// Copyright 2022 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

//go:build boringcrypto

package x509

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/internal/boring/fipstls"
	"crypto/rsa"
)

// boringAllowCert reports whether the certificate c may appear in a
// chain under the current fipstls enforcement setting. Callers apply it
// to every certificate in the chain (leaf, intermediates and root).
//
// When enforcement is off, any certificate is accepted. When it is on,
// only the subject public key is inspected: the key must be an RSA key
// with a 2048-, 3072- or 4096-bit modulus, or an ECDSA key on P-256,
// P-384 or P-521. The certificate's signature algorithm is not examined
// here.
func boringAllowCert(c *Certificate) bool {
	if !fipstls.Required() {
		// Enforcement is disabled: nothing to restrict.
		return true
	}

	switch pub := c.PublicKey.(type) {
	case *rsa.PublicKey:
		// Accept only the three approved modulus sizes; any other
		// length (including nearby ones such as 2047) is rejected.
		switch pub.N.BitLen() {
		case 2048, 3072, 4096:
			return true
		}
		return false
	case *ecdsa.PublicKey:
		// Accept only the three NIST prime curves.
		crv := pub.Curve
		return crv == elliptic.P256() || crv == elliptic.P384() || crv == elliptic.P521()
	default:
		// Every other key type is rejected under enforcement.
		return false
	}
}