Nimbus JOSE + JWT 4.1 adds support for JWK thumbprints
The latest 4.1 release of the Nimbus JOSE + JWT library library adds support for computing JSON Web Key (JWK) thumbprints as specified in RFC 7638.
JWK thumbprints are intended to provide unique hashes of RSA, EC and shared
secret key material. These may for example be used as key ID (kid
) header
parameters in JWS and JWE objects. OpenID Connect also uses them for self-issued
identity providers.
Example usage:
// Create or parse RSA JWK
RSAKey rsaJWK = new RSAKey.Builder(...).build();
// SHA-256 is the default hash for JWK thumbprints
Base64URL thumbprintSHA256 = rsaJWK.computeThumbprint();
// The hash algorithm may be specified explicitly
Base64URL thumbprintSHA1 = rsaJWK.computeThumbprint("SHA-1");
The thumbprints are returned as a BASE64URL encoded byte array.
To get the string representation of the BASE64URL:
String b64URLString = thumbprintSHA256.toString();
To get the underlying byte array:
byte[] bytes = thumbprintSHA256.decode();
To get the thumbprint as a big integer:
BigInteger bigInt = thumbprintSHA256.decodeToBigInteger();
Download
Update 2015-09-21 The original thumbprint routine for octet sequence keys contained a bug which was fixed in 4.1.1. Thanks to Brian Campbell for spotting this.
The Maven Dependency for the 4.1.1 release:
<dependency>
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
<version>4.1.1</version>
</dependency>
For other methods check out the downloads page.
Feedback
Leave your comments below or contact Connect2id support.