Diff of the two buildlogs: -- --- b1/build.log 2025-10-29 00:51:47.182973567 +0000 +++ b2/build.log 2025-10-29 00:54:28.631100835 +0000 @@ -1,6 +1,6 @@ I: pbuilder: network access will be disabled during build -I: Current time: Tue Oct 28 12:50:57 -12 2025 -I: pbuilder-time-stamp: 1761699057 +I: Current time: Tue Dec 1 21:14:48 +14 2026 +I: pbuilder-time-stamp: 1796109288 I: Building the build Environment I: extracting base tarball [/var/cache/pbuilder/unstable-reproducible-base.tgz] I: copying local configuration 
@@ -24,53 +24,85 @@ dpkg-source: info: applying no-pending-tests.patch I: Not using root during the build. I: Installing the build-deps -I: user script /srv/workspace/pbuilder/3045412/tmp/hooks/D02_print_environment starting +I: user script /srv/workspace/pbuilder/2597848/tmp/hooks/D01_modify_environment starting +debug: Running on codethink03-arm64. +I: Changing host+domainname to test build reproducibility +I: Adding a custom variable just for the fun of it... +I: Changing /bin/sh to bash +'/bin/sh' -> '/bin/bash' +lrwxrwxrwx 1 root root 9 Dec 1 07:15 /bin/sh -> /bin/bash +I: Setting pbuilder2's login shell to /bin/bash +I: Setting pbuilder2's GECOS to second user,second room,second work-phone,second home-phone,second other +I: user script /srv/workspace/pbuilder/2597848/tmp/hooks/D01_modify_environment finished +I: user script /srv/workspace/pbuilder/2597848/tmp/hooks/D02_print_environment starting I: set - BUILDDIR='/build/reproducible-path' - BUILDUSERGECOS='first user,first room,first work-phone,first home-phone,first other' - BUILDUSERNAME='pbuilder1' - BUILD_ARCH='arm64' - DEBIAN_FRONTEND='noninteractive' + BASH=/bin/sh + BASHOPTS=checkwinsize:cmdhist:complete_fullquote:extquote:force_fignore:globasciiranges:globskipdots:hostcomplete:interactive_comments:patsub_replacement:progcomp:promptvars:sourcepath + BASH_ALIASES=() + BASH_ARGC=() + BASH_ARGV=() + BASH_CMDS=() + BASH_LINENO=([0]="12" [1]="0") + BASH_LOADABLES_PATH=/usr/local/lib/bash:/usr/lib/bash:/opt/local/lib/bash:/usr/pkg/lib/bash:/opt/pkg/lib/bash:. 
+ BASH_SOURCE=([0]="/tmp/hooks/D02_print_environment" [1]="/tmp/hooks/D02_print_environment") + BASH_VERSINFO=([0]="5" [1]="3" [2]="3" [3]="1" [4]="release" [5]="aarch64-unknown-linux-gnu") + BASH_VERSION='5.3.3(1)-release' + BUILDDIR=/build/reproducible-path + BUILDUSERGECOS='second user,second room,second work-phone,second home-phone,second other' + BUILDUSERNAME=pbuilder2 + BUILD_ARCH=arm64 + DEBIAN_FRONTEND=noninteractive DEB_BUILD_OPTIONS='buildinfo=+all reproducible=+all parallel=12 ' - DISTRIBUTION='unstable' - HOME='/root' - HOST_ARCH='arm64' + DIRSTACK=() + DISTRIBUTION=unstable + EUID=0 + FUNCNAME=([0]="Echo" [1]="main") + GROUPS=() + HOME=/root + HOSTNAME=i-capture-the-hostname + HOSTTYPE=aarch64 + HOST_ARCH=arm64 IFS=' ' - INVOCATION_ID='29c74b7b9e054fb190a27101ae3b8ff2' - LANG='C' - LANGUAGE='en_US:en' - LC_ALL='C' - MAIL='/var/mail/root' - OPTIND='1' - PATH='/usr/sbin:/usr/bin:/sbin:/bin:/usr/games' - PBCURRENTCOMMANDLINEOPERATION='build' - PBUILDER_OPERATION='build' - PBUILDER_PKGDATADIR='/usr/share/pbuilder' - PBUILDER_PKGLIBDIR='/usr/lib/pbuilder' - PBUILDER_SYSCONFDIR='/etc' - PPID='3045412' - PS1='# ' - PS2='> ' + INVOCATION_ID=7053fd6921c746d98c702cc6125ee95e + LANG=C + LANGUAGE=nl_BE:nl + LC_ALL=C + MACHTYPE=aarch64-unknown-linux-gnu + MAIL=/var/mail/root + OPTERR=1 + OPTIND=1 + OSTYPE=linux-gnu + PATH=/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path + PBCURRENTCOMMANDLINEOPERATION=build + PBUILDER_OPERATION=build + PBUILDER_PKGDATADIR=/usr/share/pbuilder + PBUILDER_PKGLIBDIR=/usr/lib/pbuilder + PBUILDER_SYSCONFDIR=/etc + PIPESTATUS=([0]="0") + POSIXLY_CORRECT=y + PPID=2597848 PS4='+ ' - PWD='/' - SHELL='/bin/bash' - SHLVL='2' - SUDO_COMMAND='/usr/bin/timeout -k 18.1h 18h /usr/bin/ionice -c 3 /usr/bin/nice /usr/sbin/pbuilder --build --configfile /srv/reproducible-results/rbuild-debian/r-b-build.qnpz8u29/pbuilderrc_fLu8 --distribution unstable --hookdir /etc/pbuilder/first-build-hooks --debbuildopts -b --basetgz 
/var/cache/pbuilder/unstable-reproducible-base.tgz --buildresult /srv/reproducible-results/rbuild-debian/r-b-build.qnpz8u29/b1 --logfile b1/build.log ruby-jwt_3.1.2-1.dsc' - SUDO_GID='109' - SUDO_HOME='/var/lib/jenkins' - SUDO_UID='104' - SUDO_USER='jenkins' - TERM='unknown' - TZ='/usr/share/zoneinfo/Etc/GMT+12' - USER='root' - _='/usr/bin/systemd-run' - http_proxy='http://192.168.101.4:3128' + PWD=/ + SHELL=/bin/bash + SHELLOPTS=braceexpand:errexit:hashall:interactive-comments:posix + SHLVL=3 + SUDO_COMMAND='/usr/bin/timeout -k 24.1h 24h /usr/bin/ionice -c 3 /usr/bin/nice -n 11 /usr/bin/unshare --uts -- /usr/sbin/pbuilder --build --configfile /srv/reproducible-results/rbuild-debian/r-b-build.qnpz8u29/pbuilderrc_kkTr --distribution unstable --hookdir /etc/pbuilder/rebuild-hooks --debbuildopts -b --basetgz /var/cache/pbuilder/unstable-reproducible-base.tgz --buildresult /srv/reproducible-results/rbuild-debian/r-b-build.qnpz8u29/b2 --logfile b2/build.log ruby-jwt_3.1.2-1.dsc' + SUDO_GID=109 + SUDO_HOME=/var/lib/jenkins + SUDO_UID=104 + SUDO_USER=jenkins + TERM=unknown + TZ=/usr/share/zoneinfo/Etc/GMT-14 + UID=0 + USER=root + _='I: set' + http_proxy=http://192.168.101.4:3128 I: uname -a - Linux codethink04-arm64 6.12.48+deb13-cloud-arm64 #1 SMP Debian 6.12.48-1 (2025-09-20) aarch64 GNU/Linux + Linux i-capture-the-hostname 6.12.48+deb13-cloud-arm64 #1 SMP Debian 6.12.48-1 (2025-09-20) aarch64 GNU/Linux I: ls -l /bin - lrwxrwxrwx 1 root root 7 Aug 10 12:30 /bin -> usr/bin -I: user script /srv/workspace/pbuilder/3045412/tmp/hooks/D02_print_environment finished + lrwxrwxrwx 1 root root 7 Aug 10 2025 /bin -> usr/bin +I: user script /srv/workspace/pbuilder/2597848/tmp/hooks/D02_print_environment finished -> Attempting to satisfy build-dependencies -> Creating pbuilder-satisfydepends-dummy package Package: pbuilder-satisfydepends-dummy 
@@ -253,7 +285,7 @@ Get: 135 http://deb.debian.org/debian unstable/main arm64 ruby-rspec all 3.13.0c0e0m0s1-2 [5184 B] Get: 136 http://deb.debian.org/debian unstable/main arm64 ruby-simplecov-html all 0.12.3-2 [468 kB] Get: 137 http://deb.debian.org/debian unstable/main arm64 ruby-simplecov all 0.22.0-2 [45.2 kB] -Fetched 36.0 MB in 0s (118 MB/s) +Fetched 36.0 MB in 1s (45.1 MB/s) Preconfiguring packages ... Selecting previously unselected package libexpat1:arm64. (Reading database ... (Reading database ... 5% (Reading database ... 10% (Reading database ... 15% (Reading database ... 20% (Reading database ... 25% (Reading database ... 30% (Reading database ... 35% (Reading database ... 40% (Reading database ... 45% (Reading database ... 50% (Reading database ... 55% (Reading database ... 60% (Reading database ... 65% (Reading database ... 70% (Reading database ... 75% (Reading database ... 80% (Reading database ... 85% (Reading database ... 90% (Reading database ... 95% (Reading database ... 100% (Reading database ... 19964 files and directories currently installed.) @@ -710,8 +742,8 @@ Setting up tzdata (2025b-5) ... Current default time zone: 'Etc/UTC' -Local time is now: Wed Oct 29 00:51:17 UTC 2025. -Universal Time is now: Wed Oct 29 00:51:17 UTC 2025. +Local time is now: Tue Dec 1 07:15:46 UTC 2026. +Universal Time is now: Tue Dec 1 07:15:46 UTC 2026. Run 'dpkg-reconfigure tzdata' if you wish to change it. Setting up ruby-minitest (5.25.4-3) ... 
@@ -836,7 +868,11 @@ Building tag database... -> Finished parsing the build-deps I: Building the package -I: Running cd /build/reproducible-path/ruby-jwt-3.1.2/ && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games" HOME="/nonexistent/first-build" dpkg-buildpackage -us -uc -b && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games" HOME="/nonexistent/first-build" dpkg-genchanges -S > ../ruby-jwt_3.1.2-1_source.changes +I: user script /srv/workspace/pbuilder/2597848/tmp/hooks/A99_set_merged_usr starting +Not re-configuring usrmerge for unstable +I: user script /srv/workspace/pbuilder/2597848/tmp/hooks/A99_set_merged_usr finished +hostname: Name or service not known +I: Running cd /build/reproducible-path/ruby-jwt-3.1.2/ && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path" HOME="/nonexistent/second-build" dpkg-buildpackage -us -uc -b && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path" HOME="/nonexistent/second-build" dpkg-genchanges -S > ../ruby-jwt_3.1.2-1_source.changes dpkg-buildpackage: info: source package ruby-jwt dpkg-buildpackage: info: source version 3.1.2-1 dpkg-buildpackage: info: source distribution unstable @@ -869,7 +905,7 @@ │ ruby-jwt: Installing files and building extensions for ruby3.3 │ └──────────────────────────────────────────────────────────────────────────────┘ -/usr/bin/ruby3.3 -S gem build --config-file /dev/null --verbose /tmp/d20251028-3051556-v0x2hz/gemspec +/usr/bin/ruby3.3 -S gem build --config-file /dev/null --verbose /tmp/d20261201-2616419-xdkr7j/gemspec WARNING: open-ended dependency on base64 (>= 0) is not recommended use a bounded requirement, such as "~> x.y" WARNING: open-ended dependency on appraisal (>= 0, development) is not recommended 
@@ -893,7 +929,7 @@ Name: jwt Version: 3.1.2 File: jwt-3.1.2.gem -/usr/bin/ruby3.3 -S gem install --config-file /dev/null --verbose --local --verbose --no-document --ignore-dependencies --install-dir debian/ruby-jwt/usr/share/rubygems-integration/all /tmp/d20251028-3051556-v0x2hz/jwt-3.1.2.gem +/usr/bin/ruby3.3 -S gem install --config-file /dev/null --verbose --local --verbose --no-document --ignore-dependencies --install-dir debian/ruby-jwt/usr/share/rubygems-integration/all /tmp/d20261201-2616419-xdkr7j/jwt-3.1.2.gem /build/reproducible-path/ruby-jwt-3.1.2/debian/ruby-jwt/usr/share/rubygems-integration/all/gems/jwt-3.1.2/lib/jwt.rb /build/reproducible-path/ruby-jwt-3.1.2/debian/ruby-jwt/usr/share/rubygems-integration/all/gems/jwt-3.1.2/lib/jwt/base64.rb /build/reproducible-path/ruby-jwt-3.1.2/debian/ruby-jwt/usr/share/rubygems-integration/all/gems/jwt-3.1.2/lib/jwt/claims.rb 
@@ -977,381 +1013,57 @@ All examples were filtered out; ignoring {:focus=>true} -Randomized with seed 19014 +Randomized with seed 3836 -JWT::JWA - .resolve_and_sort - when algorithms have the preferred in the middle - places the preferred algorithm first - when algorithms have the preferred last - places the preferred algorithm first +JWT::JWA::Ps + #verify + with a valid RSA key + verifies the signature with PS256 + verifies the signature with PS384 + verifies the signature with PS512 + when verification results in a OpenSSL::PKey::PKeyError error + raises a JWT::VerificationError + with an invalid signature + raises a verification error + #initialize + initializes with the correct algorithm and digest + #sign + with an invalid key + raises an error + with a valid RSA key + signs the data with PS256 + signs the data with PS384 + signs the data with PS512 + with a key length less than 2048 bits + raises an error -JWT::Claims::JwtId - when payload contains a jti +JWT::Claims::Issuer + when expected issuer is an array that does not match the payload + raises JWT::InvalidIssuerError + when expected issuer is an array and payload does not have any issuer + raises JWT::InvalidIssuerError + when issuer is given as a Proc and payload does not have any issuer + raises JWT::InvalidIssuerError + when issuer is given as a Proc passes validation - when jti validator is a proc returning false - raises JWT::InvalidJtiError - when payload contains a jti that is an empty string - raises JWT::InvalidJtiError - when payload contains a jti that is a blank string - raises JWT::InvalidJtiError - when jti validator has 2 args + when payload does not contain any issuer + raises JWT::InvalidIssuerError + when expected issuer is an array that matches the payload passes validation - when jti validator is a proc returning true + when expected issuer is a string that does not match the payload + raises JWT::InvalidIssuerError + when issuer is given as a Method instance passes validation - 
when payload is missing a jti - raises JWT::InvalidJtiError - when jti validator has 2 args - the second arg is the payload - -JWT::Claims::Numeric - use via ::JWT::Claims.verify_payload! - exp claim - it should behave like a NumericDate claim - when exp payload is an integer - does not raise error - and key is a string - does not raise error - when exp payload is a float - does not raise error - when exp payload is a string - raises error - and key is a string - raises error - when exp payload is a string - raises error - when exp payload is a Time object - raises error - iat claim - it should behave like a NumericDate claim - when iat payload is a string - raises error - and key is a string - raises error - when iat payload is a Time object - raises error - when iat payload is a string - raises error - when iat payload is a float - does not raise error - when iat payload is an integer - does not raise error - and key is a string - does not raise error - nbf claim - it should behave like a NumericDate claim - when nbf payload is a Time object - raises error - when nbf payload is an integer - does not raise error - and key is a string - does not raise error - when nbf payload is a string - raises error - and key is a string - raises error - when nbf payload is a string - raises error - when nbf payload is a float - does not raise error - #verify! 
- nbf claim - it should behave like a NumericDate claim - when nbf payload is a string - raises error - and key is a string - raises error - when nbf payload is a float - does not raise error - when nbf payload is a Time object - raises error - when nbf payload is an integer - does not raise error - and key is a string - does not raise error - when nbf payload is a string - raises error - iat claim - it should behave like a NumericDate claim - when iat payload is a string - raises error - and key is a string - raises error - when iat payload is a Time object - raises error - when iat payload is a string - raises error - when iat payload is an integer - does not raise error - and key is a string - does not raise error - when iat payload is a float - does not raise error - exp claim - it should behave like a NumericDate claim - when exp payload is an integer - does not raise error - and key is a string - does not raise error - when exp payload is a float - does not raise error - when exp payload is a Time object - raises error - when exp payload is a string - raises error - and key is a string - raises error - when exp payload is a string - raises error - -JWT - should not raise InvalidPayload exception if payload is an array - should not verify token even if the payload has claims - should encode string payloads - when none token is decoded with a key given - decodes the token - alg: HS256 - wrong secret should raise JWT::DecodeError - wrong secret and verify = false should not raise JWT::DecodeError - should generate a valid token - should decode a valid token - alg: PS384 - wrong key should raise JWT::DecodeError - should decode a valid token - should generate a valid token - wrong key and verify = false should not raise JWT::DecodeError - when none token is decoded without verify - decodes the token - alg: ES512 - should generate a valid token - wrong key and verify = false should not raise JWT::DecodeError - should decode a valid token - wrong key should raise 
JWT::DecodeError - when hmac algorithm is used without secret key - encodes payload - when keyfinder resolves to multiple keys and multiple algorithms given - with issue with HS256 keys - tries until the first match - with issue with ES256 keys - tries until the first match - tries until the first match - when algorithm is a custom class - can be used for encoding - can be used for decoding - when multiple custom algorithms are given for decoding - tries until the first match - when #verify method is missing - can be used for encoding - raises error on decoding - when #sign method is missing - allows decoding - raises an error on encoding - when class is not utilizing the ::JWT::JWA::SigningAlgorithm module - raises an error - when alg is not matching - fails the validation process - when class has custom header method - uses the provided header - when signature is not matching - fails the validation process - when none token is and decoding without key and with verification - decodes the token - ::JWT.decode with verify_iat parameter - when iat is exactly the same as Time.now and iat is given as floored integer - considers iat valid - when iat is 1 second before Time.now - raises an error - when iat is exactly the same as Time.now and iat is given as a float - considers iat valid - alg: ES384 - wrong key and verify = false should not raise JWT::DecodeError - should decode a valid token - wrong key should raise JWT::DecodeError - should generate a valid token - alg: PS512 - should decode a valid token - wrong key and verify = false should not raise JWT::DecodeError - wrong key should raise JWT::DecodeError - should generate a valid token - a token with no segments - raises JWT::DecodeError - when token has null as the alg header - raises JWT::IncorrectAlgorithm error - when the alg is invalid - raises JWT::IncorrectAlgorithm error - alg: RS256 - should decode a valid token - wrong key should raise JWT::DecodeError - should decode a valid token using algorithm hash 
string key - wrong key and verify = false should not raise JWT::DecodeError - should generate a valid token - a token with invalid Base64 segments - raises JWT::Base64DecodeError - ::JWT.decode with x5c parameter - calls X5cKeyFinder#from to verify the signature and return the payload - when keyfinder given with 3 arguments - decodes the token but does not pass the payload - when token ends with a newline char and strict_decoding enabled - raises JWT::DecodeError - Invalid - algorithm should raise DecodeError - raises "No verification key available" error - ECDSA curve_name should raise JWT::IncorrectAlgorithm - alg: HS512 - should generate a valid token - wrong secret should raise JWT::DecodeError - wrong secret and verify = false should not raise JWT::DecodeError - should decode a valid token - Verify - when encoded payload is used to extract key through find_key - should be able to find a key using the block passed to decode - should be able to find a key using a block with multiple issuers - should be able to find a key using the block passed to decode with iss verification - should be able to verify signature when block returns multiple keys - should be able to verify signature when block returns multiple keys with iss verification - should be able to verify signature when block returns multiple keys with multiple issuers - algorithm - raises error when keyfinder does not find anything - should raise JWT::IncorrectAlgorithm when algorithms array does not contain algorithm - should raise JWT::IncorrectAlgorithm on mismatch prior to kid public key network call - should raise JWT::IncorrectAlgorithm on mismatch - token is missing algorithm - should raise JWT::IncorrectAlgorithm - invalid header format - should raise JWT::DecodeError - 2-segment token - should raise JWT::IncorrectAlgorithm - no algorithm provided - should use the default decode algorithm - when key given as an array with multiple possible keys - should be able to verify signature when multiple 
keys given as a parameter - should fail if only invalid keys are given - should be able to verify signature when block returns multiple keys - claim verification order - when two claims are invalid - depends on the order of the parameters what error is raised - audience claim - when verify_aud is set to true and no audience given - does not raise - issuer claim - if verify_iss is set to false (default option) should not raise JWT::InvalidIssuerError - when verify_iss is set to true and no issues given - does not raise - algorithm case insensitivity - raises error for invalid algorithm - ignores algorithm casing during encode/decode - alg: NONE - should generate a valid token - decoding without verification - should decode a valid token - decoding with verification - specifying the none algorithm - when the claims are invalid - should fail to decode the token - when the claims are valid - should decode the token - without specifying the none algorithm - should fail to decode the token - a token with not enough segments - raises JWT::DecodeError - when multiple algorithms given - starts trying with the algorithm referred in the header - when keyfinder given with 2 arguments - decodes the token - when token signed with nil and decoded with nil - raises JWT::DecodeError - when keyfinder given with 1 argument - decodes the token - alg: PS256 - wrong key and verify = false should not raise JWT::DecodeError - should generate a valid token - wrong key should raise JWT::DecodeError - should decode a valid token - alg: HS384 - wrong secret should raise JWT::DecodeError - should generate a valid token - wrong secret and verify = false should not raise JWT::DecodeError - should decode a valid token - when token ends with a newline char - raises an error - alg: ES256 - should decode a valid token - wrong key should raise JWT::DecodeError - wrong key and verify = false should not raise JWT::DecodeError - should generate a valid token - when token is missing the alg header - 
raises JWT::IncorrectAlgorithm error - a token with not too many segments - raises JWT::DecodeError - a token with two segments but does not require verifying - raises something else than "Not enough or too many segments" - when the alg value is given as a header parameter - should generate the same token - overrides the actual algorithm used - alg: RS512 - wrong key and verify = false should not raise JWT::DecodeError - should decode a valid token using algorithm hash string key - should generate a valid token - wrong key should raise JWT::DecodeError - should decode a valid token - alg: RS384 - wrong key should raise JWT::DecodeError - should generate a valid token - should decode a valid token - should decode a valid token using algorithm hash string key - wrong key and verify = false should not raise JWT::DecodeError - alg: ES256K - wrong key should raise JWT::DecodeError - should decode a valid token - wrong key and verify = false should not raise JWT::DecodeError - should generate a valid token - -JWT::JWA::Unsupported - .sign - raises an error for unsupported signing method - .verify - raises an error for unsupported algorithm - -JWT::Token - #claim_errors - exp claim - when claim is invalid - returns array with error objects - when claim is valid - returns empty array - #valid_claims? - exp claim - when claim is valid - returns true - when claim is invalid - returns true - #jwt - when alg is given in header - returns a signed and encoded token - when token is not signed - returns a signed and encoded token - when token is signed - returns a signed and encoded token - when EC JWK is given as key - signs the token - #verify_claims! - when required_claims is passed - raises error - #sign! 
- signs the token - when string key is given but not algorithm - raises an error - when RSA JWK is given as key - signs the token - with mismatching algorithm provided in sign call - signs the token - with algorithm provided in sign call - signs the token - when signed twice - raises - #detach_payload! - before token is signed - detaches the payload + when issuer is given as a RegExp + passes validation + when issuer is given as a RegExp and payload does not have any issuer + raises JWT::InvalidIssuerError + when expected issuer is a string that matches the payload + passes validation + when issuer is given as a Proc and does not match the payload + raises JWT::InvalidIssuerError + when issuer is given as a RegExp and does not match the payload + raises JWT::InvalidIssuerError JWT::Claims::IssuedAt when iat is in the future 
@@ -1360,384 +1072,122 @@ passes validation when iat is not a number fails validation - when payload is a string containing iat - passes validation when iat is now passes validation - -JWT::JWA::Rsa - #verify - with an invalid signature - returns false - with a valid RSA key - returns true - with an invalid key - returns false - #sign - with a valid RSA key - signs the data - with a key length less than 2048 bits - raises an error - with an invalid key - raises an error - #initialize - initializes with the correct algorithm and digest - -JWT - JWT.configure - allows configuration to be changed via the block - yields the configuration - -JWT::JWA::None - #verify - returns true - #sign - returns an empty string + when payload is a string containing iat + passes validation JWT::JWK::RSA - .common_parameters - when a common parameters hash is given - imports the common parameter - converts string keys to symbol keys .import - when keypair is imported with symbol keys - returns a hash with the public parts of the key - when keypair is imported with string keys from JSON - returns a hash with the public parts of the key when private key is included in the data creates a complete keypair + when keypair is imported with string keys from JSON + returns a hash with the public parts of the key + when keypair is imported with symbol keys + returns a hash with the public parts of the key when jwk_data is given without e and/or n raises an error - .new - when a keypair with only public key is given - creates an instance of the class - when a keypair with both keys given - creates an instance of the class - #verify - when the signature is invalid - returns false - when the jwk has an invalid alg header - raises JWT::VerificationError - when the signature is valid - returns true - when the jwk has HS256 as the alg parameter - raises JWT::DecodeError - when the jwk is missing the alg header - raises JWT::JWKError - when the jwk has none as the alg parameter - raises JWT::JWKError - 
#keypair - warns to stderr #export - when unsupported keypair is given - raises an error when keypair with private key is exported returns a hash with the public parts of the key - when keypair with public key is exported - returns a hash with the public parts of the key + when unsupported keypair is given + raises an error when private key is requested returns a hash with the public AND private parts of the key + when keypair with public key is exported + returns a hash with the public parts of the key + #keypair + warns to stderr .kid when kid is given as a String parameter uses the given kid - when configuration says to use :rfc7638_thumbprint - generates the kid based on the thumbprint when kid is given in a hash parameter uses the given kid + when configuration says to use :rfc7638_thumbprint + generates the kid based on the thumbprint + #verify + when the signature is valid + returns true + when the jwk has HS256 as the alg parameter + raises JWT::DecodeError + when the jwk has none as the alg parameter + raises JWT::JWKError + when the signature is invalid + returns false + when the jwk is missing the alg header + raises JWT::JWKError + when the jwk has an invalid alg header + raises JWT::VerificationError .create_rsa_key_using_accessors - when all key components n, e, d, p, q, dp, dq, qi are given - creates a valid RSA object representing a public key (PENDING: OpenSSL if RSA#d= is not available there is no accessors anymore) when only e, n, d, p and q are given raises an error telling all the exponents are required (PENDING: OpenSSL if RSA#d= is not available there is no accessors anymore) + when public parameters (e, n) are given + creates a valid RSA object representing a public key (PENDING: OpenSSL if RSA#d= is not available there is no accessors anymore) when e, n, d is given + can be used for signing and verification (PENDING: OpenSSL if RSA#d= is not available there is no accessors anymore) can be used for encryption and decryption (PENDING: OpenSSL 
if RSA#d= is not available there is no accessors anymore) creates a valid RSA object representing a private key (PENDING: OpenSSL if RSA#d= is not available there is no accessors anymore) - can be used for signing and verification (PENDING: OpenSSL if RSA#d= is not available there is no accessors anymore) - when public parameters (e, n) are given + when all key components n, e, d, p, q, dp, dq, qi are given creates a valid RSA object representing a public key (PENDING: OpenSSL if RSA#d= is not available there is no accessors anymore) .create_rsa_key_using_sets when public parameters (e, n) are given creates a valid RSA object representing a public key (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) + when only e, n, d, p and q are given + raises an error telling all the exponents are required (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) + when all key components n, e, d, p, q, dp, dq, qi are given + creates a valid RSA object representing a public key (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) when e, n, d is given - can be used for encryption and decryption (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) can be used for signing and verification (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) creates a valid RSA object representing a private key (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) - when all key components n, e, d, p, q, dp, dq, qi are given - creates a valid RSA object representing a public key (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) - when only e, n, d, p and q are given - raises an error telling all the exponents are required (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) + can be used for encryption and decryption (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) + .new + when a keypair with both keys given + creates an instance of the class + when a keypair with only public key is given + creates an 
instance of the class + .common_parameters + when a common parameters hash is given + imports the common parameter + converts string keys to symbol keys .create_rsa_key_using_der - when only e, n, d, p and q are given - raises an error telling all the exponents are required - when public parameters (e, n) are given + when all key components n, e, d, p, q, dp, dq, qi are given creates a valid RSA object representing a public key when e, n, d is given expects all CRT parameters given and raises error - when all key components n, e, d, p, q, dp, dq, qi are given + when only e, n, d, p and q are given + raises an error telling all the exponents are required + when public parameters (e, n) are given creates a valid RSA object representing a public key -JWT::JWK::HMAC - .import - when secret key is given - returns a key - with a common parameter - imports that common parameter - with a custom "kid" value - imports that "kid" value - when example from RFC - decodes the k - #[]= - when k is given - raises an error - #export - when key is exported with private key - returns a hash with the key - when key is exported - returns a hash with the key - #== - is not equal to a different key - is equal to a clone of itself - is not equal to boolean true - is equal to itself - is not equal to a non-key - is not equal to nil - #<=> - is equal to a clone of itself - is equal to itself - is not comparable to a non-key - is not comparable to boolean true - is not equal to a different key - is not comparable to nil - .new - when a secret key given - creates an instance of the class - when key is a number - raises an ArgumentError - #keypair - returns a string - JWT::JWK::Thumbprint #to_s - when example from RFC is given - is expected to eq "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs" when EC key is given is expected to eq "dO52_we59sdR49HsGCpVzlDUQNvT3KxCTGakk4Un8qc" when HMAC key is given is expected to eq "wPf4ZF5qlzoFxsGkft4eu1iWcehgAcahZL4XPV4dT-s" + when example from RFC is given 
+ is expected to eq "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs" -JWT::JWK::Set - .export - exports the JWKS to Hash - .eql? - correctly classifies equal sets - correctly classifies different sets - .uniq! - filters out equal keys - .select! - filters the keyset - .new - raises an error on invalid inputs - can create an empty set - can create a set - from a JWKS hash with symbol keys - from a JWKS hash with string keys - from an array of keys - from a JWK - from an existing JWT::JWK::Set - .merge - merges two JWKSs - when called via .union - when called directly - when called via "|" operator - .reject! - filters the keyset - -JWT::EncodedToken - #unverified_payload - is expected to eq {"pay"=>"load"} - when token is the empty string - raises decode error - when payload is detached - when payload is not provided - raises decode error - when payload provided in separate - is expected to eq {"pay"=>"load"} - when payload is not encoded and the b64 crit is enabled - handles the payload encoding - integration use-cases - simple verify HS256 with defaults - protects the user from unverified payload access - #payload - when token is verified using #verify_signature! - raises an error - when token is verified using #valid_signature? but is not valid - raises an error - when token is not verified - raises an error - when token is verified using #verify_signature! and #verify_claims! - is expected to eq {"pay"=>"load"} - when token is checked using #valid_signature? and #valid_claims? - is expected to eq {"pay"=>"load"} - when token is verified using #valid? - is expected to eq {"pay"=>"load"} - #verify! 
- when key is invalid +JWT::JWA::Rsa + #sign + with an invalid key raises an error - when key is valid - does not raise - when claims are invalid + with a valid RSA key + signs the data + with a key length less than 2048 bits raises an error - #claim_errors - exp claim - when claim is invalid - returns array with error objects - when claim is valid - returns empty array - #signing_input - is expected to eq "eyJhbGciOiJIUzI1NiJ9.eyJwYXkiOiJsb2FkIn0" - #header - is expected to eq {"alg"=>"HS256"} - when token is the empty string - raises decode error - #signature - is expected to be a kind of String - #verify_claims! - when required_claims is passed - raises error - when header contains crits header - when expected crits are missing - raises an error - when expected crits are present - passes verification - exp claim - verifies the exp - when claims given as symbol - validates the claim - when claim validation skips verifying the exp claim - does not raise - when claims given as a list of symbols - validates the claim - when claims given as a list of symbols and hashes - validates the claim - when no claims are provided - raises ExpiredSignature error - when payload is detached - when payload provided in separate - raises claim verification error - when payload is not provided - raises decode error - #valid? - when claims are provided as an array + #initialize + initializes with the correct algorithm and digest + #verify + with a valid RSA key returns true - when key is invalid + with an invalid signature returns false - when claims are invalid + with an invalid key returns false - when key is valid - returns true - #verify_signature! 
- when key is invalid - raises an error - when JWT::KeyFinder is used as a key_finder - uses the keys provided by the JWK key finder - when payload is not encoded - does not raise - when algorithm is not given - raises an error - when algorithm is an empty array - raises an error - when header has invalid alg value - does not raise - when key is an array with one valid entry - does not raise - when key_finder is given - can utilize an array provided by keyfinder - uses key provided by keyfinder - when both key or key_finder is given - raises an ArgumentError - when RSA JWK is given as a key - with algorithms not supported by key provided - raises JWT::VerificationError - with empty algorithm array provided - uses the JWK for verification - with algorithms supported by key provided - uses the JWK for verification - when key is valid - does not raise - when payload is detached - when payload is not provided - raises VerificationError - when payload provided in separate - does not raise - when neither key or key_finder is given - raises an ArgumentError - #valid_claims? 
- exp claim - when claim is valid - returns true - when claim validation skips verifying the exp claim - returns true - when no claims are provided - validates the exp claim and returns false - when claim is invalid - returns true - -JWT::JWA::Ecdsa - #verify - when the verification key is a point - verifies the signature - when the verification key is not an OpenSSL::PKey::EC instance - raises a JWT::DecodeError - when the verification key is valid - returns true for a valid signature - returns false for an invalid signature - when verification results in a OpenSSL::PKey::PKeyError error - raises a JWT::VerificationError - #sign - when the signing key is a public key - raises a JWT::DecodeError - when the signing key is invalid - raises a JWT::DecodeError - when the signing key is valid - returns a valid signature - when the signing key is not an OpenSSL::PKey::EC instance - raises a JWT::DecodeError - .curve_by_name - when secp256r1 is given - is expected to eq {:algorithm=>"ES256", :digest=>"sha256"} - when prime256v1 is given - is expected to eq {:algorithm=>"ES256", :digest=>"sha256"} - when secp256k1 is given - is expected to eq {:algorithm=>"ES256K", :digest=>"sha256"} - when secp521r1 is given - is expected to eq {:algorithm=>"ES512", :digest=>"sha512"} - when unknown is given - raises an error - -JWT::Claims::Expiration - when token is expired but some leeway is defined - passes validation - when token is not a Hash - passes validation - when token exp is set to current time - fails validation - when token is expired - must raise JWT::ExpiredSignature when the token has expired JWT::JWK::EC .import - with missing 0-byte at the start of EC coordinates - prepends a 0-byte to either X or Y coordinate so that the keys decode correctly - when crv=P-521 - when keypair is private - returns a private key - with a custom "kid" value - imports that "kid" value - when keypair is public - returns a public key - returns a hash with the public parts of the key - with 
missing 0-byte at the start of EC coordinates - prepends a 0-byte to either X or Y coordinate so that the keys decode correctly when crv=P-256 when keypair is public returns a public key @@ -1746,6 +1196,8 @@ returns a private key with a custom "kid" value imports that "kid" value + with missing 0-byte at the start of EC coordinates + prepends a 0-byte to either X or Y coordinate so that the keys decode correctly when crv=P-256K when keypair is public returns a public key @@ -1754,10 +1206,6 @@ returns a private key with a custom "kid" value imports that "kid" value - with missing 0-byte at the start of EC coordinates - prepends a 0-byte to either X or Y coordinate so that the keys decode correctly - with missing 0-byte at the start of EC coordinates - prepends a 0-byte to either X or Y coordinate so that the keys decode correctly when crv=P-384 when keypair is public returns a public key 
@@ -1766,30 +1214,52 @@ returns a private key with a custom "kid" value imports that "kid" value + when crv=P-521 + when keypair is private + returns a private key + with a custom "kid" value + imports that "kid" value + when keypair is public + returns a public key + returns a hash with the public parts of the key + with missing 0-byte at the start of EC coordinates + prepends a 0-byte to either X or Y coordinate so that the keys decode correctly + with missing 0-byte at the start of EC coordinates + prepends a 0-byte to either X or Y coordinate so that the keys decode correctly + with missing 0-byte at the start of EC coordinates + prepends a 0-byte to either X or Y coordinate so that the keys decode correctly #keypair returns the key + .to_openssl_curve + when an invalid curve name is given + raises an error + when a valid curve name is given + returns the corresponding OpenSSL curve name + #public_key + returns the key .new - when a keypair with both keys given - creates an instance of the class when EC with unsupported curve is given raises an error + when a keypair with both keys given + creates an instance of the class when a number is given raises an argument error when a keypair with only public key is given creates an instance of the class - .to_openssl_curve - when a valid curve name is given - returns the corresponding OpenSSL curve name - when an invalid curve name is given - raises an error - #public_key - returns the key + #export + when keypair with public key is exported + returns a hash with the public parts of the key + when a custom "kid" is provided + exports it + when a common parameter is given + returns a hash including the common parameter + when keypair with private key is exported + returns a hash with the both parts of the key + when private key is requested + returns a hash with the both parts of the key #verify - when jwk is missing the alg parameter - when the signature is valid - returns true - when the jwk has none as the alg 
parameter - raises JWT::JWKError + when the jwk has an invalid alg header + raises JWT::VerificationError when the jwk has HS256 as the alg parameter raises JWT::DecodeError when jwk has alg parameter 
@@ -1797,196 +1267,179 @@ returns false when the signature is valid returns true - when the jwk has an invalid alg header - raises JWT::VerificationError - #export - when private key is requested - returns a hash with the both parts of the key - when keypair with private key is exported - returns a hash with the both parts of the key - when a common parameter is given - returns a hash including the common parameter - when keypair with public key is exported - returns a hash with the public parts of the key - when a custom "kid" is provided - exports it - -JWT - VERSION constants - has a MAJOR version - has a PRE version - has a MINOR version - has a STRING version - has a TINY version - .gem_version - returns the gem version - -JWT::Claims::Required - when payload has the required claims - passes validation - when payload is missing the required claim - raises JWT::MissingRequiredClaim - -JWT::Claims::Audience - #verify! - when any value in payload matches a single expected - passes validation - when single audience is required - passes validation - when the payload has an array and none match the supplied value - raises JWT::InvalidAudError - when the singular audience does not match - raises JWT::InvalidAudError - when a singular audience payload matching any value in the options array - passes validation - when an array with any value matching all in the options - passes validation - when an array with any value matching the one in the options - passes validation - -JWT::Claims::Crit - when header is missing - raises JWT::InvalidCritError - when header is not an array - raises JWT::InvalidCritError - when header is an array containing exactly the expected values - does not raise an error - when header is an array containing at least the expected values - does not raise an error - when header is an array and not containing the expected value - raises an InvalidCritError - -JWT::Claims::NotBefore - #verify! 
- when leeway is given - does not raise error - when nbf is in the past - does not raise error - when nbf is in the future - raises JWT::ImmatureSignature + when the jwk has none as the alg parameter + raises JWT::JWKError + when jwk is missing the alg parameter + when the signature is valid + returns true JWT::JWK .[] + allows to set common parameters via the key-accessor rejects key parameters as keys via the key-accessor allows to read common parameters via the key-accessor - allows to set common parameters via the key-accessor .import creates a ::JWT::JWK::RSA instance + when keypair with defined kid is imported + returns the predefined kid if jwt_data contains a kid when number is given raises an error when a common JWK parameter is specified returns the defined common JWK parameter - parsed from JSON - creates a ::JWT::JWK::RSA instance from JSON parsed JWK - when keypair with defined kid is imported - returns the predefined kid if jwt_data contains a kid when keytype is not supported raises an error + parsed from JSON + creates a ::JWT::JWK::RSA instance from JSON parsed JWK .new when a common parameter is given sets the common parameter + when kid is given + sets the kid when EC key is given is expected to be a kind of JWT::JWK::EC when RSA key is given is expected to be a kind of JWT::JWK::RSA when secret key is given is expected to be a kind of JWT::JWK::HMAC - when kid is given - sets the kid - -JWT::JWA::Ecdsa - used across threads for encoding and decoding - successfully encodes, decodes, and verifies -JWT::Configuration::JwkConfiguration - .kid_generator_type= - when valid value is passed - sets the generator matching the value - when invalid value is passed - raises ArgumentError +JWT::Claims::Expiration + when token exp is set to current time + fails validation + when token is not a Hash + passes validation + when token is expired but some leeway is defined + passes validation + when token is expired + must raise JWT::ExpiredSignature when the token 
has expired JWT .decode for JWK usecase - when jwk keys are given as an array - token does not know the kid - raises an exception - and kid is in the set - is able to decode the token - and x5t is in the set - is able to decode the token - no keys are found in the set - raises an exception - and kid is not in the set - raises an exception - and both kid and x5t is in the set - is able to decode the token based on the priority of the key defined in key_fields - when JWK features are used manually - is able to decode the token - when jwk keys are loaded from JSON with string keys - decodes the token mixing algorithms using kid header when HMAC secret is pointed to as EC public key fails in some way - when HMAC secret is pointed to as RSA public key - fails in some way when RSA key is pointed to as HMAC secret raises JWT::DecodeError - when EC key is pointed to as HMAC secret - raises JWT::DecodeError when EC key is pointed to as RSA public key fails in some way when ES384 key is pointed to as ES512 key fails in some way - when the token kid is not a string - raises an exception - when jwk keys are loaded using a proc/lambda - decodes the token + when EC key is pointed to as HMAC secret + raises JWT::DecodeError + when HMAC secret is pointed to as RSA public key + fails in some way when the token kid is nil and allow_nil_kid is specified decodes the token when jwk keys are rotated decodes the token + when the token kid is not a string + raises an exception + when jwk keys are given as an array + and kid is not in the set + raises an exception + and x5t is in the set + is able to decode the token + and kid is in the set + is able to decode the token + token does not know the kid + raises an exception + and both kid and x5t is in the set + is able to decode the token based on the priority of the key defined in key_fields + no keys are found in the set + raises an exception + when JWK features are used manually + is able to decode the token + when jwk keys are loaded 
using a proc/lambda + decodes the token + when jwk keys are loaded from JSON with string keys + decodes the token -JWT::Claims::Issuer - when issuer is given as a RegExp - passes validation - when issuer is given as a Method instance - passes validation - when issuer is given as a Proc - passes validation - when issuer is given as a RegExp and payload does not have any issuer - raises JWT::InvalidIssuerError - when payload does not contain any issuer - raises JWT::InvalidIssuerError - when issuer is given as a RegExp and does not match the payload - raises JWT::InvalidIssuerError - when expected issuer is a string that matches the payload - passes validation - when expected issuer is an array that does not match the payload - raises JWT::InvalidIssuerError - when issuer is given as a Proc and does not match the payload - raises JWT::InvalidIssuerError - when expected issuer is a string that does not match the payload - raises JWT::InvalidIssuerError - when issuer is given as a Proc and payload does not have any issuer - raises JWT::InvalidIssuerError - when expected issuer is an array and payload does not have any issuer - raises JWT::InvalidIssuerError - when expected issuer is an array that matches the payload - passes validation +JWT::JWA::Hmac + #sign + when signing with a key + is expected to eq "<8WH\xB9\xC2\x96\r\x12\x94L\xF5^[\xC9@o[\xA7\x9C+\x94)q\xA8\x9C\x89\f\v\x1F:a" + when hmac_secret is passed + when other versions of openssl do not raise an exception + is expected to eql "\x88\xCD!\b\xB54}\x97<\xF3\x9C\xDF\x90S\xD7\xDDBpHv\xD8\xC9\xA9\xBD\x8E-\x16\x82Y\xD3\xDD\xF7" + when OpenSSL 3.0 raises a malloc failure + raises the original error + when OpenSSL raises any other error + raises the original error + when nil hmac_secret is passed + when OpenSSL raises any other error + raises the original error + when other versions of openssl do not raise an exception + is expected to eql 
"C\xB0\xCE\xF9\x92e\xF9\xE3L\x10\xEA\x9D5\x01\x92m'\xB3\x9FW\xC6\xD6tV\x1D\x8B\xA26\xE7\xA8\x19\xFB" + when OpenSSL 3.0 raises a malloc failure + raises JWT::DecodeError + when blank hmac_secret is passed + when other versions of openssl do not raise an exception + is expected to eql "C\xB0\xCE\xF9\x92e\xF9\xE3L\x10\xEA\x9D5\x01\x92m'\xB3\x9FW\xC6\xD6tV\x1D\x8B\xA26\xE7\xA8\x19\xFB" + when OpenSSL 3.0 raises a malloc failure + raises JWT::DecodeError + when OpenSSL raises any other error + raises the original error + #verify + when signature is invalid + is expected to equal false + when signature is valid + is expected to equal true + +JWT::JWA + .resolve_and_sort + when algorithms have the preferred in the middle + places the preferred algorithm first + when algorithms have the preferred last + places the preferred algorithm first + +JWT + .gem_version + returns the gem version + VERSION constants + has a MAJOR version + has a TINY version + has a PRE version + has a MINOR version + has a STRING version + +JWT::JWA::Unsupported + .sign + raises an error for unsupported signing method + .verify + raises an error for unsupported algorithm + +JWT::JWA::Ecdsa + used across threads for encoding and decoding + successfully encodes, decodes, and verifies + +JWT::JWK::Set + .export + exports the JWKS to Hash + .eql? + correctly classifies equal sets + correctly classifies different sets + .uniq! + filters out equal keys + .merge + merges two JWKSs + when called via .union + when called directly + when called via "|" operator + .reject! + filters the keyset + .new + raises an error on invalid inputs + can create an empty set + can create a set + from a JWKS hash with symbol keys + from an existing JWT::JWK::Set + from a JWKS hash with string keys + from a JWK + from an array of keys + .select! + filters the keyset JWT::Claims - .verify_payload! 
- exp claim - verifies the exp - when claims given as symbol - validates the claim - when claims given as a list of symbols and hashes - validates the claim - when claims given as a list of symbols - validates the claim - when required_claims is passed - raises error .payload_errors exp claim when claim is invalid 
@@ -1998,197 +1451,780 @@ raises an error .valid_payload? exp claim - when claim is valid - returns true when claim is invalid returns false + when claim is valid + returns true various types of params - when payload is missing most of the claims - raises an error when payload has everything that is expected of it does not raise + when payload is missing most of the claims + raises an error + .verify_payload! + exp claim + verifies the exp + when claims given as a list of symbols + validates the claim + when claims given as a list of symbols and hashes + validates the claim + when claims given as symbol + validates the claim + when required_claims is passed + raises error README.md code test - algorithm usage - decodes with HMAC algorithm without secret key - ECDSA - RSA - NONE - RSASSA-PSS - decodes with HMAC algorithm with secret key custom algorithm example allows a module to be used as algorithm on encode and decode - JWK to verify a signature - allows to verify a signature with a JWK claims - JWK import and export + JWK with thumbprint given in the initializer required_claims - JWK with thumbprint as kid via type - JWK with thumbprint given in the initializer (legacy) - find_key - iss + JWK import and export JWK with thumbprint as kid via symbol sub + find_key jti - JWK with thumbprint given in the initializer - exp + JWK with thumbprint given in the initializer (legacy) + JWK with thumbprint as kid via type + iss + iat with leeway without leeway nbf - without leeway with leeway - iat without leeway - with leeway - The JWKS loader example - works as expected (legacy) - works as expected aud - string array + string custom header fields with custom field The JWK based encode/decode routine works as expected + The JWKS loader example + works as expected (legacy) + works as expected + exp + with leeway + without leeway + algorithm usage + ECDSA + RSA + RSASSA-PSS + decodes with HMAC algorithm without secret key + decodes with HMAC algorithm with secret key + NONE 
+ JWK to verify a signature + allows to verify a signature with a JWK JWT::X5cKeyFinder returns the public key from a certificate that is signed by trusted roots and not revoked - already parsed certificates - returns the public key from a certificate that is signed by trusted roots and not revoked + CRL + signature could not be verified with the given trusted roots + raises an error + not given + raises an error + expired + raises an error certificate + signature could not be verified with the given trusted roots + raises an error could not be chained to a trusted root certificate given an array raises a verification error given nil raises a decode error - signature could not be verified with the given trusted roots - raises an error expired raises an error revoked raises an error - CRL - expired + ::JWT.decode + returns the encoded payload after successful certificate path verification + already parsed certificates + returns the public key from a certificate that is signed by trusted roots and not revoked + +JWT::Claims::Audience + #verify! + when any value in payload matches a single expected + passes validation + when the singular audience does not match + raises JWT::InvalidAudError + when a singular audience payload matching any value in the options array + passes validation + when an array with any value matching the one in the options + passes validation + when the payload has an array and none match the supplied value + raises JWT::InvalidAudError + when single audience is required + passes validation + when an array with any value matching all in the options + passes validation + +JWT::Claims::NotBefore + #verify! + when leeway is given + does not raise error + when nbf is in the future + raises JWT::ImmatureSignature + when nbf is in the past + does not raise error + +JWT::EncodedToken + #verify_claims! 
+ when header contains crits header + when expected crits are missing + raises an error + when expected crits are present + passes verification + exp claim + verifies the exp + when claims given as symbol + validates the claim + when claim validation skips verifying the exp claim + does not raise + when claims given as a list of symbols + validates the claim + when payload is detached + when payload is not provided + raises decode error + when payload provided in separate + raises claim verification error + when no claims are provided + raises ExpiredSignature error + when claims given as a list of symbols and hashes + validates the claim + when required_claims is passed + raises error + #signature + is expected to be a kind of String + #valid? + when claims are invalid + returns false + when key is invalid + returns false + when claims are provided as an array + returns true + when key is valid + returns true + #claim_errors + exp claim + when claim is invalid + returns array with error objects + when claim is valid + returns empty array + #valid_claims? + exp claim + when no claims are provided + validates the exp claim and returns false + when claim is valid + returns true + when claim validation skips verifying the exp claim + returns true + when claim is invalid + returns true + #verify_signature! 
+ when algorithm is an empty array raises an error - signature could not be verified with the given trusted roots + when key_finder is given + can utilize an array provided by keyfinder + uses key provided by keyfinder + when both key or key_finder is given + raises an ArgumentError + when key is valid + does not raise + when key is an array with one valid entry + does not raise + when algorithm is not given raises an error - not given + when key is invalid raises an error - ::JWT.decode - returns the encoded payload after successful certificate path verification + when RSA JWK is given as a key + with empty algorithm array provided + uses the JWK for verification + with algorithms supported by key provided + uses the JWK for verification + with algorithms not supported by key provided + raises JWT::VerificationError + when header has invalid alg value + does not raise + when neither key or key_finder is given + raises an ArgumentError + when JWT::KeyFinder is used as a key_finder + uses the keys provided by the JWK key finder + when payload is not encoded + does not raise + when payload is detached + when payload is not provided + raises VerificationError + when payload provided in separate + does not raise + integration use-cases + simple verify HS256 with defaults + protects the user from unverified payload access + #signing_input + is expected to eq "eyJhbGciOiJIUzI1NiJ9.eyJwYXkiOiJsb2FkIn0" + #payload + when token is checked using #valid_signature? and #valid_claims? + is expected to eq {"pay"=>"load"} + when token is verified using #verify_signature! + raises an error + when token is verified using #valid? + is expected to eq {"pay"=>"load"} + when token is not verified + raises an error + when token is verified using #verify_signature! and #verify_claims! + is expected to eq {"pay"=>"load"} + when token is verified using #valid_signature? 
but is not valid + raises an error + #header + is expected to eq {"alg"=>"HS256"} + when token is the empty string + raises decode error + #unverified_payload + is expected to eq {"pay"=>"load"} + when payload is detached + when payload provided in separate + is expected to eq {"pay"=>"load"} + when payload is not provided + raises decode error + when token is the empty string + raises decode error + when payload is not encoded and the b64 crit is enabled + handles the payload encoding + #verify! + when claims are invalid + raises an error + when key is invalid + raises an error + when key is valid + does not raise + +JWT::Configuration::JwkConfiguration + .kid_generator_type= + when invalid value is passed + raises ArgumentError + when valid value is passed + sets the generator matching the value + +JWT::Claims::Crit + when header is missing + raises JWT::InvalidCritError + when header is not an array + raises JWT::InvalidCritError + when header is an array and not containing the expected value + raises an InvalidCritError + when header is an array containing at least the expected values + does not raise an error + when header is an array containing exactly the expected values + does not raise an error + +JWT::Claims::Numeric + use via ::JWT::Claims.verify_payload! 
+ nbf claim + it should behave like a NumericDate claim + when nbf payload is a string + raises error + when nbf payload is a string + raises error + and key is a string + raises error + when nbf payload is a float + does not raise error + when nbf payload is an integer + does not raise error + and key is a string + does not raise error + when nbf payload is a Time object + raises error + iat claim + it should behave like a NumericDate claim + when iat payload is a string + raises error + and key is a string + raises error + when iat payload is a Time object + raises error + when iat payload is a float + does not raise error + when iat payload is a string + raises error + when iat payload is an integer + does not raise error + and key is a string + does not raise error + exp claim + it should behave like a NumericDate claim + when exp payload is a float + does not raise error + when exp payload is a string + raises error + when exp payload is a Time object + raises error + when exp payload is a string + raises error + and key is a string + raises error + when exp payload is an integer + does not raise error + and key is a string + does not raise error + #verify! 
+ iat claim + it should behave like a NumericDate claim + when iat payload is a string + raises error + when iat payload is a Time object + raises error + when iat payload is a float + does not raise error + when iat payload is an integer + does not raise error + and key is a string + does not raise error + when iat payload is a string + raises error + and key is a string + raises error + exp claim + it should behave like a NumericDate claim + when exp payload is a string + raises error + and key is a string + raises error + when exp payload is an integer + does not raise error + and key is a string + does not raise error + when exp payload is a float + does not raise error + when exp payload is a Time object + raises error + when exp payload is a string + raises error + nbf claim + it should behave like a NumericDate claim + when nbf payload is a float + does not raise error + when nbf payload is a Time object + raises error + when nbf payload is an integer + does not raise error + and key is a string + does not raise error + when nbf payload is a string + raises error + and key is a string + raises error + when nbf payload is a string + raises error + +JWT::Claims::JwtId + when payload is missing a jti + raises JWT::InvalidJtiError + when jti validator is a proc returning true + passes validation + when payload contains a jti + passes validation + when payload contains a jti that is an empty string + raises JWT::InvalidJtiError + when payload contains a jti that is a blank string + raises JWT::InvalidJtiError + when jti validator has 2 args + the second arg is the payload + when jti validator has 2 args + passes validation + when jti validator is a proc returning false + raises JWT::InvalidJtiError + +JWT::Claims::Required + when payload is missing the required claim + raises JWT::MissingRequiredClaim + when payload has the required claims + passes validation JWT::Claims::Verifier .verify! 
when all claims are given verifies all claims -JWT::JWA::Ps - #initialize - initializes with the correct algorithm and digest +JWT + JWT.configure + yields the configuration + allows configuration to be changed via the block + +JWT::Token + when EC JWK is given as key + signs the token + #sign! + signs the token + when string key is given but not algorithm + raises an error + when RSA JWK is given as key + signs the token + with mismatching algorithm provided in sign call + signs the token + with algorithm provided in sign call + signs the token + when signed twice + raises + #claim_errors + exp claim + when claim is invalid + returns array with error objects + when claim is valid + returns empty array + #detach_payload! + before token is signed + detaches the payload + #verify_claims! + when required_claims is passed + raises error + #valid_claims? + exp claim + when claim is valid + returns true + when claim is invalid + returns true + #jwt + when token is not signed + returns a signed and encoded token + when alg is given in header + returns a signed and encoded token + when token is signed + returns a signed and encoded token + +JWT::JWA::Ecdsa + .curve_by_name + when prime256v1 is given + is expected to eq {:algorithm=>"ES256", :digest=>"sha256"} + when secp521r1 is given + is expected to eq {:algorithm=>"ES512", :digest=>"sha512"} + when unknown is given + raises an error + when secp256r1 is given + is expected to eq {:algorithm=>"ES256", :digest=>"sha256"} + when secp256k1 is given + is expected to eq {:algorithm=>"ES256K", :digest=>"sha256"} #verify + when the verification key is a point + verifies the signature + when the verification key is valid + returns true for a valid signature + returns false for an invalid signature + when the verification key is not an OpenSSL::PKey::EC instance + raises a JWT::DecodeError when verification results in a OpenSSL::PKey::PKeyError error raises a JWT::VerificationError - with a valid RSA key - verifies the signature 
with PS384 - verifies the signature with PS512 - verifies the signature with PS256 - with an invalid signature - raises a verification error #sign - with a key length less than 2048 bits + when the signing key is invalid + raises a JWT::DecodeError + when the signing key is valid + returns a valid signature + when the signing key is not an OpenSSL::PKey::EC instance + raises a JWT::DecodeError + when the signing key is a public key + raises a JWT::DecodeError + +JWT::JWA::None + #sign + returns an empty string + #verify + returns true + +JWT + should not verify token even if the payload has claims + should not raise InvalidPayload exception if payload is an array + should encode string payloads + alg: HS384 + should generate a valid token + wrong secret and verify = false should not raise JWT::DecodeError + wrong secret should raise JWT::DecodeError + should decode a valid token + when token ends with a newline char + raises an error + ::JWT.decode with x5c parameter + calls X5cKeyFinder#from to verify the signature and return the payload + alg: HS256 + wrong secret and verify = false should not raise JWT::DecodeError + wrong secret should raise JWT::DecodeError + should generate a valid token + should decode a valid token + alg: HS512 + wrong secret and verify = false should not raise JWT::DecodeError + should decode a valid token + wrong secret should raise JWT::DecodeError + should generate a valid token + a token with not enough segments + raises JWT::DecodeError + when none token is and decoding without key and with verification + decodes the token + alg: ES512 + wrong key and verify = false should not raise JWT::DecodeError + wrong key should raise JWT::DecodeError + should generate a valid token + should decode a valid token + alg: ES256K + wrong key should raise JWT::DecodeError + should decode a valid token + wrong key and verify = false should not raise JWT::DecodeError + should generate a valid token + when none token is decoded with a key given + 
decodes the token + a token with two segments but does not require verifying + raises something else than "Not enough or too many segments" + alg: PS512 + should generate a valid token + should decode a valid token + wrong key and verify = false should not raise JWT::DecodeError + wrong key should raise JWT::DecodeError + when keyfinder given with 1 argument + decodes the token + when the alg value is given as a header parameter + should generate the same token + overrides the actual algorithm used + when token has null as the alg header + raises JWT::IncorrectAlgorithm error + when token is missing the alg header + raises JWT::IncorrectAlgorithm error + alg: ES256 + wrong key should raise JWT::DecodeError + should decode a valid token + should generate a valid token + wrong key and verify = false should not raise JWT::DecodeError + a token with invalid Base64 segments + raises JWT::Base64DecodeError + when algorithm is a custom class + can be used for decoding + can be used for encoding + when class is not utilizing the ::JWT::JWA::SigningAlgorithm module raises an error - with an invalid key + when #verify method is missing + raises error on decoding + can be used for encoding + when signature is not matching + fails the validation process + when multiple custom algorithms are given for decoding + tries until the first match + when alg is not matching + fails the validation process + when class has custom header method + uses the provided header + when #sign method is missing + raises an error on encoding + allows decoding + Invalid + raises "No verification key available" error + algorithm should raise DecodeError + ECDSA curve_name should raise JWT::IncorrectAlgorithm + a token with not too many segments + raises JWT::DecodeError + alg: PS384 + should generate a valid token + wrong key should raise JWT::DecodeError + should decode a valid token + wrong key and verify = false should not raise JWT::DecodeError + ::JWT.decode with verify_iat parameter + when iat 
is exactly the same as Time.now and iat is given as a float + considers iat valid + when iat is 1 second before Time.now raises an error - with a valid RSA key - signs the data with PS512 - signs the data with PS256 - signs the data with PS384 + when iat is exactly the same as Time.now and iat is given as floored integer + considers iat valid + when hmac algorithm is used without secret key + encodes payload + alg: RS512 + should generate a valid token + should decode a valid token using algorithm hash string key + wrong key and verify = false should not raise JWT::DecodeError + should decode a valid token + wrong key should raise JWT::DecodeError + alg: PS256 + should decode a valid token + should generate a valid token + wrong key and verify = false should not raise JWT::DecodeError + wrong key should raise JWT::DecodeError + when none token is decoded without verify + decodes the token + when multiple algorithms given + starts trying with the algorithm referred in the header + alg: RS256 + wrong key and verify = false should not raise JWT::DecodeError + should decode a valid token + should generate a valid token + wrong key should raise JWT::DecodeError + should decode a valid token using algorithm hash string key + alg: NONE + should generate a valid token + decoding without verification + should decode a valid token + decoding with verification + without specifying the none algorithm + should fail to decode the token + specifying the none algorithm + when the claims are invalid + should fail to decode the token + when the claims are valid + should decode the token + algorithm case insensitivity + ignores algorithm casing during encode/decode + raises error for invalid algorithm + when token ends with a newline char and strict_decoding enabled + raises JWT::DecodeError + when the alg is invalid + raises JWT::IncorrectAlgorithm error + Verify + algorithm + should raise JWT::IncorrectAlgorithm when algorithms array does not contain algorithm + should raise 
JWT::IncorrectAlgorithm on mismatch prior to kid public key network call + raises error when keyfinder does not find anything + should raise JWT::IncorrectAlgorithm on mismatch + no algorithm provided + should use the default decode algorithm + token is missing algorithm + should raise JWT::IncorrectAlgorithm + invalid header format + should raise JWT::DecodeError + 2-segment token + should raise JWT::IncorrectAlgorithm + claim verification order + when two claims are invalid + depends on the order of the parameters what error is raised + audience claim + when verify_aud is set to true and no audience given + does not raise + when key given as an array with multiple possible keys + should be able to verify signature when multiple keys given as a parameter + should fail if only invalid keys are given + should be able to verify signature when block returns multiple keys + issuer claim + if verify_iss is set to false (default option) should not raise JWT::InvalidIssuerError + when verify_iss is set to true and no issues given + does not raise + when encoded payload is used to extract key through find_key + should be able to find a key using a block with multiple issuers + should be able to find a key using the block passed to decode + should be able to find a key using the block passed to decode with iss verification + should be able to verify signature when block returns multiple keys + should be able to verify signature when block returns multiple keys with multiple issuers + should be able to verify signature when block returns multiple keys with iss verification + when keyfinder given with 2 arguments + decodes the token + when keyfinder resolves to multiple keys and multiple algorithms given + with issue with ES256 keys + tries until the first match + tries until the first match + with issue with HS256 keys + tries until the first match + alg: ES384 + wrong key should raise JWT::DecodeError + should decode a valid token + wrong key and verify = false should not 
raise JWT::DecodeError + should generate a valid token + a token with no segments + raises JWT::DecodeError + alg: RS384 + wrong key should raise JWT::DecodeError + should decode a valid token using algorithm hash string key + should decode a valid token + wrong key and verify = false should not raise JWT::DecodeError + should generate a valid token + when keyfinder given with 3 arguments + decodes the token but does not pass the payload + when token signed with nil and decoded with nil + raises JWT::DecodeError -JWT::JWA::Hmac - #verify - when signature is valid - is expected to equal true - when signature is invalid - is expected to equal false - #sign - when nil hmac_secret is passed - when OpenSSL raises any other error - raises the original error - when other versions of openssl do not raise an exception - is expected to eql "C\xB0\xCE\xF9\x92e\xF9\xE3L\x10\xEA\x9D5\x01\x92m'\xB3\x9FW\xC6\xD6tV\x1D\x8B\xA26\xE7\xA8\x19\xFB" - when OpenSSL 3.0 raises a malloc failure - raises JWT::DecodeError - when blank hmac_secret is passed - when OpenSSL raises any other error - raises the original error - when other versions of openssl do not raise an exception - is expected to eql "C\xB0\xCE\xF9\x92e\xF9\xE3L\x10\xEA\x9D5\x01\x92m'\xB3\x9FW\xC6\xD6tV\x1D\x8B\xA26\xE7\xA8\x19\xFB" - when OpenSSL 3.0 raises a malloc failure - raises JWT::DecodeError - when hmac_secret is passed - when OpenSSL raises any other error - raises the original error - when OpenSSL 3.0 raises a malloc failure - raises the original error - when other versions of openssl do not raise an exception - is expected to eql "\x88\xCD!\b\xB54}\x97<\xF3\x9C\xDF\x90S\xD7\xDDBpHv\xD8\xC9\xA9\xBD\x8E-\x16\x82Y\xD3\xDD\xF7" - when signing with a key - is expected to eq "<8WH\xB9\xC2\x96\r\x12\x94L\xF5^[\xC9@o[\xA7\x9C+\x94)q\xA8\x9C\x89\f\v\x1F:a" +JWT::JWK::HMAC + #export + when key is exported + returns a hash with the key + when key is exported with private key + returns a hash with the key + #keypair + 
returns a string + .new + when a secret key given + creates an instance of the class + when key is a number + raises an ArgumentError + .import + when example from RFC + decodes the k + when secret key is given + returns a key + with a custom "kid" value + imports that "kid" value + with a common parameter + imports that common parameter + #<=> + is equal to a clone of itself + is equal to itself + is not comparable to boolean true + is not comparable to nil + is not equal to a different key + is not comparable to a non-key + #== + is not equal to a different key + is not equal to boolean true + is equal to a clone of itself + is not equal to nil + is not equal to a non-key + is equal to itself + #[]= + when k is given + raises an error Pending: (Failures listed here are expected and do not affect your suite's status) - 1) JWT::JWK::RSA.create_rsa_key_using_accessors when all key components n, e, d, p, q, dp, dq, qi are given creates a valid RSA object representing a public key + 1) JWT::JWK::RSA.create_rsa_key_using_accessors when only e, n, d, p and q are given raises an error telling all the exponents are required # OpenSSL if RSA#d= is not available there is no accessors anymore - # ./spec/jwt/jwk/rsa_spec.rb:217 + # ./spec/jwt/jwk/rsa_spec.rb:209 - 2) JWT::JWK::RSA.create_rsa_key_using_accessors when only e, n, d, p and q are given raises an error telling all the exponents are required + 2) JWT::JWK::RSA.create_rsa_key_using_accessors when public parameters (e, n) are given creates a valid RSA object representing a public key # OpenSSL if RSA#d= is not available there is no accessors anymore - # ./spec/jwt/jwk/rsa_spec.rb:209 + # ./spec/jwt/jwk/rsa_spec.rb:200 - 3) JWT::JWK::RSA.create_rsa_key_using_accessors when e, n, d is given can be used for encryption and decryption + 3) JWT::JWK::RSA.create_rsa_key_using_accessors when e, n, d is given can be used for signing and verification # OpenSSL if RSA#d= is not available there is no accessors anymore - # 
./spec/jwt/jwk/rsa_spec.rb:237 + # ./spec/jwt/jwk/rsa_spec.rb:241 - 4) JWT::JWK::RSA.create_rsa_key_using_accessors when e, n, d is given creates a valid RSA object representing a private key + 4) JWT::JWK::RSA.create_rsa_key_using_accessors when e, n, d is given can be used for encryption and decryption # OpenSSL if RSA#d= is not available there is no accessors anymore - # ./spec/jwt/jwk/rsa_spec.rb:232 + # ./spec/jwt/jwk/rsa_spec.rb:237 - 5) JWT::JWK::RSA.create_rsa_key_using_accessors when e, n, d is given can be used for signing and verification + 5) JWT::JWK::RSA.create_rsa_key_using_accessors when e, n, d is given creates a valid RSA object representing a private key # OpenSSL if RSA#d= is not available there is no accessors anymore - # ./spec/jwt/jwk/rsa_spec.rb:241 + # ./spec/jwt/jwk/rsa_spec.rb:232 - 6) JWT::JWK::RSA.create_rsa_key_using_accessors when public parameters (e, n) are given creates a valid RSA object representing a public key + 6) JWT::JWK::RSA.create_rsa_key_using_accessors when all key components n, e, d, p, q, dp, dq, qi are given creates a valid RSA object representing a public key # OpenSSL if RSA#d= is not available there is no accessors anymore - # ./spec/jwt/jwk/rsa_spec.rb:200 + # ./spec/jwt/jwk/rsa_spec.rb:217 7) JWT::JWK::RSA.create_rsa_key_using_sets when public parameters (e, n) are given creates a valid RSA object representing a public key # OpenSSL 3.0 does not allow mutating objects anymore # ./spec/jwt/jwk/rsa_spec.rb:200 - 8) JWT::JWK::RSA.create_rsa_key_using_sets when e, n, d is given can be used for encryption and decryption + 8) JWT::JWK::RSA.create_rsa_key_using_sets when only e, n, d, p and q are given raises an error telling all the exponents are required # OpenSSL 3.0 does not allow mutating objects anymore - # ./spec/jwt/jwk/rsa_spec.rb:237 + # ./spec/jwt/jwk/rsa_spec.rb:209 - 9) JWT::JWK::RSA.create_rsa_key_using_sets when e, n, d is given can be used for signing and verification + 9) 
JWT::JWK::RSA.create_rsa_key_using_sets when all key components n, e, d, p, q, dp, dq, qi are given creates a valid RSA object representing a public key # OpenSSL 3.0 does not allow mutating objects anymore - # ./spec/jwt/jwk/rsa_spec.rb:241 + # ./spec/jwt/jwk/rsa_spec.rb:217 - 10) JWT::JWK::RSA.create_rsa_key_using_sets when e, n, d is given creates a valid RSA object representing a private key + 10) JWT::JWK::RSA.create_rsa_key_using_sets when e, n, d is given can be used for signing and verification # OpenSSL 3.0 does not allow mutating objects anymore - # ./spec/jwt/jwk/rsa_spec.rb:232 + # ./spec/jwt/jwk/rsa_spec.rb:241 - 11) JWT::JWK::RSA.create_rsa_key_using_sets when all key components n, e, d, p, q, dp, dq, qi are given creates a valid RSA object representing a public key + 11) JWT::JWK::RSA.create_rsa_key_using_sets when e, n, d is given creates a valid RSA object representing a private key # OpenSSL 3.0 does not allow mutating objects anymore - # ./spec/jwt/jwk/rsa_spec.rb:217 + # ./spec/jwt/jwk/rsa_spec.rb:232 - 12) JWT::JWK::RSA.create_rsa_key_using_sets when only e, n, d, p and q are given raises an error telling all the exponents are required + 12) JWT::JWK::RSA.create_rsa_key_using_sets when e, n, d is given can be used for encryption and decryption # OpenSSL 3.0 does not allow mutating objects anymore - # ./spec/jwt/jwk/rsa_spec.rb:209 + # ./spec/jwt/jwk/rsa_spec.rb:237 -Finished in 12.67 seconds (files took 0.3872 seconds to load) +Finished in 47.55 seconds (files took 1.96 seconds to load) 551 examples, 0 failures, 12 pending -Randomized with seed 19014 +Randomized with seed 3836 ┌──────────────────────────────────────────────────────────────────────────────┐ 
@@ -2219,12 +2255,14 @@ dpkg-buildpackage: info: binary-only upload (no source included) dpkg-genchanges: info: including full source code in upload I: copying local configuration +I: user script /srv/workspace/pbuilder/2597848/tmp/hooks/B01_cleanup starting +I: user script /srv/workspace/pbuilder/2597848/tmp/hooks/B01_cleanup finished I: unmounting dev/ptmx filesystem I: unmounting dev/pts filesystem I: unmounting dev/shm filesystem I: unmounting proc filesystem I: unmounting sys filesystem I: cleaning the build env -I: removing directory /srv/workspace/pbuilder/3045412 and its subdirectories -I: Current time: Tue Oct 28 12:51:46 -12 2025 -I: pbuilder-time-stamp: 1761699106 +I: removing directory /srv/workspace/pbuilder/2597848 and its subdirectories +I: Current time: Tue Dec 1 21:17:26 +14 2026 +I: pbuilder-time-stamp: 1796109446
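Review bot: in the RSpec portion of the `@@ -24,53 +24,85 @@` hunk, the removed and added lines come from two differently ordered runs ("Randomized with seed 19014" against "Randomized with seed 3836"), so that part of the comparison is ordering noise rather than a behavioural difference. The unchanged summary line "551 examples, 0 failures, 12 pending" and the twelve pending entries, which are the same specs renumbered, support that reading. Running the suite with a fixed seed in both builds, or sorting the example output before diffing, would leave only the environment differences that matter here: timestamps, the pbuilder workspace path, and the D01_modify_environment and B01_cleanup hooks that appear only in the second build. Separately, the added output lists `#valid_claims?` under "exp claim" with "when claim is invalid" followed by "returns true", the same result as the valid case. That reads as either a mislabelled example or an expectation worth checking in the spec file, since a claim validator that reports true for an invalid exp claim would be a verification gap.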