RubyGems - jwt - Versions diffs - 2.10.1 → 2.10.3 - Mend

jwt 2.10.1 → 2.10.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dcc16f3a25f01facd96faaf83722fd6d45e2a2fa80539e68727cee1a6df71cc1
-  data.tar.gz: 241e7ef393bd3c40356e730466e32d45bc63f0d4e9983d2c40c7bef2424334fa
+  metadata.gz: 014554dde95af535e1c1b84fb4532d6a69ecf2391baaf21c69bbabefb91e4d1c
+  data.tar.gz: f309fd328b353d1ebc2f96e4938cd3d82bf1cc88ab3f94fbadb30027c98751d7
 SHA512:
-  metadata.gz: dffc0046d44c6a5d03538bbd9f0870da9142873ea5ffbb186ccfd339324d3e4c0c1f2e104c668f819047f54573717cd396b1bf8cb96a9a971cf02f6151100bfe
-  data.tar.gz: d86d34077d0fe9d760d72bd176262fafedcea294dada4e95f33b2a0bbeb9995f8e9e3f8d6225cff3cdd480d981dfa40da396683a662cdabc9410266fbde0709f
+  metadata.gz: f6c6fc5f6ec227884cb6cbef16cf91063c29e81a58b3a0186b50dce86b66ea769bac89742e030f4db59097e67d263819bf3d73a6e1b3ca337eec65dc6219bedb
+  data.tar.gz: 8c62212530a0f8bb6405ed923a0bcfb50375ed63e51f5fe3570d59f7208a6d018434d2de8fefb932b1a2401920b615a69adc5b072be1238f7bf849fda823f26a

data/CHANGELOG.md CHANGED Viewed

@@ -1,7 +1,25 @@
 # Changelog
+## [v2.10.3](https://github.com/jwt/ruby-jwt/tree/v2.10.3) (2026-05-22)
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.10.2...v2.10.3)
+**Fixes and enhancements:**
+- Backport: Reject `nil` and empty HMAC keys when signing and verifying ([CVE-2026-45363](https://www.cve.org/CVERecord?id=CVE-2026-45363) / [GHSA-c32j-vqhx-rx3x](https://github.com/jwt/ruby-jwt/security/advisories/GHSA-c32j-vqhx-rx3x)) [#725](https://github.com/jwt/ruby-jwt/pull/725) ([@royzwambag](https://github.com/royzwambag))
+## [v2.10.2](https://github.com/jwt/ruby-jwt/tree/v2.10.2) (2025-06-29)
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.10.1...v2.10.2)
+**Fixes and enhancements:**
+- Avoid using the same digest across calls in JWT::JWA::Ecdsa and JWT::JWA::Rsa [#697](https://github.com/jwt/ruby-jwt/pull/697)
 ## [v2.10.1](https://github.com/jwt/ruby-jwt/tree/v2.10.1) (2024-12-26)
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.10.0...v2.10.1)
 **Fixes and enhancements:**
 - Make version constants public again [#646](https://github.com/jwt/ruby-jwt/pull/646) ([@anakinj]

data/lib/jwt/jwa/ecdsa.rb CHANGED Viewed

@@ -8,7 +8,7 @@ module JWT
       def initialize(alg, digest)
         @alg = alg
-        @digest = OpenSSL::Digest.new(digest)
+        @digest = digest
       end
       def sign(data:, signing_key:)
@@ -16,7 +16,7 @@ module JWT
         key_algorithm = curve_definition[:algorithm]
         raise IncorrectAlgorithm, "payload algorithm is #{alg} but #{key_algorithm} signing key was provided" if alg != key_algorithm
-        asn1_to_raw(signing_key.dsa_sign_asn1(digest.digest(data)), signing_key)
+        asn1_to_raw(signing_key.dsa_sign_asn1(OpenSSL::Digest.new(digest).digest(data)), signing_key)
       end
       def verify(data:, signature:, verification_key:)
@@ -24,7 +24,7 @@ module JWT
         key_algorithm = curve_definition[:algorithm]
         raise IncorrectAlgorithm, "payload algorithm is #{alg} but #{key_algorithm} verification key was provided" if alg != key_algorithm
-        verification_key.dsa_verify_asn1(digest.digest(data), raw_to_asn1(signature, verification_key))
+        verification_key.dsa_verify_asn1(OpenSSL::Digest.new(digest).digest(data), raw_to_asn1(signature, verification_key))
       rescue OpenSSL::PKey::PKeyError
         raise JWT::VerificationError, 'Signature verification raised'
       end

data/lib/jwt/jwa/eddsa.rb CHANGED Viewed

@@ -13,7 +13,7 @@ module JWT
       def sign(data:, signing_key:)
         raise_sign_error!("Key given is a #{signing_key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey") unless signing_key.is_a?(RbNaCl::Signatures::Ed25519::SigningKey)
-        Deprecations.warning('Using Ed25519 keys is deprecated and will be removed in a future version of ruby-jwt. Please use the ruby-eddsa gem instead.')
+        Deprecations.warning('Using the EdDSA algorithm is deprecated and will be removed in a future version of ruby-jwt. In the future the algorithm will be provided by the jwt-eddsa gem.')
         signing_key.sign(data)
       end
@@ -21,7 +21,7 @@ module JWT
       def verify(data:, signature:, verification_key:)
         raise_verify_error!("key given is a #{verification_key.class} but has to be a RbNaCl::Signatures::Ed25519::VerifyKey") unless verification_key.is_a?(RbNaCl::Signatures::Ed25519::VerifyKey)
-        Deprecations.warning('Using Ed25519 keys is deprecated and will be removed in a future version of ruby-jwt. Please use the ruby-eddsa gem instead.')
+        Deprecations.warning('Using the EdDSA algorithm is deprecated and will be removed in a future version of ruby-jwt. In the future the algorithm will be provided by the jwt-eddsa gem.')
         verification_key.verify(signature, data)
       rescue RbNaCl::CryptoError

data/lib/jwt/jwa/hmac.rb CHANGED Viewed

@@ -16,18 +16,15 @@ module JWT
       end
       def sign(data:, signing_key:)
-        signing_key ||= ''
-        raise_verify_error!('HMAC key expected to be a String') unless signing_key.is_a?(String)
+        ensure_valid_key!(signing_key)
         OpenSSL::HMAC.digest(digest.new, signing_key, data)
-      rescue OpenSSL::HMACError => e
-        raise_verify_error!('OpenSSL 3.0 does not support nil or empty hmac_secret') if signing_key == '' && e.message == 'EVP_PKEY_new_mac_key: malloc failure'
-        raise e
       end
       def verify(data:, signature:, verification_key:)
-        SecurityUtils.secure_compare(signature, sign(data: data, signing_key: verification_key))
+        ensure_valid_key!(verification_key)
+        SecurityUtils.secure_compare(signature, OpenSSL::HMAC.digest(digest.new, verification_key, data))
       end
       register_algorithm(new('HS256', OpenSSL::Digest::SHA256))
@@ -38,6 +35,11 @@ module JWT
       attr_reader :digest
+      def ensure_valid_key!(key)
+        raise_verify_error!('HMAC key expected to be a String') unless key.is_a?(String)
+        raise_verify_error!('HMAC key cannot be empty') if key.empty?
+      end
       # Copy of https://github.com/rails/rails/blob/v7.0.3.1/activesupport/lib/active_support/security_utils.rb
       # rubocop:disable Naming/MethodParameterName, Style/StringLiterals, Style/NumericPredicate
       module SecurityUtils

data/lib/jwt/jwa/rsa.rb CHANGED Viewed

@@ -8,17 +8,17 @@ module JWT
       def initialize(alg)
         @alg = alg
-        @digest = OpenSSL::Digest.new(alg.sub('RS', 'SHA'))
+        @digest = alg.sub('RS', 'SHA')
       end
       def sign(data:, signing_key:)
         raise_sign_error!("The given key is a #{signing_key.class}. It has to be an OpenSSL::PKey::RSA instance") unless signing_key.is_a?(OpenSSL::PKey::RSA)
-        signing_key.sign(digest, data)
+        signing_key.sign(OpenSSL::Digest.new(digest), data)
       end
       def verify(data:, signature:, verification_key:)
-        verification_key.verify(digest, signature, data)
+        verification_key.verify(OpenSSL::Digest.new(digest), signature, data)
       rescue OpenSSL::PKey::PKeyError
         raise JWT::VerificationError, 'Signature verification raised'
       end

data/lib/jwt/version.rb CHANGED Viewed

@@ -16,7 +16,7 @@ module JWT
   module VERSION
     MAJOR = 2
     MINOR = 10
-    TINY  = 1
+    TINY  = 3
     PRE   = nil
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

data/ruby-jwt.gemspec CHANGED Viewed

@@ -35,6 +35,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'appraisal'
   spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'logger'
   spec.add_development_dependency 'rake'
   spec.add_development_dependency 'rspec'
   spec.add_development_dependency 'rubocop'

metadata CHANGED Viewed

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 2.10.1
+  version: 2.10.3
 platform: ruby
 authors:
 - Tim Rudat
 bindir: bin
 cert_chain: []
-date: 2024-12-26 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: base64
@@ -51,6 +51,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: logger
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -180,7 +194,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
-  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.10.1/CHANGELOG.md
+  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.10.3/CHANGELOG.md
   rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths:
@@ -196,7 +210,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.2
+rubygems_version: 4.0.10
 specification_version: 4
 summary: JSON Web Token implementation in Ruby
 test_files: []