go/jwt/jwt_signer_verifier_kid_test.go - third_party/tink - Git at Google

 // Copyright 2022 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //
 ////////////////////////////////////////////////////////////////////////////////

 package jwt

 import (
 	"fmt"
 	"testing"
 	"time"

 	"github.com/google/tink/go/signature/subtle"
 	"github.com/google/tink/go/tink"
 )

 func createTinkECVerifier() (tink.Verifier, error) {
 	// Public key from: https://datatracker.ietf.org/doc/html/rfc7515#appendix-A.3
 	x, err := base64Decode("f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU")
 	if err != nil {
 		return nil, fmt.Errorf("base64 decoding x coordinate of public key: %v", err)
 	}
 	y, err := base64Decode("x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0")
 	if err != nil {
 		return nil, fmt.Errorf("base64 decoding y coordinate of public key: %v", err)
 	}
 	tv, err := subtle.NewECDSAVerifier("SHA256", "NIST_P256", "IEEE_P1363", x, y)
 	if err != nil {
 		return nil, fmt.Errorf("subtle.NewECDSAVerifier() err = %v, want nil", err)
 	}
 	return tv, nil
 }

 func createTinkECSigner() (tink.Signer, error) {
 	// Private key from: https://datatracker.ietf.org/doc/html/rfc7515#appendix-A.3
 	k, err := base64Decode("jpsQnnGQmL-YBIffH1136cspYG6-0iY7X1fCE9-E9LI")
 	if err != nil {
 		return nil, fmt.Errorf("base64 decoding private key: %v", err)
 	}
 	ts, err := subtle.NewECDSASigner("SHA256", "NIST_P256", "IEEE_P1363", k)
 	if err != nil {
 		return nil, fmt.Errorf("subtle.NewECDSASigner() err = %v, want nil", err)
 	}
 	return ts, nil
 }

 func createESVerifier(kid *string) (*verifierWithKID, error) {
 	tv, err := createTinkECVerifier()
 	if err != nil {
 		return nil, err
 	}
 	v, err := newVerifierWithKID(tv, "ES256", kid)
 	if err != nil {
 		return nil, fmt.Errorf("newVerifierWithKID(algorithm = 'ES256') err = %v, want nil", err)
 	}
 	return v, nil
 }

 func createESSigner(kid *string) (*signerWithKID, error) {
 	ts, err := createTinkECSigner()
 	if err != nil {
 		return nil, err
 	}
 	s, err := newSignerWithKID(ts, "ES256", kid)
 	if err != nil {
 		return nil, fmt.Errorf("newSignerWithKID(algorithm = 'ES256') err = %v, want nil", err)
 	}
 	return s, nil
 }

 func TestVerifierWithFixedToken(t *testing.T) {
 	// compact from: https://datatracker.ietf.org/doc/html/rfc7515#appendix-A.3
 	compact := "eyJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q"
 	v, err := createESVerifier(nil)
 	if err != nil {
 		t.Fatal(err)
 	}
 	validator, err := NewValidator(&ValidatorOpts{ExpectedIssuer: refString("joe"), FixedNow: time.Unix(1300819300, 0)})
 	if err != nil {
 		t.Fatalf("NewValidator() err = %v, want nil", err)
 	}
 	verified, err := v.VerifyAndDecodeWithKID(compact, validator, nil)
 	if err != nil {
 		t.Errorf("VerifyAndDecodeWithKID() err = %v, want nil", err)
 	}
 	issuer, err := verified.Issuer()
 	if err != nil {
 		t.Errorf("verified.Issuer() err = %v, want nil", err)
 	}
 	if issuer != "joe" {
 		t.Errorf("verified.Issuer() = %q, want joe", issuer)
 	}
 	expiration, err := verified.ExpiresAt()
 	if err != nil {
 		t.Errorf("verified.ExpiresAt() err = %v, want nil", err)
 	}
 	wantExp := time.Unix(1300819380, 0)
 	if !expiration.Equal(wantExp) {
 		t.Errorf("verified.ExpiresAt() = %q, want %q", expiration, wantExp)
 	}
 	boolClaim, err := verified.BooleanClaim("http://example.com/is_root")
 	if err != nil {
 		t.Errorf("verified.BooleanClaim('http://example.com/is_root') err = %v, want nil", err)
 	}
 	if boolClaim != true {
 		t.Errorf("verified.BooleanClaim('http://example.com/is_root') = %v, want false", boolClaim)
 	}
 }

 func TestCreateSignValidateToken(t *testing.T) {
 	rawJWT, err := NewRawJWT(&RawJWTOptions{TypeHeader: refString("JWT"), WithoutExpiration: true})
 	if err != nil {
 		t.Fatalf("NewRawJWT() err = %v, want nil", err)
 	}
 	validator, err := NewValidator(&ValidatorOpts{ExpectedTypeHeader: refString("JWT"), AllowMissingExpiration: true})
 	if err != nil {
 		t.Fatalf("NewValidator() err = %v, want nil", err)
 	}
 	s, err := createESSigner(nil)
 	if err != nil {
 		t.Fatal(err)
 	}
 	v, err := createESVerifier(nil)
 	if err != nil {
 		t.Fatal(err)
 	}

 	compact, err := s.SignAndEncodeWithKID(rawJWT, nil)
 	if err != nil {
 		t.Fatalf("s.SignAndEncodeWithKID() err = %v, want nil", err)
 	}
 	verified, err := v.VerifyAndDecodeWithKID(compact, validator, nil)
 	if err != nil {
 		t.Fatalf("v.VerifyAndDecodeWithKID() err = %v, want nil", err)
 	}
 	typeHeader, err := verified.TypeHeader()
 	if err != nil {
 		t.Errorf("verified.TypeHeader() err = %v, want nil", err)
 	}
 	if typeHeader != "JWT" {
 		t.Errorf("verified.TypeHeader() = %q, want 'JWT'", typeHeader)
 	}
 }

 func TestSignerWithTinkAndCustomKIDFails(t *testing.T) {
 	rawJWT, err := NewRawJWT(&RawJWTOptions{TypeHeader: refString("JWT"), WithoutExpiration: true})
 	if err != nil {
 		t.Fatalf("NewRawJWT() err = %v, want nil", err)
 	}
 	s, err := createESSigner(refString("1234"))
 	if err != nil {
 		t.Fatal(err)
 	}
 	if _, err := s.SignAndEncodeWithKID(rawJWT, refString("123")); err == nil {
 		t.Errorf("s.SignAndEncodeWithKID(kid = 123) err = nil, want error")
 	}
 }

 type signerVerifierKIDTestCase struct {
 	tag               string
 	signerCustomKID   *string
 	verifierCustomKID *string
 	// calculated from the Tink Key ID.
 	signerKID *string
 	// calculated from the Tink Key ID.
 	verifierKID *string
 }

 func TestSignVerifyWithKID(t *testing.T) {
 	rawJWT, err := NewRawJWT(&RawJWTOptions{TypeHeader: refString("JWT"), WithoutExpiration: true})
 	if err != nil {
 		t.Fatalf("NewRawJWT() err = %v, want nil", err)
 	}
 	validator, err := NewValidator(&ValidatorOpts{ExpectedTypeHeader: refString("JWT"), AllowMissingExpiration: true})
 	if err != nil {
 		t.Fatalf("NewValidator() err = %v, want nil", err)
 	}
 	for _, tc := range []signerVerifierKIDTestCase{
 		{
 			tag:               "verifier with custom kid matches kid in header generated with custom kid",
 			signerCustomKID:   refString("1234"),
 			verifierCustomKID: refString("1234"),
 		},
 		{
 			tag:             "verifier with tink kid matches kid in header generated with custom kid",
 			signerCustomKID: refString("1234"),
 			verifierKID:     refString("1234"),
 		},
 		{
 			tag:         "verifier with tink kid matches kid in header generated with tink kid",
 			signerKID:   refString("1234"),
 			verifierKID: refString("1234"),
 		},
 		{
 			tag:       "no kid in verifier ignores kid when present in header",
 			signerKID: refString("1234"),
 		},
 		{
 			tag:               "verifier with custom kid ignores when no kid present in header",
 			verifierCustomKID: refString("1234"),
 		},
 	} {
 		t.Run(tc.tag, func(t *testing.T) {
 			s, err := createESSigner(tc.signerCustomKID)
 			if err != nil {
 				t.Fatal(err)
 			}
 			v, err := createESVerifier(tc.verifierCustomKID)
 			if err != nil {
 				t.Fatal(err)
 			}
 			compact, err := s.SignAndEncodeWithKID(rawJWT, tc.signerKID)
 			if err != nil {
 				t.Fatalf("s.SignAndEncodeWithKID(kid = %v) err = %v, want nil", tc.signerKID, err)
 			}
 			verified, err := v.VerifyAndDecodeWithKID(compact, validator, tc.verifierKID)
 			if err != nil {
 				t.Fatalf("s.VerifyAndDecodeWithKID(kid = %v) err = %v, want nil", tc.verifierKID, err)
 			}
 			typeHeader, err := verified.TypeHeader()
 			if err != nil {
 				t.Errorf("verified.TypeHeader() err = %v, want nil", err)
 			}
 			if typeHeader != "JWT" {
 				t.Errorf("verified.TypeHeader() = %q, want 'JWT'", typeHeader)
 			}
 		})
 	}
 }

 func TestSignVerifyWithKIDFailure(t *testing.T) {
 	rawJWT, err := NewRawJWT(&RawJWTOptions{TypeHeader: refString("JWT"), WithoutExpiration: true})
 	if err != nil {
 		t.Fatalf("NewRawJWT() err = %v, want nil", err)
 	}
 	validator, err := NewValidator(&ValidatorOpts{ExpectedTypeHeader: refString("JWT"), AllowMissingExpiration: true})
 	if err != nil {
 		t.Fatalf("NewValidator() err = %v, want nil", err)
 	}
 	for _, tc := range []signerVerifierKIDTestCase{
 		{
 			tag:               "verifier with custom kid different from header generated with custom kid",
 			signerCustomKID:   refString("1234"),
 			verifierCustomKID: refString("123"),
 		},
 		{
 			tag:               "verifier with custom kid different from header generated with tink kid",
 			signerKID:         refString("5678"),
 			verifierCustomKID: refString("1234"),
 		},
 		{
 			tag:               "verifier with both tink and custom kid",
 			verifierCustomKID: refString("1234"),
 			verifierKID:       refString("1234"),
 		},
 		{
 			tag:         "verifier with tink kid and token without kid in header",
 			verifierKID: refString("1234"),
 		},
 	} {
 		t.Run(tc.tag, func(t *testing.T) {
 			s, err := createESSigner(tc.signerCustomKID)
 			if err != nil {
 				t.Fatal(err)
 			}
 			v, err := createESVerifier(tc.verifierCustomKID)
 			if err != nil {
 				t.Fatal(err)
 			}
 			compact, err := s.SignAndEncodeWithKID(rawJWT, tc.signerKID)
 			if err != nil {
 				t.Fatalf("s.SignAndEncodeWithKID(kid = %v) err = %v, want nil", tc.signerKID, err)
 			}
 			if _, err := v.VerifyAndDecodeWithKID(compact, validator, tc.verifierKID); err == nil {
 				t.Fatalf("s.VerifyAndDecodeWithKID(kid = %v) err = nil, want error", tc.verifierKID)
 			}
 		})
 	}
 }

 func TestVerifierModifiedCompact(t *testing.T) {
 	rawJWT, err := NewRawJWT(&RawJWTOptions{TypeHeader: refString("JWT"), WithoutExpiration: true})
 	if err != nil {
 		t.Fatalf("NewRawJWT() err = %v, want nil", err)
 	}
 	validator, err := NewValidator(&ValidatorOpts{ExpectedTypeHeader: refString("JWT"), AllowMissingExpiration: true})
 	if err != nil {
 		t.Fatalf("NewValidator() err = %v, want nil", err)
 	}
 	s, err := createESSigner(nil)
 	if err != nil {
 		t.Fatal(err)
 	}
 	v, err := createESVerifier(nil)
 	if err != nil {
 		t.Fatal(err)
 	}
 	compact, err := s.SignAndEncodeWithKID(rawJWT, nil)
 	if err != nil {
 		t.Fatalf("s.SignAndEncodeWithKID() err = %v, want nil", err)
 	}
 	if _, err := v.VerifyAndDecodeWithKID(compact, validator, nil); err != nil {
 		t.Errorf("VerifyAndDecodeWithKID() err = %v, want nil", err)
 	}
 	for _, invalid := range []string{
 		compact + "x",
 		compact + " ",
 		"x" + compact,
 		" " + compact,
 	} {
 		if _, err := v.VerifyAndDecodeWithKID(invalid, validator, nil); err == nil {
 			t.Errorf("VerifyAndDecodeWithKID() err = nil, want error")
 		}
 	}
 }

 func TestVerifierInvalidInputs(t *testing.T) {
 	validator, err := NewValidator(&ValidatorOpts{AllowMissingExpiration: true})
 	if err != nil {
 		t.Fatalf("NewValidator() err = %v, want nil", err)
 	}
 	v, err := createESVerifier(nil)
 	if err != nil {
 		t.Fatal(err)
 	}
 	for _, invalid := range []string{
 		"eyJhbGciOiJUzI1NiJ9.e30.YWJj.",
 		"eyJhbGciOiJUzI1NiJ9?.e30.YWJj",
 		"eyJhbGciOiJUzI1NiJ9.e30?.YWJj",
 		"eyJhbGciOiJUzI1NiJ9.e30.YWJj?",
 		"eyJhbGciOiJUzI1NiJ9.YWJj",
 	} {
 		if _, err := v.VerifyAndDecodeWithKID(invalid, validator, nil); err == nil {
 			t.Errorf("v.VerifyAndDecodeWithKID(compact = %q) err = nil, want error", invalid)
 		}
 	}
 }

 func TestNewSignerWithNilTinkSignerFails(t *testing.T) {
 	if _, err := newSignerWithKID(nil, "ES256", nil); err == nil {
 		t.Errorf("newSignerWithKID(nil, 'ES256', nil) err = nil, want error")
 	}
 }

 func TestNewVerifierWithNilTinkVerifierFails(t *testing.T) {
 	if _, err := newVerifierWithKID(nil, "ES256", nil); err == nil {
 		t.Errorf("newVerifierWithKID(nil, 'ES256', nil) err = nil, want error")
 	}
 }
	// Copyright 2022 Google LLC
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.
	//
	////////////////////////////////////////////////////////////////////////////////

	package jwt

	import (
	"fmt"
	"testing"
	"time"

	"github.com/google/tink/go/signature/subtle"
	"github.com/google/tink/go/tink"
	)

	func createTinkECVerifier() (tink.Verifier, error) {
	// Public key from: https://datatracker.ietf.org/doc/html/rfc7515#appendix-A.3
	x, err := base64Decode("f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU")
	if err != nil {
	return nil, fmt.Errorf("base64 decoding x coordinate of public key: %v", err)
	}
	y, err := base64Decode("x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0")
	if err != nil {
	return nil, fmt.Errorf("base64 decoding y coordinate of public key: %v", err)
	}
	tv, err := subtle.NewECDSAVerifier("SHA256", "NIST_P256", "IEEE_P1363", x, y)
	if err != nil {
	return nil, fmt.Errorf("subtle.NewECDSAVerifier() err = %v, want nil", err)
	}
	return tv, nil
	}

	func createTinkECSigner() (tink.Signer, error) {
	// Private key from: https://datatracker.ietf.org/doc/html/rfc7515#appendix-A.3
	k, err := base64Decode("jpsQnnGQmL-YBIffH1136cspYG6-0iY7X1fCE9-E9LI")
	if err != nil {
	return nil, fmt.Errorf("base64 decoding private key: %v", err)
	}
	ts, err := subtle.NewECDSASigner("SHA256", "NIST_P256", "IEEE_P1363", k)
	if err != nil {
	return nil, fmt.Errorf("subtle.NewECDSASigner() err = %v, want nil", err)
	}
	return ts, nil
	}

	func createESVerifier(kid string) (verifierWithKID, error) {
	tv, err := createTinkECVerifier()
	if err != nil {
	return nil, err
	}
	v, err := newVerifierWithKID(tv, "ES256", kid)
	if err != nil {
	return nil, fmt.Errorf("newVerifierWithKID(algorithm = 'ES256') err = %v, want nil", err)
	}
	return v, nil
	}

	func createESSigner(kid string) (signerWithKID, error) {
	ts, err := createTinkECSigner()
	if err != nil {
	return nil, err
	}
	s, err := newSignerWithKID(ts, "ES256", kid)
	if err != nil {
	return nil, fmt.Errorf("newSignerWithKID(algorithm = 'ES256') err = %v, want nil", err)
	}
	return s, nil
	}

	func TestVerifierWithFixedToken(t *testing.T) {
	// compact from: https://datatracker.ietf.org/doc/html/rfc7515#appendix-A.3
	compact := "eyJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q"
	v, err := createESVerifier(nil)
	if err != nil {
	t.Fatal(err)
	}
	validator, err := NewValidator(&ValidatorOpts{ExpectedIssuer: refString("joe"), FixedNow: time.Unix(1300819300, 0)})
	if err != nil {
	t.Fatalf("NewValidator() err = %v, want nil", err)
	}
	verified, err := v.VerifyAndDecodeWithKID(compact, validator, nil)
	if err != nil {
	t.Errorf("VerifyAndDecodeWithKID() err = %v, want nil", err)
	}
	issuer, err := verified.Issuer()
	if err != nil {
	t.Errorf("verified.Issuer() err = %v, want nil", err)
	}
	if issuer != "joe" {
	t.Errorf("verified.Issuer() = %q, want joe", issuer)
	}
	expiration, err := verified.ExpiresAt()
	if err != nil {
	t.Errorf("verified.ExpiresAt() err = %v, want nil", err)
	}
	wantExp := time.Unix(1300819380, 0)
	if !expiration.Equal(wantExp) {
	t.Errorf("verified.ExpiresAt() = %q, want %q", expiration, wantExp)
	}
	boolClaim, err := verified.BooleanClaim("http://example.com/is_root")
	if err != nil {
	t.Errorf("verified.BooleanClaim('http://example.com/is_root') err = %v, want nil", err)
	}
	if boolClaim != true {
	t.Errorf("verified.BooleanClaim('http://example.com/is_root') = %v, want false", boolClaim)
	}
	}

	func TestCreateSignValidateToken(t *testing.T) {
	rawJWT, err := NewRawJWT(&RawJWTOptions{TypeHeader: refString("JWT"), WithoutExpiration: true})
	if err != nil {
	t.Fatalf("NewRawJWT() err = %v, want nil", err)
	}
	validator, err := NewValidator(&ValidatorOpts{ExpectedTypeHeader: refString("JWT"), AllowMissingExpiration: true})
	if err != nil {
	t.Fatalf("NewValidator() err = %v, want nil", err)
	}
	s, err := createESSigner(nil)
	if err != nil {
	t.Fatal(err)
	}
	v, err := createESVerifier(nil)
	if err != nil {
	t.Fatal(err)
	}

	compact, err := s.SignAndEncodeWithKID(rawJWT, nil)
	if err != nil {
	t.Fatalf("s.SignAndEncodeWithKID() err = %v, want nil", err)
	}
	verified, err := v.VerifyAndDecodeWithKID(compact, validator, nil)
	if err != nil {
	t.Fatalf("v.VerifyAndDecodeWithKID() err = %v, want nil", err)
	}
	typeHeader, err := verified.TypeHeader()
	if err != nil {
	t.Errorf("verified.TypeHeader() err = %v, want nil", err)
	}
	if typeHeader != "JWT" {
	t.Errorf("verified.TypeHeader() = %q, want 'JWT'", typeHeader)
	}
	}

	func TestSignerWithTinkAndCustomKIDFails(t *testing.T) {
	rawJWT, err := NewRawJWT(&RawJWTOptions{TypeHeader: refString("JWT"), WithoutExpiration: true})
	if err != nil {
	t.Fatalf("NewRawJWT() err = %v, want nil", err)
	}
	s, err := createESSigner(refString("1234"))
	if err != nil {
	t.Fatal(err)
	}
	if _, err := s.SignAndEncodeWithKID(rawJWT, refString("123")); err == nil {
	t.Errorf("s.SignAndEncodeWithKID(kid = 123) err = nil, want error")
	}
	}

	type signerVerifierKIDTestCase struct {
	tag string
	signerCustomKID *string
	verifierCustomKID *string
	// calculated from the Tink Key ID.
	signerKID *string
	// calculated from the Tink Key ID.
	verifierKID *string
	}

	func TestSignVerifyWithKID(t *testing.T) {
	rawJWT, err := NewRawJWT(&RawJWTOptions{TypeHeader: refString("JWT"), WithoutExpiration: true})
	if err != nil {
	t.Fatalf("NewRawJWT() err = %v, want nil", err)
	}
	validator, err := NewValidator(&ValidatorOpts{ExpectedTypeHeader: refString("JWT"), AllowMissingExpiration: true})
	if err != nil {
	t.Fatalf("NewValidator() err = %v, want nil", err)
	}
	for _, tc := range []signerVerifierKIDTestCase{
	{
	tag: "verifier with custom kid matches kid in header generated with custom kid",
	signerCustomKID: refString("1234"),
	verifierCustomKID: refString("1234"),
	},
	{
	tag: "verifier with tink kid matches kid in header generated with custom kid",
	signerCustomKID: refString("1234"),
	verifierKID: refString("1234"),
	},
	{
	tag: "verifier with tink kid matches kid in header generated with tink kid",
	signerKID: refString("1234"),
	verifierKID: refString("1234"),
	},
	{
	tag: "no kid in verifier ignores kid when present in header",
	signerKID: refString("1234"),
	},
	{
	tag: "verifier with custom kid ignores when no kid present in header",
	verifierCustomKID: refString("1234"),
	},
	} {
	t.Run(tc.tag, func(t *testing.T) {
	s, err := createESSigner(tc.signerCustomKID)
	if err != nil {
	t.Fatal(err)
	}
	v, err := createESVerifier(tc.verifierCustomKID)
	if err != nil {
	t.Fatal(err)
	}
	compact, err := s.SignAndEncodeWithKID(rawJWT, tc.signerKID)
	if err != nil {
	t.Fatalf("s.SignAndEncodeWithKID(kid = %v) err = %v, want nil", tc.signerKID, err)
	}
	verified, err := v.VerifyAndDecodeWithKID(compact, validator, tc.verifierKID)
	if err != nil {
	t.Fatalf("s.VerifyAndDecodeWithKID(kid = %v) err = %v, want nil", tc.verifierKID, err)
	}
	typeHeader, err := verified.TypeHeader()
	if err != nil {
	t.Errorf("verified.TypeHeader() err = %v, want nil", err)
	}
	if typeHeader != "JWT" {
	t.Errorf("verified.TypeHeader() = %q, want 'JWT'", typeHeader)
	}
	})
	}
	}

	func TestSignVerifyWithKIDFailure(t *testing.T) {
	rawJWT, err := NewRawJWT(&RawJWTOptions{TypeHeader: refString("JWT"), WithoutExpiration: true})
	if err != nil {
	t.Fatalf("NewRawJWT() err = %v, want nil", err)
	}
	validator, err := NewValidator(&ValidatorOpts{ExpectedTypeHeader: refString("JWT"), AllowMissingExpiration: true})
	if err != nil {
	t.Fatalf("NewValidator() err = %v, want nil", err)
	}
	for _, tc := range []signerVerifierKIDTestCase{
	{
	tag: "verifier with custom kid different from header generated with custom kid",
	signerCustomKID: refString("1234"),
	verifierCustomKID: refString("123"),
	},
	{
	tag: "verifier with custom kid different from header generated with tink kid",
	signerKID: refString("5678"),
	verifierCustomKID: refString("1234"),
	},
	{
	tag: "verifier with both tink and custom kid",
	verifierCustomKID: refString("1234"),
	verifierKID: refString("1234"),
	},
	{
	tag: "verifier with tink kid and token without kid in header",
	verifierKID: refString("1234"),
	},
	} {
	t.Run(tc.tag, func(t *testing.T) {
	s, err := createESSigner(tc.signerCustomKID)
	if err != nil {
	t.Fatal(err)
	}
	v, err := createESVerifier(tc.verifierCustomKID)
	if err != nil {
	t.Fatal(err)
	}
	compact, err := s.SignAndEncodeWithKID(rawJWT, tc.signerKID)
	if err != nil {
	t.Fatalf("s.SignAndEncodeWithKID(kid = %v) err = %v, want nil", tc.signerKID, err)
	}
	if _, err := v.VerifyAndDecodeWithKID(compact, validator, tc.verifierKID); err == nil {
	t.Fatalf("s.VerifyAndDecodeWithKID(kid = %v) err = nil, want error", tc.verifierKID)
	}
	})
	}
	}

	func TestVerifierModifiedCompact(t *testing.T) {
	rawJWT, err := NewRawJWT(&RawJWTOptions{TypeHeader: refString("JWT"), WithoutExpiration: true})
	if err != nil {
	t.Fatalf("NewRawJWT() err = %v, want nil", err)
	}
	validator, err := NewValidator(&ValidatorOpts{ExpectedTypeHeader: refString("JWT"), AllowMissingExpiration: true})
	if err != nil {
	t.Fatalf("NewValidator() err = %v, want nil", err)
	}
	s, err := createESSigner(nil)
	if err != nil {
	t.Fatal(err)
	}
	v, err := createESVerifier(nil)
	if err != nil {
	t.Fatal(err)
	}
	compact, err := s.SignAndEncodeWithKID(rawJWT, nil)
	if err != nil {
	t.Fatalf("s.SignAndEncodeWithKID() err = %v, want nil", err)
	}
	if _, err := v.VerifyAndDecodeWithKID(compact, validator, nil); err != nil {
	t.Errorf("VerifyAndDecodeWithKID() err = %v, want nil", err)
	}
	for _, invalid := range []string{
	compact + "x",
	compact + " ",
	"x" + compact,
	" " + compact,
	} {
	if _, err := v.VerifyAndDecodeWithKID(invalid, validator, nil); err == nil {
	t.Errorf("VerifyAndDecodeWithKID() err = nil, want error")
	}
	}
	}

	func TestVerifierInvalidInputs(t *testing.T) {
	validator, err := NewValidator(&ValidatorOpts{AllowMissingExpiration: true})
	if err != nil {
	t.Fatalf("NewValidator() err = %v, want nil", err)
	}
	v, err := createESVerifier(nil)
	if err != nil {
	t.Fatal(err)
	}
	for _, invalid := range []string{
	"eyJhbGciOiJUzI1NiJ9.e30.YWJj.",
	"eyJhbGciOiJUzI1NiJ9?.e30.YWJj",
	"eyJhbGciOiJUzI1NiJ9.e30?.YWJj",
	"eyJhbGciOiJUzI1NiJ9.e30.YWJj?",
	"eyJhbGciOiJUzI1NiJ9.YWJj",
	} {
	if _, err := v.VerifyAndDecodeWithKID(invalid, validator, nil); err == nil {
	t.Errorf("v.VerifyAndDecodeWithKID(compact = %q) err = nil, want error", invalid)
	}
	}
	}

	func TestNewSignerWithNilTinkSignerFails(t *testing.T) {
	if _, err := newSignerWithKID(nil, "ES256", nil); err == nil {
	t.Errorf("newSignerWithKID(nil, 'ES256', nil) err = nil, want error")
	}
	}

	func TestNewVerifierWithNilTinkVerifierFails(t *testing.T) {
	if _, err := newVerifierWithKID(nil, "ES256", nil); err == nil {
	t.Errorf("newVerifierWithKID(nil, 'ES256', nil) err = nil, want error")
	}
	}