truelayer-signing 0.1.2 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8cc4b5beb4b79ccfafd7350d4882927d45abea2580d4d4d869d39faae157498d
-  data.tar.gz: ab43241ee2475b2797ff43fc5c142b778ff4e4ef28d042a123b9ac8179d913aa
+  metadata.gz: 7675d871fb8de41624e5f92fb6b0252fac90900f2f52c6bd9b182ea0f80cde44
+  data.tar.gz: 2345bf7cfc1619ef8c5e1bb20ed56f966ec9a71263798bde713aca0ba92b0811
 SHA512:
-  metadata.gz: 6e208e6b3ed16190946cdeceae856ebcddc42b472458b86c527e0dfe52a67fe0d33e954c018f63fcb8502b659081aa35522516f9dacfb12f492b36a7830fe6b6
-  data.tar.gz: 3282b084e0907c8c709dfa2f3d2bef71527bca7181c342a24de63262c70ffa3a9e41f4437eb77f667a1e9c6a45776b8db6549ce709b244128b5fb58006b4afea
+  metadata.gz: df411a9c02a97ab165f5a47063ec0ca3fae67fe437f96af20b1f71eab4f88105bd8259a3c9685056c91210c3dca0134721f5c3b94e9cc39691756f6b64c17279
+  data.tar.gz: a39b865f5c4a1a3226cc8071f3c5971ff8c32c536d4b7b88ddab8cf7ffcc71fa2e36c3d3409b5fa7f3d25647f8ea8fb202ef6f74ac51661e85c2b089f6a4e2c4

data/CHANGELOG.md

@@ -9,6 +9,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - ...
 
+## [0.2.0] – 2023-06-13
+
+- Add support for signature verification using a JWKS: `TrueLayerSigning.verify_with_jwks(jwks)`
+    and `TrueLayerSigning.extract_jws_header(signature)`.
+
 ## [0.1.2] – 2023-05-19
 
 - Fix conflict with JWT library

data/README.md

@@ -59,10 +59,20 @@ See full example of [request signing].
 
 ## Verifying webhooks
 
-The `verify_with_pem` method may be used to verify webhook `Tl-Signature` header signatures.
+The `verify_with_jwks` method may be used to verify webhook `Tl-Signature` header signatures.
 
 ```ruby
-TrueLayerSigning.verify_with_pem(pem)
+# The `jku` field is included in webhook signatures
+jku = TrueLayerSigning.extract_jws_header(webhook_signature).jku
+
+# You should check that the `jku` is a valid TrueLayer URL (not provided by this library)
+ensure_jku_allowed(jku)
+
+# Then fetch JSON Web Key Set from the public URL (not provided by this library)
+jwks = fetch_jwks(jku)
+
+# The raw JWKS value may be used directly to verify a signature
+TrueLayerSigning.verify_with_jwks(jwks)
   .set_method(method)
   .set_path(path)
   .set_headers(headers)

data/examples/webhook-server/Gemfile

@@ -1,4 +1,5 @@
 source "https://rubygems.org"
 
+gem "http"
 gem "truelayer-signing"
 gem "webrick"

data/examples/webhook-server/Gemfile.lock

@@ -1,15 +1,40 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    jwt (2.6.0)
-    truelayer-signing (0.1.1)
-      jwt (= 2.6)
+    addressable (2.8.4)
+      public_suffix (>= 2.0.2, < 6.0)
+    domain_name (0.5.20190701)
+      unf (>= 0.0.5, < 1.0.0)
+    ffi (1.15.5)
+    ffi-compiler (1.0.1)
+      ffi (>= 1.0.0)
+      rake
+    http (5.1.1)
+      addressable (~> 2.8)
+      http-cookie (~> 1.0)
+      http-form_data (~> 2.2)
+      llhttp-ffi (~> 0.4.0)
+    http-cookie (1.0.5)
+      domain_name (~> 0.5)
+    http-form_data (2.3.0)
+    jwt (2.7.0)
+    llhttp-ffi (0.4.0)
+      ffi-compiler (~> 1.0)
+      rake (~> 13.0)
+    public_suffix (5.0.1)
+    rake (13.0.6)
+    truelayer-signing (0.2.0)
+      jwt (~> 2.7)
+    unf (0.1.4)
+      unf_ext
+    unf_ext (0.0.8.2)
     webrick (1.8.1)
 
 PLATFORMS
   arm64-darwin-21
 
 DEPENDENCIES
+  http
   truelayer-signing
   webrick
 

data/examples/webhook-server/main.rb

@@ -1,23 +1,14 @@
-require 'securerandom'
-require 'truelayer-signing'
-require 'webrick'
+require "http"
+require "truelayer-signing"
+require "webrick"
 
 class TrueLayerSigningExamples
   # Note: the webhook path can be whatever is configured for your application.
   # Here a unique path is used, matching the example signature in the README.
   WEBHOOK_PATH = "/hook/d7a2c49d-110a-4ed2-a07d-8fdb3ea6424b".freeze
-  PUBLIC_KEY_PEM = <<~TXT.freeze
-    -----BEGIN PUBLIC KEY-----
-    MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBJ6ET9XeVCyMy+yOetZaNNCXPhwr5
-    BlyDDg1CLmyNM5SvqOs8RveL6dYl4lpPur4xrPQl04ggYlVd9wnHkZnp3jcBlXw8
-    Lc5phyYF1q2/QV/5wp2WHIhKDqUiXC0TvlE8d7MdTAN9yolcwrh6aWZ3kesTMZif
-    BgItyT6PXUab8mMdI8k=
-    -----END PUBLIC KEY-----
-  TXT
 
   class << self
     def run_webhook_server
-      TrueLayerSigning.certificate_id ||= SecureRandom.uuid
       server = WEBrick::HTTPServer.new(Port: 4567)
 
       puts "Server running at http://localhost:4567"
@@ -61,9 +52,19 @@ class TrueLayerSigningExamples
 
       return ["400", "Bad Request – Header `Tl-Signature` missing"] unless tl_signature
 
+      jku = TrueLayerSigning.extract_jws_header(tl_signature).jku
+
+      return ["400", "Bad Request – Signature missing `jku`"] unless jku
+      return ["401", "Unauthorized – Unpermitted `jku`"] \
+        unless jku == "https://webhooks.truelayer.com/.well-known/jwks" ||
+          jku == "https://webhooks.truelayer-sandbox.com/.well-known/jwks"
+
+      jwks = HTTP.get(jku)
+
+      return ["401", "Unauthorized – Unavailable `jwks` resource"] unless jwks.status.success?
+
       begin
-        TrueLayerSigning
-          .verify_with_pem(PUBLIC_KEY_PEM)
+        TrueLayerSigning.verify_with_jwks(jwks.to_s)
           .set_method(:post)
           .set_path(path)
           .set_headers(headers)

data/lib/truelayer-signing/verifier.rb

@@ -1,9 +1,12 @@
 module TrueLayerSigning
   class Verifier < JwsBase
-    attr_reader :required_headers, :key_value
+    EXPECTED_COORDS_LENGTH = 66.freeze
+
+    attr_reader :required_headers, :key_type, :key_value
 
     def initialize(args)
       super
+      @key_type = args[:key_type]
       @key_value = args[:key_value]
     end
 
@@ -11,7 +14,6 @@ module TrueLayerSigning
       ensure_verifier_config!
 
       jws_header, jws_header_b64, signature_b64 = self.class.parse_tl_signature(tl_signature)
-      public_key = OpenSSL::PKey.read(key_value)
 
       raise(Error, "Unexpected `alg` header value") if jws_header.alg != TrueLayerSigning.algorithm
 
@@ -22,24 +24,7 @@ module TrueLayerSigning
       raise(Error, "Signature missing required header(s)") if required_headers &&
         required_headers.any? { |key| !normalised_headers.has_key?(key.downcase) }
 
-      payload_b64 = Base64.urlsafe_encode64(build_signing_payload(ordered_headers), padding: false)
-      full_signature = [jws_header_b64, payload_b64, signature_b64].join(".")
-      jwt_options = { algorithm: TrueLayerSigning.algorithm }
-
-      begin
-        JWT.truelayer_decode(full_signature, public_key, true, jwt_options)
-      rescue JWT::VerificationError
-        @path = path.end_with?("/") && path[0...-1] || path + "/"
-        payload_b64 = Base64.urlsafe_encode64(build_signing_payload(ordered_headers),
-                                              padding: false)
-        full_signature = [jws_header_b64, payload_b64, signature_b64].join(".")
-
-        begin
-          JWT.truelayer_decode(full_signature, public_key, true, jwt_options)
-        rescue
-          raise(Error, "Signature verification failed")
-        end
-      end
+      verify_signature_flex(ordered_headers, jws_header, jws_header_b64, signature_b64)
     end
 
     def require_header(name)
@@ -69,6 +54,73 @@ module TrueLayerSigning
       [jws_header, jws_header_b64, signature_b64]
     end
 
+    private def verify_signature_flex(ordered_headers, jws_header, jws_header_b64, signature_b64)
+      full_signature = build_full_signature(ordered_headers, jws_header_b64, signature_b64)
+
+      begin
+        verify_signature(jws_header, full_signature)
+      rescue JWT::VerificationError
+        @path = path.end_with?("/") && path[0...-1] || path + "/"
+        full_signature = build_full_signature(ordered_headers, jws_header_b64, signature_b64)
+
+        begin
+          verify_signature(jws_header, full_signature)
+        rescue JWT::VerificationError
+          raise(Error, "Signature verification failed")
+        end
+      end
+    end
+
+    private def build_full_signature(ordered_headers, jws_header_b64, signature_b64)
+      payload_b64 = Base64.urlsafe_encode64(build_signing_payload(ordered_headers), padding: false)
+
+      [jws_header_b64, payload_b64, signature_b64].join(".")
+    end
+
+    private def verify_signature(jws_header, full_signature)
+      case key_type
+      when :pem
+        public_key = OpenSSL::PKey.read(key_value)
+      when :jwks
+        public_key = retrieve_public_key(:jwks, key_value, jws_header)
+      end
+
+      jwt_options = { algorithm: TrueLayerSigning.algorithm }
+      JWT.truelayer_decode(full_signature, public_key, true, jwt_options)
+    end
+
+    private def retrieve_public_key(key_type, key_value, jws_header)
+      case key_type
+      when :pem
+        OpenSSL::PKey.read(key_value)
+      when :jwks
+        jwks_hash = JSON.parse(key_value, symbolize_names: true)
+        jwk = jwks_hash[:keys].find { |key| key[:kid] == jws_header.kid }
+
+        raise(Error, "JWKS does not include given `kid` value") unless jwk
+
+        valid_jwk = apply_zero_padding_as_needed(jwk)
+
+        JWT::JWK::EC.import(valid_jwk).public_key
+      else
+        raise(Error, "Type of public key not recognised")
+      end
+    end
+
+    private def apply_zero_padding_as_needed(jwk)
+      valid_jwk = jwk.clone
+
+      %i(x y).each do |elem|
+        coords = Base64.urlsafe_decode64(valid_jwk[elem])
+        length = coords.length
+        diff = EXPECTED_COORDS_LENGTH - length
+
+        valid_jwk[elem] = Base64.urlsafe_encode64(("\x00" * diff) + coords) if diff > 0
+      end
+
+      valid_jwk
+    end
+
     private def ensure_verifier_config!
       raise(Error, "Key value missing") unless key_value
     end

data/lib/truelayer-signing.rb

@@ -28,8 +28,16 @@ module TrueLayerSigning
       Signer.new
     end
 
+    def extract_jws_header(signature)
+      Verifier.parse_tl_signature(signature).first
+    end
+
+    def verify_with_jwks(jwks)
+      Verifier.new(key_type: :jwks, key_value: jwks)
+    end
+
     def verify_with_pem(pem)
-      Verifier.new(key_value: pem)
+      Verifier.new(key_type: :pem, key_value: pem)
     end
   end
 end

data/test/resources/missing-zero-padding-test-jwks.json

@@ -0,0 +1,19 @@
+{
+  "keys": [
+    {
+      "kty": "RSA",
+      "alg": "RS512",
+      "kid": "c9034c0f-bd06-4dd1-98fe-f67a5a1a0601",
+      "n": "yWTtfMrBLrVaMgUO2Oz83kMHbJX0aCSwkQ4gZoXruicEBfhWKSC4VV6WB3CZIBGfxGhJhSBFkFizdZzjSTQYIB-OIQcFR2FtP5tSSpK2K7d4-CvBs78_rOFyA4Vz4aoYLlJOWmFurMod27BmQe1UrDRm0SWJbE9L8TqtQYKDva0sWeQPuxj2Stv4BBf7Z5Zq8NyCAiW-TMmhV7silLT8eN7MLp6X_-BFoHgZSL26ECd5KkQxVE8kl9Cl-GelmcbT8CIM4LQ8vTSYB6ADHcAte24xtP3IUv5_K-gFaNucbC1i95X0Ha2UNx13uFfaBVOngwFyAnU7eFlZh_MJS_kCXw",
+      "e": "AQAB"
+    },
+    {
+      "kty": "EC",
+      "alg": "ES512",
+      "kid": "d3534b83-bdc7-4066-adb5-c8d4bf616601",
+      "crv": "P-521",
+      "x": "AQO9n3CGUtsvQEWivE7KTkbaqY-xxsa0EPhplLxj0Nak6dS400ug0VhMqgTXfyc3nV3UA7Mz7x5dDL13YyUtfiOq",
+      "y": "fRU9nhcoS3FUZD7UzBUt9AOOpShMlV8yXC3VXn0FTRB7ySDqZnr1th0ZYnt0uihMDKYKB0-TrptWg1hgA75aeiI"
+    }
+  ]
+}

data/test/resources/missing-zero-padding-test-payload.json

@@ -0,0 +1,22 @@
+{
+  "type": "payment_executed",
+  "event_version": 1,
+  "event_id": "2606ed6d-5c89-4bd9-8f95-40e42c95ca71",
+  "payment_id": "a62ba556-4b35-4628-9d8c-42302d2e5d02",
+  "payment_method": {
+    "type": "bank_transfer",
+    "provider_id": "mock-payments-gb-redirect",
+    "scheme_id": "faster_payments_service"
+  },
+  "executed_at": "2023-06-09T15:40:30.561Z",
+  "payment_source": {
+    "account_identifiers": [
+      {
+        "type": "sort_code_account_number",
+        "sort_code": "040668",
+        "account_number": "00000871"
+      }
+    ],
+    "account_holder_name": "JOHN SANDBRIDGE"
+  }
+}

data/test/resources/missing-zero-padding-test-signature.txt

@@ -0,0 +1 @@
+eyJhbGciOiJFUzUxMiIsImtpZCI6ImQzNTM0YjgzLWJkYzctNDA2Ni1hZGI1LWM4ZDRiZjYxNjYwMSIsInRsX3ZlcnNpb24iOiIyIiwidGxfaGVhZGVycyI6IngtdGwtd2ViaG9vay10aW1lc3RhbXAiLCJqa3UiOiJodHRwczovL3dlYmhvb2tzLnRydWVsYXllci1zYW5kYm94LmNvbS8ud2VsbC1rbm93bi9qd2tzIn0..AVKH1WQK4Z4tIF3I-gU1AkLI7o4Dk-ZpALG7rKuMPQdksVwzUVBa8zq3LdvV2SHNzlH50NhGVYi-j4nC8G23Qd5UAW8DCvMB1ynTBVE_3vKzbmbfh8Dg3TAPvZCdajQiDLrLJp5iiUtcRgML2EI_zt9SEAkpIaSxFU8DHnMm8CN3YEQT

data/test/test-truelayer-signing.rb

@@ -1,11 +1,13 @@
 require "minitest/autorun"
 require "truelayer-signing"
 
+def read_file(path)
+  File.read(File.expand_path(path, File.dirname(__FILE__)))
+end
+
 CERTIFICATE_ID = "45fc75cf-5649-4134-84b3-192c2c78e990".freeze
-PRIVATE_KEY = File.read(File.expand_path("../../test-resources/ec512-private.pem",
-                                         File.dirname(__FILE__))).freeze
-PUBLIC_KEY = File.read(File.expand_path("../../test-resources/ec512-public.pem",
-                                        File.dirname(__FILE__))).freeze
+PRIVATE_KEY = read_file("../../test-resources/ec512-private.pem").freeze
+PUBLIC_KEY = read_file("../../test-resources/ec512-public.pem").freeze
 
 TrueLayerSigning.certificate_id = CERTIFICATE_ID.freeze
 TrueLayerSigning.private_key = PRIVATE_KEY.freeze
@@ -59,6 +61,24 @@ class TrueLayerSigningTest < Minitest::Test
     refute(result.first.include?("\nIdempotency-Key: "))
   end
 
+  def test_full_request_signature_without_method_should_default_to_post_and_succeed
+    body = { currency: "GBP", max_amount_in_minor: 50_000_00 }.to_json
+    path = "/merchant_accounts/a61acaef-ee05-4077-92f3-25543a11bd8d/sweeping"
+
+    tl_signature = TrueLayerSigning.sign_with_pem
+      .set_path(path)
+      .set_body(body)
+      .sign
+
+    result = TrueLayerSigning.verify_with_pem(PUBLIC_KEY)
+      .set_path(path)
+      .set_body(body)
+      .verify(tl_signature)
+
+    assert(result.first
+      .start_with?("POST /merchant_accounts/a61acaef-ee05-4077-92f3-25543a11bd8d/sweeping\n"))
+  end
+
   def test_mismatched_signature_with_attached_valid_body_should_fail
     # Signature for `/bar` but with a valid jws-body pre-attached.
     # If we run a simple jws verify on this unchanged, it'll work!
@@ -101,8 +121,7 @@ class TrueLayerSigningTest < Minitest::Test
     body = { currency: "GBP", max_amount_in_minor: 50_000_00, name: "Foo???" }.to_json
     idempotency_key = "idemp-2076717c-9005-4811-a321-9e0787fa0382"
     path = "/merchant_accounts/a61acaef-ee05-4077-92f3-25543a11bd8d/sweeping"
-    tl_signature = File.read(File.expand_path("../../test-resources/tl-signature.txt",
-                                              File.dirname(__FILE__)))
+    tl_signature = read_file("../../test-resources/tl-signature.txt")
 
     result = TrueLayerSigning.verify_with_pem(PUBLIC_KEY)
       .set_method(:post)
@@ -370,6 +389,99 @@ class TrueLayerSigningTest < Minitest::Test
       .start_with?("POST /merchant_accounts/a61acaef-ee05-4077-92f3-25543a11bd8d/sweeping\n"))
   end
 
+  def test_extract_jws_header_should_succeed
+    hook_signature = read_file("../../test-resources/webhook-signature.txt")
+    jws_header = TrueLayerSigning.extract_jws_header(hook_signature)
+
+    assert_equal("ES512", jws_header.alg)
+    assert_equal(CERTIFICATE_ID, jws_header.kid)
+    assert_equal("2", jws_header.tl_version)
+    assert_equal("X-Tl-Webhook-Timestamp,Content-Type", jws_header.tl_headers)
+    assert_equal("https://webhooks.truelayer.com/.well-known/jwks", jws_header.jku)
+  end
+
+  def test_verify_with_jwks_should_succeed
+    hook_signature = read_file("../../test-resources/webhook-signature.txt")
+    jwks = read_file("../../test-resources/jwks.json")
+    body = { event_type: "example", event_id: "18b2842b-a57b-4887-a0a6-d3c7c36f1020" }.to_json
+
+    TrueLayerSigning.verify_with_jwks(jwks)
+      .set_method(:post)
+      .set_path("/tl-webhook")
+      .add_header("x-tl-webhook-timestamp", "2021-11-29T11:42:55Z")
+      .add_header("content-type", "application/json")
+      .set_body(body)
+      .verify(hook_signature)
+  end
+
+  def test_verify_with_jwks_with_zero_padding_missing_should_succeed
+    jwks = read_file("resources/missing-zero-padding-test-jwks.json")
+
+    # JWKS with EC key missing zero padded coords is not supported by `jwt` gem
+
+    jwks_as_json = JSON.parse(jwks, symbolize_names: true)
+    jwk_missing_padding = jwks_as_json[:keys].find { |e| e[:kty] == "EC" }
+    imported_jwk = JWT::JWK::EC.import(jwk_missing_padding)
+
+    error = assert_raises(OpenSSL::PKey::EC::Point::Error) { imported_jwk.public_key.check_key }
+    assert_equal("EC_POINT_bn2point: invalid encoding", error.message)
+
+    # But supported by `truelayer-signing` using zero padding (prepend)
+
+    payload = read_file("resources/missing-zero-padding-test-payload.json")
+    body = JSON.parse(payload).to_json
+
+    TrueLayerSigning.verify_with_jwks(jwks)
+      .set_method(:post)
+      .set_path("/a147f26a-f07e-47e3-9526-d52f1f1fdd55")
+      .add_header("x-tl-webhook-timestamp", "2023-06-09T15:40:30Z")
+      .set_body(body)
+      .verify(read_file("resources/missing-zero-padding-test-signature.txt"))
+  end
+
+  def test_verify_with_jwks_with_wrong_timestamp_should_fail
+    hook_signature = read_file("../../test-resources/webhook-signature.txt")
+    jwks = read_file("../../test-resources/jwks.json")
+    body = { event_type: "example", event_id: "18b2842b-a57b-4887-a0a6-d3c7c36f1020" }.to_json
+
+    verifier = TrueLayerSigning.verify_with_jwks(jwks)
+      .set_method(:post)
+      .set_path("/tl-webhook")
+      .add_header("x-tl-webhook-timestamp", "2021-12-29T11:42:55Z")
+      .add_header("content-type", "application/json")
+      .set_body(body)
+
+    error = assert_raises(TrueLayerSigning::Error) { verifier.verify(hook_signature) }
+    assert_equal("Signature verification failed", error.message)
+  end
+
+  def test_sign_with_pem_and_custom_jku_should_succeed
+    body = { currency: "GBP", max_amount_in_minor: 50_000_00 }.to_json
+    idempotency_key = "idemp-2076717c-9005-4811-a321-9e0787fa0382"
+    path = "/merchant_accounts/a61acaef-ee05-4077-92f3-25543a11bd8d/sweeping"
+
+    tl_signature_1 = TrueLayerSigning.sign_with_pem
+      .set_path(path)
+      .add_header("Idempotency-Key", idempotency_key)
+      .set_body(body)
+      .sign
+
+    jws_header_1 = TrueLayerSigning.extract_jws_header(tl_signature_1)
+
+    assert_nil(jws_header_1.jku)
+
+    tl_signature_2 = TrueLayerSigning.sign_with_pem
+      .set_path(path)
+      .add_header("Idempotency-Key", idempotency_key)
+      .set_body(body)
+      .set_jku("https://webhooks.truelayer.com/.well-known/jwks")
+      .sign
+
+    jws_header_2 = TrueLayerSigning.extract_jws_header(tl_signature_2)
+
+    assert_equal("https://webhooks.truelayer.com/.well-known/jwks", jws_header_2.jku)
+  end
+
   # TODO: remove if/when we get rid of `lib/truelayer-signing/jwt.rb`
   def test_jwt_encode_and_decode_should_succeed
     payload_object = { currency: "GBP", max_amount_in_minor: 50_000_00 }

data/truelayer-signing.gemspec

@@ -2,7 +2,7 @@ $LOAD_PATH.unshift(::File.join(::File.dirname(__FILE__), "lib"))
 
 Gem::Specification.new do |s|
   s.name = "truelayer-signing"
-  s.version = "0.1.2"
+  s.version = "0.2.0"
   s.summary = "Ruby gem to produce and verify TrueLayer API requests signatures"
   s.description = "TrueLayer provides instant access to open banking to " \
     "easily integrate next-generation payments and financial data into any app." \
@@ -21,5 +21,5 @@ Gem::Specification.new do |s|
   s.require_paths = ["lib"]
 
   s.required_ruby_version = ">= 2.7"
-  s.add_runtime_dependency("jwt",  "2.6")
+  s.add_runtime_dependency("jwt",  "~> 2.7")
 end

metadata

@@ -1,29 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: truelayer-signing
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.2.0
 platform: ruby
 authors:
 - Kevin Plattret
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-05-19 00:00:00.000000000 Z
+date: 2023-06-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.6'
+        version: '2.7'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.6'
+        version: '2.7'
 description: TrueLayer provides instant access to open banking to easily integrate
   next-generation payments and financial data into any app.This helps easily sign
   TrueLayer API requests using a JSON web signature.
@@ -37,76 +37,7 @@ files:
 - "./LICENSE-MIT"
 - "./README.md"
 - "./Rakefile"
-- "./doc/CHANGELOG_md.html"
-- "./doc/JWT.html"
-- "./doc/JWT/Decode.html"
-- "./doc/JWT/Encode.html"
-- "./doc/JWT/JWK.html"
-- "./doc/JWT/JWK/EC.html"
-- "./doc/LICENSE-APACHE.html"
-- "./doc/LICENSE-MIT.html"
-- "./doc/README_md.html"
-- "./doc/Rakefile.html"
-- "./doc/TrueLayerSigning.html"
-- "./doc/TrueLayerSigning/Config.html"
-- "./doc/TrueLayerSigning/Error.html"
-- "./doc/TrueLayerSigning/JwsBase.html"
-- "./doc/TrueLayerSigning/JwsHeader.html"
-- "./doc/TrueLayerSigning/Signer.html"
-- "./doc/TrueLayerSigning/Verifier.html"
-- "./doc/TrueLayerSigningExamples.html"
-- "./doc/created.rid"
-- "./doc/css/fonts.css"
-- "./doc/css/rdoc.css"
-- "./doc/examples/sign-request/Gemfile.html"
-- "./doc/examples/sign-request/Gemfile_lock.html"
-- "./doc/examples/sign-request/README_md.html"
-- "./doc/examples/webhook-server/Gemfile.html"
-- "./doc/examples/webhook-server/Gemfile_lock.html"
-- "./doc/examples/webhook-server/README_md.html"
-- "./doc/fonts/Lato-Light.ttf"
-- "./doc/fonts/Lato-LightItalic.ttf"
-- "./doc/fonts/Lato-Regular.ttf"
-- "./doc/fonts/Lato-RegularItalic.ttf"
-- "./doc/fonts/SourceCodePro-Bold.ttf"
-- "./doc/fonts/SourceCodePro-Regular.ttf"
-- "./doc/images/add.png"
-- "./doc/images/arrow_up.png"
-- "./doc/images/brick.png"
-- "./doc/images/brick_link.png"
-- "./doc/images/bug.png"
-- "./doc/images/bullet_black.png"
-- "./doc/images/bullet_toggle_minus.png"
-- "./doc/images/bullet_toggle_plus.png"
-- "./doc/images/date.png"
-- "./doc/images/delete.png"
-- "./doc/images/find.png"
-- "./doc/images/loadingAnimation.gif"
-- "./doc/images/macFFBgHack.png"
-- "./doc/images/package.png"
-- "./doc/images/page_green.png"
-- "./doc/images/page_white_text.png"
-- "./doc/images/page_white_width.png"
-- "./doc/images/plugin.png"
-- "./doc/images/ruby.png"
-- "./doc/images/tag_blue.png"
-- "./doc/images/tag_green.png"
-- "./doc/images/transparent.png"
-- "./doc/images/wrench.png"
-- "./doc/images/wrench_orange.png"
-- "./doc/images/zoom.png"
-- "./doc/index.html"
-- "./doc/js/darkfish.js"
-- "./doc/js/navigation.js"
-- "./doc/js/navigation.js.gz"
-- "./doc/js/search.js"
-- "./doc/js/search_index.js"
-- "./doc/js/search_index.js.gz"
-- "./doc/js/searcher.js"
-- "./doc/js/searcher.js.gz"
-- "./doc/table_of_contents.html"
 - "./examples/sign-request/Gemfile"
-- "./examples/sign-request/Gemfile.lock"
 - "./examples/sign-request/README.md"
 - "./examples/sign-request/main.rb"
 - "./examples/webhook-server/Gemfile"
@@ -120,6 +51,9 @@ files:
 - "./lib/truelayer-signing/signer.rb"
 - "./lib/truelayer-signing/utils.rb"
 - "./lib/truelayer-signing/verifier.rb"
+- "./test/resources/missing-zero-padding-test-jwks.json"
+- "./test/resources/missing-zero-padding-test-payload.json"
+- "./test/resources/missing-zero-padding-test-signature.txt"
 - "./test/test-truelayer-signing.rb"
 - "./truelayer-signing.gemspec"
 homepage: https://github.com/TrueLayer/truelayer-signing/tree/main/ruby