230001 – SubtleCrypto.exportKey RSA sometimes exports different Private Exponent

Bug 230001 - SubtleCrypto.exportKey RSA sometimes exports different Private Exponent

Summary: SubtleCrypto.exportKey RSA sometimes exports different Private Exponent

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKit Misc. (show other bugs)
Version:	Other
Hardware:	iPhone / iPad iOS 14

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2021-09-07 08:22 PDT by Filip Skokan
Modified:	2021-09-08 09:11 PDT (History)
CC List:	5 users (show)

See Also:

Attachments
test case (2.03 KB, text/html) 2021-09-07 15:30 PDT, Alexey Proskuryakov	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Filip Skokan 2021-09-07 08:22:22 PDT

When importing RSA JWKs I'm seeing an issue with export on iOS 14 that did not exist on iOS 12 and iOS 13. I'm experiencing this through real device testing on the BrowserStack platform.

The issue is that if re-exported, the exported JWK does not sometimes match the imported one. The snippet below works fine on iOS 12 and 13, but fails on iOS 14 Mobile Safari 14.0.2 (iOS 14.3).

```js
const jwk = {
  kty: "RSA",
  n: "w1MQU2ERHuPd_BJAJEHqI2UQdcU7qBQn9LrujqDIU1KafLNDK_yrS-ZhlpL9XOO0KZpLa4bEZhJpqiHiqG65uaeIsfS1iU2tqKQ5YBq5MQBcfR330jNAa08t8wAnamPZdEZGZX17MIw7J3fvpbHKSdsyfH6EacCrtmGjUzhXiKwcwG3BH1GRySnFBrsCbOA4WBp5DbP1GurgNcWOsGul2bApK44f0bawQ3RAEgchJFsC_Uz_w7piA9r8Wl9KUJZ5ygvEuTojTQBtyjcngwHFXgHDYzveHh7Q25MaX2EmoEUQUnH_VgOXKoSjtBSWTVW1lo-T7dw3XTiIsJRFWa38mQ",
  e: "AQAB",
  d: "JYptdNkPJVS-cZhAY7eXfL4L79a8pI1bMJpNB3S3i-wwbQ83NdkWQzxAPWR69cN9-RECtePtE4EuddiVa7H8WEZu62URDxay7drCfEomldhv7kw4OVpIY1eQiUfaS4RtYv-uwAriBm6tX-SZVstZCeDrTyox4PF7D06syW3mxQmZMTL6IwOLpQiAgijO5Aa2KihufIWbCVaEQ8UOvJ9VXcAJsM4wSHUc55jx5CfwHSlyPjxuWcBACvCB4llY_n_krHbFDAocmUImjpbMWp5y3BmS9wtGlbS_H9_Dl9Efkp6qRdhenOF2Fh9vLhoi19AhPu0ORfHTgjUuN4tLb88IAQ",
  p: "8kxaQxCH24jb0tZ4gPfvRUJJuD6WNbtBClhdoSE2JmvHM-HtzVCh6aW_ulHLIT82PBMRXTK_lihiUD6NvCSbjMiVEKHT6Jn5-dbSlpp8uj3HmfsACBvLpxMD81Go6Tx7RKb1HNL7yRCLyo8r9buJenGF2H03HJ88HuNoCjAxZ8E",
  q: "zl6xI19mJupKa0PTRZsy6sZ_2dQnl-KuMVt3-TtZ4LfcSZL1F24HlAkj8tPKGVF6oya-bYRoQ928iZTNV2Gy1VdnjUGb3xeINFzORZmGUGtV5w6ugtLcngYKkfdEfLltq2KX3ZvS--EdkT9iY47kWrTicSf28IyLUolCm62fitk",
  dp: "TjwbFPZ8d4VMPVqk1De6GWna9dO3mqfYy2dW7BUWL_ey_Wyg5R94-EFdk-KfLSAE-gbKH4aoV-q4O-LGzw4e76lAgHtQOhWlomcb3icJyPTzwyNJklSvQEYii2k9mfm-b59dG66AQB7IlGIANrsUG-YV6p4bsnEz72FMEaYX_cE",
  dq: "PyeLXh_byxz4GUtwZGTSeDa2-ZqLY1fjpwcu9_7JypN5vqpShxENEKibb7yQpJ7iwPsiW7GhluNMx23aSVuEtvVAo2HoqaUx8ZRVK8eH6yRt7X_4t-B_03xVz8W0F9dHUKOjhhYhwyNpQQH8wisAhyHECo0IbSUVnfSThcDkikE",
  qi: "DBZc1mfJLCxHgpHyfrlueIVTooOCGBWTSC-C6PBicwjl2eJiQVe9Q3zFShjvv70SJpZ15SBKn06fML9nn9lRvbzQJBP671lUtxF_NfYN7Yl_FLEeADMfV7wBKZ8eIk8BhstzSY3xH_ZNJklYRnSCBZNI_NlSfH2QxSb-JjH6xGA",
};

const { subtle } = globalThis.crypto;

const cryptoKey = await subtle.importKey('jwk', jwk, { name: 'RSASSA-PKCS1-v1_5', hash: { name: 'SHA-256' } }, true, ['sign'])

const reExport = await subtle.exportKey('jwk', cryptoKey)

console.log(reExport.d === jwk.d) // expect the keys to match
```

Comment 1 Filip Skokan 2021-09-07 12:33:06 PDT

Interestingly enough, when I flip the actual and expected, then I the same bug applies to OS X Safari only in reverse.

That being said - for deterministic signatures produced using both JWKs - they both generate the same output.

Comment 2 Alexey Proskuryakov 2021-09-07 15:30:01 PDT

Created attachment 437563 [details]
test case

Same test case as an attachment. Verified failing on Apple Silicon Mac.

I think that we get this value directly from CCRSAGetKeyComponents. Equivalent private exponents obviously exist; I'm not sure if there are any requirements on round-trip fidelity or on using a particular normalized form in any of the specs involved.

Comment 3 Radar WebKit Bug Importer 2021-09-08 09:11:02 PDT

<rdar://problem/82875952>