Baseline JWT verifier

README.md

@@ -38,6 +38,9 @@ The JMH plugin seems to have trouble refreshing the project, so restart the Grad
   * Verify token
   * Verify token, get claim.
 
+## General observations
+There is not much headroom for improving the performance further. Most of the CPU time goes to signature verification.
+
 ## Latest results
 Running for OpenJDK 11 build 11.0.18+10 and OpenJDK 17 build 17.0.6+10, on Fedora Linux 6.1.8-200, AMD Ryzen 5950.
 
@@ -117,6 +120,7 @@ Only [java-jwt] seems to parse without validation, at about 65.2k operations per
 
 # History
 
+ - 1.x: Added baseline JWT verifiers
  - 1.5.0: Updated dependencies
  - 1.3.0: Updated dependencies, added Nimbus JOSE + JWT
  - 1.2.0: Added FusionAuth

build.gradle

@@ -16,6 +16,7 @@ ext {
     fusionAuthVersion = '5.3.0'
     junitJupiterVersion = '5.10.0'
     jaxbVersion = '2.3.1'
+    bouncyCastleVersion = '1.76'
 }
 
 def buildProjects() {
@@ -59,7 +60,7 @@ configure(buildProjects()) {
             xml.enabled = false
             // spotbugs does not allow to generate a xml and html report at once https://github.com/spotbugs/spotbugs/issues/857
         }
-        // it.excludeFilter = file("$rootDir/spotbugs-exclude.xml")
+        it.excludeFilter = file("$rootDir/spotbugs-exclude.xml")
     }
 }
 
@@ -69,24 +70,34 @@ configure(project(':jmh-benchmark')) {
     apply plugin: 'me.champeau.jmh'
 
     jmh {
+        jvmArgs = ["--add-opens", "java.management/sun.management=ALL-UNNAMED", "--add-opens", "java.base/java.lang=ALL-UNNAMED"]
         resultFormat = 'JSON'
 
         warmup = '1s' // Time to spend at each warmup iteration.
         warmupIterations = 10
 
+        includes = ['JwtVerifyBenchmark']
+
         fork = 1
         timeOnIteration = '5s'
         iterations = 5
         benchmarkMode = ['thrpt']
 
+        //jvmArgs = ['-XX:+UseG1GC', '-XX:+UnlockDiagnosticVMOptions', '-XX:+UseMontgomerySquareIntrinsic', '-XX:+UseMontgomeryMultiplyIntrinsic', '-XX:+UseSquareToLenIntrinsic', '-XX:+UseMultiplyToLenIntrinsic']
         jvmArgs = ['-XX:+UseG1GC']
+
+        duplicateClassesStrategy = DuplicatesStrategy.WARN
     }
 
     jmhReport {
         jmhResultPath = project.file("build/results/jmh/results.json")
         jmhReportOutput = project.file("build/results/jmh")
     }
 
+    jmhJar {
+        exclude 'LICENSE'
+    }
+
     tasks.jmh.finalizedBy tasks.jmhReport
 }
 

frameworks/baseline-bench/README.md

@@ -0,0 +1,14 @@
+# baseline-bench
+Benchmark configuration for the minimal JWT verifier.
+
+ * Single JWT issue, 
+ * Single JWK
+ * Per-key cache
+ * Efficient header comparison
+   * Check if dot at correct length
+   * Compare byte range with the most entropy first
+ * Efficient signature check 
+   * Precalculated SHA256 header hash 
+   * Per-thread initialized digest
+
+ Most of the CPU time (> 95%) is spent verifying the signature, so two alternative crypto providers are tested. 

frameworks/baseline-bench/build.gradle

@@ -0,0 +1,11 @@
+dependencies {
+
+    // https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk18on
+    api "org.bouncycastle:bcprov-jdk18on:${bouncyCastleVersion}"
+    api ("com.brsanthu:migbase64:2.2")
+    api project(":jmh-utils")
+
+    testImplementation project(":jmh-utils")
+}
+
+