Move rescueing OpenSSL::PKey::PKeyError closer to the verification ha…

…ppens using a pkey

lib/jwt/algos/algo_wrapper.rb

@@ -20,10 +20,6 @@ def sign(data:, signing_key:)
 
       def verify(data:, signature:, verification_key:)
         cls.verify(alg, verification_key, data, signature)
-      rescue OpenSSL::PKey::PKeyError # These should be moved to the algorithms that actually need this, but left here to ensure nothing will break.
-        raise JWT::VerificationError, 'Signature verification raised'
-      ensure
-        OpenSSL.errors.clear
       end
     end
   end

lib/jwt/algos/ecdsa.rb

@@ -50,6 +50,8 @@ def verify(algorithm, public_key, signing_input, signature)
 
         digest = OpenSSL::Digest.new(curve_definition[:digest])
         public_key.dsa_verify_asn1(digest.digest(signing_input), raw_to_asn1(signature, public_key))
+      rescue OpenSSL::PKey::PKeyError
+        raise JWT::VerificationError, 'Signature verification raised'
       end
 
       def curve_by_name(name)

lib/jwt/algos/ps.rb

@@ -23,6 +23,8 @@ def verify(algorithm, public_key, signing_input, signature)
         require_openssl!
         translated_algorithm = algorithm.sub('PS', 'sha')
         public_key.verify_pss(translated_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: translated_algorithm)
+      rescue OpenSSL::PKey::PKeyError
+        raise JWT::VerificationError, 'Signature verification raised'
       end
 
       def require_openssl!

lib/jwt/algos/rsa.rb

@@ -15,6 +15,8 @@ def sign(algorithm, msg, key)
 
       def verify(algorithm, public_key, signing_input, signature)
         public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
+      rescue OpenSSL::PKey::PKeyError
+        raise JWT::VerificationError, 'Signature verification raised'
       end
     end
   end