tests: add jwt library test

This patch adds a unit test for the JWT library
to confirm that the results can be used with nRF Cloud.

Signed-off-by: Maximilian Deubel <[email protected]>

Author: maxd-nordic

CODEOWNERS

@@ -880,6 +880,7 @@
 /tests/lib/sms/                           @nrfconnect/ncs-modem-tre
 /tests/lib/tone/                          @nrfconnect/ncs-audio
 /tests/lib/uicc_lwm2m/                    @stig-bjorlykke
+/tests/lib/app_jwt/                       @nrfconnect/ncs-modem
 /tests/mocks/nrf_rpc/                     @nrfconnect/ncs-protocols-serialization
 /tests/modules/lib/zcbor/                 @oyvindronningstad
 /tests/modules/mcuboot/direct_xip/        @nrfconnect/ncs-pluto

lib/app_jwt/app_jwt.c

@@ -4,6 +4,12 @@
  * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
  */
 
+#ifdef _POSIX_C_SOURCE
+#undef _POSIX_C_SOURCE
+#endif
+/* Define _POSIX_C_SOURCE before including <string.h> in order to use `strtok_r`. */
+#define _POSIX_C_SOURCE 200809L
+
 #include <string.h>
 #include <stdlib.h>
 #include <stdio.h>
@@ -14,13 +20,17 @@
 #include <date_time.h>
 #include <psa/crypto.h>
 #include <psa/crypto_extra.h>
+
+#if defined(CONFIG_BOARD_NATIVE_SIM)
+#define IAK_APPLICATION_GEN1 0x41020100
+#else
 #include <psa/nrf_platform_key_ids.h>
+#endif
 
 #include <cJSON.h>
 
 #include <app_jwt.h>
 
-#include <zephyr/posix/time.h>
 #include <zephyr/sys/base64.h>
 #include <zephyr/sys/byteorder.h>
 

tests/lib/app_jwt/CMakeLists.txt

@@ -0,0 +1,30 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+cmake_minimum_required(VERSION 3.20.0)
+
+find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
+project(app_jwt_test)
+
+
+FILE(GLOB app_sources src/*.c)
+target_sources(app PRIVATE ${app_sources})
+
+target_sources(app
+  PRIVATE
+  ${ZEPHYR_NRF_MODULE_DIR}/lib/app_jwt/app_jwt.c
+  )
+
+target_include_directories(app
+  PRIVATE
+  ${ZEPHYR_NRF_MODULE_DIR}/subsys/net/lib/nrf_cloud/include/
+  )
+
+target_compile_options(app
+  PRIVATE
+  -DCONFIG_APP_JWT_LOG_LEVEL=4
+  -DCONFIG_APP_JWT_DEFAULT_TIMESTAMP=1735682400
+  )

tests/lib/app_jwt/prj.conf

@@ -0,0 +1,27 @@
+#
+# Copyright (c) 2025 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+CONFIG_ZTEST=y
+
+CONFIG_MAIN_STACK_SIZE=4096
+CONFIG_CJSON_LIB=y
+CONFIG_NEWLIB_LIBC=y
+CONFIG_NEWLIB_LIBC_FLOAT_PRINTF=y
+CONFIG_HEAP_MEM_POOL_SIZE=4096
+
+CONFIG_MBEDTLS=y
+CONFIG_MBEDTLS_BUILTIN=y
+CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG=y
+CONFIG_BASE64=y
+
+CONFIG_ENTROPY_GENERATOR=y
+CONFIG_TEST_RANDOM_GENERATOR=y
+
+CONFIG_MBEDTLS_PSA_CRYPTO_C=y
+
+CONFIG_PSA_WANT_ALG_ECDSA=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
+CONFIG_PSA_WANT_ECC_SECP_R1_256=y
+CONFIG_PSA_WANT_ALG_SHA_256=y

tests/lib/app_jwt/src/main.c

@@ -0,0 +1,186 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#include <string.h>
+#include <stdint.h>
+#include <zephyr/kernel.h>
+#include <zephyr/ztest.h>
+#include <zephyr/logging/log.h>
+#include <zephyr/sys/base64.h>
+
+#include <psa/crypto.h>
+
+#include <app_jwt.h>
+
+LOG_MODULE_REGISTER(test_main, LOG_LEVEL_DBG);
+
+int date_time_now(int64_t *timestamp)
+{
+	*timestamp = 1739881289000;
+	return 0;
+}
+
+static psa_key_id_t kid;
+
+#define EC_PUB_KEY_RAW_LEN     65
+#define EC_PUB_KEY_HEADER_LEN  26
+#define EC_PUB_KEY_CONTENT_LEN (EC_PUB_KEY_RAW_LEN + EC_PUB_KEY_HEADER_LEN)
+#define PEM_LINE_LENGTH	       64
+
+#define EXPECTED_JWT_MIN                                                                           \
+	"eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9."                                                    \
+	"eyJzdWIiOiJucmYtMzU4Mjk5ODQwMTIzNDU2IiwiZXhwIjoxNzM5ODgxODg5fQ.cYGNV8-"                   \
+	"DxTKyV3MlsSALKlva3Aarx3u0Owj8cxAH5tm3WRPLC8-xZtTW0djJp-j3V8sU1Mt_xjm3OIzMx4RNcw"
+
+#define EXPECTED_JWT_MIN_UUID                                                                      \
+	"eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9."                                                    \
+	"eyJzdWIiOiI2YzBmMTIyNi1mNTA2LTExZWYtYTViYi05Mzc2M2I0YmRmMTEiLCJleHAiOjE3Mzk4ODE4ODl9."    \
+	"oIDg_ptVr7EP0Bg4qxmj5jh53d30FaBtzHOdeQJXyakz9_WQALqPXIrPl4immMvYhgcQD12KWxFiHh4YPjhBaw"
+
+#define EXPECTED_JWT_NRF91                                                                         \
+	"eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjJhNTNkMjBmODcxYjFkZWVhYjUzYTFiZmNlMDJhZTVk" \
+	"NWVmYzEyZjFlMGY0YjVjZTY2YzRhMWMyOGRhZDExMmMifQ."                                          \
+	"eyJpYXQiOjE3Mzk4ODEyODksImp0aSI6Im5SRjkxNjAuNTY0YWIzNTYtZjUwNS0xMWVmLWIyODctYjc2OTAyMWQ1" \
+	"ZmQ2LjlmZjE3NTI0OWFmZTQ4OTQxMiIsImlzcyI6Im5SRjkxNjAuNTY0YWIzNTYtZjUwNS0xMWVmLWIyODctYjc2" \
+	"OTAyMWQ1ZmQ2Iiwic3ViIjoibnJmLTM1ODI5OTg0MDEyMzQ1NiIsImV4cCI6MTczOTg4MTg4OX0."             \
+	"i3xPhJ1dQw2bb_2OgaAZ8w-IP_EpLiDgt97agpAdIsWDSdzCWd2iwwCpV937mAyqXWe-eoc-VjnBlWfXk5nXqQ"
+
+#define EC_PRV_KEY                                                                                 \
+	"-----BEGIN PRIVATE KEY-----\n"                                                            \
+	"MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgyw3wVT7Uo05WHT4t\n"                       \
+	"w8AgAo6eXMm0Pj8jqnAoABVtflmhRANCAAQ2ofrLZw+Fve9PzQ4z9COJE8IFtFnH\n"                       \
+	"V0ey+tw/yXcqWROTXMauO4bJ4TC7CrmpM8IBXkKQm/gEHdQQCZXYAn68\n"                               \
+	"-----END PRIVATE KEY-----\n"
+
+#define EC_PUB_KEY                                                                                 \
+	"-----BEGIN PUBLIC KEY-----\n"                                                             \
+	"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENqH6y2cPhb3vT80OM/QjiRPCBbRZ\n"                       \
+	"x1dHsvrcP8l3KlkTk1zGrjuGyeEwuwq5qTPCAV5CkJv4BB3UEAmV2AJ+vA==\n"                           \
+	"-----END PUBLIC KEY-----\n"
+
+static int import_ecdsa_keypair(uint32_t *user_keypair_id)
+{
+	int err = 0;
+	const uint8_t priv_key[] = {0xcb, 0x0d, 0xf0, 0x55, 0x3e, 0xd4, 0xa3, 0x4e,
+				    0x56, 0x1d, 0x3e, 0x2d, 0xc3, 0xc0, 0x20, 0x02,
+				    0x8e, 0x9e, 0x5c, 0xc9, 0xb4, 0x3e, 0x3f, 0x23,
+				    0xaa, 0x70, 0x28, 0x00, 0x15, 0x6d, 0x7e, 0x59};
+
+	if (user_keypair_id != NULL) {
+		psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
+
+		/* Initialize PSA Crypto */
+		err = psa_crypto_init();
+		if (err != PSA_SUCCESS) {
+			printk("psa_crypto_init failed! (Error: %d)\n", err);
+			return -1;
+		}
+
+		psa_set_key_usage_flags(&key_attributes,
+					PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE);
+		psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_VOLATILE);
+		psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256));
+		psa_set_key_type(&key_attributes,
+				 PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1));
+		psa_set_key_bits(&key_attributes, 256);
+
+		/* Import key into PSA */
+		err = psa_import_key(&key_attributes, priv_key, sizeof(priv_key), &kid);
+		if (err != PSA_SUCCESS) {
+			LOG_ERR("psa_import_key failed! (Error: %d)", err);
+			return err;
+		}
+
+		LOG_INF("Public key in PEM format:");
+		printk(EC_PUB_KEY "\n");
+	}
+	return err;
+}
+
+/* Construct minimal JWT that still contains enough information to be accepted by nRF Cloud. */
+ZTEST(app_jwt, test_minimal)
+{
+	uint8_t buf[APP_JWT_STR_MAX_LEN];
+	int err = 0;
+	const char *expected_jwt = EXPECTED_JWT_MIN;
+
+	struct app_jwt_data jwt = {
+		.sec_tag = kid,
+		.key_type = JWT_KEY_TYPE_CLIENT_PRIV,
+		.alg = JWT_ALG_TYPE_ES256,
+		.add_keyid_to_header = false,
+		.validity_s = APP_JWT_VALID_TIME_S_DEF,
+		.jwt_buf = buf,
+		.jwt_sz = sizeof(buf),
+		.subject = "nrf-358299840123456",
+	};
+
+	err = app_jwt_generate(&jwt);
+	zassert_equal(err, 0, "err: %d", err);
+	zassert_equal(strcmp(jwt.jwt_buf, expected_jwt), 0, "unexpected JWT: %s", jwt.jwt_buf);
+	LOG_INF("minimal JWT: %s", jwt.jwt_buf);
+}
+
+/* Construct minimal JWT using a UUID as subject. */
+ZTEST(app_jwt, test_minimal_uuid)
+{
+	uint8_t buf[APP_JWT_STR_MAX_LEN];
+	int err = 0;
+	const char *expected_jwt = EXPECTED_JWT_MIN_UUID;
+
+	struct app_jwt_data jwt = {
+		.sec_tag = kid,
+		.key_type = JWT_KEY_TYPE_CLIENT_PRIV,
+		.alg = JWT_ALG_TYPE_ES256,
+		.add_keyid_to_header = false,
+		.validity_s = APP_JWT_VALID_TIME_S_DEF,
+		.jwt_buf = buf,
+		.jwt_sz = sizeof(buf),
+		.subject = "6c0f1226-f506-11ef-a5bb-93763b4bdf11",
+	};
+
+	err = app_jwt_generate(&jwt);
+	zassert_equal(err, 0, "err: %d", err);
+	zassert_equal(strcmp(jwt.jwt_buf, expected_jwt), 0, "unexpected JWT: %s", jwt.jwt_buf);
+	LOG_INF("minimal JWT using UUID: %s", jwt.jwt_buf);
+}
+
+/* Construct JWT similar to how the nRF91 modem makes them. */
+ZTEST(app_jwt, test_nrf91_like)
+{
+	uint8_t buf[APP_JWT_STR_MAX_LEN];
+	int err = 0;
+	const char *expected_jwt = EXPECTED_JWT_NRF91;
+
+	struct app_jwt_data jwt = {
+		.sec_tag = kid,
+		.key_type = JWT_KEY_TYPE_CLIENT_PRIV,
+		.alg = JWT_ALG_TYPE_ES256,
+		.add_keyid_to_header = true,
+		.add_timestamp = true,
+		.validity_s = APP_JWT_VALID_TIME_S_DEF,
+		.jwt_buf = buf,
+		.jwt_sz = sizeof(buf),
+		.issuer = "nRF9160.564ab356-f505-11ef-b287-b769021d5fd6",
+		.json_token_id = "nRF9160.564ab356-f505-11ef-b287-b769021d5fd6.9ff175249afe489412",
+		.subject = "nrf-358299840123456",
+	};
+
+	err = app_jwt_generate(&jwt);
+	zassert_equal(err, 0, "err: %d", err);
+	zassert_equal(strcmp(jwt.jwt_buf, expected_jwt), 0, "unexpected JWT: %s", jwt.jwt_buf);
+	LOG_INF("nrf91-like JWT: %s", jwt.jwt_buf);
+}
+
+static void *setup(void)
+{
+	int err = import_ecdsa_keypair(&kid);
+
+	zassert_equal(err, 0, "err: %d", err);
+
+	return NULL;
+}
+
+ZTEST_SUITE(app_jwt, NULL, setup, NULL, NULL, NULL);

tests/lib/app_jwt/testcase.yaml

@@ -0,0 +1,11 @@
+tests:
+  net.lib.app_jwt:
+    sysbuild: true
+    platform_allow:
+      - native_sim
+    integration_platforms:
+      - native_sim
+    tags:
+      - fota
+      - sysbuild
+      - ci_tests_lib_app_jwt