Skip to content
Advertisement

What fields do I verify in a x509 (as x5c header in a JWS) to prove legitimacy of the Certificate?

I’ve already posted a similar question here, but I’ve realized that my issue could have more to do with x509 certificate rather than JWS in general.

Here’s the thing, I’m pretty new to JWS, and Apple now transmits them as part of their server-to-server communication. I’m trying to understand how to fully guarantee the validity of the JWS, because from what I understand, the signature verification only implies that the entire JWS wasn’t tampered with. I don’t know how to actually verify that this payload is indeed coming from a trusted source (aka Apple).

Here’s what I got so far (PHP):

JavaScript

Is there a specific field to check against inside the certificates (one that couldn’t be spoofed) to verify the identity/source of the JWS?

Thanks!

Advertisement

Answer

Thanks to @IMSoP for pointing me in the right direction. When a JWS contains a chain of certificates (x5c header), we’re supposed to have a copy of these valid certificates (or at least the root, since it validates the rest of the chain). In my case, I could find them on Apple’s website.

Once you download them, it’s as easy as:

JavaScript
User contributions licensed under: CC BY-SA
10 People found this is helpful
Advertisement