Support signing with jwk

anakinj · anakinj · commit 90398f15aef0 · 2025-06-23T19:19:42.000+03:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,7 +10,7 @@
 - Raise an error if the ECDSA signing or verification key is not an instance of `OpenSSL::PKey::EC` [#688](https://github.com/jwt/ruby-jwt/pull/688) ([@anakinj](https://github.com/anakinj))
 - Allow `OpenSSL::PKey::EC::Point` to be used as the verification key in ECDSA [#689](https://github.com/jwt/ruby-jwt/pull/689) ([@anakinj](https://github.com/anakinj))
 - Require claims to have been verified before accessing the `JWT::EncodedToken#payload` [#690](https://github.com/jwt/ruby-jwt/pull/690) ([@anakinj](https://github.com/anakinj))
-- Support verifying token signature using a JWK [#692](https://github.com/jwt/ruby-jwt/pull/692) ([@anakinj](https://github.com/anakinj))
+- Support verifying and signing token signature using a JWK [#692](https://github.com/jwt/ruby-jwt/pull/692) ([@anakinj](https://github.com/anakinj))
 - Your contribution here
 
 **Fixes and enhancements:**
diff --git a/README.md b/README.md
@@ -251,7 +251,7 @@ encoded_token.payload # => { 'exp'=>1234, 'jti'=>'1234", 'sub'=>'my-subject' }
 encoded_token.header # {'kid'=>'hmac', 'alg'=>'HS256'}
 ```
 
-A JWK can be used to verify the token if it's possible to derive the signing algorithm from the key.
+A JWK can be used to sign and verify the token if it's possible to derive the signing algorithm from the key.
 
 ```ruby
 jwk_json = '{
@@ -262,6 +262,11 @@ jwk_json = '{
 }'
 
 jwk = JWT::JWK.import(JSON.parse(jwk_json))
+
+token = JWT::Token.new(payload: payload, header: header)
+
+token.sign!(key: jwk)
+
 encoded_token = JWT::EncodedToken.new(token.jwt)
 encoded_token.verify!(signature: { key: jwk})
 ```
diff --git a/lib/jwt/encoded_token.rb b/lib/jwt/encoded_token.rb
@@ -147,7 +147,7 @@ def verify_signature!(algorithm: nil, key: nil, key_finder: nil)
     # Checks if the signature of the JWT token is valid.
     #
     # @param algorithm [String, Array<String>, Object, Array<Object>] the algorithm(s) to use for verification.
-    # @param key [String, Array<String>] the key(s) to use for verification.
+    # @param key [String, Array<String>, JWT::JWK::KeyBase, Array<JWT::JWK::KeyBase>] the key(s) to use for verification.
     # @param key_finder [#call] an object responding to `call` to find the key for verification.
     # @return [Boolean] true if the signature is valid, false otherwise.
     def valid_signature?(algorithm: nil, key: nil, key_finder: nil)
diff --git a/lib/jwt/jwa.rb b/lib/jwt/jwa.rb
@@ -13,34 +13,60 @@
 module JWT
   # The JWA module contains all supported algorithms.
   module JWA
+    # @api private
+    class VerifierContext
+      def initialize(jwa:, keys:)
+        @jwa = jwa
+        @keys = Array(keys)
+      end
+
+      def verify(*args, **kwargs)
+        @keys.any? do |key|
+          @jwa.verify(*args, **kwargs, verification_key: key)
+        end
+      end
+    end
+
+    # @api private
+    class SignerContext
+      def initialize(jwa:, key:)
+        @jwa = jwa
+        @key = key
+      end
+
+      def sign(*args, **kwargs)
+        @jwa.sign(*args, **kwargs, signing_key: @key)
+      end
+
+      def jwa_header
+        @jwa.header
+      end
+    end
+
     class << self
       # @api private
       def resolve(algorithm)
         return find(algorithm) if algorithm.is_a?(String) || algorithm.is_a?(Symbol)
 
+        raise ArgumentError, 'Algorithm must be provided' if algorithm.nil?
+
         raise ArgumentError, 'Custom algorithms are required to include JWT::JWA::SigningAlgorithm' unless algorithm.is_a?(SigningAlgorithm)
 
         algorithm
       end
 
       # @api private
       def resolve_and_sort(algorithms:, preferred_algorithm:)
-        algs = Array(algorithms).map { |alg| JWA.resolve(alg) }
-        algs.partition { |alg| alg.valid_alg?(preferred_algorithm) }.flatten
+        Array(algorithms).map { |alg| JWA.resolve(alg) }
+                         .partition { |alg| alg.valid_alg?(preferred_algorithm) }
+                         .flatten
       end
 
       # @api private
-      class VerificationContext
-        def initialize(jwa:, keys:)
-          @jwa = jwa
-          @keys = Array(keys)
-        end
+      def create_signer(algorithm:, key:)
+        return key if key.is_a?(JWK::KeyBase)
 
-        def verify(*args, **kwargs)
-          @keys.any? do |key|
-            @jwa.verify(*args, **kwargs, verification_key: key)
-          end
-        end
+        SignerContext.new(jwa: resolve(algorithm), key: key)
       end
 
       # @api private
@@ -49,7 +75,7 @@ def create_verifiers(algorithms:, keys:, preferred_algorithm:)
 
         jwks + resolve_and_sort(algorithms: algorithms,
                                 preferred_algorithm: preferred_algorithm)
-               .map { |jwa| VerificationContext.new(jwa: jwa, keys: other_keys) }
+               .map { |jwa| VerifierContext.new(jwa: jwa, keys: other_keys) }
       end
     end
   end
diff --git a/lib/jwt/jwk/ec.rb b/lib/jwt/jwk/ec.rb
@@ -73,7 +73,7 @@ def []=(key, value)
 
       private
 
-      def resolve_algorithm
+      def jwa
         return super if self[:alg]
 
         curve_name = self.class.to_openssl_curve(self[:crv])
diff --git a/lib/jwt/jwk/key_base.rb b/lib/jwt/jwk/key_base.rb
@@ -43,11 +43,16 @@ def ==(other)
       end
 
       def verify(**kwargs)
-        resolve_algorithm.verify(**kwargs, verification_key: verify_key)
+        jwa.verify(**kwargs, verification_key: verify_key)
       end
 
       def sign(**kwargs)
-        resolve_algorithm.sign(**kwargs, signing_key: signing_key)
+        jwa.sign(**kwargs, signing_key: signing_key)
+      end
+
+      # @api private
+      def jwa_header
+        jwa.header
       end
 
       alias eql? ==
@@ -60,7 +65,7 @@ def <=>(other)
 
       private
 
-      def resolve_algorithm
+      def jwa
         raise JWT::JWKError, 'Could not resolve the JWA, the "alg" parameter is missing' unless self[:alg]
 
         JWA.resolve(self[:alg])
diff --git a/lib/jwt/token.rb b/lib/jwt/token.rb
@@ -87,16 +87,16 @@ def detach_payload!
 
     # Signs the JWT token.
     #
+    # @param key [String, JWT::JWK::KeyBase] the key to use for signing.
     # @param algorithm [String, Object] the algorithm to use for signing.
-    # @param key [String] the key to use for signing.
     # @return [void]
     # @raise [JWT::EncodeError] if the token is already signed or other problems when signing
-    def sign!(algorithm:, key:)
+    def sign!(key:, algorithm: nil)
       raise ::JWT::EncodeError, 'Token already signed' if @signature
 
-      JWA.resolve(algorithm).tap do |algo|
-        header.merge!(algo.header) { |_key, old, _new| old }
-        @signature = algo.sign(data: signing_input, signing_key: key)
+      JWA.create_signer(algorithm: algorithm, key: key).tap do |signer|
+        header.merge!(signer.jwa_header) { |_key, old, _new| old }
+        @signature = signer.sign(data: signing_input)
       end
 
       nil
diff --git a/spec/integration/readme_examples_spec.rb b/spec/integration/readme_examples_spec.rb
@@ -462,9 +462,6 @@ def self.verify(data:, signature:, verification_key:)
       payload = { exp: Time.now.to_i + 60, jti: '1234', sub: 'my-subject' }
       header = { kid: 'hmac' }
 
-      token = JWT::Token.new(payload: payload, header: header)
-      token.sign!(algorithm: 'HS256', key: 'secret')
-
       jwk_json = '{
                   "kty": "oct",
                   "k": "c2VjcmV0",
@@ -473,6 +470,10 @@ def self.verify(data:, signature:, verification_key:)
                   }'
 
       jwk = JWT::JWK.import(JSON.parse(jwk_json))
+
+      token = JWT::Token.new(payload: payload, header: header)
+      token.sign!(key: jwk)
+
       encoded_token = JWT::EncodedToken.new(token.jwt)
       expect { encoded_token.verify!(signature: { key: jwk }) }.not_to raise_error
     end
diff --git a/spec/jwt/token_spec.rb b/spec/jwt/token_spec.rb
@@ -22,6 +22,22 @@
         expect { token.sign!(algorithm: 'HS256', key: 'secret') }.to raise_error(JWT::EncodeError)
       end
     end
+
+    context 'when JWK is given as key' do
+      let(:jwk) { JWT::JWK::RSA.new(OpenSSL::PKey::RSA.new(2048), alg: 'RS256') }
+
+      it 'signs the token' do
+        token.sign!(key: jwk)
+
+        expect(JWT::EncodedToken.new(token.jwt).valid_signature?(algorithm: 'RS256', key: jwk.verify_key)).to be(true)
+      end
+    end
+
+    context 'when string key is given but not algorithm' do
+      it 'raises an error' do
+        expect { token.sign!(key: 'secret') }.to raise_error(ArgumentError, 'Algorithm must be provided')
+      end
+    end
   end
 
   describe '#jwt' do

Original file line number	Diff line number	Diff line change
`@@ -147,7 +147,7 @@ def verify_signature!(algorithm: nil, key: nil, key_finder: nil)`
`147`	`147`	`# Checks if the signature of the JWT token is valid.`
`148`	`148`	`#`
`149`	`149`	`# @param algorithm [String, Array<String>, Object, Array<Object>] the algorithm(s) to use for verification.`
`150`		`- # @param key [String, Array<String>] the key(s) to use for verification.`
	`150`	`+ # @param key [String, Array<String>, JWT::JWK::KeyBase, Array<JWT::JWK::KeyBase>] the key(s) to use for verification.`
`151`	`151`	# @param key_finder [#call] an object responding to `call` to find the key for verification.
`152`	`152`	`# @return [Boolean] true if the signature is valid, false otherwise.`
`153`	`153`	`def valid_signature?(algorithm: nil, key: nil, key_finder: nil)`