Diff of the two buildlogs: --
--- b1/build.log 2025-08-23 12:31:07.137020783 +0000
+++ b2/build.log 2025-08-23 12:32:12.085101597 +0000
@@ -1,6 +1,6 @@
 I: pbuilder: network access will be disabled during build
-I: Current time: Fri Sep 25 06:53:18 -12 2026
-I: pbuilder-time-stamp: 1790362398
+I: Current time: Sun Aug 24 02:31:09 +14 2025
+I: pbuilder-time-stamp: 1755952269
 I: Building the build Environment
 I: extracting base tarball [/var/cache/pbuilder/forky-reproducible-base.tgz]
 I: copying local configuration
@@ -24,53 +24,85 @@ dpkg-source: info: applying no-pending-tests.patch I: Not using root during the build. I: Installing the build-deps -I: user script /srv/workspace/pbuilder/2566635/tmp/hooks/D02_print_environment starting +I: user script /srv/workspace/pbuilder/3486283/tmp/hooks/D01_modify_environment starting +debug: Running on codethink04-arm64. +I: Changing host+domainname to test build reproducibility +I: Adding a custom variable just for the fun of it... +I: Changing /bin/sh to bash +'/bin/sh' -> '/bin/bash' +lrwxrwxrwx 1 root root 9 Aug 23 12:31 /bin/sh -> /bin/bash +I: Setting pbuilder2's login shell to /bin/bash +I: Setting pbuilder2's GECOS to second user,second room,second work-phone,second home-phone,second other +I: user script /srv/workspace/pbuilder/3486283/tmp/hooks/D01_modify_environment finished +I: user script /srv/workspace/pbuilder/3486283/tmp/hooks/D02_print_environment starting I: set - BUILDDIR='/build/reproducible-path' - BUILDUSERGECOS='first user,first room,first work-phone,first home-phone,first other' - BUILDUSERNAME='pbuilder1' - BUILD_ARCH='arm64' - DEBIAN_FRONTEND='noninteractive' + BASH=/bin/sh + BASHOPTS=checkwinsize:cmdhist:complete_fullquote:extquote:force_fignore:globasciiranges:globskipdots:hostcomplete:interactive_comments:patsub_replacement:progcomp:promptvars:sourcepath + BASH_ALIASES=() + BASH_ARGC=() + BASH_ARGV=() + BASH_CMDS=() + BASH_LINENO=([0]="12" [1]="0") + BASH_LOADABLES_PATH=/usr/local/lib/bash:/usr/lib/bash:/opt/local/lib/bash:/usr/pkg/lib/bash:/opt/pkg/lib/bash:. 
+ BASH_SOURCE=([0]="/tmp/hooks/D02_print_environment" [1]="/tmp/hooks/D02_print_environment") + BASH_VERSINFO=([0]="5" [1]="2" [2]="37" [3]="1" [4]="release" [5]="aarch64-unknown-linux-gnu") + BASH_VERSION='5.2.37(1)-release' + BUILDDIR=/build/reproducible-path + BUILDUSERGECOS='second user,second room,second work-phone,second home-phone,second other' + BUILDUSERNAME=pbuilder2 + BUILD_ARCH=arm64 + DEBIAN_FRONTEND=noninteractive DEB_BUILD_OPTIONS='buildinfo=+all reproducible=+all parallel=12 ' - DISTRIBUTION='forky' - HOME='/root' - HOST_ARCH='arm64' + DIRSTACK=() + DISTRIBUTION=forky + EUID=0 + FUNCNAME=([0]="Echo" [1]="main") + GROUPS=() + HOME=/root + HOSTNAME=i-capture-the-hostname + HOSTTYPE=aarch64 + HOST_ARCH=arm64 IFS=' ' - INVOCATION_ID='fe3094ba6997467eb60b6ed2052bff10' - LANG='C' - LANGUAGE='en_US:en' - LC_ALL='C' - MAIL='/var/mail/root' - OPTIND='1' - PATH='/usr/sbin:/usr/bin:/sbin:/bin:/usr/games' - PBCURRENTCOMMANDLINEOPERATION='build' - PBUILDER_OPERATION='build' - PBUILDER_PKGDATADIR='/usr/share/pbuilder' - PBUILDER_PKGLIBDIR='/usr/lib/pbuilder' - PBUILDER_SYSCONFDIR='/etc' - PPID='2566635' - PS1='# ' - PS2='> ' + INVOCATION_ID=5adc97ae9ded4803af7eaf8633c0c7ba + LANG=C + LANGUAGE=nl_BE:nl + LC_ALL=C + MACHTYPE=aarch64-unknown-linux-gnu + MAIL=/var/mail/root + OPTERR=1 + OPTIND=1 + OSTYPE=linux-gnu + PATH=/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path + PBCURRENTCOMMANDLINEOPERATION=build + PBUILDER_OPERATION=build + PBUILDER_PKGDATADIR=/usr/share/pbuilder + PBUILDER_PKGLIBDIR=/usr/lib/pbuilder + PBUILDER_SYSCONFDIR=/etc + PIPESTATUS=([0]="0") + POSIXLY_CORRECT=y + PPID=3486283 PS4='+ ' - PWD='/' - SHELL='/bin/bash' - SHLVL='2' - SUDO_COMMAND='/usr/bin/timeout -k 18.1h 18h /usr/bin/ionice -c 3 /usr/bin/nice /usr/sbin/pbuilder --build --configfile /srv/reproducible-results/rbuild-debian/r-b-build.nDyZ2d3e/pbuilderrc_5JU5 --distribution forky --hookdir /etc/pbuilder/first-build-hooks --debbuildopts -b --basetgz 
/var/cache/pbuilder/forky-reproducible-base.tgz --buildresult /srv/reproducible-results/rbuild-debian/r-b-build.nDyZ2d3e/b1 --logfile b1/build.log ruby-jwt_2.7.1-1.dsc' - SUDO_GID='109' - SUDO_HOME='/var/lib/jenkins' - SUDO_UID='104' - SUDO_USER='jenkins' - TERM='unknown' - TZ='/usr/share/zoneinfo/Etc/GMT+12' - USER='root' - _='/usr/bin/systemd-run' - http_proxy='http://192.168.101.4:3128' + PWD=/ + SHELL=/bin/bash + SHELLOPTS=braceexpand:errexit:hashall:interactive-comments:posix + SHLVL=3 + SUDO_COMMAND='/usr/bin/timeout -k 24.1h 24h /usr/bin/ionice -c 3 /usr/bin/nice -n 11 /usr/bin/unshare --uts -- /usr/sbin/pbuilder --build --configfile /srv/reproducible-results/rbuild-debian/r-b-build.nDyZ2d3e/pbuilderrc_eQlx --distribution forky --hookdir /etc/pbuilder/rebuild-hooks --debbuildopts -b --basetgz /var/cache/pbuilder/forky-reproducible-base.tgz --buildresult /srv/reproducible-results/rbuild-debian/r-b-build.nDyZ2d3e/b2 --logfile b2/build.log ruby-jwt_2.7.1-1.dsc' + SUDO_GID=109 + SUDO_HOME=/var/lib/jenkins + SUDO_UID=104 + SUDO_USER=jenkins + TERM=unknown + TZ=/usr/share/zoneinfo/Etc/GMT-14 + UID=0 + USER=root + _='I: set' + http_proxy=http://192.168.101.4:3128 I: uname -a - Linux codethink03-arm64 6.12.41+deb13-cloud-arm64 #1 SMP Debian 6.12.41-1 (2025-08-12) aarch64 GNU/Linux + Linux i-capture-the-hostname 6.12.41+deb13-cloud-arm64 #1 SMP Debian 6.12.41-1 (2025-08-12) aarch64 GNU/Linux I: ls -l /bin - lrwxrwxrwx 1 root root 7 Aug 10 2025 /bin -> usr/bin -I: user script /srv/workspace/pbuilder/2566635/tmp/hooks/D02_print_environment finished + lrwxrwxrwx 1 root root 7 Aug 10 12:30 /bin -> usr/bin +I: user script /srv/workspace/pbuilder/3486283/tmp/hooks/D02_print_environment finished -> Attempting to satisfy build-dependencies -> Creating pbuilder-satisfydepends-dummy package Package: pbuilder-satisfydepends-dummy 
@@ -83,7 +115,7 @@
 Depends: debhelper-compat (= 13), gem2deb (>= 1), rake, ruby-rspec, ruby-rbnacl, ruby-simplecov
 dpkg-deb: building package 'pbuilder-satisfydepends-dummy' in '/tmp/satisfydepends-aptitude/pbuilder-satisfydepends-dummy.deb'.
 Selecting previously unselected package pbuilder-satisfydepends-dummy.
-(Reading database ... 19969 files and directories currently installed.)
+(Reading database ... 20003 files and directories currently installed.)
 Preparing to unpack .../pbuilder-satisfydepends-dummy.deb ...
 Unpacking pbuilder-satisfydepends-dummy (0.invalid.0) ...
 dpkg: pbuilder-satisfydepends-dummy: dependency problems, but configuring anyway as you requested:
@@ -252,10 +284,10 @@
 Get: 134 http://deb.debian.org/debian forky/main arm64 ruby-rspec all 3.13.0c0e0m0s1-2 [5184 B]
 Get: 135 http://deb.debian.org/debian forky/main arm64 ruby-simplecov-html all 0.12.3-2 [468 kB]
 Get: 136 http://deb.debian.org/debian forky/main arm64 ruby-simplecov all 0.22.0-2 [45.2 kB]
-Fetched 35.9 MB in 0s (95.5 MB/s)
+Fetched 35.9 MB in 0s (191 MB/s)
 Preconfiguring packages ...
 Selecting previously unselected package libexpat1:arm64.
-(Reading database ... (Reading database ... 5% (Reading database ... 10% (Reading database ... 15% (Reading database ... 20% (Reading database ... 25% (Reading database ... 30% (Reading database ... 35% (Reading database ... 40% (Reading database ... 45% (Reading database ... 50% (Reading database ... 55% (Reading database ... 60% (Reading database ... 65% (Reading database ... 70% (Reading database ... 75% (Reading database ... 80% (Reading database ... 85% (Reading database ... 90% (Reading database ... 95% (Reading database ... 100% (Reading database ... 19969 files and directories currently installed.)
+(Reading database ... (Reading database ... 5% (Reading database ... 10% (Reading database ... 15% (Reading database ... 20% (Reading database ... 25% (Reading database ... 30% (Reading database ... 35% (Reading database ... 40% (Reading database ... 45% (Reading database ... 50% (Reading database ... 55% (Reading database ... 60% (Reading database ... 65% (Reading database ... 70% (Reading database ... 75% (Reading database ... 80% (Reading database ... 85% (Reading database ... 90% (Reading database ... 95% (Reading database ... 100% (Reading database ... 20003 files and directories currently installed.)
 Preparing to unpack .../libexpat1_2.7.1-2_arm64.deb ...
 Unpacking libexpat1:arm64 (2.7.1-2) ...
 Selecting previously unselected package libpython3.13-minimal:arm64.
@@ -268,7 +300,7 @@
 Setting up libexpat1:arm64 (2.7.1-2) ...
 Setting up python3.13-minimal (3.13.6-1) ...
 Selecting previously unselected package python3-minimal.
-(Reading database ... (Reading database ... 5% (Reading database ... 10% (Reading database ... 15% (Reading database ... 20% (Reading database ... 25% (Reading database ... 30% (Reading database ... 35% (Reading database ... 40% (Reading database ... 45% (Reading database ... 50% (Reading database ... 55% (Reading database ... 60% (Reading database ... 65% (Reading database ... 70% (Reading database ... 75% (Reading database ... 80% (Reading database ... 85% (Reading database ... 90% (Reading database ... 95% (Reading database ... 100% (Reading database ... 20303 files and directories currently installed.)
+(Reading database ... (Reading database ... 5% (Reading database ... 10% (Reading database ... 15% (Reading database ... 20% (Reading database ... 25% (Reading database ... 30% (Reading database ... 35% (Reading database ... 40% (Reading database ... 45% (Reading database ... 50% (Reading database ... 55% (Reading database ... 60% (Reading database ... 65% (Reading database ... 70% (Reading database ... 75% (Reading database ... 80% (Reading database ... 85% (Reading database ... 90% (Reading database ... 95% (Reading database ... 100% (Reading database ... 20337 files and directories currently installed.)
 Preparing to unpack .../0-python3-minimal_3.13.5-1_arm64.deb ...
 Unpacking python3-minimal (3.13.5-1) ...
 Selecting previously unselected package media-types.
@@ -304,7 +336,7 @@ Unpacking libpython3-stdlib:arm64 (3.13.5-1) ... Setting up python3-minimal (3.13.5-1) ... Selecting previously unselected package python3. -(Reading database ... (Reading database ... 5% (Reading database ... 10% (Reading database ... 15% (Reading database ... 20% (Reading database ... 25% (Reading database ... 30% (Reading database ... 35% (Reading database ... 40% (Reading database ... 45% (Reading database ... 50% (Reading database ... 55% (Reading database ... 60% (Reading database ... 65% (Reading database ... 70% (Reading database ... 75% (Reading database ... 80% (Reading database ... 85% (Reading database ... 90% (Reading database ... 95% (Reading database ... 100% (Reading database ... 21318 files and directories currently installed.) +(Reading database ... (Reading database ... 5% (Reading database ... 10% (Reading database ... 15% (Reading database ... 20% (Reading database ... 25% (Reading database ... 30% (Reading database ... 35% (Reading database ... 40% (Reading database ... 45% (Reading database ... 50% (Reading database ... 55% (Reading database ... 60% (Reading database ... 65% (Reading database ... 70% (Reading database ... 75% (Reading database ... 80% (Reading database ... 85% (Reading database ... 90% (Reading database ... 95% (Reading database ... 100% (Reading database ... 21352 files and directories currently installed.) Preparing to unpack .../000-python3_3.13.5-1_arm64.deb ... Unpacking python3 (3.13.5-1) ... Selecting previously unselected package sensible-utils. @@ -706,8 +738,8 @@ Setting up tzdata (2025b-5) ... Current default time zone: 'Etc/UTC' -Local time is now: Fri Sep 25 18:53:35 UTC 2026. -Universal Time is now: Fri Sep 25 18:53:35 UTC 2026. +Local time is now: Sat Aug 23 12:31:28 UTC 2025. +Universal Time is now: Sat Aug 23 12:31:28 UTC 2025. Run 'dpkg-reconfigure tzdata' if you wish to change it. Setting up ruby-minitest (5.25.4-3) ... 
@@ -831,7 +863,11 @@ Building tag database... -> Finished parsing the build-deps I: Building the package -I: Running cd /build/reproducible-path/ruby-jwt-2.7.1/ && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games" HOME="/nonexistent/first-build" dpkg-buildpackage -us -uc -b && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games" HOME="/nonexistent/first-build" dpkg-genchanges -S > ../ruby-jwt_2.7.1-1_source.changes +I: user script /srv/workspace/pbuilder/3486283/tmp/hooks/A99_set_merged_usr starting +Not re-configuring usrmerge for forky +I: user script /srv/workspace/pbuilder/3486283/tmp/hooks/A99_set_merged_usr finished +hostname: Name or service not known +I: Running cd /build/reproducible-path/ruby-jwt-2.7.1/ && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path" HOME="/nonexistent/second-build" dpkg-buildpackage -us -uc -b && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path" HOME="/nonexistent/second-build" dpkg-genchanges -S > ../ruby-jwt_2.7.1-1_source.changes dpkg-buildpackage: info: source package ruby-jwt dpkg-buildpackage: info: source version 2.7.1-1 dpkg-buildpackage: info: source distribution unstable @@ -864,7 +900,7 @@ │ ruby-jwt: Installing files and building extensions for ruby3.3 │ └──────────────────────────────────────────────────────────────────────────────┘ -/usr/bin/ruby3.3 -S gem build --config-file /dev/null --verbose /tmp/d20260925-2584428-kf2l7u/gemspec +/usr/bin/ruby3.3 -S gem build --config-file /dev/null --verbose /tmp/d20250824-3516007-t6spwg/gemspec WARNING: open-ended dependency on appraisal (>= 0, development) is not recommended use a bounded requirement, such as "~> x.y" WARNING: open-ended dependency on bundler (>= 0, development) is not recommended 
@@ -880,7 +916,7 @@
 Name: jwt
 Version: 2.7.1
 File: jwt-2.7.1.gem
-/usr/bin/ruby3.3 -S gem install --config-file /dev/null --verbose --local --verbose --no-document --ignore-dependencies --install-dir debian/ruby-jwt/usr/share/rubygems-integration/all /tmp/d20260925-2584428-kf2l7u/jwt-2.7.1.gem
+/usr/bin/ruby3.3 -S gem install --config-file /dev/null --verbose --local --verbose --no-document --ignore-dependencies --install-dir debian/ruby-jwt/usr/share/rubygems-integration/all /tmp/d20250824-3516007-t6spwg/jwt-2.7.1.gem
 /build/reproducible-path/ruby-jwt-2.7.1/debian/ruby-jwt/usr/share/rubygems-integration/all/gems/jwt-2.7.1/lib/jwt.rb
 /build/reproducible-path/ruby-jwt-2.7.1/debian/ruby-jwt/usr/share/rubygems-integration/all/gems/jwt-2.7.1/lib/jwt/algos.rb
 /build/reproducible-path/ruby-jwt-2.7.1/debian/ruby-jwt/usr/share/rubygems-integration/all/gems/jwt-2.7.1/lib/jwt/algos/algo_wrapper.rb
@@ -955,826 +991,826 @@ All examples were filtered out; ignoring {:focus=>true} -Randomized with seed 31074 +Randomized with seed 15300 -JWT::Algos::Hmac +::JWT::Algos::HmacRbNaCl + .verify + when signature is invalid + can verify without error + when signature is generated with OpenSSL and key is very long + verifies the signature using OpenSSL features + when signature is generated with OpenSSL + verifies the signature .sign - when nil hmac_secret is passed - when OpenSSL raises any other error - raises the original error - when other versions of openssl do not raise an exception - is expected to eql "C\xB0\xCE\xF9\x92e\xF9\xE3L\x10\xEA\x9D5\x01\x92m'\xB3\x9FW\xC6\xD6tV\x1D\x8B\xA26\xE7\xA8\x19\xFB" - when OpenSSL 3.0 raises a malloc failure - raises JWT::DecodeError - when blank hmac_secret is passed - when OpenSSL 3.0 raises a malloc failure - raises JWT::DecodeError - when OpenSSL raises any other error - raises the original error - when other versions of openssl do not raise an exception - is expected to eql "C\xB0\xCE\xF9\x92e\xF9\xE3L\x10\xEA\x9D5\x01\x92m'\xB3\x9FW\xC6\xD6tV\x1D\x8B\xA26\xE7\xA8\x19\xFB" - when hmac_secret is passed - when other versions of openssl do not raise an exception - is expected to eql "\x88\xCD!\b\xB54}\x97<\xF3\x9C\xDF\x90S\xD7\xDDBpHv\xD8\xC9\xA9\xBD\x8E-\x16\x82Y\xD3\xDD\xF7" - when OpenSSL 3.0 raises a malloc failure - raises the original error - when OpenSSL raises any other error - raises the original error + when signature is generated by RbNaCl + can verify the signature with OpenSSL + +JWT::JWK::OKPRbNaCl + #verify_key + is the verify key + .new + when jwk parameters given + is expected to be a kind of JWT::JWK::OKPRbNaCl + when private key is given + is expected to be a kind of JWT::JWK::OKPRbNaCl + when something else than a public or private key is given + raises an ArgumentError + when public key is given + is expected to be a kind of JWT::JWK::OKPRbNaCl + #private? 
+ when private key is given + is expected to eq true + when public key is given + is expected to eq false + .import + when exported public key is given + creates a new instance of the class + when exported private key is given + creates a new instance of the class + when JWK is given + creates a new instance of the class + #export + when private key is given + exports the public key + when private key is asked for + exports the private key + +JWT + JWT.configure + allows configuration to be changed via the block + yields the configuration JWT::Algos::Ecdsa .curve_by_name + when secp521r1 is given + is expected to eq {:algorithm=>"ES512", :digest=>"sha512"} when unknown is given raises an error when prime256v1 is given is expected to eq {:algorithm=>"ES256", :digest=>"sha256"} when secp256r1 is given is expected to eq {:algorithm=>"ES256", :digest=>"sha256"} - when secp521r1 is given - is expected to eq {:algorithm=>"ES512", :digest=>"sha512"} when secp256k1 is given is expected to eq {:algorithm=>"ES256K", :digest=>"sha256"} -JWT::Verify - .verify_aud(payload, options) - must raise JWT::InvalidAudError when the singular audience does not match - must allow a singular audience payload matching any value in the options array - must allow an array with any value matching the one in the options - must raise JWT::InvalidAudError when the payload has an array and none match the supplied value - must allow an array with any value matching any value in the options array - must allow a matching singular audience to pass - .verify_sub(payload, options) - must raise JWT::InvalidSubError when the subjects do not match - must allow a matching sub - .verify_jti(payload, options) - true proc should not raise JWT::InvalidJtiError - it should not throw arguement error with 2 args - must raise JWT::InvalidJtiError when the jti is missing - must raise JWT::InvalidJtiError when the jti is an empty string - should have payload as second param in proc - must allow any jti when the 
verfy_jti key in the options is truthy but not a proc - must raise JWT::InvalidJtiError when verify_jti proc returns false - .verify_not_before(payload, options) - must allow some leeway in the token age when nbf_leeway is configured - must allow some leeway in the token age when global leeway is configured - must raise JWT::ImmatureSignature when the nbf in the payload is in the future - .verify_expiration(payload, options) - must allow some leeway in the expiration when exp_leeway is configured - must allow some leeway in the expiration when global leeway is configured - must raise JWT::ExpiredSignature when the token has expired - must be expired if the exp claim equals the current time - when leeway is not specified - used a default leeway of 0 - .verify_claims - must raise error when verify_not_before option is set to true - must skip verification when verify_iss option is set to false - must skip verification when verify_expiration option is set to false - must raise error when verify_jti option is set to true - must raise error when verify_iat option is set to true - must skip verification when verify_iat option is set to false - must raise error when verify_sub option is set to true - must skip verification when verify_sub option is set to false - must raise error when verify_expiration option is set to true - must skip verification when verify_jti option is set to false - must raise error when verify_iss option is set to true - must skip verification when verify_aud option is set to false - must raise error when verify_aud option is set to true - must skip verification when verify_not_before option is set to false - .verify_iss(payload, options) - when iss is a String - must allow a matching issuer to pass - must raise JWT::InvalidIssuerError when the payload does not include an issuer - must raise JWT::InvalidIssuerError when the configured issuer does not match the payload issuer - when iss is a Method instance - must raise JWT::InvalidIssuerError when 
the method returns false - must raise JWT::InvalidIssuerError when the payload does not include an issuer - must allow a method that returns true to pass - when iss is a Proc - must allow a proc that returns true to pass - must raise JWT::InvalidIssuerError when the payload does not include an issuer - must raise JWT::InvalidIssuerError when the proc returns false - when iss is a RegExp - must raise JWT::InvalidIssuerError when the regular expression does not match - must allow a regular expression matching the issuer to pass - must raise JWT::InvalidIssuerError when the payload does not include an issuer - when iss is an Array - must raise JWT::InvalidIssuerError when no matching issuers in array - must raise JWT::InvalidIssuerError when the payload does not include an issuer - must allow an array with matching issuer to pass - .verify_required_claims(payload, options) - must raise JWT::MissingRequiredClaim if a required claim is absent - must verify the claims if all required claims are present - .verify_iat(payload, options) - must raise JWT::InvalidIatError when the iat value is in the future - must properly handle integer times - must ignore configured leeway - must allow a valid iat - must raise JWT::InvalidIatError when the iat value is not Numeric +JWT::JWK::EC + .new + when a keypair with both keys given + creates an instance of the class + when a keypair with only public key is given + creates an instance of the class + #export + when keypair with public key is exported + returns a hash with the public parts of the key + when a custom "kid" is provided + exports it + when a common parameter is given + returns a hash including the common parameter + when private key is requested + returns a hash with the both parts of the key + when keypair with private key is exported + returns a hash with the both parts of the key + .import + when crv=P-521 + when keypair is private + returns a private key + with a custom "kid" value + imports that "kid" value + when 
keypair is public + returns a public key + returns a hash with the public parts of the key + when crv=P-256K + when keypair is public + returns a public key + returns a hash with the public parts of the key + when keypair is private + returns a private key + with a custom "kid" value + imports that "kid" value + when crv=P-384 + when keypair is public + returns a public key + returns a hash with the public parts of the key + when keypair is private + returns a private key + with a custom "kid" value + imports that "kid" value + when crv=P-256 + when keypair is public + returns a public key + returns a hash with the public parts of the key + when keypair is private + returns a private key + with a custom "kid" value + imports that "kid" value + #keypair + warns to stderr + +JWT::JWK::Thumbprint + #to_s + when example from RFC is given + is expected to eq "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs" + when EC key is given + is expected to eq "dO52_we59sdR49HsGCpVzlDUQNvT3KxCTGakk4Un8qc" + when HMAC key is given + is expected to eq "wPf4ZF5qlzoFxsGkft4eu1iWcehgAcahZL4XPV4dT-s" + +JWT::X5cKeyFinder + returns the public key from a certificate that is signed by trusted roots and not revoked + already parsed certificates + returns the public key from a certificate that is signed by trusted roots and not revoked + CRL + not given + raises an error + expired + raises an error + signature could not be verified with the given trusted roots + raises an error + certificate + revoked + raises an error + could not be chained to a trusted root certificate + given an array + raises a verification error + given nil + raises a decode error + signature could not be verified with the given trusted roots + raises an error + expired + raises an error + ::JWT.decode + returns the encoded payload after successful certificate path verification + +JWT::JWK + .import + creates a ::JWT::JWK::RSA instance + parsed from JSON + creates a ::JWT::JWK::RSA instance from JSON parsed JWK + when 
keytype is not supported + raises an error + when keypair with defined kid is imported + returns the predefined kid if jwt_data contains a kid + when a common JWK parameter is specified + returns the defined common JWK parameter + .new + when secret key is given + is expected to be a kind of JWT::JWK::HMAC + when RSA key is given + is expected to be a kind of JWT::JWK::RSA + when kid is given + sets the kid + when EC key is given + is expected to be a kind of JWT::JWK::EC + when a common parameter is given + sets the common parameter + .[] + allows to read common parameters via the key-accessor + allows to set common parameters via the key-accessor + rejects key parameters as keys via the key-accessor + +JWT::ClaimsValidator + #validate! + nbf claim + it should behave like a NumericDate claim + when nbf payload is a float + does not raise error + when nbf payload is an integer + does not raise error + and key is a string + does not raise error + when nbf payload is a string + raises error + and key is a string + raises error + when nbf payload is a string + raises error + when nbf payload is a Time object + raises error + exp claim + it should behave like a NumericDate claim + when exp payload is a Time object + raises error + when exp payload is an integer + does not raise error + and key is a string + does not raise error + when exp payload is a float + does not raise error + when exp payload is a string + raises error + when exp payload is a string + raises error + and key is a string + raises error + iat claim + it should behave like a NumericDate claim + when iat payload is a string + raises error + and key is a string + raises error + when iat payload is a string + raises error + when iat payload is an integer + does not raise error + and key is a string + does not raise error + when iat payload is a float + does not raise error + when iat payload is a Time object + raises error + +::JWT::Algos::HmacRbNaClFixed + .verify + when signature is generated with 
OpenSSL and key is very long + verifies the signature using OpenSSL features (PENDING: Requires rbnacl gem < 6.0) + when signature is generated with OpenSSL + verifies the signature (PENDING: Requires rbnacl gem < 6.0) + when signature is invalid + can verify without error (PENDING: Requires rbnacl gem < 6.0) + .sign + when signature is generated by RbNaCl + can verify the signature with OpenSSL (PENDING: Requires rbnacl gem < 6.0) + +JWT::Configuration::JwkConfiguration + .kid_generator_type= + when valid value is passed + sets the generator matching the value + when invalid value is passed + raises ArgumentError + +JWT + .decode for JWK usecase + when jwk keys are given as an array + and kid is not in the set + raises an exception + no keys are found in the set + raises an exception + and kid is in the set + is able to decode the token + token does not know the kid + raises an exception + when the token kid is not a string + raises an exception + mixing algorithms using kid header + when HMAC secret is pointed to as RSA public key + fails in some way + when RSA key is pointed to as HMAC secret + raises JWT::DecodeError + when EC key is pointed to as HMAC secret + raises JWT::DecodeError + when OKP keys are used + decodes the token + when HMAC secret is pointed to as EC public key + fails in some way + when EC key is pointed to as RSA public key + fails in some way + when ES384 key is pointed to as ES512 key + fails in some way + when JWK features are used manually + is able to decode the token + when jwk keys are loaded from JSON with string keys + decodes the token + when the token kid is nil + and allow_nil_kid is specified + decodes the token + when jwk keys are loaded using a proc/lambda + decodes the token + when jwk keys are rotated + decodes the token JWT - should encode string payloads should not raise InvalidPayload exception if payload is an array + should encode string payloads should not verify token even if the payload has claims - alg: ES256K + alg: 
NONE should generate a valid token - should decode a valid token + decoding without verification + should decode a valid token + decoding with verification + specifying the none algorithm + when the claims are invalid + should fail to decode the token + when the claims are valid + should decode the token + without specifying the none algorithm + should fail to decode the token + algorithm case insensitivity + raises error for invalid algorithm + ignores algorithm casing during encode/decode + alg: PS256 + wrong key and verify = false should not raise JWT::DecodeError wrong key should raise JWT::DecodeError + should decode a valid token + should generate a valid token + alg: RS512 wrong key and verify = false should not raise JWT::DecodeError - alg: RS384 + should decode a valid token + wrong key should raise JWT::DecodeError should generate a valid token should decode a valid token using algorithm hash string key + when keyfinder resolves to multiple keys and multiple algorithms given + with issue with HS256 keys + tries until the first match + with issue with ES256 keys + tries until the first match + tries until the first match + when multiple algorithms given + starts trying with the algorithm referred in the header + alg: ES384 should decode a valid token - wrong key should raise JWT::DecodeError wrong key and verify = false should not raise JWT::DecodeError - when none token is decoded with a key given - decodes the token - a token with no segments - raises JWT::DecodeError - alg: EdDSA - should decode a valid token should generate a valid token - wrong key and verify = false should not raise JWT::DecodeError wrong key should raise JWT::DecodeError - when token is missing the alg header - raises JWT::IncorrectAlgorithm error - when the alg value is given as a header parameter - should generate the same token - does not override the actual algorithm used - a token with not too many segments - raises JWT::DecodeError - Invalid - raises "No verification key 
available" error - algorithm should raise NotImplementedError - ECDSA curve_name should raise JWT::IncorrectAlgorithm - when keyfinder given with 2 arguments - decodes the token - when token has null as the alg header - raises JWT::IncorrectAlgorithm error - a token with two segments but does not require verifying - raises something else than "Not enough or too many segments" - alg: ED25519 + alg: RS384 + should generate a valid token + wrong key and verify = false should not raise JWT::DecodeError + should decode a valid token + should decode a valid token using algorithm hash string key wrong key should raise JWT::DecodeError + alg: HS384 should decode a valid token + wrong secret should raise JWT::DecodeError should generate a valid token - wrong key and verify = false should not raise JWT::DecodeError - alg: PS512 + wrong secret and verify = false should not raise JWT::DecodeError + alg: EdDSA should generate a valid token - wrong key should raise JWT::DecodeError - wrong key and verify = false should not raise JWT::DecodeError should decode a valid token + wrong key and verify = false should not raise JWT::DecodeError + wrong key should raise JWT::DecodeError ::JWT.decode with verify_iat parameter when iat is exactly the same as Time.now and iat is given as a float considers iat valid - when iat is exactly the same as Time.now and iat is given as floored integer - considers iat valid when iat is 1 second before Time.now raises an error - when the alg is invalid - raises JWT::IncorrectAlgorithm error - alg: NONE + when iat is exactly the same as Time.now and iat is given as floored integer + considers iat valid + alg: ES256 + wrong key and verify = false should not raise JWT::DecodeError + wrong key should raise JWT::DecodeError should generate a valid token - decoding without verification - should decode a valid token - decoding with verification - specifying the none algorithm - when the claims are invalid - should fail to decode the token - when the claims 
are valid - should decode the token - without specifying the none algorithm - should fail to decode the token - when keyfinder resolves to multiple keys and multiple algorithms given - with issue with ES256 keys - tries until the first match - tries until the first match - with issue with HS256 keys - tries until the first match + should decode a valid token alg: HS512256 - wrong secret and verify = false should not raise JWT::DecodeError should decode a valid token + should generate a valid token + wrong secret and verify = false should not raise JWT::DecodeError wrong secret should raise JWT::DecodeError + payload validation + does not validate the payload if it is not present + validates the payload with the ClaimsValidator if the payload is a hash + alg: PS512 should generate a valid token - when token signed with nil and decoded with nil - raises JWT::DecodeError - alg: RS512 + should decode a valid token wrong key should raise JWT::DecodeError - should generate a valid token - should decode a valid token using algorithm hash string key wrong key and verify = false should not raise JWT::DecodeError - should decode a valid token when none token is and decoding without key and with verification decodes the token - payload validation - does not validate the payload if it is not present - validates the payload with the ClaimsValidator if the payload is a hash - when token ends with a newline char - ignores the newline and decodes the token - when keyfinder given with 3 arguments - decodes the token but does not pass the payload - alg: HS256 - wrong secret and verify = false should not raise JWT::DecodeError + alg: RS256 + wrong key and verify = false should not raise JWT::DecodeError should decode a valid token should generate a valid token - wrong secret should raise JWT::DecodeError - algorithm case insensitivity - ignores algorithm casing during encode/decode - raises error for invalid algorithm - a token with invalid Base64 segments - raises JWT::DecodeError - 
alg: PS256 + wrong key should raise JWT::DecodeError + should decode a valid token using algorithm hash string key + when token has null as the alg header + raises JWT::IncorrectAlgorithm error + ::JWT.decode with x5c parameter + calls X5cKeyFinder#from to verify the signature and return the payload + alg: ED25519 should generate a valid token should decode a valid token - wrong key and verify = false should not raise JWT::DecodeError wrong key should raise JWT::DecodeError - alg: HS384 - should decode a valid token - wrong secret should raise JWT::DecodeError - wrong secret and verify = false should not raise JWT::DecodeError - should generate a valid token + wrong key and verify = false should not raise JWT::DecodeError + when token is missing the alg header + raises JWT::IncorrectAlgorithm error + a token with invalid Base64 segments + raises JWT::DecodeError + when the alg value is given as a header parameter + does not override the actual algorithm used + should generate the same token + a token with two segments but does not require verifying + raises something else than "Not enough or too many segments" Verify + algorithm + should raise JWT::IncorrectAlgorithm on mismatch prior to kid public key network call + should raise JWT::IncorrectAlgorithm on mismatch + should raise JWT::IncorrectAlgorithm when algorithms array does not contain algorithm + no algorithm provided + should use the default decode algorithm + token is missing algorithm + should raise JWT::IncorrectAlgorithm + 2-segment token + should raise JWT::IncorrectAlgorithm when encoded payload is used to extract key through find_key - should be able to find a key using the block passed to decode - should be able to find a key using a block with multiple issuers should be able to verify signature when block returns multiple keys with iss verification - should be able to find a key using the block passed to decode with iss verification - should be able to verify signature when block returns multiple 
keys should be able to verify signature when block returns multiple keys with multiple issuers + should be able to verify signature when block returns multiple keys + should be able to find a key using the block passed to decode with iss verification + should be able to find a key using the block passed to decode + should be able to find a key using a block with multiple issuers issuer claim if verify_iss is set to false (default option) should not raise JWT::InvalidIssuerError when key given as an array with multiple possible keys - should fail if only invalid keys are given should be able to verify signature when block returns multiple keys + should fail if only invalid keys are given should be able to verify signature when multiple keys given as a parameter - algorithm - should raise JWT::IncorrectAlgorithm when algorithms array does not contain algorithm - should raise JWT::IncorrectAlgorithm on mismatch - should raise JWT::IncorrectAlgorithm on mismatch prior to kid public key network call - token is missing algorithm - should raise JWT::IncorrectAlgorithm - 2-segment token - should raise JWT::IncorrectAlgorithm - no algorithm provided - should use the default decode algorithm - alg: ES512 - wrong key and verify = false should not raise JWT::DecodeError - should decode a valid token - should generate a valid token - wrong key should raise JWT::DecodeError - when multiple algorithms given - starts trying with the algorithm referred in the header when none token is decoded without verify decodes the token - ::JWT.decode with x5c parameter - calls X5cKeyFinder#from to verify the signature and return the payload + a token with no segments + raises JWT::DecodeError + when none token is decoded with a key given + decodes the token when algorithm is a custom class can be used for decoding can be used for encoding + when signature is not matching + fails the validation process when #sign method is missing - raises an error on encoding allows decoding + raises an error 
on encoding when alg is not matching fails the validation process - when #verify method is missing - raises error on decoding - can be used for encoding - when signature is not matching - fails the validation process when multiple custom algorithms are given for decoding tries until the first match - alg: RS256 - should decode a valid token using algorithm hash string key - should generate a valid token - wrong key and verify = false should not raise JWT::DecodeError - wrong key should raise JWT::DecodeError - should decode a valid token + when #verify method is missing + can be used for encoding + raises error on decoding + when token ends with a newline char + ignores the newline and decodes the token + Invalid + algorithm should raise NotImplementedError + ECDSA curve_name should raise JWT::IncorrectAlgorithm + raises "No verification key available" error when keyfinder given with 1 argument decodes the token - alg: HS512 - wrong secret and verify = false should not raise JWT::DecodeError - wrong secret should raise JWT::DecodeError - should decode a valid token - should generate a valid token - alg: ES384 + when token signed with nil and decoded with nil + raises JWT::DecodeError + alg: PS384 should decode a valid token wrong key and verify = false should not raise JWT::DecodeError + should generate a valid token wrong key should raise JWT::DecodeError + alg: ES512 + should decode a valid token should generate a valid token + wrong key should raise JWT::DecodeError + wrong key and verify = false should not raise JWT::DecodeError when hmac algorithm is used without secret key encodes payload - a token with not enough segments - raises JWT::DecodeError - alg: ES256 - wrong key and verify = false should not raise JWT::DecodeError - wrong key should raise JWT::DecodeError - should generate a valid token + alg: HS256 + wrong secret should raise JWT::DecodeError + wrong secret and verify = false should not raise JWT::DecodeError should decode a valid token - alg: 
PS384 + should generate a valid token + alg: HS512 + wrong secret and verify = false should not raise JWT::DecodeError + should generate a valid token should decode a valid token + wrong secret should raise JWT::DecodeError + when keyfinder given with 3 arguments + decodes the token but does not pass the payload + alg: ES256K should generate a valid token - wrong key should raise JWT::DecodeError + should decode a valid token wrong key and verify = false should not raise JWT::DecodeError + wrong key should raise JWT::DecodeError + when the alg is invalid + raises JWT::IncorrectAlgorithm error + a token with not too many segments + raises JWT::DecodeError + when keyfinder given with 2 arguments + decodes the token + a token with not enough segments + raises JWT::DecodeError -JWT - JWT.configure - allows configuration to be changed via the block - yields the configuration +README.md code test + custom algorithm example + allows a module to be used as algorithm on encode and decode + claims + JWK with thumbprint as kid via symbol + jti + sub + JWK with thumbprint given in the initializer + iss + JWK with thumbprint as kid via type + required_claims + find_key + JWK with thumbprint given in the initializer (legacy) + JWK import and export + The JWKS loader example + works as expected + works as expected (legacy) + iat + without leeway + with leeway + nbf + with leeway + without leeway + aud + string + array + The JWK based encode/decode routine + works as expected + exp + without leeway + with leeway + custom header fields + with custom field + algorithm usage + ECDSA + NONE + EDDSA + decodes with HMAC algorithm with secret key + RSA + decodes with HMAC algorithm without secret key + RSASSA-PSS -JWT::JWK::RSA - .create_rsa_key_using_der - when only e, n, d, p and q are given - raises an error telling all the exponents are required - when all key components n, e, d, p, q, dp, dq, qi are given - creates a valid RSA object representing a public key - when public 
parameters (e, n) are given - creates a valid RSA object representing a public key - when e, n, d is given - expects all CRT parameters given and raises error - .create_rsa_key_using_sets - when e, n, d is given - creates a valid RSA object representing a private key (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) - can be used for encryption and decryption (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) - can be used for signing and verification (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) - when all key components n, e, d, p, q, dp, dq, qi are given - creates a valid RSA object representing a public key (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) - when public parameters (e, n) are given - creates a valid RSA object representing a public key (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) - when only e, n, d, p and q are given - raises an error telling all the exponents are required (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) +JWT::Algos::Hmac + .sign + when nil hmac_secret is passed + when other versions of openssl do not raise an exception + is expected to eql "C\xB0\xCE\xF9\x92e\xF9\xE3L\x10\xEA\x9D5\x01\x92m'\xB3\x9FW\xC6\xD6tV\x1D\x8B\xA26\xE7\xA8\x19\xFB" + when OpenSSL raises any other error + raises the original error + when OpenSSL 3.0 raises a malloc failure + raises JWT::DecodeError + when hmac_secret is passed + when OpenSSL raises any other error + raises the original error + when other versions of openssl do not raise an exception + is expected to eql "\x88\xCD!\b\xB54}\x97<\xF3\x9C\xDF\x90S\xD7\xDDBpHv\xD8\xC9\xA9\xBD\x8E-\x16\x82Y\xD3\xDD\xF7" + when OpenSSL 3.0 raises a malloc failure + raises the original error + when blank hmac_secret is passed + when OpenSSL raises any other error + raises the original error + when other versions of openssl do not raise an exception + is expected to eql 
"C\xB0\xCE\xF9\x92e\xF9\xE3L\x10\xEA\x9D5\x01\x92m'\xB3\x9FW\xC6\xD6tV\x1D\x8B\xA26\xE7\xA8\x19\xFB" + when OpenSSL 3.0 raises a malloc failure + raises JWT::DecodeError + +JWT::JWK::HMAC #export - when keypair with public key is exported - returns a hash with the public parts of the key - when keypair with private key is exported - returns a hash with the public parts of the key - when unsupported keypair is given - raises an error - when private key is requested - returns a hash with the public AND private parts of the key - .kid - when kid is given as a String parameter - uses the given kid - when configuration says to use :rfc7638_thumbprint - generates the kid based on the thumbprint - when kid is given in a hash parameter - uses the given kid - .import - when keypair is imported with string keys from JSON - returns a hash with the public parts of the key - when private key is included in the data - creates a complete keypair - when keypair is imported with symbol keys - returns a hash with the public parts of the key - when jwk_data is given without e and/or n - raises an error - #keypair - warns to stderr - .common_parameters - when a common parameters hash is given - converts string keys to symbol keys - imports the common parameter + when key is exported + returns a hash with the key + when key is exported with private key + returns a hash with the key .new - when a keypair with only public key is given - creates an instance of the class - when a keypair with both keys given + when a secret key given creates an instance of the class - .create_rsa_key_using_accessors - when e, n, d is given - can be used for encryption and decryption (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) - creates a valid RSA object representing a private key (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) - can be used for signing and verification (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) 
- when public parameters (e, n) are given - creates a valid RSA object representing a public key (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) - when all key components n, e, d, p, q, dp, dq, qi are given - creates a valid RSA object representing a public key (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) - when only e, n, d, p and q are given - raises an error telling all the exponents are required (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) + #keypair + returns a string + #[]= + when k is given + raises an error + .import + when secret key is given + returns a key + with a common parameter + imports that common parameter + with a custom "kid" value + imports that "kid" value JWT::JWK::Set - .reject! + .uniq! + filters out equal keys + .select! filters the keyset + .eql? + correctly classifies different sets + correctly classifies equal sets .merge merges two JWKSs - when called via .union when called directly + when called via .union when called via "|" operator .export exports the JWKS to Hash - .select! - filters the keyset - .eql? - correctly classifies different sets - correctly classifies equal sets .new - can create an empty set raises an error on invalid inputs + can create an empty set can create a set - from a JWKS hash with symbol keys + from a JWKS hash with string keys from an array of keys from an existing JWT::JWK::Set - from a JWKS hash with string keys from a JWK - .uniq! - filters out equal keys + from a JWKS hash with symbol keys + .reject! 
+ filters the keyset -JWT::JWK::Thumbprint - #to_s - when EC key is given - is expected to eq "dO52_we59sdR49HsGCpVzlDUQNvT3KxCTGakk4Un8qc" - when HMAC key is given - is expected to eq "wPf4ZF5qlzoFxsGkft4eu1iWcehgAcahZL4XPV4dT-s" - when example from RFC is given - is expected to eq "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs" +JWT::Verify + .verify_jti(payload, options) + must raise JWT::InvalidJtiError when the jti is missing + must raise JWT::InvalidJtiError when verify_jti proc returns false + should have payload as second param in proc + true proc should not raise JWT::InvalidJtiError + it should not throw arguement error with 2 args + must allow any jti when the verfy_jti key in the options is truthy but not a proc + must raise JWT::InvalidJtiError when the jti is an empty string + .verify_not_before(payload, options) + must raise JWT::ImmatureSignature when the nbf in the payload is in the future + must allow some leeway in the token age when nbf_leeway is configured + must allow some leeway in the token age when global leeway is configured + .verify_iss(payload, options) + when iss is a String + must allow a matching issuer to pass + must raise JWT::InvalidIssuerError when the payload does not include an issuer + must raise JWT::InvalidIssuerError when the configured issuer does not match the payload issuer + when iss is a RegExp + must raise JWT::InvalidIssuerError when the regular expression does not match + must allow a regular expression matching the issuer to pass + must raise JWT::InvalidIssuerError when the payload does not include an issuer + when iss is a Proc + must raise JWT::InvalidIssuerError when the payload does not include an issuer + must raise JWT::InvalidIssuerError when the proc returns false + must allow a proc that returns true to pass + when iss is a Method instance + must raise JWT::InvalidIssuerError when the method returns false + must allow a method that returns true to pass + must raise JWT::InvalidIssuerError when the payload 
does not include an issuer + when iss is an Array + must raise JWT::InvalidIssuerError when no matching issuers in array + must allow an array with matching issuer to pass + must raise JWT::InvalidIssuerError when the payload does not include an issuer + .verify_required_claims(payload, options) + must verify the claims if all required claims are present + must raise JWT::MissingRequiredClaim if a required claim is absent + .verify_claims + must raise error when verify_jti option is set to true + must raise error when verify_iss option is set to true + must skip verification when verify_iat option is set to false + must raise error when verify_not_before option is set to true + must raise error when verify_iat option is set to true + must skip verification when verify_not_before option is set to false + must raise error when verify_sub option is set to true + must skip verification when verify_sub option is set to false + must raise error when verify_expiration option is set to true + must skip verification when verify_expiration option is set to false + must skip verification when verify_jti option is set to false + must skip verification when verify_aud option is set to false + must raise error when verify_aud option is set to true + must skip verification when verify_iss option is set to false + .verify_aud(payload, options) + must allow an array with any value matching any value in the options array + must raise JWT::InvalidAudError when the payload has an array and none match the supplied value + must allow a matching singular audience to pass + must allow a singular audience payload matching any value in the options array + must allow an array with any value matching the one in the options + must raise JWT::InvalidAudError when the singular audience does not match + .verify_expiration(payload, options) + must be expired if the exp claim equals the current time + must raise JWT::ExpiredSignature when the token has expired + must allow some leeway in the 
expiration when exp_leeway is configured + must allow some leeway in the expiration when global leeway is configured + when leeway is not specified + used a default leeway of 0 + .verify_iat(payload, options) + must raise JWT::InvalidIatError when the iat value is in the future + must raise JWT::InvalidIatError when the iat value is not Numeric + must properly handle integer times + must allow a valid iat + must ignore configured leeway + .verify_sub(payload, options) + must raise JWT::InvalidSubError when the subjects do not match + must allow a matching sub -JWT::JWK::EC - #keypair - warns to stderr +JWT::JWK::RSA .new when a keypair with both keys given creates an instance of the class when a keypair with only public key is given creates an instance of the class - .import - when crv=P-521 - when keypair is private - returns a private key - with a custom "kid" value - imports that "kid" value - when keypair is public - returns a public key - returns a hash with the public parts of the key - when crv=P-256K - when keypair is private - returns a private key - with a custom "kid" value - imports that "kid" value - when keypair is public - returns a public key - returns a hash with the public parts of the key - when crv=P-256 - when keypair is public - returns a public key - returns a hash with the public parts of the key - when keypair is private - returns a private key - with a custom "kid" value - imports that "kid" value - when crv=P-384 - when keypair is public - returns a public key - returns a hash with the public parts of the key - when keypair is private - returns a private key - with a custom "kid" value - imports that "kid" value #export - when a common parameter is given - returns a hash including the common parameter when keypair with public key is exported returns a hash with the public parts of the key - when a custom "kid" is provided - exports it - when private key is requested - returns a hash with the both parts of the key - when keypair with 
private key is exported - returns a hash with the both parts of the key - -::JWT::Algos::HmacRbNaClFixed - .sign - when signature is generated by RbNaCl - can verify the signature with OpenSSL (PENDING: Requires rbnacl gem < 6.0) - .verify - when signature is invalid - can verify without error (PENDING: Requires rbnacl gem < 6.0) - when signature is generated with OpenSSL and key is very long - verifies the signature using OpenSSL features (PENDING: Requires rbnacl gem < 6.0) - when signature is generated with OpenSSL - verifies the signature (PENDING: Requires rbnacl gem < 6.0) - -JWT - .decode for JWK usecase - mixing algorithms using kid header - when RSA key is pointed to as HMAC secret - raises JWT::DecodeError - when HMAC secret is pointed to as EC public key - fails in some way - when EC key is pointed to as RSA public key - fails in some way - when HMAC secret is pointed to as RSA public key - fails in some way - when ES384 key is pointed to as ES512 key - fails in some way - when OKP keys are used - decodes the token - when EC key is pointed to as HMAC secret - raises JWT::DecodeError - when jwk keys are loaded from JSON with string keys - decodes the token - when the token kid is nil - and allow_nil_kid is specified - decodes the token - when JWK features are used manually - is able to decode the token - when jwk keys are given as an array - no keys are found in the set - raises an exception - token does not know the kid - raises an exception - and kid is in the set - is able to decode the token - and kid is not in the set - raises an exception - when jwk keys are loaded using a proc/lambda - decodes the token - when jwk keys are rotated - decodes the token - when the token kid is not a string - raises an exception - -JWT::X5cKeyFinder - returns the public key from a certificate that is signed by trusted roots and not revoked - CRL - not given - raises an error - expired - raises an error - signature could not be verified with the given trusted roots - 
raises an error - certificate - expired - raises an error - could not be chained to a trusted root certificate - given nil - raises a decode error - given an array - raises a verification error - signature could not be verified with the given trusted roots - raises an error - revoked + when unsupported keypair is given raises an error - ::JWT.decode - returns the encoded payload after successful certificate path verification - already parsed certificates - returns the public key from a certificate that is signed by trusted roots and not revoked - -::JWT::Algos::HmacRbNaCl - .verify - when signature is generated with OpenSSL - verifies the signature - when signature is generated with OpenSSL and key is very long - verifies the signature using OpenSSL features - when signature is invalid - can verify without error - .sign - when signature is generated by RbNaCl - can verify the signature with OpenSSL - -JWT::ClaimsValidator - #validate! - exp claim - it should behave like a NumericDate claim - when exp payload is a string - raises error - when exp payload is a float - does not raise error - when exp payload is a string - raises error - and key is a string - raises error - when exp payload is an integer - does not raise error - and key is a string - does not raise error - when exp payload is a Time object - raises error - iat claim - it should behave like a NumericDate claim - when iat payload is a string - raises error - when iat payload is a float - does not raise error - when iat payload is an integer - does not raise error - and key is a string - does not raise error - when iat payload is a string - raises error - and key is a string - raises error - when iat payload is a Time object - raises error - nbf claim - it should behave like a NumericDate claim - when nbf payload is a float - does not raise error - when nbf payload is an integer - does not raise error - and key is a string - does not raise error - when nbf payload is a Time object - raises error - when 
nbf payload is a string - raises error - and key is a string - raises error - when nbf payload is a string - raises error - -JWT::JWK + when keypair with private key is exported + returns a hash with the public parts of the key + when private key is requested + returns a hash with the public AND private parts of the key + .common_parameters + when a common parameters hash is given + converts string keys to symbol keys + imports the common parameter + .create_rsa_key_using_sets + when public parameters (e, n) are given + creates a valid RSA object representing a public key (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) + when all key components n, e, d, p, q, dp, dq, qi are given + creates a valid RSA object representing a public key (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) + when e, n, d is given + creates a valid RSA object representing a private key (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) + can be used for encryption and decryption (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) + can be used for signing and verification (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) + when only e, n, d, p and q are given + raises an error telling all the exponents are required (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) .import - creates a ::JWT::JWK::RSA instance - when a common JWK parameter is specified - returns the defined common JWK parameter - when keytype is not supported + when keypair is imported with string keys from JSON + returns a hash with the public parts of the key + when keypair is imported with symbol keys + returns a hash with the public parts of the key + when private key is included in the data + creates a complete keypair + when jwk_data is given without e and/or n raises an error - when keypair with defined kid is imported - returns the predefined kid if jwt_data contains a kid - parsed from JSON - creates a ::JWT::JWK::RSA instance from JSON 
parsed JWK - .new - when secret key is given - is expected to be a kind of JWT::JWK::HMAC - when kid is given - sets the kid - when EC key is given - is expected to be a kind of JWT::JWK::EC - when a common parameter is given - sets the common parameter - when RSA key is given - is expected to be a kind of JWT::JWK::RSA - .[] - rejects key parameters as keys via the key-accessor - allows to read common parameters via the key-accessor - allows to set common parameters via the key-accessor + .kid + when kid is given as a String parameter + uses the given kid + when kid is given in a hash parameter + uses the given kid + when configuration says to use :rfc7638_thumbprint + generates the kid based on the thumbprint + #keypair + warns to stderr + .create_rsa_key_using_der + when only e, n, d, p and q are given + raises an error telling all the exponents are required + when all key components n, e, d, p, q, dp, dq, qi are given + creates a valid RSA object representing a public key + when public parameters (e, n) are given + creates a valid RSA object representing a public key + when e, n, d is given + expects all CRT parameters given and raises error + .create_rsa_key_using_accessors + when all key components n, e, d, p, q, dp, dq, qi are given + creates a valid RSA object representing a public key (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) + when e, n, d is given + can be used for encryption and decryption (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) + creates a valid RSA object representing a private key (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) + can be used for signing and verification (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) + when only e, n, d, p and q are given + raises an error telling all the exponents are required (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) + when public parameters (e, n) are 
given + creates a valid RSA object representing a public key (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) -JWT::JWK::OKPRbNaCl - .import - when exported private key is given - creates a new instance of the class - when exported public key is given - creates a new instance of the class - when JWK is given - creates a new instance of the class - #export - when private key is asked for - exports the private key - when private key is given - exports the public key - .new - when public key is given - is expected to be a kind of JWT::JWK::OKPRbNaCl - when something else than a public or private key is given - raises an ArgumentError - when private key is given - is expected to be a kind of JWT::JWK::OKPRbNaCl - when jwk parameters given - is expected to be a kind of JWT::JWK::OKPRbNaCl - #private? - when private key is given - is expected to eq true - when public key is given - is expected to eq false - #verify_key - is the verify key +Pending: (Failures listed here are expected and do not affect your suite's status) -JWT::JWK::HMAC - #keypair - returns a string - .import - when secret key is given - returns a key - with a custom "kid" value - imports that "kid" value - with a common parameter - imports that common parameter - .new - when a secret key given - creates an instance of the class - #[]= - when k is given - raises an error - #export - when key is exported with private key - returns a hash with the key - when key is exported - returns a hash with the key + 1) ::JWT::Algos::HmacRbNaClFixed .verify when signature is generated with OpenSSL and key is very long verifies the signature using OpenSSL features + # Requires rbnacl gem < 6.0 + # ./spec/jwt/algos/hmac_rbnacl_fixed_spec.rb:27 -README.md code test - algorithm usage - decodes with HMAC algorithm without secret key - NONE - EDDSA - ECDSA - decodes with HMAC algorithm with secret key - RSASSA-PSS - RSA - claims - JWK with thumbprint as kid via symbol - JWK import and export - 
jti - iss - sub - JWK with thumbprint as kid via type - find_key - JWK with thumbprint given in the initializer (legacy) - JWK with thumbprint given in the initializer - required_claims - The JWK based encode/decode routine - works as expected - custom header fields - with custom field - iat - without leeway - with leeway - The JWKS loader example - works as expected (legacy) - works as expected - nbf - without leeway - with leeway - aud - array - string - exp - with leeway - without leeway - custom algorithm example - allows a module to be used as algorithm on encode and decode + 2) ::JWT::Algos::HmacRbNaClFixed .verify when signature is generated with OpenSSL verifies the signature + # Requires rbnacl gem < 6.0 + # ./spec/jwt/algos/hmac_rbnacl_fixed_spec.rb:16 -JWT::Configuration::JwkConfiguration - .kid_generator_type= - when valid value is passed - sets the generator matching the value - when invalid value is passed - raises ArgumentError + 3) ::JWT::Algos::HmacRbNaClFixed .verify when signature is invalid can verify without error + # Requires rbnacl gem < 6.0 + # ./spec/jwt/algos/hmac_rbnacl_fixed_spec.rb:38 -Pending: (Failures listed here are expected and do not affect your suite's status) + 4) ::JWT::Algos::HmacRbNaClFixed .sign when signature is generated by RbNaCl can verify the signature with OpenSSL + # Requires rbnacl gem < 6.0 + # ./spec/jwt/algos/hmac_rbnacl_fixed_spec.rb:49 - 1) JWT::JWK::RSA.create_rsa_key_using_sets when e, n, d is given creates a valid RSA object representing a private key + 5) JWT::JWK::RSA.create_rsa_key_using_sets when public parameters (e, n) are given creates a valid RSA object representing a public key # OpenSSL 3.0 does not allow mutating objects anymore - # ./spec/jwk/rsa_spec.rb:186 + # ./spec/jwk/rsa_spec.rb:154 - 2) JWT::JWK::RSA.create_rsa_key_using_sets when e, n, d is given can be used for encryption and decryption + 6) JWT::JWK::RSA.create_rsa_key_using_sets when all key components n, e, d, p, q, dp, dq, qi are 
given creates a valid RSA object representing a public key # OpenSSL 3.0 does not allow mutating objects anymore - # ./spec/jwk/rsa_spec.rb:191 + # ./spec/jwk/rsa_spec.rb:171 - 3) JWT::JWK::RSA.create_rsa_key_using_sets when e, n, d is given can be used for signing and verification + 7) JWT::JWK::RSA.create_rsa_key_using_sets when e, n, d is given creates a valid RSA object representing a private key # OpenSSL 3.0 does not allow mutating objects anymore - # ./spec/jwk/rsa_spec.rb:195 + # ./spec/jwk/rsa_spec.rb:186 - 4) JWT::JWK::RSA.create_rsa_key_using_sets when all key components n, e, d, p, q, dp, dq, qi are given creates a valid RSA object representing a public key + 8) JWT::JWK::RSA.create_rsa_key_using_sets when e, n, d is given can be used for encryption and decryption # OpenSSL 3.0 does not allow mutating objects anymore - # ./spec/jwk/rsa_spec.rb:171 + # ./spec/jwk/rsa_spec.rb:191 - 5) JWT::JWK::RSA.create_rsa_key_using_sets when public parameters (e, n) are given creates a valid RSA object representing a public key + 9) JWT::JWK::RSA.create_rsa_key_using_sets when e, n, d is given can be used for signing and verification # OpenSSL 3.0 does not allow mutating objects anymore - # ./spec/jwk/rsa_spec.rb:154 + # ./spec/jwk/rsa_spec.rb:195 - 6) JWT::JWK::RSA.create_rsa_key_using_sets when only e, n, d, p and q are given raises an error telling all the exponents are required + 10) JWT::JWK::RSA.create_rsa_key_using_sets when only e, n, d, p and q are given raises an error telling all the exponents are required # OpenSSL 3.0 does not allow mutating objects anymore # ./spec/jwk/rsa_spec.rb:163 - 7) JWT::JWK::RSA.create_rsa_key_using_accessors when e, n, d is given can be used for encryption and decryption + 11) JWT::JWK::RSA.create_rsa_key_using_accessors when all key components n, e, d, p, q, dp, dq, qi are given creates a valid RSA object representing a public key + # OpenSSL if RSA#set_key is available there is no accessors anymore + # 
./spec/jwk/rsa_spec.rb:171 + + 12) JWT::JWK::RSA.create_rsa_key_using_accessors when e, n, d is given can be used for encryption and decryption # OpenSSL if RSA#set_key is available there is no accessors anymore # ./spec/jwk/rsa_spec.rb:191 - 8) JWT::JWK::RSA.create_rsa_key_using_accessors when e, n, d is given creates a valid RSA object representing a private key + 13) JWT::JWK::RSA.create_rsa_key_using_accessors when e, n, d is given creates a valid RSA object representing a private key # OpenSSL if RSA#set_key is available there is no accessors anymore # ./spec/jwk/rsa_spec.rb:186 - 9) JWT::JWK::RSA.create_rsa_key_using_accessors when e, n, d is given can be used for signing and verification + 14) JWT::JWK::RSA.create_rsa_key_using_accessors when e, n, d is given can be used for signing and verification # OpenSSL if RSA#set_key is available there is no accessors anymore # ./spec/jwk/rsa_spec.rb:195 - 10) JWT::JWK::RSA.create_rsa_key_using_accessors when public parameters (e, n) are given creates a valid RSA object representing a public key - # OpenSSL if RSA#set_key is available there is no accessors anymore - # ./spec/jwk/rsa_spec.rb:154 - - 11) JWT::JWK::RSA.create_rsa_key_using_accessors when all key components n, e, d, p, q, dp, dq, qi are given creates a valid RSA object representing a public key - # OpenSSL if RSA#set_key is available there is no accessors anymore - # ./spec/jwk/rsa_spec.rb:171 - - 12) JWT::JWK::RSA.create_rsa_key_using_accessors when only e, n, d, p and q are given raises an error telling all the exponents are required + 15) JWT::JWK::RSA.create_rsa_key_using_accessors when only e, n, d, p and q are given raises an error telling all the exponents are required # OpenSSL if RSA#set_key is available there is no accessors anymore # ./spec/jwk/rsa_spec.rb:163 - 13) ::JWT::Algos::HmacRbNaClFixed .sign when signature is generated by RbNaCl can verify the signature with OpenSSL - # Requires rbnacl gem < 6.0 - # 
./spec/jwt/algos/hmac_rbnacl_fixed_spec.rb:49 - - 14) ::JWT::Algos::HmacRbNaClFixed .verify when signature is invalid can verify without error - # Requires rbnacl gem < 6.0 - # ./spec/jwt/algos/hmac_rbnacl_fixed_spec.rb:38 - - 15) ::JWT::Algos::HmacRbNaClFixed .verify when signature is generated with OpenSSL and key is very long verifies the signature using OpenSSL features - # Requires rbnacl gem < 6.0 - # ./spec/jwt/algos/hmac_rbnacl_fixed_spec.rb:27 - - 16) ::JWT::Algos::HmacRbNaClFixed .verify when signature is generated with OpenSSL verifies the signature - # Requires rbnacl gem < 6.0 - # ./spec/jwt/algos/hmac_rbnacl_fixed_spec.rb:16 + 16) JWT::JWK::RSA.create_rsa_key_using_accessors when public parameters (e, n) are given creates a valid RSA object representing a public key + # OpenSSL if RSA#set_key is available there is no accessors anymore + # ./spec/jwk/rsa_spec.rb:154 -Finished in 17.43 seconds (files took 0.38557 seconds to load) +Finished in 18.86 seconds (files took 0.41183 seconds to load) 402 examples, 0 failures, 16 pending -Randomized with seed 31074 +Randomized with seed 15300 ┌──────────────────────────────────────────────────────────────────────────────┐ 
@@ -1805,12 +1841,14 @@
 dpkg-buildpackage: info: binary-only upload (no source included)
 dpkg-genchanges: info: including full source code in upload
 I: copying local configuration
+I: user script /srv/workspace/pbuilder/3486283/tmp/hooks/B01_cleanup starting
+I: user script /srv/workspace/pbuilder/3486283/tmp/hooks/B01_cleanup finished
 I: unmounting dev/ptmx filesystem
 I: unmounting dev/pts filesystem
 I: unmounting dev/shm filesystem
 I: unmounting proc filesystem
 I: unmounting sys filesystem
 I: cleaning the build env
-I: removing directory /srv/workspace/pbuilder/2566635 and its subdirectories
-I: Current time: Fri Sep 25 06:54:06 -12 2026
-I: pbuilder-time-stamp: 1790362446
+I: removing directory /srv/workspace/pbuilder/3486283 and its subdirectories
+I: Current time: Sun Aug 24 02:32:11 +14 2025
+I: pbuilder-time-stamp: 1755952331