Move 'jwk' and 'alg' fields to protected header. (#4677)

* Move 'jwk' and 'alg' fields to protected header. Previously, these were in the unprotected JWS header, which Boulder currently allows. However, the next version of the spec doesn't allow anything in the unprotected header. Moving these fields now allows server implementers who are implementing the Certbot/Boulder version of ACME (https://github.com/letsencrypt/boulder/blob/master/docs/acme-divergences.md) to use JOSE libraries that don't support unprotected headers. Fixes #4417. * Only protect existing headers.
2026-05-28 04:34:11 -04:00 · 2017-05-17 13:46:52 -07:00 · 2017-05-17 13:46:52 -07:00 · 686f5d6c81
commit 686f5d6c81
parent 4caff11371
2 changed files with 3 additions and 2 deletions
--- a/acme/acme/jose/jws.py
+++ b/acme/acme/jose/jws.py
@ -222,7 +222,8 @@ class Signature(json_util.JSONObjectWithFields):

        protected_params = {}
        for header in protect:
-            protected_params[header] = header_params.pop(header)
+            if header in header_params:
+                protected_params[header] = header_params.pop(header)
        if protected_params:
            # pylint: disable=star-args
            protected = cls.header_cls(**protected_params).json_dumps()
--- a/acme/acme/jws.py
+++ b/acme/acme/jws.py
@ -49,6 +49,6 @@ class JWS(jose.JWS):
        # jwk field if kid is not provided.
        include_jwk = kid is None
        return super(JWS, cls).sign(payload, key=key, alg=alg,
-                                    protect=frozenset(['nonce', 'url', 'kid']),
+                                    protect=frozenset(['nonce', 'url', 'kid', 'jwk', 'alg']),
                                    nonce=nonce, url=url, kid=kid,
                                    include_jwk=include_jwk)