Summary - Trying Boring Go in FIPS mode to connect to Microsoft services (Azure). The intermediate CA certificate for Microsoft has a 4096-bit public key that is not allowed by Boring Go (code here). Is there any workaround without having to turn off FIPS mode?
go version go1.14b4 linux/amd64
Hi all,
So I am working on an application that is required to run in FIPS mode
and has to connect to Azure services. I looked up the boring Go branch,
got version 1.14 and started using it.
While trying to connect to Azure services (e.g.
graph[dot]microsoft[dot]com or even microsoft[dot]com), I was getting an
incompatible certificate usage issue. Here is the sample code I am
using:
```go
package main

import (
	"fmt"
	"io/ioutil"
	"net/http"

	_ "crypto/tls/fipsonly" // Code works without this but we need the application to run in FIPS
)

func main() {
	url := "https: //microsoft.com" // Space put here because of two link limit
	fmt.Printf("HTML code of %s ...\n", url)
	client := &http.Client{}
	resp, err := client.Get(url)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	html, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s\n", html)
}
```
The error I get is as follows:
```
HTML code of https: //microsoft.com ...
panic: Get "https: //microsoft.com": x509: certificate specifies an incompatible key usage

goroutine 1 [running]:
main.main()
	/usr/local/go/bin/test.go:15 +0x26c
exit status 2
```
I checked the golang code and found that a certificate with a 4096-bit
public key is not a valid certificate according to the
IsBoringCertificate function. The intermediate certificate in Microsoft's
certificate chain has a 4096-bit public key.
So, my question is as follows:
Thanks for going through this!
--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/619f65bc-e79a-4412-8913-a03992fae04a%40googlegroups.com.
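
The key-size check described in the post above can be reproduced against a certificate chain to see which link a `fipsonly` build would reject. This is an added example, not code from the thread or from the Go project: the allow-list (RSA 2048/3072, ECDSA P-256/P-384) is an assumption about the go1.14b4 branch, the names `fipsKeyProblem`, `auditChain` and `fakeRSACert` are hypothetical, and the certificates are constructed stubs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// fipsKeyProblem returns "" when the key is in the allow-list ASSUMED here for
// the fipsonly check (RSA 2048/3072, ECDSA P-256/P-384), else the reason.
func fipsKeyProblem(c *x509.Certificate) string {
	switch k := c.PublicKey.(type) {
	case *rsa.PublicKey:
		if n := k.N.BitLen(); n != 2048 && n != 3072 {
			return fmt.Sprintf("RSA-%d not in {2048, 3072}", n)
		}
	case *ecdsa.PublicKey:
		if name := k.Curve.Params().Name; name != "P-256" && name != "P-384" {
			return "ECDSA curve " + name + " not in {P-256, P-384}"
		}
	default:
		return fmt.Sprintf("unsupported key type %T", k)
	}
	return ""
}

// auditChain lists every certificate in the chain that would be rejected.
func auditChain(chain ...*x509.Certificate) []string {
	var findings []string
	for i, c := range chain {
		if p := fipsKeyProblem(c); p != "" {
			findings = append(findings, fmt.Sprintf("chain[%d] %q: %s", i, c.Subject.CommonName, p))
		}
	}
	return findings
}

// fakeRSACert builds a constructed stub whose modulus has exactly `bits` bits.
func fakeRSACert(cn string, bits int) *x509.Certificate {
	n := new(big.Int).SetBit(big.NewInt(1), bits-1, 1)
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, PublicKey: &rsa.PublicKey{N: n, E: 65537}}
}

func main() {
	fmt.Println(auditChain(fakeRSACert("leaf.example", 2048), fakeRSACert("Example Intermediate CA", 4096)))
}
```

Against a real endpoint, pass the `PeerCertificates` from a `tls.ConnectionState` collected by a diagnostic binary built without `crypto/tls/fipsonly`.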
(Disclaimer: not a FIPS compliance expert, you should hire your own experts to get authoritative answers)
FIPS 140-2 seems to reference FIPS 186-4 for specific algorithm choices. FIPS 186-4 specifies that the RSA modulus shall be 1024, 2048, or 3072 bits. So, as-written, it seems like 4096-bit RSA keys are not allowed under FIPS 140-2, which would explain why BoringCrypto doesn't permit them.
There seems to be a bunch of discussion in standards bodies saying that this was a bit of a mistake in FIPS 186-4, but the great thing about regulations is you don't fix them just by saying "oh, that's obviously incorrect, let's just ignore it" :(
Seems like you need to talk to Azure about FIPS 140-2 compliant access methods, or to your own compliance staff about how you can navigate the regulatory requirements and still connect to stuff.
- Dave
Question/Problem SP 800-131A Rev1 provides only the lower bound, 2048 bits, for the RSA modulus size used in signature generation. Does this imply that the RSA modulus sizes other than 2048 and 3072 may be used to generate the RSA signatures in the approved mode? In particular, is the use of the 4096-bit modulus approved and, if so, what are the testing requirements for the RSA key generation if the key pair used in the RSA signature algorithm is generated by the module?
Resolution
When performing an RSA signature generation, a module may use any modulus size greater than or equal to 2048 bits. At least one of the RSA modulus lengths supported by the module for RSA signature generation shall be 2048, 3072, or 4096 bits.