jwt 3.1.2 → 3.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4fbf6e518cee3ac505360ea356f34fab6a68c5dfc2112671105085fbb03c08df
-  data.tar.gz: 0f206bdf51b4a979b6f734d6582f7e18762f2d3a1ee7feb38499fc4a92d77115
+  metadata.gz: 0bb396cd444a952a2c732720675f053ce5c4557978acf54acc0753a98b81f402
+  data.tar.gz: deeb4ea2635a1620f8dab94b4b7b2d6b7a01087ea0f45b9f79b408c9a7b23c25
 SHA512:
-  metadata.gz: 4fa9df3dae62f1abbe065fd144641a8869faddd45be94cb58871dc690fead80f38f741b5de5319b5a31d8d28fe16ae32627f27d396cbe2f91f80acc9a6d3e477
-  data.tar.gz: 41e30090c5ee55b3706b4d2bddd73dc596e4db46669c292af56bca9ebe9f36a8eafe7ce33578f3012d87f910a6880ee26e6c26c46bfda59470a23f24e47a739d
+  metadata.gz: d9913bf66785a88c127148c5a4a3fd6dcd9a28820f53c20635ab5469cebdfb159366566ba8b198154c9a541927224c11e75ced5c9f5b69c1d32a9e01764ca0dd
+  data.tar.gz: e2d4765fa99b67229f3204b917aea480a1d4027c23a216f307f92d6ffa8acd049b72071377d7e0c4c8fcba5eb845f9751c944dbc87e9a597020665859edd40c1

data/CHANGELOG.md

@@ -1,5 +1,20 @@
 # Changelog
 
+## [v3.2.0](https://github.com/jwt/ruby-jwt/tree/v3.2.0) (2026-05-13)
+
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v3.1.2...v3.2.0)
+
+**Features:**
+
+- Add `enforce_hmac_key_length` configuration option [#716](https://github.com/jwt/ruby-jwt/pull/716) - ([@304](https://github.com/304))
+
+**Fixes and enhancements:**
+
+- Reject `nil` and empty HMAC keys when signing and verifying ([CVE-2026-45363](https://www.cve.org/CVERecord?id=CVE-2026-45363) / [GHSA-c32j-vqhx-rx3x](https://github.com/jwt/ruby-jwt/security/advisories/GHSA-c32j-vqhx-rx3x))
+- Fix compatibility with the openssl 4.0 gem [#706](https://github.com/jwt/ruby-jwt/pull/706)
+- Test against Ruby 4.0 on CI [#707](https://github.com/jwt/ruby-jwt/pull/707)
+- Fix type error when header is not a JSON object [#715](https://github.com/jwt/ruby-jwt/pull/715) - ([@304](https://github.com/304))
+
 ## [v3.1.2](https://github.com/jwt/ruby-jwt/tree/v3.1.2) (2025-06-28)
 
 [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v3.1.1...v3.1.2)
@@ -74,7 +89,7 @@ Take a look at the [upgrade guide](UPGRADING.md) for more details.
 - JWT::Token and JWT::EncodedToken for signing and verifying tokens [#621](https://github.com/jwt/ruby-jwt/pull/621) ([@anakinj](https://github.com/anakinj))
 - Detached payload support for JWT::Token and JWT::EncodedToken [#630](https://github.com/jwt/ruby-jwt/pull/630) ([@anakinj](https://github.com/anakinj))
 - Skip decoding payload if b64 header is present and false [#631](https://github.com/jwt/ruby-jwt/pull/631) ([@anakinj](https://github.com/anakinj))
-- Remove a few custom Rubocop configs [#638](https://github.com/jwt/ruby-jwt/pull/638) ([@anakinj](https://github.com/anakinj))
+- Remove a few custom RuboCop configs [#638](https://github.com/jwt/ruby-jwt/pull/638) ([@anakinj](https://github.com/anakinj))
 
 **Fixes and enhancements:**
 
@@ -352,7 +367,7 @@ Take a look at the [upgrade guide](UPGRADING.md) for more details.
 **Implemented enhancements:**
 
 - JWK does not decode. [\#332](https://github.com/jwt/ruby-jwt/issues/332)
-- Inconsistent use of symbol and string keys in args \(exp and alrogithm\). [\#331](https://github.com/jwt/ruby-jwt/issues/331)
+- Inconsistent use of symbol and string keys in args \(exp and algorithm\). [\#331](https://github.com/jwt/ruby-jwt/issues/331)
 - Pin simplecov to \< 0.18 [\#356](https://github.com/jwt/ruby-jwt/pull/356) ([anakinj](https://github.com/anakinj))
 - verifies algorithm before evaluating keyfinder [\#346](https://github.com/jwt/ruby-jwt/pull/346) ([jb08](https://github.com/jb08))
 - Update Rails 6 appraisal to use actual release version [\#336](https://github.com/jwt/ruby-jwt/pull/336) ([smudge](https://github.com/smudge))
@@ -467,7 +482,7 @@ Take a look at the [upgrade guide](UPGRADING.md) for more details.
 - 'DecodeError'will replace 'ExpiredSignature' [\#260](https://github.com/jwt/ruby-jwt/issues/260)
 - TypeError: no implicit conversion of OpenSSL::PKey::RSA into String [\#259](https://github.com/jwt/ruby-jwt/issues/259)
 - NameError: uninitialized constant JWT::Algos::Eddsa::RbNaCl [\#258](https://github.com/jwt/ruby-jwt/issues/258)
-- Get new token if curren token expired [\#256](https://github.com/jwt/ruby-jwt/issues/256)
+- Get new token if current token expired [\#256](https://github.com/jwt/ruby-jwt/issues/256)
 - Infer algorithm from header [\#254](https://github.com/jwt/ruby-jwt/issues/254)
 - Why is the result of decode is an array? [\#252](https://github.com/jwt/ruby-jwt/issues/252)
 - Add support for headless token [\#251](https://github.com/jwt/ruby-jwt/issues/251)
@@ -686,8 +701,8 @@ Take a look at the [upgrade guide](UPGRADING.md) for more details.
 **Implemented enhancements:**
 
 - Refactor obsolete code for ruby 1.8 support [\#120](https://github.com/jwt/ruby-jwt/issues/120)
-- Fix "Rubocop/Metrics/CyclomaticComplexity" issue in lib/jwt.rb [\#106](https://github.com/jwt/ruby-jwt/issues/106)
-- Fix "Rubocop/Metrics/CyclomaticComplexity" issue in lib/jwt.rb [\#105](https://github.com/jwt/ruby-jwt/issues/105)
+- Fix "RuboCop/Metrics/CyclomaticComplexity" issue in lib/jwt.rb [\#106](https://github.com/jwt/ruby-jwt/issues/106)
+- Fix "RuboCop/Metrics/CyclomaticComplexity" issue in lib/jwt.rb [\#105](https://github.com/jwt/ruby-jwt/issues/105)
 - Allow a proc to be passed for JTI verification [\#126](https://github.com/jwt/ruby-jwt/pull/126) ([yahooguntu](https://github.com/yahooguntu))
 - Relax restrictions on "jti" claim verification [\#113](https://github.com/jwt/ruby-jwt/pull/113) ([lwe](https://github.com/lwe))
 
@@ -833,13 +848,13 @@ Take a look at the [upgrade guide](UPGRADING.md) for more details.
 - Signature Verification to Return Verification Error rather than decode error [\#57](https://github.com/jwt/ruby-jwt/issues/57)
 - Incorrect readme for leeway [\#55](https://github.com/jwt/ruby-jwt/issues/55)
 - What is the reason behind stripping the = in base64 encoding? [\#54](https://github.com/jwt/ruby-jwt/issues/54)
-- Preperations for version 2.x [\#50](https://github.com/jwt/ruby-jwt/issues/50)
+- Preparations for version 2.x [\#50](https://github.com/jwt/ruby-jwt/issues/50)
 - Release a new version [\#47](https://github.com/jwt/ruby-jwt/issues/47)
 - Catch up for ActiveWhatever 4.1.1 series [\#40](https://github.com/jwt/ruby-jwt/issues/40)
 
 **Merged pull requests:**
 
-- raise verification error for signiture verification [\#58](https://github.com/jwt/ruby-jwt/pull/58) ([punkle](https://github.com/punkle))
+- raise verification error for signature verification [\#58](https://github.com/jwt/ruby-jwt/pull/58) ([punkle](https://github.com/punkle))
 - Added support for not before claim verification [\#56](https://github.com/jwt/ruby-jwt/pull/56) ([punkle](https://github.com/punkle))
 
 ## [jwt-1.2.1](https://github.com/jwt/ruby-jwt/tree/jwt-1.2.1) (2015-01-22)

data/CONTRIBUTING.md

@@ -2,7 +2,7 @@
 
 ## Forking the project
 
-Fork the project on GitHub and clone your own fork. Instuctions on forking can be found from the [GitHub Docs](https://docs.github.com/en/get-started/quickstart/fork-a-repo)
+Fork the project on GitHub and clone your own fork. Instructions on forking can be found from the [GitHub Docs](https://docs.github.com/en/get-started/quickstart/fork-a-repo)
 
 ```bash
 git clone git@github.com:you/ruby-jwt.git
@@ -28,7 +28,7 @@ Before you start with your implementation make sure you are able to get a succes
 
 The tests are written with rspec and [Appraisal](https://github.com/thoughtbot/appraisal) is used to ensure compatibility with 3rd party dependencies providing cryptographic features.
 
-[Rubocop](https://github.com/rubocop/rubocop) is used to enforce the Ruby style.
+[RuboCop](https://github.com/rubocop/rubocop) is used to enforce the Ruby style.
 
 To run the complete set of tests and linter run the following
 

data/lib/jwt/configuration/decode_configuration.rb

@@ -24,6 +24,8 @@ module JWT
       #   @return [Array<String>] the list of acceptable algorithms.
       # @!attribute [rw] required_claims
       #   @return [Array<String>] the list of required claims.
+      # @!attribute [rw] enforce_hmac_key_length
+      #   @return [Boolean] whether to enforce minimum HMAC key lengths. false disables validation (default).
 
       attr_accessor :verify_expiration,
                     :verify_not_before,
@@ -34,7 +36,8 @@ module JWT
                     :verify_sub,
                     :leeway,
                     :algorithms,
-                    :required_claims
+                    :required_claims,
+                    :enforce_hmac_key_length
 
       # Initializes a new DecodeConfiguration instance with default settings.
       def initialize
@@ -48,6 +51,7 @@ module JWT
         @leeway = 0
         @algorithms = ['HS256']
         @required_claims = []
+        @enforce_hmac_key_length = false
       end
 
       # @api private
@@ -62,7 +66,8 @@ module JWT
           verify_sub: verify_sub,
           leeway: leeway,
           algorithms: algorithms,
-          required_claims: required_claims
+          required_claims: required_claims,
+          enforce_hmac_key_length: enforce_hmac_key_length
         }
       end
     end

data/lib/jwt/decode.rb

@@ -58,7 +58,7 @@ module JWT
 
     def verify_algo
       raise JWT::IncorrectAlgorithm, 'An algorithm must be specified' if allowed_algorithms.empty?
-      raise JWT::DecodeError, 'Token header not a JSON object' unless token.header.is_a?(Hash)
+      raise JWT::DecodeError, 'Token header not a JSON object' unless valid_token_header?
       raise JWT::IncorrectAlgorithm, 'Token is missing alg header' unless alg_in_header
       raise JWT::IncorrectAlgorithm, 'Expected a different algorithm' if allowed_and_valid_algorithms.empty?
     end
@@ -113,9 +113,15 @@ module JWT
     end
 
     def none_algorithm?
+      return false unless valid_token_header?
+
       alg_in_header == 'none'
     end
 
+    def valid_token_header?
+      token.header.is_a?(Hash)
+    end
+
     def alg_in_header
       token.header['alg']
     end

data/lib/jwt/encoded_token/claims_context.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require 'forwardable'
+
+module JWT
+  # @private
+  class EncodedToken
+    # Allow access to the unverified payload for claim verification.
+    class ClaimsContext
+      extend Forwardable
+
+      def_delegators :@token, :header, :unverified_payload
+
+      def initialize(token)
+        @token = token
+      end
+
+      def payload
+        unverified_payload
+      end
+    end
+  end
+end

data/lib/jwt/encoded_token.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require_relative 'encoded_token/claims_context'
+
 module JWT
   # Represents an encoded JWT token
   #
@@ -12,22 +14,6 @@ module JWT
   #   encoded_token.verify_signature!(algorithm: 'HS256', key: 'secret')
   #   encoded_token.payload # => {'pay' => 'load'}
   class EncodedToken
-    # @private
-    # Allow access to the unverified payload for claim verification.
-    class ClaimsContext
-      extend Forwardable
-
-      def_delegators :@token, :header, :unverified_payload
-
-      def initialize(token)
-        @token = token
-      end
-
-      def payload
-        unverified_payload
-      end
-    end
-
     DEFAULT_CLAIMS = [:exp].freeze
 
     private_constant(:DEFAULT_CLAIMS)

data/lib/jwt/jwa/hmac.rb

@@ -6,24 +6,32 @@ module JWT
     class Hmac
       include JWT::JWA::SigningAlgorithm
 
+      # Minimum key lengths for HMAC algorithms based on RFC 7518 Section 3.2.
+      # Keys must be at least the size of the hash output to ensure sufficient
+      # entropy for the algorithm's security level.
+      MIN_KEY_LENGTHS = {
+        'HS256' => 32,
+        'HS384' => 48,
+        'HS512' => 64
+      }.freeze
+
       def initialize(alg, digest)
         @alg = alg
         @digest = digest
       end
 
       def sign(data:, signing_key:)
-        signing_key ||= ''
-        raise_verify_error!('HMAC key expected to be a String') unless signing_key.is_a?(String)
+        ensure_valid_key!(signing_key)
+        validate_key_length!(signing_key)
 
         OpenSSL::HMAC.digest(digest.new, signing_key, data)
-      rescue OpenSSL::HMACError => e
-        raise_verify_error!('OpenSSL 3.0 does not support nil or empty hmac_secret') if signing_key == '' && e.message == 'EVP_PKEY_new_mac_key: malloc failure'
-
-        raise e
       end
 
       def verify(data:, signature:, verification_key:)
-        SecurityUtils.secure_compare(signature, sign(data: data, signing_key: verification_key))
+        ensure_valid_key!(verification_key)
+        validate_key_length!(verification_key)
+
+        SecurityUtils.secure_compare(signature, OpenSSL::HMAC.digest(digest.new, verification_key, data))
       end
 
       register_algorithm(new('HS256', OpenSSL::Digest::SHA256))
@@ -34,6 +42,20 @@ module JWT
 
       attr_reader :digest
 
+      def ensure_valid_key!(key)
+        raise_verify_error!('HMAC key expected to be a String') unless key.is_a?(String)
+        raise_verify_error!('HMAC key cannot be empty') if key.empty?
+      end
+
+      def validate_key_length!(key)
+        return unless JWT.configuration.decode.enforce_hmac_key_length
+
+        min_length = MIN_KEY_LENGTHS[alg]
+        return if key.bytesize >= min_length
+
+        raise_verify_error!("HMAC key must be at least #{min_length} bytes for #{alg} algorithm")
+      end
+
       # Copy of https://github.com/rails/rails/blob/v7.0.3.1/activesupport/lib/active_support/security_utils.rb
       # rubocop:disable Naming/MethodParameterName, Style/StringLiterals, Style/NumericPredicate
       module SecurityUtils

data/lib/jwt/jwa/signer_context.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module JWT
+  module JWA
+    # @api private
+    class SignerContext
+      attr_reader :jwa
+
+      def initialize(jwa:, key:)
+        @jwa = jwa
+        @key = key
+      end
+
+      def sign(*args, **kwargs)
+        @jwa.sign(*args, **kwargs, signing_key: @key)
+      end
+    end
+  end
+end

data/lib/jwt/jwa/verifier_context.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module JWT
+  module JWA
+    # @api private
+    class VerifierContext
+      attr_reader :jwa
+
+      def initialize(jwa:, keys:)
+        @jwa = jwa
+        @keys = Array(keys)
+      end
+
+      def verify(*args, **kwargs)
+        @keys.any? do |key|
+          @jwa.verify(*args, **kwargs, verification_key: key)
+        end
+      end
+    end
+  end
+end

data/lib/jwt/jwa.rb

@@ -9,40 +9,12 @@ require_relative 'jwa/none'
 require_relative 'jwa/ps'
 require_relative 'jwa/rsa'
 require_relative 'jwa/unsupported'
+require_relative 'jwa/verifier_context'
+require_relative 'jwa/signer_context'
 
 module JWT
   # The JWA module contains all supported algorithms.
   module JWA
-    # @api private
-    class VerifierContext
-      attr_reader :jwa
-
-      def initialize(jwa:, keys:)
-        @jwa = jwa
-        @keys = Array(keys)
-      end
-
-      def verify(*args, **kwargs)
-        @keys.any? do |key|
-          @jwa.verify(*args, **kwargs, verification_key: key)
-        end
-      end
-    end
-
-    # @api private
-    class SignerContext
-      attr_reader :jwa
-
-      def initialize(jwa:, key:)
-        @jwa = jwa
-        @key = key
-      end
-
-      def sign(*args, **kwargs)
-        @jwa.sign(*args, **kwargs, signing_key: @key)
-      end
-    end
-
     class << self
       # @api private
       def resolve(algorithm)

data/lib/jwt/jwk/rsa.rb

@@ -195,7 +195,7 @@ module JWT
 
         if ::JWT.openssl_3?
           alias create_rsa_key create_rsa_key_using_der
-        elsif OpenSSL::PKey::RSA.new.respond_to?(:set_key)
+        elsif OpenSSL::PKey::RSA.method_defined?(:set_key)
           alias create_rsa_key create_rsa_key_using_sets
         else
           alias create_rsa_key create_rsa_key_using_accessors

data/lib/jwt/version.rb

@@ -15,8 +15,8 @@ module JWT
   # Version constants
   module VERSION
     MAJOR = 3
-    MINOR = 1
-    TINY  = 2
+    MINOR = 2
+    TINY  = 0
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
@@ -32,14 +32,6 @@ module JWT
     true if 3 * 0x10000000 <= OpenSSL::OPENSSL_VERSION_NUMBER
   end
 
-  # Checks if there is an OpenSSL 3 HMAC empty key regression.
-  #
-  # @return [Boolean] true if there is an OpenSSL 3 HMAC empty key regression, false otherwise.
-  # @api private
-  def self.openssl_3_hmac_empty_key_regression?
-    openssl_3? && openssl_version <= ::Gem::Version.new('3.0.0')
-  end
-
   # Returns the OpenSSL version.
   #
   # @return [Gem::Version] the OpenSSL version.

data/lib/jwt/x5c_key_finder.rb

@@ -40,7 +40,7 @@ module JWT
     end
 
     def parse_certificates(x5c_header_or_certificates)
-      if x5c_header_or_certificates.all? { |obj| obj.is_a?(OpenSSL::X509::Certificate) }
+      if x5c_header_or_certificates.all?(OpenSSL::X509::Certificate)
         x5c_header_or_certificates
       else
         x5c_header_or_certificates.map do |encoded|

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 3.1.2
+  version: 3.2.0
 platform: ruby
 authors:
 - Tim Rudat
@@ -171,6 +171,7 @@ files:
 - lib/jwt/decode.rb
 - lib/jwt/encode.rb
 - lib/jwt/encoded_token.rb
+- lib/jwt/encoded_token/claims_context.rb
 - lib/jwt/error.rb
 - lib/jwt/json.rb
 - lib/jwt/jwa.rb
@@ -179,8 +180,10 @@ files:
 - lib/jwt/jwa/none.rb
 - lib/jwt/jwa/ps.rb
 - lib/jwt/jwa/rsa.rb
+- lib/jwt/jwa/signer_context.rb
 - lib/jwt/jwa/signing_algorithm.rb
 - lib/jwt/jwa/unsupported.rb
+- lib/jwt/jwa/verifier_context.rb
 - lib/jwt/jwk.rb
 - lib/jwt/jwk/ec.rb
 - lib/jwt/jwk/hmac.rb
@@ -199,7 +202,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
-  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v3.1.2/CHANGELOG.md
+  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v3.2.0/CHANGELOG.md
   rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths:
@@ -215,7 +218,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.7
+rubygems_version: 4.0.10
 specification_version: 4
 summary: JSON Web Token implementation in Ruby
 test_files: []