sandal 0.4.0 → 0.5.0

data/spec/sandal/sig/rs_spec.rb

@@ -1,106 +1,109 @@
-require 'helper'
-require 'openssl'
-
-rsa_private_key = <<KEY_END
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA4lt7zb5RlxwLVvw2mOKW06AGrBW3kfUVIkV6lImwqRps6jpZ
-UNBOUkLjqIipXBkKeG6TbL46z4Rw2oEcUTTpOgm/9XEiJP/7nfkK/Sr6cChVLDr5
-sohKnxkADrltdNwUUF0gPlK0REa2wiEvpd00D46Sfxfa5kpe/oYajCyRtesmGyrD
-iD4BKJIaHTal4613l1k8HWhzza4qztbufZ4BMPfHkjyjOBWLsYSU0axI86b5WnxJ
-KZUyghxeL51jYqV5eSeMBC3rr+HHuwdF3ulhvDo0jUxGjFJBG/6ZUheVNAGrAvD8
-5RV3tp8ukcc02t2l0Z97PWDcZHpiiul+DvvmeQIDAQABAoIBADy56lbiDiWKAojN
-lSAi+e/AaMnV8a+YnpjZJu+emORlEH8uNDP4DmsHQug98aGhnit9DtQHnON7VoNo
-S96FYWSOpQ8F0PE4M5rH62jMFO/uAhuhnseExPA11swcdv745AJDWZkeuvnuNq2S
-FaRb2dGqoCa0kadioGWMOKcOdfDlqcBApTI5IWy67wLJwF7+qTS+BT7BVAreQnQf
-2qlYXSPWBxpL8iGobBGXQlsWTdiYDalrfyV0mvJaXxwHml3PMxyVrJyIvbc0HgMn
-YqrBgnWrCz7FIU+8OXd4XFGqD09QpHn7SkdLvgXNlSy5fi3SeLN+ClyP1XvrFQYk
-KhfCbwECgYEA/CpsxJEZzwCtvBeHlhNvEV5H2O0HI7Wb+pN5J3QyhMjdOc8KZozx
-8D3hj6+I2NJM/Uj0V27LH0R92H29fKLjXUjtRwHtrV33PXWQAMzSS8gHOdeQe8iP
-GgdAVDdDJsCR3W5oXEQGj7q8QgLAVdV0X9jZ6BG2MGIbdMi6SUE7DlECgYEA5cyY
-/diePvEcXsEX8AgraOGwH+E4w+d21uJPjh4UpBhiJdrqEdZ2bjKtpl6czKmqu4tx
-R7WNHqRd8LyUpdGHNvQU+kg1Uc1y1hy8HR1x1lZQYMBi4qkB1P6G08RHEL/oilxO
-F1EIxYpwHbW/ZVXzGAyIr4Z9xGMLE5j9jVTsg6kCgYB4JdaxSdmcMdyVtDhcH2Ja
-Siu9hiJSt2NcXwvo6opvji0qMCXqetmD+FgS2DZB6OHaBPq29gk+GqpDjpXMXugq
-OGcl4BtY8V6uH+e/GdhRVztqKfWjpQnaAv55oeMTAcn+UW7UF21w6i5s3Va7Dvtl
-97LLyjSelQA0ArgP007KIQKBgQDDzDAPGiK7PnUNxzi+LDfQhXurrhrP0MhRD0L5
-tGeh6aS23G/UAwelnUiYGMVBHM98PLOohehX03S3Sfbd0kmDaTT2i8/ig0r1ZEZk
-CFKWbbTOux2GQrps4PHAPdzPSLS6LyvachEnP22H4vPRRAp80zEjXVSLoFgvuotP
-gKyFAQKBgBuMvB9XVILcn8IcZ3ax9B8agU4jeBLScoBV25GvSq7hUaFaNC4WMHzf
-8av7nDTzlZlLLDMB8rvpz66gMWIWGeU5JWYJaiLMM/JeS9UJOo/6Wn10MvtNSBXH
-30+kWAHpOSjtxL7tzmMrb46krFS/0iYDFKiLtIPNiacjxlEzBTZL
------END RSA PRIVATE KEY-----
-KEY_END
-rsa_public_key = <<KEY_END
------BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4lt7zb5RlxwLVvw2mOKW
-06AGrBW3kfUVIkV6lImwqRps6jpZUNBOUkLjqIipXBkKeG6TbL46z4Rw2oEcUTTp
-Ogm/9XEiJP/7nfkK/Sr6cChVLDr5sohKnxkADrltdNwUUF0gPlK0REa2wiEvpd00
-D46Sfxfa5kpe/oYajCyRtesmGyrDiD4BKJIaHTal4613l1k8HWhzza4qztbufZ4B
-MPfHkjyjOBWLsYSU0axI86b5WnxJKZUyghxeL51jYqV5eSeMBC3rr+HHuwdF3ulh
-vDo0jUxGjFJBG/6ZUheVNAGrAvD85RV3tp8ukcc02t2l0Z97PWDcZHpiiul+Dvvm
-eQIDAQAB
------END PUBLIC KEY-----
-KEY_END
+require "helper"
+require "openssl"
 
-describe Sandal::Sig::RS256 do
+shared_examples "signing and validation" do |enc_class|
 
-  it 'can sign data and verify signatures' do
-    data = 'Hello RS256'
+  it "can sign data and validate signatures" do
+    data = "this is my data"
     private_key = OpenSSL::PKey::RSA.generate(2048)
-    signer = Sandal::Sig::RS256.new(private_key)
+    signer = enc_class.new(private_key)
     signature = signer.sign(data)
-    validator = Sandal::Sig::RS256.new(private_key.public_key)
+    validator = enc_class.new(private_key.public_key)
     validator.valid?(signature, data).should == true
   end
 
-  it 'can use string keys to sign data and verify signatures' do
-    data = 'Hello RS256'
-    signer = Sandal::Sig::RS256.new(rsa_private_key)
+  it "can use DER-encoded keys to sign data and validate signatures" do
+    data = "there are many like it"
+    private_key = OpenSSL::PKey::RSA.generate(2048)
+    signer = enc_class.new(private_key.to_der)
     signature = signer.sign(data)
-    validator = Sandal::Sig::RS256.new(rsa_public_key)
+    validator = enc_class.new(private_key.public_key.to_der)
     validator.valid?(signature, data).should == true
   end
 
+  it "can use PEM-encoded keys to sign data and validate signatures" do
+    data = "but this one is mine"
+    private_key = OpenSSL::PKey::RSA.generate(2048)
+    signer = enc_class.new(private_key.to_pem)
+    signature = signer.sign(data)
+    validator = enc_class.new(private_key.public_key.to_pem)
+    validator.valid?(signature, data).should == true
+  end
+
+  context "#valid?" do
+
+    it "fails to validate the signature when the key is changed" do
+      data = "this is my data"
+      signer = enc_class.new(OpenSSL::PKey::RSA.generate(2048))
+      signature = signer.sign(data)
+      validator = enc_class.new(OpenSSL::PKey::RSA.generate(2048).public_key)
+      validator.valid?(signature, data).should == false
+    end
+
+    it "fails to validate the signature when the signature is changed" do
+      data = "this is my data"
+      private_key = OpenSSL::PKey::RSA.generate(2048)
+      signer = enc_class.new(private_key)
+      signature = signer.sign(data)
+      validator = enc_class.new(private_key.public_key)
+      validator.valid?(signature + "x", data).should == false
+    end
+
+    it "fails to validate the signature when the data is changed" do
+      data = "this is my data"
+      private_key = OpenSSL::PKey::RSA.generate(2048)
+      signer = enc_class.new(private_key)
+      signature = signer.sign(data)
+      validator = enc_class.new(private_key.public_key)
+      validator.valid?(signature, data + "x").should == false
+    end
+
+  end
+
 end
 
-describe Sandal::Sig::RS384 do
 
-  it 'can sign data and verify signatures' do
-    data = 'Hello RS384'
-    private_key = OpenSSL::PKey::RSA.generate(2048)
+describe Sandal::Sig::RS256 do
+  include_examples "signing and validation", Sandal::Sig::RS256
+
+  it "can validate the signature from JWS dratf-11 appendix 2", :jruby_incompatible do
+    data = "eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ"
+    private_key = SampleKeys.jws_draft11_appendix2_rsa
     signer = Sandal::Sig::RS384.new(private_key)
     signature = signer.sign(data)
     validator = Sandal::Sig::RS384.new(private_key.public_key)
     validator.valid?(signature, data).should == true
+  end 
+
+  context "#name" do
+    it "is 'RS256'" do
+      enc = Sandal::Sig::RS256.new(OpenSSL::PKey::RSA.generate(2048))
+      enc.name.should == "RS256"
+    end
   end
 
-  it 'can use string keys to sign data and verify signatures' do
-    data = 'Hello RS384'
-    signer = Sandal::Sig::RS384.new(rsa_private_key)
-    signature = signer.sign(data)
-    validator = Sandal::Sig::RS384.new(rsa_public_key)
-    validator.valid?(signature, data).should == true
+end
+
+describe Sandal::Sig::RS384 do
+  include_examples "signing and validation", Sandal::Sig::RS384
+
+  context "#name" do
+    it "is 'RS384'" do
+      enc = Sandal::Sig::RS384.new(OpenSSL::PKey::RSA.generate(2048))
+      enc.name.should == "RS384"
+    end
   end
 
 end
 
 describe Sandal::Sig::RS512 do
-  
-  it 'can sign data and verify signatures' do
-    data = 'Hello RS512'
-    private_key = OpenSSL::PKey::RSA.generate(2048)
-    signer = Sandal::Sig::RS512.new(private_key)
-    signature = signer.sign(data)
-    validator = Sandal::Sig::RS512.new(private_key.public_key)
-    validator.valid?(signature, data).should == true
-  end
+  include_examples "signing and validation", Sandal::Sig::RS512
 
-  it 'can use string keys to sign data and verify signatures' do
-    data = 'Hello RS512'
-    signer = Sandal::Sig::RS512.new(rsa_private_key)
-    signature = signer.sign(data)
-    validator = Sandal::Sig::RS512.new(rsa_public_key)
-    validator.valid?(signature, data).should == true
+  context "#name" do
+    it "is 'RS512'" do
+      enc = Sandal::Sig::RS512.new(OpenSSL::PKey::RSA.generate(2048))
+      enc.name.should == "RS512"
+    end
   end
-
+  
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sandal
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Greg Beech
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-04-30 00:00:00.000000000 Z
+date: 2013-06-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: multi_json
@@ -148,8 +148,7 @@ files:
 - lib/sandal/enc/agcm.rb
 - lib/sandal/enc/alg.rb
 - lib/sandal/enc/alg/direct.rb
-- lib/sandal/enc/alg/rsa1_5.rb
-- lib/sandal/enc/alg/rsa_oaep.rb
+- lib/sandal/enc/alg/rsa.rb
 - lib/sandal/sig.rb
 - lib/sandal/sig/es.rb
 - lib/sandal/sig/hs.rb
@@ -158,13 +157,14 @@ files:
 - lib/sandal/version.rb
 - sandal.gemspec
 - spec/helper.rb
+- spec/sample_keys.rb
 - spec/sandal/claims_spec.rb
 - spec/sandal/enc/a128cbc_hs256_spec.rb
 - spec/sandal/enc/a128gcm_spec.rb
 - spec/sandal/enc/a256cbc_hs512_spec.rb
 - spec/sandal/enc/a256gcm_spec.rb
 - spec/sandal/enc/alg/direct_spec.rb
-- spec/sandal/enc/alg/rsa1_5_spec.rb
+- spec/sandal/enc/alg/rsa_spec.rb
 - spec/sandal/enc/shared_examples.rb
 - spec/sandal/sig/es_spec.rb
 - spec/sandal/sig/hs_spec.rb
@@ -198,13 +198,14 @@ specification_version: 4
 summary: A JSON Web Token (JWT) library.
 test_files:
 - spec/helper.rb
+- spec/sample_keys.rb
 - spec/sandal/claims_spec.rb
 - spec/sandal/enc/a128cbc_hs256_spec.rb
 - spec/sandal/enc/a128gcm_spec.rb
 - spec/sandal/enc/a256cbc_hs512_spec.rb
 - spec/sandal/enc/a256gcm_spec.rb
 - spec/sandal/enc/alg/direct_spec.rb
-- spec/sandal/enc/alg/rsa1_5_spec.rb
+- spec/sandal/enc/alg/rsa_spec.rb
 - spec/sandal/enc/shared_examples.rb
 - spec/sandal/sig/es_spec.rb
 - spec/sandal/sig/hs_spec.rb

data/lib/sandal/enc/alg/rsa1_5.rb

@@ -1,47 +0,0 @@
-require 'openssl'
-
-module Sandal
-  module Enc
-    module Alg
-
-      # The RSAES-PKCS1-V1_5 key encryption mechanism.
-      class RSA1_5
-
-        # @return [String] The JWA name of the algorithm.
-        attr_reader :name
-
-        # Creates a new instance.
-        #
-        # @param key [OpenSSL::PKey::RSA or String] The key to use for CMK 
-        # encryption (public) or decryption (private). If the value is a String 
-        # then it will be passed to the constructor of the RSA class. This must 
-        # be at least 2048 bits to be compliant with the JWA specification.
-        def initialize(key)
-          @name = 'RSA1_5'
-          @key = key.is_a?(String) ? OpenSSL::PKey::RSA.new(key) : key
-        end
-
-        # Encrypts the content master key.
-        #
-        # @param cmk [String] The content master key.
-        # @return [String] The encrypted content master key.
-        def encrypt_cmk(cmk)
-          @key.public_encrypt(cmk)
-        end
-
-        # Decrypts the content master key.
-        #
-        # @param encrypted_cmk [String] The encrypted content master key.
-        # @return [String] The pre-shared content master key.
-        # @raise [Sandal::TokenError] The content master key can't be decrypted.
-        def decrypt_cmk(encrypted_cmk)
-          @key.private_decrypt(encrypted_cmk)
-        rescue
-          raise Sandal::TokenError, 'Cannot decrypt content master key.'
-        end
-
-      end
-
-    end
-  end
-end

data/lib/sandal/enc/alg/rsa_oaep.rb

@@ -1,48 +0,0 @@
-require 'openssl'
-
-module Sandal
-  module Enc
-    module Alg
-
-      # The RSAES with OAEP key encryption mechanism.
-      class RSA_OAEP
-
-        # @return [String] The JWA name of the algorithm.
-        attr_reader :name
-
-        # Creates a new instance.
-        #
-        # @param key [OpenSSL::PKey::RSA or String] The key to use for CMK 
-        # encryption (public) or decryption (private). If the value is a String 
-        # then it will be passed to the constructor of the RSA class. This must 
-        # be at least 2048 bits to be compliant with the JWA specification.
-        def initialize(key)
-          @name = 'RSA-OAEP'
-          @key = key.is_a?(String) ? OpenSSL::PKey::RSA.new(key) : key
-          @padding = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
-        end
-
-        # Encrypts the content master key.
-        #
-        # @param cmk [String] The content master key.
-        # @return [String] The encrypted content master key.
-        def encrypt_cmk(cmk)
-          @key.public_encrypt(cmk, @padding)
-        end
-
-        # Decrypts the content master key.
-        #
-        # @param encrypted_cmk [String] The encrypted content master key.
-        # @return [String] The pre-shared content master key.
-        # @raise [Sandal::TokenError] The content master key can't be decrypted.
-        def decrypt_cmk(encrypted_cmk)
-          @key.private_decrypt(encrypted_cmk, @padding)
-        rescue
-          raise Sandal::TokenError, 'Cannot decrypt content master key.'
-        end
-
-      end
-      
-    end
-  end
-end

data/spec/sandal/enc/alg/rsa1_5_spec.rb

@@ -1,40 +0,0 @@
-require 'helper'
-require 'openssl'
-
-include Sandal::Util
-
-describe Sandal::Enc::Alg::RSA1_5 do
-
-  context '#name' do
-
-    it 'is "RSA1_5"' do
-      alg = Sandal::Enc::Alg::RSA1_5.new(OpenSSL::PKey::RSA.new(2048))
-      alg.name.should == 'RSA1_5'
-    end
-
-  end
-
-  context '#decrypt_cmk' do
-
-    it 'can decrypt the encypted content master key from JWE section A.2', :jruby_incompatible do
-      key = OpenSSL::PKey::RSA.new(2048)
-      key.n = make_bn([177, 119, 33, 13, 164, 30, 108, 121, 207, 136, 107, 242, 12, 224, 19, 226, 198, 134, 17, 71, 173, 75, 42, 61, 48, 162, 206, 161, 97, 108, 185, 234, 226, 219, 118, 206, 118, 5, 169, 224, 60, 181, 90, 85, 51, 123, 6, 224, 4, 122, 29, 230, 151, 12, 244, 127, 121, 25, 4, 85, 220, 144, 215, 110, 130, 17, 68, 228, 129, 138, 7, 130, 231, 40, 212, 214, 17, 179, 28, 124, 151, 178, 207, 20, 14, 154, 222, 113, 176, 24, 198, 73, 211, 113, 9, 33, 178, 80, 13, 25, 21, 25, 153, 212, 206, 67, 154, 147, 70, 194, 192, 183, 160, 83, 98, 236, 175, 85, 23, 97, 75, 199, 177, 73, 145, 50, 253, 206, 32, 179, 254, 236, 190, 82, 73, 67, 129, 253, 252, 220, 108, 136, 138, 11, 192, 1, 36, 239, 228, 55, 81, 113, 17, 25, 140, 63, 239, 146, 3, 172, 96, 60, 227, 233, 64, 255, 224, 173, 225, 228, 229, 92, 112, 72, 99, 97, 26, 87, 187, 123, 46, 50, 90, 202, 117, 73, 10, 153, 47, 224, 178, 163, 77, 48, 46, 154, 33, 148, 34, 228, 33, 172, 216, 89, 46, 225, 127, 68, 146, 234, 30, 147, 54, 146, 5, 133, 45, 78, 254, 85, 55, 75, 213, 86, 194, 218, 215, 163, 189, 194, 54, 6, 83, 36, 18, 153, 53, 7, 48, 89, 35, 66, 144, 7, 65, 154, 13, 97, 75, 55, 230, 132, 3, 13, 239, 71]) 
-      key.e = make_bn([1, 0, 1])
-      key.d = make_bn([84, 80, 150, 58, 165, 235, 242, 123, 217, 55, 38, 154, 36, 181, 221, 156, 211, 215, 100, 164, 90, 88, 40, 228, 83, 148, 54, 122, 4, 16, 165, 48, 76, 194, 26, 107, 51, 53, 179, 165, 31, 18, 198, 173, 78, 61, 56, 97, 252, 158, 140, 80, 63, 25, 223, 156, 36, 203, 214, 252, 120, 67, 180, 167, 3, 82, 243, 25, 97, 214, 83, 133, 69, 16, 104, 54, 160, 200, 41, 83, 164, 187, 70, 153, 111, 234, 242, 158, 175, 28, 198, 48, 211, 45, 148, 58, 23, 62, 227, 74, 52, 117, 42, 90, 41, 249, 130, 154, 80, 119, 61, 26, 193, 40, 125, 10, 152, 174, 227, 225, 205, 32, 62, 66, 6, 163, 100, 99, 219, 19, 253, 25, 105, 80, 201, 29, 252, 157, 237, 69, 1, 80, 171, 167, 20, 196, 156, 109, 249, 88, 0, 3, 152, 38, 165, 72, 87, 6, 152, 71, 156, 214, 16, 71, 30, 82, 51, 103, 76, 218, 63, 9, 84, 163, 249, 91, 215, 44, 238, 85, 101, 240, 148, 1, 82, 224, 91, 135, 105, 127, 84, 171, 181, 152, 210, 183, 126, 24, 46, 196, 90, 173, 38, 245, 219, 186, 222, 27, 240, 212, 194, 15, 66, 135, 226, 178, 190, 52, 245, 74, 65, 224, 81, 100, 85, 25, 204, 165, 203, 187, 175, 84, 100, 82, 15, 11, 23, 202, 151, 107, 54, 41, 207, 3, 136, 229, 134, 131, 93, 139, 50, 182, 204, 93, 130, 89])
-      cmk = [4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106, 206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156, 44, 207].pack('C*')
-      encrypted_cmk = jwt_base64_decode('ZmnlqWgjXyqwjr7cXHys8F79anIUI6J2UWdAyRQEcGBU-KPHsePM910_RoTDGu1IW40Dn0dvcdVEjpJcPPNIbzWcMxDi131Ejeg-b8ViW5YX5oRdYdiR4gMSDDB3mbkInMNUFT-PK5CuZRnHB2rUK5fhPuF6XFqLLZCG5Q_rJm6Evex-XLcNQAJNa1-6CIU12Wj3mPExxw9vbnsQDU7B4BfmhdyiflLA7Ae5ZGoVRl3A__yLPXxRjHFhpOeDp_adx8NyejF5cz9yDKULugNsDMdlHeJQOMGVLYaSZt3KP6aWNSqFA1PHDg-10ceuTEtq_vPE4-Gtev4N4K4Eudlj4Q')
-      alg = Sandal::Enc::Alg::RSA1_5.new(key)
-      alg.decrypt_cmk(encrypted_cmk).should == cmk
-    end
-
-    it 'raises a TokenError when the wrong key is used for decryption' do
-      key = OpenSSL::PKey::RSA.new(2048)
-      cmk = [4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106, 206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156, 44, 207].pack('C*')
-      encrypted_cmk = jwt_base64_decode('ZmnlqWgjXyqwjr7cXHys8F79anIUI6J2UWdAyRQEcGBU-KPHsePM910_RoTDGu1IW40Dn0dvcdVEjpJcPPNIbzWcMxDi131Ejeg-b8ViW5YX5oRdYdiR4gMSDDB3mbkInMNUFT-PK5CuZRnHB2rUK5fhPuF6XFqLLZCG5Q_rJm6Evex-XLcNQAJNa1-6CIU12Wj3mPExxw9vbnsQDU7B4BfmhdyiflLA7Ae5ZGoVRl3A__yLPXxRjHFhpOeDp_adx8NyejF5cz9yDKULugNsDMdlHeJQOMGVLYaSZt3KP6aWNSqFA1PHDg-10ceuTEtq_vPE4-Gtev4N4K4Eudlj4Q')
-      alg = Sandal::Enc::Alg::RSA1_5.new(key)
-      expect { alg.decrypt_cmk(encrypted_cmk) }.to raise_error Sandal::TokenError, 'Cannot decrypt content master key.'
-    end
-
-  end
-
-end