rsa verification fix

raise when rsa verification fails (was silently ignoring the failure)
commit 1688aed16a58b5dc0082b564a1ef4c158792da55 1 parent ce5d39b
Jordan Brough authored
Showing with 10 additions and 3 deletions.
  1. +1 −1  lib/jwt.rb
  2. +9 −2 spec/jwt.rb
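--- a/lib/jwt.rb
+++ b/lib/jwt.rb
@@ -71,7 +71,7 @@ def self.decode(jwt, key=nil, verify=true)
 if ["HS256", "HS384", "HS512"].include?(algo)
 raise JWT::DecodeError.new("Signature verification failed") unless signature == sign_hmac(algo, signing_input, key)
 elsif ["RS256", "RS384", "RS512"].include?(algo)
-verify_rsa(algo, key, signing_input, signature)
+raise JWT::DecodeError.new("Signature verification failed") unless verify_rsa(algo, key, signing_input, signature)
 else
 raise JWT::DecodeError.new("Algorithm not supported")
 end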
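Review bot: The added line makes acceptance of an RS* token depend entirely on the truthiness of `verify_rsa`, so its contract needs to be documented next to it: it must return false or nil for a bad signature and must never return a truthy non-boolean, and any exception it raises on a malformed key or signature should be mapped to `JWT::DecodeError` so callers only have one failure type to rescue. Since `algo` appears to be read from the token itself (its origin is outside this hunk), the token chooses which of the HS and RS branches verifies it; I would add `# NOTE: algo comes from untrusted header — caller should be able to pin the expected algorithm` here and consider an `algorithm:` option in a follow-up. The HMAC comparison on the preceding context line is also a plain `==`, which is not constant-time. Stylistically, prefer `raise JWT::DecodeError, "Signature verification failed" unless verify_rsa(algo, key, signing_input, signature)` over `raise X.new(...)`, matching the Ruby style guide. `self.decode` starts and ends outside this hunk.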
11 spec/jwt.rb
@@ -27,12 +27,19 @@
decoded_payload.should == example_payload
end
- it "raises exception with wrong key" do
+ it "raises exception with wrong hmac key" do
right_secret = 'foo'
bad_secret = 'bar'
- jwt_message = JWT.encode(@payload, right_secret)
+ jwt_message = JWT.encode(@payload, right_secret, "HS256")
lambda { JWT.decode(jwt_message, bad_secret) }.should raise_error(JWT::DecodeError)
end
+
+ it "raises exception with wrong rsa key" do
+ right_private_key = OpenSSL::PKey::RSA.generate(512)
+ bad_private_key = OpenSSL::PKey::RSA.generate(512)
+ jwt = JWT.encode(@payload, right_private_key, "RS256")
+ lambda { JWT.decode(jwt, bad_private_key.public_key) }.should raise_error(JWT::DecodeError)
+ end
it "allows decoding without key" do
right_secret = 'foo'

4 comments on commit 1688aed

@sporkmonger

This is kinda huge. Can we get a new gem release with this fix pushed?

@progrium
Owner

Yes, you're right. Sorry for the delay. I'll work on getting a release out first thing tomorrow.

@sporkmonger

Thanks again!

@progrium
Owner

Done. Let me know if I missed anything.
