web-push 1.0.0 → 3.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a165b29c06bb5d9a9aab0b65de25bd913ef7926909773485e97f0778bda4299d
-  data.tar.gz: c3f9727392a4049e27ac6bf83718749d5110cd290fa37718ee5b988d2c9c16e3
+  metadata.gz: a688b354339ddf4f82d8febb54a2042bb432357dffd77a571c3c9212c107aa2f
+  data.tar.gz: 01060b2687a57217cafb2cf96b3925c6e2e39102daf6f796277d06d767ae6a0e
 SHA512:
-  metadata.gz: ca5db1201aa140ed1abe235d217183270b8b171d8b368ea7b5392c9cb04a2bf923c1c0e468788e1c2846dbd5c38bc32af53d427dbf307193ccaa00efbf6dd7d6
-  data.tar.gz: 8f179fd84cc0bd0f9e4899353d95af62e9e716552ae0bec86cdc7be2782056fcfb08b06a7efd3297e7468f1bb72ab6f5b16a29e31fc5ed0eb615117e790b8885
+  metadata.gz: 2386c18e4fef78c027b2a5dee6a1778dc82d43cf26dcf0468e83feb8ff972eca1b743c87d68612fffee8ea9feb05329bc4a06127599643de72d922b465aca776
+  data.tar.gz: b023139054b433c36d32d5a91465e8d0082231a6c7c2e8f0ff79825599457c28b57e51ffcabdf21e7fb03ab5e63a28750c00fddfea74204c3f8da640fd9ffe38

data/.github/workflows/ci.yml

@@ -0,0 +1,23 @@
+name: CI
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+jobs:
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-20.04, ubuntu-22.04]
+        ruby-version: ['3.0', '3.1', '3.2']
+    runs-on: ${{ matrix.os }}
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true
+    - name: Run tests
+      run: bundle exec rspec

data/.gitignore

@@ -1,10 +1,2 @@
-/.bundle/
-/.yardoc
 /Gemfile.lock
-/_yardoc/
-/coverage/
-/doc/
-/pkg/
-/spec/reports/
-/tmp/
-.idea/
+/coverage

data/README.md

@@ -1,45 +1,37 @@
 # WebPush
 
-[![Code Climate](https://codeclimate.com/github/zaru/webpush/badges/gpa.svg)](https://codeclimate.com/github/zaru/webpush)
-[![Test Coverage](https://codeclimate.com/github/zaru/webpush/badges/coverage.svg)](https://codeclimate.com/github/zaru/webpush/coverage)
-[![Build Status](https://travis-ci.org/zaru/webpush.svg?branch=master)](https://travis-ci.org/zaru/webpush)
-[![Gem Version](https://badge.fury.io/rb/webpush.svg)](https://badge.fury.io/rb/webpush)
+[![Gem Version](https://badge.fury.io/rb/web-push.svg)](https://badge.fury.io/rb/web-push)
+![Build Status](https://github.com/pushpad/web-push/workflows/CI/badge.svg)
 
-This gem makes it possible to send push messages to web browsers from Ruby backends using the [Web Push Protocol](https://tools.ietf.org/html/draft-ietf-webpush-protocol-10). It supports [Message Encryption for Web Push](https://tools.ietf.org/html/draft-ietf-webpush-encryption) to send messages securely from server to user agent.
+This gem makes it possible to send push messages to web browsers from Ruby backends using the [Web Push Protocol](https://datatracker.ietf.org/doc/html/rfc8030). It supports [Message Encryption for Web Push](https://datatracker.ietf.org/doc/html/rfc8291) and [VAPID](https://datatracker.ietf.org/doc/html/rfc8292).
 
-Payload is supported by Chrome 50+, Firefox 48+, Edge 79+.
-
-[webpush Demo app here (building by Sinatra app).](https://github.com/zaru/webpush_demo_ruby)
+**Note**: This is an open source gem for Web Push. If you want to send web push notifications from Ruby using Pushpad, you need to use another gem ([pushpad gem](https://github.com/pushpad/pushpad-ruby)).
 
 ## Installation
 
-Add this line to your application's Gemfile:
+Add this line to the Gemfile:
 
 ```ruby
 gem 'web-push'
 ```
 
-And then execute:
-
-    $ bundle
-
-Or install it yourself as:
+Or install the gem:
 
-    $ gem install web-push
+```console
+$ gem install web-push
+```
 
 ## Usage
 
 Sending a web push message to a visitor of your website requires a number of steps:
 
-1. Your server has (optionally) generated (one-time) a set of [Voluntary Application server Identification (VAPID)](https://tools.ietf.org/html/draft-ietf-webpush-vapid-01) keys. Otherwise, to send messages through Chrome, you have registered your site through the [Google Developer Console](https://console.developers.google.com/) and have obtained a GCM sender id and GCM API key from your app settings.
-2. A `manifest.json` file, linked from your user's page, identifies your app settings.
-3. Also in the user's web browser, a `serviceWorker` is installed and activated and its `pushManager` property is subscribed to push events with your VAPID public key, with creates a `subscription` JSON object on the client side.
-4. Your server uses the `web-push` gem to send a notification with the `subscription` obtained from the client and an optional payload (the message).
-5. Your service worker is set up to receive `'push'` events. To trigger a desktop notification, the user has accepted the prompt to receive notifications from your site.
+1. In the user's web browser, a `serviceWorker` is installed and activated and its `pushManager` property is subscribed to push events with your VAPID public key, which creates a `subscription` JSON object on the client side.
+2. Your server uses the `web-push` gem to send a notification with the `subscription` obtained from the client and an optional payload (the message).
+3. Your service worker is set up to receive `'push'` events. To trigger a desktop notification, the user has accepted the prompt to receive notifications from your site.
 
 ### Generating VAPID keys
 
-Use `web-push` to generate a VAPID key that has both a `public_key` and `private_key` attribute to be saved on the server side.
+Use `web-push` to generate a VAPID key pair (that has both a `public_key` and `private_key`) and save it on the server side.
 
 ```ruby
 # One-time, on the server
@@ -53,64 +45,25 @@ vapid_key.private_key
 vapid_key.to_pem
 ```
 
-### Declaring manifest.json
-
-Check out the [Web Manifest docs](https://developer.mozilla.org/en-US/docs/Web/Manifest) for details on what to include in your `manifest.json` file. If using VAPID, no app credentials are needed.
-
-```javascript
-{
-  "name": "My Website"
-}
-```
-For Chrome web push, add the GCM sender id to a `manifest.json`.
-
-```javascript
-{
-  "name": "My Website",
-  "gcm_sender_id": "1006629465533"
-}
-```
-
-The file is served within the scope of your service worker script, like at the root, and link to it somewhere in the `<head>` tag:
-
-```html
-<!-- index.html -->
-<link rel="manifest" href="/manifest.json" />
-```
-
 ### Installing a service worker
 
-Your application javascript must register a service worker script at an appropriate scope (we're sticking with the root).
+Your application must use JavaScript to register a service worker script at an appropriate scope (root is recommended).
 
 ```javascript
-// application.js
-// Register the serviceWorker script at /serviceworker.js from your server if supported
-if (navigator.serviceWorker) {
-  navigator.serviceWorker.register('/serviceworker.js')
-  .then(function(reg) {
-     console.log('Service worker change, registered the service worker');
-  });
-}
-// Otherwise, no push notifications :(
-else {
-  console.error('Service worker is not supported in this browser');
-}
+navigator.serviceWorker.register('/service-worker.js')
 ```
 
 ### Subscribing to push notifications
 
-#### With VAPID
-
-The VAPID public key you generated earlier is made available to the client as a `UInt8Array`. To do this, one way would be to expose the urlsafe-decoded bytes from Ruby to JavaScript when rendering the HTML template. (Global variables used here for simplicity).
+The VAPID public key you generated earlier is made available to the client as a `UInt8Array`. To do this, one way would be to expose the urlsafe-decoded bytes from Ruby to JavaScript when rendering the HTML template.
 
 ```javascript
 window.vapidPublicKey = new Uint8Array(<%= Base64.urlsafe_decode64(ENV['VAPID_PUBLIC_KEY']).bytes %>);
 ```
 
-Your application javascript uses the `navigator.serviceWorker.pushManager` to subscribe to push notifications, passing the VAPID public key to the subscription settings.
+Your JavaScript code uses the `pushManager` interface to subscribe to push notifications, passing the VAPID public key to the subscription settings.
 
 ```javascript
-// application.js
 // When serviceWorker is supported, installed, and activated,
 // subscribe the pushManager property with the vapidPublicKey
 navigator.serviceWorker.ready.then((serviceWorkerRegistration) => {
@@ -122,120 +75,49 @@ navigator.serviceWorker.ready.then((serviceWorkerRegistration) => {
 });
 ```
 
-#### Without VAPID
-
-If you will not be sending VAPID details, then there is no need generate VAPID keys, and the `applicationServerKey` parameter may be omitted from the `pushManager.subscribe` call.
-
-```javascript
-// application.js
-// When serviceWorker is supported, installed, and activated,
-// subscribe the pushManager property with the vapidPublicKey
-navigator.serviceWorker.ready.then((serviceWorkerRegistration) => {
-  serviceWorkerRegistration.pushManager
-  .subscribe({
-    userVisibleOnly: true
-  });
-});
-```
-
 ### Triggering a web push notification
 
-Hook into an client-side or backend event in your app to deliver a push message. The server must be made aware of the `subscription`. In the example below, we send the JSON generated subscription object to our backend at the "/push" endpoint with a message.
+In order to send web push notifications, the push subscription must be stored in the backend. Get the subscription with `pushManager.getSubscription()` and store it in your database.
 
-```javascript
-// application.js
-// Send the subscription and message from the client for the backend
-// to set up a push notification
-$(".web-push-button").on("click", (e) => {
-  navigator.serviceWorker.ready
-  .then((serviceWorkerRegistration) => {
-    serviceWorkerRegistration.pushManager.getSubscription()
-    .then((subscription) => {
-      $.post("/push", { subscription: subscription.toJSON(), message: "You clicked a button!" });
-    });
-  });
-});
-```
-
-Imagine a Ruby app endpoint that responds to the request by triggering notification through the `web-push` gem.
+Then you can use this gem to send web push messages:
 
 ```ruby
-# app.rb
-# Use the web-push gem API to deliver a push notiifcation merging
-# the message, subscription values, and vapid options
-post "/push" do
-  WebPush.payload_send(
-    message: params[:message],
-    endpoint: params[:subscription][:endpoint],
-    p256dh: params[:subscription][:keys][:p256dh],
-    auth: params[:subscription][:keys][:auth],
-    vapid: {
-      subject: "mailto:sender@example.com",
-      public_key: ENV['VAPID_PUBLIC_KEY'],
-      private_key: ENV['VAPID_PRIVATE_KEY']
-    },
-    ssl_timeout: 5, # value for Net::HTTP#ssl_timeout=, optional
-    open_timeout: 5, # value for Net::HTTP#open_timeout=, optional
-    read_timeout: 5 # value for Net::HTTP#read_timeout=, optional
-  )
-end
+WebPush.payload_send(
+  message: message,
+  endpoint: subscription['endpoint'],
+  p256dh: subscription['keys']['p256dh'],
+  auth: subscription['keys']['auth'],
+  vapid: {
+    subject: "mailto:sender@example.com",
+    public_key: ENV['VAPID_PUBLIC_KEY'],
+    private_key: ENV['VAPID_PRIVATE_KEY']
+  },
+  ssl_timeout: 5, # optional value for Net::HTTP#ssl_timeout=
+  open_timeout: 5, # optional value for Net::HTTP#open_timeout=
+  read_timeout: 5 # optional value for Net::HTTP#read_timeout=
+)
 ```
 
-Note: the VAPID options should be omitted if the client-side subscription was
-generated without the `applicationServerKey` parameter described earlier. You
-would instead pass the GCM api key along with the api request as shown in the
-Usage section below.
-
 ### Receiving the push event
 
-Your `/serviceworker.js` script may respond to `'push'` events. One action it can take is to trigger desktop notifications by calling `showNotification` on the `registration` property.
+Your `service-worker.js` script should respond to `'push'` events. One action it can take is to trigger desktop notifications by calling `showNotification` on the `registration` property.
 
 ```javascript
-// serviceworker.js
-// The serviceworker context can respond to 'push' events and trigger
-// notifications on the registration property
-self.addEventListener("push", (event) => {
-  let title = (event.data && event.data.text()) || "Yay a message";
-  let body = "We have received a push message";
-  let tag = "push-simple-demo-notification-tag";
-  let icon = '/assets/my-logo-120x120.png';
-
-  event.waitUntil(
-    self.registration.showNotification(title, { body, icon, tag })
-  )
+self.addEventListener('push', (event) => {
+  // Get the push message
+  var message = event.data;
+  // Display a notification
+  event.waitUntil(self.registration.showNotification('Example'));
 });
 ```
 
-Before the notifications can be displayed, the user must grant permission for [notifications](https://developer.mozilla.org/en-US/docs/Web/API/notification) in a browser prompt, using something like the example below.
+Before the notifications can be displayed, the user must grant permission for [notifications](https://developer.mozilla.org/en-US/docs/Web/API/notification) in a browser prompt. Use something like this in your JavaScript code:
 
 ```javascript
-// application.js
-
-// Let's check if the browser supports notifications
-if (!("Notification" in window)) {
-  console.error("This browser does not support desktop notification");
-}
-
-// Let's check whether notification permissions have already been granted
-else if (Notification.permission === "granted") {
-  console.log("Permission to receive notifications has been granted");
-}
-
-// Otherwise, we need to ask the user for permission
-else if (Notification.permission !== 'denied') {
-  Notification.requestPermission(function (permission) {
-    // If the user accepts, let's create a notification
-    if (permission === "granted") {
-      console.log("Permission to receive notifications has been granted");
-    }
-  });
-}
+Notification.requestPermission();
 ```
 
-If everything worked, you should see a desktop notification triggered via web
-push. Yay!
-
-Note: if you're using Rails, check out [serviceworker-rails](https://github.com/rossta/serviceworker-rails), a gem that makes it easier to host serviceworker scripts and manifest.json files at canonical endpoints (i.e., non-digested URLs) while taking advantage of the asset pipeline.
+If everything worked, you should see a desktop notification triggered via web push. Yay!
 
 ## API
 
@@ -243,9 +125,9 @@ Note: if you're using Rails, check out [serviceworker-rails](https://github.com/
 
 ```ruby
 message = {
-  title: "title",
-  body: "body",
-  icon: "http://example.com/icon.pn"
+  title: "Example",
+  body: "Hello, world!",
+  icon: "https://example.com/icon.png"
 }
 
 WebPush.payload_send(
@@ -298,59 +180,16 @@ WebPush.payload_send(
   p256dh: "BO/aG9nYXNkZmFkc2ZmZHNmYWRzZmFl...",
   auth: "aW1hcmthcmFpa3V6ZQ==",
   vapid: {
-    subject: "mailto:sender@example.com"
+    subject: "mailto:sender@example.com",
     pem: ENV['VAPID_KEYS']
   }
 )
 ```
 
-### With GCM api key
-
-```ruby
-WebPush.payload_send(
-  endpoint: "https://fcm.googleapis.com/gcm/send/eah7hak....",
-  message: "A message",
-  p256dh: "BO/aG9nYXNkZmFkc2ZmZHNmYWRzZmFl...",
-  auth: "aW1hcmthcmFpa3V6ZQ==",
-  api_key: "<GCM API KEY>"
-)
-```
-
-### ServiceWorker sample
-
-see. https://github.com/zaru/web-push-sample
-
-p256dh and auth generate sample code.
-
-```javascript
-navigator.serviceWorker.ready.then(function(sw) {
-  Notification.requestPermission(function(permission) {
-    if(permission !== 'denied') {
-      sw.pushManager.subscribe({userVisibleOnly: true}).then(function(s) {
-        var data = {
-          endpoint: s.endpoint,
-          p256dh: btoa(String.fromCharCode.apply(null, new Uint8Array(s.getKey('p256dh')))).replace(/\+/g, '-').replace(/\//g, '_'),
-          auth: btoa(String.fromCharCode.apply(null, new Uint8Array(s.getKey('auth')))).replace(/\+/g, '-').replace(/\//g, '_')
-        }
-        console.log(data);
-      });
-    }
-  });
-});
-```
+## Contributing
 
-payloads received sample code.
+Bug reports and pull requests are welcome on GitHub at https://github.com/pushpad/web-push.
 
-```javascript
-self.addEventListener("push", function(event) {
-  var json = event.data.json();
-  self.registration.showNotification(json.title, {
-    body: json.body,
-    icon: json.icon
-  });
-});
-```
-
-## Contributing
+## Credits
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/zaru/webpush.
+This library is a fork of [zaru/webpush](https://github.com/zaru/webpush) actively maintained by [Pushpad](https://pushpad.xyz) with many improvements, bug fixes and frequent updates.

data/lib/web_push/encryption.rb

@@ -4,15 +4,14 @@ module WebPush
   module Encryption
     extend self
 
-    # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
     def encrypt(message, p256dh, auth)
       assert_arguments(message, p256dh, auth)
 
       group_name = 'prime256v1'
+      hash = 'SHA256'
       salt = Random.new.bytes(16)
 
-      server = OpenSSL::PKey::EC.new(group_name)
-      server.generate_key
+      server = OpenSSL::PKey::EC.generate(group_name)
       server_public_key_bn = server.public_key.to_bn
 
       group = OpenSSL::PKey::EC::Group.new(group_name)
@@ -27,11 +26,11 @@ module WebPush
       content_encryption_key_info = "Content-Encoding: aes128gcm\0"
       nonce_info = "Content-Encoding: nonce\0"
 
-      prk = HKDF.new(shared_secret, salt: client_auth_token, algorithm: 'SHA256', info: info).next_bytes(32)
+      prk = OpenSSL::KDF.hkdf(shared_secret, salt: client_auth_token, info: info, hash: hash, length: 32)
 
-      content_encryption_key = HKDF.new(prk, salt: salt, info: content_encryption_key_info).next_bytes(16)
+      content_encryption_key = OpenSSL::KDF.hkdf(prk, salt: salt, info: content_encryption_key_info, hash: hash, length: 16)
 
-      nonce = HKDF.new(prk, salt: salt, info: nonce_info).next_bytes(12)
+      nonce = OpenSSL::KDF.hkdf(prk, salt: salt, info: nonce_info, hash: hash, length: 12)
 
       ciphertext = encrypt_payload(message, content_encryption_key, nonce)
 
@@ -43,7 +42,6 @@ module WebPush
 
       aes128gcmheader + ciphertext
     end
-    # rubocop:enable Metrics/AbcSize, Metrics/MethodLength
 
     private
 

data/lib/web_push/request.rb

@@ -1,25 +1,16 @@
 # frozen_string_literal: true
 
-require 'uri'
-require 'jwt'
-require 'base64'
-
 module WebPush
-  # It is temporary URL until supported by the GCM server.
-  GCM_URL = 'https://android.googleapis.com/gcm/send'.freeze
-  TEMP_GCM_URL = 'https://fcm.googleapis.com/fcm'.freeze
 
-  # rubocop:disable Metrics/ClassLength
   class Request
     def initialize(message: '', subscription:, vapid:, **options)
       endpoint = subscription.fetch(:endpoint)
-      @endpoint = endpoint.gsub(GCM_URL, TEMP_GCM_URL)
+      @endpoint = endpoint
       @payload = build_payload(message, subscription)
       @vapid_options = vapid
       @options = default_options.merge(options)
     end
 
-    # rubocop:disable Metrics/AbcSize
     def perform
       http = Net::HTTP.new(uri.host, uri.port, *proxy_options)
       http.use_ssl = true
@@ -35,7 +26,6 @@ module WebPush
 
       resp
     end
-    # rubocop:enable Metrics/AbcSize
 
     def proxy_options
       return [] unless @options[:proxy]
@@ -45,7 +35,6 @@ module WebPush
       [proxy_uri.host, proxy_uri.port, proxy_uri.user, proxy_uri.password]
     end
 
-    # rubocop:disable Metrics/MethodLength
     def headers
       headers = {}
       headers['Content-Type'] = 'application/octet-stream'
@@ -57,24 +46,18 @@ module WebPush
         headers["Content-Length"] = @payload.length.to_s
       end
 
-      if api_key?
-        headers['Authorization'] = "key=#{api_key}"
-      elsif vapid?
+      if vapid?
         headers["Authorization"] = build_vapid_header
       end
 
       headers
     end
-    # rubocop:enable Metrics/MethodLength
 
     def build_vapid_header
-      # https://tools.ietf.org/id/draft-ietf-webpush-vapid-03.html
-
       vapid_key = vapid_pem ? VapidKey.from_pem(vapid_pem) : VapidKey.from_keys(vapid_public_key, vapid_private_key)
       jwt = JWT.encode(jwt_payload, vapid_key.curve, 'ES256', jwt_header_fields)
       p256ecdsa = vapid_key.public_key_for_push_header
-
-       "vapid t=#{jwt},k=#{p256ecdsa}"
+      "vapid t=#{jwt},k=#{p256ecdsa}"
     end
 
     def body
@@ -112,11 +95,11 @@ module WebPush
     end
 
     def expiration
-      @vapid_options.fetch(:expiration, 24 * 60 * 60)
+      @vapid_options.fetch(:expiration, 12 * 60 * 60)
     end
 
     def subject
-      @vapid_options.fetch(:subject, 'sender@example.com')
+      @vapid_options.fetch(:subject, 'mailto:sender@example.com')
     end
 
     def vapid_public_key
@@ -148,14 +131,6 @@ module WebPush
       Encryption.encrypt(message, p256dh, auth)
     end
 
-    def api_key
-      @options.fetch(:api_key, nil)
-    end
-
-    def api_key?
-      !(api_key.nil? || api_key.empty?) && @endpoint =~ %r{\Ahttps://(android|gcm-http|fcm)\.googleapis\.com}
-    end
-
     def vapid?
       @vapid_options.any?
     end
@@ -164,7 +139,6 @@ module WebPush
       WebPush.encode64(bin).delete('=')
     end
 
-    # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity, Style/GuardClause
     def verify_response(resp)
       if resp.is_a?(Net::HTTPGone) # 410
         raise ExpiredSubscription.new(resp, uri.host)
@@ -183,7 +157,5 @@ module WebPush
         raise ResponseError.new(resp, uri.host)
       end
     end
-    # rubocop:enable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity, Style/GuardClause
   end
-  # rubocop:enable Metrics/ClassLength
 end

data/lib/web_push/vapid_key.rb

@@ -10,9 +10,7 @@ module WebPush
     # @return [WebPush::VapidKey] a VapidKey instance for the given public and private keys
     def self.from_keys(public_key, private_key)
       key = new
-      key.public_key = public_key
-      key.private_key = private_key
-
+      key.set_keys! public_key, private_key
       key
     end
 
@@ -20,19 +18,14 @@ module WebPush
     #
     # @return [WebPush::VapidKey] a VapidKey instance for the given public and private keys
     def self.from_pem(pem)
-      key = new
-      src = OpenSSL::PKey.read pem
-      key.curve.public_key = src.public_key
-      key.curve.private_key = src.private_key
-
-      key
+      new(OpenSSL::PKey.read(pem))
     end
 
     attr_reader :curve
 
-    def initialize
-      @curve = OpenSSL::PKey::EC.new('prime256v1')
-      @curve.generate_key
+    def initialize(pkey = nil)
+      @curve = pkey
+      @curve = OpenSSL::PKey::EC.generate('prime256v1') if @curve.nil?
     end
 
     # Retrieve the encoded elliptic curve public key for VAPID protocol
@@ -57,11 +50,37 @@ module WebPush
     end
 
     def public_key=(key)
-      curve.public_key = OpenSSL::PKey::EC::Point.new(group, to_big_num(key))
+      set_keys! key, nil
     end
 
     def private_key=(key)
-      curve.private_key = to_big_num(key)
+      set_keys! nil, key
+    end
+    
+    def set_keys!(public_key = nil, private_key = nil)
+      if public_key.nil?
+        public_key = curve.public_key
+      else
+        public_key = OpenSSL::PKey::EC::Point.new(group, to_big_num(public_key))
+      end
+
+      if private_key.nil?
+        private_key = curve.private_key
+      else
+        private_key = to_big_num(private_key)
+      end
+
+      asn1 = OpenSSL::ASN1::Sequence([
+        OpenSSL::ASN1::Integer.new(1),
+        # Not properly padded but OpenSSL doesn't mind
+        OpenSSL::ASN1::OctetString(private_key.to_s(2)),
+        OpenSSL::ASN1::ObjectId('prime256v1', 0, :EXPLICIT),
+        OpenSSL::ASN1::BitString(public_key.to_octet_string(:uncompressed), 1, :EXPLICIT),
+      ])
+
+      der = asn1.to_der
+
+      @curve = OpenSSL::PKey::EC.new(der)
     end
 
     def curve_name
@@ -78,10 +97,15 @@ module WebPush
     alias to_hash to_h
 
     def to_pem
-      public_key = OpenSSL::PKey::EC.new curve
-      public_key.private_key = nil
+      private_key_to_pem + public_key_to_pem
+    end
+
+    def private_key_to_pem
+      curve.to_pem
+    end
 
-      curve.to_pem + public_key.to_pem
+    def public_key_to_pem
+      curve.public_to_pem
     end
 
     def inspect

data/lib/web_push/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WebPush
-  VERSION = '1.0.0'.freeze
+  VERSION = '3.0.1'.freeze
 end