lib: app_jwt: add an app core jwt generator and add a sample for usage

Ref: NRFX-6688

Signed-off-by: Aymen LAOUINI <[email protected]>

CODEOWNERS

@@ -311,6 +311,7 @@
 /ext/iperf3/                              @nrfconnect/ncs-code-owners @jhirsi
 
 # Include
+/include/app_jwt.h                        @nrfconnect/ncs-modem @ayla-nordicsemi
 /include/audio/                           @nrfconnect/ncs-audio
 /include/audio_module/                    @nrfconnect/ncs-audio
 /include/bluetooth/                       @nrfconnect/ncs-si-muffin @nrfconnect/ncs-dragoon
@@ -353,6 +354,7 @@
 
 # Libraries
 /lib/adp536x/                             @nrfconnect/ncs-cia
+/lib/app_jwt/                             @nrfconnect/ncs-modem @ayla-nordicsemi
 /lib/at_cmd_parser/                       @nrfconnect/ncs-co-networking @nrfconnect/ncs-modem
 /lib/at_cmd_custom/                       @nrfconnect/ncs-modem
 /lib/at_host/                             @nrfconnect/ncs-co-networking @nrfconnect/ncs-modem
@@ -493,6 +495,7 @@
 /samples/gazell/                          @leewkb4567
 /samples/hw_id/                           @nrfconnect/ncs-cia
 /samples/ipc/ipc_service/                 @nrfconnect/ncs-si-muffin
+/samples/jwt/                             @nrfconnect/ncs-modem @ayla-nordicsemi
 /samples/keys/                            @nrfconnect/ncs-aegir
 /samples/matter/                          @nrfconnect/ncs-matter
 /samples/mpsl/                            @nrfconnect/ncs-dragoon
@@ -615,6 +618,7 @@
 /samples/gazell/**/*.rst                  @nrfconnect/ncs-si-muffin-doc
 /samples/hw_id/*.rst                      @nrfconnect/ncs-cia-doc
 /samples/ipc/ipc_service/*.rst            @nrfconnect/ncs-si-muffin-doc
+/samples/jwt/*.rst                        @nrfconnect/ncs-modem-doc @ayla-nordicsemi
 /samples/keys/**/*.rst                    @nrfconnect/ncs-aegir-doc
 /samples/matter/**/*.rst                  @nrfconnect/ncs-matter-doc
 /samples/mpsl/**/*.rst                    @nrfconnect/ncs-dragoon-doc

include/app_jwt.h

@@ -0,0 +1,127 @@
+/*
+ * Copyright (c) 2024 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#ifndef _APP_JWT_H
+#define _APP_JWT_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * @file app_jwt.h
+ *
+ * @brief Generate a JWT with from application core.
+ * @defgroup app_jwt JWT generation
+ * @{
+ *
+ */
+
+#include <stdint.h>
+#include <strings.h>
+
+/** @brief Maximum size of a JWT string, could be used to allocate JWT
+ *         output buffer.
+ */
+#define APP_JWT_STR_MAX_LEN 900
+
+/** @brief Maximum valid duration for JWTs generated by user application */
+#define APP_JWT_VALID_TIME_S_MAX (7 * 24 * 60 * 60)
+
+/** @brief Default valid duration for JWTs generated by user application */
+#define APP_JWT_VALID_TIME_S_DEF (10 * 60)
+
+/** @brief UUID size in bytes */
+#define APP_JWT_UUID_BYTE_SZ 16
+
+/** @brief UUID v4 format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx */
+#define APP_JWT_UUID_V4_STR_LEN ((APP_JWT_UUID_BYTE_SZ * 2) + 4)
+
+/** @brief The type of key to be used for signing the JWT. */
+enum app_jwt_key_type {
+	JWT_KEY_TYPE_CLIENT_PRIV = 2,
+	JWT_KEY_TYPE_ENDORSEMENT = 8,
+};
+
+/**@brief JWT signing algorithm */
+enum app_jwt_alg_type {
+	JWT_ALG_TYPE_ES256 = 0,
+};
+
+/** @brief JWT parameters required for JWT generation and pointer to generated JWT */
+struct app_jwt_data {
+	/** Sec tag to use for JWT signing */
+	unsigned int sec_tag;
+	/** Key type in the specified sec tag */
+	enum app_jwt_key_type key;
+	/** JWT signing algorithm */
+	enum app_jwt_alg_type alg;
+
+	/** Defines how long the JWT will be valid; in seconds (from generation).
+	 * The 'iat' and 'exp' claims will be populated only if the application has a
+	 * valid date and time.
+	 */
+	uint32_t validity_s;
+
+	/**  NULL terminated 'sub' claim; the principal that is the subject of the JWT */
+	const char *subject;
+	/**  NULL terminated 'aud' claim; intended recipient of the JWT */
+	const char *audience;
+
+	/** Buffer to which the NULL terminated JWT will be copied.
+	 * It is the responsibility of the user to provide a valid buffer.
+	 * The returned JWT could be as long as 900 bytes, use the
+	 * defined size value APP_JWT_STR_MAX_LEN to create your supplied return buffer.
+	 */
+	char *jwt_buf;
+	/** Size of the user provided buffer. */
+	size_t jwt_sz;
+};
+
+/**
+ * @brief Generates a JWT using the supplied parameters. If successful,
+ * the JWT string will be stored in the supplied struct.
+ * The user is responsible for providing a valid pointer to store the JWT.
+ *
+ * Subject and audience fields may be NULL in which case those fields are left out
+ * from generated JWT token.
+ *
+ * JWT is signed with the application identity attestation key, no matter what
+ * value is supplied in the sec_tag.
+ *
+ * @param[in,out] jwt Pointer to struct containing JWT parameters and result.
+ *
+ * @retval 0 If the operation was successful.
+ *         Otherwise, a (negative) error code is returned.
+ */
+int app_jwt_generate(struct app_jwt_data *const jwt);
+
+/**
+ * @brief Gets the device UUID from the secure domain
+ * and returns it as a NULL terminated string in the supplied buffer.
+ * The device UUID can be used as a device identifier for cloud services and
+ * for secure device management using the nRF Cloud Identity Service.
+ *
+ * UUID v4 defined by ITU-T X.667 | ISO/IEC 9834-8 has a length of 35 bytes, add
+ * 1 byte for the atring termination character. User is expected to provide a buffer
+ * of at least 36 bytes.
+ *
+ * @param[out] uuid_buffer Pointer to buffer where the device UUID string will be written to.
+ *
+ * @param[in] uuid_buffer_size Size of the provided buffer.
+ *
+ * @retval 0 If the operation was successful.
+ *         Otherwise, a (negative) error code is returned.
+ */
+int app_jwt_get_uuid(char *uuid_buffer, const size_t uuid_buffer_size);
+
+/** @} */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _APP_JWT_H */

lib/CMakeLists.txt

@@ -33,6 +33,7 @@ add_subdirectory_ifdef(CONFIG_HW_ID_LIBRARY hw_id)
 add_subdirectory_ifdef(CONFIG_EDGE_IMPULSE edge_impulse)
 add_subdirectory_ifdef(CONFIG_WAVE_GEN_LIB wave_gen)
 add_subdirectory_ifdef(CONFIG_HW_UNIQUE_KEY_SRC hw_unique_key)
+add_subdirectory_ifdef(CONFIG_APP_JWT app_jwt)
 add_subdirectory_ifdef(CONFIG_MODEM_JWT modem_jwt)
 add_subdirectory_ifdef(CONFIG_MODEM_SLM modem_slm)
 add_subdirectory_ifdef(CONFIG_MODEM_ATTEST_TOKEN modem_attest_token)

lib/Kconfig

@@ -6,6 +6,7 @@
 
 menu "Libraries"
 
+rsource "app_jwt/Kconfig"
 rsource "bin/Kconfig"
 rsource "nrf_modem_lib/Kconfig"
 rsource "adp536x/Kconfig"

lib/app_jwt/CMakeLists.txt

@@ -0,0 +1,11 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+zephyr_library()
+
+zephyr_library_sources(
+    app_jwt.c
+)

lib/app_jwt/Kconfig

@@ -0,0 +1,29 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+menuconfig APP_JWT
+	bool "Application JWT Library"
+	select BASE64
+	select CJSON_LIB
+	# needed to print integer values in JSON
+	select CBPRINTF_FP_SUPPORT
+	select POSIX_API
+
+if APP_JWT
+
+config APP_JWT_VERIFY_SIGNATURE
+	bool "Verify signature after signing"
+	default y
+
+config APP_JWT_PRINT_EXPORTED_PUBKEY_DER
+	bool "Print to terminal the DER formatted public key"
+	default y
+
+module=APP_JWT
+module-str=User App JWT
+source "${ZEPHYR_BASE}/subsys/logging/Kconfig.template.log_config"
+
+endif # APP_JWT