From e5f5711d674ecfd9e022fefd0873f0259fde790d Mon Sep 17 00:00:00 2001
From: Joakim Antman
Date: Fri, 3 Feb 2023 22:37:53 +0200
Subject: [PATCH] Move rescueing OpenSSL::PKey::PKeyError closer to the verification happens using a pkey
---
 lib/jwt/algos/algo_wrapper.rb | 4 ----
 lib/jwt/algos/ecdsa.rb | 2 ++
 lib/jwt/algos/ps.rb | 2 ++
 lib/jwt/algos/rsa.rb | 2 ++
 4 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/lib/jwt/algos/algo_wrapper.rb b/lib/jwt/algos/algo_wrapper.rb
index caf823e6..2a800ede 100644
--- a/lib/jwt/algos/algo_wrapper.rb
+++ b/lib/jwt/algos/algo_wrapper.rb
@@ -20,10 +20,6 @@ def sign(data:, signing_key:)
 def verify(data:, signature:, verification_key:)
 cls.verify(alg, verification_key, data, signature)
- rescue OpenSSL::PKey::PKeyError # These should be moved to the algorithms that actually need this, but left here to ensure nothing will break.
- raise JWT::VerificationError, 'Signature verification raised'
- ensure
- OpenSSL.errors.clear
 end
 end
 end
diff --git a/lib/jwt/algos/ecdsa.rb b/lib/jwt/algos/ecdsa.rb
index d5a1d25c..86c1611e 100644
--- a/lib/jwt/algos/ecdsa.rb
+++ b/lib/jwt/algos/ecdsa.rb
@@ -50,6 +50,8 @@ def verify(algorithm, public_key, signing_input, signature)
 digest = OpenSSL::Digest.new(curve_definition[:digest])
 public_key.dsa_verify_asn1(digest.digest(signing_input), raw_to_asn1(signature, public_key))
+ rescue OpenSSL::PKey::PKeyError
+ raise JWT::VerificationError, 'Signature verification raised'
 end
 def curve_by_name(name)
diff --git a/lib/jwt/algos/ps.rb b/lib/jwt/algos/ps.rb
index f80d0a5a..1163932d 100644
--- a/lib/jwt/algos/ps.rb
+++ b/lib/jwt/algos/ps.rb
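Review bot: The `ensure` / `OpenSSL.errors.clear` pair that this commit deletes from `AlgoWrapper#verify` is not re-added beside the new `rescue` in the `ecdsa.rb` hunk, nor in the `ps.rb` and `rsa.rb` hunks, so nothing visible in the patch drains the OpenSSL error queue after a failed or raising verification any more. Depending on the openssl gem version in use, entries left on that queue may surface as warnings or be picked up by a later, unrelated OpenSSL call on the same thread, which matters on a path that handles untrusted signatures. If the clearing is still wanted, add `ensure` followed by `OpenSSL.errors.clear` after each new `raise JWT::VerificationError, 'Signature verification raised'`. If it is dropped on purpose, the commit message should say so. The body of `verify` in `ecdsa.rb` starts outside this hunk, and the method-level `rescue` covers all of it.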
@@ -23,6 +23,8 @@ def verify(algorithm, public_key, signing_input, signature)
 require_openssl!
 translated_algorithm = algorithm.sub('PS', 'sha')
 public_key.verify_pss(translated_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: translated_algorithm)
+ rescue OpenSSL::PKey::PKeyError
+ raise JWT::VerificationError, 'Signature verification raised'
 end
 def require_openssl!
diff --git a/lib/jwt/algos/rsa.rb b/lib/jwt/algos/rsa.rb
index ddb26b3a..2b792d6d 100644
--- a/lib/jwt/algos/rsa.rb
+++ b/lib/jwt/algos/rsa.rb
@@ -15,6 +15,8 @@ def sign(algorithm, msg, key)
 def verify(algorithm, public_key, signing_input, signature)
 public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
+ rescue OpenSSL::PKey::PKeyError
+ raise JWT::VerificationError, 'Signature verification raised'
 end
 end
 end
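Review bot: The new `rescue OpenSSL::PKey::PKeyError` clauses in `ps.rb` and `rsa.rb` (and the identical one in `ecdsa.rb`) carry no comment on why an OpenSSL key error is reported as a verification failure, and the removed line's explanatory comment is dropped with nothing in its place. A one-line comment above each rescue would help, for example `# OpenSSL raises PKeyError when it cannot process the key or signature; treat that as a failed verification (fail closed)`. The wording should be checked against the cases the maintainers actually observed. The same message literal now lives in three files, so a shared constant or small helper would keep them from drifting apart.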