From 93a1cca86ea8bbc40d699a2a902bda28383b5456 Mon Sep 17 00:00:00 2001
From: wconner
Date: Tue, 9 Apr 2024 11:23:33 -0700
Subject: [PATCH] Add JWT MAC parameters and key type.
PiperOrigin-RevId: 623228536
---
 cc/jwt/BUILD.bazel | 18 +++++
 cc/jwt/CMakeLists.txt | 142 ++++++++++++++++++++----------------
 cc/jwt/jwt_mac_key.h | 60 +++++++++++++++
 cc/jwt/jwt_mac_parameters.h | 34 +++++++++
 4 files changed, 192 insertions(+), 62 deletions(-)
 create mode 100644 cc/jwt/jwt_mac_key.h
 create mode 100644 cc/jwt/jwt_mac_parameters.h
diff --git a/cc/jwt/BUILD.bazel b/cc/jwt/BUILD.bazel
index 12b1a67d6d..ed25b796f3 100644
--- a/cc/jwt/BUILD.bazel
+++ b/cc/jwt/BUILD.bazel
@@ -192,6 +192,24 @@ cc_library(
 ],
 )
+cc_library(
+ name = "jwt_mac_parameters",
+ hdrs = ["jwt_mac_parameters.h"],
+ include_prefix = "tink/jwt",
+ deps = ["//:parameters"],
+)
+
+cc_library(
+ name = "jwt_mac_key",
+ hdrs = ["jwt_mac_key.h"],
+ include_prefix = "tink/jwt",
+ deps = [
+ ":jwt_mac_parameters",
+ "//:key",
+ "@com_google_absl//absl/types:optional",
+ ],
+)
+
 # tests
 cc_test(
diff --git a/cc/jwt/CMakeLists.txt b/cc/jwt/CMakeLists.txt
index 933ceac557..8024aa6da7 100644
--- a/cc/jwt/CMakeLists.txt
+++ b/cc/jwt/CMakeLists.txt
@@ -50,68 +50,6 @@ tink_cc_library(
 tink::util::statusor
 )
-# tests
-
-tink_cc_test(
- NAME raw_jwt_test
- SRCS
- raw_jwt_test.cc
- DEPS
- tink::jwt::raw_jwt
- gmock
- absl::strings
- absl::time
- tink::util::statusor
- tink::util::test_matchers
- tink::util::test_util
-)
-
-tink_cc_test(
- NAME verified_jwt_test
- SRCS
- verified_jwt_test.cc
- DEPS
- tink::jwt::jwt_mac
- tink::jwt::jwt_validator
- tink::jwt::raw_jwt
- tink::jwt::verified_jwt
- gmock
- absl::memory
- absl::status
- absl::strings
- absl::time
- absl::optional
- tink::core::mac
- tink::jwt::internal::jwt_mac_impl
- tink::jwt::internal::jwt_mac_internal
- tink::subtle::hmac_boringssl
- tink::util::constants
- tink::util::enums
- tink::util::errors
- tink::util::protobuf_helper
- tink::util::secret_data
- tink::util::status
- tink::util::statusor
- tink::util::test_matchers
- tink::util::test_util
- tink::proto::common_cc_proto
-)
-
-tink_cc_test(
- NAME jwt_validator_test
- SRCS
- jwt_validator_test.cc
- DEPS
- tink::jwt::jwt_validator
- tink::jwt::raw_jwt
- gmock
- absl::strings
- absl::time
- tink::util::statusor
- tink::util::test_matchers
- tink::util::test_util
-)
-
 tink_cc_library(
 NAME jwt_mac
 SRCS
@@ -234,6 +172,86 @@ tink_cc_library(
 tink::proto::tink_cc_proto
 )
+tink_cc_library(
+ NAME jwt_mac_parameters
+ SRCS
+ jwt_mac_parameters.h
+ DEPS
+ tink::core::parameters
+)
+
+tink_cc_library(
+ NAME jwt_mac_key
+ SRCS
+ jwt_mac_key.h
+ DEPS
+ tink::jwt::jwt_mac_parameters
+ absl::optional
+ tink::core::key
+)
+
+# tests
+
+tink_cc_test(
+ NAME raw_jwt_test
+ SRCS
+ raw_jwt_test.cc
+ DEPS
+ tink::jwt::raw_jwt
+ gmock
+ absl::strings
+ absl::time
+ tink::util::statusor
+ tink::util::test_matchers
+ tink::util::test_util
+)
+
+tink_cc_test(
+ NAME verified_jwt_test
+ SRCS
+ verified_jwt_test.cc
+ DEPS
+ tink::jwt::jwt_mac
+ tink::jwt::jwt_validator
+ tink::jwt::raw_jwt
+ tink::jwt::verified_jwt
+ gmock
+ absl::memory
+ absl::status
+ absl::strings
+ absl::time
+ absl::optional
+ tink::core::mac
+ tink::jwt::internal::jwt_mac_impl
+ tink::jwt::internal::jwt_mac_internal
+ tink::subtle::hmac_boringssl
+ tink::util::constants
+ tink::util::enums
+ tink::util::errors
+ tink::util::protobuf_helper
+ tink::util::secret_data
+ tink::util::status
+ tink::util::statusor
+ tink::util::test_matchers
+ tink::util::test_util
+ tink::proto::common_cc_proto
+)
+
+tink_cc_test(
+ NAME jwt_validator_test
+ SRCS
+ jwt_validator_test.cc
+ DEPS
+ tink::jwt::jwt_validator
+ tink::jwt::raw_jwt
+ gmock
+ absl::strings
+ absl::time
+ tink::util::statusor
+ tink::util::test_matchers
+ tink::util::test_util
+)
+
 tink_cc_test(
 NAME jwt_key_templates_test
 SRCS
diff --git a/cc/jwt/jwt_mac_key.h b/cc/jwt/jwt_mac_key.h
new file mode 100644
index 0000000000..74f24e97a3
--- /dev/null
+++ b/cc/jwt/jwt_mac_key.h
@@ -0,0 +1,60 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+#ifndef TINK_JWT_JWT_MAC_KEY_H_
+#define TINK_JWT_JWT_MAC_KEY_H_
+
+#include
+
+#include "absl/types/optional.h"
+#include "tink/jwt/jwt_mac_parameters.h"
+#include "tink/key.h"
+
+namespace crypto {
+namespace tink {
+
+// Represents the authentication and verification functions for the JWT MAC
+// primitive.
+class JwtMacKey : public Key {
+ public:
+ // Returns the `kid` to be used for this key
+ // (https://www.rfc-editor.org/rfc/rfc7517#section-4.5).
+ //
+ // Note that the `kid` is not necessarily related to Tink's key ID in the
+ // keyset.
+ //
+ // If present, this `kid` will be written into the `kid` header during
+ // `ComputeMacAndEncode()`. If absent, no `kid` will be written.
+ //
+ // If present, and the `kid` header is present, the contents of the
+ // `kid` header need to match the return value of this function for
+ // validation to succeed in `VerifyMacAndDecode()`.
+ //
+ // Note that `GetParameters().AllowKidAbsent()` specifies whether or not
+ // omitting the `kid` header is allowed. Of course, if
+ // `GetParameters().AllowKidAbsent()` returns false, then `GetKid()` must
+ // return a non-empty value.
+ virtual absl::optional GetKid() const = 0;
+
+ const JwtMacParameters& GetParameters() const override = 0;
+
+ bool operator==(const Key& other) const override = 0;
+};
+
+} // namespace tink
+} // namespace crypto
+
+#endif // TINK_JWT_JWT_MAC_KEY_H_
diff --git a/cc/jwt/jwt_mac_parameters.h b/cc/jwt/jwt_mac_parameters.h
new file mode 100644
index 0000000000..2d189b3477
--- /dev/null
+++ b/cc/jwt/jwt_mac_parameters.h
@@ -0,0 +1,34 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+#ifndef TINK_JWT_JWT_MAC_PARAMETERS_H_
+#define TINK_JWT_JWT_MAC_PARAMETERS_H_
+
+#include "tink/parameters.h"
+
+namespace crypto {
+namespace tink {
+
+// `JwtMacKey` description without the randomly chosen key material.
+class JwtMacParameters : public Parameters {
+ // Returns true if verification is allowed for tokens without a `kid` header.
+ virtual bool AllowKidAbsent() const = 0;
+};
+
+} // namespace tink
+} // namespace crypto
+
+#endif // TINK_JWT_JWT_MAC_PARAMETERS_H_
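Review bot: `GetKid()` is printed with a return type of bare `absl::optional` and the first `#include` carries no header name; this looks like angle brackets lost in rendering (`absl::optional<std::string>` and `<string>`), but as shown neither line compiles, so confirm against the committed file. The class comment `Represents the authentication and verification functions for the JWT MAC primitive.` describes the primitive rather than the key; a line such as `// A key for the JWT MAC primitive, exposing its parameters and an optional kid.` would read more accurately. `operator==` is declared pure virtual without saying what equality must cover; since the `kid` decides which tokens verify, a short comment stating that implementations are expected to compare `GetParameters()` and `GetKid()` along with the key material would help subclass authors, presuming that is the intended contract.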
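Review bot: `AllowKidAbsent()` sits directly under `class JwtMacParameters : public Parameters {` with no access specifier, so it is private; the `GetParameters().AllowKidAbsent()` call that `jwt_mac_key.h` documents would not compile through this type, and subclasses would be overriding a private virtual. Add ` public:` before the comment, mirroring the ` public:` line in `jwt_mac_key.h`. Because this flag is what lets a token with no `kid` header pass verification, the comment could also note that returning true widens the set of accepted tokens, which is the reason the key header insists `GetKid()` be non-empty when it returns false.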