Certificate chain validation when x5c attributes are present
Issue #60
wontfix
Hi there,
While validating the claim I am seeing some validation of the n and e attributes against the key generated from the chain of x5c attributes (if present). But from the chain of x5c attributes it just picks the 0th base64 encoded element.
I am talking about the RsaJsonWebKey.checkForBareKeyCertMismatch() method, comparing the public keys to see if both are the same and then doing further validation.
Is there any logic to perform a full trust chain validation against the chain of certificates contained in the x5c attribute list?
Could you please provide me some example or document, if any is available?
Thanks
Comments (2)

repo owner:

No, there's nothing in the library for doing the certificate chain validation. The checkForBareKeyCertMismatch() is there to enforce the requirement in https://tools.ietf.org/html/rfc7517#section-4.7 that "The key in the first certificate MUST match the public key represented by other members of the JWK." But doing full certificate chain validation (or not), what the trust roots are, revocation checking, etc. is more up to the application using JWK. Take a look at Java's CertPathValidator for "validating certification paths (also known as certificate chains)".

repo owner changed status to wontfix:

Marking as "wontfix" because this is out of scope for the library.
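One way to do what the repo owner's comment suggests, written as an added example for this issue and not jose4j's own code: decode the x5c list into an X509Certificate chain, repeat the first-certificate/bare-key comparison that checkForBareKeyCertMismatch() performs, and then run the chain through the JDK's PKIX CertPathValidator against an explicit trust anchor set, with OCSP/CRL revocation checking switched on by the caller. The class and method names (X5cChainValidation, decodeX5c, bareRsaKey, leafMatchesBareKey, validate) are hypothetical, only JDK APIs are used, and loading anchors from the JVM's default trust store is just a stand-in for whatever PKI the application actually trusts for its token issuers.

```java
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.*;
import java.security.spec.RSAPublicKeySpec;
import java.util.*;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example (hypothetical class, not jose4j code): validating a JWK's x5c chain with PKIX. */
public final class X5cChainValidation {

    /** x5c entries are standard base64 (not base64url) DER, one certificate each, leaf first. */
    public static List<X509Certificate> decodeX5c(List<String> x5c) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        for (String entry : x5c) {
            byte[] der = Base64.getDecoder().decode(entry);
            chain.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
        }
        return chain;
    }

    /** The bare key from the JWK's n and e members: base64url, unsigned big-endian integers. */
    public static PublicKey bareRsaKey(String nB64url, String eB64url) throws Exception {
        BigInteger n = new BigInteger(1, Base64.getUrlDecoder().decode(nB64url));
        BigInteger e = new BigInteger(1, Base64.getUrlDecoder().decode(eB64url));
        return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(n, e));
    }

    /** The RFC 7517 section 4.7 rule that checkForBareKeyCertMismatch() enforces: leaf key == bare key. */
    public static boolean leafMatchesBareKey(List<X509Certificate> chain, PublicKey bareKey) {
        if (chain.isEmpty()) return false;
        return Arrays.equals(chain.get(0).getPublicKey().getEncoded(), bareKey.getEncoded());
    }

    /** Anchors from the JVM's default trust store; a real deployment would load its own KeyStore of issuer roots. */
    public static Set<TrustAnchor> defaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(ca, null));
                }
            }
        }
        return anchors;
    }

    /**
     * Full PKIX path validation: signatures, validity periods, name chaining, basic constraints and,
     * when requested, revocation. Throws CertPathValidatorException on any failure.
     */
    public static PKIXCertPathValidatorResult validate(List<X509Certificate> chain,
                                                       Set<TrustAnchor> anchors,
                                                       boolean checkRevocation) throws Exception {
        if (chain.isEmpty()) throw new CertificateException("empty x5c chain");
        List<X509Certificate> path = new ArrayList<>(chain);
        // A CertPath must not contain the anchor itself; drop a trailing trusted root if the x5c list includes one.
        X509Certificate last = path.get(path.size() - 1);
        for (TrustAnchor a : anchors) {
            if (last.equals(a.getTrustedCert())) { path.remove(path.size() - 1); break; }
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // the explicit checker below is used regardless of this flag
        if (checkRevocation) {
            // JDK PKIXRevocationChecker defaults: OCSP first, CRL fallback, unreachable responder is a hard failure.
            PKIXRevocationChecker rc = (PKIXRevocationChecker) validator.getRevocationChecker();
            params.addCertPathChecker(rc);
        }
        return (PKIXCertPathValidatorResult) validator.validate(certPath, params);
    }

    /** Usage: java X5cChainValidation <n> <e> <x5c[0]> [x5c[1] ...]  (values copied from the JWK JSON). */
    public static void main(String[] args) throws Exception {
        if (args.length < 3) { System.err.println("usage: <n> <e> <x5c[0]> [x5c[1] ...]"); return; }
        List<X509Certificate> chain = decodeX5c(Arrays.asList(args).subList(2, args.length));
        if (!leafMatchesBareKey(chain, bareRsaKey(args[0], args[1]))) {
            throw new CertificateException("x5c[0] public key does not match the JWK's n/e");
        }
        PKIXCertPathValidatorResult result = validate(chain, defaultTrustAnchors(), true);
        System.out.println("chain valid, anchored at "
                + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

Two details trip people up here. The x5c members are plain base64 while n and e are base64url, so the two decoders are not interchangeable. And CertPathValidator rejects a path that ends in the trust anchor itself, which JWKs published with a full chain often do, so the trailing root is stripped before validation rather than treated as part of the path.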