[go] crypto/rsa: deprecate PKCS#1 v1.5 encryption


Filippo Valsorda (Gerrit)

Sep 7, 2025, 10:08:27 AM
to Daniel McCarney, Roland Shoemaker, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Attention needed from Daniel McCarney and Roland Shoemaker

Filippo Valsorda has uploaded the change for review

Filippo Valsorda would like Daniel McCarney and Roland Shoemaker to review this change.

Commit message

crypto/rsa: deprecate PKCS#1 v1.5 encryption

Fixes #75302
Change-Id: I6a6a6964c2b3b33bfb34b9677a57610b933bbfab

Change diff

diff --git a/src/crypto/rsa/pkcs1v15.go b/src/crypto/rsa/pkcs1v15.go
index f1e4ef4..76853a9 100644
--- a/src/crypto/rsa/pkcs1v15.go
+++ b/src/crypto/rsa/pkcs1v15.go
@@ -18,6 +18,12 @@

// PKCS1v15DecryptOptions is for passing options to PKCS #1 v1.5 decryption using
// the [crypto.Decrypter] interface.
+//
+// Deprecated: PKCS #1 v1.5 encryption is dangerous and should not be used.
+// See [draft-irtf-cfrg-rsa-guidance-05] for more information. Use
+// [EncryptOAEP] and [DecryptOAEP] instead.
+//
+// [draft-irtf-cfrg-rsa-guidance-05]: https://www.ietf.org/archive/id/draft-irtf-cfrg-rsa-guidance-05.html#name-rationale
type PKCS1v15DecryptOptions struct {
// SessionKeyLen is the length of the session key that is being
// decrypted. If not zero, then a padding error during decryption will
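Review bot: the Deprecated paragraph on lines 35-37 points only at [EncryptOAEP] and [DecryptOAEP], but this type exists for callers of the [crypto.Decrypter] interface (lines 32-33), where the OAEP counterpart is [OAEPOptions] passed to [PrivateKey.Decrypt]. Suggest naming that replacement too, e.g. "Use [OAEPOptions] with [PrivateKey.Decrypt], or [EncryptOAEP] and [DecryptOAEP], instead.", so readers migrating the options-based call path are not left to guess.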
@@ -37,8 +43,11 @@
// deterministically on the bytes read from random, and may change
// between calls and/or between versions.
//
-// WARNING: use of this function to encrypt plaintexts other than
-// session keys is dangerous. Use RSA OAEP in new protocols.
+// Deprecated: PKCS #1 v1.5 encryption is dangerous and should not be used.
+// See [draft-irtf-cfrg-rsa-guidance-05] for more information. Use
+// [EncryptOAEP] and [DecryptOAEP] instead.
+//
+// [draft-irtf-cfrg-rsa-guidance-05]: https://www.ietf.org/archive/id/draft-irtf-cfrg-rsa-guidance-05.html#name-rationale
func EncryptPKCS1v15(random io.Reader, pub *PublicKey, msg []byte) ([]byte, error) {
if fips140only.Enabled {
return nil, errors.New("crypto/rsa: use of PKCS#1 v1.5 encryption is not allowed in FIPS 140-only mode")
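Review bot: the reference on line 53 pins revision -05 of the draft; once a later revision or the RFC is published the "#name-rationale" anchor and the revision number in the link will both be stale, so consider the unversioned datatracker entry for the draft name, or plan to swap in the RFC when it lands. Minor: the FIPS error string on line 56 spells it "PKCS#1 v1.5" while the new comments on lines 49-51 use "PKCS #1 v1.5"; worth harmonizing while the file is being touched.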
@@ -91,14 +100,17 @@
return rsa.Encrypt(fk, em)
}

-// DecryptPKCS1v15 decrypts a plaintext using RSA and the padding scheme from PKCS #1 v1.5.
-// The random parameter is legacy and ignored, and it can be nil.
+// DecryptPKCS1v15 decrypts a plaintext using RSA and the padding scheme from
+// PKCS #1 v1.5. The random parameter is legacy and ignored, and it can be nil.
//
-// Note that whether this function returns an error or not discloses secret
-// information. If an attacker can cause this function to run repeatedly and
-// learn whether each instance returned an error then they can decrypt and
-// forge signatures as if they had the private key. See
-// DecryptPKCS1v15SessionKey for a way of solving this problem.
+// Deprecated: PKCS #1 v1.5 encryption is dangerous and should not be used.
+// Whether this function returns an error or not discloses secret information.
+// If an attacker can cause this function to run repeatedly and learn whether
+// each instance returned an error then they can decrypt and forge signatures as
+// if they had the private key. See [draft-irtf-cfrg-rsa-guidance-05] for more
+// information. Use [EncryptOAEP] and [DecryptOAEP] instead.
+//
+// [draft-irtf-cfrg-rsa-guidance-05]: https://www.ietf.org/archive/id/draft-irtf-cfrg-rsa-guidance-05.html#name-rationale
func DecryptPKCS1v15(random io.Reader, priv *PrivateKey, ciphertext []byte) ([]byte, error) {
if err := checkPublicKeySize(&priv.PublicKey); err != nil {
return nil, err
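Review bot: the rewritten paragraph on lines 71-76 drops the old pointer "See DecryptPKCS1v15SessionKey for a way of solving this problem" (line 70) and gives only OAEP as the alternative. Both functions stay in the package, and a caller whose ciphertext format cannot change has no way to adopt OAEP; for that caller the oracle described on lines 72-75 is exactly the problem DecryptPKCS1v15SessionKey was written to blunt. Suggest keeping one sentence, e.g. "If the ciphertext format cannot be changed, use [DecryptPKCS1v15SessionKey], whose return value does not disclose whether the padding was valid.", so the deprecation does not steer legacy callers toward the worse of the two.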
@@ -160,6 +172,13 @@
// Standard PKCS #1”, Daniel Bleichenbacher, Advances in Cryptology (Crypto '98)
// - [1] RFC 3218, Preventing the Million Message Attack on CMS,
// https://www.rfc-editor.org/rfc/rfc3218.html
+//
+// Deprecated: PKCS #1 v1.5 encryption is dangerous and should not be used. The
+// protections implemented by this function are limited and fragile, as
+// explained above. See [draft-irtf-cfrg-rsa-guidance-05] for more information.
+// Use [EncryptOAEP] and [DecryptOAEP] instead.
+//
+// [draft-irtf-cfrg-rsa-guidance-05]: https://www.ietf.org/archive/id/draft-irtf-cfrg-rsa-guidance-05.html#name-rationale
func DecryptPKCS1v15SessionKey(random io.Reader, priv *PrivateKey, ciphertext []byte, key []byte) error {
if err := checkPublicKeySize(&priv.PublicKey); err != nil {
return err
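Review bot: "as explained above" on line 89 is the only hint that this function is still the least-bad option for protocols that must keep accepting PKCS #1 v1.5 ciphertexts, and the paragraph then points at OAEP like the other three notices. Since a caller that cannot migrate now sees every PKCS #1 v1.5 entry point marked Deprecated, suggest the text say explicitly when this one remains the right call: use it only when the ciphertext format cannot change, fill key (line 93) with random bytes before calling, and proceed with whatever key contains afterwards, so that good and bad padding are indistinguishable through the return value. Without that, the warning reads as "do not use this", which for those callers can only mean a fallback to DecryptPKCS1v15.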

Change information

Files:
  • M src/crypto/rsa/pkcs1v15.go
Change size: S
Delta: 1 file changed, 28 insertions(+), 9 deletions(-)
Open in Gerrit

Related details

Attention is currently required from:
  • Daniel McCarney
  • Roland Shoemaker
Submit Requirements:
  • Code-Review: not satisfied
  • No-Unresolved-Comments: satisfied
  • Review-Enforcement: not satisfied
  • TryBots-Pass: not satisfied
Gerrit-MessageType: newchange
Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: I6a6a6964c2b3b33bfb34b9677a57610b933bbfab
Gerrit-Change-Number: 701436
Gerrit-PatchSet: 1
Gerrit-Owner: Filippo Valsorda <fil...@golang.org>
Gerrit-Reviewer: Daniel McCarney <dan...@binaryparadox.net>
Gerrit-Reviewer: Filippo Valsorda <fil...@golang.org>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-Attention: Daniel McCarney <dan...@binaryparadox.net>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
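The migration the new Deprecated notices ask for, as an added example that is not code from this change or from the Go project: RSA-OAEP (SHA-256, with a context label) in place of EncryptPKCS1v15/DecryptPKCS1v15, and, for a server that cannot change its wire format, the difference between DecryptPKCS1v15, whose error discloses whether the padding parsed, and DecryptPKCS1v15SessionKey called with a random pre-filled key slot, which returns no error either way. The 2048-bit key, the label "example-app/v1", the 32-byte session key and the single-bit tamper are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// newKey generates a 2048-bit key for the example. Recent Go releases reject
// smaller keys by default, and nothing smaller should be deployed anyway.
func newKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// oaepRoundTrip is the replacement the Deprecated notices point to: RSA-OAEP
// with SHA-256. The label is not secret, but it is bound into the ciphertext,
// so decrypting under a different label fails instead of handing back a
// plaintext that was meant for another context. encLabel and decLabel are
// separate parameters so that the mismatch case can be exercised.
func oaepRoundTrip(priv *rsa.PrivateKey, encLabel, decLabel, msg []byte) ([]byte, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, msg, encLabel)
	if err != nil {
		return nil, err
	}
	// The random parameter of DecryptOAEP is legacy and ignored.
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, decLabel)
}

// legacyResult records what each PKCS #1 v1.5 decryption API reveals to the
// sender of a ciphertext.
type legacyResult struct {
	PlainErr      error  // DecryptPKCS1v15: non-nil on bad padding, i.e. the oracle
	PlainText     []byte // DecryptPKCS1v15: the plaintext it returned (nil on error)
	SessionKeyErr error  // DecryptPKCS1v15SessionKey: nil whether or not the padding was valid
	SessionKeyHit bool   // whether the key slot holds the real session key afterwards
}

// legacyDecrypt models a server that cannot change its wire format and must
// keep accepting PKCS #1 v1.5 ciphertexts. It encrypts sessionKey, optionally
// flips one bit of the ciphertext (the kind of modification a
// Bleichenbacher-style attacker submits), and decrypts the result both ways.
func legacyDecrypt(priv *rsa.PrivateKey, sessionKey []byte, tamper bool) (legacyResult, error) {
	var res legacyResult

	ct, err := rsa.EncryptPKCS1v15(rand.Reader, &priv.PublicKey, sessionKey)
	if err != nil {
		return res, err
	}
	if tamper {
		ct = bytes.Clone(ct)
		ct[len(ct)-1] ^= 0x01 // constructed tamper: one bit of the last byte
	}

	// Deprecated path: the returned error tells the caller, and anyone who can
	// observe the caller's behaviour, whether the padding parsed.
	res.PlainText, res.PlainErr = rsa.DecryptPKCS1v15(nil, priv, ct)

	// Mitigated path: pre-fill the key slot with random bytes. On bad padding
	// the slot is left untouched and no error is returned, so the server
	// continues with a random key and the protocol fails later in a way that
	// does not depend on the padding. The slot length must equal the expected
	// session key length.
	slot := make([]byte, len(sessionKey))
	if _, err := io.ReadFull(rand.Reader, slot); err != nil {
		return res, err
	}
	res.SessionKeyErr = rsa.DecryptPKCS1v15SessionKey(nil, priv, ct, slot)
	res.SessionKeyHit = bytes.Equal(slot, sessionKey)
	return res, nil
}

func main() {
	priv, err := newKey()
	if err != nil {
		panic(err)
	}
	label := []byte("example-app/v1")                         // constructed context label
	msg := []byte("session key material")                     // constructed plaintext
	sessionKey := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte session key

	pt, err := oaepRoundTrip(priv, label, label, msg)
	fmt.Printf("OAEP, matching label: %q err=%v\n", pt, err)
	_, err = oaepRoundTrip(priv, label, []byte("other-context"), msg)
	fmt.Printf("OAEP, wrong label: err=%v\n", err)

	for _, tamper := range []bool{false, true} {
		res, err := legacyDecrypt(priv, sessionKey, tamper)
		if err != nil {
			panic(err)
		}
		fmt.Printf("tampered=%v DecryptPKCS1v15 err=%v; DecryptPKCS1v15SessionKey err=%v real key in slot=%v\n",
			tamper, res.PlainErr, res.SessionKeyErr, res.SessionKeyHit)
	}
}
```

The point of the second half is the pair of error values: for the tampered ciphertext DecryptPKCS1v15 reports the bad padding, DecryptPKCS1v15SessionKey does not, and the only observable difference in the mitigated path is that the server ends up with a random key, which it should use exactly as it would use a real one.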

Filippo Valsorda (Gerrit)

Sep 7, 2025, 8:35:32 PM
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Attention needed from Daniel McCarney, Filippo Valsorda and Roland Shoemaker

Filippo Valsorda uploaded new patchset

Filippo Valsorda uploaded patch set #3 to this change.
Following approvals got outdated and were removed:
  • TryBots-Pass: LUCI-TryBot-Result-1 by Go LUCI
Open in Gerrit

Related details

Attention is currently required from:
  • Daniel McCarney
  • Filippo Valsorda
  • Roland Shoemaker
Submit Requirements:
  • Code-Review: not satisfied
  • No-Unresolved-Comments: satisfied
  • Review-Enforcement: not satisfied
  • TryBots-Pass: not satisfied
Gerrit-MessageType: newpatchset
Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: I6a6a6964c2b3b33bfb34b9677a57610b933bbfab
Gerrit-Change-Number: 701436
Gerrit-PatchSet: 3
Gerrit-Owner: Filippo Valsorda <fil...@golang.org>
Gerrit-Reviewer: Daniel McCarney <dan...@binaryparadox.net>
Gerrit-Reviewer: Filippo Valsorda <fil...@golang.org>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-Attention: Daniel McCarney <dan...@binaryparadox.net>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
Gerrit-Attention: Filippo Valsorda <fil...@golang.org>

Filippo Valsorda (Gerrit)

Sep 7, 2025, 9:00:21 PM
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Attention needed from Daniel McCarney, Filippo Valsorda and Roland Shoemaker

Filippo Valsorda uploaded new patchset

Filippo Valsorda uploaded patch set #4 to this change.
Following approvals got outdated and were removed:
  • TryBots-Pass: LUCI-TryBot-Result-1 by Go LUCI
Open in Gerrit

Related details

Attention is currently required from:
  • Daniel McCarney
  • Filippo Valsorda
  • Roland Shoemaker
Submit Requirements:
  • Code-Review: not satisfied
  • No-Unresolved-Comments: satisfied
  • Review-Enforcement: not satisfied
  • TryBots-Pass: not satisfied
Gerrit-MessageType: newpatchset
Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: I6a6a6964c2b3b33bfb34b9677a57610b933bbfab
Gerrit-Change-Number: 701436
Gerrit-PatchSet: 4

Daniel McCarney (Gerrit)

Sep 8, 2025, 1:33:16 PM
to goph...@pubsubhelper.golang.org, Go LUCI, Roland Shoemaker, golang-co...@googlegroups.com
Attention needed from Filippo Valsorda and Roland Shoemaker

Daniel McCarney voted and added 1 comment

Votes added by Daniel McCarney

Code-Review+2

1 comment

Patchset-level comments
File-level comment, Patchset 4 (Latest):
Daniel McCarney (resolved)

👍

Open in Gerrit

Related details

Attention is currently required from:
  • Filippo Valsorda
  • Roland Shoemaker
Submit Requirements:
  • Code-Review: satisfied
  • No-Unresolved-Comments: satisfied
  • Review-Enforcement: not satisfied
  • TryBots-Pass: satisfied
Gerrit-MessageType: comment
Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: I6a6a6964c2b3b33bfb34b9677a57610b933bbfab
Gerrit-Change-Number: 701436
Gerrit-PatchSet: 4
Gerrit-Owner: Filippo Valsorda <fil...@golang.org>
Gerrit-Reviewer: Daniel McCarney <dan...@binaryparadox.net>
Gerrit-Reviewer: Filippo Valsorda <fil...@golang.org>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
Gerrit-Comment-Date: Mon, 08 Sep 2025 17:33:12 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes

Mark Freeman (Gerrit)

Sep 9, 2025, 3:15:57 PM
to goph...@pubsubhelper.golang.org, Daniel McCarney, Go LUCI, Roland Shoemaker, golang-co...@googlegroups.com
Attention needed from Filippo Valsorda and Roland Shoemaker

Mark Freeman voted Code-Review+1

Code-Review+1
Open in Gerrit

Related details

Attention is currently required from:
  • Filippo Valsorda
  • Roland Shoemaker
Submit Requirements:
  • Code-Review: satisfied
  • No-Unresolved-Comments: satisfied
  • Review-Enforcement: not satisfied
  • TryBots-Pass: satisfied
Gerrit-MessageType: comment
Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: I6a6a6964c2b3b33bfb34b9677a57610b933bbfab
Gerrit-Change-Number: 701436
Gerrit-PatchSet: 4
Gerrit-Owner: Filippo Valsorda <fil...@golang.org>
Gerrit-Reviewer: Daniel McCarney <dan...@binaryparadox.net>
Gerrit-Reviewer: Filippo Valsorda <fil...@golang.org>
Gerrit-Reviewer: Mark Freeman <markf...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
Gerrit-Comment-Date: Tue, 09 Sep 2025 19:15:54 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes

Michael Pratt (Gerrit)

Sep 9, 2025, 3:21:35 PM
to goph...@pubsubhelper.golang.org, Michael Pratt, Mark Freeman, Daniel McCarney, Go LUCI, Roland Shoemaker, golang-co...@googlegroups.com
Attention needed from Filippo Valsorda and Roland Shoemaker

Michael Pratt voted and added 1 comment

Votes added by Michael Pratt

Code-Review+1
Hold+1

1 comment

Patchset-level comments
Michael Pratt (resolved)

Awaiting proposal review (feel free to remove my hold afterwards)

Open in Gerrit

Related details

Attention is currently required from:
  • Filippo Valsorda
  • Roland Shoemaker
Submit Requirements:
  • Code-Review: satisfied
  • No-Holds: not satisfied
  • No-Unresolved-Comments: satisfied
  • Review-Enforcement: satisfied
  • TryBots-Pass: satisfied
Gerrit-MessageType: comment
Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: I6a6a6964c2b3b33bfb34b9677a57610b933bbfab
Gerrit-Change-Number: 701436
Gerrit-PatchSet: 4
Gerrit-Owner: Filippo Valsorda <fil...@golang.org>
Gerrit-Reviewer: Daniel McCarney <dan...@binaryparadox.net>
Gerrit-Reviewer: Filippo Valsorda <fil...@golang.org>
Gerrit-Reviewer: Mark Freeman <markf...@google.com>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
Gerrit-Attention: Filippo Valsorda <fil...@golang.org>
Gerrit-Comment-Date: Tue, 09 Sep 2025 19:21:32 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes

Filippo Valsorda (Gerrit)

Nov 15, 2025, 6:38:52 PM
to Filippo Valsorda, goph...@pubsubhelper.golang.org, Michael Pratt, Mark Freeman, Daniel McCarney, Go LUCI, Roland Shoemaker, golang-co...@googlegroups.com
Attention needed from Roland Shoemaker

Filippo Valsorda added 1 comment

Patchset-level comments
Filippo Valsorda (resolved)

Removing Hold, the proposal was accepted.

Open in Gerrit

Related details

Attention is currently required from:
  • Roland Shoemaker
Submit Requirements:
  • Code-Review: satisfied
  • No-Holds: not satisfied
  • No-Unresolved-Comments: satisfied
  • Review-Enforcement: satisfied
  • TryBots-Pass: satisfied
Gerrit-MessageType: comment
Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: I6a6a6964c2b3b33bfb34b9677a57610b933bbfab
Gerrit-Change-Number: 701436
Gerrit-PatchSet: 4
Gerrit-Owner: Filippo Valsorda <fil...@golang.org>
Gerrit-Reviewer: Daniel McCarney <dan...@binaryparadox.net>
Gerrit-Reviewer: Filippo Valsorda <fil...@golang.org>
Gerrit-Reviewer: Mark Freeman <markf...@google.com>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
Gerrit-Comment-Date: Sat, 15 Nov 2025 23:38:43 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No

Filippo Valsorda (Gerrit)

Nov 15, 2025, 6:38:54 PM
to Filippo Valsorda, goph...@pubsubhelper.golang.org, Michael Pratt, Mark Freeman, Daniel McCarney, Go LUCI, Roland Shoemaker, golang-co...@googlegroups.com
Attention needed from Michael Pratt and Roland Shoemaker

Filippo Valsorda removed a vote from this change

Removed Hold+1 by Michael Pratt <mpr...@google.com>
Open in Gerrit

Related details

Attention is currently required from:
  • Michael Pratt
  • Roland Shoemaker
Submit Requirements:
  • Code-Review: satisfied
  • No-Unresolved-Comments: satisfied
  • Review-Enforcement: satisfied
  • TryBots-Pass: satisfied
Gerrit-MessageType: deleteVote
Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: I6a6a6964c2b3b33bfb34b9677a57610b933bbfab
Gerrit-Change-Number: 701436
Gerrit-PatchSet: 4
Gerrit-Owner: Filippo Valsorda <fil...@golang.org>
Gerrit-Reviewer: Daniel McCarney <dan...@binaryparadox.net>
Gerrit-Reviewer: Filippo Valsorda <fil...@golang.org>
Gerrit-Reviewer: Mark Freeman <markf...@google.com>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
Gerrit-Attention: Michael Pratt <mpr...@google.com>

Gopher Robot (Gerrit)

Nov 15, 2025, 6:41:29 PM
to Filippo Valsorda, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Michael Pratt, Mark Freeman, Daniel McCarney, Go LUCI, Roland Shoemaker, golang-co...@googlegroups.com

Gopher Robot submitted the change

Change information

Commit message:
crypto/rsa: deprecate PKCS#1 v1.5 encryption

Fixes #75302
Change-Id: I6a6a6964c2b3b33bfb34b9677a57610b933bbfab
Reviewed-by: Daniel McCarney <dan...@binaryparadox.net>
Reviewed-by: Mark Freeman <markf...@google.com>
Auto-Submit: Filippo Valsorda <fil...@golang.org>
Reviewed-by: Michael Pratt <mpr...@google.com>
Files:
  • A api/next/75302.txt
  • A doc/next/6-stdlib/99-minor/crypto/rsa/75302.md
  • M src/crypto/rsa/pkcs1v15.go
Change size: S
Delta: 3 files changed, 34 insertions(+), 9 deletions(-)
Branch: refs/heads/master
Submit Requirements:
  • Code-Review: satisfied (+1 by Mark Freeman, +2 by Daniel McCarney, +1 by Michael Pratt)
  • TryBots-Pass: satisfied (LUCI-TryBot-Result+1 by Go LUCI)
Open in Gerrit
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: I6a6a6964c2b3b33bfb34b9677a57610b933bbfab
Gerrit-Change-Number: 701436
Gerrit-PatchSet: 5
Gerrit-Owner: Filippo Valsorda <fil...@golang.org>
Gerrit-Reviewer: Daniel McCarney <dan...@binaryparadox.net>
Gerrit-Reviewer: Filippo Valsorda <fil...@golang.org>
Gerrit-Reviewer: Gopher Robot <go...@golang.org>