From 960f44e8dd222fcb19891f289ae8f822792a907c Mon Sep 17 00:00:00 2001
From: Tony Arcieri
Date: Fri, 15 May 2026 07:20:03 -0600
Subject: [PATCH] Add RSADoS note to `RsaPublicKey::MAX_PUB_EXPONENT`

Explains why there's a maximum pub exponent limit in the first place, notes the particular constant came from *ring*, and lists the APIs that can be used to get around it.

See also: #695
---
 src/key.rs | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/key.rs b/src/key.rs
index c6d53dee..b5d7e258 100644
--- a/src/key.rs
+++ b/src/key.rs
@@ -216,6 +216,21 @@ impl RsaPublicKey {
     pub const MIN_PUB_EXPONENT: u64 = 2;
 
     /// Maximum value of the public exponent `e`.
+    ///
+    /// Very large public exponents are a potential denial-of-service vector (a.k.a. "RSADoS")
+    /// because they increase the amount of work required for e.g. signature verification. See:
+    ///
+    ///
+    ///
+    /// The particular constant below has been chosen to align with *ring* where this value was
+    /// selected based on the history of this particular issue, API compatibility concerns, and
+    /// benchmark-driven evaluation. See RustCrypto/RSA#155.
+    ///
+    /// If for some reason you have a legitimate reason to use keys with public exponents larger
+    /// than this value, use the special APIs:
+    ///
+    /// - [`RsaPublicKey::new_with_large_exp`]
+    /// - [`RsaPrivateKey::from_components_with_large_exponent`]
     pub const MAX_PUB_EXPONENT: u64 = (1 << 33) - 1;
 
     /// Maximum size of the modulus `n` in bits.
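Review bot: The new doc text `If for some reason you have a legitimate reason to use keys with public exponents larger` is redundant ("for some reason ... a legitimate reason"); `/// If you have a legitimate reason to use keys with public exponents larger` reads cleaner. Because the comment itself frames large exponents as a denial-of-service vector, the bullet list of bypass APIs would benefit from one sentence stating the trade-off, e.g. `/// These APIs skip the exponent bound, so the caller takes on the RSADoS risk and should only use them with keys from trusted sources.`. The line following `See:` is empty in the hunk as shown; if a reference link was intended there it appears to be missing, though this may be an extraction artifact rather than the commit. The `impl RsaPublicKey` block starts and ends outside the hunk.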