diff options
| author | Filippo Valsorda <filippo@golang.org> | 2025-07-10 17:24:26 +0200 |
|---|---|---|
| committer | Gopher Robot <gobot@golang.org> | 2025-07-11 12:29:02 -0700 |
| commit | 9d04122d240db4de36bf9ef4f5627e0025201bd9 (patch) | |
| tree | 11a97c064ccb54e3dfc3c51f0902b344dcfa2c5d | |
| parent | 1ca23682dd7b2706daa94e428b3b82cc85a752c0 (diff) | |
| download | go-9d04122d240db4de36bf9ef4f5627e0025201bd9.tar.xz | |
crypto/rsa: drop contradictory promise to keep PublicKey modulus secret
We claim to treat N as secret (and indeed bigmod is constant time in
relation to the modulus) but at the same time we warn that all inputs to
VerifyPKCS1v15 and Verify are public:
> The inputs are not considered confidential, and may leak through
> timing side channels, or if an attacker has control of part of the
> inputs.
See #67043 (which focuses on the inverse, recovering signatures by
controlling the public key input to Verify), and in particular
https://github.com/golang/go/issues/67043#issuecomment-2079335804.
Stopping the Verify adaptive attack would require significantly more
complexity, the kind that has caused vulnerabilities in the past (e.g.
CVE-2016-2107). On the other hand, assuming that a public key is
confidential is unlikely to work in practice, since it can be recovered
from just two valid (message, signature) pairs. See for example
https://keymaterial.net/2024/06/15/reconstructing-public-keys-from-signatures/.
This comment was introduced in CL 552935, not really due to a need to
specify that N was secret, but rather to clarify that E is not (so it
could be used in variable-time exponentiation).
Change-Id: I6a6a6964f3f8d2dc2fcc13ce938b271c9de9666b
Reviewed-on: https://go-review.googlesource.com/c/go/+/687616
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
| -rw-r--r-- | src/crypto/rsa/rsa.go | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/src/crypto/rsa/rsa.go b/src/crypto/rsa/rsa.go index d061d9b7a0..c557c3710a 100644 --- a/src/crypto/rsa/rsa.go +++ b/src/crypto/rsa/rsa.go @@ -63,9 +63,8 @@ var bigOne = big.NewInt(1) // A PublicKey represents the public part of an RSA key. // -// The value of the modulus N is considered secret by this library and protected -// from leaking through timing side-channels. However, neither the value of the -// exponent E nor the precise bit size of N are similarly protected. +// The values of N and E are not considered confidential, and may leak through +// side channels, or could be mathematically derived from other public values. type PublicKey struct { N *big.Int // modulus E int // public exponent |