jwk: fix parsing JWKs with only an "x5c" parameter (i.e. no "n" and "e")

- use BIO_new_mem_buf that supports BIO_reset
- solve valgrind memory access error on apr_pstrmemdup
- migrate test_public_key_parse to test_jose
- bump to 2.4.19.1dev

Signed-off-by: Hans Zandbelt <[email protected]>

Author: zandbelt

ChangeLog

@@ -1,3 +1,7 @@
+12/08/2025
+- jwk: fix parsi8ng RSA JWKs with only an "x5c" parameter (i.e. no "n" and "e")
+- bump to 2.4.19.1dev
+
 12/01/2025
 - release 2.4.19
 

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.19],[[email protected]])
+AC_INIT([mod_auth_openidc],[2.4.19.1dev],[[email protected]])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

src/jose.c

@@ -1658,7 +1658,7 @@ static apr_byte_t _oidc_jwk_ec_key_to_jwk(apr_pool_t *pool, EVP_PKEY *pkey, oidc
  * by "input" to a JSON Web Key object
  */
 apr_byte_t oidc_jwk_pem_bio_to_jwk(apr_pool_t *pool, BIO *input, const char *kid, oidc_jwk_t **oidc_jwk,
-				   int is_private_key, oidc_jose_error_t *err) {
+				   apr_byte_t is_private_key, oidc_jose_error_t *err) {
 	cjose_err cjose_err;
 	X509 *x509 = NULL;
 	EVP_PKEY *pkey = NULL;
@@ -1672,7 +1672,7 @@ apr_byte_t oidc_jwk_pem_bio_to_jwk(apr_pool_t *pool, BIO *input, const char *kid
 
 	*oidc_jwk = oidc_jwk_new(pool);
 
-	if (is_private_key) {
+	if (is_private_key == TRUE) {
 		/* get the private key struct from the BIO */
 		if ((pkey = PEM_read_bio_PrivateKey(input, NULL, NULL, NULL)) == NULL) {
 			oidc_jose_error_openssl(err, "PEM_read_bio_PrivateKey");
@@ -1775,8 +1775,8 @@ apr_byte_t oidc_jwk_pem_bio_to_jwk(apr_pool_t *pool, BIO *input, const char *kid
 /*
  * parse a PEM-formatted public or private key from the specified file
  */
-static apr_byte_t oidc_jwk_parse_pem_key(apr_pool_t *pool, int is_private_key, const char *kid, const char *filename,
-					 oidc_jwk_t **jwk, oidc_jose_error_t *err) {
+static apr_byte_t oidc_jwk_parse_pem_key(apr_pool_t *pool, apr_byte_t is_private_key, const char *kid,
+					 const char *filename, oidc_jwk_t **jwk, oidc_jose_error_t *err) {
 	BIO *input = NULL;
 	apr_byte_t rv = FALSE;
 
@@ -1840,26 +1840,20 @@ static apr_byte_t _oidc_jwk_parse_x5c(apr_pool_t *pool, json_t *json, cjose_jwk_
 	const char *s_x5c = json_string_value(v);
 
 	/* PEM-format it */
-	const int len = 75;
+	const int chunk = 75;
 	int i = 0;
 	char *s = apr_psprintf(pool, "%s\n", OIDC_JOSE_CERT_BEGIN);
-	while (i < _oidc_strlen(s_x5c)) {
-		s = apr_psprintf(pool, "%s%s\n", s, apr_pstrmemdup(pool, s_x5c + i, len));
-		i += len;
+	const int n = _oidc_strlen(s_x5c);
+	while (i < n) {
+		s = apr_psprintf(pool, "%s%s\n", s, apr_pstrmemdup(pool, s_x5c + i, (i + chunk) > n ? (n - i) : chunk));
+		i += chunk;
 	}
 	s = apr_psprintf(pool, "%s%s\n", s, OIDC_JOSE_CERT_END);
 
-	BIO *input = NULL;
-
 	/* put it in BIO memory */
-	if ((input = BIO_new(BIO_s_mem())) == NULL) {
-		oidc_jose_error_openssl(err, "memory allocation BIO_new/BIO_s_mem");
-		return FALSE;
-	}
-
-	if (BIO_puts(input, s) <= 0) {
-		BIO_free(input);
-		oidc_jose_error_openssl(err, "BIO_puts");
+	BIO *input = BIO_new_mem_buf(s, _oidc_strlen(s));
+	if (input == NULL) {
+		oidc_jose_error_openssl(err, "BIO_new_mem_buf");
 		return FALSE;
 	}
 

src/jose.h

@@ -276,7 +276,7 @@ int oidc_jwt_alg2kty(oidc_jwt_t *jwt);
 /* return the key size for an algorithm */
 unsigned int oidc_alg2keysize(const char *alg);
 
-apr_byte_t oidc_jwk_pem_bio_to_jwk(apr_pool_t *pool, BIO *input, const char *kid, oidc_jwk_t **jwk, int is_private_key,
-				   oidc_jose_error_t *err);
+apr_byte_t oidc_jwk_pem_bio_to_jwk(apr_pool_t *pool, BIO *input, const char *kid, oidc_jwk_t **jwk,
+				   apr_byte_t is_private_key, oidc_jose_error_t *err);
 
 #endif /* _MOD_AUTH_OPENIDC_JOSE_H_ */

test/test.c

@@ -134,7 +134,7 @@ static char *test_private_key_parse(apr_pool_t *pool) {
 	oidc_jose_error_t err = {{'\0'}, 0, {'\0'}, {'\0'}};
 	BIO *input = NULL;
 	oidc_jwk_t *jwk = NULL;
-	int isPrivateKey = 1;
+	apr_byte_t isPrivateKey = TRUE;
 	int result;
 	char *json = NULL;
 
@@ -191,109 +191,6 @@ static char *test_private_key_parse(apr_pool_t *pool) {
 	return 0;
 }
 
-static char *test_public_key_parse(apr_pool_t *pool) {
-
-	oidc_jose_error_t err = {{'\0'}, 0, {'\0'}, {'\0'}};
-	oidc_jwk_t *jwk, *jwkCert = NULL;
-
-	BIO *input, *inputCert = NULL;
-	char *json = NULL;
-
-	int isPrivateKey = 0;
-	int result;
-
-	const char publicKeyFile[512];
-	const char certificateFile[512];
-	const char ecCertificateFile[512];
-	char *dir = getenv("srcdir") ? getenv("srcdir") : ".";
-	snprintf((char *)publicKeyFile, 512, "%s/%s", dir, "/public.pem");
-	snprintf((char *)certificateFile, 512, "%s/%s", dir, "/certificate.pem");
-	snprintf((char *)ecCertificateFile, 512, "%s/%s", dir, "/eccert.pem");
-
-	input = BIO_new(BIO_s_file());
-	TST_ASSERT_ERR("test_public_key_parse_BIO_new_public_key", input != NULL, pool, err);
-
-	TST_ASSERT_ERR("test_public_key_parse_BIOread_filename_public_key",
-		       result = BIO_read_filename(input, publicKeyFile), pool, err);
-
-	TST_ASSERT_ERR("oidc_jwk_pem_bio_to_jwk", oidc_jwk_pem_bio_to_jwk(pool, input, NULL, &jwk, isPrivateKey, &err),
-		       pool, err);
-	BIO_free(input);
-
-	inputCert = BIO_new(BIO_s_file());
-	TST_ASSERT_ERR("test_public_key_parse_BIO_new_certificate", inputCert != NULL, pool, err);
-
-	TST_ASSERT_ERR("test_public_key_parse_BIOread_filename_certificate",
-		       BIO_read_filename(inputCert, certificateFile), pool, err);
-
-	TST_ASSERT_ERR("oidc_jwk_pem_bio_to_jwk",
-		       oidc_jwk_pem_bio_to_jwk(pool, inputCert, NULL, &jwkCert, isPrivateKey, &err), pool, err);
-	BIO_free(inputCert);
-
-	TST_ASSERT_ERR("oidc_jwk_to_json with public key", oidc_jwk_to_json(pool, jwk, &json, &err), pool, err);
-	TST_ASSERT_STR(
-	    "oidc_jwk_to_json with public key output test", json,
-	    "{\"kty\":\"RSA\",\"kid\":\"IbLjLR7-C1q0-ypkueZxGIJwBQNaLg46DZMpnPW1kps\",\"e\":\"AQAB\",\"n\":"
-	    "\"iGeTXbfV5bMppx7o7qMLCuVIKqbBa_qOzBiNNpe0K8rjg7-1z9GCuSlqbZtM0_5BQ6bGonnSPD--"
-	    "PowhFdivS4WNA33O0Kl1tQ0wdH3TOnwueIO9ahfW4q0BGFvMObneK-tjwiNMj1l-cZt8pvuS-3LtTWIzC-"
-	    "hTZM4caUmy5olm5PVdmru6C6V5rxkbYBPITFSzl5mpuo_C6RV_MYRwAh60ghs2OEvIWDrJkZnYaF7sjHC9j-"
-	    "4kfcM5oY7Zhg8KuHyloudYNzlqjVAPd0MbkLkh1pa8fmHsnN6cgfXYtFK7Z8WjYDUAhTH1JjZCVSFN55A-51dgD4cQNzieLEEkJw\"}");
-	oidc_jwk_destroy(jwk);
-
-	TST_ASSERT_ERR("oidc_jwk_to_json with certificate", oidc_jwk_to_json(pool, jwkCert, &json, &err), pool, err);
-	TST_ASSERT_STR("oidc_jwk_to_json with certificate output test", json,
-		       "{\"kty\":\"RSA\",\"kid\":\"IbLjLR7-C1q0-ypkueZxGIJwBQNaLg46DZMpnPW1kps\",\"e\":\"AQAB\",\"n\":"
-		       "\"iGeTXbfV5bMppx7o7qMLCuVIKqbBa_qOzBiNNpe0K8rjg7-1z9GCuSlqbZtM0_5BQ6bGonnSPD--"
-		       "PowhFdivS4WNA33O0Kl1tQ0wdH3TOnwueIO9ahfW4q0BGFvMObneK-tjwiNMj1l-cZt8pvuS-3LtTWIzC-"
-		       "hTZM4caUmy5olm5PVdmru6C6V5rxkbYBPITFSzl5mpuo_C6RV_MYRwAh60ghs2OEvIWDrJkZnYaF7sjHC9j-"
-		       "4kfcM5oY7Zhg8KuHyloudYNzlqjVAPd0MbkLkh1pa8fmHsnN6cgfXYtFK7Z8WjYDUAhTH1JjZCVSFN55A-"
-		       "51dgD4cQNzieLEEkJw\",\"x5c\":[\"MIICnTCCAYUCBgFuk1+"
-		       "FLDANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAd2aW5jZW50MB4XDTE5MTEyMjEzNDcyMVoXDTI5MTEyMjEzNDkwMVowEj"
-		       "EQMA4GA1UEAwwHdmluY2VudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIhnk1231eWzKace6O6jCwrlSCqmw"
-		       "Wv6jswYjTaXtCvK44O/tc/Rgrkpam2bTNP+QUOmxqJ50jw/"
-		       "vj6MIRXYr0uFjQN9ztCpdbUNMHR90zp8LniDvWoX1uKtARhbzDm53ivrY8IjTI9ZfnGbfKb7kvty7U1iMwvoU2TOHGlJsua"
-		       "JZuT1XZq7ugulea8ZG2ATyExUs5eZqbqPwukVfzGEcAIetIIbNjhLyFg6yZGZ2Ghe7IxwvY/"
-		       "uJH3DOaGO2YYPCrh8paLnWDc5ao1QD3dDG5C5IdaWvH5h7JzenIH12LRSu2fFo2A1AIUx9SY2QlUhTeeQPudXYA+"
-		       "HEDc4nixBJCcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAfAo40il4qw7DfOkke0p1ZFAgLQQS3J5hYNDSRvVv+vxkk9o/"
-		       "N++zTMoHbfcDcU5BdVH6Qsr/12PXPX7Ur5WYDq+bWGAK3MAaGtZlmycFeVhoVRfab4TUWUy43H3VyFUNqjGRAVJ/"
-		       "VD1RW3fJ18KrQTN2fcKSd88Jqt5TvjROKghq95+8BQtlhrR/"
-		       "sQVrjgYwc+eU9ljWI56MQXbpHstl9IewMXnusSPxKRTbutjaxzKaoXRTUncPL6ga0SSxOTdKksM4ZYpPnq0B93silb+"
-		       "0qs8aJraGzjAmLE30opfufP+roth19VJxAfYsW5mgAmXP9kEAF+iWB8FB4/"
-		       "Q4noNG8Q==\"],\"x5t#S256\":\"hMVJ55Mqi4uAQIztPKUmL2MSfy6iN1Lr3J1CNGAIBms\",\"x5t\":\"0oN6Bx-"
-		       "eh6VAmNw1I7o3Dd9JPwE\"}");
-	oidc_jwk_destroy(jwkCert);
-
-	inputCert = BIO_new(BIO_s_file());
-	TST_ASSERT_ERR("test_public_key_parse_BIO_new_EC_certificate", inputCert != NULL, pool, err);
-
-	TST_ASSERT_ERR("test_public_key_parse_BIOread_filename_EC_certificate",
-		       BIO_read_filename(inputCert, ecCertificateFile), pool, err);
-
-	TST_ASSERT_ERR("oidc_jwk_pem_bio_to_jwk",
-		       oidc_jwk_pem_bio_to_jwk(pool, inputCert, NULL, &jwkCert, isPrivateKey, &err), pool, err);
-	BIO_free(inputCert);
-
-	TST_ASSERT_ERR("oidc_jwk_to_json with EC certificate", oidc_jwk_to_json(pool, jwkCert, &json, &err), pool, err);
-	TST_ASSERT_STR(
-	    "oidc_jwk_to_json with EC certificate output test", json,
-	    "{\"kty\":\"EC\",\"kid\":\"-THDTumMGazABrYTb8xJoYOK2OPiWmho3D-nPC1dSYg\",\"crv\":\"P-521\",\"x\":"
-	    "\"AR6Eh9VhdLEA-rm5WR0_T0LjKysJuBkSoXaR8GjphHvoOTrljcACRsVlTES9FMkbxbNEs4JdxPgPJl9G-e9WEJTe\",\"y\":"
-	    "\"AammgflZaJuSdycK_ccUXkSXjNQd8NsqJuv9LFpk5Ys1OAiirWm6uktXG8ALNSxSffcurBq8zqZyZ141dV6qSzKQ\",\"x5c\":["
-	    "\"MIICBDCCAWagAwIBAgIUdYpkXaCal7IwjHix3n1PP9/"
-	    "O6OcwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIzMDMyMzIwNDU1MFoXDTMzMDMyMDIwNDU1MFowFDESMBAGA1UEA"
-	    "wwJbG9jYWxob3N0MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBHoSH1WF0sQD6ublZHT9PQuMrKwm4GRKhdpHwaOmEe+"
-	    "g5OuWNwAJGxWVMRL0UyRvFs0Szgl3E+A8mX0b571YQlN4BqaaB+Vlom5J3Jwr9xxReRJeM1B3w2yom6/"
-	    "0sWmTlizU4CKKtabq6S1cbwAs1LFJ99y6sGrzOpnJnXjV1XqpLMpCjUzBRMB0GA1UdDgQWBBTKfLLXyRVQpnXFf19Bs7eXRPlRmzAfBgNV"
-	    "HSMEGDAWgBTKfLLXyRVQpnXFf19Bs7eXRPlRmzAPBgNVHRMBAf8EBTADAQH/"
-	    "MAoGCCqGSM49BAMCA4GLADCBhwJBGkoifMDYwsSLSmnnVdFftqTwxrjdgrtPMRzetz/w/"
-	    "D9KkM4Mlufgv5jBXuWcEiP9ray2ZgAGhdkvoOfsc8g1l6ICQgEJ+"
-	    "9R5K2WKlDTEydmiHiSYQHSVyS61PFskm537AqrLVSRu80Sezu2W4m8IF2UbbRZiUPaHPIx9Xe3GdpqIEmPFfA==\"],\"x5t#S256\":"
-	    "\"yCl_u4GL5GrTkf8xvqdF2aixUIhjDdsMFhLUz7O6gVA\",\"x5t\":\"waxmjjAAhxGY5XvH6ufxVxwYGDw\"}");
-	oidc_jwk_destroy(jwkCert);
-
-	return 0;
-}
-
 static char *test_jwt_parse(apr_pool_t *pool) {
 
 	// from http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20
@@ -1388,7 +1285,6 @@ static char *test_check_cookie_domain(request_rec *r) {
 static char *all_tests(apr_pool_t *pool, request_rec *r) {
 	char *message;
 	TST_RUN(test_private_key_parse, pool);
-	TST_RUN(test_public_key_parse, pool);
 
 	TST_RUN(test_jwt_parse, pool);
 	TST_RUN(test_plaintext_jwt_parse, pool);

test/test_jose.c

@@ -400,6 +400,131 @@ START_TEST(test_jwk_json_parse_and_jwks) {
 }
 END_TEST
 
+START_TEST(test_jwk_json_x5c_parse) {
+	apr_pool_t *pool = oidc_test_pool_get();
+	oidc_jwk_t *jwk = NULL;
+	oidc_jose_error_t err = {{'\0'}, 0, {'\0'}, {'\0'}};
+	json_error_t json_err = {0, 0, 0, {'\0'}, {'\0'}};
+
+	// https://datatracker.ietf.org/doc/html/rfc7517#appendix-, n and e removed
+	const char *s_json =
+	    "{\"kty\":\"RSA\",\"use\":\"sig\",\"kid\":\"1b94c\",\"x5c\":[\"MIIDQjCCAiqgAwIBAgIGATz/"
+	    "FuLiMA0GCSqGSIb3DQEBBQUAMGIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYDVQQKExNQaW5nIE"
+	    "lkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1wYmVsbDAeFw0xMzAyMjEyMzI5MTVaFw0xODA4MTQyMjI5MTVaMGIxCzAJBgNV"
+	    "BAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYDVQQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5Ccm"
+	    "lhbiBDYW1wYmVsbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL64zn8/QnHYMeZ0LncoXaEde1fiLm1jHjmQsF/"
+	    "449IYALM9if6amFtPDy2yvz3YlRij66s5gyLCyO7ANuVRJx1NbgizcAblIgjtdf/u3WG7K+IiZhtELto/"
+	    "A7Fck9Ws6SQvzRvOE8uSirYbgmj6He4iO8NCyvaK0jIQRMMGQwsU1quGmFgHIXPLfnpnfajr1rVTAwtgV5LEZ4Iel+W1GC8ugMhyr4/"
+	    "p1MtcIM42EA8BzE6ZQqC7VPqPvEjZ2dbZkaBhPbiZAS3YeYBRDWm1p1OZtWamT3cEvqqPpnjL1XyW+"
+	    "oyVVkaZdklLQp2Btgt9qr21m42f4wTw+"
+	    "Xrp6rCKNb0CAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAh8zGlfSlcI0o3rYDPBB07aXNswb4ECNIKG0CETTUxmXl9KUL+"
+	    "9gGlqCz5iWLOgWsnrcKcY0vXPG9J1r9AqBNTqNgHq2G03X09266X5CpOe1zFo+"
+	    "Owb1zxtp3PehFdfQJ610CDLEaS9V9Rqp17hCyybEpOGVwe8fnk+fbEL2Bo3UPGrpsHzUoaGpDftmWssZkhpBJKVMJyf/"
+	    "RuP2SmmaIzmnw9JiSlYhzo4tpzd5rFXhjRbg4zW9C+2qok+2+qDM1iJ684gPHMIY8aLWrdgQTxkumGmTqgawR+"
+	    "N5MDtdPTEQ0XfIBc2cJEUyMTY5MPvACWpkA6SdS4xSvdXK3IVfOWA==\"]}";
+
+	json_t *j = json_loads(s_json, 0, &json_err);
+	ck_assert_ptr_nonnull(j);
+	ck_assert_int_eq(oidc_is_jwk(j), TRUE);
+
+	jwk = oidc_jwk_parse(pool, j, &err);
+	ck_assert_msg(jwk != NULL, "oidc_jwk_parse failed: %s", oidc_jose_e2s(pool, err));
+	ck_assert_ptr_nonnull(jwk->kid);
+	ck_assert_int_eq(jwk->x5c->nelts, 1);
+
+	json_decref(j);
+	oidc_jwk_destroy(jwk);
+}
+END_TEST
+
+START_TEST(test_jwk_public_key_parse) {
+	apr_pool_t *pool = oidc_test_pool_get();
+	oidc_jose_error_t err = {{'\0'}, 0, {'\0'}, {'\0'}};
+	oidc_jwk_t *jwk, *jwkCert = NULL;
+	BIO *input, *inputCert = NULL;
+	char *json = NULL;
+	apr_byte_t isPrivateKey = FALSE;
+
+	const char publicKeyFile[512];
+	const char certificateFile[512];
+	const char ecCertificateFile[512];
+	char *dir = getenv("srcdir") ? getenv("srcdir") : ".";
+	snprintf((char *)publicKeyFile, 512, "%s/%s", dir, "/public.pem");
+	snprintf((char *)certificateFile, 512, "%s/%s", dir, "/certificate.pem");
+	snprintf((char *)ecCertificateFile, 512, "%s/%s", dir, "/eccert.pem");
+
+	input = BIO_new(BIO_s_file());
+	ck_assert_ptr_nonnull(input);
+	ck_assert_int_eq(BIO_read_filename(input, publicKeyFile), 1);
+	ck_assert_int_eq(oidc_jwk_pem_bio_to_jwk(pool, input, NULL, &jwk, isPrivateKey, &err), TRUE);
+	BIO_free(input);
+
+	inputCert = BIO_new(BIO_s_file());
+	ck_assert_ptr_nonnull(inputCert);
+	ck_assert_int_eq(BIO_read_filename(inputCert, certificateFile), 1);
+	apr_byte_t rv = oidc_jwk_pem_bio_to_jwk(pool, inputCert, NULL, &jwkCert, isPrivateKey, &err);
+	ck_assert_msg(rv == TRUE, "oidc_jwk_pem_bio_to_jwk failed: %s\n", oidc_jose_e2s(pool, err));
+	BIO_free(inputCert);
+
+	ck_assert_int_eq(oidc_jwk_to_json(pool, jwk, &json, &err), TRUE);
+	ck_assert_str_eq(
+	    json,
+	    "{\"kty\":\"RSA\",\"kid\":\"IbLjLR7-C1q0-ypkueZxGIJwBQNaLg46DZMpnPW1kps\",\"e\":\"AQAB\",\"n\":"
+	    "\"iGeTXbfV5bMppx7o7qMLCuVIKqbBa_qOzBiNNpe0K8rjg7-1z9GCuSlqbZtM0_5BQ6bGonnSPD--"
+	    "PowhFdivS4WNA33O0Kl1tQ0wdH3TOnwueIO9ahfW4q0BGFvMObneK-tjwiNMj1l-cZt8pvuS-3LtTWIzC-"
+	    "hTZM4caUmy5olm5PVdmru6C6V5rxkbYBPITFSzl5mpuo_C6RV_MYRwAh60ghs2OEvIWDrJkZnYaF7sjHC9j-"
+	    "4kfcM5oY7Zhg8KuHyloudYNzlqjVAPd0MbkLkh1pa8fmHsnN6cgfXYtFK7Z8WjYDUAhTH1JjZCVSFN55A-51dgD4cQNzieLEEkJw\"}");
+	oidc_jwk_destroy(jwk);
+
+	ck_assert_int_eq(oidc_jwk_to_json(pool, jwkCert, &json, &err), TRUE);
+	ck_assert_str_eq(
+	    json, "{\"kty\":\"RSA\",\"kid\":\"IbLjLR7-C1q0-ypkueZxGIJwBQNaLg46DZMpnPW1kps\",\"e\":\"AQAB\",\"n\":"
+		  "\"iGeTXbfV5bMppx7o7qMLCuVIKqbBa_qOzBiNNpe0K8rjg7-1z9GCuSlqbZtM0_5BQ6bGonnSPD--"
+		  "PowhFdivS4WNA33O0Kl1tQ0wdH3TOnwueIO9ahfW4q0BGFvMObneK-tjwiNMj1l-cZt8pvuS-3LtTWIzC-"
+		  "hTZM4caUmy5olm5PVdmru6C6V5rxkbYBPITFSzl5mpuo_C6RV_MYRwAh60ghs2OEvIWDrJkZnYaF7sjHC9j-"
+		  "4kfcM5oY7Zhg8KuHyloudYNzlqjVAPd0MbkLkh1pa8fmHsnN6cgfXYtFK7Z8WjYDUAhTH1JjZCVSFN55A-"
+		  "51dgD4cQNzieLEEkJw\",\"x5c\":[\"MIICnTCCAYUCBgFuk1+"
+		  "FLDANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAd2aW5jZW50MB4XDTE5MTEyMjEzNDcyMVoXDTI5MTEyMjEzNDkwMVowEj"
+		  "EQMA4GA1UEAwwHdmluY2VudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIhnk1231eWzKace6O6jCwrlSCqmw"
+		  "Wv6jswYjTaXtCvK44O/tc/Rgrkpam2bTNP+QUOmxqJ50jw/"
+		  "vj6MIRXYr0uFjQN9ztCpdbUNMHR90zp8LniDvWoX1uKtARhbzDm53ivrY8IjTI9ZfnGbfKb7kvty7U1iMwvoU2TOHGlJsua"
+		  "JZuT1XZq7ugulea8ZG2ATyExUs5eZqbqPwukVfzGEcAIetIIbNjhLyFg6yZGZ2Ghe7IxwvY/"
+		  "uJH3DOaGO2YYPCrh8paLnWDc5ao1QD3dDG5C5IdaWvH5h7JzenIH12LRSu2fFo2A1AIUx9SY2QlUhTeeQPudXYA+"
+		  "HEDc4nixBJCcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAfAo40il4qw7DfOkke0p1ZFAgLQQS3J5hYNDSRvVv+vxkk9o/"
+		  "N++zTMoHbfcDcU5BdVH6Qsr/12PXPX7Ur5WYDq+bWGAK3MAaGtZlmycFeVhoVRfab4TUWUy43H3VyFUNqjGRAVJ/"
+		  "VD1RW3fJ18KrQTN2fcKSd88Jqt5TvjROKghq95+8BQtlhrR/"
+		  "sQVrjgYwc+eU9ljWI56MQXbpHstl9IewMXnusSPxKRTbutjaxzKaoXRTUncPL6ga0SSxOTdKksM4ZYpPnq0B93silb+"
+		  "0qs8aJraGzjAmLE30opfufP+roth19VJxAfYsW5mgAmXP9kEAF+iWB8FB4/"
+		  "Q4noNG8Q==\"],\"x5t#S256\":\"hMVJ55Mqi4uAQIztPKUmL2MSfy6iN1Lr3J1CNGAIBms\",\"x5t\":\"0oN6Bx-"
+		  "eh6VAmNw1I7o3Dd9JPwE\"}");
+	oidc_jwk_destroy(jwkCert);
+
+	inputCert = BIO_new(BIO_s_file());
+	ck_assert_ptr_nonnull(inputCert);
+	ck_assert_int_eq(BIO_read_filename(inputCert, ecCertificateFile), 1);
+	ck_assert_int_eq(oidc_jwk_pem_bio_to_jwk(pool, inputCert, NULL, &jwkCert, isPrivateKey, &err), TRUE);
+	BIO_free(inputCert);
+
+	ck_assert_int_eq(oidc_jwk_to_json(pool, jwkCert, &json, &err), TRUE);
+	ck_assert_str_eq(
+	    json,
+	    "{\"kty\":\"EC\",\"kid\":\"-THDTumMGazABrYTb8xJoYOK2OPiWmho3D-nPC1dSYg\",\"crv\":\"P-521\",\"x\":"
+	    "\"AR6Eh9VhdLEA-rm5WR0_T0LjKysJuBkSoXaR8GjphHvoOTrljcACRsVlTES9FMkbxbNEs4JdxPgPJl9G-e9WEJTe\",\"y\":"
+	    "\"AammgflZaJuSdycK_ccUXkSXjNQd8NsqJuv9LFpk5Ys1OAiirWm6uktXG8ALNSxSffcurBq8zqZyZ141dV6qSzKQ\",\"x5c\":["
+	    "\"MIICBDCCAWagAwIBAgIUdYpkXaCal7IwjHix3n1PP9/"
+	    "O6OcwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIzMDMyMzIwNDU1MFoXDTMzMDMyMDIwNDU1MFowFDESMBAGA1UEA"
+	    "wwJbG9jYWxob3N0MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBHoSH1WF0sQD6ublZHT9PQuMrKwm4GRKhdpHwaOmEe+"
+	    "g5OuWNwAJGxWVMRL0UyRvFs0Szgl3E+A8mX0b571YQlN4BqaaB+Vlom5J3Jwr9xxReRJeM1B3w2yom6/"
+	    "0sWmTlizU4CKKtabq6S1cbwAs1LFJ99y6sGrzOpnJnXjV1XqpLMpCjUzBRMB0GA1UdDgQWBBTKfLLXyRVQpnXFf19Bs7eXRPlRmzAfBgNV"
+	    "HSMEGDAWgBTKfLLXyRVQpnXFf19Bs7eXRPlRmzAPBgNVHRMBAf8EBTADAQH/"
+	    "MAoGCCqGSM49BAMCA4GLADCBhwJBGkoifMDYwsSLSmnnVdFftqTwxrjdgrtPMRzetz/w/"
+	    "D9KkM4Mlufgv5jBXuWcEiP9ray2ZgAGhdkvoOfsc8g1l6ICQgEJ+"
+	    "9R5K2WKlDTEydmiHiSYQHSVyS61PFskm537AqrLVSRu80Sezu2W4m8IF2UbbRZiUPaHPIx9Xe3GdpqIEmPFfA==\"],\"x5t#S256\":"
+	    "\"yCl_u4GL5GrTkf8xvqdF2aixUIhjDdsMFhLUz7O6gVA\",\"x5t\":\"waxmjjAAhxGY5XvH6ufxVxwYGDw\"}");
+	oidc_jwk_destroy(jwkCert);
+}
+END_TEST
+
 START_TEST(test_jwk_list_destroy) {
 	apr_pool_t *pool = oidc_test_pool_get();
 	apr_array_header_t *arr = apr_array_make(pool, 2, sizeof(const oidc_jwk_t *));
@@ -476,6 +601,8 @@ int main(void) {
 	tcase_add_test(core, test_jwk_json_parse_and_jwks);
 	tcase_add_test(core, test_jwk_list_destroy);
 	tcase_add_test(core, test_alg2keysize_and_hdr_get_and_jwt_parse);
+	tcase_add_test(core, test_jwk_json_x5c_parse);
+	tcase_add_test(core, test_jwk_public_key_parse);
 
 	Suite *s = suite_create("jose");
 	suite_add_tcase(s, sup);