xref: /aosp_15_r20/external/tink/python/tink/jwt/_jwt_public_key_verify.py (revision e7b1675dde1b92d52ec075b0a92829627f2c52a5) 
1# Copyright 2021 Google LLC
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7#      http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14"""Interface for JwtPublicKeyVerify."""
15
16import abc
17
18from typing import Optional
19
20from tink.jwt import _jwt_validator
21from tink.jwt import _verified_jwt
22
23
24class JwtPublicKeyVerify(metaclass=abc.ABCMeta):
25  """Interface for verifying a signed JWT.
26
27  Sees RFC 7519 and RFC 7515. Security guarantees: similar to PublicKeyVerify.
28  """
29
30  @abc.abstractmethod
31  def verify_and_decode(
32      self, compact: str,
33      validator: _jwt_validator.JwtValidator) -> _verified_jwt.VerifiedJwt:
34    """Verifies, validates and decodes a signed compact JWT token.
35
36    The JWT is validated against the rules in validator. That is, every claim in
37    validator must also be present in the JWT. For example, if validator
38    contains an issuer (iss) claim, the JWT must contain an identical claim.
39    The JWT can contain claims that are NOT in the validator, which are then
40    ignored. However, if the JWT contains a list of audiences, the validator
41    must also contain an audience in the list.
42
43    If the JWT contains timestamp claims such as expiration (exp), issued_at
44    (iat) or not_before (nbf), they will also be validated. Validator allows to
45    set a clock skew, to deal with small clock differences among different
46    machines.
47
48    Args:
49      compact: A signed token encoded in the JWS compact serialization format.
50      validator: A JwtValidator that validates the token.
51
52    Returns:
53      A VerifiedJwt.
54    Raises:
55      tink.TinkError if the operation fails.
56    """
57    raise NotImplementedError()
58
59
60class JwtPublicKeyVerifyInternal(metaclass=abc.ABCMeta):
61  """Internal interface for creating a signed JWT.
62
63  "kid" is an optional value that is set by the wrapper for keys with output
64  prefix TINK. It is set to None for output prefix RAW.
65  """
66
67  @abc.abstractmethod
68  def verify_and_decode_with_kid(
69      self, compact: str, validator: _jwt_validator.JwtValidator,
70      kid: Optional[str]) -> _verified_jwt.VerifiedJwt:
71    raise NotImplementedError()
72