RubyGems - sandal - Versions diffs - 0.4.0 → 0.5.0 - Mend

sandal 0.4.0 → 0.5.0

Files changed (35) hide show

checksums.yaml +4 -4
data/.travis.yml +0 -1
data/CHANGELOG.md +14 -0
data/README.md +1 -1
data/lib/sandal.rb +77 -76
data/lib/sandal/claims.rb +13 -13
data/lib/sandal/enc.rb +15 -49
data/lib/sandal/enc/acbc_hs.rb +97 -52
data/lib/sandal/enc/agcm.rb +64 -26
data/lib/sandal/enc/alg.rb +2 -3
data/lib/sandal/enc/alg/direct.rb +27 -25
data/lib/sandal/enc/alg/rsa.rb +82 -0
data/lib/sandal/sig.rb +12 -12
data/lib/sandal/sig/es.rb +43 -25
data/lib/sandal/sig/hs.rb +21 -8
data/lib/sandal/sig/rs.rb +34 -23
data/lib/sandal/util.rb +7 -7
data/lib/sandal/version.rb +1 -1
data/spec/helper.rb +1 -0
data/spec/sample_keys.rb +28 -0
data/spec/sandal/claims_spec.rb +4 -4
data/spec/sandal/enc/a128cbc_hs256_spec.rb +15 -39
data/spec/sandal/enc/a128gcm_spec.rb +13 -6
data/spec/sandal/enc/a256cbc_hs512_spec.rb +13 -4
data/spec/sandal/enc/a256gcm_spec.rb +15 -37
data/spec/sandal/enc/alg/direct_spec.rb +27 -33
data/spec/sandal/enc/alg/rsa_spec.rb +100 -0
data/spec/sandal/enc/shared_examples.rb +93 -21
data/spec/sandal/sig/es_spec.rb +145 -188
data/spec/sandal/sig/hs_spec.rb +73 -18
data/spec/sandal/sig/rs_spec.rb +81 -78
metadata +7 -6
data/lib/sandal/enc/alg/rsa1_5.rb +0 -47
data/lib/sandal/enc/alg/rsa_oaep.rb +0 -48
data/spec/sandal/enc/alg/rsa1_5_spec.rb +0 -40

@@ -1,5 +1,5 @@
-require 'helper'
-require 'openssl'
+require "helper"
+require "openssl"
 include Sandal::Util
@@ -7,237 +7,194 @@ include Sandal::Util
 if defined? Sandal::Sig::ES
 def make_point(group, x, y)
-  def pad(c)
-    if c.length <= 64
-      padding_length = 64 - c.length
-    elsif c.length <= 96
-      padding_length = 96 - c.length
-    elsif c.length <= 132
-      padding_length = 132 - c.length
-    end
-    ('0' * padding_length) + c
-  end
-  str = '04' + pad(x.to_s(16)) + pad(y.to_s(16))
+  group_size = group.curve_name.match(/(\d+)/)[0].to_i
+  bn_size = ((group_size + 7) / 8) * 2
+  str = "04" + x.to_s(16).rjust(bn_size, "0") + y.to_s(16).rjust(bn_size, "0")
   bn = OpenSSL::BN.new(str, 16)
   OpenSSL::PKey::EC::Point.new(group, bn)
 end
-describe Sandal::Sig::ES do
-  it 'can encode the signature in JWS section A3.1' do
-    r = make_bn([14, 209, 33, 83, 121, 99, 108, 72, 60, 47, 127, 21, 88, 7, 212, 2, 163, 178, 40, 3, 58, 249, 124, 126, 23, 129, 154, 195, 22, 158, 166, 101]  )
-    s = make_bn([197, 10, 7, 211, 140, 60, 112, 229, 216, 241, 45, 175, 8, 74, 84, 128, 166, 101, 144, 197, 242, 147, 80, 154, 143, 63, 127, 138, 131, 163, 84, 213])
-    signature = Sandal::Sig::ES.encode_jws_signature(r, s, 256)
-    base64_signature = jwt_base64_encode(signature)
-    base64_signature.should == 'DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q'
-  end
-  it 'can encode the signature in JWS section A4.1' do
-    r = make_bn([1, 220, 12, 129, 231, 171, 194, 209, 232, 135, 233, 117, 247, 105, 122, 210, 26, 125, 192, 1, 217, 21, 82, 91, 45, 240, 255, 83, 19, 34, 239, 71, 48, 157, 147, 152, 105, 18, 53, 108, 163, 214, 68, 231, 62, 153, 150, 106, 194, 164, 246, 72, 143, 138, 24, 50, 129, 223, 133, 206, 209, 172, 63, 237, 119, 109]    )
-    s = make_bn([0, 111, 6, 105, 44, 5, 41, 208, 128, 61, 152, 40, 92, 61, 152, 4, 150, 66, 60, 69, 247, 196, 170, 81, 193, 199, 78, 59, 194, 169, 16, 124, 9, 143, 42, 142, 131, 48, 206, 238, 34, 175, 83, 203, 220, 159, 3, 107, 155, 22, 27, 73, 111, 68, 68, 21, 238, 144, 229, 232, 148, 188, 222, 59, 242, 103] )
-    signature = Sandal::Sig::ES.encode_jws_signature(r, s, 521)
-    base64_signature = jwt_base64_encode(signature)
-    base64_signature.should == 'AdwMgeerwtHoh-l192l60hp9wAHZFVJbLfD_UxMi70cwnZOYaRI1bKPWROc-mZZqwqT2SI-KGDKB34XO0aw_7XdtAG8GaSwFKdCAPZgoXD2YBJZCPEX3xKpRwcdOO8KpEHwJjyqOgzDO7iKvU8vcnwNrmxYbSW9ERBXukOXolLzeO_Jn'
-  end
+shared_examples "signing and validation" do |enc_class|
-end
-describe Sandal::Sig::ES256 do
-  it 'can sign data and verify signatures' do
-    group = OpenSSL::PKey::EC::Group.new('prime256v1')
+  it "can sign data and validate signatures" do
+    data = "some data to sign"
+    group = OpenSSL::PKey::EC::Group.new(enc_class::CURVE_NAME)
     private_key = OpenSSL::PKey::EC.new(group).generate_key
-    data = 'Hello ES256'
-    signer = Sandal::Sig::ES256.new(private_key)
+    signer = enc_class.new(private_key)
     signature = signer.sign(data)
     public_key = OpenSSL::PKey::EC.new(group)
     public_key.public_key = private_key.public_key
-    validator = Sandal::Sig::ES256.new(public_key)
+    validator = enc_class.new(public_key)
     validator.valid?(signature, data).should == true
   end
-  it 'can use string keys to sign data and verify signatures' do
-    private_key = <<KEY_END
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEII1Ar4w2EVK6wNL84EpVTVY7XXXVmVqyvjZ4EW9kBGhSoAoGCCqGSM49
-AwEHoUQDQgAEVnYRY+AEiU+UNdYzl+KtuWvdAfKBoAmEekv4icfZQCbLew/eXIlv
-32E8+j0bFYwYi3XjxCJXRE3S2iWPEEygcA==
------END EC PRIVATE KEY-----
-KEY_END
-    public_key = <<KEY_END
------BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEVnYRY+AEiU+UNdYzl+KtuWvdAfKB
-oAmEekv4icfZQCbLew/eXIlv32E8+j0bFYwYi3XjxCJXRE3S2iWPEEygcA==
------END PUBLIC KEY-----
-KEY_END
-    data = 'Hello ES256'
-    signer = Sandal::Sig::ES256.new(private_key)
+  it "can use DER-encoded keys to sign data and validate signatures" do
+    data = "some data to sign"
+    group = OpenSSL::PKey::EC::Group.new(enc_class::CURVE_NAME)
+    private_key = OpenSSL::PKey::EC.new(group).generate_key
+    signer = enc_class.new(private_key.to_der)
     signature = signer.sign(data)
-    validator = Sandal::Sig::ES256.new(public_key)
+    public_key = OpenSSL::PKey::EC.new(group)
+    public_key.public_key = private_key.public_key
+    validator = enc_class.new(public_key.to_der)
     validator.valid?(signature, data).should == true
   end
-  it 'can verify the signature in JWS section A3.1' do
-    x = make_bn([127, 205, 206, 39, 112, 246, 196, 93, 65, 131, 203, 238, 111, 219, 75, 123, 88, 7, 51, 53, 123, 233, 239, 19, 186, 207, 110, 60, 123, 209, 84, 69])
-    y = make_bn([199, 241, 68, 205, 27, 189, 155, 126, 135, 44, 223, 237, 185, 238, 185, 244, 179, 105, 93, 110, 169, 11, 36, 173, 138, 70, 35, 40, 133, 136, 229, 173])
-    d = make_bn([142, 155, 16, 158, 113, 144, 152, 191, 152, 4, 135, 223, 31, 93, 119, 233, 203, 41, 96, 110, 190, 210, 38, 59, 95, 87, 194, 19, 223, 132, 244, 178])
-    data = 'eyJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ'
-    signature = jwt_base64_decode('DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q')
-    group = OpenSSL::PKey::EC::Group.new('prime256v1')
+  it "can use PEM-encoded keys to sign data and validate signatures" do
+    data = "some data to sign"
+    group = OpenSSL::PKey::EC::Group.new(enc_class::CURVE_NAME)
+    private_key = OpenSSL::PKey::EC.new(group).generate_key
+    signer = enc_class.new(private_key.to_pem)
+    signature = signer.sign(data)
     public_key = OpenSSL::PKey::EC.new(group)
-    public_key.public_key = make_point(group, x, y)
-    validator = Sandal::Sig::ES256.new(public_key)
+    public_key.public_key = private_key.public_key
+    validator = enc_class.new(public_key.to_pem)
     validator.valid?(signature, data).should == true
   end
-  it 'fails to verify the signature in JWS section A3.1 when the data is changed' do
-    x = make_bn([127, 205, 206, 39, 112, 246, 196, 93, 65, 131, 203, 238, 111, 219, 75, 123, 88, 7, 51, 53, 123, 233, 239, 19, 186, 207, 110, 60, 123, 209, 84, 69])
-    y = make_bn([199, 241, 68, 205, 27, 189, 155, 126, 135, 44, 223, 237, 185, 238, 185, 244, 179, 105, 93, 110, 169, 11, 36, 173, 138, 70, 35, 40, 133, 136, 229, 173])
-    d = make_bn([142, 155, 16, 158, 113, 144, 152, 191, 152, 4, 135, 223, 31, 93, 119, 233, 203, 41, 96, 110, 190, 210, 38, 59, 95, 87, 194, 19, 223, 132, 244, 178])
-    data = 'not the data that was signed'
-    signature = jwt_base64_decode('DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q')
+  context "#initialize" do
+    it "raises an argument error if the key has the wrong curve" do
+      group = OpenSSL::PKey::EC::Group.new("secp224k1")
+      private_key = OpenSSL::PKey::EC.new(group).generate_key
+      expect { enc_class.new(private_key) }.to raise_error ArgumentError
+    end
-    group = OpenSSL::PKey::EC::Group.new('prime256v1')
-    public_key = OpenSSL::PKey::EC.new(group)
-    public_key.public_key = make_point(group, x, y)
-    validator = Sandal::Sig::ES256.new(public_key)
-    validator.valid?(signature, data).should == false
   end
-  it 'raises an argument error if the key has the wrong curve' do
-    group = OpenSSL::PKey::EC::Group.new('secp384r1')
-    private_key = OpenSSL::PKey::EC.new(group).generate_key
-    expect { Sandal::Sig::ES256.new(private_key) }.to raise_error ArgumentError
+  context "#valid?" do
+    it "fails to validate the signature when the key is changed" do
+      data = "some data to sign"
+      group = OpenSSL::PKey::EC::Group.new(enc_class::CURVE_NAME)
+      private_key = OpenSSL::PKey::EC.new(group).generate_key
+      signer = enc_class.new(private_key)
+      signature = signer.sign(data)
+      public_key = OpenSSL::PKey::EC.new(group).generate_key
+      validator = enc_class.new(public_key)
+      validator.valid?(signature, data).should == false
+    end
+    it "fails to validate the signature when the signature is changed" do
+      data = "some data to sign"
+      group = OpenSSL::PKey::EC::Group.new(enc_class::CURVE_NAME)
+      private_key = OpenSSL::PKey::EC.new(group).generate_key
+      signer = enc_class.new(private_key)
+      signature = signer.sign(data)
+      public_key = OpenSSL::PKey::EC.new(group)
+      public_key.public_key = private_key.public_key
+      validator = enc_class.new(public_key)
+      validator.valid?(signature + "x", data).should == false
+    end
+    it "fails to validate the signature when the data is changed" do
+      data = "some data to sign"
+      group = OpenSSL::PKey::EC::Group.new(enc_class::CURVE_NAME)
+      private_key = OpenSSL::PKey::EC.new(group).generate_key
+      signer = enc_class.new(private_key)
+      signature = signer.sign(data)
+      public_key = OpenSSL::PKey::EC.new(group)
+      public_key.public_key = private_key.public_key
+      validator = enc_class.new(public_key)
+      validator.valid?(signature, data + "x").should == false
+    end
   end
 end
-describe Sandal::Sig::ES384 do
+describe Sandal::Sig::ES do
-  it 'can sign data and verify signatures' do
-    group = OpenSSL::PKey::EC::Group.new('secp384r1')
-    private_key = OpenSSL::PKey::EC.new(group).generate_key
-    data = 'Hello ES384'
-    signer = Sandal::Sig::ES384.new(private_key)
-    signature = signer.sign(data)
-    public_key = OpenSSL::PKey::EC.new(group)
-    public_key.public_key = private_key.public_key
-    validator = Sandal::Sig::ES384.new(public_key)
-    validator.valid?(signature, data).should == true
-  end
+  context "#encode_jws_signature" do
-  it 'can use string keys to sign data and verify signatures' do
-    private_key = <<KEY_END
------BEGIN EC PARAMETERS-----
-BgUrgQQAIg==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDDHWNCqR7V8EQS1aeCWXJ6arxaj31tvfBozSVDhbgzvFsFM9tbgbhTb
-1PGWXJEP91SgBwYFK4EEACKhZANiAASSjX9LH/BrmGp6WoHN/gBYN3Su/nIAApwM
-iuFPbUFcWamxo8hUUTxLpdwvrrEHIVV2urXaVc0KHdSo93bVEHMOvLYjpXFXu+8f
-6Fu17ofcECDNIaI9A+uydWY3E/cJUDM=
------END EC PRIVATE KEY-----
-KEY_END
-    public_key = <<KEY_END
------BEGIN PUBLIC KEY-----
-MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEko1/Sx/wa5hqelqBzf4AWDd0rv5yAAKc
-DIrhT21BXFmpsaPIVFE8S6XcL66xByFVdrq12lXNCh3UqPd21RBzDry2I6VxV7vv
-H+hbte6H3BAgzSGiPQPrsnVmNxP3CVAz
------END PUBLIC KEY-----
-KEY_END
-    data = 'Hello ES384'
-    signer = Sandal::Sig::ES384.new(private_key)
-    signature = signer.sign(data)
-    validator = Sandal::Sig::ES384.new(public_key)
-    validator.valid?(signature, data).should == true
-  end
+    it "can encode the signature in JWS draft-11 appendix 3" do
+      r = make_bn([14, 209, 33, 83, 121, 99, 108, 72, 60, 47, 127, 21, 88, 7, 212, 2, 163, 178, 40, 3, 58, 249, 124, 126, 23, 129, 154, 195, 22, 158, 166, 101])
+      s = make_bn([197, 10, 7, 211, 140, 60, 112, 229, 216, 241, 45, 175, 8, 74, 84, 128, 166, 101, 144, 197, 242, 147, 80, 154, 143, 63, 127, 138, 131, 163, 84, 213])
+      signature = Sandal::Sig::ES.encode_jws_signature(r, s, 256)
+      base64_signature = jwt_base64_encode(signature)
+      base64_signature.should == "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q"
+    end
+    it "can encode the signature in JWS draft-11 appendix 4" do
+      r = make_bn([1, 220, 12, 129, 231, 171, 194, 209, 232, 135, 233, 117, 247, 105, 122, 210, 26, 125, 192, 1, 217, 21, 82, 91, 45, 240, 255, 83, 19, 34, 239, 71, 48, 157, 147, 152, 105, 18, 53, 108, 163, 214, 68, 231, 62, 153, 150, 106, 194, 164, 246, 72, 143, 138, 24, 50, 129, 223, 133, 206, 209, 172, 63, 237, 119, 109])
+      s = make_bn([0, 111, 6, 105, 44, 5, 41, 208, 128, 61, 152, 40, 92, 61, 152, 4, 150, 66, 60, 69, 247, 196, 170, 81, 193, 199, 78, 59, 194, 169, 16, 124, 9, 143, 42, 142, 131, 48, 206, 238, 34, 175, 83, 203, 220, 159, 3, 107, 155, 22, 27, 73, 111, 68, 68, 21, 238, 144, 229, 232, 148, 188, 222, 59, 242, 103])
+      signature = Sandal::Sig::ES.encode_jws_signature(r, s, 521)
+      base64_signature = jwt_base64_encode(signature)
+      base64_signature.should == "AdwMgeerwtHoh-l192l60hp9wAHZFVJbLfD_UxMi70cwnZOYaRI1bKPWROc-mZZqwqT2SI-KGDKB34XO0aw_7XdtAG8GaSwFKdCAPZgoXD2YBJZCPEX3xKpRwcdOO8KpEHwJjyqOgzDO7iKvU8vcnwNrmxYbSW9ERBXukOXolLzeO_Jn"
+    end
-  it 'raises an argument error if the key has the wrong curve' do
-    group = OpenSSL::PKey::EC::Group.new('secp521r1')
-    private_key = OpenSSL::PKey::EC.new(group).generate_key
-    expect { Sandal::Sig::ES384.new(private_key) }.to raise_error ArgumentError
   end
 end
-describe Sandal::Sig::ES512 do
+describe Sandal::Sig::ES256 do
+  include_examples "signing and validation", Sandal::Sig::ES256, "prime256v1"
-  it 'can sign data and verify signatures' do
-    group = OpenSSL::PKey::EC::Group.new('secp521r1')
-    private_key = OpenSSL::PKey::EC.new(group).generate_key
-    data = 'Hello ES512'
-    signer = Sandal::Sig::ES512.new(private_key)
-    signature = signer.sign(data)
-    public_key = OpenSSL::PKey::EC.new(group)
-    public_key.public_key = private_key.public_key
-    validator = Sandal::Sig::ES512.new(public_key)
-    validator.valid?(signature, data).should == true
+  context "#name" do
+    it "is 'ES256'" do
+      enc = Sandal::Sig::ES256.new(OpenSSL::PKey::EC.new("prime256v1").generate_key)
+      enc.name.should == "ES256"
+    end
   end
-  it 'can use string keys to sign data and verify signatures' do
-    private_key = <<KEY_END
------BEGIN EC PARAMETERS-----
-BgUrgQQAIw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIBQokOnEjac/cnqtuEPrS+ekzObqwN4wcsh4MgW1M9D/lC+cfHcgso
-QhdmC1fZEYV9G3eiVYRO818XBrgzX8sOqQGgBwYFK4EEACOhgYkDgYYABADWDbxx
-FZHDy5nzP+tL1AcDgbVtZbin6jOz3E0EPzjDJS8267XROdSLxh/FdM54HaZ5ak2D
-q0VThSOquJdkiy6jyAEOlXLeznDrV9ZP9ddFFFA8OMM2aImU+HdGq6rlWrAs7qMU
-tu6lP9k3+WHD7Z1+YkCafox+lpraE4NrnlkVqO2RVg==
------END EC PRIVATE KEY-----
-KEY_END
-    public_key = <<KEY_END
------BEGIN PUBLIC KEY-----
-MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA1g28cRWRw8uZ8z/rS9QHA4G1bWW4
-p+ozs9xNBD84wyUvNuu10TnUi8YfxXTOeB2meWpNg6tFU4UjqriXZIsuo8gBDpVy
-3s5w61fWT/XXRRRQPDjDNmiJlPh3Rquq5VqwLO6jFLbupT/ZN/lhw+2dfmJAmn6M
-fpaa2hODa55ZFajtkVY=
------END PUBLIC KEY-----
-KEY_END
-    data = 'Hello ES512'
-    signer = Sandal::Sig::ES512.new(private_key)
-    signature = signer.sign(data)
-    validator = Sandal::Sig::ES512.new(public_key)
-    validator.valid?(signature, data).should == true
+  context "#valid?" do
+    it "can validate the signature in JWS draft-11 appendix 3" do
+      x = make_bn([127, 205, 206, 39, 112, 246, 196, 93, 65, 131, 203, 238, 111, 219, 75, 123, 88, 7, 51, 53, 123, 233, 239, 19, 186, 207, 110, 60, 123, 209, 84, 69])
+      y = make_bn([199, 241, 68, 205, 27, 189, 155, 126, 135, 44, 223, 237, 185, 238, 185, 244, 179, 105, 93, 110, 169, 11, 36, 173, 138, 70, 35, 40, 133, 136, 229, 173])
+      d = make_bn([142, 155, 16, 158, 113, 144, 152, 191, 152, 4, 135, 223, 31, 93, 119, 233, 203, 41, 96, 110, 190, 210, 38, 59, 95, 87, 194, 19, 223, 132, 244, 178])
+      data = "eyJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ"
+      signature = jwt_base64_decode("DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q")
+      group = OpenSSL::PKey::EC::Group.new("prime256v1")
+      public_key = OpenSSL::PKey::EC.new(group)
+      public_key.public_key = make_point(group, x, y)
+      validator = Sandal::Sig::ES256.new(public_key)
+      validator.valid?(signature, data).should == true
+    end
   end
-  it 'can verify the signature in JWS section A4.1' do
-    x = make_bn([1, 233, 41, 5, 15, 18, 79, 198, 188, 85, 199, 213, 57, 51, 101, 223, 157, 239, 74, 176, 194, 44, 178, 87, 152, 249, 52, 235, 4, 227, 198, 186, 227, 112, 26, 87, 167, 145, 14, 157, 129, 191, 54, 49, 89, 232, 235, 203, 21, 93, 99, 73, 244, 189, 182, 204, 248, 169, 76, 92, 89, 199, 170, 193, 1, 164])
-    y = make_bn([0, 52, 166, 68, 14, 55, 103, 80, 210, 55, 31, 209, 189, 194, 200, 243, 183, 29, 47, 78, 229, 234, 52, 50, 200, 21, 204, 163, 21, 96, 254, 93, 147, 135, 236, 119, 75, 85, 131, 134, 48, 229, 203, 191, 90, 140, 190, 10, 145, 221, 0, 100, 198, 153, 154, 31, 110, 110, 103, 250, 221, 237, 228, 200, 200, 246])
-    d = make_bn([1, 142, 105, 111, 176, 52, 80, 88, 129, 221, 17, 11, 72, 62, 184, 125, 50, 206, 73, 95, 227, 107, 55, 69, 237, 242, 216, 202, 228, 240, 242, 83, 159, 70, 21, 160, 233, 142, 171, 82, 179, 192, 197, 234, 196, 206, 7, 81, 133, 168, 231, 187, 71, 222, 172, 29, 29, 231, 123, 204, 246, 97, 53, 230, 61, 130]  )
-    data = 'eyJhbGciOiJFUzUxMiJ9.UGF5bG9hZA'
-    signature = jwt_base64_decode('AdwMgeerwtHoh-l192l60hp9wAHZFVJbLfD_UxMi70cwnZOYaRI1bKPWROc-mZZqwqT2SI-KGDKB34XO0aw_7XdtAG8GaSwFKdCAPZgoXD2YBJZCPEX3xKpRwcdOO8KpEHwJjyqOgzDO7iKvU8vcnwNrmxYbSW9ERBXukOXolLzeO_Jn')
+end
-    group = OpenSSL::PKey::EC::Group.new('secp521r1')
-    public_key = OpenSSL::PKey::EC.new(group)
-    public_key.public_key = make_point(group, x, y)
-    validator = Sandal::Sig::ES512.new(public_key)
-    validator.valid?(signature, data).should == true
+describe Sandal::Sig::ES384 do
+  include_examples "signing and validation", Sandal::Sig::ES384, "secp384r1"
+  context "#name" do
+    it "is 'ES384'" do
+      enc = Sandal::Sig::ES384.new(OpenSSL::PKey::EC.new("secp384r1").generate_key)
+      enc.name.should == "ES384"
+    end
   end
-  it 'fails to verify the signature in JWS section A4.1 when the data is changed' do
-    x = make_bn([1, 233, 41, 5, 15, 18, 79, 198, 188, 85, 199, 213, 57, 51, 101, 223, 157, 239, 74, 176, 194, 44, 178, 87, 152, 249, 52, 235, 4, 227, 198, 186, 227, 112, 26, 87, 167, 145, 14, 157, 129, 191, 54, 49, 89, 232, 235, 203, 21, 93, 99, 73, 244, 189, 182, 204, 248, 169, 76, 92, 89, 199, 170, 193, 1, 164])
-    y = make_bn([0, 52, 166, 68, 14, 55, 103, 80, 210, 55, 31, 209, 189, 194, 200, 243, 183, 29, 47, 78, 229, 234, 52, 50, 200, 21, 204, 163, 21, 96, 254, 93, 147, 135, 236, 119, 75, 85, 131, 134, 48, 229, 203, 191, 90, 140, 190, 10, 145, 221, 0, 100, 198, 153, 154, 31, 110, 110, 103, 250, 221, 237, 228, 200, 200, 246])
-    d = make_bn([1, 142, 105, 111, 176, 52, 80, 88, 129, 221, 17, 11, 72, 62, 184, 125, 50, 206, 73, 95, 227, 107, 55, 69, 237, 242, 216, 202, 228, 240, 242, 83, 159, 70, 21, 160, 233, 142, 171, 82, 179, 192, 197, 234, 196, 206, 7, 81, 133, 168, 231, 187, 71, 222, 172, 29, 29, 231, 123, 204, 246, 97, 53, 230, 61, 130]  )
-    data = 'not the data that was signed'
-    signature = jwt_base64_decode('AdwMgeerwtHoh-l192l60hp9wAHZFVJbLfD_UxMi70cwnZOYaRI1bKPWROc-mZZqwqT2SI-KGDKB34XO0aw_7XdtAG8GaSwFKdCAPZgoXD2YBJZCPEX3xKpRwcdOO8KpEHwJjyqOgzDO7iKvU8vcnwNrmxYbSW9ERBXukOXolLzeO_Jn')
+end
+describe Sandal::Sig::ES512 do
+  include_examples "signing and validation", Sandal::Sig::ES512, "secp521r1"
-    group = OpenSSL::PKey::EC::Group.new('secp521r1')
-    public_key = OpenSSL::PKey::EC.new(group)
-    public_key.public_key = make_point(group, x, y)
-    validator = Sandal::Sig::ES512.new(public_key)
-    validator.valid?(signature, data).should == false
+  context "#name" do
+    it "is 'ES512'" do
+      enc = Sandal::Sig::ES512.new(OpenSSL::PKey::EC.new("secp521r1").generate_key)
+      enc.name.should == "ES512"
+    end
   end
-  it 'raises an argument error if the key has the wrong curve' do
-    group = OpenSSL::PKey::EC::Group.new('prime256v1')
-    private_key = OpenSSL::PKey::EC.new(group).generate_key
-    expect { Sandal::Sig::ES512.new(private_key) }.to raise_error ArgumentError
+  context "#validate?" do
+    it "can validate the signature in JWS draft-11 appendix 4" do
+      x = make_bn([1, 233, 41, 5, 15, 18, 79, 198, 188, 85, 199, 213, 57, 51, 101, 223, 157, 239, 74, 176, 194, 44, 178, 87, 152, 249, 52, 235, 4, 227, 198, 186, 227, 112, 26, 87, 167, 145, 14, 157, 129, 191, 54, 49, 89, 232, 235, 203, 21, 93, 99, 73, 244, 189, 182, 204, 248, 169, 76, 92, 89, 199, 170, 193, 1, 164])
+      y = make_bn([0, 52, 166, 68, 14, 55, 103, 80, 210, 55, 31, 209, 189, 194, 200, 243, 183, 29, 47, 78, 229, 234, 52, 50, 200, 21, 204, 163, 21, 96, 254, 93, 147, 135, 236, 119, 75, 85, 131, 134, 48, 229, 203, 191, 90, 140, 190, 10, 145, 221, 0, 100, 198, 153, 154, 31, 110, 110, 103, 250, 221, 237, 228, 200, 200, 246])
+      d = make_bn([1, 142, 105, 111, 176, 52, 80, 88, 129, 221, 17, 11, 72, 62, 184, 125, 50, 206, 73, 95, 227, 107, 55, 69, 237, 242, 216, 202, 228, 240, 242, 83, 159, 70, 21, 160, 233, 142, 171, 82, 179, 192, 197, 234, 196, 206, 7, 81, 133, 168, 231, 187, 71, 222, 172, 29, 29, 231, 123, 204, 246, 97, 53, 230, 61, 130]  )
+      data = "eyJhbGciOiJFUzUxMiJ9.UGF5bG9hZA"
+      signature = jwt_base64_decode("AdwMgeerwtHoh-l192l60hp9wAHZFVJbLfD_UxMi70cwnZOYaRI1bKPWROc-mZZqwqT2SI-KGDKB34XO0aw_7XdtAG8GaSwFKdCAPZgoXD2YBJZCPEX3xKpRwcdOO8KpEHwJjyqOgzDO7iKvU8vcnwNrmxYbSW9ERBXukOXolLzeO_Jn")
+      group = OpenSSL::PKey::EC::Group.new("secp521r1")
+      public_key = OpenSSL::PKey::EC.new(group)
+      public_key.public_key = make_point(group, x, y)
+      validator = Sandal::Sig::ES512.new(public_key)
+      validator.valid?(signature, data).should == true
+    end
   end
 end

data/spec/sandal/sig/hs_spec.rb CHANGED

@@ -1,32 +1,87 @@
-require 'helper'
-require 'openssl'
+require "helper"
+require "openssl"
+shared_examples "signing and validation" do |enc_class|
+  it "can sign data and validate signatures" do
+    data = "some data to sign"
+    key = "A secret key"
+    signer = enc_class.new(key)
+    signature = signer.sign(data)
+    signer.valid?(signature, data).should == true
+  end
+  context "#valid?" do
+    it "fails to validate the signature when the key is changed" do
+      data = "some other data to sign"
+      key = "Another secret key"
+      signer = enc_class.new(key)
+      signature = signer.sign(data)
+      verifier = enc_class.new(key + "x")
+      verifier.valid?(signature, data).should == false
+    end
+    it "fails to validate the signature when the signature is changed" do
+      data = "some other data to sign"
+      key = "Another secret key"
+      signer = enc_class.new(key)
+      signature = signer.sign(data)
+      signer.valid?(signature + "x", data).should == false
+    end
+    it "fails to validate the signature when the data is changed" do
+      data = "some other data to sign"
+      key = "Another secret key"
+      signer = enc_class.new(key)
+      signature = signer.sign(data)
+      signer.valid?(signature, data + "x").should == false
+    end
+  end
+end
 describe Sandal::Sig::HS256 do
-  it 'can sign data and verify signatures' do
-    data = 'Hello HS256'
-    key = 'A secret key'
+  include_examples "signing and validation", Sandal::Sig::HS256
+  context "#name" do
+    it "is 'HS256'" do
+      enc = Sandal::Sig::HS256.new("any old key")
+      enc.name.should == "HS256"
+    end
+  end
+  it "can validate the signature from JWS dratf-11 appendix 1" do
+    data = "eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ"
+    key = [3, 35, 53, 75, 43, 15, 165, 188, 131, 126, 6, 101, 119, 123, 166, 143, 90, 179, 40, 230, 240, 84, 201, 40, 169, 15, 132, 178, 210, 80, 46, 191, 211, 251, 90, 146, 210, 6, 71, 239, 150, 138, 180, 195, 119, 98, 61, 34, 61, 46, 33, 114, 5, 46, 79, 8, 192, 205, 154, 245, 103, 208, 128, 163].pack("C*")
     signer = Sandal::Sig::HS256.new(key)
-    signature = signer.sign(data)
+    signature = [116, 24, 223, 180, 151, 153, 224, 37, 79, 250, 96, 125, 216, 173, 187, 186, 22, 212, 37, 77, 105, 214, 191, 240, 91, 88, 5, 88, 83, 132, 141, 121].pack("C*")
     signer.valid?(signature, data).should == true
   end
 end
 describe Sandal::Sig::HS384 do
-  it 'can sign data and verify signatures' do
-    data = 'Hello HS384'
-    key = 'Another secret key'
-    signer = Sandal::Sig::HS384.new(key)
-    signature = signer.sign(data)
-    signer.valid?(signature, data).should == true
+  include_examples "signing and validation", Sandal::Sig::HS384
+  context "#name" do
+    it "is 'HS384'" do
+      enc = Sandal::Sig::HS384.new("any old key")
+      enc.name.should == "HS384"
+    end
   end
 end
 describe Sandal::Sig::HS512 do
-  it 'can sign data and verify signatures' do
-    data = 'Hello HS512'
-    key = 'Yet another secret key'
-    signer = Sandal::Sig::HS512.new(key)
-    signature = signer.sign(data)
-    signer.valid?(signature, data).should == true
+  include_examples "signing and validation", Sandal::Sig::HS512
+  context "#name" do
+    it "is 'HS512'" do
+      enc = Sandal::Sig::HS512.new("any old key")
+      enc.name.should == "HS512"
+    end
   end
 end