Module: PQCrypto::JWT::JWK

Defined in:

lib/pq_crypto/jwt/jwk.rb

Constant Summary

KTY =

"AKP".freeze

Class Method Summary

• .alg_for_algorithm!(algorithm) ⇒ Object
• .algorithm_from_jwk!(jwk) ⇒ Object
• .base64url(bytes) ⇒ Object
• .base64url_decode(value) ⇒ Object
• .from_public_key(public_key, kid: nil) ⇒ Object
• .from_secret_key ⇒ Object
• .normalize_hash!(hash) ⇒ Object
• .public_key_from_jwk(hash) ⇒ Object
• .secret_key_from_jwk ⇒ Object
• .thumbprint(jwk_hash) ⇒ Object

Class Method Details

.alg_for_algorithm!(algorithm) ⇒ Object

Raises:

• (PQCrypto::JWT::UnsupportedAlgorithm)

# File 'lib/pq_crypto/jwt/jwk.rb', line 90

def alg_for_algorithm!(algorithm)
  match = PQCrypto::JWT.signing_algorithms.find { |candidate| candidate.pq_crypto_algorithm == algorithm }
  raise PQCrypto::JWT::UnsupportedAlgorithm, "Unsupported pq_crypto signature algorithm: #{algorithm.inspect}" unless match

  match.alg
end

.algorithm_from_jwk!(jwk) ⇒ Object

Raises:

• (PQCrypto::JWT::UnsupportedAlgorithm)

# File 'lib/pq_crypto/jwt/jwk.rb', line 77

def algorithm_from_jwk!(jwk)
  unless jwk.fetch("kty", nil) == KTY
    raise PQCrypto::JWT::Error, "Unsupported JWK kty: #{jwk.fetch('kty', nil).inspect}"
  end

  alg = jwk.fetch("alg", nil)
  algorithm = PQCrypto::JWT.algorithm_for(alg)
  raise PQCrypto::JWT::UnsupportedAlgorithm, "Unsupported JWK alg: #{alg.inspect}" unless algorithm
  raise PQCrypto::JWT::UnsupportedAlgorithm, "Unsupported JWK alg: #{alg.inspect}" unless algorithm.key_kind == :signature

  algorithm.pq_crypto_algorithm
end

.base64url(bytes) ⇒ Object

# File 'lib/pq_crypto/jwt/jwk.rb', line 49

def base64url(bytes)
  Base64.urlsafe_encode64(String(bytes).b, padding: false)
end

.base64url_decode(value) ⇒ Object

# File 'lib/pq_crypto/jwt/jwk.rb', line 53

def base64url_decode(value)
  Base64.urlsafe_decode64(String(value))
rescue ArgumentError => e
  raise PQCrypto::JWT::Error, "Invalid base64url value: #{e.message}"
end

.from_public_key(public_key, kid: nil) ⇒ Object

# File 'lib/pq_crypto/jwt/jwk.rb', line 14

def from_public_key(public_key, kid: nil)
  validate_public_key!(public_key)
  base_public_jwk(public_key.algorithm, public_key.to_bytes, kid: kid).freeze
end

.from_secret_key ⇒ Object

Raises:

• (PQCrypto::JWT::UnsupportedAlgorithm)

# File 'lib/pq_crypto/jwt/jwk.rb', line 19

def from_secret_key(*, **)
  raise PQCrypto::JWT::UnsupportedAlgorithm,
        "Private AKP JWK export is not supported in the first release; use PEM/PKCS#8 for signing keys"
end

.normalize_hash!(hash) ⇒ Object

# File 'lib/pq_crypto/jwt/jwk.rb', line 59

def normalize_hash!(hash)
  unless hash.respond_to?(:to_hash)
    raise PQCrypto::JWT::Error, "JWK must be a Hash-like object"
  end

  hash.to_hash.each_with_object({}) do |(key, value), normalized|
    normalized[String(key)] = value
  end
end

.public_key_from_jwk(hash) ⇒ Object

# File 'lib/pq_crypto/jwt/jwk.rb', line 24

def public_key_from_jwk(hash)
  jwk = normalize_hash!(hash)
  reject_private_material!(jwk)
  algorithm = algorithm_from_jwk!(jwk)
  public_bytes = decode_required_key_bytes!(jwk, "pub", algorithm, :public_key_bytes)
  PQCrypto::Signature.public_key_from_bytes(algorithm, public_bytes)
rescue ArgumentError => e
  raise PQCrypto::JWT::Error, e.message
end

.secret_key_from_jwk ⇒ Object

Raises:

• (PQCrypto::JWT::UnsupportedAlgorithm)

# File 'lib/pq_crypto/jwt/jwk.rb', line 34

def secret_key_from_jwk(*)
  raise PQCrypto::JWT::UnsupportedAlgorithm,
        "Private AKP JWK import is not supported in the first release; use PEM/PKCS#8 for signing keys"
end

.thumbprint(jwk_hash) ⇒ Object

Raises:

• (PQCrypto::JWT::Error)

# File 'lib/pq_crypto/jwt/jwk.rb', line 39

def thumbprint(jwk_hash)
  jwk = normalize_hash!(jwk_hash)
  reject_private_material!(jwk)
  algorithm_from_jwk!(jwk)
  raise PQCrypto::JWT::Error, "JWK pub is required" unless jwk.key?("pub")

  canonical = JSON.generate({ "alg" => jwk.fetch("alg"), "kty" => KTY, "pub" => jwk.fetch("pub") })
  base64url(Digest::SHA256.digest(canonical.b))
end