
pk/rsa: use correct invariant when checking parameter d #100

merged 2 commits into from Jan 21, 2021



@psafont psafont commented Jan 21, 2021

The correct invariant is d ≡ e⁻¹ (mod λ(n)); this means that the modulus is applied to both d and e⁻¹, which was not done in the previous check.

In practice this means that RSA keys using d = (p - 1) * (q - 1) instead of d = lcm (p - 1) (q - 1) could fail this test even though they are valid.

Note: FIPS 186-4 is stricter and would use the check previously used, but I think it should be an optional check.
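Worked example (added here; this is not code from the PR or from mirage-crypto, and it is Python rather than the project's OCaml) showing why the old check rejects a valid key: with constructed toy primes p = 61, q = 53 and e = 17, the d computed modulo φ(n) = (p - 1)(q - 1) differs from the d computed modulo λ(n) = lcm(p - 1, q - 1), yet it still satisfies d·e ≡ 1 (mod λ(n)) and decrypts correctly. The function names `old_check` and `new_check` are this example's own.

```python
from math import gcd


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def make_d(p: int, q: int, e: int, use_lambda: bool) -> int:
    # Private exponent as the inverse of e modulo either lambda(n) (Carmichael)
    # or phi(n) (Euler); OpenSSL-style keys commonly use phi(n).
    m = lcm(p - 1, q - 1) if use_lambda else (p - 1) * (q - 1)
    return pow(e, -1, m)


def old_check(d: int, e: int, p: int, q: int) -> bool:
    # Pre-PR invariant as described in the PR: d must *equal* e^-1 mod lambda(n),
    # i.e. the reduction is applied only to the e^-1 side.
    lam = lcm(p - 1, q - 1)
    return d == pow(e, -1, lam)


def new_check(d: int, e: int, p: int, q: int) -> bool:
    # Post-PR invariant: d * e == 1 mod lambda(n), so d itself is reduced too.
    lam = lcm(p - 1, q - 1)
    return (d * e) % lam == 1


def roundtrip_ok(p: int, q: int, e: int, d: int, msg: int) -> bool:
    # A key is usable iff decrypting an encryption gives the message back.
    n = p * q
    return pow(pow(msg, e, n), d, n) == msg


if __name__ == "__main__":
    # Constructed toy parameters; real keys use much larger primes.
    p, q, e = 61, 53, 17
    d_phi = make_d(p, q, e, use_lambda=False)   # 2753
    d_lam = make_d(p, q, e, use_lambda=True)    # 413
    for label, d in (("phi", d_phi), ("lambda", d_lam)):
        print(f"d_{label}={d} old_check={old_check(d, e, p, q)} "
              f"new_check={new_check(d, e, p, q)} "
              f"decrypts={roundtrip_ok(p, q, e, d, 65)}")
```

Both exponents decrypt correctly and pass the new check; only the λ(n)-reduced one passes the old equality check, which is the interoperability failure the PR describes.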

Its d parameter is bigger than e ^ -1 mod LCM (p - 1) (q - 1), which is licit as long as d and e ^ -1 are congruent with respect to LCM (p - 1) (q - 1).

Signed-off-by: Pau Ruiz Safont <>
The previous invariant didn't apply the modulus to d, which made it fail
on some valid keys.

Signed-off-by: Pau Ruiz Safont <>

hannesm commented Jan 21, 2021


@hannesm hannesm merged commit e79c800 into mirage:main Jan 21, 2021
2 checks passed
hannesm added a commit to hannesm/opam-repository that referenced this pull request Jan 21, 2021
…age-crypto-rng-mirage and mirage-crypto-rng-async (0.8.10)


- Rsa.priv: require 1 = d * e mod (lam n). This allows interoperability with
  OpenSSL generated keys. Reported and fixed by @psafont in mirage/mirage-crypto#100.
@psafont psafont deleted the lambda branch January 21, 2021 13:04