We're encoding the certificate thumbprint which is already encoded. This is the same issue identified in wso2/product-is#14899. Need to port the IAM fix to the APIM side.
Thanks,
Methma
Steps to Reproduce
Below are my WSO2 APIM 4.2.0 certificate fingerprints in the keystore:
Alias name: wso2carbon
Creation date: Feb 22, 2023
Entry type: trustedCertEntry
Owner: CN=localhost, OU=WSO2, O=WSO2, L=Mountain View, ST=CA, C=US
Issuer: CN=localhost, OU=WSO2, O=WSO2, L=Mountain View, ST=CA, C=US
Serial number: 63f65a03
Valid from: Wed Feb 22 23:38:03 IST 2023 until: Tue May 27 23:38:03 IST 2025
Certificate fingerprints:
MD5: 44:CA:B5:1B:F3:48:DE:D0:B6:FB:21:79:D7:7B:55:4E
SHA1: 81:7C:FA:10:C0:38:E0:F2:02:C9:BA:26:B4:AA:6E:8B:2F:E1:5A:7A
SHA256: 1B:24:29:B1:6E:F5:83:01:B7:4F:F1:62:53:65:5A:E8:55:37:E3:A5:BF:D1:59:08:5A:5A:8E:23:E5:A3:B2:2A
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
So now, when we compare the SHA256 fingerprint in my keystore with the x5t#S256 field of the JWKS:
I take the SHA256 fingerprint, remove the ":" and convert it to lowercase:
SHA256: 1b2429b16ef58301b74ff16253655ae85537e3a5bfd159085a5a8e23e5a3b22a
Then, if I base64 encode it twice, I get the same value as the x5t#S256 value in the JWKS.
This is the x5t#S256 value from the JWKS:
"x5t#S256":"TVdJeU5ESTVZakUyWldZMU9ETXdNV0kzTkdabU1UWXlOVE0yTlRWaFpUZzFOVE0zWlROaE5XSm1aREUxT1RBNE5XRTFZVGhsTWpObE5XRXpZakl5WVE",
And this is the value of the SHA256 fingerprint encoded twice:
"TVdJeU5ESTVZakUyWldZMU9ETXdNV0kzTkdabU1UWXlOVE0yTlRWaFpUZzFOVE0zWlROaE5XSm1aREUxT1RBNE5XRTFZVGhsTWpObE5XRXpZakl5WVE="
Affected Component
APIM
Version
4.2.0
Environment Details (with versions)
No response
Relevant Log Output
No response
Related Issues
No response
Suggested Labels
No response
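An added example, not part of the original issue or of WSO2's code: a Python check that tells a JWKS `x5t#S256` in the form RFC 7515 defines (base64url, without padding, of the raw 32-byte SHA-256 digest of the DER certificate) apart from the double-encoded form reported above. The function names are hypothetical; the two constants are copied from the issue.

```python
import base64
import re

# Values copied from the issue above.
KEYSTORE_SHA256 = "1B:24:29:B1:6E:F5:83:01:B7:4F:F1:62:53:65:5A:E8:55:37:E3:A5:BF:D1:59:08:5A:5A:8E:23:E5:A3:B2:2A"
JWKS_X5T_S256 = "TVdJeU5ESTVZakUyWldZMU9ETXdNV0kzTkdabU1UWXlOVE0yTlRWaFpUZzFOVE0zWlROaE5XSm1aREUxT1RBNE5XRTFZVGhsTWpObE5XRXpZakl5WVE"


def b64url_nopad(data: bytes) -> str:
    """base64url without '=' padding, as JOSE header/JWK members use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Decode base64url, restoring the padding JOSE strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def expected_x5t_s256(fingerprint: str) -> str:
    """Correct x5t#S256 for a keytool-style SHA256 fingerprint (hex, ':' optional)."""
    digest = bytes.fromhex(fingerprint.replace(":", ""))
    if len(digest) != 32:
        raise ValueError("SHA-256 fingerprint must be 32 bytes")
    return b64url_nopad(digest)


def double_encoded_x5t_s256(fingerprint: str) -> str:
    """Reproduce the reported bug: base64 of base64 of the lowercase hex text."""
    hex_text = fingerprint.replace(":", "").lower().encode("ascii")
    return b64url_nopad(b64url_nopad(hex_text).encode("ascii"))


def inspect_x5t_s256(value: str):
    """Return (status, digest_hex) for an x5t#S256 value taken from a JWKS."""
    try:
        outer = b64url_decode(value)
        if len(outer) == 32:  # raw digest: the form RFC 7515 expects
            return "ok", outer.hex()
        # Otherwise peel a second base64 layer and look for hex text.
        inner = b64url_decode(outer.decode("ascii")).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return "invalid", None
    if re.fullmatch(r"[0-9a-fA-F]{64}", inner):
        return "double-encoded-hex", inner.lower()
    return "invalid", None


if __name__ == "__main__":
    print("JWKS value:", inspect_x5t_s256(JWKS_X5T_S256))
    print("expected  :", expected_x5t_s256(KEYSTORE_SHA256))
```

A client that checks `x5t#S256` against the certificate it holds will compute the 43-character form and will not match the 115-character value the JWKS endpoint returns here.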