Generate JWKS file

Change-type: minor

Author: joshbwlng

Dockerfile

@@ -15,7 +15,7 @@ WORKDIR /etc/letsencrypt
 
 COPY entry.sh /usr/local/bin/
 
-COPY _keyid.js *.json /opt/
+COPY _jwks.js _keyid.js *.json /opt/
 
 ENTRYPOINT ["/bin/bash"]
 

_jwks.js

@@ -0,0 +1,33 @@
+const crypto = require('crypto');
+const fs = require('fs');
+
+// Read in required cert files
+const base = process.argv[2];
+const pem = fs.readFileSync(`${base}.pem`, 'utf8');
+const key = fs.readFileSync(`${base}.key`, 'utf8');
+const kid = fs.readFileSync(`${base}.kid`, 'utf8').trim();
+
+// Generate jwk from pem
+const privateKey = crypto.createPrivateKey(key);
+const jwk = privateKey.export({ format: 'jwk' });
+
+// Generate x5t thumbprint from pem
+const x509 = new crypto.X509Certificate(pem);
+const sha1hash = crypto.createHash('sha1').update(x509.raw).digest();
+const x5t = sha1hash.toString('base64url');
+
+// Remove unnecessary private 'd' property
+if (jwk.d) {
+	delete jwk.d;
+}
+
+// Output result
+process.stdout.write(JSON.stringify({
+	keys: [{
+		...jwk,
+		use: 'sig',
+		alg: 'ES256',
+		kid,
+		x5t,
+	}],
+}, null, 2));

entry.sh

@@ -102,6 +102,12 @@ function compute_api_kid {
 			"${CERTS}/private/api.${tld}.der" \
 			>"${CERTS}/private/api.${tld}.kid"
 	fi
+
+	if [[ -s "${CERTS}/private/api.${tld}.pem" && -s "${CERTS}/private/api.${tld}.key" && -s "${CERTS}/private/api.${tld}.kid" ]]; then
+		node --no-deprecation /opt/_jwks.js \
+			"${CERTS}/private/api.${tld}" \
+			>"${CERTS}/private/api.${tld}.jwks.json"
+	fi
 }
 
 function generate_vpn_dhparams {