Closed
Description
Is there a reason why the IsBoringCertificate() check would not allow RSA key sizes > 3072?
Specifically, I am trying to establish a TLS connection to a corporate server that has an intermediate CA whose key size is 4096 and it throws:
tls handshake failed: x509: certificate specifies an incompatible key usage
Seems like this was recently discussed in golang-nuts (https://groups.google.com/g/golang-nuts/c/DbzPtRDtVgQ) but I found no open issue here.
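Added example, not part of the original issue and not the Go project's code: a preflight audit that lists which certificates in a chain carry RSA keys outside an allowed set of modulus sizes, run once with the restriction reported here (2048 and 3072) and once with 4096 added. The helper names, the use of the modulus bit length as the key size, and the sample chain are assumptions made for illustration.

```go
package main

import (
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// Allowed RSA modulus sizes: the restriction reported in this issue, and the same set plus 4096.
var (
	restrictedSizes = map[int]bool{2048: true, 3072: true}
	relaxedSizes    = map[int]bool{2048: true, 3072: true, 4096: true}
)

// AuditRSAKeySizes (hypothetical helper, not a crypto/tls API) returns "CN (bits)"
// for each certificate whose RSA modulus size is not in allowed. Non-RSA keys are skipped.
func AuditRSAKeySizes(chain []*x509.Certificate, allowed map[int]bool) []string {
	var rejected []string
	for _, c := range chain {
		pub, ok := c.PublicKey.(*rsa.PublicKey)
		if !ok || pub.N == nil {
			continue
		}
		if bits := pub.N.BitLen(); !allowed[bits] {
			rejected = append(rejected, fmt.Sprintf("%s (%d)", c.Subject.CommonName, bits))
		}
	}
	return rejected
}

// constructedCert builds sample data: a subject plus an RSA modulus of the
// requested bit length. It is not a usable key or a signed certificate.
func constructedCert(cn string, bits int) *x509.Certificate {
	n := new(big.Int).Lsh(big.NewInt(1), uint(bits-1)) // BitLen() == bits
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, PublicKey: &rsa.PublicKey{N: n, E: 65537}}
}

// sampleChain is constructed: a 2048-bit leaf, a 4096-bit intermediate, a 3072-bit root.
func sampleChain() []*x509.Certificate {
	return []*x509.Certificate{
		constructedCert("leaf.example.test", 2048),
		constructedCert("Constructed Intermediate CA", 4096),
		constructedCert("Constructed Root CA", 3072),
	}
}

func main() {
	fmt.Println("restricted:", AuditRSAKeySizes(sampleChain(), restrictedSizes))
	fmt.Println("relaxed:", AuditRSAKeySizes(sampleChain(), relaxedSizes))
}
```

Against a real endpoint the chain would come from tls.ConnectionState.PeerCertificates or from parsed PEM files instead of sampleChain.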
FiloSottile commented on Aug 31, 2020
@agl, it looks like there's a good argument for NIST having clarified they'll take 4096. Should we allow it?
Title changed from "dev.boringcrypto - /crypto/tls/boring.go RSA key sizes restricted to 2048 and 3072" to "dev.boringcrypto: crypto/tls: in boring.go, RSA key sizes restricted to 2048 and 3072"
kumpfdp commented on Sep 2, 2020
This would be great to be included. Today, we're having to manually apply a patch to that line of code.
agl commented on Sep 15, 2020
Having looked into this, it doesn't appear that allowing other modulus sizes is strictly compliant with the current validation. However, future validations can be updated to take advantage of the increased flexibility now allowed by the IG. We expect to do this, but have no timelines to announce and do not currently have a revalidation in progress.
sfc-gh-dwu commented on May 11, 2021
It's 2021 now, any update on when we can get 4096bit validated?
evanye commented on Jan 6, 2022
It's 2022 now. Any update on when we can get 4096 bits validated?
agl commented on Jan 6, 2022
It's been nearly a year since we did a new validation that includes RSA 4096. I'm afraid NIST can take as long as they take—we've no ability to speed up their processing.
Title changed from "dev.boringcrypto: crypto/tls: in boring.go, RSA key sizes restricted to 2048 and 3072" to "crypto/tls: boringcrypto restricts RSA key sizes to 2048 and 3072"
cipherboy commented on Jul 8, 2022
Per closed duplicate #53755:
Let me know if this is agreeable and I can open a PR.
(TL;DR: Leidos confirmed any key size >= 2048 is safe to allow under FIPS 140-2 IG A.14, and the existing cert without 4096-bit tested is sufficient for 4096-bit keys, as 4096-bit wasn't a testing target when the existing cert was released).
evanye commented on Jul 8, 2022
@cipherboy that's great news! Please keep us updated on which Go version this can be merged into, so that we can stop using our fork of boringcrypto :)
rolandshoemaker commented on Jul 8, 2022
@agl as the resident FIPS person, do you have an opinion on this?
cipherboy commented on Nov 9, 2022
Thank you @rsc!
rsc commented on Nov 9, 2022
@gopherbot please backport
gopherbot commented on Nov 9, 2022
Backport issue(s) opened: #56671 (for 1.18), #56672 (for 1.19).
Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.
rsc commented on Nov 9, 2022
Only needs Go 1.19; closed the Go 1.18 backport.
gopherbot commented on Nov 9, 2022
Change https://go.dev/cl/449016 mentions this issue:
[release-branch.go1.19] crypto/x509: allow BoringCrypto to use 4096-bit keys
gopherbot commented on Nov 11, 2022
Change https://go.dev/cl/449639 mentions this issue:
[dev.boringcrypto.go1.18] crypto/tls: allow BoringCrypto to use 4096-bit keys
crypto/x509: allow BoringCrypto to use 4096-bit keys