Thx for your feedback. Which client are you using to rollover the account-key?
I'm creating an ACME integration for our system that uses https://github.com/go-acme/lego as a base. But sadly it does not include the key rollover functionality, so I'm adding the support based on the RFC.
And I just noticed that when I'm talking about "inner payload" I mean the inner JWS object that is the payload.
Your understanding is correct. I pushed a fix into the devel branch which should skip the nonce check of the inner payload during key rollover. I tested with acmeshell for verification (see the log below). Give it a try and let me know if it works for you.
/G.
'2020-07-25 19:29:17 - acme2certifier - DEBUG - _config_load()'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - _config_load()'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Account.parse()'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Message.check()'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - decode_message()'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Nonce.check_nonce()'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Nonce.nonce._check_and_delete(d2394997432049cca8dd71b27d30eef7)'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - DBStore.nonce_check(d2394997432049cca8dd71b27d30eef7)'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - DBStore.nonce_check() ended'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - DBStore.nonce_delete(d2394997432049cca8dd71b27d30eef7)'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - DBStore.nonce_delete() ended'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Nonce._check_and_delete() ended with:200'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Nonce.check_nonce() ended with:200'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Message._name_get()'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - kid: http://acme-srv.bar.local/acme/acct/ZfsImvDUDbXS'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Message._name_get() returns: ZfsImvDUDbXS'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Signature.check(ZfsImvDUDbXS)'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - check signature against account key'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Signature._jwk_load(ZfsImvDUDbXS)'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - DBStore.jwk_load(ZfsImvDUDbXS)'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - DBStore._account_search(column:name, pattern:ZfsImvDUDbXS)'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - DBStore._account_search() ended with: True'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - DBStore.jwk_load() ended with: {'kty': 'EC', 'crv': 'P-256', 'x': 'qJ63in1wJ3skC4pjD8o1_bKXoJ635F-_tKFVDF3wd3k', 'y': 'w-qFkcSp52dJj6gS3wxDwZrM51ccdQzLJEteK64NIgo', 'alg': 'ES256'}'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - signature_check()'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Signature.check() ended with: True:None'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Message.check() ended with:200'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Account._key_change(ZfsImvDUDbXS)'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Message.check()'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - decode_message()'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - skip nonce check of inner payload during keyrollover' <---------------
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Message._name_get()'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Message._name_get() returns: None'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Signature.check(None)'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - check signature against key includedn in jwk'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - signature_check()'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Signature.check() ended with: True:None'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Message.check() ended with:200'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Account._key_change_validate(ZfsImvDUDbXS)'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Account._lookup(jwk:{"kty": "EC", "crv": "P-256", "x": "o8kTd3bJLbFWXjBizyImz7z7OvKc3MO4KqqmDrYJ4d4", "y": "hCoYZ96zg1veD6nOvUIiDGl8dhE97NffJQdGktHMhAs"})'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - DBStore.account_lookup(column:jwk, pattern:{"kty": "EC", "crv": "P-256", "x": "o8kTd3bJLbFWXjBizyImz7z7OvKc3MO4KqqmDrYJ4d4", "y": "hCoYZ96zg1veD6nOvUIiDGl8dhE97NffJQdGktHMhAs"})'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - DBStore._account_search(column:jwk, pattern:{"kty": "EC", "crv": "P-256", "x": "o8kTd3bJLbFWXjBizyImz7z7OvKc3MO4KqqmDrYJ4d4", "y": "hCoYZ96zg1veD6nOvUIiDGl8dhE97NffJQdGktHMhAs"})'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - DBStore._account_search() ended with: False'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - DBStore.account_lookup() ended'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Account._inner_jws_check()'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Account._inner_jws_check() ended with: 200:None'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Account._inner_payload_check()'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Account._key_compare(ZfsImvDUDbXS)'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - DBStore.jwk_load(ZfsImvDUDbXS)'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - DBStore._account_search(column:name, pattern:ZfsImvDUDbXS)'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - DBStore._account_search() ended with: True'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - DBStore.jwk_load() ended with: {'kty': 'EC', 'crv': 'P-256', 'x': 'qJ63in1wJ3skC4pjD8o1_bKXoJ635F-_tKFVDF3wd3k', 'y': 'w-qFkcSp52dJj6gS3wxDwZrM51ccdQzLJEteK64NIgo', 'alg': 'ES256'}'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Account._key_compare() ended with: 200'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Account._inner_payload_check() ended with: 200:None'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Account._key_change_validate() ended with: 200:None'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - DBStore.account_update({'name': 'ZfsImvDUDbXS', 'jwk': '{"kty": "EC", "crv": "P-256", "x": "o8kTd3bJLbFWXjBizyImz7z7OvKc3MO4KqqmDrYJ4d4", "y": "hCoYZ96zg1veD6nOvUIiDGl8dhE97NffJQdGktHMhAs"}'})'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - DBStore._account_search(column:name, pattern:ZfsImvDUDbXS)'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - DBStore._account_search() ended with: True'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - DBStore.account_update() ended'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Message.prepare_response()'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Nonce.nonce_generate_and_add()'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Nonce.nonce__new()'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - got nonce: b4d64e0084f642c99841dacd970d8f31'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - DBStore.nonce_add(b4d64e0084f642c99841dacd970d8f31)'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - DBStore.nonce_add() ended'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Nonce.generate_and_add() ended with:b4d64e0084f642c99841dacd970d8f31'
'2020-07-25 19:29:17 - acme2certifier - DEBUG - Account.account_parse() returns: {"data": {}, "code": 200, "header": {"Replay-Nonce": "b4d64e0084f642c99841dacd970d8f31"}}'
'2020-07-25 19:29:17 - acme2certifier - INFO - 192.168.14.131 /acme/key-change {'data': {}, 'code': 200, 'header': {'Replay-Nonce': '- modified -'}}'
First of all, really nice project! But sadly I stumbled upon a little problem with the key rollover functionality... Is this a bug or am I misinterpreting the RFC?
According to the RFC 8555 spec (https://tools.ietf.org/html/rfc8555#section-7.3.5), the inner JWS should not contain a nonce header.
When using the master, the key rollover process fails with a "urn:ietf:params:acme:error:badNonce" error message in the Account._key_change function, and this is because it tries to validate the nonce from the inner JWS headers, but it does not exist.
I solved the problem by creating my own message.check function for the key rollover process, which does not contain the nonce check (maybe not the most elegant solution).
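The inner-JWS checks discussed in this thread, as an added Python sketch that is not acme2certifier's or lego's code: it validates the structure of a key-change request without ever consulting an inner nonce. The function names, the full key-change URL and the choice to reject an inner JWS that does carry a nonce are assumptions of this example; the keys and kid are the values from the log above, and signature verification is left out.

```python
import base64
import json

MALFORMED = "urn:ietf:params:acme:error:malformed"

def b64url(obj):
    """Encode a JSON object as unpadded base64url, as JWS fields are."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def b64url_json(text):
    """Decode an unpadded base64url JWS field back into JSON."""
    return json.loads(base64.urlsafe_b64decode(text + "=" * (-len(text) % 4)))

def same_key(a, b):
    """Compare JWKs on key parameters only; the stored key may carry 'alg'."""
    return all(a.get(f) == b.get(f) for f in ("kty", "crv", "x", "y", "n", "e"))

def check_key_change(outer, inner_jws, stored_jwk):
    """Structural checks only (no signature check); outer = decoded outer header."""
    try:
        header = b64url_json(inner_jws["protected"])
        payload = b64url_json(inner_jws["payload"])
    except (KeyError, TypeError, ValueError):
        return 400, MALFORMED
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return 400, MALFORMED
    if "nonce" in header:                      # inner JWS carries no nonce
        return 400, MALFORMED
    if not isinstance(header.get("jwk"), dict) or "kid" in header:
        return 400, MALFORMED                  # new key travels as 'jwk'
    if header.get("url") != outer.get("url"):  # same url as the outer JWS
        return 400, MALFORMED
    if payload.get("account") != outer.get("kid"):
        return 400, MALFORMED                  # must name the outer account
    old = payload.get("oldKey")
    if not isinstance(old, dict) or not same_key(old, stored_jwk):
        return 400, MALFORMED                  # oldKey must be the current key
    return 200, None

# Constructed sample request; keys and kid are the values in the log above.
KID = "http://acme-srv.bar.local/acme/acct/ZfsImvDUDbXS"
URL = "http://acme-srv.bar.local/acme/key-change"  # assumed full URL
OLD = {"kty": "EC", "crv": "P-256", "x": "qJ63in1wJ3skC4pjD8o1_bKXoJ635F-_tKFVDF3wd3k", "y": "w-qFkcSp52dJj6gS3wxDwZrM51ccdQzLJEteK64NIgo"}
NEW = {"kty": "EC", "crv": "P-256", "x": "o8kTd3bJLbFWXjBizyImz7z7OvKc3MO4KqqmDrYJ4d4", "y": "hCoYZ96zg1veD6nOvUIiDGl8dhE97NffJQdGktHMhAs"}
OUTER = {"alg": "ES256", "kid": KID, "nonce": "d2394997432049cca8dd71b27d30eef7", "url": URL}

def make_inner(**extra):
    """Build a constructed inner JWS; extra overrides protected-header fields."""
    head = {"alg": "ES256", "jwk": NEW, "url": URL, **extra}
    return {"protected": b64url(head), "payload": b64url({"account": KID, "oldKey": OLD}), "signature": ""}
```

Calling `check_key_change(OUTER, make_inner(), dict(OLD, alg="ES256"))` returns `(200, None)`, while `make_inner(nonce="abc")` or a mismatched `url` yields the malformed error.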