Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/rsa: 4096 bit keys are not generated with BoringCrypto [1.20 backport] #58927

Closed
gopherbot opened this issue Mar 8, 2023 · 7 comments
Closed

crypto/rsa: 4096 bit keys are not generated with BoringCrypto [1.20 backport] #58927

gopherbot opened this issue Mar 8, 2023 · 7 comments
Labels
CherryPickApproved Used during the release process for point releases
Milestone
Go1.20.5

Comments

@gopherbot
Copy link

@FiloSottile requested issue #58803 to be considered for backport to the next 1.20 minor release.

@gopherbot please open a Go 1.20 backport issue for this.

Go 1.20 updated the BoringCrypto module and started using BoringCrypto for RSA 4096 bit keys in crypto/x509, but not in GenerateKey. The two are not necessarily correlated (most X.509 keys are loaded from disk, not generated) but using unverified crypto unexpectedly is not great, and the fix is simple.

/cc @rsc @golang/security
@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label Mar 8, 2023
@gopherbot gopherbot mentioned this issue Mar 8, 2023
Closed
@gopherbot gopherbot added this to the Go1.20.3 milestone Mar 8, 2023
@cherrymui cherrymui added the CherryPickApproved Used during the release process for point releases label Mar 15, 2023
@gopherbot gopherbot removed the CherryPickCandidate Used during the release process for point releases label Mar 15, 2023
@heschi heschi added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Mar 20, 2023
@mknyszek mknyszek modified the milestones: Go1.20.3, Go1.20.4 Apr 4, 2023
@gopherbot
Copy link
Author

Timed out in state WaitingForInfo. Closing.

(I am just a bot, though. Please speak up if this is a mistake or you have the requested information.)

@dmitshur
Copy link
Contributor

dmitshur commented Apr 26, 2023
edited

The upstream CL is almost ready, just waiting on @FiloSottile to resolve a comment and submit.
Reopening to give this backport more time.

@dmitshur dmitshur reopened this Apr 26, 2023
@gopherbot gopherbot modified the milestones: Go1.20.4, Go1.20.5 May 2, 2023
@heschi
Copy link
Contributor

heschi commented May 15, 2023

Still no activity. Re-closing.

@heschi heschi closed this as not planned Won't fix, can't repro, duplicate, stale May 15, 2023
@FiloSottile
Copy link
Contributor

Mailed https://go.dev/cl/495735. Reopening for merging.

@FiloSottile FiloSottile reopened this May 17, 2023
@gopherbot
Copy link
Author

Change https://go.dev/cl/495735 mentions this issue: [release-branch.go1.20] crypto/rsa: use BoringCrypto for 4096 bit keys

@FiloSottile FiloSottile removed the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label May 17, 2023
gopherbot pushed a commit that referenced this issue May 17, 2023
@FiloSottile @heschi
[release-branch.go1.20] crypto/rsa: use BoringCrypto for 4096 bit keys
600636e 
Updates #58803
Fixes #58927

Change-Id: I097938ff61dae2b65214f8d0126d68de63525f5b
Reviewed-on: https://go-review.googlesource.com/c/go/+/474515
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
(cherry picked from commit 7bc3281)
Reviewed-on: https://go-review.googlesource.com/c/go/+/495735
Reviewed-by: Heschi Kreinick <heschi@google.com>
@heschi
Copy link
Contributor

heschi commented May 18, 2023

Fixed by above commit, not sure why gopherbot didn't close the issue.

@heschi heschi closed this as completed May 18, 2023
@dmitshur
Copy link
Contributor

not sure why gopherbot didn't close the issue.

The one time it doesn't fight humans is the time it would've been helpful. 😅

bradfitz pushed a commit to tailscale/go that referenced this issue May 25, 2023
@FiloSottile @bradfitz
[release-branch.go1.20] crypto/rsa: use BoringCrypto for 4096 bit keys
b83e5ce 
Updates golang#58803
Fixes golang#58927

Change-Id: I097938ff61dae2b65214f8d0126d68de63525f5b
Reviewed-on: https://go-review.googlesource.com/c/go/+/474515
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
(cherry picked from commit 7bc3281)
Reviewed-on: https://go-review.googlesource.com/c/go/+/495735
Reviewed-by: Heschi Kreinick <heschi@google.com>
bradfitz pushed a commit to tailscale/go that referenced this issue May 25, 2023
@FiloSottile @bradfitz
[release-branch.go1.20] crypto/rsa: use BoringCrypto for 4096 bit keys
b23cce7 
Updates golang#58803
Fixes golang#58927

Change-Id: I097938ff61dae2b65214f8d0126d68de63525f5b
Reviewed-on: https://go-review.googlesource.com/c/go/+/474515
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
(cherry picked from commit 7bc3281)
Reviewed-on: https://go-review.googlesource.com/c/go/+/495735
Reviewed-by: Heschi Kreinick <heschi@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases
Projects
None yet
Milestone
Go1.20.5
Development

No branches or pull requests
6 participants
@FiloSottile @mknyszek @dmitshur @gopherbot @cherrymui @heschi