jwt 2.7.1 → 2.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 11007e8ec36d148026cd5b6761681b0a71437b7b461efba4ae492622fc5ff27b
-  data.tar.gz: 8090bbba3dce57e42cc203ef168d3d00c624e79e076de0e949b4390b531b4d55
+  metadata.gz: 79758529bec5a1fad3183ee054a2e47e800f6611681f9f9052cbb92ea645b4ef
+  data.tar.gz: d9bffb9bb0e855a2da3cc04ec0d3ee82174555b2bc23cceec8901b4c50b9a42a
 SHA512:
-  metadata.gz: a035f44be760ad325105329cbaec12e90515afdade9649e798ee5c7cefced3271d4f3084afeef693c03c961541d9e5e45b2876734d1947dccdd24cc194acbca2
-  data.tar.gz: 61e3d071ce44809767f3501f12b452cae574f9ea0de668ca937731838d58e2a9fa85831829ce564f6a015177a86b2a05b1b6ddf60ba34ac515ea12c69ac618fe
+  metadata.gz: e9622f261b3a037cfc6dddfdd8f452a123c0c0443a3599565830cc000f7a20eec9f5ad673450bd485a47a8c666e6c9c95729c2d8cc123c984e5d0a255ed41dc4
+  data.tar.gz: d0ef0c055249ac588d0cb26bc4ead5b1b607ae738eda5c0775723ca62640a9df092c3e07774c9fcb6545b9946d730f0260d40c2fc9e272fb7ec0ec62aa6f2b80

data/CHANGELOG.md

@@ -1,13 +1,35 @@
 # Changelog
 
+## [v2.8.0](https://github.com/jwt/ruby-jwt/tree/v2.8.0) (2024-02-17)
+
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.7.1...v2.8.0)
+
+**Features:**
+
+- Updated rubocop to 1.56 [#573](https://github.com/jwt/ruby-jwt/pull/573) ([@anakinj](https://github.com/anakinj))
+- Run CI on Ruby 3.3 [#577](https://github.com/jwt/ruby-jwt/pull/577) ([@anakinj](https://github.com/anakinj))
+- Deprecation warning added for the HMAC algorithm HS512256 (HMAC-SHA-512 truncated to 256-bits) [#575](https://github.com/jwt/ruby-jwt/pull/575) ([@anakinj](https://github.com/anakinj))
+- Stop using RbNaCl for standard HMAC algorithms [#575](https://github.com/jwt/ruby-jwt/pull/575) ([@anakinj](https://github.com/anakinj))
+
+**Fixes and enhancements:**
+
+- Fix signature has expired error if payload is a string [#555](https://github.com/jwt/ruby-jwt/pull/555) ([@GobinathAL](https://github.com/GobinathAL))
+- Fix key base equality and spaceship operators [#569](https://github.com/jwt/ruby-jwt/pull/569) ([@magneland](https://github.com/magneland))
+- Remove explicit base64 require from x5c_key_finder [#580](https://github.com/jwt/ruby-jwt/pull/580) ([@anakinj](https://github.com/anakinj))
+- Performance improvements and cleanup of tests [#581](https://github.com/jwt/ruby-jwt/pull/581) ([@anakinj](https://github.com/anakinj))
+- Repair EC x/y coordinates when importing JWK [#585](https://github.com/jwt/ruby-jwt/pull/585) ([@julik](https://github.com/julik))
+- Explicit dependency to the base64 gem [#582](https://github.com/jwt/ruby-jwt/pull/582) ([@anakinj](https://github.com/anakinj))
+- Deprecation warning for decoding content not compliant with RFC 4648 [#582](https://github.com/jwt/ruby-jwt/pull/582) ([@anakinj](https://github.com/anakinj))
+- Algorithms moved under the `::JWT::JWA` module ([@anakinj](https://github.com/anakinj))
+
 ## [v2.7.1](https://github.com/jwt/ruby-jwt/tree/v2.8.0) (2023-06-09)
 
-[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.7.0...v2.8.0)
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.7.0...v2.7.1)
 
 **Fixes and enhancements:**
 
-- Handle invalid algorithm when decoding JWT [#559](https://github.com/jwt/ruby-jwt/pull/559) - [@nataliastanko](https://github.com/nataliastanko)
-- Do not raise error when verifying bad HMAC signature [#563](https://github.com/jwt/ruby-jwt/pull/563) - [@hieuk09](https://github.com/hieuk09)
+- Handle invalid algorithm when decoding JWT [#559](https://github.com/jwt/ruby-jwt/pull/559) ([@nataliastanko](https://github.com/nataliastanko))
+- Do not raise error when verifying bad HMAC signature [#563](https://github.com/jwt/ruby-jwt/pull/563) ([@hieuk09](https://github.com/hieuk09))
 
 ## [v2.7.0](https://github.com/jwt/ruby-jwt/tree/v2.7.0) (2023-02-01)
 
@@ -29,14 +51,14 @@
 
 **Features:**
 
-- Support custom algorithms by passing algorithm objects[#512](https://github.com/jwt/ruby-jwt/pull/512) ([@anakinj](https://github.com/anakinj)).
-- Support descriptive (not key related) JWK parameters[#520](https://github.com/jwt/ruby-jwt/pull/520) ([@bellebaum](https://github.com/bellebaum)).
-- Support for JSON Web Key Sets[#525](https://github.com/jwt/ruby-jwt/pull/525) ([@bellebaum](https://github.com/bellebaum)).
-- Support HMAC keys over 32 chars when using RbNaCl[#521](https://github.com/jwt/ruby-jwt/pull/521) ([@anakinj](https://github.com/anakinj)).
+- Support custom algorithms by passing algorithm objects [#512](https://github.com/jwt/ruby-jwt/pull/512) ([@anakinj](https://github.com/anakinj))
+- Support descriptive (not key related) JWK parameters [#520](https://github.com/jwt/ruby-jwt/pull/520) ([@bellebaum](https://github.com/bellebaum))
+- Support for JSON Web Key Sets [#525](https://github.com/jwt/ruby-jwt/pull/525) ([@bellebaum](https://github.com/bellebaum))
+- Support HMAC keys over 32 chars when using RbNaCl [#521](https://github.com/jwt/ruby-jwt/pull/521) ([@anakinj](https://github.com/anakinj))
 
 **Fixes and enhancements:**
 
-- Raise descriptive error on empty hmac_secret and OpenSSL 3.0/openssl gem <3.0.1 [#530](https://github.com/jwt/ruby-jwt/pull/530) ([@jonmchan](https://github.com/jonmchan)).
+- Raise descriptive error on empty hmac_secret and OpenSSL 3.0/openssl gem <3.0.1 [#530](https://github.com/jwt/ruby-jwt/pull/530) ([@jonmchan](https://github.com/jonmchan))
 
 ## [v2.5.0](https://github.com/jwt/ruby-jwt/tree/v2.5.0) (2022-08-25)
 
@@ -44,21 +66,21 @@
 
 **Features:**
 
-- Support JWK thumbprints as key ids [#481](https://github.com/jwt/ruby-jwt/pull/481) ([@anakinj](https://github.com/anakinj)).
-- Support OpenSSL >= 3.0 [#496](https://github.com/jwt/ruby-jwt/pull/496) ([@anakinj](https://github.com/anakinj)).
+- Support JWK thumbprints as key ids [#481](https://github.com/jwt/ruby-jwt/pull/481) ([@anakinj](https://github.com/anakinj))
+- Support OpenSSL >= 3.0 [#496](https://github.com/jwt/ruby-jwt/pull/496) ([@anakinj](https://github.com/anakinj))
 
 **Fixes and enhancements:**
-- Bring back the old Base64 (RFC2045) deocode mechanisms [#488](https://github.com/jwt/ruby-jwt/pull/488) ([@anakinj](https://github.com/anakinj)).
-- Rescue RbNaCl exception for EdDSA wrong key [#491](https://github.com/jwt/ruby-jwt/pull/491) ([@n-studio](https://github.com/n-studio)).
-- New parameter name for cases when kid is not found using JWK key loader proc [#501](https://github.com/jwt/ruby-jwt/pull/501) ([@anakinj](https://github.com/anakinj)).
-- Fix NoMethodError when a 2 segment token is missing 'alg' header [#502](https://github.com/jwt/ruby-jwt/pull/502) ([@cmrd-senya](https://github.com/cmrd-senya)).
+- Bring back the old Base64 (RFC2045) deocode mechanisms [#488](https://github.com/jwt/ruby-jwt/pull/488) ([@anakinj](https://github.com/anakinj))
+- Rescue RbNaCl exception for EdDSA wrong key [#491](https://github.com/jwt/ruby-jwt/pull/491) ([@n-studio](https://github.com/n-studio))
+- New parameter name for cases when kid is not found using JWK key loader proc [#501](https://github.com/jwt/ruby-jwt/pull/501) ([@anakinj](https://github.com/anakinj))
+- Fix NoMethodError when a 2 segment token is missing 'alg' header [#502](https://github.com/jwt/ruby-jwt/pull/502) ([@cmrd-senya](https://github.com/cmrd-senya))
 
 ## [v2.4.1](https://github.com/jwt/ruby-jwt/tree/v2.4.1) (2022-06-07)
 
 [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.4.0...v2.4.1)
 
 **Fixes and enhancements:**
-- Raise JWT::DecodeError on invalid signature [\#484](https://github.com/jwt/ruby-jwt/pull/484) ([@freakyfelt!](https://github.com/freakyfelt!)).
+- Raise JWT::DecodeError on invalid signature [\#484](https://github.com/jwt/ruby-jwt/pull/484) ([@freakyfelt!](https://github.com/freakyfelt!))
 
 ## [v2.4.0](https://github.com/jwt/ruby-jwt/tree/v2.4.0) (2022-06-06)
 
@@ -66,20 +88,20 @@
 
 **Features:**
 
-- Dropped support for Ruby 2.5 and older [#453](https://github.com/jwt/ruby-jwt/pull/453) - [@anakinj](https://github.com/anakinj).
-- Use Ruby built-in url-safe base64 methods [#454](https://github.com/jwt/ruby-jwt/pull/454) - [@bdewater](https://github.com/bdewater).
-- Updated rubocop to 1.23.0 [#457](https://github.com/jwt/ruby-jwt/pull/457) - [@anakinj](https://github.com/anakinj).
-- Add x5c header key finder [#338](https://github.com/jwt/ruby-jwt/pull/338) - [@bdewater](https://github.com/bdewater).
-- Author driven changelog process [#463](https://github.com/jwt/ruby-jwt/pull/463) - [@anakinj](https://github.com/anakinj).
-- Allow regular expressions and procs to verify issuer [\#437](https://github.com/jwt/ruby-jwt/pull/437) ([rewritten](https://github.com/rewritten)).
-- Add Support to be able to verify from multiple keys [\#425](https://github.com/jwt/ruby-jwt/pull/425) ([ritikesh](https://github.com/ritikesh)).
+- Dropped support for Ruby 2.5 and older [#453](https://github.com/jwt/ruby-jwt/pull/453) - ([@anakinj](https://github.com/anakinj))
+- Use Ruby built-in url-safe base64 methods [#454](https://github.com/jwt/ruby-jwt/pull/454) - ([@bdewater](https://github.com/bdewater))
+- Updated rubocop to 1.23.0 [#457](https://github.com/jwt/ruby-jwt/pull/457) - ([@anakinj](https://github.com/anakinj))
+- Add x5c header key finder [#338](https://github.com/jwt/ruby-jwt/pull/338) - ([@bdewater](https://github.com/bdewater))
+- Author driven changelog process [#463](https://github.com/jwt/ruby-jwt/pull/463) - ([@anakinj](https://github.com/anakinj))
+- Allow regular expressions and procs to verify issuer [\#437](https://github.com/jwt/ruby-jwt/pull/437) ([rewritten](https://github.com/rewritten))
+- Add Support to be able to verify from multiple keys [\#425](https://github.com/jwt/ruby-jwt/pull/425) ([ritikesh](https://github.com/ritikesh))
 
 **Fixes and enhancements:**
-- Readme: Typo fix re MissingRequiredClaim [\#451](https://github.com/jwt/ruby-jwt/pull/451) ([antonmorant](https://github.com/antonmorant)).
-- Fix RuboCop TODOs [\#476](https://github.com/jwt/ruby-jwt/pull/476) ([typhoon2099](https://github.com/typhoon2099)).
-- Make specific algorithms in README linkable [\#472](https://github.com/jwt/ruby-jwt/pull/472) ([milieu](https://github.com/milieu)).
-- Update note about supported JWK types [\#475](https://github.com/jwt/ruby-jwt/pull/475) ([dpashkevich](https://github.com/dpashkevich)).
-- Create CODE\_OF\_CONDUCT.md [\#449](https://github.com/jwt/ruby-jwt/pull/449) ([loic5](https://github.com/loic5)).
+- Readme: Typo fix re MissingRequiredClaim [\#451](https://github.com/jwt/ruby-jwt/pull/451) ([antonmorant](https://github.com/antonmorant))
+- Fix RuboCop TODOs [\#476](https://github.com/jwt/ruby-jwt/pull/476) ([typhoon2099](https://github.com/typhoon2099))
+- Make specific algorithms in README linkable [\#472](https://github.com/jwt/ruby-jwt/pull/472) ([milieu](https://github.com/milieu))
+- Update note about supported JWK types [\#475](https://github.com/jwt/ruby-jwt/pull/475) ([dpashkevich](https://github.com/dpashkevich))
+- Create CODE\_OF\_CONDUCT.md [\#449](https://github.com/jwt/ruby-jwt/pull/449) ([loic5](https://github.com/loic5))
 
 ## [v2.3.0](https://github.com/jwt/ruby-jwt/tree/v2.3.0) (2021-10-03)
 

data/README.md

@@ -72,7 +72,6 @@ puts decoded_token
 ### **HMAC**
 
 * HS256 - HMAC using SHA-256 hash algorithm
-* HS512256 - HMAC using SHA-512-256 hash algorithm (only available with RbNaCl; see note below)
 * HS384 - HMAC using SHA-384 hash algorithm
 * HS512 - HMAC using SHA-512 hash algorithm
 
@@ -95,12 +94,6 @@ decoded_token = JWT.decode token, hmac_secret, true, { algorithm: 'HS256' }
 puts decoded_token
 ```
 
-Note: If [RbNaCl](https://github.com/RubyCrypto/rbnacl) is loadable, ruby-jwt will use it for HMAC-SHA256, HMAC-SHA512-256, and HMAC-SHA512. RbNaCl prior to 6.0.0 only support a maximum key size of 32 bytes for these algorithms.
-
-[RbNaCl](https://github.com/RubyCrypto/rbnacl) requires
-[libsodium](https://github.com/jedisct1/libsodium), it can be installed
-on MacOS with `brew install libsodium`.
-
 ### **RSA**
 
 * RS256 - RSA using SHA-256 hash algorithm
@@ -561,7 +554,7 @@ crls = crl_uris.map do |uri|
 end
 
 begin
-  JWT.decode(token, nil, true, { x5c: { root_certificates: root_certificates, crls: crls })
+  JWT.decode(token, nil, true, { x5c: { root_certificates: root_certificates, crls: crls } })
 rescue JWT::DecodeError
   # Handle error, e.g. x5c header certificate revoked or expired
 end

data/lib/jwt/base64.rb

@@ -3,14 +3,26 @@
 require 'base64'
 
 module JWT
-  # Base64 helpers
+  # Base64 encoding and decoding
   class Base64
     class << self
+      # Encode a string with URL-safe Base64 complying with RFC 4648 (not padded).
       def url_encode(str)
-        ::Base64.encode64(str).tr('+/', '-_').gsub(/[\n=]/, '')
+        ::Base64.urlsafe_encode64(str, padding: false)
       end
 
+      # Decode a string with URL-safe Base64 complying with RFC 4648.
+      # Deprecated support for RFC 2045 remains for now. ("All line breaks or other characters not found in Table 1 must be ignored by decoding software")
       def url_decode(str)
+        ::Base64.urlsafe_decode64(str)
+      rescue ArgumentError => e
+        raise unless e.message == 'invalid base64'
+
+        warn('[DEPRECATION] Invalid base64 input detected, could be because of invalid padding, trailing whitespaces or newline chars. Graceful handling of invalid input will be dropped in the next major version of ruby-jwt')
+        loose_urlsafe_decode64(str)
+      end
+
+      def loose_urlsafe_decode64(str)
         str += '=' * (4 - str.length.modulo(4))
         ::Base64.decode64(str.tr('-_', '+/'))
       end

data/lib/jwt/claims_validator.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require_relative './error'
+require_relative 'error'
 
 module JWT
   class ClaimsValidator

data/lib/jwt/decode.rb

@@ -92,13 +92,7 @@ module JWT
     end
 
     def resolve_allowed_algorithms
-      algs = given_algorithms.map do |alg|
-        if Algos.implementation?(alg)
-          alg
-        else
-          Algos.create(alg)
-        end
-      end
+      algs = given_algorithms.map { |alg| JWA.create(alg) }
 
       sort_by_alg_header(algs)
     end

data/lib/jwt/encode.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require_relative 'algos'
+require_relative 'jwa'
 require_relative 'claims_validator'
 
 # JWT::Encode module
@@ -12,7 +12,7 @@ module JWT
     def initialize(options)
       @payload          = options[:payload]
       @key              = options[:key]
-      @algorithm        = resolve_algorithm(options[:algorithm])
+      @algorithm        = JWA.create(options[:algorithm])
       @headers          = options[:headers].transform_keys(&:to_s)
       @headers[ALG_KEY] = @algorithm.alg
     end
@@ -24,12 +24,6 @@ module JWT
 
     private
 
-    def resolve_algorithm(algorithm)
-      return algorithm if Algos.implementation?(algorithm)
-
-      Algos.create(algorithm)
-    end
-
     def encoded_header
       @encoded_header ||= encode_header
     end

data/lib/jwt/{algos → jwa}/ecdsa.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module JWT
-  module Algos
+  module JWA
     module Ecdsa
       module_function
 

data/lib/jwt/jwa/eddsa.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module JWT
+  module JWA
+    module Eddsa
+      SUPPORTED = %w[ED25519 EdDSA].freeze
+      SUPPORTED_DOWNCASED = SUPPORTED.map(&:downcase).freeze
+
+      class << self
+        def sign(algorithm, msg, key)
+          unless key.is_a?(RbNaCl::Signatures::Ed25519::SigningKey)
+            raise EncodeError, "Key given is a #{key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey"
+          end
+
+          validate_algorithm!(algorithm)
+
+          key.sign(msg)
+        end
+
+        def verify(algorithm, public_key, signing_input, signature)
+          unless public_key.is_a?(RbNaCl::Signatures::Ed25519::VerifyKey)
+            raise DecodeError, "key given is a #{public_key.class} but has to be a RbNaCl::Signatures::Ed25519::VerifyKey"
+          end
+
+          validate_algorithm!(algorithm)
+
+          public_key.verify(signature, signing_input)
+        rescue RbNaCl::CryptoError
+          false
+        end
+
+        private
+
+        def validate_algorithm!(algorithm)
+          return if SUPPORTED_DOWNCASED.include?(algorithm.downcase)
+
+          raise IncorrectAlgorithm, "Algorithm #{algorithm} not supported. Supported algoritms are #{SUPPORTED.join(', ')}"
+        end
+      end
+    end
+  end
+end

data/lib/jwt/{algos → jwa}/hmac.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module JWT
-  module Algos
+  module JWA
     module Hmac
       module_function
 
@@ -44,6 +44,7 @@ module JWT
             OpenSSL.fixed_length_secure_compare(a, b)
           end
         else
+          # :nocov:
           def fixed_length_secure_compare(a, b)
             raise ArgumentError, "string length mismatch." unless a.bytesize == b.bytesize
 
@@ -53,6 +54,7 @@ module JWT
             b.each_byte { |byte| res |= byte ^ l.shift }
             res == 0
           end
+          # :nocov:
         end
         module_function :fixed_length_secure_compare
 

data/lib/jwt/jwa/hmac_rbnacl.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module JWT
+  module Algos
+    module HmacRbNaCl
+      MAPPING   = { 'HS512256' => ::RbNaCl::HMAC::SHA512256 }.freeze
+      SUPPORTED = MAPPING.keys
+      class << self
+        def sign(algorithm, msg, key)
+          warn("[DEPRECATION] The use of the algorithm #{algorithm} is deprecated and will be removed in the next major version of ruby-jwt")
+          if (hmac = resolve_algorithm(algorithm))
+            hmac.auth(key_for_rbnacl(hmac, key).encode('binary'), msg.encode('binary'))
+          else
+            Hmac.sign(algorithm, msg, key)
+          end
+        end
+
+        def verify(algorithm, key, signing_input, signature)
+          warn("[DEPRECATION] The use of the algorithm #{algorithm} is deprecated and will be removed in the next major version of ruby-jwt")
+          if (hmac = resolve_algorithm(algorithm))
+            hmac.verify(key_for_rbnacl(hmac, key).encode('binary'), signature.encode('binary'), signing_input.encode('binary'))
+          else
+            Hmac.verify(algorithm, key, signing_input, signature)
+          end
+        rescue ::RbNaCl::BadAuthenticatorError, ::RbNaCl::LengthError
+          false
+        end
+
+        private
+
+        def key_for_rbnacl(hmac, key)
+          key ||= ''
+          raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
+
+          return padded_empty_key(hmac.key_bytes) if key == ''
+
+          key
+        end
+
+        def resolve_algorithm(algorithm)
+          MAPPING.fetch(algorithm)
+        end
+
+        def padded_empty_key(length)
+          Array.new(length, 0x0).pack('C*').encode('binary')
+        end
+      end
+    end
+  end
+end

data/lib/jwt/jwa/hmac_rbnacl_fixed.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module JWT
+  module Algos
+    module HmacRbNaClFixed
+      MAPPING   = { 'HS512256' => ::RbNaCl::HMAC::SHA512256 }.freeze
+      SUPPORTED = MAPPING.keys
+
+      class << self
+        def sign(algorithm, msg, key)
+          key ||= ''
+          warn("[DEPRECATION] The use of the algorithm #{algorithm} is deprecated and will be removed in the next major version of ruby-jwt")
+          raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
+
+          if (hmac = resolve_algorithm(algorithm)) && key.bytesize <= hmac.key_bytes
+            hmac.auth(padded_key_bytes(key, hmac.key_bytes), msg.encode('binary'))
+          else
+            Hmac.sign(algorithm, msg, key)
+          end
+        end
+
+        def verify(algorithm, key, signing_input, signature)
+          key ||= ''
+          warn("[DEPRECATION] The use of the algorithm #{algorithm} is deprecated and will be removed in the next major version of ruby-jwt")
+          raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
+
+          if (hmac = resolve_algorithm(algorithm)) && key.bytesize <= hmac.key_bytes
+            hmac.verify(padded_key_bytes(key, hmac.key_bytes), signature.encode('binary'), signing_input.encode('binary'))
+          else
+            Hmac.verify(algorithm, key, signing_input, signature)
+          end
+        rescue ::RbNaCl::BadAuthenticatorError, ::RbNaCl::LengthError
+          false
+        end
+
+        def resolve_algorithm(algorithm)
+          MAPPING.fetch(algorithm)
+        end
+
+        def padded_key_bytes(key, bytesize)
+          key.bytes.fill(0, key.bytesize...bytesize).pack('C*')
+        end
+      end
+    end
+  end
+end

data/lib/jwt/{algos → jwa}/none.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module JWT
-  module Algos
+  module JWA
     module None
       module_function
 

data/lib/jwt/{algos → jwa}/ps.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module JWT
-  module Algos
+  module JWA
     module Ps
       # RSASSA-PSS signing algorithms
 
@@ -10,9 +10,9 @@ module JWT
       SUPPORTED = %w[PS256 PS384 PS512].freeze
 
       def sign(algorithm, msg, key)
-        require_openssl!
-
-        raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance." if key.is_a?(String)
+        unless key.is_a?(::OpenSSL::PKey::RSA)
+          raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance."
+        end
 
         translated_algorithm = algorithm.sub('PS', 'sha')
 
@@ -20,22 +20,11 @@ module JWT
       end
 
       def verify(algorithm, public_key, signing_input, signature)
-        require_openssl!
         translated_algorithm = algorithm.sub('PS', 'sha')
         public_key.verify_pss(translated_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: translated_algorithm)
       rescue OpenSSL::PKey::PKeyError
         raise JWT::VerificationError, 'Signature verification raised'
       end
-
-      def require_openssl!
-        if Object.const_defined?('OpenSSL')
-          if ::Gem::Version.new(OpenSSL::VERSION) < ::Gem::Version.new('2.1')
-            raise JWT::RequiredDependencyError, "You currently have OpenSSL #{OpenSSL::VERSION}. PS support requires >= 2.1"
-          end
-        else
-          raise JWT::RequiredDependencyError, 'PS signing requires OpenSSL +2.1'
-        end
-      end
     end
   end
 end

data/lib/jwt/{algos → jwa}/rsa.rb

@@ -1,14 +1,16 @@
 # frozen_string_literal: true
 
 module JWT
-  module Algos
+  module JWA
     module Rsa
       module_function
 
       SUPPORTED = %w[RS256 RS384 RS512].freeze
 
       def sign(algorithm, msg, key)
-        raise EncodeError, "The given key is a #{key.class}. It has to be an OpenSSL::PKey::RSA instance." if key.instance_of?(String)
+        unless key.is_a?(OpenSSL::PKey::RSA)
+          raise EncodeError, "The given key is a #{key.class}. It has to be an OpenSSL::PKey::RSA instance"
+        end
 
         key.sign(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), msg)
       end

data/lib/jwt/{algos → jwa}/unsupported.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module JWT
-  module Algos
+  module JWA
     module Unsupported
       module_function
 

data/lib/jwt/{algos/algo_wrapper.rb → jwa/wrapper.rb}

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
 module JWT
-  module Algos
-    class AlgoWrapper
+  module JWA
+    class Wrapper
       attr_reader :alg, :cls
 
       def initialize(alg, cls)

data/lib/jwt/jwa.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require 'openssl'
+
+begin
+  require 'rbnacl'
+rescue LoadError
+  raise if defined?(RbNaCl)
+end
+
+require_relative 'jwa/hmac'
+require_relative 'jwa/eddsa'
+require_relative 'jwa/ecdsa'
+require_relative 'jwa/rsa'
+require_relative 'jwa/ps'
+require_relative 'jwa/none'
+require_relative 'jwa/unsupported'
+require_relative 'jwa/wrapper'
+
+module JWT
+  module JWA
+    ALGOS = [Hmac, Ecdsa, Rsa, Eddsa, Ps, None, Unsupported].tap do |l|
+      if ::JWT.rbnacl_6_or_greater?
+        require_relative 'jwa/hmac_rbnacl'
+        l << Algos::HmacRbNaCl
+      elsif ::JWT.rbnacl?
+        require_relative 'jwa/hmac_rbnacl_fixed'
+        l << Algos::HmacRbNaClFixed
+      end
+    end.freeze
+
+    class << self
+      def find(algorithm)
+        indexed[algorithm&.downcase]
+      end
+
+      def create(algorithm)
+        return algorithm if JWA.implementation?(algorithm)
+
+        Wrapper.new(*find(algorithm))
+      end
+
+      def implementation?(algorithm)
+        (algorithm.respond_to?(:valid_alg?) && algorithm.respond_to?(:verify)) ||
+          (algorithm.respond_to?(:alg) && algorithm.respond_to?(:sign))
+      end
+
+      private
+
+      def indexed
+        @indexed ||= begin
+          fallback = [nil, Unsupported]
+          ALGOS.each_with_object(Hash.new(fallback)) do |cls, hash|
+            cls.const_get(:SUPPORTED).each do |alg|
+              hash[alg.downcase] = [alg, cls]
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/jwt/jwk/ec.rb

@@ -11,6 +11,7 @@ module JWT
       EC_PUBLIC_KEY_ELEMENTS = %i[kty crv x y].freeze
       EC_PRIVATE_KEY_ELEMENTS = %i[d].freeze
       EC_KEY_ELEMENTS = (EC_PRIVATE_KEY_ELEMENTS + EC_PUBLIC_KEY_ELEMENTS).freeze
+      ZERO_BYTE = "\0".b.freeze
 
       def initialize(key, params = nil, options = {})
         params ||= {}
@@ -143,7 +144,6 @@ module JWT
       if ::JWT.openssl_3?
         def create_ec_key(jwk_crv, jwk_x, jwk_y, jwk_d) # rubocop:disable Metrics/MethodLength
           curve = EC.to_openssl_curve(jwk_crv)
-
           x_octets = decode_octets(jwk_x)
           y_octets = decode_octets(jwk_y)
 
@@ -205,12 +205,27 @@ module JWT
         end
       end
 
-      def decode_octets(jwk_data)
-        ::JWT::Base64.url_decode(jwk_data)
-      end
-
-      def decode_open_ssl_bn(jwk_data)
-        OpenSSL::BN.new(::JWT::Base64.url_decode(jwk_data), BINARY)
+      def decode_octets(base64_encoded_coordinate)
+        bytes = ::JWT::Base64.url_decode(base64_encoded_coordinate)
+        # Some base64 encoders on some platform omit a single 0-byte at
+        # the start of either Y or X coordinate of the elliptic curve point.
+        # This leads to an encoding error when data is passed to OpenSSL BN.
+        # It is know to have happend to exported JWKs on a Java application and
+        # on a Flutter/Dart application (both iOS and Android). All that is
+        # needed to fix the problem is adding a leading 0-byte. We know the
+        # required byte is 0 because with any other byte the point is no longer
+        # on the curve - and OpenSSL will actually communicate this via another
+        # exception. The indication of a stripped byte will be the fact that the
+        # coordinates - once decoded into bytes - should always be an even
+        # bytesize. For example, with a P-521 curve, both x and y must be 66 bytes.
+        # With a P-256 curve, both x and y must be 32 and so on. The simplest way
+        # to check for this truncation is thus to check whether the number of bytes
+        # is odd, and restore the leading 0-byte if it is.
+        if bytes.bytesize.odd?
+          ZERO_BYTE + bytes
+        else
+          bytes
+        end
       end
 
       class << self

data/lib/jwt/jwk/key_base.rb

@@ -38,12 +38,14 @@ module JWT
       end
 
       def ==(other)
-        self[:kid] == other[:kid]
+        other.is_a?(::JWT::JWK::KeyBase) && self[:kid] == other[:kid]
       end
 
       alias eql? ==
 
       def <=>(other)
+        return nil unless other.is_a?(::JWT::JWK::KeyBase)
+
         self[:kid] <=> other[:kid]
       end
 

data/lib/jwt/jwk.rb

@@ -52,4 +52,4 @@ require_relative 'jwk/key_base'
 require_relative 'jwk/ec'
 require_relative 'jwk/rsa'
 require_relative 'jwk/hmac'
-require_relative 'jwk/okp_rbnacl' if ::JWT.rbnacl?
+require_relative 'jwk/okp_rbnacl' if JWT.rbnacl?

data/lib/jwt/verify.rb

@@ -38,12 +38,12 @@ module JWT
     end
 
     def verify_expiration
-      return unless @payload.include?('exp')
+      return unless contains_key?(@payload, 'exp')
       raise(JWT::ExpiredSignature, 'Signature has expired') if @payload['exp'].to_i <= (Time.now.to_i - exp_leeway)
     end
 
     def verify_iat
-      return unless @payload.include?('iat')
+      return unless contains_key?(@payload, 'iat')
 
       iat = @payload['iat']
       raise(JWT::InvalidIatError, 'Invalid iat') if !iat.is_a?(Numeric) || iat.to_f > Time.now.to_f
@@ -77,7 +77,7 @@ module JWT
     end
 
     def verify_not_before
-      return unless @payload.include?('nbf')
+      return unless contains_key?(@payload, 'nbf')
       raise(JWT::ImmatureSignature, 'Signature nbf has not been reached') if @payload['nbf'].to_i > (Time.now.to_i + nbf_leeway)
     end
 
@@ -92,7 +92,7 @@ module JWT
       return unless (options_required_claims = @options[:required_claims])
 
       options_required_claims.each do |required_claim|
-        raise(JWT::MissingRequiredClaim, "Missing required claim #{required_claim}") unless @payload.include?(required_claim)
+        raise(JWT::MissingRequiredClaim, "Missing required claim #{required_claim}") unless contains_key?(@payload, required_claim)
       end
     end
 
@@ -109,5 +109,9 @@ module JWT
     def nbf_leeway
       @options[:nbf_leeway] || global_leeway
     end
+
+    def contains_key?(payload, key)
+      payload.respond_to?(:key?) && payload.key?(key)
+    end
   end
 end

data/lib/jwt/version.rb

@@ -11,9 +11,9 @@ module JWT
     # major version
     MAJOR = 2
     # minor version
-    MINOR = 7
+    MINOR = 8
     # tiny version
-    TINY  = 1
+    TINY  = 0
     # alpha, beta, etc. tag
     PRE   = nil
 
@@ -23,7 +23,8 @@ module JWT
 
   def self.openssl_3?
     return false if OpenSSL::OPENSSL_VERSION.include?('LibreSSL')
-    return true if OpenSSL::OPENSSL_VERSION_NUMBER >= 3 * 0x10000000
+
+    true if 3 * 0x10000000 <= OpenSSL::OPENSSL_VERSION_NUMBER
   end
 
   def self.rbnacl?

data/lib/jwt/x5c_key_finder.rb

@@ -1,8 +1,5 @@
 # frozen_string_literal: true
 
-require 'base64'
-require 'jwt/error'
-
 module JWT
   # If the x5c header certificate chain can be validated by trusted root
   # certificates, and none of the certificates are revoked, returns the public

data/ruby-jwt.gemspec

@@ -31,9 +31,12 @@ Gem::Specification.new do |spec|
   spec.executables = []
   spec.require_paths = %w[lib]
 
+  spec.add_dependency 'base64'
+
   spec.add_development_dependency 'appraisal'
   spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'rake'
   spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'rubocop'
   spec.add_development_dependency 'simplecov'
 end

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 2.7.1
+  version: 2.8.0
 platform: ruby
 authors:
 - Tim Rudat
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-06-09 00:00:00.000000000 Z
+date: 2024-02-17 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: appraisal
   requirement: !ruby/object:Gem::Requirement
@@ -66,6 +80,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -94,17 +122,6 @@ files:
 - LICENSE
 - README.md
 - lib/jwt.rb
-- lib/jwt/algos.rb
-- lib/jwt/algos/algo_wrapper.rb
-- lib/jwt/algos/ecdsa.rb
-- lib/jwt/algos/eddsa.rb
-- lib/jwt/algos/hmac.rb
-- lib/jwt/algos/hmac_rbnacl.rb
-- lib/jwt/algos/hmac_rbnacl_fixed.rb
-- lib/jwt/algos/none.rb
-- lib/jwt/algos/ps.rb
-- lib/jwt/algos/rsa.rb
-- lib/jwt/algos/unsupported.rb
 - lib/jwt/base64.rb
 - lib/jwt/claims_validator.rb
 - lib/jwt/configuration.rb
@@ -115,6 +132,17 @@ files:
 - lib/jwt/encode.rb
 - lib/jwt/error.rb
 - lib/jwt/json.rb
+- lib/jwt/jwa.rb
+- lib/jwt/jwa/ecdsa.rb
+- lib/jwt/jwa/eddsa.rb
+- lib/jwt/jwa/hmac.rb
+- lib/jwt/jwa/hmac_rbnacl.rb
+- lib/jwt/jwa/hmac_rbnacl_fixed.rb
+- lib/jwt/jwa/none.rb
+- lib/jwt/jwa/ps.rb
+- lib/jwt/jwa/rsa.rb
+- lib/jwt/jwa/unsupported.rb
+- lib/jwt/jwa/wrapper.rb
 - lib/jwt/jwk.rb
 - lib/jwt/jwk/ec.rb
 - lib/jwt/jwk/hmac.rb
@@ -134,7 +162,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
-  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.7.1/CHANGELOG.md
+  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.8.0/CHANGELOG.md
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []

data/lib/jwt/algos/eddsa.rb

@@ -1,33 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  module Algos
-    module Eddsa
-      module_function
-
-      SUPPORTED = %w[ED25519 EdDSA].freeze
-
-      def sign(algorithm, msg, key)
-        if key.class != RbNaCl::Signatures::Ed25519::SigningKey
-          raise EncodeError, "Key given is a #{key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey"
-        end
-        unless SUPPORTED.map(&:downcase).map(&:to_sym).include?(algorithm.downcase.to_sym)
-          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided"
-        end
-
-        key.sign(msg)
-      end
-
-      def verify(algorithm, public_key, signing_input, signature)
-        unless SUPPORTED.map(&:downcase).map(&:to_sym).include?(algorithm.downcase.to_sym)
-          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided"
-        end
-        raise DecodeError, "key given is a #{public_key.class} but has to be a RbNaCl::Signatures::Ed25519::VerifyKey" if public_key.class != RbNaCl::Signatures::Ed25519::VerifyKey
-
-        public_key.verify(signature, signing_input)
-      rescue RbNaCl::CryptoError
-        false
-      end
-    end
-  end
-end

data/lib/jwt/algos/hmac_rbnacl.rb

@@ -1,53 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  module Algos
-    module HmacRbNaCl
-      module_function
-
-      MAPPING = {
-        'HS256' => ::RbNaCl::HMAC::SHA256,
-        'HS512256' => ::RbNaCl::HMAC::SHA512256,
-        'HS384' => nil,
-        'HS512' => ::RbNaCl::HMAC::SHA512
-      }.freeze
-
-      SUPPORTED = MAPPING.keys
-
-      def sign(algorithm, msg, key)
-        if (hmac = resolve_algorithm(algorithm))
-          hmac.auth(key_for_rbnacl(hmac, key).encode('binary'), msg.encode('binary'))
-        else
-          Hmac.sign(algorithm, msg, key)
-        end
-      end
-
-      def verify(algorithm, key, signing_input, signature)
-        if (hmac = resolve_algorithm(algorithm))
-          hmac.verify(key_for_rbnacl(hmac, key).encode('binary'), signature.encode('binary'), signing_input.encode('binary'))
-        else
-          Hmac.verify(algorithm, key, signing_input, signature)
-        end
-      rescue ::RbNaCl::BadAuthenticatorError, ::RbNaCl::LengthError
-        false
-      end
-
-      def key_for_rbnacl(hmac, key)
-        key ||= ''
-        raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
-
-        return padded_empty_key(hmac.key_bytes) if key == ''
-
-        key
-      end
-
-      def resolve_algorithm(algorithm)
-        MAPPING.fetch(algorithm)
-      end
-
-      def padded_empty_key(length)
-        Array.new(length, 0x0).pack('C*').encode('binary')
-      end
-    end
-  end
-end

data/lib/jwt/algos/hmac_rbnacl_fixed.rb

@@ -1,52 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  module Algos
-    module HmacRbNaClFixed
-      module_function
-
-      MAPPING = {
-        'HS256' => ::RbNaCl::HMAC::SHA256,
-        'HS512256' => ::RbNaCl::HMAC::SHA512256,
-        'HS384' => nil,
-        'HS512' => ::RbNaCl::HMAC::SHA512
-      }.freeze
-
-      SUPPORTED = MAPPING.keys
-
-      def sign(algorithm, msg, key)
-        key ||= ''
-
-        raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
-
-        if (hmac = resolve_algorithm(algorithm)) && key.bytesize <= hmac.key_bytes
-          hmac.auth(padded_key_bytes(key, hmac.key_bytes), msg.encode('binary'))
-        else
-          Hmac.sign(algorithm, msg, key)
-        end
-      end
-
-      def verify(algorithm, key, signing_input, signature)
-        key ||= ''
-
-        raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
-
-        if (hmac = resolve_algorithm(algorithm)) && key.bytesize <= hmac.key_bytes
-          hmac.verify(padded_key_bytes(key, hmac.key_bytes), signature.encode('binary'), signing_input.encode('binary'))
-        else
-          Hmac.verify(algorithm, key, signing_input, signature)
-        end
-      rescue ::RbNaCl::BadAuthenticatorError, ::RbNaCl::LengthError
-        false
-      end
-
-      def resolve_algorithm(algorithm)
-        MAPPING.fetch(algorithm)
-      end
-
-      def padded_key_bytes(key, bytesize)
-        key.bytes.fill(0, key.bytesize...bytesize).pack('C*')
-      end
-    end
-  end
-end

data/lib/jwt/algos.rb

@@ -1,66 +0,0 @@
-# frozen_string_literal: true
-
-begin
-  require 'rbnacl'
-rescue LoadError
-  raise if defined?(RbNaCl)
-end
-require 'openssl'
-
-require 'jwt/algos/hmac'
-require 'jwt/algos/eddsa'
-require 'jwt/algos/ecdsa'
-require 'jwt/algos/rsa'
-require 'jwt/algos/ps'
-require 'jwt/algos/none'
-require 'jwt/algos/unsupported'
-require 'jwt/algos/algo_wrapper'
-
-module JWT
-  module Algos
-    extend self
-
-    ALGOS = [Algos::Ecdsa,
-             Algos::Rsa,
-             Algos::Eddsa,
-             Algos::Ps,
-             Algos::None,
-             Algos::Unsupported].tap do |l|
-      if ::JWT.rbnacl_6_or_greater?
-        require_relative 'algos/hmac_rbnacl'
-        l.unshift(Algos::HmacRbNaCl)
-      elsif ::JWT.rbnacl?
-        require_relative 'algos/hmac_rbnacl_fixed'
-        l.unshift(Algos::HmacRbNaClFixed)
-      else
-        l.unshift(Algos::Hmac)
-      end
-    end.freeze
-
-    def find(algorithm)
-      indexed[algorithm && algorithm.downcase]
-    end
-
-    def create(algorithm)
-      Algos::AlgoWrapper.new(*find(algorithm))
-    end
-
-    def implementation?(algorithm)
-      (algorithm.respond_to?(:valid_alg?) && algorithm.respond_to?(:verify)) ||
-        (algorithm.respond_to?(:alg) && algorithm.respond_to?(:sign))
-    end
-
-    private
-
-    def indexed
-      @indexed ||= begin
-        fallback = [nil, Algos::Unsupported]
-        ALGOS.each_with_object(Hash.new(fallback)) do |cls, hash|
-          cls.const_get(:SUPPORTED).each do |alg|
-            hash[alg.downcase] = [alg, cls]
-          end
-        end
-      end
-    end
-  end
-end