(Disclaimer: Not a FIPS compliance expert) Couple of observations. I looked at how others are treating this by taking an example of OpenSSL 1.1.1 and Go's 1.12.4 distribution from CentOS 8.1 (which is derived from RHEL 8.1 and RHEL is inline for FIPS 140-2 validation as we speak).
[1]. OpenSSL 1.1.1 FIPS patch (source: http://vault.centos.org/8.1.1911/BaseOS/Source/SPackages/openssl-1.1.1c-2.el8.src.rpm ) allows RSA public key modulus bits greater than 1024 bits in size via OPENSSL_RSA_FIPS_MIN_MODULUS_BITS (whose value is defined in rsa.h as 1048) [2]. CentOS 8.1 's go lang distribution (source: http://vault.centos.org/8.1.1911/AppStream/Source/SPackages/golang-1.12.12-4.module_el8.1.0+271+e71148fc.src.rpm; File: src/crypto/tls/boring.go) allows RSA public key modules bits greater than 2048 and its size divisible by 512 as valid RSA public keys. Attaching relevant screenshots below. Does this tell there is a need for a patch in golang's dev.boringcrypto branch to allow RSA 4096 bit keys? Has anyone encountered the issue by using dev.boringcrypto distribution? Thanks! Bhagya On Thursday, April 30, 2020 at 11:13:18 AM UTC-7, mohit....@gmail.com wrote: > > Summary - Trying Boring Go in FIPS mode to connect to Microsoft services > (Azure). Intermediate CA Certificate for Microsoft has a 4096 bit public > key that is not allowed by Boring Go (Code here > <https://github.com/golang/go/blob/2b0d842f4b24b3be4bcf02c7a796e3a4d3d952f6/src/crypto/tls/boring.go#L98> > > ), Is there any workaround without having to turn off FIPS mode ? > > go version go1.14b4 linux/amd64 > > Hi all, > So I am working on an application that requires to be run in FIPS mode and > has to connect to Azure services. I looked up the boring Go branch, got > version 1.14 and started using it. > While trying to connect to Azure services (for eg. > graph[dot]microsoft[dot]com or even microsoft[dot]com), I was getting an > incompatible certificate usage issue. Here is the sample code I am using - > `package main > > import ( > "fmt" > "io/ioutil" > "net/http" > _ "crypto/tls/fipsonly" //Code works without this but we need the > application to run in FIPS > ) > func main() { > url := "https: //microsoft.com" //Space put here because of two link > limit > fmt.Printf("HTML code of %s ...\n", url) > client := &http.Client{} > resp, err := client.Get(url) > > if err != nil { > panic(err) > } > > defer resp.Body.Close() > > html, err := ioutil.ReadAll(resp.Body) > if err != nil { > panic(err) > } > > fmt.Printf("%s\n", html) > }` > > The error I get is as follows - > HTML code of https: //microsoft.com ... panic: Get "https: //microsoft.com": > x509: certificate specifies an incompatible key usage goroutine 1 > [running]: main.main() /usr/local/go/bin/test.go:15 +0x26c exit status 2 > > I checked the golang code and found that a certificate with a 4096 bit > public key is not a valid certificate according to the IsBoringCertificate > function The intermediate certificate in Microsoft’s Certificate Chain has > a 4096 bit public key. > [image: Screen Shot 2020-04-27 at 12.35.20 PM] > <https://forum.golangbridge.org/uploads/default/original/2X/5/5ee810d6e3d7c0397d6414aed64851342df3f843.png> > > So, my question is as follows : > > 1. Is this intended behavior ? > 2. If yes, is here any workaround via which I can keep FIPS mode on > and connect to these services ? This workaround can be code changes or > using different tools. However, I can’t turn off FIPS mode. > > Thanks for going through this ! > -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/616c2787-27ea-4514-ad65-14eec4ed0cb7%40googlegroups.com.
