jwt 2.2.1 → 2.8.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/AUTHORS +79 -44
- data/CHANGELOG.md +305 -20
- data/CODE_OF_CONDUCT.md +84 -0
- data/CONTRIBUTING.md +99 -0
- data/README.md +268 -40
- data/lib/jwt/base64.rb +16 -2
- data/lib/jwt/claims_validator.rb +13 -9
- data/lib/jwt/configuration/container.rb +32 -0
- data/lib/jwt/configuration/decode_configuration.rb +46 -0
- data/lib/jwt/configuration/jwk_configuration.rb +27 -0
- data/lib/jwt/configuration.rb +15 -0
- data/lib/jwt/decode.rb +80 -18
- data/lib/jwt/deprecations.rb +29 -0
- data/lib/jwt/encode.rb +24 -19
- data/lib/jwt/error.rb +17 -14
- data/lib/jwt/jwa/ecdsa.rb +76 -0
- data/lib/jwt/jwa/eddsa.rb +42 -0
- data/lib/jwt/jwa/hmac.rb +75 -0
- data/lib/jwt/jwa/hmac_rbnacl.rb +50 -0
- data/lib/jwt/jwa/hmac_rbnacl_fixed.rb +46 -0
- data/lib/jwt/jwa/none.rb +19 -0
- data/lib/jwt/jwa/ps.rb +30 -0
- data/lib/jwt/jwa/rsa.rb +25 -0
- data/lib/jwt/{algos → jwa}/unsupported.rb +8 -5
- data/lib/jwt/jwa/wrapper.rb +26 -0
- data/lib/jwt/jwa.rb +62 -0
- data/lib/jwt/jwk/ec.rb +251 -0
- data/lib/jwt/jwk/hmac.rb +103 -0
- data/lib/jwt/jwk/key_base.rb +57 -0
- data/lib/jwt/jwk/key_finder.rb +19 -30
- data/lib/jwt/jwk/kid_as_key_digest.rb +15 -0
- data/lib/jwt/jwk/okp_rbnacl.rb +110 -0
- data/lib/jwt/jwk/rsa.rb +181 -25
- data/lib/jwt/jwk/set.rb +80 -0
- data/lib/jwt/jwk/thumbprint.rb +26 -0
- data/lib/jwt/jwk.rb +39 -15
- data/lib/jwt/verify.rb +25 -6
- data/lib/jwt/version.rb +24 -3
- data/lib/jwt/x5c_key_finder.rb +52 -0
- data/lib/jwt.rb +6 -4
- data/ruby-jwt.gemspec +18 -10
- metadata +45 -76
- data/.codeclimate.yml +0 -20
- data/.ebert.yml +0 -18
- data/.gitignore +0 -11
- data/.rspec +0 -1
- data/.rubocop.yml +0 -98
- data/.travis.yml +0 -20
- data/Appraisals +0 -14
- data/Gemfile +0 -3
- data/Rakefile +0 -11
- data/lib/jwt/algos/ecdsa.rb +0 -35
- data/lib/jwt/algos/eddsa.rb +0 -23
- data/lib/jwt/algos/hmac.rb +0 -33
- data/lib/jwt/algos/ps.rb +0 -43
- data/lib/jwt/algos/rsa.rb +0 -19
- data/lib/jwt/default_options.rb +0 -15
- data/lib/jwt/security_utils.rb +0 -57
- data/lib/jwt/signature.rb +0 -52
data/lib/jwt/algos/hmac.rb
DELETED
@@ -1,33 +0,0 @@
|
|
1
|
-
module JWT
|
2
|
-
module Algos
|
3
|
-
module Hmac
|
4
|
-
module_function
|
5
|
-
|
6
|
-
SUPPORTED = %w[HS256 HS512256 HS384 HS512].freeze
|
7
|
-
|
8
|
-
def sign(to_sign)
|
9
|
-
algorithm, msg, key = to_sign.values
|
10
|
-
authenticator, padded_key = SecurityUtils.rbnacl_fixup(algorithm, key)
|
11
|
-
if authenticator && padded_key
|
12
|
-
authenticator.auth(padded_key, msg.encode('binary'))
|
13
|
-
else
|
14
|
-
OpenSSL::HMAC.digest(OpenSSL::Digest.new(algorithm.sub('HS', 'sha')), key, msg)
|
15
|
-
end
|
16
|
-
end
|
17
|
-
|
18
|
-
def verify(to_verify)
|
19
|
-
algorithm, public_key, signing_input, signature = to_verify.values
|
20
|
-
authenticator, padded_key = SecurityUtils.rbnacl_fixup(algorithm, public_key)
|
21
|
-
if authenticator && padded_key
|
22
|
-
begin
|
23
|
-
authenticator.verify(padded_key, signature.encode('binary'), signing_input.encode('binary'))
|
24
|
-
rescue RbNaCl::BadAuthenticatorError
|
25
|
-
false
|
26
|
-
end
|
27
|
-
else
|
28
|
-
SecurityUtils.secure_compare(signature, sign(JWT::Signature::ToSign.new(algorithm, signing_input, public_key)))
|
29
|
-
end
|
30
|
-
end
|
31
|
-
end
|
32
|
-
end
|
33
|
-
end
|
data/lib/jwt/algos/ps.rb
DELETED
@@ -1,43 +0,0 @@
|
|
1
|
-
module JWT
|
2
|
-
module Algos
|
3
|
-
module Ps
|
4
|
-
# RSASSA-PSS signing algorithms
|
5
|
-
|
6
|
-
module_function
|
7
|
-
|
8
|
-
SUPPORTED = %w[PS256 PS384 PS512].freeze
|
9
|
-
|
10
|
-
def sign(to_sign)
|
11
|
-
require_openssl!
|
12
|
-
|
13
|
-
algorithm, msg, key = to_sign.values
|
14
|
-
|
15
|
-
key_class = key.class
|
16
|
-
|
17
|
-
raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance." if key_class == String
|
18
|
-
|
19
|
-
translated_algorithm = algorithm.sub('PS', 'sha')
|
20
|
-
|
21
|
-
key.sign_pss(translated_algorithm, msg, salt_length: :digest, mgf1_hash: translated_algorithm)
|
22
|
-
end
|
23
|
-
|
24
|
-
def verify(to_verify)
|
25
|
-
require_openssl!
|
26
|
-
|
27
|
-
SecurityUtils.verify_ps(to_verify.algorithm, to_verify.public_key, to_verify.signing_input, to_verify.signature)
|
28
|
-
end
|
29
|
-
|
30
|
-
def require_openssl!
|
31
|
-
if Object.const_defined?('OpenSSL')
|
32
|
-
major, minor = OpenSSL::VERSION.split('.').first(2)
|
33
|
-
|
34
|
-
unless major.to_i >= 2 && minor.to_i >= 1
|
35
|
-
raise JWT::RequiredDependencyError, "You currently have OpenSSL #{OpenSSL::VERSION}. PS support requires >= 2.1"
|
36
|
-
end
|
37
|
-
else
|
38
|
-
raise JWT::RequiredDependencyError, 'PS signing requires OpenSSL +2.1'
|
39
|
-
end
|
40
|
-
end
|
41
|
-
end
|
42
|
-
end
|
43
|
-
end
|
data/lib/jwt/algos/rsa.rb
DELETED
@@ -1,19 +0,0 @@
|
|
1
|
-
module JWT
|
2
|
-
module Algos
|
3
|
-
module Rsa
|
4
|
-
module_function
|
5
|
-
|
6
|
-
SUPPORTED = %w[RS256 RS384 RS512].freeze
|
7
|
-
|
8
|
-
def sign(to_sign)
|
9
|
-
algorithm, msg, key = to_sign.values
|
10
|
-
raise EncodeError, "The given key is a #{key.class}. It has to be an OpenSSL::PKey::RSA instance." if key.class == String
|
11
|
-
key.sign(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), msg)
|
12
|
-
end
|
13
|
-
|
14
|
-
def verify(to_verify)
|
15
|
-
SecurityUtils.verify_rsa(to_verify.algorithm, to_verify.public_key, to_verify.signing_input, to_verify.signature)
|
16
|
-
end
|
17
|
-
end
|
18
|
-
end
|
19
|
-
end
|
data/lib/jwt/default_options.rb
DELETED
@@ -1,15 +0,0 @@
|
|
1
|
-
module JWT
|
2
|
-
module DefaultOptions
|
3
|
-
DEFAULT_OPTIONS = {
|
4
|
-
verify_expiration: true,
|
5
|
-
verify_not_before: true,
|
6
|
-
verify_iss: false,
|
7
|
-
verify_iat: false,
|
8
|
-
verify_jti: false,
|
9
|
-
verify_aud: false,
|
10
|
-
verify_sub: false,
|
11
|
-
leeway: 0,
|
12
|
-
algorithms: ['HS256']
|
13
|
-
}.freeze
|
14
|
-
end
|
15
|
-
end
|
data/lib/jwt/security_utils.rb
DELETED
@@ -1,57 +0,0 @@
|
|
1
|
-
module JWT
|
2
|
-
# Collection of security methods
|
3
|
-
#
|
4
|
-
# @see: https://github.com/rails/rails/blob/master/activesupport/lib/active_support/security_utils.rb
|
5
|
-
module SecurityUtils
|
6
|
-
module_function
|
7
|
-
|
8
|
-
def secure_compare(left, right)
|
9
|
-
left_bytesize = left.bytesize
|
10
|
-
|
11
|
-
return false unless left_bytesize == right.bytesize
|
12
|
-
|
13
|
-
unpacked_left = left.unpack "C#{left_bytesize}"
|
14
|
-
result = 0
|
15
|
-
right.each_byte { |byte| result |= byte ^ unpacked_left.shift }
|
16
|
-
result.zero?
|
17
|
-
end
|
18
|
-
|
19
|
-
def verify_rsa(algorithm, public_key, signing_input, signature)
|
20
|
-
public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
|
21
|
-
end
|
22
|
-
|
23
|
-
def verify_ps(algorithm, public_key, signing_input, signature)
|
24
|
-
formatted_algorithm = algorithm.sub('PS', 'sha')
|
25
|
-
|
26
|
-
public_key.verify_pss(formatted_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: formatted_algorithm)
|
27
|
-
end
|
28
|
-
|
29
|
-
def asn1_to_raw(signature, public_key)
|
30
|
-
byte_size = (public_key.group.degree + 7) / 8
|
31
|
-
OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
|
32
|
-
end
|
33
|
-
|
34
|
-
def raw_to_asn1(signature, private_key)
|
35
|
-
byte_size = (private_key.group.degree + 7) / 8
|
36
|
-
sig_bytes = signature[0..(byte_size - 1)]
|
37
|
-
sig_char = signature[byte_size..-1] || ''
|
38
|
-
OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
|
39
|
-
end
|
40
|
-
|
41
|
-
def rbnacl_fixup(algorithm, key)
|
42
|
-
algorithm = algorithm.sub('HS', 'SHA').to_sym
|
43
|
-
|
44
|
-
return [] unless defined?(RbNaCl) && RbNaCl::HMAC.constants(false).include?(algorithm)
|
45
|
-
|
46
|
-
authenticator = RbNaCl::HMAC.const_get(algorithm)
|
47
|
-
|
48
|
-
# Fall back to OpenSSL for keys larger than 32 bytes.
|
49
|
-
return [] if key.bytesize > authenticator.key_bytes
|
50
|
-
|
51
|
-
[
|
52
|
-
authenticator,
|
53
|
-
key.bytes.fill(0, key.bytesize...authenticator.key_bytes).pack('C*')
|
54
|
-
]
|
55
|
-
end
|
56
|
-
end
|
57
|
-
end
|
data/lib/jwt/signature.rb
DELETED
@@ -1,52 +0,0 @@
|
|
1
|
-
# frozen_string_literal: true
|
2
|
-
|
3
|
-
require 'jwt/security_utils'
|
4
|
-
require 'openssl'
|
5
|
-
require 'jwt/algos/hmac'
|
6
|
-
require 'jwt/algos/eddsa'
|
7
|
-
require 'jwt/algos/ecdsa'
|
8
|
-
require 'jwt/algos/rsa'
|
9
|
-
require 'jwt/algos/ps'
|
10
|
-
require 'jwt/algos/unsupported'
|
11
|
-
begin
|
12
|
-
require 'rbnacl'
|
13
|
-
rescue LoadError
|
14
|
-
raise if defined?(RbNaCl)
|
15
|
-
end
|
16
|
-
|
17
|
-
# JWT::Signature module
|
18
|
-
module JWT
|
19
|
-
# Signature logic for JWT
|
20
|
-
module Signature
|
21
|
-
extend self
|
22
|
-
ALGOS = [
|
23
|
-
Algos::Hmac,
|
24
|
-
Algos::Ecdsa,
|
25
|
-
Algos::Rsa,
|
26
|
-
Algos::Eddsa,
|
27
|
-
Algos::Ps,
|
28
|
-
Algos::Unsupported
|
29
|
-
].freeze
|
30
|
-
ToSign = Struct.new(:algorithm, :msg, :key)
|
31
|
-
ToVerify = Struct.new(:algorithm, :public_key, :signing_input, :signature)
|
32
|
-
|
33
|
-
def sign(algorithm, msg, key)
|
34
|
-
algo = ALGOS.find do |alg|
|
35
|
-
alg.const_get(:SUPPORTED).include? algorithm
|
36
|
-
end
|
37
|
-
algo.sign ToSign.new(algorithm, msg, key)
|
38
|
-
end
|
39
|
-
|
40
|
-
def verify(algorithm, key, signing_input, signature)
|
41
|
-
algo = ALGOS.find do |alg|
|
42
|
-
alg.const_get(:SUPPORTED).include? algorithm
|
43
|
-
end
|
44
|
-
verified = algo.verify(ToVerify.new(algorithm, key, signing_input, signature))
|
45
|
-
raise(JWT::VerificationError, 'Signature verification raised') unless verified
|
46
|
-
rescue OpenSSL::PKey::PKeyError
|
47
|
-
raise JWT::VerificationError, 'Signature verification raised'
|
48
|
-
ensure
|
49
|
-
OpenSSL.errors.clear
|
50
|
-
end
|
51
|
-
end
|
52
|
-
end
|