/
ec_spec.rb
126 lines (105 loc) · 4.13 KB
/
ec_spec.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
# frozen_string_literal: true
RSpec.describe JWT::JWK::EC do
let(:ec_key) { OpenSSL::PKey::EC.new("secp384r1").generate_key }
describe '.new' do
subject { described_class.new(keypair) }
context 'when a keypair with both keys given' do
let(:keypair) { ec_key }
it 'creates an instance of the class' do
expect(subject).to be_a described_class
expect(subject.private?).to eq true
end
end
context 'when a keypair with only public key is given' do
let(:keypair) { ec_key.tap { |x| x.private_key = nil } }
it 'creates an instance of the class' do
expect(subject).to be_a described_class
expect(subject.private?).to eq false
end
end
end
describe '#export' do
let(:kid) { nil }
subject { described_class.new(keypair, kid).export }
context 'when keypair with private key is exported' do
let(:keypair) { ec_key }
it 'returns a hash with the both parts of the key' do
expect(subject).to be_a Hash
expect(subject).to include(:kty, :kid, :x, :y)
# Exported keys do not currently include private key info,
# event if the in-memory key had that information. This is
# done to match the traditional behavior of RSA JWKs.
## expect(subject).to include(:d)
end
end
context 'when keypair with public key is exported' do
let(:keypair) { ec_key.tap { |x| x.private_key = nil } }
it 'returns a hash with the public parts of the key' do
expect(subject).to be_a Hash
expect(subject).to include(:kty, :kid, :x, :y)
# Don't include private `d` if not explicitly requested.
expect(subject).not_to include(:d)
end
context 'when a custom "kid" is provided' do
let(:kid) { 'custom_key_identifier' }
it 'exports it' do
expect(subject[:kid]).to eq 'custom_key_identifier'
end
end
end
context 'when private key is requested' do
subject { described_class.new(keypair).export(include_private: true) }
let(:keypair) { ec_key }
it 'returns a hash with the both parts of the key' do
expect(subject).to be_a Hash
expect(subject).to include(:kty, :kid, :x, :y)
# `d` is the private part.
expect(subject).to include(:d)
end
end
end
describe '.import' do
subject { described_class.import(params) }
let(:include_private) { false }
let(:exported_key) { described_class.new(keypair).export(include_private: include_private) }
['P-256', 'P-384', 'P-521'].each do |crv|
context "when crv=#{crv}" do
let(:openssl_curve) { JWT::JWK::EC.to_openssl_curve(crv) }
let(:ec_key) { OpenSSL::PKey::EC.new(openssl_curve).generate_key }
context 'when keypair is private' do
let(:include_private) { true }
let(:keypair) { ec_key }
let(:params) { exported_key }
it 'returns a private key' do
expect(subject.private?).to eq true
expect(subject).to be_a described_class
# Regular export returns only the non-private parts.
public_only = exported_key.select{ |k, v| k != :d }
expect(subject.export).to eq(public_only)
# Private export returns the original input.
expect(subject.export(include_private: true)).to eq(exported_key)
end
context 'with a custom "kid" value' do
let(:exported_key) {
super().merge(kid: 'custom_key_identifier')
}
it 'imports that "kid" value' do
expect(subject.kid).to eq('custom_key_identifier')
end
end
end
context 'when keypair is public' do
context 'returns a public key' do
let(:keypair) { ec_key.tap { |x| x.private_key = nil } }
let(:params) { exported_key }
it 'returns a hash with the public parts of the key' do
expect(subject).to be_a described_class
expect(subject.private?).to eq false
expect(subject.export).to eq(exported_key)
end
end
end
end
end
end
end