Ensure backwards compatibility (#676)

* Remove unused exception

* openssl 2.0

* Check for PS support

* Check for PS support

* Check for PS support

* Does it work with superold version

* Avoid intantiating key to check for method existance

* Disable Naming/PredicateMethod

* Try to avoid truffleruby error

Author: anakinj

.github/workflows/test.yml

@@ -50,7 +50,7 @@ jobs:
         experimental: [false]
         include:
           - os: ubuntu-latest
-            ruby: "3.0"
+            ruby: "2.5"
             gemfile: "gemfiles/openssl.gemfile"
             experimental: false
           - os: ubuntu-latest
@@ -64,7 +64,6 @@ jobs:
     continue-on-error: ${{ matrix.experimental }}
     env:
       BUNDLE_GEMFILE: ${{ matrix.gemfile }}
-
     steps:
       - uses: actions/checkout@v4
 

.rubocop.yml

@@ -22,3 +22,6 @@ Layout/LineLength:
 
 Gemspec/DevelopmentDependencies:
   EnforcedStyle: gemspec
+
+Naming/PredicateMethod:
+  Enabled: false

gemfiles/openssl.gemfile

@@ -2,6 +2,6 @@
 
 source "https://rubygems.org"
 
-gem "openssl", "~> 2.1"
+gem "openssl", "< 2.0"
 
 gemspec path: "../"

lib/jwt/error.rb

@@ -7,9 +7,6 @@ class EncodeError < StandardError; end
   # The DecodeError class is raised when there is an error decoding a JWT.
   class DecodeError < StandardError; end
 
-  # The RequiredDependencyError class is raised when a required dependency is missing.
-  class RequiredDependencyError < StandardError; end
-
   # The VerificationError class is raised when there is an error verifying a JWT.
   class VerificationError < DecodeError; end
 

spec/jwt/jwa/ps_spec.rb

@@ -7,6 +7,10 @@
   let(:ps384_instance) { described_class.new('PS384') }
   let(:ps512_instance) { described_class.new('PS512') }
 
+  before do
+    skip 'OpenSSL gem missing RSA-PSS support' unless OpenSSL::PKey::RSA.method_defined?(:sign_pss)
+  end
+
   describe '#initialize' do
     it 'initializes with the correct algorithm and digest' do
       expect(ps256_instance.instance_variable_get(:@alg)).to eq('PS256')

spec/jwt/jwt_spec.rb

@@ -163,6 +163,10 @@
   end
 
   %w[ES256 ES384 ES512 ES256K].each do |alg|
+    before do
+      skip 'OpenSSL gem missing RSA-PSS support' unless OpenSSL::PKey::RSA.method_defined?(:sign_pss)
+    end
+
     context "alg: #{alg}" do
       before(:each) do
         data[alg] = JWT.encode(payload, data["#{alg}_private"], alg)
@@ -198,64 +202,51 @@
     end
   end
 
-  if Gem::Version.new(OpenSSL::VERSION) >= Gem::Version.new('2.1')
-    %w[PS256 PS384 PS512].each do |alg|
-      context "alg: #{alg}" do
-        before(:each) do
-          data[alg] = JWT.encode payload, data[:rsa_private], alg
-        end
+  %w[PS256 PS384 PS512].each do |alg|
+    context "alg: #{alg}" do
+      before(:each) do
+        data[alg] = JWT.encode payload, data[:rsa_private], alg
+      end
 
-        let(:wrong_key) { data[:wrong_rsa_public] }
+      let(:wrong_key) { data[:wrong_rsa_public] }
 
-        it 'should generate a valid token' do
-          token = data[alg]
+      it 'should generate a valid token' do
+        token = data[alg]
 
-          header, body, signature = token.split('.')
+        header, body, signature = token.split('.')
 
-          expect(header).to eql(Base64.strict_encode64({ alg: alg }.to_json))
-          expect(body).to   eql(Base64.strict_encode64(payload.to_json))
+        expect(header).to eql(Base64.strict_encode64({ alg: alg }.to_json))
+        expect(body).to   eql(Base64.strict_encode64(payload.to_json))
 
-          # Validate signature is made of up header and body of JWT
-          translated_alg  = alg.gsub('PS', 'sha')
-          valid_signature = data[:rsa_public].verify_pss(
-            translated_alg,
-            JWT::Base64.url_decode(signature),
-            [header, body].join('.'),
-            salt_length: :auto,
-            mgf1_hash: translated_alg
-          )
-          expect(valid_signature).to be true
-        end
-
-        it 'should decode a valid token' do
-          jwt_payload, header = JWT.decode data[alg], data[:rsa_public], true, algorithm: alg
+        # Validate signature is made of up header and body of JWT
+        translated_alg  = alg.gsub('PS', 'sha')
+        valid_signature = data[:rsa_public].verify_pss(
+          translated_alg,
+          JWT::Base64.url_decode(signature),
+          [header, body].join('.'),
+          salt_length: :auto,
+          mgf1_hash: translated_alg
+        )
+        expect(valid_signature).to be true
+      end
 
-          expect(header['alg']).to eq alg
-          expect(jwt_payload).to eq payload
-        end
+      it 'should decode a valid token' do
+        jwt_payload, header = JWT.decode data[alg], data[:rsa_public], true, algorithm: alg
 
-        it 'wrong key should raise JWT::DecodeError' do
-          expect do
-            JWT.decode data[alg], wrong_key
-          end.to raise_error JWT::DecodeError
-        end
+        expect(header['alg']).to eq alg
+        expect(jwt_payload).to eq payload
+      end
 
-        it 'wrong key and verify = false should not raise JWT::DecodeError' do
-          expect do
-            JWT.decode data[alg], wrong_key, false
-          end.not_to raise_error
-        end
+      it 'wrong key should raise JWT::DecodeError' do
+        expect do
+          JWT.decode data[alg], wrong_key
+        end.to raise_error JWT::DecodeError
       end
-    end
-  else
-    %w[PS256 PS384 PS512].each do |alg|
-      context "alg: #{alg}" do
-        it 'raises error about OpenSSL version' do
-          expect { JWT.encode payload, data[:rsa_private], alg }.to raise_error(
-            JWT::RequiredDependencyError,
-            /You currently have OpenSSL .*. PS support requires >= 2.1/
-          )
-        end
+
+      it 'wrong key and verify = false should not raise JWT::DecodeError' do
+        expect do
+          JWT.decode data[alg], wrong_key, false
+        end.not_to raise_error
       end
     end
   end
@@ -766,8 +757,9 @@
     let(:token) { JWT.encode(payload, 'secret', 'HS256') }
 
     it 'starts trying with the algorithm referred in the header' do
-      expect(JWT::JWA::Rsa).not_to receive(:verify)
+      allow(JWT::JWA::Rsa).to receive(:verify)
       JWT.decode(token, 'secret', true, algorithm: %w[RS512 HS256])
+      expect(JWT::JWA::Rsa).not_to have_received(:verify)
     end
   end