Skip to content

crypto/tls: boringcrypto restricts RSA key sizes to 2048 and 3072 #41147

Closed
@riraccuia

Description

@riraccuia

Is there a reason why the IsBoringCertificate() check would not allow RSA key sizes > 3072 ?

Specifically, I am trying to establish a TLS connection to a corporate server that has an intermediate CA whose key size is 4096 and it throws:
tls handshake failed: x509: certificate specifies an incompatible key usage

Seems like this was recently discussed in golang-nuts ( https://groups.google.com/g/golang-nuts/c/DbzPtRDtVgQ ) but i found no open issue here.

@FiloSottile

Activity

FiloSottile

FiloSottile commented on Aug 31, 2020

@FiloSottile
Contributor

@agl, it looks like there's a good argument for NIST having clarified they'll take 4096. Should we allow it?

changed the title [-]dev.boringcrypto - /crypto/tls/boring.go RSA key sizes restricted to 2048 and 3072[/-] [+]dev.boringcrypto: crypto/tls: in boring.go, RSA key sizes restricted to 2048 and 3072[/+] on Sep 1, 2020
added
NeedsInvestigationSomeone must examine and confirm this is a valid issue and not a duplicate of an existing one.
on Sep 1, 2020
added this to the Backlog milestone on Sep 1, 2020
kumpfdp

kumpfdp commented on Sep 2, 2020

@kumpfdp

This would be great to be included. Today, we're having to manually apply a patch to that line of code.

agl

agl commented on Sep 15, 2020

@agl
Contributor

Having looked into this, it doesn't appear that allowing other modulus sizes is strictly compliant with the current validation. However, future validations can be updated to take advantage of the increased flexibility now allowed by the IG. We expect to do this, but have no timelines to announce and do not currently have a revalidation in progress.

sfc-gh-dwu

sfc-gh-dwu commented on May 11, 2021

@sfc-gh-dwu

It's 2021 now, any update on when we can get 4096bit validated?

evanye

evanye commented on Jan 6, 2022

@evanye

It's 2022 now. Any update on when we can get 4096 bits validated?

agl

agl commented on Jan 6, 2022

@agl
Contributor

It's 2022 now. Any update on when we can get 4096 bits validated?

It's been nearly a year since we did a new validation that includes RSA 4096. I'm afraid NIST can take as long as they take—we've no ability to speed up their processing.

changed the title [-]dev.boringcrypto: crypto/tls: in boring.go, RSA key sizes restricted to 2048 and 3072[/-] [+]crypto/tls: boringcrypto restricts RSA key sizes to 2048 and 3072[/+] on Jul 8, 2022
cipherboy

cipherboy commented on Jul 8, 2022

@cipherboy
Contributor

Per closed duplicate #53755:

Per Hashicorp's recent discussions with Leidos around a Letter of Attestation for Vault based on BoringCrypto's 3678 certificate, larger key sizes are allowed. In particular, this limitation shouldn't be necessary as, per our lab contact (and with permission to quote in the interest of getting this change upstreamed):

P. said:

FIPS 140-2 IG A.14 allows for one to use RSA key sizes >= 2048 bits, so long as the ones that are testable have been tested. At the time of the BoringCrypto certification, only up to 3072 was testable, so IG A.14 would allow you to use anything above that as well.

Since the relevant BC certificate has both 2048 and 3072 tested, we sould simplify the check to >= 2048.

Let me know if this is agreeable and I can open a PR.

(TL;DR: Leidos confirmed any key size >= 2048 is safe to allow under FIPS 140-2 IG A.14, and the existing cert without 4096-bit tested is sufficient for 4096-bit keys, as 4096-bit wasn't a testing target when the existing cert was released).

evanye

evanye commented on Jul 8, 2022

@evanye

@cipherboy that's great news! please keep us updated on which go version this can be merged into, so that we can stop using our fork of boringcrypto :)

rolandshoemaker

rolandshoemaker commented on Jul 8, 2022

@rolandshoemaker
Member

@agl as the resident FIPS person, do you have an opinion on this?

16 remaining items

cipherboy

cipherboy commented on Nov 9, 2022

@cipherboy
Contributor

Thank you @rsc!

rsc

rsc commented on Nov 9, 2022

@rsc
Contributor

@gopherbot please backport

gopherbot

gopherbot commented on Nov 9, 2022

@gopherbot
Contributor

Backport issue(s) opened: #56671 (for 1.18), #56672 (for 1.19).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

rsc

rsc commented on Nov 9, 2022

@rsc
Contributor

Only needs Go 1.19; closed the Go 1.18 backport.

gopherbot

gopherbot commented on Nov 9, 2022

@gopherbot
Contributor

Change https://go.dev/cl/449016 mentions this issue: [release-branch.go1.19] crypto/x509: allow BoringCrypto to use 4096-bit keys

gopherbot

gopherbot commented on Nov 11, 2022

@gopherbot
Contributor

Change https://go.dev/cl/449639 mentions this issue: [dev.boringcrypto.go1.18] crypto/tls: allow BoringCrypto to use 4096-bit keys

added 2 commits that reference this issue on Nov 11, 2022
f241e00
861ba02
locked and limited conversation to collaborators on Nov 11, 2023
added a commit that references this issue on Feb 20, 2024
9ff2a66
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

Labels

FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.

Type

No type

Projects

No projects

Relationships

None yet

    Development

    No branches or pull requests

      Participants

      @agl@rsc@jaredpar@cipherboy@kumpfdp

      Issue actions

        crypto/tls: boringcrypto restricts RSA key sizes to 2048 and 3072 · Issue #41147 · golang/go