Layer7 API Management

  • 1.  JWT x5t Header Thumbprint generation

    Broadcom Employee
    Posted Dec 04, 2018 07:53 PM

    I'm looking for a way to generate the x5t thumbprint that is part of the JWT header set.

     

    => The "x5t" (X.509 certificate thumbprint) header parameter provides a base64url-encoded SHA-256 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate that can be used to match a certificate.

     

    The manual process I'm using is

    - Use OpenSSL to convert a PKCS12 key to DER formatted cert.

    - Use OpenSSL to generate the fingerprint

    - Use a bash script to base64url encode it

     

    Any thoughts on how this could be automated in Policy Manager?
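
The manual steps listed in the post above (DER bytes, digest, base64url), as an added example in standard-library Python; it is not part of the original post or of the attached policies. RFC 7515 defines "x5t" as the SHA-1 thumbprint and "x5t#S256" as the SHA-256 thumbprint, so the sketch computes both. The sample bytes are a constructed stand-in for a certificate, and the function names are hypothetical.

```python
import base64
import hashlib

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"


def b64url(raw: bytes) -> str:
    """base64url without '=' padding, the form JOSE header values use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def to_der(cert: bytes) -> bytes:
    """Return DER bytes for a certificate given as PEM or DER."""
    text = cert.strip()
    if text.startswith(PEM_BEGIN):
        body = text[len(PEM_BEGIN):text.index(PEM_END)]
        return base64.b64decode(b"".join(body.split()))
    return cert


def thumbprints(cert: bytes) -> dict:
    """Hash the DER bytes; the digest is encoded raw, never as hex text."""
    der = to_der(cert)
    return {
        "x5t": b64url(hashlib.sha1(der).digest()),
        "x5t#S256": b64url(hashlib.sha256(der).digest()),
    }


def from_openssl_fingerprint(line: str) -> str:
    """Turn 'SHA1 Fingerprint=AA:BB:..' (openssl x509 -fingerprint) into base64url."""
    hex_digits = line.split("=", 1)[-1].strip().replace(":", "")
    return b64url(bytes.fromhex(hex_digits))


# Constructed stand-in for certificate bytes (not a real certificate), chosen
# so the digests match the published SHA test vectors for "abc".
SAMPLE_DER = b"abc"
SAMPLE_PEM = PEM_BEGIN + b"\nYWJj\n" + PEM_END + b"\n"

if __name__ == "__main__":
    print(thumbprints(SAMPLE_PEM))
    print(from_openssl_fingerprint(
        "SHA1 Fingerprint=A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D"))
```

The value to encode is the raw digest: base64url-encoding the colon-separated hex string printed by OpenSSL yields a longer value that will not match the certificate on the verifying side.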



  • 2.  Re: JWT x5t Header Thumbprint generation

    Broadcom Employee
    Posted Dec 05, 2018 02:17 PM

    Good afternoon, I would recommend that you upgrade to CR3 for 9.3 or higher as there was an issue in how the x5t value was created before this. I've also attached a policy with an example of JWKS. This is a mirror to the policy included in the documentation: Working with JSON Web Tokens - CA API Gateway - 9.4 - CA Technologies Documentation 

     

    Sincerely,

     

    Stephen Hughes

    Broadcom Support

    Attachment(s)

    zip
    JWKS_Test.xml.zip   2 KB 1 version


  • 3.  Re: JWT x5t Header Thumbprint generation

    Broadcom Employee
    Posted Dec 05, 2018 05:26 PM

    Hi Stephen, 

     

     

    Thanks for that. It wasn't clear to me from the docs how to access the x5t value. But I think I got there.

     

    I've modified (attached) the sample policy to extract the x5t value into a context variable so that you can insert it into the headers of the JWT that gets created (in case anyone else is attempting the same).

     

    Paul.

     

    Attachment(s)

    zip
    JWKS_Test_x5t.xml.zip   2 KB 1 version


  • 4.  Re: JWT x5t Header Thumbprint generation

    Broadcom Employee
    Posted Dec 05, 2018 07:05 PM

    Paul,

     

    Do you need any additional assistance?

     

    Sincerely,

     

    Stephen Hughes

    Broadcom Support