From 6a7eec9030e503a7edb09f7c1f1afbeeec3c7c32 Mon Sep 17 00:00:00 2001 From: Ten0 <9094255+Ten0@users.noreply.github.com> Date: Wed, 25 Aug 2021 22:29:30 +0200 Subject: [PATCH] Add support for x5t#S256 header (#203) --- src/header.rs | 11 ++++++++++- src/jwk.rs | 15 +++++++++++---- 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/src/header.rs b/src/header.rs index 38e9bed..9ea330a 100644 --- a/src/header.rs +++ b/src/header.rs @@ -50,11 +50,19 @@ pub struct Header { /// Defined in [RFC7515#4.1.6](https://tools.ietf.org/html/rfc7515#section-4.1.6). #[serde(skip_serializing_if = "Option::is_none")] pub x5c: Option>, - /// X.509 certificate thumbprint + /// X.509 SHA1 certificate thumbprint /// /// Defined in [RFC7515#4.1.7](https://tools.ietf.org/html/rfc7515#section-4.1.7). #[serde(skip_serializing_if = "Option::is_none")] pub x5t: Option, + /// X.509 SHA256 certificate thumbprint + /// + /// Defined in [RFC7515#4.1.8](https://tools.ietf.org/html/rfc7515#section-4.1.8). + /// + /// This will be serialized/deserialized as "x5t#S256", as defined by the RFC. + #[serde(skip_serializing_if = "Option::is_none")] + #[serde(rename = "x5t#S256")] + pub x5t_s256: Option, } impl Header { @@ -70,6 +78,7 @@ impl Header { x5u: None, x5c: None, x5t: None, + x5t_s256: None, } } diff --git a/src/jwk.rs b/src/jwk.rs index 0057387..0ad424e 100644 --- a/src/jwk.rs +++ b/src/jwk.rs 
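Review bot: The doc comment on the new `x5t_s256` field in `Header` gives the RFC section but not the value's encoding or its trust status. Per RFC 7515 §4.1.8 it is the base64url-encoded SHA-256 digest of the DER-encoded certificate, and it arrives in the token header, so it is attacker-controlled until the signature has been verified against a key the caller already trusts. Nothing in this patch compares it to a certificate, so I would add `/// Base64url SHA-256 digest of the DER-encoded certificate. This value is only (de)serialized, never checked;` and `/// compare it against the thumbprint of a certificate you already trust before using it to select a key.` The reworded `x5t` comment could also note that SHA-1 is collision-weak and `x5t#S256` should be preferred when both are present. The `Header` struct begins above the hunk.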
@@ -168,21 +168,28 @@ pub struct CommonParameters { pub key_id: Option, /// X.509 Public key cerfificate URL. This is currently not implemented (correctly). + /// /// Serialized to `x5u`. #[serde(rename = "x5u", skip_serializing_if = "Option::is_none")] pub x509_url: Option, /// X.509 public key certificate chain. This is currently not implemented (correctly). + /// /// Serialized to `x5c`. #[serde(rename = "x5c", skip_serializing_if = "Option::is_none")] pub x509_chain: Option>, - /// X.509 Certificate thumbprint. This is currently not implemented (correctly). - /// Also not implemented, is the SHA-256 thumbprint variant of this header. + /// X.509 Certificate SHA1 thumbprint. This is currently not implemented (correctly). + /// /// Serialized to `x5t`. - // TODO: How to make sure the headers are mutually exclusive? #[serde(rename = "x5t", skip_serializing_if = "Option::is_none")] - pub x509_fingerprint: Option, + pub x509_sha1_fingerprint: Option, + + /// X.509 Certificate SHA256 thumbprint. This is currently not implemented (correctly). + /// + /// Serialized to `x5t#S256`. + #[serde(rename = "x5t#S256", skip_serializing_if = "Option::is_none")] + pub x509_sha256_fingerprint: Option, } /// Key type value for an Elliptic Curve Key.
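Review bot: The two thumbprint fields on `CommonParameters` can now both be set, and the removed TODO about how they relate is not replaced by any guidance. As far as this hunk shows, neither value is checked against `x509_chain` or against the other, so the phrase "not implemented (correctly)" should be spelled out on `x509_sha256_fingerprint`, for example `/// Only (de)serialized: not validated against x509_chain or the key material.` and `/// When both thumbprints are present, prefer this one over the SHA-1 value.` Separately, renaming the public field `x509_fingerprint` to `x509_sha1_fingerprint` breaks downstream code that builds or reads this struct by field name, which deserves a changelog entry. The struct begins above the hunk.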