JWKS Specification Compliance Assessment

RFC 7517 (JSON Web Key) Compliance Analysis

Last Updated: September 22, 2025
Compliance Status: ✅ FULLY COMPLIANT

✅ Compliant Features

  1. Required Parameters:
     - kty parameter is properly required and validated
     - ✅ All standard JWK parameters are supported with case-sensitive handling

  2. Key Type Support:
     - ✅ RSA keys with required n and e parameters validation
     - ✅ EC keys with required crv, x, and y parameters validation
     - ✅ Symmetric keys with required k parameter validation (allows empty string)

  3. Optional Parameters:
     - ✅ All standard optional parameters are supported (use, key_ops, alg, kid)
     - ✅ X.509 certificate parameters (x5u, x5c, x5t, x5t#S256)
     - ✅ Private key parameters for RSA and EC keys
     - ✅ Proper parameter name mapping for x5t#S256 ↔ x5t_s256

  4. Parameter Validation (RFC 7517 Section 4 Compliance):
     - use parameter values validated ("sig", "enc", or URI)
     - key_ops parameter values validated against RFC 7517 Section 4.3
     - ✅ Mutual exclusivity validation between use and key_ops parameters

  5. Algorithm and Curve Support (RFC 7518 Compliance):
     - ✅ EC curve validation for supported curves (P-256, P-384, P-521, secp256k1)
     - ✅ Key type specific parameter validation

  6. Base64URL Encoding:
     - ✅ Proper base64url decoding implementation
     - ✅ Correct padding handling for all encoded parameters

  7. JSON Serialization (RFC 7517 Compliance):
     - ✅ Case-sensitive parameter name handling
     - ✅ Proper JWK parameter name serialization/deserialization
     - x5t#S256 parameter correctly mapped to/from x5t_s256 field

  8. Key Properties and Utilities:
     - ✅ Private key detection for RSA and EC keys
     - ✅ Key size calculation for all key types
     - ✅ Dictionary conversion with proper parameter names
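
The checks listed above, written out as a stand-alone validator. This is an added example, not the assessed project's code: validate_jwk, b64url_decode, the error strings, the rejection of "=" padding and the scheme-based URI test for use are assumptions.

```python
import base64
import re
from urllib.parse import urlparse

# Curves and use values as listed on this page; key_ops values from RFC 7517 Section 4.3.
REQUIRED = {"RSA": ("n", "e"), "EC": ("crv", "x", "y"), "oct": ("k",)}
CURVES = {"P-256", "P-384", "P-521", "secp256k1"}
KEY_OPS = set("sign verify encrypt decrypt wrapKey unwrapKey deriveKey deriveBits".split())
# Constructed sample: well-formed coordinates, not a real point on P-256.
SAMPLE_EC = {"kty": "EC", "crv": "P-256", "x": "A" * 43, "y": "A" * 43, "use": "sig"}


def b64url_decode(value):
    """Decode unpadded base64url; '=' padding is rejected (assumption)."""
    if not re.fullmatch(r"[A-Za-z0-9_-]*", value):
        raise ValueError("character outside the base64url alphabet")
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def validate_jwk(jwk):
    """Return a list of problems; an empty list means every check passed."""
    kty = jwk.get("kty")  # member names are case-sensitive: "KTY" is not kty
    if not isinstance(kty, str) or kty not in REQUIRED:
        return [f"missing or unsupported kty: {kty!r}"]
    errors = []
    for name in REQUIRED[kty]:
        value = jwk.get(name)
        if not isinstance(value, str):
            errors.append(f"{kty} key requires {name}")
        elif name == "crv" and value not in CURVES:
            errors.append(f"unsupported curve: {value}")
        elif name != "crv":
            try:
                b64url_decode(value)  # "" decodes to b"", so an empty k passes
            except ValueError:
                errors.append(f"{name} is not valid base64url")
    use, ops = jwk.get("use"), jwk.get("key_ops")
    if use is not None and ops is not None:
        # The page's rule; RFC 7517 itself only says SHOULD NOT for this pair.
        errors.append("use and key_ops are mutually exclusive")
    if use is not None and use not in ("sig", "enc"):
        if not (isinstance(use, str) and urlparse(use).scheme):
            errors.append(f"invalid use: {use!r}")
    if ops is not None:
        if not isinstance(ops, list) or len(set(map(str, ops))) != len(ops):
            errors.append("key_ops must be an array without duplicates")
        elif any(str(op) not in KEY_OPS for op in ops):
            errors.append("key_ops contains a value outside RFC 7517 Section 4.3")
    return errors
```

The validator checks structure only; it does not confirm that EC coordinates lie on the named curve or that key sizes are adequate.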

✅ Previously Non-Compliant Issues - Now Fixed

  1. Case Sensitivity - RESOLVED:
     - from_json() method now preserves case-sensitive parameter names
     - ✅ Removed lowercase conversion that violated RFC 7517 Section 4
     - ✅ Standard JWK JSON compatibility restored

  2. JSON Serialization - RESOLVED:
     - to_json() method uses proper JWK parameter names
     - x5t_s256 field correctly serializes as x5t#S256
     - ✅ All parameter names match RFC 7517 exactly

  3. Parameter Validation - RESOLVED:
     - use parameter validation implemented ("sig", "enc", or custom URI)
     - key_ops parameter validation against RFC 7517 Section 4.3 values
     - ✅ Mutual exclusivity check between use and key_ops implemented

  4. Algorithm Support - RESOLVED:
     - ✅ EC curve validation implemented per RFC 7518
     - ✅ Supported curves: P-256, P-384, P-521, secp256k1
     - ✅ Invalid curve detection with proper error messages

📊 Implementation Coverage Assessment

Core Requirements: ✅ Implemented
- ✅ Required kty parameter validation
- ✅ Key type specific parameter requirements
- ✅ Case-sensitive parameter handling
- ✅ Proper JSON serialization/deserialization

Parameter Validation: ✅ Implemented
- ✅ use parameter value validation
- ✅ key_ops parameter value validation
- ✅ Mutual exclusivity validation
- ✅ Key type specific validation (RSA, EC, symmetric)

Algorithm Support: ✅ Implemented
- ✅ RFC 7518 curve validation for EC keys
- ✅ Key type validation for all supported types
- ✅ Parameter format validation

JSON Handling: ✅ Implemented
- ✅ RFC 7517 compliant parameter names
- ✅ Case-sensitive parameter handling
- ✅ Proper x5t#S256 parameter mapping
- ✅ Error handling for invalid JSON

Overall: ✅ All required behaviors from RFC 7517 (JSON Web Key) are implemented. Not yet verified through an official certification process.