[Webkit-unassigned] [Bug 230001] New: SubtleCrypto.exportKey RSA sometimes exports different Private Exponent

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Sep 7 08:22:22 PDT 2021 

https://bugs.webkit.org/show_bug.cgi?id=230001

            Bug ID: 230001
           Summary: SubtleCrypto.exportKey RSA sometimes exports different
                    Private Exponent
           Product: WebKit
           Version: Other
          Hardware: iPhone / iPad
                OS: iOS 14
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: panva.ip at gmail.com

When importing RSA JWKs I'm seeing an issue with export on iOS 14 that did not exist on iOS 12 and iOS 13. I'm experiencing this through real device testing on the BrowserStack platform.

The issue is that if re-exported, the exported JWK does not sometimes match the imported one. The snippet below works fine on iOS 12 and 13, but fails on iOS 14 Mobile Safari 14.0.2 (iOS 14.3).

```js
const jwk = {
  kty: "RSA",
  n: "w1MQU2ERHuPd_BJAJEHqI2UQdcU7qBQn9LrujqDIU1KafLNDK_yrS-ZhlpL9XOO0KZpLa4bEZhJpqiHiqG65uaeIsfS1iU2tqKQ5YBq5MQBcfR330jNAa08t8wAnamPZdEZGZX17MIw7J3fvpbHKSdsyfH6EacCrtmGjUzhXiKwcwG3BH1GRySnFBrsCbOA4WBp5DbP1GurgNcWOsGul2bApK44f0bawQ3RAEgchJFsC_Uz_w7piA9r8Wl9KUJZ5ygvEuTojTQBtyjcngwHFXgHDYzveHh7Q25MaX2EmoEUQUnH_VgOXKoSjtBSWTVW1lo-T7dw3XTiIsJRFWa38mQ",
  e: "AQAB",
  d: "JYptdNkPJVS-cZhAY7eXfL4L79a8pI1bMJpNB3S3i-wwbQ83NdkWQzxAPWR69cN9-RECtePtE4EuddiVa7H8WEZu62URDxay7drCfEomldhv7kw4OVpIY1eQiUfaS4RtYv-uwAriBm6tX-SZVstZCeDrTyox4PF7D06syW3mxQmZMTL6IwOLpQiAgijO5Aa2KihufIWbCVaEQ8UOvJ9VXcAJsM4wSHUc55jx5CfwHSlyPjxuWcBACvCB4llY_n_krHbFDAocmUImjpbMWp5y3BmS9wtGlbS_H9_Dl9Efkp6qRdhenOF2Fh9vLhoi19AhPu0ORfHTgjUuN4tLb88IAQ",
  p: "8kxaQxCH24jb0tZ4gPfvRUJJuD6WNbtBClhdoSE2JmvHM-HtzVCh6aW_ulHLIT82PBMRXTK_lihiUD6NvCSbjMiVEKHT6Jn5-dbSlpp8uj3HmfsACBvLpxMD81Go6Tx7RKb1HNL7yRCLyo8r9buJenGF2H03HJ88HuNoCjAxZ8E",
  q: "zl6xI19mJupKa0PTRZsy6sZ_2dQnl-KuMVt3-TtZ4LfcSZL1F24HlAkj8tPKGVF6oya-bYRoQ928iZTNV2Gy1VdnjUGb3xeINFzORZmGUGtV5w6ugtLcngYKkfdEfLltq2KX3ZvS--EdkT9iY47kWrTicSf28IyLUolCm62fitk",
  dp: "TjwbFPZ8d4VMPVqk1De6GWna9dO3mqfYy2dW7BUWL_ey_Wyg5R94-EFdk-KfLSAE-gbKH4aoV-q4O-LGzw4e76lAgHtQOhWlomcb3icJyPTzwyNJklSvQEYii2k9mfm-b59dG66AQB7IlGIANrsUG-YV6p4bsnEz72FMEaYX_cE",
  dq: "PyeLXh_byxz4GUtwZGTSeDa2-ZqLY1fjpwcu9_7JypN5vqpShxENEKibb7yQpJ7iwPsiW7GhluNMx23aSVuEtvVAo2HoqaUx8ZRVK8eH6yRt7X_4t-B_03xVz8W0F9dHUKOjhhYhwyNpQQH8wisAhyHECo0IbSUVnfSThcDkikE",
  qi: "DBZc1mfJLCxHgpHyfrlueIVTooOCGBWTSC-C6PBicwjl2eJiQVe9Q3zFShjvv70SJpZ15SBKn06fML9nn9lRvbzQJBP671lUtxF_NfYN7Yl_FLEeADMfV7wBKZ8eIk8BhstzSY3xH_ZNJklYRnSCBZNI_NlSfH2QxSb-JjH6xGA",
};

const { subtle } = globalThis.crypto;

const cryptoKey = await subtle.importKey('jwk', jwk, { name: 'RSASSA-PKCS1-v1_5', hash: { name: 'SHA-256' } }, true, ['sign'])

const reExport = await subtle.exportKey('jwk', cryptoKey)

console.log(reExport.d === jwk.d) // expect the keys to match
```

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210907/d50f38ad/attachment-0001.htm>

More information about the webkit-unassigned mailing list