Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/rsa: deprecate GenerateMultiPrimeKey and PrecomputedValues.CRTValues #56921

Closed
Tracked by #57752
rsc opened this issue Nov 23, 2022 · 8 comments
Closed
Tracked by #57752
Assignees
Labels
FrozenDueToAge Proposal Proposal-Accepted Proposal-Crypto Proposal related to crypto packages or other security issues
Milestone

Comments

@rsc
Copy link
Contributor

rsc commented Nov 23, 2022

Multi-prime RSA keys (those that are products of three or more large primes) are discouraged in general and rarely used.

As of Go 1.20, the PrecomputedValues.CRTValues supporting multiprime keys will still be computed and filled in, but to reduce the attack surface of crypto/rsa, those values will no longer be used by decryption.

PrecomputedValues.CRTValues and GenerateMultiPrimeKey were marked deprecated during the Go 1.20 cycle, but without a proposal review. I'm rolling back the deprecation marks in an upcoming CL (gopherbot will report it) and am filing this issue to discuss adding the deprecation marks.

I don't anticipate any controversy about deprecating these, the proposal process should confirm that.

@rsc rsc added the Proposal label Nov 23, 2022
@rsc rsc added this to the Proposal milestone Nov 23, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/453256 mentions this issue: crypto/elliptic: remove deprecation markers

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/453257 mentions this issue: crypto/rsa: remove deprecation markers for multiprime RSA support

gopherbot pushed a commit that referenced this issue Nov 23, 2022
These should be marked deprecated, but that needs a
(likely quick) proposal review.

The proposal is #56921.

Change-Id: I013a913a7f5196a341e2dd5f49c2687c26ee8331
Reviewed-on: https://go-review.googlesource.com/c/go/+/453257
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
@ianlancetaylor ianlancetaylor added the Proposal-Crypto Proposal related to crypto packages or other security issues label Nov 24, 2022
@rsc
Copy link
Contributor Author

rsc commented Nov 30, 2022

This proposal has been added to the active column of the proposals project
and will now be reviewed at the weekly proposal review meetings.
— rsc for the proposal review group

@rsc
Copy link
Contributor Author

rsc commented Dec 7, 2022

Does anyone object to marking these deprecated?

@rolandshoemaker
Copy link
Member

No objection, happy to see them go.

@rsc
Copy link
Contributor Author

rsc commented Dec 14, 2022

Based on the discussion above, this proposal seems like a likely accept.
— rsc for the proposal review group

@rsc
Copy link
Contributor Author

rsc commented Dec 21, 2022

No change in consensus, so accepted. 🎉
This issue now tracks the work of implementing the proposal.
— rsc for the proposal review group

@rsc rsc changed the title proposal: crypto/rsa: deprecate GenerateMultiPrimeKey and PrecomputedValues.CRTValues crypto/rsa: deprecate GenerateMultiPrimeKey and PrecomputedValues.CRTValues Dec 21, 2022
@rsc rsc modified the milestones: Proposal, Backlog Dec 21, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/459976 mentions this issue: crypto/rsa: deprecate multiprime RSA support

@FiloSottile FiloSottile self-assigned this Mar 15, 2023
@FiloSottile FiloSottile modified the milestones: Backlog, Go1.21 Mar 15, 2023
@golang golang locked and limited conversation to collaborators Mar 15, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
FrozenDueToAge Proposal Proposal-Accepted Proposal-Crypto Proposal related to crypto packages or other security issues
Projects
None yet
Development

No branches or pull requests

5 participants