crypto/rsa: reimplement GenerateKey per FIPS 186-5 with bigmod [freeze exception]

[FiloSottile]

For #69536, we'll need rsa.GenerateKey to comply with FIPS 140-3 requirements. Moreover, we don't want to include math/big in the module boundary, so we'll need to reimplement it on top of crypto/internal/bigmod.

• Need to comply with IG C.E, IG C.F, and FIPS 186-5
• Should use the process in FIPS 186-5 A.1.1, A.1.3, B.3, B.3.2, and B.3.3
  • That is, we should run at least two (see IG C.F) Enhanced Miller-Rabin tests followed by a Lucas test
• Key generation runs only once, so it's ok for it not to be constant time, if it significantly reduces complexity
• For it to be testable, the process should draw non-determinism only from the DRBG io.Reader
  • Every reachable condition should have a test vector, unreachable conditions should be marked by a comment
• GenerateMultiPrimeKey is deprecated and doesn't need to be supported

[gopherbot]

Change https://go.dev/cl/630336 mentions this issue: crypto/rsa: reimplement GenerateKey per FIPS 186-5

[FiloSottile]

@golang/release I'd like to request a freeze exception to land this by Friday, November 29th.

This change will have no application-visible impact, and is necessary to keep math/big out of the FIPS 140 module boundary.

Apologies for not landing this by the deadline.

[dmitshur]

Thanks for letting us know ahead of the freeze. We discussed this and will approve the freeze exception bit here. Please be ready to update your plan if there turn out to be more complications than originally anticipated. Thanks.

[gopherbot]

Change https://go.dev/cl/632215 mentions this issue: crypto/internal/fips140/rsa: add Miller-Rabin test