[dev.boringcrypto.go1.18] crypto/tls: allow BoringCrypto to use 4096-bit keys

FIPS-140 has been updated to allow 4096-bit RSA keys.
Allow them in certificate processing.

This is the Go 1.18 boringcrypto branch version of CL 447655.
Not a straight cherry-pick, because the code in the boringcrypto branch
is different from the code that merged into the main branch.

Fixes #41147 for the Go 1.18 boringcrypto branch.

Change-Id: Iae8a6406a2885e6546df2c28c1791c19cfafb6b5
Reviewed-on: https://go-review.googlesource.com/c/go/+/449639
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Russ Cox 2022-11-10 20:42:04 -05:00
parent 94108e21ab
commit f241e00954
2 changed files with 2 additions and 2 deletions


@ -91,7 +91,7 @@ func isBoringCertificate(c *x509.Certificate) bool {
default:
return false
case *rsa.PublicKey:
if size := k.N.BitLen(); size != 2048 && size != 3072 {
if size := k.N.BitLen(); size != 2048 && size != 3072 && size != 4096 {
return false
}
case *ecdsa.PublicKey:
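Review bot: The size check `if size := k.N.BitLen(); size != 2048 && size != 3072 && size != 4096 {` is now a three-element chain of magic numbers with nothing in the code saying where the list comes from; a comment above it such as `// RSA modulus sizes permitted for the BoringCrypto FIPS module; keep in sync with any other size limits in this branch.` would spare the next maintainer a trip to the commit log. If the same allow-list is duplicated elsewhere in the branch (the commit message only mentions certificate processing), those occurrences should be reviewed for consistency, which cannot be confirmed from this hunk. As a point of style, a `switch size := k.N.BitLen(); size {` with `case 2048, 3072, 4096:` reads as an allow-list and makes any future addition a one-token change. isBoringCertificate starts and ends outside the hunk.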


@ -309,7 +309,7 @@ func TestBoringCertAlgs(t *testing.T) {
// Set up some roots, intermediate CAs, and leaf certs with various algorithms.
// X_Y is X signed by Y.
R1 := boringCert(t, "R1", boringRSAKey(t, 2048), nil, boringCertCA|boringCertFIPSOK)
R2 := boringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA)
R2 := boringCert(t, "R2", boringRSAKey(t, 1024), nil, boringCertCA)
M1_R1 := boringCert(t, "M1_R1", boringECDSAKey(t, elliptic.P256()), R1, boringCertCA|boringCertFIPSOK)
M2_R1 := boringCert(t, "M2_R1", boringECDSAKey(t, elliptic.P224()), R1, boringCertCA)
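Review bot: R2 is switched to a 1024-bit key with no comment explaining the choice, and since R2 is the root built without boringCertFIPSOK the intent appears to be that it must still be rejected now that 4096 is accepted; a note such as `// 1024 is deliberately not a permitted FIPS size, so R2 must fail the FIPS check.` would stop someone from "fixing" it back to an approved size later. Nothing visible in this hunk exercises acceptance of a 4096-bit key, which is the behaviour the commit enables; unless such a certificate exists elsewhere in TestBoringCertAlgs, one should be added, e.g. `R3 := boringCert(t, "R3", boringRSAKey(t, 4096), nil, boringCertCA|boringCertFIPSOK)` (constructed example) together with the matching expectations the rest of the test uses. TestBoringCertAlgs starts and ends outside the hunk.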