x5c
Registry Context
x5c carries an X.509 certificate chain of one or more certificates for a JWK.
Technical Summary
The JWK "x5c" member is a JSON array of DER-encoded PKIX certificate values using base64 rather than base64url. The first certificate contains the key, which must match the public key represented by the JWK's other members.
When Used
When an X.509 certificate chain accompanies a JWK.
Normative Requirements
Unspecified actor
RFC 7517 - Section 4.6
The JWK "use" member must correspond to the usage specified in the first certificate..
Condition: When "use" is present and the first certificate includes usage information.
MUST correspond to the usage
RFC 7517 - Section 4.6
The JWK "alg" member must correspond to the algorithm specified in the first certificate..
Condition: When "alg" is present with x5c.
MUST correspond to the algorithm
RFC 7517 - Section 4.7
The PKIX certificate containing the key value must be the first certificate in the x5c array..
Condition: When x5c is present.
MUST be the first certificate
RFC 7517 - Section 4.7
The key in the first certificate must match the public key represented by the other JWK members..
Condition: When x5c is present with other members representing the public key.
MUST match the public key
RFC 7517 - Section 4.7
Other JWK members present with x5c must be semantically consistent with the related fields in the first certificate..
Condition: When x5c and other JWK members are present.
MUST be semantically consistent
RFC 7517 - Section 4.7
The first certificate may be followed by additional certificates, with each subsequent certificate being the one used to certify the previous certificate..
Condition: After the first certificate in x5c.
MAY be followed by additional certificates
RFC 7517 - Section 4.7
JWK members providing key usage, algorithm, or other information may also be present..
Condition: When x5c is used.
MAY also be present
RFC 7517 - Section 4.7
Use of the x5c member is optional..
Condition: For a JWK.
Use of this member is OPTIONAL
Validation Guidance
Check that x5c is a JSON array containing one or more base64-encoded, rather than base64url-encoded, DER PKIX certificate values.
Verify that the certificate containing the key value is first in the array.
When additional certificates are supplied, verify that each subsequent certificate certifies the previous certificate.
Verify that the key in the first certificate matches the public key represented by the other JWK members.
Allow x5c to be absent.
Allow key usage, algorithm, and other informational JWK members to accompany x5c.
Verify that all other JWK members are semantically consistent with related fields in the first certificate.
When "use" is present and the certificate includes usage information, verify that the values correspond.
When "alg" is present, verify that it corresponds to the algorithm specified in the certificate.
Reference
Details
- Entry Id
x5c- Parameter Name
x5c- Parameter Description
X.509 Certificate Chain- Used With Kty Value
*- Parameter Information Class
Public- Change Controller
IESG- Reference
RFC7517 - Section 4.7