Description
For WebTransport, the go-libp2p implementation currently generates deterministic certificates.
Whilst both HKDF and ECDSA are separately FIPS approved and have FIPS certified implementations, the FIPS approved ECDSA key generation function must use a certified entropy source, thus generating random keys/certs.
See this block here https://github.com/golang/go/blob/da9c5b142c855496222f0ab167c3f1d9e98403c4/src/crypto/ecdsa/ecdsa.go#L165 in the golang toolchain in FIPS mode.
Reading the libp2p specs it is not clear to me if deterministic certificates are required; or if it is just a chosen implementation detail in go-libp2p.
The change to use deterministic certificates was done in libp2p/go-libp2p@a0432e7.
Is it possible to optionally support non-deterministic certificates, like it was done prior to the above commit, for example with a build tag?
Because for the FIPS case, allowing the generation of predictable keys sounds like unapproved usage which is difficult to bypass, and guard against misuse (i.e. whilst it might be suitable for a libp2p connection, it likely is not a good idea for the general-purpose generic API of generating ECDSA keys, and changing the standard library module would affect all users in a given project compilation).