Go version
go version go1.25-devel_d4c6effaa7 Wed Jun 11 10:11:53 2025 -0700 darwin/arm64
Output of go env in your module/workspace:
N/A
What did you do?
I ran this code:
package main
import ("crypto/rand"; "crypto/rsa"; "math/big")
func main() {
	pk, _ := rsa.GenerateKey(rand.Reader, 2048)
	pk.D = big.NewInt(0) // deliberately inconsistent private exponent
	if err := pk.Validate(); err != nil {
		panic(err)
	}
}
Using both go1.24.4 and go1.23.10.
What did you see happen?
No panic from Go 1.24, while earlier versions did catch the invalid D, causing a panic with "crypto/rsa: invalid exponents".
What did you expect to see?
I'd expect to see that newer versions of Go also caught the invalid private exponent D.
Even though D isn't used for computation after precompute has run once, I'd still expect Validate to catch inconsistent base values.
As marshaling/parsing stores the precomputed values in the encoding we could parse and use a key where D isn't consistent with the values used for computation.
One example is x509.MarshalPKCS1PrivateKey() where the documentation implies that the key must be valid by saying:
// The key must have passed validation by calling [rsa.PrivateKey.Validate] first.
As a side note, PrivateKey.Equal() ignores precomputed values, but does ensure that D matches.
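The consistency check the report is asking for, as an added example that is not the reporter's code and not part of crypto/rsa or the linked CLs: checkD is a hypothetical helper that verifies D against the public exponent (e*D must be 1 modulo p-1 and q-1) and against the precomputed CRT exponents (Dp must be D mod (p-1), Dq must be D mod (q-1)), independently of what Validate does in a given Go release. main then corrupts D with a constructed nonzero value (a zero D is already rejected by x509's sign check at parse time, which would mask the point) and round-trips the key through MarshalPKCS1PrivateKey/ParsePKCS1PrivateKey to show whether the inconsistent D survives the encoding.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
)

// checkD is a hypothetical helper (not part of crypto/rsa) that checks
// PrivateKey.D for consistency with the public exponent and with the
// precomputed CRT exponents Dp and Dq. Two-prime keys only.
func checkD(k *rsa.PrivateKey) error {
	if len(k.Primes) != 2 {
		return errors.New("checkD: expected exactly two primes")
	}
	if k.D == nil || k.D.Sign() <= 0 {
		return errors.New("checkD: D is nil, zero or negative")
	}
	one := big.NewInt(1)
	pm1 := new(big.Int).Sub(k.Primes[0], one)
	qm1 := new(big.Int).Sub(k.Primes[1], one)

	// e*D must be 1 modulo p-1 and modulo q-1; otherwise D is not a
	// private exponent for the public key (N, e) at all.
	ed := new(big.Int).Mul(big.NewInt(int64(k.E)), k.D)
	if new(big.Int).Mod(ed, pm1).Cmp(one) != 0 || new(big.Int).Mod(ed, qm1).Cmp(one) != 0 {
		return errors.New("checkD: e*D is not 1 mod (p-1) and mod (q-1)")
	}

	// If CRT exponents are present (precomputed or parsed from an encoding),
	// they must be D reduced modulo p-1 and q-1; otherwise signing and
	// decryption use a different private exponent than D describes.
	if dp := k.Precomputed.Dp; dp != nil && new(big.Int).Mod(k.D, pm1).Cmp(dp) != 0 {
		return errors.New("checkD: Dp is not D mod (p-1)")
	}
	if dq := k.Precomputed.Dq; dq != nil && new(big.Int).Mod(k.D, qm1).Cmp(dq) != 0 {
		return errors.New("checkD: Dq is not D mod (q-1)")
	}
	return nil
}

func main() {
	pk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	fmt.Println("fresh key:     Validate:", pk.Validate(), " checkD:", checkD(pk))

	// Constructed corruption: a nonzero but wrong D, so that the x509 parser's
	// "zero or negative value" check does not hide the inconsistency.
	pk.D = new(big.Int).Add(pk.D, big.NewInt(1))
	fmt.Println("corrupted D:   Validate:", pk.Validate(), " checkD:", checkD(pk))

	// Round-trip through PKCS #1, which stores D alongside Dp, Dq and Qinv.
	der := x509.MarshalPKCS1PrivateKey(pk)
	parsed, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		fmt.Println("parse rejected the encoded key:", err)
		return
	}
	fmt.Println("parsed key:    Validate:", parsed.Validate(), " checkD:", checkD(parsed))
}
```

Whether Validate and the parse step report the corrupted D depends on the Go release; checkD reports it in all cases because it recomputes the relationships from the primes rather than trusting the precomputed values.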
Comment From: gabyhelp
Related Issues
- crypto/rsa: mismatched keys no longer error #61077
- crypto/rsa: RSA keys newly rejected in Go 1.24 #70643 (closed)
Comment From: cherrymui
cc @golang/security
Comment From: gopherbot
Change https://go.dev/cl/687836 mentions this issue: crypto/rsa: check PrivateKey.D for consistency with Dp and Dq
Comment From: gopherbot
Change https://go.dev/cl/687835 mentions this issue: crypto/rsa: check for post-Precompute changes in Validate