RubyGems - jwt - Versions diffs - 2.7.0 → 2.8.0 - Mend

jwt 2.7.0 → 2.8.0

Files changed (33) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +55 -24
data/README.md +2 -9
data/lib/jwt/base64.rb +14 -2
data/lib/jwt/claims_validator.rb +1 -1
data/lib/jwt/decode.rb +1 -7
data/lib/jwt/encode.rb +2 -8
data/lib/jwt/{algos → jwa}/ecdsa.rb +17 -3
data/lib/jwt/jwa/eddsa.rb +42 -0
data/lib/jwt/{algos → jwa}/hmac.rb +3 -1
data/lib/jwt/jwa/hmac_rbnacl.rb +50 -0
data/lib/jwt/jwa/hmac_rbnacl_fixed.rb +46 -0
data/lib/jwt/{algos → jwa}/none.rb +1 -1
data/lib/jwt/jwa/ps.rb +30 -0
data/lib/jwt/jwa/rsa.rb +25 -0
data/lib/jwt/{algos → jwa}/unsupported.rb +1 -1
data/lib/jwt/{algos/algo_wrapper.rb → jwa/wrapper.rb} +3 -7
data/lib/jwt/jwa.rb +62 -0
data/lib/jwt/jwk/ec.rb +22 -7
data/lib/jwt/jwk/key_base.rb +3 -1
data/lib/jwt/jwk.rb +1 -1
data/lib/jwt/verify.rb +8 -4
data/lib/jwt/version.rb +3 -2
data/lib/jwt/x5c_key_finder.rb +0 -3
data/ruby-jwt.gemspec +3 -0
metadata +42 -15
data/lib/jwt/algos/eddsa.rb +0 -33
data/lib/jwt/algos/hmac_rbnacl.rb +0 -53
data/lib/jwt/algos/hmac_rbnacl_fixed.rb +0 -52
data/lib/jwt/algos/ps.rb +0 -41
data/lib/jwt/algos/rsa.rb +0 -21
data/lib/jwt/algos.rb +0 -67
data/lib/jwt/security_utils.rb +0 -32

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f2ff80d9f32962a3c98d469c1b1078c84631291153f89481cccd9fc8d311e925
-  data.tar.gz: af54f20921b46237194671b957f9d0e2d04ec5ac501f8afa767f0d9d97e3acc6
+  metadata.gz: 79758529bec5a1fad3183ee054a2e47e800f6611681f9f9052cbb92ea645b4ef
+  data.tar.gz: d9bffb9bb0e855a2da3cc04ec0d3ee82174555b2bc23cceec8901b4c50b9a42a
 SHA512:
-  metadata.gz: 7bc55b74e5565674e38b6f706ca2e9d70cc25ee679f80dd6dad160d1f5e8070749d919f65e487acfd7131a22246be66b2d82e517deb9c38df7bed86aaf7b61e8
-  data.tar.gz: ed53859b1ac5423666d2351b7411014d74b6343fa0255bd5ed0b7ef5b58f8b073a6cc7905959866993ca4bbd7540b5e0a1fc3a08ce70f18fe82c9126f8cbc9b1
+  metadata.gz: e9622f261b3a037cfc6dddfdd8f452a123c0c0443a3599565830cc000f7a20eec9f5ad673450bd485a47a8c666e6c9c95729c2d8cc123c984e5d0a255ed41dc4
+  data.tar.gz: d0ef0c055249ac588d0cb26bc4ead5b1b607ae738eda5c0775723ca62640a9df092c3e07774c9fcb6545b9946d730f0260d40c2fc9e272fb7ec0ec62aa6f2b80

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,36 @@
 # Changelog
+## [v2.8.0](https://github.com/jwt/ruby-jwt/tree/v2.8.0) (2024-02-17)
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.7.1...v2.8.0)
+**Features:**
+- Updated rubocop to 1.56 [#573](https://github.com/jwt/ruby-jwt/pull/573) ([@anakinj](https://github.com/anakinj))
+- Run CI on Ruby 3.3 [#577](https://github.com/jwt/ruby-jwt/pull/577) ([@anakinj](https://github.com/anakinj))
+- Deprecation warning added for the HMAC algorithm HS512256 (HMAC-SHA-512 truncated to 256-bits) [#575](https://github.com/jwt/ruby-jwt/pull/575) ([@anakinj](https://github.com/anakinj))
+- Stop using RbNaCl for standard HMAC algorithms [#575](https://github.com/jwt/ruby-jwt/pull/575) ([@anakinj](https://github.com/anakinj))
+**Fixes and enhancements:**
+- Fix signature has expired error if payload is a string [#555](https://github.com/jwt/ruby-jwt/pull/555) ([@GobinathAL](https://github.com/GobinathAL))
+- Fix key base equality and spaceship operators [#569](https://github.com/jwt/ruby-jwt/pull/569) ([@magneland](https://github.com/magneland))
+- Remove explicit base64 require from x5c_key_finder [#580](https://github.com/jwt/ruby-jwt/pull/580) ([@anakinj](https://github.com/anakinj))
+- Performance improvements and cleanup of tests [#581](https://github.com/jwt/ruby-jwt/pull/581) ([@anakinj](https://github.com/anakinj))
+- Repair EC x/y coordinates when importing JWK [#585](https://github.com/jwt/ruby-jwt/pull/585) ([@julik](https://github.com/julik))
+- Explicit dependency to the base64 gem [#582](https://github.com/jwt/ruby-jwt/pull/582) ([@anakinj](https://github.com/anakinj))
+- Deprecation warning for decoding content not compliant with RFC 4648 [#582](https://github.com/jwt/ruby-jwt/pull/582) ([@anakinj](https://github.com/anakinj))
+- Algorithms moved under the `::JWT::JWA` module ([@anakinj](https://github.com/anakinj))
+## [v2.7.1](https://github.com/jwt/ruby-jwt/tree/v2.8.0) (2023-06-09)
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.7.0...v2.7.1)
+**Fixes and enhancements:**
+- Handle invalid algorithm when decoding JWT [#559](https://github.com/jwt/ruby-jwt/pull/559) ([@nataliastanko](https://github.com/nataliastanko))
+- Do not raise error when verifying bad HMAC signature [#563](https://github.com/jwt/ruby-jwt/pull/563) ([@hieuk09](https://github.com/hieuk09))
 ## [v2.7.0](https://github.com/jwt/ruby-jwt/tree/v2.7.0) (2023-02-01)
 [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.6.0...v2.7.0)
@@ -20,14 +51,14 @@
 **Features:**
-- Support custom algorithms by passing algorithm objects[#512](https://github.com/jwt/ruby-jwt/pull/512) ([@anakinj](https://github.com/anakinj)).
-- Support descriptive (not key related) JWK parameters[#520](https://github.com/jwt/ruby-jwt/pull/520) ([@bellebaum](https://github.com/bellebaum)).
-- Support for JSON Web Key Sets[#525](https://github.com/jwt/ruby-jwt/pull/525) ([@bellebaum](https://github.com/bellebaum)).
-- Support HMAC keys over 32 chars when using RbNaCl[#521](https://github.com/jwt/ruby-jwt/pull/521) ([@anakinj](https://github.com/anakinj)).
+- Support custom algorithms by passing algorithm objects [#512](https://github.com/jwt/ruby-jwt/pull/512) ([@anakinj](https://github.com/anakinj))
+- Support descriptive (not key related) JWK parameters [#520](https://github.com/jwt/ruby-jwt/pull/520) ([@bellebaum](https://github.com/bellebaum))
+- Support for JSON Web Key Sets [#525](https://github.com/jwt/ruby-jwt/pull/525) ([@bellebaum](https://github.com/bellebaum))
+- Support HMAC keys over 32 chars when using RbNaCl [#521](https://github.com/jwt/ruby-jwt/pull/521) ([@anakinj](https://github.com/anakinj))
 **Fixes and enhancements:**
-- Raise descriptive error on empty hmac_secret and OpenSSL 3.0/openssl gem <3.0.1 [#530](https://github.com/jwt/ruby-jwt/pull/530) ([@jonmchan](https://github.com/jonmchan)).
+- Raise descriptive error on empty hmac_secret and OpenSSL 3.0/openssl gem <3.0.1 [#530](https://github.com/jwt/ruby-jwt/pull/530) ([@jonmchan](https://github.com/jonmchan))
 ## [v2.5.0](https://github.com/jwt/ruby-jwt/tree/v2.5.0) (2022-08-25)
@@ -35,21 +66,21 @@
 **Features:**
-- Support JWK thumbprints as key ids [#481](https://github.com/jwt/ruby-jwt/pull/481) ([@anakinj](https://github.com/anakinj)).
-- Support OpenSSL >= 3.0 [#496](https://github.com/jwt/ruby-jwt/pull/496) ([@anakinj](https://github.com/anakinj)).
+- Support JWK thumbprints as key ids [#481](https://github.com/jwt/ruby-jwt/pull/481) ([@anakinj](https://github.com/anakinj))
+- Support OpenSSL >= 3.0 [#496](https://github.com/jwt/ruby-jwt/pull/496) ([@anakinj](https://github.com/anakinj))
 **Fixes and enhancements:**
-- Bring back the old Base64 (RFC2045) deocode mechanisms [#488](https://github.com/jwt/ruby-jwt/pull/488) ([@anakinj](https://github.com/anakinj)).
-- Rescue RbNaCl exception for EdDSA wrong key [#491](https://github.com/jwt/ruby-jwt/pull/491) ([@n-studio](https://github.com/n-studio)).
-- New parameter name for cases when kid is not found using JWK key loader proc [#501](https://github.com/jwt/ruby-jwt/pull/501) ([@anakinj](https://github.com/anakinj)).
-- Fix NoMethodError when a 2 segment token is missing 'alg' header [#502](https://github.com/jwt/ruby-jwt/pull/502) ([@cmrd-senya](https://github.com/cmrd-senya)).
+- Bring back the old Base64 (RFC2045) deocode mechanisms [#488](https://github.com/jwt/ruby-jwt/pull/488) ([@anakinj](https://github.com/anakinj))
+- Rescue RbNaCl exception for EdDSA wrong key [#491](https://github.com/jwt/ruby-jwt/pull/491) ([@n-studio](https://github.com/n-studio))
+- New parameter name for cases when kid is not found using JWK key loader proc [#501](https://github.com/jwt/ruby-jwt/pull/501) ([@anakinj](https://github.com/anakinj))
+- Fix NoMethodError when a 2 segment token is missing 'alg' header [#502](https://github.com/jwt/ruby-jwt/pull/502) ([@cmrd-senya](https://github.com/cmrd-senya))
 ## [v2.4.1](https://github.com/jwt/ruby-jwt/tree/v2.4.1) (2022-06-07)
 [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.4.0...v2.4.1)
 **Fixes and enhancements:**
-- Raise JWT::DecodeError on invalid signature [\#484](https://github.com/jwt/ruby-jwt/pull/484) ([@freakyfelt!](https://github.com/freakyfelt!)).
+- Raise JWT::DecodeError on invalid signature [\#484](https://github.com/jwt/ruby-jwt/pull/484) ([@freakyfelt!](https://github.com/freakyfelt!))
 ## [v2.4.0](https://github.com/jwt/ruby-jwt/tree/v2.4.0) (2022-06-06)
@@ -57,20 +88,20 @@
 **Features:**
-- Dropped support for Ruby 2.5 and older [#453](https://github.com/jwt/ruby-jwt/pull/453) - [@anakinj](https://github.com/anakinj).
-- Use Ruby built-in url-safe base64 methods [#454](https://github.com/jwt/ruby-jwt/pull/454) - [@bdewater](https://github.com/bdewater).
-- Updated rubocop to 1.23.0 [#457](https://github.com/jwt/ruby-jwt/pull/457) - [@anakinj](https://github.com/anakinj).
-- Add x5c header key finder [#338](https://github.com/jwt/ruby-jwt/pull/338) - [@bdewater](https://github.com/bdewater).
-- Author driven changelog process [#463](https://github.com/jwt/ruby-jwt/pull/463) - [@anakinj](https://github.com/anakinj).
-- Allow regular expressions and procs to verify issuer [\#437](https://github.com/jwt/ruby-jwt/pull/437) ([rewritten](https://github.com/rewritten)).
-- Add Support to be able to verify from multiple keys [\#425](https://github.com/jwt/ruby-jwt/pull/425) ([ritikesh](https://github.com/ritikesh)).
+- Dropped support for Ruby 2.5 and older [#453](https://github.com/jwt/ruby-jwt/pull/453) - ([@anakinj](https://github.com/anakinj))
+- Use Ruby built-in url-safe base64 methods [#454](https://github.com/jwt/ruby-jwt/pull/454) - ([@bdewater](https://github.com/bdewater))
+- Updated rubocop to 1.23.0 [#457](https://github.com/jwt/ruby-jwt/pull/457) - ([@anakinj](https://github.com/anakinj))
+- Add x5c header key finder [#338](https://github.com/jwt/ruby-jwt/pull/338) - ([@bdewater](https://github.com/bdewater))
+- Author driven changelog process [#463](https://github.com/jwt/ruby-jwt/pull/463) - ([@anakinj](https://github.com/anakinj))
+- Allow regular expressions and procs to verify issuer [\#437](https://github.com/jwt/ruby-jwt/pull/437) ([rewritten](https://github.com/rewritten))
+- Add Support to be able to verify from multiple keys [\#425](https://github.com/jwt/ruby-jwt/pull/425) ([ritikesh](https://github.com/ritikesh))
 **Fixes and enhancements:**
-- Readme: Typo fix re MissingRequiredClaim [\#451](https://github.com/jwt/ruby-jwt/pull/451) ([antonmorant](https://github.com/antonmorant)).
-- Fix RuboCop TODOs [\#476](https://github.com/jwt/ruby-jwt/pull/476) ([typhoon2099](https://github.com/typhoon2099)).
-- Make specific algorithms in README linkable [\#472](https://github.com/jwt/ruby-jwt/pull/472) ([milieu](https://github.com/milieu)).
-- Update note about supported JWK types [\#475](https://github.com/jwt/ruby-jwt/pull/475) ([dpashkevich](https://github.com/dpashkevich)).
-- Create CODE\_OF\_CONDUCT.md [\#449](https://github.com/jwt/ruby-jwt/pull/449) ([loic5](https://github.com/loic5)).
+- Readme: Typo fix re MissingRequiredClaim [\#451](https://github.com/jwt/ruby-jwt/pull/451) ([antonmorant](https://github.com/antonmorant))
+- Fix RuboCop TODOs [\#476](https://github.com/jwt/ruby-jwt/pull/476) ([typhoon2099](https://github.com/typhoon2099))
+- Make specific algorithms in README linkable [\#472](https://github.com/jwt/ruby-jwt/pull/472) ([milieu](https://github.com/milieu))
+- Update note about supported JWK types [\#475](https://github.com/jwt/ruby-jwt/pull/475) ([dpashkevich](https://github.com/dpashkevich))
+- Create CODE\_OF\_CONDUCT.md [\#449](https://github.com/jwt/ruby-jwt/pull/449) ([loic5](https://github.com/loic5))
 ## [v2.3.0](https://github.com/jwt/ruby-jwt/tree/v2.3.0) (2021-10-03)

data/README.md CHANGED Viewed

@@ -72,7 +72,6 @@ puts decoded_token
 ### **HMAC**
 * HS256 - HMAC using SHA-256 hash algorithm
-* HS512256 - HMAC using SHA-512-256 hash algorithm (only available with RbNaCl; see note below)
 * HS384 - HMAC using SHA-384 hash algorithm
 * HS512 - HMAC using SHA-512 hash algorithm
@@ -95,12 +94,6 @@ decoded_token = JWT.decode token, hmac_secret, true, { algorithm: 'HS256' }
 puts decoded_token
 ```
-Note: If [RbNaCl](https://github.com/RubyCrypto/rbnacl) is loadable, ruby-jwt will use it for HMAC-SHA256, HMAC-SHA512-256, and HMAC-SHA512. RbNaCl prior to 6.0.0 only support a maximum key size of 32 bytes for these algorithms.
-[RbNaCl](https://github.com/RubyCrypto/rbnacl) requires
-[libsodium](https://github.com/jedisct1/libsodium), it can be installed
-on MacOS with `brew install libsodium`.
 ### **RSA**
 * RS256 - RSA using SHA-256 hash algorithm
@@ -561,7 +554,7 @@ crls = crl_uris.map do |uri|
 end
 begin
-  JWT.decode(token, nil, true, { x5c: { root_certificates: root_certificates, crls: crls })
+  JWT.decode(token, nil, true, { x5c: { root_certificates: root_certificates, crls: crls } })
 rescue JWT::DecodeError
   # Handle error, e.g. x5c header certificate revoked or expired
 end
@@ -602,7 +595,7 @@ If the requested `kid` is not found from the given set the loader will be called
 The application can choose to implement some kind of JWK cache invalidation or other mechanism to handle such cases.
 Tokens without a specified `kid` are rejected by default.
-This behaviour may be overwritten by setting the `allow_nil_jwks` option for `decode` to `true`.
+This behaviour may be overwritten by setting the `allow_nil_kid` option for `decode` to `true`.
 ```ruby
 jwks_loader = ->(options) do

data/lib/jwt/base64.rb CHANGED Viewed

@@ -3,14 +3,26 @@
 require 'base64'
 module JWT
-  # Base64 helpers
+  # Base64 encoding and decoding
   class Base64
     class << self
+      # Encode a string with URL-safe Base64 complying with RFC 4648 (not padded).
       def url_encode(str)
-        ::Base64.encode64(str).tr('+/', '-_').gsub(/[\n=]/, '')
+        ::Base64.urlsafe_encode64(str, padding: false)
       end
+      # Decode a string with URL-safe Base64 complying with RFC 4648.
+      # Deprecated support for RFC 2045 remains for now. ("All line breaks or other characters not found in Table 1 must be ignored by decoding software")
       def url_decode(str)
+        ::Base64.urlsafe_decode64(str)
+      rescue ArgumentError => e
+        raise unless e.message == 'invalid base64'
+        warn('[DEPRECATION] Invalid base64 input detected, could be because of invalid padding, trailing whitespaces or newline chars. Graceful handling of invalid input will be dropped in the next major version of ruby-jwt')
+        loose_urlsafe_decode64(str)
+      end
+      def loose_urlsafe_decode64(str)
         str += '=' * (4 - str.length.modulo(4))
         ::Base64.decode64(str.tr('-_', '+/'))
       end

data/lib/jwt/claims_validator.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
-require_relative './error'
+require_relative 'error'
 module JWT
   class ClaimsValidator

data/lib/jwt/decode.rb CHANGED Viewed

@@ -92,13 +92,7 @@ module JWT
     end
     def resolve_allowed_algorithms
-      algs = given_algorithms.map do |alg|
-        if Algos.implementation?(alg)
-          alg
-        else
-          Algos.create(alg)
-        end
-      end
+      algs = given_algorithms.map { |alg| JWA.create(alg) }
       sort_by_alg_header(algs)
     end

data/lib/jwt/encode.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
-require_relative 'algos'
+require_relative 'jwa'
 require_relative 'claims_validator'
 # JWT::Encode module
@@ -12,7 +12,7 @@ module JWT
     def initialize(options)
       @payload          = options[:payload]
       @key              = options[:key]
-      @algorithm        = resolve_algorithm(options[:algorithm])
+      @algorithm        = JWA.create(options[:algorithm])
       @headers          = options[:headers].transform_keys(&:to_s)
       @headers[ALG_KEY] = @algorithm.alg
     end
@@ -24,12 +24,6 @@ module JWT
     private
-    def resolve_algorithm(algorithm)
-      return algorithm if Algos.implementation?(algorithm)
-      Algos.create(algorithm)
-    end
     def encoded_header
       @encoded_header ||= encode_header
     end

data/lib/jwt/{algos → jwa}/ecdsa.rb RENAMED Viewed

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 module JWT
-  module Algos
+  module JWA
     module Ecdsa
       module_function
@@ -38,7 +38,7 @@ module JWT
         end
         digest = OpenSSL::Digest.new(curve_definition[:digest])
-        SecurityUtils.asn1_to_raw(key.dsa_sign_asn1(digest.digest(msg)), key)
+        asn1_to_raw(key.dsa_sign_asn1(digest.digest(msg)), key)
       end
       def verify(algorithm, public_key, signing_input, signature)
@@ -49,7 +49,9 @@ module JWT
         end
         digest = OpenSSL::Digest.new(curve_definition[:digest])
-        public_key.dsa_verify_asn1(digest.digest(signing_input), SecurityUtils.raw_to_asn1(signature, public_key))
+        public_key.dsa_verify_asn1(digest.digest(signing_input), raw_to_asn1(signature, public_key))
+      rescue OpenSSL::PKey::PKeyError
+        raise JWT::VerificationError, 'Signature verification raised'
       end
       def curve_by_name(name)
@@ -57,6 +59,18 @@ module JWT
           raise UnsupportedEcdsaCurve, "The ECDSA curve '#{name}' is not supported"
         end
       end
+      def raw_to_asn1(signature, private_key)
+        byte_size = (private_key.group.degree + 7) / 8
+        sig_bytes = signature[0..(byte_size - 1)]
+        sig_char = signature[byte_size..-1] || ''
+        OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
+      end
+      def asn1_to_raw(signature, public_key)
+        byte_size = (public_key.group.degree + 7) / 8
+        OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
+      end
     end
   end
 end

data/lib/jwt/jwa/eddsa.rb ADDED Viewed

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+module JWT
+  module JWA
+    module Eddsa
+      SUPPORTED = %w[ED25519 EdDSA].freeze
+      SUPPORTED_DOWNCASED = SUPPORTED.map(&:downcase).freeze
+      class << self
+        def sign(algorithm, msg, key)
+          unless key.is_a?(RbNaCl::Signatures::Ed25519::SigningKey)
+            raise EncodeError, "Key given is a #{key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey"
+          end
+          validate_algorithm!(algorithm)
+          key.sign(msg)
+        end
+        def verify(algorithm, public_key, signing_input, signature)
+          unless public_key.is_a?(RbNaCl::Signatures::Ed25519::VerifyKey)
+            raise DecodeError, "key given is a #{public_key.class} but has to be a RbNaCl::Signatures::Ed25519::VerifyKey"
+          end
+          validate_algorithm!(algorithm)
+          public_key.verify(signature, signing_input)
+        rescue RbNaCl::CryptoError
+          false
+        end
+        private
+        def validate_algorithm!(algorithm)
+          return if SUPPORTED_DOWNCASED.include?(algorithm.downcase)
+          raise IncorrectAlgorithm, "Algorithm #{algorithm} not supported. Supported algoritms are #{SUPPORTED.join(', ')}"
+        end
+      end
+    end
+  end
+end

data/lib/jwt/{algos → jwa}/hmac.rb RENAMED Viewed

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 module JWT
-  module Algos
+  module JWA
     module Hmac
       module_function
@@ -44,6 +44,7 @@ module JWT
             OpenSSL.fixed_length_secure_compare(a, b)
           end
         else
+          # :nocov:
           def fixed_length_secure_compare(a, b)
             raise ArgumentError, "string length mismatch." unless a.bytesize == b.bytesize
@@ -53,6 +54,7 @@ module JWT
             b.each_byte { |byte| res |= byte ^ l.shift }
             res == 0
           end
+          # :nocov:
         end
         module_function :fixed_length_secure_compare

data/lib/jwt/jwa/hmac_rbnacl.rb ADDED Viewed

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+module JWT
+  module Algos
+    module HmacRbNaCl
+      MAPPING   = { 'HS512256' => ::RbNaCl::HMAC::SHA512256 }.freeze
+      SUPPORTED = MAPPING.keys
+      class << self
+        def sign(algorithm, msg, key)
+          warn("[DEPRECATION] The use of the algorithm #{algorithm} is deprecated and will be removed in the next major version of ruby-jwt")
+          if (hmac = resolve_algorithm(algorithm))
+            hmac.auth(key_for_rbnacl(hmac, key).encode('binary'), msg.encode('binary'))
+          else
+            Hmac.sign(algorithm, msg, key)
+          end
+        end
+        def verify(algorithm, key, signing_input, signature)
+          warn("[DEPRECATION] The use of the algorithm #{algorithm} is deprecated and will be removed in the next major version of ruby-jwt")
+          if (hmac = resolve_algorithm(algorithm))
+            hmac.verify(key_for_rbnacl(hmac, key).encode('binary'), signature.encode('binary'), signing_input.encode('binary'))
+          else
+            Hmac.verify(algorithm, key, signing_input, signature)
+          end
+        rescue ::RbNaCl::BadAuthenticatorError, ::RbNaCl::LengthError
+          false
+        end
+        private
+        def key_for_rbnacl(hmac, key)
+          key ||= ''
+          raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
+          return padded_empty_key(hmac.key_bytes) if key == ''
+          key
+        end
+        def resolve_algorithm(algorithm)
+          MAPPING.fetch(algorithm)
+        end
+        def padded_empty_key(length)
+          Array.new(length, 0x0).pack('C*').encode('binary')
+        end
+      end
+    end
+  end
+end

data/lib/jwt/jwa/hmac_rbnacl_fixed.rb ADDED Viewed

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+module JWT
+  module Algos
+    module HmacRbNaClFixed
+      MAPPING   = { 'HS512256' => ::RbNaCl::HMAC::SHA512256 }.freeze
+      SUPPORTED = MAPPING.keys
+      class << self
+        def sign(algorithm, msg, key)
+          key ||= ''
+          warn("[DEPRECATION] The use of the algorithm #{algorithm} is deprecated and will be removed in the next major version of ruby-jwt")
+          raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
+          if (hmac = resolve_algorithm(algorithm)) && key.bytesize <= hmac.key_bytes
+            hmac.auth(padded_key_bytes(key, hmac.key_bytes), msg.encode('binary'))
+          else
+            Hmac.sign(algorithm, msg, key)
+          end
+        end
+        def verify(algorithm, key, signing_input, signature)
+          key ||= ''
+          warn("[DEPRECATION] The use of the algorithm #{algorithm} is deprecated and will be removed in the next major version of ruby-jwt")
+          raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
+          if (hmac = resolve_algorithm(algorithm)) && key.bytesize <= hmac.key_bytes
+            hmac.verify(padded_key_bytes(key, hmac.key_bytes), signature.encode('binary'), signing_input.encode('binary'))
+          else
+            Hmac.verify(algorithm, key, signing_input, signature)
+          end
+        rescue ::RbNaCl::BadAuthenticatorError, ::RbNaCl::LengthError
+          false
+        end
+        def resolve_algorithm(algorithm)
+          MAPPING.fetch(algorithm)
+        end
+        def padded_key_bytes(key, bytesize)
+          key.bytes.fill(0, key.bytesize...bytesize).pack('C*')
+        end
+      end
+    end
+  end
+end

data/lib/jwt/{algos → jwa}/none.rb RENAMED Viewed

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 module JWT
-  module Algos
+  module JWA
     module None
       module_function

data/lib/jwt/jwa/ps.rb ADDED Viewed

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+module JWT
+  module JWA
+    module Ps
+      # RSASSA-PSS signing algorithms
+      module_function
+      SUPPORTED = %w[PS256 PS384 PS512].freeze
+      def sign(algorithm, msg, key)
+        unless key.is_a?(::OpenSSL::PKey::RSA)
+          raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance."
+        end
+        translated_algorithm = algorithm.sub('PS', 'sha')
+        key.sign_pss(translated_algorithm, msg, salt_length: :digest, mgf1_hash: translated_algorithm)
+      end
+      def verify(algorithm, public_key, signing_input, signature)
+        translated_algorithm = algorithm.sub('PS', 'sha')
+        public_key.verify_pss(translated_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: translated_algorithm)
+      rescue OpenSSL::PKey::PKeyError
+        raise JWT::VerificationError, 'Signature verification raised'
+      end
+    end
+  end
+end

data/lib/jwt/jwa/rsa.rb ADDED Viewed

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+module JWT
+  module JWA
+    module Rsa
+      module_function
+      SUPPORTED = %w[RS256 RS384 RS512].freeze
+      def sign(algorithm, msg, key)
+        unless key.is_a?(OpenSSL::PKey::RSA)
+          raise EncodeError, "The given key is a #{key.class}. It has to be an OpenSSL::PKey::RSA instance"
+        end
+        key.sign(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), msg)
+      end
+      def verify(algorithm, public_key, signing_input, signature)
+        public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
+      rescue OpenSSL::PKey::PKeyError
+        raise JWT::VerificationError, 'Signature verification raised'
+      end
+    end
+  end
+end

data/lib/jwt/{algos → jwa}/unsupported.rb RENAMED Viewed

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 module JWT
-  module Algos
+  module JWA
     module Unsupported
       module_function

data/lib/jwt/{algos/algo_wrapper.rb → jwa/wrapper.rb} RENAMED Viewed

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 module JWT
-  module Algos
-    class AlgoWrapper
+  module JWA
+    class Wrapper
       attr_reader :alg, :cls
       def initialize(alg, cls)
@@ -11,7 +11,7 @@ module JWT
       end
       def valid_alg?(alg_to_check)
-        alg.casecmp(alg_to_check)&.zero? == true
+        alg&.casecmp(alg_to_check)&.zero? == true
       end
       def sign(data:, signing_key:)
@@ -20,10 +20,6 @@ module JWT
       def verify(data:, signature:, verification_key:)
         cls.verify(alg, verification_key, data, signature)
-      rescue OpenSSL::PKey::PKeyError # These should be moved to the algorithms that actually need this, but left here to ensure nothing will break.
-        raise JWT::VerificationError, 'Signature verification raised'
-      ensure
-        OpenSSL.errors.clear
       end
     end
   end

data/lib/jwt/jwa.rb ADDED Viewed

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+require 'openssl'
+begin
+  require 'rbnacl'
+rescue LoadError
+  raise if defined?(RbNaCl)
+end
+require_relative 'jwa/hmac'
+require_relative 'jwa/eddsa'
+require_relative 'jwa/ecdsa'
+require_relative 'jwa/rsa'
+require_relative 'jwa/ps'
+require_relative 'jwa/none'
+require_relative 'jwa/unsupported'
+require_relative 'jwa/wrapper'
+module JWT
+  module JWA
+    ALGOS = [Hmac, Ecdsa, Rsa, Eddsa, Ps, None, Unsupported].tap do |l|
+      if ::JWT.rbnacl_6_or_greater?
+        require_relative 'jwa/hmac_rbnacl'
+        l << Algos::HmacRbNaCl
+      elsif ::JWT.rbnacl?
+        require_relative 'jwa/hmac_rbnacl_fixed'
+        l << Algos::HmacRbNaClFixed
+      end
+    end.freeze
+    class << self
+      def find(algorithm)
+        indexed[algorithm&.downcase]
+      end
+      def create(algorithm)
+        return algorithm if JWA.implementation?(algorithm)
+        Wrapper.new(*find(algorithm))
+      end
+      def implementation?(algorithm)
+        (algorithm.respond_to?(:valid_alg?) && algorithm.respond_to?(:verify)) ||
+          (algorithm.respond_to?(:alg) && algorithm.respond_to?(:sign))
+      end
+      private
+      def indexed
+        @indexed ||= begin
+          fallback = [nil, Unsupported]
+          ALGOS.each_with_object(Hash.new(fallback)) do |cls, hash|
+            cls.const_get(:SUPPORTED).each do |alg|
+              hash[alg.downcase] = [alg, cls]
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/jwt/jwk/ec.rb CHANGED Viewed

@@ -11,6 +11,7 @@ module JWT
       EC_PUBLIC_KEY_ELEMENTS = %i[kty crv x y].freeze
       EC_PRIVATE_KEY_ELEMENTS = %i[d].freeze
       EC_KEY_ELEMENTS = (EC_PRIVATE_KEY_ELEMENTS + EC_PUBLIC_KEY_ELEMENTS).freeze
+      ZERO_BYTE = "\0".b.freeze
       def initialize(key, params = nil, options = {})
         params ||= {}
@@ -143,7 +144,6 @@ module JWT
       if ::JWT.openssl_3?
         def create_ec_key(jwk_crv, jwk_x, jwk_y, jwk_d) # rubocop:disable Metrics/MethodLength
           curve = EC.to_openssl_curve(jwk_crv)
           x_octets = decode_octets(jwk_x)
           y_octets = decode_octets(jwk_y)
@@ -205,12 +205,27 @@ module JWT
         end
       end
-      def decode_octets(jwk_data)
-        ::JWT::Base64.url_decode(jwk_data)
-      end
-      def decode_open_ssl_bn(jwk_data)
-        OpenSSL::BN.new(::JWT::Base64.url_decode(jwk_data), BINARY)
+      def decode_octets(base64_encoded_coordinate)
+        bytes = ::JWT::Base64.url_decode(base64_encoded_coordinate)
+        # Some base64 encoders on some platform omit a single 0-byte at
+        # the start of either Y or X coordinate of the elliptic curve point.
+        # This leads to an encoding error when data is passed to OpenSSL BN.
+        # It is know to have happend to exported JWKs on a Java application and
+        # on a Flutter/Dart application (both iOS and Android). All that is
+        # needed to fix the problem is adding a leading 0-byte. We know the
+        # required byte is 0 because with any other byte the point is no longer
+        # on the curve - and OpenSSL will actually communicate this via another
+        # exception. The indication of a stripped byte will be the fact that the
+        # coordinates - once decoded into bytes - should always be an even
+        # bytesize. For example, with a P-521 curve, both x and y must be 66 bytes.
+        # With a P-256 curve, both x and y must be 32 and so on. The simplest way
+        # to check for this truncation is thus to check whether the number of bytes
+        # is odd, and restore the leading 0-byte if it is.
+        if bytes.bytesize.odd?
+          ZERO_BYTE + bytes
+        else
+          bytes
+        end
       end
       class << self

data/lib/jwt/jwk/key_base.rb CHANGED Viewed

@@ -38,12 +38,14 @@ module JWT
       end
       def ==(other)
-        self[:kid] == other[:kid]
+        other.is_a?(::JWT::JWK::KeyBase) && self[:kid] == other[:kid]
       end
       alias eql? ==
       def <=>(other)
+        return nil unless other.is_a?(::JWT::JWK::KeyBase)
         self[:kid] <=> other[:kid]
       end

data/lib/jwt/jwk.rb CHANGED Viewed

@@ -52,4 +52,4 @@ require_relative 'jwk/key_base'
 require_relative 'jwk/ec'
 require_relative 'jwk/rsa'
 require_relative 'jwk/hmac'
-require_relative 'jwk/okp_rbnacl' if ::JWT.rbnacl?
+require_relative 'jwk/okp_rbnacl' if JWT.rbnacl?

data/lib/jwt/verify.rb CHANGED Viewed

@@ -38,12 +38,12 @@ module JWT
     end
     def verify_expiration
-      return unless @payload.include?('exp')
+      return unless contains_key?(@payload, 'exp')
       raise(JWT::ExpiredSignature, 'Signature has expired') if @payload['exp'].to_i <= (Time.now.to_i - exp_leeway)
     end
     def verify_iat
-      return unless @payload.include?('iat')
+      return unless contains_key?(@payload, 'iat')
       iat = @payload['iat']
       raise(JWT::InvalidIatError, 'Invalid iat') if !iat.is_a?(Numeric) || iat.to_f > Time.now.to_f
@@ -77,7 +77,7 @@ module JWT
     end
     def verify_not_before
-      return unless @payload.include?('nbf')
+      return unless contains_key?(@payload, 'nbf')
       raise(JWT::ImmatureSignature, 'Signature nbf has not been reached') if @payload['nbf'].to_i > (Time.now.to_i + nbf_leeway)
     end
@@ -92,7 +92,7 @@ module JWT
       return unless (options_required_claims = @options[:required_claims])
       options_required_claims.each do |required_claim|
-        raise(JWT::MissingRequiredClaim, "Missing required claim #{required_claim}") unless @payload.include?(required_claim)
+        raise(JWT::MissingRequiredClaim, "Missing required claim #{required_claim}") unless contains_key?(@payload, required_claim)
       end
     end
@@ -109,5 +109,9 @@ module JWT
     def nbf_leeway
       @options[:nbf_leeway] || global_leeway
     end
+    def contains_key?(payload, key)
+      payload.respond_to?(:key?) && payload.key?(key)
+    end
   end
 end

data/lib/jwt/version.rb CHANGED Viewed

@@ -11,7 +11,7 @@ module JWT
     # major version
     MAJOR = 2
     # minor version
-    MINOR = 7
+    MINOR = 8
     # tiny version
     TINY  = 0
     # alpha, beta, etc. tag
@@ -23,7 +23,8 @@ module JWT
   def self.openssl_3?
     return false if OpenSSL::OPENSSL_VERSION.include?('LibreSSL')
-    return true if OpenSSL::OPENSSL_VERSION_NUMBER >= 3 * 0x10000000
+    true if 3 * 0x10000000 <= OpenSSL::OPENSSL_VERSION_NUMBER
   end
   def self.rbnacl?

data/lib/jwt/x5c_key_finder.rb CHANGED Viewed

@@ -1,8 +1,5 @@
 # frozen_string_literal: true
-require 'base64'
-require 'jwt/error'
 module JWT
   # If the x5c header certificate chain can be validated by trusted root
   # certificates, and none of the certificates are revoked, returns the public

data/ruby-jwt.gemspec CHANGED Viewed

@@ -31,9 +31,12 @@ Gem::Specification.new do |spec|
   spec.executables = []
   spec.require_paths = %w[lib]
+  spec.add_dependency 'base64'
   spec.add_development_dependency 'appraisal'
   spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'rake'
   spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'rubocop'
   spec.add_development_dependency 'simplecov'
 end

metadata CHANGED Viewed

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 2.7.0
+  version: 2.8.0
 platform: ruby
 authors:
 - Tim Rudat
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-02-01 00:00:00.000000000 Z
+date: 2024-02-17 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: appraisal
   requirement: !ruby/object:Gem::Requirement
@@ -66,6 +80,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -94,17 +122,6 @@ files:
 - LICENSE
 - README.md
 - lib/jwt.rb
-- lib/jwt/algos.rb
-- lib/jwt/algos/algo_wrapper.rb
-- lib/jwt/algos/ecdsa.rb
-- lib/jwt/algos/eddsa.rb
-- lib/jwt/algos/hmac.rb
-- lib/jwt/algos/hmac_rbnacl.rb
-- lib/jwt/algos/hmac_rbnacl_fixed.rb
-- lib/jwt/algos/none.rb
-- lib/jwt/algos/ps.rb
-- lib/jwt/algos/rsa.rb
-- lib/jwt/algos/unsupported.rb
 - lib/jwt/base64.rb
 - lib/jwt/claims_validator.rb
 - lib/jwt/configuration.rb
@@ -115,6 +132,17 @@ files:
 - lib/jwt/encode.rb
 - lib/jwt/error.rb
 - lib/jwt/json.rb
+- lib/jwt/jwa.rb
+- lib/jwt/jwa/ecdsa.rb
+- lib/jwt/jwa/eddsa.rb
+- lib/jwt/jwa/hmac.rb
+- lib/jwt/jwa/hmac_rbnacl.rb
+- lib/jwt/jwa/hmac_rbnacl_fixed.rb
+- lib/jwt/jwa/none.rb
+- lib/jwt/jwa/ps.rb
+- lib/jwt/jwa/rsa.rb
+- lib/jwt/jwa/unsupported.rb
+- lib/jwt/jwa/wrapper.rb
 - lib/jwt/jwk.rb
 - lib/jwt/jwk/ec.rb
 - lib/jwt/jwk/hmac.rb
@@ -125,7 +153,6 @@ files:
 - lib/jwt/jwk/rsa.rb
 - lib/jwt/jwk/set.rb
 - lib/jwt/jwk/thumbprint.rb
-- lib/jwt/security_utils.rb
 - lib/jwt/verify.rb
 - lib/jwt/version.rb
 - lib/jwt/x5c_key_finder.rb
@@ -135,7 +162,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
-  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.7.0/CHANGELOG.md
+  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.8.0/CHANGELOG.md
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []

data/lib/jwt/algos/eddsa.rb DELETED Viewed

@@ -1,33 +0,0 @@
-# frozen_string_literal: true
-module JWT
-  module Algos
-    module Eddsa
-      module_function
-      SUPPORTED = %w[ED25519 EdDSA].freeze
-      def sign(algorithm, msg, key)
-        if key.class != RbNaCl::Signatures::Ed25519::SigningKey
-          raise EncodeError, "Key given is a #{key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey"
-        end
-        unless SUPPORTED.map(&:downcase).map(&:to_sym).include?(algorithm.downcase.to_sym)
-          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided"
-        end
-        key.sign(msg)
-      end
-      def verify(algorithm, public_key, signing_input, signature)
-        unless SUPPORTED.map(&:downcase).map(&:to_sym).include?(algorithm.downcase.to_sym)
-          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided"
-        end
-        raise DecodeError, "key given is a #{public_key.class} but has to be a RbNaCl::Signatures::Ed25519::VerifyKey" if public_key.class != RbNaCl::Signatures::Ed25519::VerifyKey
-        public_key.verify(signature, signing_input)
-      rescue RbNaCl::CryptoError
-        false
-      end
-    end
-  end
-end

data/lib/jwt/algos/hmac_rbnacl.rb DELETED Viewed

@@ -1,53 +0,0 @@
-# frozen_string_literal: true
-module JWT
-  module Algos
-    module HmacRbNaCl
-      module_function
-      MAPPING = {
-        'HS256' => ::RbNaCl::HMAC::SHA256,
-        'HS512256' => ::RbNaCl::HMAC::SHA512256,
-        'HS384' => nil,
-        'HS512' => ::RbNaCl::HMAC::SHA512
-      }.freeze
-      SUPPORTED = MAPPING.keys
-      def sign(algorithm, msg, key)
-        if (hmac = resolve_algorithm(algorithm))
-          hmac.auth(key_for_rbnacl(hmac, key).encode('binary'), msg.encode('binary'))
-        else
-          Hmac.sign(algorithm, msg, key)
-        end
-      end
-      def verify(algorithm, key, signing_input, signature)
-        if (hmac = resolve_algorithm(algorithm))
-          hmac.verify(key_for_rbnacl(hmac, key).encode('binary'), signature.encode('binary'), signing_input.encode('binary'))
-        else
-          Hmac.verify(algorithm, key, signing_input, signature)
-        end
-      rescue ::RbNaCl::BadAuthenticatorError
-        false
-      end
-      def key_for_rbnacl(hmac, key)
-        key ||= ''
-        raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
-        return padded_empty_key(hmac.key_bytes) if key == ''
-        key
-      end
-      def resolve_algorithm(algorithm)
-        MAPPING.fetch(algorithm)
-      end
-      def padded_empty_key(length)
-        Array.new(length, 0x0).pack('C*').encode('binary')
-      end
-    end
-  end
-end

data/lib/jwt/algos/hmac_rbnacl_fixed.rb DELETED Viewed

@@ -1,52 +0,0 @@
-# frozen_string_literal: true
-module JWT
-  module Algos
-    module HmacRbNaClFixed
-      module_function
-      MAPPING = {
-        'HS256' => ::RbNaCl::HMAC::SHA256,
-        'HS512256' => ::RbNaCl::HMAC::SHA512256,
-        'HS384' => nil,
-        'HS512' => ::RbNaCl::HMAC::SHA512
-      }.freeze
-      SUPPORTED = MAPPING.keys
-      def sign(algorithm, msg, key)
-        key ||= ''
-        raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
-        if (hmac = resolve_algorithm(algorithm)) && key.bytesize <= hmac.key_bytes
-          hmac.auth(padded_key_bytes(key, hmac.key_bytes), msg.encode('binary'))
-        else
-          Hmac.sign(algorithm, msg, key)
-        end
-      end
-      def verify(algorithm, key, signing_input, signature)
-        key ||= ''
-        raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
-        if (hmac = resolve_algorithm(algorithm)) && key.bytesize <= hmac.key_bytes
-          hmac.verify(padded_key_bytes(key, hmac.key_bytes), signature.encode('binary'), signing_input.encode('binary'))
-        else
-          Hmac.verify(algorithm, key, signing_input, signature)
-        end
-      rescue ::RbNaCl::BadAuthenticatorError
-        false
-      end
-      def resolve_algorithm(algorithm)
-        MAPPING.fetch(algorithm)
-      end
-      def padded_key_bytes(key, bytesize)
-        key.bytes.fill(0, key.bytesize...bytesize).pack('C*')
-      end
-    end
-  end
-end

data/lib/jwt/algos/ps.rb DELETED Viewed

@@ -1,41 +0,0 @@
-# frozen_string_literal: true
-module JWT
-  module Algos
-    module Ps
-      # RSASSA-PSS signing algorithms
-      module_function
-      SUPPORTED = %w[PS256 PS384 PS512].freeze
-      def sign(algorithm, msg, key)
-        require_openssl!
-        key_class = key.class
-        raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance." if key_class == String
-        translated_algorithm = algorithm.sub('PS', 'sha')
-        key.sign_pss(translated_algorithm, msg, salt_length: :digest, mgf1_hash: translated_algorithm)
-      end
-      def verify(algorithm, public_key, signing_input, signature)
-        require_openssl!
-        SecurityUtils.verify_ps(algorithm, public_key, signing_input, signature)
-      end
-      def require_openssl!
-        if Object.const_defined?('OpenSSL')
-          if ::Gem::Version.new(OpenSSL::VERSION) < ::Gem::Version.new('2.1')
-            raise JWT::RequiredDependencyError, "You currently have OpenSSL #{OpenSSL::VERSION}. PS support requires >= 2.1"
-          end
-        else
-          raise JWT::RequiredDependencyError, 'PS signing requires OpenSSL +2.1'
-        end
-      end
-    end
-  end
-end

data/lib/jwt/algos/rsa.rb DELETED Viewed

@@ -1,21 +0,0 @@
-# frozen_string_literal: true
-module JWT
-  module Algos
-    module Rsa
-      module_function
-      SUPPORTED = %w[RS256 RS384 RS512].freeze
-      def sign(algorithm, msg, key)
-        raise EncodeError, "The given key is a #{key.class}. It has to be an OpenSSL::PKey::RSA instance." if key.instance_of?(String)
-        key.sign(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), msg)
-      end
-      def verify(algorithm, public_key, signing_input, signature)
-        SecurityUtils.verify_rsa(algorithm, public_key, signing_input, signature)
-      end
-    end
-  end
-end

data/lib/jwt/algos.rb DELETED Viewed

@@ -1,67 +0,0 @@
-# frozen_string_literal: true
-begin
-  require 'rbnacl'
-rescue LoadError
-  raise if defined?(RbNaCl)
-end
-require 'openssl'
-require 'jwt/security_utils'
-require 'jwt/algos/hmac'
-require 'jwt/algos/eddsa'
-require 'jwt/algos/ecdsa'
-require 'jwt/algos/rsa'
-require 'jwt/algos/ps'
-require 'jwt/algos/none'
-require 'jwt/algos/unsupported'
-require 'jwt/algos/algo_wrapper'
-module JWT
-  module Algos
-    extend self
-    ALGOS = [Algos::Ecdsa,
-             Algos::Rsa,
-             Algos::Eddsa,
-             Algos::Ps,
-             Algos::None,
-             Algos::Unsupported].tap do |l|
-      if ::JWT.rbnacl_6_or_greater?
-        require_relative 'algos/hmac_rbnacl'
-        l.unshift(Algos::HmacRbNaCl)
-      elsif ::JWT.rbnacl?
-        require_relative 'algos/hmac_rbnacl_fixed'
-        l.unshift(Algos::HmacRbNaClFixed)
-      else
-        l.unshift(Algos::Hmac)
-      end
-    end.freeze
-    def find(algorithm)
-      indexed[algorithm && algorithm.downcase]
-    end
-    def create(algorithm)
-      Algos::AlgoWrapper.new(*find(algorithm))
-    end
-    def implementation?(algorithm)
-      (algorithm.respond_to?(:valid_alg?) && algorithm.respond_to?(:verify)) ||
-        (algorithm.respond_to?(:alg) && algorithm.respond_to?(:sign))
-    end
-    private
-    def indexed
-      @indexed ||= begin
-        fallback = [nil, Algos::Unsupported]
-        ALGOS.each_with_object(Hash.new(fallback)) do |cls, hash|
-          cls.const_get(:SUPPORTED).each do |alg|
-            hash[alg.downcase] = [alg, cls]
-          end
-        end
-      end
-    end
-  end
-end

data/lib/jwt/security_utils.rb DELETED Viewed

@@ -1,32 +0,0 @@
-# frozen_string_literal: true
-module JWT
-  # Collection of security methods
-  #
-  # @see: https://github.com/rails/rails/blob/master/activesupport/lib/active_support/security_utils.rb
-  module SecurityUtils
-    module_function
-    def verify_rsa(algorithm, public_key, signing_input, signature)
-      public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
-    end
-    def verify_ps(algorithm, public_key, signing_input, signature)
-      formatted_algorithm = algorithm.sub('PS', 'sha')
-      public_key.verify_pss(formatted_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: formatted_algorithm)
-    end
-    def asn1_to_raw(signature, public_key)
-      byte_size = (public_key.group.degree + 7) / 8
-      OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
-    end
-    def raw_to_asn1(signature, private_key)
-      byte_size = (private_key.group.degree + 7) / 8
-      sig_bytes = signature[0..(byte_size - 1)]
-      sig_char = signature[byte_size..-1] || ''
-      OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
-    end
-  end
-end