ghbutton / react-native-simple-crypto

A simpler React-Native crypto library
https://www.npmjs.com/package/react-native-simple-crypto
MIT License
42 stars 25 forks

Calling RSA functions with faulty inputs crashes the app #31

Open pke opened 3 years ago

pke commented 3 years ago

Would it be possible to catch errors on the native side to not crash the app when exceptions happen on the native side?

When handing in invalid data to the RSA functions, like a private key to RSA.encrypt, the app crashes instantly.

ghbutton commented 3 years ago

Yeah, that makes sense. Do you have some example data I can test with? Just some throwaway private key?

pke commented 3 years ago

Thanks for your swift response!

pke commented 3 years ago

While we are at it:

const decryptedBytes = await RNSimpleCrypto.RSA.decrypt(RNSimpleCrypto.utils.convertUtf8ToArrayBuffer(recipient.encryptedContent.content), privateKeyString)

Crashes the app. recipient.encryptedContent.content is a string with binary data from a decoded PKCS#7.

The following is what I see on the console, but of course console tries to print in UTF-8 encoding.

[Fri Feb 26 2021 18:00:03.416]  LOG      recipient {"encryptedContent": {"algorithm": "1.2.840.113549.1.1.1", "content": ".¥uÀÜ´…5†èE&3ý®D–\Ž>°äßó:F+I¿ûxmX¬>qÌSF7þdÀ|õ\"çǐó~>Ìêï×®eEö÷fê@žÃŸÃÅÉ ãÛp¡C&1ѺºÉâ²l!’¢±ËË\\)
             Ti—c>+SÎR®ÌDƒÁ—Ï„÷Š}—õÜ\\§ õÝ{ÄáÂîSõÝa¢ÂD0ˆ¯Ò…Ì_³¾Ñ̯Q_ÏN7ÍڎM’V¿
¶¹µûûÊ]ùVwvò%
aÂ9øòӊùÏ¡7®DY6壬¡õçƔv.}Ûi'öí©
                                 ‚ôL«üSoª]èå¦W˜Èša-^¹[²-” -R
qfª®Fϝê>ý‹Íú{.ÐqÔ9h×$³%j¥´çv»ñ†iÜÅâzN¾DÉ                  Úçñh,«=B_D¹‹¦a´Èõ¤»h¯ÔÇoÃc‘¸zéú7nύŠ)ˆÖ\\
ìËù÷«®=¯f$äPœ”å¢ V*'¥ö¸:nÓ]ä\\jԣѨ£­~9¾Ð°vbSwƒA¯>mJZ§… pzÚ×7!îi¡<‡,Á-‹›¡_ž$n҂¸åè1t±˜ò«G¸¡µÄn½¢ˆÛu¾¨ñTî{2ºì·çª\\䵍§uÒoamY{^8z:ö¢ïfµ"}

So in which representation should RSA.decrypt get its first argument?

ghbutton commented 3 years ago

I think it is different for iOS / Android. Both expect a hash with both public key and a private one. iOS seems to encode in base64, Android uses an array buffer. Are you trying to generate a set of public / private keys using some memory storage? We could try to create a function to format the keys properly given base64 public and private key input.
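
An app-side guard for the two failure cases raised in this thread (a private key handed to RSA.encrypt, and a binary string passed through a UTF-8 conversion before RSA.decrypt), as an added example that is not part of the thread or of the library's code. The helper names `pemLabel`, `requireKeyKind`, `binaryStringToBytes` and `guardedDecrypt` are hypothetical, `nativeDecrypt` stands in for the native call, and the sample bytes are constructed.

```javascript
// Added example (not library code); every helper name here is hypothetical.
const PEM_RE = /^-----BEGIN ([A-Z ]+)-----([A-Za-z0-9+/=\s]+)-----END \1-----$/;

// Return the PEM label ("RSA PRIVATE KEY", "PUBLIC KEY", ...) or throw.
// Structural check only: the DER inside the block is not parsed.
function pemLabel(pem) {
  const m = typeof pem === 'string' ? PEM_RE.exec(pem.trim()) : null;
  if (!m) throw new TypeError('not a PEM block');
  return m[1];
}

// Reject a key of the wrong kind before it is handed to native code.
function requireKeyKind(pem, kind) { // kind: 'PUBLIC' or 'PRIVATE'
  const label = pemLabel(pem);
  if (!label.endsWith(`${kind} KEY`)) {
    throw new TypeError(`expected a ${kind} key, got "${label}"`);
  }
  return pem;
}

// A "binary string" carries one byte per UTF-16 code unit (0..255).
// Copy code units to bytes one-to-one; any unit above 0xFF means the data
// was already damaged by a text decode and is rejected.
function binaryStringToBytes(s) {
  const out = new Uint8Array(s.length);
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c > 0xff) throw new RangeError(`code unit ${c} at index ${i} is not a byte`);
    out[i] = c;
  }
  return out;
}

// Validate, then call. `nativeDecrypt` stands in for the native RSA call
// (assumption); bad input throws here, before native code runs.
function guardedDecrypt(nativeDecrypt, binaryContent, privateKeyPem) {
  requireKeyKind(privateKeyPem, 'PRIVATE');
  return nativeDecrypt(binaryStringToBytes(binaryContent), privateKeyPem);
}

// Constructed sample: four ciphertext bytes held in a binary string.
const SAMPLE = '\x00\x9f\xe5A';
const asBytes = binaryStringToBytes(SAMPLE);      // one byte per code unit
const asUtf8 = new TextEncoder().encode(SAMPLE);  // bytes >= 0x80 expand to two
console.log(asBytes.length, asUtf8.length, Buffer.from(asBytes).toString('base64'));
```

Whether the native side then wants the bytes or their base64 form is the open question in the thread; the guard only ensures the bytes themselves are intact and the key is of the expected kind.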