New ABAP ACME Client - NewAccount POST Content-Type not fitting

Hello Community,

I am trying to write a new client for SAP Systems in ABAP.
I am quite new to communicating via http, especially when it comes to signed JSON strings.

My problem occurs when I try to send the http post method for creating a new account.

The response is: "Unsupported Media Type"

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Invalid Content-Type header on POST. Content-Type must be \"application/jose+json\"",
  "status": 415
}

I already set the http Content-Type header field to 'application/jose+json'.

So there may be a problem with how I formatted that JSON string.

Sadly I can't really figure out what it should look like exactly.

The Documentation says it has to be a flattened json serialisation which should look like:

{
  "payload": "SW4gb3VyIHZpbGx--EXAMPLE--hZ2UsIGZvbGtzIHNheSBHb",
  "protected": "ey--EXAMPLE--JhbGciOiJFUzI1NiJ9",
  "header": { "kid": "myKey" },
  "signature": "b7V--EXAMPLE--2UpDPytr-kMnM_YjiQ3E0J2ucOI9LYA7mt57vc"
}

which is a base64url encoding of:

@Payload:

{
  "contact": ["mailto:myadress@email.tld"]
}

@Protected:

{
  "alg": "RS256",
  "jwk": {
    "kty": "RSA",
    "n": "I6ICJFUzI1NiIsCiAgICAiandr",
    "e": "xXbFQ5RUxQdkhGeVZTQ00iCiAgIC",
    "use": "sig"
  },
  "nonce": "0004rgVuSQ3wiyx7BL3blBhRdyuUNyVKT_UC9kXB6OWLwko",
  "url": "https://example.com/acme/new-account"
}

@signature: Here I am not quite sure which exact data to throw into my function module for signing.

Please point out if I am doing something completely wrong.

I would really like it if someone could give me some advice or even an example of what exactly has to be sent.

Also, is there a good option to check whether the JOSE I have created is consistent or not?

Thank you so far :slight_smile:

This error message is quite precise in its meaning. It's not a JWS problem, it's really a problem with the request header.

If you have some way to dump the request headers in your client, that should reveal what you're actually sending in that request header.

This shouldn't be here. RFC8555 says:

o The JWS Unprotected Header [RFC7515] MUST NOT be used

If kid is relevant, it goes into the Protected Header.

Do you have a JWS library? I highly recommend using one if you are not familiar with JOSE, as there are quite a few pitfalls.

It's a bit of a pain, but in the past I have used JSON Web Tokens - jwt.io. It's a pain because you have to convert from Flattened to Compact serialization, but otherwise it can help uncover basic serialization and signature problems.

Hi _az,
thank you for your reply.

Unprotected Header is out now (it was just in for a few desperate tries).

The class which is sending the HTTP request says just before sending that the data of the header field "Content-Type" really is set to 'application/jose+json'.
I even tried setting it in the protected section by "cty":"application/jose+json"
Still the same problem.

best regards,
Robin

As _az mentioned, this error does not belong to the body part of the HTTP request (containing the JWS). It is definitely the Content-Type header value which is incorrect. If you look at the source code you can see that the error message "Invalid Content-Type header on POST. Content-Type must be..." is only emitted if the Content-Type header does not match the string application/jose+json.

Source:

Slightly off topic, but any ACME tool that accepts a custom CSR and outputs a full chain in PEM format will work for SAP, including https://certifytheweb.com - I added custom CSR support for that specifically to support SAP. I'm pretty sure certbot supports that as well.

The only reason I'm suggesting those is that implementing your own client is a long process if you then want to support all the different validation methods etc. If you're selling a solution then it could be worthwhile, but otherwise I'd avoid rolling your own :slight_smile:

I tried to run my post request against an external tracking site.
So it seems like it really is sending Content-Type: application/jose+json; charset=utf-8
Which is bad because I cannot unset this.
In Boulder code I can see it wants the exact string "application/jose+json" so my request is denied as unsupported media type.
Seems to be an SAP Problem.

SAP Note: 2456232 - Cannot send HTTP Content-Type header without charset value.
There is a fix. Have to update the SAP REST adapter... and I don't know how, because I don't know how to get those .sca files into my ABAP stack system.
But this is an SAP related Problem.

Thank you so far!
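
As an added illustration (not code from this thread or from Boulder), here is a Python pre-flight check for the points raised above: the exact Content-Type comparison, the RFC 8555 rules for the flattened JWS, and the bytes that go into the signing routine. The function names and sample values are made up for the example, and the RSA signing itself is left to whatever routine the client already has.

```python
import base64
import json

JOSE_CT = "application/jose+json"  # exact value the server in the thread expects

# Constructed sample values (placeholders, not a real key or nonce).
SAMPLE_PROTECTED = {"alg": "RS256", "nonce": "nonce-placeholder",
                    "url": "https://example.com/acme/new-account",
                    "jwk": {"kty": "RSA", "n": "n-placeholder", "e": "AQAB"}}
SAMPLE_PAYLOAD = {"contact": ["mailto:myadress@email.tld"]}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWS (RFC 7515) uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jws_parts(protected: dict, payload: dict):
    """Return (protected_b64, payload_b64, signing_input).

    signing_input is what goes into the signing routine:
    ASCII(BASE64URL(protected) + "." + BASE64URL(payload)).
    """
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    p, d = enc(protected), enc(payload)
    return p, d, f"{p}.{d}".encode("ascii")


def lint_acme_post(headers: dict, body: str) -> list:
    """List problems in an outgoing ACME POST; an empty list means none found."""
    problems = []
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type")
    if ctype != JOSE_CT:  # exact comparison: "; charset=utf-8" does not pass
        problems.append(f"Content-Type is {ctype!r}, must be {JOSE_CT!r}")
    jws = json.loads(body)
    if "header" in jws:  # RFC 8555: unprotected header MUST NOT be used
        problems.append("unprotected 'header' member present")
    problems += [f"missing '{m}'" for m in ("protected", "payload", "signature") if m not in jws]
    if "protected" in jws:
        raw = jws["protected"]
        prot = json.loads(base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)))
        problems += [f"protected lacks '{f}'" for f in ("alg", "nonce", "url") if f not in prot]
        if ("jwk" in prot) == ("kid" in prot):
            problems.append("protected needs exactly one of 'jwk' or 'kid'")
    return problems
```

The "signature" member of the request body is then the base64url encoding (again without padding) of the RS256 signature over `signing_input`.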
