Skip to content

acme/api: reject General JSON Serialization JWS bodies per RFC 8555#2662

Open
SAY-5 wants to merge 1 commit into
smallstep:masterfrom
SAY-5:fix/acme-reject-general-jws-2642
Open

acme/api: reject General JSON Serialization JWS bodies per RFC 8555#2662
SAY-5 wants to merge 1 commit into
smallstep:masterfrom
SAY-5:fix/acme-reject-general-jws-2642

Conversation

@SAY-5

@SAY-5 SAY-5 commented Apr 22, 2026

Copy link
Copy Markdown

Summary

Fixes #2642.

RFC 8555 section 6.2 mandates that ACME JWS bodies MUST use the Flattened JSON Serialization. go-jose/v3's ParseSigned accepts both Flattened and General forms, so step-ca silently accepted:

{"payload": "...", "signatures": [{"protected": "...", "signature": "..."}]}

as if it were a legal RFC 7515 flattened body. As the reporter notes, go-jose doesn't expose a way to restrict this, so the check has to sit at the JSON layer before jose.ParseJWS runs.

Fix

Add a lightweight rejectGeneralJWS helper in front of parseJWS that JSON-probes the body for a top-level "signatures" array (plural, the telltale General-form field). Hit → return ACME ErrorMalformedType with a message pointing back to RFC 8555. Bodies that aren't valid JSON fall through to the existing ParseJWS path so go-jose's own diagnostics still produce the familiar compact JWS format must have three parts error for compact-serialization mistakes.

Tests

  • New sub-test TestHandler_parseJWS/fail/general-jws drives a General-form body through parseJWS and asserts 400 ErrorMalformedType with the RFC-8555-pointing message.
  • Existing fail/read-body-error, fail/parse-jws-error, and ok cases stay green.

go build ./acme/..., go vet ./acme/..., go test ./acme/api -run TestHandler_parseJWS all green.

@CLAassistant

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@github-actions github-actions Bot added the needs triage Waiting for discussion / prioritization by team label Apr 22, 2026
@hslatman hslatman self-assigned this Apr 28, 2026
Comment thread acme/api/middleware.go
// singular "signature" + "protected" alongside "payload".
func rejectGeneralJWS(body []byte) error {
var peek struct {
Signatures json.RawMessage `json:"signatures"`

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should also assert that the message doesn't include the unprotected header

Suggested change
Signatures json.RawMessage `json:"signatures"`
Signatures json.RawMessage `json:"signatures"`
Header json.RawMessage `json:"header"`

@SAY-5

SAY-5 commented May 23, 2026

Copy link
Copy Markdown
Author

Good catch. rejectGeneralJWS now also rejects a top-level "header" member (the JWS Unprotected Header, forbidden by RFC 8555 section 6.2), with a matching test case. 880c12c.

RFC 8555 section 6.2 mandates Flattened JSON Serialization. go-jose/v3's
ParseSigned accepts both Flattened and General forms, so step-ca silently
accepted invalid ACME bodies. Reject them explicitly.

Also reject the JWS Unprotected Header member per RFC 8555 section 6.2
which does not permit it in ACME requests.

Fixes smallstep#2642.

Signed-off-by: Sai Asish Y <say.apm35@gmail.com>
@SAY-5 SAY-5 force-pushed the fix/acme-reject-general-jws-2642 branch from 880c12c to e4c004f Compare May 27, 2026 02:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs triage Waiting for discussion / prioritization by team

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug]: Step-CA accepts non-flattened JWS POST requests

5 participants