jwt 2.2.0 → 2.3.0

data/lib/jwt/jwk/hmac.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module JWT
+  module JWK
+    class HMAC < KeyBase
+      KTY = 'oct'.freeze
+      KTYS = [KTY, String].freeze
+
+      def initialize(keypair, kid = nil)
+        raise ArgumentError, 'keypair must be of type String' unless keypair.is_a?(String)
+
+        super
+        @kid = kid || generate_kid
+      end
+
+      def private?
+        true
+      end
+
+      def public_key
+        nil
+      end
+
+      # See https://tools.ietf.org/html/rfc7517#appendix-A.3
+      def export(options = {})
+        exported_hash = {
+          kty: KTY,
+          kid: kid
+        }
+
+        return exported_hash unless private? && options[:include_private] == true
+
+        exported_hash.merge(
+          k: keypair
+        )
+      end
+
+      private
+
+      def generate_kid
+        sequence = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::UTF8String.new(keypair),
+                                            OpenSSL::ASN1::UTF8String.new(KTY)])
+        OpenSSL::Digest::SHA256.hexdigest(sequence.to_der)
+      end
+
+      class << self
+        def import(jwk_data)
+          jwk_k = jwk_data[:k] || jwk_data['k']
+          jwk_kid = jwk_data[:kid] || jwk_data['kid']
+
+          raise JWT::JWKError, 'Key format is invalid for HMAC' unless jwk_k
+
+          self.new(jwk_k, jwk_kid)
+        end
+      end
+    end
+  end
+end

data/lib/jwt/jwk/key_base.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module JWT
+  module JWK
+    class KeyBase
+      attr_reader :keypair, :kid
+
+      def initialize(keypair, kid = nil)
+        @keypair = keypair
+        @kid     = kid
+      end
+
+      def self.inherited(klass)
+        ::JWT::JWK.classes << klass
+      end
+    end
+  end
+end

data/lib/jwt/jwk/key_finder.rb

@@ -14,6 +14,7 @@ module JWT
 
         jwk = resolve_key(kid)
 
+        raise ::JWT::DecodeError, 'No keys found in jwks' if jwks_keys.empty?
         raise ::JWT::DecodeError, "Could not find public key for kid #{kid}" unless jwk
 
         ::JWT::JWK.import(jwk).keypair
@@ -45,8 +46,12 @@ module JWT
         @jwks = @jwk_loader.call(opts)
       end
 
+      def jwks_keys
+        Array(jwks[:keys] || jwks['keys'])
+      end
+
       def find_key(kid)
-        Array(jwks[:keys]).find { |key| key[:kid] == kid }
+        jwks_keys.find { |key| (key[:kid] || key['kid']) == kid }
       end
 
       def reloadable?

data/lib/jwt/jwk/rsa.rb

@@ -2,43 +2,113 @@
 
 module JWT
   module JWK
-    class RSA
-      extend Forwardable
-
-      attr_reader :keypair
-
-      def_delegators :keypair, :private?, :public_key
-
+    class RSA < KeyBase
       BINARY = 2
       KTY    = 'RSA'.freeze
+      KTYS   = [KTY, OpenSSL::PKey::RSA].freeze
+      RSA_KEY_ELEMENTS = %i[n e d p q dp dq qi].freeze
 
-      def initialize(keypair)
+      def initialize(keypair, kid = nil)
         raise ArgumentError, 'keypair must be of type OpenSSL::PKey::RSA' unless keypair.is_a?(OpenSSL::PKey::RSA)
+        super(keypair, kid || generate_kid(keypair.public_key))
+      end
 
-        @keypair = keypair
+      def private?
+        keypair.private?
       end
 
-      def kid
-        sequence = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer.new(public_key.n),
-                                            OpenSSL::ASN1::Integer.new(public_key.e)])
-        OpenSSL::Digest::SHA256.hexdigest(sequence.to_der)
+      def public_key
+        keypair.public_key
       end
 
-      def export
-        {
+      def export(options = {})
+        exported_hash = {
           kty: KTY,
-          n: ::Base64.urlsafe_encode64(public_key.n.to_s(BINARY), padding: false),
-          e: ::Base64.urlsafe_encode64(public_key.e.to_s(BINARY), padding: false),
+          n: encode_open_ssl_bn(public_key.n),
+          e: encode_open_ssl_bn(public_key.e),
           kid: kid
         }
+
+        return exported_hash unless private? && options[:include_private] == true
+
+        append_private_parts(exported_hash)
       end
 
-      def self.import(jwk_data)
-        imported_key = OpenSSL::PKey::RSA.new
-        imported_key.set_key(OpenSSL::BN.new(::Base64.urlsafe_decode64(jwk_data[:n]), BINARY),
-          OpenSSL::BN.new(::Base64.urlsafe_decode64(jwk_data[:e]), BINARY),
-          nil)
-        self.new(imported_key)
+      private
+
+      def generate_kid(public_key)
+        sequence = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer.new(public_key.n),
+                                            OpenSSL::ASN1::Integer.new(public_key.e)])
+        OpenSSL::Digest::SHA256.hexdigest(sequence.to_der)
+      end
+
+      def append_private_parts(the_hash)
+        the_hash.merge(
+          d: encode_open_ssl_bn(keypair.d),
+          p: encode_open_ssl_bn(keypair.p),
+          q: encode_open_ssl_bn(keypair.q),
+          dp: encode_open_ssl_bn(keypair.dmp1),
+          dq: encode_open_ssl_bn(keypair.dmq1),
+          qi: encode_open_ssl_bn(keypair.iqmp)
+        )
+      end
+
+      def encode_open_ssl_bn(key_part)
+        ::JWT::Base64.url_encode(key_part.to_s(BINARY))
+      end
+
+      class << self
+        def import(jwk_data)
+          pkey_params = jwk_attributes(jwk_data, *RSA_KEY_ELEMENTS) do |value|
+            decode_open_ssl_bn(value)
+          end
+          kid = jwk_attributes(jwk_data, :kid)[:kid]
+          self.new(rsa_pkey(pkey_params), kid)
+        end
+
+        private
+
+        def jwk_attributes(jwk_data, *attributes)
+          attributes.each_with_object({}) do |attribute, hash|
+            value = jwk_data[attribute] || jwk_data[attribute.to_s]
+            value = yield(value) if block_given?
+            hash[attribute] = value
+          end
+        end
+
+        def rsa_pkey(rsa_parameters)
+          raise JWT::JWKError, 'Key format is invalid for RSA' unless rsa_parameters[:n] && rsa_parameters[:e]
+
+          populate_key(OpenSSL::PKey::RSA.new, rsa_parameters)
+        end
+
+        if OpenSSL::PKey::RSA.new.respond_to?(:set_key)
+          def populate_key(rsa_key, rsa_parameters)
+            rsa_key.set_key(rsa_parameters[:n], rsa_parameters[:e], rsa_parameters[:d])
+            rsa_key.set_factors(rsa_parameters[:p], rsa_parameters[:q]) if rsa_parameters[:p] && rsa_parameters[:q]
+            rsa_key.set_crt_params(rsa_parameters[:dp], rsa_parameters[:dq], rsa_parameters[:qi]) if rsa_parameters[:dp] && rsa_parameters[:dq] && rsa_parameters[:qi]
+            rsa_key
+          end
+        else
+          def populate_key(rsa_key, rsa_parameters)
+            rsa_key.n = rsa_parameters[:n]
+            rsa_key.e = rsa_parameters[:e]
+            rsa_key.d = rsa_parameters[:d] if rsa_parameters[:d]
+            rsa_key.p = rsa_parameters[:p] if rsa_parameters[:p]
+            rsa_key.q = rsa_parameters[:q] if rsa_parameters[:q]
+            rsa_key.dmp1 = rsa_parameters[:dp] if rsa_parameters[:dp]
+            rsa_key.dmq1 = rsa_parameters[:dq] if rsa_parameters[:dq]
+            rsa_key.iqmp = rsa_parameters[:qi] if rsa_parameters[:qi]
+
+            rsa_key
+          end
+        end
+
+        def decode_open_ssl_bn(jwk_data)
+          return nil unless jwk_data
+
+          OpenSSL::BN.new(::JWT::Base64.url_decode(jwk_data), BINARY)
+        end
       end
     end
   end

data/lib/jwt/jwk.rb

@@ -1,31 +1,51 @@
 # frozen_string_literal: true
 
-require_relative 'jwk/rsa'
 require_relative 'jwk/key_finder'
 
 module JWT
   module JWK
-    MAPPINGS = {
-      'RSA' => ::JWT::JWK::RSA,
-      OpenSSL::PKey::RSA => ::JWT::JWK::RSA
-    }.freeze
-
     class << self
       def import(jwk_data)
-        raise JWT::JWKError, 'Key type (kty) not provided' unless jwk_data[:kty]
+        jwk_kty = jwk_data[:kty] || jwk_data['kty']
+        raise JWT::JWKError, 'Key type (kty) not provided' unless jwk_kty
 
-        MAPPINGS.fetch(jwk_data[:kty].to_s) do |kty|
+        mappings.fetch(jwk_kty.to_s) do |kty|
           raise JWT::JWKError, "Key type #{kty} not supported"
         end.import(jwk_data)
       end
 
-      def create_from(keypair)
-        MAPPINGS.fetch(keypair.class) do |klass|
+      def create_from(keypair, kid = nil)
+        mappings.fetch(keypair.class) do |klass|
           raise JWT::JWKError, "Cannot create JWK from a #{klass.name}"
-        end.new(keypair)
+        end.new(keypair, kid)
+      end
+
+      def classes
+        @mappings = nil # reset the cached mappings
+        @classes ||= []
       end
 
       alias new create_from
+
+      private
+
+      def mappings
+        @mappings ||= generate_mappings
+      end
+
+      def generate_mappings
+        classes.each_with_object({}) do |klass, hash|
+          next unless klass.const_defined?('KTYS')
+          Array(klass::KTYS).each do |kty|
+            hash[kty] = klass
+          end
+        end
+      end
     end
   end
 end
+
+require_relative 'jwk/key_base'
+require_relative 'jwk/ec'
+require_relative 'jwk/rsa'
+require_relative 'jwk/hmac'

data/lib/jwt/signature.rb

@@ -2,12 +2,7 @@
 
 require 'jwt/security_utils'
 require 'openssl'
-require 'jwt/algos/hmac'
-require 'jwt/algos/eddsa'
-require 'jwt/algos/ecdsa'
-require 'jwt/algos/rsa'
-require 'jwt/algos/ps'
-require 'jwt/algos/unsupported'
+require 'jwt/algos'
 begin
   require 'rbnacl'
 rescue LoadError
@@ -19,29 +14,21 @@ module JWT
   # Signature logic for JWT
   module Signature
     extend self
-    ALGOS = [
-      Algos::Hmac,
-      Algos::Ecdsa,
-      Algos::Rsa,
-      Algos::Eddsa,
-      Algos::Ps,
-      Algos::Unsupported
-    ].freeze
     ToSign = Struct.new(:algorithm, :msg, :key)
     ToVerify = Struct.new(:algorithm, :public_key, :signing_input, :signature)
 
     def sign(algorithm, msg, key)
-      algo = ALGOS.find do |alg|
-        alg.const_get(:SUPPORTED).include? algorithm
-      end
-      algo.sign ToSign.new(algorithm, msg, key)
+      algo, code = Algos.find(algorithm)
+      algo.sign ToSign.new(code, msg, key)
     end
 
     def verify(algorithm, key, signing_input, signature)
-      algo = ALGOS.find do |alg|
-        alg.const_get(:SUPPORTED).include? algorithm
-      end
-      verified = algo.verify(ToVerify.new(algorithm, key, signing_input, signature))
+      return true if algorithm.casecmp('none').zero?
+
+      raise JWT::DecodeError, 'No verification key available' unless key
+
+      algo, code = Algos.find(algorithm)
+      verified = algo.verify(ToVerify.new(code, key, signing_input, signature))
       raise(JWT::VerificationError, 'Signature verification raised') unless verified
     rescue OpenSSL::PKey::PKeyError
       raise JWT::VerificationError, 'Signature verification raised'

data/lib/jwt/verify.rb

@@ -10,7 +10,7 @@ module JWT
     }.freeze
 
     class << self
-      %w[verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub].each do |method_name|
+      %w[verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub verify_required_claims].each do |method_name|
         define_method method_name do |payload, options|
           new(payload, options).send(method_name)
         end
@@ -81,6 +81,13 @@ module JWT
       raise(JWT::InvalidSubError, "Invalid subject. Expected #{options_sub}, received #{sub || '<none>'}") unless sub.to_s == options_sub.to_s
     end
 
+    def verify_required_claims
+      return unless (options_required_claims = @options[:required_claims])
+      options_required_claims.each do |required_claim|
+        raise(JWT::MissingRequiredClaim, "Missing required claim #{required_claim}") unless @payload.include?(required_claim)
+      end
+    end
+
     private
 
     def global_leeway

data/lib/jwt/version.rb

@@ -12,13 +12,13 @@ module JWT
     # major version
     MAJOR = 2
     # minor version
-    MINOR = 2
+    MINOR = 3
     # tiny version
     TINY  = 0
     # alpha, beta, etc. tag
     PRE   = nil
 
     # Build version string
-    STRING = [[MAJOR, MINOR, TINY].compact.join('.'), PRE].compact.join('-')
+    STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
   end
 end

data/ruby-jwt.gemspec

@@ -14,6 +14,10 @@ Gem::Specification.new do |spec|
   spec.homepage = 'https://github.com/jwt/ruby-jwt'
   spec.license = 'MIT'
   spec.required_ruby_version = '>= 2.1'
+  spec.metadata = {
+    'bug_tracker_uri' => 'https://github.com/jwt/ruby-jwt/issues',
+    'changelog_uri'   => "https://github.com/jwt/ruby-jwt/blob/v#{JWT.gem_version}/CHANGELOG.md"
+  }
 
   spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(spec|gemfiles|coverage|bin)/}) }
   spec.executables = []
@@ -25,10 +29,4 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'rake'
   spec.add_development_dependency 'rspec'
   spec.add_development_dependency 'simplecov'
-  spec.add_development_dependency 'simplecov-json'
-  spec.add_development_dependency 'codeclimate-test-reporter'
-  spec.add_development_dependency 'codacy-coverage'
-  spec.add_development_dependency 'rbnacl'
-  # RSASSA-PSS support provided by OpenSSL +2.1
-  spec.add_development_dependency 'openssl', '~> 2.1'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 2.3.0
 platform: ruby
 authors:
 - Tim Rudat
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-05-23 00:00:00.000000000 Z
+date: 2021-10-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: appraisal
@@ -80,76 +80,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: simplecov-json
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: codeclimate-test-reporter
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: codacy-coverage
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: rbnacl
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: openssl
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.1'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.1'
 description: A pure ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT)
   standard.
 email: timrudat@gmail.com
@@ -157,12 +87,12 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".codeclimate.yml"
-- ".ebert.yml"
+- ".github/workflows/test.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
-- ".travis.yml"
+- ".rubocop_todo.yml"
+- ".sourcelevel.yml"
 - AUTHORS
 - Appraisals
 - CHANGELOG.md
@@ -171,9 +101,11 @@ files:
 - README.md
 - Rakefile
 - lib/jwt.rb
+- lib/jwt/algos.rb
 - lib/jwt/algos/ecdsa.rb
 - lib/jwt/algos/eddsa.rb
 - lib/jwt/algos/hmac.rb
+- lib/jwt/algos/none.rb
 - lib/jwt/algos/ps.rb
 - lib/jwt/algos/rsa.rb
 - lib/jwt/algos/unsupported.rb
@@ -185,6 +117,9 @@ files:
 - lib/jwt/error.rb
 - lib/jwt/json.rb
 - lib/jwt/jwk.rb
+- lib/jwt/jwk/ec.rb
+- lib/jwt/jwk/hmac.rb
+- lib/jwt/jwk/key_base.rb
 - lib/jwt/jwk/key_finder.rb
 - lib/jwt/jwk/rsa.rb
 - lib/jwt/security_utils.rb
@@ -195,8 +130,10 @@ files:
 homepage: https://github.com/jwt/ruby-jwt
 licenses:
 - MIT
-metadata: {}
-post_install_message: 
+metadata:
+  bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
+  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.3.0/CHANGELOG.md
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -211,8 +148,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.2.19
+signing_key:
 specification_version: 4
 summary: JSON Web Token implementation in Ruby
 test_files: []

data/.codeclimate.yml

@@ -1,20 +0,0 @@
-engines:
-  rubocop:
-    enabled: true
-  golint:
-    enabled: false
-  gofmt:
-    enabled: false
-  eslint:
-    enabled: false
-  csslint:
-    enabled: false
-
-ratings:
-  paths:
-    - lib/**
-    - "**.rb"
-
-exclude_paths:
-  - spec/**/*
-  - vendor/**/*

data/.travis.yml

@@ -1,20 +0,0 @@
-sudo: required
-cache: bundler
-dist: trusty
-language: ruby
-rvm:
-  - 2.3
-  - 2.4
-  - 2.5
-  - 2.6
-gemfiles:
-  - gemfiles/standalone.gemfile
-  - gemfiles/rails_5.0.gemfile
-  - gemfiles/rails_5.1.gemfile
-  - gemfiles/rails_5.2.gemfile
-script: "bundle exec rspec && bundle exec codeclimate-test-reporter"
-before_install:
-  - sudo add-apt-repository ppa:chris-lea/libsodium -y
-  - sudo apt-get update -q
-  - sudo apt-get install libsodium-dev -y
-  - gem install bundler