Summary - Trying Boring Go in FIPS mode to connect to Microsoft services (Azure). Intermediate CA Certificate for Microsoft has a 4096 bit public key that is not allowed by Boring Go (Code here ), Is there any workaround without having to turn off FIPS mode ?
go version go1.14b4 linux/amd64
Hi all,
So I am working on an application that requires to be run in FIPS mode and has to connect to Azure services. I looked up the boring Go branch, got version 1.14 and started using it.
While trying to connect to Azure services (for eg. graph[dot]microsoft[dot]com or even microsoft[dot]com), I was getting an incompatible certificate usage issue. Here is the sample code I am using -
`package main
import ( "fmt" "io/ioutil" "net/http" _ "crypto/tls/fipsonly" //Code works without this but we need the application to run in FIPS ) func main() { url := "https: //microsoft.com" //Space put here because of two link limit fmt.Printf("HTML code of %s ...\n", url) client := &http.Client{} resp, err := client.Get(url) if err != nil { panic(err) } defer resp.Body.Close() html, err := ioutil.ReadAll(resp.Body) if err != nil { panic(err) } fmt.Printf("%s\n", html) }`
The error I get is as follows -
HTML code of https: //microsoft.com ... panic: Get "https://microsoft.com": x509: certificate specifies an incompatible key usage goroutine 1 [running]: main.main() /usr/local/go/bin/test.go:15 +0x26c exit status 2
I checked the golang code and found that a certificate with a 4096 bit public key is not a valid certificate according to the IsBoringCertificate function The intermediate certificate in Microsoft’s Certificate Chain has a 4096 bit public key.
So, my question is as follows :
- Is this intended behavior ?
- If yes, is here any workaround via which I can keep FIPS mode on and connect to these services ? This workaround can be code changes or using different tools. However, I can’t turn off FIPS mode.
Thanks for going through this !