x5t#S256
Registry Context
This optional JWK parameter contains the base64url-encoded SHA-256 thumbprint of the DER encoding of an X.509 certificate. The certificate key must match the JWK public key, and any additional JWK metadata must be consistent with related certificate fields.
Technical Summary
RFC 7517 Section 4.9 defines "x5t#S256" as a base64url-encoded SHA-256 digest of the DER encoding of an X.509 certificate. Use of the member is OPTIONAL. The certificate key MUST match the public key represented by other JWK members. Other key-usage, algorithm, or informational members MAY be included, but their contents MUST be semantically consistent with related certificate fields.
When Used
Use this member to identify an X.509 certificate associated with a JWK by its SHA-256 thumbprint.
Normative Requirements
JWK producer
RFC 7517 - Section 4.9
include optional JWK members providing key usage, algorithm, or other information.
Condition: when the "x5t#S256" member is used
optional JWK members providing key usage, algorithm, or other information MAY also be present
RFC 7517 - Section 4.9
include the "x5t#S256" member.
Use of this member is OPTIONAL.
the contents of other JWK members
RFC 7517 - Section 4.9
be semantically consistent with related fields in the referenced certificate.
Condition: if other members are present
the contents of those members MUST be semantically consistent with the related fields in the referenced certificate.
the key in the certificate
RFC 7517 - Section 4.9
match the public key represented by other members of the JWK.
The key in the certificate MUST match the public key represented by other members of the JWK.
Validation Guidance
Allow "x5t#S256" to be absent.
When the referenced certificate is available, verify that its key matches the public key represented by the JWK.
Permit additional key-usage, algorithm, or informational JWK members when "x5t#S256" is present.
Reject additional JWK members whose contents are not semantically consistent with related fields in the referenced certificate.
Verify that "x5t#S256" is a base64url-encoded SHA-256 digest of the DER encoding of the referenced X.509 certificate.
Reference
Details
- Entry Id
x5t#S256- Parameter Name
x5t#S256- Parameter Description
X.509 Certificate SHA-256 Thumbprint- Used With Kty Value
*- Parameter Information Class
Public- Change Controller
IESG- Reference
RFC7517 - Section 4.9