
+
a.bytesize == b.bytesize && fixed_length_secure_compare(a, b)
|
|
29
67
|
end
|
|
68
|
+
module_function :secure_compare
|
|
30
69
|
end
|
|
70
|
+
# rubocop:enable Naming/MethodParameterName, Style/StringLiterals, Style/NumericPredicate
|
|
31
71
|
end
|
|
32
72
|
end
|
|
33
73
|
end
|
|
@@ -0,0 +1,53 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module JWT
|
|
4
|
+
module Algos
|
|
5
|
+
module HmacRbNaCl
|
|
6
|
+
module_function
|
|
7
|
+
|
|
8
|
+
MAPPING = {
|
|
9
|
+
'HS256' => ::RbNaCl::HMAC::SHA256,
|
|
10
|
+
'HS512256' => ::RbNaCl::HMAC::SHA512256,
|
|
11
|
+
'HS384' => nil,
|
|
12
|
+
'HS512' => ::RbNaCl::HMAC::SHA512
|
|
13
|
+
}.freeze
|
|
14
|
+
|
|
15
|
+
SUPPORTED = MAPPING.keys
|
|
16
|
+
|
|
17
|
+
def sign(algorithm, msg, key)
|
|
18
|
+
if (hmac = resolve_algorithm(algorithm))
|
|
19
|
+
hmac.auth(key_for_rbnacl(hmac, key).encode('binary'), msg.encode('binary'))
|
|
20
|
+
else
|
|
21
|
+
Hmac.sign(algorithm, msg, key)
|
|
22
|
+
end
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
def verify(algorithm, key, signing_input, signature)
|
|
26
|
+
if (hmac = resolve_algorithm(algorithm))
|
|
27
|
+
hmac.verify(key_for_rbnacl(hmac, key).encode('binary'), signature.encode('binary'), signing_input.encode('binary'))
|
|
28
|
+
else
|
|
29
|
+
Hmac.verify(algorithm, key, signing_input, signature)
|
|
30
|
+
end
|
|
31
|
+
rescue ::RbNaCl::BadAuthenticatorError
|
|
32
|
+
false
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
def key_for_rbnacl(hmac, key)
|
|
36
|
+
key ||= ''
|
|
37
|
+
raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
|
|
38
|
+
|
|
39
|
+
return padded_empty_key(hmac.key_bytes) if key == ''
|
|
40
|
+
|
|
41
|
+
key
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
def resolve_algorithm(algorithm)
|
|
45
|
+
MAPPING.fetch(algorithm)
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
def padded_empty_key(length)
|
|
49
|
+
Array.new(length, 0x0).pack('C*').encode('binary')
|
|
50
|
+
end
|
|
51
|
+
end
|
|
52
|
+
end
|
|
53
|
+
end
|
|
@@ -0,0 +1,52 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module JWT
|
|
4
|
+
module Algos
|
|
5
|
+
module HmacRbNaClFixed
|
|
6
|
+
module_function
|
|
7
|
+
|
|
8
|
+
MAPPING = {
|
|
9
|
+
'HS256' => ::RbNaCl::HMAC::SHA256,
|
|
10
|
+
'HS512256' => ::RbNaCl::HMAC::SHA512256,
|
|
11
|
+
'HS384' => nil,
|
|
12
|
+
'HS512' => ::RbNaCl::HMAC::SHA512
|
|
13
|
+
}.freeze
|
|
14
|
+
|
|
15
|
+
SUPPORTED = MAPPING.keys
|
|
16
|
+
|
|
17
|
+
def sign(algorithm, msg, key)
|
|
18
|
+
key ||= ''
|
|
19
|
+
|
|
20
|
+
raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
|
|
21
|
+
|
|
22
|
+
if (hmac = resolve_algorithm(algorithm)) && key.bytesize <= hmac.key_bytes
|
|
23
|
+
hmac.auth(padded_key_bytes(key, hmac.key_bytes), msg.encode('binary'))
|
|
24
|
+
else
|
|
25
|
+
Hmac.sign(algorithm, msg, key)
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
def verify(algorithm, key, signing_input, signature)
|
|
30
|
+
key ||= ''
|
|
31
|
+
|
|
32
|
+
raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
|
|
33
|
+
|
|
34
|
+
if (hmac = resolve_algorithm(algorithm)) && key.bytesize <= hmac.key_bytes
|
|
35
|
+
hmac.verify(padded_key_bytes(key, hmac.key_bytes), signature.encode('binary'), signing_input.encode('binary'))
|
|
36
|
+
else
|
|
37
|
+
Hmac.verify(algorithm, key, signing_input, signature)
|
|
38
|
+
end
|
|
39
|
+
rescue ::RbNaCl::BadAuthenticatorError
|
|
40
|
+
false
|
|
41
|
+
end
|
|
42
|
+
|
|
43
|
+
def resolve_algorithm(algorithm)
|
|
44
|
+
MAPPING.fetch(algorithm)
|
|
45
|
+
end
|
|
46
|
+
|
|
47
|
+
def padded_key_bytes(key, bytesize)
|
|
48
|
+
key.bytes.fill(0, key.bytesize...bytesize).pack('C*')
|
|
49
|
+
end
|
|
50
|
+
end
|
|
51
|
+
end
|
|
52
|
+
end
|
data/lib/jwt/algos/ps.rb
ADDED
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module JWT
|
|
4
|
+
module Algos
|
|
5
|
+
module Ps
|
|
6
|
+
# RSASSA-PSS signing algorithms
|
|
7
|
+
|
|
8
|
+
module_function
|
|
9
|
+
|
|
10
|
+
SUPPORTED = %w[PS256 PS384 PS512].freeze
|
|
11
|
+
|
|
12
|
+
def sign(algorithm, msg, key)
|
|
13
|
+
require_openssl!
|
|
14
|
+
|
|
15
|
+
key_class = key.class
|
|
16
|
+
|
|
17
|
+
raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance." if key_class == String
|
|
18
|
+
|
|
19
|
+
translated_algorithm = algorithm.sub('PS', 'sha')
|
|
20
|
+
|
|
21
|
+
key.sign_pss(translated_algorithm, msg, salt_length: :digest, mgf1_hash: translated_algorithm)
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
def verify(algorithm, public_key, signing_input, signature)
|
|
25
|
+
require_openssl!
|
|
26
|
+
|
|
27
|
+
SecurityUtils.verify_ps(algorithm, public_key, signing_input, signature)
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
def require_openssl!
|
|
31
|
+
if Object.const_defined?('OpenSSL')
|
|
32
|
+
if ::Gem::Version.new(OpenSSL::VERSION) < ::Gem::Version.new('2.1')
|
|
33
|
+
raise JWT::RequiredDependencyError, "You currently have OpenSSL #{OpenSSL::VERSION}. PS support requires >= 2.1"
|
|
34
|
+
end
|
|
35
|
+
else
|
|
36
|
+
raise JWT::RequiredDependencyError, 'PS signing requires OpenSSL +2.1'
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
end
|
|
40
|
+
end
|
|
41
|
+
end
|
data/lib/jwt/algos/rsa.rb
CHANGED
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
1
3
|
module JWT
|
|
2
4
|
module Algos
|
|
3
5
|
module Rsa
|
|
@@ -5,14 +7,14 @@ module JWT
|
|
|
5
7
|
|
|
6
8
|
SUPPORTED = %w[RS256 RS384 RS512].freeze
|
|
7
9
|
|
|
8
|
-
def sign(
|
|
9
|
-
|
|
10
|
-
|
|
10
|
+
def sign(algorithm, msg, key)
|
|
11
|
+
raise EncodeError, "The given key is a #{key.class}. It has to be an OpenSSL::PKey::RSA instance." if key.instance_of?(String)
|
|
12
|
+
|
|
11
13
|
key.sign(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), msg)
|
|
12
14
|
end
|
|
13
15
|
|
|
14
|
-
def verify(
|
|
15
|
-
SecurityUtils.verify_rsa(
|
|
16
|
+
def verify(algorithm, public_key, signing_input, signature)
|
|
17
|
+
SecurityUtils.verify_rsa(algorithm, public_key, signing_input, signature)
|
|
16
18
|
end
|
|
17
19
|
end
|
|
18
20
|
end
|
|
@@ -1,16 +1,19 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
1
3
|
module JWT
|
|
2
4
|
module Algos
|
|
3
5
|
module Unsupported
|
|
4
6
|
module_function
|
|
5
7
|
|
|
6
|
-
SUPPORTED =
|
|
7
|
-
def verify(*)
|
|
8
|
-
raise JWT::VerificationError, 'Algorithm not supported'
|
|
9
|
-
end
|
|
8
|
+
SUPPORTED = [].freeze
|
|
10
9
|
|
|
11
10
|
def sign(*)
|
|
12
11
|
raise NotImplementedError, 'Unsupported signing method'
|
|
13
12
|
end
|
|
13
|
+
|
|
14
|
+
def verify(*)
|
|
15
|
+
raise JWT::VerificationError, 'Algorithm not supported'
|
|
16
|
+
end
|
|
14
17
|
end
|
|
15
18
|
end
|
|
16
19
|
end
|
data/lib/jwt/algos.rb
ADDED
|
@@ -0,0 +1,67 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
begin
|
|
4
|
+
require 'rbnacl'
|
|
5
|
+
rescue LoadError
|
|
6
|
+
raise if defined?(RbNaCl)
|
|
7
|
+
end
|
|
8
|
+
require 'openssl'
|
|
9
|
+
|
|
10
|
+
require 'jwt/security_utils'
|
|
11
|
+
require 'jwt/algos/hmac'
|
|
12
|
+
require 'jwt/algos/eddsa'
|
|
13
|
+
require 'jwt/algos/ecdsa'
|
|
14
|
+
require 'jwt/algos/rsa'
|
|
15
|
+
require 'jwt/algos/ps'
|
|
16
|
+
require 'jwt/algos/none'
|
|
17
|
+
require 'jwt/algos/unsupported'
|
|
18
|
+
require 'jwt/algos/algo_wrapper'
|
|
19
|
+
|
|
20
|
+
module JWT
|
|
21
|
+
module Algos
|
|
22
|
+
extend self
|
|
23
|
+
|
|
24
|
+
ALGOS = [Algos::Ecdsa,
|
|
25
|
+
Algos::Rsa,
|
|
26
|
+
Algos::Eddsa,
|
|
27
|
+
Algos::Ps,
|
|
28
|
+
Algos::None,
|
|
29
|
+
Algos::Unsupported].tap do |l|
|
|
30
|
+
if ::JWT.rbnacl_6_or_greater?
|
|
31
|
+
require_relative 'algos/hmac_rbnacl'
|
|
32
|
+
l.unshift(Algos::HmacRbNaCl)
|
|
33
|
+
elsif ::JWT.rbnacl?
|
|
34
|
+
require_relative 'algos/hmac_rbnacl_fixed'
|
|
35
|
+
l.unshift(Algos::HmacRbNaClFixed)
|
|
36
|
+
else
|
|
37
|
+
l.unshift(Algos::Hmac)
|
|
38
|
+
end
|
|
39
|
+
end.freeze
|
|
40
|
+
|
|
41
|
+
def find(algorithm)
|
|
42
|
+
indexed[algorithm && algorithm.downcase]
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
def create(algorithm)
|
|
46
|
+
Algos::AlgoWrapper.new(*find(algorithm))
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
def implementation?(algorithm)
|
|
50
|
+
(algorithm.respond_to?(:valid_alg?) && algorithm.respond_to?(:verify)) ||
|
|
51
|
+
(algorithm.respond_to?(:alg) && algorithm.respond_to?(:sign))
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
private
|
|
55
|
+
|
|
56
|
+
def indexed
|
|
57
|
+
@indexed ||= begin
|
|
58
|
+
fallback = [nil, Algos::Unsupported]
|
|
59
|
+
ALGOS.each_with_object(Hash.new(fallback)) do |cls, hash|
|
|
60
|
+
cls.const_get(:SUPPORTED).each do |alg|
|
|
61
|
+
hash[alg.downcase] = [alg, cls]
|
|
62
|
+
end
|
|
63
|
+
end
|
|
64
|
+
end
|
|
65
|
+
end
|
|
66
|
+
end
|
|
67
|
+
end
|
data/lib/jwt/base64.rb
ADDED
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'base64'
|
|
4
|
+
|
|
5
|
+
module JWT
|
|
6
|
+
# Base64 helpers
|
|
7
|
+
class Base64
|
|
8
|
+
class << self
|
|
9
|
+
def url_encode(str)
|
|
10
|
+
::Base64.encode64(str).tr('+/', '-_').gsub(/[\n=]/, '')
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
def url_decode(str)
|
|
14
|
+
str += '=' * (4 - str.length.modulo(4))
|
|
15
|
+
::Base64.decode64(str.tr('-_', '+/'))
|
|
16
|
+
end
|
|
17
|
+
end
|
|
18
|
+
end
|
|
19
|
+
end
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require_relative './error'
|
|
4
|
+
|
|
5
|
+
module JWT
|
|
6
|
+
class ClaimsValidator
|
|
7
|
+
NUMERIC_CLAIMS = %i[
|
|
8
|
+
exp
|
|
9
|
+
iat
|
|
10
|
+
nbf
|
|
11
|
+
].freeze
|
|
12
|
+
|
|
13
|
+
def initialize(payload)
|
|
14
|
+
@payload = payload.transform_keys(&:to_sym)
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
def validate!
|
|
18
|
+
validate_numeric_claims
|
|
19
|
+
|
|
20
|
+
true
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
private
|
|
24
|
+
|
|
25
|
+
def validate_numeric_claims
|
|
26
|
+
NUMERIC_CLAIMS.each do |claim|
|
|
27
|
+
validate_is_numeric(claim) if @payload.key?(claim)
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
def validate_is_numeric(claim)
|
|
32
|
+
return if @payload[claim].is_a?(Numeric)
|
|
33
|
+
|
|
34
|
+
raise InvalidPayload, "#{claim} claim must be a Numeric value but it is a #{@payload[claim].class}"
|
|
35
|
+
end
|
|
36
|
+
end
|
|
37
|
+
end
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require_relative 'decode_configuration'
|
|
4
|
+
require_relative 'jwk_configuration'
|
|
5
|
+
|
|
6
|
+
module JWT
|
|
7
|
+
module Configuration
|
|
8
|
+
class Container
|
|
9
|
+
attr_accessor :decode, :jwk
|
|
10
|
+
|
|
11
|
+
def initialize
|
|
12
|
+
reset!
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def reset!
|
|
16
|
+
@decode = DecodeConfiguration.new
|
|
17
|
+
@jwk = JwkConfiguration.new
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
end
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module JWT
|
|
4
|
+
module Configuration
|
|
5
|
+
class DecodeConfiguration
|
|
6
|
+
attr_accessor :verify_expiration,
|
|
7
|
+
:verify_not_before,
|
|
8
|
+
:verify_iss,
|
|
9
|
+
:verify_iat,
|
|
10
|
+
:verify_jti,
|
|
11
|
+
:verify_aud,
|
|
12
|
+
:verify_sub,
|
|
13
|
+
:leeway,
|
|
14
|
+
:algorithms,
|
|
15
|
+
:required_claims
|
|
16
|
+
|
|
17
|
+
def initialize
|
|
18
|
+
@verify_expiration = true
|
|
19
|
+
@verify_not_before = true
|
|
20
|
+
@verify_iss = false
|
|
21
|
+
@verify_iat = false
|
|
22
|
+
@verify_jti = false
|
|
23
|
+
@verify_aud = false
|
|
24
|
+
@verify_sub = false
|
|
25
|
+
@leeway = 0
|
|
26
|
+
@algorithms = ['HS256']
|
|
27
|
+
@required_claims = []
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
def to_h
|
|
31
|
+
{
|
|
32
|
+
verify_expiration: verify_expiration,
|
|
33
|
+
verify_not_before: verify_not_before,
|
|
34
|
+
verify_iss: verify_iss,
|
|
35
|
+
verify_iat: verify_iat,
|
|
36
|
+
verify_jti: verify_jti,
|
|
37
|
+
verify_aud: verify_aud,
|
|
38
|
+
verify_sub: verify_sub,
|
|
39
|
+
leeway: leeway,
|
|
40
|
+
algorithms: algorithms,
|
|
41
|
+
required_claims: required_claims
|
|
42
|
+
}
|
|
43
|
+
end
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
end
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require_relative '../jwk/kid_as_key_digest'
|
|
4
|
+
require_relative '../jwk/thumbprint'
|
|
5
|
+
|
|
6
|
+
module JWT
|
|
7
|
+
module Configuration
|
|
8
|
+
class JwkConfiguration
|
|
9
|
+
def initialize
|
|
10
|
+
self.kid_generator_type = :key_digest
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
def kid_generator_type=(value)
|
|
14
|
+
self.kid_generator = case value
|
|
15
|
+
when :key_digest
|
|
16
|
+
JWT::JWK::KidAsKeyDigest
|
|
17
|
+
when :rfc7638_thumbprint
|
|
18
|
+
JWT::JWK::Thumbprint
|
|
19
|
+
else
|
|
20
|
+
raise ArgumentError, "#{value} is not a valid kid generator type."
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
attr_accessor :kid_generator
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
end
|