Diff of the two buildlogs: -- --- b1/build.log 2025-01-16 13:09:39.636697454 +0000 +++ b2/build.log 2025-01-16 13:15:52.355887623 +0000 @@ -1,6 +1,6 @@ I: pbuilder: network access will be disabled during build -I: Current time: Thu Jan 16 01:00:20 -12 2025 -I: pbuilder-time-stamp: 1737032420 +I: Current time: Fri Jan 17 03:09:49 +14 2025 +I: pbuilder-time-stamp: 1737032989 I: Building the build Environment I: extracting base tarball [/var/cache/pbuilder/unstable-reproducible-base.tgz] I: copying local configuration @@ -24,52 +24,84 @@ dpkg-source: info: applying no-pending-tests.patch I: Not using root during the build. I: Installing the build-deps -I: user script /srv/workspace/pbuilder/15609/tmp/hooks/D02_print_environment starting +I: user script /srv/workspace/pbuilder/9711/tmp/hooks/D01_modify_environment starting +debug: Running on virt32b. +I: Changing host+domainname to test build reproducibility +I: Adding a custom variable just for the fun of it... +I: Changing /bin/sh to bash +'/bin/sh' -> '/bin/bash' +lrwxrwxrwx 1 root root 9 Jan 16 13:10 /bin/sh -> /bin/bash +I: Setting pbuilder2's login shell to /bin/bash +I: Setting pbuilder2's GECOS to second user,second room,second work-phone,second home-phone,second other +I: user script /srv/workspace/pbuilder/9711/tmp/hooks/D01_modify_environment finished +I: user script /srv/workspace/pbuilder/9711/tmp/hooks/D02_print_environment starting I: set - BUILDDIR='/build/reproducible-path' - BUILDUSERGECOS='first user,first room,first work-phone,first home-phone,first other' - BUILDUSERNAME='pbuilder1' - BUILD_ARCH='armhf' - DEBIAN_FRONTEND='noninteractive' - DEB_BUILD_OPTIONS='buildinfo=+all reproducible=+all parallel=5 ' - DISTRIBUTION='unstable' - HOME='/root' - HOST_ARCH='armhf' + BASH=/bin/sh + BASHOPTS=checkwinsize:cmdhist:complete_fullquote:extquote:force_fignore:globasciiranges:globskipdots:hostcomplete:interactive_comments:patsub_replacement:progcomp:promptvars:sourcepath + BASH_ALIASES=() + BASH_ARGC=() + BASH_ARGV=() + BASH_CMDS=() + BASH_LINENO=([0]="12" [1]="0") + BASH_LOADABLES_PATH=/usr/local/lib/bash:/usr/lib/bash:/opt/local/lib/bash:/usr/pkg/lib/bash:/opt/pkg/lib/bash:. + BASH_SOURCE=([0]="/tmp/hooks/D02_print_environment" [1]="/tmp/hooks/D02_print_environment") + BASH_VERSINFO=([0]="5" [1]="2" [2]="37" [3]="1" [4]="release" [5]="arm-unknown-linux-gnueabihf") + BASH_VERSION='5.2.37(1)-release' + BUILDDIR=/build/reproducible-path + BUILDUSERGECOS='second user,second room,second work-phone,second home-phone,second other' + BUILDUSERNAME=pbuilder2 + BUILD_ARCH=armhf + DEBIAN_FRONTEND=noninteractive + DEB_BUILD_OPTIONS='buildinfo=+all reproducible=+all parallel=4 ' + DIRSTACK=() + DISTRIBUTION=unstable + EUID=0 + FUNCNAME=([0]="Echo" [1]="main") + GROUPS=() + HOME=/root + HOSTNAME=i-capture-the-hostname + HOSTTYPE=arm + HOST_ARCH=armhf IFS=' ' - INVOCATION_ID='665a86cadd834c6cbd7fea26898c08ef' - LANG='C' - LANGUAGE='en_US:en' - LC_ALL='C' - MAIL='/var/mail/root' - OPTIND='1' - PATH='/usr/sbin:/usr/bin:/sbin:/bin:/usr/games' - PBCURRENTCOMMANDLINEOPERATION='build' - PBUILDER_OPERATION='build' - PBUILDER_PKGDATADIR='/usr/share/pbuilder' - PBUILDER_PKGLIBDIR='/usr/lib/pbuilder' - PBUILDER_SYSCONFDIR='/etc' - PPID='15609' - PS1='# ' - PS2='> ' + INVOCATION_ID=c3c9bb7062ad43dea934a25c3e6bc32a + LANG=C + LANGUAGE=it_CH:it + LC_ALL=C + MACHTYPE=arm-unknown-linux-gnueabihf + MAIL=/var/mail/root + OPTERR=1 + OPTIND=1 + OSTYPE=linux-gnueabihf + PATH=/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path + PBCURRENTCOMMANDLINEOPERATION=build + PBUILDER_OPERATION=build + PBUILDER_PKGDATADIR=/usr/share/pbuilder + PBUILDER_PKGLIBDIR=/usr/lib/pbuilder + PBUILDER_SYSCONFDIR=/etc + PIPESTATUS=([0]="0") + POSIXLY_CORRECT=y + PPID=9711 PS4='+ ' - PWD='/' - SHELL='/bin/bash' - SHLVL='2' - SUDO_COMMAND='/usr/bin/timeout -k 18.1h 18h /usr/bin/ionice -c 3 /usr/bin/nice /usr/sbin/pbuilder --build --configfile /srv/reproducible-results/rbuild-debian/r-b-build.GZRhxycA/pbuilderrc_Hr44 --distribution unstable --hookdir /etc/pbuilder/first-build-hooks --debbuildopts -b --basetgz /var/cache/pbuilder/unstable-reproducible-base.tgz --buildresult /srv/reproducible-results/rbuild-debian/r-b-build.GZRhxycA/b1 --logfile b1/build.log ruby-jwt_2.7.1-1.dsc' - SUDO_GID='114' - SUDO_UID='109' - SUDO_USER='jenkins' - TERM='unknown' - TZ='/usr/share/zoneinfo/Etc/GMT+12' - USER='root' - _='/usr/bin/systemd-run' - http_proxy='http://10.0.0.15:3142/' + PWD=/ + SHELL=/bin/bash + SHELLOPTS=braceexpand:errexit:hashall:interactive-comments:posix + SHLVL=3 + SUDO_COMMAND='/usr/bin/timeout -k 24.1h 24h /usr/bin/ionice -c 3 /usr/bin/nice -n 11 /usr/bin/unshare --uts -- /usr/sbin/pbuilder --build --configfile /srv/reproducible-results/rbuild-debian/r-b-build.GZRhxycA/pbuilderrc_P4Mz --distribution unstable --hookdir /etc/pbuilder/rebuild-hooks --debbuildopts -b --basetgz /var/cache/pbuilder/unstable-reproducible-base.tgz --buildresult /srv/reproducible-results/rbuild-debian/r-b-build.GZRhxycA/b2 --logfile b2/build.log ruby-jwt_2.7.1-1.dsc' + SUDO_GID=112 + SUDO_UID=106 + SUDO_USER=jenkins + TERM=unknown + TZ=/usr/share/zoneinfo/Etc/GMT-14 + UID=0 + USER=root + _='I: set' + http_proxy=http://10.0.0.15:3142/ I: uname -a - Linux ff64a 6.1.0-30-arm64 #1 SMP Debian 6.1.124-1 (2025-01-12) aarch64 GNU/Linux + Linux i-capture-the-hostname 6.1.0-30-armmp-lpae #1 SMP Debian 6.1.124-1 (2025-01-12) armv7l GNU/Linux I: ls -l /bin lrwxrwxrwx 1 root root 7 Nov 22 14:40 /bin -> usr/bin -I: user script /srv/workspace/pbuilder/15609/tmp/hooks/D02_print_environment finished +I: user script /srv/workspace/pbuilder/9711/tmp/hooks/D02_print_environment finished -> Attempting to satisfy build-dependencies -> Creating pbuilder-satisfydepends-dummy package Package: pbuilder-satisfydepends-dummy @@ -265,7 +297,7 @@ Get: 148 http://deb.debian.org/debian unstable/main armhf ruby-rspec all 3.13.0c0e0m0s1-2 [5184 B] Get: 149 http://deb.debian.org/debian unstable/main armhf ruby-simplecov-html all 0.12.3-2 [468 kB] Get: 150 http://deb.debian.org/debian unstable/main armhf ruby-simplecov all 0.22.0-2 [45.2 kB] -Fetched 54.4 MB in 2s (23.7 MB/s) +Fetched 54.4 MB in 4s (12.4 MB/s) Preconfiguring packages ... Selecting previously unselected package libpython3.13-minimal:armhf. (Reading database ... (Reading database ... 5% (Reading database ... 10% (Reading database ... 15% (Reading database ... 20% (Reading database ... 25% (Reading database ... 30% (Reading database ... 35% (Reading database ... 40% (Reading database ... 45% (Reading database ... 50% (Reading database ... 55% (Reading database ... 60% (Reading database ... 65% (Reading database ... 70% (Reading database ... 75% (Reading database ... 80% (Reading database ... 85% (Reading database ... 90% (Reading database ... 95% (Reading database ... 100% (Reading database ... 19563 files and directories currently installed.) @@ -762,8 +794,8 @@ Setting up tzdata (2024b-6) ... Current default time zone: 'Etc/UTC' -Local time is now: Thu Jan 16 13:03:01 UTC 2025. -Universal Time is now: Thu Jan 16 13:03:01 UTC 2025. +Local time is now: Thu Jan 16 13:12:42 UTC 2025. +Universal Time is now: Thu Jan 16 13:12:42 UTC 2025. Run 'dpkg-reconfigure tzdata' if you wish to change it. Setting up autotools-dev (20220109.1) ... @@ -900,7 +932,11 @@ Building tag database... -> Finished parsing the build-deps I: Building the package -I: Running cd /build/reproducible-path/ruby-jwt-2.7.1/ && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games" HOME="/nonexistent/first-build" dpkg-buildpackage -us -uc -b && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games" HOME="/nonexistent/first-build" dpkg-genchanges -S > ../ruby-jwt_2.7.1-1_source.changes +I: user script /srv/workspace/pbuilder/9711/tmp/hooks/A99_set_merged_usr starting +Not re-configuring usrmerge for unstable +I: user script /srv/workspace/pbuilder/9711/tmp/hooks/A99_set_merged_usr finished +hostname: Name or service not known +I: Running cd /build/reproducible-path/ruby-jwt-2.7.1/ && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path" HOME="/nonexistent/second-build" dpkg-buildpackage -us -uc -b && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path" HOME="/nonexistent/second-build" dpkg-genchanges -S > ../ruby-jwt_2.7.1-1_source.changes dpkg-buildpackage: info: source package ruby-jwt dpkg-buildpackage: info: source version 2.7.1-1 dpkg-buildpackage: info: source distribution unstable @@ -933,7 +969,7 @@ │ ruby-jwt: Installing files and building extensions for ruby3.1 │ └──────────────────────────────────────────────────────────────────────────────┘ -/usr/bin/ruby3.1 -S gem build --config-file /dev/null --verbose /tmp/d20250116-24815-c7m2a3/gemspec +/usr/bin/ruby3.1 -S gem build --config-file /dev/null --verbose /tmp/d20250117-16558-lse5tj/gemspec Failed to load /dev/null because it doesn't contain valid YAML hash WARNING: open-ended dependency on appraisal (>= 0, development) is not recommended use a bounded requirement, such as '~> x.y' @@ -950,7 +986,7 @@ Name: jwt Version: 2.7.1 File: jwt-2.7.1.gem -/usr/bin/ruby3.1 -S gem install --config-file /dev/null --verbose --local --verbose --no-document --ignore-dependencies --install-dir debian/ruby-jwt/usr/share/rubygems-integration/all /tmp/d20250116-24815-c7m2a3/jwt-2.7.1.gem +/usr/bin/ruby3.1 -S gem install --config-file /dev/null --verbose --local --verbose --no-document --ignore-dependencies --install-dir debian/ruby-jwt/usr/share/rubygems-integration/all /tmp/d20250117-16558-lse5tj/jwt-2.7.1.gem Failed to load /dev/null because it doesn't contain valid YAML hash /build/reproducible-path/ruby-jwt-2.7.1/debian/ruby-jwt/usr/share/rubygems-integration/all/gems/jwt-2.7.1/lib/jwt.rb /build/reproducible-path/ruby-jwt-2.7.1/debian/ruby-jwt/usr/share/rubygems-integration/all/gems/jwt-2.7.1/lib/jwt/algos.rb @@ -1027,260 +1063,140 @@ All examples were filtered out; ignoring {:focus=>true} -Randomized with seed 61033 - -::JWT::Algos::HmacRbNaClFixed - .sign - when signature is generated by RbNaCl - can verify the signature with OpenSSL (PENDING: Requires rbnacl gem < 6.0) - .verify - when signature is generated with OpenSSL - verifies the signature (PENDING: Requires rbnacl gem < 6.0) - when signature is generated with OpenSSL and key is very long - verifies the signature using OpenSSL features (PENDING: Requires rbnacl gem < 6.0) - when signature is invalid - can verify without error (PENDING: Requires rbnacl gem < 6.0) - -JWT - .decode for JWK usecase - when jwk keys are rotated - decodes the token - when the token kid is nil - and allow_nil_kid is specified - decodes the token - mixing algorithms using kid header - when EC key is pointed to as RSA public key - fails in some way - when HMAC secret is pointed to as EC public key - fails in some way - when OKP keys are used - decodes the token - when HMAC secret is pointed to as RSA public key - fails in some way - when ES384 key is pointed to as ES512 key - fails in some way - when RSA key is pointed to as HMAC secret - raises JWT::DecodeError - when EC key is pointed to as HMAC secret - raises JWT::DecodeError - when the token kid is not a string - raises an exception - when jwk keys are loaded from JSON with string keys - decodes the token - when jwk keys are given as an array - token does not know the kid - raises an exception - and kid is not in the set - raises an exception - no keys are found in the set - raises an exception - and kid is in the set - is able to decode the token - when JWK features are used manually - is able to decode the token - when jwk keys are loaded using a proc/lambda - decodes the token - -JWT::Verify - .verify_claims - must skip verification when verify_iat option is set to false - must skip verification when verify_iss option is set to false - must raise error when verify_sub option is set to true - must skip verification when verify_jti option is set to false - must skip verification when verify_not_before option is set to false - must raise error when verify_jti option is set to true - must skip verification when verify_expiration option is set to false - must raise error when verify_expiration option is set to true - must raise error when verify_iat option is set to true - must skip verification when verify_sub option is set to false - must raise error when verify_aud option is set to true - must raise error when verify_not_before option is set to true - must skip verification when verify_aud option is set to false - must raise error when verify_iss option is set to true - .verify_required_claims(payload, options) - must raise JWT::MissingRequiredClaim if a required claim is absent - must verify the claims if all required claims are present - .verify_iss(payload, options) - when iss is a Proc - must raise JWT::InvalidIssuerError when the proc returns false - must raise JWT::InvalidIssuerError when the payload does not include an issuer - must allow a proc that returns true to pass - when iss is a Method instance - must raise JWT::InvalidIssuerError when the payload does not include an issuer - must allow a method that returns true to pass - must raise JWT::InvalidIssuerError when the method returns false - when iss is a RegExp - must raise JWT::InvalidIssuerError when the payload does not include an issuer - must allow a regular expression matching the issuer to pass - must raise JWT::InvalidIssuerError when the regular expression does not match - when iss is a String - must raise JWT::InvalidIssuerError when the configured issuer does not match the payload issuer - must allow a matching issuer to pass - must raise JWT::InvalidIssuerError when the payload does not include an issuer - when iss is an Array - must allow an array with matching issuer to pass - must raise JWT::InvalidIssuerError when the payload does not include an issuer - must raise JWT::InvalidIssuerError when no matching issuers in array - .verify_iat(payload, options) - must allow a valid iat - must ignore configured leeway - must raise JWT::InvalidIatError when the iat value is in the future - must properly handle integer times - must raise JWT::InvalidIatError when the iat value is not Numeric - .verify_expiration(payload, options) - must raise JWT::ExpiredSignature when the token has expired - must allow some leeway in the expiration when exp_leeway is configured - must allow some leeway in the expiration when global leeway is configured - must be expired if the exp claim equals the current time - when leeway is not specified - used a default leeway of 0 - .verify_not_before(payload, options) - must allow some leeway in the token age when nbf_leeway is configured - must raise JWT::ImmatureSignature when the nbf in the payload is in the future - must allow some leeway in the token age when global leeway is configured - .verify_sub(payload, options) - must allow a matching sub - must raise JWT::InvalidSubError when the subjects do not match - .verify_jti(payload, options) - must allow any jti when the verfy_jti key in the options is truthy but not a proc - it should not throw arguement error with 2 args - must raise JWT::InvalidJtiError when the jti is an empty string - should have payload as second param in proc - true proc should not raise JWT::InvalidJtiError - must raise JWT::InvalidJtiError when the jti is missing - must raise JWT::InvalidJtiError when verify_jti proc returns false - .verify_aud(payload, options) - must allow a singular audience payload matching any value in the options array - must allow a matching singular audience to pass - must allow an array with any value matching the one in the options - must raise JWT::InvalidAudError when the payload has an array and none match the supplied value - must allow an array with any value matching any value in the options array - must raise JWT::InvalidAudError when the singular audience does not match +Randomized with seed 6273 JWT::JWK::Set - .export - exports the JWKS to Hash + .merge + merges two JWKSs + when called via "|" operator + when called via .union + when called directly .new - raises an error on invalid inputs can create an empty set + raises an error on invalid inputs can create a set from a JWKS hash with symbol keys - from a JWKS hash with string keys from a JWK - from an existing JWT::JWK::Set from an array of keys + from a JWKS hash with string keys + from an existing JWT::JWK::Set .reject! filters the keyset - .merge - merges two JWKSs - when called directly - when called via .union - when called via "|" operator - .eql? - correctly classifies equal sets - correctly classifies different sets + .export + exports the JWKS to Hash .uniq! filters out equal keys .select! filters the keyset + .eql? + correctly classifies different sets + correctly classifies equal sets -JWT::JWK::OKPRbNaCl - #private? - when private key is given - is expected to eq true - when public key is given - is expected to eq false - #export - when private key is given - exports the public key - when private key is asked for - exports the private key - #verify_key - is the verify key - .new - when jwk parameters given - is expected to be a kind of JWT::JWK::OKPRbNaCl - when something else than a public or private key is given - raises an ArgumentError - when public key is given - is expected to be a kind of JWT::JWK::OKPRbNaCl - when private key is given - is expected to be a kind of JWT::JWK::OKPRbNaCl +JWT::JWK::RSA .import - when exported public key is given - creates a new instance of the class - when JWK is given - creates a new instance of the class - when exported private key is given - creates a new instance of the class - -JWT::JWK::HMAC - #[]= - when k is given + when keypair is imported with string keys from JSON + returns a hash with the public parts of the key + when keypair is imported with symbol keys + returns a hash with the public parts of the key + when private key is included in the data + creates a complete keypair + when jwk_data is given without e and/or n raises an error - #export - when key is exported with private key - returns a hash with the key - when key is exported - returns a hash with the key - .import - when secret key is given - returns a key - with a custom "kid" value - imports that "kid" value - with a common parameter - imports that common parameter - .new - when a secret key given - creates an instance of the class + .kid + when kid is given in a hash parameter + uses the given kid + when configuration says to use :rfc7638_thumbprint + generates the kid based on the thumbprint + when kid is given as a String parameter + uses the given kid + .create_rsa_key_using_der + when only e, n, d, p and q are given + raises an error telling all the exponents are required + when all key components n, e, d, p, q, dp, dq, qi are given + creates a valid RSA object representing a public key + when public parameters (e, n) are given + creates a valid RSA object representing a public key + when e, n, d is given + expects all CRT parameters given and raises error + .create_rsa_key_using_accessors + when only e, n, d, p and q are given + raises an error telling all the exponents are required (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) + when public parameters (e, n) are given + creates a valid RSA object representing a public key (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) + when e, n, d is given + can be used for signing and verification (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) + can be used for encryption and decryption (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) + creates a valid RSA object representing a private key (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) + when all key components n, e, d, p, q, dp, dq, qi are given + creates a valid RSA object representing a public key (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) #keypair - returns a string - -JWT::JWK::EC + warns to stderr + .common_parameters + when a common parameters hash is given + converts string keys to symbol keys + imports the common parameter #export when private key is requested - returns a hash with the both parts of the key + returns a hash with the public AND private parts of the key + when keypair with private key is exported + returns a hash with the public parts of the key + when unsupported keypair is given + raises an error when keypair with public key is exported returns a hash with the public parts of the key - when a custom "kid" is provided - exports it - when a common parameter is given - returns a hash including the common parameter - when keypair with private key is exported - returns a hash with the both parts of the key - #keypair - warns to stderr .new - when a keypair with both keys given - creates an instance of the class when a keypair with only public key is given creates an instance of the class + when a keypair with both keys given + creates an instance of the class + .create_rsa_key_using_sets + when all key components n, e, d, p, q, dp, dq, qi are given + creates a valid RSA object representing a public key (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) + when only e, n, d, p and q are given + raises an error telling all the exponents are required (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) + when public parameters (e, n) are given + creates a valid RSA object representing a public key (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) + when e, n, d is given + can be used for encryption and decryption (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) + can be used for signing and verification (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) + creates a valid RSA object representing a private key (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) + +JWT::JWK::Thumbprint + #to_s + when EC key is given + is expected to eq "dO52_we59sdR49HsGCpVzlDUQNvT3KxCTGakk4Un8qc" + when HMAC key is given + is expected to eq "wPf4ZF5qlzoFxsGkft4eu1iWcehgAcahZL4XPV4dT-s" + when example from RFC is given + is expected to eq "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs" + +JWT::JWK::EC .import - when crv=P-521 + when crv=P-256K + when keypair is public + returns a public key + returns a hash with the public parts of the key when keypair is private returns a private key with a custom "kid" value imports that "kid" value + when crv=P-256 when keypair is public returns a public key returns a hash with the public parts of the key - when crv=P-256K when keypair is private returns a private key with a custom "kid" value imports that "kid" value - when keypair is public - returns a public key - returns a hash with the public parts of the key - when crv=P-384 - when keypair is public - returns a public key - returns a hash with the public parts of the key + when crv=P-521 when keypair is private returns a private key with a custom "kid" value imports that "kid" value - when crv=P-256 + when keypair is public + returns a public key + returns a hash with the public parts of the key + when crv=P-384 when keypair is public returns a public key returns a hash with the public parts of the key @@ -1288,172 +1204,487 @@ returns a private key with a custom "kid" value imports that "kid" value + .new + when a keypair with both keys given + creates an instance of the class + when a keypair with only public key is given + creates an instance of the class + #keypair + warns to stderr + #export + when private key is requested + returns a hash with the both parts of the key + when keypair with public key is exported + returns a hash with the public parts of the key + when a custom "kid" is provided + exports it + when keypair with private key is exported + returns a hash with the both parts of the key + when a common parameter is given + returns a hash including the common parameter -JWT - JWT.configure - yields the configuration - allows configuration to be changed via the block +JWT::JWK::HMAC + #export + when key is exported with private key + returns a hash with the key + when key is exported + returns a hash with the key + #[]= + when k is given + raises an error + .import + when secret key is given + returns a key + with a common parameter + imports that common parameter + with a custom "kid" value + imports that "kid" value + .new + when a secret key given + creates an instance of the class + #keypair + returns a string + +JWT::Verify + .verify_aud(payload, options) + must raise JWT::InvalidAudError when the singular audience does not match + must allow an array with any value matching any value in the options array + must allow a matching singular audience to pass + must raise JWT::InvalidAudError when the payload has an array and none match the supplied value + must allow a singular audience payload matching any value in the options array + must allow an array with any value matching the one in the options + .verify_iss(payload, options) + when iss is an Array + must raise JWT::InvalidIssuerError when no matching issuers in array + must raise JWT::InvalidIssuerError when the payload does not include an issuer + must allow an array with matching issuer to pass + when iss is a Method instance + must raise JWT::InvalidIssuerError when the payload does not include an issuer + must raise JWT::InvalidIssuerError when the method returns false + must allow a method that returns true to pass + when iss is a RegExp + must raise JWT::InvalidIssuerError when the regular expression does not match + must raise JWT::InvalidIssuerError when the payload does not include an issuer + must allow a regular expression matching the issuer to pass + when iss is a String + must allow a matching issuer to pass + must raise JWT::InvalidIssuerError when the payload does not include an issuer + must raise JWT::InvalidIssuerError when the configured issuer does not match the payload issuer + when iss is a Proc + must raise JWT::InvalidIssuerError when the payload does not include an issuer + must allow a proc that returns true to pass + must raise JWT::InvalidIssuerError when the proc returns false + .verify_iat(payload, options) + must ignore configured leeway + must raise JWT::InvalidIatError when the iat value is not Numeric + must properly handle integer times + must raise JWT::InvalidIatError when the iat value is in the future + must allow a valid iat + .verify_expiration(payload, options) + must allow some leeway in the expiration when global leeway is configured + must allow some leeway in the expiration when exp_leeway is configured + must be expired if the exp claim equals the current time + must raise JWT::ExpiredSignature when the token has expired + when leeway is not specified + used a default leeway of 0 + .verify_not_before(payload, options) + must allow some leeway in the token age when global leeway is configured + must raise JWT::ImmatureSignature when the nbf in the payload is in the future + must allow some leeway in the token age when nbf_leeway is configured + .verify_sub(payload, options) + must allow a matching sub + must raise JWT::InvalidSubError when the subjects do not match + .verify_claims + must skip verification when verify_iat option is set to false + must raise error when verify_jti option is set to true + must raise error when verify_not_before option is set to true + must raise error when verify_aud option is set to true + must skip verification when verify_jti option is set to false + must skip verification when verify_not_before option is set to false + must raise error when verify_sub option is set to true + must skip verification when verify_sub option is set to false + must skip verification when verify_aud option is set to false + must skip verification when verify_iss option is set to false + must raise error when verify_iat option is set to true + must raise error when verify_expiration option is set to true + must raise error when verify_iss option is set to true + must skip verification when verify_expiration option is set to false + .verify_required_claims(payload, options) + must verify the claims if all required claims are present + must raise JWT::MissingRequiredClaim if a required claim is absent + .verify_jti(payload, options) + true proc should not raise JWT::InvalidJtiError + should have payload as second param in proc + it should not throw arguement error with 2 args + must raise JWT::InvalidJtiError when the jti is an empty string + must raise JWT::InvalidJtiError when the jti is missing + must allow any jti when the verfy_jti key in the options is truthy but not a proc + must raise JWT::InvalidJtiError when verify_jti proc returns false + +::JWT::Algos::HmacRbNaClFixed + .sign + when signature is generated by RbNaCl + can verify the signature with OpenSSL (PENDING: Requires rbnacl gem < 6.0) + .verify + when signature is generated with OpenSSL and key is very long + verifies the signature using OpenSSL features (PENDING: Requires rbnacl gem < 6.0) + when signature is generated with OpenSSL + verifies the signature (PENDING: Requires rbnacl gem < 6.0) + when signature is invalid + can verify without error (PENDING: Requires rbnacl gem < 6.0) + +JWT::Algos::Ecdsa + .curve_by_name + when unknown is given + raises an error + when secp256r1 is given + is expected to eq {:algorithm=>"ES256", :digest=>"sha256"} + when secp256k1 is given + is expected to eq {:algorithm=>"ES256K", :digest=>"sha256"} + when secp521r1 is given + is expected to eq {:algorithm=>"ES512", :digest=>"sha512"} + when prime256v1 is given + is expected to eq {:algorithm=>"ES256", :digest=>"sha256"} + +JWT::ClaimsValidator + #validate! + exp claim + it should behave like a NumericDate claim + when exp payload is a string + raises error + and key is a string + raises error + when exp payload is a Time object + raises error + when exp payload is an integer + does not raise error + and key is a string + does not raise error + when exp payload is a string + raises error + when exp payload is a float + does not raise error + nbf claim + it should behave like a NumericDate claim + when nbf payload is a string + raises error + and key is a string + raises error + when nbf payload is a string + raises error + when nbf payload is an integer + does not raise error + and key is a string + does not raise error + when nbf payload is a Time object + raises error + when nbf payload is a float + does not raise error + iat claim + it should behave like a NumericDate claim + when iat payload is a float + does not raise error + when iat payload is a string + raises error + when iat payload is an integer + does not raise error + and key is a string + does not raise error + when iat payload is a Time object + raises error + when iat payload is a string + raises error + and key is a string + raises error JWT::Algos::Hmac .sign - when nil hmac_secret is passed + when hmac_secret is passed when OpenSSL raises any other error raises the original error + when other versions of openssl do not raise an exception + is expected to eql "\x88\xCD!\b\xB54}\x97<\xF3\x9C\xDF\x90S\xD7\xDDBpHv\xD8\xC9\xA9\xBD\x8E-\x16\x82Y\xD3\xDD\xF7" when OpenSSL 3.0 raises a malloc failure - raises JWT::DecodeError + raises the original error + when nil hmac_secret is passed + when OpenSSL raises any other error + raises the original error when other versions of openssl do not raise an exception is expected to eql "C\xB0\xCE\xF9\x92e\xF9\xE3L\x10\xEA\x9D5\x01\x92m'\xB3\x9FW\xC6\xD6tV\x1D\x8B\xA26\xE7\xA8\x19\xFB" + when OpenSSL 3.0 raises a malloc failure + raises JWT::DecodeError when blank hmac_secret is passed when OpenSSL 3.0 raises a malloc failure raises JWT::DecodeError - when other versions of openssl do not raise an exception - is expected to eql "C\xB0\xCE\xF9\x92e\xF9\xE3L\x10\xEA\x9D5\x01\x92m'\xB3\x9FW\xC6\xD6tV\x1D\x8B\xA26\xE7\xA8\x19\xFB" - when OpenSSL raises any other error - raises the original error - when hmac_secret is passed when OpenSSL raises any other error raises the original error when other versions of openssl do not raise an exception - is expected to eql "\x88\xCD!\b\xB54}\x97<\xF3\x9C\xDF\x90S\xD7\xDDBpHv\xD8\xC9\xA9\xBD\x8E-\x16\x82Y\xD3\xDD\xF7" - when OpenSSL 3.0 raises a malloc failure - raises the original error + is expected to eql "C\xB0\xCE\xF9\x92e\xF9\xE3L\x10\xEA\x9D5\x01\x92m'\xB3\x9FW\xC6\xD6tV\x1D\x8B\xA26\xE7\xA8\x19\xFB" + +README.md code test + custom algorithm example + allows a module to be used as algorithm on encode and decode + algorithm usage + decodes with HMAC algorithm without secret key + EDDSA + decodes with HMAC algorithm with secret key + RSASSA-PSS + ECDSA + RSA + NONE + claims + required_claims + JWK import and export + sub + jti + JWK with thumbprint as kid via type + JWK with thumbprint as kid via symbol + JWK with thumbprint given in the initializer (legacy) + JWK with thumbprint given in the initializer + find_key + iss + custom header fields + with custom field + aud + string + array + The JWKS loader example + works as expected + works as expected (legacy) + The JWK based encode/decode routine + works as expected + nbf + with leeway + without leeway + iat + with leeway + without leeway + exp + with leeway + without leeway + +JWT::Configuration::JwkConfiguration + .kid_generator_type= + when invalid value is passed + raises ArgumentError + when valid value is passed + sets the generator matching the value + +JWT::X5cKeyFinder + returns the public key from a certificate that is signed by trusted roots and not revoked + CRL + expired + raises an error + signature could not be verified with the given trusted roots + raises an error + not given + raises an error + certificate + revoked + raises an error + signature could not be verified with the given trusted roots + raises an error + expired + raises an error + could not be chained to a trusted root certificate + given an array + raises a verification error + given nil + raises a decode error + ::JWT.decode + returns the encoded payload after successful certificate path verification + already parsed certificates + returns the public key from a certificate that is signed by trusted roots and not revoked + +JWT + JWT.configure + yields the configuration + allows configuration to be changed via the block + +::JWT::Algos::HmacRbNaCl + .sign + when signature is generated by RbNaCl + can verify the signature with OpenSSL + .verify + when signature is generated with OpenSSL and key is very long + verifies the signature using OpenSSL features + when signature is invalid + can verify without error + when signature is generated with OpenSSL + verifies the signature + +JWT + .decode for JWK usecase + when jwk keys are loaded from JSON with string keys + decodes the token + when the token kid is not a string + raises an exception + when jwk keys are rotated + decodes the token + when jwk keys are given as an array + and kid is not in the set + raises an exception + and kid is in the set + is able to decode the token + token does not know the kid + raises an exception + no keys are found in the set + raises an exception + when JWK features are used manually + is able to decode the token + when the token kid is nil + and allow_nil_kid is specified + decodes the token + when jwk keys are loaded using a proc/lambda + decodes the token + mixing algorithms using kid header + when EC key is pointed to as RSA public key + fails in some way + when HMAC secret is pointed to as RSA public key + fails in some way + when HMAC secret is pointed to as EC public key + fails in some way + when ES384 key is pointed to as ES512 key + fails in some way + when OKP keys are used + decodes the token + when EC key is pointed to as HMAC secret + raises JWT::DecodeError + when RSA key is pointed to as HMAC secret + raises JWT::DecodeError + +JWT::JWK + .new + when kid is given + sets the kid + when secret key is given + is expected to be a kind of JWT::JWK::HMAC + when RSA key is given + is expected to be a kind of JWT::JWK::RSA + when EC key is given + is expected to be a kind of JWT::JWK::EC + when a common parameter is given + sets the common parameter + .import + creates a ::JWT::JWK::RSA instance + when a common JWK parameter is specified + returns the defined common JWK parameter + when keypair with defined kid is imported + returns the predefined kid if jwt_data contains a kid + when keytype is not supported + raises an error + parsed from JSON + creates a ::JWT::JWK::RSA instance from JSON parsed JWK + .[] + rejects key parameters as keys via the key-accessor + allows to set common parameters via the key-accessor + allows to read common parameters via the key-accessor + +JWT::JWK::OKPRbNaCl + .new + when private key is given + is expected to be a kind of JWT::JWK::OKPRbNaCl + when public key is given + is expected to be a kind of JWT::JWK::OKPRbNaCl + when jwk parameters given + is expected to be a kind of JWT::JWK::OKPRbNaCl + when something else than a public or private key is given + raises an ArgumentError + #private? + when private key is given + is expected to eq true + when public key is given + is expected to eq false + #export + when private key is given + exports the public key + when private key is asked for + exports the private key + .import + when JWK is given + creates a new instance of the class + when exported private key is given + creates a new instance of the class + when exported public key is given + creates a new instance of the class + #verify_key + is the verify key JWT should not raise InvalidPayload exception if payload is an array - should encode string payloads should not verify token even if the payload has claims - payload validation - validates the payload with the ClaimsValidator if the payload is a hash - does not validate the payload if it is not present - Verify - issuer claim - if verify_iss is set to false (default option) should not raise JWT::InvalidIssuerError - algorithm - should raise JWT::IncorrectAlgorithm when algorithms array does not contain algorithm - should raise JWT::IncorrectAlgorithm on mismatch prior to kid public key network call - should raise JWT::IncorrectAlgorithm on mismatch - no algorithm provided - should use the default decode algorithm - token is missing algorithm - should raise JWT::IncorrectAlgorithm - 2-segment token - should raise JWT::IncorrectAlgorithm - when encoded payload is used to extract key through find_key - should be able to find a key using the block passed to decode with iss verification - should be able to verify signature when block returns multiple keys with multiple issuers - should be able to verify signature when block returns multiple keys with iss verification - should be able to find a key using a block with multiple issuers - should be able to verify signature when block returns multiple keys - should be able to find a key using the block passed to decode - when key given as an array with multiple possible keys - should fail if only invalid keys are given - should be able to verify signature when multiple keys given as a parameter - should be able to verify signature when block returns multiple keys - ::JWT.decode with x5c parameter - calls X5cKeyFinder#from to verify the signature and return the payload + should encode string payloads alg: PS512 wrong key and verify = false should not raise JWT::DecodeError - wrong key should raise JWT::DecodeError should decode a valid token - should generate a valid token - alg: ES256 wrong key should raise JWT::DecodeError + should generate a valid token + alg: ES384 wrong key and verify = false should not raise JWT::DecodeError should decode a valid token should generate a valid token + wrong key should raise JWT::DecodeError alg: ES256K - should generate a valid token wrong key and verify = false should not raise JWT::DecodeError + wrong key should raise JWT::DecodeError + should generate a valid token should decode a valid token + when keyfinder given with 1 argument + decodes the token + alg: ES512 wrong key should raise JWT::DecodeError - when the alg is invalid - raises JWT::IncorrectAlgorithm error + should decode a valid token + should generate a valid token + wrong key and verify = false should not raise JWT::DecodeError + when hmac algorithm is used without secret key + encodes payload when token has null as the alg header raises JWT::IncorrectAlgorithm error - a token with invalid Base64 segments - raises JWT::DecodeError - a token with no segments - raises JWT::DecodeError - Invalid - ECDSA curve_name should raise JWT::IncorrectAlgorithm - algorithm should raise NotImplementedError - raises "No verification key available" error a token with not too many segments raises JWT::DecodeError - when keyfinder given with 3 arguments - decodes the token but does not pass the payload - alg: RS256 - should generate a valid token - should decode a valid token + when token is missing the alg header + raises JWT::IncorrectAlgorithm error + when multiple algorithms given + starts trying with the algorithm referred in the header + a token with invalid Base64 segments + raises JWT::DecodeError + alg: ED25519 wrong key and verify = false should not raise JWT::DecodeError - wrong key should raise JWT::DecodeError - should decode a valid token using algorithm hash string key - alg: HS256 should decode a valid token - wrong secret and verify = false should not raise JWT::DecodeError should generate a valid token - wrong secret should raise JWT::DecodeError + wrong key should raise JWT::DecodeError ::JWT.decode with verify_iat parameter when iat is exactly the same as Time.now and iat is given as floored integer considers iat valid - when iat is exactly the same as Time.now and iat is given as a float - considers iat valid when iat is 1 second before Time.now raises an error + when iat is exactly the same as Time.now and iat is given as a float + considers iat valid alg: RS384 should decode a valid token should generate a valid token wrong key should raise JWT::DecodeError - should decode a valid token using algorithm hash string key wrong key and verify = false should not raise JWT::DecodeError - when keyfinder given with 2 arguments - decodes the token - when none token is and decoding without key and with verification - decodes the token + should decode a valid token using algorithm hash string key + a token with no segments + raises JWT::DecodeError alg: RS512 - wrong key and verify = false should not raise JWT::DecodeError - should generate a valid token should decode a valid token using algorithm hash string key - wrong key should raise JWT::DecodeError - should decode a valid token - when token ends with a newline char - ignores the newline and decodes the token - alg: ED25519 + should generate a valid token should decode a valid token wrong key and verify = false should not raise JWT::DecodeError - should generate a valid token wrong key should raise JWT::DecodeError - when multiple algorithms given - starts trying with the algorithm referred in the header - alg: HS384 + alg: PS384 should decode a valid token - wrong secret and verify = false should not raise JWT::DecodeError - wrong secret should raise JWT::DecodeError - should generate a valid token - algorithm case insensitivity - ignores algorithm casing during encode/decode - raises error for invalid algorithm - alg: NONE should generate a valid token - decoding with verification - specifying the none algorithm - when the claims are valid - should decode the token - when the claims are invalid - should fail to decode the token - without specifying the none algorithm - should fail to decode the token - decoding without verification - should decode a valid token - when token is missing the alg header - raises JWT::IncorrectAlgorithm error - alg: HS512256 - wrong secret and verify = false should not raise JWT::DecodeError + wrong key and verify = false should not raise JWT::DecodeError + wrong key should raise JWT::DecodeError + alg: RS256 should generate a valid token + wrong key should raise JWT::DecodeError + wrong key and verify = false should not raise JWT::DecodeError should decode a valid token - wrong secret should raise JWT::DecodeError - when none token is decoded without verify - decodes the token + should decode a valid token using algorithm hash string key a token with two segments but does not require verifying raises something else than "Not enough or too many segments" when algorithm is a custom class @@ -1462,391 +1693,196 @@ when #verify method is missing can be used for encoding raises error on decoding + when alg is not matching + fails the validation process + when multiple custom algorithms are given for decoding + tries until the first match when #sign method is missing raises an error on encoding allows decoding - when multiple custom algorithms are given for decoding - tries until the first match when signature is not matching fails the validation process - when alg is not matching - fails the validation process - when keyfinder given with 1 argument - decodes the token - when token signed with nil and decoded with nil - raises JWT::DecodeError - alg: EdDSA - wrong key should raise JWT::DecodeError - should generate a valid token - wrong key and verify = false should not raise JWT::DecodeError - should decode a valid token - when hmac algorithm is used without secret key - encodes payload + when the alg is invalid + raises JWT::IncorrectAlgorithm error alg: PS256 - should decode a valid token - should generate a valid token - wrong key should raise JWT::DecodeError - wrong key and verify = false should not raise JWT::DecodeError - alg: ES384 wrong key should raise JWT::DecodeError should decode a valid token + should generate a valid token wrong key and verify = false should not raise JWT::DecodeError + a token with not enough segments + raises JWT::DecodeError + algorithm case insensitivity + raises error for invalid algorithm + ignores algorithm casing during encode/decode + when none token is and decoding without key and with verification + decodes the token + alg: HS512 should generate a valid token + wrong secret should raise JWT::DecodeError + wrong secret and verify = false should not raise JWT::DecodeError + should decode a valid token + ::JWT.decode with x5c parameter + calls X5cKeyFinder#from to verify the signature and return the payload + when keyfinder given with 2 arguments + decodes the token when the alg value is given as a header parameter - should generate the same token does not override the actual algorithm used - when none token is decoded with a key given - decodes the token - alg: HS512 + should generate the same token + alg: NONE + should generate a valid token + decoding without verification + should decode a valid token + decoding with verification + specifying the none algorithm + when the claims are invalid + should fail to decode the token + when the claims are valid + should decode the token + without specifying the none algorithm + should fail to decode the token + alg: HS384 wrong secret and verify = false should not raise JWT::DecodeError wrong secret should raise JWT::DecodeError should decode a valid token should generate a valid token - a token with not enough segments - raises JWT::DecodeError - alg: ES512 + when keyfinder given with 3 arguments + decodes the token but does not pass the payload + when keyfinder resolves to multiple keys and multiple algorithms given + with issue with HS256 keys + tries until the first match + with issue with ES256 keys + tries until the first match + tries until the first match + payload validation + does not validate the payload if it is not present + validates the payload with the ClaimsValidator if the payload is a hash + alg: HS256 + wrong secret and verify = false should not raise JWT::DecodeError should generate a valid token + wrong secret should raise JWT::DecodeError + should decode a valid token + alg: ES256 should decode a valid token + wrong key and verify = false should not raise JWT::DecodeError + should generate a valid token wrong key should raise JWT::DecodeError + when none token is decoded without verify + decodes the token + when token ends with a newline char + ignores the newline and decodes the token + when none token is decoded with a key given + decodes the token + Invalid + raises "No verification key available" error + ECDSA curve_name should raise JWT::IncorrectAlgorithm + algorithm should raise NotImplementedError + alg: EdDSA wrong key and verify = false should not raise JWT::DecodeError - alg: PS384 should decode a valid token - wrong key and verify = false should not raise JWT::DecodeError wrong key should raise JWT::DecodeError should generate a valid token - when keyfinder resolves to multiple keys and multiple algorithms given - with issue with ES256 keys - tries until the first match - tries until the first match - with issue with HS256 keys - tries until the first match - -JWT::Algos::Ecdsa - .curve_by_name - when unknown is given - raises an error - when prime256v1 is given - is expected to eq {:algorithm=>"ES256", :digest=>"sha256"} - when secp521r1 is given - is expected to eq {:algorithm=>"ES512", :digest=>"sha512"} - when secp256r1 is given - is expected to eq {:algorithm=>"ES256", :digest=>"sha256"} - when secp256k1 is given - is expected to eq {:algorithm=>"ES256K", :digest=>"sha256"} - -README.md code test - claims - JWK with thumbprint as kid via type - required_claims - jti - JWK with thumbprint as kid via symbol - JWK with thumbprint given in the initializer (legacy) - iss - find_key - JWK with thumbprint given in the initializer - JWK import and export - sub - iat - without leeway - with leeway - custom header fields - with custom field - nbf - with leeway - without leeway - The JWK based encode/decode routine - works as expected - The JWKS loader example - works as expected (legacy) - works as expected - aud - string - array - exp - without leeway - with leeway - algorithm usage - EDDSA - ECDSA - RSA - decodes with HMAC algorithm without secret key - NONE - decodes with HMAC algorithm with secret key - RSASSA-PSS - custom algorithm example - allows a module to be used as algorithm on encode and decode - -JWT::JWK::RSA - .common_parameters - when a common parameters hash is given - converts string keys to symbol keys - imports the common parameter - .kid - when kid is given in a hash parameter - uses the given kid - when configuration says to use :rfc7638_thumbprint - generates the kid based on the thumbprint - when kid is given as a String parameter - uses the given kid - .create_rsa_key_using_sets - when all key components n, e, d, p, q, dp, dq, qi are given - creates a valid RSA object representing a public key (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) - when only e, n, d, p and q are given - raises an error telling all the exponents are required (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) - when e, n, d is given - creates a valid RSA object representing a private key (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) - can be used for signing and verification (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) - can be used for encryption and decryption (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) - when public parameters (e, n) are given - creates a valid RSA object representing a public key (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) - #keypair - warns to stderr - .create_rsa_key_using_accessors - when e, n, d is given - can be used for encryption and decryption (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) - can be used for signing and verification (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) - creates a valid RSA object representing a private key (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) - when public parameters (e, n) are given - creates a valid RSA object representing a public key (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) - when all key components n, e, d, p, q, dp, dq, qi are given - creates a valid RSA object representing a public key (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) - when only e, n, d, p and q are given - raises an error telling all the exponents are required (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) - .new - when a keypair with both keys given - creates an instance of the class - when a keypair with only public key is given - creates an instance of the class - .create_rsa_key_using_der - when public parameters (e, n) are given - creates a valid RSA object representing a public key - when all key components n, e, d, p, q, dp, dq, qi are given - creates a valid RSA object representing a public key - when only e, n, d, p and q are given - raises an error telling all the exponents are required - when e, n, d is given - expects all CRT parameters given and raises error - #export - when private key is requested - returns a hash with the public AND private parts of the key - when keypair with public key is exported - returns a hash with the public parts of the key - when unsupported keypair is given - raises an error - when keypair with private key is exported - returns a hash with the public parts of the key - .import - when keypair is imported with symbol keys - returns a hash with the public parts of the key - when keypair is imported with string keys from JSON - returns a hash with the public parts of the key - when jwk_data is given without e and/or n - raises an error - when private key is included in the data - creates a complete keypair - -JWT::JWK::Thumbprint - #to_s - when HMAC key is given - is expected to eq "wPf4ZF5qlzoFxsGkft4eu1iWcehgAcahZL4XPV4dT-s" - when EC key is given - is expected to eq "dO52_we59sdR49HsGCpVzlDUQNvT3KxCTGakk4Un8qc" - when example from RFC is given - is expected to eq "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs" - -JWT::X5cKeyFinder - returns the public key from a certificate that is signed by trusted roots and not revoked - already parsed certificates - returns the public key from a certificate that is signed by trusted roots and not revoked - certificate - expired - raises an error - could not be chained to a trusted root certificate - given nil - raises a decode error - given an array - raises a verification error - signature could not be verified with the given trusted roots - raises an error - revoked - raises an error - ::JWT.decode - returns the encoded payload after successful certificate path verification - CRL - expired - raises an error - signature could not be verified with the given trusted roots - raises an error - not given - raises an error - -JWT::ClaimsValidator - #validate! - iat claim - it should behave like a NumericDate claim - when iat payload is a string - raises error - when iat payload is an integer - does not raise error - and key is a string - does not raise error - when iat payload is a string - raises error - and key is a string - raises error - when iat payload is a Time object - raises error - when iat payload is a float - does not raise error - exp claim - it should behave like a NumericDate claim - when exp payload is a string - raises error - and key is a string - raises error - when exp payload is a float - does not raise error - when exp payload is a string - raises error - when exp payload is an integer - does not raise error - and key is a string - does not raise error - when exp payload is a Time object - raises error - nbf claim - it should behave like a NumericDate claim - when nbf payload is an integer - does not raise error - and key is a string - does not raise error - when nbf payload is a float - does not raise error - when nbf payload is a string - raises error - and key is a string - raises error - when nbf payload is a string - raises error - when nbf payload is a Time object - raises error - -JWT::JWK - .import - creates a ::JWT::JWK::RSA instance - when keytype is not supported - raises an error - when a common JWK parameter is specified - returns the defined common JWK parameter - parsed from JSON - creates a ::JWT::JWK::RSA instance from JSON parsed JWK - when keypair with defined kid is imported - returns the predefined kid if jwt_data contains a kid - .[] - allows to set common parameters via the key-accessor - rejects key parameters as keys via the key-accessor - allows to read common parameters via the key-accessor - .new - when kid is given - sets the kid - when secret key is given - is expected to be a kind of JWT::JWK::HMAC - when a common parameter is given - sets the common parameter - when RSA key is given - is expected to be a kind of JWT::JWK::RSA - when EC key is given - is expected to be a kind of JWT::JWK::EC + when token signed with nil and decoded with nil + raises JWT::DecodeError + alg: HS512256 + should decode a valid token + wrong secret should raise JWT::DecodeError + wrong secret and verify = false should not raise JWT::DecodeError + should generate a valid token + Verify + issuer claim + if verify_iss is set to false (default option) should not raise JWT::InvalidIssuerError + algorithm + should raise JWT::IncorrectAlgorithm on mismatch + should raise JWT::IncorrectAlgorithm on mismatch prior to kid public key network call + should raise JWT::IncorrectAlgorithm when algorithms array does not contain algorithm + no algorithm provided + should use the default decode algorithm + token is missing algorithm + should raise JWT::IncorrectAlgorithm + 2-segment token + should raise JWT::IncorrectAlgorithm + when encoded payload is used to extract key through find_key + should be able to verify signature when block returns multiple keys with iss verification + should be able to verify signature when block returns multiple keys with multiple issuers + should be able to find a key using a block with multiple issuers + should be able to find a key using the block passed to decode + should be able to verify signature when block returns multiple keys + should be able to find a key using the block passed to decode with iss verification + when key given as an array with multiple possible keys + should be able to verify signature when block returns multiple keys + should fail if only invalid keys are given + should be able to verify signature when multiple keys given as a parameter -JWT::Configuration::JwkConfiguration - .kid_generator_type= - when invalid value is passed - raises ArgumentError - when valid value is passed - sets the generator matching the value +Pending: (Failures listed here are expected and do not affect your suite's status) -::JWT::Algos::HmacRbNaCl - .sign - when signature is generated by RbNaCl - can verify the signature with OpenSSL - .verify - when signature is generated with OpenSSL and key is very long - verifies the signature using OpenSSL features - when signature is generated with OpenSSL - verifies the signature - when signature is invalid - can verify without error + 1) JWT::JWK::RSA.create_rsa_key_using_accessors when only e, n, d, p and q are given raises an error telling all the exponents are required + # OpenSSL if RSA#set_key is available there is no accessors anymore + # ./spec/jwk/rsa_spec.rb:163 -Pending: (Failures listed here are expected and do not affect your suite's status) + 2) JWT::JWK::RSA.create_rsa_key_using_accessors when public parameters (e, n) are given creates a valid RSA object representing a public key + # OpenSSL if RSA#set_key is available there is no accessors anymore + # ./spec/jwk/rsa_spec.rb:154 - 1) ::JWT::Algos::HmacRbNaClFixed .sign when signature is generated by RbNaCl can verify the signature with OpenSSL - # Requires rbnacl gem < 6.0 - # ./spec/jwt/algos/hmac_rbnacl_fixed_spec.rb:49 + 3) JWT::JWK::RSA.create_rsa_key_using_accessors when e, n, d is given can be used for signing and verification + # OpenSSL if RSA#set_key is available there is no accessors anymore + # ./spec/jwk/rsa_spec.rb:195 - 2) ::JWT::Algos::HmacRbNaClFixed .verify when signature is generated with OpenSSL verifies the signature - # Requires rbnacl gem < 6.0 - # ./spec/jwt/algos/hmac_rbnacl_fixed_spec.rb:16 + 4) JWT::JWK::RSA.create_rsa_key_using_accessors when e, n, d is given can be used for encryption and decryption + # OpenSSL if RSA#set_key is available there is no accessors anymore + # ./spec/jwk/rsa_spec.rb:191 - 3) ::JWT::Algos::HmacRbNaClFixed .verify when signature is generated with OpenSSL and key is very long verifies the signature using OpenSSL features - # Requires rbnacl gem < 6.0 - # ./spec/jwt/algos/hmac_rbnacl_fixed_spec.rb:27 + 5) JWT::JWK::RSA.create_rsa_key_using_accessors when e, n, d is given creates a valid RSA object representing a private key + # OpenSSL if RSA#set_key is available there is no accessors anymore + # ./spec/jwk/rsa_spec.rb:186 - 4) ::JWT::Algos::HmacRbNaClFixed .verify when signature is invalid can verify without error - # Requires rbnacl gem < 6.0 - # ./spec/jwt/algos/hmac_rbnacl_fixed_spec.rb:38 + 6) JWT::JWK::RSA.create_rsa_key_using_accessors when all key components n, e, d, p, q, dp, dq, qi are given creates a valid RSA object representing a public key + # OpenSSL if RSA#set_key is available there is no accessors anymore + # ./spec/jwk/rsa_spec.rb:171 - 5) JWT::JWK::RSA.create_rsa_key_using_sets when all key components n, e, d, p, q, dp, dq, qi are given creates a valid RSA object representing a public key + 7) JWT::JWK::RSA.create_rsa_key_using_sets when all key components n, e, d, p, q, dp, dq, qi are given creates a valid RSA object representing a public key # OpenSSL 3.0 does not allow mutating objects anymore # ./spec/jwk/rsa_spec.rb:171 - 6) JWT::JWK::RSA.create_rsa_key_using_sets when only e, n, d, p and q are given raises an error telling all the exponents are required + 8) JWT::JWK::RSA.create_rsa_key_using_sets when only e, n, d, p and q are given raises an error telling all the exponents are required # OpenSSL 3.0 does not allow mutating objects anymore # ./spec/jwk/rsa_spec.rb:163 - 7) JWT::JWK::RSA.create_rsa_key_using_sets when e, n, d is given creates a valid RSA object representing a private key - # OpenSSL 3.0 does not allow mutating objects anymore - # ./spec/jwk/rsa_spec.rb:186 - - 8) JWT::JWK::RSA.create_rsa_key_using_sets when e, n, d is given can be used for signing and verification + 9) JWT::JWK::RSA.create_rsa_key_using_sets when public parameters (e, n) are given creates a valid RSA object representing a public key # OpenSSL 3.0 does not allow mutating objects anymore - # ./spec/jwk/rsa_spec.rb:195 + # ./spec/jwk/rsa_spec.rb:154 - 9) JWT::JWK::RSA.create_rsa_key_using_sets when e, n, d is given can be used for encryption and decryption + 10) JWT::JWK::RSA.create_rsa_key_using_sets when e, n, d is given can be used for encryption and decryption # OpenSSL 3.0 does not allow mutating objects anymore # ./spec/jwk/rsa_spec.rb:191 - 10) JWT::JWK::RSA.create_rsa_key_using_sets when public parameters (e, n) are given creates a valid RSA object representing a public key + 11) JWT::JWK::RSA.create_rsa_key_using_sets when e, n, d is given can be used for signing and verification # OpenSSL 3.0 does not allow mutating objects anymore - # ./spec/jwk/rsa_spec.rb:154 - - 11) JWT::JWK::RSA.create_rsa_key_using_accessors when e, n, d is given can be used for encryption and decryption - # OpenSSL if RSA#set_key is available there is no accessors anymore - # ./spec/jwk/rsa_spec.rb:191 - - 12) JWT::JWK::RSA.create_rsa_key_using_accessors when e, n, d is given can be used for signing and verification - # OpenSSL if RSA#set_key is available there is no accessors anymore # ./spec/jwk/rsa_spec.rb:195 - 13) JWT::JWK::RSA.create_rsa_key_using_accessors when e, n, d is given creates a valid RSA object representing a private key - # OpenSSL if RSA#set_key is available there is no accessors anymore + 12) JWT::JWK::RSA.create_rsa_key_using_sets when e, n, d is given creates a valid RSA object representing a private key + # OpenSSL 3.0 does not allow mutating objects anymore # ./spec/jwk/rsa_spec.rb:186 - 14) JWT::JWK::RSA.create_rsa_key_using_accessors when public parameters (e, n) are given creates a valid RSA object representing a public key - # OpenSSL if RSA#set_key is available there is no accessors anymore - # ./spec/jwk/rsa_spec.rb:154 + 13) ::JWT::Algos::HmacRbNaClFixed .sign when signature is generated by RbNaCl can verify the signature with OpenSSL + # Requires rbnacl gem < 6.0 + # ./spec/jwt/algos/hmac_rbnacl_fixed_spec.rb:49 - 15) JWT::JWK::RSA.create_rsa_key_using_accessors when all key components n, e, d, p, q, dp, dq, qi are given creates a valid RSA object representing a public key - # OpenSSL if RSA#set_key is available there is no accessors anymore - # ./spec/jwk/rsa_spec.rb:171 + 14) ::JWT::Algos::HmacRbNaClFixed .verify when signature is generated with OpenSSL and key is very long verifies the signature using OpenSSL features + # Requires rbnacl gem < 6.0 + # ./spec/jwt/algos/hmac_rbnacl_fixed_spec.rb:27 - 16) JWT::JWK::RSA.create_rsa_key_using_accessors when only e, n, d, p and q are given raises an error telling all the exponents are required - # OpenSSL if RSA#set_key is available there is no accessors anymore - # ./spec/jwk/rsa_spec.rb:163 + 15) ::JWT::Algos::HmacRbNaClFixed .verify when signature is generated with OpenSSL verifies the signature + # Requires rbnacl gem < 6.0 + # ./spec/jwt/algos/hmac_rbnacl_fixed_spec.rb:16 -Finished in 2 minutes 11.9 seconds (files took 3.74 seconds to load) + 16) ::JWT::Algos::HmacRbNaClFixed .verify when signature is invalid can verify without error + # Requires rbnacl gem < 6.0 + # ./spec/jwt/algos/hmac_rbnacl_fixed_spec.rb:38 + +Finished in 51.8 seconds (files took 1.91 seconds to load) 402 examples, 0 failures, 16 pending -Randomized with seed 61033 +Randomized with seed 6273 /usr/bin/ruby3.3 /usr/bin/gem2deb-test-runner @@ -1871,689 +1907,467 @@ All examples were filtered out; ignoring {:focus=>true} -Randomized with seed 47817 - -JWT::JWK::Thumbprint - #to_s - when HMAC key is given - is expected to eq "wPf4ZF5qlzoFxsGkft4eu1iWcehgAcahZL4XPV4dT-s" - when example from RFC is given - is expected to eq "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs" - when EC key is given - is expected to eq "dO52_we59sdR49HsGCpVzlDUQNvT3KxCTGakk4Un8qc" - -JWT - JWT.configure - yields the configuration - allows configuration to be changed via the block - -README.md code test - claims - JWK with thumbprint as kid via type - sub - JWK import and export - find_key - JWK with thumbprint given in the initializer - JWK with thumbprint as kid via symbol - required_claims - iss - JWK with thumbprint given in the initializer (legacy) - jti - The JWK based encode/decode routine - works as expected - aud - array - string - custom header fields - with custom field - exp - with leeway - without leeway - The JWKS loader example - works as expected - works as expected (legacy) - nbf - with leeway - without leeway - iat - with leeway - without leeway - algorithm usage - EDDSA - NONE - RSA - decodes with HMAC algorithm with secret key - ECDSA - RSASSA-PSS - decodes with HMAC algorithm without secret key - custom algorithm example - allows a module to be used as algorithm on encode and decode - -JWT::JWK::OKPRbNaCl - .import - when exported private key is given - creates a new instance of the class - when exported public key is given - creates a new instance of the class - when JWK is given - creates a new instance of the class - .new - when jwk parameters given - is expected to be a kind of JWT::JWK::OKPRbNaCl - when something else than a public or private key is given - raises an ArgumentError - when public key is given - is expected to be a kind of JWT::JWK::OKPRbNaCl - when private key is given - is expected to be a kind of JWT::JWK::OKPRbNaCl - #verify_key - is the verify key - #private? - when public key is given - is expected to eq false - when private key is given - is expected to eq true - #export - when private key is asked for - exports the private key - when private key is given - exports the public key - -JWT::ClaimsValidator - #validate! - exp claim - it should behave like a NumericDate claim - when exp payload is a Time object - raises error - when exp payload is a float - does not raise error - when exp payload is an integer - does not raise error - and key is a string - does not raise error - when exp payload is a string - raises error - and key is a string - raises error - when exp payload is a string - raises error - nbf claim - it should behave like a NumericDate claim - when nbf payload is an integer - does not raise error - and key is a string - does not raise error - when nbf payload is a float - does not raise error - when nbf payload is a string - raises error - and key is a string - raises error - when nbf payload is a Time object - raises error - when nbf payload is a string - raises error - iat claim - it should behave like a NumericDate claim - when iat payload is a float - does not raise error - when iat payload is an integer - does not raise error - and key is a string - does not raise error - when iat payload is a string - raises error - when iat payload is a Time object - raises error - when iat payload is a string - raises error - and key is a string - raises error - -::JWT::Algos::HmacRbNaCl - .verify - when signature is invalid - can verify without error - when signature is generated with OpenSSL - verifies the signature - when signature is generated with OpenSSL and key is very long - verifies the signature using OpenSSL features - .sign - when signature is generated by RbNaCl - can verify the signature with OpenSSL - -JWT::Algos::Ecdsa - .curve_by_name - when unknown is given - raises an error - when secp256r1 is given - is expected to eq {:algorithm=>"ES256", :digest=>"sha256"} - when prime256v1 is given - is expected to eq {:algorithm=>"ES256", :digest=>"sha256"} - when secp521r1 is given - is expected to eq {:algorithm=>"ES512", :digest=>"sha512"} - when secp256k1 is given - is expected to eq {:algorithm=>"ES256K", :digest=>"sha256"} - -JWT::JWK - .import - creates a ::JWT::JWK::RSA instance - parsed from JSON - creates a ::JWT::JWK::RSA instance from JSON parsed JWK - when a common JWK parameter is specified - returns the defined common JWK parameter - when keypair with defined kid is imported - returns the predefined kid if jwt_data contains a kid - when keytype is not supported - raises an error - .[] - allows to read common parameters via the key-accessor - rejects key parameters as keys via the key-accessor - allows to set common parameters via the key-accessor - .new - when secret key is given - is expected to be a kind of JWT::JWK::HMAC - when RSA key is given - is expected to be a kind of JWT::JWK::RSA - when a common parameter is given - sets the common parameter - when kid is given - sets the kid - when EC key is given - is expected to be a kind of JWT::JWK::EC - -JWT::JWK::Set - .reject! - filters the keyset - .eql? - correctly classifies equal sets - correctly classifies different sets - .export - exports the JWKS to Hash - .uniq! - filters out equal keys - .new - raises an error on invalid inputs - can create an empty set - can create a set - from a JWKS hash with string keys - from a JWKS hash with symbol keys - from an array of keys - from an existing JWT::JWK::Set - from a JWK - .select! - filters the keyset - .merge - merges two JWKSs - when called via "|" operator - when called directly - when called via .union - -JWT - .decode for JWK usecase - when jwk keys are loaded from JSON with string keys - decodes the token - when jwk keys are given as an array - and kid is not in the set - raises an exception - token does not know the kid - raises an exception - and kid is in the set - is able to decode the token - no keys are found in the set - raises an exception - when the token kid is not a string - raises an exception - when the token kid is nil - and allow_nil_kid is specified - decodes the token - mixing algorithms using kid header - when RSA key is pointed to as HMAC secret - raises JWT::DecodeError - when HMAC secret is pointed to as RSA public key - fails in some way - when HMAC secret is pointed to as EC public key - fails in some way - when EC key is pointed to as RSA public key - fails in some way - when ES384 key is pointed to as ES512 key - fails in some way - when OKP keys are used - decodes the token - when EC key is pointed to as HMAC secret - raises JWT::DecodeError - when JWK features are used manually - is able to decode the token - when jwk keys are rotated - decodes the token - when jwk keys are loaded using a proc/lambda - decodes the token - -JWT::JWK::EC - #keypair - warns to stderr - .import - when crv=P-256 - when keypair is public - returns a public key - returns a hash with the public parts of the key - when keypair is private - returns a private key - with a custom "kid" value - imports that "kid" value - when crv=P-384 - when keypair is private - returns a private key - with a custom "kid" value - imports that "kid" value - when keypair is public - returns a public key - returns a hash with the public parts of the key - when crv=P-256K - when keypair is private - returns a private key - with a custom "kid" value - imports that "kid" value - when keypair is public - returns a public key - returns a hash with the public parts of the key - when crv=P-521 - when keypair is private - returns a private key - with a custom "kid" value - imports that "kid" value - when keypair is public - returns a public key - returns a hash with the public parts of the key - .new - when a keypair with only public key is given - creates an instance of the class - when a keypair with both keys given - creates an instance of the class - #export - when private key is requested - returns a hash with the both parts of the key - when a common parameter is given - returns a hash including the common parameter - when keypair with private key is exported - returns a hash with the both parts of the key - when keypair with public key is exported - returns a hash with the public parts of the key - when a custom "kid" is provided - exports it +Randomized with seed 48683 JWT::Verify - .verify_not_before(payload, options) - must allow some leeway in the token age when nbf_leeway is configured - must allow some leeway in the token age when global leeway is configured - must raise JWT::ImmatureSignature when the nbf in the payload is in the future - .verify_required_claims(payload, options) - must verify the claims if all required claims are present - must raise JWT::MissingRequiredClaim if a required claim is absent - .verify_jti(payload, options) - must raise JWT::InvalidJtiError when verify_jti proc returns false - should have payload as second param in proc - must raise JWT::InvalidJtiError when the jti is missing - must raise JWT::InvalidJtiError when the jti is an empty string - true proc should not raise JWT::InvalidJtiError - must allow any jti when the verfy_jti key in the options is truthy but not a proc - it should not throw arguement error with 2 args - .verify_iat(payload, options) - must raise JWT::InvalidIatError when the iat value is in the future - must properly handle integer times - must ignore configured leeway - must allow a valid iat - must raise JWT::InvalidIatError when the iat value is not Numeric - .verify_sub(payload, options) - must raise JWT::InvalidSubError when the subjects do not match - must allow a matching sub + .verify_aud(payload, options) + must raise JWT::InvalidAudError when the singular audience does not match + must allow an array with any value matching the one in the options + must allow a singular audience payload matching any value in the options array + must allow a matching singular audience to pass + must raise JWT::InvalidAudError when the payload has an array and none match the supplied value + must allow an array with any value matching any value in the options array .verify_expiration(payload, options) + must raise JWT::ExpiredSignature when the token has expired must allow some leeway in the expiration when global leeway is configured must allow some leeway in the expiration when exp_leeway is configured must be expired if the exp claim equals the current time - must raise JWT::ExpiredSignature when the token has expired when leeway is not specified used a default leeway of 0 + .verify_required_claims(payload, options) + must raise JWT::MissingRequiredClaim if a required claim is absent + must verify the claims if all required claims are present .verify_claims - must raise error when verify_not_before option is set to true - must skip verification when verify_expiration option is set to false + must raise error when verify_expiration option is set to true must skip verification when verify_iat option is set to false - must skip verification when verify_iss option is set to false - must raise error when verify_iss option is set to true must raise error when verify_sub option is set to true - must raise error when verify_aud option is set to true + must skip verification when verify_expiration option is set to false + must raise error when verify_jti option is set to true must skip verification when verify_jti option is set to false + must skip verification when verify_aud option is set to false must raise error when verify_iat option is set to true - must skip verification when verify_not_before option is set to false + must raise error when verify_not_before option is set to true must skip verification when verify_sub option is set to false - must raise error when verify_jti option is set to true - must skip verification when verify_aud option is set to false - must raise error when verify_expiration option is set to true + must raise error when verify_iss option is set to true + must raise error when verify_aud option is set to true + must skip verification when verify_iss option is set to false + must skip verification when verify_not_before option is set to false + .verify_sub(payload, options) + must raise JWT::InvalidSubError when the subjects do not match + must allow a matching sub + .verify_iat(payload, options) + must raise JWT::InvalidIatError when the iat value is in the future + must raise JWT::InvalidIatError when the iat value is not Numeric + must properly handle integer times + must ignore configured leeway + must allow a valid iat + .verify_not_before(payload, options) + must allow some leeway in the token age when global leeway is configured + must allow some leeway in the token age when nbf_leeway is configured + must raise JWT::ImmatureSignature when the nbf in the payload is in the future + .verify_jti(payload, options) + should have payload as second param in proc + must raise JWT::InvalidJtiError when verify_jti proc returns false + it should not throw arguement error with 2 args + true proc should not raise JWT::InvalidJtiError + must raise JWT::InvalidJtiError when the jti is missing + must raise JWT::InvalidJtiError when the jti is an empty string + must allow any jti when the verfy_jti key in the options is truthy but not a proc .verify_iss(payload, options) - when iss is a Method instance + when iss is an Array + must raise JWT::InvalidIssuerError when the payload does not include an issuer + must allow an array with matching issuer to pass + must raise JWT::InvalidIssuerError when no matching issuers in array + when iss is a RegExp + must raise JWT::InvalidIssuerError when the regular expression does not match + must allow a regular expression matching the issuer to pass must raise JWT::InvalidIssuerError when the payload does not include an issuer + when iss is a Method instance must allow a method that returns true to pass + must raise JWT::InvalidIssuerError when the payload does not include an issuer must raise JWT::InvalidIssuerError when the method returns false when iss is a Proc must allow a proc that returns true to pass - must raise JWT::InvalidIssuerError when the proc returns false - must raise JWT::InvalidIssuerError when the payload does not include an issuer - when iss is an Array - must raise JWT::InvalidIssuerError when no matching issuers in array - must allow an array with matching issuer to pass must raise JWT::InvalidIssuerError when the payload does not include an issuer + must raise JWT::InvalidIssuerError when the proc returns false when iss is a String must raise JWT::InvalidIssuerError when the configured issuer does not match the payload issuer - must allow a matching issuer to pass - must raise JWT::InvalidIssuerError when the payload does not include an issuer - when iss is a RegExp - must raise JWT::InvalidIssuerError when the regular expression does not match - must allow a regular expression matching the issuer to pass must raise JWT::InvalidIssuerError when the payload does not include an issuer - .verify_aud(payload, options) - must raise JWT::InvalidAudError when the payload has an array and none match the supplied value - must allow an array with any value matching any value in the options array - must allow a matching singular audience to pass - must allow an array with any value matching the one in the options - must allow a singular audience payload matching any value in the options array - must raise JWT::InvalidAudError when the singular audience does not match - -JWT::Configuration::JwkConfiguration - .kid_generator_type= - when valid value is passed - sets the generator matching the value - when invalid value is passed - raises ArgumentError - -JWT::JWK::HMAC - .import - when secret key is given - returns a key - with a common parameter - imports that common parameter - with a custom "kid" value - imports that "kid" value - .new - when a secret key given - creates an instance of the class - #export - when key is exported with private key - returns a hash with the key - when key is exported - returns a hash with the key - #[]= - when k is given - raises an error - #keypair - returns a string - -JWT::X5cKeyFinder - returns the public key from a certificate that is signed by trusted roots and not revoked - already parsed certificates - returns the public key from a certificate that is signed by trusted roots and not revoked - ::JWT.decode - returns the encoded payload after successful certificate path verification - CRL - expired - raises an error - signature could not be verified with the given trusted roots - raises an error - not given - raises an error - certificate - expired - raises an error - could not be chained to a trusted root certificate - given nil - raises a decode error - given an array - raises a verification error - signature could not be verified with the given trusted roots - raises an error - revoked - raises an error - -JWT::Algos::Hmac - .sign - when nil hmac_secret is passed - when OpenSSL raises any other error - raises the original error - when other versions of openssl do not raise an exception - is expected to eql "C\xB0\xCE\xF9\x92e\xF9\xE3L\x10\xEA\x9D5\x01\x92m'\xB3\x9FW\xC6\xD6tV\x1D\x8B\xA26\xE7\xA8\x19\xFB" - when OpenSSL 3.0 raises a malloc failure - raises JWT::DecodeError - when blank hmac_secret is passed - when OpenSSL 3.0 raises a malloc failure - raises JWT::DecodeError - when OpenSSL raises any other error - raises the original error - when other versions of openssl do not raise an exception - is expected to eql "C\xB0\xCE\xF9\x92e\xF9\xE3L\x10\xEA\x9D5\x01\x92m'\xB3\x9FW\xC6\xD6tV\x1D\x8B\xA26\xE7\xA8\x19\xFB" - when hmac_secret is passed - when OpenSSL raises any other error - raises the original error - when OpenSSL 3.0 raises a malloc failure - raises the original error - when other versions of openssl do not raise an exception - is expected to eql "\x88\xCD!\b\xB54}\x97<\xF3\x9C\xDF\x90S\xD7\xDDBpHv\xD8\xC9\xA9\xBD\x8E-\x16\x82Y\xD3\xDD\xF7" + must allow a matching issuer to pass JWT should not raise InvalidPayload exception if payload is an array - should encode string payloads should not verify token even if the payload has claims - Invalid - raises "No verification key available" error - ECDSA curve_name should raise JWT::IncorrectAlgorithm - algorithm should raise NotImplementedError - when the alg value is given as a header parameter - should generate the same token - does not override the actual algorithm used - when token is missing the alg header - raises JWT::IncorrectAlgorithm error + should encode string payloads + a token with no segments + raises JWT::DecodeError a token with not enough segments raises JWT::DecodeError - when token has null as the alg header - raises JWT::IncorrectAlgorithm error - alg: NONE + alg: ES256K + should decode a valid token should generate a valid token - decoding without verification - should decode a valid token - decoding with verification - without specifying the none algorithm - should fail to decode the token - specifying the none algorithm - when the claims are valid - should decode the token - when the claims are invalid - should fail to decode the token + wrong key and verify = false should not raise JWT::DecodeError + wrong key should raise JWT::DecodeError + when hmac algorithm is used without secret key + encodes payload + alg: ES384 + wrong key and verify = false should not raise JWT::DecodeError + should decode a valid token + should generate a valid token + wrong key should raise JWT::DecodeError when keyfinder given with 3 arguments decodes the token but does not pass the payload + when keyfinder given with 2 arguments + decodes the token alg: HS256 - should generate a valid token + should decode a valid token wrong secret and verify = false should not raise JWT::DecodeError wrong secret should raise JWT::DecodeError - should decode a valid token - a token with no segments - raises JWT::DecodeError - alg: ES256 - should decode a valid token - wrong key should raise JWT::DecodeError should generate a valid token - wrong key and verify = false should not raise JWT::DecodeError - alg: RS256 - wrong key should raise JWT::DecodeError + alg: RS384 should decode a valid token using algorithm hash string key should decode a valid token wrong key and verify = false should not raise JWT::DecodeError should generate a valid token - alg: HS384 + wrong key should raise JWT::DecodeError + alg: PS384 should generate a valid token - wrong secret should raise JWT::DecodeError - wrong secret and verify = false should not raise JWT::DecodeError should decode a valid token - alg: RS512 - should decode a valid token using algorithm hash string key - should generate a valid token - wrong key should raise JWT::DecodeError wrong key and verify = false should not raise JWT::DecodeError - should decode a valid token - a token with invalid Base64 segments + wrong key should raise JWT::DecodeError + a token with not too many segments raises JWT::DecodeError - when the alg is invalid - raises JWT::IncorrectAlgorithm error Verify - when encoded payload is used to extract key through find_key - should be able to verify signature when block returns multiple keys with iss verification - should be able to verify signature when block returns multiple keys with multiple issuers - should be able to find a key using the block passed to decode - should be able to find a key using a block with multiple issuers - should be able to find a key using the block passed to decode with iss verification - should be able to verify signature when block returns multiple keys - issuer claim - if verify_iss is set to false (default option) should not raise JWT::InvalidIssuerError algorithm + should raise JWT::IncorrectAlgorithm when algorithms array does not contain algorithm should raise JWT::IncorrectAlgorithm on mismatch prior to kid public key network call should raise JWT::IncorrectAlgorithm on mismatch - should raise JWT::IncorrectAlgorithm when algorithms array does not contain algorithm - no algorithm provided - should use the default decode algorithm token is missing algorithm should raise JWT::IncorrectAlgorithm 2-segment token should raise JWT::IncorrectAlgorithm + no algorithm provided + should use the default decode algorithm + issuer claim + if verify_iss is set to false (default option) should not raise JWT::InvalidIssuerError + when encoded payload is used to extract key through find_key + should be able to find a key using a block with multiple issuers + should be able to verify signature when block returns multiple keys with multiple issuers + should be able to verify signature when block returns multiple keys with iss verification + should be able to find a key using the block passed to decode with iss verification + should be able to verify signature when block returns multiple keys + should be able to find a key using the block passed to decode when key given as an array with multiple possible keys should fail if only invalid keys are given should be able to verify signature when multiple keys given as a parameter should be able to verify signature when block returns multiple keys - when algorithm is a custom class - can be used for encoding - can be used for decoding - when signature is not matching - fails the validation process - when multiple custom algorithms are given for decoding - tries until the first match - when #verify method is missing - raises error on decoding - can be used for encoding - when alg is not matching - fails the validation process - when #sign method is missing - allows decoding - raises an error on encoding - a token with not too many segments - raises JWT::DecodeError - when keyfinder given with 1 argument - decodes the token - when keyfinder given with 2 arguments - decodes the token - when hmac algorithm is used without secret key - encodes payload - when none token is and decoding without key and with verification + alg: HS512 + should generate a valid token + wrong secret and verify = false should not raise JWT::DecodeError + should decode a valid token + wrong secret should raise JWT::DecodeError + algorithm case insensitivity + ignores algorithm casing during encode/decode + raises error for invalid algorithm + when none token is decoded without verify decodes the token alg: PS512 wrong key and verify = false should not raise JWT::DecodeError - should decode a valid token + should generate a valid token wrong key should raise JWT::DecodeError + should decode a valid token + alg: NONE should generate a valid token - alg: HS512 + decoding without verification + should decode a valid token + decoding with verification + specifying the none algorithm + when the claims are invalid + should fail to decode the token + when the claims are valid + should decode the token + without specifying the none algorithm + should fail to decode the token + a token with invalid Base64 segments + raises JWT::DecodeError + alg: HS512256 wrong secret and verify = false should not raise JWT::DecodeError should generate a valid token - wrong secret should raise JWT::DecodeError should decode a valid token - when token signed with nil and decoded with nil - raises JWT::DecodeError - ::JWT.decode with x5c parameter - calls X5cKeyFinder#from to verify the signature and return the payload - alg: PS384 - wrong key should raise JWT::DecodeError + wrong secret should raise JWT::DecodeError + alg: EdDSA should decode a valid token - should generate a valid token wrong key and verify = false should not raise JWT::DecodeError - alg: ED25519 should generate a valid token wrong key should raise JWT::DecodeError - should decode a valid token - wrong key and verify = false should not raise JWT::DecodeError - when none token is decoded with a key given - decodes the token - ::JWT.decode with verify_iat parameter - when iat is exactly the same as Time.now and iat is given as a float - considers iat valid - when iat is 1 second before Time.now - raises an error - when iat is exactly the same as Time.now and iat is given as floored integer - considers iat valid - alg: RS384 + a token with two segments but does not require verifying + raises something else than "Not enough or too many segments" + alg: RS512 should decode a valid token using algorithm hash string key + wrong key and verify = false should not raise JWT::DecodeError wrong key should raise JWT::DecodeError should decode a valid token should generate a valid token - wrong key and verify = false should not raise JWT::DecodeError - alg: ES256K + alg: ES256 should generate a valid token - wrong key should raise JWT::DecodeError wrong key and verify = false should not raise JWT::DecodeError + wrong key should raise JWT::DecodeError should decode a valid token - algorithm case insensitivity - raises error for invalid algorithm - ignores algorithm casing during encode/decode - alg: ES384 + alg: HS384 + wrong secret should raise JWT::DecodeError + wrong secret and verify = false should not raise JWT::DecodeError should generate a valid token - wrong key and verify = false should not raise JWT::DecodeError should decode a valid token - wrong key should raise JWT::DecodeError + when multiple algorithms given + starts trying with the algorithm referred in the header + when token is missing the alg header + raises JWT::IncorrectAlgorithm error + when the alg is invalid + raises JWT::IncorrectAlgorithm error + when token signed with nil and decoded with nil + raises JWT::DecodeError + payload validation + does not validate the payload if it is not present + validates the payload with the ClaimsValidator if the payload is a hash + ::JWT.decode with x5c parameter + calls X5cKeyFinder#from to verify the signature and return the payload alg: ES512 should decode a valid token wrong key and verify = false should not raise JWT::DecodeError - wrong key should raise JWT::DecodeError should generate a valid token - when token ends with a newline char - ignores the newline and decodes the token + wrong key should raise JWT::DecodeError when keyfinder resolves to multiple keys and multiple algorithms given with issue with HS256 keys tries until the first match with issue with ES256 keys tries until the first match tries until the first match - when none token is decoded without verify + alg: PS256 + should generate a valid token + should decode a valid token + wrong key and verify = false should not raise JWT::DecodeError + wrong key should raise JWT::DecodeError + when the alg value is given as a header parameter + does not override the actual algorithm used + should generate the same token + when token has null as the alg header + raises JWT::IncorrectAlgorithm error + when algorithm is a custom class + can be used for decoding + can be used for encoding + when #sign method is missing + allows decoding + raises an error on encoding + when alg is not matching + fails the validation process + when signature is not matching + fails the validation process + when #verify method is missing + raises error on decoding + can be used for encoding + when multiple custom algorithms are given for decoding + tries until the first match + when keyfinder given with 1 argument decodes the token - payload validation - does not validate the payload if it is not present - validates the payload with the ClaimsValidator if the payload is a hash - alg: EdDSA + Invalid + raises "No verification key available" error + algorithm should raise NotImplementedError + ECDSA curve_name should raise JWT::IncorrectAlgorithm + when token ends with a newline char + ignores the newline and decodes the token + alg: ED25519 wrong key and verify = false should not raise JWT::DecodeError - should decode a valid token wrong key should raise JWT::DecodeError should generate a valid token - alg: PS256 - wrong key should raise JWT::DecodeError - wrong key and verify = false should not raise JWT::DecodeError should decode a valid token + ::JWT.decode with verify_iat parameter + when iat is exactly the same as Time.now and iat is given as floored integer + considers iat valid + when iat is 1 second before Time.now + raises an error + when iat is exactly the same as Time.now and iat is given as a float + considers iat valid + when none token is and decoding without key and with verification + decodes the token + alg: RS256 + wrong key and verify = false should not raise JWT::DecodeError should generate a valid token - a token with two segments but does not require verifying - raises something else than "Not enough or too many segments" - when multiple algorithms given - starts trying with the algorithm referred in the header - alg: HS512256 - wrong secret should raise JWT::DecodeError + should decode a valid token using algorithm hash string key should decode a valid token - should generate a valid token - wrong secret and verify = false should not raise JWT::DecodeError + wrong key should raise JWT::DecodeError + when none token is decoded with a key given + decodes the token -::JWT::Algos::HmacRbNaClFixed - .sign - when signature is generated by RbNaCl - can verify the signature with OpenSSL (PENDING: Requires rbnacl gem < 6.0) - .verify - when signature is invalid - can verify without error (PENDING: Requires rbnacl gem < 6.0) - when signature is generated with OpenSSL - verifies the signature (PENDING: Requires rbnacl gem < 6.0) - when signature is generated with OpenSSL and key is very long - verifies the signature using OpenSSL features (PENDING: Requires rbnacl gem < 6.0) +JWT::Configuration::JwkConfiguration + .kid_generator_type= + when valid value is passed + sets the generator matching the value + when invalid value is passed + raises ArgumentError + +JWT::JWK::OKPRbNaCl + #export + when private key is asked for + exports the private key + when private key is given + exports the public key + .new + when something else than a public or private key is given + raises an ArgumentError + when jwk parameters given + is expected to be a kind of JWT::JWK::OKPRbNaCl + when private key is given + is expected to be a kind of JWT::JWK::OKPRbNaCl + when public key is given + is expected to be a kind of JWT::JWK::OKPRbNaCl + #verify_key + is the verify key + .import + when exported public key is given + creates a new instance of the class + when JWK is given + creates a new instance of the class + when exported private key is given + creates a new instance of the class + #private? + when private key is given + is expected to eq true + when public key is given + is expected to eq false + +JWT::JWK::Thumbprint + #to_s + when example from RFC is given + is expected to eq "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs" + when HMAC key is given + is expected to eq "wPf4ZF5qlzoFxsGkft4eu1iWcehgAcahZL4XPV4dT-s" + when EC key is given + is expected to eq "dO52_we59sdR49HsGCpVzlDUQNvT3KxCTGakk4Un8qc" + +JWT::JWK::Set + .select! + filters the keyset + .new + raises an error on invalid inputs + can create an empty set + can create a set + from a JWKS hash with string keys + from a JWKS hash with symbol keys + from a JWK + from an array of keys + from an existing JWT::JWK::Set + .merge + merges two JWKSs + when called via "|" operator + when called via .union + when called directly + .export + exports the JWKS to Hash + .reject! + filters the keyset + .uniq! + filters out equal keys + .eql? + correctly classifies different sets + correctly classifies equal sets + +README.md code test + algorithm usage + RSASSA-PSS + ECDSA + RSA + decodes with HMAC algorithm with secret key + EDDSA + NONE + decodes with HMAC algorithm without secret key + custom algorithm example + allows a module to be used as algorithm on encode and decode + claims + JWK import and export + iss + JWK with thumbprint given in the initializer (legacy) + find_key + JWK with thumbprint given in the initializer + jti + JWK with thumbprint as kid via type + sub + required_claims + JWK with thumbprint as kid via symbol + nbf + with leeway + without leeway + The JWK based encode/decode routine + works as expected + exp + with leeway + without leeway + custom header fields + with custom field + iat + without leeway + with leeway + aud + string + array + The JWKS loader example + works as expected (legacy) + works as expected + +JWT::Algos::Ecdsa + .curve_by_name + when secp521r1 is given + is expected to eq {:algorithm=>"ES512", :digest=>"sha512"} + when secp256k1 is given + is expected to eq {:algorithm=>"ES256K", :digest=>"sha256"} + when unknown is given + raises an error + when prime256v1 is given + is expected to eq {:algorithm=>"ES256", :digest=>"sha256"} + when secp256r1 is given + is expected to eq {:algorithm=>"ES256", :digest=>"sha256"} + +JWT::X5cKeyFinder + returns the public key from a certificate that is signed by trusted roots and not revoked + CRL + not given + raises an error + expired + raises an error + signature could not be verified with the given trusted roots + raises an error + ::JWT.decode + returns the encoded payload after successful certificate path verification + already parsed certificates + returns the public key from a certificate that is signed by trusted roots and not revoked + certificate + expired + raises an error + signature could not be verified with the given trusted roots + raises an error + could not be chained to a trusted root certificate + given an array + raises a verification error + given nil + raises a decode error + revoked + raises an error + +JWT::JWK::HMAC + #[]= + when k is given + raises an error + #export + when key is exported with private key + returns a hash with the key + when key is exported + returns a hash with the key + .import + when secret key is given + returns a key + with a common parameter + imports that common parameter + with a custom "kid" value + imports that "kid" value + .new + when a secret key given + creates an instance of the class + #keypair + returns a string JWT::JWK::RSA .create_rsa_key_using_accessors + when public parameters (e, n) are given + creates a valid RSA object representing a public key (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) when only e, n, d, p and q are given raises an error telling all the exponents are required (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) when e, n, d is given @@ -2562,135 +2376,357 @@ can be used for signing and verification (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) when all key components n, e, d, p, q, dp, dq, qi are given creates a valid RSA object representing a public key (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) - when public parameters (e, n) are given - creates a valid RSA object representing a public key (PENDING: OpenSSL if RSA#set_key is available there is no accessors anymore) - .create_rsa_key_using_sets - when only e, n, d, p and q are given - raises an error telling all the exponents are required (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) - when e, n, d is given - can be used for signing and verification (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) - creates a valid RSA object representing a private key (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) - can be used for encryption and decryption (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) - when all key components n, e, d, p, q, dp, dq, qi are given - creates a valid RSA object representing a public key (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) - when public parameters (e, n) are given - creates a valid RSA object representing a public key (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) - #export - when private key is requested - returns a hash with the public AND private parts of the key - when keypair with private key is exported - returns a hash with the public parts of the key - when unsupported keypair is given - raises an error - when keypair with public key is exported - returns a hash with the public parts of the key .import - when keypair is imported with string keys from JSON - returns a hash with the public parts of the key + when private key is included in the data + creates a complete keypair when keypair is imported with symbol keys returns a hash with the public parts of the key + when keypair is imported with string keys from JSON + returns a hash with the public parts of the key when jwk_data is given without e and/or n raises an error - when private key is included in the data - creates a complete keypair + .new + when a keypair with both keys given + creates an instance of the class + when a keypair with only public key is given + creates an instance of the class .create_rsa_key_using_der - when only e, n, d, p and q are given - raises an error telling all the exponents are required - when public parameters (e, n) are given - creates a valid RSA object representing a public key when e, n, d is given expects all CRT parameters given and raises error + when only e, n, d, p and q are given + raises an error telling all the exponents are required when all key components n, e, d, p, q, dp, dq, qi are given creates a valid RSA object representing a public key + when public parameters (e, n) are given + creates a valid RSA object representing a public key .kid + when kid is given in a hash parameter + uses the given kid when configuration says to use :rfc7638_thumbprint generates the kid based on the thumbprint when kid is given as a String parameter uses the given kid - when kid is given in a hash parameter - uses the given kid .common_parameters when a common parameters hash is given converts string keys to symbol keys imports the common parameter + #export + when unsupported keypair is given + raises an error + when keypair with public key is exported + returns a hash with the public parts of the key + when keypair with private key is exported + returns a hash with the public parts of the key + when private key is requested + returns a hash with the public AND private parts of the key + #keypair + warns to stderr + .create_rsa_key_using_sets + when e, n, d is given + can be used for encryption and decryption (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) + can be used for signing and verification (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) + creates a valid RSA object representing a private key (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) + when all key components n, e, d, p, q, dp, dq, qi are given + creates a valid RSA object representing a public key (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) + when public parameters (e, n) are given + creates a valid RSA object representing a public key (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) + when only e, n, d, p and q are given + raises an error telling all the exponents are required (PENDING: OpenSSL 3.0 does not allow mutating objects anymore) + +::JWT::Algos::HmacRbNaCl + .sign + when signature is generated by RbNaCl + can verify the signature with OpenSSL + .verify + when signature is generated with OpenSSL + verifies the signature + when signature is generated with OpenSSL and key is very long + verifies the signature using OpenSSL features + when signature is invalid + can verify without error + +JWT::Algos::Hmac + .sign + when hmac_secret is passed + when other versions of openssl do not raise an exception + is expected to eql "\x88\xCD!\b\xB54}\x97<\xF3\x9C\xDF\x90S\xD7\xDDBpHv\xD8\xC9\xA9\xBD\x8E-\x16\x82Y\xD3\xDD\xF7" + when OpenSSL raises any other error + raises the original error + when OpenSSL 3.0 raises a malloc failure + raises the original error + when nil hmac_secret is passed + when OpenSSL 3.0 raises a malloc failure + raises JWT::DecodeError + when other versions of openssl do not raise an exception + is expected to eql "C\xB0\xCE\xF9\x92e\xF9\xE3L\x10\xEA\x9D5\x01\x92m'\xB3\x9FW\xC6\xD6tV\x1D\x8B\xA26\xE7\xA8\x19\xFB" + when OpenSSL raises any other error + raises the original error + when blank hmac_secret is passed + when other versions of openssl do not raise an exception + is expected to eql "C\xB0\xCE\xF9\x92e\xF9\xE3L\x10\xEA\x9D5\x01\x92m'\xB3\x9FW\xC6\xD6tV\x1D\x8B\xA26\xE7\xA8\x19\xFB" + when OpenSSL raises any other error + raises the original error + when OpenSSL 3.0 raises a malloc failure + raises JWT::DecodeError + +::JWT::Algos::HmacRbNaClFixed + .verify + when signature is generated with OpenSSL and key is very long + verifies the signature using OpenSSL features (PENDING: Requires rbnacl gem < 6.0) + when signature is invalid + can verify without error (PENDING: Requires rbnacl gem < 6.0) + when signature is generated with OpenSSL + verifies the signature (PENDING: Requires rbnacl gem < 6.0) + .sign + when signature is generated by RbNaCl + can verify the signature with OpenSSL (PENDING: Requires rbnacl gem < 6.0) + +JWT + JWT.configure + allows configuration to be changed via the block + yields the configuration + +JWT + .decode for JWK usecase + when jwk keys are rotated + decodes the token + when JWK features are used manually + is able to decode the token + when the token kid is nil + and allow_nil_kid is specified + decodes the token + when jwk keys are loaded using a proc/lambda + decodes the token + when jwk keys are given as an array + and kid is in the set + is able to decode the token + and kid is not in the set + raises an exception + token does not know the kid + raises an exception + no keys are found in the set + raises an exception + when jwk keys are loaded from JSON with string keys + decodes the token + mixing algorithms using kid header + when ES384 key is pointed to as ES512 key + fails in some way + when HMAC secret is pointed to as EC public key + fails in some way + when OKP keys are used + decodes the token + when EC key is pointed to as RSA public key + fails in some way + when HMAC secret is pointed to as RSA public key + fails in some way + when EC key is pointed to as HMAC secret + raises JWT::DecodeError + when RSA key is pointed to as HMAC secret + raises JWT::DecodeError + when the token kid is not a string + raises an exception + +JWT::JWK::EC .new - when a keypair with only public key is given - creates an instance of the class when a keypair with both keys given creates an instance of the class + when a keypair with only public key is given + creates an instance of the class #keypair warns to stderr + #export + when a common parameter is given + returns a hash including the common parameter + when keypair with public key is exported + returns a hash with the public parts of the key + when a custom "kid" is provided + exports it + when keypair with private key is exported + returns a hash with the both parts of the key + when private key is requested + returns a hash with the both parts of the key + .import + when crv=P-384 + when keypair is private + returns a private key + with a custom "kid" value + imports that "kid" value + when keypair is public + returns a public key + returns a hash with the public parts of the key + when crv=P-256K + when keypair is private + returns a private key + with a custom "kid" value + imports that "kid" value + when keypair is public + returns a public key + returns a hash with the public parts of the key + when crv=P-256 + when keypair is private + returns a private key + with a custom "kid" value + imports that "kid" value + when keypair is public + returns a public key + returns a hash with the public parts of the key + when crv=P-521 + when keypair is private + returns a private key + with a custom "kid" value + imports that "kid" value + when keypair is public + returns a public key + returns a hash with the public parts of the key -Pending: (Failures listed here are expected and do not affect your suite's status) - - 1) ::JWT::Algos::HmacRbNaClFixed .sign when signature is generated by RbNaCl can verify the signature with OpenSSL - # Requires rbnacl gem < 6.0 - # ./spec/jwt/algos/hmac_rbnacl_fixed_spec.rb:49 +JWT::ClaimsValidator + #validate! + nbf claim + it should behave like a NumericDate claim + when nbf payload is a Time object + raises error + when nbf payload is a float + does not raise error + when nbf payload is a string + raises error + and key is a string + raises error + when nbf payload is an integer + does not raise error + and key is a string + does not raise error + when nbf payload is a string + raises error + exp claim + it should behave like a NumericDate claim + when exp payload is an integer + does not raise error + and key is a string + does not raise error + when exp payload is a float + does not raise error + when exp payload is a string + raises error + and key is a string + raises error + when exp payload is a string + raises error + when exp payload is a Time object + raises error + iat claim + it should behave like a NumericDate claim + when iat payload is an integer + does not raise error + and key is a string + does not raise error + when iat payload is a string + raises error + and key is a string + raises error + when iat payload is a Time object + raises error + when iat payload is a string + raises error + when iat payload is a float + does not raise error - 2) ::JWT::Algos::HmacRbNaClFixed .verify when signature is invalid can verify without error - # Requires rbnacl gem < 6.0 - # ./spec/jwt/algos/hmac_rbnacl_fixed_spec.rb:38 +JWT::JWK + .[] + allows to set common parameters via the key-accessor + allows to read common parameters via the key-accessor + rejects key parameters as keys via the key-accessor + .new + when secret key is given + is expected to be a kind of JWT::JWK::HMAC + when a common parameter is given + sets the common parameter + when EC key is given + is expected to be a kind of JWT::JWK::EC + when RSA key is given + is expected to be a kind of JWT::JWK::RSA + when kid is given + sets the kid + .import + creates a ::JWT::JWK::RSA instance + when keypair with defined kid is imported + returns the predefined kid if jwt_data contains a kid + when keytype is not supported + raises an error + parsed from JSON + creates a ::JWT::JWK::RSA instance from JSON parsed JWK + when a common JWK parameter is specified + returns the defined common JWK parameter - 3) ::JWT::Algos::HmacRbNaClFixed .verify when signature is generated with OpenSSL verifies the signature - # Requires rbnacl gem < 6.0 - # ./spec/jwt/algos/hmac_rbnacl_fixed_spec.rb:16 +Pending: (Failures listed here are expected and do not affect your suite's status) - 4) ::JWT::Algos::HmacRbNaClFixed .verify when signature is generated with OpenSSL and key is very long verifies the signature using OpenSSL features - # Requires rbnacl gem < 6.0 - # ./spec/jwt/algos/hmac_rbnacl_fixed_spec.rb:27 + 1) JWT::JWK::RSA.create_rsa_key_using_accessors when public parameters (e, n) are given creates a valid RSA object representing a public key + # OpenSSL if RSA#set_key is available there is no accessors anymore + # ./spec/jwk/rsa_spec.rb:154 - 5) JWT::JWK::RSA.create_rsa_key_using_accessors when only e, n, d, p and q are given raises an error telling all the exponents are required + 2) JWT::JWK::RSA.create_rsa_key_using_accessors when only e, n, d, p and q are given raises an error telling all the exponents are required # OpenSSL if RSA#set_key is available there is no accessors anymore # ./spec/jwk/rsa_spec.rb:163 - 6) JWT::JWK::RSA.create_rsa_key_using_accessors when e, n, d is given can be used for encryption and decryption + 3) JWT::JWK::RSA.create_rsa_key_using_accessors when e, n, d is given can be used for encryption and decryption # OpenSSL if RSA#set_key is available there is no accessors anymore # ./spec/jwk/rsa_spec.rb:191 - 7) JWT::JWK::RSA.create_rsa_key_using_accessors when e, n, d is given creates a valid RSA object representing a private key + 4) JWT::JWK::RSA.create_rsa_key_using_accessors when e, n, d is given creates a valid RSA object representing a private key # OpenSSL if RSA#set_key is available there is no accessors anymore # ./spec/jwk/rsa_spec.rb:186 - 8) JWT::JWK::RSA.create_rsa_key_using_accessors when e, n, d is given can be used for signing and verification + 5) JWT::JWK::RSA.create_rsa_key_using_accessors when e, n, d is given can be used for signing and verification # OpenSSL if RSA#set_key is available there is no accessors anymore # ./spec/jwk/rsa_spec.rb:195 - 9) JWT::JWK::RSA.create_rsa_key_using_accessors when all key components n, e, d, p, q, dp, dq, qi are given creates a valid RSA object representing a public key + 6) JWT::JWK::RSA.create_rsa_key_using_accessors when all key components n, e, d, p, q, dp, dq, qi are given creates a valid RSA object representing a public key # OpenSSL if RSA#set_key is available there is no accessors anymore # ./spec/jwk/rsa_spec.rb:171 - 10) JWT::JWK::RSA.create_rsa_key_using_accessors when public parameters (e, n) are given creates a valid RSA object representing a public key - # OpenSSL if RSA#set_key is available there is no accessors anymore - # ./spec/jwk/rsa_spec.rb:154 - - 11) JWT::JWK::RSA.create_rsa_key_using_sets when only e, n, d, p and q are given raises an error telling all the exponents are required + 7) JWT::JWK::RSA.create_rsa_key_using_sets when e, n, d is given can be used for encryption and decryption # OpenSSL 3.0 does not allow mutating objects anymore - # ./spec/jwk/rsa_spec.rb:163 + # ./spec/jwk/rsa_spec.rb:191 - 12) JWT::JWK::RSA.create_rsa_key_using_sets when e, n, d is given can be used for signing and verification + 8) JWT::JWK::RSA.create_rsa_key_using_sets when e, n, d is given can be used for signing and verification # OpenSSL 3.0 does not allow mutating objects anymore # ./spec/jwk/rsa_spec.rb:195 - 13) JWT::JWK::RSA.create_rsa_key_using_sets when e, n, d is given creates a valid RSA object representing a private key + 9) JWT::JWK::RSA.create_rsa_key_using_sets when e, n, d is given creates a valid RSA object representing a private key # OpenSSL 3.0 does not allow mutating objects anymore # ./spec/jwk/rsa_spec.rb:186 - 14) JWT::JWK::RSA.create_rsa_key_using_sets when e, n, d is given can be used for encryption and decryption - # OpenSSL 3.0 does not allow mutating objects anymore - # ./spec/jwk/rsa_spec.rb:191 - - 15) JWT::JWK::RSA.create_rsa_key_using_sets when all key components n, e, d, p, q, dp, dq, qi are given creates a valid RSA object representing a public key + 10) JWT::JWK::RSA.create_rsa_key_using_sets when all key components n, e, d, p, q, dp, dq, qi are given creates a valid RSA object representing a public key # OpenSSL 3.0 does not allow mutating objects anymore # ./spec/jwk/rsa_spec.rb:171 - 16) JWT::JWK::RSA.create_rsa_key_using_sets when public parameters (e, n) are given creates a valid RSA object representing a public key + 11) JWT::JWK::RSA.create_rsa_key_using_sets when public parameters (e, n) are given creates a valid RSA object representing a public key # OpenSSL 3.0 does not allow mutating objects anymore # ./spec/jwk/rsa_spec.rb:154 -Finished in 2 minutes 25.7 seconds (files took 2.89 seconds to load) + 12) JWT::JWK::RSA.create_rsa_key_using_sets when only e, n, d, p and q are given raises an error telling all the exponents are required + # OpenSSL 3.0 does not allow mutating objects anymore + # ./spec/jwk/rsa_spec.rb:163 + + 13) ::JWT::Algos::HmacRbNaClFixed .verify when signature is generated with OpenSSL and key is very long verifies the signature using OpenSSL features + # Requires rbnacl gem < 6.0 + # ./spec/jwt/algos/hmac_rbnacl_fixed_spec.rb:27 + + 14) ::JWT::Algos::HmacRbNaClFixed .verify when signature is invalid can verify without error + # Requires rbnacl gem < 6.0 + # ./spec/jwt/algos/hmac_rbnacl_fixed_spec.rb:38 + + 15) ::JWT::Algos::HmacRbNaClFixed .verify when signature is generated with OpenSSL verifies the signature + # Requires rbnacl gem < 6.0 + # ./spec/jwt/algos/hmac_rbnacl_fixed_spec.rb:16 + + 16) ::JWT::Algos::HmacRbNaClFixed .sign when signature is generated by RbNaCl can verify the signature with OpenSSL + # Requires rbnacl gem < 6.0 + # ./spec/jwt/algos/hmac_rbnacl_fixed_spec.rb:49 + +Finished in 1 minute 3.08 seconds (files took 1.41 seconds to load) 402 examples, 0 failures, 16 pending -Randomized with seed 47817 +Randomized with seed 48683 ┌──────────────────────────────────────────────────────────────────────────────┐ @@ -2721,12 +2757,14 @@ dpkg-buildpackage: info: binary-only upload (no source included) dpkg-genchanges: info: including full source code in upload I: copying local configuration +I: user script /srv/workspace/pbuilder/9711/tmp/hooks/B01_cleanup starting +I: user script /srv/workspace/pbuilder/9711/tmp/hooks/B01_cleanup finished I: unmounting dev/ptmx filesystem I: unmounting dev/pts filesystem I: unmounting dev/shm filesystem I: unmounting proc filesystem I: unmounting sys filesystem I: cleaning the build env -I: removing directory /srv/workspace/pbuilder/15609 and its subdirectories -I: Current time: Thu Jan 16 01:09:34 -12 2025 -I: pbuilder-time-stamp: 1737032974 +I: removing directory /srv/workspace/pbuilder/9711 and its subdirectories +I: Current time: Fri Jan 17 03:15:46 +14 2025 +I: pbuilder-time-stamp: 1737033346