You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
"description": "This schema defines the JSON Signature Scheme (JSS) signature object. The JSS signature object is a JSON object that contains a signature of a JSON object. The JSS signature object is used to sign a JSON object and is defined in the JSON Signature Scheme (JSS) specification, X.590, available at https://www.itu.int/rec/T-REC-X.590-202310-I/en",
6
+
"properties": {
7
+
"signatures": {
8
+
"description": "An array of JSS signature objects.",
9
+
"type": "array",
10
+
"items": {
11
+
"$ref": "#/$defs/signature"
12
+
}
13
+
}
14
+
},
15
+
"$defs": {
16
+
"signature": {
17
+
"type": "object",
18
+
"required": [
19
+
"hash_algorithm",
20
+
"algorithm",
21
+
"value"
22
+
],
23
+
"oneOf": [
24
+
{
25
+
"required": [
26
+
"public_key"
27
+
]
28
+
},
29
+
{
30
+
"required": [
31
+
"public_cert_chain"
32
+
]
33
+
},
34
+
{
35
+
"required": [
36
+
"cert_url"
37
+
]
38
+
},
39
+
{
40
+
"required": [
41
+
"thumbprint"
42
+
]
43
+
}
44
+
],
45
+
"properties": {
46
+
"id": {
47
+
"description": "A value that uniquely identifies the signature. All signatures with the same ID are considered different versions of the same signature and the version of the signature is identified by its modified property.",
48
+
"examples": [
49
+
"123e4567-e89b-12d3-a456-426614174000"
50
+
],
51
+
"$ref": "#/$defs/identifier"
52
+
},
53
+
"type": {
54
+
"description": "The value of this property MUST be jss.",
55
+
"const": "x590"
56
+
},
57
+
"algorithm": {
58
+
"description": "This property identifies the algorithm that was used to sign the JSON data and is a case-sensitive ASCII string. The value for this property SHOULD come from the signature-algorithm-type-ov vocabulary (see clause 6.2.2) and SHOULD be a current and widely accepted quantum safe algorithm, but MAY use any currently accepted safe algorithm. NOTE – At the time of this writing quantum safe algorithms could come from those defined in XMSS [IETF RFC 8391] section 5.3 or LMS [IETF RFC 8554] section 5.1 and other algorithms could come from those defined in JWA [IETF RFC 7518] section 3.1 or [IETF RFC 8037] section 3.1 (see the table below for a list of values from those RFCs). [para] While JWA [IETF RFC 7518] section 3.1 defines the following symmetric algorithms: HS256, HS384, and HS512, these algorithms SHOULD NOT be used. If one of these three symmetric algorithms is used, the sharing and transmission of those keys is out of scope for this Recommendation.",
59
+
"examples": [
60
+
"XMSS-SHA2_10_256",
61
+
"XMSS-SHA2_16_256",
62
+
"XMSS-SHA2_20_256",
63
+
"LMS_SHA256_M32_H5",
64
+
"LMS_SHA256_M32_H10",
65
+
"LMS_SHA256_M32_H15",
66
+
"LMS_SHA256_M32_H20",
67
+
"LMS_SHA256_M32_H25",
68
+
"RS256",
69
+
"RS384",
70
+
"RS512",
71
+
"ES256",
72
+
"ES384",
73
+
"ES512",
74
+
"PS256",
75
+
"PS384",
76
+
"PS512",
77
+
"Ed25519",
78
+
"Ed448"
79
+
],
80
+
"type": "string"
81
+
},
82
+
"cert_url": {
83
+
"description": "This property contains a uniform resource identifier (URI) [IETF RFC 3986] that refers to a resource for an X.509 public key certificate or certificate chain [IETF RFC 5280] for the algorithm selected in the algorithm property and MUST follow the requirements defined in section 4.6 of [IETF RFC 7517] as quoted here. \"The identified resource MUST provide a representation of the certificate or certificate chain that conforms to RFC 5280 [IETF RFC 5280] in PEM-encoded form, with each certificate delimited as specified in section 6.1 of RFC 4945 [IETF RFC 4945]. The key in the first certificate MUST match the public key. The protocol used to acquire the resource MUST provide integrity protection; an HTTP GET request to retrieve the certificate MUST use TLS [IETF RFC 2818] [IETF RFC 5246]; the identity of the server MUST be validated, as per section 6 of RFC 6125 [IETF RFC 6125].\" This property is called \"x5u\" in section 4.6 of [IETF RFC 7517].",
84
+
"examples": [
85
+
""
86
+
],
87
+
"type": "string",
88
+
"format": "uri"
89
+
},
90
+
"created": {
91
+
"description": "The time at which this signature was originally created. The creator can use any time it deems most appropriate as the time the signature was created, but it MUST be precise to the nearest millisecond (exactly three digits after the decimal place in seconds). The created property MUST NOT be changed when creating a new version of the signature.",
92
+
"$ref": "#/$defs/timestamp"
93
+
},
94
+
"hash_algorithm": {
95
+
"description": "This property identifies the hashing algorithm, as defined by the Internet Assigned Numbers Authority (IANA)…, that was used to hash the JCS version of the full JSON object (JSON Object + JSS Signature) and is a case-sensitive ASCII string. Implementations MAY use any current and widely accepted hashing algorithm (e.g., sha-256, sha-512) that is defined in the IANA registry. The actual signing process, defined in the algorithm property, sometimes uses an internal hashing algorithm inside the signing process itself, this property MAY identify the same hashing algorithm as the signing process or MAY identify a different hashing algorithm.",
96
+
"examples": [
97
+
"sha-256",
98
+
"sha-512"
99
+
],
100
+
"type": "string"
101
+
},
102
+
"modified": {
103
+
"description": "The time that this particular version of the signature was last modified. The creator can use any time it deems most appropriate as the time that this version of the signature was modified, but it MUST be precise to the nearest millisecond (exactly three digits after the decimal place in seconds). The modified property MUST be later than or equal to the value of the created property. If the created and modified properties are the same, then this is the first version of the signature.",
104
+
"$ref": "#/$defs/timestamp"
105
+
},
106
+
"public_cert_chain": {
107
+
"description": "This property contains a public key certificate for the algorithm selected in the algorithm property and MUST follow the requirements defined in section 4.7 of [IETF RFC 7517] as quoted here. This property \"contains a chain (X.509 certificate chain) of one or more PKIX certificates [IETF RFC 5280]. The certificate chain is represented as a JSON array of certificate value strings. Each string in the array is a base64-encoded (section 4 of [IETF RFC 4648] – not base64URL.encoded) DER [b-ITU-T X.690] PKIX certificate value. The PKIX certificate containing the key value MUST be the first certificate. This MAY be followed by additional certificates, with each subsequent certificate being the one used to certify the previous one. The key in the first certificate MUST match the public key.\" This property is called \"x5c\" in section 4.7 of [IETF RFC 7517].",
108
+
"type": "array",
109
+
"items": {
110
+
"type": "string",
111
+
"contentEncoding": "base64url"
112
+
}
113
+
},
114
+
"public_key": {
115
+
"description": "This property contains a privacy enhanced mail (PEM) encoded public key without the header and footer for the algorithm selected in the algorithm property.",
116
+
"type": "string",
117
+
"contentEncoding": "base64url"
118
+
},
119
+
"related_to": {
120
+
"description": "A value that can identify the original JSON object that was signed with this signature. If the signature is detached from the original JSON object this property SHOULD be populated.",
121
+
"type": "string"
122
+
},
123
+
"related_version": {
124
+
"description": "A value that can identify the version of the original JSON object that was signed with this signature. If the signature is detached from the original JSON object this property SHOULD be populated.",
125
+
"type": "string"
126
+
},
127
+
"revoked": {
128
+
"description": "A boolean that identifies if the signature creator deems that this signature is no longer valid. The default value is false.",
129
+
"default": false,
130
+
"type": "boolean"
131
+
},
132
+
"signatures": {
133
+
"type": "array",
134
+
"items": {
135
+
"$ref": "#/$defs/signature"
136
+
}
137
+
},
138
+
"signee": {
139
+
"description": "An unstructured string value for the name of the entity or organization that produced this signature.",
140
+
"type": "string"
141
+
},
142
+
"thumbprint": {
143
+
"description": "This property contains a fingerprint of a public key or public key certificate for the algorithm selected in the algorithm property and MUST follow the requirements defined in section 4.9 of [IETF RFC 7517] as quoted here. This property \"is a base64URL.encoded SHA-256 thumbprint (a.k.a. digest, X.509 certificate SHA-256 thumbprint) of the DER encoding of an X.509 certificate [IETF RFC 5280]. Note that certificate thumbprints are also sometimes known as certificate fingerprints. The key in the certificate MUST match the public key.\" This property is called \"x5t#S256\" in section 4.9 of [IETF RFC 7517].",
144
+
"examples": [
145
+
""
146
+
],
147
+
"type": "string",
148
+
"contentEncoding": "base64url"
149
+
},
150
+
"valid_from": {
151
+
"description": "The time from which this signature is considered valid. If omitted, the signature is valid at all times or until the timestamp defined by valid_until. If the revoked property is true then this property MUST be ignored.",
152
+
"$ref": "#/$defs/timestamp"
153
+
},
154
+
"valid_until": {
155
+
"description": "The time at which this signature is no longer considered valid. If the valid_until property is omitted, then there is no constraint on the latest time for which the signature is valid. This property MUST be greater than the timestamp in the valid_from property if the valid_from property is defined. If the revoked property is true then this property MUST be ignored.",
156
+
"$ref": "#/$defs/timestamp"
157
+
},
158
+
"value": {
159
+
"description": "A base64URL.encoded signature that was created using the signature algorithm defined in the algorithm property and a key. In pseudo code it is defined as: base64URL.encode(sign(algorithm, key, hash(jcs(<JSONObject with Signature Object>)))).",
160
+
"examples": [
161
+
""
162
+
],
163
+
"type": "string",
164
+
"contentEncoding": "base64url"
165
+
}
166
+
}
167
+
},
168
+
"identifier": {
169
+
"description": "The identifier data type represents an RFC 4122-compliant universally unique identifier (UUID) [IETF RFC 4122] and uses the JSON string type [IETF RFC 8259] for serialization.",
"description": "The timestamp data type represents dates and times and uses the JSON string type [IETF RFC 8259] for serialization. The timestamp data MUST be a valid RFC 3339-formatted timestamp [IETF RFC 3339] using the format yyyy-mm-ddThh:mm:ss[.s+]Z where the \"s+\" represents 1 or more sub-second values. The brackets denote that sub-second precision is optional, and that if no digits are provided, the decimal place MUST NOT be present. The timestamp MUST be represented in the UTC+0 time zone and MUST use the \"Z\" designation to indicate this. Additional requirements may be defined where this data type is used.",
0 commit comments