sandal 0.0.3 → 0.1.0

data/.coveralls.yml

@@ -0,0 +1 @@
+service_name: travis-ci

data/.gitignore

@@ -0,0 +1,20 @@
+*.gem
+*.rbc
+.bundle
+.config
+.DS_Store
+coverage
+Gemfile.lock
+InstalledFiles
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+
+# YARD artifacts
+.yardoc
+_yardoc
+doc/

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format documentation

data/.travis.yml

@@ -0,0 +1,7 @@
+language: ruby
+rvm:
+  - rbx-19mode
+  - jruby-19mode
+  - 1.9.2
+  - 1.9.3
+  - 2.0.0

data/.yardopts

@@ -0,0 +1,6 @@
+--no-private 
+--protected 
+lib/**/*.rb 
+- 
+README.md 
+LICENSE.md

data/CHANGELOG.md

@@ -0,0 +1,9 @@
+## 0.1.0 (30 March 2013)
+
+The first version worth using.
+
+Features:
+
+- Supports all JWA signature algorithms (ES, HS, RS, none).
+- Validates exp, nbf, iss and aud claims.
+- Configurable token validation options.

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/LICENSE.md

@@ -0,0 +1,7 @@
+Copyright (C) 2013 Greg Beech
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,96 @@
+**NOTE: This library is pretty new and still has a lot of things that aren't finished or could be improved. Expect bugs and interface changes. Pull requests or feedback very much appreciated.**
+
+# Sandal [![Build Status](https://travis-ci.org/gregbeech/sandal.png?branch=master)](https://travis-ci.org/gregbeech/sandal) [![Coverage Status](https://coveralls.io/repos/gregbeech/sandal/badge.png?branch=master)](https://coveralls.io/r/gregbeech/sandal)
+
+A Ruby library for creating and reading [JSON Web Tokens (JWT) draft-06](http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-06), supporting [JSON Web Signatures (JWS) draft-08](http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-08) and [JSON Web Encryption (JWE) draft-08](http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-08). See the [CHANGELOG](CHANGELOG.md) for version history.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'sandal'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install sandal
+
+## Signed Tokens
+
+The signing part of the library is a lot smaller and easier to implement than the encryption part, so I focused on that first. All the JWA signature methods are supported:
+
+- ES256, ES384, ES512 (note: not supported on jruby)
+- HS256, HS384, HS512
+- RS256, RS384, RS512
+- none
+
+Signing example:
+
+```ruby
+require 'openssl'
+require 'sandal'
+
+claims = { 
+  'iss' => 'example.org',
+  'sub' => 'user@example.org',
+  'exp' => (Time.now + 3600).to_i
+}
+key = OpenSSL::PKey::EC.new(File.read('/path/to/private_key.pem'))
+signer = Sandal::Sig::ES256.new(key)
+token = Sandal.encode_token(claims, signer, { 
+  'kid' => 'my key identifier' 
+})
+```
+
+Decoding and validating example:
+
+```ruby
+require 'openssl'
+require 'sandal'
+
+claims = Sandal.decode_token(token) do |header|
+  if header['kid'] == 'my key identifier'
+    key = OpenSSL::PKey::EC.new(File.read('/path/to/public_key.pem'))
+    Sandal::Sig::ES256.new(key)
+  end
+end
+```
+
+Keys for these examples can be generated by executing:
+
+    $ openssl ecparam -out private_key.pem -name prime256v1 -genkey
+    $ openssl ec -out public_key.pem -in private_key.pem -pubout
+
+## Encrypted Tokens
+
+This part of the library still needs a lot of work. The current version supports the AES/CBC algorithms and RSA1_5 key protection, but expect a lot of changes here. I'd avoid it for now.
+
+## Validation Options
+
+You can change the default validation options, for example if you only want to accept tokens from 'example.org' with a maximum clock skew of one minute:
+
+```ruby
+Sandal.default! valid_iss: ['example.org'], max_clock_skew: 60
+```
+
+Sometimes while developing it can be useful to turn off some validation options just to get things working (don't do this in production!):
+
+```ruby
+Sandal.default! validate_signature: false, validate_exp: false
+```
+
+These options can also be configured on a per-token basis by using a second `options` parameter in the block passed to the `decode` method.
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch: `git checkout -b my-new-feature`
+3. Commit your changes: `git commit -am 'Add some feature'`
+4. Push to the branch: `git push origin my-new-feature`
+5. Create a new Pull Request
+
+
+

data/Rakefile

@@ -0,0 +1,7 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new
+
+task :default => :spec
+task :build => :spec

data/lib/sandal.rb

@@ -11,15 +11,45 @@ require 'sandal/enc'
 # A library for creating and reading JSON Web Tokens (JWT).
 module Sandal
 
+  # The error that is raised when a token is invalid.
+  class TokenError < StandardError; end
+
+  # The default options for token handling.
+  #
+  # max_clock_skew:: The maximum clock skew, in seconds, when validating times.
+  # valid_iss:: A list of valid token issuers, if issuer validation is required.
+  # valid_aud:: A list of valid audiences, if audience validation is required.
+  # validate_exp:: Whether the expiry date of the token is validated.
+  # validate_nbf:: Whether the not-before date of the token is validated.
+  # validate_integrity:: Whether the integrity value of encrypted (JWE) tokens is validated.
+  # validate_signature:: Whether the signature of signed (JWS) tokens is validated.
+  DEFAULT_OPTIONS = {
+    max_clock_skew: 300,
+    valid_iss: [],
+    valid_aud: [],
+    validate_exp: true,
+    validate_nbf: true,
+    validate_integrity: true,
+    validate_signature: true
+  }
+
+  # Overrides the default options.
+  #
+  # @param defaults [Hash] The options to override (see {DEFAULT_OPTIONS} for details).
+  # @return [Hash] The new default options.
+  def self.default!(defaults)
+    DEFAULT_OPTIONS.merge!(defaults)
+  end
+
   # Creates a signed JSON Web Token.
   #
-  # @param payload [String] The payload of the token.
+  # @param payload [String/Hash] The payload of the token. If a Hash then it will be encoded as JSON.
   # @param signer [Sandal::Sig] The token signer, which may be nil for an unsigned token.
   # @param header_fields [Hash] Header fields for the token (note: do not include 'alg').
   # @return [String] A signed JSON Web Token.
   def self.encode_token(payload, signer, header_fields = nil)
     if header_fields && header_fields['enc']
-      throw ArgumentError.new('The header cannot contain an "enc" parameter.')
+      raise ArgumentError, 'The header cannot contain an "enc" parameter.'
     end
     signer ||= Sandal::Sig::None.instance
 
@@ -27,6 +57,8 @@ module Sandal
     header['alg'] = signer.name if signer.name != Sandal::Sig::None.instance.name
     header = header_fields.merge(header) if header_fields
 
+    payload = JSON.generate(payload) if payload.kind_of?(Hash)
+
     encoded_header = Sandal::Util.base64_encode(JSON.generate(header))
     encoded_payload = Sandal::Util.base64_encode(payload)
     secured_input = [encoded_header, encoded_payload].join('.')
@@ -39,7 +71,7 @@ module Sandal
   # Creates an encrypted JSON Web Token.
   #
   # @param payload [String] The payload of the token.
-  # @param encrypted [Sandal::Enc] The token encrypter.
+  # @param encrypter [Sandal::Enc] The token encrypter.
   # @param header_fields [Hash] Header fields for the token (note: do not include 'alg' or 'enc').
   # @return [String] An encrypted JSON Web Token.
   def self.encrypt_token(payload, encrypter, header_fields = nil)
@@ -51,30 +83,50 @@ module Sandal
     encrypter.encrypt(header, payload)
   end
 
-  # Decodes a JSON Web Token, verifying the signature as necessary.
+  # Decodes and validates a JSON Web Token.
   #
-  # **NOTE: This method is likely to change, to allow more validation options**
-  def self.decode_token(token, &sig_finder)
+  # The block is called with the token header as the first parameter, and should return the appropriate
+  # {Sandal::Sig} to verify the signature. It can optionally have a second options parameter which can
+  # be used to override the {DEFAULT_OPTIONS} on a per-token basis.
+  #
+  # @param token [String] The encoded JSON Web Token.
+  # @yieldparam header [Hash] The JWT header values.
+  # @yieldparam options [Hash] (Optional) A hash that can be used to override the default options.
+  # @yieldreturn [Sandal::Sig] The signature verifier.
+  # @return [Hash/String] The payload of the token as a Hash if it was JSON, otherwise as a String.
+  # @raise [ArgumentError] The token parameter is nil or empty, or the block has the wrong arity.
+  # @raise [TokenError] The token format is invalid, or validation of the token failed.
+  def self.decode_token(token, &block)
+    raise ArgumentError, 'A token is required.' unless token && token.length > 0
     parts = token.split('.')
-    throw ArgumentError.new('Invalid token format.') unless [2, 3].include?(parts.length)
+    raise TokenError, 'Invalid token format.' unless [2, 3].include?(parts.length)
     begin
       header = JSON.parse(Sandal::Util.base64_decode(parts[0]))
       payload = Sandal::Util.base64_decode(parts[1])
       signature = if parts.length > 2 then Sandal::Util.base64_decode(parts[2]) else '' end
     rescue
-      throw ArgumentError.new('Invalid token encoding.')
+      raise TokenError, 'Invalid token encoding.'
     end
 
-    algorithm = header['alg']
-    if algorithm && algorithm != 'none'
-      throw SecurityError.new('The signature is missing.') unless signature.length > 0
-      sig = sig_finder.call(header)
-      throw SecurityError.new('No signature verifier was found.') unless sig
+    options = DEFAULT_OPTIONS.clone
+    if block
+      case block.arity
+      when 1 then verifier = block.call(header)
+      when 2 then verifier = block.call(header, options)
+      else raise ArgumentError, 'Incorrect number of block parameters.'
+      end
+    end    
+    verifier ||= Sandal::Sig::None.instance
+
+    if options[:validate_signature]
       secured_input = parts.take(2).join('.')
-      throw ArgumentError.new('Invalid signature.') unless sig.verify(signature, secured_input)
+      raise TokenError, 'Invalid signature.' unless verifier.verify(signature, secured_input)
     end
 
-    payload
+    claims = JSON.parse(payload) rescue nil
+    validate_claims(claims, options) if claims
+
+    claims || payload
   end
 
   # Decrypts an encrypted JSON Web Token.
@@ -82,7 +134,7 @@ module Sandal
   # **NOTE: This method is likely to change, to allow more validation options**
   def self.decrypt_token(encrypted_token, &enc_finder)
     parts = encrypted_token.split('.')
-    throw ArgumentError.new('Invalid token format.') unless parts.length == 5
+    raise ArgumentError, 'Invalid token format.' unless parts.length == 5
     begin
       header = JSON.parse(Sandal::Util.base64_decode(parts[0]))
       encrypted_key = Sandal::Util.base64_decode(parts[1])
@@ -90,46 +142,64 @@ module Sandal
       ciphertext = Sandal::Util.base64_decode(parts[3])
       integrity_value = Sandal::Util.base64_decode(parts[4])
     rescue
-      throw ArgumentError.new('Invalid token encoding.')
+      raise ArgumentError, 'Invalid token encoding.'
     end
 
     enc = enc_finder.call(header)
-    throw SecurityError.new('No decryptor was found.') unless enc
+    raise TokenError, 'No decryptor was found.' unless enc
     enc.decrypt(encrypted_key, iv, ciphertext, parts.take(4).join('.'), integrity_value)
   end
 
-end
-
-if __FILE__ == $0
-
-  # create payload
-  issued_at = Time.now
-  claims = JSON.generate({
-    iss: 'example.org',
-    aud: 'example.com',
-    sub: 'user@example.org',
-    iat: issued_at.to_i,
-    exp: (issued_at + 3600).to_i
-  })
+  private
 
-  puts claims.to_s
-
-  # sign and encrypt
-  jws_key = OpenSSL::PKey::RSA.new(2048)
-  sig = Sandal::Sig::RS256.new(jws_key)
-  jws_token = Sandal.encode_token(claims.to_s, sig)
-
-  puts jws_token
+  # Validates token claims according to the options
+  def self.validate_claims(claims, options)
+    validate_expires(claims, options)
+    validate_not_before(claims, options)
+    validate_issuer(claims, options)
+    validate_audience(claims, options)
+  end
 
-  jwe_key = OpenSSL::PKey::RSA.new(2048)
-  enc = Sandal::Enc::AES128GCM.new(jwe_key.public_key)
-  jwe_token = Sandal.encrypt_token(jws_token, enc, { 'cty' => 'JWT' })
+  # Validates the 'exp' claim.
+  def self.validate_expires(claims, options)
+    if options[:validate_exp] && claims['exp']
+      begin
+        exp = Time.at(claims['exp'])
+      rescue
+        raise TokenError, 'The "exp" claim is invalid.'
+      end
+      raise TokenError, 'The token has expired.' unless exp > (Time.now - options[:max_clock_skew])
+    end
+  end
 
-  puts jwe_token
+  # Validates the 'nbf' claim
+  def self.validate_not_before(claims, options)
+    if options[:validate_nbf] && claims['nbf']
+      begin
+        nbf = Time.at(claims['nbf'])
+      rescue
+        raise TokenError, 'The "nbf" claim is invalid.'
+      end
+      raise TokenError, 'The token is not valid yet.' unless nbf < (Time.now + options[:max_clock_skew])
+    end
+  end
 
-  jws_token_2 = Sandal.decrypt_token(jwe_token) { |header| Sandal::Enc::AES128CBC.new(jwe_key) }
-  roundtrip_claims = Sandal.decode_token(jws_token_2) { |header| Sandal::Sig::RS256.new(jws_key.public_key) }
+  # Validates the 'iss' claim.
+  def self.validate_issuer(claims, options)
+    valid_iss = options[:valid_iss]
+    if valid_iss && valid_iss.length > 0
+      raise TokenError, 'The issuer is invalid.' unless valid_iss.include?(claims['iss'])
+    end
+  end
 
-  puts roundtrip_claims
+  # Validates the 'aud' claim.
+  def self.validate_audience(claims, options)
+    valid_aud = options[:valid_aud]
+    if valid_aud && valid_aud.length > 0
+      aud = claims['aud']
+      aud = [aud] unless aud.kind_of?(Array)
+      raise TokenError, 'The audence is invalid.' unless (aud & valid_aud).length > 0
+    end
+  end
 
 end

data/lib/sandal/enc.rb

@@ -10,12 +10,12 @@ module Sandal
 
     # Encrypts a header and payload, and returns an encrypted token.
     def encrypt(header, payload)
-      throw NotImplementedError.new("#{@name}.encrypt is not implemented.")
+      raise NotImplementedError, "#{@name}.encrypt is not implemented."
     end
 
     # Decrypts a token.
     def decrypt(encrypted_key, iv, ciphertext, secured_input, integrity_value)
-      throw NotImplementedError.new("#{@name}.decrypt is not implemented.")
+      raise NotImplementedError, "#{@name}.decrypt is not implemented."
     end
 
   end

data/lib/sandal/enc/aescbc.rb

@@ -9,7 +9,7 @@ module Sandal
       include Sandal::Enc
 
       def initialize(aes_size, key)
-        throw ArgumentError.new('A key is required.') unless key
+        raise ArgumentError, 'A key is required.' unless key
         @aes_size = aes_size
         @sha_size = aes_size * 2 # TODO: Any smarter way to do this?
         @name = "A#{aes_size}CBC+HS#{@sha_size}"
@@ -49,7 +49,7 @@ module Sandal
 
         content_integrity_key = derive_content_key('Integrity', content_master_key, @sha_size)
         computed_integrity_value = OpenSSL::HMAC.digest(@digest, content_integrity_key, secured_input)
-        throw ArgumentError.new('Invalid signature.') unless integrity_value == computed_integrity_value
+        raise ArgumentError, 'Invalid signature.' unless integrity_value == computed_integrity_value
 
         cipher = OpenSSL::Cipher.new(@cipher_name).decrypt
         cipher.key = derive_content_key('Encryption', content_master_key, @aes_size)

data/lib/sandal/enc/aesgcm.rb

@@ -9,15 +9,15 @@ module Sandal
       include Sandal::Enc
 
       def initialize(aes_size, key)
-        throw NotImplementedException.new('AES-CGM is not yet implemented.')
+        raise NotImplementedException, 'AES-CGM is not yet implemented.'
       end
 
       def encrypt(header, payload)
-        throw NotImplementedException.new('AES-CGM is not yet implemented.')
+        raise NotImplementedException, 'AES-CGM is not yet implemented.'
       end
 
       def decrypt(encrypted_key, iv, ciphertext, secured_input, integrity_value)
-        throw NotImplementedException.new('AES-CGM is not yet implemented.')
+        raise NotImplementedException, 'AES-CGM is not yet implemented.'
       end
 
     end

data/lib/sandal/sig.rb

@@ -12,7 +12,7 @@ module Sandal
     # @param payload [String] The payload of the token to sign.
     # @return [String] The signature.
     def sign(payload)
-      throw NotImplementedError.new("#{@name}.sign is not implemented.")
+      raise NotImplementedError, "#{@name}.sign is not implemented."
     end
 
     # Verifies a payload signature and returns whether the signature matches.
@@ -21,7 +21,7 @@ module Sandal
     # @param payload [String] The payload of the token.
     # @return [Boolean] true if the signature is correct; otherwise false.
     def verify(signature, payload)
-      throw NotImplementedError.new("#{@name}.verify is not implemented.")
+      raise NotImplementedError, "#{@name}.verify is not implemented."
     end
 
     # The 'none' JWA signature method.

data/lib/sandal/sig/es.rb

@@ -9,7 +9,7 @@ module Sandal
 
       # Creates a new instance with the size of the SHA algorithm and an OpenSSL ES PKey.
       def initialize(sha_size, prime_size, key)
-        throw ArgumentError.new('A key is required.') unless key
+        raise ArgumentError, 'A key is required.' unless key
         @name = "ES#{sha_size}"
         @digest = OpenSSL::Digest.new("sha#{sha_size}")
         @prime_size = prime_size

data/lib/sandal/sig/hs.rb

@@ -9,7 +9,7 @@ module Sandal
 
       # Creates a new instance with the size of the SHA algorithm and a string key.
       def initialize(sha_size, key)
-        throw ArgumentError.new('A key is required.') unless key
+        raise ArgumentError, 'A key is required.' unless key
         @name = "HS#{sha_size}"
         @digest = OpenSSL::Digest.new("sha#{sha_size}")
         @key = key

data/lib/sandal/sig/rs.rb

@@ -12,7 +12,7 @@ module Sandal
       # Note that the size of the RSA key must be at least 2048 bits to be compliant with the
       # JWA specification.
       def initialize(sha_size, key)
-        throw ArgumentError.new('A key is required.') unless key
+        raise ArgumentError, 'A key is required.' unless key
         @name = "RS#{sha_size}"
         @digest = OpenSSL::Digest.new("sha#{sha_size}")
         @key = key
@@ -20,7 +20,7 @@ module Sandal
 
       # Signs a payload and returns the signature.
       def sign(payload)
-        throw ArgumentError.new('A private key is required to sign the payload.') unless @key.private?
+        raise ArgumentError, 'A private key is required to sign the payload.' unless @key.private?
         @key.sign(@digest, payload)
       end
 

data/lib/sandal/version.rb

@@ -1,4 +1,4 @@
 module Sandal
   # The semantic version of the library.
-  VERSION = '0.0.3'
+  VERSION = '0.1.0'
 end

data/sandal.gemspec

@@ -0,0 +1,32 @@
+($LOAD_PATH << File.expand_path("../lib", __FILE__)).uniq!
+require 'sandal/version'
+
+Gem::Specification.new do |s|
+  s.name = 'sandal'
+  s.version = Sandal::VERSION
+  s.summary = 'A JSON Web Token (JWT) library.'
+  s.description = 'A ruby library for creating and reading JSON Web Tokens (JWT), supporting JSON Web Signatures (JWS) and JSON Web Encryption (JWE).'
+  s.author = 'Greg Beech'
+  s.email = 'greg@gregbeech.com'
+  s.homepage = 'http://rubygems.org/gems/sandal'
+  s.license = 'MIT'
+
+  s.files = `git ls-files`.split($/)
+  s.executables = s.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+  s.require_paths = ['lib']
+  s.extra_rdoc_files = ['README.md', 'LICENSE.md']
+
+  s.add_runtime_dependency 'json', '~> 1.7'
+  s.add_runtime_dependency 'jruby-openssl', '~> 0.7', '>= 0.7.3' if RUBY_PLATFORM == 'java'
+
+  s.add_development_dependency 'bundler', '~> 1.3'
+  s.add_development_dependency 'rake', '~> 10.0'
+  s.add_development_dependency 'rspec', '~> 2.13'
+  s.add_development_dependency 'coveralls', '~> 0.6'
+  s.add_development_dependency 'yard', '~> 0.8'
+  s.add_development_dependency 'redcarpet', '~> 2.2' unless RUBY_PLATFORM == 'java' # for yard
+  s.add_development_dependency 'kramdown', '~> 1.0' if RUBY_PLATFORM == 'java'      # for yard
+
+  s.requirements << 'openssl 1.0.1c for EC signature methods'
+end

data/spec/helper.rb

@@ -0,0 +1,8 @@
+require 'coveralls'
+Coveralls.wear!
+
+require 'rspec'
+require "#{File.dirname(__FILE__)}/../lib/sandal.rb"
+
+RSpec.configure do |c|
+end

data/spec/sandal/sig/es_spec.rb

@@ -0,0 +1,152 @@
+require 'helper'
+require 'openssl'
+
+# EC isn't implemented in jruby-openssl at the moment
+if defined? OpenSSL::PKey::EC
+
+def make_bn(arr)
+  hex_str = arr.pack('C*').unpack('H*')[0]
+  OpenSSL::BN.new(hex_str, 16)
+end
+
+def make_point(group, x, y)
+  def pad(c)
+    if c.length <= 64
+      padding_length = 64 - c.length
+    elsif c.length <= 96
+      padding_length = 96 - c.length
+    elsif c.length <= 132
+      padding_length = 132 - c.length
+    end
+    ('0' * padding_length) + c
+  end
+  str = '04' + pad(x.to_s(16)) + pad(y.to_s(16))
+  bn = OpenSSL::BN.new(str, 16)
+  OpenSSL::PKey::EC::Point.new(group, bn)
+end
+
+describe Sandal::Sig::ES do
+
+  it 'can encode the signature in JWS section A3.1' do
+    r = make_bn([14, 209, 33, 83, 121, 99, 108, 72, 60, 47, 127, 21, 88, 7, 212, 2, 163, 178, 40, 3, 58, 249, 124, 126, 23, 129, 154, 195, 22, 158, 166, 101]  )
+    s = make_bn([197, 10, 7, 211, 140, 60, 112, 229, 216, 241, 45, 175, 8, 74, 84, 128, 166, 101, 144, 197, 242, 147, 80, 154, 143, 63, 127, 138, 131, 163, 84, 213])
+    signature = Sandal::Sig::ES.encode_jws_signature(r, s, 256)
+    base64_signature = Sandal::Util.base64_encode(signature)
+    base64_signature.should == 'DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q'
+  end
+
+  it 'can encode the signature in JWS section A4.1' do
+    r = make_bn([1, 220, 12, 129, 231, 171, 194, 209, 232, 135, 233, 117, 247, 105, 122, 210, 26, 125, 192, 1, 217, 21, 82, 91, 45, 240, 255, 83, 19, 34, 239, 71, 48, 157, 147, 152, 105, 18, 53, 108, 163, 214, 68, 231, 62, 153, 150, 106, 194, 164, 246, 72, 143, 138, 24, 50, 129, 223, 133, 206, 209, 172, 63, 237, 119, 109]    )
+    s = make_bn([0, 111, 6, 105, 44, 5, 41, 208, 128, 61, 152, 40, 92, 61, 152, 4, 150, 66, 60, 69, 247, 196, 170, 81, 193, 199, 78, 59, 194, 169, 16, 124, 9, 143, 42, 142, 131, 48, 206, 238, 34, 175, 83, 203, 220, 159, 3, 107, 155, 22, 27, 73, 111, 68, 68, 21, 238, 144, 229, 232, 148, 188, 222, 59, 242, 103] )
+    signature = Sandal::Sig::ES.encode_jws_signature(r, s, 521)
+    base64_signature = Sandal::Util.base64_encode(signature)
+    base64_signature.should == 'AdwMgeerwtHoh-l192l60hp9wAHZFVJbLfD_UxMi70cwnZOYaRI1bKPWROc-mZZqwqT2SI-KGDKB34XO0aw_7XdtAG8GaSwFKdCAPZgoXD2YBJZCPEX3xKpRwcdOO8KpEHwJjyqOgzDO7iKvU8vcnwNrmxYbSW9ERBXukOXolLzeO_Jn'
+  end
+
+end
+
+describe Sandal::Sig::ES256 do
+
+  it 'can sign data and verify signatures' do
+    group = OpenSSL::PKey::EC::Group.new('prime256v1') 
+    private_key = OpenSSL::PKey::EC.new(group).generate_key
+    data = 'Hello ES256'
+    signer = Sandal::Sig::ES256.new(private_key)
+    signature = signer.sign(data)
+    public_key = OpenSSL::PKey::EC.new(group)
+    public_key.public_key = private_key.public_key
+    verifier = Sandal::Sig::ES256.new(public_key)
+    verifier.verify(signature, data).should == true
+  end
+
+  it 'can verify the signature in JWS section A3.1' do
+    x = make_bn([127, 205, 206, 39, 112, 246, 196, 93, 65, 131, 203, 238, 111, 219, 75, 123, 88, 7, 51, 53, 123, 233, 239, 19, 186, 207, 110, 60, 123, 209, 84, 69])
+    y = make_bn([199, 241, 68, 205, 27, 189, 155, 126, 135, 44, 223, 237, 185, 238, 185, 244, 179, 105, 93, 110, 169, 11, 36, 173, 138, 70, 35, 40, 133, 136, 229, 173])
+    d = make_bn([142, 155, 16, 158, 113, 144, 152, 191, 152, 4, 135, 223, 31, 93, 119, 233, 203, 41, 96, 110, 190, 210, 38, 59, 95, 87, 194, 19, 223, 132, 244, 178])
+    data = 'eyJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ'
+    signature = Sandal::Util.base64_decode('DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q')
+
+    group = OpenSSL::PKey::EC::Group.new('prime256v1') 
+    public_key = OpenSSL::PKey::EC.new(group)
+    public_key.public_key = make_point(group, x, y)
+    verifier = Sandal::Sig::ES256.new(public_key)
+    verifier.verify(signature, data).should == true
+  end
+
+  it 'fails to verify the signature in JWS section A3.1 when the data is changed' do
+    x = make_bn([127, 205, 206, 39, 112, 246, 196, 93, 65, 131, 203, 238, 111, 219, 75, 123, 88, 7, 51, 53, 123, 233, 239, 19, 186, 207, 110, 60, 123, 209, 84, 69])
+    y = make_bn([199, 241, 68, 205, 27, 189, 155, 126, 135, 44, 223, 237, 185, 238, 185, 244, 179, 105, 93, 110, 169, 11, 36, 173, 138, 70, 35, 40, 133, 136, 229, 173])
+    d = make_bn([142, 155, 16, 158, 113, 144, 152, 191, 152, 4, 135, 223, 31, 93, 119, 233, 203, 41, 96, 110, 190, 210, 38, 59, 95, 87, 194, 19, 223, 132, 244, 178])
+    data = 'not the data that was signed'
+    signature = Sandal::Util.base64_decode('DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q')
+
+    group = OpenSSL::PKey::EC::Group.new('prime256v1') 
+    public_key = OpenSSL::PKey::EC.new(group)
+    public_key.public_key = make_point(group, x, y)
+    verifier = Sandal::Sig::ES256.new(public_key)
+    verifier.verify(signature, data).should == false
+  end
+
+end
+
+describe Sandal::Sig::ES384 do
+
+  it 'can sign data and verify signatures' do
+    group = OpenSSL::PKey::EC::Group.new('secp384r1') 
+    private_key = OpenSSL::PKey::EC.new(group).generate_key
+    data = 'Hello ES384'
+    signer = Sandal::Sig::ES384.new(private_key)
+    signature = signer.sign(data)
+    public_key = OpenSSL::PKey::EC.new(group)
+    public_key.public_key = private_key.public_key
+    verifier = Sandal::Sig::ES384.new(public_key)
+    verifier.verify(signature, data).should == true
+  end
+
+end
+
+describe Sandal::Sig::ES512 do
+
+  it 'can sign data and verify signatures' do
+    group = OpenSSL::PKey::EC::Group.new('secp521r1') 
+    private_key = OpenSSL::PKey::EC.new(group).generate_key
+    data = 'Hello ES512'
+    signer = Sandal::Sig::ES512.new(private_key)
+    signature = signer.sign(data)
+    public_key = OpenSSL::PKey::EC.new(group)
+    public_key.public_key = private_key.public_key
+    verifier = Sandal::Sig::ES512.new(public_key)
+    verifier.verify(signature, data).should == true
+  end
+
+  it 'can verify the signature in JWS section A4.1' do
+    x = make_bn([1, 233, 41, 5, 15, 18, 79, 198, 188, 85, 199, 213, 57, 51, 101, 223, 157, 239, 74, 176, 194, 44, 178, 87, 152, 249, 52, 235, 4, 227, 198, 186, 227, 112, 26, 87, 167, 145, 14, 157, 129, 191, 54, 49, 89, 232, 235, 203, 21, 93, 99, 73, 244, 189, 182, 204, 248, 169, 76, 92, 89, 199, 170, 193, 1, 164])
+    y = make_bn([0, 52, 166, 68, 14, 55, 103, 80, 210, 55, 31, 209, 189, 194, 200, 243, 183, 29, 47, 78, 229, 234, 52, 50, 200, 21, 204, 163, 21, 96, 254, 93, 147, 135, 236, 119, 75, 85, 131, 134, 48, 229, 203, 191, 90, 140, 190, 10, 145, 221, 0, 100, 198, 153, 154, 31, 110, 110, 103, 250, 221, 237, 228, 200, 200, 246])
+    d = make_bn([1, 142, 105, 111, 176, 52, 80, 88, 129, 221, 17, 11, 72, 62, 184, 125, 50, 206, 73, 95, 227, 107, 55, 69, 237, 242, 216, 202, 228, 240, 242, 83, 159, 70, 21, 160, 233, 142, 171, 82, 179, 192, 197, 234, 196, 206, 7, 81, 133, 168, 231, 187, 71, 222, 172, 29, 29, 231, 123, 204, 246, 97, 53, 230, 61, 130]  )
+    data = 'eyJhbGciOiJFUzUxMiJ9.UGF5bG9hZA'
+    signature = Sandal::Util.base64_decode('AdwMgeerwtHoh-l192l60hp9wAHZFVJbLfD_UxMi70cwnZOYaRI1bKPWROc-mZZqwqT2SI-KGDKB34XO0aw_7XdtAG8GaSwFKdCAPZgoXD2YBJZCPEX3xKpRwcdOO8KpEHwJjyqOgzDO7iKvU8vcnwNrmxYbSW9ERBXukOXolLzeO_Jn')
+
+    group = OpenSSL::PKey::EC::Group.new('secp521r1') 
+    public_key = OpenSSL::PKey::EC.new(group)
+    public_key.public_key = make_point(group, x, y)
+    verifier = Sandal::Sig::ES512.new(public_key)
+    verifier.verify(signature, data).should == true
+  end
+
+  it 'fails to verify the signature in JWS section A4.1 when the data is changed' do
+    x = make_bn([1, 233, 41, 5, 15, 18, 79, 198, 188, 85, 199, 213, 57, 51, 101, 223, 157, 239, 74, 176, 194, 44, 178, 87, 152, 249, 52, 235, 4, 227, 198, 186, 227, 112, 26, 87, 167, 145, 14, 157, 129, 191, 54, 49, 89, 232, 235, 203, 21, 93, 99, 73, 244, 189, 182, 204, 248, 169, 76, 92, 89, 199, 170, 193, 1, 164])
+    y = make_bn([0, 52, 166, 68, 14, 55, 103, 80, 210, 55, 31, 209, 189, 194, 200, 243, 183, 29, 47, 78, 229, 234, 52, 50, 200, 21, 204, 163, 21, 96, 254, 93, 147, 135, 236, 119, 75, 85, 131, 134, 48, 229, 203, 191, 90, 140, 190, 10, 145, 221, 0, 100, 198, 153, 154, 31, 110, 110, 103, 250, 221, 237, 228, 200, 200, 246])
+    d = make_bn([1, 142, 105, 111, 176, 52, 80, 88, 129, 221, 17, 11, 72, 62, 184, 125, 50, 206, 73, 95, 227, 107, 55, 69, 237, 242, 216, 202, 228, 240, 242, 83, 159, 70, 21, 160, 233, 142, 171, 82, 179, 192, 197, 234, 196, 206, 7, 81, 133, 168, 231, 187, 71, 222, 172, 29, 29, 231, 123, 204, 246, 97, 53, 230, 61, 130]  )
+    data = 'not the data that was signed'
+    signature = Sandal::Util.base64_decode('AdwMgeerwtHoh-l192l60hp9wAHZFVJbLfD_UxMi70cwnZOYaRI1bKPWROc-mZZqwqT2SI-KGDKB34XO0aw_7XdtAG8GaSwFKdCAPZgoXD2YBJZCPEX3xKpRwcdOO8KpEHwJjyqOgzDO7iKvU8vcnwNrmxYbSW9ERBXukOXolLzeO_Jn')
+
+    group = OpenSSL::PKey::EC::Group.new('secp521r1') 
+    public_key = OpenSSL::PKey::EC.new(group)
+    public_key.public_key = make_point(group, x, y)
+    verifier = Sandal::Sig::ES512.new(public_key)
+    verifier.verify(signature, data).should == false
+  end
+
+end
+
+end

data/spec/sandal/sig/hs_spec.rb

@@ -0,0 +1,32 @@
+require 'helper'
+require 'openssl'
+
+describe Sandal::Sig::HS256 do
+  it 'can sign data and verify signatures' do
+    data = 'Hello HS256'
+    key = 'A secret key'
+    signer = Sandal::Sig::HS256.new(key)
+    signature = signer.sign(data)
+    signer.verify(signature, data).should == true
+  end
+end
+
+describe Sandal::Sig::HS384 do
+  it 'can sign data and verify signatures' do
+    data = 'Hello HS384'
+    key = 'Another secret key'
+    signer = Sandal::Sig::HS384.new(key)
+    signature = signer.sign(data)
+    signer.verify(signature, data).should == true
+  end
+end
+
+describe Sandal::Sig::HS512 do
+  it 'can sign data and verify signatures' do
+    data = 'Hello HS512'
+    key = 'Yet another secret key'
+    signer = Sandal::Sig::HS512.new(key)
+    signature = signer.sign(data)
+    signer.verify(signature, data).should == true
+  end
+end

data/spec/sandal/sig/rs_spec.rb

@@ -0,0 +1,35 @@
+require 'helper'
+require 'openssl'
+
+describe Sandal::Sig::RS256 do
+  it 'can sign data and verify signatures' do
+    data = 'Hello RS256'
+    private_key = OpenSSL::PKey::RSA.generate(2048)
+    signer = Sandal::Sig::RS256.new(private_key)
+    signature = signer.sign(data)
+    verifier = Sandal::Sig::RS256.new(private_key.public_key)
+    verifier.verify(signature, data).should == true
+  end
+end
+
+describe Sandal::Sig::RS384 do
+  it 'can sign data and verify signatures' do
+    data = 'Hello RS384'
+    private_key = OpenSSL::PKey::RSA.generate(2048)
+    signer = Sandal::Sig::RS384.new(private_key)
+    signature = signer.sign(data)
+    verifier = Sandal::Sig::RS384.new(private_key.public_key)
+    verifier.verify(signature, data).should == true
+  end
+end
+
+describe Sandal::Sig::RS512 do
+  it 'can sign data and verify signatures' do
+    data = 'Hello RS512'
+    private_key = OpenSSL::PKey::RSA.generate(2048)
+    signer = Sandal::Sig::RS512.new(private_key)
+    signature = signer.sign(data)
+    verifier = Sandal::Sig::RS512.new(private_key.public_key)
+    verifier.verify(signature, data).should == true
+  end
+end

data/spec/sandal/util_spec.rb

@@ -0,0 +1,33 @@
+require 'helper'
+require 'openssl'
+
+describe Sandal::Util do
+
+  it 'encodes and decodes base64 as per JWT example 6.1' do
+    src =  "{\"iss\":\"joe\",\r\n \"exp\":1300819380,\r\n \"http://example.com/is_root\":true}" 
+    encoded = Sandal::Util.base64_encode(src)
+    encoded.should == 'eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ'
+    val = Sandal::Util.base64_decode(encoded)
+    val.should == src
+  end
+
+  it 'compares nil strings as equal' do
+    Sandal::Util.secure_equals(nil, nil).should == true
+  end
+
+  it 'compares nil strings as unequal to empty strings' do
+    Sandal::Util.secure_equals(nil, '').should == false
+    Sandal::Util.secure_equals('', nil).should == false
+  end
+
+  it 'compares equal strings as equal' do
+    Sandal::Util.secure_equals('hello', 'hello').should == true
+    Sandal::Util.secure_equals('a longer string', 'a longer string').should == true
+  end
+
+  it 'compares unequal strings as unequal' do
+    Sandal::Util.secure_equals('hello', 'world').should == false
+    Sandal::Util.secure_equals('a longer string', 'a different longer string').should == false
+  end
+
+end

data/spec/sandal_spec.rb

@@ -0,0 +1,160 @@
+require 'helper'
+require 'openssl'
+
+describe Sandal do
+
+  it 'raises a token error when the token format is invalid' do
+    expect { Sandal.decode_token('not a valid token') }.to raise_error Sandal::TokenError
+  end  
+
+  it 'raises a token error when the token encoding is invalid' do
+    expect { Sandal.decode_token('an.invalid.token') }.to raise_error Sandal::TokenError
+  end
+
+  it 'encodes and decodes tokens with no signature' do
+    payload = 'Hello, World'
+    token = Sandal.encode_token(payload, nil)
+    decoded_payload = Sandal.decode_token(token)
+    decoded_payload.should == payload
+  end
+
+  it 'encodes and decodes tokens with "none" signature' do
+    payload = 'Hello, World'
+    token = Sandal.encode_token(payload, Sandal::Sig::None.instance)
+    decoded_payload = Sandal.decode_token(token)
+    decoded_payload.should == payload
+  end
+
+  it 'decodes non-JSON payloads to a String' do
+    token = Sandal.encode_token('not valid json', nil)
+    Sandal.decode_token(token).class.should == String
+  end
+
+  it 'decodes JSON payloads to a Hash' do
+    token = Sandal.encode_token({ 'valid' => 'json' }, nil)
+    Sandal.decode_token(token).class.should == Hash
+  end
+
+  it 'raises a token error when the expiry date is far in the past' do
+    token = Sandal.encode_token({ 'exp' => (Time.now - 600).to_i }, nil)
+    expect { Sandal.decode_token(token) }.to raise_error Sandal::TokenError
+  end
+
+  it 'raises a token error when the expiry date is invalid' do
+    token = Sandal.encode_token({ 'exp' => 'invalid value' }, nil)
+    expect { Sandal.decode_token(token) }.to raise_error Sandal::TokenError
+  end
+
+  it 'does not raise an error when the expiry date is far in the past but validation is disabled' do
+    token = Sandal.encode_token({ 'exp' => (Time.now - 600).to_i }, nil)
+    Sandal.decode_token(token) { |header, options| options[:validate_exp] = false }
+  end
+
+  it 'does not raise an error when the expiry date is in the past but within the clock skew' do
+    token = Sandal.encode_token({ 'exp' => (Time.now - 60).to_i }, nil)
+    Sandal.decode_token(token)
+  end
+
+  it 'does not raise an error when the expiry date is valid' do
+    token = Sandal.encode_token({ 'exp' => (Time.now + 60).to_i }, nil)
+    Sandal.decode_token(token)
+  end
+
+  it 'raises a token error when the not-before date is far in the future' do
+    token = Sandal.encode_token({ 'nbf' => (Time.now + 600).to_i }, nil)
+    expect { Sandal.decode_token(token) }.to raise_error Sandal::TokenError
+  end
+
+  it 'raises a token error when the not-before date is invalid' do
+    token = Sandal.encode_token({ 'nbf' => 'invalid value' }, nil)
+    expect { Sandal.decode_token(token) }.to raise_error Sandal::TokenError
+  end
+
+  it 'does not raise an error when the not-before date is far in the future but validation is disabled' do
+    token = Sandal.encode_token({ 'nbf' => (Time.now + 600).to_i }, nil)
+    Sandal.decode_token(token) { |header, options| options[:validate_nbf] = false }
+  end
+
+  it 'does not raise an error when the not-before date is in the future but within the clock skew' do
+    token = Sandal.encode_token({ 'nbf' => (Time.now + 60).to_i }, nil)
+    Sandal.decode_token(token)
+  end
+
+  it 'does not raise an error when the not-before is valid' do
+    token = Sandal.encode_token({ 'nbf' => (Time.now - 60).to_i }, nil)
+    Sandal.decode_token(token)
+  end
+
+  it 'raises a token error when the issuer is not valid' do
+    token = Sandal.encode_token({ 'iss' => 'example.org' }, nil)
+    expect { Sandal.decode_token(token) do |header, options| 
+      options[:valid_iss] = ['example.net'] 
+      nil
+    end }.to raise_error Sandal::TokenError
+  end
+
+  it 'does not raise an error when the issuer is valid' do
+    token = Sandal.encode_token({ 'iss' => 'example.org' }, nil)
+    Sandal.decode_token(token) do |header, options| 
+      options[:valid_iss] = ['example.org', 'example.com']
+      nil
+    end
+  end
+
+  it 'raises a token error when the audience string is not valid' do
+    token = Sandal.encode_token({ 'aud' => 'example.com' }, nil)
+    expect { Sandal.decode_token(token) do |header, options| 
+      options[:valid_aud] = ['example.net'] 
+      nil
+    end }.to raise_error Sandal::TokenError
+  end
+
+  it 'raises a token error when the audience array is not valid' do
+    token = Sandal.encode_token({ 'aud' => ['example.org', 'example.com'] }, nil)
+    expect { Sandal.decode_token(token) do |header, options| 
+      options[:valid_aud] = ['example.net'] 
+      nil
+    end }.to raise_error Sandal::TokenError
+  end
+
+  it 'does not raise an error when the audience string is valid' do
+    token = Sandal.encode_token({ 'aud' => 'example.net' }, nil)
+    Sandal.decode_token(token) do |header, options| 
+      options[:valid_aud] = ['example.net'] 
+      nil
+    end
+  end
+
+  it 'does not raise an error when the audience array is valid' do
+    token = Sandal.encode_token({ 'aud' => ['example.com', 'example.net'] }, nil)
+    Sandal.decode_token(token) do |header, options| 
+      options[:valid_aud] = ['example.net'] 
+      nil
+    end
+  end
+
+  it 'encodes and decodes tokens with RS256 signatures' do
+    payload = 'Hello RSA256'
+    private_key = OpenSSL::PKey::RSA.generate(2048)
+    token = Sandal.encode_token(payload, Sandal::Sig::RS256.new(private_key))
+    decoded_payload = Sandal.decode_token(token) { |header| Sandal::Sig::RS256.new(private_key.public_key) }
+    decoded_payload.should == payload
+  end
+
+  it 'encodes and decodes tokens with RS384 signatures' do
+    payload = 'Hello RSA384'
+    private_key = OpenSSL::PKey::RSA.generate(2048)
+    token = Sandal.encode_token(payload, Sandal::Sig::RS384.new(private_key))
+    decoded_payload = Sandal.decode_token(token) { |header| Sandal::Sig::RS384.new(private_key.public_key) }
+    decoded_payload.should == payload
+  end
+
+  it 'encodes and decodes tokens with RS512 signatures' do
+    payload = 'Hello RSA512'
+    private_key = OpenSSL::PKey::RSA.generate(2048)
+    token = Sandal.encode_token(payload, Sandal::Sig::RS512.new(private_key))
+    decoded_payload = Sandal.decode_token(token) { |header| Sandal::Sig::RS512.new(private_key.public_key) }
+    decoded_payload.should == payload
+  end
+
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sandal
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.1.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,26 +9,156 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-03-29 00:00:00.000000000 Z
-dependencies: []
+date: 2013-03-30 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.13'
+- !ruby/object:Gem::Dependency
+  name: coveralls
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.6'
+- !ruby/object:Gem::Dependency
+  name: yard
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.8'
+- !ruby/object:Gem::Dependency
+  name: redcarpet
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.2'
 description: A ruby library for creating and reading JSON Web Tokens (JWT), supporting
   JSON Web Signatures (JWS) and JSON Web Encryption (JWE).
-email:
-- greg@gregbeech.com
+email: greg@gregbeech.com
 executables: []
 extensions: []
-extra_rdoc_files: []
+extra_rdoc_files:
+- README.md
+- LICENSE.md
 files:
+- .coveralls.yml
+- .gitignore
+- .rspec
+- .travis.yml
+- .yardopts
+- CHANGELOG.md
+- Gemfile
+- LICENSE.md
+- README.md
+- Rakefile
+- lib/sandal.rb
+- lib/sandal/enc.rb
 - lib/sandal/enc/aescbc.rb
 - lib/sandal/enc/aesgcm.rb
-- lib/sandal/enc.rb
+- lib/sandal/sig.rb
 - lib/sandal/sig/es.rb
 - lib/sandal/sig/hs.rb
 - lib/sandal/sig/rs.rb
-- lib/sandal/sig.rb
 - lib/sandal/util.rb
 - lib/sandal/version.rb
-- lib/sandal.rb
+- sandal.gemspec
+- spec/helper.rb
+- spec/sandal/sig/es_spec.rb
+- spec/sandal/sig/hs_spec.rb
+- spec/sandal/sig/rs_spec.rb
+- spec/sandal/util_spec.rb
+- spec/sandal_spec.rb
 homepage: http://rubygems.org/gems/sandal
 licenses:
 - MIT
@@ -42,17 +172,30 @@ required_ruby_version: !ruby/object:Gem::Requirement
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
+      segments:
+      - 0
+      hash: -3672992457221215645
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
-requirements: []
+      segments:
+      - 0
+      hash: -3672992457221215645
+requirements:
+- openssl 1.0.1c for EC signature methods
 rubyforge_project: 
 rubygems_version: 1.8.25
 signing_key: 
 specification_version: 3
 summary: A JSON Web Token (JWT) library.
-test_files: []
+test_files:
+- spec/helper.rb
+- spec/sandal/sig/es_spec.rb
+- spec/sandal/sig/hs_spec.rb
+- spec/sandal/sig/rs_spec.rb
+- spec/sandal/util_spec.rb
+- spec/sandal_spec.rb
 has_rdoc: