From f8b838d404fd8e68a99ad41cc212d669c07c891b Mon Sep 17 00:00:00 2001
From: David Brown <david.brown@linaro.org>
Date: Thu, 20 Sep 2018 12:15:20 -0700
Subject: [PATCH] jwt: Add JSON web token library

This patch adds a JSON web token library that adds the capability
to sign JSON tokens.  This was located in subsys due to the dependency
on MBEDTLS, which resides in /ext.

Signed-off-by: David Brown <david.brown@linaro.org>
Signed-off-by: Andy Gross <andy.gross@linaro.org>
---
 doc/reference/misc/index.rst                  |  12 +
 include/zephyr/jwt.h                          |  96 ++++++
 subsys/CMakeLists.txt                         |   1 +
 subsys/Kconfig                                |   2 +
 subsys/jwt/CMakeLists.txt                     |   4 +
 subsys/jwt/Kconfig                            |  32 ++
 subsys/jwt/jwt.c                              | 320 ++++++++++++++++++
 tests/subsys/jwt/CMakeLists.txt               |   8 +
 tests/subsys/jwt/jwt-test-cert.pem            |  18 +
 tests/subsys/jwt/jwt-test-private.der         | Bin 0 -> 1216 bytes
 tests/subsys/jwt/jwt-test-private.pem         |  28 ++
 tests/subsys/jwt/prj.conf                     |  24 ++
 tests/subsys/jwt/src/jwt-test-cert.c          | 148 ++++++++
 tests/subsys/jwt/src/jwt-test-private.c       | 112 ++++++
 tests/subsys/jwt/src/main.c                   |  67 ++++
 tests/subsys/jwt/src/tls_config/user-tls.conf |   5 +
 tests/subsys/jwt/testcase.yaml                |   5 +
 17 files changed, 882 insertions(+)
 create mode 100644 include/zephyr/jwt.h
 create mode 100644 subsys/jwt/CMakeLists.txt
 create mode 100644 subsys/jwt/Kconfig
 create mode 100644 subsys/jwt/jwt.c
 create mode 100644 tests/subsys/jwt/CMakeLists.txt
 create mode 100644 tests/subsys/jwt/jwt-test-cert.pem
 create mode 100644 tests/subsys/jwt/jwt-test-private.der
 create mode 100644 tests/subsys/jwt/jwt-test-private.pem
 create mode 100644 tests/subsys/jwt/prj.conf
 create mode 100644 tests/subsys/jwt/src/jwt-test-cert.c
 create mode 100644 tests/subsys/jwt/src/jwt-test-private.c
 create mode 100644 tests/subsys/jwt/src/main.c
 create mode 100644 tests/subsys/jwt/src/tls_config/user-tls.conf
 create mode 100644 tests/subsys/jwt/testcase.yaml

diff --git a/doc/reference/misc/index.rst b/doc/reference/misc/index.rst
index 25f639642b2..21f931d2234 100644
--- a/doc/reference/misc/index.rst
+++ b/doc/reference/misc/index.rst
@@ -25,3 +25,15 @@ JSON
 
 .. doxygengroup:: json
    :project: Zephyr
+
+JWT
+===
+
+JSON Web Tokens (JWT) are an open, industry standard [RFC
+7519](https://tools.ietf.org/html/rfc7519) method for representing
+claims securely between two parties.  Although JWT is fairly flexible,
+this API is limited to creating the simplistic tokens needed to
+authenticate with the Google Core IoT infrastructure.
+
+.. doxygengroup:: jwt
+   :project: Zephyr
diff --git a/include/zephyr/jwt.h b/include/zephyr/jwt.h
new file mode 100644
index 00000000000..db7712569e6
--- /dev/null
+++ b/include/zephyr/jwt.h
@@ -0,0 +1,96 @@
+/*
+ * Copyright (c) 2018 Linaro Ltd
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifndef ZEPHYR_INCLUDE_JWT_H_
+#define ZEPHYR_INCLUDE_JWT_H_
+
+#include <zephyr/types.h>
+#include <stdbool.h>
+
+/**
+ * @brief JSON Web Token (JWT)
+ * @defgroup jwt JSON Web Token (JWT)
+ * @ingroup structured_data
+ * @{
+ */
+
+/**
+ * @brief JWT data tracking.
+ *
+ * JSON Web Tokens contain several sections, each encoded in base-64.
+ * This structure tracks the token as it is being built, including
+ * limits on the amount of available space.  It should be initialized
+ * with jwt_init().
+ */
+struct jwt_builder {
+	/** The base of the buffer we are writing to. */
+	char *base;
+
+	/** The place in this buffer where we are currently writing.
+	 */
+	char *buf;
+
+	/** The length remaining to write. */
+	size_t len;
+
+	/**
+	 * Flag that is set if we try to write past the end of the
+	 * buffer.  If set, the token is not valid.
+	 */
+	bool overflowed;
+
+	/* Pending bytes yet to be converted to base64. */
+	unsigned char wip[3];
+
+	/* Number of pending bytes. */
+	int pending;
+};
+
+/**
+ * @brief Initialize the JWT builder.
+ *
+ * Initialize the given JWT builder for the creation of a fresh token.
+ * The buffer size should at least be as long as JWT_BUILDER_MAX_SIZE
+ * returns.
+ *
+ * @param builder The builder to initialize.
+ * @param buffer The buffer to write the token to.
+ * @param buffer_size The size of this buffer.  The token will be NULL
+ * terminated, which needs to be allowed for in this size.
+ *
+ * @retval 0 Success
+ * @retval -ENOSPC Buffer is insufficient to initialize
+ */
+int jwt_init_builder(struct jwt_builder *builder,
+		     char *buffer,
+		     size_t buffer_size);
+
+/**
+ * @brief add JWT primary payload.
+ */
+int jwt_add_payload(struct jwt_builder *builder,
+		    s32_t exp,
+		    s32_t iat,
+		    const char *aud);
+
+/**
+ * @brief Sign the JWT token.
+ */
+int jwt_sign(struct jwt_builder *builder,
+	     const char *der_key,
+	     size_t der_key_len);
+
+
+static inline size_t jwt_payload_len(struct jwt_builder *builder)
+{
+	return (builder->buf - builder->base);
+}
+
+/**
+ * @}
+ */
+
+#endif
diff --git a/subsys/CMakeLists.txt b/subsys/CMakeLists.txt
index c4af21ff33a..3696f5adf50 100644
--- a/subsys/CMakeLists.txt
+++ b/subsys/CMakeLists.txt
@@ -17,3 +17,4 @@ add_subdirectory_ifdef(CONFIG_SETTINGS             settings)
 add_subdirectory(fb)
 add_subdirectory(power)
 add_subdirectory(stats)
+add_subdirectory_if_kconfig(jwt)
diff --git a/subsys/Kconfig b/subsys/Kconfig
index d51b582b232..df133c082ee 100644
--- a/subsys/Kconfig
+++ b/subsys/Kconfig
@@ -40,3 +40,5 @@ source "subsys/app_memory/Kconfig"
 source "subsys/power/Kconfig"
 
 source "subsys/fb/Kconfig"
+
+source "subsys/jwt/Kconfig"
diff --git a/subsys/jwt/CMakeLists.txt b/subsys/jwt/CMakeLists.txt
new file mode 100644
index 00000000000..e4893b6ff3b
--- /dev/null
+++ b/subsys/jwt/CMakeLists.txt
@@ -0,0 +1,4 @@
+zephyr_link_interface_ifdef(CONFIG_MBEDTLS mbedTLS)
+zephyr_library()
+zephyr_library_sources(jwt.c)
+zephyr_library_link_libraries_ifdef(CONFIG_MBEDTLS mbedTLS)
diff --git a/subsys/jwt/Kconfig b/subsys/jwt/Kconfig
new file mode 100644
index 00000000000..a71e64358f8
--- /dev/null
+++ b/subsys/jwt/Kconfig
@@ -0,0 +1,32 @@
+#
+# Copyright (c) 2018 Linaro
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+menuconfig JWT
+	bool "Enable JSON Web Token generation"
+	select JSON_LIBRARY
+	help
+	  Enable creation of JWT tokens
+
+if JWT
+choice
+	prompt "JWT signature algorithm"
+	default JWT_SIGN_RSA
+	help
+	  Select which algorithm to use for signing JWT tokens.
+
+config JWT_SIGN_RSA
+	bool "Use RSA signature (RS-256)"
+	select MBEDTLS
+
+config JWT_SIGN_ECDSA
+	bool "Use ECDSA signature (ES-256)"
+	select TINYCRYPT
+	select TINYCRYPT_SHA256
+	select TINYCRYPT_ECC_DSA
+	select TINYCRYPT_CTR_PRNG
+	select TINYCRYPT_AES
+
+endchoice
+endif
diff --git a/subsys/jwt/jwt.c b/subsys/jwt/jwt.c
new file mode 100644
index 00000000000..f6c7ea4b8e5
--- /dev/null
+++ b/subsys/jwt/jwt.c
@@ -0,0 +1,320 @@
+/*
+ * Copyright (C) 2018 Linaro Ltd
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#include <string.h>
+#include <zephyr/types.h>
+#include <errno.h>
+
+#include <zephyr/jwt.h>
+#include <json.h>
+
+#ifdef CONFIG_JWT_SIGN_RSA
+#include <mbedtls/pk.h>
+#include <mbedtls/rsa.h>
+#include <mbedtls/sha256.h>
+#endif
+
+#ifdef CONFIG_JWT_SIGN_ECDSA
+#include <tinycrypt/ctr_prng.h>
+#include <tinycrypt/sha256.h>
+#include <tinycrypt/ecc_dsa.h>
+#include <tinycrypt/constants.h>
+
+#include <random/rand32.h>
+#endif
+
+/*
+ * Base-64 encoding is typically done by lookup into a 64-byte static
+ * array.  As an experiment, lets look at both code size and time for
+ * one that does the character encoding computationally.  Like the
+ * array version, this doesn't do bounds checking, and assumes the
+ * passed value has been masked.
+ *
+ * On Cortex-M, this function is 34 bytes of code, which is only a
+ * little more than half of the size of the lookup table.
+ */
+#if 1
+static int base64_char(int value)
+{
+	if (value < 26) {
+		return value + 'A';
+	} else if (value < 52) {
+		return value + 'a' - 26;
+	} else if (value < 62) {
+		return value + '0' - 52;
+	} else if (value == 62) {
+		return '-';
+	} else {
+		return '_';
+	}
+}
+#else
+static const char b64_table[] =
+	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
+static inline int base64_char(int value)
+{
+	return b64_table[value];
+}
+#endif
+
+/*
+ * Add a single character to the jwt buffer.  Detects overflow, and
+ * always keeps the buffer null terminated.
+ */
+static void base64_outch(struct jwt_builder *st, char ch)
+{
+	if (st->overflowed) {
+		return;
+	}
+
+	if (st->len < 2) {
+		st->overflowed = true;
+		return;
+	}
+
+	*st->buf++ = ch;
+	st->len--;
+	*st->buf = 0;
+}
+
+/*
+ * Flush any pending base64 character data out.  If we have all three
+ * bytes are present, this will generate 4 characters, otherwise it
+ * may generate fewer.
+ */
+static void base64_flush(struct jwt_builder *st)
+{
+	if (st->pending < 1) {
+		return;
+	}
+
+	base64_outch(st, base64_char(st->wip[0] >> 2));
+	base64_outch(st, base64_char(((st->wip[0] & 0x03) << 4) |
+				(st->wip[1] >> 4)));
+
+	if (st->pending >= 2) {
+		base64_outch(st, base64_char(((st->wip[1] & 0x0f) << 2) |
+				(st->wip[2] >> 6)));
+	}
+	if (st->pending >= 3) {
+		base64_outch(st, base64_char(st->wip[2] & 0x3f));
+	}
+
+	st->pending = 0;
+	memset(st->wip, 0, 3);
+}
+
+static void base64_addbyte(struct jwt_builder *st, uint8_t byte)
+{
+	st->wip[st->pending++] = byte;
+	if (st->pending == 3) {
+		base64_flush(st);
+	}
+}
+
+static int base64_append_bytes(const char *bytes, size_t len,
+			 void *data)
+{
+	struct jwt_builder *st = data;
+
+	while (len-- > 0) {
+		base64_addbyte(st, *bytes++);
+	}
+
+	return 0;
+}
+
+struct jwt_header {
+	char *typ;
+	char *alg;
+};
+
+static struct json_obj_descr jwt_header_desc[] = {
+	JSON_OBJ_DESCR_PRIM(struct jwt_header, alg, JSON_TOK_STRING),
+	JSON_OBJ_DESCR_PRIM(struct jwt_header, typ, JSON_TOK_STRING),
+};
+
+struct jwt_payload {
+	s32_t exp;
+	s32_t iat;
+	const char *aud;
+};
+
+static struct json_obj_descr jwt_payload_desc[] = {
+	JSON_OBJ_DESCR_PRIM(struct jwt_payload, aud, JSON_TOK_STRING),
+	JSON_OBJ_DESCR_PRIM(struct jwt_payload, exp, JSON_TOK_NUMBER),
+	JSON_OBJ_DESCR_PRIM(struct jwt_payload, iat, JSON_TOK_NUMBER),
+};
+
+/*
+ * Add the JWT header to the buffer.
+ */
+static void jwt_add_header(struct jwt_builder *builder)
+{
+	static const struct jwt_header head = {
+		.typ = "JWT",
+#ifdef CONFIG_JWT_SIGN_RSA
+		.alg = "RS256",
+#endif
+#ifdef CONFIG_JWT_SIGN_ECDSA
+		.alg = "ES256",
+#endif
+	};
+
+	int res = json_obj_encode(jwt_header_desc, ARRAY_SIZE(jwt_header_desc),
+				  &head, base64_append_bytes, builder);
+	if (res != 0) {
+		/* Log an error here. */
+		return;
+	}
+	base64_flush(builder);
+}
+
+int jwt_add_payload(struct jwt_builder *builder,
+		     s32_t exp,
+		     s32_t iat,
+		     const char *aud)
+{
+	struct jwt_payload payload = {
+		.exp = exp,
+		.iat = iat,
+		.aud = aud,
+	};
+
+	base64_outch(builder, '.');
+	int res = json_obj_encode(jwt_payload_desc,
+				  ARRAY_SIZE(jwt_payload_desc),
+				  &payload, base64_append_bytes, builder);
+
+	base64_flush(builder);
+	return res;
+}
+
+#ifdef CONFIG_JWT_SIGN_RSA
+int jwt_sign(struct jwt_builder *builder,
+	     const char *der_key,
+	     size_t der_key_len)
+{
+	int res;
+	mbedtls_pk_context ctx;
+
+	mbedtls_pk_init(&ctx);
+
+	res = mbedtls_pk_parse_key(&ctx, der_key, der_key_len,
+				       NULL, 0);
+	if (res != 0) {
+		return res;
+	}
+
+	u8_t hash[32], sig[256];
+	size_t sig_len = sizeof(sig);
+
+	/*
+	 * The '0' indicates to mbedtls to do a SHA256, instead of
+	 * 224.
+	 */
+	mbedtls_sha256(builder->base, builder->buf - builder->base,
+		       hash, 0);
+
+	res = mbedtls_pk_sign(&ctx, MBEDTLS_MD_SHA256,
+			      hash, sizeof(hash),
+			      sig, &sig_len,
+			      NULL, NULL);
+	if (res != 0) {
+		return res;
+	}
+
+	base64_outch(builder, '.');
+	base64_append_bytes(sig, sig_len, builder);
+	base64_flush(builder);
+
+	return builder->overflowed ? -ENOMEM : 0;
+}
+#endif
+
+#ifdef CONFIG_JWT_SIGN_ECDSA
+static TCCtrPrng_t prng_state;
+static bool prng_init;
+
+static const char personalize[] = "zephyr:drivers/jwt/jwt.c";
+
+static int setup_prng(void)
+{
+	if (prng_init) {
+		return 0;
+	}
+	prng_init = true;
+
+	u8_t entropy[TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE];
+
+	for (int i = 0; i < sizeof(entropy); i += sizeof(u32_t)) {
+		u32_t rv = sys_rand32_get();
+
+		memcpy(entropy + i, &rv, sizeof(uint32_t));
+	}
+
+	int res = tc_ctr_prng_init(&prng_state,
+				   (const uint8_t *) &entropy, sizeof(entropy),
+				   personalize,
+				   sizeof(personalize));
+
+	return res == TC_CRYPTO_SUCCESS ? 0 : -EINVAL;
+}
+
+int default_CSPRNG(u8_t *dest, unsigned int size)
+{
+	int res = tc_ctr_prng_generate(&prng_state, NULL, 0, dest, size);
+	return res;
+}
+
+int jwt_sign(struct jwt_builder *builder,
+	     const char *der_key,
+	     size_t der_key_len)
+{
+	struct tc_sha256_state_struct ctx;
+	u8_t hash[32], sig[64];
+	int res;
+
+	tc_sha256_init(&ctx);
+	tc_sha256_update(&ctx, builder->base, builder->buf - builder->base);
+	tc_sha256_final(hash, &ctx);
+
+	res = setup_prng();
+
+	if (res != 0) {
+		return res;
+	}
+	uECC_set_rng(&default_CSPRNG);
+
+	/* Note that tinycrypt only supports P-256. */
+	res = uECC_sign(der_key, hash, sizeof(hash),
+			sig, &curve_secp256r1);
+	if (res != TC_CRYPTO_SUCCESS) {
+		return -EINVAL;
+	}
+
+	base64_outch(builder, '.');
+	base64_append_bytes(sig, sizeof(sig), builder);
+	base64_flush(builder);
+
+	return 0;
+}
+#endif
+
+int jwt_init_builder(struct jwt_builder *builder,
+		     char *buffer,
+		     size_t buffer_size)
+{
+	builder->base = buffer;
+	builder->buf = buffer;
+	builder->len = buffer_size;
+	builder->overflowed = false;
+	builder->pending = 0;
+
+	jwt_add_header(builder);
+
+	return 0;
+}
diff --git a/tests/subsys/jwt/CMakeLists.txt b/tests/subsys/jwt/CMakeLists.txt
new file mode 100644
index 00000000000..ff28d5e8a9a
--- /dev/null
+++ b/tests/subsys/jwt/CMakeLists.txt
@@ -0,0 +1,8 @@
+cmake_minimum_required(VERSION 3.8)
+
+include($ENV{ZEPHYR_BASE}/cmake/app/boilerplate.cmake NO_POLICY_SCOPE)
+project(NONE)
+
+FILE(GLOB app_sources src/*.c)
+target_sources(app PRIVATE ${app_sources})
+zephyr_include_directories(${APPLICATION_SOURCE_DIR}/src/tls_config)
diff --git a/tests/subsys/jwt/jwt-test-cert.pem b/tests/subsys/jwt/jwt-test-cert.pem
new file mode 100644
index 00000000000..39859e23eb5
--- /dev/null
+++ b/tests/subsys/jwt/jwt-test-cert.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+zCCAeOgAwIBAgIJAIo6NLZ3yCHqMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV
+BAMMCGp3dC10ZXN0MCAXDTE4MDcwMjE3MjExMVoYDzQ3NTYwNTI5MTcyMTExWjAT
+MREwDwYDVQQDDAhqd3QtdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAKZSmN8OM9BpYjLEQHzsv5+jNYpRze1Jmb74KT/R16j7xjaCRWTbbXPvU8oC
+frCRBr3VZkvqh3ptlaVrZLnWw92yXAOLAFxGFouGyCgNtLE+tg2CIpdbdQIAl8dX
+S6CB+y3Iu4E3xI7mfJr5LQzUuCLlO6D+qD5emTZXdiV+/IkXPDnwPC6zPxT1I5aS
+Qnsd0AuxRHGJO0Tl6uosZ7vZ45yKGoMe6RPjPAawo5idK6WEZdsjd1nKZHadVAVX
+pxDLYux/OfzXUz1GLewR0UIQanM5GBCgz5uIbx6IaIs8MFk/ZrUJZfw3959O1xrG
+FmRnZEHAkFHZ2vUlXMBinw3sLNMCAwEAAaNQME4wHQYDVR0OBBYEFINKpDYiVZyi
+JlzHhq5Xo0Ax4eTKMB8GA1UdIwQYMBaAFINKpDYiVZyiJlzHhq5Xo0Ax4eTKMAwG
+A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBADzE5U+/LiDbI/PS+5o3J5z+
+0eYdIOYU4Qe/ltdnt0voRKY1a0WHkYYXoFiONSRuAK/6O3bJByfQCd/NSAObTkPY
+R0WPCg2vriztxPxs2fdU2VBh4qB7WM/yNOPpMamCDPZzg5oubVIwecYwZ0V888xV
+GfWHwRcKtN7QogNIpGhMJj65MYPuB1cXAdUq7/zpRAewCp472dcUKLzLTHq7z8VU
+ko0u1uTemh+xHtJLpVxqq7a6cpgka3DS7qwjz5XUL6UWKyL3uJcUL36ghL0ZwyQv
+HngefbPQFMDyyoPh6QPGUMLwgN5pMI5mvdtA0I7z0G67TLpB+hpf+Kgyzx5JjQ0=
+-----END CERTIFICATE-----
diff --git a/tests/subsys/jwt/jwt-test-private.der b/tests/subsys/jwt/jwt-test-private.der
new file mode 100644
index 0000000000000000000000000000000000000000..85614d02363234ff839a6ae9d155d97a589b92c6
GIT binary patch
literal 1216
zcmV;x1V8&Qf&{z*0RS)!1_>&LNQU<f0RaI800e>rrZ9p8q5=T`0)hbn0H#uy-wrd-
zX<{<OKz!`KpQAO3QO)g1nZEcbKhf8y`^GkcMP%D;bMI5i0)DWO2EEm0OX`PuZIz{K
zWVzPE-LhN*ivV0k7K?_+C=Il+KDG^lB9~ir0sxoCS4*IQ`z^@3fj7jC=6ss@EezDS
zBIP@v{-{1)nKoB;C4T&g7d$!eJT9|86!jyPl0thO&<n9dafv%b<?8AzXS><soQfKQ
z9_bU~JO;3%n4K%7gk{?!cUj70cAZoOSEmrmV(fo8{MS=GMlI|S(LxYvb2%6gpwF9#
zZytzfi##w{KW4QFW&AhypH9~r#uj8}WI@1?QQ6w{C0xK_pAGCR(*gql009Dm0RSYe
z@PfFC8oM&-$v6X)-ie_fteS7smA9`_;T`VuC6g%HT8>>fy8)+F4kpmEwYUr8Wd!#6
z+qe-Kg8rJZPfoN4@XQs@L$R|VjX<ys8cm-riFJW>tnWP>JKXn^wKk-gF(}0tw*Lc}
z)w|}Ye%4Dtgf_(a#5nt}{2?~U5S~#V#>Z0bcb8;hY{dkCP_|kjPEoRvLeb};j<!QU
z|FUmF1<>D|^j%VG0{f1B8}m%$WGgIGER%NxFs52ydO&EE_h~LVC$&6;jH&)#rdk4w
z0X<L$m?6-7Mf8LdfESaB&HVtE?}cyKG+1Gr{#y=#^7SU{*K_?w1hU-a|0x22fdJHJ
z=T+*#_UpLxl~h>Bp}U8n_1-QagqY>l-e1I6Z!&j#7$U4|s`WOvpm)@#t$g$wJP%ly
z!_JCWjjmJa-T7HNACh+}zxgJ%>y9l6PCx~=pnx(QGa%UL&!V3;<lh<foWF8mXU2)?
zF*2$}?YS+)skFj?kGrxXg)J^nKwScXfdI&LYS}5s<4)i3khHm95`^BI(vjLQYMQ(f
z+Z}W23}yRZF2k%%b^rw5(Om=W?{{`3*1C=0_f(@RIr;%os+G6MVSZQ_&MRzUy$UBe
zlmn8-#B+}Mhm4ZzYQ<(|)2k#_t~F0A)_&udpLD*kKpFa;l`C9ah+Nq2SLtWB4(|ei
zfF#>ey$Rb^X;{*@2FB4TpG?ic$S2_u4JP!x>4-dlFBPPEZ>iIi`mf*hELH9@pm+;0
z#K-R1D?q+f_h$ex&`!61rv9FwX)juqO*v~{^rQ(Wn3fr4mC%i~S=OGz;3BmL+5nRN
zTIm~Ex*X}fa$t(Pm+lxi*sS!F>s}f5(E@>hT+Qclw4#}T*|A{#8d(OE*AE$ahTkP?
zkEquol9-3K>mvhWd9c3mkx(IcgQ_!BMlp<V|KMl=8ZDRr!+r-9n`u0urkxha3A@O%
z8>i2Eya$?2xuKGLr9?78Lx5F$g)LAg#0d!?<Fm9D^L1ON>s(>U8c>Lx8=Z8!%~f@$
z0)c>N*~qAnkp4xCU%5>kh5{k!BM0`Xt8BJ;^7d1u?ubuFZuDeOVBw5AeV{8>avHZ(
z*P9I#q!9u77QK5ru&ri-f$vT2C^+jGSn|P85}aZ-3P(#tNG~Gvv@)v?WH~alT63Az
eQz&<fKM>zhDHX9v1Z1<V<!;F--Gn?xL6Wd#Tu#XV

literal 0
HcmV?d00001

diff --git a/tests/subsys/jwt/jwt-test-private.pem b/tests/subsys/jwt/jwt-test-private.pem
new file mode 100644
index 00000000000..99e5c7884d1
--- /dev/null
+++ b/tests/subsys/jwt/jwt-test-private.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCmUpjfDjPQaWIy
+xEB87L+fozWKUc3tSZm++Ck/0deo+8Y2gkVk221z71PKAn6wkQa91WZL6od6bZWl
+a2S51sPdslwDiwBcRhaLhsgoDbSxPrYNgiKXW3UCAJfHV0uggfstyLuBN8SO5nya
++S0M1Lgi5Tug/qg+Xpk2V3YlfvyJFzw58Dwusz8U9SOWkkJ7HdALsURxiTtE5erq
+LGe72eOcihqDHukT4zwGsKOYnSulhGXbI3dZymR2nVQFV6cQy2Lsfzn811M9Ri3s
+EdFCEGpzORgQoM+biG8eiGiLPDBZP2a1CWX8N/efTtcaxhZkZ2RBwJBR2dr1JVzA
+Yp8N7CzTAgMBAAECggEAJK3wgriKGrsy6ck4A5TeiaEfrJpv1JW3r1LhHe70JZMo
+2lqOXTi7AadVDibQs7W4C+NlBPb627gRGYL+mrFPTrQH8MwVz0OxsyGNQLANGk2f
+Lol1gXWs7z0cO9z3k7U2pJkxKMUYtv8DmdW75ql+1ktBhDbE+cQ4+6/8ITbJEJ5R
+H8bHUu53l2RibMUEgFC2WiFOUbKRQtHnoY62Q0D/sm9CBdDfnPRdUmsC+45+G/NM
+5GQrLFQsk3cEMKZaYHpAaJX3aS46J7U8hIyp/l+mWgKMAT1QB5gh0HxF9IQTgBeT
+is39AJfvhW/ZNFhhnP5bDoHy9Sbs13P9RgSy3OX/KQKBgQDUZ+dV6sH267j0lVRY
+yKG7h6H13i4hhJjl1t5fxFhvMnd7GCKsa6r1Nregd9SnrXz0GzwPWJjDzopYja5T
+6d35WTsfkncqv/kmtuuOLQlOQAW2oIAyHDMg2OjPop825N8Z9Zy/cmFnxonpMTKq
+Re25LcSptMKAj7uyI4UtLlBAXQKBgQDIdWrZKcjjTt/wkLS5XxKE3pzSkdowapq8
+Etsdc+oMZftgLsOsTXYABN/RXQPt73d2Jda6jeD3VKMrOfoBUqqVt8hhflgXzits
+Yr0KJzmUA5LHxHOO+YeMkutqxWZm06skVq41TyzWfuOYn3S+sEAZ+p6VK1xciFzY
+7lfpZ7cO7wKBgCTbUr0J21ZpWNK4BsbRKZ9MzcHIJ+ERDSb0vemIPIAvFaR6b6nT
+lPqv3/UsVe4yoHgLMcTH7torQL5U92cAMdBOt3+m/p6gaS9alk05a1/0pAkomJYZ
+ZpXQjbVZ1p7D4CK1B9oAkv5a6RtZuhzpvXJgiruX7hg42Kz0lOteGfbRAoGAXM3n
+crSimYHZsWD9GlkGlNcPGXmG3yVrj6jXIpKYh7brIwNjebC+8ZFQIXiDqjNURjGM
+cP/gaAEaLZgAw34HFZtpPKGmnRbJCbvIsxunz3u8B5pOuaGSfKVEMkFDgFV8hS1Q
+J8QJCSDjs7QW83Vbp+tcYckaUIidG510u81VdacCgYBo2ciokJD+RYxfuU0dhgIh
+6SMH9qqrbLZ58vZTpe6IT0hu9GRQYOGMO32gK1dyGrdU15sNFKQRAfoWvXs7sK1m
+goHvTe0oOOsZWPLBUBKcYjYKR0tFSC8i9LQyqw9kOTK0WnOZ1VMod4s/EN9RKRWx
+SQRks63lbskp3YQ8R0GSsA==
+-----END PRIVATE KEY-----
diff --git a/tests/subsys/jwt/prj.conf b/tests/subsys/jwt/prj.conf
new file mode 100644
index 00000000000..0c6b402cee8
--- /dev/null
+++ b/tests/subsys/jwt/prj.conf
@@ -0,0 +1,24 @@
+CONFIG_BASE64=y
+CONFIG_JSON_LIBRARY=y
+CONFIG_JWT=y
+CONFIG_ZTEST=y
+# CONFIG_ZTEST_STACKSIZE=2048
+CONFIG_ZTEST_STACKSIZE=8192
+CONFIG_MAIN_STACK_SIZE=1024
+
+# Enable MBEDTLS
+CONFIG_MBEDTLS=y
+CONFIG_MBEDTLS_BUILTIN=y
+CONFIG_MBEDTLS_ENABLE_HEAP=y
+CONFIG_MBEDTLS_HEAP_SIZE=32768
+CONFIG_MBEDTLS_USER_CONFIG_ENABLE=y
+CONFIG_MBEDTLS_USER_CONFIG_FILE="user-tls.conf"
+
+CONFIG_DEBUG_OPTIMIZATIONS=y
+
+CONFIG_HW_STACK_PROTECTION=y
+CONFIG_PTHREAD_IPC=y
+CONFIG_NET_SOCKETS=y
+
+CONFIG_NEWLIB_LIBC=y
+
diff --git a/tests/subsys/jwt/src/jwt-test-cert.c b/tests/subsys/jwt/src/jwt-test-cert.c
new file mode 100644
index 00000000000..4b1828e2403
--- /dev/null
+++ b/tests/subsys/jwt/src/jwt-test-cert.c
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) 2018, Linaro, Ltd
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ */
+
+/* subject:/CN=jwt-test */
+/* issuer :/CN=jwt-test */
+unsigned char XXX_subject_name[21] = {
+0x30, 0x13, 0x31, 0x11, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C,
+0x08, 0x6A, 0x77, 0x74, 0x2D, 0x74, 0x65, 0x73, 0x74,
+};
+unsigned char XXX_public_key[294] = {
+0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
+0x0D, 0x01, 0x01,
+0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82, 0x01, 0x0A, 0x02,
+0x82, 0x01, 0x01,
+0x00, 0xA6, 0x52, 0x98, 0xDF, 0x0E, 0x33, 0xD0, 0x69, 0x62, 0x32, 0xC4, 0x40,
+0x7C, 0xEC, 0xBF,
+0x9F, 0xA3, 0x35, 0x8A, 0x51, 0xCD, 0xED, 0x49, 0x99, 0xBE, 0xF8, 0x29, 0x3F,
+0xD1, 0xD7, 0xA8,
+0xFB, 0xC6, 0x36, 0x82, 0x45, 0x64, 0xDB, 0x6D, 0x73, 0xEF, 0x53, 0xCA, 0x02,
+0x7E, 0xB0, 0x91,
+0x06, 0xBD, 0xD5, 0x66, 0x4B, 0xEA, 0x87, 0x7A, 0x6D, 0x95, 0xA5, 0x6B, 0x64,
+0xB9, 0xD6, 0xC3,
+0xDD, 0xB2, 0x5C, 0x03, 0x8B, 0x00, 0x5C, 0x46, 0x16, 0x8B, 0x86, 0xC8, 0x28,
+0x0D, 0xB4, 0xB1,
+0x3E, 0xB6, 0x0D, 0x82, 0x22, 0x97, 0x5B, 0x75, 0x02, 0x00, 0x97, 0xC7, 0x57,
+0x4B, 0xA0, 0x81,
+0xFB, 0x2D, 0xC8, 0xBB, 0x81, 0x37, 0xC4, 0x8E, 0xE6, 0x7C, 0x9A, 0xF9, 0x2D,
+0x0C, 0xD4, 0xB8,
+0x22, 0xE5, 0x3B, 0xA0, 0xFE, 0xA8, 0x3E, 0x5E, 0x99, 0x36, 0x57, 0x76, 0x25,
+0x7E, 0xFC, 0x89,
+0x17, 0x3C, 0x39, 0xF0, 0x3C, 0x2E, 0xB3, 0x3F, 0x14, 0xF5, 0x23, 0x96, 0x92,
+0x42, 0x7B, 0x1D,
+0xD0, 0x0B, 0xB1, 0x44, 0x71, 0x89, 0x3B, 0x44, 0xE5, 0xEA, 0xEA, 0x2C, 0x67,
+0xBB, 0xD9, 0xE3,
+0x9C, 0x8A, 0x1A, 0x83, 0x1E, 0xE9, 0x13, 0xE3, 0x3C, 0x06, 0xB0, 0xA3, 0x98,
+0x9D, 0x2B, 0xA5,
+0x84, 0x65, 0xDB, 0x23, 0x77, 0x59, 0xCA, 0x64, 0x76, 0x9D, 0x54, 0x05, 0x57,
+0xA7, 0x10, 0xCB,
+0x62, 0xEC, 0x7F, 0x39, 0xFC, 0xD7, 0x53, 0x3D, 0x46, 0x2D, 0xEC, 0x11, 0xD1,
+0x42, 0x10, 0x6A,
+0x73, 0x39, 0x18, 0x10, 0xA0, 0xCF, 0x9B, 0x88, 0x6F, 0x1E, 0x88, 0x68, 0x8B,
+0x3C, 0x30, 0x59,
+0x3F, 0x66, 0xB5, 0x09, 0x65, 0xFC, 0x37, 0xF7, 0x9F, 0x4E, 0xD7, 0x1A, 0xC6,
+0x16, 0x64, 0x67,
+0x64, 0x41, 0xC0, 0x90, 0x51, 0xD9, 0xDA, 0xF5, 0x25, 0x5C, 0xC0, 0x62, 0x9F,
+0x0D, 0xEC, 0x2C, 0xD3, 0x02, 0x03, 0x01, 0x00, 0x01,
+};
+unsigned char XXX_certificate[767] = {
+0x30, 0x82, 0x02, 0xFB, 0x30, 0x82, 0x01, 0xE3, 0xA0, 0x03, 0x02, 0x01, 0x02,
+0x02, 0x09, 0x00,
+0x8A, 0x3A, 0x34, 0xB6, 0x77, 0xC8, 0x21, 0xEA, 0x30, 0x0D, 0x06, 0x09, 0x2A,
+0x86, 0x48, 0x86,
+0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, 0x13, 0x31, 0x11, 0x30, 0x0F,
+0x06, 0x03, 0x55,
+0x04, 0x03, 0x0C, 0x08, 0x6A, 0x77, 0x74, 0x2D, 0x74, 0x65, 0x73, 0x74, 0x30,
+0x20, 0x17, 0x0D,
+0x31, 0x38, 0x30, 0x37, 0x30, 0x32, 0x31, 0x37, 0x32, 0x31, 0x31, 0x31, 0x5A,
+0x18, 0x0F, 0x34,
+0x37, 0x35, 0x36, 0x30, 0x35, 0x32, 0x39, 0x31, 0x37, 0x32, 0x31, 0x31, 0x31,
+0x5A, 0x30, 0x13,
+0x31, 0x11, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x08, 0x6A, 0x77,
+0x74, 0x2D, 0x74,
+0x65, 0x73, 0x74, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86,
+0x48, 0x86, 0xF7,
+0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82,
+0x01, 0x0A, 0x02,
+0x82, 0x01, 0x01, 0x00, 0xA6, 0x52, 0x98, 0xDF, 0x0E, 0x33, 0xD0, 0x69, 0x62,
+0x32, 0xC4, 0x40,
+0x7C, 0xEC, 0xBF, 0x9F, 0xA3, 0x35, 0x8A, 0x51, 0xCD, 0xED, 0x49, 0x99, 0xBE,
+0xF8, 0x29, 0x3F,
+0xD1, 0xD7, 0xA8, 0xFB, 0xC6, 0x36, 0x82, 0x45, 0x64, 0xDB, 0x6D, 0x73, 0xEF,
+0x53, 0xCA, 0x02,
+0x7E, 0xB0, 0x91, 0x06, 0xBD, 0xD5, 0x66, 0x4B, 0xEA, 0x87, 0x7A, 0x6D, 0x95,
+0xA5, 0x6B, 0x64,
+0xB9, 0xD6, 0xC3, 0xDD, 0xB2, 0x5C, 0x03, 0x8B, 0x00, 0x5C, 0x46, 0x16, 0x8B,
+0x86, 0xC8, 0x28,
+0x0D, 0xB4, 0xB1, 0x3E, 0xB6, 0x0D, 0x82, 0x22, 0x97, 0x5B, 0x75, 0x02, 0x00,
+0x97, 0xC7, 0x57,
+0x4B, 0xA0, 0x81, 0xFB, 0x2D, 0xC8, 0xBB, 0x81, 0x37, 0xC4, 0x8E, 0xE6, 0x7C,
+0x9A, 0xF9, 0x2D,
+0x0C, 0xD4, 0xB8, 0x22, 0xE5, 0x3B, 0xA0, 0xFE, 0xA8, 0x3E, 0x5E, 0x99, 0x36,
+0x57, 0x76, 0x25,
+0x7E, 0xFC, 0x89, 0x17, 0x3C, 0x39, 0xF0, 0x3C, 0x2E, 0xB3, 0x3F, 0x14, 0xF5,
+0x23, 0x96, 0x92,
+0x42, 0x7B, 0x1D, 0xD0, 0x0B, 0xB1, 0x44, 0x71, 0x89, 0x3B, 0x44, 0xE5, 0xEA,
+0xEA, 0x2C, 0x67,
+0xBB, 0xD9, 0xE3, 0x9C, 0x8A, 0x1A, 0x83, 0x1E, 0xE9, 0x13, 0xE3, 0x3C, 0x06,
+0xB0, 0xA3, 0x98,
+0x9D, 0x2B, 0xA5, 0x84, 0x65, 0xDB, 0x23, 0x77, 0x59, 0xCA, 0x64, 0x76, 0x9D,
+0x54, 0x05, 0x57,
+0xA7, 0x10, 0xCB, 0x62, 0xEC, 0x7F, 0x39, 0xFC, 0xD7, 0x53, 0x3D, 0x46, 0x2D,
+0xEC, 0x11, 0xD1,
+0x42, 0x10, 0x6A, 0x73, 0x39, 0x18, 0x10, 0xA0, 0xCF, 0x9B, 0x88, 0x6F, 0x1E,
+0x88, 0x68, 0x8B,
+0x3C, 0x30, 0x59, 0x3F, 0x66, 0xB5, 0x09, 0x65, 0xFC, 0x37, 0xF7, 0x9F, 0x4E,
+0xD7, 0x1A, 0xC6,
+0x16, 0x64, 0x67, 0x64, 0x41, 0xC0, 0x90, 0x51, 0xD9, 0xDA, 0xF5, 0x25, 0x5C,
+0xC0, 0x62, 0x9F,
+0x0D, 0xEC, 0x2C, 0xD3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x50, 0x30, 0x4E,
+0x30, 0x1D, 0x06,
+0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x83, 0x4A, 0xA4, 0x36, 0x22,
+0x55, 0x9C, 0xA2,
+0x26, 0x5C, 0xC7, 0x86, 0xAE, 0x57, 0xA3, 0x40, 0x31, 0xE1, 0xE4, 0xCA, 0x30,
+0x1F, 0x06, 0x03,
+0x55, 0x1D, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x83, 0x4A, 0xA4, 0x36,
+0x22, 0x55, 0x9C,
+0xA2, 0x26, 0x5C, 0xC7, 0x86, 0xAE, 0x57, 0xA3, 0x40, 0x31, 0xE1, 0xE4, 0xCA,
+0x30, 0x0C, 0x06,
+0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 0x30, 0x0D,
+0x06, 0x09, 0x2A,
+0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, 0x82, 0x01,
+0x01, 0x00, 0x3C,
+0xC4, 0xE5, 0x4F, 0xBF, 0x2E, 0x20, 0xDB, 0x23, 0xF3, 0xD2, 0xFB, 0x9A, 0x37,
+0x27, 0x9C, 0xFE,
+0xD1, 0xE6, 0x1D, 0x20, 0xE6, 0x14, 0xE1, 0x07, 0xBF, 0x96, 0xD7, 0x67, 0xB7,
+0x4B, 0xE8, 0x44,
+0xA6, 0x35, 0x6B, 0x45, 0x87, 0x91, 0x86, 0x17, 0xA0, 0x58, 0x8E, 0x35, 0x24,
+0x6E, 0x00, 0xAF,
+0xFA, 0x3B, 0x76, 0xC9, 0x07, 0x27, 0xD0, 0x09, 0xDF, 0xCD, 0x48, 0x03, 0x9B,
+0x4E, 0x43, 0xD8,
+0x47, 0x45, 0x8F, 0x0A, 0x0D, 0xAF, 0xAE, 0x2C, 0xED, 0xC4, 0xFC, 0x6C, 0xD9,
+0xF7, 0x54, 0xD9,
+0x50, 0x61, 0xE2, 0xA0, 0x7B, 0x58, 0xCF, 0xF2, 0x34, 0xE3, 0xE9, 0x31, 0xA9,
+0x82, 0x0C, 0xF6,
+0x73, 0x83, 0x9A, 0x2E, 0x6D, 0x52, 0x30, 0x79, 0xC6, 0x30, 0x67, 0x45, 0x7C,
+0xF3, 0xCC, 0x55,
+0x19, 0xF5, 0x87, 0xC1, 0x17, 0x0A, 0xB4, 0xDE, 0xD0, 0xA2, 0x03, 0x48, 0xA4,
+0x68, 0x4C, 0x26,
+0x3E, 0xB9, 0x31, 0x83, 0xEE, 0x07, 0x57, 0x17, 0x01, 0xD5, 0x2A, 0xEF, 0xFC,
+0xE9, 0x44, 0x07,
+0xB0, 0x0A, 0x9E, 0x3B, 0xD9, 0xD7, 0x14, 0x28, 0xBC, 0xCB, 0x4C, 0x7A, 0xBB,
+0xCF, 0xC5, 0x54,
+0x92, 0x8D, 0x2E, 0xD6, 0xE4, 0xDE, 0x9A, 0x1F, 0xB1, 0x1E, 0xD2, 0x4B, 0xA5,
+0x5C, 0x6A, 0xAB,
+0xB6, 0xBA, 0x72, 0x98, 0x24, 0x6B, 0x70, 0xD2, 0xEE, 0xAC, 0x23, 0xCF, 0x95,
+0xD4, 0x2F, 0xA5,
+0x16, 0x2B, 0x22, 0xF7, 0xB8, 0x97, 0x14, 0x2F, 0x7E, 0xA0, 0x84, 0xBD, 0x19,
+0xC3, 0x24, 0x2F,
+0x1E, 0x78, 0x1E, 0x7D, 0xB3, 0xD0, 0x14, 0xC0, 0xF2, 0xCA, 0x83, 0xE1, 0xE9,
+0x03, 0xC6, 0x50,
+0xC2, 0xF0, 0x80, 0xDE, 0x69, 0x30, 0x8E, 0x66, 0xBD, 0xDB, 0x40, 0xD0, 0x8E,
+0xF3, 0xD0, 0x6E,
+0xBB, 0x4C, 0xBA, 0x41, 0xFA, 0x1A, 0x5F, 0xF8, 0xA8, 0x32, 0xCF, 0x1E, 0x49,
+0x8D, 0x0D,
+};
diff --git a/tests/subsys/jwt/src/jwt-test-private.c b/tests/subsys/jwt/src/jwt-test-private.c
new file mode 100644
index 00000000000..9a42dbde8d0
--- /dev/null
+++ b/tests/subsys/jwt/src/jwt-test-private.c
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) 2018, Linaro, Ltd
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ */
+
+
+unsigned char jwt_test_private_der[] = {
+	0x30, 0x82, 0x04, 0xbc, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a,
+	0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82,
+	0x04, 0xa6, 0x30, 0x82, 0x04, 0xa2, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01,
+	0x01, 0x00, 0xa6, 0x52, 0x98, 0xdf, 0x0e, 0x33, 0xd0, 0x69, 0x62, 0x32,
+	0xc4, 0x40, 0x7c, 0xec, 0xbf, 0x9f, 0xa3, 0x35, 0x8a, 0x51, 0xcd, 0xed,
+	0x49, 0x99, 0xbe, 0xf8, 0x29, 0x3f, 0xd1, 0xd7, 0xa8, 0xfb, 0xc6, 0x36,
+	0x82, 0x45, 0x64, 0xdb, 0x6d, 0x73, 0xef, 0x53, 0xca, 0x02, 0x7e, 0xb0,
+	0x91, 0x06, 0xbd, 0xd5, 0x66, 0x4b, 0xea, 0x87, 0x7a, 0x6d, 0x95, 0xa5,
+	0x6b, 0x64, 0xb9, 0xd6, 0xc3, 0xdd, 0xb2, 0x5c, 0x03, 0x8b, 0x00, 0x5c,
+	0x46, 0x16, 0x8b, 0x86, 0xc8, 0x28, 0x0d, 0xb4, 0xb1, 0x3e, 0xb6, 0x0d,
+	0x82, 0x22, 0x97, 0x5b, 0x75, 0x02, 0x00, 0x97, 0xc7, 0x57, 0x4b, 0xa0,
+	0x81, 0xfb, 0x2d, 0xc8, 0xbb, 0x81, 0x37, 0xc4, 0x8e, 0xe6, 0x7c, 0x9a,
+	0xf9, 0x2d, 0x0c, 0xd4, 0xb8, 0x22, 0xe5, 0x3b, 0xa0, 0xfe, 0xa8, 0x3e,
+	0x5e, 0x99, 0x36, 0x57, 0x76, 0x25, 0x7e, 0xfc, 0x89, 0x17, 0x3c, 0x39,
+	0xf0, 0x3c, 0x2e, 0xb3, 0x3f, 0x14, 0xf5, 0x23, 0x96, 0x92, 0x42, 0x7b,
+	0x1d, 0xd0, 0x0b, 0xb1, 0x44, 0x71, 0x89, 0x3b, 0x44, 0xe5, 0xea, 0xea,
+	0x2c, 0x67, 0xbb, 0xd9, 0xe3, 0x9c, 0x8a, 0x1a, 0x83, 0x1e, 0xe9, 0x13,
+	0xe3, 0x3c, 0x06, 0xb0, 0xa3, 0x98, 0x9d, 0x2b, 0xa5, 0x84, 0x65, 0xdb,
+	0x23, 0x77, 0x59, 0xca, 0x64, 0x76, 0x9d, 0x54, 0x05, 0x57, 0xa7, 0x10,
+	0xcb, 0x62, 0xec, 0x7f, 0x39, 0xfc, 0xd7, 0x53, 0x3d, 0x46, 0x2d, 0xec,
+	0x11, 0xd1, 0x42, 0x10, 0x6a, 0x73, 0x39, 0x18, 0x10, 0xa0, 0xcf, 0x9b,
+	0x88, 0x6f, 0x1e, 0x88, 0x68, 0x8b, 0x3c, 0x30, 0x59, 0x3f, 0x66, 0xb5,
+	0x09, 0x65, 0xfc, 0x37, 0xf7, 0x9f, 0x4e, 0xd7, 0x1a, 0xc6, 0x16, 0x64,
+	0x67, 0x64, 0x41, 0xc0, 0x90, 0x51, 0xd9, 0xda, 0xf5, 0x25, 0x5c, 0xc0,
+	0x62, 0x9f, 0x0d, 0xec, 0x2c, 0xd3, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02,
+	0x82, 0x01, 0x00, 0x24, 0xad, 0xf0, 0x82, 0xb8, 0x8a, 0x1a, 0xbb, 0x32,
+	0xe9, 0xc9, 0x38, 0x03, 0x94, 0xde, 0x89, 0xa1, 0x1f, 0xac, 0x9a, 0x6f,
+	0xd4, 0x95, 0xb7, 0xaf, 0x52, 0xe1, 0x1d, 0xee, 0xf4, 0x25, 0x93, 0x28,
+	0xda, 0x5a, 0x8e, 0x5d, 0x38, 0xbb, 0x01, 0xa7, 0x55, 0x0e, 0x26, 0xd0,
+	0xb3, 0xb5, 0xb8, 0x0b, 0xe3, 0x65, 0x04, 0xf6, 0xfa, 0xdb, 0xb8, 0x11,
+	0x19, 0x82, 0xfe, 0x9a, 0xb1, 0x4f, 0x4e, 0xb4, 0x07, 0xf0, 0xcc, 0x15,
+	0xcf, 0x43, 0xb1, 0xb3, 0x21, 0x8d, 0x40, 0xb0, 0x0d, 0x1a, 0x4d, 0x9f,
+	0x2e, 0x89, 0x75, 0x81, 0x75, 0xac, 0xef, 0x3d, 0x1c, 0x3b, 0xdc, 0xf7,
+	0x93, 0xb5, 0x36, 0xa4, 0x99, 0x31, 0x28, 0xc5, 0x18, 0xb6, 0xff, 0x03,
+	0x99, 0xd5, 0xbb, 0xe6, 0xa9, 0x7e, 0xd6, 0x4b, 0x41, 0x84, 0x36, 0xc4,
+	0xf9, 0xc4, 0x38, 0xfb, 0xaf, 0xfc, 0x21, 0x36, 0xc9, 0x10, 0x9e, 0x51,
+	0x1f, 0xc6, 0xc7, 0x52, 0xee, 0x77, 0x97, 0x64, 0x62, 0x6c, 0xc5, 0x04,
+	0x80, 0x50, 0xb6, 0x5a, 0x21, 0x4e, 0x51, 0xb2, 0x91, 0x42, 0xd1, 0xe7,
+	0xa1, 0x8e, 0xb6, 0x43, 0x40, 0xff, 0xb2, 0x6f, 0x42, 0x05, 0xd0, 0xdf,
+	0x9c, 0xf4, 0x5d, 0x52, 0x6b, 0x02, 0xfb, 0x8e, 0x7e, 0x1b, 0xf3, 0x4c,
+	0xe4, 0x64, 0x2b, 0x2c, 0x54, 0x2c, 0x93, 0x77, 0x04, 0x30, 0xa6, 0x5a,
+	0x60, 0x7a, 0x40, 0x68, 0x95, 0xf7, 0x69, 0x2e, 0x3a, 0x27, 0xb5, 0x3c,
+	0x84, 0x8c, 0xa9, 0xfe, 0x5f, 0xa6, 0x5a, 0x02, 0x8c, 0x01, 0x3d, 0x50,
+	0x07, 0x98, 0x21, 0xd0, 0x7c, 0x45, 0xf4, 0x84, 0x13, 0x80, 0x17, 0x93,
+	0x8a, 0xcd, 0xfd, 0x00, 0x97, 0xef, 0x85, 0x6f, 0xd9, 0x34, 0x58, 0x61,
+	0x9c, 0xfe, 0x5b, 0x0e, 0x81, 0xf2, 0xf5, 0x26, 0xec, 0xd7, 0x73, 0xfd,
+	0x46, 0x04, 0xb2, 0xdc, 0xe5, 0xff, 0x29, 0x02, 0x81, 0x81, 0x00, 0xd4,
+	0x67, 0xe7, 0x55, 0xea, 0xc1, 0xf6, 0xeb, 0xb8, 0xf4, 0x95, 0x54, 0x58,
+	0xc8, 0xa1, 0xbb, 0x87, 0xa1, 0xf5, 0xde, 0x2e, 0x21, 0x84, 0x98, 0xe5,
+	0xd6, 0xde, 0x5f, 0xc4, 0x58, 0x6f, 0x32, 0x77, 0x7b, 0x18, 0x22, 0xac,
+	0x6b, 0xaa, 0xf5, 0x36, 0xb7, 0xa0, 0x77, 0xd4, 0xa7, 0xad, 0x7c, 0xf4,
+	0x1b, 0x3c, 0x0f, 0x58, 0x98, 0xc3, 0xce, 0x8a, 0x58, 0x8d, 0xae, 0x53,
+	0xe9, 0xdd, 0xf9, 0x59, 0x3b, 0x1f, 0x92, 0x77, 0x2a, 0xbf, 0xf9, 0x26,
+	0xb6, 0xeb, 0x8e, 0x2d, 0x09, 0x4e, 0x40, 0x05, 0xb6, 0xa0, 0x80, 0x32,
+	0x1c, 0x33, 0x20, 0xd8, 0xe8, 0xcf, 0xa2, 0x9f, 0x36, 0xe4, 0xdf, 0x19,
+	0xf5, 0x9c, 0xbf, 0x72, 0x61, 0x67, 0xc6, 0x89, 0xe9, 0x31, 0x32, 0xaa,
+	0x45, 0xed, 0xb9, 0x2d, 0xc4, 0xa9, 0xb4, 0xc2, 0x80, 0x8f, 0xbb, 0xb2,
+	0x23, 0x85, 0x2d, 0x2e, 0x50, 0x40, 0x5d, 0x02, 0x81, 0x81, 0x00, 0xc8,
+	0x75, 0x6a, 0xd9, 0x29, 0xc8, 0xe3, 0x4e, 0xdf, 0xf0, 0x90, 0xb4, 0xb9,
+	0x5f, 0x12, 0x84, 0xde, 0x9c, 0xd2, 0x91, 0xda, 0x30, 0x6a, 0x9a, 0xbc,
+	0x12, 0xdb, 0x1d, 0x73, 0xea, 0x0c, 0x65, 0xfb, 0x60, 0x2e, 0xc3, 0xac,
+	0x4d, 0x76, 0x00, 0x04, 0xdf, 0xd1, 0x5d, 0x03, 0xed, 0xef, 0x77, 0x76,
+	0x25, 0xd6, 0xba, 0x8d, 0xe0, 0xf7, 0x54, 0xa3, 0x2b, 0x39, 0xfa, 0x01,
+	0x52, 0xaa, 0x95, 0xb7, 0xc8, 0x61, 0x7e, 0x58, 0x17, 0xce, 0x2b, 0x6c,
+	0x62, 0xbd, 0x0a, 0x27, 0x39, 0x94, 0x03, 0x92, 0xc7, 0xc4, 0x73, 0x8e,
+	0xf9, 0x87, 0x8c, 0x92, 0xeb, 0x6a, 0xc5, 0x66, 0x66, 0xd3, 0xab, 0x24,
+	0x56, 0xae, 0x35, 0x4f, 0x2c, 0xd6, 0x7e, 0xe3, 0x98, 0x9f, 0x74, 0xbe,
+	0xb0, 0x40, 0x19, 0xfa, 0x9e, 0x95, 0x2b, 0x5c, 0x5c, 0x88, 0x5c, 0xd8,
+	0xee, 0x57, 0xe9, 0x67, 0xb7, 0x0e, 0xef, 0x02, 0x81, 0x80, 0x24, 0xdb,
+	0x52, 0xbd, 0x09, 0xdb, 0x56, 0x69, 0x58, 0xd2, 0xb8, 0x06, 0xc6, 0xd1,
+	0x29, 0x9f, 0x4c, 0xcd, 0xc1, 0xc8, 0x27, 0xe1, 0x11, 0x0d, 0x26, 0xf4,
+	0xbd, 0xe9, 0x88, 0x3c, 0x80, 0x2f, 0x15, 0xa4, 0x7a, 0x6f, 0xa9, 0xd3,
+	0x94, 0xfa, 0xaf, 0xdf, 0xf5, 0x2c, 0x55, 0xee, 0x32, 0xa0, 0x78, 0x0b,
+	0x31, 0xc4, 0xc7, 0xee, 0xda, 0x2b, 0x40, 0xbe, 0x54, 0xf7, 0x67, 0x00,
+	0x31, 0xd0, 0x4e, 0xb7, 0x7f, 0xa6, 0xfe, 0x9e, 0xa0, 0x69, 0x2f, 0x5a,
+	0x96, 0x4d, 0x39, 0x6b, 0x5f, 0xf4, 0xa4, 0x09, 0x28, 0x98, 0x96, 0x19,
+	0x66, 0x95, 0xd0, 0x8d, 0xb5, 0x59, 0xd6, 0x9e, 0xc3, 0xe0, 0x22, 0xb5,
+	0x07, 0xda, 0x00, 0x92, 0xfe, 0x5a, 0xe9, 0x1b, 0x59, 0xba, 0x1c, 0xe9,
+	0xbd, 0x72, 0x60, 0x8a, 0xbb, 0x97, 0xee, 0x18, 0x38, 0xd8, 0xac, 0xf4,
+	0x94, 0xeb, 0x5e, 0x19, 0xf6, 0xd1, 0x02, 0x81, 0x80, 0x5c, 0xcd, 0xe7,
+	0x72, 0xb4, 0xa2, 0x99, 0x81, 0xd9, 0xb1, 0x60, 0xfd, 0x1a, 0x59, 0x06,
+	0x94, 0xd7, 0x0f, 0x19, 0x79, 0x86, 0xdf, 0x25, 0x6b, 0x8f, 0xa8, 0xd7,
+	0x22, 0x92, 0x98, 0x87, 0xb6, 0xeb, 0x23, 0x03, 0x63, 0x79, 0xb0, 0xbe,
+	0xf1, 0x91, 0x50, 0x21, 0x78, 0x83, 0xaa, 0x33, 0x54, 0x46, 0x31, 0x8c,
+	0x70, 0xff, 0xe0, 0x68, 0x01, 0x1a, 0x2d, 0x98, 0x00, 0xc3, 0x7e, 0x07,
+	0x15, 0x9b, 0x69, 0x3c, 0xa1, 0xa6, 0x9d, 0x16, 0xc9, 0x09, 0xbb, 0xc8,
+	0xb3, 0x1b, 0xa7, 0xcf, 0x7b, 0xbc, 0x07, 0x9a, 0x4e, 0xb9, 0xa1, 0x92,
+	0x7c, 0xa5, 0x44, 0x32, 0x41, 0x43, 0x80, 0x55, 0x7c, 0x85, 0x2d, 0x50,
+	0x27, 0xc4, 0x09, 0x09, 0x20, 0xe3, 0xb3, 0xb4, 0x16, 0xf3, 0x75, 0x5b,
+	0xa7, 0xeb, 0x5c, 0x61, 0xc9, 0x1a, 0x50, 0x88, 0x9d, 0x1b, 0x9d, 0x74,
+	0xbb, 0xcd, 0x55, 0x75, 0xa7, 0x02, 0x81, 0x80, 0x68, 0xd9, 0xc8, 0xa8,
+	0x90, 0x90, 0xfe, 0x45, 0x8c, 0x5f, 0xb9, 0x4d, 0x1d, 0x86, 0x02, 0x21,
+	0xe9, 0x23, 0x07, 0xf6, 0xaa, 0xab, 0x6c, 0xb6, 0x79, 0xf2, 0xf6, 0x53,
+	0xa5, 0xee, 0x88, 0x4f, 0x48, 0x6e, 0xf4, 0x64, 0x50, 0x60, 0xe1, 0x8c,
+	0x3b, 0x7d, 0xa0, 0x2b, 0x57, 0x72, 0x1a, 0xb7, 0x54, 0xd7, 0x9b, 0x0d,
+	0x14, 0xa4, 0x11, 0x01, 0xfa, 0x16, 0xbd, 0x7b, 0x3b, 0xb0, 0xad, 0x66,
+	0x82, 0x81, 0xef, 0x4d, 0xed, 0x28, 0x38, 0xeb, 0x19, 0x58, 0xf2, 0xc1,
+	0x50, 0x12, 0x9c, 0x62, 0x36, 0x0a, 0x47, 0x4b, 0x45, 0x48, 0x2f, 0x22,
+	0xf4, 0xb4, 0x32, 0xab, 0x0f, 0x64, 0x39, 0x32, 0xb4, 0x5a, 0x73, 0x99,
+	0xd5, 0x53, 0x28, 0x77, 0x8b, 0x3f, 0x10, 0xdf, 0x51, 0x29, 0x15, 0xb1,
+	0x49, 0x04, 0x64, 0xb3, 0xad, 0xe5, 0x6e, 0xc9, 0x29, 0xdd, 0x84, 0x3c,
+	0x47, 0x41, 0x92, 0xb0
+};
+unsigned int jwt_test_private_der_len = 1216;
diff --git a/tests/subsys/jwt/src/main.c b/tests/subsys/jwt/src/main.c
new file mode 100644
index 00000000000..e135aa97468
--- /dev/null
+++ b/tests/subsys/jwt/src/main.c
@@ -0,0 +1,67 @@
+/*
+ * RFC 7519 Json Web Tokens
+ *
+ * Copyright (C) 2018, Linaro, Ltd
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <zephyr/types.h>
+#include <stdbool.h>
+#include <ztest.h>
+#include <json.h>
+#include <zephyr/jwt.h>
+
+#include <mbedtls/pk.h>
+#include <mbedtls/rsa.h>
+#include <mbedtls/sha256.h>
+
+extern unsigned char jwt_test_private_der[];
+extern unsigned int jwt_test_private_der_len;
+
+void test_jwt(void)
+{
+	/*
+	 * TODO: This length should be computable, based on the length
+	 * of the audience string.
+	 */
+	char buf[460];
+	struct jwt_builder build;
+	int res;
+
+	res = jwt_init_builder(&build, buf, sizeof(buf));
+
+	zassert_equal(res, 0, "Setting up jwt");
+
+	res = jwt_add_payload(&build, 1530312026, 1530308426,
+			      "iot-work-199419");
+	zassert_equal(res, 0, "Adding payload");
+
+	res = jwt_sign(&build, jwt_test_private_der, jwt_test_private_der_len);
+	zassert_equal(res, 0, "Signing payload");
+
+	zassert_equal(build.overflowed, false, "Not overflow");
+
+	printk("JWT:\n%s\n", buf);
+	printk("len: %zd\n", jwt_payload_len(&build));
+}
+
+void test_main(void)
+{
+	ztest_test_suite(lib_jwt_test,
+		ztest_unit_test(test_jwt));
+
+	ztest_run_test_suite(lib_jwt_test);
+}
+
diff --git a/tests/subsys/jwt/src/tls_config/user-tls.conf b/tests/subsys/jwt/src/tls_config/user-tls.conf
new file mode 100644
index 00000000000..035f2b062ec
--- /dev/null
+++ b/tests/subsys/jwt/src/tls_config/user-tls.conf
@@ -0,0 +1,5 @@
+#define MBEDTLS_AES_ROM_TABLES
+
+#define MBEDTLS_HAVE_TIME
+#define MBEDTLS_HAVE_TIME_DATE
+#define MBEDTLS_PLATFORM_TIME_ALT
diff --git a/tests/subsys/jwt/testcase.yaml b/tests/subsys/jwt/testcase.yaml
new file mode 100644
index 00000000000..9abe3df1e72
--- /dev/null
+++ b/tests/subsys/jwt/testcase.yaml
@@ -0,0 +1,5 @@
+tests:
+  libraries.encoding:
+    min_ram: 96
+    tags: jwt
+    platform_exclude: esp32 qemu_x86_64 #no newlib