jwt 2.3.0 → 2.5.0

data/lib/jwt/decode.rb

@@ -4,12 +4,14 @@ require 'json'
 
 require 'jwt/signature'
 require 'jwt/verify'
+require 'jwt/x5c_key_finder'
 # JWT::Decode module
 module JWT
   # Decoding logic for JWT
   class Decode
     def initialize(jwt, key, verify, options, &keyfinder)
       raise(JWT::DecodeError, 'Nil JSON web token') unless jwt
+
       @jwt = jwt
       @key = key
       @options = options
@@ -23,28 +25,50 @@ module JWT
       validate_segment_count!
       if @verify
         decode_crypto
+        verify_algo
+        set_key
         verify_signature
         verify_claims
       end
       raise(JWT::DecodeError, 'Not enough or too many segments') unless header && payload
+
       [payload, header]
     end
 
     private
 
     def verify_signature
+      return unless @key || @verify
+
+      return if none_algorithm?
+
+      raise JWT::DecodeError, 'No verification key available' unless @key
+
+      return if Array(@key).any? { |key| verify_signature_for?(key) }
+
+      raise(JWT::VerificationError, 'Signature verification failed')
+    end
+
+    def verify_algo
       raise(JWT::IncorrectAlgorithm, 'An algorithm must be specified') if allowed_algorithms.empty?
-      raise(JWT::IncorrectAlgorithm, 'Token is missing alg header') unless header['alg']
+      raise(JWT::IncorrectAlgorithm, 'Token is missing alg header') unless algorithm
       raise(JWT::IncorrectAlgorithm, 'Expected a different algorithm') unless options_includes_algo_in_header?
+    end
 
+    def set_key
       @key = find_key(&@keyfinder) if @keyfinder
       @key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks]).key_for(header['kid']) if @options[:jwks]
+      if (x5c_options = @options[:x5c])
+        @key = X5cKeyFinder.new(x5c_options[:root_certificates], x5c_options[:crls]).from(header['x5c'])
+      end
+    end
 
-      Signature.verify(header['alg'], @key, signing_input, @signature)
+    def verify_signature_for?(key)
+      Signature.verify(algorithm, key, signing_input, @signature)
     end
 
     def options_includes_algo_in_header?
-      allowed_algorithms.any? { |alg| alg.casecmp(header['alg']).zero? }
+      allowed_algorithms.any? { |alg| alg.casecmp(algorithm).zero? }
     end
 
     def allowed_algorithms
@@ -65,8 +89,10 @@ module JWT
 
     def find_key(&keyfinder)
       key = (keyfinder.arity == 2 ? yield(header, payload) : yield(header))
-      raise JWT::DecodeError, 'No verification key available' unless key
-      key
+      # key can be of type [string, nil, OpenSSL::PKey, Array]
+      return key if key && !Array(key).empty?
+
+      raise JWT::DecodeError, 'No verification key available'
     end
 
     def verify_claims
@@ -77,7 +103,7 @@ module JWT
     def validate_segment_count!
       return if segment_length == 3
       return if !@verify && segment_length == 2 # If no verifying required, the signature is not needed
-      return if segment_length == 2 && header['alg'] == 'none'
+      return if segment_length == 2 && none_algorithm?
 
       raise(JWT::DecodeError, 'Not enough or too many segments')
     end
@@ -86,8 +112,16 @@ module JWT
       @segments.count
     end
 
+    def none_algorithm?
+      algorithm == 'none'
+    end
+
     def decode_crypto
-      @signature = JWT::Base64.url_decode(@segments[2] || '')
+      @signature = ::JWT::Base64.url_decode(@segments[2] || '')
+    end
+
+    def algorithm
+      header['alg']
     end
 
     def header
@@ -103,7 +137,7 @@ module JWT
     end
 
     def parse_and_decode(segment)
-      JWT::JSON.parse(JWT::Base64.url_decode(segment))
+      JWT::JSON.parse(::JWT::Base64.url_decode(segment))
     rescue ::JSON::ParserError
       raise JWT::DecodeError, 'Invalid segment encoding'
     end

data/lib/jwt/encode.rb

@@ -7,14 +7,14 @@ require_relative './claims_validator'
 module JWT
   # Encoding logic for JWT
   class Encode
-    ALG_NONE = 'none'.freeze
-    ALG_KEY  = 'alg'.freeze
+    ALG_NONE = 'none'
+    ALG_KEY  = 'alg'
 
     def initialize(options)
       @payload = options[:payload]
       @key = options[:key]
       _, @algorithm = Algos.find(options[:algorithm])
-      @headers = options[:headers].each_with_object({}) { |(key, value), headers| headers[key.to_s] = value }
+      @headers = options[:headers].transform_keys(&:to_s)
     end
 
     def segments
@@ -45,7 +45,7 @@ module JWT
     end
 
     def encode_payload
-      if @payload && @payload.is_a?(Hash)
+      if @payload.is_a?(Hash)
         ClaimsValidator.new(@payload).validate!
       end
 
@@ -55,11 +55,11 @@ module JWT
     def encode_signature
       return '' if @algorithm == ALG_NONE
 
-      JWT::Base64.url_encode(JWT::Signature.sign(@algorithm, encoded_header_and_payload, @key))
+      ::JWT::Base64.url_encode(JWT::Signature.sign(@algorithm, encoded_header_and_payload, @key))
     end
 
     def encode(data)
-      JWT::Base64.url_encode(JWT::JSON.generate(data))
+      ::JWT::Base64.url_encode(JWT::JSON.generate(data))
     end
 
     def combine(*parts)

data/lib/jwt/error.rb

@@ -10,6 +10,7 @@ module JWT
   class IncorrectAlgorithm < DecodeError; end
   class ImmatureSignature < DecodeError; end
   class InvalidIssuerError < DecodeError; end
+  class UnsupportedEcdsaCurve < IncorrectAlgorithm; end
   class InvalidIatError < DecodeError; end
   class InvalidAudError < DecodeError; end
   class InvalidSubError < DecodeError; end

data/lib/jwt/jwk/ec.rb

@@ -4,39 +4,53 @@ require 'forwardable'
 
 module JWT
   module JWK
-    class EC < KeyBase
+    class EC < KeyBase # rubocop:disable Metrics/ClassLength
       extend Forwardable
-      def_delegators :@keypair, :public_key
+      def_delegators :keypair, :public_key
 
-      KTY    = 'EC'.freeze
+      KTY    = 'EC'
       KTYS   = [KTY, OpenSSL::PKey::EC].freeze
       BINARY = 2
 
-      def initialize(keypair, kid = nil)
+      attr_reader :keypair
+
+      def initialize(keypair, options = {})
         raise ArgumentError, 'keypair must be of type OpenSSL::PKey::EC' unless keypair.is_a?(OpenSSL::PKey::EC)
 
-        kid ||= generate_kid(keypair)
-        super(keypair, kid)
+        @keypair = keypair
+
+        super(options)
       end
 
       def private?
         @keypair.private_key?
       end
 
-      def export(options = {})
+      def members
         crv, x_octets, y_octets = keypair_components(keypair)
-        exported_hash = {
+        {
           kty: KTY,
           crv: crv,
           x: encode_octets(x_octets),
-          y: encode_octets(y_octets),
-          kid: kid
+          y: encode_octets(y_octets)
         }
+      end
+
+      def export(options = {})
+        exported_hash = members.merge(kid: kid)
+
         return exported_hash unless private? && options[:include_private] == true
 
         append_private_parts(exported_hash)
       end
 
+      def key_digest
+        _crv, x_octets, y_octets = keypair_components(keypair)
+        sequence = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(x_octets, BINARY)),
+                                            OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(y_octets, BINARY))])
+        OpenSSL::Digest::SHA256.hexdigest(sequence.to_der)
+      end
+
       private
 
       def append_private_parts(the_hash)
@@ -46,19 +60,15 @@ module JWT
         )
       end
 
-      def generate_kid(ec_keypair)
-        _crv, x_octets, y_octets = keypair_components(ec_keypair)
-        sequence = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(x_octets, BINARY)),
-                                            OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(y_octets, BINARY))])
-        OpenSSL::Digest::SHA256.hexdigest(sequence.to_der)
-      end
-
       def keypair_components(ec_keypair)
         encoded_point = ec_keypair.public_key.to_bn.to_s(BINARY)
         case ec_keypair.group.curve_name
         when 'prime256v1'
           crv = 'P-256'
           x_octets, y_octets = encoded_point.unpack('xa32a32')
+        when 'secp256k1'
+          crv = 'P-256K'
+          x_octets, y_octets = encoded_point.unpack('xa32a32')
         when 'secp384r1'
           crv = 'P-384'
           x_octets, y_octets = encoded_point.unpack('xa48a48')
@@ -87,7 +97,7 @@ module JWT
           jwk_crv, jwk_x, jwk_y, jwk_d, jwk_kid = jwk_attrs(jwk_data, %i[crv x y d kid])
           raise JWT::JWKError, 'Key format is invalid for EC' unless jwk_crv && jwk_x && jwk_y
 
-          new(ec_pkey(jwk_crv, jwk_x, jwk_y, jwk_d), jwk_kid)
+          new(ec_pkey(jwk_crv, jwk_x, jwk_y, jwk_d), kid: jwk_kid)
         end
 
         def to_openssl_curve(crv)
@@ -98,6 +108,7 @@ module JWT
           when 'P-256' then 'prime256v1'
           when 'P-384' then 'secp384r1'
           when 'P-521' then 'secp521r1'
+          when 'P-256K' then 'secp256k1'
           else raise JWT::JWKError, 'Invalid curve provided'
           end
         end
@@ -110,31 +121,69 @@ module JWT
           end
         end
 
-        def ec_pkey(jwk_crv, jwk_x, jwk_y, jwk_d)
-          curve = to_openssl_curve(jwk_crv)
-
-          x_octets = decode_octets(jwk_x)
-          y_octets = decode_octets(jwk_y)
-
-          key = OpenSSL::PKey::EC.new(curve)
-
-          # The details of the `Point` instantiation are covered in:
-          # - https://docs.ruby-lang.org/en/2.4.0/OpenSSL/PKey/EC.html
-          # - https://www.openssl.org/docs/manmaster/man3/EC_POINT_new.html
-          # - https://tools.ietf.org/html/rfc5480#section-2.2
-          # - https://www.secg.org/SEC1-Ver-1.0.pdf
-          # Section 2.3.3 of the last of these references specifies that the
-          # encoding of an uncompressed point consists of the byte `0x04` followed
-          # by the x value then the y value.
-          point = OpenSSL::PKey::EC::Point.new(
-            OpenSSL::PKey::EC::Group.new(curve),
-            OpenSSL::BN.new([0x04, x_octets, y_octets].pack('Ca*a*'), 2)
-          )
-
-          key.public_key = point
-          key.private_key = OpenSSL::BN.new(decode_octets(jwk_d), 2) if jwk_d
-
-          key
+        if ::JWT.openssl_3?
+          def ec_pkey(jwk_crv, jwk_x, jwk_y, jwk_d) # rubocop:disable Metrics/MethodLength
+            curve = to_openssl_curve(jwk_crv)
+
+            x_octets = decode_octets(jwk_x)
+            y_octets = decode_octets(jwk_y)
+
+            point = OpenSSL::PKey::EC::Point.new(
+              OpenSSL::PKey::EC::Group.new(curve),
+              OpenSSL::BN.new([0x04, x_octets, y_octets].pack('Ca*a*'), 2)
+            )
+
+            sequence = if jwk_d
+              # https://datatracker.ietf.org/doc/html/rfc5915.html
+              # ECPrivateKey ::= SEQUENCE {
+              #   version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
+              #   privateKey     OCTET STRING,
+              #   parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
+              #   publicKey  [1] BIT STRING OPTIONAL
+              # }
+
+              OpenSSL::ASN1::Sequence([
+                                        OpenSSL::ASN1::Integer(1),
+                                        OpenSSL::ASN1::OctetString(OpenSSL::BN.new(decode_octets(jwk_d), 2).to_s(2)),
+                                        OpenSSL::ASN1::ObjectId(curve, 0, :EXPLICIT),
+                                        OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed), 1, :EXPLICIT)
+                                      ])
+            else
+              OpenSSL::ASN1::Sequence([
+                                        OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId('id-ecPublicKey'), OpenSSL::ASN1::ObjectId(curve)]),
+                                        OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed))
+                                      ])
+            end
+
+            OpenSSL::PKey::EC.new(sequence.to_der)
+          end
+        else
+          def ec_pkey(jwk_crv, jwk_x, jwk_y, jwk_d)
+            curve = to_openssl_curve(jwk_crv)
+
+            x_octets = decode_octets(jwk_x)
+            y_octets = decode_octets(jwk_y)
+
+            key = OpenSSL::PKey::EC.new(curve)
+
+            # The details of the `Point` instantiation are covered in:
+            # - https://docs.ruby-lang.org/en/2.4.0/OpenSSL/PKey/EC.html
+            # - https://www.openssl.org/docs/manmaster/man3/EC_POINT_new.html
+            # - https://tools.ietf.org/html/rfc5480#section-2.2
+            # - https://www.secg.org/SEC1-Ver-1.0.pdf
+            # Section 2.3.3 of the last of these references specifies that the
+            # encoding of an uncompressed point consists of the byte `0x04` followed
+            # by the x value then the y value.
+            point = OpenSSL::PKey::EC::Point.new(
+              OpenSSL::PKey::EC::Group.new(curve),
+              OpenSSL::BN.new([0x04, x_octets, y_octets].pack('Ca*a*'), 2)
+            )
+
+            key.public_key = point
+            key.private_key = OpenSSL::BN.new(decode_octets(jwk_d), 2) if jwk_d
+
+            key
+          end
         end
 
         def decode_octets(jwk_data)

data/lib/jwt/jwk/hmac.rb

@@ -3,14 +3,16 @@
 module JWT
   module JWK
     class HMAC < KeyBase
-      KTY = 'oct'.freeze
+      KTY  = 'oct'
       KTYS = [KTY, String].freeze
 
-      def initialize(keypair, kid = nil)
-        raise ArgumentError, 'keypair must be of type String' unless keypair.is_a?(String)
+      attr_reader :signing_key
 
-        super
-        @kid = kid || generate_kid
+      def initialize(signing_key, options = {})
+        raise ArgumentError, 'signing_key must be of type String' unless signing_key.is_a?(String)
+
+        @signing_key = signing_key
+        super(options)
       end
 
       def private?
@@ -31,14 +33,21 @@ module JWT
         return exported_hash unless private? && options[:include_private] == true
 
         exported_hash.merge(
-          k: keypair
+          k: signing_key
         )
       end
 
-      private
+      def members
+        {
+          kty: KTY,
+          k: signing_key
+        }
+      end
+
+      alias keypair signing_key # for backwards compatibility
 
-      def generate_kid
-        sequence = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::UTF8String.new(keypair),
+      def key_digest
+        sequence = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::UTF8String.new(signing_key),
                                             OpenSSL::ASN1::UTF8String.new(KTY)])
         OpenSSL::Digest::SHA256.hexdigest(sequence.to_der)
       end
@@ -50,7 +59,7 @@ module JWT
 
           raise JWT::JWKError, 'Key format is invalid for HMAC' unless jwk_k
 
-          self.new(jwk_k, jwk_kid)
+          new(jwk_k, kid: jwk_kid)
         end
       end
     end

data/lib/jwt/jwk/key_base.rb

@@ -3,15 +3,32 @@
 module JWT
   module JWK
     class KeyBase
-      attr_reader :keypair, :kid
+      def self.inherited(klass)
+        super
+        ::JWT::JWK.classes << klass
+      end
 
-      def initialize(keypair, kid = nil)
-        @keypair = keypair
-        @kid     = kid
+      def initialize(options)
+        options ||= {}
+
+        if options.is_a?(String) # For backwards compatibility when kid was a String
+          options = { kid: options }
+        end
+
+        @kid           = options[:kid]
+        @kid_generator = options[:kid_generator] || ::JWT.configuration.jwk.kid_generator
       end
 
-      def self.inherited(klass)
-        ::JWT::JWK.classes << klass
+      def kid
+        @kid ||= generate_kid
+      end
+
+      private
+
+      attr_reader :kid_generator
+
+      def generate_kid
+        kid_generator.new(self).generate
       end
     end
   end

data/lib/jwt/jwk/key_finder.rb

@@ -28,7 +28,7 @@ module JWT
         return jwk if jwk
 
         if reloadable?
-          load_keys(invalidate: true)
+          load_keys(invalidate: true, kid_not_found: true, kid: kid) # invalidate for backwards compatibility
           return find_key(kid)
         end
 

data/lib/jwt/jwk/kid_as_key_digest.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module JWT
+  module JWK
+    class KidAsKeyDigest
+      def initialize(jwk)
+        @jwk = jwk
+      end
+
+      def generate
+        @jwk.key_digest
+      end
+    end
+  end
+end

data/lib/jwt/jwk/rsa.rb

@@ -4,13 +4,18 @@ module JWT
   module JWK
     class RSA < KeyBase
       BINARY = 2
-      KTY    = 'RSA'.freeze
+      KTY    = 'RSA'
       KTYS   = [KTY, OpenSSL::PKey::RSA].freeze
       RSA_KEY_ELEMENTS = %i[n e d p q dp dq qi].freeze
 
-      def initialize(keypair, kid = nil)
+      attr_reader :keypair
+
+      def initialize(keypair, options = {})
         raise ArgumentError, 'keypair must be of type OpenSSL::PKey::RSA' unless keypair.is_a?(OpenSSL::PKey::RSA)
-        super(keypair, kid || generate_kid(keypair.public_key))
+
+        @keypair = keypair
+
+        super(options)
       end
 
       def private?
@@ -22,26 +27,29 @@ module JWT
       end
 
       def export(options = {})
-        exported_hash = {
-          kty: KTY,
-          n: encode_open_ssl_bn(public_key.n),
-          e: encode_open_ssl_bn(public_key.e),
-          kid: kid
-        }
+        exported_hash = members.merge(kid: kid)
 
         return exported_hash unless private? && options[:include_private] == true
 
         append_private_parts(exported_hash)
       end
 
-      private
+      def members
+        {
+          kty: KTY,
+          n: encode_open_ssl_bn(public_key.n),
+          e: encode_open_ssl_bn(public_key.e)
+        }
+      end
 
-      def generate_kid(public_key)
+      def key_digest
         sequence = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer.new(public_key.n),
                                             OpenSSL::ASN1::Integer.new(public_key.e)])
         OpenSSL::Digest::SHA256.hexdigest(sequence.to_der)
       end
 
+      private
+
       def append_private_parts(the_hash)
         the_hash.merge(
           d: encode_open_ssl_bn(keypair.d),
@@ -62,8 +70,7 @@ module JWT
           pkey_params = jwk_attributes(jwk_data, *RSA_KEY_ELEMENTS) do |value|
             decode_open_ssl_bn(value)
           end
-          kid = jwk_attributes(jwk_data, :kid)[:kid]
-          self.new(rsa_pkey(pkey_params), kid)
+          new(rsa_pkey(pkey_params), kid: jwk_attributes(jwk_data, :kid)[:kid])
         end
 
         private
@@ -79,28 +86,44 @@ module JWT
         def rsa_pkey(rsa_parameters)
           raise JWT::JWKError, 'Key format is invalid for RSA' unless rsa_parameters[:n] && rsa_parameters[:e]
 
-          populate_key(OpenSSL::PKey::RSA.new, rsa_parameters)
+          create_rsa_key(rsa_parameters)
         end
 
-        if OpenSSL::PKey::RSA.new.respond_to?(:set_key)
-          def populate_key(rsa_key, rsa_parameters)
-            rsa_key.set_key(rsa_parameters[:n], rsa_parameters[:e], rsa_parameters[:d])
-            rsa_key.set_factors(rsa_parameters[:p], rsa_parameters[:q]) if rsa_parameters[:p] && rsa_parameters[:q]
-            rsa_key.set_crt_params(rsa_parameters[:dp], rsa_parameters[:dq], rsa_parameters[:qi]) if rsa_parameters[:dp] && rsa_parameters[:dq] && rsa_parameters[:qi]
-            rsa_key
+        if ::JWT.openssl_3?
+          ASN1_SEQUENCE = %i[n e d p q dp dq qi].freeze
+          def create_rsa_key(rsa_parameters)
+            sequence = ASN1_SEQUENCE.each_with_object([]) do |key, arr|
+              next if rsa_parameters[key].nil?
+
+              arr << OpenSSL::ASN1::Integer.new(rsa_parameters[key])
+            end
+
+            if sequence.size > 2 # For a private key
+              sequence.unshift(OpenSSL::ASN1::Integer.new(0))
+            end
+
+            OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence(sequence).to_der)
+          end
+        elsif OpenSSL::PKey::RSA.new.respond_to?(:set_key)
+          def create_rsa_key(rsa_parameters)
+            OpenSSL::PKey::RSA.new.tap do |rsa_key|
+              rsa_key.set_key(rsa_parameters[:n], rsa_parameters[:e], rsa_parameters[:d])
+              rsa_key.set_factors(rsa_parameters[:p], rsa_parameters[:q]) if rsa_parameters[:p] && rsa_parameters[:q]
+              rsa_key.set_crt_params(rsa_parameters[:dp], rsa_parameters[:dq], rsa_parameters[:qi]) if rsa_parameters[:dp] && rsa_parameters[:dq] && rsa_parameters[:qi]
+            end
           end
         else
-          def populate_key(rsa_key, rsa_parameters)
-            rsa_key.n = rsa_parameters[:n]
-            rsa_key.e = rsa_parameters[:e]
-            rsa_key.d = rsa_parameters[:d] if rsa_parameters[:d]
-            rsa_key.p = rsa_parameters[:p] if rsa_parameters[:p]
-            rsa_key.q = rsa_parameters[:q] if rsa_parameters[:q]
-            rsa_key.dmp1 = rsa_parameters[:dp] if rsa_parameters[:dp]
-            rsa_key.dmq1 = rsa_parameters[:dq] if rsa_parameters[:dq]
-            rsa_key.iqmp = rsa_parameters[:qi] if rsa_parameters[:qi]
-
-            rsa_key
+          def create_rsa_key(rsa_parameters) # rubocop:disable Metrics/AbcSize
+            OpenSSL::PKey::RSA.new.tap do |rsa_key|
+              rsa_key.n = rsa_parameters[:n]
+              rsa_key.e = rsa_parameters[:e]
+              rsa_key.d = rsa_parameters[:d] if rsa_parameters[:d]
+              rsa_key.p = rsa_parameters[:p] if rsa_parameters[:p]
+              rsa_key.q = rsa_parameters[:q] if rsa_parameters[:q]
+              rsa_key.dmp1 = rsa_parameters[:dp] if rsa_parameters[:dp]
+              rsa_key.dmq1 = rsa_parameters[:dq] if rsa_parameters[:dq]
+              rsa_key.iqmp = rsa_parameters[:qi] if rsa_parameters[:qi]
+            end
           end
         end
 

data/lib/jwt/jwk/thumbprint.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module JWT
+  module JWK
+    # https://tools.ietf.org/html/rfc7638
+    class Thumbprint
+      attr_reader :jwk
+
+      def initialize(jwk)
+        @jwk = jwk
+      end
+
+      def generate
+        ::Base64.urlsafe_encode64(
+          Digest::SHA256.digest(
+            JWT::JSON.generate(
+              jwk.members.sort.to_h
+            )
+          ), padding: false
+        )
+      end
+
+      alias to_s generate
+    end
+  end
+end

data/lib/jwt/jwk.rb

@@ -36,6 +36,7 @@ module JWT
       def generate_mappings
         classes.each_with_object({}) do |klass, hash|
           next unless klass.const_defined?('KTYS')
+
           Array(klass::KTYS).each do |kty|
             hash[kty] = klass
           end

data/lib/jwt/security_utils.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module JWT
   # Collection of security methods
   #