set x5t#S256 header (#65)

Author: reinkrul

credential_issuer/issuer.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/rsa"
 	"crypto/sha1"
+	"crypto/sha256"
 	"crypto/x509"
 	"encoding/base64"
 	"errors"
@@ -110,12 +111,20 @@ func Issue(chain []*x509.Certificate, caFingerprintCert *x509.Certificate, key *
 		}
 
 		// x5t
+		// Note: although x5t is less safe than x5t#s256 (since is uses SHA-1, which has been broken), it's in here for backwards compatibility.
 		hashSha1 := sha1.Sum(signingCert.Raw)
 		err = hdrs.Set("x5t", base64.RawURLEncoding.EncodeToString(hashSha1[:]))
 		if err != nil {
 			return "", err
 		}
 
+		// x5t#S256
+		hashSha256 := sha256.Sum256(signingCert.Raw)
+		err = hdrs.Set("x5t#S256", base64.RawURLEncoding.EncodeToString(hashSha256[:]))
+		if err != nil {
+			return "", err
+		}
+
 		sign, err := jwt.Sign(token, jwt.WithKey(jwa.PS256, *key, jws.WithProtectedHeaders(hdrs)))
 		return string(sign), err
 	})

credential_issuer/issuer_test.go

@@ -4,6 +4,7 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
+	"github.com/lestrrat-go/jwx/v2/jws"
 	"github.com/nuts-foundation/go-didx509-toolkit/internal"
 	"testing"
 
@@ -106,6 +107,10 @@ func TestIssue(t *testing.T) {
 
 		assert.Equal(t, expectedCredentialSubject, vc.CredentialSubject)
 		assert.Equal(t, validChain[0].NotAfter, *vc.ExpirationDate, "expiration date of VC must match signing certificate")
+		parsedJWT, err := jws.Parse([]byte(vc.Raw()))
+		require.NoError(t, err)
+		assert.Equal(t, "v4nyg4rKy6MBIxnutabaUwXCxYY", parsedJWT.Signatures()[0].ProtectedHeaders().X509CertThumbprint())
+		assert.Equal(t, "XC-vUEDhKsMrtpwtYEQty5PgSj4ZphDLNDG_Rg9hQDk", parsedJWT.Signatures()[0].ProtectedHeaders().X509CertThumbprintS256())
 	})
 
 	t.Run("ok - correct escaping of special characters", func(t *testing.T) {