The rules to obtain the verification key from X.509 should be changed to use the uniformResourceIdentifier from the SAN extension instead of the unifiedResourceName (which does not exist).

Furthermore, since uniformResourceIdentifier can potentially start with a https scheme, the JWT Issuer Metadata rule should only be enforced if no x5* JWT header was set.

We also need to add x5t#S256 JWT header.

Fixed by #183