Open Bug 1896444 Opened 1 month ago Updated 21 days ago

crypto.subtle.verify does not work with large RSA public exponent

Categories

(Core :: DOM: Web Crypto, defect, P3)

Product:
Core
Component:
DOM: Web Crypto
Version:
Firefox 125
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox126 --- affected
firefox127 --- affected
firefox128 --- affected

People

(Reporter: mail, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0

Steps to reproduce:

Run the following in Firefox web console

b64Tou8 = (b) => Uint8Array.from(atob(b), c => c.charCodeAt(0))
key = await crypto.subtle.importKey('jwk', {
    "alg": "PS384",
    "e": "K932_NQuz0qCWG0SZbKm97-6NG1Oy2VFbwAb9Mh1OcHS0jXlZCCa-jJWd9li6aYd_bLkcR26K70eFxIIxSY8bZElSeidBcpBewjHUd5wNmubxI9MInQPgsPUT9gEHXYeRC1o0vBUOUPH7hDNfCEC9ijSOiTFDT01oZakoc_XoTc",
    "ext": true,
    "key_ops": [
        "verify"
    ],
    "kty": "RSA",
    "n": "1pMIIPcf5Re_MlnRTUAgmwKlwNPWGZHHMd19o5-NaYIVUuIxjWya2JfmA4h6R26jFiwSBdqayW8C7fMd8Em9VfFCE0wX1DgqDnjidTRfFl--jknNymz1xybFmd054J514PMwozEh5zl25PrLqc-gAcKLfJb4E0-ZgdtnULQ6QXEPUdpCQP4DEGwSrLHnu1PXXsclbaP93QcYuJw2VBD85hvHyZsRX7TDwxgIH6fhtlo3d06OUMlujOKyzGs7NnmCNmor-ZJMS6_bP_XnIiWKtwXHbUPl8fEhuYSBTpjqKyuHJc2byQXAvD11wqjbcKcVMhPDmuNxsrXcHa_LGdb66Q"
}, {name: 'RSA-PSS', hash: 'SHA-384'}, true, ['verify'])
await crypto.subtle.verify(
{ name: "RSA-PSS", saltLength: 48 },
key,
b64Tou8('rVnnfXInk1rA7Du7/Mo2mdecWf/d4lnjuh31osBh37b5bYzCGFt4Hc6UkS8pJeASg66TtOMh0vft0aU3Ne2K5y7iSFMeSEwsf0vzLFlDy0oEPwMqykrXhBbzALys//RKPFePLS2RCtlvxolXqE70ajT4KtO3miLCHYHD/EJCxpwmr8K0H+E9sJRYoK8s0e0e4kSgFl7RC6FeLpAfwy+IIf02b6vvxBQAOq6VkLp4FMYmUp1C5hP3314CdVs3mR+4DvqwnRFvAsq4kt5CSccUWIRhmPWCM5uF4FTbt13jpHw0xgiBkYsVkLKhXzOwi67XtRMi/GqWCjxmipRDBqlo6A=='),
b64Tou8('bXNnAAAACQAHAAEAAwECA9p6qnIBnR+VHfGXAhzmOHb+iwoC3BwxoSsKLdFQjQeCfwUtEKOSugdbMJjTxrZRJ3Ip8njlobvPY2bK7rII6Pjf9xAXXw0oVZeEH/3O+P9e1sLlyVlTvDxkXgBsdX89eqFZ'),
)

Actual results:

The script returns false while the signature is valid.

Expected results:

The script should have returned true.

Additional context

I think the issue is similar to https://bugzilla.mozilla.org/show_bug.cgi?id=1268235. However, crypto.subtle.verify happens in the user space, not during TLS handshake. The performance degradation due to using large public exponent can be considered a tradeoff from the website developer.

The discovery of this issue came from implementing Partially Blind RSA in JavaScript.

Managed to reproduce this issue on:

  • Firefox Nightly 128.0a1;
  • Firefox Beta 127.0b1;
  • Firefox 126.0;

Tested and reproduced on:

  • Windows 10;
  • macOS 12;
  • Ubuntu 22;

Setting to Product to ‘DevTools’ and the Component to ‘General’ . Please change if there’s a better fit, thank you.
Setting as NEW so the developing team can have a look.

Status: UNCONFIRMED → NEW
status-firefox126: --- → affected
status-firefox127: --- → affected
status-firefox128: --- → affected
Component: Untriaged → General
Ever confirmed: true
Product: Firefox → DevTools

console is only used to execute js which demonstrates the issue.
https://searchfox.org/mozilla-central/rev/7a8904165618818f73ab7fc692ace4a57ecd38c9/dom/base/SubtleCrypto.cpp#66-70 indicates that this should be in Dom: Core & HTML

Component: General → DOM: Core & HTML
Product: DevTools → Core
Component: DOM: Core & HTML → DOM: Web Crypto
Severity: -- → S3
Priority: -- → P3
You need to log in before you can comment on or make changes to this bug.