grpc 1.7.3 → 1.8.0

data/src/core/lib/security/credentials/jwt/json_token.h

@@ -19,6 +19,10 @@
 #ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_JWT_JSON_TOKEN_H
 #define GRPC_CORE_LIB_SECURITY_CREDENTIALS_JWT_JSON_TOKEN_H
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 #include <grpc/slice.h>
 #include <openssl/rsa.h>
 
@@ -31,43 +35,47 @@
 /* --- auth_json_key parsing. --- */
 
 typedef struct {
-  const char *type;
-  char *private_key_id;
-  char *client_id;
-  char *client_email;
-  RSA *private_key;
+  const char* type;
+  char* private_key_id;
+  char* client_id;
+  char* client_email;
+  RSA* private_key;
 } grpc_auth_json_key;
 
 /* Returns 1 if the object is valid, 0 otherwise. */
-int grpc_auth_json_key_is_valid(const grpc_auth_json_key *json_key);
+int grpc_auth_json_key_is_valid(const grpc_auth_json_key* json_key);
 
 /* Creates a json_key object from string. Returns an invalid object if a parsing
    error has been encountered. */
 grpc_auth_json_key grpc_auth_json_key_create_from_string(
-    const char *json_string);
+    const char* json_string);
 
 /* Creates a json_key object from parsed json. Returns an invalid object if a
    parsing error has been encountered. */
-grpc_auth_json_key grpc_auth_json_key_create_from_json(const grpc_json *json);
+grpc_auth_json_key grpc_auth_json_key_create_from_json(const grpc_json* json);
 
 /* Destructs the object. */
-void grpc_auth_json_key_destruct(grpc_auth_json_key *json_key);
+void grpc_auth_json_key_destruct(grpc_auth_json_key* json_key);
 
 /* --- json token encoding and signing. --- */
 
 /* Caller is responsible for calling gpr_free on the returned value. May return
    NULL on invalid input. The scope parameter may be NULL. */
-char *grpc_jwt_encode_and_sign(const grpc_auth_json_key *json_key,
-                               const char *audience,
-                               gpr_timespec token_lifetime, const char *scope);
+char* grpc_jwt_encode_and_sign(const grpc_auth_json_key* json_key,
+                               const char* audience,
+                               gpr_timespec token_lifetime, const char* scope);
 
 /* Override encode_and_sign function for testing. */
-typedef char *(*grpc_jwt_encode_and_sign_override)(
-    const grpc_auth_json_key *json_key, const char *audience,
-    gpr_timespec token_lifetime, const char *scope);
+typedef char* (*grpc_jwt_encode_and_sign_override)(
+    const grpc_auth_json_key* json_key, const char* audience,
+    gpr_timespec token_lifetime, const char* scope);
 
 /* Set a custom encode_and_sign override for testing. */
 void grpc_jwt_encode_and_sign_set_override(
     grpc_jwt_encode_and_sign_override func);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_JWT_JSON_TOKEN_H */

data/src/core/lib/security/credentials/jwt/{jwt_credentials.c → jwt_credentials.cc}

@@ -16,8 +16,11 @@
  *
  */
 
+#include <grpc/support/port_platform.h>
+
 #include "src/core/lib/security/credentials/jwt/jwt_credentials.h"
 
+#include <inttypes.h>
 #include <string.h>
 
 #include "src/core/lib/surface/api_trace.h"
@@ -27,35 +30,35 @@
 #include <grpc/support/string_util.h>
 #include <grpc/support/sync.h>
 
-static void jwt_reset_cache(grpc_exec_ctx *exec_ctx,
-                            grpc_service_account_jwt_access_credentials *c) {
+static void jwt_reset_cache(grpc_exec_ctx* exec_ctx,
+                            grpc_service_account_jwt_access_credentials* c) {
   GRPC_MDELEM_UNREF(exec_ctx, c->cached.jwt_md);
   c->cached.jwt_md = GRPC_MDNULL;
-  if (c->cached.service_url != NULL) {
+  if (c->cached.service_url != nullptr) {
     gpr_free(c->cached.service_url);
-    c->cached.service_url = NULL;
+    c->cached.service_url = nullptr;
   }
   c->cached.jwt_expiration = gpr_inf_past(GPR_CLOCK_REALTIME);
 }
 
-static void jwt_destruct(grpc_exec_ctx *exec_ctx,
-                         grpc_call_credentials *creds) {
-  grpc_service_account_jwt_access_credentials *c =
-      (grpc_service_account_jwt_access_credentials *)creds;
+static void jwt_destruct(grpc_exec_ctx* exec_ctx,
+                         grpc_call_credentials* creds) {
+  grpc_service_account_jwt_access_credentials* c =
+      (grpc_service_account_jwt_access_credentials*)creds;
   grpc_auth_json_key_destruct(&c->key);
   jwt_reset_cache(exec_ctx, c);
   gpr_mu_destroy(&c->cache_mu);
 }
 
-static bool jwt_get_request_metadata(grpc_exec_ctx *exec_ctx,
-                                     grpc_call_credentials *creds,
-                                     grpc_polling_entity *pollent,
+static bool jwt_get_request_metadata(grpc_exec_ctx* exec_ctx,
+                                     grpc_call_credentials* creds,
+                                     grpc_polling_entity* pollent,
                                      grpc_auth_metadata_context context,
-                                     grpc_credentials_mdelem_array *md_array,
-                                     grpc_closure *on_request_metadata,
-                                     grpc_error **error) {
-  grpc_service_account_jwt_access_credentials *c =
-      (grpc_service_account_jwt_access_credentials *)creds;
+                                     grpc_credentials_mdelem_array* md_array,
+                                     grpc_closure* on_request_metadata,
+                                     grpc_error** error) {
+  grpc_service_account_jwt_access_credentials* c =
+      (grpc_service_account_jwt_access_credentials*)creds;
   gpr_timespec refresh_threshold = gpr_time_from_seconds(
       GRPC_SECURE_TOKEN_REFRESH_THRESHOLD_SECS, GPR_TIMESPAN);
 
@@ -63,7 +66,7 @@ static bool jwt_get_request_metadata(grpc_exec_ctx *exec_ctx,
   grpc_mdelem jwt_md = GRPC_MDNULL;
   {
     gpr_mu_lock(&c->cache_mu);
-    if (c->cached.service_url != NULL &&
+    if (c->cached.service_url != nullptr &&
         strcmp(c->cached.service_url, context.service_url) == 0 &&
         !GRPC_MDISNULL(c->cached.jwt_md) &&
         (gpr_time_cmp(gpr_time_sub(c->cached.jwt_expiration,
@@ -75,14 +78,14 @@ static bool jwt_get_request_metadata(grpc_exec_ctx *exec_ctx,
   }
 
   if (GRPC_MDISNULL(jwt_md)) {
-    char *jwt = NULL;
+    char* jwt = nullptr;
     /* Generate a new jwt. */
     gpr_mu_lock(&c->cache_mu);
     jwt_reset_cache(exec_ctx, c);
     jwt = grpc_jwt_encode_and_sign(&c->key, context.service_url,
-                                   c->jwt_lifetime, NULL);
-    if (jwt != NULL) {
-      char *md_value;
+                                   c->jwt_lifetime, nullptr);
+    if (jwt != nullptr) {
+      char* md_value;
       gpr_asprintf(&md_value, "Bearer %s", jwt);
       gpr_free(jwt);
       c->cached.jwt_expiration =
@@ -108,24 +111,25 @@ static bool jwt_get_request_metadata(grpc_exec_ctx *exec_ctx,
 }
 
 static void jwt_cancel_get_request_metadata(
-    grpc_exec_ctx *exec_ctx, grpc_call_credentials *c,
-    grpc_credentials_mdelem_array *md_array, grpc_error *error) {
+    grpc_exec_ctx* exec_ctx, grpc_call_credentials* c,
+    grpc_credentials_mdelem_array* md_array, grpc_error* error) {
   GRPC_ERROR_UNREF(error);
 }
 
 static grpc_call_credentials_vtable jwt_vtable = {
     jwt_destruct, jwt_get_request_metadata, jwt_cancel_get_request_metadata};
 
-grpc_call_credentials *
+grpc_call_credentials*
 grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
-    grpc_exec_ctx *exec_ctx, grpc_auth_json_key key,
+    grpc_exec_ctx* exec_ctx, grpc_auth_json_key key,
     gpr_timespec token_lifetime) {
-  grpc_service_account_jwt_access_credentials *c;
+  grpc_service_account_jwt_access_credentials* c;
   if (!grpc_auth_json_key_is_valid(&key)) {
     gpr_log(GPR_ERROR, "Invalid input for jwt credentials creation");
-    return NULL;
+    return nullptr;
   }
-  c = gpr_zalloc(sizeof(grpc_service_account_jwt_access_credentials));
+  c = (grpc_service_account_jwt_access_credentials*)gpr_zalloc(
+      sizeof(grpc_service_account_jwt_access_credentials));
   c->base.type = GRPC_CALL_CREDENTIALS_TYPE_JWT;
   gpr_ref_init(&c->base.refcount, 1);
   c->base.vtable = &jwt_vtable;
@@ -143,33 +147,33 @@ grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
   return &c->base;
 }
 
-static char *redact_private_key(const char *json_key) {
-  char *json_copy = gpr_strdup(json_key);
-  grpc_json *json = grpc_json_parse_string(json_copy);
+static char* redact_private_key(const char* json_key) {
+  char* json_copy = gpr_strdup(json_key);
+  grpc_json* json = grpc_json_parse_string(json_copy);
   if (!json) {
     gpr_free(json_copy);
     return gpr_strdup("<Json failed to parse.>");
   }
-  const char *redacted = "<redacted>";
-  grpc_json *current = json->child;
+  const char* redacted = "<redacted>";
+  grpc_json* current = json->child;
   while (current) {
     if (current->type == GRPC_JSON_STRING &&
         strcmp(current->key, "private_key") == 0) {
-      current->value = (char *)redacted;
+      current->value = (char*)redacted;
       break;
     }
     current = current->next;
   }
-  char *clean_json = grpc_json_dump_to_string(json, 2);
+  char* clean_json = grpc_json_dump_to_string(json, 2);
   gpr_free(json_copy);
   grpc_json_destroy(json);
   return clean_json;
 }
 
-grpc_call_credentials *grpc_service_account_jwt_access_credentials_create(
-    const char *json_key, gpr_timespec token_lifetime, void *reserved) {
-  if (GRPC_TRACER_ON(grpc_api_trace)) {
-    char *clean_json = redact_private_key(json_key);
+grpc_call_credentials* grpc_service_account_jwt_access_credentials_create(
+    const char* json_key, gpr_timespec token_lifetime, void* reserved) {
+  if (grpc_api_trace.enabled()) {
+    char* clean_json = redact_private_key(json_key);
     gpr_log(GPR_INFO,
             "grpc_service_account_jwt_access_credentials_create("
             "json_key=%s, "
@@ -181,9 +185,9 @@ grpc_call_credentials *grpc_service_account_jwt_access_credentials_create(
             (int)token_lifetime.clock_type, reserved);
     gpr_free(clean_json);
   }
-  GPR_ASSERT(reserved == NULL);
+  GPR_ASSERT(reserved == nullptr);
   grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT;
-  grpc_call_credentials *creds =
+  grpc_call_credentials* creds =
       grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
           &exec_ctx, grpc_auth_json_key_create_from_string(json_key),
           token_lifetime);

data/src/core/lib/security/credentials/jwt/jwt_credentials.h

@@ -22,6 +22,10 @@
 #include "src/core/lib/security/credentials/credentials.h"
 #include "src/core/lib/security/credentials/jwt/json_token.h"
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 typedef struct {
   grpc_call_credentials base;
 
@@ -30,7 +34,7 @@ typedef struct {
   gpr_mu cache_mu;
   struct {
     grpc_mdelem jwt_md;
-    char *service_url;
+    char* service_url;
     gpr_timespec jwt_expiration;
   } cached;
 
@@ -40,9 +44,13 @@ typedef struct {
 
 // Private constructor for jwt credentials from an already parsed json key.
 // Takes ownership of the key.
-grpc_call_credentials *
+grpc_call_credentials*
 grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
-    grpc_exec_ctx *exec_ctx, grpc_auth_json_key key,
+    grpc_exec_ctx* exec_ctx, grpc_auth_json_key key,
     gpr_timespec token_lifetime);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_JWT_JWT_CREDENTIALS_H */

data/src/core/lib/security/credentials/jwt/{jwt_verifier.c → jwt_verifier.cc}

@@ -26,7 +26,10 @@
 #include <grpc/support/string_util.h>
 #include <grpc/support/sync.h>
 #include <grpc/support/useful.h>
+
+extern "C" {
 #include <openssl/pem.h>
+}
 
 #include "src/core/lib/http/httpcli.h"
 #include "src/core/lib/iomgr/polling_entity.h"
@@ -37,7 +40,7 @@
 
 /* --- Utils. --- */
 
-const char *grpc_jwt_verifier_status_to_string(
+const char* grpc_jwt_verifier_status_to_string(
     grpc_jwt_verifier_status status) {
   switch (status) {
     case GRPC_JWT_VERIFIER_OK:
@@ -59,7 +62,7 @@ const char *grpc_jwt_verifier_status_to_string(
   }
 }
 
-static const EVP_MD *evp_md_from_alg(const char *alg) {
+static const EVP_MD* evp_md_from_alg(const char* alg) {
   if (strcmp(alg, "RS256") == 0) {
     return EVP_sha256();
   } else if (strcmp(alg, "RS384") == 0) {
@@ -67,91 +70,91 @@ static const EVP_MD *evp_md_from_alg(const char *alg) {
   } else if (strcmp(alg, "RS512") == 0) {
     return EVP_sha512();
   } else {
-    return NULL;
+    return nullptr;
   }
 }
 
-static grpc_json *parse_json_part_from_jwt(grpc_exec_ctx *exec_ctx,
-                                           const char *str, size_t len,
-                                           grpc_slice *buffer) {
-  grpc_json *json;
+static grpc_json* parse_json_part_from_jwt(grpc_exec_ctx* exec_ctx,
+                                           const char* str, size_t len,
+                                           grpc_slice* buffer) {
+  grpc_json* json;
 
   *buffer = grpc_base64_decode_with_len(exec_ctx, str, len, 1);
   if (GRPC_SLICE_IS_EMPTY(*buffer)) {
     gpr_log(GPR_ERROR, "Invalid base64.");
-    return NULL;
+    return nullptr;
   }
-  json = grpc_json_parse_string_with_len((char *)GRPC_SLICE_START_PTR(*buffer),
+  json = grpc_json_parse_string_with_len((char*)GRPC_SLICE_START_PTR(*buffer),
                                          GRPC_SLICE_LENGTH(*buffer));
-  if (json == NULL) {
+  if (json == nullptr) {
     grpc_slice_unref_internal(exec_ctx, *buffer);
     gpr_log(GPR_ERROR, "JSON parsing error.");
   }
   return json;
 }
 
-static const char *validate_string_field(const grpc_json *json,
-                                         const char *key) {
+static const char* validate_string_field(const grpc_json* json,
+                                         const char* key) {
   if (json->type != GRPC_JSON_STRING) {
     gpr_log(GPR_ERROR, "Invalid %s field [%s]", key, json->value);
-    return NULL;
+    return nullptr;
   }
   return json->value;
 }
 
-static gpr_timespec validate_time_field(const grpc_json *json,
-                                        const char *key) {
+static gpr_timespec validate_time_field(const grpc_json* json,
+                                        const char* key) {
   gpr_timespec result = gpr_time_0(GPR_CLOCK_REALTIME);
   if (json->type != GRPC_JSON_NUMBER) {
     gpr_log(GPR_ERROR, "Invalid %s field [%s]", key, json->value);
     return result;
   }
-  result.tv_sec = strtol(json->value, NULL, 10);
+  result.tv_sec = strtol(json->value, nullptr, 10);
   return result;
 }
 
 /* --- JOSE header. see http://tools.ietf.org/html/rfc7515#section-4 --- */
 
 typedef struct {
-  const char *alg;
-  const char *kid;
-  const char *typ;
+  const char* alg;
+  const char* kid;
+  const char* typ;
   /* TODO(jboeuf): Add others as needed (jku, jwk, x5u, x5c and so on...). */
   grpc_slice buffer;
 } jose_header;
 
-static void jose_header_destroy(grpc_exec_ctx *exec_ctx, jose_header *h) {
+static void jose_header_destroy(grpc_exec_ctx* exec_ctx, jose_header* h) {
   grpc_slice_unref_internal(exec_ctx, h->buffer);
   gpr_free(h);
 }
 
 /* Takes ownership of json and buffer. */
-static jose_header *jose_header_from_json(grpc_exec_ctx *exec_ctx,
-                                          grpc_json *json, grpc_slice buffer) {
-  grpc_json *cur;
-  jose_header *h = gpr_zalloc(sizeof(jose_header));
+static jose_header* jose_header_from_json(grpc_exec_ctx* exec_ctx,
+                                          grpc_json* json, grpc_slice buffer) {
+  grpc_json* cur;
+  jose_header* h = (jose_header*)gpr_zalloc(sizeof(jose_header));
   h->buffer = buffer;
-  for (cur = json->child; cur != NULL; cur = cur->next) {
+  for (cur = json->child; cur != nullptr; cur = cur->next) {
     if (strcmp(cur->key, "alg") == 0) {
       /* We only support RSA-1.5 signatures for now.
          Beware of this if we add HMAC support:
          https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
        */
       if (cur->type != GRPC_JSON_STRING || strncmp(cur->value, "RS", 2) ||
-          evp_md_from_alg(cur->value) == NULL) {
+          evp_md_from_alg(cur->value) == nullptr) {
         gpr_log(GPR_ERROR, "Invalid alg field [%s]", cur->value);
         goto error;
       }
       h->alg = cur->value;
     } else if (strcmp(cur->key, "typ") == 0) {
       h->typ = validate_string_field(cur, "typ");
-      if (h->typ == NULL) goto error;
+      if (h->typ == nullptr) goto error;
     } else if (strcmp(cur->key, "kid") == 0) {
       h->kid = validate_string_field(cur, "kid");
-      if (h->kid == NULL) goto error;
+      if (h->kid == nullptr) goto error;
     }
   }
-  if (h->alg == NULL) {
+  if (h->alg == nullptr) {
     gpr_log(GPR_ERROR, "Missing alg field.");
     goto error;
   }
@@ -162,76 +165,77 @@ static jose_header *jose_header_from_json(grpc_exec_ctx *exec_ctx,
 error:
   grpc_json_destroy(json);
   jose_header_destroy(exec_ctx, h);
-  return NULL;
+  return nullptr;
 }
 
 /* --- JWT claims. see http://tools.ietf.org/html/rfc7519#section-4.1 */
 
 struct grpc_jwt_claims {
   /* Well known properties already parsed. */
-  const char *sub;
-  const char *iss;
-  const char *aud;
-  const char *jti;
+  const char* sub;
+  const char* iss;
+  const char* aud;
+  const char* jti;
   gpr_timespec iat;
   gpr_timespec exp;
   gpr_timespec nbf;
 
-  grpc_json *json;
+  grpc_json* json;
   grpc_slice buffer;
 };
 
-void grpc_jwt_claims_destroy(grpc_exec_ctx *exec_ctx, grpc_jwt_claims *claims) {
+void grpc_jwt_claims_destroy(grpc_exec_ctx* exec_ctx, grpc_jwt_claims* claims) {
   grpc_json_destroy(claims->json);
   grpc_slice_unref_internal(exec_ctx, claims->buffer);
   gpr_free(claims);
 }
 
-const grpc_json *grpc_jwt_claims_json(const grpc_jwt_claims *claims) {
-  if (claims == NULL) return NULL;
+const grpc_json* grpc_jwt_claims_json(const grpc_jwt_claims* claims) {
+  if (claims == nullptr) return nullptr;
   return claims->json;
 }
 
-const char *grpc_jwt_claims_subject(const grpc_jwt_claims *claims) {
-  if (claims == NULL) return NULL;
+const char* grpc_jwt_claims_subject(const grpc_jwt_claims* claims) {
+  if (claims == nullptr) return nullptr;
   return claims->sub;
 }
 
-const char *grpc_jwt_claims_issuer(const grpc_jwt_claims *claims) {
-  if (claims == NULL) return NULL;
+const char* grpc_jwt_claims_issuer(const grpc_jwt_claims* claims) {
+  if (claims == nullptr) return nullptr;
   return claims->iss;
 }
 
-const char *grpc_jwt_claims_id(const grpc_jwt_claims *claims) {
-  if (claims == NULL) return NULL;
+const char* grpc_jwt_claims_id(const grpc_jwt_claims* claims) {
+  if (claims == nullptr) return nullptr;
   return claims->jti;
 }
 
-const char *grpc_jwt_claims_audience(const grpc_jwt_claims *claims) {
-  if (claims == NULL) return NULL;
+const char* grpc_jwt_claims_audience(const grpc_jwt_claims* claims) {
+  if (claims == nullptr) return nullptr;
   return claims->aud;
 }
 
-gpr_timespec grpc_jwt_claims_issued_at(const grpc_jwt_claims *claims) {
-  if (claims == NULL) return gpr_inf_past(GPR_CLOCK_REALTIME);
+gpr_timespec grpc_jwt_claims_issued_at(const grpc_jwt_claims* claims) {
+  if (claims == nullptr) return gpr_inf_past(GPR_CLOCK_REALTIME);
   return claims->iat;
 }
 
-gpr_timespec grpc_jwt_claims_expires_at(const grpc_jwt_claims *claims) {
-  if (claims == NULL) return gpr_inf_future(GPR_CLOCK_REALTIME);
+gpr_timespec grpc_jwt_claims_expires_at(const grpc_jwt_claims* claims) {
+  if (claims == nullptr) return gpr_inf_future(GPR_CLOCK_REALTIME);
   return claims->exp;
 }
 
-gpr_timespec grpc_jwt_claims_not_before(const grpc_jwt_claims *claims) {
-  if (claims == NULL) return gpr_inf_past(GPR_CLOCK_REALTIME);
+gpr_timespec grpc_jwt_claims_not_before(const grpc_jwt_claims* claims) {
+  if (claims == nullptr) return gpr_inf_past(GPR_CLOCK_REALTIME);
   return claims->nbf;
 }
 
 /* Takes ownership of json and buffer even in case of failure. */
-grpc_jwt_claims *grpc_jwt_claims_from_json(grpc_exec_ctx *exec_ctx,
-                                           grpc_json *json, grpc_slice buffer) {
-  grpc_json *cur;
-  grpc_jwt_claims *claims = gpr_malloc(sizeof(grpc_jwt_claims));
+grpc_jwt_claims* grpc_jwt_claims_from_json(grpc_exec_ctx* exec_ctx,
+                                           grpc_json* json, grpc_slice buffer) {
+  grpc_json* cur;
+  grpc_jwt_claims* claims =
+      (grpc_jwt_claims*)gpr_malloc(sizeof(grpc_jwt_claims));
   memset(claims, 0, sizeof(grpc_jwt_claims));
   claims->json = json;
   claims->buffer = buffer;
@@ -240,19 +244,19 @@ grpc_jwt_claims *grpc_jwt_claims_from_json(grpc_exec_ctx *exec_ctx,
   claims->exp = gpr_inf_future(GPR_CLOCK_REALTIME);
 
   /* Per the spec, all fields are optional. */
-  for (cur = json->child; cur != NULL; cur = cur->next) {
+  for (cur = json->child; cur != nullptr; cur = cur->next) {
     if (strcmp(cur->key, "sub") == 0) {
       claims->sub = validate_string_field(cur, "sub");
-      if (claims->sub == NULL) goto error;
+      if (claims->sub == nullptr) goto error;
     } else if (strcmp(cur->key, "iss") == 0) {
       claims->iss = validate_string_field(cur, "iss");
-      if (claims->iss == NULL) goto error;
+      if (claims->iss == nullptr) goto error;
     } else if (strcmp(cur->key, "aud") == 0) {
       claims->aud = validate_string_field(cur, "aud");
-      if (claims->aud == NULL) goto error;
+      if (claims->aud == nullptr) goto error;
     } else if (strcmp(cur->key, "jti") == 0) {
       claims->jti = validate_string_field(cur, "jti");
-      if (claims->jti == NULL) goto error;
+      if (claims->jti == nullptr) goto error;
     } else if (strcmp(cur->key, "iat") == 0) {
       claims->iat = validate_time_field(cur, "iat");
       if (gpr_time_cmp(claims->iat, gpr_time_0(GPR_CLOCK_REALTIME)) == 0)
@@ -271,15 +275,15 @@ grpc_jwt_claims *grpc_jwt_claims_from_json(grpc_exec_ctx *exec_ctx,
 
 error:
   grpc_jwt_claims_destroy(exec_ctx, claims);
-  return NULL;
+  return nullptr;
 }
 
-grpc_jwt_verifier_status grpc_jwt_claims_check(const grpc_jwt_claims *claims,
-                                               const char *audience) {
+grpc_jwt_verifier_status grpc_jwt_claims_check(const grpc_jwt_claims* claims,
+                                               const char* audience) {
   gpr_timespec skewed_now;
   int audience_ok;
 
-  GPR_ASSERT(claims != NULL);
+  GPR_ASSERT(claims != nullptr);
 
   skewed_now =
       gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), grpc_jwt_verifier_clock_skew);
@@ -297,23 +301,23 @@ grpc_jwt_verifier_status grpc_jwt_claims_check(const grpc_jwt_claims *claims,
   /* This should be probably up to the upper layer to decide but let's harcode
      the 99% use case here for email issuers, where the JWT must be self
      issued. */
-  if (grpc_jwt_issuer_email_domain(claims->iss) != NULL &&
-      claims->sub != NULL && strcmp(claims->iss, claims->sub) != 0) {
+  if (grpc_jwt_issuer_email_domain(claims->iss) != nullptr &&
+      claims->sub != nullptr && strcmp(claims->iss, claims->sub) != 0) {
     gpr_log(GPR_ERROR,
             "Email issuer (%s) cannot assert another subject (%s) than itself.",
             claims->iss, claims->sub);
     return GRPC_JWT_VERIFIER_BAD_SUBJECT;
   }
 
-  if (audience == NULL) {
-    audience_ok = claims->aud == NULL;
+  if (audience == nullptr) {
+    audience_ok = claims->aud == nullptr;
   } else {
-    audience_ok = claims->aud != NULL && strcmp(audience, claims->aud) == 0;
+    audience_ok = claims->aud != nullptr && strcmp(audience, claims->aud) == 0;
   }
   if (!audience_ok) {
     gpr_log(GPR_ERROR, "Audience mismatch: expected %s and found %s.",
-            audience == NULL ? "NULL" : audience,
-            claims->aud == NULL ? "NULL" : claims->aud);
+            audience == nullptr ? "NULL" : audience,
+            claims->aud == nullptr ? "NULL" : claims->aud);
     return GRPC_JWT_VERIFIER_BAD_AUDIENCE;
   }
   return GRPC_JWT_VERIFIER_OK;
@@ -328,26 +332,26 @@ typedef enum {
 } http_response_index;
 
 typedef struct {
-  grpc_jwt_verifier *verifier;
+  grpc_jwt_verifier* verifier;
   grpc_polling_entity pollent;
-  jose_header *header;
-  grpc_jwt_claims *claims;
-  char *audience;
+  jose_header* header;
+  grpc_jwt_claims* claims;
+  char* audience;
   grpc_slice signature;
   grpc_slice signed_data;
-  void *user_data;
+  void* user_data;
   grpc_jwt_verification_done_cb user_cb;
   grpc_http_response responses[HTTP_RESPONSE_COUNT];
 } verifier_cb_ctx;
 
 /* Takes ownership of the header, claims and signature. */
-static verifier_cb_ctx *verifier_cb_ctx_create(
-    grpc_jwt_verifier *verifier, grpc_pollset *pollset, jose_header *header,
-    grpc_jwt_claims *claims, const char *audience, grpc_slice signature,
-    const char *signed_jwt, size_t signed_jwt_len, void *user_data,
+static verifier_cb_ctx* verifier_cb_ctx_create(
+    grpc_jwt_verifier* verifier, grpc_pollset* pollset, jose_header* header,
+    grpc_jwt_claims* claims, const char* audience, grpc_slice signature,
+    const char* signed_jwt, size_t signed_jwt_len, void* user_data,
     grpc_jwt_verification_done_cb cb) {
   grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT;
-  verifier_cb_ctx *ctx = gpr_zalloc(sizeof(verifier_cb_ctx));
+  verifier_cb_ctx* ctx = (verifier_cb_ctx*)gpr_zalloc(sizeof(verifier_cb_ctx));
   ctx->verifier = verifier;
   ctx->pollent = grpc_polling_entity_create_from_pollset(pollset);
   ctx->header = header;
@@ -361,9 +365,9 @@ static verifier_cb_ctx *verifier_cb_ctx_create(
   return ctx;
 }
 
-void verifier_cb_ctx_destroy(grpc_exec_ctx *exec_ctx, verifier_cb_ctx *ctx) {
-  if (ctx->audience != NULL) gpr_free(ctx->audience);
-  if (ctx->claims != NULL) grpc_jwt_claims_destroy(exec_ctx, ctx->claims);
+void verifier_cb_ctx_destroy(grpc_exec_ctx* exec_ctx, verifier_cb_ctx* ctx) {
+  if (ctx->audience != nullptr) gpr_free(ctx->audience);
+  if (ctx->claims != nullptr) grpc_jwt_claims_destroy(exec_ctx, ctx->claims);
   grpc_slice_unref_internal(exec_ctx, ctx->signature);
   grpc_slice_unref_internal(exec_ctx, ctx->signed_data);
   jose_header_destroy(exec_ctx, ctx->header);
@@ -380,63 +384,63 @@ void verifier_cb_ctx_destroy(grpc_exec_ctx *exec_ctx, verifier_cb_ctx *ctx) {
 gpr_timespec grpc_jwt_verifier_clock_skew = {60, 0, GPR_TIMESPAN};
 
 /* Max delay defaults to one minute. */
-gpr_timespec grpc_jwt_verifier_max_delay = {60, 0, GPR_TIMESPAN};
+grpc_millis grpc_jwt_verifier_max_delay = 60 * GPR_MS_PER_SEC;
 
 typedef struct {
-  char *email_domain;
-  char *key_url_prefix;
+  char* email_domain;
+  char* key_url_prefix;
 } email_key_mapping;
 
 struct grpc_jwt_verifier {
-  email_key_mapping *mappings;
+  email_key_mapping* mappings;
   size_t num_mappings; /* Should be very few, linear search ok. */
   size_t allocated_mappings;
   grpc_httpcli_context http_ctx;
 };
 
-static grpc_json *json_from_http(const grpc_httpcli_response *response) {
-  grpc_json *json = NULL;
+static grpc_json* json_from_http(const grpc_httpcli_response* response) {
+  grpc_json* json = nullptr;
 
-  if (response == NULL) {
+  if (response == nullptr) {
     gpr_log(GPR_ERROR, "HTTP response is NULL.");
-    return NULL;
+    return nullptr;
   }
   if (response->status != 200) {
     gpr_log(GPR_ERROR, "Call to http server failed with error %d.",
             response->status);
-    return NULL;
+    return nullptr;
   }
 
   json = grpc_json_parse_string_with_len(response->body, response->body_length);
-  if (json == NULL) {
+  if (json == nullptr) {
     gpr_log(GPR_ERROR, "Invalid JSON found in response.");
   }
   return json;
 }
 
-static const grpc_json *find_property_by_name(const grpc_json *json,
-                                              const char *name) {
-  const grpc_json *cur;
-  for (cur = json->child; cur != NULL; cur = cur->next) {
+static const grpc_json* find_property_by_name(const grpc_json* json,
+                                              const char* name) {
+  const grpc_json* cur;
+  for (cur = json->child; cur != nullptr; cur = cur->next) {
     if (strcmp(cur->key, name) == 0) return cur;
   }
-  return NULL;
+  return nullptr;
 }
 
-static EVP_PKEY *extract_pkey_from_x509(const char *x509_str) {
-  X509 *x509 = NULL;
-  EVP_PKEY *result = NULL;
-  BIO *bio = BIO_new(BIO_s_mem());
+static EVP_PKEY* extract_pkey_from_x509(const char* x509_str) {
+  X509* x509 = nullptr;
+  EVP_PKEY* result = nullptr;
+  BIO* bio = BIO_new(BIO_s_mem());
   size_t len = strlen(x509_str);
   GPR_ASSERT(len < INT_MAX);
   BIO_write(bio, x509_str, (int)len);
-  x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
-  if (x509 == NULL) {
+  x509 = PEM_read_bio_X509(bio, nullptr, nullptr, nullptr);
+  if (x509 == nullptr) {
     gpr_log(GPR_ERROR, "Unable to parse x509 cert.");
     goto end;
   }
   result = X509_get_pubkey(x509);
-  if (result == NULL) {
+  if (result == nullptr) {
     gpr_log(GPR_ERROR, "Cannot find public key in X509 cert.");
   }
 
@@ -446,18 +450,18 @@ end:
   return result;
 }
 
-static BIGNUM *bignum_from_base64(grpc_exec_ctx *exec_ctx, const char *b64) {
-  BIGNUM *result = NULL;
+static BIGNUM* bignum_from_base64(grpc_exec_ctx* exec_ctx, const char* b64) {
+  BIGNUM* result = nullptr;
   grpc_slice bin;
 
-  if (b64 == NULL) return NULL;
+  if (b64 == nullptr) return nullptr;
   bin = grpc_base64_decode(exec_ctx, b64, 1);
   if (GRPC_SLICE_IS_EMPTY(bin)) {
     gpr_log(GPR_ERROR, "Invalid base64 for big num.");
-    return NULL;
+    return nullptr;
   }
   result = BN_bin2bn(GRPC_SLICE_START_PTR(bin),
-                     TSI_SIZE_AS_SIZE(GRPC_SLICE_LENGTH(bin)), NULL);
+                     TSI_SIZE_AS_SIZE(GRPC_SLICE_LENGTH(bin)), nullptr);
   grpc_slice_unref_internal(exec_ctx, bin);
   return result;
 }
@@ -465,24 +469,24 @@ static BIGNUM *bignum_from_base64(grpc_exec_ctx *exec_ctx, const char *b64) {
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 
 // Provide compatibility across OpenSSL 1.02 and 1.1.
-static int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
+static int RSA_set0_key(RSA* r, BIGNUM* n, BIGNUM* e, BIGNUM* d) {
   /* If the fields n and e in r are NULL, the corresponding input
    * parameters MUST be non-NULL for n and e.  d may be
    * left NULL (in case only the public key is used).
    */
-  if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) {
+  if ((r->n == nullptr && n == nullptr) || (r->e == nullptr && e == nullptr)) {
     return 0;
   }
 
-  if (n != NULL) {
+  if (n != nullptr) {
     BN_free(r->n);
     r->n = n;
   }
-  if (e != NULL) {
+  if (e != nullptr) {
     BN_free(r->e);
     r->e = e;
   }
-  if (d != NULL) {
+  if (d != nullptr) {
     BN_free(r->d);
     r->d = d;
   }
@@ -491,46 +495,46 @@ static int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
 }
 #endif  // OPENSSL_VERSION_NUMBER < 0x10100000L
 
-static EVP_PKEY *pkey_from_jwk(grpc_exec_ctx *exec_ctx, const grpc_json *json,
-                               const char *kty) {
-  const grpc_json *key_prop;
-  RSA *rsa = NULL;
-  EVP_PKEY *result = NULL;
-  BIGNUM *tmp_n = NULL;
-  BIGNUM *tmp_e = NULL;
+static EVP_PKEY* pkey_from_jwk(grpc_exec_ctx* exec_ctx, const grpc_json* json,
+                               const char* kty) {
+  const grpc_json* key_prop;
+  RSA* rsa = nullptr;
+  EVP_PKEY* result = nullptr;
+  BIGNUM* tmp_n = nullptr;
+  BIGNUM* tmp_e = nullptr;
 
-  GPR_ASSERT(kty != NULL && json != NULL);
+  GPR_ASSERT(kty != nullptr && json != nullptr);
   if (strcmp(kty, "RSA") != 0) {
     gpr_log(GPR_ERROR, "Unsupported key type %s.", kty);
     goto end;
   }
   rsa = RSA_new();
-  if (rsa == NULL) {
+  if (rsa == nullptr) {
     gpr_log(GPR_ERROR, "Could not create rsa key.");
     goto end;
   }
-  for (key_prop = json->child; key_prop != NULL; key_prop = key_prop->next) {
+  for (key_prop = json->child; key_prop != nullptr; key_prop = key_prop->next) {
     if (strcmp(key_prop->key, "n") == 0) {
       tmp_n =
           bignum_from_base64(exec_ctx, validate_string_field(key_prop, "n"));
-      if (tmp_n == NULL) goto end;
+      if (tmp_n == nullptr) goto end;
     } else if (strcmp(key_prop->key, "e") == 0) {
       tmp_e =
           bignum_from_base64(exec_ctx, validate_string_field(key_prop, "e"));
-      if (tmp_e == NULL) goto end;
+      if (tmp_e == nullptr) goto end;
     }
   }
-  if (tmp_e == NULL || tmp_n == NULL) {
+  if (tmp_e == nullptr || tmp_n == nullptr) {
     gpr_log(GPR_ERROR, "Missing RSA public key field.");
     goto end;
   }
-  if (!RSA_set0_key(rsa, tmp_n, tmp_e, NULL)) {
+  if (!RSA_set0_key(rsa, tmp_n, tmp_e, nullptr)) {
     gpr_log(GPR_ERROR, "Cannot set RSA key from inputs.");
     goto end;
   }
   /* RSA_set0_key takes ownership on success. */
-  tmp_n = NULL;
-  tmp_e = NULL;
+  tmp_n = nullptr;
+  tmp_e = nullptr;
   result = EVP_PKEY_new();
   EVP_PKEY_set1_RSA(result, rsa); /* uprefs rsa. */
 
@@ -541,38 +545,39 @@ end:
   return result;
 }
 
-static EVP_PKEY *find_verification_key(grpc_exec_ctx *exec_ctx,
-                                       const grpc_json *json,
-                                       const char *header_alg,
-                                       const char *header_kid) {
-  const grpc_json *jkey;
-  const grpc_json *jwk_keys;
+static EVP_PKEY* find_verification_key(grpc_exec_ctx* exec_ctx,
+                                       const grpc_json* json,
+                                       const char* header_alg,
+                                       const char* header_kid) {
+  const grpc_json* jkey;
+  const grpc_json* jwk_keys;
   /* Try to parse the json as a JWK set:
      https://tools.ietf.org/html/rfc7517#section-5. */
   jwk_keys = find_property_by_name(json, "keys");
-  if (jwk_keys == NULL) {
+  if (jwk_keys == nullptr) {
     /* Use the google proprietary format which is:
        { <kid1>: <x5091>, <kid2>: <x5092>, ... } */
-    const grpc_json *cur = find_property_by_name(json, header_kid);
-    if (cur == NULL) return NULL;
+    const grpc_json* cur = find_property_by_name(json, header_kid);
+    if (cur == nullptr) return nullptr;
     return extract_pkey_from_x509(cur->value);
   }
 
   if (jwk_keys->type != GRPC_JSON_ARRAY) {
     gpr_log(GPR_ERROR,
             "Unexpected value type of keys property in jwks key set.");
-    return NULL;
+    return nullptr;
   }
   /* Key format is specified in:
      https://tools.ietf.org/html/rfc7518#section-6. */
-  for (jkey = jwk_keys->child; jkey != NULL; jkey = jkey->next) {
-    grpc_json *key_prop;
-    const char *alg = NULL;
-    const char *kid = NULL;
-    const char *kty = NULL;
+  for (jkey = jwk_keys->child; jkey != nullptr; jkey = jkey->next) {
+    grpc_json* key_prop;
+    const char* alg = nullptr;
+    const char* kid = nullptr;
+    const char* kty = nullptr;
 
     if (jkey->type != GRPC_JSON_OBJECT) continue;
-    for (key_prop = jkey->child; key_prop != NULL; key_prop = key_prop->next) {
+    for (key_prop = jkey->child; key_prop != nullptr;
+         key_prop = key_prop->next) {
       if (strcmp(key_prop->key, "alg") == 0 &&
           key_prop->type == GRPC_JSON_STRING) {
         alg = key_prop->value;
@@ -584,7 +589,7 @@ static EVP_PKEY *find_verification_key(grpc_exec_ctx *exec_ctx,
         kty = key_prop->value;
       }
     }
-    if (alg != NULL && kid != NULL && kty != NULL &&
+    if (alg != nullptr && kid != nullptr && kty != nullptr &&
         strcmp(kid, header_kid) == 0 && strcmp(alg, header_alg) == 0) {
       return pkey_from_jwk(exec_ctx, jkey, kty);
     }
@@ -592,21 +597,21 @@ static EVP_PKEY *find_verification_key(grpc_exec_ctx *exec_ctx,
   gpr_log(GPR_ERROR,
           "Could not find matching key in key set for kid=%s and alg=%s",
           header_kid, header_alg);
-  return NULL;
+  return nullptr;
 }
 
-static int verify_jwt_signature(EVP_PKEY *key, const char *alg,
+static int verify_jwt_signature(EVP_PKEY* key, const char* alg,
                                 grpc_slice signature, grpc_slice signed_data) {
-  EVP_MD_CTX *md_ctx = EVP_MD_CTX_create();
-  const EVP_MD *md = evp_md_from_alg(alg);
+  EVP_MD_CTX* md_ctx = EVP_MD_CTX_create();
+  const EVP_MD* md = evp_md_from_alg(alg);
   int result = 0;
 
-  GPR_ASSERT(md != NULL); /* Checked before. */
-  if (md_ctx == NULL) {
+  GPR_ASSERT(md != nullptr); /* Checked before. */
+  if (md_ctx == nullptr) {
     gpr_log(GPR_ERROR, "Could not create EVP_MD_CTX.");
     goto end;
   }
-  if (EVP_DigestVerifyInit(md_ctx, NULL, md, NULL, key) != 1) {
+  if (EVP_DigestVerifyInit(md_ctx, nullptr, md, nullptr, key) != 1) {
     gpr_log(GPR_ERROR, "EVP_DigestVerifyInit failed.");
     goto end;
   }
@@ -627,21 +632,21 @@ end:
   return result;
 }
 
-static void on_keys_retrieved(grpc_exec_ctx *exec_ctx, void *user_data,
-                              grpc_error *error) {
-  verifier_cb_ctx *ctx = (verifier_cb_ctx *)user_data;
-  grpc_json *json = json_from_http(&ctx->responses[HTTP_RESPONSE_KEYS]);
-  EVP_PKEY *verification_key = NULL;
+static void on_keys_retrieved(grpc_exec_ctx* exec_ctx, void* user_data,
+                              grpc_error* error) {
+  verifier_cb_ctx* ctx = (verifier_cb_ctx*)user_data;
+  grpc_json* json = json_from_http(&ctx->responses[HTTP_RESPONSE_KEYS]);
+  EVP_PKEY* verification_key = nullptr;
   grpc_jwt_verifier_status status = GRPC_JWT_VERIFIER_GENERIC_ERROR;
-  grpc_jwt_claims *claims = NULL;
+  grpc_jwt_claims* claims = nullptr;
 
-  if (json == NULL) {
+  if (json == nullptr) {
     status = GRPC_JWT_VERIFIER_KEY_RETRIEVAL_ERROR;
     goto end;
   }
   verification_key =
       find_verification_key(exec_ctx, json, ctx->header->alg, ctx->header->kid);
-  if (verification_key == NULL) {
+  if (verification_key == nullptr) {
     gpr_log(GPR_ERROR, "Could not find verification key with kid %s.",
             ctx->header->kid);
     status = GRPC_JWT_VERIFIER_KEY_RETRIEVAL_ERROR;
@@ -658,34 +663,35 @@ static void on_keys_retrieved(grpc_exec_ctx *exec_ctx, void *user_data,
   if (status == GRPC_JWT_VERIFIER_OK) {
     /* Pass ownership. */
     claims = ctx->claims;
-    ctx->claims = NULL;
+    ctx->claims = nullptr;
   }
 
 end:
-  if (json != NULL) grpc_json_destroy(json);
+  if (json != nullptr) grpc_json_destroy(json);
   EVP_PKEY_free(verification_key);
   ctx->user_cb(exec_ctx, ctx->user_data, status, claims);
   verifier_cb_ctx_destroy(exec_ctx, ctx);
 }
 
-static void on_openid_config_retrieved(grpc_exec_ctx *exec_ctx, void *user_data,
-                                       grpc_error *error) {
-  const grpc_json *cur;
-  verifier_cb_ctx *ctx = (verifier_cb_ctx *)user_data;
-  const grpc_http_response *response = &ctx->responses[HTTP_RESPONSE_OPENID];
-  grpc_json *json = json_from_http(response);
+static void on_openid_config_retrieved(grpc_exec_ctx* exec_ctx, void* user_data,
+                                       grpc_error* error) {
+  const grpc_json* cur;
+  verifier_cb_ctx* ctx = (verifier_cb_ctx*)user_data;
+  const grpc_http_response* response = &ctx->responses[HTTP_RESPONSE_OPENID];
+  grpc_json* json = json_from_http(response);
   grpc_httpcli_request req;
-  const char *jwks_uri;
+  const char* jwks_uri;
+  grpc_resource_quota* resource_quota = nullptr;
 
   /* TODO(jboeuf): Cache the jwks_uri in order to avoid this hop next time. */
-  if (json == NULL) goto error;
+  if (json == nullptr) goto error;
   cur = find_property_by_name(json, "jwks_uri");
-  if (cur == NULL) {
+  if (cur == nullptr) {
     gpr_log(GPR_ERROR, "Could not find jwks_uri in openid config.");
     goto error;
   }
   jwks_uri = validate_string_field(cur, "jwks_uri");
-  if (jwks_uri == NULL) goto error;
+  if (jwks_uri == nullptr) goto error;
   if (strstr(jwks_uri, "https://") != jwks_uri) {
     gpr_log(GPR_ERROR, "Invalid non https jwks_uri: %s.", jwks_uri);
     goto error;
@@ -693,9 +699,9 @@ static void on_openid_config_retrieved(grpc_exec_ctx *exec_ctx, void *user_data,
   jwks_uri += 8;
   req.handshaker = &grpc_httpcli_ssl;
   req.host = gpr_strdup(jwks_uri);
-  req.http.path = strchr(jwks_uri, '/');
-  if (req.http.path == NULL) {
-    req.http.path = "";
+  req.http.path = (char*)strchr(jwks_uri, '/');
+  if (req.http.path == nullptr) {
+    req.http.path = (char*)"";
   } else {
     *(req.host + (req.http.path - jwks_uri)) = '\0';
   }
@@ -703,11 +709,10 @@ static void on_openid_config_retrieved(grpc_exec_ctx *exec_ctx, void *user_data,
   /* TODO(ctiller): Carry the resource_quota in ctx and share it with the host
      channel. This would allow us to cancel an authentication query when under
      extreme memory pressure. */
-  grpc_resource_quota *resource_quota =
-      grpc_resource_quota_create("jwt_verifier");
+  resource_quota = grpc_resource_quota_create("jwt_verifier");
   grpc_httpcli_get(
       exec_ctx, &ctx->verifier->http_ctx, &ctx->pollent, resource_quota, &req,
-      gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), grpc_jwt_verifier_max_delay),
+      grpc_exec_ctx_now(exec_ctx) + grpc_jwt_verifier_max_delay,
       GRPC_CLOSURE_CREATE(on_keys_retrieved, ctx, grpc_schedule_on_exec_ctx),
       &ctx->responses[HTTP_RESPONSE_KEYS]);
   grpc_resource_quota_unref_internal(exec_ctx, resource_quota);
@@ -716,29 +721,29 @@ static void on_openid_config_retrieved(grpc_exec_ctx *exec_ctx, void *user_data,
   return;
 
 error:
-  if (json != NULL) grpc_json_destroy(json);
+  if (json != nullptr) grpc_json_destroy(json);
   ctx->user_cb(exec_ctx, ctx->user_data, GRPC_JWT_VERIFIER_KEY_RETRIEVAL_ERROR,
-               NULL);
+               nullptr);
   verifier_cb_ctx_destroy(exec_ctx, ctx);
 }
 
-static email_key_mapping *verifier_get_mapping(grpc_jwt_verifier *v,
-                                               const char *email_domain) {
+static email_key_mapping* verifier_get_mapping(grpc_jwt_verifier* v,
+                                               const char* email_domain) {
   size_t i;
-  if (v->mappings == NULL) return NULL;
+  if (v->mappings == nullptr) return nullptr;
   for (i = 0; i < v->num_mappings; i++) {
     if (strcmp(email_domain, v->mappings[i].email_domain) == 0) {
       return &v->mappings[i];
     }
   }
-  return NULL;
+  return nullptr;
 }
 
-static void verifier_put_mapping(grpc_jwt_verifier *v, const char *email_domain,
-                                 const char *key_url_prefix) {
-  email_key_mapping *mapping = verifier_get_mapping(v, email_domain);
+static void verifier_put_mapping(grpc_jwt_verifier* v, const char* email_domain,
+                                 const char* key_url_prefix) {
+  email_key_mapping* mapping = verifier_get_mapping(v, email_domain);
   GPR_ASSERT(v->num_mappings < v->allocated_mappings);
-  if (mapping != NULL) {
+  if (mapping != nullptr) {
     gpr_free(mapping->key_url_prefix);
     mapping->key_url_prefix = gpr_strdup(key_url_prefix);
     return;
@@ -751,39 +756,42 @@ static void verifier_put_mapping(grpc_jwt_verifier *v, const char *email_domain,
 
 /* Very non-sophisticated way to detect an email address. Should be good
    enough for now... */
-const char *grpc_jwt_issuer_email_domain(const char *issuer) {
-  const char *at_sign = strchr(issuer, '@');
-  if (at_sign == NULL) return NULL;
-  const char *email_domain = at_sign + 1;
-  if (*email_domain == '\0') return NULL;
-  const char *dot = strrchr(email_domain, '.');
-  if (dot == NULL || dot == email_domain) return email_domain;
+const char* grpc_jwt_issuer_email_domain(const char* issuer) {
+  const char* at_sign = strchr(issuer, '@');
+  if (at_sign == nullptr) return nullptr;
+  const char* email_domain = at_sign + 1;
+  if (*email_domain == '\0') return nullptr;
+  const char* dot = strrchr(email_domain, '.');
+  if (dot == nullptr || dot == email_domain) return email_domain;
   GPR_ASSERT(dot > email_domain);
   /* There may be a subdomain, we just want the domain. */
-  dot = gpr_memrchr(email_domain, '.', (size_t)(dot - email_domain));
-  if (dot == NULL) return email_domain;
+  dot = (const char*)gpr_memrchr((void*)email_domain, '.',
+                                 (size_t)(dot - email_domain));
+  if (dot == nullptr) return email_domain;
   return dot + 1;
 }
 
 /* Takes ownership of ctx. */
-static void retrieve_key_and_verify(grpc_exec_ctx *exec_ctx,
-                                    verifier_cb_ctx *ctx) {
-  const char *email_domain;
-  grpc_closure *http_cb;
-  char *path_prefix = NULL;
-  const char *iss;
+static void retrieve_key_and_verify(grpc_exec_ctx* exec_ctx,
+                                    verifier_cb_ctx* ctx) {
+  const char* email_domain;
+  grpc_closure* http_cb;
+  char* path_prefix = nullptr;
+  const char* iss;
   grpc_httpcli_request req;
+  grpc_resource_quota* resource_quota = nullptr;
   memset(&req, 0, sizeof(grpc_httpcli_request));
   req.handshaker = &grpc_httpcli_ssl;
   http_response_index rsp_idx;
 
-  GPR_ASSERT(ctx != NULL && ctx->header != NULL && ctx->claims != NULL);
+  GPR_ASSERT(ctx != nullptr && ctx->header != nullptr &&
+             ctx->claims != nullptr);
   iss = ctx->claims->iss;
-  if (ctx->header->kid == NULL) {
+  if (ctx->header->kid == nullptr) {
     gpr_log(GPR_ERROR, "Missing kid in jose header.");
     goto error;
   }
-  if (iss == NULL) {
+  if (iss == nullptr) {
     gpr_log(GPR_ERROR, "Missing iss in claims.");
     goto error;
   }
@@ -794,17 +802,17 @@ static void retrieve_key_and_verify(grpc_exec_ctx *exec_ctx,
      so we will rely instead on email/url mappings if we detect such an issuer.
      Part 4, on the other hand is implemented by both google and salesforce. */
   email_domain = grpc_jwt_issuer_email_domain(iss);
-  if (email_domain != NULL) {
-    email_key_mapping *mapping;
-    GPR_ASSERT(ctx->verifier != NULL);
+  if (email_domain != nullptr) {
+    email_key_mapping* mapping;
+    GPR_ASSERT(ctx->verifier != nullptr);
     mapping = verifier_get_mapping(ctx->verifier, email_domain);
-    if (mapping == NULL) {
+    if (mapping == nullptr) {
       gpr_log(GPR_ERROR, "Missing mapping for issuer email.");
       goto error;
     }
     req.host = gpr_strdup(mapping->key_url_prefix);
     path_prefix = strchr(req.host, '/');
-    if (path_prefix == NULL) {
+    if (path_prefix == nullptr) {
       gpr_asprintf(&req.http.path, "/%s", iss);
     } else {
       *(path_prefix++) = '\0';
@@ -816,7 +824,7 @@ static void retrieve_key_and_verify(grpc_exec_ctx *exec_ctx,
   } else {
     req.host = gpr_strdup(strstr(iss, "https://") == iss ? iss + 8 : iss);
     path_prefix = strchr(req.host, '/');
-    if (path_prefix == NULL) {
+    if (path_prefix == nullptr) {
       req.http.path = gpr_strdup(GRPC_OPENID_CONFIG_URL_SUFFIX);
     } else {
       *(path_prefix++) = 0;
@@ -831,12 +839,11 @@ static void retrieve_key_and_verify(grpc_exec_ctx *exec_ctx,
   /* TODO(ctiller): Carry the resource_quota in ctx and share it with the host
      channel. This would allow us to cancel an authentication query when under
      extreme memory pressure. */
-  grpc_resource_quota *resource_quota =
-      grpc_resource_quota_create("jwt_verifier");
-  grpc_httpcli_get(
-      exec_ctx, &ctx->verifier->http_ctx, &ctx->pollent, resource_quota, &req,
-      gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), grpc_jwt_verifier_max_delay),
-      http_cb, &ctx->responses[rsp_idx]);
+  resource_quota = grpc_resource_quota_create("jwt_verifier");
+  grpc_httpcli_get(exec_ctx, &ctx->verifier->http_ctx, &ctx->pollent,
+                   resource_quota, &req,
+                   grpc_exec_ctx_now(exec_ctx) + grpc_jwt_verifier_max_delay,
+                   http_cb, &ctx->responses[rsp_idx]);
   grpc_resource_quota_unref_internal(exec_ctx, resource_quota);
   gpr_free(req.host);
   gpr_free(req.http.path);
@@ -844,43 +851,44 @@ static void retrieve_key_and_verify(grpc_exec_ctx *exec_ctx,
 
 error:
   ctx->user_cb(exec_ctx, ctx->user_data, GRPC_JWT_VERIFIER_KEY_RETRIEVAL_ERROR,
-               NULL);
+               nullptr);
   verifier_cb_ctx_destroy(exec_ctx, ctx);
 }
 
-void grpc_jwt_verifier_verify(grpc_exec_ctx *exec_ctx,
-                              grpc_jwt_verifier *verifier,
-                              grpc_pollset *pollset, const char *jwt,
-                              const char *audience,
+void grpc_jwt_verifier_verify(grpc_exec_ctx* exec_ctx,
+                              grpc_jwt_verifier* verifier,
+                              grpc_pollset* pollset, const char* jwt,
+                              const char* audience,
                               grpc_jwt_verification_done_cb cb,
-                              void *user_data) {
-  const char *dot = NULL;
-  grpc_json *json;
-  jose_header *header = NULL;
-  grpc_jwt_claims *claims = NULL;
+                              void* user_data) {
+  const char* dot = nullptr;
+  grpc_json* json;
+  jose_header* header = nullptr;
+  grpc_jwt_claims* claims = nullptr;
   grpc_slice header_buffer;
   grpc_slice claims_buffer;
   grpc_slice signature;
   size_t signed_jwt_len;
-  const char *cur = jwt;
+  const char* cur = jwt;
 
-  GPR_ASSERT(verifier != NULL && jwt != NULL && audience != NULL && cb != NULL);
+  GPR_ASSERT(verifier != nullptr && jwt != nullptr && audience != nullptr &&
+             cb != nullptr);
   dot = strchr(cur, '.');
-  if (dot == NULL) goto error;
+  if (dot == nullptr) goto error;
   json = parse_json_part_from_jwt(exec_ctx, cur, (size_t)(dot - cur),
                                   &header_buffer);
-  if (json == NULL) goto error;
+  if (json == nullptr) goto error;
   header = jose_header_from_json(exec_ctx, json, header_buffer);
-  if (header == NULL) goto error;
+  if (header == nullptr) goto error;
 
   cur = dot + 1;
   dot = strchr(cur, '.');
-  if (dot == NULL) goto error;
+  if (dot == nullptr) goto error;
   json = parse_json_part_from_jwt(exec_ctx, cur, (size_t)(dot - cur),
                                   &claims_buffer);
-  if (json == NULL) goto error;
+  if (json == nullptr) goto error;
   claims = grpc_jwt_claims_from_json(exec_ctx, json, claims_buffer);
-  if (claims == NULL) goto error;
+  if (claims == nullptr) goto error;
 
   signed_jwt_len = (size_t)(dot - jwt);
   cur = dot + 1;
@@ -893,24 +901,26 @@ void grpc_jwt_verifier_verify(grpc_exec_ctx *exec_ctx,
   return;
 
 error:
-  if (header != NULL) jose_header_destroy(exec_ctx, header);
-  if (claims != NULL) grpc_jwt_claims_destroy(exec_ctx, claims);
-  cb(exec_ctx, user_data, GRPC_JWT_VERIFIER_BAD_FORMAT, NULL);
+  if (header != nullptr) jose_header_destroy(exec_ctx, header);
+  if (claims != nullptr) grpc_jwt_claims_destroy(exec_ctx, claims);
+  cb(exec_ctx, user_data, GRPC_JWT_VERIFIER_BAD_FORMAT, nullptr);
 }
 
-grpc_jwt_verifier *grpc_jwt_verifier_create(
-    const grpc_jwt_verifier_email_domain_key_url_mapping *mappings,
+grpc_jwt_verifier* grpc_jwt_verifier_create(
+    const grpc_jwt_verifier_email_domain_key_url_mapping* mappings,
     size_t num_mappings) {
-  grpc_jwt_verifier *v = gpr_zalloc(sizeof(grpc_jwt_verifier));
+  grpc_jwt_verifier* v =
+      (grpc_jwt_verifier*)gpr_zalloc(sizeof(grpc_jwt_verifier));
   grpc_httpcli_context_init(&v->http_ctx);
 
   /* We know at least of one mapping. */
   v->allocated_mappings = 1 + num_mappings;
-  v->mappings = gpr_malloc(v->allocated_mappings * sizeof(email_key_mapping));
+  v->mappings = (email_key_mapping*)gpr_malloc(v->allocated_mappings *
+                                               sizeof(email_key_mapping));
   verifier_put_mapping(v, GRPC_GOOGLE_SERVICE_ACCOUNTS_EMAIL_DOMAIN,
                        GRPC_GOOGLE_SERVICE_ACCOUNTS_KEY_URL_PREFIX);
   /* User-Provided mappings. */
-  if (mappings != NULL) {
+  if (mappings != nullptr) {
     size_t i;
     for (i = 0; i < num_mappings; i++) {
       verifier_put_mapping(v, mappings[i].email_domain,
@@ -920,11 +930,11 @@ grpc_jwt_verifier *grpc_jwt_verifier_create(
   return v;
 }
 
-void grpc_jwt_verifier_destroy(grpc_exec_ctx *exec_ctx, grpc_jwt_verifier *v) {
+void grpc_jwt_verifier_destroy(grpc_exec_ctx* exec_ctx, grpc_jwt_verifier* v) {
   size_t i;
-  if (v == NULL) return;
+  if (v == nullptr) return;
   grpc_httpcli_context_destroy(exec_ctx, &v->http_ctx);
-  if (v->mappings != NULL) {
+  if (v->mappings != nullptr) {
     for (i = 0; i < v->num_mappings; i++) {
       gpr_free(v->mappings[i].email_domain);
       gpr_free(v->mappings[i].key_url_prefix);