go crypto and BoringCrypto

Sun Yimin edited this page May 9, 2022 · 1 revision

On May 3, 2022, "REVERSE MERGE dev.boringcrypto (cdcb4b6) into master" commits landed in golang.

What's boringcrypto?

BoringCrypto (BoringSSL-based crypto), maintained by Google, is an open-source, general-purpose cryptographic library that provides FIPS 140–2 approved cryptographic algorithms to serve BoringSSL and other user-space applications.

BoringSSL is Google’s fork of the OpenSSL cryptographic library. It has been used in the TLS stacks of all Google website products since June 2014, including Google Android OS and Google Chrome. Google initially forked the OpenSSL code as BoringSSL, but has now formally released Google Tink.

The native Go crypto is not FIPS compliant, and there are a few open proposals to help Go code meet FIPS requirements. Users can use prominent Go compilers/toolsets backed by FIPS-validated SSL libraries provided by Google or Red Hat, which enable Go to bypass the standard library cryptographic routines and instead call into a FIPS 140–2 validated cryptographic library. These toolsets are available as container images, which users can use to compile any Go-based application.

The impact on this package

Mainly compatibility issues with the new Go SDK.

Reference

Go Crypto and Kubernetes — FIPS 140–2 and FedRAMP Compliance

all: REVERSE MERGE dev.boringcrypto (cdcb4b6) into master