[dev.boringcrypto] crypto/x509: remove VerifyOptions.IsBoring

This API was added only for BoringCrypto, never shipped in standard
Go. This API is also not compatible with the expected future evolution
of crypto/x509, as we move closer to host verifiers on macOS and Windows.

If we want to merge BoringCrypto into the main tree, it is best not to
have differing API. So instead of a hook set by crypto/tls, move the
actual check directly into crypto/x509, eliminating the need for
exposed API.

For #51940.

Change-Id: Ia2ae98c745de818d39501777014ea8166cab0b03
Reviewed-on: https://go-review.googlesource.com/c/go/+/395878
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>

boring.go

@@ -7,11 +7,7 @@
 package tls
 
 import (
-	"crypto/ecdsa"
-	"crypto/elliptic"
 	"crypto/internal/boring/fipstls"
-	"crypto/rsa"
-	"crypto/x509"
 )
 
 // needFIPS returns fipstls.Required(); it avoids a new import in common.go.
@@ -79,32 +75,6 @@ func fipsCipherSuites(c *Config) []uint16 {
 	return list
 }
 
-// isBoringCertificate reports whether a certificate may be used
-// when constructing a verified chain.
-// It is called for each leaf, intermediate, and root certificate.
-func isBoringCertificate(c *x509.Certificate) bool {
-	if !needFIPS() {
-		// Everything is OK if we haven't forced FIPS-only mode.
-		return true
-	}
-
-	// Otherwise the key must be RSA 2048, RSA 3072, or ECDSA P-256, P-384, or P-521.
-	switch k := c.PublicKey.(type) {
-	default:
-		return false
-	case *rsa.PublicKey:
-		if size := k.N.BitLen(); size != 2048 && size != 3072 {
-			return false
-		}
-	case *ecdsa.PublicKey:
-		if k.Curve != elliptic.P256() && k.Curve != elliptic.P384() && k.Curve != elliptic.P521() {
-			return false
-		}
-	}
-
-	return true
-}
-
 // fipsSupportedSignatureAlgorithms currently are a subset of
 // defaultSupportedSignatureAlgorithms without Ed25519 and SHA-1.
 var fipsSupportedSignatureAlgorithms = []SignatureScheme{