github.com/mtsmfm/go/src@v0.0.0-20221020090648-44bdcb9f8fde/crypto/x509/boring.go (about) 1 // Copyright 2022 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 //go:build boringcrypto 6 7 package x509 8 9 import ( 10 "crypto/ecdsa" 11 "crypto/elliptic" 12 "crypto/internal/boring/fipstls" 13 "crypto/rsa" 14 ) 15 16 // boringAllowCert reports whether c is allowed to be used 17 // in a certificate chain by the current fipstls enforcement setting. 18 // It is called for each leaf, intermediate, and root certificate. 19 func boringAllowCert(c *Certificate) bool { 20 if !fipstls.Required() { 21 return true 22 } 23 24 // The key must be RSA 2048, RSA 3072, or ECDSA P-256, P-384, or P-521. 25 switch k := c.PublicKey.(type) { 26 default: 27 return false 28 case *rsa.PublicKey: 29 if size := k.N.BitLen(); size != 2048 && size != 3072 { 30 return false 31 } 32 case *ecdsa.PublicKey: 33 if k.Curve != elliptic.P256() && k.Curve != elliptic.P384() && k.Curve != elliptic.P521() { 34 return false 35 } 36 } 37 return true 38 }