Tags: jose, acme, pebble, json-web-signature, ecdsa, signature

ACME Client Implementation


I am currently working on my own ACME client implementation. I generated the following JWS:

{"protected": "ewogImFsZyI6ICJFUzI1NiIsCiAiandrIjogInsia3R5IjogIkVDIiwiY3J2IjogIlAtMjU2IiwieCI6Ik1UYzVOVFF6TVRJME16STNNamd5TVRjM01UZzFOVFV5TnpJME16a3hOalk0TURjM01UYzNNalV3TWpJeU5qVXpNVFk0T1RRMU1ETTRNRFV5T0RRd09UY3dOemd6T0RFMU1qQTQiLCJ5IjoiTXpjeU56UTFNVEkyTURVME9EQTROREE0TXpBek9URTBNVGczTXpFME5UWXhORGcwT1RrMk5EUTFNRGswTVRNek5USTFNRGcxTmpZek9ERTRPRGsyTnpVNE1EZzROell6T1RJME9ETSJ9IiwKICJub25jZSI6ICI5aUxqYUdIMEV0R2NySDBLdDF0MTBBIiwKICJ1cmwiOiAiaHR0cHM6Ly8wLjAuMC4wOjE0MDAwL3NpZ24tbWUtdXAiCiB9","payload":"eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6IHRydWV9","signature":"MEUCIFNRj1eVStlonvZhEzg92Bb57qZn3wEUi2dvwdWFQ3oaAiEAg5BQKHeGip0kcv8dEbfnhZCrgb11myFztxfIOWtdvVs"}

Signed with ES256 (ECDSA P-256 and SHA-256).

Public Key X: 179543124327282177185552724391668077177250222653168945038052840970783815208

Public Key Y: 37274512605480840830391418731456148499644509413352508566381889675808876392483

JWK: {"kty": "EC","crv": "P-256","x":"MTc5NTQzMTI0MzI3MjgyMTc3MTg1NTUyNzI0MzkxNjY4MDc3MTc3MjUwMjIyNjUzMTY4OTQ1MDM4MDUyODQwOTcwNzgzODE1MjA4","y":"MzcyNzQ1MTI2MDU0ODA4NDA4MzAzOTE0MTg3MzE0NTYxNDg0OTk2NDQ1MDk0MTMzNTI1MDg1NjYzODE4ODk2NzU4MDg4NzYzOTI0ODM"}

Unencoded Header: { "alg": "ES256", "jwk": "{"kty": "EC","crv": "P-256","x":"MTc5NTQzMTI0MzI3MjgyMTc3MTg1NTUyNzI0MzkxNjY4MDc3MTc3MjUwMjIyNjUzMTY4OTQ1MDM4MDUyODQwOTcwNzgzODE1MjA4","y":"MzcyNzQ1MTI2MDU0ODA4NDA4MzAzOTE0MTg3MzE0NTYxNDg0OTk2NDQ1MDk0MTMzNTI1MDg1NjYzODE4ODk2NzU4MDg4NzYzOTI0ODM"}", "nonce": "9iLjaGH0EtGcrH0Kt1t10A", "url": "https://0.0.0.0:14000/sign-me-up" }

Unencoded payload: {"termsOfServiceAgreed": true}

This account creation request is rejected by the ACME Server (Pebble) with the following response:

{ "type": "urn:ietf:params:acme:error:malformed", "detail": "Parse error reading JWS", "status": 400 }

Can someone please have a look? Thanks in advance.

M

I tried changing formats a lot but nothing works.


Solution

  • Looking at your unencoded header, I can see that the jwk value starts and ends with a double-quote (i.e., the character '"'). An example in RFC 8555 (page 35) shows that the jwk value is not a string, so this might be the problem. Using a JSON object instead of a string might work.
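The point made in the answer, as an added example that is not code from the question, the answer, or Pebble: a pure-Python builder and checker for an ACME newAccount JWS in flattened JSON form (RFC 8555 section 6.2). The account key, nonce and URL are constructed locally; a real client takes the nonce from the server. Beyond the jwk-as-object fix, it follows two further JWS requirements that the posted JWS does not: the JWK `x` and `y` members are base64url of the 32-byte big-endian coordinate (RFC 7518 section 6.2.1), whereas the question's `x` decodes to the decimal text "1795431243..."; and the ES256 signature is the raw 64-byte R||S concatenation (RFC 7518 section 3.4), whereas the question's signature decodes to bytes starting with 0x30, the DER SEQUENCE tag. `lint_jws` is a hypothetical helper of mine that reports those structural problems; it is not Pebble's parser. The P-256 arithmetic is written out so the example runs offline; it is not constant-time and is for illustration only.

```python
import base64, hashlib, json, secrets

# NIST P-256 parameters (FIPS 186-4). This pure-Python arithmetic is for
# illustration only (not constant-time); a real client should sign with a
# vetted library such as `cryptography`.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P   # curve a = -3
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def b64url(data):
    """Base64url without padding, as JWS requires (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwk_from_point(Q):
    """RFC 7518 section 6.2.1: x and y are base64url of the 32-byte big-endian
    coordinate (not of its decimal text); the JWK itself is a JSON object."""
    x, y = Q
    return {"kty": "EC", "crv": "P-256",
            "x": b64url(x.to_bytes(32, "big")), "y": b64url(y.to_bytes(32, "big"))}

def _digest(protected_b64, payload_b64):
    return hashlib.sha256(f"{protected_b64}.{payload_b64}".encode()).digest()

def sign_jws(d, Q, url, nonce, payload):
    """Flattened-JSON ES256 JWS as ACME requires (RFC 8555 section 6.2)."""
    protected = {"alg": "ES256", "jwk": jwk_from_point(Q), "nonce": nonce, "url": url}
    prot_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payl_b64 = b64url(json.dumps(payload, separators=(",", ":")).encode())
    z = int.from_bytes(_digest(prot_b64, payl_b64), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            break
    # ES256 signature is raw R || S, 64 bytes (RFC 7518 section 3.4), not DER.
    sig = r.to_bytes(32, "big") + s.to_bytes(32, "big")
    return {"protected": prot_b64, "payload": payl_b64, "signature": b64url(sig)}

def lint_jws(jws):
    """Structural problems that make a JWS unparseable for an ACME server (hypothetical helper)."""
    try:
        header = json.loads(b64url_decode(jws["protected"]))
    except (ValueError, KeyError):
        return ["protected header is not base64url-encoded JSON"]
    problems = []
    jwk = header.get("jwk") if isinstance(header, dict) else None
    if not isinstance(jwk, dict):
        problems.append("jwk must be a JSON object, not a string")
    else:
        for c in ("x", "y"):
            if len(b64url_decode(jwk.get(c, ""))) != 32:
                problems.append(f"jwk.{c} must decode to 32 bytes")
    if len(b64url_decode(jws.get("signature", ""))) != 64:
        problems.append("signature must be raw R||S (64 bytes), not DER")
    return problems

def verify_jws(jws):
    """Verify ES256 against the public key carried in the jwk header."""
    if lint_jws(jws):
        return False
    header = json.loads(b64url_decode(jws["protected"]))
    Q = tuple(int.from_bytes(b64url_decode(header["jwk"][c]), "big") for c in ("x", "y"))
    sig = b64url_decode(jws["signature"])
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(_digest(jws["protected"], jws["payload"]), "big")
    w = pow(s, -1, N)
    R = _add(_mul(z * w % N, G), _mul(r * w % N, Q))
    return R is not None and R[0] % N == r

if __name__ == "__main__":
    d = secrets.randbelow(N - 1) + 1   # constructed account key; nonce/URL taken from the question
    jws = sign_jws(d, _mul(d, G), "https://0.0.0.0:14000/sign-me-up",
                   "9iLjaGH0EtGcrH0Kt1t10A", {"termsOfServiceAgreed": True})
    print(json.dumps(jws), lint_jws(jws), verify_jws(jws))
```

Running it prints a JWS whose protected header, once decoded, contains `"jwk":{"kty":"EC",...}` as a nested object, an empty problem list, and `True` from the self-verification. Feeding it a header whose `jwk` is a JSON string, or the DER signature from the question, makes `lint_jws` name the problem instead.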