1 // Copyright 2021 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ///////////////////////////////////////////////////////////////////////////////
16
17 #include "tink/jwt/jwk_set_converter.h"
18
19 #include <memory>
20 #include <string>
21 #include <tuple>
22 #include <utility>
23
24 #include "google/protobuf/util/message_differencer.h"
25 #include "gmock/gmock.h"
26 #include "gtest/gtest.h"
27 #include "absl/strings/match.h"
28 #include "tink/cleartext_keyset_handle.h"
29 #include "tink/json_keyset_reader.h"
30 #include "tink/json_keyset_writer.h"
31 #include "tink/jwt/internal/json_util.h"
32 #include "tink/jwt/jwt_public_key_sign.h"
33 #include "tink/jwt/jwt_public_key_verify.h"
34 #include "tink/jwt/jwt_signature_config.h"
35 #include "tink/jwt/jwt_validator.h"
36 #include "tink/jwt/verified_jwt.h"
37 #include "tink/keyset_handle.h"
38 #include "tink/util/test_matchers.h"
39 #include "proto/jwt_ecdsa.pb.h"
40 #include "proto/jwt_rsa_ssa_pkcs1.pb.h"
41
42 namespace crypto {
43 namespace tink {
44 namespace {
45
46 using ::crypto::tink::test::IsOk;
47 using ::crypto::tink::test::IsOkAndHolds;
48 using ::google::protobuf::Struct;
49 using ::google::protobuf::util::MessageDifferencer;
50 using ::testing::Eq;
51 using ::testing::Not;
52
53 constexpr absl::string_view kRs256PrivateKey = R"( {
54 "primaryKeyId":1277272603,
55 "key":[{
56 "keyData":{
57 "typeUrl":
58 "type.googleapis.com/google.crypto.tink.JwtRsaSsaPkcs1PrivateKey",
59 "value":"QoABP3S5U0JiFQcqcMFT0Ysqk7FK2NunBCY9o+EAE+svaQi6zWQq2ODFoxB2NU9nqa3ZbhRiCdKNLz6o+jOTIpemKx8Gh/7GufRGLFAjjMchZYs3ripiTNSMaqXgm6ECt8DqrAZbMQ7D3Ha1vArcZG97pbE9t3m4M87zhLs3wPYd/kQ6gAEFPE2GLD5ai8VYd/Q0ePZR0ttLgkJ/2yIig5T8YyJaoZEPjK+v3zVFQuGguJApnl2tC0S7OqOtqsDZ5Dux0H3Cx85FLeyB2STHlXtq9GUGI2VrC/TP3OASc6ap75WMKZRpowEVaip8wWehAOL+VIgTajiFf0yXdSodc4ZjJKreiTKAAd6ahHQiVJapNKY6XANgA+JmluAWq/Fk1LmEnTybWVelcODbppwIvhJ6Xuz6kjuEhhxsUtkPO4vuZJfEF8DWAH5L/FHjJpgP3NnDoNVzGOL5w8SdgIfgCS0UqBLSv2/KhlIEijuL9NYaqydN1cPcjdeadSMcDSIwKjNASRVaPZDJKoABx1/CfOqCbE8eh450YvGwYvII+ro8tR+uusnt2QuQZux3wvl9eto9Dr+5Iq/0bKqpMMgvYHIT+mlkgK6SYLcynZx+SYMAtbixa0nH1lJnnBodOJS6zdMRTcFkpI4g/CbCvzTp5gF5EkfBSbVToVLqICydokKnTvNK6chX3MEUjskigAH0eGwQwn174yJzJTUWH4cRxDredI6LkjADm/ikza76AHT8qRJHJkmwSXL88p3M2bYFN+g9Z/FTL21Ylc0mxn/iII3vabfZWZTWK9QGR7YjAicFyLDeu/ZccCkCXgTFzqqlZ7w4Sv05hWz57xxm81JyxftzapeflfAmjRircFXG2RqAAgub/Z28+SFSf6zSPFMKiYVWx//DI0ubbiuuu65tUse9xYq9JtHEobgYk0dJXNuY9RzPkGblZ8/SD06yRf9l8DMRAbivDfgXY5QZ2PBDk1jn6A2y0S+i80h9MILJ+/sfkljiyvtBFDQwiI9tPOOnxbWmg6bl5xYUdvjbhxBoVB1fgOtAid6gGuLstbf8ycV+DkaWg3mo4054ge9BBT4eWKGC/LHctSaQ/OBs5cbGW+UqZxIjSN9YeOTkbvNKO4l4jGTg0BUBPB3GH8KQPtE4sbBhUDyjYYgAZZcSaRq7AfhLUkiDSfIVcKAIoEOaTS63vf2BQlbW8/HuNlWNUX0M+hkSigIiAwEAARqAAr5lDmutk2K8Y+zfK2VQM6BHUp5rEUGjVgTAHQfGnRmvJ+MnBomFqBr9LmVnPLx9o5+pdz2v+9m29iB39/ig9lGk8C5Ncd8koV8mxKEuWRfW3ps659qITYsRqDezn4+8D2+tWfhdTb+d56t9PM/kSNVnsiB/vR47iHLlMWlmNFXr7F8wnoTCT+YO5Fc8peeW2HEYtvHYnZFWs681YDRt+cjTTBC99qFtVX776e4X0B7cUsJBTj8yYMyDx2yRW8QCxq64Fx7KKu1LQ0HUvb76BKePyc0IQrZwhCmoYJE8Dlsk/ejpURmIjyUhR1k7o8tUJ3ejinPCxhLKQF+KA+mZfmEQAQ==",
60 "keyMaterialType":"ASYMMETRIC_PRIVATE"
61 },
62 "status":"ENABLED",
63 "keyId":1277272603,
64 "outputPrefixType":"TINK"
65 }]
66 })";
67
68 constexpr absl::string_view kRs256JwkPublicKey = R"({
69 "keys":[{
70 "kty":"RSA",
71 "n": "vmUOa62TYrxj7N8rZVAzoEdSnmsRQaNWBMAdB8adGa8n4ycGiYWoGv0uZWc8vH2jn6l3Pa_72bb2IHf3-KD2UaTwLk1x3yShXybEoS5ZF9bemzrn2ohNixGoN7Ofj7wPb61Z-F1Nv53nq308z-RI1WeyIH-9HjuIcuUxaWY0VevsXzCehMJP5g7kVzyl55bYcRi28didkVazrzVgNG35yNNMEL32oW1Vfvvp7hfQHtxSwkFOPzJgzIPHbJFbxALGrrgXHsoq7UtDQdS9vvoEp4_JzQhCtnCEKahgkTwOWyT96OlRGYiPJSFHWTujy1Qnd6OKc8LGEspAX4oD6Zl-YQ",
72 "e":"AQAB",
73 "use":"sig",
74 "alg":"RS256",
75 "key_ops":["verify"],
76 "kid":"TCGiGw"
77 }]
78 })";
79
80 constexpr absl::string_view kRs384PrivateKey = R"({
81 "primaryKeyId":357749026,
82 "key":[{
83 "keyData":{
84 "typeUrl":
85 "type.googleapis.com/google.crypto.tink.JwtRsaSsaPkcs1PrivateKey",
86 "value":"EosDEAIagQMAjzf/xTLS/jFLqQNkqpyrNJt7KSzLYLrtqO0jjUnYowO072NRoQBD24OEy5uNnM9iHXB/+C0mAALk9KIjd84tQbQAcJuL/JdV8ff/VT9iXhv97zLH80/K4i/AfBfATlrfaGKyz0+5jb6oSK8fksrgBfE+JOJRz3HiCHU7BlpJNhZPtJE77RE7BjALCmDhR/Qgwu2Yei782Y3DS46U6Ap/H4QWYzNX7mmykSfCwer+KMVLGYc0B3LlLSfi7UsgoqaBckjJS7cAp8AkzJ2fqdMrOs5ylfTIyfE+r3I/zEq4r+ZfKwXI2+ZLRKrlz6Cs4RMV4wVJzB6hSlZWdg4IJLJn3fICGxNRacONl3uK6OL1jvNSjg9aUpfJFHP9pKnGuyfvQs5k0stSMgtV7J8JGzYlem1/EI2DfCDoVUAfTFM5GY8YgKBYObA4WA/Vjq1b6nRycrwvBWS5FyXIoAy9O1ib3FlkdRKPDzqscScHZV+w9MifT9YBWcnY4AqG5Uy3CMHtIgMBAAEagAMPPYhMNdJaFmjUvXWy6iUV3g3HHesuifXMah/EYz1Ya4aPiuQe2+Zcr6wr9oulSjRIqbYUdMl8atJubeqUTy5ltX/ue77zzC7rJtbW/X28QgJNt/urGqyeUTKMggKG1Ai+FPKuOO+n88f4pBoaBti8CSXxytul1ZqWB9OWI3ly9gDZWDMmURUU3XvvSMvwWjw6Qgpdxi5GAF3t5mhWIPfSJL41JDuRNVI5PB/vftA5CnWpa8fPmxxkJ8BwO/RnGoy3GgFGFwRuvuLiQgQiHwjCq6czgCKaw1FPq5HaTyJBdCfv+gDG8EjvnsDLzWQqQkq7obvY7uSCxw2lomlXp4cPOo5dbwTSJg2OessyL4rQQJZjw78etOMjOx1M+Q4sVlKbPdd/qxZpnlZ2EG1oUjRM7ZMuJEVfxSy7KRt9GG0P4pqMX7uhMmjF5B/H/re/GujrhISA92cPc8MQX+IA1z9ZHUrHgSMLoSVIf7pwB335sQe9R6pR8xjgoPorFzQ7/kEiwQEAwBOLB9g8uS68ypaUHMixM0RSqaHwaCmhJ8YvJ3z3y7qDYrJWSNmL1zzAjPdbHtvO+u9yssevvuj0/RdjI4U0lAYbT/RsSWMG9M+ojRr/CpK3tcOGE+fJg6EAjOnJXKxkGhxdftM8Nr9ErlyQcei5iNoNbzC5yrytPOM3QvczwiIpbWiygI/+IouMM1gnY7f0OfUFHEyMMOl4hEc8rBKiijJSSbLnuTERLLHDkVlvoCz59D1VUuG+aCUaaRb3vF6ZKsEBAL7h5x4M7K+tBi0prtJy/PCxL70RgGWscummSF7gO8Rw0W0SmA4g8Q9SrEBOI3I/51KFTdxgp6CWQfO2S/L5tbhtDeye7CGqnO8oVeDuB2kD7k4yUkhgyeUFxc7DB/aU1lo8Bc3kClsmecWtwDbJ1pMrCwF7yXifBK6TuVY6iZ/46+HfLnZQ+fWcvvbPAtSbKVZ1YMVYMVipBbvIWf1slWOaHfXIi1YtZlkM+wJHX+a9zheP4HW2TBt4qoTSlm92dTLAAXPv1+2mQhDs+xu1hDVTllIBnXuyua/F4PZnE7NcJR4duIxsZNSYK2aBzx/HdoLL3sVsnuj2y0gKyUWzRi38i14FyZqbSHmLgnlmlrCFaQhywty95kJBmEsRdYmY2+hKTinMkUqqKiBJlyU/zhhThxnptE43NQ4AkPi9lW+gUueNQ0A8//HF+HnVjYy4Wx4/vPT2xlzsf3pOkmYVsbOTk/SipzTA/km0Kk+2BPvI5i3iuAUKuGPMyueF7ckdCe/zkTrAAWDkpP/hCagnSTJVrVNQYUsAdj4gCzAROIeYC7Z1VoFhzzzxqlPJrvPbQGqn/2A4RgDif+J1AcIHY9UFXUoqLW8/lEjfZvez9lOEAwvZZ9OL1kTFUHVDBFkH9B//aiRl6uUFAOFBd2xLfJa2mxJ0pEIyIDURk/Rxq9u+St8VedTFc19Fff07H5boiRsZe9NWK8aicIvcN7hMnAd1LRDyNGbJzZl8whXtl71uVGAUwP6MrHfTZdn6vmlXeB9SEmDkHULAASQW/j0wELpL4tHoIM1q+MpU6x/JB4e+H3oAZv081V9ADroMaweBurQtfa6wH+w/imenWNh+ipFZQe7R9UKsno9fhU2uBZG6gsOLmb2MMpuBMWJNqJMZAQ7jfsubtpyTeL44nkRT8cOxIIGwmjU9jt6CA/CrfKrgH5s5UYcfhIiLqJI+jLIVHn+ygbG0aLoUVoy55mtdW3aCkpdb1GIR8G9ahguwIDzvWKIy8GQpyKA9Rt2tpzMFm7gWK4cz3qrXHg==",
87 "keyMaterialType":"ASYMMETRIC_PRIVATE"
88 },
89 "status":"ENABLED",
90 "keyId":357749026,
91 "outputPrefixType":"TINK"
92 }]
93 })";
94
95 constexpr absl::string_view kRs384JwkPublicKey = R"({
96 "keys":[{
97 "kty":"RSA",
98 "n":"AI83_8Uy0v4xS6kDZKqcqzSbeyksy2C67ajtI41J2KMDtO9jUaEAQ9uDhMubjZzPYh1wf_gtJgAC5PSiI3fOLUG0AHCbi_yXVfH3_1U_Yl4b_e8yx_NPyuIvwHwXwE5a32hiss9PuY2-qEivH5LK4AXxPiTiUc9x4gh1OwZaSTYWT7SRO-0ROwYwCwpg4Uf0IMLtmHou_NmNw0uOlOgKfx-EFmMzV-5pspEnwsHq_ijFSxmHNAdy5S0n4u1LIKKmgXJIyUu3AKfAJMydn6nTKzrOcpX0yMnxPq9yP8xKuK_mXysFyNvmS0Sq5c-grOETFeMFScweoUpWVnYOCCSyZ93yAhsTUWnDjZd7iuji9Y7zUo4PWlKXyRRz_aSpxrsn70LOZNLLUjILVeyfCRs2JXptfxCNg3wg6FVAH0xTORmPGICgWDmwOFgP1Y6tW-p0cnK8LwVkuRclyKAMvTtYm9xZZHUSjw86rHEnB2VfsPTIn0_WAVnJ2OAKhuVMtwjB7Q",
99 "e":"AQAB",
100 "use":"sig",
101 "alg":"RS384",
102 "key_ops":["verify"],
103 "kid":"FVLRIg"
104 }]
105 })";
106
107 constexpr absl::string_view kRs512PrivateKey = R"({
108 "primaryKeyId":2102918723,
109 "key":[{
110 "keyData":{
111 "typeUrl":
112 "type.googleapis.com/google.crypto.tink.JwtRsaSsaPkcs1PrivateKey",
113 "value":"EosEEAMagQQApm24cAZjL7Uxzvyx2nWA5XeMwIm07s2aHItKmuhZwGepI3WD2YHYR0Hbb5YtaEH9T8mVlEJ0dPoLE8dKJ3Rz0klz7YKaJX3NTaxVMlSQLK05VLSGtw8TPkkrprpVXL5KRz/X4jQPZi6td3RpEHIMAsLyF4cyiTpVBdbyrAeBHJzQmvVFxtj4IX9IyVFefzyDh7dueTUAmI9yYewk5zCRqfCVbGrjoPE+/l9/Su5c3iA8NhT7r8nrJkmt5iPCuX4uGSrM6TPp74sTix0jlYUlBH1wYZEx/iS2AXeSoW1wU0WQa106/Dkx0t7R5oQ0PNnxNnJAOCIdiXzvzHy48+mah6J/lp/9lQCyu/9tX6HdGlKhN1M/hKVAyY/7fLZHYvG9Sz8KJRqGhUXBO39tEc7RDL5DClO8B0lfwLOsrZq6rJwVrBibzFiOP96lMVLAEIm5mNqbGllJrb3NMOo/gBfC3b70s77vSPma7MNAvflzOkGBpdIAQmSsz1273U6OQna+1gVUuNai6A3m5WkQHHUiyT8qCt46CXeUXW+zYSNO6KFrEmEz7XtqUkuYMvTpkQOyG3ZSG79kTER8/BMppH/6R+OVqa6gtS9O1WHM1m44cP9cA6sZp8yMz1ZWr8PleOoXtYWdv+3hgg5A2YZ454gUtvguVHmccHUcgdSkBZrOu+UiAwEAARqABE1h5sfvsF6WWTpstCVnTS9kjsVXQhFm96kd+upb7p9Pk40xLsULYox/SpBvu10mkalviWUOISfiuxPPLeN6ef/kt0pP12xnOfZLkrF8MC0Vvfpslda347KqQuma6eXddJv8S1yZ6C8StQU90zwaSwtdqULXUeAMh0vXza2/L4EmSLhEItV6PKUWkblJZC607FNGLs+cnVJSIFT3f5EfPBtQCaoHaR+EDE4qCP3GJtgBFP3wc7YgpH2A9KJ1Li0hRj3dcLldsf/3InckbU8wQS39RSuYXy5T02yLNFpqkDenuKazCqIL1ea+Q8py3fcNPuKZ7NIsyp8KwFTMCRMgIwD5dq6l0lsNZ7UMx2/5ex5LEGlTmNdQZCZivav2hQF8/zeEWzq4dH+hDrNWSwIyMF1t70mxChMAQ0RAzH6iteCQQFnLIFFqVTiXIo2FCwwlyg2uQ6ASJvnW4M6ftXw8ktpLlPeP9uDpN2idBW3kO8dLUfQbCjIIr4cQozQvYenVkMBAbXjqORFK0YRp7xtUNeV5i/y0Dd8tKTmVx8QwGaI48RLVZUC6xelFugbP7UKCkVTPw204JbQGj0Bc1o+KM+ekEWd6Z1oyQQEE/tx2pMsQwrC5FrOv6LtVCLTyQrfHmrENpFI3MRyHJsBFSO0UrDFu9CSCsLSvGjM4eAlI+1xhIoECAP9WTkzedYf0VvNI3oMuENt4nG1CLycY9ZoUmebVvaR6jcFFHr8AxT0JGt/ZdnSt5iDK+VC52Z4kjVfiyJaj9O8PKifKiGho9IpXbd57k0lhDVwEZ6jLJ55y3KJRBcXaTtqodO3KsP8Nix2mcInQvKT9y6ZY7w8PT9WOrJuXtClc3CvgK5LyFQLRQ8dsCWclcb2MWD7IKBam1yvdd5mtCylsF0mnSoLfYPFcPAZ/O0zKCQOtyCm1duEfuBlef0mGwYAJsvKvj4N8U10Yk5TNr4oZM4olP2WY4Jf4fucnKscMxwkkbSVOOjms/r8NEBUH6XUpGewUQyaV47LPcFsvw48qgQIAptxTtmGV5XcQqYJJ3bvPAjm03+wr0A32cr4Z0cnByBz/dfNFxacEm6cWKflsu4CB931hDiI0CLveTgElNR0TKdNG5tpM6/17WOowACANRhLjEMH+p5A7zpzAwJrWHEh5qrSpgPm08fJhrUfyWoRZ7kxXm7SoVHWlKvAw4QR1PNPYxcg3Tm1zgZ40/gYn3JSdnDf1KN25XRfxrHgSVbKl3XRL4+6TgzTyu7olONlYEXjpxuuX+UMyTX5oozyxNAC3UUHNXlRPMWhKLy5vbhLDsk5LFwM4j5PL0Edj6pdfuegclsZYqxwWXLdHWu98EKUdZaucFVFoHc77h9OgmSv/SzKAAjhOW+3vkJNuek4j342l9umu6y/czHEeu+pCaL3SnINM0z2vdFxCWzxeaaK7XbfVMU5B9ECs+yQ4g0LCK+GsPjMJcQ5dRz9fBa4MIZpSPeSMllmYTxOV2SLDyYuxukgrIABv7XkSnX1hCzB6p458jV0E6ofATNdRVRWO5Nla1svYQmUahgFdiOyaIQw08s3gH/jgngUaNlzoZcKyj9E/q5pyz5/aWEAL6mDPKh10qSsB0oMRK3anIZP7XqmZgRBBuyH1AZUqyccA/5Ej/kduJCub6xWnqRdKYxygG7v1kyVZ1/pYIgl7+rMFRxfyVX2NxRmk+qZowXYcz516yRgSrFk6gQIAlvfbabTrKTzLv4IZENwelHXfl4WXslsfsnsa4zt273aFD5O2efj961KGdB2u6gqADIrM6Du79nb70Hmqz15p+zqj+LRkSlQCaNUh7ssRF2h5Nq0+mR6fbfVXVCwDMn3ETtW8UuwacZmKFHx24rzCnR9HWKJgdmImuS2uG7ir1ggaJgBbQcM3cXvRmE+7exCfdTsPvhS15GuIhjHw7MaA2VeiXix6HIkoYP8vNDs5Oj26zfZUfvr0JTcMtzxvW4yWT5eIlyMSr7IbBIsv2Fhz5Px/ZefNIeJn0h71YMfqnUpLq4LzsITuGp7cmYL6Lhkl+toEkykfWXDvFNo9gLhU90KBAgDytWdZp7okr10lBmVx+V5mMkmYv7Pa6H2Xp+Ntgr5JxGac771oZs/46EQ4Kl7F6+OSDqyL0d0JVgOYOT3toNnEdYEe+Pv0xfl7PKG2OV2v7+Ud0Ko4PITt9tYUrBHI/LuDJl1D9MsEDwEToQIFhNjgfNlwHsvqWpOWUo1Km2h108cubdC8wv7pkMCJJagOb8XsfnYscT+FCQHOGv+PRIzKTxU1DtZe07i3ZTkvRyYh2e5PLvMRFBNM0RudybikzECPboeWd8EpKY2RUaesNZoXmpPeFh/LsRZQfgnOt9trxQGtKmVUT0b63Jt0sRe3ydYuYldp0PvO0CsClFihj4tv",
114 "keyMaterialType":"ASYMMETRIC_PRIVATE"
115 },
116 "status":"ENABLED",
117 "keyId":2102918723,
118 "outputPrefixType":"TINK"
119 }]
120 })";
121
122 constexpr absl::string_view kRs512JwkPublicKey = R"({
123 "keys":[{
124 "kty":"RSA",
125 "n":"AKZtuHAGYy-1Mc78sdp1gOV3jMCJtO7NmhyLSproWcBnqSN1g9mB2EdB22-WLWhB_U_JlZRCdHT6CxPHSid0c9JJc-2CmiV9zU2sVTJUkCytOVS0hrcPEz5JK6a6VVy-Skc_1-I0D2YurXd0aRByDALC8heHMok6VQXW8qwHgRyc0Jr1RcbY-CF_SMlRXn88g4e3bnk1AJiPcmHsJOcwkanwlWxq46DxPv5ff0ruXN4gPDYU-6_J6yZJreYjwrl-LhkqzOkz6e-LE4sdI5WFJQR9cGGRMf4ktgF3kqFtcFNFkGtdOvw5MdLe0eaENDzZ8TZyQDgiHYl878x8uPPpmoeif5af_ZUAsrv_bV-h3RpSoTdTP4SlQMmP-3y2R2LxvUs_CiUahoVFwTt_bRHO0Qy-QwpTvAdJX8CzrK2auqycFawYm8xYjj_epTFSwBCJuZjamxpZSa29zTDqP4AXwt2-9LO-70j5muzDQL35czpBgaXSAEJkrM9du91OjkJ2vtYFVLjWougN5uVpEBx1Isk_KgreOgl3lF1vs2EjTuihaxJhM-17alJLmDL06ZEDsht2Uhu_ZExEfPwTKaR_-kfjlamuoLUvTtVhzNZuOHD_XAOrGafMjM9WVq_D5XjqF7WFnb_t4YIOQNmGeOeIFLb4LlR5nHB1HIHUpAWazrvl",
126 "e":"AQAB",
127 "use":"sig",
128 "alg":"RS512",
129 "key_ops":["verify"],
130 "kid":"fVf-Qw"
131 }]
132 })";
133
134 constexpr absl::string_view kRawRs256PrivateKey = R"(
135 {
136 "primaryKeyId":234505441,
137 "key":[{
138 "keyData":{
139 "typeUrl":
140 "type.googleapis.com/google.crypto.tink.JwtRsaSsaPkcs1PrivateKey",
141 "value":"EosCEAEagQIAiatQ/c8O22Ke3tqUHEp7Fj457icKPRM5nTrK4qCrtRC77cZzwonJAc7lLM+UwHLoWNxao7PP6SQ2b2x6PcCx0aFMkJw4JgOguACtgJoxCgws46MxAlNVsd6I+nJWAfO+kb1fD8hU09tEmGxPibOoe7KilQQR7FVBwWjoXdTzMTWSmnHOgy8iLPn5mbp0VfwSjOiUwPZMsOHg1kUBv7q4mzxNjNLw53pXQFWHUJ8cvUK4im8iKuSCSLZEZc0TWvntuEl8xlRa2oBRdvlIzYgWEtRyAYtX49/E/ZzFwnsceGTn6UV/nv3gKapwVriaWJHa0lGeFRHa+aWDGpSPPArccSIDAQABGoACOgE5vcbpLpxt7d3Qu97R37xWMja2xKb+BnZIF5a04jRryjJsgdIGJEHlI61Osot3xEEL25+egU/ls6rUEoLHKVk55lA8BCBRLlXyxJWzBdW9cChJNP6hw7DMrCFShb4KVGOi0waIXz8qtsIj/RP6cCwC/qBZYOdHLlOiXC6mTNv0blQ2Cb9yfZZ1Lz855DH0l2/GMdZYXwb6JElM+u/vR7lxTp4Wc6kq/31PULDH7G+Ps+QpXxHMIqghgSWyRsJ9+SHv5yo7JxA58eTQEUXkI6RCJJQ3pSXjdveBzzPyN6ZCmjz91Np3oPh36dZtknW0UspZ6Jnpc5GLphkvG8GblSKBAQC/vcua6r6FGW0VO2yD93nWgX1qepmULYGw7lv+mfOvodPUr+8EqDZXaRzUqCHynhVfb1BDEsoxP9aLoPVFZoJbL1MqBnUx6X0FXoKu2FzqsEJYw2qnl4VLhFn7xebnR+vwv+MMYf+yvnIdcMfmrZhWmCS4hTFQlJDfxji2SPSdByqBAQC3znfJnB2xC7eDUCTSH49h/xW1YWaS6nTqXvk3LJeq4tX2WGBWxfCLh6xpNpzF31xCDdYlt+yGcy6UUBKr4TteePrWf6jY9TWJZO7FvAqIIIxaQv3a/0A4/sgzYcrr2ansWzhNtfCESxOaPFVfLE1wh/PpJBzbcltRbG/mEY3UxzKBAQCfvXhN5Pm6m1c0lCAwxVE88v5QYjlmqI7en4YG062gCbsX+0au45D6O7joNfaqUSdPLcZ5SsMmSp/sDbmpCuDZJNEtNtoWLgaZHYbUMa8fWp67onpNiz9ija4Fwnc/Ab1AAi0fGNnUyTL68gWoWcGLiw80pspR7qPPui1vN9KKqzqAASl2qg8Q6KHHwt4cdjHwbKfuozcHgdwih71XL2EC7jPed+XaieEJRfoz4PDbIQKCII3GEUjw9Kpf0WIjrhKX/IyTPgKlSbGnnywfWL3CbZ3HueGiuyFr81DoKMFujhgmQe7PpSPipx8w0Hs6oQeXNuDryloNi3T1lyQHEjcUPqqBQoABcIm6r6QyTlBactKBKEqyhkXF1tCvw7YR9herJoubM/xklWzU5J8bgSQ1h4dutlANutXFqeOInUufyPChP3inQhcirp3CccJFaMP9uevRMMhUxyOyQkpOfxnAe7hvCjRsDDZZqh5bi5siNzeIEnU1s7sq/0XvzZA7G5fGZgb+dZs=",
142 "keyMaterialType":"ASYMMETRIC_PRIVATE"
143 },
144 "status":"ENABLED",
145 "keyId":234505441,
146 "outputPrefixType":"RAW"
147 }]
148 })";
149
150 constexpr absl::string_view kRs256JwkPublicKeyWithoutKid = R"({
151 "keys":[{
152 "kty":"RSA",
153 "n":"AImrUP3PDttint7alBxKexY-Oe4nCj0TOZ06yuKgq7UQu-3Gc8KJyQHO5SzPlMBy6FjcWqOzz-kkNm9sej3AsdGhTJCcOCYDoLgArYCaMQoMLOOjMQJTVbHeiPpyVgHzvpG9Xw_IVNPbRJhsT4mzqHuyopUEEexVQcFo6F3U8zE1kppxzoMvIiz5-Zm6dFX8EozolMD2TLDh4NZFAb-6uJs8TYzS8Od6V0BVh1CfHL1CuIpvIirkgki2RGXNE1r57bhJfMZUWtqAUXb5SM2IFhLUcgGLV-PfxP2cxcJ7HHhk5-lFf5794CmqcFa4mliR2tJRnhUR2vmlgxqUjzwK3HE",
154 "e":"AQAB",
155 "use":"sig",
156 "alg":"RS256",
157 "key_ops":["verify"]
158 }]
159 })";
160
161 constexpr absl::string_view kPs256PrivateKey = R"( {
162 "primaryKeyId": 1803616132,
163 "key": [
164 {
165 "keyData": {
166 "typeUrl": "type.googleapis.com/google.crypto.tink.JwtRsaSsaPssPrivateKey",
167 "value": "QoABPzsxHq7K5f91YucwaXUDk7ERgE8pqLSc8w34gEnc/wo5vk0BamvQaWRVQQdzEfK+eqVbrHmWi5mhY9QXpOv0dhuhyvo8ZS0ya60cT6DYSu2LBLDHFa68Wp6SWbIwFN4X5uGC8DYvWpJU9PCYg6XUu67T37FhGFekGHTSXDLf9Ko6gAFm7TJOM/v8MbHkCpY5NTtda7fb09XBXFDSC2XFGKvOkfQrGEKdEAvOCffpTBHsyvZAEJag/p2OZ+4W2D3upPNFkrmtS9MSGU39o0kn2fd6Cw90w5S1gjfxgWDbZpzs4AvbpU436Zy2wZYjJSIG6xbjDuYwizrflPX/sq5GUpuCuTKAAW+ovScT/DR/doxZm+xykUTTfEr2W4pd5PpLQiI1gUA2UTnY6p0svW+IbbSaj6vTE8s6+STsTGYAteUgdFBo7Ao501XbAJpJQX4ONI6o66BUvvzy0S6VLs+YQ6MWpArvNnnzRo5NbznO6IESyumWNm+8HQMaJ12sAqpWOoH4bz1xKoAB02eSVf5ZSDiYa4uF85NvvAVvEVPOPAd2gOqXzOWH+AXtTHJ8n/gcvUMnFR3W7cdZdyY2HslV0qphvkL7mCwsoOUBH5dA+F10Ebmk4hU9XEkeQvgFVgffzyqKjG521WOnAXQXudhOkJgXqGoTB/fESyRvSqA7ZKwPL1dvZnpJRv8igAH8m64q3qJFFcHWsnUb3hS58BXm8aTuk8Reju8XDXjBa9DPy5UySS0P/Chyh8HF5PAIwWSXTYDtFvdve3UN28oxTzhZ1xsz86BOeF2lFHpZ1y8/uNzwLRTIYWCXhbAS+bGpQOUR4JJDjSyivJCBqrkMCDUWAXQSqIZzHnyD+wbP8RqAAkukY+fCuoTpXOd06ASnbIsb+ZF4y++LsoulcQ//wmemVEOihJcQDgAfcL0j6HTylFG2EJJMDoLVWv6sZgrYpR1O1g97IB8KsLvyLm1JHxb9rbTDBnKSWL72NSZWPfs/Q5y5SXRxSD1gJoL/pcL5uuOosJjIvQ2olVMryYAgbnsA5UHZP7N8YpX0njZxBl9/PFNrTkWBMr15+A0VqOGh0TGnE/D4iAAduMJn1f4a3ZYVC4FgxKVxLxkB3oOLZz+QXKvs61slwRjotY3BXoKeImedOFmZoOJCA9qD+9rT01mQ113Fi9ylkBD1VGqtvIoB1CZa4tZZkRyoAeIMU7vMUpESigIiAwEAARqAAtCag5YMvymg6QloWgfeXCnS7MgRgm4fOubRxytyzNSL+apbeHqjvZ9gZ+Uef2R6zBBr1aAZsKZH51pmjMamYPuvZPIndHTeDyngbiGHjuQtiBNw9LjtVFs7D4uFx7V39wmJsGDlByeQ0/Kv44DF2Ann8rODr2JEXH0qVlbxbRdT8wUoo0GsQ0FMdK3Sb4tCWU0Dlx5eDMIM6xaBEU3WbMAF4dtTCtVGr+vAGv2fE2VN0f6mPk1+/KoQQr/E/9cK6KKaxf8WiaqcsF5LVJ0MVYLvmhuvsqKKqyAr6G3Pyx3Rf/EfkKdqWH7B0pjw0irvuSassiCKMX16S3VLKw5eBw8QAQ==",
168 "keyMaterialType": "ASYMMETRIC_PRIVATE"
169 },
170 "status": "ENABLED",
171 "keyId": 1803616132,
172 "outputPrefixType": "TINK"
173 }
174 ]
175 })";
176
177 constexpr absl::string_view kPs256JwkPublicKey = R"({
178 "keys":[{
179 "kty":"RSA",
180 "n":"0JqDlgy_KaDpCWhaB95cKdLsyBGCbh865tHHK3LM1Iv5qlt4eqO9n2Bn5R5_ZHrMEGvVoBmwpkfnWmaMxqZg-69k8id0dN4PKeBuIYeO5C2IE3D0uO1UWzsPi4XHtXf3CYmwYOUHJ5DT8q_jgMXYCefys4OvYkRcfSpWVvFtF1PzBSijQaxDQUx0rdJvi0JZTQOXHl4MwgzrFoERTdZswAXh21MK1Uav68Aa_Z8TZU3R_qY-TX78qhBCv8T_1wrooprF_xaJqpywXktUnQxVgu-aG6-yooqrICvobc_LHdF_8R-Qp2pYfsHSmPDSKu-5JqyyIIoxfXpLdUsrDl4HDw",
181 "e":"AQAB",
182 "use":"sig",
183 "alg":"PS256",
184 "key_ops":["verify"],
185 "kid":"a4D_hA"
186 }]
187 })";
188
189 constexpr absl::string_view kPs384PrivateKey = R"( {
190 "primaryKeyId": 743880559,
191 "key": [
192 {
193 "keyData": {
194 "typeUrl": "type.googleapis.com/google.crypto.tink.JwtRsaSsaPssPrivateKey",
195 "value": "QsABGgBRiQlPP7T0l7qjag22t5qPSbLa/PkaEnEatcxTqtJ18qo9ncTqNa7Ts851twenilUdELx+HLARFmRtmYcJuanBNMIrJ4ua/I0+rWY2rU/NwxB39x3SglT2T/wvwOx0fZAhXPNqgF6m2aGLMsppgDN6TKrvWZdC8YTC1e+ZoDlq4miBuU+NEOOsrS6Zv0SW/ZI5OxUqvGqQwaaiiy0VCsIzpJjO8GkaPntCYnA6Z1MNZTREOUcncMg2MsPEmYslOsABxBOOesQfs2aiCmt50XjN9bUvTlu/Z9z6/k327kwLpWloxZuzZWz1LMpbchnmrNvl8uj+N8qSvaIk6/Gq2y6w5TtDEdELZuuNcCkUqnnOaUJyVqkZ10PwILL0Ig+tt4GSIGlEFmdt1cL9tdU8Za/IQTkYzDQG11iG6h6llYPmj4aJxeDc/wnon5dT1pMuW93uFygwXpSkYMIvzDBQys6sUGtRbPVjNRsndRVl9w8oiF5wvEeLMtAMpAUgFxmXdC5JMsABHN4zpQrc8qsuYZa57/5gCmi4qGhECQNdsJlu7YjqjScBcRQZEK5F4pUZl2lY4zGQlClRnXUgx/g6F9FGW/ENnHebfYQ63eg2wL/EqvWBujDdYjYvs1oUBXcMFSG66VAkOYkkS8a8JnQpOfEPCkvo4/Hmz32YXjExEZWe450v8KhE4JYsaEolyoH/EoDAfG++NoIfUR6A+slyXqeQlnWK8+GMitoLKaN6EMdc31YeVsioEhn/rFfzd7p5FlLbjqBJKsABzisQA/QhytqNUWQhnhYFSs9QF+Z10ZCuUxwaSZKmD8SV4JTiHcMy7LK7RGt3Btlf76HmTNVOtTTsjXbBftVv4HDNamPmtzg1ggZi05cjPYi3STFZu3lUVAv2tJP5gdjuMe7slW+MqECUfPyz7OkJRBVAPQl0fbH/FSeSb529H6R+/1uXQ9nmXmikUFEt5PvY77li7Qyb6p67B1krBQusW0Lk2SL1Fs8Y8bj/lkjJar86sxGIGl2JNfSwajyK/waJIsAB1o1XIXWE82dw1r/TmkhY+bF4vvApYMYSz7lhsK5shZcY6VeQMXNUY/SCMTTndHzUNmbwdi4NCbnNt/vEOvmZnvQ2Q3YNphd6BLfeZxEmBcPzUMDTKXNaZBLbe8j1HUtaOHoaCfVuLhxxDT8knntNZNIJNuGhAK8YweR96qKQSDyL1zZRXBqnPZlGNnVCDVx0ijMmAmAY43IC5/XCR5h03TwbiJTQ5tG3FImoSXqA7RmwTSr1ynR4EKmRWt34uiVFGoADF4o9gu4FGlXDarpwmxkGQwUESUpJUEI65LDD0Vk71q0ZMMWUg2AXDov5UFx5zQkxx0Hx1ncN/pNy4qyaL3NgGg82OTxtajflwarFm5S4gKp4Ly3jtVWEYJDxa8D6JA4O5xuUl+qSJhEEIcLdUYXU/x/aPISklyupxSF2ze07QG1yNYV3/IadLxOWTtPlos1R0HE+x9g8JAYVC4kt2fQ6ldmZaD6h9fJORqSr6i5mdikzGw1vrJs0XaGmIxuN+C9jAS031tkD15BgK9vd6wrlT9d5C/KDJT7zJShYnNTJ2E9vRXBby7AaiOGjeRx/E67oPzdWH/8qwsLNfkS4eYLT9nbwmIMQ7pWVxcatnWKzuQuYLpCR/O2iJlaSoO76Xuy8RklES38lB2+FNzHuHtN2xAPms74WAUX+dLrIlcA7ceWwUqeF8iyXL9vmCuMmd5kHZGxUJbzVpLOkRUdcDNtc1qXm8qufzWABOUtzVnkn1CuejH/Xv9IpbuCHhQEv8o4REooDIgMBAAEagAOsydNGtOTfNZ/Rmq6SayE30Yf1SwJwPRrZaWY77SrvH+TfUkh7bC2qGVBHCzN+44mYvkzhymy+QMFPy2HnIOrPMcwlECzrUmroAI16mPf/SErwazPGLLEVAveazGa7x7cXXgz5Xfmf1ouvSZ5EeT23Ob3rz7C+nsj8heW/WFvMd6OH+APXiDL4aN2IlgbCDWhYg0vpjNK/kMhLEgC/0cu7l+YEu2hXK9T2Jksd9Ql2rdGWPmIIFQQUwlVvrw99aIH/GgDuePe+mAB8aMPNDrZtWtVo4c6DYjhfY7EkFYny4XDpFGhykB8P+URkF637DoVowdeH+JXDE9Y241NtUeV6t91QdMwc7aMJHUkoqQjmnHtpUzt9BRW1hIGTvngsg2FKGQwI72j76Tuxk4Uv9WiFoIe0T19HEgzkxg4o/K89N/fwTIKsCqt4V3iiXQUI95ryfz0HBXfvUateA/kL/0F2gba5jqvFHBPMw2IvHPFamS+Wms1HECx1FJk8TMo4j+0QAg==",
196 "keyMaterialType": "ASYMMETRIC_PRIVATE"
197 },
198 "status": "ENABLED",
199 "keyId": 743880559,
200 "outputPrefixType": "TINK"
201 }
202 ]
203 })";
204
205 constexpr absl::string_view kPs384JwkPublicKey = R"({
206 "keys":[{
207 "kty":"RSA",
208 "n":"rMnTRrTk3zWf0ZqukmshN9GH9UsCcD0a2WlmO-0q7x_k31JIe2wtqhlQRwszfuOJmL5M4cpsvkDBT8th5yDqzzHMJRAs61Jq6ACNepj3_0hK8GszxiyxFQL3msxmu8e3F14M-V35n9aLr0meRHk9tzm968-wvp7I_IXlv1hbzHejh_gD14gy-GjdiJYGwg1oWINL6YzSv5DISxIAv9HLu5fmBLtoVyvU9iZLHfUJdq3Rlj5iCBUEFMJVb68PfWiB_xoA7nj3vpgAfGjDzQ62bVrVaOHOg2I4X2OxJBWJ8uFw6RRocpAfD_lEZBet-w6FaMHXh_iVwxPWNuNTbVHlerfdUHTMHO2jCR1JKKkI5px7aVM7fQUVtYSBk754LINhShkMCO9o--k7sZOFL_VohaCHtE9fRxIM5MYOKPyvPTf38EyCrAqreFd4ol0FCPea8n89BwV371GrXgP5C_9BdoG2uY6rxRwTzMNiLxzxWpkvlprNRxAsdRSZPEzKOI_t",
209 "e":"AQAB",
210 "use":"sig",
211 "alg":"PS384",
212 "key_ops":["verify"],
213 "kid":"LFa3bw"
214 }]
215 })";
216
217 constexpr absl::string_view kPs512PrivateKey = R"( {
218 "primaryKeyId": 803396643,
219 "key": [
220 {
221 "keyData": {
222 "typeUrl": "type.googleapis.com/google.crypto.tink.JwtRsaSsaPssPrivateKey",
223 "value": "QoACUsRKIPRhEtXtTxcFVM0/KMBMyzrafB6NNwb8cHSM0N9XGZEbeUh6EF5JGsbI0PndFyMk2wdhkCdtpdH7Bc/n7hLlW7yVR9fvPQMDoG6mITa0E2XXDkW/iJZ1cZhkiR4ptWMgNKm2xLlxOUTGcVr8+jKQ0Tb1TMsvojs3GeBLJ5jDtzq3HE6kcNY611L/hzft1aOb3+zJGRZpLcN3CuXVbhluTyrccl4V3jWN1KSejvj32zn5l0hRMYES9Ek2h686a+gqK4RYkbeP4QL7ZnT2tkG0rxfi5HlklmLn620YTzrlYpGd9x3ID7NnMjDfTz0mR/910p6JzVBloCbJ6Ai/JTqAApRrAvbP7oGaPN25FupqEWCrTZfpmOZuH2NT4h6KiB6/RxyrbRQWSh6bpRXsS/C8aHlnSj83nFT+G1j7qLINDbqHlrYD8aycRRuiLm5WWNtO6wQzpXmWmrSYutln9Yj6QWtIOIA0Pn4b1u1Aj7DudBpKhd8feihkZa9AHqmsolOi9FKILQ2FwAfmEGDXHtRjP6KrB6bMbg1XuLXrJT6xEBLyfSswsk/UnlHG3+q++jDp5tLPJnmqDgPcZ017PY71JoHE8QyNu2d4+Ng8+wOZxyYWPOvfgC12ZFaGso8do3+vG8C+HEIiHM9+brv4SyWaVZxFt3jn/aezXDlXbIsG4nMygAIJ7xT/Qz6vOVZSAvqRSVMXS20Awi1TnsgxHbUzImi6KMBRrlyFud0ltpQcZw98jlo5qB11d34HFnXTK1TOvNiB61Z2olr2+4Nt2MFPRu26r3uR3mhpacHW+TfkHw5whudHpybXkFc2asiL8auAToS2i2pr1hSOqKUDI0B6qy+qjDjWUCDziJE+IcpWjTEY74UpE5rREBIer5Xci8FPCP4FFjfomAtZZSGgS3DHwnCh9NfqyLZTGdDVJe+MEMlAFFmFUcCAk708H16bqJ8UuJMdGoFqvxU9bJrLGDkAg/CttX0BI6OCs5DR4Rqy+XKHYIkIvy6DVFja3mmhIhAVXXQHKoACvAckkJ1ayoNwbcV11yOBd0qNmPl0+NWdGlkc7+Aft6rLAR25t2tpfEjsFFYEaNCQIlzJNLAXa41Ac7cGdOLx+nRAJI3d/ExRLXhJrbAD95YM6WSM8cXf0dsR+q3hoTE0522T1XwSXICXb1Z2hzfmghL5WigezMdsEolqF/pRpQUcnZug/mpa0P40evFEIsoiPpMJYwS67iETxKeeEJv55z1W5GkT5reEeRwkQIuJm3kZB2r95p2sU82PFyXMVjgnqcqUAKWudi+oRp3jhzd0IUMQg6gcm62kpF7XgQmobMPYloc2c5VIEM1NS52s4arADR7dFxU6R28paLea8LsCByKAAvzUpants7GpQz2rJ7Gl9x0uQjr48yetqeTyzxInjezcKGgO7s85c2GzO3MkeaYcT+68NXHtdUVXrXJYerAiH+PAA2CdouEg8ra/ZOl0t3x9402kkFYcwbzmI1O0TLV4kv6NONapFj7U2WYfj0IdVILYoJWS4PSvvMWrDzP2SlZ7alSZ0zqCUGYa47Mz9d9A7d2teQ6z3UdzrUw3EBWz83szslYXQg6QDtsF+PYUhNx0tBuAdUtF4kVFXPSZoaOzaKdYwxb9TApmRheVsmOVAqb7xtwo9WmqUuJgDADjlfxwA9cam+uggvogd7Ta3i48SbJG6RXboaydht1F0AYeKZsagAQVZNwC5x8yE/nFakDyvtlO5SHR/1qvzhE0ZCepOIEmCmGTubQs5JwMllGJWhwxucVVv/5Rq9CsYjn+fpV8uj6DC2qqMiSIag+SuKjymACBktQuGGOiByYQExwMC8/ry326ehPAy588K9SM8ZuDeCswvp/cWs0aUDOlGsuXtJrKgKXdr8zDnbmZvrTIzA+nDC7R7Kv6NaBTF613XwIPIw0oPSDij0OPHy72+9BLraTRJVQP8GbvSWLb0YraMW2lyYNQN7Djd8rpO2AYKfsJAmmax/HFyPGMuKm2SjlnSxo8bmvH69DGjyK7wkU7bLJQ5Lbp98DpauhGY3EdXispU2fnJkoa9DaDmEzArRGa+T05YCyuzezuYE4eBUlxXJj2QY5ABDH5VkxcnWPSftKUUG5TSRwnIKZQ2Ab2ONNOQDafSOsg2KYDBKmLw4ZxUp2I2izXPeICfCJ2sBW2IOwSK5tRcvno8QoMvkz+9Ci8QNRpNLYTiCgbxXaoW/eLayvKt3qhkj+rKMded7yzWjq2dNv3HfvPUIwtSlAHGSqEhGkuzSijHhp2s2LN5OB6mfQt6d4pzvlh5w+pxaK3sH/wsLoVsdvUg4OBaH+KBFVYRZ9eAQMU8a6fmoFreMpSiNS6B0jY7XPsCL3mgSAuzkojCx2YBh79VB9SjcKrGGdRYLot/RKKBCIDAQABGoAEubM3lgyGn8IyKO+56q18hvuJkkxPrDXgalRWNmnA3QEseglU/9tp598dlq04eF1G4Xkrmk9OVyVSCuRdvMoko6wP4Jum+3cn42/Gsk8PdTwm3WD+yEBg/Usa/omLGiTfktyqqoZhh1TeOOBtNpD1U/p1wQxP3+bLl4//uR75CqlK9FYdBrIuqLP3nqa3/OAFuPBX77BuD1kcr5pUxPZkXBNAWpnvsW56swyIMZF2GRhfv2n2bZJgT4iybQcmEnvt1wfY3ecO5ZMSX2QNKpnRRejlIEqR9uAQa4wIJMViL8jDbAV+ZvUjMM1G0aAyMHPQzb2Hfkr9OtEi+/xyUCwqF2IUZfUb0+mCjOutpbBlSfkYULOrwd9RQTaLeNe3GhRjYWTJ+gLDS8DUWz8AcpCI7xoQSfuZLmBwxslqsObMYolxQJXej1IDmGX+Rjr4ro80EpMkv67gxYQwjP8p7FMHfK7FSDZMtT+h4mO7AD68vwHd99c9ALDJfPO7tAMG53opzD7YEZU+ySKRcMBIFRe5Kxj+m1fbN9q2ictzoQOvKh8TBlCsPLRbF5WVheUtE9anKiIik5zQInihoZidH5YJksdipMVWLeRs1Qk5J8ddv7n2dlbW7zoC60sh3ubLQ/MDm+eHlXoeKGioCMjDABRdokqal4wugvQUZyQcBBtfWT0QAw==",
224 "keyMaterialType": "ASYMMETRIC_PRIVATE"
225 },
226 "status": "ENABLED",
227 "keyId": 803396643,
228 "outputPrefixType": "TINK"
229 }
230 ]
231 })";
232
233 constexpr absl::string_view kPs512JwkPublicKey = R"({
234 "keys":[{
235 "kty":"RSA",
236 "n":"ubM3lgyGn8IyKO-56q18hvuJkkxPrDXgalRWNmnA3QEseglU_9tp598dlq04eF1G4Xkrmk9OVyVSCuRdvMoko6wP4Jum-3cn42_Gsk8PdTwm3WD-yEBg_Usa_omLGiTfktyqqoZhh1TeOOBtNpD1U_p1wQxP3-bLl4__uR75CqlK9FYdBrIuqLP3nqa3_OAFuPBX77BuD1kcr5pUxPZkXBNAWpnvsW56swyIMZF2GRhfv2n2bZJgT4iybQcmEnvt1wfY3ecO5ZMSX2QNKpnRRejlIEqR9uAQa4wIJMViL8jDbAV-ZvUjMM1G0aAyMHPQzb2Hfkr9OtEi-_xyUCwqF2IUZfUb0-mCjOutpbBlSfkYULOrwd9RQTaLeNe3GhRjYWTJ-gLDS8DUWz8AcpCI7xoQSfuZLmBwxslqsObMYolxQJXej1IDmGX-Rjr4ro80EpMkv67gxYQwjP8p7FMHfK7FSDZMtT-h4mO7AD68vwHd99c9ALDJfPO7tAMG53opzD7YEZU-ySKRcMBIFRe5Kxj-m1fbN9q2ictzoQOvKh8TBlCsPLRbF5WVheUtE9anKiIik5zQInihoZidH5YJksdipMVWLeRs1Qk5J8ddv7n2dlbW7zoC60sh3ubLQ_MDm-eHlXoeKGioCMjDABRdokqal4wugvQUZyQcBBtfWT0",
237 "e":"AQAB",
238 "use":"sig",
239 "alg":"PS512",
240 "key_ops":["verify"],
241 "kid":"L-LcIw"
242 }]
243 })";
244
245 constexpr absl::string_view kRawPs256PrivateKey = R"( {
246 "primaryKeyId": 1629784556,
247 "key": [
248 {
249 "keyData": {
250 "typeUrl": "type.googleapis.com/google.crypto.tink.JwtRsaSsaPssPrivateKey",
251 "value": "QoABP9TTJpZ3lfj28Zh9hqHMNydjyJGup+Q8xjYubqsE+E3AlnSIvRDp9r0VVHZzsHBEdKtQQgCW4FT0I7Cy4z4W3ecKskuJWFYYn0PYOXLZoFo2MF3yZ0wI04aWhRS2+Zwl3BSr1eu84jiCm9rTsODyZ0MQORvpeBVaX9Y2IOPclvQ6gAGBpXDhI/1yKJq6vlymUBwKS2FG9Tf3as3YkH2B0b7wtv1Ir+WEa78ub52BwxnOKsf3V57WLnuQppLiw/bvHFxKVDNuWGiGTzEVhJW2qK3RgryXtqzkACm6cjL1FT22B9VmVx/GqWOOOLX4He1pq+UYkboWgXVkAdP0OaPv2hWIMTKAASnEMbcFq+ZbOJIJBwZXsSmrdSnfg8A2kwuatK2U2Of7/YCE5i11CUjWUvi99plk8g/mAinYu0Gfw6YSRgbWsAvK4GsIJ4322WT1yy4g6XuncL8MKC2rCYIkhFWpI1qcsS/PxU3zWMYodV6GjK31HXvqczlJfBYNEBo9HxeYDtchKoAB0vRt2QsYTMSVYw1gIDeKdHnhMDaakaIazjc4o+DCQSk+dU0EStSn8GHON0nIrEA8A5UHqF8/yh1mW+M0mkSaSiBp+7CLAowEu72wgdrymK/e6eIELH+joEDDgWpcF/WMEWSvls2a0q1atiYvC2ERLuSxSFjoJ8IRKVfVmjPi53EigAHUpqb3E/I863RAT2ocS5CnT7A8PBgttZqIyR1H8iC2bocre8H+8z8fVf4SeYsLhqvuBcTPXxZSUT+ZVf+LeELfmcd54savTU/yTQJ27s8WIkuLeTj+80FWCVtengLwP+Bte7nyzqbuXSWHUTUSVTCMK5PiBdWrOElVYlp3JxvTxRqAAgNrTEVGQYjy+xnFbKHHmGr7olwVAi1lqCGQDDZKMQH2fZOQqURH13MhdpPEL8LlKYuLejl5B+hzLaTWOqxx4TmD9Df3nMwAC0ELpDUAfz4e2quvuRD28+cR9u0G560ON53sJPbqPGVlbtaDmpn8nzvCOmczpoGmtzcBeZ/4GeEHThzq1sRE+tBJ6B4oS8R4LUtldg+FBUnZgqJvSC1gYYHO7oySCPC5V0R3EhpWDcVbYf7PyMC7oaxIPmCAu5Wc4DFirh13BAZI2FKW+Np/heZAjYUKa4Gtb0dMxvLwz3OcPPa/AQKSjko6aMRAQvjgd/UgQ+Sr496td45I4JGandESigIiAwEAARqAAq87vw0RbcxaTFMvrVwvfGMbcgEsvt4VbTNV/SosAKGoUn3e1X8yJSF3G591XsJGQbShgvfLBkCUkFgPhGoDozA7muKwBlQmfQo9NdTMctXto+sO6kQrnbVmjKK5nzKT+p9obetR5GZEA2SJW3Ub69tBpX9iloHfCoEqBGSkuwIyB76BmyQlOwO2o2zjcironK2KtV2LOG9XWEqkOFSGWnouTUDO/7XXWCZfpUijd5ixD4XVih1n9a1Xw2yTaGwG6jewu9K1CiUtw2ZMKPqt/kDqGZXiVyk17q3UQIU+up32vtX+4nZiDt+y8EXl/M64A1pjGT2dpqXwPOnSJZJJPPUQAQ==",
252 "keyMaterialType": "ASYMMETRIC_PRIVATE"
253 },
254 "status": "ENABLED",
255 "keyId": 1629784556,
256 "outputPrefixType": "RAW"
257 }
258 ]
259 })";
260
261 constexpr absl::string_view kPs256JwkPublicKeyWithoutKid = R"({
262 "keys":[{
263 "kty":"RSA",
264 "n":"rzu_DRFtzFpMUy-tXC98YxtyASy-3hVtM1X9KiwAoahSfd7VfzIlIXcbn3VewkZBtKGC98sGQJSQWA-EagOjMDua4rAGVCZ9Cj011Mxy1e2j6w7qRCudtWaMormfMpP6n2ht61HkZkQDZIlbdRvr20Glf2KWgd8KgSoEZKS7AjIHvoGbJCU7A7ajbONyKuicrYq1XYs4b1dYSqQ4VIZaei5NQM7_tddYJl-lSKN3mLEPhdWKHWf1rVfDbJNobAbqN7C70rUKJS3DZkwo-q3-QOoZleJXKTXurdRAhT66nfa-1f7idmIO37LwReX8zrgDWmMZPZ2mpfA86dIlkkk89Q",
265 "e":"AQAB",
266 "use":"sig",
267 "alg":"PS256",
268 "key_ops":["verify"],
269 }]
270 })";
271
272 // contains the public key of both kRs256PrivateKey and kRs384PrivateKey
273 constexpr absl::string_view kJwkPublicKeySet = R"({
274 "keys":[{
275 "kty":"RSA",
276 "n": "vmUOa62TYrxj7N8rZVAzoEdSnmsRQaNWBMAdB8adGa8n4ycGiYWoGv0uZWc8vH2jn6l3Pa_72bb2IHf3-KD2UaTwLk1x3yShXybEoS5ZF9bemzrn2ohNixGoN7Ofj7wPb61Z-F1Nv53nq308z-RI1WeyIH-9HjuIcuUxaWY0VevsXzCehMJP5g7kVzyl55bYcRi28didkVazrzVgNG35yNNMEL32oW1Vfvvp7hfQHtxSwkFOPzJgzIPHbJFbxALGrrgXHsoq7UtDQdS9vvoEp4_JzQhCtnCEKahgkTwOWyT96OlRGYiPJSFHWTujy1Qnd6OKc8LGEspAX4oD6Zl-YQ",
277 "e":"AQAB",
278 "use":"sig",
279 "alg":"RS256",
280 "key_ops":["verify"],
281 "kid":"TCGiGw"
282 }, {
283 "kty":"RSA",
284 "n":"AI83_8Uy0v4xS6kDZKqcqzSbeyksy2C67ajtI41J2KMDtO9jUaEAQ9uDhMubjZzPYh1wf_gtJgAC5PSiI3fOLUG0AHCbi_yXVfH3_1U_Yl4b_e8yx_NPyuIvwHwXwE5a32hiss9PuY2-qEivH5LK4AXxPiTiUc9x4gh1OwZaSTYWT7SRO-0ROwYwCwpg4Uf0IMLtmHou_NmNw0uOlOgKfx-EFmMzV-5pspEnwsHq_ijFSxmHNAdy5S0n4u1LIKKmgXJIyUu3AKfAJMydn6nTKzrOcpX0yMnxPq9yP8xKuK_mXysFyNvmS0Sq5c-grOETFeMFScweoUpWVnYOCCSyZ93yAhsTUWnDjZd7iuji9Y7zUo4PWlKXyRRz_aSpxrsn70LOZNLLUjILVeyfCRs2JXptfxCNg3wg6FVAH0xTORmPGICgWDmwOFgP1Y6tW-p0cnK8LwVkuRclyKAMvTtYm9xZZHUSjw86rHEnB2VfsPTIn0_WAVnJ2OAKhuVMtwjB7Q",
285 "e":"AQAB",
286 "use":"sig",
287 "alg":"RS384",
288 "key_ops":["verify"],
289 "kid":"FVLRIg"
290 }]
291 })";
292
293 constexpr absl::string_view kEs256PrivateKey = R"(
294 {
295 "primaryKeyId": 303799737,
296 "key": [
297 {
298 "keyData": {
299 "typeUrl": "type.googleapis.com/google.crypto.tink.JwtEcdsaPrivateKey",
300 "value": "GiA2S/eedsXqu0DhnOlCJugsHugdpPaAGr/byxXXsZBiVRJGIiDuhGJiGeaQ/qeqt1daC2xZRarm4VEsmSHJUWJY9EHbvxogwO6uIxh8SkKOO8VjZXNRTteRcwCPE4/4JElKyaa0fcQQAQ==",
301 "keyMaterialType": "ASYMMETRIC_PRIVATE"
302 },
303 "status": "ENABLED",
304 "keyId": 303799737,
305 "outputPrefixType": "TINK"
306 }
307 ]
308 })";
309
310 constexpr absl::string_view kEs256JwkPublicKey = R"({
311 "keys":[{
312 "kty":"EC",
313 "crv":"P-256",
314 "x":"wO6uIxh8SkKOO8VjZXNRTteRcwCPE4_4JElKyaa0fcQ",
315 "y":"7oRiYhnmkP6nqrdXWgtsWUWq5uFRLJkhyVFiWPRB278",
316 "use":"sig","alg":"ES256","key_ops":["verify"],
317 "kid":"EhuduQ"}]
318 })";
319
320 constexpr absl::string_view kEs384PrivateKey = R"(
321 {
322 "primaryKeyId": 2145899635,
323 "key": [
324 {
325 "keyData": {
326 "typeUrl": "type.googleapis.com/google.crypto.tink.JwtEcdsaPrivateKey",
327 "value": "GjCfHcFYHsiwTcBCATSyjOyJ64iy4LGa4OuFaR9wZqkYTuYrY1I3ssxO4UK11j/IUe4SZiIwwQcqkI9pV66PJFmJVyZ7BsqvFaqoWT+jAFvYNjsgdvAIpyB3MHWXkxNhlPYcpEIfGjAARQJOQqFEMSAnalOLI+hKwg4RHLCsHbGMEOBQfwsuDQCj3FPZLEpp3Et1EUivwuUQAg==",
328 "keyMaterialType": "ASYMMETRIC_PRIVATE"
329 },
330 "status": "ENABLED",
331 "keyId": 2145899635,
332 "outputPrefixType": "TINK"
333 }
334 ]
335 })";
336
337 constexpr absl::string_view kEs384JwkPublicKey = R"({
338 "keys":[{"kty":"EC","crv":"P-384",
339 "x":"AEUCTkKhRDEgJ2pTiyPoSsIOERywrB2xjBDgUH8LLg0Ao9xT2SxKadxLdRFIr8Ll",
340 "y":"wQcqkI9pV66PJFmJVyZ7BsqvFaqoWT-jAFvYNjsgdvAIpyB3MHWXkxNhlPYcpEIf",
341 "use":"sig","alg":"ES384","key_ops":["verify"],"kid":"f-fUcw"}]
342 })";
343
344 constexpr absl::string_view kEs512PrivateKey = R"(
345 {
346 "primaryKeyId": 1480242041,
347 "key": [
348 {
349 "keyData": {
350 "typeUrl": "type.googleapis.com/google.crypto.tink.JwtEcdsaPrivateKey",
351 "value": "GkIBnhWq6UrOj8hKwGovjSsLT+dtAGlRqoIkQ2FzMeKxIApx0dT3O4yHrmi6v5sElZHM6BsLz47IopAOajVRYGh48b0SigEiQgDWSuSY03DQCrXs5lxbw0pK8XcT4rl9rj6uqEdzNKW9sKp3wy/p1nlnCm9pwDsWEssnbK2ffG8QS+tJRK9tMdRnPxpCAKRFrHHoTaFAO+d4sCOw78KyUlZijBgqfp2rXtkLZ/QQGLtDM2nScAilkryvw3c/4fM39CEygtSunFLI9xyUyE3mEAM=",
352 "keyMaterialType": "ASYMMETRIC_PRIVATE"
353 },
354 "status": "ENABLED",
355 "keyId": 1480242041,
356 "outputPrefixType": "TINK"
357 }
358 ]
359 })";
360
361 constexpr absl::string_view kEs512JwkPublicKey = R"({
362 "keys":[{"kty":"EC","crv":"P-521",
363 "x":"AKRFrHHoTaFAO-d4sCOw78KyUlZijBgqfp2rXtkLZ_QQGLtDM2nScAilkryvw3c_4fM39CEygtSunFLI9xyUyE3m",
364 "y":"ANZK5JjTcNAKtezmXFvDSkrxdxPiuX2uPq6oR3M0pb2wqnfDL-nWeWcKb2nAOxYSyydsrZ98bxBL60lEr20x1Gc_",
365 "use":"sig","alg":"ES512","key_ops":["verify"],"kid":"WDqzeQ"}]
366 })";
367
368 constexpr absl::string_view kRawEs256PrivateKey = R"(
369 {
370 "primaryKeyId": 765975903,
371 "key": [
372 {
373 "keyData": {
374 "typeUrl": "type.googleapis.com/google.crypto.tink.JwtEcdsaPrivateKey",
375 "value": "GiCbUAItoAVleOSwYdPWs563CCFhGHSdX4t/C2xBY2J/ERJGIiAA7lMx7mU1yMmm4aOMa0d3iBf084b12H+8b7ym2nscmxogytH8MlvqTx3X+eL0pdx4ULKUb2YOi2DPnIPpSaIk28MQAQ==",
376 "keyMaterialType": "ASYMMETRIC_PRIVATE"
377 },
378 "status": "ENABLED",
379 "keyId": 765975903,
380 "outputPrefixType": "RAW"
381 }
382 ]
383 })";
384
385 constexpr absl::string_view kEs256JwkPublicKeyWithoutKid = R"({
386 "keys":[{
387 "kty":"EC",
388 "crv":"P-256",
389 "x":"ytH8MlvqTx3X-eL0pdx4ULKUb2YOi2DPnIPpSaIk28M",
390 "y":"AO5TMe5lNcjJpuGjjGtHd4gX9POG9dh_vG-8ptp7HJs",
391 "use":"sig","alg":"ES256","key_ops":["verify"]}],
392 })";
393
394 class JwkSetConverterTest : public testing::TestWithParam<std::string> {
SetUp()395 void SetUp() override { ASSERT_THAT(JwtSignatureRegister(), IsOk()); }
396 };
397
398 TEST_P(JwkSetConverterTest, ToAndFromPublicKeysetHandleIsIdentical) {
399 std::string jwk_set = GetParam();
400
401 // Convert JWK set to KeysetHandle
402 util::StatusOr<std::unique_ptr<KeysetHandle>> keyset_handle =
403 JwkSetToPublicKeysetHandle(jwk_set);
404 ASSERT_THAT(keyset_handle, IsOk());
405
406 // Convert KeysetHandle to JWK set
407 util::StatusOr<std::string> output =
408 JwkSetFromPublicKeysetHandle(**keyset_handle);
409 ASSERT_THAT(output, IsOk());
410
411 // Check that output is the same as jwk_set. The order of the elements may
412 // have changed.
413 util::StatusOr<google::protobuf::Struct> output_struct =
414 jwt_internal::JsonStringToProtoStruct(*output);
415 ASSERT_THAT(output_struct, IsOk());
416 util::StatusOr<google::protobuf::Struct> expected_struct =
417 jwt_internal::JsonStringToProtoStruct(jwk_set);
418 ASSERT_THAT(expected_struct, IsOk());
419
420 std::string differences;
421 MessageDifferencer message_differencer;
422 message_differencer.ReportDifferencesToString(&differences);
423 EXPECT_TRUE(message_differencer.Compare(*output_struct, *expected_struct))
424 << differences;
425 }
426
427 INSTANTIATE_TEST_SUITE_P(
428 JwkSetConverterTest, JwkSetConverterTest,
429 testing::Values(kEs256JwkPublicKey, kEs384JwkPublicKey, kEs512JwkPublicKey,
430 kEs256JwkPublicKeyWithoutKid, kRs256JwkPublicKey,
431 kRs384JwkPublicKey, kRs512JwkPublicKey,
432 kRs256JwkPublicKeyWithoutKid, kPs256JwkPublicKey,
433 kPs384JwkPublicKey, kPs512JwkPublicKey,
434 kPs256JwkPublicKeyWithoutKid));
435
436 class JwkSetToPublicKeysetHandleTest
437 : public testing::TestWithParam<std::tuple<std::string, std::string>> {
438 void SetUp() override { ASSERT_TRUE(JwtSignatureRegister().ok()); }
439 };
440
441 TEST_P(JwkSetToPublicKeysetHandleTest, VerifyValidJwtWithSuccess) {
442 std::string private_keyset;
443 std::string jwk_public_keyset;
444 std::tie(private_keyset, jwk_public_keyset) = GetParam();
445
446 // Create a valid jwt using the private key
447 util::StatusOr<std::unique_ptr<KeysetReader>> reader =
448 JsonKeysetReader::New(private_keyset);
449 EXPECT_THAT(reader, IsOk());
450 util::StatusOr<std::unique_ptr<KeysetHandle>> private_handle =
451 CleartextKeysetHandle::Read(std::move(*reader));
452 EXPECT_THAT(private_handle, IsOk());
453
454 util::StatusOr<std::unique_ptr<JwtPublicKeySign>> sign =
455 (*private_handle)->GetPrimitive<JwtPublicKeySign>();
456 ASSERT_THAT(sign, IsOk());
457
458 util::StatusOr<RawJwt> raw_jwt =
459 RawJwtBuilder().SetIssuer("issuer").WithoutExpiration().Build();
460 ASSERT_THAT(raw_jwt, IsOk());
461
462 util::StatusOr<std::string> compact = (*sign)->SignAndEncode(*raw_jwt);
463 ASSERT_THAT(compact, IsOk());
464
465 // verify the JWT using the JWK public keys
466 util::StatusOr<std::unique_ptr<KeysetHandle>> public_handle =
467 JwkSetToPublicKeysetHandle(jwk_public_keyset);
468 ASSERT_THAT(public_handle, IsOk());
469
470 util::StatusOr<std::unique_ptr<JwtPublicKeyVerify>> verify =
471 (*public_handle)->GetPrimitive<JwtPublicKeyVerify>();
472 ASSERT_THAT(verify, IsOk());
473
474 util::StatusOr<JwtValidator> validator = JwtValidatorBuilder()
475 .ExpectIssuer("issuer")
476 .AllowMissingExpiration()
477 .Build();
478 util::StatusOr<VerifiedJwt> verified_jwt =
479 (*verify)->VerifyAndDecode(*compact, *validator);
480 ASSERT_THAT(verified_jwt, IsOk());
481 EXPECT_THAT(verified_jwt->GetIssuer(), IsOkAndHolds("issuer"));
482 }
483
484 INSTANTIATE_TEST_SUITE_P(
485 JwkSetToPublicKeysetHandleTest, JwkSetToPublicKeysetHandleTest,
486 testing::Values(
487 std::make_tuple(std::string(kRs256PrivateKey),
488 std::string(kRs256JwkPublicKey)),
489 std::make_tuple(std::string(kRs384PrivateKey),
490 std::string(kRs384JwkPublicKey)),
491 std::make_tuple(std::string(kRs512PrivateKey),
492 std::string(kRs512JwkPublicKey)),
493 std::make_tuple(std::string(kRawRs256PrivateKey),
494 std::string(kRs256JwkPublicKeyWithoutKid)),
495 std::make_tuple(std::string(kRs256PrivateKey),
496 std::string(kJwkPublicKeySet)),
497 std::make_tuple(std::string(kRs384PrivateKey),
498 std::string(kJwkPublicKeySet)),
499 std::make_tuple(std::string(kEs256PrivateKey),
500 std::string(kEs256JwkPublicKey)),
501 std::make_tuple(std::string(kEs384PrivateKey),
502 std::string(kEs384JwkPublicKey)),
503 std::make_tuple(std::string(kEs512PrivateKey),
504 std::string(kEs512JwkPublicKey)),
505 std::make_tuple(std::string(kRawEs256PrivateKey),
506 std::string(kEs256JwkPublicKeyWithoutKid)),
507 std::make_tuple(std::string(kPs256PrivateKey),
508 std::string(kPs256JwkPublicKey)),
509 std::make_tuple(std::string(kPs384PrivateKey),
510 std::string(kPs384JwkPublicKey)),
511 std::make_tuple(std::string(kPs512PrivateKey),
512 std::string(kPs512JwkPublicKey)),
513 std::make_tuple(std::string(kRawPs256PrivateKey),
514 std::string(kPs256JwkPublicKeyWithoutKid))));
515
516 TEST_F(JwkSetToPublicKeysetHandleTest, InvalidJsonFails) {
517 std::string invalid_json = R"({[}])";
518 EXPECT_THAT(JwkSetToPublicKeysetHandle(invalid_json), Not(IsOk()));
519 }
520
TEST_F(JwkSetToPublicKeysetHandleTest,Rs256WithSmallModulusGetPrimitiveFails)521 TEST_F(JwkSetToPublicKeysetHandleTest, Rs256WithSmallModulusGetPrimitiveFails) {
522 std::string jwt_set = R"(
523 {"keys":[
524 {"kty":"RSA",
525 "n":"AQAB",
526 "e":"AQAB",
527 "use":"sig",
528 "alg":"RS256",
529 "key_ops":["verify"],
530 "kid":"DfpE4Q"
531 }]
532 })";
533 // The keys in the keyset are validated when the primitive is generated.
534 // So JwkSetToPublicKeysetHandle succeeds, but GetPrimitive fails.
535 util::StatusOr<std::unique_ptr<KeysetHandle>> public_handle =
536 JwkSetToPublicKeysetHandle(jwt_set);
537 ASSERT_THAT(public_handle, IsOk());
538 util::StatusOr<std::unique_ptr<JwtPublicKeyVerify>> verify =
539 (*public_handle)->GetPrimitive<JwtPublicKeyVerify>();
540 EXPECT_THAT(verify, Not(IsOk()));
541 }
542
TEST_F(JwkSetToPublicKeysetHandleTest,Rs256CorrectlySetsKid)543 TEST_F(JwkSetToPublicKeysetHandleTest, Rs256CorrectlySetsKid) {
544 std::string jwt_set = R"(
545 {"keys":[
546 {"kty":"RSA",
547 "n":"AQAB",
548 "e":"AQAB",
549 "use":"sig",
550 "alg":"RS256",
551 "key_ops":["verify"],
552 "kid":"DfpE4Q"
553 }]
554 })";
555 util::StatusOr<std::unique_ptr<KeysetHandle>> public_handle =
556 JwkSetToPublicKeysetHandle(jwt_set);
557 EXPECT_THAT(public_handle, IsOk());
558 const google::crypto::tink::Keyset &keyset =
559 CleartextKeysetHandle::GetKeyset(**public_handle);
560 ASSERT_THAT(keyset.key_size(), Eq(1));
561 EXPECT_THAT(keyset.key(0).output_prefix_type(),
562 Eq(google::crypto::tink::OutputPrefixType::RAW));
563 google::crypto::tink::JwtRsaSsaPkcs1PublicKey key;
564 key.ParseFromString(keyset.key(0).key_data().value());
565 EXPECT_THAT(key.custom_kid().value(), Eq("DfpE4Q"));
566 }
567
TEST_F(JwkSetToPublicKeysetHandleTest,Rs256WithoutOptionalFieldsSucceeds)568 TEST_F(JwkSetToPublicKeysetHandleTest, Rs256WithoutOptionalFieldsSucceeds) {
569 std::string jwt_set = R"(
570 {"keys":[
571 {"kty":"RSA",
572 "n":"AQAB",
573 "e":"AQAB",
574 "alg":"RS256",
575 }]
576 })";
577 EXPECT_THAT(JwkSetToPublicKeysetHandle(jwt_set), IsOk());
578 }
579
TEST_F(JwkSetToPublicKeysetHandleTest,Rs256WithoutKtyFails)580 TEST_F(JwkSetToPublicKeysetHandleTest, Rs256WithoutKtyFails) {
581 std::string jwt_set = R"(
582 {"keys":[
583 {"n":"AQAB",
584 "e":"AQAB",
585 "use":"sig",
586 "alg":"RS256",
587 "key_ops":["verify"],
588 "kid":"DfpE4Q"
589 }]
590 })";
591 EXPECT_THAT(JwkSetToPublicKeysetHandle(jwt_set), Not(IsOk()));
592 }
593
TEST_F(JwkSetToPublicKeysetHandleTest,Rs256WithoutAlgFails)594 TEST_F(JwkSetToPublicKeysetHandleTest, Rs256WithoutAlgFails) {
595 std::string jwt_set = R"(
596 {"keys":[
597 {"kty":"RSA",
598 "n":"AQAB",
599 "e":"AQAB",
600 "use":"sig",
601 "key_ops":["verify"],
602 "kid":"DfpE4Q"
603 }]
604 })";
605 EXPECT_THAT(JwkSetToPublicKeysetHandle(jwt_set), Not(IsOk()));
606 }
607
TEST_F(JwkSetToPublicKeysetHandleTest,Rs256InvalidKtyFails)608 TEST_F(JwkSetToPublicKeysetHandleTest, Rs256InvalidKtyFails) {
609 std::string jwt_set = R"(
610 {"keys":[
611 {"kty":"EC",
612 "n":"AQAB",
613 "e":"AQAB",
614 "use":"sig",
615 "alg":"RS256",
616 "key_ops":["verify"],
617 "kid":"DfpE4Q"
618 }]
619 })";
620 EXPECT_THAT(JwkSetToPublicKeysetHandle(jwt_set), Not(IsOk()));
621 }
622
TEST_F(JwkSetToPublicKeysetHandleTest,Rs256InvalidAlgFails)623 TEST_F(JwkSetToPublicKeysetHandleTest, Rs256InvalidAlgFails) {
624 std::string jwt_set = R"(
625 {"keys":[
626 {"kty":"RSA",
627 "n":"AQAB",
628 "e":"AQAB",
629 "use":"sig",
630 "alg":"RS257",
631 "key_ops":["verify"],
632 "kid":"DfpE4Q"
633 }]
634 })";
635 EXPECT_THAT(JwkSetToPublicKeysetHandle(jwt_set), Not(IsOk()));
636 }
637
TEST_F(JwkSetToPublicKeysetHandleTest,Rs256InvalidKeyOpsFails)638 TEST_F(JwkSetToPublicKeysetHandleTest, Rs256InvalidKeyOpsFails) {
639 std::string jwt_set = R"(
640 {"keys":[
641 {"kty":"RSA",
642 "n":"AQAB",
643 "e":"AQAB",
644 "use":"sig",
645 "alg":"RS256",
646 "key_ops":["verify "],
647 "kid":"DfpE4Q"
648 }]
649 })";
650 EXPECT_THAT(JwkSetToPublicKeysetHandle(jwt_set), Not(IsOk()));
651 }
652
TEST_F(JwkSetToPublicKeysetHandleTest,Rs256InvalidKeyOpsTypeFails)653 TEST_F(JwkSetToPublicKeysetHandleTest, Rs256InvalidKeyOpsTypeFails) {
654 std::string jwt_set = R"(
655 {"keys":[
656 {"kty":"RSA",
657 "n":"AQAB",
658 "e":"AQAB",
659 "use":"sig",
660 "alg":"RS256",
661 "key_ops":"verify",
662 "kid":"DfpE4Q"
663 }]
664 })";
665 EXPECT_THAT(JwkSetToPublicKeysetHandle(jwt_set), Not(IsOk()));
666 }
667
TEST_F(JwkSetToPublicKeysetHandleTest,Rs256InvalidUseFails)668 TEST_F(JwkSetToPublicKeysetHandleTest, Rs256InvalidUseFails) {
669 std::string jwt_set = R"(
670 {"keys":[
671 {"kty":"RSA",
672 "n":"AQAB",
673 "e":"AQAB",
674 "use":"zag",
675 "alg":"RS256",
676 "key_ops":["verify"],
677 "kid":"DfpE4Q"
678 }]
679 })";
680 EXPECT_THAT(JwkSetToPublicKeysetHandle(jwt_set), Not(IsOk()));
681 }
682
TEST_F(JwkSetToPublicKeysetHandleTest,Rs256WithoutModulusFails)683 TEST_F(JwkSetToPublicKeysetHandleTest, Rs256WithoutModulusFails) {
684 std::string jwt_set = R"(
685 {"keys":[
686 {"kty":"RSA",
687 "e":"AQAB",
688 "use":"sig",
689 "alg":"RS256",
690 "key_ops":["verify"],
691 "kid":"DfpE4Q"
692 }]
693 })";
694 EXPECT_THAT(JwkSetToPublicKeysetHandle(jwt_set), Not(IsOk()));
695 }
696
TEST_F(JwkSetToPublicKeysetHandleTest,Rs256WithoutExponentFails)697 TEST_F(JwkSetToPublicKeysetHandleTest, Rs256WithoutExponentFails) {
698 std::string jwt_set = R"(
699 {"keys":[
700 {"kty":"RSA",
701 "n":"AQAB",
702 "use":"sig",
703 "alg":"RS256",
704 "key_ops":["verify"],
705 "kid":"DfpE4Q"
706 }]
707 })";
708 EXPECT_THAT(JwkSetToPublicKeysetHandle(jwt_set), Not(IsOk()));
709 }
710
TEST_F(JwkSetToPublicKeysetHandleTest,Es256WithSmallXFails)711 TEST_F(JwkSetToPublicKeysetHandleTest, Es256WithSmallXFails) {
712 std::string jwt_set = R"({
713 "keys":[{
714 "kty":"EC",
715 "crv":"P-256",
716 "x":"wO6uIxh8Sk",
717 "y":"7oRiYhnmkP6nqrdXWgtsWUWq5uFRLJkhyVFiWPRB278",
718 "use":"sig","alg":"ES256","key_ops":["verify"]}],
719 "kid":"EhuduQ"
720 })";
721 // The keys in the keyset are validated when the primitive is generated.
722 // So JwkSetToPublicKeysetHandle succeeds, but GetPrimitive fails.
723 util::StatusOr<std::unique_ptr<KeysetHandle>> public_handle =
724 JwkSetToPublicKeysetHandle(jwt_set);
725 ASSERT_THAT(public_handle, IsOk());
726 util::StatusOr<std::unique_ptr<JwtPublicKeyVerify>> verify =
727 (*public_handle)->GetPrimitive<JwtPublicKeyVerify>();
728 EXPECT_THAT(verify, Not(IsOk()));
729 }
730
TEST_F(JwkSetToPublicKeysetHandleTest,Es256WithSmallYFails)731 TEST_F(JwkSetToPublicKeysetHandleTest, Es256WithSmallYFails) {
732 std::string jwt_set = R"({
733 "keys":[{
734 "kty":"EC",
735 "crv":"P-256",
736 "x":"wO6uIxh8SkKOO8VjZXNRTteRcwCPE4_4JElKyaa0fcQ",
737 "y":"7oRiYhnmkP6nqrdXWgtsWUWq5uFRLJkhyVFiWPRB27",
738 "use":"sig","alg":"ES256","key_ops":["verify"]}],
739 "kid":"EhuduQ"
740 })";
741 // The keys in the keyset are validated when the primitive is generated.
742 // So JwkSetToPublicKeysetHandle succeeds, but GetPrimitive fails.
743 util::StatusOr<std::unique_ptr<KeysetHandle>> public_handle =
744 JwkSetToPublicKeysetHandle(jwt_set);
745 ASSERT_THAT(public_handle, IsOk());
746 util::StatusOr<std::unique_ptr<JwtPublicKeyVerify>> verify =
747 (*public_handle)->GetPrimitive<JwtPublicKeyVerify>();
748 EXPECT_THAT(verify, Not(IsOk()));
749 }
750
TEST_F(JwkSetToPublicKeysetHandleTest,Es256CorrectlySetsKid)751 TEST_F(JwkSetToPublicKeysetHandleTest, Es256CorrectlySetsKid) {
752 std::string jwt_set = R"({
753 "keys":[{
754 "kty":"EC",
755 "crv":"P-256",
756 "x":"wO6uIxh8SkKOO8VjZXNRTteRcwCPE4_4JElKyaa0fcQ",
757 "y":"7oRiYhnmkP6nqrdXWgtsWUWq5uFRLJkhyVFiWPRB278",
758 "use":"sig","alg":"ES256","key_ops":["verify"],
759 "kid":"EhuduQ"}]
760 })";
761 util::StatusOr<std::unique_ptr<KeysetHandle>> public_handle =
762 JwkSetToPublicKeysetHandle(jwt_set);
763 EXPECT_THAT(public_handle, IsOk());
764 const google::crypto::tink::Keyset &keyset =
765 CleartextKeysetHandle::GetKeyset(**public_handle);
766 ASSERT_THAT(keyset.key_size(), Eq(1));
767 EXPECT_THAT(keyset.key(0).output_prefix_type(),
768 Eq(google::crypto::tink::OutputPrefixType::RAW));
769 google::crypto::tink::JwtEcdsaPublicKey key;
770 key.ParseFromString(keyset.key(0).key_data().value());
771 EXPECT_THAT(key.custom_kid().value(), Eq("EhuduQ"));
772 }
773
TEST_F(JwkSetToPublicKeysetHandleTest,Es256WithoutOptionalFieldsSucceeds)774 TEST_F(JwkSetToPublicKeysetHandleTest, Es256WithoutOptionalFieldsSucceeds) {
775 std::string jwt_set = R"({
776 "keys":[{
777 "kty":"EC",
778 "crv":"P-256",
779 "x":"wO6uIxh8SkKOO8VjZXNRTteRcwCPE4_4JElKyaa0fcQ",
780 "y":"7oRiYhnmkP6nqrdXWgtsWUWq5uFRLJkhyVFiWPRB278",
781 "alg":"ES256"}]
782 })";
783 util::StatusOr<std::unique_ptr<KeysetHandle>> public_handle =
784 JwkSetToPublicKeysetHandle(jwt_set);
785 EXPECT_THAT(public_handle, IsOk());
786 }
787
TEST_F(JwkSetToPublicKeysetHandleTest,Es256WithoutKtyFails)788 TEST_F(JwkSetToPublicKeysetHandleTest, Es256WithoutKtyFails) {
789 std::string jwt_set = R"({
790 "keys":[{
791 "crv":"P-256",
792 "x":"wO6uIxh8SkKOO8VjZXNRTteRcwCPE4_4JElKyaa0fcQ",
793 "y":"7oRiYhnmkP6nqrdXWgtsWUWq5uFRLJkhyVFiWPRB278",
794 "use":"sig","alg":"ES256","key_ops":["verify"],
795 "kid":"EhuduQ"}]
796 })";
797 EXPECT_THAT(JwkSetToPublicKeysetHandle(jwt_set), Not(IsOk()));
798 }
799
TEST_F(JwkSetToPublicKeysetHandleTest,Es256WithoutAlgFails)800 TEST_F(JwkSetToPublicKeysetHandleTest, Es256WithoutAlgFails) {
801 std::string jwt_set = R"({
802 "keys":[{
803 "kty":"EC",
804 "crv":"P-256",
805 "x":"wO6uIxh8SkKOO8VjZXNRTteRcwCPE4_4JElKyaa0fcQ",
806 "y":"7oRiYhnmkP6nqrdXWgtsWUWq5uFRLJkhyVFiWPRB278",
807 "use":"sig","key_ops":["verify"],
808 "kid":"EhuduQ"}]
809 })";
810 EXPECT_THAT(JwkSetToPublicKeysetHandle(jwt_set), Not(IsOk()));
811 }
812
TEST_F(JwkSetToPublicKeysetHandleTest,Es256WithoutCrvFails)813 TEST_F(JwkSetToPublicKeysetHandleTest, Es256WithoutCrvFails) {
814 std::string jwt_set = R"({
815 "keys":[{
816 "kty":"EC",
817 "x":"wO6uIxh8SkKOO8VjZXNRTteRcwCPE4_4JElKyaa0fcQ",
818 "y":"7oRiYhnmkP6nqrdXWgtsWUWq5uFRLJkhyVFiWPRB278",
819 "use":"sig","alg":"ES256","key_ops":["verify"],
820 "kid":"EhuduQ"}]
821 })";
822 EXPECT_THAT(JwkSetToPublicKeysetHandle(jwt_set), Not(IsOk()));
823 }
824
TEST_F(JwkSetToPublicKeysetHandleTest,Es256InvalidKtyFails)825 TEST_F(JwkSetToPublicKeysetHandleTest, Es256InvalidKtyFails) {
826 std::string jwt_set = R"({
827 "keys":[{
828 "kty":"RSA",
829 "crv":"P-256",
830 "x":"wO6uIxh8SkKOO8VjZXNRTteRcwCPE4_4JElKyaa0fcQ",
831 "y":"7oRiYhnmkP6nqrdXWgtsWUWq5uFRLJkhyVFiWPRB278",
832 "use":"sig","alg":"ES256","key_ops":["verify"],
833 "kid":"EhuduQ"}]
834 })";
835 EXPECT_THAT(JwkSetToPublicKeysetHandle(jwt_set), Not(IsOk()));
836 }
837
TEST_F(JwkSetToPublicKeysetHandleTest,Es256InvalidAlgFails)838 TEST_F(JwkSetToPublicKeysetHandleTest, Es256InvalidAlgFails) {
839 std::string jwt_set = R"({
840 "keys":[{
841 "kty":"EC",
842 "crv":"P-256",
843 "x":"wO6uIxh8SkKOO8VjZXNRTteRcwCPE4_4JElKyaa0fcQ",
844 "y":"7oRiYhnmkP6nqrdXWgtsWUWq5uFRLJkhyVFiWPRB278",
845 "use":"sig","alg":"ES257","key_ops":["verify"],
846 "kid":"EhuduQ"}]
847 })";
848 EXPECT_THAT(JwkSetToPublicKeysetHandle(jwt_set), Not(IsOk()));
849 }
850
TEST_F(JwkSetToPublicKeysetHandleTest,Es256InvalidKeyOpsFails)851 TEST_F(JwkSetToPublicKeysetHandleTest, Es256InvalidKeyOpsFails) {
852 std::string jwt_set = R"({
853 "keys":[{
854 "kty":"EC",
855 "crv":"P-256",
856 "x":"wO6uIxh8SkKOO8VjZXNRTteRcwCPE4_4JElKyaa0fcQ",
857 "y":"7oRiYhnmkP6nqrdXWgtsWUWq5uFRLJkhyVFiWPRB278",
858 "use":"sig","alg":"ES256","key_ops":["verify "],
859 "kid":"EhuduQ"}]
860 })";
861 EXPECT_THAT(JwkSetToPublicKeysetHandle(jwt_set), Not(IsOk()));
862 }
863
TEST_F(JwkSetToPublicKeysetHandleTest,Es256InvalidKeyOpsTypeFails)864 TEST_F(JwkSetToPublicKeysetHandleTest, Es256InvalidKeyOpsTypeFails) {
865 std::string jwt_set = R"({
866 "keys":[{
867 "kty":"EC",
868 "crv":"P-256",
869 "x":"wO6uIxh8SkKOO8VjZXNRTteRcwCPE4_4JElKyaa0fcQ",
870 "y":"7oRiYhnmkP6nqrdXWgtsWUWq5uFRLJkhyVFiWPRB278",
871 "use":"sig","alg":"ES256","key_ops":"verify",
872 "kid":"EhuduQ"}]
873 })";
874 EXPECT_THAT(JwkSetToPublicKeysetHandle(jwt_set), Not(IsOk()));
875 }
876
TEST_F(JwkSetToPublicKeysetHandleTest,Es256InvalidUseFails)877 TEST_F(JwkSetToPublicKeysetHandleTest, Es256InvalidUseFails) {
878 std::string jwt_set = R"({
879 "keys":[{
880 "kty":"EC",
881 "crv":"P-256",
882 "x":"wO6uIxh8SkKOO8VjZXNRTteRcwCPE4_4JElKyaa0fcQ",
883 "y":"7oRiYhnmkP6nqrdXWgtsWUWq5uFRLJkhyVFiWPRB278",
884 "use":"zag","alg":"ES256","key_ops":["verify"],
885 "kid":"EhuduQ"}]
886 })";
887 EXPECT_THAT(JwkSetToPublicKeysetHandle(jwt_set), Not(IsOk()));
888 }
889
TEST_F(JwkSetToPublicKeysetHandleTest,Es256WithoutXFails)890 TEST_F(JwkSetToPublicKeysetHandleTest, Es256WithoutXFails) {
891 std::string jwt_set = R"({
892 "keys":[{
893 "kty":"EC",
894 "crv":"P-256",
895 "y":"7oRiYhnmkP6nqrdXWgtsWUWq5uFRLJkhyVFiWPRB278",
896 "use":"sig","alg":"ES256","key_ops":["verify"],
897 "kid":"EhuduQ"}]
898 })";
899 EXPECT_THAT(JwkSetToPublicKeysetHandle(jwt_set), Not(IsOk()));
900 }
901
TEST_F(JwkSetToPublicKeysetHandleTest,Es256WithoutYFails)902 TEST_F(JwkSetToPublicKeysetHandleTest, Es256WithoutYFails) {
903 std::string jwt_set = R"({
904 "keys":[{
905 "kty":"EC",
906 "crv":"P-256",
907 "x":"wO6uIxh8SkKOO8VjZXNRTteRcwCPE4_4JElKyaa0fcQ",
908 "use":"sig","alg":"ES256","key_ops":["verify"],
909 "kid":"EhuduQ"}]
910 })";
911 EXPECT_THAT(JwkSetToPublicKeysetHandle(jwt_set), Not(IsOk()));
912 }
913
TEST_F(JwkSetToPublicKeysetHandleTest,Es256PrivateKeyFails)914 TEST_F(JwkSetToPublicKeysetHandleTest, Es256PrivateKeyFails) {
915 std::string jwt_set = R"({
916 "keys":[{
917 "kty":"EC",
918 "crv":"P-256",
919 "alg":"ES256",
920 "x":"SVqB4JcUD6lsfvqMr-OKUNUphdNn64Eay60978ZlL74",
921 "y":"lf0u0pMj4lGAzZix5u4Cm5CMQIgMNpkwy163wtKYVKI",
922 "d":"0g5vAEKzugrXaRbgKG0Tj2qJ5lMP4Bezds1_sTybkfk"
923 })";
924 EXPECT_THAT(JwkSetToPublicKeysetHandle(jwt_set), Not(IsOk()));
925 }
926
927 TEST(JwkSetFromPublicKeysetHandleTest,
928 EcdsaWithTinkOutputPrefixSuccessWithKid) {
929 std::string public_keyset_with_tink_output_prefix = R"({
930 "primaryKeyId": 303799737,
931 "key": [
932 {
933 "keyId": 303799737,
934 "status": "ENABLED",
935 "outputPrefixType": "TINK",
936 "keyData": {
937 "typeUrl": "type.googleapis.com/google.crypto.tink.JwtEcdsaPublicKey",
938 "keyMaterialType": "ASYMMETRIC_PUBLIC",
939 "value": "IiDuhGJiGeaQ/qeqt1daC2xZRarm4VEsmSHJUWJY9EHbvxogwO6uIxh8SkKOO8VjZXNRTteRcwCPE4/4JElKyaa0fcQQAQ=="
940 }
941 }
942 ]
943 })";
944 util::StatusOr<std::unique_ptr<KeysetReader>> reader =
945 JsonKeysetReader::New(public_keyset_with_tink_output_prefix);
946 ASSERT_THAT(reader, IsOk());
947 util::StatusOr<std::unique_ptr<KeysetHandle>> keyset_handle =
948 CleartextKeysetHandle::Read(std::move(*reader));
949 ASSERT_THAT(keyset_handle, IsOk());
950
951 util::StatusOr<std::string> jwk_set =
952 JwkSetFromPublicKeysetHandle(**keyset_handle);
953 ASSERT_THAT(jwk_set, IsOk());
954
955 // Check that jwk_set is equalivalent to kEs256JwkPublicKey.
956 util::StatusOr<google::protobuf::Struct> output_struct =
957 jwt_internal::JsonStringToProtoStruct(*jwk_set);
958 ASSERT_THAT(output_struct, IsOk());
959 util::StatusOr<google::protobuf::Struct> expected_struct =
960 jwt_internal::JsonStringToProtoStruct(kEs256JwkPublicKey);
961 ASSERT_THAT(expected_struct, IsOk());
962
963 std::string differences;
964 MessageDifferencer message_differencer;
965 message_differencer.ReportDifferencesToString(&differences);
966 EXPECT_TRUE(message_differencer.Compare(*output_struct, *expected_struct))
967 << differences;
968 }
969
970 TEST(JwkSetFromPublicKeysetHandleTest,
971 JwtRsaSsaPkcs1WithTinkOutputPrefixSuccessWithKid) {
972 std::string public_keyset_with_tink_output_prefix = R"({
973 "primaryKeyId": 1277272603,
974 "key": [
975 {
976 "keyData": {
977 "typeUrl": "type.googleapis.com/google.crypto.tink.JwtRsaSsaPkcs1PublicKey",
978 "value": "IgMBAAEagAK+ZQ5rrZNivGPs3ytlUDOgR1KeaxFBo1YEwB0Hxp0ZryfjJwaJhaga/S5lZzy8faOfqXc9r/vZtvYgd/f4oPZRpPAuTXHfJKFfJsShLlkX1t6bOufaiE2LEag3s5+PvA9vrVn4XU2/neerfTzP5EjVZ7Igf70eO4hy5TFpZjRV6+xfMJ6Ewk/mDuRXPKXnlthxGLbx2J2RVrOvNWA0bfnI00wQvfahbVV+++nuF9Ae3FLCQU4/MmDMg8dskVvEAsauuBceyirtS0NB1L2++gSnj8nNCEK2cIQpqGCRPA5bJP3o6VEZiI8lIUdZO6PLVCd3o4pzwsYSykBfigPpmX5hEAE=",
979 "keyMaterialType": "ASYMMETRIC_PUBLIC"
980 },
981 "status": "ENABLED",
982 "keyId": 1277272603,
983 "outputPrefixType": "TINK"
984 }
985 ]
986 })";
987 util::StatusOr<std::unique_ptr<KeysetReader>> reader =
988 JsonKeysetReader::New(public_keyset_with_tink_output_prefix);
989 ASSERT_THAT(reader, IsOk());
990 util::StatusOr<std::unique_ptr<KeysetHandle>> keyset_handle =
991 CleartextKeysetHandle::Read(std::move(*reader));
992 ASSERT_THAT(keyset_handle, IsOk());
993
994 util::StatusOr<std::string> jwk_set =
995 JwkSetFromPublicKeysetHandle(**keyset_handle);
996 ASSERT_THAT(jwk_set, IsOk());
997
998 // Check that jwk_set is equalivalent to kRs256JwkPublicKey.
999 util::StatusOr<google::protobuf::Struct> output_struct =
1000 jwt_internal::JsonStringToProtoStruct(*jwk_set);
1001 ASSERT_THAT(output_struct, IsOk());
1002 util::StatusOr<google::protobuf::Struct> expected_struct =
1003 jwt_internal::JsonStringToProtoStruct(kRs256JwkPublicKey);
1004 ASSERT_THAT(expected_struct, IsOk());
1005
1006 std::string differences;
1007 MessageDifferencer message_differencer;
1008 message_differencer.ReportDifferencesToString(&differences);
1009 EXPECT_TRUE(message_differencer.Compare(*output_struct, *expected_struct))
1010 << differences;
1011 }
1012
1013 TEST(JwkSetFromPublicKeysetHandleTest, WithLegacyOutputPrefixFails) {
1014 std::string public_keyset_with_bad_output_prefix = R"({
1015 "primaryKeyId": 303799737,
1016 "key": [
1017 {
1018 "keyId": 303799737,
1019 "status": "ENABLED",
1020 "outputPrefixType": "LEGACY",
1021 "keyData": {
1022 "typeUrl": "type.googleapis.com/google.crypto.tink.JwtEcdsaPublicKey",
1023 "keyMaterialType": "ASYMMETRIC_PUBLIC",
1024 "value": "IiDuhGJiGeaQ/qeqt1daC2xZRarm4VEsmSHJUWJY9EHbvxogwO6uIxh8SkKOO8VjZXNRTteRcwCPE4/4JElKyaa0fcQQAQ=="
1025 }
1026 }
1027 ]
1028 })";
1029 util::StatusOr<std::unique_ptr<KeysetReader>> reader =
1030 JsonKeysetReader::New(public_keyset_with_bad_output_prefix);
1031 ASSERT_THAT(reader, IsOk());
1032 util::StatusOr<std::unique_ptr<KeysetHandle>> keyset_handle =
1033 CleartextKeysetHandle::Read(std::move(*reader));
1034 ASSERT_THAT(keyset_handle, IsOk());
1035
1036 util::StatusOr<std::string> jwk_set =
1037 JwkSetFromPublicKeysetHandle(**keyset_handle);
1038 EXPECT_THAT(jwk_set, Not(IsOk()));
1039 }
1040
1041 TEST(JwkSetFromPublicKeysetHandleTest, WithInvalidKeyMaterialTypeFails) {
1042 std::string public_keyset_with_invalid_key_material_type = R"({
1043 "primaryKeyId": 303799737,
1044 "key": [
1045 {
1046 "keyId": 303799737,
1047 "status": "ENABLED",
1048 "outputPrefixType": "TINK",
1049 "keyData": {
1050 "typeUrl": "type.googleapis.com/google.crypto.tink.JwtEcdsaPublicKey",
1051 "keyMaterialType": "ASYMMETRIC_PRIVATE",
1052 "value": "IiDuhGJiGeaQ/qeqt1daC2xZRarm4VEsmSHJUWJY9EHbvxogwO6uIxh8SkKOO8VjZXNRTteRcwCPE4/4JElKyaa0fcQQAQ=="
1053 }
1054 }
1055 ]
1056 })";
1057 util::StatusOr<std::unique_ptr<KeysetReader>> reader =
1058 JsonKeysetReader::New(public_keyset_with_invalid_key_material_type);
1059 ASSERT_THAT(reader, IsOk());
1060 util::StatusOr<std::unique_ptr<KeysetHandle>> keyset_handle =
1061 CleartextKeysetHandle::Read(std::move(*reader));
1062 ASSERT_THAT(keyset_handle, IsOk());
1063
1064 util::StatusOr<std::string> jwk_set =
1065 JwkSetFromPublicKeysetHandle(**keyset_handle);
1066 EXPECT_THAT(jwk_set, Not(IsOk()));
1067 }
1068
1069 TEST(JwkSetFromPublicKeysetHandleTest, WithUnknownTypeUrlFails) {
1070 std::string public_keyset_with_invalid_key_material_type = R"({
1071 "primaryKeyId": 303799737,
1072 "key": [
1073 {
1074 "keyId": 303799737,
1075 "status": "ENABLED",
1076 "outputPrefixType": "TINK",
1077 "keyData": {
1078 "typeUrl": "type.googleapis.com/google.crypto.tink.Unknown",
1079 "keyMaterialType": "ASYMMETRIC_PUBLIC",
1080 "value": "IiDuhGJiGeaQ/qeqt1daC2xZRarm4VEsmSHJUWJY9EHbvxogwO6uIxh8SkKOO8VjZXNRTteRcwCPE4/4JElKyaa0fcQQAQ=="
1081 }
1082 }
1083 ]
1084 })";
1085 util::StatusOr<std::unique_ptr<KeysetReader>> reader =
1086 JsonKeysetReader::New(public_keyset_with_invalid_key_material_type);
1087 ASSERT_THAT(reader, IsOk());
1088 util::StatusOr<std::unique_ptr<KeysetHandle>> keyset_handle =
1089 CleartextKeysetHandle::Read(std::move(*reader));
1090 ASSERT_THAT(keyset_handle, IsOk());
1091
1092 util::StatusOr<std::string> jwk_set =
1093 JwkSetFromPublicKeysetHandle(**keyset_handle);
1094 EXPECT_THAT(jwk_set, Not(IsOk()));
1095 }
1096
1097 TEST(JwkSetFromPublicKeysetHandleTest, EcdsaWithUnknownAlgorithmFails) {
1098 std::string public_keyset_with_unknown_algorithm = R"({
1099 "primaryKeyId": 303799737,
1100 "key": [
1101 {
1102 "keyData": {
1103 "typeUrl": "type.googleapis.com/google.crypto.tink.JwtEcdsaPublicKey",
1104 "value": "IiDuhGJiGeaQ/qeqt1daC2xZRarm4VEsmSHJUWJY9EHbvxogwO6uIxh8SkKOO8VjZXNRTteRcwCPE4/4JElKyaa0fcQ=",
1105 "keyMaterialType": "ASYMMETRIC_PUBLIC"
1106 },
1107 "status": "ENABLED",
1108 "keyId": 303799737,
1109 "outputPrefixType": "TINK"
1110 }
1111 ]
1112 })";
1113 util::StatusOr<std::unique_ptr<KeysetReader>> reader =
1114 JsonKeysetReader::New(public_keyset_with_unknown_algorithm);
1115 ASSERT_THAT(reader, IsOk());
1116 util::StatusOr<std::unique_ptr<KeysetHandle>> keyset_handle =
1117 CleartextKeysetHandle::Read(std::move(*reader));
1118 ASSERT_THAT(keyset_handle, IsOk());
1119
1120 util::StatusOr<std::string> jwk_set =
1121 JwkSetFromPublicKeysetHandle(**keyset_handle);
1122 EXPECT_THAT(jwk_set, Not(IsOk()));
1123 }
1124
1125 TEST(JwkSetFromPublicKeysetHandleTest,
1126 JwtRsaSsaPkcs1WithUnknownAlgorithmFails) {
1127 std::string public_keyset_with_unknown_algorithm = R"({
1128 "primaryKeyId": 1277272603,
1129 "key": [
1130 {
1131 "keyData": {
1132 "typeUrl": "type.googleapis.com/google.crypto.tink.JwtRsaSsaPkcs1PublicKey",
1133 "value": "IgMBAAEagAK+ZQ5rrZNivGPs3ytlUDOgR1KeaxFBo1YEwB0Hxp0ZryfjJwaJhaga/S5lZzy8faOfqXc9r/vZtvYgd/f4oPZRpPAuTXHfJKFfJsShLlkX1t6bOufaiE2LEag3s5+PvA9vrVn4XU2/neerfTzP5EjVZ7Igf70eO4hy5TFpZjRV6+xfMJ6Ewk/mDuRXPKXnlthxGLbx2J2RVrOvNWA0bfnI00wQvfahbVV+++nuF9Ae3FLCQU4/MmDMg8dskVvEAsauuBceyirtS0NB1L2++gSnj8nNCEK2cIQpqGCRPA5bJP3o6VEZiI8lIUdZO6PLVCd3o4pzwsYSykBfigPpmX5h",
1134 "keyMaterialType": "ASYMMETRIC_PUBLIC"
1135 },
1136 "status": "ENABLED",
1137 "keyId": 1277272603,
1138 "outputPrefixType": "TINK"
1139 }
1140 ]
1141 })";
1142 util::StatusOr<std::unique_ptr<KeysetReader>> reader =
1143 JsonKeysetReader::New(public_keyset_with_unknown_algorithm);
1144 ASSERT_THAT(reader, IsOk());
1145 util::StatusOr<std::unique_ptr<KeysetHandle>> keyset_handle =
1146 CleartextKeysetHandle::Read(std::move(*reader));
1147 ASSERT_THAT(keyset_handle, IsOk());
1148
1149 util::StatusOr<std::string> jwk_set =
1150 JwkSetFromPublicKeysetHandle(**keyset_handle);
1151 EXPECT_THAT(jwk_set, Not(IsOk()));
1152 }
1153
1154 } // namespace
1155 } // namespace tink
1156 } // namespace crypto
1157