Convert points to ec pkeys

Author: anakinj

lib/jwt/jwa/ecdsa.rb

@@ -13,6 +13,7 @@ def initialize(alg, digest)
 
       def sign(data:, signing_key:)
         raise_sign_error!("The given key is a #{signing_key.class}. It has to be an OpenSSL::PKey::EC instance.") unless signing_key.is_a?(::OpenSSL::PKey::EC)
+        raise_sign_error!('The given key is not a private key.') unless signing_key.private?
 
         curve_definition = curve_by_name(signing_key.group.curve_name)
         key_algorithm = curve_definition[:algorithm]
@@ -23,6 +24,8 @@ def sign(data:, signing_key:)
       end
 
       def verify(data:, signature:, verification_key:)
+        verification_key = self.class.create_public_key_from_point(verification_key) if verification_key.is_a?(::OpenSSL::PKey::EC::Point)
+
         raise_verify_error!("The given key is a #{verification_key.class}. It has to be an OpenSSL::PKey::EC instance.") unless verification_key.is_a?(::OpenSSL::PKey::EC)
 
         curve_definition = curve_by_name(verification_key.group.curve_name)
@@ -67,6 +70,14 @@ def self.curve_by_name(name)
         end
       end
 
+      def self.create_public_key_from_point(point)
+        sequence = OpenSSL::ASN1::Sequence([
+                                             OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId('id-ecPublicKey'), OpenSSL::ASN1::ObjectId(point.group.curve_name)]),
+                                             OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed))
+                                           ])
+        OpenSSL::PKey::EC.new(sequence.to_der)
+      end
+
       private
 
       attr_reader :digest

lib/jwt/jwk/ec.rb

@@ -137,7 +137,7 @@ def parse_ec_key(key)
       end
 
       if ::JWT.openssl_3?
-        def create_ec_key(jwk_crv, jwk_x, jwk_y, jwk_d) # rubocop:disable Metrics/MethodLength
+        def create_ec_key(jwk_crv, jwk_x, jwk_y, jwk_d)
           curve = EC.to_openssl_curve(jwk_crv)
           x_octets = decode_octets(jwk_x)
           y_octets = decode_octets(jwk_y)
@@ -147,29 +147,25 @@ def create_ec_key(jwk_crv, jwk_x, jwk_y, jwk_d) # rubocop:disable Metrics/Method
             OpenSSL::BN.new([0x04, x_octets, y_octets].pack('Ca*a*'), 2)
           )
 
-          sequence = if jwk_d
-                       # https://datatracker.ietf.org/doc/html/rfc5915.html
-                       # ECPrivateKey ::= SEQUENCE {
-                       #   version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
-                       #   privateKey     OCTET STRING,
-                       #   parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
-                       #   publicKey  [1] BIT STRING OPTIONAL
-                       # }
+          if jwk_d
+            # https://datatracker.ietf.org/doc/html/rfc5915.html
+            # ECPrivateKey ::= SEQUENCE {
+            #   version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
+            #   privateKey     OCTET STRING,
+            #   parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
+            #   publicKey  [1] BIT STRING OPTIONAL
+            # }
 
-                       OpenSSL::ASN1::Sequence([
+            sequence = OpenSSL::ASN1::Sequence([
                                                  OpenSSL::ASN1::Integer(1),
                                                  OpenSSL::ASN1::OctetString(OpenSSL::BN.new(decode_octets(jwk_d), 2).to_s(2)),
                                                  OpenSSL::ASN1::ObjectId(curve, 0, :EXPLICIT),
                                                  OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed), 1, :EXPLICIT)
                                                ])
-                     else
-                       OpenSSL::ASN1::Sequence([
-                                                 OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId('id-ecPublicKey'), OpenSSL::ASN1::ObjectId(curve)]),
-                                                 OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed))
-                                               ])
-                     end
-
-          OpenSSL::PKey::EC.new(sequence.to_der)
+            OpenSSL::PKey::EC.new(sequence.to_der)
+          else
+            ::JWT::JWA::Ecdsa.create_public_key_from_point(point)
+          end
         end
       else
         def create_ec_key(jwk_crv, jwk_x, jwk_y, jwk_d)

spec/jwt/jwa/ecdsa_spec.rb

@@ -35,18 +35,19 @@
   let(:ecdsa_key) { test_pkey('ec256-private.pem') }
   let(:data) { 'test data' }
   let(:instance) { described_class.new('ES256', 'sha256') }
+  let(:signature) { instance.sign(data: data, signing_key: ecdsa_key) }
 
   describe '#verify' do
     context 'when the verification key is valid' do
       it 'returns true for a valid signature' do
-        signature = instance.sign(data: data, signing_key: ecdsa_key)
         expect(instance.verify(data: data, signature: signature, verification_key: ecdsa_key)).to be true
       end
 
       it 'returns false for an invalid signature' do
         expect(instance.verify(data: data, signature: 'invalid_signature', verification_key: ecdsa_key)).to be false
       end
     end
+
     context 'when verification results in a OpenSSL::PKey::PKeyError error' do
       it 'raises a JWT::VerificationError' do
         allow(ecdsa_key).to receive(:dsa_verify_asn1).and_raise(OpenSSL::PKey::PKeyError.new('Error'))
@@ -63,12 +64,18 @@
         end.to raise_error(JWT::DecodeError, 'The given key is a String. It has to be an OpenSSL::PKey::EC instance.')
       end
     end
+
+    context 'when the verification key is a point' do
+      it 'verifies the signature' do
+        expect(ecdsa_key.public_key).to be_a(OpenSSL::PKey::EC::Point)
+        expect(instance.verify(data: data, signature: signature, verification_key: ecdsa_key.public_key)).to be(true)
+      end
+    end
   end
 
   describe '#sign' do
     context 'when the signing key is valid' do
       it 'returns a valid signature' do
-        signature = instance.sign(data: data, signing_key: ecdsa_key)
         expect(signature).to be_a(String)
         expect(signature.length).to be > 0
       end