github.com/mtsmfm/go/src@v0.0.0-20221020090648-44bdcb9f8fde/crypto/x509/boring.go

github.com/mtsmfm/go/src@v0.0.0-20221020090648-44bdcb9f8fde/crypto/x509/boring.go (about)

     1  // Copyright 2022 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  //go:build boringcrypto
     6  
     7  package x509
     8  
     9  import (
    10  	"crypto/ecdsa"
    11  	"crypto/elliptic"
    12  	"crypto/internal/boring/fipstls"
    13  	"crypto/rsa"
    14  )
    15  
    16  // boringAllowCert reports whether c is allowed to be used
    17  // in a certificate chain by the current fipstls enforcement setting.
    18  // It is called for each leaf, intermediate, and root certificate.
    19  func boringAllowCert(c *Certificate) bool {
    20  	if !fipstls.Required() {
    21  		return true
    22  	}
    23  
    24  	// The key must be RSA 2048, RSA 3072, or ECDSA P-256, P-384, or P-521.
    25  	switch k := c.PublicKey.(type) {
    26  	default:
    27  		return false
    28  	case *rsa.PublicKey:
    29  		if size := k.N.BitLen(); size != 2048 && size != 3072 {
    30  			return false
    31  		}
    32  	case *ecdsa.PublicKey:
    33  		if k.Curve != elliptic.P256() && k.Curve != elliptic.P384() && k.Curve != elliptic.P521() {
    34  			return false
    35  		}
    36  	}
    37  	return true
    38  }