is it possible to include the x5t and x5c in the jwks?

[visualjeff]

Is there a way to have the x5t and x5c produced along with the output of the jwks using keystore.toJWKS([private])?

As of now I receive the e and n which is fine for validation but I was wondering if its possible to also included the x5t and x5c without having to perform a hack.

{
  keys: [
    {
      e: 'AQAB',
      n: 'uoexvPALRq1M4393L6HjJwF4Kwg3LpF2qx3UepGpRBSyy8uuqXWnMxBfjLRVENsh-_FbW8QPbBZQKq5ieJb7g_B06QvFhKEf_CBnKwSl1PCoDyn231_tflwis-LpDUGvBBT8WPBGFn8nHtdal0kIp8AQ2W0WskeRY9Mgs3w1N-uLh0i9br-uq_N8TCKgdMcCui4_Fbss2mvGmyAEQP-BDtb4yeA04oFieceMRc39iYxAEnQk0QlF0NsbN5-lkWdKHQUinrYR-XAb-P_wmR1LdG-zKcavsof8086d--FfwNFZ7TXCR14iT36ie6673bxy-PMRxRcx5jlQ2BgLws0FWw',
      kty: 'RSA',
      kid: 'jJSuFxfrJvmMTlG9BV2cFAeLQd3amL1VhwP4N6nqLXg',
      use: 'sig'
    }
  ]
}

Thank you for your time!

[panva]

is it possible to include the x5t and x5c in the jwks?

it is! the library will calculate the thumbprints (x5t and x5t#S256) if you provide your key's certificate as x5c: string[], it will also validate that the x5c you provide is in the right format and that it is for the same key as the other JWK members indicate.

Say that i have a key like so (private is irrelevant, certificates are containing the public key only), but even if private key components are present the certificate will be validated to belong to the key.

{
  e: 'AQAB',
  kid: 'z74stT3qQkZWDjWvTw1x2UVGyOb2Bu6QgmqqB8l2ABQ',
  kty: 'RSA',
  n: 'x2WwCF7ekBS2IQapfaVgWcdUewNdqO4FeYblVXlRFfYPqZl3SlNSavzq0IDbEtUnGN3Easehy6pgcVYecK0OoNNndUFdvkRyaKQtZIOweP6c534-OCcVtB0JkmGIvgE738rswVPkWsfOwC4py6-YGUwevVv_T6_bJj2xh691DNZh8_CnfFr7OPeBEKP7u4r721fCq_KEeVYLAQkzEAO35Wu08V_Dm4ETUpsBv0o69Q79m2qhr7oUO9LaomUUaNbrh48DlM6UHhfS3RZ4ih8IY5y5RbnFSuopw2dlQ_6CchDquP6Y0xXpgekIETcqilJnfJaXp1Urroye0yTRMlcN9w'
}

and a certificate for this key

-----BEGIN CERTIFICATE-----
MIIFUDCCAzigAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYExCzAJBgNVBAYTAkdC
MRAwDgYDVQQIDAdFbmdsYW5kMRIwEAYDVQQKDAlBbGljZSBMdGQxKDAmBgNVBAsM
H0FsaWNlIEx0ZCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxIjAgBgNVBAMMGUFsaWNl
IEx0ZCBJbnRlcm1lZGlhdGUgQ0EwHhcNMTgwOTIxMTU1NTAwWhcNMTkxMDAxMTU1
NTAwWjCBizELMAkGA1UEBhMCQ1oxDzANBgNVBAgMBlByYWd1ZTESMBAGA1UEBwwJ
U3RyYXNuaWNlMRAwDgYDVQQKDAdCb2IgTHRkMRQwEgYDVQQLDAtFbmdpbmVlcmlu
ZzERMA8GA1UEAwwIY2xpZW50aWQxHDAaBgkqhkiG9w0BCQEWDXBhbnZhQGJvYi5s
dGQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHZbAIXt6QFLYhBql9
pWBZx1R7A12o7gV5huVVeVEV9g+pmXdKU1Jq/OrQgNsS1ScY3cRqx6HLqmBxVh5w
rQ6g02d1QV2+RHJopC1kg7B4/pznfj44JxW0HQmSYYi+ATvfyuzBU+Rax87ALinL
r5gZTB69W/9Pr9smPbGHr3UM1mHz8Kd8Wvs494EQo/u7ivvbV8Kr8oR5VgsBCTMQ
A7fla7TxX8ObgRNSmwG/Sjr1Dv2baqGvuhQ70tqiZRRo1uuHjwOUzpQeF9LdFniK
HwhjnLlFucVK6inDZ2VD/oJyEOq4/pjTFemB6QgRNyqKUmd8lpenVSuujJ7TJNEy
Vw33AgMBAAGjgcUwgcIwCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwMwYJ
YIZIAYb4QgENBCYWJE9wZW5TU0wgR2VuZXJhdGVkIENsaWVudCBDZXJ0aWZpY2F0
ZTAdBgNVHQ4EFgQUoT7Nh2gJLqlru7QH7sSgxBaNcOswHwYDVR0jBBgwFoAU9aXg
CTQVzkjeGVwlbmtKkYn5/rIwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsG
AQUFBwMCBggrBgEFBQcDBDANBgkqhkiG9w0BAQsFAAOCAgEAqjXoNfaOG1Kxk9jO
vrHfTNdgGdrpaudZH4gRU2044m8JvazUxhnWgk+n4mkjVD5CrNu7FWza3twt2nIR
50GKWilg2fiBIPcH5RVYz7gdO3r2N1nWohx3P49bGEyyDwxR1aeM/O8w0gQ70Ayd
oPPKggpef61MsLgYl+tiVqKx3VHO5A6hPScH26p56DOq28fjLZPnTskoXxn1IHB4
Ea4fUC1x4gXDS38qvvcBVWmQWbeTm1dWEUsmRVp6D1jPAsikYjzb86lOzC0S7V6l
X1QwAL4nxDsBpxx1JlKeNDk5sdr7mHQtODjq8w+Uo0EPmgGdTsCiBgPfWHRgYAs9
HTFbC6FWeu+Bu2Nfuo8MAYCY2+FhGEwUHuUtYUR04V9F6+J4xmSsPZp46PNo4F2u
gL4Nm81py3eDOq9WcuoN0iB8XqcjmFb3BvirpSzmNuP1FsqDj+QGN73W/seHylFM
AGnsAaF3A3gBUFF26+xz7hSXLGbEhoR6FYBZKvLBQgS3zna6KbYdw0pqUBvrEJfr
VXCQPy/Y1C3EnEhQqJDx9Rmw5qm6RpuCPga4pDzQPBLny+ggmb4BqHieD+Xz3g0b
N/84lxiSg60mlyuEwOHcQMmlOxjYf2zliCqRptD/LlfITlmzGjds9BhLlkHIBR3I
kEejZluclYP0Dljd65DCTqY1z0c=
-----END CERTIFICATE-----

A JWK with the x5c would be

jwk = {
  e: 'AQAB',
  kid: 'z74stT3qQkZWDjWvTw1x2UVGyOb2Bu6QgmqqB8l2ABQ',
  kty: 'RSA',
  n: 'x2WwCF7ekBS2IQapfaVgWcdUewNdqO4FeYblVXlRFfYPqZl3SlNSavzq0IDbEtUnGN3Easehy6pgcVYecK0OoNNndUFdvkRyaKQtZIOweP6c534-OCcVtB0JkmGIvgE738rswVPkWsfOwC4py6-YGUwevVv_T6_bJj2xh691DNZh8_CnfFr7OPeBEKP7u4r721fCq_KEeVYLAQkzEAO35Wu08V_Dm4ETUpsBv0o69Q79m2qhr7oUO9LaomUUaNbrh48DlM6UHhfS3RZ4ih8IY5y5RbnFSuopw2dlQ_6CchDquP6Y0xXpgekIETcqilJnfJaXp1Urroye0yTRMlcN9w',
  x5c: ['MIIFUDCCAzigAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYExCzAJBgNVBAYTAkdCMRAwDgYDVQQIDAdFbmdsYW5kMRIwEAYDVQQKDAlBbGljZSBMdGQxKDAmBgNVBAsMH0FsaWNlIEx0ZCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxIjAgBgNVBAMMGUFsaWNlIEx0ZCBJbnRlcm1lZGlhdGUgQ0EwHhcNMTgwOTIxMTU1NTAwWhcNMTkxMDAxMTU1NTAwWjCBizELMAkGA1UEBhMCQ1oxDzANBgNVBAgMBlByYWd1ZTESMBAGA1UEBwwJU3RyYXNuaWNlMRAwDgYDVQQKDAdCb2IgTHRkMRQwEgYDVQQLDAtFbmdpbmVlcmluZzERMA8GA1UEAwwIY2xpZW50aWQxHDAaBgkqhkiG9w0BCQEWDXBhbnZhQGJvYi5sdGQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHZbAIXt6QFLYhBql9pWBZx1R7A12o7gV5huVVeVEV9g+pmXdKU1Jq/OrQgNsS1ScY3cRqx6HLqmBxVh5wrQ6g02d1QV2+RHJopC1kg7B4/pznfj44JxW0HQmSYYi+ATvfyuzBU+Rax87ALinLr5gZTB69W/9Pr9smPbGHr3UM1mHz8Kd8Wvs494EQo/u7ivvbV8Kr8oR5VgsBCTMQA7fla7TxX8ObgRNSmwG/Sjr1Dv2baqGvuhQ70tqiZRRo1uuHjwOUzpQeF9LdFniKHwhjnLlFucVK6inDZ2VD/oJyEOq4/pjTFemB6QgRNyqKUmd8lpenVSuujJ7TJNEyVw33AgMBAAGjgcUwgcIwCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwMwYJYIZIAYb4QgENBCYWJE9wZW5TU0wgR2VuZXJhdGVkIENsaWVudCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUoT7Nh2gJLqlru7QH7sSgxBaNcOswHwYDVR0jBBgwFoAU9aXgCTQVzkjeGVwlbmtKkYn5/rIwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDANBgkqhkiG9w0BAQsFAAOCAgEAqjXoNfaOG1Kxk9jOvrHfTNdgGdrpaudZH4gRU2044m8JvazUxhnWgk+n4mkjVD5CrNu7FWza3twt2nIR50GKWilg2fiBIPcH5RVYz7gdO3r2N1nWohx3P49bGEyyDwxR1aeM/O8w0gQ70AydoPPKggpef61MsLgYl+tiVqKx3VHO5A6hPScH26p56DOq28fjLZPnTskoXxn1IHB4Ea4fUC1x4gXDS38qvvcBVWmQWbeTm1dWEUsmRVp6D1jPAsikYjzb86lOzC0S7V6lX1QwAL4nxDsBpxx1JlKeNDk5sdr7mHQtODjq8w+Uo0EPmgGdTsCiBgPfWHRgYAs9HTFbC6FWeu+Bu2Nfuo8MAYCY2+FhGEwUHuUtYUR04V9F6+J4xmSsPZp46PNo4F2ugL4Nm81py3eDOq9WcuoN0iB8XqcjmFb3BvirpSzmNuP1FsqDj+QGN73W/seHylFMAGnsAaF3A3gBUFF26+xz7hSXLGbEhoR6FYBZKvLBQgS3zna6KbYdw0pqUBvrEJfrVXCQPy/Y1C3EnEhQqJDx9Rmw5qm6RpuCPga4pDzQPBLny+ggmb4BqHieD+Xz3g0bN/84lxiSg60mlyuEwOHcQMmlOxjYf2zliCqRptD/LlfITlmzGjds9BhLlkHIBR3IkEejZluclYP0Dljd65DCTqY1z0c=']
}

JWK.asKey(jwk)

// RSAKey {
//   'x5t#S256': '_gPMqAT8BELhXwBa2nIT0OvdWtQCiF_g09nAyHhgCe0',
//   e: 'AQAB',
//   kid: 'z74stT3qQkZWDjWvTw1x2UVGyOb2Bu6QgmqqB8l2ABQ',
//   kty: 'RSA',
//   n: 'x2WwCF7ekBS2IQapfaVgWcdUewNdqO4FeYblVXlRFfYPqZl3SlNSavzq0IDbEtUnGN3Easehy6pgcVYecK0OoNNndUFdvkRyaKQtZIOweP6c534-OCcVtB0JkmGIvgE738rswVPkWsfOwC4py6-YGUwevVv_T6_bJj2xh691DNZh8_CnfFr7OPeBEKP7u4r721fCq_KEeVYLAQkzEAO35Wu08V_Dm4ETUpsBv0o69Q79m2qhr7oUO9LaomUUaNbrh48DlM6UHhfS3RZ4ih8IY5y5RbnFSuopw2dlQ_6CchDquP6Y0xXpgekIETcqilJnfJaXp1Urroye0yTRMlcN9w',
//   x5c: [
//    'MIIFUDCCAzigAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYExCzAJBgNVBAYTAkdCMRAwDgYDVQQIDAdFbmdsYW5kMRIwEAYDVQQKDAlBbGljZSBMdGQxKDAmBgNVBAsMH0FsaWNlIEx0ZCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxIjAgBgNVBAMMGUFsaWNlIEx0ZCBJbnRlcm1lZGlhdGUgQ0EwHhcNMTgwOTIxMTU1NTAwWhcNMTkxMDAxMTU1NTAwWjCBizELMAkGA1UEBhMCQ1oxDzANBgNVBAgMBlByYWd1ZTESMBAGA1UEBwwJU3RyYXNuaWNlMRAwDgYDVQQKDAdCb2IgTHRkMRQwEgYDVQQLDAtFbmdpbmVlcmluZzERMA8GA1UEAwwIY2xpZW50aWQxHDAaBgkqhkiG9w0BCQEWDXBhbnZhQGJvYi5sdGQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHZbAIXt6QFLYhBql9pWBZx1R7A12o7gV5huVVeVEV9g+pmXdKU1Jq/OrQgNsS1ScY3cRqx6HLqmBxVh5wrQ6g02d1QV2+RHJopC1kg7B4/pznfj44JxW0HQmSYYi+ATvfyuzBU+Rax87ALinLr5gZTB69W/9Pr9smPbGHr3UM1mHz8Kd8Wvs494EQo/u7ivvbV8Kr8oR5VgsBCTMQA7fla7TxX8ObgRNSmwG/Sjr1Dv2baqGvuhQ70tqiZRRo1uuHjwOUzpQeF9LdFniKHwhjnLlFucVK6inDZ2VD/oJyEOq4/pjTFemB6QgRNyqKUmd8lpenVSuujJ7TJNEyVw33AgMBAAGjgcUwgcIwCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwMwYJYIZIAYb4QgENBCYWJE9wZW5TU0wgR2VuZXJhdGVkIENsaWVudCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUoT7Nh2gJLqlru7QH7sSgxBaNcOswHwYDVR0jBBgwFoAU9aXgCTQVzkjeGVwlbmtKkYn5/rIwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDANBgkqhkiG9w0BAQsFAAOCAgEAqjXoNfaOG1Kxk9jOvrHfTNdgGdrpaudZH4gRU2044m8JvazUxhnWgk+n4mkjVD5CrNu7FWza3twt2nIR50GKWilg2fiBIPcH5RVYz7gdO3r2N1nWohx3P49bGEyyDwxR1aeM/O8w0gQ70AydoPPKggpef61MsLgYl+tiVqKx3VHO5A6hPScH26p56DOq28fjLZPnTskoXxn1IHB4Ea4fUC1x4gXDS38qvvcBVWmQWbeTm1dWEUsmRVp6D1jPAsikYjzb86lOzC0S7V6lX1QwAL4nxDsBpxx1JlKeNDk5sdr7mHQtODjq8w+Uo0EPmgGdTsCiBgPfWHRgYAs9HTFbC6FWeu+Bu2Nfuo8MAYCY2+FhGEwUHuUtYUR04V9F6+J4xmSsPZp46PNo4F2ugL4Nm81py3eDOq9WcuoN0iB8XqcjmFb3BvirpSzmNuP1FsqDj+QGN73W/seHylFMAGnsAaF3A3gBUFF26+xz7hSXLGbEhoR6FYBZKvLBQgS3zna6KbYdw0pqUBvrEJfrVXCQPy/Y1C3EnEhQqJDx9Rmw5qm6RpuCPga4pDzQPBLny+ggmb4BqHieD+Xz3g0bN/// 84lxiSg60mlyuEwOHcQMmlOxjYf2zliCqRptD/LlfITlmzGjds9BhLlkHIBR3IkEejZluclYP0Dljd65DCTqY1z0c='
//   ],
//   x5t: 'qOf1YEg_zFLX0PtGjiEVvjM1WsU'
// }

This library however will not generate the certificate for your key.

[Zyclotrop-j]

To generate the certificate from a given key-pair:

// Dependencies
const { generateKeyPair, createPublicKey } = require('crypto'); // native
const jose = require('jose'); // this
const forge = require('node-forge'); // new dependency

// generate key-pair - if you have one, you can skip this
// You can also use this librarby to generate this for you
const awaitKeys = new Promise((res, rej) => generateKeyPair('rsa', { // generateKeyPair is native node 12
  modulusLength: 4096,
  publicExponent: 0x10001,
}, async (err, publicKey, privateKey) => {
  if(err) {
    return rej(err);
  }
  const keys = {
    // key-export options could be integrated into the key-pair generation call, but are included here for verbosity
    privateKey: privateKey.export({
    type: 'pkcs8',
      format: 'pem',
      cipher: 'aes-256-cbc',
      passphrase: keypassphrase
    }),
    publicKey:  publicKey.export({
      type: 'spki',
      format: 'pem'
    })
  };

  // Create certificate - below code from https://github.com/digitalbazaar/forge#x509
  const cert = forge.pki.createCertificate();
  // Add the public key from above to this certificate
  cert.publicKey = forge.pki.publicKeyFromPem(keys.publicKey);
  // Set certificate properties....
  cert.serialNumber = '01';
  cert.validity.notBefore = new Date();
  cert.validity.notAfter = new Date();
  cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 1);
  var attrs = [{
    name: 'commonName',
    value: 'example.org'
  }, {
    name: 'countryName',
    value: 'AU'
  }, {
    shortName: 'ST',
    value: 'ACT'
  }, {
    name: 'localityName',
    value: 'Canberra'
  }, {
    name: 'organizationName',
    value: 'Test'
  }, {
    shortName: 'OU',
    value: 'Test'
  }];
  cert.setSubject(attrs);
  cert.setIssuer(attrs);
  cert.setExtensions([{
    name: 'basicConstraints',
    cA: true
  }, {
    name: 'keyUsage',
    keyCertSign: true,
    digitalSignature: true,
    nonRepudiation: true,
    keyEncipherment: true,
    dataEncipherment: true
  }, {
    name: 'extKeyUsage',
    serverAuth: true,
    clientAuth: true,
    codeSigning: true,
    emailProtection: true,
    timeStamping: true
  }, {
    name: 'nsCertType',
    client: true,
    server: true,
    email: true,
    objsign: true,
    sslCA: true,
    emailCA: true,
    objCA: true
  }, {
    name: 'subjectAltName',
    altNames: [{
      type: 6, // URI
      value: 'http://example.org/webid#me'
    }, {
      type: 7, // IP
      ip: '127.0.0.1'
    }]
  }, {
    name: 'subjectKeyIdentifier'
  }]);
  // Self-sign the certificate with the private key (from above)
  cert.sign(forge.pki.decryptRsaPrivateKey(keys.privateKey, keypassphrase));

  const jwtsjson = jose.JWK.asKey({
    key: keys.privateKey, // import key to jose
    format: "pem",
    passphrase: keypassphrase,
  }, {
    alg: "RS256",
    use: "sig",
    x5c: cert_to_x5c(forge.pki.certificateToPem(cert)) // the magic important line! use the self-signed certificate as x5c
  }).toJWK();

 keys.jwks = {"keys": [jwtsjson]};
 keys.name = jwtsjson.kid;
  res(keys);
}));

// Helper
// taken from (MIT licensed):
// https://github.com/hildjj/node-posh/blob/master/lib/index.js
function cert_to_x5c (cert, maxdepth) {
  if (maxdepth == null) {
    maxdepth = 0;
  }
  /*
   * Convert a PEM-encoded certificate to the version used in the x5c element
   * of a [JSON Web Key](http://tools.ietf.org/html/draft-ietf-jose-json-web-key).
   *             
   * `cert` PEM-encoded certificate chain
   * `maxdepth` The maximum number of certificates to use from the chain.
   */

  cert = cert.replace(/-----[^\n]+\n?/gm, ',').replace(/\n/g, '');
  cert = cert.split(',').filter(function(c) {
    return c.length > 0;
  });
  if (maxdepth > 0) {
    cert = cert.splice(0, maxdepth);
  }
  return cert;
}

With this setup the (self-signed) certificate chain and fingerprint is included into the jwks.
Maybe this'll help someone comming across this :)