Skip to content

Add support for x5t and x5t#S256 header #669

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Add support for x5t and x5t#S256 header #669

wants to merge 6 commits into from

Conversation

hieuk09
Copy link
Contributor

@hieuk09 hieuk09 commented Apr 4, 2025
edited
Loading

Description

Close #562

Checklist

Before the PR can be merged be sure the following are checked:

  • There are tests for the fix or feature added/changed
  • A description of the changes and a reference to the PR has been added to CHANGELOG.md. More details in the CONTRIBUTING.md

@hieuk09 hieuk09 force-pushed the feature/add-x5t branch 3 times, most recently from f6e2067 to 28a5e72 Compare April 4, 2025 22:13
@anakinj
Copy link
Member

anakinj commented Apr 7, 2025

@hieuk09 Did you have some reference for how this should work? Could take a look at that to educate myself a bit.

anakinj
anakinj reviewed Apr 7, 2025
View reviewed changes
anakinj
anakinj reviewed Apr 7, 2025
View reviewed changes
@anakinj
Copy link
Member

anakinj commented Apr 7, 2025

@hieuk09 Did you have some reference for how this should work? Could take a look at that to educate myself a bit.

Now when looking closer at the changes I found some links...

anakinj
anakinj reviewed Apr 7, 2025
View reviewed changes
@hieuk09
Copy link
Contributor Author

hieuk09 commented Apr 7, 2025

Thank you for the detailed review. I'll take a look and fix all the comments tomorrow.

@hieuk09
Copy link
Contributor Author

hieuk09 commented Apr 9, 2025

@anakinj could you have another review?

anakinj
anakinj reviewed Apr 20, 2025
View reviewed changes
lib/jwt/jwk/key_finder.rb
@@ -37,22 +36,36 @@ def key_for(kid)
# Returns the key for the given token
# @param [JWT::EncodedToken] token the token
def call(token)
key_for(token.header['kid'])
kid = token.header['kid']
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the token happens to have both a kid and for example a x5t header it will never attempt using the x5t.

Not sure if this is a real scenario and could for sure be a later addition.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is a real scenario: here is a payload and header of token from Azure:

[
  {
    "aud": "https://management.core.windows.net",
    "iss": "https://sts.windows.net/57c0dc11-c207-49dd-9bec-76a2d395ea76/",
    "iat": 1745152327,
    "nbf": 1745152327,
    "exp": 1745157876,
    "acr": "1",
    // some more data
  },
  {
    "typ": "JWT",
    "alg": "RS256",
    "x5t": "CNv0OI3RwqlHFEVnaoMAshCH2XE",
    "kid": "CNv0OI3RwqlHFEVnaoMAshCH2XE"
  }
]

The keys can be found in https://login.windows.net/common/discovery/keys.

anakinj
anakinj reviewed Apr 20, 2025
View reviewed changes
anakinj
anakinj reviewed Apr 20, 2025
View reviewed changes
anakinj
anakinj reviewed Apr 20, 2025
View reviewed changes
Copy link
Member

@anakinj anakinj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the JWK approach is interesting. Im a bit concerned that we are cutting some corners here, as the x5* fields are pretty certificate specific and we are currently only dealing with keypairs.

anakinj
anakinj reviewed Apr 20, 2025
View reviewed changes
lib/jwt/jwk/rsa.rb
@@ -51,6 +51,9 @@ def verify_key
def export(options = {})
exported = parameters.clone
exported.reject! { |k, _| RSA_PRIVATE_KEY_ELEMENTS.include? k } unless private? && options[:include_private] == true

exported[:x5t] = Base64.url_encode(OpenSSL::Digest::SHA1.new(rsa_key.to_der).digest) if options[:include_x5t]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Im still a bit uncertain if we should make the decision here what the thumbprint is, the x5t is the thumbprint for the certificate, the RSA public key is just a part of the certificate.

Think we could have a way to export a X509 certificate that could be adding these fields directly from the certificate itself.

Also with this approach the thumbprint will differ if rsa_key is a private key or just the public key.
Also what about the SHA256 version of the thumbprint?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a good point, thanks for pointing that out. Let me think a bit more about this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@anakinj anakinj anakinj left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support x5t in place of kid
2 participants
@hieuk09 @anakinj