How to validate signature of JWT from jwks without x5c

Question

I have a JWT security token which I need to verify via jwks endpoint. Data in jwks looks like:

{
  "keys": [
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "alg": "RS256",
      "n": "......",
      "kid": "2132132-b1e6-47e7-a30f-1831942f74bd"
    },
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "alg": "RS256",
      "n": "......",
      "kid": "tsp-app-a"
    },
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "alg": "RS256",
      "n": ".....",
      "kid": "tsp-app-b"
    }
  ]
}

I have tried one third party api but it looks like it is dependent on x5c key which isn't present in my case.

My code is:

public static bool Validate(JwtSecurityToken jsonToken)
        {
            bool result = false;
            try
            {
                var headers = Jose.JWT.Headers<JWTHeader>(jsonToken.RawData);
                var payload = Jose.JWT.Payload<JWTPayload>(jsonToken.RawData);

                string jwk = "";
                using (HttpClient cli = new HttpClient())
                {
                    jwk = cli.GetStringAsync(MyclientUrlforWellknownjson).Result;
                }

                var jwkinfo = JsonSerializer.Deserialize<JWKS>(jwk);
                //Find right key. Match kid and alg,  (To be changed later. It is possible that there are multiple x5c elements in key)
                var jwkkey = (from item in jwkinfo.keys where item.kid == headers.kid && item.alg == headers.alg select item).SingleOrDefault();

                //If key was found then load its public key
                System.Security.Cryptography.X509Certificates.X509Certificate2 cert = null;
                if (jwkkey != null)
                {
                    //Get public key from well known information
                    byte[] key = System.Text.Encoding.ASCII.GetBytes(jwkkey.x5c[0]); //??todo 
                    //Create cert                   
                    cert = new System.Security.Cryptography.X509Certificates.X509Certificate2(key);
                }

                var o = Jose.JWT.Decode(jsonToken.RawData, cert.PublicKey.Key);


            }
            catch (Exception ex)
            {

            }
            return result;
        }

How can I validate a JWT via jwks without x5c?

Answer 1

Using x5c is just one way, but you can also retrieve the public key with the parameters e (public exponent) and n (modulus), which is also documented on the jose-jwt github page:

//If kid was found then load public key
if (jwkkey != null)
{
    RSACryptoServiceProvider key = new RSACryptoServiceProvider();
    key.ImportParameters(new RSAParameters
    {
        Modulus = Base64Url.Decode(jwkkey.n),
        Exponent = Base64Url.Decode(jwkkey.e)
    });
}

// get the public key in PEM format, e.g. to use it on jwt.io
var pubkey = Convert.ToBase64String(key.ExportSubjectPublicKeyInfo());
const string pemHeader = "-----BEGIN PUBLIC KEY-----";
const string pemFooter = "-----END PUBLIC KEY-----";
var publicKeyPem = pemHeader + Environment.NewLine + pubkey + Environment.NewLine + pemFooter;

var o = Jose.JWT.Decode(jsonToken.RawData, key);

You can also export the public key in PEM format again as shown in the code above, which will look like this:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgIdJV4qWKyt3wkS66yBG5Ii9ew+eofuPU49TjlRIU5Iu5jX2mRMoHdcI7V78iKYSQHKYxz17cqzQyERxKnEiDgy/gwouStRgvPdm3H4rq//7p0t15SunsG2T1rEVf0sZEDnQ5qRkm7iqs6ZG1NqqIUtnOTd1Pd1MhbEqeENFtaPHvN37eZL82WmsQlJviFH4I9iZQVR/QT4GREQlRro8IjJTaloUyeDQTOQ+4ll1+4+g/ug2tZ+s9xleLzl5L9ZKSVJFhtMLn8WGaVldagarwa7kMLfuiVe8B5Lr7poQa4NCAR54ECPWoOHrABdPZKrkkxjVypTXUzL5cPzmzFC2xwIDAQAB
-----END PUBLIC KEY-----

and later use that key to manually verify your token on https://jwt.io

(key export corrected after a hint from @Topaco)