jwtear 0.1.1 → 0.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 64f91b4e924b43dd19b0071db21dc93cdbf5b37a
-  data.tar.gz: 241b7dd36ea2fcee9bbf1644e08ae5eaf7ac1b03
+  metadata.gz: bd40b5099b880a09ed4277d0964f85d0255a1be9
+  data.tar.gz: 9b016a13f78d711c0b1e4e61de499ed5bdfa30fb
 SHA512:
-  metadata.gz: 6592677502c4af5a925159651cbb47aa8e9798c9c38dc6fc580823ba186f125b7628774348620cf2f7442f5fea8e871578c8d79465daa3ab3ff03f1c85d9c055
-  data.tar.gz: 0f0f310463e42be3eda35d75f9d70fbac6c6eda2fd93fa735564aad6d04809793f764079669c1a10abfde563063613c4d8e5fa1eadede5d81ea2a73a4c4989b9
+  metadata.gz: 5d2d82eeabaa80693048981de0f3e3c7ea5688ad3d4b833f9b0893050e04c442adba291a696ac143bfc7f5521b778624e4ed057abba887bbd040a710e2feef35
+  data.tar.gz: 4506e71a5e670fd92c23584e9aa2d2a9cd1e0a5dd235f683b7f60ebd9b3269b705fe6634fff22a9991815237e6a044575b836e26c9c7fb7a703c12c9a9708a5f

data/README.md

@@ -45,7 +45,7 @@ Usage:
 jwtear <OPTIONS>
 
 Example:
-jwtear --generate-token --header '{"typ":"JWT","alg":" "}' --payload '{"login":"admin"}' --key 'P@ssw0rd!'
+jwtear --generate-token --header '{"typ":"JWT","alg":"HS256"}' --payload '{"login":"admin"}' --key 'P@ssw0rd!'
 jwtear --generate-sig --header '{"typ":"JWT","alg":"HS256"}' --payload '{"login":"admin"}' --key 'P@ssw0rd!'
 jwtear --parse 'eyJwI...6IfJ9.kxrMS...MjAMm.zEybN...TU2Njk3ZmE3OA'
 

data/bin/jwtear

@@ -22,21 +22,21 @@ option_parser.banner = "#{"JWTear".bold} - Parse, create and manipulate JWT toke
 option_parser.set_summary_indent '   '
 option_parser.separator "\nHelp menu:".underline
 option_parser.on('-p', '--parse JWT_TOKEN' , 'Parse JWT token') {|v| options[:parse] = v}
-option_parser.on('--generate-token', 'Generate JWT token.') {|v| options[:generate_token] = v}
-option_parser.on('--generate-sig', 'Generate JWT signature.') {|v| options[:generate_sig] = v}
-option_parser.on('--header HEADER',
+option_parser.on('-t', '--generate-token', 'Generate JWT token.') {|v| options[:generate_token] = v}
+option_parser.on('-s', '--generate-sig', 'Generate JWT signature.') {|v| options[:generate_sig] = v}
+option_parser.on('-H', '--header HEADER',
                   'JWT header (JSON format). (required for generate-token and generate-sig)',
                   '  eg. {"typ":"JWT","alg":"HS256"} | Supported algorithms: [HS256, RS512, etc]'
 ) {|v| options[:header] = v}
-option_parser.on('--payload PAYLOAD' ,
+option_parser.on('-P', '--payload PAYLOAD' ,
                     'JWT payload (JSON format). (required for generate-token and generate-sig)',
                     '  eg. {"login":"admin"}'
 ) {|v| options[:payload] = v}
-option_parser.on('--alg ALGORITHM',
+option_parser.on('-g', '--alg ALGORITHM',
                   'Force algorithm type when generating a new token (ignore the one in header). (optional with generate-token)',
                   '  Supported algorithms: [HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512]'
 ) {|v| options[:alg] = v}
-option_parser.on('--key SECRET',
+option_parser.on('-k', '--key SECRET',
                  'Secret Key for symmetric encryption. (required for generate-token and generate-sig. Accept password as a string or a file)',
                  '  eg. P@ssw0rd  | eg. public_key.pem'
 ) {|v| options[:key] = v}
@@ -47,7 +47,7 @@ option_parser.on('--key SECRET',
 option_parser.on('-h', '--help', 'Show this help message') {puts JWTear::Utils.banner , option_parser; exit!}
 option_parser.on_tail "\nUsage:\n".underline + "jwtear <OPTIONS>"
 option_parser.on_tail "\nExample:".underline
-option_parser.on_tail %Q{jwtear --generate-token --header #{"'".bold}{"typ":"JWT","alg":" "}#{"'".bold} --payload #{"'".bold}{"login":"admin"}#{"'".bold} --key 'P@ssw0rd!'}
+option_parser.on_tail %Q{jwtear --generate-token --header #{"'".bold}{"typ":"JWT","alg":"HS256"}#{"'".bold} --payload #{"'".bold}{"login":"admin"}#{"'".bold} --key 'P@ssw0rd!'}
 option_parser.on_tail %Q{jwtear --generate-sig --header #{"'".bold}{"typ":"JWT","alg":"HS256"}#{"'".bold} --payload #{"'".bold}{"login":"admin"}#{"'".bold} --key 'P@ssw0rd!'}
 option_parser.on_tail %Q{jwtear --parse #{"'".bold}eyJwI...6IfJ9#{'.'.bold}kxrMS...MjAMm#{'.'.bold}zEybN...TU2Njk3ZmE3OA#{"'".bold}\n\n}
 
@@ -55,6 +55,7 @@ begin
   option_parser.parse!
   include JWTear::Utils
   case
+    # parse
     when options[:parse]
       jwt = JWTear::JWT.new(options[:parse])
       jwt_parsed = jwt.parse
@@ -70,9 +71,11 @@ begin
       puts "[+] ".dark_green + "Signature (envelope segment) - encoded:".bold.underline
       puts "#{Base64.urlsafe_encode64(jwt.signature)}"
 
+    # checking missing for generate_token
     when options[:generate_token] && (options[:header] || options[:payload] || options[:key]).nil?
       puts '[!] '.red + "Missing mandatory switch(es) '--header/--payload/--alg/--key'"
 
+    # checking missing for generate_sig
     when options[:generate_sig] && (options[:header] || options[:payload] || options[:key]).nil?
       puts '[!] '.red + "Missing mandatory switch(es) '--header/--payload/--key'"
 
@@ -112,7 +115,6 @@ rescue OptionParser::InvalidOption => e
 rescue Exception => e
   puts "[x] ".red + "Unknown Exception: option parser"
   puts '[!] '.yellow + 'Please report the issue at: https://github.com/KINGSABRI/jwtear/issues'.underline
-  puts e.backtrace
   puts e.backtrace_locations
   puts e
 end

data/lib/jwtear/algorithms.rb

@@ -72,6 +72,7 @@ module  JWTear
     #
     def supported_algorithms
       {
+          None:  [],
           SHA:   %w{HS256 HS384 HS512},
           RSA:   %w{RS256 RS384 RS512},
           ESDSA: %w{ES256 ES384 ES512}

data/lib/jwtear/errors.rb

@@ -1,4 +1,8 @@
 module JWTear
+
+  # Token
+  class InvalidTokenError < Exception; end
+
   # Algorithm Errors
   class AlgorithmRequiresKeyError < TypeError; end
   class AlgorithmUnknownError < Exception; end

data/lib/jwtear/jwt.rb

@@ -8,8 +8,8 @@ module JWTear
     include JWTear::Utils
 
     # @!attribute [rw] token [String] generated or parsed token
-    # @!attribute [rw] header [String] generated or parsed header
-    # @!attribute [rw] payload [String] generated or parsed payload
+    # @!attribute [rw] header [Hash]
+    # @!attribute [rw] payload [Hash]
     attr_accessor :token, :header, :payload
     # @!attribute [rw] alg [String] generated or parsed algorithm
     # @!attribute [rw] key [String] given encryption key
@@ -18,7 +18,7 @@ module JWTear
     # @!attribute [r] json [JSON] given or parsed json
     # @!attribute [r] hash [Hash] hash result of parsing given or generated json
     attr_reader :json, :hash
-    # @!attribute [r] signature [String] generated or parsed signature
+    # @!attribute [r] signature [String] generated or parsed signature.
     # @!attribute [r] rsa_private [String] generated private private key
     # @!attribute [r] rsa_public [String] generated or given public key
     attr_reader :signature, :rsa_private, :rsa_public
@@ -33,27 +33,28 @@ module JWTear
     #
     # @param token String
     def parse(token=@token)
+      is_token?(token)
       _token = token.split('.')
-      @header     = JSON.parse(Base64.urlsafe_decode64(_token[0]))
+      @header     = JSON.parse(decode(_token[0]))
       @type, @alg = @header['type'], @header['alg']
-      @payload    = JSON.parse(Base64.urlsafe_decode64(_token[1]))
-      @signature  = Base64.urlsafe_decode64(_token[2]) unless (_token[2].nil? or _token[2].empty?)
+      @payload    = JSON.parse(decode(_token[1]))
+      @signature  = decode(_token[2]) unless (_token[2].nil? or _token[2].empty?)
       set_hash_and_json
     end
 
     # build the hash and Json format from the parsed or generated token
     def set_hash_and_json
-      @json       = "#{@header.to_json}.#{@payload.to_json}.#{Base64.urlsafe_encode64(@signature, padding: false)}"
-      @hash       = {header: @header, payload: @payload, signature: Base64.urlsafe_encode64(@signature, padding: false)}
+      @hash       = {header: @header, payload: @payload, signature: encode(@signature)}
+      @json       = "#{@header.to_json}.#{@payload.to_json}.#{encode(@signature)}"
     end
 
     # generate signature
     #
     # @param data [String]. 'Base64.encode(header)'.'Base64.encode(payload)'>
-    # @param alg [String] supported algorithms: HS256 HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512
+    # @param alg [String] supported algorithms: @see [Algorithms#supported_algorithms]
     # @param key String
     #
-    # @return [String] the generate signature
+    # @return [Self] the generate signature
     #
     def generate_sig(data, alg, key)
       begin
@@ -66,9 +67,9 @@ module JWTear
             @rsa_private = rsa[:private_key]
             @signature   = rsa[:signature]
           when /^ES/
-            ecdsa(data, alg)
+            @signature = ecdsa(data, alg)
           when /none/i
-            none
+            @signature = none
           else
             raise AlgorithmUnknownError
         end
@@ -93,22 +94,24 @@ module JWTear
     end
 
     # generate JWT token
-    #   by default, generate_token uses the given json header to detect the algorithm. But it also accept to ignore than
-    #   and force it to you another algorithm.
+    #   by default, generate_token uses the given json header to detect the algorithm.
+    #   But it also accept to ignore that and force it to you another algorithm.
     #
     # @return [String] the generated token
     #
     def generate_token
-      @header    =  JSON.parse(@header)  unless @header.is_a?(Hash)
-      @payload   =  JSON.parse(@payload) unless @payload.is_a?(Hash)
-      @alg       = @header['alg'] if @alg.nil?
-      header    = Base64.urlsafe_encode64(@header.to_json, padding: false)
-      payload   = Base64.urlsafe_encode64(@payload.to_json, padding: false)
-      data      = "#{header}.#{payload}"
-      @signature = generate_sig(data, @alg, @key).signature
-      signature = encode(@signature)
-      token = [header, payload, signature].join('.')
-      parse(token)
+
+      @header   = JSON.parse(@header)  unless @header.is_a?(Hash)
+      @payload  = JSON.parse(@payload) unless @payload.is_a?(Hash)
+      @alg      = @header['alg'] if @alg.nil?   # if algorithm not forced, take if from the header
+
+      header_encoded    = encode(@header.to_json)
+      payload_encoded   = encode(@payload.to_json)
+      data              = "#{header_encoded}.#{payload_encoded}"
+      signature_encoded = encode(generate_sig(data, @alg, @key).signature)
+      token     = [header_encoded, payload_encoded, signature_encoded].join('.')
+
+      set_hash_and_json
 
       token
     end

data/lib/jwtear/utils.rb

@@ -1,6 +1,17 @@
 module JWTear
   module Utils
 
+    # check token format
+    def is_token?(token)
+      begin
+        token_size = token.split('.').size
+        raise InvalidTokenError if token_size < 2
+      rescue InvalidTokenError
+        puts '[!] '.red + "Invalid token: #{token}"
+        exit!
+      end
+    end
+    
     def encode(data)
       Base64.urlsafe_encode64(data, padding: false)
     end
@@ -9,13 +20,13 @@ module JWTear
       Base64.urlsafe_decode64(data)
     end
 
-    def encode_header_payload(header, payload)
-      [header, payload].map {|part| encode part}.join('.')
-    end
+    # def encode_header_payload_signature(header, payload, signature)
+    #   [header, payload, signature].map {|part| encode part}.join('.')
+    # end
 
     # JWTear's logo
     def self.banner
-      %Q{\n  888888 888       888 88888888888
+      %Q{\n    888888 888       888 88888888888
       "88b 888   o   888     888
        888 888  d8b  888     888
        888 888 d888b 888     888   .d88b.   8888b.  888d888

data/lib/jwtear/version.rb

@@ -1,3 +1,3 @@
 module JWTear
-  VERSION = "0.1.1"
+  VERSION = "0.1.2"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwtear
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.2
 platform: ruby
 authors:
 - KING SABRI
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-01-11 00:00:00.000000000 Z
+date: 2018-01-19 00:00:00.000000000 Z
 dependencies: []
 description: JWTear, command-line tool and library to parse, create and manipulate
   JWT tokens for security testing purposes.