jwt 2.2.3 → 2.4.0

data/lib/jwt/jwk/ec.rb

@@ -8,7 +8,7 @@ module JWT
       extend Forwardable
       def_delegators :@keypair, :public_key
 
-      KTY    = 'EC'.freeze
+      KTY    = 'EC'
       KTYS   = [KTY, OpenSSL::PKey::EC].freeze
       BINARY = 2
 
@@ -66,17 +66,17 @@ module JWT
           crv = 'P-521'
           x_octets, y_octets = encoded_point.unpack('xa66a66')
         else
-          raise Jwt::JWKError, "Unsupported curve '#{ec_keypair.group.curve_name}'"
+          raise JWT::JWKError, "Unsupported curve '#{ec_keypair.group.curve_name}'"
         end
         [crv, x_octets, y_octets]
       end
 
       def encode_octets(octets)
-        ::JWT::Base64.url_encode(octets)
+        Base64.urlsafe_encode64(octets, padding: false)
       end
 
       def encode_open_ssl_bn(key_part)
-        ::JWT::Base64.url_encode(key_part.to_s(BINARY))
+        Base64.urlsafe_encode64(key_part.to_s(BINARY), padding: false)
       end
 
       class << self
@@ -85,7 +85,7 @@ module JWT
           # explanation of the relevant parameters.
 
           jwk_crv, jwk_x, jwk_y, jwk_d, jwk_kid = jwk_attrs(jwk_data, %i[crv x y d kid])
-          raise Jwt::JWKError, 'Key format is invalid for EC' unless jwk_crv && jwk_x && jwk_y
+          raise JWT::JWKError, 'Key format is invalid for EC' unless jwk_crv && jwk_x && jwk_y
 
           new(ec_pkey(jwk_crv, jwk_x, jwk_y, jwk_d), jwk_kid)
         end
@@ -138,11 +138,11 @@ module JWT
         end
 
         def decode_octets(jwk_data)
-          ::JWT::Base64.url_decode(jwk_data)
+          Base64.urlsafe_decode64(jwk_data)
         end
 
         def decode_open_ssl_bn(jwk_data)
-          OpenSSL::BN.new(::JWT::Base64.url_decode(jwk_data), BINARY)
+          OpenSSL::BN.new(Base64.urlsafe_decode64(jwk_data), BINARY)
         end
       end
     end

data/lib/jwt/jwk/hmac.rb

@@ -3,7 +3,7 @@
 module JWT
   module JWK
     class HMAC < KeyBase
-      KTY = 'oct'.freeze
+      KTY = 'oct'
       KTYS = [KTY, String].freeze
 
       def initialize(keypair, kid = nil)

data/lib/jwt/jwk/key_base.rb

@@ -11,6 +11,7 @@ module JWT
       end
 
       def self.inherited(klass)
+        super
         ::JWT::JWK.classes << klass
       end
     end

data/lib/jwt/jwk/rsa.rb

@@ -4,12 +4,13 @@ module JWT
   module JWK
     class RSA < KeyBase
       BINARY = 2
-      KTY    = 'RSA'.freeze
+      KTY    = 'RSA'
       KTYS   = [KTY, OpenSSL::PKey::RSA].freeze
       RSA_KEY_ELEMENTS = %i[n e d p q dp dq qi].freeze
 
       def initialize(keypair, kid = nil)
         raise ArgumentError, 'keypair must be of type OpenSSL::PKey::RSA' unless keypair.is_a?(OpenSSL::PKey::RSA)
+
         super(keypair, kid || generate_kid(keypair.public_key))
       end
 
@@ -54,7 +55,7 @@ module JWT
       end
 
       def encode_open_ssl_bn(key_part)
-        ::JWT::Base64.url_encode(key_part.to_s(BINARY))
+        Base64.urlsafe_encode64(key_part.to_s(BINARY), padding: false)
       end
 
       class << self
@@ -107,7 +108,7 @@ module JWT
         def decode_open_ssl_bn(jwk_data)
           return nil unless jwk_data
 
-          OpenSSL::BN.new(::JWT::Base64.url_decode(jwk_data), BINARY)
+          OpenSSL::BN.new(Base64.urlsafe_decode64(jwk_data), BINARY)
         end
       end
     end

data/lib/jwt/jwk.rb

@@ -14,10 +14,10 @@ module JWT
         end.import(jwk_data)
       end
 
-      def create_from(keypair)
+      def create_from(keypair, kid = nil)
         mappings.fetch(keypair.class) do |klass|
           raise JWT::JWKError, "Cannot create JWK from a #{klass.name}"
-        end.new(keypair)
+        end.new(keypair, kid)
       end
 
       def classes
@@ -36,6 +36,7 @@ module JWT
       def generate_mappings
         classes.each_with_object({}) do |klass, hash|
           next unless klass.const_defined?('KTYS')
+
           Array(klass::KTYS).each do |kty|
             hash[kty] = klass
           end

data/lib/jwt/security_utils.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module JWT
   # Collection of security methods
   #

data/lib/jwt/signature.rb

@@ -13,7 +13,8 @@ end
 module JWT
   # Signature logic for JWT
   module Signature
-    extend self
+    module_function
+
     ToSign = Struct.new(:algorithm, :msg, :key)
     ToVerify = Struct.new(:algorithm, :public_key, :signing_input, :signature)
 
@@ -23,13 +24,8 @@ module JWT
     end
 
     def verify(algorithm, key, signing_input, signature)
-      return true if algorithm.casecmp('none').zero?
-
-      raise JWT::DecodeError, 'No verification key available' unless key
-
       algo, code = Algos.find(algorithm)
-      verified = algo.verify(ToVerify.new(code, key, signing_input, signature))
-      raise(JWT::VerificationError, 'Signature verification raised') unless verified
+      algo.verify(ToVerify.new(code, key, signing_input, signature))
     rescue OpenSSL::PKey::PKeyError
       raise JWT::VerificationError, 'Signature verification raised'
     ensure

data/lib/jwt/verify.rb

@@ -10,7 +10,7 @@ module JWT
     }.freeze
 
     class << self
-      %w[verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub].each do |method_name|
+      %w[verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub verify_required_claims].each do |method_name|
         define_method method_name do |payload, options|
           new(payload, options).send(method_name)
         end
@@ -19,6 +19,7 @@ module JWT
       def verify_claims(payload, options)
         options.each do |key, val|
           next unless key.to_s =~ /verify/
+
           Verify.send(key, payload, options) if val
         end
       end
@@ -53,9 +54,14 @@ module JWT
 
       iss = @payload['iss']
 
-      return if Array(options_iss).map(&:to_s).include?(iss.to_s)
+      options_iss = Array(options_iss).map { |item| item.is_a?(Symbol) ? item.to_s : item }
 
-      raise(JWT::InvalidIssuerError, "Invalid issuer. Expected #{options_iss}, received #{iss || '<none>'}")
+      case iss
+      when *options_iss
+        nil
+      else
+        raise(JWT::InvalidIssuerError, "Invalid issuer. Expected #{options_iss}, received #{iss || '<none>'}")
+      end
     end
 
     def verify_jti
@@ -77,10 +83,19 @@ module JWT
 
     def verify_sub
       return unless (options_sub = @options[:sub])
+
       sub = @payload['sub']
       raise(JWT::InvalidSubError, "Invalid subject. Expected #{options_sub}, received #{sub || '<none>'}") unless sub.to_s == options_sub.to_s
     end
 
+    def verify_required_claims
+      return unless (options_required_claims = @options[:required_claims])
+
+      options_required_claims.each do |required_claim|
+        raise(JWT::MissingRequiredClaim, "Missing required claim #{required_claim}") unless @payload.include?(required_claim)
+      end
+    end
+
     private
 
     def global_leeway

data/lib/jwt/version.rb

@@ -1,4 +1,3 @@
-# encoding: utf-8
 # frozen_string_literal: true
 
 # Moments version builder module
@@ -12,9 +11,9 @@ module JWT
     # major version
     MAJOR = 2
     # minor version
-    MINOR = 2
+    MINOR = 4
     # tiny version
-    TINY  = 3
+    TINY  = 0
     # alpha, beta, etc. tag
     PRE   = nil
 

data/lib/jwt/x5c_key_finder.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require 'base64'
+require 'jwt/error'
+
+module JWT
+  # If the x5c header certificate chain can be validated by trusted root
+  # certificates, and none of the certificates are revoked, returns the public
+  # key from the first certificate.
+  # See https://tools.ietf.org/html/rfc7515#section-4.1.6
+  class X5cKeyFinder
+    def initialize(root_certificates, crls = nil)
+      raise(ArgumentError, 'Root certificates must be specified') unless root_certificates
+
+      @store = build_store(root_certificates, crls)
+    end
+
+    def from(x5c_header_or_certificates)
+      signing_certificate, *certificate_chain = parse_certificates(x5c_header_or_certificates)
+      store_context = OpenSSL::X509::StoreContext.new(@store, signing_certificate, certificate_chain)
+
+      if store_context.verify
+        signing_certificate.public_key
+      else
+        error = "Certificate verification failed: #{store_context.error_string}."
+        if (current_cert = store_context.current_cert)
+          error = "#{error} Certificate subject: #{current_cert.subject}."
+        end
+
+        raise(JWT::VerificationError, error)
+      end
+    end
+
+    private
+
+    def build_store(root_certificates, crls)
+      store = OpenSSL::X509::Store.new
+      store.purpose = OpenSSL::X509::PURPOSE_ANY
+      store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
+      root_certificates.each { |certificate| store.add_cert(certificate) }
+      crls&.each { |crl| store.add_crl(crl) }
+      store
+    end
+
+    def parse_certificates(x5c_header_or_certificates)
+      if x5c_header_or_certificates.all? { |obj| obj.is_a?(OpenSSL::X509::Certificate) }
+        x5c_header_or_certificates
+      else
+        x5c_header_or_certificates.map do |encoded|
+          OpenSSL::X509::Certificate.new(::Base64.strict_decode64(encoded))
+        end
+      end
+    end
+  end
+end

data/lib/jwt.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require 'jwt/base64'
+require 'base64'
 require 'jwt/json'
 require 'jwt/decode'
 require 'jwt/default_options'

data/ruby-jwt.gemspec

@@ -1,4 +1,6 @@
-lib = File.expand_path('../lib/', __FILE__)
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'jwt/version'
 
@@ -13,7 +15,11 @@ Gem::Specification.new do |spec|
   spec.description = 'A pure ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard.'
   spec.homepage = 'https://github.com/jwt/ruby-jwt'
   spec.license = 'MIT'
-  spec.required_ruby_version = '>= 2.1'
+  spec.required_ruby_version = '>= 2.5'
+  spec.metadata = {
+    'bug_tracker_uri' => 'https://github.com/jwt/ruby-jwt/issues',
+    'changelog_uri'   => "https://github.com/jwt/ruby-jwt/blob/v#{JWT.gem_version}/CHANGELOG.md"
+  }
 
   spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(spec|gemfiles|coverage|bin)/}) }
   spec.executables = []

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 2.2.3
+  version: 2.4.0
 platform: ruby
 authors:
 - Tim Rudat
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-04-19 00:00:00.000000000 Z
+date: 2022-06-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: appraisal
@@ -87,6 +87,8 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".codeclimate.yml"
+- ".github/workflows/coverage.yml"
 - ".github/workflows/test.yml"
 - ".gitignore"
 - ".rspec"
@@ -96,6 +98,7 @@ files:
 - AUTHORS
 - Appraisals
 - CHANGELOG.md
+- CODE_OF_CONDUCT.md
 - Gemfile
 - LICENSE
 - README.md
@@ -109,7 +112,6 @@ files:
 - lib/jwt/algos/ps.rb
 - lib/jwt/algos/rsa.rb
 - lib/jwt/algos/unsupported.rb
-- lib/jwt/base64.rb
 - lib/jwt/claims_validator.rb
 - lib/jwt/decode.rb
 - lib/jwt/default_options.rb
@@ -126,11 +128,14 @@ files:
 - lib/jwt/signature.rb
 - lib/jwt/verify.rb
 - lib/jwt/version.rb
+- lib/jwt/x5c_key_finder.rb
 - ruby-jwt.gemspec
 homepage: https://github.com/jwt/ruby-jwt
 licenses:
 - MIT
-metadata: {}
+metadata:
+  bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
+  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.4.0/CHANGELOG.md
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -139,14 +144,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.1'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.16
+rubygems_version: 3.3.7
 signing_key:
 specification_version: 4
 summary: JSON Web Token implementation in Ruby

data/lib/jwt/base64.rb

@@ -1,19 +0,0 @@
-# frozen_string_literal: true
-
-require 'base64'
-
-module JWT
-  # Base64 helpers
-  class Base64
-    class << self
-      def url_encode(str)
-        ::Base64.encode64(str).tr('+/', '-_').gsub(/[\n=]/, '')
-      end
-
-      def url_decode(str)
-        str += '=' * (4 - str.length.modulo(4))
-        ::Base64.decode64(str.tr('-_', '+/'))
-      end
-    end
-  end
-end