jwt 2.6.0 → 2.7.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6c18ec5fbed5aff7aa65bfe9e7893583c677d0d18269c1ebd9cff7761916e298
-  data.tar.gz: e1e270fff52673d769982888b97c741a4b5c38b34214ee9d547857c0244ff0db
+  metadata.gz: 11007e8ec36d148026cd5b6761681b0a71437b7b461efba4ae492622fc5ff27b
+  data.tar.gz: 8090bbba3dce57e42cc203ef168d3d00c624e79e076de0e949b4390b531b4d55
 SHA512:
-  metadata.gz: 452b6056da93ed535d8e93fc17d3ec69105a623b217f38d816ab1dc298dbcb93b1e45143732c3d13b752f421495e3b56f8cf51b5a8a802570bc5832072f28a26
-  data.tar.gz: 0a5616fd089942547a6222eb6a7fd22f7825e0b7f219336a6e5904f58ede7bf58e454390c2ebcb2cc026951549d739661c515db1ec3cda9d2ede7009ea668bc8
+  metadata.gz: a035f44be760ad325105329cbaec12e90515afdade9649e798ee5c7cefced3271d4f3084afeef693c03c961541d9e5e45b2876734d1947dccdd24cc194acbca2
+  data.tar.gz: 61e3d071ce44809767f3501f12b452cae574f9ea0de668ca937731838d58e2a9fa85831829ce564f6a015177a86b2a05b1b6ddf60ba34ac515ea12c69ac618fe

data/CHANGELOG.md

@@ -1,5 +1,28 @@
 # Changelog
 
+## [v2.7.1](https://github.com/jwt/ruby-jwt/tree/v2.8.0) (2023-06-09)
+
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.7.0...v2.8.0)
+
+**Fixes and enhancements:**
+
+- Handle invalid algorithm when decoding JWT [#559](https://github.com/jwt/ruby-jwt/pull/559) - [@nataliastanko](https://github.com/nataliastanko)
+- Do not raise error when verifying bad HMAC signature [#563](https://github.com/jwt/ruby-jwt/pull/563) - [@hieuk09](https://github.com/hieuk09)
+
+## [v2.7.0](https://github.com/jwt/ruby-jwt/tree/v2.7.0) (2023-02-01)
+
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.6.0...v2.7.0)
+
+**Features:**
+
+- Support OKP (Ed25519) keys for JWKs [#540](https://github.com/jwt/ruby-jwt/pull/540) ([@anakinj](https://github.com/anakinj))
+- JWK Sets can now be used for tokens with nil kid [#543](https://github.com/jwt/ruby-jwt/pull/543) ([@bellebaum](https://github.com/bellebaum))
+
+**Fixes and enhancements:**
+
+- Fix issue with multiple keys returned by keyfinder and multiple allowed algorithms [#545](https://github.com/jwt/ruby-jwt/pull/545) ([@mpospelov](https://github.com/mpospelov))
+- Non-string `kid` header values are now rejected [#543](https://github.com/jwt/ruby-jwt/pull/543) ([@bellebaum](https://github.com/bellebaum))
+
 ## [v2.6.0](https://github.com/jwt/ruby-jwt/tree/v2.6.0) (2022-12-22)
 
 [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.5.0...v2.6.0)
@@ -13,7 +36,7 @@
 
 **Fixes and enhancements:**
 
-- Raise descriptive error on empty hmac_secret and OpenSSL 3.0/openssl gem <3.0.1[#530](https://github.com/jwt/ruby-jwt/pull/530) ([@jonmchan](https://github.com/jonmchan)).
+- Raise descriptive error on empty hmac_secret and OpenSSL 3.0/openssl gem <3.0.1 [#530](https://github.com/jwt/ruby-jwt/pull/530) ([@jonmchan](https://github.com/jonmchan)).
 
 ## [v2.5.0](https://github.com/jwt/ruby-jwt/tree/v2.5.0) (2022-08-25)
 

data/README.md

@@ -569,7 +569,7 @@ end
 
 ### JSON Web Key (JWK)
 
-JWK is a JSON structure representing a cryptographic key. This gem currently supports RSA, EC and HMAC keys.
+JWK is a JSON structure representing a cryptographic key. This gem currently supports RSA, EC, OKP and HMAC keys. OKP support requires [RbNaCl](https://github.com/RubyCrypto/rbnacl) and currently only supports the Ed25519 curve.
 
 To encode a JWT using your JWK:
 
@@ -579,7 +579,7 @@ jwk = JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), optional_parameters)
 
 # Encoding
 payload = { data: 'data' }
-token = JWT.encode(payload, jwk.keypair, jwk[:alg], kid: jwk[:kid])
+token = JWT.encode(payload, jwk.signing_key, jwk[:alg], kid: jwk[:kid])
 
 # JSON Web Key Set for advertising your signing keys
 jwks_hash = JWT::JWK::Set.new(jwk).export
@@ -601,6 +601,9 @@ This can be used to implement caching of remotely fetched JWK Sets.
 If the requested `kid` is not found from the given set the loader will be called a second time with the `kid_not_found` option set to `true`.
 The application can choose to implement some kind of JWK cache invalidation or other mechanism to handle such cases.
 
+Tokens without a specified `kid` are rejected by default.
+This behaviour may be overwritten by setting the `allow_nil_kid` option for `decode` to `true`.
+
 ```ruby
 jwks_loader = ->(options) do
   # The jwk loader would fetch the set of JWKs from a trusted source.
@@ -650,8 +653,8 @@ jwk_hash = jwk.export
 jwk_hash_with_private_key = jwk.export(include_private: true)
 
 # Export as OpenSSL key
-public_key = jwk.public_key
-private_key = jwk.keypair if jwk.private?
+public_key = jwk.verify_key
+private_key = jwk.signing_key if jwk.private?
 
 # You can also import and export entire JSON Web Key Sets
 jwks_hash = { keys: [{ kty: 'oct', k: 'my-secret', kid: 'my-kid' }] }

data/lib/jwt/algos/algo_wrapper.rb

@@ -11,7 +11,7 @@ module JWT
       end
 
       def valid_alg?(alg_to_check)
-        alg.casecmp(alg_to_check)&.zero? == true
+        alg&.casecmp(alg_to_check)&.zero? == true
       end
 
       def sign(data:, signing_key:)
@@ -20,10 +20,6 @@ module JWT
 
       def verify(data:, signature:, verification_key:)
         cls.verify(alg, verification_key, data, signature)
-      rescue OpenSSL::PKey::PKeyError # These should be moved to the algorithms that actually need this, but left here to ensure nothing will break.
-        raise JWT::VerificationError, 'Signature verification raised'
-      ensure
-        OpenSSL.errors.clear
       end
     end
   end

data/lib/jwt/algos/ecdsa.rb

@@ -38,7 +38,7 @@ module JWT
         end
 
         digest = OpenSSL::Digest.new(curve_definition[:digest])
-        SecurityUtils.asn1_to_raw(key.dsa_sign_asn1(digest.digest(msg)), key)
+        asn1_to_raw(key.dsa_sign_asn1(digest.digest(msg)), key)
       end
 
       def verify(algorithm, public_key, signing_input, signature)
@@ -49,7 +49,9 @@ module JWT
         end
 
         digest = OpenSSL::Digest.new(curve_definition[:digest])
-        public_key.dsa_verify_asn1(digest.digest(signing_input), SecurityUtils.raw_to_asn1(signature, public_key))
+        public_key.dsa_verify_asn1(digest.digest(signing_input), raw_to_asn1(signature, public_key))
+      rescue OpenSSL::PKey::PKeyError
+        raise JWT::VerificationError, 'Signature verification raised'
       end
 
       def curve_by_name(name)
@@ -57,6 +59,18 @@ module JWT
           raise UnsupportedEcdsaCurve, "The ECDSA curve '#{name}' is not supported"
         end
       end
+
+      def raw_to_asn1(signature, private_key)
+        byte_size = (private_key.group.degree + 7) / 8
+        sig_bytes = signature[0..(byte_size - 1)]
+        sig_char = signature[byte_size..-1] || ''
+        OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
+      end
+
+      def asn1_to_raw(signature, public_key)
+        byte_size = (public_key.group.degree + 7) / 8
+        OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
+      end
     end
   end
 end

data/lib/jwt/algos/hmac_rbnacl.rb

@@ -28,7 +28,7 @@ module JWT
         else
           Hmac.verify(algorithm, key, signing_input, signature)
         end
-      rescue ::RbNaCl::BadAuthenticatorError
+      rescue ::RbNaCl::BadAuthenticatorError, ::RbNaCl::LengthError
         false
       end
 

data/lib/jwt/algos/hmac_rbnacl_fixed.rb

@@ -36,7 +36,7 @@ module JWT
         else
           Hmac.verify(algorithm, key, signing_input, signature)
         end
-      rescue ::RbNaCl::BadAuthenticatorError
+      rescue ::RbNaCl::BadAuthenticatorError, ::RbNaCl::LengthError
         false
       end
 

data/lib/jwt/algos/ps.rb

@@ -12,9 +12,7 @@ module JWT
       def sign(algorithm, msg, key)
         require_openssl!
 
-        key_class = key.class
-
-        raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance." if key_class == String
+        raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance." if key.is_a?(String)
 
         translated_algorithm = algorithm.sub('PS', 'sha')
 
@@ -23,8 +21,10 @@ module JWT
 
       def verify(algorithm, public_key, signing_input, signature)
         require_openssl!
-
-        SecurityUtils.verify_ps(algorithm, public_key, signing_input, signature)
+        translated_algorithm = algorithm.sub('PS', 'sha')
+        public_key.verify_pss(translated_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: translated_algorithm)
+      rescue OpenSSL::PKey::PKeyError
+        raise JWT::VerificationError, 'Signature verification raised'
       end
 
       def require_openssl!

data/lib/jwt/algos/rsa.rb

@@ -14,7 +14,9 @@ module JWT
       end
 
       def verify(algorithm, public_key, signing_input, signature)
-        SecurityUtils.verify_rsa(algorithm, public_key, signing_input, signature)
+        public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
+      rescue OpenSSL::PKey::PKeyError
+        raise JWT::VerificationError, 'Signature verification raised'
       end
     end
   end

data/lib/jwt/algos.rb

@@ -7,7 +7,6 @@ rescue LoadError
 end
 require 'openssl'
 
-require 'jwt/security_utils'
 require 'jwt/algos/hmac'
 require 'jwt/algos/eddsa'
 require 'jwt/algos/ecdsa'

data/lib/jwt/decode.rb

@@ -52,25 +52,25 @@ module JWT
     def verify_algo
       raise(JWT::IncorrectAlgorithm, 'An algorithm must be specified') if allowed_algorithms.empty?
       raise(JWT::IncorrectAlgorithm, 'Token is missing alg header') unless alg_in_header
-      raise(JWT::IncorrectAlgorithm, 'Expected a different algorithm') unless valid_alg_in_header?
+      raise(JWT::IncorrectAlgorithm, 'Expected a different algorithm') if allowed_and_valid_algorithms.empty?
     end
 
     def set_key
       @key = find_key(&@keyfinder) if @keyfinder
-      @key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks]).key_for(header['kid']) if @options[:jwks]
+      @key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks], allow_nil_kid: @options[:allow_nil_kid]).key_for(header['kid']) if @options[:jwks]
       if (x5c_options = @options[:x5c])
         @key = X5cKeyFinder.new(x5c_options[:root_certificates], x5c_options[:crls]).from(header['x5c'])
       end
     end
 
     def verify_signature_for?(key)
-      allowed_algorithms.any? do |alg|
+      allowed_and_valid_algorithms.any? do |alg|
         alg.verify(data: signing_input, signature: @signature, verification_key: key)
       end
     end
 
-    def valid_alg_in_header?
-      allowed_algorithms.any? { |alg| alg.valid_alg?(alg_in_header) }
+    def allowed_and_valid_algorithms
+      @allowed_and_valid_algorithms ||= allowed_algorithms.select { |alg| alg.valid_alg?(alg_in_header) }
     end
 
     # Order is very important - first check for string keys, next for symbols

data/lib/jwt/jwk/ec.rb

@@ -5,9 +5,6 @@ require 'forwardable'
 module JWT
   module JWK
     class EC < KeyBase # rubocop:disable Metrics/ClassLength
-      extend Forwardable
-      def_delegators :keypair, :public_key
-
       KTY    = 'EC'
       KTYS   = [KTY, OpenSSL::PKey::EC, JWT::JWK::EC].freeze
       BINARY = 2
@@ -24,17 +21,29 @@ module JWT
         key_params = extract_key_params(key)
 
         params = params.transform_keys(&:to_sym)
-        check_jwk(key_params, params)
+        check_jwk_params!(key_params, params)
 
         super(options, key_params.merge(params))
       end
 
       def keypair
-        @keypair ||= create_ec_key(self[:crv], self[:x], self[:y], self[:d])
+        ec_key
       end
 
       def private?
-        keypair.private_key?
+        ec_key.private_key?
+      end
+
+      def signing_key
+        ec_key
+      end
+
+      def verify_key
+        ec_key
+      end
+
+      def public_key
+        ec_key
       end
 
       def members
@@ -48,7 +57,7 @@ module JWT
       end
 
       def key_digest
-        _crv, x_octets, y_octets = keypair_components(keypair)
+        _crv, x_octets, y_octets = keypair_components(ec_key)
         sequence = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(x_octets, BINARY)),
                                             OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(y_octets, BINARY))])
         OpenSSL::Digest::SHA256.hexdigest(sequence.to_der)
@@ -64,12 +73,16 @@ module JWT
 
       private
 
+      def ec_key
+        @ec_key ||= create_ec_key(self[:crv], self[:x], self[:y], self[:d])
+      end
+
       def extract_key_params(key)
         case key
         when JWT::JWK::EC
           key.export(include_private: true)
         when OpenSSL::PKey::EC # Accept OpenSSL key as input
-          @keypair = key # Preserve the object to avoid recreation
+          @ec_key = key # Preserve the object to avoid recreation
           parse_ec_key(key)
         when Hash
           key.transform_keys(&:to_sym)
@@ -78,10 +91,10 @@ module JWT
         end
       end
 
-      def check_jwk(keypair, params)
+      def check_jwk_params!(key_params, params)
         raise ArgumentError, 'cannot overwrite cryptographic key attributes' unless (EC_KEY_ELEMENTS & params.keys).empty?
-        raise JWT::JWKError, "Incorrect 'kty' value: #{keypair[:kty]}, expected #{KTY}" unless keypair[:kty] == KTY
-        raise JWT::JWKError, 'Key format is invalid for EC' unless keypair[:crv] && keypair[:x] && keypair[:y]
+        raise JWT::JWKError, "Incorrect 'kty' value: #{key_params[:kty]}, expected #{KTY}" unless key_params[:kty] == KTY
+        raise JWT::JWKError, 'Key format is invalid for EC' unless key_params[:crv] && key_params[:x] && key_params[:y]
       end
 
       def keypair_components(ec_keypair)

data/lib/jwt/jwk/hmac.rb

@@ -24,7 +24,7 @@ module JWT
       end
 
       def keypair
-        self[:k]
+        secret
       end
 
       def private?
@@ -35,6 +35,14 @@ module JWT
         nil
       end
 
+      def verify_key
+        secret
+      end
+
+      def signing_key
+        secret
+      end
+
       # See https://tools.ietf.org/html/rfc7517#appendix-A.3
       def export(options = {})
         exported = parameters.clone
@@ -46,8 +54,6 @@ module JWT
         HMAC_KEY_ELEMENTS.each_with_object({}) { |i, h| h[i] = self[i] }
       end
 
-      alias signing_key keypair # for backwards compatibility
-
       def key_digest
         sequence = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::UTF8String.new(signing_key),
                                             OpenSSL::ASN1::UTF8String.new(KTY)])
@@ -64,6 +70,10 @@ module JWT
 
       private
 
+      def secret
+        self[:k]
+      end
+
       def extract_key_params(key)
         case key
         when JWT::JWK::HMAC

data/lib/jwt/jwk/key_finder.rb

@@ -4,6 +4,7 @@ module JWT
   module JWK
     class KeyFinder
       def initialize(options)
+        @allow_nil_kid = options[:allow_nil_kid]
         jwks_or_loader = options[:jwks]
 
         @jwks_loader = if jwks_or_loader.respond_to?(:call)
@@ -14,28 +15,31 @@ module JWT
       end
 
       def key_for(kid)
-        raise ::JWT::DecodeError, 'No key id (kid) found from token headers' unless kid
+        raise ::JWT::DecodeError, 'No key id (kid) found from token headers' unless kid || @allow_nil_kid
+        raise ::JWT::DecodeError, 'Invalid type for kid header parameter' unless kid.nil? || kid.is_a?(String)
 
         jwk = resolve_key(kid)
 
         raise ::JWT::DecodeError, 'No keys found in jwks' unless @jwks.any?
         raise ::JWT::DecodeError, "Could not find public key for kid #{kid}" unless jwk
 
-        jwk.keypair
+        jwk.verify_key
       end
 
       private
 
       def resolve_key(kid)
+        key_matcher = ->(key) { (kid.nil? && @allow_nil_kid) || key[:kid] == kid }
+
         # First try without invalidation to facilitate application caching
         @jwks ||= JWT::JWK::Set.new(@jwks_loader.call(kid: kid))
-        jwk = @jwks.find { |key| key[:kid] == kid }
+        jwk = @jwks.find { |key| key_matcher.call(key) }
 
         return jwk if jwk
 
         # Second try, invalidate for backwards compatibility
         @jwks = JWT::JWK::Set.new(@jwks_loader.call(invalidate: true, kid_not_found: true, kid: kid))
-        @jwks.find { |key| key[:kid] == kid }
+        @jwks.find { |key| key_matcher.call(key) }
       end
     end
   end

data/lib/jwt/jwk/okp_rbnacl.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+module JWT
+  module JWK
+    class OKPRbNaCl < KeyBase
+      KTY  = 'OKP'
+      KTYS = [KTY, JWT::JWK::OKPRbNaCl, RbNaCl::Signatures::Ed25519::SigningKey, RbNaCl::Signatures::Ed25519::VerifyKey].freeze
+      OKP_PUBLIC_KEY_ELEMENTS = %i[kty n x].freeze
+      OKP_PRIVATE_KEY_ELEMENTS = %i[d].freeze
+
+      def initialize(key, params = nil, options = {})
+        params ||= {}
+
+        # For backwards compatibility when kid was a String
+        params = { kid: params } if params.is_a?(String)
+
+        key_params = extract_key_params(key)
+
+        params = params.transform_keys(&:to_sym)
+        check_jwk_params!(key_params, params)
+        super(options, key_params.merge(params))
+      end
+
+      def verify_key
+        return @verify_key if defined?(@verify_key)
+
+        @verify_key = verify_key_from_parameters
+      end
+
+      def signing_key
+        return @signing_key if defined?(@signing_key)
+
+        @signing_key = signing_key_from_parameters
+      end
+
+      def key_digest
+        Thumbprint.new(self).to_s
+      end
+
+      def private?
+        !signing_key.nil?
+      end
+
+      def members
+        OKP_PUBLIC_KEY_ELEMENTS.each_with_object({}) { |i, h| h[i] = self[i] }
+      end
+
+      def export(options = {})
+        exported = parameters.clone
+        exported.reject! { |k, _| OKP_PRIVATE_KEY_ELEMENTS.include?(k) } unless private? && options[:include_private] == true
+        exported
+      end
+
+      private
+
+      def extract_key_params(key)
+        case key
+        when JWT::JWK::KeyBase
+          key.export(include_private: true)
+        when RbNaCl::Signatures::Ed25519::SigningKey
+          @signing_key = key
+          @verify_key = key.verify_key
+          parse_okp_key_params(@verify_key, @signing_key)
+        when RbNaCl::Signatures::Ed25519::VerifyKey
+          @signing_key = nil
+          @verify_key = key
+          parse_okp_key_params(@verify_key)
+        when Hash
+          key.transform_keys(&:to_sym)
+        else
+          raise ArgumentError, 'key must be of type RbNaCl::Signatures::Ed25519::SigningKey, RbNaCl::Signatures::Ed25519::VerifyKey or Hash with key parameters'
+        end
+      end
+
+      def check_jwk_params!(key_params, _given_params)
+        raise JWT::JWKError, "Incorrect 'kty' value: #{key_params[:kty]}, expected #{KTY}" unless key_params[:kty] == KTY
+      end
+
+      def parse_okp_key_params(verify_key, signing_key = nil)
+        params = {
+          kty: KTY,
+          crv: 'Ed25519',
+          x: ::JWT::Base64.url_encode(verify_key.to_bytes)
+        }
+
+        if signing_key
+          params[:d] = ::JWT::Base64.url_encode(signing_key.to_bytes)
+        end
+
+        params
+      end
+
+      def verify_key_from_parameters
+        RbNaCl::Signatures::Ed25519::VerifyKey.new(::JWT::Base64.url_decode(self[:x]))
+      end
+
+      def signing_key_from_parameters
+        return nil unless self[:d]
+
+        RbNaCl::Signatures::Ed25519::SigningKey.new(::JWT::Base64.url_decode(self[:d]))
+      end
+
+      class << self
+        def import(jwk_data)
+          new(jwk_data)
+        end
+      end
+    end
+  end
+end

data/lib/jwt/jwk/rsa.rb

@@ -22,21 +22,29 @@ module JWT
         key_params = extract_key_params(key)
 
         params = params.transform_keys(&:to_sym)
-        check_jwk(key_params, params)
+        check_jwk_params!(key_params, params)
 
         super(options, key_params.merge(params))
       end
 
       def keypair
-        @keypair ||= self.class.create_rsa_key(jwk_attributes(*(RSA_KEY_ELEMENTS - [:kty])))
+        rsa_key
       end
 
       def private?
-        keypair.private?
+        rsa_key.private?
       end
 
       def public_key
-        keypair.public_key
+        rsa_key.public_key
+      end
+
+      def signing_key
+        rsa_key if private?
+      end
+
+      def verify_key
+        rsa_key.public_key
       end
 
       def export(options = {})
@@ -65,12 +73,16 @@ module JWT
 
       private
 
+      def rsa_key
+        @rsa_key ||= self.class.create_rsa_key(jwk_attributes(*(RSA_KEY_ELEMENTS - [:kty])))
+      end
+
       def extract_key_params(key)
         case key
         when JWT::JWK::RSA
           key.export(include_private: true)
         when OpenSSL::PKey::RSA # Accept OpenSSL key as input
-          @keypair = key # Preserve the object to avoid recreation
+          @rsa_key = key # Preserve the object to avoid recreation
           parse_rsa_key(key)
         when Hash
           key.transform_keys(&:to_sym)
@@ -79,10 +91,10 @@ module JWT
         end
       end
 
-      def check_jwk(keypair, params)
+      def check_jwk_params!(key_params, params)
         raise ArgumentError, 'cannot overwrite cryptographic key attributes' unless (RSA_KEY_ELEMENTS & params.keys).empty?
-        raise JWT::JWKError, "Incorrect 'kty' value: #{keypair[:kty]}, expected #{KTY}" unless keypair[:kty] == KTY
-        raise JWT::JWKError, 'Key format is invalid for RSA' unless keypair[:n] && keypair[:e]
+        raise JWT::JWKError, "Incorrect 'kty' value: #{key_params[:kty]}, expected #{KTY}" unless key_params[:kty] == KTY
+        raise JWT::JWKError, 'Key format is invalid for RSA' unless key_params[:n] && key_params[:e]
       end
 
       def parse_rsa_key(key)

data/lib/jwt/jwk.rb

@@ -52,3 +52,4 @@ require_relative 'jwk/key_base'
 require_relative 'jwk/ec'
 require_relative 'jwk/rsa'
 require_relative 'jwk/hmac'
+require_relative 'jwk/okp_rbnacl' if ::JWT.rbnacl?

data/lib/jwt/version.rb

@@ -11,9 +11,9 @@ module JWT
     # major version
     MAJOR = 2
     # minor version
-    MINOR = 6
+    MINOR = 7
     # tiny version
-    TINY  = 0
+    TINY  = 1
     # alpha, beta, etc. tag
     PRE   = nil
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 2.6.0
+  version: 2.7.1
 platform: ruby
 authors:
 - Tim Rudat
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-12-22 00:00:00.000000000 Z
+date: 2023-06-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: appraisal
@@ -121,10 +121,10 @@ files:
 - lib/jwt/jwk/key_base.rb
 - lib/jwt/jwk/key_finder.rb
 - lib/jwt/jwk/kid_as_key_digest.rb
+- lib/jwt/jwk/okp_rbnacl.rb
 - lib/jwt/jwk/rsa.rb
 - lib/jwt/jwk/set.rb
 - lib/jwt/jwk/thumbprint.rb
-- lib/jwt/security_utils.rb
 - lib/jwt/verify.rb
 - lib/jwt/version.rb
 - lib/jwt/x5c_key_finder.rb
@@ -134,7 +134,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
-  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.6.0/CHANGELOG.md
+  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.7.1/CHANGELOG.md
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []

data/lib/jwt/security_utils.rb

@@ -1,32 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  # Collection of security methods
-  #
-  # @see: https://github.com/rails/rails/blob/master/activesupport/lib/active_support/security_utils.rb
-  module SecurityUtils
-    module_function
-
-    def verify_rsa(algorithm, public_key, signing_input, signature)
-      public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
-    end
-
-    def verify_ps(algorithm, public_key, signing_input, signature)
-      formatted_algorithm = algorithm.sub('PS', 'sha')
-
-      public_key.verify_pss(formatted_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: formatted_algorithm)
-    end
-
-    def asn1_to_raw(signature, public_key)
-      byte_size = (public_key.group.degree + 7) / 8
-      OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
-    end
-
-    def raw_to_asn1(signature, private_key)
-      byte_size = (private_key.group.degree + 7) / 8
-      sig_bytes = signature[0..(byte_size - 1)]
-      sig_char = signature[byte_size..-1] || ''
-      OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
-    end
-  end
-end