Description
verify_rsa_pubkey_in_tbs performs a byte-for-byte comparison of the claimed DSC modulus against the TBS bytes at a prover-supplied pubkey_offset, but never verifies that this offset falls inside the subjectPublicKeyInfo element of the X.509 TBSCertificate SEQUENCE.
A prover can therefore present a TBS whose subjectPublicKeyInfo holds the genuine key but which carries attacker-controlled modulus bytes in an X.509v3 extension or any other field (all of which the CSCA signs as part of the full TBS), and point pubkey_offset at those bytes. The CSCA signature still verifies over the whole TBS; the extracted "pubkey" belongs to the attacker.
Root Cause
The circuit treats the TBS certificate as an opaque byte array and trusts the prover to supply the correct offset for every field it extracts. Per the X.509 grammar (RFC 5280, TBSCertificate), subjectPublicKeyInfo sits at a fixed position: it is the 7th element of the TBS SEQUENCE when the optional [0] EXPLICIT version is present (always the case for v3 certificates, the only ones that can carry extensions), otherwise the 6th. This structural invariant is never enforced in-circuit.
Affected file(s):
| File | Notes |
|------|-------|
| noir-examples/noir-passport-monolithic/utils/data-check/tbs-pubkey/src/lib.nr | verify_rsa_pubkey_in_tbs: offset not structurally validated |
Fix
Implement a minimal DER TLV navigator gadget in Noir (skip_der_tlv) that reads the tag, parses the 1-to-4-byte length and returns the offset just past the content. Walk from the start of the TBS SEQUENCE: skip the [0] version element if present, then serialNumber, signature, issuer, validity and subject; the element reached is subjectPublicKeyInfo. Descend through its AlgorithmIdentifier and BIT STRING into the RSAPublicKey SEQUENCE and constrain pubkey_offset to equal the derived position of the modulus INTEGER content (past its leading 0x00 pad, if any), instead of accepting the witness as-is. The length parser should reject non-minimal long-form lengths so that every accepted element has exactly one encoding.
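The following is an added example, not code from the audited project: a Python reference model of both the weakness described above and the DER walk the fix calls for. It builds a constructed v3 TBSCertificate (placeholder moduli that are byte patterns rather than keys, a constructed private-arc extension OID, dummy names and dates), shows that a byte compare at a prover-chosen offset accepts attacker bytes hidden in an extension, and shows that the structural walk (skip_der_tlv plus a fixed field order) rejects that offset while still accepting an honest prover. The circuit-level details (fixed-capacity arrays, bounded loops) are not modelled.

```python
# Added example, not code from the audited project: a Python model of the
# pubkey_offset weakness and of the DER walk the fix describes. Everything is
# constructed: the moduli are byte patterns, not keys; the extension OID is arbitrary.
RSA_ALG = bytes.fromhex("300D06092A864886F70D0101010500")         # AlgorithmIdentifier rsaEncryption
SHA256_RSA_ALG = bytes.fromhex("300D06092A864886F70D01010B0500")  # sha256WithRSAEncryption
CN_OID = bytes.fromhex("0603550403")                              # 2.5.4.3 commonName
PRIVATE_EXT_OID = bytes.fromhex("06072B060104010101")             # 1.3.6.1.4.1.1.1, placeholder arc
LEGIT_MOD = bytes(0xC0 | i for i in range(64))     # modulus the CSCA actually certified
ATTACKER_MOD = bytes(0x80 | i for i in range(64))  # modulus whose private key the attacker holds

def der_len(n: int) -> bytes:
    """DER length: short form below 0x80, else 0x80|k followed by k big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_uint(mag: bytes) -> bytes:
    """INTEGER from an unsigned magnitude; DER pads with 0x00 when the top bit is set."""
    return tlv(0x02, (b"\x00" if mag[0] & 0x80 else b"") + mag)

def read_tlv(buf: bytes, pos: int):
    """TLV header at pos -> (tag, content_start, content_end); rejects non-minimal or >4-byte lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        k = first & 0x7F
        if not 1 <= k <= 4 or pos + 2 + k > len(buf):
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + k], "big")
        if (k == 1 and length < 0x80) or (k > 1 and buf[pos + 2] == 0):
            raise ValueError("non-minimal length")
        hdr = 2 + k
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated content")
    return tag, start, end

def skip_der_tlv(buf: bytes, pos: int) -> int:
    """Offset of the element after the TLV at pos: the navigator gadget the fix calls for."""
    return read_tlv(buf, pos)[2]

def locate_spki_modulus(tbs: bytes):
    """Walk TBSCertificate by structure; return (start, end) of the RSA modulus bytes."""
    tag, pos, _ = read_tlv(tbs, 0)
    if tag != 0x30:
        raise ValueError("TBS is not a SEQUENCE")
    if read_tlv(tbs, pos)[0] == 0xA0:           # optional [0] EXPLICIT version, present for v3
        pos = skip_der_tlv(tbs, pos)
    for expected in (0x02, 0x30, 0x30, 0x30, 0x30):  # serialNumber, signature, issuer, validity, subject
        if read_tlv(tbs, pos)[0] != expected:
            raise ValueError("unexpected TBS field order")
        pos = skip_der_tlv(tbs, pos)
    tag, spki_start, spki_end = read_tlv(tbs, pos)             # subjectPublicKeyInfo
    alg_end = skip_der_tlv(tbs, spki_start)                    # AlgorithmIdentifier
    bs_tag, bs_start, bs_end = read_tlv(tbs, alg_end)          # subjectPublicKey BIT STRING
    rsa_tag, rsa_start, rsa_end = read_tlv(tbs, bs_start + 1)  # RSAPublicKey, after unused-bits byte
    mod_tag, mod_start, mod_end = read_tlv(tbs, rsa_start)     # modulus INTEGER
    if (tag, bs_tag, rsa_tag, mod_tag) != (0x30, 0x03, 0x30, 0x02) or tbs[spki_start:alg_end] != RSA_ALG \
            or bs_end != spki_end or tbs[bs_start] != 0x00 or rsa_end != bs_end:
        raise ValueError("SPKI is not a well-formed rsaEncryption key")
    return mod_start + (tbs[mod_start] == 0x00), mod_end       # skip the INTEGER sign pad

def naive_check(tbs: bytes, pubkey_offset: int, modulus: bytes) -> bool:
    """Current behaviour: byte compare at a prover-chosen offset, no structural check."""
    return tbs[pubkey_offset:pubkey_offset + len(modulus)] == modulus

def structural_check(tbs: bytes, pubkey_offset: int, modulus: bytes) -> bool:
    """Hardened: the witness offset must equal the derived one and the bytes must match."""
    start, end = locate_spki_modulus(tbs)
    return start == pubkey_offset and tbs[start:end] == modulus

def name(cn: str) -> bytes:
    return tlv(0x30, tlv(0x31, tlv(0x30, CN_OID + tlv(0x0C, cn.encode()))))

def build_tbs(spki_modulus: bytes, extension_payload: bytes) -> bytes:
    """v3 TBSCertificate: SPKI holds spki_modulus; one extension carries extension_payload
    as an OCTET STRING. Both lie inside the bytes the CSCA signature covers."""
    rsa_key = tlv(0x30, der_uint(spki_modulus) + der_uint(b"\x01\x00\x01"))
    spki = tlv(0x30, RSA_ALG + tlv(0x03, b"\x00" + rsa_key))
    validity = tlv(0x30, tlv(0x17, b"230101000000Z") + tlv(0x17, b"330101000000Z"))
    exts = tlv(0xA3, tlv(0x30, tlv(0x30, PRIVATE_EXT_OID + tlv(0x04, extension_payload))))
    return tlv(0x30, tlv(0xA0, der_uint(b"\x02")) + der_uint(b"\x01") + SHA256_RSA_ALG
               + name("Test CSCA") + validity + name("Test DSC") + spki + exts)

def demo():
    """(naive accepts forgery, structural accepts forgery, structural accepts honest prover)."""
    tbs = build_tbs(LEGIT_MOD, ATTACKER_MOD)  # genuine SPKI, attacker bytes riding in an extension
    evil_offset = tbs.index(ATTACKER_MOD)     # the pubkey_offset a malicious prover would supply
    spki_offset, _ = locate_spki_modulus(tbs)
    return (naive_check(tbs, evil_offset, ATTACKER_MOD),
            structural_check(tbs, evil_offset, ATTACKER_MOD),
            structural_check(tbs, spki_offset, LEGIT_MOD))
```

Calling demo() returns (True, False, True): the naive compare accepts the attacker modulus read out of the extension, the structural check rejects that offset because the walk derives a different one, and an honest prover supplying the derived offset still passes. The walk also pins the AlgorithmIdentifier to rsaEncryption, so a non-RSA SPKI is rejected rather than misparsed. In the circuit the same walk runs over a fixed-capacity byte array with loop bounds set to the maximum TBS size, and the derived offset is constrained equal to the pubkey_offset witness (or the witness is dropped entirely); those constraint-system details are outside this model.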