sandal 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: be263e03b58c9fb37944f44b22935361d7ad7b3d
-  data.tar.gz: f46dd2129ffe4870f9596aae4a19592a354f4aa4
+  metadata.gz: 0f0ff3d982eff5453f5a1db3592b96e6f8a75884
+  data.tar.gz: b2ea7fad0f11051f2470f1a90bec6803ee10bb09
 SHA512:
-  metadata.gz: 59be234975d305a39bb25e7a1c508ac272d2bb10e5af132d9afe132c8c4419c555c8ec4e30b9cadc12c3a1e8eabbae57fb7f3d9bcb8309af322ea4df43d79457
-  data.tar.gz: b680f42d362ae72b6c124efd7a06bedf1d2a38b7c214f7e587aef617c20c2ead8006f12b45150826d2fc2a1624206bf748a63a107d55465459169ef1c3423d90
+  metadata.gz: b10f36c1a03b93e428533b0df5eb3f4ba9ab18cfdd911ec3e1733f431b3b89c9babcd7cc2c4915787c6fbe9904427b4702ac5062db1f12439644e08be46c8fc0
+  data.tar.gz: 27de343a94a824e353b1118003c752596b408ab7b2a8381c15af1e079ec407b797518ae7e1b885845fe0a191f658ad0718fa8538265b80db038e19140bb3b807

data/CHANGELOG.md

@@ -1,4 +1,20 @@
-## 0.2.0
+## 0.3.0 (20 April 2013)
+
+Features:
+
+- Keys can now be passed as strings as well as OpenSSL types.
+
+Breaking changes:
+
+- Default options have changed so that the behaviour is consistent with no options being passed.
+
+Bug fixes:
+
+- Strings are now compared by codepoint rather than by byte, in accordance with JWS § 5.3.
+- Integrity value check in AES/CBC+HS algorithms now uses the constant time string comparison function rather than ==.
+- Base64 decoding now checks that the decode was not lossy, as jruby would do a 'best effort' decode of invalid base64 strings.
+
+## 0.2.0 (05 April 2013)
 
 Features:
 

data/README.md

@@ -1,6 +1,4 @@
-**NOTE: This library is pretty new and still has a lot of things that aren't finished or could be improved. It also needs much more testing against the specs. Expect bugs and interface changes. Pull requests or feedback very much appreciated.**
-
-# Sandal [![Build Status](https://travis-ci.org/gregbeech/sandal.png?branch=master)](https://travis-ci.org/gregbeech/sandal) [![Coverage Status](https://coveralls.io/repos/gregbeech/sandal/badge.png?branch=master)](https://coveralls.io/r/gregbeech/sandal) [![Code Climate](https://codeclimate.com/github/gregbeech/sandal.png)](https://codeclimate.com/github/gregbeech/sandal)
+# Sandal [![Build Status](https://travis-ci.org/gregbeech/sandal.png?branch=master)](https://travis-ci.org/gregbeech/sandal) [![Coverage Status](https://coveralls.io/repos/gregbeech/sandal/badge.png?branch=master)](https://coveralls.io/r/gregbeech/sandal) [![Code Climate](https://codeclimate.com/github/gregbeech/sandal.png)](https://codeclimate.com/github/gregbeech/sandal) [![Dependency Status](https://gemnasium.com/gregbeech/sandal.png)](https://gemnasium.com/gregbeech/sandal)
 
 A Ruby library for creating and reading [JSON Web Tokens (JWT) draft-06](http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-06), supporting [JSON Web Signatures (JWS) draft-08](http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-08) and [JSON Web Encryption (JWE) draft-08](http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-08). See the [CHANGELOG](CHANGELOG.md) for version history.
 
@@ -8,7 +6,9 @@ A Ruby library for creating and reading [JSON Web Tokens (JWT) draft-06](http://
 
 Add this line to your application's Gemfile:
 
-    gem 'sandal'
+```ruby
+gem 'sandal'
+```
 
 And then execute:
 
@@ -30,16 +30,12 @@ All the JWA signature methods are supported:
 Signing example:
 
 ```ruby
-require 'openssl'
-require 'sandal'
-
 claims = { 
   'iss' => 'example.org',
   'sub' => 'user@example.org',
   'exp' => (Time.now + 3600).to_i
 }
-key = OpenSSL::PKey::EC.new(File.read('/path/to/ec_private_key.pem'))
-signer = Sandal::Sig::ES256.new(key)
+signer = Sandal::Sig::ES256.new(File.read('/path/to/ec_private_key.pem'))
 jws_token = Sandal.encode_token(claims, signer, { 
   'kid' => 'my ec key'
 })
@@ -48,13 +44,9 @@ jws_token = Sandal.encode_token(claims, signer, {
 Decoding and validating example:
 
 ```ruby
-require 'openssl'
-require 'sandal'
-
 claims = Sandal.decode_token(jws_token) do |header|
   if header['kid'] == 'my ec key'
-    key = OpenSSL::PKey::EC.new(File.read('/path/to/ec_public_key.pem'))
-    Sandal::Sig::ES256.new(key)
+    Sandal::Sig::ES256.new(File.read('/path/to/ec_public_key.pem'))
   end
 end
 ```
@@ -66,14 +58,12 @@ Keys for these examples can be generated by executing:
 
 ## Encrypted Tokens
 
-**NOTE: Encryption is still somewhat experimental and likely to be incorrect and/or buggy. Please let me know if you have any issues.**
-
 All the JWA encryption methods are supported:
 
 - A128CBC+HS256, A256CBC+HS512
 - A128GCM, A256GCM (note: requires ruby 2.0.0 or later)
 
-Some of the JWA key encryption algorithms are supported at the moment; others will follow. Feel free to submit a pull request if you want to add one before I get around to it:
+Some of the JWA key encryption algorithms are supported at the moment. The key wrap algorithms don't appear to exist in Ruby so they're not likely to be supported in the near future, but ECDH-ES should be soon:
 
 - RSA1_5
 - RSA-OAEP
@@ -82,8 +72,7 @@ Some of the JWA key encryption algorithms are supported at the moment; others wi
 Encrypting example (assumes use of the jws_token from the signing examples, as typically JWE tokens will be used to wrap JWS tokens):
 
 ```ruby
-key = OpenSSL::PKey::RSA.new(File.Read('/path/to/rsa_public_key.pem'))
-alg = Sandal::Enc::Alg::RSA_OAEP.new(key.public_key)
+alg = Sandal::Enc::Alg::RSA_OAEP.new(File.Read('/path/to/rsa_public_key.pem'))
 encrypter = Sandal::Enc::A128GCM.new(alg)
 jwe_token = Sandal.encrypt_token(jws_token, encrypter, {
   'kid': 'your rsa key',
@@ -94,13 +83,9 @@ jwe_token = Sandal.encrypt_token(jws_token, encrypter, {
 Decrypting example:
 
 ```ruby
-require 'openssl'
-require 'sandal'
-
 jws_token = Sandal.decrypt_token(jwe_token) do |header|
   if header['kid'] == 'your rsa key'
-    key = OpenSSL::PKey::RSA.new(File.Read('/path/to/rsa_private_key.pem'))
-    alg = Sandal::Enc::Alg::RSA_OAEP.new(key)
+    alg = Sandal::Enc::Alg::RSA_OAEP.new(File.Read('/path/to/rsa_private_key.pem'))
     Sandal::Enc::A128GCM.new(alg)
   end
 end
@@ -122,7 +107,7 @@ Sandal.default! valid_iss: ['example.org'], max_clock_skew: 60
 Sometimes while developing it can be useful to turn off some validation options just to get things working (don't do this in production!):
 
 ```ruby
-Sandal.default! validate_signature: false, validate_exp: false
+Sandal.default! ignore_signature: true, ignore_exp: true
 ```
 
 These options can also be configured on a per-token basis by using a second `options` parameter in the block passed to the `decode` method.

data/lib/sandal.rb

@@ -7,8 +7,13 @@ require 'sandal/sig'
 require 'sandal/util'
 
 
-# A library for creating and reading JSON Web Tokens (JWT).
+# A library for creating and reading JSON Web Tokens (JWT), supporting JSON Web 
+# Signatures (JWS) and JSON Web Encryption (JWE).
+#
+# Currently supports draft-06 of the JWT spec, and draft-08 of the JWS and JWE 
+# specs.
 module Sandal
+  extend Sandal::Util
 
   # The error that is raised when a token is invalid.
   class TokenError < StandardError; end
@@ -18,83 +23,108 @@ module Sandal
 
   # The default options for token handling.
   #
-  # max_clock_skew:: The maximum clock skew, in seconds, when validating times.
-  # valid_iss:: A list of valid token issuers, if issuer validation is required.
-  # valid_aud:: A list of valid audiences, if audience validation is required.
-  # validate_exp:: Whether the expiry date of the token is validated.
-  # validate_nbf:: Whether the not-before date of the token is validated.
-  # validate_signature:: Whether the signature of signed (JWS) tokens is validated.
+  # ignore_exp:: 
+  #   Whether to ignore the expiry date of the token. This setting is just to
+  #   help get things working and should always be false in real apps!
+  # ignore_nbf:: 
+  #   Whether to ignore the not-before date of the token. This setting is just 
+  #   to help get things working and should always be false in real apps!
+  # ignore_signature:: 
+  #   Whether to ignore the signature of signed (JWS) tokens.  This setting is 
+  #   just tohelp get things working and should always be false in real apps!
+  # max_clock_skew:: 
+  #   The maximum clock skew, in seconds, when validating times. If your server
+  #   time is out of sync with the token server then this can be increased to
+  #   take that into account. It probably shouldn't be more than about 300.
+  # valid_iss:: 
+  #   A list of valid token issuers, if validation of the issuer claim is 
+  #   required.
+  # valid_aud:: 
+  #   A list of valid audiences, if validation of the audience claim is
+  #   required.
   DEFAULT_OPTIONS = {
-    max_clock_skew: 300,
+    ignore_exp: false,
+    ignore_nbf: false,
+    ignore_signature: false,
+    max_clock_skew: 0,
     valid_iss: [],
     valid_aud: [],
-    validate_exp: true,
-    validate_nbf: true,
-    validate_signature: true
   }
 
   # Overrides the default options.
   #
-  # @param defaults [Hash] The options to override (see {DEFAULT_OPTIONS} for details).
+  # @param defaults [Hash] The options to override (see {DEFAULT_OPTIONS} for
+  #   details).
   # @return [Hash] The new default options.
   def self.default!(defaults)
     DEFAULT_OPTIONS.merge!(defaults)
   end
 
-  # Creates a signed JSON Web Token (JWS).
+  # Creates a signed JSON Web Token.
   #
-  # @param payload [String/Hash] The payload of the token. Hashes will be encoded as JSON.
-  # @param signer [#name,#sign] The token signer, which may be nil for an unsigned token.
-  # @param header_fields [Hash] Header fields for the token (note: do not include 'alg').
+  # @param payload [String or Hash] The payload of the token. Hashes will be 
+  #   encoded as JSON.
+  # @param signer [#name,#sign] The token signer, which may be nil for an 
+  #   unsigned token.
+  # @param header_fields [Hash] Header fields for the token (note: do not
+  #   include 'alg').
   # @return [String] A signed JSON Web Token.
   def self.encode_token(payload, signer, header_fields = nil)
-    signer ||= Sandal::Sig::None.instance
+    signer ||= Sandal::Sig::NONE
 
     header = {}
-    header['alg'] = signer.name if signer.name != Sandal::Sig::None.instance.name
+    header['alg'] = signer.name if signer.name != Sandal::Sig::NONE.name
     header = header_fields.merge(header) if header_fields
     header = MultiJson.dump(header)
 
     payload = MultiJson.dump(payload) unless payload.is_a?(String)
 
-    secured_input = [header, payload].map { |part| Sandal::Util.base64_encode(part) }.join('.')
-    signature = signer.sign(secured_input)
-    [secured_input, Sandal::Util.base64_encode(signature)].join('.')
+    sec_input = [header, payload].map { |p| jwt_base64_encode(p) }.join('.')
+    signature = signer.sign(sec_input)
+    [sec_input, jwt_base64_encode(signature)].join('.')
   end
 
-  # Decodes and validates a signed JSON Web Token (JWS).
+  # Decodes and validates a signed JSON Web Token.
   #
-  # The block is called with the token header as the first parameter, and should return the appropriate
-  # {Sandal::Sig} to validate the signature. It can optionally have a second options parameter which can
-  # be used to override the {DEFAULT_OPTIONS} on a per-token basis.
+  # The block is called with the token header as the first parameter, and should
+  # return the appropriate signature method to validate the signature. It can
+  # optionally have a second options parameter which can be used to override the
+  # {DEFAULT_OPTIONS} on a per-token basis.
   #
   # @param token [String] The encoded JSON Web Token.
   # @yieldparam header [Hash] The JWT header values.
-  # @yieldparam options [Hash] (Optional) A hash that can be used to override the default options.
+  # @yieldparam options [Hash] (Optional) A hash that can be used to override 
+  #   the default options.
   # @yieldreturn [#valid?] The signature validator.
-  # @return [Hash/String] The payload of the token as a Hash if it was JSON, otherwise as a String.
-  # @raise [Sandal::TokenError] The token format is invalid, or validation of the token failed.
+  # @return [Hash or String] The payload of the token as a Hash if it was JSON, 
+  #   otherwise as a String.
+  # @raise [Sandal::ClaimError] One or more claims in the token is invalid.
+  # @raise [Sandal::TokenError] The token format is invalid, or validation of 
+  #   the token failed.
   def self.decode_token(token)
     parts = token.split('.')
     header, payload, signature = decode_jws_token_parts(parts)
 
     options = DEFAULT_OPTIONS.clone
     validator = yield header, options if block_given?
-    validator ||= Sandal::Sig::None.instance
+    validator ||= Sandal::Sig::NONE
 
-    if options[:validate_signature]
+    unless options[:ignore_signature]
       secured_input = parts.take(2).join('.')
-      raise TokenError, 'Invalid signature.' unless validator.valid?(signature, secured_input)
+      unless validator.valid?(signature, secured_input)
+        raise TokenError, 'Invalid signature.'
+      end
     end
 
     parse_and_validate(payload, header['cty'], options)
   end
 
-  # Creates an encrypted JSON Web Token (JWE).
+  # Creates an encrypted JSON Web Token.
   #
   # @param payload [String] The payload of the token.
-  # @param encrypter [Sandal::Enc] The token encrypter.
-  # @param header_fields [Hash] Header fields for the token (note: do not include 'alg' or 'enc').
+  # @param encrypter [#name,#alg,#encrypt] The token encrypter.
+  # @param header_fields [Hash] Header fields for the token (note: do not
+  #   include 'alg' or 'enc').
   # @return [String] An encrypted JSON Web Token.
   def self.encrypt_token(payload, encrypter, header_fields = nil)
     header = {}
@@ -105,14 +135,23 @@ module Sandal
     encrypter.encrypt(header, payload)
   end
 
-  # Decrypts and validates an encrypted JSON Web Token (JWE).
+  # Decrypts and validates an encrypted JSON Web Token.
+  #
+  # The block is called with the token header as the first parameter, and should
+  # return the appropriate encryption method to decrypt the token. It can
+  # optionally have a second options parameter which can be used to override the
+  # {DEFAULT_OPTIONS} on a per-token basis.
   #
   # @param token [String] The encrypted JSON Web Token.
   # @yieldparam header [Hash] The JWT header values.
-  # @yieldparam options [Hash] (Optional) A hash that can be used to override the default options.
+  # @yieldparam options [Hash] (Optional) A hash that can be used to override
+  #   the default options.
   # @yieldreturn [#decrypt] The token decrypter.
-  # @return [Hash/String] The payload of the token as a Hash if it was JSON, otherwise as a String.
-  # @raise [Sandal::TokenError] The token format is invalid, or decryption/validation of the token failed.
+  # @return [Hash or String] The payload of the token as a Hash if it was JSON,
+  #   otherwise as a String.
+  # @raise [Sandal::ClaimError] One or more claims in the token is invalid.
+  # @raise [Sandal::TokenError] The token format is invalid, or decryption or
+  #   validation of the token failed.
   def self.decrypt_token(token)
     parts = token.split('.')
     decoded_parts = decode_jwe_token_parts(parts)
@@ -144,14 +183,14 @@ private
 
   # Decodes the parts of a token.
   def self.decode_token_parts(parts)
-    parts = parts.map { |part| Sandal::Util.base64_decode(part) }
+    parts = parts.map { |part| jwt_base64_decode(part) }
     parts[0] = MultiJson.load(parts[0])
     parts
   rescue
     raise TokenError, 'Invalid token encoding.'
   end
 
-  # Parses the content of a token and validates the claims if is a JSON claim set.
+  # Parses the content of a token and validates the claims if is JSON claims.
   def self.parse_and_validate(payload, content_type, options)
     return payload if content_type == 'JWT'
 

data/lib/sandal/claims.rb

@@ -1,15 +1,17 @@
 module Sandal
-  # A module that can be mixed into Hash-like objects to provide claims-related functionality.
+  # A module that can be mixed into Hash-like objects to provide claims-related
+  # functionality.
   module Claims
 
     # Validates the set of claims.
     #
-    # @param options [Hash] The validation options (see {Sandal::DEFAULT_OPTIONS} for details).
+    # @param options [Hash] The claim validation options (see 
+    #   {Sandal::DEFAULT_OPTIONS} for details).
     # @return [Hash] A reference to self.
     # @raise [Sandal::ClaimError] One or more claims is invalid.
-    def validate_claims(options)
-      validate_exp(options[:max_clock_skew]) if options[:validate_exp]
-      validate_nbf(options[:max_clock_skew]) if options[:validate_nbf]
+    def validate_claims(options = {})
+      validate_exp(options[:max_clock_skew]) unless options[:ignore_exp]
+      validate_nbf(options[:max_clock_skew]) unless options[:ignore_nbf]
       validate_iss(options[:valid_iss])
       validate_aud(options[:valid_aud])
       self
@@ -19,21 +21,26 @@ module Sandal
     #
     # @param max_clock_skew [Numeric] The maximum clock skew, in seconds.
     # @return [void].
-    # @raise [Sandal::ClaimError] The 'exp' claim is invalid, or the token has expired.
-    def validate_exp(max_clock_skew)
+    # @raise [Sandal::ClaimError] The 'exp' claim is invalid, or the token has 
+    #   expired.
+    def validate_exp(max_clock_skew = 0)
+      max_clock_skew ||= 0
+
       exp = time_claim('exp')
       if exp && exp <= (Time.now - max_clock_skew)
         raise Sandal::ClaimError, 'The token has expired.' 
       end
-      nil
     end
 
     # Validates the not-before claim.
     #
     # @param max_clock_skew [Numeric] The maximum clock skew, in seconds.
     # @return [void].
-    # @raise [Sandal::ClaimError] The 'nbf' claim is invalid, or the token is not valid yet.
-    def validate_nbf(max_clock_skew)
+    # @raise [Sandal::ClaimError] The 'nbf' claim is invalid, or the token is 
+    #   not valid yet.
+    def validate_nbf(max_clock_skew = 0)
+      max_clock_skew ||= 0
+
       nbf = time_claim('nbf')
       if nbf && nbf > (Time.now + max_clock_skew)
         raise Sandal::ClaimError, 'The token is not valid yet.'
@@ -46,8 +53,10 @@ module Sandal
     # @return [void].
     # @raise [Sandal::ClaimError] The 'iss' claim value is not a valid issuer.
     def validate_iss(valid_iss)
-      if valid_iss && valid_iss.length > 0
-        raise Sandal::ClaimError, 'The issuer is invalid.' unless valid_iss.include?(self['iss'])
+      return unless valid_iss && valid_iss.length > 0
+
+      unless valid_iss.include?(self['iss'])
+        raise Sandal::ClaimError, 'The issuer is invalid.'
       end
     end
 
@@ -55,12 +64,15 @@ module Sandal
     #
     # @param valid_aud [Array] The valid audiences.
     # @return [void].
-    # @raise [Sandal::ClaimError] The 'aud' claim value does not contain a valid audience.
+    # @raise [Sandal::ClaimError] The 'aud' claim value does not contain a valid
+    #   audience.
     def validate_aud(valid_aud)
-      if valid_aud && valid_aud.length > 0
-        aud = self['aud']
-        aud = [aud] unless aud.is_a?(Array)
-        raise Sandal::ClaimError, 'The audence is invalid.' unless (aud & valid_aud).length > 0
+      return unless valid_aud && valid_aud.length > 0
+
+      aud = self['aud']
+      aud = [aud] unless aud.is_a?(Array)
+      unless (aud & valid_aud).length > 0
+        raise Sandal::ClaimError, 'The audence is invalid.'
       end
     end
 
@@ -73,7 +85,7 @@ module Sandal
         begin
           Time.at(claim)
         rescue
-          raise ClaimError, "The '#{name}' claim is invalid."
+          raise Sandal::ClaimError, "The '#{name}' claim is invalid."
         end
       end
     end

data/lib/sandal/enc/acbc_hs.rb

@@ -4,8 +4,10 @@ require 'sandal/util'
 module Sandal
   module Enc
 
-    # Base implementation of the AES/CBC+HMAC-SHA family of encryption algorithms.
+    # Base implementation of the AES/CBC+HMAC-SHA family of encryption 
+    # algorithms.
     class ACBC_HS
+      extend Sandal::Util
 
       # The JWA name of the encryption.
       attr_reader :name
@@ -13,11 +15,13 @@ module Sandal
       # The JWA algorithm used to encrypt the content master key.
       attr_reader :alg
 
-      # Creates a new instance; it's probably easier to use one of the subclass constructors.
+      # Creates a new instance; it's probably easier to use one of the subclass 
+      # constructors.
       #
       # @param aes_size [Integer] The size of the AES algorithm.
       # @param sha_size [Integer] The size of the SHA algorithm.
-      # @param key [#name, #encrypt_cmk, #decrypt_cmk] The algorithm to use to encrypt and/or decrypt the AES key.
+      # @param alg [#name, #encrypt_cmk, #decrypt_cmk] The algorithm to use to 
+      #   encrypt and/or decrypt the AES key.
       def initialize(aes_size, sha_size, alg)
         @aes_size = aes_size
         @sha_size = sha_size
@@ -29,55 +33,61 @@ module Sandal
 
       def encrypt(header, payload)
         cipher = OpenSSL::Cipher.new(@cipher_name).encrypt
-        content_master_key = @alg.respond_to?(:cmk) ? @alg.cmk : cipher.random_key
-        encrypted_key = @alg.encrypt_cmk(content_master_key)
+        cmk = @alg.respond_to?(:cmk) ? @alg.cmk : cipher.random_key
+        encrypted_key = @alg.encrypt_cmk(cmk)
 
-        cipher.key = derive_encryption_key(content_master_key) 
+        cipher.key = derive_encryption_key(cmk) 
         iv = cipher.random_iv
         ciphertext = cipher.update(payload) + cipher.final
 
-        secured_parts = [MultiJson.dump(header), encrypted_key, iv, ciphertext]
-        secured_input = secured_parts.map { |part| Sandal::Util.base64_encode(part) }.join('.')
-        content_integrity_key = derive_integrity_key(content_master_key)
-        integrity_value = compute_integrity_value(content_integrity_key, secured_input)
+        sec_parts = [MultiJson.dump(header), encrypted_key, iv, ciphertext]
+        sec_input = sec_parts.map { |part| jwt_base64_encode(part) }.join('.')
+        cik = derive_integrity_key(cmk)
+        integrity_value = compute_integrity_value(cik, sec_input)
 
-        secured_input << '.' << Sandal::Util.base64_encode(integrity_value)
+        sec_input << '.' << jwt_base64_encode(integrity_value)
       end
 
       def decrypt(parts, decoded_parts)
-        content_master_key = @alg.decrypt_cmk(decoded_parts[1])
+        cmk = @alg.decrypt_cmk(decoded_parts[1])
         
-        content_integrity_key = derive_integrity_key(content_master_key)
-        computed_integrity_value = compute_integrity_value(content_integrity_key, parts.take(4).join('.'))
-        raise Sandal::TokenError, 'Invalid integrity value.' unless decoded_parts[4] == computed_integrity_value
+        cik = derive_integrity_key(cmk)
+        integrity_value = compute_integrity_value(cik, parts.take(4).join('.'))
+        unless jwt_strings_equal?(decoded_parts[4], integrity_value)
+          raise Sandal::TokenError, 'Invalid integrity value.'
+        end
 
         cipher = OpenSSL::Cipher.new(@cipher_name).decrypt
-        cipher.key = derive_encryption_key(content_master_key)
-        cipher.iv = decoded_parts[2]
-        cipher.update(decoded_parts[3]) + cipher.final
+        begin
+          cipher.key = derive_encryption_key(cmk)
+          cipher.iv = decoded_parts[2]
+          cipher.update(decoded_parts[3]) + cipher.final
+        rescue OpenSSL::Cipher::CipherError
+          raise Sandal::TokenError, 'Invalid token.'
+        end
       end
 
     private
 
       # Computes the integrity value.
-      def compute_integrity_value(content_integrity_key, secured_input)
-        OpenSSL::HMAC.digest(@digest, content_integrity_key, secured_input)
+      def compute_integrity_value(cik, sec_input)
+        OpenSSL::HMAC.digest(@digest, cik, sec_input)
       end
 
       # Derives the content encryption key from the content master key.
-      def derive_encryption_key(content_master_key)
-        derive_content_key('Encryption', content_master_key, @aes_size)
+      def derive_encryption_key(cmk)
+        derive_content_key('Encryption', cmk, @aes_size)
       end
 
       # Derives the content integrity key from the content master key.
-      def derive_integrity_key(content_master_key)
-        derive_content_key('Integrity', content_master_key, @sha_size)
+      def derive_integrity_key(cmk)
+        derive_content_key('Integrity', cmk, @sha_size)
       end
 
       # Derives content keys using the Concat KDF.
-      def derive_content_key(label, content_master_key, size)
+      def derive_content_key(label, cmk, size)
         hash_input = [1].pack('N')
-        hash_input << content_master_key
+        hash_input << cmk
         hash_input << [size].pack('N')
         hash_input << @name.encode('utf-8')
         hash_input << [0].pack('N')