From eb432571ca6a872fd1a32f8d02860cdff1a613eb Mon Sep 17 00:00:00 2001
From: AJ ONeal <coolaj86@gmail.com>
Date: Tue, 28 Jul 2020 16:02:42 -0600
Subject: [PATCH] Bugfix jwk / kid mutually exclusive

See https://git.rootprojects.org/root/greenlock-express.js/issues/38
---
 package-lock.json | 18 +++++++++---------
 package.json      |  4 ++--
 utils.js          | 11 ++++++-----
 3 files changed, 17 insertions(+), 16 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 33611a5..93e2e21 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -28,9 +28,9 @@
 			"integrity": "sha512-OaEub02ufoU038gy6bsNHQOjIn8nUjGiLcaRmJ40IUykneJkIW5fxDqKxQx48cszuNflYldsJLPPXCrGfHs8yQ=="
 		},
 		"@root/keypairs": {
-			"version": "0.9.0",
-			"resolved": "https://registry.npmjs.org/@root/keypairs/-/keypairs-0.9.0.tgz",
-			"integrity": "sha512-NXE2L9Gv7r3iC4kB/gTPZE1vO9Ox/p14zDzAJ5cGpTpytbWOlWF7QoHSJbtVX4H7mRG/Hp7HR3jWdWdb2xaaXg==",
+			"version": "0.10.0",
+			"resolved": "https://registry.npmjs.org/@root/keypairs/-/keypairs-0.10.0.tgz",
+			"integrity": "sha512-t8VocY46Mtb0NTsxzyLLf5tsgfw0BXLYVADAyiRdEdqHcvPFGJdjkXNtHVQuSV/FMaC65iTOHVP4E6X8iT3Ikg==",
 			"requires": {
 				"@root/encoding": "^1.0.1",
 				"@root/pem": "^1.0.4",
@@ -43,9 +43,9 @@
 			"integrity": "sha512-rEUDiUsHtild8GfIjFE9wXtcVxeS+ehCJQBwbQQ3IVfORKHK93CFnRtkr69R75lZFjcmKYVc+AXDB+AeRFOULA=="
 		},
 		"@root/request": {
-			"version": "1.3.11",
-			"resolved": "https://registry.npmjs.org/@root/request/-/request-1.3.11.tgz",
-			"integrity": "sha512-3a4Eeghcjsfe6zh7EJ+ni1l8OK9Fz2wL1OjP4UCa0YdvtH39kdXB9RGWuzyNv7dZi0+Ffkc83KfH0WbPMiuJFw=="
+			"version": "1.6.1",
+			"resolved": "https://registry.npmjs.org/@root/request/-/request-1.6.1.tgz",
+			"integrity": "sha512-8wrWyeBLRp7T8J36GkT3RODJ6zYmL0/maWlAUD5LOXT28D3TDquUepyYDKYANNA3Gc8R5ZCgf+AXvSTYpJEWwQ=="
 		},
 		"@root/x509": {
 			"version": "0.7.2",
@@ -152,9 +152,9 @@
 			"dev": true
 		},
 		"glob": {
-			"version": "7.1.5",
-			"resolved": "https://registry.npmjs.org/glob/-/glob-7.1.5.tgz",
-			"integrity": "sha512-J9dlskqUXK1OeTOYBEn5s8aMukWMwWfs+rPTn/jn50Ux4MNXVhubL1wu/j2t+H4NVI+cXEcCaYellqaPVGXNqQ==",
+			"version": "7.1.6",
+			"resolved": "https://registry.npmjs.org/glob/-/glob-7.1.6.tgz",
+			"integrity": "sha512-LwaxwyZ72Lk7vZINtNNrywX0ZuLyStrdDtabefZKAY5ZGJhVtgdznluResxNmPitE0SAO+O26sWTHeKSI2wMBA==",
 			"dev": true,
 			"requires": {
 				"fs.realpath": "^1.0.0",
diff --git a/package.json b/package.json
index bfdc53a..3e1377d 100644
--- a/package.json
+++ b/package.json
@@ -44,9 +44,9 @@
 	"dependencies": {
 		"@root/csr": "^0.8.1",
 		"@root/encoding": "^1.0.1",
-		"@root/keypairs": "^0.9.0",
+		"@root/keypairs": "^0.10.0",
 		"@root/pem": "^1.0.4",
-		"@root/request": "^1.3.11",
+		"@root/request": "^1.6.1",
 		"@root/x509": "^0.7.2"
 	},
 	"devDependencies": {
diff --git a/utils.js b/utils.js
index 806fed5..5c0d1bc 100644
--- a/utils.js
+++ b/utils.js
@@ -11,11 +11,12 @@ U._jwsRequest = function (me, bigopts) {
 		bigopts.protected.nonce = nonce;
 		bigopts.protected.url = bigopts.url;
 		// protected.alg: added by Keypairs.signJws
-		if (!bigopts.protected.jwk) {
-			// protected.kid must be overwritten due to ACME's interpretation of the spec
-			if (!('kid' in bigopts.protected)) {
-				bigopts.protected.kid = bigopts.kid;
-			}
+		if (bigopts.protected.jwk) {
+			bigopts.protected.kid = false;
+		} else if (!('kid' in bigopts.protected)) {
+			// protected.kid must be provided according to ACME's interpretation of the spec
+			// (using the provided URL rather than the Key's Thumbprint as Key ID)
+			bigopts.protected.kid = bigopts.kid;
 		}
 
 		// this will shasum the thumbprint the 2nd time