Appendix E. Negative Test Case for "crit" Header Parameter

This appendix provides a test case that demonstrates the behavior required when an implementation encounters a "crit" (critical) Header Parameter value that it does not understand.

Purpose

The "crit" Header Parameter indicates that extensions to the JWS specification are being used that MUST be understood and processed. If a recipient does not understand any of the extensions listed in the "crit" array, it MUST reject the JWS.

Test Case

A JWS whose "crit" value lists a Header Parameter that the implementation does not support must be rejected by the implementation, even if the JWS is otherwise well-formed and the signature is valid.

Expected Behavior

  • If understood: Process the JWS normally, validating all critical parameters
  • If not understood: Reject the JWS entirely, regardless of signature validity

This ensures that JWSs using mandatory extensions are not processed by implementations that cannot properly handle those extensions, preventing potential security vulnerabilities.

Implementation Note

Producers MUST NOT include in the "crit" list:

  • Header Parameter names defined by the base JWS/JWA specifications
  • Duplicate names
  • Names that do not appear in the JOSE Header

Producers also MUST NOT use an empty array "[]" as the "crit" value.
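
A recipient-side check that combines the expected behavior and the producer rules above, as an added example (not code from the specification). The extension name "x-example-ext", the helper names and the sample tokens are constructed, and rejecting producer-rule violations on the recipient side is a choice made by this example.

```python
import base64
import json

# Header Parameter names defined by RFC 7515 itself; never valid inside "crit".
BASE_JWS_PARAMS = {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t",
                   "x5t#S256", "typ", "cty", "crit"}

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def check_crit(compact_jws, understood=frozenset()):
    """Return (ok, reason). A False result means reject, whatever the signature says."""
    header = json.loads(b64url_decode(compact_jws.split(".")[0]))
    if not isinstance(header, dict):
        return False, "JOSE Header is not a JSON object"
    if "crit" not in header:
        return True, "no crit parameter"
    crit = header["crit"]
    if not isinstance(crit, list) or not crit:
        return False, "crit must be a non-empty array"
    if not all(isinstance(name, str) for name in crit):
        return False, "crit entries must be strings"
    if len(set(crit)) != len(crit):
        return False, "duplicate name in crit"
    for name in crit:
        if name in BASE_JWS_PARAMS:
            return False, "base specification parameter in crit: " + name
        if name not in header:
            return False, "crit name absent from JOSE Header: " + name
        if name not in understood:
            return False, "unsupported critical parameter: " + name
    return True, "all critical parameters understood"

def make_sample(header):
    # Constructed token: the payload and signature segments are placeholders.
    parts = [json.dumps(header).encode(), b"payload", b"sig"]
    return ".".join(b64url_encode(p) for p in parts)

if __name__ == "__main__":
    token = make_sample({"alg": "HS256", "crit": ["x-example-ext"],
                         "x-example-ext": True})
    print(check_crit(token))                       # extension not understood
    print(check_crit(token, {"x-example-ext"}))    # extension understood
```

The set passed as understood must contain only extensions the implementation actually processes, not every name it happens to recognize.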