OK, I agree that this is not a security problem but UI issue only.
However, note that the UI says "Public key" and before that "Key
algorithm: RSA". As such, the public key should not have any extra bytes
at the start or at the end, just the public RSA 2048 bit key as is (as
desribed by "Key Algorithm" and "Key Size" fields immediately above).
Also note that the key displayed by gcr-viewer does not match key value
displayed by `openssl x509 -in ... -text`, Google Chrome, nor Firefox.
Is this also by design?
That said, I agree that gcr-viewer doesn't show the exponent separate
from the modulus either so maybe the easiest fix would be to change the
label "Public Key" to say "DER Encoded Public Key" to make it obvious
that user must decode the encoding of the key by themselves. When I'm
viewing PEM encoded key I sure didn't expect to see the public key as
DER encoded raw data.
A better fix would be to render modulus and exponent as separate fields
without any extra bytes. Of course, that would require different code
paths for e.g. RSA and x25519.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gcr in Ubuntu.
https://bugs.launchpad.net/bugs/1969118
Title:
Certificate viewer shows extra bytes for RSA keys
Status in gcr package in Ubuntu:
Invalid
Bug description:
When I view a x509 certificate using
gcr-viewer .../path/to/certificate.pem
and open the "Details" section and check the RSA public key
information, the section that lists the public key renders extra 8
bytes at the start and 5 bytes at the end which are not actually part
of the key.
I haven't tried if this happens with other file types except x509, or
with encryption methods except RSA. The exact certificate I viewed can
be downloaded from https://crt.sh/?d=6454583403 and the expected
public key modulus should start with 00:b6:28:0b:44:... but the
certificate viewer shows public key starting with bytes 30 82 01 0A 02
82 01 01 00 B6 28 0B 44. Note the extra bytes 30 82 01 0A 02 82 01 01.
The extra bytes seem to be static and do not change after re-lanching
the viewer again. There are also extra bytes in the end of the
displayed key.
I'm marking this bug as a security vulnerability for now because
(1) This tool is supposed to used to check encryption credentials, and
(2) It's still unknown if this is some kind of 8 byte underflow/5 byte
overflow or just a rendering problem. I'm not aware of the viewer writing extra
bytes to any memory location so I would assume this is just a rendering issue.
I'm fine with this issue being public so feel free to publish at your
discretion.
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: gcr 3.28.0-1
ProcVersionSignature: Ubuntu 5.4.0-107.121~18.04.1-lowlatency 5.4.174
Uname: Linux 5.4.0-107-lowlatency x86_64
ApportVersion: 2.20.9-0ubuntu7.27
Architecture: amd64
CurrentDesktop: MATE
Date: Thu Apr 14 15:47:18 2022
EcryptfsInUse: Yes
InstallationDate: Installed on 2019-01-05 (1194 days ago)
InstallationMedia: Ubuntu 18.04.1 LTS "Bionic Beaver" - Release amd64
(20180725)
SourcePackage: gcr
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gcr/+bug/1969118/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
