10Duke Enterprise C++ Client
tenduke::jwk::JWKSSignatureValidator Class Reference

#include <JWKSSignatureValidator.h>

Detailed Description

A tenduke::jwt::JWTSignatureValidator which determines the validation key and algorithm from the JWT header and looks the key up in an in-memory cache.

The service maintains a (usually shared) key set, which is essentially a map. The service uses the "kid" claim from the header to look up the key in the key set. If the set does not contain the key, the token does not validate.

The service honors the "alg" claim of the header and uses that algorithm to validate the signature (but note the validationAlgorithm constructor parameter, which can override it).

Inheritance diagram for tenduke::jwk::JWKSSignatureValidator:
  tenduke::jwt::JWTSignatureValidator (base)
    tenduke::jwk::JWKSSignatureValidator
      tenduke::jwk::DynamicJWKSSignatureValidator
        tenduke::test::unittests::FakeDynamicJWKSSignatureValidator

Public Member Functions

 JWKSSignatureValidator (const std::shared_ptr< tenduke::jwk::JWKS > &keySet, tenduke::crypto::MessageDigest::Algorithm validationAlgorithm=tenduke::crypto::MessageDigest::Algorithm::NONE, bool requireValidAlgClaim=true)
 Constructs a new instance.
 
bool validate (const tenduke::json::JSONObject *jwtHeader, const char *payload, std::size_t payloadLength, const unsigned char *signatureBytes, std::size_t signatureLengthB) const override
 Validates JWT signature.
 

Protected Member Functions

virtual std::unique_ptr< tenduke::jwk::JWK > findJWK (const std::string &keyId) const
 Locates the key from cache by id.
 
virtual void mergeKeys (const tenduke::jwk::JWKS &newKeySet) const
 Merges keys from newKeySet to the contained keySet.
 

Constructor & Destructor Documentation

◆ JWKSSignatureValidator()

explicit tenduke::jwk::JWKSSignatureValidator::JWKSSignatureValidator (
    const std::shared_ptr< tenduke::jwk::JWKS > & keySet,
    tenduke::crypto::MessageDigest::Algorithm validationAlgorithm = tenduke::crypto::MessageDigest::Algorithm::NONE,
    bool requireValidAlgClaim = true
)

Constructs a new instance.

Parameters
keySet - the key set from which validation keys are looked up by "kid"
validationAlgorithm - Pre-set validation algorithm to use. If set to anything other than NONE, this algorithm is ALWAYS used to validate the token, regardless of the "alg" claim in the header. This prevents tampering with the token. If NONE, the algorithm from the JWT header is used.
requireValidAlgClaim - If true, the JWT header must have an "alg" claim which maps to a supported algorithm (excluding NONE); otherwise the token does not validate. If false, a missing "alg" or an unsupported algorithm means that the token is always considered valid. This parameter has no effect if validationAlgorithm is set.
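The following is an added example, not code from the 10Duke client library: a self-contained model of the key and algorithm selection described in the Detailed Description and the constructor parameters above ("kid" lookup, pinned validationAlgorithm, requireValidAlgClaim). The Algorithm enum members other than NONE, the KeySet type, the sample key id and the "alg" string mapping are assumptions made for the example.

```cpp
#include <map>
#include <optional>
#include <string>

// Constructed stand-in for tenduke::crypto::MessageDigest::Algorithm; the
// member names other than NONE are assumptions, not the library's own.
enum class Algorithm { NONE, SHA256, SHA512 };

// Constructed stand-in for tenduke::jwk::JWKS: "kid" -> key material.
using KeySet = std::map<std::string, std::string>;
const KeySet kSampleKeys{{"kid-2024-01", "<constructed key material>"}};

struct Decision {
    bool accepted;        // false: the token does not validate
    Algorithm algorithm;  // digest that would be used to check the signature
};

// Map the JWT "alg" header to a digest; "none" or anything unknown -> NONE.
Algorithm algFromHeader(const std::string& alg) {
    if (alg == "RS256" || alg == "ES256") return Algorithm::SHA256;
    if (alg == "RS512" || alg == "ES512") return Algorithm::SHA512;
    return Algorithm::NONE;
}

// Models the key/algorithm selection documented for JWKSSignatureValidator.
// hdrAlg / hdrKid are std::nullopt when the claim is absent from the header.
Decision selectKeyAndAlgorithm(const KeySet& keys,
                               const std::optional<std::string>& hdrAlg,
                               const std::optional<std::string>& hdrKid,
                               Algorithm validationAlgorithm,
                               bool requireValidAlgClaim) {
    // "kid" lookup: a missing or unknown kid means the token does not validate.
    if (!hdrKid || keys.find(*hdrKid) == keys.end())
        return {false, Algorithm::NONE};
    // Pinned validationAlgorithm: the header's "alg" is ignored entirely, so a
    // tampered "alg" cannot steer which check is performed.
    if (validationAlgorithm != Algorithm::NONE)
        return {true, validationAlgorithm};
    Algorithm fromHeader = hdrAlg ? algFromHeader(*hdrAlg) : Algorithm::NONE;
    if (fromHeader == Algorithm::NONE)
        // Missing/unsupported alg: reject if requireValidAlgClaim; otherwise the
        // documented behaviour is to treat the token as valid without a check.
        return {!requireValidAlgClaim, Algorithm::NONE};
    return {true, fromHeader};
}
```

The last branch is why a deployment should either pin validationAlgorithm or leave requireValidAlgClaim at its default of true.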

Member Function Documentation

◆ findJWK()

std::unique_ptr< xdjwk::JWK > tenduke::jwk::JWKSSignatureValidator::findJWK ( const std::string & keyId ) const
protected virtual

Locates the key from cache by id.

Parameters
keyId - id ("kid") of the key to locate
Returns
the key, or nullptr if the key is not found

Reimplemented in tenduke::jwk::DynamicJWKSSignatureValidator.

◆ validate()

bool tenduke::jwk::JWKSSignatureValidator::validate (
    const tenduke::json::JSONObject * jwtHeader,
    const char * payload,
    std::size_t payloadLength,
    const unsigned char * signatureBytes,
    std::size_t signatureLengthB
) const
override virtual

Validates JWT signature.

Parameters
jwtHeader - JWT header; can be used e.g. to determine the key and digest algorithm to use
payload - JWT payload to verify
payloadLength - length of the payload
signatureBytes - the signature
signatureLengthB - the signature length
Returns
true if the signature is valid, false if not
Exceptions
tenduke::crypto::CryptoException - if there are cryptographic issues

Implements tenduke::jwt::JWTSignatureValidator.


The documentation for this class was generated from the following files: