jwt 2.7.1 → 2.9.0

data/lib/jwt/jwa/wrapper.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module JWT
+  module JWA
+    class Wrapper
+      include SigningAlgorithm
+
+      def initialize(algorithm)
+        @algorithm = algorithm
+      end
+
+      def alg
+        return @algorithm.alg if @algorithm.respond_to?(:alg)
+
+        super
+      end
+
+      def valid_alg?(alg_to_check)
+        return @algorithm.valid_alg?(alg_to_check) if @algorithm.respond_to?(:valid_alg?)
+
+        super
+      end
+
+      def header(*args, **kwargs)
+        return @algorithm.header(*args, **kwargs) if @algorithm.respond_to?(:header)
+
+        super
+      end
+
+      def sign(*args, **kwargs)
+        return @algorithm.sign(*args, **kwargs) if @algorithm.respond_to?(:sign)
+
+        super
+      end
+
+      def verify(*args, **kwargs)
+        return @algorithm.verify(*args, **kwargs) if @algorithm.respond_to?(:verify)
+
+        super
+      end
+    end
+  end
+end

data/lib/jwt/jwa.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require 'openssl'
+
+begin
+  require 'rbnacl'
+rescue LoadError
+  raise if defined?(RbNaCl)
+end
+
+require_relative 'jwa/signing_algorithm'
+require_relative 'jwa/ecdsa'
+require_relative 'jwa/hmac'
+require_relative 'jwa/none'
+require_relative 'jwa/ps'
+require_relative 'jwa/rsa'
+require_relative 'jwa/unsupported'
+require_relative 'jwa/wrapper'
+
+if JWT.rbnacl?
+  require_relative 'jwa/eddsa'
+end
+
+if JWT.rbnacl_6_or_greater?
+  require_relative 'jwa/hmac_rbnacl'
+elsif JWT.rbnacl?
+  require_relative 'jwa/hmac_rbnacl_fixed'
+end
+
+module JWT
+  module JWA
+    class << self
+      def resolve(algorithm)
+        return find(algorithm) if algorithm.is_a?(String) || algorithm.is_a?(Symbol)
+
+        unless algorithm.is_a?(SigningAlgorithm)
+          Deprecations.warning('Custom algorithms are required to include JWT::JWA::SigningAlgorithm')
+          return Wrapper.new(algorithm)
+        end
+
+        algorithm
+      end
+    end
+  end
+end

data/lib/jwt/jwk/ec.rb

@@ -11,6 +11,7 @@ module JWT
       EC_PUBLIC_KEY_ELEMENTS = %i[kty crv x y].freeze
       EC_PRIVATE_KEY_ELEMENTS = %i[d].freeze
       EC_KEY_ELEMENTS = (EC_PRIVATE_KEY_ELEMENTS + EC_PUBLIC_KEY_ELEMENTS).freeze
+      ZERO_BYTE = "\0".b.freeze
 
       def initialize(key, params = nil, options = {})
         params ||= {}
@@ -143,7 +144,6 @@ module JWT
       if ::JWT.openssl_3?
         def create_ec_key(jwk_crv, jwk_x, jwk_y, jwk_d) # rubocop:disable Metrics/MethodLength
           curve = EC.to_openssl_curve(jwk_crv)
-
           x_octets = decode_octets(jwk_x)
           y_octets = decode_octets(jwk_y)
 
@@ -153,26 +153,26 @@ module JWT
           )
 
           sequence = if jwk_d
-            # https://datatracker.ietf.org/doc/html/rfc5915.html
-            # ECPrivateKey ::= SEQUENCE {
-            #   version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
-            #   privateKey     OCTET STRING,
-            #   parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
-            #   publicKey  [1] BIT STRING OPTIONAL
-            # }
-
-            OpenSSL::ASN1::Sequence([
-                                      OpenSSL::ASN1::Integer(1),
-                                      OpenSSL::ASN1::OctetString(OpenSSL::BN.new(decode_octets(jwk_d), 2).to_s(2)),
-                                      OpenSSL::ASN1::ObjectId(curve, 0, :EXPLICIT),
-                                      OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed), 1, :EXPLICIT)
-                                    ])
-          else
-            OpenSSL::ASN1::Sequence([
-                                      OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId('id-ecPublicKey'), OpenSSL::ASN1::ObjectId(curve)]),
-                                      OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed))
-                                    ])
-          end
+                       # https://datatracker.ietf.org/doc/html/rfc5915.html
+                       # ECPrivateKey ::= SEQUENCE {
+                       #   version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
+                       #   privateKey     OCTET STRING,
+                       #   parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
+                       #   publicKey  [1] BIT STRING OPTIONAL
+                       # }
+
+                       OpenSSL::ASN1::Sequence([
+                                                 OpenSSL::ASN1::Integer(1),
+                                                 OpenSSL::ASN1::OctetString(OpenSSL::BN.new(decode_octets(jwk_d), 2).to_s(2)),
+                                                 OpenSSL::ASN1::ObjectId(curve, 0, :EXPLICIT),
+                                                 OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed), 1, :EXPLICIT)
+                                               ])
+                     else
+                       OpenSSL::ASN1::Sequence([
+                                                 OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId('id-ecPublicKey'), OpenSSL::ASN1::ObjectId(curve)]),
+                                                 OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed))
+                                               ])
+                     end
 
           OpenSSL::PKey::EC.new(sequence.to_der)
         end
@@ -205,12 +205,27 @@ module JWT
         end
       end
 
-      def decode_octets(jwk_data)
-        ::JWT::Base64.url_decode(jwk_data)
-      end
-
-      def decode_open_ssl_bn(jwk_data)
-        OpenSSL::BN.new(::JWT::Base64.url_decode(jwk_data), BINARY)
+      def decode_octets(base64_encoded_coordinate)
+        bytes = ::JWT::Base64.url_decode(base64_encoded_coordinate)
+        # Some base64 encoders on some platform omit a single 0-byte at
+        # the start of either Y or X coordinate of the elliptic curve point.
+        # This leads to an encoding error when data is passed to OpenSSL BN.
+        # It is know to have happend to exported JWKs on a Java application and
+        # on a Flutter/Dart application (both iOS and Android). All that is
+        # needed to fix the problem is adding a leading 0-byte. We know the
+        # required byte is 0 because with any other byte the point is no longer
+        # on the curve - and OpenSSL will actually communicate this via another
+        # exception. The indication of a stripped byte will be the fact that the
+        # coordinates - once decoded into bytes - should always be an even
+        # bytesize. For example, with a P-521 curve, both x and y must be 66 bytes.
+        # With a P-256 curve, both x and y must be 32 and so on. The simplest way
+        # to check for this truncation is thus to check whether the number of bytes
+        # is odd, and restore the leading 0-byte if it is.
+        if bytes.bytesize.odd?
+          ZERO_BYTE + bytes
+        else
+          bytes
+        end
       end
 
       class << self

data/lib/jwt/jwk/key_base.rb

@@ -38,12 +38,14 @@ module JWT
       end
 
       def ==(other)
-        self[:kid] == other[:kid]
+        other.is_a?(::JWT::JWK::KeyBase) && self[:kid] == other[:kid]
       end
 
       alias eql? ==
 
       def <=>(other)
+        return nil unless other.is_a?(::JWT::JWK::KeyBase)
+
         self[:kid] <=> other[:kid]
       end
 

data/lib/jwt/jwk/key_finder.rb

@@ -8,10 +8,10 @@ module JWT
         jwks_or_loader = options[:jwks]
 
         @jwks_loader = if jwks_or_loader.respond_to?(:call)
-          jwks_or_loader
-        else
-          ->(_options) { jwks_or_loader }
-        end
+                         jwks_or_loader
+                       else
+                         ->(_options) { jwks_or_loader }
+                       end
       end
 
       def key_for(kid)

data/lib/jwt/jwk/set.rb

@@ -25,7 +25,7 @@ module JWT
                   jwks.map { |k| JWT::JWK.new(k, nil, options) }
                 else
                   raise ArgumentError, 'Can only create new JWKS from Hash, Array and JWK'
-        end
+                end
       end
 
       def export(options = {})

data/lib/jwt/jwk.rb

@@ -52,4 +52,4 @@ require_relative 'jwk/key_base'
 require_relative 'jwk/ec'
 require_relative 'jwk/rsa'
 require_relative 'jwk/hmac'
-require_relative 'jwk/okp_rbnacl' if ::JWT.rbnacl?
+require_relative 'jwk/okp_rbnacl' if JWT.rbnacl?

data/lib/jwt/version.rb

@@ -11,9 +11,9 @@ module JWT
     # major version
     MAJOR = 2
     # minor version
-    MINOR = 7
+    MINOR = 9
     # tiny version
-    TINY  = 1
+    TINY  = 0
     # alpha, beta, etc. tag
     PRE   = nil
 
@@ -23,7 +23,8 @@ module JWT
 
   def self.openssl_3?
     return false if OpenSSL::OPENSSL_VERSION.include?('LibreSSL')
-    return true if OpenSSL::OPENSSL_VERSION_NUMBER >= 3 * 0x10000000
+
+    true if 3 * 0x10000000 <= OpenSSL::OPENSSL_VERSION_NUMBER
   end
 
   def self.rbnacl?

data/lib/jwt/x5c_key_finder.rb

@@ -1,8 +1,5 @@
 # frozen_string_literal: true
 
-require 'base64'
-require 'jwt/error'
-
 module JWT
   # If the x5c header certificate chain can be validated by trusted root
   # certificates, and none of the certificates are revoked, returns the public
@@ -10,7 +7,7 @@ module JWT
   # See https://tools.ietf.org/html/rfc7515#section-4.1.6
   class X5cKeyFinder
     def initialize(root_certificates, crls = nil)
-      raise(ArgumentError, 'Root certificates must be specified') unless root_certificates
+      raise ArgumentError, 'Root certificates must be specified' unless root_certificates
 
       @store = build_store(root_certificates, crls)
     end
@@ -27,7 +24,7 @@ module JWT
           error = "#{error} Certificate subject: #{current_cert.subject}."
         end
 
-        raise(JWT::VerificationError, error)
+        raise JWT::VerificationError, error
       end
     end
 

data/lib/jwt.rb

@@ -5,9 +5,11 @@ require 'jwt/base64'
 require 'jwt/json'
 require 'jwt/decode'
 require 'jwt/configuration'
+require 'jwt/deprecations'
 require 'jwt/encode'
 require 'jwt/error'
 require 'jwt/jwk'
+require 'jwt/claims'
 
 # JSON Web Token implementation
 #
@@ -26,6 +28,8 @@ module JWT
   end
 
   def decode(jwt, key = nil, verify = true, options = {}, &keyfinder) # rubocop:disable Style/OptionalBooleanParameter
-    Decode.new(jwt, key, verify, configuration.decode.to_h.merge(options), &keyfinder).decode_segments
+    Deprecations.context do
+      Decode.new(jwt, key, verify, configuration.decode.to_h.merge(options), &keyfinder).decode_segments
+    end
   end
 end

data/ruby-jwt.gemspec

@@ -31,9 +31,12 @@ Gem::Specification.new do |spec|
   spec.executables = []
   spec.require_paths = %w[lib]
 
+  spec.add_dependency 'base64'
+
   spec.add_development_dependency 'appraisal'
   spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'rake'
   spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'rubocop'
   spec.add_development_dependency 'simplecov'
 end

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 2.7.1
+  version: 2.9.0
 platform: ruby
 authors:
 - Tim Rudat
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-06-09 00:00:00.000000000 Z
+date: 2024-09-15 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: appraisal
   requirement: !ruby/object:Gem::Requirement
@@ -66,6 +80,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -94,27 +122,38 @@ files:
 - LICENSE
 - README.md
 - lib/jwt.rb
-- lib/jwt/algos.rb
-- lib/jwt/algos/algo_wrapper.rb
-- lib/jwt/algos/ecdsa.rb
-- lib/jwt/algos/eddsa.rb
-- lib/jwt/algos/hmac.rb
-- lib/jwt/algos/hmac_rbnacl.rb
-- lib/jwt/algos/hmac_rbnacl_fixed.rb
-- lib/jwt/algos/none.rb
-- lib/jwt/algos/ps.rb
-- lib/jwt/algos/rsa.rb
-- lib/jwt/algos/unsupported.rb
 - lib/jwt/base64.rb
-- lib/jwt/claims_validator.rb
+- lib/jwt/claims.rb
+- lib/jwt/claims/audience.rb
+- lib/jwt/claims/expiration.rb
+- lib/jwt/claims/issued_at.rb
+- lib/jwt/claims/issuer.rb
+- lib/jwt/claims/jwt_id.rb
+- lib/jwt/claims/not_before.rb
+- lib/jwt/claims/numeric.rb
+- lib/jwt/claims/required.rb
+- lib/jwt/claims/subject.rb
 - lib/jwt/configuration.rb
 - lib/jwt/configuration/container.rb
 - lib/jwt/configuration/decode_configuration.rb
 - lib/jwt/configuration/jwk_configuration.rb
 - lib/jwt/decode.rb
+- lib/jwt/deprecations.rb
 - lib/jwt/encode.rb
 - lib/jwt/error.rb
 - lib/jwt/json.rb
+- lib/jwt/jwa.rb
+- lib/jwt/jwa/ecdsa.rb
+- lib/jwt/jwa/eddsa.rb
+- lib/jwt/jwa/hmac.rb
+- lib/jwt/jwa/hmac_rbnacl.rb
+- lib/jwt/jwa/hmac_rbnacl_fixed.rb
+- lib/jwt/jwa/none.rb
+- lib/jwt/jwa/ps.rb
+- lib/jwt/jwa/rsa.rb
+- lib/jwt/jwa/signing_algorithm.rb
+- lib/jwt/jwa/unsupported.rb
+- lib/jwt/jwa/wrapper.rb
 - lib/jwt/jwk.rb
 - lib/jwt/jwk/ec.rb
 - lib/jwt/jwk/hmac.rb
@@ -125,7 +164,6 @@ files:
 - lib/jwt/jwk/rsa.rb
 - lib/jwt/jwk/set.rb
 - lib/jwt/jwk/thumbprint.rb
-- lib/jwt/verify.rb
 - lib/jwt/version.rb
 - lib/jwt/x5c_key_finder.rb
 - ruby-jwt.gemspec
@@ -134,9 +172,9 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
-  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.7.1/CHANGELOG.md
+  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.9.0/CHANGELOG.md
   rubygems_mfa_required: 'true'
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -151,8 +189,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
-signing_key:
+rubygems_version: 3.5.16
+signing_key: 
 specification_version: 4
 summary: JSON Web Token implementation in Ruby
 test_files: []

data/lib/jwt/algos/algo_wrapper.rb

@@ -1,26 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  module Algos
-    class AlgoWrapper
-      attr_reader :alg, :cls
-
-      def initialize(alg, cls)
-        @alg = alg
-        @cls = cls
-      end
-
-      def valid_alg?(alg_to_check)
-        alg&.casecmp(alg_to_check)&.zero? == true
-      end
-
-      def sign(data:, signing_key:)
-        cls.sign(alg, data, signing_key)
-      end
-
-      def verify(data:, signature:, verification_key:)
-        cls.verify(alg, verification_key, data, signature)
-      end
-    end
-  end
-end

data/lib/jwt/algos/eddsa.rb

@@ -1,33 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  module Algos
-    module Eddsa
-      module_function
-
-      SUPPORTED = %w[ED25519 EdDSA].freeze
-
-      def sign(algorithm, msg, key)
-        if key.class != RbNaCl::Signatures::Ed25519::SigningKey
-          raise EncodeError, "Key given is a #{key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey"
-        end
-        unless SUPPORTED.map(&:downcase).map(&:to_sym).include?(algorithm.downcase.to_sym)
-          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided"
-        end
-
-        key.sign(msg)
-      end
-
-      def verify(algorithm, public_key, signing_input, signature)
-        unless SUPPORTED.map(&:downcase).map(&:to_sym).include?(algorithm.downcase.to_sym)
-          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided"
-        end
-        raise DecodeError, "key given is a #{public_key.class} but has to be a RbNaCl::Signatures::Ed25519::VerifyKey" if public_key.class != RbNaCl::Signatures::Ed25519::VerifyKey
-
-        public_key.verify(signature, signing_input)
-      rescue RbNaCl::CryptoError
-        false
-      end
-    end
-  end
-end

data/lib/jwt/algos/hmac_rbnacl.rb

@@ -1,53 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  module Algos
-    module HmacRbNaCl
-      module_function
-
-      MAPPING = {
-        'HS256' => ::RbNaCl::HMAC::SHA256,
-        'HS512256' => ::RbNaCl::HMAC::SHA512256,
-        'HS384' => nil,
-        'HS512' => ::RbNaCl::HMAC::SHA512
-      }.freeze
-
-      SUPPORTED = MAPPING.keys
-
-      def sign(algorithm, msg, key)
-        if (hmac = resolve_algorithm(algorithm))
-          hmac.auth(key_for_rbnacl(hmac, key).encode('binary'), msg.encode('binary'))
-        else
-          Hmac.sign(algorithm, msg, key)
-        end
-      end
-
-      def verify(algorithm, key, signing_input, signature)
-        if (hmac = resolve_algorithm(algorithm))
-          hmac.verify(key_for_rbnacl(hmac, key).encode('binary'), signature.encode('binary'), signing_input.encode('binary'))
-        else
-          Hmac.verify(algorithm, key, signing_input, signature)
-        end
-      rescue ::RbNaCl::BadAuthenticatorError, ::RbNaCl::LengthError
-        false
-      end
-
-      def key_for_rbnacl(hmac, key)
-        key ||= ''
-        raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
-
-        return padded_empty_key(hmac.key_bytes) if key == ''
-
-        key
-      end
-
-      def resolve_algorithm(algorithm)
-        MAPPING.fetch(algorithm)
-      end
-
-      def padded_empty_key(length)
-        Array.new(length, 0x0).pack('C*').encode('binary')
-      end
-    end
-  end
-end

data/lib/jwt/algos/hmac_rbnacl_fixed.rb

@@ -1,52 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  module Algos
-    module HmacRbNaClFixed
-      module_function
-
-      MAPPING = {
-        'HS256' => ::RbNaCl::HMAC::SHA256,
-        'HS512256' => ::RbNaCl::HMAC::SHA512256,
-        'HS384' => nil,
-        'HS512' => ::RbNaCl::HMAC::SHA512
-      }.freeze
-
-      SUPPORTED = MAPPING.keys
-
-      def sign(algorithm, msg, key)
-        key ||= ''
-
-        raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
-
-        if (hmac = resolve_algorithm(algorithm)) && key.bytesize <= hmac.key_bytes
-          hmac.auth(padded_key_bytes(key, hmac.key_bytes), msg.encode('binary'))
-        else
-          Hmac.sign(algorithm, msg, key)
-        end
-      end
-
-      def verify(algorithm, key, signing_input, signature)
-        key ||= ''
-
-        raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
-
-        if (hmac = resolve_algorithm(algorithm)) && key.bytesize <= hmac.key_bytes
-          hmac.verify(padded_key_bytes(key, hmac.key_bytes), signature.encode('binary'), signing_input.encode('binary'))
-        else
-          Hmac.verify(algorithm, key, signing_input, signature)
-        end
-      rescue ::RbNaCl::BadAuthenticatorError, ::RbNaCl::LengthError
-        false
-      end
-
-      def resolve_algorithm(algorithm)
-        MAPPING.fetch(algorithm)
-      end
-
-      def padded_key_bytes(key, bytesize)
-        key.bytes.fill(0, key.bytesize...bytesize).pack('C*')
-      end
-    end
-  end
-end

data/lib/jwt/algos/none.rb

@@ -1,19 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  module Algos
-    module None
-      module_function
-
-      SUPPORTED = %w[none].freeze
-
-      def sign(*)
-        ''
-      end
-
-      def verify(*)
-        true
-      end
-    end
-  end
-end