RubyGems - pq_crypto-jwt - Versions diffs - 0.1.2 → 0.2.0 - Mend

pq_crypto-jwt 0.1.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +47 -0
data/README.md +73 -19
data/lib/pq_crypto/jwt/errors.rb +1 -0
data/lib/pq_crypto/jwt/jwa/ml_dsa_44.rb +2 -0
data/lib/pq_crypto/jwt/jwa/ml_dsa_87.rb +2 -0
data/lib/pq_crypto/jwt/jwa/ml_dsa_streaming.rb +77 -59
data/lib/pq_crypto/jwt/jwa.rb +24 -55
data/lib/pq_crypto/jwt/jwk/akp.rb +39 -43
data/lib/pq_crypto/jwt/jwk.rb +118 -62
data/lib/pq_crypto/jwt/jwks.rb +24 -23
data/lib/pq_crypto/jwt/keys.rb +42 -56
data/lib/pq_crypto/jwt/version.rb +1 -1
data/lib/pq_crypto/jwt.rb +10 -36
metadata +12 -10
data/lib/pq_crypto/jwt/algorithms/ml_dsa_44.rb +0 -3
data/lib/pq_crypto/jwt/algorithms/ml_dsa_65.rb +0 -3
data/lib/pq_crypto/jwt/algorithms/ml_dsa_87.rb +0 -3
data/lib/pq_crypto/jwt/algorithms.rb +0 -3

data/lib/pq_crypto/jwt/jwk/akp.rb CHANGED Viewed

@@ -6,61 +6,50 @@ module JWT
   module JWK
     class AKP < KeyBase
       KTY = "AKP".freeze
-      KTYS = [
-        KTY,
-        PQCrypto::Signature::PublicKey,
-        JWT::JWK::AKP,
-      ].freeze
+      KTYS = [KTY, PQCrypto::Signature::PublicKey, JWT::JWK::AKP].freeze
       AKP_KEY_ELEMENTS = %i[kty alg pub priv].freeze
+      PRIVATE_EXPORT_OPTIONS = %i[private include_private].freeze
       class NullKidGenerator
         def initialize(_jwk); end
         def generate = nil
       end
       def initialize(key, params = nil, options = {})
-        params ||= {}
-        options ||= {}
-        options = { kid_generator: NullKidGenerator }.merge(options)
-        params = { kid: params } if params.is_a?(String)
-        key_params = extract_key_params(key)
+        params = params.is_a?(String) ? { kid: params } : (params || {})
         params = params.transform_keys(&:to_sym)
-        check_jwk_params!(key_params, params)
-        super(options, key_params.merge(params))
+        key_params = extract_key_params(key)
+        @checked_public_key, @checked_secret_key = check_jwk_params!(key_params, params)
+        super({ kid_generator: NullKidGenerator }.merge(options || {}), key_params.merge(params))
       end
-      def private?
-        false
-      end
+      def private? = parameters.key?(:priv) && !parameters[:priv].nil?
+      def verify_key = public_key
       def public_key
-        @public_key ||= PQCrypto::JWT::JWK.public_key_from_jwk(string_export)
+        @public_key ||= @checked_public_key || PQCrypto::JWT::JWK.public_key_from_jwk(string_export)
       end
-      def signing_key
-        public_key
-      end
+      def signing_key = private? ? secret_key : public_key
-      def verify_key
-        public_key
-      end
+      def secret_key
+        raise JWT::JWKError, "AKP JWK does not contain private material" unless private?
-      def export(_options = {})
-        parameters.clone.tap { |exported| exported.delete(:priv) }
+        @secret_key ||= @checked_secret_key || PQCrypto::JWT::JWK.secret_key_from_jwk(string_export(include_private: true))
       end
-      def members
-        %i[alg kty pub].each_with_object({}) { |key, out| out[key] = self[key] }
+      def export(options = {})
+        include_private = PRIVATE_EXPORT_OPTIONS.any? { |key| (options || {})[key] }
+        parameters.clone.tap { |exported| exported.delete(:priv) unless include_private }
       end
-      def key_digest
-        PQCrypto::JWT::JWK.thumbprint(string_export)
+      def members
+        keys = private? ? %i[alg kty pub priv] : %i[alg kty pub]
+        keys.each_with_object({}) { |key, out| out[key] = self[key] }
       end
-      def jwa
-        PQCrypto::JWT.algorithm_for(self[:alg]) || super
-      end
+      def key_digest = PQCrypto::JWT::JWK.thumbprint(string_export)
+      def jwa = PQCrypto::JWT.algorithm_for(self[:alg]) || super
       def []=(key, value)
         raise ArgumentError, "cannot overwrite cryptographic key attributes" if AKP_KEY_ELEMENTS.include?(key.to_sym)
@@ -70,23 +59,25 @@ module JWT
       private
-      def string_export
-        export.transform_keys(&:to_s)
+      def string_export(include_private: false)
+        export(include_private: include_private).transform_keys(&:to_s)
       end
       def extract_key_params(key)
         case key
-        when JWT::JWK::AKP
-          key.export
-        when Hash
-          key.transform_keys(&:to_sym)
+        when JWT::JWK::AKP then key.export(include_private: key.private?)
+        when Hash then key.transform_keys(&:to_sym)
         when PQCrypto::Signature::PublicKey
           PQCrypto::JWT::JWK.from_public_key(key).transform_keys(&:to_sym)
         when PQCrypto::Signature::Keypair, PQCrypto::Signature::SecretKey
-          raise JWT::JWKError, "AKP private JWK export is not supported in the first release"
+          raise JWT::JWKError,
+                "AKP private JWK export from SecretKey requires public seed-export APIs in pq_crypto; " \
+                "use PQCrypto::JWT::JWK.from_seed(seed, alg:, public_key:) instead"
         else
-          raise ArgumentError, "key must be a public AKP JWK Hash or PQCrypto::Signature::PublicKey"
+          raise ArgumentError, "key must be an AKP JWK Hash or PQCrypto::Signature::PublicKey"
         end
+      rescue PQCrypto::JWT::Error => e
+        raise JWT::JWKError, e.message
       end
       def check_jwk_params!(key_params, params)
@@ -94,11 +85,16 @@ module JWT
         raise JWT::JWKError, "Incorrect 'kty' value: #{key_params[:kty]}, expected #{KTY}" unless key_params[:kty] == KTY
         raise JWT::JWKError, "AKP JWK alg is required" unless key_params[:alg]
         raise JWT::JWKError, "AKP JWK pub is required" unless key_params[:pub]
-        raise JWT::JWKError, "AKP private JWK import is not supported in the first release" if key_params[:priv]
         raise JWT::JWKError, "Unsupported AKP JWK alg: #{key_params[:alg].inspect}" unless PQCrypto::JWT.algorithm_for(key_params[:alg])
+        parsed = key_params.transform_keys(&:to_s)
+        [
+          PQCrypto::JWT::JWK.public_key_from_jwk(parsed),
+          key_params[:priv] ? PQCrypto::JWT::JWK.secret_key_from_jwk(parsed) : nil
+        ]
+      rescue PQCrypto::JWT::Error => e
+        raise JWT::JWKError, e.message
       end
     end
   end
 end
-JWT::JWK.classes.delete(JWT::JWK::AKP)

data/lib/pq_crypto/jwt/jwk.rb CHANGED Viewed

@@ -10,39 +10,72 @@ module PQCrypto
       module_function
       KTY = "AKP".freeze
+      SEED_BYTES = defined?(PQCrypto::PKCS8::ML_DSA_SEED_BYTES) ? PQCrypto::PKCS8::ML_DSA_SEED_BYTES : 32
-      def from_public_key(public_key, kid: nil)
-        validate_public_key!(public_key)
-        base_public_jwk(public_key.algorithm, public_key.to_bytes, kid: kid).freeze
+      def from_public_key(public_key, kid: nil, use: nil, key_ops: nil)
+        validate_key!(public_key, PQCrypto::Signature::PublicKey)
+        public_jwk(public_key.algorithm, public_key.to_bytes, kid: kid, use: use, key_ops: key_ops).freeze
       end
-      def from_secret_key(*, **)
-        raise PQCrypto::JWT::UnsupportedAlgorithm,
-              "Private AKP JWK export is not supported in the first release; use PEM/PKCS#8 for signing keys"
+      def from_seed(seed, alg:, kid: nil, public_key: nil, use: nil, key_ops: nil, verify_public: false)
+        algorithm = pq_algorithm_from_jose!(alg)
+        seed_bytes = validate_seed!(seed, algorithm)
+        derived = derive_public_key(algorithm, seed_bytes) if public_key.nil? || verify_public
+        public_key ||= derived
+        unless public_key
+          raise PQCrypto::JWT::UnsupportedFeature,
+                "AKP JWK export from seed requires pq_crypto public_key_from_seed/keypair_from_seed or public_key:"
+        end
+        validate_key!(public_key, PQCrypto::Signature::PublicKey)
+        unless public_key.algorithm == algorithm
+          raise PQCrypto::JWT::KeyTypeError, "public_key algorithm mismatch: expected #{algorithm.inspect}, got #{public_key.algorithm.inspect}"
+        end
+        check_seed_matches_public!(public_key, derived) if verify_public
+        public_jwk(algorithm, public_key.to_bytes, kid: kid, use: use, key_ops: key_ops)
+          .merge!("priv" => base64url(seed_bytes))
+          .freeze
+      end
+      def from_secret_key(secret_key, kid: nil, public_key: nil, use: nil, key_ops: nil)
+        if secret_key.is_a?(PQCrypto::Signature::Keypair)
+          public_key ||= secret_key.public_key
+          secret_key = secret_key.secret_key
+        end
+        validate_key!(secret_key, PQCrypto::Signature::SecretKey)
+        from_seed(seed_from_secret_key!(secret_key),
+                  alg: jose_alg_for!(secret_key.algorithm),
+                  kid: kid, public_key: public_key, use: use, key_ops: key_ops)
       end
       def public_key_from_jwk(hash)
         jwk = normalize_hash!(hash)
-        reject_private_material!(jwk)
         algorithm = algorithm_from_jwk!(jwk)
-        public_bytes = decode_required_key_bytes!(jwk, "pub", algorithm, :public_key_bytes)
-        PQCrypto::Signature.public_key_from_bytes(algorithm, public_bytes)
-      rescue ArgumentError => e
+        PQCrypto::Signature.public_key_from_bytes(algorithm, decode_field!(jwk, "pub", algorithm))
+      rescue ArgumentError, PQCrypto::Error => e
         raise PQCrypto::JWT::Error, e.message
       end
-      def secret_key_from_jwk(*)
-        raise PQCrypto::JWT::UnsupportedAlgorithm,
-              "Private AKP JWK import is not supported in the first release; use PEM/PKCS#8 for signing keys"
+      def secret_key_from_jwk(hash, verify_public: false)
+        jwk = normalize_hash!(hash)
+        algorithm = algorithm_from_jwk!(jwk)
+        decode_field!(jwk, "pub", algorithm)
+        seed = validate_seed!(base64url_decode(jwk.fetch("priv") { raise PQCrypto::JWT::Error, "JWK priv is required" }), algorithm)
+        check_seed_matches_public!(public_key_from_jwk(jwk), derive_public_key(algorithm, seed)) if verify_public
+        PQCrypto::Signature.secret_key_from_seed(algorithm, seed)
+      rescue ArgumentError, PQCrypto::Error => e
+        raise PQCrypto::JWT::Error, e.message
       end
       def thumbprint(jwk_hash)
         jwk = normalize_hash!(jwk_hash)
-        reject_private_material!(jwk)
         algorithm_from_jwk!(jwk)
         raise PQCrypto::JWT::Error, "JWK pub is required" unless jwk.key?("pub")
-        canonical = JSON.generate({ "alg" => jwk.fetch("alg"), "kty" => KTY, "pub" => jwk.fetch("pub") })
+        canonical = JSON.generate("alg" => jwk.fetch("alg"), "kty" => KTY, "pub" => jwk.fetch("pub"))
         base64url(Digest::SHA256.digest(canonical.b))
       end
@@ -51,90 +84,113 @@ module PQCrypto
       end
       def base64url_decode(value)
-        Base64.urlsafe_decode64(String(value))
+        raw = String(value)
+        Base64.urlsafe_decode64(raw + ("=" * ((4 - raw.bytesize % 4) % 4)))
       rescue ArgumentError => e
         raise PQCrypto::JWT::Error, "Invalid base64url value: #{e.message}"
       end
       def normalize_hash!(hash)
-        unless hash.respond_to?(:to_hash)
-          raise PQCrypto::JWT::Error, "JWK must be a Hash-like object"
-        end
+        raise PQCrypto::JWT::Error, "JWK must be a Hash-like object" unless hash.respond_to?(:to_hash)
-        hash.to_hash.each_with_object({}) do |(key, value), normalized|
-          normalized[String(key)] = value
-        end
+        hash.to_hash.each_with_object({}) { |(key, value), out| out[String(key)] = value }
       end
-      def reject_private_material!(jwk)
-        return unless jwk.key?("priv")
+      def algorithm_from_jwk!(jwk)
+        raise PQCrypto::JWT::Error, "Unsupported JWK kty: #{jwk['kty'].inspect}" unless jwk["kty"] == KTY
-        raise PQCrypto::JWT::UnsupportedAlgorithm,
-              "Private AKP JWK material is not supported in the first release"
+        pq_algorithm_from_jose!(jwk["alg"])
       end
-      private_class_method :reject_private_material!
-      def algorithm_from_jwk!(jwk)
-        unless jwk.fetch("kty", nil) == KTY
-          raise PQCrypto::JWT::Error, "Unsupported JWK kty: #{jwk.fetch('kty', nil).inspect}"
-        end
-        alg = jwk.fetch("alg", nil)
+      def pq_algorithm_from_jose!(alg)
         algorithm = PQCrypto::JWT.algorithm_for(alg)
-        raise PQCrypto::JWT::UnsupportedAlgorithm, "Unsupported JWK alg: #{alg.inspect}" unless algorithm
-        raise PQCrypto::JWT::UnsupportedAlgorithm, "Unsupported JWK alg: #{alg.inspect}" unless algorithm.key_kind == :signature
+        raise PQCrypto::JWT::UnsupportedAlgorithm, "Unsupported JWK alg: #{alg.inspect}" unless algorithm&.key_kind == :signature
         algorithm.pq_crypto_algorithm
       end
+      private_class_method :pq_algorithm_from_jose!
-      def alg_for_algorithm!(algorithm)
-        match = PQCrypto::JWT.signing_algorithms.find { |candidate| candidate.pq_crypto_algorithm == algorithm }
-        raise PQCrypto::JWT::UnsupportedAlgorithm, "Unsupported pq_crypto signature algorithm: #{algorithm.inspect}" unless match
+      def jose_alg_for!(pq_algorithm)
+        match = PQCrypto::JWT.signing_algorithms.find { |candidate| candidate.pq_crypto_algorithm == pq_algorithm }
+        raise PQCrypto::JWT::UnsupportedAlgorithm, "Unsupported pq_crypto signature algorithm: #{pq_algorithm.inspect}" unless match
         match.alg
       end
+      private_class_method :jose_alg_for!
-      def base_public_jwk(algorithm, public_bytes, kid: nil)
-        jwk = {
-          "kty" => KTY,
-          "alg" => alg_for_algorithm!(algorithm),
-          "pub" => base64url(public_bytes),
-        }
+      def public_jwk(pq_algorithm, public_bytes, kid:, use:, key_ops:)
+        jwk = { "kty" => KTY, "alg" => jose_alg_for!(pq_algorithm), "pub" => base64url(public_bytes) }
         jwk["kid"] = String(kid) unless kid.nil?
+        jwk["use"] = String(use) unless use.nil?
+        jwk["key_ops"] = Array(key_ops).map(&:to_s) unless key_ops.nil?
         jwk
       end
-      private_class_method :base_public_jwk
+      private_class_method :public_jwk
-      def decode_required_key_bytes!(jwk, field, algorithm, detail_key)
+      def decode_field!(jwk, field, algorithm)
         raise PQCrypto::JWT::Error, "JWK #{field} is required" unless jwk.key?(field)
         decoded = base64url_decode(jwk.fetch(field))
-        details = PQCrypto::Signature.details(algorithm)
-        expected = details.fetch(detail_key) { details.fetch(detail_key.to_s) }
-        unless decoded.bytesize == expected
-          raise PQCrypto::JWT::Error,
-                "Invalid #{field} length for #{algorithm.inspect}: expected #{expected}, got #{decoded.bytesize}"
-        end
+        expected = PQCrypto::Signature.details(algorithm).fetch(:public_key_bytes)
+        raise PQCrypto::JWT::Error, "Invalid #{field} length for #{algorithm.inspect}: expected #{expected}, got #{decoded.bytesize}" unless decoded.bytesize == expected
         decoded.b
       end
-      private_class_method :decode_required_key_bytes!
+      private_class_method :decode_field!
+      def validate_seed!(seed, algorithm)
+        bytes = String(seed).b
+        return bytes if bytes.bytesize == SEED_BYTES
+        raise PQCrypto::JWT::Error, "Invalid priv seed length for #{algorithm.inspect}: expected #{SEED_BYTES}, got #{bytes.bytesize}"
+      end
+      private_class_method :validate_seed!
+      def validate_key!(key, klass)
+        raise PQCrypto::JWT::KeyTypeError, "Expected #{klass}" unless key.is_a?(klass)
+        return if PQCrypto::JWT.signing_algorithms.any? { |c| c.pq_crypto_algorithm == key.algorithm }
+        raise PQCrypto::JWT::KeyTypeError, "Unsupported signature algorithm: #{key.algorithm.inspect}"
+      end
+      private_class_method :validate_key!
+      def derive_public_key(algorithm, seed)
+        return PQCrypto::Signature.public_key_from_seed(algorithm, seed) if PQCrypto::Signature.respond_to?(:public_key_from_seed)
+        return PQCrypto::Signature.keypair_from_seed(algorithm, seed).public_key if PQCrypto::Signature.respond_to?(:keypair_from_seed)
+        nil
+      end
+      private_class_method :derive_public_key
-      def validate_public_key!(public_key)
-        unless public_key.is_a?(PQCrypto::Signature::PublicKey)
-          raise PQCrypto::JWT::KeyTypeError, "Expected PQCrypto::Signature::PublicKey"
+      def check_seed_matches_public!(public_key, derived)
+        unless derived
+          raise PQCrypto::JWT::UnsupportedFeature,
+                "AKP JWK pub/priv consistency verification requires pq_crypto public_key_from_seed/keypair_from_seed"
         end
+        return if public_key.to_bytes == derived.to_bytes
-        validate_algorithm!(public_key.algorithm)
+        raise PQCrypto::JWT::Error, "AKP JWK public_key does not match priv seed"
       end
-      private_class_method :validate_public_key!
+      private_class_method :check_seed_matches_public!
+      def seed_from_secret_key!(secret_key)
+        if secret_key.respond_to?(:seed?) && !secret_key.seed?
+          raise PQCrypto::JWT::UnsupportedFeature,
+                "SecretKey was not created from a seed; cannot export RFC 9964 AKP JWK"
+        end
+        unless secret_key.respond_to?(:to_seed)
+          raise PQCrypto::JWT::UnsupportedFeature,
+                "SecretKey seed export requires a public pq_crypto #to_seed API; use from_seed(..., public_key:) instead"
+        end
-      def validate_algorithm!(algorithm)
-        return if PQCrypto::JWT.signing_algorithms.any? { |candidate| candidate.pq_crypto_algorithm == algorithm }
+        seed = secret_key.to_seed
+        raise PQCrypto::JWT::UnsupportedFeature, "SecretKey #to_seed returned nil" if seed.nil?
-        raise PQCrypto::JWT::KeyTypeError, "Unsupported signature algorithm: #{algorithm.inspect}"
+        validate_seed!(seed, secret_key.algorithm)
+      rescue PQCrypto::Error => e
+        raise PQCrypto::JWT::UnsupportedFeature, "SecretKey seed export failed: #{e.message}"
       end
-      private_class_method :validate_algorithm!
+      private_class_method :seed_from_secret_key!
     end
   end
 end

data/lib/pq_crypto/jwt/jwks.rb CHANGED Viewed

@@ -5,50 +5,51 @@ module PQCrypto
     module JWKS
       module_function
+      CACHE_EMPTY = Object.new.freeze
       def from_keys(public_keys, kids: nil)
         keys = Array(public_keys).each_with_index.map do |public_key, index|
-          kid = kids&.fetch(index, nil)
-          PQCrypto::JWT::JWK.from_public_key(public_key, kid: kid)
+          PQCrypto::JWT::JWK.from_public_key(public_key, kid: kids&.fetch(index, nil))
         end
         { "keys" => keys }.freeze
       end
-      def find(jwks, kid: nil, alg: nil)
-        keys_from(jwks).find do |key|
-          (kid.nil? || value_for(key, "kid") == kid) &&
-            (alg.nil? || value_for(key, "alg") == alg)
-        end
+      def find(jwks, kid: nil, alg: nil, thumbprint: nil)
+        keys_from(jwks).find { |key| match?(key, kid, alg, thumbprint) }
+      end
+      def find_all(jwks, kid: nil, alg: nil, thumbprint: nil)
+        keys_from(jwks).select { |key| match?(key, kid, alg, thumbprint) }
       end
       def loader(jwks_hash_or_callable)
-        cached = nil
+        cached = CACHE_EMPTY
         lambda do |options = {}|
-          if jwks_hash_or_callable.respond_to?(:call)
-            cached = nil if options && options[:invalidate]
-            cached ||= jwks_hash_or_callable.call(options || {})
-          else
-            cached = nil if options && options[:invalidate]
-            cached ||= jwks_hash_or_callable
+          options ||= {}
+          cached = CACHE_EMPTY if options[:invalidate]
+          if cached.equal?(CACHE_EMPTY)
+            cached = jwks_hash_or_callable.respond_to?(:call) ? jwks_hash_or_callable.call(options) : jwks_hash_or_callable
           end
+          cached
         end
       end
       def keys_from(jwks)
         source = jwks.respond_to?(:to_hash) ? jwks.to_hash : jwks
-        keys = source["keys"] || source[:keys] if source.respond_to?(:[])
-        Array(keys).map { |key| stringify_hash(key) }
+        keys = source.respond_to?(:[]) ? (source["keys"] || source[:keys]) : nil
+        Array(keys).map { |key| key.to_hash.each_with_object({}) { |(k, v), out| out[String(k)] = v } }
       end
       private_class_method :keys_from
-      def stringify_hash(hash)
-        hash.to_hash.each_with_object({}) { |(key, value), out| out[String(key)] = value }
-      end
-      private_class_method :stringify_hash
+      def value_for(hash, key) = hash[key] || hash[key.to_sym]
+      private_class_method :value_for
-      def value_for(hash, key)
-        hash[key] || hash[key.to_sym]
+      def match?(key, kid, alg, thumbprint)
+        (kid.nil? || value_for(key, "kid") == kid) &&
+          (alg.nil? || value_for(key, "alg") == alg) &&
+          (thumbprint.nil? || PQCrypto::JWT::JWK.thumbprint(key) == thumbprint)
       end
-      private_class_method :value_for
+      private_class_method :match?
     end
   end
 end

data/lib/pq_crypto/jwt/keys.rb CHANGED Viewed

@@ -1,15 +1,12 @@
 # frozen_string_literal: true
-require "base64"
-require "openssl"
-require "set"
 module PQCrypto
   module JWT
     module Keys
       module_function
       EXPECT_VALUES = [:auto, :signature].freeze
+      LOAD_ERRORS = [PQCrypto::Error, ArgumentError].freeze
       def generate(alg)
         algorithm = PQCrypto::JWT.algorithm_for(alg)
@@ -21,79 +18,68 @@ module PQCrypto
       def public_from_pem(pem, expect: :auto)
         validate_expect!(expect)
-        return PQCrypto::Signature.public_key_from_spki_pem(pem) if expect == :signature
-        dispatch_public_from_pem(pem)
+        key = begin
+          expect == :signature ? PQCrypto::Signature.public_key_from_spki_pem(pem) : PQCrypto::Key.from_pem(pem)
+        rescue *LOAD_ERRORS => e
+          raise PQCrypto::JWT::Error, e.message
+        end
+        as_public!(key)
       end
-      def secret_from_pem(pem, expect: :auto)
+      def public_from_der(der, expect: :auto)
         validate_expect!(expect)
-        return PQCrypto::Signature.secret_key_from_pkcs8_pem(pem) if expect == :signature
-        dispatch_secret_from_pem(pem)
-      end
-      def validate_expect!(expect)
-        return if EXPECT_VALUES.include?(expect)
-        raise ArgumentError, "expect: must be one of #{EXPECT_VALUES.map(&:inspect).join(', ')}"
+        key = begin
+          expect == :signature ? PQCrypto::Signature.public_key_from_spki_der(der) : PQCrypto::Key.from_der(der)
+        rescue *LOAD_ERRORS => e
+          raise PQCrypto::JWT::Error, e.message
+        end
+        as_public!(key)
       end
-      private_class_method :validate_expect!
-      def dispatch_public_from_pem(pem)
-        oid = spki_oid_from_pem(pem)
-        return PQCrypto::Signature.public_key_from_spki_pem(pem) if signature_oids.include?(oid.to_s)
+      def secret_from_pem(pem, expect: :auto, passphrase: nil)
+        validate_expect!(expect)
-        raise PQCrypto::JWT::Error, "Unknown or unsupported PQCrypto SPKI algorithm OID: #{oid.inspect}"
+        key = begin
+          expect == :signature ? PQCrypto::Signature.secret_key_from_pkcs8_pem(pem, passphrase: passphrase) : PQCrypto::Key.from_pem(pem, passphrase: passphrase)
+        rescue *LOAD_ERRORS => e
+          raise PQCrypto::JWT::Error, e.message
+        end
+        as_secret!(key)
       end
-      private_class_method :dispatch_public_from_pem
-      def dispatch_secret_from_pem(pem)
-        oid = pkcs8_oid_from_pem(pem)
-        return PQCrypto::Signature.secret_key_from_pkcs8_pem(pem) if signature_oids.include?(oid.to_s)
+      def secret_from_der(der, expect: :auto, passphrase: nil)
+        validate_expect!(expect)
-        raise PQCrypto::JWT::Error, "Unknown or unsupported PQCrypto PKCS#8 algorithm OID: #{oid.inspect}"
+        key = begin
+          expect == :signature ? PQCrypto::Signature.secret_key_from_pkcs8_der(der, passphrase: passphrase) : PQCrypto::Key.from_der(der, passphrase: passphrase)
+        rescue *LOAD_ERRORS => e
+          raise PQCrypto::JWT::Error, e.message
+        end
+        as_secret!(key)
       end
-      private_class_method :dispatch_secret_from_pem
-      def spki_oid_from_pem(pem)
-        sequence = OpenSSL::ASN1.decode(pem_to_der(pem))
-        sequence.value.fetch(0).value.fetch(0).oid
-      rescue StandardError => e
-        raise PQCrypto::JWT::Error, "Unable to read SPKI algorithm OID: #{e.message}"
-      end
-      private_class_method :spki_oid_from_pem
+      def validate_expect!(expect)
+        return if EXPECT_VALUES.include?(expect)
-      def pkcs8_oid_from_pem(pem)
-        sequence = OpenSSL::ASN1.decode(pem_to_der(pem))
-        sequence.value.fetch(1).value.fetch(0).oid
-      rescue StandardError => e
-        raise PQCrypto::JWT::Error, "Unable to read PKCS#8 algorithm OID: #{e.message}"
+        raise ArgumentError, "expect: must be one of #{EXPECT_VALUES.map(&:inspect).join(', ')}"
       end
-      private_class_method :pkcs8_oid_from_pem
+      private_class_method :validate_expect!
-      def pem_to_der(pem)
-        body = pem.to_s.lines.reject { |line| line.start_with?("-----") }.join
-        Base64.decode64(body)
-      end
-      private_class_method :pem_to_der
+      def as_public!(key)
+        return key if key.is_a?(PQCrypto::Signature::PublicKey)
-      def signature_oids
-        @signature_oids ||= PQCrypto::JWT.signing_algorithms.filter_map do |algorithm|
-          oid_for_algorithm(algorithm.pq_crypto_algorithm)
-        end.to_set
+        raise PQCrypto::JWT::KeyTypeError, "Expected PQCrypto::Signature::PublicKey, got #{key.class}"
       end
-      private_class_method :signature_oids
+      private_class_method :as_public!
-      def oid_for_algorithm(algorithm)
-        return unless PQCrypto.const_defined?(:AlgorithmRegistry)
+      def as_secret!(key)
+        return key if key.is_a?(PQCrypto::Signature::SecretKey)
-        oid = PQCrypto::AlgorithmRegistry.standard_oid(algorithm)
-        oid&.to_s
-      rescue StandardError
-        nil
+        raise PQCrypto::JWT::KeyTypeError, "Expected PQCrypto::Signature::SecretKey, got #{key.class}"
       end
-      private_class_method :oid_for_algorithm
+      private_class_method :as_secret!
     end
   end
 end

data/lib/pq_crypto/jwt/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module PQCrypto
   module JWT
-    VERSION = "0.1.2"
+    VERSION = "0.2.0"
   end
 end