oauth2.dev

x5c

IESG

Registry Context

x5c carries an X.509 certificate chain of one or more certificates for a JWK.

Technical Summary

The JWK "x5c" member is a JSON array of DER-encoded PKIX certificate values using base64 rather than base64url. The first certificate contains the key, which must match the public key represented by the JWK's other members.

When Used

When an X.509 certificate chain accompanies a JWK.

Normative Requirements

Unspecified actor

MUST
5
  1. RFC 7517 - Section 4.6

    The JWK "use" member must correspond to the usage specified in the first certificate..

    Condition: When "use" is present and the first certificate includes usage information.

    MUST correspond to the usage

  2. RFC 7517 - Section 4.6

    The JWK "alg" member must correspond to the algorithm specified in the first certificate..

    Condition: When "alg" is present with x5c.

    MUST correspond to the algorithm

  3. RFC 7517 - Section 4.7

    The PKIX certificate containing the key value must be the first certificate in the x5c array..

    Condition: When x5c is present.

    MUST be the first certificate

  4. RFC 7517 - Section 4.7

    The key in the first certificate must match the public key represented by the other JWK members..

    Condition: When x5c is present with other members representing the public key.

    MUST match the public key

  5. RFC 7517 - Section 4.7

    Other JWK members present with x5c must be semantically consistent with the related fields in the first certificate..

    Condition: When x5c and other JWK members are present.

    MUST be semantically consistent

MAY
2
  1. RFC 7517 - Section 4.7

    The first certificate may be followed by additional certificates, with each subsequent certificate being the one used to certify the previous certificate..

    Condition: After the first certificate in x5c.

    MAY be followed by additional certificates

  2. RFC 7517 - Section 4.7

    JWK members providing key usage, algorithm, or other information may also be present..

    Condition: When x5c is used.

    MAY also be present

OPTIONAL
1
  1. RFC 7517 - Section 4.7

    Use of the x5c member is optional..

    Condition: For a JWK.

    Use of this member is OPTIONAL

Validation Guidance

error

Check that x5c is a JSON array containing one or more base64-encoded, rather than base64url-encoded, DER PKIX certificate values.

error

Verify that the certificate containing the key value is first in the array.

error

When additional certificates are supplied, verify that each subsequent certificate certifies the previous certificate.

error

Verify that the key in the first certificate matches the public key represented by the other JWK members.

info

Allow x5c to be absent.

info

Allow key usage, algorithm, and other informational JWK members to accompany x5c.

error

Verify that all other JWK members are semantically consistent with related fields in the first certificate.

error

When "use" is present and the certificate includes usage information, verify that the values correspond.

error

When "alg" is present, verify that it corresponds to the algorithm specified in the certificate.

Reference

Details

Entry Id
x5c
Parameter Name
x5c
Parameter Description
X.509 Certificate Chain
Used With Kty Value
*
Parameter Information Class
Public
Change Controller
IESG
Reference
RFC7517 - Section 4.7