tenduke::jwk::JWKSSignatureValidator Class Reference

#include <JWKSSignatureValidator.h>

Detailed Description

A tenduke::jwt::JWTSignatureValidator, which determines the validation key and algorithm based on the JWT header and looking up the key from memory cache.

The service maintains a (usually shared) key set, which is essentially a map. The service uses "kid"-claim from the header to lookup key from the key set. If the set does not contain the key, the token does not validate.

The service honors the "alg"-claim of the header and uses the algorithm to validate the signature (but note the validationAlgorithm constructor parameter).

Inheritance diagram for tenduke::jwk::JWKSSignatureValidator:

Public Member Functions
	JWKSSignatureValidator (const std::shared_ptr< tenduke::jwk::JWKS > &keySet, tenduke::crypto::MessageDigest::Algorithm validationAlgorithm=tenduke::crypto::MessageDigest::Algorithm::NONE, bool requireValidAlgClaim=true)
	Constructs new instance.
bool	validate (const tenduke::json::JSONObject *jwtHeader, const char *payload, std::size_t payloadLength, const unsigned char *signatureBytes, std::size_t signatureLengthB) const override
	Validates JWT signature.

Protected Member Functions
virtual std::unique_ptr< tenduke::jwk::JWK >	findJWK (const std::string &keyId) const
	Locates the key from cache by id.
virtual void	mergeKeys (const tenduke::jwk::JWKS &newKeySet) const
	Merges keys from newKeySet to the contained keySet.

Constructor & Destructor Documentation

JWKSSignatureValidator()

tenduke::jwk::JWKSSignatureValidator::JWKSSignatureValidator ( const std::shared_ptr< tenduke::jwk::JWKS > &  keySet, tenduke::crypto::MessageDigest::Algorithm  validationAlgorithm = tenduke::crypto::MessageDigest::Algorithm::NONE, bool  requireValidAlgClaim = true  )

explicit

Constructs new instance.

Parameters

keySet	-
validationAlgorithm	Pre-set validation algorithm to use. If set to anything else than NONE, this algorithm is ALWAYS used to validate the token. This prevents tampering the token. If NONE, the algorithm from the JWT header is used.
requireValidAlgClaim	If code true, then the JWT-header must have alg-claim which maps to supported algorithm (excluding NONE). Otherwise the token does not validate. If false, then missing alg or unsupported algorithm means that the token is always considered valid. This parameter has no effect if validationAlgorithm is set.

Member Function Documentation

findJWK()

std::unique_ptr< xdjwk::JWK > tenduke::jwk::JWKSSignatureValidator::findJWK ( const std::string &  keyId ) const

protectedvirtual

Locates the key from cache by id.

Parameters

keyId

-

Returns

the key, or nullptr if key not found

Reimplemented in tenduke::jwk::DynamicJWKSSignatureValidator.

validate()

bool tenduke::jwk::JWKSSignatureValidator::validate ( const tenduke::json::JSONObject *  jwtHeader, const char *  payload, std::size_t  payloadLength, const unsigned char *  signatureBytes, std::size_t  signatureLengthB  ) const

overridevirtual

Validates JWT signature.

Parameters

jwtHeader	JWT-header, can be e.g. used to determine the key and digestAlgorithm used
payload	JWT-payload to verify
payloadLength	length of the payload
signatureBytes	the signature
signatureLengthB	the signature length

Returns

true if the signature is valid, false if not

Exceptions

tenduke::crypto::CryptoException

if there are are cryptographic issues

Implements tenduke::jwt::JWTSignatureValidator.

---

The documentation for this class was generated from the following files:

• core/core/src/jwk/JWKSSignatureValidator.h
• core/core/src/jwk/JWKSSignatureValidator.cpp