crypto.subtle.verify does not work with large RSA public exponent
Categories
(Core :: DOM: Web Crypto, defect, P3)
People
(Reporter: mail, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0
Steps to reproduce:
Run the following in the Firefox web console:
b64Tou8 = (b) => Uint8Array.from(atob(b), c => c.charCodeAt(0))
key = await crypto.subtle.importKey('jwk', {
"alg": "PS384",
"e": "K932_NQuz0qCWG0SZbKm97-6NG1Oy2VFbwAb9Mh1OcHS0jXlZCCa-jJWd9li6aYd_bLkcR26K70eFxIIxSY8bZElSeidBcpBewjHUd5wNmubxI9MInQPgsPUT9gEHXYeRC1o0vBUOUPH7hDNfCEC9ijSOiTFDT01oZakoc_XoTc",
"ext": true,
"key_ops": [
"verify"
],
"kty": "RSA",
"n": "1pMIIPcf5Re_MlnRTUAgmwKlwNPWGZHHMd19o5-NaYIVUuIxjWya2JfmA4h6R26jFiwSBdqayW8C7fMd8Em9VfFCE0wX1DgqDnjidTRfFl--jknNymz1xybFmd054J514PMwozEh5zl25PrLqc-gAcKLfJb4E0-ZgdtnULQ6QXEPUdpCQP4DEGwSrLHnu1PXXsclbaP93QcYuJw2VBD85hvHyZsRX7TDwxgIH6fhtlo3d06OUMlujOKyzGs7NnmCNmor-ZJMS6_bP_XnIiWKtwXHbUPl8fEhuYSBTpjqKyuHJc2byQXAvD11wqjbcKcVMhPDmuNxsrXcHa_LGdb66Q"
}, {name: 'RSA-PSS', hash: 'SHA-384'}, true, ['verify'])
await crypto.subtle.verify(
{ name: "RSA-PSS", saltLength: 48 },
key,
b64Tou8('rVnnfXInk1rA7Du7/Mo2mdecWf/d4lnjuh31osBh37b5bYzCGFt4Hc6UkS8pJeASg66TtOMh0vft0aU3Ne2K5y7iSFMeSEwsf0vzLFlDy0oEPwMqykrXhBbzALys//RKPFePLS2RCtlvxolXqE70ajT4KtO3miLCHYHD/EJCxpwmr8K0H+E9sJRYoK8s0e0e4kSgFl7RC6FeLpAfwy+IIf02b6vvxBQAOq6VkLp4FMYmUp1C5hP3314CdVs3mR+4DvqwnRFvAsq4kt5CSccUWIRhmPWCM5uF4FTbt13jpHw0xgiBkYsVkLKhXzOwi67XtRMi/GqWCjxmipRDBqlo6A=='),
b64Tou8('bXNnAAAACQAHAAEAAwECA9p6qnIBnR+VHfGXAhzmOHb+iwoC3BwxoSsKLdFQjQeCfwUtEKOSugdbMJjTxrZRJ3Ip8njlobvPY2bK7rII6Pjf9xAXXw0oVZeEH/3O+P9e1sLlyVlTvDxkXgBsdX89eqFZ'),
)
Actual results:
The script returns false while the signature is valid.
Expected results:
The script should have returned true.
Additional context
I think the issue is similar to https://bugzilla.mozilla.org/show_bug.cgi?id=1268235. However, crypto.subtle.verify happens in the user space, not during TLS handshake. The performance degradation due to using a large public exponent can be considered a tradeoff from the website developer.
The discovery of this issue came from implementing Partially Blind RSA in JavaScript.
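An independent cross-check for a result like the one reported above, as an added example that is not part of the bug report or of Firefox's code: RSA-PSS verification (RFC 8017, EMSA-PSS-VERIFY) done with BigInt in Node.js, so the public exponent can be any size. The names verifyPss, modPow, mgf1 and toBig are chosen here; it assumes MGF1 uses the same hash as the message digest.

```javascript
// Added example: RSA-PSS verification (RFC 8017, EMSA-PSS-VERIFY) with BigInt,
// independent of the browser's crypto library. Runs in Node.js.
const { createHash } = require('crypto');

const toBig = (bytes) => BigInt('0x' + (Buffer.from(bytes).toString('hex') || '0'));

// Square-and-multiply; the public exponent may be any size.
function modPow(base, exp, mod) {
  let r = 1n;
  for (base %= mod; exp > 0n; exp >>= 1n) {
    if (exp & 1n) r = (r * base) % mod;
    base = (base * base) % mod;
  }
  return r;
}

// MGF1 mask generation function (RFC 8017, appendix B.2.1).
function mgf1(seed, len, hash) {
  let out = Buffer.alloc(0);
  for (let c = 0; out.length < len; c++) {
    const ctr = Buffer.alloc(4);
    ctr.writeUInt32BE(c);
    out = Buffer.concat([out, createHash(hash).update(seed).update(ctr).digest()]);
  }
  return out.subarray(0, len);
}

// jwk: public RSA JWK; message, signature: byte arrays (hypothetical helper name).
function verifyPss(jwk, message, signature, hash = 'sha384', saltLen = 48) {
  const n = toBig(Buffer.from(jwk.n, 'base64url'));
  const e = toBig(Buffer.from(jwk.e, 'base64url'));
  const s = toBig(signature);
  if (s >= n) return false; // signature representative out of range
  const emBits = n.toString(2).length - 1, emLen = Math.ceil(emBits / 8);
  const hex = modPow(s, e, n).toString(16);
  if (hex.length > emLen * 2) return false; // encoded message too long
  const em = Buffer.from(hex.padStart(emLen * 2, '0'), 'hex');
  const mHash = createHash(hash).update(message).digest(), hLen = mHash.length;
  const dbLen = emLen - hLen - 1, pad = dbLen - saltLen - 1;
  const topMask = 0xff >> (8 * emLen - emBits); // bits of em[0] that may be set
  if (pad < 0 || em[emLen - 1] !== 0xbc || (em[0] & ~topMask & 0xff)) return false;
  const h = em.subarray(dbLen, dbLen + hLen), mask = mgf1(h, dbLen, hash);
  const db = Buffer.alloc(dbLen);
  for (let i = 0; i < dbLen; i++) db[i] = em[i] ^ mask[i]; // unmask DB
  db[0] &= topMask;
  // DB must be zero padding, then 0x01, then the salt.
  if (db.subarray(0, pad).some((b) => b !== 0) || db[pad] !== 0x01) return false;
  const h2 = createHash(hash).update(Buffer.alloc(8)).update(mHash)
    .update(db.subarray(pad + 1)).digest();
  return h2.equals(h);
}
```

Call it with the JWK object, the data bytes and the signature bytes; note that crypto.subtle.verify takes the signature before the data.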
Comment 1•1 month ago
Managed to reproduce this issue on:
- Firefox Nightly 128.0a1;
- Firefox Beta 127.0b1;
- Firefox 126.0;
Tested and reproduced on:
- Windows 10;
- macOS 12;
- Ubuntu 22;
Setting the Product to ‘DevTools’ and the Component to ‘General’. Please change if there’s a better fit, thank you.
Setting as NEW so the developing team can have a look.
Comment 2•1 month ago
The console is only used to execute JS which demonstrates the issue.
https://searchfox.org/mozilla-central/rev/7a8904165618818f73ab7fc692ace4a57ecd38c9/dom/base/SubtleCrypto.cpp#66-70 indicates that this should be in Dom: Core & HTML