From 016d87b8393730146fdb1426de9be0142662ee59 Mon Sep 17 00:00:00 2001
From: AJ ONeal <coolaj86@gmail.com>
Date: Tue, 28 Jul 2020 15:44:03 -0600
Subject: [PATCH] Bugfixed protected.{kid,jwk} logic.

See https://git.rootprojects.org/root/greenlock-express.js/issues/38
---
 keypairs.js | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/keypairs.js b/keypairs.js
index dcad854..9775a61 100644
--- a/keypairs.js
+++ b/keypairs.js
@@ -218,7 +218,7 @@ Keypairs.signJwt = function (opts) {
 		var claims = JSON.parse(JSON.stringify(opts.claims || {}));
 		header.typ = 'JWT';
 
-		if (!header.kid && false !== header.kid) {
+		if (!header.kid && !header.jwk && false !== header.kid) {
 			header.kid = thumb;
 		}
 		if (!header.alg && opts.alg) {
@@ -294,11 +294,15 @@ Keypairs.signJws = function (opts) {
 				if (!protect.alg) {
 					protect.alg = alg();
 				}
+
 				// There's a particular request where ACME / Let's Encrypt explicitly doesn't use a kid
-				if (false === protect.kid) {
-					protect.kid = undefined;
-				} else if (!protect.kid) {
-					protect.kid = thumb;
+				// There should be a kid unless it's `false` or there's a `jwk` (a self-signed JWS)
+				if (!protect.kid) {
+					if (false === protect.kid) {
+						protect.kid = undefined;
+					} else if (!protect.jwk) {
+						protect.kid = thumb;
+					}
 				}
 				protectedHeader = JSON.stringify(protect);
 			}