Thumbprints not compliant with RFC7517
RFC7517 (sections 4.8 and 4.9) state that the thumbprint parameters are to be the "base64url-encoded SHA-xxx thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate." Normally, this would be the certificate taken from the first element in the "x5c" list.
The most common use of "x5t" and "x5t#S256" is to search for a JWKS entry using thumbprint values in JWS or JWE headers. The current Nimbus implementation (taking the hash of the "required" JWK fields) is not usable in this case since the JWS/JWE creator would not be able to recreate the JWK in order to calculate the needed thumbprint.
Comments (3)
-
-
Note that the JWK thumbprint computation (RFC 7638) is not related to the X.509 cert thumbprint computation.
-
- changed status to invalid
Closing as invalid, x5t != JWK thumbprint.
- Log in to comment
Thanks for this report.
Could you post a snippet demonstrating the issue?
This JWT lib doesn’t set / precompute the JWS header and the JWK "x5t" and "x5t#S256" parameters.