io.jsonwebtoken.security

Interface X509Accessor

All Known Subinterfaces:

AsymmetricJwk<K>, EcPrivateJwk, EcPublicJwk, JweHeader, JwsHeader, OctetPrivateJwk<K,L>, OctetPublicJwk<K>, PrivateJwk<K,L,M>, ProtectedHeader, PublicJwk<K>, RsaPrivateJwk, RsaPublicJwk

public interface X509Accessor

Accessor methods of X.509-specific properties of a ProtectedHeader or AsymmetricJwk, guaranteeing consistent behavior across similar but distinct JWT concepts with identical parameter names.

Since:

0.12.0

See Also:

ProtectedHeader, AsymmetricJwk

Method Summary

Methods

Modifier and Type	Method and Description
List<X509Certificate>	getX509Chain() Returns the associated x5c (X.509 Certificate Chain), or null if not present.
byte[]	getX509Sha1Thumbprint() Returns the x5t (X.509 Certificate SHA-1 Thumbprint) (a.k.a.
byte[]	getX509Sha256Thumbprint() Returns the x5t#S256 (X.509 Certificate SHA-256 Thumbprint) (a.k.a.
URI	getX509Url() Returns the x5u (X.509 URL) that refers to a resource for the associated X.509 public key certificate or certificate chain, or null if not present.

Method Detail

getX509Url

URI getX509Url()

Returns the x5u (X.509 URL) that refers to a resource for the associated X.509 public key certificate or certificate chain, or null if not present.

When present, the URI MUST refer to a resource for an X.509 public key certificate or certificate chain that conforms to RFC 5280 in PEM-encoded form, with each certificate delimited as specified in Section 6.1 of RFC 4945. The key in the first certificate MUST match the public key represented by other members of the associated ProtectedHeader or JWK. The protocol used to acquire the resource MUST provide integrity protection; an HTTP GET request to retrieve the certificate MUST use HTTP over TLS; the identity of the server MUST be validated, as per Section 6 of RFC 6125.

• When present in a JwsHeader, the certificate or first certificate in the chain corresponds the public key complement of the private key used to digitally sign the JWS.
• When present in a JweHeader, the certificate or certificate chain corresponds to the public key to which the JWE was encrypted, and may be used to determine the private key needed to decrypt the JWE.
• When present in an AsymmetricJwk, the certificate or first certificate in the chain MUST contain the public key represented by the JWK.

Returns:

the x5u (X.509 URL) that refers to a resource for the associated X.509 public key certificate or certificate chain.

See Also:

JWK {@code x5u} (X.509 URL) Parameter, JWS {@code x5u} (X.509 URL) Header Parameter, JWE {@code x5u} (X.509 URL) Header Parameter

getX509Chain

List<X509Certificate> getX509Chain()

Returns the associated x5c (X.509 Certificate Chain), or null if not present. The initial certificate MAY be followed by additional certificates, with each subsequent certificate being the one used to certify the previous one.

• When present in a JwsHeader, the first certificate (at list index 0) MUST contain the public key complement of the private key used to digitally sign the JWS.
• When present in a JweHeader, the first certificate (at list index 0) MUST contain the public key to which the JWE was encrypted, and may be used to determine the private key needed to decrypt the JWE.
• When present in an AsymmetricJwk, the first certificate (at list index 0) MUST contain the public key represented by the JWK.

Returns:

the associated x5c (X.509 Certificate Chain), or null if not present.

See Also:

JWK x5c (X.509 Certificate Chain) Parameter, JWS x5c (X.509 Certificate Chain) Header Parameter, JWE x5c (X.509 Certificate Chain) Header Parameter

getX509Sha1Thumbprint

byte[] getX509Sha1Thumbprint()

Returns the x5t (X.509 Certificate SHA-1 Thumbprint) (a.k.a. digest) of the DER-encoding of the associated X.509 Certificate, or null if not present.

Note that certificate thumbprints are also sometimes known as certificate fingerprints.

• When present in a JwsHeader, it is the SHA-1 thumbprint of the X.509 certificate complement of the private key used to digitally sign the JWS.
• When present in a JweHeader, it is the SHA-1 thumbprint of the X.509 Certificate containing the public key to which the JWE was encrypted, and may be used to determine the private key needed to decrypt the JWE.
• When present in an AsymmetricJwk, it is the SHA-1 thumbprint of the X.509 certificate containing the public key represented by the JWK.

Returns:

the x5t (X.509 Certificate SHA-1 Thumbprint) (a.k.a. digest) of the DER-encoding of the associated X.509 Certificate, or null if not present

See Also:

JWK x5t (X.509 Certificate SHA-1 Thumbprint) Parameter, JWS x5t (X.509 Certificate SHA-1 Thumbprint) Header Parameter, JWE x5t (X.509 Certificate SHA-1 Thumbprint) Header Parameter

getX509Sha256Thumbprint

byte[] getX509Sha256Thumbprint()

Returns the x5t#S256 (X.509 Certificate SHA-256 Thumbprint) (a.k.a. digest) of the DER-encoding of the associated X.509 Certificate, or null if not present.

Note that certificate thumbprints are also sometimes known as certificate fingerprints.

• When present in a JwsHeader, it is the SHA-256 thumbprint of the X.509 certificate complement of the private key used to digitally sign the JWS.
• When present in a JweHeader, it is the SHA-256 thumbprint of the X.509 Certificate containing the public key to which the JWE was encrypted, and may be used to determine the private key needed to decrypt the JWE.
• When present in an AsymmetricJwk, it is the SHA-256 thumbprint of the X.509 certificate containing the public key represented by the JWK.

Returns:

the x5t#S256 (X.509 Certificate SHA-256 Thumbprint) (a.k.a. digest) of the DER-encoding of the associated X.509 Certificate, or null if not present

See Also:

JWK x5t#S256 (X.509 Certificate SHA-256 Thumbprint) Parameter, JWS x5t#S256 (X.509 Certificate SHA-256 Thumbprint) Header Parameter, JWE x5t#S256 (X.509 Certificate SHA-256 Thumbprint) Header Parameter