Resolve JWA based on curve

anakinj · anakinj · commit a7dc59ea04e4 · 2025-06-21T22:58:11.000+03:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,7 +10,7 @@
 - Raise an error if the ECDSA signing or verification key is not an instance of `OpenSSL::PKey::EC` [#688](https://github.com/jwt/ruby-jwt/pull/688) ([@anakinj](https://github.com/anakinj))
 - Allow `OpenSSL::PKey::EC::Point` to be used as the verification key in ECDSA [#689](https://github.com/jwt/ruby-jwt/pull/689) ([@anakinj](https://github.com/anakinj))
 - Require claims to have been verified before accessing the `JWT::EncodedToken#payload`
-- Resolve the verification algorithm based on the JWK "alg" parameter [#692](https://github.com/jwt/ruby-jwt/pull/692) ([@anakinj](https://github.com/anakinj))
+- Support passing the key as a JWK when verifying signatures [#692](https://github.com/jwt/ruby-jwt/pull/692) ([@anakinj](https://github.com/anakinj))
 - Your contribution here
 
 **Fixes and enhancements:**
diff --git a/lib/jwt/jwa/ecdsa.rb b/lib/jwt/jwa/ecdsa.rb
@@ -64,6 +64,7 @@ def verify(data:, signature:, verification_key:)
         register_algorithm(new(v[:algorithm], v[:digest]))
       end
 
+      # @api private
       def self.curve_by_name(name)
         NAMED_CURVES.fetch(name) do
           raise UnsupportedEcdsaCurve, "The ECDSA curve '#{name}' is not supported"
diff --git a/lib/jwt/jwk/ec.rb b/lib/jwt/jwk/ec.rb
@@ -73,6 +73,13 @@ def []=(key, value)
 
       private
 
+      def resolve_algorithm
+        return super if self[:alg]
+
+        curve_name = self.class.to_openssl_curve(self[:crv])
+        JWA.resolve(JWA::Ecdsa.curve_by_name(curve_name)[:algorithm])
+      end
+
       def ec_key
         @ec_key ||= create_ec_key(self[:crv], self[:x], self[:y], self[:d])
       end
diff --git a/spec/jwt/jwk/ec_spec.rb b/spec/jwt/jwk/ec_spec.rb
@@ -110,6 +110,37 @@
     end
   end
 
+  describe '#verify' do
+    let(:data) { 'data_to_sign' }
+    let(:signature) { jwk.sign(data: data) }
+
+    context 'when jwk is missing the alg parameter' do
+      let(:jwk) { described_class.new(ec_key) }
+
+      context 'when the signature is valid' do
+        it 'returns true' do
+          expect(jwk.verify(data: data, signature: signature)).to be(true)
+        end
+      end
+    end
+
+    context 'when jwk has alg parameter' do
+      let(:jwk) { described_class.new(ec_key, alg: 'ES384') }
+
+      context 'when the signature is valid' do
+        it 'returns true' do
+          expect(jwk.verify(data: data, signature: signature)).to be(true)
+        end
+      end
+
+      context 'when the signature is invalid' do
+        it 'returns true' do
+          expect(jwk.verify(data: data, signature: 'invalid')).to be(false)
+        end
+      end
+    end
+  end
+
   describe '.to_openssl_curve' do
     context 'when a valid curve name is given' do
       it 'returns the corresponding OpenSSL curve name' do
