lib: app_jwt: add an application core jwt generator and add a sample for usage #19561
Conversation
ayla-nordicsemi
requested review from
tokangas,
mwinblad-n,
parttimaa and
mparpala
github-actions
bot
added
the
changelog-entry-required
CI InformationTo view the history of this post, clich the 'edited' button above Inputs:Sources:more detailsGithub labels
List of changed files detected by CI (0)Outputs:ToolchainVersion: Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped;
|
ayla-nordicsemi
force-pushed
the
add_jwt_generation_for_user_application
branch
from
ebc5af3 to
4b8344f
Compare
github-actions
bot
added
doc-required
There was a problem hiding this comment.
The commit message needs some work. If the name of the library is user_app_jwt, the title should start with lib: user_app_jwt:. There should be empty lines after the title and before the signature. Add also a description for the commit, in addition to the Jira item, which is internal.
I did not go through the whole PR yet, will continue later.
ayla-nordicsemi
force-pushed
the
add_jwt_generation_for_user_application
branch
from
4b8344f to
c534625
Compare
ayla-nordicsemi
changed the title
ayla-nordicsemi
force-pushed
the
add_jwt_generation_for_user_application
branch
7 times, most recently
from
406a065 to
87a8425
Compare
ayla-nordicsemi
force-pushed
the
add_jwt_generation_for_user_application
branch
from
703aa8e to
be3bd43
Compare
|
You can find the documentation preview for this PR at this link. Note: This comment is automatically posted by the Documentation Publish GitHub Action. |
ayla-nordicsemi
force-pushed
the
add_jwt_generation_for_user_application
branch
5 times, most recently
from
bfeeb2e to
ad0f24c
Compare
ayla-nordicsemi
force-pushed
the
add_jwt_generation_for_user_application
branch
from
ad0f24c to
ff379df
Compare
samples/jwt/src/main.c
Outdated
| LOG_INF("JWT(%d) : %s", strlen(jwt_str), jwt_str); | ||
| } else { | ||
| LOG_ERR("jwt_generate error : %d", ret); | ||
| }; |
There was a problem hiding this comment.
Editorial: Extra semicolon (;) at the end of this line.
ayla-nordicsemi
force-pushed
the
add_jwt_generation_for_user_application
branch
2 times, most recently
from
03eca79 to
381e21e
Compare
include/app_jwt.h
Outdated
| JWT_KEY_TYPE_ENDORSEMENT = 8, | ||
| }; | ||
|
|
||
| /**@brief JWT signing algorithm */ |
There was a problem hiding this comment.
differs from other help text with space before brief
include/app_jwt.h
Outdated
| /** Defines how long the JWT will be valid; in seconds (from generation). | ||
| * The 'iat' and 'exp' claims will be populated either the application | ||
| * has or not a valid date and time. | ||
| */ |
There was a problem hiding this comment.
usually has the form:
/**
* First line of comment
*/
and top/bottom lines are delimiters only to prevent jagged text indent (for information only)
include/app_jwt.h
Outdated
| * | ||
| * The API doesn't verify the time source validity, it is up to the caller to make sure | ||
| * that the system has access to a valid time source, otherwise "iat" field will | ||
| * containt the time since boot in seconds. |
| * @retval 0 If the operation was successful. | ||
| * Otherwise, a (negative) error code is returned, check header errno.h for a full list. |
There was a problem hiding this comment.
2 @retvals one per line, apply comments throughout
There was a problem hiding this comment.
do you mean it should be like this :
| * @retval 0 If the operation was successful. | |
| * Otherwise, a (negative) error code is returned, check header errno.h for a full list. | |
| * @retval 0 If the operation was successful. | |
| * @retval a (negative) error code is returned, check header errno.h for a full list. |
There was a problem hiding this comment.
* @retval -errno Negative errno for other failures.
lib/app_jwt/Kconfig
Outdated
| # needed for time and date | ||
| select POSIX_API | ||
| # needed to print integer values in JSON |
There was a problem hiding this comment.
comments start with capital letters
lib/app_jwt/app_jwt.c
Outdated
|
|
||
| /* Length of JTI field, this should be at least UUIDv4 size | ||
| * + size of board name | ||
| **/ |
lib/app_jwt/app_jwt.c
Outdated
| return -EINVAL; | ||
| } | ||
| /* this will hold 4 integer words in string format */ | ||
| /*(string Length 8 + 1) */ |
samples/jwt/Kconfig
Outdated
| bool "Json Web Token Sample" | ||
| select APP_JWT | ||
| help | ||
| "Enable sample-specific configurations." |
There was a problem hiding this comment.
why are there quotes in help text
samples/jwt/Kconfig
Outdated
| menuconfig JWT_SAMPLE | ||
| bool "Json Web Token Sample" | ||
| select APP_JWT | ||
| help |
There was a problem hiding this comment.
why is this even in a Kconfig? Put it in prj.conf ?
samples/jwt/README.rst
Outdated
| JWT signing verification | ||
| ======================== | ||
|
|
||
| Flag CONFIG_APP_JWT_VERIFY_SIGNATURE allow to verify the JWT signature against the IAK key. |
There was a problem hiding this comment.
use proper
:kconfig:option:`CONFIG_x`
syntax
ayla-nordicsemi
force-pushed
the
add_jwt_generation_for_user_application
branch
from
381e21e to
4d3dfc4
Compare
| @@ -0,0 +1,11 @@ | |||
| .. _lib_app_jwt: | |||
|
|
|||
| Library Application JWT | |||
There was a problem hiding this comment.
Since Application JWT is a single library, it would be better to placed under the "nrf\doc\nrf\libraries\others" folder.
| @@ -0,0 +1,80 @@ | |||
| .. _app_jwt: | |||
There was a problem hiding this comment.
| .. _app_jwt: | |
| .. _lib_app_jwt: |
As per the guideline here: https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/templates/library_template_README.html
| Application JWT | ||
| ################### |
There was a problem hiding this comment.
| Application JWT | |
| ################### | |
| Application JWT | |
| ############### |
| Application JWT | ||
| ################### | ||
|
|
||
| The Application JWT library provides access to the `JSON Web Token (JWT)`_ generation feature from application core using signing and identity services from secure core. |
There was a problem hiding this comment.
| The Application JWT library provides access to the `JSON Web Token (JWT)`_ generation feature from application core using signing and identity services from secure core. | |
| The Application JWT library provides access to the `JSON Web Token (JWT)`_ generation feature from application core using signing services and secure core using identity services. |
There was a problem hiding this comment.
Signing is done by Secure core,
Identification (generation of the UUID) is also done by secure core.
maybe rephrasing to the following to avoid any ambiguities :
| The Application JWT library provides access to the `JSON Web Token (JWT)`_ generation feature from application core using signing and identity services from secure core. | |
| The Application JWT library provides access to the `JSON Web Token (JWT)`_ generation feature from Application core using Secure core signing service and identity service. |
| * :Kconfig:option:`CONFIG_SSF_PSA_CRYPTO_SERVICE_ENABLED` | ||
| * :Kconfig:option:`CONFIG_SSF_DEVICE_INFO_SERVICE_ENABLED` | ||
|
|
||
| #. Read the device UUID (:c:func:`app_jwt_get_uuid`) |
There was a problem hiding this comment.
| #. Read the device UUID (:c:func:`app_jwt_get_uuid`) | |
| #. Read the device UUID (:c:func:`app_jwt_get_uuid`). |
| * :c:member:`app_jwt_data.jwt_buf` - Required. | ||
| Buffer for the generated, null-terminated, JWT string. | ||
| Buffer size has to be al least 600 bytes, at most 900 bytes. | ||
| The user has to provide a valid buffer, library doesn't do any allocation. |
There was a problem hiding this comment.
| The user has to provide a valid buffer, library doesn't do any allocation. | |
| You must to provide a valid buffer, library does not do any allocation. |
|
|
||
| Application JWT | ||
| ################### | ||
|
|
There was a problem hiding this comment.
.. contents::
:local:
:depth: 2
| jwt generator | ||
| ################### |
There was a problem hiding this comment.
| jwt generator | |
| ################### | |
| JWT generator | |
| ############# |
| :local: | ||
| :depth: 2 | ||
|
|
||
| This sample shows how Application core can generate a JWT signed with the IAK. |
There was a problem hiding this comment.
| This sample shows how Application core can generate a JWT signed with the IAK. | |
| This sample shows how application core can generate a JWT signed with the IAK. |
samples/jwt/README.rst
Outdated
|
|
||
| * - Board | ||
| - Support | ||
| * - nrf9280pdk/nrf9280/cpuapp |
There was a problem hiding this comment.
Not sure whether the nRF9280 PDK should be mentioned in the public docs now? Please check this with the PMT.
Hence, sample doc is not completely reviewed.
Also, the table should be pulled from the sample.yml file - https://raw.githubusercontent.com/nrfconnect/sdk-nrf/refs/heads/main/doc/nrf/templates/sample_README.rst.
There was a problem hiding this comment.
Hi Divya,
nrf9280pdk is already public : https://docs.nordicsemi.com/bundle/ncs-2.7.99-cs2/page/zephyr/boards/nordic/nrf9280pdk/doc/index.html
|
|
||
| #include <zephyr/kernel.h> | ||
| #include <zephyr/logging/log.h> | ||
| LOG_MODULE_REGISTER(jwt_sample, CONFIG_JWT_SAMPLE_LOG_LEVEL); |
There was a problem hiding this comment.
Missing extra enter on top LOG_MODULE_REGISTER...
There was a problem hiding this comment.
Are you planning to address the unite test for this in a separate PR?
| static char *jwt_payload_create(const char *const sub, const char *const aud, uint64_t exp) | ||
| { | ||
| int err = 0; | ||
|
|
There was a problem hiding this comment.
You don't need to have a space between all these declarations
ayla-nordicsemi
force-pushed
the
add_jwt_generation_for_user_application
branch
from
4d3dfc4 to
7342368
Compare
|
After documentation is built, you will find the preview for this PR here. Preview links for modified nRF Connect SDK documents: https://ncsdoc.z6.web.core.windows.net/PR-19561/nrf/libraries/app_jwt/app_jwt.html |
ayla-nordicsemi
force-pushed
the
add_jwt_generation_for_user_application
branch
6 times, most recently
from
e320229 to
9d95b0b
Compare
Ref: NRFX-6688 Signed-off-by: Aymen LAOUINI <aymen.laouini@nordicsemi.no>
ayla-nordicsemi
force-pushed
the
add_jwt_generation_for_user_application
branch
from
9d95b0b to
9140593
Compare
|
Add a JWT generator in lib directory and add a sample application to demonstrate the usage.
@tokangas : the jwt generator interface API is defined here "include/user_app_jwt.h", your feedback on this interface is welcome !