Update documentation and add tests

hieuk09 · hieuk09 · commit 431b524560cf · 2025-04-08T21:38:26.000+08:00
diff --git a/README.md b/README.md
@@ -647,24 +647,6 @@ rescue JWT::DecodeError
 end
 ```
 
-### X.509 certificate thumbprint in x5t header
-
-A JWT signature can be verified using a certificate thumbprint given in the `x5t` or `x5t#S256` header.
-The thumbprint is a base64url-encoded SHA-1 (or SHA256) hash of the DER encoding of an X.509 certificate.
-The verification process involves matching this thumbprint against a set of trusted certificates.
-
-```ruby
-# Load your trusted certificates
-certificates = [OpenSSL::X509::Certificate.new(File.read('cert.pem'))]
-
-# Decode a JWT with x5t verification
-begin
-  JWT.decode(token, nil, true, { x5t: { certificates: certificates } })
-rescue JWT::DecodeError
-  # Handle error, e.g. no certificate matches the x5t thumbprint
-end
-```
-
 ## JSON Web Key (JWK)
 
 JWK is a JSON structure representing a cryptographic key. This gem currently supports RSA, EC, OKP and HMAC keys. OKP support requires [RbNaCl](https://github.com/RubyCrypto/rbnacl) and currently only supports the Ed25519 curve.
@@ -692,13 +674,14 @@ algorithms = jwks.map { |key| key[:alg] }.compact.uniq
 JWT.decode(token, nil, true, algorithms: algorithms, jwks: jwks)
 ```
 
-The `jwks` option can also be given as a lambda that evaluates every time a kid is resolved.
+The `jwks` option can also be given as a lambda that evaluates every time a key identifier is resolved.
 This can be used to implement caching of remotely fetched JWK Sets.
 
-If the requested `kid` is not found from the given set the loader will be called a second time with the `kid_not_found` option set to `true`.
+Key identifiers can be specified using `kid`, `x5t` or `x5c` header parameters.
+If the requested identifier is not found from the given set the loader will be called a second time with the `kid_not_found` option set to `true`.
 The application can choose to implement some kind of JWK cache invalidation or other mechanism to handle such cases.
 
-Tokens without a specified `kid` are rejected by default.
+Tokens without a specified key identifier (`kid`, `x5t` or `x5c`) are rejected by default.
 This behaviour may be overwritten by setting the `allow_nil_kid` option for `decode` to `true`.
 
 ```ruby
diff --git a/spec/jwt/jwk/rsa_spec.rb b/spec/jwt/jwk/rsa_spec.rb
@@ -67,6 +67,26 @@
         expect(subject).to include(:kty, :n, :e, :kid, :d, :p, :q, :dp, :dq, :qi)
       end
     end
+
+    context 'when x5c option is requested' do
+      subject { described_class.new(keypair).export(x5c: true) }
+      let(:keypair) { rsa_key }
+      it 'returns a hash with x5c certificate chain' do
+        expect(subject).to be_a Hash
+        expect(subject).to include(:kty, :n, :e, :kid, :x5c)
+        expect(subject[:x5c]).to be_a String
+      end
+    end
+
+    context 'when x5t option is requested' do
+      subject { described_class.new(keypair).export(x5t: true) }
+      let(:keypair) { rsa_key }
+      it 'returns a hash with x5t thumbprint' do
+        expect(subject).to be_a Hash
+        expect(subject).to include(:kty, :n, :e, :kid, :x5t)
+        expect(subject[:x5t]).to be_a String
+      end
+    end
   end
 
   describe '.kid' do
