jwt 2.2.2 → 2.10.2

data/lib/jwt/algos/ecdsa.rb

@@ -1,35 +0,0 @@
-module JWT
-  module Algos
-    module Ecdsa
-      module_function
-
-      SUPPORTED = %w[ES256 ES384 ES512].freeze
-      NAMED_CURVES = {
-        'prime256v1' => 'ES256',
-        'secp384r1' => 'ES384',
-        'secp521r1' => 'ES512'
-      }.freeze
-
-      def sign(to_sign)
-        algorithm, msg, key = to_sign.values
-        key_algorithm = NAMED_CURVES[key.group.curve_name]
-        if algorithm != key_algorithm
-          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} signing key was provided"
-        end
-
-        digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
-        SecurityUtils.asn1_to_raw(key.dsa_sign_asn1(digest.digest(msg)), key)
-      end
-
-      def verify(to_verify)
-        algorithm, public_key, signing_input, signature = to_verify.values
-        key_algorithm = NAMED_CURVES[public_key.group.curve_name]
-        if algorithm != key_algorithm
-          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} verification key was provided"
-        end
-        digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
-        public_key.dsa_verify_asn1(digest.digest(signing_input), SecurityUtils.raw_to_asn1(signature, public_key))
-      end
-    end
-  end
-end

data/lib/jwt/algos/eddsa.rb

@@ -1,23 +0,0 @@
-module JWT
-  module Algos
-    module Eddsa
-      module_function
-
-      SUPPORTED = %w[ED25519].freeze
-
-      def sign(to_sign)
-        algorithm, msg, key = to_sign.values
-        raise EncodeError, "Key given is a #{key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey" if key.class != RbNaCl::Signatures::Ed25519::SigningKey
-        raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided"  if algorithm.downcase.to_sym != key.primitive
-        key.sign(msg)
-      end
-
-      def verify(to_verify)
-        algorithm, public_key, signing_input, signature = to_verify.values
-        raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{public_key.primitive} verification key was provided" if algorithm.downcase.to_sym != public_key.primitive
-        raise DecodeError, "key given is a #{public_key.class} but has to be a RbNaCl::Signatures::Ed25519::VerifyKey" if public_key.class != RbNaCl::Signatures::Ed25519::VerifyKey
-        public_key.verify(signature, signing_input)
-      end
-    end
-  end
-end

data/lib/jwt/algos/hmac.rb

@@ -1,34 +0,0 @@
-module JWT
-  module Algos
-    module Hmac
-      module_function
-
-      SUPPORTED = %w[HS256 HS512256 HS384 HS512].freeze
-
-      def sign(to_sign)
-        algorithm, msg, key = to_sign.values
-        key ||= ''
-        authenticator, padded_key = SecurityUtils.rbnacl_fixup(algorithm, key)
-        if authenticator && padded_key
-          authenticator.auth(padded_key, msg.encode('binary'))
-        else
-          OpenSSL::HMAC.digest(OpenSSL::Digest.new(algorithm.sub('HS', 'sha')), key, msg)
-        end
-      end
-
-      def verify(to_verify)
-        algorithm, public_key, signing_input, signature = to_verify.values
-        authenticator, padded_key = SecurityUtils.rbnacl_fixup(algorithm, public_key)
-        if authenticator && padded_key
-          begin
-            authenticator.verify(padded_key, signature.encode('binary'), signing_input.encode('binary'))
-          rescue RbNaCl::BadAuthenticatorError
-            false
-          end
-        else
-          SecurityUtils.secure_compare(signature, sign(JWT::Signature::ToSign.new(algorithm, signing_input, public_key)))
-        end
-      end
-    end
-  end
-end

data/lib/jwt/algos/ps.rb

@@ -1,43 +0,0 @@
-module JWT
-  module Algos
-    module Ps
-      # RSASSA-PSS signing algorithms
-
-      module_function
-
-      SUPPORTED = %w[PS256 PS384 PS512].freeze
-
-      def sign(to_sign)
-        require_openssl!
-
-        algorithm, msg, key = to_sign.values
-
-        key_class = key.class
-
-        raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance." if key_class == String
-
-        translated_algorithm = algorithm.sub('PS', 'sha')
-
-        key.sign_pss(translated_algorithm, msg, salt_length: :digest, mgf1_hash: translated_algorithm)
-      end
-
-      def verify(to_verify)
-        require_openssl!
-
-        SecurityUtils.verify_ps(to_verify.algorithm, to_verify.public_key, to_verify.signing_input, to_verify.signature)
-      end
-
-      def require_openssl!
-        if Object.const_defined?('OpenSSL')
-          major, minor = OpenSSL::VERSION.split('.').first(2)
-
-          unless major.to_i >= 2 && minor.to_i >= 1
-            raise JWT::RequiredDependencyError, "You currently have OpenSSL #{OpenSSL::VERSION}. PS support requires >= 2.1"
-          end
-        else
-          raise JWT::RequiredDependencyError, 'PS signing requires OpenSSL +2.1'
-        end
-      end
-    end
-  end
-end

data/lib/jwt/algos/rsa.rb

@@ -1,19 +0,0 @@
-module JWT
-  module Algos
-    module Rsa
-      module_function
-
-      SUPPORTED = %w[RS256 RS384 RS512].freeze
-
-      def sign(to_sign)
-        algorithm, msg, key = to_sign.values
-        raise EncodeError, "The given key is a #{key.class}. It has to be an OpenSSL::PKey::RSA instance." if key.class == String
-        key.sign(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), msg)
-      end
-
-      def verify(to_verify)
-        SecurityUtils.verify_rsa(to_verify.algorithm, to_verify.public_key, to_verify.signing_input, to_verify.signature)
-      end
-    end
-  end
-end

data/lib/jwt/algos/unsupported.rb

@@ -1,16 +0,0 @@
-module JWT
-  module Algos
-    module Unsupported
-      module_function
-
-      SUPPORTED = Object.new.tap { |object| object.define_singleton_method(:include?) { |*| true } }
-      def verify(*)
-        raise JWT::VerificationError, 'Algorithm not supported'
-      end
-
-      def sign(*)
-        raise NotImplementedError, 'Unsupported signing method'
-      end
-    end
-  end
-end

data/lib/jwt/default_options.rb

@@ -1,15 +0,0 @@
-module JWT
-  module DefaultOptions
-    DEFAULT_OPTIONS = {
-      verify_expiration: true,
-      verify_not_before: true,
-      verify_iss: false,
-      verify_iat: false,
-      verify_jti: false,
-      verify_aud: false,
-      verify_sub: false,
-      leeway: 0,
-      algorithms: ['HS256']
-    }.freeze
-  end
-end

data/lib/jwt/security_utils.rb

@@ -1,57 +0,0 @@
-module JWT
-  # Collection of security methods
-  #
-  # @see: https://github.com/rails/rails/blob/master/activesupport/lib/active_support/security_utils.rb
-  module SecurityUtils
-    module_function
-
-    def secure_compare(left, right)
-      left_bytesize = left.bytesize
-
-      return false unless left_bytesize == right.bytesize
-
-      unpacked_left = left.unpack "C#{left_bytesize}"
-      result = 0
-      right.each_byte { |byte| result |= byte ^ unpacked_left.shift }
-      result.zero?
-    end
-
-    def verify_rsa(algorithm, public_key, signing_input, signature)
-      public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
-    end
-
-    def verify_ps(algorithm, public_key, signing_input, signature)
-      formatted_algorithm = algorithm.sub('PS', 'sha')
-
-      public_key.verify_pss(formatted_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: formatted_algorithm)
-    end
-
-    def asn1_to_raw(signature, public_key)
-      byte_size = (public_key.group.degree + 7) / 8
-      OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
-    end
-
-    def raw_to_asn1(signature, private_key)
-      byte_size = (private_key.group.degree + 7) / 8
-      sig_bytes = signature[0..(byte_size - 1)]
-      sig_char = signature[byte_size..-1] || ''
-      OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
-    end
-
-    def rbnacl_fixup(algorithm, key)
-      algorithm = algorithm.sub('HS', 'SHA').to_sym
-
-      return [] unless defined?(RbNaCl) && RbNaCl::HMAC.constants(false).include?(algorithm)
-
-      authenticator = RbNaCl::HMAC.const_get(algorithm)
-
-      # Fall back to OpenSSL for keys larger than 32 bytes.
-      return [] if key.bytesize > authenticator.key_bytes
-
-      [
-        authenticator,
-        key.bytes.fill(0, key.bytesize...authenticator.key_bytes).pack('C*')
-      ]
-    end
-  end
-end

data/lib/jwt/signature.rb

@@ -1,54 +0,0 @@
-# frozen_string_literal: true
-
-require 'jwt/security_utils'
-require 'openssl'
-require 'jwt/algos/hmac'
-require 'jwt/algos/eddsa'
-require 'jwt/algos/ecdsa'
-require 'jwt/algos/rsa'
-require 'jwt/algos/ps'
-require 'jwt/algos/unsupported'
-begin
-  require 'rbnacl'
-rescue LoadError
-  raise if defined?(RbNaCl)
-end
-
-# JWT::Signature module
-module JWT
-  # Signature logic for JWT
-  module Signature
-    extend self
-    ALGOS = [
-      Algos::Hmac,
-      Algos::Ecdsa,
-      Algos::Rsa,
-      Algos::Eddsa,
-      Algos::Ps,
-      Algos::Unsupported
-    ].freeze
-    ToSign = Struct.new(:algorithm, :msg, :key)
-    ToVerify = Struct.new(:algorithm, :public_key, :signing_input, :signature)
-
-    def sign(algorithm, msg, key)
-      algo = ALGOS.find do |alg|
-        alg.const_get(:SUPPORTED).include? algorithm
-      end
-      algo.sign ToSign.new(algorithm, msg, key)
-    end
-
-    def verify(algorithm, key, signing_input, signature)
-      raise JWT::DecodeError, 'No verification key available' unless key
-
-      algo = ALGOS.find do |alg|
-        alg.const_get(:SUPPORTED).include? algorithm
-      end
-      verified = algo.verify(ToVerify.new(algorithm, key, signing_input, signature))
-      raise(JWT::VerificationError, 'Signature verification raised') unless verified
-    rescue OpenSSL::PKey::PKeyError
-      raise JWT::VerificationError, 'Signature verification raised'
-    ensure
-      OpenSSL.errors.clear
-    end
-  end
-end