author | Russ Cox <rsc@golang.org> | 2022-11-10 20:42:04 -0500 |
---|---|---|
committer | Russ Cox <rsc@golang.org> | 2022-11-11 20:24:12 +0000 |
commit | f241e009541082fb1bc5cc5a207ded510cac3d19 (patch) | |
tree | 28a264afc7fffd60c82b90ff03f95cc415b2cfe4 | |
parent | 94108e21ab6ff1e182fe4fe8cac12f5d0272a019 (diff) | |
[dev.boringcrypto.go1.18] crypto/tls: allow BoringCrypto to use 4096-bit keys
FIPS-140 has been updated to allow 4096-bit RSA keys.
Allow them in certificate processing.
This is the Go 1.18 boringcrypto branch version of CL 447655.
Not a straight cherry-pick, because the code in the boringcrypto branch
is different from the code that merged into the main branch.
Fixes #41147 for the Go 1.18 boringcrypto branch.
Change-Id: Iae8a6406a2885e6546df2c28c1791c19cfafb6b5
Reviewed-on: https://go-review.googlesource.com/c/go/+/449639
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
-rw-r--r-- | src/crypto/tls/boring.go | 2 | ||||
-rw-r--r-- | src/crypto/tls/boring_test.go | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/src/crypto/tls/boring.go b/src/crypto/tls/boring.go
index dabc67423d..63957c7442 100644
--- a/src/crypto/tls/boring.go
+++ b/src/crypto/tls/boring.go
@@ -91,7 +91,7 @@ func isBoringCertificate(c *x509.Certificate) bool {
 default:
 return false
 case *rsa.PublicKey:
- if size := k.N.BitLen(); size != 2048 && size != 3072 {
+ if size := k.N.BitLen(); size != 2048 && size != 3072 && size != 4096 {
 return false
 }
 case *ecdsa.PublicKey:
diff --git a/src/crypto/tls/boring_test.go b/src/crypto/tls/boring_test.go
index 8dd477a021..f7a2e03590 100644
--- a/src/crypto/tls/boring_test.go
+++ b/src/crypto/tls/boring_test.go
@@ -309,7 +309,7 @@ func TestBoringCertAlgs(t *testing.T) {
 // Set up some roots, intermediate CAs, and leaf certs with various algorithms.
 // X_Y is X signed by Y.
 R1 := boringCert(t, "R1", boringRSAKey(t, 2048), nil, boringCertCA|boringCertFIPSOK)
- R2 := boringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA)
+ R2 := boringCert(t, "R2", boringRSAKey(t, 1024), nil, boringCertCA)
 M1_R1 := boringCert(t, "M1_R1", boringECDSAKey(t, elliptic.P256()), R1, boringCertCA|boringCertFIPSOK)
 M2_R1 := boringCert(t, "M2_R1", boringECDSAKey(t, elliptic.P224()), R1, boringCertCA) |
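Review bot: The RSA check in the `case *rsa.PublicKey:` arm of isBoringCertificate is an exact-match allowlist of modulus bit lengths, but nothing in the code says so, and it is now three chained `!=` comparisons that are easy to loosen by accident. A comment above the `if`, for example `// Only these exact RSA modulus sizes are accepted in FIPS mode; any other bit length is rejected.`, would record the intent next to the policy decision. The same check may read more clearly as `switch k.N.BitLen() { case 2048, 3072, 4096: default: return false }`. The function starts before and continues after this hunk, so how the result is consumed is not visible here.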
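Review bot: With R2 moved from a 4096-bit to a 1024-bit key, none of the certificates visible in this hunk of TestBoringCertAlgs exercises the newly accepted 4096-bit size, so the positive path added in boring.go appears to have no test here. If the key-generation cost is acceptable, a root such as `R3 := boringCert(t, "R3", boringRSAKey(t, 4096), nil, boringCertCA|boringCertFIPSOK)`, wired into the chains the test checks, would pin the new behaviour. A short comment on R2, e.g. `// R2 uses a 1024-bit key, which isBoringCertificate rejects.`, would also explain why that size was chosen. The test body continues past the hunk, so existing coverage elsewhere in the function cannot be ruled out from this view.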