Strange modulus in root CA certificate

RESOLVED INVALID

Status

()

Firefox
Untriaged
RESOLVED INVALID
3 years ago
3 years ago

People

(Reporter: joev, Unassigned)

Tracking

Trunk
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36

Steps to reproduce:

I was running some tests over public HTTPS certificates this weekend, and noticed something odd about the Thawte Root CA added by this ticket:

https://bugzilla.mozilla.org/show_bug.cgi?id=407163#c17

The modulus is divisible by 3:

$ openssl x509 -in thawte.pem -noout -text
...
RSA Public Key: (2048 bit)
      Modulus (2048 bit):
          00:ac:a0:f0:fb:80:59:d4:9c:c7:a4:cf:9d:a1:59:
          73:09:10:45:0c:0d:2c:6e:68:f1:6c:5b:48:68:49:
          59:37:fc:0b:33:19:c2:77:7f:cc:10:2d:95:34:1c:
          e6:eb:4d:09:a7:1c:d2:b8:c9:97:36:02:b7:89:d4:
          24:5f:06:c0:cc:44:94:94:8d:02:62:6f:eb:5a:dd:
          11:8d:28:9a:5c:84:90:10:7a:0d:bd:74:66:2f:6a:
          38:a0:e2:d5:54:44:eb:1d:07:9f:07:ba:6f:ee:e9:
          fd:4e:0b:29:f5:3e:84:a0:01:f1:9c:ab:f8:1c:7e:
          89:a4:e8:a1:d8:71:65:0d:a3:51:7b:ee:bc:d2:22:
          60:0d:b9:5b:9d:df:ba:fc:51:5b:0b:af:98:b2:e9:
          2e:e9:04:e8:62:87:de:2b:c8:d7:4e:c1:4c:64:1e:
          dd:cf:87:58:ba:4a:4f:ca:68:07:1d:1c:9d:4a:c6:
          d5:2f:91:cc:7c:71:72:1c:c5:c0:67:eb:32:fd:c9:
          92:5c:94:da:85:c0:9b:bf:53:7d:2b:09:f4:8c:9d:
          91:1f:97:6a:52:cb:de:09:36:a4:77:d8:7b:87:50:
          44:d5:3e:6e:29:69:fb:39:49:26:1e:09:a5:80:7b:
          40:2d:eb:e8:27:85:c9:fe:61:fd:7e:e6:7c:97:1d:
          d5:9d
...

In decimal, n = 21792351585640198823010717570910971808469628036117065647538316584461104694117982485321090653713725047310400166950260364014694475955614649567105003746715215324780062062279650013594782973385729484663548395943818891646627881966763447613843848477217062740245542204851265868584077207630605591368653815537305062114070585230257191208028253066375143961437528906673239945963251004711957177331642223955097208406041399313757154785490545306249678772025651877768759744272959454462203420797356883438748497204511642306943070888183560085665480831040768469291400165663422365743517117023333869866682052270847261336941032136430789186973



Actual results:

The modulus is trivially factorable (it is divisible by 3). I'm not familiar enough with the CA system to know if this is an exploitable problem (it certainly is for RSA in general, factoring n breaks everything).


Expected results:

Hopefully this is a misunderstanding on my behalf, and not a real problem. To my understanding RSA modulus should be a semiprime, and their prime factors should be huge.
(Reporter)

Comment 1

3 years ago
Nevermind! This was a spoofed cert that has a modulus that is a few bytes different from the one bundled in Firefox. I will diff harder next time :)
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID
Group: firefox-core-security
You need to log in before you can comment on or make changes to this bug.