jwt 2.6.0 → 2.7.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +15 -1
- data/README.md +7 -4
- data/lib/jwt/decode.rb +5 -5
- data/lib/jwt/jwk/ec.rb +24 -11
- data/lib/jwt/jwk/hmac.rb +13 -3
- data/lib/jwt/jwk/key_finder.rb +8 -4
- data/lib/jwt/jwk/okp_rbnacl.rb +110 -0
- data/lib/jwt/jwk/rsa.rb +20 -8
- data/lib/jwt/jwk.rb +1 -0
- data/lib/jwt/version.rb +1 -1
- metadata +4 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f2ff80d9f32962a3c98d469c1b1078c84631291153f89481cccd9fc8d311e925
|
|
4
|
+
data.tar.gz: af54f20921b46237194671b957f9d0e2d04ec5ac501f8afa767f0d9d97e3acc6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7bc55b74e5565674e38b6f706ca2e9d70cc25ee679f80dd6dad160d1f5e8070749d919f65e487acfd7131a22246be66b2d82e517deb9c38df7bed86aaf7b61e8
|
|
7
|
+
data.tar.gz: ed53859b1ac5423666d2351b7411014d74b6343fa0255bd5ed0b7ef5b58f8b073a6cc7905959866993ca4bbd7540b5e0a1fc3a08ce70f18fe82c9126f8cbc9b1
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,19 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## [v2.7.0](https://github.com/jwt/ruby-jwt/tree/v2.7.0) (2023-02-01)
|
|
4
|
+
|
|
5
|
+
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.6.0...v2.7.0)
|
|
6
|
+
|
|
7
|
+
**Features:**
|
|
8
|
+
|
|
9
|
+
- Support OKP (Ed25519) keys for JWKs [#540](https://github.com/jwt/ruby-jwt/pull/540) ([@anakinj](https://github.com/anakinj))
|
|
10
|
+
- JWK Sets can now be used for tokens with nil kid [#543](https://github.com/jwt/ruby-jwt/pull/543) ([@bellebaum](https://github.com/bellebaum))
|
|
11
|
+
|
|
12
|
+
**Fixes and enhancements:**
|
|
13
|
+
|
|
14
|
+
- Fix issue with multiple keys returned by keyfinder and multiple allowed algorithms [#545](https://github.com/jwt/ruby-jwt/pull/545) ([@mpospelov](https://github.com/mpospelov))
|
|
15
|
+
- Non-string `kid` header values are now rejected [#543](https://github.com/jwt/ruby-jwt/pull/543) ([@bellebaum](https://github.com/bellebaum))
|
|
16
|
+
|
|
3
17
|
## [v2.6.0](https://github.com/jwt/ruby-jwt/tree/v2.6.0) (2022-12-22)
|
|
4
18
|
|
|
5
19
|
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.5.0...v2.6.0)
|
|
@@ -13,7 +27,7 @@
|
|
|
13
27
|
|
|
14
28
|
**Fixes and enhancements:**
|
|
15
29
|
|
|
16
|
-
- Raise descriptive error on empty hmac_secret and OpenSSL 3.0/openssl gem <3.0.1[#530](https://github.com/jwt/ruby-jwt/pull/530) ([@jonmchan](https://github.com/jonmchan)).
|
|
30
|
+
- Raise descriptive error on empty hmac_secret and OpenSSL 3.0/openssl gem <3.0.1 [#530](https://github.com/jwt/ruby-jwt/pull/530) ([@jonmchan](https://github.com/jonmchan)).
|
|
17
31
|
|
|
18
32
|
## [v2.5.0](https://github.com/jwt/ruby-jwt/tree/v2.5.0) (2022-08-25)
|
|
19
33
|
|
data/README.md
CHANGED
|
@@ -569,7 +569,7 @@ end
|
|
|
569
569
|
|
|
570
570
|
### JSON Web Key (JWK)
|
|
571
571
|
|
|
572
|
-
JWK is a JSON structure representing a cryptographic key. This gem currently supports RSA, EC and HMAC keys.
|
|
572
|
+
JWK is a JSON structure representing a cryptographic key. This gem currently supports RSA, EC, OKP and HMAC keys. OKP support requires [RbNaCl](https://github.com/RubyCrypto/rbnacl) and currently only supports the Ed25519 curve.
|
|
573
573
|
|
|
574
574
|
To encode a JWT using your JWK:
|
|
575
575
|
|
|
@@ -579,7 +579,7 @@ jwk = JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), optional_parameters)
|
|
|
579
579
|
|
|
580
580
|
# Encoding
|
|
581
581
|
payload = { data: 'data' }
|
|
582
|
-
token = JWT.encode(payload, jwk.
|
|
582
|
+
token = JWT.encode(payload, jwk.signing_key, jwk[:alg], kid: jwk[:kid])
|
|
583
583
|
|
|
584
584
|
# JSON Web Key Set for advertising your signing keys
|
|
585
585
|
jwks_hash = JWT::JWK::Set.new(jwk).export
|
|
@@ -601,6 +601,9 @@ This can be used to implement caching of remotely fetched JWK Sets.
|
|
|
601
601
|
If the requested `kid` is not found from the given set the loader will be called a second time with the `kid_not_found` option set to `true`.
|
|
602
602
|
The application can choose to implement some kind of JWK cache invalidation or other mechanism to handle such cases.
|
|
603
603
|
|
|
604
|
+
Tokens without a specified `kid` are rejected by default.
|
|
605
|
+
This behaviour may be overwritten by setting the `allow_nil_jwks` option for `decode` to `true`.
|
|
606
|
+
|
|
604
607
|
```ruby
|
|
605
608
|
jwks_loader = ->(options) do
|
|
606
609
|
# The jwk loader would fetch the set of JWKs from a trusted source.
|
|
@@ -650,8 +653,8 @@ jwk_hash = jwk.export
|
|
|
650
653
|
jwk_hash_with_private_key = jwk.export(include_private: true)
|
|
651
654
|
|
|
652
655
|
# Export as OpenSSL key
|
|
653
|
-
public_key = jwk.
|
|
654
|
-
private_key = jwk.
|
|
656
|
+
public_key = jwk.verify_key
|
|
657
|
+
private_key = jwk.signing_key if jwk.private?
|
|
655
658
|
|
|
656
659
|
# You can also import and export entire JSON Web Key Sets
|
|
657
660
|
jwks_hash = { keys: [{ kty: 'oct', k: 'my-secret', kid: 'my-kid' }] }
|
data/lib/jwt/decode.rb
CHANGED
|
@@ -52,25 +52,25 @@ module JWT
|
|
|
52
52
|
def verify_algo
|
|
53
53
|
raise(JWT::IncorrectAlgorithm, 'An algorithm must be specified') if allowed_algorithms.empty?
|
|
54
54
|
raise(JWT::IncorrectAlgorithm, 'Token is missing alg header') unless alg_in_header
|
|
55
|
-
raise(JWT::IncorrectAlgorithm, 'Expected a different algorithm')
|
|
55
|
+
raise(JWT::IncorrectAlgorithm, 'Expected a different algorithm') if allowed_and_valid_algorithms.empty?
|
|
56
56
|
end
|
|
57
57
|
|
|
58
58
|
def set_key
|
|
59
59
|
@key = find_key(&@keyfinder) if @keyfinder
|
|
60
|
-
@key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks]).key_for(header['kid']) if @options[:jwks]
|
|
60
|
+
@key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks], allow_nil_kid: @options[:allow_nil_kid]).key_for(header['kid']) if @options[:jwks]
|
|
61
61
|
if (x5c_options = @options[:x5c])
|
|
62
62
|
@key = X5cKeyFinder.new(x5c_options[:root_certificates], x5c_options[:crls]).from(header['x5c'])
|
|
63
63
|
end
|
|
64
64
|
end
|
|
65
65
|
|
|
66
66
|
def verify_signature_for?(key)
|
|
67
|
-
|
|
67
|
+
allowed_and_valid_algorithms.any? do |alg|
|
|
68
68
|
alg.verify(data: signing_input, signature: @signature, verification_key: key)
|
|
69
69
|
end
|
|
70
70
|
end
|
|
71
71
|
|
|
72
|
-
def
|
|
73
|
-
allowed_algorithms.
|
|
72
|
+
def allowed_and_valid_algorithms
|
|
73
|
+
@allowed_and_valid_algorithms ||= allowed_algorithms.select { |alg| alg.valid_alg?(alg_in_header) }
|
|
74
74
|
end
|
|
75
75
|
|
|
76
76
|
# Order is very important - first check for string keys, next for symbols
|
data/lib/jwt/jwk/ec.rb
CHANGED
|
@@ -5,9 +5,6 @@ require 'forwardable'
|
|
|
5
5
|
module JWT
|
|
6
6
|
module JWK
|
|
7
7
|
class EC < KeyBase # rubocop:disable Metrics/ClassLength
|
|
8
|
-
extend Forwardable
|
|
9
|
-
def_delegators :keypair, :public_key
|
|
10
|
-
|
|
11
8
|
KTY = 'EC'
|
|
12
9
|
KTYS = [KTY, OpenSSL::PKey::EC, JWT::JWK::EC].freeze
|
|
13
10
|
BINARY = 2
|
|
@@ -24,17 +21,29 @@ module JWT
|
|
|
24
21
|
key_params = extract_key_params(key)
|
|
25
22
|
|
|
26
23
|
params = params.transform_keys(&:to_sym)
|
|
27
|
-
|
|
24
|
+
check_jwk_params!(key_params, params)
|
|
28
25
|
|
|
29
26
|
super(options, key_params.merge(params))
|
|
30
27
|
end
|
|
31
28
|
|
|
32
29
|
def keypair
|
|
33
|
-
|
|
30
|
+
ec_key
|
|
34
31
|
end
|
|
35
32
|
|
|
36
33
|
def private?
|
|
37
|
-
|
|
34
|
+
ec_key.private_key?
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
def signing_key
|
|
38
|
+
ec_key
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
def verify_key
|
|
42
|
+
ec_key
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
def public_key
|
|
46
|
+
ec_key
|
|
38
47
|
end
|
|
39
48
|
|
|
40
49
|
def members
|
|
@@ -48,7 +57,7 @@ module JWT
|
|
|
48
57
|
end
|
|
49
58
|
|
|
50
59
|
def key_digest
|
|
51
|
-
_crv, x_octets, y_octets = keypair_components(
|
|
60
|
+
_crv, x_octets, y_octets = keypair_components(ec_key)
|
|
52
61
|
sequence = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(x_octets, BINARY)),
|
|
53
62
|
OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(y_octets, BINARY))])
|
|
54
63
|
OpenSSL::Digest::SHA256.hexdigest(sequence.to_der)
|
|
@@ -64,12 +73,16 @@ module JWT
|
|
|
64
73
|
|
|
65
74
|
private
|
|
66
75
|
|
|
76
|
+
def ec_key
|
|
77
|
+
@ec_key ||= create_ec_key(self[:crv], self[:x], self[:y], self[:d])
|
|
78
|
+
end
|
|
79
|
+
|
|
67
80
|
def extract_key_params(key)
|
|
68
81
|
case key
|
|
69
82
|
when JWT::JWK::EC
|
|
70
83
|
key.export(include_private: true)
|
|
71
84
|
when OpenSSL::PKey::EC # Accept OpenSSL key as input
|
|
72
|
-
@
|
|
85
|
+
@ec_key = key # Preserve the object to avoid recreation
|
|
73
86
|
parse_ec_key(key)
|
|
74
87
|
when Hash
|
|
75
88
|
key.transform_keys(&:to_sym)
|
|
@@ -78,10 +91,10 @@ module JWT
|
|
|
78
91
|
end
|
|
79
92
|
end
|
|
80
93
|
|
|
81
|
-
def
|
|
94
|
+
def check_jwk_params!(key_params, params)
|
|
82
95
|
raise ArgumentError, 'cannot overwrite cryptographic key attributes' unless (EC_KEY_ELEMENTS & params.keys).empty?
|
|
83
|
-
raise JWT::JWKError, "Incorrect 'kty' value: #{
|
|
84
|
-
raise JWT::JWKError, 'Key format is invalid for EC' unless
|
|
96
|
+
raise JWT::JWKError, "Incorrect 'kty' value: #{key_params[:kty]}, expected #{KTY}" unless key_params[:kty] == KTY
|
|
97
|
+
raise JWT::JWKError, 'Key format is invalid for EC' unless key_params[:crv] && key_params[:x] && key_params[:y]
|
|
85
98
|
end
|
|
86
99
|
|
|
87
100
|
def keypair_components(ec_keypair)
|
data/lib/jwt/jwk/hmac.rb
CHANGED
|
@@ -24,7 +24,7 @@ module JWT
|
|
|
24
24
|
end
|
|
25
25
|
|
|
26
26
|
def keypair
|
|
27
|
-
|
|
27
|
+
secret
|
|
28
28
|
end
|
|
29
29
|
|
|
30
30
|
def private?
|
|
@@ -35,6 +35,14 @@ module JWT
|
|
|
35
35
|
nil
|
|
36
36
|
end
|
|
37
37
|
|
|
38
|
+
def verify_key
|
|
39
|
+
secret
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
def signing_key
|
|
43
|
+
secret
|
|
44
|
+
end
|
|
45
|
+
|
|
38
46
|
# See https://tools.ietf.org/html/rfc7517#appendix-A.3
|
|
39
47
|
def export(options = {})
|
|
40
48
|
exported = parameters.clone
|
|
@@ -46,8 +54,6 @@ module JWT
|
|
|
46
54
|
HMAC_KEY_ELEMENTS.each_with_object({}) { |i, h| h[i] = self[i] }
|
|
47
55
|
end
|
|
48
56
|
|
|
49
|
-
alias signing_key keypair # for backwards compatibility
|
|
50
|
-
|
|
51
57
|
def key_digest
|
|
52
58
|
sequence = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::UTF8String.new(signing_key),
|
|
53
59
|
OpenSSL::ASN1::UTF8String.new(KTY)])
|
|
@@ -64,6 +70,10 @@ module JWT
|
|
|
64
70
|
|
|
65
71
|
private
|
|
66
72
|
|
|
73
|
+
def secret
|
|
74
|
+
self[:k]
|
|
75
|
+
end
|
|
76
|
+
|
|
67
77
|
def extract_key_params(key)
|
|
68
78
|
case key
|
|
69
79
|
when JWT::JWK::HMAC
|
data/lib/jwt/jwk/key_finder.rb
CHANGED
|
@@ -4,6 +4,7 @@ module JWT
|
|
|
4
4
|
module JWK
|
|
5
5
|
class KeyFinder
|
|
6
6
|
def initialize(options)
|
|
7
|
+
@allow_nil_kid = options[:allow_nil_kid]
|
|
7
8
|
jwks_or_loader = options[:jwks]
|
|
8
9
|
|
|
9
10
|
@jwks_loader = if jwks_or_loader.respond_to?(:call)
|
|
@@ -14,28 +15,31 @@ module JWT
|
|
|
14
15
|
end
|
|
15
16
|
|
|
16
17
|
def key_for(kid)
|
|
17
|
-
raise ::JWT::DecodeError, 'No key id (kid) found from token headers' unless kid
|
|
18
|
+
raise ::JWT::DecodeError, 'No key id (kid) found from token headers' unless kid || @allow_nil_kid
|
|
19
|
+
raise ::JWT::DecodeError, 'Invalid type for kid header parameter' unless kid.nil? || kid.is_a?(String)
|
|
18
20
|
|
|
19
21
|
jwk = resolve_key(kid)
|
|
20
22
|
|
|
21
23
|
raise ::JWT::DecodeError, 'No keys found in jwks' unless @jwks.any?
|
|
22
24
|
raise ::JWT::DecodeError, "Could not find public key for kid #{kid}" unless jwk
|
|
23
25
|
|
|
24
|
-
jwk.
|
|
26
|
+
jwk.verify_key
|
|
25
27
|
end
|
|
26
28
|
|
|
27
29
|
private
|
|
28
30
|
|
|
29
31
|
def resolve_key(kid)
|
|
32
|
+
key_matcher = ->(key) { (kid.nil? && @allow_nil_kid) || key[:kid] == kid }
|
|
33
|
+
|
|
30
34
|
# First try without invalidation to facilitate application caching
|
|
31
35
|
@jwks ||= JWT::JWK::Set.new(@jwks_loader.call(kid: kid))
|
|
32
|
-
jwk = @jwks.find { |key| key
|
|
36
|
+
jwk = @jwks.find { |key| key_matcher.call(key) }
|
|
33
37
|
|
|
34
38
|
return jwk if jwk
|
|
35
39
|
|
|
36
40
|
# Second try, invalidate for backwards compatibility
|
|
37
41
|
@jwks = JWT::JWK::Set.new(@jwks_loader.call(invalidate: true, kid_not_found: true, kid: kid))
|
|
38
|
-
@jwks.find { |key| key
|
|
42
|
+
@jwks.find { |key| key_matcher.call(key) }
|
|
39
43
|
end
|
|
40
44
|
end
|
|
41
45
|
end
|
|
@@ -0,0 +1,110 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module JWT
|
|
4
|
+
module JWK
|
|
5
|
+
class OKPRbNaCl < KeyBase
|
|
6
|
+
KTY = 'OKP'
|
|
7
|
+
KTYS = [KTY, JWT::JWK::OKPRbNaCl, RbNaCl::Signatures::Ed25519::SigningKey, RbNaCl::Signatures::Ed25519::VerifyKey].freeze
|
|
8
|
+
OKP_PUBLIC_KEY_ELEMENTS = %i[kty n x].freeze
|
|
9
|
+
OKP_PRIVATE_KEY_ELEMENTS = %i[d].freeze
|
|
10
|
+
|
|
11
|
+
def initialize(key, params = nil, options = {})
|
|
12
|
+
params ||= {}
|
|
13
|
+
|
|
14
|
+
# For backwards compatibility when kid was a String
|
|
15
|
+
params = { kid: params } if params.is_a?(String)
|
|
16
|
+
|
|
17
|
+
key_params = extract_key_params(key)
|
|
18
|
+
|
|
19
|
+
params = params.transform_keys(&:to_sym)
|
|
20
|
+
check_jwk_params!(key_params, params)
|
|
21
|
+
super(options, key_params.merge(params))
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
def verify_key
|
|
25
|
+
return @verify_key if defined?(@verify_key)
|
|
26
|
+
|
|
27
|
+
@verify_key = verify_key_from_parameters
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
def signing_key
|
|
31
|
+
return @signing_key if defined?(@signing_key)
|
|
32
|
+
|
|
33
|
+
@signing_key = signing_key_from_parameters
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
def key_digest
|
|
37
|
+
Thumbprint.new(self).to_s
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
def private?
|
|
41
|
+
!signing_key.nil?
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
def members
|
|
45
|
+
OKP_PUBLIC_KEY_ELEMENTS.each_with_object({}) { |i, h| h[i] = self[i] }
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
def export(options = {})
|
|
49
|
+
exported = parameters.clone
|
|
50
|
+
exported.reject! { |k, _| OKP_PRIVATE_KEY_ELEMENTS.include?(k) } unless private? && options[:include_private] == true
|
|
51
|
+
exported
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
private
|
|
55
|
+
|
|
56
|
+
def extract_key_params(key)
|
|
57
|
+
case key
|
|
58
|
+
when JWT::JWK::KeyBase
|
|
59
|
+
key.export(include_private: true)
|
|
60
|
+
when RbNaCl::Signatures::Ed25519::SigningKey
|
|
61
|
+
@signing_key = key
|
|
62
|
+
@verify_key = key.verify_key
|
|
63
|
+
parse_okp_key_params(@verify_key, @signing_key)
|
|
64
|
+
when RbNaCl::Signatures::Ed25519::VerifyKey
|
|
65
|
+
@signing_key = nil
|
|
66
|
+
@verify_key = key
|
|
67
|
+
parse_okp_key_params(@verify_key)
|
|
68
|
+
when Hash
|
|
69
|
+
key.transform_keys(&:to_sym)
|
|
70
|
+
else
|
|
71
|
+
raise ArgumentError, 'key must be of type RbNaCl::Signatures::Ed25519::SigningKey, RbNaCl::Signatures::Ed25519::VerifyKey or Hash with key parameters'
|
|
72
|
+
end
|
|
73
|
+
end
|
|
74
|
+
|
|
75
|
+
def check_jwk_params!(key_params, _given_params)
|
|
76
|
+
raise JWT::JWKError, "Incorrect 'kty' value: #{key_params[:kty]}, expected #{KTY}" unless key_params[:kty] == KTY
|
|
77
|
+
end
|
|
78
|
+
|
|
79
|
+
def parse_okp_key_params(verify_key, signing_key = nil)
|
|
80
|
+
params = {
|
|
81
|
+
kty: KTY,
|
|
82
|
+
crv: 'Ed25519',
|
|
83
|
+
x: ::JWT::Base64.url_encode(verify_key.to_bytes)
|
|
84
|
+
}
|
|
85
|
+
|
|
86
|
+
if signing_key
|
|
87
|
+
params[:d] = ::JWT::Base64.url_encode(signing_key.to_bytes)
|
|
88
|
+
end
|
|
89
|
+
|
|
90
|
+
params
|
|
91
|
+
end
|
|
92
|
+
|
|
93
|
+
def verify_key_from_parameters
|
|
94
|
+
RbNaCl::Signatures::Ed25519::VerifyKey.new(::JWT::Base64.url_decode(self[:x]))
|
|
95
|
+
end
|
|
96
|
+
|
|
97
|
+
def signing_key_from_parameters
|
|
98
|
+
return nil unless self[:d]
|
|
99
|
+
|
|
100
|
+
RbNaCl::Signatures::Ed25519::SigningKey.new(::JWT::Base64.url_decode(self[:d]))
|
|
101
|
+
end
|
|
102
|
+
|
|
103
|
+
class << self
|
|
104
|
+
def import(jwk_data)
|
|
105
|
+
new(jwk_data)
|
|
106
|
+
end
|
|
107
|
+
end
|
|
108
|
+
end
|
|
109
|
+
end
|
|
110
|
+
end
|
data/lib/jwt/jwk/rsa.rb
CHANGED
|
@@ -22,21 +22,29 @@ module JWT
|
|
|
22
22
|
key_params = extract_key_params(key)
|
|
23
23
|
|
|
24
24
|
params = params.transform_keys(&:to_sym)
|
|
25
|
-
|
|
25
|
+
check_jwk_params!(key_params, params)
|
|
26
26
|
|
|
27
27
|
super(options, key_params.merge(params))
|
|
28
28
|
end
|
|
29
29
|
|
|
30
30
|
def keypair
|
|
31
|
-
|
|
31
|
+
rsa_key
|
|
32
32
|
end
|
|
33
33
|
|
|
34
34
|
def private?
|
|
35
|
-
|
|
35
|
+
rsa_key.private?
|
|
36
36
|
end
|
|
37
37
|
|
|
38
38
|
def public_key
|
|
39
|
-
|
|
39
|
+
rsa_key.public_key
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
def signing_key
|
|
43
|
+
rsa_key if private?
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
def verify_key
|
|
47
|
+
rsa_key.public_key
|
|
40
48
|
end
|
|
41
49
|
|
|
42
50
|
def export(options = {})
|
|
@@ -65,12 +73,16 @@ module JWT
|
|
|
65
73
|
|
|
66
74
|
private
|
|
67
75
|
|
|
76
|
+
def rsa_key
|
|
77
|
+
@rsa_key ||= self.class.create_rsa_key(jwk_attributes(*(RSA_KEY_ELEMENTS - [:kty])))
|
|
78
|
+
end
|
|
79
|
+
|
|
68
80
|
def extract_key_params(key)
|
|
69
81
|
case key
|
|
70
82
|
when JWT::JWK::RSA
|
|
71
83
|
key.export(include_private: true)
|
|
72
84
|
when OpenSSL::PKey::RSA # Accept OpenSSL key as input
|
|
73
|
-
@
|
|
85
|
+
@rsa_key = key # Preserve the object to avoid recreation
|
|
74
86
|
parse_rsa_key(key)
|
|
75
87
|
when Hash
|
|
76
88
|
key.transform_keys(&:to_sym)
|
|
@@ -79,10 +91,10 @@ module JWT
|
|
|
79
91
|
end
|
|
80
92
|
end
|
|
81
93
|
|
|
82
|
-
def
|
|
94
|
+
def check_jwk_params!(key_params, params)
|
|
83
95
|
raise ArgumentError, 'cannot overwrite cryptographic key attributes' unless (RSA_KEY_ELEMENTS & params.keys).empty?
|
|
84
|
-
raise JWT::JWKError, "Incorrect 'kty' value: #{
|
|
85
|
-
raise JWT::JWKError, 'Key format is invalid for RSA' unless
|
|
96
|
+
raise JWT::JWKError, "Incorrect 'kty' value: #{key_params[:kty]}, expected #{KTY}" unless key_params[:kty] == KTY
|
|
97
|
+
raise JWT::JWKError, 'Key format is invalid for RSA' unless key_params[:n] && key_params[:e]
|
|
86
98
|
end
|
|
87
99
|
|
|
88
100
|
def parse_rsa_key(key)
|
data/lib/jwt/jwk.rb
CHANGED
data/lib/jwt/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: jwt
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.
|
|
4
|
+
version: 2.7.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tim Rudat
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2023-02-01 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: appraisal
|
|
@@ -121,6 +121,7 @@ files:
|
|
|
121
121
|
- lib/jwt/jwk/key_base.rb
|
|
122
122
|
- lib/jwt/jwk/key_finder.rb
|
|
123
123
|
- lib/jwt/jwk/kid_as_key_digest.rb
|
|
124
|
+
- lib/jwt/jwk/okp_rbnacl.rb
|
|
124
125
|
- lib/jwt/jwk/rsa.rb
|
|
125
126
|
- lib/jwt/jwk/set.rb
|
|
126
127
|
- lib/jwt/jwk/thumbprint.rb
|
|
@@ -134,7 +135,7 @@ licenses:
|
|
|
134
135
|
- MIT
|
|
135
136
|
metadata:
|
|
136
137
|
bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
|
|
137
|
-
changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.
|
|
138
|
+
changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.7.0/CHANGELOG.md
|
|
138
139
|
rubygems_mfa_required: 'true'
|
|
139
140
|
post_install_message:
|
|
140
141
|
rdoc_options: []
|