New upstream version 1.9.4

parent bec1cea6
......@@ -3,10 +3,9 @@ before_install:
- git submodule update --init --recursive
rvm:
- 2.2.2 # NOTE: 2.2.1 or lower aren't supported by activesupport 5.0, CI isn't needed for such legacy versions.
- 2.2.6
- 2.3.3
- 2.4.1
- 2.3.6
- 2.4.3
- 2.5.0
jdk:
- oraclejdk8
1.7.2
1.9.4
\ No newline at end of file
Gem::Specification.new do |gem|
gem.name = "json-jwt"
gem.version = File.read("VERSION")
gem.authors = ["nov matake"]
gem.email = ["nov@matake.jp"]
gem.homepage = "https://github.com/nov/json-jwt"
gem.name = 'json-jwt'
gem.version = File.read('VERSION')
gem.authors = ['nov matake']
gem.email = ['nov@matake.jp']
gem.homepage = 'https://github.com/nov/json-jwt'
gem.summary = %q{JSON Web Token and its family (JSON Web Signature, JSON Web Encryption and JSON Web Key) in Ruby}
gem.description = %q{JSON Web Token and its family (JSON Web Signature, JSON Web Encryption and JSON Web Key) in Ruby}
gem.license = 'MIT'
gem.files = `git ls-files`.split("\n")
gem.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
gem.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
gem.require_paths = ["lib"]
gem.add_runtime_dependency "multi_json", ">= 1.3"
gem.add_runtime_dependency "url_safe_base64"
gem.add_runtime_dependency "activesupport"
gem.add_runtime_dependency "bindata"
gem.add_runtime_dependency "securecompare"
gem.add_development_dependency "rake", ">= 0.8"
gem.add_development_dependency "simplecov"
gem.add_development_dependency "rspec"
gem.require_paths = ['lib']
gem.add_runtime_dependency 'activesupport'
gem.add_runtime_dependency 'bindata'
gem.add_runtime_dependency 'aes_key_wrap'
gem.add_development_dependency 'rake'
gem.add_development_dependency 'simplecov'
gem.add_development_dependency 'rspec'
gem.add_development_dependency 'rspec-its'
end
\ No newline at end of file
end
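Review bot: The rewritten gemspec declares no `required_ruby_version`, although the rest of this commit calls `Base64.urlsafe_encode64(..., padding: false)`, a keyword Ruby's Base64 only gained in 2.3, so an install on an older interpreter would succeed and then fail at runtime with `ArgumentError`. Adding `gem.required_ruby_version = '>= 2.3'` makes that floor explicit and matches the CI matrix change in this commit. The runtime dependencies, including the newly added `aes_key_wrap` that now performs key wrapping, carry no version constraint at all. A pessimistic constraint (`'~> <VERSION_YOU_AUDITED>'`) on at least that one would stop an unreviewed major release from being pulled into the crypto path.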
require 'securecompare'
require 'active_support/security_utils'
module JSON
module JOSE
......@@ -6,7 +6,6 @@ module JSON
included do
extend ClassMethods
include SecureCompare
register_header_keys :alg, :jku, :jwk, :x5u, :x5t, :x5c, :kid, :typ, :cty, :crit
alias_method :algorithm, :alg
......@@ -33,6 +32,18 @@ module JSON
end
end
def secure_compare(a, b)
if ActiveSupport::SecurityUtils.respond_to?(:fixed_length_secure_compare)
begin
ActiveSupport::SecurityUtils.fixed_length_secure_compare(a, b)
rescue ArgumentError
false
end
else
ActiveSupport::SecurityUtils.secure_compare(a, b)
end
end
module ClassMethods
def register_header_keys(*keys)
keys.each do |header_key|
......@@ -45,15 +56,15 @@ module JSON
end
end
def decode(input, key_or_secret = nil)
def decode(input, key_or_secret = nil, algorithms = nil, encryption_methods = nil)
if input.is_a? Hash
decode_json_serialized input, key_or_secret
decode_json_serialized input, key_or_secret, algorithms, encryption_methods
else
decode_compact_serialized input, key_or_secret
decode_compact_serialized input, key_or_secret, algorithms, encryption_methods
end
rescue MultiJson::DecodeError
rescue JSON::ParserError, ArgumentError
raise JWT::InvalidFormat.new("Invalid JSON Format")
end
end
end
end
\ No newline at end of file
end
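Review bot: The new `algorithms` and `encryption_methods` parameters of `decode` default to `nil`, and the checks they feed (`verify!` in jws.rb and `decrypt!` in jwe.rb) treat a blank list as "accept whatever the header says", so every existing two-argument caller keeps trusting the token's own `alg`. Because the signature has to stay backward-compatible, the minimum is a comment above `decode`, for example `# SECURITY: pass algorithms (and encryption_methods for JWE) to pin what a token may claim; nil accepts any supported alg.` The two checks also compare differently: `verify!` tests `alg.try(:to_sym)` while `decrypt!` tests the raw `alg`, which after `JSON.parse` is presumably a String. A caller passing symbols would therefore get different results for JWS and JWE, so normalising both sides in one place would avoid that.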
require 'securerandom'
require 'bindata'
require 'aes_key_wrap'
module JSON
class JWE
......@@ -31,13 +32,15 @@ module JSON
self.mac_key, self.encryption_key = derive_encryption_and_mac_keys
cipher.key = encryption_key
self.iv = cipher.random_iv # NOTE: 'iv' has to be set after 'key' for GCM
self.auth_data = UrlSafeBase64.encode64 header.to_json
self.auth_data = Base64.urlsafe_encode64 header.to_json, padding: false
cipher.auth_data = auth_data if gcm?
self.cipher_text = cipher.update(plain_text) + cipher.final
self
end
def decrypt!(private_key_or_secret)
def decrypt!(private_key_or_secret, algorithms = nil, encryption_methods = nil)
raise UnexpectedAlgorithm.new('Unexpected alg header') unless algorithms.blank? || Array(algorithms).include?(alg)
raise UnexpectedAlgorithm.new('Unexpected enc header') unless encryption_methods.blank? || Array(encryption_methods).include?(enc)
self.private_key_or_secret = with_jwk_support private_key_or_secret
cipher.decrypt
self.content_encryption_key = decrypt_content_encryption_key
......@@ -45,6 +48,8 @@ module JSON
cipher.key = encryption_key
cipher.iv = iv # NOTE: 'iv' has to be set after 'key' for GCM
if gcm?
# https://github.com/ruby/openssl/issues/63
raise DecryptionFailed.new('Invalid authentication tag') if authentication_tag.length < 16
cipher.auth_tag = authentication_tag
cipher.auth_data = auth_data
end
......@@ -61,7 +66,7 @@ module JSON
cipher_text,
authentication_tag
].collect do |segment|
UrlSafeBase64.encode64 segment.to_s
Base64.urlsafe_encode64 segment.to_s, padding: false
end.join('.')
end
......@@ -69,21 +74,21 @@ module JSON
case options[:syntax]
when :general
{
protected: UrlSafeBase64.encode64(header.to_json),
protected: Base64.urlsafe_encode64(header.to_json, padding: false),
recipients: [{
encrypted_key: UrlSafeBase64.encode64(jwe_encrypted_key)
encrypted_key: Base64.urlsafe_encode64(jwe_encrypted_key, padding: false)
}],
iv: UrlSafeBase64.encode64(iv),
ciphertext: UrlSafeBase64.encode64(cipher_text),
tag: UrlSafeBase64.encode64(authentication_tag)
iv: Base64.urlsafe_encode64(iv, padding: false),
ciphertext: Base64.urlsafe_encode64(cipher_text, padding: false),
tag: Base64.urlsafe_encode64(authentication_tag, padding: false)
}
else
{
protected: UrlSafeBase64.encode64(header.to_json),
encrypted_key: UrlSafeBase64.encode64(jwe_encrypted_key),
iv: UrlSafeBase64.encode64(iv),
ciphertext: UrlSafeBase64.encode64(cipher_text),
tag: UrlSafeBase64.encode64(authentication_tag)
protected: Base64.urlsafe_encode64(header.to_json, padding: false),
encrypted_key: Base64.urlsafe_encode64(jwe_encrypted_key, padding: false),
iv: Base64.urlsafe_encode64(iv, padding: false),
ciphertext: Base64.urlsafe_encode64(cipher_text, padding: false),
tag: Base64.urlsafe_encode64(authentication_tag, padding: false)
}
end
end
......@@ -92,10 +97,6 @@ module JSON
# common
def gcm_supported?
RUBY_VERSION >= '2.0.0' && OpenSSL::OPENSSL_VERSION >= 'OpenSSL 1.0.1'
end
def gcm?
[:A128GCM, :A256GCM].include? encryption_method.try(:to_sym)
end
......@@ -109,11 +110,8 @@ module JSON
end
def cipher
@cipher ||= if gcm? && !gcm_supported?
raise UnexpectedAlgorithm.new('AEC GCM requires Ruby 2.0+ and OpenSSL 1.0.1c+')
else
OpenSSL::Cipher.new cipher_name
end
raise "#{cipher_name} isn't supported" unless OpenSSL::Cipher.ciphers.include?(cipher_name)
@cipher ||= OpenSSL::Cipher.new cipher_name
end
def cipher_name
......@@ -165,10 +163,8 @@ module JSON
public_key_or_secret.public_encrypt content_encryption_key
when :'RSA-OAEP'
public_key_or_secret.public_encrypt content_encryption_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
when :A128KW
raise NotImplementedError.new('A128KW not supported yet')
when :A256KW
raise NotImplementedError.new('A256KW not supported yet')
when :A128KW, :A256KW
AESKeyWrap.wrap content_encryption_key, public_key_or_secret
when :dir
''
when :'ECDH-ES'
......@@ -219,10 +215,8 @@ module JSON
private_key_or_secret.private_decrypt jwe_encrypted_key
when :'RSA-OAEP'
private_key_or_secret.private_decrypt jwe_encrypted_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
when :A128KW
raise NotImplementedError.new('A128KW not supported yet')
when :A256KW
raise NotImplementedError.new('A256KW not supported yet')
when :A128KW, :A256KW
AESKeyWrap.unwrap jwe_encrypted_key, private_key_or_secret
when :dir
private_key_or_secret
when :'ECDH-ES'
......@@ -254,21 +248,27 @@ module JSON
end
class << self
def decode_compact_serialized(input, private_key_or_secret)
def decode_compact_serialized(input, private_key_or_secret, algorithms = nil, encryption_methods = nil)
unless input.count('.') + 1 == NUM_OF_SEGMENTS
raise InvalidFormat.new("Invalid JWE Format. JWE should include #{NUM_OF_SEGMENTS} segments.")
end
jwe = new
_header_json_, jwe.jwe_encrypted_key, jwe.iv, jwe.cipher_text, jwe.authentication_tag = input.split('.').collect do |segment|
UrlSafeBase64.decode64 segment
begin
Base64.urlsafe_decode64 segment
rescue ArgumentError
raise DecryptionFailed
end
end
jwe.auth_data = input.split('.').first
jwe.header = MultiJson.load(_header_json_).with_indifferent_access
jwe.decrypt! private_key_or_secret unless private_key_or_secret == :skip_decryption
jwe.header = JSON.parse(_header_json_).with_indifferent_access
unless private_key_or_secret == :skip_decryption
jwe.decrypt! private_key_or_secret, algorithms, encryption_methods
end
jwe
end
def decode_json_serialized(input, private_key_or_secret)
def decode_json_serialized(input, private_key_or_secret, algorithms = nil, encryption_methods = nil)
input = input.with_indifferent_access
jwe_encrypted_key = if input[:recipients].present?
input[:recipients].first[:encrypted_key]
......@@ -282,8 +282,8 @@ module JSON
input[:ciphertext],
input[:tag]
].join('.')
decode_compact_serialized compact_serialized, private_key_or_secret
decode_compact_serialized compact_serialized, private_key_or_secret, algorithms, encryption_methods
end
end
end
end
\ No newline at end of file
end
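Review bot: The merged `when :A128KW, :A256KW` branches hand the caller's secret straight to `AESKeyWrap.wrap` and `AESKeyWrap.unwrap` without checking that its size matches the algorithm named in the header, so a 32-byte secret used with `A128KW` (or the reverse) is presumably accepted and the header then misstates the wrap strength. A guard before the call, something like `raise UnexpectedAlgorithm.new('Key size does not match alg') unless public_key_or_secret.bytesize == (alg.to_sym == :A128KW ? 16 : 32)`, with the matching check on the unwrap side, would keep header and key in step. The only spec coverage this commit adds for the two algorithms is `it :TODO`, so neither the happy path nor a wrong-size key is exercised. Both `case` statements start and end outside the hunks shown.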
......@@ -34,7 +34,7 @@ module JSON
else
raise UnknownAlgorithm.new('Unknown Digest Algorithm')
end
UrlSafeBase64.encode64 digest.digest(normalize.to_json)
Base64.urlsafe_encode64 digest.digest(normalize.to_json), padding: false
end
def to_key
......@@ -98,7 +98,7 @@ module JSON
def to_rsa_key
e, n, d, p, q, dp, dq, qi = [:e, :n, :d, :p, :q, :dp, :dq, :qi].collect do |key|
if self[key]
OpenSSL::BN.new UrlSafeBase64.decode64(self[key]), 2
OpenSSL::BN.new Base64.urlsafe_decode64(self[key]), 2
end
end
key = OpenSSL::PKey::RSA.new
......@@ -132,14 +132,14 @@ module JSON
end
x, y, d = [:x, :y, :d].collect do |key|
if self[key]
OpenSSL::BN.new UrlSafeBase64.decode64(self[key]), 2
Base64.urlsafe_decode64(self[key])
end
end
key = OpenSSL::PKey::EC.new curve_name
key.private_key = d if d
key.private_key = OpenSSL::BN.new(d, 2) if d
key.public_key = OpenSSL::PKey::EC::Point.new(
OpenSSL::PKey::EC::Group.new(curve_name),
OpenSSL::BN.new(['04' + x.to_s(16) + y.to_s(16)].pack('H*'), 2)
OpenSSL::BN.new(['04' + x.unpack('H*').first + y.unpack('H*').first].pack('H*'), 2)
)
key
end
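Review bot: In the EC branch, `x` and `y` are now raw strings or `nil` (the `if self[key]` guard yields `nil` for an absent member), and the point construction calls `x.unpack('H*')` and `y.unpack('H*')` unconditionally. A JWK that lacks either coordinate therefore fails with `NoMethodError` on `nil` rather than with one of the library's own errors. A JWK may come from a document the caller does not control, so a guard before building the point would help, for example `raise JWT::InvalidFormat.new('EC JWK requires x and y') unless x && y`. The method's opening lines are outside the hunk, so an earlier check may already exist there.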
......
......@@ -5,17 +5,17 @@ module JSON
def to_jwk(ex_params = {})
params = {
kty: :RSA,
e: UrlSafeBase64.encode64(e.to_s(2)),
n: UrlSafeBase64.encode64(n.to_s(2))
e: Base64.urlsafe_encode64(e.to_s(2), padding: false),
n: Base64.urlsafe_encode64(n.to_s(2), padding: false)
}.merge ex_params
if private?
params.merge!(
d: UrlSafeBase64.encode64(d.to_s(2)),
p: UrlSafeBase64.encode64(p.to_s(2)),
q: UrlSafeBase64.encode64(q.to_s(2)),
dp: UrlSafeBase64.encode64(dmp1.to_s(2)),
dq: UrlSafeBase64.encode64(dmq1.to_s(2)),
qi: UrlSafeBase64.encode64(iqmp.to_s(2)),
d: Base64.urlsafe_encode64(d.to_s(2), padding: false),
p: Base64.urlsafe_encode64(p.to_s(2), padding: false),
q: Base64.urlsafe_encode64(q.to_s(2), padding: false),
dp: Base64.urlsafe_encode64(dmp1.to_s(2), padding: false),
dq: Base64.urlsafe_encode64(dmq1.to_s(2), padding: false),
qi: Base64.urlsafe_encode64(iqmp.to_s(2), padding: false),
)
end
JWK.new params
......@@ -27,10 +27,10 @@ module JSON
params = {
kty: :EC,
crv: curve_name,
x: UrlSafeBase64.encode64(coordinates[:x].to_s(2)),
y: UrlSafeBase64.encode64(coordinates[:y].to_s(2))
x: Base64.urlsafe_encode64([coordinates[:x]].pack('H*'), padding: false),
y: Base64.urlsafe_encode64([coordinates[:y]].pack('H*'), padding: false)
}.merge ex_params
params[:d] = UrlSafeBase64.encode64(coordinates[:d].to_s(2)) if private_key?
params[:d] = Base64.urlsafe_encode64([coordinates[:d]].pack('H*'), padding: false) if private_key?
JWK.new params
end
......@@ -56,10 +56,10 @@ module JSON
hex_x = hex[2, data_len / 2]
hex_y = hex[2 + data_len / 2, data_len / 2]
@coordinates = {
x: OpenSSL::BN.new([hex_x].pack('H*'), 2),
y: OpenSSL::BN.new([hex_y].pack('H*'), 2)
x: hex_x,
y: hex_y
}
@coordinates[:d] = private_key if private_key?
@coordinates[:d] = private_key.to_s(16) if private_key?
end
@coordinates
end
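Review bot: `x` and `y` now keep their fixed width because they are sliced from the encoded point, but `@coordinates[:d] = private_key.to_s(16)` still goes through `BN#to_s`, which drops leading zero bytes. A private scalar whose top byte is zero is therefore exported as a shorter `d` than RFC 7518 requires (the full octet length of the curve order). Padding to the coordinate width, `private_key.to_s(16).rjust(hex_x.length, '0')`, would fix that for the NIST curves, where presumably field and order have the same byte length. The enclosing `coordinates` method begins outside the hunk.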
......
......@@ -13,17 +13,20 @@ module JSON
end
def sign!(private_key_or_secret)
self.alg = autodetected_algorithm_from(private_key_or_secret) if algorithm == :autodetect
self.signature = sign signature_base_string, private_key_or_secret
self
end
def verify!(public_key_or_secret)
def verify!(public_key_or_secret, algorithms = nil)
if alg.try(:to_sym) == :none
raise UnexpectedAlgorithm if public_key_or_secret
signature == '' or raise VerificationFailed
else
elsif algorithms.blank? || Array(algorithms).include?(alg.try(:to_sym))
public_key_or_secret && valid?(public_key_or_secret) or
raise VerificationFailed
else
raise UnexpectedAlgorithm.new('Unexpected alg header')
end
end
......@@ -50,16 +53,51 @@ module JSON
[:RS256, :RS384, :RS512].include? algorithm.try(:to_sym)
end
def rsa_pss?
if [:PS256, :PS384, :PS512].include? algorithm.try(:to_sym)
if OpenSSL::VERSION < '2.1.0'
raise "#{alg} isn't supported. OpenSSL gem v2.1.0+ is required to use #{alg}."
else
true
end
else
false
end
end
def ecdsa?
[:ES256, :ES384, :ES512].include? algorithm.try(:to_sym)
end
def autodetected_algorithm_from(private_key_or_secret)
private_key_or_secret = with_jwk_support private_key_or_secret
case private_key_or_secret
when String
:HS256
when OpenSSL::PKey::RSA
:RS256
when OpenSSL::PKey::EC
case private_key_or_secret.group.curve_name
when 'prime256v1'
:ES256
when 'secp384r1'
:ES384
when 'secp521r1'
:ES512
else
raise UnknownAlgorithm.new('Unknown EC Curve')
end
else
raise UnexpectedAlgorithm.new('Signature algorithm auto-detection failed')
end
end
def signature_base_string
@signature_base_string ||= [
header.to_json,
self.to_json
].collect do |segment|
UrlSafeBase64.encode64 segment
Base64.urlsafe_encode64 segment, padding: false
end.join('.')
end
......@@ -72,6 +110,9 @@ module JSON
when rsa?
private_key = private_key_or_secret
private_key.sign digest, signature_base_string
when rsa_pss?
private_key = private_key_or_secret
private_key.sign_pss digest, signature_base_string, salt_length: :digest, mgf1_hash: digest
when ecdsa?
private_key = private_key_or_secret
verify_ecdsa_group! private_key
......@@ -92,6 +133,9 @@ module JSON
when rsa?
public_key = public_key_or_secret
public_key.verify digest, signature, signature_base_string
when rsa_pss?
public_key = public_key_or_secret
public_key.verify_pss digest, signature, signature_base_string, salt_length: :digest, mgf1_hash: digest
when ecdsa?
public_key = public_key_or_secret
verify_ecdsa_group! public_key
......@@ -132,25 +176,25 @@ module JSON
end
class << self
def decode_compact_serialized(input, public_key_or_secret)
def decode_compact_serialized(input, public_key_or_secret, algorithms = nil)
unless input.count('.') + 1 == NUM_OF_SEGMENTS
raise InvalidFormat.new("Invalid JWS Format. JWS should include #{NUM_OF_SEGMENTS} segments.")
end
header, claims, signature = input.split('.', JWS::NUM_OF_SEGMENTS).collect do |segment|
UrlSafeBase64.decode64 segment.to_s
Base64.urlsafe_decode64 segment.to_s
end
header, claims = [header, claims].collect do |json|
MultiJson.load(json).with_indifferent_access
JSON.parse(json).with_indifferent_access
end
jws = new claims
jws.header = header
jws.signature = signature
jws.signature_base_string = input.split('.')[0, JWS::NUM_OF_SEGMENTS - 1].join('.')
jws.verify! public_key_or_secret unless public_key_or_secret == :skip_verification
jws.verify! public_key_or_secret, algorithms unless public_key_or_secret == :skip_verification
jws
end
def decode_json_serialized(input, public_key_or_secret)
def decode_json_serialized(input, public_key_or_secret, algorithms = nil)
input = input.with_indifferent_access
header, payload, signature = if input[:signatures].present?
[
......@@ -166,7 +210,7 @@ module JSON
end
end
compact_serialized = [header, payload, signature].join('.')
decode_compact_serialized compact_serialized, public_key_or_secret
decode_compact_serialized compact_serialized, public_key_or_secret, algorithms
end
end
end
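Review bot: In `verify!`, the `alg == :none` branch is evaluated before the new allow-list, so `algorithms` never constrains it: with a `nil` key and `algorithms = [:RS256]`, a token whose header says `none` and whose signature is empty is still accepted. Making the allow-list the first statement, `raise UnexpectedAlgorithm.new('Unexpected alg header') unless algorithms.blank? || Array(algorithms).include?(alg.try(:to_sym))`, makes it authoritative for every algorithm, including `none`. Separately, `rsa_pss?` compares `OpenSSL::VERSION < '2.1.0'` as strings, which orders a two-digit major version incorrectly. `Gem::Version.new(OpenSSL::VERSION) < Gem::Version.new('2.1.0')` avoids that.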
......
require 'openssl'
require 'url_safe_base64'
require 'multi_json'
require 'base64'
require 'active_support'
require 'active_support/core_ext'
require 'json/jose'
......@@ -27,13 +26,6 @@ module JSON
end
def sign(private_key_or_secret, algorithm = :autodetect)
if algorithm == :autodetect
# NOTE:
# I'd like to make :RS256 default.
# However, by histrical reasons, :HS256 was default.
# This code is needed to keep legacy behavior.
algorithm = private_key_or_secret.is_a?(String) ? :HS256 : :RS256
end
jws = JWS.new self
jws.kid ||= private_key_or_secret[:kid] if private_key_or_secret.is_a? JSON::JWK
jws.alg = algorithm
......@@ -54,7 +46,7 @@ module JSON
self.to_json,
signature
].collect do |segment|
UrlSafeBase64.encode64 segment.to_s
Base64.urlsafe_encode64 segment.to_s, padding: false
end.join('.')
end
......@@ -62,45 +54,56 @@ module JSON
case options[:syntax]
when :general
{
payload: UrlSafeBase64.encode64(self.to_json),
payload: Base64.urlsafe_encode64(self.to_json, padding: false),
signatures: [{
protected: UrlSafeBase64.encode64(header.to_json),
signature: UrlSafeBase64.encode64(signature.to_s)
protected: Base64.urlsafe_encode64(header.to_json, padding: false),
signature: Base64.urlsafe_encode64(signature.to_s, padding: false)
}]
}
when :flattened
{
protected: UrlSafeBase64.encode64(header.to_json),
payload: UrlSafeBase64.encode64(self.to_json),
signature: UrlSafeBase64.encode64(signature.to_s)
protected: Base64.urlsafe_encode64(header.to_json, padding: false),
payload: Base64.urlsafe_encode64(self.to_json, padding: false),
signature: Base64.urlsafe_encode64(signature.to_s, padding: false)
}
else
super
end
end
def pretty_generate
[
JSON.pretty_generate(header),
JSON.pretty_generate(self)
]
end
class << self
def decode_compact_serialized(jwt_string, key_or_secret)
def decode_compact_serialized(jwt_string, key_or_secret, algorithms = nil, encryption_methods = nil)
case jwt_string.count('.') + 1
when JWS::NUM_OF_SEGMENTS
JWS.decode_compact_serialized jwt_string, key_or_secret
JWS.decode_compact_serialized jwt_string, key_or_secret, algorithms
when JWE::NUM_OF_SEGMENTS
JWE.decode_compact_serialized jwt_string, key_or_secret
JWE.decode_compact_serialized jwt_string, key_or_secret, algorithms, encryption_methods
else
raise InvalidFormat.new("Invalid JWT Format. JWT should include #{JWS::NUM_OF_SEGMENTS} or #{JWE::NUM_OF_SEGMENTS} segments.")
end
end
def decode_json_serialized(input, key_or_secret)
def decode_json_serialized(input, key_or_secret, algorithms = nil, encryption_methods = nil)
input = input.with_indifferent_access
if (input[:signatures] || input[:signature]).present?
JWS.decode_json_serialized input, key_or_secret
JWS.decode_json_serialized input, key_or_secret, algorithms
elsif input[:ciphertext].present?
JWE.decode_json_serialized input, key_or_secret
JWE.decode_json_serialized input, key_or_secret, algorithms, encryption_methods
else
raise InvalidFormat.new("Unexpected JOSE JSON Serialization Format.")
end
end
def pretty_generate(jwt_string)
decode(jwt_string, :skip_verification).pretty_generate
end
end
end
end
......@@ -109,4 +112,4 @@ require 'json/jws'
require 'json/jwe'
require 'json/jwk'
require 'json/jwk/jwkizable'
require 'json/jwk/set'
\ No newline at end of file
require 'json/jwk/set'
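Review bot: The new class-level `pretty_generate` always passes `:skip_verification`, but the JWE path in this commit only skips work for `:skip_decryption`, so a five-segment input is dispatched to `JWE.decode_compact_serialized` and then reaches `decrypt!` with the symbol as its key. Either limit the helper to JWS input or choose the sentinel from the segment count before calling `decode`. The method should also carry a comment such as `# Debug helper: prints header and claims WITHOUT verifying the signature; never base an authorization decision on its output.`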
......@@ -40,7 +40,7 @@ describe 'interop' do
describe 'verify' do
it 'should succeed' do
expect do
JSON::JWT.decode(jws_string, public_key)
JSON::JWT.decode(jws_string, public_key, :ES256)
end.not_to raise_error
end
end
......
......@@ -73,6 +73,14 @@ describe JSON::JWE do
it :TODO
end
context 'when alg=A128KW' do
it :TODO
end
context 'when alg=A256KW' do
it :TODO
end
context 'when unknonw/unsupported algorithm given' do
let(:key) { public_key }
let(:alg) { :RSA1_5 }
......@@ -89,7 +97,7 @@ describe JSON::JWE do
it_behaves_like :unexpected_algorithm_for_encryption
end
[:A128KW, :A256KW, :'ECDH-ES', :'ECDH-ES+A128KW', :'ECDH-ES+A256KW'].each do |alg|
[:'ECDH-ES', :'ECDH-ES+A128KW', :'ECDH-ES+A256KW'].each do |alg|
context "when alg=#{alg}" do
let(:alg) { alg }
it_behaves_like :unsupported_algorithm_for_encryption
......@@ -161,6 +169,24 @@ describe JSON::JWE do
end
end
shared_examples_for :verify_gcm_authentication_tag do
let(:jwe_string) do
_jwe_ = JSON::JWE.new plain_text
_jwe_.alg, _jwe_.enc = alg, enc
_jwe_.encrypt! key
header, key, iv, cipher_text, auth_tag = _jwe_.to_s.split('.')
truncated_auth_tag = Base64.urlsafe_decode64(auth_tag).slice(0..-2)
truncated_auth_tag = Base64.urlsafe_encode64(truncated_auth_tag, padding: false)
[header, key, iv, cipher_text, truncated_auth_tag].join('.')
end
it do
expect do
jwe.decrypt! key
end.to raise_error JSON::JWE::DecryptionFailed
end
end
shared_examples_for :unexpected_algorithm_for_decryption do
it do
expect do
......@@ -185,6 +211,7 @@ describe JSON::JWE do
let(:enc) { :A128GCM }
if gcm_supported?
it_behaves_like :decryptable
it_behaves_like :verify_gcm_authentication_tag
else
it_behaves_like :gcm_decryption_unsupported
end
......@@ -194,6 +221,7 @@ describe JSON::JWE do
let(:enc) { :A256GCM }
if gcm_supported?
it_behaves_like :decryptable
it_behaves_like :verify_gcm_authentication_tag
else
it_behaves_like :gcm_decryption_unsupported
end
......@@ -218,6 +246,7 @@ describe JSON::JWE do
let(:enc) { :A128GCM }
if gcm_supported?
it_behaves_like :decryptable
it_behaves_like :verify_gcm_authentication_tag
else
it_behaves_like :gcm_decryption_unsupported
end
......@@ -227,6 +256,7 @@ describe JSON::JWE do
let(:enc) { :A256GCM }
if gcm_supported?
it_behaves_like :decryptable
it_behaves_like :verify_gcm_authentication_tag
else
it_behaves_like :gcm_decryption_unsupported
end
......@@ -254,6 +284,7 @@ describe JSON::JWE do
let(:key_size) { 16 }
if gcm_supported?
it_behaves_like :decryptable
it_behaves_like :verify_gcm_authentication_tag
else
it_behaves_like :gcm_decryption_unsupported
end
......@@ -264,6 +295,7 @@ describe JSON::JWE do
let(:key_size) { 32 }
if gcm_supported?
it_behaves_like :decryptable
it_behaves_like :verify_gcm_authentication_tag
else
it_behaves_like :gcm_decryption_unsupported
end
......@@ -284,6 +316,14 @@ describe JSON::JWE do
end
end
context 'when alg=A128KW' do
it :TODO
end
context 'when alg=A256KW' do
it :TODO
end
context 'when unknonw/unsupported algorithm given' do
let(:input) { 'header.key.iv.cipher_text.auth_tag' }
let(:key) { public_key }
......@@ -300,7 +340,7 @@ describe JSON::JWE do
it_behaves_like :unexpected_algorithm_for_decryption
end
[:A128KW, :A256KW, :'ECDH-ES', :'ECDH-ES+A128KW', :'ECDH-ES+A256KW'].each do |alg|
[:'ECDH-ES', :'ECDH-ES+A128KW', :'ECDH-ES+A256KW'].each do |alg|
context "when alg=#{alg}" do