Initial code

BUILD

@@ -0,0 +1,122 @@
+cc_library(
+    name = "jwt_verify_lib",
+    srcs = [
+        "src/check_audience.cc",
+        "src/jwks.cc",
+        "src/jwt.cc",
+        "src/status.cc",
+        "src/verify.cc",
+    ],
+    hdrs = [
+        "jwt_verify_lib/check_audience.h",
+        "jwt_verify_lib/jwks.h",
+        "jwt_verify_lib/jwt.h",
+        "jwt_verify_lib/status.h",
+        "jwt_verify_lib/verify.h",
+    ],
+    visibility = ["//visibility:public"],
+    deps = [
+        "//external:abseil_strings",
+        "//external:rapidjson",
+        "//external:ssl",
+    ],
+)
+
+cc_test(
+    name = "check_audience_test",
+    srcs = [
+        "src/check_audience_test.cc",
+    ],
+    linkopts = [
+        "-lm",
+        "-lpthread",
+    ],
+    linkstatic = 1,
+    deps = [
+        ":jwt_verify_lib",
+        "//external:googletest_main",
+    ],
+)
+
+cc_test(
+    name = "jwt_test",
+    srcs = [
+        "src/jwt_test.cc",
+    ],
+    linkopts = [
+        "-lm",
+        "-lpthread",
+    ],
+    linkstatic = 1,
+    deps = [
+        ":jwt_verify_lib",
+        "//external:googletest_main",
+    ],
+)
+
+cc_test(
+    name = "jwks_test",
+    srcs = [
+        "src/jwks_test.cc",
+    ],
+    linkopts = [
+        "-lm",
+        "-lpthread",
+    ],
+    linkstatic = 1,
+    deps = [
+        ":jwt_verify_lib",
+        "//external:googletest_main",
+    ],
+)
+
+cc_test(
+    name = "verify_pem_test",
+    srcs = [
+        "src/test_common.h",
+        "src/verify_pem_test.cc",
+    ],
+    linkopts = [
+        "-lm",
+        "-lpthread",
+    ],
+    linkstatic = 1,
+    deps = [
+        ":jwt_verify_lib",
+        "//external:googletest_main",
+    ],
+)
+
+cc_test(
+    name = "verify_jwk_rsa_test",
+    srcs = [
+        "src/test_common.h",
+        "src/verify_jwk_rsa_test.cc",
+    ],
+    linkopts = [
+        "-lm",
+        "-lpthread",
+    ],
+    linkstatic = 1,
+    deps = [
+        ":jwt_verify_lib",
+        "//external:googletest_main",
+    ],
+)
+
+cc_test(
+    name = "verify_jwk_ec_test",
+    srcs = [
+        "src/test_common.h",
+        "src/verify_jwk_ec_test.cc",
+    ],
+    linkopts = [
+        "-lm",
+        "-lpthread",
+    ],
+    linkstatic = 1,
+    deps = [
+        ":jwt_verify_lib",
+        "//external:googletest_main",
+    ],
+)

WORKSPACE

@@ -0,0 +1,13 @@
+load(
+    "//:repositories.bzl",
+    "boringssl_repositories",
+    "googletest_repositories",
+    "rapidjson_repositories",
+    "abseil_repositories",
+)
+
+boringssl_repositories()
+googletest_repositories()
+rapidjson_repositories()
+abseil_repositories()
+

googletest.BUILD

@@ -0,0 +1,40 @@
+
+cc_library(
+    name = "googletest",
+    srcs = [
+        "googletest/src/gtest-all.cc",
+        "googlemock/src/gmock-all.cc",
+    ],
+    hdrs = glob([
+        "googletest/include/**/*.h",
+        "googlemock/include/**/*.h",
+        "googletest/src/*.cc",
+        "googletest/src/*.h",
+        "googlemock/src/*.cc",
+    ]),
+    includes = [
+        "googlemock",
+        "googletest",
+        "googletest/include",
+        "googlemock/include",
+    ],
+    visibility = ["//visibility:public"],
+)
+
+cc_library(
+    name = "googletest_main",
+    srcs = ["googlemock/src/gmock_main.cc"],
+    visibility = ["//visibility:public"],
+    deps = [":googletest"],
+)
+
+cc_library(
+    name = "googletest_prod",
+    hdrs = [
+        "googletest/include/gtest/gtest_prod.h",
+    ],
+    includes = [
+        "googletest/include",
+    ],
+    visibility = ["//visibility:public"],
+)

jwt_verify_lib/check_audience.h

@@ -0,0 +1,53 @@
+// Copyright 2018 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.#pragma once
+
+#pragma once
+
+#include <memory>
+#include <set>
+#include <string>
+#include <vector>
+
+#include "jwt_verify_lib/status.h"
+
+namespace google {
+namespace jwt_verify {
+
+/**
+ * RFC for JWT `aud <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ only
+ * specifies case sensitive comparison. But experiences showed that users
+ * easily add wrong scheme and tailing slash to cause mis-match.
+ * In this implemeation, scheme portion of URI and tailing slash is removed
+ * before comparison.
+ */
+class CheckAudience {
+ public:
+  // Construct the object with a list audiences from config.
+  CheckAudience(const std::vector<std::string>& config_audiences);
+
+  // Check any of jwt_audiences is matched with one of configurated ones.
+  bool areAudiencesAllowed(const std::vector<std::string>& jwt_audiences) const;
+
+  // check if config audiences is empty
+  bool empty() const { return config_audiences_.empty(); }
+
+ private:
+  // configured audiences;
+  std::set<std::string> config_audiences_;
+};
+
+typedef std::unique_ptr<CheckAudience> CheckAudiencePtr;
+
+}  // namespace jwt_verify
+}  // namespace google

jwt_verify_lib/jwks.h

@@ -0,0 +1,72 @@
+// Copyright 2018 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.#pragma once
+
+#pragma once
+
+#include <string>
+#include <vector>
+
+#include "jwt_verify_lib/status.h"
+
+#include "openssl/ec.h"
+#include "openssl/evp.h"
+
+namespace google {
+namespace jwt_verify {
+
+/**
+ *  Class to parse and a hold JSON Web Key Set.
+ *
+ *  Usage example:
+ *    JwksPtr keys = Jwks::createFrom(jwks_string, type);
+ *    if (keys->getStatus() == Status::Ok) { ... }
+ */
+class Jwks : public WithStatus {
+ public:
+  // Format of public key.
+  enum Type { PEM, JWKS };
+
+  // Create from string
+  static std::unique_ptr<Jwks> createFrom(const std::string& pkey, Type type);
+
+  // Struct for JSON Web Key
+  struct Pubkey {
+    bssl::UniquePtr<EVP_PKEY> evp_pkey_;
+    bssl::UniquePtr<EC_KEY> ec_key_;
+    std::string kid_;
+    std::string kty_;
+    std::string alg_;
+    bool alg_specified_ = false;
+    bool kid_specified_ = false;
+    bool pem_format_ = false;
+  };
+  typedef std::unique_ptr<Pubkey> PubkeyPtr;
+
+  // Access to list of Jwks
+  const std::vector<PubkeyPtr>& keys() const { return keys_; }
+
+ private:
+  // Create Pem
+  void createFromPemCore(const std::string& pkey_pem);
+  // Create Jwks
+  void createFromJwksCore(const std::string& pkey_jwks);
+
+  // List of Jwks
+  std::vector<PubkeyPtr> keys_;
+};
+
+typedef std::unique_ptr<Jwks> JwksPtr;
+
+}  // namespace jwt_verify
+}  // namespace google

jwt_verify_lib/jwt.h

@@ -0,0 +1,61 @@
+// Copyright 2018 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.#pragma once
+
+#pragma once
+
+#include <string>
+#include <vector>
+
+#include "jwt_verify_lib/status.h"
+
+namespace google {
+namespace jwt_verify {
+
+/**
+ * struct to hold a JWT data.
+ */
+struct Jwt {
+  // header string
+  std::string header_str_;
+  // header base64_url encoded
+  std::string header_str_base64url_;
+
+  // payload string
+  std::string payload_str_;
+  // payload base64_url encoded
+  std::string payload_str_base64url_;
+  // signature string
+  std::string signature_;
+  // alg
+  std::string alg_;
+  // kid
+  std::string kid_;
+  // iss
+  std::string iss_;
+  // audiences
+  std::vector<std::string> audiences_;
+  // sub
+  std::string sub_;
+  // expiration
+  int64_t exp_ = 0;
+
+  /**
+   * Parse Jwt from string text
+   * @return the status.
+   */
+  Status parseFromString(const std::string& jwt);
+};
+
+}  // namespace jwt_verify
+}  // namespace google