Closed ottokruse closed 5 years ago
This library uses the jws library, which does not support it. From its readme:
This was developed against draft-ietf-jose-json-web-signature-08 and implements the entire spec except X.509 Certificate Chain signing/verifying (patches welcome).
Actually, that TODO should list more functionality from the JWS spec that is not supported: all x5... headers.
Anyway, a given JWT could have an x5c header (from the spec):
4.1.6. "x5c" (X.509 Certificate Chain) Header Parameter
The "x5c" (X.509 certificate chain) Header Parameter contains the X.509 public key certificate or certificate chain [RFC5280] corresponding to the key used to digitally sign the JWS. The certificate or certificate chain is represented as a JSON array of certificate value strings. Each string in the array is a base64-encoded (Section 4 of [RFC4648] -- not base64url-encoded) DER [ITU.X690.2008] PKIX certificate value. The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate. This MAY be followed by additional certificates, with each subsequent certificate being the one used to certify the previous one. The recipient MUST validate the certificate chain according to RFC 5280 [RFC5280] and consider the certificate or certificate chain to be invalid if any validation failure occurs. Use of this Header Parameter is OPTIONAL.
See Appendix B for an example "x5c" value.
This library won't do anything with that header: it will neither use the first item as the key to verify the signature nor verify the certificate chain.
It sounds scary that it is not checked, but I don't really grasp what is meant by it here.
Can you elaborate a little?
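A worked example of what the quoted spec paragraph asks a verifier to do, added here as an illustration; it is not code from the library under discussion, from jws, or from the issue author. It is written in Go because the standard library can both mint the test certificates and run RFC 5280 path validation offline (the library on this page is JavaScript). The CA, the leaf certificate, the "rogue" self-signed certificate, the ES256 algorithm choice and the token payloads are all constructed for the example. It shows the two steps the issue asks about, and why the second one matters: the signature is checked with the key from x5c[0], and the chain is validated against a trusted root. A token whose x5c contains an attacker's self-signed certificate has a perfectly valid signature under x5c[0], so a verifier that skips chain validation would accept any payload the attacker likes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Only the header fields this example needs; a real verifier parses the rest too.
type jwsHeader struct {
	Alg string   `json:"alg"`
	X5c []string `json:"x5c"`
}

// makeCert issues a certificate for pub, signed by parent with parentKey
// (self-signed when parent is nil). Constructed for the example only.
func makeCert(serial int64, cn string, pub *ecdsa.PublicKey, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// signJWS produces a compact ES256 JWS whose header carries the chain in x5c:
// leaf first, then each issuer, each as plain base64 (not base64url) DER, as the spec says.
func signJWS(payload []byte, key *ecdsa.PrivateKey, chain ...*x509.Certificate) (string, error) {
	hdr := jwsHeader{Alg: "ES256"}
	for _, c := range chain {
		hdr.X5c = append(hdr.X5c, base64.StdEncoding.EncodeToString(c.Raw))
	}
	hb, _ := json.Marshal(hdr)
	b64 := base64.RawURLEncoding
	signingInput := b64.EncodeToString(hb) + "." + b64.EncodeToString(payload)
	h := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r||s, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyJWSWithX5C is what the issue asks for: take the key from x5c[0], check the
// signature with it, and validate the chain in x5c against roots we already trust.
func verifyJWSWithX5C(token string, roots *x509.CertPool) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	b64 := base64.RawURLEncoding
	hb, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr jwsHeader
	if err := json.Unmarshal(hb, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "ES256" { // never let the token pick an algorithm you did not expect
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	if len(hdr.X5c) == 0 {
		return nil, errors.New("no x5c header")
	}
	var certs []*x509.Certificate
	for _, s := range hdr.X5c {
		der, err := base64.StdEncoding.DecodeString(s) // std base64, per the spec text
		if err != nil {
			return nil, err
		}
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	leaf, inter := certs[0], x509.NewCertPool()
	for _, c := range certs[1:] {
		inter.AddCert(c)
	}
	// RFC 5280 path validation: leaf must chain to a root we trust. The header alone
	// proves nothing, since anyone can put their own self-signed cert in x5c.
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, fmt.Errorf("x5c chain rejected: %w", err)
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("x5c[0] key is not ECDSA")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad ES256 signature encoding")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature does not verify under x5c[0]")
	}
	return b64.DecodeString(parts[1])
}

// runScenario builds a trusted CA, a leaf issued by it, and a rogue self-signed cert,
// then reports whether the genuine and the rogue token verify.
func runScenario() (genuineOK, rogueOK bool, payload string, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caCert, err := makeCert(1, "Example Root CA", &caKey.PublicKey, true, nil, caKey)
	if err != nil {
		return
	}
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafCert, err := makeCert(2, "token-issuer", &leafKey.PublicKey, false, caCert, caKey)
	if err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert) // the only trust anchor the verifier knows

	tok, err := signJWS([]byte(`{"sub":"alice"}`), leafKey, leafCert, caCert)
	if err != nil {
		return
	}
	out, err := verifyJWSWithX5C(tok, roots)
	if err != nil {
		return
	}
	genuineOK, payload = true, string(out)

	// Attacker: own key, own self-signed cert in x5c. The signature is valid under
	// x5c[0]; only chain validation stops this token.
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogueCert, err := makeCert(3, "token-issuer", &rogueKey.PublicKey, false, nil, rogueKey)
	if err != nil {
		return
	}
	rogueTok, err := signJWS([]byte(`{"sub":"admin"}`), rogueKey, rogueCert)
	if err != nil {
		return
	}
	_, rogueErr := verifyJWSWithX5C(rogueTok, roots)
	rogueOK = rogueErr == nil
	return
}

func main() {
	g, r, p, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine token verified: %v (payload %s)\nrogue self-signed x5c accepted: %v\n", g, p, r)
}
```

`Certificate.Verify` covers signatures, validity periods, basic constraints and name constraints along the path; a production verifier additionally needs revocation checking and should pin which issuer, not just which root, is allowed to sign tokens for it.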