jwt 2.5.0 → 2.7.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a3098671a837e7b291103cde1921277c61ecaa0f0797b955e6adc65328498f0d
-  data.tar.gz: 3253833ac6d7743e40a5d5157b161cd0daecc9b77f61dfa7687d6b3da1be56ca
+  metadata.gz: 11007e8ec36d148026cd5b6761681b0a71437b7b461efba4ae492622fc5ff27b
+  data.tar.gz: 8090bbba3dce57e42cc203ef168d3d00c624e79e076de0e949b4390b531b4d55
 SHA512:
-  metadata.gz: 306c946b1199301a3f1000c8ffba4a77d07fd05dd83f769da86fd29f254827b5af8488a4b6a54b11f1f7f3a028cb88caafb7ed67528e7004c0337f6506e595ea
-  data.tar.gz: 57d1eba7a06bc9d9f9fcb76b42aa3808415af5020c53969b4cada890b1646e7d348a96ce18010ab0a978e42825febbeb7b3f205b72e8ce60ef90132cf5887599
+  metadata.gz: a035f44be760ad325105329cbaec12e90515afdade9649e798ee5c7cefced3271d4f3084afeef693c03c961541d9e5e45b2876734d1947dccdd24cc194acbca2
+  data.tar.gz: 61e3d071ce44809767f3501f12b452cae574f9ea0de668ca937731838d58e2a9fa85831829ce564f6a015177a86b2a05b1b6ddf60ba34ac515ea12c69ac618fe

data/CHANGELOG.md

@@ -1,22 +1,57 @@
 # Changelog
 
+## [v2.7.1](https://github.com/jwt/ruby-jwt/tree/v2.8.0) (2023-06-09)
 
-## [v2.5.0](https://github.com/jwt/ruby-jwt/tree/v2.5.0) (NEXT)
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.7.0...v2.8.0)
 
-[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.4.1...master)
+**Fixes and enhancements:**
+
+- Handle invalid algorithm when decoding JWT [#559](https://github.com/jwt/ruby-jwt/pull/559) - [@nataliastanko](https://github.com/nataliastanko)
+- Do not raise error when verifying bad HMAC signature [#563](https://github.com/jwt/ruby-jwt/pull/563) - [@hieuk09](https://github.com/hieuk09)
+
+## [v2.7.0](https://github.com/jwt/ruby-jwt/tree/v2.7.0) (2023-02-01)
+
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.6.0...v2.7.0)
+
+**Features:**
+
+- Support OKP (Ed25519) keys for JWKs [#540](https://github.com/jwt/ruby-jwt/pull/540) ([@anakinj](https://github.com/anakinj))
+- JWK Sets can now be used for tokens with nil kid [#543](https://github.com/jwt/ruby-jwt/pull/543) ([@bellebaum](https://github.com/bellebaum))
+
+**Fixes and enhancements:**
+
+- Fix issue with multiple keys returned by keyfinder and multiple allowed algorithms [#545](https://github.com/jwt/ruby-jwt/pull/545) ([@mpospelov](https://github.com/mpospelov))
+- Non-string `kid` header values are now rejected [#543](https://github.com/jwt/ruby-jwt/pull/543) ([@bellebaum](https://github.com/bellebaum))
+
+## [v2.6.0](https://github.com/jwt/ruby-jwt/tree/v2.6.0) (2022-12-22)
+
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.5.0...v2.6.0)
+
+**Features:**
+
+- Support custom algorithms by passing algorithm objects[#512](https://github.com/jwt/ruby-jwt/pull/512) ([@anakinj](https://github.com/anakinj)).
+- Support descriptive (not key related) JWK parameters[#520](https://github.com/jwt/ruby-jwt/pull/520) ([@bellebaum](https://github.com/bellebaum)).
+- Support for JSON Web Key Sets[#525](https://github.com/jwt/ruby-jwt/pull/525) ([@bellebaum](https://github.com/bellebaum)).
+- Support HMAC keys over 32 chars when using RbNaCl[#521](https://github.com/jwt/ruby-jwt/pull/521) ([@anakinj](https://github.com/anakinj)).
+
+**Fixes and enhancements:**
+
+- Raise descriptive error on empty hmac_secret and OpenSSL 3.0/openssl gem <3.0.1 [#530](https://github.com/jwt/ruby-jwt/pull/530) ([@jonmchan](https://github.com/jonmchan)).
+
+## [v2.5.0](https://github.com/jwt/ruby-jwt/tree/v2.5.0) (2022-08-25)
+
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.4.1...v2.5.0)
 
 **Features:**
 
 - Support JWK thumbprints as key ids [#481](https://github.com/jwt/ruby-jwt/pull/481) ([@anakinj](https://github.com/anakinj)).
-- Your contribution here
+- Support OpenSSL >= 3.0 [#496](https://github.com/jwt/ruby-jwt/pull/496) ([@anakinj](https://github.com/anakinj)).
 
 **Fixes and enhancements:**
 - Bring back the old Base64 (RFC2045) deocode mechanisms [#488](https://github.com/jwt/ruby-jwt/pull/488) ([@anakinj](https://github.com/anakinj)).
 - Rescue RbNaCl exception for EdDSA wrong key [#491](https://github.com/jwt/ruby-jwt/pull/491) ([@n-studio](https://github.com/n-studio)).
 - New parameter name for cases when kid is not found using JWK key loader proc [#501](https://github.com/jwt/ruby-jwt/pull/501) ([@anakinj](https://github.com/anakinj)).
 - Fix NoMethodError when a 2 segment token is missing 'alg' header [#502](https://github.com/jwt/ruby-jwt/pull/502) ([@cmrd-senya](https://github.com/cmrd-senya)).
-- Support OpenSSL >= 3.0 [#496](https://github.com/jwt/ruby-jwt/pull/496) ([@anakinj](https://github.com/anakinj)).
-- Your contribution here
 
 ## [v2.4.1](https://github.com/jwt/ruby-jwt/tree/v2.4.1) (2022-06-07)
 

data/CONTRIBUTING.md

@@ -12,19 +12,19 @@ git remote add upstream https://github.com/jwt/ruby-jwt
 
 ## Create a branch for your implementation
 
-Make sure you have the latest upstream master branch of the project.
+Make sure you have the latest upstream main branch of the project.
 
 ```
 git fetch --all
-git checkout master
-git rebase upstream/master
-git push origin master
+git checkout main
+git rebase upstream/main
+git push origin main
 git checkout -b fix-a-little-problem
 ```
 
 ## Running the tests and linter
 
-Before you start with your implementation make sure you are able to get a succesful test run with the current revision.
+Before you start with your implementation make sure you are able to get a successful test run with the current revision.
 
 The tests are written with rspec and [Appraisal](https://github.com/thoughtbot/appraisal) is used to ensure compatibility with 3rd party dependencies providing cryptographic features.
 
@@ -78,12 +78,12 @@ A maintainer will review and probably merge you changes when time allows, be pat
 
 ## Keeping your branch up-to-date
 
-It's recommended that you keep your branch up-to-date by rebasing to the upstream master.
+It's recommended that you keep your branch up-to-date by rebasing to the upstream main.
 
 ```
 git fetch upstream
 git checkout fix-a-little-problem
-git rebase upstream/master
+git rebase upstream/main
 git push origin fix-a-little-problem -f
 ```
 

data/README.md

@@ -1,11 +1,10 @@
 # JWT
 
 [![Gem Version](https://badge.fury.io/rb/jwt.svg)](https://badge.fury.io/rb/jwt)
-[![Build Status](https://github.com/jwt/ruby-jwt/workflows/test/badge.svg?branch=master)](https://github.com/jwt/ruby-jwt/actions)
+[![Build Status](https://github.com/jwt/ruby-jwt/workflows/test/badge.svg?branch=main)](https://github.com/jwt/ruby-jwt/actions)
 [![Code Climate](https://codeclimate.com/github/jwt/ruby-jwt/badges/gpa.svg)](https://codeclimate.com/github/jwt/ruby-jwt)
 [![Test Coverage](https://codeclimate.com/github/jwt/ruby-jwt/badges/coverage.svg)](https://codeclimate.com/github/jwt/ruby-jwt/coverage)
 [![Issue Count](https://codeclimate.com/github/jwt/ruby-jwt/badges/issue_count.svg)](https://codeclimate.com/github/jwt/ruby-jwt)
-[![SourceLevel](https://app.sourcelevel.io/github/jwt/-/ruby-jwt.svg)](https://app.sourcelevel.io/github/jwt/-/ruby-jwt)
 
 A ruby implementation of the [RFC 7519 OAuth JSON Web Token (JWT)](https://tools.ietf.org/html/rfc7519) standard.
 
@@ -78,7 +77,7 @@ puts decoded_token
 * HS512 - HMAC using SHA-512 hash algorithm
 
 ```ruby
-# The secret must be a string. A JWT::DecodeError will be raised if it isn't provided.
+# The secret must be a string. With OpenSSL 3.0/openssl gem `<3.0.1`, JWT::DecodeError will be raised if it isn't provided.
 hmac_secret = 'my$ecretK3y'
 
 token = JWT.encode payload, hmac_secret, 'HS256'
@@ -96,9 +95,9 @@ decoded_token = JWT.decode token, hmac_secret, true, { algorithm: 'HS256' }
 puts decoded_token
 ```
 
-Note: If [RbNaCl](https://github.com/cryptosphere/rbnacl) is loadable, ruby-jwt will use it for HMAC-SHA256, HMAC-SHA512-256, and HMAC-SHA512. RbNaCl enforces a maximum key size of 32 bytes for these algorithms.
+Note: If [RbNaCl](https://github.com/RubyCrypto/rbnacl) is loadable, ruby-jwt will use it for HMAC-SHA256, HMAC-SHA512-256, and HMAC-SHA512. RbNaCl prior to 6.0.0 only support a maximum key size of 32 bytes for these algorithms.
 
-[RbNaCl](https://github.com/cryptosphere/rbnacl) requires
+[RbNaCl](https://github.com/RubyCrypto/rbnacl) requires
 [libsodium](https://github.com/jedisct1/libsodium), it can be installed
 on MacOS with `brew install libsodium`.
 
@@ -160,7 +159,7 @@ In order to use this algorithm you need to add the `RbNaCl` gem to you `Gemfile`
 gem 'rbnacl'
 ```
 
-For more detailed installation instruction check the official [repository](https://github.com/cryptosphere/rbnacl) on GitHub.
+For more detailed installation instruction check the official [repository](https://github.com/RubyCrypto/rbnacl) on GitHub.
 
 * ED25519
 
@@ -212,6 +211,33 @@ decoded_token = JWT.decode token, rsa_public, true, { algorithm: 'PS256' }
 puts decoded_token
 ```
 
+### **Custom algorithms**
+
+An object implementing custom signing or verification behaviour can be passed in the `algorithm` option when encoding and decoding. The given object needs to implement the method `valid_alg?` and `verify` and/or `alg` and `sign`, depending if object is used for encoding or decoding.
+
+```ruby
+module CustomHS512Algorithm
+  def self.alg
+    'HS512'
+  end
+
+  def self.valid_alg?(alg_to_validate)
+    alg_to_validate == alg
+  end
+
+  def self.sign(data:, signing_key:)
+    OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha512'), data, signing_key)
+  end
+
+  def self.verify(data:, signature:, verification_key:)
+    ::OpenSSL.secure_compare(sign(data: data, signing_key: verification_key), signature)
+  end
+end
+
+token = ::JWT.encode({'pay' => 'load'}, 'secret', CustomHS512Algorithm)
+payload, header = ::JWT.decode(token, 'secret', true, algorithm: CustomHS512Algorithm)
+```
+
 ## Support for reserved claim names
 JSON Web Token defines some reserved claim names and defines how they should be
 used. JWT supports these reserved claim names:
@@ -543,73 +569,115 @@ end
 
 ### JSON Web Key (JWK)
 
-JWK is a JSON structure representing a cryptographic key. Currently only supports RSA, EC and HMAC keys. The `jwks` option can be given as a lambda that evaluates every time a kid is resolved.
+JWK is a JSON structure representing a cryptographic key. This gem currently supports RSA, EC, OKP and HMAC keys. OKP support requires [RbNaCl](https://github.com/RubyCrypto/rbnacl) and currently only supports the Ed25519 curve.
 
-If the kid is not found from the given set the loader will be called a second time with the `kid_not_found` option set to `true`. The application can choose to implement some kind of JWK cache invalidation or other mechanism to handle such cases.
+To encode a JWT using your JWK:
 
 ```ruby
-  jwk = JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), 'optional-kid')
-  payload = { data: 'data' }
-  headers = { kid: jwk.kid }
+optional_parameters = { kid: 'my-kid', use: 'sig', alg: 'RS512' }
+jwk = JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), optional_parameters)
 
-  token = JWT.encode(payload, jwk.keypair, 'RS512', headers)
+# Encoding
+payload = { data: 'data' }
+token = JWT.encode(payload, jwk.signing_key, jwk[:alg], kid: jwk[:kid])
 
-  # The jwk loader would fetch the set of JWKs from a trusted source,
-  # to avoid malicious requests triggering cache invalidations there needs to be some kind of grace time or other logic for determining the validity of the invalidation.
-  # This example only allows cache invalidations every 5 minutes.
-  jwk_loader = ->(options) do
-    if options[:kid_not_found] && @cache_last_update < Time.now.to_i - 300
-      logger.info("Invalidating JWK cache. #{options[:kid]} not found from previous cache")
-      @cached_keys = nil
-    end
-    @cached_keys ||= begin
-      @cache_last_update = Time.now.to_i
-      { keys: [jwk.export] }
-    end
-  end
-
-  begin
-    JWT.decode(token, nil, true, { algorithms: ['RS512'], jwks: jwk_loader })
-  rescue JWT::JWKError
-    # Handle problems with the provided JWKs
-  rescue JWT::DecodeError
-    # Handle other decode related issues e.g. no kid in header, no matching public key found etc.
-  end
+# JSON Web Key Set for advertising your signing keys
+jwks_hash = JWT::JWK::Set.new(jwk).export
 ```
 
-or by passing the JWKs as a simple Hash
+To decode a JWT using a trusted entity's JSON Web Key Set (JWKS):
 
+```ruby
+jwks = JWT::JWK::Set.new(jwks_hash)
+jwks.filter! {|key| key[:use] == 'sig' } # Signing keys only!
+algorithms = jwks.map { |key| key[:alg] }.compact.uniq
+JWT.decode(token, nil, true, algorithms: algorithms, jwks: jwks)
 ```
-jwks = { keys: [{ ... }] } # keys accepts both of string and symbol
-JWT.decode(token, nil, true, { algorithms: ['RS512'], jwks: jwks})
+
+
+The `jwks` option can also be given as a lambda that evaluates every time a kid is resolved.
+This can be used to implement caching of remotely fetched JWK Sets.
+
+If the requested `kid` is not found from the given set the loader will be called a second time with the `kid_not_found` option set to `true`.
+The application can choose to implement some kind of JWK cache invalidation or other mechanism to handle such cases.
+
+Tokens without a specified `kid` are rejected by default.
+This behaviour may be overwritten by setting the `allow_nil_kid` option for `decode` to `true`.
+
+```ruby
+jwks_loader = ->(options) do
+  # The jwk loader would fetch the set of JWKs from a trusted source.
+  # To avoid malicious requests triggering cache invalidations there needs to be
+  # some kind of grace time or other logic for determining the validity of the invalidation.
+  # This example only allows cache invalidations every 5 minutes.
+  if options[:kid_not_found] && @cache_last_update < Time.now.to_i - 300
+    logger.info("Invalidating JWK cache. #{options[:kid]} not found from previous cache")
+    @cached_keys = nil
+  end
+  @cached_keys ||= begin
+    @cache_last_update = Time.now.to_i
+    # Replace with your own JWKS fetching routine
+    jwks = JWT::JWK::Set.new(jwks_hash)
+    jwks.select! { |key| key[:use] == 'sig' } # Signing Keys only
+    jwks
+  end
+end
+
+begin
+  JWT.decode(token, nil, true, { algorithms: ['RS512'], jwks: jwks_loader })
+rescue JWT::JWKError
+  # Handle problems with the provided JWKs
+rescue JWT::DecodeError
+  # Handle other decode related issues e.g. no kid in header, no matching public key found etc.
+end
 ```
 
 ### Importing and exporting JSON Web Keys
 
-The ::JWT::JWK class can be used to import and export both the public key (default behaviour) and the private key. To include the private key in the export pass the `include_private` parameter to the export method.
+The ::JWT::JWK class can be used to import both JSON Web Keys and OpenSSL keys
+and export to either format with and without the private key included.
+
+To include the private key in the export pass the `include_private` parameter to the export method.
 
 ```ruby
-jwk = JWT::JWK.new(OpenSSL::PKey::RSA.new(2048))
+# Import a JWK Hash (showing an HMAC example)
+jwk = JWT::JWK.new({ kty: 'oct', k: 'my-secret', kid: 'my-kid' })
 
+# Import an OpenSSL key
+# You can optionally add descriptive parameters to the JWK
+desc_params = { kid: 'my-kid', use: 'sig' }
+jwk = JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), desc_params)
+
+# Export as JWK Hash (public key only by default)
 jwk_hash = jwk.export
 jwk_hash_with_private_key = jwk.export(include_private: true)
+
+# Export as OpenSSL key
+public_key = jwk.verify_key
+private_key = jwk.signing_key if jwk.private?
+
+# You can also import and export entire JSON Web Key Sets
+jwks_hash = { keys: [{ kty: 'oct', k: 'my-secret', kid: 'my-kid' }] }
+jwks = JWT::JWK::Set.new(jwks_hash)
+jwks_hash = jwks.export
 ```
 
 ### Key ID (kid) and JWKs
 
-The key id (kid) generation in the gem is a custom algorithm and not based on any standards. To use a standardized JWK thumbprint (RFC 7638) as the kid for JWKs a generator type can be specified in the global configuration or can be given to the JWK instance on initialization.
+The key id (kid) generation in the gem is a custom algorithm and not based on any standards.
+To use a standardized JWK thumbprint (RFC 7638) as the kid for JWKs a generator type can be specified in the global configuration
+or can be given to the JWK instance on initialization.
 
 ```ruby
 JWT.configuration.jwk.kid_generator_type = :rfc7638_thumbprint
 # OR
 JWT.configuration.jwk.kid_generator = ::JWT::JWK::Thumbprint
 # OR
-jwk = JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), kid_generator: ::JWT::JWK::Thumbprint)
+jwk = JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), nil, kid_generator: ::JWT::JWK::Thumbprint)
 
 jwk_hash = jwk.export
 
 thumbprint_as_the_kid = jwk_hash[:kid]
-
 ```
 
 # Development and Tests

data/lib/jwt/algos/algo_wrapper.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module JWT
+  module Algos
+    class AlgoWrapper
+      attr_reader :alg, :cls
+
+      def initialize(alg, cls)
+        @alg = alg
+        @cls = cls
+      end
+
+      def valid_alg?(alg_to_check)
+        alg&.casecmp(alg_to_check)&.zero? == true
+      end
+
+      def sign(data:, signing_key:)
+        cls.sign(alg, data, signing_key)
+      end
+
+      def verify(data:, signature:, verification_key:)
+        cls.verify(alg, verification_key, data, signature)
+      end
+    end
+  end
+end

data/lib/jwt/algos/ecdsa.rb

@@ -30,8 +30,7 @@ module JWT
 
       SUPPORTED = NAMED_CURVES.map { |_, c| c[:algorithm] }.uniq.freeze
 
-      def sign(to_sign)
-        algorithm, msg, key = to_sign.values
+      def sign(algorithm, msg, key)
         curve_definition = curve_by_name(key.group.curve_name)
         key_algorithm = curve_definition[:algorithm]
         if algorithm != key_algorithm
@@ -39,11 +38,10 @@ module JWT
         end
 
         digest = OpenSSL::Digest.new(curve_definition[:digest])
-        SecurityUtils.asn1_to_raw(key.dsa_sign_asn1(digest.digest(msg)), key)
+        asn1_to_raw(key.dsa_sign_asn1(digest.digest(msg)), key)
       end
 
-      def verify(to_verify)
-        algorithm, public_key, signing_input, signature = to_verify.values
+      def verify(algorithm, public_key, signing_input, signature)
         curve_definition = curve_by_name(public_key.group.curve_name)
         key_algorithm = curve_definition[:algorithm]
         if algorithm != key_algorithm
@@ -51,7 +49,9 @@ module JWT
         end
 
         digest = OpenSSL::Digest.new(curve_definition[:digest])
-        public_key.dsa_verify_asn1(digest.digest(signing_input), SecurityUtils.raw_to_asn1(signature, public_key))
+        public_key.dsa_verify_asn1(digest.digest(signing_input), raw_to_asn1(signature, public_key))
+      rescue OpenSSL::PKey::PKeyError
+        raise JWT::VerificationError, 'Signature verification raised'
       end
 
       def curve_by_name(name)
@@ -59,6 +59,18 @@ module JWT
           raise UnsupportedEcdsaCurve, "The ECDSA curve '#{name}' is not supported"
         end
       end
+
+      def raw_to_asn1(signature, private_key)
+        byte_size = (private_key.group.degree + 7) / 8
+        sig_bytes = signature[0..(byte_size - 1)]
+        sig_char = signature[byte_size..-1] || ''
+        OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
+      end
+
+      def asn1_to_raw(signature, public_key)
+        byte_size = (public_key.group.degree + 7) / 8
+        OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
+      end
     end
   end
 end

data/lib/jwt/algos/eddsa.rb

@@ -7,8 +7,7 @@ module JWT
 
       SUPPORTED = %w[ED25519 EdDSA].freeze
 
-      def sign(to_sign)
-        algorithm, msg, key = to_sign.values
+      def sign(algorithm, msg, key)
         if key.class != RbNaCl::Signatures::Ed25519::SigningKey
           raise EncodeError, "Key given is a #{key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey"
         end
@@ -19,8 +18,7 @@ module JWT
         key.sign(msg)
       end
 
-      def verify(to_verify)
-        algorithm, public_key, signing_input, signature = to_verify.values
+      def verify(algorithm, public_key, signing_input, signature)
         unless SUPPORTED.map(&:downcase).map(&:to_sym).include?(algorithm.downcase.to_sym)
           raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided"
         end

data/lib/jwt/algos/hmac.rb

@@ -5,32 +5,69 @@ module JWT
     module Hmac
       module_function
 
-      SUPPORTED = %w[HS256 HS512256 HS384 HS512].freeze
+      MAPPING = {
+        'HS256' => OpenSSL::Digest::SHA256,
+        'HS384' => OpenSSL::Digest::SHA384,
+        'HS512' => OpenSSL::Digest::SHA512
+      }.freeze
 
-      def sign(to_sign)
-        algorithm, msg, key = to_sign.values
+      SUPPORTED = MAPPING.keys
+
+      def sign(algorithm, msg, key)
         key ||= ''
-        authenticator, padded_key = SecurityUtils.rbnacl_fixup(algorithm, key)
-        if authenticator && padded_key
-          authenticator.auth(padded_key, msg.encode('binary'))
-        else
-          OpenSSL::HMAC.digest(OpenSSL::Digest.new(algorithm.sub('HS', 'sha')), key, msg)
+
+        raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
+
+        OpenSSL::HMAC.digest(MAPPING[algorithm].new, key, msg)
+      rescue OpenSSL::HMACError => e
+        if key == '' && e.message == 'EVP_PKEY_new_mac_key: malloc failure'
+          raise JWT::DecodeError, 'OpenSSL 3.0 does not support nil or empty hmac_secret'
         end
+
+        raise e
+      end
+
+      def verify(algorithm, key, signing_input, signature)
+        SecurityUtils.secure_compare(signature, sign(algorithm, signing_input, key))
       end
 
-      def verify(to_verify)
-        algorithm, public_key, signing_input, signature = to_verify.values
-        authenticator, padded_key = SecurityUtils.rbnacl_fixup(algorithm, public_key)
-        if authenticator && padded_key
-          begin
-            authenticator.verify(padded_key, signature.encode('binary'), signing_input.encode('binary'))
-          rescue RbNaCl::BadAuthenticatorError
-            false
+      # Copy of https://github.com/rails/rails/blob/v7.0.3.1/activesupport/lib/active_support/security_utils.rb
+      # rubocop:disable Naming/MethodParameterName, Style/StringLiterals, Style/NumericPredicate
+      module SecurityUtils
+        # Constant time string comparison, for fixed length strings.
+        #
+        # The values compared should be of fixed length, such as strings
+        # that have already been processed by HMAC. Raises in case of length mismatch.
+
+        if defined?(OpenSSL.fixed_length_secure_compare)
+          def fixed_length_secure_compare(a, b)
+            OpenSSL.fixed_length_secure_compare(a, b)
           end
         else
-          SecurityUtils.secure_compare(signature, sign(JWT::Signature::ToSign.new(algorithm, signing_input, public_key)))
+          def fixed_length_secure_compare(a, b)
+            raise ArgumentError, "string length mismatch." unless a.bytesize == b.bytesize
+
+            l = a.unpack "C#{a.bytesize}"
+
+            res = 0
+            b.each_byte { |byte| res |= byte ^ l.shift }
+            res == 0
+          end
+        end
+        module_function :fixed_length_secure_compare
+
+        # Secure string comparison for strings of variable length.
+        #
+        # While a timing attack would not be able to discern the content of
+        # a secret compared via secure_compare, it is possible to determine
+        # the secret length. This should be considered when using secure_compare
+        # to compare weak, short secrets to user input.
+        def secure_compare(a, b)
+          a.bytesize == b.bytesize && fixed_length_secure_compare(a, b)
         end
+        module_function :secure_compare
       end
+      # rubocop:enable Naming/MethodParameterName, Style/StringLiterals, Style/NumericPredicate
     end
   end
 end

data/lib/jwt/algos/hmac_rbnacl.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module JWT
+  module Algos
+    module HmacRbNaCl
+      module_function
+
+      MAPPING = {
+        'HS256' => ::RbNaCl::HMAC::SHA256,
+        'HS512256' => ::RbNaCl::HMAC::SHA512256,
+        'HS384' => nil,
+        'HS512' => ::RbNaCl::HMAC::SHA512
+      }.freeze
+
+      SUPPORTED = MAPPING.keys
+
+      def sign(algorithm, msg, key)
+        if (hmac = resolve_algorithm(algorithm))
+          hmac.auth(key_for_rbnacl(hmac, key).encode('binary'), msg.encode('binary'))
+        else
+          Hmac.sign(algorithm, msg, key)
+        end
+      end
+
+      def verify(algorithm, key, signing_input, signature)
+        if (hmac = resolve_algorithm(algorithm))
+          hmac.verify(key_for_rbnacl(hmac, key).encode('binary'), signature.encode('binary'), signing_input.encode('binary'))
+        else
+          Hmac.verify(algorithm, key, signing_input, signature)
+        end
+      rescue ::RbNaCl::BadAuthenticatorError, ::RbNaCl::LengthError
+        false
+      end
+
+      def key_for_rbnacl(hmac, key)
+        key ||= ''
+        raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
+
+        return padded_empty_key(hmac.key_bytes) if key == ''
+
+        key
+      end
+
+      def resolve_algorithm(algorithm)
+        MAPPING.fetch(algorithm)
+      end
+
+      def padded_empty_key(length)
+        Array.new(length, 0x0).pack('C*').encode('binary')
+      end
+    end
+  end
+end

data/lib/jwt/algos/hmac_rbnacl_fixed.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module JWT
+  module Algos
+    module HmacRbNaClFixed
+      module_function
+
+      MAPPING = {
+        'HS256' => ::RbNaCl::HMAC::SHA256,
+        'HS512256' => ::RbNaCl::HMAC::SHA512256,
+        'HS384' => nil,
+        'HS512' => ::RbNaCl::HMAC::SHA512
+      }.freeze
+
+      SUPPORTED = MAPPING.keys
+
+      def sign(algorithm, msg, key)
+        key ||= ''
+
+        raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
+
+        if (hmac = resolve_algorithm(algorithm)) && key.bytesize <= hmac.key_bytes
+          hmac.auth(padded_key_bytes(key, hmac.key_bytes), msg.encode('binary'))
+        else
+          Hmac.sign(algorithm, msg, key)
+        end
+      end
+
+      def verify(algorithm, key, signing_input, signature)
+        key ||= ''
+
+        raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
+
+        if (hmac = resolve_algorithm(algorithm)) && key.bytesize <= hmac.key_bytes
+          hmac.verify(padded_key_bytes(key, hmac.key_bytes), signature.encode('binary'), signing_input.encode('binary'))
+        else
+          Hmac.verify(algorithm, key, signing_input, signature)
+        end
+      rescue ::RbNaCl::BadAuthenticatorError, ::RbNaCl::LengthError
+        false
+      end
+
+      def resolve_algorithm(algorithm)
+        MAPPING.fetch(algorithm)
+      end
+
+      def padded_key_bytes(key, bytesize)
+        key.bytes.fill(0, key.bytesize...bytesize).pack('C*')
+      end
+    end
+  end
+end

data/lib/jwt/algos/none.rb

@@ -7,7 +7,9 @@ module JWT
 
       SUPPORTED = %w[none].freeze
 
-      def sign(*); end
+      def sign(*)
+        ''
+      end
 
       def verify(*)
         true