Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RSAAndroid fails to verify RSA signatures when the public exponent is bigger than 2^32 #72906

Open
runfoapp bot opened this issue Jul 27, 2022 · 8 comments
Open

RSAAndroid fails to verify RSA signatures when the public exponent is bigger than 2^32 #72906

runfoapp bot opened this issue Jul 27, 2022 · 8 comments
Labels
area-System.Security disabled-test The test is disabled in source code against the issue os-android
Milestone
Future

Comments

@runfoapp
Copy link

runfoapp bot commented Jul 27, 2022
edited
Loading

There are a bunch of cryptography failures on Android in rolling build 1905046. Here is an example of one:

https://helixre107v0xdeko0k025g8.blob.core.windows.net/dotnet-runtime-refs-heads-main-e21ac2efc94b48918e/Microsoft.Extensions.Caching.Memory.Tests/1/console.10ca6335.log?%3Fhelixlogtype%3Dresult

<test name="System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.BuildEmptyRsaPss(hashName: \&quot;SHA256\&quot;)" type="System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests" method="BuildEmptyRsaPss" time="0.031689" result="Fail">
        <failure exception-type="Xunit.Sdk.TrueException">
          <message><![CDATA[Certificate's public key verifies the signature\nExpected: True\nActual:   False]]></message>
          <stack-trace><![CDATA[   at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.<>c__DisplayClass17_0.<BuildEmptyRsaPss>b__0(X509Certificate2 cert, DateTimeOffset now) in /_/src/libraries/System.Security.Cryptography.X509Certificates/tests/CertificateCreation/CrlBuilderTests.cs:line 407
   at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.BuildRsaCertificateAndRun(IEnumerable`1 extensions, Action`2 action, Boolean addSubjectKeyIdentifier, String callerName) in /_/src/libraries/System.Security.Cryptography.X509Certificates/tests/CertificateCreation/CrlBuilderTests.cs:line 1490
   at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.BuildEmptyRsaPss(String hashName) in /_/src/libraries/System.Security.Cryptography.X509Certificates/tests/CertificateCreation/CrlBuilderTests.cs:line 382
   at System.Reflection.MethodInvoker.InterpretedInvoke(Object obj, Span`1 args, BindingFlags invokeAttr)]]></stack-trace>
        </failure>
      </test>

Runfo Tracking Issue: system.security.cryptography.x509certificates.tests work item

Build Definition Kind Run Name

Build Result Summary

Day Hit Count Week Hit Count Month Hit Count
0 0 0
@ghost ghost added the untriaged New issue has not been triaged by the area owner label Jul 27, 2022
@ghost
Copy link

ghost commented Jul 27, 2022

Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

Runfo Creating Tracking Issue (data being generated)

Author: runfoapp[bot]
Assignees: -
Labels:

area-System.Security
Milestone: -

@noahfalk noahfalk added blocking-clean-ci Blocking PR or rolling runs of 'runtime' or 'runtime-extra-platforms' os-android labels Jul 27, 2022
@ghost
Copy link

ghost commented Jul 27, 2022

Tagging subscribers to 'arch-android': @steveisok, @akoeplinger
See info in area-owners.md if you want to be subscribed.

Issue Details

There are a bunch of cryptography failures on Android in rolling build 1905046. Here is an example of one:

https://helixre107v0xdeko0k025g8.blob.core.windows.net/dotnet-runtime-refs-heads-main-e21ac2efc94b48918e/Microsoft.Extensions.Caching.Memory.Tests/1/console.10ca6335.log?%3Fhelixlogtype%3Dresult

<test name="System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.BuildEmptyRsaPss(hashName: \&quot;SHA256\&quot;)" type="System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests" method="BuildEmptyRsaPss" time="0.031689" result="Fail">
        <failure exception-type="Xunit.Sdk.TrueException">
          <message><![CDATA[Certificate's public key verifies the signature\nExpected: True\nActual:   False]]></message>
          <stack-trace><![CDATA[   at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.<>c__DisplayClass17_0.<BuildEmptyRsaPss>b__0(X509Certificate2 cert, DateTimeOffset now) in /_/src/libraries/System.Security.Cryptography.X509Certificates/tests/CertificateCreation/CrlBuilderTests.cs:line 407
   at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.BuildRsaCertificateAndRun(IEnumerable`1 extensions, Action`2 action, Boolean addSubjectKeyIdentifier, String callerName) in /_/src/libraries/System.Security.Cryptography.X509Certificates/tests/CertificateCreation/CrlBuilderTests.cs:line 1490
   at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.BuildEmptyRsaPss(String hashName) in /_/src/libraries/System.Security.Cryptography.X509Certificates/tests/CertificateCreation/CrlBuilderTests.cs:line 382
   at System.Reflection.MethodInvoker.InterpretedInvoke(Object obj, Span`1 args, BindingFlags invokeAttr)]]></stack-trace>
        </failure>
      </test>

Runfo Tracking Issue: system.security.cryptography.x509certificates.tests work item

Build Definition Kind Run Name Console Core Dump Test Results Run Client
1905046 runtime-extra-platforms Rolling net7.0-Android-Release-x86-Mono_Release-Ubuntu.1804.Amd64.Android.29.Open console.log test results runclient.py
1905046 runtime-extra-platforms Rolling net7.0-Android-Release-x64-Mono_Release-Ubuntu.1804.Amd64.Android.29.Open console.log test results runclient.py
1905046 runtime-extra-platforms Rolling net7.0-Android-Release-arm-Mono_Release-Windows.10.Amd64.Android.Open console.log test results runclient.py
1905046 runtime-extra-platforms Rolling net7.0-Android-Release-arm64-Mono_Release-Windows.10.Amd64.Android.Open console.log test results runclient.py
1904585 runtime-extra-platforms Rolling net7.0-Linux-Release-x64-CoreCLR_release-(Fedora.34.Amd64.Open)[email protected]/dotnet-buildtools/prereqs:fedora-34-helix-20220523150939-4f64125 console.log runclient.py
1903280 runtime-extra-platforms PR 72832 net7.0-MacCatalyst-Release-arm64-Mono_Release-OSX.1200.Arm64.Open console.log runclient.py
1903274 runtime-extra-platforms Rolling net7.0-Linux-Release-x64-CoreCLR_release-(Fedora.34.Amd64.Open)[email protected]/dotnet-buildtools/prereqs:fedora-34-helix-20220523150939-4f64125 console.log runclient.py
1902034 runtime-extra-platforms Rolling net7.0-Linux-Release-x64-CoreCLR_release-(Fedora.34.Amd64.Open)[email protected]/dotnet-buildtools/prereqs:fedora-34-helix-20220523150939-4f64125 console.log runclient.py
1901750 runtime-extra-platforms PR 72545 net7.0-MacCatalyst-Release-arm64-Mono_Release-OSX.1200.Arm64.Open console.log runclient.py
1900887 runtime-extra-platforms Rolling net7.0-Linux-Release-x64-CoreCLR_release-(Fedora.34.Amd64.Open)[email protected]/dotnet-buildtools/prereqs:fedora-34-helix-20220523150939-4f64125 console.log runclient.py
1900480 runtime-extra-platforms Rolling net7.0-Linux-Release-x64-CoreCLR_release-(Fedora.34.Amd64.Open)[email protected]/dotnet-buildtools/prereqs:fedora-34-helix-20220523150939-4f64125 console.log runclient.py
1900064 runtime-extra-platforms Rolling net7.0-Linux-Release-x64-CoreCLR_release-(Fedora.34.Amd64.Open)[email protected]/dotnet-buildtools/prereqs:fedora-34-helix-20220523150939-4f64125 console.log runclient.py

Build Result Summary

Day Hit Count Week Hit Count Month Hit Count
4 9 9
Author: runfoapp[bot]
Assignees: -
Labels:

area-System.Security, blocking-clean-ci, os-android, untriaged
Milestone: -

@runfoapp runfoapp bot mentioned this issue Jul 27, 2022
Closed
@bartonjs
Copy link
Member

The default RSA provider tests claim that Android supports both RSASSA-PSS and RSA with keys whose exponents are bigger than 32 bits; but this may be the only test that does both.

<test name="System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.BuildEmptyRsaPss(hashName: \"SHA256\")" type="System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests" method="BuildEmptyRsaPss" time="0.0771638" result="Fail">
<failure exception-type="Xunit.Sdk.TrueException">
<message>
<![CDATA[ Certificate's public key verifies the signature\nExpected: True\nActual: False ]]>
</message>
<stack-trace>
<![CDATA[ at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.<>c__DisplayClass17_0.<BuildEmptyRsaPss>b__0(X509Certificate2 cert, DateTimeOffset now) in /_/src/libraries/System.Security.Cryptography.X509Certificates/tests/CertificateCreation/CrlBuilderTests.cs:line 407 at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.BuildRsaCertificateAndRun(IEnumerable`1 extensions, Action`2 action, Boolean addSubjectKeyIdentifier, String callerName) in /_/src/libraries/System.Security.Cryptography.X509Certificates/tests/CertificateCreation/CrlBuilderTests.cs:line 1490 at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.BuildEmptyRsaPss(String hashName) in /_/src/libraries/System.Security.Cryptography.X509Certificates/tests/CertificateCreation/CrlBuilderTests.cs:line 382 at System.Reflection.MethodInvoker.InterpretedInvoke(Object obj, Span`1 args, BindingFlags invokeAttr) ]]>
</stack-trace>
</failure>
</test>
<test name="System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.BuildEmptyRsaPss(hashName: \"SHA384\")" type="System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests" method="BuildEmptyRsaPss" time="0.0057438" result="Fail">
<failure exception-type="Xunit.Sdk.TrueException">
<message>
<![CDATA[ Certificate's public key verifies the signature\nExpected: True\nActual: False ]]>
</message>
<stack-trace>
<![CDATA[ at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.<>c__DisplayClass17_0.<BuildEmptyRsaPss>b__0(X509Certificate2 cert, DateTimeOffset now) in /_/src/libraries/System.Security.Cryptography.X509Certificates/tests/CertificateCreation/CrlBuilderTests.cs:line 407 at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.BuildRsaCertificateAndRun(IEnumerable`1 extensions, Action`2 action, Boolean addSubjectKeyIdentifier, String callerName) in /_/src/libraries/System.Security.Cryptography.X509Certificates/tests/CertificateCreation/CrlBuilderTests.cs:line 1490 at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.BuildEmptyRsaPss(String hashName) in /_/src/libraries/System.Security.Cryptography.X509Certificates/tests/CertificateCreation/CrlBuilderTests.cs:line 382 at System.Reflection.MethodInvoker.InterpretedInvoke(Object obj, Span`1 args, BindingFlags invokeAttr) ]]>
</stack-trace>
</failure>
</test>
<test name="System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.BuildEmptyRsaPss(hashName: \"SHA512\")" type="System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests" method="BuildEmptyRsaPss" time="0.0070822" result="Fail">
<failure exception-type="Xunit.Sdk.TrueException">
<message>
<![CDATA[ Certificate's public key verifies the signature\nExpected: True\nActual: False ]]>
</message>
<stack-trace>
<![CDATA[ at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.<>c__DisplayClass17_0.<BuildEmptyRsaPss>b__0(X509Certificate2 cert, DateTimeOffset now) in /_/src/libraries/System.Security.Cryptography.X509Certificates/tests/CertificateCreation/CrlBuilderTests.cs:line 407 at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.BuildRsaCertificateAndRun(IEnumerable`1 extensions, Action`2 action, Boolean addSubjectKeyIdentifier, String callerName) in /_/src/libraries/System.Security.Cryptography.X509Certificates/tests/CertificateCreation/CrlBuilderTests.cs:line 1490 at System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.CrlBuilderTests.BuildEmptyRsaPss(String hashName) in /_/src/libraries/System.Security.Cryptography.X509Certificates/tests/CertificateCreation/CrlBuilderTests.cs:line 382 at System.Reflection.MethodInvoker.InterpretedInvoke(Object obj, Span`1 args, BindingFlags invokeAttr) ]]>
</stack-trace>
</failure>
</test>

The only failures are in the CrlBuilderTests.BuildEmptyRsaPss test, and that test is passing everywhere except Android.

@bartonjs bartonjs mentioned this issue Jul 27, 2022
Merged
@steveisok steveisok removed the untriaged New issue has not been triaged by the area owner label Jul 27, 2022
@bartonjs bartonjs added the disabled-test The test is disabled in source code against the issue label Jul 27, 2022
@danmoseley danmoseley removed the blocking-clean-ci Blocking PR or rolling runs of 'runtime' or 'runtime-extra-platforms' label Jul 28, 2022
@steveisok steveisok added this to the Future milestone Aug 1, 2022
@vcsjones vcsjones mentioned this issue Aug 2, 2022
Merged
@bartonjs
Copy link
Member

bartonjs commented Aug 3, 2022

Newer tests show that even RSASSA-PKCS1 is failing with big-exponent keys; it looks like RsaVerificationPrimitive is not working how we'd expect. That makes big-exponent encryption also suspect.

@bartonjs bartonjs changed the title system.security.cryptography.x509certificates.tests work item RSAAndroid fails to verify RSA signatures when the public exponent is bigger than 2^32 Aug 3, 2022
@vcsjones
Copy link
Member

Looking at this:

https://github.com/google/boringssl/blob/ce65c1daf827f870cde6b54ee14e59117f38c0de/crypto/fipsmodule/rsa/rsa_impl.c#L88-L99

BoringSSL, the cryptographic provider used by conscrypt in Android, does not permit RSA e greater than 33-bits (yes 33 not 32).

I haven't yet figured out why sign appears to work and verify does not, but judging from the commentary it appears the intention is that verifying with a large public exponent is disabled to mitigate DoS.

@bartonjs
Copy link
Member

Probably "you have the private key, you do you", vs "you got this public key from a certificate, oh, they're trolling you".

It'd be nicer if they failed at key import, though.

@vcsjones
Copy link
Member

vcsjones commented Mar 7, 2023

I got some amount of confirmation from a Google contact saying "Yes, we limit public key operations with an exponent of <= 2^33". So these disabled tests should become either conditional tests, or, where appropriate, don't use a large exponent (I seem to recall a number of the CRL tests using big exponents exclusively).

@steveisok steveisok modified the milestones: Future, 8.0.0 Mar 7, 2023
@steveisok
Copy link
Member

@vcsjones thanks, we can work to get these enabled.

@steveisok steveisok modified the milestones: 8.0.0, Future Aug 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area-System.Security disabled-test The test is disabled in source code against the issue os-android
Projects
None yet
Milestone
Future
Development

No branches or pull requests
5 participants
@vcsjones @steveisok @noahfalk @danmoseley @bartonjs