remove boringcrypto in favour of the new fips140 module

.github/workflows/go.yml

@@ -10,65 +10,56 @@ on:
 
 jobs:
   build:
-    name: Build ${{ matrix.go-version }}
+    name: Build
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        go-version: [1.22.8, 1.23.2]
     steps:
-    - name: Set up Go ${{ matrix.go-version }}
+    - name: Set up Go
       uses: actions/setup-go@v5
       with:
-        go-version: ${{ matrix.go-version }}
+        go-version: 1.24.3
     - name: Check out code into the Go module directory
       uses: actions/checkout@v4
     - name: Build and Lint
       run: |
          go build ./...
          go vet -tests=false ./... # Specifically for examples without a corresponding identifier
   test:
-    name: Text ${{ matrix.os }} | ${{ matrix.go-version }}
+    name: Text ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        go-version: [1.22.8, 1.23.2]
         os: [ubuntu-latest, windows-latest, macos-latest]
     steps:
-    - name: Set up Go ${{ matrix.go-version }} on ${{ matrix.os }}
+    - name: Set up Go
       uses: actions/setup-go@v5
       with:
-        go-version: ${{ matrix.go-version }}
+        go-version: 1.24.3
     - name: Check out code into the Go module directory
       uses: actions/checkout@v4
     - name: Test on ${{ matrix.os }}
       run: |
          go test ./...
-  boringcrypto:
+  fips140:
+    name: 'Test FIPS 140'
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        go-version: [1.22.8, 1.23.2]
     steps:
-    - name: Set up Go ${{ matrix.go-version }}
+    - name: Set up Go
       uses: actions/setup-go@v5
       with:
-        go-version: ${{ matrix.go-version }}
+        go-version: 1.24.3
     - name: Check out code into the Go module directory
       uses: actions/checkout@v4
     - name: Test
       run: |
-         CGO_ENABLED=1 GOEXPERIMENT=boringcrypto go test ./...
+         GODEBUG=fips140=on go test ./...
   vulncheck:
-    name: Vulncheck ${{ matrix.go-version }}
+    name: Vulncheck
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        go-version: [1.22.8, 1.23.2]
     steps:
     - name: Set up Go ${{ matrix.go-version }}
       uses: actions/setup-go@v5
       with:
-        go-version: ${{ matrix.go-version }}
+        go-version: 1.24.3
     - name: Check out code into the Go module directory
       uses: actions/checkout@v4
     - name: Get govulncheck

example_test.go

@@ -247,10 +247,10 @@ func ExampleServer_VerifyPeerIdentity() {
 	// Output:
 }
 
-// ExampleClientServer shows how to send a GET request from a client to server
+// Shows how to send a GET request from a client to server
 // over a mTLS connection. The client and server verify the identity of their
 // peers.
-func ExampleClientServer() {
+func Example() {
 	// The client and server private key. Private keys should never be exposed!
 	const (
 		ServerPrivateKey = "k2:RsxEXi8ebLIWI8BI9MJHGBqKa1keq67Ds8hrgetZV1M" // Only known to the server

key.go

@@ -25,8 +25,6 @@ import (
 	"strconv"
 	"strings"
 	"time"
-
-	"aead.dev/mtls/internal/boring"
 )
 
 // PrivateKey is private key for TLS and mutual TLS connections.
@@ -55,9 +53,6 @@ func ParsePrivateKey(s string) (PrivateKey, error) {
 		return nil, errors.New("mtls: invalid private key")
 
 	case strings.HasPrefix(s, "k1:"):
-		if boring.FIPS {
-			return nil, errors.New("mtls: ed25519 not supported by FIPS module")
-		}
 		var key EdDSAPrivateKey
 		if err := key.UnmarshalText([]byte(s)); err != nil {
 			return nil, err
@@ -83,10 +78,6 @@ type EdDSAPrivateKey struct {
 // GenerateKeyEdDSA generates a new [EdDSAPrivateKey] using entropy
 // from random. If random is nil, [crypto/rand.Reader] will be used.
 func GenerateKeyEdDSA(random io.Reader) (*EdDSAPrivateKey, error) {
-	if boring.FIPS {
-		return nil, errors.New("mtls: ed25519 not supported by FIPS module")
-	}
-
 	if random == nil {
 		random = rand.Reader
 	}
@@ -107,38 +98,25 @@ func GenerateKeyEdDSA(random io.Reader) (*EdDSAPrivateKey, error) {
 
 // Private returns the EdDSA private key.
 func (pk *EdDSAPrivateKey) Private() crypto.PrivateKey {
-	if boring.FIPS {
-		panic("mtls: ed25519 not supported by FIPS module")
-	}
 	priv := make(ed25519.PrivateKey, ed25519.PrivateKeySize)
 	copy(priv, pk.priv)
 	return priv
 }
 
 // Public returns the EdDSA public key.
 func (pk *EdDSAPrivateKey) Public() crypto.PublicKey {
-	if boring.FIPS {
-		panic("mtls: ed25519 not supported by FIPS module")
-	}
 	return pk.priv.Public()
 }
 
 // Identity returns the identity of the EdDSA public key.
 func (pk *EdDSAPrivateKey) Identity() Identity {
-	if boring.FIPS {
-		panic("mtls: ed25519 not supported by FIPS module")
-	}
 	return pk.identity
 }
 
 // MarshalText returns a textual representation of the private key.
 //
 // It returns output equivalent to [EdDSAPrivateKey.String]
 func (pk *EdDSAPrivateKey) MarshalText() ([]byte, error) {
-	if boring.FIPS {
-		return nil, errors.New("mtls: ed25519 not supported by FIPS module")
-	}
-
 	var text [46]byte
 	b := append(text[:0], "k1:"...)
 	b = base64.RawURLEncoding.AppendEncode(b, pk.priv[:ed25519.SeedSize])
@@ -147,10 +125,6 @@ func (pk *EdDSAPrivateKey) MarshalText() ([]byte, error) {
 
 // UnmarshalText parses a private key textual representation.
 func (pk *EdDSAPrivateKey) UnmarshalText(text []byte) error {
-	if boring.FIPS {
-		return errors.New("mtls: ed25519 not supported by FIPS module")
-	}
-
 	if !bytes.HasPrefix(text, []byte("k1:")) {
 		return errors.New("mtls: invalid EdDSA private key")
 	}
@@ -181,10 +155,6 @@ func (pk *EdDSAPrivateKey) UnmarshalText(text []byte) error {
 //
 // Its output is equivalent to [EdDSAPrivateKey.MarshalText]
 func (pk *EdDSAPrivateKey) String() string {
-	if boring.FIPS {
-		panic("mtls: ed25519 not supported by FIPS module")
-	}
-
 	return "k1:" + base64.RawURLEncoding.EncodeToString(pk.priv[:ed25519.SeedSize])
 }
 

key_test.go

@@ -15,15 +15,11 @@ import (
 	"testing"
 
 	"aead.dev/mtls"
-	"aead.dev/mtls/internal/boring"
 )
 
 // TestGenerateKeyEdDSA tests whether generated EdDSA private keys
 // are equal to their parsed textual representation
 func TestGenerateKeyEdDSA(t *testing.T) {
-	if boring.FIPS {
-		t.Skip("Ed25519 is not available in FIPS mode")
-	}
 	t.Parallel()
 
 	key, err := mtls.GenerateKeyEdDSA(rand.Reader)
@@ -73,10 +69,6 @@ func TestGenerateKeyECDSA(t *testing.T) {
 // identity of the corresponding private key.
 func TestPrivateKey_Identity(t *testing.T) {
 	for _, test := range privateKeyIdentityTests {
-		if boring.FIPS && test.SkipFIPS {
-			continue
-		}
-
 		key, err := mtls.ParsePrivateKey(test.PrivateKey)
 		if err != nil {
 			t.Fatalf("failed to parse private key %s: %v", test.PrivateKey, err)
@@ -107,12 +99,10 @@ func TestPrivateKey_Identity(t *testing.T) {
 var privateKeyIdentityTests = []struct {
 	Filename   string
 	PrivateKey string
-	SkipFIPS   bool // Skip test in FIPS mode
 }{
 	{
 		Filename:   "./testdata/certs/ed25519.crt",
 		PrivateKey: "k1:xZnpcYtPdVMNLBBRaUO5HPEoK_jVrcc3MWR8BshkjJw",
-		SkipFIPS:   boring.FIPS,
 	},
 	{
 		Filename:   "./testdata/certs/p-256.crt",