jwt · anakinj · Feb 3, 2023 · Feb 3, 2023
diff --git a/lib/jwt/algos.rb b/lib/jwt/algos.rb
@@ -7,7 +7,6 @@
 end
 require 'openssl'
 
-require 'jwt/security_utils'
 require 'jwt/algos/hmac'
 require 'jwt/algos/eddsa'
 require 'jwt/algos/ecdsa'

diff --git a/lib/jwt/algos/ecdsa.rb b/lib/jwt/algos/ecdsa.rb
@@ -38,7 +38,7 @@ def sign(algorithm, msg, key)
         end
 
         digest = OpenSSL::Digest.new(curve_definition[:digest])
-        SecurityUtils.asn1_to_raw(key.dsa_sign_asn1(digest.digest(msg)), key)
+        asn1_to_raw(key.dsa_sign_asn1(digest.digest(msg)), key)
       end
 
       def verify(algorithm, public_key, signing_input, signature)
@@ -49,14 +49,26 @@ def verify(algorithm, public_key, signing_input, signature)
         end
 
         digest = OpenSSL::Digest.new(curve_definition[:digest])
-        public_key.dsa_verify_asn1(digest.digest(signing_input), SecurityUtils.raw_to_asn1(signature, public_key))
+        public_key.dsa_verify_asn1(digest.digest(signing_input), raw_to_asn1(signature, public_key))
       end
 
       def curve_by_name(name)
         NAMED_CURVES.fetch(name) do
           raise UnsupportedEcdsaCurve, "The ECDSA curve '#{name}' is not supported"
         end
       end
+
+      def raw_to_asn1(signature, private_key)
+        byte_size = (private_key.group.degree + 7) / 8
+        sig_bytes = signature[0..(byte_size - 1)]
+        sig_char = signature[byte_size..-1] || ''
+        OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
+      end
+
+      def asn1_to_raw(signature, public_key)
+        byte_size = (public_key.group.degree + 7) / 8
+        OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
+      end
     end
   end
 end
diff --git a/lib/jwt/algos/ps.rb b/lib/jwt/algos/ps.rb
@@ -12,9 +12,7 @@ module Ps
       def sign(algorithm, msg, key)
         require_openssl!
 
-        key_class = key.class
-
-        raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance." if key_class == String
+        raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance." if key.is_a?(String)
 
         translated_algorithm = algorithm.sub('PS', 'sha')
 
@@ -23,8 +21,8 @@ def sign(algorithm, msg, key)
 
       def verify(algorithm, public_key, signing_input, signature)
         require_openssl!
-
-        SecurityUtils.verify_ps(algorithm, public_key, signing_input, signature)
+        translated_algorithm = algorithm.sub('PS', 'sha')
+        public_key.verify_pss(translated_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: translated_algorithm)
       end
 
       def require_openssl!

diff --git a/lib/jwt/algos/rsa.rb b/lib/jwt/algos/rsa.rb
@@ -14,7 +14,7 @@ def sign(algorithm, msg, key)
       end
 
       def verify(algorithm, public_key, signing_input, signature)
-        SecurityUtils.verify_rsa(algorithm, public_key, signing_input, signature)
+        public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
       end
     end
   end

diff --git a/lib/jwt/security_utils.rb b/lib/jwt/security_utils.rb
-Original file line number
+Diff line change
@@ Expand Up / @@ -14,7 +14,7 @@ def sign(algorithm, msg, key) @@
           end
           def verify(algorithm, public_key, signing_input, signature)
-            SecurityUtils.verify_rsa(algorithm, public_key, signing_input, signature)
+            public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
           end
         end
       end
@@ Expand Down @@