languages/go
languages/go
1
0
Fork 0
mirror of https://github.com/golang/go synced 2024-11-02 11:21:19 +00:00
Code Issues Projects Releases Packages Wiki Activity

[dev.boringcrypto] crypto/tls: permit P-521 in FIPS mode

Browse source 
While BoringCrypto has a certification for P-521, the go code disallows
certificates with it. This change permits those certificates to be used.

Change-Id: I451c91a845f22ff0e4c3e922eaf8bf82466e80ae
Reviewed-on: https://go-review.googlesource.com/c/go/+/343880
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Dmitri Shuralyov <dmitshur@golang.org>
This commit is contained in:
Watson Ladd 2021-08-20 15:52:08 -07:00 committed by Filippo Valsorda
parent 083811d079
commit 5ae200d526
1 changed files with 3 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
src/crypto/tls/boring.go
View file

@ -6,6 +6,7 @@ package tls
import ( import (
"crypto/ecdsa" "crypto/ecdsa"
"crypto/elliptic"
"crypto/internal/boring/fipstls" "crypto/internal/boring/fipstls"
"crypto/rsa" "crypto/rsa"
"crypto/x509" "crypto/x509"
@ -85,7 +86,7 @@ func isBoringCertificate(c *x509.Certificate) bool {
return true return true
} }
// Otherwise the key must be RSA 2048, RSA 3072, or ECDSA P-256. // Otherwise the key must be RSA 2048, RSA 3072, or ECDSA P-256, P-384, or P-521.
switch k := c.PublicKey.(type) { switch k := c.PublicKey.(type) {
default: default:
return false return false
@ -94,7 +95,7 @@ func isBoringCertificate(c *x509.Certificate) bool {
return false return false
} }
case *ecdsa.PublicKey: case *ecdsa.PublicKey:
if name := k.Curve.Params().Name; name != "P-256" && name != "P-384" { if k.Curve != elliptic.P256() && k.Curve != elliptic.P384() && k.Curve != elliptic.P521() {
return false return false
} }
} }