ruby-paseto 0.1.1 → 0.2.0

data/lib/paseto/protocol/version4.rb

@@ -7,30 +7,31 @@ module Paseto
       extend T::Sig
       extend T::Helpers
 
+      include Singleton
       include Interface::Version
 
       sig(:final) { override.params(key: String, nonce: String, payload: String).returns(String) }
-      def self.crypt(key:, nonce:, payload:)
+      def crypt(key:, nonce:, payload:)
         Paseto::Sodium::Stream::XChaCha20Xor.new(key).encrypt(nonce, payload)
       end
 
       sig(:final) { override.params(data: String, digest_size: Integer).returns(String) }
-      def self.digest(data, digest_size:)
-        RbNaCl::Hash.blake2b(data, digest_size: digest_size)
+      def digest(data, digest_size: 32)
+        RbNaCl::Hash.blake2b(data, digest_size:)
       end
 
       sig(:final) { override.returns(Integer) }
-      def self.digest_bytes
+      def digest_bytes
         32
       end
 
       sig(:final) { override.params(data: String, key: String, digest_size: Integer).returns(String) }
-      def self.hmac(data, key:, digest_size: 32)
-        RbNaCl::Hash.blake2b(data, key: key, digest_size: digest_size)
+      def hmac(data, key:, digest_size: 32)
+        RbNaCl::Hash.blake2b(data, key:, digest_size:)
       end
 
       sig(:final) { override.returns(T.class_of(Operations::ID::IDv4)) }
-      def self.id
+      def id
         Operations::ID::IDv4
       end
 
@@ -42,7 +43,7 @@ module Paseto
           parameters: T.any(Symbol, Integer)
         ).returns(String)
       end
-      def self.kdf(password, salt:, length:, **parameters)
+      def kdf(password, salt:, length:, **parameters)
         memlimit = RbNaCl::PasswordHash::Argon2.memlimit_value(parameters[:memlimit])
         opslimit = RbNaCl::PasswordHash::Argon2.opslimit_value(parameters[:opslimit])
 
@@ -56,42 +57,42 @@ module Paseto
       end
 
       sig(:final) { override.returns(String) }
-      def self.paserk_version
+      def paserk_version
         'k4'
       end
 
       sig(:final) { override.returns(String) }
-      def self.pbkd_local_header
+      def pbkd_local_header
         'k4.local-pw'
       end
 
       sig(:final) { override.returns(String) }
-      def self.pbkd_secret_header
+      def pbkd_secret_header
         'k4.secret-pw'
       end
 
       sig(:final) { override.params(password: String).returns(Operations::PBKD::PBKDv4) }
-      def self.pbkw(password)
+      def pbkw(password)
         Operations::PBKD::PBKDv4.new(password)
       end
 
       sig(:final) { override.params(key: SymmetricKey).returns(Wrappers::PIE::PieV4) }
-      def self.pie(key)
+      def pie(key)
         Wrappers::PIE::PieV4.new(key)
       end
 
       sig(:final) { override.params(key: AsymmetricKey).returns(Operations::PKE::PKEv4) }
-      def self.pke(key)
+      def pke(key)
         Operations::PKE::PKEv4.new(key)
       end
 
       sig(:final) { override.params(size: Integer).returns(String) }
-      def self.random(size)
+      def random(size)
         RbNaCl::Random.random_bytes(size)
       end
 
       sig(:final) { override.returns(String) }
-      def self.version
+      def version
         'v4'
       end
     end

data/lib/paseto/symmetric_key.rb

@@ -34,14 +34,14 @@ module Paseto
       Util.pre_auth_encode(pae_header, n, c, footer, implicit_assertion)
           .then { |pre_auth| protocol.hmac(pre_auth, key: ak) }
           .then { |t| "#{n}#{c}#{t}" }
-          .then { |payload| Token.new(payload: payload, version: version, purpose: purpose, footer: footer) }
+          .then { |payload| Token.new(payload:, version:, purpose:, footer:) }
     end
 
     # Verify and decrypt an encrypted Token, with an optional string `implicit_assertion`, and return the plaintext.
     # If `token` includes a footer, it is treated as authenticated data to be verified but not returned.
     # `token` must be a `v4.local` type Token.
     sig(:final) { params(token: Token, implicit_assertion: String).returns(String) }
-    def decrypt(token:, implicit_assertion: '')
+    def decrypt(token:, implicit_assertion: '') # rubocop:disable Metrics/AbcSize
       raise LucidityError unless header == token.header
 
       n, c, t = split_payload(token.raw_payload)
@@ -52,9 +52,12 @@ module Paseto
       t2 = protocol.hmac(pre_auth, key: ak)
       raise InvalidAuthenticator unless Util.constant_compare(t, t2)
 
-      protocol.crypt(payload: c, key: ek, nonce: n2).encode(Encoding::UTF_8)
-    rescue Encoding::UndefinedConversionError
-      raise ParseError, 'invalid payload encoding'
+      decrypted = protocol.crypt(payload: c, key: ek, nonce: n2)
+      decrypted.force_encoding('UTF-8')
+
+      raise ParseError, 'invalid payload encoding' unless decrypted.valid_encoding?
+
+      decrypted
     end
 
     sig(:final) do
@@ -68,7 +71,7 @@ module Paseto
     def encode!(payload, footer: '', implicit_assertion: '', **options)
       n = T.cast(options.delete(:nonce), T.nilable(String))
       MultiJson.dump(payload, options)
-               .then { |message| encrypt(message: message, footer: footer, implicit_assertion: implicit_assertion, n: n) }
+               .then { |message| encrypt(message:, footer:, implicit_assertion:, n:) }
                .then(&:to_s)
     end
 
@@ -82,9 +85,9 @@ module Paseto
     def decode!(payload, implicit_assertion: '', **options)
       token = Token.parse(payload)
 
-      decrypt(token: token, implicit_assertion: implicit_assertion)
+      decrypt(token:, implicit_assertion:)
         .then { |json| MultiJson.load(json, **options) }
-        .then { |claims| Result.new(claims: claims, footer: token.footer) }
+        .then { |claims| Result.new(claims:, footer: token.footer) }
     end
 
     sig(:final) { override.returns(String) }
@@ -93,6 +96,9 @@ module Paseto
     sig(:final) { override.returns(String) }
     def pbkw_header = protocol.pbkd_local_header
 
+    sig(:final) { override.returns(String) }
+    def pie_header = "#{paserk_version}.local-wrap.pie."
+
     sig(:final) { returns(Interface::PIE) }
     def pie = protocol.pie(self)
 
@@ -103,10 +109,10 @@ module Paseto
     def to_bytes = key
 
     sig(:final) { params(paserk: String).returns(Interface::Key) }
-    def unwrap(paserk) = Paserk.from_paserk(paserk: paserk, wrapping_key: self)
+    def unwrap(paserk) = Paserk.from_paserk(paserk:, wrapping_key: self)
 
     sig(:final) { params(key: Interface::Key, nonce: T.nilable(String)).returns(String) }
-    def wrap(key, nonce: nil) = Paserk.wrap(key: key, wrapping_key: self, nonce: nonce)
+    def wrap(key, nonce: nil) = Paserk.wrap(key:, wrapping_key: self, nonce:)
 
     private
 

data/lib/paseto/token.rb

@@ -34,7 +34,7 @@ module Paseto
       payload = Util.decode64(payload)
       Util.decode64(footer)
           .then { |f| serializer.deserialize(f, options) }
-          .then { |f| new(version: version, purpose: purpose, payload: payload, footer: f) }
+          .then { |f| new(version:, purpose:, payload:, footer: f) }
     end
 
     sig { returns(Paseto::Interface::Serializer) }
@@ -60,13 +60,14 @@ module Paseto
                    .then { |data| "#{version}.#{purpose}.#{data}" }
                    .then(&:freeze)
 
-      @version =     T.let(version.freeze,             String)
-      @purpose =     T.let(purpose.freeze,             String)
-      @raw_payload = T.let(payload.freeze,             String)
-      @type =        T.let(validate_header,            T.class_of(Interface::Key))
-      @footer =      T.let(footer,                     T.any(String, T::Hash[String, T.untyped]))
-      @raw_footer =  T.let(raw_footer,                 String)
-      @str =         T.let(paseto,                     String)
+      @version     = T.let(version.freeze,  String)
+      @purpose     = T.let(purpose.freeze,  String)
+      @raw_payload = T.let(payload.freeze,  String)
+      @type        = T.let(validate_header, T.class_of(Interface::Key))
+      @footer      = T.let(footer,          T.any(String, T::Hash[String, T.untyped]))
+      @raw_footer  = T.let(raw_footer,      String)
+      @str         = T.let(paseto,          String)
+      @result      = T.let(nil,             T.nilable(Result))
     end
 
     sig do
@@ -79,8 +80,8 @@ module Paseto
     def decode!(key, implicit_assertion: '', **options)
       return @result.claims if @result
 
-      key.decode(@str, implicit_assertion: implicit_assertion, **options)
-         .then { |result| @result = T.let(result, T.nilable(Result)) }
+      key.decode(@str, implicit_assertion:, **options)
+         .then { |result| @result = result }
          .then(&:claims)
     end
 
@@ -116,12 +117,13 @@ module Paseto
 
     sig { returns(T.class_of(Interface::Key)) }
     def validate_header
-      type = TokenTypes.deserialize(header).key_klass
-      return type if type
+      type = begin
+        TokenTypes.deserialize(header).key_klass
+      rescue KeyError
+        nil
+      end
 
-      raise UnsupportedToken, header
-    rescue KeyError
-      raise UnsupportedToken, header
+      type or raise UnsupportedToken, header
     end
   end
 end

data/lib/paseto/token_types.rb

@@ -17,9 +17,9 @@ module Paseto
       case self
       in V3Local then V3::Local
       in V3Public then V3::Public
-      in V4Local if Paseto.rbnacl?
+      in V4Local if Paseto::HAS_RBNACL
         V4::Local
-      in V4Public if Paseto.rbnacl?
+      in V4Public if Paseto::HAS_RBNACL
         V4::Public
       else
         nil

data/lib/paseto/util.rb

@@ -76,7 +76,7 @@ module Paseto
     # Moving the sig out of the conditional triggers a bug in rubocop-sorbet
 
     # Use a faster comparison when RbNaCl is available
-    if Paseto.rbnacl?
+    if Paseto::HAS_RBNACL
       sig { params(a: String, b: String).returns(T::Boolean) }
       def self.constant_compare(a, b)
         h_a = RbNaCl::Hash.blake2b(a)
@@ -98,8 +98,7 @@ module Paseto
     def self.openssl?(major, minor = 0, fix = 0, patch = 0)
       return false if OpenSSL::OPENSSL_VERSION.include?('LibreSSL')
 
-      OpenSSL::OPENSSL_VERSION_NUMBER >=
-        (major * 0x10000000) + (minor * 0x100000) + (fix * 0x1000) + (patch * 0x10)
+      (major * 0x10000000) + (minor * 0x100000) + (fix * 0x1000) + (patch * 0x10) <= OpenSSL::OPENSSL_VERSION_NUMBER
     end
   end
 end

data/lib/paseto/v3/local.rb

@@ -28,7 +28,7 @@ module Paseto
 
       sig(:final) { params(ikm: String).void }
       def initialize(ikm:)
-        @protocol = T.let(Protocol::Version3.new, Paseto::Protocol::Version3)
+        @protocol = T.let(Protocol::Version3.instance, Paseto::Protocol::Version3)
 
         super(ikm)
       end

data/lib/paseto/v3/public.rb

@@ -50,7 +50,7 @@ module Paseto
         raise LucidityError unless @key.group.curve_name == 'secp384r1'
         raise InvalidKeyPair unless custom_check_key
 
-        @protocol = T.let(Protocol::Version3.new, Protocol::Version3)
+        @protocol = T.let(Protocol::Version3.instance, Protocol::Version3)
 
         super
       rescue OpenSSL::PKey::ECError => e
@@ -68,7 +68,7 @@ module Paseto
             .then { |data| @key.sign_raw(nil, data) }
             .then { |sig_asn| ASN1::ECDSASignature.from_asn1(sig_asn) }
             .then { |ecdsa_sig| ecdsa_sig.to_rs(SIGNATURE_PART_LEN) }
-            .then { |sig| Token.new(payload: "#{message}#{sig}", purpose: purpose, version: version, footer: footer) }
+            .then { |sig| Token.new(payload: "#{message}#{sig}", purpose:, version:, footer:) }
       rescue Encoding::CompatibilityError
         raise ParseError, 'invalid message encoding, must be UTF-8'
       end
@@ -80,9 +80,10 @@ module Paseto
         raise LucidityError unless header == token.header
 
         payload = token.raw_payload
-        raise ParseError, 'message too short' if payload.bytesize < SIGNATURE_BYTE_LEN
+        signature_end = payload.bytesize - SIGNATURE_BYTE_LEN
+        raise ParseError, 'message too short' if signature_end <= 0
 
-        m = T.must(payload.slice(0, payload.bytesize - SIGNATURE_BYTE_LEN))
+        m = T.must(payload.slice(0, signature_end))
 
         s = T.must(payload.slice(-SIGNATURE_BYTE_LEN, SIGNATURE_BYTE_LEN))
              .then { |bytes| ASN1::ECDSASignature.from_rs(bytes, SIGNATURE_PART_LEN).to_der }
@@ -131,74 +132,12 @@ module Paseto
 
       private
 
-      # TODO: Figure out how to get SimpleCov to cover this consistently. With OSSL1.1.1, most of
-      # this doesn't run. With OSSL3, check_key never raises...
-      # :nocov:
-
-      # The openssl gem as of 3.0.0 will prefer EVP_PKEY_public_check over EC_KEY_check_key
-      # whenever the EVP api is available, which is always for the library here as we're requiring
-      # 3.0.0 or greater. However, this has some problems.
-      #
-      # The behavior of EVP_PKEY_public_check is different between 1.1.1 and 3.x. Specifically,
-      # it no longer calls the custom verifier method in EVP_PKEY_METHOD, and only checks the
-      # correctness of the public component. This leads to a problem when calling EC#key_check,
-      # as the private component is NEVER verified for an ECDSA key through the APIs that the gem
-      # makes available to us.
-      #
-      # Until this is fixed in ruby/openssl, I am working around this by implementing the algorithm
-      # used by EVP_PKEY_pairwise_check through the OpenSSL API.
-      #
-      # BUG: https://github.com/ruby/openssl/issues/563
-      # https://www.openssl.org/docs/man1.1.1/man3/EVP_PKEY_public_check.html
-      # https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_public_check.html
       sig(:final) { returns(T::Boolean) }
       def custom_check_key
-        begin
-          @key.check_key
-        rescue StandardError
-          return false
-        end
-
-        return true unless private? && Util.openssl?(3)
-
-        priv_key = @key.private_key
-        group = @key.group
-
-        # int ossl_ec_key_private_check(const EC_KEY *eckey)
-        # {
-        # ...
-        #   if (BN_cmp(eckey->priv_key, BN_value_one()) < 0
-        #     || BN_cmp(eckey->priv_key, eckey->group->order) >= 0) {
-        #     ERR_raise(ERR_LIB_EC, EC_R_INVALID_PRIVATE_KEY);
-        #     return 0;
-        #   }
-        # ...
-        # }
-        #
-        # https://github.com/openssl/openssl/blob/5ac7cfb56211d18596e3c35baa942542f3c0189a/crypto/ec/ec_key.c#L510
-        # private keys must be in range [1, order-1]
-        return false if priv_key < OpenSSL::BN.new(1) || priv_key > group.order
-
-        # int ossl_ec_key_pairwise_check(const EC_KEY *eckey, BN_CTX *ctx)
-        # {
-        # ...
-        #   if (!EC_POINT_mul(eckey->group, point, eckey->priv_key, NULL, NULL, ctx)) {
-        #       ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
-        #       goto err;
-        #   }
-        #   if (EC_POINT_cmp(eckey->group, point, eckey->pub_key, ctx) != 0) {
-        #       ERR_raise(ERR_LIB_EC, EC_R_INVALID_PRIVATE_KEY);
-        #       goto err;
-        #   }
-        # ...
-        # }
-        #
-        # https://github.com/openssl/openssl/blob/5ac7cfb56211d18596e3c35baa942542f3c0189a/crypto/ec/ec_key.c#L529
-        # Check generator * priv_key = pub_key
-        @key.public_key == group.generator.mul(priv_key)
+        @key.check_key
+      rescue StandardError
+        false
       end
-
-      # :nocov:
     end
   end
 end

data/lib/paseto/v4/local.rb

@@ -21,7 +21,7 @@ module Paseto
 
       sig(:final) { params(ikm: String).void }
       def initialize(ikm:)
-        @protocol = T.let(Protocol::Version4.new, Paseto::Protocol::Version4)
+        @protocol = T.let(Protocol::Version4.instance, Paseto::Protocol::Version4)
 
         super(ikm)
       end
@@ -31,10 +31,10 @@ module Paseto
       # Derive an encryption key, nonce, and authentication key from an input nonce.
       sig(:final) { override.params(nonce: String).returns([String, String, String]) }
       def calc_keys(nonce)
-        tmp = protocol.hmac("paseto-encryption-key#{nonce}", key: key, digest_size: 56)
+        tmp = protocol.hmac("paseto-encryption-key#{nonce}", key:, digest_size: 56)
         ek = T.must(tmp[0, 32])
         n2 = T.must(tmp[-24, 24])
-        ak = protocol.hmac("paseto-auth-key-for-aead#{nonce}", key: key, digest_size: 32)
+        ak = protocol.hmac("paseto-auth-key-for-aead#{nonce}", key:, digest_size: 32)
         [ek, n2, ak]
       end
 

data/lib/paseto/v4/public.rb

@@ -44,7 +44,7 @@ module Paseto
         @key = T.let(key, T.any(RbNaCl::SigningKey, RbNaCl::VerifyKey))
 
         @private = T.let(@key.is_a?(RbNaCl::SigningKey), T::Boolean)
-        @protocol = T.let(Protocol::Version4.new, Paseto::Protocol::Version4)
+        @protocol = T.let(Protocol::Version4.instance, Paseto::Protocol::Version4)
 
         super
       end
@@ -58,7 +58,7 @@ module Paseto
         Util.pre_auth_encode(pae_header, message, footer, implicit_assertion)
             .then { |m2| @key.sign(m2) }
             .then { |sig| "#{message}#{sig}" }
-            .then { |payload| Token.new(payload: payload, purpose: purpose, version: version, footer: footer) }
+            .then { |payload| Token.new(payload:, purpose:, version:, footer:) }
       end
 
       # Verify the signature of `token`, with an optional binding `implicit_assertion`. `token` must be a `v4.public`` type Token.
@@ -152,10 +152,7 @@ module Paseto
       def ossl_ed25519_private_key?(key)
         raise LucidityError, "expected Ed25519 key, got #{key.oid}" unless key.oid == 'ED25519'
 
-        return key.to_text.start_with?('ED25519 Private-Key') if Util.openssl?(3)
-        return key.to_text != "<INVALID PRIVATE KEY>\n" if Util.openssl?(1, 1, 1)
-
-        false
+        key.to_text.start_with?('ED25519 Private-Key')
       end
 
       sig(:final) { returns(RbNaCl::VerifyKey) }

data/lib/paseto/validator.rb

@@ -29,7 +29,7 @@ module Paseto
         return unless (aud = options[:verify_aud])
 
         given = payload['aud']
-        raise InvalidAudience, "Invalid audience. Expected #{aud}, got #{given || '<none>'}" if ([*aud] & [*given]).empty?
+        raise InvalidAudience, "Invalid audience. Expected #{aud}, got #{given || '<none>'}" unless [*aud].intersect?([*given])
       end
     end
 

data/lib/paseto/version.rb

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module Paseto
-  VERSION = '0.1.1'
+  VERSION = '0.2.0'
 end

data/lib/paseto/versions.rb

@@ -17,8 +17,8 @@ module Paseto
     sig { returns(Interface::Version) }
     def instance
       case self
-      when V3Version, V3Str, K3Str then Protocol::Version3.new
-      when V4Version, V4Str, K4Str then Protocol::Version4.new
+      when V3Version, V3Str, K3Str then Protocol::Version3.instance
+      when V4Version, V4Str, K4Str then Protocol::Version4.instance
       end
     end
   end

data/lib/paseto/wrappers/pie/pie_v3.rb

@@ -13,33 +13,20 @@ module Paseto
         DOMAIN_SEPARATOR_AUTH = "\x81"
         DOMAIN_SEPARATOR_ENCRYPT = "\x80"
 
-        sig { override.params(data: String).returns({ t: String, n: String, c: String }) }
-        def self.decode_and_split(data)
-          b = Util.decode64(data)
-          {
-            t: T.must(b.byteslice(0, 48)),
-            n: T.must(b.byteslice(48, 32)),
-            c: T.must(b.byteslice(80..))
-          }
-        end
+        sig { override.returns(String) }
+        attr_reader :local_header
 
         sig { override.returns(Protocol::Version3) }
-        def self.protocol
-          Protocol::Version3.new
-        end
+        attr_reader :protocol
 
         sig { override.returns(String) }
-        def local_header
-          'k3.local-wrap.pie.'
-        end
-
-        sig { override.returns(String) }
-        def secret_header
-          'k3.secret-wrap.pie.'
-        end
+        attr_reader :secret_header
 
         sig { params(wrapping_key: SymmetricKey).void }
         def initialize(wrapping_key)
+          @local_header = T.let('k3.local-wrap.pie.', String)
+          @protocol = T.let(Protocol::Version3.instance, Protocol::Version3)
+          @secret_header = T.let('k3.secret-wrap.pie.', String)
           @wrapping_key = wrapping_key
         end
 
@@ -53,6 +40,16 @@ module Paseto
           protocol.hmac(payload, key: auth_key)
         end
 
+        sig { override.params(data: String).returns({ t: String, n: String, c: String }) }
+        def decode_and_split(data)
+          b = Util.decode64(data)
+          {
+            t: T.must(b.byteslice(0, 48)),
+            n: T.must(b.byteslice(48, 32)),
+            c: T.must(b.byteslice(80..))
+          }
+        end
+
         sig { override.returns(String) }
         def random_nonce
           protocol.random(32)
@@ -64,7 +61,7 @@ module Paseto
           ek = T.must(x[0, 32])
           n2 = T.must(x[32..])
 
-          protocol.crypt(key: ek, nonce: n2, payload: payload)
+          protocol.crypt(key: ek, nonce: n2, payload:)
         end
       end
     end

data/lib/paseto/wrappers/pie/pie_v4.rb

@@ -13,33 +13,20 @@ module Paseto
         DOMAIN_SEPARATOR_AUTH = "\x81"
         DOMAIN_SEPARATOR_ENCRYPT = "\x80"
 
-        sig { override.params(data: String).returns({ t: String, n: String, c: String }) }
-        def self.decode_and_split(data)
-          b = Util.decode64(data)
-          {
-            t: T.must(b.byteslice(0, 32)),
-            n: T.must(b.byteslice(32, 32)),
-            c: T.must(b.byteslice(64..))
-          }
-        end
-
         sig { override.returns(Protocol::Version4) }
-        def self.protocol
-          Protocol::Version4.new
-        end
+        attr_reader :protocol
 
         sig { override.returns(String) }
-        def local_header
-          'k4.local-wrap.pie.'
-        end
+        attr_reader :local_header
 
         sig { override.returns(String) }
-        def secret_header
-          'k4.secret-wrap.pie.'
-        end
+        attr_reader :secret_header
 
         sig { params(wrapping_key: SymmetricKey).void }
         def initialize(wrapping_key)
+          @local_header = T.let('k4.local-wrap.pie.', String)
+          @protocol = T.let(Protocol::Version4.instance, Protocol::Version4)
+          @secret_header = T.let('k4.secret-wrap.pie.', String)
           @wrapping_key = wrapping_key
         end
 
@@ -53,6 +40,16 @@ module Paseto
           protocol.hmac(payload, key: auth_key, digest_size: 32)
         end
 
+        sig { override.params(data: String).returns({ t: String, n: String, c: String }) }
+        def decode_and_split(data)
+          b = Util.decode64(data)
+          {
+            t: T.must(b.byteslice(0, 32)),
+            n: T.must(b.byteslice(32, 32)),
+            c: T.must(b.byteslice(64..))
+          }
+        end
+
         sig { override.returns(String) }
         def random_nonce
           protocol.random(32)
@@ -64,7 +61,7 @@ module Paseto
           ek = T.must(x[0, 32])
           n2 = T.must(x[32..])
 
-          protocol.crypt(key: ek, nonce: n2, payload: payload)
+          protocol.crypt(key: ek, nonce: n2, payload:)
         end
       end
     end

data/lib/paseto/wrappers/pie.rb

@@ -20,11 +20,11 @@ module Paseto
         raise LucidityError unless key.version == @wrapping_key.version
 
         nonce ||= @coder.random_nonce
-        header = pie_header(key)
+        header = key.pie_header
 
-        c = @coder.crypt(nonce: nonce, payload: key.to_bytes)
+        c = @coder.crypt(nonce:, payload: key.to_bytes)
 
-        ak = @coder.authentication_key(nonce: nonce)
+        ak = @coder.authentication_key(nonce:)
         t = @coder.authentication_tag(payload: "#{header}#{nonce}#{c}", auth_key: ak)
 
         [header, Util.encode64("#{t}#{nonce}#{c}")].join
@@ -52,20 +52,6 @@ module Paseto
 
         PaserkTypes.deserialize("#{version}.#{type}").generate(ptk)
       end
-
-      private
-
-      sig { params(key: Interface::Key).returns(String) }
-      def pie_header(key)
-        case key
-        when SymmetricKey then @coder.local_header
-        when AsymmetricKey then @coder.secret_header
-        else
-          # :nocov:
-          raise ArgumentError, 'not a valid type of key'
-          # :nocov:
-        end
-      end
     end
   end
 end

data/lib/paseto.rb

@@ -42,6 +42,8 @@ module Paseto
   extend T::Sig
   extend Configuration
 
+  HAS_RBNACL = T.let(!defined?(RbNaCl).nil?, T::Boolean)
+
   class Error < StandardError; end
 
   class AlgorithmError < Error; end
@@ -89,11 +91,6 @@ module Paseto
   class ParseError < Error; end
   # Tried to work with a V4 token without RbNaCl loaded
   class UnsupportedToken < ParseError; end
-
-  sig { returns(T::Boolean) }
-  def self.rbnacl?
-    !!defined?(RbNaCl)
-  end
 end
 
 loader.eager_load