Format of JWS when doing ACME

Format of things...

Trying to get my home brew client to work...
so if we read the JWS examples in RFC7515

and I have:
base64url of the protected header pb64
base64url of the payload p64
base64url of the signature s64...

The JWS spec (RFC 7515) represents this as pb64.p64.s64
RFC 8555
shows it as
{ "protected":"pb64","payload":"p64","signature":"s64" }

Looking at code for example ACME clients it seems the latter is correct.
Did I not read RFC 7515 right or is ACME not really compliant?

Also I believe that the signature should be:
against [pb64.p64]

Is this correct?

Trying to do step one account creation and I'm getting the completely expected error:
"Parse Error Reading JWS"

So something is wrong with my post; alas, I have no clue what it is.
Any suggestions?

Also, making it harder to find examples, I'm trying to do this with ECDSA for performance and memory reasons, and most examples are RSA.

Thanks!

The JWS standard* has two different representation ("serialization") formats:

  • The Compact Serialization, which uses base64 encoding with dot concatenation of header, body and signature ("eyX.Y.Z"). See RFC 7515 section 3.1.
  • The JSON Serialization, which uses JSON encoding of the base64 encoding of header, body, and signature ({"protected": "eyX", "payload": "Y", "signature": "Z"}). See RFC 7515 section 3.2.

Which of these two serialization formats is used varies in different protocols. RFC 8555 Section 6.2 requires JSON serialization, so the latter of the two.

*In a broader context, the two serialization schemes exist for most JSON Web Algorithms (JWA) formats, not only JWS.

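As an added example (not code from this thread, from Let's Encrypt, or from any ACME client), the script below takes the JWS body posted later in this thread and shows the relationship between the two serializations: it decodes the flattened JSON form, rebuilds the compact form from the same three parts, and shows that the signing input is BASE64URL(protected) "." BASE64URL(payload) whichever form goes on the wire. It also builds a fresh body with a pluggable signer, checks the ES256 signature shape (raw R||S, 64 bytes, per RFC 7518 section 3.4, not the DER blob many crypto APIs return), and returns the Content-Type that RFC 8555 requires. The function names, the `fake_es256_signer` stand-in (which only produces correctly sized, meaningless bytes so the script runs without key material) and the sample header values in the demo are my own; the script verifies structure only and does not check the ECDSA signature, since the standard library has no ECDSA.

```python
import base64
import hashlib
import json
from typing import Callable, Optional, Tuple

# The JWS posted in this thread, reassembled onto one line (copied from the thread, not constructed).
POSTED_JWS = (
    '{"protected":"eyJhbGciOiJFUzI1NiIsImp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6'
    'ImdTbWU5cmMweUFGN18wX2lDY0V1cENNYUt2bkdRU0JFZHZQbkRQUTFlXzAi'
    'LCJ5IjoiRXByQ21vYlZfRG1hZWdVOTNSWWp1d1VjTExwTjNBd0xpUlJvQlFBSWJZUSJ9'
    'LCJub25jZSI6IjJRb1pjWUdYZUtuZ2VHaHBNMUJ1Q25jS0pqZEZGb1l0U3hQRDdPY1ZoTk5ZeFZsMGYwOCIs'
    'InVybCI6Imh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LWFjY3QifQ",'
    '"payload":"eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6dHJ1ZX0",'
    '"signature":"a0hZQs92IHtKNWHuhujCfsFZ_LlrEQmD6cZ_3cWcteICnrZyYCviHMqKgzat8L7KsIQfu-w9on7jyaZYavRImQ"}'
)


def b64url_encode(data: bytes) -> str:
    """BASE64URL() as RFC 7515 section 2 defines it: URL-safe alphabet, no '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding that urlsafe_b64decode insists on."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def signing_input(protected_b64: str, payload_b64: str) -> bytes:
    """RFC 7515 section 5.1: the bytes that are signed are ASCII(BASE64URL(header) '.' BASE64URL(payload)).
    This is the same for both serializations; only the wrapping of the three parts differs."""
    return f"{protected_b64}.{payload_b64}".encode("ascii")


def compact_serialization(protected_b64: str, payload_b64: str, signature_b64: str) -> str:
    """RFC 7515 section 3.1 form (header.payload.signature); ACME does not accept this."""
    return f"{protected_b64}.{payload_b64}.{signature_b64}"


def flattened_json_serialization(protected_b64: str, payload_b64: str, signature_b64: str) -> str:
    """RFC 7515 section 7.2.2 form, which RFC 8555 section 6.2 requires for every ACME request body."""
    parts = {"protected": protected_b64, "payload": payload_b64, "signature": signature_b64}
    return json.dumps(parts, separators=(",", ":"))


def build_acme_jws(protected: dict, payload: Optional[dict], signer: Callable[[bytes], bytes]) -> str:
    """Assemble an ACME request body. `signer` (hypothetical callback) returns the raw JWS signature
    bytes for the signing input; for ES256 that is R||S (64 bytes), see es256_parts()."""
    protected_b64 = b64url_encode(json.dumps(protected, separators=(",", ":")).encode())
    # RFC 8555 section 6.3: a POST-as-GET request carries an empty payload, sent as "".
    payload_b64 = "" if payload is None else b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signature_b64 = b64url_encode(signer(signing_input(protected_b64, payload_b64)))
    return flattened_json_serialization(protected_b64, payload_b64, signature_b64)


def parse_acme_jws(body: str) -> dict:
    """Decode a flattened-JSON ACME body into its parts; raises ValueError on structural problems."""
    obj = json.loads(body)
    missing = [k for k in ("protected", "payload", "signature") if k not in obj]
    if missing:
        raise ValueError(f"JWS missing members: {missing}")
    header = json.loads(b64url_decode(obj["protected"]))
    payload = json.loads(b64url_decode(obj["payload"])) if obj["payload"] else None
    return {
        "header": header,
        "payload": payload,
        "signature": b64url_decode(obj["signature"]),
        "signing_input": signing_input(obj["protected"], obj["payload"]),
        "compact": compact_serialization(obj["protected"], obj["payload"], obj["signature"]),
    }


def es256_parts(signature: bytes) -> Tuple[int, int]:
    """RFC 7518 section 3.4: an ES256 JWS signature is R and S as 32-octet big-endian integers,
    concatenated (64 bytes). A DER-encoded ECDSA signature (the default output of many crypto
    libraries) starts with 0x30 and is about 70 bytes; it must be converted to R||S before encoding."""
    if len(signature) != 64:
        raise ValueError(f"ES256 signature must be 64 bytes (R||S), got {len(signature)}; DER output?")
    return int.from_bytes(signature[:32], "big"), int.from_bytes(signature[32:], "big")


def acme_request_headers() -> dict:
    """RFC 8555 section 6.2: the JWS body is sent with this Content-Type; the OP's typo here produced
    the same 'Parse Error Reading JWS' that a malformed body would."""
    return {"Content-Type": "application/jose+json"}


def fake_es256_signer(data: bytes) -> bytes:
    """Constructed stand-in: returns 64 meaningless bytes of the right shape. A real client signs
    with its P-256 key here and returns R||S."""
    return hashlib.sha256(data).digest() * 2


if __name__ == "__main__":
    parsed = parse_acme_jws(POSTED_JWS)
    print("alg:", parsed["header"]["alg"], "url:", parsed["header"]["url"])
    print("payload:", parsed["payload"])
    r, s = es256_parts(parsed["signature"])
    print("R||S decoded, R has", r.bit_length(), "bits, S has", s.bit_length(), "bits")
    print("compact form starts:", parsed["compact"][:40], "...")
    body = build_acme_jws({"alg": "ES256", "nonce": "constructed-nonce", "url": "https://example.invalid/new-acct"},
                          {"termsOfServiceAgreed": True}, fake_es256_signer)
    print("headers:", acme_request_headers())
    print("body:", body)
```

The only difference between what RFC 7515 shows and what ACME wants is the wrapper: the same three base64url strings are sent as three JSON members instead of joined with dots, and the signature is always computed over `protected "." payload`. For an ECDSA client the other common trap is the signature encoding, which `es256_parts` checks by length.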

This is what I'm posting... (Strip line breaks)
{"protected":"eyJhbGciOiJFUzI1NiIsImp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6ImdTbWU5cmMweUFGN18wX2lDY0V1cENNYUt2bkdRU0JFZHZQbkRQUTFlXzAiLCJ5IjoiRXByQ21vYlZfRG1hZWdVOTNSWWp1d1VjTExwTjNBd0xpUlJvQlFBSWJZUSJ9LCJub25jZSI6IjJRb1pjWUdYZUtuZ2VHaHBNMUJ1Q25jS0pqZEZGb1l0U3hQRDdPY1ZoTk5ZeFZsMGYwOCIsInVybCI6Imh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LWFjY3QifQ","payload":"eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6dHJ1ZX0","signature":"a0hZQs92IHtKNWHuhujCfsFZ_LlrEQmD6cZ_3cWcteICnrZyYCviHMqKgzat8L7KsIQfu-w9on7jyaZYavRImQ"}

I was able to send that JWS to the Let's Encrypt staging server using curl, verbatim, and it created an account for me:

$ curl -k --data '{"protected":"eyJhbGciOiJFUzI1NiIsImp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6ImdTbWU5cmMweUFGN18wX2lDY0V1cENNYUt2bkdRU0JFZHZQbkRQUTFlXzAiLCJ5IjoiRXByQ21vYlZfRG1hZWdVOTNSWWp1d1VjTExwTjNBd0xpUlJvQlFBSWJZUSJ9LCJub25jZSI6IjJRb1pjWUdYZUtuZ2VHaHBNMUJ1Q25jS0pqZEZGb1l0U3hQRDdPY1ZoTk5ZeFZsMGYwOCIsInVybCI6Imh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LWFjY3QifQ","payload":"eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6dHJ1ZX0","signature":"a0hZQs92IHtKNWHuhujCfsFZ_LlrEQmD6cZ_3cWcteICnrZyYCviHMqKgzat8L7KsIQfu-w9on7jyaZYavRImQ"}' -H 'Content-Type: application/jose+json' https://acme-staging-v02.api.letsencrypt.org/acme/new-acct
{
  "key": {
    "kty": "EC",
    "crv": "P-256",
    "x": "gSme9rc0yAF7_0_iCcEupCMaKvnGQSBEdvPnDPQ1e_0",
    "y": "EprCmobV_DmaegU93RYjuwUcLLpN3AwLiRRoBQAIbYQ"
  },
  "initialIp": "redacted",
  "createdAt": "2023-06-25T04:44:00.683273208Z",
  "status": "valid"
}

Thanks!
I was so sure that it was a crypto problem that I did not notice I'd typoed the Content-Type...
Arghhh... thanks!
On to the next step...
