encoding the thumbprint is not part of the RFC

so better return just the raw digest and let the consumer decide how to proceed

frontend/src/common/crypto.ts

@@ -483,7 +483,7 @@ export async function getFingerprint(key: string | undefined) {
  * @param key A key to compute the thumbprint for
  * @throws Error if the key is not supported
  */
-export async function getJwkThumbprint(key: JsonWebKey | CryptoKey): Promise<string> {
+export async function getJwkThumbprint(key: JsonWebKey | CryptoKey): Promise<Uint8Array> {
   let jwk: JsonWebKey;
   if (key instanceof CryptoKey) {
     jwk = await crypto.subtle.exportKey('jwk', key);
@@ -505,6 +505,5 @@ export async function getJwkThumbprint(key: JsonWebKey | CryptoKey): Promise<str
     default: throw new Error('Unsupported key type');
   }
   const bytes = new TextEncoder().encode(orderedJson);
-  const hashBuffer = await crypto.subtle.digest('SHA-256', bytes);
-  return base64url.stringify(new Uint8Array(hashBuffer), { pad: false });
+  return new Uint8Array(await crypto.subtle.digest('SHA-256', bytes));
 }

frontend/test/common/crypto.spec.ts

@@ -1,7 +1,7 @@
 import { use as chaiUse, expect } from 'chai';
 import chaiAsPromised from 'chai-as-promised';
 import { before, describe } from 'mocha';
-import { base64 } from 'rfc4648';
+import { base64, base64url } from 'rfc4648';
 import { UnwrapKeyError, UserKeys, VaultKeys, getJwkThumbprint } from '../../src/common/crypto';
 
 chaiUse(chaiAsPromised);
@@ -252,7 +252,7 @@ describe('crypto', () => {
 
       const thumbprint = await getJwkThumbprint(input);
 
-      expect(thumbprint).to.eq('NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs');
+      expect(base64url.stringify(thumbprint, { pad: false })).to.eq('NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs');
     });
 
   });