diff options
| author | Russ Cox <rsc@golang.org> | 2022-04-27 09:02:53 -0400 |
|---|---|---|
| committer | Russ Cox <rsc@golang.org> | 2022-04-29 14:23:29 +0000 |
| commit | 0184fe5ece4f84fda9db04d2472b76efcaa8ef55 (patch) | |
| tree | 46d2538ae712570da44013bf6301403bbecda4a3 /src/crypto/tls/boring_test.go | |
| parent | 9e9c7a0aec0f821b54006681d4fdfba8a0cd6679 (diff) | |
| download | go-0184fe5ece4f84fda9db04d2472b76efcaa8ef55.tar.xz | |
[dev.boringcrypto] crypto/x509: remove VerifyOptions.IsBoring
This API was added only for BoringCrypto, never shipped in standard
Go. This API is also not compatible with the expected future evolution
of crypto/x509, as we move closer to host verifiers on macOS and Windows.
If we want to merge BoringCrypto into the main tree, it is best not to
have differing API. So instead of a hook set by crypto/tls, move the
actual check directly into crypto/x509, eliminating the need for
exposed API.
For #51940.
Change-Id: Ia2ae98c745de818d39501777014ea8166cab0b03
Reviewed-on: https://go-review.googlesource.com/c/go/+/395878
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Diffstat (limited to 'src/crypto/tls/boring_test.go')
| -rw-r--r-- | src/crypto/tls/boring_test.go | 16 |
1 files changed, 0 insertions, 16 deletions
diff --git a/src/crypto/tls/boring_test.go b/src/crypto/tls/boring_test.go index 12a7d937cb..f743fc8e9f 100644 --- a/src/crypto/tls/boring_test.go +++ b/src/crypto/tls/boring_test.go @@ -324,12 +324,6 @@ func TestBoringCertAlgs(t *testing.T) { L1_I := boringCert(t, "L1_I", boringECDSAKey(t, elliptic.P384()), I_R1, boringCertLeaf|boringCertFIPSOK) L2_I := boringCert(t, "L2_I", boringRSAKey(t, 1024), I_R1, boringCertLeaf) - // boringCert checked that isBoringCertificate matches the caller's boringCertFIPSOK bit. - // If not, no point in building bigger end-to-end tests. - if t.Failed() { - t.Fatalf("isBoringCertificate failures; not continuing") - } - // client verifying server cert testServerCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) { clientConfig := testConfig.Clone() @@ -534,14 +528,11 @@ func boringCert(t *testing.T, name string, key interface{}, parent *boringCertif } var pub interface{} - var desc string switch k := key.(type) { case *rsa.PrivateKey: pub = &k.PublicKey - desc = fmt.Sprintf("RSA-%d", k.N.BitLen()) case *ecdsa.PrivateKey: pub = &k.PublicKey - desc = "ECDSA-" + k.Curve.Params().Name default: t.Fatalf("invalid key %T", key) } @@ -555,14 +546,7 @@ func boringCert(t *testing.T, name string, key interface{}, parent *boringCertif t.Fatal(err) } - // Tell isBoringCertificate to enforce FIPS restrictions for this check. - fipstls.Force() - defer fipstls.Abandon() - fipsOK := mode&boringCertFIPSOK != 0 - if isBoringCertificate(cert) != fipsOK { - t.Errorf("isBoringCertificate(cert with %s key) = %v, want %v", desc, !fipsOK, fipsOK) - } return &boringCertificate{name, org, parentOrg, der, cert, key, fipsOK} } |