jwtear 1.0.5 → 1.0.6
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/workflows/gem-push.yml +42 -0
- data/Gemfile.lock +22 -22
- data/bin/jwtear +2 -0
- data/lib/jwtear/helpers/utils.rb +4 -2
- data/lib/jwtear/jwe.rb +5 -5
- data/lib/jwtear/jws.rb +21 -1
- data/lib/jwtear/token.rb +2 -3
- data/lib/jwtear/version.rb +1 -1
- data/plugins/generate.rb +1 -1
- data/plugins/wiki/README.md +2 -0
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 214465c3eb8ab23270f4caa51276a8af5814821515d77a29e7b17b57106a27d1
|
|
4
|
+
data.tar.gz: b9ecca972fcaa68d4729b1952b66f30aa9c6745070eb4a7261007162ed843277
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c4af5ebfe24cef925c15c87672b1572d37858a079d0b1d4044966999637597ff699c7a1be1a50a228329619c64c9ba003c76c9dcfc8b6262647493485c23164a
|
|
7
|
+
data.tar.gz: 97544a55bc3b65a2342f083dab6a877ae4db6285d4a6187a8116ac10ce5d9f24b72ed488912a0c945c5eae04c0a3384d5f0e5f939ba482d95d00eac6dd76e5aa
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
name: Ruby Gem
|
|
2
|
+
|
|
3
|
+
on:
|
|
4
|
+
push:
|
|
5
|
+
branches: [ master ]
|
|
6
|
+
pull_request:
|
|
7
|
+
branches: [ master ]
|
|
8
|
+
|
|
9
|
+
jobs:
|
|
10
|
+
build:
|
|
11
|
+
name: Build + Publish
|
|
12
|
+
runs-on: ubuntu-latest
|
|
13
|
+
|
|
14
|
+
steps:
|
|
15
|
+
- uses: actions/checkout@v2
|
|
16
|
+
- name: Set up Ruby 2.6
|
|
17
|
+
uses: actions/setup-ruby@v1
|
|
18
|
+
with:
|
|
19
|
+
ruby-version: 2.6.x
|
|
20
|
+
|
|
21
|
+
- name: Publish to GPR
|
|
22
|
+
run: |
|
|
23
|
+
mkdir -p $HOME/.gem
|
|
24
|
+
touch $HOME/.gem/credentials
|
|
25
|
+
chmod 0600 $HOME/.gem/credentials
|
|
26
|
+
printf -- "---\n:github: ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
|
|
27
|
+
gem build *.gemspec
|
|
28
|
+
gem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem
|
|
29
|
+
env:
|
|
30
|
+
GEM_HOST_API_KEY: "Bearer ${{secrets.GITHUB_TOKEN}}"
|
|
31
|
+
OWNER: ${{ github.repository_owner }}
|
|
32
|
+
|
|
33
|
+
- name: Publish to RubyGems
|
|
34
|
+
run: |
|
|
35
|
+
mkdir -p $HOME/.gem
|
|
36
|
+
touch $HOME/.gem/credentials
|
|
37
|
+
chmod 0600 $HOME/.gem/credentials
|
|
38
|
+
printf -- "---\n:rubygems_api_key: ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
|
|
39
|
+
gem build *.gemspec
|
|
40
|
+
gem push *.gem
|
|
41
|
+
env:
|
|
42
|
+
GEM_HOST_API_KEY: "${{secrets.RUBYGEMS_AUTH_TOKEN}}"
|
data/Gemfile.lock
CHANGED
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
jwtear (1.0.
|
|
4
|
+
jwtear (1.0.6)
|
|
5
5
|
colorize (~> 0.8.1)
|
|
6
6
|
gli (~> 2.19, >= 2.19.0)
|
|
7
|
-
json-jwt (~> 1.
|
|
7
|
+
json-jwt (~> 1.11, >= 1.11.0)
|
|
8
8
|
jwe (~> 0.4.0)
|
|
9
9
|
tty-markdown (~> 0.6.0)
|
|
10
10
|
tty-pager (~> 0.12.1)
|
|
@@ -12,38 +12,38 @@ PATH
|
|
|
12
12
|
GEM
|
|
13
13
|
remote: https://rubygems.org/
|
|
14
14
|
specs:
|
|
15
|
-
activesupport (6.0.
|
|
15
|
+
activesupport (6.0.3.4)
|
|
16
16
|
concurrent-ruby (~> 1.0, >= 1.0.2)
|
|
17
17
|
i18n (>= 0.7, < 2)
|
|
18
18
|
minitest (~> 5.1)
|
|
19
19
|
tzinfo (~> 1.1)
|
|
20
|
-
zeitwerk (~> 2.
|
|
21
|
-
aes_key_wrap (1.0
|
|
22
|
-
bindata (2.4.
|
|
20
|
+
zeitwerk (~> 2.2, >= 2.2.2)
|
|
21
|
+
aes_key_wrap (1.1.0)
|
|
22
|
+
bindata (2.4.8)
|
|
23
23
|
colorize (0.8.1)
|
|
24
|
-
concurrent-ruby (1.1.
|
|
24
|
+
concurrent-ruby (1.1.7)
|
|
25
25
|
equatable (0.6.1)
|
|
26
|
-
gli (2.19.
|
|
27
|
-
i18n (1.
|
|
26
|
+
gli (2.19.2)
|
|
27
|
+
i18n (1.8.5)
|
|
28
28
|
concurrent-ruby (~> 1.0)
|
|
29
|
-
json-jwt (1.
|
|
29
|
+
json-jwt (1.13.0)
|
|
30
30
|
activesupport (>= 4.2)
|
|
31
31
|
aes_key_wrap
|
|
32
32
|
bindata
|
|
33
33
|
jwe (0.4.0)
|
|
34
34
|
kramdown (1.16.2)
|
|
35
|
-
minitest (5.
|
|
36
|
-
pastel (0.7.
|
|
35
|
+
minitest (5.14.2)
|
|
36
|
+
pastel (0.7.4)
|
|
37
37
|
equatable (~> 0.6)
|
|
38
38
|
tty-color (~> 0.5)
|
|
39
|
-
rouge (3.
|
|
40
|
-
strings (0.1.
|
|
39
|
+
rouge (3.25.0)
|
|
40
|
+
strings (0.1.8)
|
|
41
41
|
strings-ansi (~> 0.1)
|
|
42
42
|
unicode-display_width (~> 1.5)
|
|
43
43
|
unicode_utils (~> 1.4)
|
|
44
|
-
strings-ansi (0.
|
|
44
|
+
strings-ansi (0.2.0)
|
|
45
45
|
thread_safe (0.3.6)
|
|
46
|
-
tty-color (0.
|
|
46
|
+
tty-color (0.6.0)
|
|
47
47
|
tty-markdown (0.6.0)
|
|
48
48
|
kramdown (~> 1.16.2)
|
|
49
49
|
pastel (~> 0.7.2)
|
|
@@ -55,13 +55,13 @@ GEM
|
|
|
55
55
|
strings (~> 0.1.4)
|
|
56
56
|
tty-screen (~> 0.6)
|
|
57
57
|
tty-which (~> 0.4)
|
|
58
|
-
tty-screen (0.
|
|
59
|
-
tty-which (0.4.
|
|
60
|
-
tzinfo (1.2.
|
|
58
|
+
tty-screen (0.8.1)
|
|
59
|
+
tty-which (0.4.2)
|
|
60
|
+
tzinfo (1.2.8)
|
|
61
61
|
thread_safe (~> 0.1)
|
|
62
|
-
unicode-display_width (1.
|
|
62
|
+
unicode-display_width (1.7.0)
|
|
63
63
|
unicode_utils (1.4.0)
|
|
64
|
-
zeitwerk (2.1
|
|
64
|
+
zeitwerk (2.4.1)
|
|
65
65
|
|
|
66
66
|
PLATFORMS
|
|
67
67
|
ruby
|
|
@@ -70,4 +70,4 @@ DEPENDENCIES
|
|
|
70
70
|
jwtear!
|
|
71
71
|
|
|
72
72
|
BUNDLED WITH
|
|
73
|
-
2.
|
|
73
|
+
2.1.4
|
data/bin/jwtear
CHANGED
|
@@ -58,6 +58,8 @@ module JWTear
|
|
|
58
58
|
print_error "Option #{exception.message}"
|
|
59
59
|
when GLI::UnknownCommandArgument
|
|
60
60
|
print_error "#{exception.message}"
|
|
61
|
+
when GLI::UnknownCommand
|
|
62
|
+
print_error "#{exception.message}"
|
|
61
63
|
else
|
|
62
64
|
print_error "Unknown Exception:"
|
|
63
65
|
print_warning 'Please report the issue to: https://github.com/KINGSABRI/jwtear/issues'.underline
|
data/lib/jwtear/helpers/utils.rb
CHANGED
|
@@ -19,8 +19,10 @@ module JWTear
|
|
|
19
19
|
|
|
20
20
|
# read key as a string or from file(eg. pub_key.pem)
|
|
21
21
|
def read_key(key)
|
|
22
|
-
if key
|
|
23
|
-
File.
|
|
22
|
+
if File.file?(File.absolute_path(key))
|
|
23
|
+
File.read(File.absolute_path(key))
|
|
24
|
+
else
|
|
25
|
+
key
|
|
24
26
|
end
|
|
25
27
|
end
|
|
26
28
|
|
data/lib/jwtear/jwe.rb
CHANGED
|
@@ -58,10 +58,10 @@ module JWTear
|
|
|
58
58
|
cipher_text = Base64.urlsafe_encode64(@cipher_text, padding: false)
|
|
59
59
|
authentication_tag = Base64.urlsafe_encode64(@authentication_tag, padding: false)
|
|
60
60
|
|
|
61
|
-
"#{header.to_json}" + "
|
|
62
|
-
"#{encrypted_key}" + "
|
|
63
|
-
"#{iv}" + "
|
|
64
|
-
"#{cipher_text}" + "
|
|
61
|
+
"#{header.to_json}" + ".".bold +
|
|
62
|
+
"#{encrypted_key}" + ".".bold +
|
|
63
|
+
"#{iv}" + ".".bold +
|
|
64
|
+
"#{cipher_text}" + ".".bold +
|
|
65
65
|
"#{authentication_tag}"
|
|
66
66
|
end
|
|
67
67
|
|
|
@@ -78,7 +78,7 @@ module JWTear
|
|
|
78
78
|
key = OpenSSL::PKey::RSA.new(key)
|
|
79
79
|
jwt = JSON::JWT.new(JSON.parse(payload, symbolize_names: true))
|
|
80
80
|
jwt.header = JSON.parse(header, symbolize_names: true)
|
|
81
|
-
::JWE.encrypt(payload, key, enc: jwt.header[:enc]) # I had to use this gem as
|
|
81
|
+
::JWE.encrypt(payload, key, enc: jwt.header[:enc]) # I had to use this gem as jwe does not support A192GCM AFAIK
|
|
82
82
|
rescue TypeError => e
|
|
83
83
|
print_bad "Invalid data type."
|
|
84
84
|
print_warning "Make sure your public/private key file exists."
|
data/lib/jwtear/jws.rb
CHANGED
|
@@ -39,7 +39,7 @@ module JWTear
|
|
|
39
39
|
end
|
|
40
40
|
|
|
41
41
|
def to_json_presentation
|
|
42
|
-
"#{@header.to_json}" + "
|
|
42
|
+
"#{@header.to_json}" + ".".bold + "#{@payload.to_json}" + ".".bold + "#{Base64.urlsafe_encode64(@signature, padding: false)}"
|
|
43
43
|
end
|
|
44
44
|
|
|
45
45
|
# generate_jws
|
|
@@ -59,6 +59,8 @@ module JWTear
|
|
|
59
59
|
puts "Unexpected algorithm '#{jwt.header[:alg]}'."
|
|
60
60
|
puts e.message
|
|
61
61
|
exit!
|
|
62
|
+
rescue Exception => e
|
|
63
|
+
print_error e.message
|
|
62
64
|
end
|
|
63
65
|
|
|
64
66
|
private
|
|
@@ -73,6 +75,24 @@ module JWTear
|
|
|
73
75
|
jwt.to_s
|
|
74
76
|
else
|
|
75
77
|
raise JSON::JWS::UnexpectedAlgorithm.new("Encryption algorithm '#{jwt.alg}' requires key.") if key.nil?
|
|
78
|
+
alg = jwt.alg.upcase
|
|
79
|
+
case
|
|
80
|
+
when alg.start_with?("HS")
|
|
81
|
+
key
|
|
82
|
+
when alg.start_with?("RS")
|
|
83
|
+
key = OpenSSL::PKey::RSA.new(key)
|
|
84
|
+
when alg.start_with?("PS")
|
|
85
|
+
key = OpenSSL::PKey::RSA.new(key)
|
|
86
|
+
when alg.start_with?("ES")
|
|
87
|
+
# key = OpenSSL::PKey::RSA.new(key)
|
|
88
|
+
print_error("Signing for ECDSA-SHA is not yet implemented")
|
|
89
|
+
print_warning 'Please report the issue to: https://github.com/KINGSABRI/jwtear/issues'.underline
|
|
90
|
+
else
|
|
91
|
+
print_warning("Undefined algorithm. This might generate a wrong token")
|
|
92
|
+
print_warning 'Please report the issue to: https://github.com/KINGSABRI/jwtear/issues'.underline
|
|
93
|
+
key
|
|
94
|
+
end
|
|
95
|
+
jwt.alg = alg.to_sym
|
|
76
96
|
jwt.sign(key).to_s
|
|
77
97
|
end
|
|
78
98
|
end
|
data/lib/jwtear/token.rb
CHANGED
|
@@ -23,10 +23,9 @@ module JWTear
|
|
|
23
23
|
@jwe.parse(token)
|
|
24
24
|
end
|
|
25
25
|
rescue Exception => e
|
|
26
|
-
print_error "
|
|
26
|
+
print_error "#{method(__method__).owner}##{__method__} : Unknown Exception"
|
|
27
27
|
print_warning 'Please report the issue to: https://github.com/KINGSABRI/jwtear/issues'.underline
|
|
28
|
-
puts e
|
|
29
|
-
puts e.backtrace
|
|
28
|
+
puts e.full_message
|
|
30
29
|
exit!
|
|
31
30
|
end
|
|
32
31
|
|
data/lib/jwtear/version.rb
CHANGED
data/plugins/generate.rb
CHANGED
|
@@ -20,7 +20,7 @@ module JWTear
|
|
|
20
20
|
jws_cmd.desc "Key as a password string or a file public key. eg. P@ssw0rd | eg. public_key.pem"
|
|
21
21
|
jws_cmd.arg_name 'PASSWORD|PUB_KEY_FILE'
|
|
22
22
|
jws_cmd.flag [:k, :key]
|
|
23
|
-
jws_cmd.action do |
|
|
23
|
+
jws_cmd.action do |_, options, _|
|
|
24
24
|
gen = Generate.new
|
|
25
25
|
puts gen.jws_token(options[:header], options[:payload], read_key(options[:key]))
|
|
26
26
|
end
|
data/plugins/wiki/README.md
CHANGED
|
@@ -198,6 +198,7 @@ _source(JWT, JWS and JWE for Not So Dummies! (Part I))_
|
|
|
198
198
|
* [Pentesterlab(PRO) - JWT X](https://pentesterlab.com/exercises/jwt_x/)
|
|
199
199
|
* [Pentesterlab(PRO) - JWT XI](https://pentesterlab.com/exercises/jwt_xi)
|
|
200
200
|
* [Pentesterlab(PRO) - JWT XII](https://pentesterlab.com/exercises/jwt_xii)
|
|
201
|
+
* [Pentesterlab(PRO) - JWT XIII](https://pentesterlab.com/exercises/jwt_iii)
|
|
201
202
|
* [Pentesterlab(PRO) - JSON Web Encryption](https://pentesterlab.com/exercises/jwe)
|
|
202
203
|
* [Vulnerable JWT implementations](https://github.com/Sjord/jwtdemo)
|
|
203
204
|
|
|
@@ -212,3 +213,4 @@ _source(JWT, JWS and JWE for Not So Dummies! (Part I))_
|
|
|
212
213
|
* [Damn Vulnerable Service](https://github.com/snoopysecurity/dvws)
|
|
213
214
|
* [CSRF JWT redirect leak](https://gist.github.com/stefanocoding/8cdc8acf5253725992432dedb1c9c781)
|
|
214
215
|
* [Critical vulnerabilities in JSON Web Token libraries](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/)
|
|
216
|
+
* [JWT Attack Playbook](https://github.com/ticarpi/jwt_tool/wiki)
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: jwtear
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.
|
|
4
|
+
version: 1.0.6
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- KING SABRI
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2021-02-19 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: gli
|
|
@@ -115,6 +115,7 @@ executables:
|
|
|
115
115
|
extensions: []
|
|
116
116
|
extra_rdoc_files: []
|
|
117
117
|
files:
|
|
118
|
+
- ".github/workflows/gem-push.yml"
|
|
118
119
|
- ".gitignore"
|
|
119
120
|
- CODE_OF_CONDUCT.md
|
|
120
121
|
- Gemfile
|
|
@@ -156,8 +157,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
156
157
|
- !ruby/object:Gem::Version
|
|
157
158
|
version: '0'
|
|
158
159
|
requirements: []
|
|
159
|
-
|
|
160
|
-
rubygems_version: 2.7.6.2
|
|
160
|
+
rubygems_version: 3.1.4
|
|
161
161
|
signing_key:
|
|
162
162
|
specification_version: 4
|
|
163
163
|
summary: JWTear, a modular command-line tool to parse, create and manipulate JWT tokens
|