Commit addca399 authored by Jamie Tanna

Blogument generating a JWK Thumbprint with Ruby

As I prefer to use Ruby for CLI tooling.

Plus update existing post with a link to this one.
parent 10d8b03b
Pipeline #152317993 passed with stages
in 11 minutes and 58 seconds
......@@ -18,4 +18,4 @@ In the spirit of [Blogumentation]({{< ref 2017-06-25-blogumentation >}}), I want
As of writing, we are using v2 of the Open Banking Directory, which is [documented on Open Banking's Confluence space](https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1150124033/Directory+2.0+Technical+Overview+v1.3). We see that there is a JWK Structure section, which notes that the `kid` is `The SHA-1 hash of the JWK Fingerprint`.
This JWK fingerprint is defined in [RFC7638: JSON Web Key (JWK) Thumbprint](https://tools.ietf.org/html/rfc7638), and as it is a well-defined standard, you should be able to find library support for it, [such as Nimbus for Java](https://connect2id.com/products/nimbus-jose-jwt/examples/jwk-thumbprints), or [using node-jose on Node projects]({{< ref 2020-06-02-jwk-thumprint-node >}})
This JWK fingerprint is defined in [RFC7638: JSON Web Key (JWK) Thumbprint](https://tools.ietf.org/html/rfc7638), and as it is a well-defined standard, you should be able to find library support for it, [such as Nimbus for Java](https://connect2id.com/products/nimbus-jose-jwt/examples/jwk-thumbprints), [using node-jose on Node projects]({{< ref 2020-06-02-jwk-thumprint-node >}}) or [json-jwt with Ruby]({{< ref 2020-06-03-jwk-thumbprint-ruby >}}).
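Review bot: In the replacement line the carried-over ref is still spelled `2020-06-02-jwk-thumprint-node`, while the ref added next to it is `2020-06-03-jwk-thumbprint-ruby`. If the Node post's filename is a typo, rename it (keeping an alias for the old URL) so the two slugs are consistent; if it is intentional, no change is needed here.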
---
title: "Generating JWK Thumbprints with Ruby"
description: "How to generate JWK thumbprints with Ruby."
tags:
- blogumentation
- ruby
- jwk
license_code: Apache-2.0
license_prose: CC-BY-NC-SA-4.0
date: 2020-06-03T09:00:07+0100
slug: "jwk-thumbprint-ruby"
---
As mentioned in [_How are Open Banking Key Ids (`kid`) Generated?_]({{< ref 2020-06-02-open-banking-key-id >}}), Open Banking use the JWK thumbprints as defined by [RFC7638: JSON Web Key (JWK) Thumbprint](https://tools.ietf.org/html/rfc7638).
But these may be used in other circumstances, so it's worth knowing how to generate them. Instead of hand-rolling the generation process, we can re-use the excellent [json-jwt](https://github.com/nov/json-jwt):
```ruby
require 'json/jwt'
def read_key(fname)
f = File.read fname
begin
return OpenSSL::PKey::RSA.new(f)
rescue Exception
# ignore
end
begin
return OpenSSL::PKey::EC.new(f)
rescue Exception
# ignore
end
end
hash = ARGV[1] || 'sha256'
key = read_key(ARGV[0])
key = key.public_key unless key.public?
jwk = JSON::JWK.new(key)
puts jwk.thumbprint(hash)
```
This allows us to run the following:
```sh
ruby thumb.rb path/to/private.pem # works with private key or public key
ruby thumb.rb path/to/public.pem # to use default hash algorithm
ruby thumb.rb path/to/public.pem SHA-1 # to specify our own
```
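Review bot: `read_key` returns nil when the file parses as neither RSA nor EC, so the script then fails at `key.public?` with a NoMethodError instead of a message about the key file; raise an explicit error after the second attempt. Both `rescue Exception` clauses also swallow everything, including interrupts, where rescuing `OpenSSL::PKey::PKeyError` would be enough. The usage block passes `SHA-1` while the script's default is `'sha256'`, so the post should say which digest names are accepted.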