jwtear 0.2.0 → 1.0.0.pre

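--- a/metadata
+++ b/metadata
@@ -1,17 +1,99 @@
 --- !ruby/object:Gem::Specification
 name: jwtear
 version: !ruby/object:Gem::Version
-version: 0.2.0
+version: 1.0.0.pre
 platform: ruby
 authors:
 - KING SABRI
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-01-27 00:00:00.000000000 Z
-dependencies: []
-description: JWTear, command-line tool and library to parse, create and manipulate
-JWT tokens for security testing purposes.
+date: 2019-10-04 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: gli
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '2.19'
+- - ">="
+- !ruby/object:Gem::Version
+version: 2.19.0
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '2.19'
+- - ">="
+- !ruby/object:Gem::Version
+version: 2.19.0
+- !ruby/object:Gem::Dependency
+name: json-jwt
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.10'
+- - ">="
+- !ruby/object:Gem::Version
+version: 1.10.2
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.10'
+- - ">="
+- !ruby/object:Gem::Version
+version: 1.10.2
+- !ruby/object:Gem::Dependency
+name: jwe
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.4.0
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.4.0
+- !ruby/object:Gem::Dependency
+name: tty-markdown
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.6.0
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.6.0
+- !ruby/object:Gem::Dependency
+name: tty-pager
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.12.1
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.12.1
+description: JWTear, a modular command-line tool to parse, create and manipulate JWT
+tokens for security testing purposes.
 email:
 - king.sabri@gmail.com
 executables:
@@ -20,20 +102,27 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- CODE_OF_CONDUCT.md
 - Gemfile
-- LICENSE.txt
+- Gemfile.lock
 - README.md
 - Rakefile
 - bin/jwtear
 - jwtear.gemspec
 - lib/jwtear.rb
-- lib/jwtear/algorithms.rb
 - lib/jwtear/errors.rb
-- lib/jwtear/extensions.rb
-- lib/jwtear/jwt.rb
-- lib/jwtear/utils.rb
+- lib/jwtear/helpers/extensions.rb
+- lib/jwtear/helpers/utils.rb
+- lib/jwtear/jwe.rb
+- lib/jwtear/jws.rb
+- lib/jwtear/token.rb
 - lib/jwtear/version.rb
-- modules/bruteforce.rb
+- plugins/bruteforce.rb
+- plugins/generate.rb
+- plugins/parse.rb
+- plugins/plugin-template.rb
+- plugins/wiki.rb
+- plugins/wiki/README.md
 homepage: https://github.com/KINGSABRI/jwtear
 licenses:
 - MIT
@@ -49,14 +138,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
 version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
-- - ">="
+- - ">"
 - !ruby/object:Gem::Version
-version: '0'
+version: 1.3.1
 requirements: []
 rubyforge_project:
-rubygems_version: 2.6.13
+rubygems_version: 2.7.6.2
 signing_key:
 specification_version: 4
-summary: JWTear, command-line tool and library to parse, create and manipulate JWT
-tokens for security testing purposes.
+summary: JWTear, a modular command-line tool to parse, create and manipulate JWT tokens
+for security testing purposes.
 test_files: []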
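Review bot: The second hunk drops `- LICENSE.txt` from the packaged `files:` list, and the MIT license text itself is deleted further down in this change, while `licenses:` / `- MIT` is still declared, so the built gem claims MIT but ships no license text, which downstream license and compliance scanners will flag. Restore `- LICENSE.txt` to the `files:` list and keep the file in the repository. The same hunk adds `- Gemfile.lock` to the packaged files; Bundler ignores a lockfile inside an installed gem, so it gives consumers nothing and only publishes the author's resolved dependency set, and presumably it should be excluded from the gemspec's file glob. The `required_rubygems_version` change to `> 1.3.1` in the third hunk is the requirement RubyGems itself sets for a prerelease version and needs no action.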
@@ -1,21 +0,0 @@
1
- The MIT License (MIT)
2
-
3
- Copyright (c) 2018 KING SABRI
4
-
5
- Permission is hereby granted, free of charge, to any person obtaining a copy
6
- of this software and associated documentation files (the "Software"), to deal
7
- in the Software without restriction, including without limitation the rights
8
- to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
- copies of the Software, and to permit persons to whom the Software is
10
- furnished to do so, subject to the following conditions:
11
-
12
- The above copyright notice and this permission notice shall be included in
13
- all copies or substantial portions of the Software.
14
-
15
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
- IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
- FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
- AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
- LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
- OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
21
- THE SOFTWARE.
@@ -1,83 +0,0 @@
1
- module JWTear
2
-
3
- # Algorithms module contains all algorithms that are supported for this lib
4
- # @Note if you are looking for production library, please use jwt gem
5
- #
6
- module Algorithms
7
-
8
- # sha generates SHA signature
9
- #
10
- # @param data [String]
11
- # the data you want to encrypt or make signature for.
12
- # @param alg [String]
13
- # the algorithm you want. @example: SHA256, SHA384, SHA512
14
- # @param key [String]
15
- #
16
- # @return [String] SHA signature
17
- #
18
- def sha(data, alg, key)
19
- raise AlgorithmRequiresKeyError if key.nil?
20
- digit = /[[:digit:]]+/
21
- OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'.sub(digit, alg[digit])), key, data)
22
- end
23
-
24
- # rsa generates RSA signature
25
- #
26
- # @param data [String]
27
- # the data you want to encrypt or make signature for.
28
- # @param alg [String]
29
- # the algorithm you want. @example: RSA256, RSA384, RSA512
30
- # @return [Hash]
31
- # of public_key, private_key and signature
32
- #
33
- def rsa(data, alg)
34
- rsa_private = OpenSSL::PKey::RSA.generate(2048)
35
- rsa_public = @rsa_private.public_key
36
- signature = @rsa_private.sign(OpenSSL::Digest.new(alg.sub('RS', 'sha')), data)
37
-
38
- {public_key: rsa_public, private_key: rsa_private, signature: signature}
39
- # FIXME: need to sign using public key
40
- # cert = File.open('pub_cert.pem').read
41
- # @public_key = OpenSSL::PKey::RSA.new(cert)
42
- # raise 'Not a public certificate' unless public_key.public?
43
- end
44
-
45
- # ecdsa generates ESDSA signature
46
- #
47
- # @param data [String]
48
- # @param alg [String]
49
- # @return [String] of ESDSA signature
50
- #
51
- def ecdsa(data, alg)
52
- # TODO:
53
- # - fixme
54
- # - support P-256 as SHA256
55
- ecdsa_key = OpenSSL::PKey::EC.new('prime256v1')
56
- ecdsa_key.generate_key
57
- ecdsa_public = OpenSSL::PKey::EC.new(ecdsa_key)
58
- ecdsa_public.private_key = nil
59
- end
60
-
61
- # Just None encryption
62
- #
63
- # @return [String]
64
- # empty string if none algorithm, yes it happens in JWT
65
- def none
66
- ''
67
- end
68
-
69
- # List of supported algorithms
70
- #
71
- # @return [Hash]
72
- #
73
- def supported_algorithms
74
- {
75
- None: [],
76
- SHA: %w{HS256 HS384 HS512},
77
- RSA: %w{RS256 RS384 RS512},
78
- ESDSA: %w{ES256 ES384 ES512}
79
- }
80
- end
81
-
82
- end
83
- end
@@ -1,41 +0,0 @@
1
- module JWTear
2
- module Extensions
3
- module Core
4
- module String
5
- def red; colorize(self, "\e[1m\e[31m"); end
6
- def green; colorize(self, "\e[1m\e[32m"); end
7
- def dark_green; colorize(self, "\e[32m"); end
8
- def yellow; colorize(self, "\e[1m\e[33m"); end
9
- def blue; colorize(self, "\e[1m\e[34m"); end
10
- def dark_blue; colorize(self, "\e[34m"); end
11
- def purple; colorize(self, "\e[35m"); end
12
- def dark_purple; colorize(self, "\e[1;35m"); end
13
- def cyan; colorize(self, "\e[1;36m"); end
14
- def dark_cyan; colorize(self, "\e[36m"); end
15
- def pure; colorize(self, "\e[0m\e[28m"); end
16
- def underline; colorize(self, "\e[4m"); end
17
- def bold; colorize(self, "\e[1m"); end
18
- def colorize(text, color_code) "#{color_code}#{text}\e[0m" end
19
- end
20
-
21
- # module NilClass
22
- # def puts(type=nil, arg)
23
- # case type
24
- # when nil
25
- # puts arg
26
- # when :error
27
- # puts '[x] '.red + arg
28
- # when :warning
29
- # puts '[!] '.yellow + arg
30
- # when :success
31
- # puts '[x] '.green.bold + arg
32
- # when :status
33
- # puts '[x] '.green + arg
34
- # else
35
- # puts arg
36
- # end
37
- # end
38
- # end
39
- end
40
- end
41
- end
@@ -1,129 +0,0 @@
1
- require 'jwtear/algorithms'
2
- require 'jwtear/utils'
3
-
4
- module JWTear
5
- class JWT
6
- include JWTear::Extensions
7
- include JWTear::Algorithms
8
- include JWTear::Utils
9
-
10
- # @!attribute [rw] token [String] generated or parsed token
11
- # @!attribute [rw] header [Hash]
12
- # @!attribute [rw] payload [Hash]
13
- attr_accessor :token, :header, :payload
14
- # @!attribute [rw] alg [String] generated or parsed algorithm
15
- # @!attribute [rw] key [String] given encryption key
16
- # @!attribute [rw] data [String] given or parsed data
17
- attr_accessor :alg, :key, :data
18
- # @!attribute [r] json [JSON] given or parsed json
19
- # @!attribute [r] hash [Hash] hash result of parsing given or generated json
20
- attr_reader :json, :hash
21
- # @!attribute [r] signature [String] generated or parsed signature.
22
- # @!attribute [r] rsa_private [String] generated private private key
23
- # @!attribute [r] rsa_public [String] generated or given public key
24
- attr_reader :signature, :rsa_private, :rsa_public
25
-
26
- def initialize(token='')
27
- @token = token
28
- @key = nil
29
- end
30
-
31
- # parse a given token.
32
- # The main use of it is to parse and initiate header, payload, type, alg, signature values
33
- #
34
- # @param token String
35
- def parse(token=@token)
36
- is_token?(token)
37
- _token = token.split('.')
38
- @header = JSON.parse(decode(_token[0]))
39
- @type, @alg = @header['typ'], @header['alg']
40
- @payload = JSON.parse(decode(_token[1]))
41
- @signature = decode(_token[2]) unless (_token[2].nil? or _token[2].empty?)
42
- set_hash_and_json
43
- end
44
-
45
- # build the hash and Json format from the parsed or generated token
46
- def set_hash_and_json
47
- @hash = {header: @header, payload: @payload, signature: encode(@signature)}
48
- @json = "#{@header.to_json}.#{@payload.to_json}.#{encode(@signature)}"
49
- end
50
-
51
- # generate signature
52
- #
53
- # @param data [String]. 'Base64.encode(header)'.'Base64.encode(payload)'>
54
- # @param alg [String] supported algorithms: @see [Algorithms#supported_algorithms]
55
- # @param key String
56
- #
57
- # @return [Self] the generate signature
58
- #
59
- def generate_sig(data, alg, key)
60
- begin
61
- case alg
62
- when /^HS/
63
- @signature = sha(data, alg, key)
64
- when /^RS/
65
- rsa = rsa(data, alg)
66
- @rsa_public = rsa[:public_key]
67
- @rsa_private = rsa[:private_key]
68
- @signature = rsa[:signature]
69
- when /^ES/
70
- @signature = ecdsa(data, alg)
71
- when /none/i
72
- @signature = none
73
- else
74
- raise AlgorithmUnknownError
75
- end
76
- rescue AlgorithmUnknownError
77
- puts "[x] ".red + "algorithm cannot be nil, empty or unsupported, Use: '--alg ALGORITHM' option"
78
- puts "[!] ".yellow + 'Supported Algorithms:'
79
- supported_algorithms.each_pair do |alg_key, alg_val|
80
- puts alg_key, alg_val.map{|_alg| " #{_alg}" }
81
- end
82
- exit!
83
- rescue AlgorithmRequiresKeyError
84
- puts "[x] ".red + "key cannot be nil or empty, Use: '--key SECRET_KEY' option"
85
- exit!
86
- rescue Exception => e
87
- puts "[x] ".red + "Unknown Exception: generate_sig"
88
- puts '[!] '.yellow + 'Please report the issue at: https://github.com/KINGSABRI/jwtear/issues'.underline
89
- puts e
90
- puts e.backtrace
91
- end
92
-
93
- self
94
- end
95
-
96
- # generate JWT token
97
- # by default, generate_token uses the given json header to detect the algorithm.
98
- # But it also accept to ignore that and force it to you another algorithm.
99
- #
100
- # @return [String] the generated token
101
- #
102
- def generate_token
103
- begin
104
- @header = JSON.parse(@header) unless @header.is_a?(Hash)
105
- @payload = JSON.parse(@payload) unless @payload.is_a?(Hash)
106
- @alg = @header['alg'] if @alg.nil? # if algorithm not forced, take if from the header
107
-
108
- header_encoded = encode(@header.to_json)
109
- payload_encoded = encode(@payload.to_json)
110
- data = "#{header_encoded}.#{payload_encoded}"
111
- signature_encoded = encode(generate_sig(data, @alg, @key).signature)
112
- token = [header_encoded, payload_encoded, signature_encoded].join('.')
113
-
114
- set_hash_and_json
115
- token
116
- rescue JSON::ParserError => e
117
- puts '[x] '.red + "Invalid JSON: #{e.message}"
118
- puts "[!] ".yellow + "Make sure you've single quoted your input: eg. --header #{"'".bold}{\"type\":\"JWT\",\"alg\":\"HS256\"}#{"'".bold}"
119
- exit!
120
- rescue Exception => e
121
- puts "[x] ".red + "Unknown Exception: generate_sig"
122
- puts '[!] '.yellow + 'Please report the issue at: https://github.com/KINGSABRI/jwtear/issues'.underline
123
- puts e
124
- puts e.backtrace
125
- end
126
- end
127
-
128
- end
129
- end
@@ -1,57 +0,0 @@
1
- module JWTear
2
- module Utils
3
-
4
- # Check latest version
5
- def latest_version
6
- begin
7
- current_version = JWTear::VERSION
8
- rubygem_api = JSON.parse open("https://rubygems.org/api/v1/versions/jwtear.json").read
9
- remote_version = rubygem_api.first["number"]
10
- latest = remote_version.eql?(current_version)? true : false
11
-
12
- latest ? current_version : remote_version
13
- rescue Exception => e
14
- puts "[!] ".yellow + " Couldn't check the latest version, please check internet connectivity."
15
- exit!
16
- end
17
- end
18
-
19
- # check token format
20
- def is_token?(token)
21
- begin
22
- token_size = token.split('.').size
23
- raise InvalidTokenError if token_size < 2
24
- rescue InvalidTokenError
25
- puts '[!] '.red + "Invalid token: #{token}"
26
- exit!
27
- end
28
- end
29
-
30
- def encode(data)
31
- Base64.urlsafe_encode64(data, padding: false) unless data.nil?
32
- end
33
-
34
- def decode(data)
35
- Base64.urlsafe_decode64(data)
36
- end
37
-
38
- # def encode_header_payload_signature(header, payload, signature)
39
- # [header, payload, signature].map {|part| encode part}.join('.')
40
- # end
41
-
42
- # JWTear's logo
43
- def self.banner
44
- %Q{\n 888888 888 888 88888888888
45
- "88b 888 o 888 888
46
- 888 888 d8b 888 888
47
- 888 888 d888b 888 888 .d88b. 8888b. 888d888
48
- 888 888d88888b888 888 d8P Y8b "88b 888P"
49
- 888 88888P Y88888 888 88888888 .d888888 888
50
- 88P 8888P Y8888 888 Y8b. 888 888 888
51
- 888 888P Y888 888 "Y8888 "Y888888 888
52
- .d88P v#{JWTear::VERSION}
53
- .d88P"
54
- 888P" }
55
- end
56
- end
57
- end