From d0978c1ded4b3684abb1d86c23c8015643aa97fa Mon Sep 17 00:00:00 2001
From: Joakim Antman <antmanj@gmail.com>
Date: Fri, 3 Feb 2023 21:26:06 +0200
Subject: [PATCH] Move SecurityUtils methods closer to the usage

---
 lib/jwt/algos.rb          |  1 -
 lib/jwt/algos/ecdsa.rb    | 16 ++++++++++++++--
 lib/jwt/algos/ps.rb       |  8 +++-----
 lib/jwt/algos/rsa.rb      |  2 +-
 lib/jwt/security_utils.rb | 32 --------------------------------
 5 files changed, 18 insertions(+), 41 deletions(-)
 delete mode 100644 lib/jwt/security_utils.rb

diff --git a/lib/jwt/algos.rb b/lib/jwt/algos.rb
index c78281ec..96f71b63 100644
--- a/lib/jwt/algos.rb
+++ b/lib/jwt/algos.rb
@@ -7,7 +7,6 @@
 end
 require 'openssl'
 
-require 'jwt/security_utils'
 require 'jwt/algos/hmac'
 require 'jwt/algos/eddsa'
 require 'jwt/algos/ecdsa'
diff --git a/lib/jwt/algos/ecdsa.rb b/lib/jwt/algos/ecdsa.rb
index ea154bd3..d5a1d25c 100644
--- a/lib/jwt/algos/ecdsa.rb
+++ b/lib/jwt/algos/ecdsa.rb
@@ -38,7 +38,7 @@ def sign(algorithm, msg, key)
         end
 
         digest = OpenSSL::Digest.new(curve_definition[:digest])
-        SecurityUtils.asn1_to_raw(key.dsa_sign_asn1(digest.digest(msg)), key)
+        asn1_to_raw(key.dsa_sign_asn1(digest.digest(msg)), key)
       end
 
       def verify(algorithm, public_key, signing_input, signature)
@@ -49,7 +49,7 @@ def verify(algorithm, public_key, signing_input, signature)
         end
 
         digest = OpenSSL::Digest.new(curve_definition[:digest])
-        public_key.dsa_verify_asn1(digest.digest(signing_input), SecurityUtils.raw_to_asn1(signature, public_key))
+        public_key.dsa_verify_asn1(digest.digest(signing_input), raw_to_asn1(signature, public_key))
       end
 
       def curve_by_name(name)
@@ -57,6 +57,18 @@ def curve_by_name(name)
           raise UnsupportedEcdsaCurve, "The ECDSA curve '#{name}' is not supported"
         end
       end
+
+      def raw_to_asn1(signature, private_key)
+        byte_size = (private_key.group.degree + 7) / 8
+        sig_bytes = signature[0..(byte_size - 1)]
+        sig_char = signature[byte_size..-1] || ''
+        OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
+      end
+
+      def asn1_to_raw(signature, public_key)
+        byte_size = (public_key.group.degree + 7) / 8
+        OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
+      end
     end
   end
 end
diff --git a/lib/jwt/algos/ps.rb b/lib/jwt/algos/ps.rb
index a30c3268..f80d0a5a 100644
--- a/lib/jwt/algos/ps.rb
+++ b/lib/jwt/algos/ps.rb
@@ -12,9 +12,7 @@ module Ps
       def sign(algorithm, msg, key)
         require_openssl!
 
-        key_class = key.class
-
-        raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance." if key_class == String
+        raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance." if key.is_a?(String)
 
         translated_algorithm = algorithm.sub('PS', 'sha')
 
@@ -23,8 +21,8 @@ def sign(algorithm, msg, key)
 
       def verify(algorithm, public_key, signing_input, signature)
         require_openssl!
-
-        SecurityUtils.verify_ps(algorithm, public_key, signing_input, signature)
+        translated_algorithm = algorithm.sub('PS', 'sha')
+        public_key.verify_pss(translated_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: translated_algorithm)
       end
 
       def require_openssl!
diff --git a/lib/jwt/algos/rsa.rb b/lib/jwt/algos/rsa.rb
index e7e54daa..ddb26b3a 100644
--- a/lib/jwt/algos/rsa.rb
+++ b/lib/jwt/algos/rsa.rb
@@ -14,7 +14,7 @@ def sign(algorithm, msg, key)
       end
 
       def verify(algorithm, public_key, signing_input, signature)
-        SecurityUtils.verify_rsa(algorithm, public_key, signing_input, signature)
+        public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
       end
     end
   end
diff --git a/lib/jwt/security_utils.rb b/lib/jwt/security_utils.rb
deleted file mode 100644
index 1cfc5481..00000000
--- a/lib/jwt/security_utils.rb
+++ /dev/null
@@ -1,32 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  # Collection of security methods
-  #
-  # @see: https://github.com/rails/rails/blob/master/activesupport/lib/active_support/security_utils.rb
-  module SecurityUtils
-    module_function
-
-    def verify_rsa(algorithm, public_key, signing_input, signature)
-      public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
-    end
-
-    def verify_ps(algorithm, public_key, signing_input, signature)
-      formatted_algorithm = algorithm.sub('PS', 'sha')
-
-      public_key.verify_pss(formatted_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: formatted_algorithm)
-    end
-
-    def asn1_to_raw(signature, public_key)
-      byte_size = (public_key.group.degree + 7) / 8
-      OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
-    end
-
-    def raw_to_asn1(signature, private_key)
-      byte_size = (private_key.group.degree + 7) / 8
-      sig_bytes = signature[0..(byte_size - 1)]
-      sig_char = signature[byte_size..-1] || ''
-      OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
-    end
-  end
-end