crypto/tls: boringcrypto restricts RSA key sizes to 2048 and 3072

[riraccuia]

Is there a reason why the IsBoringCertificate() check would not allow RSA key sizes > 3072 ?

Specifically, I am trying to establish a TLS connection to a corporate server that has an intermediate CA whose key size is 4096 and it throws:
tls handshake failed: x509: certificate specifies an incompatible key usage

Seems like this was recently discussed in golang-nuts ( https://groups.google.com/g/golang-nuts/c/DbzPtRDtVgQ ) but i found no open issue here.

@FiloSottile

[FiloSottile]

@agl, it looks like there's a good argument for NIST having clarified they'll take 4096. Should we allow it?

[kumpfdp]

This would be great to be included. Today, we're having to manually apply a patch to that line of code.

[agl]

Having looked into this, it doesn't appear that allowing other modulus sizes is strictly compliant with the current validation. However, future validations can be updated to take advantage of the increased flexibility now allowed by the IG. We expect to do this, but have no timelines to announce and do not currently have a revalidation in progress.

[sfc-gh-dwu]

It's 2021 now, any update on when we can get 4096bit validated?

[evanye]

It's 2022 now. Any update on when we can get 4096 bits validated?

[agl]

It's 2022 now. Any update on when we can get 4096 bits validated?

It's been nearly a year since we did a new validation that includes RSA 4096. I'm afraid NIST can take as long as they take—we've no ability to speed up their processing.

[cipherboy]

Per closed duplicate #53755:

Per Hashicorp's recent discussions with Leidos around a Letter of Attestation for Vault based on BoringCrypto's 3678 certificate, larger key sizes are allowed. In particular, this limitation shouldn't be necessary as, per our lab contact (and with permission to quote in the interest of getting this change upstreamed):

P. said:

FIPS 140-2 IG A.14 allows for one to use RSA key sizes >= 2048 bits, so long as the ones that are testable have been tested. At the time of the BoringCrypto certification, only up to 3072 was testable, so IG A.14 would allow you to use anything above that as well.

Since the relevant BC certificate has both 2048 and 3072 tested, we sould simplify the check to >= 2048.

Let me know if this is agreeable and I can open a PR.

(TL;DR: Leidos confirmed any key size >= 2048 is safe to allow under FIPS 140-2 IG A.14, and the existing cert without 4096-bit tested is sufficient for 4096-bit keys, as 4096-bit wasn't a testing target when the existing cert was released).

[evanye]

@cipherboy that's great news! please keep us updated on which go version this can be merged into, so that we can stop using our fork of boringcrypto :)

[rolandshoemaker]

@agl as the resident FIPS person, do you have an opinion on this?