jwt 2.8.2 → 2.9.0

data/lib/jwt/jwa/hmac_rbnacl.rb

@@ -1,49 +1,44 @@
 # frozen_string_literal: true
 
 module JWT
-  module Algos
-    module HmacRbNaCl
-      MAPPING   = { 'HS512256' => ::RbNaCl::HMAC::SHA512256 }.freeze
-      SUPPORTED = MAPPING.keys
-      class << self
-        def sign(algorithm, msg, key)
-          Deprecations.warning("The use of the algorithm #{algorithm} is deprecated and will be removed in the next major version of ruby-jwt")
-          if (hmac = resolve_algorithm(algorithm))
-            hmac.auth(key_for_rbnacl(hmac, key).encode('binary'), msg.encode('binary'))
-          else
-            Hmac.sign(algorithm, msg, key)
-          end
-        end
-
-        def verify(algorithm, key, signing_input, signature)
-          Deprecations.warning("The use of the algorithm #{algorithm} is deprecated and will be removed in the next major version of ruby-jwt")
-          if (hmac = resolve_algorithm(algorithm))
-            hmac.verify(key_for_rbnacl(hmac, key).encode('binary'), signature.encode('binary'), signing_input.encode('binary'))
-          else
-            Hmac.verify(algorithm, key, signing_input, signature)
-          end
-        rescue ::RbNaCl::BadAuthenticatorError, ::RbNaCl::LengthError
-          false
-        end
-
-        private
-
-        def key_for_rbnacl(hmac, key)
-          key ||= ''
-          raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
-
-          return padded_empty_key(hmac.key_bytes) if key == ''
-
-          key
-        end
-
-        def resolve_algorithm(algorithm)
-          MAPPING.fetch(algorithm)
-        end
-
-        def padded_empty_key(length)
-          Array.new(length, 0x0).pack('C*').encode('binary')
-        end
+  module JWA
+    class HmacRbNaCl
+      include JWT::JWA::SigningAlgorithm
+
+      def initialize(alg, hmac)
+        @alg = alg
+        @hmac = hmac
+      end
+
+      def sign(data:, signing_key:)
+        Deprecations.warning("The use of the algorithm #{alg} is deprecated and will be removed in the next major version of ruby-jwt")
+        hmac.auth(key_for_rbnacl(hmac, signing_key).encode('binary'), data.encode('binary'))
+      end
+
+      def verify(data:, signature:, verification_key:)
+        Deprecations.warning("The use of the algorithm #{alg} is deprecated and will be removed in the next major version of ruby-jwt")
+        hmac.verify(key_for_rbnacl(hmac, verification_key).encode('binary'), signature.encode('binary'), data.encode('binary'))
+      rescue ::RbNaCl::BadAuthenticatorError, ::RbNaCl::LengthError
+        false
+      end
+
+      register_algorithm(new('HS512256', ::RbNaCl::HMAC::SHA512256))
+
+      private
+
+      attr_reader :hmac
+
+      def key_for_rbnacl(hmac, key)
+        key ||= ''
+        raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
+
+        return padded_empty_key(hmac.key_bytes) if key == ''
+
+        key
+      end
+
+      def padded_empty_key(length)
+        Array.new(length, 0x0).pack('C*').encode('binary')
       end
     end
   end

data/lib/jwt/jwa/hmac_rbnacl_fixed.rb

@@ -1,45 +1,41 @@
 # frozen_string_literal: true
 
 module JWT
-  module Algos
-    module HmacRbNaClFixed
-      MAPPING   = { 'HS512256' => ::RbNaCl::HMAC::SHA512256 }.freeze
-      SUPPORTED = MAPPING.keys
-
-      class << self
-        def sign(algorithm, msg, key)
-          key ||= ''
-          Deprecations.warning("The use of the algorithm #{algorithm} is deprecated and will be removed in the next major version of ruby-jwt")
-          raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
-
-          if (hmac = resolve_algorithm(algorithm)) && key.bytesize <= hmac.key_bytes
-            hmac.auth(padded_key_bytes(key, hmac.key_bytes), msg.encode('binary'))
-          else
-            Hmac.sign(algorithm, msg, key)
-          end
-        end
-
-        def verify(algorithm, key, signing_input, signature)
-          key ||= ''
-          Deprecations.warning("The use of the algorithm #{algorithm} is deprecated and will be removed in the next major version of ruby-jwt")
-          raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
-
-          if (hmac = resolve_algorithm(algorithm)) && key.bytesize <= hmac.key_bytes
-            hmac.verify(padded_key_bytes(key, hmac.key_bytes), signature.encode('binary'), signing_input.encode('binary'))
-          else
-            Hmac.verify(algorithm, key, signing_input, signature)
-          end
-        rescue ::RbNaCl::BadAuthenticatorError, ::RbNaCl::LengthError
-          false
-        end
-
-        def resolve_algorithm(algorithm)
-          MAPPING.fetch(algorithm)
-        end
-
-        def padded_key_bytes(key, bytesize)
-          key.bytes.fill(0, key.bytesize...bytesize).pack('C*')
-        end
+  module JWA
+    class HmacRbNaClFixed
+      include JWT::JWA::SigningAlgorithm
+
+      def initialize(alg, hmac)
+        @alg = alg
+        @hmac = hmac
+      end
+
+      def sign(data:, signing_key:)
+        signing_key ||= ''
+        Deprecations.warning("The use of the algorithm #{alg} is deprecated and will be removed in the next major version of ruby-jwt")
+        raise JWT::DecodeError, 'HMAC key expected to be a String' unless signing_key.is_a?(String)
+
+        hmac.auth(padded_key_bytes(signing_key, hmac.key_bytes), data.encode('binary'))
+      end
+
+      def verify(data:, signature:, verification_key:)
+        verification_key ||= ''
+        Deprecations.warning("The use of the algorithm #{alg} is deprecated and will be removed in the next major version of ruby-jwt")
+        raise JWT::DecodeError, 'HMAC key expected to be a String' unless verification_key.is_a?(String)
+
+        hmac.verify(padded_key_bytes(verification_key, hmac.key_bytes), signature.encode('binary'), data.encode('binary'))
+      rescue ::RbNaCl::BadAuthenticatorError, ::RbNaCl::LengthError
+        false
+      end
+
+      register_algorithm(new('HS512256', ::RbNaCl::HMAC::SHA512256))
+
+      private
+
+      attr_reader :hmac
+
+      def padded_key_bytes(key, bytesize)
+        key.bytes.fill(0, key.bytesize...bytesize).pack('C*')
       end
     end
   end

data/lib/jwt/jwa/none.rb

@@ -2,10 +2,12 @@
 
 module JWT
   module JWA
-    module None
-      module_function
+    class None
+      include JWT::JWA::SigningAlgorithm
 
-      SUPPORTED = %w[none].freeze
+      def initialize
+        @alg = 'none'
+      end
 
       def sign(*)
         ''
@@ -14,6 +16,8 @@ module JWT
       def verify(*)
         true
       end
+
+      register_algorithm(new)
     end
   end
 end

data/lib/jwt/jwa/ps.rb

@@ -2,29 +2,35 @@
 
 module JWT
   module JWA
-    module Ps
-      # RSASSA-PSS signing algorithms
+    class Ps
+      include JWT::JWA::SigningAlgorithm
 
-      module_function
-
-      SUPPORTED = %w[PS256 PS384 PS512].freeze
+      def initialize(alg)
+        @alg = alg
+        @digest_algorithm = alg.sub('PS', 'sha')
+      end
 
-      def sign(algorithm, msg, key)
-        unless key.is_a?(::OpenSSL::PKey::RSA)
-          raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance."
+      def sign(data:, signing_key:)
+        unless signing_key.is_a?(::OpenSSL::PKey::RSA)
+          raise_sign_error!("The given key is a #{signing_key.class}. It has to be an OpenSSL::PKey::RSA instance.")
         end
 
-        translated_algorithm = algorithm.sub('PS', 'sha')
-
-        key.sign_pss(translated_algorithm, msg, salt_length: :digest, mgf1_hash: translated_algorithm)
+        signing_key.sign_pss(digest_algorithm, data, salt_length: :digest, mgf1_hash: digest_algorithm)
       end
 
-      def verify(algorithm, public_key, signing_input, signature)
-        translated_algorithm = algorithm.sub('PS', 'sha')
-        public_key.verify_pss(translated_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: translated_algorithm)
+      def verify(data:, signature:, verification_key:)
+        verification_key.verify_pss(digest_algorithm, signature, data, salt_length: :auto, mgf1_hash: digest_algorithm)
       rescue OpenSSL::PKey::PKeyError
         raise JWT::VerificationError, 'Signature verification raised'
       end
+
+      register_algorithm(new('PS256'))
+      register_algorithm(new('PS384'))
+      register_algorithm(new('PS512'))
+
+      private
+
+      attr_reader :digest_algorithm
     end
   end
 end

data/lib/jwt/jwa/rsa.rb

@@ -2,24 +2,35 @@
 
 module JWT
   module JWA
-    module Rsa
-      module_function
+    class Rsa
+      include JWT::JWA::SigningAlgorithm
 
-      SUPPORTED = %w[RS256 RS384 RS512].freeze
+      def initialize(alg)
+        @alg = alg
+        @digest = OpenSSL::Digest.new(alg.sub('RS', 'SHA'))
+      end
 
-      def sign(algorithm, msg, key)
-        unless key.is_a?(OpenSSL::PKey::RSA)
-          raise EncodeError, "The given key is a #{key.class}. It has to be an OpenSSL::PKey::RSA instance"
+      def sign(data:, signing_key:)
+        unless signing_key.is_a?(OpenSSL::PKey::RSA)
+          raise_sign_error!("The given key is a #{signing_key.class}. It has to be an OpenSSL::PKey::RSA instance")
         end
 
-        key.sign(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), msg)
+        signing_key.sign(digest, data)
       end
 
-      def verify(algorithm, public_key, signing_input, signature)
-        public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
+      def verify(data:, signature:, verification_key:)
+        verification_key.verify(digest, signature, data)
       rescue OpenSSL::PKey::PKeyError
         raise JWT::VerificationError, 'Signature verification raised'
       end
+
+      register_algorithm(new('RS256'))
+      register_algorithm(new('RS384'))
+      register_algorithm(new('RS512'))
+
+      private
+
+      attr_reader :digest
     end
   end
 end

data/lib/jwt/jwa/signing_algorithm.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module JWT
+  module JWA
+    module SigningAlgorithm
+      module ClassMethods
+        def register_algorithm(algo)
+          ::JWT::JWA.register_algorithm(algo)
+        end
+      end
+
+      def self.included(klass)
+        klass.extend(ClassMethods)
+      end
+
+      attr_reader :alg
+
+      def valid_alg?(alg_to_check)
+        alg&.casecmp(alg_to_check)&.zero? == true
+      end
+
+      def header(*)
+        { 'alg' => alg }
+      end
+
+      def sign(*)
+        raise_sign_error!('Algorithm implementation is missing the sign method')
+      end
+
+      def verify(*)
+        raise_verify_error!('Algorithm implementation is missing the verify method')
+      end
+
+      def raise_verify_error!(message)
+        raise(DecodeError.new(message).tap { |e| e.set_backtrace(caller(1)) })
+      end
+
+      def raise_sign_error!(message)
+        raise(EncodeError.new(message).tap { |e| e.set_backtrace(caller(1)) })
+      end
+    end
+
+    class << self
+      def register_algorithm(algo)
+        algorithms[algo.alg.to_s.downcase] = algo
+      end
+
+      def find(algo)
+        algorithms.fetch(algo.to_s.downcase, Unsupported)
+      end
+
+      private
+
+      def algorithms
+        @algorithms ||= {}
+      end
+    end
+  end
+end

data/lib/jwt/jwa/unsupported.rb

@@ -3,16 +3,16 @@
 module JWT
   module JWA
     module Unsupported
-      module_function
+      class << self
+        include JWT::JWA::SigningAlgorithm
 
-      SUPPORTED = [].freeze
+        def sign(*)
+          raise_sign_error!('Unsupported signing method')
+        end
 
-      def sign(*)
-        raise NotImplementedError, 'Unsupported signing method'
-      end
-
-      def verify(*)
-        raise JWT::VerificationError, 'Algorithm not supported'
+        def verify(*)
+          raise JWT::VerificationError, 'Algorithm not supported'
+        end
       end
     end
   end

data/lib/jwt/jwa/wrapper.rb

@@ -3,23 +3,40 @@
 module JWT
   module JWA
     class Wrapper
-      attr_reader :alg, :cls
+      include SigningAlgorithm
 
-      def initialize(alg, cls)
-        @alg = alg
-        @cls = cls
+      def initialize(algorithm)
+        @algorithm = algorithm
+      end
+
+      def alg
+        return @algorithm.alg if @algorithm.respond_to?(:alg)
+
+        super
       end
 
       def valid_alg?(alg_to_check)
-        alg&.casecmp(alg_to_check)&.zero? == true
+        return @algorithm.valid_alg?(alg_to_check) if @algorithm.respond_to?(:valid_alg?)
+
+        super
       end
 
-      def sign(data:, signing_key:)
-        cls.sign(alg, data, signing_key)
+      def header(*args, **kwargs)
+        return @algorithm.header(*args, **kwargs) if @algorithm.respond_to?(:header)
+
+        super
       end
 
-      def verify(data:, signature:, verification_key:)
-        cls.verify(alg, verification_key, data, signature)
+      def sign(*args, **kwargs)
+        return @algorithm.sign(*args, **kwargs) if @algorithm.respond_to?(:sign)
+
+        super
+      end
+
+      def verify(*args, **kwargs)
+        return @algorithm.verify(*args, **kwargs) if @algorithm.respond_to?(:verify)
+
+        super
       end
     end
   end

data/lib/jwt/jwa.rb

@@ -8,54 +8,37 @@ rescue LoadError
   raise if defined?(RbNaCl)
 end
 
-require_relative 'jwa/hmac'
-require_relative 'jwa/eddsa'
+require_relative 'jwa/signing_algorithm'
 require_relative 'jwa/ecdsa'
-require_relative 'jwa/rsa'
-require_relative 'jwa/ps'
+require_relative 'jwa/hmac'
 require_relative 'jwa/none'
+require_relative 'jwa/ps'
+require_relative 'jwa/rsa'
 require_relative 'jwa/unsupported'
 require_relative 'jwa/wrapper'
 
+if JWT.rbnacl?
+  require_relative 'jwa/eddsa'
+end
+
+if JWT.rbnacl_6_or_greater?
+  require_relative 'jwa/hmac_rbnacl'
+elsif JWT.rbnacl?
+  require_relative 'jwa/hmac_rbnacl_fixed'
+end
+
 module JWT
   module JWA
-    ALGOS = [Hmac, Ecdsa, Rsa, Eddsa, Ps, None, Unsupported].tap do |l|
-      if ::JWT.rbnacl_6_or_greater?
-        require_relative 'jwa/hmac_rbnacl'
-        l << Algos::HmacRbNaCl
-      elsif ::JWT.rbnacl?
-        require_relative 'jwa/hmac_rbnacl_fixed'
-        l << Algos::HmacRbNaClFixed
-      end
-    end.freeze
-
     class << self
-      def find(algorithm)
-        indexed[algorithm&.downcase]
-      end
-
-      def create(algorithm)
-        return algorithm if JWA.implementation?(algorithm)
-
-        Wrapper.new(*find(algorithm))
-      end
-
-      def implementation?(algorithm)
-        (algorithm.respond_to?(:valid_alg?) && algorithm.respond_to?(:verify)) ||
-          (algorithm.respond_to?(:alg) && algorithm.respond_to?(:sign))
-      end
+      def resolve(algorithm)
+        return find(algorithm) if algorithm.is_a?(String) || algorithm.is_a?(Symbol)
 
-      private
-
-      def indexed
-        @indexed ||= begin
-          fallback = [nil, Unsupported]
-          ALGOS.each_with_object(Hash.new(fallback)) do |cls, hash|
-            cls.const_get(:SUPPORTED).each do |alg|
-              hash[alg.downcase] = [alg, cls]
-            end
-          end
+        unless algorithm.is_a?(SigningAlgorithm)
+          Deprecations.warning('Custom algorithms are required to include JWT::JWA::SigningAlgorithm')
+          return Wrapper.new(algorithm)
         end
+
+        algorithm
       end
     end
   end

data/lib/jwt/version.rb

@@ -11,9 +11,9 @@ module JWT
     # major version
     MAJOR = 2
     # minor version
-    MINOR = 8
+    MINOR = 9
     # tiny version
-    TINY  = 2
+    TINY  = 0
     # alpha, beta, etc. tag
     PRE   = nil
 

data/lib/jwt.rb

@@ -9,6 +9,7 @@ require 'jwt/deprecations'
 require 'jwt/encode'
 require 'jwt/error'
 require 'jwt/jwk'
+require 'jwt/claims'
 
 # JSON Web Token implementation
 #

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 2.8.2
+  version: 2.9.0
 platform: ruby
 authors:
 - Tim Rudat
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-06-18 00:00:00.000000000 Z
+date: 2024-09-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: base64
@@ -123,7 +123,16 @@ files:
 - README.md
 - lib/jwt.rb
 - lib/jwt/base64.rb
-- lib/jwt/claims_validator.rb
+- lib/jwt/claims.rb
+- lib/jwt/claims/audience.rb
+- lib/jwt/claims/expiration.rb
+- lib/jwt/claims/issued_at.rb
+- lib/jwt/claims/issuer.rb
+- lib/jwt/claims/jwt_id.rb
+- lib/jwt/claims/not_before.rb
+- lib/jwt/claims/numeric.rb
+- lib/jwt/claims/required.rb
+- lib/jwt/claims/subject.rb
 - lib/jwt/configuration.rb
 - lib/jwt/configuration/container.rb
 - lib/jwt/configuration/decode_configuration.rb
@@ -142,6 +151,7 @@ files:
 - lib/jwt/jwa/none.rb
 - lib/jwt/jwa/ps.rb
 - lib/jwt/jwa/rsa.rb
+- lib/jwt/jwa/signing_algorithm.rb
 - lib/jwt/jwa/unsupported.rb
 - lib/jwt/jwa/wrapper.rb
 - lib/jwt/jwk.rb
@@ -154,7 +164,6 @@ files:
 - lib/jwt/jwk/rsa.rb
 - lib/jwt/jwk/set.rb
 - lib/jwt/jwk/thumbprint.rb
-- lib/jwt/verify.rb
 - lib/jwt/version.rb
 - lib/jwt/x5c_key_finder.rb
 - ruby-jwt.gemspec
@@ -163,9 +172,9 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
-  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.8.2/CHANGELOG.md
+  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.9.0/CHANGELOG.md
   rubygems_mfa_required: 'true'
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -180,8 +189,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.3
-signing_key:
+rubygems_version: 3.5.16
+signing_key: 
 specification_version: 4
 summary: JSON Web Token implementation in Ruby
 test_files: []

data/lib/jwt/claims_validator.rb

@@ -1,37 +0,0 @@
-# frozen_string_literal: true
-
-require_relative 'error'
-
-module JWT
-  class ClaimsValidator
-    NUMERIC_CLAIMS = %i[
-      exp
-      iat
-      nbf
-    ].freeze
-
-    def initialize(payload)
-      @payload = payload.transform_keys(&:to_sym)
-    end
-
-    def validate!
-      validate_numeric_claims
-
-      true
-    end
-
-    private
-
-    def validate_numeric_claims
-      NUMERIC_CLAIMS.each do |claim|
-        validate_is_numeric(claim) if @payload.key?(claim)
-      end
-    end
-
-    def validate_is_numeric(claim)
-      return if @payload[claim].is_a?(Numeric)
-
-      raise InvalidPayload, "#{claim} claim must be a Numeric value but it is a #{@payload[claim].class}"
-    end
-  end
-end