
I am currently working on my own ACME client implementation. I generated the following JWS:

{"protected": "ewogImFsZyI6ICJFUzI1NiIsCiAiandrIjogInsia3R5IjogIkVDIiwiY3J2IjogIlAtMjU2IiwieCI6Ik1UYzVOVFF6TVRJME16STNNamd5TVRjM01UZzFOVFV5TnpJME16a3hOalk0TURjM01UYzNNalV3TWpJeU5qVXpNVFk0T1RRMU1ETTRNRFV5T0RRd09UY3dOemd6T0RFMU1qQTQiLCJ5IjoiTXpjeU56UTFNVEkyTURVME9EQTROREE0TXpBek9URTBNVGczTXpFME5UWXhORGcwT1RrMk5EUTFNRGswTVRNek5USTFNRGcxTmpZek9ERTRPRGsyTnpVNE1EZzROell6T1RJME9ETSJ9IiwKICJub25jZSI6ICI5aUxqYUdIMEV0R2NySDBLdDF0MTBBIiwKICJ1cmwiOiAiaHR0cHM6Ly8wLjAuMC4wOjE0MDAwL3NpZ24tbWUtdXAiCiB9","payload":"eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6IHRydWV9","signature":"MEUCIFNRj1eVStlonvZhEzg92Bb57qZn3wEUi2dvwdWFQ3oaAiEAg5BQKHeGip0kcv8dEbfnhZCrgb11myFztxfIOWtdvVs"}

Signed with ES256 (ECDSA P256 and SHA256)

Public Key X: 179543124327282177185552724391668077177250222653168945038052840970783815208

Public Key Y: 37274512605480840830391418731456148499644509413352508566381889675808876392483

JWK: {"kty": "EC","crv": "P-256","x":"MTc5NTQzMTI0MzI3MjgyMTc3MTg1NTUyNzI0MzkxNjY4MDc3MTc3MjUwMjIyNjUzMTY4OTQ1MDM4MDUyODQwOTcwNzgzODE1MjA4","y":"MzcyNzQ1MTI2MDU0ODA4NDA4MzAzOTE0MTg3MzE0NTYxNDg0OTk2NDQ1MDk0MTMzNTI1MDg1NjYzODE4ODk2NzU4MDg4NzYzOTI0ODM"}

Unencoded Header: { "alg": "ES256", "jwk": "{"kty": "EC","crv": "P-256","x":"MTc5NTQzMTI0MzI3MjgyMTc3MTg1NTUyNzI0MzkxNjY4MDc3MTc3MjUwMjIyNjUzMTY4OTQ1MDM4MDUyODQwOTcwNzgzODE1MjA4","y":"MzcyNzQ1MTI2MDU0ODA4NDA4MzAzOTE0MTg3MzE0NTYxNDg0OTk2NDQ1MDk0MTMzNTI1MDg1NjYzODE4ODk2NzU4MDg4NzYzOTI0ODM"}", "nonce": "9iLjaGH0EtGcrH0Kt1t10A", "url": "https://0.0.0.0:14000/sign-me-up" }

Unencoded payload: {"termsOfServiceAgreed": true}

This account creation request is rejected by the ACME Server (Pebble) with the following response:

{ "type": "urn:ietf:params:acme:error:malformed", "detail": "Parse error reading JWS", "status": 400 }

Can someone please have a look? Thanks in advance.

M

I tried changing formats a lot but nothing works.



Looking at your unencoded header, I can see that the jwk value starts and ends with a double-quote (i.e., the character '"'). An example in RFC 8555 (page 35) shows that the jwk value is not a string, so this might be the problem. Using a JSON object instead of a string might work.

  • Unfortunately, I already tried that. Any other ideas? – moritzzirom Nov 06 '22 at 15:19
  • For the crypto error, you might be incorrectly formatting the signing input, or the signature output is not in the desired format specified by RFC7515 for ECDSA (see the example of A.3 of the appendix) – Yasmen Quandil Nov 06 '22 at 22:39
  • My mistake was to encode the signature parts r and s individually and concatenating them. It should be done the other way around. Thanks! – moritzzirom Nov 09 '22 at 12:22
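A worked example, added here and not taken from the question, the answer or Pebble, of the three encoding points raised above: the jwk member of the protected header is a JSON object, each P-256 coordinate is base64url of its fixed-width 32-byte big-endian octet string (RFC 7518 section 6.2.1.2), and the ES256 signature is the 64-byte r || s concatenation from RFC 7515 appendix A.3 rather than the ASN.1 DER most libraries hand back. The code is standard-library Python and does no signing of its own; it expects the DER signature a library such as cryptography produces and only re-encodes it. The P-256 parameters and generator point are the FIPS 186-4 constants, and the nonce, URL and the structurally valid (not cryptographically meaningful) signature bytes used in the demonstration are constructed placeholders. It also lints the exact JWS posted in the question: decoding that protected header shows the jwk value is a quoted string whose inner quotes are not escaped, so the header is not valid JSON at all, which is what Pebble's "Parse error reading JWS" refers to; the signature decodes to 71 bytes starting with the DER SEQUENCE tag 0x30.

```python
import base64
import json

# NIST P-256 parameters (FIPS 186-4); the generator G serves below as a known-valid point.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
COORD_LEN = 32  # a P-256 coordinate, and each of ECDSA r and s, is exactly 32 octets in JOSE

# Copied from the question above (not constructed): the posted JWS, the key's coordinates, and "x" as posted.
PAGE_JWS = '{"protected": "ewogImFsZyI6ICJFUzI1NiIsCiAiandrIjogInsia3R5IjogIkVDIiwiY3J2IjogIlAtMjU2IiwieCI6Ik1UYzVOVFF6TVRJME16STNNamd5TVRjM01UZzFOVFV5TnpJME16a3hOalk0TURjM01UYzNNalV3TWpJeU5qVXpNVFk0T1RRMU1ETTRNRFV5T0RRd09UY3dOemd6T0RFMU1qQTQiLCJ5IjoiTXpjeU56UTFNVEkyTURVME9EQTROREE0TXpBek9URTBNVGczTXpFME5UWXhORGcwT1RrMk5EUTFNRGswTVRNek5USTFNRGcxTmpZek9ERTRPRGsyTnpVNE1EZzROell6T1RJME9ETSJ9IiwKICJub25jZSI6ICI5aUxqYUdIMEV0R2NySDBLdDF0MTBBIiwKICJ1cmwiOiAiaHR0cHM6Ly8wLjAuMC4wOjE0MDAwL3NpZ24tbWUtdXAiCiB9","payload":"eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6IHRydWV9","signature":"MEUCIFNRj1eVStlonvZhEzg92Bb57qZn3wEUi2dvwdWFQ3oaAiEAg5BQKHeGip0kcv8dEbfnhZCrgb11myFztxfIOWtdvVs"}'
PAGE_X = 179543124327282177185552724391668077177250222653168945038052840970783815208
PAGE_Y = 37274512605480840830391418731456148499644509413352508566381889675808876392483
PAGE_BROKEN_X = "MTc5NTQzMTI0MzI3MjgyMTc3MTg1NTUyNzI0MzkxNjY4MDc3MTc3MjUwMjIyNjUzMTY4OTQ1MDM4MDUyODQwOTcwNzgzODE1MjA4"

def b64url(data: bytes) -> str:
    """Base64url without padding, as every JWS segment requires (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def on_curve(x: int, y: int) -> bool:
    """y^2 == x^3 - 3x + b (mod p); rejects corrupted or mis-parsed coordinates before encoding."""
    return 0 <= x < P256_P and 0 <= y < P256_P and (y * y - (x ** 3 - 3 * x + P256_B)) % P256_P == 0

def coord_to_b64url(n: int) -> str:
    """RFC 7518 section 6.2.1.2: base64url of the coordinate as a fixed-width big-endian octet
    string (leading zero bytes kept), never base64url of its decimal text."""
    return b64url(n.to_bytes(COORD_LEN, "big"))

def p256_jwk(x: int, y: int) -> dict:
    if not on_curve(x, y):
        raise ValueError("point is not on P-256")
    return {"kty": "EC", "crv": "P-256", "x": coord_to_b64url(x), "y": coord_to_b64url(y)}

def der_to_raw(der: bytes, n_len: int = COORD_LEN) -> bytes:
    """DER SEQUENCE { INTEGER r, INTEGER s } (what most libraries return) to the fixed-width r || s
    JWS mandates for ES256 (RFC 7515 section 3.4, appendix A.3). Short-form lengths only (<= 72 bytes)."""
    if len(der) < 8 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a DER SEQUENCE")
    pos, ints = 2, []
    for _ in range(2):
        if der[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        length = der[pos + 1]
        ints.append(int.from_bytes(der[pos + 2:pos + 2 + length], "big"))
        pos += 2 + length
    if pos != len(der):
        raise ValueError("trailing bytes after s")
    r, s = ints  # to_bytes() drops the 0x00 that DER prepends when the top bit of r or s is set
    return r.to_bytes(n_len, "big") + s.to_bytes(n_len, "big")

def acme_protected(jwk: dict, nonce: str, url: str) -> dict:
    """New-account protected header (RFC 8555 section 6.2): jwk is a JSON object, not a string."""
    return {"alg": "ES256", "jwk": jwk, "nonce": nonce, "url": url}

def signing_input(protected: dict, payload: dict) -> tuple:
    """Returns (protected_b64, payload_b64, bytes to sign); the P-256 private key signs the third."""
    p = b64url(json.dumps(protected, separators=(",", ":")).encode())
    pl = b64url(json.dumps(payload, separators=(",", ":")).encode())
    return p, pl, (p + "." + pl).encode("ascii")

def assemble_jws(protected: dict, payload: dict, der_signature: bytes) -> str:
    """Flattened JWS JSON serialization, with the DER signature re-encoded as r || s."""
    p, pl, _ = signing_input(protected, payload)
    return json.dumps({"protected": p, "payload": pl, "signature": b64url(der_to_raw(der_signature))})

def convert_signature_to_raw(jws_json: str) -> str:
    """Repair only the signature member of an existing JWS whose signer emitted DER."""
    jws = json.loads(jws_json)
    jws["signature"] = b64url(der_to_raw(b64url_decode(jws["signature"])))
    return json.dumps(jws)

def diagnose(jws_json: str) -> list:
    """Lint a flattened ES256 JWS for the encoding mistakes a server rejects as 'malformed'."""
    problems, jws = [], json.loads(jws_json)
    try:
        protected = json.loads(b64url_decode(jws["protected"]))
    except ValueError as exc:  # JSONDecodeError and binascii.Error are both ValueErrors
        problems.append(f"protected header is not valid JSON: {exc}")
        protected = {}
    jwk = protected.get("jwk")
    if isinstance(jwk, dict):
        for name in ("x", "y"):
            n = len(b64url_decode(jwk.get(name, "")))
            if n != COORD_LEN:
                problems.append(f"jwk.{name} decodes to {n} bytes, expected {COORD_LEN}")
    elif jwk is not None:
        problems.append(f"jwk must be a JSON object, not a {type(jwk).__name__}")
    sig = b64url_decode(jws["signature"])
    if len(sig) != 2 * COORD_LEN:
        hint = " (looks like ASN.1 DER)" if sig[:1] == b"\x30" else ""
        problems.append(f"signature is {len(sig)} bytes{hint}, expected {2 * COORD_LEN}-byte r||s")
    return problems

if __name__ == "__main__":
    for problem in diagnose(PAGE_JWS):
        print("problem:", problem)
    print("question's x decodes to", b64url_decode(PAGE_BROKEN_X)[:12], "... decimal text, not octets")
    print("page key on curve:", on_curve(PAGE_X, PAGE_Y), "| correct x member:", coord_to_b64url(PAGE_X))
```

Running the file reports the two defects visible in the posted JWS (the unparseable protected header and the 71-byte DER signature) and prints the correctly encoded "x" member for the question's public key. Once jwk is emitted as an object with 32-byte coordinates and the signature is passed through der_to_raw(), diagnose() returns no problems; on_curve() is the check worth keeping in a client, since a coordinate that was decoded with the wrong width or byte order almost never lands on the curve.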