jwt 2.7.0 → 2.7.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +9 -0
- data/README.md +1 -1
- data/lib/jwt/algos/algo_wrapper.rb +1 -5
- data/lib/jwt/algos/ecdsa.rb +16 -2
- data/lib/jwt/algos/hmac_rbnacl.rb +1 -1
- data/lib/jwt/algos/hmac_rbnacl_fixed.rb +1 -1
- data/lib/jwt/algos/ps.rb +5 -5
- data/lib/jwt/algos/rsa.rb +3 -1
- data/lib/jwt/algos.rb +0 -1
- data/lib/jwt/version.rb +1 -1
- metadata +3 -4
- data/lib/jwt/security_utils.rb +0 -32
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 11007e8ec36d148026cd5b6761681b0a71437b7b461efba4ae492622fc5ff27b
|
|
4
|
+
data.tar.gz: 8090bbba3dce57e42cc203ef168d3d00c624e79e076de0e949b4390b531b4d55
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a035f44be760ad325105329cbaec12e90515afdade9649e798ee5c7cefced3271d4f3084afeef693c03c961541d9e5e45b2876734d1947dccdd24cc194acbca2
|
|
7
|
+
data.tar.gz: 61e3d071ce44809767f3501f12b452cae574f9ea0de668ca937731838d58e2a9fa85831829ce564f6a015177a86b2a05b1b6ddf60ba34ac515ea12c69ac618fe
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,14 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## [v2.7.1](https://github.com/jwt/ruby-jwt/tree/v2.8.0) (2023-06-09)
|
|
4
|
+
|
|
5
|
+
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.7.0...v2.8.0)
|
|
6
|
+
|
|
7
|
+
**Fixes and enhancements:**
|
|
8
|
+
|
|
9
|
+
- Handle invalid algorithm when decoding JWT [#559](https://github.com/jwt/ruby-jwt/pull/559) - [@nataliastanko](https://github.com/nataliastanko)
|
|
10
|
+
- Do not raise error when verifying bad HMAC signature [#563](https://github.com/jwt/ruby-jwt/pull/563) - [@hieuk09](https://github.com/hieuk09)
|
|
11
|
+
|
|
3
12
|
## [v2.7.0](https://github.com/jwt/ruby-jwt/tree/v2.7.0) (2023-02-01)
|
|
4
13
|
|
|
5
14
|
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.6.0...v2.7.0)
|
data/README.md
CHANGED
|
@@ -602,7 +602,7 @@ If the requested `kid` is not found from the given set the loader will be called
|
|
|
602
602
|
The application can choose to implement some kind of JWK cache invalidation or other mechanism to handle such cases.
|
|
603
603
|
|
|
604
604
|
Tokens without a specified `kid` are rejected by default.
|
|
605
|
-
This behaviour may be overwritten by setting the `
|
|
605
|
+
This behaviour may be overwritten by setting the `allow_nil_kid` option for `decode` to `true`.
|
|
606
606
|
|
|
607
607
|
```ruby
|
|
608
608
|
jwks_loader = ->(options) do
|
|
@@ -11,7 +11,7 @@ module JWT
|
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
def valid_alg?(alg_to_check)
|
|
14
|
-
alg
|
|
14
|
+
alg&.casecmp(alg_to_check)&.zero? == true
|
|
15
15
|
end
|
|
16
16
|
|
|
17
17
|
def sign(data:, signing_key:)
|
|
@@ -20,10 +20,6 @@ module JWT
|
|
|
20
20
|
|
|
21
21
|
def verify(data:, signature:, verification_key:)
|
|
22
22
|
cls.verify(alg, verification_key, data, signature)
|
|
23
|
-
rescue OpenSSL::PKey::PKeyError # These should be moved to the algorithms that actually need this, but left here to ensure nothing will break.
|
|
24
|
-
raise JWT::VerificationError, 'Signature verification raised'
|
|
25
|
-
ensure
|
|
26
|
-
OpenSSL.errors.clear
|
|
27
23
|
end
|
|
28
24
|
end
|
|
29
25
|
end
|
data/lib/jwt/algos/ecdsa.rb
CHANGED
|
@@ -38,7 +38,7 @@ module JWT
|
|
|
38
38
|
end
|
|
39
39
|
|
|
40
40
|
digest = OpenSSL::Digest.new(curve_definition[:digest])
|
|
41
|
-
|
|
41
|
+
asn1_to_raw(key.dsa_sign_asn1(digest.digest(msg)), key)
|
|
42
42
|
end
|
|
43
43
|
|
|
44
44
|
def verify(algorithm, public_key, signing_input, signature)
|
|
@@ -49,7 +49,9 @@ module JWT
|
|
|
49
49
|
end
|
|
50
50
|
|
|
51
51
|
digest = OpenSSL::Digest.new(curve_definition[:digest])
|
|
52
|
-
public_key.dsa_verify_asn1(digest.digest(signing_input),
|
|
52
|
+
public_key.dsa_verify_asn1(digest.digest(signing_input), raw_to_asn1(signature, public_key))
|
|
53
|
+
rescue OpenSSL::PKey::PKeyError
|
|
54
|
+
raise JWT::VerificationError, 'Signature verification raised'
|
|
53
55
|
end
|
|
54
56
|
|
|
55
57
|
def curve_by_name(name)
|
|
@@ -57,6 +59,18 @@ module JWT
|
|
|
57
59
|
raise UnsupportedEcdsaCurve, "The ECDSA curve '#{name}' is not supported"
|
|
58
60
|
end
|
|
59
61
|
end
|
|
62
|
+
|
|
63
|
+
def raw_to_asn1(signature, private_key)
|
|
64
|
+
byte_size = (private_key.group.degree + 7) / 8
|
|
65
|
+
sig_bytes = signature[0..(byte_size - 1)]
|
|
66
|
+
sig_char = signature[byte_size..-1] || ''
|
|
67
|
+
OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
|
|
68
|
+
end
|
|
69
|
+
|
|
70
|
+
def asn1_to_raw(signature, public_key)
|
|
71
|
+
byte_size = (public_key.group.degree + 7) / 8
|
|
72
|
+
OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
|
|
73
|
+
end
|
|
60
74
|
end
|
|
61
75
|
end
|
|
62
76
|
end
|
data/lib/jwt/algos/ps.rb
CHANGED
|
@@ -12,9 +12,7 @@ module JWT
|
|
|
12
12
|
def sign(algorithm, msg, key)
|
|
13
13
|
require_openssl!
|
|
14
14
|
|
|
15
|
-
key_class
|
|
16
|
-
|
|
17
|
-
raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance." if key_class == String
|
|
15
|
+
raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance." if key.is_a?(String)
|
|
18
16
|
|
|
19
17
|
translated_algorithm = algorithm.sub('PS', 'sha')
|
|
20
18
|
|
|
@@ -23,8 +21,10 @@ module JWT
|
|
|
23
21
|
|
|
24
22
|
def verify(algorithm, public_key, signing_input, signature)
|
|
25
23
|
require_openssl!
|
|
26
|
-
|
|
27
|
-
|
|
24
|
+
translated_algorithm = algorithm.sub('PS', 'sha')
|
|
25
|
+
public_key.verify_pss(translated_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: translated_algorithm)
|
|
26
|
+
rescue OpenSSL::PKey::PKeyError
|
|
27
|
+
raise JWT::VerificationError, 'Signature verification raised'
|
|
28
28
|
end
|
|
29
29
|
|
|
30
30
|
def require_openssl!
|
data/lib/jwt/algos/rsa.rb
CHANGED
|
@@ -14,7 +14,9 @@ module JWT
|
|
|
14
14
|
end
|
|
15
15
|
|
|
16
16
|
def verify(algorithm, public_key, signing_input, signature)
|
|
17
|
-
|
|
17
|
+
public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
|
|
18
|
+
rescue OpenSSL::PKey::PKeyError
|
|
19
|
+
raise JWT::VerificationError, 'Signature verification raised'
|
|
18
20
|
end
|
|
19
21
|
end
|
|
20
22
|
end
|
data/lib/jwt/algos.rb
CHANGED
data/lib/jwt/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: jwt
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.7.
|
|
4
|
+
version: 2.7.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tim Rudat
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-
|
|
11
|
+
date: 2023-06-09 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: appraisal
|
|
@@ -125,7 +125,6 @@ files:
|
|
|
125
125
|
- lib/jwt/jwk/rsa.rb
|
|
126
126
|
- lib/jwt/jwk/set.rb
|
|
127
127
|
- lib/jwt/jwk/thumbprint.rb
|
|
128
|
-
- lib/jwt/security_utils.rb
|
|
129
128
|
- lib/jwt/verify.rb
|
|
130
129
|
- lib/jwt/version.rb
|
|
131
130
|
- lib/jwt/x5c_key_finder.rb
|
|
@@ -135,7 +134,7 @@ licenses:
|
|
|
135
134
|
- MIT
|
|
136
135
|
metadata:
|
|
137
136
|
bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
|
|
138
|
-
changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.7.
|
|
137
|
+
changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.7.1/CHANGELOG.md
|
|
139
138
|
rubygems_mfa_required: 'true'
|
|
140
139
|
post_install_message:
|
|
141
140
|
rdoc_options: []
|
data/lib/jwt/security_utils.rb
DELETED
|
@@ -1,32 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
|
|
3
|
-
module JWT
|
|
4
|
-
# Collection of security methods
|
|
5
|
-
#
|
|
6
|
-
# @see: https://github.com/rails/rails/blob/master/activesupport/lib/active_support/security_utils.rb
|
|
7
|
-
module SecurityUtils
|
|
8
|
-
module_function
|
|
9
|
-
|
|
10
|
-
def verify_rsa(algorithm, public_key, signing_input, signature)
|
|
11
|
-
public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
|
|
12
|
-
end
|
|
13
|
-
|
|
14
|
-
def verify_ps(algorithm, public_key, signing_input, signature)
|
|
15
|
-
formatted_algorithm = algorithm.sub('PS', 'sha')
|
|
16
|
-
|
|
17
|
-
public_key.verify_pss(formatted_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: formatted_algorithm)
|
|
18
|
-
end
|
|
19
|
-
|
|
20
|
-
def asn1_to_raw(signature, public_key)
|
|
21
|
-
byte_size = (public_key.group.degree + 7) / 8
|
|
22
|
-
OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
|
|
23
|
-
end
|
|
24
|
-
|
|
25
|
-
def raw_to_asn1(signature, private_key)
|
|
26
|
-
byte_size = (private_key.group.degree + 7) / 8
|
|
27
|
-
sig_bytes = signature[0..(byte_size - 1)]
|
|
28
|
-
sig_char = signature[byte_size..-1] || ''
|
|
29
|
-
OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
|
|
30
|
-
end
|
|
31
|
-
end
|
|
32
|
-
end
|