Add JWT Signature parameters and key types.

PiperOrigin-RevId: 625468585

Author: willinois

cc/jwt/BUILD.bazel

@@ -275,6 +275,37 @@ cc_library(
     ],
 )
 
+cc_library(
+    name = "jwt_signature_parameters",
+    hdrs = ["jwt_signature_parameters.h"],
+    include_prefix = "tink/jwt",
+    deps = ["//:parameters"],
+)
+
+cc_library(
+    name = "jwt_signature_public_key",
+    hdrs = ["jwt_signature_public_key.h"],
+    include_prefix = "tink/jwt",
+    deps = [
+        ":jwt_signature_parameters",
+        "//:key",
+        "@com_google_absl//absl/types:optional",
+    ],
+)
+
+cc_library(
+    name = "jwt_signature_private_key",
+    hdrs = ["jwt_signature_private_key.h"],
+    include_prefix = "tink/jwt",
+    deps = [
+        ":jwt_signature_parameters",
+        ":jwt_signature_public_key",
+        "//:key",
+        "//:private_key",
+        "@com_google_absl//absl/types:optional",
+    ],
+)
+
 # tests
 
 cc_test(

cc/jwt/CMakeLists.txt

@@ -252,6 +252,36 @@ tink_cc_library(
     tink::proto::tink_cc_proto
 )
 
+tink_cc_library(
+  NAME jwt_signature_parameters
+  SRCS
+    jwt_signature_parameters.h
+  DEPS
+    tink::core::parameters
+)
+
+tink_cc_library(
+  NAME jwt_signature_public_key
+  SRCS
+    jwt_signature_public_key.h
+  DEPS
+    tink::jwt::jwt_signature_parameters
+    absl::optional
+    tink::core::key
+)
+
+tink_cc_library(
+  NAME jwt_signature_private_key
+  SRCS
+    jwt_signature_private_key.h
+  DEPS
+    tink::jwt::jwt_signature_parameters
+    tink::jwt::jwt_signature_public_key
+    absl::optional
+    tink::core::key
+    tink::core::private_key
+)
+
 # tests
 
 tink_cc_test(

cc/jwt/jwt_signature_parameters.h

@@ -0,0 +1,35 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+#ifndef TINK_JWT_JWT_SIGNATURE_PARAMETERS_H_
+#define TINK_JWT_JWT_SIGNATURE_PARAMETERS_H_
+
+#include "tink/parameters.h"
+
+namespace crypto {
+namespace tink {
+
+// Describes a JWT signature key pair without the randomly chosen key material.
+class JwtSignatureParameters : public Parameters {
+  // Returns true if verification is allowed for tokens without a `kid` header.
+  virtual bool AllowKidAbsent() const = 0;
+};
+
+}  // namespace tink
+}  // namespace crypto
+
+
+#endif  // TINK_JWT_JWT_SIGNATURE_PARAMETERS_H_

cc/jwt/jwt_signature_private_key.h

@@ -0,0 +1,54 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+#ifndef TINK_JWT_JWT_SIGNATURE_PRIVATE_KEY_H_
+#define TINK_JWT_JWT_SIGNATURE_PRIVATE_KEY_H_
+
+#include <string>
+
+#include "absl/types/optional.h"
+#include "tink/jwt/jwt_signature_parameters.h"
+#include "tink/jwt/jwt_signature_public_key.h"
+#include "tink/key.h"
+#include "tink/private_key.h"
+
+namespace crypto {
+namespace tink {
+
+// Represents the signing function for a JWT Signature primitive.
+class JwtSignaturePrivateKey : public PrivateKey {
+ public:
+  const JwtSignaturePublicKey& GetPublicKey() const override = 0;
+
+  absl::optional<std::string> GetKid() const {
+    return GetPublicKey().GetKid();
+  }
+
+  absl::optional<int> GetIdRequirement() const override {
+    return GetPublicKey().GetIdRequirement();
+  }
+
+  const JwtSignatureParameters& GetParameters() const override {
+    return GetPublicKey().GetParameters();
+  }
+
+  bool operator==(const Key& other) const override = 0;
+};
+
+}  // namespace tink
+}  // namespace crypto
+
+#endif  // TINK_JWT_JWT_SIGNATURE_PRIVATE_KEY_H_

cc/jwt/jwt_signature_public_key.h

@@ -0,0 +1,59 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+#ifndef TINK_JWT_JWT_SIGNATURE_PUBLIC_KEY_H_
+#define TINK_JWT_JWT_SIGNATURE_PUBLIC_KEY_H_
+
+#include <string>
+
+#include "absl/types/optional.h"
+#include "tink/jwt/jwt_signature_parameters.h"
+#include "tink/key.h"
+
+namespace crypto {
+namespace tink {
+
+// Represents the verification function for a JWT Signature primitive.
+class JwtSignaturePublicKey : public Key {
+ public:
+  // Returns the `kid` to be used for this key
+  // (https://www.rfc-editor.org/rfc/rfc7517#section-4.5).
+  //
+  // Note that the `kid` is not necessarily related to Tink's key ID in the
+  // keyset.
+  //
+  // If present, this `kid` will be written into the `kid` header during
+  // `ComputeMacAndEncode()`. If absent, no `kid` will be written.
+  //
+  // If present, and the `kid` header is present, the contents of the
+  // `kid` header need to match the return value of this function for
+  // validation to succeed in `VerifyMacAndDecode()`.
+  //
+  // Note that `GetParameters().AllowKidAbsent()` specifies whether or not
+  // omitting the `kid` header is allowed. Of course, if
+  // `GetParameters().AllowKidAbsent()` returns false, then `GetKid()` must
+  // return a non-empty value.
+  virtual absl::optional<std::string> GetKid() const = 0;
+
+  const JwtSignatureParameters& GetParameters() const override = 0;
+
+  bool operator==(const Key& other) const override = 0;
+};
+
+}  // namespace tink
+}  // namespace crypto
+
+#endif  // TINK_JWT_JWT_SIGNATURE_PUBLIC_KEY_H_