RESOLVED FIXED289693
[GTK] [WebCrypto] X25519 `generateKey` + `exportKey` return mismatching keypair on Linux 
https://bugs.webkit.org/show_bug.cgi?id=289693
Summary [GTK] [WebCrypto] X25519 `generateKey` + `exportKey` return mismatching keypa...
larabr+bugzilla
Reported 2025-03-13 04:01:00 PDT
(Unsure if this is a security issue, I prefer to file it as such as it may be sensitive depending on the root cause.) Issue seen on Playwright build v2140 on Ubuntu (https://playwright.azureedge.net/builds/webkit/2140/webkit-ubuntu-22.04.zip). Generating an X25519 and exporting it in JWK format returns mismatching private and public keys (looking at the public point component `x`). I haven't tested other export formats. To repro: ``` const webCryptoKey = await window.crypto.subtle.generateKey('X25519', true, ['deriveKey', 'deriveBits']); const privateKey = await window.crypto.subtle.exportKey('jwk', webCryptoKey.privateKey); const publicKey = await window.crypto.subtle.exportKey('jwk', webCryptoKey.publicKey); if (privateKey.x !== publicKey.x) { throw new Error('Unexpected mismatching public point'); } ``` Example result I get logging `privateKey` and `publicKey` above: ``` { crv: 'X25519', d: '24MCkdh2f1R4vXr2uQuGABzsM2aCfEecyB7pWma_8QA', ext: true, key_ops: [ 'deriveBits', 'deriveKey' ], kty: 'OKP', x: 'ZiyHRj-b3s-yptoYUA2M3r5rgPP-LQb9Iza8RORWAwY' <--- }, { crv: 'X25519', ext: true, key_ops: [], kty: 'OKP', x: 'utLVOVGN-4uaNPkDEJr0cFIYdnAov7K6NE71L7XZZm0' <--- } ```
Attachments
Test cases to reproduce the issue (4.82 KB, text/html)
2025-08-20 01:04 PDT, Javier Fernandez 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2025-03-13 04:01:12 PDT
<rdar://problem/146940729>
larabr+bugzilla
Comment 2 2025-07-09 06:54:14 PDT
Any updates? I can still repro as of 49.alpha.1-33-g785305607+ (Epiphany Technology Preview) using WebKitGTK 2.49.3 . This bug makes WebCrypto X25519 unusable on WebKit Linux on my side , and the fact that it doesn't throw any errors on generation but only when the keys are used later on is also disruptive from a development perspective, to implement custom workarounds.
Javier Fernandez
Comment 3 2025-08-19 04:37:19 PDT
Thanks for the report. I confirmed the bug and I'm investigating it now.
Javier Fernandez
Comment 4 2025-08-20 00:34:40 PDT
I don´t think this is a security bug, from the perspective of the browser itself. The bug affects an external API exposed by the browser to allow applications to generate X25519 keys using the browser's crypto primitives. The bug affects only to the Linux (WebKitGtk+) platform and it causes the generated key to fail in import/export round-trip tests.
Javier Fernandez
Comment 5 2025-08-20 01:03:08 PDT
I have defined a test case based on a key-pair generated by the current WebCrypto gcrypt-based implementation of the X25519 algorithm: var testData = { 'spki': new Uint8Array([48, 42, 48, 5, 6, 3, 43, 101, 110, 3, 33, 0, 95, 190, 216, 125, 162, 201, 117, 199, 34, 231, 83, 216, 103, 61, 126, 38, 11, 248, 88, 172, 149, 125, 108, 17, 195, 93, 225, 44, 92, 172, 113, 36]), 'pkcs8': new Uint8Array([48, 46, 2, 1, 0, 48, 5, 6, 3, 43, 101, 110, 4, 34, 4, 32, 1, 96, 201, 46, 17, 128, 81, 27, 33, 222, 180, 49, 71, 94, 54, 249, 144, 30, 112, 165, 238, 53, 136, 237, 254, 183, 39, 188, 156, 20, 32, 71]), 'jwk': { crv: "X25519", d: "AWDJLhGAURsh3rQxR142-ZAecKXuNYjt_rcnvJwUIEc", x: "Ap09nLJyqO8inQK0449qOyu0RhhaC7Ag2e3ZW_ZekwA", //x: "X77YfaLJdcci51PYZz1-Jgv4WKyVfWwRw13hLFyscSQ", kty: "OKP" } }; The 'spki' and 'pkcs8' format has been obtained by the 'subtle.crypto.export' method implemented in WebKitGtk+. The duplicated 'x' field in the JWK representation shows the mismatching issue described in this bug, which happens with any key generated by the X25519 algorithm implementation. When using the testData defined in any of the WPT tests of the WebCryptoAPI, the issue is not happening: var keyDataX25519 = { 'spki': new Uint8Array([48, 42, 48, 5, 6, 3, 43, 101, 110, 3, 33, 0, 28, 242, 177, 230, 2, 46, 197, 55, 55, 30, 215, 245, 62, 84, 250, 17, 84, 216, 62, 152, 235, 100, 234, 81, 250, 229, 179, 48, 124, 254, 151, 6]), 'raw': new Uint8Array([28, 242, 177, 230, 2, 46, 197, 55, 55, 30, 215, 245, 62, 84, 250, 17, 84, 216, 62, 152, 235, 100, 234, 81, 250, 229, 179, 48, 124, 254, 151, 6]), 'pkcs8': new Uint8Array([48, 46, 2, 1, 0, 48, 5, 6, 3, 43, 101, 110, 4, 34, 4, 32, 200, 131, 142, 118, 208, 87, 223, 183, 216, 201, 90, 105, 225, 56, 22, 10, 221, 99, 115, 253, 113, 164, 210, 118, 187, 86, 227, 168, 27, 100, 255, 97]), 'jwk': { crv: "X25519", d: "yIOOdtBX37fYyVpp4TgWCt1jc_1xpNJ2u1bjqBtk_2E", x: "HPKx5gIuxTc3Htf1PlT6EVTYPpjrZOpR-uWzMHz-lwY", kty: "OKP" } }; I'm attaching this bug a test case to reproduce the issue, where it has also an alternate codepath to verify that using a valid X25519 key-pair the import/export round-trip works as expected. This probes that the problem is not in the import/export methods, but in the X25519 generateKey method specifically.
Javier Fernandez
Comment 6 2025-08-20 01:04:09 PDT
Created attachment 476463 [details] Test cases to reproduce the issue
Javier Fernandez
Comment 7 2025-08-27 01:00:18 PDT
Pull request: https://github.com/WebKit/WebKit/pull/49923
EWS
Comment 8 2025-08-27 07:11:18 PDT
Committed 299198@main (33777aff18f1): <https://commits.webkit.org/299198@main> Reviewed commits have been landed. Closing PR #49923 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.