2

After creating a key pair in AWS KMS service I can see the public key looks something like:

-----BEGIN PUBLIC KEY-----
J1UJQVArKIBiUNUgvkEamuz4treK5qSCJeUD+TcN9lPEQTXrApYV+CcXnuQJql472gPGtTNbyE
-----END PUBLIC KEY-----

But when clients invoke the jwks endpoint url (e.g. https://my-authorization-service.com/.well-known/jwks)

I want the response to look like any other conventional (e.g. google jwks etc.) jwks response, like this:

{
  "alg": "RS256",
  "kty": "RSA",
  "use": "sig",
  "n": "vYjDQCjiQCjiQCjiQCjiQCji",
  "e": "AQAB",
  "kid": "79adDfP_ggD-fuxsFWdkd",
  "x5t": "aaaaaaabbbbbbbbcccccccc",
  "x5c": [
    "the_x5c_bla_bla"
  ]
}

The purpose of this JWKs endpoint is to have authorizers refer to this endpoint to fetch the correct JWKs key in order to verify/validate a JWT token that has been signed by the private key.

How can I present the KMS public key in a JWKs format as described above ? or am I doing something wrong?

Mercury
  • 7,430
  • 3
  • 42
  • 54

1 Answers1

1

Turns out that this is a matter of exporting the RSA public key to jwk format.

This was answered on another stackoverflow post, link to answer

In Javascript (NodeJS runtime) you can do it natively (From Node 15.9.0 or above):

import { createPublicKey } from 'crypto'
const pemPublicKey = `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG...
-----END PUBLIC KEY-----`
const publicKey = createPublicKey(pemPublicKey)
console.log(publicKey.export({ format: 'jwk' }))

So I had to extrat the KMS public key and export/convert the key as shown above. then finally present the key as required, and have it available via my jwks endpoint.

Mercury
  • 7,430
  • 3
  • 42
  • 54