From eb432571ca6a872fd1a32f8d02860cdff1a613eb Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Tue, 28 Jul 2020 16:02:42 -0600
Subject: [PATCH] Bugfix jwk / kid mutually exclusive See https://git.rootprojects.org/root/greenlock-express.js/issues/38
---
 package-lock.json | 18 +++++++++---------
 package.json | 4 ++--
 utils.js | 11 ++++++-----
 3 files changed, 17 insertions(+), 16 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 33611a5..93e2e21 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -28,9 +28,9 @@ "integrity": "sha512-OaEub02ufoU038gy6bsNHQOjIn8nUjGiLcaRmJ40IUykneJkIW5fxDqKxQx48cszuNflYldsJLPPXCrGfHs8yQ==" }, "@root/keypairs": { - "version": "0.9.0", - "resolved": "https://registry.npmjs.org/@root/keypairs/-/keypairs-0.9.0.tgz", - "integrity": "sha512-NXE2L9Gv7r3iC4kB/gTPZE1vO9Ox/p14zDzAJ5cGpTpytbWOlWF7QoHSJbtVX4H7mRG/Hp7HR3jWdWdb2xaaXg==", + "version": "0.10.0", + "resolved": "https://registry.npmjs.org/@root/keypairs/-/keypairs-0.10.0.tgz", + "integrity": "sha512-t8VocY46Mtb0NTsxzyLLf5tsgfw0BXLYVADAyiRdEdqHcvPFGJdjkXNtHVQuSV/FMaC65iTOHVP4E6X8iT3Ikg==", "requires": { "@root/encoding": "^1.0.1", "@root/pem": "^1.0.4",
@@ -43,9 +43,9 @@ "integrity": "sha512-rEUDiUsHtild8GfIjFE9wXtcVxeS+ehCJQBwbQQ3IVfORKHK93CFnRtkr69R75lZFjcmKYVc+AXDB+AeRFOULA==" }, "@root/request": { - "version": "1.3.11", - "resolved": "https://registry.npmjs.org/@root/request/-/request-1.3.11.tgz", - "integrity": "sha512-3a4Eeghcjsfe6zh7EJ+ni1l8OK9Fz2wL1OjP4UCa0YdvtH39kdXB9RGWuzyNv7dZi0+Ffkc83KfH0WbPMiuJFw==" + "version": "1.6.1", + "resolved": "https://registry.npmjs.org/@root/request/-/request-1.6.1.tgz", + "integrity": "sha512-8wrWyeBLRp7T8J36GkT3RODJ6zYmL0/maWlAUD5LOXT28D3TDquUepyYDKYANNA3Gc8R5ZCgf+AXvSTYpJEWwQ==" }, "@root/x509": { "version": "0.7.2",
@@ -152,9 +152,9 @@ "dev": true }, "glob": { - "version": "7.1.5", - "resolved": "https://registry.npmjs.org/glob/-/glob-7.1.5.tgz", - "integrity": "sha512-J9dlskqUXK1OeTOYBEn5s8aMukWMwWfs+rPTn/jn50Ux4MNXVhubL1wu/j2t+H4NVI+cXEcCaYellqaPVGXNqQ==", + "version": "7.1.6", + "resolved": "https://registry.npmjs.org/glob/-/glob-7.1.6.tgz", + "integrity": "sha512-LwaxwyZ72Lk7vZINtNNrywX0ZuLyStrdDtabefZKAY5ZGJhVtgdznluResxNmPitE0SAO+O26sWTHeKSI2wMBA==", "dev": true, "requires": { "fs.realpath": "^1.0.0",
diff --git a/package.json b/package.json
index bfdc53a..3e1377d 100644
--- a/package.json
+++ b/package.json
@@ -44,9 +44,9 @@
 "dependencies": {
 "@root/csr": "^0.8.1",
 "@root/encoding": "^1.0.1",
- "@root/keypairs": "^0.9.0",
+ "@root/keypairs": "^0.10.0",
 "@root/pem": "^1.0.4",
- "@root/request": "^1.3.11",
+ "@root/request": "^1.6.1",
 "@root/x509": "^0.7.2"
 },
 "devDependencies": {
diff --git a/utils.js b/utils.js
index 806fed5..5c0d1bc 100644
--- a/utils.js
+++ b/utils.js
@@ -11,11 +11,12 @@ U._jwsRequest = function (me, bigopts) {
 bigopts.protected.nonce = nonce;
 bigopts.protected.url = bigopts.url;
 // protected.alg: added by Keypairs.signJws
- if (!bigopts.protected.jwk) {
- // protected.kid must be overwritten due to ACME's interpretation of the spec
- if (!('kid' in bigopts.protected)) {
- bigopts.protected.kid = bigopts.kid;
- }
+ if (bigopts.protected.jwk) {
+ bigopts.protected.kid = false;
+ } else if (!('kid' in bigopts.protected)) {
+ // protected.kid must be provided according to ACME's interpretation of the spec
+ // (using the provided URL rather than the Key's Thumbprint as Key ID)
+ bigopts.protected.kid = bigopts.kid;
 }
 // this will shasum the thumbprint the 2nd time
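Review bot: The new `bigopts.protected.kid = false;` line in utils.js relies on an undocumented sentinel: nothing in the hunk says that `false` makes `Keypairs.signJws` leave `kid` out of the protected header, and if it were serialised as-is the request would carry both `jwk` and `kid`, which RFC 8555 section 6.2 requires the server to reject. That handling presumably arrives with the `@root/keypairs` bump to `^0.10.0` in this same commit, so the coupling deserves a comment on that line, for example `// jwk and kid are mutually exclusive (RFC 8555 6.2); false asks Keypairs.signJws to omit kid rather than derive one`. The `else if` branch also copies `bigopts.kid` without checking that it is set, so a caller with neither a `jwk` nor an account URL would likely learn of it only from the server's rejection; a guard such as `if (!bigopts.protected.jwk && !bigopts.protected.kid) { throw new Error('jws request needs protected.jwk or kid'); }` after the branch would fail earlier. `U._jwsRequest` starts and ends outside the hunk, so how `signJws` consumes the header is not visible here.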