crypto/rsa: don't correct private exponent unless needed.

At some point in the past, I believe the GCD algorithm was setting d to
be negative. The RSA code has been correcting that ever since but, now,
it appears to have changed and the correction isn't needed.

Having d be too large is harmless, it's just a little odd and I
happened to notice.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/7948044

diff --git a/src/pkg/crypto/rsa/rsa.go b/src/pkg/crypto/rsa/rsa.go
index 35a5f7c3c6a107504d919564a3f745ed421049fc..f56fb37ee5471ef480a04bbb47fe422ab2b2a03d 100644 (file)
--- a/src/pkg/crypto/rsa/rsa.go
+++ b/src/pkg/crypto/rsa/rsa.go
@@ -203,7 +203,9 @@ NextSetOfPrimes:
                g.GCD(priv.D, y, e, totient)
 
                if g.Cmp(bigOne) == 0 {
-                       priv.D.Add(priv.D, totient)
+                       if priv.D.Sign() < 0 {
+                               priv.D.Add(priv.D, totient)
+                       }
                        priv.Primes = primes
                        priv.N = n
 

diff --git a/src/pkg/crypto/rsa/rsa_test.go b/src/pkg/crypto/rsa/rsa_test.go
index f08cfe73c4ca99ad7a526d8cd49fbce7aec06a77..ffd96e62f64b72ad5cf74d67ae43e117a6c725a1 100644 (file)
--- a/src/pkg/crypto/rsa/rsa_test.go
+++ b/src/pkg/crypto/rsa/rsa_test.go
@@ -93,6 +93,9 @@ func testKeyBasics(t *testing.T, priv *PrivateKey) {
        if err := priv.Validate(); err != nil {
                t.Errorf("Validate() failed: %s", err)
        }
+       if priv.D.Cmp(priv.N) > 0 {
+               t.Errorf("private exponent too large")
+       }
 
        pub := &priv.PublicKey
        m := big.NewInt(42)