src/crypto/x509/boring.go - go - Git at Google

 // Copyright 2022 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

 //go:build boringcrypto

 package x509

 import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/internal/boring/fipstls"
 	"crypto/rsa"
 )

 // boringAllowCert reports whether c is allowed to be used
 // in a certificate chain by the current fipstls enforcement setting.
 // It is called for each leaf, intermediate, and root certificate.
 func boringAllowCert(c *Certificate) bool {
 	if !fipstls.Required() {
 		return true
 	}

 	// The key must be RSA 2048, RSA 3072, or ECDSA P-256, P-384, or P-521.
 	switch k := c.PublicKey.(type) {
 	default:
 		return false
 	case *rsa.PublicKey:
 		if size := k.N.BitLen(); size != 2048 && size != 3072 {
 			return false
 		}
 	case *ecdsa.PublicKey:
 		if k.Curve != elliptic.P256() && k.Curve != elliptic.P384() && k.Curve != elliptic.P521() {
 			return false
 		}
 	}
 	return true
 }
	// Copyright 2022 The Go Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style
	// license that can be found in the LICENSE file.

	//go:build boringcrypto

	package x509

	import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/internal/boring/fipstls"
	"crypto/rsa"
	)

	// boringAllowCert reports whether c is allowed to be used
	// in a certificate chain by the current fipstls enforcement setting.
	// It is called for each leaf, intermediate, and root certificate.
	func boringAllowCert(c *Certificate) bool {
	if !fipstls.Required() {
	return true
	}

	// The key must be RSA 2048, RSA 3072, or ECDSA P-256, P-384, or P-521.
	switch k := c.PublicKey.(type) {
	default:
	return false
	case *rsa.PublicKey:
	if size := k.N.BitLen(); size != 2048 && size != 3072 {
	return false
	}
	case *ecdsa.PublicKey:
	if k.Curve != elliptic.P256() && k.Curve != elliptic.P384() && k.Curve != elliptic.P521() {
	return false
	}
	}
	return true
	}