Hello community, here is the log from the commit of package rubygem-json-jwt for openSUSE:Factory checked in at 2018-02-26 23:25:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-json-jwt (Old) and /work/SRC/openSUSE:Factory/.rubygem-json-jwt.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-json-jwt" Mon Feb 26 23:25:44 2018 rev:2 rq:580039 version:1.9.1 Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-json-jwt/rubygem-json-jwt.changes 2018-01-10 23:31:49.877418074 +0100 +++ /work/SRC/openSUSE:Factory/.rubygem-json-jwt.new/rubygem-json-jwt.changes 2018-02-26 23:25:45.289033241 +0100 @@ -1,0 +2,12 @@ +Sat Feb 24 05:29:31 UTC 2018 - [email protected] + +- updated to version 1.9.1 + no changelog found + +------------------------------------------------------------------- +Fri Feb 23 05:30:12 UTC 2018 - [email protected] + +- updated to version 1.9.0 + no changelog found + +------------------------------------------------------------------- Old: ---- json-jwt-1.8.3.gem New: ---- json-jwt-1.9.1.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-json-jwt.spec ++++++ --- /var/tmp/diff_new_pack.P84zyF/_old 2018-02-26 23:25:46.240999003 +0100 +++ /var/tmp/diff_new_pack.P84zyF/_new 2018-02-26 23:25:46.240999003 +0100 @@ -1,7 +1,7 @@ # # spec file for package rubygem-json-jwt # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -24,14 +24,14 @@ # Name: rubygem-json-jwt -Version: 1.8.3 +Version: 1.9.1 Release: 0 %define mod_name json-jwt %define mod_full_name %{mod_name}-%{version} BuildRoot: %{_tmppath}/%{name}-%{version}-build -BuildRequires: ruby-macros >= 5 -BuildRequires: %{ruby} BuildRequires: %{rubygem gem2rpm} +BuildRequires: %{ruby} +BuildRequires: ruby-macros >= 5 Url: https://github.com/nov/json-jwt Source: https://rubygems.org/gems/%{mod_full_name}.gem Source1: gem2rpm.yml ++++++ json-jwt-1.8.3.gem -> json-jwt-1.9.1.gem ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.travis.yml new/.travis.yml --- old/.travis.yml 2017-12-05 03:25:58.000000000 +0100 +++ new/.travis.yml 2018-02-23 14:35:33.000000000 +0100 @@ -3,10 +3,9 @@ - git submodule update --init --recursive rvm: - - 2.2.2 # NOTE: 2.2.1 or lower aren't supported by activesupport 5.0, CI isn't needed for such legacy versions. - - 2.2.6 - - 2.3.3 - - 2.4.1 + - 2.3.6 + - 2.4.3 + - 2.5.0 jdk: - oraclejdk8 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/VERSION new/VERSION --- old/VERSION 2017-12-05 03:25:58.000000000 +0100 +++ new/VERSION 2018-02-23 14:35:33.000000000 +0100 @@ -1 +1 @@ -1.8.3 +1.9.1 \ No newline at end of file Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/json-jwt.gemspec new/json-jwt.gemspec --- old/json-jwt.gemspec 2017-12-05 03:25:58.000000000 +0100 +++ new/json-jwt.gemspec 2018-02-23 14:35:33.000000000 +0100 
@@ -19,4 +19,4 @@ gem.add_development_dependency 'simplecov' gem.add_development_dependency 'rspec' gem.add_development_dependency 'rspec-its' -end \ No newline at end of file +end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/json/jws.rb new/lib/json/jws.rb --- old/lib/json/jws.rb 2017-12-05 03:25:58.000000000 +0100 +++ new/lib/json/jws.rb 2018-02-23 14:35:33.000000000 +0100 @@ -13,6 +13,7 @@ end def sign!(private_key_or_secret) + self.alg = autodetected_algorithm_from(private_key_or_secret) if algorithm == :autodetect self.signature = sign signature_base_string, private_key_or_secret self end @@ -68,6 +69,28 @@ [:ES256, :ES384, :ES512].include? algorithm.try(:to_sym) end + def autodetected_algorithm_from(private_key_or_secret) + case private_key_or_secret + when String + :HS256 + when OpenSSL::PKey::RSA + :RS256 + when OpenSSL::PKey::EC + case private_key_or_secret.group.curve_name + when 'prime256v1' + :ES256 + when 'secp384r1' + :ES384 + when 'secp521r1' + :ES512 + else + raise UnknownAlgorithm.new('Unknown EC Curve') + end + else + raise UnexpectedAlgorithm.new('Signature algorithm auto-detection failed') + end + end + def signature_base_string @signature_base_string ||= [ header.to_json, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/json/jwt.rb new/lib/json/jwt.rb --- old/lib/json/jwt.rb 2017-12-05 03:25:58.000000000 +0100 +++ new/lib/json/jwt.rb 2018-02-23 14:35:33.000000000 +0100 
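Review bot: `alg` holds the placeholder `:autodetect` from the moment `jws.alg = algorithm` is assigned in `JWT#sign` (jwt.rb hunk below) until the new first line of `sign!` replaces it, so any code that reads `alg` or serializes the header of a not-yet-signed JWS sees a value that is not a JWA algorithm name; whether such a read can happen depends on code outside this hunk. A short comment on the added line would save the next reader the hunt: `# :autodetect is a placeholder set by JWT#sign; the concrete alg is only known once the key is seen here.` The `if algorithm == :autodetect` guard also means an explicitly requested alg is never overridden by the key type, which is the right precedence and worth stating in the same comment.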
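Review bot: The `case` has no branch for `JSON::JWK`, yet `JWT#sign` (jwt.rb hunk below) explicitly accepts one and, as far as this diff shows, hands it on unchanged; where the old code mapped every non-String key to `:RS256`, a JWK now falls through to `raise UnexpectedAlgorithm.new('Signature algorithm auto-detection failed')`, which reads as a regression for JWK callers — convert the JWK to its underlying OpenSSL key before the `case` if the JWK class provides that. The `when String` → `:HS256` rule also deserves the rationale that this commit deletes from jwt.rb, because it means a PEM-encoded key passed as a String is MAC'd with the PEM text rather than used as an RSA/EC key: `# A String is always an HMAC secret (legacy HS256 default), never parsed as a PEM key; pass an OpenSSL::PKey for RSA/EC.` Style: `raise UnknownAlgorithm, 'Unknown EC Curve'` and `raise UnexpectedAlgorithm, 'Signature algorithm auto-detection failed'` are the idiomatic forms of the two `raise X.new(...)` lines.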
@@ -26,13 +26,6 @@ end def sign(private_key_or_secret, algorithm = :autodetect) - if algorithm == :autodetect - # NOTE: - # I'd like to make :RS256 default. - # However, by histrical reasons, :HS256 was default. - # This code is needed to keep legacy behavior. - algorithm = private_key_or_secret.is_a?(String) ? :HS256 : :RS256 - end jws = JWS.new self jws.kid ||= private_key_or_secret[:kid] if private_key_or_secret.is_a? JSON::JWK jws.alg = algorithm diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 2017-12-05 03:25:58.000000000 +0100 +++ new/metadata 2018-02-23 14:35:33.000000000 +0100 @@ -1,14 +1,14 @@ --- !ruby/object:Gem::Specification name: json-jwt version: !ruby/object:Gem::Version - version: 1.8.3 + version: 1.9.1 platform: ruby authors: - nov matake autorequire: bindir: bin cert_chain: [] -date: 2017-12-05 00:00:00.000000000 Z +date: 2018-02-23 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: url_safe_base64 @@ -188,7 +188,7 @@ version: '0' requirements: [] rubyforge_project: -rubygems_version: 2.6.13 +rubygems_version: 2.6.11 signing_key: specification_version: 4 summary: JSON Web Token and its family (JSON Web Signature, JSON Web Encryption and diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/spec/json/jwt_spec.rb new/spec/json/jwt_spec.rb --- old/spec/json/jwt_spec.rb 2017-12-05 03:25:58.000000000 +0100 +++ new/spec/json/jwt_spec.rb 2018-02-23 14:35:33.000000000 +0100 
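Review bot: The deleted NOTE was the only place recording why a String secret defaults to HS256 rather than RS256, and nothing in this commit carries that rationale over to the new `JWS#autodetected_algorithm_from`; a one-line comment on the surviving `jws.alg = algorithm` line keeps it discoverable, e.g. `# :autodetect is resolved in JWS#sign! from the key type (String → HS256 for legacy compatibility, RSA → RS256, EC → ES256/384/512).` `sign` continues past the end of this hunk, so whether `sign!` is the very next call on `jws` — and therefore how long the `:autodetect` placeholder is visible — cannot be checked here.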
@@ -56,10 +56,27 @@ its(:alg) { should == :HS256 } end - context 'otherwise' do + context 'when key is RSA key' do let(:key) { private_key } its(:alg) { should == :RS256 } end + + context 'when key is EC key' do + context 'when prime256v1' do + let(:key) { private_key(:ecdsa) } + its(:alg) { should == :ES256 } + end + + context 'when secp384r1' do + let(:key) { private_key(:ecdsa, digest_length: 384) } + its(:alg) { should == :ES384 } + end + + context 'when secp521r1' do + let(:key) { private_key(:ecdsa, digest_length: 512) } + its(:alg) { should == :ES512 } + end + end end context 'when non-JWK key is given' do @@ -191,7 +208,7 @@ ].join('.') end - it 'should do verification' do + it do expect do JSON::JWT.decode malformed_jwt_string, 'secret' end.to raise_error JSON::JWT::VerificationFailed @@ -215,7 +232,7 @@ ].join('.') end - it 'should fail verification' do + it do expect do JSON::JWT.decode malformed_jwt_string, public_key end.to raise_error JSON::JWT::UnexpectedAlgorithm @@ -229,7 +246,7 @@ malformed_signature = OpenSSL::HMAC.digest( OpenSSL::Digest.new('SHA256'), public_key.to_s, - [malformed_header, payload].join('.') + [UrlSafeBase64.encode64(malformed_header), payload].join('.') ) [ UrlSafeBase64.encode64(malformed_header), 
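Review bot: The new auto-detection examples cover only the happy paths (String, RSA, the three NIST curves); the two `raise` branches added to jws.rb — an EC key on any other curve (`'Unknown EC Curve'`) and a key object that is none of String/RSA/EC (`'Signature algorithm auto-detection failed'`) — have no example, and neither does a `JSON::JWK` passed to `sign` with the default `:autodetect`, which `JWT#sign` visibly accepts. One example per branch, along the lines of `it { expect { jwt.sign(ec_key_on_secp256k1) }.to raise_error(UnknownAlgorithm) }` with whichever namespace that constant resolves to, would pin the error classes the library now exposes. `private_key(:ecdsa, digest_length: 384)` comes from a fixture helper outside this diff, so the digest-length-to-curve mapping these contexts rely on cannot be confirmed here.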
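Review bot: This fixture change is more than cosmetic: the old HMAC was computed over the raw JSON header, so the forged HS256 signature could never have verified and the example passed whether or not the key-confusion check existed; with `[UrlSafeBase64.encode64(malformed_header), payload].join('.')` the MAC is over the real signing input, so the `JSON::JWS::UnexpectedAlgorithm` expectation now actually proves that a valid MAC keyed with `public_key.to_s` is rejected when `decode` is given an RSA public key. A comment on the example would stop a later edit from "simplifying" it back: `# Genuine HS256 MAC keyed with the public-key PEM — must still be rejected (RSA→HMAC alg confusion).` The rename to a bare `it do` loses the 'should fail verification' description; a string naming the attack being tested is more useful in failure output than none.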
@@ -238,13 +255,93 @@ ].join('.') end - it 'should fail verification' do + it do expect do JSON::JWT.decode malformed_jwt_string, public_key end.to raise_error JSON::JWS::UnexpectedAlgorithm end end end + + context 'from alg=PS512' do + let(:jws) do + jwt.sign private_key, :PS512 + end + + if pss_supported? + context 'to alg=PS256' do + let(:malformed_jwt_string) do + header, payload, signature = jws.to_s.split('.') + malformed_header = {alg: :PS256}.to_json + digest = OpenSSL::Digest.new('SHA256') + malformed_signature = private_key.sign_pss( + digest, + [UrlSafeBase64.encode64(malformed_header), payload].join('.'), + salt_length: :digest, + mgf1_hash: digest + ) + [ + UrlSafeBase64.encode64(malformed_header), + payload, + UrlSafeBase64.encode64(malformed_signature) + ].join('.') + end + + context 'when verification algorithm is specified' do + it do + expect do + JSON::JWT.decode malformed_jwt_string, public_key, :PS512 + end.to raise_error JSON::JWS::UnexpectedAlgorithm, 'Unexpected alg header' + end + end + + context 'otherwise' do + it do + expect do + JSON::JWT.decode malformed_jwt_string, public_key + end.not_to raise_error + end + end + end + + context 'to alg=RS516' do + let(:malformed_jwt_string) do + header, payload, signature = jws.to_s.split('.') + malformed_header = {alg: :RS512}.to_json + malformed_signature = private_key.sign( + OpenSSL::Digest.new('SHA512'), + [UrlSafeBase64.encode64(malformed_header), payload].join('.') + ) + [ + UrlSafeBase64.encode64(malformed_header), + payload, + UrlSafeBase64.encode64(malformed_signature) + ].join('.') + end + + context 'when verification algorithm is specified' do + it do + expect do + JSON::JWT.decode malformed_jwt_string, public_key, :PS512 + end.to raise_error JSON::JWS::UnexpectedAlgorithm, 'Unexpected alg header' + end + end + + context 'otherwise' do + it do + expect do + JSON::JWT.decode malformed_jwt_string, public_key + end.not_to raise_error + end + end + end + else + skip 'RSA PSS not supported' + 
it do + expect { jws }.to raise_error 'PS512 isn\'t supported. OpenSSL gem v2.1.0+ is required to use PS512.' + end + end + end end context 'when :skip_verification given as secret/key' do @@ -320,6 +417,32 @@ end.not_to raise_error end end + + context 'when alg & enc is specified' do + context 'when expected' do + it do + expect do + JSON::JWT.decode(input, private_key, 'RSA1_5', 'A128CBC-HS256') + end.not_to raise_error + end + end + + context 'when alg is unexpected' do + it do + expect do + JSON::JWT.decode(input, private_key, 'dir', 'A128CBC-HS256') + end.to raise_error JSON::JWE::UnexpectedAlgorithm, 'Unexpected alg header' + end + end + + context 'when enc is unexpected' do + it do + expect do + JSON::JWT.decode(input, private_key, 'RSA1_5', 'A128GCM') + end.to raise_error JSON::JWE::UnexpectedAlgorithm, 'Unexpected enc header' + end + end + end end context 'when JSON parse failed' do @@ -348,4 +471,26 @@ end end end + + describe '.pretty_generate' do + subject { JSON::JWT.pretty_generate jws.to_s } + its(:size) { should == 2 } + its(:first) do + should == <<~HEADER.chop + { + "typ": "JWT", + "alg": "HS256" + } + HEADER + end + its(:last) do + should == <<~HEADER.chop + { + "iss": "joe", + "exp": 1300819380, + "http://example.com/is_root": true + } + HEADER + end + end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/spec/spec_helper.rb new/spec/spec_helper.rb --- old/spec/spec_helper.rb 2017-12-05 03:25:58.000000000 +0100 +++ new/spec/spec_helper.rb 2018-02-23 14:35:33.000000000 +0100 @@ -20,5 +20,9 @@ end end +def pss_supported? + OpenSSL::VERSION >= '2.1.0' +end + require 'helpers/sign_key_fixture_helper' require 'helpers/nimbus_spec_helper'
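Review bot: The two `'otherwise'` examples pin the behaviour that `JSON::JWT.decode(token, public_key)` with no expected algorithm accepts whichever of PS256 or RS512 the token header declares, as long as the signature verifies under the same RSA key; that is harmless in the spec only because the token is re-signed with the private key, and it is a reminder that a verifier relying on auto-detection lets the token pick the algorithm within the key family — production call sites should pass the expected alg, as the `'when verification algorithm is specified'` examples do, and a comment on the `'otherwise'` contexts saying so would keep that from being read as an endorsement. The context label `'to alg=RS516'` is a typo for the `{alg: :RS512}` header it builds — `context 'to alg=RS512' do`. In the `else` branch, `skip 'RSA PSS not supported'` at group level defines a skipped example rather than skipping the group, so the `it` below it still runs on old OpenSSL; if that is intended as a visible marker, say so in a comment, otherwise drop it.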
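Review bot: `OpenSSL::VERSION >= '2.1.0'` compares version strings lexicographically, so `pss_supported?` is right for the versions on the current CI matrix only by accident — a two-digit major such as `'10.0.0'` sorts below `'2.1.0'` and would silently disable the PSS examples; use `Gem::Version.new(OpenSSL::VERSION) >= Gem::Version.new('2.1.0')`. A one-line comment on why 2.1.0 is the cutoff, matching the 'OpenSSL gem v2.1.0+ is required to use PS512' message asserted in jwt_spec, would help whoever bumps it later.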
