Opened 2 years ago

Closed 2 years ago

#2005 closed defect (fixed)

SelfSignedGenerator.java - invalid rsa private keys

Reported by: backup Owned by: zzz
Priority: minor Milestone: 0.9.31
Component: api/crypto Version: 0.9.30
Keywords: Cc:
Parent Tickets: Sensitive: no

Description

SelfSignedGenerator?.java creates according to openssl check invalid rsa private keys for RSA_SHA256_2048, RSA_SHA384_3072, RSA_SHA512_4096.

Also the rsa private keys are too small (is: 1525 bytes):
With header and Base64.getEncoder() an encoded rsa 4096 key is expected to be ~3272 bytes.

Testing:
activate: public static void main in SelfSignedGenerator?.java
run: java -cp $I2P/lib/i2p.jar net.i2p.crypto.SelfSignedGenerator? main
check results with openssl:

openssl rsa  -in test4.priv -text -noout -check
openssl rsa  -in test5.priv -text -noout -check
openssl rsa  -in test6.priv -text -noout -check
Private-Key: (4096 bit)
modulus:
    00:d5:fb:e9:9e:e5:8f:70:ac:e4:f6:f8:76:4d:39:
    b7:24:ec:59:7f:8c:7c:82:67:2c:f3:06:d6:74:73:
    ec:80:48:d0:ae:be:cf:dc:8a:08:59:57:62:14:5a:
    0f:80:0f:0c:21:bf:a3:24:13:b4:11:a2:c9:c5:ae:
    22:ab:97:8c:09:c5:99:2e:e2:89:64:43:2d:d7:62:
    4b:77:0e:5f:af:f1:a0:57:93:12:3c:82:15:f4:14:
    19:0f:17:42:d8:41:46:67:58:16:44:01:c8:b1:c8:
    b7:1b:bf:ed:ba:47:30:b3:f1:e7:8f:03:f7:f2:fd:
    8d:27:97:02:ec:72:aa:1d:4c:a3:94:a4:32:43:2c:
    0e:b1:bd:fd:ae:cf:35:d7:46:f3:9b:a6:44:4d:9f:
    e5:40:ab:bc:c2:bb:db:86:10:38:a8:ce:47:fb:35:
    12:2c:45:7a:d0:87:3b:ea:aa:15:b3:e3:b4:86:8f:
    a1:15:bd:f1:6c:d2:2d:26:0a:bc:50:a2:57:6d:2f:
    f3:1e:a3:cb:59:fa:ac:02:bf:e0:62:9f:ca:0f:32:
    e7:8f:fe:bd:67:29:a1:b5:9a:45:f3:49:05:16:f8:
    3b:cb:02:42:0c:37:b9:20:76:cc:5b:08:64:a5:56:
    f1:71:b4:f4:89:ec:43:e8:fa:5e:95:44:2b:8b:e5:
    2a:10:49:f3:63:61:ad:7a:d5:52:b9:10:60:2f:7b:
    34:91:4e:d7:22:11:5e:70:82:a9:99:9c:38:f3:d3:
    98:ef:99:56:45:34:42:d7:8a:b0:1b:1b:ad:d0:a8:
    6e:8e:cc:fd:f3:2c:e3:a5:d4:7c:16:ca:e5:1b:73:
    5f:30:3d:95:04:f7:60:05:91:ff:aa:ef:a0:ba:b4:
    c3:bd:fd:cc:13:e2:85:8a:d0:1d:60:9d:e5:9f:cd:
    9d:d2:c5:ce:82:9e:e7:44:02:5f:f3:1a:7b:a9:69:
    43:4d:1f:f9:ce:fb:15:c4:f9:a0:80:bb:77:9a:b0:
    91:97:53:b4:89:cc:72:81:68:17:c0:d9:72:85:f0:
    f2:ce:87:cb:e4:37:a2:cc:fb:e8:a2:68:84:63:15:
    1c:6a:52:f8:ed:97:4f:90:c1:f0:ab:08:49:89:57:
    15:01:d8:a2:68:51:5f:b1:5a:59:5c:09:9a:4c:85:
    62:11:40:d7:20:a1:79:bd:4b:76:cf:70:6f:9d:c0:
    e8:dc:d1:ae:e9:6f:cd:31:97:85:01:36:2f:78:0b:
    31:e8:98:46:91:67:73:f3:60:74:5e:2b:44:5f:3a:
    a1:6e:5f:1d:52:53:d2:9b:5e:8d:5b:89:85:3c:cd:
    6f:40:c3:a0:ce:df:a5:2c:fe:ea:8e:f1:77:ba:f1:
    d4:3d:ad
publicExponent: 0
privateExponent:
    1d:99:17:aa:73:e4:50:58:89:df:23:64:f1:af:9f:
    06:8b:6e:a1:b6:e3:ee:01:a9:75:00:28:1f:b9:7d:
    28:0d:6a:58:11:6a:9c:fd:b6:c3:ec:d3:53:2f:55:
    df:87:b5:4c:e1:be:06:1a:77:98:cc:e4:8d:e4:55:
    45:58:d3:f4:f2:11:0b:2c:28:86:e6:c7:eb:77:dc:
    2a:5e:a1:9b:ab:97:5b:25:ab:ab:14:ef:46:70:95:
    3a:c2:23:eb:d7:b3:8e:4d:df:de:8e:44:9d:5a:bf:
    01:26:9e:12:5b:10:80:83:60:5d:26:d6:60:14:f4:
    36:5a:ab:fb:da:ac:6f:1b:0f:b1:5a:b8:dd:13:b6:
    00:9d:df:fe:13:09:46:7a:b8:ed:79:a5:0e:fb:a3:
    f1:3b:10:03:fb:8a:14:d4:1f:92:31:de:41:00:09:
    40:78:67:d1:7a:33:2e:75:52:45:2c:a4:e6:cb:ed:
    23:1d:bf:cc:26:92:3a:25:d8:00:6b:44:1e:85:38:
    62:af:93:4c:21:e1:33:0c:29:54:5a:f7:ce:fc:62:
    8d:47:56:19:73:e7:bb:3f:d8:97:1b:2d:8a:0c:d1:
    f0:75:a2:7f:20:22:0a:3c:84:6d:bf:0e:74:d4:3e:
    d7:54:89:52:9e:8c:92:28:37:76:fc:13:ed:e8:c7:
    d5:72:05:d6:68:b9:1a:3a:bd:bb:35:3f:d8:4a:0c:
    37:74:8a:5b:e8:3a:ed:2b:db:04:ea:7f:84:2f:44:
    90:1b:ee:1d:5f:62:ce:1e:cc:c9:24:f1:3a:68:3c:
    f7:1f:b5:89:31:ed:67:30:c6:33:2f:1e:f4:4b:a6:
    9f:c8:1b:ac:a2:be:a8:8c:80:65:9c:55:c1:3e:e8:
    42:d9:f4:80:70:3c:e8:ad:3a:a2:c6:52:59:b9:ee:
    55:2c:06:38:48:1b:11:1c:f1:8d:b1:fb:84:8a:db:
    f3:d7:e9:91:28:87:30:a6:1a:71:0f:02:df:bc:61:
    bd:8b:4a:4c:b8:b3:35:bb:0f:63:ef:92:e9:d8:13:
    37:a6:41:3d:50:ef:ed:6d:85:a0:03:37:cf:27:12:
    0f:8e:ce:b1:62:43:0d:63:41:66:20:41:e4:79:05:
    aa:e3:7d:8c:36:50:2e:ad:f6:9e:c4:26:62:67:73:
    dc:89:b0:26:3e:4c:43:2b:2c:64:a0:31:ed:1d:7d:
    80:66:22:fe:20:1f:3c:dd:e2:bd:3a:38:a9:35:4e:
    67:1b:8e:dd:f2:86:ad:51:db:36:13:60:2c:58:b3:
    09:78:4c:41:ac:66:21:54:01:d2:a4:7f:5c:8b:76:
    77:a8:17:e9:37:50:1d:1a:e3:27:89:18:0c:60:8e:
    b1:01
prime1: 0
prime2: 0
exponent1: 0
exponent2: 0
coefficient: 0
139705402380160:error:040A0065:rsa routines:RSA_check_key_ex:bad e value:crypto/rsa/rsa_chk.c:50:
139705402380160:error:040A0080:rsa routines:RSA_check_key_ex:p not prime:crypto/rsa/rsa_chk.c:56:
139705402380160:error:040A0081:rsa routines:RSA_check_key_ex:q not prime:crypto/rsa/rsa_chk.c:62:
139705402380160:error:040A007F:rsa routines:RSA_check_key_ex:n does not equal p q:crypto/rsa/rsa_chk.c:72:
139705402380160:error:040A007B:rsa routines:RSA_check_key_ex:d e not congruent to 1:crypto/rsa/rsa_chk.c:105:
139705402380160:error:0306B067:bignum routines:BN_div:div by zero:crypto/bn/bn_div.c:179:

Subtickets

Change History (6)

comment:1 Changed 2 years ago by backup

KeyGenerator?.java >
KeyPairGenerator? kpg = KeyPairGenerator?.getInstance(type.getBaseAlgorithm().getName());
kpg.initialize(type.getParams(), _context.random());
kp = kpg.generateKeyPair();
—> is ok for rsa, the new created private rsa key is ok.

I assume the error has to be in SigUtil?.java, several transformations are called:

keys[0] = SigUtil?.fromJavaKey(pubkey, type);
keys[1] = SigUtil?.fromJavaKey(privkey, type);
PublicKey? jpub = SigUtil?.toJavaKey(pub);
PrivateKey? jpriv = SigUtil?.toJavaKey(priv);

comment:2 Changed 2 years ago by zzz

Status: newopen

Why priority critical? What does this impact?

comment:3 Changed 2 years ago by backup

If there is a bug with the rsa keys creation, we would deal with damaged or truncated/shortened rsa key - this a security issue for all who use the KeyStoreUtil?.

If it's only a minor export problem (keystore—>pem) then this is of course only a minor problem.

comment:4 Changed 2 years ago by zzz

Milestone: undecided0.9.32
Owner: set to zzz
Priority: criticalminor
Status: openaccepted

reproduced here.

Indeed, the PEM doesn't contain the publicexponent, prime1/2, exponent1/2, and coefficient values. Those values are present in the PEM generated the "old" way (by calling out to keytool).

It's not clear how to generate those programatically, there's no place for them in the KeySpec? constructor http://docs.oracle.com/javase/6/docs/api/java/security/spec/RSAPrivateKeySpec.html but perhaps we just need to switch to this one http://docs.oracle.com/javase/6/docs/api/java/security/spec/RSAMultiPrimePrivateCrtKeySpec.html or this one http://docs.oracle.com/javase/6/docs/api/java/security/spec/RSAPrivateCrtKeySpec.html

I believe all these values are implicit or derivable from the modulus and private exponent.

It isn't clear if we are losing the values somewhere in all the transformations, or if the values were never there because we don't use the correct constructor.

I don't believe this is a major problem. The private keys aren't corrupt or too small, the encoding is valid, they just don't contain all the parameters required to make openssl happy. The javadoc links above have simple descriptions of what each field means and how to derive them.

I'll put this on my list for .32.

comment:5 Changed 2 years ago by zzz

I have a fix I will check in after the 0.9.31 release. It preserves the "CRT" (Chinese Remainder Theorem) parameters that openssl requires in the PEM. As a happy byproduct, it speeds up signing by 3.3x. The fix only works for new keys. There's no easy way to recover the parameters for existing keys.

comment:6 Changed 2 years ago by zzz

Milestone: 0.9.320.9.31
Resolution: fixed
Status: acceptedclosed

.31 release delayed, so pushed in c36cf9aa5fb6dfbee2436b4972baef01e2b1617a 0.9.30-19-rc

Note: See TracTickets for help on using tickets.