Add JWT MAC parameters and key type.

PiperOrigin-RevId: 623228536
tink-crypto · Apr 9, 2024 · 93a1cca · 93a1cca
1 parent ac2db86
commit 93a1cca
Show file tree

Hide file tree

Showing 4 changed files with 192 additions and 62 deletions.
diff --git a/cc/jwt/BUILD.bazel b/cc/jwt/BUILD.bazel
@@ -192,6 +192,24 @@ cc_library(
     ],
 )
 
+cc_library(
+    name = "jwt_mac_parameters",
+    hdrs = ["jwt_mac_parameters.h"],
+    include_prefix = "tink/jwt",
+    deps = ["//:parameters"],
+)
+
+cc_library(
+    name = "jwt_mac_key",
+    hdrs = ["jwt_mac_key.h"],
+    include_prefix = "tink/jwt",
+    deps = [
+        ":jwt_mac_parameters",
+        "//:key",
+        "@com_google_absl//absl/types:optional",
+    ],
+)
+
 # tests
 
 cc_test(

diff --git a/cc/jwt/CMakeLists.txt b/cc/jwt/CMakeLists.txt
@@ -50,68 +50,6 @@ tink_cc_library(
     tink::util::statusor
 )
 
-# tests
-
-tink_cc_test(
-  NAME raw_jwt_test
-  SRCS
-    raw_jwt_test.cc
-  DEPS
-    tink::jwt::raw_jwt
-    gmock
-    absl::strings
-    absl::time
-    tink::util::statusor
-    tink::util::test_matchers
-    tink::util::test_util
-)
-
-tink_cc_test(
-  NAME verified_jwt_test
-  SRCS
-    verified_jwt_test.cc
-  DEPS
-    tink::jwt::jwt_mac
-    tink::jwt::jwt_validator
-    tink::jwt::raw_jwt
-    tink::jwt::verified_jwt
-    gmock
-    absl::memory
-    absl::status
-    absl::strings
-    absl::time
-    absl::optional
-    tink::core::mac
-    tink::jwt::internal::jwt_mac_impl
-    tink::jwt::internal::jwt_mac_internal
-    tink::subtle::hmac_boringssl
-    tink::util::constants
-    tink::util::enums
-    tink::util::errors
-    tink::util::protobuf_helper
-    tink::util::secret_data
-    tink::util::status
-    tink::util::statusor
-    tink::util::test_matchers
-    tink::util::test_util
-    tink::proto::common_cc_proto
-)
-
-tink_cc_test(
-  NAME jwt_validator_test
-  SRCS
-    jwt_validator_test.cc
-  DEPS
-    tink::jwt::jwt_validator
-    tink::jwt::raw_jwt
-    gmock
-    absl::strings
-    absl::time
-    tink::util::statusor
-    tink::util::test_matchers
-    tink::util::test_util
-)
-
 tink_cc_library(
   NAME jwt_mac
   SRCS
@@ -234,6 +172,86 @@ tink_cc_library(
     tink::proto::tink_cc_proto
 )
 
+tink_cc_library(
+  NAME jwt_mac_parameters
+  SRCS
+    jwt_mac_parameters.h
+  DEPS
+    tink::core::parameters
+)
+
+tink_cc_library(
+  NAME jwt_mac_key
+  SRCS
+    jwt_mac_key.h
+  DEPS
+    tink::jwt::jwt_mac_parameters
+    absl::optional
+    tink::core::key
+)
+
+# tests
+
+tink_cc_test(
+  NAME raw_jwt_test
+  SRCS
+    raw_jwt_test.cc
+  DEPS
+    tink::jwt::raw_jwt
+    gmock
+    absl::strings
+    absl::time
+    tink::util::statusor
+    tink::util::test_matchers
+    tink::util::test_util
+)
+
+tink_cc_test(
+  NAME verified_jwt_test
+  SRCS
+    verified_jwt_test.cc
+  DEPS
+    tink::jwt::jwt_mac
+    tink::jwt::jwt_validator
+    tink::jwt::raw_jwt
+    tink::jwt::verified_jwt
+    gmock
+    absl::memory
+    absl::status
+    absl::strings
+    absl::time
+    absl::optional
+    tink::core::mac
+    tink::jwt::internal::jwt_mac_impl
+    tink::jwt::internal::jwt_mac_internal
+    tink::subtle::hmac_boringssl
+    tink::util::constants
+    tink::util::enums
+    tink::util::errors
+    tink::util::protobuf_helper
+    tink::util::secret_data
+    tink::util::status
+    tink::util::statusor
+    tink::util::test_matchers
+    tink::util::test_util
+    tink::proto::common_cc_proto
+)
+
+tink_cc_test(
+  NAME jwt_validator_test
+  SRCS
+    jwt_validator_test.cc
+  DEPS
+    tink::jwt::jwt_validator
+    tink::jwt::raw_jwt
+    gmock
+    absl::strings
+    absl::time
+    tink::util::statusor
+    tink::util::test_matchers
+    tink::util::test_util
+)
+
 tink_cc_test(
   NAME jwt_key_templates_test
   SRCS

diff --git a/cc/jwt/jwt_mac_key.h b/cc/jwt/jwt_mac_key.h
@@ -0,0 +1,60 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+#ifndef TINK_JWT_JWT_MAC_KEY_H_
+#define TINK_JWT_JWT_MAC_KEY_H_
+
+#include <string>
+
+#include "absl/types/optional.h"
+#include "tink/jwt/jwt_mac_parameters.h"
+#include "tink/key.h"
+
+namespace crypto {
+namespace tink {
+
+// Represents the authentication and verification functions for the JWT MAC
+// primitive.
+class JwtMacKey : public Key {
+ public:
+  // Returns the `kid` to be used for this key
+  // (https://www.rfc-editor.org/rfc/rfc7517#section-4.5).
+  //
+  // Note that the `kid` is not necessarily related to Tink's key ID in the
+  // keyset.
+  //
+  // If present, this `kid` will be written into the `kid` header during
+  // `ComputeMacAndEncode()`. If absent, no `kid` will be written.
+  //
+  // If present, and the `kid` header is present, the contents of the
+  // `kid` header need to match the return value of this function for
+  // validation to succeed in `VerifyMacAndDecode()`.
+  //
+  // Note that `GetParameters().AllowKidAbsent()` specifies whether or not
+  // omitting the `kid` header is allowed. Of course, if
+  // `GetParameters().AllowKidAbsent()` returns false, then `GetKid()` must
+  // return a non-empty value.
+  virtual absl::optional<std::string> GetKid() const = 0;
+
+  const JwtMacParameters& GetParameters() const override = 0;
+
+  bool operator==(const Key& other) const override = 0;
+};
+
+}  // namespace tink
+}  // namespace crypto
+
+#endif  // TINK_JWT_JWT_MAC_KEY_H_
diff --git a/cc/jwt/jwt_mac_parameters.h b/cc/jwt/jwt_mac_parameters.h
@@ -0,0 +1,34 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+#ifndef TINK_JWT_JWT_MAC_PARAMETERS_H_
+#define TINK_JWT_JWT_MAC_PARAMETERS_H_
+
+#include "tink/parameters.h"
+
+namespace crypto {
+namespace tink {
+
+// `JwtMacKey` description without the randomly chosen key material.
+class JwtMacParameters : public Parameters {
+  // Returns true if verification is allowed for tokens without a `kid` header.
+  virtual bool AllowKidAbsent() const = 0;
+};
+
+}  // namespace tink
+}  // namespace crypto
+
+#endif  // TINK_JWT_JWT_MAC_PARAMETERS_H_