nordic-piks
diff --git a/‎CODEOWNERS
+5 b/‎CODEOWNERS
+5
diff --git a/‎doc/nrf/libraries/others/app_jwt.rst
+86 b/‎doc/nrf/libraries/others/app_jwt.rst
+86
diff --git a/‎include/app_jwt.h
+155 b/‎include/app_jwt.h
+155
diff --git a/‎lib/CMakeLists.txt
+1 b/‎lib/CMakeLists.txt
+1
diff --git a/‎lib/Kconfig
+1 b/‎lib/Kconfig
+1
diff --git a/‎lib/app_jwt/CMakeLists.txt
+11 b/‎lib/app_jwt/CMakeLists.txt
+11
diff --git a/‎lib/app_jwt/Kconfig
+36 b/‎lib/app_jwt/Kconfig
+36
@@ -192,6 +192,7 @@
 /doc/nrf/libraries/others/adp536x.rst     @nrfconnect/ncs-cia-doc
 /doc/nrf/libraries/others/app_event_manager.rst @nrfconnect/ncs-si-muffin-doc @nrfconnect/ncs-si-bluebagel-doc
 /doc/nrf/libraries/others/app_event_manager_profiler_tracer.rst @nrfconnect/ncs-si-bluebagel-doc
+/doc/nrf/libraries/others/app_jwt.rst      @nrfconnect/ncs-modem-doc @ayla-nordicsemi
 /doc/nrf/libraries/others/audio_module.rst @nrfconnect/ncs-audio-doc
 /doc/nrf/libraries/others/contin_array.rst @nrfconnect/ncs-audio-doc
 /doc/nrf/libraries/others/data_fifo.rst   @nrfconnect/ncs-audio-doc
@@ -314,6 +315,7 @@
 /ext/iperf3/                              @nrfconnect/ncs-code-owners @nrfconnect/ncs-modem-tre
 
 # Include
+/include/app_jwt.h                        @nrfconnect/ncs-modem @ayla-nordicsemi
 /include/audio/                           @nrfconnect/ncs-audio
 /include/audio_module/                    @nrfconnect/ncs-audio
 /include/bluetooth/                       @nrfconnect/ncs-dragoon
@@ -377,6 +379,7 @@
 
 # Libraries
 /lib/adp536x/                             @nrfconnect/ncs-cia
+/lib/app_jwt/                             @nrfconnect/ncs-modem @ayla-nordicsemi
 /lib/at_cmd_parser/                       @nrfconnect/ncs-co-networking @nrfconnect/ncs-modem
 /lib/at_cmd_custom/                       @nrfconnect/ncs-modem
 /lib/at_host/                             @nrfconnect/ncs-co-networking @nrfconnect/ncs-modem
@@ -439,6 +442,7 @@
 /samples/CMakeLists.txt                   @nrfconnect/ncs-co-build-system
 /samples/app_event_manager/               @nrfconnect/ncs-si-muffin @nrfconnect/ncs-si-bluebagel
 /samples/app_event_manager_profiler_tracer/ @nrfconnect/ncs-si-muffin @nrfconnect/ncs-si-bluebagel
+/samples/app_jwt/                             @nrfconnect/ncs-modem @ayla-nordicsemi
 /samples/benchmarks/coremark/             @nrfconnect/ncs-si-bluebagel
 /samples/bluetooth/nrf_auraconfig/        @nrfconnect/ncs-audio
 /samples/bluetooth/central_and_peripheral_hr/ @nrfconnect/ncs-si-muffin
@@ -562,6 +566,7 @@
 
 /samples/app_event_manager/*.rst          @nrfconnect/ncs-si-muffin-doc @nrfconnect/ncs-si-bluebagel-doc
 /samples/app_event_manager_profiler_tracer/*.rst @nrfconnect/ncs-si-muffin-doc
+/samples/app_jwt/*.rst                        @nrfconnect/ncs-modem-doc @ayla-nordicsemi
 /samples/benchmarks/coremark/*.rst        @nrfconnect/ncs-si-bluebagel-doc
 /samples/bluetooth/**/*.rst                @nrfconnect/ncs-si-bluebagel-doc @nrfconnect/ncs-si-muffin-doc
 /samples/bluetooth/central_and_peripheral_hr/*.rst @nrfconnect/ncs-si-muffin-doc
 
@@ -0,0 +1,86 @@
+.. _lib_app_jwt:
+
+Application JWT
+###############
+
+.. contents::
+   :local:
+   :depth: 2
+
+The Application JWT library provides access to the `JSON Web Token (JWT)`_ generation feature from application core using signing and identity services from secure core.
+
+Configuration
+*************
+
+To use the library to request a JWT, complete the following steps:
+
+1. Set the following Kconfig options to enable the library:
+
+   * :kconfig:option:`CONFIG_APP_JWT`
+   * :kconfig:option:`CONFIG_APP_JWT_VERIFY_SIGNATURE`
+   * :kconfig:option:`CONFIG_APP_JWT_PRINT_EXPORTED_PUBKEY_DER`
+   * :kconfig:option:`CONFIG_NRF_SECURITY`
+   * :Kconfig:option:`CONFIG_SSF_PSA_CRYPTO_SERVICE_ENABLED`
+   * :Kconfig:option:`CONFIG_SSF_DEVICE_INFO_SERVICE_ENABLED`
+
+#. Generate a signing key pair if you do not want to use the IAK Key.
+#. Populate the :c:struct:`app_jwt_data` structure with your desired values.
+   See :ref:`app_jwt_values` for more information.
+#. Pass the structure to the function that generates JWT (:c:func:`app_jwt_generate`).
+
+If the function executes successfully, :c:member:`app_jwt_data.jwt_buf` will contain the JSON web token.
+
+.. note::
+   If a timestamp is needed and there is an error getting the time from the clock source (or the returned time in seconds is 0), the **iat** field will contain the value set by the :kconfig:option:`CONFIG_APP_JWT_DEFAULT_TIMESTAMP` Kconfig option.
+
+.. _app_jwt_values:
+
+Possible structure values
+=========================
+
+You can configure the following values in the :c:struct:`app_jwt_data` structure:
+
+* :c:member:`app_jwt_data.sec_tag` - Optional, the ``sec_tag`` must contain a valid signing key.
+  If set to ``0``, the library will use the IAK for signing.
+* :c:member:`app_jwt_data.key_type` - Required if ``sec_tag`` is not zero.
+  Defines the type of key in the sec tag.
+* :c:member:`app_jwt_data.alg` - Required, always use the value ``JWT_ALG_TYPE_ES256``.
+  Defines the JWT signing algorithm.
+  Currently, only ECDSA 256 is supported.
+* :c:member:`app_jwt_data.add_keyid_to_header` - Optional.
+  Corresponds to **kid** claim.
+  Use ``false`` if you want to leave out this field.
+  If filled with the value ``true``, the claim **kid** will contain the SHA256 of the DER of the public part of the signing key.
+* :c:member:`app_jwt_data.json_token_id` - Optional.
+  Corresponds to **jti** claim.
+  Use ``0`` if you want to leave out this field.
+* :c:member:`app_jwt_data.subject` - Optional.
+  Corresponds to **sub** claim.
+  Use ``0`` if you want to leave out this field.
+* :c:member:`app_jwt_data.audience` - Optional.
+  Corresponds to **aud** claim.
+  Use ``0`` if you want to leave out this field.
+* :c:member:`app_jwt_data.issuer` - Optional.
+  Corresponds to **iss** claim.
+  Use ``0`` if you want to leave out this field.
+* :c:member:`app_jwt_data.add_timestamp` - Optional.
+  Corresponds to **iat** claim.
+  Use ``false`` if you want to leave out this field.
+  If filled with the value ``true``, the claim **iat** will be filled with the current timestamp in seconds.
+* :c:member:`app_jwt_data.validity_s` - Optional.
+  Defines the expiration date for the JWT.
+  If set to ``0``, the field **exp** will be omitted from the generated JWT.
+* :c:member:`app_jwt_data.jwt_buf` - Required.
+  The buffer size must be from 600 to 900 bytes.
+  You must provide a valid buffer.
+  The library does not do any allocation.
+* :c:member:`app_jwt_data.jwt_sz` - Size of the JWT buffer.
+  Required, must be equal to the size of :c:member:`app_jwt_data.jwt_buf`.
+
+API documentation
+*****************
+
+| Header file: :file:`include/app_jwt.h`
+| Source file: :file:`lib/app_jwt/app_jwt.c`
+
+.. doxygengroup:: app_jwt
@@ -0,0 +1,155 @@
+/*
+ * Copyright (c) 2024 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#ifndef _APP_JWT_H
+#define _APP_JWT_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * @file app_jwt.h
+ *
+ * @brief Generate a JWT with from application core.
+ * @defgroup app_jwt JWT generation
+ * @{
+ *
+ */
+
+#include <stdint.h>
+#include <stdbool.h>
+#include <strings.h>
+
+/** @brief Maximum size of a JWT string, could be used to allocate JWT
+ *         output buffer.
+ */
+#define APP_JWT_STR_MAX_LEN 900
+
+/** @brief Maximum valid duration for JWTs generated by user application */
+#define APP_JWT_VALID_TIME_S_MAX (7 * 24 * 60 * 60)
+
+/** @brief Default valid duration for JWTs generated by user application */
+#define APP_JWT_VALID_TIME_S_DEF (10 * 60)
+
+/** @brief UUID size in bytes */
+#define APP_JWT_UUID_BYTE_SZ 16
+
+/** @brief UUID v4 format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx + '\0' */
+#define APP_JWT_UUID_V4_STR_LEN (((APP_JWT_UUID_BYTE_SZ * 2) + 4) + 1)
+
+/** @brief Size in bytes of each JWT String field */
+#define APP_JWT_CLAIM_MAX_SIZE 64
+
+/** @brief The type of key to be used for signing the JWT. */
+enum app_jwt_key_type {
+	JWT_KEY_TYPE_CLIENT_PRIV = 2,
+	JWT_KEY_TYPE_ENDORSEMENT = 8,
+};
+
+/** @brief JWT signing algorithm */
+enum app_jwt_alg_type {
+	JWT_ALG_TYPE_ES256 = 0,
+};
+
+/** @brief JWT parameters required for JWT generation and pointer to generated JWT */
+struct app_jwt_data {
+	/** Sec tag to use for JWT signing */
+	unsigned int sec_tag;
+	/** Key type in the specified sec tag */
+	enum app_jwt_key_type key_type;
+	/** JWT signing algorithm */
+	enum app_jwt_alg_type alg;
+
+	/**
+	 * Indicates if a 'kid' claim is required or not, if set to 1, 'kid' claim
+	 * will contain sha256 of the signing key.
+	 */
+	bool add_keyid_to_header;
+
+	/**
+	 * NULL terminated 'jti' claim; Unique identifier; can be used to prevent the
+	 * JWT from being replayed
+	 */
+	const char *json_token_id;
+	/** NULL terminated 'sub' claim; the principal that is the subject of the JWT */
+	const char *subject;
+	/** NULL terminated 'aud' claim; intended recipient of the JWT */
+	const char *audience;
+	/** NULL terminated 'iss' claim; Issuer of the JWT */
+	const char *issuer;
+
+	/**
+	 * Indicates if an issue timestamp is required or not, if set to 1, 'exp' claim
+	 * will be present.
+	 */
+	bool add_timestamp;
+
+	/**
+	 * Corresponds to 'exp' claim; Defines how long the JWT will be valid.
+	 * If application has a valid time source, and the 'iat' claim is present,
+	 * the timestamp in seconds will be added to this value.
+	 */
+	uint32_t validity_s;
+
+	/**
+	 * Buffer to which the NULL terminated JWT will be copied.
+	 * It is the responsibility of the user to provide a valid buffer.
+	 * The returned JWT could be as long as 900 bytes, use the
+	 * defined size value APP_JWT_STR_MAX_LEN to create your supplied return buffer.
+	 */
+	char *jwt_buf;
+	/** Size of the user provided buffer. */
+	size_t jwt_sz;
+};
+
+/**
+ * @brief Generate a JWT using the supplied parameters. If successful,
+ * the JWT string will be stored in the supplied struct.
+ * You are responsible for providing a valid pointer to store the JWT.
+ *
+ * Subject, audience, token ID and issuer fields may be NULL in which case those
+ * fields are left out from generated JWT token.
+ *
+ * All fields will be truncated to 64 characters, you should always provide null
+ * terminated strings.
+ *
+ * The API does not verify the time source validity, it is up to the caller to make sure
+ * that the system has access to a valid time source, otherwise "iat" field will
+ * contain an arbitrary timestamp.
+ *
+ * @param[in,out] jwt Pointer to struct containing JWT parameters and result.
+ *
+ * @retval 0 If the operation was successful.
+ * @retval -errno Negative errno for other failures.
+ */
+int app_jwt_generate(struct app_jwt_data *const jwt);
+
+/**
+ * @brief Get the device UUID from the secure domain
+ * and return it as a NULL terminated string in the supplied buffer.
+ * The device UUID can be used as a device identifier for cloud services and
+ * for secure device management using the nRF Cloud Identity Service.
+ *
+ * UUID v4 defined by ITU-T X.667 | ISO/IEC 9834-8 has a length of 35 bytes, add
+ * 1 byte for the atring termination character. You are expected to provide a buffer
+ * of at least 36 bytes.
+ *
+ * @param[out] uuid_buffer Pointer to buffer where the device UUID string will be written to.
+ * @param[in] uuid_buffer_size Size of the provided buffer.
+ *
+ * @retval 0 If the operation was successful.
+ * @retval -errno Negative errno for other failures.
+ */
+int app_jwt_get_uuid(char *uuid_buffer, const size_t uuid_buffer_size);
+
+/** @} */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _APP_JWT_H */
@@ -33,6 +33,7 @@ add_subdirectory_ifdef(CONFIG_HW_ID_LIBRARY hw_id)
 add_subdirectory_ifdef(CONFIG_EDGE_IMPULSE edge_impulse)
 add_subdirectory_ifdef(CONFIG_WAVE_GEN_LIB wave_gen)
 add_subdirectory_ifdef(CONFIG_HW_UNIQUE_KEY_SRC hw_unique_key)
+add_subdirectory_ifdef(CONFIG_APP_JWT app_jwt)
 add_subdirectory_ifdef(CONFIG_MODEM_JWT modem_jwt)
 add_subdirectory_ifdef(CONFIG_MODEM_SLM modem_slm)
 add_subdirectory_ifdef(CONFIG_MODEM_ATTEST_TOKEN modem_attest_token)
 
@@ -6,6 +6,7 @@
 
 menu "Libraries"
 
+rsource "app_jwt/Kconfig"
 rsource "bin/Kconfig"
 rsource "nrf_modem_lib/Kconfig"
 rsource "adp536x/Kconfig"
 
@@ -0,0 +1,11 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+zephyr_library()
+
+zephyr_library_sources(
+    app_jwt.c
+)
@@ -0,0 +1,36 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+menuconfig APP_JWT
+	bool "Application JWT Library"
+	depends on SSF_CLIENT && SSF_PSA_CRYPTO_SERVICE_ENABLED && SSF_DEVICE_INFO_SERVICE_ENABLED
+	select BASE64
+	# Needed for time and date
+	select DATE_TIME
+	select NET_SOCKETS
+	select NETWORKING
+	# Needed to print integer values in JSON
+	select CJSON_LIB
+	select CBPRINTF_FP_SUPPORT
+
+if APP_JWT
+
+config APP_JWT_DEFAULT_TIMESTAMP
+	int "Default timestamp to use in case time value is 0"
+	default 1735682400
+
+config APP_JWT_VERIFY_SIGNATURE
+	bool "Verify signature after signing"
+	default y
+
+config APP_JWT_PRINT_EXPORTED_PUBKEY_DER
+	bool "Print to terminal the DER formatted public key"
+
+module=APP_JWT
+module-str=User App JWT
+source "${ZEPHYR_BASE}/subsys/logging/Kconfig.template.log_config"
+
+endif # APP_JWT