xref: /aosp_15_r20/external/tink/java_src/src/main/java/com/google/crypto/tink/jwt/JwtPublicKeyVerifyInternal.java (revision e7b1675dde1b92d52ec075b0a92829627f2c52a5) 
1 // Copyright 2020 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //      http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ////////////////////////////////////////////////////////////////////////////////
16 
17 package com.google.crypto.tink.jwt;
18 
19 import com.google.errorprone.annotations.Immutable;
20 import java.security.GeneralSecurityException;
21 import java.util.Optional;
22 
23 /**
24  * Interface for verifying a signed JWT, as described in RFC 7519 and RFC 7515.
25  *
26  * <h3>Security guarantees: similar to {@link com.google.crypto.tink.PublicKeyVerify}.</h3>
27  */
28 @Immutable
29 public interface JwtPublicKeyVerifyInternal {
30   /**
31    * Verifies and decodes a JWT in the JWS compact serialization format.
32    *
33    * <p>The JWT is validated against the rules in {@code validator}. That is, every claim in {@code
34    * validator} must also be present in the JWT. For example, if {@code validator} contains an
35    * {@code iss} claim, the JWT must contain an identical claim. The JWT can contain claims that are
36    * {@code NOT} in the {@code validator}. However, if the JWT contains a list of audiences, the
37    * validator must also contain an audience in the list.
38    *
39    * <p>If the JWT contains timestamp claims such as {@code exp}, {@code iat} or {@code nbf}, they
40    * will also be validated. {@code validator} allows to set a clock skew, to deal with small clock
41    * differences among different machines.
42    *
43    * <p>Additionally, it verifies that the correct kid header is present if a kid is provided.
44    *
45    * @throws GeneralSecurityException when the signature of the token could not be verified, the
46    *     token contains an invalid claim or header, the token has been expired or can't be used yet
47    */
verifyAndDecodeWithKid(String compact, JwtValidator validator, Optional<String> kid)48   VerifiedJwt verifyAndDecodeWithKid(String compact, JwtValidator validator, Optional<String> kid)
49       throws GeneralSecurityException;
50 }
51