Fix bug in self signed JWT creation. The header must contain the cert thumbprint. The jwt-simple lib doesn't provide a way to do that. Switching to customer implementation.

Author: RandalliLama

lib/self-signed-jwt.js

@@ -20,33 +20,58 @@
  */
 'use strict';
 
-require('date-utils');
 var jwtConstants = require('./constants').Jwt;
-var jwt = require('jwt-simple');
 var Logger = require('./log').Logger;
+var util = require('./util');
+
+var crypto = require('crypto');
+require('date-utils');
+var uuid = require('node-uuid');
 
-function SelfSignedJwt(callContext, authority, clientId, certificate) {
+function SelfSignedJwt(callContext, authority, clientId) {
   this._log = new Logger('SelfSignedJwt', callContext._logContext);
   this._callContext = callContext;
 
   this._tokenEndpoint = authority.tokenEndpoint;
-  this._certificate = certificate;
   this._clientId = clientId;
 }
 
-SelfSignedJwt.prototype.create = function() {
-	var now = new Date();
-//	var expires = Date.now().add({ minutes: jwtConstants.SELF_SIGNED_JWT_LIFETIME });
+SelfSignedJwt.prototype._createHeader = function(thumbprint) {
+    var header = { typ: 'JWT', alg: 'RS256', x5t : thumbprint };
+
+    this._log.verbose('Creating self signed JWT header.  Thumbprint: ' + thumbprint);
+
+    return header;
+};
+
+SelfSignedJwt.prototype._createPayload = function() {
+  var now = new Date();
   var expires = (new Date()).addMinutes(jwtConstants.SELF_SIGNED_JWT_LIFETIME);
 
-	var jwtPayload = {};
-	jwtPayload[jwtConstants.AUDIENCE] = this._authority;
-	jwtPayload[jwtConstants.ISSUER] = this._clientId;
-	jwtPayload[jwtConstants.SUBJECT] = this._clientId;
-	jwtPayload[jwtConstants.NOT_BEFORE] = now.getTime();
-	jwtPayload[jwtConstants.EXPIRES_ON] = expires.getTime();
+  this._log.verbose('Creating self signed JWT payload.  Expires: ' + expires + ' NotBefore: ' + now);
+
+  var jwtPayload = {};
+  jwtPayload[jwtConstants.AUDIENCE] = this._authority;
+  jwtPayload[jwtConstants.ISSUER] = this._clientId;
+  jwtPayload[jwtConstants.SUBJECT] = this._clientId;
+  jwtPayload[jwtConstants.NOT_BEFORE] = now.getTime();
+  jwtPayload[jwtConstants.EXPIRES_ON] = expires.getTime();
+  jwtPayload[jwtConstants.JWT_ID] = uuid.v4();
+
+  return jwtPayload;
+};
+
+SelfSignedJwt.prototype.create = function(certificate, thumbprint) {
+  var header = this._createHeader(thumbprint);
+  var payload = this._createPayload();
+
+  var headerString = util.base64EncodeStringUrlSafe(JSON.stringify(header));
+  var payloadString = util.base64EncodeStringUrlSafe(JSON.stringify(payload));
+  var stringToSign = headerString + '.' + payloadString;
+
+  var signature = util.base64EncodeStringUrlSafe(crypto.createSign('RSA-SHA256').update(stringToSign).sign(certificate, 'base64'));
 
-	return jwt.encode(jwtPayload, this._certificate, 'RS256');
+	return stringToSign + '.' + signature;
 };
 
 module.exports.SelfSignedJwt = SelfSignedJwt;

package.json

@@ -23,7 +23,6 @@
   "licenses": [ { "type": "Apache 2.0", "url": "http://www.apache.org/licenses/LICENSE-2.0" } ],
   "dependencies": {
     "date-utils": "*",
-    "jwt-simple": "~0",
     "node-uuid": "1.4.1",
     "request": ">= 2.9.203",
     "underscore": ">= 1.3.1",

test/self-signed-jwt.js

@@ -33,8 +33,8 @@ var SelfSignedJwt = testRequire('self-signed-jwt').SelfSignedJwt;
 
 suite('self-signed-jwt', function() {
   test('create-jwt', function(done) {
-    var ssjwt = new SelfSignedJwt(cp.callContext, cp.authority, cp.clienId, util.getSelfSignedCert());
-    var jwt = ssjwt.create();
+    var ssjwt = new SelfSignedJwt(cp.callContext, cp.authority, cp.clienId);
+    var jwt = ssjwt.create(util.getSelfSignedCert(), cp.certHash);
     var err;
     if (!jwt) {
       err = new Error('Returned empty jwt');

test/util/util.js

@@ -583,4 +583,6 @@ util.getSelfSignedCert = function() {
   return privatePem;
 };
 
+util.commonParameters.certHash = 'C1:5D:EA:86:56:AD:DF:67:BE:80:31:D8:5E:BD:DC:5A:D6:C4:36:E1';
+
 module.exports = util;