mirror of https://go.googlesource.com/go
40 lines
993 B
Go
40 lines
993 B
Go
// Copyright 2022 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
//go:build boringcrypto
|
|
|
|
package x509
|
|
|
|
import (
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/internal/boring/fipstls"
|
|
"crypto/rsa"
|
|
)
|
|
|
|
// boringAllowCert reports whether c is allowed to be used
|
|
// in a certificate chain by the current fipstls enforcement setting.
|
|
// It is called for each leaf, intermediate, and root certificate.
|
|
func boringAllowCert(c *Certificate) bool {
|
|
if !fipstls.Required() {
|
|
return true
|
|
}
|
|
|
|
// The key must be RSA 2048, RSA 3072, RSA 4096,
|
|
// or ECDSA P-256, P-384, P-521.
|
|
switch k := c.PublicKey.(type) {
|
|
default:
|
|
return false
|
|
case *rsa.PublicKey:
|
|
if size := k.N.BitLen(); size != 2048 && size != 3072 && size != 4096 {
|
|
return false
|
|
}
|
|
case *ecdsa.PublicKey:
|
|
if k.Curve != elliptic.P256() && k.Curve != elliptic.P384() && k.Curve != elliptic.P521() {
|
|
return false
|
|
}
|
|
}
|
|
return true
|
|
}
|