Handle x5t using JWK key finder

hieuk09 · hieuk09 · commit 323ffc1ee852 · 2025-04-08T21:29:08.000+08:00
diff --git a/lib/jwt/base64.rb b/lib/jwt/base64.rb
@@ -13,6 +13,12 @@ def url_encode(str)
         ::Base64.urlsafe_encode64(str, padding: false)
       end
 
+      # Encode a string with Base64 complying with RFC 4648 (padded).
+      # @api private
+      def strict_encode(str)
+        ::Base64.strict_encode64(str)
+      end
+
       # Decode a string with URL-safe Base64 complying with RFC 4648.
       # @api private
       def url_decode(str)
diff --git a/lib/jwt/decode.rb b/lib/jwt/decode.rb
@@ -2,7 +2,6 @@
 
 require 'json'
 require 'jwt/x5c_key_finder'
-require 'jwt/x5t_key_finder'
 
 module JWT
   # The Decode class is responsible for decoding and verifying JWT tokens.
@@ -61,13 +60,11 @@ def verify_algo
 
     def set_key
       @key = find_key(&@keyfinder) if @keyfinder
-      @key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks], allow_nil_kid: @options[:allow_nil_kid]).key_for(token.header['kid']) if @options[:jwks]
+      @key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks], allow_nil_kid: @options[:allow_nil_kid]).call(token) if @options[:jwks]
 
-      if (x5c_options = @options[:x5c])
-        @key = X5cKeyFinder.new(x5c_options[:root_certificates], x5c_options[:crls]).from(token.header['x5c'])
-      elsif (x5t_options = @options[:x5t])
-        @key = X5tKeyFinder.new(x5t_options[:certificates]).from(token.header)
-      end
+      return unless (x5c_options = @options[:x5c])
+
+      @key = X5cKeyFinder.new(x5c_options[:root_certificates], x5c_options[:crls]).from(token.header['x5c'])
     end
 
     def allowed_and_valid_algorithms
diff --git a/lib/jwt/jwk/key_finder.rb b/lib/jwt/jwk/key_finder.rb
@@ -22,11 +22,10 @@ def initialize(options)
 
       # Returns the verification key for the given kid
       # @param [String] kid the key id
-      def key_for(kid)
-        raise ::JWT::DecodeError, 'No key id (kid) found from token headers' unless kid || @allow_nil_kid
-        raise ::JWT::DecodeError, 'Invalid type for kid header parameter' unless kid.nil? || kid.is_a?(String)
+      def key_for(kid, key_field = :kid)
+        raise ::JWT::DecodeError, "Invalid type for #{key_field} header parameter" unless kid.nil? || kid.is_a?(String)
 
-        jwk = resolve_key(kid)
+        jwk = resolve_key(kid, key_field)
 
         raise ::JWT::DecodeError, 'No keys found in jwks' unless @jwks.any?
         raise ::JWT::DecodeError, "Could not find public key for kid #{kid}" unless jwk
@@ -37,22 +36,36 @@ def key_for(kid)
       # Returns the key for the given token
       # @param [JWT::EncodedToken] token the token
       def call(token)
-        key_for(token.header['kid'])
+        kid = token.header['kid']
+        x5t = token.header['x5t']
+        x5c = token.header['x5c']
+
+        if kid
+          key_for(kid, :kid)
+        elsif x5t
+          key_for(x5t, :x5t)
+        elsif x5c
+          key_for(x5c, :x5c)
+        elsif @allow_nil_kid
+          key_for(kid)
+        else
+          raise ::JWT::DecodeError, 'No key id (kid) or x5t found from token headers'
+        end
       end
 
       private
 
-      def resolve_key(kid)
-        key_matcher = ->(key) { (kid.nil? && @allow_nil_kid) || key[:kid] == kid }
+      def resolve_key(kid, key_field)
+        key_matcher = ->(key) { (kid.nil? && @allow_nil_kid) || key[key_field] == kid }
 
         # First try without invalidation to facilitate application caching
-        @jwks ||= JWT::JWK::Set.new(@jwks_loader.call(kid: kid))
+        @jwks ||= JWT::JWK::Set.new(@jwks_loader.call(key_field => kid))
         jwk = @jwks.find { |key| key_matcher.call(key) }
 
         return jwk if jwk
 
         # Second try, invalidate for backwards compatibility
-        @jwks = JWT::JWK::Set.new(@jwks_loader.call(invalidate: true, kid_not_found: true, kid: kid))
+        @jwks = JWT::JWK::Set.new(@jwks_loader.call(invalidate: true, kid_not_found: true, key_field => kid))
         @jwks.find { |key| key_matcher.call(key) }
       end
     end
diff --git a/lib/jwt/jwk/rsa.rb b/lib/jwt/jwk/rsa.rb
@@ -51,6 +51,10 @@ def verify_key
       def export(options = {})
         exported = parameters.clone
         exported.reject! { |k, _| RSA_PRIVATE_KEY_ELEMENTS.include? k } unless private? && options[:include_private] == true
+
+        exported[:x5c] = Base64.strict_encode(rsa_key.to_der) if options[:x5c]
+        exported[:x5t] = Base64.url_encode(OpenSSL::Digest::SHA1.new(rsa_key.to_der).digest) if options[:x5t]
+
         exported
       end
 
@@ -67,7 +71,7 @@ def key_digest
       def []=(key, value)
         raise ArgumentError, 'cannot overwrite cryptographic key attributes' if RSA_KEY_ELEMENTS.include?(key.to_sym)
 
-        super(key, value)
+        super
       end
 
       private
diff --git a/lib/jwt/x5t_key_finder.rb b/lib/jwt/x5t_key_finder.rb
diff --git a/spec/jwt/jwk/decode_with_jwk_spec.rb b/spec/jwt/jwk/decode_with_jwk_spec.rb
@@ -4,7 +4,8 @@
   describe '.decode for JWK usecase' do
     let(:keypair)       { test_pkey('rsa-2048-private.pem') }
     let(:jwk)           { JWT::JWK.new(keypair) }
-    let(:public_jwks) { { keys: [jwk.export, { kid: 'not_the_correct_one', kty: 'oct', k: 'secret' }] } }
+    let(:valid_key)     { jwk.export }
+    let(:public_jwks) { { keys: [valid_key, { kid: 'not_the_correct_one', kty: 'oct', k: 'secret' }] } }
     let(:token_payload) { { 'data' => 'something' } }
     let(:token_headers) { { kid: jwk.kid } }
     let(:algorithm)     { 'RS512' }
@@ -38,6 +39,24 @@
         end
       end
 
+      context 'and x5t is in the set' do
+        let(:valid_key) { jwk.export(x5t: true) }
+        let(:token_headers) { { x5t: Base64.urlsafe_encode64(OpenSSL::Digest::SHA1.new(keypair.to_der).digest, padding: false) } }
+        it 'is able to decode the token' do
+          payload, _header = described_class.decode(signed_token, nil, true, { algorithms: [algorithm], jwks: public_jwks })
+          expect(payload).to eq(token_payload)
+        end
+      end
+
+      context 'and x5c is in the set' do
+        let(:valid_key) { jwk.export(x5c: true) }
+        let(:token_headers) { { x5c: Base64.strict_encode64(keypair.to_der) } }
+        it 'is able to decode the token' do
+          payload, _header = described_class.decode(signed_token, nil, true, { algorithms: [algorithm], jwks: public_jwks })
+          expect(payload).to eq(token_payload)
+        end
+      end
+
       context 'no keys are found in the set' do
         let(:public_jwks) { { keys: [] } }
         it 'raises an exception' do
@@ -51,7 +70,7 @@
         let(:token_headers) { {} }
         it 'raises an exception' do
           expect { described_class.decode(signed_token, nil, true, { algorithms: [algorithm], jwks: public_jwks }) }.to raise_error(
-            JWT::DecodeError, 'No key id (kid) found from token headers'
+            JWT::DecodeError, 'No key id (kid) or x5t found from token headers'
           )
         end
       end
diff --git a/spec/jwt/x5t_key_finder_spec.rb b/spec/jwt/x5t_key_finder_spec.rb
