Ackerley Tng ackerleytng Centre for Strategic Infocomm Technologies Singapore https://ackerleytng.github.io/blog/ Loves elegant code (and languages (clojure!)) and building useful and intuitive things.

ackerleytng/gowherene 10

Helping Singaporeans plot recommendations since 2018

ackerleytng/datomic-for-audit-trails-talk 2

Code/slides for a talk at the Nov 2019 Clojure Meetup in Singapore, about how Datomic is a great database for implementing apps requiring audit trails

ackerleytng/auth-mechanisms-presentation 1

Consolidated findings from exploration of auth-mechanisms

ackerleytng/.emacs.d 0

Emacs config

ackerleytng/2019-advent-of-code 0

Code for Advent of Code 2019

ackerleytng/apicentre 0

Using micro-frontends to enable teams to publish apis

ackerleytng/auth-helper-extension 0

A chrome extension to help developers when developing using access tokens

push event ackerleytng/pharo

ackerleytng

commit sha 89a14c85132602e45e05d7678f58a6fed60338c3

Add more comments as I understand how completion is implemented

push time in a day

issue comment pharo-project/pharo

Commenting out a piece of code containing comments should maintain the inside comments

Thanks for your help, and thanks for the detailed explanation! I've started working on this issue in pull request #7082

dupriezt

comment created time in 2 days

push event ackerleytng/pharo

ackerleytng

commit sha e904c881a480395e8a346698e16b424eec27279a

Add comments to better understand code

push time in 2 days

PR opened pharo-project/pharo

[WIP] Fixes #7057: Commenting out a piece of code containing comments should maintain the inside comments

Still a work in progress! Kicking off this pull request first

+171 -51

0 comment

3 changed files

pr created time in 2 days

issue comment pharo-spec/NewTools

Can't load NewTools-FileDialog

Here's the full stack in the debugger, which I get when I load FileDialog.

UndefinedObject(Object)>>doesNotUnderstand: #asTraitComposition
UndefinedObject>>doesNotUnderstand: #asTraitComposition
MCClassDefinition>>traitCompositionCompiled
[ :builder | 
			builder
				superclass: superClass;
				name: name;
				layoutClass: (ObjectLayout layoutForType: type);
				slots: self instanceVariables;
				sharedVariables: self classVariables;
				sharedPools: self sharedPoolsString;
				classSlots: self classInstanceVariables;
				traitComposition: self traitCompositionCompiled;
				classTraitComposition: self classTraitCompositionCompiled;
				comment: comment stamp: commentStamp;
				category: category;
				environment: superClass environment ] in [ Smalltalk classInstaller
		make: [ :builder | 
			builder
				superclass: superClass;
				name: name;
				layoutClass: (ObjectLayout layoutForType: type);
				slots: self instanceVariables;
				sharedVariables: self classVariables;
				sharedPools: self sharedPoolsString;
				classSlots: self classInstanceVariables;
				traitComposition: self traitCompositionCompiled;
				classTraitComposition: self classTraitCompositionCompiled;
				comment: comment stamp: commentStamp;
				category: category;
				environment: superClass environment ] ] in MCClassDefinition>>createClass in Block: [ :builder | ...
ShiftClassInstaller>>make:
ShiftClassInstaller class>>make:
[ Smalltalk classInstaller
		make: [ :builder | 
			builder
				superclass: superClass;
				name: name;
				layoutClass: (ObjectLayout layoutForType: type);
				slots: self instanceVariables;
				sharedVariables: self classVariables;
				sharedPools: self sharedPoolsString;
				classSlots: self classInstanceVariables;
				traitComposition: self traitCompositionCompiled;
				classTraitComposition: self classTraitCompositionCompiled;
				comment: comment stamp: commentStamp;
				category: category;
				environment: superClass environment ] ] in MCClassDefinition>>createClass in Block: [ Smalltalk classInstaller...
FullBlockClosure(BlockClosure)>>on:do:
MCClassDefinition>>createClass
MCClassDefinition>>load
MCClassDefinition(MCDefinition)>>addMethodAdditionTo:
[ :each | each addMethodAdditionTo: methodAdditions ] in MCPackageLoader>>basicLoadDefinitions in Block: [ :each | each addMethodAdditionTo: methodAddition...etc...
[ :each | | newLabel |
			"Special handling for first and last element"
			(count = 0 or: [ count + 1 = size or: [(Time millisecondsSince: lastUpdate) >= msecs]]) 
				ifTrue: [ 
					bar current: count.
					oldLabel = (newLabel := (labelBlock cull: each) ifNil: [oldLabel]) 
						ifFalse: [
							bar label: newLabel.
							oldLabel := newLabel ].
				lastUpdate := Time millisecondClockValue ].
			aBlock value: each.
			count := count + 1 ] in [:bar |
		labelBlock := aStringOrBlock isString
			ifTrue: [
				bar label: aStringOrBlock.
				[ :dummyItem | aStringOrBlock] ]
			ifFalse: [ aStringOrBlock ].

		self do: [ :each | | newLabel |
			"Special handling for first and last element"
			(count = 0 or: [ count + 1 = size or: [(Time millisecondsSince: lastUpdate) >= msecs]]) 
				ifTrue: [ 
					bar current: count.
					oldLabel = (newLabel := (labelBlock cull: each) ifNil: [oldLabel]) 
						ifFalse: [
							bar label: newLabel.
							oldLabel := newLabel ].
				lastUpdate := Time millisecondClockValue ].
			aBlock value: each.
			count := count + 1 ] ] in OrderedCollection(Collection)>>do:displayingProgress:every: in Block: [ :each | | newLabel |...
OrderedCollection>>do:
[:bar |
		labelBlock := aStringOrBlock isString
			ifTrue: [
				bar label: aStringOrBlock.
				[ :dummyItem | aStringOrBlock] ]
			ifFalse: [ aStringOrBlock ].

		self do: [ :each | | newLabel |
			"Special handling for first and last element"
			(count = 0 or: [ count + 1 = size or: [(Time millisecondsSince: lastUpdate) >= msecs]]) 
				ifTrue: [ 
					bar current: count.
					oldLabel = (newLabel := (labelBlock cull: each) ifNil: [oldLabel]) 
						ifFalse: [
							bar label: newLabel.
							oldLabel := newLabel ].
				lastUpdate := Time millisecondClockValue ].
			aBlock value: each.
			count := count + 1 ] ] in OrderedCollection(Collection)>>do:displayingProgress:every: in Block: [:bar |...
FullBlockClosure(BlockClosure)>>cull:
[ ^ block cull: self ] in [ self prepareForRunning.
	  CurrentJob value: self during: [ ^ block cull: self ] ] in Job>>run in Block: [ ^ block cull: self ]
[ activeProcess
			psValueAt: index
			put: anObject.
		aBlock value ] in CurrentJob(DynamicVariable)>>value:during: in Block: [ activeProcess...
FullBlockClosure(BlockClosure)>>ensure:
CurrentJob(DynamicVariable)>>value:during:
CurrentJob class(DynamicVariable class)>>value:during:
[ self prepareForRunning.
	  CurrentJob value: self during: [ ^ block cull: self ] ] in Job>>run in Block: [ self prepareForRunning....
FullBlockClosure(BlockClosure)>>ensure:
Job>>run
MorphicUIManager(UIManager)>>displayProgress:from:to:during:
ByteString(String)>>displayProgressFrom:to:during:
OrderedCollection(Collection)>>do:displayingProgress:every:
OrderedCollection(Collection)>>do:displayingProgress:
MCPackageLoader>>basicLoadDefinitions
[self basicLoadDefinitions] in MCPackageLoader>>basicLoad in Block: [self basicLoadDefinitions]

ackerleytng

comment created time in 3 days

issue comment pharo-project/pharo

Commenting out a piece of code containing comments should maintain the inside comments

Thanks! @dupriezt

I want to learn how you tracked this method down!

How did you track it down to this method? Where did you start looking? Did you already know that it had to do with completions?

dupriezt

comment created time in 3 days

issue comment pharo-spec/NewTools

Can't load NewTools-FileDialog

@StevenCostiou I tried loading Spec with the Metacello code on the Spec readme, but I'm still getting the same error. I tried editing the .class.st file directly, and I'm able to load FileDialog if I delete these two lines

	#traits : 'TSpDynamicPresenter',
	#classTraits : 'TSpDynamicPresenter classTrait',

Is there something else I can try?

ackerleytng

comment created time in 3 days

pull request comment pharo-project/pharo

Fix FileDialog to delete non-empty directories.

I got confused as well. Thanks for your pointers! I made a last commit that removes the ensure: after the block

ackerleytng

comment created time in 3 days

push event ackerleytng/pharo

ackerleytng

commit sha 2b803d38228199e4f7d386c4fac2f22211445da7

Remove ensure: after the test block, since memFs will get garbage collected after each test

push time in 3 days

pull request comment pharo-project/pharo

Fix FileDialog to delete non-empty directories.

How should I explicitly delete the memory filesystem?

ackerleytng

comment created time in 3 days

pull request comment pharo-project/pharo

Fix FileDialog to delete non-empty directories.

Sure, I'll fix it! I have a question!

How do I delete the memory Filesystem in-between tests? I was assuming that it will be garbage collected since a new memory Filesystem is created before every test by the setUp method. Is that a good assumption?

If I can delete the memory Filesystem, then that will remove the need to delete the temporary files, so I'll remove the [] ensure: stuff.

ackerleytng

comment created time in 3 days

issue opened pharo-spec/NewTools

Can't load NewTools-FileDialog

I'm getting a #asTraitComposition was sent to nil, where Smalltalk compiler evaluate: self traitCompositionString is nil.

To reproduce, I'm using a Pharo 9.0 image and after doing this

Metacello new
    baseline: 'NewTools';
    repository: 'github://pharo-spec/NewTools';
    load.

I manually loaded NewTools-FileDialog and got this issue.

I noticed that TSpDynamicPresenter is nowhere in this repository, could that be why?

created time in 3 days

issue comment pharo-project/pharo

could we introduce isDoubleQuote in Character

Should isDoubleQuote return true only for ", or should it also return true for all of these? https://www.compart.com/en/unicode/search?q=quotation#characters

Ducasse

comment created time in 4 days

PR opened pharo-project/pharo

Fix FileDialog to delete non-empty directories.

Also add tests and refactor deleteFileOrDirectory.

Fixes #6331.

+136 -32

0 comment

2 changed files

pr created time in 4 days

push event ackerleytng/pharo

push time in 4 days

create branch ackerleytng/pharo

branch : 6331-fix-delete-non-empty-directory

created branch time in 4 days

push event ackerleytng/pharo

ackerleytng

commit sha 1b2c08716805f979658715c4077586a144f5f5ee

Fix FileDialog to delete non-empty directories. Also add tests and refactor deleteFileOrDirectory. Fixes #6331.

push time in 4 days

fork ackerleytng/pharo

Pharo is a dynamic reflective pure object-oriented language supporting live programming inspired by Smalltalk.

http://pharo.org

fork in 4 days

issue comment pharo-project/pharo

FileDialog raises an error when we want to delete a non empty folder.

Oh! The delete button only works if something is selected on the right menu (File), it doesn't apply to anything selected on the left menu (Directory)

Ducasse

comment created time in 4 days

issue comment pharo-project/pharo

FileDialog raises an error when we want to delete a non empty folder.

On the latest launcher as well, Pharo Mooc image, Arch Linux too. Even if the directory is empty, nothing appears to happen when I click the delete button.

Ducasse

comment created time in 4 days

issue comment pharo-project/pharo

Commenting out a piece of code containing comments should maintain the inside comments

I'm a Pharo beginner but I'd like to give this a shot! How should I find out the method responsible for prepending and appending the double quote?

Where should I set the breakpoints...?

dupriezt

comment created time in 5 days

started chmln/sd

started time in 13 days

started mengshukeji/Luckysheet

started time in 14 days

push event ackerleytng/pharo-mooc-redo-dice-dsl

Ackerley Tng

commit sha 56bd9c80259655e98c606b38d568aac30250628c

Create README.md

push time in 16 days

create branch ackerleytng/pharo-mooc-redo-dice-dsl

branch : master

created branch time in 16 days

created repository ackerleytng/pharo-mooc-redo-dice-dsl

created time in 16 days

issue comment pharo-project/pharo

[Linux 64bit] Pharo 8 Devel libgit2_init problem

I dug into this a little bit - I believe the correct solution is to install libcurl-gnutls.so.4 systemwide.

I did this:

$ ldd ~/Pharo/vms/80-x64/lib/pharo/5.0-202002121043/libgit2.so
ldd: warning: you do not have execution permission for `/home/ackerleytng/Pharo/vms/80-x64/lib/pharo/5.0-202002121043/libgit2.so'
        linux-vdso.so.1 (0x00007ffff71fa000)
        libcurl-gnutls.so.4 => not found
        libz.so.1 => /usr/lib/libz.so.1 (0x00007fbb9172c000)
        libssl.so.1.0.0 => not found
        libcrypto.so.1.0.0 => not found
        libssh2.so.1 => /usr/lib/libssh2.so.1 (0x00007fbb916ec000)
        librt.so.1 => /usr/lib/librt.so.1 (0x00007fbb916e1000)
        libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007fbb916bd000)
        libc.so.6 => /usr/lib/libc.so.6 (0x00007fbb914f6000)
        libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007fbb91466000)
        libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x00007fbb91189000)
        /usr/lib64/ld-linux-x86-64.so.2 (0x00007fbb91ab9000)
        libdl.so.2 => /usr/lib/libdl.so.2 (0x00007fbb91183000)

Which shows that I have a few libraries missing.

After installing libcurl-gnutls with

pacman -S libcurl-gnutls

I get this

ldd ~/Pharo/vms/80-x64/lib/pharo/5.0-202002121043/libgit2.so
ldd: warning: you do not have execution permission for `/home/ackerleytng/Pharo/vms/80-x64/lib/pharo/5.0-202002121043/libgit2.so'
/home/ackerleytng/Pharo/vms/80-x64/lib/pharo/5.0-202002121043/libgit2.so: /usr/lib/libcurl-gnutls.so.4: no version information available (required by /home/ackerleytng/Pharo/vms/80-x64/lib/pharo/5.0-202002121043/libgit2.so)
        linux-vdso.so.1 (0x00007ffdbb91a000)
        libcurl-gnutls.so.4 => /usr/lib/libcurl-gnutls.so.4 (0x00007f9e462c6000)
        libz.so.1 => /usr/lib/libz.so.1 (0x00007f9e462ac000)
        libssl.so.1.0.0 => not found
        libcrypto.so.1.0.0 => not found
        libssh2.so.1 => /usr/lib/libssh2.so.1 (0x00007f9e4626c000)
        librt.so.1 => /usr/lib/librt.so.1 (0x00007f9e46261000)
        libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007f9e4623d000)
        libc.so.6 => /usr/lib/libc.so.6 (0x00007f9e46076000)
        libnghttp2.so.14 => /usr/lib/libnghttp2.so.14 (0x00007f9e4604a000)
        libidn2.so.0 => /usr/lib/libidn2.so.0 (0x00007f9e46029000)
        libpsl.so.5 => /usr/lib/libpsl.so.5 (0x00007f9e46016000)
        libnettle.so.8 => /usr/lib/libnettle.so.8 (0x00007f9e45fd8000)
        libgnutls.so.30 => /usr/lib/libgnutls.so.30 (0x00007f9e45e0f000)
        libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007f9e45d7f000)
        libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x00007f9e45aa2000)
        /usr/lib64/ld-linux-x86-64.so.2 (0x00007f9e466c1000)
        libunistring.so.2 => /usr/lib/libunistring.so.2 (0x00007f9e45920000)
        libp11-kit.so.0 => /usr/lib/libp11-kit.so.0 (0x00007f9e457f7000)
        libtasn1.so.6 => /usr/lib/libtasn1.so.6 (0x00007f9e457df000)
        libhogweed.so.6 => /usr/lib/libhogweed.so.6 (0x00007f9e45797000)
        libgmp.so.10 => /usr/lib/libgmp.so.10 (0x00007f9e456f6000)
        libdl.so.2 => /usr/lib/libdl.so.2 (0x00007f9e456f0000)
        libffi.so.7 => /usr/lib/libffi.so.7 (0x00007f9e456e4000)

And the Pharo Mooc image starts up without the error.

I'm not sure what the goals of the pharo-launcher are, but if we want to provide a smooth experience, it might make sense to package libcurl-gnutls.so.4 in, or otherwise improve error messages!

I would like to help out! I'm new to Pharo and would appreciate pointers.

C0ldS0b3r

comment created time in 16 days

push event ackerleytng/.emacs.d

ackerleytng

commit sha f758cf60369d20c456cd984328362667235809df

Disable bell

push time in 20 days

issue comment psycopg/psycopg2

as_string() function for psycopg2.sql module requires a "context" (connection or cursor).

@zlex7 I felt that I needed this too.

For my rather basic test, I ended up using a helper test function that was able to form the query

def _join_seq(seq):
    parts = str(seq).split("'")
    return "".join([p for i, p in enumerate(parts) if i % 2 == 1])

and then I used this with

_join_seq(query.seq)

instead of

query.as_string(conn)

zlex7

comment created time in 21 days

issue comment pharo-project/pharo

[Linux 64bit] Pharo 8 Devel libgit2_init problem

I'm getting this error too, when launching the Pharo Mooc, Pharo 8.0

C0ldS0b3r

comment created time in a month

push event ackerleytng/gowherene

Ackerley Tng

commit sha 4a842529461ab3cfe91ac823e904b523cb4f9e24

Specify that services should always restart

push time in a month

started CaffeineViking/vimrc

started time in a month

push event ackerleytng/auth-helper-extension

Ackerley Tng

commit sha c3943681708d5e36b0df14e4adc30f26692118a1

Add documentation

push time in a month

push event ackerleytng/auth-helper-extension

Ackerley Tng

commit sha 785fa7907ed702c67aad298762946ca6ccd6367d

Cosmetic changes on popup

push time in a month

push event ackerleytng/auth-helper-extension

Ackerley Tng

commit sha a779ad2f13ee4b3f16df0e7b716d3cc885e8b3a9

Add error handling

push time in a month

push event ackerleytng/auth-helper-extension

Ackerley Tng

commit sha 6584eb84746dc76cb8b645adad92c277c951e527

Fix handling of active

Ackerley Tng

commit sha 8b280cdfd28d79fd6b5203ab0b359cf6c9281f16

Cleanup html

push time in a month

push event ackerleytng/auth-helper-extension

Ackerley Tng

commit sha ed1bdc147c25416a45329a08524d02bbd9e6c321

Remove code for future features for now

Ackerley Tng

commit sha afc30c058450ea9c60ca7a8a4ad62f58599fa905

Refactor updateToken to getToken

Ackerley Tng

commit sha 9511900302ca2291b97f78b2b31a89a69f429743

Also parse and present iat and exp nicely

Ackerley Tng

commit sha 0b7aa098a03b2c8308fb785c4034ceca4e58c1b5

Remove debug header

push time in a month

create branch ackerleytng/auth-helper-extension

branch : master

created branch time in a month

created repository ackerleytng/auth-helper-extension

A chrome extension to help developers when developing using access tokens

created time in a month

started google/jwt_verify_lib

started time in a month

started Exiv2/exiv2

started time in a month

started practicalli/clojure-deps-edn

started time in a month

push event ackerleytng/.emacs.d

Ackerley Tng

commit sha c8d839eca5a4aaeea3ef43fd16caeafd79b79b35

Cleanup config for lsp

push time in a month

push event ackerleytng/jwt_verify_lib

Ackerley Tng

commit sha d035c5eec2e85cbdffc44cea6e0fe1dd464d99a1

Add tests for check_audience.cc

Ackerley Tng

commit sha 286dfea42637bed3a3d0f8d00d0e2fa4f9ff5942

Add some test cases for RSASSA-PSS and update BUILD to run those

Ackerley Tng

commit sha aa369974ea63b143444bac3d2f149119736c713c

Override << operator for better test error messages

Ackerley Tng

commit sha 516c29896b443beb0a37d8a1592665d72089ee3c

Allow PS256, PS384 and PS512 jwts to be parsed

Ackerley Tng

commit sha 450f47912a2d970d82e0199ce715ff6dc850cec2

Move operator<< override into test_common.h since we don't want additional code in the main library if it's not required there

Ackerley Tng

commit sha 747168862e792e8e245b5cbf00e21d8b4a165c14

Add timeout specification for tests

Ackerley Tng

commit sha 07ea1fc031d7eec14b988352cf6a1a30e62d961a

Add implementation to verify RSAPSS and basic testing

Ackerley Tng

commit sha 2bf18ac2bb3c6d595f1bc35ef345cd24ba5ed671

Add test cases for PS384 and PS512

Ackerley Tng

commit sha 06d7cc451541efdfa144fb457dc2445399fab9e4

Add more test cases including negative tests
Used jwt.io, where I can quickly modify the header of the token

Ackerley Tng

commit sha 8a284ae21261a2df65a97e00c823874b5880627c

Adjust class data member names to follow style guide

Ackerley Tng

commit sha 91198839a88166037b77216fbe9d3c9ef7ed3eae

Use absl::flat_hash_set to optimize checking of implemented_algs

Ackerley Tng

commit sha bc56e98cb10e9a01e900980013998ef390dfc27c

Add note to indicate no need to free pctx

Ackerley Tng

commit sha 01a41aa22400aa75f34f97977c9380a43ec0be2e

Remove inheritance for better readability in test case

Ackerley Tng

commit sha 04b0673d52b152ce3e6cabf04581c15e7bca7df3

Unroll parameterized test for better readability

Ackerley Tng

commit sha e9757dec7b15abfbb250532992419fec0a7c01ae

Mark kImplementedAlgs as const

Ackerley Tng

commit sha c2b07185e954b418efd5cc23987855f58008d11d

Explain test cases better in comments

Wayne Zhang

commit sha 80443fb0c8efc431f0228eecd0bd93280384319f

Merge pull request #54 from ackerleytng/add-check-audience-tests
Add tests for check_audience.cc

Ackerley Tng

commit sha ddf8cdfc9434ca5b6779173c8dfa16944b6ab25f

Use shorter variable names with descriptive comments

Ackerley Tng

commit sha 9cb97fe472a123c59118499de2433885908200fd

Move global static const flat_hash_set into function to avoid the static initialization order problem

Ackerley Tng

commit sha 56f0f6d9d35421c9d06961a994b4f9c8db14b828

Improve helper function name

push time in a month

delete branch ackerleytng/jwt_verify_lib

delete branch : add-check-audience-tests

delete time in a month

delete branch ackerleytng/jwt_verify_lib

delete branch : add-rsassa-pss-support

delete time in a month

pull request comment google/jwt_verify_lib

Add RSASSA-PSS support

Thanks! I suppose we can close #49 ?

ackerleytng

comment created time in a month

Pull request review comment google/jwt_verify_lib

[WIP] Add RSASSA-PSS support

+// Copyright 2018 Google LLC+//+// Licensed under the Apache License, Version 2.0 (the "License");+// you may not use this file except in compliance with the License.+// You may obtain a copy of the License at+//+//    https://www.apache.org/licenses/LICENSE-2.0+//+// Unless required by applicable law or agreed to in writing, software+// distributed under the License is distributed on an "AS IS" BASIS,+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+// See the License for the specific language governing permissions and+// limitations under the License.++#include "gtest/gtest.h"+#include "jwt_verify_lib/verify.h"+#include "src/test_common.h"++namespace google {+namespace jwt_verify {+namespace {++// The following is the jwks from querying a private temporary instance of keycloak at+// https://keycloak.localhost/auth/realms/applications/protocol/openid-connect/certs++const std::string PublicKeyRSAPSS = R"(+{+  "keys": [+    {+      "kid": "RGlV9a54XdAsuiYUDkQ0hDkiSZ92TJCgneh7-HvN-sk",+      "kty": "RSA",+      "alg": "PS384",+      "use": "sig",+      "n": "8logDcIilAXYJ2kNOrUIAVrWg3g-i1EUsWzEwAV3WT9NNwisUsljdyK3OOxy8yhbWyunxia-4Qo8nCIjURfLn0XoJyozCsruTWuvv2nvWx380zDD5gN-RK0kab_UWOV_zkr9YhBYd2PUB-sCcEwDKj8uHZrJ2CvXvxt2LV8_l_kwlCEDS_q97eEqvxhvYFF8DVo_AGABoK6fU1urn7X-GQcClgOEI8qKho-FU0RPJM80pnmCVds7oP2NYHSnAbkxltiB2cU1qazs21A52obU5zemUwJcdEGpykBKgc_aKaxkusLs2O0xWvnDbgXvboqb_0UhZPWNILZYK09jYCFobQ",+      "e": "AQAB",+      "x5c": [+        
"MIICpzCCAY8CBgFzHKZh6TANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxhcHBsaWNhdGlvbnMwHhcNMjAwNzA1MDE0MzUyWhcNMzAwNzA1MDE0NTMyWjAXMRUwEwYDVQQDDAxhcHBsaWNhdGlvbnMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDyWiANwiKUBdgnaQ06tQgBWtaDeD6LURSxbMTABXdZP003CKxSyWN3Irc47HLzKFtbK6fGJr7hCjycIiNRF8ufRegnKjMKyu5Na6+/ae9bHfzTMMPmA35ErSRpv9RY5X/OSv1iEFh3Y9QH6wJwTAMqPy4dmsnYK9e/G3YtXz+X+TCUIQNL+r3t4Sq/GG9gUXwNWj8AYAGgrp9TW6uftf4ZBwKWA4QjyoqGj4VTRE8kzzSmeYJV2zug/Y1gdKcBuTGW2IHZxTWprOzbUDnahtTnN6ZTAlx0QanKQEqBz9oprGS6wuzY7TFa+cNuBe9uipv/RSFk9Y0gtlgrT2NgIWhtAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAMaFjwzA+74wY+2YjsMk79IpvDV3Kke7hBThz+9+KT8u2cCX1fUucZemk5vNfLbv+Swhjs+Psuhim1mXxqfyNeSPrIznWAQDSUIW5c3SuJtIOXbfXjIoeK7QW4yhv4NsQBnXd0o6UncvlSZvFxQCMDqGrybOim2O93nM7p3udE2c08tAZ/XRFrxgENvuO3XGAg5EIiUEbHjtOgpjGwkxDfvOm0C4giaaHbUEarzK0olAExtKENwa9AKsxnckMH/kWNBY6ohYSJ7DojRUY84bKTWWFx8Krj0kzjNkbadrdAya8YoRp4IRqjZ9cA9i+yIlN1ulhL9GGq4JDHqTFaoBxiQ="+      ],+      "x5t": "6mK6ZUgfCVv2sm7GVsDR_tdPjjE",+      "x5t#S256": "PJYSXCbyowmimYVC41vPKlZyUfmqcGNo6Cfba4y8pkE"+    },+    {+      "kid": "u_ZZAorrQhtL2MA-bWkZ0qpzjia4D3u6QUvBRscHLrg",+      "kty": "RSA",+      "alg": "PS512",+      "use": "sig",+      "n": "0k2d9uo6k1luw7VpgeZuf4xIlhpp_pPndYjHCZBhSmXsXN7lV-HhYE3Vv2WurMT32HrOJVm4zJWbQOOFG2LD8Byw1sKzZWoS_wwFUWdeTzw43JniK-PYDY5sOM5sn6uGtfLNzm0fO0gkhLMf-dgodimA7dw_4kFqIYP9VNJOi3Pw3XI0uAuK1X7_eJ7mzWlCC8ERT0iJELKqC1Hx8Ub13SeTaFvPoguvx08END87WUbkdp4e4N16d_wVUWuutidY2HkjcklNhUWTc0BSST89TyKwwXwrXqY7_Ka14pjo8H-s6nT1ns80LiTjvjgzyeMRbptOYmgxlmYL0AXI07hbZw",+      "e": "AQAB",+      "x5c": [+        
"MIICpzCCAY8CBgFzHKaU5jANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxhcHBsaWNhdGlvbnMwHhcNMjAwNzA1MDE0NDA1WhcNMzAwNzA1MDE0NTQ1WjAXMRUwEwYDVQQDDAxhcHBsaWNhdGlvbnMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSTZ326jqTWW7DtWmB5m5/jEiWGmn+k+d1iMcJkGFKZexc3uVX4eFgTdW/Za6sxPfYes4lWbjMlZtA44UbYsPwHLDWwrNlahL/DAVRZ15PPDjcmeIr49gNjmw4zmyfq4a18s3ObR87SCSEsx/52Ch2KYDt3D/iQWohg/1U0k6Lc/DdcjS4C4rVfv94nubNaUILwRFPSIkQsqoLUfHxRvXdJ5NoW8+iC6/HTwQ0PztZRuR2nh7g3Xp3/BVRa662J1jYeSNySU2FRZNzQFJJPz1PIrDBfCtepjv8prXimOjwf6zqdPWezzQuJOO+ODPJ4xFum05iaDGWZgvQBcjTuFtnAgMBAAEwDQYJKoZIhvcNAQELBQADggEBALyEXqK3BYwVU/7o8+wfDwOJ2nk9OmoGIu3hu6gwqC92DOXClus11UGHKsfhhYlQdzdBpNRD5hjabqaEpCoqF4HwzIWL+Pc08hnnP1IsxkAZdKicKLeFE6BwldK/RYK5vuNXjO824xGnTJuIEApWD2lWf7T3Ndyve14vx1B+6NPmazXPHcSbDN+06bXg8YeZVMnBqRYVBCxo5IoEwP2kJC/F3RbYJTF8QV2/AnwA/Bt1/rl6Y9MPqCwntyfrxq26Bwlpf9vC1dwRK45Tgv9c94/rD1Xax3MPQhhnCo+6H9UWSe/mIdPC2jPifcYJGujPpbbcp23fBOig+FwY6OZl1oo="+      ],+      "x5t": "YVSZ0gbRsdQ2ItVwc00GynAyFwk",+      "x5t#S256": "ZOJz7HKW1fQVb46QI0Ymw7v4u1mfRmzDJmOp3zUMpt4"+    },+    {+      "kid": "4hmO65bbc7IVI-3PfA2emAlO0qhv4rB__yw8BPQ58q8",+      "kty": "RSA",+      "alg": "PS256",+      "use": "sig",+      "n": "vz40nPlC2XsAGbqfp3S4nyl2G1iMFER1l_I4k7gfC-87UWu2-a7BZQHb646WmSXu8xFzu0x5FFTFmu_v3Aj1NAcdYbz09UypSxfH--aw7ATiSWL26jHixFP4l6miJxaXV-rlp9qFSO--1JRnlvYrt6M5mQI0ZvN8EahAVXIHNtDMZYu0HYwwL7j45gjF9o9kDbfMSPr8Oni0QC2tTcCg623OlNqrJZFT4YNJ8A1nRfwGwBLFp5pxpK9ZCekQVhBpZNUrlLB5uDaB5H9lwFKslbHC-HKlJbfZZg16j6tlQTgw6dnKNo5LPrZ4TeSUyuoudzZSpZo4dyFsasTfWYTSLQ",+      "e": "AQAB",+      "x5c": [+        "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"+      ],+      "x5t": "5lmEYc56y8EeBpHsP1-LO8M0W2c",+      "x5t#S256": "oC0EpmLVEv1CptAVxKT9uVpC975xKlu3xOrhh8RTNy4"+    }+  ]+}+)";++// PS256 JWT with correct kid+// Header:+// {+//   "alg": "PS256",+//   "typ": "JWT",+//   "kid": "4hmO65bbc7IVI-3PfA2emAlO0qhv4rB__yw8BPQ58q8"+// }+// Payload:+// {+//   "exp": 1593912811,+//   "iat": 1593912511,+//   "jti": 
"3c9ee909-3ca5-4587-8c0b-700cb4cb8e62",+//   "iss": "https://keycloak.localhost/auth/realms/applications",+//   "sub": "c3cfd999-ca22-4080-9863-277427db4321",+//   "typ": "Bearer",+//   "azp": "foo",+//   "session_state": "de37ba9c-4b3a-4250-a89b-da81928fcf9b",+//   "acr": "1",+//   "scope": "email profile",+//   "email_verified": false,+//   "name": "User Zero",+//   "preferred_username": "user0",+//   "given_name": "User",+//   "family_name": "Zero",+//   "email": "user0@mail.com"+// }++const std::string Ps256JwtTextWithCorrectKid =+    "eyJhbGciOiJQUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0aG1PNjViYmM3SVZJLTNQ"+    "ZkEyZW1BbE8wcWh2NHJCX195dzhCUFE1OHE4In0."+    "eyJleHAiOjE1OTM5MTI4MTEsImlhdCI6MTU5MzkxMjUxMSwianRpIjoiM2M5ZWU5MDktM2Nh"+    "NS00NTg3LThjMGItNzAwY2I0Y2I4ZTYyIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5sb2Nh"+    "bGhvc3QvYXV0aC9yZWFsbXMvYXBwbGljYXRpb25zIiwic3ViIjoiYzNjZmQ5OTktY2EyMi00"+    "MDgwLTk4NjMtMjc3NDI3ZGI0MzIxIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiZm9vIiwic2Vz"+    "c2lvbl9zdGF0ZSI6ImRlMzdiYTljLTRiM2EtNDI1MC1hODliLWRhODE5MjhmY2Y5YiIsImFj"+    "ciI6IjEiLCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2Us"+    "Im5hbWUiOiJVc2VyIFplcm8iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ1c2VyMCIsImdpdmVu"+    "X25hbWUiOiJVc2VyIiwiZmFtaWx5X25hbWUiOiJaZXJvIiwiZW1haWwiOiJ1c2VyMEBtYWls"+    "LmNvbSJ9."+    "fas6TkXZ97K1d8tTMCEFDcG-MupI-BwGn0UZD8riwmbLf5xmDPaoZwmJ3k-szVo-oJMfMZbr"+    "VAI8xQwg4Z7bQvd3I9WM6XPsu1_gKnkc2EOATgkdpDg5rWOPSZCFLUD_bqsoPQrfc2C1-UKs"+    "VOwUkXEH6rEIlOvngqQWNJjtbkvsS2N_3kNAgaD8cELT5mxmM4vGZn14OHmXHJBIW9pHJU64"+    "tA0sDcexoylL7xB_E1XTs3St0sYyq_pz9920vHScr9KXQ3y9k-fbPvgBs2gGY0iK63E0lEwD"+    "fRWY4Za6RRqymammehv7ZiE4HjDy5Q_AdLGdRefrTxtiQrHIThLqAw";+++// PS384 JWT with correct kid+// Header:+// {+//   "alg": "PS384",+//   "typ": "JWT",+//   "kid": "RGlV9a54XdAsuiYUDkQ0hDkiSZ92TJCgneh7-HvN-sk"+// }+// Payload:+// {+//   "exp": 1593913901,+//   "iat": 1593913601,+//   "jti": "375242be-54c3-4c06-ad07-22457d493390",+//   "iss": 
"https://keycloak.localhost/auth/realms/applications",+//   "sub": "c3cfd999-ca22-4080-9863-277427db4321",+//   "typ": "Bearer",+//   "azp": "foo",+//   "session_state": "a0cc48a5-1eea-4078-b965-3f8edee8a15e",+//   "acr": "1",+//   "scope": "email profile",+//   "email_verified": false,+//   "name": "User Zero",+//   "preferred_username": "user0",+//   "given_name": "User",+//   "family_name": "Zero",+//   "email": "user0@mail.com"+// }++const std::string Ps384JwtTextWithCorrectKid =+    "eyJhbGciOiJQUzM4NCIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSR2xWOWE1NFhkQXN1aVlV"+    "RGtRMGhEa2lTWjkyVEpDZ25laDctSHZOLXNrIn0."+    "eyJleHAiOjE1OTM5MTM5MDEsImlhdCI6MTU5MzkxMzYwMSwianRpIjoiMzc1MjQyYmUtNTRj"+    "My00YzA2LWFkMDctMjI0NTdkNDkzMzkwIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5sb2Nh"+    "bGhvc3QvYXV0aC9yZWFsbXMvYXBwbGljYXRpb25zIiwic3ViIjoiYzNjZmQ5OTktY2EyMi00"+    "MDgwLTk4NjMtMjc3NDI3ZGI0MzIxIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiZm9vIiwic2Vz"+    "c2lvbl9zdGF0ZSI6ImEwY2M0OGE1LTFlZWEtNDA3OC1iOTY1LTNmOGVkZWU4YTE1ZSIsImFj"+    "ciI6IjEiLCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2Us"+    "Im5hbWUiOiJVc2VyIFplcm8iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ1c2VyMCIsImdpdmVu"+    "X25hbWUiOiJVc2VyIiwiZmFtaWx5X25hbWUiOiJaZXJvIiwiZW1haWwiOiJ1c2VyMEBtYWls"+    "LmNvbSJ9."+    "lQdbyqQH0dBYA0yIMVmV-KMGOYc7-BuuQUggKqEi9kpmvZAeXaX1v04n6XkyZdIRMxLgxVoK"+    "LH3XJLg7zwW_luYR5ZlYj5SLYxUSkrlG3RfOvRpphXzhH-TcRQMdwSFEbNUiibZ6NkSmzMLi"+    "Weryi3JHCHAxt2e9Z6_dWlrKXXSvpmZgrn--NdU433TmePFdgoEGUH8F9q7T1Nd1S5FnsS2i"+    "-ywZzNMQIfQ59k_r1_WlH81bwoNgd4ffTlVsosZrw84UYBJdNt73-RWu1NNTXvIY2MiImods"+    "oo7DAD__ZDMgnJ8cpBmrq0YASz04SESNt1jiwCWbasJQx_B73hmd1A";+++// PS512 JWT with correct kid+// Header:+// {+//   "alg": "PS512",+//   "typ": "JWT",+//   "kid": "u_ZZAorrQhtL2MA-bWkZ0qpzjia4D3u6QUvBRscHLrg"+// }+// Payload:+// {+//   "exp": 1593913918,+//   "iat": 1593913618,+//   "jti": "7c1f8cba-7f7c-4e05-b02c-2a0a77914f5d",+//   "iss": "https://keycloak.localhost/auth/realms/applications",+//   "sub": 
"c3cfd999-ca22-4080-9863-277427db4321",+//   "typ": "Bearer",+//   "azp": "foo",+//   "session_state": "d8dbe685-cd10-42da-841c-f7ae6cd4d588",+//   "acr": "1",+//   "scope": "email profile",+//   "email_verified": false,+//   "name": "User Zero",+//   "preferred_username": "user0",+//   "given_name": "User",+//   "family_name": "Zero",+//   "email": "user0@mail.com"+// }++const std::string Ps512JwtTextWithCorrectKid =+    "eyJhbGciOiJQUzUxMiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ1X1paQW9yclFodEwyTUEt"+    "YldrWjBxcHpqaWE0RDN1NlFVdkJSc2NITHJnIn0."+    "eyJleHAiOjE1OTM5MTM5MTgsImlhdCI6MTU5MzkxMzYxOCwianRpIjoiN2MxZjhjYmEtN2Y3"+    "Yy00ZTA1LWIwMmMtMmEwYTc3OTE0ZjVkIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5sb2Nh"+    "bGhvc3QvYXV0aC9yZWFsbXMvYXBwbGljYXRpb25zIiwic3ViIjoiYzNjZmQ5OTktY2EyMi00"+    "MDgwLTk4NjMtMjc3NDI3ZGI0MzIxIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiZm9vIiwic2Vz"+    "c2lvbl9zdGF0ZSI6ImQ4ZGJlNjg1LWNkMTAtNDJkYS04NDFjLWY3YWU2Y2Q0ZDU4OCIsImFj"+    "ciI6IjEiLCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2Us"+    "Im5hbWUiOiJVc2VyIFplcm8iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ1c2VyMCIsImdpdmVu"+    "X25hbWUiOiJVc2VyIiwiZmFtaWx5X25hbWUiOiJaZXJvIiwiZW1haWwiOiJ1c2VyMEBtYWls"+    "LmNvbSJ9."+    "p-NqE3q9BVakZNkKX3-X5FKIm64PloIjBjWfajQuRayHv4cj6xwvDve3uCuZa2oKyefJRNLy"+    "6rCJUGNsYM9Q-WRCtD6SuWLPkuqh-SUFtZqW7sWGOqTLKbMBx5StLZx7eEgdRWqzIxwLVLdF"+    "VuO-3L88qHFTU2Vv8UAu_nX-uyFKOV5bYgyFlxqgpSqvsbm6lZ0EZghPuidOmnMPQdS8-Evk"+    "jwSAYEgoQ1crXY8dEUc_AJfq84jtuMJMnFhfVQvk_8hN71wYWWYThXtEATFySUFrkoCvB-da"+    "Sl9FNeK5UPE9vYBi7QJ-Wt3Ikg7kEgPiuADlIao_ZxKdzoA51isGBg";+++class VerifyJwkRsaPssTest : public testing::Test {+ protected:+  void SetUp() {+    jwks_ = Jwks::createFrom(PublicKeyRSAPSS, Jwks::Type::JWKS);+    EXPECT_EQ(jwks_->getStatus(), Status::Ok);+  }++  JwksPtr jwks_;+};+++TEST_F(VerifyJwkRsaPssTest, Ps256CorrectKidOK) {+  Jwt jwt;+  EXPECT_EQ(jwt.parseFromString(Ps256JwtTextWithCorrectKid), Status::Ok);+  EXPECT_EQ(verifyJwt(jwt, *jwks_, 1), Status::Ok);++  
fuzzJwtSignature(jwt, [this](const Jwt& jwt) {+    EXPECT_EQ(verifyJwt(jwt, *jwks_, 1), Status::JwtVerificationFail);+  });+}+++TEST_F(VerifyJwkRsaPssTest, Ps384CorrectKidOK) {+  Jwt jwt;+  EXPECT_EQ(jwt.parseFromString(Ps384JwtTextWithCorrectKid), Status::Ok);+  EXPECT_EQ(verifyJwt(jwt, *jwks_, 1), Status::Ok);++  fuzzJwtSignature(jwt, [this](const Jwt& jwt) {+    EXPECT_EQ(verifyJwt(jwt, *jwks_, 1), Status::JwtVerificationFail);+  });+}+++TEST_F(VerifyJwkRsaPssTest, Ps512CorrectKidOK) {+  Jwt jwt;+  EXPECT_EQ(jwt.parseFromString(Ps512JwtTextWithCorrectKid), Status::Ok);+  EXPECT_EQ(verifyJwt(jwt, *jwks_, 1), Status::Ok);++  fuzzJwtSignature(jwt, [this](const Jwt& jwt) {+    EXPECT_EQ(verifyJwt(jwt, *jwks_, 1), Status::JwtVerificationFail);+  });+}+++// This set of keys and jwts were generated at https://jwt.io/+// public key:+//     "-----BEGIN PUBLIC KEY-----"+//     "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnzyis1ZjfNB0bBgKFMSv"+//     "vkTtwlvBsaJq7S5wA+kzeVOVpVWwkWdVha4s38XM/pa/yr47av7+z3VTmvDRyAHc"+//     "aT92whREFpLv9cj5lTeJSibyr/Mrm/YtjCZVWgaOYIhwrXwKLqPr/11inWsAkfIy"+//     "tvHWTxZYEcXLgAXFuUuaS3uF9gEiNQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0"+//     "e+lf4s4OxQawWD79J9/5d3Ry0vbV3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWb"+//     "V6L11BWkpzGXSW4Hv43qa+GSYOD2QU68Mb59oSk2OB+BtOLpJofmbGEGgvmwyCI9"+//     "MwIDAQAB"+//     "-----END PUBLIC KEY-----"++const std::string JwtIoPublicKeyRSAPSS = R"(+{+  "keys": [+    {+      "kty": "RSA",+      "kid": "f08a1cc9-d266-4049-9c22-f95260cbf5fd",+      "e": "AQAB",+      "n": "nzyis1ZjfNB0bBgKFMSvvkTtwlvBsaJq7S5wA-kzeVOVpVWwkWdVha4s38XM_pa_yr47av7-z3VTmvDRyAHcaT92whREFpLv9cj5lTeJSibyr_Mrm_YtjCZVWgaOYIhwrXwKLqPr_11inWsAkfIytvHWTxZYEcXLgAXFuUuaS3uF9gEiNQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0e-lf4s4OxQawWD79J9_5d3Ry0vbV3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWbV6L11BWkpzGXSW4Hv43qa-GSYOD2QU68Mb59oSk2OB-BtOLpJofmbGEGgvmwyCI9Mw"+    }+  ]+}+)";++// private key:+//     "-----BEGIN RSA PRIVATE KEY-----"+//     
"MIIEogIBAAKCAQEAnzyis1ZjfNB0bBgKFMSvvkTtwlvBsaJq7S5wA+kzeVOVpVWw"+//     "kWdVha4s38XM/pa/yr47av7+z3VTmvDRyAHcaT92whREFpLv9cj5lTeJSibyr/Mr"+//     "m/YtjCZVWgaOYIhwrXwKLqPr/11inWsAkfIytvHWTxZYEcXLgAXFuUuaS3uF9gEi"+//     "NQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0e+lf4s4OxQawWD79J9/5d3Ry0vbV"+//     "3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWbV6L11BWkpzGXSW4Hv43qa+GSYOD2"+//     "QU68Mb59oSk2OB+BtOLpJofmbGEGgvmwyCI9MwIDAQABAoIBACiARq2wkltjtcjs"+//     "kFvZ7w1JAORHbEufEO1Eu27zOIlqbgyAcAl7q+/1bip4Z/x1IVES84/yTaM8p0go"+//     "amMhvgry/mS8vNi1BN2SAZEnb/7xSxbflb70bX9RHLJqKnp5GZe2jexw+wyXlwaM"+//     "+bclUCrh9e1ltH7IvUrRrQnFJfh+is1fRon9Co9Li0GwoN0x0byrrngU8Ak3Y6D9"+//     "D8GjQA4Elm94ST3izJv8iCOLSDBmzsPsXfcCUZfmTfZ5DbUDMbMxRnSo3nQeoKGC"+//     "0Lj9FkWcfmLcpGlSXTO+Ww1L7EGq+PT3NtRae1FZPwjddQ1/4V905kyQFLamAA5Y"+//     "lSpE2wkCgYEAy1OPLQcZt4NQnQzPz2SBJqQN2P5u3vXl+zNVKP8w4eBv0vWuJJF+"+//     "hkGNnSxXQrTkvDOIUddSKOzHHgSg4nY6K02ecyT0PPm/UZvtRpWrnBjcEVtHEJNp"+//     "bU9pLD5iZ0J9sbzPU/LxPmuAP2Bs8JmTn6aFRspFrP7W0s1Nmk2jsm0CgYEAyH0X"+//     "+jpoqxj4efZfkUrg5GbSEhf+dZglf0tTOA5bVg8IYwtmNk/pniLG/zI7c+GlTc9B"+//     "BwfMr59EzBq/eFMI7+LgXaVUsM/sS4Ry+yeK6SJx/otIMWtDfqxsLD8CPMCRvecC"+//     "2Pip4uSgrl0MOebl9XKp57GoaUWRWRHqwV4Y6h8CgYAZhI4mh4qZtnhKjY4TKDjx"+//     "QYufXSdLAi9v3FxmvchDwOgn4L+PRVdMwDNms2bsL0m5uPn104EzM6w1vzz1zwKz"+//     "5pTpPI0OjgWN13Tq8+PKvm/4Ga2MjgOgPWQkslulO/oMcXbPwWC3hcRdr9tcQtn9"+//     "Imf9n2spL/6EDFId+Hp/7QKBgAqlWdiXsWckdE1Fn91/NGHsc8syKvjjk1onDcw0"+//     "NvVi5vcba9oGdElJX3e9mxqUKMrw7msJJv1MX8LWyMQC5L6YNYHDfbPF1q5L4i8j"+//     "8mRex97UVokJQRRA452V2vCO6S5ETgpnad36de3MUxHgCOX3qL382Qx9/THVmbma"+//     "3YfRAoGAUxL/Eu5yvMK8SAt/dJK6FedngcM3JEFNplmtLYVLWhkIlNRGDwkg3I5K"+//     "y18Ae9n7dHVueyslrb6weq7dTkYDi3iOYRW8HRkIQh06wEdbxt0shTzAJvvCQfrB"+//     "jg/3747WSsf/zBTcHihTRBdAv6OmdhV4/dD5YBfLAkLrd+mX7iE="+//     "-----END RSA PRIVATE KEY-----"++const std::string JwtTextWithNoKid =+    "eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9."+    
"eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlh"+    "dCI6MTUxNjIzOTAyMn0."+    "hZnl5amPk_I3tb4O-Otci_5XZdVWhPlFyVRvcqSwnDo_srcysDvhhKOD01DigPK1lJvTSTol"+    "yUgKGtpLqMfRDXQlekRsF4XhAjYZTmcynf-C-6wO5EI4wYewLNKFGGJzHAknMgotJFjDi_NC"+    "VSjHsW3a10nTao1lB82FRS305T226Q0VqNVJVWhE4G0JQvi2TssRtCxYTqzXVt22iDKkXeZJ"+    "ARZ1paXHGV5Kd1CljcZtkNZYIGcwnj65gvuCwohbkIxAnhZMJXCLaVvHqv9l-AAUV7esZvkQ"+    "R1IpwBAiDQJh4qxPjFGylyXrHMqh5NlT_pWL2ZoULWTg_TJjMO9TuQ";+++const std::string JwtTextWithNonExistentKid =+    "eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Im5vbmV4aXN0ZW50In0."+    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlh"+    "dCI6MTUxNjIzOTAyMn0."+    "USMoL8XwVl-sqtIl-VQr97oNr1XWbgnJnDJbi65ExV7IioYQ3cGfrpi9n2GxJOwuw6zU572l"+    "ME-wD9It-Q8H8eAOi83KoimQJmdzCGGUGTgwo3tZK5HV7W3srgP1_46-X43DYWOT6h1pIAE7"+    "7s23XuSKbq4rpp6cmbDODARfTj6OTQWTqwhOkX0Xo7i2q1foreKI8PnOyrvbs7oXrLJGZhg_"+    "6mRnP0wRJJFkIu2uYKcLDcgJ0OWXY6dQ-8agj-yjZ5ZUX8GUcy347P0UUpsGVNd1pUawLwTi"+    "kmNidJOxkGlawLtOwE7u0WtZdYmcppx99Qw5U4gYdQQx0wJqgj_d8g";+++// Expected behavior for VerifyKidMatchingTest:+// If kid is not specified in the jwt, allow verification as long as any of the+//   keys in the jwks are appropriate.+// If kid is specified in the jwt, use only the requested key in the jwks for+//   verification.+class VerifyKidMatchingTest : public testing::Test {+ protected:+  void SetUp() {+    correct_jwks_ = Jwks::createFrom(JwtIoPublicKeyRSAPSS, Jwks::Type::JWKS);+    EXPECT_EQ(correct_jwks_->getStatus(), Status::Ok);+    wrong_jwks_ = Jwks::createFrom(PublicKeyRSAPSS, Jwks::Type::JWKS);+    EXPECT_EQ(wrong_jwks_->getStatus(), Status::Ok);+  }++  // This jwks contains the appropriate key for signature verification+  JwksPtr correct_jwks_;+  // This jwks does not contain the appropriate key for signature verification+  JwksPtr wrong_jwks_;+};+++TEST_F(VerifyKidMatchingTest, JwtTextWithNoKidNoMatchingKey) {+  Jwt jwt;+  
EXPECT_EQ(jwt.parseFromString(JwtTextWithNoKid), Status::Ok);+  // jwt has no kid, and none of the keys in the jwks can be used to verify,+  //   hence verification fails+  EXPECT_EQ(verifyJwt(jwt, *wrong_jwks_),+            Status::JwtVerificationFail);+}+++TEST_F(VerifyKidMatchingTest, JwtTextWithNoKidOk) {+  Jwt jwt;+  EXPECT_EQ(jwt.parseFromString(JwtTextWithNoKid), Status::Ok);+  // jwt has no kid, and one of the keys in the jwks can be used to verify,+  //   hence verification is ok+  EXPECT_EQ(verifyJwt(jwt, *correct_jwks_, 1), Status::Ok);+}+++TEST_F(VerifyKidMatchingTest, JwtTextWithNonExistentKid) {+  Jwt jwt;+  EXPECT_EQ(jwt.parseFromString(JwtTextWithNonExistentKid), Status::Ok);+  // jwt has a kid, which did not match any of the keys in the jwks (even+  //   though the jwks does contain an appropriate key)+  EXPECT_EQ(verifyJwt(jwt, *correct_jwks_, 1),
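Review bot: in JwtTextWithNoKidNoMatchingKey, the call `verifyJwt(jwt, *wrong_jwks_)` omits the third argument `1` that every other verifyJwt call in this file passes, so this is the only test that does not pin the verification time. Pass `1` here as well, so the expected Status::JwtVerificationFail can only come from the signature check against the non-matching keys.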

Done! 2bafc33

ackerleytng

comment created time in a month

push eventackerleytng/jwt_verify_lib

Ackerley Tng

commit sha 2bafc336e9fd0a83fe4be0b07516ccb7512847ed

Applied linting with ./script/check-style

push time in a month

pull request commentgoogle/jwt_verify_lib

[WIP] Add RSASSA-PSS support

I'd like to propose using the direct initializer syntax (without new). Specifically for this implementation, the handle to implemented_args never leaves the isImplemented function, so C++ is able to insert the destructor appropriately (just before the program exits).

I wrote a small program to illustrate this here and here's the output:

$ g++ ok.cc && valgrind --leak-check=full --show-leak-kinds=all ./a.out
==354120== Memcheck, a memory error detector
==354120== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==354120== Using Valgrind-3.16.0.GIT and LibVEX; rerun with -h for copyright info
==354120== Command: ./a.out
==354120==
Foobar()
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
Foobar()
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111~Foobar()
==354120==
==354120== HEAP SUMMARY:
==354120==     in use at exit: 32 bytes in 1 blocks
==354120==   total heap usage: 3 allocs, 2 frees, 73,760 bytes allocated
==354120==
==354120== 32 bytes in 1 blocks are still reachable in loss record 1 of 1
==354120==    at 0x4839DEF: operator new(unsigned long) (vg_replace_malloc.c:342)
==354120==    by 0x1092A1: leak(char) (in /home/ackerleytng/scratch/a.out)
==354120==    by 0x109424: main (in /home/ackerleytng/scratch/a.out)
==354120==
==354120== LEAK SUMMARY:
==354120==    definitely lost: 0 bytes in 0 blocks
==354120==    indirectly lost: 0 bytes in 0 blocks
==354120==      possibly lost: 0 bytes in 0 blocks
==354120==    still reachable: 32 bytes in 1 blocks
==354120==         suppressed: 0 bytes in 0 blocks
==354120==
==354120== For lists of detected and suppressed errors, rerun with: -s
==354120== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

The output shows that when leak() is called, the destructor ~Foobar() is never called, and valgrind reports a leak due to the call to new, whereas the destructor does its work correctly, not in every iteration of the loop, but at the end of the program.

ackerleytng

comment created time in a month

push eventackerleytng/jwt_verify_lib

Ackerley Tng

commit sha 5e4b5e7c076693de06ac266f7a1ccb436f870f11

Allow destructor to do cleanup of allocated static memory

push time in a month

Pull request review commentgoogle/jwt_verify_lib

[WIP] Add RSASSA-PSS support

 namespace google { namespace jwt_verify { +bool isImplemented(absl::string_view alg) {
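Review bot: `isImplemented` is defined directly in `google::jwt_verify`, so it has external linkage and becomes a symbol of the library. If it is only a helper for this file, wrap it in an anonymous namespace so it cannot collide with, or be called from, other translation units.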

Added in 0eac53f!

ackerleytng

comment created time in a month

push eventackerleytng/jwt_verify_lib

Ackerley Tng

commit sha 0eac53f3d2e6b7313a5b05a8504d3833178e1e06

Add anonymous namespace for isImplemented

push time in a month

Pull request review commentgoogle/jwt_verify_lib

[WIP] Add RSASSA-PSS support

 namespace google { namespace jwt_verify { -namespace {--static const absl::flat_hash_set<std::string> kImplementedAlgs = {+bool hasImplementedAlg(std::string alg) {+  static const absl::flat_hash_set<std::string> implemented_algs = {

Okay, here 1015e94!

ackerleytng

comment created time in a month

push eventackerleytng/jwt_verify_lib

Ackerley Tng

commit sha 1015e946638384f64665c6428aa0f0adbf4a484f

Fixed static deinitialization problem See http://www.cs.technion.ac.il/users/yechiel/c++-faq/construct-on-first-use-v2.html

push time in a month

Pull request review commentgoogle/jwt_verify_lib

[WIP] Add RSASSA-PSS support

 namespace google { namespace jwt_verify { -namespace {--static const absl::flat_hash_set<std::string> kImplementedAlgs = {+bool hasImplementedAlg(std::string alg) {+  static const absl::flat_hash_set<std::string> implemented_algs = {

Oh I see this http://www.cs.technion.ac.il/users/yechiel/c++-faq/construct-on-first-use-v2.html

ackerleytng

comment created time in a month

Pull request review commentgoogle/jwt_verify_lib

[WIP] Add RSASSA-PSS support

 namespace google { namespace jwt_verify { -namespace {--static const absl::flat_hash_set<std::string> kImplementedAlgs = {+bool hasImplementedAlg(std::string alg) {+  static const absl::flat_hash_set<std::string> implemented_algs = {
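Review bot: the function-local `static const absl::flat_hash_set<std::string> implemented_algs` removes the initialization-order dependency, but the set still has a non-trivial destructor that runs during static destruction at exit. Any code that calls hasImplementedAlg from another static object's destructor after that point would read a destroyed set. Either keep the set behind a pointer that is never deleted, or store the names in a trivially destructible array.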

If I use new, wouldn't the flat_hash_set leak? Do you mean

bool isImplemented(absl::string_view alg) {
  static const absl::flat_hash_set<absl::string_view> *implemented_algs =
      new absl::flat_hash_set<absl::string_view>({
          {"ES256"}, {"ES384"}, {"ES512"},
          {"HS256"}, {"HS384"}, {"HS512"},
          {"RS256"}, {"RS384"}, {"RS512"},
          {"PS256"}, {"PS384"}, {"PS512"},
          {"EdDSA"},
        });

  return implemented_algs->find(alg) != implemented_algs->end();
}
ackerleytng

comment created time in a month

Pull request review commentgoogle/jwt_verify_lib

[WIP] Add RSASSA-PSS support

 namespace google { namespace jwt_verify { -namespace {--static const absl::flat_hash_set<std::string> kImplementedAlgs = {+bool hasImplementedAlg(std::string alg) {
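Review bot: `hasImplementedAlg(std::string alg)` takes its argument by value, so every lookup copies the algorithm name. The function only reads it; take `absl::string_view` (or `const std::string&`) instead.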

Fixed in ad3a68b, thanks!

ackerleytng

comment created time in a month

push eventackerleytng/jwt_verify_lib

Ackerley Tng

commit sha ad3a68b3563f9610b600af6cd71b7f2605161ed8

Switched to use string_view

push time in a month

Pull request review commentgoogle/jwt_verify_lib

[WIP] Add RSASSA-PSS support

 namespace google { namespace jwt_verify { +namespace {++static absl::flat_hash_set<std::string> implemented_algs = {

Thanks! Okay after referring to the envoy one, I think this implementation serves the same purpose, unless you're intending for ImplementedAlgs to be accessed as-is, as a flat_hash_set?

ackerleytng

comment created time in a month

push eventackerleytng/jwt_verify_lib

Ackerley Tng

commit sha 56f0f6d9d35421c9d06961a994b4f9c8db14b828

Improve helper function name

push time in a month

Pull request review commentgoogle/jwt_verify_lib

[WIP] Add RSASSA-PSS support

 namespace google { namespace jwt_verify { +namespace {++static absl::flat_hash_set<std::string> implemented_algs = {

What do you think of moving the global static const flat_hash_set into a function instead? (9cb97fe) This has the additional benefit of encapsulating the checking in a nice function.

Also, I'm new to C++. Help me understand the initialization order problem! My understanding is that there is a problem only if there is more than one compilation unit that uses the same global variable that has a static storage duration. Specifically for this case, since ImplementedAlgs is in an anonymous namespace usable only in this file, it is only available in this compilation unit, and so I thought that specifically for this case there wouldn't be a problem.

I do understand that we might not want to rely on this though, in case someone in future accidentally decides to use ImplementedAlgs out of the anonymous namespace.

I also explored one of the common patterns suggested in the Google style guide:

TEST(Foo, Bar) {
  std::string needle = "foo";
  std::array<const char*, 3> haystack = {"foo", "bar", "baz"};
  EXPECT_TRUE(std::is_trivially_destructible<decltype(haystack)>::value);
  EXPECT_TRUE(std::find(haystack.begin(), haystack.end(), needle) != haystack.end());
}

We could use a static const trivially destructible array instead, which would avoid the initialization order problem, but it seems like in order to use std::find (and haystack.begin() and haystack.end()) I'd have to specify the size of the array manually.

Is the Envoy Singleton implementation this one? https://github.com/envoyproxy/envoy/blob/master/include/envoy/singleton/manager.h

ackerleytng

comment created time in a month
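
The options weighed in the comments above, side by side, as an added example (not code from the pull request): a trivially destructible array whose size the compiler deduces, a construct-on-first-use set, and the same set behind a never-deleted pointer. It assumes `std::unordered_set` in place of `absl::flat_hash_set` so that it builds with the standard library alone; the `example` namespace, the function names and the build counter are hypothetical.

```cpp
#include <algorithm>
#include <iostream>
#include <iterator>
#include <string>
#include <type_traits>
#include <unordered_set>

namespace example {

// Algorithm names taken from the snippet posted in the review thread.
// The array is constant-initialized (no dynamic initializer, so no
// initialization-order question) and its size is deduced by the compiler.
constexpr const char* kImplementedAlgs[] = {
    "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "RS256",
    "RS384", "RS512", "PS256", "PS384", "PS512", "EdDSA"};
static_assert(
    std::is_trivially_destructible<decltype(kImplementedAlgs)>::value,
    "nothing has to run at exit for this table");

// Counts how many times a set is actually built (instrumentation only).
int g_set_builds = 0;
int setBuildCount() { return g_set_builds; }

std::unordered_set<std::string> buildSet() {
  ++g_set_builds;
  return std::unordered_set<std::string>(std::begin(kImplementedAlgs),
                                         std::end(kImplementedAlgs));
}

// Option 1: linear scan over the trivially destructible array.
// std::begin/std::end work on the array without spelling out its size.
bool isImplementedArray(const std::string& alg) {
  return std::any_of(std::begin(kImplementedAlgs), std::end(kImplementedAlgs),
                     [&alg](const char* known) { return alg == known; });
}

// Option 2: construct on first use. The set is built once, on the first
// call, and destroyed during static destruction at program exit.
bool isImplementedLocalStatic(const std::string& alg) {
  static const std::unordered_set<std::string> algs = buildSet();
  return algs.count(alg) != 0;
}

// Option 3: construct on first use behind a pointer that is never deleted.
// No destructor runs at exit; leak checkers report the block as
// "still reachable" rather than "definitely lost".
bool isImplementedLeaked(const std::string& alg) {
  static const auto* algs = new std::unordered_set<std::string>(buildSet());
  return algs->count(alg) != 0;
}

}  // namespace example

int main() {
  // Names are matched exactly: "none" and a lower-cased name are rejected.
  for (const char* alg : {"PS256", "none", "ps256"}) {
    std::cout << alg << ": array=" << example::isImplementedArray(alg)
              << " local_static=" << example::isImplementedLocalStatic(alg)
              << " leaked=" << example::isImplementedLeaked(alg) << "\n";
  }
  // Three calls to each function, but each set was built only once.
  std::cout << "set builds: " << example::setBuildCount() << "\n";
  return 0;
}
```
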

push eventackerleytng/jwt_verify_lib

Ackerley Tng

commit sha 9cb97fe472a123c59118499de2433885908200fd

Move global static const flat_hash_set into function to avoid the static initialization order problem

push time in a month

Pull request review commentgoogle/jwt_verify_lib

[WIP] Add RSASSA-PSS support

 namespace google { namespace jwt_verify { +namespace {++static absl::flat_hash_set<std::string> implemented_algs = {

Found this. https://google.github.io/styleguide/cppguide.html#:~:text=Maps,%20sets,%20and%20other%20dynamic%20containers

Will take a look at absl/algorithm/container.h

ackerleytng

comment created time in a month

Pull request review commentgoogle/jwt_verify_lib

[WIP] Add RSASSA-PSS support

+// Copyright 2018 Google LLC+//+// Licensed under the Apache License, Version 2.0 (the "License");+// you may not use this file except in compliance with the License.+// You may obtain a copy of the License at+//+//    https://www.apache.org/licenses/LICENSE-2.0+//+// Unless required by applicable law or agreed to in writing, software+// distributed under the License is distributed on an "AS IS" BASIS,+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+// See the License for the specific language governing permissions and+// limitations under the License.++#include "gtest/gtest.h"+#include "jwt_verify_lib/verify.h"+#include "src/test_common.h"++namespace google {+namespace jwt_verify {+namespace {++// The following is the jwks from querying a private temporary instance of keycloak at+// https://keycloak.localhost/auth/realms/applications/protocol/openid-connect/certs++const std::string PublicKeyRSAPSS = R"(+{+  "keys": [+    {+      "kid": "RGlV9a54XdAsuiYUDkQ0hDkiSZ92TJCgneh7-HvN-sk",+      "kty": "RSA",+      "alg": "PS384",+      "use": "sig",+      "n": "8logDcIilAXYJ2kNOrUIAVrWg3g-i1EUsWzEwAV3WT9NNwisUsljdyK3OOxy8yhbWyunxia-4Qo8nCIjURfLn0XoJyozCsruTWuvv2nvWx380zDD5gN-RK0kab_UWOV_zkr9YhBYd2PUB-sCcEwDKj8uHZrJ2CvXvxt2LV8_l_kwlCEDS_q97eEqvxhvYFF8DVo_AGABoK6fU1urn7X-GQcClgOEI8qKho-FU0RPJM80pnmCVds7oP2NYHSnAbkxltiB2cU1qazs21A52obU5zemUwJcdEGpykBKgc_aKaxkusLs2O0xWvnDbgXvboqb_0UhZPWNILZYK09jYCFobQ",+      "e": "AQAB",+      "x5c": [+        
"MIICpzCCAY8CBgFzHKZh6TANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxhcHBsaWNhdGlvbnMwHhcNMjAwNzA1MDE0MzUyWhcNMzAwNzA1MDE0NTMyWjAXMRUwEwYDVQQDDAxhcHBsaWNhdGlvbnMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDyWiANwiKUBdgnaQ06tQgBWtaDeD6LURSxbMTABXdZP003CKxSyWN3Irc47HLzKFtbK6fGJr7hCjycIiNRF8ufRegnKjMKyu5Na6+/ae9bHfzTMMPmA35ErSRpv9RY5X/OSv1iEFh3Y9QH6wJwTAMqPy4dmsnYK9e/G3YtXz+X+TCUIQNL+r3t4Sq/GG9gUXwNWj8AYAGgrp9TW6uftf4ZBwKWA4QjyoqGj4VTRE8kzzSmeYJV2zug/Y1gdKcBuTGW2IHZxTWprOzbUDnahtTnN6ZTAlx0QanKQEqBz9oprGS6wuzY7TFa+cNuBe9uipv/RSFk9Y0gtlgrT2NgIWhtAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAMaFjwzA+74wY+2YjsMk79IpvDV3Kke7hBThz+9+KT8u2cCX1fUucZemk5vNfLbv+Swhjs+Psuhim1mXxqfyNeSPrIznWAQDSUIW5c3SuJtIOXbfXjIoeK7QW4yhv4NsQBnXd0o6UncvlSZvFxQCMDqGrybOim2O93nM7p3udE2c08tAZ/XRFrxgENvuO3XGAg5EIiUEbHjtOgpjGwkxDfvOm0C4giaaHbUEarzK0olAExtKENwa9AKsxnckMH/kWNBY6ohYSJ7DojRUY84bKTWWFx8Krj0kzjNkbadrdAya8YoRp4IRqjZ9cA9i+yIlN1ulhL9GGq4JDHqTFaoBxiQ="+      ],+      "x5t": "6mK6ZUgfCVv2sm7GVsDR_tdPjjE",+      "x5t#S256": "PJYSXCbyowmimYVC41vPKlZyUfmqcGNo6Cfba4y8pkE"+    },+    {+      "kid": "u_ZZAorrQhtL2MA-bWkZ0qpzjia4D3u6QUvBRscHLrg",+      "kty": "RSA",+      "alg": "PS512",+      "use": "sig",+      "n": "0k2d9uo6k1luw7VpgeZuf4xIlhpp_pPndYjHCZBhSmXsXN7lV-HhYE3Vv2WurMT32HrOJVm4zJWbQOOFG2LD8Byw1sKzZWoS_wwFUWdeTzw43JniK-PYDY5sOM5sn6uGtfLNzm0fO0gkhLMf-dgodimA7dw_4kFqIYP9VNJOi3Pw3XI0uAuK1X7_eJ7mzWlCC8ERT0iJELKqC1Hx8Ub13SeTaFvPoguvx08END87WUbkdp4e4N16d_wVUWuutidY2HkjcklNhUWTc0BSST89TyKwwXwrXqY7_Ka14pjo8H-s6nT1ns80LiTjvjgzyeMRbptOYmgxlmYL0AXI07hbZw",+      "e": "AQAB",+      "x5c": [+        
"MIICpzCCAY8CBgFzHKaU5jANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxhcHBsaWNhdGlvbnMwHhcNMjAwNzA1MDE0NDA1WhcNMzAwNzA1MDE0NTQ1WjAXMRUwEwYDVQQDDAxhcHBsaWNhdGlvbnMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSTZ326jqTWW7DtWmB5m5/jEiWGmn+k+d1iMcJkGFKZexc3uVX4eFgTdW/Za6sxPfYes4lWbjMlZtA44UbYsPwHLDWwrNlahL/DAVRZ15PPDjcmeIr49gNjmw4zmyfq4a18s3ObR87SCSEsx/52Ch2KYDt3D/iQWohg/1U0k6Lc/DdcjS4C4rVfv94nubNaUILwRFPSIkQsqoLUfHxRvXdJ5NoW8+iC6/HTwQ0PztZRuR2nh7g3Xp3/BVRa662J1jYeSNySU2FRZNzQFJJPz1PIrDBfCtepjv8prXimOjwf6zqdPWezzQuJOO+ODPJ4xFum05iaDGWZgvQBcjTuFtnAgMBAAEwDQYJKoZIhvcNAQELBQADggEBALyEXqK3BYwVU/7o8+wfDwOJ2nk9OmoGIu3hu6gwqC92DOXClus11UGHKsfhhYlQdzdBpNRD5hjabqaEpCoqF4HwzIWL+Pc08hnnP1IsxkAZdKicKLeFE6BwldK/RYK5vuNXjO824xGnTJuIEApWD2lWf7T3Ndyve14vx1B+6NPmazXPHcSbDN+06bXg8YeZVMnBqRYVBCxo5IoEwP2kJC/F3RbYJTF8QV2/AnwA/Bt1/rl6Y9MPqCwntyfrxq26Bwlpf9vC1dwRK45Tgv9c94/rD1Xax3MPQhhnCo+6H9UWSe/mIdPC2jPifcYJGujPpbbcp23fBOig+FwY6OZl1oo="+      ],+      "x5t": "YVSZ0gbRsdQ2ItVwc00GynAyFwk",+      "x5t#S256": "ZOJz7HKW1fQVb46QI0Ymw7v4u1mfRmzDJmOp3zUMpt4"+    },+    {+      "kid": "4hmO65bbc7IVI-3PfA2emAlO0qhv4rB__yw8BPQ58q8",+      "kty": "RSA",+      "alg": "PS256",+      "use": "sig",+      "n": "vz40nPlC2XsAGbqfp3S4nyl2G1iMFER1l_I4k7gfC-87UWu2-a7BZQHb646WmSXu8xFzu0x5FFTFmu_v3Aj1NAcdYbz09UypSxfH--aw7ATiSWL26jHixFP4l6miJxaXV-rlp9qFSO--1JRnlvYrt6M5mQI0ZvN8EahAVXIHNtDMZYu0HYwwL7j45gjF9o9kDbfMSPr8Oni0QC2tTcCg623OlNqrJZFT4YNJ8A1nRfwGwBLFp5pxpK9ZCekQVhBpZNUrlLB5uDaB5H9lwFKslbHC-HKlJbfZZg16j6tlQTgw6dnKNo5LPrZ4TeSUyuoudzZSpZo4dyFsasTfWYTSLQ",+      "e": "AQAB",+      "x5c": [+        
"MIICpzCCAY8CBgFzHIdU1jANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxhcHBsaWNhdGlvbnMwHhcNMjAwNzA1MDEwOTU3WhcNMzAwNzA1MDExMTM3WjAXMRUwEwYDVQQDDAxhcHBsaWNhdGlvbnMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/PjSc+ULZewAZup+ndLifKXYbWIwURHWX8jiTuB8L7ztRa7b5rsFlAdvrjpaZJe7zEXO7THkUVMWa7+/cCPU0Bx1hvPT1TKlLF8f75rDsBOJJYvbqMeLEU/iXqaInFpdX6uWn2oVI777UlGeW9iu3ozmZAjRm83wRqEBVcgc20Mxli7QdjDAvuPjmCMX2j2QNt8xI+vw6eLRALa1NwKDrbc6U2qslkVPhg0nwDWdF/AbAEsWnmnGkr1kJ6RBWEGlk1SuUsHm4NoHkf2XAUqyVscL4cqUlt9lmDXqPq2VBODDp2co2jks+tnhN5JTK6i53NlKlmjh3IWxqxN9ZhNItAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAEhiswSA4BBd9ka473JMX27y+4ZyxitUWi9ARhloiPtE7b+HVsRd6febjPlwMZJ/x7c5lRrQXEGCtJdHcVf2JybNo9bAPSsnmGAD9I+x5GyJljgRuItcfIJ3ALV7LqMbFPZ7cO6jB9hzYtjzECRN0+hJKSZm99kpau2sI8C1FkT+aSK7+j0jGagYwfI8hG7SV1IKQgTxtGZSpFgn2mi60TYsnLt2JYKSACq5hZykO7BPxnTK0sAK9ue34ddEuVe6L1wxDv44PME2dZwRmCRT5d7qj8lO4n2VYqBbc90ME6yAeRIhYRZSrHFTE2Wkufi+21HXIB63dKoYqiPe3y/GZno="+      ],+      "x5t": "5lmEYc56y8EeBpHsP1-LO8M0W2c",+      "x5t#S256": "oC0EpmLVEv1CptAVxKT9uVpC975xKlu3xOrhh8RTNy4"+    }+  ]+}+)";++// PS256 JWT with correct kid+// Header:+// {+//   "alg": "PS256",+//   "typ": "JWT",+//   "kid": "4hmO65bbc7IVI-3PfA2emAlO0qhv4rB__yw8BPQ58q8"+// }+// Payload:+// {+//   "exp": 1593912811,+//   "iat": 1593912511,+//   "jti": "3c9ee909-3ca5-4587-8c0b-700cb4cb8e62",+//   "iss": "https://keycloak.localhost/auth/realms/applications",+//   "sub": "c3cfd999-ca22-4080-9863-277427db4321",+//   "typ": "Bearer",+//   "azp": "foo",+//   "session_state": "de37ba9c-4b3a-4250-a89b-da81928fcf9b",+//   "acr": "1",+//   "scope": "email profile",+//   "email_verified": false,+//   "name": "User Zero",+//   "preferred_username": "user0",+//   "given_name": "User",+//   "family_name": "Zero",+//   "email": "user0@mail.com"+// }++const std::string Ps256JwtTextWithCorrectKid =+    "eyJhbGciOiJQUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0aG1PNjViYmM3SVZJLTNQ"+    "ZkEyZW1BbE8wcWh2NHJCX195dzhCUFE1OHE4In0."+    
"eyJleHAiOjE1OTM5MTI4MTEsImlhdCI6MTU5MzkxMjUxMSwianRpIjoiM2M5ZWU5MDktM2Nh"+    "NS00NTg3LThjMGItNzAwY2I0Y2I4ZTYyIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5sb2Nh"+    "bGhvc3QvYXV0aC9yZWFsbXMvYXBwbGljYXRpb25zIiwic3ViIjoiYzNjZmQ5OTktY2EyMi00"+    "MDgwLTk4NjMtMjc3NDI3ZGI0MzIxIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiZm9vIiwic2Vz"+    "c2lvbl9zdGF0ZSI6ImRlMzdiYTljLTRiM2EtNDI1MC1hODliLWRhODE5MjhmY2Y5YiIsImFj"+    "ciI6IjEiLCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2Us"+    "Im5hbWUiOiJVc2VyIFplcm8iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ1c2VyMCIsImdpdmVu"+    "X25hbWUiOiJVc2VyIiwiZmFtaWx5X25hbWUiOiJaZXJvIiwiZW1haWwiOiJ1c2VyMEBtYWls"+    "LmNvbSJ9."+    "fas6TkXZ97K1d8tTMCEFDcG-MupI-BwGn0UZD8riwmbLf5xmDPaoZwmJ3k-szVo-oJMfMZbr"+    "VAI8xQwg4Z7bQvd3I9WM6XPsu1_gKnkc2EOATgkdpDg5rWOPSZCFLUD_bqsoPQrfc2C1-UKs"+    "VOwUkXEH6rEIlOvngqQWNJjtbkvsS2N_3kNAgaD8cELT5mxmM4vGZn14OHmXHJBIW9pHJU64"+    "tA0sDcexoylL7xB_E1XTs3St0sYyq_pz9920vHScr9KXQ3y9k-fbPvgBs2gGY0iK63E0lEwD"+    "fRWY4Za6RRqymammehv7ZiE4HjDy5Q_AdLGdRefrTxtiQrHIThLqAw";+++// PS384 JWT with correct kid+// Header:+// {+//   "alg": "PS384",+//   "typ": "JWT",+//   "kid": "RGlV9a54XdAsuiYUDkQ0hDkiSZ92TJCgneh7-HvN-sk"+// }+// Payload:+// {+//   "exp": 1593913901,+//   "iat": 1593913601,+//   "jti": "375242be-54c3-4c06-ad07-22457d493390",+//   "iss": "https://keycloak.localhost/auth/realms/applications",+//   "sub": "c3cfd999-ca22-4080-9863-277427db4321",+//   "typ": "Bearer",+//   "azp": "foo",+//   "session_state": "a0cc48a5-1eea-4078-b965-3f8edee8a15e",+//   "acr": "1",+//   "scope": "email profile",+//   "email_verified": false,+//   "name": "User Zero",+//   "preferred_username": "user0",+//   "given_name": "User",+//   "family_name": "Zero",+//   "email": "user0@mail.com"+// }++const std::string Ps384JwtTextWithCorrectKid =+    "eyJhbGciOiJQUzM4NCIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSR2xWOWE1NFhkQXN1aVlV"+    "RGtRMGhEa2lTWjkyVEpDZ25laDctSHZOLXNrIn0."+    "eyJleHAiOjE1OTM5MTM5MDEsImlhdCI6MTU5MzkxMzYwMSwianRpIjoiMzc1MjQyYmUtNTRj"+    
"My00YzA2LWFkMDctMjI0NTdkNDkzMzkwIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5sb2Nh"+    "bGhvc3QvYXV0aC9yZWFsbXMvYXBwbGljYXRpb25zIiwic3ViIjoiYzNjZmQ5OTktY2EyMi00"+    "MDgwLTk4NjMtMjc3NDI3ZGI0MzIxIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiZm9vIiwic2Vz"+    "c2lvbl9zdGF0ZSI6ImEwY2M0OGE1LTFlZWEtNDA3OC1iOTY1LTNmOGVkZWU4YTE1ZSIsImFj"+    "ciI6IjEiLCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2Us"+    "Im5hbWUiOiJVc2VyIFplcm8iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ1c2VyMCIsImdpdmVu"+    "X25hbWUiOiJVc2VyIiwiZmFtaWx5X25hbWUiOiJaZXJvIiwiZW1haWwiOiJ1c2VyMEBtYWls"+    "LmNvbSJ9."+    "lQdbyqQH0dBYA0yIMVmV-KMGOYc7-BuuQUggKqEi9kpmvZAeXaX1v04n6XkyZdIRMxLgxVoK"+    "LH3XJLg7zwW_luYR5ZlYj5SLYxUSkrlG3RfOvRpphXzhH-TcRQMdwSFEbNUiibZ6NkSmzMLi"+    "Weryi3JHCHAxt2e9Z6_dWlrKXXSvpmZgrn--NdU433TmePFdgoEGUH8F9q7T1Nd1S5FnsS2i"+    "-ywZzNMQIfQ59k_r1_WlH81bwoNgd4ffTlVsosZrw84UYBJdNt73-RWu1NNTXvIY2MiImods"+    "oo7DAD__ZDMgnJ8cpBmrq0YASz04SESNt1jiwCWbasJQx_B73hmd1A";+++// PS512 JWT with correct kid+// Header:+// {+//   "alg": "PS512",+//   "typ": "JWT",+//   "kid": "u_ZZAorrQhtL2MA-bWkZ0qpzjia4D3u6QUvBRscHLrg"+// }+// Payload:+// {+//   "exp": 1593913918,+//   "iat": 1593913618,+//   "jti": "7c1f8cba-7f7c-4e05-b02c-2a0a77914f5d",+//   "iss": "https://keycloak.localhost/auth/realms/applications",+//   "sub": "c3cfd999-ca22-4080-9863-277427db4321",+//   "typ": "Bearer",+//   "azp": "foo",+//   "session_state": "d8dbe685-cd10-42da-841c-f7ae6cd4d588",+//   "acr": "1",+//   "scope": "email profile",+//   "email_verified": false,+//   "name": "User Zero",+//   "preferred_username": "user0",+//   "given_name": "User",+//   "family_name": "Zero",+//   "email": "user0@mail.com"+// }++const std::string Ps512JwtTextWithCorrectKid =+    "eyJhbGciOiJQUzUxMiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ1X1paQW9yclFodEwyTUEt"+    "YldrWjBxcHpqaWE0RDN1NlFVdkJSc2NITHJnIn0."+    "eyJleHAiOjE1OTM5MTM5MTgsImlhdCI6MTU5MzkxMzYxOCwianRpIjoiN2MxZjhjYmEtN2Y3"+    "Yy00ZTA1LWIwMmMtMmEwYTc3OTE0ZjVkIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5sb2Nh"+    
"bGhvc3QvYXV0aC9yZWFsbXMvYXBwbGljYXRpb25zIiwic3ViIjoiYzNjZmQ5OTktY2EyMi00"+    "MDgwLTk4NjMtMjc3NDI3ZGI0MzIxIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiZm9vIiwic2Vz"+    "c2lvbl9zdGF0ZSI6ImQ4ZGJlNjg1LWNkMTAtNDJkYS04NDFjLWY3YWU2Y2Q0ZDU4OCIsImFj"+    "ciI6IjEiLCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2Us"+    "Im5hbWUiOiJVc2VyIFplcm8iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ1c2VyMCIsImdpdmVu"+    "X25hbWUiOiJVc2VyIiwiZmFtaWx5X25hbWUiOiJaZXJvIiwiZW1haWwiOiJ1c2VyMEBtYWls"+    "LmNvbSJ9."+    "p-NqE3q9BVakZNkKX3-X5FKIm64PloIjBjWfajQuRayHv4cj6xwvDve3uCuZa2oKyefJRNLy"+    "6rCJUGNsYM9Q-WRCtD6SuWLPkuqh-SUFtZqW7sWGOqTLKbMBx5StLZx7eEgdRWqzIxwLVLdF"+    "VuO-3L88qHFTU2Vv8UAu_nX-uyFKOV5bYgyFlxqgpSqvsbm6lZ0EZghPuidOmnMPQdS8-Evk"+    "jwSAYEgoQ1crXY8dEUc_AJfq84jtuMJMnFhfVQvk_8hN71wYWWYThXtEATFySUFrkoCvB-da"+    "Sl9FNeK5UPE9vYBi7QJ-Wt3Ikg7kEgPiuADlIao_ZxKdzoA51isGBg";+++class VerifyJwkRsaPssTest : public testing::Test {+ protected:+  void SetUp() {+    jwks_ = Jwks::createFrom(PublicKeyRSAPSS, Jwks::Type::JWKS);+    EXPECT_EQ(jwks_->getStatus(), Status::Ok);+  }++  JwksPtr jwks_;+};+++TEST_F(VerifyJwkRsaPssTest, Ps256CorrectKidOK) {+  Jwt jwt;+  EXPECT_EQ(jwt.parseFromString(Ps256JwtTextWithCorrectKid), Status::Ok);+  EXPECT_EQ(verifyJwt(jwt, *jwks_, 1), Status::Ok);++  fuzzJwtSignature(jwt, [this](const Jwt& jwt) {+    EXPECT_EQ(verifyJwt(jwt, *jwks_, 1), Status::JwtVerificationFail);+  });+}+++TEST_F(VerifyJwkRsaPssTest, Ps384CorrectKidOK) {+  Jwt jwt;+  EXPECT_EQ(jwt.parseFromString(Ps384JwtTextWithCorrectKid), Status::Ok);+  EXPECT_EQ(verifyJwt(jwt, *jwks_, 1), Status::Ok);++  fuzzJwtSignature(jwt, [this](const Jwt& jwt) {+    EXPECT_EQ(verifyJwt(jwt, *jwks_, 1), Status::JwtVerificationFail);+  });+}+++TEST_F(VerifyJwkRsaPssTest, Ps512CorrectKidOK) {+  Jwt jwt;+  EXPECT_EQ(jwt.parseFromString(Ps512JwtTextWithCorrectKid), Status::Ok);+  EXPECT_EQ(verifyJwt(jwt, *jwks_, 1), Status::Ok);++  fuzzJwtSignature(jwt, [this](const Jwt& jwt) {+    EXPECT_EQ(verifyJwt(jwt, *jwks_, 1), 
Status::JwtVerificationFail);+  });+}+++// This set of keys and jwts were generated at https://jwt.io/+// public key:+//     "-----BEGIN PUBLIC KEY-----"+//     "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnzyis1ZjfNB0bBgKFMSv"+//     "vkTtwlvBsaJq7S5wA+kzeVOVpVWwkWdVha4s38XM/pa/yr47av7+z3VTmvDRyAHc"+//     "aT92whREFpLv9cj5lTeJSibyr/Mrm/YtjCZVWgaOYIhwrXwKLqPr/11inWsAkfIy"+//     "tvHWTxZYEcXLgAXFuUuaS3uF9gEiNQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0"+//     "e+lf4s4OxQawWD79J9/5d3Ry0vbV3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWb"+//     "V6L11BWkpzGXSW4Hv43qa+GSYOD2QU68Mb59oSk2OB+BtOLpJofmbGEGgvmwyCI9"+//     "MwIDAQAB"+//     "-----END PUBLIC KEY-----"++const std::string JwtIoPublicKeyRSAPSS = R"(+{+  "keys": [+    {+      "kty": "RSA",+      "kid": "f08a1cc9-d266-4049-9c22-f95260cbf5fd",+      "e": "AQAB",+      "n": "nzyis1ZjfNB0bBgKFMSvvkTtwlvBsaJq7S5wA-kzeVOVpVWwkWdVha4s38XM_pa_yr47av7-z3VTmvDRyAHcaT92whREFpLv9cj5lTeJSibyr_Mrm_YtjCZVWgaOYIhwrXwKLqPr_11inWsAkfIytvHWTxZYEcXLgAXFuUuaS3uF9gEiNQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0e-lf4s4OxQawWD79J9_5d3Ry0vbV3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWbV6L11BWkpzGXSW4Hv43qa-GSYOD2QU68Mb59oSk2OB-BtOLpJofmbGEGgvmwyCI9Mw"+    }+  ]+}+)";++// private key:+//     "-----BEGIN RSA PRIVATE KEY-----"+//     "MIIEogIBAAKCAQEAnzyis1ZjfNB0bBgKFMSvvkTtwlvBsaJq7S5wA+kzeVOVpVWw"+//     "kWdVha4s38XM/pa/yr47av7+z3VTmvDRyAHcaT92whREFpLv9cj5lTeJSibyr/Mr"+//     "m/YtjCZVWgaOYIhwrXwKLqPr/11inWsAkfIytvHWTxZYEcXLgAXFuUuaS3uF9gEi"+//     "NQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0e+lf4s4OxQawWD79J9/5d3Ry0vbV"+//     "3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWbV6L11BWkpzGXSW4Hv43qa+GSYOD2"+//     "QU68Mb59oSk2OB+BtOLpJofmbGEGgvmwyCI9MwIDAQABAoIBACiARq2wkltjtcjs"+//     "kFvZ7w1JAORHbEufEO1Eu27zOIlqbgyAcAl7q+/1bip4Z/x1IVES84/yTaM8p0go"+//     "amMhvgry/mS8vNi1BN2SAZEnb/7xSxbflb70bX9RHLJqKnp5GZe2jexw+wyXlwaM"+//     "+bclUCrh9e1ltH7IvUrRrQnFJfh+is1fRon9Co9Li0GwoN0x0byrrngU8Ak3Y6D9"+//     "D8GjQA4Elm94ST3izJv8iCOLSDBmzsPsXfcCUZfmTfZ5DbUDMbMxRnSo3nQeoKGC"+//     
"0Lj9FkWcfmLcpGlSXTO+Ww1L7EGq+PT3NtRae1FZPwjddQ1/4V905kyQFLamAA5Y"+//     "lSpE2wkCgYEAy1OPLQcZt4NQnQzPz2SBJqQN2P5u3vXl+zNVKP8w4eBv0vWuJJF+"+//     "hkGNnSxXQrTkvDOIUddSKOzHHgSg4nY6K02ecyT0PPm/UZvtRpWrnBjcEVtHEJNp"+//     "bU9pLD5iZ0J9sbzPU/LxPmuAP2Bs8JmTn6aFRspFrP7W0s1Nmk2jsm0CgYEAyH0X"+//     "+jpoqxj4efZfkUrg5GbSEhf+dZglf0tTOA5bVg8IYwtmNk/pniLG/zI7c+GlTc9B"+//     "BwfMr59EzBq/eFMI7+LgXaVUsM/sS4Ry+yeK6SJx/otIMWtDfqxsLD8CPMCRvecC"+//     "2Pip4uSgrl0MOebl9XKp57GoaUWRWRHqwV4Y6h8CgYAZhI4mh4qZtnhKjY4TKDjx"+//     "QYufXSdLAi9v3FxmvchDwOgn4L+PRVdMwDNms2bsL0m5uPn104EzM6w1vzz1zwKz"+//     "5pTpPI0OjgWN13Tq8+PKvm/4Ga2MjgOgPWQkslulO/oMcXbPwWC3hcRdr9tcQtn9"+//     "Imf9n2spL/6EDFId+Hp/7QKBgAqlWdiXsWckdE1Fn91/NGHsc8syKvjjk1onDcw0"+//     "NvVi5vcba9oGdElJX3e9mxqUKMrw7msJJv1MX8LWyMQC5L6YNYHDfbPF1q5L4i8j"+//     "8mRex97UVokJQRRA452V2vCO6S5ETgpnad36de3MUxHgCOX3qL382Qx9/THVmbma"+//     "3YfRAoGAUxL/Eu5yvMK8SAt/dJK6FedngcM3JEFNplmtLYVLWhkIlNRGDwkg3I5K"+//     "y18Ae9n7dHVueyslrb6weq7dTkYDi3iOYRW8HRkIQh06wEdbxt0shTzAJvvCQfrB"+//     "jg/3747WSsf/zBTcHihTRBdAv6OmdhV4/dD5YBfLAkLrd+mX7iE="+//     "-----END RSA PRIVATE KEY-----"++const std::string JwtTextWithNoKid =+    "eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9."+    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlh"+    "dCI6MTUxNjIzOTAyMn0."+    "hZnl5amPk_I3tb4O-Otci_5XZdVWhPlFyVRvcqSwnDo_srcysDvhhKOD01DigPK1lJvTSTol"+    "yUgKGtpLqMfRDXQlekRsF4XhAjYZTmcynf-C-6wO5EI4wYewLNKFGGJzHAknMgotJFjDi_NC"+    "VSjHsW3a10nTao1lB82FRS305T226Q0VqNVJVWhE4G0JQvi2TssRtCxYTqzXVt22iDKkXeZJ"+    "ARZ1paXHGV5Kd1CljcZtkNZYIGcwnj65gvuCwohbkIxAnhZMJXCLaVvHqv9l-AAUV7esZvkQ"+    "R1IpwBAiDQJh4qxPjFGylyXrHMqh5NlT_pWL2ZoULWTg_TJjMO9TuQ";+++const std::string JwtTextWithNonExistentKid =+    "eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Im5vbmV4aXN0ZW50In0."+    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlh"+    "dCI6MTUxNjIzOTAyMn0."+    
"USMoL8XwVl-sqtIl-VQr97oNr1XWbgnJnDJbi65ExV7IioYQ3cGfrpi9n2GxJOwuw6zU572l"+    "ME-wD9It-Q8H8eAOi83KoimQJmdzCGGUGTgwo3tZK5HV7W3srgP1_46-X43DYWOT6h1pIAE7"+    "7s23XuSKbq4rpp6cmbDODARfTj6OTQWTqwhOkX0Xo7i2q1foreKI8PnOyrvbs7oXrLJGZhg_"+    "6mRnP0wRJJFkIu2uYKcLDcgJ0OWXY6dQ-8agj-yjZ5ZUX8GUcy347P0UUpsGVNd1pUawLwTi"+    "kmNidJOxkGlawLtOwE7u0WtZdYmcppx99Qw5U4gYdQQx0wJqgj_d8g";+++// Expected behavior for VerifyKidMatchingTest:+// If kid is not specified in the jwt, allow verification as long as any of the+//   keys in the jwks are appropriate.+// If kid is specified in the jwt, use only the requested key in the jwks for+//   verification.+class VerifyKidMatchingTest : public testing::Test {+ protected:+  void SetUp() {+    jwks_containing_appropriate_key_ = Jwks::createFrom(JwtIoPublicKeyRSAPSS, Jwks::Type::JWKS);+    EXPECT_EQ(jwks_containing_appropriate_key_->getStatus(), Status::Ok);+    jwks_that_does_not_contain_appropriate_key_ = Jwks::createFrom(PublicKeyRSAPSS, Jwks::Type::JWKS);+    EXPECT_EQ(jwks_that_does_not_contain_appropriate_key_->getStatus(), Status::Ok);+  }++  JwksPtr jwks_containing_appropriate_key_;
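
Review bot: In VerifyKidMatchingTest::SetUp both getStatus() checks use EXPECT_EQ, so a JWKS that fails to parse only records a failure and the test body still runs against an unusable key set; ASSERT_EQ would stop the test at the fixture. The member names jwks_containing_appropriate_key_ and jwks_that_does_not_contain_appropriate_key_ are long enough to hurt readability; shorter names with a comment saying which JWKS holds the jwt.io key would read better.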

Fixed in ddf8cdf!

ackerleytng

comment created time in a month

push event ackerleytng/jwt_verify_lib

Ackerley Tng

commit sha ddf8cdfc9434ca5b6779173c8dfa16944b6ab25f

Use shorter variable names with descriptive comments

push time in a month

Pull request review comment google/jwt_verify_lib

[WIP] Add RSASSA-PSS support

 namespace google { namespace jwt_verify { +namespace {++static absl::flat_hash_set<std::string> implemented_algs = {
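
Review bot: implemented_algs is declared as a mutable global with a non-trivial destructor. The static keyword is redundant inside the anonymous namespace, and a set that lists the implemented algorithms should not be writable after construction, so declare it const and give it a constant-style name such as kImplementedAlgs.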

I just noticed this in the envoy style guide about static global variables. I don't think we're affected by the static initialization order problem, since ImplementedAlgs is in an anonymous namespace and won't be used by other files.

What do you think of ImplementedAlgs, in relation to the static initialization order problem?

ackerleytng

comment created time in a month

PR opened google/jwt_verify_lib

Add tests for check_audience.cc

I added some tests while trying to get familiar with the codebase, hope to contribute upstream too!

+11 -0

0 comment

1 changed file

pr created time in a month

push event ackerleytng/jwt_verify_lib

Ackerley Tng

commit sha c2b07185e954b418efd5cc23987855f58008d11d

Explain test cases better in comments

push time in a month

Pull request review comment google/jwt_verify_lib

[WIP] Add RSASSA-PSS support

 namespace google { namespace jwt_verify { +namespace {++static absl::flat_hash_set<std::string> implemented_algs = {

How about the constants in the test cases, like Ps{256,384,512}JwtTextWithCorrectKid or PublicKeyRSAPSS? I took reference from the existing test cases. I could change them all to line up with the style guide too.

ackerleytng

comment created time in a month

Pull request review comment google/jwt_verify_lib

[WIP] Add RSASSA-PSS support

+// Copyright 2018 Google LLC+//+// Licensed under the Apache License, Version 2.0 (the "License");+// you may not use this file except in compliance with the License.+// You may obtain a copy of the License at+//+//    https://www.apache.org/licenses/LICENSE-2.0+//+// Unless required by applicable law or agreed to in writing, software+// distributed under the License is distributed on an "AS IS" BASIS,+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+// See the License for the specific language governing permissions and+// limitations under the License.++#include "gtest/gtest.h"+#include "jwt_verify_lib/verify.h"+#include "src/test_common.h"++namespace google {+namespace jwt_verify {+namespace {++// The following is the jwks from querying a private temporary instance of keycloak at+// https://keycloak.localhost/auth/realms/applications/protocol/openid-connect/certs++const std::string PublicKeyRSAPSS = R"(+{+  "keys": [+    {+      "kid": "RGlV9a54XdAsuiYUDkQ0hDkiSZ92TJCgneh7-HvN-sk",+      "kty": "RSA",+      "alg": "PS384",+      "use": "sig",+      "n": "8logDcIilAXYJ2kNOrUIAVrWg3g-i1EUsWzEwAV3WT9NNwisUsljdyK3OOxy8yhbWyunxia-4Qo8nCIjURfLn0XoJyozCsruTWuvv2nvWx380zDD5gN-RK0kab_UWOV_zkr9YhBYd2PUB-sCcEwDKj8uHZrJ2CvXvxt2LV8_l_kwlCEDS_q97eEqvxhvYFF8DVo_AGABoK6fU1urn7X-GQcClgOEI8qKho-FU0RPJM80pnmCVds7oP2NYHSnAbkxltiB2cU1qazs21A52obU5zemUwJcdEGpykBKgc_aKaxkusLs2O0xWvnDbgXvboqb_0UhZPWNILZYK09jYCFobQ",+      "e": "AQAB",+      "x5c": [+        "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"+      ],+      "x5t": "6mK6ZUgfCVv2sm7GVsDR_tdPjjE",+      "x5t#S256": "PJYSXCbyowmimYVC41vPKlZyUfmqcGNo6Cfba4y8pkE"+    },+    {+      "kid": "u_ZZAorrQhtL2MA-bWkZ0qpzjia4D3u6QUvBRscHLrg",+      "kty": "RSA",+      "alg": "PS512",+      "use": "sig",+      "n": 
"0k2d9uo6k1luw7VpgeZuf4xIlhpp_pPndYjHCZBhSmXsXN7lV-HhYE3Vv2WurMT32HrOJVm4zJWbQOOFG2LD8Byw1sKzZWoS_wwFUWdeTzw43JniK-PYDY5sOM5sn6uGtfLNzm0fO0gkhLMf-dgodimA7dw_4kFqIYP9VNJOi3Pw3XI0uAuK1X7_eJ7mzWlCC8ERT0iJELKqC1Hx8Ub13SeTaFvPoguvx08END87WUbkdp4e4N16d_wVUWuutidY2HkjcklNhUWTc0BSST89TyKwwXwrXqY7_Ka14pjo8H-s6nT1ns80LiTjvjgzyeMRbptOYmgxlmYL0AXI07hbZw",+      "e": "AQAB",+      "x5c": [+        "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"+      ],+      "x5t": "YVSZ0gbRsdQ2ItVwc00GynAyFwk",+      "x5t#S256": "ZOJz7HKW1fQVb46QI0Ymw7v4u1mfRmzDJmOp3zUMpt4"+    },+    {+      "kid": "4hmO65bbc7IVI-3PfA2emAlO0qhv4rB__yw8BPQ58q8",+      "kty": "RSA",+      "alg": "PS256",+      "use": "sig",+      "n": "vz40nPlC2XsAGbqfp3S4nyl2G1iMFER1l_I4k7gfC-87UWu2-a7BZQHb646WmSXu8xFzu0x5FFTFmu_v3Aj1NAcdYbz09UypSxfH--aw7ATiSWL26jHixFP4l6miJxaXV-rlp9qFSO--1JRnlvYrt6M5mQI0ZvN8EahAVXIHNtDMZYu0HYwwL7j45gjF9o9kDbfMSPr8Oni0QC2tTcCg623OlNqrJZFT4YNJ8A1nRfwGwBLFp5pxpK9ZCekQVhBpZNUrlLB5uDaB5H9lwFKslbHC-HKlJbfZZg16j6tlQTgw6dnKNo5LPrZ4TeSUyuoudzZSpZo4dyFsasTfWYTSLQ",+      "e": "AQAB",+      "x5c": [+        "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"+      ],+      "x5t": "5lmEYc56y8EeBpHsP1-LO8M0W2c",+      "x5t#S256": "oC0EpmLVEv1CptAVxKT9uVpC975xKlu3xOrhh8RTNy4"+    }+  ]+}+)";++// PS256 JWT with correct kid+// Header:+// {+//   "alg": "PS256",+//   "typ": "JWT",+//   "kid": "4hmO65bbc7IVI-3PfA2emAlO0qhv4rB__yw8BPQ58q8"+// }+// Payload:+// {+//   "exp": 1593912811,+//   "iat": 1593912511,+//   "jti": "3c9ee909-3ca5-4587-8c0b-700cb4cb8e62",+//   "iss": "https://keycloak.localhost/auth/realms/applications",+//   "sub": "c3cfd999-ca22-4080-9863-277427db4321",+//   "typ": "Bearer",+//   "azp": "foo",+//   "session_state": "de37ba9c-4b3a-4250-a89b-da81928fcf9b",+//   "acr": "1",+//   "scope": "email profile",+//   "email_verified": false,+//   "name": "User Zero",+//   "preferred_username": "user0",+//   "given_name": "User",+//   "family_name": "Zero",+//   "email": 
"user0@mail.com"+// }+const std::string Ps256JwtTextWithCorrectKid =+    "eyJhbGciOiJQUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0aG1PNjViYmM3SVZJLTNQ"+    "ZkEyZW1BbE8wcWh2NHJCX195dzhCUFE1OHE4In0."+    "eyJleHAiOjE1OTM5MTI4MTEsImlhdCI6MTU5MzkxMjUxMSwianRpIjoiM2M5ZWU5MDktM2Nh"+    "NS00NTg3LThjMGItNzAwY2I0Y2I4ZTYyIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5sb2Nh"+    "bGhvc3QvYXV0aC9yZWFsbXMvYXBwbGljYXRpb25zIiwic3ViIjoiYzNjZmQ5OTktY2EyMi00"+    "MDgwLTk4NjMtMjc3NDI3ZGI0MzIxIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiZm9vIiwic2Vz"+    "c2lvbl9zdGF0ZSI6ImRlMzdiYTljLTRiM2EtNDI1MC1hODliLWRhODE5MjhmY2Y5YiIsImFj"+    "ciI6IjEiLCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2Us"+    "Im5hbWUiOiJVc2VyIFplcm8iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ1c2VyMCIsImdpdmVu"+    "X25hbWUiOiJVc2VyIiwiZmFtaWx5X25hbWUiOiJaZXJvIiwiZW1haWwiOiJ1c2VyMEBtYWls"+    "LmNvbSJ9."+    "fas6TkXZ97K1d8tTMCEFDcG-MupI-BwGn0UZD8riwmbLf5xmDPaoZwmJ3k-szVo-oJMfMZbr"+    "VAI8xQwg4Z7bQvd3I9WM6XPsu1_gKnkc2EOATgkdpDg5rWOPSZCFLUD_bqsoPQrfc2C1-UKs"+    "VOwUkXEH6rEIlOvngqQWNJjtbkvsS2N_3kNAgaD8cELT5mxmM4vGZn14OHmXHJBIW9pHJU64"+    "tA0sDcexoylL7xB_E1XTs3St0sYyq_pz9920vHScr9KXQ3y9k-fbPvgBs2gGY0iK63E0lEwD"+    "fRWY4Za6RRqymammehv7ZiE4HjDy5Q_AdLGdRefrTxtiQrHIThLqAw";+++// PS384 JWT with correct kid+// Header:+// {+//   "alg": "PS384",+//   "typ": "JWT",+//   "kid": "RGlV9a54XdAsuiYUDkQ0hDkiSZ92TJCgneh7-HvN-sk"+// }+// Payload:+// {+//   "exp": 1593913901,+//   "iat": 1593913601,+//   "jti": "375242be-54c3-4c06-ad07-22457d493390",+//   "iss": "https://keycloak.localhost/auth/realms/applications",+//   "sub": "c3cfd999-ca22-4080-9863-277427db4321",+//   "typ": "Bearer",+//   "azp": "foo",+//   "session_state": "a0cc48a5-1eea-4078-b965-3f8edee8a15e",+//   "acr": "1",+//   "scope": "email profile",+//   "email_verified": false,+//   "name": "User Zero",+//   "preferred_username": "user0",+//   "given_name": "User",+//   "family_name": "Zero",+//   "email": "user0@mail.com"+// }+++const std::string Ps384JwtTextWithCorrectKid =+    
"eyJhbGciOiJQUzM4NCIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSR2xWOWE1NFhkQXN1aVlV"+    "RGtRMGhEa2lTWjkyVEpDZ25laDctSHZOLXNrIn0."+    "eyJleHAiOjE1OTM5MTM5MDEsImlhdCI6MTU5MzkxMzYwMSwianRpIjoiMzc1MjQyYmUtNTRj"+    "My00YzA2LWFkMDctMjI0NTdkNDkzMzkwIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5sb2Nh"+    "bGhvc3QvYXV0aC9yZWFsbXMvYXBwbGljYXRpb25zIiwic3ViIjoiYzNjZmQ5OTktY2EyMi00"+    "MDgwLTk4NjMtMjc3NDI3ZGI0MzIxIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiZm9vIiwic2Vz"+    "c2lvbl9zdGF0ZSI6ImEwY2M0OGE1LTFlZWEtNDA3OC1iOTY1LTNmOGVkZWU4YTE1ZSIsImFj"+    "ciI6IjEiLCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2Us"+    "Im5hbWUiOiJVc2VyIFplcm8iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ1c2VyMCIsImdpdmVu"+    "X25hbWUiOiJVc2VyIiwiZmFtaWx5X25hbWUiOiJaZXJvIiwiZW1haWwiOiJ1c2VyMEBtYWls"+    "LmNvbSJ9."+    "lQdbyqQH0dBYA0yIMVmV-KMGOYc7-BuuQUggKqEi9kpmvZAeXaX1v04n6XkyZdIRMxLgxVoK"+    "LH3XJLg7zwW_luYR5ZlYj5SLYxUSkrlG3RfOvRpphXzhH-TcRQMdwSFEbNUiibZ6NkSmzMLi"+    "Weryi3JHCHAxt2e9Z6_dWlrKXXSvpmZgrn--NdU433TmePFdgoEGUH8F9q7T1Nd1S5FnsS2i"+    "-ywZzNMQIfQ59k_r1_WlH81bwoNgd4ffTlVsosZrw84UYBJdNt73-RWu1NNTXvIY2MiImods"+    "oo7DAD__ZDMgnJ8cpBmrq0YASz04SESNt1jiwCWbasJQx_B73hmd1A";+++// PS512 JWT with correct kid+// Header:+// {+//   "alg": "PS512",+//   "typ": "JWT",+//   "kid": "u_ZZAorrQhtL2MA-bWkZ0qpzjia4D3u6QUvBRscHLrg"+// }+// Payload:+// {+//   "exp": 1593913918,+//   "iat": 1593913618,+//   "jti": "7c1f8cba-7f7c-4e05-b02c-2a0a77914f5d",+//   "iss": "https://keycloak.localhost/auth/realms/applications",+//   "sub": "c3cfd999-ca22-4080-9863-277427db4321",+//   "typ": "Bearer",+//   "azp": "foo",+//   "session_state": "d8dbe685-cd10-42da-841c-f7ae6cd4d588",+//   "acr": "1",+//   "scope": "email profile",+//   "email_verified": false,+//   "name": "User Zero",+//   "preferred_username": "user0",+//   "given_name": "User",+//   "family_name": "Zero",+//   "email": "user0@mail.com"+// }+++const std::string Ps512JwtTextWithCorrectKid =+    "eyJhbGciOiJQUzUxMiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ1X1paQW9yclFodEwyTUEt"+   
 "YldrWjBxcHpqaWE0RDN1NlFVdkJSc2NITHJnIn0."+    "eyJleHAiOjE1OTM5MTM5MTgsImlhdCI6MTU5MzkxMzYxOCwianRpIjoiN2MxZjhjYmEtN2Y3"+    "Yy00ZTA1LWIwMmMtMmEwYTc3OTE0ZjVkIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5sb2Nh"+    "bGhvc3QvYXV0aC9yZWFsbXMvYXBwbGljYXRpb25zIiwic3ViIjoiYzNjZmQ5OTktY2EyMi00"+    "MDgwLTk4NjMtMjc3NDI3ZGI0MzIxIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiZm9vIiwic2Vz"+    "c2lvbl9zdGF0ZSI6ImQ4ZGJlNjg1LWNkMTAtNDJkYS04NDFjLWY3YWU2Y2Q0ZDU4OCIsImFj"+    "ciI6IjEiLCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2Us"+    "Im5hbWUiOiJVc2VyIFplcm8iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ1c2VyMCIsImdpdmVu"+    "X25hbWUiOiJVc2VyIiwiZmFtaWx5X25hbWUiOiJaZXJvIiwiZW1haWwiOiJ1c2VyMEBtYWls"+    "LmNvbSJ9."+    "p-NqE3q9BVakZNkKX3-X5FKIm64PloIjBjWfajQuRayHv4cj6xwvDve3uCuZa2oKyefJRNLy"+    "6rCJUGNsYM9Q-WRCtD6SuWLPkuqh-SUFtZqW7sWGOqTLKbMBx5StLZx7eEgdRWqzIxwLVLdF"+    "VuO-3L88qHFTU2Vv8UAu_nX-uyFKOV5bYgyFlxqgpSqvsbm6lZ0EZghPuidOmnMPQdS8-Evk"+    "jwSAYEgoQ1crXY8dEUc_AJfq84jtuMJMnFhfVQvk_8hN71wYWWYThXtEATFySUFrkoCvB-da"+    "Sl9FNeK5UPE9vYBi7QJ-Wt3Ikg7kEgPiuADlIao_ZxKdzoA51isGBg";+++class VerifyJwkRsaPssTest : public testing::Test {+ protected:+  void SetUp() {+    jwks_ = Jwks::createFrom(PublicKeyRSAPSS, Jwks::Type::JWKS);+    EXPECT_EQ(jwks_->getStatus(), Status::Ok);+  }++  JwksPtr jwks_;+};+++class VerifyJwkRsaPssJwtsTest : public VerifyJwkRsaPssTest,+                                public testing::WithParamInterface<std::string> {+ protected:+  void SetUp() {+    VerifyJwkRsaPssTest::SetUp();+  }+};+++TEST_P(VerifyJwkRsaPssJwtsTest, CorrectKidOK) {+  Jwt jwt;+  EXPECT_EQ(jwt.parseFromString(GetParam()), Status::Ok);+  EXPECT_EQ(verifyJwt(jwt, *jwks_, 1), Status::Ok);++  fuzzJwtSignature(jwt, [this](const Jwt& jwt) {+    EXPECT_EQ(verifyJwt(jwt, *jwks_, 1), Status::JwtVerificationFail);+  });+}+++INSTANTIATE_TEST_CASE_P(+    VerifyJwkRsaPssJwtsTests,+    VerifyJwkRsaPssJwtsTest,+    testing::Values(+        Ps256JwtTextWithCorrectKid,+        Ps384JwtTextWithCorrectKid,+        
Ps512JwtTextWithCorrectKid),+    [](const testing::TestParamInfo<VerifyJwkRsaPssJwtsTest::ParamType>& info) {+      if (info.param == Ps256JwtTextWithCorrectKid) {+        return "PS256";+      } else if (info.param == Ps384JwtTextWithCorrectKid) {+        return "PS384";+      } else if (info.param == Ps512JwtTextWithCorrectKid) {+        return "PS512";+      } else {+        return "Unknown";+      }+    });+++// This set of keys and jwts were generated at https://jwt.io/+// public key:+//     "-----BEGIN PUBLIC KEY-----"+//     "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnzyis1ZjfNB0bBgKFMSv"+//     "vkTtwlvBsaJq7S5wA+kzeVOVpVWwkWdVha4s38XM/pa/yr47av7+z3VTmvDRyAHc"+//     "aT92whREFpLv9cj5lTeJSibyr/Mrm/YtjCZVWgaOYIhwrXwKLqPr/11inWsAkfIy"+//     "tvHWTxZYEcXLgAXFuUuaS3uF9gEiNQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0"+//     "e+lf4s4OxQawWD79J9/5d3Ry0vbV3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWb"+//     "V6L11BWkpzGXSW4Hv43qa+GSYOD2QU68Mb59oSk2OB+BtOLpJofmbGEGgvmwyCI9"+//     "MwIDAQAB"+//     "-----END PUBLIC KEY-----"++const std::string JwtIoPublicKeyRSAPSS = R"(+{+  "keys": [+    {+      "kty": "RSA",+      "kid": "f08a1cc9-d266-4049-9c22-f95260cbf5fd",+      "e": "AQAB",+      "n": "nzyis1ZjfNB0bBgKFMSvvkTtwlvBsaJq7S5wA-kzeVOVpVWwkWdVha4s38XM_pa_yr47av7-z3VTmvDRyAHcaT92whREFpLv9cj5lTeJSibyr_Mrm_YtjCZVWgaOYIhwrXwKLqPr_11inWsAkfIytvHWTxZYEcXLgAXFuUuaS3uF9gEiNQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0e-lf4s4OxQawWD79J9_5d3Ry0vbV3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWbV6L11BWkpzGXSW4Hv43qa-GSYOD2QU68Mb59oSk2OB-BtOLpJofmbGEGgvmwyCI9Mw"+    }+  ]+}+)";++// private key:+//     "-----BEGIN RSA PRIVATE KEY-----"+//     "MIIEogIBAAKCAQEAnzyis1ZjfNB0bBgKFMSvvkTtwlvBsaJq7S5wA+kzeVOVpVWw"+//     "kWdVha4s38XM/pa/yr47av7+z3VTmvDRyAHcaT92whREFpLv9cj5lTeJSibyr/Mr"+//     "m/YtjCZVWgaOYIhwrXwKLqPr/11inWsAkfIytvHWTxZYEcXLgAXFuUuaS3uF9gEi"+//     "NQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0e+lf4s4OxQawWD79J9/5d3Ry0vbV"+//     "3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWbV6L11BWkpzGXSW4Hv43qa+GSYOD2"+//     
"QU68Mb59oSk2OB+BtOLpJofmbGEGgvmwyCI9MwIDAQABAoIBACiARq2wkltjtcjs"+//     "kFvZ7w1JAORHbEufEO1Eu27zOIlqbgyAcAl7q+/1bip4Z/x1IVES84/yTaM8p0go"+//     "amMhvgry/mS8vNi1BN2SAZEnb/7xSxbflb70bX9RHLJqKnp5GZe2jexw+wyXlwaM"+//     "+bclUCrh9e1ltH7IvUrRrQnFJfh+is1fRon9Co9Li0GwoN0x0byrrngU8Ak3Y6D9"+//     "D8GjQA4Elm94ST3izJv8iCOLSDBmzsPsXfcCUZfmTfZ5DbUDMbMxRnSo3nQeoKGC"+//     "0Lj9FkWcfmLcpGlSXTO+Ww1L7EGq+PT3NtRae1FZPwjddQ1/4V905kyQFLamAA5Y"+//     "lSpE2wkCgYEAy1OPLQcZt4NQnQzPz2SBJqQN2P5u3vXl+zNVKP8w4eBv0vWuJJF+"+//     "hkGNnSxXQrTkvDOIUddSKOzHHgSg4nY6K02ecyT0PPm/UZvtRpWrnBjcEVtHEJNp"+//     "bU9pLD5iZ0J9sbzPU/LxPmuAP2Bs8JmTn6aFRspFrP7W0s1Nmk2jsm0CgYEAyH0X"+//     "+jpoqxj4efZfkUrg5GbSEhf+dZglf0tTOA5bVg8IYwtmNk/pniLG/zI7c+GlTc9B"+//     "BwfMr59EzBq/eFMI7+LgXaVUsM/sS4Ry+yeK6SJx/otIMWtDfqxsLD8CPMCRvecC"+//     "2Pip4uSgrl0MOebl9XKp57GoaUWRWRHqwV4Y6h8CgYAZhI4mh4qZtnhKjY4TKDjx"+//     "QYufXSdLAi9v3FxmvchDwOgn4L+PRVdMwDNms2bsL0m5uPn104EzM6w1vzz1zwKz"+//     "5pTpPI0OjgWN13Tq8+PKvm/4Ga2MjgOgPWQkslulO/oMcXbPwWC3hcRdr9tcQtn9"+//     "Imf9n2spL/6EDFId+Hp/7QKBgAqlWdiXsWckdE1Fn91/NGHsc8syKvjjk1onDcw0"+//     "NvVi5vcba9oGdElJX3e9mxqUKMrw7msJJv1MX8LWyMQC5L6YNYHDfbPF1q5L4i8j"+//     "8mRex97UVokJQRRA452V2vCO6S5ETgpnad36de3MUxHgCOX3qL382Qx9/THVmbma"+//     "3YfRAoGAUxL/Eu5yvMK8SAt/dJK6FedngcM3JEFNplmtLYVLWhkIlNRGDwkg3I5K"+//     "y18Ae9n7dHVueyslrb6weq7dTkYDi3iOYRW8HRkIQh06wEdbxt0shTzAJvvCQfrB"+//     "jg/3747WSsf/zBTcHihTRBdAv6OmdhV4/dD5YBfLAkLrd+mX7iE="+//     "-----END RSA PRIVATE KEY-----"++const std::string JwtTextWithNoKid =+    "eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9."+    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlh"+    "dCI6MTUxNjIzOTAyMn0."+    "hZnl5amPk_I3tb4O-Otci_5XZdVWhPlFyVRvcqSwnDo_srcysDvhhKOD01DigPK1lJvTSTol"+    "yUgKGtpLqMfRDXQlekRsF4XhAjYZTmcynf-C-6wO5EI4wYewLNKFGGJzHAknMgotJFjDi_NC"+    "VSjHsW3a10nTao1lB82FRS305T226Q0VqNVJVWhE4G0JQvi2TssRtCxYTqzXVt22iDKkXeZJ"+    
"ARZ1paXHGV5Kd1CljcZtkNZYIGcwnj65gvuCwohbkIxAnhZMJXCLaVvHqv9l-AAUV7esZvkQ"+    "R1IpwBAiDQJh4qxPjFGylyXrHMqh5NlT_pWL2ZoULWTg_TJjMO9TuQ";+++const std::string JwtTextWithNonExistentKid =+    "eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Im5vbmV4aXN0ZW50In0."+    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlh"+    "dCI6MTUxNjIzOTAyMn0."+    "USMoL8XwVl-sqtIl-VQr97oNr1XWbgnJnDJbi65ExV7IioYQ3cGfrpi9n2GxJOwuw6zU572l"+    "ME-wD9It-Q8H8eAOi83KoimQJmdzCGGUGTgwo3tZK5HV7W3srgP1_46-X43DYWOT6h1pIAE7"+    "7s23XuSKbq4rpp6cmbDODARfTj6OTQWTqwhOkX0Xo7i2q1foreKI8PnOyrvbs7oXrLJGZhg_"+    "6mRnP0wRJJFkIu2uYKcLDcgJ0OWXY6dQ-8agj-yjZ5ZUX8GUcy347P0UUpsGVNd1pUawLwTi"+    "kmNidJOxkGlawLtOwE7u0WtZdYmcppx99Qw5U4gYdQQx0wJqgj_d8g";+++class JwtIoVerifyJwkRsaPssTest : public VerifyJwkRsaPssTest {+ protected:+  void SetUp() {+    VerifyJwkRsaPssTest::SetUp();
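
Review bot: The name generator passed to INSTANTIATE_TEST_CASE_P picks the test name by comparing info.param against each full token string, and its "Unknown" fallback would give any two new parameters the same name. With only three cases, three plain TEST_F bodies, or a parameter struct that carries its own name, would be easier to read. Separately, the comment block pastes a complete RSA private key; it is stated to come from jwt.io, so add a sentence marking it as a public test key so that readers and secret scanners do not treat it as a leaked credential, and mark JwtIoVerifyJwkRsaPssTest::SetUp as override.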

Fixed in 01a41aa!

ackerleytng

comment created time in a month

Pull request review comment google/jwt_verify_lib

[WIP] Add RSASSA-PSS support

+// Copyright 2018 Google LLC+//+// Licensed under the Apache License, Version 2.0 (the "License");+// you may not use this file except in compliance with the License.+// You may obtain a copy of the License at+//+//    https://www.apache.org/licenses/LICENSE-2.0+//+// Unless required by applicable law or agreed to in writing, software+// distributed under the License is distributed on an "AS IS" BASIS,+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+// See the License for the specific language governing permissions and+// limitations under the License.++#include "gtest/gtest.h"+#include "jwt_verify_lib/verify.h"+#include "src/test_common.h"++namespace google {+namespace jwt_verify {+namespace {++// The following is the jwks from querying a private temporary instance of keycloak at+// https://keycloak.localhost/auth/realms/applications/protocol/openid-connect/certs++const std::string PublicKeyRSAPSS = R"(+{+  "keys": [+    {+      "kid": "RGlV9a54XdAsuiYUDkQ0hDkiSZ92TJCgneh7-HvN-sk",+      "kty": "RSA",+      "alg": "PS384",+      "use": "sig",+      "n": "8logDcIilAXYJ2kNOrUIAVrWg3g-i1EUsWzEwAV3WT9NNwisUsljdyK3OOxy8yhbWyunxia-4Qo8nCIjURfLn0XoJyozCsruTWuvv2nvWx380zDD5gN-RK0kab_UWOV_zkr9YhBYd2PUB-sCcEwDKj8uHZrJ2CvXvxt2LV8_l_kwlCEDS_q97eEqvxhvYFF8DVo_AGABoK6fU1urn7X-GQcClgOEI8qKho-FU0RPJM80pnmCVds7oP2NYHSnAbkxltiB2cU1qazs21A52obU5zemUwJcdEGpykBKgc_aKaxkusLs2O0xWvnDbgXvboqb_0UhZPWNILZYK09jYCFobQ",+      "e": "AQAB",+      "x5c": [+        "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"+      ],+      "x5t": "6mK6ZUgfCVv2sm7GVsDR_tdPjjE",+      "x5t#S256": "PJYSXCbyowmimYVC41vPKlZyUfmqcGNo6Cfba4y8pkE"+    },+    {+      "kid": "u_ZZAorrQhtL2MA-bWkZ0qpzjia4D3u6QUvBRscHLrg",+      "kty": "RSA",+      "alg": "PS512",+      "use": "sig",+      "n": 
"0k2d9uo6k1luw7VpgeZuf4xIlhpp_pPndYjHCZBhSmXsXN7lV-HhYE3Vv2WurMT32HrOJVm4zJWbQOOFG2LD8Byw1sKzZWoS_wwFUWdeTzw43JniK-PYDY5sOM5sn6uGtfLNzm0fO0gkhLMf-dgodimA7dw_4kFqIYP9VNJOi3Pw3XI0uAuK1X7_eJ7mzWlCC8ERT0iJELKqC1Hx8Ub13SeTaFvPoguvx08END87WUbkdp4e4N16d_wVUWuutidY2HkjcklNhUWTc0BSST89TyKwwXwrXqY7_Ka14pjo8H-s6nT1ns80LiTjvjgzyeMRbptOYmgxlmYL0AXI07hbZw",+      "e": "AQAB",+      "x5c": [+        "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"+      ],+      "x5t": "YVSZ0gbRsdQ2ItVwc00GynAyFwk",+      "x5t#S256": "ZOJz7HKW1fQVb46QI0Ymw7v4u1mfRmzDJmOp3zUMpt4"+    },+    {+      "kid": "4hmO65bbc7IVI-3PfA2emAlO0qhv4rB__yw8BPQ58q8",+      "kty": "RSA",+      "alg": "PS256",+      "use": "sig",+      "n": "vz40nPlC2XsAGbqfp3S4nyl2G1iMFER1l_I4k7gfC-87UWu2-a7BZQHb646WmSXu8xFzu0x5FFTFmu_v3Aj1NAcdYbz09UypSxfH--aw7ATiSWL26jHixFP4l6miJxaXV-rlp9qFSO--1JRnlvYrt6M5mQI0ZvN8EahAVXIHNtDMZYu0HYwwL7j45gjF9o9kDbfMSPr8Oni0QC2tTcCg623OlNqrJZFT4YNJ8A1nRfwGwBLFp5pxpK9ZCekQVhBpZNUrlLB5uDaB5H9lwFKslbHC-HKlJbfZZg16j6tlQTgw6dnKNo5LPrZ4TeSUyuoudzZSpZo4dyFsasTfWYTSLQ",+      "e": "AQAB",+      "x5c": [+        "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"+      ],+      "x5t": "5lmEYc56y8EeBpHsP1-LO8M0W2c",+      "x5t#S256": "oC0EpmLVEv1CptAVxKT9uVpC975xKlu3xOrhh8RTNy4"+    }+  ]+}+)";++// PS256 JWT with correct kid+// Header:+// {+//   "alg": "PS256",+//   "typ": "JWT",+//   "kid": "4hmO65bbc7IVI-3PfA2emAlO0qhv4rB__yw8BPQ58q8"+// }+// Payload:+// {+//   "exp": 1593912811,+//   "iat": 1593912511,+//   "jti": "3c9ee909-3ca5-4587-8c0b-700cb4cb8e62",+//   "iss": "https://keycloak.localhost/auth/realms/applications",+//   "sub": "c3cfd999-ca22-4080-9863-277427db4321",+//   "typ": "Bearer",+//   "azp": "foo",+//   "session_state": "de37ba9c-4b3a-4250-a89b-da81928fcf9b",+//   "acr": "1",+//   "scope": "email profile",+//   "email_verified": false,+//   "name": "User Zero",+//   "preferred_username": "user0",+//   "given_name": "User",+//   "family_name": "Zero",+//   "email": 
"user0@mail.com"+// }+const std::string Ps256JwtTextWithCorrectKid =+    "eyJhbGciOiJQUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI0aG1PNjViYmM3SVZJLTNQ"+    "ZkEyZW1BbE8wcWh2NHJCX195dzhCUFE1OHE4In0."+    "eyJleHAiOjE1OTM5MTI4MTEsImlhdCI6MTU5MzkxMjUxMSwianRpIjoiM2M5ZWU5MDktM2Nh"+    "NS00NTg3LThjMGItNzAwY2I0Y2I4ZTYyIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5sb2Nh"+    "bGhvc3QvYXV0aC9yZWFsbXMvYXBwbGljYXRpb25zIiwic3ViIjoiYzNjZmQ5OTktY2EyMi00"+    "MDgwLTk4NjMtMjc3NDI3ZGI0MzIxIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiZm9vIiwic2Vz"+    "c2lvbl9zdGF0ZSI6ImRlMzdiYTljLTRiM2EtNDI1MC1hODliLWRhODE5MjhmY2Y5YiIsImFj"+    "ciI6IjEiLCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2Us"+    "Im5hbWUiOiJVc2VyIFplcm8iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ1c2VyMCIsImdpdmVu"+    "X25hbWUiOiJVc2VyIiwiZmFtaWx5X25hbWUiOiJaZXJvIiwiZW1haWwiOiJ1c2VyMEBtYWls"+    "LmNvbSJ9."+    "fas6TkXZ97K1d8tTMCEFDcG-MupI-BwGn0UZD8riwmbLf5xmDPaoZwmJ3k-szVo-oJMfMZbr"+    "VAI8xQwg4Z7bQvd3I9WM6XPsu1_gKnkc2EOATgkdpDg5rWOPSZCFLUD_bqsoPQrfc2C1-UKs"+    "VOwUkXEH6rEIlOvngqQWNJjtbkvsS2N_3kNAgaD8cELT5mxmM4vGZn14OHmXHJBIW9pHJU64"+    "tA0sDcexoylL7xB_E1XTs3St0sYyq_pz9920vHScr9KXQ3y9k-fbPvgBs2gGY0iK63E0lEwD"+    "fRWY4Za6RRqymammehv7ZiE4HjDy5Q_AdLGdRefrTxtiQrHIThLqAw";+++// PS384 JWT with correct kid+// Header:+// {+//   "alg": "PS384",+//   "typ": "JWT",+//   "kid": "RGlV9a54XdAsuiYUDkQ0hDkiSZ92TJCgneh7-HvN-sk"+// }+// Payload:+// {+//   "exp": 1593913901,+//   "iat": 1593913601,+//   "jti": "375242be-54c3-4c06-ad07-22457d493390",+//   "iss": "https://keycloak.localhost/auth/realms/applications",+//   "sub": "c3cfd999-ca22-4080-9863-277427db4321",+//   "typ": "Bearer",+//   "azp": "foo",+//   "session_state": "a0cc48a5-1eea-4078-b965-3f8edee8a15e",+//   "acr": "1",+//   "scope": "email profile",+//   "email_verified": false,+//   "name": "User Zero",+//   "preferred_username": "user0",+//   "given_name": "User",+//   "family_name": "Zero",+//   "email": "user0@mail.com"+// }+++const std::string Ps384JwtTextWithCorrectKid =+    
"eyJhbGciOiJQUzM4NCIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSR2xWOWE1NFhkQXN1aVlV"+    "RGtRMGhEa2lTWjkyVEpDZ25laDctSHZOLXNrIn0."+    "eyJleHAiOjE1OTM5MTM5MDEsImlhdCI6MTU5MzkxMzYwMSwianRpIjoiMzc1MjQyYmUtNTRj"+    "My00YzA2LWFkMDctMjI0NTdkNDkzMzkwIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5sb2Nh"+    "bGhvc3QvYXV0aC9yZWFsbXMvYXBwbGljYXRpb25zIiwic3ViIjoiYzNjZmQ5OTktY2EyMi00"+    "MDgwLTk4NjMtMjc3NDI3ZGI0MzIxIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiZm9vIiwic2Vz"+    "c2lvbl9zdGF0ZSI6ImEwY2M0OGE1LTFlZWEtNDA3OC1iOTY1LTNmOGVkZWU4YTE1ZSIsImFj"+    "ciI6IjEiLCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2Us"+    "Im5hbWUiOiJVc2VyIFplcm8iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ1c2VyMCIsImdpdmVu"+    "X25hbWUiOiJVc2VyIiwiZmFtaWx5X25hbWUiOiJaZXJvIiwiZW1haWwiOiJ1c2VyMEBtYWls"+    "LmNvbSJ9."+    "lQdbyqQH0dBYA0yIMVmV-KMGOYc7-BuuQUggKqEi9kpmvZAeXaX1v04n6XkyZdIRMxLgxVoK"+    "LH3XJLg7zwW_luYR5ZlYj5SLYxUSkrlG3RfOvRpphXzhH-TcRQMdwSFEbNUiibZ6NkSmzMLi"+    "Weryi3JHCHAxt2e9Z6_dWlrKXXSvpmZgrn--NdU433TmePFdgoEGUH8F9q7T1Nd1S5FnsS2i"+    "-ywZzNMQIfQ59k_r1_WlH81bwoNgd4ffTlVsosZrw84UYBJdNt73-RWu1NNTXvIY2MiImods"+    "oo7DAD__ZDMgnJ8cpBmrq0YASz04SESNt1jiwCWbasJQx_B73hmd1A";+++// PS512 JWT with correct kid+// Header:+// {+//   "alg": "PS512",+//   "typ": "JWT",+//   "kid": "u_ZZAorrQhtL2MA-bWkZ0qpzjia4D3u6QUvBRscHLrg"+// }+// Payload:+// {+//   "exp": 1593913918,+//   "iat": 1593913618,+//   "jti": "7c1f8cba-7f7c-4e05-b02c-2a0a77914f5d",+//   "iss": "https://keycloak.localhost/auth/realms/applications",+//   "sub": "c3cfd999-ca22-4080-9863-277427db4321",+//   "typ": "Bearer",+//   "azp": "foo",+//   "session_state": "d8dbe685-cd10-42da-841c-f7ae6cd4d588",+//   "acr": "1",+//   "scope": "email profile",+//   "email_verified": false,+//   "name": "User Zero",+//   "preferred_username": "user0",+//   "given_name": "User",+//   "family_name": "Zero",+//   "email": "user0@mail.com"+// }+++const std::string Ps512JwtTextWithCorrectKid =+    "eyJhbGciOiJQUzUxMiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ1X1paQW9yclFodEwyTUEt"+   
 "YldrWjBxcHpqaWE0RDN1NlFVdkJSc2NITHJnIn0."+    "eyJleHAiOjE1OTM5MTM5MTgsImlhdCI6MTU5MzkxMzYxOCwianRpIjoiN2MxZjhjYmEtN2Y3"+    "Yy00ZTA1LWIwMmMtMmEwYTc3OTE0ZjVkIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5sb2Nh"+    "bGhvc3QvYXV0aC9yZWFsbXMvYXBwbGljYXRpb25zIiwic3ViIjoiYzNjZmQ5OTktY2EyMi00"+    "MDgwLTk4NjMtMjc3NDI3ZGI0MzIxIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiZm9vIiwic2Vz"+    "c2lvbl9zdGF0ZSI6ImQ4ZGJlNjg1LWNkMTAtNDJkYS04NDFjLWY3YWU2Y2Q0ZDU4OCIsImFj"+    "ciI6IjEiLCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2Us"+    "Im5hbWUiOiJVc2VyIFplcm8iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ1c2VyMCIsImdpdmVu"+    "X25hbWUiOiJVc2VyIiwiZmFtaWx5X25hbWUiOiJaZXJvIiwiZW1haWwiOiJ1c2VyMEBtYWls"+    "LmNvbSJ9."+    "p-NqE3q9BVakZNkKX3-X5FKIm64PloIjBjWfajQuRayHv4cj6xwvDve3uCuZa2oKyefJRNLy"+    "6rCJUGNsYM9Q-WRCtD6SuWLPkuqh-SUFtZqW7sWGOqTLKbMBx5StLZx7eEgdRWqzIxwLVLdF"+    "VuO-3L88qHFTU2Vv8UAu_nX-uyFKOV5bYgyFlxqgpSqvsbm6lZ0EZghPuidOmnMPQdS8-Evk"+    "jwSAYEgoQ1crXY8dEUc_AJfq84jtuMJMnFhfVQvk_8hN71wYWWYThXtEATFySUFrkoCvB-da"+    "Sl9FNeK5UPE9vYBi7QJ-Wt3Ikg7kEgPiuADlIao_ZxKdzoA51isGBg";+++class VerifyJwkRsaPssTest : public testing::Test {+ protected:+  void SetUp() {+    jwks_ = Jwks::createFrom(PublicKeyRSAPSS, Jwks::Type::JWKS);+    EXPECT_EQ(jwks_->getStatus(), Status::Ok);+  }++  JwksPtr jwks_;+};+++class VerifyJwkRsaPssJwtsTest : public VerifyJwkRsaPssTest,+                                public testing::WithParamInterface<std::string> {
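
Review bot: PublicKeyRSAPSS and the three Ps*JwtTextWithCorrectKid constants are namespace-scope const std::string objects, which makes them dynamically initialized globals with non-trivial destructors. The Google C++ style guide asks for objects with static storage duration to be trivially destructible, so constexpr char arrays or absl::string_view with a leading k in the name would fit better; if the existing tests use the same pattern, say so in the PR and keep the file consistent with them.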

Fixed in 04b0673!

ackerleytng

comment created time in a month

Pull request review comment google/jwt_verify_lib

[WIP] Add RSASSA-PSS support

 namespace google { namespace jwt_verify { +namespace {++static absl::flat_hash_set<std::string> implemented_algs = {

Fixed in e9757de!

ackerleytng

comment created time in a month

push event ackerleytng/jwt_verify_lib

Ackerley Tng

commit sha bc56e98cb10e9a01e900980013998ef390dfc27c

Add note to indicate no need to free pctx

Ackerley Tng

commit sha 01a41aa22400aa75f34f97977c9380a43ec0be2e

Remove inheritance for better readability in test case

Ackerley Tng

commit sha 04b0673d52b152ce3e6cabf04581c15e7bca7df3

Unroll parameterized test for better readability

Ackerley Tng

commit sha e9757dec7b15abfbb250532992419fec0a7c01ae

Mark kImplementedAlgs as const

push time in a month

pull request comment google/jwt_verify_lib

[WIP] Add RSASSA-PSS support

I'm a little with variable naming on the google style guide, do let me know if there's anything I should change!

ackerleytng

comment created time in a month

Pull request review comment google/jwt_verify_lib

[WIP] Add RSASSA-PSS support

 Status Jwt::parseFromString(const std::string& jwt) {   if (alg_ != "ES256" && alg_ != "ES384" && alg_ != "ES512" &&       alg_ != "HS256" && alg_ != "HS384" && alg_ != "HS512" &&       alg_ != "RS256" && alg_ != "RS384" && alg_ != "RS512" &&+      alg_ != "PS256" && alg_ != "PS384" && alg_ != "PS512" &&
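
Review bot: The added line extends an already long chain of alg_ != comparisons in Jwt::parseFromString, and every new algorithm family makes it easier to miss one variant or mistype a name. Moving the accepted names into a single const set and testing membership keeps the list of accepted algorithms in one place and makes the next addition a one-line change.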

Added in commit 9119883!

ackerleytng

comment created time in a month

push event ackerleytng/jwt_verify_lib

Ackerley Tng

commit sha 8a284ae21261a2df65a97e00c823874b5880627c

Adjust class data member names to follow style guide

Ackerley Tng

commit sha 91198839a88166037b77216fbe9d3c9ef7ed3eae

Use absl::flat_hash_set to optimize checking of implemented_algs

push time in a month

Pull request review comment google/jwt_verify_lib

[WIP] Add RSASSA-PSS support

+// Copyright 2018 Google LLC+//+// Licensed under the Apache License, Version 2.0 (the "License");+// you may not use this file except in compliance with the License.+// You may obtain a copy of the License at+//+//    https://www.apache.org/licenses/LICENSE-2.0+//+// Unless required by applicable law or agreed to in writing, software+// distributed under the License is distributed on an "AS IS" BASIS,+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+// See the License for the specific language governing permissions and+// limitations under the License.++#include "gtest/gtest.h"+#include "jwt_verify_lib/verify.h"+#include "src/test_common.h"++namespace google {+namespace jwt_verify {+namespace {++// The following is the jwks from querying a private temporary instance of keycloak at+// https://keycloak.localhost/auth/realms/applications/protocol/openid-connect/certs++const std::string PublicKeyRSAPSS = R"(+{+  "keys": [+    {+      "kid": "RGlV9a54XdAsuiYUDkQ0hDkiSZ92TJCgneh7-HvN-sk",+      "kty": "RSA",+      "alg": "PS384",+      "use": "sig",+      "n": "8logDcIilAXYJ2kNOrUIAVrWg3g-i1EUsWzEwAV3WT9NNwisUsljdyK3OOxy8yhbWyunxia-4Qo8nCIjURfLn0XoJyozCsruTWuvv2nvWx380zDD5gN-RK0kab_UWOV_zkr9YhBYd2PUB-sCcEwDKj8uHZrJ2CvXvxt2LV8_l_kwlCEDS_q97eEqvxhvYFF8DVo_AGABoK6fU1urn7X-GQcClgOEI8qKho-FU0RPJM80pnmCVds7oP2NYHSnAbkxltiB2cU1qazs21A52obU5zemUwJcdEGpykBKgc_aKaxkusLs2O0xWvnDbgXvboqb_0UhZPWNILZYK09jYCFobQ",+      "e": "AQAB",+      "x5c": [+        
"MIICpzCCAY8CBgFzHKZh6TANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxhcHBsaWNhdGlvbnMwHhcNMjAwNzA1MDE0MzUyWhcNMzAwNzA1MDE0NTMyWjAXMRUwEwYDVQQDDAxhcHBsaWNhdGlvbnMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDyWiANwiKUBdgnaQ06tQgBWtaDeD6LURSxbMTABXdZP003CKxSyWN3Irc47HLzKFtbK6fGJr7hCjycIiNRF8ufRegnKjMKyu5Na6+/ae9bHfzTMMPmA35ErSRpv9RY5X/OSv1iEFh3Y9QH6wJwTAMqPy4dmsnYK9e/G3YtXz+X+TCUIQNL+r3t4Sq/GG9gUXwNWj8AYAGgrp9TW6uftf4ZBwKWA4QjyoqGj4VTRE8kzzSmeYJV2zug/Y1gdKcBuTGW2IHZxTWprOzbUDnahtTnN6ZTAlx0QanKQEqBz9oprGS6wuzY7TFa+cNuBe9uipv/RSFk9Y0gtlgrT2NgIWhtAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAMaFjwzA+74wY+2YjsMk79IpvDV3Kke7hBThz+9+KT8u2cCX1fUucZemk5vNfLbv+Swhjs+Psuhim1mXxqfyNeSPrIznWAQDSUIW5c3SuJtIOXbfXjIoeK7QW4yhv4NsQBnXd0o6UncvlSZvFxQCMDqGrybOim2O93nM7p3udE2c08tAZ/XRFrxgENvuO3XGAg5EIiUEbHjtOgpjGwkxDfvOm0C4giaaHbUEarzK0olAExtKENwa9AKsxnckMH/kWNBY6ohYSJ7DojRUY84bKTWWFx8Krj0kzjNkbadrdAya8YoRp4IRqjZ9cA9i+yIlN1ulhL9GGq4JDHqTFaoBxiQ="+      ],+      "x5t": "6mK6ZUgfCVv2sm7GVsDR_tdPjjE",+      "x5t#S256": "PJYSXCbyowmimYVC41vPKlZyUfmqcGNo6Cfba4y8pkE"+    },+    {+      "kid": "u_ZZAorrQhtL2MA-bWkZ0qpzjia4D3u6QUvBRscHLrg",+      "kty": "RSA",+      "alg": "PS512",+      "use": "sig",+      "n": "0k2d9uo6k1luw7VpgeZuf4xIlhpp_pPndYjHCZBhSmXsXN7lV-HhYE3Vv2WurMT32HrOJVm4zJWbQOOFG2LD8Byw1sKzZWoS_wwFUWdeTzw43JniK-PYDY5sOM5sn6uGtfLNzm0fO0gkhLMf-dgodimA7dw_4kFqIYP9VNJOi3Pw3XI0uAuK1X7_eJ7mzWlCC8ERT0iJELKqC1Hx8Ub13SeTaFvPoguvx08END87WUbkdp4e4N16d_wVUWuutidY2HkjcklNhUWTc0BSST89TyKwwXwrXqY7_Ka14pjo8H-s6nT1ns80LiTjvjgzyeMRbptOYmgxlmYL0AXI07hbZw",+      "e": "AQAB",+      "x5c": [+        "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"+      ],+      "x5t": "YVSZ0gbRsdQ2ItVwc00GynAyFwk",+      "x5t#S256": "ZOJz7HKW1fQVb46QI0Ymw7v4u1mfRmzDJmOp3zUMpt4"+    },+    {+      "kid": "4hmO65bbc7IVI-3PfA2emAlO0qhv4rB__yw8BPQ58q8",+      "kty": "RSA",+      "alg": "PS256",+      "use": "sig",+      "n": 
"vz40nPlC2XsAGbqfp3S4nyl2G1iMFER1l_I4k7gfC-87UWu2-a7BZQHb646WmSXu8xFzu0x5FFTFmu_v3Aj1NAcdYbz09UypSxfH--aw7ATiSWL26jHixFP4l6miJxaXV-rlp9qFSO--1JRnlvYrt6M5mQI0ZvN8EahAVXIHNtDMZYu0HYwwL7j45gjF9o9kDbfMSPr8Oni0QC2tTcCg623OlNqrJZFT4YNJ8A1nRfwGwBLFp5pxpK9ZCekQVhBpZNUrlLB5uDaB5H9lwFKslbHC-HKlJbfZZg16j6tlQTgw6dnKNo5LPrZ4TeSUyuoudzZSpZo4dyFsasTfWYTSLQ",+      "e": "AQAB",+      "x5c": [+        "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"+      ],+      "x5t": "5lmEYc56y8EeBpHsP1-LO8M0W2c",+      "x5t#S256": "oC0EpmLVEv1CptAVxKT9uVpC975xKlu3xOrhh8RTNy4"+    }+  ]+}+)";++// JWT with correct kid+// Header:+// {+//   "alg": "PS256",
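Review bot: The comment above `PublicKeyRSAPSS` says this JWKS came from a private temporary Keycloak instance, so nobody else can sign new tokens against these three keys once that instance is gone. Add a short note on how the test JWTs were produced, or generate a throwaway key pair for the tests and keep the private half beside the fixtures, so the PS256, PS384 and PS512 cases can be regenerated when a test needs a different header or claim.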

I added some tests after referencing verify_jwk_rsa_test.cc, but I realized most of the verification logic is already tested in verify_jwk_rsa_test.cc.

The parts specific to RSASSA-PSS are already covered, I believe. The wrong signature part should be tested with the fuzzing in fuzzJwtSignature.

Let me know if anything else is missing!

ackerleytng

comment created time in a month

push event ackerleytng/jwt_verify_lib

Ackerley Tng

commit sha 06d7cc451541efdfa144fb457dc2445399fab9e4

Add more test cases including negative tests

Used jwt.io, where I can quickly modify the header of the token

push time in a month

push event ackerleytng/jwt_verify_lib

Ackerley Tng

commit sha 2bf18ac2bb3c6d595f1bc35ef345cd24ba5ed671

Add test cases for PS384 and PS512

push time in a month

Pull request review comment google/jwt_verify_lib

[WIP] Add RSASSA-PSS support

 bool verifySignatureRSA(RSA* key, const EVP_MD* md, absl::string_view signature,                             castToUChar(signed_data), signed_data.length()); } +bool verifySignatureRSAPSS(RSA* key, const EVP_MD* md, const uint8_t* signature,+                           size_t signature_len, const uint8_t* signed_data,+                           size_t signed_data_len) {+  if (key == nullptr || md == nullptr || signature == nullptr ||+      signed_data == nullptr) {+    return false;+  }+  bssl::UniquePtr<EVP_PKEY> evp_pkey(EVP_PKEY_new());+  if (EVP_PKEY_set1_RSA(evp_pkey.get(), key) != 1) {+    return false;+  }++  bssl::UniquePtr<EVP_MD_CTX> md_ctx(EVP_MD_CTX_create());+  EVP_PKEY_CTX *pctx;
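Review bot: `EVP_PKEY_CTX *pctx;` at the end of the hunk is declared uninitialized and says nothing about ownership, which is the question this review thread is about. Initialize it (`EVP_PKEY_CTX* pctx = nullptr;`, matching the `RSA* key` pointer style in the signature) and, if it is filled in from `md_ctx` as the discussion describes, add a one-line comment that it is borrowed from `md_ctx` and must not be freed separately.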

Yup okay there's a

BORINGSSL_MAKE_DELETER(EVP_MD_CTX, EVP_MD_CTX_free)

here which makes EVP_MD_CTX_free the deleter for EVP_MD_CTX, and so freeing of pctx is handled.

We don't have to specially free pctx, it's like an additional reference :)

ackerleytng

comment created time in a month

Pull request review comment google/jwt_verify_lib

[WIP] Add RSASSA-PSS support

 bool verifySignatureRSA(RSA* key, const EVP_MD* md, absl::string_view signature,                             castToUChar(signed_data), signed_data.length()); } +bool verifySignatureRSAPSS(RSA* key, const EVP_MD* md, const uint8_t* signature,+                           size_t signature_len, const uint8_t* signed_data,+                           size_t signed_data_len) {+  if (key == nullptr || md == nullptr || signature == nullptr ||+      signed_data == nullptr) {+    return false;+  }+  bssl::UniquePtr<EVP_PKEY> evp_pkey(EVP_PKEY_new());+  if (EVP_PKEY_set1_RSA(evp_pkey.get(), key) != 1) {+    return false;+  }++  bssl::UniquePtr<EVP_MD_CTX> md_ctx(EVP_MD_CTX_create());+  EVP_PKEY_CTX *pctx;
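Review bot: The results of `EVP_PKEY_new()` and `EVP_MD_CTX_create()` are used without a null check: `evp_pkey.get()` goes straight into `EVP_PKEY_set1_RSA`. The function already returns false for null arguments, so return false as well when either allocation fails, before the first use of `evp_pkey` and `md_ctx`.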

I believe we do not have to free pctx. I was referring to this part of boringssl code. Although that's in C, the setup_ctx function doesn't free pctx, and doesn't return pctx either, so it couldn't have been freed elsewhere.

Over here in BoringSSL docs it says that the EVP_PKEY_CTX of the signing operation will be written to *pctx, and in the implementation here, we see that the ctx->pctx is assigned to pctx.

EVP_MD_CTX_cleanup will free ctx->pctx (here) and I'm assuming the use of UniquePtr handles calling of EVP_MD_CTX_cleanup? Let me look into that a bit more.

ackerleytng

comment created time in a month

pull request comment google/jwt_verify_lib

[WIP] Add RSASSA-PSS support

@googlebot I signed it!

ackerleytng

comment created time in a month

issue comment google/jwt_verify_lib

jwt_verify_lib complains about invalid kty/alg combination

Please see PR #53! Thanks. Still WIP, need to add more test cases.

volkdir

comment created time in a month

PR opened google/jwt_verify_lib

[WIP] Add RSASSA-PSS support

Would appreciate any feedback on this work in progress! I'll be adding more test cases

+237 -8

0 comment

7 changed files

pr created time in a month

create branch ackerleytng/jwt_verify_lib

branch : add-rsassa-pss-support

created branch time in a month

push event ackerleytng/keypress

Ackerley Tng

commit sha 3a7f67af36933381d4f473b8104c88ede5c3fb4e

Update keycloak and move to louketo

push time in a month

create branch ackerleytng/jwt_verify_lib

branch : add-check-audience-tests

created branch time in a month

issue comment caddyserver/caddy

Why validate scheme and port?

Thanks @francislavoie!

We plan to use another port soon. If anyone else is here looking for a hotfix, here's what I have

FROM golang:1.14.4-buster

# Patch out the part that checks for conflicting scheme
RUN git clone https://github.com/caddyserver/caddy.git && \
    sed -i '/return "", d.Err("upstream address has conflicting scheme/d' caddy/modules/caddyhttp/reverseproxy/caddyfile.go && \
    cd caddy/cmd/caddy/ && \
    go build && \
    mv caddy /tmp/caddy

ackerleytng

comment created time in a month

issue opened caddyserver/caddy

Why validate scheme and port?

caddy validates scheme (https/http) against the configured port (80/443) here https://github.com/caddyserver/caddy/blob/4b10ae5ce6c930b5acd46cb5c569481f349e336c/modules/caddyhttp/reverseproxy/caddyfile.go#L127

I was wondering if you'd consider relaxing this validation? I love caddy's simplified syntax for reverse proxying (compared to nginx's), but due to some constraints, I happen to need to proxy to an upstream listening on port 443 without https.

created time in a month

issue comment google/jwt_verify_lib

jwt_verify_lib complains about invalid kty/alg combination

I'd like to give this a shot. I'll work on adding PS256 support if nobody else is working on this yet?

volkdir

comment created time in a month

issue comment fwupd/firmware-lenovo-thinkpad

My lenovo X1 reboots and updates are not applied.

I did

sudo fwupdmgr refresh --force
sudo fwupdmgr update

and it still didn't update, but the following did result in a successful update

sudo fwupdmgr clear-history
sudo fwupdmgr clear-cache
sudo rm -rf /root/.cache/fwupd
sudo fwupdmgr refresh --force
sudo fwupdmgr update

lhirlimann

comment created time in 2 months

push event ackerleytng/.emacs.d

Ackerley Tng

commit sha e01a93abc1bc4542b77eec7e20c2a5c6980a1143

Disable lsp-ui-doc-mode

Ackerley Tng

commit sha 8b6109ad54bb7e49ec8c735cc4915c036a9f345b

Add google-c-style

push time in 2 months

push event ackerleytng/learn-cpp

Ackerley Tng

commit sha f1e1aab5bd67e07e8bc5dcbb6f076dbbe4d37209

Add exercises for 06

push time in 2 months

push event ackerleytng/learn-cpp

Ackerley Tng

commit sha 646dfa47f82b723755316bf55c936257aa750555

Add gitignores

Ackerley Tng

commit sha 7d0fb98cfc78107e61c49efb9ff6fee53290c544

Add exercises

push time in 2 months

push event ackerleytng/.emacs.d

Ackerley Tng

commit sha 73f7ad6b9a5ea73fa55f5a7c43603982d1fad708

Add lsp support for c++

push time in 2 months
