validateCwt

General-purpose CWT validation using a set of built-in required checks (expiration and signature validity) and a set of optional checks specified in checks parameter.

JWT signature is verified either using a supplied publicKey or using a trusted key (WebTokenCheck.TRUST check must be specified in this case).

Most of the optional checks just validate that a particular field in the CWT header or body has certain value. Special optional checks are:

WebTokenCheck.IDENT checks that cti value is fresh and was not used in any not-yet-unexpired CWT that was validated before. The value that should be provided with this check id determines CWT "jti namespace". Two identical cti values that belong to distinct namespaces are not considered to be in conflict.

WebTokenCheck.TRUST specifies that the signature must be checked against a known trusted key (directly or through the certificate chain specified in x5c). The value provided with this check id determines Configuration name that holds JSON-formatted object that maps the name to the trusted key as either JWK or Base64-encode CA certificate. The name of the key in the map is derived either from the X509 top certificate subject common name, from kid parameter in CWT header or iss value in the CWT body.

WebTokenCheck.CHALLENGE defines the nonce/challenge check using the value of the specified property. The value given to this key in checks map is used as a property name in the body part of the CWT. That property must exist. Its value is passed to Challenge.validateAndConsume method.

Parameters

Throws