jwt 2.4.1 → 2.9.3

data/lib/jwt/algos/ecdsa.rb

@@ -1,64 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  module Algos
-    module Ecdsa
-      module_function
-
-      NAMED_CURVES = {
-        'prime256v1' => {
-          algorithm: 'ES256',
-          digest: 'sha256'
-        },
-        'secp256r1' => { # alias for prime256v1
-          algorithm: 'ES256',
-          digest: 'sha256'
-        },
-        'secp384r1' => {
-          algorithm: 'ES384',
-          digest: 'sha384'
-        },
-        'secp521r1' => {
-          algorithm: 'ES512',
-          digest: 'sha512'
-        },
-        'secp256k1' => {
-          algorithm: 'ES256K',
-          digest: 'sha256'
-        }
-      }.freeze
-
-      SUPPORTED = NAMED_CURVES.map { |_, c| c[:algorithm] }.uniq.freeze
-
-      def sign(to_sign)
-        algorithm, msg, key = to_sign.values
-        curve_definition = curve_by_name(key.group.curve_name)
-        key_algorithm = curve_definition[:algorithm]
-        if algorithm != key_algorithm
-          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} signing key was provided"
-        end
-
-        digest = OpenSSL::Digest.new(curve_definition[:digest])
-        SecurityUtils.asn1_to_raw(key.dsa_sign_asn1(digest.digest(msg)), key)
-      end
-
-      def verify(to_verify)
-        algorithm, public_key, signing_input, signature = to_verify.values
-        curve_definition = curve_by_name(public_key.group.curve_name)
-        key_algorithm = curve_definition[:algorithm]
-        if algorithm != key_algorithm
-          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} verification key was provided"
-        end
-
-        digest = OpenSSL::Digest.new(curve_definition[:digest])
-        public_key.dsa_verify_asn1(digest.digest(signing_input), SecurityUtils.raw_to_asn1(signature, public_key))
-      end
-
-      def curve_by_name(name)
-        NAMED_CURVES.fetch(name) do
-          raise UnsupportedEcdsaCurve, "The ECDSA curve '#{name}' is not supported"
-        end
-      end
-    end
-  end
-end

data/lib/jwt/algos/eddsa.rb

@@ -1,33 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  module Algos
-    module Eddsa
-      module_function
-
-      SUPPORTED = %w[ED25519 EdDSA].freeze
-
-      def sign(to_sign)
-        algorithm, msg, key = to_sign.values
-        if key.class != RbNaCl::Signatures::Ed25519::SigningKey
-          raise EncodeError, "Key given is a #{key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey"
-        end
-        unless SUPPORTED.map(&:downcase).map(&:to_sym).include?(algorithm.downcase.to_sym)
-          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided"
-        end
-
-        key.sign(msg)
-      end
-
-      def verify(to_verify)
-        algorithm, public_key, signing_input, signature = to_verify.values
-        unless SUPPORTED.map(&:downcase).map(&:to_sym).include?(algorithm.downcase.to_sym)
-          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided"
-        end
-        raise DecodeError, "key given is a #{public_key.class} but has to be a RbNaCl::Signatures::Ed25519::VerifyKey" if public_key.class != RbNaCl::Signatures::Ed25519::VerifyKey
-
-        public_key.verify(signature, signing_input)
-      end
-    end
-  end
-end

data/lib/jwt/algos/hmac.rb

@@ -1,36 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  module Algos
-    module Hmac
-      module_function
-
-      SUPPORTED = %w[HS256 HS512256 HS384 HS512].freeze
-
-      def sign(to_sign)
-        algorithm, msg, key = to_sign.values
-        key ||= ''
-        authenticator, padded_key = SecurityUtils.rbnacl_fixup(algorithm, key)
-        if authenticator && padded_key
-          authenticator.auth(padded_key, msg.encode('binary'))
-        else
-          OpenSSL::HMAC.digest(OpenSSL::Digest.new(algorithm.sub('HS', 'sha')), key, msg)
-        end
-      end
-
-      def verify(to_verify)
-        algorithm, public_key, signing_input, signature = to_verify.values
-        authenticator, padded_key = SecurityUtils.rbnacl_fixup(algorithm, public_key)
-        if authenticator && padded_key
-          begin
-            authenticator.verify(padded_key, signature.encode('binary'), signing_input.encode('binary'))
-          rescue RbNaCl::BadAuthenticatorError
-            false
-          end
-        else
-          SecurityUtils.secure_compare(signature, sign(JWT::Signature::ToSign.new(algorithm, signing_input, public_key)))
-        end
-      end
-    end
-  end
-end

data/lib/jwt/algos/none.rb

@@ -1,17 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  module Algos
-    module None
-      module_function
-
-      SUPPORTED = %w[none].freeze
-
-      def sign(*); end
-
-      def verify(*)
-        true
-      end
-    end
-  end
-end

data/lib/jwt/algos/ps.rb

@@ -1,43 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  module Algos
-    module Ps
-      # RSASSA-PSS signing algorithms
-
-      module_function
-
-      SUPPORTED = %w[PS256 PS384 PS512].freeze
-
-      def sign(to_sign)
-        require_openssl!
-
-        algorithm, msg, key = to_sign.values
-
-        key_class = key.class
-
-        raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance." if key_class == String
-
-        translated_algorithm = algorithm.sub('PS', 'sha')
-
-        key.sign_pss(translated_algorithm, msg, salt_length: :digest, mgf1_hash: translated_algorithm)
-      end
-
-      def verify(to_verify)
-        require_openssl!
-
-        SecurityUtils.verify_ps(to_verify.algorithm, to_verify.public_key, to_verify.signing_input, to_verify.signature)
-      end
-
-      def require_openssl!
-        if Object.const_defined?('OpenSSL')
-          if ::Gem::Version.new(OpenSSL::VERSION) < ::Gem::Version.new('2.1')
-            raise JWT::RequiredDependencyError, "You currently have OpenSSL #{OpenSSL::VERSION}. PS support requires >= 2.1"
-          end
-        else
-          raise JWT::RequiredDependencyError, 'PS signing requires OpenSSL +2.1'
-        end
-      end
-    end
-  end
-end

data/lib/jwt/algos/rsa.rb

@@ -1,22 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  module Algos
-    module Rsa
-      module_function
-
-      SUPPORTED = %w[RS256 RS384 RS512].freeze
-
-      def sign(to_sign)
-        algorithm, msg, key = to_sign.values
-        raise EncodeError, "The given key is a #{key.class}. It has to be an OpenSSL::PKey::RSA instance." if key.instance_of?(String)
-
-        key.sign(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), msg)
-      end
-
-      def verify(to_verify)
-        SecurityUtils.verify_rsa(to_verify.algorithm, to_verify.public_key, to_verify.signing_input, to_verify.signature)
-      end
-    end
-  end
-end

data/lib/jwt/algos/unsupported.rb

@@ -1,19 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  module Algos
-    module Unsupported
-      module_function
-
-      SUPPORTED = [].freeze
-
-      def sign(*)
-        raise NotImplementedError, 'Unsupported signing method'
-      end
-
-      def verify(*)
-        raise JWT::VerificationError, 'Algorithm not supported'
-      end
-    end
-  end
-end

data/lib/jwt/algos.rb

@@ -1,44 +0,0 @@
-# frozen_string_literal: true
-
-require 'jwt/algos/hmac'
-require 'jwt/algos/eddsa'
-require 'jwt/algos/ecdsa'
-require 'jwt/algos/rsa'
-require 'jwt/algos/ps'
-require 'jwt/algos/none'
-require 'jwt/algos/unsupported'
-
-# JWT::Signature module
-module JWT
-  # Signature logic for JWT
-  module Algos
-    extend self
-
-    ALGOS = [
-      Algos::Hmac,
-      Algos::Ecdsa,
-      Algos::Rsa,
-      Algos::Eddsa,
-      Algos::Ps,
-      Algos::None,
-      Algos::Unsupported
-    ].freeze
-
-    def find(algorithm)
-      indexed[algorithm && algorithm.downcase]
-    end
-
-    private
-
-    def indexed
-      @indexed ||= begin
-        fallback = [Algos::Unsupported, nil]
-        ALGOS.each_with_object(Hash.new(fallback)) do |alg, hash|
-          alg.const_get(:SUPPORTED).each do |code|
-            hash[code.downcase] = [alg, code]
-          end
-        end
-      end
-    end
-  end
-end

data/lib/jwt/default_options.rb

@@ -1,18 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  module DefaultOptions
-    DEFAULT_OPTIONS = {
-      verify_expiration: true,
-      verify_not_before: true,
-      verify_iss: false,
-      verify_iat: false,
-      verify_jti: false,
-      verify_aud: false,
-      verify_sub: false,
-      leeway: 0,
-      algorithms: ['HS256'],
-      required_claims: []
-    }.freeze
-  end
-end

data/lib/jwt/security_utils.rb

@@ -1,59 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  # Collection of security methods
-  #
-  # @see: https://github.com/rails/rails/blob/master/activesupport/lib/active_support/security_utils.rb
-  module SecurityUtils
-    module_function
-
-    def secure_compare(left, right)
-      left_bytesize = left.bytesize
-
-      return false unless left_bytesize == right.bytesize
-
-      unpacked_left = left.unpack "C#{left_bytesize}"
-      result = 0
-      right.each_byte { |byte| result |= byte ^ unpacked_left.shift }
-      result.zero?
-    end
-
-    def verify_rsa(algorithm, public_key, signing_input, signature)
-      public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
-    end
-
-    def verify_ps(algorithm, public_key, signing_input, signature)
-      formatted_algorithm = algorithm.sub('PS', 'sha')
-
-      public_key.verify_pss(formatted_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: formatted_algorithm)
-    end
-
-    def asn1_to_raw(signature, public_key)
-      byte_size = (public_key.group.degree + 7) / 8
-      OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
-    end
-
-    def raw_to_asn1(signature, private_key)
-      byte_size = (private_key.group.degree + 7) / 8
-      sig_bytes = signature[0..(byte_size - 1)]
-      sig_char = signature[byte_size..-1] || ''
-      OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
-    end
-
-    def rbnacl_fixup(algorithm, key)
-      algorithm = algorithm.sub('HS', 'SHA').to_sym
-
-      return [] unless defined?(RbNaCl) && RbNaCl::HMAC.constants(false).include?(algorithm)
-
-      authenticator = RbNaCl::HMAC.const_get(algorithm)
-
-      # Fall back to OpenSSL for keys larger than 32 bytes.
-      return [] if key.bytesize > authenticator.key_bytes
-
-      [
-        authenticator,
-        key.bytes.fill(0, key.bytesize...authenticator.key_bytes).pack('C*')
-      ]
-    end
-  end
-end

data/lib/jwt/signature.rb

@@ -1,35 +0,0 @@
-# frozen_string_literal: true
-
-require 'jwt/security_utils'
-require 'openssl'
-require 'jwt/algos'
-begin
-  require 'rbnacl'
-rescue LoadError
-  raise if defined?(RbNaCl)
-end
-
-# JWT::Signature module
-module JWT
-  # Signature logic for JWT
-  module Signature
-    module_function
-
-    ToSign = Struct.new(:algorithm, :msg, :key)
-    ToVerify = Struct.new(:algorithm, :public_key, :signing_input, :signature)
-
-    def sign(algorithm, msg, key)
-      algo, code = Algos.find(algorithm)
-      algo.sign ToSign.new(code, msg, key)
-    end
-
-    def verify(algorithm, key, signing_input, signature)
-      algo, code = Algos.find(algorithm)
-      algo.verify(ToVerify.new(code, key, signing_input, signature))
-    rescue OpenSSL::PKey::PKeyError
-      raise JWT::VerificationError, 'Signature verification raised'
-    ensure
-      OpenSSL.errors.clear
-    end
-  end
-end