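<#
    .SYNOPSIS
        Creates a self-signed X509 certificate from an RSA JWK.
    .DESCRIPTION
        This function wraps
        [Kestrun.Certificates.CertificateManager]::CreateSelfSignedCertificateFromJwk()
        and converts an RSA JWK into a self-signed X509Certificate2 instance.

        The input can be:
        - a JWK JSON string, or
        - a PowerShell hashtable/PSCustomObject that will be serialized
          to JSON via ConvertTo-Json -Compress.

        SECURITY: the JWK is expected to carry the private RSA components
        (d, p, q, dp, dq, qi), i.e. it is private key material, not just a
        public key. Treat the input, the intermediate JSON string and the
        returned certificate (which carries the private key) accordingly:
        do not echo them to logs, transcripts or verbose output, and only use
        -IncludePrivateKey with Export-KrCertificate when the destination is
        protected. This function itself logs only the subject name, never the
        JWK contents. Validation of the JWK (kty, presence of the private
        components, base64url encoding) is left to
        CreateSelfSignedCertificateFromJwk, which is expected to throw on
        malformed input.

        Once you have the certificate, you can export it to PFX/PEM
        using Export-KrCertificate.
    .PARAMETER Jwk
        The JWK representation. Can be:
        - a JSON string, or
        - a hashtable / PSCustomObject with JWK fields (kty, n, e, d, p, q, dp, dq, qi, kid).
        Accepts pipeline input. Must not be null or resolve to an empty/whitespace JSON string.
    .PARAMETER SubjectName
        Subject name for the self-signed certificate (CN=...). Defaults to "CN=client-jwt".
        Must not be null or empty; an explicit empty string is rejected at parameter binding.
    .OUTPUTS
        [System.Security.Cryptography.X509Certificates.X509Certificate2]
        A self-signed certificate whose private key is the RSA key from the JWK.
    .EXAMPLE
        $jwk = @{
            kty = 'RSA'
            n   = '...'
            e   = 'AQAB'
            d   = '...'
            p   = '...'
            q   = '...'
            dp  = '...'
            dq  = '...'
            qi  = '...'
        }

        $cert = ConvertFrom-KrJwkJsonToCertificate -Jwk $jwk

    .EXAMPLE
        $jwkJson = Get-Content './client.jwk.json' -Raw
        $cert = ConvertFrom-KrJwkJsonToCertificate -Jwk $jwkJson -SubjectName 'CN=client-assertion'
    .EXAMPLE
        # Exports the private key to disk: make sure './certs' has restrictive permissions.
        $jwk = Get-Content './client.jwk.json' -Raw
        ConvertFrom-KrJwkJsonToCertificate -Jwk $jwk |
            Export-KrCertificate -FilePath './certs/client' -Format Pem -IncludePrivateKey
#>
function ConvertFrom-KrJwkJsonToCertificate {
    [KestrunRuntimeApi('Everywhere')]
    [CmdletBinding()]
    [OutputType([System.Security.Cryptography.X509Certificates.X509Certificate2])]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object]
        $Jwk,

        # Reject an explicit '' early instead of handing an empty subject to the
        # native certificate builder, whose error would be less descriptive.
        [Parameter()]
        [ValidateNotNullOrEmpty()]
        [string]
        $SubjectName = 'CN=client-jwt'
    )
    process {
        # Mandatory already rejects $null at binding time; this guard keeps the
        # function safe when invoked in ways that bypass parameter binding.
        if ($null -eq $Jwk) {
            throw 'Jwk parameter cannot be null.'
        }

        # Normalize to a JSON string. Note: this string contains the private key
        # components from the JWK, so it must never be logged or persisted here.
        if ($Jwk -is [string]) {
            $jwkJson = [string]$Jwk
        } else {
            # hashtable / PSCustomObject → JSON; -Depth 10 is ample for a flat JWK
            $jwkJson = $Jwk | ConvertTo-Json -Depth 10 -Compress
        }

        if ([string]::IsNullOrWhiteSpace($jwkJson)) {
            throw 'Resolved JWK JSON is empty.'
        }

        # Only the subject name is logged; the JWK payload is deliberately excluded.
        Write-KrLog -Level Verbose -Message 'Creating self-signed certificate from JWK (SubjectName={subjectName})' -Values $SubjectName

        return [Kestrun.Certificates.CertificateManager]::CreateSelfSignedCertificateFromJwk(
            $jwkJson,
            $SubjectName
        )
    }
}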