Description
Go version
go version go1.25-devel_d4c6effaa7 Wed Jun 11 10:11:53 2025 -0700 darwin/arm64
Output of go env in your module/workspace:
N/AWhat did you do?
I ran this code:
pk, _ := rsa.GenerateKey(rand.Reader, 2048)
pk.D = big.NewInt(0)
if err := pk.Validate(); err != nil {
panic(err)
}Using both go1.24.4 and go1.23.10.
What did you see happen?
No panic from Go 1.24, while earlier versions did catch the invalid D causing a panic with crypto/rsa: invalid exponents.
What did you expect to see?
I'd expect to see that newer versions of Go also caught the invalid private exponent D.
Even though D isn't used for computation after precompute has run once, I'd still expect Validate to catch inconsistent base values.
As marshaling/parsing stores the precomputed values in the encoding we could parse and use a key where D isn't consistent with the values used for computation.
One example is x509.MarshalPKCS1PrivateKey() where the documentation implies that the key must be valid by saying:
// The key must have passed validation by calling [rsa.PrivateKey.Validate] first.
As a side note, PrivateKey.Equal() ignores precomputed values, but do ensure that D matches.