jwt / ruby-jwe
JSON Web Encryption for Ruby
License: MIT License
I think this is a feature request, as I haven't really seen it in the docs.
I'd like to be able to pass an "enc" JWK (or an array of them) instead of the decryption key.
The "jwt" gem knows how to build and load a JWK key, so maybe this is a feature that makes more sense as an extension of "jwt", as it could be used in the "JWT.verify" method.
I tried encrypting custom headers, however I found that version 0.3.0 that I installed from rubygems.org does not reflect what is in master.
Hi there,
Installed the gem and got a syntax error.
No ruby version restrictions described on rubygems.org.
Looks like you use keyword arguments which is a feature in Ruby 2.0 and higher.
Could you confirm this?
```
Uncaught exception: /.../gems/jwe-0.1.1/lib/jwe.rb:22: syntax error, unexpected tLABEL
def self.encrypt(payload, key, alg: 'RSA-OAEP', enc: 'A128GCM', zip: nil)
```
Regards
Several of the class names under JWE::Alg aren't cased correctly to match the output from JWE.param_to_class_name. This mismatch means that perfectly valid algs throw a NotImplementedError.
For example: with JWE.encrypt(jwt, secret, alg: 'A256KW'), JWE.param_to_class_name converts the alg to "A256kw". Then const_get looks for a matching class name, but doesn't find one because the class is A256Kw.
This should be a real quick fix.
Does it make sense to make a release under the new ruby-jwe name?
Hi, I found an issue while trying to decrypt something with enc: A256CBC-HS512 which was encrypted by another library. I was getting 'Authentication tag verification failed' with this library but not on others.
After hunting down the differences on how the tag was calculated I narrowed it down to this line
According to RFC 7516 JSON Web Encryption (JWE)
The octet string AL, which is the number of bits in AAD expressed as a big-endian 64-bit unsigned integer
I made the changes to both decrypt and encrypt in my fork, but was unable to figure out how to fix all the failing tests in spec/jwe/enc_spec.rb so haven't raised a PR.
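The tag mismatch described in this issue comes down to how the AL block is built. The following is an added example (not the gem's code and not the reporter's fork) that implements the A256CBC-HS512 tag computation with AL as the AAD length in bits, big-endian 64-bit, and keeps a switch to build AL from the byte count so the interop failure can be reproduced deliberately. The JWE AAD is derived from a constructed protected header; the base64url helper, the constant-time comparison and all function names are this example's own.

```ruby
require 'openssl'
require 'securerandom'
require 'json'

# base64url without padding, as JWE uses for the protected header (own helper).
def b64url(str)
  [str].pack('m0').tr('+/', '-_').delete('=')
end

# JWE AAD = ASCII(BASE64URL(UTF8(protected header))); header is constructed input.
def jwe_aad(protected_header)
  b64url(JSON.generate(protected_header)).b
end

# AL = length of AAD as a 64-bit big-endian unsigned integer, counted in BITS.
# unit: :bytes is the mistaken variant that produces a tag other libraries reject.
def al_block(aad, unit: :bits)
  n = unit == :bits ? aad.bytesize * 8 : aad.bytesize
  [n].pack('Q>')
end

# Constant-time equality so tag verification does not leak via timing.
def ct_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# A256CBC-HS512 tag: HMAC-SHA-512 over AAD || IV || ciphertext || AL, first 32 bytes.
def hs512_tag(mac_key, aad, iv, ct, al)
  OpenSSL::HMAC.digest('SHA512', mac_key, aad + iv + ct + al)[0, 32]
end

# Encrypt; the 64-byte CEK splits into MAC key (first 32 bytes) and AES key (last 32).
def a256cbc_hs512_encrypt(cek, aad, plaintext, al_unit: :bits)
  raise ArgumentError, 'A256CBC-HS512 needs a 64-byte CEK' unless cek.bytesize == 64
  mac_key, enc_key = cek[0, 32], cek[32, 32]
  c = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  c.key = enc_key
  iv = c.random_iv
  ct = c.update(plaintext) + c.final
  tag = hs512_tag(mac_key, aad, iv, ct, al_block(aad, unit: al_unit))
  { iv: iv, ciphertext: ct, tag: tag }
end

# Verify the tag the RFC way (bits) before touching the ciphertext.
def tag_verifies?(cek, aad, iv, ct, tag)
  expected = hs512_tag(cek[0, 32], aad, iv, ct, al_block(aad))
  ct_equal?(expected, tag)
end

def a256cbc_hs512_decrypt(cek, aad, iv, ct, tag)
  raise 'Authentication tag verification failed' unless tag_verifies?(cek, aad, iv, ct, tag)
  c = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  c.key = cek[32, 32]
  c.iv = iv
  c.update(ct) + c.final
end

if __FILE__ == $PROGRAM_NAME
  cek = SecureRandom.random_bytes(64)
  aad = jwe_aad('alg' => 'dir', 'enc' => 'A256CBC-HS512')
  good = a256cbc_hs512_encrypt(cek, aad, 'hello')
  puts "bits AL verifies:  #{tag_verifies?(cek, aad, good[:iv], good[:ciphertext], good[:tag])}"
  bad = a256cbc_hs512_encrypt(cek, aad, 'hello', al_unit: :bytes)
  puts "bytes AL verifies: #{tag_verifies?(cek, aad, bad[:iv], bad[:ciphertext], bad[:tag])}"
end
```

A token produced with the byte-count AL decrypts fine as long as both ends share the same mistake, which is why the bug only surfaces against another implementation.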
While trying to consume ruby-jwe generated tokens in Clojure's buddy-sign library, I raised this issue with the buddy developers.
They've investigated and found that when ruby-jwe calls Zlib::Deflate, it produces a byte stream that doesn't conform with RFC7516 4.1.3. Turns out you have to go out of your way to make it comply with RFC1951 rather than RFC1950.
More details are in the issue I raised :)
When using the zip: DEF option on large payloads it failed to deflate properly. Output appears to be truncated.
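Both of the preceding issues concern the zip: DEF step. As an added example (this is not the gem's code), the block below produces raw DEFLATE as RFC 7516 4.1.3 requires, that is RFC 1951 with no RFC 1950 zlib header or Adler-32 trailer, by opening Zlib::Deflate with a negative window size, and it finishes the stream explicitly so the output is complete for large inputs. The `deflate_incomplete` function is a constructed mistake included only to show what an unfinished stream looks like; it is an assumption of this example, not an established cause of the truncation reported above.

```ruby
require 'zlib'

# Raw DEFLATE (RFC 1951): negative window bits suppress the zlib wrapper.
# Zlib::FINISH flushes and terminates the stream in one call.
def deflate_raw(data)
  z = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
  out = z.deflate(data, Zlib::FINISH)
  z.close
  out
end

# Matching raw inflate for tokens produced by other JWE libraries.
def inflate_raw(data)
  z = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  out = z.inflate(data)
  z.finish
  z.close
  out
end

# Constructed mistake: deflate without FINISH leaves the stream unterminated.
def deflate_incomplete(data)
  z = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
  z.deflate(data)
end

# RFC 1950 header check: CMF low nibble is 8 (deflate) and (CMF*256 + FLG) % 31 == 0.
def zlib_wrapped?(data)
  return false if data.bytesize < 2
  cmf, flg = data.bytes[0, 2]
  (cmf & 0x0f) == 8 && ((cmf * 256) + flg) % 31 == 0
end

# Does a raw stream round-trip back to the original? Truncated input either
# raises Zlib::Error or yields a shorter plaintext; both count as failure.
def raw_round_trips?(compressed, original)
  inflate_raw(compressed) == original
rescue Zlib::Error
  false
end

if __FILE__ == $PROGRAM_NAME
  payload = ('{"sub":"example","n":1}' * 5000) # constructed large payload
  puts "raw is zlib-wrapped?      #{zlib_wrapped?(deflate_raw(payload))}"
  puts "default is zlib-wrapped?  #{zlib_wrapped?(Zlib::Deflate.deflate(payload))}"
  puts "finished round-trips?     #{raw_round_trips?(deflate_raw(payload), payload)}"
  puts "unfinished round-trips?   #{raw_round_trips?(deflate_incomplete(payload), payload)}"
end
```

`Zlib::Deflate.deflate(data)` (the class method) always emits the RFC 1950 wrapper, which is the form the buddy-sign developers flagged; a consumer that expects RFC 1951 sees those two leading bytes as garbage.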
Hi and thanks a lot
How to use this gem as a container for a JWT (e.g. created with ruby-jwt)?
Should the JWT output of the ruby-jwt be the payload for the encrypt function?
Thanks a lot
I'm trying to use the encrypt method. When I call JWE.encrypt it throws the error
(undefined method `public_encrypt' for #<String:0x00007f8fa78b75c0>)
```ruby
require 'json'
require 'open-uri'
require 'jwe'
URL = 'https://gist.githubusercontent.com/.../my_json_file.json'.freeze
KEY = "-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----".freeze
data = JSON.load(open(URL))
encrypted = JWE.encrypt(JSON.dump(data), KEY)
puts encrypted
IO.popen('pbcopy', 'r+') { |clipboard| clipboard.puts encrypted }
```
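The error in this report says that the key reached the RSA-OAEP step as a String, and a String has no public_encrypt method. As an added example (not the gem's code and not the reporter's script), the block below loads a PEM into an OpenSSL::PKey::RSA object before use and shows the RSA-OAEP wrap and unwrap of a content encryption key with plain OpenSSL. The key is generated inline, so no real key material is embedded; `load_rsa_key`, `wrap_cek` and `unwrap_cek` are this example's own names.

```ruby
require 'openssl'
require 'securerandom'

# Accept either a PEM string or an already-loaded key; a bare String is never usable.
def load_rsa_key(pem_or_key)
  return pem_or_key if pem_or_key.is_a?(OpenSSL::PKey::RSA)
  OpenSSL::PKey::RSA.new(pem_or_key)
end

# RSA-OAEP key wrap: encrypt the random CEK with the recipient's public key.
def wrap_cek(key, cek)
  load_rsa_key(key).public_encrypt(cek, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end

# Unwrap needs the private half; fail loudly rather than with an opaque OpenSSL error.
def unwrap_cek(key, wrapped)
  k = load_rsa_key(key)
  raise ArgumentError, 'private key required to unwrap the CEK' unless k.private?
  k.private_decrypt(wrapped, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)       # constructed, throwaway key
  pem = key.to_pem
  puts "String responds to public_encrypt? #{pem.respond_to?(:public_encrypt)}"
  cek = SecureRandom.random_bytes(16)      # A128GCM-sized CEK
  wrapped = wrap_cek(key.public_key.to_pem, cek)
  puts "round trip ok? #{unwrap_cek(pem, wrapped) == cek}"
end
```

Encrypting only needs the public key, so the PEM passed to the encrypt side can be the public key alone; keeping the private key out of that code path is the safer default.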
Is this still being actively maintained? Am requiring RSA-OAEP-256 support for JWE and would like to use this library along with the ruby-jwt library as opposed to finding alternatives.
Am considering forking and exploring adding the support but am just wondering if it's still actively maintained, and would it be complex to add this support (have not explored code in-depth yet) ?
When using the algorithm "dir" and not giving an encryption key, the lib allows me to encrypt the message anyway (without knowing the encryption key):
```
pry(main)> JWE.encrypt('plain', nil, alg: 'dir')
=> "eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4R0NNIn0..gOyySHAV-rYOmDd1.zfWUxIY.W7YvYlp7I01ZEJe3ZGntJw"
# How should I decipher it?
```
The issue is more pernicious and prod like in the following case:
```
pry(main)> cipher = JWE.encrypt('plain', ENV['ENCRYPTION_KEY'], alg: 'dir')
pry(main)> JWE.decrypt(cipher, ENV['ENCRYPTION_KEY'])
=> JWE::InvalidData: Invalid ciphertext or authentication tag
```
This happens when using an ENV variable to hold the key and forgetting to set that variable on the server.
An error should be raised when no encryption key is provided while trying to encrypt the message.
In https://github.com/jwt/ruby-jwe/blob/master/lib/jwe.rb#L31 we set the key directly if the alg is "dir":
```ruby
cipher.cek = key if alg == 'dir'
```
In https://github.com/jwt/ruby-jwe/blob/master/lib/jwe/enc/aes_gcm.rb#L45-L47 the attr accessor sets the variable @cek on the instance, and when calling :cek afterward the variable @cek is set to random_bytes. That is used to encrypt the plain text.
```ruby
attr_accessor :cek
...
def cek
  @cek ||= SecureRandom.random_bytes(key_length)
end
```
When deciphering the cipher, the cipher key (random bytes) and the encryption key (nil) do not match and we get a CipherError.
With the updated openssl library within ruby 2.4 you get this error:
key must be 16 bytes (ArgumentError)
I am ready with a quick rspec test case but it fails on anything > 2.4
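The accessor pattern quoted in this issue is reconstructed below as an added example (a stand-in written for this page, not the gem's code) next to a hardened variant. `LaxCek` reproduces the failure mode: assigning nil leaves @cek unset, so the reader silently substitutes random bytes and encryption "succeeds" with a key nobody holds. `StrictCek` rejects a missing or wrongly sized key before any cipher is touched, which is the behaviour the issue asks for and also avoids the Ruby 2.4 "key must be 16 bytes" surprise by checking length up front. The A128GCM helpers and all class and function names are this example's own.

```ruby
require 'openssl'
require 'securerandom'

# Reconstruction of the lax pattern (hypothetical stand-in, not the gem's code).
class LaxCek
  attr_writer :cek

  def initialize(key_length)
    @key_length = key_length
  end

  # A nil assignment is indistinguishable from "no key yet", so a random key appears.
  def cek
    @cek ||= SecureRandom.random_bytes(@key_length)
  end
end

# Hardened variant: for alg "dir" the caller's key IS the content encryption key,
# so absence or a wrong length is a configuration error, not something to paper over.
class StrictCek
  attr_reader :cek

  def initialize(key_length, key)
    raise ArgumentError, "alg 'dir' requires an encryption key" if key.nil? || key.empty?
    raise ArgumentError, "key must be #{key_length} bytes, got #{key.bytesize}" unless key.bytesize == key_length
    @cek = key
  end
end

# Minimal A128GCM content encryption, only to show the consequence of each variant.
def a128gcm_encrypt(cek, plaintext, aad)
  c = OpenSSL::Cipher.new('aes-128-gcm').encrypt
  c.key = cek
  iv = c.random_iv
  c.auth_data = aad
  ct = c.update(plaintext) + c.final
  [iv, ct, c.auth_tag]
end

# Returns nil on tag failure instead of raising, to keep the demo linear.
def a128gcm_decrypt(cek, iv, ct, tag, aad)
  c = OpenSSL::Cipher.new('aes-128-gcm').decrypt
  c.key = cek
  c.iv = iv
  c.auth_tag = tag
  c.auth_data = aad
  c.update(ct) + c.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# Lax path: returns the key that was actually used, which for nil input is random.
def lax_dir_key_used(configured_key)
  holder = LaxCek.new(16)
  holder.cek = configured_key
  holder.cek
end

# Strict path: validate, encrypt, decrypt with the same configured key.
def strict_dir_roundtrip(configured_key, plaintext, aad = 'eyJhbGciOiJkaXIifQ')
  cek = StrictCek.new(16, configured_key).cek
  iv, ct, tag = a128gcm_encrypt(cek, plaintext, aad)
  a128gcm_decrypt(cek, iv, ct, tag, aad)
end

if __FILE__ == $PROGRAM_NAME
  used = lax_dir_key_used(nil)
  puts "lax: nil key silently became #{used.bytesize} random bytes"
  begin
    strict_dir_roundtrip(nil, 'plain')
  rescue ArgumentError => e
    puts "strict: #{e.message}"
  end
  puts "strict round trip: #{strict_dir_roundtrip(SecureRandom.random_bytes(16), 'plain')}"
end
```

The ENV['ENCRYPTION_KEY'] case in the report is exactly the lax path with nil: the ciphertext is real, but the only copy of the key that encrypted it was discarded with the cipher object.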