I am trying to upgrade our internal client to support EC account keys, and Pebble does not like my payloads or signatures. I keep getting the following error:
My signatures verify. The post data is in line with what other clients push out successfully. I can build a valid JWK object from the dict I post. This only happens with EC keys; the RSA ones work fine.
Does anyone have an idea on what/where to troubleshoot in Pebble, or potential causes for this on my end?
I've seen a handful of similar issues in the archive and online; most people give up and stick with RSA.
A very common issue with JWS EC signatures is the signature format. If you're using a ready-made JWS library, it will hopefully already do this correctly, but if you're doing the signing yourself, check that you're using PKCS#11 signatures (raw r+s values concatenated, no encoding) and not the also very common DSS signatures (DER-encoded version of r+s).
For instance, in certbot/josepy (which uses Python's cryptography package), you have to call decode_dss_signature on the signature generated by cryptography to get the raw values from the DSS DER (and then properly concatenate them). Other libraries might give you PKCS#11 ECDSA signatures directly - this varies from implementation to implementation.
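An added example of the conversion described above (not code from this thread or from josepy), assuming Python's cryptography package and ES256 (P-256 with SHA-256): it turns the DER signature cryptography produces into the fixed-width r || s form a JWS verifier such as Pebble expects, and shows that handing the DER form to such a verifier fails. Note the zero-padding in der_to_raw: DER drops leading zero bytes, while JWS requires both values at full 32-byte width.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric.utils import (
    decode_dss_signature, encode_dss_signature)

# ES256 = ECDSA over P-256 with SHA-256; each value of the raw signature is 32 bytes wide.
COORD_LEN = 32

def der_to_raw(der_sig: bytes, size: int = COORD_LEN) -> bytes:
    """DER SEQUENCE{r, s} (what cryptography emits) -> fixed-width r || s (what JWS wants,
    RFC 7518 section 3.4). The zero-padding matters: DER drops leading zero bytes."""
    r, s = decode_dss_signature(der_sig)
    return r.to_bytes(size, "big") + s.to_bytes(size, "big")

def raw_to_der(raw_sig: bytes) -> bytes:
    """Inverse of der_to_raw, so a JWS signature can be checked with cryptography."""
    half = len(raw_sig) // 2
    return encode_dss_signature(int.from_bytes(raw_sig[:half], "big"),
                                int.from_bytes(raw_sig[half:], "big"))

def jws_sign(key: ec.EllipticCurvePrivateKey, signing_input: bytes) -> bytes:
    """Sign the JWS signing input (base64url(header) + '.' + base64url(payload))."""
    der = key.sign(signing_input, ec.ECDSA(hashes.SHA256()))
    return der_to_raw(der)

def jws_verify(pub, signing_input: bytes, sig: bytes) -> bool:
    """Verify the way a JWS/ACME server does: reject the wrong length, then check ECDSA."""
    if len(sig) != 2 * COORD_LEN:  # a DER signature (usually 70-72 bytes for P-256) fails here
        return False
    try:
        pub.verify(raw_to_der(sig), signing_input, ec.ECDSA(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False

def demo() -> dict:
    """Sign a constructed signing input and compare DER vs raw against the verifier."""
    key = ec.generate_private_key(ec.SECP256R1())
    signing_input = b"eyJhbGciOiJFUzI1NiJ9.eyJtc2ciOiJjb25zdHJ1Y3RlZCJ9"  # constructed sample
    der = key.sign(signing_input, ec.ECDSA(hashes.SHA256()))
    raw = der_to_raw(der)
    pub = key.public_key()
    return {"der_len": len(der), "raw_len": len(raw),
            "raw_ok": jws_verify(pub, signing_input, raw),
            "der_ok": jws_verify(pub, signing_input, der)}
```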
I was using josepy to sign, so you pointed me to the exact code to adapt. Everything is working well now.
Ironically, I was going to drop josepy a few weeks ago but decided to still use it, and before the holidays I generated some PRs for potential ways to drop the last bits of pyOpenSSL. I was just waist-deep in that code, and did not connect the dots to my issue today!
Thanks so much! It would have taken me way too long to figure that out myself.
That was not causing an issue, but only by virtue of using some libraries that unknowingly took care of that. I added some code to ensure keys are sorted appropriately - thanks so much!