xref: /aosp_15_r20/external/tink/cc/examples/jwt/jwt_sign.cc (revision e7b1675dde1b92d52ec075b0a92829627f2c52a5) 
1*e7b1675dSTing-Kang Chang // Copyright 2023 Google LLC
2*e7b1675dSTing-Kang Chang //
3*e7b1675dSTing-Kang Chang // Licensed under the Apache License, Version 2.0 (the "License");
4*e7b1675dSTing-Kang Chang // you may not use this file except in compliance with the License.
5*e7b1675dSTing-Kang Chang // You may obtain a copy of the License at
6*e7b1675dSTing-Kang Chang //
7*e7b1675dSTing-Kang Chang //     http://www.apache.org/licenses/LICENSE-2.0
8*e7b1675dSTing-Kang Chang //
9*e7b1675dSTing-Kang Chang // Unless required by applicable law or agreed to in writing, software
10*e7b1675dSTing-Kang Chang // distributed under the License is distributed on an "AS IS" BASIS,
11*e7b1675dSTing-Kang Chang // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12*e7b1675dSTing-Kang Chang // See the License for the specific language governing permissions and
13*e7b1675dSTing-Kang Chang // limitations under the License.
14*e7b1675dSTing-Kang Chang //
15*e7b1675dSTing-Kang Chang ///////////////////////////////////////////////////////////////////////////////
16*e7b1675dSTing-Kang Chang // [START jwt-sign]
17*e7b1675dSTing-Kang Chang // An example for signing JSON Web Tokens (JWT).
18*e7b1675dSTing-Kang Chang #include <iostream>
19*e7b1675dSTing-Kang Chang #include <memory>
20*e7b1675dSTing-Kang Chang #include <ostream>
21*e7b1675dSTing-Kang Chang #include <string>
22*e7b1675dSTing-Kang Chang #include <utility>
23*e7b1675dSTing-Kang Chang 
24*e7b1675dSTing-Kang Chang #include "absl/flags/flag.h"
25*e7b1675dSTing-Kang Chang #include "absl/flags/parse.h"
26*e7b1675dSTing-Kang Chang #include "absl/log/check.h"
27*e7b1675dSTing-Kang Chang #include "util/util.h"
28*e7b1675dSTing-Kang Chang #include "tink/jwt/jwt_public_key_sign.h"
29*e7b1675dSTing-Kang Chang #include "tink/jwt/jwt_signature_config.h"
30*e7b1675dSTing-Kang Chang #include "tink/jwt/raw_jwt.h"
31*e7b1675dSTing-Kang Chang #include "tink/keyset_handle.h"
32*e7b1675dSTing-Kang Chang #include "tink/util/status.h"
33*e7b1675dSTing-Kang Chang 
34*e7b1675dSTing-Kang Chang ABSL_FLAG(std::string, keyset_filename, "", "Keyset file in JSON format");
35*e7b1675dSTing-Kang Chang ABSL_FLAG(std::string, audience, "", "Expected audience in the token");
36*e7b1675dSTing-Kang Chang ABSL_FLAG(std::string, token_filename, "", "Path to the token file");
37*e7b1675dSTing-Kang Chang 
38*e7b1675dSTing-Kang Chang namespace {
39*e7b1675dSTing-Kang Chang 
40*e7b1675dSTing-Kang Chang using ::crypto::tink::JwtPublicKeySign;
41*e7b1675dSTing-Kang Chang using ::crypto::tink::KeysetHandle;
42*e7b1675dSTing-Kang Chang using ::crypto::tink::RawJwt;
43*e7b1675dSTing-Kang Chang using ::crypto::tink::RawJwtBuilder;
44*e7b1675dSTing-Kang Chang using ::crypto::tink::util::Status;
45*e7b1675dSTing-Kang Chang using ::crypto::tink::util::StatusOr;
46*e7b1675dSTing-Kang Chang 
ValidateParams()47*e7b1675dSTing-Kang Chang void ValidateParams() {
48*e7b1675dSTing-Kang Chang   // [START_EXCLUDE]
49*e7b1675dSTing-Kang Chang   CHECK(!absl::GetFlag(FLAGS_keyset_filename).empty())
50*e7b1675dSTing-Kang Chang       << "Keyset file must be specified";
51*e7b1675dSTing-Kang Chang   CHECK(!absl::GetFlag(FLAGS_audience).empty())
52*e7b1675dSTing-Kang Chang       << "Expected audience in the token must be specified";
53*e7b1675dSTing-Kang Chang   CHECK(!absl::GetFlag(FLAGS_token_filename).empty())
54*e7b1675dSTing-Kang Chang       << "Token file must be specified";
55*e7b1675dSTing-Kang Chang   // [END_EXCLUDE]
56*e7b1675dSTing-Kang Chang }
57*e7b1675dSTing-Kang Chang 
58*e7b1675dSTing-Kang Chang }  // namespace
59*e7b1675dSTing-Kang Chang 
60*e7b1675dSTing-Kang Chang namespace tink_cc_examples {
61*e7b1675dSTing-Kang Chang 
62*e7b1675dSTing-Kang Chang // JWT sign example CLI implementation.
JwtSign(const std::string & keyset_filename,absl::string_view audience,const std::string & token_filename)63*e7b1675dSTing-Kang Chang Status JwtSign(const std::string& keyset_filename, absl::string_view audience,
64*e7b1675dSTing-Kang Chang                const std::string& token_filename) {
65*e7b1675dSTing-Kang Chang   Status result = crypto::tink::JwtSignatureRegister();
66*e7b1675dSTing-Kang Chang   if (!result.ok()) return result;
67*e7b1675dSTing-Kang Chang 
68*e7b1675dSTing-Kang Chang   // Read the keyset from file.
69*e7b1675dSTing-Kang Chang   StatusOr<std::unique_ptr<KeysetHandle>> keyset_handle =
70*e7b1675dSTing-Kang Chang       ReadJsonCleartextKeyset(keyset_filename);
71*e7b1675dSTing-Kang Chang   if (!keyset_handle.ok()) return keyset_handle.status();
72*e7b1675dSTing-Kang Chang   StatusOr<RawJwt> raw_jwt =
73*e7b1675dSTing-Kang Chang       RawJwtBuilder()
74*e7b1675dSTing-Kang Chang           .AddAudience(audience)
75*e7b1675dSTing-Kang Chang           .SetExpiration(absl::Now() + absl::Seconds(100))
76*e7b1675dSTing-Kang Chang           .Build();
77*e7b1675dSTing-Kang Chang   if (!raw_jwt.ok()) return raw_jwt.status();
78*e7b1675dSTing-Kang Chang   StatusOr<std::unique_ptr<JwtPublicKeySign>> jwt_signer =
79*e7b1675dSTing-Kang Chang       (*keyset_handle)->GetPrimitive<JwtPublicKeySign>();
80*e7b1675dSTing-Kang Chang   if (!jwt_signer.ok()) return jwt_signer.status();
81*e7b1675dSTing-Kang Chang 
82*e7b1675dSTing-Kang Chang   StatusOr<std::string> token = (*jwt_signer)->SignAndEncode(*raw_jwt);
83*e7b1675dSTing-Kang Chang   if (!token.ok()) return token.status();
84*e7b1675dSTing-Kang Chang 
85*e7b1675dSTing-Kang Chang   return WriteToFile(*token, token_filename);
86*e7b1675dSTing-Kang Chang }
87*e7b1675dSTing-Kang Chang 
88*e7b1675dSTing-Kang Chang }  // namespace tink_cc_examples
89*e7b1675dSTing-Kang Chang 
main(int argc,char ** argv)90*e7b1675dSTing-Kang Chang int main(int argc, char** argv) {
91*e7b1675dSTing-Kang Chang   absl::ParseCommandLine(argc, argv);
92*e7b1675dSTing-Kang Chang 
93*e7b1675dSTing-Kang Chang   ValidateParams();
94*e7b1675dSTing-Kang Chang 
95*e7b1675dSTing-Kang Chang   std::string keyset_filename = absl::GetFlag(FLAGS_keyset_filename);
96*e7b1675dSTing-Kang Chang   std::string audience = absl::GetFlag(FLAGS_audience);
97*e7b1675dSTing-Kang Chang   std::string token_filename = absl::GetFlag(FLAGS_token_filename);
98*e7b1675dSTing-Kang Chang 
99*e7b1675dSTing-Kang Chang   std::clog << "Using keyset in " << keyset_filename << " to ";
100*e7b1675dSTing-Kang Chang   std::clog << " generate and sign a token using audience '" << audience
101*e7b1675dSTing-Kang Chang             << "'; the resulting signature is written to " << token_filename
102*e7b1675dSTing-Kang Chang             << std::endl;
103*e7b1675dSTing-Kang Chang 
104*e7b1675dSTing-Kang Chang   CHECK_OK(
105*e7b1675dSTing-Kang Chang       tink_cc_examples::JwtSign(keyset_filename, audience, token_filename));
106*e7b1675dSTing-Kang Chang   return 0;
107*e7b1675dSTing-Kang Chang }
108*e7b1675dSTing-Kang Chang // [END jwt-sign]
109