Parse error reading JWS

I tried to create an account and received a message:
Parse error reading JWS

I sent:
{“protected”:“eyJhbGciOiJFUzI1NiIsImp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6Ik1GWXdFQVlIS29aSXpqMENBUVlGSzRFRUFBb0RRZ0FFYmY2SUVOeWJLbXRBRGxWSVBXbEdrWi83OFVpNjg4Z3oiLCJ5Ijoia3d2Q3N4YXNGNzdrcG9xMldxWWhwWmIxa2pTWWdUVjJ5aGVld3JyZklVRlJMdHBrYVIrM2J3PT0ifSwibm9uY2UiOiIwMDAyd2hhR09SeGVDR19LeHJZemVra1U4NlJTYUhYaE9GbldUdGl0WFZUV21OdyIsInVybCI6Imh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LWFjY3QifQ”,“payload”:“eyJjb250YWN0IjpbIm1haWx0bzpleGFtcGxlQG1haWwuYWJjIl19”,“signature”:“IjMwNDYwMjIxMDBlOTFlMjI5YzdmYzVhNDczOWU3YWY3ZjU0ZTZmNWJkYjI1NGU3ZjVhYzc4YWYwNDc5NDU5ODE0NjQxYTlmYWRkMDIyMTAwZTBkZThhNjQ4NjVlMDZjYjgyNWE0Zjg4ZTE3NjEwOTM5NDJjNGJjYTY2NDRlOTgyNTRmNzkzMjI2YmQwZjVjNiI”}

Private key only for test:
-----BEGIN PRIVATE KEY-----
MIGEAgEAMBAGByqGSM49AgEGBSuBBAAKBG0wawIBAQQg0++Jn7JPTZlL0Pk71qrK
NSrwYI7/70o/T83oTY3h9TChRANCAARt/ogQ3Jsqa0AOVUg9aUaRn/vxSLrzyDOT
C8KzFqwXvuSmirZapiGllvWSNJiBNXbKF57Cut8hQVEu2mRpH7dv
-----END PRIVATE KEY-----

Hi @Gov,

Is this a custom developed ACME client? Did you send the payload exactly as you shared it in this thread? I ask because I notice it has smart quotes in the JSON data (e.g. “protected” vs "protected").

Yes. This is a custom client
Try this:
{“protected”:“eyJhbGciOiJFUzI1NiIsImp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6Ik1GWXdFQVlIS29aSXpqMENBUVlGSzRFRUFBb0RRZ0FFYmY2SUVOeWJLbXRBRGxWSVBXbEdrWi83OFVpNjg4Z3oiLCJ5Ijoia3d2Q3N4YXNGNzdrcG9xMldxWWhwWmIxa2pTWWdUVjJ5aGVld3JyZklVRlJMdHBrYVIrM2J3PT0ifSwibm9uY2UiOiIwMDAyd2hhR09SeGVDR19LeHJZemVra1U4NlJTYUhYaE9GbldUdGl0WFZUV21OdyIsInVybCI6Imh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LWFjY3QifQ”,“payload”:“eyJjb250YWN0IjpbIm1haWx0bzpleGFtcGxlQG1haWwuYWJjIl19”,“signature”:“IjMwNDYwMjIxMDBlOTFlMjI5YzdmYzVhNDczOWU3YWY3ZjU0ZTZmNWJkYjI1NGU3ZjVhYzc4YWYwNDc5NDU5ODE0NjQxYTlmYWRkMDIyMTAwZTBkZThhNjQ4NjVlMDZjYjgyNWE0Zjg4ZTE3NjEwOTM5NDJjNGJjYTY2NDRlOTgyNTRmNzkzMjI2YmQwZjVjNiI”}

You have to url encode the inner base64 values too.

Agreed, e.g. your jwk.x is encoded as MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAEbf6IENybKmtADlVIPWlGkZ/78Ui688gz, but should be MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAEbf6IENybKmtADlVIPWlGkZ_78Ui688gz.

That

{"alg":"ES256","jwk":{"kty":"EC","crv":"P-256","x":"MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAEbf6IENybKmtADlVIPWlGkZ/78Ui688gz","y":"kwvCsxasF77kpoq2WqYhpZb1kjSYgTV2yheewrrfIUFRLtpkaR+3bw=="},"nonce":"0002whaGORxeCG_KxrYzekkU86RSaHXhOFnWTtitXVTWmNw","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-acct"}

looks buggy.

x and y have different lengths.

Rechecked with my own P-256 key: length 49, both x and y, not 70 or 62.

PS: Sorry, my own sample is a P-256 key, not a P-384.

I followed the advice given above, but the error occurs again:
{"type":"urn:ietf:params:acme:error:malformed","detail":"Parse error reading JWS","status":400}

Can you post a new sample JWS?

{"protected":"eyJhbGciOiJFUzI1NiIsImp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6IkhuejQyekNVMDM2LXphR1d1cF9XeGdkYzFTVjdtRWxscDB1RWZmVnlUSU0iLCJ5IjoiS01Kai1Wc3Z5NHVPRDdvUU1LZEsyRWxBREVqSktnWTRQVnZ2Z1NMYVNZRSJ9LCJub25jZSI6IjAwMDJnT2xxbk9fTGVWX1BrQ0Q0RjVtM0hGS3lQS3RZRUxXUjM5dVJvQVBRX3FvIiwidXJsIjoiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctYWNjdCJ9","payload":"e30","signature":"CgDT2TQflZ7oQbVHLv6wlpK9CEywyC1KTAf2bVMBV_UAm6bvvTvYGBKuB4oL2coOPWCuwaOXzKVymZq6N1gE5A"}

-----BEGIN PRIVATE KEY-----
MIGEAgEAMBAGByqGSM49AgEGBSuBBAAKBG0wawIBAQQgiiAoO3Qu29hHT+FzV7GU
vznT6j+fPI9A+GyJZDRHHzWhRANCAAQefPjbMJTTfr7NoZa6n9bGB1zVJXuYSWWn
S4R99XJMgyjCY/lbL8uLjg+6EDCnSthJQAxIySoGOD1b74Ei2kmB
-----END PRIVATE KEY-----

I think secp256k1 is not supported, try prime256v1 instead.

Supported Key Algorithms:

P-256  (prime256v1)
P-384  (secp384r1) 

That’s

{"alg":"ES256","jwk":{"kty":"EC","crv":"P-256","x":"Hnz42zCU036-zaGWup_Wxgdc1SV7mEllp0uEffVyTIM","y":"KMJj-Vsvy4uOD7oQMKdK2ElADEjJKgY4PVvvgSLaSYE"},"nonce":"0002gOlqnO_LeV_PkCD4F5m3HFKyPKtYELWR39uRoAPQ_qo","url":"https://acme-staging-v02.api.letsencrypt.org/acme/new-acct"}

Rechecked with my own sample; the key order is different:

"crv":"P-256","kty":"EC"

And the payload - empty? The termsOfServiceAgreed may be required.

Just wanted to write that too. You beat me by 5 minutes 🙂

Me three. The error from Boulder is:

failed to unmarshal JWK: square/go-jose: invalid EC key, X/Y are not on declared curve: "{"kty":"EC","crv":"P-256","x":"Hnz42zCU036-zaGWup_Wxgdc1SV7mEllp0uEffVyTIM","y":"KMJj-Vsvy4uOD7oQMKdK2ElADEjJKgY4PVvvgSLaSYE"}"

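A parse-level checker for an ACME newAccount JWS, added here as an example rather than code from Boulder, go-jose or the client in this thread. It applies the checks the replies converged on: base64url with `-`/`_` and no padding, 32-byte P-256 coordinates instead of DER-encoded key material, a point that actually lies on P-256 rather than secp256k1, an ES256 signature as raw `r||s` (64 bytes) rather than a DER or hex string, and `termsOfServiceAgreed` in the payload. The two JWS constants are copied from the thread; the P-256 parameters are the FIPS 186-4 values; the "good" sample is constructed from the curve's generator point with a dummy all-zero signature, so only the parsing is checked, not the signature itself.

```python
import base64
import json

# NIST P-256 (prime256v1) parameters, y^2 = x^3 - 3x + b (mod p), from FIPS 186-4.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
COORD_LEN = 32  # one P-256 coordinate: 32 bytes, i.e. 43 base64url characters
B64URL_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")

# Copied from the thread: first attempt (DER key material in x/y, "/" and "+" inside the
# values, hex DER signature) and second attempt (a secp256k1 point declared as P-256).
THREAD_JWS_1 = {
    "protected": "eyJhbGciOiJFUzI1NiIsImp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6Ik1GWXdFQVlIS29aSXpqMENBUVlGSzRFRUFBb0RRZ0FFYmY2SUVOeWJLbXRBRGxWSVBXbEdrWi83OFVpNjg4Z3oiLCJ5Ijoia3d2Q3N4YXNGNzdrcG9xMldxWWhwWmIxa2pTWWdUVjJ5aGVld3JyZklVRlJMdHBrYVIrM2J3PT0ifSwibm9uY2UiOiIwMDAyd2hhR09SeGVDR19LeHJZemVra1U4NlJTYUhYaE9GbldUdGl0WFZUV21OdyIsInVybCI6Imh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LWFjY3QifQ",
    "payload": "eyJjb250YWN0IjpbIm1haWx0bzpleGFtcGxlQG1haWwuYWJjIl19",
    "signature": "IjMwNDYwMjIxMDBlOTFlMjI5YzdmYzVhNDczOWU3YWY3ZjU0ZTZmNWJkYjI1NGU3ZjVhYzc4YWYwNDc5NDU5ODE0NjQxYTlmYWRkMDIyMTAwZTBkZThhNjQ4NjVlMDZjYjgyNWE0Zjg4ZTE3NjEwOTM5NDJjNGJjYTY2NDRlOTgyNTRmNzkzMjI2YmQwZjVjNiI",
}
THREAD_JWS_2 = {
    "protected": "eyJhbGciOiJFUzI1NiIsImp3ayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6IkhuejQyekNVMDM2LXphR1d1cF9XeGdkYzFTVjdtRWxscDB1RWZmVnlUSU0iLCJ5IjoiS01Kai1Wc3Z5NHVPRDdvUU1LZEsyRWxBREVqSktnWTRQVnZ2Z1NMYVNZRSJ9LCJub25jZSI6IjAwMDJnT2xxbk9fTGVWX1BrQ0Q0RjVtM0hGS3lQS3RZRUxXUjM5dVJvQVBRX3FvIiwidXJsIjoiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctYWNjdCJ9",
    "payload": "e30",
    "signature": "CgDT2TQflZ7oQbVHLv6wlpK9CEywyC1KTAf2bVMBV_UAm6bvvTvYGBKuB4oL2coOPWCuwaOXzKVymZq6N1gE5A",
}


def b64url_encode(data: bytes) -> str:
    """RFC 7515 base64url: URL-safe alphabet, '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Strict base64url decode: rejects '+', '/' and '=' instead of silently accepting them."""
    bad = sorted(set(s) - B64URL_ALPHABET)
    if bad:
        raise ValueError(f"not base64url, illegal characters {bad}")
    if len(s) % 4 == 1:
        raise ValueError("invalid base64url length")
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def p256_jwk(x: int, y: int) -> dict:
    """JWK for an affine P-256 point: raw fixed-width coordinates, not a DER SubjectPublicKeyInfo."""
    return {"kty": "EC", "crv": "P-256",
            "x": b64url_encode(x.to_bytes(COORD_LEN, "big")),
            "y": b64url_encode(y.to_bytes(COORD_LEN, "big"))}


def check_p256_jwk(jwk: dict) -> tuple:
    """Validate an EC JWK the way the server does: curve name, coordinate size, point on curve."""
    if jwk.get("kty") != "EC":
        raise ValueError(f"kty must be EC, got {jwk.get('kty')!r}")
    if jwk.get("crv") != "P-256":
        raise ValueError(f"crv must be P-256 for ES256, got {jwk.get('crv')!r}")
    xb, yb = b64url_decode(jwk["x"]), b64url_decode(jwk["y"])
    if len(xb) != COORD_LEN or len(yb) != COORD_LEN:
        raise ValueError(f"x/y must be {COORD_LEN} bytes each, got {len(xb)}/{len(yb)}")
    x, y = int.from_bytes(xb, "big"), int.from_bytes(yb, "big")
    # A secp256k1 point passes every check above and fails only here.
    if x >= P256_P or y >= P256_P or (y * y - (x * x * x - 3 * x + P256_B)) % P256_P:
        raise ValueError("X/Y are not on declared curve")
    return x, y


def der_encode_sig(r: int, s: int) -> bytes:
    """DER SEQUENCE{INTEGER r, INTEGER s}: what most crypto libraries hand back from ECDSA sign."""
    def integer(v: int) -> bytes:
        body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # +8 adds the sign byte when the top bit is set
        return b"\x02" + bytes([len(body)]) + body
    body = integer(r) + integer(s)
    return b"\x30" + bytes([len(body)]) + body


def der_to_raw_sig(der: bytes) -> bytes:
    """Convert a DER ECDSA signature to the raw r||s form (2 * 32 bytes) that JWS ES256 requires."""
    if len(der) < 8 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a DER ECDSA signature")
    pos, out = 2, b""
    for _ in range(2):
        if pos + 2 > len(der) or der[pos] != 0x02 or der[pos + 1] > COORD_LEN + 1:
            raise ValueError("expected a 1..33 byte INTEGER")
        n = der[pos + 1]
        out += int.from_bytes(der[pos + 2:pos + 2 + n], "big").to_bytes(COORD_LEN, "big")
        pos += 2 + n
    if pos != len(der):
        raise ValueError("bad DER length")
    return out


def diagnose_jws(jws: dict) -> str:
    """Return 'ok' or the first parse-level problem; the signature value itself is not verified."""
    try:
        header = json.loads(b64url_decode(jws["protected"]))
        if header.get("alg") != "ES256":
            raise ValueError(f"alg must be ES256, got {header.get('alg')!r}")
        check_p256_jwk(header["jwk"])
        if len(b64url_decode(jws["signature"])) != 2 * COORD_LEN:
            raise ValueError("ES256 signature must be raw r||s (64 bytes), not DER or hex text")
        raw = b64url_decode(jws["payload"])
        payload = json.loads(raw) if raw else {}
        if not isinstance(payload, dict) or not payload.get("termsOfServiceAgreed"):
            raise ValueError("newAccount payload should set termsOfServiceAgreed")
        return "ok"
    except (KeyError, ValueError) as e:  # binascii.Error and JSONDecodeError are ValueErrors
        return f"error: {e}"


def constructed_jws() -> dict:
    """Well-formed newAccount JWS shape built from the P-256 generator point (constructed sample)."""
    header = {"alg": "ES256", "jwk": p256_jwk(P256_GX, P256_GY),
              "nonce": "constructed-nonce", "url": "https://acme.example/acme/new-acct"}
    return {"protected": b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
            "payload": b64url_encode(b'{"termsOfServiceAgreed":true}'),
            "signature": b64url_encode(bytes(2 * COORD_LEN))}  # dummy signature, parse check only


if __name__ == "__main__":
    for name, jws in (("attempt 1", THREAD_JWS_1), ("attempt 2", THREAD_JWS_2), ("constructed", constructed_jws())):
        print(f"{name}: {diagnose_jws(jws)}")
```

Running it reports the first attempt as rejected at the base64url stage (the `/` inside `jwk.x`) and the second as "X/Y are not on declared curve", the same message Boulder logged; the constructed sample passes. A custom client can apply the same functions on the sending side: build the JWK with `p256_jwk`, pass the library's DER signature through `der_to_raw_sig`, and base64url everything with `b64url_encode`.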

Thank you all for your help. It works.
