jwt 2.7.0 → 2.7.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +9 -0
- data/README.md +1 -1
- data/lib/jwt/algos/algo_wrapper.rb +1 -5
- data/lib/jwt/algos/ecdsa.rb +16 -2
- data/lib/jwt/algos/hmac_rbnacl.rb +1 -1
- data/lib/jwt/algos/hmac_rbnacl_fixed.rb +1 -1
- data/lib/jwt/algos/ps.rb +5 -5
- data/lib/jwt/algos/rsa.rb +3 -1
- data/lib/jwt/algos.rb +0 -1
- data/lib/jwt/version.rb +1 -1
- metadata +3 -4
- data/lib/jwt/security_utils.rb +0 -32
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 11007e8ec36d148026cd5b6761681b0a71437b7b461efba4ae492622fc5ff27b
|
|
4
|
+
data.tar.gz: 8090bbba3dce57e42cc203ef168d3d00c624e79e076de0e949b4390b531b4d55
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a035f44be760ad325105329cbaec12e90515afdade9649e798ee5c7cefced3271d4f3084afeef693c03c961541d9e5e45b2876734d1947dccdd24cc194acbca2
|
|
7
|
+
data.tar.gz: 61e3d071ce44809767f3501f12b452cae574f9ea0de668ca937731838d58e2a9fa85831829ce564f6a015177a86b2a05b1b6ddf60ba34ac515ea12c69ac618fe
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,14 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## [v2.7.1](https://github.com/jwt/ruby-jwt/tree/v2.8.0) (2023-06-09)
|
|
4
|
+
|
|
5
|
+
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.7.0...v2.8.0)
|
|
6
|
+
|
|
7
|
+
**Fixes and enhancements:**
|
|
8
|
+
|
|
9
|
+
- Handle invalid algorithm when decoding JWT [#559](https://github.com/jwt/ruby-jwt/pull/559) - [@nataliastanko](https://github.com/nataliastanko)
|
|
10
|
+
- Do not raise error when verifying bad HMAC signature [#563](https://github.com/jwt/ruby-jwt/pull/563) - [@hieuk09](https://github.com/hieuk09)
|
|
11
|
+
|
|
3
12
|
## [v2.7.0](https://github.com/jwt/ruby-jwt/tree/v2.7.0) (2023-02-01)
|
|
4
13
|
|
|
5
14
|
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.6.0...v2.7.0)
|
data/README.md
CHANGED
|
@@ -602,7 +602,7 @@ If the requested `kid` is not found from the given set the loader will be called
|
|
|
602
602
|
The application can choose to implement some kind of JWK cache invalidation or other mechanism to handle such cases.
|
|
603
603
|
|
|
604
604
|
Tokens without a specified `kid` are rejected by default.
|
|
605
|
-
This behaviour may be overwritten by setting the `
|
|
605
|
+
This behaviour may be overwritten by setting the `allow_nil_kid` option for `decode` to `true`.
|
|
606
606
|
|
|
607
607
|
```ruby
|
|
608
608
|
jwks_loader = ->(options) do
|
|
@@ -11,7 +11,7 @@ module JWT
|
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
def valid_alg?(alg_to_check)
|
|
14
|
-
alg
|
|
14
|
+
alg&.casecmp(alg_to_check)&.zero? == true
|
|
15
15
|
end
|
|
16
16
|
|
|
17
17
|
def sign(data:, signing_key:)
|
|
@@ -20,10 +20,6 @@ module JWT
|
|
|
20
20
|
|
|
21
21
|
def verify(data:, signature:, verification_key:)
|
|
22
22
|
cls.verify(alg, verification_key, data, signature)
|
|
23
|
-
rescue OpenSSL::PKey::PKeyError # These should be moved to the algorithms that actually need this, but left here to ensure nothing will break.
|
|
24
|
-
raise JWT::VerificationError, 'Signature verification raised'
|
|
25
|
-
ensure
|
|
26
|
-
OpenSSL.errors.clear
|
|
27
23
|
end
|
|
28
24
|
end
|
|
29
25
|
end
|
data/lib/jwt/algos/ecdsa.rb
CHANGED
|
@@ -38,7 +38,7 @@ module JWT
|
|
|
38
38
|
end
|
|
39
39
|
|
|
40
40
|
digest = OpenSSL::Digest.new(curve_definition[:digest])
|
|
41
|
-
|
|
41
|
+
asn1_to_raw(key.dsa_sign_asn1(digest.digest(msg)), key)
|
|
42
42
|
end
|
|
43
43
|
|
|
44
44
|
def verify(algorithm, public_key, signing_input, signature)
|
|
@@ -49,7 +49,9 @@ module JWT
|
|
|
49
49
|
end
|
|
50
50
|
|
|
51
51
|
digest = OpenSSL::Digest.new(curve_definition[:digest])
|
|
52
|
-
public_key.dsa_verify_asn1(digest.digest(signing_input),
|
|
52
|
+
public_key.dsa_verify_asn1(digest.digest(signing_input), raw_to_asn1(signature, public_key))
|
|
53
|
+
rescue OpenSSL::PKey::PKeyError
|
|
54
|
+
raise JWT::VerificationError, 'Signature verification raised'
|
|
53
55
|
end
|
|
54
56
|
|
|
55
57
|
def curve_by_name(name)
|
|
@@ -57,6 +59,18 @@ module JWT
|
|
|
57
59
|
raise UnsupportedEcdsaCurve, "The ECDSA curve '#{name}' is not supported"
|
|
58
60
|
end
|
|
59
61
|
end
|
|
62
|
+
|
|
63
|
+
def raw_to_asn1(signature, private_key)
|
|
64
|
+
byte_size = (private_key.group.degree + 7) / 8
|
|
65
|
+
sig_bytes = signature[0..(byte_size - 1)]
|
|
66
|
+
sig_char = signature[byte_size..-1] || ''
|
|
67
|
+
OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
|
|
68
|
+
end
|
|
69
|
+
|
|
70
|
+
def asn1_to_raw(signature, public_key)
|
|
71
|
+
byte_size = (public_key.group.degree + 7) / 8
|
|
72
|
+
OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
|
|
73
|
+
end
|
|
60
74
|
end
|
|
61
75
|
end
|
|
62
76
|
end
|
data/lib/jwt/algos/ps.rb
CHANGED
|
@@ -12,9 +12,7 @@ module JWT
|
|
|
12
12
|
def sign(algorithm, msg, key)
|
|
13
13
|
require_openssl!
|
|
14
14
|
|
|
15
|
-
key_class
|
|
16
|
-
|
|
17
|
-
raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance." if key_class == String
|
|
15
|
+
raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance." if key.is_a?(String)
|
|
18
16
|
|
|
19
17
|
translated_algorithm = algorithm.sub('PS', 'sha')
|
|
20
18
|
|
|
@@ -23,8 +21,10 @@ module JWT
|
|
|
23
21
|
|
|
24
22
|
def verify(algorithm, public_key, signing_input, signature)
|
|
25
23
|
require_openssl!
|
|
26
|
-
|
|
27
|
-
|
|
24
|
+
translated_algorithm = algorithm.sub('PS', 'sha')
|
|
25
|
+
public_key.verify_pss(translated_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: translated_algorithm)
|
|
26
|
+
rescue OpenSSL::PKey::PKeyError
|
|
27
|
+
raise JWT::VerificationError, 'Signature verification raised'
|
|
28
28
|
end
|
|
29
29
|
|
|
30
30
|
def require_openssl!
|
data/lib/jwt/algos/rsa.rb
CHANGED
|
@@ -14,7 +14,9 @@ module JWT
|
|
|
14
14
|
end
|
|
15
15
|
|
|
16
16
|
def verify(algorithm, public_key, signing_input, signature)
|
|
17
|
-
|
|
17
|
+
public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
|
|
18
|
+
rescue OpenSSL::PKey::PKeyError
|
|
19
|
+
raise JWT::VerificationError, 'Signature verification raised'
|
|
18
20
|
end
|
|
19
21
|
end
|
|
20
22
|
end
|
data/lib/jwt/algos.rb
CHANGED
data/lib/jwt/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: jwt
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.7.
|
|
4
|
+
version: 2.7.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tim Rudat
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-
|
|
11
|
+
date: 2023-06-09 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: appraisal
|
|
@@ -125,7 +125,6 @@ files:
|
|
|
125
125
|
- lib/jwt/jwk/rsa.rb
|
|
126
126
|
- lib/jwt/jwk/set.rb
|
|
127
127
|
- lib/jwt/jwk/thumbprint.rb
|
|
128
|
-
- lib/jwt/security_utils.rb
|
|
129
128
|
- lib/jwt/verify.rb
|
|
130
129
|
- lib/jwt/version.rb
|
|
131
130
|
- lib/jwt/x5c_key_finder.rb
|
|
@@ -135,7 +134,7 @@ licenses:
|
|
|
135
134
|
- MIT
|
|
136
135
|
metadata:
|
|
137
136
|
bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
|
|
138
|
-
changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.7.
|
|
137
|
+
changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.7.1/CHANGELOG.md
|
|
139
138
|
rubygems_mfa_required: 'true'
|
|
140
139
|
post_install_message:
|
|
141
140
|
rdoc_options: []
|
data/lib/jwt/security_utils.rb
DELETED
|
@@ -1,32 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
|
|
3
|
-
module JWT
|
|
4
|
-
# Collection of security methods
|
|
5
|
-
#
|
|
6
|
-
# @see: https://github.com/rails/rails/blob/master/activesupport/lib/active_support/security_utils.rb
|
|
7
|
-
module SecurityUtils
|
|
8
|
-
module_function
|
|
9
|
-
|
|
10
|
-
def verify_rsa(algorithm, public_key, signing_input, signature)
|
|
11
|
-
public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
|
|
12
|
-
end
|
|
13
|
-
|
|
14
|
-
def verify_ps(algorithm, public_key, signing_input, signature)
|
|
15
|
-
formatted_algorithm = algorithm.sub('PS', 'sha')
|
|
16
|
-
|
|
17
|
-
public_key.verify_pss(formatted_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: formatted_algorithm)
|
|
18
|
-
end
|
|
19
|
-
|
|
20
|
-
def asn1_to_raw(signature, public_key)
|
|
21
|
-
byte_size = (public_key.group.degree + 7) / 8
|
|
22
|
-
OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
|
|
23
|
-
end
|
|
24
|
-
|
|
25
|
-
def raw_to_asn1(signature, private_key)
|
|
26
|
-
byte_size = (private_key.group.degree + 7) / 8
|
|
27
|
-
sig_bytes = signature[0..(byte_size - 1)]
|
|
28
|
-
sig_char = signature[byte_size..-1] || ''
|
|
29
|
-
OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
|
|
30
|
-
end
|
|
31
|
-
end
|
|
32
|
-
end
|