...

Source file src/crypto/x509/boring.go

Documentation: crypto/x509

     1  // Copyright 2022 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  //go:build boringcrypto
     6  
     7  package x509
     8  
     9  import (
    10  	"crypto/ecdsa"
    11  	"crypto/elliptic"
    12  	"crypto/internal/boring/fipstls"
    13  	"crypto/rsa"
    14  )
    15  
    16  // boringAllowCert reports whether c is allowed to be used
    17  // in a certificate chain by the current fipstls enforcement setting.
    18  // It is called for each leaf, intermediate, and root certificate.
    19  func boringAllowCert(c *Certificate) bool {
    20  	if !fipstls.Required() {
    21  		return true
    22  	}
    23  
    24  	// The key must be RSA 2048, RSA 3072, RSA 4096,
    25  	// or ECDSA P-256, P-384, P-521.
    26  	switch k := c.PublicKey.(type) {
    27  	default:
    28  		return false
    29  	case *rsa.PublicKey:
    30  		if size := k.N.BitLen(); size != 2048 && size != 3072 && size != 4096 {
    31  			return false
    32  		}
    33  	case *ecdsa.PublicKey:
    34  		if k.Curve != elliptic.P256() && k.Curve != elliptic.P384() && k.Curve != elliptic.P521() {
    35  			return false
    36  		}
    37  	}
    38  	return true
    39  }
    40  

View as plain text