'url' key in HTTP POST JSON


#1

Hi,

I’m writing my own ACME client. An example request’s plaintext before JSON and Base64 encoding and signing might look like this (Perl hash, with redactions):

$VAR1 = {
  "payload" => {
    "agreement" => "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf",
    "resource" => "new-reg"
  },
  "protected" => {
    "alg" => "ES384",
    "jwk" => {
      "crv" => "P-384",
      "kty" => "EC",
      "x" => "[...]",
      "y" => "[...]"
    },
    "nonce" => "[...]",
    "url" => undef
  }
};

Note how I intentionally left the ‘url’ key undefined, which causes it to be missing entirely after JSON encoding. My question is the following:

Why does that still work and what is the purpose of that key anyway? It seems like a layer violation to include the URL inside the body of a request to that very same URL.

I will most likely change my code to set that key according to the spec, but I’m curious as to its purpose.

Thanks


#2

The URL being part of the signed payload ensures that the whole request is mutually authenticated. This was added after a researcher analyzed a formal model of ACME. See this thread for more details (specifically “Issue 1”).


#3

So LE ignoring that key is… a bug, intentional, something else?


#4

That’s probably due to boulder implementing (a variant of) the acme-01 draft (with some backwards-compatible divergences). url was added in acme-03.
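The binding described in post #2, as an added example that is not part of the thread and is not Boulder's code: a Go sketch of a server-side check that verifies an ES384 JWS and then requires the signed `url` to equal the URL the request arrived at. The `ca.example` URLs, the nonce and the key are constructed, and the `jwk` header from post #1 is left out on the assumption that the server already holds the account public key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

var b64 = base64.RawURLEncoding
var key, _ = ecdsa.GenerateKey(elliptic.P384(), rand.Reader) // constructed account key

// sign returns the three JWS parts; an empty url omits the key, as in post #1.
func sign(k *ecdsa.PrivateKey, url, nonce, payload string) (prot, pay, sig string) {
	hdr := map[string]string{"alg": "ES384", "nonce": nonce}
	if url != "" {
		hdr["url"] = url
	}
	h, _ := json.Marshal(hdr)
	prot, pay = b64.EncodeToString(h), b64.EncodeToString([]byte(payload))
	d := sha512.Sum384([]byte(prot + "." + pay))
	r, s, _ := ecdsa.Sign(rand.Reader, k, d[:])
	raw := append(r.FillBytes(make([]byte, 48)), s.FillBytes(make([]byte, 48))...) // r||s
	return prot, pay, b64.EncodeToString(raw)
}

// verify checks the signature, then requires the signed url to equal requestURL.
func verify(pub *ecdsa.PublicKey, requestURL, prot, pay, sig string) error {
	raw, err := b64.DecodeString(sig)
	d := sha512.Sum384([]byte(prot + "." + pay))
	if err != nil || len(raw) != 96 || !ecdsa.Verify(pub, d[:],
		new(big.Int).SetBytes(raw[:48]), new(big.Int).SetBytes(raw[48:])) {
		return fmt.Errorf("bad signature")
	}
	var hdr struct{ URL string `json:"url"` }
	h, _ := b64.DecodeString(prot)
	if json.Unmarshal(h, &hdr) != nil || hdr.URL == "" || hdr.URL != requestURL {
		return fmt.Errorf("signed url %q does not match request URL %q", hdr.URL, requestURL)
	}
	return nil
}

func main() {
	p, y, s := sign(key, "https://ca.example/acme/new-reg", "constructed-nonce", `{"resource":"new-reg"}`)
	fmt.Println(verify(&key.PublicKey, "https://ca.example/acme/new-authz", p, y, s))
}
```

Because `url` sits inside the signed protected header, a verifier that skips the final comparison accepts the same signed body at any endpoint, and swapping the header after signing fails the signature check.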

