JWT Certificate Thumbprint Confirmation Method

Need some information on the below, if anyone has implemented it: how do you generate the x5t#S256 value within Apigee?

https://datatracker.ietf.org/doc/html/rfc8705#section-3.1

To represent the hash of a certificate in a JWT, this specification defines the new JWT Confirmation Method [RFC7800] member "x5t#S256" for the X.509 Certificate SHA-256 Thumbprint. The value of the "x5t#S256" member is a base64url-encoded [RFC4648] SHA-256 [SHS] hash (a.k.a., thumbprint, fingerprint, or digest) of the DER encoding [X690] of the X.509 certificate [RFC5280]. The base64url-encoded value MUST omit all trailing pad '=' characters and MUST NOT include any line breaks, whitespace, or other additional characters.

Is it just extracting the certificate thumbprint, base64url-encoding it and omitting the trailing pad and any line breaks or whitespace, or is there anything more to it?

Any reference?

Thanks.

ACCEPTED SOLUTION

Was able to figure it out.

Just FYI: maybe the below will help. General command-line way:

echo "<<Place SHA256 thumbprint of cert>>" |xxd -r -p | openssl enc -a | tr -d '=' | tr '/+' '_-'

Java (snippet):

import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Base64;

// cert is an X509Certificate; getInstance/getEncoded throw checked NoSuchAlgorithmException / CertificateEncodingException
MessageDigest sha256 = MessageDigest.getInstance("SHA-256"); // Use a SHA-256 MessageDigest instance
byte[] x5tS256 = sha256.digest(cert.getEncoded()); // Hash the bytes of the entire DER-encoded certificate
String encodedx5tS256 = Base64.getUrlEncoder().withoutPadding().encodeToString(x5tS256); // base64url, no '=' padding

Once you have the value, you can use it in the "x5t#S256" confirmation method member while generating the JWT with the Apigee JWT policies.
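As an added worked example (not from the original post and not Apigee code), the same computation in Python together with the receiving-side check a resource server performs: derive the thumbprint from DER (or from PEM), verify that a received x5t#S256 value is well-formed per RFC 8705 (43 base64url characters, no padding, no whitespace), and compare it in constant time against the certificate actually presented on the mTLS connection. SAMPLE_DER is constructed placeholder bytes, not a real certificate.

```python
import base64
import hashlib
import hmac

# Constructed sample input: stands in for the DER bytes of an X.509 certificate.
# It is NOT a real certificate; in practice pass the real DER (cert.getEncoded()
# in Java, or the PEM body decoded with pem_to_der below).
SAMPLE_DER = bytes(range(256))


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body to DER."""
    body = "".join(
        line.strip() for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body)


def x5t_s256(der: bytes) -> str:
    """RFC 8705 x5t#S256: base64url(SHA-256(DER)) with trailing '=' padding removed."""
    digest = hashlib.sha256(der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def is_well_formed_x5t(value: str) -> bool:
    """A compliant value is exactly 43 base64url chars: no '=', whitespace or line breaks."""
    allowed = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")
    return len(value) == 43 and all(c in allowed for c in value)


def cnf_matches(cnf: dict, presented_der: bytes) -> bool:
    """Resource-server check: does the token's cnf bind to the presented mTLS client cert?"""
    claimed = cnf.get("x5t#S256")
    if not isinstance(claimed, str) or not is_well_formed_x5t(claimed):
        return False  # padded, whitespace-laden or missing values are rejected, not normalised
    expected = x5t_s256(presented_der)
    return hmac.compare_digest(claimed.encode("ascii"), expected.encode("ascii"))


if __name__ == "__main__":
    thumb = x5t_s256(SAMPLE_DER)
    print({"cnf": {"x5t#S256": thumb}})                        # value to place in the JWT
    print(cnf_matches({"x5t#S256": thumb}, SAMPLE_DER))        # True
    print(cnf_matches({"x5t#S256": thumb + "="}, SAMPLE_DER))  # False: padding is non-compliant
```

The shell pipeline in the post is equivalent to x5t_s256 when fed the hex SHA-256 digest of the DER; this version starts from the DER itself so the digest and the encoding come from one place.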
