standard_singpass 0.1.0

data/lib/standard_singpass/myinfo/person_data_parser.rb

@@ -0,0 +1,356 @@
+# typed: strict
+
+module StandardSingpass
+  module Myinfo
+    class PersonDataParser
+      extend T::Sig
+
+      # Extracts structured fields from the raw MyInfo person data response.
+      # Returns a hash suitable for storing in the host application's MyInfo
+      # record (typically encrypted at rest).
+      sig { params(person_data: T.nilable(T::Hash[String, T.untyped])).returns(T::Hash[Symbol, T.untyped]) }
+      def self.call(person_data)
+        new(person_data).parse
+      end
+
+      # Singpass FAPI 2.0 / v5 userinfo responses wrap the attribute set in
+      # `person_info`:
+      #   { "sub" => "<uuid>", "person_info" => { "uinfin" => { "value" => "..." }, ... } }
+      # Per the official migration guide:
+      #   https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps
+      # We unwrap once here so every consumer can read attributes at the top
+      # level. Tests and mock-mode pass flat data — that also works because we
+      # only unwrap when the wrapper key is present.
+      sig { params(person_data: T.nilable(T::Hash[String, T.untyped])).void }
+      def initialize(person_data)
+        data = person_data || {}
+        @data = T.let(data.key?("person_info") ? (data["person_info"] || {}) : data, T::Hash[String, T.untyped])
+      end
+
+      sig { returns(T::Hash[Symbol, T.untyped]) }
+      def parse
+        {
+          # Identity
+          nric: extract_value("uinfin"),
+          name: extract_value("name"),
+          alias_name: extract_value("aliasname"),
+          hanyu_pinyin_name: extract_value("hanyupinyinname"),
+          hanyu_pinyin_alias_name: extract_value("hanyupinyinaliasname"),
+          married_name: extract_value("marriedname"),
+          sex: extract_code("sex"),
+          race: extract_code("race"),
+          nationality: extract_code("nationality"),
+          date_of_birth: extract_value("dob"),
+          residential_status: extract_code("residentialstatus"),
+          marital_status: extract_code("marital"),
+
+          # Contact
+          email: extract_value("email"),
+          mobile_number:,
+
+          # Address
+          registered_address:,
+          hdb_type: extract_label("hdbtype"),
+          housing_type: extract_label("housingtype"),
+
+          # Pass info — FIN-only; absent for SC/PR.
+          pass_type: extract_label("passtype"),
+          pass_status: extract_label("passstatus"),
+          pass_expiry_date: extract_value("passexpirydate"),
+          employment_sector: extract_label("employmentsector"),
+
+          # Employment. Singpass `employment` returns the employer's company
+          # name for FIN holders, but a status label ("EMPLOYED" / "SELF-
+          # EMPLOYED") for SC/PR. Stored as `:employment` rather than
+          # `:employer_name` so consumers don't render "Employer: EMPLOYED"
+          # for citizen borrowers.
+          employment: extract_value("employment"),
+          # SSOC 4-digit code → desc (e.g. "5223" → "SALES SUPERVISOR"). Codes
+          # alone are meaningless to humans reviewing what's been shared.
+          occupation: extract_label("occupation"),
+          cpf_employers:,
+
+          # Income — MAS TDSR inputs
+          noa_basic:,
+          noa_history_basic:,
+          noa: noa_detailed,
+          noa_history: noa_history_detailed,
+          cpf_contributions:,
+
+          # Assets / liabilities
+          cpf_balances:,
+          cpf_housing_withdrawal:,
+          owner_private: extract_value("ownerprivate"),
+          hdb_ownership:,
+          vehicles:
+        }.compact
+      end
+
+      private
+
+      sig { params(field: String).returns(T.nilable(String)) }
+      def extract_value(field)
+        target = @data[field]
+        return nil unless target.is_a?(Hash)
+        val = target["value"]
+        return nil if val.nil?
+        return nil if val.is_a?(String) && val.empty?
+        # Singpass returns some Y/N attributes (observed on `ownerprivate`
+        # in FAPI 2.0 v5) as JSON booleans rather than "Y"/"N" strings.
+        # Normalise here so downstream consumers see one shape regardless
+        # of upstream type. Boolean false → "N", true → "Y".
+        return val ? "Y" : "N" if val == true || val == false
+        return val if val.is_a?(String)
+        # Numeric or other unexpected types — stringify rather than crash.
+        val.to_s
+      end
+
+      sig { params(field: String).returns(T.nilable(String)) }
+      def extract_code(field)
+        target = @data[field]
+        return nil unless target.is_a?(Hash)
+        target["code"].presence
+      end
+
+      # Singpass MyInfo v5 returns enum fields as `{ code: "112", desc: "4-ROOM FLAT", ... }`.
+      # `extract_code` keeps the raw enum for business logic (e.g. residential
+      # status eligibility check). For display-only enums (HDB type, housing
+      # type, occupation, pass info, employment sector) the desc is what the
+      # human reviewing what's been shared needs to see — falling back to code
+      # when desc is absent rather than render an empty cell.
+      sig { params(field: String).returns(T.nilable(String)) }
+      def extract_label(field)
+        label_from(@data[field])
+      end
+
+      # Hash-direct variant of `extract_label` for nested code/desc blocks
+      # (e.g. `hdbownership[].hdbtype`) where the parent already navigated
+      # to the leaf hash.
+      sig { params(hash: T.untyped).returns(T.nilable(String)) }
+      def label_from(hash)
+        return nil unless hash.is_a?(Hash)
+        hash["desc"].presence || hash["code"].presence
+      end
+
+      # Singpass MyInfo (FAPI 2.0) returns `mobileno` as three nested objects —
+      # `prefix` ("+"), `areacode` ("65"), `nbr` ("91234567") — each wrapped in
+      # `{ "value" => ... }`.
+      sig { returns(T.nilable(String)) }
+      def mobile_number
+        mobileno = @data["mobileno"]
+        return nil unless mobileno.is_a?(Hash)
+
+        prefix = mobileno.dig("prefix", "value")
+        areacode = mobileno.dig("areacode", "value")
+        number = mobileno.dig("nbr", "value")
+        return nil if number.blank? || prefix.blank?
+
+        "#{prefix}#{areacode}#{number}"
+      end
+
+      sig { returns(T.nilable(T::Hash[Symbol, String])) }
+      def registered_address
+        addr = @data["regadd"]
+        return nil unless addr
+
+        {
+          block: addr.dig("block", "value"),
+          building: addr.dig("building", "value"),
+          floor: addr.dig("floor", "value"),
+          unit: addr.dig("unit", "value"),
+          street: addr.dig("street", "value"),
+          postal: addr.dig("postal", "value"),
+          country: addr.dig("country", "code")
+        }.compact
+      end
+
+      # CPF Ordinary Account balance only. FAPI 2.0 sub-attribute scope
+      # assumption: the `cpfbalances.oa` scope returns the response in the
+      # nested form `{ "cpfbalances": { "oa": { "value": "..." } } }` rather
+      # than a flattened key. Same assumption for `hdbownership.*` and
+      # `vehicles.effectiveownership` below.
+      sig { returns(T.nilable(T::Hash[Symbol, String])) }
+      def cpf_balances
+        oa = @data.dig("cpfbalances", "oa", "value")
+        return nil if oa.blank?
+        { ordinary_account: oa }
+      end
+
+      sig { returns(T.nilable(T::Array[T::Hash[Symbol, String]])) }
+      def cpf_contributions
+        list = array_at("cpfcontributions", "history")
+        return nil unless list
+
+        list.filter_map do |entry|
+          next unless entry.is_a?(Hash)
+          record = {
+            employer: entry.dig("employer", "value"),
+            month: entry.dig("month", "value"),
+            amount: entry.dig("amount", "value"),
+            date: entry.dig("date", "value")
+          }.compact
+          record.presence
+        end.presence
+      end
+
+      sig { returns(T.nilable(T::Array[T::Hash[Symbol, String]])) }
+      def cpf_employers
+        list = array_at("cpfemployers", "history")
+        return nil unless list
+
+        list.filter_map do |entry|
+          next unless entry.is_a?(Hash)
+          record = {
+            name: entry.dig("employer", "value"),
+            month: entry.dig("month", "value")
+          }.compact
+          record.presence
+        end.presence
+      end
+
+      sig { returns(T.nilable(T::Hash[Symbol, String])) }
+      def cpf_housing_withdrawal
+        block = @data["cpfhousingwithdrawal"]
+        return nil unless block.is_a?(Hash)
+
+        record = {
+          principal: block.dig("totalprincipalamount", "value"),
+          monthly_instalment: block.dig("totalmonthlyinstalmentamount", "value"),
+          accrued_interest: block.dig("totalaccruedinterestamount", "value")
+        }.compact
+        record.presence
+      end
+
+      sig { returns(T.nilable(T::Hash[Symbol, String])) }
+      def noa_basic
+        noa_record(@data["noa-basic"])
+      end
+
+      sig { returns(T.nilable(T::Array[T::Hash[Symbol, String]])) }
+      def noa_history_basic
+        list = array_at("noahistory-basic", "noas")
+        return nil unless list
+
+        list.filter_map { |entry| noa_record(entry) }.presence
+      end
+
+      sig { returns(T.nilable(T::Hash[Symbol, String])) }
+      def noa_detailed
+        block = @data["noa"]
+        return nil unless block.is_a?(Hash)
+
+        record = {
+          year_of_assessment: block.dig("yearofassessment", "value"),
+          amount: block.dig("amount", "value"),
+          employment: block.dig("employment", "value"),
+          trade: block.dig("trade", "value"),
+          rent: block.dig("rent", "value"),
+          interest: block.dig("interest", "value"),
+          tax_category: block.dig("taxclearance", "value")
+        }.compact
+        record.presence
+      end
+
+      sig { returns(T.nilable(T::Array[T::Hash[Symbol, String]])) }
+      def noa_history_detailed
+        list = array_at("noahistory", "noas")
+        return nil unless list
+
+        list.filter_map do |entry|
+          next unless entry.is_a?(Hash)
+          record = {
+            year_of_assessment: entry.dig("yearofassessment", "value"),
+            amount: entry.dig("amount", "value"),
+            employment: entry.dig("employment", "value"),
+            trade: entry.dig("trade", "value"),
+            rent: entry.dig("rent", "value"),
+            interest: entry.dig("interest", "value"),
+            tax_category: entry.dig("taxclearance", "value")
+          }.compact
+          record.presence
+        end.presence
+      end
+
+      # HDB ownership records — one entry per flat owned. The 8 sub-fields
+      # drive TDSR housing-loan calculations: monthly instalment is the most
+      # important (direct repayment-capacity reduction); outstanding balance
+      # gives leverage ratio context.
+      sig { returns(T.nilable(T::Array[T::Hash[Symbol, T.untyped]])) }
+      def hdb_ownership
+        list = array_at("hdbownership")
+        return nil unless list
+
+        list.filter_map do |entry|
+          next unless entry.is_a?(Hash)
+          record = {
+            no_of_owners: entry.dig("noofowners", "value"),
+            address: hdb_address(entry["address"]),
+            hdb_type: label_from(entry["hdbtype"]),
+            loan_granted: entry.dig("loangranted", "value"),
+            balance_loan_repayment: entry.dig("balanceloanrepayment", "value"),
+            outstanding_loan_balance: entry.dig("outstandingloanbalance", "value"),
+            monthly_loan_instalment: entry.dig("monthlyloaninstalment", "value"),
+            outstanding_instalment: entry.dig("outstandinginstalment", "value")
+          }.compact
+          record.presence
+        end.presence
+      end
+
+      sig { params(addr: T.untyped).returns(T.nilable(T::Hash[Symbol, String])) }
+      def hdb_address(addr)
+        return nil unless addr.is_a?(Hash)
+
+        record = {
+          block: addr.dig("block", "value"),
+          building: addr.dig("building", "value"),
+          floor: addr.dig("floor", "value"),
+          unit: addr.dig("unit", "value"),
+          street: addr.dig("street", "value"),
+          postal: addr.dig("postal", "value"),
+          country: addr.dig("country", "code")
+        }.compact
+        record.presence
+      end
+
+      sig { returns(T.nilable(T::Array[T::Hash[Symbol, String]])) }
+      def vehicles
+        list = array_at("vehicles")
+        return nil unless list
+
+        list.filter_map do |entry|
+          next unless entry.is_a?(Hash)
+          date = entry.dig("effectiveownership", "value")
+          next if date.blank?
+          { effective_ownership_date: date }
+        end.presence
+      end
+
+      sig { params(entry: T.untyped).returns(T.nilable(T::Hash[Symbol, String])) }
+      def noa_record(entry)
+        return nil unless entry.is_a?(Hash)
+        record = {
+          year_of_assessment: entry.dig("yearofassessment", "value"),
+          amount: entry.dig("amount", "value")
+        }.compact
+        record.presence
+      end
+
+      # Singpass returns array-shaped attributes either as a direct array
+      # (e.g. `vehicles: [...]`) or wrapped in a sub-key like
+      # `cpfcontributions: { history: [...] }` / `noahistory: { noas: [...] }`.
+      sig { params(field: String, sub: T.nilable(String)).returns(T.nilable(T::Array[T.untyped])) }
+      def array_at(field, sub = nil)
+        block = @data[field]
+
+        direct =
+          case block
+          when Array then block
+          when Hash then sub ? block[sub] : nil
+          end
+
+        return direct if direct.is_a?(Array)
+        nil
+      end
+    end
+  end
+end

data/lib/standard_singpass/myinfo/security.rb

@@ -0,0 +1,186 @@
+# typed: strict
+
+module StandardSingpass
+  module Myinfo
+    class Security
+      extend T::Sig
+
+      class DecryptionError < StandardError; end
+      class ValidationError < StandardError; end
+
+      JWKS_CACHE_TTL = T.let(1.hour, ActiveSupport::Duration)
+
+      # Generates a PKCE code verifier and code challenge pair (S256).
+      sig { returns({ code_verifier: String, code_challenge: String }) }
+      def self.generate_pkce_pair
+        code_verifier = SecureRandom.urlsafe_base64(48)
+        code_challenge = Base64.urlsafe_encode64(
+          Digest::SHA256.digest(code_verifier), padding: false
+        )
+        { code_verifier:, code_challenge: }
+      end
+
+      # Generates an ephemeral EC key pair (ES256 / prime256v1) for DPoP.
+      sig { returns(OpenSSL::PKey::EC) }
+      def self.generate_ephemeral_key_pair
+        OpenSSL::PKey::EC.generate("prime256v1")
+      end
+
+      # Builds a DPoP proof JWT per RFC 9449.
+      sig { params(http_method: String, url: String, key_pair: OpenSSL::PKey::EC, access_token: T.nilable(String)).returns(String) }
+      def self.build_dpop_proof(http_method:, url:, key_pair:, access_token: nil)
+        jwk = JWT::JWK.new(key_pair)
+
+        header = {
+          typ: "dpop+jwt",
+          alg: "ES256",
+          jwk: jwk.export(include_private: false)
+        }
+
+        htu = URI(url).tap { |u| u.query = nil; u.fragment = nil }.to_s
+
+        claims = {
+          htm: http_method.upcase,
+          htu:,
+          iat: Time.current.to_i,
+          exp: (Time.current + 2.minutes).to_i,
+          jti: SecureRandom.uuid
+        }
+
+        if access_token
+          ath = Base64.urlsafe_encode64(
+            Digest::SHA256.digest(access_token), padding: false
+          )
+          claims[:ath] = ath
+        end
+
+        JWT.encode(claims, key_pair, "ES256", header)
+      end
+
+      # Builds a private_key_jwt client assertion for the token endpoint.
+      sig { params(client_id: String, audience: String, signing_key: T.any(String, OpenSSL::PKey::PKey), signing_kid: String, code: T.nilable(String)).returns(String) }
+      def self.build_client_assertion(client_id:, audience:, signing_key:, signing_kid:, code: nil)
+        key = signing_key.is_a?(OpenSSL::PKey::PKey) ? signing_key : OpenSSL::PKey.read(signing_key)
+
+        header = {
+          alg: "ES256",
+          kid: signing_kid,
+          typ: "JWT"
+        }
+
+        claims = {
+          iss: client_id,
+          sub: client_id,
+          aud: audience,
+          iat: Time.current.to_i,
+          exp: (Time.current + 2.minutes).to_i,
+          jti: SecureRandom.uuid
+        }
+        claims[:code] = code if code.present?
+
+        JWT.encode(claims, key, "ES256", header)
+      end
+
+      # Decrypts a JWE string using the matching private key (by kid). FAPI 2.0
+      # mandates EC P-256 with ECDH-ES+A256KW; RSA-OAEP (the v4 path) is no
+      # longer supported by Singpass and we no longer accept it on our side.
+      sig { params(jwe_string: String, private_keys: T::Array[T::Hash[Symbol, T.untyped]]).returns(String) }
+      def self.decrypt_jwe(jwe_string, private_keys:)
+        header_kid = extract_jwe_kid(jwe_string)
+        raise DecryptionError, "JWE header missing kid field" unless header_kid
+
+        matching_key = private_keys.find { |k| k[:kid] == header_kid }
+        raise DecryptionError, "No matching decryption key found" unless matching_key
+
+        alg = extract_jwe_alg(jwe_string)
+        unless EcdhJwe::SUPPORTED_ALGS.include?(alg)
+          raise DecryptionError, "Unsupported JWE alg #{alg.inspect}; FAPI 2.0 requires #{EcdhJwe::SUPPORTED_ALGS.join('/')}"
+        end
+
+        EcdhJwe.decrypt(jwe_string, private_key: resolve_key(matching_key[:key]))
+      rescue EcdhJwe::DecryptionFailed => e
+        raise DecryptionError, "JWE decryption failed: #{e.message}"
+      rescue ArgumentError => e
+        raise DecryptionError, "Malformed JWE: #{e.message}"
+      end
+
+      # Validates a JWS string against keys from a JWKS endpoint.
+      # Performs signature verification only — callers must validate claims (aud, iss, nbf, etc.).
+      sig { params(jws_string: String, jwks_url: String).returns(T::Hash[String, T.untyped]) }
+      def self.validate_jws(jws_string, jwks_url:)
+        jwks_data = fetch_jwks(jwks_url)
+        begin
+          decode_with_jwks(jws_string, jwks_data)
+        rescue JWT::VerificationError
+          # Retry once with a fresh JWKS fetch in case of key rotation
+          jwks_data = fetch_jwks(jwks_url, force_refresh: true)
+          begin
+            decode_with_jwks(jws_string, jwks_data)
+          rescue JWT::DecodeError => e
+            raise ValidationError, "JWS validation failed: #{e.message}"
+          end
+        rescue JWT::DecodeError => e
+          raise ValidationError, "JWS validation failed: #{e.message}"
+        end
+      end
+
+      sig { params(jws_string: String, jwks_data: T::Hash[String, T.untyped]).returns(T::Hash[String, T.untyped]) }
+      private_class_method def self.decode_with_jwks(jws_string, jwks_data)
+        jwks = JWT::JWK::Set.new(jwks_data)
+        decoded = JWT.decode(jws_string, nil, true, algorithms: ALLOWED_ALGORITHMS, jwks:)
+        decoded.first
+      end
+
+      sig { params(jwe_string: String).returns(T::Hash[String, T.untyped]) }
+      def self.extract_jwe_header(jwe_string)
+        header_segment = jwe_string.split(".").first
+        return {} unless header_segment.present?
+        padded = header_segment + "=" * ((4 - header_segment.length % 4) % 4)
+        JSON.parse(Base64.urlsafe_decode64(padded))
+      end
+      private_class_method :extract_jwe_header
+
+      sig { params(jwe_string: String).returns(T.nilable(String)) }
+      def self.extract_jwe_kid(jwe_string)
+        extract_jwe_header(jwe_string)["kid"]
+      end
+      private_class_method :extract_jwe_kid
+
+      sig { params(jwe_string: String).returns(T.nilable(String)) }
+      def self.extract_jwe_alg(jwe_string)
+        extract_jwe_header(jwe_string)["alg"]
+      end
+      private_class_method :extract_jwe_alg
+
+      sig { params(key: T.untyped).returns(T.untyped) }
+      def self.resolve_key(key)
+        case key
+        when OpenSSL::PKey::PKey then key
+        when String then OpenSSL::PKey.read(key)
+        else raise DecryptionError, "Unsupported key type: #{key.class}"
+        end
+      end
+      private_class_method :resolve_key
+
+      sig { params(url: String, force_refresh: T::Boolean).returns(T::Hash[String, T.untyped]) }
+      def self.fetch_jwks(url, force_refresh: false)
+        cache_key = "standard_singpass:myinfo:jwks:#{Digest::SHA256.hexdigest(url)}"
+
+        Rails.cache.delete(cache_key) if force_refresh
+
+        Rails.cache.fetch(cache_key, expires_in: JWKS_CACHE_TTL) do
+          response = Faraday.get(url) { |req| req.options.timeout = 5; req.options.open_timeout = 3 }
+          raise ValidationError, "Failed to fetch JWKS: HTTP #{response.status}" unless response.success?
+
+          JSON.parse(response.body)
+        end
+      rescue Faraday::Error, JSON::ParserError => e
+        raise ValidationError, "Failed to fetch JWKS: #{e.message}"
+      end
+      private_class_method :fetch_jwks
+
+      # FAPI 2.0 mandates ES256 for all JWS signatures.
+      ALLOWED_ALGORITHMS = T.let(%w[ES256].freeze, T::Array[String])
+    end
+  end
+end

data/lib/standard_singpass/myinfo/test_personas.rb

@@ -0,0 +1,47 @@
+# typed: false
+
+module StandardSingpass
+  module Myinfo
+    # Loads the test-persona fixture set used by Singpass mock-callback flows
+    # (E2E only) and RSpec helpers. The fixture file is the single source of
+    # truth so Ruby and Playwright sides can't drift.
+    #
+    # The host application can override the fixture path via
+    # `StandardSingpass::Myinfo.configuration.personas_path = Pathname.new(...)`.
+    # Without an override, the gem's bundled `fixtures/myinfo-personas.json`
+    # is used.
+    module TestPersonas
+      DEFAULT_KEY = "default"
+      GEM_FIXTURE_PATH = Pathname.new(File.expand_path("../../../fixtures/myinfo-personas.json", __dir__)).freeze
+
+      class UnknownPersona < KeyError; end
+
+      def self.fetch(key)
+        key = key.to_s.presence || DEFAULT_KEY
+        data.fetch(key) do
+          raise UnknownPersona, "Unknown MyInfo test persona: #{key.inspect}. Known: #{data.keys.inspect}"
+        end
+      end
+
+      def self.keys
+        data.keys
+      end
+
+      def self.data
+        @data ||= JSON.parse(fixture_path.read).freeze
+      end
+
+      # Test-only — call from a spec `before(:suite)` if you want to pick up
+      # mid-run edits to the fixture file.
+      def self.reload!
+        @data = nil
+        data
+      end
+
+      def self.fixture_path
+        configured = StandardSingpass::Myinfo.configuration.personas_path
+        configured ? Pathname.new(configured) : GEM_FIXTURE_PATH
+      end
+    end
+  end
+end

data/lib/standard_singpass/myinfo.rb

@@ -0,0 +1,78 @@
+require "sorbet-runtime"
+require "active_support/all"
+require "faraday"
+require "jwt"
+require "openssl"
+require "json"
+require "base64"
+require "digest"
+require "securerandom"
+require "aes_key_wrap"
+
+require "standard_singpass/myinfo/error"
+require "standard_singpass/myinfo/configuration"
+require "standard_singpass/myinfo/ecdh_jwe"
+require "standard_singpass/myinfo/security"
+require "standard_singpass/myinfo/client"
+require "standard_singpass/myinfo/person_data_parser"
+require "standard_singpass/myinfo/jwks_generator"
+require "standard_singpass/myinfo/test_personas"
+
+module StandardSingpass
+  module Myinfo
+    class << self
+      def configure
+        yield(configuration) if block_given?
+        @public_jwks = nil
+      end
+
+      def configuration
+        @configuration ||= Configuration.new
+      end
+
+      def reset_configuration!
+        @configuration = Configuration.new
+        @public_jwks = nil
+      end
+
+      def public_jwks
+        @public_jwks ||= build_public_jwks
+      end
+
+      private
+
+      def build_public_jwks
+        keys = []
+        c = configuration
+
+        if c.signing_key.present? && c.signing_kid.present?
+          begin
+            key = OpenSSL::PKey.read(c.signing_key)
+            jwk = JWT::JWK.new(key, kid: c.signing_kid)
+            exported = jwk.export(include_private: false)
+            exported[:use] = "sig"
+            exported[:alg] = "ES256"
+            keys << exported
+          rescue OpenSSL::PKey::PKeyError => e
+            Rails.logger.error("StandardSingpass::Myinfo: failed to load signing key: #{e.message}")
+            Rails.error.report(e, handled: true, context: { component: "StandardSingpass::Myinfo", reason: "build_public_jwks_signing", kid: c.signing_kid })
+          end
+        end
+
+        Array(c.encryption_keys).each do |enc_key_config|
+          key = OpenSSL::PKey.read(enc_key_config[:key])
+          jwk = JWT::JWK.new(key, kid: enc_key_config[:kid])
+          exported = jwk.export(include_private: false)
+          exported[:use] = "enc"
+          exported[:alg] = "ECDH-ES+A256KW"
+          keys << exported
+        rescue OpenSSL::PKey::PKeyError => e
+          Rails.logger.error("StandardSingpass::Myinfo: failed to load encryption key #{enc_key_config[:kid]}: #{e.message}")
+          Rails.error.report(e, handled: true, context: { component: "StandardSingpass::Myinfo", reason: "build_public_jwks_encryption", kid: enc_key_config[:kid] })
+        end
+
+        { keys: }
+      end
+    end
+  end
+end

data/lib/standard_singpass/version.rb

@@ -0,0 +1,3 @@
+module StandardSingpass
+  VERSION = "0.1.0"
+end

data/lib/standard_singpass.rb

@@ -0,0 +1,6 @@
+require "standard_singpass/version"
+require "standard_singpass/engine"
+require "standard_singpass/myinfo"
+
+module StandardSingpass
+end