package wfe2 import ( "context" "crypto" "crypto/ecdsa" "crypto/elliptic" "crypto/rsa" "encoding/base64" "encoding/json" "errors" "fmt" "io/ioutil" "net/http" "net/url" "strconv" "strings" "github.com/prometheus/client_golang/prometheus" "gopkg.in/square/go-jose.v2" "github.com/letsencrypt/boulder/core" berrors "github.com/letsencrypt/boulder/errors" "github.com/letsencrypt/boulder/probs" "github.com/letsencrypt/boulder/web" ) // POST requests with a JWS body must have the following Content-Type header const expectedJWSContentType = "application/jose+json" var sigAlgErr = errors.New("no signature algorithms suitable for given key type") func sigAlgorithmForECDSAKey(key *ecdsa.PublicKey) (jose.SignatureAlgorithm, error) { params := key.Params() switch params.Name { case "P-256": return jose.ES256, nil case "P-384": return jose.ES384, nil case "P-521": return jose.ES512, nil } return "", sigAlgErr } func sigAlgorithmForKey(key crypto.PublicKey) (jose.SignatureAlgorithm, error) { switch k := key.(type) { case *rsa.PublicKey: return jose.RS256, nil case *ecdsa.PublicKey: return sigAlgorithmForECDSAKey(k) } return "", sigAlgErr } // Check that (1) there is a suitable algorithm for the provided key based on its // Golang type, (2) the Algorithm field on the JWK is either absent, or matches // that algorithm, and (3) the Algorithm field on the JWK is present and matches // that algorithm. Precondition: parsedJws must have exactly one signature on // it. func checkAlgorithm(key *jose.JSONWebKey, parsedJWS *jose.JSONWebSignature) error { algorithm, err := sigAlgorithmForKey(key.Key) if err != nil { return err } jwsAlgorithm := parsedJWS.Signatures[0].Header.Algorithm if jwsAlgorithm != string(algorithm) { return fmt.Errorf( "signature type '%s' in JWS header is not supported, expected one of RS256, ES256, ES384 or ES512", jwsAlgorithm, ) } if key.Algorithm != "" && key.Algorithm != string(algorithm) { return fmt.Errorf("algorithm '%s' on JWK is unacceptable", key.Algorithm) } return nil } // jwsAuthType represents whether a given POST request is authenticated using // a JWS with an embedded JWK (v1 ACME style, new-account, revoke-cert) or an // embeded Key ID (v2 AMCE style) or an unsupported/unknown auth type. type jwsAuthType int const ( embeddedJWK jwsAuthType = iota embeddedKeyID invalidAuthType ) // checkJWSAuthType examines a JWS' protected headers to determine if // the request being authenticated by the JWS is identified using an embedded // JWK or an embedded key ID. If no signatures are present, or mutually // exclusive authentication types are specified at the same time, a problem is // returned. checkJWSAuthType is separate from enforceJWSAuthType so that // endpoints that need to handle both embedded JWK and embedded key ID requests // can determine which type of request they have and act accordingly (e.g. // acme v2 cert revocation). func checkJWSAuthType(jws *jose.JSONWebSignature) (jwsAuthType, *probs.ProblemDetails) { // checkJWSAuthType is called after parseJWS() which defends against the // incorrect number of signatures. header := jws.Signatures[0].Header // There must not be a Key ID *and* an embedded JWK if header.KeyID != "" && header.JSONWebKey != nil { return invalidAuthType, probs.Malformed("jwk and kid header fields are mutually exclusive") } else if header.KeyID != "" { return embeddedKeyID, nil } else if header.JSONWebKey != nil { return embeddedJWK, nil } return invalidAuthType, nil } // enforceJWSAuthType enforces a provided JWS has the provided auth type. If there // is an error determining the auth type or if it is not the expected auth type // then a problem is returned. func (wfe *WebFrontEndImpl) enforceJWSAuthType( jws *jose.JSONWebSignature, expectedAuthType jwsAuthType) *probs.ProblemDetails { // Check the auth type for the provided JWS authType, prob := checkJWSAuthType(jws) if prob != nil { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "JWSAuthTypeInvalid"}).Inc() return prob } // If the auth type isn't the one expected return a sensible problem based on // what was expected if authType != expectedAuthType { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "JWSAuthTypeWrong"}).Inc() switch expectedAuthType { case embeddedKeyID: return probs.Malformed("No Key ID in JWS header") case embeddedJWK: return probs.Malformed("No embedded JWK in JWS header") } } return nil } // validPOSTRequest checks a *http.Request to ensure it has the headers // a well-formed ACME POST request has, and to ensure there is a body to // process. func (wfe *WebFrontEndImpl) validPOSTRequest(request *http.Request) *probs.ProblemDetails { // All POSTs should have an accompanying Content-Length header if _, present := request.Header["Content-Length"]; !present { wfe.stats.httpErrorCount.With(prometheus.Labels{"type": "ContentLengthRequired"}).Inc() return probs.ContentLengthRequired() } // Per 6.2 ALL POSTs should have the correct JWS Content-Type for flattened // JSON serialization. if _, present := request.Header["Content-Type"]; !present { wfe.stats.httpErrorCount.With(prometheus.Labels{"type": "NoContentType"}).Inc() return probs.InvalidContentType("No Content-Type header on POST. Content-Type must be %q", expectedJWSContentType) } if contentType := request.Header.Get("Content-Type"); contentType != expectedJWSContentType { wfe.stats.httpErrorCount.With(prometheus.Labels{"type": "WrongContentType"}).Inc() return probs.InvalidContentType("Invalid Content-Type header on POST. Content-Type must be %q", expectedJWSContentType) } // Per 6.4.1 "Replay-Nonce" clients should not send a Replay-Nonce header in // the HTTP request, it needs to be part of the signed JWS request body if _, present := request.Header["Replay-Nonce"]; present { wfe.stats.httpErrorCount.With(prometheus.Labels{"type": "ReplayNonceOutsideJWS"}).Inc() return probs.Malformed("HTTP requests should NOT contain Replay-Nonce header. Use JWS nonce field") } // All POSTs should have a non-nil body if request.Body == nil { wfe.stats.httpErrorCount.With(prometheus.Labels{"type": "NoPOSTBody"}).Inc() return probs.Malformed("No body on POST") } return nil } // validNonce checks a JWS' Nonce header to ensure it is one that the // nonceService knows about, otherwise a bad nonce problem is returned. // NOTE: this function assumes the JWS has already been verified with the // correct public key. func (wfe *WebFrontEndImpl) validNonce(jws *jose.JSONWebSignature) *probs.ProblemDetails { // validNonce is called after validPOSTRequest() and parseJWS() which // defend against the incorrect number of signatures. header := jws.Signatures[0].Header nonce := header.Nonce if len(nonce) == 0 { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "JWSMissingNonce"}).Inc() return probs.BadNonce("JWS has no anti-replay nonce") } else if !wfe.nonceService.Valid(nonce) { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "JWSInvalidNonce"}).Inc() return probs.BadNonce("JWS has an invalid anti-replay nonce: %q", nonce) } return nil } // validPOSTURL checks the JWS' URL header against the expected URL based on the // HTTP request. This prevents a JWS intended for one endpoint being replayed // against a different endpoint. If the URL isn't present, is invalid, or // doesn't match the HTTP request a problem is returned. func (wfe *WebFrontEndImpl) validPOSTURL( request *http.Request, jws *jose.JSONWebSignature) *probs.ProblemDetails { // validPOSTURL is called after parseJWS() which defends against the incorrect // number of signatures. header := jws.Signatures[0].Header extraHeaders := header.ExtraHeaders // Check that there is at least one Extra Header if len(extraHeaders) == 0 { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "JWSNoExtraHeaders"}).Inc() return probs.Malformed("JWS header parameter 'url' required") } // Try to read a 'url' Extra Header as a string headerURL, ok := extraHeaders[jose.HeaderKey("url")].(string) if !ok || len(headerURL) == 0 { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "JWSMissingURL"}).Inc() return probs.Malformed("JWS header parameter 'url' required") } // Compute the URL we expect to be in the JWS based on the HTTP request expectedURL := url.URL{ Scheme: requestProto(request), Host: request.Host, Path: request.RequestURI, } // Check that the URL we expect is the one that was found in the signed JWS // header if expectedURL.String() != headerURL { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "JWSMismatchedURL"}).Inc() return probs.Malformed("JWS header parameter 'url' incorrect. Expected %q got %q", expectedURL.String(), headerURL) } return nil } // matchJWSURLs checks two JWS' URL headers are equal. This is used during key // rollover to check that the inner JWS URL matches the outer JWS URL. If the // JWS URLs do not match a problem is returned. func (wfe *WebFrontEndImpl) matchJWSURLs(outer, inner *jose.JSONWebSignature) *probs.ProblemDetails { // Verify that the outer JWS has a non-empty URL header. This is strictly // defensive since the expectation is that endpoints using `matchJWSURLs` // have received at least one of their JWS from calling validPOSTForAccount(), // which checks the outer JWS has the expected URL header before processing // the inner JWS. outerURL, ok := outer.Signatures[0].Header.ExtraHeaders[jose.HeaderKey("url")].(string) if !ok || len(outerURL) == 0 { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "KeyRolloverOuterJWSNoURL"}).Inc() return probs.Malformed("Outer JWS header parameter 'url' required") } // Verify the inner JWS has a non-empty URL header. innerURL, ok := inner.Signatures[0].Header.ExtraHeaders[jose.HeaderKey("url")].(string) if !ok || len(innerURL) == 0 { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "KeyRolloverInnerJWSNoURL"}).Inc() return probs.Malformed("Inner JWS header parameter 'url' required") } // Verify that the outer URL matches the inner URL if outerURL != innerURL { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "KeyRolloverMismatchedURLs"}).Inc() return probs.Malformed("Outer JWS 'url' value %q does not match inner JWS 'url' value %q", outerURL, innerURL) } return nil } // parseJWS extracts a JSONWebSignature from a byte slice. If there is an error // reading the JWS or it is unacceptable (e.g. too many/too few signatures, // presence of unprotected headers) a problem is returned, otherwise the parsed // *JSONWebSignature is returned. func (wfe *WebFrontEndImpl) parseJWS(body []byte) (*jose.JSONWebSignature, *probs.ProblemDetails) { // Parse the raw JWS JSON to check that: // * the unprotected Header field is not being used. // * the "signatures" member isn't present, just "signature". // // This must be done prior to `jose.parseSigned` since it will strip away // these headers. var unprotected struct { Header map[string]string Signatures []interface{} } if err := json.Unmarshal(body, &unprotected); err != nil { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "JWSUnmarshalFailed"}).Inc() return nil, probs.Malformed("Parse error reading JWS") } // ACME v2 never uses values from the unprotected JWS header. Reject JWS that // include unprotected headers. if unprotected.Header != nil { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "JWSUnprotectedHeaders"}).Inc() return nil, probs.Malformed( `JWS "header" field not allowed. All headers must be in "protected" field`) } // ACME v2 never uses the "signatures" array of JSON serialized JWS, just the // mandatory "signature" field. Reject JWS that include the "signatures" array. if len(unprotected.Signatures) > 0 { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "JWSMultiSig"}).Inc() return nil, probs.Malformed( `JWS "signatures" field not allowed. Only the "signature" field should contain a signature`) } // Parse the JWS using go-jose and enforce that the expected one non-empty // signature is present in the parsed JWS. bodyStr := string(body) parsedJWS, err := jose.ParseSigned(bodyStr) if err != nil { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "JWSParseError"}).Inc() return nil, probs.Malformed("Parse error reading JWS") } if len(parsedJWS.Signatures) > 1 { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "JWSTooManySignatures"}).Inc() return nil, probs.Malformed("Too many signatures in POST body") } if len(parsedJWS.Signatures) == 0 { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "JWSNoSignatures"}).Inc() return nil, probs.Malformed("POST JWS not signed") } if len(parsedJWS.Signatures) == 1 && len(parsedJWS.Signatures[0].Signature) == 0 { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "JWSEmptySignature"}).Inc() return nil, probs.Malformed("POST JWS not signed") } return parsedJWS, nil } // parseJWSRequest extracts a JSONWebSignature from an HTTP POST request's body using parseJWS. func (wfe *WebFrontEndImpl) parseJWSRequest(request *http.Request) (*jose.JSONWebSignature, *probs.ProblemDetails) { // Verify that the POST request has the expected headers if prob := wfe.validPOSTRequest(request); prob != nil { return nil, prob } // Read the POST request body's bytes. validPOSTRequest has already checked // that the body is non-nil bodyBytes, err := ioutil.ReadAll(request.Body) if err != nil { wfe.stats.httpErrorCount.With(prometheus.Labels{"type": "UnableToReadReqBody"}).Inc() return nil, probs.ServerInternal("unable to read request body") } jws, prob := wfe.parseJWS(bodyBytes) if prob != nil { return nil, prob } // if the protected header contains a JWK and it's a EC key verify that it has // proper field lengths in a goroutine as the caller doesn't care about the // result of this check if jws.Signatures[0].Header.JSONWebKey != nil { switch jws.Signatures[0].Header.JSONWebKey.Key.(type) { case *ecdsa.PublicKey: go wfe.verifyECFieldLengths(bodyBytes, request) } } return jws, nil } // extractJWK extracts a JWK from a provided JWS or returns a problem. It // expects that the JWS is using the embedded JWK style of authentication and // does not contain an embedded Key ID. Callers should have acquired the // provided JWS from parseJWS to ensure it has the correct number of signatures // present. func (wfe *WebFrontEndImpl) extractJWK(jws *jose.JSONWebSignature) (*jose.JSONWebKey, *probs.ProblemDetails) { // extractJWK expects the request to be using an embedded JWK auth type and // to not contain the mutually exclusive KeyID. if prob := wfe.enforceJWSAuthType(jws, embeddedJWK); prob != nil { return nil, prob } // extractJWK must be called after parseJWS() which defends against the // incorrect number of signatures. header := jws.Signatures[0].Header // We can be sure that JSONWebKey is != nil because we have already called // enforceJWSAuthType() key := header.JSONWebKey // If the key isn't considered valid by go-jose return a problem immediately if !key.Valid() { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "JWKInvalid"}).Inc() return nil, probs.Malformed("Invalid JWK in JWS header") } return key, nil } // acctIDFromURL extracts the numeric int64 account ID from a ACMEv1 or ACMEv2 // account URL. If the acctURL has an invalid URL or the account ID in the // acctURL is non-numeric a MalformedProblem is returned. func (wfe *WebFrontEndImpl) acctIDFromURL(acctURL string, request *http.Request) (int64, *probs.ProblemDetails) { // For normal ACME v2 accounts we expect the account URL has a prefix composed // of the Host header and the acctPath. expectedURLPrefix := web.RelativeEndpoint(request, acctPath) // Process the acctURL to find only the trailing numeric account ID. Both the // expected URL prefix and a legacy URL prefix are permitted in order to allow // ACME v1 clients to use legacy accounts with unmodified account URLs for V2 // requests. var accountIDStr string if strings.HasPrefix(acctURL, expectedURLPrefix) { accountIDStr = strings.TrimPrefix(acctURL, expectedURLPrefix) } else if strings.HasPrefix(acctURL, wfe.LegacyKeyIDPrefix) { accountIDStr = strings.TrimPrefix(acctURL, wfe.LegacyKeyIDPrefix) } else { return 0, probs.Malformed( fmt.Sprintf("KeyID header contained an invalid account URL: %q", acctURL)) } // Convert the raw account ID string to an int64 for use with the SA's // GetRegistration RPC accountID, err := strconv.ParseInt(accountIDStr, 10, 64) if err != nil { return 0, probs.Malformed("Malformed account ID in KeyID header URL: %q", acctURL) } return accountID, nil } // lookupJWK finds a JWK associated with the Key ID present in a provided JWS, // returning the JWK and a pointer to the associated account, or a problem. It // expects that the JWS is using the embedded Key ID style of authentication // and does not contain an embedded JWK. Callers should have acquired the // provided JWS from parseJWS to ensure it has the correct number of signatures // present. func (wfe *WebFrontEndImpl) lookupJWK( jws *jose.JSONWebSignature, ctx context.Context, request *http.Request, logEvent *web.RequestEvent) (*jose.JSONWebKey, *core.Registration, *probs.ProblemDetails) { // We expect the request to be using an embedded Key ID auth type and to not // contain the mutually exclusive embedded JWK. if prob := wfe.enforceJWSAuthType(jws, embeddedKeyID); prob != nil { return nil, nil, prob } header := jws.Signatures[0].Header accountURL := header.KeyID accountID, prob := wfe.acctIDFromURL(accountURL, request) if prob != nil { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "JWSInvalidKeyID"}).Inc() return nil, nil, prob } // Try to find the account for this account ID account, err := wfe.SA.GetRegistration(ctx, accountID) if err != nil { // If the account isn't found, return a suitable problem if berrors.Is(err, berrors.NotFound) { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "JWSKeyIDNotFound"}).Inc() return nil, nil, probs.AccountDoesNotExist("Account %q not found", accountURL) } // If there was an error and it isn't a "Not Found" error, return // a ServerInternal problem since this is unexpected. wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "JWSKeyIDLookupFailed"}).Inc() // Add an error to the log event with the internal error message logEvent.AddError(fmt.Sprintf("Error calling SA.GetRegistration: %s", err.Error())) return nil, nil, probs.ServerInternal("Error retrieving account %q", accountURL) } // Verify the account is not deactivated if account.Status != core.StatusValid { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "JWSKeyIDAccountInvalid"}).Inc() return nil, nil, probs.Unauthorized("Account is not valid, has status %q", account.Status) } // Update the logEvent with the account information and return the JWK logEvent.Requester = account.ID if account.Contact != nil { logEvent.Contacts = *account.Contact } return account.Key, &account, nil } // validJWSForKey checks a provided JWS for a given HTTP request validates // correctly using the provided JWK. If the JWS verifies the protected payload // is returned. The key/JWS algorithms are verified and // the JWK is checked against the keyPolicy before any signature validation is // done. If the JWS signature validates correctly then the JWS nonce value // and the JWS URL are verified to ensure that they are correct. func (wfe *WebFrontEndImpl) validJWSForKey( jws *jose.JSONWebSignature, jwk *jose.JSONWebKey, request *http.Request, logEvent *web.RequestEvent) ([]byte, *probs.ProblemDetails) { // Check that the public key and JWS algorithms match expected if err := checkAlgorithm(jwk, jws); err != nil { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "JWSAlgorithmCheckFailed"}).Inc() return nil, probs.BadSignatureAlgorithm(err.Error()) } // Verify the JWS signature with the public key. // NOTE: It might seem insecure for the WFE to be trusted to verify // client requests, i.e., that the verification should be done at the // RA. However the WFE is the RA's only view of the outside world // *anyway*, so it could always lie about what key was used by faking // the signature itself. payload, err := jws.Verify(jwk) if err != nil { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "JWSVerifyFailed"}).Inc() return nil, probs.Malformed("JWS verification error") } // Store the verified payload in the logEvent logEvent.Payload = string(payload) // Check that the JWS contains a correct Nonce header if prob := wfe.validNonce(jws); prob != nil { return nil, prob } // Check that the HTTP request URL matches the URL in the signed JWS if prob := wfe.validPOSTURL(request, jws); prob != nil { return nil, prob } // In the WFE1 package the check for the request URL required unmarshalling // the payload JSON to check the "resource" field of the protected JWS body. // This caught invalid JSON early and so we preserve this check by explicitly // trying to unmarshal the payload (when it is non-empty to allow POST-as-GET // behaviour) as part of the verification and failing early if it isn't valid JSON. var parsedBody struct{} if err := json.Unmarshal(payload, &parsedBody); string(payload) != "" && err != nil { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "JWSBodyUnmarshalFailed"}).Inc() return nil, probs.Malformed("Request payload did not parse as JSON") } return payload, nil } // validJWSForAccount checks that a given JWS is valid and verifies with the // public key associated to a known account specified by the JWS Key ID. If the // JWS is valid (e.g. the JWS is well formed, verifies with the JWK stored for the // specified key ID, specifies the correct URL, and has a valid nonce) then // `validJWSForAccount` returns the validated JWS body, the parsed // JSONWebSignature, and a pointer to the JWK's associated account. If any of // these conditions are not met or an error occurs only a problem is returned. func (wfe *WebFrontEndImpl) validJWSForAccount( jws *jose.JSONWebSignature, request *http.Request, ctx context.Context, logEvent *web.RequestEvent) ([]byte, *jose.JSONWebSignature, *core.Registration, *probs.ProblemDetails) { // Lookup the account and JWK for the key ID that authenticated the JWS pubKey, account, prob := wfe.lookupJWK(jws, ctx, request, logEvent) if prob != nil { return nil, nil, nil, prob } // Verify the JWS with the JWK from the SA payload, prob := wfe.validJWSForKey(jws, pubKey, request, logEvent) if prob != nil { return nil, nil, nil, prob } return payload, jws, account, nil } // validPOSTForAccount checks that a given POST request has a valid JWS // using `validJWSForAccount`. If valid, the authenticated JWS body and the // registration that authenticated the body are returned. Otherwise a problem is // returned. The returned JWS body may be empty if the request is a POST-as-GET // request. func (wfe *WebFrontEndImpl) validPOSTForAccount( request *http.Request, ctx context.Context, logEvent *web.RequestEvent) ([]byte, *jose.JSONWebSignature, *core.Registration, *probs.ProblemDetails) { // Parse the JWS from the POST request jws, prob := wfe.parseJWSRequest(request) if prob != nil { return nil, nil, nil, prob } return wfe.validJWSForAccount(jws, request, ctx, logEvent) } // validPOSTAsGETForAccount checks that a given POST request is valid using // `validPOSTForAccount`. It additionally validates that the JWS request payload // is empty, indicating that it is a POST-as-GET request per ACME draft 15+ // section 6.3 "GET and POST-as-GET requests". If a non empty payload is // provided in the JWS the invalidPOSTAsGETErr problem is returned. This // function is useful only for endpoints that do not need to handle both POSTs // with a body and POST-as-GET requests (e.g. Order, Certificate). func (wfe *WebFrontEndImpl) validPOSTAsGETForAccount( request *http.Request, ctx context.Context, logEvent *web.RequestEvent) (*core.Registration, *probs.ProblemDetails) { // Call validPOSTForAccount to verify the JWS and extract the body. body, _, reg, prob := wfe.validPOSTForAccount(request, ctx, logEvent) if prob != nil { return nil, prob } // Verify the POST-as-GET payload is empty if string(body) != "" { return nil, probs.Malformed("POST-as-GET requests must have an empty payload") } return reg, prob } // validSelfAuthenticatedJWS checks that a given JWS verifies with the JWK // embedded in the JWS itself (e.g. self-authenticated). This type of JWS // is only used for creating new accounts or revoking a certificate by signing // the request with the private key corresponding to the certificate's public // key and embedding that public key in the JWS. All other request should be // validated using `validJWSforAccount`. If the JWS validates (e.g. the JWS is // well formed, verifies with the JWK embedded in it, the JWK meets // policy/algorithm requirements, has the correct URL and includes a valid // nonce) then `validSelfAuthenticatedJWS` returns the validated JWS body and // the JWK that was embedded in the JWS. Otherwise if the valid JWS conditions // are not met or an error occurs only a problem is returned func (wfe *WebFrontEndImpl) validSelfAuthenticatedJWS( jws *jose.JSONWebSignature, request *http.Request, logEvent *web.RequestEvent) ([]byte, *jose.JSONWebKey, *probs.ProblemDetails) { // Extract the embedded JWK from the parsed JWS pubKey, prob := wfe.extractJWK(jws) if prob != nil { return nil, nil, prob } // If the key doesn't meet the GoodKey policy return a problem immediately if err := wfe.keyPolicy.GoodKey(pubKey.Key); err != nil { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "JWKRejectedByGoodKey"}).Inc() return nil, nil, probs.BadPublicKey(err.Error()) } // Verify the JWS with the embedded JWK payload, prob := wfe.validJWSForKey(jws, pubKey, request, logEvent) if prob != nil { return nil, nil, prob } return payload, pubKey, nil } // validSelfAuthenticatedPOST checks that a given POST request has a valid JWS // using `validSelfAuthenticatedJWS`. func (wfe *WebFrontEndImpl) validSelfAuthenticatedPOST( request *http.Request, logEvent *web.RequestEvent) ([]byte, *jose.JSONWebKey, *probs.ProblemDetails) { // Parse the JWS from the POST request jws, prob := wfe.parseJWSRequest(request) if prob != nil { return nil, nil, prob } // Extract and validate the embedded JWK from the parsed JWS return wfe.validSelfAuthenticatedJWS(jws, request, logEvent) } // rolloverRequest is a client request to change the key for the account ID // provided from the specified old key to a new key (the embedded JWK in the // inner JWS). type rolloverRequest struct { OldKey jose.JSONWebKey Account string } // rolloverOperation is a struct representing a requested rollover operation // from the specified old key to the new key for the given account ID. type rolloverOperation struct { rolloverRequest NewKey jose.JSONWebKey } // validKeyRollover checks if the innerJWS is a valid key rollover operation // given the outer JWS that carried it. It is assumed that the outerJWS has // already been validated per the normal ACME process using `validPOSTForAccount`. // It is *critical* this is the case since `validKeyRollover` does not check the // outerJWS signature. This function checks that: // 1) the inner JWS is valid and well formed // 2) the inner JWS has the same "url" header as the outer JWS // 3) the inner JWS is self-authenticated with an embedded JWK // // This function verifies that the inner JWS' body is a rolloverRequest instance // that specifies the correct oldKey. The returned rolloverOperation's NewKey // field will be set to the JWK from the inner JWS. // // If the request is valid a *rolloverOperation object is returned, // otherwise a problem is returned. The caller is left to verify // whether the new key is appropriate (e.g. isn't being used by another existing // account) and that the account field of the rollover object matches the // account that verified the outer JWS. func (wfe *WebFrontEndImpl) validKeyRollover( outerJWS *jose.JSONWebSignature, innerJWS *jose.JSONWebSignature, oldKey *jose.JSONWebKey, logEvent *web.RequestEvent) (*rolloverOperation, *probs.ProblemDetails) { // Extract the embedded JWK from the inner JWS jwk, prob := wfe.extractJWK(innerJWS) if prob != nil { return nil, prob } // If the key doesn't meet the GoodKey policy return a problem immediately if err := wfe.keyPolicy.GoodKey(jwk.Key); err != nil { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "KeyRolloverJWKRejectedByGoodKey"}).Inc() return nil, probs.BadPublicKey(err.Error()) } // Check that the public key and JWS algorithms match expected if err := checkAlgorithm(jwk, innerJWS); err != nil { return nil, probs.Malformed(err.Error()) } // Verify the inner JWS signature with the public key from the embedded JWK. // NOTE(@cpu): We do not use `wfe.validJWSForKey` here because the inner JWS // of a key rollover operation is special (e.g. has no nonce, doesn't have an // HTTP request to match the URL to) innerPayload, err := innerJWS.Verify(jwk) if err != nil { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "KeyRolloverJWSVerifyFailed"}).Inc() return nil, probs.Malformed("Inner JWS does not verify with embedded JWK") } // NOTE(@cpu): we do not stomp the web.RequestEvent's payload here since that is set // from the outerJWS in validPOSTForAccount and contains the inner JWS and inner // payload already. // Verify that the outer and inner JWS protected URL headers match if wfe.matchJWSURLs(outerJWS, innerJWS) != nil { return nil, prob } var req rolloverRequest if json.Unmarshal(innerPayload, &req) != nil { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "KeyRolloverUnmarshalFailed"}).Inc() return nil, probs.Malformed( "Inner JWS payload did not parse as JSON key rollover object") } // If there's no oldkey specified fail before trying to use // core.PublicKeyEqual on a nil argument. if req.OldKey.Key == nil { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "KeyRolloverWrongOldKey"}).Inc() return nil, probs.Malformed("Inner JWS does not contain old key field matching current account key") } // We must validate that the inner JWS' rollover request specifies the correct // oldKey. if keysEqual, err := core.PublicKeysEqual(req.OldKey.Key, oldKey.Key); err != nil { return nil, probs.Malformed("Unable to compare new and old keys: %s", err.Error()) } else if !keysEqual { wfe.stats.joseErrorCount.With(prometheus.Labels{"type": "KeyRolloverWrongOldKey"}).Inc() return nil, probs.Malformed("Inner JWS does not contain old key field matching current account key") } // Return a rolloverOperation populated with the validated old JWK, the // requested account, and the new JWK extracted from the inner JWS. return &rolloverOperation{ rolloverRequest: rolloverRequest{ OldKey: *oldKey, Account: req.Account, }, NewKey: *jwk, }, nil } func bitSizeToByteSize(bitSize int) int { byteSize := (bitSize / 8) if bitSize%8 > 0 { return byteSize + 1 } return byteSize } var curvesToSize = map[string]int{ "P-256": bitSizeToByteSize(elliptic.P256().Params().BitSize), "P-384": bitSizeToByteSize(elliptic.P384().Params().BitSize), "P-521": bitSizeToByteSize(elliptic.P521().Params().BitSize), } func (wfe *WebFrontEndImpl) verifyECFieldLengths(body []byte, request *http.Request) { var payload struct { Protected string } if err := json.Unmarshal(body, &payload); err != nil { return } b, err := base64.RawURLEncoding.DecodeString(payload.Protected) if err != nil { return } var keyData struct { JWK struct { X string Y string Crv string } } if err := json.Unmarshal(b, &keyData); err != nil { // this really shouldn't happen as we've already done this once before // successfully, in order to avoid a headache just return and pretend // it didn't happen return } x, err := base64.RawURLEncoding.DecodeString(keyData.JWK.X) if err != nil { return } y, err := base64.RawURLEncoding.DecodeString(keyData.JWK.Y) if err != nil { return } xLen, yLen := len(x), len(y) curveSize, present := curvesToSize[keyData.JWK.Crv] if !present { return } if xLen != curveSize || yLen != curveSize { wfe.stats.improperECFieldLengths.Inc() // if extractRequesterIP fails just continue on as we still want to know // that the key was badly padded, and a empty net.IP will render just fine ip, _ := extractRequesterIP(request) wfe.log.Infof("Incorrectly padded account EC JWK key from UA=%q IP=%s", request.UserAgent(), ip) } }