Private/Get-KeyAuthorization.ps1

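function Get-KeyAuthorization {
    <#
    .SYNOPSIS
        Build the ACME key authorization string for a challenge token.
    .DESCRIPTION
        Joins the challenge token and the base64url-encoded SHA-256 hash of
        the account's public JWK with a "." character.
    .PARAMETER Account
        Account object tagged with the PoshACME.PAAccount type name. Only its
        'key' property is read here.
    .PARAMETER Token
        Challenge token. It is used verbatim as the left-hand side of the
        result.
    .OUTPUTS
        System.String. The value "<Token>.<thumbprint>".
    #>
    [CmdletBinding()]
    [OutputType('System.String')]
    param(
        [Parameter(Mandatory,Position=0)]
        [PSTypeName('PoshACME.PAAccount')]$Account,
        [Parameter(Mandatory,Position=1)]
        [string]$Token
    )

    # https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-8.1
    # (the draft was later published as RFC 8555; key authorizations are
    # covered in its section 8.1)

    # A key authorization is a string that expresses
    # a domain holder's authorization for a specified key to satisfy a
    # specified challenge, by concatenating the token for the challenge
    # with a key fingerprint, separated by a "." character:

    # keyAuthorization = token || '.' || base64url(JWK_Thumbprint(accountKey))

    # The "JWK_Thumbprint" step indicates the computation specified in
    # [RFC7638], using the SHA-256 digest [FIPS180-4]. As noted in
    # [RFC7518] any prepended zero octets in the fields of a JWK object
    # MUST be stripped before doing the computation.

    # As specified in the individual challenges below, the token for a
    # challenge is a string comprised entirely of characters in the URL-
    # safe base64 alphabet. The "||" operator indicates concatenation of
    # strings.

    # NOTE(review): $Token is not checked against the URL-safe base64
    # alphabet in this function. The token originates from the ACME server's
    # response, so callers that place the token or the returned string into a
    # file path, URL or DNS record should validate it before doing so.

    # hydrate the account key
    $acctKey = $Account.key | ConvertFrom-Jwk

    # create the key thumbprint
    # NOTE(review): RFC 7638 hashes a canonical JSON form (required members
    # only, lexicographic order, no whitespace). This presumably relies on
    # ConvertTo-Jwk -PublicOnly -AsJson emitting exactly that form; confirm
    # against that helper.
    $pubJwk = $acctKey | ConvertTo-Jwk -PublicOnly -AsJson
    $jwkBytes = [Text.Encoding]::UTF8.GetBytes($pubJwk)

    # SHA256 implements IDisposable; release it even if hashing or encoding
    # throws, instead of leaving the handle to the garbage collector.
    $sha256 = [Security.Cryptography.SHA256]::Create()
    try {
        $jwkHash = $sha256.ComputeHash($jwkBytes)
        $thumb = ConvertTo-Base64Url $jwkHash
    }
    finally {
        $sha256.Dispose()
    }

    # append it to the token to make the key authorization
    $keyAuth = "$Token.$thumb"

    return $keyAuth
}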