JWS verification error - EC account keys not working


#1

Does anyone have an idea what is incorrect about the signature with this request? I get JWS verification error (type=urn:acme:error:malformed) from the acme-server. If I run it through my validator it says ok, but I also made the validator so I am guessing both are wrong (;

{
"header":{"alg":"ES256", "jwk": {"kty":"EC", "crv":"P-256", "x":"24vwix51ywyS0v7MmVmQKT6qWYSBXNMVj8H2baGign0", "y":"lj60aGu0IrsYxXXfRBx9851q3Acaz6HCcVY_KdlkIzg"} },
"payload":"ewogICJyZXNvdXJjZSI6ICJuZXctcmVnIiwKICAiY29udGFjdCI6IFsKICAgICJtYWlsdG86YWNtZUB0aGlzLWlzLWEtdGVzdC5jb20iLAogICAgInRlbDorNDc0MDEzOTM4MyIKICBdCn0K",
"protected":"eyJub25jZSI6Ii1iNjhpNWNGdFJHNDV6QUY4SDdCa0lVY1FGbjljeGxodHZhblZNSGVCVDAifQ",
"signature":"MEQCIF_k_yd2BQu7LsldaWWZJSpowMf4esbtkHwmNcIckBROAiAKXtUxnwRRCsfXRdMkYVzmEUxHhVICAiPFlbG-_hRUxA"
}

Validator: https://webapp.udc.no/validator_jws

JWS validation success!
JSON:

{
"resource": "new-reg",
"contact": [
"mailto:acme@this-is-a-test.com",
"tel:+4740139383"
]
}
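
An added example, not part of any post in this thread: RFC 7518 section 3.4 defines the ES256 JWS signature as the 64-byte concatenation R||S, not an ASN.1 DER structure, so a client can check which form it is about to send. The sketch below uses only the Python standard library, takes the signature value from post #1 as input, and its function names are hypothetical.

```python
import base64

COORD_LEN = 32  # bytes per P-256 integer; an ES256 JWS signature is R||S = 64 bytes

# Signature value copied from post #1 of this thread.
POSTED_SIG = "MEQCIF_k_yd2BQu7LsldaWWZJSpowMf4esbtkHwmNcIckBROAiAKXtUxnwRRCsfXRdMkYVzmEUxHhVICAiPFlbG-_hRUxA"

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _read_tlv(buf, pos, tag):
    """Read one DER TLV with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected DER tag")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 2 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos:pos + length], pos + length

def der_to_raw(der):
    """Convert SEQUENCE { INTEGER r, INTEGER s } to fixed-width R||S."""
    seq, end = _read_tlv(der, 0, 0x30)
    r, pos = _read_tlv(seq, 0, 0x02)
    s, pos = _read_tlv(seq, pos, 0x02)
    if end != len(der) or pos != len(seq):
        raise ValueError("trailing bytes")
    # int round-trip drops DER's leading 0x00 pad and left-pads short values;
    # to_bytes raises OverflowError if a value does not fit in 32 bytes.
    return b"".join(int.from_bytes(v, "big").to_bytes(COORD_LEN, "big") for v in (r, s))

def classify(sig_b64):
    """Return 'raw' for 64-byte R||S, 'der' for an ASN.1 signature, else 'invalid'."""
    sig = b64url_decode(sig_b64)
    if len(sig) == 2 * COORD_LEN:
        return "raw"
    try:
        der_to_raw(sig)
        return "der"
    except (ValueError, OverflowError):
        return "invalid"

if __name__ == "__main__":
    print(classify(POSTED_SIG), len(b64url_decode(POSTED_SIG)), "bytes")
    print(b64url_encode(der_to_raw(b64url_decode(POSTED_SIG))))
```

The converted value only changes the encoding of the same (r, s) pair; the signed input is unchanged.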


#2

Yes, I see the same problem.

When using ECC account to call “new-reg” command.


#3

Here is my jws:

========================================

{"header": {"alg": "ES256", "jwk": {"kty": "EC", "crv": "P-256", "x": "FwvSZpu06i3frSk_mz9HcD9nETn4wf3mQ-zDtG21Gao", "y": "S8rR-0dWa8nAcw1fbunF_ajS3PQZ-QwLps-2adgLgPk"}}, "protected": "eyJub25jZSI6ICJPWjRZUk1hMFdhUzlVYzhoQ1RDVml2WWx3dnNRYVZRbTJ6ZzFCVDFBdkR3IiwgImFsZyI6ICJFUzI1NiIsICJqd2siOiB7Imt0eSI6ICJFQyIsICJjcnYiOiAiUC0yNTYiLCAieCI6ICJGd3ZTWnB1MDZpM2ZyU2tfbXo5SGNEOW5FVG40d2YzbVEtekR0RzIxR2FvIiwgInkiOiAiUzhyUi0wZFdhOG5BY3cxZmJ1bkZfYWpTM1BRWi1Rd0xwcy0yYWRnTGdQayJ9fQ", "payload": "eyJyZXNvdXJjZSI6ICJuZXctcmVnIiwgImFncmVlbWVudCI6ICJodHRwczovL2xldHNlbmNyeXB0Lm9yZy9kb2N1bWVudHMvTEUtU0EtdjEuMC4xLUp1bHktMjctMjAxNS5wZGYifQ", "signature": "MEQCIH_cE0n4N0THwlZl_2lZLvdp9z5g60UkdAqa_K6MifUSAiBHCHJP2R72lyXxUd_BtQOhbwplHIQCckSRzbuyzXXo3Q"}

========================================

I used the ECC key from the boulder unit tests:

==========================

-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIH+p32RUnqT/iICBEGKrLIWFcyButv0S0lU/BLPOyHn2oAoGCCqGSM49
AwEHoUQDQgAEFwvSZpu06i3frSk/mz9HcD9nETn4wf3mQ+zDtG21GapLytH7R1Zr
ycBzDV9u6cX9qNLc9Bn5DAumz7Zp2AuA+Q==
-----END EC PRIVATE KEY-----

==========================


#4

Neil: Your JWS validates OK on my web-based validator. Could it perhaps be something wrong with the acme-implementation?


#5

I don’t think so. There is not too much “other implementation”. Just post the JWS to the ACME server; it reports an error.

{"type":"urn:acme:error:malformed","detail":"JWS verification error","status":400}


#6

I retried with the same code using RSA keys instead, and that works. I guess EC keys are not supported for now.


#7

#8

Ah ok. Then it is possible it is not properly implemented in acme. Somebody else would have to verify that.


#9

I suggest you change the title of this topic to something like: ECC account key can not be verified.

I’m not sure.


#10

Hi, @Jay,

How is it going?

Thanks.