[dev.boringcrypto] crypto/x509: remove VerifyOptions.IsBoring

This API was added only for BoringCrypto, never shipped in standard Go. This API is also not compatible with the expected future evolution of crypto/x509, as we move closer to host verifiers on macOS and Windows. If we want to merge BoringCrypto into the main tree, it is best not to have differing API. So instead of a hook set by crypto/tls, move the actual check directly into crypto/x509, eliminating the need for exposed API. For #51940. Change-Id: Ia2ae98c745de818d39501777014ea8166cab0b03 Reviewed-on: https://go-review.googlesource.com/c/go/+/395878 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Russ Cox <rsc@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org>
2025-04-03 20:17:36 +03:00 · 2022-04-27 09:02:53 -04:00 · 2022-04-27 09:02:53 -04:00 · dd10335a9c
commit dd10335a9c
parent f9f1229355
5 changed files with 5 additions and 59 deletions
--- a/boring.go
+++ b/boring.go
@ -7,11 +7,7 @@
 package tls

 import (
-	"crypto/ecdsa"
-	"crypto/elliptic"
 	"crypto/internal/boring/fipstls"
-	"crypto/rsa"
-	"crypto/x509"
 )

 // needFIPS returns fipstls.Required(); it avoids a new import in common.go.
@ -79,32 +75,6 @@ func fipsCipherSuites(c *Config) []uint16 {
 	return list
 }

-// isBoringCertificate reports whether a certificate may be used
-// when constructing a verified chain.
-// It is called for each leaf, intermediate, and root certificate.
-func isBoringCertificate(c *x509.Certificate) bool {
-	if !needFIPS() {
-		// Everything is OK if we haven't forced FIPS-only mode.
-		return true
-	}
-
-	// Otherwise the key must be RSA 2048, RSA 3072, or ECDSA P-256, P-384, or P-521.
-	switch k := c.PublicKey.(type) {
-	default:
-		return false
-	case *rsa.PublicKey:
-		if size := k.N.BitLen(); size != 2048 && size != 3072 {
-			return false
-		}
-	case *ecdsa.PublicKey:
-		if k.Curve != elliptic.P256() && k.Curve != elliptic.P384() && k.Curve != elliptic.P521() {
-			return false
-		}
-	}
-
-	return true
-}
-
 // fipsSupportedSignatureAlgorithms currently are a subset of
 // defaultSupportedSignatureAlgorithms without Ed25519 and SHA-1.
 var fipsSupportedSignatureAlgorithms = []SignatureScheme{
--- a/boring_test.go
+++ b/boring_test.go
@ -324,12 +324,6 @@ func TestBoringCertAlgs(t *testing.T) {
 	L1_I := boringCert(t, "L1_I", boringECDSAKey(t, elliptic.P384()), I_R1, boringCertLeaf|boringCertFIPSOK)
 	L2_I := boringCert(t, "L2_I", boringRSAKey(t, 1024), I_R1, boringCertLeaf)

-	// boringCert checked that isBoringCertificate matches the caller's boringCertFIPSOK bit.
-	// If not, no point in building bigger end-to-end tests.
-	if t.Failed() {
-		t.Fatalf("isBoringCertificate failures; not continuing")
-	}
-
 	// client verifying server cert
 	testServerCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) {
 		clientConfig := testConfig.Clone()
@ -534,14 +528,11 @@ func boringCert(t *testing.T, name string, key interface{}, parent *boringCertif
 	}

 	var pub interface{}
-	var desc string
 	switch k := key.(type) {
 	case *rsa.PrivateKey:
 		pub = &k.PublicKey
-		desc = fmt.Sprintf("RSA-%d", k.N.BitLen())
 	case *ecdsa.PrivateKey:
 		pub = &k.PublicKey
-		desc = "ECDSA-" + k.Curve.Params().Name
 	default:
 		t.Fatalf("invalid key %T", key)
 	}
@ -555,14 +546,7 @@ func boringCert(t *testing.T, name string, key interface{}, parent *boringCertif
 		t.Fatal(err)
 	}

-	// Tell isBoringCertificate to enforce FIPS restrictions for this check.
-	fipstls.Force()
-	defer fipstls.Abandon()
-
 	fipsOK := mode&boringCertFIPSOK != 0
-	if isBoringCertificate(cert) != fipsOK {
-		t.Errorf("isBoringCertificate(cert with %s key) = %v, want %v", desc, !fipsOK, fipsOK)
-	}
 	return &boringCertificate{name, org, parentOrg, der, cert, key, fipsOK}
 }

--- a/handshake_client.go
+++ b/handshake_client.go
@ -866,9 +866,7 @@ func (c *Conn) verifyServerCertificate(certificates [][]byte) error {
 			DNSName:       c.config.ServerName,
 			Intermediates: x509.NewCertPool(),
 		}
-		if needFIPS() {
-			opts.IsBoring = isBoringCertificate
-		}
+
 		for _, cert := range certs[1:] {
 			opts.Intermediates.AddCert(cert)
 		}
--- a/handshake_server.go
+++ b/handshake_server.go
@ -817,9 +817,6 @@ func (c *Conn) processCertsFromClient(certificate Certificate) error {
 			Intermediates: x509.NewCertPool(),
 			KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 		}
-		if needFIPS() {
-			opts.IsBoring = isBoringCertificate
-		}

 		for _, cert := range certs[1:] {
 			opts.Intermediates.AddCert(cert)
--- a/notboring.go
+++ b/notboring.go
@ -6,18 +6,15 @@

 package tls

-import "crypto/x509"
-
 func needFIPS() bool { return false }

 func supportedSignatureAlgorithms() []SignatureScheme {
 	return defaultSupportedSignatureAlgorithms
 }

-func fipsMinVersion(c *Config) uint16              { panic("fipsMinVersion") }
-func fipsMaxVersion(c *Config) uint16              { panic("fipsMaxVersion") }
-func fipsCurvePreferences(c *Config) []CurveID     { panic("fipsCurvePreferences") }
-func fipsCipherSuites(c *Config) []uint16          { panic("fipsCipherSuites") }
-func isBoringCertificate(c *x509.Certificate) bool { panic("isBoringCertificate") }
+func fipsMinVersion(c *Config) uint16          { panic("fipsMinVersion") }
+func fipsMaxVersion(c *Config) uint16          { panic("fipsMaxVersion") }
+func fipsCurvePreferences(c *Config) []CurveID { panic("fipsCurvePreferences") }
+func fipsCipherSuites(c *Config) []uint16      { panic("fipsCipherSuites") }

 var fipsSupportedSignatureAlgorithms []SignatureScheme