feat: keystore filtering by JWK Key thumbprint

panva · Jan 26, 2020 · a9f6f71 · a9f6f71
1 parent 9df7d9d
commit a9f6f71
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 1 deletion.
diff --git a/docs/README.md b/docs/README.md
@@ -680,6 +680,7 @@ specified by the parameters are first.
  - `crv`: `<string>` Key Curve to filter for. (for EC and OKP keys)
  - `alg`: `<string>` Key supported algorithm to filter for.
  - `kid`: `<string>` Key ID to filter for.
+ - `thumbprint`: `<string>` JWK Key thumbprint to filter for.
  - `use`: `<string>` Filter keys with the specified use defined. Keys missing "use" parameter will
  be matched but rank lower then ones with an exact match.
  - `key_ops`: `string[]` Filter keys with specified key_ops defined (if key_ops is defined on the
@@ -701,6 +702,7 @@ parameters is returned.
  - `crv`: `<string>` Key Curve to filter for. (for EC and OKP keys)
  - `alg`: `<string>` Key supported algorithm to filter for.
  - `kid`: `<string>` Key ID to filter for.
+ - `thumbprint`: `<string>` JWK Key thumbprint to filter for.
  - `use`: `<string>` Filter keys with the specified use defined. Keys missing "use" parameter will
  be matched but rank lower then ones with an exact match.
  - `key_ops`: `string[]` Filter keys with specified key_ops defined (if key_ops is defined on the

diff --git a/lib/jwks/keystore.js b/lib/jwks/keystore.js
@@ -51,7 +51,7 @@ class KeyStore {
  i(this).keys = new Set(keys)
  }
 
- all ({ alg, kid, use, kty, key_ops: ops, x5t, 'x5t#S256': x5t256, crv } = {}) {
+ all ({ alg, kid, thumbprint, use, kty, key_ops: ops, x5t, 'x5t#S256': x5t256, crv } = {}) {
  if (ops !== undefined && (!Array.isArray(ops) || !ops.length || ops.some(x => typeof x !== 'string'))) {
  throw new TypeError('`key_ops` must be a non-empty array of strings')
  }
@@ -65,6 +65,10 @@ class KeyStore {
  candidate = false
  }
 
+ if (candidate && thumbprint !== undefined && key.thumbprint !== thumbprint) {
+ candidate = false
+ }
+
  if (candidate && x5t !== undefined && key.x5t !== x5t) {
  candidate = false
  }

diff --git a/test/jwks/keystore.test.js b/test/jwks/keystore.test.js
@@ -169,6 +169,15 @@ test('.all() and .get() kid filter', t => {
  t.is(ks.get({ kid: 'foobar' }), k)
 })
 
+test('.all() and .get() thumbprint filter', t => {
+ const k = generateSync('RSA')
+ const ks = new KeyStore(k)
+ t.deepEqual(ks.all({ thumbprint: 'baz' }), [])
+ t.deepEqual(ks.all({ thumbprint: k.thumbprint }), [k])
+ t.is(ks.get({ thumbprint: 'baz' }), undefined)
+ t.is(ks.get({ thumbprint: k.thumbprint }), k)
+})
+
 test('.all() and .get() x5t filter and sort', t => {
  const k = asKey(withX5C)
  const ks = new KeyStore(k)

diff --git a/types/index.d.ts b/types/index.d.ts
@@ -193,6 +193,7 @@ export namespace JWKS {
  x5t?: string;
  'x5t#S256'?: string;
  crv?: string;
+ thumbprint?: string;
  }
 
  class KeyStore {