feat(jwt): add support for HS384 algorithm

Author: damienbutt

Jwt/NAVFoundation.Jwt.axi

@@ -364,11 +364,7 @@ define_function char[HMAC_SHA512_HASH_SIZE] NAVJwtSignData(char data[], char sec
             return NAVHmacSha256(secret, data)
         }
         case NAV_JWT_ALG_TYPE_HS384: {
-            NAVLibraryFunctionErrorLog(NAV_LOG_LEVEL_ERROR,
-                                        __NAV_FOUNDATION_JWT__,
-                                        'NAVJwtSignData',
-                                        'HS384 algorithm is not supported')
-            return ''
+            return NAVHmacSha384(secret, data)
         }
         case NAV_JWT_ALG_TYPE_HS512: {
             return NAVHmacSha512(secret, data)

Jwt/README.md

@@ -12,7 +12,7 @@ This library implements:
 Key features:
 
 - Create JWT tokens with custom headers and payloads
-- Sign tokens using HMAC algorithms (HS256, HS512; HS384 not yet implemented)
+- Sign tokens using HMAC algorithms (HS256, HS384, HS512)
 - Verify token signatures
 - Decode and extract token components
 - Time-based validation (exp, nbf, iat claims)
@@ -272,7 +272,7 @@ define_function char[NAV_JWT_MAX_JSON_LENGTH] NAVJwtCreateHeader(char algorithm[
 
 **Parameters:**
 
-- `algorithm` - Signing algorithm (use `NAV_JWT_ALG_HS256` or `NAV_JWT_ALG_HS512`; HS384 not yet implemented)
+- `algorithm` - Signing algorithm (use `NAV_JWT_ALG_HS256`, `NAV_JWT_ALG_HS384`, or `NAV_JWT_ALG_HS512`)
 - `tokenType` - Token type (default: `NAV_JWT_TYP_JWT`)
 
 **Returns:** JSON string representing the JWT header
@@ -567,12 +567,12 @@ define_function integer ValidateTokenTiming(char token[], char secret[]) {
 
 ### Algorithm Constants
 
-| Constant            | Value     | Description                               |
-| ------------------- | --------- | ----------------------------------------- |
-| `NAV_JWT_ALG_HS256` | `"HS256"` | HMAC using SHA-256 (recommended)          |
-| `NAV_JWT_ALG_HS384` | `"HS384"` | HMAC using SHA-384 (not yet implemented)  |
-| `NAV_JWT_ALG_HS512` | `"HS512"` | HMAC using SHA-512 (strongest)            |
-| `NAV_JWT_ALG_NONE`  | `"none"`  | No signature (unsafe - use with caution!) |
+| Constant            | Value     | Description                 |
+| ------------------- | --------- | --------------------------- |
+| `NAV_JWT_ALG_HS256` | `"HS256"` | HMAC using SHA-256          |
+| `NAV_JWT_ALG_HS384` | `"HS384"` | HMAC using SHA-384          |
+| `NAV_JWT_ALG_HS512` | `"HS512"` | HMAC using SHA-512          |
+| `NAV_JWT_ALG_NONE`  | `"none"`  | No signature (use caution!) |
 
 ### Error Codes
 

__tests__/include/jwt/NAVJwtCreate.axi

@@ -9,7 +9,8 @@ constant char JWT_CREATE_TEST_PAYLOADS[][1024] = {
     '{"sub":"1234567890","name":"John Doe","email":"john.doe@example.com","role":"admin","permissions":["read","write","delete"],"iat":1516239022}', // Complex
     '',                                                             // Empty (should fail)
     '{"exp":0}',                                                    // Zero timestamp
-    '{"sub":"very_long_subject_string_with_lots_of_characters_to_test_boundary_conditions_in_the_jwt_implementation"}' // Long value
+    '{"sub":"very_long_subject_string_with_lots_of_characters_to_test_boundary_conditions_in_the_jwt_implementation"}', // Long value
+    '{"sub":"test384","name":"HS384 Test"}'                         // HS384 test
 }
 
 // Expected success/failure for create tests
@@ -19,6 +20,7 @@ constant char JWT_CREATE_TEST_EXPECTED_RESULT[] = {
     true,
     false,
     true,
+    true,
     true
 }
 
@@ -28,7 +30,8 @@ constant char JWT_CREATE_TEST_EXPECTED_HEADER[][255] = {
     '{"alg":"HS512","typ":"JWT"}',
     '{"alg":"HS256","typ":"JWT"}',
     '{"alg":"HS512","typ":"JWT"}',
-    '{"alg":"HS256","typ":"JWT"}'
+    '{"alg":"HS256","typ":"JWT"}',
+    '{"alg":"HS384","typ":"JWT"}'
 }
 
 constant char JWT_CREATE_TEST_EXPECTED_TOKEN[][NAV_JWT_MAX_TOKEN_LENGTH] = {
@@ -37,7 +40,8 @@ constant char JWT_CREATE_TEST_EXPECTED_TOKEN[][NAV_JWT_MAX_TOKEN_LENGTH] = {
     'eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZW1haWwiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsInJvbGUiOiJhZG1pbiIsInBlcm1pc3Npb25zIjpbInJlYWQiLCJ3cml0ZSIsImRlbGV0ZSJdLCJpYXQiOjE1MTYyMzkwMjJ9.rNdpOMrWSuLXkM-ZpDf5h105WbtNUJK8wDBJu-OtII22JCSUb6KwRlLYHfTIHsNCj1fFvuVsEW03jXz8npo-pA',
     '',
     'eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJleHAiOjB9.S2L6nE_7uhQhro2FiY-nx1o1c1mpdZ8Txy1zzI_KoKm-9O46rmSAmiUJFz8Ur9WFtiSJ88xqYuab_ecoiwEIYA',
-    'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ2ZXJ5X2xvbmdfc3ViamVjdF9zdHJpbmdfd2l0aF9sb3RzX29mX2NoYXJhY3RlcnNfdG9fdGVzdF9ib3VuZGFyeV9jb25kaXRpb25zX2luX3RoZV9qd3RfaW1wbGVtZW50YXRpb24ifQ.qLdhVATRZUtc7X9C9E1u0MFwnIkU5-5rOFBfO3COmes'
+    'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ2ZXJ5X2xvbmdfc3ViamVjdF9zdHJpbmdfd2l0aF9sb3RzX29mX2NoYXJhY3RlcnNfdG9fdGVzdF9ib3VuZGFyeV9jb25kaXRpb25zX2luX3RoZV9qd3RfaW1wbGVtZW50YXRpb24ifQ.qLdhVATRZUtc7X9C9E1u0MFwnIkU5-5rOFBfO3COmes',
+    'eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0ZXN0Mzg0IiwibmFtZSI6IkhTMzg0IFRlc3QifQ.MrCpeBpIKrmKcj78okchRkWdnV-szd4Iwyb0q5_sGzjCjY1Kpzi2fKdXP5BAeDZG'
 }
 
 // Test algorithms for creation
@@ -47,7 +51,8 @@ constant char JWT_CREATE_TEST_ALGORITHMS[][32] = {
     'HS512',
     'HS256',
     'HS512',
-    'HS256'
+    'HS256',
+    'HS384'
 }
 
 // Test secrets for creation (RFC 7518 compliant lengths)
@@ -57,7 +62,8 @@ constant char JWT_CREATE_TEST_SECRETS[][128] = {
     'your-512-bit-secret-key-with-lots-of-entropy-and-more-padding-1234',                   // 64 bytes for HS512
     'your-256-bit-secret-1234567890ab',                                                      // 32 bytes for HS256
     'your-512-bit-secret-key-with-lots-of-entropy-and-more-padding-1234',                   // 64 bytes for HS512
-    'your-256-bit-secret-1234567890ab'                                                       // 32 bytes for HS256
+    'your-256-bit-secret-1234567890ab',                                                      // 32 bytes for HS256
+    'your-384-bit-secret-key-with-good-entropy-1234567890'                                   // 48+ bytes for HS384
 }
 
 define_function TestNAVJwtCreate() {

__tests__/include/jwt/NAVJwtVerify.axi

@@ -7,6 +7,7 @@ constant char JWT_VERIFY_TEST_TOKENS[][NAV_JWT_MAX_TOKEN_LENGTH] = {
     'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.wy2x0PggFVbsBBSMKYNE2OwRzvGvZAn0kfzx0VT3VqQ',  // Test 1 from Create - HS256
     'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyMTIzIn0.7w8IDk7KV2rJ_JKsJXrGR5d5ypZBrJp1Z1CL6y-0ViU',  // Test 2 from Create - HS256
     'eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZW1haWwiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsInJvbGUiOiJhZG1pbiIsInBlcm1pc3Npb25zIjpbInJlYWQiLCJ3cml0ZSIsImRlbGV0ZSJdLCJpYXQiOjE1MTYyMzkwMjJ9.rNdpOMrWSuLXkM-ZpDf5h105WbtNUJK8wDBJu-OtII22JCSUb6KwRlLYHfTIHsNCj1fFvuVsEW03jXz8npo-pA',  // Test 3 from Create - HS512
+    'eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0ZXN0Mzg0IiwibmFtZSI6IkhTMzg0IFRlc3QifQ.MrCpeBpIKrmKcj78okchRkWdnV-szd4Iwyb0q5_sGzjCjY1Kpzi2fKdXP5BAeDZG',  // Test 7 from Create - HS384
     'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.wy2x0PggFVbsBBSMKYNE2OwRzvGvZAn0kfzx0VT3VqQ',  // Valid token with wrong secret
     '',                                     // Empty token (should fail)
     'invalid.token',                        // Only 2 parts (should fail)
@@ -18,6 +19,7 @@ constant char JWT_VERIFY_TEST_SECRETS[][128] = {
     'your-256-bit-secret-1234567890ab',                                                      // 32 bytes for HS256 - correct
     'your-256-bit-secret-1234567890ab',                                                      // 32 bytes for HS256 - correct
     'your-512-bit-secret-key-with-lots-of-entropy-and-more-padding-1234',                   // 64 bytes for HS512 - correct
+    'your-384-bit-secret-key-with-good-entropy-1234567890',                                 // 48+ bytes for HS384 - correct
     'wrong-secret-that-should-not-match',                                                    // Wrong secret (should fail)
     'your-256-bit-secret-1234567890ab',                                                      // Secret doesn't matter for empty token
     'your-256-bit-secret-1234567890ab',                                                      // Secret doesn't matter for malformed token
@@ -29,6 +31,7 @@ constant char JWT_VERIFY_EXPECTED_RESULT[] = {
     true,   // Valid token with correct secret
     true,   // Valid token with correct secret
     true,   // Valid token with correct secret
+    true,   // Valid HS384 token with correct secret
     false,  // Valid token with wrong secret
     false,  // Empty token
     false,  // Malformed token

__tests__/include/jwt/NAVJwtVerifyAndDecode.axi

@@ -7,6 +7,7 @@ constant char JWT_VERIFY_AND_DECODE_TEST_TOKENS[][NAV_JWT_MAX_TOKEN_LENGTH] = {
     'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.wy2x0PggFVbsBBSMKYNE2OwRzvGvZAn0kfzx0VT3VqQ',  // Test 1 from Create - HS256
     'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyMTIzIn0.7w8IDk7KV2rJ_JKsJXrGR5d5ypZBrJp1Z1CL6y-0ViU',  // Test 2 from Create - HS256
     'eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZW1haWwiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsInJvbGUiOiJhZG1pbiIsInBlcm1pc3Npb25zIjpbInJlYWQiLCJ3cml0ZSIsImRlbGV0ZSJdLCJpYXQiOjE1MTYyMzkwMjJ9.rNdpOMrWSuLXkM-ZpDf5h105WbtNUJK8wDBJu-OtII22JCSUb6KwRlLYHfTIHsNCj1fFvuVsEW03jXz8npo-pA',  // Test 3 from Create - HS512
+    'eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0ZXN0Mzg0IiwibmFtZSI6IkhTMzg0IFRlc3QifQ.MrCpeBpIKrmKcj78okchRkWdnV-szd4Iwyb0q5_sGzjCjY1Kpzi2fKdXP5BAeDZG',  // Test 7 from Create - HS384
     'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.wy2x0PggFVbsBBSMKYNE2OwRzvGvZAn0kfzx0VT3VqQ',  // Valid token with wrong secret
     '',                                     // Empty token
     'invalid.token',                        // Malformed (only 2 parts)
@@ -18,6 +19,7 @@ constant char JWT_VERIFY_AND_DECODE_TEST_SECRETS[][128] = {
     'your-256-bit-secret-1234567890ab',                                                      // 32 bytes for HS256 - correct
     'your-256-bit-secret-1234567890ab',                                                      // 32 bytes for HS256 - correct
     'your-512-bit-secret-key-with-lots-of-entropy-and-more-padding-1234',                   // 64 bytes for HS512 - correct
+    'your-384-bit-secret-key-with-good-entropy-1234567890',                                 // 48+ bytes for HS384 - correct
     'wrong-secret-that-should-not-match',                                                    // Wrong secret
     'your-256-bit-secret-1234567890ab',                                                      // Doesn't matter for empty
     'your-256-bit-secret-1234567890ab',                                                      // Doesn't matter for malformed
@@ -29,6 +31,7 @@ constant char JWT_VERIFY_AND_DECODE_EXPECTED_RESULT[] = {
     true,   // Valid token with correct secret
     true,   // Valid token with correct secret
     true,   // Valid token with correct secret
+    true,   // Valid HS384 token with correct secret
     false,  // Valid token with wrong secret (decodes but verification fails)
     false,  // Empty token (decode fails)
     false,  // Malformed token (decode fails)
@@ -40,6 +43,7 @@ constant char JWT_VERIFY_AND_DECODE_EXPECTED_IS_VALID[] = {
     true,   // Verified and valid
     true,   // Verified and valid
     true,   // Verified and valid
+    true,   // Verified and valid HS384
     false,  // Wrong secret - signature invalid
     false,  // Empty token - decode failed
     false,  // Malformed - decode failed
@@ -51,6 +55,7 @@ constant sinteger JWT_VERIFY_AND_DECODE_EXPECTED_ERRORS[] = {
     NAV_JWT_SUCCESS,
     NAV_JWT_SUCCESS,
     NAV_JWT_SUCCESS,
+    NAV_JWT_SUCCESS,
     NAV_JWT_ERROR_INVALID_SIGNATURE,
     NAV_JWT_ERROR_EMPTY_TOKEN,
     NAV_JWT_ERROR_INVALID_FORMAT,
@@ -62,6 +67,7 @@ constant char JWT_VERIFY_AND_DECODE_EXPECTED_HEADER[][255] = {
     '{"alg":"HS256","typ":"JWT"}',
     '{"alg":"HS256","typ":"JWT"}',
     '{"alg":"HS512","typ":"JWT"}',
+    '{"alg":"HS384","typ":"JWT"}',
     '{"alg":"HS256","typ":"JWT"}',
     '',  // Empty token - no header
     '',  // Malformed - no header
@@ -73,6 +79,7 @@ constant char JWT_VERIFY_AND_DECODE_EXPECTED_PAYLOAD[][1024] = {
     '{"sub":"1234567890","name":"John Doe","iat":1516239022}',
     '{"sub":"user123"}',
     '{"sub":"1234567890","name":"John Doe","email":"john.doe@example.com","role":"admin","permissions":["read","write","delete"],"iat":1516239022}',
+    '{"sub":"test384","name":"HS384 Test"}',
     '{"sub":"1234567890","name":"John Doe","iat":1516239022}',
     '',  // Empty token - no payload
     '',  // Malformed - no payload
@@ -84,6 +91,7 @@ constant char JWT_VERIFY_AND_DECODE_EXPECTED_ALG[][32] = {
     'HS256',
     'HS256',
     'HS512',
+    'HS384',
     'HS256',
     '',  // Empty token
     '',  // Malformed
@@ -95,6 +103,7 @@ constant sinteger JWT_VERIFY_AND_DECODE_EXPECTED_ALG_TYPE[] = {
     NAV_JWT_ALG_TYPE_HS256,
     NAV_JWT_ALG_TYPE_HS256,
     NAV_JWT_ALG_TYPE_HS512,
+    NAV_JWT_ALG_TYPE_HS384,
     NAV_JWT_ALG_TYPE_HS256,
     NAV_JWT_ALG_TYPE_UNKNOWN,  // Empty token
     NAV_JWT_ALG_TYPE_UNKNOWN,  // Malformed