Closed krishrana17 closed 2 years ago
Hi krishrana, that JWKS looks OK to my eye. Here is one produced by the test cases found here in my library. I don't believe you need the 'x5c' property unless you are using an X.509 certificate chain, which, if you were, you would know about.
{
"keys": [
{
"kty": "EC",
"kid": "__q7Q4cf6G69ExQSrfW5A_2c3mJrtrRPBhtoRTyZlQM",
"use": "sig",
"alg": "ES256",
"crv": "P-256",
"x": "j2oyU1JyNT1x66i-PFsdsU1qL-y_Nxq7RjwKkd5kNyc",
"y": "OPR0AnWPAmhFC6y1RAXFvsAGS0ptfUwuoTKkWXpP4bE"
}
]
}
The SHC Verifier Portal does not take the JWKS file/JSON as an input. Rather, the portal inspects the "iss" property found inside the SMART Health Card's JWS token it is validating. This is a URL to a publicly accessible endpoint that serves up the JWKS JSON.
It needs to get that JWKS in order to validate that the SMART Health Card's JWS signature has been signed by a certificate pertaining to the public key found in that JWKS.
So it is your job to publicly host that endpoint, which provides that JWKS JSON to the SHC Verifier Portal. Once you have hosted that service, you need to provide its endpoint address to the library that generates the SMART Health Card's JWS token.
So for my library that is a matter of setting the Issuer to your hosted endpoint address, as seen in my examples here, and also seen below:
//Set the base of the URL where any validator will retrieve the public keys from (e.g : [Issuer]/.well-known/jwks.json)
Uri Issuer = new Uri("https://acmecare.com/shc");
And then it is used here; see the Issuer variable being passed in:
//Instantiate and populate the Smart Health Card Model with the properties we just setup
SmartHealthCardModel SmartHealthCard = new SmartHealthCardModel(Issuer, IssuanceDateTimeOffset,
new VerifiableCredential(VerifiableCredentialTypeList,
new CredentialSubject(FhirVersion, FhirBundleJson)));
Within my library's GitHub repository, there is a project that shows how this can be done. Have a look at the project found here: SmartHealthCard.JwksEndpoin
However, that project expects to load a certificate from a Windows certificate store by thumbprint, so it will not work for you straight out of the box. You would have to load your certificate into a Windows certificate store, update the appsetting.json file to use it, and then load your certificate by its thumbprint. And of course, it would need to run on a Windows box.
However, it is a good example of what is required to host your JWKS file on a '.well-known/jwks.json' endpoint, as the SHC Verifier Portal or any other validator will require.
I hope this helps.
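The flow the reply above describes, written out as an added, stand-alone Go example (it is not code from this thread or from the SmartHealthCard library): the issuer generates a P-256 key and publishes its JWK at <iss>/.well-known/jwks.json, the card's JWS header carries the key's kid, and the verifier reads iss from the payload, fetches the JWKS by that URL, selects the key by kid and checks the ES256 signature. Assumptions: the issuer URL https://acmecare.com/shc is reused from the reply as a hypothetical value, the HTTPS GET is replaced by an in-memory map that stands in for the hosted endpoint, the card payload is a constructed minimal claim set, and the "zip":"DEF" deflate step a real SMART Health Card applies to its payload is left out. The kid is derived as the RFC 7638 JWK thumbprint, which the SMART Health Cards specification requires, and, as the reply says, no x5c member is needed for the verifier to do its job.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// JWK: the RFC 7517 members an issuer publishes for an ES256 key (no x5c needed).
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	Use string `json:"use"`
	Alg string `json:"alg"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

// JWKS is the document served at <iss>/.well-known/jwks.json.
type JWKS struct{ Keys []JWK `json:"keys"` }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// pad32 fixes a P-256 coordinate or signature half at 32 bytes, as JOSE requires.
func pad32(n *big.Int) []byte { out := make([]byte, 32); n.FillBytes(out); return out }

// Thumbprint is the RFC 7638 JWK thumbprint; SMART Health Cards require kid to equal it.
func Thumbprint(crv, x, y string) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":%q,"kty":"EC","x":%q,"y":%q}`, crv, x, y)))
	return b64(sum[:])
}

// NewIssuerKey generates a P-256 signing key and the JWK the issuer must host.
func NewIssuerKey() (*ecdsa.PrivateKey, JWK, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, JWK{}, err
	}
	x, y := b64(pad32(priv.X)), b64(pad32(priv.Y))
	return priv, JWK{Kty: "EC", Kid: Thumbprint("P-256", x, y), Use: "sig", Alg: "ES256", Crv: "P-256", X: x, Y: y}, nil
}

// SignES256 returns a compact JWS; the signature is the raw 64-byte r||s, not DER.
func SignES256(priv *ecdsa.PrivateKey, kid string, payload []byte) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	input := b64(hdr) + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(append(pad32(r), pad32(s)...)), nil
}

// VerifySHC mirrors the portal: read iss from the payload, fetch <iss>/.well-known/jwks.json,
// select the key by kid, and check the ES256 signature against it.
func VerifySHC(compact string, fetch func(jwksURL string) (*JWKS, error)) (map[string]interface{}, error) {
	parts := strings.Split(compact, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	dec := base64.RawURLEncoding.DecodeString
	hdrBytes, e1 := dec(parts[0])
	payload, e2 := dec(parts[1])
	sig, e3 := dec(parts[2])
	var hdr struct{ Alg, Kid string } // encoding/json matches alg/kid case-insensitively
	var claims map[string]interface{}
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 ||
		json.Unmarshal(hdrBytes, &hdr) != nil || json.Unmarshal(payload, &claims) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("malformed JWS, or alg is not ES256")
	}
	iss, _ := claims["iss"].(string)
	if !strings.HasPrefix(iss, "https://") {
		return nil, errors.New("iss must be an https URL")
	}
	jwks, err := fetch(strings.TrimSuffix(iss, "/") + "/.well-known/jwks.json")
	if err != nil || jwks == nil {
		return nil, fmt.Errorf("cannot fetch JWKS for %s: %v", iss, err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	for _, k := range jwks.Keys {
		if k.Kid == hdr.Kid && k.Kty == "EC" && k.Crv == "P-256" {
			xb, _ := dec(k.X)
			yb, _ := dec(k.Y)
			pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
			if ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
				return claims, nil
			}
			return nil, errors.New("signature does not verify against the issuer's published key")
		}
	}
	return nil, fmt.Errorf("kid %q not found in %s's JWKS", hdr.Kid, iss)
}

func main() {
	const iss = "https://acmecare.com/shc" // hypothetical issuer base URL, as used in the thread
	priv, jwk, _ := NewIssuerKey()
	hosted := map[string]*JWKS{iss + "/.well-known/jwks.json": {Keys: []JWK{jwk}}} // stands in for the hosted endpoint
	card, _ := SignES256(priv, jwk.Kid, []byte(`{"iss":"`+iss+`","nbf":1620000000,"vc":{}}`)) // constructed payload
	claims, err := VerifySHC(card, func(u string) (*JWKS, error) { return hosted[u], nil })
	fmt.Println("claims:", claims, "error:", err)
}
```

The check that matters in practice is the last one in VerifySHC: the kid in the card's header must match a kid in the JWKS actually served at <iss>/.well-known/jwks.json, and that kid must be the thumbprint of the very key that signed. If you regenerate the key, re-export the .pfx, or change the Issuer base URL without re-publishing the JWKS, verification fails at the key lookup rather than at the signature check, which is why a hosted endpoint and a hand-maintained JWKS file drift apart so easily.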
Hello, well, I have created keys with OpenSSL, exported them as .pfx, and I am also able to generate the JWKS JSON file. Here it is -
But now I am not sure whether this is the correct one. Could you please guide me on how to validate this JSON in the SHC Verifier Portal? I am not sure how to use this verifier portal.
The other thing is that on this URL - https://smarthealth.cards/examples/issuer/.well-known/jwks.json - I can see there is an "x5c": element in the JSON. How do I generate that element? What am I missing?