From 016d87b8393730146fdb1426de9be0142662ee59 Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Tue, 28 Jul 2020 15:44:03 -0600
Subject: [PATCH] Bugfixed protected.{kid,jwk} logic.

See https://git.rootprojects.org/root/greenlock-express.js/issues/38

---
 keypairs.js | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/keypairs.js b/keypairs.js
index dcad854..9775a61 100644
--- a/keypairs.js
+++ b/keypairs.js
@@ -218,7 +218,7 @@ Keypairs.signJwt = function (opts) {
 var claims = JSON.parse(JSON.stringify(opts.claims || {}));
 
 header.typ = 'JWT';
- if (!header.kid && false !== header.kid) {
+ if (!header.kid && !header.jwk && false !== header.kid) {
 header.kid = thumb;
 }
 if (!header.alg && opts.alg) {
@@ -294,11 +294,15 @@ Keypairs.signJws = function (opts) {
 if (!protect.alg) {
 protect.alg = alg();
 }
+
 // There's a particular request where ACME / Let's Encrypt explicitly doesn't use a kid
- if (false === protect.kid) {
- protect.kid = undefined;
- } else if (!protect.kid) {
- protect.kid = thumb;
+ // There should be a kid unless it's `false` or there's a `jwk` (a self-signed JWS)
+ if (!protect.kid) {
+ if (false === protect.kid) {
+ protect.kid = undefined;
+ } else if (!protect.jwk) {
+ protect.kid = thumb;
+ }
 }
 protectedHeader = JSON.stringify(protect);
 }
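Review bot: The new `if (!protect.kid)` block in signJws only stops the thumbprint from being auto-filled when a `jwk` is present; a caller that passes both `kid` and `jwk` still gets both serialized into the protected header on the `JSON.stringify(protect)` line. In ACME (RFC 8555 §6.2) the two are mutually exclusive and servers reject a request carrying both, so this is a silent way to produce an always-rejected JWS. I would fail fast before the `if`, e.g. `if (protect.kid && protect.jwk) { throw new Error("protected header must not carry both 'kid' and 'jwk'"); }`, and the same guard applies to the `header.kid`/`header.jwk` branch in signJwt. Note also that `!protect.jwk` treats an empty object as "jwk present", so `jwk: {}` yields a header with neither field; whether that can reach this code is not visible here. The enclosing signJws function starts before this hunk and appears to continue past it.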