summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc7515.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc7515.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc7515.txt')
-rw-r--r--doc/rfc/rfc7515.txt3307
1 files changed, 3307 insertions, 0 deletions
diff --git a/doc/rfc/rfc7515.txt b/doc/rfc/rfc7515.txt
new file mode 100644
index 0000000..5ffc978
--- /dev/null
+++ b/doc/rfc/rfc7515.txt
@@ -0,0 +1,3307 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) M. Jones
+Request for Comments: 7515 Microsoft
+Category: Standards Track J. Bradley
+ISSN: 2070-1721 Ping Identity
+ N. Sakimura
+ NRI
+ May 2015
+
+
+ JSON Web Signature (JWS)
+
+Abstract
+
+ JSON Web Signature (JWS) represents content secured with digital
+ signatures or Message Authentication Codes (MACs) using JSON-based
+ data structures. Cryptographic algorithms and identifiers for use
+ with this specification are described in the separate JSON Web
+ Algorithms (JWA) specification and an IANA registry defined by that
+ specification. Related encryption capabilities are described in the
+ separate JSON Web Encryption (JWE) specification.
+
+Status of This Memo
+
+ This is an Internet Standards Track document.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ Internet Standards is available in Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc7515.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jones, et al. Standards Track [Page 1]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+Copyright Notice
+
+ Copyright (c) 2015 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+Table of Contents
+
+ 1. Introduction ....................................................4
+ 1.1. Notational Conventions .....................................4
+ 2. Terminology .....................................................5
+ 3. JSON Web Signature (JWS) Overview ...............................7
+ 3.1. JWS Compact Serialization Overview .........................7
+ 3.2. JWS JSON Serialization Overview ............................8
+ 3.3. Example JWS ................................................8
+ 4. JOSE Header .....................................................9
+ 4.1. Registered Header Parameter Names .........................10
+ 4.1.1. "alg" (Algorithm) Header Parameter .................10
+ 4.1.2. "jku" (JWK Set URL) Header Parameter ...............10
+ 4.1.3. "jwk" (JSON Web Key) Header Parameter ..............11
+ 4.1.4. "kid" (Key ID) Header Parameter ....................11
+ 4.1.5. "x5u" (X.509 URL) Header Parameter .................11
+ 4.1.6. "x5c" (X.509 Certificate Chain) Header Parameter ...11
+ 4.1.7. "x5t" (X.509 Certificate SHA-1 Thumbprint)
+ Header Parameter ...................................12
+ 4.1.8. "x5t#S256" (X.509 Certificate SHA-256
+ Thumbprint) Header Parameter .......................12
+ 4.1.9. "typ" (Type) Header Parameter ......................12
+ 4.1.10. "cty" (Content Type) Header Parameter .............13
+ 4.1.11. "crit" (Critical) Header Parameter ................14
+ 4.2. Public Header Parameter Names .............................14
+ 4.3. Private Header Parameter Names ............................14
+ 5. Producing and Consuming JWSs ...................................15
+ 5.1. Message Signature or MAC Computation ......................15
+ 5.2. Message Signature or MAC Validation .......................16
+ 5.3. String Comparison Rules ...................................17
+ 6. Key Identification .............................................18
+
+
+
+
+
+Jones, et al. Standards Track [Page 2]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ 7. Serializations .................................................19
+ 7.1. JWS Compact Serialization .................................19
+ 7.2. JWS JSON Serialization ....................................19
+ 7.2.1. General JWS JSON Serialization Syntax ..............20
+ 7.2.2. Flattened JWS JSON Serialization Syntax ............21
+ 8. TLS Requirements ...............................................22
+ 9. IANA Considerations ............................................22
+ 9.1. JSON Web Signature and Encryption Header
+ Parameters Registry .......................................23
+ 9.1.1. Registration Template ..............................23
+ 9.1.2. Initial Registry Contents ..........................24
+ 9.2. Media Type Registration ...................................26
+ 9.2.1. Registry Contents ..................................26
+ 10. Security Considerations .......................................27
+ 10.1. Key Entropy and Random Values ............................27
+ 10.2. Key Protection ...........................................28
+ 10.3. Key Origin Authentication ................................28
+ 10.4. Cryptographic Agility ....................................28
+ 10.5. Differences between Digital Signatures and MACs ..........28
+ 10.6. Algorithm Validation .....................................29
+ 10.7. Algorithm Protection .....................................29
+ 10.8. Chosen Plaintext Attacks .................................30
+ 10.9. Timing Attacks ...........................................30
+ 10.10. Replay Protection .......................................30
+ 10.11. SHA-1 Certificate Thumbprints ...........................30
+ 10.12. JSON Security Considerations ............................31
+ 10.13. Unicode Comparison Security Considerations ..............31
+ 11. References ....................................................32
+ 11.1. Normative References .....................................32
+ 11.2. Informative References ...................................34
+ Appendix A. JWS Examples .........................................36
+ A.1. Example JWS Using HMAC SHA-256 ............................36
+ A.1.1. Encoding ..............................................36
+ A.1.2. Validating ............................................38
+ A.2. Example JWS Using RSASSA-PKCS1-v1_5 SHA-256 ...............38
+ A.2.1. Encoding ..............................................38
+ A.2.2. Validating ............................................42
+ A.3. Example JWS Using ECDSA P-256 SHA-256 .....................42
+ A.3.1. Encoding ..............................................42
+ A.3.2. Validating ............................................44
+ A.4. Example JWS Using ECDSA P-521 SHA-512 .....................45
+ A.4.1. Encoding ..............................................45
+ A.4.2. Validating ............................................47
+ A.5. Example Unsecured JWS .....................................47
+ A.6. Example JWS Using General JWS JSON Serialization ..........48
+ A.6.1. JWS Per-Signature Protected Headers ...................48
+ A.6.2. JWS Per-Signature Unprotected Headers .................49
+ A.6.3. Complete JOSE Header Values ...........................49
+
+
+
+Jones, et al. Standards Track [Page 3]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ A.6.4. Complete JWS JSON Serialization Representation ........50
+ A.7. Example JWS Using Flattened JWS JSON Serialization ........51
+ Appendix B. "x5c" (X.509 Certificate Chain) Example ..............52
+ Appendix C. Notes on Implementing base64url Encoding without
+ Padding ..............................................54
+ Appendix D. Notes on Key Selection ...............................55
+ Appendix E. Negative Test Case for "crit" Header Parameter .......57
+ Appendix F. Detached Content .....................................57
+ Acknowledgements ..................................................58
+ Authors' Addresses ................................................58
+
+1. Introduction
+
+ JSON Web Signature (JWS) represents content secured with digital
+ signatures or Message Authentication Codes (MACs) using JSON-based
+ [RFC7159] data structures. The JWS cryptographic mechanisms provide
+ integrity protection for an arbitrary sequence of octets. See
+ Section 10.5 for a discussion on the differences between digital
+ signatures and MACs.
+
+ Two closely related serializations for JWSs are defined. The JWS
+ Compact Serialization is a compact, URL-safe representation intended
+ for space-constrained environments such as HTTP Authorization headers
+ and URI query parameters. The JWS JSON Serialization represents JWSs
+ as JSON objects and enables multiple signatures and/or MACs to be
+ applied to the same content. Both share the same cryptographic
+ underpinnings.
+
+ Cryptographic algorithms and identifiers for use with this
+ specification are described in the separate JSON Web Algorithms (JWA)
+ [JWA] specification and an IANA registry defined by that
+ specification. Related encryption capabilities are described in the
+ separate JSON Web Encryption (JWE) [JWE] specification.
+
+ Names defined by this specification are short because a core goal is
+ for the resulting representations to be compact.
+
+1.1. Notational Conventions
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
+ "OPTIONAL" in this document are to be interpreted as described in
+ "Key words for use in RFCs to Indicate Requirement Levels" [RFC2119].
+ The interpretation should only be applied when the terms appear in
+ all capital letters.
+
+ BASE64URL(OCTETS) denotes the base64url encoding of OCTETS, per
+ Section 2.
+
+
+
+Jones, et al. Standards Track [Page 4]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ UTF8(STRING) denotes the octets of the UTF-8 [RFC3629] representation
+ of STRING, where STRING is a sequence of zero or more Unicode
+ [UNICODE] characters.
+
+ ASCII(STRING) denotes the octets of the ASCII [RFC20] representation
+ of STRING, where STRING is a sequence of zero or more ASCII
+ characters.
+
+ The concatenation of two values A and B is denoted as A || B.
+
+2. Terminology
+
+ These terms are defined by this specification:
+
+ JSON Web Signature (JWS)
+ A data structure representing a digitally signed or MACed message.
+
+ JOSE Header
+ JSON object containing the parameters describing the cryptographic
+ operations and parameters employed. The JOSE (JSON Object Signing
+ and Encryption) Header is comprised of a set of Header Parameters.
+
+ JWS Payload
+ The sequence of octets to be secured -- a.k.a. the message. The
+ payload can contain an arbitrary sequence of octets.
+
+ JWS Signature
+ Digital signature or MAC over the JWS Protected Header and the JWS
+ Payload.
+
+ Header Parameter
+ A name/value pair that is member of the JOSE Header.
+
+ JWS Protected Header
+ JSON object that contains the Header Parameters that are integrity
+ protected by the JWS Signature digital signature or MAC operation.
+ For the JWS Compact Serialization, this comprises the entire JOSE
+ Header. For the JWS JSON Serialization, this is one component of
+ the JOSE Header.
+
+ JWS Unprotected Header
+ JSON object that contains the Header Parameters that are not
+ integrity protected. This can only be present when using the JWS
+ JSON Serialization.
+
+
+
+
+
+
+
+Jones, et al. Standards Track [Page 5]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ Base64url Encoding
+ Base64 encoding using the URL- and filename-safe character set
+ defined in Section 5 of RFC 4648 [RFC4648], with all trailing '='
+ characters omitted (as permitted by Section 3.2) and without the
+ inclusion of any line breaks, whitespace, or other additional
+ characters. Note that the base64url encoding of the empty octet
+ sequence is the empty string. (See Appendix C for notes on
+ implementing base64url encoding without padding.)
+
+ JWS Signing Input
+ The input to the digital signature or MAC computation. Its value
+ is ASCII(BASE64URL(UTF8(JWS Protected Header)) || '.' ||
+ BASE64URL(JWS Payload)).
+
+ JWS Compact Serialization
+ A representation of the JWS as a compact, URL-safe string.
+
+ JWS JSON Serialization
+ A representation of the JWS as a JSON object. Unlike the JWS
+ Compact Serialization, the JWS JSON Serialization enables multiple
+ digital signatures and/or MACs to be applied to the same content.
+ This representation is neither optimized for compactness nor URL-
+ safe.
+
+ Unsecured JWS
+ A JWS that provides no integrity protection. Unsecured JWSs use
+ the "alg" value "none".
+
+ Collision-Resistant Name
+ A name in a namespace that enables names to be allocated in a
+ manner such that they are highly unlikely to collide with other
+ names. Examples of collision-resistant namespaces include: Domain
+ Names, Object Identifiers (OIDs) as defined in the ITU-T X.660 and
+ X.670 Recommendation series, and Universally Unique IDentifiers
+ (UUIDs) [RFC4122]. When using an administratively delegated
+ namespace, the definer of a name needs to take reasonable
+ precautions to ensure they are in control of the portion of the
+ namespace they use to define the name.
+
+ StringOrURI
+ A JSON string value, with the additional requirement that while
+ arbitrary string values MAY be used, any value containing a ":"
+ character MUST be a URI [RFC3986]. StringOrURI values are
+ compared as case-sensitive strings with no transformations or
+ canonicalizations applied.
+
+
+
+
+
+
+Jones, et al. Standards Track [Page 6]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ The terms "JSON Web Encryption (JWE)", "JWE Compact Serialization",
+ and "JWE JSON Serialization" are defined by the JWE specification
+ [JWE].
+
+ The terms "Digital Signature" and "Message Authentication Code (MAC)"
+ are defined by the "Internet Security Glossary, Version 2" [RFC4949].
+
+3. JSON Web Signature (JWS) Overview
+
+ JWS represents digitally signed or MACed content using JSON data
+ structures and base64url encoding. These JSON data structures MAY
+ contain whitespace and/or line breaks before or after any JSON values
+ or structural characters, in accordance with Section 2 of RFC 7159
+ [RFC7159]. A JWS represents these logical values (each of which is
+ defined in Section 2):
+
+ o JOSE Header
+ o JWS Payload
+ o JWS Signature
+
+ For a JWS, the JOSE Header members are the union of the members of
+ these values (each of which is defined in Section 2):
+
+ o JWS Protected Header
+ o JWS Unprotected Header
+
+ This document defines two serializations for JWSs: a compact, URL-
+ safe serialization called the JWS Compact Serialization and a JSON
+ serialization called the JWS JSON Serialization. In both
+ serializations, the JWS Protected Header, JWS Payload, and JWS
+ Signature are base64url encoded, since JSON lacks a way to directly
+ represent arbitrary octet sequences.
+
+3.1. JWS Compact Serialization Overview
+
+ In the JWS Compact Serialization, no JWS Unprotected Header is used.
+ In this case, the JOSE Header and the JWS Protected Header are the
+ same.
+
+ In the JWS Compact Serialization, a JWS is represented as the
+ concatenation:
+
+ BASE64URL(UTF8(JWS Protected Header)) || '.' ||
+ BASE64URL(JWS Payload) || '.' ||
+ BASE64URL(JWS Signature)
+
+ See Section 7.1 for more information about the JWS Compact
+ Serialization.
+
+
+
+Jones, et al. Standards Track [Page 7]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+3.2. JWS JSON Serialization Overview
+
+ In the JWS JSON Serialization, one or both of the JWS Protected
+ Header and JWS Unprotected Header MUST be present. In this case, the
+ members of the JOSE Header are the union of the members of the JWS
+ Protected Header and the JWS Unprotected Header values that are
+ present.
+
+ In the JWS JSON Serialization, a JWS is represented as a JSON object
+ containing some or all of these four members:
+
+ o "protected", with the value BASE64URL(UTF8(JWS Protected Header))
+ o "header", with the value JWS Unprotected Header
+ o "payload", with the value BASE64URL(JWS Payload)
+ o "signature", with the value BASE64URL(JWS Signature)
+
+ The three base64url-encoded result strings and the JWS Unprotected
+ Header value are represented as members within a JSON object. The
+ inclusion of some of these values is OPTIONAL. The JWS JSON
+ Serialization can also represent multiple signature and/or MAC
+ values, rather than just one. See Section 7.2 for more information
+ about the JWS JSON Serialization.
+
+3.3. Example JWS
+
+ This section provides an example of a JWS. Its computation is
+ described in more detail in Appendix A.1, including specifying the
+ exact octet sequences representing the JSON values used and the key
+ value used.
+
+ The following example JWS Protected Header declares that the encoded
+ object is a JSON Web Token [JWT] and the JWS Protected Header and the
+ JWS Payload are secured using the HMAC SHA-256 [RFC2104] [SHS]
+ algorithm:
+
+ {"typ":"JWT",
+ "alg":"HS256"}
+
+ Encoding this JWS Protected Header as BASE64URL(UTF8(JWS Protected
+ Header)) gives this value:
+
+ eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
+
+ The UTF-8 representation of the following JSON object is used as the
+ JWS Payload. (Note that the payload can be any content and need not
+ be a representation of a JSON object.)
+
+
+
+
+
+Jones, et al. Standards Track [Page 8]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ {"iss":"joe",
+ "exp":1300819380,
+ "http://example.com/is_root":true}
+
+ Encoding this JWS Payload as BASE64URL(JWS Payload) gives this value
+ (with line breaks for display purposes only):
+
+ eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
+ cGxlLmNvbS9pc19yb290Ijp0cnVlfQ
+
+ Computing the HMAC of the JWS Signing Input ASCII(BASE64URL(UTF8(JWS
+ Protected Header)) || '.' || BASE64URL(JWS Payload)) with the HMAC
+ SHA-256 algorithm using the key specified in Appendix A.1 and
+ base64url-encoding the result yields this BASE64URL(JWS Signature)
+ value:
+
+ dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
+
+ Concatenating these values in the order Header.Payload.Signature with
+ period ('.') characters between the parts yields this complete JWS
+ representation using the JWS Compact Serialization (with line breaks
+ for display purposes only):
+
+ eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
+ .
+ eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
+ cGxlLmNvbS9pc19yb290Ijp0cnVlfQ
+ .
+ dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
+
+ See Appendix A for additional examples, including examples using the
+ JWS JSON Serialization in Sections A.6 and A.7.
+
+4. JOSE Header
+
+ For a JWS, the members of the JSON object(s) representing the JOSE
+ Header describe the digital signature or MAC applied to the JWS
+ Protected Header and the JWS Payload and optionally additional
+ properties of the JWS. The Header Parameter names within the JOSE
+ Header MUST be unique; JWS parsers MUST either reject JWSs with
+ duplicate Header Parameter names or use a JSON parser that returns
+ only the lexically last duplicate member name, as specified in
+ Section 15.12 ("The JSON Object") of ECMAScript 5.1 [ECMAScript].
+
+ Implementations are required to understand the specific Header
+ Parameters defined by this specification that are designated as "MUST
+ be understood" and process them in the manner defined in this
+ specification. All other Header Parameters defined by this
+
+
+
+Jones, et al. Standards Track [Page 9]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ specification that are not so designated MUST be ignored when not
+ understood. Unless listed as a critical Header Parameter, per
+ Section 4.1.11, all Header Parameters not defined by this
+ specification MUST be ignored when not understood.
+
+ There are three classes of Header Parameter names: Registered Header
+ Parameter names, Public Header Parameter names, and Private Header
+ Parameter names.
+
+4.1. Registered Header Parameter Names
+
+ The following Header Parameter names for use in JWSs are registered
+ in the IANA "JSON Web Signature and Encryption Header Parameters"
+ registry established by Section 9.1, with meanings as defined in the
+ subsections below.
+
+ As indicated by the common registry, JWSs and JWEs share a common
+ Header Parameter space; when a parameter is used by both
+ specifications, its usage must be compatible between the
+ specifications.
+
+4.1.1. "alg" (Algorithm) Header Parameter
+
+ The "alg" (algorithm) Header Parameter identifies the cryptographic
+ algorithm used to secure the JWS. The JWS Signature value is not
+ valid if the "alg" value does not represent a supported algorithm or
+ if there is not a key for use with that algorithm associated with the
+ party that digitally signed or MACed the content. "alg" values
+ should either be registered in the IANA "JSON Web Signature and
+ Encryption Algorithms" registry established by [JWA] or be a value
+ that contains a Collision-Resistant Name. The "alg" value is a case-
+ sensitive ASCII string containing a StringOrURI value. This Header
+ Parameter MUST be present and MUST be understood and processed by
+ implementations.
+
+ A list of defined "alg" values for this use can be found in the IANA
+ "JSON Web Signature and Encryption Algorithms" registry established
+ by [JWA]; the initial contents of this registry are the values
+ defined in Section 3.1 of [JWA].
+
+4.1.2. "jku" (JWK Set URL) Header Parameter
+
+ The "jku" (JWK Set URL) Header Parameter is a URI [RFC3986] that
+ refers to a resource for a set of JSON-encoded public keys, one of
+ which corresponds to the key used to digitally sign the JWS. The
+ keys MUST be encoded as a JWK Set [JWK]. The protocol used to
+ acquire the resource MUST provide integrity protection; an HTTP GET
+ request to retrieve the JWK Set MUST use Transport Layer Security
+
+
+
+Jones, et al. Standards Track [Page 10]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ (TLS) [RFC2818] [RFC5246]; and the identity of the server MUST be
+ validated, as per Section 6 of RFC 6125 [RFC6125]. Also, see
+ Section 8 on TLS requirements. Use of this Header Parameter is
+ OPTIONAL.
+
+4.1.3. "jwk" (JSON Web Key) Header Parameter
+
+ The "jwk" (JSON Web Key) Header Parameter is the public key that
+ corresponds to the key used to digitally sign the JWS. This key is
+ represented as a JSON Web Key [JWK]. Use of this Header Parameter is
+ OPTIONAL.
+
+4.1.4. "kid" (Key ID) Header Parameter
+
+ The "kid" (key ID) Header Parameter is a hint indicating which key
+ was used to secure the JWS. This parameter allows originators to
+ explicitly signal a change of key to recipients. The structure of
+ the "kid" value is unspecified. Its value MUST be a case-sensitive
+ string. Use of this Header Parameter is OPTIONAL.
+
+ When used with a JWK, the "kid" value is used to match a JWK "kid"
+ parameter value.
+
+4.1.5. "x5u" (X.509 URL) Header Parameter
+
+ The "x5u" (X.509 URL) Header Parameter is a URI [RFC3986] that refers
+ to a resource for the X.509 public key certificate or certificate
+ chain [RFC5280] corresponding to the key used to digitally sign the
+ JWS. The identified resource MUST provide a representation of the
+ certificate or certificate chain that conforms to RFC 5280 [RFC5280]
+ in PEM-encoded form, with each certificate delimited as specified in
+ Section 6.1 of RFC 4945 [RFC4945]. The certificate containing the
+ public key corresponding to the key used to digitally sign the JWS
+ MUST be the first certificate. This MAY be followed by additional
+ certificates, with each subsequent certificate being the one used to
+ certify the previous one. The protocol used to acquire the resource
+ MUST provide integrity protection; an HTTP GET request to retrieve
+ the certificate MUST use TLS [RFC2818] [RFC5246]; and the identity of
+ the server MUST be validated, as per Section 6 of RFC 6125 [RFC6125].
+ Also, see Section 8 on TLS requirements. Use of this Header
+ Parameter is OPTIONAL.
+
+4.1.6. "x5c" (X.509 Certificate Chain) Header Parameter
+
+ The "x5c" (X.509 certificate chain) Header Parameter contains the
+ X.509 public key certificate or certificate chain [RFC5280]
+ corresponding to the key used to digitally sign the JWS. The
+ certificate or certificate chain is represented as a JSON array of
+
+
+
+Jones, et al. Standards Track [Page 11]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ certificate value strings. Each string in the array is a
+ base64-encoded (Section 4 of [RFC4648] -- not base64url-encoded) DER
+ [ITU.X690.2008] PKIX certificate value. The certificate containing
+ the public key corresponding to the key used to digitally sign the
+ JWS MUST be the first certificate. This MAY be followed by
+ additional certificates, with each subsequent certificate being the
+ one used to certify the previous one. The recipient MUST validate
+ the certificate chain according to RFC 5280 [RFC5280] and consider
+ the certificate or certificate chain to be invalid if any validation
+ failure occurs. Use of this Header Parameter is OPTIONAL.
+
+ See Appendix B for an example "x5c" value.
+
+4.1.7. "x5t" (X.509 Certificate SHA-1 Thumbprint) Header Parameter
+
+ The "x5t" (X.509 certificate SHA-1 thumbprint) Header Parameter is a
+ base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER
+ encoding of the X.509 certificate [RFC5280] corresponding to the key
+ used to digitally sign the JWS. Note that certificate thumbprints
+ are also sometimes known as certificate fingerprints. Use of this
+ Header Parameter is OPTIONAL.
+
+4.1.8. "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) Header
+ Parameter
+
+ The "x5t#S256" (X.509 certificate SHA-256 thumbprint) Header
+ Parameter is a base64url-encoded SHA-256 thumbprint (a.k.a. digest)
+ of the DER encoding of the X.509 certificate [RFC5280] corresponding
+ to the key used to digitally sign the JWS. Note that certificate
+ thumbprints are also sometimes known as certificate fingerprints.
+ Use of this Header Parameter is OPTIONAL.
+
+4.1.9. "typ" (Type) Header Parameter
+
+ The "typ" (type) Header Parameter is used by JWS applications to
+ declare the media type [IANA.MediaTypes] of this complete JWS. This
+ is intended for use by the application when more than one kind of
+ object could be present in an application data structure that can
+ contain a JWS; the application can use this value to disambiguate
+ among the different kinds of objects that might be present. It will
+ typically not be used by applications when the kind of object is
+ already known. This parameter is ignored by JWS implementations; any
+ processing of this parameter is performed by the JWS application.
+ Use of this Header Parameter is OPTIONAL.
+
+ Per RFC 2045 [RFC2045], all media type values, subtype values, and
+ parameter names are case insensitive. However, parameter values are
+ case sensitive unless otherwise specified for the specific parameter.
+
+
+
+Jones, et al. Standards Track [Page 12]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ To keep messages compact in common situations, it is RECOMMENDED that
+ producers omit an "application/" prefix of a media type value in a
+ "typ" Header Parameter when no other '/' appears in the media type
+ value. A recipient using the media type value MUST treat it as if
+ "application/" were prepended to any "typ" value not containing a
+ '/'. For instance, a "typ" value of "example" SHOULD be used to
+ represent the "application/example" media type, whereas the media
+ type "application/example;part="1/2"" cannot be shortened to
+ "example;part="1/2"".
+
+ The "typ" value "JOSE" can be used by applications to indicate that
+ this object is a JWS or JWE using the JWS Compact Serialization or
+ the JWE Compact Serialization. The "typ" value "JOSE+JSON" can be
+ used by applications to indicate that this object is a JWS or JWE
+ using the JWS JSON Serialization or the JWE JSON Serialization.
+ Other type values can also be used by applications.
+
+4.1.10. "cty" (Content Type) Header Parameter
+
+ The "cty" (content type) Header Parameter is used by JWS applications
+ to declare the media type [IANA.MediaTypes] of the secured content
+ (the payload). This is intended for use by the application when more
+ than one kind of object could be present in the JWS Payload; the
+ application can use this value to disambiguate among the different
+ kinds of objects that might be present. It will typically not be
+ used by applications when the kind of object is already known. This
+ parameter is ignored by JWS implementations; any processing of this
+ parameter is performed by the JWS application. Use of this Header
+ Parameter is OPTIONAL.
+
+ Per RFC 2045 [RFC2045], all media type values, subtype values, and
+ parameter names are case insensitive. However, parameter values are
+ case sensitive unless otherwise specified for the specific parameter.
+
+ To keep messages compact in common situations, it is RECOMMENDED that
+ producers omit an "application/" prefix of a media type value in a
+ "cty" Header Parameter when no other '/' appears in the media type
+ value. A recipient using the media type value MUST treat it as if
+ "application/" were prepended to any "cty" value not containing a
+ '/'. For instance, a "cty" value of "example" SHOULD be used to
+ represent the "application/example" media type, whereas the media
+ type "application/example;part="1/2"" cannot be shortened to
+ "example;part="1/2"".
+
+
+
+
+
+
+
+
+Jones, et al. Standards Track [Page 13]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+4.1.11. "crit" (Critical) Header Parameter
+
+ The "crit" (critical) Header Parameter indicates that extensions to
+ this specification and/or [JWA] are being used that MUST be
+ understood and processed. Its value is an array listing the Header
+ Parameter names present in the JOSE Header that use those extensions.
+ If any of the listed extension Header Parameters are not understood
+ and supported by the recipient, then the JWS is invalid. Producers
+ MUST NOT include Header Parameter names defined by this specification
+ or [JWA] for use with JWS, duplicate names, or names that do not
+ occur as Header Parameter names within the JOSE Header in the "crit"
+ list. Producers MUST NOT use the empty list "[]" as the "crit"
+ value. Recipients MAY consider the JWS to be invalid if the critical
+ list contains any Header Parameter names defined by this
+ specification or [JWA] for use with JWS or if any other constraints
+ on its use are violated. When used, this Header Parameter MUST be
+ integrity protected; therefore, it MUST occur only within the JWS
+ Protected Header. Use of this Header Parameter is OPTIONAL. This
+ Header Parameter MUST be understood and processed by implementations.
+
+ An example use, along with a hypothetical "exp" (expiration time)
+ field is:
+
+ {"alg":"ES256",
+ "crit":["exp"],
+ "exp":1363284000
+ }
+
+4.2. Public Header Parameter Names
+
+ Additional Header Parameter names can be defined by those using JWSs.
+ However, in order to prevent collisions, any new Header Parameter
+ name should either be registered in the IANA "JSON Web Signature and
+ Encryption Header Parameters" registry established by Section 9.1 or
+ be a Public Name (a value that contains a Collision-Resistant Name).
+ In each case, the definer of the name or value needs to take
+ reasonable precautions to make sure they are in control of the part
+ of the namespace they use to define the Header Parameter name.
+
+ New Header Parameters should be introduced sparingly, as they can
+ result in non-interoperable JWSs.
+
+4.3. Private Header Parameter Names
+
+ A producer and consumer of a JWS may agree to use Header Parameter
+ names that are Private Names (names that are not Registered Header
+ Parameter names (Section 4.1)) or Public Header Parameter names
+
+
+
+
+Jones, et al. Standards Track [Page 14]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ (Section 4.2). Unlike Public Header Parameter names, Private Header
+ Parameter names are subject to collision and should be used with
+ caution.
+
+5. Producing and Consuming JWSs
+
+5.1. Message Signature or MAC Computation
+
+ To create a JWS, the following steps are performed. The order of the
+ steps is not significant in cases where there are no dependencies
+ between the inputs and outputs of the steps.
+
+ 1. Create the content to be used as the JWS Payload.
+
+ 2. Compute the encoded payload value BASE64URL(JWS Payload).
+
+ 3. Create the JSON object(s) containing the desired set of Header
+ Parameters, which together comprise the JOSE Header (the JWS
+ Protected Header and/or the JWS Unprotected Header).
+
+ 4. Compute the encoded header value BASE64URL(UTF8(JWS Protected
+ Header)). If the JWS Protected Header is not present (which can
+ only happen when using the JWS JSON Serialization and no
+ "protected" member is present), let this value be the empty
+ string.
+
+ 5. Compute the JWS Signature in the manner defined for the
+ particular algorithm being used over the JWS Signing Input
+ ASCII(BASE64URL(UTF8(JWS Protected Header)) || '.' ||
+ BASE64URL(JWS Payload)). The "alg" (algorithm) Header Parameter
+ MUST be present in the JOSE Header, with the algorithm value
+ accurately representing the algorithm used to construct the JWS
+ Signature.
+
+ 6. Compute the encoded signature value BASE64URL(JWS Signature).
+
+ 7. If the JWS JSON Serialization is being used, repeat this process
+ (steps 3-6) for each digital signature or MAC operation being
+ performed.
+
+ 8. Create the desired serialized output. The JWS Compact
+ Serialization of this result is BASE64URL(UTF8(JWS Protected
+ Header)) || '.' || BASE64URL(JWS Payload) || '.' || BASE64URL(JWS
+ Signature). The JWS JSON Serialization is described in
+ Section 7.2.
+
+
+
+
+
+
+Jones, et al. Standards Track [Page 15]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+5.2. Message Signature or MAC Validation
+
+ When validating a JWS, the following steps are performed. The order
+ of the steps is not significant in cases where there are no
+ dependencies between the inputs and outputs of the steps. If any of
+ the listed steps fails, then the signature or MAC cannot be
+ validated.
+
+ When there are multiple JWS Signature values, it is an application
+ decision which of the JWS Signature values must successfully validate
+ for the JWS to be accepted. In some cases, all must successfully
+ validate, or the JWS will be considered invalid. In other cases,
+ only a specific JWS Signature value needs to be successfully
+ validated. However, in all cases, at least one JWS Signature value
+ MUST successfully validate, or the JWS MUST be considered invalid.
+
+ 1. Parse the JWS representation to extract the serialized values for
+ the components of the JWS. When using the JWS Compact
+ Serialization, these components are the base64url-encoded
+ representations of the JWS Protected Header, the JWS Payload, and
+ the JWS Signature, and when using the JWS JSON Serialization,
+ these components also include the unencoded JWS Unprotected
+ Header value. When using the JWS Compact Serialization, the JWS
+ Protected Header, the JWS Payload, and the JWS Signature are
+ represented as base64url-encoded values in that order, with each
+ value being separated from the next by a single period ('.')
+ character, resulting in exactly two delimiting period characters
+ being used. The JWS JSON Serialization is described in
+ Section 7.2.
+
+ 2. Base64url-decode the encoded representation of the JWS Protected
+ Header, following the restriction that no line breaks,
+ whitespace, or other additional characters have been used.
+
+ 3. Verify that the resulting octet sequence is a UTF-8-encoded
+ representation of a completely valid JSON object conforming to
+ RFC 7159 [RFC7159]; let the JWS Protected Header be this JSON
+ object.
+
+ 4. If using the JWS Compact Serialization, let the JOSE Header be
+ the JWS Protected Header. Otherwise, when using the JWS JSON
+ Serialization, let the JOSE Header be the union of the members of
+ the corresponding JWS Protected Header and JWS Unprotected
+ Header, all of which must be completely valid JSON objects.
+ During this step, verify that the resulting JOSE Header does not
+ contain duplicate Header Parameter names. When using the JWS
+
+
+
+
+
+Jones, et al. Standards Track [Page 16]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ JSON Serialization, this restriction includes that the same
+ Header Parameter name also MUST NOT occur in distinct JSON object
+ values that together comprise the JOSE Header.
+
+ 5. Verify that the implementation understands and can process all
+ fields that it is required to support, whether required by this
+ specification, by the algorithm being used, or by the "crit"
+ Header Parameter value, and that the values of those parameters
+ are also understood and supported.
+
+ 6. Base64url-decode the encoded representation of the JWS Payload,
+ following the restriction that no line breaks, whitespace, or
+ other additional characters have been used.
+
+ 7. Base64url-decode the encoded representation of the JWS Signature,
+ following the restriction that no line breaks, whitespace, or
+ other additional characters have been used.
+
+ 8. Validate the JWS Signature against the JWS Signing Input
+ ASCII(BASE64URL(UTF8(JWS Protected Header)) || '.' ||
+ BASE64URL(JWS Payload)) in the manner defined for the algorithm
+ being used, which MUST be accurately represented by the value of
+ the "alg" (algorithm) Header Parameter, which MUST be present.
+ See Section 10.6 for security considerations on algorithm
+ validation. Record whether the validation succeeded or not.
+
+ 9. If the JWS JSON Serialization is being used, repeat this process
+ (steps 4-8) for each digital signature or MAC value contained in
+ the representation.
+
+ 10. If none of the validations in step 9 succeeded, then the JWS MUST
+ be considered invalid. Otherwise, in the JWS JSON Serialization
+ case, return a result to the application indicating which of the
+ validations succeeded and failed. In the JWS Compact
+ Serialization case, the result can simply indicate whether or not
+ the JWS was successfully validated.
+
+ Finally, note that it is an application decision which algorithms may
+ be used in a given context. Even if a JWS can be successfully
+ validated, unless the algorithm(s) used in the JWS are acceptable to
+ the application, it SHOULD consider the JWS to be invalid.
+
+5.3. String Comparison Rules
+
+ Processing a JWS inevitably requires comparing known strings to
+ members and values in JSON objects. For example, in checking what
+ the algorithm is, the Unicode string "alg" will be checked against
+ the member names in the JOSE Header to see if there is a matching
+
+
+
+Jones, et al. Standards Track [Page 17]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ Header Parameter name. The same process is then used to determine if
+ the value of the "alg" Header Parameter represents a supported
+ algorithm.
+
+ The JSON rules for doing member name comparison are described in
+ Section 8.3 of RFC 7159 [RFC7159]. Since the only string comparison
+ operations that are performed are equality and inequality, the same
+ rules can be used for comparing both member names and member values
+ against known strings.
+
+ These comparison rules MUST be used for all JSON string comparisons
+ except in cases where the definition of the member explicitly calls
+ out that a different comparison rule is to be used for that member
+ value. Only the "typ" and "cty" member values defined in this
+ specification do not use these comparison rules.
+
+ Some applications may include case-insensitive information in a case-
+ sensitive value, such as including a DNS name as part of a "kid" (key
+ ID) value. In those cases, the application may need to define a
+ convention for the canonical case to use for representing the case-
+ insensitive portions, such as lowercasing them, if more than one
+ party might need to produce the same value so that they can be
+ compared. (However, if all other parties consume whatever value the
+ producing party emitted verbatim without attempting to compare it to
+ an independently produced value, then the case used by the producer
+ will not matter.)
+
+ Also, see the JSON security considerations in Section 10.12 and the
+ Unicode security considerations in Section 10.13.
+
+6. Key Identification
+
+ It is necessary for the recipient of a JWS to be able to determine
+ the key that was employed for the digital signature or MAC operation.
+ The key employed can be identified using the Header Parameter methods
+ described in Section 4.1 or can be identified using methods that are
+ outside the scope of this specification. Specifically, the Header
+ Parameters "jku", "jwk", "kid", "x5u", "x5c", "x5t", and "x5t#S256"
+ can be used to identify the key used. These Header Parameters MUST
+ be integrity protected if the information that they convey is to be
+ utilized in a trust decision; however, if the only information used
+ in the trust decision is a key, these parameters need not be
+ integrity protected, since changing them in a way that causes a
+ different key to be used will cause the validation to fail.
+
+ The producer SHOULD include sufficient information in the Header
+ Parameters to identify the key used, unless the application uses
+ another means or convention to determine the key used. Validation of
+
+
+
+Jones, et al. Standards Track [Page 18]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ the signature or MAC fails when the algorithm used requires a key
+ (which is true of all algorithms except for "none") and the key used
+ cannot be determined.
+
+ The means of exchanging any shared symmetric keys used is outside the
+ scope of this specification.
+
+ Also, see Appendix D for notes on possible key selection algorithms.
+
+7. Serializations
+
+ JWSs use one of two serializations: the JWS Compact Serialization or
+ the JWS JSON Serialization. Applications using this specification
+ need to specify what serialization and serialization features are
+ used for that application. For instance, applications might specify
+ that only the JWS JSON Serialization is used, that only JWS JSON
+ Serialization support for a single signature or MAC value is used, or
+ that support for multiple signatures and/or MAC values is used. JWS
+ implementations only need to implement the features needed for the
+ applications they are designed to support.
+
+7.1. JWS Compact Serialization
+
+ The JWS Compact Serialization represents digitally signed or MACed
+ content as a compact, URL-safe string. This string is:
+
+ BASE64URL(UTF8(JWS Protected Header)) || '.' ||
+ BASE64URL(JWS Payload) || '.' ||
+ BASE64URL(JWS Signature)
+
+ Only one signature/MAC is supported by the JWS Compact Serialization
+ and it provides no syntax to represent a JWS Unprotected Header
+ value.
+
+7.2. JWS JSON Serialization
+
+ The JWS JSON Serialization represents digitally signed or MACed
+ content as a JSON object. This representation is neither optimized
+ for compactness nor URL-safe.
+
+ Two closely related syntaxes are defined for the JWS JSON
+ Serialization: a fully general syntax, with which content can be
+ secured with more than one digital signature and/or MAC operation,
+ and a flattened syntax, which is optimized for the single digital
+ signature or MAC case.
+
+
+
+
+
+
+Jones, et al. Standards Track [Page 19]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+7.2.1. General JWS JSON Serialization Syntax
+
+ The following members are defined for use in top-level JSON objects
+ used for the fully general JWS JSON Serialization syntax:
+
+ payload
+ The "payload" member MUST be present and contain the value
+ BASE64URL(JWS Payload).
+
+ signatures
+ The "signatures" member value MUST be an array of JSON objects.
+ Each object represents a signature or MAC over the JWS Payload and
+ the JWS Protected Header.
+
+ The following members are defined for use in the JSON objects that
+ are elements of the "signatures" array:
+
+ protected
+ The "protected" member MUST be present and contain the value
+ BASE64URL(UTF8(JWS Protected Header)) when the JWS Protected
+ Header value is non-empty; otherwise, it MUST be absent. These
+ Header Parameter values are integrity protected.
+
+ header
+ The "header" member MUST be present and contain the value JWS
+ Unprotected Header when the JWS Unprotected Header value is non-
+ empty; otherwise, it MUST be absent. This value is represented as
+ an unencoded JSON object, rather than as a string. These Header
+ Parameter values are not integrity protected.
+
+ signature
+ The "signature" member MUST be present and contain the value
+ BASE64URL(JWS Signature).
+
+ At least one of the "protected" and "header" members MUST be present
+ for each signature/MAC computation so that an "alg" Header Parameter
+ value is conveyed.
+
+ Additional members can be present in both the JSON objects defined
+ above; if not understood by implementations encountering them, they
+ MUST be ignored.
+
+ The Header Parameter values used when creating or validating
+ individual signature or MAC values are the union of the two sets of
+ Header Parameter values that may be present: (1) the JWS Protected
+ Header represented in the "protected" member of the signature/MAC's
+ array element, and (2) the JWS Unprotected Header in the "header"
+
+
+
+
+Jones, et al. Standards Track [Page 20]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ member of the signature/MAC's array element. The union of these sets
+ of Header Parameters comprises the JOSE Header. The Header Parameter
+ names in the two locations MUST be disjoint.
+
+ Each JWS Signature value is computed using the parameters of the
+ corresponding JOSE Header value in the same manner as for the JWS
+ Compact Serialization. This has the desirable property that each JWS
+ Signature value represented in the "signatures" array is identical to
+ the value that would have been computed for the same parameter in the
+ JWS Compact Serialization, provided that the JWS Protected Header
+ value for that signature/MAC computation (which represents the
+ integrity-protected Header Parameter values) matches that used in the
+ JWS Compact Serialization.
+
+ In summary, the syntax of a JWS using the general JWS JSON
+ Serialization is as follows:
+
+ {
+ "payload":"<payload contents>",
+ "signatures":[
+ {"protected":"<integrity-protected header 1 contents>",
+ "header":<non-integrity-protected header 1 contents>,
+ "signature":"<signature 1 contents>"},
+ ...
+ {"protected":"<integrity-protected header N contents>",
+ "header":<non-integrity-protected header N contents>,
+ "signature":"<signature N contents>"}]
+ }
+
+ See Appendix A.6 for an example JWS using the general JWS JSON
+ Serialization syntax.
+
+7.2.2. Flattened JWS JSON Serialization Syntax
+
+ The flattened JWS JSON Serialization syntax is based upon the general
+ syntax but flattens it, optimizing it for the single digital
+ signature/MAC case. It flattens it by removing the "signatures"
+ member and instead placing those members defined for use in the
+ "signatures" array (the "protected", "header", and "signature"
+ members) in the top-level JSON object (at the same level as the
+ "payload" member).
+
+ The "signatures" member MUST NOT be present when using this syntax.
+ Other than this syntax difference, JWS JSON Serialization objects
+ using the flattened syntax are processed identically to those using
+ the general syntax.
+
+
+
+
+
+Jones, et al. Standards Track [Page 21]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ In summary, the syntax of a JWS using the flattened JWS JSON
+ Serialization is as follows:
+
+ {
+ "payload":"<payload contents>",
+ "protected":"<integrity-protected header contents>",
+ "header":<non-integrity-protected header contents>,
+ "signature":"<signature contents>"
+ }
+
+ See Appendix A.7 for an example JWS using the flattened JWS JSON
+ Serialization syntax.
+
+8. TLS Requirements
+
+ Implementations supporting the "jku" and/or "x5u" Header Parameters
+ MUST support TLS. Which TLS version(s) ought to be implemented will
+ vary over time and depend on the widespread deployment and known
+ security vulnerabilities at the time of implementation. At the time
+ of this writing, TLS version 1.2 [RFC5246] is the most recent
+ version.
+
+ To protect against information disclosure and tampering,
+ confidentiality protection MUST be applied using TLS with a
+ ciphersuite that provides confidentiality and integrity protection.
+ See current publications by the IETF TLS working group, including RFC
+ 6176 [RFC6176], for guidance on the ciphersuites currently considered
+ to be appropriate for use. Also, see "Recommendations for Secure Use
+ of Transport Layer Security (TLS) and Datagram Transport Layer
+ Security (DTLS)" [RFC7525] for recommendations on improving the
+ security of software and services using TLS.
+
+ Whenever TLS is used, the identity of the service provider encoded in
+ the TLS server certificate MUST be verified using the procedures
+ described in Section 6 of RFC 6125 [RFC6125].
+
+9. IANA Considerations
+
+ The following registration procedure is used for all the registries
+ established by this specification.
+
+ Values are registered on a Specification Required [RFC5226] basis
+ after a three-week review period on the jose-reg-review@ietf.org
+ mailing list, on the advice of one or more Designated Experts.
+ However, to allow for the allocation of values prior to publication,
+ the Designated Experts may approve registration once they are
+ satisfied that such a specification will be published.
+
+
+
+
+Jones, et al. Standards Track [Page 22]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ Registration requests sent to the mailing list for review should use
+ an appropriate subject (e.g., "Request to register header parameter:
+ example").
+
+ Within the review period, the Designated Experts will either approve
+ or deny the registration request, communicating this decision to the
+ review list and IANA. Denials should include an explanation and, if
+ applicable, suggestions as to how to make the request successful.
+ Registration requests that are undetermined for a period longer than
+ 21 days can be brought to the IESG's attention (using the
+ iesg@ietf.org mailing list) for resolution.
+
+ Criteria that should be applied by the Designated Experts includes
+ determining whether the proposed registration duplicates existing
+ functionality, whether it is likely to be of general applicability or
+ useful only for a single application, and whether the registration
+ description is clear.
+
+ IANA must only accept registry updates from the Designated Experts
+ and should direct all requests for registration to the review mailing
+ list.
+
+ It is suggested that multiple Designated Experts be appointed who are
+ able to represent the perspectives of different applications using
+ this specification, in order to enable broadly informed review of
+ registration decisions. In cases where a registration decision could
+ be perceived as creating a conflict of interest for a particular
+ Expert, that Expert should defer to the judgment of the other
+ Experts.
+
+9.1. JSON Web Signature and Encryption Header Parameters Registry
+
+ This specification establishes the IANA "JSON Web Signature and
+ Encryption Header Parameters" registry for Header Parameter names.
+ The registry records the Header Parameter name and a reference to the
+ specification that defines it. The same Header Parameter name can be
+ registered multiple times, provided that the parameter usage is
+ compatible between the specifications. Different registrations of
+ the same Header Parameter name will typically use different Header
+ Parameter Usage Locations values.
+
+9.1.1. Registration Template
+
+ Header Parameter Name:
+ The name requested (e.g., "kid"). Because a core goal of this
+ specification is for the resulting representations to be compact,
+ it is RECOMMENDED that the name be short -- not to exceed 8
+ characters without a compelling reason to do so. This name is
+
+
+
+Jones, et al. Standards Track [Page 23]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ case sensitive. Names may not match other registered names in a
+ case-insensitive manner unless the Designated Experts state that
+ there is a compelling reason to allow an exception.
+
+ Header Parameter Description:
+ Brief description of the Header Parameter (e.g., "Key ID").
+
+ Header Parameter Usage Location(s):
+ The Header Parameter usage locations, which should be one or more
+ of the values "JWS" or "JWE".
+
+ Change Controller:
+ For Standards Track RFCs, list the "IESG". For others, give the
+ name of the responsible party. Other details (e.g., postal
+ address, email address, home page URI) may also be included.
+
+ Specification Document(s):
+ Reference to the document or documents that specify the parameter,
+ preferably including URIs that can be used to retrieve copies of
+ the documents. An indication of the relevant sections may also be
+ included but is not required.
+
+9.1.2. Initial Registry Contents
+
+ This section registers the Header Parameter names defined in
+ Section 4.1 in this registry.
+
+ o Header Parameter Name: "alg"
+ o Header Parameter Description: Algorithm
+ o Header Parameter Usage Location(s): JWS
+ o Change Controller: IESG
+ o Specification Document(s): Section 4.1.1 of RFC 7515
+
+ o Header Parameter Name: "jku"
+ o Header Parameter Description: JWK Set URL
+ o Header Parameter Usage Location(s): JWS
+ o Change Controller: IESG
+ o Specification Document(s): Section 4.1.2 of RFC 7515
+
+ o Header Parameter Name: "jwk"
+ o Header Parameter Description: JSON Web Key
+ o Header Parameter Usage Location(s): JWS
+ o Change Controller: IESG
+ o Specification Document(s): Section 4.1.3 of RFC 7515
+
+
+
+
+
+
+
+Jones, et al. Standards Track [Page 24]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ o Header Parameter Name: "kid"
+ o Header Parameter Description: Key ID
+ o Header Parameter Usage Location(s): JWS
+ o Change Controller: IESG
+ o Specification Document(s): Section 4.1.4 of RFC 7515
+
+ o Header Parameter Name: "x5u"
+ o Header Parameter Description: X.509 URL
+ o Header Parameter Usage Location(s): JWS
+ o Change Controller: IESG
+ o Specification Document(s): Section 4.1.5 of RFC 7515
+
+ o Header Parameter Name: "x5c"
+ o Header Parameter Description: X.509 Certificate Chain
+ o Header Parameter Usage Location(s): JWS
+ o Change Controller: IESG
+ o Specification Document(s): Section 4.1.6 of RFC 7515
+
+ o Header Parameter Name: "x5t"
+ o Header Parameter Description: X.509 Certificate SHA-1 Thumbprint
+ o Header Parameter Usage Location(s): JWS
+ o Change Controller: IESG
+ o Specification Document(s): Section 4.1.7 of RFC 7515
+
+ o Header Parameter Name: "x5t#S256"
+ o Header Parameter Description: X.509 Certificate SHA-256 Thumbprint
+ o Header Parameter Usage Location(s): JWS
+ o Change Controller: IESG
+ o Specification Document(s): Section 4.1.8 of RFC 7515
+
+ o Header Parameter Name: "typ"
+ o Header Parameter Description: Type
+ o Header Parameter Usage Location(s): JWS
+ o Change Controller: IESG
+ o Specification Document(s): Section 4.1.9 of RFC 7515
+
+ o Header Parameter Name: "cty"
+ o Header Parameter Description: Content Type
+ o Header Parameter Usage Location(s): JWS
+ o Change Controller: IESG
+ o Specification Document(s): Section 4.1.10 of RFC 7515
+
+ o Header Parameter Name: "crit"
+ o Header Parameter Description: Critical
+ o Header Parameter Usage Location(s): JWS
+ o Change Controller: IESG
+ o Specification Document(s): Section 4.1.11 of RFC 7515
+
+
+
+
+Jones, et al. Standards Track [Page 25]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+9.2. Media Type Registration
+
+9.2.1. Registry Contents
+
+ This section registers the "application/jose" media type [RFC2046] in
+ the "Media Types" registry [IANA.MediaTypes] in the manner described
+ in RFC 6838 [RFC6838], which can be used to indicate that the content
+ is a JWS or JWE using the JWS Compact Serialization or the JWE
+ Compact Serialization. This section also registers the "application/
+ jose+json" media type in the "Media Types" registry, which can be
+ used to indicate that the content is a JWS or JWE using the JWS JSON
+ Serialization or the JWE JSON Serialization.
+
+ o Type name: application
+ o Subtype name: jose
+ o Required parameters: n/a
+ o Optional parameters: n/a
+ o Encoding considerations: 8bit; application/jose values are encoded
+ as a series of base64url-encoded values (some of which may be the
+ empty string), each separated from the next by a single period
+ ('.') character.
+ o Security considerations: See the Security Considerations section
+ of RFC 7515.
+ o Interoperability considerations: n/a
+ o Published specification: RFC 7515
+ o Applications that use this media type: OpenID Connect, Mozilla
+ Persona, Salesforce, Google, Android, Windows Azure, Xbox One,
+ Amazon Web Services, and numerous others that use JWTs
+ o Fragment identifier considerations: n/a
+ o Additional information:
+
+ Magic number(s): n/a
+ File extension(s): n/a
+ Macintosh file type code(s): n/a
+
+ o Person & email address to contact for further information:
+ Michael B. Jones, mbj@microsoft.com
+ o Intended usage: COMMON
+ o Restrictions on usage: none
+ o Author: Michael B. Jones, mbj@microsoft.com
+ o Change Controller: IESG
+ o Provisional registration? No
+
+
+
+
+
+
+
+
+
+Jones, et al. Standards Track [Page 26]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ o Type name: application
+ o Subtype name: jose+json
+ o Required parameters: n/a
+ o Optional parameters: n/a
+ o Encoding considerations: 8bit; application/jose+json values are
+ represented as a JSON Object; UTF-8 encoding SHOULD be employed
+ for the JSON object.
+ o Security considerations: See the Security Considerations section
+ of RFC 7515
+ o Interoperability considerations: n/a
+ o Published specification: RFC 7515
+ o Applications that use this media type: Nimbus JOSE + JWT library
+ o Fragment identifier considerations: n/a
+ o Additional information:
+
+ Magic number(s): n/a
+ File extension(s): n/a
+ Macintosh file type code(s): n/a
+
+ o Person & email address to contact for further information:
+ Michael B. Jones, mbj@microsoft.com
+ o Intended usage: COMMON
+ o Restrictions on usage: none
+ o Author: Michael B. Jones, mbj@microsoft.com
+ o Change Controller: IESG
+ o Provisional registration? No
+
+10. Security Considerations
+
+ All of the security issues that are pertinent to any cryptographic
+ application must be addressed by JWS/JWE/JWK agents. Among these
+ issues are protecting the user's asymmetric private and symmetric
+ secret keys and employing countermeasures to various attacks.
+
+ All the security considerations in "XML Signature Syntax and
+ Processing Version 2.0" [W3C.NOTE-xmldsig-core2-20130411], also apply
+ to this specification, other than those that are XML specific.
+ Likewise, many of the best practices documented in "XML Signature
+ Best Practices" [W3C.NOTE-xmldsig-bestpractices-20130411] also apply
+ to this specification, other than those that are XML specific.
+
+10.1. Key Entropy and Random Values
+
+ Keys are only as strong as the amount of entropy used to generate
+ them. A minimum of 128 bits of entropy should be used for all keys,
+ and depending upon the application context, more may be required.
+
+
+
+
+
+Jones, et al. Standards Track [Page 27]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ Implementations must randomly generate public/private key pairs, MAC
+ keys, and padding values. The use of inadequate pseudorandom number
+ generators (PRNGs) to generate cryptographic keys can result in
+ little or no security. An attacker may find it much easier to
+ reproduce the PRNG environment that produced the keys, searching the
+ resulting small set of possibilities rather than brute-force
+ searching the whole key space. The generation of quality random
+ numbers is difficult. RFC 4086 [RFC4086] offers important guidance
+ in this area.
+
+10.2. Key Protection
+
+ Implementations must protect the signer's private key. Compromise of
+ the signer's private key permits an attacker to masquerade as the
+ signer.
+
+ Implementations must protect the MAC key. Compromise of the MAC key
+ may result in undetectable modification of the authenticated content.
+
+10.3. Key Origin Authentication
+
+ The key management technique employed to obtain public keys must
+ authenticate the origin of the key; otherwise, it is unknown what
+ party signed the message.
+
+ Likewise, the key management technique employed to distribute MAC
+ keys must provide data origin authentication; otherwise, the contents
+ are delivered with integrity from an unknown source.
+
+10.4. Cryptographic Agility
+
+ See Section 8.1 of [JWA] for security considerations on cryptographic
+ agility.
+
+10.5. Differences between Digital Signatures and MACs
+
+ While MACs and digital signatures can both be used for integrity
+ checking, there are some significant differences between the security
+ properties that each of them provides. These need to be taken into
+ consideration when designing protocols and selecting the algorithms
+ to be used in protocols.
+
+ Both signatures and MACs provide for integrity checking -- verifying
+ that the message has not been modified since the integrity value was
+ computed. However, MACs provide for origination identification only
+ under specific circumstances. It can normally be assumed that a
+ private key used for a signature is only in the hands of a single
+ entity (although perhaps a distributed entity, in the case of
+
+
+
+Jones, et al. Standards Track [Page 28]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ replicated servers); however, a MAC key needs to be in the hands of
+ all the entities that use it for integrity computation and checking.
+ Validation of a MAC only provides corroboration that the message was
+ generated by one of the parties that knows the symmetric MAC key.
+ This means that origination can only be determined if a MAC key is
+ known only to two entities and the recipient knows that it did not
+ create the message. MAC validation cannot be used to prove
+ origination to a third party.
+
+10.6. Algorithm Validation
+
+ The digital signature representations for some algorithms include
+ information about the algorithm used inside the signature value. For
+ instance, signatures produced with RSASSA-PKCS1-v1_5 [RFC3447] encode
+ the hash function used, and many libraries actually use the hash
+ algorithm specified inside the signature when validating the
+ signature. When using such libraries, as part of the algorithm
+ validation performed, implementations MUST ensure that the algorithm
+ information encoded in the signature corresponds to that specified
+ with the "alg" Header Parameter. If this is not done, an attacker
+ could claim to have used a strong hash algorithm while actually using
+ a weak one represented in the signature value.
+
+10.7. Algorithm Protection
+
+ In some usages of JWS, there is a risk of algorithm substitution
+ attacks, in which an attacker can use an existing digital signature
+ value with a different signature algorithm to make it appear that a
+ signer has signed something that it has not. These attacks have been
+ discussed in detail in the context of Cryptographic Message Syntax
+ (CMS) [RFC6211]. This risk arises when all of the following are
+ true:
+
+ o Verifiers of a signature support multiple algorithms.
+
+ o Given an existing signature, an attacker can find another payload
+ that produces the same signature value with a different algorithm.
+
+ o The payload crafted by the attacker is valid in the application
+ context.
+
+ There are several ways for an application to mitigate algorithm
+ substitution attacks:
+
+ o Use only digital signature algorithms that are not vulnerable to
+ substitution attacks. Substitution attacks are only feasible if
+ an attacker can compute pre-images for a hash function accepted by
+
+
+
+
+Jones, et al. Standards Track [Page 29]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ the recipient. All JWA-defined signature algorithms use SHA-2
+ hashes, for which there are no known pre-image attacks, as of the
+ time of this writing.
+
+ o Require that the "alg" Header Parameter be carried in the JWS
+ Protected Header. (This is always the case when using the JWS
+ Compact Serialization and is the approach taken by CMS [RFC6211].)
+
+ o Include a field containing the algorithm in the application
+ payload, and require that it be matched with the "alg" Header
+ Parameter during verification. (This is the approach taken by
+ PKIX [RFC5280].)
+
+10.8. Chosen Plaintext Attacks
+
+ Creators of JWSs should not allow third parties to insert arbitrary
+ content into the message without adding entropy not controlled by the
+ third party.
+
+10.9. Timing Attacks
+
+ When cryptographic algorithms are implemented in such a way that
+ successful operations take a different amount of time than
+ unsuccessful operations, attackers may be able to use the time
+ difference to obtain information about the keys employed. Therefore,
+ such timing differences must be avoided.
+
+10.10. Replay Protection
+
+ While not directly in scope for this specification, note that
+ applications using JWS (or JWE) objects can thwart replay attacks by
+ including a unique message identifier as integrity-protected content
+ in the JWS (or JWE) message and having the recipient verify that the
+ message has not been previously received or acted upon.
+
+10.11. SHA-1 Certificate Thumbprints
+
+ A SHA-1 hash is used when computing "x5t" (X.509 certificate SHA-1
+ thumbprint) values, for compatibility reasons. Should an effective
+ means of producing SHA-1 hash collisions be developed and should an
+ attacker wish to interfere with the use of a known certificate on a
+ given system, this could be accomplished by creating another
+ certificate whose SHA-1 hash value is the same and adding it to the
+ certificate store used by the intended victim. A prerequisite to
+ this attack succeeding is the attacker having write access to the
+ intended victim's certificate store.
+
+
+
+
+
+Jones, et al. Standards Track [Page 30]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ Alternatively, the "x5t#S256" (X.509 certificate SHA-256 thumbprint)
+ Header Parameter could be used instead of "x5t". However, at the
+ time of this writing, no development platform is known to support
+ SHA-256 certificate thumbprints.
+
+10.12. JSON Security Considerations
+
+ Strict JSON [RFC7159] validation is a security requirement. If
+ malformed JSON is received, then the intent of the producer is
+ impossible to reliably discern. Ambiguous and potentially
+ exploitable situations could arise if the JSON parser used does not
+ reject malformed JSON syntax. In particular, any JSON inputs not
+ conforming to the JSON-text syntax defined in RFC 7159 MUST be
+ rejected in their entirety by JSON parsers.
+
+ Section 4 of "The JavaScript Object Notation (JSON) Data Interchange
+ Format" [RFC7159] states, "The names within an object SHOULD be
+ unique", whereas this specification states that
+
+ The Header Parameter names within the JOSE Header MUST be unique;
+ JWS parsers MUST either reject JWSs with duplicate Header
+ Parameter names or use a JSON parser that returns only the
+ lexically last duplicate member name, as specified in
+ Section 15.12 ("The JSON Object") of ECMAScript 5.1 [ECMAScript].
+
+ Thus, this specification requires that the "SHOULD" in Section 4 of
+ [RFC7159] be treated as a "MUST" by producers and that it be either
+ treated as a "MUST" or treated in the manner specified in ECMAScript
+ 5.1 by consumers. Ambiguous and potentially exploitable situations
+ could arise if the JSON parser used does not enforce the uniqueness
+ of member names or returns an unpredictable value for duplicate
+ member names.
+
+ Some JSON parsers might not reject input that contains extra
+ significant characters after a valid input. For instance, the input
+ "{"tag":"value"}ABCD" contains a valid JSON-text object followed by
+ the extra characters "ABCD". Implementations MUST consider JWSs
+ containing such input to be invalid.
+
+10.13. Unicode Comparison Security Considerations
+
+ Header Parameter names and algorithm names are Unicode strings. For
+ security reasons, the representations of these names must be compared
+ verbatim after performing any escape processing (as per Section 8.3
+ of RFC 7159 [RFC7159]). This means, for instance, that these JSON
+ strings must compare as being equal ("sig", "\u0073ig"), whereas
+ these must all compare as being not equal to the first set or to each
+ other ("SIG", "Sig", "si\u0047").
+
+
+
+Jones, et al. Standards Track [Page 31]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ JSON strings can contain characters outside the Unicode Basic
+ Multilingual Plane. For instance, the G clef character (U+1D11E) may
+ be represented in a JSON string as "\uD834\uDD1E". Ideally, JWS
+ implementations SHOULD ensure that characters outside the Basic
+ Multilingual Plane are preserved and compared correctly;
+ alternatively, if this is not possible due to these characters
+ exercising limitations present in the underlying JSON implementation,
+ then input containing them MUST be rejected.
+
+11. References
+
+11.1. Normative References
+
+ [ECMAScript] Ecma International, "ECMAScript Language Specification,
+ 5.1 Edition", ECMA 262, June 2011,
+ <http://www.ecma-international.org/ecma-262/5.1/
+ ECMA-262.pdf>.
+
+ [IANA.MediaTypes]
+ IANA, "Media Types",
+ <http://www.iana.org/assignments/media-types>.
+
+ [ITU.X690.2008]
+ International Telecommunications Union, "Information
+ Technology - ASN.1 encoding rules: Specification of
+ Basic Encoding Rules (BER), Canonical Encoding Rules
+ (CER) and Distinguished Encoding Rules (DER)", ITU-T
+ Recommendation X.690, 2008.
+
+ [JWA] Jones, M., "JSON Web Algorithms (JWA)", RFC 7518,
+ DOI 10.17487/RFC7518, May 2015,
+ <http://www.rfc-editor.org/info/rfc7518>.
+
+ [JWK] Jones, M., "JSON Web Key (JWK)", RFC 7517,
+ DOI 10.17487/RFC7517, May 2015,
+ <http://www.rfc-editor.org/info/rfc7517>.
+
+ [RFC20] Cerf, V., "ASCII format for Network Interchange",
+ STD 80, RFC 20, DOI 10.17487/RFC0020, October 1969,
+ <http://www.rfc-editor.org/info/rfc20>.
+
+ [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
+ Extensions (MIME) Part One: Format of Internet Message
+ Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996,
+ <http://www.rfc-editor.org/info/rfc2045>.
+
+
+
+
+
+
+Jones, et al. Standards Track [Page 32]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
+ Extensions (MIME) Part Two: Media Types", RFC 2046,
+ DOI 10.17487/RFC2046, November 1996,
+ <http://www.rfc-editor.org/info/rfc2046>.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <http://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818,
+ DOI 10.17487/RFC2818, May 2000,
+ <http://www.rfc-editor.org/info/rfc2818>.
+
+ [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
+ 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
+ 2003, <http://www.rfc-editor.org/info/rfc3629>.
+
+ [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
+ Resource Identifier (URI): Generic Syntax", STD 66,
+ RFC 3986, DOI 10.17487/RFC3986, January 2005,
+ <http://www.rfc-editor.org/info/rfc3986>.
+
+ [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
+ Encodings", RFC 4648, DOI 10.17487/RFC4648, October
+ 2006, <http://www.rfc-editor.org/info/rfc4648>.
+
+ [RFC4945] Korver, B., "The Internet IP Security PKI Profile of
+ IKEv1/ISAKMP, IKEv2, and PKIX", RFC 4945,
+ DOI 10.17487/RFC4945, August 2007,
+ <http://www.rfc-editor.org/info/rfc4945>.
+
+ [RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
+ FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
+ <http://www.rfc-editor.org/info/rfc4949>.
+
+ [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer
+ Security (TLS) Protocol Version 1.2", RFC 5246,
+ DOI 10.17487/RFC5246, August 2008,
+ <http://www.rfc-editor.org/info/rfc5246>.
+
+ [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
+ Housley, R., and W. Polk, "Internet X.509 Public Key
+ Infrastructure Certificate and Certificate Revocation
+ List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May
+ 2008, <http://www.rfc-editor.org/info/rfc5280>.
+
+
+
+
+
+Jones, et al. Standards Track [Page 33]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
+ Verification of Domain-Based Application Service
+ Identity within Internet Public Key Infrastructure Using
+ X.509 (PKIX) Certificates in the Context of Transport
+ Layer Security (TLS)", RFC 6125, DOI 10.17487/RFC6125,
+ March 2011, <http://www.rfc-editor.org/info/rfc6125>.
+
+ [RFC6176] Turner, S. and T. Polk, "Prohibiting Secure Sockets
+ Layer (SSL) Version 2.0", RFC 6176,
+ DOI 10.17487/RFC6176, March 2011,
+ <http://www.rfc-editor.org/info/rfc6176>.
+
+ [RFC7159] Bray, T., Ed., "The JavaScript Object Notation (JSON)
+ Data Interchange Format", RFC 7159,
+ DOI 10.17487/RFC7159, March 2014,
+ <http://www.rfc-editor.org/info/rfc7159>.
+
+ [UNICODE] The Unicode Consortium, "The Unicode Standard",
+ <http://www.unicode.org/versions/latest/>.
+
+11.2. Informative References
+
+ [CanvasApp] Facebook, "Canvas Applications",
+ <http://developers.facebook.com/docs/authentication/
+ canvas>.
+
+ [JSS] Bradley, J. and N. Sakimura, Ed., "JSON Simple Sign",
+ September 2010, <http://jsonenc.info/jss/1.0/>.
+
+ [JWE] Jones, M. and J. Hildebrand, "JSON Web Encryption
+ (JWE)", RFC 7516, DOI 10.17487/RFC7516, May 2015,
+ <http://www.rfc-editor.org/info/rfc7516>.
+
+ [JWT] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
+ (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
+ <http://www.rfc-editor.org/info/rfc7519>.
+
+ [MagicSignatures]
+ Panzer, J., Ed., Laurie, B., and D. Balfanz, "Magic
+ Signatures", January 2011,
+ <http://salmon-protocol.googlecode.com/svn/trunk/
+ draft-panzer-magicsig-01.html>.
+
+ [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC:
+ Keyed-Hashing for Message Authentication", RFC 2104,
+ DOI 10.17487/RFC2104, February 1997,
+ <http://www.rfc-editor.org/info/rfc2104>.
+
+
+
+
+Jones, et al. Standards Track [Page 34]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography
+ Standards (PKCS) #1: RSA Cryptography Specifications
+ Version 2.1", RFC 3447, DOI 10.17487/RFC3447, February
+ 2003, <http://www.rfc-editor.org/info/rfc3447>.
+
+ [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker,
+ "Randomness Requirements for Security", BCP 106,
+ RFC 4086, DOI 10.17487/RFC4086, June 2005,
+ <http://www.rfc-editor.org/info/rfc4086>.
+
+ [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally
+ Unique IDentifier (UUID) URN Namespace", RFC 4122,
+ DOI 10.17487/RFC4122, July 2005,
+ <http://www.rfc-editor.org/info/rfc4122>.
+
+ [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
+ IANA Considerations Section in RFCs", BCP 26, RFC 5226,
+ DOI 10.17487/RFC5226, May 2008,
+ <http://www.rfc-editor.org/info/rfc5226>.
+
+ [RFC6211] Schaad, J., "Cryptographic Message Syntax (CMS)
+ Algorithm Identifier Protection Attribute", RFC 6211,
+ DOI 10.17487/RFC6211, April 2011,
+ <http://www.rfc-editor.org/info/rfc6211>.
+
+ [RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type
+ Specifications and Registration Procedures", BCP 13,
+ RFC 6838, DOI 10.17487/RFC6838, January 2013,
+ <http://www.rfc-editor.org/info/rfc6838>.
+
+ [RFC7525] Sheffer, Y., Holz, R., and P. Saint-Andre,
+ "Recommendations for Secure Use of Transport Layer
+ Security (TLS) and Datagram Transport Layer Security
+ (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May
+ 2015, <http://www.rfc-editor.org/info/rfc7525>.
+
+ [SHS] National Institute of Standards and Technology, "Secure
+ Hash Standard (SHS)", FIPS PUB 180-4, March 2012,
+ <http://csrc.nist.gov/publications/fips/fips180-4/
+ fips-180-4.pdf>.
+
+ [W3C.NOTE-xmldsig-bestpractices-20130411]
+ Hirsch, F. and P. Datta, "XML Signature Best Practices",
+ World Wide Web Consortium Note
+ NOTE-xmldsig-bestpractices-20130411, April 2013,
+ <http://www.w3.org/TR/2013/
+ NOTE-xmldsig-bestpractices-20130411/>.
+
+
+
+
+Jones, et al. Standards Track [Page 35]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ [W3C.NOTE-xmldsig-core2-20130411]
+ Eastlake, D., Reagle, J., Solo, D., Hirsch, F.,
+ Roessler, T., Yiu, K., Datta, P., and S. Cantor, "XML
+ Signature Syntax and Processing Version 2.0", World Wide
+ Web Consortium Note NOTE-xmldsig-core2-20130411, April
+ 2013,
+ <http://www.w3.org/TR/2013/NOTE-xmldsig-core2-20130411/>.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jones, et al. Standards Track [Page 36]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+Appendix A. JWS Examples
+
+ This section provides several examples of JWSs. While the first
+ three examples all represent JSON Web Tokens (JWTs) [JWT], the
+ payload can be any octet sequence, as shown in Appendix A.4.
+
+A.1. Example JWS Using HMAC SHA-256
+
+A.1.1. Encoding
+
+ The following example JWS Protected Header declares that the data
+ structure is a JWT [JWT] and the JWS Signing Input is secured using
+ the HMAC SHA-256 algorithm.
+
+ {"typ":"JWT",
+ "alg":"HS256"}
+
+ To remove potential ambiguities in the representation of the JSON
+ object above, the actual octet sequence representing UTF8(JWS
+ Protected Header) used in this example is also included below. (Note
+ that ambiguities can arise due to differing platform representations
+ of line breaks (CRLF versus LF), differing spacing at the beginning
+ and ends of lines, whether the last line has a terminating line break
+ or not, and other causes. In the representation used in this
+ example, the first line has no leading or trailing spaces, a CRLF
+ line break (13, 10) occurs between the first and second lines, the
+ second line has one leading space (32) and no trailing spaces, and
+ the last line does not have a terminating line break.) The octets
+ representing UTF8(JWS Protected Header) in this example (using JSON
+ array notation) are:
+
+ [123, 34, 116, 121, 112, 34, 58, 34, 74, 87, 84, 34, 44, 13, 10, 32,
+ 34, 97, 108, 103, 34, 58, 34, 72, 83, 50, 53, 54, 34, 125]
+
+ Encoding this JWS Protected Header as BASE64URL(UTF8(JWS Protected
+ Header)) gives this value:
+
+ eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
+
+ The JWS Payload used in this example is the octets of the UTF-8
+ representation of the JSON object below. (Note that the payload can
+ be any base64url-encoded octet sequence and need not be a base64url-
+ encoded JSON object.)
+
+ {"iss":"joe",
+ "exp":1300819380,
+ "http://example.com/is_root":true}
+
+
+
+
+Jones, et al. Standards Track [Page 37]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ The following octet sequence, which is the UTF-8 representation used
+ in this example for the JSON object above, is the JWS Payload:
+
+ [123, 34, 105, 115, 115, 34, 58, 34, 106, 111, 101, 34, 44, 13, 10,
+ 32, 34, 101, 120, 112, 34, 58, 49, 51, 48, 48, 56, 49, 57, 51, 56,
+ 48, 44, 13, 10, 32, 34, 104, 116, 116, 112, 58, 47, 47, 101, 120, 97,
+ 109, 112, 108, 101, 46, 99, 111, 109, 47, 105, 115, 95, 114, 111,
+ 111, 116, 34, 58, 116, 114, 117, 101, 125]
+
+ Encoding this JWS Payload as BASE64URL(UTF8(JWS Payload)) gives this
+ value (with line breaks for display purposes only):
+
+ eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
+ cGxlLmNvbS9pc19yb290Ijp0cnVlfQ
+
+ Combining these as BASE64URL(UTF8(JWS Protected Header)) || '.' ||
+ BASE64URL(JWS Payload) gives this string (with line breaks for
+ display purposes only):
+
+ eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
+ .
+ eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
+ cGxlLmNvbS9pc19yb290Ijp0cnVlfQ
+
+ The resulting JWS Signing Input value, which is the ASCII
+ representation of above string, is the following octet sequence
+ (using JSON array notation):
+
+ [101, 121, 74, 48, 101, 88, 65, 105, 79, 105, 74, 75, 86, 49, 81,
+ 105, 76, 65, 48, 75, 73, 67, 74, 104, 98, 71, 99, 105, 79, 105, 74,
+ 73, 85, 122, 73, 49, 78, 105, 74, 57, 46, 101, 121, 74, 112, 99, 51,
+ 77, 105, 79, 105, 74, 113, 98, 50, 85, 105, 76, 65, 48, 75, 73, 67,
+ 74, 108, 101, 72, 65, 105, 79, 106, 69, 122, 77, 68, 65, 52, 77, 84,
+ 107, 122, 79, 68, 65, 115, 68, 81, 111, 103, 73, 109, 104, 48, 100,
+ 72, 65, 54, 76, 121, 57, 108, 101, 71, 70, 116, 99, 71, 120, 108, 76,
+ 109, 78, 118, 98, 83, 57, 112, 99, 49, 57, 121, 98, 50, 57, 48, 73,
+ 106, 112, 48, 99, 110, 86, 108, 102, 81]
+
+ HMACs are generated using keys. This example uses the symmetric key
+ represented in JSON Web Key [JWK] format below (with line breaks
+ within values for display purposes only):
+
+ {"kty":"oct",
+ "k":"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75
+ aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow"
+ }
+
+
+
+
+
+Jones, et al. Standards Track [Page 38]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ Running the HMAC SHA-256 algorithm on the JWS Signing Input with this
+ key yields this JWS Signature octet sequence:
+
+ [116, 24, 223, 180, 151, 153, 224, 37, 79, 250, 96, 125, 216, 173,
+ 187, 186, 22, 212, 37, 77, 105, 214, 191, 240, 91, 88, 5, 88, 83,
+ 132, 141, 121]
+
+ Encoding this JWS Signature as BASE64URL(JWS Signature) gives this
+ value:
+
+ dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
+
+ Concatenating these values in the order Header.Payload.Signature with
+ period ('.') characters between the parts yields this complete JWS
+ representation using the JWS Compact Serialization (with line breaks
+ for display purposes only):
+
+ eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
+ .
+ eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
+ cGxlLmNvbS9pc19yb290Ijp0cnVlfQ
+ .
+ dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
+
+A.1.2. Validating
+
+ Since the "alg" Header Parameter is "HS256", we validate the HMAC
+ SHA-256 value contained in the JWS Signature.
+
+ To validate the HMAC value, we repeat the previous process of using
+ the correct key and the JWS Signing Input (which is the initial
+ substring of the JWS Compact Serialization representation up until
+ but not including the second period character) as input to the HMAC
+ SHA-256 function and then taking the output and determining if it
+ matches the JWS Signature (which is base64url decoded from the value
+ encoded in the JWS representation). If it matches exactly, the HMAC
+ has been validated.
+
+A.2. Example JWS Using RSASSA-PKCS1-v1_5 SHA-256
+
+A.2.1. Encoding
+
+ The JWS Protected Header in this example is different from the
+ previous example in two ways. First, because a different algorithm
+ is being used, the "alg" value is different. Second, for
+ illustration purposes only, the optional "typ" (type) Header
+ Parameter is not used. (This difference is not related to the
+ algorithm employed.) The JWS Protected Header used is:
+
+
+
+Jones, et al. Standards Track [Page 39]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ {"alg":"RS256"}
+
+ The octets representing UTF8(JWS Protected Header) in this example
+ (using JSON array notation) are:
+
+ [123, 34, 97, 108, 103, 34, 58, 34, 82, 83, 50, 53, 54, 34, 125]
+
+ Encoding this JWS Protected Header as BASE64URL(UTF8(JWS Protected
+ Header)) gives this value:
+
+ eyJhbGciOiJSUzI1NiJ9
+
+ The JWS Payload used in this example, which follows, is the same as
+ in the previous example. Since the BASE64URL(JWS Payload) value will
+ therefore be the same, its computation is not repeated here.
+
+ {"iss":"joe",
+ "exp":1300819380,
+ "http://example.com/is_root":true}
+
+ Combining these as BASE64URL(UTF8(JWS Protected Header)) || '.' ||
+ BASE64URL(JWS Payload) gives this string (with line breaks for
+ display purposes only):
+
+ eyJhbGciOiJSUzI1NiJ9
+ .
+ eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
+ cGxlLmNvbS9pc19yb290Ijp0cnVlfQ
+
+ The resulting JWS Signing Input value, which is the ASCII
+ representation of above string, is the following octet sequence:
+
+ [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 122, 73,
+ 49, 78, 105, 74, 57, 46, 101, 121, 74, 112, 99, 51, 77, 105, 79, 105,
+ 74, 113, 98, 50, 85, 105, 76, 65, 48, 75, 73, 67, 74, 108, 101, 72,
+ 65, 105, 79, 106, 69, 122, 77, 68, 65, 52, 77, 84, 107, 122, 79, 68,
+ 65, 115, 68, 81, 111, 103, 73, 109, 104, 48, 100, 72, 65, 54, 76,
+ 121, 57, 108, 101, 71, 70, 116, 99, 71, 120, 108, 76, 109, 78, 118,
+ 98, 83, 57, 112, 99, 49, 57, 121, 98, 50, 57, 48, 73, 106, 112, 48,
+ 99, 110, 86, 108, 102, 81]
+
+
+
+
+
+
+
+
+
+
+
+Jones, et al. Standards Track [Page 40]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ This example uses the RSA key represented in JSON Web Key [JWK]
+ format below (with line breaks within values for display purposes
+ only):
+
+ {"kty":"RSA",
+ "n":"ofgWCuLjybRlzo0tZWJjNiuSfb4p4fAkd_wWJcyQoTbji9k0l8W26mPddx
+ HmfHQp-Vaw-4qPCJrcS2mJPMEzP1Pt0Bm4d4QlL-yRT-SFd2lZS-pCgNMs
+ D1W_YpRPEwOWvG6b32690r2jZ47soMZo9wGzjb_7OMg0LOL-bSf63kpaSH
+ SXndS5z5rexMdbBYUsLA9e-KXBdQOS-UTo7WTBEMa2R2CapHg665xsmtdV
+ MTBQY4uDZlxvb3qCo5ZwKh9kG4LT6_I5IhlJH7aGhyxXFvUK-DWNmoudF8
+ NAco9_h9iaGNj8q2ethFkMLs91kzk2PAcDTW9gb54h4FRWyuXpoQ",
+ "e":"AQAB",
+ "d":"Eq5xpGnNCivDflJsRQBXHx1hdR1k6Ulwe2JZD50LpXyWPEAeP88vLNO97I
+ jlA7_GQ5sLKMgvfTeXZx9SE-7YwVol2NXOoAJe46sui395IW_GO-pWJ1O0
+ BkTGoVEn2bKVRUCgu-GjBVaYLU6f3l9kJfFNS3E0QbVdxzubSu3Mkqzjkn
+ 439X0M_V51gfpRLI9JYanrC4D4qAdGcopV_0ZHHzQlBjudU2QvXt4ehNYT
+ CBr6XCLQUShb1juUO1ZdiYoFaFQT5Tw8bGUl_x_jTj3ccPDVZFD9pIuhLh
+ BOneufuBiB4cS98l2SR_RQyGWSeWjnczT0QU91p1DhOVRuOopznQ",
+ "p":"4BzEEOtIpmVdVEZNCqS7baC4crd0pqnRH_5IB3jw3bcxGn6QLvnEtfdUdi
+ YrqBdss1l58BQ3KhooKeQTa9AB0Hw_Py5PJdTJNPY8cQn7ouZ2KKDcmnPG
+ BY5t7yLc1QlQ5xHdwW1VhvKn-nXqhJTBgIPgtldC-KDV5z-y2XDwGUc",
+ "q":"uQPEfgmVtjL0Uyyx88GZFF1fOunH3-7cepKmtH4pxhtCoHqpWmT8YAmZxa
+ ewHgHAjLYsp1ZSe7zFYHj7C6ul7TjeLQeZD_YwD66t62wDmpe_HlB-TnBA
+ -njbglfIsRLtXlnDzQkv5dTltRJ11BKBBypeeF6689rjcJIDEz9RWdc",
+ "dp":"BwKfV3Akq5_MFZDFZCnW-wzl-CCo83WoZvnLQwCTeDv8uzluRSnm71I3Q
+ CLdhrqE2e9YkxvuxdBfpT_PI7Yz-FOKnu1R6HsJeDCjn12Sk3vmAktV2zb
+ 34MCdy7cpdTh_YVr7tss2u6vneTwrA86rZtu5Mbr1C1XsmvkxHQAdYo0",
+ "dq":"h_96-mK1R_7glhsum81dZxjTnYynPbZpHziZjeeHcXYsXaaMwkOlODsWa
+ 7I9xXDoRwbKgB719rrmI2oKr6N3Do9U0ajaHF-NKJnwgjMd2w9cjz3_-ky
+ NlxAr2v4IKhGNpmM5iIgOS1VZnOZ68m6_pbLBSp3nssTdlqvd0tIiTHU",
+ "qi":"IYd7DHOhrWvxkwPQsRM2tOgrjbcrfvtQJipd-DlcxyVuuM9sQLdgjVk2o
+ y26F0EmpScGLq2MowX7fhd_QJQ3ydy5cY7YIBi87w93IKLEdfnbJtoOPLU
+ W0ITrJReOgo1cq9SbsxYawBgfp_gh6A5603k2-ZQwVK0JKSHuLFkuQ3U"
+ }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jones, et al. Standards Track [Page 41]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ The RSA private key is then passed to the RSA signing function, which
+ also takes the hash type, SHA-256, and the JWS Signing Input as
+ inputs. The result of the digital signature is an octet sequence,
+ which represents a big-endian integer. In this example, it is:
+
+ [112, 46, 33, 137, 67, 232, 143, 209, 30, 181, 216, 45, 191, 120, 69,
+ 243, 65, 6, 174, 27, 129, 255, 247, 115, 17, 22, 173, 209, 113, 125,
+ 131, 101, 109, 66, 10, 253, 60, 150, 238, 221, 115, 162, 102, 62, 81,
+ 102, 104, 123, 0, 11, 135, 34, 110, 1, 135, 237, 16, 115, 249, 69,
+ 229, 130, 173, 252, 239, 22, 216, 90, 121, 142, 232, 198, 109, 219,
+ 61, 184, 151, 91, 23, 208, 148, 2, 190, 237, 213, 217, 217, 112, 7,
+ 16, 141, 178, 129, 96, 213, 248, 4, 12, 167, 68, 87, 98, 184, 31,
+ 190, 127, 249, 217, 46, 10, 231, 111, 36, 242, 91, 51, 187, 230, 244,
+ 74, 230, 30, 177, 4, 10, 203, 32, 4, 77, 62, 249, 18, 142, 212, 1,
+ 48, 121, 91, 212, 189, 59, 65, 238, 202, 208, 102, 171, 101, 25, 129,
+ 253, 228, 141, 247, 127, 55, 45, 195, 139, 159, 175, 221, 59, 239,
+ 177, 139, 93, 163, 204, 60, 46, 176, 47, 158, 58, 65, 214, 18, 202,
+ 173, 21, 145, 18, 115, 160, 95, 35, 185, 232, 56, 250, 175, 132, 157,
+ 105, 132, 41, 239, 90, 30, 136, 121, 130, 54, 195, 212, 14, 96, 69,
+ 34, 165, 68, 200, 242, 122, 122, 45, 184, 6, 99, 209, 108, 247, 202,
+ 234, 86, 222, 64, 92, 178, 33, 90, 69, 178, 194, 85, 102, 181, 90,
+ 193, 167, 72, 160, 112, 223, 200, 163, 42, 70, 149, 67, 208, 25, 238,
+ 251, 71]
+
+ Encoding the signature as BASE64URL(JWS Signature) produces this
+ value (with line breaks for display purposes only):
+
+ cC4hiUPoj9Eetdgtv3hF80EGrhuB__dzERat0XF9g2VtQgr9PJbu3XOiZj5RZmh7
+ AAuHIm4Bh-0Qc_lF5YKt_O8W2Fp5jujGbds9uJdbF9CUAr7t1dnZcAcQjbKBYNX4
+ BAynRFdiuB--f_nZLgrnbyTyWzO75vRK5h6xBArLIARNPvkSjtQBMHlb1L07Qe7K
+ 0GarZRmB_eSN9383LcOLn6_dO--xi12jzDwusC-eOkHWEsqtFZESc6BfI7noOPqv
+ hJ1phCnvWh6IeYI2w9QOYEUipUTI8np6LbgGY9Fs98rqVt5AXLIhWkWywlVmtVrB
+ p0igcN_IoypGlUPQGe77Rw
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jones, et al. Standards Track [Page 42]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ Concatenating these values in the order Header.Payload.Signature with
+ period ('.') characters between the parts yields this complete JWS
+ representation using the JWS Compact Serialization (with line breaks
+ for display purposes only):
+
+ eyJhbGciOiJSUzI1NiJ9
+ .
+ eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
+ cGxlLmNvbS9pc19yb290Ijp0cnVlfQ
+ .
+ cC4hiUPoj9Eetdgtv3hF80EGrhuB__dzERat0XF9g2VtQgr9PJbu3XOiZj5RZmh7
+ AAuHIm4Bh-0Qc_lF5YKt_O8W2Fp5jujGbds9uJdbF9CUAr7t1dnZcAcQjbKBYNX4
+ BAynRFdiuB--f_nZLgrnbyTyWzO75vRK5h6xBArLIARNPvkSjtQBMHlb1L07Qe7K
+ 0GarZRmB_eSN9383LcOLn6_dO--xi12jzDwusC-eOkHWEsqtFZESc6BfI7noOPqv
+ hJ1phCnvWh6IeYI2w9QOYEUipUTI8np6LbgGY9Fs98rqVt5AXLIhWkWywlVmtVrB
+ p0igcN_IoypGlUPQGe77Rw
+
+A.2.2. Validating
+
+ Since the "alg" Header Parameter is "RS256", we validate the RSASSA-
+ PKCS1-v1_5 SHA-256 digital signature contained in the JWS Signature.
+
+ Validating the JWS Signature is a bit different from the previous
+ example. We pass the public key (n, e), the JWS Signature (which is
+ base64url decoded from the value encoded in the JWS representation),
+ and the JWS Signing Input (which is the initial substring of the JWS
+ Compact Serialization representation up until but not including the
+ second period character) to an RSASSA-PKCS1-v1_5 signature verifier
+ that has been configured to use the SHA-256 hash function.
+
+A.3. Example JWS Using ECDSA P-256 SHA-256
+
+A.3.1. Encoding
+
+ The JWS Protected Header for this example differs from the previous
+ example because a different algorithm is being used. The JWS
+ Protected Header used is:
+
+ {"alg":"ES256"}
+
+ The octets representing UTF8(JWS Protected Header) in this example
+ (using JSON array notation) are:
+
+ [123, 34, 97, 108, 103, 34, 58, 34, 69, 83, 50, 53, 54, 34, 125]
+
+
+
+
+
+
+
+Jones, et al. Standards Track [Page 43]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ Encoding this JWS Protected Header as BASE64URL(UTF8(JWS Protected
+ Header)) gives this value:
+
+ eyJhbGciOiJFUzI1NiJ9
+
+ The JWS Payload used in this example, which follows, is the same as
+ in the previous examples. Since the BASE64URL(JWS Payload) value
+ will therefore be the same, its computation is not repeated here.
+
+ {"iss":"joe",
+ "exp":1300819380,
+ "http://example.com/is_root":true}
+
+ Combining these as BASE64URL(UTF8(JWS Protected Header)) || '.' ||
+ BASE64URL(JWS Payload) gives this string (with line breaks for
+ display purposes only):
+
+ eyJhbGciOiJFUzI1NiJ9
+ .
+ eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
+ cGxlLmNvbS9pc19yb290Ijp0cnVlfQ
+
+ The resulting JWS Signing Input value, which is the ASCII
+ representation of above string, is the following octet sequence:
+
+ [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 70, 85, 122, 73,
+ 49, 78, 105, 74, 57, 46, 101, 121, 74, 112, 99, 51, 77, 105, 79, 105,
+ 74, 113, 98, 50, 85, 105, 76, 65, 48, 75, 73, 67, 74, 108, 101, 72,
+ 65, 105, 79, 106, 69, 122, 77, 68, 65, 52, 77, 84, 107, 122, 79, 68,
+ 65, 115, 68, 81, 111, 103, 73, 109, 104, 48, 100, 72, 65, 54, 76,
+ 121, 57, 108, 101, 71, 70, 116, 99, 71, 120, 108, 76, 109, 78, 118,
+ 98, 83, 57, 112, 99, 49, 57, 121, 98, 50, 57, 48, 73, 106, 112, 48,
+ 99, 110, 86, 108, 102, 81]
+
+ This example uses the Elliptic Curve key represented in JSON Web Key
+ [JWK] format below:
+
+ {"kty":"EC",
+ "crv":"P-256",
+ "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
+ "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
+ "d":"jpsQnnGQmL-YBIffH1136cspYG6-0iY7X1fCE9-E9LI"
+ }
+
+ The Elliptic Curve Digital Signature Algorithm (ECDSA) private part d
+ is then passed to an ECDSA signing function, which also takes the
+ curve type, P-256, the hash type, SHA-256, and the JWS Signing Input
+ as inputs. The result of the digital signature is the Elliptic Curve
+
+
+
+Jones, et al. Standards Track [Page 44]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ (EC) point (R, S), where R and S are unsigned integers. In this
+ example, the R and S values, given as octet sequences representing
+ big-endian integers are:
+
+ +--------+----------------------------------------------------------+
+ | Result | Value |
+ | Name | |
+ +--------+----------------------------------------------------------+
+ | R | [14, 209, 33, 83, 121, 99, 108, 72, 60, 47, 127, 21, 88, |
+ | | 7, 212, 2, 163, 178, 40, 3, 58, 249, 124, 126, 23, 129, |
+ | | 154, 195, 22, 158, 166, 101] |
+ | S | [197, 10, 7, 211, 140, 60, 112, 229, 216, 241, 45, 175, |
+ | | 8, 74, 84, 128, 166, 101, 144, 197, 242, 147, 80, 154, |
+ | | 143, 63, 127, 138, 131, 163, 84, 213] |
+ +--------+----------------------------------------------------------+
+
+ The JWS Signature is the value R || S. Encoding the signature as
+ BASE64URL(JWS Signature) produces this value (with line breaks for
+ display purposes only):
+
+ DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSA
+ pmWQxfKTUJqPP3-Kg6NU1Q
+
+ Concatenating these values in the order Header.Payload.Signature with
+ period ('.') characters between the parts yields this complete JWS
+ representation using the JWS Compact Serialization (with line breaks
+ for display purposes only):
+
+ eyJhbGciOiJFUzI1NiJ9
+ .
+ eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
+ cGxlLmNvbS9pc19yb290Ijp0cnVlfQ
+ .
+ DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSA
+ pmWQxfKTUJqPP3-Kg6NU1Q
+
+A.3.2. Validating
+
+ Since the "alg" Header Parameter is "ES256", we validate the ECDSA
+ P-256 SHA-256 digital signature contained in the JWS Signature.
+
+ Validating the JWS Signature is a bit different from the previous
+ examples. We need to split the 64 member octet sequence of the JWS
+ Signature (which is base64url decoded from the value encoded in the
+ JWS representation) into two 32 octet sequences, the first
+ representing R and the second S. We then pass the public key (x, y),
+ the signature (R, S), and the JWS Signing Input (which is the initial
+ substring of the JWS Compact Serialization representation up until
+
+
+
+Jones, et al. Standards Track [Page 45]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ but not including the second period character) to an ECDSA signature
+ verifier that has been configured to use the P-256 curve with the
+ SHA-256 hash function.
+
+A.4. Example JWS Using ECDSA P-521 SHA-512
+
+A.4.1. Encoding
+
+ The JWS Protected Header for this example differs from the previous
+ example because different ECDSA curves and hash functions are used.
+ The JWS Protected Header used is:
+
+ {"alg":"ES512"}
+
+ The octets representing UTF8(JWS Protected Header) in this example
+ (using JSON array notation) are:
+
+ [123, 34, 97, 108, 103, 34, 58, 34, 69, 83, 53, 49, 50, 34, 125]
+
+ Encoding this JWS Protected Header as BASE64URL(UTF8(JWS Protected
+ Header)) gives this value:
+
+ eyJhbGciOiJFUzUxMiJ9
+
+ The JWS Payload used in this example is the ASCII string "Payload".
+ The representation of this string is the following octet sequence:
+
+ [80, 97, 121, 108, 111, 97, 100]
+
+ Encoding this JWS Payload as BASE64URL(JWS Payload) gives this value:
+
+ UGF5bG9hZA
+
+ Combining these as BASE64URL(UTF8(JWS Protected Header)) || '.' ||
+ BASE64URL(JWS Payload) gives this string:
+
+ eyJhbGciOiJFUzUxMiJ9.UGF5bG9hZA
+
+ The resulting JWS Signing Input value, which is the ASCII
+ representation of above string, is the following octet sequence:
+
+ [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 70, 85, 122, 85,
+ 120, 77, 105, 74, 57, 46, 85, 71, 70, 53, 98, 71, 57, 104, 90, 65]
+
+
+
+
+
+
+
+
+Jones, et al. Standards Track [Page 46]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ This example uses the Elliptic Curve key represented in JSON Web Key
+ [JWK] format below (with line breaks within values for display
+ purposes only):
+
+ {"kty":"EC",
+ "crv":"P-521",
+ "x":"AekpBQ8ST8a8VcfVOTNl353vSrDCLLJXmPk06wTjxrrjcBpXp5EOnYG_
+ NjFZ6OvLFV1jSfS9tsz4qUxcWceqwQGk",
+ "y":"ADSmRA43Z1DSNx_RvcLI87cdL07l6jQyyBXMoxVg_l2Th-x3S1WDhjDl
+ y79ajL4Kkd0AZMaZmh9ubmf63e3kyMj2",
+ "d":"AY5pb7A0UFiB3RELSD64fTLOSV_jazdF7fLYyuTw8lOfRhWg6Y6rUrPA
+ xerEzgdRhajnu0ferB0d53vM9mE15j2C"
+ }
+
+ The ECDSA private part d is then passed to an ECDSA signing function,
+ which also takes the curve type, P-521, the hash type, SHA-512, and
+ the JWS Signing Input as inputs. The result of the digital signature
+ is the EC point (R, S), where R and S are unsigned integers. In this
+ example, the R and S values, given as octet sequences representing
+ big-endian integers are:
+
+ +--------+----------------------------------------------------------+
+ | Result | Value |
+ | Name | |
+ +--------+----------------------------------------------------------+
+ | R | [1, 220, 12, 129, 231, 171, 194, 209, 232, 135, 233, |
+ | | 117, 247, 105, 122, 210, 26, 125, 192, 1, 217, 21, 82, |
+ | | 91, 45, 240, 255, 83, 19, 34, 239, 71, 48, 157, 147, |
+ | | 152, 105, 18, 53, 108, 163, 214, 68, 231, 62, 153, 150, |
+ | | 106, 194, 164, 246, 72, 143, 138, 24, 50, 129, 223, 133, |
+ | | 206, 209, 172, 63, 237, 119, 109] |
+ | S | [0, 111, 6, 105, 44, 5, 41, 208, 128, 61, 152, 40, 92, |
+ | | 61, 152, 4, 150, 66, 60, 69, 247, 196, 170, 81, 193, |
+ | | 199, 78, 59, 194, 169, 16, 124, 9, 143, 42, 142, 131, |
+ | | 48, 206, 238, 34, 175, 83, 203, 220, 159, 3, 107, 155, |
+ | | 22, 27, 73, 111, 68, 68, 21, 238, 144, 229, 232, 148, |
+ | | 188, 222, 59, 242, 103] |
+ +--------+----------------------------------------------------------+
+
+ The JWS Signature is the value R || S. Encoding the signature as
+ BASE64URL(JWS Signature) produces this value (with line breaks for
+ display purposes only):
+
+ AdwMgeerwtHoh-l192l60hp9wAHZFVJbLfD_UxMi70cwnZOYaRI1bKPWROc-mZZq
+ wqT2SI-KGDKB34XO0aw_7XdtAG8GaSwFKdCAPZgoXD2YBJZCPEX3xKpRwcdOO8Kp
+ EHwJjyqOgzDO7iKvU8vcnwNrmxYbSW9ERBXukOXolLzeO_Jn
+
+
+
+
+
+Jones, et al. Standards Track [Page 47]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ Concatenating these values in the order Header.Payload.Signature with
+ period ('.') characters between the parts yields this complete JWS
+ representation using the JWS Compact Serialization (with line breaks
+ for display purposes only):
+
+ eyJhbGciOiJFUzUxMiJ9
+ .
+ UGF5bG9hZA
+ .
+ AdwMgeerwtHoh-l192l60hp9wAHZFVJbLfD_UxMi70cwnZOYaRI1bKPWROc-mZZq
+ wqT2SI-KGDKB34XO0aw_7XdtAG8GaSwFKdCAPZgoXD2YBJZCPEX3xKpRwcdOO8Kp
+ EHwJjyqOgzDO7iKvU8vcnwNrmxYbSW9ERBXukOXolLzeO_Jn
+
+A.4.2. Validating
+
+ Since the "alg" Header Parameter is "ES512", we validate the ECDSA
+ P-521 SHA-512 digital signature contained in the JWS Signature.
+
+ Validating this JWS Signature is very similar to the previous
+ example. We need to split the 132-member octet sequence of the JWS
+ Signature into two 66-octet sequences, the first representing R and
+ the second S. We then pass the public key (x, y), the signature (R,
+ S), and the JWS Signing Input to an ECDSA signature verifier that has
+ been configured to use the P-521 curve with the SHA-512 hash
+ function.
+
+A.5. Example Unsecured JWS
+
+ The following example JWS Protected Header declares that the encoded
+ object is an Unsecured JWS:
+
+ {"alg":"none"}
+
+ Encoding this JWS Protected Header as BASE64URL(UTF8(JWS Protected
+ Header)) gives this value:
+
+ eyJhbGciOiJub25lIn0
+
+ The JWS Payload used in this example, which follows, is the same as
+ in the previous examples. Since the BASE64URL(JWS Payload) value
+ will therefore be the same, its computation is not repeated here.
+
+ {"iss":"joe",
+ "exp":1300819380,
+ "http://example.com/is_root":true}
+
+ The JWS Signature is the empty octet string and BASE64URL(JWS
+ Signature) is the empty string.
+
+
+
+Jones, et al. Standards Track [Page 48]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ Concatenating these values in the order Header.Payload.Signature with
+ period ('.') characters between the parts yields this complete JWS
+ representation using the JWS Compact Serialization (with line breaks
+ for display purposes only):
+
+ eyJhbGciOiJub25lIn0
+ .
+ eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
+ cGxlLmNvbS9pc19yb290Ijp0cnVlfQ
+ .
+
+A.6. Example JWS Using General JWS JSON Serialization
+
+ This section contains an example using the general JWS JSON
+ Serialization syntax. This example demonstrates the capability for
+ conveying multiple digital signatures and/or MACs for the same
+ payload.
+
+ The JWS Payload used in this example is the same as that used in the
+ examples in Appendix A.2 and Appendix A.3 (with line breaks for
+ display purposes only):
+
+ eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
+ cGxlLmNvbS9pc19yb290Ijp0cnVlfQ
+
+ Two digital signatures are used in this example: the first using
+ RSASSA-PKCS1-v1_5 SHA-256 and the second using ECDSA P-256 SHA-256.
+ For the first, the JWS Protected Header and key are the same as in
+ Appendix A.2, resulting in the same JWS Signature value; therefore,
+ its computation is not repeated here. For the second, the JWS
+ Protected Header and key are the same as in Appendix A.3, resulting
+ in the same JWS Signature value; therefore, its computation is not
+ repeated here.
+
+A.6.1. JWS Per-Signature Protected Headers
+
+ The JWS Protected Header value used for the first signature is:
+
+ {"alg":"RS256"}
+
+ Encoding this JWS Protected Header as BASE64URL(UTF8(JWS Protected
+ Header)) gives this value:
+
+ eyJhbGciOiJSUzI1NiJ9
+
+ The JWS Protected Header value used for the second signature is:
+
+ {"alg":"ES256"}
+
+
+
+Jones, et al. Standards Track [Page 49]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ Encoding this JWS Protected Header as BASE64URL(UTF8(JWS Protected
+ Header)) gives this value:
+
+ eyJhbGciOiJFUzI1NiJ9
+
+A.6.2. JWS Per-Signature Unprotected Headers
+
+ Key ID values are supplied for both keys using per-signature Header
+ Parameters. The two JWS Unprotected Header values used to represent
+ these key IDs are:
+
+ {"kid":"2010-12-29"}
+
+ and
+
+ {"kid":"e9bc097a-ce51-4036-9562-d2ade882db0d"}
+
+A.6.3. Complete JOSE Header Values
+
+ Combining the JWS Protected Header and JWS Unprotected Header values
+ supplied, the JOSE Header values used for the first and second
+ signatures, respectively, are:
+
+ {"alg":"RS256",
+ "kid":"2010-12-29"}
+
+ and
+
+ {"alg":"ES256",
+ "kid":"e9bc097a-ce51-4036-9562-d2ade882db0d"}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jones, et al. Standards Track [Page 50]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+A.6.4. Complete JWS JSON Serialization Representation
+
+ The complete JWS JSON Serialization for these values is as follows
+ (with line breaks within values for display purposes only):
+
+ {
+ "payload":
+ "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGF
+ tcGxlLmNvbS9pc19yb290Ijp0cnVlfQ",
+ "signatures":[
+ {"protected":"eyJhbGciOiJSUzI1NiJ9",
+ "header":
+ {"kid":"2010-12-29"},
+ "signature":
+ "cC4hiUPoj9Eetdgtv3hF80EGrhuB__dzERat0XF9g2VtQgr9PJbu3XOiZj5RZ
+ mh7AAuHIm4Bh-0Qc_lF5YKt_O8W2Fp5jujGbds9uJdbF9CUAr7t1dnZcAcQjb
+ KBYNX4BAynRFdiuB--f_nZLgrnbyTyWzO75vRK5h6xBArLIARNPvkSjtQBMHl
+ b1L07Qe7K0GarZRmB_eSN9383LcOLn6_dO--xi12jzDwusC-eOkHWEsqtFZES
+ c6BfI7noOPqvhJ1phCnvWh6IeYI2w9QOYEUipUTI8np6LbgGY9Fs98rqVt5AX
+ LIhWkWywlVmtVrBp0igcN_IoypGlUPQGe77Rw"},
+ {"protected":"eyJhbGciOiJFUzI1NiJ9",
+ "header":
+ {"kid":"e9bc097a-ce51-4036-9562-d2ade882db0d"},
+ "signature":
+ "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8IS
+ lSApmWQxfKTUJqPP3-Kg6NU1Q"}]
+ }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jones, et al. Standards Track [Page 51]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+A.7. Example JWS Using Flattened JWS JSON Serialization
+
+ This section contains an example using the flattened JWS JSON
+ Serialization syntax. This example demonstrates the capability for
+ conveying a single digital signature or MAC in a flattened JSON
+ structure.
+
+ The values in this example are the same as those in the second
+ signature of the previous example in Appendix A.6.
+
+ The complete JWS JSON Serialization for these values is as follows
+ (with line breaks within values for display purposes only):
+
+ {
+ "payload":
+ "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGF
+ tcGxlLmNvbS9pc19yb290Ijp0cnVlfQ",
+ "protected":"eyJhbGciOiJFUzI1NiJ9",
+ "header":
+ {"kid":"e9bc097a-ce51-4036-9562-d2ade882db0d"},
+ "signature":
+ "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8IS
+ lSApmWQxfKTUJqPP3-Kg6NU1Q"
+ }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jones, et al. Standards Track [Page 52]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+Appendix B. "x5c" (X.509 Certificate Chain) Example
+
+ The JSON array below is an example of a certificate chain that could
+ be used as the value of an "x5c" (X.509 certificate chain) Header
+ Parameter, per Section 4.1.6 (with line breaks within values for
+ display purposes only):
+
+ ["MIIE3jCCA8agAwIBAgICAwEwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCVVM
+ xITAfBgNVBAoTGFRoZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR2
+ 8gRGFkZHkgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjExM
+ TYwMTU0MzdaFw0yNjExMTYwMTU0MzdaMIHKMQswCQYDVQQGEwJVUzEQMA4GA1UE
+ CBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEaMBgGA1UEChMRR29EYWR
+ keS5jb20sIEluYy4xMzAxBgNVBAsTKmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYW
+ RkeS5jb20vcmVwb3NpdG9yeTEwMC4GA1UEAxMnR28gRGFkZHkgU2VjdXJlIENlc
+ nRpZmljYXRpb24gQXV0aG9yaXR5MREwDwYDVQQFEwgwNzk2OTI4NzCCASIwDQYJ
+ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMQt1RWMnCZM7DI161+4WQFapmGBWTt
+ wY6vj3D3HKrjJM9N55DrtPDAjhI6zMBS2sofDPZVUBJ7fmd0LJR4h3mUpfjWoqV
+ Tr9vcyOdQmVZWt7/v+WIbXnvQAjYwqDL1CBM6nPwT27oDyqu9SoWlm2r4arV3aL
+ GbqGmu75RpRSgAvSMeYddi5Kcju+GZtCpyz8/x4fKL4o/K1w/O5epHBp+YlLpyo
+ 7RJlbmr2EkRTcDCVw5wrWCs9CHRK8r5RsL+H0EwnWGu1NcWdrxcx+AuP7q2BNgW
+ JCJjPOq8lh8BJ6qf9Z/dFjpfMFDniNoW1fho3/Rb2cRGadDAW/hOUoz+EDU8CAw
+ EAAaOCATIwggEuMB0GA1UdDgQWBBT9rGEyk2xF1uLuhV+auud2mWjM5zAfBgNVH
+ SMEGDAWgBTSxLDSkdRMEXGzYcs9of7dqGrU4zASBgNVHRMBAf8ECDAGAQH/AgEA
+ MDMGCCsGAQUFBwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZ29kYWR
+ keS5jb20wRgYDVR0fBD8wPTA7oDmgN4Y1aHR0cDovL2NlcnRpZmljYXRlcy5nb2
+ RhZGR5LmNvbS9yZXBvc2l0b3J5L2dkcm9vdC5jcmwwSwYDVR0gBEQwQjBABgRVH
+ SAAMDgwNgYIKwYBBQUHAgEWKmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5j
+ b20vcmVwb3NpdG9yeTAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggE
+ BANKGwOy9+aG2Z+5mC6IGOgRQjhVyrEp0lVPLN8tESe8HkGsz2ZbwlFalEzAFPI
+ UyIXvJxwqoJKSQ3kbTJSMUA2fCENZvD117esyfxVgqwcSeIaha86ykRvOe5GPLL
+ 5CkKSkB2XIsKd83ASe8T+5o0yGPwLPk9Qnt0hCqU7S+8MxZC9Y7lhyVJEnfzuz9
+ p0iRFEUOOjZv2kWzRaJBydTXRE4+uXR21aITVSzGh6O1mawGhId/dQb8vxRMDsx
+ uxN89txJx9OjxUUAiKEngHUuHqDTMBqLdElrRhjZkAzVvb3du6/KFUJheqwNTrZ
+ EjYx8WnM25sgVjOuH0aBsXBTWVU+4=",
+ "MIIE+zCCBGSgAwIBAgICAQ0wDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1Z
+ hbGlDZXJ0IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIE
+ luYy4xNTAzBgNVBAsTLFZhbGlDZXJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYXRpb
+ 24gQXV0aG9yaXR5MSEwHwYDVQQDExhodHRwOi8vd3d3LnZhbGljZXJ0LmNvbS8x
+ IDAeBgkqhkiG9w0BCQEWEWluZm9AdmFsaWNlcnQuY29tMB4XDTA0MDYyOTE3MDY
+ yMFoXDTI0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRoZS
+ BHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3MgM
+ iBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
+ ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XC
+ APVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux
+ 6wwdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLO
+ tXiEqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWo
+ riMYavx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZ
+ Eewo+YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjggHhMIIB3TAdBgNVHQ
+
+
+
+Jones, et al. Standards Track [Page 53]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ 4EFgQU0sSw0pHUTBFxs2HLPaH+3ahq1OMwgdIGA1UdIwSByjCBx6GBwaSBvjCBu
+ zEkMCIGA1UEBxMbVmFsaUNlcnQgVmFsaWRhdGlvbiBOZXR3b3JrMRcwFQYDVQQK
+ Ew5WYWxpQ2VydCwgSW5jLjE1MDMGA1UECxMsVmFsaUNlcnQgQ2xhc3MgMiBQb2x
+ pY3kgVmFsaWRhdGlvbiBBdXRob3JpdHkxITAfBgNVBAMTGGh0dHA6Ly93d3cudm
+ FsaWNlcnQuY29tLzEgMB4GCSqGSIb3DQEJARYRaW5mb0B2YWxpY2VydC5jb22CA
+ QEwDwYDVR0TAQH/BAUwAwEB/zAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGG
+ F2h0dHA6Ly9vY3NwLmdvZGFkZHkuY29tMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA
+ 6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9yb290LmNybD
+ BLBgNVHSAERDBCMEAGBFUdIAAwODA2BggrBgEFBQcCARYqaHR0cDovL2NlcnRpZ
+ mljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5MA4GA1UdDwEB/wQEAwIBBjAN
+ BgkqhkiG9w0BAQUFAAOBgQC1QPmnHfbq/qQaQlpE9xXUhUaJwL6e4+PrxeNYiY+
+ Sn1eocSxI0YGyeR+sBjUZsE4OWBsUs5iB0QQeyAfJg594RAoYC5jcdnplDQ1tgM
+ QLARzLrUc+cb53S8wGd9D0VmsfSxOaFIqII6hR8INMqzW/Rn453HWkrugp++85j
+ 09VZw==",
+ "MIIC5zCCAlACAQEwDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1ZhbGlDZXJ
+ 0IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNT
+ AzBgNVBAsTLFZhbGlDZXJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYXRpb24gQXV0a
+ G9yaXR5MSEwHwYDVQQDExhodHRwOi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkq
+ hkiG9w0BCQEWEWluZm9AdmFsaWNlcnQuY29tMB4XDTk5MDYyNjAwMTk1NFoXDTE
+ 5MDYyNjAwMTk1NFowgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0IFZhbGlkYXRpb24gTm
+ V0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNTAzBgNVBAsTLFZhbGlDZ
+ XJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYXRpb24gQXV0aG9yaXR5MSEwHwYDVQQD
+ ExhodHRwOi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkqhkiG9w0BCQEWEWluZm9
+ AdmFsaWNlcnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOOnHK5a
+ vIWZJV16vYdA757tn2VUdZZUcOBVXc65g2PFxTXdMwzzjsvUGJ7SVCCSRrCl6zf
+ N1SLUzm1NZ9WlmpZdRJEy0kTRxQb7XBhVQ7/nHk01xC+YDgkRoKWzk2Z/M/VXwb
+ P7RfZHM047QSv4dk+NoS/zcnwbNDu+97bi5p9wIDAQABMA0GCSqGSIb3DQEBBQU
+ AA4GBADt/UG9vUJSZSWI4OB9L+KXIPqeCgfYrx+jFzug6EILLGACOTb2oWH+heQ
+ C1u+mNr0HZDzTuIYEZoDJJKPTEjlbVUjP9UNV+mWwD5MlM/Mtsq2azSiGM5bUMM
+ j4QssxsodyamEwCW/POuZ6lcg5Ktz885hZo+L7tdEy8W9ViH0Pd"]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jones, et al. Standards Track [Page 54]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+Appendix C. Notes on Implementing base64url Encoding without Padding
+
+ This appendix describes how to implement base64url encoding and
+ decoding functions without padding based upon standard base64
+ encoding and decoding functions that do use padding.
+
+ To be concrete, example C# code implementing these functions is shown
+ below. Similar code could be used in other languages.
+
+ static string base64urlencode(byte [] arg)
+ {
+ string s = Convert.ToBase64String(arg); // Regular base64 encoder
+ s = s.Split('=')[0]; // Remove any trailing '='s
+ s = s.Replace('+', '-'); // 62nd char of encoding
+ s = s.Replace('/', '_'); // 63rd char of encoding
+ return s;
+ }
+
+ static byte [] base64urldecode(string arg)
+ {
+ string s = arg;
+ s = s.Replace('-', '+'); // 62nd char of encoding
+ s = s.Replace('_', '/'); // 63rd char of encoding
+ switch (s.Length % 4) // Pad with trailing '='s
+ {
+ case 0: break; // No pad chars in this case
+ case 2: s += "=="; break; // Two pad chars
+ case 3: s += "="; break; // One pad char
+ default: throw new System.Exception(
+ "Illegal base64url string!");
+ }
+ return Convert.FromBase64String(s); // Standard base64 decoder
+ }
+
+ As per the example code above, the number of '=' padding characters
+ that needs to be added to the end of a base64url-encoded string
+ without padding to turn it into one with padding is a deterministic
+ function of the length of the encoded string. Specifically, if the
+ length mod 4 is 0, no padding is added; if the length mod 4 is 2, two
+ '=' padding characters are added; if the length mod 4 is 3, one '='
+ padding character is added; if the length mod 4 is 1, the input is
+ malformed.
+
+
+
+
+
+
+
+
+
+Jones, et al. Standards Track [Page 55]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ An example correspondence between unencoded and encoded values
+ follows. The octet sequence below encodes into the string below,
+ which when decoded, reproduces the octet sequence.
+
+ 3 236 255 224 193
+ A-z_4ME
+
+Appendix D. Notes on Key Selection
+
+ This appendix describes a set of possible algorithms for selecting
+ the key to be used to validate the digital signature or MAC of a JWS
+ or for selecting the key to be used to decrypt a JWE. This guidance
+ describes a family of possible algorithms rather than a single
+ algorithm, because in different contexts, not all the sources of keys
+ will be used, they can be tried in different orders, and sometimes
+ not all the collected keys will be tried; hence, different algorithms
+ will be used in different application contexts.
+
+ The steps below are described for illustration purposes only;
+ specific applications can and are likely to use different algorithms
+ or perform some of the steps in different orders. Specific
+ applications will frequently have a much simpler method of
+ determining the keys to use, as there may be one or two key selection
+ methods that are profiled for the application's use. This appendix
+ supplements the normative information on key location in Section 6.
+
+ These algorithms include the following steps. Note that the steps
+ can be performed in any order and do not need to be treated as
+ distinct. For example, keys can be tried as soon as they are found,
+ rather than collecting all the keys before trying any.
+
+ 1. Collect the set of potentially applicable keys. Sources of keys
+ may include:
+
+ * Keys supplied by the application protocol being used.
+
+ * Keys referenced by the "jku" (JWK Set URL) Header Parameter.
+
+ * The key provided by the "jwk" (JSON Web Key) Header Parameter.
+
+ * The key referenced by the "x5u" (X.509 URL) Header Parameter.
+
+ * The key provided by the "x5c" (X.509 certificate chain) Header
+ Parameter.
+
+ * Other applicable keys available to the application.
+
+
+
+
+
+Jones, et al. Standards Track [Page 56]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+ The order for collecting and trying keys from different key
+ sources is typically application dependent. For example,
+ frequently, all keys from a one set of locations, such as local
+ caches, will be tried before collecting and trying keys from
+ other locations.
+
+ 2. Filter the set of collected keys. For instance, some
+ applications will use only keys referenced by "kid" (key ID) or
+ "x5t" (X.509 certificate SHA-1 thumbprint) parameters. If the
+ application uses the JWK "alg" (algorithm), "use" (public key
+ use), or "key_ops" (key operations) parameters, keys with
+ inappropriate values of those parameters would be excluded.
+ Additionally, keys might be filtered to include or exclude keys
+ with certain other member values in an application-specific
+ manner. For some applications, no filtering will be applied.
+
+ 3. Order the set of collected keys. For instance, keys referenced
+ by "kid" (key ID) or "x5t" (X.509 certificate SHA-1 thumbprint)
+ parameters might be tried before keys with neither of these
+ values. Likewise, keys with certain member values might be
+ ordered before keys with other member values. For some
+ applications, no ordering will be applied.
+
+ 4. Make trust decisions about the keys. Signatures made with keys
+ not meeting the application's trust criteria would not be
+ accepted. Such criteria might include, but is not limited to,
+ the source of the key, whether the TLS certificate validates for
+ keys retrieved from URLs, whether a key in an X.509 certificate
+ is backed by a valid certificate chain, and other information
+ known by the application.
+
+ 5. Attempt signature or MAC validation for a JWS or decryption of a
+ JWE with some or all of the collected and possibly filtered and/
+ or ordered keys. A limit on the number of keys to be tried might
+ be applied. This process will normally terminate following a
+ successful validation or decryption.
+
+ Note that it is reasonable for some applications to perform signature
+ or MAC validation prior to making a trust decision about a key, since
+ keys for which the validation fails need no trust decision.
+
+
+
+
+
+
+
+
+
+
+
+Jones, et al. Standards Track [Page 57]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+Appendix E. Negative Test Case for "crit" Header Parameter
+
+ Conforming implementations must reject input containing critical
+ extensions that are not understood or cannot be processed. The
+ following JWS must be rejected by all implementations, because it
+ uses an extension Header Parameter name "http://example.invalid/
+ UNDEFINED" that they do not understand. Any other similar input, in
+ which the use of the value "http://example.invalid/UNDEFINED" is
+ substituted for any other Header Parameter name not understood by the
+ implementation, must also be rejected.
+
+ The JWS Protected Header value for this JWS is:
+
+ {"alg":"none",
+ "crit":["http://example.invalid/UNDEFINED"],
+ "http://example.invalid/UNDEFINED":true
+ }
+
+ The complete JWS that must be rejected is as follows (with line
+ breaks for display purposes only):
+
+ eyJhbGciOiJub25lIiwNCiAiY3JpdCI6WyJodHRwOi8vZXhhbXBsZS5jb20vVU5ERU
+ ZJTkVEIl0sDQogImh0dHA6Ly9leGFtcGxlLmNvbS9VTkRFRklORUQiOnRydWUNCn0.
+ RkFJTA.
+
+Appendix F. Detached Content
+
+ In some contexts, it is useful to integrity-protect content that is
+ not itself contained in a JWS. One way to do this is to create a JWS
+ in the normal fashion using a representation of the content as the
+ payload but then delete the payload representation from the JWS and
+ send this modified object to the recipient rather than the JWS. When
+ using the JWS Compact Serialization, the deletion is accomplished by
+ replacing the second field (which contains BASE64URL(JWS Payload))
+ value with the empty string; when using the JWS JSON Serialization,
+ the deletion is accomplished by deleting the "payload" member. This
+ method assumes that the recipient can reconstruct the exact payload
+ used in the JWS. To use the modified object, the recipient
+ reconstructs the JWS by re-inserting the payload representation into
+ the modified object and uses the resulting JWS in the usual manner.
+ Note that this method needs no support from JWS libraries, as
+ applications can use this method by modifying the inputs and outputs
+ of standard JWS libraries.
+
+
+
+
+
+
+
+
+Jones, et al. Standards Track [Page 58]
+
+RFC 7515 JSON Web Signature (JWS) May 2015
+
+
+Acknowledgements
+
+ Solutions for signing JSON content were previously explored by Magic
+ Signatures [MagicSignatures], JSON Simple Sign [JSS], and Canvas
+ Applications [CanvasApp], all of which influenced this document.
+
+ Thanks to Axel Nennker for his early implementation and feedback on
+ the JWS and JWE specifications.
+
+ This specification is the work of the JOSE working group, which
+ includes dozens of active and dedicated participants. In particular,
+ the following individuals contributed ideas, feedback, and wording
+ that influenced this specification:
+
+ Dirk Balfanz, Richard Barnes, Brian Campbell, Alissa Cooper, Breno de
+ Medeiros, Stephen Farrell, Yaron Y. Goland, Dick Hardt, Joe
+ Hildebrand, Jeff Hodges, Russ Housley, Edmund Jay, Tero Kivinen, Ben
+ Laurie, Ted Lemon, James Manger, Matt Miller, Kathleen Moriarty, Tony
+ Nadalin, Hideki Nara, Axel Nennker, John Panzer, Ray Polk, Emmanuel
+ Raviart, Eric Rescorla, Pete Resnick, Jim Schaad, Paul Tarjan, Hannes
+ Tschofenig, and Sean Turner.
+
+ Jim Schaad and Karen O'Donoghue chaired the JOSE working group and
+ Sean Turner, Stephen Farrell, and Kathleen Moriarty served as
+ Security Area Directors during the creation of this specification.
+
+Authors' Addresses
+
+ Michael B. Jones
+ Microsoft
+
+ EMail: mbj@microsoft.com
+ URI: http://self-issued.info/
+
+
+ John Bradley
+ Ping Identity
+
+ EMail: ve7jtb@ve7jtb.com
+ URI: http://www.thread-safe.com/
+
+
+ Nat Sakimura
+ Nomura Research Institute
+
+ EMail: n-sakimura@nri.co.jp
+ URI: http://nat.sakimura.org/
+
+
+
+
+Jones, et al. Standards Track [Page 59]
+