x/crypto: 4 tests will run into https://pkg.go.dev/crypto/[email protected]#hdr-Minimum_key_size #71612

Closed
dmitshur opened this issue Feb 7, 2025 · 2 comments
Labels
FixPending Issues that have a fix which has not yet been reviewed or submitted. NeedsFix The path to resolution is known, but the work has not been done.
Milestone

Comments

dmitshur commented Feb 7, 2025

Go 1.24 makes a change to crypto/rsa.GenerateKey that makes it return an error if a key of less than 1024 bits is requested, also adding a GODEBUG rsa1024min for it. See https://go.dev/doc/go1.24#cryptorsapkgcryptorsa.

When x/crypto's go.mod is updated to Go language 1.24 or newer (which will happen this August based on https://go.dev/s/release#timeline and https://go.dev/design/69095-x-repo-continuous-go#why-1_n_1_0), there are 4 tests in x/crypto that will begin to fail:

crypto $ go get [email protected] && go mod tidy && go fix ./... && go test ./...
--- FAIL: TestTLSChallengeCertOpt (0.00s)
    acme_test.go:762: crypto/rsa: 512-bit keys are insecure (see https://go.dev/pkg/crypto/rsa#hdr-Minimum_key_size)
FAIL
FAIL	golang.org/x/crypto/acme	4.133s
--- FAIL: TestCache (0.00s)
    autocert_test.go:624: crypto/rsa: 512-bit keys are insecure (see https://go.dev/pkg/crypto/rsa#hdr-Minimum_key_size)
--- FAIL: TestValidCert (0.00s)
    autocert_test.go:699: crypto/rsa: 512-bit keys are insecure (see https://go.dev/pkg/crypto/rsa#hdr-Minimum_key_size)
FAIL
FAIL	golang.org/x/crypto/acme/autocert	0.334s
--- FAIL: TestValidateCert (0.00s)
    certs_test.go:120: Unable to validate certificate: ssh: certificate signature does not verify
FAIL
FAIL	golang.org/x/crypto/ssh	3.458s
[...]

This is being reported early thanks to a -tiplang builder (see https://ci.chromium.org/ui/p/golang/builders/ci/x_crypto-gotip-linux-amd64-tiplang). It's not causing a problem today since x/crypto/go.mod's go directive is at 1.20, but does need to be fixed at some point, and this is the tracking issue for that.

CC @golang/security.
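An added Go example, not code from the issue or from x/crypto, showing a test-fixture helper that refuses undersized keys up front (so the failure is explicit on every Go version rather than appearing when go.mod moves to 1.24) and the sign/verify round-trip that the 1024-bit minimum also affects; the function names are made up for this illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// MinRSAKeyBits is the floor crypto/rsa enforces from Go 1.24 on
// unless the GODEBUG setting rsa1024min=0 is in effect.
const MinRSAKeyBits = 1024

// MeetsMinimum reports whether a requested key size is accepted
// under the Go 1.24 default.
func MeetsMinimum(bits int) bool { return bits >= MinRSAKeyBits }

// GenerateTestKey builds a test-fixture key (hypothetical helper),
// rejecting undersized requests before calling rsa.GenerateKey so
// the error is the same regardless of the toolchain running the tests.
func GenerateTestKey(bits int) (*rsa.PrivateKey, error) {
	if !MeetsMinimum(bits) {
		return nil, fmt.Errorf("test key of %d bits is below the %d-bit minimum", bits, MinRSAKeyBits)
	}
	return rsa.GenerateKey(rand.Reader, bits)
}

// SignAndVerify round-trips a PKCS#1 v1.5 signature over msg, the kind
// of operation that also errors on undersized keys from Go 1.24 on.
func SignAndVerify(key *rsa.PrivateKey, msg []byte) error {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return err
	}
	return rsa.VerifyPKCS1v15(&key.PublicKey, crypto.SHA256, digest[:], sig)
}

func main() {
	_, err := GenerateTestKey(512) // constructed: the size the failing tests used
	fmt.Println("512-bit request:", err)
	key, err := GenerateTestKey(1024) // smallest size accepted by the new default
	if err != nil {
		panic(err)
	}
	fmt.Println("1024-bit sign/verify:", SignAndVerify(key, []byte("constructed message")))
}
```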

@dmitshur dmitshur added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Feb 7, 2025
@dmitshur dmitshur added this to the Unreleased milestone Feb 7, 2025
@gopherbot

Change https://go.dev/cl/647975 mentions this issue: all: update certs for go1.24

@dmitshur dmitshur added FixPending Issues that have a fix which has not yet been reviewed or submitted. NeedsFix The path to resolution is known, but the work has not been done. and removed NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Feb 9, 2025
@dmitshur dmitshur modified the milestones: Unreleased, Go1.25 Feb 11, 2025
@gopherbot

Change https://go.dev/cl/648676 mentions this issue: main.star: remove known issues for -tiplang builder in x/crypto, x/tools

gopherbot pushed a commit to golang/build that referenced this issue Feb 11, 2025
They're both fixed.

For golang/go#71612.
For golang/go#71613.

Change-Id: I7274cd5314c02cc01fda2ed1fd3a11d424349278
Reviewed-on: https://go-review.googlesource.com/c/build/+/648676
Auto-Submit: Dmitri Shuralyov <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>
@dmitshur dmitshur modified the milestones: Go1.25, Unreleased Feb 16, 2025