crypto/x509: relax boringcrypto certificate key size restrictions given the ongoing FIPS 140-3 validation

[HakanSunay]

Go version

go1.21.5

Output of go env in your module/workspace:

N/A

What did you do?

When GOEXPERIMENT=boringcrypto is set and fips is enforced using:

import _ "crypto/tls/fipsonly"

The standard library relies on boringAllowCert when verifying the validity of certificates:
https://github.com/golang/go/blob/master/src/crypto/x509/boring.go#L19-L39

As a result, certificates with RSA keys starting from 5K up to 16K (this range is specific to my use case) fail.

Given the fact that Go was recently updated to use the 20220614 BoringCrypto module based on a pending FIPS 140-3 validation:

• https://go-review.googlesource.com/c/go/+/549695
• https://go-review.googlesource.com/c/go/+/549975

FIPS 140-3 IG section C.F [1] allows FIPS validations to make use of sizes other than 2048, 3072, and 4096, and the current restriction in the above-linked boringAllowCert function dates from earlier FIPS certificates that predate this new guidance and required only specific sizes.

Does the pending FIPS validation allow other (larger) RSA key sizes, and if so, will Go be adjusting the restriction to permit those larger sizes?

[1] https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf

What did you see happen?

tls: failed to verify certificate: x509: certificate specifies an incompatible key usage

What did you expect to see?

A somewhat naive expectation is to see relaxation in size checks given the current FIPS 140-3 guidance and pending validation.

[dmitshur]

CC @golang/security.

[danielgospodinow]

+1 on this, I faced the same issue recently. Is there any progress regarding this?

[FiloSottile]

Unfortunately, we have reverted the module upgrade pending the final certificate, so this will have to wait. See #65321

[HakanSunay]

@FiloSottile I see that you have reintroduced the boringcrypto module upgrade. Would you consider relaxing the key size restrictions explained in this issue?

[FiloSottile]

The FIPS 140-3 IG allows modules to be validated at arbitrary RSA key sizes, but it doesn't automatically allow all modules to operate at those sizes. It's unclear to me from reading https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4735.pdf if the latest module can operate on key sizes beyond those it was tested at (1024, 2048, 3072, 4096).

Note that we are now planning to deprecate Go+BoringCrypto in favor of pursuing a validation for a Go native module, see #69536. We'll test RSA signature operations at all sizes supported by Go.