New client - parse error reading JWS

Hi, I'm trying to create my own Python ACME client and I'm stuck at account creation.

Just as a note, I'm using the jwcrypto.readthedocs.io library to create and sign JWS tokens.

Now here is an example of the "new account" POST (I'm running Pebble inside a container).

{"payload":"eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6IHRydWUsICJjb250YWN0IjpbIm1haWx0bzp0ZXN0QHRlc3QuaXQiXX0","protected":"eyJhbGciOiJFUzI1NiIsImp3ayI6eyJjcnYiOiJQLTI1NiIsImQiOiJSR05QSXZ4WHRFTEl3QjdrR3A4SFRfc0NNUHk5akZNb3Jwb1Q3SlRPVVRJIiwia2lkIjoiQkMxNTJHZUItZlFLZnpmUDI0Sk9rbDlvZVhOVFBRbGhtM2pZaW5UR2RlUSIsImt0eSI6IkVDIiwieCI6ImFvMlZMVXBvV2UzT054bmRpUFpVTjdhS1NGQzFLYS02a254TnN2d2hYYkUiLCJ5IjoiRFVkOXgzSUtEaHVBdWMyVl8xdXRfOFM0MV9kVlhzUUdTdHBDanVFVkNCSSJ9LCJub25jZSI6IkpLd3lvcnlySFpfYnRtMTBUdVFtTnciLCJ1cmwiOiAiaHR0cHM6Ly8xNzIuMTkuMTkxLjIzNjoxNDAwMC9zaWduLW1lLXVwIn0","signature":"B5vzfeHLd_fM-ztZH_zDydIJ2eC21XH46zsfS8GACF1kLfErGf5jsTVeVNkz60b1APdEMjEAxhkMz_drPGXkDg"}

I keep receiving "Parse error reading JWS".
Using the jwt.io website it seems that all the information is fine! Also, using the following public key it says that the signature is verified.

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEao2VLUpoWe3ONxndiPZUN7aKSFC1
Ka+6knxNsvwhXbENR33HcgoOG4C5zZX/W63/xLjX91VexAZK2kKO4RUIEg==
-----END PUBLIC KEY-----

Where is the problem?


Hi @skyscreaper

You send the wrong URL.

{"alg":"ES256","jwk":{"crv":"P-256","d":"RGNPIvxXtELIwB7kGp8HT_sCMPy9jFMorpoT7JTOUTI","kid":"BC152GeB-fQKfzfP24JOkl9oeXNTPQlhm3jYinTGdeQ","kty":"EC","x":"ao2VLUpoWe3ONxndiPZUN7aKSFC1Ka-6knxNsvwhXbE","y":"DUd9x3IKDhuAuc2V_1ut_8S41_dVXsQGStpCjuEVCBI"},"nonce":"JKwyoryrHZ_btm10TuQmNw","url": "https://172.19.191.236:14000/sign-me-up"}


I'm using a request to get all the urls:

import requests

acme_base_url = "https://172.19.191.236:14000"  # this is my pebble server running in a container

# fetch the ACME directory and take the newAccount URL from it
list_directory = (requests.get(url=acme_base_url+"/dir", verify=False)).json()

new_acct_url = list_directory['newAccount']

printing new_acct_url gives me : https://172.19.191.236:14000/sign-me-up

here is the entire answer from the get request:

{'keyChange': 'https://172.19.191.236:14000/rollover-account-key', 'meta': {'externalAccountRequired': False, 'termsOfService': 'data:text/plain,Do%20what%20thou%20wilt'}, 'newAccount': 'https://172.19.191.236:14000/sign-me-up',
'newNonce': 'https://172.19.191.236:14000/nonce-plz', 'newOrder': 'https://172.19.191.236:14000/order-plz', 'revokeCert': 'https://172.19.191.236:14000/revoke-cert'}


This is happening because you're sending the entire private key in the embedded JWK.

[ ACME ] > b64url -decode
Input data to encode/decode.  End by sending '.'
[ ACME ] > b64url data > eyJhbGciOiJFUzI1NiIsImp3ayI6eyJjcnYiOiJQLTI1NiIsImQiOiJSR05QSXZ4WHRFTEl3QjdrR3A4SFRfc0NNUHk5akZNb3Jwb1Q3SlRPVVRJIiwia2lkIjoiQkMxNTJHZUItZlFLZnpmUDI0Sk9rbDlvZVhOVFBRbGhtM2pZaW5UR2RlUSIsImt0eSI6IkVDIiwieCI6ImFvMlZMVXBvV2UzT054bmRpUFpVTjdhS1NGQzFLYS02a254TnN2d2hYYkUiLCJ5IjoiRFVkOXgzSUtEaHVBdWMyVl8xdXRfOFM0MV9kVlhzUUdTdHBDanVFVkNCSSJ9LCJub25jZSI6IkpLd3lvcnlySFpfYnRtMTBUdVFtTnciLCJ1cmwiOiAiaHR0cHM6Ly8xNzIuMTkuMTkxLjIzNjoxNDAwMC9zaWduLW1lLXVwIn0
... .
Result:
{"alg":"ES256","jwk":{"crv":"P-256","d":"RGNPIvxXtELIwB7kGp8HT_sCMPy9jFMorpoT7JTOUTI","kid":"BC152GeB-fQKfzfP24JOkl9oeXNTPQlhm3jYinTGdeQ","kty":"EC","x":"ao2VLUpoWe3ONxndiPZUN7aKSFC1Ka-6knxNsvwhXbE","y":"DUd9x3IKDhuAuc2V_1ut_8S41_dVXsQGStpCjuEVCBI"},"nonce":"JKwyoryrHZ_btm10TuQmNw","url": "https://172.19.191.236:14000/sign-me-up"}

See the d parameter? That's the private part of an ECDSA key. You don't want to send that to an ACME server, that's a security blunder that Pebble is stopping you from committing. (Though Pebble should definitely make a much less opaque error).

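The check Pebble is making here, as an added example that is not part of this thread and not Pebble's own code: it takes the flattened JWS from the opening post as its test vector, walks the structural checks RFC 8555 §6.2 requires of an ACME protected header (alg, exactly one of jwk/kid, nonce, url, and no private-key members in an embedded JWK), and shows the fix, rebuilding the header from the public JWK members only. Standard library only; the constant names, the function names and the expected-URL parameter are my own choices. With jwcrypto the same fix is to embed `key.export_public()` rather than `key.export()`.

```python
import base64
import json

# JWK members that carry private or symmetric key material and must never
# appear in an ACME protected header (RFC 7518 §6.2.2 and §6.3.2, RFC 8037 §2).
PRIVATE_JWK_MEMBERS = frozenset({"d", "p", "q", "dp", "dq", "qi", "oth", "k"})

# The newAccount URL from the Pebble directory quoted in this thread.
NEW_ACCOUNT_URL = "https://172.19.191.236:14000/sign-me-up"

# The flattened JWS from the opening post, used here as a test vector.
POSTED_JWS = {
    "payload": "eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6IHRydWUsICJjb250YWN0IjpbIm1haWx0bzp0ZXN0QHRlc3QuaXQiXX0",
    "protected": "eyJhbGciOiJFUzI1NiIsImp3ayI6eyJjcnYiOiJQLTI1NiIsImQiOiJSR05QSXZ4WHRFTEl3QjdrR3A4SFRfc0NNUHk5akZNb3Jwb1Q3SlRPVVRJIiwia2lkIjoiQkMxNTJHZUItZlFLZnpmUDI0Sk9rbDlvZVhOVFBRbGhtM2pZaW5UR2RlUSIsImt0eSI6IkVDIiwieCI6ImFvMlZMVXBvV2UzT054bmRpUFpVTjdhS1NGQzFLYS02a254TnN2d2hYYkUiLCJ5IjoiRFVkOXgzSUtEaHVBdWMyVl8xdXRfOFM0MV9kVlhzUUdTdHBDanVFVkNCSSJ9LCJub25jZSI6IkpLd3lvcnlySFpfYnRtMTBUdVFtTnciLCJ1cmwiOiAiaHR0cHM6Ly8xNzIuMTkuMTkxLjIzNjoxNDAwMC9zaWduLW1lLXVwIn0",
    "signature": "B5vzfeHLd_fM-ztZH_zDydIJ2eC21XH46zsfS8GACF1kLfErGf5jsTVeVNkz60b1APdEMjEAxhkMz_drPGXkDg",
}


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url (RFC 7515 §2) by restoring the padding first."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_protected(jws: dict) -> dict:
    """Return the protected header of a flattened JWS as a dict."""
    return json.loads(b64url_decode(jws["protected"]))


def encode_protected(protected: dict) -> str:
    """Serialize a protected header dict the way it goes on the wire."""
    return b64url_encode(json.dumps(protected, separators=(",", ":")).encode())


def public_jwk(jwk: dict) -> dict:
    """Copy of a JWK with every private/symmetric member removed.

    This is what belongs in the newAccount request; with jwcrypto,
    key.export_public() yields the same shape (key.export() does not).
    """
    return {k: v for k, v in jwk.items() if k not in PRIVATE_JWK_MEMBERS}


def check_acme_protected_header(jws: dict, expected_url: str) -> list:
    """Structural checks an ACME server applies before it verifies the signature
    (RFC 8555 §6.2). Returns a list of problems; an empty list means acceptable.
    """
    try:
        protected = decode_protected(jws)
    except (KeyError, ValueError) as exc:
        return [f"protected header is not base64url-encoded JSON: {exc}"]

    problems = []
    if "alg" not in protected or protected["alg"] == "none":
        problems.append("missing or forbidden alg")
    has_jwk, has_kid = "jwk" in protected, "kid" in protected
    if has_jwk == has_kid:
        problems.append("exactly one of jwk or kid must be present")
    if has_jwk:
        leaked = sorted(set(protected["jwk"]) & PRIVATE_JWK_MEMBERS)
        if leaked:
            problems.append("embedded jwk contains private member(s): " + ", ".join(leaked))
    if "nonce" not in protected:
        problems.append("missing nonce")
    if protected.get("url") != expected_url:
        problems.append(f"url {protected.get('url')!r} does not match request URL {expected_url!r}")
    return problems


def strip_private_key(jws: dict) -> dict:
    """Rebuild a flattened JWS with a public-only embedded JWK.

    The protected header is part of the signing input, so the result still has
    to be re-signed with the private key; the old signature is dropped here to
    make that explicit.
    """
    protected = decode_protected(jws)
    if "jwk" in protected:
        protected["jwk"] = public_jwk(protected["jwk"])
    return {"payload": jws["payload"], "protected": encode_protected(protected)}


if __name__ == "__main__":
    for problem in check_acme_protected_header(POSTED_JWS, NEW_ACCOUNT_URL):
        print("problem:", problem)
    print("after stripping:", check_acme_protected_header(strip_private_key(POSTED_JWS), NEW_ACCOUNT_URL))
```

Run against the posted request this reports exactly one problem, the `d` member in the embedded JWK; after `strip_private_key` the header passes, but the request must be signed again before it is sent, since the protected header is covered by the ES256 signature.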

My bad... now it's working. Anyway, I was expecting something like "bad public key"...
Thank you!


No problem! We've now updated Pebble to return a more specific error message in this case.

