2.7 PublicJWK Object

This object represents an asymmetric public key and any certificates associated with it. This is a JWK object, as defined by RFC 7517. Some JWK member specifications are repeated below for easy reference along with expectations for specific models of secure elements.

The following definition is for elliptic curve public keys, supported by the CryptoAuthentication family of secure elements.

{
  "kid": "0",
  "kty": "EC",
  "crv": "P-256",
  "x": BASE64URL(X),
  "y": BASE64URL(Y),
  "x5c": [ BASE64(cert), ... ]
}

The following JWK fields required for elliptic curve public keys are defined in RFC 7518 section 6.2.1:

kid
Key ID string. It uniquely identifies this key on the secure element. For CryptoAuthentication secure elements, this will be the slot number of the corresponding private key.
kty
Key type. CryptoAuthentication secure elements only support EC public keys, as defined in RFC 7518 section 6.1.
crv
For elliptic curve keys, this is the curve name. CryptoAuthentication secure elements only support the P-256 curve, as defined in RFC 7518 section 6.2.1.1.
x
For elliptic curve keys, this is the encoded public key X integer, as defined in RFC 7518 section 6.2.1.2.
y
For elliptic curve keys, this is the encoded public key Y integer, as defined in RFC 7518 section 6.2.1.3.
x5c
If the public key has a certificate associated with it, that certificate will be found at the first position in this array. Subsequent certificates in the array will be the CA certificates used to validate the previous one. Certificates will be BASE64 encoded (not BASE64URL) strings of the DER certificate. This is defined in RFC 7517 section 4.7.