jwtear 1.0.5 → 1.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (12) hide show
  1. checksums.yaml +4 -4
  2. data/.github/workflows/gem-push.yml +42 -0
  3. data/Gemfile.lock +22 -22
  4. data/bin/jwtear +2 -0
  5. data/lib/jwtear/helpers/utils.rb +4 -2
  6. data/lib/jwtear/jwe.rb +5 -5
  7. data/lib/jwtear/jws.rb +21 -1
  8. data/lib/jwtear/token.rb +2 -3
  9. data/lib/jwtear/version.rb +1 -1
  10. data/plugins/generate.rb +1 -1
  11. data/plugins/wiki/README.md +2 -0
  12. metadata +4 -4
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 4e325882534b86402268e985372b35209081c98c9c4bf7f23534c7fa098388f5
4
- data.tar.gz: cb11ceb477305198e61b56d6806df69760845cc6f12b05c1dac4f29b2a8dbb26
3
+ metadata.gz: 214465c3eb8ab23270f4caa51276a8af5814821515d77a29e7b17b57106a27d1
4
+ data.tar.gz: b9ecca972fcaa68d4729b1952b66f30aa9c6745070eb4a7261007162ed843277
5
5
  SHA512:
6
- metadata.gz: a582c094d9cc6e632ef1097a9f6ea12cc441ebffd09ecbeb9be751e9e3382059a1e3546cb028defad7606336ec508f1a2441e16433a1e977e64dcfd1c1abf89d
7
- data.tar.gz: edee73199d6fb13e1e0be565d6a1bac562c284258615de55f6c570379d2a42b17f41053f44725e4e38169b71f23a277eb25f66318553577008b1de091438f197
6
+ metadata.gz: c4af5ebfe24cef925c15c87672b1572d37858a079d0b1d4044966999637597ff699c7a1be1a50a228329619c64c9ba003c76c9dcfc8b6262647493485c23164a
7
+ data.tar.gz: 97544a55bc3b65a2342f083dab6a877ae4db6285d4a6187a8116ac10ce5d9f24b72ed488912a0c945c5eae04c0a3384d5f0e5f939ba482d95d00eac6dd76e5aa
data/.github/workflows/gem-push.yml ADDED
@@ -0,0 +1,42 @@
1
+ name: Ruby Gem
2
+
3
+ on:
4
+ push:
5
+ branches: [ master ]
6
+ pull_request:
7
+ branches: [ master ]
8
+
9
+ jobs:
10
+ build:
11
+ name: Build + Publish
12
+ runs-on: ubuntu-latest
13
+
14
+ steps:
15
+ - uses: actions/checkout@v2
16
+ - name: Set up Ruby 2.6
17
+ uses: actions/setup-ruby@v1
18
+ with:
19
+ ruby-version: 2.6.x
20
+
21
+ - name: Publish to GPR
22
+ run: |
23
+ mkdir -p $HOME/.gem
24
+ touch $HOME/.gem/credentials
25
+ chmod 0600 $HOME/.gem/credentials
26
+ printf -- "---\n:github: ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
27
+ gem build *.gemspec
28
+ gem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem
29
+ env:
30
+ GEM_HOST_API_KEY: "Bearer ${{secrets.GITHUB_TOKEN}}"
31
+ OWNER: ${{ github.repository_owner }}
32
+
33
+ - name: Publish to RubyGems
34
+ run: |
35
+ mkdir -p $HOME/.gem
36
+ touch $HOME/.gem/credentials
37
+ chmod 0600 $HOME/.gem/credentials
38
+ printf -- "---\n:rubygems_api_key: ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
39
+ gem build *.gemspec
40
+ gem push *.gem
41
+ env:
42
+ GEM_HOST_API_KEY: "${{secrets.RUBYGEMS_AUTH_TOKEN}}"
data/Gemfile.lock CHANGED
@@ -1,10 +1,10 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- jwtear (1.0.4)
4
+ jwtear (1.0.6)
5
5
  colorize (~> 0.8.1)
6
6
  gli (~> 2.19, >= 2.19.0)
7
- json-jwt (~> 1.10, >= 1.10.2)
7
+ json-jwt (~> 1.11, >= 1.11.0)
8
8
  jwe (~> 0.4.0)
9
9
  tty-markdown (~> 0.6.0)
10
10
  tty-pager (~> 0.12.1)
@@ -12,38 +12,38 @@ PATH
12
12
  GEM
13
13
  remote: https://rubygems.org/
14
14
  specs:
15
- activesupport (6.0.0)
15
+ activesupport (6.0.3.4)
16
16
  concurrent-ruby (~> 1.0, >= 1.0.2)
17
17
  i18n (>= 0.7, < 2)
18
18
  minitest (~> 5.1)
19
19
  tzinfo (~> 1.1)
20
- zeitwerk (~> 2.1, >= 2.1.8)
21
- aes_key_wrap (1.0.1)
22
- bindata (2.4.4)
20
+ zeitwerk (~> 2.2, >= 2.2.2)
21
+ aes_key_wrap (1.1.0)
22
+ bindata (2.4.8)
23
23
  colorize (0.8.1)
24
- concurrent-ruby (1.1.5)
24
+ concurrent-ruby (1.1.7)
25
25
  equatable (0.6.1)
26
- gli (2.19.0)
27
- i18n (1.7.0)
26
+ gli (2.19.2)
27
+ i18n (1.8.5)
28
28
  concurrent-ruby (~> 1.0)
29
- json-jwt (1.10.2)
29
+ json-jwt (1.13.0)
30
30
  activesupport (>= 4.2)
31
31
  aes_key_wrap
32
32
  bindata
33
33
  jwe (0.4.0)
34
34
  kramdown (1.16.2)
35
- minitest (5.12.2)
36
- pastel (0.7.3)
35
+ minitest (5.14.2)
36
+ pastel (0.7.4)
37
37
  equatable (~> 0.6)
38
38
  tty-color (~> 0.5)
39
- rouge (3.11.1)
40
- strings (0.1.6)
39
+ rouge (3.25.0)
40
+ strings (0.1.8)
41
41
  strings-ansi (~> 0.1)
42
42
  unicode-display_width (~> 1.5)
43
43
  unicode_utils (~> 1.4)
44
- strings-ansi (0.1.0)
44
+ strings-ansi (0.2.0)
45
45
  thread_safe (0.3.6)
46
- tty-color (0.5.0)
46
+ tty-color (0.6.0)
47
47
  tty-markdown (0.6.0)
48
48
  kramdown (~> 1.16.2)
49
49
  pastel (~> 0.7.2)
@@ -55,13 +55,13 @@ GEM
55
55
  strings (~> 0.1.4)
56
56
  tty-screen (~> 0.6)
57
57
  tty-which (~> 0.4)
58
- tty-screen (0.7.0)
59
- tty-which (0.4.1)
60
- tzinfo (1.2.5)
58
+ tty-screen (0.8.1)
59
+ tty-which (0.4.2)
60
+ tzinfo (1.2.8)
61
61
  thread_safe (~> 0.1)
62
- unicode-display_width (1.6.0)
62
+ unicode-display_width (1.7.0)
63
63
  unicode_utils (1.4.0)
64
- zeitwerk (2.1.10)
64
+ zeitwerk (2.4.1)
65
65
 
66
66
  PLATFORMS
67
67
  ruby
@@ -70,4 +70,4 @@ DEPENDENCIES
70
70
  jwtear!
71
71
 
72
72
  BUNDLED WITH
73
- 2.0.2
73
+ 2.1.4
data/bin/jwtear CHANGED
@@ -58,6 +58,8 @@ module JWTear
58
58
  print_error "Option #{exception.message}"
59
59
  when GLI::UnknownCommandArgument
60
60
  print_error "#{exception.message}"
61
+ when GLI::UnknownCommand
62
+ print_error "#{exception.message}"
61
63
  else
62
64
  print_error "Unknown Exception:"
63
65
  print_warning 'Please report the issue to: https://github.com/KINGSABRI/jwtear/issues'.underline
data/lib/jwtear/helpers/utils.rb CHANGED
@@ -19,8 +19,10 @@ module JWTear
19
19
 
20
20
  # read key as a string or from file(eg. pub_key.pem)
21
21
  def read_key(key)
22
- if key
23
- File.file?(key)? File.read(key) : key
22
+ if File.file?(File.absolute_path(key))
23
+ File.read(File.absolute_path(key))
24
+ else
25
+ key
24
26
  end
25
27
  end
26
28
 
data/lib/jwtear/jwe.rb CHANGED
@@ -58,10 +58,10 @@ module JWTear
58
58
  cipher_text = Base64.urlsafe_encode64(@cipher_text, padding: false)
59
59
  authentication_tag = Base64.urlsafe_encode64(@authentication_tag, padding: false)
60
60
 
61
- "#{header.to_json}" + "" +
62
- "#{encrypted_key}" + "" +
63
- "#{iv}" + "" +
64
- "#{cipher_text}" + "" +
61
+ "#{header.to_json}" + ".".bold +
62
+ "#{encrypted_key}" + ".".bold +
63
+ "#{iv}" + ".".bold +
64
+ "#{cipher_text}" + ".".bold +
65
65
  "#{authentication_tag}"
66
66
  end
67
67
 
@@ -78,7 +78,7 @@ module JWTear
78
78
  key = OpenSSL::PKey::RSA.new(key)
79
79
  jwt = JSON::JWT.new(JSON.parse(payload, symbolize_names: true))
80
80
  jwt.header = JSON.parse(header, symbolize_names: true)
81
- ::JWE.encrypt(payload, key, enc: jwt.header[:enc]) # I had to use this gem as json-jwt does not support A192GCM AFAIK
81
+ ::JWE.encrypt(payload, key, enc: jwt.header[:enc]) # I had to use this gem as jwe does not support A192GCM AFAIK
82
82
  rescue TypeError => e
83
83
  print_bad "Invalid data type."
84
84
  print_warning "Make sure your public/private key file exists."
data/lib/jwtear/jws.rb CHANGED
@@ -39,7 +39,7 @@ module JWTear
39
39
  end
40
40
 
41
41
  def to_json_presentation
42
- "#{@header.to_json}" + "" + "#{@payload.to_json}" + "" + "#{Base64.urlsafe_encode64(@signature, padding: false)}"
42
+ "#{@header.to_json}" + ".".bold + "#{@payload.to_json}" + ".".bold + "#{Base64.urlsafe_encode64(@signature, padding: false)}"
43
43
  end
44
44
 
45
45
  # generate_jws
@@ -59,6 +59,8 @@ module JWTear
59
59
  puts "Unexpected algorithm '#{jwt.header[:alg]}'."
60
60
  puts e.message
61
61
  exit!
62
+ rescue Exception => e
63
+ print_error e.message
62
64
  end
63
65
 
64
66
  private
@@ -73,6 +75,24 @@ module JWTear
73
75
  jwt.to_s
74
76
  else
75
77
  raise JSON::JWS::UnexpectedAlgorithm.new("Encryption algorithm '#{jwt.alg}' requires key.") if key.nil?
78
+ alg = jwt.alg.upcase
79
+ case
80
+ when alg.start_with?("HS")
81
+ key
82
+ when alg.start_with?("RS")
83
+ key = OpenSSL::PKey::RSA.new(key)
84
+ when alg.start_with?("PS")
85
+ key = OpenSSL::PKey::RSA.new(key)
86
+ when alg.start_with?("ES")
87
+ # key = OpenSSL::PKey::RSA.new(key)
88
+ print_error("Signing for ECDSA-SHA is not yet implemented")
89
+ print_warning 'Please report the issue to: https://github.com/KINGSABRI/jwtear/issues'.underline
90
+ else
91
+ print_warning("Undefined algorithm. This might generate a wrong token")
92
+ print_warning 'Please report the issue to: https://github.com/KINGSABRI/jwtear/issues'.underline
93
+ key
94
+ end
95
+ jwt.alg = alg.to_sym
76
96
  jwt.sign(key).to_s
77
97
  end
78
98
  end
data/lib/jwtear/token.rb CHANGED
@@ -23,10 +23,9 @@ module JWTear
23
23
  @jwe.parse(token)
24
24
  end
25
25
  rescue Exception => e
26
- print_error "Unknown Exception: #{method(__method__).owner}"
26
+ print_error "#{method(__method__).owner}##{__method__} : Unknown Exception"
27
27
  print_warning 'Please report the issue to: https://github.com/KINGSABRI/jwtear/issues'.underline
28
- puts e
29
- puts e.backtrace
28
+ puts e.full_message
30
29
  exit!
31
30
  end
32
31
 
data/lib/jwtear/version.rb CHANGED
@@ -1,3 +1,3 @@
1
1
  module JWTear
2
- VERSION = "1.0.5"
2
+ VERSION = "1.0.6"
3
3
  end
data/plugins/generate.rb CHANGED
@@ -20,7 +20,7 @@ module JWTear
20
20
  jws_cmd.desc "Key as a password string or a file public key. eg. P@ssw0rd | eg. public_key.pem"
21
21
  jws_cmd.arg_name 'PASSWORD|PUB_KEY_FILE'
22
22
  jws_cmd.flag [:k, :key]
23
- jws_cmd.action do |global, options, args|
23
+ jws_cmd.action do |_, options, _|
24
24
  gen = Generate.new
25
25
  puts gen.jws_token(options[:header], options[:payload], read_key(options[:key]))
26
26
  end
data/plugins/wiki/README.md CHANGED
@@ -198,6 +198,7 @@ _source(JWT, JWS and JWE for Not So Dummies! (Part I))_
198
198
  * [Pentesterlab(PRO) - JWT X](https://pentesterlab.com/exercises/jwt_x/)
199
199
  * [Pentesterlab(PRO) - JWT XI](https://pentesterlab.com/exercises/jwt_xi)
200
200
  * [Pentesterlab(PRO) - JWT XII](https://pentesterlab.com/exercises/jwt_xii)
201
+ * [Pentesterlab(PRO) - JWT XIII](https://pentesterlab.com/exercises/jwt_iii)
201
202
  * [Pentesterlab(PRO) - JSON Web Encryption](https://pentesterlab.com/exercises/jwe)
202
203
  * [Vulnerable JWT implementations](https://github.com/Sjord/jwtdemo)
203
204
 
@@ -212,3 +213,4 @@ _source(JWT, JWS and JWE for Not So Dummies! (Part I))_
212
213
  * [Damn Vulnerable Service](https://github.com/snoopysecurity/dvws)
213
214
  * [CSRF JWT redirect leak](https://gist.github.com/stefanocoding/8cdc8acf5253725992432dedb1c9c781)
214
215
  * [Critical vulnerabilities in JSON Web Token libraries](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/)
216
+ * [JWT Attack Playbook](https://github.com/ticarpi/jwt_tool/wiki)
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: jwtear
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.5
4
+ version: 1.0.6
5
5
  platform: ruby
6
6
  authors:
7
7
  - KING SABRI
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-01-10 00:00:00.000000000 Z
11
+ date: 2021-02-19 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: gli
@@ -115,6 +115,7 @@ executables:
115
115
  extensions: []
116
116
  extra_rdoc_files: []
117
117
  files:
118
+ - ".github/workflows/gem-push.yml"
118
119
  - ".gitignore"
119
120
  - CODE_OF_CONDUCT.md
120
121
  - Gemfile
@@ -156,8 +157,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
156
157
  - !ruby/object:Gem::Version
157
158
  version: '0'
158
159
  requirements: []
159
- rubyforge_project:
160
- rubygems_version: 2.7.6.2
160
+ rubygems_version: 3.1.4
161
161
  signing_key:
162
162
  specification_version: 4
163
163
  summary: JWTear, a modular command-line tool to parse, create and manipulate JWT tokens