2.7 PublicJWK Object
The PublicJWK object represents an asymmetric public key and any associated certificates. This is a JWK object, as defined in RFC 7517. For convenience, key JWK member specifications are summarized below, along with expectations for specific secure sub-system device models.
The following definitions apply to elliptic curve public keys supported by the CryptoAuthentication™ and CryptoAutomotive™ secure sub-systems. However, the definitions are structured to work for other secure sub-systems as well.
NIST P-224
{
"kid": "0",
"kty": "EC",
"crv": "P-224",
"x": BASE64URL(x),
"y": BASE64URL(y),
"x5c": [ BASE64(cert), ... ]
}NIST P-256
{
"kid": "0",
"kty": "EC",
"crv": "P-256",
"x": BASE64URL(x),
"y": BASE64URL(y),
"x5c": [ BASE64(cert), ... ]
}NIST P-384
{
"kid": "0",
"kty": "EC",
"crv": "P-384",
"x": BASE64URL(x),
"y": BASE64URL(y),
"x5c": [ BASE64(cert), ... ]
}NIST P-521
{
"kid": "0",
"kty": "EC",
"crv": "P-521",
"x": BASE64URL(x),
"y": BASE64URL(y),
"x5c": [ BASE64(cert), ... ]
}Secp256k1 (Bitcoin/Blockchain)
{
"kid": "0",
"kty": "EC",
"crv": "secp256k1",
"x": BASE64URL(x),
"y": BASE64URL(y),
"x5c": [ BASE64(cert), ... ]
}Brainpool 256-bit
{
"kid": "0",
"kty": "EC",
"crv": "brainpoolP256r1",
"x": BASE64URL(x),
"y": BASE64URL(y),
"x5c": [ BASE64(cert), ... ]
}Brainpool 384-bit
{
"kid": "0",
"kty": "EC",
"crv": "brainpoolP384r1",
"x": BASE64URL(x),
"y": BASE64URL(y),
"x5c": [ BASE64(cert), ... ]
}Brainpool 512-bit
{
"kid": "0",
"kty": "EC",
"crv": "brainpoolP512r1",
"x": BASE64URL(x),
"y": BASE64URL(y),
"x5c": [ BASE64(cert), ... ]
}The following JWK fields, required for elliptic curve public keys, are defined in RFC 7518 section 6.2.1:
| kid | Key ID string that uniquely identifies this key on the secure sub-system device. For CryptoAuthentication™ secure sub-system devices (currently ATECC608, ECC204 and ECC206) and CryptoAutomotive™ secure sub-system devices (currently TA010), this will be the slot number of the corresponding private key. For CryptoAutomotive™ secure sub-system devices (currently TA100 and TA101), this will be the data source name of the corresponding data source defined in the secure sub-system device's secure key provisioning service configuration file. |
| kty | The EC public key type. |
| crv | For elliptic curve keys, this is the curve name as defined in RFC 7518 section 6.2.1.1. |
| x | For elliptic curve keys, this is the encoded public key X integer, as defined in RFC 7518 section 6.2.1.2. |
| y | For elliptic curve keys, this is the encoded public key Y integer, as defined in RFC 7518 section 6.2.1.3. |
| x5c | If the public key has an associated certificate, it will appear as the first element in this array. Subsequent certificates in the array will be the CA certificates used to validate the previous one. Certificates will be BASE64 encoded (not BASE64URL) strings of the DER certificate. This is defined in RFC 7517 section 4.7. |
The following definitions apply to octet key pairs supported by the CryptoAutomotive™ secure sub-system devices. However, the definitions are structured to work for other secure sub-systems as well. The JWT octet key pair object is defined in RFC 8037 section 3.1.
Ed25519
{
"kid": "0",
"kty": "OKP",
"crv": "Ed25519",
"x": BASE64URL(x),
"x5c": [ BASE64(cert), ... ]
}Ed448
{
"kid": "0",
"kty": "OKP",
"crv": "Ed448",
"x": BASE64URL(x),
"x5c": [ BASE64(cert), ... ]
}X25519
{
"kid": "0",
"kty": "OKP",
"crv": "X25519",
"x": BASE64URL(x),
"x5c": [ BASE64(cert), ... ]
}X448
{
"kid": "0",
"kty": "OKP",
"crv": "X448",
"x": BASE64URL(x),
"x5c": [ BASE64(cert), ... ]
}The following JWK fields, required for octet key pair public keys, are defined in RFC 8037 section 2:
| kid | Key ID string that uniquely identifies this key on the secure sub-system device. For CryptoAuthentication™ secure sub-system devices, this will be the slot number of the corresponding private key. For CryptoAutomotive™ secure sub-system devices, this will be the data source name of the corresponding data source defined in the secure sub-system device's secure key provisioning service configuration file. |
| kty | The public key type. |
| crv | The key subtype. |
| x | The encoded complete public key (curve point (x,y)), as defined in RFC 8032 section 5.1.2. |
| x5c | If the public key has an associated certificate, it will appear as the first element in this array. Subsequent certificates in the array will be the CA certificates used to validate the previous one. Certificates will be BASE64 encoded (not BASE64URL) strings of the DER certificate. This is defined in RFC 7517 section 4.7. |
The following definitions apply to RSA public keys supported by the CryptoAutomotive™ secure sub-system devices. However, the definitions are structured to work for other secure sub-systems as well.
RSA
{
"kid": "0",
"kty": "RSA",
"n": BASE64URLUINT(n)
"e": BASE64URLUINT(e)
"x5c": [ BASE64(cert), ... ]
}The following JWK fields, required for RSA public keys, are defined in RFC 7518 section 6.3.
| kid | Key ID string that uniquely identifies this key on the secure sub-system device. For CryptoAutomotive™ secure sub-system devices, this will be the data source name of the corresponding data source defined in the secure sub-system device's secure key provisioning service configuration file. |
| kty | The public key type. |
| n | The encoded modulus value for the RSA public key, as defined in RFC 7518 section 6.3.1.1. |
| e | The encoded exponent value for the RSA public key, as defined in RFC 7518 section 6.3.1.2. |
| x5c | If the public key has an associated certificate, it will appear as the first element in this array. Subsequent certificates in the array will be the CA certificates used to validate the previous one. Certificates will be BASE64 encoded (not BASE64URL) strings of the DER certificate. This is defined in RFC 7517 section 4.7. |