generateKey occasionally produces bad ECDSA public keys

Number:rdar://35729330 Date Originated:2017-11-28
Status: Resolved:
Product:Safari Product Version:11.0.1 (13604.3.5)
Classification: Reproducible:Approximately once every 200 trials

crypto.subtle.generateKey({{ name: "ECDSA", namedCurve: "P-256", }, true, ["sign", "verify"]) will occasionally (about 1 out of 200 times) produce keys that when exported contain points that are not on curve P-256.

The most apparent symptom is that Safari will fail when attempting to verify signatures created with these keys. But other browsers refuse to import these keys.

Summary for crypto team:

A few JWK exported ECDSA generated keys give x,y pairs that are not on the curve.

We do not know if the bug is in the generator or in the exporter.

Steps to Reproduce:

Overview of how to reproduce.

1. Generate a large number of keys (say 500).
2. Export to JWK.
3. Test validity of the keys.

There are multiple ways to test the validity of the generated keys.

- Sign data using the key and then attempt to verify the signature.
- Mathematically compute that the x and y values correspond to a point on curve P-256
- Import the exported keys into other browsers.

All three tests confirm that some bad keys are generated.

For steps 1 and 2, see the attached files [...] Note that as keys are randomly generated, each run of the script will produce a different 500 keys.

In that output file of 500 private keys, three are bad. Those are 




To test these sample load testKeys.js[...]

Expected Results:

All generated keys should pass all tests

Actual Results:

A few generated/exported keys fail. 

Impact: [...]


We suspect that the Safari bug is in creating the representation of x. That may be in the generation process or it may be in the export process. (Hey, we have to leave something for you to test.)

The reason for this is that some of the bad keys we've seen have x values which cannot correspond to any y. Given the x of E8BDqZcRjbq1SRIyOG5xs6-bY-_CkXrPhgUfZFXAcAA in foo-467 computing y^2 := x^3 - 3x + b (where b and the modulus are defined in curve P-256) results in a y^2 that is not a quadratic residue in the underlying group.

The other two bad keys do allow us to compute a y^2 that do happen to be quadratic residues, but do not correspond to the y given in the exported key.

We have only tested P-256 keys.

Note for open-radar readers:

The actual rdar contained several attachments with testing and generating scripts, as well as buckets full of generated test data and screenshots.

Security: We did not see any security implications of this issue but filed it under Security nonetheeless, as misbehavior of some cryptographic routine is something that needs to be treated as a security issue until determined otherwise. Apple has since confirmed that there are no security implications, and reclassified it. Only after that reclassification are we sharing this publicly.


Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!