[dev.boringcrypto] crypto/tls: permit P-521 in FIPS mode
authorWatson Ladd <watson@cloudflare.com>
Fri, 20 Aug 2021 22:52:08 +0000 (15:52 -0700)
committerFilippo Valsorda <filippo@golang.org>
Fri, 27 Aug 2021 12:51:19 +0000 (12:51 +0000)
While BoringCrypto has a certification for P-521, the Go code disallows
certificates that use it. This change permits those certificates to be used.

Change-Id: I451c91a845f22ff0e4c3e922eaf8bf82466e80ae
Reviewed-on: https://go-review.googlesource.com/c/go/+/343880
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Dmitri Shuralyov <dmitshur@golang.org>

src/crypto/tls/boring.go

index 09f71c1691c12652666b180c38d7623f9cb66e6c..dabc67423dca9b59d68f153d3784ae4ca9d49bdb 100644 (file)
@@ -6,6 +6,7 @@ package tls
 
 import (
        "crypto/ecdsa"
+       "crypto/elliptic"
        "crypto/internal/boring/fipstls"
        "crypto/rsa"
        "crypto/x509"
@@ -85,7 +86,7 @@ func isBoringCertificate(c *x509.Certificate) bool {
                return true
        }
 
-       // Otherwise the key must be RSA 2048, RSA 3072, or ECDSA P-256.
+       // Otherwise the key must be RSA 2048, RSA 3072, or ECDSA P-256, P-384, or P-521.
        switch k := c.PublicKey.(type) {
        default:
                return false
@@ -94,7 +95,7 @@ func isBoringCertificate(c *x509.Certificate) bool {
                        return false
                }
        case *ecdsa.PublicKey:
-               if name := k.Curve.Params().Name; name != "P-256" && name != "P-384" {
+               if k.Curve != elliptic.P256() && k.Curve != elliptic.P384() && k.Curve != elliptic.P521() {
                        return false
                }
        }
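Review bot: The curve check under `case *ecdsa.PublicKey` now compares `k.Curve` by interface identity instead of by name, and nothing in the hunk records that this is deliberate. Identity comparison fails closed: a Curve implementation other than the elliptic package's own P-256, P-384 or P-521 values is rejected even if it reports the same name, and a nil Curve returns false rather than reaching `Params()` as the removed line did. I would add a comment above the `if`, for example `// Compare by identity: only the elliptic package's own curve values pass, not a Curve that merely reports the same Params().Name.`, so the condition is not later simplified back to a name match. The page shows only boring.go, so it is worth confirming that the FIPS-mode tests gain a case for a P-521 certificate. isBoringCertificate begins and ends outside this hunk.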