jwtear 1.0.5 → 1.1.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4e325882534b86402268e985372b35209081c98c9c4bf7f23534c7fa098388f5
-  data.tar.gz: cb11ceb477305198e61b56d6806df69760845cc6f12b05c1dac4f29b2a8dbb26
+  metadata.gz: 0d16d14566a4ef0035cf36f1120930d6d8147015768bf5eafab76940587003a7
+  data.tar.gz: 9d44f6bee9b1541b3f1f9010ea213392353140d45d897c44fa01cea3e25d1bbd
 SHA512:
-  metadata.gz: a582c094d9cc6e632ef1097a9f6ea12cc441ebffd09ecbeb9be751e9e3382059a1e3546cb028defad7606336ec508f1a2441e16433a1e977e64dcfd1c1abf89d
-  data.tar.gz: edee73199d6fb13e1e0be565d6a1bac562c284258615de55f6c570379d2a42b17f41053f44725e4e38169b71f23a277eb25f66318553577008b1de091438f197
+  metadata.gz: d8b73d0cb81751b22da4a5a9645bf02c4fb1f967bb4e3a3ee6a2a75b045cc81acbf21657eae422e0262abb043da056a02f9d526a5bb445754c716e4193fd4bd7
+  data.tar.gz: 14586493d374327ee19530b5d92bc2bb9bc4807bdc51f56e0becc27e58bf05f5a614227c4cac334f9cd970d10494bc20c31c132cffef89042b48d2e08f25e43a

data/.github/workflows/gem-push.yml

@@ -0,0 +1,30 @@
+name: Push2RubyGems
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  build:
+    name: Build + Publish
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby 2.6
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: 2.6.x
+
+    - name: Publish to RubyGems
+      run: |
+        mkdir -p $HOME/.gem
+        touch $HOME/.gem/credentials
+        chmod 0600 $HOME/.gem/credentials
+        printf -- "---\n:rubygems_api_key: ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
+        gem build *.gemspec
+        gem push *.gem
+      env:
+        GEM_HOST_API_KEY: "${{secrets.GEM_HOST_API_KEY}}"

data/Gemfile.lock

@@ -1,73 +1,70 @@
 PATH
   remote: .
   specs:
-    jwtear (1.0.4)
+    jwtear (1.0.7)
       colorize (~> 0.8.1)
-      gli (~> 2.19, >= 2.19.0)
-      json-jwt (~> 1.10, >= 1.10.2)
+      gli (~> 2.20, >= 2.20.0)
+      json-jwt (~> 1.13.0)
       jwe (~> 0.4.0)
-      tty-markdown (~> 0.6.0)
-      tty-pager (~> 0.12.1)
+      tty-markdown (~> 0.7.0)
+      tty-pager (~> 0.14.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (6.0.0)
+    activesupport (6.1.4.1)
       concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 0.7, < 2)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
-      zeitwerk (~> 2.1, >= 2.1.8)
-    aes_key_wrap (1.0.1)
-    bindata (2.4.4)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+      zeitwerk (~> 2.3)
+    aes_key_wrap (1.1.0)
+    bindata (2.4.10)
     colorize (0.8.1)
-    concurrent-ruby (1.1.5)
-    equatable (0.6.1)
-    gli (2.19.0)
-    i18n (1.7.0)
+    concurrent-ruby (1.1.9)
+    gli (2.20.1)
+    i18n (1.8.10)
       concurrent-ruby (~> 1.0)
-    json-jwt (1.10.2)
+    json-jwt (1.13.0)
       activesupport (>= 4.2)
       aes_key_wrap
       bindata
     jwe (0.4.0)
-    kramdown (1.16.2)
-    minitest (5.12.2)
-    pastel (0.7.3)
-      equatable (~> 0.6)
+    kramdown (2.3.1)
+      rexml
+    minitest (5.14.4)
+    pastel (0.8.0)
       tty-color (~> 0.5)
-    rouge (3.11.1)
-    strings (0.1.6)
-      strings-ansi (~> 0.1)
-      unicode-display_width (~> 1.5)
+    rexml (3.2.5)
+    rouge (3.26.0)
+    strings (0.2.1)
+      strings-ansi (~> 0.2)
+      unicode-display_width (>= 1.5, < 3.0)
       unicode_utils (~> 1.4)
-    strings-ansi (0.1.0)
-    thread_safe (0.3.6)
-    tty-color (0.5.0)
-    tty-markdown (0.6.0)
-      kramdown (~> 1.16.2)
-      pastel (~> 0.7.2)
-      rouge (~> 3.3)
-      strings (~> 0.1.4)
-      tty-color (~> 0.4)
-      tty-screen (~> 0.6)
-    tty-pager (0.12.1)
-      strings (~> 0.1.4)
-      tty-screen (~> 0.6)
-      tty-which (~> 0.4)
-    tty-screen (0.7.0)
-    tty-which (0.4.1)
-    tzinfo (1.2.5)
-      thread_safe (~> 0.1)
-    unicode-display_width (1.6.0)
+    strings-ansi (0.2.0)
+    tty-color (0.6.0)
+    tty-markdown (0.7.0)
+      kramdown (>= 1.16.2, < 3.0)
+      pastel (~> 0.8)
+      rouge (~> 3.14)
+      strings (~> 0.2.0)
+      tty-color (~> 0.5)
+      tty-screen (~> 0.8)
+    tty-pager (0.14.0)
+      strings (~> 0.2.0)
+      tty-screen (~> 0.8)
+    tty-screen (0.8.1)
+    tzinfo (2.0.4)
+      concurrent-ruby (~> 1.0)
+    unicode-display_width (2.0.0)
     unicode_utils (1.4.0)
-    zeitwerk (2.1.10)
+    zeitwerk (2.4.2)
 
 PLATFORMS
-  ruby
+  x86_64-linux
 
 DEPENDENCIES
   jwtear!
 
 BUNDLED WITH
-   2.0.2
+   2.2.25

data/bin/jwtear

@@ -58,6 +58,8 @@ module  JWTear
         print_error "Option #{exception.message}"
       when GLI::UnknownCommandArgument
         print_error "#{exception.message}"
+      when GLI::UnknownCommand
+        print_error "#{exception.message}"
       else
         print_error "Unknown Exception:"
         print_warning 'Please report the issue to: https://github.com/KINGSABRI/jwtear/issues'.underline

data/jwtear.gemspec

@@ -18,11 +18,11 @@ Gem::Specification.new do |spec|
   spec.executables   = ['jwtear']
   spec.require_paths = ["lib"]
 
-  spec.add_dependency 'gli',          '~> 2.19', '>= 2.19.0'
-  spec.add_dependency 'json-jwt',     '~> 1.11', '>= 1.11.0'
+  spec.add_dependency 'gli',          '~> 2.20', '>= 2.20.0'
+  spec.add_dependency 'json-jwt',     '~> 1.13.0'
   spec.add_dependency 'jwe',          "~> 0.4.0"
-  spec.add_dependency 'tty-markdown', "~> 0.6.0"
-  spec.add_dependency 'tty-pager',    "~> 0.12.1"
+  spec.add_dependency 'tty-markdown', "~> 0.7.0"
+  spec.add_dependency 'tty-pager',    "~> 0.14.0"
   spec.add_dependency 'colorize',     "~> 0.8.1"
 
   # spec.add_development_dependency('rake', '~> 0.9.2.2')

data/lib/jwtear/helpers/utils.rb

@@ -19,8 +19,10 @@ module JWTear
 
       # read key as a string or from file(eg. pub_key.pem)
       def read_key(key)
-        if key
-          File.file?(key)? File.read(key) : key
+        if File.file?(File.absolute_path(key))
+          File.read(File.absolute_path(key))
+        else
+          key
         end
       end
 
@@ -44,7 +46,7 @@ module JWTear
           end
         end
       ensure
-        unless missing.empty?
+        unless missing.nil? or missing.empty?
           print_error "Missing dependencies!"
           print_warning "Please install as follows:"
           puts "gem install #{missing.join(' ')}"

data/lib/jwtear/jwe.rb

@@ -58,10 +58,10 @@ module JWTear
       cipher_text = Base64.urlsafe_encode64(@cipher_text, padding: false)
       authentication_tag = Base64.urlsafe_encode64(@authentication_tag, padding: false)
 
-      "#{header.to_json}" + "●" +
-      "#{encrypted_key}"  + "●" +
-      "#{iv}"             + "●" +
-      "#{cipher_text}"    + "●" +
+      "#{header.to_json}" + ".".bold +
+      "#{encrypted_key}"  + ".".bold +
+      "#{iv}"             + ".".bold +
+      "#{cipher_text}"    + ".".bold +
       "#{authentication_tag}"
     end
 
@@ -78,7 +78,7 @@ module JWTear
       key = OpenSSL::PKey::RSA.new(key)
       jwt = JSON::JWT.new(JSON.parse(payload, symbolize_names: true))
       jwt.header = JSON.parse(header, symbolize_names: true)
-      ::JWE.encrypt(payload, key, enc: jwt.header[:enc]) # I had to use this gem as json-jwt does not support A192GCM AFAIK
+      ::JWE.encrypt(payload, key, enc: jwt.header[:enc]) # I had to use this gem as jwe does not support A192GCM AFAIK
     rescue TypeError => e
       print_bad "Invalid data type."
       print_warning "Make sure your public/private key file exists."

data/lib/jwtear/jws.rb

@@ -39,7 +39,7 @@ module JWTear
     end
 
     def to_json_presentation
-      "#{@header.to_json}" + "●" + "#{@payload.to_json}" + "●" + "#{Base64.urlsafe_encode64(@signature, padding: false)}"
+      "#{@header.to_json}" + ".".bold + "#{@payload.to_json}" + ".".bold + "#{Base64.urlsafe_encode64(@signature, padding: false)}"
     end
 
     # generate_jws
@@ -59,6 +59,8 @@ module JWTear
       puts "Unexpected algorithm '#{jwt.header[:alg]}'."
       puts e.message
       exit!
+    rescue Exception => e
+      print_error e.message
     end
     
     private
@@ -73,6 +75,24 @@ module JWTear
         jwt.to_s
       else
         raise JSON::JWS::UnexpectedAlgorithm.new("Encryption algorithm '#{jwt.alg}' requires key.") if key.nil?
+        alg = jwt.alg.upcase
+        case
+        when alg.start_with?("HS")
+          key
+        when alg.start_with?("RS")
+          key = OpenSSL::PKey::RSA.new(key)
+        when alg.start_with?("PS")
+          key = OpenSSL::PKey::RSA.new(key)
+        when alg.start_with?("ES")
+          # key = OpenSSL::PKey::RSA.new(key)
+          print_error("Signing for ECDSA-SHA is not yet implemented")
+          print_warning 'Please report the issue to: https://github.com/KINGSABRI/jwtear/issues'.underline
+        else
+          print_warning("Undefined algorithm. This might generate a wrong token")
+          print_warning 'Please report the issue to: https://github.com/KINGSABRI/jwtear/issues'.underline
+          key
+        end
+        jwt.alg = alg.to_sym
         jwt.sign(key).to_s
       end
     end

data/lib/jwtear/token.rb

@@ -23,10 +23,9 @@ module JWTear
         @jwe.parse(token)
       end
     rescue Exception => e
-      print_error "Unknown Exception: #{method(__method__).owner}"
+      print_error "#{method(__method__).owner}##{__method__} : Unknown Exception"
       print_warning 'Please report the issue to: https://github.com/KINGSABRI/jwtear/issues'.underline
-      puts e
-      puts e.backtrace
+      puts e.full_message
       exit!
     end
 

data/lib/jwtear/version.rb

@@ -1,3 +1,3 @@
 module JWTear
-  VERSION = "1.0.5"
+  VERSION = "1.1.8"
 end

data/plugins/generate.rb

@@ -20,7 +20,7 @@ module JWTear
       jws_cmd.desc "Key as a password string or a file public key. eg. P@ssw0rd  | eg. public_key.pem"
       jws_cmd.arg_name 'PASSWORD|PUB_KEY_FILE'
       jws_cmd.flag [:k, :key]
-      jws_cmd.action do |global, options, args|
+      jws_cmd.action do |_, options, _|
         gen = Generate.new
         puts gen.jws_token(options[:header], options[:payload], read_key(options[:key]))
       end

data/plugins/parse.rb

@@ -1,3 +1,5 @@
+require 'time'
+
 module JWTear
   module CLI
     extend GLI::App
@@ -83,10 +85,28 @@ module JWTear
       def print_jws_payload(payload)
         print_h2 "Payload"
         payload.each do |k, v|
-          print_h3 "#{k}" , "#{v}"
+          if k == "iat" || k == "nbf"            
+            print_h3 "#{k}" , "#{v}", "\tTIMESTAMP = #{Time.at(v.to_i)}".green
+          elsif k == "exp" 
+            compare_time_with_now(k,v)
+          else
+            print_h3 "#{k}" , "#{v}"
+          end          
         end
       end
 
+      def compare_time_with_now(k, timestamp)
+        if timestamp.nil?
+          return
+        end
+        readable_time = Time.at(timestamp.to_i)
+        if readable_time < Time.now
+          print_h3 "#{k}", "#{timestamp}", "\tTIMESTAMP = #{readable_time}\t(EXPIRED)".red
+        else
+          print_h3 "#{k}", "#{timestamp}", "\tTIMESTAMP = #{readable_time}".green
+        end
+      end
+      
       def print_jws_sig(signature)
         print_h2 "Signature - B64 encoded"
         puts Base64.urlsafe_encode64(@token.signature, padding: false)

data/plugins/wiki/README.md

@@ -198,6 +198,7 @@ _source(JWT, JWS and JWE for Not So Dummies! (Part I))_
 * [Pentesterlab(PRO)  - JWT X](https://pentesterlab.com/exercises/jwt_x/)
 * [Pentesterlab(PRO)  - JWT XI](https://pentesterlab.com/exercises/jwt_xi)
 * [Pentesterlab(PRO)  - JWT XII](https://pentesterlab.com/exercises/jwt_xii)
+* [Pentesterlab(PRO)  - JWT XIII](https://pentesterlab.com/exercises/jwt_iii)
 * [Pentesterlab(PRO)  - JSON Web Encryption](https://pentesterlab.com/exercises/jwe)
 * [Vulnerable JWT implementations](https://github.com/Sjord/jwtdemo)
 
@@ -212,3 +213,4 @@ _source(JWT, JWS and JWE for Not So Dummies! (Part I))_
 * [Damn Vulnerable Service](https://github.com/snoopysecurity/dvws)
 * [CSRF JWT redirect leak](https://gist.github.com/stefanocoding/8cdc8acf5253725992432dedb1c9c781)
 * [Critical vulnerabilities in JSON Web Token libraries](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/)
+* [JWT Attack Playbook](https://github.com/ticarpi/jwt_tool/wiki)

data/plugins/wiki.rb

@@ -34,7 +34,7 @@ module JWTear
         require 'open-uri'
         print_status 'Updating wiki'
         current_wiki = File.expand_path(File.join(__dir__ ,  'wiki', 'README.md'))
-        updated_wiki = open('https://raw.githubusercontent.com/KINGSABRI/jwtear/master/plugins/wiki/README.md').read
+        updated_wiki = URI.open('https://raw.githubusercontent.com/KINGSABRI/jwtear/master/plugins/wiki/README.md').read
         if File.exists?(current_wiki) && File.writable?(current_wiki)
           File.write(current_wiki, updated_wiki)
         else

metadata

@@ -1,55 +1,49 @@
 --- !ruby/object:Gem::Specification
 name: jwtear
 version: !ruby/object:Gem::Version
-  version: 1.0.5
+  version: 1.1.8
 platform: ruby
 authors:
 - KING SABRI
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-01-10 00:00:00.000000000 Z
+date: 2021-08-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gli
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.19'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.19.0
+        version: 2.20.0
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.20'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.19'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.19.0
+        version: 2.20.0
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.20'
 - !ruby/object:Gem::Dependency
   name: json-jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.11'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.11.0
+        version: 1.13.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.11'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.11.0
+        version: 1.13.0
 - !ruby/object:Gem::Dependency
   name: jwe
   requirement: !ruby/object:Gem::Requirement
@@ -70,28 +64,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: 0.7.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: 0.7.0
 - !ruby/object:Gem::Dependency
   name: tty-pager
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.12.1
+        version: 0.14.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.12.1
+        version: 0.14.0
 - !ruby/object:Gem::Dependency
   name: colorize
   requirement: !ruby/object:Gem::Requirement
@@ -115,6 +109,7 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/gem-push.yml"
 - ".gitignore"
 - CODE_OF_CONDUCT.md
 - Gemfile
@@ -156,8 +151,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6.2
+rubygems_version: 3.0.3.1
 signing_key: 
 specification_version: 4
 summary: JWTear, a modular command-line tool to parse, create and manipulate JWT tokens