jwt 2.2.1 → 2.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (60) hide show
  1. checksums.yaml +4 -4
  2. data/AUTHORS +79 -44
  3. data/CHANGELOG.md +305 -20
  4. data/CODE_OF_CONDUCT.md +84 -0
  5. data/CONTRIBUTING.md +99 -0
  6. data/README.md +268 -40
  7. data/lib/jwt/base64.rb +16 -2
  8. data/lib/jwt/claims_validator.rb +13 -9
  9. data/lib/jwt/configuration/container.rb +32 -0
  10. data/lib/jwt/configuration/decode_configuration.rb +46 -0
  11. data/lib/jwt/configuration/jwk_configuration.rb +27 -0
  12. data/lib/jwt/configuration.rb +15 -0
  13. data/lib/jwt/decode.rb +80 -18
  14. data/lib/jwt/deprecations.rb +29 -0
  15. data/lib/jwt/encode.rb +24 -19
  16. data/lib/jwt/error.rb +17 -14
  17. data/lib/jwt/jwa/ecdsa.rb +76 -0
  18. data/lib/jwt/jwa/eddsa.rb +42 -0
  19. data/lib/jwt/jwa/hmac.rb +75 -0
  20. data/lib/jwt/jwa/hmac_rbnacl.rb +50 -0
  21. data/lib/jwt/jwa/hmac_rbnacl_fixed.rb +46 -0
  22. data/lib/jwt/jwa/none.rb +19 -0
  23. data/lib/jwt/jwa/ps.rb +30 -0
  24. data/lib/jwt/jwa/rsa.rb +25 -0
  25. data/lib/jwt/{algos → jwa}/unsupported.rb +8 -5
  26. data/lib/jwt/jwa/wrapper.rb +26 -0
  27. data/lib/jwt/jwa.rb +62 -0
  28. data/lib/jwt/jwk/ec.rb +251 -0
  29. data/lib/jwt/jwk/hmac.rb +103 -0
  30. data/lib/jwt/jwk/key_base.rb +57 -0
  31. data/lib/jwt/jwk/key_finder.rb +19 -30
  32. data/lib/jwt/jwk/kid_as_key_digest.rb +15 -0
  33. data/lib/jwt/jwk/okp_rbnacl.rb +110 -0
  34. data/lib/jwt/jwk/rsa.rb +181 -25
  35. data/lib/jwt/jwk/set.rb +80 -0
  36. data/lib/jwt/jwk/thumbprint.rb +26 -0
  37. data/lib/jwt/jwk.rb +39 -15
  38. data/lib/jwt/verify.rb +25 -6
  39. data/lib/jwt/version.rb +24 -3
  40. data/lib/jwt/x5c_key_finder.rb +52 -0
  41. data/lib/jwt.rb +6 -4
  42. data/ruby-jwt.gemspec +18 -10
  43. metadata +45 -76
  44. data/.codeclimate.yml +0 -20
  45. data/.ebert.yml +0 -18
  46. data/.gitignore +0 -11
  47. data/.rspec +0 -1
  48. data/.rubocop.yml +0 -98
  49. data/.travis.yml +0 -20
  50. data/Appraisals +0 -14
  51. data/Gemfile +0 -3
  52. data/Rakefile +0 -11
  53. data/lib/jwt/algos/ecdsa.rb +0 -35
  54. data/lib/jwt/algos/eddsa.rb +0 -23
  55. data/lib/jwt/algos/hmac.rb +0 -33
  56. data/lib/jwt/algos/ps.rb +0 -43
  57. data/lib/jwt/algos/rsa.rb +0 -19
  58. data/lib/jwt/default_options.rb +0 -15
  59. data/lib/jwt/security_utils.rb +0 -57
  60. data/lib/jwt/signature.rb +0 -52
data/lib/jwt/algos/hmac.rb DELETED
@@ -1,33 +0,0 @@
1
- module JWT
2
- module Algos
3
- module Hmac
4
- module_function
5
-
6
- SUPPORTED = %w[HS256 HS512256 HS384 HS512].freeze
7
-
8
- def sign(to_sign)
9
- algorithm, msg, key = to_sign.values
10
- authenticator, padded_key = SecurityUtils.rbnacl_fixup(algorithm, key)
11
- if authenticator && padded_key
12
- authenticator.auth(padded_key, msg.encode('binary'))
13
- else
14
- OpenSSL::HMAC.digest(OpenSSL::Digest.new(algorithm.sub('HS', 'sha')), key, msg)
15
- end
16
- end
17
-
18
- def verify(to_verify)
19
- algorithm, public_key, signing_input, signature = to_verify.values
20
- authenticator, padded_key = SecurityUtils.rbnacl_fixup(algorithm, public_key)
21
- if authenticator && padded_key
22
- begin
23
- authenticator.verify(padded_key, signature.encode('binary'), signing_input.encode('binary'))
24
- rescue RbNaCl::BadAuthenticatorError
25
- false
26
- end
27
- else
28
- SecurityUtils.secure_compare(signature, sign(JWT::Signature::ToSign.new(algorithm, signing_input, public_key)))
29
- end
30
- end
31
- end
32
- end
33
- end
data/lib/jwt/algos/ps.rb DELETED
@@ -1,43 +0,0 @@
1
- module JWT
2
- module Algos
3
- module Ps
4
- # RSASSA-PSS signing algorithms
5
-
6
- module_function
7
-
8
- SUPPORTED = %w[PS256 PS384 PS512].freeze
9
-
10
- def sign(to_sign)
11
- require_openssl!
12
-
13
- algorithm, msg, key = to_sign.values
14
-
15
- key_class = key.class
16
-
17
- raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance." if key_class == String
18
-
19
- translated_algorithm = algorithm.sub('PS', 'sha')
20
-
21
- key.sign_pss(translated_algorithm, msg, salt_length: :digest, mgf1_hash: translated_algorithm)
22
- end
23
-
24
- def verify(to_verify)
25
- require_openssl!
26
-
27
- SecurityUtils.verify_ps(to_verify.algorithm, to_verify.public_key, to_verify.signing_input, to_verify.signature)
28
- end
29
-
30
- def require_openssl!
31
- if Object.const_defined?('OpenSSL')
32
- major, minor = OpenSSL::VERSION.split('.').first(2)
33
-
34
- unless major.to_i >= 2 && minor.to_i >= 1
35
- raise JWT::RequiredDependencyError, "You currently have OpenSSL #{OpenSSL::VERSION}. PS support requires >= 2.1"
36
- end
37
- else
38
- raise JWT::RequiredDependencyError, 'PS signing requires OpenSSL +2.1'
39
- end
40
- end
41
- end
42
- end
43
- end
data/lib/jwt/algos/rsa.rb DELETED
@@ -1,19 +0,0 @@
1
- module JWT
2
- module Algos
3
- module Rsa
4
- module_function
5
-
6
- SUPPORTED = %w[RS256 RS384 RS512].freeze
7
-
8
- def sign(to_sign)
9
- algorithm, msg, key = to_sign.values
10
- raise EncodeError, "The given key is a #{key.class}. It has to be an OpenSSL::PKey::RSA instance." if key.class == String
11
- key.sign(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), msg)
12
- end
13
-
14
- def verify(to_verify)
15
- SecurityUtils.verify_rsa(to_verify.algorithm, to_verify.public_key, to_verify.signing_input, to_verify.signature)
16
- end
17
- end
18
- end
19
- end
data/lib/jwt/default_options.rb DELETED
@@ -1,15 +0,0 @@
1
- module JWT
2
- module DefaultOptions
3
- DEFAULT_OPTIONS = {
4
- verify_expiration: true,
5
- verify_not_before: true,
6
- verify_iss: false,
7
- verify_iat: false,
8
- verify_jti: false,
9
- verify_aud: false,
10
- verify_sub: false,
11
- leeway: 0,
12
- algorithms: ['HS256']
13
- }.freeze
14
- end
15
- end
data/lib/jwt/security_utils.rb DELETED
@@ -1,57 +0,0 @@
1
- module JWT
2
- # Collection of security methods
3
- #
4
- # @see: https://github.com/rails/rails/blob/master/activesupport/lib/active_support/security_utils.rb
5
- module SecurityUtils
6
- module_function
7
-
8
- def secure_compare(left, right)
9
- left_bytesize = left.bytesize
10
-
11
- return false unless left_bytesize == right.bytesize
12
-
13
- unpacked_left = left.unpack "C#{left_bytesize}"
14
- result = 0
15
- right.each_byte { |byte| result |= byte ^ unpacked_left.shift }
16
- result.zero?
17
- end
18
-
19
- def verify_rsa(algorithm, public_key, signing_input, signature)
20
- public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
21
- end
22
-
23
- def verify_ps(algorithm, public_key, signing_input, signature)
24
- formatted_algorithm = algorithm.sub('PS', 'sha')
25
-
26
- public_key.verify_pss(formatted_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: formatted_algorithm)
27
- end
28
-
29
- def asn1_to_raw(signature, public_key)
30
- byte_size = (public_key.group.degree + 7) / 8
31
- OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
32
- end
33
-
34
- def raw_to_asn1(signature, private_key)
35
- byte_size = (private_key.group.degree + 7) / 8
36
- sig_bytes = signature[0..(byte_size - 1)]
37
- sig_char = signature[byte_size..-1] || ''
38
- OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
39
- end
40
-
41
- def rbnacl_fixup(algorithm, key)
42
- algorithm = algorithm.sub('HS', 'SHA').to_sym
43
-
44
- return [] unless defined?(RbNaCl) && RbNaCl::HMAC.constants(false).include?(algorithm)
45
-
46
- authenticator = RbNaCl::HMAC.const_get(algorithm)
47
-
48
- # Fall back to OpenSSL for keys larger than 32 bytes.
49
- return [] if key.bytesize > authenticator.key_bytes
50
-
51
- [
52
- authenticator,
53
- key.bytes.fill(0, key.bytesize...authenticator.key_bytes).pack('C*')
54
- ]
55
- end
56
- end
57
- end
data/lib/jwt/signature.rb DELETED
@@ -1,52 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- require 'jwt/security_utils'
4
- require 'openssl'
5
- require 'jwt/algos/hmac'
6
- require 'jwt/algos/eddsa'
7
- require 'jwt/algos/ecdsa'
8
- require 'jwt/algos/rsa'
9
- require 'jwt/algos/ps'
10
- require 'jwt/algos/unsupported'
11
- begin
12
- require 'rbnacl'
13
- rescue LoadError
14
- raise if defined?(RbNaCl)
15
- end
16
-
17
- # JWT::Signature module
18
- module JWT
19
- # Signature logic for JWT
20
- module Signature
21
- extend self
22
- ALGOS = [
23
- Algos::Hmac,
24
- Algos::Ecdsa,
25
- Algos::Rsa,
26
- Algos::Eddsa,
27
- Algos::Ps,
28
- Algos::Unsupported
29
- ].freeze
30
- ToSign = Struct.new(:algorithm, :msg, :key)
31
- ToVerify = Struct.new(:algorithm, :public_key, :signing_input, :signature)
32
-
33
- def sign(algorithm, msg, key)
34
- algo = ALGOS.find do |alg|
35
- alg.const_get(:SUPPORTED).include? algorithm
36
- end
37
- algo.sign ToSign.new(algorithm, msg, key)
38
- end
39
-
40
- def verify(algorithm, key, signing_input, signature)
41
- algo = ALGOS.find do |alg|
42
- alg.const_get(:SUPPORTED).include? algorithm
43
- end
44
- verified = algo.verify(ToVerify.new(algorithm, key, signing_input, signature))
45
- raise(JWT::VerificationError, 'Signature verification raised') unless verified
46
- rescue OpenSSL::PKey::PKeyError
47
- raise JWT::VerificationError, 'Signature verification raised'
48
- ensure
49
- OpenSSL.errors.clear
50
- end
51
- end
52
- end