Browser freezing when call method importX509() #459

Closed
2 tasks done
taylortrey opened this issue Sep 26, 2022 · 4 comments

What happened?

Hi there!

I've found a place where a while loop just goes to infinity.
Follow the chain importX509() -> getSPKI() -> spkiFromX509() -> getElement() -> parseElement(); parseElement() is the last method, where you have the while loop, exactly the one that is in the condition if (length === 0x80).

To reproduce this I've attached my JWS input data below.
Thanks in advance!

Version

v4.9.3 and less

Runtime

Browser

Runtime Details

Chrome Browser/Safari/Firefox

Code to reproduce

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.eyJhY3NFcGhlbVB1YktleSI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6IjRmRVdraUp6S1RvbUMwMUhrN3JrSDFKVG5lR2RaYW5LOHZsemExRExUZEUiLCJ5IjoieXd4b0tiQnluaFh3V3d2LXg0Q1Atc0IyTEhzLUJyQnlIN0I2RDZHWlJQVSJ9LCJzZGtFcGhlbVB1YktleSI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6IlV4bHg2TlNJOHBXZG5XZ1lJRjBDR3lrZk1DVkNaTC0zdTVzMW1HVmw3MDAiLCJ5IjoiTWVxS0hMMXZseG9TVFAwMGhLUnhqLVllb2lTekpxWktFZWFvLVRQbGJaayJ9LCJhY3NVUkwiOiJodHRwczovL2Fjcy1zZXJ2ZXIucWEtcGF5c2ltLm1zaWduaWEuY29tL2FwaS92MS9jaGFsbGVuZ2VzIn0.SsXH1wvFNQc8x6mplybxkPU8QimffBgeqZqVJVb4H71qcDV-hCiuApXDmdX45yMU94JqX-OWx0C9_vKkmkNyHubQkAnQJwlolwukKANkzCDk1qIkUHN7MjRDTLMzMkmWqMZ0m8IZmJ3qZ9xTJkzFdp75BJpTo-AEeODT-ZCd6eXdx70gzMhkP9VqAiGuquv7TOI5ke4vkflEBWzqilJp4w48Tut2_ldGmpMZZlIkebkfSHgTeqQYPVJl_J9mNJweAFpSULBompB0uKHS8Jmc034VKHsikpjXsvpBcoKvbp95Qm-b-6VFGyLHJ9YsEbJxNK7tuFFWapOdDalIVCdm8Q

Required

  • I have searched the issues tracker and discussions for similar topics and couldn't find anything related.
  • I agree to follow this project's Code of Conduct
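
A bounded DER header reader, as an added example that is not the jose source or its fix: it rejects the `0x80` (indefinite) length octet named in the report, which DER forbids, instead of scanning for a terminator, and checks every read against the input length. The names `readDerElement`, `children` and `SAMPLE` and the sample bytes are constructed for illustration.

```javascript
// Read one DER tag-length-value header at `offset`. Every read is checked
// against bytes.length, so no loop can run past the input.
function readDerElement(bytes, offset = 0) {
  let pos = offset;
  const need = (n) => { if (pos + n > bytes.length) throw new RangeError('truncated DER element'); };

  need(1);
  const first = bytes[pos++];
  let tag = first & 0x1f;
  if (tag === 0x1f) {
    // High-tag-number form: base-128 digits, continuation bit 0x80.
    tag = 0;
    let b;
    do {
      need(1);
      b = bytes[pos++];
      tag = tag * 128 + (b & 0x7f);
      if (tag > 0xffffff) throw new RangeError('tag number too large');
    } while (b & 0x80);
  }

  need(1);
  const lengthOctet = bytes[pos++];
  let length = lengthOctet; // short form when < 0x80
  if (lengthOctet === 0x80) {
    // Indefinite length is BER only; DER, and therefore X.509, forbids it.
    throw new RangeError('indefinite length is not valid DER');
  } else if (lengthOctet > 0x80) {
    const count = lengthOctet & 0x7f; // long form: number of length octets
    if (count > 4) throw new RangeError('length field too large');
    need(count);
    length = 0;
    for (let i = 0; i < count; i++) length = length * 256 + bytes[pos++];
  }
  if (pos + length > bytes.length) throw new RangeError('content exceeds input');
  return { tag, constructed: (first & 0x20) !== 0, start: pos, end: pos + length };
}

// Direct children of a constructed element; pos always advances by >= 2 bytes.
function children(bytes, parent) {
  const out = [];
  for (let pos = parent.start; pos < parent.end; pos = out[out.length - 1].end) {
    out.push(readDerElement(bytes.subarray(0, parent.end), pos));
  }
  return out;
}

// Constructed sample: SEQUENCE { INTEGER 5, OCTET STRING aa bb }
const SAMPLE = Uint8Array.from([0x30, 0x07, 0x02, 0x01, 0x05, 0x04, 0x02, 0xaa, 0xbb]);
console.log(children(SAMPLE, readDerElement(SAMPLE)).map((e) => e.tag));
```
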
@panva
Owner

panva commented Sep 26, 2022

Kindly provide code to reproduce, not just a JWS.

@panva added the "waiting for feedback" label (The OP is asked for feedback or a proposal) Sep 26, 2022
@taylortrey
Author

Oh sorry, sure:

import { importX509, compactVerify } from 'jose';

const certificatesContent = {
x5c: ["MIID5jCCAs6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADB7MQswCQYDVQQGEwJVUzELMAkGA1UECBMCVE4xEDAOBgNVBAoTB01TSUdOSUExDDAKBgNVBAsTA1JORDEXMBUGA1UEAxMOTVNJR05JQSBSTkQgQ0ExJjAkBgkqhkiG9w0BCQEWF3BhdmxvLmx5c292QG1zaWduaWEuY29tMB4XDTE5MTExMzA4MjAwMFoXDTI4MTExMzA4MjAwMFowgYAxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJUTjEQMA4GA1UEChMHTVNJR05JQTEUMBIGA1UECxMLTVNJR05JQSBSTkQxFDASBgNVBAMTC01TSUdOSUEgUk5EMSYwJAYJKoZIhvcNAQkBFhdwYXZsby5seXNvdkBtc2lnbmlhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKRoo30zttpiFlBKnOAmlOcT07xPms7Z6/ZdN9KnE/PoNQx7g6+Ap6b+trA2WDG80jEtwAy5XJcm81rBvJJvjwWQhiPjhXHvEibl+5zTYEXQtvl3qKNdikXuXPBLI/rwmZTNZd2aa5biVoLEY+cQVLOjdAZS9ZIkeuLYeLEZfNky7rLa4XyRO4W4XEUWgafOp+ZSXATOz48XCb+fmaek4d8epsVJ/X3Qww9I9mqg8QA7/EH9ASOYvbMzOjSuDjYBCRq4SJw/YBJDnBcBJSESzLJDDCJQyP4BOD2+P5UZ/OWSNyzEDCLfLsiCVjdt0mNXrn/tGpdLoy1rVfC2SOAoZEUCAwEAAaNvMG0wDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUU/luo/bbBOlrQ7wrC3+ggkITcSYwCwYDVR0PBAQDAgSwMBEGCWCGSAGG+EIBAQQEAwIFoDAeBglghkgBhvhCAQ0EERYPeGNhIGNlcnRpZmljYXRlMA0GCSqGSIb3DQEBCwUAA4IBAQAXroFZ9FeP10gtQguptDo6U0SIAB9nqjN1IktyqatfUuVtThuxXAb3QQ7kYmGCZEaOIKoFdVc8i9aR5ZrYC1VIN4+cGLv7P36Zl2q4i2G/X0QzniPPvsPyOUXeTVs3k6Sxe07uWdxsglq9LcVW++PvGYzotZP+ZtmTzYAQtgadhPNo7+QmTO1FDju9p9hTFK7WhmXAO48bF9jrFiTkbwmo6PdlQiqiPQYlbfO0XV727QUZ1YyG8rR/3VVRsBOmwZBKCj0dkh9eiRcNpJloqe1uZ83EBG/WCic5wE9P+Ol/pFNJFpfjXMsmT8lkCK954aYf2xoH1bHkONYAEEk0iQu/"],
alg: 'PS256'
};
const jws = "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.eyJhY3NFcGhlbVB1YktleSI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6IlNfRnRPM2gzaU1BTjRrejNYVzNXMFplY2RGZUNWbFpxaUlycTlfVFo4cFkiLCJ5IjoiVmlWa3dkT3NHX0hYaGhEdVVRT2dLMThyYWF4b2swTGN2VVotWVlrdkVFSSJ9LCJzZGtFcGhlbVB1YktleSI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6ImtJY1I0WS1HVDg3M0lCMTRBbE90eFF1OS1TQUN6TENqU0VvcGpjSVpkSlkiLCJ5Ijoic0pkc2xpelNoYzlsTEIwRDFCRmpYMFFPYWhJN1liSU5tbTVUeE41bGtKYyJ9LCJhY3NVUkwiOiJodHRwczovL3FhLWFjcy1zZXJ2ZXIuYXBwLm1zaWduaWEtcm5kLnRlY2gvYXBpL3YxL2NoYWxsZW5nZXMifQ.h3ctGie6AIwobhGtzsm3Kc5TXCS7AuUJBW42P94UoyESNUMqzECnCj_GlROtXUDhDx0Y90Efv7A_ZBAFZAPf8wJdgCy9Qd4SVpSlvSva7ee5c6uy3OTSwaJEzP3H-j0YRPevEugLWfXrb2LoyAHHI9sNgl-_8d35_B8cnWV19-7y-fzdnOQhHBiK-T6kX-Taplk1v5c7hzNF4CsCeE4aY7RCrrKREseAnnZCoTA-QvYIM2ODd0WCEegSFiPwyaiVHxkkYUSGsLUcNG7JSp4qzHwH-WbJo4q_vcTraMfux3F8iKvjPyXbjK2WRpLHwI9uPzClrPoiHT4NL1vfqPtTQw";
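// Method excerpt from the reporter's class.
public async verify(jws: string, certificatesContent: any) {
    const certificates: string[] = certificatesContent.x5c;
    // Wrap the base64 certificate from x5c in PEM armor for importX509().
    const cert = '-----BEGIN CERTIFICATE-----' + certificates[0] + '-----END CERTIFICATE-----';

    // Per the issue title, the browser freezes inside this call.
    const publicKey = await importX509(cert, certificatesContent.alg);
    // compactVerify() rejects when verification fails, so the check below only guards a falsy result.
    const isVerified = await compactVerify(jws, publicKey);

    if (!isVerified) {
        throw new AcsSignedContentError("JWS Content have not been verified");
    }
    return true;
}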

@panva
Owner

panva commented Sep 26, 2022

Do you feel like looking into the issue further? Possibly identifying and fixing the problem?

@taylortrey
Author

I would love to, but unfortunately I don't feel that I'm strong in this case to fix this error.

@panva removed the "waiting for feedback" label (The OP is asked for feedback or a proposal) Sep 27, 2022
@panva closed this as completed in 47d0d77 Sep 27, 2022
@github-actions bot locked and limited conversation to collaborators Jan 2, 2023