jwt 2.2.1 → 2.7.1

data/lib/jwt/version.rb

@@ -1,4 +1,3 @@
-# encoding: utf-8
 # frozen_string_literal: true
 
 # Moments version builder module
@@ -12,13 +11,34 @@ module JWT
     # major version
     MAJOR = 2
     # minor version
-    MINOR = 2
+    MINOR = 7
     # tiny version
     TINY  = 1
     # alpha, beta, etc. tag
     PRE   = nil
 
     # Build version string
-    STRING = [[MAJOR, MINOR, TINY].compact.join('.'), PRE].compact.join('-')
+    STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
+  end
+
+  def self.openssl_3?
+    return false if OpenSSL::OPENSSL_VERSION.include?('LibreSSL')
+    return true if OpenSSL::OPENSSL_VERSION_NUMBER >= 3 * 0x10000000
+  end
+
+  def self.rbnacl?
+    defined?(::RbNaCl)
+  end
+
+  def self.rbnacl_6_or_greater?
+    rbnacl? && ::Gem::Version.new(::RbNaCl::VERSION) >= ::Gem::Version.new('6.0.0')
+  end
+
+  def self.openssl_3_hmac_empty_key_regression?
+    openssl_3? && openssl_version <= ::Gem::Version.new('3.0.0')
+  end
+
+  def self.openssl_version
+    @openssl_version ||= ::Gem::Version.new(OpenSSL::VERSION)
   end
 end

data/lib/jwt/x5c_key_finder.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require 'base64'
+require 'jwt/error'
+
+module JWT
+  # If the x5c header certificate chain can be validated by trusted root
+  # certificates, and none of the certificates are revoked, returns the public
+  # key from the first certificate.
+  # See https://tools.ietf.org/html/rfc7515#section-4.1.6
+  class X5cKeyFinder
+    def initialize(root_certificates, crls = nil)
+      raise(ArgumentError, 'Root certificates must be specified') unless root_certificates
+
+      @store = build_store(root_certificates, crls)
+    end
+
+    def from(x5c_header_or_certificates)
+      signing_certificate, *certificate_chain = parse_certificates(x5c_header_or_certificates)
+      store_context = OpenSSL::X509::StoreContext.new(@store, signing_certificate, certificate_chain)
+
+      if store_context.verify
+        signing_certificate.public_key
+      else
+        error = "Certificate verification failed: #{store_context.error_string}."
+        if (current_cert = store_context.current_cert)
+          error = "#{error} Certificate subject: #{current_cert.subject}."
+        end
+
+        raise(JWT::VerificationError, error)
+      end
+    end
+
+    private
+
+    def build_store(root_certificates, crls)
+      store = OpenSSL::X509::Store.new
+      store.purpose = OpenSSL::X509::PURPOSE_ANY
+      store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
+      root_certificates.each { |certificate| store.add_cert(certificate) }
+      crls&.each { |crl| store.add_crl(crl) }
+      store
+    end
+
+    def parse_certificates(x5c_header_or_certificates)
+      if x5c_header_or_certificates.all? { |obj| obj.is_a?(OpenSSL::X509::Certificate) }
+        x5c_header_or_certificates
+      else
+        x5c_header_or_certificates.map do |encoded|
+          OpenSSL::X509::Certificate.new(::JWT::Base64.url_decode(encoded))
+        end
+      end
+    end
+  end
+end

data/lib/jwt.rb

@@ -1,9 +1,10 @@
 # frozen_string_literal: true
 
+require 'jwt/version'
 require 'jwt/base64'
 require 'jwt/json'
 require 'jwt/decode'
-require 'jwt/default_options'
+require 'jwt/configuration'
 require 'jwt/encode'
 require 'jwt/error'
 require 'jwt/jwk'
@@ -13,7 +14,7 @@ require 'jwt/jwk'
 # Should be up to date with the latest spec:
 # https://tools.ietf.org/html/rfc7519
 module JWT
-  include JWT::DefaultOptions
+  extend ::JWT::Configuration
 
   module_function
 
@@ -24,7 +25,7 @@ module JWT
                headers: header_fields).segments
   end
 
-  def decode(jwt, key = nil, verify = true, options = {}, &keyfinder)
-    Decode.new(jwt, key, verify, DEFAULT_OPTIONS.merge(options), &keyfinder).decode_segments
+  def decode(jwt, key = nil, verify = true, options = {}, &keyfinder) # rubocop:disable Style/OptionalBooleanParameter
+    Decode.new(jwt, key, verify, configuration.decode.to_h.merge(options), &keyfinder).decode_segments
   end
 end

data/ruby-jwt.gemspec

@@ -1,4 +1,6 @@
-lib = File.expand_path('../lib/', __FILE__)
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'jwt/version'
 
@@ -13,11 +15,20 @@ Gem::Specification.new do |spec|
   spec.description = 'A pure ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard.'
   spec.homepage = 'https://github.com/jwt/ruby-jwt'
   spec.license = 'MIT'
-  spec.required_ruby_version = '>= 2.1'
+  spec.required_ruby_version = '>= 2.5'
+  spec.metadata = {
+    'bug_tracker_uri' => 'https://github.com/jwt/ruby-jwt/issues',
+    'changelog_uri' => "https://github.com/jwt/ruby-jwt/blob/v#{JWT.gem_version}/CHANGELOG.md",
+    'rubygems_mfa_required' => 'true'
+  }
+
+  spec.files = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(spec|gemfiles|coverage|bin)/}) || # Irrelevant folders
+      f.match(/^\.+/) || # Files and folders starting with .
+      f.match(/^(Appraisals|Gemfile|Rakefile)$/) # Irrelevant files
+  end
 
-  spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(spec|gemfiles|coverage|bin)/}) }
   spec.executables = []
-  spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = %w[lib]
 
   spec.add_development_dependency 'appraisal'
@@ -25,10 +36,4 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'rake'
   spec.add_development_dependency 'rspec'
   spec.add_development_dependency 'simplecov'
-  spec.add_development_dependency 'simplecov-json'
-  spec.add_development_dependency 'codeclimate-test-reporter'
-  spec.add_development_dependency 'codacy-coverage'
-  spec.add_development_dependency 'rbnacl'
-  # RSASSA-PSS support provided by OpenSSL +2.1
-  spec.add_development_dependency 'openssl', '~> 2.1'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 2.2.1
+  version: 2.7.1
 platform: ruby
 authors:
 - Tim Rudat
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-05-24 00:00:00.000000000 Z
+date: 2023-06-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: appraisal
@@ -80,76 +80,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: simplecov-json
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: codeclimate-test-reporter
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: codacy-coverage
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: rbnacl
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: openssl
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.1'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.1'
 description: A pure ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT)
   standard.
 email: timrudat@gmail.com
@@ -157,46 +87,56 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".codeclimate.yml"
-- ".ebert.yml"
-- ".gitignore"
-- ".rspec"
-- ".rubocop.yml"
-- ".travis.yml"
 - AUTHORS
-- Appraisals
 - CHANGELOG.md
-- Gemfile
+- CODE_OF_CONDUCT.md
+- CONTRIBUTING.md
 - LICENSE
 - README.md
-- Rakefile
 - lib/jwt.rb
+- lib/jwt/algos.rb
+- lib/jwt/algos/algo_wrapper.rb
 - lib/jwt/algos/ecdsa.rb
 - lib/jwt/algos/eddsa.rb
 - lib/jwt/algos/hmac.rb
+- lib/jwt/algos/hmac_rbnacl.rb
+- lib/jwt/algos/hmac_rbnacl_fixed.rb
+- lib/jwt/algos/none.rb
 - lib/jwt/algos/ps.rb
 - lib/jwt/algos/rsa.rb
 - lib/jwt/algos/unsupported.rb
 - lib/jwt/base64.rb
 - lib/jwt/claims_validator.rb
+- lib/jwt/configuration.rb
+- lib/jwt/configuration/container.rb
+- lib/jwt/configuration/decode_configuration.rb
+- lib/jwt/configuration/jwk_configuration.rb
 - lib/jwt/decode.rb
-- lib/jwt/default_options.rb
 - lib/jwt/encode.rb
 - lib/jwt/error.rb
 - lib/jwt/json.rb
 - lib/jwt/jwk.rb
+- lib/jwt/jwk/ec.rb
+- lib/jwt/jwk/hmac.rb
+- lib/jwt/jwk/key_base.rb
 - lib/jwt/jwk/key_finder.rb
+- lib/jwt/jwk/kid_as_key_digest.rb
+- lib/jwt/jwk/okp_rbnacl.rb
 - lib/jwt/jwk/rsa.rb
-- lib/jwt/security_utils.rb
-- lib/jwt/signature.rb
+- lib/jwt/jwk/set.rb
+- lib/jwt/jwk/thumbprint.rb
 - lib/jwt/verify.rb
 - lib/jwt/version.rb
+- lib/jwt/x5c_key_finder.rb
 - ruby-jwt.gemspec
 homepage: https://github.com/jwt/ruby-jwt
 licenses:
 - MIT
-metadata: {}
-post_install_message: 
+metadata:
+  bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
+  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.7.1/CHANGELOG.md
+  rubygems_mfa_required: 'true'
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -204,15 +144,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.1'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.3.7
+signing_key:
 specification_version: 4
 summary: JSON Web Token implementation in Ruby
 test_files: []

data/.codeclimate.yml

@@ -1,20 +0,0 @@
-engines:
-  rubocop:
-    enabled: true
-  golint:
-    enabled: false
-  gofmt:
-    enabled: false
-  eslint:
-    enabled: false
-  csslint:
-    enabled: false
-
-ratings:
-  paths:
-    - lib/**
-    - "**.rb"
-
-exclude_paths:
-  - spec/**/*
-  - vendor/**/*

data/.ebert.yml

@@ -1,18 +0,0 @@
-styleguide: excpt/linters
-engines:
-  reek:
-    enabled: true
-  fixme:
-    enabled: true
-  rubocop:
-    enabled: true
-    channel: rubocop-0-49
-  duplication:
-    config:
-      languages:
-      - ruby
-    enabled: true
-  remark-lint:
-    enabled: true
-exclude_paths:
-- spec

data/.gitignore

@@ -1,11 +0,0 @@
-.idea/
-jwt.gemspec
-pkg
-Gemfile.lock
-coverage/
-.DS_Store
-.rbenv-gemsets
-.ruby-version
-.vscode/
-.bundle
-*gemfile.lock

data/.rspec

@@ -1 +0,0 @@
---color

data/.rubocop.yml

@@ -1,98 +0,0 @@
-AllCops:
-  Exclude:
-    - 'bin/**/*'
-    - 'db/**/*'
-    - 'config/**/*'
-    - 'script/**/*'
-
-Rails:
-  Enabled: true
-
-Style/AlignParameters:
-  EnforcedStyle: with_fixed_indentation
-
-Style/CaseIndentation:
-  EnforcedStyle: end
-
-Style/AsciiComments:
-  Enabled: false
-
-Style/IndentHash:
-  Enabled: false
-
-Style/CollectionMethods:
-  Enabled: true
-  PreferredMethods:
-      inject: 'inject'
-
-Style/Documentation:
-  Enabled: false
-
-Style/BlockDelimiters:
-  Exclude:
-    - spec/**/*_spec.rb
-
-Style/BracesAroundHashParameters:
-  Exclude:
-    - spec/**/*_spec.rb
-
-Style/GuardClause:
-  Enabled: false
-
-Style/IfUnlessModifier:
-  Enabled: false
-
-Style/SpaceInsideHashLiteralBraces:
-  Enabled: false
-
-Style/Lambda:
-  Enabled: false
-
-Style/RaiseArgs:
-  Enabled: false
-
-Style/SignalException:
-  Enabled: false
-
-Metrics/AbcSize:
-  Max: 20
-
-Metrics/ClassLength:
-  Max: 100
-
-Metrics/ModuleLength:
-  Max: 100
-
-Metrics/LineLength:
-  Enabled: false
-
-Metrics/MethodLength:
-  Max: 15
-
-Style/SingleLineBlockParams:
-  Enabled: false
-
-Lint/EndAlignment:
-  EnforcedStyleAlignWith: variable
-
-Style/FormatString:
-  Enabled: false
-
-Style/MultilineMethodCallIndentation:
-  EnforcedStyle: indented
-
-Style/MultilineOperationIndentation:
-  EnforcedStyle: indented
-
-Style/WordArray:
-  Enabled: false
-
-Style/RedundantSelf:
-  Enabled: false
-
-Style/AlignHash:
-  Enabled: true
-  EnforcedLastArgumentHashStyle: always_ignore
-
-Style/TrivialAccessors:
-  AllowPredicates: true

data/.travis.yml

@@ -1,20 +0,0 @@
-sudo: required
-cache: bundler
-dist: trusty
-language: ruby
-rvm:
-  - 2.3
-  - 2.4
-  - 2.5
-  - 2.6
-gemfiles:
-  - gemfiles/standalone.gemfile
-  - gemfiles/rails_5.0.gemfile
-  - gemfiles/rails_5.1.gemfile
-  - gemfiles/rails_5.2.gemfile
-script: "bundle exec rspec && bundle exec codeclimate-test-reporter"
-before_install:
-  - sudo add-apt-repository ppa:chris-lea/libsodium -y
-  - sudo apt-get update -q
-  - sudo apt-get install libsodium-dev -y
-  - gem install bundler

data/Appraisals

@@ -1,14 +0,0 @@
-appraise 'standalone' do
-end
-
-appraise 'rails-5.0' do
-  gem 'rails', '~> 5.0.0'
-end
-
-appraise 'rails-5.1' do
-  gem 'rails', '~> 5.1.0'
-end
-
-appraise 'rails-5.2' do
-  gem 'rails', '~> 5.2.0'
-end

data/Gemfile

@@ -1,3 +0,0 @@
-source 'https://rubygems.org'
-
-gemspec

data/Rakefile

@@ -1,11 +0,0 @@
-require 'bundler/gem_tasks'
-
-begin
-  require 'rspec/core/rake_task'
-
-  RSpec::Core::RakeTask.new(:test)
-
-  task default: :test
-rescue LoadError
-  puts 'RSpec rake tasks not available. Please run "bundle install" to install missing dependencies.'
-end

data/lib/jwt/default_options.rb

@@ -1,15 +0,0 @@
-module JWT
-  module DefaultOptions
-    DEFAULT_OPTIONS = {
-      verify_expiration: true,
-      verify_not_before: true,
-      verify_iss: false,
-      verify_iat: false,
-      verify_jti: false,
-      verify_aud: false,
-      verify_sub: false,
-      leeway: 0,
-      algorithms: ['HS256']
-    }.freeze
-  end
-end

data/lib/jwt/security_utils.rb

@@ -1,57 +0,0 @@
-module JWT
-  # Collection of security methods
-  #
-  # @see: https://github.com/rails/rails/blob/master/activesupport/lib/active_support/security_utils.rb
-  module SecurityUtils
-    module_function
-
-    def secure_compare(left, right)
-      left_bytesize = left.bytesize
-
-      return false unless left_bytesize == right.bytesize
-
-      unpacked_left = left.unpack "C#{left_bytesize}"
-      result = 0
-      right.each_byte { |byte| result |= byte ^ unpacked_left.shift }
-      result.zero?
-    end
-
-    def verify_rsa(algorithm, public_key, signing_input, signature)
-      public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
-    end
-
-    def verify_ps(algorithm, public_key, signing_input, signature)
-      formatted_algorithm = algorithm.sub('PS', 'sha')
-
-      public_key.verify_pss(formatted_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: formatted_algorithm)
-    end
-
-    def asn1_to_raw(signature, public_key)
-      byte_size = (public_key.group.degree + 7) / 8
-      OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
-    end
-
-    def raw_to_asn1(signature, private_key)
-      byte_size = (private_key.group.degree + 7) / 8
-      sig_bytes = signature[0..(byte_size - 1)]
-      sig_char = signature[byte_size..-1] || ''
-      OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
-    end
-
-    def rbnacl_fixup(algorithm, key)
-      algorithm = algorithm.sub('HS', 'SHA').to_sym
-
-      return [] unless defined?(RbNaCl) && RbNaCl::HMAC.constants(false).include?(algorithm)
-
-      authenticator = RbNaCl::HMAC.const_get(algorithm)
-
-      # Fall back to OpenSSL for keys larger than 32 bytes.
-      return [] if key.bytesize > authenticator.key_bytes
-
-      [
-        authenticator,
-        key.bytes.fill(0, key.bytesize...authenticator.key_bytes).pack('C*')
-      ]
-    end
-  end
-end

data/lib/jwt/signature.rb

@@ -1,52 +0,0 @@
-# frozen_string_literal: true
-
-require 'jwt/security_utils'
-require 'openssl'
-require 'jwt/algos/hmac'
-require 'jwt/algos/eddsa'
-require 'jwt/algos/ecdsa'
-require 'jwt/algos/rsa'
-require 'jwt/algos/ps'
-require 'jwt/algos/unsupported'
-begin
-  require 'rbnacl'
-rescue LoadError
-  raise if defined?(RbNaCl)
-end
-
-# JWT::Signature module
-module JWT
-  # Signature logic for JWT
-  module Signature
-    extend self
-    ALGOS = [
-      Algos::Hmac,
-      Algos::Ecdsa,
-      Algos::Rsa,
-      Algos::Eddsa,
-      Algos::Ps,
-      Algos::Unsupported
-    ].freeze
-    ToSign = Struct.new(:algorithm, :msg, :key)
-    ToVerify = Struct.new(:algorithm, :public_key, :signing_input, :signature)
-
-    def sign(algorithm, msg, key)
-      algo = ALGOS.find do |alg|
-        alg.const_get(:SUPPORTED).include? algorithm
-      end
-      algo.sign ToSign.new(algorithm, msg, key)
-    end
-
-    def verify(algorithm, key, signing_input, signature)
-      algo = ALGOS.find do |alg|
-        alg.const_get(:SUPPORTED).include? algorithm
-      end
-      verified = algo.verify(ToVerify.new(algorithm, key, signing_input, signature))
-      raise(JWT::VerificationError, 'Signature verification raised') unless verified
-    rescue OpenSSL::PKey::PKeyError
-      raise JWT::VerificationError, 'Signature verification raised'
-    ensure
-      OpenSSL.errors.clear
-    end
-  end
-end