#include #include "jwt-cpp/jwt.h" inline namespace test_keys { extern std::string rsa_priv_key; extern std::string rsa_pub_key; extern std::string rsa_pub_key_invalid; extern std::string rsa512_priv_key; extern std::string rsa512_pub_key; extern std::string rsa512_pub_key_invalid; extern std::string ecdsa256_certificate; extern std::string ecdsa256_priv_key; extern std::string ecdsa256_pub_key; extern std::string ecdsa256_pub_key_invalid; extern std::string ecdsa384_priv_key; extern std::string ecdsa384_pub_key; extern std::string ecdsa384_pub_key_invalid; extern std::string ecdsa521_priv_key; extern std::string ecdsa521_pub_key; extern std::string ecdsa521_pub_key_invalid; extern std::string ed25519_priv_key; extern std::string ed25519_pub_key; extern std::string ed25519_pub_key_invalid; extern std::string ed448_priv_key; extern std::string ed448_pub_key; extern std::string ed448_pub_key_invalid; } TEST(TokenTest, DecodeToken) { std::string token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.AbIJTDMFc7yUa5MhvcP03nJPyCPzZtQcGEp-zWfOkEE"; auto decoded = jwt::decode(token); ASSERT_TRUE(decoded.has_algorithm()); ASSERT_TRUE(decoded.has_type()); ASSERT_FALSE(decoded.has_content_type()); ASSERT_FALSE(decoded.has_key_id()); ASSERT_TRUE(decoded.has_issuer()); ASSERT_FALSE(decoded.has_subject()); ASSERT_FALSE(decoded.has_audience()); ASSERT_FALSE(decoded.has_expires_at()); ASSERT_FALSE(decoded.has_not_before()); ASSERT_FALSE(decoded.has_issued_at()); ASSERT_FALSE(decoded.has_id()); ASSERT_EQ("HS256", decoded.get_algorithm()); ASSERT_EQ("JWS", decoded.get_type()); ASSERT_EQ("auth0", decoded.get_issuer()); } TEST(TokenTest, CreateToken) { auto token = jwt::create() .set_issuer("auth0") .set_type("JWS") .sign(jwt::algorithm::none{}); ASSERT_EQ("eyJhbGciOiJub25lIiwidHlwIjoiSldTIn0.eyJpc3MiOiJhdXRoMCJ9.", token); } TEST(TokenTest, CreateTokenHS256) { auto token = jwt::create() .set_issuer("auth0") .set_type("JWS") .sign(jwt::algorithm::hs256{"secret"}); ASSERT_EQ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.AbIJTDMFc7yUa5MhvcP03nJPyCPzZtQcGEp-zWfOkEE", token); } TEST(TokenTest, CreateTokenRS256) { auto token = jwt::create() .set_issuer("auth0") .set_type("JWS") .sign(jwt::algorithm::rs256(rsa_pub_key, rsa_priv_key, "", "")); ASSERT_EQ( "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.VA2i1ui1cnoD6I3wnji1WAVCf29EekysvevGrT2GXqK1dDMc8" "HAZCTQxa1Q8NppnpYV-hlqxh-X3Bb0JOePTGzjynpNZoJh2aHZD-GKpZt7OO1Zp8AFWPZ3p8Cahq8536fD8RiBES9jRsvChZvOqA7gMcFc4" "YD0iZhNIcI7a654u5yPYyTlf5kjR97prCf_OXWRn-bYY74zna4p_bP9oWCL4BkaoRcMxi-IR7kmVcCnvbYqyIrKloXP2qPO442RBGqU7Ov9" "sGQxiVqtRHKXZR9RbfvjrErY1KGiCp9M5i2bsUHadZEY44FE2jiOmx-uc2z5c05CCXqVSpfCjWbh9gQ", token); } TEST(TokenTest, CreateTokenRS512) { auto token = jwt::create() .set_issuer("auth0") .set_type("JWS") .sign(jwt::algorithm::rs512(rsa512_pub_key, rsa512_priv_key, "", "")); ASSERT_EQ( "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.GZhnjtsvBl2_KDSxg4JW6xnmNjr2mWhYSZSSQyLKvI0" "TK86sJKchkt_HDy2IC5l5BGRhq_Xv9pHdA1umidQZG3a7gWvHsujqybCBgBraMTd1wJrCl4QxFg2RYHhHbRqb9BnPJgFD_vryd4GB" "hfGgejPBCBlGrQtqFGFdHHOjNHY", token); } TEST(TokenTest, CreateTokenPS256) { auto token = jwt::create() .set_issuer("auth0") .set_type("JWS") .sign(jwt::algorithm::ps256(rsa_pub_key, rsa_priv_key, "", "")); // TODO: Find a better way to check if generated signature is valid // Can't do simple check for equal since pss adds random salt. } TEST(TokenTest, CreateTokenPS384) { auto token = jwt::create() .set_issuer("auth0") .set_type("JWS") .sign(jwt::algorithm::ps384(rsa_pub_key, rsa_priv_key, "", "")); // TODO: Find a better way to check if generated signature is valid // Can't do simple check for equal since pss adds random salt. } TEST(TokenTest, CreateTokenPS512) { auto token = jwt::create() .set_issuer("auth0") .set_type("JWS") .sign(jwt::algorithm::ps512(rsa_pub_key, rsa_priv_key, "", "")); // TODO: Find a better way to check if generated signature is valid // Can't do simple check for equal since pss adds random salt. } TEST(TokenTest, CreateTokenES256) { auto token = jwt::create() .set_issuer("auth0") .set_type("JWS") .sign(jwt::algorithm::es256("", ecdsa256_priv_key, "", "")); auto decoded = jwt::decode(token); ASSERT_THROW(jwt::verify().allow_algorithm(jwt::algorithm::es256(ecdsa256_pub_key_invalid, "", "", "")).verify(decoded), jwt::signature_verification_exception); ASSERT_NO_THROW(jwt::verify().allow_algorithm(jwt::algorithm::es256(ecdsa256_pub_key, "", "", "")).verify(decoded)); } TEST(TokenTest, CreateTokenES256NoPrivate) { ASSERT_THROW([](){ auto token = jwt::create() .set_issuer("auth0") .set_type("JWS") .sign(jwt::algorithm::es256(ecdsa256_pub_key, "", "", "")); }(), jwt::signature_generation_exception); } TEST(TokenTest, CreateTokenES384) { auto token = jwt::create() .set_issuer("auth0") .set_type("JWS") .sign(jwt::algorithm::es384("", ecdsa384_priv_key, "", "")); auto decoded = jwt::decode(token); ASSERT_THROW(jwt::verify().allow_algorithm(jwt::algorithm::es384(ecdsa384_pub_key_invalid, "", "", "")).verify(decoded), jwt::signature_verification_exception); ASSERT_NO_THROW(jwt::verify().allow_algorithm(jwt::algorithm::es384(ecdsa384_pub_key, "", "", "")).verify(decoded)); } TEST(TokenTest, CreateTokenES384NoPrivate) { ASSERT_THROW([](){ auto token = jwt::create() .set_issuer("auth0") .set_type("JWS") .sign(jwt::algorithm::es384(ecdsa384_pub_key, "", "", "")); }(), jwt::signature_generation_exception); } TEST(TokenTest, CreateTokenES512) { auto token = jwt::create() .set_issuer("auth0") .set_type("JWS") .sign(jwt::algorithm::es512("", ecdsa521_priv_key, "", "")); auto decoded = jwt::decode(token); ASSERT_THROW(jwt::verify().allow_algorithm(jwt::algorithm::es512(ecdsa521_pub_key_invalid, "", "", "")).verify(decoded), jwt::signature_verification_exception); ASSERT_NO_THROW(jwt::verify().allow_algorithm(jwt::algorithm::es512(ecdsa521_pub_key, "", "", "")).verify(decoded)); } TEST(TokenTest, CreateTokenES512NoPrivate) { ASSERT_THROW([](){ auto token = jwt::create() .set_issuer("auth0") .set_type("JWS") .sign(jwt::algorithm::es512(ecdsa521_pub_key, "", "", "")); }(), jwt::signature_generation_exception); } #ifndef OPENSSL110 TEST(TokenTest, CreateTokenEd25519) { auto token = jwt::create() .set_issuer("auth0") .set_type("JWS") .sign(jwt::algorithm::ed25519("", ed25519_priv_key, "", "")); auto decoded = jwt::decode(token); ASSERT_THROW(jwt::verify().allow_algorithm(jwt::algorithm::ed25519(ed25519_pub_key_invalid, "", "", "")).verify(decoded), jwt::signature_verification_exception); ASSERT_NO_THROW(jwt::verify().allow_algorithm(jwt::algorithm::ed25519(ed25519_pub_key, "", "", "")).verify(decoded)); } TEST(TokenTest, CreateTokenEd448) { auto token = jwt::create() .set_issuer("auth0") .set_type("JWS") .sign(jwt::algorithm::ed448("", ed448_priv_key, "", "")); auto decoded = jwt::decode(token); ASSERT_THROW(jwt::verify().allow_algorithm(jwt::algorithm::ed448(ed448_pub_key_invalid, "", "", "")).verify(decoded), jwt::signature_verification_exception); ASSERT_NO_THROW(jwt::verify().allow_algorithm(jwt::algorithm::ed448(ed448_pub_key, "", "", "")).verify(decoded)); } #endif TEST(TokenTest, VerifyTokenWrongAlgorithm) { std::string token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.VA2i1ui1cnoD6I3wnji1WAVCf29EekysvevGrT2GXqK1dDMc8" "HAZCTQxa1Q8NppnpYV-hlqxh-X3Bb0JOePTGzjynpNZoJh2aHZD-GKpZt7OO1Zp8AFWPZ3p8Cahq8536fD8RiBES9jRsvChZvOqA7gMcFc4" "YD0iZhNIcI7a654u5yPYyTlf5kjR97prCf_OXWRn-bYY74zna4p_bP9oWCL4BkaoRcMxi-IR7kmVcCnvbYqyIrKloXP2qPO442RBGqU7Ov9" "sGQxiVqtRHKXZR9RbfvjrErY1KGiCp9M5i2bsUHadZEY44FE2jiOmx-uc2z5c05CCXqVSpfCjWbh9gQ"; auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::none{}) .with_issuer("auth0"); auto decoded_token = jwt::decode(token); ASSERT_THROW(verify.verify(decoded_token), jwt::token_verification_exception); } TEST(TokenTest, VerifyTokenNoneFail) { // None algorithm should not have a signature std::string token = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJpYXQiOjE1OTUyNjc1MTZ9.cmFuZG9tc2ln"; auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::none{}); auto decoded_token = jwt::decode(token); ASSERT_THROW(verify.verify(decoded_token), jwt::signature_verification_exception); } TEST(TokenTest, VerifyTokenRS256FailNoKey) { ASSERT_THROW([](){ auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::rs256("", "", "", "")) .with_issuer("auth0"); }(), jwt::rsa_exception); } TEST(TokenTest, VerifyTokenRS256) { std::string token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.VA2i1ui1cnoD6I3wnji1WAVCf29EekysvevGrT2GXqK1dDMc8" "HAZCTQxa1Q8NppnpYV-hlqxh-X3Bb0JOePTGzjynpNZoJh2aHZD-GKpZt7OO1Zp8AFWPZ3p8Cahq8536fD8RiBES9jRsvChZvOqA7gMcFc4" "YD0iZhNIcI7a654u5yPYyTlf5kjR97prCf_OXWRn-bYY74zna4p_bP9oWCL4BkaoRcMxi-IR7kmVcCnvbYqyIrKloXP2qPO442RBGqU7Ov9" "sGQxiVqtRHKXZR9RbfvjrErY1KGiCp9M5i2bsUHadZEY44FE2jiOmx-uc2z5c05CCXqVSpfCjWbh9gQ"; auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::rs256(rsa_pub_key, rsa_priv_key, "", "")) .with_issuer("auth0"); auto decoded_token = jwt::decode(token); verify.verify(decoded_token); } TEST(TokenTest, VerifyTokenRS256PublicOnly) { std::string token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.VA2i1ui1cnoD6I3wnji1WAVCf29EekysvevGrT2GXqK1dDMc8" "HAZCTQxa1Q8NppnpYV-hlqxh-X3Bb0JOePTGzjynpNZoJh2aHZD-GKpZt7OO1Zp8AFWPZ3p8Cahq8536fD8RiBES9jRsvChZvOqA7gMcFc4" "YD0iZhNIcI7a654u5yPYyTlf5kjR97prCf_OXWRn-bYY74zna4p_bP9oWCL4BkaoRcMxi-IR7kmVcCnvbYqyIrKloXP2qPO442RBGqU7Ov9" "sGQxiVqtRHKXZR9RbfvjrErY1KGiCp9M5i2bsUHadZEY44FE2jiOmx-uc2z5c05CCXqVSpfCjWbh9gQ"; auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::rs256(rsa_pub_key, "", "", "")) .with_issuer("auth0"); auto decoded_token = jwt::decode(token); verify.verify(decoded_token); } TEST(TokenTest, VerifyTokenRS256PrivateOnly) { std::string token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.VA2i1ui1cnoD6I3wnji1WAVCf29EekysvevGrT2GXqK1dDMc8" "HAZCTQxa1Q8NppnpYV-hlqxh-X3Bb0JOePTGzjynpNZoJh2aHZD-GKpZt7OO1Zp8AFWPZ3p8Cahq8536fD8RiBES9jRsvChZvOqA7gMcFc4" "YD0iZhNIcI7a654u5yPYyTlf5kjR97prCf_OXWRn-bYY74zna4p_bP9oWCL4BkaoRcMxi-IR7kmVcCnvbYqyIrKloXP2qPO442RBGqU7Ov9" "sGQxiVqtRHKXZR9RbfvjrErY1KGiCp9M5i2bsUHadZEY44FE2jiOmx-uc2z5c05CCXqVSpfCjWbh9gQ"; auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::rs256("", rsa_priv_key, "", "")) .with_issuer("auth0"); auto decoded_token = jwt::decode(token); verify.verify(decoded_token); } TEST(TokenTest, VerifyTokenRS256Fail) { std::string token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.VA2i1ui1cnoD6I3wnji1WAVCf29EekysvevGrT2GXqK1dDMc8" "HAZCTQxa1Q8NppnpYV-hlqxh-X3Bb0JOePTGzjynpNZoJh2aHZD-GKpZt7OO1Zp8AFWPZ3p8Cahq8536fD8RiBES9jRsvChZvOqA7gMcFc4" "YD0iZhNIcI7a654u5yPYyTlf5kjR97prCf_OXWRn-bYY74zna4p_bP9oWCL4BkaoRcMxi-IR7kmVcCnvbYqyIrKloXP2qPO442RBGqU7Ov9" "sGQxiVqtRHKXZR9RbfvjrErY1KGiCp9M5i2bsUHadZEY44FE2jiOmx-uc2z5c05CCXqVSpfCjWbh9gQ"; auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::rs256(rsa_pub_key_invalid, "", "", "")) .with_issuer("auth0"); auto decoded_token = jwt::decode(token); ASSERT_THROW(verify.verify(decoded_token), jwt::signature_verification_exception); } TEST(TokenTest, VerifyTokenRS512) { std::string token = "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.GZhnjtsvBl2_KDSxg4JW6xnmNjr2mWhYSZ" "SSQyLKvI0TK86sJKchkt_HDy2IC5l5BGRhq_Xv9pHdA1umidQZG3a7gWvHsujqybCBgBraMTd1wJrCl4QxFg2RYHhHbRqb9BnPJgFD_vryd4" "GBhfGgejPBCBlGrQtqFGFdHHOjNHY"; auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::rs512(rsa512_pub_key, rsa512_priv_key, "", "")) .with_issuer("auth0"); auto decoded_token = jwt::decode(token); verify.verify(decoded_token); } TEST(TokenTest, VerifyTokenRS512PublicOnly) { std::string token = "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.GZhnjtsvBl2_KDSxg4JW6xnmNjr2mWhYSZ" "SSQyLKvI0TK86sJKchkt_HDy2IC5l5BGRhq_Xv9pHdA1umidQZG3a7gWvHsujqybCBgBraMTd1wJrCl4QxFg2RYHhHbRqb9BnPJgFD_vryd4" "GBhfGgejPBCBlGrQtqFGFdHHOjNHY"; auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::rs512(rsa512_pub_key, "", "", "")) .with_issuer("auth0"); auto decoded_token = jwt::decode(token); verify.verify(decoded_token); } TEST(TokenTest, VerifyTokenRS512PrivateOnly) { std::string token = "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.GZhnjtsvBl2_KDSxg4JW6xnmNjr2mWhYSZ" "SSQyLKvI0TK86sJKchkt_HDy2IC5l5BGRhq_Xv9pHdA1umidQZG3a7gWvHsujqybCBgBraMTd1wJrCl4QxFg2RYHhHbRqb9BnPJgFD_vryd4" "GBhfGgejPBCBlGrQtqFGFdHHOjNHY"; auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::rs512("", rsa512_priv_key, "", "")) .with_issuer("auth0"); auto decoded_token = jwt::decode(token); verify.verify(decoded_token); } TEST(TokenTest, VerifyTokenRS512Fail) { std::string token = "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.GZhnjtsvBl2_KDSxg4JW6xnmNjr2mWhYSZ" "SSQyLKvI0TK86sJKchkt_HDy2IC5l5BGRhq_Xv9pHdA1umidQZG3a7gWvHsujqybCBgBraMTd1wJrCl4QxFg2RYHhHbRqb9BnPJgFD_vryd4" "GBhfGgejPBCBlGrQtqFGFdHHOjNHY"; auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::rs512(rsa_pub_key_invalid, "", "", "")) .with_issuer("auth0"); auto decoded_token = jwt::decode(token); ASSERT_THROW(verify.verify(decoded_token), jwt::signature_verification_exception); } TEST(TokenTest, VerifyTokenHS256) { std::string token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.AbIJTDMFc7yUa5MhvcP03nJPyCPzZtQcGEp-zWfOkEE"; auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::hs256{ "secret" }) .with_issuer("auth0"); auto decoded_token = jwt::decode(token); verify.verify(decoded_token); } TEST(TokenTest, VerifyTokenHS256Fail) { std::string token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.AbIJTDMFc7yUa5MhvcP03nJPyCPzZtQcGEp-zWfOkEE"; auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::hs256{ "wrongsecret" }) .with_issuer("auth0"); auto decoded_token = jwt::decode(token); ASSERT_THROW(verify.verify(decoded_token), jwt::signature_verification_exception); } TEST(TokenTest, VerifyTokenHS256FailSignatureLength) { std::string token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.AbIJTDMFc7yUa5MhvcP03nJPyCPzZtQcGEp-zWfOkA"; auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::hs256{ "secret" }) .with_issuer("auth0"); auto decoded_token = jwt::decode(token); ASSERT_THROW(verify.verify(decoded_token), jwt::signature_verification_exception); } TEST(TokenTest, VerifyFail) { { auto token = jwt::create() .set_issuer("auth0") .set_type("JWS") .set_audience("random") .set_payload_claim("typetest", picojson::value(10.0)) .sign(jwt::algorithm::none{}); auto decoded_token = jwt::decode(token); { auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::none{}) .with_issuer("auth"); ASSERT_THROW(verify.verify(decoded_token), jwt::token_verification_exception); } { auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::none{}) .with_issuer("auth0") .with_audience(std::set{ "test" }); ASSERT_THROW(verify.verify(decoded_token), jwt::token_verification_exception); } { auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::none{}) .with_issuer("auth0") .with_audience("test"); ASSERT_THROW(verify.verify(decoded_token), jwt::token_verification_exception); } { auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::none{}) .with_issuer("auth0") .with_subject("test"); ASSERT_THROW(verify.verify(decoded_token), jwt::token_verification_exception); } { auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::none{}) .with_issuer("auth0") .with_claim("myclaim", jwt::claim(std::string("test"))); ASSERT_THROW(verify.verify(decoded_token), jwt::token_verification_exception); } { auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::none{}) .with_issuer("auth0") .with_claim("typetest", jwt::claim(picojson::value(true))); ASSERT_THROW(verify.verify(decoded_token), jwt::token_verification_exception); } { jwt::claim object; std::istringstream iss{ R"({ "test": null })" }; iss >> object; ASSERT_EQ(object.get_type(), jwt::json::type::object); auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::none{}) .with_issuer("auth0") .with_claim("myclaim", object); ASSERT_THROW(verify.verify(decoded_token), jwt::token_verification_exception); } } { auto token = jwt::create() .set_issuer("auth0") .set_type("JWS") .sign(jwt::algorithm::none{}); auto decoded_token = jwt::decode(token); { auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::none{}) .with_issuer("auth0") .with_audience("test"); ASSERT_THROW(verify.verify(decoded_token), jwt::token_verification_exception); } } } TEST(TokenTest, VerifyTokenES256FailNoKey) { ASSERT_THROW([](){ auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::es256("", "", "", "")) .with_issuer("auth0"); }(), jwt::ecdsa_exception); } TEST(TokenTest, VerifyTokenES256) { const std::string token = "eyJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJhdXRoMCJ9.4iVk3-Y0v4RT4_9IaQlp-8dZ_4fsTzIylgrPTDLrEvTHBTyVS3tgPbr2_IZfLETtiKRqCg0aQ5sh9eIsTTwB1g"; auto verify = jwt::verify().allow_algorithm(jwt::algorithm::es256(ecdsa256_pub_key, "", "", "")); auto decoded_token = jwt::decode(token); verify.verify(decoded_token); } TEST(TokenTest, VerifyTokenES256Fail) { const std::string token = "eyJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJhdXRoMCJ9.4iVk3-Y0v4RT4_9IaQlp-8dZ_4fsTzIylgrPTDLrEvTHBTyVS3tgPbr2_IZfLETtiKRqCg0aQ5sh9eIsTTwB1g"; auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::es256(ecdsa256_pub_key_invalid, "", "", "")); auto decoded_token = jwt::decode(token); ASSERT_THROW(verify.verify(decoded_token), jwt::signature_verification_exception); } TEST(TokenTest, VerifyTokenES384) { const std::string token = "eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.nTUwWanmj_K1VZM5it1ES-1FbnmRDL-lH3V_Fem-AhMur9Q61yZfKIydrpdavkm_SMxEsUGPVoqkpoEsjFjrtzMDs5s9yaFYD_ydiy1dsn9VbcI55voA3XwEcWFiPHri"; auto verify = jwt::verify().allow_algorithm(jwt::algorithm::es384(ecdsa384_pub_key, "", "", "")); auto decoded_token = jwt::decode(token); verify.verify(decoded_token); } TEST(TokenTest, VerifyTokenES384Fail) { const std::string token = "eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.nTUwWanmj_K1VZM5it1ES-1FbnmRDL-lH3V_Fem-AhMur9Q61yZfKIydrpdavkm_SMxEsUGPVoqkpoEsjFjrtzMDs5s9yaFYD_ydiy1dsn9VbcI55voA3XwEcWFiPHri"; auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::es384(ecdsa384_pub_key_invalid, "", "", "")); auto decoded_token = jwt::decode(token); ASSERT_THROW(verify.verify(decoded_token), jwt::signature_verification_exception); } TEST(TokenTest, VerifyTokenES521) { const std::string token = "eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.ASF5hh9_Jyujzm3GRBttoth-3I6lCcwqun9Tt7Ekz9_23BN6-BFgwKidECWCNc4VINEqFEFdApC2y3YRdkpKX2etAWI7yYudAlxJ7Z17m6GwAoLOGaeNonsaKOe1UnC5W86eoXrCoPRgzsFTpKIb8NiolcYWjIY-r8gQd7BZ7whaj9Ft"; auto verify = jwt::verify().allow_algorithm(jwt::algorithm::es512(ecdsa521_pub_key, "", "", "")); auto decoded_token = jwt::decode(token); verify.verify(decoded_token); } TEST(TokenTest, VerifyTokenES521Fail) { const std::string token = "eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.ASF5hh9_Jyujzm3GRBttoth-3I6lCcwqun9Tt7Ekz9_23BN6-BFgwKidECWCNc4VINEqFEFdApC2y3YRdkpKX2etAWI7yYudAlxJ7Z17m6GwAoLOGaeNonsaKOe1UnC5W86eoXrCoPRgzsFTpKIb8NiolcYWjIY-r8gQd7BZ7whaj9Ft"; auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::es512(ecdsa521_pub_key_invalid, "", "", "")); auto decoded_token = jwt::decode(token); ASSERT_THROW(verify.verify(decoded_token), jwt::signature_verification_exception); } TEST(TokenTest, VerifyTokenPS256) { std::string token = "eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.CJ4XjVWdbV6vXGZkD4GdJbtYc80SN9cmPOqRhZBRzOyDRqTFE" "4MsbdKyQuhAWcvuMOjn-24qOTjVMR_P_uTC1uG6WPLcucxZyLnbb56zbKnEklW2SX0mQnCGewr-93a_vDaFT6Cp45MsF_OwFPRCMaS5CJg-" "N5KY67UrVSr3s9nkuK9ZTQkyODHfyEUh9F_FhRCATGrb5G7_qHqBYvTvaPUXqzhhpCjN855Tocg7A24Hl0yMwM-XdasucW5xNdKjG_YCkis" "HX7ax--JiF5GNYCO61eLFteO4THUg-3Z0r4OlGqlppyWo5X5tjcxOZCvBh7WDWfkxA48KFZPRv0nlKA"; auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::ps256(rsa_pub_key, rsa_priv_key, "", "")) .with_issuer("auth0"); auto decoded_token = jwt::decode(token); verify.verify(decoded_token); } TEST(TokenTest, VerifyTokenPS256PublicOnly) { std::string token = "eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.CJ4XjVWdbV6vXGZkD4GdJbtYc80SN9cmPOqRhZBRzOyDRqTFE" "4MsbdKyQuhAWcvuMOjn-24qOTjVMR_P_uTC1uG6WPLcucxZyLnbb56zbKnEklW2SX0mQnCGewr-93a_vDaFT6Cp45MsF_OwFPRCMaS5CJg-" "N5KY67UrVSr3s9nkuK9ZTQkyODHfyEUh9F_FhRCATGrb5G7_qHqBYvTvaPUXqzhhpCjN855Tocg7A24Hl0yMwM-XdasucW5xNdKjG_YCkis" "HX7ax--JiF5GNYCO61eLFteO4THUg-3Z0r4OlGqlppyWo5X5tjcxOZCvBh7WDWfkxA48KFZPRv0nlKA"; auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::ps256(rsa_pub_key, "", "", "")) .with_issuer("auth0"); auto decoded_token = jwt::decode(token); verify.verify(decoded_token); } TEST(TokenTest, VerifyTokenPS256Fail) { std::string token = "eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.CJ4XjVWdbV6vXGZkD4GdJbtYc80SN9cmPOqRhZBRzOyDRqTFE" "4MsbdKyQuhAWcvuMOjn-24qOTjVMR_P_uTC1uG6WPLcucxZyLnbb56zbKnEklW2SX0mQnCGewr-93a_vDaFT6Cp45MsF_OwFPRCMaS5CJg-" "N5KY67UrVSr3s9nkuK9ZTQkyODHfyEUh9F_FhRCATGrb5G7_qHqBYvTvaPUXqzhhpCjN855Tocg7A24Hl0yMwM-XdasucW5xNdKjG_YCkis" "HX7ax--JiF5GNYCO61eLFteO4THUg-3Z0r4OlGqlppyWo5X5tjcxOZCvBh7WDWfkxA48KFZPRv0nlKA"; auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::ps256(rsa_pub_key_invalid, "", "", "")) .with_issuer("auth0"); auto decoded_token = jwt::decode(token); ASSERT_THROW(verify.verify(decoded_token), jwt::signature_verification_exception); } TEST(TokenTest, VerifyTokenPS256FailNoKey) { ASSERT_THROW([](){ auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::ps256("", "", "", "")) .with_issuer("auth0"); }(), jwt::rsa_exception); } #ifndef OPENSSL110 TEST(TokenTest, VerifyTokenEd25519) { const std::string token = "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.OujgVcO8xQx5xLcAYWENCRU1SCGH5HcX4MX4o6wU3M4" "DOnKiNmc0O2AnvQlzr-9cgI4QGQzeC6gz_fgLoesADg"; auto verify = jwt::verify().allow_algorithm(jwt::algorithm::ed25519(ed25519_pub_key, "", "", "")); auto decoded_token = jwt::decode(token); verify.verify(decoded_token); } TEST(TokenTest, VerifyTokenEd25519Fail) { const std::string token = "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.OujgVcO8xQx5xLcAYWENCRU1SCGH5HcX4MX4o6wU3M4" "DOnKiNmc0O2AnvQlzr-9cgI4QGQzeC6gz_fgLoesADg"; auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::ed25519(ed25519_pub_key_invalid, "", "", "")); auto decoded_token = jwt::decode(token); ASSERT_THROW(verify.verify(decoded_token), jwt::signature_verification_exception); } TEST(TokenTest, VerifyTokenEd448) { const std::string token = "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.Aldes9jrXZXxfNjuovqmIZ3r2WF4yVXVr2Q8B8SkAmv" "Bsw_3MHs8HtgKeXbqKFYWpHOCtmZJcH-AWMvoY6FCNdQqbESGTkv58O6tFbXDD_nLejWNAOuvcO2LPMySmkVNQUopmQf_HO62Mug1ngepUDE" "A"; auto verify = jwt::verify().allow_algorithm(jwt::algorithm::ed448(ed448_pub_key, "", "", "")); auto decoded_token = jwt::decode(token); verify.verify(decoded_token); } TEST(TokenTest, VerifyTokenEd448Fail) { const std::string token = "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.Aldes9jrXZXxfNjuovqmIZ3r2WF4yVXVr2Q8B8SkAmv" "Bsw_3MHs8HtgKeXbqKFYWpHOCtmZJcH-AWMvoY6FCNdQqbESGTkv58O6tFbXDD_nLejWNAOuvcO2LPMySmkVNQUopmQf_HO62Mug1ngepUDE" "A"; auto verify = jwt::verify() .allow_algorithm(jwt::algorithm::ed448(ed448_pub_key_invalid, "", "", "")); auto decoded_token = jwt::decode(token); ASSERT_THROW(verify.verify(decoded_token), jwt::signature_verification_exception); } #endif struct test_clock { jwt::date n; jwt::date now() const { return n; } }; TEST(TokenTest, VerifyTokenExpireFail) { auto token = jwt::create().set_expires_at(std::chrono::system_clock::from_time_t(100)).sign(jwt::algorithm::none{}); auto decoded_token = jwt::decode(token); auto verify = jwt::verify({std::chrono::system_clock::from_time_t(110)}) .allow_algorithm(jwt::algorithm::none{}); ASSERT_THROW(verify.verify(decoded_token), jwt::token_verification_exception); std::error_code ec; ASSERT_NO_THROW(verify.verify(decoded_token, ec)); ASSERT_TRUE(!(!ec)); ASSERT_EQ(ec.category(), jwt::error::token_verification_error_category()); ASSERT_EQ(ec.value(), static_cast(jwt::error::token_verification_error::token_expired)); } TEST(TokenTest, VerifyTokenExpire) { auto token = jwt::create().set_expires_at(std::chrono::system_clock::from_time_t(100)).sign(jwt::algorithm::none{}); auto decoded_token = jwt::decode(token); auto verify = jwt::verify({std::chrono::system_clock::from_time_t(90)}) .allow_algorithm(jwt::algorithm::none{}); ASSERT_NO_THROW(verify.verify(decoded_token)); std::error_code ec; ASSERT_NO_THROW(verify.verify(decoded_token, ec)); ASSERT_FALSE(!(!ec)); ASSERT_EQ(ec.value(), 0); } TEST(TokenTest, VerifyTokenNBFFail) { auto token = jwt::create().set_not_before(std::chrono::system_clock::from_time_t(100)).sign(jwt::algorithm::none{}); auto decoded_token = jwt::decode(token); auto verify = jwt::verify({std::chrono::system_clock::from_time_t(90)}) .allow_algorithm(jwt::algorithm::none{}); ASSERT_THROW(verify.verify(decoded_token), jwt::token_verification_exception); std::error_code ec; ASSERT_NO_THROW(verify.verify(decoded_token, ec)); ASSERT_TRUE(!(!ec)); ASSERT_EQ(ec.category(), jwt::error::token_verification_error_category()); ASSERT_EQ(ec.value(), static_cast(jwt::error::token_verification_error::token_expired)); } TEST(TokenTest, VerifyTokenNBF) { auto token = jwt::create().set_not_before(std::chrono::system_clock::from_time_t(100)).sign(jwt::algorithm::none{}); auto decoded_token = jwt::decode(token); auto verify = jwt::verify({std::chrono::system_clock::from_time_t(110)}) .allow_algorithm(jwt::algorithm::none{}); ASSERT_NO_THROW(verify.verify(decoded_token)); std::error_code ec; ASSERT_NO_THROW(verify.verify(decoded_token, ec)); ASSERT_FALSE(!(!ec)); ASSERT_EQ(ec.value(), 0); } TEST(TokenTest, VerifyTokenIATFail) { auto token = jwt::create().set_issued_at(std::chrono::system_clock::from_time_t(100)).sign(jwt::algorithm::none{}); auto decoded_token = jwt::decode(token); auto verify = jwt::verify({std::chrono::system_clock::from_time_t(90)}) .allow_algorithm(jwt::algorithm::none{}); ASSERT_THROW(verify.verify(decoded_token), jwt::token_verification_exception); std::error_code ec; ASSERT_NO_THROW(verify.verify(decoded_token, ec)); ASSERT_TRUE(!(!ec)); ASSERT_EQ(ec.category(), jwt::error::token_verification_error_category()); ASSERT_EQ(ec.value(), static_cast(jwt::error::token_verification_error::token_expired)); } TEST(TokenTest, VerifyTokenIAT) { auto token = jwt::create().set_issued_at(std::chrono::system_clock::from_time_t(100)).sign(jwt::algorithm::none{}); auto decoded_token = jwt::decode(token); auto verify = jwt::verify({std::chrono::system_clock::from_time_t(110)}) .allow_algorithm(jwt::algorithm::none{}); ASSERT_NO_THROW(verify.verify(decoded_token)); std::error_code ec; ASSERT_NO_THROW(verify.verify(decoded_token, ec)); ASSERT_FALSE(!(!ec)); ASSERT_EQ(ec.value(), 0); } TEST(TokenTest, GetClaimThrows) { auto token = "eyJhbGciOiJub25lIiwidHlwIjoiSldTIn0.eyJpc3MiOiJhdXRoMCJ9."; auto decoded_token = jwt::decode(token); ASSERT_THROW(decoded_token.get_header_claim("test"), std::runtime_error); ASSERT_THROW(decoded_token.get_payload_claim("test"), std::runtime_error); } TEST(TokenTest, ThrowInvalidKeyLength) { // We should throw if passed the wrong size ASSERT_THROW(jwt::algorithm::es256(ecdsa384_pub_key, ""), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es256("", ecdsa384_priv_key), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es256(ecdsa384_pub_key, ecdsa384_priv_key), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es256(ecdsa521_pub_key, ""), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es256("", ecdsa521_priv_key), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es256(ecdsa521_pub_key, ecdsa521_priv_key), jwt::ecdsa_exception); // But also if only one cert has the wrong size ASSERT_THROW(jwt::algorithm::es256(ecdsa256_pub_key, ecdsa384_priv_key), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es256(ecdsa256_pub_key, ecdsa521_priv_key), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es256(ecdsa384_pub_key, ecdsa256_priv_key), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es256(ecdsa521_pub_key, ecdsa256_priv_key), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es384(ecdsa256_pub_key, ""), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es384("", ecdsa256_priv_key), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es384(ecdsa256_pub_key, ecdsa256_priv_key), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es384(ecdsa521_pub_key, ""), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es384("", ecdsa521_priv_key), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es384(ecdsa521_pub_key, ecdsa521_priv_key), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es384(ecdsa384_pub_key, ecdsa256_priv_key), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es384(ecdsa384_pub_key, ecdsa521_priv_key), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es384(ecdsa256_pub_key, ecdsa384_priv_key), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es384(ecdsa521_pub_key, ecdsa384_priv_key), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es512(ecdsa256_pub_key, ""), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es512("", ecdsa256_priv_key), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es512(ecdsa256_pub_key, ecdsa256_priv_key), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es512(ecdsa384_pub_key, ""), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es512("", ecdsa384_priv_key), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es512(ecdsa384_pub_key, ecdsa384_priv_key), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es512(ecdsa521_pub_key, ecdsa256_priv_key), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es512(ecdsa521_pub_key, ecdsa384_priv_key), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es512(ecdsa256_pub_key, ecdsa521_priv_key), jwt::ecdsa_exception); ASSERT_THROW(jwt::algorithm::es512(ecdsa384_pub_key, ecdsa521_priv_key), jwt::ecdsa_exception); // Make sure we do not throw if the correct params are passed ASSERT_NO_THROW(jwt::algorithm::es256(ecdsa256_pub_key, ecdsa256_priv_key)); ASSERT_NO_THROW(jwt::algorithm::es384(ecdsa384_pub_key, ecdsa384_priv_key)); ASSERT_NO_THROW(jwt::algorithm::es512(ecdsa521_pub_key, ecdsa521_priv_key)); }