Thumbprints not compliant with RFC7517

Issue #365 invalid
Former user created an issue

RFC7517 (sections 4.8 and 4.9) state that the thumbprint parameters are to be the "base64url-encoded SHA-xxx thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate." Normally, this would be the certificate taken from the first element in the "x5c" list.

The most common use of "x5t" and "x5t#S256" is to search for a JWKS entry using thumbprint values in JWS or JWE headers. The current Nimbus implementation (taking the hash of the "required" JWK fields) is not usable in this case since the JWS/JWE creator would not be able to recreate the JWK in order to calculate the needed thumbprint.

Comments (3)

  1. Yavor Vasilev

    Thanks for this report.

    Could you post a snippet demonstrating the issue?

    This JWT lib doesn’t set / precompute the JWS header and the JWK "x5t" and "x5t#S256" parameters.

  2. Log in to comment