(Disclaimer: not a FIPS compliance expert, you should hire your own experts to get authoritative answers)
FIPS 140-2 seems to reference FIPS 186-4 for specific algorithm choices. FIPS 186-4 specifies that the RSA modulus shall be 1024, 2048, or 3072 bits. So, as-written, it seems like 4096-bit RSA keys are not allowed under FIPS 140-2, which would explain why BoringCrypto doesn't permit them. There seems to be a bunch of discussion in standards bodies saying that this was a bit of a mistake in FIPS 186-4, but the great thing about regulations is you don't fix them just by saying "oh, that's obviously incorrect, let's just ignore it" :( Seems like you need to talk to Azure about FIPS 140-2 compliant access methods, or to your own compliance staff about how you can navigate the regulatory requirements and still connect to stuff. - Dave On Thu, Apr 30, 2020 at 11:13 AM <mohit.bits2...@gmail.com> wrote: > Summary - Trying Boring Go in FIPS mode to connect to Microsoft services > (Azure). Intermediate CA Certificate for Microsoft has a 4096 bit public > key that is not allowed by Boring Go (Code here > <https://github.com/golang/go/blob/2b0d842f4b24b3be4bcf02c7a796e3a4d3d952f6/src/crypto/tls/boring.go#L98> > ), Is there any workaround without having to turn off FIPS mode ? > > go version go1.14b4 linux/amd64 > > Hi all, > So I am working on an application that requires to be run in FIPS mode and > has to connect to Azure services. I looked up the boring Go branch, got > version 1.14 and started using it. > While trying to connect to Azure services (for eg. > graph[dot]microsoft[dot]com or even microsoft[dot]com), I was getting an > incompatible certificate usage issue. Here is the sample code I am using - > `package main > > import ( > "fmt" > "io/ioutil" > "net/http" > _ "crypto/tls/fipsonly" //Code works without this but we need the > application to run in FIPS > ) > func main() { > url := "https: //microsoft.com" //Space put here because of two link > limit > fmt.Printf("HTML code of %s ...\n", url) > client := &http.Client{} > resp, err := client.Get(url) > > if err != nil { > panic(err) > } > > defer resp.Body.Close() > > html, err := ioutil.ReadAll(resp.Body) > if err != nil { > panic(err) > } > > fmt.Printf("%s\n", html) > }` > > The error I get is as follows - > HTML code of https: //microsoft.com ... panic: Get "https: //microsoft.com": > x509: certificate specifies an incompatible key usage goroutine 1 > [running]: main.main() /usr/local/go/bin/test.go:15 +0x26c exit status 2 > > I checked the golang code and found that a certificate with a 4096 bit > public key is not a valid certificate according to the IsBoringCertificate > function The intermediate certificate in Microsoft’s Certificate Chain has > a 4096 bit public key. > [image: Screen Shot 2020-04-27 at 12.35.20 PM] > <https://forum.golangbridge.org/uploads/default/original/2X/5/5ee810d6e3d7c0397d6414aed64851342df3f843.png> > > So, my question is as follows : > > 1. Is this intended behavior ? > 2. If yes, is here any workaround via which I can keep FIPS mode on > and connect to these services ? This workaround can be code changes or > using different tools. However, I can’t turn off FIPS mode. > > Thanks for going through this ! > > -- > You received this message because you are subscribed to the Google Groups > "golang-nuts" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to golang-nuts+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/golang-nuts/619f65bc-e79a-4412-8913-a03992fae04a%40googlegroups.com > <https://groups.google.com/d/msgid/golang-nuts/619f65bc-e79a-4412-8913-a03992fae04a%40googlegroups.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/CAMx%2Br7WOU4-%2BVweYrep2dcCkhirgV9JiV3ct42k70fBtL73wcw%40mail.gmail.com.
