sandal 0.2.0 → 0.3.0

data/spec/sandal/enc/shared_examples.rb

@@ -0,0 +1,37 @@
+require 'helper'
+require 'securerandom'
+
+shared_examples 'algorithm compatibility' do |enc_class|
+
+  it 'can encrypt and decrypt tokens with the "dir" algorithm' do
+    payload = 'Some text to encrypt'
+    content_master_key = SecureRandom.random_bytes(32)
+    encrypter = enc_class.new(Sandal::Enc::Alg::Direct.new(content_master_key))
+    token = Sandal.encrypt_token(payload, encrypter)
+    output = Sandal.decrypt_token(token) { encrypter }
+    output.should == payload
+  end
+
+  it 'can encrypt and decrypt tokens with the RSA1_5 algorithm' do
+    payload = 'Some other text to encrypt'
+    rsa = OpenSSL::PKey::RSA.new(2048)
+    encrypter = enc_class.new(Sandal::Enc::Alg::RSA1_5.new(rsa.public_key))
+    token = Sandal.encrypt_token(payload, encrypter)
+    output = Sandal.decrypt_token(token) do 
+      enc_class.new(Sandal::Enc::Alg::RSA1_5.new(rsa))
+    end
+    output.should == payload
+  end
+
+  it 'can encrypt and decrypt tokens with the RSA-OAEP algorithm' do
+    payload = 'Some more text to encrypt'
+    rsa = OpenSSL::PKey::RSA.new(2048)
+    encrypter = enc_class.new(Sandal::Enc::Alg::RSA_OAEP.new(rsa.public_key))
+    token = Sandal.encrypt_token(payload, encrypter)
+    output = Sandal.decrypt_token(token) do 
+      enc_class.new(Sandal::Enc::Alg::RSA_OAEP.new(rsa))
+    end
+    output.should == payload
+  end
+
+end

data/spec/sandal/sig/es_spec.rb

@@ -1,6 +1,8 @@
 require 'helper'
 require 'openssl'
 
+include Sandal::Util
+
 # EC isn't implemented in jruby-openssl at the moment
 if defined? Sandal::Sig::ES
 
@@ -26,7 +28,7 @@ describe Sandal::Sig::ES do
     r = make_bn([14, 209, 33, 83, 121, 99, 108, 72, 60, 47, 127, 21, 88, 7, 212, 2, 163, 178, 40, 3, 58, 249, 124, 126, 23, 129, 154, 195, 22, 158, 166, 101]  )
     s = make_bn([197, 10, 7, 211, 140, 60, 112, 229, 216, 241, 45, 175, 8, 74, 84, 128, 166, 101, 144, 197, 242, 147, 80, 154, 143, 63, 127, 138, 131, 163, 84, 213])
     signature = Sandal::Sig::ES.encode_jws_signature(r, s, 256)
-    base64_signature = Sandal::Util.base64_encode(signature)
+    base64_signature = jwt_base64_encode(signature)
     base64_signature.should == 'DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q'
   end
 
@@ -34,7 +36,7 @@ describe Sandal::Sig::ES do
     r = make_bn([1, 220, 12, 129, 231, 171, 194, 209, 232, 135, 233, 117, 247, 105, 122, 210, 26, 125, 192, 1, 217, 21, 82, 91, 45, 240, 255, 83, 19, 34, 239, 71, 48, 157, 147, 152, 105, 18, 53, 108, 163, 214, 68, 231, 62, 153, 150, 106, 194, 164, 246, 72, 143, 138, 24, 50, 129, 223, 133, 206, 209, 172, 63, 237, 119, 109]    )
     s = make_bn([0, 111, 6, 105, 44, 5, 41, 208, 128, 61, 152, 40, 92, 61, 152, 4, 150, 66, 60, 69, 247, 196, 170, 81, 193, 199, 78, 59, 194, 169, 16, 124, 9, 143, 42, 142, 131, 48, 206, 238, 34, 175, 83, 203, 220, 159, 3, 107, 155, 22, 27, 73, 111, 68, 68, 21, 238, 144, 229, 232, 148, 188, 222, 59, 242, 103] )
     signature = Sandal::Sig::ES.encode_jws_signature(r, s, 521)
-    base64_signature = Sandal::Util.base64_encode(signature)
+    base64_signature = jwt_base64_encode(signature)
     base64_signature.should == 'AdwMgeerwtHoh-l192l60hp9wAHZFVJbLfD_UxMi70cwnZOYaRI1bKPWROc-mZZqwqT2SI-KGDKB34XO0aw_7XdtAG8GaSwFKdCAPZgoXD2YBJZCPEX3xKpRwcdOO8KpEHwJjyqOgzDO7iKvU8vcnwNrmxYbSW9ERBXukOXolLzeO_Jn'
   end
 
@@ -54,12 +56,36 @@ describe Sandal::Sig::ES256 do
     validator.valid?(signature, data).should == true
   end
 
+  it 'can use string keys to sign data and verify signatures' do
+    private_key = <<KEY_END
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEII1Ar4w2EVK6wNL84EpVTVY7XXXVmVqyvjZ4EW9kBGhSoAoGCCqGSM49
+AwEHoUQDQgAEVnYRY+AEiU+UNdYzl+KtuWvdAfKBoAmEekv4icfZQCbLew/eXIlv
+32E8+j0bFYwYi3XjxCJXRE3S2iWPEEygcA==
+-----END EC PRIVATE KEY-----
+KEY_END
+    public_key = <<KEY_END
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEVnYRY+AEiU+UNdYzl+KtuWvdAfKB
+oAmEekv4icfZQCbLew/eXIlv32E8+j0bFYwYi3XjxCJXRE3S2iWPEEygcA==
+-----END PUBLIC KEY-----
+KEY_END
+    data = 'Hello ES256'
+    signer = Sandal::Sig::ES256.new(private_key)
+    signature = signer.sign(data)
+    validator = Sandal::Sig::ES256.new(public_key)
+    validator.valid?(signature, data).should == true
+  end
+
   it 'can verify the signature in JWS section A3.1' do
     x = make_bn([127, 205, 206, 39, 112, 246, 196, 93, 65, 131, 203, 238, 111, 219, 75, 123, 88, 7, 51, 53, 123, 233, 239, 19, 186, 207, 110, 60, 123, 209, 84, 69])
     y = make_bn([199, 241, 68, 205, 27, 189, 155, 126, 135, 44, 223, 237, 185, 238, 185, 244, 179, 105, 93, 110, 169, 11, 36, 173, 138, 70, 35, 40, 133, 136, 229, 173])
     d = make_bn([142, 155, 16, 158, 113, 144, 152, 191, 152, 4, 135, 223, 31, 93, 119, 233, 203, 41, 96, 110, 190, 210, 38, 59, 95, 87, 194, 19, 223, 132, 244, 178])
     data = 'eyJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ'
-    signature = Sandal::Util.base64_decode('DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q')
+    signature = jwt_base64_decode('DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q')
 
     group = OpenSSL::PKey::EC::Group.new('prime256v1') 
     public_key = OpenSSL::PKey::EC.new(group)
@@ -73,7 +99,7 @@ describe Sandal::Sig::ES256 do
     y = make_bn([199, 241, 68, 205, 27, 189, 155, 126, 135, 44, 223, 237, 185, 238, 185, 244, 179, 105, 93, 110, 169, 11, 36, 173, 138, 70, 35, 40, 133, 136, 229, 173])
     d = make_bn([142, 155, 16, 158, 113, 144, 152, 191, 152, 4, 135, 223, 31, 93, 119, 233, 203, 41, 96, 110, 190, 210, 38, 59, 95, 87, 194, 19, 223, 132, 244, 178])
     data = 'not the data that was signed'
-    signature = Sandal::Util.base64_decode('DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q')
+    signature = jwt_base64_decode('DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q')
 
     group = OpenSSL::PKey::EC::Group.new('prime256v1') 
     public_key = OpenSSL::PKey::EC.new(group)
@@ -104,6 +130,32 @@ describe Sandal::Sig::ES384 do
     validator.valid?(signature, data).should == true
   end
 
+  it 'can use string keys to sign data and verify signatures' do
+    private_key = <<KEY_END
+-----BEGIN EC PARAMETERS-----
+BgUrgQQAIg==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDDHWNCqR7V8EQS1aeCWXJ6arxaj31tvfBozSVDhbgzvFsFM9tbgbhTb
+1PGWXJEP91SgBwYFK4EEACKhZANiAASSjX9LH/BrmGp6WoHN/gBYN3Su/nIAApwM
+iuFPbUFcWamxo8hUUTxLpdwvrrEHIVV2urXaVc0KHdSo93bVEHMOvLYjpXFXu+8f
+6Fu17ofcECDNIaI9A+uydWY3E/cJUDM=
+-----END EC PRIVATE KEY-----
+KEY_END
+    public_key = <<KEY_END
+-----BEGIN PUBLIC KEY-----
+MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEko1/Sx/wa5hqelqBzf4AWDd0rv5yAAKc
+DIrhT21BXFmpsaPIVFE8S6XcL66xByFVdrq12lXNCh3UqPd21RBzDry2I6VxV7vv
+H+hbte6H3BAgzSGiPQPrsnVmNxP3CVAz
+-----END PUBLIC KEY-----
+KEY_END
+    data = 'Hello ES384'
+    signer = Sandal::Sig::ES384.new(private_key)
+    signature = signer.sign(data)
+    validator = Sandal::Sig::ES384.new(public_key)
+    validator.valid?(signature, data).should == true
+  end
+
   it 'raises an argument error if the key has the wrong curve' do
     group = OpenSSL::PKey::EC::Group.new('secp521r1') 
     private_key = OpenSSL::PKey::EC.new(group).generate_key
@@ -126,12 +178,40 @@ describe Sandal::Sig::ES512 do
     validator.valid?(signature, data).should == true
   end
 
+  it 'can use string keys to sign data and verify signatures' do
+    private_key = <<KEY_END
+-----BEGIN EC PARAMETERS-----
+BgUrgQQAIw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIBQokOnEjac/cnqtuEPrS+ekzObqwN4wcsh4MgW1M9D/lC+cfHcgso
+QhdmC1fZEYV9G3eiVYRO818XBrgzX8sOqQGgBwYFK4EEACOhgYkDgYYABADWDbxx
+FZHDy5nzP+tL1AcDgbVtZbin6jOz3E0EPzjDJS8267XROdSLxh/FdM54HaZ5ak2D
+q0VThSOquJdkiy6jyAEOlXLeznDrV9ZP9ddFFFA8OMM2aImU+HdGq6rlWrAs7qMU
+tu6lP9k3+WHD7Z1+YkCafox+lpraE4NrnlkVqO2RVg==
+-----END EC PRIVATE KEY-----
+KEY_END
+    public_key = <<KEY_END
+-----BEGIN PUBLIC KEY-----
+MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA1g28cRWRw8uZ8z/rS9QHA4G1bWW4
+p+ozs9xNBD84wyUvNuu10TnUi8YfxXTOeB2meWpNg6tFU4UjqriXZIsuo8gBDpVy
+3s5w61fWT/XXRRRQPDjDNmiJlPh3Rquq5VqwLO6jFLbupT/ZN/lhw+2dfmJAmn6M
+fpaa2hODa55ZFajtkVY=
+-----END PUBLIC KEY-----
+KEY_END
+    data = 'Hello ES512'
+    signer = Sandal::Sig::ES512.new(private_key)
+    signature = signer.sign(data)
+    validator = Sandal::Sig::ES512.new(public_key)
+    validator.valid?(signature, data).should == true
+  end
+
   it 'can verify the signature in JWS section A4.1' do
     x = make_bn([1, 233, 41, 5, 15, 18, 79, 198, 188, 85, 199, 213, 57, 51, 101, 223, 157, 239, 74, 176, 194, 44, 178, 87, 152, 249, 52, 235, 4, 227, 198, 186, 227, 112, 26, 87, 167, 145, 14, 157, 129, 191, 54, 49, 89, 232, 235, 203, 21, 93, 99, 73, 244, 189, 182, 204, 248, 169, 76, 92, 89, 199, 170, 193, 1, 164])
     y = make_bn([0, 52, 166, 68, 14, 55, 103, 80, 210, 55, 31, 209, 189, 194, 200, 243, 183, 29, 47, 78, 229, 234, 52, 50, 200, 21, 204, 163, 21, 96, 254, 93, 147, 135, 236, 119, 75, 85, 131, 134, 48, 229, 203, 191, 90, 140, 190, 10, 145, 221, 0, 100, 198, 153, 154, 31, 110, 110, 103, 250, 221, 237, 228, 200, 200, 246])
     d = make_bn([1, 142, 105, 111, 176, 52, 80, 88, 129, 221, 17, 11, 72, 62, 184, 125, 50, 206, 73, 95, 227, 107, 55, 69, 237, 242, 216, 202, 228, 240, 242, 83, 159, 70, 21, 160, 233, 142, 171, 82, 179, 192, 197, 234, 196, 206, 7, 81, 133, 168, 231, 187, 71, 222, 172, 29, 29, 231, 123, 204, 246, 97, 53, 230, 61, 130]  )
     data = 'eyJhbGciOiJFUzUxMiJ9.UGF5bG9hZA'
-    signature = Sandal::Util.base64_decode('AdwMgeerwtHoh-l192l60hp9wAHZFVJbLfD_UxMi70cwnZOYaRI1bKPWROc-mZZqwqT2SI-KGDKB34XO0aw_7XdtAG8GaSwFKdCAPZgoXD2YBJZCPEX3xKpRwcdOO8KpEHwJjyqOgzDO7iKvU8vcnwNrmxYbSW9ERBXukOXolLzeO_Jn')
+    signature = jwt_base64_decode('AdwMgeerwtHoh-l192l60hp9wAHZFVJbLfD_UxMi70cwnZOYaRI1bKPWROc-mZZqwqT2SI-KGDKB34XO0aw_7XdtAG8GaSwFKdCAPZgoXD2YBJZCPEX3xKpRwcdOO8KpEHwJjyqOgzDO7iKvU8vcnwNrmxYbSW9ERBXukOXolLzeO_Jn')
 
     group = OpenSSL::PKey::EC::Group.new('secp521r1') 
     public_key = OpenSSL::PKey::EC.new(group)
@@ -145,7 +225,7 @@ describe Sandal::Sig::ES512 do
     y = make_bn([0, 52, 166, 68, 14, 55, 103, 80, 210, 55, 31, 209, 189, 194, 200, 243, 183, 29, 47, 78, 229, 234, 52, 50, 200, 21, 204, 163, 21, 96, 254, 93, 147, 135, 236, 119, 75, 85, 131, 134, 48, 229, 203, 191, 90, 140, 190, 10, 145, 221, 0, 100, 198, 153, 154, 31, 110, 110, 103, 250, 221, 237, 228, 200, 200, 246])
     d = make_bn([1, 142, 105, 111, 176, 52, 80, 88, 129, 221, 17, 11, 72, 62, 184, 125, 50, 206, 73, 95, 227, 107, 55, 69, 237, 242, 216, 202, 228, 240, 242, 83, 159, 70, 21, 160, 233, 142, 171, 82, 179, 192, 197, 234, 196, 206, 7, 81, 133, 168, 231, 187, 71, 222, 172, 29, 29, 231, 123, 204, 246, 97, 53, 230, 61, 130]  )
     data = 'not the data that was signed'
-    signature = Sandal::Util.base64_decode('AdwMgeerwtHoh-l192l60hp9wAHZFVJbLfD_UxMi70cwnZOYaRI1bKPWROc-mZZqwqT2SI-KGDKB34XO0aw_7XdtAG8GaSwFKdCAPZgoXD2YBJZCPEX3xKpRwcdOO8KpEHwJjyqOgzDO7iKvU8vcnwNrmxYbSW9ERBXukOXolLzeO_Jn')
+    signature = jwt_base64_decode('AdwMgeerwtHoh-l192l60hp9wAHZFVJbLfD_UxMi70cwnZOYaRI1bKPWROc-mZZqwqT2SI-KGDKB34XO0aw_7XdtAG8GaSwFKdCAPZgoXD2YBJZCPEX3xKpRwcdOO8KpEHwJjyqOgzDO7iKvU8vcnwNrmxYbSW9ERBXukOXolLzeO_Jn')
 
     group = OpenSSL::PKey::EC::Group.new('secp521r1') 
     public_key = OpenSSL::PKey::EC.new(group)

data/spec/sandal/sig/rs_spec.rb

@@ -1,7 +1,49 @@
 require 'helper'
 require 'openssl'
 
+rsa_private_key = <<KEY_END
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA4lt7zb5RlxwLVvw2mOKW06AGrBW3kfUVIkV6lImwqRps6jpZ
+UNBOUkLjqIipXBkKeG6TbL46z4Rw2oEcUTTpOgm/9XEiJP/7nfkK/Sr6cChVLDr5
+sohKnxkADrltdNwUUF0gPlK0REa2wiEvpd00D46Sfxfa5kpe/oYajCyRtesmGyrD
+iD4BKJIaHTal4613l1k8HWhzza4qztbufZ4BMPfHkjyjOBWLsYSU0axI86b5WnxJ
+KZUyghxeL51jYqV5eSeMBC3rr+HHuwdF3ulhvDo0jUxGjFJBG/6ZUheVNAGrAvD8
+5RV3tp8ukcc02t2l0Z97PWDcZHpiiul+DvvmeQIDAQABAoIBADy56lbiDiWKAojN
+lSAi+e/AaMnV8a+YnpjZJu+emORlEH8uNDP4DmsHQug98aGhnit9DtQHnON7VoNo
+S96FYWSOpQ8F0PE4M5rH62jMFO/uAhuhnseExPA11swcdv745AJDWZkeuvnuNq2S
+FaRb2dGqoCa0kadioGWMOKcOdfDlqcBApTI5IWy67wLJwF7+qTS+BT7BVAreQnQf
+2qlYXSPWBxpL8iGobBGXQlsWTdiYDalrfyV0mvJaXxwHml3PMxyVrJyIvbc0HgMn
+YqrBgnWrCz7FIU+8OXd4XFGqD09QpHn7SkdLvgXNlSy5fi3SeLN+ClyP1XvrFQYk
+KhfCbwECgYEA/CpsxJEZzwCtvBeHlhNvEV5H2O0HI7Wb+pN5J3QyhMjdOc8KZozx
+8D3hj6+I2NJM/Uj0V27LH0R92H29fKLjXUjtRwHtrV33PXWQAMzSS8gHOdeQe8iP
+GgdAVDdDJsCR3W5oXEQGj7q8QgLAVdV0X9jZ6BG2MGIbdMi6SUE7DlECgYEA5cyY
+/diePvEcXsEX8AgraOGwH+E4w+d21uJPjh4UpBhiJdrqEdZ2bjKtpl6czKmqu4tx
+R7WNHqRd8LyUpdGHNvQU+kg1Uc1y1hy8HR1x1lZQYMBi4qkB1P6G08RHEL/oilxO
+F1EIxYpwHbW/ZVXzGAyIr4Z9xGMLE5j9jVTsg6kCgYB4JdaxSdmcMdyVtDhcH2Ja
+Siu9hiJSt2NcXwvo6opvji0qMCXqetmD+FgS2DZB6OHaBPq29gk+GqpDjpXMXugq
+OGcl4BtY8V6uH+e/GdhRVztqKfWjpQnaAv55oeMTAcn+UW7UF21w6i5s3Va7Dvtl
+97LLyjSelQA0ArgP007KIQKBgQDDzDAPGiK7PnUNxzi+LDfQhXurrhrP0MhRD0L5
+tGeh6aS23G/UAwelnUiYGMVBHM98PLOohehX03S3Sfbd0kmDaTT2i8/ig0r1ZEZk
+CFKWbbTOux2GQrps4PHAPdzPSLS6LyvachEnP22H4vPRRAp80zEjXVSLoFgvuotP
+gKyFAQKBgBuMvB9XVILcn8IcZ3ax9B8agU4jeBLScoBV25GvSq7hUaFaNC4WMHzf
+8av7nDTzlZlLLDMB8rvpz66gMWIWGeU5JWYJaiLMM/JeS9UJOo/6Wn10MvtNSBXH
+30+kWAHpOSjtxL7tzmMrb46krFS/0iYDFKiLtIPNiacjxlEzBTZL
+-----END RSA PRIVATE KEY-----
+KEY_END
+rsa_public_key = <<KEY_END
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4lt7zb5RlxwLVvw2mOKW
+06AGrBW3kfUVIkV6lImwqRps6jpZUNBOUkLjqIipXBkKeG6TbL46z4Rw2oEcUTTp
+Ogm/9XEiJP/7nfkK/Sr6cChVLDr5sohKnxkADrltdNwUUF0gPlK0REa2wiEvpd00
+D46Sfxfa5kpe/oYajCyRtesmGyrDiD4BKJIaHTal4613l1k8HWhzza4qztbufZ4B
+MPfHkjyjOBWLsYSU0axI86b5WnxJKZUyghxeL51jYqV5eSeMBC3rr+HHuwdF3ulh
+vDo0jUxGjFJBG/6ZUheVNAGrAvD85RV3tp8ukcc02t2l0Z97PWDcZHpiiul+Dvvm
+eQIDAQAB
+-----END PUBLIC KEY-----
+KEY_END
+
 describe Sandal::Sig::RS256 do
+
   it 'can sign data and verify signatures' do
     data = 'Hello RS256'
     private_key = OpenSSL::PKey::RSA.generate(2048)
@@ -10,9 +52,19 @@ describe Sandal::Sig::RS256 do
     validator = Sandal::Sig::RS256.new(private_key.public_key)
     validator.valid?(signature, data).should == true
   end
+
+  it 'can use string keys to sign data and verify signatures' do
+    data = 'Hello RS256'
+    signer = Sandal::Sig::RS256.new(rsa_private_key)
+    signature = signer.sign(data)
+    validator = Sandal::Sig::RS256.new(rsa_public_key)
+    validator.valid?(signature, data).should == true
+  end
+
 end
 
 describe Sandal::Sig::RS384 do
+
   it 'can sign data and verify signatures' do
     data = 'Hello RS384'
     private_key = OpenSSL::PKey::RSA.generate(2048)
@@ -21,9 +73,19 @@ describe Sandal::Sig::RS384 do
     validator = Sandal::Sig::RS384.new(private_key.public_key)
     validator.valid?(signature, data).should == true
   end
+
+  it 'can use string keys to sign data and verify signatures' do
+    data = 'Hello RS384'
+    signer = Sandal::Sig::RS384.new(rsa_private_key)
+    signature = signer.sign(data)
+    validator = Sandal::Sig::RS384.new(rsa_public_key)
+    validator.valid?(signature, data).should == true
+  end
+
 end
 
 describe Sandal::Sig::RS512 do
+  
   it 'can sign data and verify signatures' do
     data = 'Hello RS512'
     private_key = OpenSSL::PKey::RSA.generate(2048)
@@ -32,4 +94,13 @@ describe Sandal::Sig::RS512 do
     validator = Sandal::Sig::RS512.new(private_key.public_key)
     validator.valid?(signature, data).should == true
   end
+
+  it 'can use string keys to sign data and verify signatures' do
+    data = 'Hello RS512'
+    signer = Sandal::Sig::RS512.new(rsa_private_key)
+    signature = signer.sign(data)
+    validator = Sandal::Sig::RS512.new(rsa_public_key)
+    validator.valid?(signature, data).should == true
+  end
+
 end

data/spec/sandal/util_spec.rb

@@ -1,37 +1,77 @@
 require 'helper'
 require 'openssl'
+require 'benchmark'
+
+include Sandal::Util
 
 describe Sandal::Util do
 
-  it 'encodes and decodes base64 as per JWT example 6.1' do
-    src =  "{\"iss\":\"joe\",\r\n \"exp\":1300819380,\r\n \"http://example.com/is_root\":true}" 
-    encoded = Sandal::Util.base64_encode(src)
-    encoded.should == 'eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ'
-    val = Sandal::Util.base64_decode(encoded)
-    val.should == src
-  end
+  context '#jwt_base64_decode' do
 
-  it 'raises a token error if base64 strings contain padding' do
-    expect { Sandal::Util.base64_decode('eyJpc3MiOiJq=') }.to raise_error Sandal::TokenError
-  end
+    it 'decodes base64 as per JWT example 6.1' do
+      encoded = 'eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ'
+      val = jwt_base64_decode(encoded)
+      val.should == %!{"iss":"joe",\r\n "exp":1300819380,\r\n "http://example.com/is_root":true}!
+    end
 
-  it 'compares nil strings as equal' do
-    Sandal::Util.secure_equals(nil, nil).should == true
-  end
+    it 'raises an ArgumentError if base64 strings contain padding' do
+      expect { jwt_base64_decode('eyJpc3MiOiJq=') }.to raise_error ArgumentError
+    end
+
+    it 'raises an ArgumentError if base64 strings are invalid' do
+      expect { jwt_base64_decode('not valid base64') }.to raise_error ArgumentError
+    end
 
-  it 'compares nil strings as unequal to empty strings' do
-    Sandal::Util.secure_equals(nil, '').should == false
-    Sandal::Util.secure_equals('', nil).should == false
   end
 
-  it 'compares equal strings as equal' do
-    Sandal::Util.secure_equals('hello', 'hello').should == true
-    Sandal::Util.secure_equals('a longer string', 'a longer string').should == true
+  context '#jwt_base64_encode' do
+
+    it 'encodes base64 as per JWT example 6.1' do
+      src =  %!{"iss":"joe",\r\n "exp":1300819380,\r\n "http://example.com/is_root":true}!
+      encoded = jwt_base64_encode(src)
+      encoded.should == 'eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ'
+    end
+
   end
 
-  it 'compares unequal strings as unequal' do
-    Sandal::Util.secure_equals('hello', 'world').should == false
-    Sandal::Util.secure_equals('a longer string', 'a different longer string').should == false
+  context '#jwt_strings_equal?' do
+
+    it 'compares nil strings as equal' do
+      jwt_strings_equal?(nil, nil).should == true
+    end
+
+    it 'compares empty strings as equal' do
+      jwt_strings_equal?('', '').should == true
+    end
+
+    it 'compares nil strings as unequal to empty strings' do
+      jwt_strings_equal?(nil, '').should == false
+      jwt_strings_equal?('', nil).should == false
+    end
+
+    it 'compares equal strings as equal' do
+      jwt_strings_equal?('hello', 'hello').should == true
+      jwt_strings_equal?('a longer string', 'a longer string').should == true
+    end
+
+    it 'compares unequal strings as unequal' do
+      jwt_strings_equal?('hello', 'world').should == false
+      jwt_strings_equal?('a longer string', 'a different longer string').should == false
+    end
+
+    it 'compares strings without short-circuiting', :timing_dependent do
+      measure_equals = -> a, b do
+        Benchmark.realtime { 100.times { jwt_strings_equal?(a, b) } } 
+      end
+      ref = 'a' * 10000
+      cmp1 = ('a' * 9999) + 'b'
+      cmp2 = 'a' + ('b' * 9999)
+      t1 = measure_equals.(ref, cmp1)
+      t2 = measure_equals.(ref, cmp2)
+      range = (t1 - t1/20.0)..(t1 + t1/20.0)
+      range.should === t2
+    end
+
   end
 
 end

data/spec/sandal_spec.rb

@@ -45,14 +45,20 @@ describe Sandal do
     expect { Sandal.decode_token(token) }.to raise_error Sandal::ClaimError
   end
 
-  it 'does not raise an error when the expiry date is far in the past but validation is disabled' do
+  it 'does not raise an error when the expiry date is in the past but validation is disabled' do
     token = Sandal.encode_token({ 'exp' => (Time.now - 600).to_i }, nil)
-    Sandal.decode_token(token) { |header, options| options[:validate_exp] = false }
+    Sandal.decode_token(token) do |header, options| 
+      options[:ignore_exp] = true
+      nil
+    end
   end
 
   it 'does not raise an error when the expiry date is in the past but within the clock skew' do
     token = Sandal.encode_token({ 'exp' => (Time.now - 60).to_i }, nil)
-    Sandal.decode_token(token)
+    Sandal.decode_token(token) do |header, options|
+      options[:max_clock_skew] = 300
+      nil
+    end
   end
 
   it 'does not raise an error when the expiry date is valid' do
@@ -70,14 +76,20 @@ describe Sandal do
     expect { Sandal.decode_token(token) }.to raise_error Sandal::ClaimError
   end
 
-  it 'does not raise an error when the not-before date is far in the future but validation is disabled' do
+  it 'does not raise an error when the not-before date is in the future but validation is disabled' do
     token = Sandal.encode_token({ 'nbf' => (Time.now + 600).to_i }, nil)
-    Sandal.decode_token(token) { |header, options| options[:validate_nbf] = false }
+    Sandal.decode_token(token) do |header, options| 
+      options[:ignore_nbf] = true
+      nil
+    end
   end
 
   it 'does not raise an error when the not-before date is in the future but within the clock skew' do
     token = Sandal.encode_token({ 'nbf' => (Time.now + 60).to_i }, nil)
-    Sandal.decode_token(token)
+    Sandal.decode_token(token) do |header, options|
+      options[:max_clock_skew] = 300
+      nil
+    end
   end
 
   it 'does not raise an error when the not-before is valid' do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sandal
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Greg Beech
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-04-05 00:00:00.000000000 Z
+date: 2013-04-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: multi_json
@@ -66,6 +66,20 @@ dependencies:
     - - '>='
       - !ruby/object:Gem::Version
         version: '2.13'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0.7'
 - !ruby/object:Gem::Dependency
   name: coveralls
   requirement: !ruby/object:Gem::Requirement
@@ -144,8 +158,13 @@ files:
 - lib/sandal/version.rb
 - sandal.gemspec
 - spec/helper.rb
+- spec/sandal/claims_spec.rb
 - spec/sandal/enc/a128cbc_hs256_spec.rb
 - spec/sandal/enc/a128gcm_spec.rb
+- spec/sandal/enc/a256cbc_hs512_spec.rb
+- spec/sandal/enc/a256gcm_spec.rb
+- spec/sandal/enc/alg/direct_spec.rb
+- spec/sandal/enc/shared_examples.rb
 - spec/sandal/sig/es_spec.rb
 - spec/sandal/sig/hs_spec.rb
 - spec/sandal/sig/rs_spec.rb
@@ -178,8 +197,13 @@ specification_version: 4
 summary: A JSON Web Token (JWT) library.
 test_files:
 - spec/helper.rb
+- spec/sandal/claims_spec.rb
 - spec/sandal/enc/a128cbc_hs256_spec.rb
 - spec/sandal/enc/a128gcm_spec.rb
+- spec/sandal/enc/a256cbc_hs512_spec.rb
+- spec/sandal/enc/a256gcm_spec.rb
+- spec/sandal/enc/alg/direct_spec.rb
+- spec/sandal/enc/shared_examples.rb
 - spec/sandal/sig/es_spec.rb
 - spec/sandal/sig/hs_spec.rb
 - spec/sandal/sig/rs_spec.rb